tripleo-heat-templates/deployment/podman/podman-baremetal-ansible.yaml
Sofer Athlan-Guyot 90c52db21e Ensure containers' images get updated if their names stay the same.
In some environments the containers' tag isn't modified (think
"latest"). Re-pulling such images is already supported during
deployment, so we re-use that code during update.

We also make sure that the same mechanism is available for the
ovn_controller update. It can be selectively disabled by passing:

    --skip-tags ovn_image

to the external-update run command.

We remove the ignore_errors setting, as it wrongly suggests that errors in
those tasks are not taken into account. We also adjust the delay, since
its default of 3 seconds makes the time we spend polling longer than the
async tasks themselves. Finally, we add a new parameter,
"OVNControllerImageUpdateTimeout", controlling how long the image
download may take; it defaults to 10 minutes.

Note that in order to pass CI, we need to modify the tht syntax test:
 - ensure containers.podman collection is installed;
 - ensure custom tripleo-ansible filters are found;
 - make sure tripleo_role_name is defined in the syntax test playbook.

Change-Id: I6d439367816d5f5968b8f890f74b7a2f74715f52
2022-09-27 12:20:54 +02:00


# Heat service template for the podman container runtime on TripleO hosts:
# installs/configures podman, logs into container registries, pre-fetches
# the role's container images and purges unused images after upgrades/updates.
heat_template_version: wallaby
description: >
  Configures podman on the host
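parameters:
  # NOTE(review): a non-empty list here does more than whitelist registries -
  # role_data.ansible_group_vars turns tripleo_podman_tls_verify off for the
  # whole role while any entry is present. Keep it to registries that really
  # cannot serve TLS (typically the undercloud one).
  DockerInsecureRegistryAddress:
    description: Optional. The IP Address and Port of an insecure container
                 registry that is handed to the tripleo_podman role as
                 tripleo_container_registry_insecure_registries.
                 The value can be multiple addresses separated by commas.
                 While this list is non-empty, TLS verification is disabled
                 for podman on every host of the role.
    type: comma_delimited_list
    default: []
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  ContainerImageRegistryLogin:
    type: boolean
    default: false
    description: Flag to enable container registry login actions during the deployment.
                 Setting this to true will cause login calls to be performed during the
                 deployment. ContainerImageRegistryCredentials is only applied when
                 this flag is true.
  ContainerImageRegistryCredentials:
    type: json
    # hidden marks the value as sensitive for Heat; the tasks that consume it
    # below additionally run with no_log so it never reaches the ansible logs.
    hidden: true
    default: {}
    description: |
      Mapping of image registry hosts to login credentials. Must be in the following example format
        docker.io:
          username: pa55word
        '192.0.2.1:8787':
          registry_username: password
      As in the example, each registry maps to a single entry whose key is the
      user name and whose value is the password. Only used when
      ContainerImageRegistryLogin is true.
  ContainerDefaultPidsLimit:
    type: number
    default: 4096
    description: Setting to configure the default pids_limit in /etc/container/container.conf.
                 This is supported starting with podman 2.0.x
  ContainerDefaultEventsLogger:
    type: string
    default: 'journald'
    description: Setting to configure where podman logs its events. Uses journald by default
                 as that will rotate data stored in tmpfs.
    constraints:
      - allowed_values: ['journald', 'file', 'none']
  SystemdDropInDependencies:
    default: true
    description: tell the tripleo_container_manage to inject
                 additional ordering dependencies for the systemd
                 scopes associated to podman containers.
    type: boolean
  deployment_source_hosts:
    default: 'Undercloud'
    type: string
    description: Host or hostgroup that runs the deployment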
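conditions:
  # True when DockerInsecureRegistryAddress holds at least one entry. Drives
  # both the insecure-registries fact and tripleo_podman_tls_verify in outputs.
  insecure_registry_is_set:
    not: {equals: [{get_param: DockerInsecureRegistryAddress}, []]}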
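outputs:
  role_data:
    description: Role data for the podman service
    value:
      ansible_group_vars:
        # Any configured insecure registry switches TLS verification off for
        # podman on every host of the role, not only for that registry.
        tripleo_podman_tls_verify: {if: [insecure_registry_is_set, "false", "true"]}
      service_name: podman
      config_settings: {}
      step_config: ''
      host_prep_tasks:
        - name: Install and configure Podman
          block: &install_and_configure_podman
            # no_log on the three fact-setting tasks keeps the registry
            # credentials (ContainerImageRegistryCredentials) out of the
            # ansible output and logs.
            - name: Set login facts
              no_log: true
              set_fact:
                tripleo_container_registry_insecure_registries:
                  if:
                    - insecure_registry_is_set
                    - {get_param: DockerInsecureRegistryAddress}
                tripleo_container_registry_login: {get_param: ContainerImageRegistryLogin}
                # default that is overwritten by the heat -> dict conversion
                tripleo_container_registry_logins: {}
                tripleo_container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
                tripleo_container_default_pids_limit: {get_param: ContainerDefaultPidsLimit}
                tripleo_container_events_logger_mechanism: {get_param: ContainerDefaultEventsLogger}
            # The credentials may arrive either as a JSON string or as an
            # already-decoded mapping; the next two tasks normalise both shapes
            # into tripleo_container_registry_logins, and only when registry
            # login is enabled and the mapping is non-empty.
            - name: Convert logins json to dict
              no_log: true
              set_fact:
                tripleo_container_registry_logins: "{{ tripleo_container_registry_logins_json | from_json }}"
              when:
                - tripleo_container_registry_logins_json is string
                - tripleo_container_registry_login | bool
                - (tripleo_container_registry_logins_json | length) > 0
            - name: Set registry logins
              no_log: true
              set_fact:
                tripleo_container_registry_logins: "{{ tripleo_container_registry_logins_json }}"
              when:
                - tripleo_container_registry_logins_json is mapping
                - tripleo_container_registry_login | bool
                - (tripleo_container_registry_logins_json | length) > 0
            - name: Run podman install
              include_role:
                name: tripleo_podman
                tasks_from: tripleo_podman_install.yml
            - name: Run podman login
              include_role:
                name: tripleo_podman
                tasks_from: tripleo_podman_login.yml
            # The marker file is what tripleo_container_manage checks for; it
            # is created or removed according to SystemdDropInDependencies.
            - if:
                - {get_param: SystemdDropInDependencies}
                - - name: Configure tripleo_container_manage to generate systemd drop-in dependencies
                    copy:
                      dest: /etc/sysconfig/podman_drop_in
                      content: |
                        This file makes tripleo_container_manage generate additional systemd
                        dependencies for containers that have special
                        start/stop ordering constraints. It ensures that
                        those constraints are enforced on reboot/shutdown.
                - - name: Configure tripleo_container_manage to not generate drop-in dependencies
                    file:
                      path: /etc/sysconfig/podman_drop_in
                      state: absent
      deploy_steps_tasks:
        - when:
            - (step|int) == 1
          block: &podman_prefetch_images
            # NOTE(mwhahaha): validate_certs is a misnomer because what it
            # actually does is enable the --tls-verify flag which forces
            # registries to only be over HTTPS. By default, podman will only
            # use HTTPS registries but has a way to configure specific insecure
            # and non-HTTPS registries. The --tls-verify flag prevents this
            # fallback from functioning. We rely on this fallback for the
            # undercloud registry.
            # NOTE(review): validate_certs: false is passed for every pull made
            # here, so certificate verification is relaxed for all registries,
            # not only those in DockerInsecureRegistryAddress. ansible_group_vars
            # already derives tripleo_podman_tls_verify from that list;
            # validate_certs: "{{ tripleo_podman_tls_verify | bool }}" (or
            # leaving the option unset so registries.conf decides, if the
            # installed containers.podman module supports that) would only
            # relax verification when an insecure registry is configured.
            # Confirm the undercloud-registry case above still works first.
            - name: Pre-fetch all the containers
              become: true
              containers.podman.podman_image:
                name: "{{ prefetch_image }}"
                validate_certs: false
                # force is presumably what makes an image whose name/tag did not
                # change get re-pulled (see "Force pre-fetch" in update_tasks).
                force: true
              register: result
              until: result is succeeded
              retries: 5
              delay: 5
              loop_control:
                loop_var: prefetch_image
              # Every distinct image referenced by this role's docker_config.yaml.
              # errors='ignore' plus the '{}' default mean a role without that
              # template gets an empty loop instead of a failure.
              loop: "{{ lookup('template', tripleo_role_name + '/docker_config.yaml', errors='ignore') | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}"
        - name: Manage tripleo container services
          include_role:
            name: tripleo_container_manage
            tasks_from: shutdown.yml
          when:
            - (step|int) == 1
      service_config_settings: {}
      upgrade_tasks:
        - name: Run podman install
          when:
            - (step|int) == 1
          block:
            # undercloud_hosts_entries is assumed to be a list of complete
            # /etc/hosts lines supplied by the inventory - confirm with caller.
            - name: Make sure the Undercloud hostname is included in /etc/hosts
              when:
                - undercloud_hosts_entries is defined
              lineinfile:
                dest: /etc/hosts
                line: "{{ undercloud_hosts_entries | join('') }}"
                state: present
            - name: Set container_registry_insecure_registries fact.
              set_fact:
                tripleo_container_registry_insecure_registries:
                  if:
                    - insecure_registry_is_set
                    - {get_param: DockerInsecureRegistryAddress}
            - name: Run podman install
              include_role:
                name: tripleo_podman
                tasks_from: tripleo_podman_install.yml
        - name: system_upgrade_prepare step 2
          # The never tag keeps these destructive tasks skipped unless one of the
          # system_upgrade tags is requested explicitly.
          tags:
            - never
            - system_upgrade
            - system_upgrade_prepare
          when:
            - (step|int) == 2
          block:
            - name: Check if pcs is present
              stat:
                path: /usr/sbin/pcs
              register: pcs_stat
            - name: Stop pacemaker cluster before stopping all docker containers
              # NOTE: We are intentionally not using the community version of
              # pacemaker_cluster here due to variances between the two:
              # https://bugs.launchpad.net/tripleo/+bug/1938967
              pacemaker_cluster:
                state: offline
              when: pcs_stat.stat.exists
            - name: Destroy pacemaker cluster
              command: /usr/sbin/pcs cluster destroy
              when: pcs_stat.stat.exists
      update_tasks:
        - name: Force pre-fetch of container images
          when:
            - (step|int) == 5
          block: *podman_prefetch_images
      # Podman purge tasks are disabled on the undercloud since the ephemeral
      # Heat images need to be kept. When commit
      # https://github.com/containers/podman/commit/a5ad36c65ea07d839fd9bf55a820c8cb9884eed1
      # is available in the podman version used by TripleO, the ephemeral
      # Heat images could be labeled in a way that they could be kept with
      # --filter, and these tasks could be re-enabled on the undercloud.
      # The same purge runs after both upgrades and updates, hence the anchor.
      post_upgrade_tasks: &podman_purge_tasks
        - name: Purge Podman
          when:
            - (step|int) == 3
            - deployment_source_hosts not in group_names
          include_role:
            name: tripleo_podman
            tasks_from: tripleo_podman_purge.yml
          vars:
            deployment_source_hosts: {get_param: deployment_source_hosts}
      post_update_tasks: *podman_purge_tasks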