7c8127cf96
https://review.openstack.org/500952 initially just did this. Then we assumed every container should have the selinux sysfs. This causes issues with the sshd container used for live-migration. The advice from the selinux experts is that it should not be enabled within containers, so reverting back to the original fix that enables it only in the nova-libvirt container. Closes-bug: 1729405 Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca
75 lines
2.2 KiB
YAML
75 lines
2.2 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
Contains a static list of common things necessary for containers
|
|
|
|
parameters:
|
|
|
|
# Required parameters
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
|
|
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
volumes:
|
|
description: Common volumes for the containers.
|
|
value:
|
|
list_concat:
|
|
- - /etc/hosts:/etc/hosts:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
# required for bootstrap_host_exec
|
|
- /etc/puppet:/etc/puppet:ro
|
|
# OpenSSL trusted CAs
|
|
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
|
|
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
|
|
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
|
|
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
|
|
# Syslog socket
|
|
- /dev/log:/dev/log
|
|
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|