openstack/tripleo-heat-templates
Code Issues Proposed changes
d8604df61b
tripleo-heat-templates/deployment/placement/placement-api-container-puppet.yaml
Takashi Kajinami d8604df61b Log source ips instead of controller ips in apache access log 
Currently apache access logs have controller ips instead of source ips
recorded since apache simply records source ip of http traffic.

This change ensures that client ips are detected by the X-Forwarded-For
header added by haproxy.

Note that the forwarded format does not log client ip if the header is
missing. Because of this, direct http requests(eg. healthcheck requests
from haproxy) results in log lines without client ip.

Depends-on: https://review.opendev.org/837504
Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
2022-05-07 02:15:20 +09:00

356 lines
14 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Placement API service
parameters:
ContainerPlacementImage:
description: image
type: string
tags:
- role_specific
ContainerPlacementConfigImage:
description: The container image to use for the placement config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
PlacementWorkers:
default: 0
description: Number of workers for Placement services.
type: number
PlacementPassword:
description: The password for the Placement service and db account
type: string
hidden: true
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionPlacement:
default: 'overcloud-placement'
type: string
PlacementLoggingSource:
type: json
default:
tag: openstack.placement
file: /var/log/containers/httpd/placement_wsgi_error_ssl.log
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
PlacementDebug:
default: false
description: Set to True to enable debugging Placement services.
type: boolean
PlacementPolicies:
description: |
A hash of policies to configure for Placement API.
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
conditions:
placement_workers_set:
not: {equals : [{get_param: PlacementWorkers}, 0]}
resources:
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
PlacementLogging:
type: OS::TripleO::Services::Logging::PlacementApi
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerPlacementImage: ContainerPlacementImage
ContainerPlacementConfigImage: ContainerPlacementConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerPlacementImage: {get_param: ContainerPlacementImage}
ContainerPlacementConfigImage: {get_param: ContainerPlacementConfigImage}
outputs:
role_data:
description: Role data for the Placement API role.
value:
service_name: placement
firewall_rules:
'138 placement':
dport:
- 8778
firewall_frontend_rules:
'100 placement_haproxy_frontend':
dport:
- 8778
firewall_ssl_frontend_rules:
'100 placement_haproxy_frontend_ssl':
dport:
- 13778
keystone_resources:
placement:
endpoints:
public: {get_param: [EndpointMap, PlacementPublic, uri]}
internal: {get_param: [EndpointMap, PlacementInternal, uri]}
admin: {get_param: [EndpointMap, PlacementAdmin, uri]}
users:
placement:
password: {get_param: PlacementPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'placement'
monitoring_subscription: {get_param: MonitoringSubscriptionPlacement}
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
- apache::default_vhost: false
placement::api::enable_proxy_headers_parsing: true
placement::sync_db: false
placement::keystone::authtoken::project_name: 'service'
placement::keystone::authtoken::password: {get_param: PlacementPassword}
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
placement::keystone::authtoken::interface: 'internal'
placement::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
placement::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
placement::policy::enforce_scope: {get_param: EnforceSecureRbac}
placement::logging::debug:
if:
- {get_param: PlacementDebug}
- true
- {get_param: Debug}
placement::policy::policies: {get_param: PlacementPolicies}
placement::wsgi::apache::access_log_format: 'forwarded'
placement::wsgi::apache::api_port: '8778'
placement::wsgi::apache::path: '/placement'
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
placement::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PlacementNetwork]}
placement::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, PlacementNetwork]}
placement::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: placement
password: {get_param: PlacementPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /placement
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: placement_api
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
placement::wsgi::apache::workers:
if:
- placement_workers_set
- {get_param: PlacementWorkers}
service_config_settings:
rsyslog:
tripleo_logging_sources_placement:
- {get_param: PlacementLoggingSource}
mysql:
placement::db::mysql::password: {get_param: PlacementPassword}
placement::db::mysql::user: placement
placement::db::mysql::host: '%'
placement::db::mysql::dbname: placement
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: placement
puppet_tags: placement_config
step_config:
list_join:
- "\n"
- - {get_attr: [MySQLClient, role_data, step_config]}
- "include tripleo::profile::base::placement::api"
config_image: {get_attr: [RoleParametersValue, value, ContainerPlacementConfigImage]}
kolla_config:
/var/lib/kolla/config_files/placement_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &placement_api_config_files
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions: &placement_api_permissions
- path: /var/log/placement
owner: placement:placement
recurse: true
/var/lib/kolla/config_files/placement_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec placement su placement -s /bin/bash -c '/usr/bin/placement-manage db sync'"
config_files: *placement_api_config_files
permissions: *placement_api_permissions
/var/lib/kolla/config_files/placement_api_wait_for_service.json:
command: "/usr/bin/bootstrap_host_exec placement su placement -s /bin/bash -c '/container-config-scripts/pyshim.sh /container-config-scripts/placement_wait_for_service.py'"
config_files: *placement_api_config_files
permissions: *placement_api_permissions
container_config_scripts:
map_merge:
- {get_attr: [ContainersCommon, container_config_scripts]}
- placement_wait_for_service.py:
mode: "0755"
content: { get_file: ../../container_config_scripts/placement_wait_for_service.py }
docker_config:
step_2:
get_attr: [PlacementLogging, docker_config, step_2]
step_3:
placement_api_db_sync:
start_order: 1
image: &placement_api_image {get_attr: [RoleParametersValue, value, ContainerPlacementImage]}
net: host
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [PlacementLogging, volumes]}
- - /var/lib/kolla/config_files/placement_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
placement_api:
start_order: 1
image: *placement_api_image
net: host
user: root
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [PlacementLogging, volumes]}
- - /var/lib/kolla/config_files/placement_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
placement_wait_for_service:
start_order: 2
image: *placement_api_image
user: root
net: host
privileged: false
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [PlacementLogging, volumes]}
- - /var/lib/kolla/config_files/placement_api_wait_for_service.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro
- /var/lib/container-config-scripts:/container-config-scripts:z
environment:
__OS_DEBUG:
yaql:
expression: str($.data.debug)
data:
debug: {get_param: Debug}
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks: {get_attr: [PlacementLogging, host_prep_tasks]}
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
upgrade_tasks: []
View Git Blame Copy Permalink