openstack/tripleo-heat-templates
Code Issues Proposed changes
dd8488c32d
tripleo-heat-templates/docker/services/zaqar.yaml
Kevin Carter c6752d70ec Resolve broken zaqar container caused by logging issues 
The zaqar container is broken due to the log file being owned by root. When
the zaqar-server log file is unabnle to be written to by the zaqar process
it causes a traceback resulting in 500 errors. This change ensures that the
zaqar log directory has the proper permissions and that the log file within
the directory is created when the container is started. A sticky bit is
being used on the zaqar log directory to ensure all files created within
the directory retain group expected permissions in almost all circumstances.

Related-Bug: #1843875

Change-Id: I63442f0bdec11179c361f503906166f75c5e0355
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 4579d42e8d)
2019-09-13 11:43:56 +02:00

225 lines
8.5 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
OpenStack containerized Zaqar services
parameters:
DockerZaqarImage:
description: image
type: string
DockerZaqarConfigImage:
description: The container image to use for the zaqar config_volume
type: string
ZaqarManagementStore:
type: string
description: The management store for Zaqar
default: mongodb
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
zaqar_management_store_sqlalchemy: {equals : [{get_param: ZaqarManagementStore}, 'sqlalchemy']}
internal_tls_enabled: {get_param: EnableInternalTLS}
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
ZaqarBase:
type: ../../puppet/services/zaqar-api.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Zaqar API role.
value:
service_name: {get_attr: [ZaqarBase, role_data, service_name]}
config_settings: {get_attr: [ZaqarBase, role_data, config_settings]}
logging_source: {get_attr: [ZaqarBase, role_data, logging_source]}
logging_groups: {get_attr: [ZaqarBase, role_data, logging_groups]}
service_config_settings: {get_attr: [ZaqarBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: zaqar
puppet_tags: zaqar_config
step_config:
list_join:
- "\n"
- - {get_attr: [ZaqarBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerZaqarConfigImage}
kolla_config:
/var/lib/kolla/config_files/zaqar.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/zaqar_websocket.json:
command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/zaqar
owner: zaqar:zaqar
recurse: true
docker_config:
map_merge:
-
if:
- zaqar_management_store_sqlalchemy
-
step_2:
zaqar_init_log:
image: &zaqar_image {get_param: DockerZaqarImage}
user: root
volumes:
- /var/log/containers/zaqar:/var/log/zaqar
- /var/log/containers/httpd/zaqar:/var/log/httpd
command: ['/bin/bash', '-c', 'chmod 2755 /var/log/zaqar; touch /var/log/zaqar/zaqar-server.log; chown -R zaqar:zaqar /var/log/zaqar']
step_3:
zaqar_db_sync:
image: *zaqar_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
- /var/log/containers/zaqar:/var/log/zaqar
- /var/log/containers/httpd/zaqar:/var/log/httpd
command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'"
- {}
- step_4:
zaqar:
image: *zaqar_image
net: host
privileged: false
restart: always
# NOTE(mandre) kolla image changes the user to 'zaqar', we need it
# to be root to run httpd
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/zaqar:/var/log/zaqar
- /var/log/containers/httpd/zaqar:/var/log/httpd
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
zaqar_websocket:
image: *zaqar_image
net: host
privileged: false
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/zaqar:/var/log/zaqar
- /var/log/containers/httpd/zaqar:/var/log/httpd
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/zaqar, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/zaqar, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/zaqar, 'setype': svirt_sandbox_file_t }
- name: zaqar logs readme
copy:
dest: /var/log/zaqar/readme.txt
content: |
Log files from zaqar containers can be found under
/var/log/containers/zaqar and /var/log/containers/httpd/zaqar.
ignore_errors: true
upgrade_tasks:
- when: step|int == 0
tags: common
block:
- name: Check for zaqar running under apache
shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi"
ignore_errors: True
register: zaqar_httpd_enabled_result
- set_fact:
zaqar_httpd_enabled: "{{ zaqar_httpd_enabled_result.rc == 0 }}"
- name: Check if httpd is running
command: systemctl is-active --quiet httpd
ignore_errors: True
register: httpd_running_result
when: httpd_running is undefined
- set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when: httpd_running is undefined
- name: Stop and disable zaqar service
when:
- step|int == 2
- zaqar_httpd_enabled|bool
- httpd_running|bool
service: name=httpd state=stopped enabled=no
metadata_settings:
get_attr: [ZaqarBase, role_data, metadata_settings]
View Git Blame Copy Permalink