c6752d70ec
The zaqar container is broken due to the log file being owned by root. When
the zaqar-server log file is unabnle to be written to by the zaqar process
it causes a traceback resulting in 500 errors. This change ensures that the
zaqar log directory has the proper permissions and that the log file within
the directory is created when the container is started. A sticky bit is
being used on the zaqar log directory to ensure all files created within
the directory retain group expected permissions in almost all circumstances.
Related-Bug: #1843875
Change-Id: I63442f0bdec11179c361f503906166f75c5e0355
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 4579d42e8d
)
225 lines
8.5 KiB
YAML
225 lines
8.5 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack containerized Zaqar services
|
|
|
|
parameters:
|
|
DockerZaqarImage:
|
|
description: image
|
|
type: string
|
|
DockerZaqarConfigImage:
|
|
description: The container image to use for the zaqar config_volume
|
|
type: string
|
|
ZaqarManagementStore:
|
|
type: string
|
|
description: The management store for Zaqar
|
|
default: mongodb
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
zaqar_management_store_sqlalchemy: {equals : [{get_param: ZaqarManagementStore}, 'sqlalchemy']}
|
|
internal_tls_enabled: {get_param: EnableInternalTLS}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../puppet/services/database/mysql-client.yaml
|
|
|
|
ZaqarBase:
|
|
type: ../../puppet/services/zaqar-api.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Zaqar API role.
|
|
value:
|
|
service_name: {get_attr: [ZaqarBase, role_data, service_name]}
|
|
config_settings: {get_attr: [ZaqarBase, role_data, config_settings]}
|
|
logging_source: {get_attr: [ZaqarBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [ZaqarBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [ZaqarBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: zaqar
|
|
puppet_tags: zaqar_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - {get_attr: [ZaqarBase, role_data, step_config]}
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: DockerZaqarConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/zaqar.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
/var/lib/kolla/config_files/zaqar_websocket.json:
|
|
command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/zaqar
|
|
owner: zaqar:zaqar
|
|
recurse: true
|
|
docker_config:
|
|
map_merge:
|
|
-
|
|
if:
|
|
- zaqar_management_store_sqlalchemy
|
|
-
|
|
step_2:
|
|
zaqar_init_log:
|
|
image: &zaqar_image {get_param: DockerZaqarImage}
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/zaqar:/var/log/zaqar
|
|
- /var/log/containers/httpd/zaqar:/var/log/httpd
|
|
command: ['/bin/bash', '-c', 'chmod 2755 /var/log/zaqar; touch /var/log/zaqar/zaqar-server.log; chown -R zaqar:zaqar /var/log/zaqar']
|
|
step_3:
|
|
zaqar_db_sync:
|
|
image: *zaqar_image
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
|
|
- /var/log/containers/zaqar:/var/log/zaqar
|
|
- /var/log/containers/httpd/zaqar:/var/log/httpd
|
|
command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'"
|
|
- {}
|
|
- step_4:
|
|
zaqar:
|
|
image: *zaqar_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
# NOTE(mandre) kolla image changes the user to 'zaqar', we need it
|
|
# to be root to run httpd
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/zaqar:/var/log/zaqar
|
|
- /var/log/containers/httpd/zaqar:/var/log/httpd
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- ''
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- ''
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
zaqar_websocket:
|
|
image: *zaqar_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/zaqar:/var/log/zaqar
|
|
- /var/log/containers/httpd/zaqar:/var/log/httpd
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
setype: "{{ item.setype }}"
|
|
state: directory
|
|
with_items:
|
|
- { 'path': /var/log/containers/zaqar, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/containers/httpd/zaqar, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/zaqar, 'setype': svirt_sandbox_file_t }
|
|
- name: zaqar logs readme
|
|
copy:
|
|
dest: /var/log/zaqar/readme.txt
|
|
content: |
|
|
Log files from zaqar containers can be found under
|
|
/var/log/containers/zaqar and /var/log/containers/httpd/zaqar.
|
|
ignore_errors: true
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check for zaqar running under apache
|
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi"
|
|
ignore_errors: True
|
|
register: zaqar_httpd_enabled_result
|
|
- set_fact:
|
|
zaqar_httpd_enabled: "{{ zaqar_httpd_enabled_result.rc == 0 }}"
|
|
- name: Check if httpd is running
|
|
command: systemctl is-active --quiet httpd
|
|
ignore_errors: True
|
|
register: httpd_running_result
|
|
when: httpd_running is undefined
|
|
- set_fact:
|
|
httpd_running: "{{ httpd_running_result.rc == 0 }}"
|
|
when: httpd_running is undefined
|
|
- name: Stop and disable zaqar service
|
|
when:
|
|
- step|int == 2
|
|
- zaqar_httpd_enabled|bool
|
|
- httpd_running|bool
|
|
service: name=httpd state=stopped enabled=no
|
|
metadata_settings:
|
|
get_attr: [ZaqarBase, role_data, metadata_settings]
|