tripleo-heat-templates/deployment/horizon/horizon-container-puppet.yaml
Cédric Jeanneret c7acaa28de Ensure mode is correct for the tmp directory
There was a mix-up with "1777" and "01777" - while the first is OK with
"chmod", it's not good with ansible.

This patch corrects the mode introduced in
I6c239065d4c92c9afc62ff4e513e6d097a06e218, meaning we will need it down
to stable/train.

Change-Id: I6c26b19891c1210592e2696c2ae5cb865e3ded99
Resolves: rhbz#2117221
2022-08-10 15:50:29 +02:00

425 lines
16 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Horizon service
parameters:
ContainerHorizonImage:
description: image
type: string
tags:
- role_specific
ContainerHorizonConfigImage:
description: The container image to use for the horizon config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: boolean
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
HorizonSessionTimeout:
description: Set session timeout for horizon in seconds
type: number
default: 1800
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
HorizonHelpURL:
default: 'http://docs.openstack.org'
description: On top of dashboard there is a Help button. This button could be used
to re-direct user to vendor documentation or dedicated help portal.
type: string
TimeZone:
default: 'UTC'
description: The timezone to be set on the overcloud.
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
HorizonDomainChoices:
default: []
type: json
description: Specifies available domains to choose from. We expect an array
of hashes, and the hashes should have two items each (name, display)
containing Keystone domain name and a human-readable description of
the domain respectively.
HorizonLoggingSource:
type: json
default:
tag: openstack.horizon
file: /var/log/containers/horizon/horizon.log
HorizonWorkers:
default: 0
description: Number of workers for Horizon service.
type: number
HorizonHstsHeaderValue:
default: []
description: Enables HTTP Strict-Transport-Security header in response.
type: comma_delimited_list
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- MemcachedIPv6
conditions:
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
is_ipv6:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
- 6
horizon_logger_debug:
or:
- {get_param: Debug}
- {get_param: HorizonDebug}
horizon_workers_set:
not: {equals : [{get_param: HorizonWorkers}, 0]}
horizon_hsts_header_value_set:
not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}
resources:
ContainersCommon:
type: ../containers-common.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerHorizonImage: ContainerHorizonImage
ContainerHorizonConfigImage: ContainerHorizonConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerHorizonImage: {get_param: ContainerHorizonImage}
ContainerHorizonConfigImage: {get_param: ContainerHorizonConfigImage}
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: horizon
firewall_rules:
'126 horizon':
dport:
- if:
- {get_param: EnableInternalTLS}
- 443
- 80
firewall_frontend_rules:
'100 horizon_haproxy_frontend':
dport:
- 80
firewall_ssl_frontend_rules:
'100 horizon_haproxy_frontend_ssl':
dport:
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
horizon::enable_secure_proxy_ssl_header: true
horizon::secure_proxy_addr_header: HTTP_X_FORWARDED_FOR
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key: {get_param: HorizonSecret}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
horizon::session_timeout: {get_param: HorizonSessionTimeout}
memcached_ipv6: {if: [is_ipv6, true, false]}
horizon::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::customization_module: {get_param: HorizonCustomizationModule}
horizon::timezone: {get_param: TimeZone}
horizon::file_upload_temp_dir: '/var/tmp'
horizon::help_url: {get_param: HorizonHelpURL}
- if:
- {get_param: EnableInternalTLS}
- horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::ssl_verify_client: require
- if:
- {get_param: WebSSOEnable}
- horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- if:
- {get_param: HorizonDebug}
- horizon::django_debug: true
- horizon::django_debug: {get_param: Debug}
- if:
- horizon_logger_debug
- horizon::log_level: 'DEBUG'
- if:
- horizon_domain_choices_set
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
- if:
- horizon_workers_set
- horizon::wsgi_processes: {get_param: HorizonWorkers}
ansible_group_vars:
keystone_enable_member: true
service_config_settings:
rsyslog:
tripleo_logging_sources_horizon:
yaql:
expression: $.data.sources.flatten()
data:
sources:
- {get_param: HorizonLoggingSource}
haproxy:
if:
- horizon_hsts_header_value_set
- tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: |
include tripleo::profile::base::horizon
config_image: {get_attr: [RoleParametersValue, value, ContainerHorizonConfigImage]}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
# horizon:horizon - the policy.json files need read permissions for the apache user
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
- path: /etc/openstack-dashboard/
owner: apache:apache
recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache
recurse: false
# FIXME Our theme settings are there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
owner: apache:apache
recurse: false
docker_config:
step_2:
horizon_fix_perms:
image: &horizon_image {get_attr: [RoleParametersValue, value, ContainerHorizonImage]}
net: none
user: root
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
# otherwise it's created by root when generating django cache.
# FIXME Apache needs to read files in /etc/openstack-dashboard
# Need to set permissions to match the BM case,
# http://paste.openstack.org/show/609819/
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
volumes:
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
step_3:
horizon:
image: *horizon_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/horizon:/var/tmp:z
- /var/www:/var/www:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
ENABLE_DESIGNATE: 'yes'
ENABLE_HEAT: 'yes'
ENABLE_IRONIC: 'yes'
ENABLE_MANILA: 'yes'
ENABLE_OCTAVIA: 'yes'
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': container_file_t }
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '01777' }
- name: ensure /var/tmp/horizon exists on boot
copy:
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
content: |
d /var/tmp/horizon 01777 root root - -
upgrade_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: &tmp_reset_label
- name: Reset selinux label on /var/tmp
file:
path: /var/tmp
state: directory
setype: tmp_t
mode: 01777
update_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: *tmp_reset_label
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop horizon container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- horizon
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"