80f0176f6a
We have seen this container fail in selinux enforcing mode (rhbz#1698555): A) Enforcing on podman run -it --rm -user=root --net=host -e KOLLA_INSTALL_METATYPE=rhos -e KOLLA_INSTALL_TYPE=binary \ -e KOLLA_BASE_DISTRO=rhel -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e KOLLA_DISTRO_PYTHON_VERSION=3.6 \ -v /home/stack/undercloud.conf:/var/lib/undercloud.conf \ -v /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json \ -v /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src 68c1f09c2bfa sh ()[root@undercloud-0 /]$ kolla_set_configs INFO:__main__:Loading config file at /var/lib/kolla/config_files/config.json ....snip.... INFO:__main__:Copying /var/lib/kolla/config_files/src/var/www/cgi-bin/mistral/app to /var/www/cgi-bin/mistral/app ERROR:__main__:MissingRequiredSource: /var/lib/undercloud.conf file is not found The error is a bit misleading because the file is actually there: ()[root@undercloud-0 /]$ ls -1 /var/lib/ |grep -i undercloud.conf undercloud.conf The problem is that we cannot access it because selinux is denying us: ()[root@undercloud-0 /]$ ls -lZ /var/lib/undercloud.conf ls: cannot access '/var/lib/undercloud.conf': Permission denied [root@undercloud-0 ~]# ls -ldZ /home/stack/ ; ls -lZ /home/stack/undercloud.conf drwx------. 9 stack stack unconfined_u:object_r:user_home_dir_t:s0 4096 Apr 10 11:06 /home/stack/ -rwxr-xr-x. 1 stack stack unconfined_u:object_r:user_home_t:s0 891 Apr 10 10:23 /home/stack/undercloud.conf Adding ',z' to the undercloud.conf bind mount fixed it for us. What is still left unclear is why we did not get specific 'denied' messages for this access problem. Co-Authored-By: Julie Pichon <jpichon@redhat.com> Change-Id: If061d496a26c84e5027916c0d8f9153b129b451a
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Mistral Executor service
|
|
|
|
parameters:
|
|
DockerMistralExecutorImage:
|
|
description: image
|
|
type: string
|
|
DockerMistralExecutorUlimit:
|
|
default: ['nofile=1024']
|
|
description: ulimit for Mistral Executor Container
|
|
type: comma_delimited_list
|
|
DockerMistralConfigImage:
|
|
description: The container image to use for the mistral config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
MistralExecutorVolumes:
|
|
default: []
|
|
description: List of additional volumes to mount into the mistral-executor container
|
|
type: comma_delimited_list
|
|
MistralExecutorExtraVolumes:
|
|
default: []
|
|
description: List of user-provided additional volumes to mount into the mistral-executor container
|
|
type: comma_delimited_list
|
|
UndercloudConfigFilePath:
|
|
default: ''
|
|
description: Configuration file for Undercloud, needed by TripleO Validations.
|
|
type: string
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
MistralDockerGroup:
|
|
default: false
|
|
description: Add the mistral user to the docker group to allow actions to perform docker operations.
|
|
type: boolean
|
|
RpcPort:
|
|
default: 5672
|
|
description: The network port for messaging backend
|
|
type: number
|
|
TripleoAdminUser:
|
|
default: 'tripleo-admin'
|
|
description: Name of user which manages the hosts
|
|
type: string
|
|
|
|
conditions:
|
|
undercloud_config_file_path_unset: {equals : [{get_param: UndercloudConfigFilePath}, '']}
|
|
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../../docker/services/containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../database/mysql-client.yaml
|
|
|
|
MistralBase:
|
|
type: ./mistral-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Mistral Executor role.
|
|
value:
|
|
service_name: mistral_executor
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [MistralBase, role_data, config_settings]
|
|
# Note: the hiera parameter will only work if the TripleO validations
|
|
# are run from Mistral Executor container. If the parameter is
|
|
# needed on the host, it'll have to be defined somewhere else too.
|
|
# The hiera param is set to the same value as the bind mound location
|
|
# of the file inside the container.
|
|
- tripleo_undercloud_conf_file: '/var/lib/mistral/undercloud.conf'
|
|
tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup}
|
|
service_config_settings: {get_attr: [MistralBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: mistral
|
|
puppet_tags: mistral_config,user,group
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - include ::tripleo::profile::base::mistral::executor
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: DockerMistralConfigImage}
|
|
volumes:
|
|
list_concat:
|
|
-
|
|
if:
|
|
- docker_enabled
|
|
- - /var/run/docker.sock:/var/run/docker.sock:rw
|
|
- null
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/mistral_executor.json:
|
|
command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor
|
|
config_files:
|
|
list_concat:
|
|
- - source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- if:
|
|
- undercloud_config_file_path_unset
|
|
- null
|
|
- - source: '/var/lib/undercloud.conf'
|
|
dest: '/var/lib/mistral/undercloud.conf'
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/mistral
|
|
owner: mistral:mistral
|
|
recurse: true
|
|
- path: /var/lib/mistral
|
|
owner: mistral:mistral
|
|
recurse: true
|
|
docker_config:
|
|
step_4:
|
|
mistral_executor:
|
|
image: {get_param: DockerMistralExecutorImage}
|
|
ulimit: {get_param: DockerMistralExecutorUlimit}
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test:
|
|
list_join:
|
|
- ' '
|
|
- - '/openstack/healthcheck'
|
|
- yaql:
|
|
expression: str($.data.port)
|
|
data:
|
|
port: {get_param: RpcPort}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro
|
|
- /run:/run
|
|
- /var/log/containers/mistral:/var/log/mistral:z
|
|
- /var/lib/mistral:/var/lib/mistral:z
|
|
- /usr/share/ansible/:/usr/share/ansible/:ro
|
|
- /var/lib/config-data/puppet-generated:/var/lib/config-data/puppet-generated:ro
|
|
- /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro
|
|
- /usr/share/openstack-tripleo-heat-templates:/usr/share/openstack-tripleo-heat-templates:ro
|
|
- {get_param: MistralExecutorVolumes}
|
|
- {get_param: MistralExecutorExtraVolumes}
|
|
- if:
|
|
- undercloud_config_file_path_unset
|
|
- null
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: UndercloudConfigFilePath}
|
|
- '/var/lib/undercloud.conf'
|
|
- 'ro,z'
|
|
- - str_replace:
|
|
template:
|
|
'/home/tripleo-admin:/home/tripleo-admin'
|
|
params:
|
|
tripleo-admin: {get_param: TripleoAdminUser}
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
env_file: /etc/environment
|
|
host_prep_tasks:
|
|
- set_fact:
|
|
tripleo_admin_user: {get_param: TripleoAdminUser}
|
|
- import_role:
|
|
name: tripleo-create-admin
|
|
tasks_from: create_user.yml
|
|
vars:
|
|
tripleo_admin_generate_key: true
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/lib/mistral, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/mistral, 'setype': svirt_sandbox_file_t }
|
|
- name: create mistral/.ssh directory
|
|
file:
|
|
path: /var/lib/mistral/.ssh
|
|
state: directory
|
|
mode: 0700
|
|
- name: copy tripleo-admin private key to /var/lib/mistral/.ssh
|
|
copy:
|
|
src: /home/{{ tripleo_admin_user }}/.ssh/id_rsa
|
|
dest: /var/lib/mistral/.ssh/{{ tripleo_admin_user }}-rsa
|
|
mode: 0600
|
|
- name: mistral logs readme
|
|
copy:
|
|
dest: /var/log/mistral/readme.txt
|
|
content: |
|
|
Log files from mistral containers can be found under
|
|
/var/log/containers/mistral.
|
|
ignore_errors: true
|
|
- name: create ceph-ansible source directory
|
|
file:
|
|
path: /usr/share/ceph-ansible
|
|
state: directory
|
|
setype: svirt_sandbox_file_t
|
|
- name: create octavia-amphora-images directory
|
|
file:
|
|
path: /usr/share/openstack-octavia-amphora-images
|
|
state: directory
|
|
setype: svirt_sandbox_file_t
|
|
- name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- mistral_executor
|
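Review bot: The `'ro,z'` option on the UndercloudConfigFilePath bind mount (the `list_join` under the `undercloud_config_file_path_unset` condition in `docker_config`) relabels the host file in place with the shared `z` context, so the operator's undercloud.conf — which the commit message shows living under /home/stack with `user_home_t` — gets a persistent label that every container on the host can read, and a later `restorecon` over the home directory would revert it and reintroduce the failure. If only this container needs the file, the private `Z` label (`'ro,Z'`) confines it to this container's MCS category; if relabelling a file in a user's home directory is undesirable at all, copying it in `host_prep_tasks` into /var/lib/mistral, which is already created with `setype: svirt_sandbox_file_t`, and mounting from there leaves the source untouched. Whichever is kept, a comment beside the option such as `# z relabels the host copy of UndercloudConfigFilePath so the container can read it under SELinux enforcing (rhbz#1698555)` would record why the flag is there, since nothing in the template explains it. Note also that the `host_prep_tasks` here already use `svirt_sandbox_file_t` for the other mounted paths, so mounting from /var/lib/mistral would match the file's existing convention.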