ce0cc752d9
In queens we didn't use the ansible-role-container-registry so we need to port the ansible logic that we use into puppet for the docker service configuration. Closes-Bug: #1833584 Depends-On: https://review.opendev.org/#/c/670082/ Change-Id: I5ee8f8b17ad3424a3bf9d4a420d6c65ab977c6b7
# Heat service template for the docker daemon. The role data defined in
# `outputs` hands the settings to the tripleo::profile::base::docker puppet
# profile.
heat_template_version: queens

description: >
  Configures docker on the host

parameters:
  # Registries listed here are configured as "insecure" for the docker
  # daemon: pulls from them are not protected by verified TLS, so image
  # content can be altered in transit. Keep the empty default unless the
  # registry sits on a trusted network.
  DockerInsecureRegistryAddress:
    type: comma_delimited_list
    default: []
    description: >-
      Optional. The IP Address and Port of an insecure docker
      namespace that will be configured in /etc/sysconfig/docker.
      The value can be multiple addresses separated by commas.

  # Images may be served from this mirror instead of the upstream registry,
  # so the mirror is part of the image supply chain.
  DockerRegistryMirror:
    type: string
    default: ''
    description: Optional. Configure a registry-mirror in the /etc/docker/daemon.json file.

  # EndpointMap through RoleParameters are not referenced by the conditions
  # or outputs visible in this template.
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.

  ServiceData:
    type: json
    default: {}
    description: Dictionary packing service data

  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.

  # No description is given for this parameter in the template.
  DefaultPasswords:
    type: json
    default: {}

  RoleName:
    type: string
    default: ''
    description: Role name on which the service is applied

  RoleParameters:
    type: json
    default: {}
    description: Parameters specific to the role

  # Global debug switch; used for docker only while DockerDebug is left
  # empty (see the service_debug_unset condition).
  Debug:
    type: boolean
    default: false
    description: Set to True to enable debugging on all services.

  # String rather than boolean so that '' can mean "not set, follow Debug".
  DockerDebug:
    type: string
    default: ''
    description: Set to True to enable debugging Docker services.
    constraints:
      - allowed_values:
          - ''
          - 'true'
          - 'True'
          - 'TRUE'
          - 'false'
          - 'False'
          - 'FALSE'

  # NOTE(review): the default passes --signature-verification=false, so the
  # daemon does not verify image signatures, and --iptables=false, so docker
  # does not manage iptables rules itself (host firewalling has to cover the
  # container networks). Deployments that depend on either control need to
  # override this value.
  DockerOptions:
    type: string
    default: '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
    description: Options that are used to startup the docker service.

  # Whoever can open one of these sockets controls the docker daemon, which
  # is equivalent to root on the host. Mount them only into containers that
  # are trusted to that level.
  DockerAdditionalSockets:
    type: comma_delimited_list
    default:
      - '/var/lib/openstack/docker.sock'
    description: >-
      Additional domain sockets for the docker daemon to bind to (useful for mounting
      into containers that launch other containers)

  DockerNetworkOptions:
    type: string
    default: '--bip=172.31.0.1/24'
    description: >-
      More startup options, like CIDR for the default docker0 bridge (useful for the
      network configuration conflicts resolution)

  # Membership of the docker group lets the user drive the daemon and is
  # therefore root-equivalent on the host; treat the account accordingly.
  DeploymentUser:
    type: string
    default: ''
    description: User added to the docker group in order to use container commands.

  # The credentials below are only forwarded to puppet when this is true.
  ContainerImageRegistryLogin:
    type: boolean
    default: false
    description: >-
      Flag to enable container registry login actions during the deployment.
      Setting this to true will cause login calls to be performed during the
      deployment.

  # hidden: true marks the parameter as secret for Heat. It does not cover
  # other copies of the value, e.g. the environment file that supplies it or
  # the puppet data it is merged into -- TODO confirm those are restricted
  # to root on the node. The values in the description are format examples.
  ContainerImageRegistryCredentials:
    type: json
    default: {}
    hidden: true
    description: |
      Mapping of image registry hosts to login credentials. Must be in the following example format

        docker.io:
          username: pa55word
        '192.0.2.1:8787':
          registry_username: password

conditions:
  # The *_is_empty / *_unset conditions are true while the parameter still
  # holds its empty default; outputs uses them to leave the matching puppet
  # key out of config_settings.
  insecure_registry_is_empty:
    equals:
      - get_param: DockerInsecureRegistryAddress
      - []

  # Despite the name, this tests DockerRegistryMirror (the registry mirror),
  # not the insecure-registry list.
  insecure_registry_mirror_is_empty:
    equals:
      - get_param: DockerRegistryMirror
      - ''

  service_debug_unset:
    equals:
      - get_param: DockerDebug
      - ''

  deployment_user_is_empty:
    equals:
      - get_param: DeploymentUser
      - ''

  additional_sockets_is_empty:
    equals:
      - get_param: DockerAdditionalSockets
      - []

  # True only when the operator explicitly enabled registry login.
  container_registry_login:
    equals:
      - get_param: ContainerImageRegistryLogin
      - true

outputs:
  role_data:
    description: Role data for the docker service
    value:
      service_name: docker
      # Puppet class parameters for tripleo::profile::base::docker. The first
      # map is always present; each following entry contributes its key only
      # when the matching parameter was set.
      config_settings:
        map_merge:
          - tripleo::profile::base::docker::configure_network: true
            tripleo::profile::base::docker::network_options:
              get_param: DockerNetworkOptions
            tripleo::profile::base::docker::docker_options:
              get_param: DockerOptions
            # DockerDebug wins when set; otherwise fall back to Debug.
            tripleo::profile::base::docker::debug:
              if:
                - service_debug_unset
                - get_param: Debug
                - get_param: DockerDebug
          # Registries that docker will contact without verified TLS.
          - if:
              - insecure_registry_is_empty
              - {}
              - tripleo::profile::base::docker::insecure_registries:
                  get_param: DockerInsecureRegistryAddress
          - if:
              - insecure_registry_mirror_is_empty
              - {}
              - tripleo::profile::base::docker::registry_mirror:
                  get_param: DockerRegistryMirror
          # The user named here is added to the docker group (root-equivalent).
          - if:
              - deployment_user_is_empty
              - {}
              - tripleo::profile::base::docker::deployment_user:
                  get_param: DeploymentUser
          - if:
              - additional_sockets_is_empty
              - {}
              - tripleo::profile::base::docker::additional_sockets:
                  get_param: DockerAdditionalSockets
          # Credentials reach puppet only when registry login is enabled.
          # NOTE(review): from here on the secret is ordinary puppet data;
          # confirm the rendered data and puppet logs are readable by root
          # only.
          - if:
              - container_registry_login
              - tripleo::profile::base::docker::registry_credentials:
                  get_param: ContainerImageRegistryCredentials
              - {}
      step_config: |
        include ::tripleo::profile::base::docker
      upgrade_tasks:
        # state=latest installs whatever version the enabled repositories
        # currently offer; no version is pinned here.
        - name: Install docker packages on upgrade if missing
          when: step|int == 3
          yum: name=docker state=latest
      update_tasks:
        block:
          # Because of https://tickets.puppetlabs.com/browse/PUP-686 a --noop
          # run always exits 0, so the exit code cannot tell whether puppet
          # would change anything; the "Out of sync" count is parsed from the
          # summary instead. failed_when: false makes this best-effort: if
          # nothing is printed, the int filter further down yields 0.
          - name: Detect if puppet on the docker profile would restart the service
            shell: |
              puppet apply --noop --summarize --detailed-exitcodes --verbose \
                --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \
                --color=false -e "class { 'tripleo::profile::base::docker': step => 1, }" 2>&1 | \
                awk -F ":" '/Out of sync:/ { print $2}'
            register: puppet_docker_noop_output
            failed_when: false
          # rc 100 is treated as "update available", rc 0 as "nothing to do";
          # any other rc fails the task.
          - name: Is docker going to be updated
            shell: yum check-update docker
            register: docker_check_update
            failed_when: docker_check_update.rc not in [0, 100]
            changed_when: docker_check_update.rc == 100
          - name: Set docker_rpm_needs_update fact
            set_fact: docker_rpm_needs_update={{ docker_check_update.rc == 100 }}
          # This fact is computed but only referenced by the commented-out
          # `when` alternatives below.
          - name: Set puppet_docker_is_outofsync fact
            set_fact: puppet_docker_is_outofsync={{ puppet_docker_noop_output.stdout|trim|int >= 1 }}
          # xargs is preferred over `docker stop $(docker ps -q)` because the
          # latter can produce a command line that is too long.
          - name: Stop all containers
            shell: docker ps -q | xargs --no-run-if-empty -n1 docker stop
            # If we ship a config change which requires docker restart, change the when condition:
            # when: puppet_docker_is_outofsync or docker_rpm_needs_update
            when: docker_rpm_needs_update
          - name: Stop docker
            service:
              name: docker
              state: stopped
            # If we ship a config change which requires docker restart, change the when condition:
            # when: puppet_docker_is_outofsync or docker_rpm_needs_update
            when: docker_rpm_needs_update
          - name: Update the docker package
            yum: name=docker state=latest update_cache=yes  # cache for tripleo/+bug/1703830
            when: docker_rpm_needs_update
          # With --detailed-exitcodes rc 2 is reported as "changed" and rc 0 as
          # "no change"; every other rc fails the task.
          - name: Apply puppet which will start the service again
            shell: |
              puppet apply --detailed-exitcodes --verbose \
                --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \
                -e "class { 'tripleo::profile::base::docker': step => 1, }"
            register: puppet_docker_apply
            failed_when: puppet_docker_apply.rc not in [0, 2]
            changed_when: puppet_docker_apply.rc == 2
        # NOTE(review): read as gating the whole block on step 2; the listing
        # does not show nesting, so confirm this `when` is block-level and not
        # part of the last task.
        when: step|int == 2