openstack
/
puppet-tripleo
Code Issues Proposed changes
puppet-tripleo/manifests/profile/base/docker.pp

193 lines
6.1 KiB
Puppet
Raw Blame History

# Copyright 2017 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::docker
#
# docker profile for tripleo
#
# === Parameters
#
# [*docker_namespace*]
# The namespace to be used when setting INSECURE_REGISTRY
# this will be split on "/" to derive the docker registry
# (defaults to undef)
#
# [*insecure_registry*]
# Set docker_namespace to INSECURE_REGISTRY, used when a local registry
# is enabled (defaults to false)
#
# [*registry_mirror*]
# Configure a registry-mirror in the /etc/docker/daemon.json file.
# (defaults to false)
#
# [*docker_options*]
# OPTIONS that are used to startup the docker service. NOTE:
# --selinux-enabled is dropped due to recommendations here:
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
# Defaults to '--log-driver=journald --signature-verification=false'
#
# [*configure_storage*]
# Boolean. Whether to configure a docker storage backend. Defaults to true.
#
# [*storage_options*]
# Storage options to configure. Defaults to '-s overlay2'
#
# [*step*]
# step defaults to hiera('step')
#
# [*configure_libvirt_polkit*]
# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
#
# [*docker_nova_uid*]
# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
# Defaults to 42436
#
# [*services_enabled*]
# List of TripleO services enabled on the role.
# Defaults to hiera('services_names')
#
class tripleo::profile::base::docker (
$docker_namespace = undef,
$insecure_registry = false,
$registry_mirror = false,
$docker_options = '--log-driver=journald --signature-verification=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
$configure_libvirt_polkit = undef,
$docker_nova_uid = 42436,
$services_enabled = hiera('service_names', [])
) {
if $configure_libvirt_polkit == undef {
$configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
} else {
$configure_libvirt_polkit_real = $configure_libvirt_polkit
}
if $step >= 1 {
package {'docker':
ensure => installed,
}
service { 'docker':
ensure => 'running',
enable => true,
require => Package['docker'],
}
if $insecure_registry {
if $docker_namespace == undef {
fail('You must provide a $docker_namespace in order to configure insecure registry')
}
$namespace = strip($docker_namespace.split('/')[0])
$changes = [ "set INSECURE_REGISTRY '\"--insecure-registry ${namespace}\"'",
"set OPTIONS '\"${docker_options}\"'" ]
} else {
$changes = [ 'rm INSECURE_REGISTRY',
"set OPTIONS '\"${docker_options}\"'" ]
}
augeas { 'docker-sysconfig':
lens => 'Shellvars.lns',
incl => '/etc/sysconfig/docker',
changes => $changes,
subscribe => Package['docker'],
notify => Service['docker'],
}
if $registry_mirror {
$mirror_changes = [
'set dict/entry[. = "registry-mirrors"] "registry-mirrors',
"set dict/entry[. = \"registry-mirrors\"]/array/string \"${registry_mirror}\""
]
} else {
$mirror_changes = [ 'rm dict/entry[. = "registry-mirrors"]', ]
}
file { '/etc/docker/daemon.json':
ensure => 'present',
content => '{}',
mode => '0644',
replace => false,
require => Package['docker']
}
augeas { 'docker-daemon.json':
lens => 'Json.lns',
incl => '/etc/docker/daemon.json',
changes => $mirror_changes,
subscribe => Package['docker'],
notify => Service['docker'],
require => File['/etc/docker/daemon.json'],
}
if $configure_storage {
if $storage_options == undef {
fail('You must provide a $storage_options in order to configure storage')
}
$storage_changes = [ "set DOCKER_STORAGE_OPTIONS '\" ${storage_options}\"'", ]
} else {
$storage_changes = [ 'rm DOCKER_STORAGE_OPTIONS', ]
}
augeas { 'docker-sysconfig-storage':
lens => 'Shellvars.lns',
incl => '/etc/sysconfig/docker-storage',
changes => $storage_changes,
notify => Service['docker'],
require => Package['docker'],
}
}
if ($step >= 4 and $configure_libvirt_polkit_real) {
# Workaround for polkit authorization for libvirtd socket on host
#
# This creates a local user with the kolla nova uid, and sets the polkit rule to
# allow both it and the nova user from the nova rpms, should it exist (uid 162).
group { 'docker_nova_group':
name => 'docker_nova',
gid => $docker_nova_uid
} ->
user { 'docker_nova_user':
name => 'docker_nova',
uid => $docker_nova_uid,
gid => $docker_nova_uid,
shell => '/sbin/nologin',
comment => 'OpenStack Nova Daemons',
groups => ['nobody']
}
# Similar to the polkit rule in the openstack-nova rpm spec
# but allow both the 'docker_nova' and 'nova' user
$docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
/^(docker_)?nova$/.test(subject.user)) {
return polkit.Result.YES;
}
});
'
package {'polkit':
ensure => installed,
} ->
file {'/etc/polkit-1/rules.d/50-nova.rules':
content => $docker_nova_polkit_rule,
mode => '0644'
}
}
}
View Git Blame Copy Permalink