From 91049805243c48a935ad61e37e638b67c2cd0a28 Mon Sep 17 00:00:00 2001 From: Steve Baker Date: Fri, 15 Jun 2018 14:24:41 +1200 Subject: [PATCH] Allow a containerized mistral-executor to access docker This is required for a containerized undercloud to perform workflow driven container image prepare during overcloud deployment. This moves the MistralDockerGroup parameter out of mistral-base since this is only required for the executor. Further changes will be needed to puppet-tripleo to use 'group' and 'user' instead of ensure_resource, and also to ensure that the created docker group inside the executor container has the same gid as the docker group on the host, but these can depend on this change for testing. Change-Id: I429c72c0334a177d1ec37c3d9c13b7ba983de734 Blueprint: container-prepare-workflow --- docker/services/mistral-executor.yaml | 5 ++++- puppet/services/mistral-base.yaml | 5 ----- puppet/services/mistral-executor.yaml | 8 +++++++- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/docker/services/mistral-executor.yaml b/docker/services/mistral-executor.yaml index 7955b200b7..a8e24876c9 100644 --- a/docker/services/mistral-executor.yaml +++ b/docker/services/mistral-executor.yaml @@ -74,13 +74,15 @@ outputs: # BEGIN DOCKER SETTINGS puppet_config: config_volume: mistral - puppet_tags: mistral_config + puppet_tags: mistral_config,user,group step_config: list_join: - "\n" - - {get_attr: [MistralBase, role_data, step_config]} - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerMistralConfigImage} + volumes: + - /var/run/docker.sock:/var/run/docker.sock:rw kolla_config: /var/lib/kolla/config_files/mistral_executor.json: command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor 
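Review bot: The `/var/run/docker.sock:/var/run/docker.sock:rw` bind mount added under `puppet_config` is unconditional, while the `MistralDockerGroup` toggle that controls group membership defaults to false; the same mount is added again to the executor container's volume list in the next hunk of this file. Read-write access to the Docker socket is effectively root-equivalent control of the host's Docker daemon, so both mounts should be limited to where the workflow-driven image prepare needs them (the containerized undercloud, per the commit message), ideally gated on the same toggle through a Heat condition. At minimum I would add a comment above each mount such as `# docker.sock gives root-equivalent control of the host docker daemon; needed only for undercloud image prepare`. It is not visible from this hunk why the config-generation container needs the socket in addition to the `user,group` puppet tags; if it does not, dropping that mount narrows the exposure.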
@@ -115,6 +117,7 @@ outputs: # FIXME: this is required in order for Nova cells # initialization workflows on the Undercloud. Need to # exclude this on the overcloud for security reasons. + - /var/run/docker.sock:/var/run/docker.sock:rw - /var/lib/config-data/nova/etc/nova:/etc/nova:ro - /var/log/containers/mistral:/var/log/mistral - /var/lib/mistral:/var/lib/mistral diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index b77aad6e6f..bfe802ff6a 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -45,10 +45,6 @@ parameters: description: The password for the Mistral service and db account, used by the Mistral services. type: string hidden: true - MistralDockerGroup: - default: false - description: Add the mistral user to the docker group to allow actions to perform docker operations. - type: boolean KeystoneRegion: type: string default: 'regionOne' @@ -121,7 +117,6 @@ outputs: - '' - - {get_param: [EndpointMap, KeystoneV3Internal, uri]} - '/ec2tokens' - tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup} service_config_settings: keystone: mistral::keystone::auth::tenant: 'service' diff --git a/puppet/services/mistral-executor.yaml b/puppet/services/mistral-executor.yaml index aee3c0d153..f7232ab0be 100644 --- a/puppet/services/mistral-executor.yaml +++ b/puppet/services/mistral-executor.yaml @@ -30,6 +30,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MistralDockerGroup: + default: false + description: Add the mistral user to the docker group to allow actions to perform docker operations. + type: boolean resources: MistralBase: 
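Review bot: The new docker.sock line is inserted between the existing FIXME comment and the `/var/lib/config-data/nova/etc/nova:/etc/nova:ro` mount that the comment appears to describe, so the FIXME now reads as if it documents the socket mount. Move the added line above the FIXME, or give it its own comment, e.g. `# Required for workflow driven container image prepare on the undercloud; exclude on the overcloud.`. The volume list starts and ends outside this hunk, so check the placement against the full list.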
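Review bot: The `MistralDockerGroup` description moved into puppet/services/mistral-executor.yaml does not tell an operator what enabling it grants. Membership of the docker group lets Mistral actions drive the host Docker daemon through the mounted socket, which is effectively root on the host. I would extend the description, e.g. `Add the mistral user to the docker group to allow actions to perform docker operations. This gives workflow actions root-equivalent access to the host docker daemon; enable on the undercloud only.`. Keeping the default at false is the right choice.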
@@ -48,7 +52,9 @@ outputs: value: service_name: mistral_executor config_settings: - get_attr: [MistralBase, role_data, config_settings] + map_merge: + - get_attr: [MistralBase, role_data, config_settings] + - tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup} step_config: | include ::tripleo::profile::base::mistral::executor upgrade_tasks: