diff --git a/cinder/templates/bin/_db-init.sh.tpl b/cinder/templates/bin/_db-init.sh.tpl
index 1762c2f7..7afa4607 100644
--- a/cinder/templates/bin/_db-init.sh.tpl
+++ b/cinder/templates/bin/_db-init.sh.tpl
@@ -18,14 +18,14 @@ set -ex
 export HOME=/tmp
 ansible localhost -vvv \
- -m mysql_db -a "login_host='{{ .Values.database.address }}' \
+ -m mysql_db -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
 login_port='{{ .Values.database.port }}' \
 login_user='{{ .Values.database.root_user }}' \
 login_password='{{ .Values.database.root_password }}' \
 name='{{ .Values.database.cinder_database_name }}'"
 ansible localhost -vvv \
- -m mysql_user -a "login_host='{{ .Values.database.address }}' \
+ -m mysql_user -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
 login_port='{{ .Values.database.port }}' \
 login_user='{{ .Values.database.root_user }}' \
 login_password='{{ .Values.database.root_password }}' \
diff --git a/cinder/templates/bin/_disable-udev.sh.tpl b/cinder/templates/bin/_disable-udev.sh.tpl
new file mode 100644
index 00000000..b3cfa081
--- /dev/null
+++ b/cinder/templates/bin/_disable-udev.sh.tpl
@@ -0,0 +1,19 @@
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+sed -i "s|udev_rules = 1|udev_rules = 0|g" /etc/lvm/lvm.conf
+sed -i "s|udev_sync = 1|udev_sync = 0|g" /etc/lvm/lvm.conf
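Review bot: The `login_host` switch to `helm-toolkit.mariadb_host` leaves the `[database] connection` string in `_cinder.conf.tpl` (context in a later hunk of this diff) still built from `.Values.database.address`, so the init job and the service may resolve the database differently; `@{{ include "helm-toolkit.mariadb_host" . }}:` there would keep the two aligned. Both changed lines also sit under the `set -ex` shown as hunk context, so the traced command echoes `login_password` into the job log on every run; `set -e` with tracing limited to the non-secret parts would avoid that. The ansible invocation continues past the hunk's last line.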
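Review bot: Nothing in this change runs the new script: values mount it at `/tmp/disable-udev.sh` in the volume pod, but no command, entrypoint or lifecycle hook in the diff references it, so as far as this diff shows the udev settings are never applied. It also edits `/etc/lvm/lvm.conf` inside the image while `_cinder.conf.tpl` points the LVM driver at `lvm_conf_file = /etc/cinder/lvm.conf`, a file this change neither renders nor mounts; the two paths should agree. A header comment stating where the script is meant to be executed would make the intent checkable, e.g. `# Intended to run before cinder-volume starts when the lvm backend is enabled`.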
diff --git a/cinder/templates/configmap-bin.yaml b/cinder/templates/configmap-bin.yaml
index 96d78bf2..bc535910 100644
--- a/cinder/templates/configmap-bin.yaml
+++ b/cinder/templates/configmap-bin.yaml
@@ -19,6 +19,10 @@ metadata:
 data:
 db-init.sh: |+
 {{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.template" | indent 4 }}
+{{ if .Values.lvm.enabled }}
+ disable-udev.sh: |+
+{{ tuple "bin/_disable-udev.sh.tpl" . | include "helm-toolkit.template" | indent 4 }}
+{{ end }}
 ks-service.sh: |+
 {{- include "helm-toolkit.keystone_service" . | indent 4 }}
 ks-endpoints.sh: |+
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index 8317882b..a856eed3 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -19,6 +19,10 @@ metadata:
 data:
 cinder.conf: |+
 {{ tuple "etc/_cinder.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
+ rootwrap.conf: |+
+{{ tuple "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
+ volume.filters: |+
+{{ tuple "etc/_volume.filters.tpl" . | include "helm-toolkit.template" | indent 4 }}
 api-paste.ini: |+
 {{ tuple "etc/_cinder-api-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }}
 policy.json: |+
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index 52705f8a..7dbbcf94 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -14,6 +14,9 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.api }}
+{{- $mounts_cinder_api := .Values.mounts.cinder_api.cinder_api }}
+{{- $mounts_cinder_api_init := .Values.mounts.cinder_api.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
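Review bot: `rootwrap.conf` and `volume.filters` are rendered into `cinder-etc` unconditionally, while the configmap-bin hunk in this same change wraps `disable-udev.sh` in `{{ if .Values.lvm.enabled }}` and values only mount these two files under `lvm_volumeMounts`; wrapping the four new lines in the same guard keeps the two configmaps consistent. Since the filter file authorises a long list of binaries to run as root through rootwrap, not shipping it to ceph-only deployments where it is unused is a cheap reduction of the pod's configuration surface.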
@@ -36,7 +39,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
 pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_cinder_api_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
 ]'
 spec:
 nodeSelector:
@@ -65,33 +68,6 @@ spec:
 tcpSocket:
 port: {{ .Values.network.port.api }}
 volumeMounts:
- - name: pod-etc-cinder
- mountPath: /etc/cinder
- - name: pod-var-cache-cinder
- mountPath: /var/cache/cinder
- - name: cinderconf
- mountPath: /etc/cinder/conf/cinder.conf
- subPath: cinder.conf
- readOnly: true
- - name: cinderpaste
- mountPath: /etc/cinder/api-paste.ini
- subPath: api-paste.ini
- readOnly: true
- - name: cinderpolicy
- mountPath: /etc/cinder/policy.json
- subPath: policy.json
- readOnly: true
+{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}
 volumes:
- - name: pod-etc-cinder
- emptyDir: {}
- - name: pod-var-cache-cinder
- emptyDir: {}
- - name: cinderconf
- configMap:
- name: cinder-etc
- - name: cinderpaste
- configMap:
- name: cinder-etc
- - name: cinderpolicy
- configMap:
- name: cinder-etc
+{{ toYaml $mounts_cinder_api.volumes | indent 8 }}
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index de5d42c8..39b0042e 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -14,6 +14,9 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.scheduler }}
+{{- $mounts_cinder_scheduler := .Values.mounts.cinder_scheduler.cinder_scheduler }}
+{{- $mounts_cinder_scheduler_init := .Values.mounts.cinder_scheduler.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
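Review bot: `$mounts_cinder_api_init` is `null` in the default values (the `init_container: null` entries in the values hunk) and is now passed as the third tuple element to `helm-toolkit.kubernetes_entrypoint_init_container`; that helper is outside this diff, so whether it tolerates a nil mounts argument cannot be confirmed here and deserves a `helm template` run with the defaults. In the second hunk, `{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}` renders `null` under `volumeMounts:` if an operator leaves the list out, which the API server accepts but reads oddly; `{{- if $mounts_cinder_api.volumeMounts }}` around the line keeps the output clean. The same two points apply to the matching hunks in deployment-scheduler, deployment-volume, job-db-init and job-db-sync.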
@@ -36,7 +39,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
 pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_cinder_scheduler_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
 ]'
 spec:
 nodeSelector:
@@ -59,33 +62,6 @@ spec:
 - --config-dir
 - /etc/cinder/conf
 volumeMounts:
- - name: pod-etc-cinder
- mountPath: /etc/cinder
- - name: pod-var-cache-cinder
- mountPath: /var/cache/cinder
- - name: cinderconf
- mountPath: /etc/cinder/conf/cinder.conf
- subPath: cinder.conf
- readOnly: true
- - name: cinderpaste
- mountPath: /etc/cinder/api-paste.ini
- subPath: api-paste.ini
- readOnly: true
- - name: cinderpolicy
- mountPath: /etc/cinder/policy.json
- subPath: policy.json
- readOnly: true
+{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}
 volumes:
- - name: pod-etc-cinder
- emptyDir: {}
- - name: pod-var-cache-cinder
- emptyDir: {}
- - name: cinderconf
- configMap:
- name: cinder-etc
- - name: cinderpaste
- configMap:
- name: cinder-etc
- - name: cinderpolicy
- configMap:
- name: cinder-etc
+{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index bd4517eb..a0b777c1 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -14,6 +14,9 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.volume }}
+{{- $mounts_cinder_volume := .Values.mounts.cinder_volume.cinder_volume }}
+{{- $mounts_cinder_volume_init := .Values.mounts.cinder_volume.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -36,13 +39,16 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
 pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_cinder_volume_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
 ]'
 spec:
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 containers:
 - name: cinder-volume
+ securityContext:
+ privileged: true
+ runAsUser: 0
 image: {{ .Values.images.volume }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{- if .Values.resources.enabled }}
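Review bot: `privileged: true` and `runAsUser: 0` are added to the cinder-volume container unconditionally, although the only things in this change that need host `/dev` access and root are the LVM/iSCSI mounts, which the next hunk gates on `.Values.lvm.enabled`; with the defaults (`ceph.enabled: true`, `lvm.enabled: false`) a ceph-only deployment therefore gets a privileged root container that the context lines show it did not have before. Guard the three lines the same way the mounts are guarded: `{{- if .Values.lvm.enabled }}` before `securityContext:` and `{{- end }}` after `runAsUser: 0`. The container definition continues past the hunk.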
@@ -59,33 +65,18 @@ spec:
 - --config-dir
 - /etc/cinder/conf
 volumeMounts:
- - name: pod-etc-cinder
- mountPath: /etc/cinder
- - name: pod-var-cache-cinder
- mountPath: /var/cache/cinder
- - name: cinderconf
- mountPath: /etc/cinder/conf/cinder.conf
- subPath: cinder.conf
- readOnly: true
- - name: cephconf
- mountPath: /etc/ceph/ceph.conf
- subPath: ceph.conf
- readOnly: true
- - name: cephclientcinderkeyring
- mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
- subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
- readOnly: true
+{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}
+{{ if .Values.ceph.enabled }}
+{{ toYaml $mounts_cinder_volume.ceph_volumeMounts | indent 12 }}
+{{ end }}
+{{ if .Values.lvm.enabled }}
+{{ toYaml $mounts_cinder_volume.lvm_volumeMounts | indent 12 }}
+{{ end }}
 volumes:
- - name: pod-etc-cinder
- emptyDir: {}
- - name: pod-var-cache-cinder
- emptyDir: {}
- - name: cinderconf
- configMap:
- name: cinder-etc
- - name: cephconf
- configMap:
- name: cinder-etc
- - name: cephclientcinderkeyring
- configMap:
- name: cinder-etc
+{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}
+{{ if .Values.ceph.enabled }}
+{{ toYaml $mounts_cinder_volume.ceph_volumes | indent 8 }}
+{{ end }}
+{{ if .Values.lvm.enabled }}
+{{ toYaml $mounts_cinder_volume.lvm_volumes | indent 8 }}
+{{ end }}
diff --git a/cinder/templates/etc/_cinder.conf.tpl b/cinder/templates/etc/_cinder.conf.tpl
index cb336d64..96d66e24 100644
--- a/cinder/templates/etc/_cinder.conf.tpl
+++ b/cinder/templates/etc/_cinder.conf.tpl
@@ -20,6 +20,8 @@ use_stderr = True
 enable_v1_api = false
 volume_name_template = %s
+per_volume_size_limit = 10
+
 osapi_volume_workers = {{ .Values.api.workers }}
 osapi_volume_listen = 0.0.0.0
 osapi_volume_listen_port = {{ .Values.network.port.api }}
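Review bot: `ceph_volumeMounts` in values (the values hunk later in this diff) carries the literal strings `/etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring` and `ceph.client.{{ .Values.ceph.cinder_user }}.keyring`, but values are not templated: `toYaml $mounts_cinder_volume.ceph_volumeMounts` emits the `{{ ... }}` text verbatim, so the keyring ends up at a path containing the unrendered expression instead of the `ceph.client.admin.keyring` the removed inline lines produced. Either pass the rendered text through Helm's `tpl`, `{{ tpl (toYaml $mounts_cinder_volume.ceph_volumeMounts) . | indent 12 }}`, or drop the user name from the default path and keep it in one place. The same applies to the `ceph_volumeMounts` entry in values, which is where the strings live.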
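Review bot: `per_volume_size_limit = 10` is a hard-coded operational cap under `[DEFAULT]` with no comment and no values knob, unlike the neighbouring `osapi_volume_workers` and port settings that read `.Values.*`; an operator who hits the limit will not find it in values.yaml. Either expose it through a values key (a constructed example: `per_volume_size_limit = {{ .Values.api.per_volume_size_limit }}`, with the default added to values.yaml) or at least state the intent above the line: `# Max size allowed per volume, in gigabytes`.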
@@ -39,6 +41,10 @@ os_region_name = {{ .Values.keystone.cinder_region_name }}
 # by pinning the agent identifier
 host=cinder-volume-worker
+# Path to the rootwrap configuration file to use for running commands as root
+# (string value)
+rootwrap_config = /etc/cinder/rootwrap.conf
+
 [database]
 connection = mysql+pymysql://{{ .Values.database.cinder_user }}:{{ .Values.database.cinder_password }}@{{ .Values.database.address }}:{{ .Values.database.port }}/{{ .Values.database.cinder_database_name }}
 max_retries = -1
@@ -63,6 +69,7 @@ rabbit_password = {{ .Values.messaging.password }}
 rabbit_ha_queues = true
 rabbit_hosts = {{ .Values.messaging.hosts }}
+{{ if .Values.ceph.enabled }}
 [rbd1]
 volume_driver = cinder.volume.drivers.rbd.RBDDriver
 rbd_pool = {{ .Values.backends.rbd1.pool }}
@@ -78,3 +85,18 @@ rbd_secret_uuid = {{- include "secrets/ceph-client-key" . -}}
 {{- end }}
 rbd_secret_uuid = {{ .Values.backends.rbd1.secret }}
 report_discard_supported = True
+{{ end }}
+
+{{ if .Values.lvm.enabled }}
+[lvm1]
+iscsi_helper = tgtadm
+iscsi_protocol = iscsi
+lvm_conf_file = /etc/cinder/lvm.conf
+lvm_type = default
+volume_backend_name = lvm1
+volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
+volume_group = cinder-volumes
+
+[privsep_entrypoint]
+helper_command=sudo cinder-rootwrap /etc/cinder/rootwrap.conf privsep-helper --config-file /etc/cinder/cinder.conf
+{{ end }}
diff --git a/cinder/templates/etc/_rootwrap.conf.tpl b/cinder/templates/etc/_rootwrap.conf.tpl
new file mode 100644
index 00000000..4986c9e3
--- /dev/null
+++ b/cinder/templates/etc/_rootwrap.conf.tpl
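Review bot: `lvm_conf_file = /etc/cinder/lvm.conf` names a file that this change neither renders into `cinder-etc` nor mounts (the `lvm_volumeMounts` entries are rootwrap.conf, volume.filters, disable-udev.sh and `/dev`), while the new `_disable-udev.sh.tpl` edits `/etc/lvm/lvm.conf` instead; unless the driver silently falls back when the file is absent, the udev settings the script changes are not the ones the driver reads, and either way the two paths should agree. Either render an lvm.conf into the configmap and mount it at `/etc/cinder/lvm.conf`, or set `lvm_conf_file = /etc/lvm/lvm.conf`. `helper_command=sudo cinder-rootwrap ...` under `[privsep_entrypoint]` also presumes `sudo` and a matching sudoers rule exist in the volume image, which cannot be checked from the chart, and `backends.enabled` in values still lists only `rbd1`, so if that list drives `enabled_backends` (not visible in this diff) setting `lvm.enabled` alone may not activate the new section.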
@@ -0,0 +1,27 @@
+# Configuration for cinder-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/cinder/rootwrap.d
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/cinder/templates/etc/_volume.filters.tpl b/cinder/templates/etc/_volume.filters.tpl
new file mode 100644
index 00000000..1e6815e0
--- /dev/null
+++ b/cinder/templates/etc/_volume.filters.tpl
@@ -0,0 +1,228 @@
+# cinder-rootwrap command filters for volume nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# cinder/volume/iscsi.py: iscsi_helper '--op' ...
+ietadm: CommandFilter, ietadm, root
+tgtadm: CommandFilter, tgtadm, root
+iscsictl: CommandFilter, iscsictl, root
+tgt-admin: CommandFilter, tgt-admin, root
+cinder-rtstool: CommandFilter, cinder-rtstool, root
+scstadmin: CommandFilter, scstadmin, root
+
+# LVM related show commands
+pvs: EnvFilter, env, root, LC_ALL=C, pvs
+vgs: EnvFilter, env, root, LC_ALL=C, vgs
+lvs: EnvFilter, env, root, LC_ALL=C, lvs
+lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
+
+# -LVM related show commands with suppress fd warnings
+pvs2: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+vgs2: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+lvs2: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+lvdisplay2: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+
+# -LVM related show commands conf var
+pvs3: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, pvs
+vgs3: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, vgs
+lvs3: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, lvs
+lvdisplay3: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, lvdisplay
+
+# -LVM conf var with suppress fd_warnings
+pvs4: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, pvs
+vgs4: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, vgs
+lvs4: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, lvs
+lvdisplay4: EnvFilter, env, root, LC_ALL=C, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+# os-brick library commands
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+# The following and any cinder/brick/* entries should all be obsoleted
+# by privsep, and may be removed once the os-brick version requirement
+# is updated appropriately.
+scsi_id: CommandFilter, /lib/udev/scsi_id, root
+drbdadm: CommandFilter, drbdadm, root
+
+# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+vgcreate: CommandFilter, vgcreate, root
+
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
+lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
+lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
+
+# cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+dd: CommandFilter, dd, root
+
+# cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+lvremove: CommandFilter, lvremove, root
+
+# cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
+lvrename: CommandFilter, lvrename, root
+
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
+lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+
+# cinder/brick/local_dev/lvm.py: 'lvchange -a y -K '
+lvchange: CommandFilter, lvchange, root
+
+# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+lvconvert: CommandFilter, lvconvert, root
+
+# cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+# cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# cinder/volume/utils.py: utils.temporary_chown(path, 0)
+chown: CommandFilter, chown, root
+
+# cinder/volume/utils.py: copy_volume(..., ionice='...')
+ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
+ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
+
+# cinder/volume/utils.py: setup_blkio_cgroup()
+cgcreate: CommandFilter, cgcreate, root
+cgset: CommandFilter, cgset, root
+cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
+
+# cinder/volume/driver.py
+dmsetup: CommandFilter, dmsetup, root
+ln: CommandFilter, ln, root
+
+# cinder/image/image_utils.py
+qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
+qemu-img_convert: CommandFilter, qemu-img, root
+
+udevadm: CommandFilter, udevadm, root
+
+# cinder/volume/driver.py: utils.read_file_as_root()
+cat: CommandFilter, cat, root
+
+# cinder/volume/nfs.py
+stat: CommandFilter, stat, root
+mount: CommandFilter, mount, root
+df: CommandFilter, df, root
+du: CommandFilter, du, root
+truncate: CommandFilter, truncate, root
+chmod: CommandFilter, chmod, root
+rm: CommandFilter, rm, root
+
+# cinder/volume/drivers/remotefs.py
+mkdir: CommandFilter, mkdir, root
+
+# cinder/volume/drivers/netapp/nfs.py:
+netapp_nfs_find: RegExpFilter, find, root, find, 
^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+
+# cinder/volume/drivers/glusterfs.py
+chgrp: CommandFilter, chgrp, root
+umount: CommandFilter, umount, root
+fallocate: CommandFilter, fallocate, root
+
+# cinder/volumes/drivers/hds/hds.py:
+hus-cmd: CommandFilter, hus-cmd, root
+hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
+
+# cinder/volumes/drivers/hds/hnas_backend.py
+ssc: CommandFilter, ssc, root
+
+# cinder/brick/initiator/connector.py:
+ls: CommandFilter, ls, root
+tee: CommandFilter, tee, root
+multipath: CommandFilter, multipath, root
+multipathd: CommandFilter, multipathd, root
+systool: CommandFilter, systool, root
+
+# cinder/volume/drivers/block_device.py
+blockdev: CommandFilter, blockdev, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+# cinder/volume/drivers/tintri.py
+mv: CommandFilter, mv, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+cp: CommandFilter, cp, root
+mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
+mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
+mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
+mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
+mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
+mkfs: CommandFilter, mkfs, root
+mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+# cinder/volume/drivers/ibm/ibmnas.py
+find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, 
-quit
+
+# cinder/brick/initiator/connector.py:
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+aoe-flush: CommandFilter, aoe-flush, root
+
+# cinder/brick/initiator/linuxscsi.py:
+sg_scan: CommandFilter, sg_scan, root
+
+#cinder/backup/services/tsm.py
+dsmc:CommandFilter,/usr/bin/dsmc,root
+
+# cinder/volume/drivers/hitachi/hbsd_horcm.py
+raidqry: CommandFilter, raidqry, root
+raidcom: CommandFilter, raidcom, root
+pairsplit: CommandFilter, pairsplit, root
+paircreate: CommandFilter, paircreate, root
+pairdisplay: CommandFilter, pairdisplay, root
+pairevtwait: CommandFilter, pairevtwait, root
+horcmstart.sh: CommandFilter, horcmstart.sh, root
+horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
+horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
+
+# cinder/volume/drivers/hitachi/hbsd_snm2.py
+auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
+auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
+auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
+aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
+auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
+auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
+autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
+aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
+auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, 
STONAVM_ACT=, /usr/stonavm/auluadd
+auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
+auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
+auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
+autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
+autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
+autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
+auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
+audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
+aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
+aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
+
+# cinder/volume/drivers/hgst.py
+vgc-cluster: CommandFilter, vgc-cluster, root
+
+# cinder/volume/drivers/vzstorage.py
+pstorage-mount: CommandFilter, pstorage-mount, root
+pstorage: CommandFilter, pstorage, root
+ploop: CommandFilter, ploop, root
+
+# initiator/connector.py:
+drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+
+# cinder/volume/drivers/quobyte.py
+mount.quobyte: CommandFilter, mount.quobyte, root
+umount.quobyte: CommandFilter, umount.quobyte, root
diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml
index c00a207e..9c2f8df6 100644
--- a/cinder/templates/job-db-init.yaml
+++ b/cinder/templates/job-db-init.yaml
@@ -14,6 +14,9 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.db_init }}
+{{- $mounts_cinder_db_init := .Values.mounts.cinder_db_init.cinder_db_init }}
+{{- $mounts_cinder_init_init := .Values.mounts.cinder_db_init.init_container }}
+
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -23,7 +26,7 @@ spec:
 metadata:
 annotations:
 pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_cinder_init_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
 ]'
 spec:
 restartPolicy: OnFailure
@@ -49,11 +52,6 @@ spec:
 - bash
 - /tmp/db-init.sh
 volumeMounts:
- - name: dbinitsh
- mountPath: /tmp/db-init.sh
- subPath: db-init.sh
- readOnly: true
+{{ toYaml $mounts_cinder_db_init.volumeMounts | indent 12 }}
 volumes:
- - name: dbinitsh
- configMap:
- name: cinder-bin
+{{ toYaml $mounts_cinder_db_init.volumes | indent 8 }}
diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml
index 0296b1ee..e47e2e4a 100644
--- a/cinder/templates/job-db-sync.yaml
+++ b/cinder/templates/job-db-sync.yaml
@@ -14,6 +14,9 @@
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.db_sync }}
+{{- $mounts_cinder_db_sync := .Values.mounts.cinder_db_sync.cinder_db_sync }}
+{{- $mounts_cinder_sync_init := .Values.mounts.cinder_db_sync.init_container }}
+
 apiVersion: batch/v1
 kind: Job
 metadata:
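Review bot: `$mounts_cinder_init_init` breaks the naming pattern the rest of this change uses (`$mounts_cinder_api_init`, `$mounts_cinder_scheduler_init`, `$mounts_cinder_volume_init`) and reads like a typo; `$mounts_cinder_db_init_init` follows the `<component>_init` convention, with the same rename applied where the variable is used in the init-containers annotation two hunks below. The job-db-sync hunk on this line has the analogous `$mounts_cinder_sync_init`, which would become `$mounts_cinder_db_sync_init`.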
@@ -23,7 +26,7 @@ spec:
 metadata:
 annotations:
 pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_cinder_sync_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
 ]'
 spec:
 restartPolicy: OnFailure
@@ -50,15 +53,6 @@ spec:
 - db
 - sync
 volumeMounts:
- - name: pod-etc-cinder
- mountPath: /etc/cinder
- - name: cinderconf
- mountPath: /etc/cinder/conf/cinder.conf
- subPath: cinder.conf
- readOnly: true
+{{ toYaml $mounts_cinder_db_sync.volumeMounts | indent 12}}
 volumes:
- - name: pod-etc-cinder
- emptyDir: {}
- - name: cinderconf
- configMap:
- name: cinder-etc
+{{ toYaml $mounts_cinder_db_sync.volumes | indent 8 }}
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 9cbb4a81..2c7cfefc 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -38,6 +38,26 @@ images:
 volume: quay.io/stackanetes/stackanetes-cinder-volume:newton
 pull_policy: "IfNotPresent"
+backends:
+ enabled:
+ - rbd1
+ rbd1:
+ secret: null
+ user: "admin"
+ pool: "volumes"
+
+ceph:
+ enabled: true
+ monitors: []
+ cinder_user: "admin"
+ # a null value for the keyring will
+ # attempt to use the key from
+ # common/secrets/ceph-client-key
+ cinder_keyring: null
+
+lvm:
+ enabled: false
+
 upgrades:
 revision_history: 3
 pod_replacement_strategy: RollingUpdate
@@ -74,23 +94,6 @@ database:
 cinder_password: password
 cinder_user: cinder
-ceph:
- enabled: true
- monitors: []
- cinder_user: "admin"
- # a null value for the keyring will
- # attempt to use the key from
- # common/secrets/ceph-client-key
- cinder_keyring: null
-
-backends:
- enabled:
- - rbd1
- rbd1:
- secret: null
- user: "admin"
- pool: "volumes"
-
 glance:
 version: 2
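Review bot: `{{ toYaml $mounts_cinder_db_sync.volumeMounts | indent 12}}` lacks the space before `}}` that every other `toYaml ... | indent N }}` line in this change has; `{{ toYaml $mounts_cinder_db_sync.volumeMounts | indent 12 }}` keeps the templates uniform and greppable. It renders the same either way, so this is style only.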
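Review bot: `lvm:` exposes only `enabled`, while the `[lvm1]` section this flag switches on in `_cinder.conf.tpl` hard-codes `volume_group = cinder-volumes`, `iscsi_helper = tgtadm` and `lvm_type = default`; the ceph path, by contrast, keeps its driver settings under `backends.rbd1`. Putting the LVM settings in values as well (a constructed example: `lvm: volume_group: cinder-volumes`, or a `backends.lvm1:` block) keeps the two backends symmetric and lets operators point at an existing volume group. `backends.enabled` also still lists only `rbd1`, so if that list drives `enabled_backends` (not visible in this diff) turning on `lvm.enabled` alone may not activate the backend.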
@@ -153,6 +156,169 @@ dependencies:
 - keystone-api
 - cinder-api
+mounts:
+ cinder_db_init:
+ init_container: null
+ cinder_db_init:
+ volumes:
+ - name: dbinitsh
+ configMap:
+ name: cinder-bin
+ volumeMounts:
+ - name: dbinitsh
+ mountPath: /tmp/db-init.sh
+ subPath: db-init.sh
+ readOnly: true
+ cinder_db_sync:
+ init_container: null
+ cinder_db_sync:
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ cinder_api:
+ init_container: null
+ cinder_api:
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ - name: cinderpaste
+ configMap:
+ name: cinder-etc
+ - name: cinderpolicy
+ configMap:
+ name: cinder-etc
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ - name: cinderpaste
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: cinderpolicy
+ mountPath: /etc/cinder/policy.json
+ subPath: policy.json
+ readOnly: true
+ cinder_scheduler:
+ init_container: null
+ cinder_scheduler:
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ - name: cinderpaste
+ configMap:
+ name: cinder-etc
+ - name: cinderpolicy
+ configMap:
+ name: cinder-etc
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ - name: cinderpaste
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: 
api-paste.ini
+ readOnly: true
+ - name: cinderpolicy
+ mountPath: /etc/cinder/policy.json
+ subPath: policy.json
+ readOnly: true
+ cinder_volume:
+ init_container: null
+ cinder_volume:
+ volumes:
+ - name: pod-etc-cinder
+ emptyDir: {}
+ - name: pod-var-cache-cinder
+ emptyDir: {}
+ - name: cinderconf
+ configMap:
+ name: cinder-etc
+ lvm_volumes:
+ - name: rootwrapconf
+ configMap:
+ name: cinder-etc
+ - name: volumefilters
+ configMap:
+ name: cinder-etc
+ - name: disable-udev
+ configMap:
+ name: cinder-bin
+ - name: host-dev
+ hostPath:
+ path: /dev
+ ceph_volumes:
+ - name: cephconf
+ configMap:
+ name: cinder-etc
+ - name: cephclientcinderkeyring
+ configMap:
+ name: cinder-etc
+ volumeMounts:
+ - name: pod-etc-cinder
+ mountPath: /etc/cinder
+ - name: pod-var-cache-cinder
+ mountPath: /var/cache/cinder
+ - name: cinderconf
+ mountPath: /etc/cinder/conf/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ lvm_volumeMounts:
+ - name: rootwrapconf
+ mountPath: /etc/cinder/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: volumefilters
+ mountPath: /etc/cinder/rootwrap.d/volume.filters
+ subPath: volume.filters
+ readOnly: true
+ - name: disable-udev
+ mountPath: /tmp/disable-udev.sh
+ subPath: disable-udev.sh
+ readOnly: true
+ - name: host-dev
+ mountPath: /dev
+ readOnly: false
+ ceph_volumeMounts:
+ - name: cephconf
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: cephclientcinderkeyring
+ mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+ readOnly: true
+
 # We use a different layout of the endpoints here to account for versioning
 # this swaps the service name and type, and should be rolled out to other
 # services.
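Review bot: The `host-dev` entries mount the node's `/dev` into the volume container with `readOnly: false`, which together with the `privileged: true` added in deployment-volume gives the pod read-write access to every block device on the host, and values.yaml says nothing about why. Since operators are expected to override these lists, a comment on the entry keeps that risk visible, e.g. above `- name: host-dev` in `lvm_volumes`: `# host /dev is required read-write for LVM volume and iSCSI target management; only mounted when lvm.enabled is true`. The `lvm_volumes` and `lvm_volumeMounts` keys themselves would also benefit from a one-line comment saying they are only rendered when `lvm.enabled` is set, since that gating lives in the template rather than here.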