openstack/devstack-plugin-container
Code Issues Proposed changes
Files
bdc0b49ce38d012be3328ddc7c59a7e496b098b4
devstack-plugin-container/devstack/lib/docker
Roman Dobosz bdc0b49ce3 Install apparmor tools also for Ubuntu Focal. 
k8s gate is still on focal, so patch which unblock the apparmor for
jammy does not affect it. Here is the fix for focal as well.

Change-Id: I2a9bc69a59e7d6d21d61e79115d5a3c726c73ab0
2023-02-23 18:36:19 +01:00

321 lines
11 KiB
Bash
Raw Blame History

#!/bin/bash
# Dependencies:
#
# - functions
# - ``STACK_USER`` must be defined
# stack.sh
# ---------
# - install_docker
# The following variables are assumed to be defined by certain functions:
#
# - ``http_proxy`` ``https_proxy`` ``no_proxy``
# Save trace setting
_XTRACE_DOCKER=$(set +o | grep xtrace)
set +o xtrace
# Defaults
# --------
DOCKER_ENGINE_SOCKET_FILE=${DOCKER_ENGINE_SOCKET_FILE:-/var/run/docker.sock}
DOCKER_ENGINE_PORT=${DOCKER_ENGINE_PORT:-2375}
DOCKER_CLUSTER_STORE=${DOCKER_CLUSTER_STORE:-}
STACK_GROUP="$( id --group --name "$STACK_USER" )"
DOCKER_GROUP=${DOCKER_GROUP:-$STACK_GROUP}
DOCKER_CGROUP_DRIVER=${DOCKER_CGROUP_DRIVER:-}
# TODO(hongbin): deprecate and remove clear container
ENABLE_CLEAR_CONTAINER=$(trueorfalse False ENABLE_CLEAR_CONTAINER)
ENABLE_KATA_CONTAINERS=$(trueorfalse False ENABLE_KATA_CONTAINERS)
ENABLE_CONTAINERD_CRI=$(trueorfalse False ENABLE_CONTAINERD_CRI)
ENABLE_LIVE_RESTORE=$(trueorfalse False ENABLE_LIVE_RESTORE)
ENABLE_IPV6=$(trueorfalse False ENABLE_IPV6)
KATA_BRANCH=${KATA_BRANCH:-master}
KATA_RUNTIME=${KATA_RUNTIME:-kata-runtime}
CONTAINERD_CONF_DIR=/etc/containerd
CONTAINERD_CONF=$CONTAINERD_CONF_DIR/config.toml
# Functions
# ---------
function check_docker {
if is_ubuntu; then
dpkg -s docker-engine > /dev/null 2>&1 || dpkg -s docker-ce > /dev/null 2>&1
else
rpm -q docker-engine > /dev/null 2>&1 || rpm -q docker > /dev/null 2>&1 || rpm -q docker-ce > /dev/null 2>&1
fi
}
function install_docker {
if [[ -z "$os_PACKAGE" ]]; then
GetOSVersion
fi
local lsb_dist=${os_VENDOR,,}
local dist_version=${os_CODENAME}
if [[ "$lsb_dist" != "centosstream" ]]; then
local arch
arch=$(dpkg --print-architecture)
fi
if is_ubuntu; then
apt_get install apparmor
if [[ ${dist_version} == 'trusty' ]]; then
if uname -r | grep -q -- '-generic' && dpkg -l 'linux-image-*-generic' | grep -qE '^ii|^hi' 2>/dev/null; then
apt_get install linux-image-extra-$(uname -r) linux-image-extra-virtual
else
(>&2 echo "WARNING: Current kernel is not supported by the linux-image-extra-virtual package. Docker may not work.")
fi
fi
apt_get install apt-transport-https ca-certificates software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository -y \
"deb [arch=${arch}] https://download.docker.com/linux/${lsb_dist} \
${dist_version} \
stable"
REPOS_UPDATED=False apt_get_update
apt_get install docker-ce
elif is_fedora; then
if [[ "$lsb_dist" = "centos" ]]; then
sudo yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
elif [[ "$lsb_dist" = "centosstream" ]]; then
sudo yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
sudo yum-config-manager \
--add-repo \
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 #noqa
sudo yum-config-manager \
--enable \
packages.cloud.google.com_yum_repos_kubernetes-el7-x86_64
sudo dnf -y install kubeadm --nogpgcheck
elif [[ "$lsb_dist" = "fedora" ]]; then
sudo dnf config-manager \
--add-repo \
https://download.docker.com/linux/fedora/docker-ce.repo
fi
yum_install docker-ce
fi
if [[ "$ENABLE_KATA_CONTAINERS" == "True" ]]; then
# Kata Containers can't run inside VM, so check whether virtualization
# is enabled or not
if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
if is_ubuntu; then
install_kata_container_ubuntu
elif is_fedora; then
install_kata_container_fedora
fi
else
(>&2 echo "WARNING: Kata Containers needs the CPU extensions svm or vmx which is not enabled. Skipping Kata Containers installation.")
fi
# TODO(hongbin): deprecate and remove clear container
elif [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
# Clear Container can't run inside VM, so check whether virtualization
# is enabled or not
(>&2 echo "WARNING: Clear Container support is deprecated in Train release and will be removed in U release.")
if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
if is_ubuntu; then
install_clear_container_ubuntu
elif is_fedora; then
install_clear_container_fedora
fi
else
(>&2 echo "WARNING: Clear Container needs the CPU extensions svm or vmx which is not enabled. Skipping Clear Container installation.")
fi
fi
if [[ "$ENABLE_CONTAINERD_CRI" == "True" ]]; then
source $DEST/devstack-plugin-container/devstack/lib/cni/plugins
install_cni_plugins
source $DEST/devstack-plugin-container/devstack/lib/tools/crictl
install_crictl
fi
}
function configure_docker {
if [[ ${ENABLE_CONTAINERD_CRI} == "True" ]]; then
source $DEST/devstack-plugin-container/devstack/lib/cni/plugins
configure_cni_plugins
configure_containerd
source $DEST/devstack-plugin-container/devstack/lib/tools/crictl
configure_crictl
fi
# After an ./unstack it will be stopped. So it is ok if it returns exit-code == 1
sudo systemctl stop docker.service || true
local cluster_store_opts=""
if [[ -n "$DOCKER_CLUSTER_STORE" ]]; then
cluster_store_opts+="\"cluster-store\": \"$DOCKER_CLUSTER_STORE\","
fi
local runtime_opts=""
if [[ "$ENABLE_KATA_CONTAINERS" == "True" ]]; then
if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
runtime_opts+="\"runtimes\": {
\"$KATA_RUNTIME\": {
\"path\": \"/usr/bin/kata-runtime\"
}
},
\"default-runtime\": \"$KATA_RUNTIME\","
fi
# TODO(hongbin): deprecate and remove clear container
elif [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
(>&2 echo "WARNING: Clear Container support is deprecated in Train release and will be removed in U release.")
if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
runtime_opts+="\"runtimes\": {
\"cor\": {
\"path\": \"/usr/bin/cc-oci-runtime\"
}
},"
fi
fi
local docker_config_file=/etc/docker/daemon.json
local debug
local live_restore
local ipv6
if [[ "$ENABLE_DEBUG_LOG_LEVEL" == "True" ]]; then
debug=true
else
debug=false
fi
if [[ "$ENABLE_LIVE_RESTORE" == "True" ]]; then
live_restore=true
else
live_restore=false
fi
if [[ "$ENABLE_IPV6" == "True" ]]; then
ipv6=true
else
ipv6=false
fi
sudo mkdir -p $(dirname ${docker_config_file})
cat <<EOF | sudo tee $docker_config_file >/dev/null
{
$cluster_store_opts
$runtime_opts
"debug": ${debug},
"live-restore": ${live_restore},
"ipv6": ${ipv6},
"group": "$DOCKER_GROUP",
EOF
if [[ -n "$DOCKER_CGROUP_DRIVER" ]]; then
cat <<EOF | sudo tee -a $docker_config_file >/dev/null
"exec-opts": ["native.cgroupdriver=${DOCKER_CGROUP_DRIVER}"],
EOF
fi
cat <<EOF | sudo tee -a $docker_config_file >/dev/null
"hosts": [
"unix://$DOCKER_ENGINE_SOCKET_FILE",
"tcp://0.0.0.0:$DOCKER_ENGINE_PORT"
]
}
EOF
# NOTE(hongbin): We override ExecStart to workaround issue 22339.
# https://github.com/docker/docker/issues/22339
local docker_drop_in_file=/etc/systemd/system/docker.service.d/docker.conf
sudo mkdir -p $(dirname ${docker_drop_in_file})
cat <<EOF | sudo tee $docker_drop_in_file >/dev/null
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --config-file=$docker_config_file
Environment="HTTP_PROXY=$http_proxy" "HTTPS_PROXY=$https_proxy" "NO_PROXY=$no_proxy"
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker.service
}
function configure_containerd {
sudo mkdir -p $CONTAINERD_CONF_DIR
sudo chown -R $STACK_USER $CONTAINERD_CONF_DIR
stack_user_gid=$(getent group $STACK_USER | cut -d: -f3)
cat <<EOF | sudo tee $CONTAINERD_CONF >/dev/null
[grpc]
gid = $stack_user_gid
[debug]
level = "debug"
EOF
if [[ "$ENABLE_KATA_CONTAINERS" == "True" ]]; then
cat <<EOF | sudo tee -a $CONTAINERD_CONF >/dev/null
[plugins]
[plugins.cri]
[plugins.cri.containerd]
[plugins.cri.containerd.runtimes.${KATA_RUNTIME}]
runtime_type = "io.containerd.kata.v2"
EOF
fi
sudo systemctl --no-block restart containerd.service
}
function stop_docker {
sudo systemctl stop docker.service || true
}
function cleanup_docker {
uninstall_package docker-ce
rm -f $CONTAINERD_CONF
}
# TODO(hongbin): deprecate and remove clear container
function install_clear_container_ubuntu {
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/clearlinux:/preview:/clear-containers-2.1/xUbuntu_$(lsb_release -rs)/ /' >> /etc/apt/sources.list.d/cc-oci-runtime.list"
curl -fsSL http://download.opensuse.org/repositories/home:/clearlinux:/preview:/clear-containers-2.1/xUbuntu_$(lsb_release -rs)/Release.key | sudo apt-key add -
REPOS_UPDATED=False apt_get_update
apt_get install cc-oci-runtime
}
# TODO(hongbin): deprecate and remove clear container
function install_clear_container_fedora {
source /etc/os-release
local lsb_dist=${os_VENDOR,,}
if [[ "$lsb_dist" = "fedora" ]]; then
sudo -E dnf config-manager \
--add-repo \
http://download.opensuse.org/repositories/home:clearlinux:preview:clear-containers-2.1/Fedora\_$VERSION_ID/home:clearlinux:preview:clear-containers-2.1.repo
fi
yum_install cc-oci-runtime linux-container
}
function install_kata_container_ubuntu {
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/xUbuntu_${os_RELEASE}/ /' \
> /etc/apt/sources.list.d/kata-containers.list"
curl -sL http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/xUbuntu_${os_RELEASE}/Release.key \
| sudo apt-key add -
REPOS_UPDATED=False apt_get_update
apt_get install kata-runtime kata-proxy kata-shim
}
function install_kata_container_fedora {
source /etc/os-release
if [[ -x $(command -v dnf 2>/dev/null) ]]; then
sudo dnf -y install dnf-plugins-core
sudo -E dnf config-manager --add-repo \
"http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/Fedora_${VERSION_ID}/home:katacontainers:releases:$(arch):${KATA_BRANCH}.repo"
elif [[ -x $(command -v yum 2>/dev/null) ]]; then
# all rh patforms (fedora, centos, rhel) have this pkg
sudo yum -y install yum-utils
sudo -E yum-config-manager --add-repo \
"http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/CentOS_${VERSION_ID}/home:katacontainers:releases:$(arch):${KATA_BRANCH}.repo"
else
die $LINENO "Unable to find or auto-install Kata Containers"
fi
yum_install kata-runtime kata-proxy kata-shim
}
# Restore xtrace
$_XTRACE_DOCKER
View Git Blame Copy Permalink