Since change I1bc19f8198da3f9ab2ae2a8864c3349b21b0249e we install the
centos-release-ceph-reef package as a dependency, but some code was
still expecting the quincy package.
Change-Id: I8ebcf815d80f3bead25e0078d69b34e17ad013bd
In the aarch64 image build,
use debian_arch to determine packages of different architectures.
Closes-Bug: #2036874
Change-Id: Ic86e6c22840f658bb68387aac688918d4db1f766
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
Tim Shearer started it in 1d96a2bbe1b536b7d7f4cdbf55c6dabae6d058ae.
Since all extend_start files are sourced rather than executed, the executable
bits are now cleared throughout the project.
Change-Id: Ia1797c32fc6a35f9f077c673abf4d8e16e51a760
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
This change adds and unifies an ability to override hardcoded URLs for
air-gapped environments via the usual blocks mechanism. Also, this
change replaces ENV with ARG instruction for the variables used only
in building images, and uses bash variable expansion where it possible.
This change is a continuation of the I46b77978926fc2b578a68d1aaa944b2198af0685
Change-Id: I1fbad333b1bc95484e6f4c5145d5936a0e2db84f
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
With RDO use we did not disabled some repositories. This patch disable
them and enable where needed.
Change-Id: Ia9d537fe9c1ad54789d2bfb4027254fbb3defe7e
This reverts commit 61def281d077f88051d1b1a14dfdbfabac036c8c.
Reason for revert: --location was already in curlrc and it was unified in change I46b77978926fc2b578a68d1aaa944b2198af0685
Change-Id: I066d747400ede30037ff324ad55430af7c35dc18
-L for curl: If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place
It fixes build error for me:
INFO:kolla.common.utils.prometheus-v2-server: ---> Running in 693fd4095c77
INFO:kolla.common.utils.prometheus-v2-server:curl (https://github.com/prometheus/prometheus/releases/download/v2.23.0/prometheus-2.23.0.linux-amd64.tar.gz): response: 302, time: 0.166583, size: 640
INFO:kolla.common.utils.prometheus-v2-server:
INFO:kolla.common.utils.prometheus-v2-server:gzip: stdin: not in gzip format
INFO:kolla.common.utils.prometheus-v2-server:
INFO:kolla.common.utils.prometheus-v2-server:tar: Child returned status 1
INFO:kolla.common.utils.prometheus-v2-server:tar: Error is not recoverable: exiting now
Change-Id: I095ca6f34cc7c7bca485e9ec019cc52aeb8e3ff4
Currently we use couple of curl options throughout Dockerfiles, this change
adds all common options to curlrc (-sSLf) and removes usage of those in
Dockerfiles.
Change-Id: I46b77978926fc2b578a68d1aaa944b2198af0685
This is a follow-up on "Refactor httpd install to base image"
[1].
It seems a copy-paste algorithm was used to craft Dockerfiles
for some httpd-enabled services which resulted in an abundance of
ldappool packages getting installed, even in the 'source' case.
This seems to have also kept ldappool at a lower version because
it did not get updated via pip later.
This patch deals with that and also moves ldap deps for Keystone
to their proper place in 'source' case (extras).
Note Keystone client gets installed in openstack-base.
Cinder does not need to include Keystone either.
[1] https://review.opendev.org/744037
Change-Id: I017d7a6a5d2b1ae6c04556dcf172453a36de5be7
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
Zun-cni-daemon is a new process for implementing CNI plugin for Zun.
It will be used by CRI runtime to connect podsandbox to neutron.
This image is based on the zun base image and includes additional
packages such as openvswitch.
Needed-By: https://review.opendev.org/#/c/708213/
Change-Id: Ic82c59a5e78078b4fea10df9d30b35da14cad922
Storage SIG has built Ceph Nautilus and Ganesha for CentOS8 in CentOS
Build System.
Let's switch to use them in kolla.
Change-Id: Id37dca84c4eb918aaf2d3c036ef5387fe75988dd
The only Ceph version that will support CentOS 8 is Octopus.
It will be released end of March 2020 - so for now let's use master.
Change-Id: I5955acb41e7346802d76f4f2b244cbf5c36f5bf2
Partially-Implements: blueprint centos-rhel-8
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.
Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.
Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
Disable external repositories by default and enable only when needed.
Depends-on: https://review.opendev.org/696480
Implements: blueprint repos-off-by-default
Change-Id: Icf2a8397a8349e0fe849d88d160409fd234480a9
This lets Zun containers use Cinder volumes.
Zun-compute formats attached block devices.
ext* and xfs are the most common filesystems and have tools
included in other relevant images.
In case of Ceph ceph-common is required for rbd attachment.
iSCSI is supported via packages installed in base.
Change-Id: Ib094ae8fcc8468949b3cd162a1cedba3fdfd3a47
Related-bug: #1797448
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
These run lspci and have this requirement in respective bindeps.
CentOS images seem to have it installed but Ubuntu not.
Ensure pciutils package is always installed.
zun-compute seemed to work nonetheless but generated errors
about being unable to take host inventory.
cyborg-agent is unknown to work at all and deb is unbuildable.
Change-Id: Iebc1f2c05c1f57c2b6f98ca9772f1ae9d9a420fa
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Commit 43b74ccc157c0b50138c3785ed91dab504895571 enabled use of Python 3
based packages but not switched to use Python 3.
Some of images still contain Python 2. There are two reasons:
- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04
In Ceph situation Py3 packages were added. For second one we can not do
anything - Py2 dependency got dropped in Ubuntu 18.10 version.
Removed neutron-server-plugin-networking-infoblox due to being not
maintained. Once https://review.opendev.org/#/c/657578/ get merged
someone may revert that part.
Implements: blueprint debian-ubuntu-python3
Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026
Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
Ubuntu/source deployment of several images (horizon, placement-api, zun)
failed with:
+ exec /usr/sbin/apache2 -DFOREGROUND
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
Change-Id: Ie2a1077f7def0743f1403341985e2109aa490026
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
Zun compute needs to access the docker socket for API call.
The socket is owned by 'docker' group and the zun-compute process
is owned by 'zun' user. In order to allow the access, this commit
add zun user to docker group.
Change-Id: Ifa7d399242dddf8d07f8b495b344752131a0f110
It looks zun-api needs root permission to run under apache2.
Otherwise, the zun process will have problem to write to
apache2 logs.
Change-Id: I8b201fc70b8347be9869d7e6bf1eec00d8a32d6e
Zun processes were run as user 'root' in before. This is undesirable
for several reasons (i.e. security, privsep). This patch make the
Zun processes run as 'zun' user, which aligns with the practice of
other containers.
Change-Id: I0d3111f0ca6301d6f22410fe5fd5a2dbf586e691
Closes-Bug: #1787760
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.
Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
zun needs to start zun-wsproxy service to provide the container attach
feature(the container console on horizon), so a standalone docker image
is required.
Change-Id: I24d1b4a7b63c3bc86705269bda50fa2e3bdb9fab
- dind need setuptools to install docker
through pip in binary install
- oraclelinux fails to install due opstools
repo and openstack mitaka repos missing.
- zun removed moved nova out of etc because is not
used. 6dc2866167
Change-Id: Ic4eb0f2e97a108be3c854c95eede27b5cd411b5c
Closes-Bug: #1716952
centos based images have wrong label info,
these changes fix own image's name and build-date.
Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
Zun uses wsgi to start process.
Rework zun-base image to make use of wsgi.
Create zun user with macros to maintain static uids.
Zun compute need root to connect docker
Change-Id: Idd417e1b804148543ee5f403a836fa1f3e6f7fb0
Closes-Bug: #1682142
Use LABEL instruction instead of MAINTAINER (deprecated) instruc-
tion as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated
Closes-Bug: #1683652
Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)
Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7
