- Removed hardcoded yum repository configuration in favor of
commands dynamically generated based on repo-url and repo-file
arguments. We maintain a sane default set of repositories.
- Added generic rpm_setup_config parameter to add support for
installing .rpm or .repo files before building containers.
Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
Implements: blueprint custom-repos
Change-Id: I1b3a7647a9e7239de3cd162cb6f464f05632bde1

We want to record kolla version of running containers to be able to
detect whether or not we need to perform certain downtime-causing
actions during upgrade.
Change-Id: Ie113029da98303e6809d56edbf6d8de37be128d7
Implements: blueprint record-version

The ceph master repository is slow and the centos build often fails due
to timeouts fetching the ceph repo GPG key.
Switching to a more reliable mirror should improve things.
Change-Id: I7eef31fa9d83413a7c12134d285b3d20d95805e8
Closes-Bug: 1525505

RDO provides all of the OpenStack services, clients, libs and their
dependencies self-contained in its repositories.
We have had users that were impacted by sudden updates from EPEL
when it was enabled because EPEL provided a more up-to-date version.
Packages may also be found in both the delorean and delorean-deps
repositories. yum-plugin-priorities will ensure the right package
candidates are chosen for installation.
Change-Id: I043ec1f60381dc7f5baab5f320ed5f1edde8ae82
Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1284978
Closes-bug: #1520620

Drop root privileges for mariadb. This isn't perfect. If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.
Any container that uses sudo suffers from some extra attack vector
related to the sudo command. That said, the sudo commands are
locked down to minimize harm.
Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root

The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in. I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.
Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root

RDO does not yet provide a CI tested Mitaka repository.
As such, the current-passed-ci repository is the last tested
repository before the stable/liberty branch was cut.
To be able to test against the latest packages, we need to
use the untested repositories until the CI tested repository
is in place.
TrivialFix
Change-Id: I4a125eb3c84fa790746a9a8eca19e4fb2d9ecf38

Register with RHEL on the host machine and use yum to setup
the repos in the container.
Change-Id: I38aaf43fffaf7a235e69b330d5d9f0f1be31fe83
Backport: Liberty
Closes-Bug: #1513088

This patch uses the EL7 binary bits for percona's software instead
of EL6. To match binary ABIs, it is recommended to use the same
major version of EL for CentOS.
backport: liberty
Change-Id: I1d2b146a036806c7fd2baef97a6ed861a570d26e
Partial-Fix: #1509281

The delorean repositories no longer have a separate location for
openvswitch. Now openvswitch is located in delorean-deps.repo
and the rest of delorean master is located in the delorean.repo
file. These files can be installed for both RDO and SOURCE, but
not for RHOS. This patch uses the install_metatype to make a
determination as to when to install these two repos. In the
process, we can remove the source RPM installation.
Change-Id: Ieedddd9d7ee234b6acdb03f7043d57c18e024951
Closes-Bug: #1508326

The default timeout for Ceph GPG rpm key retrieval is 30 seconds.
In my testing, the GPG key takes approximately 50 seconds to download,
often resulting in a failure to build containers that need to retrieve
the Ceph GPG sign key. Crank up the timer to 90 seconds so the key
is more likely to be downloaded, allowing images to be built.
backport: liberty
TrivialFix
Change-Id: I7420cdf8d3b61aa9f4f52795fccbe5da3e48d57b

Ceph packages need to be installed in nova, glance, and cinder.
Once that is done, Ceph works like a champ!
Change-Id: I296da1d04d0c1bcb729f22e65e432d53d561b49c
backport: liberty
Closes-Bug: #1505549

Make openstack-base optimized for from source builds for RPM based
distributions.
backport: liberty
Change-Id: I5f1056ebc09fd55cd5d46da7a09331e38940d888
Implements: blueprint openstack-common-container

The base image contains -d 10 in a yum command which prints unhelpful
debug output for one of the yum commands. Remove the extraneous debug
output.
backport: liberty
TrivialFix
This patch is a trivial fix and is a test to set boundaries on what
a trivial fix looks like that doesn't require a bug tracker entry. If
reviewers feel a trivial fix isn't documented properly by this commit
message, please weigh in, as this is a slight suggested change to our
policy as first instituted by the Magnum community and brought to my
attention by Jeff Peeler. Hopefully this compromise won't be abused :)
Change-Id: I57f00978d0baaefd73592f4ad6a655e663d83478

This brings Kolla images inline with FHS and should make finding
locations of things more consistent and reliable with the Linux world
at large.
Change-Id: Iece5b4da4bace0fb8b1f41a65ab2c852ec73e6f8
Closes-Bug: #1485742

The majority of the start.sh code is identical. This removes that
duplicate code while still maintaining the ability to call code in a
specific container.
The start.sh is moved into /usr/local/bin/kolla_start in the container.
The extend_start.sh script is called by the kolla_start script at the
location /usr/local/bin/kolla_extend_start . It always exists because
we create a noop kolla_extend_start in the base directory. We override
it with extend_start.sh in a specific image should we need to.
Of note, the neutron-agents container is exempt from this new
structure due to it being a fat container.
Additionally, we fix the inconsistent permissions throughout. 644 for
repo files and the scripts are set to 755 via a Docker RUN command to
ensure someone's local perm change won't break upstream containers.
Change-Id: I7da8d19965463ad30ee522a71183e3f092e0d6ad
Closes-Bug: #1501295