A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:
type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
systemd's DynamicUser= feature, provide Lookup API via Varlink).
The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf 2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@
# group: db files
# In order of likelihood of use to accelerate lookup.
-passwd: sss files systemd
+passwd: sss files
shadow: files sss
-group: sss files systemd
+group: sss files
hosts: files dns myhostname
services: files sss
netgroup: sss
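Review bot: the hosts line left as context at the end of this hunk still lists myhostname, which is also an NSS module shipped by systemd, while only the passwd and group lines lose their systemd entry. Say in the commit message whether keeping myhostname is deliberate, and include the sed expression itself next to this diff so the result can be reproduced and checked against nsswitch.conf files where systemd is not the last entry on the line.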
Related-Bug: #1883849
Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
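An added example, not the sed expression from the Kolla change (which the commit message does not show): one way to drop the systemd source from the passwd and group databases and to verify the result in an image build. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers; not Kolla's own code.

# Remove the whole-word source "systemd" from active passwd:/group: lines.
# Commented lines and other databases (shadow, hosts, ...) are left alone.
# A backup of the original file is kept as <file>.orig.
strip_nss_systemd() {
    sed -E -i.orig \
        '/^(passwd|group):/ s/[[:space:]]+systemd([[:space:]]|$)/\1/g' "$1"
}

# Succeeds (returns 0) only when no active passwd:/group: line still
# references the systemd source; usable as a build-time or CI check.
nss_systemd_absent() {
    ! grep -Eq '^(passwd|group):.*[[:space:]]systemd([[:space:]]|$)' "$1"
}

# Constructed sample modelled on the nsswitch.conf lines in the diff above.
make_sample() {
    cat > "$1" <<'EOF'
# group: db files
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
strip_nss_systemd "$tmp"
nss_systemd_absent "$tmp" && echo "passwd/group no longer use nss-systemd"
grep -E '^(passwd|group|hosts):' "$tmp"
rm -f "$tmp" "$tmp.orig"
```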
This variable won't be used by Kolla Ansible once change
Ia786d037f5484f18294188639c956d4ed5ffbc2a is merged.
Change-Id: I600e24896e74496f05387183c10d6c8c6bbbb17b
Depends-On: https://review.opendev.org/735617
CentOS 8.2 has Erlang and RabbitMQ available in 'messaging/rabbitmq-38'
repository. We use it to grab Erlang while RabbitMQ comes from upstream
(like on x86-64).
Change-Id: I2559267d120081f2e5eabc9d966b019517a5ad5d
Debian packages are different from Ubuntu packages.
Differences in /etc/openstack-dashboard:
- Symlinking {{ python_path }}/openstack_dashboard/local/enabled/ -> /etc/openstack-dashboard/enabled
- Symlinking {{ python_path }}/openstack_dashboard/local_settings.d/ -> /etc/openstack-dashboard/local_settings.d
- Symlinking {{ python_path }}/openstack_dashboard/conf/ -> /etc/openstack-dashboard/policy
Every dashboard-plugin Debian package copies its policy files, local_settings and enabled files to the above locations.
Every dashboard plugin triggers dpkg and collect-static; compress is done by the openstack-dashboard package.
Kolla has to remove all these Debian packages' configs and provide Kolla configs.
Also move /etc/openstack-dashboard/policy to the standard location and delete the symlink, as kolla-ansible overrides
the default policy files path to /etc/openstack-dashboard/.
Change-Id: Ieca15bdb315d52e9547d798df11641ef36485b26
Depends-On: https://review.opendev.org/733612
We need to be sure that we use exact same version every time. So fetch
upper-constraints.txt file earlier and use it while installing
virtualenv package.
Change-Id: I61711a878b2bda9f0d2e88966f13121dfcddfda7
In the CentOS 8 images, Storm fails to start since it cannot find
Python. This patch ensures that it can by setting the PYTHON env
var.
Change-Id: If6663b2f6dfadfd6a6db5e4aaca4eb782b87161f
Closes-Bug: #1876461
If they are available then we do not need to build them. Especially
AArch64 jobs will speed up (once wheels are built).
Change-Id: I79af6c37950e156018a9204fbcc7417cd7d41012
OpenStack tarballs are hosted on tarballs.opendev.org.
tarballs.openstack.org is just a redirect.
This change switches the tarballs-base configuration option to
https://tarballs.opendev.org. Since the new site is namespaced, we need
to add openstack/ to the URL path, or in some cases x/.
The following projects now publish under the x/ namespace:
* networking-ansible
* networking-mlnx
* vmware-nsx
* vmware-nsxlib
This reverts commit 1c2ee4993d, adapting
it to the master branch instead of stable/ussuri.
Change-Id: If9bd73a2e758c9da87f9a9a60fe075d807e3ca00
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
This plugin [1,2] supports a number of use cases which are likely
to be useful out of the box to users enabling either Monasca or
Prometheus:
1. As a system admin I want to monitor the status of Fluentd
to ensure that it is functioning normally.
2. As a system admin I want to know the time to response for
calls made to endpoints defined in HAProxy.
[1] https://docs.fluentd.org/deployment/monitoring-prometheus
[2] https://github.com/fluent/fluent-plugin-prometheus
Change-Id: I9790cd6c9d142a4a3ced6d5c9a9af621c3892eb0
OVS images which are based on CentOS miss the libibverbs package.
This PS adds the package to the neutron-ovs-agent and ovs-base
images.
Closes-Bug: 1882863
Change-Id: I3e307efc43f934a944a91d5d131a11f607411df2
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
Update Sphinx version as well.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Set openstackdocs_auto_name to use 'project' as name.
Change-Id: I138d51ace230a434e76fbe9fbbe97e53212230f3
It's still using a temporary mirror in RDO infra, but now that packages
are properly synced to CentOS mirrors, let's switch to use it.
Change-Id: I913efffe6a1d8a0210b1158261c77d0d45ac3147