A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:
type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
SystemD's DynamicUser= feature, provides Lookup API via Varlink)
The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf 2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@
# group: db files
# In order of likelihood of use to accelerate lookup.
-passwd: sss files systemd
+passwd: sss files
shadow: files sss
-group: sss files systemd
+group: sss files
hosts: files dns myhostname
services: files sss
netgroup: sss
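Review bot: the sed expression the message relies on ("The sed regex gives us the wanted results") is not quoted, so from this hunk alone a reviewer cannot confirm that it is anchored to the `passwd:` and `group:` keys rather than matching the bare word `systemd` anywhere in the file; the visible context lines (`shadow: files sss`, `hosts: files dns myhostname`, `services: files sss`) happen not to contain that token, which is why they are unchanged here. Please include the sed command in the commit message (or in a comment next to it in the Dockerfile template) so the intended scope, `passwd` and `group` only, is documented and can be rechecked if the base image's nsswitch.conf later gains `systemd` on another database line.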
Related-Bug: #1883849
Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
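The transformation this commit describes, as an added example that is not part of the commit and not kolla's own sed-based implementation: a small Python version that removes the `systemd` source from the `passwd` and `group` databases only, leaves comments and other databases untouched, and also drops a `[...]` action token that qualified the removed source. It adds a check that lists any database still consulting the module, which is the post-change verification a reviewer would want. The sample nsswitch.conf text is constructed to mirror the hunk above, and the function names (`strip_module`, `databases_using`) are mine.

```python
import re

# Constructed sample modelled on the hunk quoted in the commit message,
# not a copy of the real /etc/nsswitch.conf from the image.
SAMPLE_NSSWITCH = """\
# In order of likelihood of use to accelerate lookup.
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
"""

# database name, the whitespace after the colon, and the source list
LINE_RE = re.compile(r"^(?P<db>[A-Za-z_]+):(?P<ws>\s*)(?P<sources>.*)$")


def strip_module(text, module, databases):
    """Return `text` with `module` removed from the source list of every
    database named in `databases`. Comment lines and other databases are
    passed through unchanged. An action token such as [NOTFOUND=return]
    that directly follows the removed source is dropped with it, since
    nsswitch ties an action to the source before it."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("db") not in databases:
            out.append(line)
            continue
        kept, drop_action = [], False
        for tok in m.group("sources").split():
            if drop_action and tok.startswith("["):
                drop_action = False
                continue
            drop_action = False
            if tok == module:
                drop_action = True
                continue
            kept.append(tok)
        out.append(f"{m.group('db')}:{m.group('ws')}{' '.join(kept)}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def databases_using(text, module):
    """Post-change check: which databases still consult `module`."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and module in m.group("sources").split():
            found.append(m.group("db"))
    return found


if __name__ == "__main__":
    new = strip_module(SAMPLE_NSSWITCH, "systemd", ("passwd", "group"))
    print(new)
    print("still using systemd:", databases_using(new, "systemd"))
```

Restricting the rewrite to named databases is deliberate: a pattern that deleted the bare word `systemd` anywhere would also touch a future line such as `gshadow` or a comment, whereas this version changes exactly the keys the commit intends and nothing else.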
CentOS 8.2 has Erlang and RabbitMQ available in 'messaging/rabbitmq-38'
repository. We use it to grab Erlang while RabbitMQ comes from upstream
(like on x86-64).
Change-Id: I2559267d120081f2e5eabc9d966b019517a5ad5d
It's still using a temporary mirror in RDO infra, but now that packages
are properly synced to CentOS mirrors, let's switch to using them.
Change-Id: I913efffe6a1d8a0210b1158261c77d0d45ac3147
'messaging-rabbitmq' and 'opstools' are enabled by the RDO
delorean-deps.repo file.
'influxdb' was also enabled
Depends-On: https://review.opendev.org/728687
Change-Id: Ibb0a7edc9e5632c1b89a7d52601f55a223b49dfb
There is a repo with binary packages for Ussuri. Let us use them instead
of Train ones.
amd64 only
Change-Id: I071eebc4f60094d881a68e201e8c3bb6e6742ff5
This is a follow up to I8b52b2630a72393bf4b9c7095fc67db6c36c27fa, which
upgraded elasticsearch and kibana to 6.x. It did not enable the
repositories or images for CentOS 8 however.
This change enables elasticsearch and kibana images for CentOS 8.
Change-Id: I7b375e493380c4e3d6b8c7b6f5ebc57c1b73043f
Related: blueprint elasticsearch-kibana-version-upgrade
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
Upgrade and pin RabbitMQ to 3.8.
Upgrade Erlang to 22 to meet requirements:
https://www.rabbitmq.com/which-erlang.html
Start using the bintray repository provided by RabbitMQ.
Linaro builds will be used for aarch64.
Implements: blueprint rabbitmq-version-upgrade
Closes-Bug: #1848452
Change-Id: I3d775fd832f2603181da89009cebc1370a61a023
Adds collectd-dpdk_telemetry and collectd-logparser packages
to collectd RHEL-based image. dpdk_telemetry plugin collects DPDK
ethernet device metrics via the dpdk_telemetry library. Logparser is a
plugin for filtering and parsing log messages.
Change-Id: I0c7c94e9fae9d11660f938b8d7d6be0f270c972f
The upstream kibana package contains NodeJS x86-64 binaries so it cannot be
used directly on non-x86 architectures. I took the upstream packages,
removed the NodeJS binary from them and added a 'nodejs' dependency.
The package is present in my Linaro OBS repository where I keep other
packages needed for aarch64 kolla runs. Via APT pinning I mark them as
not wanted so they are not used on any architecture, with two exceptions:
1. libvirt - we need a fixed version to be able to use ThunderX servers
2. kibana - to be able to run it at all
For x86-64 the upstream kibana package is used.
Closes-bug: #1867365
Change-Id: I456402849022100bde1fffdfbf6292b35690f0f2
Storage SIG has built Ceph Nautilus and Ganesha for CentOS 8 in the CentOS
Build System.
Let's switch to using them in kolla.
Change-Id: Id37dca84c4eb918aaf2d3c036ef5387fe75988dd
The disable_extra_repos macro accepts a list as its only argument. We
were calling it like this to disable EPEL:
disable_extra_repos('epel')
The macro interpreted this as a request to disable three repos, e, p, l.
Thanks Python! Type validation to be improved separately.
Additionally, on CentOS 8 the EPEL repository was not included in the
repository mapping file, repos.yaml. There is also another EPEL
repository on CentOS 8, epel-modular, which is enabled by default after
installing epel-release.
This change adds mappings for epel and epel-modular repos to repos.yaml,
and fixes the disabling of epel in the base image, as well as disabling
epel-modular.
There are some cases where EPEL is still used (it seemed a bit too
easy...), and the repository has been enabled for these images:
* bifrost-base (nginx)
* ironic-conductor (C7 only, shellinabox)
* freezer-base (C7 only, trickle)
* gnocchi-base (C8 binary only, python3-boto3)
* mariadb (pv)
* mongodb (C7 only, mongodb)
* nova-spicehtml5proxy (C7 only, spice-html5)
* telegraf (C7 only, python2-pip)
A few other things were changed:
* ironic-conductor does not require the ceph repo
* python3-pika is no longer installed in the openstack-base image
Related: blueprint remove-epel
Change-Id: I3761825239dfc462072383cde6276c4fb3e1bf12
Turns out that upstream provides repos also for aarch64.
The CentOS one is not usable due to the wrong arch name being used (arm64
instead of aarch64).
Change-Id: I1b4ef1fae0914d6826af5456cc9ea53bb26972ee
The only Ceph version that will support CentOS 8 is Octopus.
It will be released at the end of March 2020 - so for now let's use master.
Change-Id: I5955acb41e7346802d76f4f2b244cbf5c36f5bf2
Partially-Implements: blueprint centos-rhel-8
- Fix td-agent repo URL for fluentd. $releasever and $basearch variables
were escaped in the repo URL.
- Disable repo_gpgcheck for RabbitMQ. The rabbitmq-server 3.7 packages
on packagecloud are not signed, which is why we have gpgcheck=0 for
that repo. Previously repo_gpgcheck was set to 1, but this breaks DNF
which does not seem to accept keys imported by rpm --import for
signing a repo (as opposed to packages). This causes it to prompt
during package install, which does not work without a terminal in the
build container. This should be temporary as we will upgrade RabbitMQ
to 3.8 soon.
- Add InfluxDB repo back to list of repos to disable.
Change-Id: Ibbb720390ff17e11249a5aa77163c15c0971209a
Partially-Implements: blueprint centos-rhel-8
It turned out that since we commented out the mangling of system-wide Python
packages nothing broke. So let's get rid of that part.
Change-Id: I9e3a4424c584fb14cca50bb0b9392f7227161acc
So far we built the 'base' image using upstream mirrors and then replaced
them with OpenStack infra ones. Let's do that right after we copy our own
APT sources.list file.
Change-Id: Icb745f628c1c50d9f20df022b08ddc46fccc270c
Adds support to the base and openstack-base images for CentOS 8.
These images have been removed from the list of unbuildable images, and
replaced with all dependent images.
Change-Id: I18fba8a5c2f99b700990cbf41c76077a1ec2408a
Partially-Implements: blueprint centos-rhel-8
In CentOS/RHEL 8 there is no scsi-target-utils package, nor is it
available in EPEL. In RHEL 7 and beyond the LIO kernel subsystem can be
used instead of the tgtd daemon.
This change removes support for the SCSI target daemon on CentOS/RHEL 8.
The 'tgtd' image is no longer available for CentOS/RHEL 8.
Change-Id: I56f230d66f75dd0546325676278f91579f08c822
Signed-off-by: Maciej Kucia <maciej@kucia.net>
Co-Authored-By: Maciej Kucia <maciej@kucia.net>
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Related: blueprint centos-rhel-8
Depends-On: https://review.opendev.org/631479/
Our images use 'scsi-target-utils' from EPEL and then can be built
without it. So let's disable this repository right after installing the
package from it.
Images can enable EPEL with the 'enable_extra_repos' macro.
Also added a 'disable_extra_repos' macro as we have some images in need of it.
Change-Id: Id70474e7602b531b63fdc11ae690fd9ed33def74
For the infra images work we need the 'base' image to be 'install_type'
agnostic. So it will be the same when built for the 'binary' or 'source'
install type.
Change-Id: Ied4a00e8866560d39004a34d6857ac62e22e2c0c
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.
Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.
Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
In the past we were building 'dumb-init' from source. Then in commit
f8fd560561 we moved to using binaries from
Debian packages instead. With keeping compiler...
Now Travis CI supports all architectures we care about. So dumb-init
upstream built all binaries for us.
Goodbye compiler stuff. 115 megabytes saved.
Change-Id: I08e0e564908e6abb279a73f08cad4c851395ca47
Disable external repositories by default and enable only when needed.
Depends-on: https://review.opendev.org/696480
Implements: blueprint repos-off-by-default
Change-Id: Icf2a8397a8349e0fe849d88d160409fd234480a9