This apache module is necessary for when one wants to use TLS for the services running over httpd. This only addressed RHEL based systems at the moment, since there is no such package available for Ubuntu. This requires apache2.2-common which will carry a lot more dependencies; So I think this should be handled and decided in a separate patch. when installing mod_ssl in RHEL-based distributions, an ssl.conf file is installed in the /etc/httpd/conf.d directory. This file tells httpd to listen on port 443; however, we don't want to do this by default, since this should be explicitly enabled by the container's configuration. This line is thus removed from the configuration. A release note was added, which specifies this. And the last sentence can be removed if this is addressed for debian/ubuntu as well. Related-Bug: #1675490 Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: Id6215d31547247309d43c031e163fa9e4c4ec5dc
15 KiB
Building Container Images
The kolla-build
command is responsible for building
Docker images.
Note
When developing Kolla it can be useful to build images using files
located in a local copy of Kolla. Use the tools/build.py
script instead of kolla-build
command in all below
instructions.
Generating kolla-build.conf
Install tox and generate the build configuration. The build configuration is designed to hold advanced customizations when building containers.
Create kolla-build.conf using the following steps.
pip install tox
tox -e genconfig
The location of the generated configuration file is
etc/kolla/kolla-build.conf
, it can also be copied to
/etc/kolla
. The default location is one of
/etc/kolla/kolla-build.conf
or
etc/kolla/kolla-build.conf
.
Guide
In general, images are built like this:
kolla-build
By default, the above command would build all images based on CentOS image.
The operator can change the base distro with the -b
option:
kolla-build -b ubuntu
There are following distros available for building images:
- centos
- oraclelinux
- ubuntu
Warning
Fedora images are deprecated since Newton and will be removed in the future.
It is possible to build only a subset of images by specifying them on the command line:
kolla-build keystone
In this case, the build script builds all images whose name contains
the keystone
string along with their dependencies.
Multiple names may be specified on the command line:
kolla-build keystone nova
The set of images built can be defined as a profile in the
profiles
section of kolla-build.conf
. Later,
profile can be specified by --profile
CLI argument or
profile
option in kolla-build.conf
. Kolla
provides some pre-defined profiles:
infra
infrastructure-related imagesmain
core OpenStack imagesaux
auxiliary images such as trove, magnum, ironicdefault
minimal set of images for a working deploy
For example, due to Magnum requires Heat, following profile can be
add to profiles
section in kolla-build.conf
:
magnum = magnum,heat
These images can be built using command line :
kolla-build --profile magnum
Or put following line to DEFAULT
section in
kolla-build.conf
:
profile = magnum
kolla-build
uses kolla
as default Docker
namespace. This is controlled with the -n
command line
option. To push images to a Dockerhub repository named
mykollarepo
:
kolla-build -n mykollarepo --push
To push images to a local registry<deploy_a_registry>
, use
--registry
flag:
kolla-build --registry 172.22.2.81:5000 --push
The build configuration can be customized using a config file, the
default location being one of /etc/kolla/kolla-build.conf
or etc/kolla/kolla-build.conf
. This file can be generated
using the following command:
tox -e genconfig
Build OpenStack from source
When building images, there are two methods of the OpenStack install.
One is binary
. Another is source
. The
binary
means that OpenStack will be installed from apt/yum.
And the source
means that OpenStack will be installed from
source code. The default method of the OpenStack install is
binary
. It can be changed to source
using the
-t
option:
kolla-build -t source
The locations of OpenStack source code are written in
etc/kolla/kolla-build.conf
. Now the source type supports
url
, git
, and local
. The location
of the local
source type can point to either a directory
containing the source code or to a tarball of the source. The
local
source type permits to make the best use of the
Docker cache.
etc/kolla/kolla-build.conf
looks like:
[glance-base]
type = url
location = http://tarballs.openstack.org/glance/glance-master.tar.gz
[keystone]
type = git
location = https://git.openstack.org/openstack/keystone
reference = stable/mitaka
[heat-base]
type = local
location = /home/kolla/src/heat
[ironic-base]
type = local
location = /tmp/ironic.tar.gz
To build RHEL containers, it is necessary to include registration with RHN of the container runtime operating system. To obtain a RHN username/password/pool id, contact Red Hat. Use a template's header block overrides file, add the following:
RUN subscription-manager register --user=<user-name> \
--password=<password> && subscription-manager attach --pool <pool-id>
Dockerfile Customisation
As of the Newton release, the kolla-build
tool provides
a Jinja2 based mechanism which allows operators to customise the
Dockerfiles used to generate Kolla images.
This offers a lot of flexibility on how images are built, e.g. installing extra packages as part of the build, tweaking settings, installing plugins, and numerous other capabilities. Some of these examples are described in more detail below.
Generic Customisation
Anywhere the line {% block ... %}
appears may be
modified. The Kolla community have added blocks throughout the
Dockerfiles where we think they will be useful, however, operators are
free to submit more if the ones provided are inadequate.
The following is an example of how an operator would modify the setup steps within the Horizon Dockerfile.
First, create a file to contain the customisations, e.g.
template-overrides.j2
. In this place the following:
{% extends parent_template %}
# Horizon
{% block horizon_redhat_binary_setup %}
RUN useradd --user-group myuser
{% endblock %}
Then rebuild the horizon image, passing the
--template-override
argument:
kolla-build --template-override template-overrides.j2 horizon
Note
The above example will replace all contents from the original block. Hence in many cases one may want to copy the original contents of the block before making changes.
More specific functionality such as removing/appending entries is available for packages, described in the next section.
Package Customisation
Packages installed as part of a container build can be overridden, appended to, and deleted. Taking the Horizon example, the following packages are installed as part of a binary install type build:
openstack-dashboard
httpd
mod_wsgi
mod_ssl
gettext
To add a package to this list, say, iproute
, first
create a file, e.g. template-overrides.j2
. In this place
the following:
{% extends parent_template %}
# Horizon
{% set horizon_packages_append = ['iproute'] %}
Then rebuild the horizon image, passing the
--template-override
argument:
kolla-build --template-override template-overrides.j2 horizon
Alternatively template_override
can be set in
kolla-build.conf
.
The append
suffix in the above example carries special
significance. It indicates the operation taken on the package list. The
following is a complete list of operations available:
- override
-
Replace the default packages with a custom list.
- append
-
Add a package to the default list.
- remove
-
Remove a package from the default list.
Using a different base image
Base-image can be specified by argument --base-image
.
For example:
kolla-build --base-image registry.access.redhat.com/rhel7/rhel --base rhel
Plugin Functionality
The Dockerfile customisation mechanism is also useful for adding/installing plugins to services. An example of this is Neutron's third party L2 drivers.
The bottom of each Dockerfile contains two blocks,
image_name_footer
, and footer
. The
image_name_footer
is intended for image specific
modifications, while the footer
can be used to apply a
common set of modifications to every Dockerfile.
For example, to add the networking-cisco
plugin to the
neutron_server
image, add the following to the
template-override
file:
{% extends parent_template %}
{% block neutron_server_footer %}
RUN git clone https://git.openstack.org/openstack/networking-cisco \
&& pip --no-cache-dir install networking-cisco
{% endblock %}
Astute readers may notice there is one problem with this however.
Assuming nothing else in the Dockerfile changes for a period of time,
the above RUN
statement will be cached by Docker, meaning
new commits added to the Git repository may be missed on subsequent
builds. To solve this the Kolla build tool also supports cloning
additional repositories at build time, which will be automatically made
available to the build, within an archive named
plugins-archive
.
Note
The following is available for source build types only.
To use this, add a section to
/etc/kolla/kolla-build.conf
in the following format:
[<image>-plugin-<plugin-name>]
Where <image>
is the image that the plugin should
be installed into, and <plugin-name>
is the chosen
plugin identifier.
Continuing with the above example, add the following to
/etc/kolla/kolla-build.conf
:
[neutron-server-plugin-networking-cisco]
type = git
location = https://git.openstack.org/openstack/networking-cisco
reference = master
The build will clone the repository, resulting in the following archive structure:
plugins-archive.tar
|__ plugins
|__networking-cisco
The template now becomes:
{% block neutron_server_footer %}
ADD plugins-archive /
pip --no-cache-dir install /plugins/*
{% endblock %}
Additions Functionality
The Dockerfile customisation mechanism is also useful for adding/installing additions into images. An example of this is adding your jenkins job build metadata (say formatted into a jenkins.json file) into the image.
The bottom of each Dockerfile contains two blocks,
image_name_footer
, and footer
. The
image_name_footer
is intended for image specific
modifications, while the footer
can be used to apply a
common set of modifications to every Dockerfile.
For example, to add the jenkins.json
additions to the
neutron_server
image, add the following to the
template-override
file:
{% extends parent_template %}
{% block neutron_server_footer %}
RUN cp /additions/jenkins/jenkins.json /jenkins.json
{% endblock %}
Astute readers may notice there is one problem with this however.
Assuming nothing else in the Dockerfile changes for a period of time,
the above RUN
statement will be cached by Docker, meaning
new commits added to the Git repository may be missed on subsequent
builds. To solve this the Kolla build tool also supports cloning
additional repositories at build time, which will be automatically made
available to the build, within an archive named
additions-archive
.
Note
The following is available for source build types only.
To use this, add a section to
/etc/kolla/kolla-build.conf
in the following format:
[<image>-additions-<additions-name>]
Where <image>
is the image that the plugin should
be installed into, and <additions-name>
is the chosen
additions identifier.
Continuing with the above example, add the following to
/etc/kolla/kolla-build.conf
:
[neutron-server-jenkins]
type = local
location = /path/to/your/jenkins/data
The build will copy the directory, resulting in the following archive structure:
additions-archive.tar
|__ additions
|__jenkins
The template now becomes:
{% block neutron_server_footer %}
ADD additions-archive /
RUN cp /additions/jenkins/jenkins.json /jenkins.json
{% endblock %}
Custom Repos
Red Hat
The build method allows the operator to build containers from custom
repos. The repos are accepted as a list of comma separated values and
can be in the form of .repo
, .rpm
, or a url.
See examples below.
Update rpm_setup_config
in
/etc/kolla/kolla-build.conf
:
rpm_setup_config = https://trunk.rdoproject.org/centos7/currrent/delorean.repo,https://trunk.rdoproject.org/centos7/delorean-deps.repo
If specifying a .repo
file, each .repo
file
will need to exist in the same directory as the base Dockerfile
(kolla/docker/base
):
rpm_setup_config = epel.repo,delorean.repo,delorean-deps.repo
Ubuntu
For Debian based images, additional apt sources may be added to the build as follows:
apt_sources_list = custom.list
Known issues
Can't build base image because Docker fails to install systemd or httpd.
There are some issues between Docker and AUFS. The simple workaround to avoid the issue is that add
-s devicemapper
or-s btrfs
toDOCKER_OPTS
. Get more information about the issue from the Docker bug tracker and how to configure Docker with BTRFS back end.Mirrors are unreliable.
Some of the mirrors Kolla uses can be unreliable. As a result occasionally some containers fail to build. To rectify build problems, the build tool will automatically attempt three retries of a build operation if the first one fails. The retry count is modified with the
--retries
option.
Kolla-ansible with Local Registry
To make kolla-ansible pull images from a local registry, set
"docker_registry"
to "172.22.2.81:5000"
in
"/etc/kolla/globals.yml"
. Make sure Docker is allowed to
pull images from insecure registry. See Docker Insecure Registry Config <deploy_a_registry>
.
Building behind a proxy
We can insert http_proxy settings into the images to fetch packages during build, and then unset them at the end to avoid having them carry through to the environment of the final images. Note however, it's not possible to drop the info completely using this method; it will still be visible in the layers of the image.
To set the proxy settings, we can add this to the template's header block:
ENV http_proxy=https://evil.corp.proxy:80
ENV https_proxy=https://evil.corp.proxy:80
To unset the proxy settings, we can add this to the template's footer block:
ENV http_proxy=""
ENV https_proxy=""
Besides this configuration options, the script will automatically read these environment variables. If the host system proxy parameters match the ones going to be used, no other input parameters will be needed. These are the variables that will be picked up from the user env:
HTTP_PROXY, http_proxy, HTTPS_PROXY, https_proxy, FTP_PROXY,
ftp_proxy, NO_PROXY, no_proxy
Also these variables could be overwritten using
--build-args
, which have precedence.