kolla/docker/base/Dockerfile.j2

461 lines
15 KiB
Django/Jinja
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

FROM {{ base_image }}:{{ base_distro_tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
# We use curl in this dockerfile so let configure it before first use
COPY curlrc /root/.curlrc
{% block base_lang %}
# NOTE(yoctozepto): use a UTF-8 (Unicode) locale like standard image installs do
# fixes issues arising from ascii fallback usage
ENV LANG en_US.UTF-8
{% endblock %}
{# NOTE(SamYaple): Avoid uid/gid conflicts by creating each user/group up front. #}
{# Specifics required such as homedir or shell are configured within the service specific image #}
{%- for name, user in users | dictsort() %}
{% if loop.first -%}RUN {% else %} && {% endif -%}
groupadd --force --gid {{ user.gid }} {{ name }} \
&& useradd -l -M --shell /usr/sbin/nologin --uid {{ user.uid }} --gid {{ user.gid }} {{ name }}
{%- if not loop.last %} \{% endif -%}
{%- endfor %}
LABEL kolla_version="{{ kolla_version }}"
{% import "macros.j2" as macros with context %}
{% block base_header %}{% endblock %}
ENV KOLLA_BASE_DISTRO={{ base_distro }} \
KOLLA_INSTALL_TYPE={{ install_type }} \
KOLLA_INSTALL_METATYPE={{ install_metatype }} \
KOLLA_DISTRO_PYTHON_VERSION={{ distro_python_version }} \
KOLLA_BASE_ARCH={{ base_arch }}
#### Customize PS1 to be used with bash shell
COPY kolla_bashrc /tmp/
RUN cat /tmp/kolla_bashrc >> /etc/skel/.bashrc \
&& cat /tmp/kolla_bashrc >> /root/.bashrc
# PS1 var when used /bin/sh shell
ENV PS1="$(tput bold)($(printenv KOLLA_SERVICE_NAME))$(tput sgr0)[$(id -un)@$(hostname -s) $(pwd)]$ "
{% if base_package_type == 'rpm' %}
# For RPM Variants, enable the correct repositories - this should all be done
# in the base image so repos are consistent throughout the system. This also
# enables to provide repo overrides at a later date in a simple fashion if we
# desire such functionality. I think we will :)
RUN CURRENT_DISTRO_RELEASE=$(awk '{match($0, /[0-9]+/,version)}END{print version[0]}' /etc/system-release); \
if [ $CURRENT_DISTRO_RELEASE != "{{ supported_distro_release }}" ]; then \
echo "Only releases '{{ supported_distro_release }}' are supported on {{ base_distro }}"; false; \
fi \
&& cat /tmp/kolla_bashrc >> /etc/bashrc \
&& sed -i 's|^\(override_install_langs=.*\)|# \1|' /etc/dnf/dnf.conf
{% block base_dnf_conf %}
{% block base_yum_conf %}
COPY dnf.conf /etc/dnf/dnf.conf
{% endblock %}
{% endblock %}
#### BEGIN REPO ENABLEMENT
{% set base_yum_repo_files = [
] %}
{% set base_yum_url_packages = [
] %}
{% set base_yum_repo_keys = [
] %}
{% if base_arch == 'x86_64' %}
{% set base_yum_repo_files = [
'elasticsearch.repo',
'grafana.repo',
'influxdb.repo',
'rabbitmq_rabbitmq-server.repo',
'rabbitmq_rabbitmq-erlang.repo',
'td.repo',
] %}
# FIXME(mgoddard): Not available for CentOS 8 yet.
# 'crmsh.repo',
{% set base_yum_repo_keys = [
'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
'https://packages.grafana.com/gpg.key',
'https://repos.influxdata.com/influxdb.key',
'https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc',
'https://packages.treasuredata.com/GPG-KEY-td-agent',
] %}
{% elif base_arch == 'aarch64' %}
{% set base_yum_repo_files = [
'elasticsearch.repo',
'grafana.repo',
'rabbitmq_rabbitmq-server.repo',
] %}
{% set base_yum_repo_keys = [
'https://packages.grafana.com/gpg.key',
'https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc',
] %}
# FIXME(mgoddard): Not available for CentOS 8 yet.
#
# 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
#
{% elif base_arch == 'ppc64le' %}
{% set base_yum_repo_files = [
'rabbitmq_rabbitmq-server.repo',
] %}
# FIXME(mgoddard): Not available for CentOS 8 yet.
#
# 'elasticsearch.repo',
#
{% set base_yum_repo_keys = [
] %}
# FIXME(mgoddard): Not available for CentOS 8 yet.
#
# 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
#
{% endif %}
{%- for repo_file in base_yum_repo_files | customizable('yum_repo_files') %}
COPY {{ repo_file }} /etc/yum.repos.d/{{ repo_file }}
{%- endfor %}
# NOTE(hrw): 'rabbitmq-server' is 'noarch' so we can install it on ppc64le from
# repo for other architecture.
# NOTE(mjturek): tripleo-ci overrides these repos so the file would not exist
# in that case. We test for the file's existence to avoid sed failing in that case.
{% if base_arch == 'ppc64le' %}
RUN if [[ -e /etc/yum.repos.d/rabbitmq_rabbitmq-server.repo ]]; then \
sed -i -e 's/\$basearch/x86_64/g' /etc/yum.repos.d/rabbitmq_rabbitmq-server.repo; \
fi
{% endif %}
{% block base_centos_repo_overrides_post_copy %}{% endblock %}
# Install what is needed for en_US.UTF-8
{% block base_centos_distro_sync_and_languages %}
{% set base_centos_language_packages = [
'langpacks-en',
'glibc-all-langpacks'
] %}
RUN {{ macros.install_packages(base_centos_language_packages | customizable("centos_language_packages"), chain=True, clean=False) }} \
&& {{ macros.rpm_security_update(clean_package_cache) }}
{% endblock %}
{{ macros.install_packages(base_yum_url_packages | customizable("yum_url_packages")) }}
{% for key in base_yum_repo_keys | customizable('yum_repo_keys') %}
{%- if loop.first %}RUN {% else %} && {% endif -%}
rpm --import {{ key }}
{%- if not loop.last %} \{% endif %}
{% endfor -%}
{% if install_metatype in ['rdo', 'mixed'] %}
{% for cmd in rpm_setup %}
{{ cmd }}
{% endfor %}
{% block base_centos_repo_overrides_post_rpm %}{% endblock %}
{% endif %}
{# endif for repo setup for all RHEL except RHEL OSP #}
{% if install_metatype == 'rhos' %}
{% block base_rhos_repo_enablement %}{% endblock %}
{% endif %}
{% if base_distro == 'centos' %}
{% block base_centos_gpg_key_import %}
RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
{% endblock %}
{% set base_centos_yum_repo_keys = [
'/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud',
'/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-OpsTools',
'/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage',
] %}
{% set base_centos_yum_repo_packages = [
'centos-release-ceph-nautilus',
'centos-release-openstack-ussuri',
'centos-release-opstools',
'epel-release',
] %}
# We need 'dnf-plugins-core' for 'dnf config-manager'
{% set base_centos_yum_repo_packages = base_centos_yum_repo_packages + [
'dnf-plugins-core'
] %}
{% set base_centos_yum_repos_to_enable = [
'powertools',
] %}
{% set base_centos_yum_repos_to_disable = [
'centos-ceph-nautilus',
'centos-opstools',
'centos-rabbitmq-38',
'epel',
'epel-modular',
] %}
{% if base_arch == 'x86_64' %}
{% set base_centos_yum_repos_to_disable = base_centos_yum_repos_to_disable + [
'influxdb',
] %}
{% elif base_arch == 'aarch64' %}
{% set base_centos_yum_repo_packages = base_centos_yum_repo_packages + [
'centos-release-rabbitmq-38'
] %}
{% endif %}
RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("centos_yum_repo_packages"), chain=True, clean=False) }} \
{%- for repo in base_centos_yum_repos_to_enable | customizable('centos_yum_repos_to_enable') %}
&& dnf config-manager --enable {{ repo }} \
{% endfor -%}
{%- for repo in base_centos_yum_repos_to_disable | customizable('centos_yum_repos_to_disable') %}
&& dnf config-manager --disable {{ repo }} \
{% endfor -%}
{% for key in base_centos_yum_repo_keys | customizable('centos_yum_repo_keys') -%}
&& rpm --import {{ key }} \
{% endfor -%}
{% block base_centos_repo_overrides_post_yum -%}{% endblock -%}
&& {{ macros.rpm_security_update(clean_package_cache) }}
{%- endif %}
{# Endif for base_distro centos #}
{% if base_distro == 'rhel' %}
{% block base_rhel_package_installation %}{% endblock %}
{% endif %}
{# Endif for base_distro RHEL #}
#### END REPO ENABLEMENT
{# We are back to the basic if conditional here which is:
if base_package_type == 'rpm' #}
{% block base_redhat_binary_versionlock %}{% endblock %}
{% set base_centos_packages = [
'ca-certificates',
'curl',
'findutils',
'iproute',
'iscsi-initiator-utils',
'lvm2',
'ncurses',
'procps-ng',
'python3',
'python3-pip',
'socat',
'sudo',
'tar',
'util-linux-user',
'which'
] %}
# Install base packages
{{ macros.install_packages( base_centos_packages | customizable("centos_packages") | customizable("centos_binary_packages") | customizable("centos_source_packages") ) }}
{# endif for base_package_type rpm #}
{% elif base_package_type == 'deb' %}
# Ensure lsb_release exists
{{ macros.install_packages(['lsb-release']) }}
RUN if [ $(lsb_release -r -s) != "{{ supported_distro_release }}" ]; then \
echo "Only release '{{ supported_distro_release }}' is supported on {{ base_distro }}"; false; fi
# Customize PS1 bash shell
# enlarge 'system users' range so 'haproxy' package will not complain
# see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939470
RUN cat /tmp/kolla_bashrc >> /etc/bash.bashrc \
&& sed -i -e s/LAST_SYSTEM_UID=999/LAST_SYSTEM_UID=59999/g /etc/adduser.conf
# This will prevent questions from being asked during the install
ENV DEBIAN_FRONTEND noninteractive
# Reducing disk footprint
COPY dpkg_reducing_disk_footprint /etc/dpkg/dpkg.cfg.d/dpkg_reducing_disk_footprint
{% block base_ubuntu_package_pre %}
# Need apt-transport-https and ca-certificates before replacing sources.list or
# apt-get update will not work if any repositories are accessed via HTTPS
{% set base_ubuntu_package_pre_packages = [
'apt-transport-https',
'ca-certificates',
'curl',
'dirmngr',
'gnupg'
] %}
{{ macros.install_packages(base_ubuntu_package_pre_packages | customizable("base_ubuntu_package_pre_packages")) }}
{% endblock %}
{% block base_ubuntu_package_sources_list %}
{% if base_distro == 'debian' or ( base_distro == 'ubuntu' and base_arch == 'x86_64' ) %}
COPY sources.list.{{ base_distro }} /etc/apt/sources.list
{% else %}
COPY sources.list.{{ base_distro }}.{{ base_arch }} /etc/apt/sources.list
{% endif %}
COPY sources.list /etc/apt/sources.list.d/kolla-custom.list
{% endblock %}
{% block base_debian_after_sources_list %}{% endblock %}
{% block base_ubuntu_package_apt_preferences %}
COPY apt_preferences.{{ base_distro }} /etc/apt/preferences
COPY apt_preferences /etc/apt/preferences.d/kolla-custom
{% endblock %}
{% set base_apt_packages = [
'apt-utils',
'curl',
'gawk',
'iproute2',
'kmod',
'lvm2',
'netbase',
'open-iscsi',
'procps',
'python3',
'python3-pip',
'python3-setuptools',
'socat',
'sudo',
'tgt']
%}
{% if base_distro == 'ubuntu' %}
{# 391A9AA2147192839E9DB0315EDB1B62EC4926EA -- Canonical Cloud Archive Signing Key <ftpmaster@canonical.com> #}
{# 46095ACC8548582C1A2699A9D27D666CD88E42B4 -- Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org> #}
{# 49B07274951063870A8B7EAE7B8AA1A344C05248 -- Opendaylight Signing Key <https://launchpad.net/~odl-team> #}
{# 58118E89F3A912897C070ADBF76221572C52609D -- Docker Release Tool (releasedocker) <docker@docker.com> #}
{# 4D8EB5FDA37AB55F41A135203BF88A0C6A770882 -- Apache Qpid PPA Signing Key <dev@qpid.apache.org> #}
{# 901F9177AB97ACBE -- Treasure Data, Inc (Treasure Agent Official Signing key) <support@treasure-data.com> #}
{# A20F259AEB9C94BB -- Sensuapp (Freight) <support@hw-ops.com> #}
{# F1656F24C74CD1D8 -- MariaDB Signing Key <signing-key@mariadb.org> #}
{# F77F1EDA57EBB1CC -- Launchpad RabbitMQ Erlang PPA key #}
{# F6609E60DC62814E -- PackageCloud RabbitMQ repository key #}
{% set base_apt_keys = [
'391A9AA2147192839E9DB0315EDB1B62EC4926EA',
'46095ACC8548582C1A2699A9D27D666CD88E42B4',
'49B07274951063870A8B7EAE7B8AA1A344C05248',
'58118E89F3A912897C070ADBF76221572C52609D',
'4D8EB5FDA37AB55F41A135203BF88A0C6A770882',
'901F9177AB97ACBE',
'A20F259AEB9C94BB',
'F1656F24C74CD1D8',
'F77F1EDA57EBB1CC',
'F6609E60DC62814E',
] %}
{% set remote_apt_keys = [
'https://packages.grafana.com/gpg.key',
'https://repos.influxdata.com/influxdb.key',
] %}
{% elif base_distro == 'debian' %}
{% set base_apt_keys = [
'46095ACC8548582C1A2699A9D27D666CD88E42B4',
'F77F1EDA57EBB1CC',
'F6609E60DC62814E',
] %}
{% set remote_apt_keys = [
'https://download.docker.com/linux/debian/gpg',
'https://packages.grafana.com/gpg.key',
'http://buster-ussuri.debian.net/debian/dists/pubkey.gpg',
'https://packages.treasuredata.com/GPG-KEY-td-agent',
'https://repos.influxdata.com/influxdb.key',
'https://obs.linaro.org/repos/home:/marcin.juszkiewicz/debian-buster/Release.key',
] %}
{% set base_apt_packages = base_apt_packages +
['sudo',]
%}
{% endif %}
{% block base_ubuntu_package_installation %}
{%- block base_ubuntu_package_key_installation %}
{% for key in base_apt_keys | customizable('apt_keys') %}
{%- if loop.first %}RUN {% else %} && {% endif %}apt-key adv --no-tty --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 {{ key }}
{%- if not loop.last %} \
{% endif -%}
{% endfor %}
{% for key in remote_apt_keys | customizable('remote_apt_keys') %}
{%- if loop.first %} RUN {% else %} && {% endif %}curl -L {{ key }} | apt-key add -
{%- if not loop.last %} \
{% endif -%}
{% endfor %}
{% endblock %}
RUN apt-get update \
&& apt-get -y install locales \
&& sed -e "s/# $LANG UTF-8/$LANG UTF-8/g" /etc/locale.gen -i \
&& locale-gen "$LANG" \
&& apt-get -y upgrade \
&& apt-get -y dist-upgrade \
&& {{ macros.install_packages(base_apt_packages | customizable('apt_packages'), True) }}
{% endblock %}
{# endif base_package_type deb #}
{% endif %}
{% if base_distro == 'centos' or base_distro == 'rhel' %}
RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth \
&& sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf
{% endif %}
COPY set_configs.py /usr/local/bin/kolla_set_configs
COPY start.sh /usr/local/bin/kolla_start
COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
COPY httpd_setup.sh /usr/local/bin/kolla_httpd_setup
COPY sudoers /etc/sudoers
{% if use_dumb_init %}
{% block dumb_init_installation %}
RUN curl -sSL https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_{{debian_arch}} -o /usr/local/bin/dumb-init \
&& chmod +x /usr/local/bin/dumb-init
{% endblock %}
ENTRYPOINT ["dumb-init", "--single-child", "--"]
{% endif %}
{% if docker_healthchecks %}
{% block healthcheck_installation %}
COPY healthcheck_curl healthcheck_filemod healthcheck_listen healthcheck_port healthcheck_socket /usr/local/bin/
RUN chmod 755 /usr/local/bin/healthcheck_*
{% endblock %}
{% endif %}
RUN touch /usr/local/bin/kolla_extend_start \
&& chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts /usr/local/bin/kolla_httpd_setup \
&& chmod 440 /etc/sudoers \
&& mkdir -p /var/log/kolla \
&& chown :kolla /var/log/kolla \
&& chmod 2775 /var/log/kolla \
&& rm -f /tmp/kolla_bashrc
{% block base_footer %}{% endblock %}
CMD ["kolla_start"]