The amphora-agent element installs a few build packages when installing
the agent from source. This patch removes those large in size packages
after they are no longer needed. This will reduce the
image size significantly.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I5d12b7a987f65013daa5298f5062c1f30db23f41
In some environments running older versions of gunicorn in the
amphora image, gunicorn can fail to start due to /dev/log socket
issues (timing, configuration, etc.).
This patch sets up a dedicated rsyslog socket /run/rsyslog/octavia/log
for gunicorn and haproxy to use. This should resolve any issues with
systemd overriding the /dev/log socket.
This also bumps the gunicorn minimum version to 19.9.0.
Change-Id: I1e1ad8fde2ad8c1ffba95b1867afb130503b0a5b
Since centos-minimal is used as base for centos image, dib installs
haproxy 1.5.x instead of haproxy 1.8.x, and dhcp client is missing
(dhclient package).
Depends-On: https://review.opendev.org/#/c/673172/
Story: 2006323
Task: 36056
Change-Id: I3be0fa18578c7c1552f24842a09e18c01e34358a
A recent patch[1] added --pbkdf-memory to the cryptsetup command line
to limit the memory cryptsetup is using. However, some distros use
an older version of cryptsetup that does not need this setting.
This patch adds logic to detect this and run the commands without
--pbkdf-memory.
[1] https://review.opendev.org/663784
Change-Id: I9e0debcbfe6ceeff0012c827d70d80d938b5a2fb
Story: 2006066
Task: 34782
dhclient-script(8) defines the enter hook path as
/etc/dhcp/dhclient-enter-hooks:
"On after defining the make_resolv_conf function, the client script
checks for the presence of an executable /etc/dhcp/dhclient-enter-hooks
script, and if present, it invokes the script inline, using the Bourne
shell command."
This was confirmed to be valid on RHEL and CentOS 7-8, and Fedora 28-30.
Change-Id: I473f1e5c6862ebf0d691a8191d17649ccf51e7f4
Task: 35725
Story: 2006190
Network scripts are deprecated in RHEL 8. This patch makes sure the
package is installed and the service enabled. Sometime in the future
(Train release or newer), support for Network Manager will be added as
it became the default network configuration tool in RHEL/CentOS 8 and
Fedora 28+.
This patch also reflects a change to diskimage-builder that will now
have a version-less 'rhel' element as opposed to a separate 'rhel7'
and 'rhel8' elements.
Change-Id: Id11459ea70479aa0145059f88af847dddcd93553
This patch limits cryptsetup to 256MB of RAM during the amphora
startup. Recent distros have changed to LUKS2 with Argon2
key derivation which defaults to using up to 1GB of RAM.
Typically our amphora are built with only 1GB of RAM for the whole
system.
Change-Id: I018e36f69a9c0b48a6651a01cc9a64abfc04d4de
Story: 2005837
Task: 33606
Updated diskimage create script to include an argument for disabling the temporary filesystem.
Updated diskimage create to support ppc64le as an argument.
Updated backports to support a properly configured PaaS repository for CentOS on power.
Change-Id: I8897278b1ac8b76d564f45bd0c7cbc26b29a8e5d
Load balancers with IPv6 VIP addresses would fail to create due to
a duplicate address detection issue. The keepalived process would also
crash with a segfault due to a known bug[1].
This patch resolves both issues and allows load balancers with IPv6
VIP addresses to be created in active/standby topology.
[1] https://github.com/acassen/keepalived/issues/457
Story: 2003451
Task: 24657
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I15a4be05740e2657f998902d468e57763c3ed52e
1. Removes the misc_dynamic setting from the UDP-CONNECT health monitor
as our script does not use it.
2. Adds a release note for the UDP features.
3. Updates the API reference for UDP support.
4. Adds a comment to the keepalived config with the LB ID.
5. Updates the status message type to be the correct UDP protocol.
6. Fix error during deleting a listener if there are multiple amphorae.
7. Refactors systemd service script handling.
Story: 2003306
Task: 24258
Change-Id: I09240023d066ac5a71836d01045cda6ce5678712
When using the Octavia/amphora driver, unspecified or unlimited (-1)
settings would lead to a 2000 connection limit in HAproxy.
This patch updates that to be 1,000,000 connections.
1,000,000 was selected to keep amphora memory usage at a reasonable level.
Change-Id: Iddeb62412bb71b69cf1e9198be6131c59a3051b0
Story: 1635416
Task: 5159
Also tweak the systemd service config for haproxy 1.8 since it no longer
ships with a systemd wrapper.
Change-Id: If4f230dcba8c360c919f6c2d93705bf67089b2cf
sosreport is a tool that collects information about a system.
The sos plugin for Octavia can gather information of installed packages,
log and configuration files for Octavia controller components and
amphora agent. The result is a generated report that can be used for
troubleshooting. The plugin redacts confidential data such as passwords,
certificates and secrets.
At present sos only installs in Red Hat family images as the plugin does
not support other distributions.
Change-Id: I5131a4cfdedd8b78fb673b4264ef1d7a1d613972
Previously we were using the "ubuntu" diskimage-builder base element as the
default base OS to build the amphora image.
The "ubuntu" element is based on the ubuntu cloud image. This image includes
packages we do not need for the amphora image. At this point it's not clear
that Ubuntu will ship an 18.04 LTS cloud image in the format the "ubuntu"
element requires.
This patch switches the default Ubuntu amphora image to build with the
"ubuntu-minimal" diskimage-builder element.
This patch also moves the amphora agent into a virtual environment inside
the amphora.
It also sets up support for Ubuntu 18.04 (bionic beaver) and HAProxy 1.8.
Change-Id: I84a85ca1363bce2e0f13da64540ec7ba3575e818
pip-and-virtualenv element is not needed in that case, and can cause
image build failures in environments without direct Internet access
Change-Id: I37616d76dd78ffb1419a898509e9466e7c54f69f
Merge source and RHEL elements, allowing both source and package based
installations.
Allow amphora agent install from distribution packages (not limited to
RHEL)
Add a new option to diskimage-create.sh script to do so (default is kept
to source installation from Octavia git tree)
For now, amphorae built with distribution packages will have SELinux
(when available) running in permissive mode.
Made the rebind-sshd element generic to streamline the script
Use POSIX syntax for logrotate kill command
Change-Id: I391b2a95d54c7b9fd8f31d3e2c136ff9cc3451f1
Currently with Octavia, if the user specifies a health monitor of type
"PING" we are still using a TCP connect to check for health.
This patch fixes that to actually ping the member to validate health.
Change-Id: I8a67efb7113ffa49b2805b37c3855373b17e5789
Story: 2001280
Task: 5826
Currently there are two haproxy-octavia elements, haproxy-octavia and
haproxy-octavia-ubuntu in the Octavia project. They have minimal changes
between them, so this patch merges them into one element with a
backward compatible element left for haproxy-octavia-ubuntu.
Change-Id: I990802726d24e319988bfb614b3bf3fb560512b4
awk variable needs doubled '$' and '\' characters to be properly escaped
(and working properly)
Change-Id: I7703ad64e03c7afe52e49194e3bbed9f228b5760
Closes-Bug: #1689412
diskimage-builder supports a generic DIB_DISTRIBUTION_MIRROR that can
replace all existing mirror elements
Change-Id: Ia91dabf10e591f953440459edad35ebfc20c5890
Closes-Bug: #1703624
This ensures we use the appropriate amphora package (and also allows
amphora image creation with local repositories)
Repositories were already needed for openstack-selinux package, so this
does not change the build procedure
Change-Id: I837f73ec896405b9a648febfaf2cf0704458825b
As a followup to Id99948aec64656a0532afc68e146f0610bff1378, adding auto
detection to haproxy_amphora.user_group
haproxy is capable[1] of handling a list of configuration files.
This patch leverages that capability by simply providing haproxy with an
additional configuration file, which is baked in the amphora image via a
diskimage-builder element.
The above-mentioned element will specify the following values for user group:
Ubuntu: 'nogroup'
RHEL/CentOS/Fedora: 'haproxy'
The amphora-agent will parse and remove any user_group configuration provided
by Octavia controller worker.
This is in order to maintain amphora-agent backward compatibility to old
Octavia workers, who still provide user_group to the amphora-agent.
Octavia Workers that include this patch will no longer provide user_group
configuration to the amphora-agent.
[1] https://cbonte.github.io/haproxy-dconv/1.7/management.html#3
Related-Bug #1548070
Change-Id: Ia8fede9d7da4709a48661d1fc595a16d04fcbfa9
ecryptfs was dropped from RHEL/CentOS, use LUKS on a RAM-backed block
device (brd) instead.
Made the element name more generic
Added systemctl enable call in postinstall (for systemd init), so that
the service is correctly started and listed as wanted by amphora-agent
Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105
Closes-Bug: #1642982
Closes-Bug: #1662952
This patch removes outdated kernel tuning parameters that were set
inside the amphora. With current kernel versions the performance
issues no longer outweigh the benefits.
Change-Id: I6435257ec1f0ee0cc8c38df0d1ff0247707174e4
Closes-Bug: #1661105
Not all Linux flavors accept the same type of configuration to manage
NICs. The amphora-agent must be able to distinguish between different
Linux flavors and choose the appropriate type of jinja2 NIC
configuration template for each one, respectively.
Up until now, the amphora-agent had no notion of the operating system
it is running on, therefore it used NIC configuration templates that
only match Debian based Linux flavors (mostly Ubuntu). Making it
unusable for flavors such as RHEL, Fedora and CentOS.
This fix enhances how the amphora-agent is handling NIC hot plugs.
It will use the appropriate jinja2 template by checking the Amphora
distribution name when needed.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Closes-Bug #1548070
Change-Id: Id99948aec64656a0532afc68e146f0610bff1378
With the recent changes, gcc is not pulled in anymore on CentOS, and
compilation of the python modules fails in the amphora-agent element
To be on the safe side, this adds the build-essential dependency
to make sure these modules can be built
Change-Id: I842b07cbc3e48209fd500bff5cc798be655f0ae9
This patch sets up a separate log file for the amphora-agent
and logrotate to manage this new log.
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia7b057642d7a567d685d989d1c689d5f3481e73e
The previous patch that switched the agent install to use pip install
did not include the -U switch or the upper constraints flag.
This patch adds those to the amphora-agent element.
Change-Id: If907909704fcff4c7be10690eb4f50d0ba54b1c1
There were only two elements we were using from this repo -
os-svc-install which we weren't actually calling anywhere, we only
depended on it needlessly and sysctl. The sysctl element has been moved
in to dib as dib-sysctl so we can now stop depending on
tripleo-image-elements entirely.
Depends-On: If312d199388036d6f4103e94dca99249cb3bcbaf
Depends-On: Ia730850a48e2478fd5461710a9d2619408725cd8
Change-Id: Ie78c4f3ebe506214f0ce7c456fcbbee09d35ba2a
pip install is greatly preferred over python setup.py install, so let's
use that to install our amphora-agent.
Change-Id: I5e4d169a1e6eb0e175f51943c08b025b09ffdc05
We only need ecryptfs-utils, as package managers will take care of the
sub-dependencies. Tested on an Ubuntu amphora, installed packages list
was identical.
This also fixes image creation on Fedora, as ecryptfs-utils package name
is identical there
Change-Id: Idab8c66e6bca137e79bef050fbaecd2f6c4add7a
Closes-Bug: #1640832
This patch enables auto-detection of the init system used in the
amphora image and adds support for systemd amphora.
This patch allows Ubuntu xenial amphora images to work.
It also merges two functional test files into one file to reduce
code duplication.
This is a scenario gate fix.
Change-Id: I5fec1680bd47719ae9f2fcb6abaaba8a78e2ae8b
Closes-Bug: #1640866
This patch adds an element that causes the terminated HTTPS
certificates and keys to be stored in an encrypted ramfs path
so they are encrypted at rest.
Change-Id: Id0f80f311d37d5691087e855fb1291011451c851
Closes-Bug: #1627370