99 Commits

Author SHA1 Message Date
Zuul
7152718493 Merge "Fix building Ubuntu 20.04 focal amphorae" 2020-09-24 18:11:58 +00:00
Michael Johnson
70079d861d Fix building Ubuntu 20.04 focal amphorae
Ubuntu 20.04 is a "Tested Runtime" for the Victoria release[1].
This patch updated our diskimage-create script and elements to
support building an amphora image that uses Ubuntu 20.04 (focal).

[1] https://governance.openstack.org/tc/reference/runtimes/victoria.html

Change-Id: I6f53ea5d012ab64b985d981ecd1b1967e18e4e81
2020-09-23 14:14:25 -07:00
Carlos Goncalves
16f9d2ebf8 Fix image build when installing agent from package
There is a bug in the octavia-lib DIB element where it runs install
actions that should only be run when the amphora-agent is installed from
source. This issue causes the amphora image build to fail when
installing the amphora-agent from distribution packages (option -p in
the diskimage-create.sh tool).

Task: 40870
Story: 2008138

Change-Id: I46ba7798322f24255ab7d49db4b4df886e92cbf3
2020-09-14 18:56:36 +02:00
Michael Johnson
a446c04f77 Revert pyroute2 workaround
The pyroute2 module had a regression in 0.5.13, but neutron needed a fix
that was included in 0.5.13. It was easier for us to work around it than
for neutron to revert the update to 0.5.13, so we hacked a workaround[1].

A new pyroute2 release, 0.5.14, has been published, so this patch reverts
the hack and bumps our minimum version of pyroute2 to 0.5.14.

[1] https://review.opendev.org/#/c/744045

Change-Id: Ia4357a4f5db07e1a6b0beb11b58ce125215eeef1
2020-09-10 16:57:02 -07:00
Zuul
87e55d6350 Merge "Add support for nftables" 2020-09-10 18:29:38 +00:00
Michael Johnson
1a3b56a0d5 Add support for nftables
This patch adds support for nftables (an iptables replacement) to
the devstack plugin and the amphora agent.

Change-Id: I9e2c4d6e68da67d68c6dfeb3b47edd600d1ba397
2020-09-03 13:15:27 -07:00
Carlos Goncalves
dcda721320 Add DIB element octavia-lib
This new diskimage-builder element installs octavia-lib from Git for
source install type image builds rather than from released versions.

To mention some advantages:

1. allow custom octavia-lib versions (useful for development)
2. test unreleased octavia-lib changes in CI
3. install latest changes from master and stable branches
   (aligns with approach taken with amphora-agent)

Branch checkout to stable/* from master for octavia-lib DIB element will
be automated on branch create. See https://review.opendev.org/#/c/745877

Change-Id: I6d87b6bd25c536b2bed1994427cd933bdcc091d6
2020-08-24 11:24:19 +02:00
Michael Johnson
7d6322ae08 Switch back to using git for the agent ref
A diskimage-builder patch [1] broke our amphora-agent element by
uninstalling git prior to the post-install.d phase.
A followup patch in Octavia [2] changed how we get the git
reference to awking a git internal log file. This seems fragile
to me, so I am proposing this alternative.
This patch updates our element to finish using git before the
install.d phase is complete.

[1] https://review.opendev.org/745678
[2] https://review.opendev.org/745683

Change-Id: I9a346b626f852171ec00d2868ccb6f98b1fb8994
2020-08-18 11:27:51 -07:00
Carlos Goncalves
fa1c5ef6dd Set amphora-agent build-only packages
A recent change in DIB [1] broke our CentOS 8 amphora image builds only
because we've not been handling package dependencies properly.

The DIB change now installs package "python3" which provides
/usr/bin/python3 and is a requirement of scripts in later build phases.
It so happens that we are removing package "python3-pip", a dependency
of "python36" too early so builds fail when bin python3 is required.

DIB package-installs element provides property "build-only". When set,
it will cause packages to be added both to the list of packages
installed and list of packages to be uninstalled. This allows expressing
build-time dependencies that should not end up in the final image as is
the case of packages like "build-essential" and "libffi-dev" in our
amphora-agent element.

As for the removal of Git, we do not explicitly install it so we should
not uninstall it either. Git is a fake dependency of source-repositories
element and will be absent in the final image with [2].

[1] https://review.opendev.org/#/c/741868/
[2] https://review.opendev.org/#/c/745678/

Depends-On: https://review.opendev.org/#/c/745678/

Change-Id: I3b82180c8fcf2e2f053c6bcce405f1ea730f62ba
2020-08-11 17:21:27 +02:00
Carlos Goncalves
b29487952e Install ppc64-diag in ppc64le amphora images
This package provides rtas_errd which is necessary to process hotplug
events like VIP and member port attachments.

https://bugzilla.redhat.com/show_bug.cgi?id=1862726

Change-Id: I8b20602c5b075a6e47d3f7dc42a1bffb1b7a14ea
2020-08-03 11:15:22 +02:00
Michael Johnson
51b93c0022 Workaround broken pyroute2 0.5.13
The pyroute2 package version 0.5.13 introduced a bug[1] that breaks
amphora. Unfortunately neutron needs a different fix that is in 0.5.13,
so we are going to work around the problem until we can get pyroute2 fixed.

This patch uninstalls pyroute2 and installs version 0.5.12.

[1] https://github.com/svinota/pyroute2/issues/724

Change-Id: I365d719810de792213da47ebafa46e7e0fd2e9fa
2020-07-30 13:01:55 -07:00
Mikhail Ushanov
3ef4a75a17 fix(elements): fix nf_conntrack sysctl param names
Remove net.ipv4.tcp_tw_recycle because it has been
removed from kernel since 4.12.
Change for tcp_timeout_time_wait/tcp_timeout_fin_wait
to net.netfilter.nf_*.

Change-Id: I0e3cde5aad9e9b6007f975eafb0205e2912b19d3
Signed-off-by: Mikhail Ushanov <gm.mephisto@gmail.com>
2020-06-21 12:00:51 +00:00
Michael Johnson
81ed1334d2 Exclude acpid on Red Hat family DIB builds
Red Hat/centos do not ship acpid for ppc64le, but others do.
This patch sets up a package map for DIB to exclude the acpid
package on Red Hat family image builds, while allowing it for the
other distros.

Change-Id: Iaef520e5f2a66833228e824ec4fb41f5915169af
2020-03-23 09:27:10 -07:00
Michael Johnson
c8b044af4a Stop "dnf makecache" in the amphora images
On base operating systems that use DNF there can be a systemd timer
that attempts to call out and update the dnf cache every hour.
This patch adds a diskimage-builder element that disables this
timer as most amphora will not be successful in updating this cache
because they do not have network access or DNS services available.

Change-Id: I5dec631d3e66e1dfb6b8741caea89938ee18a7d8
Story: 2007408
Task: 39019
2020-03-16 16:53:27 +00:00
Zuul
3b3d502fb2 Merge "Stop supporting CentOS 7 controllers and images" 2020-02-02 08:56:40 +00:00
Gregory Thiemonge
c2ef7792fd Use LUKS1 for certfs-ramfs for all distributions
This commit forces the use of LUKS1 in cryptsetup.

Centos uses LUKS2 by default in cryptsetup, ubuntu uses LUKS1.
Formatting a LUKS2 block device is way longer than formatting a LUKS1
device (15 sec vs 8 sec in my env) and LUKS2 doesn't provide any
significant features for octavia (it only improves recovery and
metadata).

The commit also limits the creation of more than 1 block ram device
(amphora doesn't need 16 ram devices), which reduces startup time.

Change-Id: I5cdc0a9ccc01548f195eed80f2ee2848a1a93e17
2020-01-17 10:38:45 +01:00
Carlos Goncalves
dc2dd711e6 Stop supporting CentOS 7 controllers and images
The diskimage-create.sh tool will now default to CentOS 8 when building
CentOS-based amphora images.

This patch also removes leftover references to support for Ubuntu Trusty
and Xenial.

Change-Id: I3aba59c8dd86aeeee28cc6a67af93697912fb55b
2020-01-08 17:59:09 +01:00
Carlos Goncalves
3740b67854 Add support for CentOS 8 amphora images
Change-Id: Ic3b1dab418cfd95fe261ca19528ec969ee57610e
2019-12-06 09:24:33 +00:00
Michael Johnson
7ad61bb451 Remove unnecessary interface configurations
The image building process adds some unnecessary network interface
configuration files to /etc/network/interfaces.d. This element cleans those
out as they are not needed because cloud-init will create the required
configuration file.

Change-Id: If5fbfc34ff0e91608f402811aa2b78c9cbcb00ec
2019-11-20 16:02:42 -08:00
Michael Johnson
1900ee71a5 Fix a potential race condition with certs-ramfs
There is a potential race condition in the start order for the
amphora-agent service and the certs-ramfs service.
This patch configures an explicit ordering for the services.

Change-Id: I8e449b19af72d72f6effd52e0a2debb5754a19b3
Story: 2006823
Task: 37396
2019-11-11 13:45:35 -08:00
Zuul
0ee7a3cf22 Merge "Change amphora logging to dedicated socket" 2019-08-22 19:44:54 +00:00
Carlos Goncalves
a04e3e3741 Remove amphora-agent build deps
The amphora-agent element installs a few build packages when installing
the agent from source. This patch removes those large in size packages
after they are no longer needed. This will reduce the
image size significantly.

Co-Authored-By: Michael Johnson <johnsomor@gmail.com>

Change-Id: I5d12b7a987f65013daa5298f5062c1f30db23f41
2019-08-08 12:41:58 +00:00
Michael Johnson
afa917a3de Change amphora logging to dedicated socket
In some environments running older versions of gunicorn in the
amphora image, gunicorn can fail to start due to /dev/log socket
issues (timing, configuration, etc.).

This patch sets up a dedicated rsyslog socket /run/rsyslog/octavia/log
for gunicorn and haproxy to use. This should resolve any issues with
systemd overriding the /dev/log socket.

This also bumps the gunicorn minimum version to 19.9.0.

Change-Id: I1e1ad8fde2ad8c1ffba95b1867afb130503b0a5b
2019-08-07 09:02:22 -07:00
Gregory Thiemonge
50c168e860 Fix wrong package names or versions for centos-minimal images
Since centos-minimal is used as base for centos image, dib installs
haproxy 1.5.x instead of haproxy 1.8.x, and dhcp client is missing
(dhclient package).

Depends-On: https://review.opendev.org/#/c/673172/

Story: 2006323
Task: 36056

Change-Id: I3be0fa18578c7c1552f24842a09e18c01e34358a
2019-08-06 15:39:59 +00:00
Michael Johnson
2bb2f918ee Fix cryptsetup --pbkdf-memory failures
A recent patch[1] added --pbkdf-memory to the cryptsetup command line
to limit the memory cryptsetup is using. However, some distros use
an older version of cryptsetup that does not need this setting.
This patch adds logic to detect this and run the commands without
--pbkdf-memory.

[1] https://review.opendev.org/663784

Change-Id: I9e0debcbfe6ceeff0012c827d70d80d938b5a2fb
Story: 2006066
Task: 34782
2019-07-17 21:32:45 +00:00
Zuul
5f38432c2f Merge "Fix dhclient enter hook path on RHEL-based amps" 2019-07-16 05:31:40 +00:00
Frode Nordahl
5114a9a4f9 elements: add arch property for `open-vm-tools`
The ``open-vm-tools`` package only exists for x86-platforms.

Task: 35814
Story: 2006219

Change-Id: I9f1b6e58004d7c2024f8d60d50ac998240abb6ee
2019-07-15 08:06:26 +02:00
Carlos Goncalves
6c0756864f Fix dhclient enter hook path on RHEL-based amps
dhclient-script(8) defines the enter hook path is
/etc/dhcp/dhclient-enter-hooks:

"On  after defining the make_resolv_conf function, the client script
checks for the presence of an executable /etc/dhcp/dhclient-enter-hooks
script, and if present, it invokes the script inline, using the Bourne
shell command."

This was confirmed to be valid on RHEL and CentOS 7-8, and Fedora 28-30.

Change-Id: I473f1e5c6862ebf0d691a8191d17649ccf51e7f4
Task: 35725
Story: 2006190
2019-07-09 12:34:16 +02:00
Zuul
620c19804c Merge "Add RHEL 8 amphora support" 2019-06-09 13:56:08 +00:00
Carlos Goncalves
8821737359 Add RHEL 8 amphora support
Network scripts are deprecated in RHEL 8. This patch makes sure the
package is installed and the service enabled. Sometime in the future
(Train release or newer), support for Network Manager will be added as
it became the default network configuration tool in RHEL/CentOS 8 and
Fedora 28+.

This patch also reflects a change to diskimage-builder that will now
have a version-less 'rhel' element as opposed to a separate 'rhel7'
and 'rhel8' elements.

Change-Id: Id11459ea70479aa0145059f88af847dddcd93553
2019-06-07 18:34:29 +02:00
Michael Johnson
4007d56b3e Limit cryptsetup key RAM usage
This patch limits cryptsetup to 256MB of RAM during the amphora
startup. Recent distros have changed to LUKS2 with Argon2
key derivation which defaults to using up to 1GB of RAM.
Typically our amphora are built with only 1GB of RAM for the whole
system.

Change-Id: I018e36f69a9c0b48a6651a01cc9a64abfc04d4de
Story: 2005837
Task: 33606
2019-06-06 15:10:36 -07:00
caoyuan
1910f024a3 Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I291eb706df84489398b4f4b2736d7c5ab2e84747
2019-05-13 19:59:59 +00:00
Adam Harwell
28f4f9e44a Fix missing INCLUDEPKGS var in haproxy element
Change-Id: I5ccae72695642379c5e817f7335348c344480747
2019-05-03 15:28:43 -06:00
Trevor Vardeman
b1f3d949c6 Removing an erroneous comment
Left a code-comment in a change by accident, updating to remove it.

Change-Id: I97fd1de040a8bf7706b78fe1825e48761c2073ee
2019-04-23 15:31:47 -05:00
Trevor Vardeman
4c9097c681 Adding changes to support ppc64le amphora builds with CentOS
Updated diskimage create script to include an argument for disabling the temporary filesystem.
Updated diskimage create to support ppc64le as an argument.
Updated backports to support a properly configured PaaS repository for CentOS on power.

Change-Id: I8897278b1ac8b76d564f45bd0c7cbc26b29a8e5d
2019-04-18 11:11:09 -05:00
Zuul
75c1d7c1ab Merge "Make disk image buildable for fedora" 2018-12-08 14:52:21 +00:00
Nir Magnezi
fbb9397979 Fix IPv6 in Active/Standby topology
Load balancers with IPv6 VIP addresses would fail to create due to
a duplicate address detection issue. The keepalived process would also
crash with a segfault due to a known bug[1].

This patch resolves both issues and allows load balancers with IPv6
VIP addresses to be created in active/standby topology.

[1] https://github.com/acassen/keepalived/issues/457

Story: 2003451
Task: 24657
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>

Change-Id: I15a4be05740e2657f998902d468e57763c3ed52e
2018-12-06 20:10:38 +00:00
Jacky Hu
a587614756 Make disk image buildable for fedora
1. Enforce amphora image size >= 3G
2. Exclude debs required by ubuntu minimal for redhat

Change-Id: I343eaf19d4bd595d5b10dc330e53d41ceccc560a
2018-10-01 12:24:35 +08:00
Michael Johnson
cc97397d1c Followup patch for UDP support
1. Removes the misc_dynamic setting from the UDP-CONNECT health monitor
   as our script does not use it.
2. Adds a release note for the UDP features.
3. Updates the API reference for UDP support.
4. Adds a comment to the keepalived config with the LB ID.
5. Updates the status message type to be the correct UDP protocol.
6. Fix error during deleting a listener if there are multiple amphorae.
7. Refactors systemd service script handling.

Story: 2003306
Task: 24258
Change-Id: I09240023d066ac5a71836d01045cda6ce5678712
2018-08-07 20:55:11 -07:00
Michael Johnson
294e0fc128 Fixes unlimited listener connection limit
When using the Octavia/amphora driver, unspecified or unlimited (-1)
settings would lead to a 2000 connection limit in HAproxy.
This patch updates that to be 1,000,000 connections.
1,000,000 was selected to keep amphora memory usage at a reasonable level.

Change-Id: Iddeb62412bb71b69cf1e9198be6131c59a3051b0
Story: 1635416
Task: 5159
2018-07-19 09:47:31 +02:00
German Eichberger
464d8f9371 Introduce ipvsadm to the amphora image
This patch adds the "ipvsadm" tool to the amphora image.

Change-Id: I7ccf823cae3dbd57dc3f40aec66629e27e5db98b
2018-07-06 00:02:54 +00:00
chengebj5238
52eaaa7583 Amend the spelling error of a word
Change-Id: I7a2da9597d601740921c8e6fc16f9c37b1a60eef
2018-06-06 18:03:02 +08:00
Adam Harwell
b0a845554b Update HAProxy version for Centos
Also tweak the systemd service config for haproxy 1.8 since it no longer
ships with a systemd wrapper.

Change-Id: If4f230dcba8c360c919f6c2d93705bf67089b2cf
2018-05-07 18:57:34 +00:00
Adam Harwell
aa1b32df54 Fix keepalived vrrp check script to be in PATH
ACTIVE_STANDBY is currently broken because keepalived can't access the
main check script.

Change-Id: I66a5df575583b0545fb00bc1170ad8064d2963aa
2018-04-25 16:49:05 -07:00
Carlos Goncalves
c5c7770e30 Add sos element to Red Hat family images
sosreport is a tool that collects information about a system.

The sos plugin for Octavia can gather information of installed packages,
log and configuration files for Octavia controller components and
amphora agent. The result is a generated report that can be used for
troubleshooting. The plugin redacts confidential data such as passwords,
certificates and secrets.

At present sos only installs in Red Hat family images as the plugin does
not support other distributions.

Change-Id: I5131a4cfdedd8b78fb673b4264ef1d7a1d613972
2018-04-19 15:51:50 +02:00
Michael Johnson
f935a51fe4 Switch to ubuntu-minimal for default amphora image
Previously we were using the "ubuntu" diskimage-builder base element as the
default base OS to build the amphora image.
The "ubuntu" element is based on the ubuntu cloud image. This image includes
packages we do not need for the amphora image. At this point it's not clear
that Ubuntu will ship an 18.04 LTS cloud image in the format the "ubuntu"
element requires.
This patch switches the default Ubuntu amphora image to build with the
"ubuntu-minimal" diskimage-builder element.

This patch also moves the amphora agent into a virtual environment inside
the amphora.

It also sets up support for Ubuntu 18.04 (bionic beaver) and HAProxy 1.8.

Change-Id: I84a85ca1363bce2e0f13da64540ec7ba3575e818
2018-04-16 18:07:31 -07:00
Bernard Cafarelli
579eaafe7f Do not install pip in amphora when using distribution packages
pip-and-virtualenv element is not needed in that case, and can cause
image build failures in environments without direct Internet access

Change-Id: I37616d76dd78ffb1419a898509e9466e7c54f69f
2018-02-02 13:12:26 +01:00
Bernard Cafarelli
d43d3fce86 Rework amphora agent installation element
Merge source and RHEL elements, allowing both source and package based
installations.

Allow amphora agent install from distribution packages (not limited to
RHEL)

Add a new option to diskimage-create.sh script to do so (default is kept
to source installation from Octavia git tree)

For now, amphorae built with distribution packages will have SELinux
(when available) running in permissive mode.

Made the rebind-sshd element generic to streamline the script
Use POSIX syntax for logrotate kill command

Change-Id: I391b2a95d54c7b9fd8f31d3e2c136ff9cc3451f1
2018-01-22 18:04:41 -08:00
Michael Johnson
2897b340f7 Fix health monitor type "PING" to use icmp ping
Currently with Octavia, if the user specifies a health monitor of type
"PING" we are still using a TCP connect to check for health.
This patch fixes that to actually ping the member to validate health.

Change-Id: I8a67efb7113ffa49b2805b37c3855373b17e5789
Story: 2001280
Task: 5826
2017-11-29 15:23:28 -08:00
Adam Harwell
8975d7acbd Merge keepalived elements
Change-Id: I2676b26ee59ad18583df937b258549bae241e100
2017-11-10 23:59:12 +00:00