74a7cbe122
The FIPS jobs use centos-8-stream controllers but the image is still based on ubuntu, this commit updates the amphora images to centos-8-stream and enable FIPS inside the amphora. Change-Id: I8916796ed6727a103907a33d3c14e99e1d3734e6
381 lines
13 KiB
ReStructuredText
381 lines
13 KiB
ReStructuredText
===============================
|
|
Building Octavia Amphora Images
|
|
===============================
|
|
|
|
Octavia is an operator-grade reference implementation for Load Balancing as a
|
|
Service (LBaaS) for OpenStack. The component of Octavia that does the load
|
|
balancing is known as amphora. Amphora may be a virtual machine, may be a
|
|
container, or may run on bare metal. Creating images for bare metal amphora
|
|
installs is outside the scope of this version but may be added in a
|
|
future release.
|
|
|
|
Prerequisites
|
|
=============
|
|
|
|
Python pip should be installed as well as the python modules found in the
|
|
requirements.txt file.
|
|
|
|
To do so, you can use the following command on Ubuntu:
|
|
|
|
.. code:: bash
|
|
|
|
$ # Install python pip
|
|
$ sudo apt install python-pip
|
|
$ # Eventually create a virtualenv
|
|
$ sudo apt install python-virtualenv
|
|
$ virtualenv octavia_disk_image_create
|
|
$ source octavia_disk_image_create/bin/activate
|
|
$ # Install octavia requirements
|
|
$ cd octavia/diskimage-create
|
|
$ pip install -r requirements.txt
|
|
|
|
|
|
Your cache directory should have at least 1GB available, the working directory
|
|
will need ~1.5GB, and your image destination will need ~500MB
|
|
|
|
The script will use the version of diskimage-builder installed on your system,
|
|
or it can be overridden by setting the following environment variables:
|
|
|
|
.. code-block:: bash
|
|
|
|
DIB_REPO_PATH = /<some directory>/diskimage-builder
|
|
DIB_ELEMENTS = /<some directory>/diskimage-builder/elements
|
|
|
|
|
|
The following packages are required on each platform:
|
|
|
|
Ubuntu
|
|
|
|
.. code:: bash
|
|
|
|
$ sudo apt install qemu-utils git kpartx debootstrap
|
|
|
|
Fedora, CentOS and Red Hat Enterprise Linux
|
|
|
|
.. code:: bash
|
|
|
|
$ sudo dnf install qemu-img git e2fsprogs policycoreutils-python-utils
|
|
|
|
Test Prerequisites
|
|
------------------
|
|
The tox image tests require libguestfs-tools 1.24 or newer.
|
|
Libguestfs allows testing the Amphora image without requiring root privileges.
|
|
On Ubuntu systems you also need to give read access to the kernels for the user
|
|
running the tests:
|
|
|
|
.. code:: bash
|
|
|
|
$ sudo chmod 0644 /boot/vmlinuz*
|
|
|
|
Usage
|
|
=====
|
|
This script and associated elements will build Amphora images. Current support
|
|
is with an Ubuntu base OS and HAProxy. The script can use Fedora
|
|
as a base OS but these will not initially be tested or supported.
|
|
As the project progresses and/or the diskimage-builder project adds support
|
|
for additional base OS options they may become available for Amphora images.
|
|
This does not mean that they are necessarily supported or tested.
|
|
|
|
.. note::
|
|
|
|
If your cloud has multiple hardware architectures available to nova,
|
|
remember to set the appropriate hw_architecture property on the
|
|
image when you load it into glance. For example, when loading an
|
|
amphora image built for "amd64" you would add
|
|
"--property hw_architecture='x86_64'" to your "openstack image create"
|
|
command line.
|
|
|
|
The script will use environment variables to customize the build beyond the
|
|
Octavia project defaults, such as adding elements.
|
|
|
|
The supported and tested image is created by using the diskimage-create.sh
|
|
defaults (no command line parameters or environment variables set). As the
|
|
project progresses we may add additional supported configurations.
|
|
|
|
Command syntax:
|
|
|
|
|
|
.. code-block::
|
|
|
|
$ diskimage-create.sh
|
|
[-a i386 | **amd64** | armhf | aarch64 | ppc64le ]
|
|
[-b **haproxy** ]
|
|
[-c **~/.cache/image-create** | <cache directory> ]
|
|
[-d **focal**/**8** | <other release id> ]
|
|
[-e]
|
|
[-f]
|
|
[-g **repository branch** | stable/train | stable/stein | ... ]
|
|
[-h]
|
|
[-i **ubuntu-minimal** | fedora | centos-minimal | rhel ]
|
|
[-k <kernel package name> ]
|
|
[-l <log file> ]
|
|
[-n]
|
|
[-o **amphora-x64-haproxy** | <filename> ]
|
|
[-p]
|
|
[-r <root password> ]
|
|
[-s **2** | <size in GB> ]
|
|
[-t **qcow2** | tar ]
|
|
[-v]
|
|
[-w <working directory> ]
|
|
[-x]
|
|
[-y]
|
|
|
|
'-a' is the architecture type for the image (default: amd64)
|
|
'-b' is the backend type (default: haproxy)
|
|
'-c' is the path to the cache directory (default: ~/.cache/image-create)
|
|
'-d' distribution release id (default on ubuntu: focal)
|
|
'-e' enable complete mandatory access control systems when available (default: permissive)
|
|
'-f' disable tmpfs for build
|
|
'-g' build the image for a specific OpenStack Git branch (default: current repository branch)
|
|
'-h' display help message
|
|
'-i' is the base OS (default: ubuntu-minimal)
|
|
'-k' is the kernel meta package name, currently only for ubuntu-minimal base OS (default: linux-image-virtual)
|
|
'-l' is output logfile (default: none)
|
|
'-n' disable sshd (default: enabled)
|
|
'-o' is the output image file name
|
|
'-p' install amphora-agent from distribution packages (default: disabled)"
|
|
'-r' enable the root account in the generated image (default: disabled)
|
|
'-s' is the image size to produce in gigabytes (default: 2)
|
|
'-t' is the image type (default: qcow2)
|
|
'-v' display the script version
|
|
'-w' working directory for image building (default: .)
|
|
'-x' enable tracing for diskimage-builder
|
|
'-y' enable FIPS 140-2 mode in the amphora image
|
|
|
|
|
|
Building Images for Alternate Branches
|
|
======================================
|
|
|
|
By default, the diskimage-create.sh script will build an amphora image using
|
|
the Octavia Git branch of the repository. If you need an image for a specific
|
|
branch, such as "stable/train", you need to specify the "-g" option with the
|
|
branch name. An example for "stable/train" would be:
|
|
|
|
.. code-block:: bash
|
|
|
|
diskimage-create.sh -g stable/train
|
|
|
|
Advanced Git Branch/Reference Based Images
|
|
------------------------------------------
|
|
|
|
If you need to build an image from a local repository or with a specific Git
|
|
reference or branch, you will need to set some environment variables for
|
|
diskimage-builder.
|
|
|
|
.. note::
|
|
|
|
These advanced settings will override the "-g" diskimage-create.sh setting.
|
|
|
|
Building From a Local Octavia Repository
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Set the DIB_REPOLOCATION_amphora_agent variable to the location of the Git
|
|
repository containing the amphora agent:
|
|
|
|
.. code-block:: bash
|
|
|
|
export DIB_REPOLOCATION_amphora_agent=/opt/stack/octavia
|
|
|
|
Building With a Specific Git Reference
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Set the DIB_REPOREF_amphora_agent variable to point to the Git branch or
|
|
reference of the amphora agent:
|
|
|
|
.. code-block:: bash
|
|
|
|
export DIB_REPOREF_amphora_agent=refs/changes/40/674140/7
|
|
|
|
See the `Environment Variables`_ section below for additional information and
|
|
examples.
|
|
|
|
Amphora Agent Upper Constraints
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
You may also need to specify which version of the OpenStack
|
|
upper-constraints.txt file will be used to build the image. For example, to
|
|
specify the "stable/train" upper constraints Git branch, set the following
|
|
environment variable:
|
|
|
|
.. code-block:: bash
|
|
|
|
export DIB_REPOLOCATION_upper_constraints=https://opendev.org/openstack/requirements/raw/branch/stable/train/upper-constraints.txt
|
|
|
|
See `Dependency Management for OpenStack Projects <https://docs.openstack.org/project-team-guide/dependency-management.html>`_ for more information.
|
|
|
|
Environment Variables
|
|
=====================
|
|
These are optional environment variables that can be set to override the script
|
|
defaults.
|
|
|
|
DIB_REPOLOCATION_amphora_agent
|
|
- Location of the amphora-agent code that will be installed in the image.
|
|
- Default: https://opendev.org/openstack/octavia
|
|
- Example: /tmp/octavia
|
|
|
|
DIB_REPOREF_amphora_agent
|
|
- The Git reference to checkout for the amphora-agent code inside the
|
|
image.
|
|
- Default: The current branch
|
|
- Example: stable/stein
|
|
- Example: refs/changes/40/674140/7
|
|
|
|
DIB_REPOLOCATION_octavia_lib
|
|
- Location of the octavia-lib code that will be installed in the image.
|
|
- Default: https://opendev.org/openstack/octavia-lib
|
|
- Example: /tmp/octavia-lib
|
|
|
|
DIB_REPOREF_octavia_lib
|
|
- The Git reference to checkout for the octavia-lib code inside the
|
|
image.
|
|
- Default: master or stable branch for released OpenStack series installs.
|
|
- Example: stable/ussuri
|
|
- Example: refs/changes/19/744519/2
|
|
|
|
DIB_REPOLOCATION_upper_constraints
|
|
- Location of the upper-constraints.txt file used for the image.
|
|
- Default: The upper-constraints.txt for the current branch
|
|
- Example: https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt
|
|
- Example: https://opendev.org/openstack/requirements/raw/branch/stable/train/upper-constraints.txt
|
|
|
|
CLOUD_INIT_DATASOURCES
|
|
- Comma separated list of cloud-int datasources
|
|
- Default: ConfigDrive
|
|
- Options: NoCloud, ConfigDrive, OVF, MAAS, Ec2, <others>
|
|
- Reference: https://launchpad.net/cloud-init
|
|
|
|
DIB_DISTRIBUTION_MIRROR
|
|
- URL to a mirror for the base OS selected
|
|
- Default: None
|
|
|
|
DIB_ELEMENTS
|
|
- Override the elements used to build the image
|
|
- Default: None
|
|
|
|
DIB_LOCAL_ELEMENTS
|
|
- Elements to add to the build (requires DIB_LOCAL_ELEMENTS_PATH be
|
|
specified)
|
|
- Default: None
|
|
|
|
DIB_LOCAL_ELEMENTS_PATH
|
|
- Path to the local elements directory
|
|
- Default: None
|
|
|
|
DIB_REPO_PATH
|
|
- Directory containing diskimage-builder
|
|
- Default: <directory above OCTAVIA_HOME>/diskimage-builder
|
|
- Reference: https://github.com/openstack/diskimage-builder
|
|
|
|
OCTAVIA_REPO_PATH
|
|
- Directory containing octavia
|
|
- Default: <directory above the script location>
|
|
- Reference: https://github.com/openstack/octavia
|
|
|
|
Using distribution packages for amphora agent
|
|
---------------------------------------------
|
|
By default, amphora agent is installed from Octavia Git repository.
|
|
To use distribution packages, use the "-p" option.
|
|
|
|
Note this needs a base system image with the required repositories enabled (for
|
|
example RDO repositories for CentOS/Fedora). One of these variables must be
|
|
set:
|
|
|
|
DIB_LOCAL_IMAGE
|
|
- Path to the locally downloaded image
|
|
- Default: None
|
|
|
|
DIB_CLOUD_IMAGES
|
|
- Directory base URL to download the image from
|
|
- Default: depends on the distribution
|
|
|
|
RHEL specific variables
|
|
------------------------
|
|
Building a RHEL-based image requires:
|
|
- a Red Hat Enterprise Linux KVM Guest Image, manually download from the
|
|
Red Hat Customer Portal. Set the DIB_LOCAL_IMAGE variable to point to
|
|
the file. More details at:
|
|
<DIB_REPO_PATH>/elements/rhel
|
|
|
|
- a Red Hat subscription for the matching Red Hat OpenStack Platform
|
|
repository if you want to install the amphora agent from the official
|
|
distribution package (requires setting -p option in diskimage-create.sh).
|
|
Set the needed registration parameters depending on your configuration.
|
|
More details at:
|
|
<DIB_REPO_PATH>/elements/rhel-common
|
|
|
|
Here is an example with Customer Portal registration and OSP 15 repository:
|
|
|
|
.. code:: bash
|
|
|
|
$ export DIB_LOCAL_IMAGE='/tmp/rhel-server-8.0-x86_64-kvm.qcow2'
|
|
|
|
$ export REG_METHOD='portal' REG_REPOS='rhel-8-server-openstack-15-rpms'
|
|
|
|
$ export REG_USER='<user>' REG_PASSWORD='<password>' REG_AUTO_ATTACH=true
|
|
|
|
This example uses registration via a Satellite (the activation key must enable
|
|
an OSP repository):
|
|
|
|
.. code:: bash
|
|
|
|
$ export DIB_LOCAL_IMAGE='/tmp/rhel-server-8.1-x86_64-kvm.qcow2'
|
|
|
|
$ export REG_METHOD='satellite' REG_ACTIVATION_KEY="<activation key>"
|
|
|
|
$ export REG_SAT_URL="<satellite url>" REG_ORG="<satellite org>"
|
|
|
|
Building in a virtualenv with tox
|
|
---------------------------------
|
|
To make use of a virtualenv for Python dependencies you may run ``tox``. Note
|
|
that you may still need to install binary dependencies on the host for the
|
|
build to succeed.
|
|
|
|
If you wish to customize your build modify ``tox.ini`` to pass on relevant
|
|
environment variables or command line arguments to the ``diskimage-create.sh``
|
|
script.
|
|
|
|
.. code:: bash
|
|
|
|
$ tox -e build
|
|
|
|
|
|
Container Support
|
|
=================
|
|
The Docker command line required to import a tar file created with this script
|
|
is:
|
|
|
|
.. code:: bash
|
|
|
|
$ docker import - image:amphora-x64-haproxy < amphora-x64-haproxy.tar
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
This documentation and script(s) leverage prior work by the OpenStack TripleO
|
|
and Sahara teams. Thank you to everyone that worked on them for providing a
|
|
great foundation for creating Octavia Amphora images.
|
|
|
|
* https://opendev.org/openstack/diskimage-builder
|
|
* https://opendev.org/openstack/tripleo-image-elements
|
|
* https://opendev.org/openstack/sahara-image-elements
|
|
|
|
Copyright
|
|
=========
|
|
|
|
Copyright 2014 Hewlett-Packard Development Company, L.P.
|
|
|
|
All Rights Reserved.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
not use this file except in compliance with the License. You may obtain
|
|
a copy of the License at
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
License for the specific language governing permissions and limitations
|
|
under the License.
|