Neutron agent processes launched in containers are failing with
"Error: relabel failed "/var/lib/neutron": \
SELinux relabeling of /var/lib/neutron is not allowed"
Possibly related prior patch:
https://review.opendev.org/#/c/626546/
Change-Id: Ifc7d0cb79214da44d9cd12481f010e2d7d325aa6
Related-Bug: #1881146
(cherry picked from commit 3fa8c735ae75653284906e5a192391cd03a8431d)
With I2feb9e81bc40e44cb2c7a2972366fa4b16590227, we don't need the
wrappers managed by Puppet anymore, everything is deployed by Ansible.
Blueprint: safe-side-containers
Depends-On: I2feb9e81bc40e44cb2c7a2972366fa4b16590227
Change-Id: I890fff9c7ead7e72fd4fe3a58b4ffce2e315b916
Depending on the podman version, "json-file" is set to noop and makes
podman crash (true for at least podman 1.4.1), while older versions
re-add this json-file as an alias to k8s-file (true since 1.4.3).
Ensuring we're using k8s-file will prevent issues depending on the
podman version.
Relates to https://bugzilla.redhat.com/show_bug.cgi?id=1754416
Closes-Bug: #1844856
Change-Id: I70eba8af06741ed81173689a03c4867421917cd6
In order to get a more complete container logging, we now enable
the file logging for the podman containers.
This will output container stdout/stderr in a file located in the
new /var/log/containers/stdouts location.
This follows the other efforts already made with paunch[1] and
docker-puppet.py (now named container-puppet.py)[2]
Notes:
- podman supports only "json-file", allowing us to write the files to the
location we want via the "path" log option
- docker doesn't have the "path" log option and writes its log to
/var/lib/docker/containers/ID/ID-json.log - unusable since it's
destroyed upon container removal.
[1] https://review.openstack.org/635437
[2] https://review.openstack.org/635438
Change-Id: Ibaa8bca52ea2f68afa1effc989b04d2e6213813a
...so the wrappers' logs can be found via the host's journalctl
Closes-bug: #1821794
Change-Id: I4174e6d5852a6939e71d4113a547cf3dc25b9f47
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Currently we spawn haproxy with: ip netns exec ${NETNS}
/usr/sbin/haproxy -Ds $ARGS.
The reason for that was that with -Ds we keep a process in the foreground:
-Ds Start in systemd daemon mode, keeping a process in foreground.
Since haproxy 1.8 removed the
haproxy-systemd-wrapper it also removed the '-Ds' option. In order to
keep things running in the foreground we can just switch to using '-Ws',
which is the multi-worker mode with systemd support and keeps the
process in the foreground.
This commit keeps backward compatibility with current HAProxy to ease
the transition to new HAProxy.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: Ia914de9b3438976d24bf09ad680e806a0fb6644e
Neutron services fail with the error below when running with podman (0.12.1)
and container-selinux (2.77):
relabel failed "/run/netns": operation not supported
Until this is fixed in podman/container-selinux, temporarily remove the SELinux
relabel on /run/netns.
Change-Id: I596074fcc2318ebb3d7efb0128a2b25527e19808
Partial-Bug: #1809218
Adapt wrapper containers for podman, which has no socket available.
Add container_cli parameter for base neutron class, default to docker.
Possible values: podman/docker (default). It is used by the wrappers
tooling to issue CLI commands to the host containers system.
Deprecate bind_socket so it does nothing for podman CLI.
Additionally, add debug triggers for the wrapper scripts messages to
become captured to the wrapper containers' stdout.
Do not stop and remove the existing container before launching a new
one. Allow the neutron parent process to control the process life
cycle. However, make the wrapper containers clean up any exited
containers after their main process is terminated by the neutron parent
process. Additionally, if a name is already taken by a container,
give it a unique name and assume all the smooth transitioning work
is done by the parent neutron process and that clean-up logic
in the wrapper.
Closes-Bug: #1799484
Change-Id: Ib3c41a8bee349856d21f360595e41a9eafd79323
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Neutron uses namespaces with different prefixes depending on
configuration and the nature of the resource. This patch changes the
wrappers to use the "ip netns identify" command to determine the target
namespace for the sidecar instead of trying to guess from the command
line options.
Change-Id: If58bb9dabebf201b592fb450a663ae2f24374e00
Closes-Bug: #1773823
The neutron agents use subprocesses like dnsmasq and keepalived as part
of their implementation. Running these "subprocesses" in separate
containers prevents dataplane breakages/unnecessary failover on agent
container restart.
Also amends docker daemon options to allow including additional unix
domain sockets to bind to the docker daemon. The paths can be mounted by
containers that launch containers instead of mounting /run/docker.sock.
This avoids issues if the docker daemon is restarted while the containers
are running.
Related-Bug: #1749209
Change-Id: Icd4c24ac686d957391548a04722266cefc1bce27
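The wrapper conventions described across these commit messages (the -Ds/-Ws haproxy foreground flag, "ip netns identify" instead of command-line guessing, the k8s-file log driver writing under /var/log/containers/stdouts, no SELinux relabel of /run/netns, and a unique fallback name when one is taken) pulled together as an added example; this is not the module's own wrapper code. The log file name "<container>.log" and the "-<suffix>" naming scheme are assumptions made here.

```shell
#!/bin/sh
# Added example, not the project's wrapper code: the sidecar-wrapper rules
# from the commit log as string-building functions, runnable without root,
# podman or haproxy. Assumed here (not in the log): log file <name>.log
# under /var/log/containers/stdouts and a "-<suffix>" fallback name.

# haproxy < 1.8 keeps a foreground process with -Ds; 1.8 dropped the
# haproxy-systemd-wrapper and -Ds with it, so -Ws (master-worker mode
# with systemd support) is used from there on.
haproxy_fg_flag() {
  # $1: first line of "haproxy -v", e.g. "HA-Proxy version 1.8.14 2018/09/20"
  ver=$(printf '%s\n' "$1" | sed -n 's/^HA-*Proxy version \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  major=${ver%% *}; minor=${ver##* }
  if [ "${major:-0}" -gt 1 ] || { [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -ge 8 ]; }; then
    echo "-Ws"
  else
    echo "-Ds"
  fi
}

# The agent starts the wrapper inside the target namespace, so ask the
# kernel which one that is instead of parsing the agent's command line
# (needs root and a real namespace; not exercised offline).
current_netns() {
  ip netns identify "$$"
}

# A taken name gets a unique fallback; the old container is left to the
# parent process and the wrapper's cleanup of exited containers.
unique_name() {
  # $1: wanted name, $2: newline-separated names podman already knows,
  # $3: suffix for the fallback (defaults to the wrapper's PID)
  if printf '%s\n' "$2" | grep -qx -- "$1"; then
    echo "$1-${3:-$$}"
  else
    echo "$1"
  fi
}

# k8s-file log driver (json-file is a noop or an alias depending on the
# podman version) and /run/netns mounted without a :z relabel, which
# fails on some podman/container-selinux combinations.
build_run_cmd() {
  # $1: container name, $2: image, $3: netns name, rest: process command
  name=$1; image=$2; netns=$3; shift 3
  printf 'podman run --detach --name %s --net ns:/run/netns/%s' "$name" "$netns"
  printf ' --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/%s.log' "$name"
  printf ' --volume /run/netns:/run/netns %s %s\n' "$image" "$*"
}
```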