12 Commits

Author SHA1 Message Date
Brent Eagles
d2dfda965e Remove selinux relabel mount option for neutron
Neutron agent processes launched in containers are failing with
 "Error: relabel failed "/var/lib/neutron": \
  SELinux relabeling of /var/lib/neutron is not allowed"

Possibly related prior patch:
 https://review.opendev.org/#/c/626546/

Change-Id: Ifc7d0cb79214da44d9cd12481f010e2d7d325aa6
Related-Bug: #1881146
(cherry picked from commit 3fa8c735ae75653284906e5a192391cd03a8431d)
2020-06-03 09:46:47 +00:00
Emilien Macchi
25cf148373 Revert "Remove neutron wrappers"
This reverts commit afe7cecb598441abc0704c868643613428ef850a.

Change-Id: I961262422206c695de79a03de2be1e53defbc41c
2020-04-30 18:47:17 +00:00
Emilien Macchi
afe7cecb59 Remove neutron wrappers
With I2feb9e81bc40e44cb2c7a2972366fa4b16590227, we don't need the
wrappers managed by Puppet anymore, everything is deployed by Ansible.

Blueprint: safe-side-containers
Depends-On: I2feb9e81bc40e44cb2c7a2972366fa4b16590227

Change-Id: I890fff9c7ead7e72fd4fe3a58b4ffce2e315b916
2019-11-15 12:22:02 +00:00
Cédric Jeanneret
0976e4eeb3 Update log-driver value for podman
Depending on the podman version, "json-file" is set to noop and makes
podman crash (true for at least podman 1.4.1), while older versions
re-add this json-file as an alias to k8s-file (true since 1.4.3).

Ensuring we're using k8s-file will prevent issues depending on the
podman version.

Relates to https://bugzilla.redhat.com/show_bug.cgi?id=1754416
Closes-Bug: #1844856

Change-Id: I70eba8af06741ed81173689a03c4867421917cd6
2019-09-23 13:49:31 +02:00
Cédric Jeanneret
f5a7ca6fb5 Correct how podman exec is called for the neutron-keepalived-state-change
Podman exec doesn't have the "--detach" flag, so this one didn't work at
all until now.

Change-Id: Ibf18056dc1ed0168b3aa467e7034af7e59c98cb7
2019-04-17 13:55:29 +02:00
Cédric Jeanneret
be1c9e1f85 Enable file logging for podman neutron sidecars
In order to get more complete container logging, we now enable
the file logging for the podman containers.
This will output container stdout/stderr in a file located in the
new /var/log/containers/stdouts location.

This follows the other efforts already made with paunch[1] and
docker-puppet.py (now named container-puppet.py)[2]

Notes:
- podman supports only "json-file", allowing to push files in the
  location we want via the "path" log option
- docker doesn't have the "path" log option and pushes its log in
  /var/lib/docker/containers/ID/ID-json.log - unusable since it's
  destroyed upon container removal.

[1] https://review.openstack.org/635437
[2] https://review.openstack.org/635438

Change-Id: Ibaa8bca52ea2f68afa1effc989b04d2e6213813a
2019-04-16 14:11:00 +02:00
Bogdan Dobrelya
8249721e66 Allow neutron wrapper containers log to syslog
...so the wrappers' logs can be found via the host's journalctl

Closes-bug: #1821794

Change-Id: I4174e6d5852a6939e71d4113a547cf3dc25b9f47
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-03-27 14:35:37 +01:00
Michele Baldessari
d8691bcd9d Make the neutron-haproxy-wrapper compatible with haproxy 1.8
Currently we spawn haproxy with: ip netns exec ${NETNS}
/usr/sbin/haproxy -Ds $ARGS.

The reason for that was that with -Ds we keep a process in the foreground:
-Ds Start in systemd daemon mode, keeping a process in foreground.

Since haproxy 1.8 removed the
haproxy-systemd-wrapper it also removed the '-Ds' option. In order to
keep things running in the foreground we can just switch to using '-Ws'
which is the multiworker mode with systemd support which keeps the
process in the foreground.

This commit keeps backward compatibility with current HAProxy to ease
the transition to new HAProxy.

Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>

Change-Id: Ia914de9b3438976d24bf09ad680e806a0fb6644e
2019-01-16 10:52:21 +00:00
Cédric Jeanneret
7034cfdb68 Temporary remove selinux label mount option for neutron
Neutron services failing with below Error when running with podman(0.12.1)
and container-selinux(2.77):-

relabel failed "/run/netns": operation not supported

Until this is fixed in podman/container-selinux, temporarily remove selinux
relabel on /run/netns.

Change-Id: I596074fcc2318ebb3d7efb0128a2b25527e19808
Partial-Bug: #1809218
2018-12-20 12:03:44 +01:00
Bogdan Dobrelya
6117cae693 Fix wrapper containers for podman w/o sockets
Adapt wrapper containers for podman, which has no socket available.

Add container_cli parameter for base neutron class, default to docker.
Possible values: podman/docker (default). It is used by the wrappers
tooling to issue CLI commands to the host containers system.
Deprecate bind_socket so it does nothing for podman CLI.

Additionally, add debug triggers for the wrapper scripts messages to
become captured to the wrapper containers' stdout.

Do not stop and remove the existing container before launching a new
one. Allow the neutron parent process to control the process life
cycle. Although make the wrapper containers cleaning up any exited
containers after its main process terminated by the neutron parent
process. Additionally, if a name is already taken by a container,
give it a unique name and assume all the smooth transitioning work
to be done by the parent neutron process and that clean up logic
in the wrapper.

Closes-Bug: #1799484
Change-Id: Ib3c41a8bee349856d21f360595e41a9eafd79323
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-11-05 20:39:29 +00:00
Brent Eagles
684521fc84 Neutron sidecar wrappers use netns they were invoked with
Neutron uses namespaces with different prefixes depending on
configuration and the nature of the resource. This patch changes the
wrappers to use the "ip netns identify" command to determine the target
namespace for the sidecar instead of trying to guess from the command
line options.

Change-Id: If58bb9dabebf201b592fb450a663ae2f24374e00
Closes-Bug: #1773823
2018-05-29 09:09:23 -02:30
Brent Eagles
015c9b757a Adding wrapper scripts for neutron agent subprocesses
The neutron agents use subprocesses like dnsmasq and keepalived as part
of their implementation. Running these "subprocesses" in separate
containers prevents dataplane breakages/unnecessary failover on agent
container restart.

Also amends docker daemon options to allow including additional unix
domain sockets to bind to the docker daemon. The paths can be mounted by
containers that launch containers instead of mounting /run/docker.sock.
This avoids issues if the docker daemon is restarted while the containers
are running.

Related-Bug: #1749209
Change-Id: Icd4c24ac686d957391548a04722266cefc1bce27
2018-04-30 21:58:29 -02:30