Brent Eagles d2dfda965e Remove selinux relabel mount option for neutron
Neutron agent processes launched in containers are failing with
 "Error: relabel failed "/var/lib/neutron": \
  SELinux relabeling of /var/lib/neutron is not allowed"

Possibly related prior patch:
 https://review.opendev.org/#/c/626546/

Change-Id: Ifc7d0cb79214da44d9cd12481f010e2d7d325aa6
Related-Bug: #1881146
(cherry picked from commit 3fa8c735ae75653284906e5a192391cd03a8431d)
2020-06-03 09:46:47 +00:00

61 lines
2.2 KiB
Plaintext

<%- | String $image_name = '',
String $bind_socket = '',
Boolean $debug,
String $container_cli = ''
| -%>
#!/bin/bash
<%- if $debug { -%>set -x<%- } -%>
<%- if $bind_socket { -%>
export DOCKER_HOST="<%=$bind_socket%>"
<%- } -%>
ARGS="$@"
# Extract the network namespace UUID from the command line args provided by
# neutron. Typically of the form (with dnsmasq as an example):
#
# dnsmasq --no-hosts --no-resolv --except-interface=lo \
# --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid \
# --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
NAME=neutron-radvd-${NETWORK_ID}
<%- if $container_cli == 'docker' { -%>
CLI='docker'
LOGGING=''
CMD="ip netns exec qrouter-${NETWORK_ID} /usr/sbin/radvd -n"
<%- } elsif $container_cli == 'podman' { -%>
CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman"
LOGGING="--log-driver k8s-file --log-opt path=/var/log/containers/stdouts/${NAME}.log"
CMD='/usr/sbin/radvd -n'
<%- } else { -%>
CLI='echo noop'
CMD='echo noop'
<%- } -%>
LIST=$($CLI ps -a --filter name=neutron-radvd- --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
# Find orphaned containers left for dead after its main process terminated by neutron parent process
ORPHANTS=$(printf "%s\n" "${LIST}" | grep ":Exited")
if [ -n "${ORPHANTS}" ]; then
for orphant in $(printf "%s\n" "${ORPHANTS}" | awk -F':' '{print $1}'); do
echo "Removing orphaned container ${orphant}"
$CLI stop ${orphant} || true
$CLI rm -f ${orphant} || true
done
fi
# If the NAME is already taken by a container, give it an unique name
printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}-$(date +%Y-%m-%d-%H%M%S-%N)"
echo "Starting a new child container ${NAME}"
$CLI run --detach ${LOGGING} \
-v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
-v /run/netns:/run/netns:shared \
-v /var/lib/neutron:/var/lib/neutron:shared \
-v /dev/log:/dev/log \
--net host \
--pid host \
--privileged \
-u root \
--name $NAME \
<%=$image_name%> \
$CMD $ARGS