9aedd84c7f
Neutron agent processes launched in containers are failing with
"Error: relabel failed "/var/lib/neutron": \
SELinux relabeling of /var/lib/neutron is not allowed"
Possibly related prior patch:
https://review.opendev.org/#/c/626546/
Change-Id: Ifc7d0cb79214da44d9cd12481f010e2d7d325aa6
Related-Bug: #1881146
(cherry picked from commit 3fa8c735ae
)
<%- | String $image_name = '',
String $bind_socket = '',
Boolean $debug,
String $container_cli = ''
| -%>
#!/bin/bash
<%- if $debug { -%>set -x<%- } -%>
<%- if $bind_socket { -%>
export DOCKER_HOST="<%=$bind_socket%>"
<%- } -%>
ARGS="$@"
# Extract the network namespace UUID from the command line args provided by
# neutron. Typically of the form (with dnsmasq as an example):
#
# dnsmasq --no-hosts --no-resolv --except-interface=lo \
# --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid \
# --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
NETNS=$(ip netns identify)
NAME=neutron-haproxy-${NETNS}
HAPROXY_CMD='$(if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then echo "/usr/sbin/haproxy -Ds"; else echo "/usr/sbin/haproxy -Ws"; fi)'
<%- if $container_cli == 'docker' { -%>
CLI='docker'
LOGGING=''
CMD="ip netns exec ${NETNS} "'$HAPROXY'
<%- } elsif $container_cli == 'podman' { -%>
CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman"
LOGGING="--log-driver k8s-file --log-opt path=/var/log/containers/stdouts/${NAME}.log"
CMD='$HAPROXY'
<%- } else { -%>
CLI='echo noop'
CMD='echo noop'
<%- } -%>
LIST=$($CLI ps -a --filter name=neutron-haproxy- --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
# Find orphaned containers left for dead after its main process terminated by neutron parent process
# FIXME(cjeanner): https://github.com/containers/libpod/issues/1703
ORPHANTS=$(printf "%s\n" "${LIST}" | grep -E ":(Exited|Created)")
if [ -n "${ORPHANTS}" ]; then
for orphant in $(printf "%s\n" "${ORPHANTS}" | awk -F':' '{print $1}'); do
echo "Removing orphaned container ${orphant}"
$CLI stop ${orphant} || true
$CLI rm -f ${orphant} || true
done
fi
# If the NAME is already taken by a container, give it an unique name
printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}-$(date +%Y-%m-%d-%H%M%S-%N)"
echo "Starting a new child container ${NAME}"
$CLI run --detach ${LOGGING} \
-v /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron:ro \
-v /run/netns:/run/netns:shared \
-v /var/lib/neutron:/var/lib/neutron:shared \
-v /dev/log:/dev/log \
--net host \
--pid host \
--privileged \
-u root \
--name $NAME \
<%=$image_name%> \
/bin/bash -c "HAPROXY=\"$HAPROXY_CMD\"; exec $CMD $ARGS"
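Review bot: `ARGS="$@"` near the top of the script flattens neutron's arguments into a single string that `exec $CMD $ARGS` in the final `bash -c "..."` line then re-tokenises inside the container, so any argument containing whitespace or shell metacharacters would be split or interpreted instead of being passed through as one word. The option=path pairs neutron passes today (such as the `--dhcp-hostsfile=...` example in the header comment) survive this, but the wrapper has no protection if that ever changes, and the commit does not address it. Quoting each argument once for the inner shell keeps them intact: `ARGS=$(printf '%q ' "$@")`. `$CMD` itself must stay unquoted, since the `HAPROXY_CMD` assignment relies on `$HAPROXY` being expanded by the shell inside the container; a short comment on that line saying so would spare the next reader from "fixing" it.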