Introduce a new linter for yaml-validate, and correct issues

This new linter ensures we don't have any trailing "/" in the container
volume definitions.

A trailing "/" in a bind-mount path can cause problems inside the containers,
for instance for specific mounts such as "/dev" [1].

This patch also takes the opportunity to fix those trailing "/" for the
affected files, in order to start on a clean basis.

[1] https://launchpad.net/bugs/1950176

Change-Id: If951f9643d67574c1225301aab7c9e4b0d316b7f
Related-Bug: #1950176
Cédric Jeanneret 2021-11-30 17:00:31 +01:00
parent 1f868ba530
commit 7a99ae23e3
21 changed files with 60 additions and 24 deletions


@ -204,7 +204,7 @@ outputs:
list_concat:
- *mysql_volumes
- - /var/lib/config-data/puppet-generated/mysql/root:/root:rw
- /var/lib/container-config-scripts/:/container-config-scripts/:ro
- /var/lib/container-config-scripts:/container-config-scripts:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
net: host


@ -211,7 +211,7 @@ outputs:
-
- /var/lib/kolla/config_files/novajoin_server.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/novajoin:/var/lib/kolla/config_files/src:ro
- /etc/ipa/:/etc/ipa/:ro
- /etc/ipa:/etc/ipa:ro
- /etc/novajoin/krb5.keytab:/etc/novajoin/krb5.keytab:ro
- /var/log/containers/novajoin:/var/log/novajoin
environment:
@ -229,7 +229,7 @@ outputs:
-
- /var/lib/kolla/config_files/novajoin_notifier.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/novajoin:/var/lib/kolla/config_files/src:ro
- /etc/ipa/:/etc/ipa/:ro
- /etc/ipa:/etc/ipa:ro
- /etc/novajoin/krb5.keytab:/etc/novajoin/krb5.keytab:ro
- /var/log/containers/novajoin:/var/log/novajoin
environment:


@ -176,7 +176,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/etcd:/var/lib/etcd
- /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/etcd/:/var/lib/kolla/config_files/src:ro
- /var/lib/config-data/puppet-generated/etcd:/var/lib/kolla/config_files/src:ro
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro


@ -324,8 +324,8 @@ outputs:
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/horizon:/var/tmp/:z
- /var/www/:/var/www/:ro
- /var/tmp/horizon:/var/tmp:z
- /var/www:/var/www:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro


@ -137,7 +137,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic/:shared,z
- /var/lib/ironic:/var/lib/ironic:shared,z
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z
environment:
@ -157,7 +157,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ironic_pxe_http.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic/:shared,z
- /var/lib/ironic:/var/lib/ironic:shared,z
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z
environment:


@ -143,7 +143,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
- /dev:/dev
- /run/:/run/
- /run:/run
- /sys:/sys
- /lib/modules:/lib/modules:ro
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro


@ -791,7 +791,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
- - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
- /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_4:


@ -741,7 +741,7 @@ outputs:
- /var/lib/config-data/puppet-generated/collectd:/var/lib/kolla/config_files/src:ro
- /var/log/containers/collectd:/var/log/collectd:rw,z
- /var/lib/container-config-scripts:/scripts:ro
- /run/:/run:rw
- /run:/run:rw
- /sys/fs/cgroup:/sys/fs/cgroup:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS


@ -112,7 +112,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /lib/modules:/lib/modules:ro
- /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS


@ -169,7 +169,7 @@ outputs:
- - /var/lib/kolla/config_files/neutron_mlnx_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- /var/lib/config-data/puppet-generated/neutron/etc/neutron:/etc/neutron
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS


@ -136,7 +136,7 @@ outputs:
volumes:
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch
- /etc/modules-load.d/:/etc/modules-load.d
- /etc/modules-load.d:/etc/modules-load.d
kolla_config:
get_attr: [NeutronOvsAgent, role_data, kolla_config]
container_config_scripts:


@ -670,7 +670,7 @@ outputs:
- {get_attr: [NovaApiLogging, volumes]}
- - /var/lib/kolla/config_files/nova_wait_for_api_service.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
- /var/lib/container-config-scripts/:/container-config-scripts/:z
- /var/lib/container-config-scripts:/container-config-scripts:z
environment:
__OS_DEBUG:
yaql:


@ -1304,7 +1304,7 @@ outputs:
volumes:
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/_nova_secontext:/var/lib/_nova_secontext:shared,z
- /var/lib/container-config-scripts/:/container-config-scripts/:z
- /var/lib/container-config-scripts:/container-config-scripts:z
command: "/container-config-scripts/pyshim.sh /container-config-scripts/nova_statedir_ownership.py"
environment:
# NOTE: this should force this container to re-run on each


@ -153,7 +153,7 @@ outputs:
volumes:
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/_nova_secontext:/var/lib/_nova_secontext:shared,z
- /var/lib/container-config-scripts/:/container-config-scripts/
- /var/lib/container-config-scripts:/container-config-scripts
command: "/container-config-scripts/pyshim.sh /container-config-scripts/nova_statedir_ownership.py"
step_5:
nova_compute:
@ -193,7 +193,7 @@ outputs:
- /var/lib/kolla/config_files/nova_ironic_wait_for_compute.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/container-config-scripts/:/container-config-scripts/
- /var/lib/container-config-scripts:/container-config-scripts
user: root
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS


@ -173,7 +173,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- /etc/ssh/:/host-ssh/:ro
- /etc/ssh:/host-ssh:ro
- /run/libvirt:/run/libvirt:shared,z
- /var/lib/nova:/var/lib/nova:shared
environment:


@ -316,7 +316,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']


@ -146,7 +146,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-health-manager; chown -R octavia:octavia /etc/octavia/conf.d/octavia-health-manager']
step_5:
map_merge:


@ -120,7 +120,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-housekeeping; chown -R octavia:octavia /etc/octavia/conf.d/octavia-housekeeping']
step_5:
octavia_housekeeping:


@ -109,7 +109,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-worker; chown -R octavia:octavia /etc/octavia/conf.d/octavia-worker']
step_5:
octavia_worker:


@ -309,7 +309,7 @@ outputs:
- {get_attr: [PlacementLogging, volumes]}
- - /var/lib/kolla/config_files/placement_api_wait_for_service.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/placement:/var/lib/kolla/config_files/src:ro
- /var/lib/container-config-scripts/:/container-config-scripts/:z
- /var/lib/container-config-scripts:/container-config-scripts:z
environment:
__OS_DEBUG:
yaql:


@ -716,6 +716,8 @@ def validate_docker_service(filename, tpl):
print('ERROR: %s should not be in puppet_config section.'
% key)
return 1
if validate_ct_volumes(puppet_config.get('volumes')):
return 1
for key in REQUIRED_DOCKER_PUPPET_CONFIG_SECTIONS:
if key not in puppet_config:
print('ERROR: %s is required in puppet_config for %s.'
@ -753,6 +755,8 @@ def validate_docker_service(filename, tpl):
print('ERROR: bootstrap_host_exec needs to run '
'as the root user.')
return 1
if validate_ct_volumes(container.get('volumes')):
return 1
if 'upgrade_tasks' in role_data and role_data['upgrade_tasks']:
if (validate_upgrade_tasks(role_data['upgrade_tasks']) or
@ -769,6 +773,38 @@ def validate_docker_service(filename, tpl):
return 0
def validate_ct_volumes(volumes):
'''Ensure we don't have any trailing "/" in the volume'''
if not volumes:
return 0
if isinstance(volumes, list):
# Plain list without much complications
for vol in volumes:
if isinstance(vol, dict):
# Avoid 'if'
continue
vol_def = vol.split(':')
if vol_def[0][-1] == '/' or vol_def[1][-1] == '/':
print('ERROR: trailing "/" detected for {}'.format(vol))
return 1
return 0
ret = 0
if isinstance(volumes, dict):
# We probably face a list_concat thing. Clean and re-run!
# First avoid the get_attr.
if 'get_attr' in list(volumes.keys()):
return 0
if 'list_concat' in list(volumes.keys()):
for vol in volumes['list_concat']:
if isinstance(vol, dict):
continue
ret += validate_ct_volumes(vol)
return ret
print('ERROR: unknown "volumes" type: {}'.format(volumes))
return 1
def validate_docker_logging_template(filename, tpl):
if 'outputs' not in tpl:
print('ERROR: outputs are missing from: %s' % filename)
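Review bot: validate_ct_volumes will abort with an IndexError instead of reporting a lint error on a malformed entry: `vol_def[1]` fails when the volume string contains no ":" at all, `vol_def[0][-1]` fails on an empty component such as a leading ":", and a host-root mount written as `/:/host:ro` would be reported as a trailing "/" because `"/"[-1]` is "/". Validating the split result before indexing and exempting a bare "/" keeps the linter reporting rather than tracebacking; the lines below replace the `vol_def = vol.split(':')` check and the condition that follows it. Separately, every dict entry is skipped ("Avoid 'if'"), so volumes nested under an `if:` conditional — several appear in the YAML hunks of this same change — are never linted; if that is intentional the docstring should say so (`'''Ensure no trailing "/" in volume definitions; dict entries (if/get_attr) are not inspected'''`), otherwise the `if:` branches should be recursed into the same way list_concat is. validate_ct_volumes is fully contained in this hunk; the two call sites added higher up sit inside validate_docker_service, whose body starts and ends outside the hunks shown.
```python
            # … unchanged: skip dict entries ('if', get_attr) …
            src_dst = vol.split(':')[:2]
            if len(src_dst) < 2 or not all(src_dst):
                print('ERROR: malformed volume definition {}'.format(vol))
                return 1
            # a bare "/" (host root mount) is not a trailing slash
            if any(p != '/' and p.endswith('/') for p in src_dst):
                print('ERROR: trailing "/" detected for {}'.format(vol))
                return 1
```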