From 8f4738362a0188c7206fa5c5a610efffeca8c122 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Fri, 28 Sep 2018 15:15:17 +0200 Subject: [PATCH] Rework neutron/own agent wrapper tools for podman Add ContainerCli parameter, default to docker. Possible values: podman/docker (default). Deprecate DockerAdditionalSockets so it does nothing for podman. Nested podman CLI replaces docker sockets. Only bind mount /var/lib/openstack for the neutron/ovn agents for docker. Support debug messages for Neutron/OVN wrappers controlled via NeutronWrapperDebug and OVNWrapperDebug (both default to False). Or globally controlled by Debug. Make the wrapper containers managed by its parent processes and not exited/removed forcibly, when the parent container restarts. Background for podman CLI replacing the docker socket: We'll use 'nsenter -m -n -p -t 1 podman' in wrappers to execute podman in the same namespaces as on the host and to NOT bind-mount world for that, like: - /sys/fs/cgroup:/sys/fs/cgroup - /run/libpod:/run/libpod - /run/containers:/run/containers - /run/runc:/run/runc - /run/runc-ctrs:/run/runc-ctrs - /var/lib/containers:/var/lib/containers - /etc/containers:/etc/containers:ro - /usr/bin/podman:/usr/bin/podman:ro - /usr/bin/runc:/usr/bin/runc:ro - /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro - /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro ... We cannot use chroot /host instead as there is more bind-mounts to use outside of the /host chroot. Maybe varlink is a good replacement for all of that, but it's not there yet. Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe 
Signed-off-by: Bogdan Dobrelya --- docker/services/neutron-dhcp.yaml | 28 ++++++++++++++++- docker/services/neutron-l3.yaml | 28 ++++++++++++++++- docker/services/ovn-metadata.yaml | 30 +++++++++++++++++-- puppet/services/docker.yaml | 9 ++++++ ...per-containers-debug-844c13348c83de93.yaml | 16 ++++++++++ 5 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index d24350c2d7..5911384f88 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -23,6 +23,20 @@ parameters: description: Generate a wrapper script so neutron launches haproxy in a separate container. type: boolean default: true + Debug: + type: boolean + default: false + description: Set to True to enable debugging on all services. + NeutronWrapperDebug: + type: boolean + default: false + description: Controls debugging for the wrapper scripts. + ContainerCli: + type: string + default: 'docker' + description: CLI tool used to manage containers. + constraints: + - allowed_values: ['docker', 'podman'] NeutronDhcpAgentLoggingSource: type: json default: @@ -68,6 +82,8 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]} haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]} + docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']} + service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]} resources: 
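Review bot: The `ContainerCli` description added in this hunk does not mention that `docker` is the deprecated value, although the release note in this same patch calls it deprecated, so an operator reading only the template will keep the default without knowing it is on its way out. I would extend it to `description: CLI tool used to manage containers ('docker' is deprecated, use 'podman').` and leave the `allowed_values` constraint as is. The identical parameter block is duplicated into neutron-l3.yaml and ovn-metadata.yaml further down this patch and wants the same wording.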
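Review bot: `service_debug_unset` tests `NeutronWrapperDebug` against `false`, and since the parameter declared in the previous hunk is a boolean whose default is also `false`, an explicit `NeutronWrapperDebug: false` is indistinguishable from "not set": with the global `Debug: true` the wrapper scripts of this service cannot be kept out of debug mode. If that per-service override is wanted, the parameter needs a sentinel default, e.g. `type: string` with `default: ''` and `service_debug_unset: {equals: [{get_param: NeutronWrapperDebug}, '']}`, provided the puppet class on the receiving end accepts the string form; if not, the parameter description should state that the flag can only switch debug on. Minor: `{equals : [` has a space before the colon that the two `equals:` lines above it do not. The same condition is repeated in the neutron-l3 and ovn-metadata hunks of this patch.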
@@ -108,6 +124,12 @@ outputs: tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper} tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper' tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: DockerNeutronDHCPImage} + tripleo::profile::base::neutron::dhcp_agent_wrappers::debug: + if: + - service_debug_unset + - {get_param: Debug } + - {get_param: NeutronWrapperDebug} + tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli} service_config_settings: map_merge: - get_attr: [NeutronBase, role_data, service_config_settings] @@ -203,7 +225,11 @@ outputs: - /run/openvswitch:/run/openvswitch - /var/lib/neutron:/var/lib/neutron - /run/netns:/run/netns:shared - - /var/lib/openstack:/var/lib/openstack + - + if: + - docker_enabled + - - /var/lib/openstack:/var/lib/openstack + - null - if: - dnsmasq_wrapper_enabled diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index bb5eb80653..34d3363a24 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml @@ -40,6 +40,20 @@ parameters: once the fix to radvd is generally available across target distributions. type: boolean default: false + Debug: + type: boolean + default: false + description: Set to True to enable debugging on all services. + NeutronWrapperDebug: + type: boolean + default: false + description: Controls debugging for the wrapper scripts. + ContainerCli: + type: string + default: 'docker' + description: CLI tool used to manage containers. + constraints: + - allowed_values: ['docker', 'podman'] ServiceData: default: {} description: Dictionary packing service data 
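Review bot: `{get_param: Debug }` carries a stray space before the closing brace while the sibling `{get_param: NeutronWrapperDebug}` on the next line does not; I would write `- {get_param: Debug}` for consistency, and the same spacing recurs in the neutron-l3 and ovn-metadata hunks. A one-line comment above the `if:`, e.g. `# per-service NeutronWrapperDebug wins when set, otherwise fall back to the global Debug`, would help, because the `service_debug_unset` condition it depends on is defined some forty lines earlier in the file. The `config_settings` map this sits in starts and ends outside the hunk.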
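Review bot: The `- null` else branch of the new `if:` relies on Heat's `list_concat` discarding `null` entries, which as far as I can tell it does, but nothing in the template says so and the reason `/var/lib/openstack` is only needed under docker is not visible here either. I would put a short comment above the `if:`, e.g. `# /var/lib/openstack is only used by the docker-socket based wrappers; with podman the wrapper execs podman in the host namespaces instead`, adjusting the wording to whatever the wrapper actually reads from that path. Separately, the commit message says the podman wrappers will run `nsenter -m -n -p -t 1 podman`, which presumably only works if this agent container is already privileged with the host PID namespace visible; the container definition that grants that is outside this hunk, so please confirm it rather than treating the dropped bind mount as a reduction of the container's privileges. The `list_concat` volumes list begins and ends outside this hunk, and the other `if:` entries in it presumably use the same `null` pattern.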
@@ -72,6 +86,8 @@ conditions: haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]} dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]} radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]} + docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']} + service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]} resources: @@ -116,6 +132,12 @@ outputs: tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper} tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper' tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: DockerNeutronL3AgentImage} + tripleo::profile::base::neutron::l3_agent_wrappers::debug: + if: + - service_debug_unset + - {get_param: Debug } + - {get_param: NeutronWrapperDebug} + tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli} service_config_settings: map_merge: @@ -202,7 +224,11 @@ outputs: - /run/openvswitch:/run/openvswitch - /var/lib/neutron:/var/lib/neutron - /run/netns:/run/netns:shared - - /var/lib/openstack:/var/lib/openstack + - + if: + - docker_enabled + - - /var/lib/openstack:/var/lib/openstack + - null - if: - keepalived_wrapper_enabled diff --git a/docker/services/ovn-metadata.yaml b/docker/services/ovn-metadata.yaml index 9bf2ab7a61..f9ef2654ed 100644 --- a/docker/services/ovn-metadata.yaml +++ b/docker/services/ovn-metadata.yaml 
@@ -19,6 +19,20 @@ parameters: description: Generate a wrapper script so that haproxy is launched in a separate container. type: boolean default: true + Debug: + type: boolean + default: false + description: Set to True to enable debugging on all services. + OVNWrapperDebug: + type: boolean + default: false + description: Controls debugging for the wrapper scripts. + ContainerCli: + type: string + default: 'docker' + description: CLI tool used to manage containers. + constraints: + - allowed_values: ['docker', 'podman'] ServiceData: default: {} description: Dictionary packing service data @@ -47,7 +61,9 @@ parameters: type: json conditions: - haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} + haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} + docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']} + service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} resources: @@ -81,6 +97,12 @@ outputs: - tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper} tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper' tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: DockerOvnMetadataImage} + tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug: + if: + - service_debug_unset + - {get_param: Debug } + - {get_param: OVNWrapperDebug} + tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli} puppet_config: puppet_tags: neutron_config,ovn_metadata_agent_config config_volume: neutron @@ -171,7 +193,11 @@ outputs: - /run/openvswitch:/run/openvswitch - /var/lib/neutron:/var/lib/neutron - /run/netns:/run/netns:shared - - /var/lib/openstack:/var/lib/openstack + - + if: + - docker_enabled + - - /var/lib/openstack:/var/lib/openstack + - null - if: - haproxy_wrapper_enabled 
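Review bot: The `haproxy_wrapper_enabled` line is removed and re-added with no visible difference, so the change is whitespace only (a trailing space or an indentation change); if it is indentation, please check that it still sits at the same level as the new `docker_enabled` and `service_debug_unset` keys under `conditions:`, and if it is a trailing-space fix it is cosmetic noise in a functional patch. Otherwise this hunk mirrors the neutron-dhcp and neutron-l3 condition hunks, including the `equals :` spacing and the boolean-default `OVNWrapperDebug` that cannot override a global `Debug: true`.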
diff --git a/puppet/services/docker.yaml b/puppet/services/docker.yaml index 92d08024e0..b6d29698dd 100644 --- a/puppet/services/docker.yaml +++ b/puppet/services/docker.yaml @@ -68,6 +68,15 @@ parameters: default: '' description: User added to the docker group in order to use container commands. type: string +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - DockerAdditionalSockets conditions: insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]} diff --git a/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml b/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml new file mode 100644 index 0000000000..fbb540701c --- /dev/null +++ b/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml @@ -0,0 +1,16 @@ +--- +features: + - | + ``ContainerCli`` allows 'docker' (deprecated) and 'podman' for Neutron + L3/DHCP and OVN metadata rootwrap containers managed by agents. + Parameters ``OVNWrapperDebug`` and ``NeutronWrapperDebug`` (Defaults to + `False`) allow to log debug messages for the wrapper scripts managing + rootwrap containers. It is also controled by the global ``Debug`` setting. +fixes: + - | + Neutron/OVN rootwrap containers are managed by agents and will no longer + be deleted, when the parent container restarts. +deprecations: + - | + Parameter ``DockerAdditionalSockets`` is deprecated. No sockets are + expected to bind mount for podman. So it only works for the docker runtime.
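Review bot: The deprecation here is only a `parameter_groups` entry; the `DockerAdditionalSockets` parameter definition itself, which sits above this hunk, still presents the sockets as something that will be bind mounted, with no hint that the value is ignored when `ContainerCli` is `podman` as the commit message and release note state. I would extend that parameter's description with `Deprecated: only honoured with ContainerCli=docker; no sockets are bind mounted for podman.` so the two sources agree. It is also worth a sentence there that bind-mounting the docker socket into an agent container gives that container root-equivalent control of the host, and that by my reading of the commit message the podman replacement (`nsenter -t 1 podman` from inside the container) is no less privileged, so the deprecation should not be read as a hardening change. The `DockerAdditionalSockets` definition and its consumer are outside this hunk.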