tripleo-heat-templates/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml
Bogdan Dobrelya 8f4738362a Rework neutron/own agent wrapper tools for podman
Add ContainerCli parameter, default to docker. Possible values:
podman/docker (default).

Deprecate DockerAdditionalSockets so it does nothing for podman.
Nested podman CLI replaces docker sockets. Only bind mount
/var/lib/openstack for the neutron/ovn agents for docker.

Support debug messages for Neutron/OVN wrappers controlled via
NeutronWrapperDebug and OWNWrapperDebug (defaults to False). Or
globally controlled by Debug.

Make the wrapper containers managed by its parent processes and
not exited/removed forcibly, when the parent container restarts.

Background for podman CLI replacing the docker socket:

We'll use 'nsenter -m -n -p -t 1 podman' in wrappers
to execute podman in the same namespaces as on the host
and to NOT bind-mount world for that, like:
- /sys/fs/cgroup:/sys/fs/cgroup
- /run/libpod:/run/libpod
- /run/containers:/run/containers
- /run/runc:/run/runc
- /run/runc-ctrs:/run/runc-ctrs
- /var/lib/containers:/var/lib/containers
- /etc/containers:/etc/containers:ro
- /usr/bin/podman:/usr/bin/podman:ro
- /usr/bin/runc:/usr/bin/runc:ro
- /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro
- /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro
...

We cannot use chroot /host instead as there is more bind-mounts to use
outside of the /host chroot. Maybe varlink is a good replacement for
all of that, but it's not there yet.

Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-11-07 09:48:40 +01:00
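The wrapper logic the commit message describes (nested podman via `nsenter` into PID 1's namespaces instead of bind-mounting the runtime state, docker keeping its sockets and `/var/lib/openstack`, and debug output gated by the per-wrapper flag or the global Debug flag), as a constructed shell illustration that is not the project's own wrapper script. The function names and the `WRAPPER_DEBUG`, `DEBUG` and `DOCKER_ADDITIONAL_SOCKETS` environment variables are hypothetical stand-ins for the Heat parameters.

```shell
#!/bin/sh
# Constructed illustration of the agent wrapper logic; not tripleo's own code.
# WRAPPER_DEBUG / DEBUG / DOCKER_ADDITIONAL_SOCKETS are hypothetical stand-ins
# for NeutronWrapperDebug/OVNWrapperDebug, Debug and DockerAdditionalSockets.

# Debug is on when either the per-wrapper flag or the global Debug flag is true.
debug_enabled() {
    [ "${WRAPPER_DEBUG:-false}" = "true" ] || [ "${DEBUG:-false}" = "true" ]
}

log_debug() {
    if debug_enabled; then
        echo "DEBUG: $*" >&2
    fi
}

# Print the command prefix that reaches the host runtime from inside the agent
# container. For podman, enter PID 1's mount/net/pid namespaces (this needs a
# privileged agent container) rather than bind-mounting /run/libpod,
# /var/lib/containers, the podman/runc/conmon binaries and so on.
container_cli_cmd() {
    case "$1" in
        podman) echo "nsenter -m -n -p -t 1 podman" ;;
        docker) echo "docker" ;;
        *) echo "unsupported ContainerCli: $1" >&2; return 1 ;;
    esac
}

# Build the 'run' line for a rootwrap container. Only docker still needs
# /var/lib/openstack and the additional sockets bind-mounted; for podman the
# DockerAdditionalSockets list is ignored, as the commit deprecates it.
build_run_cmd() {
    cli="$1"; name="$2"; image="$3"
    prefix=$(container_cli_cmd "$cli") || return 1
    vols=""
    if [ "$cli" = "docker" ]; then
        vols="-v /var/lib/openstack:/var/lib/openstack"
        for sock in ${DOCKER_ADDITIONAL_SOCKETS:-}; do
            vols="$vols -v $sock:$sock"
        done
    fi
    log_debug "starting $name via $cli"
    # --detach leaves the container owned by the agent process, so a restart
    # of the parent container does not forcibly remove it.
    echo "$prefix run --detach --name $name${vols:+ $vols} $image"
}
```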

---
features:
  - |
    ``ContainerCli`` allows 'docker' (deprecated) and 'podman' for Neutron
    L3/DHCP and OVN metadata rootwrap containers managed by agents.
    Parameters ``OVNWrapperDebug`` and ``NeutronWrapperDebug`` (default to
    ``False``) allow logging of debug messages for the wrapper scripts managing
    rootwrap containers. Debug logging is also controlled by the global
    ``Debug`` setting.
fixes:
  - |
    Neutron/OVN rootwrap containers are managed by agents and will no longer
    be deleted when the parent container restarts.
deprecations:
  - |
    Parameter ``DockerAdditionalSockets`` is deprecated. No sockets are
    expected to be bind-mounted for podman, so it only works for the docker
    runtime.