b6eedb6fb1
On recent, enforcing systems, the update_yum.sh can't be executed,
because SELinux prevents container_t to open user_tmp_t:
type=AVC msg=audit(1674049913.380:22858): avc: denied { open } for
pid=70472 comm="bash" path="/tmp/yum_update.sh" dev="vda4" ino=218200014
scontext=system_u:system_r:container_t:s0:c65,c705
tcontext=unconfined_u:object_r:user_tmp_t:s0
tclass=file permissive=0
This patch ensures it gets properly relabelled when bind-mounted during
the image build. Using the "z" will also ensure it's still usable even
when running multiple builds at the same time.
Change-Id: I4085865965f48c9fa6a88cde7010a51cd8c653d8
|
||
|---|---|---|
| ci-scripts | ||
| defaults | ||
| files | ||
| meta | ||
| tasks | ||
| templates | ||
| zuul.d | ||
| .ansible-lint | ||
| .gitignore | ||
| .gitreview | ||
| .pre-commit-config.yaml | ||
| .yamllint | ||
| ansible-requirements.txt | ||
| ansible.cfg | ||
| LICENSE | ||
| README.rst | ||
| requirements.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
TripleO Modify Image
A role to allow modification to container images built for the TripleO project.
Role Variables
| Name | Default Value | Description |
|---|---|---|
| source_image | [undefined] | Mandatory fully qualified reference to the source image to be modified. The supplied Dockerfile will be copied and modified to make the FROM directive match this variable. |
| modify_dir_path | [undefined] | Mandatory path to the directory containing the Dockerfile to modify the image |
| modified_append_tag | date +-modified-%Y%m%d%H%M%S | String to be appended after the tag to indicate this is a modified version of the source image. |
| target_image | [undefined] | If set, the modified image will be tagged with target_image + modified_append_tag. If target_image is not set, the modified image will be tagged with source_image + modified_append_tag. If the purpose of the image is not changing, it may be enough to rely on the source_image + modified_append_tag tag to identify that this is a modified version of the source image. |
| Name | Default Value | Description |
|---|---|---|
| source_image | [undefined] | See modify image variables |
| modified_append_tag | date +-modified-%Y%m%d%H%M%S | See modify image variables |
| target_image | '' | See modify image variables |
| rpms_path | '' | If set, packages present in rpms_path will be updated but dependencies must also be included if required as yum is called with localupdate. |
| update_repo | '' | If set, packages from this repo will be updated. Other repos will only be used for dependencies of these updates. |
| yum_repos_dir_path | None | Optional path of directory to be used as /etc/yum.repos.d during the update |
| yum_cache | None | Optional path to the host directory for yum cache during the update. Requires an overlay-enabled FS that also supports SE context relabling. |
| force_purge_yum_cache | False | Optional argument that tells buildah to forcefully re-populate the yum cache with new contents. |
| Name | Default Value | Description |
|---|---|---|
| source_image | [undefined] | See modify image variables |
| modified_append_tag | date +-modified-%Y%m%d%H%M%S | See modify image variables |
| target_image | '' | See modify image variables |
| yum_packages | [] | Provide a list of packages to install via yum |
| yum_repos_dir_path | None | Optional path of directory to be used as /etc/yum.repos.d during the update |
| Name | Default Value | Description |
|---|---|---|
| source_image | [undefined] | See modify image variables |
| modified_append_tag | date +-modified-%Y%m%d%H%M%S | See modify image variables |
| target_image | '' | See modify image variables |
| refspecs | [] | An array of project/refspec pairs that will be installed into the generated container. Currently only supports python source projects. |
| python_dir | [] | Directory which contains a Python project ready to be installed with pip. |
Requirements
- ansible >= 2.4
- python >= 2.6
Dependencies
None
Warnings
On-disk repositories
Please ensure the SELinux label for the on-disk repositories are correct. Depending on your container-selinux (and podman) version, you may face issues.
Some examples of a correct type:
`system_u:object_r:rpm_var_cache_t``system_u:object_r:container_file_t`
First one matches the one of /var/cache/dnf, and is accessible from within a container, while the second one may allow a container to actually write in there.
Directories located in the user's home
You may want to avoid pointing to directories in your $HOME when
running this role, especially when it's running from within TripleO
client (for instance with the
`openstack tripleo container image prepare` command). Doing
so may break due to the SELinux labels and permissions associated to
your home directory.
Please use another location, such as /opt, or even /tmp - and double-check the SELinux labels therein.
Example Playbooks
Modify Image
The following playbook will produce a modified image with the tag :latest-modified-<timestamp> based on the Dockerfile in the custom directory /path/to/example_modify_dir.
- hosts: localhost
tasks:
- name: include ansible-role-tripleo-modify-image
import_role:
name: ansible-role-tripleo-modify-image
tasks_from: modify_image.yml
vars:
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
modify_dir_path: /path/to/example_modify_dirThe directory example_modify_dir contains the Dockerfile which will perform the modification, for example:
# This will be replaced in the file Dockerfile.modified
FROM centos-binary-nova-api
# switch to root to install packages
USER root
# install packages
RUN curl "https://bootstrap.pypa.io/get-pip.py" -o "/tmp/get-pip.py"
RUN python /tmp/get-pip.py
# switch the container back to the default user
USER novaYum update
The following playbook will produce a modified image with the tag :latest-updated which will do a yum update using the host's /etc/yum.repos.d. Only file repositories will be used (with baseurl=file://...). In this playbook the tasks_from is set as a variable instead of an import_role parameter.
- hosts: localhost
tasks:
- name: include ansible-role-tripleo-modify-image
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: yum_update.yml
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
yum_repos_dir_path: /etc/yum.repos.d
modified_append_tag: updated
yum_cache: /tmp/containers-updater/yum_cache
rpms_path: /opt/rpms- hosts: localhost
tasks:
- name: include ansible-role-tripleo-modify-image
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: yum_update.yml
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
modified_append_tag: updated
rpms_path: /opt/rpms/Note, if you have a locally installed gating repo, you can add
update_repo: gating-repo. This may be the case for the
consequent in-place deployments, like those performed with the CI
reproducer script.
Yum install
The following playbook will produce a modified image with the tag :latest-updated which will do a yum install of the requested packages using the host's /etc/yum.repos.d. In this playbook the tasks_from is set as a variable instead of an import_role parameter.
- hosts: localhost
tasks:
- name: include ansible-role-tripleo-modify-image
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: yum_install.yml
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
yum_repos_dir_path: /etc/yum.repos.d
yum_packages: ['foobar-nova-plugin', 'fizzbuzz-nova-plugin']RPM install
The following playbook will produce a modified image with RPMs from the specified rpms_path on the local filesystem installed as a new layer for the container. The new container tag is appened with the '-hotfix' suffix. Useful for creating adhoc hotfix containers with local RPMs with no network connectivity.
- hosts: localhost
tasks:
- name: include ansible-role-tripleo-modify-image
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: rpm_install.yml
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
rpms_path: /opt/rpms
modified_append_tag: -hotfixDev install
The following playbook will produce a modified image with Python source code installed via pip. To minimize dependencies within the container we generate the sdist locally and then copy it into the resulting container image as an sdist tarball to run pip install locally.
It can be used to pull a review from OpenDev Gerrit:
- hosts: localhost
connection: local
tasks:
- name: dev install heat-api
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: dev_install.yml
source_image: docker.io/tripleomaster/centos-binary-heat-api:current-tripleo
refspecs:
-
project: heat
refspec: refs/changes/12/1234/3
modified_append_tag: -develor it can be used to build an image from a local Python directory:
- hosts: localhost
connection: local
tasks:
- name: dev install heat-api
import_role:
name: ansible-role-tripleo-modify-image
vars:
tasks_from: dev_install.yml
source_image: docker.io/tripleomaster/centos-binary-heat-api:current-tripleo
modified_append_tag: -devel
python_dir:
- /home/joe/git/openstack/heatNote: here, we can use a directory located in the user's home because it's probably launched by the user.
License
Apache 2.0