Our other keyservers for ubuntu use port 80 for firewall reasons.
Update the base to do the same.
TrivialFix
Change-Id: I4f6e59b3925e49a389e0415c943862cc13422f95

The base image is missing python-jinja2 for source builds which causes
the kolla_mesos_start script to fail on import.
Change-Id: I8550115dd42f4401a3351cd7c466fbeb1e02a665
Closes-Bug: #1532275

- Removed hardcoded yum repository configuration in favor of
commands dynamically generated based on repo-url and repo-file
arguments. We maintain a sane default set of repositories.
- Added generic rpm_setup_config parameter to add support for
installing .rpm or .repo files before building containers.
Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
Implements: blueprint custom-repos
Change-Id: I1b3a7647a9e7239de3cd162cb6f464f05632bde1

We want to record kolla version of running containers to be able to
detect whether or not we need to perform certain downtime-causing
actions during upgrade.
Change-Id: Ie113029da98303e6809d56edbf6d8de37be128d7
Implements: blueprint record-version

The ceph master repository is slow and the centos build often fails due
to timeouts fetching the ceph repo GPG key.
Switching to a more reliable mirror should improve things.
Change-Id: I7eef31fa9d83413a7c12134d285b3d20d95805e8
Closes-Bug: 1525505

RDO provides all of the OpenStack services, clients, libs and their
dependencies self-contained in its repositories.
We have had users that were impacted by sudden updates from EPEL
when it was enabled because EPEL provided a more up-to-date version.
Packages may also be found in both the delorean and delorean-deps
repositories. yum-plugin-priorities will ensure the right package
candidates are chosen for installation.
Change-Id: I043ec1f60381dc7f5baab5f320ed5f1edde8ae82
Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1284978
Closes-bug: #1520620

Drop root privileges for mariadb. This isn't perfect. If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.
Any container that uses sudo suffers from some extra attack vector
related to the sudo command. That said, the sudo commands are
locked down to minimize harm.
Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root

The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in. I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.
Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root

RDO does not yet provide a CI tested Mitaka repository.
As such, the current-passed-ci repository is the last tested
repository before the stable/liberty branch was cut.
To be able to test against the latest packages, we need to
use the untested repositories until the CI tested repository
is in place.
TrivialFix
Change-Id: I4a125eb3c84fa790746a9a8eca19e4fb2d9ecf38

Register with RHEL on the host machine and use yum to setup
the repos in the container.
Change-Id: I38aaf43fffaf7a235e69b330d5d9f0f1be31fe83
Backport: Liberty
Closes-Bug: #1513088

This patch uses the EL7 binary bits for percona's software instead
of EL6. To match binary ABIs, it is recommended to use the same
major version of EL for CentOS.
backport: liberty
Change-Id: I1d2b146a036806c7fd2baef97a6ed861a570d26e
Partial-Fix: #1509281

The delorean repositories no longer have a separate location for
openvswitch. Now openvswitch is located in delorean-deps.repo
and the rest of delorean master is located in the delorean.repo
file. These files can be installed for both RDO and SOURCE, but
not for RHOS. This patch uses the install_metatype to make a
determination as to when to install these two repos. In the
process, we can remove the source RPM installation.
Change-Id: Ieedddd9d7ee234b6acdb03f7043d57c18e024951
Closes-Bug: #1508326

The default timeout for Ceph GPG rpm key retrieval is 30 seconds.
In my testing, the GPG key takes approximately 50 seconds to download,
often resulting in a failure to build containers that need to retrieve
the Ceph GPG sign key. Crank up the timer to 90 seconds so the key
is more likely to be downloaded, allowing images to be built.
backport: liberty
TrivialFix
Change-Id: I7420cdf8d3b61aa9f4f52795fccbe5da3e48d57b

Ceph packages need to be installed in nova, glance, and cinder.
Once that is done, Ceph works like a champ!
Change-Id: I296da1d04d0c1bcb729f22e65e432d53d561b49c
backport: liberty
Closes-Bug: #1505549

Make openstack-base optimized for from source builds for RPM based
distributions.
backport: liberty
Change-Id: I5f1056ebc09fd55cd5d46da7a09331e38940d888
Implements: blueprint openstack-common-container