The drop root change for Glance highlighted the fact that we were
binding volumes from glance_data into the wrong container - it was
glance_registry whereas it should be glance_api. This would result in
all images being lost if the glance_api container happens to restart.
Also, we need a sudoers file to chown the file backend dir to the glance
user.
Change-Id: If04337045bb94b3126e48d1f5bf0ea29e20373ae
Closes-Bug: #1516729
The USER operation affects all docker commands after it. This causes a
problem with our {{ include_footer }} implementation since commands in
that footer may require elevated permissions to perform.
In the current implementation I can no longer remove my proxy settings
once the USER has been changed.
Change-Id: I9b2bab5a15f595f6d52a46c64ddf59ba5608b938
Partially-Implements: blueprint drop-root
This uses the grouping feature of sudo to limit the amount of times
the base sudo file has to be modified to only once. The container
contents always runs as the user root, except the software which is
controlled by Kolla. This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.
Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root
Long story short, some kernels before 3.15 had an issue with using su
in a container when the network namespace was --net=host. The gate
has a 3.10 and a 3.13 kernel and has a problem with this. This changes
everything to use sudo
backport: liberty
Partially-Implements: blueprint functional-testing-gate
Change-Id: I4d79ccaa1cddffcc8393f64e7e1be2538efe33e5
The majority of the start.sh code is identical. This removes that
duplicate code while still maintaining the ability to call code in a
specific container.
The start.sh is moved into /usr/local/bin/kolla_start in the container
The extend_start.sh script is called by the kolla_start script at the
location /usr/local/bin/kolla_extend_start . It always exists because
we create a noop kolla_extend_start in the base directory. We override
it with extend_start.sh in a specific image should we need to.
Of note, the neutron-agents container is exempt from this new
structure due to it being a fat container.
Additionally, we fix the inconsistent permissions throughout. 644 for
repo files and the scripts are set to 755 via a Docker RUN command to
ensure someones local perm change won't break upstream containers.
Change-Id: I7da8d19965463ad30ee522a71183e3f092e0d6ad
Closes-Bug: #1501295
This prepares for the RHEL OSP implementation by making the build
tool convert all binary-* into an install_type of binary and * into
an install_metatype variable substitution inside the Dockerfiles.
Further binary-* is substituted as install_name to enable proper
building only.
Change-Id: Ib681b29176eb79a3cab12ec824313fdecb6e7a5f
Partially-Implements: blueprint rhel-based-image-support
I removed the files but not the COPY commands thus breaking all of
Kolla
Change-Id: I37d3e0cb94a1ecc12971f485f953310ba8fee53c
Partially-Implements: blueprint replace-config-external
Removes config-external for all services that have been replaced in
Ansible
Change-Id: I839a14418638b977fbc1d02ba6839811b0f909ea
Partially-Implements: blueprint replace-config-external
Updated build.py to reflect this change.
Deprecate --template option and make it a noop.
Change-Id: I7cd98d1ee684a4c64984a49597159868152683b2
Partially-Implements: blueprint remove-docker-dir
As a restructure, nothing is changed from the original behaviour and
naming despite the file structure changing. The symlinks to build had
to be updated generating lots of "deleted" and "new_file".
The new structure is:
docker/${base_distro}/${type}/${container}
base_distro == centos, ubuntu, fedora, etc
type == source, binary, rdo
type rdo is a symlink to binary for backwards compatibility
Two new flags are added to the build-all script to support the ability
to support different base distros and a flag to support binary or source
containers.
There are several added folders that are empty to hold the directory
structure for future containers of these types.
To use a prefix other than centos-rdo- you can set PREFIX in the toplevel
directory .buildconf file
Change-Id: Ifc7bac0d827470f506c8b5c004a833da9ce13b90
This represents making build-docker-images --release build
with the icehouse tag and causes docker-compsoe to pull from
the icehouse tag.
Partially-implements: blueprint port-kilo
Change-Id: I66b2c39abc55c0f47152dd90e696fc46b9c58f50
For some reason glance sometimes fails to permanently find keystone
while other services do find keystone. The host also has full access
to keystone. Change wait_for to fail_unless.
This could be a docker bug, a wait_for bug, or some other problem.
Change-Id: I02d611d65b7ffddb9c27101fd60e2a8b7cc25658
Rely on the the `check_for_*` functions and remove redundant
`fail_unless_*` calls.
Also change `wait_for` to exit when it is missing a required argument.
Change-Id: I90c4545691d53185556e2838303ac3df0afaf9fa
In order for the `check_for_*` functions to be consumed by `wait_for`,
they should notify of their success but not exit.
As a consequence, the previous behavior is restored by the fail_unless_*
companion functions.
With this change, it is now possible to do:
wait_for 30 1 check_for_os_service_running keystone
Change-Id: I16ddf8913027030c3ccb5487713d172904508fd6
This affects both fedora and the centos base images.
Wait_for will be intregrated into kolla-common.
Co-authored by: Charles Crouch <charcrou@cisco.com>
Change-Id: Ide2304b787d4c3bf6fb3949f09e2cf1f450c2173
This patch overlaps a little bit with https://review.openstack.org/#/c/162358/.
There were some additional glance config that needs to be added to run without
kubernetes.
Co-authored by: Charles Crouch (charcrou@cisco.com)
Change-Id: I1aab2f6e4a80aaf1e6c4b7fe330bcf9a7740fdc6
By changing the PREFIX variable in the .buildconf one is now able to
build docker images from different bases.
For example, add the following line to your .buildconf file to build
CentOS based images:
PREFIX=centos-rdo-
Default base image is Fedora. For now only RH family is supported.
Additionally, changing the namespace either with the NAMESPACE variable
in .buildconf or via --namespace commandline option now changes the
source namespace as well from the default kollaglue one.
Implements: blueprint multi-baseos
Co-Authored-By: Steven Dake <stdake@cisco.com>
Change-Id: I3964cd2292789ea883a1f2d2738a5731a4fff49b
add /check.sh to keystone and glance-api images that can be used to
verify proper functionality of the container.
Change-Id: I0a878678fb8e9427d8e99af4896cbc679d3490a4
- update keystone endpoints/user on boot (to avoid problems caused by,
e.g., a stale password or invalid endpoint urls)
- require GLANCE_DB_PASSWORD and GLANCE_KEYSTONE_PASSWORD in the
environment, since we start multiple containers
Change-Id: I31214b81280ed34409f92e79003c1116d5737d2e
- glance was using wrong var name for admin_password
- also missing "\" in several places, breaking multi-line crudini
commands.
- glance was using wrong tenant name
- in the registry container, glance-manage appears to reference
glance-api.conf
- the glance.json config file was not spawning a registry container
Change-Id: I280d1db3ed576988f2bf29ea665e1922a37f8752
This patch replaces the collection of individual "build" scripts with a
single script (tools/build-docker-image), made available as "build"
inside each image directory.
The build-docker-image script will, by default, build images tagged with
the current commit id in order to prevent developers from accidentally
stepping on each other or on release images.
Documentation in docs/image-building.md describes the script in more
detail.
Change-Id: I444d5c2256a85223f8750a0904cb4b07f18ab67f
Previously images were based from RHEL OSP + RDO Icehouse. This presents
a problem in that internal urls are used to access the rhel7 repositories.
For new contributors, we need something that can be accessed without special
rhel7 permissions.
mariadb and rabbitmq can from fedora
cinder, glance, keystone can from fedora-rdo-base
This patch also uses the RDO repositories from upstream. This patch also
udpates the base fedora image with latest bits.