This uses the grouping feature of sudo to limit the number of times
the base sudo file has to be modified to only once. The container
contents always run as the user root, except the software which is
controlled by Kolla. This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.
Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root
The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in. I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.
Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root
RDO does not yet provide a CI tested Mitaka repository.
As such, the current-passed-ci repository is the last tested
repository before the stable/liberty branch was cut.
To be able to test against the latest packages, we need to
use the untested repositories until the CI tested repository
is in place.
TrivialFix
Change-Id: I4a125eb3c84fa790746a9a8eca19e4fb2d9ecf38
The pip install default prefix in Ubuntu is /usr/local, and Kolla tools scripts
didn't respect that. So I added a few OS checks in these scripts.
I improved the config path check in build.py. Added a more verbose error if we can't
find the config directory.
Change-Id: Ide521ed205b0dc1fc27e237a9a8f4da0168e664f
Closes-Bug: #1512302
The commands around installing docker on Centos7
in the quickstart guide needed a little tweaking
and a little spell checking.
Change-Id: Ia0367900ab9792a096f753d5fd943ffab0a005a4
build.py -b rhel -t [rdo|rhos|source|binary]
The last patch for this didn't quite fix the problem properly as
it only permitted RHOS builds.
backport: liberty
Change-Id: I27eed202560adce450c07d043cc224e7a6c6bbf6
Closes-Bug: #1513088
Use the absolute path rather than that with `..`. This will be
helpful for the end user to see where the folder/file is.
Closes-Bug: #1513726
Change-Id: I7169952d874ddf14469605444044de0163b033d3
This was conflicting with Percona-Server-devel-55 and broke centos
source build for openstack-base image.
Backport: Liberty
Change-Id: Ia2bb2106038e8e2eadb6668f4ae1ad1d95710c09
Closes-Bug: #1513711
Due to bad rebases there is a huge section of the spice patch missing
from the implementation unfortunately. This patch finishes the rest
of this patch out properly.
Change-Id: I693c6745e9594fd91eb6453f6de9dfcbd410e89c
Partially-Implements: blueprint nova-proxies
- Remove ansible-deployment documentation link, it was moved
to quickstart.
- Link to rendered documentation on docs.openstack.org instead
Change-Id: Ib97cfa23e7932c1d7012d1b36a26f32914431790
Closes-Bug: #1513582
The bootstrap must occur on the nova-api node due to binding in the
nova-api directory (same goes for all other services)
Closes-Bug: #1513439
Backport: Liberty
Change-Id: Iab88b49712828085e4d7e7f85e6d8f0b7999a9bf
The main reason for this change is to allow the DinD stuff to work. It
has limited use outside of that use case, but it may still be useful
to others in the future.
Change-Id: Ib3a4639cfb3fc0d378d33fc8b9ff8eb597f818ab
Partially-Implements: blueprint multinode-gate
Adjust all the configs to list all the rabbitmq hosts rather than
running rabbitmq through the VIP. This is made possible by clusterer
which has already merged.
Change-Id: I5db48f5f10ec68f4c8863a29bc13984f6845a4f9
Partially-Implements: blueprint rabbitmq-clusterer
In some cases we're seeing httpd not cleaning up properly after itself,
which results in the keystone container failing to restart. This is
confirmed to happen on rpm based distros, but we have not had any reports
on Ubuntu.
Change-Id: I58b006189e700f1c851601b4f64dd0fae931103c
Closes-Bug: #1489676
Co-Authored-By: Tim Potter <tpot@hpe.com>
So we can respect DRY and share as much code as possible, I have broken
out the common code between the aio and multinode gate scripts.
Additionally, this lays the groundwork for removing our policy on
root-everywhere by using sudo. Once we get the non-root stuff worked
out we can gate as a non-root user.
Change-Id: I781c597ab10f2296b95f51ae27e0fa617ffe0a66
Partially-Implements: blueprint multinode-gate
Mention `chrony` since that's what docs.openstack.org recommends for
WAN connections. It does do better than ntpd.
Change-Id: I28caade26492294bf12b092ff949003c7bf0bb8e
The Fedora code is no longer used and can be removed. Should it be needed in the
future the code is very similar to CentOS. As is, it will just become out of
date as the code is never exercised.
Change-Id: I7df832e5b0830ac8b4507f000ed8ed6e43d39463
Partially-Implements: blueprint multinode-gate
Register with RHEL on the host machine and use yum to setup
the repos in the container.
Change-Id: I38aaf43fffaf7a235e69b330d5d9f0f1be31fe83
Backport: Liberty
Closes-Bug: #1513088
We target 14.04 which has the package name 'syslinux'
>14.04 has the package name 'pxelinux'
TrivialFix
Backport: Liberty
Change-Id: Id0f4f503257d62d9ce45be5eb8f4faa766244d0a