68 Commits

Author SHA1 Message Date
Michal Arbet 76d78b50c0 Fix gnocchi and skyline after requirements change
Global-requirements changed upper-constraints in [1].
Because of that change skyline and gnocchi build is now failing.

This patch fixes upper-constraints for those projects.

[1] https://review.opendev.org/c/openstack/requirements/+/900435

Change-Id: I09cc2635cd422a859ccded887affb58dfbdc60ad
2024-01-23 08:44:53 +01:00
Michal Arbet 7f5a904e98 Fix openstack CADF audit maps and installation
This patch fixes missing pycadf's audit maps
for services and changes the way pycadf
is installed.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/905858

Closes-Bug: #2047941
Change-Id: I9b43d1a9990ad8aa7381ea81b0f2d692967be949
2024-01-17 11:52:20 +00:00
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00
Marcin Juszkiewicz e21aeb5ae9 flatten images a bit
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.

Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
2022-04-21 18:53:14 +00:00
Tim Shearer 1d96a2bbe1 Adjust permissions on _extend_start files.
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.

Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
2022-04-11 17:22:24 +02:00
Marcin Juszkiewicz 1749da2fbf docker: drop binary parts
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.

Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
2022-04-09 17:44:26 +02:00
Marcin Juszkiewicz 1b41f2e682 gnocchi: do not install cradox
Project description says:

/!DON’T USE IT, but use upstream python-rados, except you really can’t /!

Also installing it created errors which are silently ignored.

Change-Id: Id24458cd655aeace0e745c512aa7890b3edda51c
2021-11-02 11:04:50 +00:00
Mark Goddard c29f818696 gnocchi: add python3-rados to gnocchi-base source image
The binary images include python3-rados as a dependency, but source
images do not. This change fixes that.

Change-Id: I2c8cdfcd25856ecdcfd9f302965187b3b62376ad
Closes-Bug: #1927756
2021-05-13 09:06:21 +01:00
Marcin Juszkiewicz 9bad71d7c3 gnocchi-base: numpy provides aarch64 binary wheels
There is no need to install libraries to build Numpy as we have binary
wheel provided by numpy upstream.

Change-Id: I721001f877f6ec2f9a2e425c088a2e22177d2e5b
2021-05-08 11:03:57 +02:00
Marcin Juszkiewicz ffe08baa72 docker: do not install pip again in images
We install pip in base image so why repeat?

Change-Id: Id903880b121d87d75b7b14084b0961b9ce99deba
2021-01-25 16:43:18 +01:00
Gaël THEROND (Fl1nt) b93c40a363 Improve pip install process for offline deployment.
* "Use distribution-provided pip"
* "Use python's pip module invocation method"
* "Install pip earlier in order to avoid multiple installation"
* "Remove pip_version variable requirement and call"

Change-Id: Id0e738044a1931f9d611a7281a48ea4a593f1cf1
Closes-bug: #1893204
2020-09-17 13:50:15 +00:00
Matthias Runge 934d0b21f8 Replace cradox with rados
Gnocchi supports both, but cradox is not actively maintained.

Change-Id: I3d9547237ffa3ee02c306376f0e553fce5472e57
2020-09-06 09:04:14 +00:00
Radosław Piliszek 6319bc6f55 Remove weird deps
This is a follow-up on "Refactor httpd install to base image"
[1].

It seems a copy-paste algorithm was used to craft Dockerfiles
for some httpd-enabled services which resulted in an abundance of
ldappool packages getting installed, even in the 'source' case.
This seems to have also kept ldappool at a lower version because
it did not get updated via pip later.
This patch deals with that and also moves ldap deps for Keystone
to their proper place in 'source' case (extras).
Note Keystone client gets installed in openstack-base.

Cinder does not need to include Keystone either.

[1] https://review.opendev.org/744037

Change-Id: I017d7a6a5d2b1ae6c04556dcf172453a36de5be7
2020-08-11 19:07:09 +02:00
James Kirsch 5bdf514645 Refactor httpd install to base image
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.

Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
2020-08-10 09:51:07 +00:00
Zuul ee51c125b3 Merge "gnocchi: install missing python3-wheel package"
2020-04-15 15:50:25 +00:00
Marcin Juszkiewicz e70187c13a gnocchi: install missing python3-wheel package
When there is no cradox wheel available on pypi (for non-x86 archs) then
build fails:

Step 5/8 : RUN pip3 --no-cache-dir install --upgrade cradox     && truncate -s 0 /etc/apache2/ports.conf
 ---> Running in 3a850b4d6319
Collecting cradox
  Downloading f4790a3f5a19b700ff49e14ffa8153/cradox-2.1.2.tar.gz (44kB)
    Complete output from command python setup.py egg_info:
    WARNING: The wheel package is not available.
    WARNING: The wheel package is not available.
    ERROR: Failed to build one or more wheels

Change-Id: I519c2a59208376ae05e0a6f5fa4de303670f2674
2020-04-15 11:46:07 +00:00
Marcin Juszkiewicz 53443c5c71 Remove support for CentOS 7
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.

We also no longer have to support yum as a value for
distro_package_manager.

Partially-Implements: blueprint centos-rhel-8

Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
2020-04-15 09:32:06 +00:00
Alfredo Moralejo 0c63129682 Use StorageSIG repos for Ceph in CentOS8
Storage SIG has built Ceph Nautilus and Ganesha for CentOS8 in CentOS
Build System.

Let's switch to use them in kolla.

Change-Id: Id37dca84c4eb918aaf2d3c036ef5387fe75988dd
2020-03-03 16:31:53 +05:30
Christian Berendt 861f55fbfd Add block labels to all Dockerfiles
Change-Id: I9692dda817ef134d647247431565e1b58cf9da41
2020-03-01 17:25:58 +00:00
Mark Goddard 1fe8012ce2 Actually disable EPEL, and epel-modular
The disable_extra_repos macro accepts a list as its only argument. We
were calling it like this to disable EPEL:

disable_extra_repos('epel')

The macro interpreted this as a request to disable three repos, e, p, l.
Thanks Python! Type validation to be improved separately.

Additionally, on CentOS 8 the EPEL repository was not included in the
repository mapping file, repos.yaml. There is also another EPEL
repository on CentOS 8, epel-modular, which is enabled by default after
installing epel-release.

This change adds mappings for epel and epel-modular repos to repos.yaml,
and fixes the disabling of epel in the base image, as well as disabling
epel-modular.

There are some cases where EPEL is still used (it seemed a bit too
easy...), and the repository has been enabled for these images:

* bifrost-base (nginx)
* ironic-conductor (C7 only, shellinabox)
* freezer-base (C7 only, trickle)
* gnocchi-base (C8 binary only, python3-boto3)
* mariadb (pv)
* mongodb (C7 only, mongodb)
* nova-spicehtml5proxy (C7 only, spice-html5)
* telegraf (C7 only, python2-pip)

A few other things were changed:

* ironic-conductor does not require the ceph repo
* python3-pika is no longer installed in the openstack-base image

Related: blueprint remove-epel

Change-Id: I3761825239dfc462072383cde6276c4fb3e1bf12
2020-02-26 13:46:04 +00:00
Michal Nasiadka 70423f1959 CentOS 8: Use upstream Ceph/master
The only Ceph version that will support CentOS 8 is Octopus.
It will be released end of March 2020 - so for now let's use master.

Change-Id: I5955acb41e7346802d76f4f2b244cbf5c36f5bf2
Partially-Implements: blueprint centos-rhel-8
2020-01-30 10:35:50 +00:00
Marcin Juszkiewicz cf11cd6f3d Enable repos only when needed
Disable external repositories by default and enable only when needed.

Depends-on: https://review.opendev.org/696480

Implements: blueprint repos-off-by-default

Change-Id: Icf2a8397a8349e0fe849d88d160409fd234480a9
2019-11-29 11:38:06 +01:00
Marcin Juszkiewicz d436001b43 Debian/Ubuntu: move to Python 3 for source images
Commit 43b74ccc15 enabled use of Python 3
based packages but did not switch to use Python 3.

Some of the images still contain Python 2. There are two reasons:

- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04

In the Ceph situation, Py3 packages were added. For the second one we cannot do
anything - the Py2 dependency got dropped in the Ubuntu 18.10 version.

Removed neutron-server-plugin-networking-infoblox due to it not being
maintained. Once https://review.opendev.org/#/c/657578/ gets merged
someone may revert that part.

Implements: blueprint debian-ubuntu-python3

Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026

Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
2019-06-06 11:59:03 +01:00
Cyril Grosjean 0c732805b1 Add boto3 python dependencies into gnocchi-base image
Adding boto3 python library into gnocchi-base image

Change-Id: I22119f570172ca93de0587dc3892d8b8de86d525
Closes-bug: #1821580
2019-03-27 11:44:05 +01:00
Alex Schultz 3e5d8e2653 Add python3 packages for RHEL systems
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems.  This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names.  This change only adds python3
package names for RHEL systems.

Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
2019-03-12 17:48:18 +00:00
Marcin Juszkiewicz 43b74ccc15 debian/ubuntu: make use of Python3 based packages
Both Ubuntu Stein UCA and Debian 'buster' migrated their OpenStack
packages to Python 3.

Note that Debian 'buster' is not released yet and contains Rocky
packages. Stein ones will be available later.

Co-Authored-By: Lee Yarwood <lyarwood@redhat.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>

Change-Id: I160f79cc57f54ec3eac857c5babd1a6e2656d228
2019-02-28 13:06:24 +01:00
Jon Schlueter 1d208580b1 gnocchi rpm naming cleanup
During the Queens cycle the gnocchi project was
moved out of openstack and so naming changed from
openstack-gnocchi-XXX to gnocchi-XXX

January 2018 - https://review.rdoproject.org/r/#/c/11110/

Also openstack-gnocchi-indexer-sqlalchemy was moved to gnocchi-common

2017 - https://review.rdoproject.org/r/#/c/10449/

Change-Id: I511c248bd009d03cad6811c576dd91a7bb29e203
2019-02-19 08:39:40 +00:00
Alex Schultz ae1322ec10 Use base_package_type
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.

Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
2019-01-17 08:23:41 -07:00
Martin André 5951977eab Stop using deprecated rpm package names
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.

Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
2018-07-10 16:32:18 +02:00
Farid Da Encarnacao 24f1714a16 Fix Gnocchi support ceph
Based on gnocchi issue #412 [0], cradox is more stable and recommended
to use.

* Add cradox for source and RHEL family distro binary.
* Ubuntu binary lacks a cradox package, so install from pypi

[0] https://github.com/gnocchixyz/gnocchi/issues/412

Co-Authored-By: Jeffrey Zhang <zhang.lei.fly@gmail.com>
Change-Id: Icf7d6425884fb889d48c786caebbfc7b7050ae8e
Closes-Bug: #1718701
2017-11-28 09:54:15 +08:00
Marcin Juszkiewicz 857ca7033f gnocchi: take care of centos/source on non-x86
As for Debian we need to install blas/lapack devel headers to build
scipy.

Change-Id: I2e0257072192bae6b689d549df12a05196ff7698
Partially-Implements: blueprint multiarch-and-arm64-containers
2017-05-26 12:12:35 +02:00
Jawon Choo 31259fa595 Override image's meta info.
CentOS-based images have wrong label info;
these changes fix the image's own name and build-date.

Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
2017-05-03 11:08:17 +09:00
Chen 8c463a47a9 Use LABEL instead of MAINTAINER (deprecated) in all Dockerfile.j2
Use LABEL instruction instead of MAINTAINER (deprecated) instruction
as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated

Closes-Bug: #1683652

Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
2017-04-20 16:50:05 +09:00
Jenkins a6b69d6dff Merge "gnocchi-base: add some devel packages for non-x86" 2017-04-10 16:48:30 +00:00
Marcin Juszkiewicz 7fd8f8a4c0 gnocchi-base: add some devel packages for non-x86
On x86_64 pip is fetching precompiled 'scipy' package. On other
architectures we need to build it. For that we need some more
development packages.

Partially-Implements: blueprint multiarch-and-arm64-containers

Change-Id: I173f8daf1aa0aeb1683db08c50b79a0c39f9dc64
2017-04-06 09:44:02 +02:00
Marcin Juszkiewicz 69fef5cd59 debian: enable all images enabled for Ubuntu
Debian support is not maintained in Kolla so it got a bit behind Ubuntu
one. This changeset enables Debian for all images. Jessie (even with
backports) may be too old for some images though.

Also unify distro check to ['debian', 'ubuntu'] to keep alphabetical order
like it is done for RPM distributions.

Partially-Implements: blueprint multiarch-and-arm64-containers

Change-Id: I056233fbfa277e0e2360c07c3f80d9558c554357
2017-04-04 22:48:18 +02:00
Eduardo Gonzalez 623e54da37 Alphabetize packages
Some images have packages sorted alphabetically and some not.
Unify common style between all images.

Change-Id: I906ed89c10b12886665618752f525ba71d83d991
2017-03-28 16:45:16 +01:00
Juan Antonio Osorio Robles 9df58642c6 RHEL: Add mod_ssl for services running over httpd
This apache module is necessary for when one wants to use TLS for the
services running over httpd.

This only addressed RHEL based systems at the moment, since there is no
such package available for Ubuntu. This requires apache2.2-common which
will carry a lot more dependencies, so I think this should be handled
and decided in a separate patch.

When installing mod_ssl in RHEL-based distributions, an ssl.conf file is
installed in the /etc/httpd/conf.d directory. This file tells httpd to
listen on port 443; however, we don't want to do this by default, since
this should be explicitly enabled by the container's configuration. This
line is thus removed from the configuration.

A release note was added, which specifies this. And the last sentence
can be removed if this is addressed for debian/ubuntu as well.

Related-Bug: #1675490
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Id6215d31547247309d43c031e163fa9e4c4ec5dc
2017-03-27 14:52:45 +03:00
Chao Guo 961224c6cf Use install-pip macro in most source images
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)

Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7
2017-02-17 08:49:32 -03:00
zhubingbing 1493f48753 Fix gnocchi dockerfile
* remove /var/log/gnocchi
* move gnocchiclient to openstack-base
* remove /var/lib/gnocchi because it is created by the macro

Change-Id: I4e06991dd7ca45b4c705b0e4be6e22ba1667e861
2017-01-18 16:16:14 +00:00
Sam Yaple 58eee09c15 use static uid/gid in images
This centralizes all user and group creation into a single source. This
will fix any current and future uid/gid mismatches (such as with
nova-libvirt).

In the process, we also unify users between the distros in a standard
way. The users in the following containers change from their defaults:

Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions

All uid and gid numbers are customizable via kolla-build.conf

Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid
2017-01-17 09:02:21 -03:00
Eduardo Gonzalez eb1a75fb7f Fix gnocchi gate error
Gnocchi team removed etc/gnocchi folder in favor of
a custom command calling oslo-config-generator [0]

[0] https://review.openstack.org/#/c/419064/

Change-Id: I250f3bec7c1bba0018acc6251c54e0026b1dcae8
2017-01-13 13:30:30 +00:00
Christian Berendt 5cd30d4914 Remove Fedora support
Closes-bug: #1616387
Change-Id: Id97f88b9baa3d48d33ce120962450a374282d044
2016-11-03 10:50:22 +01:00
Jeffrey Zhang 96318fed5a Integrate gnocchi with ceph
Gnocchi previously lacked high availability. We consider a lack of HA
in a vast majority of our operator oriented services to be a defective
design choice. This change integrates gnocchi with ceph to resolve the
lack of HA.

Closes-Bug: #1626623
Change-Id: I71c5137842cb48bc4af0e50a2952df5631d0d6df
2016-09-29 12:13:04 +00:00
Jeffrey Zhang 89d38770ce Fix error in Gnocchi service
* mount gnocchi volume for gnocchi-api and gnocchi-statsd
* fix the failure of gnocchi-api
* use gnocchi user when running gnocchi-upgrade
* use the app.wsgi file in python path directly, rather than copy it to
  /var/www/cgi-bin/gnocchi/app file

TrivialFix

Change-Id: Ie026b8f44cd8e9703bf115cebb4e2d50b114a3a2
2016-09-29 12:06:15 +00:00
Jeffrey Zhang a05a50e217 Install extra packages for gnocchi using setuptools extra feature
Change-Id: Id702e5e79958a764d827703e996927b161fb379e
Closes-Bug: #1625212
2016-09-19 22:20:16 +08:00
Paul Bourke b41247c656 Add header blocks to all Dockerfiles
Change needed to add header blocks to all Dockerfiles, similar to the
base.

Use case is to easily run something before packages are installed, e.g.
to COPY a local rpm in that can be added to the package list.

Change-Id: I1bbfdf0b762da0a392aa8bf47781315b45377bee
Closes-Bug: 1618969
2016-09-13 16:53:31 +01:00
zhubingbing 55b184a865 repair gnocchi dockerfile
1. Add the missing packages in the gnocchi image
   packages: lz4 sqlalchemy_utils gnocchiclient

2. gnocchi config path is wrong
   gnocchi config path is /gnocchi/etc/gnocchi

3. gnocchi sync db command is wrong
   sync db command is: gnocchi-upgrade
   Reference link: http://docs.openstack.org/developer/gnocchi/install.html

4. gnocchi log directory is /var/log/kolla/gnocchi

5. Add gnocchi-api running as a mod_wsgi
   Reference link: http://docs.openstack.org/developer/gnocchi/running.html

6. Add gnocchi sudoers file

Closes-Bug: #1607332

Change-Id: Id3aded82706ffd204373c97a020980d0d9b72663
2016-09-01 08:55:18 +00:00
Christian Berendt 598b71876a Add missing \n at end of file
TrivialFix

Change-Id: If5221d695bf966b4de57b4f3f7bfe1eeeb4199ff
2016-08-23 23:45:27 +02:00
Shaun Smekel a9d08726f5 Handle empty package list for install_packages
Currently if the install_packages macro is run with an empty
package list, it will add a yum or apt-get command with no
packages listed.

This bug fix aims to omit this line when no packages have
been given, or, the operator wants to use the "_override" /
"_remove" functionality to disable all packages being
installed in a Dockerfile.

Co-Authored-By: Paul Bourke <paul.bourke@oracle.com>
Change-Id: Ifaaaebfccc3adb0f2f68a35ac08e59378bc87fdb
Closes-bug: 1612446
2016-08-19 10:49:03 +00:00