Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
We have been configuring neutron to use /etc/neutron/api-paste.ini for
more than a month now. Remove this file from its old location before
Xena is released. Stop creating /usr/share/neutron which is now unused.
Change-Id: Ic90cd8e3065fa629d5ad67abaf7c193fd845259a
CentOS binary packages for Xena have moved Neutron's api-paste.ini file
to /etc/neutron [1]. Make this file available at the old location [2]
for compatiblity with kolla-ansible, until the configuration is modified
to use the new location.
[1] https://review.rdoproject.org/r/c/openstack/neutron-distgit/+/34845
[2] /usr/share/neutron/api-paste.ini
Change-Id: I2295884ef3b4c3bf4b087599322b0c5761e7b775
With RDO use we did not disabled some repositories. This patch disable
them and enable where needed.
Change-Id: Ia9d537fe9c1ad54789d2bfb4027254fbb3defe7e
python-vmware-nsx is not installed anywhere, we don't need the FIXED message
thi PS to clean it up
Change-Id: I1b05c03002e142c7b0f26808ad423b569140a7bc
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
* Some further changes for python2 vs python3 packages
* Allow rabbitmq 3.7.*, since a newer erlang is available
* Switch from qemu-img-ev to qemu-img on CentOS 8
* bridge-utils no longer available on CentOS 8
* libvirt-daemon-driver-lxc no longer available on CentOS 8
* Mark some more images buildable for CentOS 8
Change-Id: Iaf5b68ff6d944ae730ca0b1d5832172c106a6c08
Partially-Implements: blueprint centos-rhel-8
Partially-Implements: blueprint centos-rhel-python-3
When [1] was committed, neutron stopped building for Train.
Analogous patch is proposed to other stable branches.
This patch removes neutron from upper-constraints.
Kolla master is affected directly because we build Train
for CentOS 7 atm.
1. https://review.opendev.org/#/c/697370/
Change-Id: I944e8e42fef1d359d767cbc6e1c13371ed753f31
Currently neutron-server-ovn container does not run db setup for networking-ovn
subproject when bootstrapping - since it uses extend_start from
neutron-server (where networking-ovn is not installed).
Since OVN is being added as in-tree driver to Neutron and there is no
rationale behind supporting separate container images for neutron-server-ovn
and neutron-metadata-agent-ovn, hile networking-ovn driver uses around 1-2MB
of space - this change adds networking-ovn installation to neutron-base image
and deprecates neutron-server-ovn and neutron-metadata-agent-ovn images.
Change-Id: Ib2dbdd7e7d34f56985b7a5b2494c3b89034688cb
The package is required for infiniband deployment to be installed
on containers: neutron-server, neutron-dhcp-agent and neutron-l3-agent.
Change-Id: I017b65c2032648fa0ac7126d4a06cd98cb7c33a0
Commit 109706aa8b bumped 'system' users
beyond range used by Kolla. So Debian/Ubuntu does not complain that
system users created by packages exist already on package install.
Change-Id: I9bf4b240839d46088ac668f26cf065dd5e3775c2
backport: Stein
During the switch to Stein UCA, we did not switch all packages to python
3 for Debian/Ubuntu binary images. This change switches some more of
those packages.
Change-Id: I0bff21384d88ea678608392de2db1ba418c96665
Co-Authored-By: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Commit 43b74ccc15 enabled use of Python 3
based packages but not switched to use Python 3.
Some of images still contain Python 2. There are two reasons:
- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04
In Ceph situation Py3 packages were added. For second one we can not do
anything - Py2 dependency got dropped in Ubuntu 18.10 version.
Removed neutron-server-plugin-networking-infoblox due to being not
maintained. Once https://review.opendev.org/#/c/657578/ get merged
someone may revert that part.
Implements: blueprint debian-ubuntu-python3
Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026
Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
This package provides e.g. arping tool which is used by Neutron
services.
On e.g. RHEL7 it was probably installed as some dependency to other
package but on RHEL8 it's missing which cause some errors e.g.
in neutron_l3_agent container.
Change-Id: I9c087164f32cb8a69d2155bc68b6f62233ad58c6
Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1713321
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
Both Ubuntu Stein UCA and Debian 'buster' migrated their OpenStack
packages to Python 3.
Note that Debian 'buster' is not released yet and contains Rocky
packages. Stein ones will be available later.
Co-Authored-By: Lee Yarwood <lyarwood@redhat.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>
Change-Id: I160f79cc57f54ec3eac857c5babd1a6e2656d228
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
Use [ instead of [[.
This will solve the following issue:
Change-Id: I1153a5146ca8b08dd1ad732b60d8d4bce8e060ab
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:/bin/sh: 1: [[: not found
INFO:kolla.common.utils.neutron-base:
1. openstack-dashboard package already configured the folders as
expected.
2. UCA is not include python-vmware-nsx 13.0.0 package now.
Change-Id: I7cb0c4d3d872333dadd2eecd7071e8f08c21a44d
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.
Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
Neutron and Cinder base images doesn't include the necessary
vmware libs. If we enable vmware nsx (nsxv or dvs) we need those
libraries to be available.
Closes-Bug: #1730662
Change-Id: I94005728fbce8320d7cf9d3b746978d8c7634ed5
neutron-netns-cleanup script requires netstat command which is provided
by net-tools package.
Change-Id: Ic9417d2eb03e0dd93f7c668b189b4ad9c72eae0f
Closes-Bug: #1703078
Neutron-server and openvswitch-agent images consume sfc plugin
code to run sfc services.
This change adds db sync for sfc plugin.
Also move sfc code into neutron-base so other services
can make use of the plugin.
Change-Id: I60ba1333231a4ae38a041d41e551f7d74fe15e3b
Closes-Bug: #1664493
Michal Arbet