Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
OpenStack 'zed' requires Python 3.8+ so RHEL 8 family has to go.
This changeset moves to CentOS Stream 9 while move to RockyLinux 9 is
planned as final solution.
CI moved to CentOS Stream 9 nodes.
Depends-on: https://review.opendev.org/c/openstack/kolla-ansible/+/839715
Change-Id: I113b9984294cf8663d3fc0c8840320e1d40ea731
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
We moved to CentOS Stream 8. Just no one noticed that binary target was
failing to build.
This change sorts out all failing images.
Change-Id: Ia7768caabfe214a629339d50973d0d9873fc65d5
This is a follow-up on "Refactor httpd install to base image"
[1].
It seems a copy-paste algorithm was used to craft Dockerfiles
for some httpd-enabled services which resulted in an abundance of
ldappool packages getting installed, even in the 'source' case.
This seems to have also kept ldappool at a lower version because
it did not get updated via pip later.
This patch deals with that and also moves ldap deps for Keystone
to their proper place in 'source' case (extras).
Note Keystone client gets installed in openstack-base.
Cinder does not need to include Keystone either.
[1] https://review.opendev.org/744037
Change-Id: I017d7a6a5d2b1ae6c04556dcf172453a36de5be7
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
Commit 43b74ccc15 enabled use of Python 3
based packages but not switched to use Python 3.
Some of images still contain Python 2. There are two reasons:
- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04
In Ceph situation Py3 packages were added. For second one we can not do
anything - Py2 dependency got dropped in Ubuntu 18.10 version.
Removed neutron-server-plugin-networking-infoblox due to being not
maintained. Once https://review.opendev.org/#/c/657578/ get merged
someone may revert that part.
Implements: blueprint debian-ubuntu-python3
Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026
Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
Target WSGI script not found or unable to stat:
/var/www/cgi-bin/vitrage when deploy install_type binary
Change-Id: Ia7de5db13eea21d976e919945769ac7d48bb04f7
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.
Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
Vitrage start api service under apache or uwsgi.
We have not created a migration to uwsgi.
This change adds apache packages needed for api
also add rdo binaries to rpm distros.
Adds missing collector image.
Change-Id: Iecb32e321b46f9b567af25fa6acafbe9a292bbca
Closes-Bug: #1681613
centos based images have wrong label info,
these changes fix own image's name and build-date.
Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
Use LABEL instruction instead of MAINTAINER (deprecated) instruc-
tion as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated
Closes-Bug: #1683652
Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)
Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7