Commit Graph

40 Commits

Author SHA1 Message Date
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow running arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00
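The weakness this commit closes is easy to re-check on a built image: if the account a service runs as can write `rootwrap.conf` or any file in `rootwrap.d/`, it can whitelist additional commands to run as root, so the config must be root-owned and not group- or world-writable. The shell audit below is an added example written for this page, not kolla's own code and not the content of the change. It assumes the usual `/etc/<service>/rootwrap.conf` plus `rootwrap.d/*.filters` layout and that root should own those files; the demo builds a constructed copy under a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not kolla code. Audits rootwrap/privsep configuration
# for the weakness described above: a service account that can write
# rootwrap.conf or any *.filters file can add commands to run as root.
# The layout and the expected owner are assumptions.

# check_rootwrap_readonly DIR [OWNER]
# Returns 0 when everything under DIR is owned by OWNER (default root)
# and has no group/other write bit; 1 when something is writable or
# wrongly owned (offenders listed on stderr); 2 when DIR is missing.
check_rootwrap_readonly() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "check_rootwrap_readonly: no such directory: $dir" >&2; return 2; }
    # Two findings matter: anything not owned by OWNER, and anything with
    # a group or other write bit (mode & 022). Directories count too: a
    # writable rootwrap.d lets an attacker drop a brand new .filters file
    # without touching the existing ones.
    bad=$( { find "$dir" ! -user "$owner"; find "$dir" -perm /022; } | sort -u )
    if [ -n "$bad" ]; then
        printf 'writable or wrongly owned rootwrap/privsep config under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# make_sample_rootwrap DIR
# Builds a constructed rootwrap layout under DIR for the demo and tests;
# the contents are placeholders, not a real service's filters.
make_sample_rootwrap() {
    mkdir -p "$1/rootwrap.d"
    printf '[DEFAULT]\nfilters_path=/etc/service/rootwrap.d\n' > "$1/rootwrap.conf"
    printf '[Filters]\n# constructed sample filter file\n' > "$1/rootwrap.d/service.filters"
    chmod 0755 "$1/rootwrap.d"
    chmod 0644 "$1/rootwrap.conf" "$1/rootwrap.d/service.filters"
}

# Stand-alone demo on a constructed layout. The current user stands in
# for root as expected owner so the demo also works outside a container.
demo_dir=$(mktemp -d)
make_sample_rootwrap "$demo_dir"
if check_rootwrap_readonly "$demo_dir" "$(id -un)"; then
    echo "hardened layout: ok"
fi
chmod 0664 "$demo_dir/rootwrap.d/service.filters"   # simulate the old, weak image
if ! check_rootwrap_readonly "$demo_dir" "$(id -un)"; then
    echo "group-writable filters file: flagged"
fi
rm -rf "$demo_dir"
```

Inside a real image you would run `check_rootwrap_readonly /etc/<service>` with the default owner of root; a non-zero return in an image test job is the signal that the hardening regressed. The check deliberately does not try to prove that the service also allows arbitrary commands through rootwrap, which the commit message notes is the second condition for an actual escalation; it only removes the first.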
Marcin Juszkiewicz 016c5ed30c adjust permissions on _extend_start files (part II)
Tim Shearer started it in 1d96a2bbe1.

Since all extend_start files are sourced rather than executed, the executable
bits are now cleared throughout the project.

Change-Id: Ia1797c32fc6a35f9f077c673abf4d8e16e51a760
2022-04-22 11:34:55 +02:00
Marcin Juszkiewicz e21aeb5ae9 flatten images a bit
As we have one type of images now, some RUN calls could be merged so we
will have fewer layers in the resulting images.

Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
2022-04-21 18:53:14 +00:00
Tim Shearer 1d96a2bbe1 Adjust permissions on _extend_start files.
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.

Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
2022-04-11 17:22:24 +02:00
Marcin Juszkiewicz 1749da2fbf docker: drop binary parts
Big patch drops all mentions of binary images support. Suggestions are
welcome on how to split it into parts or handle it better.

Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
2022-04-09 17:44:26 +02:00
Radosław Piliszek 6b203efde7 Clean MariaDB/MySQL
We are just overinstalling these.
PyMySQL is enough nowadays.

Change-Id: I074d9d13f52c208c0f3d92ea060b3b9abb6a6b9e
2021-10-02 17:41:33 +00:00
James Kirsch 5bdf514645 Refactor httpd install to base image
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.

Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
2020-08-10 09:51:07 +00:00
Marcin Juszkiewicz 53443c5c71 Remove support for CentOS 7
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.

We also no longer have to support yum as a value for
distro_package_manager.

Partially-Implements: blueprint centos-rhel-8

Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
2020-04-15 09:32:06 +00:00
Christian Berendt 861f55fbfd Add block labels to all Dockerfiles
Change-Id: I9692dda817ef134d647247431565e1b58cf9da41
2020-03-01 17:25:58 +00:00
Mark Goddard 8484190e77 Refactor Apache httpd setup
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.

Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.

Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
2019-12-11 11:38:46 +00:00
Dincer Celik 823e45a6c9 Fix python3 compatibility for barbican
Barbican refers to python3 but uwsgi refers to python2. This change
fixes this issue.

Change-Id: I508bb082a319955b3e008235e158eaa07a1e8a74
Closes-Bug: #1849128
2019-10-21 18:57:53 +03:00
Marcin Juszkiewicz 932f09bcd6 create missing apache2 directory on Debian/Ubuntu
Ubuntu/source deployment of several images (horizon, placement-api, zun)
failed with:

+ exec /usr/sbin/apache2 -DFOREGROUND
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot

Change-Id: Ie2a1077f7def0743f1403341985e2109aa490026
2019-06-03 15:11:24 +02:00
Alex Schultz 3e5d8e2653 Add python3 packages for RHEL systems
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems.  This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names.  This change only adds python3
package names for RHEL systems.

Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
2019-03-12 17:48:18 +00:00
Marcin Juszkiewicz 43b74ccc15 debian/ubuntu: make use of Python3 based packages
Both Ubuntu Stein UCA and Debian 'buster' migrated their OpenStack
packages to Python 3.

Note that Debian 'buster' is not released yet and contains Rocky
packages. Stein ones will be available later.

Co-Authored-By: Lee Yarwood <lyarwood@redhat.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>

Change-Id: I160f79cc57f54ec3eac857c5babd1a6e2656d228
2019-02-28 13:06:24 +01:00
Alex Schultz ae1322ec10 Use base_package_type
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.

Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
2019-01-17 08:23:41 -07:00
Douglas Mendizábal e261e89192 Add nfast group to barbican images
The nfast group is needed to configure barbican to use Thales HSM
devices with the PKCS#11 plugin.

Change-Id: I3de8ca07a34ae63eb91fc8d83bb0676425295cbc
2018-12-18 16:55:29 -06:00
Eduardo Gonzalez 32beb0a642 Required changes for mariadb 10.3
Mysql-python is a deprecated package and fails to build currently.
Make use of mysqlclient, as it is a fork of mysql-python with many bug
fixes and python3 support.
percona xtrabackup doesn't work with mariadb 10.3,
so it is replaced by the mariadb-backup tool.
https://jira.mariadb.org/browse/MDEV-15774

Change-Id: Icefe3a77fb12d57c869521000d458e3f58435374
2018-12-11 19:31:24 +00:00
Juan Antonio Osorio Robles fd0af55cb1 Add httpd to the Barbican API image
We are running barbican over httpd in TripleO, and would like to
continue doing so when using containerized barbican. Thus, we need this
package in the image as well.

Change-Id: I7001855cffeed264cb45305e2aa6fac139ea05c9
2017-07-31 16:44:59 +03:00
Jawon Choo 31259fa595 Override image's meta info.
CentOS-based images have wrong label info;
these changes fix each image's own name and build-date.

Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
2017-05-03 11:08:17 +09:00
Chen 8c463a47a9 Use LABEL instead of MAINTAINER (deprecated) in all Dockerfile.j2
Use LABEL instruction instead of MAINTAINER (deprecated) instruction
as suggested by Docker's official Dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated

Closes-Bug: #1683652

Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
2017-04-20 16:50:05 +09:00
Marcin Juszkiewicz 69fef5cd59 debian: enable all images enabled for Ubuntu
Debian support is not maintained in Kolla so it got a bit behind the
Ubuntu one. This changeset enables Debian for all images. Jessie (even
with backports) may be too old for some images though.

Also unify distro check to ['debian', 'ubuntu'] to keep alphabetical order
like it is done for RPM distributions.

Partially-Implements: blueprint multiarch-and-arm64-containers

Change-Id: I056233fbfa277e0e2360c07c3f80d9558c554357
2017-04-04 22:48:18 +02:00
Eduardo Gonzalez 623e54da37 Alphabetize packages
Some images have packages sorted alphabetically and some not.
Unify common style between all images.

Change-Id: I906ed89c10b12886665618752f525ba71d83d991
2017-03-28 16:45:16 +01:00
Jenkins 213a585ee6 Merge "Use install-pip macro in most source images" 2017-02-20 18:22:41 +00:00
Magnus Lööf df2e5d5e23 Install uwsgi in Centos binary
Installs `uwsgi-plugin-python` and dependencies in `barbican-api` image.

This will resolve problems bootstrapping barbican-api with binary Centos
images which otherwise fail to start due to:

```
Running command: 'uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log'
/usr/local/bin/kolla_start: line 24: exec: uwsgi: not found
```

Tested with:

```
docker run --rm -ti --entrypoint=/bin/bash \
    kolla/centos-binary-barbican-api:3.0.3
$ uwsgi

*** Starting uWSGI 2.0.14 (64bit) on [Sat Feb 18 09:32:12 2017] ***
compiled with version: 4.8.5 20150623 (Red Hat 4.8.5-11) on 13 January 2017 23:06:53
os: Linux-4.9.4-moby #1 SMP Wed Jan 18 17:04:43 UTC 2017
nodename: b9063757e276
machine: x86_64
clock source: unix
pcre jit disabled

...
```

Closes-Bug: 1634010
Signed-off-by: Magnus Lööf <magnus.loof@basalt.se>
Change-Id: I77613bbeb19d89e6a25e52f24f3275d309ceb032
2017-02-19 14:29:19 +01:00
Chao Guo 961224c6cf Use install-pip macro in most source images
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)

Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7
2017-02-17 08:49:32 -03:00
zhubingbing d0bf1404dc Fix barbican dockerfile
remove avoid /var/log/barbican

Change-Id: I07fb4551c7497102e291b658efeba38109e91253
2017-01-18 03:35:55 +00:00
Sam Yaple 58eee09c15 use static uid/gid in images
This centralizes all user and group creation into a single source. This
will fix any current and future uid/gid mismatches (such as with
nova-libvirt).

In the process, we also unify users between the distros in a standard
way. The users in the following containers change from their defaults:

Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions

All uid and gid numbers are customizable via kolla-build.conf

Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid
2017-01-17 09:02:21 -03:00
Christian Berendt 5cd30d4914 Remove Fedora support
Closes-bug: #1616387
Change-Id: Id97f88b9baa3d48d33ce120962450a374282d044
2016-11-03 10:50:22 +01:00
liyingjun bf62341ced Add missing uwsgi for barbican-api Dockerfile
uwsgi is not installed for barbican-api in ubuntu.

Change-Id: Ibaaf7eb9dfae2f88a5a2d9c3b4983d403e52c932
Closes-bug: #1632170
2016-10-11 16:38:06 +08:00
Paul Bourke b41247c656 Add header blocks to all Dockerfiles
Change needed to add header blocks to all Dockerfiles, similar to the
base.

Use case is to easily run something before packages are installed, e.g.
to COPY a local rpm in that can be added to the package list.

Change-Id: I1bbfdf0b762da0a392aa8bf47781315b45377bee
Closes-Bug: 1618969
2016-09-13 16:53:31 +01:00
zhubingbing 97ca36ca06 Add Barbican container dockerfile
Partially-Implements: blueprint barbican-container

Change-Id: I2c4d5df1b35be95f75413067efacc0b401e7ce08
2016-09-05 10:18:01 +00:00
Sam Yaple 13062e23e8 Restructure builds to allow more flexibility
As a restructure, nothing is changed from the original behaviour and
naming despite the file structure changing. The symlinks to build had
to be updated generating lots of "deleted" and "new_file".

The new structure is:

docker/${base_distro}/${type}/${container}

base_distro == centos, ubuntu, fedora, etc
type == source, binary, rdo

type rdo is a symlink to binary for backwards compatibility

Two new flags are added to the build-all script to support the ability
to support different base distros and a flag to support binary or source
containers.

There are several added folders that are empty to hold the directory
structure for future containers of these types.

To use a prefix other than centos-rdo- you can set PREFIX in the toplevel
directory .buildconf file

Change-Id: Ifc7bac0d827470f506c8b5c004a833da9ce13b90
2015-05-15 01:32:22 -05:00
Jeff Peeler 0976ba6b21 Fix image build for barbican
tar package was missing

Change-Id: Ic932455fe341cdb7acfe79c53a450071d1d2b1b6
2015-05-11 15:12:41 -04:00
Steven Dake d30f69bc83 Port to icehouse
This represents making build-docker-images --release build
with the icehouse tag and causes docker-compose to pull from
the icehouse tag.

Partially-implements: blueprint port-kilo

Change-Id: I66b2c39abc55c0f47152dd90e696fc46b9c58f50
2015-05-06 09:58:43 -07:00
Steven Dake a87980e5c2 Remove EXPOSE options from Dockerfiles
The EXPOSE options will create a local docker-proxy.  This is
unnecessary with --net=host mode.  The docker-proxy adds about
20 microseconds of latency.  Add documentation to the specification
to indicate where to find the ports that are exposed by the
services in case someone were to desire to add EXPOSE back to
the Dockerfiles.

Change-Id: I398e922fe096d6022a2d5985bb92498f89a5ea31
2015-04-06 20:25:18 -07:00
Martin André 34872c1c2f Allow check_for_* functions to be consumed by wait_for
In order for the `check_for_*` functions to be consumed by `wait_for`,
they should notify of their success but not exit.

As a consequence, the previous behavior is restored by the fail_unless_*
companion functions.

With this change, it is now possible to do:

    wait_for 30 1 check_for_os_service_running keystone

Change-Id: I16ddf8913027030c3ccb5487713d172904508fd6
2015-04-01 16:39:44 +09:00
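The commit spells out the contract: a `check_for_*` function reports the outcome through its exit status and never terminates the process, so a retry loop can call it repeatedly, while the `fail_unless_*` companions keep the old abort-on-failure behaviour. The block below is an added illustration of that contract, not kolla's actual `wait_for` or `check_for_os_service_running`. The argument order `wait_for RETRIES INTERVAL COMMAND...` is taken from the usage line above; the check it drives (`check_for_file`, which looks for a marker file) and its `fail_unless_file` companion are constructed for the demo.

```shell
#!/bin/sh
# Added example modelled on the usage line above; not kolla's code.

# wait_for RETRIES INTERVAL COMMAND [ARGS...]
# Runs COMMAND up to RETRIES times, sleeping INTERVAL seconds between
# attempts. Returns 0 as soon as COMMAND does; 1 when it never did.
# A COMMAND that calls exit on failure would kill this loop on the first
# attempt, which is why check_for_* must only report, never exit.
wait_for() {
    retries=$1
    interval=$2
    shift 2
    attempt=1
    while [ "$attempt" -le "$retries" ]; do
        if "$@"; then
            return 0
        fi
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$retries" ]; then
            sleep "$interval"
        fi
    done
    echo "wait_for: '$*' did not succeed after $retries attempt(s)" >&2
    return 1
}

# check_for_file PATH
# Constructed stand-in for a check_for_* function: exit status only.
check_for_file() {
    [ -e "$1" ]
}

# fail_unless_file PATH
# Constructed stand-in for a fail_unless_* companion: restores the
# original behaviour of aborting the script when the check fails.
fail_unless_file() {
    check_for_file "$1" || { echo "fail_unless_file: $1 is missing" >&2; exit 1; }
}

# Demo: the marker file shows up while wait_for is still polling, the
# same shape as a dependency service becoming reachable after a delay.
marker=$(mktemp -u)
( sleep 1; : > "$marker" ) &
if wait_for 5 1 check_for_file "$marker"; then
    echo "marker appeared while polling: ok"
fi
wait
rm -f "$marker"
```

The retry budget is RETRIES attempts with INTERVAL seconds between them, so `wait_for 30 1 ...` as in the commit gives roughly thirty seconds; under an orchestrator that restarts failed containers, letting `wait_for` return 1 and the start script exit non-zero is usually preferable to looping forever.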
Sam Yaple 986edf4a97 Replace ; with && in Dockerfile
When using ';' this can allow the previous command to fail and while the
docker build proceeds without realizing a command failed. Switching to
'&&' allows the exit code to make it to the docker build command and the
build to fail appropriately.

Change-Id: Idd0991ed4549542bb10d27da1a0a025d0503b6c1
2015-03-27 18:52:48 -05:00
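What docker build sees from a RUN instruction is the exit status of the single `/bin/sh -c '<line>'` it spawns, which is the status of the last command on the line. The emulation below is an added example written for this page, not kolla code; `run_step` stands in for that shell invocation and the failing install is a constructed `false`, so both forms can be compared offline.

```shell
#!/bin/sh
# Added example, not kolla code. Shows why a RUN line joined with ';'
# hides failures from docker build while '&&' propagates them.

# run_step LINE
# Emulates how docker build executes a RUN instruction and returns the
# exit status the build would act on.
run_step() {
    /bin/sh -c "$1"
}

# run_step_status LINE
# Same as run_step but prints the exit status (handy for comparisons).
run_step_status() {
    run_step "$1" >/dev/null 2>&1
    echo $?
}

# Constructed stand-in for a package install that fails, e.g. a missing
# package name or an unreachable mirror.
failing_install="false"

# Before: ';' keeps going, the clean-up step runs and reports 0, and the
# build "succeeds" with the package missing from the image.
before="$failing_install; echo cleaned up"
# After: '&&' stops at the first failure and hands its non-zero status
# back to docker build, so the broken layer never ships.
after="$failing_install && echo cleaned up"

echo "';'  form exit status: $(run_step_status "$before")"
echo "'&&' form exit status: $(run_step_status "$after")"
```

The same reasoning applies to a multi-line RUN with backslash continuations: every command on the line has to be joined with `&&` (or the line has to start with `set -e`), otherwise only the final command's status reaches the build.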
Martin André 0764fd7dea Allow changing base image
By changing the PREFIX variable in the .buildconf one is now able to
build docker images from different bases.

For example, add the following line to your .buildconf file to build
CentOS based images:

    PREFIX=centos-rdo-

Default base image is Fedora. For now only RH family is supported.

Additionally, changing the namespace either with the NAMESPACE variable
in .buildconf or via --namespace commandline option now changes the
source namespace as well from the default kollaglue one.

Implements: blueprint multi-baseos
Co-Authored-By: Steven Dake <stdake@cisco.com>
Change-Id: I3964cd2292789ea883a1f2d2738a5731a4fff49b
2015-03-02 14:08:06 +09:00
Martin André 91ca8d4b00 Cleanup required variables checks for all containers
This allows Kubernetes to reschedule containers in case a required
variable is missing, for example when the Kubernetes pod is started
before the service.

The checks were cleaned using the following method:
  * remove duplicates
  * remove check for variables that get a default value in the same file
  * check for all variables used in the file
  * check for required services when it is obvious.

Change-Id: Ib7e0530c410c61f828d36efe8925a20dc9781eab
2015-01-19 16:29:59 +09:00
Venkat Sundaram 3c7ef7a45b Containerizing barbican service
Adding Dockerfile, pod and service. Please note
that this uses the Juno version of Barbican
from a tarball and uses uwsgi to run the service.
Addressed review comments and added admin service
as well.

Fixing Maintainer email and yum clean up

Change-Id: If58c5eec00131582024045f8d213e48f9f466f4d
2014-11-07 08:31:48 -07:00