Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow running arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
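The hardening described in the commit above comes down to one property of the image: no rootwrap/privsep configuration file may be writable by the service user. The following is an added example, not kolla's own code, of a check that can be run against an unpacked image rootfs (or a container's filesystem) to enforce that property. The directory layout, file names and contents it builds under a temporary directory are constructed solely for the demo; the expected owner defaults to root, as it should be inside a real image, and is overridable so the demo works as an unprivileged user.

```shell
#!/bin/sh
# Added example (not part of kolla): report rootwrap/privsep config files in an
# image rootfs that a non-root service user could modify, i.e. files that are
# group- or world-writable, or not owned by the expected owner (root).
#
# Usage: find_writable_privsep_conf ROOTFS [EXPECTED_OWNER]
# Prints offending paths, one per line. Returns 0 if none, 1 otherwise.
find_writable_privsep_conf() {
  rootfs="$1"
  owner="${2:-root}"
  # Hypothetical but typical locations: /etc/<service>/rootwrap.conf and the
  # filter files under /etc/<service>/rootwrap.d/. Adjust for other layouts.
  found=$(find "$rootfs/etc" -type f \
      \( -name 'rootwrap.conf' -o -path '*/rootwrap.d/*' \) \
      \( -perm /022 -o ! -user "$owner" \) 2>/dev/null | sort)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Build a constructed demo rootfs with one correctly locked-down file and one
# group-writable filter file (the kind of mistake the check is meant to catch).
make_demo_rootfs() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/neutron/rootwrap.d"
  printf '[DEFAULT]\nfilters_path=/etc/neutron/rootwrap.d\n' \
    > "$d/etc/neutron/rootwrap.conf"
  chmod 0644 "$d/etc/neutron/rootwrap.conf"
  printf '[Filters]\nip: CommandFilter, ip, root\n' \
    > "$d/etc/neutron/rootwrap.d/l3.filters"
  chmod 0664 "$d/etc/neutron/rootwrap.d/l3.filters"   # group-writable: the bug
  printf '%s' "$d"
}

# Demo run: expected owner is the current user because the demo tree is not
# root-owned; against a real image rootfs, omit the second argument.
demo_rootfs=$(make_demo_rootfs)
if find_writable_privsep_conf "$demo_rootfs" "$(id -un)"; then
  echo "OK: no writable rootwrap/privsep config found"
else
  echo "FAIL: writable rootwrap/privsep config found (listed above)"
fi
rm -rf "$demo_rootfs"
```

Run it as `sh check.sh` for the demo, or call `find_writable_privsep_conf /path/to/rootfs` from a build pipeline and fail the build on a non-zero exit. The check deliberately flags ownership as well as mode bits: a 0644 file owned by the service user is just as writable to that user as a 0666 one.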
As we have one type of image now, some RUN calls could be merged so we
will have fewer layers in the resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
The elasticsearch-oss package fails to install if we install it with Java:
INFO:kolla.common.utils.elasticsearch:could not find java; set JAVA_HOME
INFO:kolla.common.utils.elasticsearch:error: %prein(elasticsearch-oss-0:6.8.23-1.noarch) scriptlet failed, exit status 1
INFO:kolla.common.utils.elasticsearch:Error in PREIN scriptlet in rpm package elasticsearch-oss
Backport down to ussuri needed.
Change-Id: I72d7920acd8d15941c8c57a4186186212b273a38
New pip has nice features for detection of conflicting
requirements.
When installing from PyPI, as we do in source images, running
the latest pip+setuptools+wheel is recommended.
This change covers entries missed in I4ae3a82cc796a60450c2a35beba32972964bc5d0
Change-Id: I0d69009b8b736b59b122ad29a9a5f6a22b041513
The newest elasticsearch Python library required by Curator no longer
works against the last OSS version of Elasticsearch (7.10.2). Pin it
to the last known working version.
Closes-Bug: #1941073
Change-Id: Ic8f0554c95c1903640c98a7831b829c1f88f49ff
This includes switching to releases of independently released projects.
Projects missing stable branches:
* networking-ansible
* vmware-nsx
* vmware-nsxlib
Includes the following other change squashed to pass CI:
elasticsearch-curator: install boto before curator
We need to install older boto versions to get the image built.
Change https://review.opendev.org/759233
Change-Id: I6983b01daa6e577e3238f2823e6e7693d0a73c0a
Co-Authored-By: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Start using oss-tagged binaries. These binaries contain only features
that are available under the Apache 2.0 license.
Implements: blueprint elasticsearch-kibana-version-upgrade
Co-authored-by: Dincer Celik <hello@dincercelik.com>
Change-Id: I8b52b2630a72393bf4b9c7095fc67db6c36c27fa
It seems we have a broken python3 env on Ubuntu for building curator; adding
python3-wheel fixes the build issues.
Change-Id: I8f0017a22fa7b11d8c46f60008172081d7ba5bcf
Disable external repositories by default and enable only when needed.
Depends-on: https://review.opendev.org/696480
Implements: blueprint repos-off-by-default
Change-Id: Icf2a8397a8349e0fe849d88d160409fd234480a9
Kolla provides log aggregation, but no solution to set retention periods
for aggregated logs. It therefore accumulates log data indefinitely unless
a user manually intervenes. This change adds Elasticsearch Curator which
provides a mechanism for automating such retention periods [1].
[1] https://www.elastic.co/guide/en/elasticsearch/client/curator/current/about.html
The container contains cron to support running Curator periodically.
Change-Id: Ief2c554a64ef6cc971635d7e2a718f63c310fbf6
It is good to have the proper Java version. Better still is when JAVA_HOME is
also adjusted to point to the proper directory, and is set the proper way.
Change-Id: I0f83c3498028135751b0b887665d009e5e19410f
Many images have an 'if x86_64 then amd64 elif aarch64 then arm64' check to
comply with Debian-like architecture names in several projects.
This patch creates 'debian_arch' variable which can be used in all
Docker files (similar to 'base_arch' one).
All required images got converted to use it.
Change-Id: I9c5e6f13d6c9b24fe323408512bd5aef290111ad
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
During the build of the Elasticsearch image, the Dockerfile sets an
env var specifying the architecture that the image is built for. This
change ensures that this env var is correctly used in the JAVA_HOME
directory.
Closes-Bug: 1780811
Change-Id: I3eeacabafcc3855165519a739792f0570fdfd5d8
Prefer the headless JRE wherever possible. It may be necessary to
adjust the override files for the customization of the containers where
Java is installed.
Change-Id: I3479ac9e74aa9e860cf01db20bd7ab5f5cfc9c1a
On systemd-based distributions, the installation scripts will attempt to set
kernel parameters (e.g., vm.max_map_count); you can skip this by setting the
environment variable ES_SKIP_SET_KERNEL_PARAMETERS to true.
Change-Id: Ia0e103790bfbff078308acfe300fe66b7c50ebf5
set_configs.py has logic to handle chown of directories. Simplify
the codebase by removing these unnecessary chowns. Further, the chowns
cause some forms of NFS-backed storage to not work properly.
Change-Id: I8df95d06b1010778deb3e2a3065aaab26ed2eb6a
Closes-Bug: #1693973
CentOS-based images have wrong label info;
these changes fix the image's own name and build-date.
Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
Use the LABEL instruction instead of the MAINTAINER (deprecated)
instruction as suggested by Docker's official Dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated
Closes-Bug: #1683652
Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
Debian support is not maintained in Kolla, so it got a bit behind the Ubuntu
one. This changeset enables Debian for all images. Jessie (even with
backports) may be too old for some images, though.
Also unify distro check to ['debian', 'ubuntu'] to keep alphabetical order
like it is done for RPM distributions.
Partially-Implements: blueprint multiarch-and-arm64-containers
Change-Id: I056233fbfa277e0e2360c07c3f80d9558c554357
Some images have packages sorted alphabetically and some do not.
Unify the common style between all images.
Change-Id: I906ed89c10b12886665618752f525ba71d83d991
The include_header and include_footer parameters are already removed; remove
them in all Dockerfiles.
Add missing footer block.
Change-Id: I90da03eb9f95a3827361d5f5ede65fde7d6be2b3
This centralizes all user and group creation into a single source. This
will fix any current and future uid/gid mismatches (such as with
nova-libvirt).
In the process, we also unify users between the distros in a standard
way. The users in the following containers change from their defaults:
Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions
All uid and gid numbers are customizable via kolla-build.conf
Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid
Change needed to add header blocks to all Dockerfiles, similar to the
base.
Use case is to easily run something before packages are installed, e.g.
to COPY a local rpm in that can be added to the package list.
Change-Id: I1bbfdf0b762da0a392aa8bf47781315b45377bee
Closes-Bug: 1618969
This patchset contains customization of Dockerfile of the
Elasticsearch container.
Change-Id: Icd38897b3a7ce02ab934fea6ad88cc3381546d5e
Partially-implements: blueprint third-party-plugin-support
Part of the ELK stack. Includes Dockerfiles for both CentOS and Ubuntu.
Change-Id: I9f76adf084cd4f68e29326112b76ffd02b5adada
Partially-implements: blueprint central-logging-service