The local_settings.py config is rendered by kolla-ansible
orchestration, which is not a good approach because upstream
local_settings.py can be changed anytime and that can be a problem,
as it was shown recently with the new version of horizon.
Fortunately, horizon supports local_settings overrides in
the local_settings.d directory and moreover it's the preferred
way to configure horizon as per the doc [1].
This patch just changes the structure of files to support it.
[1] https://docs.openstack.org/horizon/latest/configuration/settings.html
Change-Id: Ib0c060adffe5287d786ba9247c6b962732cdb5e0
upper_constraints_remove() macro allows removing a line
upper_constraints_version_change() allows changing versions
This way we have a cleaner way to alter u-c in those images which need it.
Change-Id: I8fc354b8aa4d03fcd3ecfb9cbfe75de67492a0e3
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potentially vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow running arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
OpenStack 'zed' requires Python 3.8+ so RHEL 8 family has to go.
This changeset moves to CentOS Stream 9 while a move to RockyLinux 9 is
planned as the final solution.
CI moved to CentOS Stream 9 nodes.
Depends-on: https://review.opendev.org/c/openstack/kolla-ansible/+/839715
Change-Id: I113b9984294cf8663d3fc0c8840320e1d40ea731
As we have one type of images now, some RUN calls could be merged so we
will have fewer layers in the resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
Since commit 39f03063c0b0b22e608bbc606423e51be632be2a in
masakari-dashboard (also in Depends-On), Masakari dashboard uses
and distributes only the policy in YAML format.
Depends-On: https://review.opendev.org/c/openstack/masakari-dashboard/+/798842
Change-Id: Id1aad2c8894331b9540bfc66177368536667f003
This patch is adding python3-masakari-dashboard
to debian binary image as we added masakari-dashboard
to debian in wallaby cycle.
Change-Id: Ie3f357eaae5d1378ada32451dbd74f01f5cd2ba2
The debian-binary-horizon image is missing the default policies files
which should be in /etc/openstack-dashboard/default_policies. By copying
everything from /etc/openstack-dashboard/policy
into /etc/openstack-dashboard, we get the default policy files, as well
as commented out policy files (e.g. cinder_policy.yaml) and the
nova_policy.d directory containing api-extensions.yaml.
Change was merged for ubuntu in [1] but unfortunately
not for debian; this trivial patch fixes it also
for debian.
[1] https://review.opendev.org/c/openstack/kolla/+/794589
Closes-Bug: #1933759
Change-Id: I822d640a251e6ed9f71c76a922513e23e4218418
Patch to correctly copy monitoring_policy.json into
/etc/openstack-dashboard. Policy was misplaced, and not being enforced.
Note that by current default policy, admin doesn't not have Monitoring
access.
Closes-Bug: #1928408
Change-Id: I4faabdfa9c273fc61b536e6ce88b8d71ab2fc581
Since the commit 89a90ff9773b93062760df5e3deefb9750112633 was merged,
manila-ui provides two policy files. This change ensures that these
files are installed when manila-ui is enabled.
Change-Id: Id92145ba74237da2fd8430b9d84413465297d3a7
Since the commit 8e7914fce24d2c9d94a83795983aaa0fb05f020c was merged,
heat-dashboard no longer uses policy.json but uses two yaml files to
manage policy rules. This change updates managed files for
heat-dashboard accordingly.
Change-Id: I0cae18c1d5169cd444a14ba3b56de24dede5919c
The ubuntu-binary-horizon image is missing the default policies files
which should be in /etc/openstack-dashboard/default_policies. By copying
everything from /usr/share/openstack-dashboard/openstack_dashboard/conf
into /etc/openstack-dashboard, we get the default policy files, as well
as commented out policy files (e.g. cinder_policy.yaml) and the
nova_policy.d directory containing api-extensions.yaml.
Change-Id: I3c6fdcb9b7dd7443a7755599f7e4ee59f67e0a91
Closes-Bug: #1930586
We moved to CentOS Stream 8. Just no one noticed that binary target was
failing to build.
This change sorts out all failing images.
Change-Id: Ia7768caabfe214a629339d50973d0d9873fc65d5
When running with `-o nounset` since [1], the Horizon became quite
fragile to run as it started requiring all ENABLE_* environment
variables to be set upfront. Normally they are - via kolla-ansible.
However, when working with it outside of kolla-ansible or removing
services (like it was the case 3 times during the Wallaby cycle),
it creates needless issues (like having to wait for images to get
published for kolla-ansible gate or users bumping into irrelevant
incompatibilities [2]).
This patch makes sure all ENABLE_* environment variables default
to 'no' and are no longer required to be set when there is no
need to set them to 'yes'.
[1] 032804e5a0
[2] https://bugs.launchpad.net/kolla/+bug/1911141
Change-Id: I644e072a699dccd8f32a24e484ff6dab7b9b449d
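
The failure mode and the defaulting described in the commit message above, as an added example that is not kolla's start script. The switch names ENABLE_EXAMPLE_A and ENABLE_EXAMPLE_B, the SWITCHES list and both function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not kolla's extend_start.sh.
# ENABLE_EXAMPLE_A / ENABLE_EXAMPLE_B are hypothetical switch names.
SWITCHES="ENABLE_EXAMPLE_A ENABLE_EXAMPLE_B"

# Before: each switch is read directly. Under nounset the first unset
# switch terminates the subshell, so no plugin gets configured at all.
enabled_strict() {
    (
        set -o nounset
        out=""
        for name in $SWITCHES; do
            eval "value=\$$name"
            if [ "$value" = "yes" ]; then out="${out:+$out }$name"; fi
        done
        echo "$out"
    ) 2>/dev/null || echo "aborted"
}

# After: every read falls back to 'no', so the caller only has to
# export the switches that must be 'yes'.
enabled_defaulted() {
    (
        set -o nounset
        out=""
        for name in $SWITCHES; do
            eval "value=\${$name:-no}"
            if [ "$value" = "yes" ]; then out="${out:+$out }$name"; fi
        done
        echo "$out"
    )
}

# Constructed environment: only one of the two switches is set.
unset ENABLE_EXAMPLE_B
ENABLE_EXAMPLE_A=yes
export ENABLE_EXAMPLE_A

echo "strict:    $(enabled_strict)"
echo "defaulted: $(enabled_defaulted)"
```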
Make start.sh run with pipefail and nounset to avoid common errors
in the start scripts and detect them early.
Httpd code had to be patched to allow it to pass on Debuntu.
Also fix the two missed applications of httpd to make sure all
its paths are covered.
And also fix Horizon's ENABLE_ZAQAR - K-A does not use Zaqar.
Yet another - Horizon's settings_bundle. :-)
Finally, fix Neutron for Debuntu (KOLLA_LEGACY_IPTABLES).
Change-Id: I39b8d78f6758df1f92b8b0d2c06ea99b038b843b
Depends-On: https://review.opendev.org/711923
The horizon image copies the masakari dashboard's policy file to Python
site packages, but it should go to /etc/openstack-dashboard. This allows
the dashboard to be seen by non-admins, although it fails to load.
We get an error like the following in horizon.log:
No policy rules for service 'instance-ha' in
/etc/openstack-dashboard/masakari_policy.json
This change fixes the issue.
Change-Id: I8ede183c76a830de06ce6524dc3f6f6944b182c1
Closes-Bug: #1894240
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
Debian packages are different from ubuntu packages.
Differences in /etc/openstack-dashboard:
- Symlinking {{ python_path }}/openstack_dashboard/local/enabled/ -> /etc/openstack-dashboard/enabled
- Symlinking {{ python_path }}/openstack_dashboard/local_settings.d/ -> /etc/openstack-dashboard/local_settings.d
- Symlinking {{ python_path }}/openstack_dashboard/conf/ -> /etc/openstack-dashboard/policy
Every dashboard-plugin debian package is copying its policy files, local_settings, enabled to above locations.
Every dashboard-plugin is triggering dpkg and collect-static, compress is done by openstack-dashboard package.
Kolla has to remove all these debian package's configs and provide kolla configs.
Move also /etc/openstack-dashboard/policy to standard location and delete symlink as kolla-ansible is overriding
default policy files path to /etc/openstack-dashboard/.
Change-Id: Ieca15bdb315d52e9547d798df11641ef36485b26
Depends-On: https://review.opendev.org/733612
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
When [1] was committed, horizon stopped building for Train.
Analogous patch is proposed to other stable branches.
This patch removes horizon from upper-constraints.
Kolla master is affected directly because we build Train
for CentOS 7 atm.
[1] 3e54878f9c
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I1bd5a40eeef9612d995c81426fe510e89f438725
'config_monasca_dashboard' method added and called so if
'ENABLE_MONASCA' is set this method will add monasca-ui to horizon.
Change-Id: If46d0d629a678f9878f36f1cfbe31153ab5ebf9b
Implements: blueprint monasca-ui
Signed-off-by: Hamed Bahadorzadeh <h.bahadorzadeh@gmail.com>
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.
Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.
Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
This reverts the following commits:
df987c9d3fd866c63a326b40b655f1
These are no longer necessary as we are using stable/train branch for
source images until CentOS 8 / python 3 support is available and
working.
Change-Id: I5aedf1141862d51c5bb676a7393fc131c452c914
Related: blueprint centos-rhel-python-3
As CentOS 7 is Python 2 we need a way to remove plugins used in
OpenStack components once they switch to be Python 3 only.
'remove_py3_only_plugins_for_py2' macro does exactly that.
This change also disables networking-bgpvpn for python 2.
Change-Id: Ib90aabc485f1c831d3d41cc0f70052f8fffc3fe6
Related: blueprint drop-py2-support
This plugin moved to Python 3 only:
Change-Id: Ifa664ff2d65a7cbc969c4b1c279eae1ac21225d7
INFO:kolla.common.utils.horizon:ERROR: Package 'neutron-vpnaas-dashboard' requires a different Python: 2.7.5 not in '>=3.6'