Commit Graph

142 Commits

Author SHA1 Message Date
Michal Arbet 7f5a904e98 Fix openstack CADF audit maps and installation
This patch fixes missing pycadf's audit maps
for services and changes the way pycadf
is installed.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/905858

Closes-Bug: #2047941
Change-Id: I9b43d1a9990ad8aa7381ea81b0f2d692967be949
2024-01-17 11:52:20 +00:00
Robin Klostermeyer f54fb018b0 Add ironic-prometheus-exporter
This commit adds the ironic-prometheus-exporter, following the
conventions used by the previously integrated exporters. '[The] Ironic
Prometheus Exporter is a Tool to expose hardware sensor data in the
Prometheus format through an HTTP endpoint.'[0]

[0] https://opendev.org/openstack/ironic-prometheus-exporter

Change-Id: If833f1f4a33c27cdc941dcc7cd5bbb06b26e1eaf
2023-08-29 12:40:24 +00:00
Pierre Riteau 9da0d15189 Remove ipxe code for Ubuntu Focal
The ipxe package in Ubuntu Jammy includes snponly.efi [1]. Remove code
to handle Focal in which snponly.efi is absent from the ipxe package.

[1] https://packages.ubuntu.com/jammy/all/ipxe/filelist

Change-Id: I5f494de36e6400b5486c1fb786b73c9e1512a046
2023-02-15 14:00:30 +00:00
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potentially vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00
Michal Nasiadka 1d924eff03 Fix ironic-pxe EFI path for rocky
Change-Id: I6c82ef5b148b3ebdc8241871117dbe6cd68ed070
2022-10-03 12:31:08 +02:00
Michal Nasiadka 0883532434 Add RockyLinux 9 support
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/859570

Change-Id: I7af51d07b8a939c908aa072294061def57dd67de
2022-09-30 14:17:34 +00:00
Marcin Juszkiewicz 016c5ed30c adjust permissions on _extend_start files (part II)
Tim Shearer started it in 1d96a2bbe1.

Since all extend_start files are sourced rather than executed, the executable
bits are now cleared throughout the project.

Change-Id: Ia1797c32fc6a35f9f077c673abf4d8e16e51a760
2022-04-22 11:34:55 +02:00
Marcin Juszkiewicz e21aeb5ae9 flatten images a bit
As we have one type of image now, some RUN calls could be merged so we
will have fewer layers in the resulting images.

Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
2022-04-21 18:53:14 +00:00
Tim Shearer 1d96a2bbe1 Adjust permissions on _extend_start files.
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.

Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
2022-04-11 17:22:24 +02:00
Marcin Juszkiewicz 1749da2fbf docker: drop binary parts
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.

Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
2022-04-09 17:44:26 +02:00
Mark Goddard 1bb57ae116 ironic: make tftpboot and httpboot paths configurable
This is needed to support PXE and iPXE at the same time. We will move
/tftpboot and /httpboot to /var/lib/ironic/. With these paths
configurable via an environment variable, we can support a clean
transition.

This patch also cleans up pxelinux part, making it
analogous to grub and ipxe parts.

RHEL leftover mention is removed.

Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/832159

Change-Id: I1ae81217c8bbf606c903c8009a372662ca3ab08c
2022-04-05 19:46:10 +00:00
Mark Goddard 909710d739 ironic: Fix UEFI & iPXE bootloader filenames
When using Ironic with UEFI boot mode and iPXE booting, nodes will
attempt to chainload iPXE using a Network Boot Program (NBP). This is
configured in Ironic via [pxe] uefi_ipxe_bootfile_name, and the default
since Xena is snponly.efi. In Wallaby and earlier releases, the default
was ipxe.efi. These files need to be available in the /tftpboot
directory of the ironic-pxe image.

The current default of snponly.efi was not present for any supported
distros. ipxe.efi was present for Debian/Ubuntu but not CentOS, which
appends the architecture to the filename (e.g. ipxe-x86_64.efi).

This change ensures that both ipxe.efi and snponly.efi exist in
/tftpboot for all supported distributions, ensuring that both the
current and previous Ironic defaults should work. Where these files have
different names, we use symlinks to allow for any deployers overriding
the filenames in configuration.

Closes-Bug: #1959203

Change-Id: I79e78dca550262fc86b092a036f9ea96b214ab48
2022-02-10 12:44:14 +00:00
Xinliang Liu b6e057d694 Use distro provided GRUB efi
Use distro provided GRUB efi instead of creating it like ironic GRUB
setup doc[1]. This avoids the below Ubuntu ironic-python-agent image PXE
booting failure.
----------
error: invalid magic number.
error: you need to load the kernel first.

Press any key to continue...
----------

This also fixes x86_64 uefi pxe booting issue by setting up GRUB efi
for x86_64.

Besides, GRUB setup only needs to be done once at bootstrap stage.

[1]:
https://docs.openstack.org/ironic/train/install/configure-pxe.html#uefi-pxe-GRUB-setup

Closes-Bug: #1879265
Change-Id: I8be5bdf5f1a62751aefe6bd0959e8f558fcfe591
2022-01-26 19:48:34 +00:00
Marcin Juszkiewicz bd90b02708 drop leftovers of RHEL support
As a project we never built RHEL based images so support for them
was not tested.

Change-Id: I27dfe34ade088228d71f6857ec4f3ab28ee63915
2021-07-28 16:04:21 +00:00
Marcin Juszkiewicz 0506ede84f Drop ppc64le support
We do not test support for ppc64le on CI or other systems.

In previous cycles it was used by TripleO and now they have their own way.

Change-Id: Ibd955869a6f9485dfa4d08a8ad2f4b28b7d59c15
2021-05-11 12:45:16 +02:00
Zuul 9a9ae6e295 Merge "ironic-pxe: RHEL/CentOS: install AArch64 modules on all GRUB architectures" 2020-09-17 09:16:21 +00:00
Zuul a1cef38799 Merge "Enable mod_wsgi in Ironic API and Inspector container" 2020-09-08 08:50:48 +00:00
Yaakov Selkowitz c3a3c7bee0 ironic-pxe: RHEL/CentOS: install AArch64 modules on all GRUB architectures
grub2-efi-aa64-modules ships in RHEL and CentOS on all GRUB
architectures (x86_64, ppc64le, aarch64, but not s390x), and therefore
can be used on any of them to support heterogeneous clusters with AArch64.

Change-Id: Icf7e7bfddec89c4aec89410884480539b6bbfd74
2020-09-06 09:05:27 +00:00
James Kirsch 9a02633faf Enable mod_wsgi in Ironic API and Inspector container
This patch modifies the Dockerfile for both the Ironic API and
Inspector so that the 'root' user executes the container setup scripts.
This enables the container httpd configuration script to execute.

Change-Id: I02b58ac571cd4eb3b9d4a814fe0cb907a3564e23
2020-08-19 16:11:46 -07:00
Yaakov Selkowitz f64ecd98e8 ironic-pxe: add syslinux-tftpboot on ppc64le
syslinux-tftpboot was made installable on and shipped for ppc64le in RHEL
and CentOS 8.1.

Change-Id: I2135d6477d07e8786b81e6e3ea9f3367fc5e3ec6
2020-08-18 17:47:21 +00:00
James Kirsch 5bdf514645 Refactor httpd install to base image
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.

Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
2020-08-10 09:51:07 +00:00
Sean Mooney b6c7110409 copy rootwrap files from venv in ironic base
This change modifies the ironic base container
to copy rootwrap filters from the virtual
env rather than the source code directory. This
is needed because some required filters have
been moved to ironic-lib and are not present in
the /ironic dir. The rootwrap filters are not
automatically installed in /etc/... due to kolla
use of virtual envs and https://github.com/pypa/wheel/issues/92

Closes-Bug: #1886663
Change-Id: Idb0a675d92bab8b9a0cf5209f0a06e996e96033c
2020-07-07 13:19:41 +00:00
Marcin Juszkiewicz 53443c5c71 Remove support for CentOS 7
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.

We also no longer have to support yum as a value for
distro_package_manager.

Partially-Implements: blueprint centos-rhel-8

Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
2020-04-15 09:32:06 +00:00
Christian Berendt 861f55fbfd Add block labels to all Dockerfiles
Change-Id: I9692dda817ef134d647247431565e1b58cf9da41
2020-03-01 17:25:58 +00:00
Mark Goddard 1fe8012ce2 Actually disable EPEL, and epel-modular
The disable_extra_repos macro accepts a list as its only argument. We
were calling it like this to disable EPEL:

disable_extra_repos('epel')

The macro interpreted this as a request to disable three repos, e, p, l.
Thanks Python! Type validation to be improved separately.

Additionally, on CentOS 8 the EPEL repository was not included in the
repository mapping file, repos.yaml. There is also another EPEL
repository on CentOS 8, epel-modular, which is enabled by default after
installing epel-release.

This change adds mappings for epel and epel-modular repos to repos.yaml,
and fixes the disabling of epel in the base image, as well as disabling
epel-modular.

There are some cases where EPEL is still used (it seemed a bit too
easy...), and the repository has been enabled for these images:

* bifrost-base (nginx)
* ironic-conductor (C7 only, shellinabox)
* freezer-base (C7 only, trickle)
* gnocchi-base (C8 binary only, python3-boto3)
* mariadb (pv)
* mongodb (C7 only, mongodb)
* nova-spicehtml5proxy (C7 only, spice-html5)
* telegraf (C7 only, python2-pip)

A few other things were changed:

* ironic-conductor does not require the ceph repo
* python3-pika is no longer installed in the openstack-base image

Related: blueprint remove-epel

Change-Id: I3761825239dfc462072383cde6276c4fb3e1bf12
2020-02-26 13:46:04 +00:00
Antony Messerli 7234e8b2f7 Add ssh clients to Ironic Conductor container
Adds ssh clients to Ironic Conductor container for
ansible deploy interface.

Change-Id: Ib995c6ebe5ee76ee1a39e4b5918a79bd61b87a01
Closes-Bug: #1862079
2020-02-06 15:02:26 -06:00
Zuul 481636bc6d Merge "Adds python3-systemd for ansible deploy interface" 2020-02-04 15:26:23 +00:00
Mark Goddard adcdef7d85 CentOS 8: Relax ironic iPXE EFI bootloader location
CentOS 7 had ipxe.efi. CentOS 8 has ipxe-i386.efi and ipxe-x86_64.efi.
Use a wildcard to copy any of these that are present.

Change-Id: I6d409e56b424a039f5aff9af86ca1b026c2c6286
Partially-Implements: blueprint centos-rhel-8
2020-02-01 12:01:11 +00:00
Antony Messerli 4a67e58f79 Adds python3-systemd for ansible deploy interface
When doing a source install, ironic doesn't have python3-systemd as a
dependency and the current ironic-conductor container doesn't install
the required dependencies which causes the ansible deploy interface to
fail with the error, "Systemd bindings do not exist".  This adds the
needed dependencies when doing a source build.  This installs the needed
files for both rpm and deb builds on python 2.x and 3.x.

Change-Id: I5d1bcb0f7d7902b4e122c12697483433bcf52ca2
Closes-Bug: #1861427
2020-01-30 22:00:10 -06:00
Mark Goddard 397651ec4b CentOS 8: Remove shellinabox from ironic-conductor
shellinabox is used by ironic-conductor to provide a browser-based shell
to access the consoles of nodes. It is not used by all console drivers,
and is not used in the integration with nova serial consoles.

The package was previously installed from EPEL7, but is not currently
provided by EPEL8.

This change removes the package to allow the ironic-conductor image to
build.

Change-Id: I210d9fddd6948dab1feb5abf59a50bce86f21f0f
Partially-Implements: blueprint centos-rhel-8
2020-01-29 14:16:27 +00:00
Mark Goddard 4b4e26262b CentOS 8: Update packages in images
* Some further changes for python2 vs python3 packages
* Allow rabbitmq 3.7.*, since a newer erlang is available
* Switch from qemu-img-ev to qemu-img on CentOS 8
* bridge-utils no longer available on CentOS 8
* libvirt-daemon-driver-lxc no longer available on CentOS 8
* Mark some more images buildable for CentOS 8

Change-Id: Iaf5b68ff6d944ae730ca0b1d5832172c106a6c08
Partially-Implements: blueprint centos-rhel-8
Partially-Implements: blueprint centos-rhel-python-3
2020-01-29 11:41:38 +00:00
Mark Goddard 8484190e77 Refactor Apache httpd setup
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.

Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.

Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
2019-12-11 11:38:46 +00:00
Marcin Juszkiewicz cf11cd6f3d Enable repos only when needed
Disable external repositories by default and enable only when needed.

Depends-on: https://review.opendev.org/696480

Implements: blueprint repos-off-by-default

Change-Id: Icf2a8397a8349e0fe849d88d160409fd234480a9
2019-11-29 11:38:06 +01:00
Mark Goddard fa8e174be6 Remove support for OracleLinux
We have agreed to remove support for Oracle Linux.

http://lists.openstack.org/pipermail/openstack-discuss/2019-June/006896.html

Change-Id: I961dfba1aeef2c509ecdaf376dfe6928926ffb39
Depends-On: https://review.opendev.org/682858
2019-09-18 13:42:47 +01:00
Zuul 17ce7d4de6 Merge "Debian/Ubuntu: more python3 packages for binary" 2019-06-07 08:29:09 +00:00
Mark Goddard aa59f0db6f Debian/Ubuntu: more python3 packages for binary
backport: Stein

During the switch to Stein UCA, we did not switch all packages to python
3 for Debian/Ubuntu binary images. This change switches some more of
those packages.

Change-Id: I0bff21384d88ea678608392de2db1ba418c96665
Co-Authored-By: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
2019-06-06 11:06:58 +00:00
Marcin Juszkiewicz d436001b43 Debian/Ubuntu: move to Python 3 for source images
Commit 43b74ccc15 enabled use of Python 3
based packages but did not switch to use Python 3.

Some of the images still contain Python 2. There are two reasons:

- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04

In the Ceph situation Py3 packages were added. For the second one we cannot do
anything - Py2 dependency got dropped in Ubuntu 18.10 version.

Removed neutron-server-plugin-networking-infoblox due to being not
maintained. Once https://review.opendev.org/#/c/657578/ gets merged
someone may revert that part.

Implements: blueprint debian-ubuntu-python3

Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026

Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
2019-06-06 11:59:03 +01:00
Marcin Juszkiewicz 932f09bcd6 create missing apache2 directory on Debian/Ubuntu
Ubuntu/source deployment of several images (horizon, placement-api, zun)
failed with:

+ exec /usr/sbin/apache2 -DFOREGROUND
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot

Change-Id: Ie2a1077f7def0743f1403341985e2109aa490026
2019-06-03 15:11:24 +02:00
Mark Goddard 856b2c8824 Install udevadm in ironic-conductor image
backport: rocky, queens

A dependency on udevadm was recently added to ironic-lib:

https://review.opendev.org/#/q/I9db48a3462422749290bbb887c14816734ab0478

Change-Id: I6c5746606ab59fd88e35525ecc17a62bfa9211e6
Closes-Bug: #1825784
2019-04-24 10:54:50 +01:00
Alex Schultz b13e8ec315 Use virtual package for ansible
Rather than specify ansible-python3 or ansible, we can try the virtual
package for the python specific version of ansible.

Change-Id: I246edfaf8cc0ee12852c18c6f9027e48880797a4
2019-03-13 08:15:38 -06:00
Alex Schultz 3e5d8e2653 Add python3 packages for RHEL systems
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems.  This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names.  This change only adds python3
package names for RHEL systems.

Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
2019-03-12 17:48:18 +00:00
Marcin Juszkiewicz 43b74ccc15 debian/ubuntu: make use of Python3 based packages
Both Ubuntu Stein UCA and Debian 'buster' migrated their OpenStack
packages to Python 3.

Note that Debian 'buster' is not released yet and contains Rocky
packages. Stein ones will be available later.

Co-Authored-By: Lee Yarwood <lyarwood@redhat.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>

Change-Id: I160f79cc57f54ec3eac857c5babd1a6e2656d228
2019-02-28 13:06:24 +01:00
Alex Schultz ae1322ec10 Use base_package_type
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.

Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
2019-01-17 08:23:41 -07:00
Cédric Jeanneret b4a7bcae62 Do not load iscsi_tcp from within a container.
The module must be loaded from the host directly in order
to avoid any SELinux issues.

There are examples in kolla-ansible and tripleo-heat-templates:
- https://review.openstack.org/#/c/605624/
- https://review.openstack.org/#/c/605450/

Change-Id: Ica68a109c3ed577e6a339ef315b576061cd557e5
Related-Bug: 1794550
2018-11-07 16:32:04 +01:00
Dan Williams b18b6a6d1d Add ironic-staging-drivers to ironic-conductor for RHEL family binary and source based builds.
Change-Id: I1a7533c738edeff4e696e95b9b267c23a78003e9
Closes-Bug: #1796194
2018-10-05 15:27:58 +01:00
Attila Fazekas a917eb7166 Using qemu-kvm on rhel
qemu-kvm-ev was used with centos,
in case of rhel when you have
access to the virtualisation related channels qemu-kvm pulls
qemu-kvm-rhev which is the recommended one.

qemu-kvm-ev was referenced by devstack a long time ago,
but the explicit package install on rhel family today
is qemu-kvm and not qemu-kvm-ev.

I am unsure about the other distros, so just changing rhel.

Change-Id: If6d1e0367730fa80284395be33674a7cd1465389
2018-08-06 10:00:09 +00:00
Zuul d2583735e2 Merge "Apply Ironic rolling upgrade logic" 2018-07-19 05:12:30 +00:00
Martin André 5951977eab Stop using deprecated rpm package names
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.

Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
2018-07-10 16:32:18 +02:00
Duong Ha-Quang 93765f9ef0 Apply Ironic rolling upgrade logic
This patchset applies Ironic rolling upgrade logic [1][2]:
- Add ironic-dbsync online_data_migration to ironic-api image.

[1] https://docs.openstack.org/ironic/latest/contributor/rolling-upgrades.html
[2] https://docs.openstack.org/ironic/latest/admin/upgrade-guide.html#rolling-upgrades

Co-Authored-By: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: I14edf639e5120ea9c81252295161b76bc4514cbe
Implements: blueprint apply-service-upgrade-procedure
2018-07-10 08:28:15 +07:00
Will Szumski d63930e3dd copy iPXE NBP to /tftpboot during PXE bootstrap
This allows you to chainload iPXE from a standard PXE
environment.

As the PXE container already has apache installed, we
now have everything we need to support iPXE booting.

Change-Id: Ide32dc1910e9f8b3ff875238648726f719e271b2
Implements: blueprint ironic-ipxe
2018-05-15 16:21:18 +01:00