This code was valid for centos:8 and centos:stream8, but is not required
for centos:stream9 or rockylinux:9 which do not include this file.
Change-Id: I50f78d73afe0944dd91998ab9799fa2f36cc46a3
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
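
A defender-side check for the condition described in the commit message above, added here as an illustration and not taken from the kolla repository. The function names, the `*rootwrap*`/`*privsep*` path patterns and the sample tree are assumptions made for the example.

```sh
# Added example: function names and the sample tree are hypothetical.
# List rootwrap/privsep config paths under a directory that a non-trusted
# user could modify: not owned by the trusted owner (default root), or
# writable by group or by others.
audit_rootwrap_cfg() {
    dir="$1"
    owner="${2:-root}"
    find "$dir" \( -path '*rootwrap*' -o -path '*privsep*' \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print | sort
}

# Constructed sample tree standing in for a service's config directory.
# One filter file is deliberately left group-writable.
make_sample_tree() {
    t="$(mktemp -d)"
    mkdir "$t/rootwrap.d"
    : > "$t/rootwrap.conf"
    : > "$t/rootwrap.d/service.filters"
    : > "$t/service.conf"
    chmod 755 "$t/rootwrap.d"
    chmod 644 "$t/rootwrap.conf" "$t/service.conf"
    chmod 664 "$t/rootwrap.d/service.filters"
    printf '%s\n' "$t"
}

# Demo run: the current uid is passed as the trusted owner so the example
# behaves the same with or without root.
demo_tree="$(make_sample_tree)"
audit_rootwrap_cfg "$demo_tree" "$(id -u)"
rm -rf "$demo_tree"
```

Inside an image the second argument would normally be left at its default of root, so any file owned by the service account is reported as well.
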
OpenStack 'zed' requires Python 3.8+ so RHEL 8 family has to go.
This changeset moves to CentOS Stream 9 while move to RockyLinux 9 is
planned as final solution.
CI moved to CentOS Stream 9 nodes.
Depends-on: https://review.opendev.org/c/openstack/kolla-ansible/+/839715
Change-Id: I113b9984294cf8663d3fc0c8840320e1d40ea731
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
This is a follow-up on "Refactor httpd install to base image"
[1].
It seems a copy-paste algorithm was used to craft Dockerfiles
for some httpd-enabled services which resulted in an abundance of
ldappool packages getting installed, even in the 'source' case.
This seems to have also kept ldappool at a lower version because
it did not get updated via pip later.
This patch deals with that and also moves ldap deps for Keystone
to their proper place in 'source' case (extras).
Note Keystone client gets installed in openstack-base.
Cinder does not need to include Keystone either.
[1] https://review.opendev.org/744037
Change-Id: I017d7a6a5d2b1ae6c04556dcf172453a36de5be7
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
This fixes the issue when keystone-manage output included
backslashes and/or double quotation marks which broke JSON string.
Change-Id: Ifae18c407210c12745d29fc4c95dca69aeafe6a8
Closes-bug: #1866017
The centos:8 image contains a /run/nologin file, which prevents SSH
access to it. Remove this file in the keystone_ssh and nova_ssh images
to allow login via SSH.
Change-Id: I59dc2c4207af6812501b6c6acdb34e51a3e848c4
Partially-Implements: blueprint centos-rhel-8
* Some further changes for python2 vs python3 packages
* Allow rabbitmq 3.7.*, since a newer erlang is available
* Switch from qemu-img-ev to qemu-img on CentOS 8
* bridge-utils no longer available on CentOS 8
* libvirt-daemon-driver-lxc no longer available on CentOS 8
* Mark some more images buildable for CentOS 8
Change-Id: Iaf5b68ff6d944ae730ca0b1d5832172c106a6c08
Partially-Implements: blueprint centos-rhel-8
Partially-Implements: blueprint centos-rhel-python-3
Change is required to properly implement logic in fernet-node-sync.sh on
kolla-ansible side - to add a check if fernet key store is populated with
required number of tokens.
Change-Id: I51ed61e34a1dd79532b4528e56a9cd9011d46e6d
Related-Bug: #1846789
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.
Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.
Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
In some situations, Keystone bootstrap can fail, and then unhelpfully
fails displaying the error message output by the 'keystone-manage
bootstrap' command. This appears to be due to unprintable control
characters in the error message which prevent the output of the script
from being valid JSON.
This change fixes the issue by piping the output through 'cat -v', which
replaces unprintable characters with control codes.
Change-Id: I82444bc2272311023cc9e92c5a298d1c4c87483b
Closes-Bug: #1855701
backport: Stein
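
The two JSON-output fixes described in this log (control characters handled with `cat -v` in the commit message above, backslashes and double quotation marks in the earlier entry for bug #1866017) combined into one sketch. This is an added example, not the script from the kolla repository; the function names, the JSON field names and the sample error text are constructed.

```sh
# Added example: names, JSON fields and sample text are constructed.
# Stand-in for a failing command's output: ANSI colour escapes, double
# quotes, a backslash and two lines.
sample_output() {
    printf 'ERROR \033[31mbad "value"\033[0m\nin C:\\temp\n'
}

# Make arbitrary text safe to embed in a JSON string:
#  1. cat -v rewrites unprintable control characters in ^X notation
#  2. sed escapes backslashes first, then double quotes
#  3. tr folds newlines and tabs (which cat -v leaves alone) into spaces
json_safe() {
    cat -v | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr '\n\t' '  '
}

# Naive version: raw output is interpolated, so the ESC bytes, the bare
# quotes and the newline all end up inside the JSON string.
emit_naive() {
    printf '{"failed": %s, "stdout": "%s"}\n' "$1" "$(sample_output)"
}

# Sanitised version: the message goes through json_safe first.
emit_result() {
    msg="$(sample_output | json_safe)"
    msg="${msg% }"   # drop the space left by the final newline
    printf '{"failed": %s, "stdout": "%s"}\n' "$1" "$msg"
}

emit_result true
```
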
During the switch to Stein UCA, we did not switch all packages to python
3 for Debian/Ubuntu binary images. This change switches some more of
those packages.
Change-Id: I0bff21384d88ea678608392de2db1ba418c96665
Co-Authored-By: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Commit 43b74ccc15 enabled use of Python 3
based packages but did not switch to use Python 3.
Some of the images still contain Python 2. There are two reasons:
- Ceph (ceph-common depends on Py2)
- python3-ldappool on Ubuntu 18.04
In Ceph situation Py3 packages were added. For second one we can not do
anything - Py2 dependency got dropped in Ubuntu 18.10 version.
Removed neutron-server-plugin-networking-infoblox due to being not
maintained. Once https://review.opendev.org/#/c/657578/ gets merged
someone may revert that part.
Implements: blueprint debian-ubuntu-python3
Depends-on: Ie2a1077f7def0743f1403341985e2109aa490026
Change-Id: Ibfe0c2b8be98db56c61f74fb0247488ab3749ef4
Ubuntu/source deployment of several images (horizon, placement-api, zun)
failed with:
+ exec /usr/sbin/apache2 -DFOREGROUND
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
Change-Id: Ie2a1077f7def0743f1403341985e2109aa490026
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
Both Ubuntu Stein UCA and Debian 'buster' migrated their OpenStack
packages to Python 3.
Note that Debian 'buster' is not released yet and contains Rocky
packages. Stein ones will be available later.
Co-Authored-By: Lee Yarwood <lyarwood@redhat.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>
Change-Id: I160f79cc57f54ec3eac857c5babd1a6e2656d228
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
These packages produce a warning during the installation, we should
switch to their new names, usually to be specific about their use of
python2.
Change-Id: I0a80e822f64222d9a32aabd1fd834bcf794d6320
Currently this causes bash to echo all lines parsed
and executed; which makes it not so nicely output the
bootstrapping password.
This is not something we should encourage and have show
up in people's logs or other so stop doing that.
Change-Id: Iac963a5df393d0359b4c8f93b8756ca168f6f193
The packages needed for authentication using kerberos for keystone
landed in a recent patch [1]. Unfortunately, shortly after the patch
merging I was informed that the preferred module is mod_auth_gssapi
nowadays (given that there is a planned deprecation for mod_auth_kerb).
[1] I9ef972ea5a8e9cf4d1ed43ef27203576d9382822
Change-Id: I5f1aa4a959fd91b164a697e98e253fcab0fc1572
Currently when this is being run, and say ara is being used to
capture the running of kolla-ansible ara will capture the full
command line run (even if no_log is set); because by default these
modules do not hide what they are running.
So to avoid the situation where the command line shows the password
have this also be able to take in the password via an environment
variable as well (which ara will not capture).
Change-Id: I4d42d592d8031d0f3923bccc6b2db1149af08e75
The pip packages are normally already configurable with the
<image_name>_pip_packages variable. It doesn't make much sense to make
the list of packages installed with the plugins mechanism configurable
via the <image_name>_plugins_pip_packages variable too.
And even if we wanted to, the parameter to the `customizable()`
function should be 'plugins_pip_packages' and not 'pip_packages'.
This commit removes the customizable bits from the plugins install
macro, at least until we get a good use case for it.
Change-Id: I90dd28b8c5d981e6028af353e34645712ef09b0b
There should be no pip install in binary builds, move the installation
of the downloaded bits where it belongs into the 'source' install_type
section.
Change-Id: I6d8609d072d18e635250df1c1e9aa687ce1f769d
This allows deployers to pass arbitrary parameters to the keystone-manage
commands. Which can be useful to pass the keystone log dir and file as an
empty environment variable, which, in turn, will allow us to make the db
sync command to log to stdout instead of the file.
Change-Id: Id9e8c641a6b00725d2f5c9623b05854a1b4e2af2
centos based images have wrong label info,
these changes fix own image's name and build-date.
Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341