Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potentially vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow running arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
Tim Shearer started it in 1d96a2bbe1.
Since all extend_start files are sourced rather than executed, the executable
bits are now cleared throughout the project.
Change-Id: Ia1797c32fc6a35f9f077c673abf4d8e16e51a760
As we have one type of image now, some RUN calls could be merged so we
will have fewer layers in the resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
Patch adds a script in the monasca-thresh image that can be used
to check if a topology exists in Storm, and optionally kill it.
This is part of a bug in kolla-ansible where topologies were
not submitted to Storm, but run locally. This patch includes
a topology check script enabled by KOLLA_BOOTSTRAP which will exit
kolla_start if the topology exists, and optionally enables topology
removal (to allow replacement) enabled by TOPOLOGY_REPLACE.
Topology names and various timeouts may be customized. If the
new env variables are not set, existing behavior is unchanged.
Partial-Bug: #1808805
Change-Id: If8f0730031435dda4235b7f2d2c23e5f5f767f87
Refactor storm image dependencies. Previously we had:
base -> storm -> monasca-thresh
Both storm and monasca-thresh images are final, and each includes a
footer. This causes issues when the footer expects to be at the end of
the image, or there to be only a single footer. In particular, since
I2592a736206eaec811290e9fbdbf2540c0518ffe, the footer used in CI jobs
reverts to the public package mirrors.
This change introduces a storm-base image, and refactors the dependency
chain:
base -> storm-base -> storm
base -> storm-base -> monasca-thresh
Related-Bug: #1902101
Change-Id: I53e8ba8d4baa4434cf3c49ed94d1f7cb44099bee
This patch is adding libffi-dev to build_packages
for Debian/Ubuntu which is fixing monasca-grafana build.
Change-Id: I67f93687d70f1c8c92719857cbf74971d9a17ae6
Currently we use a couple of curl options throughout Dockerfiles. This change
adds all common options to curlrc (-sSLf) and removes usage of those in
Dockerfiles.
Change-Id: I46b77978926fc2b578a68d1aaa944b2198af0685
There is a small subset of images where we need to know which install_type
or install_metatype is used. So add them only there (and their
children).
Change-Id: Ib7d5e36b958d6c8daf2989df32e29fa24b46c62a
Implements: blueprint infra-images
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
Monasca, since the Train release, has supported a unified API for both
logs and metrics. The Log API is no longer required.
Change-Id: I5a59a84b00a1770bfaf7257295e82bb5b92df029
In Train kolla switched to Python 3 in Debian and Ubuntu source images.
For services running under httpd with mod_wsgi, they should install
libapache2-mod-wsgi-py3 rather than libapache2-mod-wsgi. This was done
for most images, but cyborg and monasca were omitted. This change fixes
that.
Change-Id: I25cfa62dbf20490685617b4a4185bf95ab91725e
Closes-Bug: #1873421
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
Affected builds on Ubuntu which had:
npm 3.5.2
while the latest was:
npm 6.13.4
And CentOS had:
npm 5.6.0
This patch runs npm update via npm.
Pinned to 6.x.
Additionally, this moves npm packages prefix (root) to
/usr/local to avoid conflicts with native packages.
Change-Id: Ibaacc1cc478b2b2f8196a5da4eea3570d7d310ff
Closes-bug: #1856699
All Apache httpd setup has been moved to a new helper script,
kolla_httpd_setup. This includes the existing clean of /run/httpd,
/var/run/httpd, /tmp/httpd etc.
Horizon has an additional bit of Apache config for Debian/binary, which
has been kept in extend_start.sh for horizon.
Change-Id: Ia2af74b69c151db0bd7e452460b0babcee50b282
Related: blueprint centos-rhel-8
'monasca-common' is used by several monasca images:
- agent
- api
- log-api
- notification
- persister
So build it once.
Change-Id: I33fbc77562d3806695345ffd7504ef3385f7564a
Rake 13.0.0 (released today) depends on Ruby 2.2, but CentOS 7 only
provides Ruby 2.0.
This change pins rake in the monasca-grafana image to versions earlier
than 13.0.0.
Change-Id: Id9a76f459aff016fbc920370c0a3ec58e0397fcb
Closes-Bug: #1845647
This prevents the filesystem from filling up with Apache Storm
temporary files which will otherwise not be cleared.
Change-Id: Ib07e32f4e67e500f10986103d781dfd3874ffdd2
Partial-Bug: #1839149
The prometheus_client package is required to use the Prometheus plugin.
It makes sense to include this dependency by default since Kolla Ansible
can deploy many Prometheus exporters, making it easy to scrape their
metrics and store them in Monasca. The increase in size of the container
image is negligible.
Change-Id: I9b0a162513ed436930c4541b758fc9cb2ef97e96
Good to have proper Java version. Better is when JAVA_HOME is also
adjusted to point to proper directory. And to have it set proper way.
Change-Id: I0f83c3498028135751b0b887665d009e5e19410f
Ubuntu/source deployment of several images (horizon, placement-api, zun)
failed with:
+ exec /usr/sbin/apache2 -DFOREGROUND
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
Change-Id: Ie2a1077f7def0743f1403341985e2109aa490026
fixes build issue under Debian:buster on AArch64:
In file included from confluent_kafka/src/confluent_kafka.c:17:
confluent_kafka/src/confluent_kafka.h:22:10: fatal error: librdkafka/rdkafka.h: No such file or directory
#include <librdkafka/rdkafka.h>
^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
error: command 'aarch64-linux-gnu-gcc' failed with exit status 1
Under Ubuntu it is still broken because librdkafka is too old.
Change-Id: I1e54645ea5805f985c9bd04f9936ea3edbebfd31
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
Many images have 'if x86_64 then amd64 elif aarch64 then arm64' check to
comply with Debian like architecture names in several projects.
This patch creates 'debian_arch' variable which can be used in all
Docker files (similar to 'base_arch' one).
All required images got converted to use it.
Change-Id: I9c5e6f13d6c9b24fe323408512bd5aef290111ad
Percona started signing packages with a new public GPG key, without
providing it via HTTPS. Ship the PERCONA-PACKAGING-KEY extracted from
the percona-release package.
https://jira.percona.com/browse/PT-1685
monasca-grafana broken by 'rake' missing when trying to install the
'fpm' gem.
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: Ica9867448dc20864f2fd4614a295a23a4a625af4
Closes-Bug: #1813906
Closes-Bug: #1813927
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
This provides support for building the Monasca fork of Grafana
which features Keystone integration.
It is primarily for use with the Monasca Grafana datasource, although
other datasources can be installed if required.
In the future it would be more efficient to build and host the packages
externally.
Implements: blueprint monasca-grafana
Change-Id: I6cb175868d1993ae31700de36b721f4833c4164b
Monasca-thresh inherits from the Storm container, but we want
it to write logs to the Monasca logs directory. In this commit
we overwrite the script which configures the Storm log directory
with the Monasca script.
Change-Id: Id961134e424117ebefb088021faaf37fa02757d7
Partially-Implements: blueprint monasca-containers
The monasca-thresh container is special in that it inherits from
the Storm container so that it has access to the Storm client.
We could make monasca-base inherit from Storm, but it would
bloat the other Monasca images which may not run on the same
nodes as the Storm topology.
Partially-Implements: blueprint monasca-containers
Change-Id: Idd1703b72e45bb9d124e06a28738b18da0bc6918
Support has recently been added for managing the Monasca DB
with alembic. This change takes advantage of that.
Partially-Implements: blueprint monasca-containers
Change-Id: I89084ac0076eff099e567b32de249df9f0115e82