This code was valid for centos:8 and centos:stream8, but is not required
for centos:stream9 or rockylinux:9 which do not include this file.
Change-Id: I50f78d73afe0944dd91998ab9799fa2f36cc46a3
Since change I1bc19f8198da3f9ab2ae2a8864c3349b21b0249e we install the
centos-release-ceph-reef package as a dependency, but some code was
still expecting the quincy package.
Change-Id: I8ebcf815d80f3bead25e0078d69b34e17ad013bd
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
This is necessary if using nova-compute with RBD backend (directly,
not via Cinder) and wishing to make an instance image to Glance
while (1) following the recommended Ceph permissions which do not
give Nova write permissions to the images' pool or (2) not using
RBD with Glance or (3) not revealing what Glance actually uses
as the backend (hiding locations).
Change-Id: I88e1e0ca01b2b2effad9515b905cc761fbb5d2d4
The goal of the swtpm project is to provide a TPM emulator (TPM 1.2 &
TPM 2) that can be integrated into virtualized environments, such as
virtual machines and containers.
Nova supports it for quite a while:
https://review.opendev.org/c/openstack/nova/+/631363
Change-Id: Ifb7e0f1632805807851720873a70179218bdf372
OpenStack 'zed' requires Python 3.8+ so RHEL 8 family has to go.
This changeset moves to CentOS Stream 9 while move to RockyLinux 9 is
planned as final solution.
CI moved to CentOS Stream 9 nodes.
Depends-on: https://review.opendev.org/c/openstack/kolla-ansible/+/839715
Change-Id: I113b9984294cf8663d3fc0c8840320e1d40ea731
Tim Shearer started it in 1d96a2bbe1.
Since all extend_start files are sourced rather than executed, the executable
bits are now cleared throughout the project.
Change-Id: Ia1797c32fc6a35f9f077c673abf4d8e16e51a760
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256
mechanisms. These can be used for libvirt SASL authentication.
Change-Id: I13e19ca29eeab40cd08fa3afe2cdf7531867f81b
Partial-Bug: #1964013
We should use the same Python OVS bindings package
version as running OpenvSwitch. See related bug.
Closes-Bug: #1961874
Change-Id: Id6968e3ec1093f26f25f3045e2a6d8cc4f41adaa
This is noop on CentOS (it was installed as a dep already - better
be explicit) but installs qemu-img (and other qemu utils) on
Debian and Ubuntu.
qemu-img may be used by libvirtd to create non-raw images as it
happens, e.g., when Kolla's libvirtd is used by tenks.
Change-Id: Ib79b8486f4d5064e4f249201d28cf5d6541c69ef
This reverts commit 7de91fd603.
Reason for revert: Nova dropped pypowervm dependency so we do not need to handle it anymore.
Change-Id: I8bb6c4c07c30f108e77fbb8cdc38d634b42b900f
The EPEL8 repository doesn't provide the necessary spice-html5 package,
and the image is marked unbuildable for CentOS. Let's not make EPEL look
more useful than it is.
TrivialFix
Change-Id: Ia37792ca6e5b40156ebd57b6c290d1ee9d4ff87a
The nvme-cli package is required to get the nvme command executed by
os-brick, which is used by nova-compute.
We don't need to explicitely install it for centos binary images, as it
is required by os-brick which is required by openstack-nova-common, but
all other types of images were missing it.
Change-Id: I754939da7636c57d2a8d5b83debb5d8a58e38432
Closes-Bug: #1953509
Nova depends on pypowervm for POWER architecture support. But it is
unmaintained upstream and breaks CentOS builds (wants to install Py2
only 'futures' package).
Change-Id: Ife9385c93239e910db2e4405ec4661f667357bc0
libguestfs package fetched kernel-core one which fetched linux-firmware.
We remove the last one and save ~500MB of space:
before/centos-binary-nova-compute: 3.3GB
after1/centos-binary-nova-compute: 2.71GB
Closes-Bug: #1946801
Change-Id: I98cc19c95fcec07dd4e494c14c09938d754f1de0
edk2-ovmf introduced a bug [1] and results libvirt/qemu errors
It's going to be fixed in next rebase to libvirt 7.4.0 - but let's pin for now.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1961558#c10
Change-Id: I0cb0512ef40c48353d582b1c37a446f251b79ac7
We do not test support for ppc64le on CI or other systems.
In previous cycles it was used by TripleO and now they have own way.
Change-Id: Ibd955869a6f9485dfa4d08a8ad2f4b28b7d59c15
With RDO use we did not disabled some repositories. This patch disable
them and enable where needed.
Change-Id: Ia9d537fe9c1ad54789d2bfb4027254fbb3defe7e
There are several images installing 'python3-libvirt' package. Which for
Debian reside in 'libvirt' repo. So let's enable it where needed.
Change-Id: I1c91d27f2578f5ca7c83c4747725b1d9371880b0
nova-compute uses daxio to cleanup vpmem backend device on instance
delete. If the daxio binary is missing in the nova-compute container
instance delete fails. daxio is provided in centos via daxio, in
ubuntu via the pmdk-tools package.
Change-Id: Ifb5948653565e2ae902783762e20e33527020efe
Closes-Bug: 1907124
Refactor installing and initial setup of httpd and mod wsgi from
individual services to base image.
Change-Id: I651a55a9ebe258ef403d33de010a4dfb368a4021
This is no longer required when Kolla-Ansible is patched.
Note this is *not* safe to backport as it requires the user to
have Kolla-Ansible patched, i.e. would normally break most.
Change-Id: Ic5b9a58d212711a4d6c13822548c92013a6bae50
Related-Bug: #1681461
Depends-On: https://review.opendev.org/735441
This patch modifies the Dockerfile for the Nova API so that
the 'root' user executes the container setup scripts.
This enables the container httpd configuration script to execute.
Change-Id: I374af00a374346840c12777a530d39768b28c908
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/725962
Michal Wyszkowski