Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.
Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.
Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.
Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.
Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
Swift-recon-cron requires rw access to the lock path
specified in in object-server.conf file. Currently it
doesn't exist in Swift containers
Closes-Bug: #1926203
Change-Id: Id3f824b741a5aa98efc7162fb7d49657e86a2bee
The UCA packages seem to be removing the swift user from the kolla
group. Explicitly add it after installation.
Closes-Bug: #1905279
Change-Id: I51c7c6e2f520a582de0409025eb5d1a6da2952a2
There is a time once every 2 years when ubuntu team releases new LTS
release. And then UCA joins with binary packages for current OpenStack
development cycle.
It is this time for Ubuntu 20.04 'focal'.
Depends-On: https://review.opendev.org/745156
Change-Id: I045aa6b4b4fd83fbe7d1fda89549f0ef1e88ec12
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.
We also no longer have to support yum as a value for
distro_package_manager.
Partially-Implements: blueprint centos-rhel-8
Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
Instead of doing a recursive chown on /srv/node, chown only /srv/node
and any immediate subdirectory under /srv/node.
Change-Id: I8fd93fa77ba9fc63910360300b8783a34bd4e6d5
Closes-Bug: #1851169
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems. This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names. This change only adds python3
package names for RHEL systems.
Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.
Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
Due to there is no way to execute swift graceful shutdown commands
from swift-bootstrap container to swift service containers, so
we need to revert the patch set at [1].
[1] https://review.openstack.org/#/c/560248/
Change-Id: I3363895347c535054584d63e22284c211ca38ad6
Apply Swift rolling upgrade based on recommendations from Swift PTL John
Dickinson at [1]
[1]https://www.swiftstack.com/blog/2013/12/20/upgrade-openstack-swift-no-downtime/
Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Co-Authored-By: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: Ic59a2d2dda3469af5d4259e020d22b619ff7d603
Implements: blueprint apply-service-upgrade-procedure
build-swift-ring.py is an ancient artifact from early Kolla days when
Swift was first implemented. It's not documented nor recommended to be
used.
Change-Id: I98f567067e455344ed68774cb35c3f3db26be74d
There are corresponding ansible changes to go with these image
changes - add nc to swift image, and create dir for lock files.
nc allows for rsync replication to easily target {{ swift_rsync_port }}
change the lock file location for swift user to access - see bug
for more details.
Change-Id: I78826aeee35601ff65cbe50932482ef2f68346ae
Closes-Bug: #1733851
The rational for packaging swift-object-expirer in
openstack-swift-proxy is detailed in
https://bugzilla.redhat.com/show_bug.cgi?id=1382921
It is a conscious packaging choice and not a bug, and as so update the
comment in swift-object-expirer image.
Change-Id: Ibccfa1482d3aeccf86a57603d9dedecbcc7d097c
centos based images have wrong label info,
these changes fix own image's name and build-date.
Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
Use LABEL instruction instead of MAINTAINER (deprecated) instruc-
tion as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated
Closes-Bug: #1683652
Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
Debian support is not maintained in Kolla so it got a bit behind Ubuntu
one. This changeset enables Debian for all images. Jessie (even with
backports) may be too old for some images though.
Also unify distro check to ['debian', 'ubuntu'] to keep alphabetical order
like it is done for RPM distributions.
Partially-Implements: blueprint multiarch-and-arm64-containers
Change-Id: I056233fbfa277e0e2360c07c3f80d9558c554357
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)
Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7
include_header and include_footer parameter is already removed, remove
them in all Dockerfiles.
Add missing footer block.
Change-Id: I90da03eb9f95a3827361d5f5ede65fde7d6be2b3
This centralizes all user and group creation into a single source. This
will fix any current and furture uid/gid mismatches (such as with
nova-libvirt).
In the process, we also unify users between the distros in a standard
way. The users in the following containers change from thier defaults:
Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions
All uid and gid numbers are customizable via kolla-build.conf
Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid
The swift-object-expirer is provided by the 'openstack-swift-proxy'
package and thus it is unavailable on swift-object image. This change
adds a new Docker image to fulfill this requirement and stop using
swift-object image in this case.
This image is needed while RDO does not fix the packaging. The issue
is being tracked in:
https://bugzilla.redhat.com/show_bug.cgi?id=1382921
Change-Id: Idc7ee92d756d8923da2198ede33abf5ed1142041
Closes-Bug: 1630425
Change needed to add header blocks to all Dockerfiles, similar to the
base.
Use case is to easily run something before packages are installed, e.g.
to COPY a local rpm in that can be added to the package list.
Change-Id: I1bbfdf0b762da0a392aa8bf47781315b45377bee
Closes-Bug: 1618969
* Inspected each error and fixed / added nosec where appropriate.
* build-swift-ring.py which was throwing sec errors is no longer used so
removed it.
* Removed the dev/ directory from being checked.
Closes-Bug: #1617713
Change-Id: I25664cabca4137e5c9f499c1af3f5ce78b86fb56
Currently if the install_packages macro is run with an empty
package list, it will add a yum or apt-get command with no
packages listed.
This bug fix aims to omit this line when no packages have
been given, or, the operator wants to use the "_override" /
"_remove" functionality to disable all packages being
installed in a Dockerfile.
Co-Authored-By: Paul Bourke <paul.bourke@oracle.com>
Change-Id: Ifaaaebfccc3adb0f2f68a35ac08e59378bc87fdb
Closes-bug: 1612446
This patchset contains customization of Dockerfile of Swift
containers.
Change-Id: I69250c4d9f6cc3949c9b9b52ea4b0cc2aec0231e
Partially-implements: blueprint third-party-plugin-support
This PS configures swift-rsyncd process to use non-default port
from the range above 1024.
Change-Id: I7c37c548a5185a2ffac789383fe012619e401131
Closes-Bug: #1573137