Commit Graph

106 Commits

Author SHA1 Message Date
Michal Arbet 7f5a904e98 Fix openstack CADF audit maps and installation
This patch fixes missing pycadf's audit maps
for services and changes the way pycadf
is installed.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/905858

Closes-Bug: #2047941
Change-Id: I9b43d1a9990ad8aa7381ea81b0f2d692967be949
2024-01-17 11:52:20 +00:00
Takashi Kajinami d7e497ce52 Swift: Remove unused rootwrap
Swift does not use oslo.rootwrap. Thus the command and its config file
are just useless.

Change-Id: If4e346c2db841aad9b2ddac049dbbbc1ba5782ec
2023-11-27 00:11:41 +09:00
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00
Marcin Juszkiewicz e21aeb5ae9 flatten images a bit
As we have one type of images now some RUN calls could be merged so we
will have less layers in resulting images.

Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
2022-04-21 18:53:14 +00:00
Tim Shearer 1d96a2bbe1 Adjust permissions on _extend_start files.
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.

Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
2022-04-11 17:22:24 +02:00
Marcin Juszkiewicz 1749da2fbf docker: drop binary parts
Big patch drops all mentions of binary images support. Suggestions are
welcome how to split it into parts or handle better.

Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
2022-04-09 17:44:26 +02:00
Stanislav Dmitriev ff25b500d2 Add Swift lock path in Swift containers
Swift-recon-cron requires rw access to the lock path
specified in object-server.conf file. Currently it
doesn't exist in Swift containers

Closes-Bug: #1926203
Change-Id: Id3f824b741a5aa98efc7162fb7d49657e86a2bee
2021-11-18 20:20:26 -05:00
likui 62b37f0453 remove unicode from code
Change-Id: I616ab0d81b961effaa3b4a8639b1d06327473f08
Implements: blueprint remove-unicode
2021-01-03 12:45:34 +08:00
Mark Goddard aa3208ea0f swift: fix group membership in debuntu/binary
The UCA packages seem to be removing the swift user from the kolla
group. Explicitly add it after installation.

Closes-Bug: #1905279

Change-Id: I51c7c6e2f520a582de0409025eb5d1a6da2952a2
2020-11-24 09:28:03 +00:00
Marcin Juszkiewicz d2966452c5 ubuntu: move to 20.04 Focal
There is a time once every 2 years when ubuntu team releases new LTS
release. And then UCA joins with binary packages for current OpenStack
development cycle.

It is this time for Ubuntu 20.04 'focal'.

Depends-On: https://review.opendev.org/745156
Change-Id: I045aa6b4b4fd83fbe7d1fda89549f0ef1e88ec12
2020-08-07 14:38:02 +00:00
Zuul 2f66efdf5e Merge "Remove support for CentOS 7" 2020-04-15 14:02:57 +00:00
Marcin Juszkiewicz 53443c5c71 Remove support for CentOS 7
With the move to RHEL/CentOS 8 we no longer have Python 2 in our images
so there is no need for checking which Python version (2.x or 3.x) is
used inside of containers.

We also no longer have to support yum as a value for
distro_package_manager.

Partially-Implements: blueprint centos-rhel-8

Change-Id: Ie45cf3465fedddbde7856961527421883ba3d5c9
2020-04-15 09:32:06 +00:00
Marcin Juszkiewicz 6f7f241d94 swift: use python3 for scripts
We no longer ship Python2 in images so use Python 3 in scripts.

Change-Id: I428099d66715d6156a891d6f682f52e49f1b7753
2020-04-08 21:08:27 +00:00
Christian Berendt 861f55fbfd Add block labels to all Dockerfiles
Change-Id: I9692dda817ef134d647247431565e1b58cf9da41
2020-03-01 17:25:58 +00:00
Radosław Piliszek faec906090 Drop weird swift rootwrap config (xenapi with placeholder values)
Change-Id: I5514c53002a9e772b96e767b10fddf6342c7eb1d
2020-02-19 20:54:06 +01:00
Dincer Celik 190a6f7a26 Fixes swift-object-expirer for Debian and Ubuntu binary images.
Replaces 'swift-object' package with 'swift-object-expirer' package.

Change-Id: I8fa3fcad88b35743e042d8a62ccee722b08af673
Closes-Bug: #1859607
2020-01-20 15:21:11 +03:00
Martin Chlumsky 2d122afaf9 swift-rsyncd: don't recursively chown /srv/node at startup
Instead of doing a recursive chown on /srv/node, chown only /srv/node
and any immediate subdirectory under /srv/node.

Change-Id: I8fd93fa77ba9fc63910360300b8783a34bd4e6d5
Closes-Bug: #1851169
2019-11-05 09:12:46 -05:00
Marcin Juszkiewicz 8f22e9ebb3 swift-proxy-server: Ubuntu is still on Python 2
Change-Id: Ie174d1154bfe9295e5dae05ac885a5fa88487d4d
2019-10-03 08:17:26 -07:00
Zuul 25c5ac4722 Merge "swift-proxy-server: use Python 3 for Debian/Ubuntu" 2019-10-02 14:07:54 +00:00
Mark Goddard d61c54be9d Install rsync in swift-base containers on Debian/Ubuntu
This is used by the replicator services.

Change-Id: Iad7ad20542a159469d95e990c20564633046b251
Closes-Bug: #1846207
2019-10-01 15:55:17 +01:00
Marcin Juszkiewicz 061f9ce040 swift-proxy-server: use Python 3 for Debian/Ubuntu
Change-Id: I035c4fe7308adb851f93753a8e71fec8965c6704
2019-10-01 02:04:14 -07:00
Alex Schultz 3e5d8e2653 Add python3 packages for RHEL systems
RDO is currently working on python3 support for the next version of
CentOS/RHEL based systems.  This package uses the distro_python3 flag
that was added as part of I4028991bad92c0e8e21066cc4173c06ce5eba393 to
use the python3 specific package names.  This change only adds python3
package names for RHEL systems.

Conflicts-With: https://review.openstack.org/#/c/636457/
Change-Id: Iad6b70b433a0dd1b0f8ae6790fd280594517661a
Related-Blueprint: python3-support
2019-03-12 17:48:18 +00:00
Alex Schultz ae1322ec10 Use base_package_type
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.

Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
2019-01-17 08:23:41 -07:00
Ha Manh Dong 065651a3fb Revert the patch set "Apply Swift rolling upgrade"
Because there is no way to execute swift graceful shutdown commands
from swift-bootstrap container to swift service containers,
we need to revert the patch set at [1].

[1] https://review.openstack.org/#/c/560248/

Change-Id: I3363895347c535054584d63e22284c211ca38ad6
2018-08-06 16:18:30 +07:00
confi-surya dc1389bc58 Apply Swift rolling upgrade
Apply Swift rolling upgrade based on recommendations from Swift PTL John
Dickinson at [1]

[1]https://www.swiftstack.com/blog/2013/12/20/upgrade-openstack-swift-no-downtime/

Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Co-Authored-By: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: Ic59a2d2dda3469af5d4259e020d22b619ff7d603
Implements: blueprint apply-service-upgrade-procedure
2018-07-13 10:26:36 +07:00
Paul Bourke 901584ad36 Remove old unused script from swift-base
build-swift-ring.py is an ancient artifact from early Kolla days when
Swift was first implemented. It's not documented nor recommended to be
used.

Change-Id: I98f567067e455344ed68774cb35c3f3db26be74d
2017-12-12 12:19:03 +00:00
James McCarthy f7b453d95b Update swift for replication issues
There are corresponding ansible changes to go with these image
changes - add nc to swift image, and create dir for lock files.

nc allows for rsync replication to easily target {{ swift_rsync_port }}

change the lock file location for swift user to access - see bug
for more details.

Change-Id: I78826aeee35601ff65cbe50932482ef2f68346ae
Closes-Bug: #1733851
2017-11-28 13:59:43 +00:00
Martin André f0f4e70f1e Clarify comment about swift-object-expirer for RDO
The rationale for packaging swift-object-expirer in
openstack-swift-proxy is detailed in
https://bugzilla.redhat.com/show_bug.cgi?id=1382921

It is a conscious packaging choice and not a bug, and as so update the
comment in swift-object-expirer image.

Change-Id: Ibccfa1482d3aeccf86a57603d9dedecbcc7d097c
2017-06-09 08:27:43 +02:00
shaofeng_cheng 627f6ce2f4 Add ceilometermiddleware in swift-proxy-server
Add ceilometermiddleware package in swift-proxy-server image.

Change-Id: I4075d14211778347afe7c03b661723f5a8e18c7a
Closes-Bug: #1691629
2017-05-18 14:50:49 +08:00
Jawon Choo 31259fa595 Override image's meta info.
centos based images have wrong label info,
these changes fix own image's name and build-date.

Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
2017-05-03 11:08:17 +09:00
Chen 8c463a47a9 Use LABEL instead of MAINTAINER (deprecated) in all Dockerfile.j2
Use LABEL instruction instead of MAINTAINER (deprecated) instruction
as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated

Closes-Bug: #1683652

Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
2017-04-20 16:50:05 +09:00
Marcin Juszkiewicz 69fef5cd59 debian: enable all images enabled for Ubuntu
Debian support is not maintained in Kolla so it got a bit behind Ubuntu
one. This changeset enables Debian for all images. Jessie (even with
backports) may be too old for some images though.

Also unify distro check to ['debian', 'ubuntu'] to keep alphabetical order
like it is done for RPM distributions.

Partially-Implements: blueprint multiarch-and-arm64-containers

Change-Id: I056233fbfa277e0e2360c07c3f80d9558c554357
2017-04-04 22:48:18 +02:00
Chao Guo 961224c6cf Use install-pip macro in most source images
1. Enable customization of pip packages in source
branch of most images
2. All pip packages install uniformly through
install-pip macro, user can easily customize his
own pip command (For example using a mirror)

Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: If09582039f690fa4136e8f33200d5da15e092da7
2017-02-17 08:49:32 -03:00
Jeffrey Zhang e5903d5fa9 Remove include_header and include_footer in all Dockerfiles
include_header and include_footer parameters are already removed, remove
them in all Dockerfiles.
Add missing footer block.

Change-Id: I90da03eb9f95a3827361d5f5ede65fde7d6be2b3
2017-02-05 10:44:48 +08:00
zhubingbing 40efebd61f Fix swift dockerfile
* remove /var/log/swift
* fix code format

Change-Id: If10e668ed612df76c91e54947cf11910f7f1c707
2017-01-28 08:35:22 +00:00
Sam Yaple 58eee09c15 use static uid/gid in images
This centralizes all user and group creation into a single source. This
will fix any current and future uid/gid mismatches (such as with
nova-libvirt).

In the process, we also unify users between the distros in a standard
way. The users in the following containers change from their defaults:

Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions

All uid and gid numbers are customizable via kolla-build.conf

Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid
2017-01-17 09:02:21 -03:00
Jeffrey Zhang 6ef486fbff Remove footer block and variable in *-base images
Change-Id: I39aa88489f744f779150695f3f55ef80d42e1c61
Closes-Bug: #1653247
2017-01-05 22:05:29 +08:00
Chao Guo f2328f0ed5 Remove unneeded oslo-rootwrap in swift-base
Oslo-rootwrap is not needed by swift, so remove it.

Change-Id: Ic35ffabc7078fd66b2626ad5622a1585794f5d62
2016-12-26 09:01:04 +08:00
Christian Berendt 5cd30d4914 Remove Fedora support
Closes-bug: #1616387
Change-Id: Id97f88b9baa3d48d33ce120962450a374282d044
2016-11-03 10:50:22 +01:00
Otavio Salvador 9eb38405b7 ansible: swift: Fix swift-object-expirer restart loop
The swift-object-expirer is provided by the 'openstack-swift-proxy'
package and thus it is unavailable on swift-object image. This change
adds a new Docker image to fulfill this requirement and stop using
swift-object image in this case.

This image is needed while RDO does not fix the packaging. The issue
is being tracked in:

  https://bugzilla.redhat.com/show_bug.cgi?id=1382921

Change-Id: Idc7ee92d756d8923da2198ede33abf5ed1142041
Closes-Bug: 1630425
2016-10-11 14:56:18 -03:00
Paul Bourke b41247c656 Add header blocks to all Dockerfiles
Change needed to add header blocks to all Dockerfiles, similar to the
base.

Use case is to easily run something before packages are installed, e.g.
to COPY a local rpm in that can be added to the package list.

Change-Id: I1bbfdf0b762da0a392aa8bf47781315b45377bee
Closes-Bug: 1618969
2016-09-13 16:53:31 +01:00
Paul Bourke fc30d583f9 Fix bandit gate jobs
* Inspected each error and fixed / added nosec where appropriate.
* build-swift-ring.py which was throwing sec errors is no longer used so
  removed it.
* Removed the dev/ directory from being checked.

Closes-Bug: #1617713
Change-Id: I25664cabca4137e5c9f499c1af3f5ce78b86fb56
2016-08-28 08:52:44 +00:00
Shaun Smekel a9d08726f5 Handle empty package list for install_packages
Currently if the install_packages macro is run with an empty
package list, it will add a yum or apt-get command with no
packages listed.

This bug fix aims to omit this line when no packages have
been given, or, the operator wants to use the "_override" /
"_remove" functionality to disable all packages being
installed in a Dockerfile.

Co-Authored-By: Paul Bourke <paul.bourke@oracle.com>
Change-Id: Ifaaaebfccc3adb0f2f68a35ac08e59378bc87fdb
Closes-bug: 1612446
2016-08-19 10:49:03 +00:00
Shaun Smekel 503120657e Customizations for Swift
This patchset contains customization of Dockerfile of Swift
containers.

Change-Id: I69250c4d9f6cc3949c9b9b52ea4b0cc2aec0231e
Partially-implements: blueprint third-party-plugin-support
2016-08-12 07:16:19 +10:00
Jeffrey Zhang 3f79e37d21 Fix the overwrite sudoers file issue
Change-Id: I4b109f7fdc3b8e49defed26979b04ca158842e98
Closes-Bug: #1598423
2016-07-05 05:49:13 +00:00
Benedikt Trefzer ccca2e5a98 Make swift-base container build with debian
- add debian as base_system

Change-Id: I1d0f1e5de819e8325243fa0b971c1eb7b83fb5b5
Partially-implements: blueprint build-debian
2016-06-04 03:44:56 +00:00
Swapnil Kulkarni (coolsvap) 435b21b90d Update ubuntu dockerfiles for formatting
Change-Id: If4be00b937e14ec93443dcb7249cf17099d57cbe
Closes-Bug: #1569417
2016-05-26 04:09:22 +00:00
Serguei Bezverkhi d553514cb7 Configures swift-rsyncd to use non-default port
This PS configures swift-rsyncd process to use non-default port
from the range above 1024.

Change-Id: I7c37c548a5185a2ffac789383fe012619e401131
Closes-Bug: #1573137
2016-04-21 12:54:30 -04:00
Jenkins 765e40de02 Merge "Drop root for swift" 2016-04-14 18:59:56 +00:00
Jenkins b042f4d517 Merge "Update Swift dockerfiles for formatting" 2016-04-13 07:49:13 +00:00