Commit Graph

24 Commits

Author SHA1 Message Date
Dan Prince a52498ab4d Move containers-common.yaml into deployment
Change-Id: I8cc27cd8ed76a1e124cbb54c938bb86332956ac2
Related-Blueprint: services-yaml-flattening
2019-04-14 18:15:12 -04:00
Emilien Macchi 860333cf31 Rename /var/lib/docker-config-scripts to /var/lib/container-config-scripts
We don't have Docker anymore so let's avoid confusion and rename this
directory.

Change-Id: I79fca28ef8e5396fee78bef992fd800918f05b88
2019-03-26 21:21:57 +00:00
Emilien Macchi 24fb8776dd Rename docker_puppet_apply to container_puppet_apply
Change-Id: I1e23b78f54f3609b249565bf3c448453b684d214
2019-03-12 00:57:21 +00:00
Emilien Macchi 160cddda3f Rename docker_config_scripts to container_config_scripts
Change-Id: Iabd65560c2fc28b3aeca07a21efa861c4c583c01
2019-03-06 09:05:50 -05:00
Michele Baldessari f279e6ce6b noop package installation inside docker_puppet_apply.sh
Just as we noop package installation in docker-puppet.py when run
inside containers (via I2bd247af2b54f3a834cdc8a2f253600527c7acd8)
we should always noop them inside the docker_puppet_apply.sh helper
script as it is always run inside containers anyway.

Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>

Change-Id: I572e31e933f7fd5b1bb695f28f78d57dceb28994
Related-Bug: #1812923
2019-01-26 11:18:07 +01:00
Alex Schultz a6408f0c09 Add python shim for docker config scripts
Unfortunately we may not necessarily know what version of python is
available in the containers when we run some python config scripts. In
order to work around this we have a pyshim which will try and find an
existing version of python available to run the script under. The
pyshim.sh will try python3 then python2 then python.

Depends-On: https://review.openstack.org/#/c/617716/
Change-Id: Ie08481722e9b22bb67d5282828df0941f37a140a
Closes-Bug: #1803411
2018-11-15 15:06:56 +00:00
Steve Baker 6bbc3b51df docker-puppet.py: used dedicated hiera entry, not uuid
Currently it is not possible to do per-node customization inside
docker-puppet.py because it overrides the fact 'uuid'.

This change adds a dedicated docker_puppet entry in hiera.yaml so that
docker-puppet.py needs to do nothing special for
/etc/puppet/hieradata/docker_puppet.json to be included in the hiera
merge.

Change-Id: Icf37dcd63e0152ee15e9f0079b45e31a4f8d9fbb
Depends-On: https://review.openstack.org/#/c/605478/
Closes-Bug: #1761624
2018-10-01 12:21:46 -04:00
Carlos Camacho 44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for the rocky release [1].

Also, this submission updates the yaml validation to use only the latest
heat_version alias. There are cases in which we will need to set
the version for specific templates, i.e. mixed versions, so a variable
is added to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing
the old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Cédric Jeanneret 3637f0325f Added missing pki volume for custom CA.
Some services want the CA to be in the anchors directory. Just mount it
everywhere.

Change-Id: I5cf028d9424a253f8b5d66d818a091508b9486d7
Closes-Bug: #1766178
2018-04-23 13:37:20 +02:00
Michele Baldessari dc811f803a Fix a typo in docker_puppet_apply.sh
In change Icf4a64ed76635e39bbb34c3a088c55e1f14fddca we did a refactoring
of the puppet apply commands into a single script. A typo slipped in
where we set FACTOR_uuid instead of FACTER_uuid.

Change-Id: If67d1bbf50d4fdaffa14e197dffc90f5b1577712
Closes-Bug: #1750000
2018-02-16 18:31:31 +01:00
Alex Schultz 6f834f60e6 Use docker_config_scripts for puppet apply
There are some configuration applies that we need to do during the
deployment. These currently live as manually constructed bash runs which
are missing the --detailed-exitcode handling to know when we have
failures. In order to reduce the duplicated code and simplify this
execution, this change creates a docker_config_scripts with
docker_puppet_run.sh in containers-common that can be reused by any of
the docker services. This allows us to properly handle
--detailed-exitcodes while also reducing the amount of duplicated code
bits that we have within THT.

Additionally, this change adds a new shared value for ContainersCommon to
pull the required volumes for the docker_puppet_apply.sh script into a
single place. Unfortunately the existing volumes from ContainersCommon
include a mount for /etc/puppet to /etc/puppet which causes problems
because we need to be able to write out a hiera value. The /etc/puppet
mount is needed for the bootstrap_host_exec function which is consumed
by various docker_config tasks, but the mount conflicts with the puppet
apply logic being used.

Depends-On: I24e5e344b7f657ce5d42a7c7c45be7b5ed5e6445
Change-Id: Icf4a64ed76635e39bbb34c3a088c55e1f14fddca
Related-Bug: #1741345
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
2018-01-09 17:17:13 -07:00
Carlos Camacho 927495fe3d Change template names to queens
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for the queens release [1].

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Oliver Walsh 7c8127cf96 Only mount selinux sysfs in nova_libvirt container
https://review.openstack.org/500952 initially just did this. Then we assumed
every container should have the selinux sysfs.
This causes issues with the sshd container used for live-migration.

The advice from the selinux experts is that it should not be enabled within
containers, so reverting back to the original fix that enables it only in the
nova-libvirt container.

Closes-bug: 1729405
Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca
2017-11-01 18:14:32 +00:00
Oliver Walsh 520f889a31 Enable selinux in containers
We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3.
It will fail if security_inode_copy_up is not found in the kernel symbols:
https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661
NB this has been reduced to a warning upstream:
885b29df09

Instead this just bind mounts /sys/fs/selinux in containers-common.yaml.

Everything appears to work at initial glance. Pingtest succeeds, and
live-migration between baremetal and containerized computes works.

Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c
Depends-On: I521c5351ad6020911106464bf712cf92e6fb0fca
Closes-bug: #1715171
2017-09-05 23:27:21 +01:00
Juan Antonio Osorio Robles 7fb7ed7a84 Fix CA file bind mounting in containers
The syntax was wrong and wasn't actually bind mounting the CA file.
This fixes it.

Change-Id: Icfa2118ccd2a32fdc3d1af27e3e3ee02bdfbb13b
2017-08-01 07:28:33 +00:00
Giulio Fidente baf6eee501 Adds network/cidr mapping into a new service property
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.

Data can be consumed in service templates to set config values
which need to know what the subnet is where a daemon operates (for
example the Ceph Public vs Cluster network).

Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14 13:44:04 +02:00
Juan Antonio Osorio Robles 31f773a95b Bind mount internal CA file to all containers
This will allow the services running in the containers to trust the CA.

bp tls-via-certmonger-containers

Change-Id: Ib7eb682da64473a651b34243c92ab76009964aba
2017-06-13 16:28:03 +03:00
Oliver Walsh 1f946b63a2 Map /etc/ssh/ssh_known_hosts to all containers
This allows any ssh client spawned from a container to validate ssh host keys.

Change-Id: I86d95848e5f049e8af98107cd7027098d6cdee7c
Closes-bug: #1693841
2017-06-07 11:17:19 +00:00
Jenkins 5f374b863d Merge "docker bootstrap service commands" 2017-05-30 13:52:28 +00:00
Dan Prince 51da97d04a docker bootstrap service commands
This patch guards db syncs and initialization code from executing
on multiple nodes at the same time by using the new
bootstrap_host_exec script. This helper script checks to make
sure the container is executing on the "bootstrap host" for the
specified service (arg 0) and then if it matches runs the
specified command.

Depends-On: If25f217bbb592edab4e1dde53ca99ed93c0e146c
Depends-On: Ic1585bae27c318bd6bafc287e905f2ed250cce0f

Change-Id: I0c864ca093ea476248b619d8c88477ef0b64e2eb
Closes-Bug: 1688380
2017-05-22 12:04:42 -04:00
Carlos Camacho 0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike, so this changes the
release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Bogdan Dobrelya 4ea0307bd8 Add syslog socket to common containers volumes
Partial blueprint containerized-services-logs

Change-Id: Idbf1884226503aca9072b12d050500af407973cf
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-05-08 10:27:50 +02:00
Juan Antonio Osorio Robles f8f295be3e Introduce common CAs to be mounted to the containers
When TLS is enabled, the containers need to trust the CAs that the
host trusts.

Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
2017-04-18 11:20:06 +03:00
Juan Antonio Osorio Robles e81ddeb685 Introduce common resources for docker templates
This enables common resources that the docker templates might need.
The only initial resource is common volumes, and two volumes are
introduced (localtime and hosts).

Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
2017-04-18 11:20:06 +03:00