Rework neutron/own agent wrapper tools for podman
Add ContainerCli parameter, default to docker. Possible values: podman/docker (default). Deprecate DockerAdditionalSockets so it does nothing for podman. Nested podman CLI replaces docker sockets. Only bind mount /var/lib/openstack for the neutron/ovn agents for docker. Support debug messages for Neutron/OVN wrappers controled via NeutronWrapperDebug and OWNWrapperDebug (defaults to False). Or globally controlled by Debug. Make the wrapper containers managed by its parent processes and not exited/removed forcibly, when the parent container restarts. Background for podman CLI replacing the docker socket: We'll use 'nsenter -m -n -p -t 1 podman' in wrappers to execute podman in the same namespaces as on the host and to NOT bind-mount world for that, like: - /sys/fs/cgroup:/sys/fs/cgroup - /run/libpod:/run/libpod - /run/containers:/run/containers - /run/runc:/run/runc - /run/runc-ctrs:/run/runc-ctrs - /var/lib/containers:/var/lib/containers - /etc/containers:/etc/containers:ro - /usr/bin/podman:/usr/bin/podman:ro - /usr/bin/runc:/usr/bin/runc:ro - /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro - /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro ... We cannot use chroot /host instead as there is more bind-mounts to use outside of the /host chroot. Maybe varlink is a good replacement for all of that, but it's not there yet. Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
This commit is contained in:
Bogdan Dobrelya
Cédric Jeanneret
parent
5480200cba
commit
8f4738362a
|
|
@ -23,6 +23,20 @@ parameters:
|
|||
description: Generate a wrapper script so neutron launches haproxy in a separate container.
|
||||
type: boolean
|
||||
default: true
|
||||
Debug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
NeutronWrapperDebug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Controls debugging for the wrapper scripts.
|
||||
ContainerCli:
|
||||
type: string
|
||||
default: 'docker'
|
||||
description: CLI tool used to manage containers.
|
||||
constraints:
|
||||
- allowed_values: ['docker', 'podman']
|
||||
NeutronDhcpAgentLoggingSource:
|
||||
type: json
|
||||
default:
|
||||
|
|
@ -68,6 +82,8 @@ conditions:
|
|||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]}
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
|
||||
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
||||
service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
|
||||
|
||||
resources:
|
||||
|
||||
|
|
@ -108,6 +124,12 @@ outputs:
|
|||
tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
|
||||
tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper'
|
||||
tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: DockerNeutronDHCPImage}
|
||||
tripleo::profile::base::neutron::dhcp_agent_wrappers::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug }
|
||||
- {get_param: NeutronWrapperDebug}
|
||||
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
||||
service_config_settings:
|
||||
map_merge:
|
||||
- get_attr: [NeutronBase, role_data, service_config_settings]
|
||||
|
|
@ -203,7 +225,11 @@ outputs:
|
|||
- /run/openvswitch:/run/openvswitch
|
||||
- /var/lib/neutron:/var/lib/neutron
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/openstack:/var/lib/openstack
|
||||
-
|
||||
if:
|
||||
- docker_enabled
|
||||
- - /var/lib/openstack:/var/lib/openstack
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- dnsmasq_wrapper_enabled
|
||||
|
|
|
|||
|
|
@ -40,6 +40,20 @@ parameters:
|
|||
once the fix to radvd is generally available across target distributions.
|
||||
type: boolean
|
||||
default: false
|
||||
Debug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
NeutronWrapperDebug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Controls debugging for the wrapper scripts.
|
||||
ContainerCli:
|
||||
type: string
|
||||
default: 'docker'
|
||||
description: CLI tool used to manage containers.
|
||||
constraints:
|
||||
- allowed_values: ['docker', 'podman']
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
|
|
@ -72,6 +86,8 @@ conditions:
|
|||
haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
|
||||
dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]}
|
||||
radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]}
|
||||
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
||||
service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
|
||||
|
||||
resources:
|
||||
|
||||
|
|
@ -116,6 +132,12 @@ outputs:
|
|||
tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper}
|
||||
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper'
|
||||
tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: DockerNeutronL3AgentImage}
|
||||
tripleo::profile::base::neutron::l3_agent_wrappers::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug }
|
||||
- {get_param: NeutronWrapperDebug}
|
||||
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
||||
|
||||
service_config_settings:
|
||||
map_merge:
|
||||
|
|
@ -202,7 +224,11 @@ outputs:
|
|||
- /run/openvswitch:/run/openvswitch
|
||||
- /var/lib/neutron:/var/lib/neutron
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/openstack:/var/lib/openstack
|
||||
-
|
||||
if:
|
||||
- docker_enabled
|
||||
- - /var/lib/openstack:/var/lib/openstack
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- keepalived_wrapper_enabled
|
||||
|
|
|
|||
|
|
@ -19,6 +19,20 @@ parameters:
|
|||
description: Generate a wrapper script so that haproxy is launched in a separate container.
|
||||
type: boolean
|
||||
default: true
|
||||
Debug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
OVNWrapperDebug:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Controls debugging for the wrapper scripts.
|
||||
ContainerCli:
|
||||
type: string
|
||||
default: 'docker'
|
||||
description: CLI tool used to manage containers.
|
||||
constraints:
|
||||
- allowed_values: ['docker', 'podman']
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
|
|
@ -47,7 +61,9 @@ parameters:
|
|||
type: json
|
||||
|
||||
conditions:
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
||||
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
||||
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
|
||||
|
||||
resources:
|
||||
|
||||
|
|
@ -81,6 +97,12 @@ outputs:
|
|||
- tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
|
||||
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
|
||||
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: DockerOvnMetadataImage}
|
||||
tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug }
|
||||
- {get_param: OVNWrapperDebug}
|
||||
tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
|
||||
puppet_config:
|
||||
puppet_tags: neutron_config,ovn_metadata_agent_config
|
||||
config_volume: neutron
|
||||
|
|
@ -171,7 +193,11 @@ outputs:
|
|||
- /run/openvswitch:/run/openvswitch
|
||||
- /var/lib/neutron:/var/lib/neutron
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/openstack:/var/lib/openstack
|
||||
-
|
||||
if:
|
||||
- docker_enabled
|
||||
- - /var/lib/openstack:/var/lib/openstack
|
||||
- null
|
||||
-
|
||||
if:
|
||||
- haproxy_wrapper_enabled
|
||||
|
|
|
|||
|
|
@ -68,6 +68,15 @@ parameters:
|
|||
default: ''
|
||||
description: User added to the docker group in order to use container commands.
|
||||
type: string
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
description: |
|
||||
The following parameters are deprecated and will be removed. They should not
|
||||
be relied on for new deployments. If you have concerns regarding deprecated
|
||||
parameters, please contact the TripleO development team on IRC or the
|
||||
OpenStack mailing list.
|
||||
parameters:
|
||||
- DockerAdditionalSockets
|
||||
|
||||
conditions:
|
||||
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
``ContainerCli`` allows 'docker' (deprecated) and 'podman' for Neutron
|
||||
L3/DHCP and OVN metadata rootwrap containers managed by agents.
|
||||
Parameters ``OVNWrapperDebug`` and ``NeutronWrapperDebug`` (Defaults to
|
||||
`False`) allow to log debug messages for the wrapper scripts managing
|
||||
rootwrap containers. It is also controled by the global ``Debug`` setting.
|
||||
fixes:
|
||||
- |
|
||||
Neutron/OVN rootwrap containers are managed by agents and will no longer
|
||||
be deleted, when the parent container restarts.
|
||||
deprecations:
|
||||
- |
|
||||
Parameter ``DockerAdditionalSockets`` is deprecated. No sockets are
|
||||
expected to bind mount for podman. So it only works for the docker runtime.
|
||||
Loading…
Reference in New Issue