From be43974c5f1d37d91ba0b3360a24547860a9a485 Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang
Date: Sun, 22 Oct 2023 15:41:30 +0800
Subject: [PATCH 1/4] Add rsync to nova-compute when configure `remote_filesystem_transport` to rsync, rsync binary is required.
Change-Id: I07be614846be9305f0775df22a6d931ceab1720a
(cherry picked from commit 92cedcd2b155907ab65884a0ba4dbae480900d28)
---
 docker/nova/nova-compute/Dockerfile.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2
index 67cafa2a93..3c1eb0ea7c 100644
--- a/docker/nova/nova-compute/Dockerfile.j2
+++ b/docker/nova/nova-compute/Dockerfile.j2
@@ -29,6 +29,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-oslo-vmware',
 'python3-rtslib',
 'qemu-kvm-block-rbd',
+ 'rsync',
 'sysfsutils',
 'targetcli',
 'xfsprogs'
@@ -70,6 +71,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-rbd',
 'python3-rtslib-fb',
 'qemu-block-extra',
+ 'rsync',
 'sasl2-bin',
 'sysfsutils',
 'targetcli-fb',
@@ -112,6 +114,7 @@ RUN rm -f /etc/nova/nova-compute.conf
 'python3-rtslib',
 'qemu-img',
 'qemu-kvm-block-rbd',
+ 'rsync',
 'sysfsutils',
 'targetcli',
 'xfsprogs'
@@ -152,6 +155,7 @@ RUN rm -f /etc/nova/nova-compute.conf
 'python3-rtslib-fb',
 'qemu-block-extra',
 'qemu-utils',
+ 'rsync',
 'sasl2-bin',
 'sysfsutils',
 'targetcli-fb',
From 3a484edcd621126f149c474c768f17741f9eb315 Mon Sep 17 00:00:00 2001
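Review bot: Nothing in the four package-list hunks records why `rsync` is there, and the patch carries no release note. The binary now ships in every nova-compute image, including deployments that never set `remote_filesystem_transport` to rsync, so it becomes one more package to track for security updates. A template comment above each list, e.g. `{# rsync: required when [libvirt]/remote_filesystem_transport = rsync #}`, would let a later maintainer judge whether it can be dropped. The package lists start and end outside these hunks, so the comment placement has to be checked against the full file.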
From: Takashi Kajinami
Date: Mon, 27 Nov 2023 00:11:29 +0900
Subject: [PATCH 2/4] Swift: Remove unused rootwrap Swift does not use oslo.rootwrap. Thus the command and its config file is just useless.
Change-Id: If4e346c2db841aad9b2ddac049dbbbc1ba5782ec
(cherry picked from commit d7e497ce52cc109c9f7b4a83d85f0bebfa05298e)
---
 docker/swift/swift-base/Dockerfile.j2 | 7 +------
 docker/swift/swift-base/rootwrap.conf | 27 --------------------------
 docker/swift/swift-base/swift-rootwrap | 10 ----------
 docker/swift/swift-base/swift_sudoers | 1 -
 4 files changed, 1 insertion(+), 44 deletions(-)
 delete mode 100644 docker/swift/swift-base/rootwrap.conf
 delete mode 100644 docker/swift/swift-base/swift-rootwrap
diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2
index 6ef3db1241..adc2a6fd84 100644
--- a/docker/swift/swift-base/Dockerfile.j2
+++ b/docker/swift/swift-base/Dockerfile.j2
@@ -58,14 +58,9 @@ RUN ln -s swift-base-source/* swift \
 && chown -R swift: /etc/swift /var/cache/swift /var/lock/swift
 {% endif %}
-COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
-COPY rootwrap.conf /etc/swift/rootwrap.conf
 COPY swift_sudoers /etc/sudoers.d/kolla_swift_sudoers
-RUN chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
- && chmod 644 /etc/swift/rootwrap.conf \
- && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf \
- && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
 && chmod 440 /etc/sudoers.d/kolla_swift_sudoers \
 && mkdir -p /opt/swift
diff --git a/docker/swift/swift-base/rootwrap.conf b/docker/swift/swift-base/rootwrap.conf
deleted file mode 100644
index 9adfaa6684..0000000000
--- a/docker/swift/swift-base/rootwrap.conf
+++ /dev/null
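Review bot: The rewritten `RUN` chain sets the modes on `kolla_swift_sudoers` but never validates the file, and this patch also edits its contents. A syntax error in a drop-in under `/etc/sudoers.d` would surface only when sudo is invoked in the running container; adding `&& visudo -cf /etc/sudoers.d/kolla_swift_sudoers \` after the `chmod 440` line would fail the image build instead, assuming visudo is present in the base image. Separately, dropping the `swift-rootwrap /etc/swift/rootwrap.conf *` rule removes a wildcard NOPASSWD path to root, which deserves a release note under `security:` so operators know the image's privilege surface changed.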
@@ -1,27 +0,0 @@
-# Configuration for swift-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/swift/rootwrap.d,/usr/share/swift/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
diff --git a/docker/swift/swift-base/swift-rootwrap b/docker/swift/swift-base/swift-rootwrap
deleted file mode 100644
index 9432582dae..0000000000
--- a/docker/swift/swift-base/swift-rootwrap
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/python3
-# PBR Generated from 'console_scripts'
-
-import sys
-
-from oslo_rootwrap.cmd import main
-
-
-if __name__ == "__main__":
- sys.exit(main())
diff --git a/docker/swift/swift-base/swift_sudoers b/docker/swift/swift-base/swift_sudoers
index 752fe0e2ee..f60e2260b0 100644
--- a/docker/swift/swift-base/swift_sudoers
+++ b/docker/swift/swift-base/swift_sudoers
@@ -1,3 +1,2 @@
 swift ALL=(root) NOPASSWD: /bin/find /srv/node/ -maxdepth 1 -type d -execdir chown swift\:swift {} \\+
 swift ALL=(root) NOPASSWD: /usr/bin/find /srv/node/ -maxdepth 1 -type d -execdir chown swift\:swift {} \\+
-swift ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/swift-rootwrap /etc/swift/rootwrap.conf *
From 009cbb3761143ff5c9101cca11f6b692ea92f194 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak
Date: Wed, 13 Dec 2023 10:46:32 +0100
Subject: [PATCH 3/4] Pin docker.py to <7 Docker 7.0.0 introduced a pre build check for tag regex, which fails where registry has port number defined - see [1] and [2]. [1]: https://github.com/docker/docker-py/commit/a9b5494fd0574e520c735e1d0c4a303528d48063 [2]: https://github.com/docker/docker-py/issues/3195 Also removing requirements check in CI as it is not allowing such pinning, as kolla is not designed to be installed with other openstack services in the same virtualenv.
Change-Id: Id64186bf87300f23acde4f90474abcd6944e5be0
(cherry picked from commit acf23fa830c8909b366f3ea38279560136f8dff1)
---
 .zuul.d/project.yaml | 1 -
 requirements.txt | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.zuul.d/project.yaml b/.zuul.d/project.yaml
index 12bca8ab9e..fd10db237f 100644
--- a/.zuul.d/project.yaml
+++ b/.zuul.d/project.yaml
@@ -3,7 +3,6 @@
 templates:
 - openstack-python3-yoga-jobs
 - openstack-python3-yoga-jobs-arm64
- - check-requirements
 - publish-openstack-docs-pti
 - release-notes-jobs-python3
 - periodic-stable-jobs
diff --git a/requirements.txt b/requirements.txt
index 7d1c0d9dbb..6b9078a32c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
-docker>=2.4.2 # Apache-2.0
+docker>=2.4.2,<7.0.0 # Apache-2.0
 Jinja2>=3.0.1 # BSD License (3 clause)
 GitPython>=1.0.1 # BSD License (3 clause)
 oslo.config>=5.1.0 # Apache-2.0
From 82fe25505592ea121e91a33f467bdb059da01a6a Mon Sep 17 00:00:00 2001
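Review bot: The `<7.0.0` cap in `requirements.txt` has no inline marker saying why it exists or when it can be lifted, so it is likely to outlive the docker-py problem it works around and keep the build tooling off later releases, including any fixes they carry. A comment above the line, such as `# capped: docker-py 7.0.0 tag check rejects registries with a port, see docker-py issue 3195`, would make the pin reviewable. The `.zuul.d/project.yaml` hunk also drops `check-requirements` for every dependency, not only docker, and the description does not say what now checks the remaining entries; that gap should be stated in the commit message or covered in a follow-up.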
From: Alex-Welsh
Date: Tue, 28 Nov 2023 13:08:58 +0000
Subject: [PATCH 4/4] Sync only local cell in nova bootstrap & upgrade Added the --local_cell argument to nova db sync commands during bootstrap and upgrade. This was previously thought to have no effect [1], but has since been discovered to fail when rotating the nova database password. [1] https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/roles/nova/tasks/bootstrap_service.yml#L2-L3
Closes-Bug: #2045558
Change-Id: Ic64eb51325b3503a14ebab9b9ff2f4d9caec734a
(cherry picked from commit de1487f05187387aea3f113dcbb6926734b1ce6b)
---
 docker/nova/nova-api/extend_start.sh | 4 ++--
 .../notes/nova-sync-local-cell-8e3258f4b410d25c.yaml | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/nova-sync-local-cell-8e3258f4b410d25c.yaml
diff --git a/docker/nova/nova-api/extend_start.sh b/docker/nova/nova-api/extend_start.sh
index aec89f6215..0c05222d96 100644
--- a/docker/nova/nova-api/extend_start.sh
+++ b/docker/nova/nova-api/extend_start.sh
@@ -8,14 +8,14 @@
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
 nova-manage api_db sync
- nova-manage db sync
+ nova-manage db sync --local_cell
 nova-manage db online_data_migrations
 exit 0
 fi
 if [[ "${!KOLLA_UPGRADE[@]}" ]]; then
 nova-manage api_db sync
- nova-manage db sync
+ nova-manage db sync --local_cell
 exit 0
 fi
diff --git a/releasenotes/notes/nova-sync-local-cell-8e3258f4b410d25c.yaml b/releasenotes/notes/nova-sync-local-cell-8e3258f4b410d25c.yaml
new file mode 100644
index 0000000000..0da2cde3ee
--- /dev/null
+++ b/releasenotes/notes/nova-sync-local-cell-8e3258f4b410d25c.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ The Nova API container extended startup script has been updated to only
+ sync the local Nova cell. This resolves an error that would occur when the
+ Nova database password changes. More details can be found on `this bug
+ report `__.
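Review bot: The two `nova-manage db sync --local_cell` lines in `extend_start.sh` carry no comment, so the reason for the flag lives only in the commit message. A reader of the script cannot tell that other cell databases are now expected to be synced elsewhere; a line such as `# --local_cell: sync only this cell's database; do not fan out to other cells` above each call would record that. Both branches also end in `exit 0` whatever the preceding commands returned, so unless errexit is enabled outside this hunk (the head of the script is not visible), a failed sync would be reported as success.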