From 13d6a664f063b5c65ce957bac21652111a13d6b7 Mon Sep 17 00:00:00 2001 From: Michal Arbet Date: Mon, 3 Feb 2025 11:40:04 +0100 Subject: [PATCH 1/2] Install pycadf from pypi package Previously, the `pycadf` package did not include configuration files, so they were manually installed from source. However, this was fixed in pycadf's upstream in [1], allowing us to rely on the package itself. Additionally, the `ceilometer_api_audit_map.conf` file has been removed, as it was dropped in pycadf's upstream commit here [2] [1] https://review.opendev.org/c/openstack/pycadf/+/936741 [2] https://review.opendev.org/c/openstack/pycadf/+/930971 Change-Id: I022aa4c403f08385beb83b5d0c81f8abb42eb4a7 --- docker/cinder/cinder-base/Dockerfile.j2 | 2 +- docker/glance/glance-base/Dockerfile.j2 | 2 +- docker/gnocchi/gnocchi-base/Dockerfile.j2 | 2 +- docker/heat/heat-base/Dockerfile.j2 | 2 +- docker/ironic/ironic-base/Dockerfile.j2 | 2 +- docker/neutron/neutron-base/Dockerfile.j2 | 2 +- docker/nova/nova-base/Dockerfile.j2 | 2 +- docker/openstack-base/Dockerfile.j2 | 5 +---- docker/swift/swift-base/Dockerfile.j2 | 2 +- docker/trove/trove-base/Dockerfile.j2 | 2 +- kolla/common/sources.py | 4 ---- 11 files changed, 10 insertions(+), 17 deletions(-) diff --git a/docker/cinder/cinder-base/Dockerfile.j2 b/docker/cinder/cinder-base/Dockerfile.j2 index d7ba7612ac..0f0b208948 100644 --- a/docker/cinder/cinder-base/Dockerfile.j2 +++ b/docker/cinder/cinder-base/Dockerfile.j2 
@@ -44,7 +44,7 @@ RUN ln -s cinder-base-source/* cinder \
 && {{ macros.install_pip(cinder_base_pip_packages | customizable("pip_packages")) }} \
 && mkdir -p /etc/cinder \
 && cp -r /cinder/etc/cinder/* /etc/cinder/ \
- && cp /etc/pycadf/cinder_api_audit_map.conf /etc/cinder/ \
+ && cp /var/lib/kolla/venv/etc/pycadf/cinder_api_audit_map.conf /etc/cinder/ \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf \
 && chmod 750 /etc/sudoers.d \
 && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2
index 19c8f58d38..f6cfe1b44e 100644
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@@ -41,7 +41,7 @@ RUN ln -s glance-base-source/* glance \
 && {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
 && mkdir -p /etc/glance \
 && cp -r /glance/etc/* /etc/glance/ \
- && cp /etc/pycadf/glance_api_audit_map.conf /etc/glance/ \
+ && cp /var/lib/kolla/venv/etc/pycadf/glance_api_audit_map.conf /etc/glance/ \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf \
 && chmod 750 /etc/sudoers.d \
 && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
diff --git a/docker/gnocchi/gnocchi-base/Dockerfile.j2 b/docker/gnocchi/gnocchi-base/Dockerfile.j2
index 00d1abad96..f6376e8b06 100644
--- a/docker/gnocchi/gnocchi-base/Dockerfile.j2
+++ b/docker/gnocchi/gnocchi-base/Dockerfile.j2
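Review bot: The new `cp /var/lib/kolla/venv/etc/pycadf/cinder_api_audit_map.conf /etc/cinder/` line depends on the pip-installed pycadf release shipping `etc/pycadf/*.conf` into the venv, and nothing in the patch records or checks that requirement; the same holds for the glance, gnocchi, heat, ironic, neutron, nova, swift and trove hunks. The removed `sources.py` entry fixed the tarball at pycadf-4.0.1, while `'pycadf'` in openstack-base now resolves to whatever the constraints allow, so a branch constrained to a release older than the upstream fix cited in the commit message would presumably fail at this `cp`. As these files are the API audit maps, I would add a template comment above the RUN instruction, for example `{# audit maps are data files of the pycadf package; needs a release that installs etc/pycadf #}`. The RUN instruction starts before and continues past this hunk.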
@@ -46,7 +46,7 @@ RUN {{ macros.upper_constraints_version_change("Werkzeug", "3.0.1", "2.2.3") }} RUN ln -s gnocchi-base-source/* gnocchi \ && {{ macros.install_pip(gnocchi_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/gnocchi \ - && cp /etc/pycadf/gnocchi_api_audit_map.conf /etc/gnocchi/ \ + && cp /var/lib/kolla/venv/etc/pycadf/gnocchi_api_audit_map.conf /etc/gnocchi/ \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \ && touch /usr/local/bin/kolla_gnocchi_extend_start \ diff --git a/docker/heat/heat-base/Dockerfile.j2 b/docker/heat/heat-base/Dockerfile.j2 index e3737f6187..59d6aabb86 100644 --- a/docker/heat/heat-base/Dockerfile.j2 +++ b/docker/heat/heat-base/Dockerfile.j2 @@ -27,7 +27,7 @@ RUN ln -s heat-base-source/* heat \ && {{ macros.install_pip(heat_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/heat \ && cp -r /heat/etc/heat/* /etc/heat/ \ - && cp /etc/pycadf/heat_api_audit_map.conf /etc/heat/ \ + && cp /var/lib/kolla/venv/etc/pycadf/heat_api_audit_map.conf /etc/heat/ \ && touch /usr/local/bin/kolla_heat_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2 index a468a2b32a..3cfa78f432 100644 --- a/docker/ironic/ironic-base/Dockerfile.j2 +++ b/docker/ironic/ironic-base/Dockerfile.j2 
@@ -22,7 +22,7 @@ RUN ln -s ironic-base-source/* ironic \
 && {{ macros.install_pip(ironic_base_pip_packages | customizable("pip_packages")) }} \
 && mkdir -p /etc/ironic \
 && cp -r /var/lib/kolla/venv/etc/ironic/* /etc/ironic/ \
- && cp /etc/pycadf/ironic_api_audit_map.conf /etc/ironic/ \
+ && cp /var/lib/kolla/venv/etc/pycadf/ironic_api_audit_map.conf /etc/ironic/ \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf \
 && chmod 750 /etc/sudoers.d \
 && chmod 440 /etc/sudoers.d/kolla_ironic_sudoers \
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index d437a83498..40015e4956 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -74,7 +74,7 @@ RUN ln -s neutron-base-source/* neutron \
 && mkdir -p /etc/neutron \
 && cp -r /neutron/etc/* /etc/neutron/ \
 && cp -r /neutron/etc/neutron/* /etc/neutron/ \
- && cp /etc/pycadf/neutron_api_audit_map.conf /etc/neutron/ \
+ && cp /var/lib/kolla/venv/etc/pycadf/neutron_api_audit_map.conf /etc/neutron/ \
 && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
 && if [ "$(ls /plugins)" ]; then \
diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2
index 8f42da4e74..8768c446d4 100644
--- a/docker/nova/nova-base/Dockerfile.j2
+++ b/docker/nova/nova-base/Dockerfile.j2
@@ -70,7 +70,7 @@ RUN ln -s nova-base-source/* nova \ && {{ macros.install_pip(nova_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/nova/ \ && cp -r /nova/etc/nova/* /etc/nova/ \ - && cp /etc/pycadf/nova_api_audit_map.conf /etc/nova/ \ + && cp /var/lib/kolla/venv/etc/pycadf/nova_api_audit_map.conf /etc/nova/ \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(nova_base_plugins_pip_packages) }}; \ diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index af6492377d..8cb8a97b70 100644 --- a/docker/openstack-base/Dockerfile.j2 +++ b/docker/openstack-base/Dockerfile.j2 @@ -137,7 +137,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'pika', 'prettytable', 'psutil', - '/plugins/pycadf*', + 'pycadf', 'pymysql', 'pyngus', 'pyparsing', @@ -186,9 +186,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build ADD openstack-base-archive /openstack-base-source ADD plugins-archive / -RUN mkdir -p /etc/pycadf \ - && cp /plugins/pycadf*/etc/pycadf/* /etc/pycadf/ - RUN ln -s openstack-base-source/* /requirements \ {# NOTE(mnasiadka): Remove ovs from upper-constraints.txt because python3-openvswitch diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2 index 975eed9c6e..a460d59d9a 100644 --- a/docker/swift/swift-base/Dockerfile.j2 +++ b/docker/swift/swift-base/Dockerfile.j2 
@@ -37,7 +37,7 @@ RUN ln -s swift-base-source/* swift \ && {{ macros.install_pip(swift_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/swift /var/cache/swift /var/lock/swift \ && cp -r /swift/etc/* /etc/swift/ \ - && cp /etc/pycadf/swift_api_audit_map.conf /etc/swift/ \ + && cp /var/lib/kolla/venv/etc/pycadf/swift_api_audit_map.conf /etc/swift/ \ && chown -R swift: /var/cache/swift /var/lock/swift \ && chmod 750 /etc/sudoers.d \ && chmod 440 /etc/sudoers.d/kolla_swift_sudoers \ diff --git a/docker/trove/trove-base/Dockerfile.j2 b/docker/trove/trove-base/Dockerfile.j2 index be98dbb4ba..2a3c188805 100644 --- a/docker/trove/trove-base/Dockerfile.j2 +++ b/docker/trove/trove-base/Dockerfile.j2 @@ -21,7 +21,7 @@ RUN ln -s trove-base-source/* trove \ && {{ macros.install_pip(trove_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/trove \ && cp -r /trove/etc/trove/* /etc/trove/ \ - && cp /etc/pycadf/trove_api_audit_map.conf /etc/trove/ \ + && cp /var/lib/kolla/venv/etc/pycadf/trove_api_audit_map.conf /etc/trove/ \ && touch /usr/local/bin/kolla_trove_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start diff --git a/kolla/common/sources.py b/kolla/common/sources.py index e8da29f620..4488cad01f 100644 --- a/kolla/common/sources.py +++ b/kolla/common/sources.py @@ -15,10 +15,6 @@ 'type': 'url', 'location': ('$tarballs_base/openstack/requirements/' 'requirements-${openstack_branch}.tar.gz')}, - 'openstack-base-plugin-pycadf': { - 'type': 'url', - 'location': ('$tarballs_base/openstack/pycadf/' - 'pycadf-4.0.1.tar.gz')}, 'aodh-base': { 'type': 'url', 'location': ('$tarballs_base/openstack/aodh/' From ed7c8399c4a2a43e9a4165db416b98f5be8d538c Mon Sep 17 00:00:00 2001 
From: Michal Arbet Date: Fri, 31 Jan 2025 12:48:45 +0100 Subject: [PATCH 2/2] Fix permissions for ironic metrics This patch adds creation of metrics folder, set permissions and SetGID bit. Closes-Bug: #2097098 Change-Id: Ic46b895775edf5e5fb2b637be49e2de1eb4adf36 --- docker/ironic/ironic-base/Dockerfile.j2 | 2 +- docker/ironic/ironic-base/extend_start.sh | 10 ++++++++++ docker/ironic/ironic-base/ironic_sudoers | 3 +++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2 index 3cfa78f432..2002438c02 100644 --- a/docker/ironic/ironic-base/Dockerfile.j2 +++ b/docker/ironic/ironic-base/Dockerfile.j2 @@ -7,7 +7,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% import "macros.j2" as macros with context %} -{{ macros.configure_user(name='ironic') }} +{{ macros.configure_user(name='ironic', shell='/bin/bash') }} ADD ironic-base-archive /ironic-base-source ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers diff --git a/docker/ironic/ironic-base/extend_start.sh b/docker/ironic/ironic-base/extend_start.sh index e3b1d4e2dc..dc6b05caaf 100644 --- a/docker/ironic/ironic-base/extend_start.sh +++ b/docker/ironic/ironic-base/extend_start.sh @@ -1,12 +1,22 @@ #!/bin/bash LOG_PATH=/var/log/kolla/ironic +METRICS_PATH=/var/lib/ironic-metrics if [[ ! -d "${LOG_PATH}" ]]; then mkdir -p "${LOG_PATH}" fi +if [[ ! -d "${METRICS_PATH}" ]]; then + sudo mkdir -p "${METRICS_PATH}" +fi if [[ $(stat -c %a "${LOG_PATH}") != "755" ]]; then chmod 755 "${LOG_PATH}" fi +if [[ $(stat -c %U:%G "${METRICS_PATH}") != "ironic:ironic" ]]; then + sudo chown ironic:ironic "${METRICS_PATH}" +fi +if [[ $(stat -c %a "${METRICS_PATH}") != "2775" ]]; then + sudo chmod 2775 "${METRICS_PATH}" +fi . /usr/local/bin/kolla_ironic_extend_start diff --git a/docker/ironic/ironic-base/ironic_sudoers b/docker/ironic/ironic-base/ironic_sudoers index 3e7c843f39..1a3f32e1af 100644 
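Review bot: `shell='/bin/bash'` in the `configure_user` call gives the ironic service account a usable shell, but neither the commit message nor the template says why the metrics-directory fix needs one. This account also holds NOPASSWD sudo rules, so the extra capability should be justified where it is granted. I would add a template comment above the call stating the reason, or drop the argument if extend_start.sh works without it. What shell the macro assigns by default is not visible in this hunk.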
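Review bot: The new `METRICS_PATH` block does not say why the directory needs setgid plus group write (`2775`), nor that the owner and mode strings are tied to ironic_sudoers, where sudo matches the argument list literally. A later edit of either literal here would make sudo refuse the call. The file itself sets no errexit, so unless the caller does, the script would then carry on and source `kolla_ironic_extend_start` with the directory in the wrong state. I would add a comment above the block such as `# owner/mode literals must match ironic_sudoers exactly; setgid so new metric files inherit the ironic group`, with the stated purpose confirmed by the author. Checking the result of each `sudo` call explicitly would also make a refusal visible at start-up.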
--- a/docker/ironic/ironic-base/ironic_sudoers
+++ b/docker/ironic/ironic-base/ironic_sudoers
@@ -1 +1,4 @@
 ironic ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *
+ironic ALL = (root) NOPASSWD: /bin/mkdir -p /var/lib/ironic-metrics, /usr/bin/mkdir -p /var/lib/ironic-metrics
+ironic ALL = (root) NOPASSWD: /bin/chown ironic\:ironic /var/lib/ironic-metrics, /usr/bin/chown ironic\:ironic /var/lib/ironic-metrics
+ironic ALL = (root) NOPASSWD: /bin/chmod 2755 /var/lib/ironic-metrics, /usr/bin/chmod 2775 /var/lib/ironic-metrics
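Review bot: The `/bin/chmod` alternative in the last added rule allows mode `2755`, while the `/usr/bin/chmod` alternative and the `sudo chmod 2775` call in extend_start.sh both use `2775`, which looks like a typo. sudoers matches the argument list literally, so on an image where `chmod` resolves to `/bin/chmod` the start script's call would be refused and the directory would be left without group write. The rule should read `ironic ALL = (root) NOPASSWD: /bin/chmod 2775 /var/lib/ironic-metrics, /usr/bin/chmod 2775 /var/lib/ironic-metrics`. Pinning the full argument list on all three rules, rather than using a wildcard, keeps the grant narrow and is worth preserving.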