stackhpc · priteau · May 12, 2025 · Nov 11, 2024 · Apr 24, 2025 · May 2, 2025
@@ -7,7 +7,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {% import "macros.j2" as macros with context %}
 
-{{ macros.configure_user(name='barbican', groups='nfast') }}
+{{ macros.configure_user(name='barbican', groups='nfast,hsmusers') }}
 
 {{ macros.install_packages(barbican_base_packages | customizable("packages")) }}
 

@@ -1,6 +1,6 @@
 [mariadb]
 name = MariaDB Server
-baseurl = https://dlm.mariadb.com/repo/mariadb-server/10.11/yum/rhel/$releasever/$basearch
+baseurl = https://dlm.mariadb.com/repo/mariadb-server/10.11.11/yum/rhel/$releasever/$basearch
 gpgcheck = 1
 enabled = 0
 module_hotfixes = 1

@@ -48,7 +48,8 @@ RUN mkdir -p /requirements \
     && python3 -m venv --system-site-packages {{ venv_path }} \
     && KOLLA_DISTRO_PYTHON_VERSION=$(/usr/bin/python3 -c "import sys; print('{}.{}'.format(sys.version_info.major, sys.version_info.minor))") \
     && cd {{ venv_path }}/lib \
-    && ln -s python${KOLLA_DISTRO_PYTHON_VERSION} {{ venv_path }}/lib/python3
+    && rm -f python3 \
+    && ln -s python${KOLLA_DISTRO_PYTHON_VERSION} python3
 
 RUN ln -s bifrost-base-source/* bifrost \
     && {{ macros.install_pip(['pip', 'wheel', 'setuptools']) }} \

@@ -23,6 +23,7 @@ function obtain_or_renew_certificate {
     local eab="${8}"
     local hmac="${9}"
     local key_id="${10}"
+    local letsencrypt_key_type="${11:-}"
 
     certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g')
     certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}')
@@ -69,6 +70,7 @@ function obtain_or_renew_certificate {
 
     log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
     mapfile -t cmd_output < <(/opt/lego --email="${mail}" \
+                                        $( [ -n "${letsencrypt_key_type}" ] && echo "--key-type ${letsencrypt_key_type}" ) \
                                         ${certificate_domain_opts} \
                                         --server "${acme_url}" \
                                         --path "/etc/letsencrypt/lego/${certificate_type}/" \
@@ -118,7 +120,7 @@ KEY_ID="NONE"
 LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
 
 
-VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac: -- "$@")
+VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h:k: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac:,key-type: -- "$@")
 if [[ $? -ne 0 ]]; then
     exit 1;
 fi
@@ -176,6 +178,10 @@ while [ : ]; do
             KEY_ID="${2}"
             shift 2
             ;;
+        -k | --key-type)
+            LETSENCRYPT_KEY_TYPE="${2}"
+            shift 2
+            ;;
         --) shift;
             break
             ;;
@@ -203,12 +209,12 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
         log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..."
         if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then
             log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}"
-            obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
+            obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID} ${LETSENCRYPT_KEY_TYPE}
         fi
 
         if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
             log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
-            obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
+            obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID} ${LETSENCRYPT_KEY_TYPE}
         fi
     else
         log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."

@@ -70,6 +70,10 @@ ADD plugins-archive /
 
 COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN mkdir -p /usr/local/lib/neutron-wrappers /usr/local/etc/neutron-wrappers
+COPY dnsmasq haproxy keepalived neutron-keepalived-state-change radvd copy-wrappers delete-wrappers /usr/local/lib/neutron-wrappers/
+RUN chmod +x /usr/local/lib/neutron-wrappers/copy-wrappers \
+    && chmod +x /usr/local/lib/neutron-wrappers/delete-wrappers
 
 RUN ln -s neutron-base-source/* neutron \
     && {{ macros.install_pip(neutron_base_pip_packages | customizable("pip_packages")) }} \

@@ -0,0 +1,9 @@
+#!/bin/bash
+for binary in dnsmasq haproxy keepalived neutron-keepalived-state-change radvd; do
+    cp /usr/local/lib/neutron-wrappers/${binary} /usr/local/bin/${binary}
+    chmod +x /usr/local/bin/${binary}
+done
+
+echo "KOLLA_IMAGE=${KOLLA_IMAGE}" > /usr/local/etc/neutron-wrappers/config
+echo "KOLLA_NAME=${KOLLA_NAME}" >> /usr/local/etc/neutron-wrappers/config
+echo "KOLLA_SERVICE_NAME=${KOLLA_SERVICE_NAME}" >> /usr/local/etc/neutron-wrappers/config
@@ -0,0 +1,6 @@
+#!/bin/bash
+for binary in dnsmasq haproxy keepalived neutron-keepalived-state-change radvd; do
+    rm -f /usr/local/bin/${binary}
+done
+
+rm -f /usr/local/etc/neutron-wrappers/config
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+source /usr/local/etc/neutron-wrappers/config
+
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETNS=$(ip netns identify)
+NAME=${KOLLA_NAME}_dnsmasq_${NETNS}
+
+if [[ -S "/var/run/docker.sock" ]]; then
+    CLI="docker"
+    CMD="ip netns exec ${NETNS} /usr/sbin/dnsmasq -k"
+elif [[ -S "/run/podman/podman.sock" ]]; then
+    CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t1 podman"
+    CMD="/usr/sbin/dnsmasq -k"
+else
+    echo "Could not detect a supported container runtime, exiting."
+    exit 1
+fi
+
+LIST=$($CLI ps -a --filter name=${SERVICE}_dnsmasq_ --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
+
+# If the NAME is already taken by a container, give it an unique name
+printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}_$(date +%Y-%m-%d-%H%M%S-%N)"
+
+echo "Starting a new child container ${NAME} using image ${KOLLA_IMAGE}"
+$CLI run --rm --detach \
+    -v /etc/kolla/${KOLLA_SERVICE_NAME}:/etc/neutron:ro \
+    -v /run/netns:/run/netns:shared \
+    -v neutron_metadata_socket:/var/lib/neutron/kolla/ \
+    -v kolla_logs:/var/log/kolla \
+    --net host \
+    --pid host \
+    --cgroupns host \
+    --privileged \
+    -u root \
+    --name $NAME \
+    ${KOLLA_IMAGE} \
+    $CMD $ARGS
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+source /usr/local/etc/neutron-wrappers/config
+
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETNS=$(ip netns identify)
+NAME=${KOLLA_NAME}_haproxy_${NETNS}
+HAPROXY_CMD='$(if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then echo "/usr/sbin/haproxy -Ds"; else echo "/usr/sbin/haproxy -Ws"; fi)'
+if [[ -S "/var/run/docker.sock" ]]; then
+    CLI="docker"
+    CMD="ip netns exec ${NETNS} "'$HAPROXY'
+elif [[ -S "/run/podman/podman.sock" ]]; then
+    CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman"
+    CMD='$HAPROXY'
+else
+    echo "Could not detect a supported container runtime, exiting."
+    exit 1
+fi
+
+LIST=$($CLI ps -a --filter name=${KOLLA_NAME}_haproxy_ --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
+
+# If the NAME is already taken by a container, give it an unique name
+printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}_$(date +%Y-%m-%d-%H%M%S-%N)"
+
+echo "Starting a new child container ${NAME} using image ${KOLLA_IMAGE}"
+$CLI run --rm --detach \
+    -v /etc/kolla/${KOLLA_SERVICE_NAME}:/etc/neutron:ro \
+    -v /run/netns:/run/netns:shared \
+    -v neutron_metadata_socket:/var/lib/neutron/kolla \
+    -v kolla_logs:/var/log/kolla \
+    --net host \
+    --pid host \
+    --cgroupns host \
+    --privileged \
+    -u root \
+    --name $NAME \
+    ${KOLLA_IMAGE} \
+    /bin/bash -c "HAPROXY=\"$HAPROXY_CMD\"; exec $CMD $ARGS"
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+source /usr/local/etc/neutron-wrappers/config
+
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETNS=$(ip netns identify)
+NAME=${KOLLA_NAME}_keepalived_${NETNS}
+
+if [[ -S "/var/run/docker.sock" ]]; then
+    CLI="docker"
+    CMD="ip netns exec ${NETNS} /usr/sbin/keepalived -n -l -D"
+elif [[ -S "/run/podman/podman.sock" ]]; then
+    CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman"
+    CMD='/usr/sbin/keepalived -n -l -D'
+else
+    echo "Could not detect a supported container runtime, exiting."
+    exit 1
+fi
+
+LIST=$($CLI ps -a --filter name=${KOLLA_SERVICE}_keepalived_ --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
+
+# If the NAME is already taken by a container, give it an unique name
+printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}_$(date +%Y-%m-%d-%H%M%S-%N)"
+
+echo "Starting a new child container ${NAME} using image ${KOLLA_IMAGE}"
+$CLI run --detach \
+    -v /etc/kolla/${KOLLA_SERVICE_NAME}:/etc/neutron:ro \
+    -v /lib/modules:/lib/modules:ro \
+    -v /sbin/modprobe:/sbin/modprobe:ro \
+    -v /run/netns:/run/netns:shared \
+    -v neutron_metadata_socket:/var/lib/neutron/kolla/ \
+    -v kolla_logs:/var/log/kolla \
+    --net host \
+    --pid host \
+    --cgroupns host \
+    --privileged \
+    -u root \
+    --name $NAME \
+    ${KOLLA_IMAGE} \
+    $CMD $ARGS
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+source /usr/local/etc/neutron-wrappers/config
+
+ARGS="$@"
+
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETNS=$(ip netns identify)
+NAME=${KOLLA_NAME}_keepalived_${NETNS}
+if [[ -S "/var/run/docker.sock" ]]; then
+    CLI="docker exec --detach"
+    CMD="ip netns exec ${NETNS} /usr/bin/neutron-keepalived-state-change"
+elif [[ -S "/run/podman/podman.sock" ]]; then
+    CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman exec"
+    CMD="/usr/bin/neutron-keepalived-state-change"
+else
+    echo "Could not detect a supported container runtime, exiting."
+    exit 1
+fi
+
+# The state change daemon only runs as a daemon for the moment so we need to
+# run it within an existing container with a sensibly matching lifetime.  The
+# related keepalived container seems an obvious choice.
+container_id=$($CLI ps --filter name=$NAME --format "{{.ID}}")
+
+if [[ -z $container_id ]];
+then
+    echo "WARNING: keepalived container is not running."
+    exit 0
+fi
+
+$CLI -u root \
+    --privileged \
+    $NAME \
+    $CMD $ARGS
@@ -8,3 +8,4 @@ neutron ALL = (root) NOPASSWD: /usr/sbin/update-alternatives --set iptables /usr
 neutron ALL = (root) NOPASSWD: /usr/sbin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 neutron ALL = (root) NOPASSWD: /usr/sbin/update-alternatives --auto iptables
 neutron ALL = (root) NOPASSWD: /usr/sbin/update-alternatives --auto ip6tables
+neutron ALL = (root) NOPASSWD: /usr/local/lib/neutron-wrappers/copy-wrappers, /usr/local/lib/neutron-wrappers/delete-wrappers
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/local/etc/neutron-wrappers/config
+
+ARGS="$@"
+# Extract the network namespace UUID from the command line args provided by
+# neutron. Typically of the form (with dnsmasq as an example):
+#
+# dnsmasq --no-hosts --no-resolv --except-interface=lo \
+#   --pid-file=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/pid  \
+#   --dhcp-hostsfile=/var/lib/neutron/dhcp/317716b8-919a-4a6f-8db1-78128ec3b100/host ...
+NETWORK_ID=$(echo $ARGS| awk '{if (match($0, /(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,m)) print m[0] }')
+NAME=${KOLLA_NAME}_radvd_${NETWORK_ID}
+if [[ -S "/var/run/docker.sock" ]]; then
+    CLI="docker"
+    CMD="ip netns exec qrouter-${NETWORK_ID} /usr/sbin/radvd -n"
+elif [[ -S "/run/podman/podman.sock" ]]; then
+    CLI="nsenter --net=/run/netns/${NETNS} --preserve-credentials -m -t 1 podman"
+    CMD="/usr/sbin/radvd -n"
+else
+    echo "Could not detect a supported container runtime, exiting."
+    exit 1
+fi
+
+LIST=$($CLI ps -a --filter name=${KOLLA_NAME}_radvd_ --format '{{.ID}}:{{.Names}}:{{.Status}}' | awk '{print $1}')
+# If the NAME is already taken by a container, give it an unique name
+printf "%s\n" "${LIST}" | grep -q "${NAME}$" && NAME="${NAME}_$(date +%Y-%m-%d-%H%M%S-%N)"
+
+echo "Starting a new child container ${NAME} using image ${KOLLA_IMAGE}"
+$CLI run --rm --detach \
+     -v /etc/kolla/${KOLLA_SERVICE_NAME}:/etc/neutron:ro \
+     -v /run/netns:/run/netns:shared \
+     -v neutron_metadata_socket:/var/lib/neutron/kolla/ \
+     -v kolla_logs:/var/log/kolla \
+     --net host \
+     --pid host \
+     --cgroupns host \
+     --privileged \
+     -u root \
+     --name $NAME \
+     ${KOLLA_IMAGE} \
+     $CMD $ARGS
@@ -6,4 +6,12 @@ if [[ ! -f "/var/log/kolla/neutron/dnsmasq.log" ]]; then
     chown neutron:kolla /var/log/kolla/neutron/dnsmasq.log
 fi
 
+if [[ "${KOLLA_NEUTRON_WRAPPERS:-false}" == "true" ]]; then
+    echo "Copying neutron agent wrappers to /usr/local/bin"
+    sudo -E /usr/local/lib/neutron-wrappers/copy-wrappers
+else
+    echo "Removing neutron agent wrappers from /usr/local/bin"
+    sudo -E /usr/local/lib/neutron-wrappers/delete-wrappers
+fi
+
 . /usr/local/bin/kolla_neutron_extend_start
@@ -26,6 +26,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {{ macros.kolla_patch_sources() }}
 
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+
 {% block neutron_l3_agent_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 

@@ -0,0 +1,39 @@
+#!/bin/bash
+if [[ ! -d "/var/log/kolla/neutron" ]]; then
+    mkdir -p /var/log/kolla/neutron
+fi
+if [[ $(stat -c %a /var/log/kolla/neutron) != "755" ]]; then
+    chmod 755 /var/log/kolla/neutron
+fi
+
+# NOTE(hrw): from RHEL 9 release notes:
+# "Iptables-nft and ipset are now deprecated, which included the utilities,
+#  iptables, ip6tables, ebtables, and arptables. These are all replaced by the
+#  nftables framework."
+# so no need to even use u-a on RHEL 9 family as there is one provider
+# (and there is no u-a for ip6tables so script fails)
+if [[ ! ${KOLLA_BASE_DISTRO} =~ centos|rocky ]]; then
+    if /usr/bin/update-alternatives --display iptables; then
+        # NOTE(yoctozepto): Kolla-Ansible does not always set KOLLA_LEGACY_IPTABLES;
+        # the workaround below ensures it gets set to `false` in such cases to fix
+        # this code under `set -o nounset`.
+        KOLLA_LEGACY_IPTABLES=${KOLLA_LEGACY_IPTABLES-false}
+        if [[ $KOLLA_LEGACY_IPTABLES == "true" ]]; then
+            sudo /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
+            sudo /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+        else
+            sudo /usr/bin/update-alternatives --auto iptables
+            sudo /usr/bin/update-alternatives --auto ip6tables
+        fi
+    fi
+fi
+
+if [[ "${KOLLA_NEUTRON_WRAPPERS:-false}" == "true" ]]; then
+    echo "Copying neutron agent wrappers to /usr/local/bin"
+    sudo -E /usr/local/lib/neutron-wrappers/copy-wrappers
+else
+    echo "Removing neutron agent wrappers from /usr/local/bin"
+    sudo -E /usr/local/lib/neutron-wrappers/delete-wrappers
+fi
+
+. /usr/local/bin/kolla_neutron_extend_start