Merge remote-tracking branch 'starlingx/master' into HEAD

Change-Id: Iaf611b4be300467ed0c3bee5ba1af4a06bb98230 Signed-off-by: Scott Little <scott.little@windriver.com>
2019-01-23 16:10:10 -05:00 · 2019-01-23 16:10:10 -05:00 · 679b884c76
parent 7856f0ab35 cf67244052
commit 679b884c76
13 changed files with 223 additions and 10 deletions
--- a/openstack/openstack-helm-infra/centos/build_srpm.data
+++ b/openstack/openstack-helm-infra/centos/build_srpm.data
@ -5,4 +5,4 @@ TAR="$TAR_NAME-$SHA.tar.gz"

 COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/*"

-TIS_PATCH_VER=5
+TIS_PATCH_VER=6
--- a/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack/openstack-helm-infra/centos/openstack-helm-infra.spec
@ -18,6 +18,7 @@ BuildArch:     noarch
 Patch01: 0001-gnocchi-chart-updates.patch
 Patch02: Mariadb-Support-adoption-of-running-single-node-mari.patch
 Patch03: Mariadb-Share-container-PID-namespaces-under-docker.patch
+Patch04: 0004-Allow-multiple-containers-per-daemonset-pod.patch

 BuildRequires: helm

@ -29,6 +30,7 @@ Openstack Helm Infra charts
 %patch01 -p1
 %patch02 -p1
 %patch03 -p1
+%patch04 -p1

 %build
 # initialize helm and build the toolkit
--- a/openstack/openstack-helm-infra/files/0004-Allow-multiple-containers-per-daemonset-pod.patch
+++ b/openstack/openstack-helm-infra/files/0004-Allow-multiple-containers-per-daemonset-pod.patch
@ -0,0 +1,35 @@
+From 26844aac43f76afc65ed907fc94ab83ca93c86ae Mon Sep 17 00:00:00 2001
+From: Gerry Kopec <Gerry.Kopec@windriver.com>
+Date: Wed, 9 Jan 2019 20:11:33 -0500
+Subject: [PATCH] Allow multiple containers per daemonset pod
+
+Remove code that restricted daemonset pods to single containers.
+Container names will default to name from helm chart template without
+hostname and sha though the pod will still have them.
+
+May require further refinement before this can be upstreamed.
+---
+ helm-toolkit/templates/utils/_daemonset_overrides.tpl | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/helm-toolkit/templates/utils/_daemonset_overrides.tpl
+index 8ba2241..b960a84 100644
+--- a/helm-toolkit/templates/utils/_daemonset_overrides.tpl
+++ b/helm-toolkit/templates/utils/_daemonset_overrides.tpl
+@@ -217,13 +217,6 @@ limitations under the License.
+     {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+     {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+ 
+-    {{/* set container name
+-    assume not more than one container is defined */}}
+-    {{- $container := first $context.Values.__daemonset_yaml.spec.template.spec.containers }}
+-    {{- $_ := set $container "name" $current_dict.dns_1123_name }}
+-    {{- $cont_list := list $container }}
+-    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "containers" $cont_list }}
+-
+     {{/* cross-reference configmap name to container volume definitions */}}
+     {{- $_ := set $context.Values "__volume_list" list }}
+     {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+-- 
+1.8.3.1
+
--- a/openstack/openstack-helm/centos/build_srpm.data
+++ b/openstack/openstack-helm/centos/build_srpm.data
@ -5,4 +5,4 @@ TAR="$TAR_NAME-$SHA.tar.gz"

 COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/* "

-TIS_PATCH_VER=9
+TIS_PATCH_VER=10
--- a/openstack/openstack-helm/centos/openstack-helm.spec
+++ b/openstack/openstack-helm/centos/openstack-helm.spec
@ -23,9 +23,10 @@ Patch02: 0002-Add-Aodh-Chart.patch
 Patch03: 0003-Add-Panko-Chart.patch
 Patch04: Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
 Patch05: 0005-Add-heat-purge-deleted-cron-job.patch
-Patch06: 0006-Stein-Remove-ceilometer-upgrade-option.patch
-Patch07: 0007-Stein-Update-Cinder-to-include-resource_filters.json.patch
-Patch08: 0008-Stein-add-log_config_append-to-neutron-etc.patch
+Patch06: 0006-Enable-cold-migration-in-nova-helm-chart.patch
+Patch07: 0007-Stein-Remove-ceilometer-upgrade-option.patch
+Patch08: 0008-Stein-Update-Cinder-to-include-resource_filters.json.patch
+Patch09: 0009-Stein-add-log_config_append-to-neutron-etc.patch

 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -44,6 +45,7 @@ Openstack Helm charts
 %patch06 -p1
 %patch07 -p1
 %patch08 -p1
+%patch09 -p1

 %build
 # initialize helm and build the toolkit
--- a/openstack/openstack-helm/files/0006-Enable-cold-migration-in-nova-helm-chart.patch
+++ b/openstack/openstack-helm/files/0006-Enable-cold-migration-in-nova-helm-chart.patch
@ -0,0 +1,174 @@
+From 7760815c98231ffd431f053f8fac35902f420118 Mon Sep 17 00:00:00 2001
+From: Gerry Kopec <Gerry.Kopec@windriver.com>
+Date: Thu, 10 Jan 2019 00:12:21 -0500
+Subject: [PATCH] Enable cold migration in nova helm chart
+
+- Move private key from sshd container to nova-compute container.
+- Map private and public keys to configmap-ssh which will default to
+  correct file permissions.
+- Add additional config to /etc/ssh/sshd_config to allow passwordless
+  root logins over appropriate subnet passed in from overrides.
+- Remove chmods from sshd bash script as they are failing.
+
+Depends on helm-toolkit supporting multiple containers per pod.
+---
+ nova/templates/bin/_ssh-start.sh.tpl  | 19 ++++++++++++++++---
+ nova/templates/configmap-etc.yaml     |  4 ++--
+ nova/templates/configmap-ssh.yaml     | 35 +++++++++++++++++++++++++++++++++++
+ nova/templates/daemonset-compute.yaml | 14 +++++++++-----
+ nova/values.yaml                      |  5 +++++
+ 5 files changed, 67 insertions(+), 10 deletions(-)
+ create mode 100755 nova/templates/configmap-ssh.yaml
+
+diff --git a/nova/templates/bin/_ssh-start.sh.tpl b/nova/templates/bin/_ssh-start.sh.tpl
+index 1c10cb0..158090b 100644
+--- a/nova/templates/bin/_ssh-start.sh.tpl
+++ b/nova/templates/bin/_ssh-start.sh.tpl
+@@ -33,8 +33,21 @@ if [[ $(stat -c %U:%G ~nova/.ssh) != "nova:nova" ]]; then
+     chown nova: ~nova/.ssh
+ fi
+ 
+-chmod 0600 ~root/.ssh/authorized_keys
+-chmod 0600 ~root/.ssh/id_rsa
+-chmod 0600 ~root/.ssh/id_rsa.pub
+{{- if .Values.network.sshd.enabled }}
+subnet_address="{{- .Values.network.sshd.from_subnet -}}"
+cat > /tmp/sshd_config_extend <<EOF
+
+# This Match block prevents Password Authentication for root user
+Match User root
+    PasswordAuthentication no
+
+# This Match Block is used to allow Root Login exceptions over the
+# internal subnet used by Nova Migrations
+Match Address $subnet_address
+    PermitRootLogin without-password
+EOF
+cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
+rm /tmp/sshd_config_extend
+{{- end }}
+ 
+ exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
+diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
+index 55aa311..0d1e7a5 100644
+--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
+@@ -232,8 +232,8 @@ data:
+   logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+   nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
+-# FIXME(portdirect): why is this file suffixed .sh?
+-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config.sh" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
+
+ {{- end }}
+ {{- end }}
+ {{- if .Values.manifests.configmap_etc }}
+diff --git a/nova/templates/configmap-ssh.yaml b/nova/templates/configmap-ssh.yaml
+new file mode 100755
+index 0000000..bab8e33
+--- /dev/null
+++ b/nova/templates/configmap-ssh.yaml
+@@ -0,0 +1,35 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.ssh" }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nova-ssh
+type: Opaque
+data:
+  ssh-key-private: {{ .Values.conf.ssh_private | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh_public "key" "ssh-key-public" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
+{{- end }}
+diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
+index 850f0b0..82f185f 100644
+--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
+@@ -217,6 +217,9 @@ spec:
+               mountPath: /root/.ssh/config
+               subPath: ssh-config
+               readOnly: true
+            - name: nova-ssh
+              mountPath: /root/.ssh/id_rsa
+              subPath: ssh-key-private
+             {{- if .Values.conf.ceph.enabled }}
+             - name: etcceph
+               mountPath: /etc/ceph
+@@ -273,13 +276,10 @@ spec:
+               mountPath: /var/lib/nova
+             - name: varliblibvirt
+               mountPath: /var/lib/libvirt
+-            - name: nova-etc
+-              mountPath: /root/.ssh/id_rsa
+-              subPath: ssh-key-private
+-            - name: nova-etc
+            - name: nova-ssh
+               mountPath: /root/.ssh/id_rsa.pub
+               subPath: ssh-key-public
+-            - name: nova-etc
+            - name: nova-ssh
+               mountPath: /root/.ssh/authorized_keys
+               subPath: ssh-key-public
+             - name: nova-bin
+@@ -295,6 +295,10 @@ spec:
+           secret:
+             secretName: {{ $configMapName }}
+             defaultMode: 0444
+        - name: nova-ssh
+          secret:
+            secretName: nova-ssh
+            defaultMode: 0400
+         {{- if .Values.conf.ceph.enabled }}
+         - name: etcceph
+           emptyDir: {}
+diff --git a/nova/values.yaml b/nova/values.yaml
+index 4edf5c6..9646ded 100644
+--- a/nova/values.yaml
+++ b/nova/values.yaml
+@@ -209,6 +209,9 @@ network:
+   ssh:
+     name: "nova-ssh"
+     port: 8022
+  sshd:
+    enabled: false
+    from_subnet: 0.0.0.0/24
+ 
+ dependencies:
+   dynamic:
+@@ -460,6 +463,8 @@ conf:
+       StrictHostKeyChecking no
+       UserKnownHostsFile /dev/null
+       Port {{ .Values.network.ssh.port }}
+  ssh_private: 'null'
+  ssh_public: 'null'
+   rally_tests:
+     run_tempest: false
+     tests:
+-- 
+1.8.3.1
+
--- a/openstack/openstack-helm/files/0007-Stein-Remove-ceilometer-upgrade-option.patch
+++ b/openstack/openstack-helm/files/0007-Stein-Remove-ceilometer-upgrade-option.patch
--- a/openstack/openstack-helm/files/0008-Stein-Update-Cinder-to-include-resource_filters.json.patch
+++ b/openstack/openstack-helm/files/0008-Stein-Update-Cinder-to-include-resource_filters.json.patch
--- a/openstack/openstack-helm/files/0009-Stein-add-log_config_append-to-neutron-etc.patch
+++ b/openstack/openstack-helm/files/0009-Stein-add-log_config_append-to-neutron-etc.patch
--- a/openstack/openstack-helm/files/Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
+++ b/openstack/openstack-helm/files/Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
@ -56,8 +56,8 @@ index 217d942..a5950a4 100644
      source /etc/apache2/envvars
   fi
 
-+  # Get rid of stale pid file if present.
-+  rm -f /var/run/apache2/*.pid
+  # Get rid of stale pid, shared memory segment and wsgi sock files if present.
+  rm -f /var/run/apache2/*
 +
   # Start Apache2
   exec apache2 -DFOREGROUND
--- a/openstack/python-ceilometer/centos/stx-ceilometer.master_docker_image
+++ b/openstack/python-ceilometer/centos/stx-ceilometer.master_docker_image
@ -2,6 +2,6 @@ BUILDER=loci
 LABEL=stx-ceilometer
 PROJECT=ceilometer
 PROJECT_REPO=https://github.com/openstack/ceilometer.git
-PIP_PACKAGES="pylint libvirt-python panko gnocchiclient"
+PIP_PACKAGES="pylint libvirt-python panko==5.0.0 gnocchiclient"
 DIST_PACKAGES="libvirt ipmitool"

--- a/openstack/python-nova/centos/stx-nova.master_docker_image
+++ b/openstack/python-nova/centos/stx-nova.master_docker_image
@ -3,7 +3,7 @@ LABEL=stx-nova
 PROJECT=nova
 PROJECT_REPO=https://github.com/openstack/nova.git
 PIP_PACKAGES="pycrypto httplib2 pylint"
-DIST_PACKAGES="openssh-clients openssh-server libvirt "
+DIST_PACKAGES="openssh-clients openssh-server libvirt e2fsprogs"
 PROFILES="fluent nova ceph linuxbridge openvswitch configdrive qemu apache"
 CUSTOMIZATION="yum install -y openssh-clients"

--- a/openstack/python-nova/centos/stx-nova.pike_docker_image
+++ b/openstack/python-nova/centos/stx-nova.pike_docker_image
@ -3,7 +3,7 @@ LABEL=stx-nova
 PROJECT=nova
 PROJECT_REPO=https://github.com/starlingx-staging/stx-nova.git
 PIP_PACKAGES="pycrypto tsconfig cgtsclient httplib2 pylint"
-DIST_PACKAGES="openssh-clients openssh-server libvirt pam-config"
+DIST_PACKAGES="openssh-clients openssh-server libvirt pam-config e2fsprogs"
 PROFILES="fluent nova ceph linuxbridge openvswitch configdrive qemu apache"