From c4d91eca1ba1614648fb2ae96340ed2876f64cd3 Mon Sep 17 00:00:00 2001 From: Alexandru Avadanii Date: Sat, 1 Sep 2018 18:05:08 +0200 Subject: [PATCH] [docker] Cleanup, minor fixes, formula bump * ship prebuilt salt master conf for better readability: - enable x509.sign_remote_certificate (for prx VCP nodes); * refactor Salt master CA handling: - preinstall `salt_minion_dependency_packages` and `salt_minion_reclass_dependencies` inside docker image; - persistent /etc/pki; - run salt.minion on cfg01 to generate master keys; * bump container formulas to 1 Sep 2018 versions or newer: - inject date into Docker makefile, forcing a fresh fetch of all salt formulas from upstream git repos; * workaround broken salt-formula-designate's meta/sphinx.yml: - the DEB package version of salt-formula-designate uses `cmd.shell` to query dpkg on the minion, while the git repo version still uses `cmd.run`, running into parsing issues; - temporarily disable sphinx metadata generation for designate until upstream git repo syncs with the DEB version; * upstream: salt-formula-salt AArch64 salt.control.virt support: - retire salt-formula-salt git submodule and related patches; * skip installing reclass distro package (already installed via pip inside the container); * limit initial pillar_refresh call to nodes on jumphost; * remove unused salt-formula-nova git submodule; JIRA: FUEL-383 Change-Id: I883b825e556f887a5e31f8a43676dcd8ece6dfde 
Signed-off-by: Alexandru Avadanii --- .gitmodules | 8 -- mcp/config/states/virtual_init | 6 +- ...02-OPNFV-package-installation-Ubuntu-user.patch | 23 ++- .../0002-Set-ovs-bridges-as-L3-interfaces.patch | 6 +- ...irt-xml-pass-loader-virt-machine-cpu-mode.patch | 157 --------------------- .../cluster/mcp-common-ha/openstack_control.yml.j2 | 3 + mcp/salt-formulas/salt-formula-nova | 1 - mcp/salt-formulas/salt-formula-salt | 1 - mcp/scripts/docker-compose/docker-compose.yaml.j2 | 1 + mcp/scripts/docker-compose/files/entrypoint.sh | 10 ++ mcp/scripts/docker-compose/files/opnfv_master.conf | 16 +++ mcp/scripts/lib.sh | 10 +- 12 files changed, 57 insertions(+), 185 deletions(-) delete mode 100644 mcp/patches/salt-formula-salt/0001-libvirt-xml-pass-loader-virt-machine-cpu-mode.patch delete mode 160000 mcp/salt-formulas/salt-formula-nova delete mode 160000 mcp/salt-formulas/salt-formula-salt create mode 100644 mcp/scripts/docker-compose/files/opnfv_master.conf diff --git a/.gitmodules b/.gitmodules index e664bd1ae..e1d801159 100644 --- a/.gitmodules +++ b/.gitmodules @@ -14,10 +14,6 @@ path = mcp/salt-formulas/salt-formula-linux url = https://github.com/salt-formulas/salt-formula-linux branch = master -[submodule "salt-formula-nova"] - path = mcp/salt-formulas/salt-formula-nova - url = https://github.com/salt-formulas/salt-formula-nova - branch = master [submodule "salt-formula-keystone"] path = mcp/salt-formulas/salt-formula-keystone url = https://github.com/salt-formulas/salt-formula-keystone @@ -26,7 +22,3 @@ path = mcp/salt-formulas/salt-formula-maas url = https://github.com/salt-formulas/salt-formula-maas branch = master -[submodule "salt-formula-salt"] - path = mcp/salt-formulas/salt-formula-salt - url = https://github.com/salt-formulas/salt-formula-salt - branch = master diff --git a/mcp/config/states/virtual_init b/mcp/config/states/virtual_init index 147e6b05e..47d69cd8a 100755 --- a/mcp/config/states/virtual_init +++ b/mcp/config/states/virtual_init 
@@ -19,9 +19,9 @@ CI_DEBUG=${CI_DEBUG:-0}; [[ "${CI_DEBUG}" =~ (false|0) ]] || set -x LOCAL_VIRT_NODES=$(echo ${virtual_nodes[*]}) # unquoted to filter space NODE_MASK="${LOCAL_VIRT_NODES// /|}" -# wait_for 3.0 "salt-call state.apply salt exclude='[{id: salt_master_service}]'" -wait_for 5.0 "salt-call state.sls reclass,linux.network" -wait_for 3.0 "salt -C '*' saltutil.refresh_pillar" +wait_for 5.0 "salt-call state.sls reclass,linux.network,salt.minion \ + exclude='[{id: reclass_packages}, {id: /etc/reclass/reclass-config.yml}]'" +wait_for 3.0 "salt -C 'E@^(${NODE_MASK}).*' saltutil.refresh_pillar" # NOTE: domain name changes are not yet supported without a clean redeploy diff --git a/mcp/patches/docker/0002-OPNFV-package-installation-Ubuntu-user.patch b/mcp/patches/docker/0002-OPNFV-package-installation-Ubuntu-user.patch index 51931b507..c983ad728 100644 --- a/mcp/patches/docker/0002-OPNFV-package-installation-Ubuntu-user.patch +++ b/mcp/patches/docker/0002-OPNFV-package-installation-Ubuntu-user.patch @@ -16,17 +16,26 @@ Subject: [PATCH] OPNFV package installation, Ubuntu user workaround); * While at it, create 'ubuntu' user so other OPNFV projects don't have to switch to 'root' login; +* Preinstall `salt_minion_dependency_packages` and + `salt_minion_reclass_dependencies`; Signed-off-by: Alexandru Avadanii --- - DockerMake.yml | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) + DockerMake.yml | 36 +++++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/DockerMake.yml b/DockerMake.yml -index 2c75586..4883e2c 100644 +index 2c75586..8fb460d 100644 --- a/DockerMake.yml 
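Review bot: In mcp/config/states/virtual_init the new target `E@^(${NODE_MASK}).*` only narrows the pillar refresh while `NODE_MASK` is non-empty; if `virtual_nodes` is ever empty the expression becomes `E@^().*`, which matches every minion and silently restores the old `'*'` behaviour. Node names are also interpolated into the PCRE unescaped, so a name containing a regex metacharacter would widen or break the match. If an empty list is possible here (not visible in the hunk), guard the call, e.g. `[ -z "${NODE_MASK}" ] || wait_for 3.0 "salt -C 'E@^(${NODE_MASK}).*' saltutil.refresh_pillar"`. A one-line comment on why `reclass_packages` and `/etc/reclass/reclass-config.yml` are excluded would also help; the commit message says reclass is already installed via pip inside the container, but the script does not.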
+++ b/DockerMake.yml -@@ -108,6 +108,34 @@ salt-formulas: +@@ -102,12 +102,46 @@ salt-formulas: + ENV SALT_ENV_PATH_ $SALT_ENV_PATH_ + ARG RECLASS_BASE="/srv/salt/reclass" + ENV RECLASS_BASE $RECLASS_BASE +- RUN echo "Layer python/salt module prerequisites, formulas" \ ++ RUN echo "Layer python/salt module prerequisites, formulas (1 Sep 2018)" \ + && mkdir -p /srv/salt \ + && curl -sSqL https://raw.githubusercontent.com/salt-formulas/salt-formulas-scripts/master/formula-fetch.sh -o /srv/salt/formula-fetch.sh \ && bash -c 'source /srv/salt/formula-fetch.sh && setupPyEnv && fetchAll' \ && eval ${LAYER_CLEANUP} @@ -53,6 +62,12 @@ index 2c75586..4883e2c 100644 + kmod \ + net-tools \ + openssh-server \ ++ python-m2crypto \ ++ python-msgpack \ ++ python-netaddr \ ++ python-oauth \ ++ python-psutil \ ++ python-yaml \ + && useradd -m ubuntu \ + && echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ubuntu \ + && eval ${LAYER_CLEANUP} diff --git a/mcp/patches/salt-formula-linux/0002-Set-ovs-bridges-as-L3-interfaces.patch b/mcp/patches/salt-formula-linux/0002-Set-ovs-bridges-as-L3-interfaces.patch index 9de6325ed..390a0bfcd 100644 --- a/mcp/patches/salt-formula-linux/0002-Set-ovs-bridges-as-L3-interfaces.patch +++ b/mcp/patches/salt-formula-linux/0002-Set-ovs-bridges-as-L3-interfaces.patch @@ -12,15 +12,15 @@ Subject: [PATCH] Set ovs bridges as L3 interfaces Change-Id: I1e83129cc184cf481bea21d7aa452bf60d9e0499 --- - linux/files/ovs_bridge | 19 +++++++++++++++++++ + linux/files/ovs_bridge | 18 ++++++++++++++++++ linux/files/ovs_port | 7 ++++++- linux/network/interface.sls | 28 ++++++++++++++++++++++++++++ - 3 files changed, 53 insertions(+), 1 deletion(-) + 3 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 linux/files/ovs_bridge diff --git a/linux/files/ovs_bridge b/linux/files/ovs_bridge new file mode 100644 -index 0000000..073c91c +index 0000000..d33864c --- /dev/null +++ b/linux/files/ovs_bridge @@ -0,0 +1,18 @@ 
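Review bot: In the DockerMake.yml patch, the `(1 Sep 2018)` suffix added to the `RUN echo` line only invalidates the layer cache and pins nothing. The same RUN step still downloads `formula-fetch.sh` from the `master` branch with curl and sources it, and `fetchAll` presumably takes each formula from its upstream branch head. The image contents therefore depend on whatever upstream serves at build time, and the date in the label is not a verifiable record of what was built. Consider fetching the script from a fixed revision (`.../salt-formulas-scripts/<commit-sha>/formula-fetch.sh`) or checking its digest before sourcing it, and logging the formula revisions that were actually fetched. The curl and bash lines are context in the inner patch, so this goes beyond what the hunk itself changes.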
diff --git a/mcp/patches/salt-formula-salt/0001-libvirt-xml-pass-loader-virt-machine-cpu-mode.patch b/mcp/patches/salt-formula-salt/0001-libvirt-xml-pass-loader-virt-machine-cpu-mode.patch deleted file mode 100644 index effab8743..000000000 --- a/mcp/patches/salt-formula-salt/0001-libvirt-xml-pass-loader-virt-machine-cpu-mode.patch +++ /dev/null 
@@ -1,157 +0,0 @@ -:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -: Copyright (c) 2018 Mirantis Inc., Enea AB and others. -: -: All rights reserved. This program and the accompanying materials -: are made available under the terms of the Apache License, Version 2.0 -: which accompanies this distribution, and is available at -: http://www.apache.org/licenses/LICENSE-2.0 -:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -From: Alexandru Avadanii -Date: Sun, 24 Jun 2018 20:36:44 +0200 -Subject: [PATCH] libvirt xml: pass loader, virt machine, cpu mode - -- libvirt xml: pass loader param to vm - Based on upstream commit [1]. -- libvirt xml: pass virt machine type -- libvirt xml: pass cpu mode to vm -- virt module: Allow NVRAM unlinking on DOM undefine - UEFI-enabled VMs usually have pflash (NVRAM) devices attached, - which require one additional libvirt flag to be passed at 'undefine'. - This is usually the case for AArch64 (arm64) VMs, where AAVMF (AA64 - UEFI) is the only supported guest bootloader. - -[1] https://github.com/saltstack/salt/commit/9cace9adb - -Signed-off-by: Alexandru Avadanii ---- - README.rst | 7 +++++ - _modules/virtng.py | 40 +++++++++++++++++++++++++++- - salt/control/virt.sls | 9 +++++++ - tests/pillar/control_virt_custom.sls | 6 +++++ - 4 files changed, 61 insertions(+), 1 deletion(-) - -diff --git a/README.rst b/README.rst -index fd15b19..7f8f4a4 100644 ---- a/README.rst -+++ b/README.rst -@@ -453,6 +453,13 @@ Control VM provisioning: - rate: - period: '1800' - bytes: '1500' -+ # Custom per-node loader definition (e.g. 
for AArch64 UEFI) -+ loader: -+ readonly: yes -+ type: pflash -+ path: /usr/share/AAVMF/AAVMF_CODE.fd -+ machine: virt-2.11 # Custom per-node virt machine type -+ cpu_mode: host-passthrough - mac: - nic01: AC:DE:48:AA:AA:AA - nic02: AC:DE:48:AA:AA:BB -diff --git a/_modules/virtng.py b/_modules/virtng.py -index ce09508..6abd0eb 100644 ---- a/_modules/virtng.py -+++ b/_modules/virtng.py -@@ -530,6 +530,9 @@ def init(name, - disk='default', - saltenv='base', - rng=None, -+ loader=None, -+ machine=None, -+ cpu_mode=None, - **kwargs): - ''' - Initialize a new vm -@@ -649,6 +652,37 @@ def init(name, - - xml = _gen_xml(name, cpu, mem, diskp, nicp, hypervisor, **kwargs) - -+ # TODO: Remove this code and refactor module, when salt-common would have updated libvirt_domain.jinja template -+ if cpu_mode: -+ xml_doc = minidom.parseString(xml) -+ cpu_xml = xml_doc.createElement("cpu") -+ cpu_xml.setAttribute('mode', cpu_mode) -+ xml_doc.getElementsByTagName("domain")[0].appendChild(cpu_xml) -+ xml = xml_doc.toxml() -+ -+ # TODO: Remove this code and refactor module, when salt-common would have updated libvirt_domain.jinja template -+ if machine: -+ xml_doc = minidom.parseString(xml) -+ os_xml = xml_doc.getElementsByTagName("domain")[0].getElementsByTagName("os")[0] -+ os_xml.getElementsByTagName("type")[0].setAttribute('machine', machine) -+ xml = xml_doc.toxml() -+ -+ # TODO: Remove this code and refactor module, when salt-common would have updated libvirt_domain.jinja template -+ if loader and 'path' not in loader: -+ log.info('`path` is a required property of `loader`, and cannot be found. 
Skipping loader configuration') -+ loader = None -+ elif loader: -+ xml_doc = minidom.parseString(xml) -+ loader_xml = xml_doc.createElement("loader") -+ for key, val in loader.items(): -+ if key == 'path': -+ continue -+ loader_xml.setAttribute(key, val) -+ loader_path_xml = xml_doc.createTextNode(loader['path']) -+ loader_xml.appendChild(loader_path_xml) -+ xml_doc.getElementsByTagName("domain")[0].getElementsByTagName("os")[0].appendChild(loader_xml) -+ xml = xml_doc.toxml() -+ - # TODO: Remove this code and refactor module, when salt-common would have updated libvirt_domain.jinja template - for _nic in nicp: - if _nic['virtualport']: -@@ -1552,7 +1586,11 @@ def undefine(vm_): - salt '*' virtng.undefine - ''' - dom = _get_dom(vm_) -- return dom.undefine() == 0 -+ if getattr(libvirt, 'VIR_DOMAIN_UNDEFINE_NVRAM', False): -+ # This one is only in 1.2.8+ -+ return dom.undefineFlags(libvirt.VIR_DOMAIN_UNDEFINE_NVRAM) == 0 -+ else: -+ return dom.undefine() == 0 - - - def purge(vm_, dirs=False): -diff --git a/salt/control/virt.sls b/salt/control/virt.sls -index a2e56ff..1bcca95 100644 ---- a/salt/control/virt.sls -+++ b/salt/control/virt.sls -@@ -58,6 +58,15 @@ salt_control_virt_{{ cluster_name }}_{{ node_name }}: - {%- elif rng is defined %} - - rng: {{ rng }} - {%- endif %} -+ {%- if node.loader is defined %} -+ - loader: {{ node.loader }} -+ {%- endif %} -+ {%- if node.machine is defined %} -+ - machine: {{ node.machine }} -+ {%- endif %} -+ {%- if node.cpu_mode is defined %} -+ - cpu_mode: {{ node.cpu_mode }} -+ {%- endif %} - - kwargs: - seed: True - serial_type: pty -diff --git a/tests/pillar/control_virt_custom.sls b/tests/pillar/control_virt_custom.sls -index 71cf37f..dcfafbd 100644 ---- a/tests/pillar/control_virt_custom.sls -+++ b/tests/pillar/control_virt_custom.sls -@@ -63,11 +63,17 @@ salt: - image: ubuntu.qcow - size: medium - img_dest: /var/lib/libvirt/ssdimages -+ machine: virt-2.11 -+ cpu_mode: host-passthrough - ubuntu2: - provider: node02.domain.com 
- image: bubuntu.qcomw - size: small - img_dest: /var/lib/libvirt/hddimages -+ loader: -+ readonly: yes -+ type: pflash -+ path: /usr/share/AAVMF/AAVMF_CODE.fd - ubuntu3: - provider: node03.domain.com - image: meowbuntu.qcom2 diff --git a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 index a7e8fcde3..a518c6e11 100644 --- a/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 +++ b/mcp/reclass/classes/cluster/mcp-common-ha/openstack_control.yml.j2 @@ -182,6 +182,9 @@ parameters: keys: - designate designate: + _support: + sphinx: + enabled: False # Workaround broken meta/sphinx.yml in salt-formula-designate server: pools: default: diff --git a/mcp/salt-formulas/salt-formula-nova b/mcp/salt-formulas/salt-formula-nova deleted file mode 160000 index 539e9938e..000000000 --- a/mcp/salt-formulas/salt-formula-nova +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 539e9938e74f8a1ad19c2c1a653761df53bc24b7 diff --git a/mcp/salt-formulas/salt-formula-salt b/mcp/salt-formulas/salt-formula-salt deleted file mode 160000 index 262e8b0ba..000000000 --- a/mcp/salt-formulas/salt-formula-salt +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 262e8b0ba270baf46a3ad264a5acf3d6056b5cd3 diff --git a/mcp/scripts/docker-compose/docker-compose.yaml.j2 b/mcp/scripts/docker-compose/docker-compose.yaml.j2 index 5ee96a1fc..54315978e 100644 --- a/mcp/scripts/docker-compose/docker-compose.yaml.j2 +++ b/mcp/scripts/docker-compose/docker-compose.yaml.j2 @@ -25,6 +25,7 @@ services: - {{ conf.MCP_STORAGE_DIR }}/pod_config.yml:/root/pod_config.yml - {{ conf.MCP_STORAGE_DIR }}/base_image_opnfv_fuel_vcp.img:/srv/salt/env/prd/salt/files/control/images/base_image_opnfv_fuel_vcp.img - {{ conf.MCP_STORAGE_DIR }}/nodes:/srv/salt/reclass/nodes + - {{ conf.MCP_STORAGE_DIR }}/pki:/etc/pki - {{ conf.MCP_STORAGE_DIR }}/salt:/etc/salt - {{ conf.MCP_STORAGE_DIR }}/hosts:/etc/hosts hostname: cfg01 
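Review bot: The new bind mount `- {{ conf.MCP_STORAGE_DIR }}/pki:/etc/pki` in docker-compose.yaml.j2 moves the Salt master CA material onto the host filesystem, but nothing visible in this commit creates that directory or sets its mode. Docker will presumably create the missing source directory itself, leaving ownership and permissions at the daemon's defaults. I would create it explicitly next to the existing `mkdir -p` in `prepare_containers`, e.g. `mkdir -p -m 0700 "${image_dir}/pki"`, assuming `image_dir` there is the same path as `MCP_STORAGE_DIR` and nothing else on the host needs to read it. A comment on the volume line saying that it holds CA private keys would also help.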
diff --git a/mcp/scripts/docker-compose/files/entrypoint.sh b/mcp/scripts/docker-compose/files/entrypoint.sh index 08c17a2e6..c7f7f9118 100755 --- a/mcp/scripts/docker-compose/files/entrypoint.sh +++ b/mcp/scripts/docker-compose/files/entrypoint.sh @@ -18,6 +18,16 @@ if [ ! -f /home/ubuntu/.ssh/authorized_keys ]; then /home/ubuntu/.ssh/authorized_keys fi +if ! grep -q localhost /etc/hosts; then + # overwrite hosts only on first container up, to preserve cluster nodes + cp -a /root/fuel/mcp/scripts/docker-compose/files/hosts /etc/hosts +fi + +# salt state does not properly configure file_roots in master.conf, hard set it +cp -a /root/fuel/mcp/scripts/docker-compose/files/opnfv_master.conf \ + /etc/salt/master.d/opnfv_master.conf +echo 'master: localhost' > /etc/salt/minion.d/opnfv_slave.conf + # NOTE: Most Salt and/or reclass tools have issues traversing Docker mounts # or detecting them as directories inside the container. # For now, let's do a lot of copy operations to bypass this. diff --git a/mcp/scripts/docker-compose/files/opnfv_master.conf b/mcp/scripts/docker-compose/files/opnfv_master.conf new file mode 100644 index 000000000..7066f04bf --- /dev/null +++ b/mcp/scripts/docker-compose/files/opnfv_master.conf @@ -0,0 +1,16 @@ +file_roots: + base: + - /srv/salt/env/prd + prd: + - /srv/salt/env/prd + dev: + - /srv/salt/env/dev + - /srv/salt/env/prd + +user: root +file_recv: True + +open_mode: True + +peer: + .*: ['x509.sign_remote_certificate'] diff --git a/mcp/scripts/lib.sh b/mcp/scripts/lib.sh index b43686b7d..cc88f9b54 100644 --- a/mcp/scripts/lib.sh +++ b/mcp/scripts/lib.sh 
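Review bot: The comment above the new `cp -a ... opnfv_master.conf` in entrypoint.sh says it only hard-sets `file_roots`, but the shipped file also sets `user: root`, `file_recv`, `open_mode` and a `peer` rule. The file is also copied on every container start, unlike the guarded /etc/hosts copy just above it, so any local edit under the persistent /etc/salt mount is silently reverted on restart. I would reword the comment to say so, for example `# (re)install prebuilt master config on every start: file_roots, open_mode, peer x509 signing`. The script continues outside the hunk on both sides.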
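Review bot: In opnfv_master.conf the `peer` rule uses the key `.*`, so every minion may publish `x509.sign_remote_certificate`, and because `open_mode: True` turns off minion key verification, that means any host that can reach the master. The commit message says the rule is needed for the prx VCP nodes only. Narrowing the key to those minion ids, e.g. `'prx.*': ['x509.sign_remote_certificate']` (pattern to be adjusted to the real ids), keeps the feature while reducing who can ask the CA to sign. Whether a request is honoured still depends on the signing policy on the CA minion, which is not visible here, so that policy should restrict the allowed minions too. `file_recv: True` and `open_mode: True` each deserve a short comment stating that they are acceptable only on an isolated deployment network.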
@@ -493,15 +493,9 @@ function prepare_containers { docker-compose --version > /dev/null 2>&1 || COMPOSE_PREFIX="${image_dir}/" "${COMPOSE_PREFIX}docker-compose" -f docker-compose/docker-compose.yaml down - sudo rm -rf "${image_dir}/"{salt,hosts} "${image_dir}/nodes/"* + sudo rm -rf "${image_dir}/"{salt,hosts,pki} "${image_dir}/nodes/"* mkdir -p "${image_dir}/salt/"{master.d,minion.d} - # salt state does not properly configure file_roots in master.conf, hard set it - sed -e 's/user: salt/user: root\nfile_recv: True/' -e 's/auto_accept:/open_mode:/' \ - "${MCP_REPO_ROOT_PATH}/docker/files/salt/master.conf" > \ - "${image_dir}/salt/master.d/opnfv.conf" - echo 'master: localhost' > "${image_dir}/salt/minion.d/opnfv.conf" - cp "${MCP_REPO_ROOT_PATH}/mcp/scripts/docker-compose/files/hosts" \ - "${image_dir}/hosts" + touch "${image_dir}/hosts" } function start_containers { -- 2.16.6
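Review bot: The changed `sudo rm -rf "${image_dir}/"{salt,hosts,pki} "${image_dir}/nodes/"*` line in lib.sh expands to `/salt /hosts /pki /nodes/*` if `image_dir` is ever empty or unset, and it runs as root. Where `image_dir` is assigned is outside the hunk (prepare_containers starts above it), so I cannot tell whether that case is already excluded. Writing `"${image_dir:?}/"` in both arguments makes the shell abort instead of deleting from the filesystem root. The line now also wipes the persisted `pki` directory on every `prepare_containers` run, which presumably regenerates the CA on the next start; a comment saying that this is intended for clean redeploys only would help.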