Commit graph

1990 commits

Author SHA1 Message Date
Lucas Alvares Gomes
40197fa7f1 Follow up patch for 25d3ee5471
This patch is a follow up patch fixing some nits left by the review
25d3ee5471.

It does:

* Fix the README file to say that the password *must* be encrypted and
  the option values *must* be quoted

* Adds Type=oneshot in the upstart service config file so that upstart
  will not try to restart the service over and over.

* Enable setu, sete and setpipefail in the dynamic-login script

Change-Id: Iee5d75daef24469ccf47ca12de6ead37bf9d8d6f
2015-12-01 14:11:40 +00:00
Lucas Alvares Gomes
25d3ee5471 Add dynamic-login element
Troubleshooting an image can be quite hard, specially if you can not get
a prompt you can enter commands to find out what went wrong. By default,
the images (specially ramdisks) doesn't have any SSH key or password for
any user. Of course one could use the ``devuser`` element to generate
an image with SSH keys and user/password in the image but that would be
a massive security hole and very it's discouraged to run in production
with a ramdisk like that.

This commit is adding a new element called dynamic-login, which inserts
a helper script into the image to allow operators to inject a SSH key
and/or change the root password dynamically when it boots via parameters
in the kernel command line.

Those parameters are:

sshkey = If the operator append sshkey="$PUBLIC_SSH_KEY" to the kernel
command line on boot, the helper script will append this key to the root
user authorized_keys.

rootpwd = If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
kernel command line on boot, the helper script will set the root password
to the one specified by this option. Note that this password should be
an encrypted password.

Change-Id: I6b87a1b90163d79745f30dfacd37516051fa0aea
2015-11-20 17:02:54 +00:00
Jenkins
2ff566b80a Merge "Selectively prune /root for ironic-agent ramdisk" 2015-11-13 03:28:13 +00:00
Jenkins
5e571d9f44 Merge "Fixup RPM db path when building Fedora on Ubuntu" 2015-11-10 11:03:22 +00:00
Ian Wienand
3f3850aa0f Fixup RPM db path when building Fedora on Ubuntu
On Debian/Ubuntu installs of RPM, /usr/lib/rpm/macros sets

  %_dbpath  %(echo $HOME/.rpmdb)

which makes quite a bit of sense, because RPM is not the system
packager and thus RPM is setup to install things into a hierarchy in
the users homedir.

However, this messes things up when building a Fedora chroot on an
Ubuntu platform.

We use RPM & yum from the base-system to bootstrap the Fedora chroot.
While both obey --root flags, they still pick up the %_dbpath macro
and so end up creating the RPM database in <chroot>/home/user/.rpmdb

After we have bootstrapped yum/dnf, we execute further installation
commands from inside the chroot -- where we now have the Fedora
version of /usr/lib/rpm/macros and hence have _dbpath set to
/var/lib/rpm -- except there is no rpm database there.

Should anyone be finding this in the future, the actual issue that
appears is

  $ sudo chroot /opt/dib_tmp/image.b6B5S3f6/mnt dnf makecache
   Error: Failed to synchronize cache for repo 'fedora' from \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=x86_64': \
    Cannot prepare internal mirrorlist: file "repomd.xml" was not found in metalink

Note the issue there is that $releasever is not expanded, because the
rpmdb where this info is kept is not populated.

The trick is to make sure we override this value when using the host
rpm/yum to setup the chroot.  The bare rpm calls, which we use to
install the repos, have a --dbpath argument where we can override
this.  yum does not however, so we override this in the global
~/.rpmmacros while we are installing the packaging tools and
dependencies into the chroot.

Copious comments are included, because this is super-confusing.

Change-Id: I20801150ea02d1c64f118eb969fb2aec473476f7
2015-11-10 08:54:44 +00:00
Ian Wienand
8ee21cb9fd Remove unused RELEASE_RPMS variable
It was noticed during reviews of
Ic7aa8cbe13e4347b447e84bb9c12483a4e125228 these are unused

Change-Id: I9e0fa9d3e4864e54c6fe23f8b6e781e8d5d24bda
2015-11-10 07:17:52 +00:00
Jenkins
e90be5a595 Merge "Fix fedora-minimal kernel-install on older platforms" 2015-11-10 05:14:28 +00:00
Jenkins
6f21f47850 Merge "Clarify what fedora-minimal/install.d/99-ramdisk is doing" 2015-11-10 05:14:25 +00:00
Jenkins
3412ced2f0 Merge "dib-lint: ignore blank lines in element ordering" 2015-11-10 00:32:04 +00:00
Jenkins
484341c5ab Merge "Fix diskimage-builder image size" 2015-11-09 19:41:54 +00:00
Michael Johnson
590dce8dcc Fix diskimage-builder image size
This patch fixes the calculation of the resultant image size
when building an image with diskimage-builder on ext4 a
filesystem.

Prior to this, using the '--image-size 2' (2GB) setting would
generate an image that would not boot under a 2GB nova flavor.

Change-Id: I7a753bdef84c6300ccea73ae4a92bf330dcd77cb
Closes-Bug: #1513622
2015-11-09 16:20:18 +00:00
Jenkins
dfb40eb5aa Merge "Add --force to grub-install" 2015-11-09 07:14:13 +00:00
Jenkins
6f3185f251 Merge "Add missing six requirement for svc-map element" 2015-11-05 18:18:09 +00:00
Jenkins
8c42e60df5 Merge "Fix uniqueness check of initrd in fedora-minimal" 2015-11-05 03:36:13 +00:00
Martin André
8309df5f25 Add missing six requirement for svc-map element
Add constraint for versions >= 1.9.0 to be in line with global
requirements.

Change-Id: I91bcbfa00b1b03774d507dd5c9c5fcd1c4d809b4
2015-11-05 01:58:00 +00:00
Jenkins
63610993ed Merge "debian: cloud hostname ignored by Jessie" 2015-11-04 21:46:54 +00:00
Jenkins
29f42e2f15 Merge "Add support for Xen PV disks" 2015-11-04 21:07:25 +00:00
Jenkins
45928ab5d1 Merge "Add a tox target to run functional tests locally" 2015-11-03 20:56:02 +00:00
Jenkins
654d80a40f Merge "Define a default for $YUM" 2015-11-03 20:33:38 +00:00
Ian Wienand
f307bb4d8b Fix fedora-minimal kernel-install on older platforms
fedora-minimal fails to build on Ubuntu Trusty due do being unable to
find the initrd (see Id4c04d7ae20068643df34d2fa31068e8a917a52d).

This is a rather obscure problem that comes from the intersection of
several things.

The first thing to note is that the post-install scripts of the
kernel-core package use kernel-install [1].  For whatever reason, this
installs the kernel to /boot/MACHINE-ID/KERNEL-VERSION

MACHINE-ID comes from /etc/machine-id; a UUID that should have been
created by the systemd post-inst scripts with systemd-machine-id-setup
[2].

The chroot environment provided for root.d elements has no kernel
file-systems like /proc or /dev mounted.  This is where differences in
the base-system come into play -- on more recent systems that
implement getrandom() systemd does not need /dev/urandom to generate
the machine-id [3]; we get a value and /etc/machine-id is populated.

On older platforms (Trusty), systemd-machine-id-setup fails (unable to
access /dev/urandom) and we end up with a blank /etc/machine-id.  This
ends up making kernel-install (the script) fail during yum's
installation of kernel-core, which means the initrd is not installed
correctly.

We end up bailing out in fedora-minimal/install.d/99-ramdisk, where we
try to put the installed ramdisk in /boot for the later grub install
scripts to find.

The solution here is to mount the standard kernel file-systems within
the chroot before we try installing.

[1] http://www.freedesktop.org/software/systemd/man/kernel-install.html
[2] http://www.freedesktop.org/software/systemd/man/systemd-machine-id-setup.html
[3] https://github.com/systemd/systemd/blob/master/src/basic/random-util.c

Change-Id: Ibcce35da928f64e6a719b070bcc833346ee7ee92
2015-11-04 06:23:17 +11:00
Ian Wienand
a67ee17d62 Clarify what fedora-minimal/install.d/99-ramdisk is doing
Clarify what this script is doing.  It currently fails on some
platforms due to earlier errors, see
Ibcce35da928f64e6a719b070bcc833346ee7ee92

Change-Id: Id4c04d7ae20068643df34d2fa31068e8a917a52d
2015-11-04 06:23:17 +11:00
Martin André
d8a0e13261 Fix uniqueness check of initrd in fedora-minimal
The check suffered from various flaws.

First, due to missing quotes around $initrd, 'wc -l' would always see
1 line no matter how many results the find returned.

Second, echo adds a line break making 'wc -l' count 1 even for empty
string. We need to add a check for empty string.

Change-Id: Ib2c67960f566dbdc471d9585a4cef1beb1cc38ab
Closes-Bug: #1506692
2015-11-04 06:23:17 +11:00
Jenkins
449b4e205e Merge "Preserve env when calling yum with sudo" 2015-11-03 10:36:33 +00:00
OpenStack Proposal Bot
943ab4b88e Updated from global requirements
Change-Id: I93e693c255787272399d53d841627459e46e8974
2015-11-03 04:29:38 +00:00
Jenkins
ce16f9d38c Merge "Remove quotes from subshell call in bash script" 2015-11-02 21:07:20 +00:00
Jenkins
727b4cddf6 Merge "Prettyfy source-repositories doc" 2015-11-02 20:14:10 +00:00
Jenkins
40e9705655 Merge "Prettify 'Caches and offline mode' documentation" 2015-11-02 20:14:03 +00:00
Jenkins
2d826fb1f2 Merge "Prettify 'Developing Elements' documentation" 2015-11-02 20:14:00 +00:00
Jenkins
4d986ce3a5 Merge "Enable decimal value for $DIB_IMAGE_SIZE." 2015-11-02 20:13:22 +00:00
Antoine Musso
23be09ce35 debian: cloud hostname ignored by Jessie
5af25b5f fixed the hostname of Debian images to "debian" since a lack of
hostname definition set the hostname to "(None)".

It has been done by introducing /etc/cloud/cloud.cfg.d/01_hostname.cfg
with content:

  hostname: debian

Review supposed the hostname would be overriden by cloud meta-data. That
might have stand true for Wheezy but it is not the case for Jessie.

cloud-init 0.7.6 ignores cloud metadata whenever "hostname" or "fqdn"
are set in a config file. Roughly:

    # no fqdn set, get fqdn from cloud
    # get hostname from cfg if available otherwise cloud
    fqdn = cloud.get_hostname(fqdn=True)
    if "hostname" in cfg:
        # hashar: set from config file NOT cloud
        hostname = cfg['hostname']
    else:
        # fallback to cloud
        hostname = cloud.get_hostname()

Relevant code is
https://github.com/number5/cloud-init/blob/0.7.6/cloudinit/util.py#L839-L860

Only inject "hostname: debian" for the Wheezy release.

Bug: https://phabricator.wikimedia.org/T117283
Change-Id: I6e2522bd725cbf9651f11c76ecdc72ecbc92f402
2015-10-30 22:34:10 +01:00
Martin André
bc2199144e Selectively prune /root for ironic-agent ramdisk
Previously all files in /root were ignored when building the
ironic-agent ramdisk. This prevented for example to use the
local-config element to connect to the ramdisk via ssh as root user.

This commit change the exclude rule on /root to only ignore the
/root/.cache directory.

Change-Id: I18d839e8d97636f5f2164ba407f252407d9bc956
Closes-Bug: #1451668
2015-10-26 11:19:28 +09:00
Dmitry Tantsur
0e122e8e35 Add a tox target to run functional tests locally
Now 'tox -efunc' can be invoked to run all functional tests in
the 'venv' tox environment. Also `tox -efunc element-name` can be
used to run function tests for one element (e.g. ironic-agent).

Change-Id: Ia685d1b2a7deef2f8b98876ac09792134dd30f2f
2015-10-23 12:05:23 +02:00
Ian Wienand
94a7a7cf67 Create YUM_CACHE_DIR in yum-minimal
yum-minimal/root.d/08-yum-chroot runs before yum/root.d/50-yum-cache,
and thus if run on a completely fresh system will fail in
08-yum-chroot as the YUM_CACHE directory isn't made.

This is probably hidden by testing & nodepool builds, because it sets
DIB_IMAGE_CACHE.  It was hidden from me because locally I have done
builds using the "yum" element previously, which had created the
cache.

Change-Id: I333f5f7e67d198f75a522cc296c118c2e94a5ecb
2015-10-23 15:17:18 +11:00
Jenkins
9b45586f0e Merge "Use DIB_EPEL_MIRROR when finding the epel-release package" 2015-10-21 15:08:16 +00:00
Jenkins
48a9dd4d3d Merge "Fix tests/test_functions.bash" 2015-10-20 22:15:46 +00:00
Derek Higgins
0c0c7275a9 Use DIB_EPEL_MIRROR when finding the epel-release package
download.fedoraproject.org uses dns round robin and occasionally
hits a bad server. Using DIB_EPEL_MIRROR when finding the
epel-release package will allow us to avoid it e.g. in ci.

Change-Id: I756223b3e669532476663c05e79c238449b8a0db
2015-10-20 17:25:58 +01:00
Jenkins
b902189eaa Merge "Fix devuser pubkey defaults" 2015-10-20 01:41:16 +00:00
Jenkins
75d73ee379 Merge "Add flake8 to requirements" 2015-10-20 00:11:55 +00:00
Bob Ball
b5794f3665 Add support for Xen PV disks
Xen paravirtualised disks (supported by most modern kernels) have the
"xvd" prefix (e.g. xvda0).  The functions to strip partitions need to
match on Xen PV disks otherwise the device name is discarded.

Change-Id: I5539d2afba3fae30d1ddb49dcbf077113d38bbf7
Closes-Bug: #1498576
2015-10-19 15:38:00 +01:00
Gregory Haynes
757b8cee3b Add --force to grub-install
Grub fails to install the bootloader due to it being on the root
partition of a block device. This is not actually a problem for us, so
we need to force it to succeed.

Change-Id: I335ef04ca8a8a8a5c242d3444b09bcce0a9f51e7
2015-10-18 02:26:31 +00:00
Derek Higgins
63641aa2ce Preserve env when calling yum with sudo
In particular we need [http|https]_proxy to be preserved.

Change-Id: I5bcd1b1deac917a1be8d8155f1283e330e3d5862
2015-10-16 17:36:09 +01:00
Derek Higgins
614661ec5b Define a default for $YUM
This is set by elements that require it not to be yum.

Change-Id: Ie01f357eef382bd1549fbe2b911129a3c48818e0
2015-10-16 09:55:00 +01:00
Jenkins
21f5e6146c Merge "Reset yum/dnf cache to correct location" 2015-10-15 13:21:57 +00:00
Jenkins
2ed4c1d860 Merge "Remove extra install of release pkgs in fedora-minimal" 2015-10-15 04:01:08 +00:00
Jenkins
654fb0311d Merge "Update default fedora-minimal to f22" 2015-10-15 04:01:05 +00:00
Jenkins
98bbd432a9 Merge "Update rhel7 element readme" 2015-10-14 19:03:38 +00:00
Dmitry Tantsur
c49b733fef Fix tests/test_functions.bash
I am not sure why we didn't hit it before, but
1. The command is 'docker images', not 'docker image'
2. Calling 'docker rmi' requires a check on image presence

Change-Id: I127359043f975a25bb1bfad7469dfe01be67e2d9
2015-10-14 13:41:01 +02:00
Colleen Murphy
a6e6570102 Fix devuser pubkey defaults
Without this patch, the devuser element attempts to find public keys by
iterating over the string "rsa dsa". When two keys are grouped together
in quotes, a bash for loop treats it as a single key. You can see the
issue this causes when debug output is turned on:

   + for fmt in '"rsa dsa"'
   + '[' -f '/home/krinkle/.ssh/id_rsa dsa.pub' ']'

This is not a reasonably named key to look for, so this patch removes
the quotes so that the loop will look for id_rsa.pub and id_dsa.pub
separately.

Change-Id: I0b5b1abd14013de85d90e76a95918a8071a5e013
2015-10-13 17:54:09 -07:00
Ian Wienand
283c9705c0 Reset yum/dnf cache to correct location
Make sure we reset the yum/dnf cache to /var/cache/${YUM}, not just
/var/cache/yum

This was resulting in the F22 fedora-minimal image being larger than
the base-image.  Because F22 fedora-minimal does some installs with
dnf when bootstrapping the chroot before we set "cachedir=" to the
bind-mounted external cache, we have "/var/cache/dnf" created and and
populated with the package meta-data, etc.

When we globally point dnf to /var/cache/yum here, we effectively
orphan the /var/cache/dnf created in those first steps.  dnf doesn't
care, but we end up with two copies of all the package metadata, etc
in "/var/cache/dnf" & "/var/cache/yum".

This also cleans up the sed a bit, by just replacing the lines.

Change-Id: Icc98fe30c34cb941aed4b987647ab67ac34af15a
2015-10-14 06:36:06 +11:00
Ian Wienand
c40aa76d83 Remove extra install of release pkgs in fedora-minimal
I'm not sure why we try to do an extra install of these, it is done
inside the chroot in _install_repos.  Currently it just gets skipped
saying the packages are already installed.

Change-Id: Ic7aa8cbe13e4347b447e84bb9c12483a4e125228
2015-10-14 06:36:06 +11:00