Commit graph

68 commits

Author SHA1 Message Date
Ben Nemec
4e5dcdd9cf Clean more from ironic-agent ramdisk image
While we already clean a number of things off the ironic-agent
ramdisk, there are a few more significant ones that we should add
to the list.

First is the kernel source.  If you're rebuilding your kernel on
the agent ramdisk after the initial image build, then you need to
re-examine your life choices. ;-)

Second is /var/cache.  On yum-based distros, this contains a large
number of yum cache files that take up significant space.  We don't
really want to be copying around caches when booting a ramdisk
anyway, so cleaning this is the right thing to do regardless.

Third is all *.pyc or *.pyo files.  There are a lot of these, so
they eat up significant space and bloat the number of files in the
ramdisk, which makes it take longer to build.  The only purpose for
the files is to slightly speed up Python app startup, and we
probably lose more time transferring the files over the network
than we would gain in quicker start times.  Note that we were
already trying to remove these, but for some reason I was still
seeing them show up in my final images.  It makes more sense to
put them in the same pruning command as all the others anyway.

Fourth is /usr/include.  These are files only needed for
compilation.  See above for my thoughts on compiling in a ramdisk.

These changes have reduced the agent ramdisk from 391 MB to 333 MB
in my local centos 7 builds, and have reduced the number of files
in the ramdisk by over 18000.

Change-Id: I550f9904b9afd12d48da9ba24559acb23133d076
2016-06-24 13:21:32 -05:00
stephane
7eb72c0874 Ironic agent kernel should be owned by user building image
The initramfs file created by the ironic-agent element is
owned by the user running disk-image-create; ensure that
the other files created by the element are also owned by
the user.

Change-Id: I829db5b8e8bf1fc68face9cd2bda52d2a5ccdd4f
Closes-Bug: 1593010
2016-06-16 14:28:23 -07:00
Jenkins
5f4cac3303 Merge "Add a best-effort sudo safety check" 2016-05-26 17:31:00 +00:00
Jenkins
95c874abb9 Merge "Add dhcp-all-interfaces.target for syncing units" 2016-05-18 19:39:10 +00:00
Sam Betts
eb99fe7144 Add dhcp-all-interfaces.target for syncing units
Currently there is no way for a service to become aware that
dhcp-all-interfaces is finished configuring all the interfaces at
boot time. This causes problems for applications like the
ironic-python-agent which scans the interfaces when it first starts as
part of the inspection stage and can race against dhcp-all-interfaces
bringing up the interfaces, leading to inconsistent results.

This patch ensures that the dhcp-all-interfaces script runs before any
network interface is configured and brought up by the rest of the
system, and also ensures that the ironic-agent element also waits for
the network to be online before starting. This is done by using the
network targets provided by systemd.

Change-Id: Id9583b7f54361aa603a6229da598ad6a0f0f7938
2016-05-16 10:15:53 +01:00
vmud213
45628993e8 Do not remove sudo in ironic-agent
"ironic-agent" element is currently removing sudo, which breaks other
elements such as devuser.  There appears to be no security or other
reason to do this, it's just the way it has always been.  Leave sudo
in as it is considered part of the base cloud images.

Change-Id: Ida9b1885f745146071e4b2d85ae59341ac85d5c8
Closes-Bug: #1572486
2016-05-16 10:39:04 +10:00
Ian Wienand
672705831f Add a best-effort sudo safety check
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
rein inside the chroot (although there is still some potential there
for adverse external effects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accommodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00
Jenkins
4f6ce09385 Merge "Support to add certificate in ironic-agent" 2016-04-14 18:30:04 +00:00
Aparna
cd66aebf40 Support to add certificate in ironic-agent
This commit provides support to add certificate while
building the image using ironic-agent element. The
certificate can be CA certificate or self-signed certificate.

The certificate is set to the environment variable
'DIB_IPA_CERT' which in turn is used by the ironic-agent
element while building the image.

Change-Id: I648f7934d4787dcc3030885cfca771b642a9595e
2016-04-14 13:42:36 +00:00
Jenkins
792036ec62 Merge "ironic-agent postinst fails on systemd with no iptables" 2016-04-04 19:35:42 +00:00
Jenkins
fd806e9f42 Merge "Set tgtd not auto-start on OS boot time." 2016-04-02 16:28:43 +00:00
Jenkins
f80aff3645 Merge "ironic-python-agent should use console output" 2016-03-31 23:54:23 +00:00
zhangjian
fd7ccf97ee Set tgtd not auto-start on OS boot time.
Tgtd starts automatically after the OS boots up and listens on port 3260,
which causes lio to fail to bind the same port later.
This patch removes the auto-start script of tgtd.

In IPA service, lio or tgtd would be used to create iscsi target.
If tgtd is chosen, IPA will start tgtd before iscsi setting.
If lio is chosen, tgtd would stay not running.

Change-Id: Ic62055ac2f9252df832739631bfcbabfac0f9c4e
Closes-Bug: #1554987
2016-03-29 06:29:38 -04:00
stephane
dd7648277f ironic-agent postinst fails on systemd with no iptables
Where the base install for the image uses systemd but
the iptables service is not present, the postinstall
script for the ironic-agent element can fail. This is
due to 'systemctl disable iptables.service' returning
an error status when the service isn't present. Check
whether the service is enabled using 'systemctl
list-unit-files'.

Change-Id: I8069b062a27caead4097747d7aeae24a5262e117
2016-03-21 19:27:57 -07:00
Gregory Haynes
6f542c7c32 ironic-python-agent should use console output
It is standard for IPA to log to the console for easy debugging by
watching the server console.

Change-Id: I2beb75a99824f0cf1ec88d0ecb54baa4e73f6f15
2016-03-21 20:31:31 +00:00
Nisha Agarwal
55ea2b5633 Add psmisc to the packages for ironic-agent
This commit adds 'psmisc' and 'dosfstools' to the required
packages for ironic-agent element which in turn
installs ironic-python-agent and ironic-lib.
The ironic-lib requires the fuser command to be executed,
which needs the package 'psmisc'. Similarly mkfs with
'vfat' requires 'dosfstools' package.

Closes-Bug: 1554075
Change-Id: If421f2394c34bb938813d0e15e5085d093215921
2016-03-21 00:01:57 -07:00
Jenkins
9c5cd224a5 Merge "Add lshw package to ironic-agent" 2016-03-20 15:08:03 +00:00
Moshe Levi
9074f5f1fc Add lshw package to ironic-agent
This patch adds the lshw utils to allow the agent
to retrieve the vendor name. It also keeps the
/usr/share/misc/pci.ids file for Ubuntu distro.

Change-Id: I2828a7e585449f63887ad5a2e338b4e043d68e63
2016-03-09 12:54:57 +02:00
Jenkins
de4d0392d5 Merge "Install IPA in a virtual environment" 2016-02-26 16:23:37 +00:00
Lucas Alvares Gomes
006b3e6228 Install IPA in a virtual environment
In order to avoid conflict with installing dependencies for IPA from
pypi and distribution packages, this patch proposes installing IPA in a
virtual environment.

Closes-Bug: #1506792
Change-Id: I6a4c6403813d86f4110e98449ddd874109101b9e
2016-02-16 11:17:12 +00:00
Ian Wienand
b960614c9c Don't remove python3 & grubby in 99-remove-extra-packages
python3 is a hard requirement of dnf so can't be removed [1]

grubby is also required for kernel installs on Fedora.  For too much
detail see I1a6e45d04755515286b3d49f8280c16b527e2f48; but the kernel,
via dracut, now has this as a "recommends" due to people removing it
and making unbootable systems.

[1] http://logs.openstack.org/76/248976/2/check/gate-dib-dsvm-functests-devstack-f21/734c8bd/console.html

Change-Id: I5867ecd57834eece9477aa9ea4b8bdd70e238084
2016-02-16 13:40:01 +11:00
Jenkins
9e16c8c5f1 Merge "Use dnf to cleanup old kernels" 2016-02-15 22:56:12 +00:00
Dmitry Tantsur
1f9e669dbc Do not remove python-dev from ironic-agent image
While it does save 1MiB of space, it might also pull python packages
depending on it. E.g. it makes it impossible to install python-hardware
on the IPA image for advanced introspection.

Change-Id: Iab80dde63e6de62a5e45dcf404b4f9f633e50ac3
2016-02-11 13:47:31 +01:00
Ian Wienand
cb0e0e903d Use dnf to cleanup old kernels
As described in the comment, there is a dnf equivalent of this command
that doesn't require us installing yum-utils (which drags in yum on
dnf-only systems such as f23)

There is a small consequence to this -- due to us not installing
yum-utils some installs will now be completely yum free.  This causes
a breakage in ironic-agent 99-remove-extra-packages where we remove
the yum package.  There is a long-standing bug/feature where missing
packages in a group of packages do not cause yum/dnf to exit with
failure, but uninstalling a single package will.  Because we have made
the systems yum-free, the uninstall of yum can fail in this corner
case.

It has always been like this, so I'm in favour of the "ain't broke"
approach.  To work-around this, I have just put yum into the existing
list of packages to be cleaned up.  I have added a note to the yum
installer taking note of this behaviour for future reference.

Change-Id: I8bbdc07ccdb89a105b4fc70d5a215077c42fcd03
2016-02-08 14:20:56 +11:00
Paul Belanger
b7f6527a0e Remove zero length files
This is to aid with Fedora packaging, since rpmlint complains about
including empty files.

Change-Id: I4ad867cd21304880a571e46805ab56044542400c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-01-20 19:08:54 -05:00
Jenkins
a95b96f57f Merge "Use ironic-agent for source-repositories" 2015-12-09 23:18:58 +00:00
Dmitry Tantsur
901344ef7c Add kmod to package-installs of ironic-agent
The modprobe utility is required by the rtslib package (iSCSI Linux-IO).
It will also be required for inspection.

Change-Id: I6760c86160d1ceba45aedde62597a711bcb4543d
2015-12-09 14:27:21 +00:00
Dan Prince
d9dc8f1334 Use ironic-agent for source-repositories
I recently built a ramdisk for IPA and was confused by
the fact that the source-repositories name did not
match the element name. (this is a convention,
confusing when they don't match but certainly not
required).

This patch makes it so you can use DIB_REPOREF_ironic_agent to
customize the IPA ramdisk sources when building ramdisks.

For backwards compat if DIB_REPOREF_agent is set it automatically
sets the new DIB_REPOREF_ironic_agent to that value as well.

Change-Id: I082d989d0d85601f5984dc7c3767b8d66a3d5438
2015-11-22 15:03:31 -05:00
Martin André
bc2199144e Selectively prune /root for ironic-agent ramdisk
Previously all files in /root were ignored when building the
ironic-agent ramdisk. This prevented, for example, using the
local-config element to connect to the ramdisk via ssh as root user.

This commit changes the exclude rule on /root to only ignore the
/root/.cache directory.

Change-Id: I18d839e8d97636f5f2164ba407f252407d9bc956
Closes-Bug: #1451668
2015-10-26 11:19:28 +09:00
Derek Higgins
bdcd03d604 Avoid transcending /proc with find
Find doesn't like listings disappearing while it's trying to find them,
in this case if a PID directory disappears while find is running. Using
-xdev prevents find from going into ./proc and as a side effect /dev
will also be avoided which is mounted on boot so not needed either.

Change-Id: Iaa282e58d81d533ad4445da0a44200dd14bf0850
Closes-bug: #1502142
2015-10-08 12:16:23 +01:00
Jenkins
ea94034331 Merge "agent: ensure vmlinuz file does not exist before hard-linking into it" 2015-10-05 20:56:09 +00:00
Derek Higgins
68856c6006 Restrict search for python object files to ./usr
Traversing the /proc filesystem causes find to error if it changes
while it's being searched.

We have had a lot of ci failures on this find command since it was
added in Ibe40e6b8b884f37e3b5aeab6e7654593bcd63123

Change-Id: Ia8cfc923cce749a69d5108e588db2360238d866c
Closes-Bug: #1501949
2015-10-02 10:36:05 +01:00
Jenkins
5d8ab5a333 Merge "Install 'gdisk' when building ramdisk with ironic-agent" 2015-09-30 21:03:03 +00:00
Dmitry Tantsur
afda063697 agent: ensure vmlinuz file does not exist before hard-linking into it
Otherwise on rebuilding the agent the following error is produced:
    failed to create hard link /home/stack/ironic-agent.vmlinuz
and the vmlinuz file is not updated.

Change-Id: I2015da889c932a854727235b1e34256a28e9eac6
2015-09-30 11:37:28 +02:00
Jenkins
8e3f01fe82 Merge "Add functional test for ironic-agent on Fedora" 2015-09-29 22:23:09 +00:00
Gary Duan
398494568a Contains the directory name of /sys and /proc
When an ubuntu/IPA ramdisk is used to boot a baremetal machine with
ironic agent-ilo driver, it fails at the point of mounting /proc
and /sys. After the vmlinuz (kernel) is started, it tries to
load the partitions on the ramdisk. It needs the directories "/sys"
and "/proc" to mount the corresponding filesystems.
In order to fix this issue, the directories of "sys" and "proc"
are retained but the subdirectories or files under them are empty.
With this change, the directories of "/sys" and "/proc" show
up in the ramdisk and the kernel will mount sys and proc filesystems
on them respectively.

Closes-Bug: #1488445
Change-Id: Iad5d62f373b73789118f23db4c932ea6e9a784c3
Signed-off-by: Gary Duan <duanlg@live.cn>
2015-09-25 16:51:44 +08:00
Shivanand Tendulker
cbd3a55d09 Install 'gdisk' when building ramdisk with ironic-agent
ironic-agent requires expect to be installed for config drive
creation and hence this commit adds it.

Change-Id: Ie1c0f488f416b4c373aa7f38dfd8df1917cd6be2
Depends-On: Ib4dd8c082a50e1dbaf0df91477b062716cb780ff
Closes-Bug: #1486967
2015-09-24 06:25:10 -07:00
Jenkins
626bf5d68e Merge "ironic-agent element to output a .kernel file" 2015-09-24 13:13:41 +00:00
Jenkins
bbea877f2c Merge "Remove dnf workaround in ironic-agent" 2015-09-24 11:01:30 +00:00
Jenkins
55a885b258 Merge "ironic-agent: remove python object files" 2015-09-24 10:13:09 +00:00
Lucas Alvares Gomes
ba808fa6ec ironic-agent element to output a .kernel file
The ironic-agent element is created using the disk-image-create utility
(even being a ramdisk) and outputs a .vmlinuz file for the kernel
(different than the ramdisk-image-create which outputs a .kernel file
for the kernel). This is inconsistent and makes scripting against the
diskimage-builder more complicated if one wants to support different
types of ramdisk.

This patch creates a hard link for the .vmlinuz file to a .kernel file
at the end of the process (to keep backward compatibility) and prints a
deprecation message.

Depends-On: I81400305f166d62aa4612aab54602abb8178b64c
Change-Id: I476f9ec9ec4206ece0261eaaf2b4182c6bcbd802
Closes-Bug: #1482606
2015-09-23 19:02:54 -04:00
Dmitry Tantsur
46dcaaedfc Add functional test for ironic-agent on Fedora
Added support for ramdisk-type elements in tests/test_functions.bash
Elements are distinguished by element-type file in a test element.
Note that ironic-agent ramdisk is built with disk-image-create.

Change-Id: I4759859e7f3c004c2d00e7318729602e6c3c4d95
2015-09-22 14:50:17 +02:00
Dmitry Tantsur
4f8d5d0439 Remove dnf workaround in ironic-agent
Now that we use dnf mark, it's no longer needed.

Change-Id: I0ed8176f7ab5122fbddd37e3ce1584091f0a3cc2
2015-09-21 13:13:19 +02:00
Dmitry Tantsur
79ffe86e34 ironic-agent: remove python object files
Makes the compressed ramdisk 2MiB smaller

Change-Id: Ibe40e6b8b884f37e3b5aeab6e7654593bcd63123
2015-09-21 13:10:47 +02:00
Dmitry Tantsur
2641fe0143 Install ironic-agent dependencies via package-installs
Some were still installed in shell scripts.

Change-Id: I96c55274c764fa04dc00863dcff3677fe9603d2a
2015-09-21 13:10:30 +02:00
Jenkins
b2fd0f3ad7 Merge "[ironic-agent] Use svc-map for enabling agent" 2015-09-03 15:05:24 +00:00
Dmitry Tantsur
5f68750b4b ironic-agent: ensure dmidecode and ipmitool are installed
Currently they are used for inspection, but may be also used for
other purposes, as they're accessed from IPA generic hardware layer.

Change-Id: I32c6a711d466131b9445023812a2a260ed2e01f3
2015-09-01 17:39:51 +02:00
John Trowbridge
109e02b1ce [ironic-agent] Use svc-map for enabling agent
Switch to using svc-map element for systemd based agent.

This allows both .deb and .rpm installs to share the
element for systemd based installs. There are not any
plans to package a .rpm package for upstart or sysv, so
these are left as is.

Change-Id: Idca7ad97355cae785162989774a7e6dea6fdc5b5
Closes-Bug: #1490584
2015-09-01 07:12:52 -04:00
Julia Kreger
51816f7dba Fix ironic-image pkg-map
Fixing the ironic-agent pkg-map by adding missing commas. Validated
updated form passes json linting. Also includes a listing for curl.

Change-Id: I1983f7a581be3a5aaa771b19c6609cf12b61a7bb
Closes-Bug: #1488969
2015-08-27 15:40:19 +00:00
Jenkins
0035b1440e Merge "Reduce the size of the ironic-agent ramdisk" 2015-08-24 16:52:14 +00:00