Because environment files are sourced into the current environment,
they shouldn't be setting global settings like tracing else they
affect every preceeding import. This is quite confusing when only
half your imports are traced in the logs, because it was either turned
on, or off, by a preceeding environment import.
There is a corresponding dib-run-parts change in
I29f7df1514aeb988222d1094e8269eddb485c2a0 that will greatly increase
debugability for environment files by deliberately logging what files
are sourced and consistently turning on tracing around their import.
This isn't strictly necessary (since dib-run-parts with the prior
change will just turn tracing off after import anyway) but it's a
decent cleanup for consistency. A bare-minimum dib-lint check is
added. Documentation is updated.
Change-Id: I10f68be0642835a04af7e5a2bc101502f61e5357
We are running into race conditions with glean, which ssh-keygen -A is
not handling properly. So, create a new script to first check if the
file exists, then use 'yes' to disable overwriting of existing files.
Change-Id: Ie82e1e3f832fcc8f32c7e1335c5f0ee16d36f9a8
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Theres a pretty standard workflow for setting a sysctl value which will
be applied on image boot which was written by tripleo. Lets move this in
tree as other folks (like Octavia) would like to depend on it.
Change-Id: I3c266870d417cdba3196f5fa65c4cd634ab13173
cloud-init-local needs to be run in the boot runlevel because it
modifies services in the default runlevel. When a runlevel is started
it is cached, so modifications that happen to the current runlevel while
you are in it are not acted upon.
Change-Id: Ifeae0071fc9e738ec223ec0df271559ad6e0196b
Add a new opensuse-minimal element to build small and highly
configurable openSUSE based images using the zypper-minimal element
as the main building mechanism
Change-Id: Iebfc4ad4aff763e511b093f1607b55851ccbddcb
All SUSE-based elements can benefit from the mkinitrd phase to move it
to a more generic location.
Change-Id: Ife171d462a393b6ac0bf2c5eaa48ea25eaf4d1cc
Since http://httpredir.debian.org is unreliable is selecting a mirror
to use, we'll now default to http://ftp.us.debian.org/debian. In
fact, in openstack-infra we have been overriding httpredir.debian.org
for a while, now make this default in diskimage-builder.
Change-Id: I48658bc076e13a0913821197e4120c73618fef8f
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Move the opensuse utilities to the zypper element so they can be used by
SUSE or zypper based elements. This brings the zypper element somewhat
in line with the rest of the package manager elements.
Change-Id: I8aa2849231454216cdd47629a5e2d6e45769dbbe
Depending on the pool id used, so many repos are brought,
including not valid ones that cause image to crash, or repos
that include conflicting packages.
Before enabling repos, disable all previous ones, so we
can be sure that we only bring the repos specified in the
parameters.
Change-Id: Ifd4d8d1d4fa954cd2593669e516e3201f2d6f6c1
Move managing of SSH host keys into a dedicated element.
Because glean doesn't generate SSH host keys anymore, we need to do it
with a systemd script. This is already handled by CentOS / Fedora so
we don't want to add it there.
This was done to address the upstream bug in debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500192
Change-Id: I31ad667672e08350872db21a83445fe0aa7a4a39
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Grub is first removed and then installed during RHEL image building. The
grub2 package typically requires the same version of grub2-tools, so if
we just remove and install the grub2 package, the installation can
potentially fail on being out of sync with grub2-tools version. Removing
and reinstalling both packages fixes this issue. Those packages are
already in package map for RHEL as "grub-pc", so we can use this alias.
Change-Id: Iefd9c17fffd43de3fea260510ad218b1322eecb3
Closes-Bug: #1627000
We are currently wasting about 10 minutes per deploy waiting for
DHCP on interfaces that will never get it. By default, the timeout
seems to be 5 minutes (the 10 minutes is because we boot both the
IPA ramdisk and the deployed image, and each waits for 5 minutes),
which is excessively long to get a DHCP response. This change
shortens the time to 30 seconds. If an interface hasn't gotten a
response in 30 seconds, chances are it's not going to. A 30
second wait should reduce our wasted time to 1 minute, which is
more reasonable.
This is being done in the systemd unit file because the -timeout
option to dhclient doesn't seem to override what is configured in
dhclient.conf, and doing it in the systemd file means that this
change will be limited to only the interfaces configured by
dhcp-all-interfaces.
Change-Id: Ia8610e3def39c937eb0c861fdc9bc571ec39f9f4
Closes-Bug: 1626673
Because we are using the building platform's "yum" to do the initial
install into the chroot, it is affected by the base-system's
/etc/yum.conf.
pip-and-virtaulenv in I82acb865378a0fa5903a6267bfcee0e2962eced0 added
"exclude=python-pip..." in /etc/yum.conf to stop the package manager
overwriting the installed pip. Now our CI images have built with
this, we are now picking up this exclude on centos. Since on F24
dnf->python->python-pip we end up failing to build the the chroot
because python-pip can not be satisifed. In a general sense, however,
this could be caused by any configuration put into /etc/yum.conf that
is incompatible with installing into the chroot.
yum has the option to disable all excludes which is used here. This
seems to be the best way to isolate the chroot install from any
excludes that may have been done on the base system for various
reasons. I did consider using a completely separate yum.conf we ship
with dib ... but let's start simple.
This should fix the current gate failures on centos
Change-Id: I4e4cc8ed09a29c4057ade34ea93025139e191bf5
yum-minimal installs selinux but not libselinux-python, which makes
interacting with the node from ansible hard fail. Add it.
Change-Id: I403e7806ae10d5dd96d0727832f4da20e34b94c7
Add support for new openSUSE Leap releases. Moreover, document
common environment variables and remove old note.
Change-Id: I8cf0b215cb4d9231e5658d49e3fd598dfbb5fd37
The previous commit removes dkms from the base element, which
means the centos elements should no longer have a dependency on
EPEL. Therefore, we should not hardcode the epel dependency. It
can still be included in image builds as desired by using the epel
element explicitly.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Change-Id: Iceff0d5bedd9816adfd2990970e7c216b67b6bd0
The use of dkms in base was actually removed long ago in
Ic2c345bf9f0738dadae611194e263d3a5d424a3e and it is creating an
unnecessary dependency on EPEL for the centos elements.
Change-Id: Iae3100471e50a9c39f40b450f087192918ae54b3
This fix add need kernel module for Infiniband and ConnectX-4+ network
cards.
Also install by default required user space packages.
Change-Id: Ia2e7b1820f197778138a23fafaccb5a4fb44369a
On systemd-based operating systems that don't
use /etc/sysconfig/network-scripts
dhcp-all-interfaces configures 'lo' for dhcp.
This causes errors and fails networking.target
causing system-wide issues. This change excludes
'lo' at dhcp-all-interfaces udev rules level.
Closes-bug: #1621501
Change-Id: I7563b766827bedbea7ae1de35e5bdfcbf1fc0d1e
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
Dependency to start network-pre (which
depends on network.target) before
dhcp-interface@.service collides with
Ubuntu's own network.target that suupose
to start after network-pre.
Change-Id: I9e59c970bfb1ebdaa15b4ec6b545761ede3ca056
Closes-bug: #1619816
It is possible and often desired to install glean from a source
repository when using the simple-init element. Document the process for
doing this.
Change-Id: Ie7c690406b14aae07d73261879b7ce8a2ed9dd8d
IPv6 privacy extensions can cause issues by preferring a temporary
network over a public one. This preference may limit connectivity
in certain situations. An example of a connectivity issue can be
seen where the command ``traceroute6`` fails or misses all hops
while other traffic to a given domain with a "AAAA" record may
succeed. To resolve this issue the IPv6 privacy extensions have
been disabled.
Change-Id: I62b9d6301b9e8b8e93b49cecbc96334ceea92fa5
Related-Bug: #1068756
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Currently, ironic-python-agent is installed without using an
upper-constraints.txt file.
This commits ensures ironic-python-agent is installed using
upper-constraints.
Change-Id: I6be6cfc012941e2cc9996717cba39b5415b85e14
Closes-Bug: #1616554
Explain difference between 'DIB_OFFLINE' and
'DIB_DEBIAN_USE_DEBOOTSTRAP_CACHE'
Those variables are not redundant,they hava different effective ranges.
However,some people may be confused about this and reported a bug.
So,this difference should be writen in the README file.
Closes-Bug: #1506275
Change-Id: Ie5316de41d129bf98781708954f09ef0b2592b53
Currently we update portage whenever we could need it. Instead we
should update portage only if we actually need to. This update adds a
check to do so.
Change-Id: Ifdb27fd844b0b3a169ced945ac7ee0ddc235e9ec
Gentoo has updated it's grub ebuild to default to the upstream
recommended installation parameter of grub-mkconfig instead of our
default multislot installation of grub2-mkconfig. Update the command
line parameter so that it works with both.
Change-Id: I359b44338a4f76af7c026f5cad212e6dc3dbf2b3
It's possible this is run form an environment where $USER isn't set,
properly fallback to whoami in this case.
Change-Id: I1181f714c3c456ee264b34d282bac5c0adb67a0e
Even though this file ends up in the /tmp directory, for readability
it's good to point out that server.pem is not necessarily the
certificate for a server, but can be a CA certificate which is
trusted if this option is used.
Change-Id: Iea27a702a844456e4472957438f75ed3819d62ca
For some use cases, it can be useful to keep all the kernels
and not just keep the latest one. Add a parameter that allows
it, and continue cleaning up kernels by default.
Change-Id: Ia6e6c1fa18e3724c1eb89226151d81e9e748b793
Kernels are built with auditing support, and without the audit deamon
logs bubble up to spam the console and /var/log/messages. This
package contains the audit daemon that catches these messages.
Change-Id: Ie3e216bab33b27f2d67a9379ddc3e89d66449251
Sometimes the secure_path option value in /etc/sudoers is surrounded by
quotes, in this case the current command creates an invalid entry and
it's not possible to sudo anymore.
This fix adjust the sed command to deal with possible quotes
Change-Id: Ifd6f9e29b3c0d04d6f65d3f55524ad202fb3294e
Optionally remove portage files, so that we can cache package and
keep the portage directory around, specifically for nodepool.
This also adds a section to the Gentoo readme about the variable
and renames the 00-gentoo-distro-name environment file to a more
appropriate name of 00-gentoo-envars.
Also brought up was the location of the gentoo-releng.gpg file,
this has been moved and the refrencing paths updated.
Change-Id: I20c91b36082828faa1ca481585acc5f9933211e1
Since the ironic-agent element builds the ramdisk and extracts the
kernel itself, there's no need to actually generate an image at the
end of the process. Previously the unnecessary image was being
deleted, but this wastes a bunch of time compressing and converting
the image. It's better to just not create the image at all.
This change adds a noop element called no-final-image that
disk-image-create looks for in the element list and, if found, will
cause it to skip the final image generation. This is more flexible
than the previous ironic-agent-specific method that would have
required changes to disk-image-create for every element that wanted
to behave similarly.
Note that this cannot be done using an environment variable, because
element environments.d entries do not propagate out to
disk-image-create. It also doesn't make sense as a user option
because it should be set by the element author, not the user.
Change-Id: I168feb18f0d578b3babbe4784d3ef75e755e1ebd
Most of the time,no useing no_proxy is ok,but sometime this will cause problem.
Add no_proxy here will increase the robustness of the program .
Change-Id: I976e689760d2e6de9e2081fcdee4f71299e8470e
The proliant-tools element was missing a few
dependencies which were stopping it from
building correctly.
Change-Id: Ib7159a0baa7932d1571272cefffaf01d60e9debc
Closes-Bug: #1590176
This patch solves three issues with Debian packaging / apt:
o When building 'testing' only default apt sources is
included - backports, updates and security are skipped because they
do not exists.
o The default release for Debian was `unstable`: this is now fixed to
`stable`.
o Starting a Debian Stretch VM that was build with diskimage-builder
does not work, because some mandatory packages are missing.
This patch fixes this problem: it adds the mandatory packages and
the test case.
Change-Id: If49b5b162c4da1e074e9b19324839bc59d87dc57
Signed-off-by: Andreas Florath <andreas@florath.net>
We should be doing more to ensure initial configuration during
configuration. Taken from the steps done by [1], here we set
locale.conf and a general timezone.
The only reliable UTF8 locale is en_US.UTF-8; we don't want to use C
locale as it causes havoc with things like python3 and unicode. We
set locale.conf to this.
For Fedora 24 ensure we install the en_* locales too (this is really a
bug separate to this -- when you log in, by default ssh tries to copy
over your locale env variables, so logging into a F24 system would
result in using invalid locales for the most common en_* cases).
While we are here, setup a timezone link. It turns out infra puppet
overwrites this later, but at least we have a sane default.
[1] https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html#
Change-Id: Ib8951a97f1772bc5228c682e88628ff53400a923
This reverts commit a645fa4ffb.
It is really devstack causing problems here; it was removing the
python-virtualenv package & re-installing using pip (see depends-on).
This failed because the pip-install we did here removed the egg-file
that rpm expected to be there, so rpm bailed out on the removal.
But even if it worked, this just leads you back down the path of the
original problem; that the system packaged version can be re-installed
and overwrites the pip installed version. Thus I still believe this
is the correct thing to do in the dib element.
Note it is not a common problem (devstack aside); most jobs don't
touch python-virtualenv & related packages (the one we did notice this
on was being brought over from travisci where it was required for some
reason).
Change-Id: I82acb865378a0fa5903a6267bfcee0e2962eced0
Depends-On: Ib0edf6c4ee8a510e9d671213de35d787f56acfed
"visudo -c" should be run after the sudoers file has been edited. This
will ensure that the file is still syntactically correct, and exit 1 if
it isn't. Otherwise, obscure errors can occur later on, and it is
difficult to track them back to this script as the source of the error.
Change-Id: Id0e5114d72c0779952a0c2c2c06696929c6c8b17
Icf8a075224833fcfbbe2128e8802ff41c39f3c09 looked rather ugly, and it's
easy for us to expand the processing done in the arch list.
Change "arch" to a comma-separated list of architectures that should
match for install.
Add a "not-arch" list which will exclude the package from installation
on those architectures. (An aside -- I considered making it just he
one list with foo,!bar,moo but ! has special meaning in YAML, so it's
easier to have two lists).
$ ARCH=ppc64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep dmidecode
$ ARCH=ppc64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep lshw
"lshw",
$ ARCH=amd64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep lshw
$ ARCH=amd64 package-installs-squash --elements ironic-agent --path=./elements/ /dev/stdout | grep dmidecode
"dmidecode",
Change-Id: Ic69dd02a09e6f3ba9078a2377d8df29871a20db2
Other fedora/centos elements can use the YUM variable, already set in
some base elements (fedora, centos-minimal). This commit also exports it
for centos/centos7.
Set a fallback value in pip-and-virtualenv element.
Change-Id: I681d77b924be035c81043bb34c72ec5f859e7108
Closes-Bug: 1598087
While we already clean a number of things off the ironic-agent
ramdisk, there are a few more significant ones that we should add
to the list.
First is the kernel source. If you're rebuilding your kernel on
the agent ramdisk after the initial image build, then you need to
re-examine your life choices. ;-)
Second is /var/cache. On yum-based distros, this contains a large
number of yum cache files that take up significant space. We don't
really want to be copying around caches when booting a ramdisk
anyway, so cleaning this is the right thing to do regardless.
Third is all *.pyc or *.pyo files. There are a lot of these, so
they eat up significant space and bloat the number of files in the
ramdisk, which makes it take longer to build. the only purpose for
the files is to slightly speed up Python app startup, and we
probably lose more time transferring the files over the network
than we would gain in quicker start times. Note that we were
already trying to remove these, but for some reason I was still
seeing them show up in my final images. It makes more sense to
put them in the same pruning command as all the others anyway.
Fourth is /usr/include. These are files only needed for
compilation. See above for my thoughts on compiling in a ramdisk.
These changes have reduced the agent ramdisk from 391 MB to 333 MB
in my local centos 7 builds, and have reduced the number of files
in the ramdisk by over 18000.
Change-Id: I550f9904b9afd12d48da9ba24559acb23133d076
Fedora 24 has split locales into separate packages. Testing revealed
what is possibly a bug in the choosing of default packages, so add a
small work-around to ensure the minimal locale pack is installed.
This appears to be the only change required for fedora-minimal with
Fedora 24; at least to build with the project-config infra elements.
Change-Id: I64438c34c572ed96211384ae1bfb45b2949e4318
This does not need to be the last finalise step, and some late finalise
steps can disable the network (for example, Octavia amphora DIB cleans
resolv.conf at 99) Moving it to 60 also aligns it with rhsm-unregister
rhel6 element, and still allows to run subscription-manager steps
before.
Also fix an unbound variable error that appeared when both
BASE_IMAGE_FILE and DIB_CLOUD_IMAGES are unset.
Change-Id: Icb0e20b01479fea345e01309fc4bf3f7f639900c