From 3dc8d73be9302bab7160993a07d801789177d91a Mon Sep 17 00:00:00 2001 
From: Marjorie Middleton Date: Mon, 5 Aug 2019 20:50:58 +0000 Subject: [PATCH] Initial Commit of compute-utility container code Utility containers shall act as an interface to an Airship environment and shall enable them to perform routine operational and debugging activities. Utility containers shall enable Operations to seamlessly support Airship environment without exposing secrets and credentials, and at the same time restricting the access to actual containers. The compute-utility container permits access to services running on each compute node. Services include ovs, libvirt, ipmi, perccli, numa and sos. Change-Id: I389b6f62f8abbd665960a2fd4de880f0f5380c2a --- Compute_Utility_Readme | 121 +++++++++++++ .../compute-utility/Dockerfile.ubuntu_xenial | 19 ++ Dockerfiles/compute-utility/Makefile | 37 ++++ Dockerfiles/compute-utility/build.sh | 16 ++ compute-utility/Chart.yaml | 20 +++ compute-utility/requirements.yaml | 18 ++ .../templates/bin/_bootstrap.sh.tpl | 19 ++ compute-utility/templates/bin/_start.sh.tpl | 32 ++++ .../templates/bin/_utilscli-sudo.tpl | 16 ++ .../bin/utility/_compute-utility-rootwrap.tpl | 53 ++++++ .../templates/bin/utility/_compute.tpl | 53 ++++++ .../templates/bin/utility/_utilscli.tpl | 17 ++ compute-utility/templates/configmap-bin.yaml | 66 +++++++ .../templates/configmap-etc-client.yaml | 30 ++++ .../templates/configmap-etc-sudoers.yaml | 27 +++ .../templates/deployment-utility.yaml | 169 ++++++++++++++++++ compute-utility/values.yaml | 151 ++++++++++++++++ install_compute_utility.sh | 18 ++ zuul.d/compute-utility.yaml | 36 ++++ 19 files changed, 918 insertions(+) create mode 100644 Compute_Utility_Readme create mode 100755 Dockerfiles/compute-utility/Dockerfile.ubuntu_xenial create mode 100644 Dockerfiles/compute-utility/Makefile create mode 100755 Dockerfiles/compute-utility/build.sh create mode 100644 compute-utility/Chart.yaml create mode 100644 compute-utility/requirements.yaml create mode 100644 
compute-utility/templates/bin/_bootstrap.sh.tpl create mode 100644 compute-utility/templates/bin/_start.sh.tpl create mode 100644 compute-utility/templates/bin/_utilscli-sudo.tpl create mode 100644 compute-utility/templates/bin/utility/_compute-utility-rootwrap.tpl create mode 100644 compute-utility/templates/bin/utility/_compute.tpl create mode 100644 compute-utility/templates/bin/utility/_utilscli.tpl create mode 100644 compute-utility/templates/configmap-bin.yaml create mode 100644 compute-utility/templates/configmap-etc-client.yaml create mode 100644 compute-utility/templates/configmap-etc-sudoers.yaml create mode 100644 compute-utility/templates/deployment-utility.yaml create mode 100644 compute-utility/values.yaml create mode 100755 install_compute_utility.sh create mode 100644 zuul.d/compute-utility.yaml diff --git a/Compute_Utility_Readme b/Compute_Utility_Readme new file mode 100644 index 00000000..191366c0 --- /dev/null +++ b/Compute_Utility_Readme 
@@ -0,0 +1,121 @@ +Compute Utility Container +----------------- +Prerequisites: Deploy OSH-AIO + + +Installation +------------ +1. Add the below to /etc/sudoers + +root ALL=(ALL) NOPASSWD: ALL +ubuntu ALL=(ALL) NOPASSWD: ALL + +2. Install the latest versions of Git, CA Certs & Make if necessary + +#!/bin/bash +set -xe + +sudo apt-get update +sudo apt-get install --no-install-recommends -y \ + ca-certificates \ + git \ + make \ + jq \ + nmap \ + curl \ + uuid-runtime + +3. Proxy Configuration + +Add the address of the Kubernetes API, 172.17.0.1, and .svc.cluster.local to your no_proxy and NO_PROXY environment variables. + +export no_proxy=${no_proxy},172.17.0.1,.svc.cluster.local +export NO_PROXY=${NO_PROXY},172.17.0.1,.svc.cluster.local + +4. Clone the OpenStack-Helm Repos + + +git clone https://git.openstack.org/openstack/openstack-helm-infra.git +git clone https://git.openstack.org/openstack/openstack-helm.git + +In order to deploy OpenStack-Helm behind corporate proxy servers, add the following entries to openstack-helm-infra/tools/gate/devel/local-vars.yaml. + +proxy: + http: http://username:password@host:port + https: https://username:password@host:port + noproxy: 127.0.0.1,localhost,172.17.0.1,.svc.cluster.local + + +5. Deploy Kubernetes & Helm + +cd openstack-helm +./tools/deployment/developer/common/010-deploy-k8s.sh + +6. Install OpenStack-Helm + +Setup Clients on the host and assemble the charts +./tools/deployment/developer/common/020-setup-client.sh + +Deploy the ingress controller +./tools/deployment/developer/common/030-ingress.sh + +7. Deploy Ceph + +./tools/deployment/developer/ceph/040-ceph.sh + + Activate the namespace to be able to use Ceph + ./tools/deployment/developer/ceph/045-ceph-ns-activate.sh + +8. Deploy Keystone +./tools/deployment/developer/ceph/080-keystone.sh + +9. Deploy Heat +./tools/deployment/developer/ceph/090-heat.sh + +10. Deploy Horizon +./tools/deployment/developer/ceph/100-horizon.sh + +11. 
Deploy Glance +./tools/deployment/developer/ceph/120-glance.sh + +12. Deploy Cinder +./tools/deployment/developer/ceph/130-cinder.sh + +13. Deploy LibVirt # required if you want to test compute-utility functionality +./tools/deployment/developer/ceph/150-libvirt.sh + +14. Deploy Compute Kit (Nova and Neutron) +./tools/deployment/developer/ceph/160-compute-kit.sh + +15. To run further commands from the CLI manually, execute the following to set up authentication credentials +export OS_CLOUD=openstack_helm + +16. Clone the Porthole and compute utility repo as well. + +git clone https://review.opendev.org/airship/porthole + +cd porthole +./install_compute_utility.sh + +Usage +----- + +Get in to the utility pod using kubectl exec. To perform any operation use the below example. + +kubectl exec -it -n utility /bin/bash + +Run the utilscli with commands formatted: utilscli + +example: + utilscli libvirt-client mtn16r001c002 virsh list + + +Accepted client-names are: + libvirt-client + ovs-client + ipmi-client + perccli-client + numa-client + sos-client + +Commands for each client vary with the client. diff --git a/Dockerfiles/compute-utility/Dockerfile.ubuntu_xenial b/Dockerfiles/compute-utility/Dockerfile.ubuntu_xenial new file mode 100755 index 00000000..5d4c5df5 --- /dev/null +++ b/Dockerfiles/compute-utility/Dockerfile.ubuntu_xenial 
@@ -0,0 +1,19 @@ +ARG FROM=docker.io/ubuntu:xenial +FROM ${FROM} + +ARG KUBE_VERSION=1.12.2 + +RUN set -xe \ + && sed -i '/nobody/d' /etc/passwd \ + && echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \ + && apt-get update && apt-get dist-upgrade -y \ + && apt-get install -y wget curl apt-transport-https ca-certificates gnupg\ + && apt-get update && apt-get install -y bash python-oslo.rootwrap moreutils vim sudo screen radosgw rsyslog hexedit jq s3cmd rsync xz-utils iperf \ + && apt-get remove --purge -y wget apt-transport-https && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* \ + && TMP_DIR=$(mktemp --directory) \ + && cd ${TMP_DIR} \ + && curl -sSL https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz | tar -zxv --strip-components=1 \ + && mv ${TMP_DIR}/client/bin/kubectl /usr/bin/kubectl \ + && chmod +x /usr/bin/kubectl \ + && rm -rf ${TMP_DIR} +CMD ["/bin/bash"] diff --git a/Dockerfiles/compute-utility/Makefile b/Dockerfiles/compute-utility/Makefile new file mode 100644 index 00000000..0e67096b --- /dev/null +++ b/Dockerfiles/compute-utility/Makefile 
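Review bot: The kubectl client tarball in the `RUN` step is streamed from `dl.k8s.io` straight into `tar` with no integrity check, so whatever the endpoint returns at build time becomes `/usr/bin/kubectl` in an image whose tools are later run as root. Download it to a file and verify it against a digest pinned in the Dockerfile before unpacking, e.g. `curl -sSLo kc.tgz https://dl.k8s.io/v${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz && echo "${KUBE_CLIENT_SHA256}  kc.tgz" | sha256sum -c -`, where `KUBE_CLIENT_SHA256` is a placeholder name for a new build arg holding the published checksum. The same step rewrites the `nobody` entry in `/etc/passwd` to give it `/bin/bash`; a comment such as `# nobody needs a login shell for interactive utilscli sessions` (if that is the reason) would document why.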
@@ -0,0 +1,37 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +SHELL := /bin/bash + +DOCKER_REGISTRY ?= quay.io +IMAGE_NAME ?= compute-utility +IMAGE_PREFIX ?= attcomdev +IMAGE_TAG ?= latest +LABEL ?= mimic + +IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG} + +# Build compute-utility Docker image for this project +.PHONY: images +images: build_$(IMAGE_NAME) + +# Make targets intended for use by the primary targets above. +.PHONY: build_$(IMAGE_NAME) +build_$(IMAGE_NAME): + docker build -f Dockerfile.${DISTRO} \ + --network host \ + -t $(IMAGE) \ + --label $(LABEL) \ + . diff --git a/Dockerfiles/compute-utility/build.sh b/Dockerfiles/compute-utility/build.sh new file mode 100755 index 00000000..600899d5 --- /dev/null +++ b/Dockerfiles/compute-utility/build.sh @@ -0,0 +1,16 @@ +#!/bin/bash +set -xe +SCRIPT=`realpath $0` +SCRIPT_DIR=`dirname ${SCRIPT}` +## Only build from main folder +cd ${SCRIPT_DIR}/.. + +IMAGE="compute-utility" +VERSION=${VERSION:-latest} +DISTRO=${DISTRO:-ubuntu_xenial} +REGISTRY_URI=${REGISTRY_URI:-"openstackhelm/"} +EXTRA_TAG_INFO=${EXTRA_TAG_INFO:-""} +docker build -f ${IMAGE}/Dockerfile.${DISTRO} \ +--network=host -t ${REGISTRY_URI}${IMAGE}:${VERSION}-${DISTRO}${EXTRA_TAG_INFO} \ +${extra_build_args} \ +${IMAGE} diff --git a/compute-utility/Chart.yaml b/compute-utility/Chart.yaml new file mode 100644 index 00000000..20cddf4d --- /dev/null +++ b/compute-utility/Chart.yaml 
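Review bot: `DISTRO` is used in `docker build -f Dockerfile.${DISTRO}` but never given a default in this Makefile, so a plain `make images` resolves to `Dockerfile.` and fails unless the caller exports the variable. Add `DISTRO ?= ubuntu_xenial` next to the other `?=` defaults, matching the default in build.sh. `LABEL ?= mimic` looks carried over from another image; if it has no meaning for compute-utility, a rename or a short comment would avoid confusion.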
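Review bot: The path handling in build.sh is unquoted (`realpath $0`, `dirname ${SCRIPT}`, `cd ${SCRIPT_DIR}/..`), so a checkout path containing spaces makes the `cd` fail or land elsewhere, and `${extra_build_args}` is expanded but never set or defaulted in this script. Quote the expansions, e.g. `SCRIPT_DIR=$(dirname "$(realpath "$0")")` and `cd "${SCRIPT_DIR}/.."`, and document `extra_build_args` as an optional environment variable or give it an empty default. `--network=host` puts every build step in the host's network namespace; if it is only there for proxy access, a comment saying so would help reviewers.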
@@ -0,0 +1,20 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: porthole Compute Client +name: compute-utility +version: 0.1.0 + +--- diff --git a/compute-utility/requirements.yaml b/compute-utility/requirements.yaml new file mode 100644 index 00000000..e69c985d --- /dev/null +++ b/compute-utility/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: helm-toolkit + repository: http://localhost:8879/charts + version: 0.1.0 diff --git a/compute-utility/templates/bin/_bootstrap.sh.tpl b/compute-utility/templates/bin/_bootstrap.sh.tpl new file mode 100644 index 00000000..4b5d093a --- /dev/null +++ b/compute-utility/templates/bin/_bootstrap.sh.tpl 
@@ -0,0 +1,19 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sudo /tmp/start.sh
+tail -f /var/log/syslog
diff --git a/compute-utility/templates/bin/_start.sh.tpl b/compute-utility/templates/bin/_start.sh.tpl
new file mode 100644
index 00000000..8ea307ef
--- /dev/null
+++ b/compute-utility/templates/bin/_start.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
+/etc/init.d/rsyslog start
+{{/*
+These lines will disable extra handler, extra formatter, extra level to the
+root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
+These lines will get rid of duplicate logs, generated because of the formatter
+attached by oslo-rootwrap.
+*/}}
+sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+
+# for readiness probe
+touch /tmp/done
diff --git a/compute-utility/templates/bin/_utilscli-sudo.tpl b/compute-utility/templates/bin/_utilscli-sudo.tpl
new file mode 100644
index 00000000..68bff331
--- /dev/null
+++ b/compute-utility/templates/bin/_utilscli-sudo.tpl
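Review bot: The four `sed -i` lines patch `/usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py` by substring match on every container start, and `sed` exits 0 whether or not anything matched, so a package update can silently turn this into a no-op or comment out a different line of the module that enforces the command filters. Doing the edit once at image build and following it with a check such as `grep -q '^#.*rootwrap_logger.addHandler' /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py` would make a mismatch fail the build instead of changing the wrapper unnoticed. The first `sed` hands rsyslog to `nobody`, which means the account being audited owns the log writer; a comment stating why that is acceptable here would be useful. The template comment also names `_openstack-utility-rootwrap.tpl`, while the file added by this commit is `_compute-utility-rootwrap.tpl`.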
@@ -0,0 +1,16 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+nobody ALL=SETENV: NOPASSWD: /tmp/start.sh, /tmp/bootstrap.sh, /usr/local/bin/compute-utility-rootwrap *
diff --git a/compute-utility/templates/bin/utility/_compute-utility-rootwrap.tpl b/compute-utility/templates/bin/utility/_compute-utility-rootwrap.tpl
new file mode 100644
index 00000000..e0681479
--- /dev/null
+++ b/compute-utility/templates/bin/utility/_compute-utility-rootwrap.tpl
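Review bot: `SETENV:` on this entry, combined with the `sudo -E` call in `_utilscli.tpl`, lets the unprivileged `nobody` user choose the whole environment of a Python process that runs as root, including variables the interpreter itself honours, so the rootwrap filter list stops being the only control between the caller and root. The wrapper reads `AUSER` from the environment, so drop `SETENV:` and `-E` and preserve only that variable, e.g. `Defaults!/usr/local/bin/compute-utility-rootwrap env_keep += "AUSER"` followed by `nobody ALL= NOPASSWD: /tmp/start.sh, /usr/local/bin/compute-utility-rootwrap *`. `/tmp/bootstrap.sh` is started directly as the container command in deployment-utility.yaml and does not appear to need a sudo entry at all; confirm and remove it if so.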
@@ -0,0 +1,53 @@
+#!/usr/bin/python
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+# PBR Generated from u'console_scripts'
+import sys
+import os
+import logging
+#import getpass
+from oslo_rootwrap.cmd import main
+
+exec_name = sys.argv[0]
+host_name = os.environ.get("HOSTNAME")
+log_level = {{ .Values.conf.computerootwrapconf.DEFAULT.syslog_log_level | quote }}
+facility = {{ .Values.conf.computerootwrapconf.DEFAULT.syslog_log_facility | quote }}
+
+if "AUSER" in os.environ:
+ user_id = os.environ["AUSER"]
+elif {{ .Values.conf.utility.always_log_user | quote }} == 'true':
+ os.environ["AUSER"] = "development site" #getpass.getuser()
+ user_id = os.environ["AUSER"]
+else:
+ print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.")
+ exit()
+
+try:
+ handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
+except IOError:
+ print("Unable to setup logging, for security reasons access restricted from connecting to container.")
+ exit()
+
+formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' + '%(levelname)s' +
+ os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s')
+handler.setFormatter(formatter)
+root = logging.getLogger()
+root.setLevel(log_level)
+root.addHandler(handler)
+
+if __name__ == "__main__":
+ sys.exit(main())
+
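Review bot: The `ActualUser` value written to syslog is taken from the caller-set `AUSER` environment variable and concatenated into the `logging.Formatter` format string, so the audit identity is whatever the caller supplies, and a value containing `%` is interpreted as a format directive instead of being logged. Validate the caller-supplied value before use, e.g. `if not re.match(r'^[A-Za-z0-9._@-]+$', user_id): sys.exit(1)`, and attach it through a `logging.Filter` rather than the format string. Both refusal paths call `exit()`, which returns status 0; `sys.exit(1)` would let callers and the liveness probe see the refusal. `host_name` is `None` when `HOSTNAME` is unset, which makes the string concatenation raise, and `logging.handlers` is used while only `logging` is imported, so the script relies on another module (presumably oslo_rootwrap) having loaded the submodule; `import logging.handlers` and `os.environ.get("HOSTNAME", "unknown")` remove both dependencies.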
diff --git a/compute-utility/templates/bin/utility/_compute.tpl b/compute-utility/templates/bin/utility/_compute.tpl
new file mode 100644
index 00000000..53a6adda
--- /dev/null
+++ b/compute-utility/templates/bin/utility/_compute.tpl
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+usage() {
+ echo "Usage: utilscli "
+ exit 1
+}
+
+COMPONENT=$0;
+HOSTNAME=$1; shift
+COMMAND=$1; shift
+OPTIONS="$@"
+
+if [[ -z "${COMPONENT}" || -z "${HOSTNAME}" || -z "$COMMAND" ]]; then
+ echo "ERROR: Missing command line argument(s)!"
+ usage
+ exit 1
+fi
+
+# remove the /tmp, then only search on the first half of the component (second half should be -client)
+prefix="/tmp/"
+suffix="-client"
+COMP1=${COMPONENT#"$prefix"}
+COMP=${COMP1%"$suffix"}
+
+# find the pod for the component and hostname
+POD=$(kubectl get pod -n openstack -o wide | grep -i $COMP | grep $HOSTNAME | awk '{print $1}')
+if [[ -z "${POD}" ]]; then
+ echo "ERROR: Could not find matching pod for host $HOSTNAME and component $COMP1"
+ usage
+ exit 1
+fi
+# run the command
+result=$(kubectl exec -it $POD -n openstack -- $COMMAND $OPTIONS)
+
+echo "$result"
+
+exit 0
diff --git a/compute-utility/templates/bin/utility/_utilscli.tpl b/compute-utility/templates/bin/utility/_utilscli.tpl
new file mode 100644
index 00000000..627b19da
--- /dev/null
+++ b/compute-utility/templates/bin/utility/_utilscli.tpl
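Review bot: The pod lookup `grep -i $COMP | grep $HOSTNAME` treats both values as unquoted regexes matched anywhere in the `-o wide` row, so a hostname that is a prefix of another, or a component string that appears in an unrelated pod name, yields several pods or the wrong one, and `kubectl exec -it $POD ... -- $COMMAND $OPTIONS` then re-splits everything on whitespace while running as root. Select by node name with an exact match (assuming the host argument is the Kubernetes node name), require exactly one result, and pass the remaining arguments as `"$@"` so they reach the target unchanged, as sketched below. The script also assigns to `HOSTNAME`, which bash sets itself, ends with `exit 0` even when `kubectl exec` fails, and requests a TTY (`-it`) inside a command substitution where none exists. The rootwrap filters in values.yaml match only the client name, so any command string is accepted for the target pod; a per-client allow-list in this script would be the place to narrow that.

```shell
# … unchanged: usage(), argument parsing, COMP1/COMP derivation …

# find exactly one pod for the component on the requested node
mapfile -t PODS < <(kubectl get pod -n openstack -o name \
  --field-selector "spec.nodeName=${HOSTNAME}" | grep -iF -- "${COMP}")
if (( ${#PODS[@]} != 1 )); then
  echo "ERROR: expected one pod for host $HOSTNAME and component $COMP1, found ${#PODS[@]}" >&2
  exit 1
fi

# run the command; arguments are passed through without re-splitting
kubectl exec "${PODS[0]}" -n openstack -- "$COMMAND" "$@"
exit $?
```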
@@ -0,0 +1,17 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+script -f -a -q /var/log/syslog -c "sudo -E /usr/local/bin/compute-utility-rootwrap /etc/compute-utility/rootwrap.conf $*"
diff --git a/compute-utility/templates/configmap-bin.yaml b/compute-utility/templates/configmap-bin.yaml
new file mode 100644
index 00000000..5075717a
--- /dev/null
+++ b/compute-utility/templates/configmap-bin.yaml
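Review bot: `$*` is pasted into the string handed to `script -c`, which runs it through a shell, so quotes, spaces and metacharacters in the operator's arguments are parsed a second time and the command that reaches rootwrap can differ from what was typed. One option is to build the string with shell quoting, `cmd=$(printf '%q ' sudo /usr/local/bin/compute-utility-rootwrap /etc/compute-utility/rootwrap.conf "$@")` followed by `script -f -a -q /var/log/syslog -c "$cmd"`, which needs bash as the shell `script` invokes. `script` also appends the raw session to `/var/log/syslog` as the calling user, so the file holding the rootwrap audit records must be writable by the account being audited; a separate session-log file would keep the audit log out of that user's reach. The `-E` flag is discussed with the sudoers entry in `_utilscli-sudo.tpl`.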
@@ -0,0 +1,66 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.configmap_bin .Values.deployment.compute }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "bin" }} +data: +{{- if .Values.images.local_registry.active }} + image-repo-sync.sh: | +{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} +{{- end }} + + start.sh: | +{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + compute-utility-rootwrap: | +{{ tuple "bin/utility/_compute-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + ovs-client: | +{{ tuple "bin/utility/_compute.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + libvirt-client: | +{{ tuple "bin/utility/_compute.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + ipmi-client: | +{{ tuple "bin/utility/_compute.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + perccli-client: | +{{ tuple "bin/utility/_compute.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + numa-client: | +{{ tuple "bin/utility/_compute.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + sos-client: | +{{ tuple "bin/utility/_compute.tpl" . 
| include "helm-toolkit.utils.template" | indent 4 }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }} +data: + utilscli: | +{{ tuple "bin/utility/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + + bootstrap.sh: | +{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + +{{- end }} diff --git a/compute-utility/templates/configmap-etc-client.yaml b/compute-utility/templates/configmap-etc-client.yaml new file mode 100644 index 00000000..c9216a13 --- /dev/null +++ b/compute-utility/templates/configmap-etc-client.yaml @@ -0,0 +1,30 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.configmap_etc_client .Values.deployment.compute }} +{{- $envAll := . }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "etc" }} +data: + rootwrap.conf: | +{{ include "helm-toolkit.utils.to_ini" .Values.conf.computerootwrapconf | indent 4 }} + compute-rootwrap-filter: | +{{ include "helm-toolkit.utils.to_ini" .Values.conf.computefilter | indent 4 }} +{{- end }} diff --git a/compute-utility/templates/configmap-etc-sudoers.yaml b/compute-utility/templates/configmap-etc-sudoers.yaml new file mode 100644 index 00000000..f6f3d161 --- /dev/null +++ b/compute-utility/templates/configmap-etc-sudoers.yaml 
@@ -0,0 +1,27 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.compute }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }} +data: + utilscli-sudo: | +{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/compute-utility/templates/deployment-utility.yaml b/compute-utility/templates/deployment-utility.yaml new file mode 100644 index 00000000..3e79beb2 --- /dev/null +++ b/compute-utility/templates/deployment-utility.yaml 
@@ -0,0 +1,169 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.compute .Values.conf.features.utility) }} +{{- $envAll := . }} + +{{- $serviceAccountName := printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - get + - list + - watch + - exec + - create +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ printf "%s" $envAll.Release.Name }} + labels: +{{ tuple $envAll "compute" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.utility }} + selector: + matchLabels: +{{ tuple $envAll "compute" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + template: + metadata: + name: {{ printf "%s" $envAll.Release.Name }} 
+ annotations: + {{ tuple . | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "compute" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + spec: + securityContext: + runAsUser: 65534 + serviceAccountName: {{ $serviceAccountName }} + affinity: +{{ tuple $envAll "compute" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }} + containers: + - name: {{ printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "compute_utility" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.compute_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - /tmp/bootstrap.sh + readinessProbe: + exec: + command: + - cat + - /tmp/done + initialDelaySeconds: 5 + periodSeconds: 15 + livenessProbe: + exec: + command: + - utilscli + initialDelaySeconds: 5 + periodSeconds: 15 + volumeMounts: + - name: compute-utility-bin-utilscli + mountPath: /tmp/bootstrap.sh + subPath: bootstrap.sh + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/start.sh + subPath: start.sh + readOnly: true + - name: compute-utility-bin-utilscli + mountPath: /usr/local/bin/utilscli + subPath: utilscli + readOnly: true + - name: compute-utility-bin + mountPath: /usr/local/bin/compute-utility-rootwrap + subPath: compute-utility-rootwrap + readOnly: true + - name: compute-utility-sudoers + mountPath: /etc/sudoers.d/utilscli-sudo + subPath: utilscli-sudo + readOnly: true + - name: compute-utility-etc + mountPath: /etc/compute-utility/rootwrap.d/compute-rootwrap-filter + subPath: compute-rootwrap-filter + readOnly: true + - name: compute-utility-etc + mountPath: /etc/compute-utility/rootwrap.conf + subPath: rootwrap.conf + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/ovs-client + subPath: ovs-client + 
readOnly: true + - name: compute-utility-bin + mountPath: /tmp/libvirt-client + subPath: libvirt-client + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/ipmi-client + subPath: ipmi-client + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/perccli-client + subPath: perccli-client + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/numa-client + subPath: numa-client + readOnly: true + - name: compute-utility-bin + mountPath: /tmp/sos-client + subPath: sos-client + readOnly: true + + volumes: + - name: compute-utility-sudoers + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }} + defaultMode: 0644 + - name: compute-utility-bin + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "bin" }} + defaultMode: 0555 + - name: compute-utility-etc + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "etc" }} + defaultMode: 0555 + - name: compute-utility-bin-utilscli + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }} + defaultMode: 0755 + +{{- end }} diff --git a/compute-utility/values.yaml b/compute-utility/values.yaml new file mode 100644 index 00000000..6b035d6d --- /dev/null +++ b/compute-utility/values.yaml 
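Review bot: The `ClusterRole` and `ClusterRoleBinding` give the pod's service account `create` on `pods` and `pods/exec` in every namespace, while `_compute.tpl` only lists and execs into pods in `openstack`, so anyone who reaches this pod can start pods or exec into containers cluster-wide. `exec` is not an RBAC verb (exec is authorized through `get`/`create` on `pods/exec`), so that entry has no effect. A namespaced `Role` and `RoleBinding` in `openstack` with separate rules for `pods` and `pods/exec`, as below, covers what the scripts use. The liveness probe runs `utilscli` with no arguments every 15 seconds, which goes through `script`, `sudo` and rootwrap each time; a cheaper check would keep probe noise out of the audit log.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceAccountName }}
  namespace: openstack
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceAccountName }}
  namespace: openstack
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
# … unchanged: Deployment …
```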
@@ -0,0 +1,151 @@ +# Default values for compute-utility. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +# name: value + + +deployment: + compute: true + +release_group: null +release_uuid: null + +images: + pull_policy: IfNotPresent + tags: + #compute_utility: 'quay.io/attcomdev/compute-utility:latest' + compute_utility: 'docker.io/mhmiddleton/mhmuc:compute-utility_v0.0.1' + #image_repo_sync: docker.io/docker:17.07.0 + + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + +labels: + utility: + node_selector_key: openstack-helm-node-class + node_selector_value: primary + +pod: + dns_policy: "ClusterFirstWithHostNet" + replicas: + utility: 1 + affinity: + anti: + type: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname + resources: + enabled: false + utility: + requests: + memory: "100Mi" + cpu: "250m" + limits: + memory: "250Mi" + cpu: "500m" + jobs: + bootstrap: + limits: + memory: "1024Mi" + cpu: "2000m" + requests: + memory: "128Mi" + cpu: "500m" + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +conf: + features: + utility: true + computeconf: + etc: compute-etc + computefilter: + Filters: + # compute-rootwrap command filters for compute utility container + # This file should be owned by (and only-writeable by) the root user + ovs-client: CommandFilter, ovs-client, root + libvirt-client: CommandFilter, libvirt-client, root + ipmi-client: CommandFilter, ipmi-client, root + perccli-client: CommandFilter, perccli-client, root + numa-client: CommandFilter, numa-client, root + sos-client: CommandFilter, sos-client, root + kubectl: CommandFilter, kubectl, root + computerootwrapconf: + DEFAULT: + # Configuration for compute-rootwrap + # This file should be owned by (and only-writeable by) the root user + # List of directories to load filter definitions from (separated by ','). 
+ # These directories MUST all be only writeable by root ! + filters_path: /etc/compute-utility/rootwrap.d + # List of directories to search executables in, in case filters do not + # explicitely specify a full path (separated by ',') + # If not specified, defaults to system PATH environment variable. + # These directories MUST all be only writeable by root ! + exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp + # Enable logging to syslog + # Default value is False + use_syslog: True + # Which syslog facility to use. + # Valid values include auth, authpriv, syslog, local0, local1... + # Default value is 'syslog' + syslog_log_facility: syslog + # Which messages to log. + # INFO means log all usage + # ERROR means only log unsuccessful attempts + syslog_log_level: INFO + utility: + # True for development labs, + # False where jump hosts will be integrated + always_log_user: true + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - compute-utility-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +bootstrap: + enabled: true + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + +monitoring: + prometheus: + enabled: true + +manifests: + configmap_bin: true + configmap_etc_client: true + configmap_etc_sudoers: true + deployment_utility: true diff --git a/install_compute_utility.sh b/install_compute_utility.sh new file mode 100755 index 00000000..7edf8176 --- /dev/null +++ b/install_compute_utility.sh 
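Review bot: `exec_dirs` ends with `/tmp`, which contradicts the comment directly above it that these directories must be writable only by root; rootwrap resolves filter names such as `ovs-client` by searching that list and runs the match as root. The client scripts are found there only because deployment-utility.yaml mounts them at `/tmp/*-client`, so mounting them under a root-owned directory such as `/usr/local/bin` (and updating `prefix="/tmp/"` in `_compute.tpl`) lets the list become `exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin`. The `kubectl: CommandFilter, kubectl, root` filter additionally permits any kubectl invocation as root with the pod's service-account token, bypassing the host and component lookup in `_compute.tpl`; consider removing it. `compute_utility` defaults to a mutable tag in a personal registry namespace and `always_log_user` defaults to `true`, the development setting per its own comment; a digest-pinned image and a `false` default would be safer production values.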
@@ -0,0 +1,18 @@ +#!/bin/bash +set -xe + +#NOTE: Lint and package chart +: ${OSH_INFRA_PATH:="../../openstack-helm-infra"} + +make compute-utility + +helm upgrade --install compute-utility compute-utility --namespace=utility + +#NOTE: Wait for deploy +./${OSH_INFRA_PATH}/tools/deployment/common/wait-for-pods.sh utility + +#NOTE: Validate Deployment info +kubectl get -n utility jobs +kubectl get -n utility secrets +kubectl get -n utility configmaps +kubectl get -n utility pods diff --git a/zuul.d/compute-utility.yaml b/zuul.d/compute-utility.yaml new file mode 100644 index 00000000..c23cec4d --- /dev/null +++ b/zuul.d/compute-utility.yaml @@ -0,0 +1,36 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- project: + check: + jobs: + - porthole-compute-utility-lint-ws + gate: + jobs: + - porthole-compute-utility-lint-ws + +- nodeset: + name: porthole-compute-utility-single-node + nodes: + - name: primary + label: ubuntu-xenial + +- job: + name: porthole-compute-utility-lint-ws + description: | + Lints all files by checking them for whitespace. + run: tools/gate/playbooks/zuul-linter.yaml + timeout: 300 + nodeset: porthole-compute-utility-single-node +