Kernel Modules: Load via chroot into host

This PS moves the loading of kernel modules required by services to
being perfromed via a chroot on the host, this ensures that the correct
module is found and provides compatibility across distros.

Change-Id: I889fdd047a24bf4b123dadf9f6d6e6e8079d69d1

neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables
+chroot /mnt/host-rootfs modprobe ebtables

neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl

@@ -18,8 +18,6 @@ limitations under the License.
 
 set -ex
 
-modprobe ebtables
-
 # configure external bridge
 external_bridge="{{- .Values.network.external_bridge -}}"
 external_interface="{{- .Values.network.interface.external -}}"

neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables

neutron/templates/configmap-bin.yaml

@@ -49,6 +49,8 @@ data:
 {{ tuple "bin/_neutron-linuxbridge-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-linuxbridge-agent-init.sh: |+
 {{ tuple "bin/_neutron-linuxbridge-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-linuxbridge-agent-init-modules.sh: |+
+{{ tuple "bin/_neutron-linuxbridge-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-metadata-agent.sh: |+
 {{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-metadata-agent-init.sh: |+
@@ -57,6 +59,8 @@ data:
 {{ tuple "bin/_neutron-openvswitch-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-openvswitch-agent-init.sh: |+
 {{ tuple "bin/_neutron-openvswitch-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent-init-modules.sh: |+
+{{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-server.sh: |+
 {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

neutron/templates/daemonset-lb-agent.yaml

@@ -40,6 +40,24 @@ spec:
       hostNetwork: true
       initContainers:
 {{ tuple $envAll $dependencies $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-lb-agent-kernel-modules
+          image: {{ .Values.images.tags.neutron_linuxbridge_agent }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/neutron-linuxbridge-agent-init-modules.sh
+          volumeMounts:
+            - name: neutron-bin
+              mountPath: /tmp/neutron-linuxbridge-agent-init-modules.sh
+              subPath: neutron-linuxbridge-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
         - name: neutron-lb-agent-init
           image: {{ .Values.images.tags.neutron_linuxbridge_agent }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
@@ -119,9 +137,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
@@ -211,9 +226,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
@@ -228,11 +240,11 @@ spec:
           configMap:
             name: neutron-etc
             defaultMode: 0444
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }}
 {{- end }}

neutron/templates/daemonset-ovs-agent.yaml

@@ -40,6 +40,24 @@ spec:
       hostNetwork: true
       initContainers:
 {{ tuple $envAll $dependencies $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-openvswitch-agent-kernel-modules
+          image: {{ .Values.images.tags.neutron_openvswitch_agent }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/neutron-openvswitch-agent-init-modules.sh
+          volumeMounts:
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent-init-modules.sh
+              subPath: neutron-openvswitch-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
         - name: neutron-ovs-agent-init
           image: {{ .Values.images.tags.neutron_openvswitch_agent }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
@@ -119,9 +137,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@@ -213,9 +228,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@@ -232,11 +244,11 @@ spec:
           configMap:
             name: neutron-etc
             defaultMode: 0444
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }}
 {{- end }}

openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe openvswitch
+chroot /mnt/host-rootfs modprobe gre
+chroot /mnt/host-rootfs modprobe vxlan

openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl

@@ -18,12 +18,6 @@ limitations under the License.
 
 set -ex
 
-# load tunnel kernel modules we may use and gre/vxlan
-modprobe openvswitch
-
-modprobe gre
-modprobe vxlan
-
 sock="/var/run/openvswitch/db.sock"
 t=0
 while [ ! -e "${sock}" ] ; do

openvswitch/templates/configmap-bin.yaml

@@ -26,4 +26,6 @@ data:
 {{ tuple "bin/_openvswitch-db-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   openvswitch-vswitchd.sh: |+
 {{ tuple "bin/_openvswitch-vswitchd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  openvswitch-vswitchd-init-modules.sh: |+
+{{ tuple "bin/_openvswitch-vswitchd-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

openvswitch/templates/daemonset-ovs-vswitchd.yaml

@@ -34,6 +34,25 @@ spec:
         {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
+      initContainers:
+        - name: openvswitch-vswitchd-modules
+          image: {{ .Values.images.tags.openvswitch_vswitchd }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/openvswitch-vswitchd-init-modules.sh
+          volumeMounts:
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-vswitchd-init-modules.sh
+              subPath: openvswitch-vswitchd-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
       containers:
         - name: openvswitch-vswitchd
           image: {{ .Values.images.tags.openvswitch_vswitchd }}
@@ -56,9 +75,6 @@ spec:
               mountPath: /tmp/openvswitch-vswitchd.sh
               subPath: openvswitch-vswitchd.sh
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
       volumes:
@@ -66,10 +82,10 @@ spec:
           configMap:
             name: openvswitch-bin
             defaultMode: 0555
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{- end }}

tools/gate/funcs/common.sh

@@ -70,15 +70,6 @@ function base_install {
     sdn_lb_support_install
   fi
 
-  # NOTE(portdirect): Temp workaround until module loading is supported by
-  # OpenStack-Helm in Fedora
-  if [ "x$HOST_OS" == "xfedora" ]; then
-    sudo modprobe openvswitch
-    sudo modprobe ebtables
-    sudo modprobe gre
-    sudo modprobe vxlan
-    sudo modprobe ip6_tables
-  fi
 }
 
 function json_to_yaml {