diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index ca89a96756..df10e82204 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.3.11
+version: 0.3.12
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
diff --git a/glance/templates/bin/_iscsiadm.tpl b/glance/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000000..f27d757bba
--- /dev/null
+++ b/glance/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ iscsiadm "${@:1}"
diff --git a/glance/templates/bin/_multipath.tpl b/glance/templates/bin/_multipath.tpl
new file mode 100644
index 0000000000..7f84c9c88a
--- /dev/null
+++ b/glance/templates/bin/_multipath.tpl
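Review bot: The last line of _iscsiadm.tpl runs `chroot` as a child of bash instead of replacing the shell, so a signal sent to the wrapper (for example when the caller times out and kills it) reaches bash and not iscsiadm, and `"${@:1}"` is only a longer spelling of `"$@"`; the same two points apply to _multipath.tpl and _multipathd.tpl. Suggested last line: `exec chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" iscsiadm "$@"`. A header comment would also help the next reader, since nothing in the file says where the chroot target comes from: `# /mnt/host-rootfs is the node's / (hostPath volume in deployment-api.yaml); env -i drops the container environment so only the host's PATH is searched.`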
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipath "${@:1}"
diff --git a/glance/templates/bin/_multipathd.tpl b/glance/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000000..a9ff34a653
--- /dev/null
+++ b/glance/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipathd "${@:1}"
diff --git a/glance/templates/configmap-bin.yaml b/glance/templates/configmap-bin.yaml
index 2c840defeb..600681bf06 100644
--- a/glance/templates/configmap-bin.yaml
+++ b/glance/templates/configmap-bin.yaml
@@ -21,6 +21,14 @@ kind: ConfigMap
 metadata:
 name: glance-bin
 data:
+{{- if eq .Values.storage "cinder" }}
+ iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
 {{- if .Values.bootstrap.enabled }}
 bootstrap.sh: |
 {{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 1f89a8132c..0ee260614e 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -145,6 +145,12 @@ data:
 glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
 policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
 api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+ glance_sudoers: {{ $envAll.Values.conf.glance_sudoers | b64enc }}
+ rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 20a0888b6a..9c26c747f4 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
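Review bot: The `range` over `$envAll.Values.conf.rootwrap_filters` in configmap-etc.yaml renders a `NAME.filters` secret entry for every filter set, whereas the matching loop in deployment-api.yaml mounts only the sets whose `pods` list contains "api"; `pods` therefore controls mounting, not rendering, and nothing in either template says so. A comment above the range, `{{/* every filter set is rendered into the secret; its pods: list in values.yaml selects which pod templates mount it */}}`, would make that contract explicit. The `replace "_" "-" $key` naming rule is also duplicated in deployment-api.yaml, so a comment stating that the two must agree (the secret key is used as the mount subPath) guards against a silent mismatch when one side is edited.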
@@ -55,6 +55,13 @@ spec:
 nodeSelector:
 {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+{{- if .Values.pod.useHostNetwork.api }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if eq .Values.storage "cinder" }}
+ hostIPC: true
+{{- end }}
 initContainers:
 {{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 - name: glance-perms
@@ -185,6 +192,8 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+ - name: glance-tmp
+ mountPath: /var/lib/glance/tmp
 - name: etcglance
 mountPath: /etc/glance
 - name: glance-bin
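Review bot: `hostIPC: true` is added for the cinder backend with no comment saying which tool needs the host IPC namespace, and host IPC is a pod-level isolation boundary that reviewers and admission policies will ask about. A one-line note above it, `# NOTE: host IPC namespace is needed by the iscsi/multipath tooling run through the chroot wrappers — TODO confirm which component`, would record the reason where the setting lives. The `dnsPolicy: ClusterFirstWithHostNet` pairing with `hostNetwork: true` is correct; a similar comment there, `# useHostNetwork.api defaults to false in values.yaml`, tells the reader the branch is opt-in.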
@@ -213,12 +222,73 @@ spec:
 mountPath: /etc/glance/api_audit_map.conf
 subPath: api_audit_map.conf
 readOnly: true
+ - name: glance-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_glance_sudoers
+ subPath: glance_sudoers
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "api" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
+ - name: glance-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: glance-etc
 mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
 subPath: swift-store.conf
 readOnly: true
 - name: glance-images
 mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+{{- if eq .Values.storage "cinder" }}
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: host-dev
+ mountPath: /dev
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: runlock
+ mountPath: /run/lock
+ - name: etciscsi
+ mountPath: /etc/iscsi
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: usrlocalsbin
+ mountPath: /usr/local/sbin
+ - name: glance-bin
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ - name: glance-bin
+ mountPath: /usr/local/sbin/multipath
+ subPath: multipath
+ - name: glance-bin
+ mountPath: /usr/local/sbin/multipathd
+ subPath: multipathd
+ - name: etcmultipath
+ mountPath: /etc/multipath
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: sys
+ mountPath: /sys
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+{{- end }}
 {{- if eq .Values.storage "rbd" }}
 - name: etcceph
 mountPath: /etc/ceph
@@ -238,6 +308,8 @@ spec:
 volumes:
 - name: pod-tmp
 emptyDir: {}
+ - name: glance-tmp
+ emptyDir: {}
 - name: etcglance
 emptyDir: {}
 - name: glance-bin
@@ -267,6 +339,28 @@ spec:
 secret:
 secretName: {{ .Values.secrets.rbd | quote }}
 {{- end }}
+{{- if eq .Values.storage "cinder" }}
+ - name: host-rootfs
+ hostPath:
+ path: /
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: runlock
+ hostPath:
+ path: /run/lock
+ - name: etciscsi
+ hostPath:
+ path: /etc/iscsi
+ - name: usrlocalsbin
+ emptyDir: {}
+ - name: etcmultipath
+ hostPath:
+ path: /etc/multipath
+ - name: sys
+ hostPath:
+ path: /sys
+{{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/glance/values.yaml b/glance/values.yaml
index a3742d0a9d..dfaac1521f 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
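Review bot: The guard `{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}` is repeated six times in the volumeMounts hunk and compares strings, so `ge` is lexical: Minor "9" satisfies `ge "9" "10"`, and distributions that report Minor with a suffix such as "18+" are compared as text as well. Computing it once near the top of the template, `{{- $mountPropagation := semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion }}`, and writing `{{- if $mountPropagation }}` at each site is both correct and shorter. Separately, `mountPropagation: Bidirectional` on the `etcmultipath` mount is only accepted by the API server for a privileged container, so the glance-api container's securityContext (outside this hunk) must set `privileged: true` whenever `storage` is `cinder`; a comment beside that mount stating the dependency would save the next reader a failed render.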
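Review bot: The `host-rootfs` volume in the volumes hunk is a hostPath of `/`, and together with `/dev`, `/sys`, `/run/lock`, `/etc/iscsi` and `/etc/multipath` it hands the api pod the entire node filesystem whenever `storage` is `cinder`; the only consumer visible in this diff is the `chroot /mnt/host-rootfs` in the bin/_*.tpl wrappers, and nothing says so. A comment on the volume, `# NOTE: the node's / is mounted only so the iscsiadm/multipath/multipathd wrappers can chroot into the host's tooling; treat this pod as privileged in PodSecurity/admission policy`, records both the reason and the policy consequence. The hostPath entries also omit `type:`; `type: Directory` on `/etc/iscsi` and `/etc/multipath` makes a node without the iscsi or multipath packages fail pod start visibly instead of surfacing as an error inside the wrapper at first use.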
@@ -244,6 +244,60 @@ conf:
 add_metadef_tags: rule:metadef_admin
 delete_metadef_tag: rule:metadef_admin
 delete_metadef_tags: rule:metadef_admin
+ glance_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
+ rootwrap: |
+ # Configuration for glance-rootwrap
+ # This file should be owned by (and only-writable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+ rootwrap_filters:
+ glance_cinder_store:
+ pods:
+ - api
+ content: |
+ # glance-rootwrap command filters for glance cinder store
+ # This file should be owned by (and only-writable by) the root user
+
+ [Filters]
+ # cinder store driver
+ disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+ # os-brick library commands
+ # os_brick.privileged.run_as_root oslo.privsep context
+ # This line ties the superuser privs with the config files, context name,
+ # and (implicitly) the actual python code invoked.
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+ chown: CommandFilter, chown, root
+ mount: CommandFilter, mount, root
+ umount: CommandFilter, umount, root
 glance:
 DEFAULT:
 log_config_append: /etc/glance/logging.conf
@@ -259,6 +313,7 @@ conf:
 auth_version: v3
 memcache_security_strategy: ENCRYPT
 glance_store:
+ cinder_catalog_info: volumev3::internalURL
 rbd_store_chunk_size: 8
 rbd_store_replication: 3
 rbd_store_crush_rule: replicated_rule
@@ -275,6 +330,8 @@ conf:
 flavor: keystone
 database:
 max_retries: -1
+ oslo_concurrency:
+ lock_path: "/var/lib/glance/tmp"
 oslo_messaging_notifications:
 driver: messagingv2
 oslo_messaging_rabbit:
@@ -837,6 +894,8 @@ pod:
 - key: node-role.kubernetes.io/master
 operator: Exists
 effect: NoSchedule
+ useHostNetwork:
+ api: false
 mounts:
 glance_api:
 init_container: null
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml
index 781d3d3c73..aa50605317 100644
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
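Review bot: In the `rootwrap:` block, `use_syslog=False` makes the following `syslog_log_level=ERROR` inert, so a glance-rootwrap call rejected by the filters is not recorded anywhere; inside a container there is presumably no syslog socket, which would explain the default, but for the one privilege-escalation path this chart now grants, that trade-off should be written down next to the setting. A comment above `use_syslog=False`, `# no syslog socket in the container: denied rootwrap calls are not logged here, only surfaced as errors to glance-api`, or a pointer to wherever they are captured, closes that gap. The `glance_sudoers` block likewise benefits from one line saying that the trailing `*` is deliberate because rootwrap, not sudo, enforces the allowed commands via the `rootwrap_filters` below.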
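Review bot: `useHostNetwork` is camelCase while the neighbouring keys in values.yaml (`init_container`, `node_selector_key`, `termination_grace_period`) are snake_case, so the new knob breaks the file's naming convention; deployment-api.yaml reads it as `.Values.pod.useHostNetwork.api`, so a rename touches both places, e.g. `use_host_network:` with `api: false` and `{{- if .Values.pod.use_host_network.api }}`. Whichever name is kept, a short comment on the key, `# run glance-api in the host network namespace (dnsPolicy is switched to ClusterFirstWithHostNet)`, states what toggling it does.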
@@ -32,4 +32,5 @@ glance:
 - 0.3.9 Support TLS endpoints
 - 0.3.10 Distinguish between port number of internal endpoint and binding port number
 - 0.3.11 Use HTTP probe instead of TCP probe
+ - 0.3.12 Add support for using Cinder as backend
 ...