yoga host image selinux #790

Closed
wants to merge 4 commits into from
7 changes: 7 additions & 0 deletions etc/kayobe/ansible/pulp-host-image-promote.yml
Expand Up @@ -19,6 +19,9 @@
name: "{{ repository_name }}_{{ promotion_tag }}"
base_path: "{{ base_path }}/{{ promotion_tag }}"
register: distribution_details
until: distribution_details is success
Contributor Author

Pulled out this stuff into #1031

retries: 3
delay: 1

- name: Fail if the image does not exist
fail:
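Review bot: The retry window added to the `distribution_details` task is only a few seconds (`retries: 3`, `delay: 1`) and both values are hard-coded, so it absorbs a momentary API blip but nothing longer. Consider taking both from variables with a longer default delay, so the window can be tuned per environment without editing the playbook.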
Expand All @@ -34,6 +37,10 @@
base_path: "{{ base_path }}/{{ promotion_tag }}"
content_guard: release
state: present
register: content_guard_result
until: content_guard_result is success
retries: 3
delay: 1

- name: Print version tag and os
debug:
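Review bot: The registered name `content_guard_result` is misleading: the task's visible parameters (`base_path`, `content_guard: release`, `state: present`) describe a distribution that has a content guard attached, not a content guard itself. A name that says "distribution" would sit better next to `distribution_details` in the task above and avoid confusion if the result is consumed later.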
26 changes: 26 additions & 0 deletions etc/kayobe/ansible/pulp-host-image-upload.yml
Expand Up @@ -25,6 +25,10 @@
password: "{{ remote_pulp_password }}"
file: "{{ found_files.files[0].path }}"
state: present
register: upload_result
until: upload_result is success
retries: 3
delay: 1

- name: Get sha256 hash
ansible.builtin.stat:
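Review bot: `until: upload_result is success` retries on every failure, not only transient ones, so on this upload task a wrong `remote_pulp_password` or a rejected file is attempted three more times before the play stops. With the same stanza on each Pulp task in the file, one bad credential turns into a burst of failed logins against the remote Pulp. Consider narrowing the condition to errors that are worth retrying, or at least add a comment saying the retries are a blanket workaround for flaky API calls.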
Expand All @@ -40,6 +44,10 @@
sha256: "{{ file_stats.stat.checksum }}"
relative_path: "{{ found_files.files[0].path | basename }}"
state: present
register: file_content_result
until: file_content_result is success
retries: 3
delay: 1

- name: Ensure file repo exists
pulp.squeezer.file_repository:
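Review bot: The four lines added after `state: present` are the same `register`/`until`/`retries`/`delay` stanza added to the previous task, differing only in the variable name, and they hard-code `retries: 3` and `delay: 1` again. Taking the two numbers from shared variables would keep the copies in step and let an operator tune them in one place.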
Expand All @@ -48,6 +56,10 @@
password: "{{ remote_pulp_password }}"
name: "{{ repository_name }}"
state: present
register: file_repo_result
until: file_repo_result is success
retries: 3
delay: 1

- name: Add content to file repo
pulp.squeezer.file_repository_content:
Expand All @@ -58,6 +70,10 @@
present_content:
- relative_path: "{{ found_files.files[0].path | basename }}"
sha256: "{{ file_stats.stat.checksum }}"
register: file_repo_content_result
until: file_repo_content_result is success
retries: 3
delay: 1

- name: Create a new publication to point to this version
pulp.squeezer.file_publication:
Expand All @@ -67,6 +83,9 @@
repository: "{{ repository_name }}"
state: present
register: publication_details
until: publication_details is success
retries: 3
delay: 1

- name: Update distribution for latest version
pulp.squeezer.file_distribution:
Expand All @@ -79,6 +98,9 @@
content_guard: development
state: present
register: latest_distribution_details
until: latest_distribution_details is success
retries: 3
delay: 1

- name: Create distribution for given version
pulp.squeezer.file_distribution:
Expand All @@ -91,6 +113,10 @@
content_guard: development
state: present
when: latest_distribution_details.changed
register: distribution_result
until: distribution_result is success
retries: 3
delay: 1

- name: Update new images file with versioned path
lineinfile:
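Review bot: Retrying the previous task interacts badly with `when: latest_distribution_details.changed` on this one. If an attempt at updating the latest distribution is applied by Pulp but reaches the client as a failure, the retry that then succeeds reports no change, and this task, which creates the distribution for the given version, is skipped. Consider gating on something that does not depend on which attempt succeeded, for example whether the versioned distribution already exists.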
2 changes: 1 addition & 1 deletion etc/kayobe/overcloud-dib.yml
Expand Up @@ -71,7 +71,7 @@ overcloud_dib_host_packages_extra:
overcloud_dib_git_elements_extra:
- repo: "https://github.com/stackhpc/stackhpc-image-elements"
local: "{{ source_checkout_path }}/stackhpc-image-elements"
version: "v1.6.0"
version: "rocky_container_pulp"
elements_path: "elements"

# List of git repositories containing Diskimage Builder (DIB) elements. See
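Review bot: `version: "rocky_container_pulp"` replaces the pinned tag `v1.6.0` with what looks like a branch name, so the elements pulled into every image build can change without any change to this repository. Before merging, point this at a tag or commit of stackhpc-image-elements that contains the needed elements, so builds are reproducible and the code that ends up in the host image is reviewable.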
8 changes: 5 additions & 3 deletions etc/kayobe/stackhpc-overcloud-dib.yml
Expand Up @@ -23,7 +23,7 @@ stackhpc_overcloud_dib_name: "deployment_image"
stackhpc_overcloud_dib_elements:
- "{{ os_distribution }}-{% if os_distribution == 'rocky' %}container-stackhpc{% else %}minimal{% endif %}"
- "cloud-init-datasources"
- "{% if os_distribution in ['centos', 'rocky'] %}disable-selinux{% endif %}"
- "{% if os_distribution == 'rocky' and os_release == '9' %}selinux-permissive{% elif os_distribution in ['centos', 'rocky'] %}disable-selinux{% endif %}"
Contributor Author

This part did work:

sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

- "enable-serial-console"
- "{% if kayobe_environment == 'ci-builder' %}etc-hosts{% endif %}"
- "vm"
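Review bot: The new SELinux condition selects `selinux-permissive` only when `os_release == '9'` matches exactly as a string; if `os_release` is ever supplied as an integer or a longer version string, the template silently falls through to `disable-selinux`. A comparison that tolerates those forms would avoid disabling SELinux by accident. A comment saying why Rocky 9 gets permissive rather than enforcing would also help, since permissive mode records denials but does not block them.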
Expand Down Expand Up @@ -55,11 +55,13 @@ stackhpc_overcloud_dib_env_vars:
# Avoid DNS queries during sudo commands, since we might not always have working DNS.
DIB_SUDOERS_CONFIG: |
Defaults !fqdn
# FIXME: Support templating repo files.
# DIB_YUM_MINIMAL_BOOTSTRAP_REPOS: /path/to/dir/containing/dib-mirror-*.repo
# On Rocky Linux 9, use the host's repo files.
# These will have been configured to point to Test Pulp repo snapshots during the 'host configure' step.
# FIXME: This assumes we are building on RL9, which may not be the case.
Member

Contributor Author

Right - we could make it work for CS8 too, but thought I'd focus on the future :)

YUM: dnf
# Workaround for stack user home ownership bug
DIB_IMAGE_CACHE: "/tmp/yum"
DIB_CONTAINERFILE_BUILDOPTS: "--add-host pulp-server.internal.sms-cloud:10.205.3.187 --build-arg ROCKY_USE_MIRROR=true --build-arg ROCKY_APPSTREAM_URL={{ stackhpc_repo_rocky_9_appstream_url }} --build-arg ROCKY_BASEOS_URL={{ stackhpc_repo_rocky_9_baseos_url }} --build-arg ROCKY_CRB_URL={{ stackhpc_repo_rocky_9_crb_url }}"

# StackHPC overcloud DIB image packages.
stackhpc_overcloud_dib_packages:
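Review bot: `DIB_CONTAINERFILE_BUILDOPTS` hard-codes one site's Pulp host mapping (`--add-host pulp-server.internal.sms-cloud:10.205.3.187`) in committed configuration, which will be wrong in any other environment and records an internal address in the repository. Move the host mapping into a variable alongside the `stackhpc_repo_rocky_9_*_url` values. Separately, `DIB_IMAGE_CACHE: "/tmp/yum"` puts the package cache at a fixed path in a world-writable directory; a directory owned by the build user would be a safer home for a cache that feeds the image build.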