Update(2020.11.15): Add Victoria version. Rocky version also tested

Update(2020.11.15): Added Ubuntu content and changed to use Python3 and pip3

Update(2019.10.13): Add issue solving parts

Build OpenStack Kolla images from source


Environment and Prerequisite

  • Linux-based system (tested on Mac, Ubuntu 18.04.5 LTS and CentOS 7.6)
  • Bash shell (/bin/bash)
  • Docker
  • pip (Python 2 has not been supported since January 1, 2020, so avoid using Python 2.X.X.)
  • pip3
  • Git


Kolla Image?

Kolla Image

  • Kolla’s mission is to provide production-ready containers and deployment tools for operating OpenStack clouds.
  • A Kolla image is a containerized image of an OpenStack component
  • Related projects are OpenStack-Helm and Kolla-Ansible
  • Link: https://docs.openstack.org/kolla/latest/


How to build image

Before build!

  • There are two ways to build Kolla images: from binary or from source. The default setting is binary.
  • A binary build creates images from remote binary component files; a source build creates images from source code.
  • The scenario below builds from source and builds only the nova component.
  • A source build needs each component's source code. (We will clone it from the Git repository.)
  • The scenario below was tested on both Mac and CentOS 7.6.
  • On Ubuntu and CentOS, it was tested as the root user.
  • On macOS, use the sudo command.
  • When developing Kolla it can be useful to build images using files located in a local copy of Kolla. Use the tools/build.py script instead of the kolla-build command in all of the instructions below.
  • Python 2 has not been supported since January 1, 2020, so avoid using Python 2.X.X. You can check it here.


0. Prerequisites

CentOS

sudo yum install epel-release -y
sudo yum install python-devel git python3 python-pip gcc -y

Ubuntu

sudo apt-get install git python3 python3-pip python-pip gcc -y

MacOS

brew install git python3


1. Clone kolla repository

  • Clone the kolla repository and switch to the stable/victoria branch
  • This post builds stable/victoria version images.
  • Also tested on the stable/rocky version.
$ git clone https://github.com/openstack/kolla.git
$ cd kolla/
$ git checkout stable/victoria


2. Install needed packages

  • You can use kolla-build command after installing kolla
# In kolla directory path
$ cd ..
$ pip3 install kolla/

Issue Solving - 1

  • Upgrade pip if you see an error like the one below on CentOS
  • This issue no longer occurs once you stop using pip (the Python 2 one).
...
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-GB1G0n/GitPython/
...
  • Upgrade pip version
pip install --upgrade pip

Issue Solving - 2

  • Remove the yum package if you see an error like the one below on CentOS
  • This issue no longer occurs once you stop using pip (the Python 2 one).
...
ERROR: Cannot uninstall 'requests'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
...
  • Remove yum package
$ rpm -qa | grep requests
$ yum remove python-requests-2.6.0-1.el7_1.noarch -y


3. Generate kolla-build.conf

$ pip3 install tox
$ cd kolla/
$ tox -e genconfig
...
genconfig: commands succeeded
congratulations :)

Issue Solving 1 - Python.h

  • Install the packages if you see an error like the one below on CentOS
  • This issue no longer occurs once you stop using pip (the Python 2 one).
...
configure: error: no acceptable C compiler found in $PATH
...
_posixsubprocess.c:16:20: fatal error: Python.h: No such file or directory
...
  • Install python-devel and gcc
$ sudo yum install python-devel gcc -y

Issue Solving 2 - more_itertools

  • Downgrade the pip package if you see an error like the one below on CentOS
  • This issue no longer occurs once you stop using pip (the Python 2 one).
...
File "/usr/lib/python2.7/site-packages/more_itertools/more.py", line 340
  def _collate(*iterables, key=lambda a: a, reverse=False):
                             ^
SyntaxError: invalid syntax
...
  • Downgrade version of more-itertools
pip install more-itertools==5.0.0


4. Clone nova repository

  • Clone nova repository and switch to stable/victoria branch
  • Remember the path of nova directory
# In kolla directory path
$ cd ..
$ git clone https://github.com/openstack/nova.git
$ cd nova/
$ git checkout stable/victoria
$ pwd
/root/nova


5. Modify kolla-build.conf

  • Modify [nova-base] part’s type and location
  • (Option) Modify tag if you want to change image tag name
  • location value must be your nova directory path on your local computer
  • The generated configuration file is located at etc/kolla/kolla-build.conf; it can also be copied to /etc/kolla. The default location is one of /etc/kolla/kolla-build.conf or etc/kolla/kolla-build.conf.
# In nova directory path
$ cd ..
$ cd kolla
$ vi etc/kolla/kolla-build.conf # File is in kolla repo path
...
[nova-base]

type = local

# Below value should be your local computer nova directory path
location = /root/nova
...

...
# The Docker tag (string value)
tag = victoria
...
  • Copy modified file etc/kolla/kolla-build.conf to /etc/kolla/kolla-build.conf
$ mkdir -p /etc/kolla/ && cp etc/kolla/kolla-build.conf /etc/kolla/kolla-build.conf


6. Build

  • Build nova from source code in the kolla directory
# In kolla directory path
$ python3 tools/build.py -t source nova

# OR

$ kolla-build -t source nova
  • Build all components using binary
# In kolla directory path
$ python3 tools/build.py

# OR

$ kolla-build
  • Build a specific component
# In kolla directory path
$ python3 tools/build.py keystone

# OR

$ kolla-build keystone
  • Build using a specific OS base image
  • Use the -b option with ubuntu or centos
# In kolla directory path
$ python3 tools/build.py -b centos -t source nova

# OR

$ kolla-build -b centos -t source nova
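
A pre-build check for steps 4 to 6, added here as an example (it is not part of the original post or of Kolla): it reads the [nova-base] section of kolla-build.conf, confirms that type is local and that location is a Git checkout on the expected branch, and prints the commit that will go into the image. The function names conf_get and check_nova_source are hypothetical.

```shell
#!/bin/sh
# Added example: verify which source tree a "type = local" build will use.

# conf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
conf_get() {
  awk -v section="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }                        # skip comment lines
    /^\[/         { in_sec = ($0 == section); next }
    in_sec {
      split($0, kv, "=")
      k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)        # keep any "=" in the value
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }
  ' "$1"
}

# check_nova_source CONF EXPECTED_BRANCH -> 0 and prints "PATH @ COMMIT" if OK
check_nova_source() {
  conf=$1; want_branch=$2
  src_type=$(conf_get "$conf" nova-base type)
  src_loc=$(conf_get "$conf" nova-base location)
  if [ "$src_type" != "local" ]; then
    echo "nova-base type is '$src_type', expected 'local'" >&2; return 1
  fi
  if [ ! -d "$src_loc/.git" ]; then
    echo "location '$src_loc' is not a Git checkout" >&2; return 1
  fi
  have_branch=$(git -C "$src_loc" rev-parse --abbrev-ref HEAD) || return 1
  if [ "$have_branch" != "$want_branch" ]; then
    echo "checkout is on '$have_branch', expected '$want_branch'" >&2; return 1
  fi
  # Record the exact commit that ends up inside the image.
  echo "$src_loc @ $(git -C "$src_loc" rev-parse HEAD)"
}

# Usage (paths from this post):
#   check_nova_source /etc/kolla/kolla-build.conf stable/victoria
```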


Image build result

$ docker images
REPOSITORY                                TAG                 IMAGE ID            CREATED             SIZE
kolla/centos-source-nova-compute          victoria            5145ea1a6ba7        About an hour ago   2.48GB
kolla/centos-source-nova-novncproxy       victoria            d8338f6be7fa        About an hour ago   1.66GB
kolla/centos-source-nova-ssh              victoria            bbd9d11448b4        About an hour ago   1.61GB
kolla/centos-source-nova-compute-ironic   victoria            18d58cc4b892        About an hour ago   1.61GB
kolla/centos-source-nova-conductor        victoria            395fa15a5da4        2 hours ago         1.58GB
kolla/centos-source-nova-api              victoria            20cc9cbe4234        2 hours ago         1.58GB
kolla/centos-source-nova-scheduler        victoria            b8b967a7dc3d        2 hours ago         1.58GB
kolla/centos-source-nova-mksproxy         victoria            90e969a20b73        2 hours ago         1.58GB
kolla/centos-source-nova-serialproxy      victoria            b8a4f46b847d        2 hours ago         1.58GB
kolla/centos-source-nova-base             victoria            4fdef07ed1c6        2 hours ago         1.58GB
kolla/centos-source-novajoin-server       victoria            9359d838c42b        2 hours ago         956MB
kolla/centos-source-novajoin-notifier     victoria            7704d7b68a0a        2 hours ago         956MB
kolla/centos-source-novajoin-base         victoria            75aca84b6a12        2 hours ago         956MB
kolla/centos-source-openstack-base        victoria            215a22192097        2 hours ago         809MB
kolla/centos-source-nova-libvirt          victoria            1672530e7c27        2 hours ago         1.28GB
kolla/centos-source-base                  victoria            36674f426fd1        2 hours ago         314MB
centos                                    8                   0d120b6ccaa8        3 months ago        215MB

Reference

Let's use a container in privileged mode in Docker or a Kubernetes Pod


Environment

  • Linux-based system
  • Bash shell (/bin/bash)
  • Docker
  • Kubernetes


Using Privileged Mode

What is Privileged Mode?

--cap-add: Add Linux capabilities
--cap-drop: Drop Linux capabilities
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
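  • Docker containers are generally “unprivileged” and cannot run processes such as the Docker daemon inside a Docker container. Only “privileged” containers can access all of the host's devices; ordinary containers run as “unprivileged”, without that ability, for security reasons.
  • Running a container with docker run --privileged gives it access to all devices and also lets it use most of the host kernel's functionality. You can run programs such as systemctl, or use Docker inside the Docker container.
  • With the --cap-add and --cap-drop options you can add only the capabilities you need without using the --privileged option. The official site lists the available option values and what they do.


How to use Privileged Mode with a Docker container

  • Pass the --privileged option when creating and running the Docker container.
sudo docker run --privileged [IMAGE NAME] [OTHER OPTIONS...]

Docker container Privileged Mode example

  • We will pull CentOS and use systemctl.
  • To use systemctl, /sbin/init must be run first so that the base services are started.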
# Run docker container in privileged mode
# Run "/sbin/init" command in background
$ sudo docker run -d --privileged --name centos-example centos /sbin/init

# Access to docker container
$ sudo docker exec -it centos-example /bin/bash

# Run systemctl command
$ systemctl -a
...


How to use Privileged Mode for a container in a Kubernetes Pod

  • Add privileged: true under securityContext in the YAML file that defines the Pod.
  • The examples are taken from openstack-helm and the official site.
...
containers:
  - name: pod-name
    image: image-name
    securityContext:
      privileged: true
...

Privileged Mode example in a Kubernetes Pod

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name:  pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true


Reference

Run privileged mode container in Docker or Kubernetes Pod


Environment and Prerequisite

  • Linux-based system
  • Bash shell(/bin/bash)
  • Docker
  • Kubernetes


Run Privileged Mode

What is Privileged Mode?

--cap-add: Add Linux capabilities
--cap-drop: Drop Linux capabilities
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
  • By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices.
  • With docker run --privileged, a container can not only access all of the host's devices but also use most of the host kernel's functions. You can run programs like systemctl or run a Docker daemon inside the container.
  • You can add or drop the Linux kernel (host) capabilities you need by using the --cap-add and --cap-drop options. The official Docker page lists many option values.


Docker Container Privileged Mode Usage

  • Give --privileged option when running container.
sudo docker run --privileged [IMAGE NAME] [OTHER OPTIONS...]

Docker Container Privileged Mode Example

  • Download CentOS image and use systemctl command
  • /sbin/init should be run before using systemctl
# Run docker container in privileged mode
# Run "/sbin/init" command in background
$ sudo docker run -d --privileged --name centos-example centos /sbin/init

# Access to docker container
$ sudo docker exec -it centos-example /bin/bash

# Run systemctl command
$ systemctl -a
...


Kubernetes Pod Container Privileged Mode Usage

  • Add securityContext with privileged: true option to Pod YAML file.
  • Examples are from openstack-helm and official page.
...
containers:
  - name: pod-name
    image: image-name
    securityContext:
      privileged: true
...

Kubernetes Pod Container Privileged Mode Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name:  pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true
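
The audit side of the options described above, as an added example that is not part of the original post: it lists running containers that were started with --privileged or with extra capabilities through --cap-add, using the HostConfig fields that docker inspect reports. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find containers running with --privileged or --cap-add.

# flag_risky: reads "NAME PRIVILEGED CAPADD_JSON" lines on stdin (the format
# produced by audit_running below) and prints one finding per risky container.
flag_risky() {
  awk '
    { name = $1; sub(/^\//, "", name) }     # docker prefixes names with "/"
    $2 == "true" { print "PRIVILEGED " name; next }
    $3 != "" && $3 != "null" && $3 != "[]" { print "CAP_ADD " name " " $3 }
  '
}

# audit_running: inspect every running container on this host.
audit_running() {
  ids=$(docker ps -q) || return 2
  [ -n "$ids" ] || return 0
  # $ids is intentionally unquoted: it is a whitespace-separated ID list.
  docker inspect --format \
    '{{.Name}} {{.HostConfig.Privileged}} {{json .HostConfig.CapAdd}}' $ids |
    flag_risky
}

# Constructed sample of the inspect output, so the parser can be tried offline:
#   sample_inspect_lines | flag_risky
sample_inspect_lines() {
  cat <<'EOF'
/centos-example true null
/web false null
/ntp false ["SYS_TIME"]
/batch false ["NET_ADMIN","SYS_PTRACE"]
EOF
}

# Usage on a Docker host: audit_running
```

A CAP_ADD finding shows exactly which capabilities were granted, which is the narrower alternative to --privileged that the post mentions.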


Reference

Let's download a remote script and run it right away.


Environment

  • Linux-based system
  • Bash shell (/bin/bash)
  • You can see the script's contents by opening the URL. The link is a GitHub Gist.


Download and run a remote shell script using curl

(Method 1) Using redirection

Usage

bash <(curl -s [URL])

Example

bash <(curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh)


(Method 2) Using a pipe

Usage

curl -s [URL] | bash -s arg1 arg2 arg3 ...

Example

curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh | bash -s
# With sudo
echo [!!PASSWORD!!] | sudo -S curl -s https://gist.githubusercontent.com/TWpower/8fb35a2bdc297ef897cf6f3aae5a6598/raw/f988316bb7a4ef9ba9551593e4b472b609b2865b/remote-sh-sudo-test.sh | bash -s


Reference

Run remote shell script in local computer.


Environment and Prerequisite

  • Linux-based system
  • Bash shell (/bin/bash)
  • You can see the script's contents by opening the URL. The code is hosted on GitHub Gist.


Download and run a remote shell script locally by using curl

(Method1) Use Redirection

Usage

bash <(curl -s [URL])

Example

bash <(curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh)


(Method2) Use Pipe

Usage

curl -s [URL] | bash -s arg1 arg2 arg3 ...

Example

curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh | bash -s
# With sudo
echo [!!PASSWORD!!] | sudo -S curl -s https://gist.githubusercontent.com/TWpower/8fb35a2bdc297ef897cf6f3aae5a6598/raw/f988316bb7a4ef9ba9551593e4b472b609b2865b/remote-sh-sudo-test.sh | bash -s
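
Both methods above execute whatever bytes the URL returns at that moment. The following added example (not from the original post; the function names are hypothetical) downloads the script to a file first, compares its SHA-256 with a digest you recorded after reading the script, and runs it only on a match.

```shell
#!/bin/sh
# Added example: fetch a remote script, verify a pinned SHA-256, then run it.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 only when the digest matches
verify_script() {
  actual=$(sha256_of "$1") || return 2
  [ "$actual" = "$2" ]
}

# run_if_verified FILE EXPECTED_SHA256 [ARGS...]
run_if_verified() {
  file=$1; expected=$2; shift 2
  if ! verify_script "$file" "$expected"; then
    echo "digest mismatch for $file, refusing to run" >&2
    return 4
  fi
  bash "$file" "$@"
}

# fetch_and_run URL EXPECTED_SHA256 [ARGS...]
fetch_and_run() {
  url=$1; shift
  tmp=$(mktemp) || return 2
  rc=0
  # -f: fail on HTTP errors instead of saving an error page as the script
  # --proto '=https': refuse plain HTTP and any non-HTTPS redirect target
  if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    run_if_verified "$tmp" "$@" || rc=$?
  else
    echo "download failed: $url" >&2
    rc=3
  fi
  rm -f "$tmp"
  return $rc
}

# Usage: fetch_and_run [URL] [SHA256 recorded after reviewing the script] arg1 arg2
```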


Reference