Update(2019.10.13) : Add issue solving parts

Build openstack kolla image by using source


Environment and Prerequisite

  • Linux-based system (tested on Mac and CentOS 7.6)
  • Bash shell(/bin/bash)
  • Docker
  • pip
  • Git


Kolla Image?

Kolla Image

  • Kolla’s mission is to provide production-ready containers and deployment tools for operating OpenStack clouds.
  • A Kolla image is a containerized image of an OpenStack component
  • Related projects are OpenStack-Helm and Kolla-Ansible
  • Link : https://docs.openstack.org/kolla/latest/


How to build image

Before build!

  • There are two ways to build Kolla images: from binary and from source. The default setting is binary.
  • A binary build creates images from remote binary component files. A source build creates images from source code.
  • The scenario below builds from source and builds only the nova component.
  • To build from source, we need each component's source code. (We will clone it from its Git repository.)
  • The scenario below was tested on both Mac and CentOS 7.6.
  • When developing Kolla it can be useful to build images using files located in a local copy of Kolla. Use the tools/build.py script instead of kolla-build command in all below instructions.


0. Prerequisites

CentOS

MacOS


1. Clone kolla repository

  • Clone kolla repository and switch to stable/rocky branch
  • This post will build stable/rocky version images.
$ git clone https://github.com/openstack/kolla.git
$ cd kolla/
$ git checkout stable/rocky


2. Install needed packages

  • You can use kolla-build command after installing kolla
# In kolla directory path
$ cd ..
$ pip install kolla/

Issue Solving - 1

  • Upgrade pip if there is an error like the one below on CentOS
...
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-GB1G0n/GitPython/
...
  • Upgrade pip version
pip install --upgrade pip

Issue Solving - 2

  • Remove the yum package if there is an error like the one below on CentOS
...
ERROR: Cannot uninstall 'requests'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
...
  • Remove yum package
$ rpm -qa | grep requests
$ yum remove python-requests-2.6.0-1.el7_1.noarch -y


3. Generate kolla-build.conf

$ pip install tox
$ cd kolla/
$ tox -e genconfig
...
genconfig: commands succeeded
congratulations :)

Issue Solving 1 - Python.h

  • Install the packages if there is an error like the one below on CentOS
...
configure: error: no acceptable C compiler found in $PATH
...
_posixsubprocess.c:16:20: fatal error: Python.h: No such file or directory
...
  • Install python-devel and gcc
$ sudo yum install python-devel gcc -y

Issue Solving 2 - more_itertools

  • Downgrade the pip package if there is an error like the one below on CentOS
...
File "/usr/lib/python2.7/site-packages/more_itertools/more.py", line 340
  def _collate(*iterables, key=lambda a: a, reverse=False):
                             ^
SyntaxError: invalid syntax
...
  • Downgrade version of more-itertools
pip install more-itertools==5.0.0


4. Clone nova repository

  • Clone nova repository and switch to stable/rocky branch
  • Remember the path of nova directory
# In kolla directory path
$ cd ..
$ git clone https://github.com/openstack/nova.git
$ cd nova/
$ git checkout stable/rocky
$ pwd
/root/nova


5. Modify kolla-build.conf

  • Modify [nova-base] part
  • location value must be your nova directory path on your local computer
  • The location of the generated configuration file is etc/kolla/kolla-build.conf, it can also be copied to /etc/kolla. The default location is one of /etc/kolla/kolla-build.conf or etc/kolla/kolla-build.conf.
  • Copy modified file etc/kolla/kolla-build.conf to /etc/kolla/kolla-build.conf
# In nova directory path
$ cd ..
$ cd kolla
$ vi etc/kolla/kolla-build.conf # File is in kolla repo path

[nova-base]
type = local
# Below value should be your local computer nova directory path
location = /root/nova

$ mkdir -p /etc/kolla/ && cp etc/kolla/kolla-build.conf /etc/kolla/kolla-build.conf


6. Build

  • Build nova from source code in kolla directory
# In kolla directory path
$ python tools/build.py -t source nova

# OR

$ kolla-build -t source nova
  • Build all components using binary
# In kolla directory path
$ python tools/build.py

# OR

$ kolla-build
  • Build specific component
# In kolla directory path
$ python tools/build.py keystone

# OR

$ kolla-build keystone


Image build result

$ docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED              SIZE
kolla/centos-source-nova-compute           7.0.4               694d85ecaa62        About a minute ago   1.81GB
kolla/centos-source-novajoin-notifier      7.0.4               c116e353b02b        4 minutes ago        1.2GB
kolla/centos-source-novajoin-server        7.0.4               9541f2052b73        4 minutes ago        1.2GB
kolla/centos-source-novajoin-base          7.0.4               125d2a2e8b9a        4 minutes ago        1.2GB
kolla/centos-source-nova-placement-api     7.0.4               655930338019        7 minutes ago        1.34GB
kolla/centos-source-nova-api               7.0.4               d9521fa18d3d        7 minutes ago        1.34GB
kolla/centos-source-nova-spicehtml5proxy   7.0.4               6395db08d1df        8 minutes ago        1.33GB
kolla/centos-source-nova-ssh               7.0.4               b395c526352e        8 minutes ago        1.31GB
kolla/centos-source-nova-compute-ironic    7.0.4               dd0a8457063f        8 minutes ago        1.29GB
kolla/centos-source-nova-novncproxy        7.0.4               c407eee656a3        9 minutes ago        1.29GB
kolla/centos-source-nova-serialproxy       7.0.4               b854ffc79ded        11 minutes ago       1.26GB
kolla/centos-source-nova-consoleauth       7.0.4               1abeb9649aea        11 minutes ago       1.26GB
kolla/centos-source-nova-scheduler         7.0.4               0675166ec124        11 minutes ago       1.26GB
kolla/centos-source-nova-conductor         7.0.4               701da269a6d8        11 minutes ago       1.26GB
kolla/centos-source-nova-mksproxy          7.0.4               7aca763eadc8        11 minutes ago       1.26GB
kolla/centos-source-nova-base              7.0.4               7334dc66fc18        11 minutes ago       1.26GB
kolla/centos-source-nova-libvirt           7.0.4               2f9b6a373655        13 minutes ago       972MB
kolla/centos-source-openstack-base         7.0.4               a0d75d6d1f88        15 minutes ago       1.01GB
kolla/centos-source-base                   7.0.4               0c78c4431ab3        25 minutes ago       416MB
centos                                     7                   9f38484d220f        3 months ago         202MB
hello-world                                latest              fce289e99eb9        5 months ago         1.84kB

Reference

Let's use a container in privileged mode in Docker or a Kubernetes Pod


Environment

  • Linux-based system
  • Bash shell(/bin/bash)
  • Docker
  • Kubernetes


Using Privileged Mode

What is Privileged Mode?

--cap-add: Add Linux capabilities
--cap-drop: Drop Linux capabilities
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
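  • Docker containers are normally “unprivileged” and cannot run a process such as the Docker daemon inside a Docker container. Only “privileged” containers can access all of the host's devices; ordinary containers run “unprivileged”, without that ability, for security reasons.
  • Running a container with docker run --privileged gives it access to all devices and also lets it use most of the host kernel's features. You can use programs such as systemctl, or use Docker inside the Docker container.
  • With the --cap-add and --cap-drop options you can add only the capabilities you need without using the --privileged option. The official site lists the various option values and what they do.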


Docker Container Privileged Mode Usage

  • Pass the --privileged option when you create and run the Docker container.
sudo docker run --privileged [IMAGE NAME] [OTHER OPTIONS...]

Docker Container Privileged Mode Example

  • We will pull the CentOS image and use systemctl.
  • To use systemctl, /sbin/init must be run first so that the basic setup is started.
# Run docker container in privileged mode
# Run "/sbin/init" command in background
$ sudo docker run -d --privileged --name centos-example centos /sbin/init

# Access to docker container
$ sudo docker exec -it centos-example /bin/bash

# Run systemctl command
$ systemctl -a
...


Kubernetes Pod Container Privileged Mode Usage

  • Add securityContext with privileged: true to the YAML file that defines the Pod.
  • The examples are taken from openstack-helm and the official site.
...
containers:
  - name: pod-name
    image: image-name
    securityContext:
      privileged: true
...

Kubernetes Pod Privileged Mode Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name:  pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true


Reference

Run privileged mode container in Docker or Kubernetes Pod


Environment and Prerequisite

  • Linux-based system
  • Bash shell(/bin/bash)
  • Docker
  • Kubernetes


Run Privileged Mode

What is Privileged Mode?

--cap-add: Add Linux capabilities
--cap-drop: Drop Linux capabilities
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
  • By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices.
  • With docker run --privileged, a container can not only access all of the host's devices but also use most of the host computer's kernel functions. You can use programs such as systemctl, or run a Docker daemon inside the Docker container.
  • You can add or drop the Linux kernel (host) capabilities you need with the --cap-add and --cap-drop options. The official Docker page lists the many option values.


Docker Container Privileged Mode Usage

  • Pass the --privileged option when running the container.
sudo docker run --privileged [IMAGE NAME] [OTHER OPTIONS...]

Docker Container Privileged Mode Example

  • Download CentOS image and use systemctl command
  • /sbin/init should be run before using systemctl
# Run docker container in privileged mode
# Run "/sbin/init" command in background
$ sudo docker run -d --privileged --name centos-example centos /sbin/init

# Access to docker container
$ sudo docker exec -it centos-example /bin/bash

# Run systemctl command
$ systemctl -a
...


Kubernetes Pod Container Privileged Mode Usage

  • Add securityContext with privileged: true option to Pod YAML file.
  • Examples are from openstack-helm and official page.
...
containers:
  - name: pod-name
    image: image-name
    securityContext:
      privileged: true
...

Kubernetes Pod Container Privileged Mode Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name:  pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true
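
Since a privileged container gets access to all host devices and most kernel functions, it helps to know which containers in a manifest request it. The script below is an added example, not part of the original post: the function name find_privileged_containers and the sample manifest are constructed for illustration, and it assumes space-indented block-style YAML like the manifests above.

```shell
#!/bin/sh
# Added example: list containers in a Pod manifest that set privileged: true.
find_privileged_containers() {
    awk '
    function lead(s, re, t) { t = s; sub(re, "", t); return length(s) - length(t) }
    function flush() {                  # report the container item just finished
        if (in_item && priv) print (cname == "" ? "<unnamed>" : cname)
        in_item = 0; priv = 0; cname = ""
    }
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)     # strip trailing YAML comments
        if (line ~ /^[ \t]*(#.*)?$/) next
        indent = lead(line, "^ *")
        is_item = (line ~ /^ *- /)
    }
    line ~ /^ *(containers|initContainers):[ \t]*$/ {
        flush(); in_list = 1; item_indent = -1; next
    }
    !in_list { next }
    is_item && item_indent < 0 { item_indent = indent }
    (is_item && indent < item_indent) || (!is_item && indent <= item_indent) {
        flush(); in_list = 0; next      # left the containers list
    }
    is_item && indent == item_indent {  # a new container starts here
        flush(); in_item = 1
        field_indent = lead(line, "^ *- *")
        line = sprintf("%" field_indent "s", "") substr(line, field_indent + 1)
        indent = field_indent
    }
    in_item && indent == field_indent && line ~ /^ *name:/ {
        cname = line; sub(/^ *name:[ \t]*/, "", cname); gsub(/"/, "", cname)
    }
    in_item && line ~ /^ *privileged:[ \t]*true[ \t]*$/ { priv = 1 }
    END { flush() }
    ' "$@"
}

# Constructed sample: a privileged init container and a capability-scoped app.
find_privileged_containers <<'EOF'
spec:
  initContainers:
  - image: busybox
    securityContext:
      privileged: true
    name: init-sysctl
  containers:
  - name: app
    securityContext:
      capabilities:
        drop: ["ALL"]
EOF
```

Containers reported here are candidates for replacing privileged: true with only the specific capabilities they need, the Kubernetes counterpart of --cap-add and --cap-drop.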


Reference

Let's download a remote script and run it right away.


Environment

  • Linux-based system
  • Bash shell(/bin/bash)
  • You can see the script content at the URL. The link is a GitHub Gist.


Download and run a remote shell script using curl

(Method 1) Using redirection

Usage

bash <(curl -s [URL])

Example

bash <(curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh)


(Method 2) Using a pipe

Usage

curl -s [URL] | bash -s arg1 arg2 arg3 ...

Example

curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh | bash -s
# With sudo
echo [!!PASSWORD!!] | sudo -S curl -s https://gist.githubusercontent.com/TWpower/8fb35a2bdc297ef897cf6f3aae5a6598/raw/f988316bb7a4ef9ba9551593e4b472b609b2865b/remote-sh-sudo-test.sh | bash -s


Reference

Run remote shell script in local computer.


Environment and Prerequisite

  • Linux-based system
  • Bash shell(/bin/bash)
  • You can see the script content at the URL. It is code hosted on GitHub Gist.


Download and run a remote shell script locally using curl

(Method1) Use Redirection

Usage

bash <(curl -s [URL])

Example

bash <(curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh)


(Method2) Use Pipe

Usage

curl -s [URL] | bash -s arg1 arg2 arg3 ...

Example

curl -s https://gist.githubusercontent.com/TWpower/1c3e78ef762d493f6df3033f30165afc/raw/55688b960b8d31f2185d3dbfe80c6815efd4a47a/remote-sh-test.sh | bash -s
# With sudo
echo [!!PASSWORD!!] | sudo -S curl -s https://gist.githubusercontent.com/TWpower/8fb35a2bdc297ef897cf6f3aae5a6598/raw/f988316bb7a4ef9ba9551593e4b472b609b2865b/remote-sh-sudo-test.sh | bash -s
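
Both methods above execute whatever the URL returns at that moment, so a changed or truncated download runs as-is. The script below is an added example, not part of the original post: it saves the download to a file, compares it with a pinned SHA-256, and only then runs it. The function names and the demo script are constructed for illustration.

```shell
#!/bin/sh
# Added example: fetch to a file, check a pinned SHA-256, only then execute.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'    # macOS fallback
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
run_if_pinned() {
    rip_file=$1; rip_want=$2; shift 2
    rip_got=$(sha256_of "$rip_file")
    if [ "$rip_got" != "$rip_want" ]; then
        echo "refusing to run $rip_file: sha256 $rip_got, pinned $rip_want" >&2
        return 1
    fi
    bash "$rip_file" "$@"
}

# fetch_and_run URL EXPECTED_SHA256 [ARGS...]
fetch_and_run() {
    far_url=$1; far_want=$2; shift 2
    far_tmp=$(mktemp) || return 2
    # -f fails on HTTP errors instead of saving an error page; HTTPS only.
    if curl --proto '=https' -fsSL -o "$far_tmp" "$far_url"; then
        run_if_pinned "$far_tmp" "$far_want" "$@"; far_rc=$?
    else
        far_rc=2
    fi
    rm -f "$far_tmp"
    return "$far_rc"
}

# Offline demo on a constructed script standing in for the downloaded file.
demo_script=$(mktemp)
printf 'echo "hello $1"\n' > "$demo_script"
demo_pin=$(sha256_of "$demo_script")
run_if_pinned "$demo_script" "$demo_pin" world
echo 'echo "injected line"' >> "$demo_script"    # simulate tampering
run_if_pinned "$demo_script" "$demo_pin" world || echo "blocked"
rm -f "$demo_script"
```

The pinned hash is recorded once, after reading the script, and kept next to the command that uses it.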


Reference