|Hein-Pieter van Braam 65ced4aa66 Enable memcached for keystone||3 years ago|
|README.md||3 years ago|
|build-image.py||3 years ago|
|images.yml||3 years ago|
Notes and scripts so far
To this end we'll run Fedora 26 with CentOS7 containers running RDO packages.
We will use Puppet to manage the base OS as well as the Configuration for the containerized OpenStack components. So for instance the Keystone container contains:
The services in the container are all configured to start at boot (httpd in the case of keystone) while Puppet will manage /var/lib/machines/keystone/etc/keystone/keystone.conf From the host.
# cat /var/lib/machines/keystone/etc/systemd/network/80-container-host0.network [Match] Virtualization=container Name=host0 [Network] DHCP=yes LinkLocalAddressing=yes
This will just make sure everything 'just works'
# cat /etc/systemd/nspawn/keystone.nspawn [Exec] PrivateUsers=no [Network] Port=35357:35357 Port=5000:5000
This will forward the keystone ports from the host to the container without any further interference.
(PrivateUsers=no is required to allow httpd to install suexec, if we switch to another httpd we may be able to use private users)
We can't create network namespaces from inside nspawn containers as long as nspawn doesn't set the shareable flag on the rootfs of the container. So for Neutron we need a workaround.
We need to create network namespaces in the host system's mount namespace. We can actually enter the mount namespace of the host if we have a file descriptor into the hosts' mount namespace available. Normally this would not be the case but we can make sure we get access to it by bind mounting the /proc filesystem of the host into the container at a different location. We then just need to make sure that calls to 'ip' get intercepted and ran in the host mount namespace.
The neutron agents don't call '/sbin/ip' but just 'ip' so by modifying the service file for the agents to include a different path we can make it call our own ip without modifying /sbin/ip.
The wrapper script:
#!/bin/bash if [ "$1" == "netns" ]; then if [ "$2" == "add" ] || [ "$2" == "delete" ]; then nsenter --mount=/hostproc/1/ns/mnt /sbin/ip "$@" exit $? fi fi /sbin/ip "$@" exit $?
The nspawn file for the container:
[Exec] PrivateUsers=no [Network] Private=no [Files] Bind=/var/run/netns:/var/run/netns Bind=/proc:/hostproc
Note that we really only need to run namespace creation and destruction in the host mount namespace. Exec and everything else can remain in the container.
Some small tooling for the creation of the nspawn container. Currently runs only on DNF based distros. See build-image.py and images.yml