Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove dependency on playbook2image, rebase directly on OS. #4742

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
.*
bin
docs
hack
inventory
test
utils
**/*.md
*.spec
*.ini
*.txt
setup*
29 changes: 0 additions & 29 deletions BUILD.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,35 +33,6 @@ To build a container image of `openshift-ansible` using standalone **Docker**:
cd openshift-ansible
docker build -f images/installer/Dockerfile -t openshift-ansible .

### Building on OpenShift

To build an openshift-ansible image using an **OpenShift** [build and image stream](https://docs.openshift.org/latest/architecture/core_concepts/builds_and_image_streams.html) the straightforward command would be:

oc new-build registry.centos.org/openshift/playbook2image~https://github.com/openshift/openshift-ansible

However: because the `Dockerfile` for this repository is not in the top level directory, and because we can't change the build context to the `images/installer` path as it would cause the build to fail, the `oc new-app` command above will create a build configuration using the *source to image* strategy, which is the default approach of the [playbook2image](https://github.com/openshift/playbook2image) base image. This does build an image successfully, but unfortunately the resulting image will be missing some customizations that are handled by the [Dockerfile](images/installer/Dockerfile) in this repo.

At the time of this writing there is no straightforward option to [set the dockerfilePath](https://docs.openshift.org/latest/dev_guide/builds/build_strategies.html#dockerfile-path) of a `docker` build strategy with `oc new-build`. The alternatives to achieve this are:

- Use the simple `oc new-build` command above to generate the BuildConfig and ImageStream objects, and then manually edit the generated build configuration to change its strategy to `dockerStrategy` and set `dockerfilePath` to `images/installer/Dockerfile`.

- Download and pass the `Dockerfile` to `oc new-build` with the `-D` option:

```
curl -s https://raw.githubusercontent.com/openshift/openshift-ansible/master/images/installer/Dockerfile |
oc new-build -D - \
--docker-image=registry.centos.org/openshift/playbook2image \
https://github.com/openshift/openshift-ansible
```

Once a build is started, the progress of the build can be monitored with:

oc logs -f bc/openshift-ansible

Once built, the image will be visible in the Image Stream created by `oc new-app`:

oc describe imagestream openshift-ansible

## Build the Atomic System Container

A system container runs using runC instead of Docker and it is managed
Expand Down
6 changes: 1 addition & 5 deletions README_CONTAINER_IMAGE.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Containerized openshift-ansible to run playbooks

The [Dockerfile](images/installer/Dockerfile) in this repository uses the [playbook2image](https://github.com/openshift/playbook2image) source-to-image base image to containerize `openshift-ansible`. The resulting image can run any of the provided playbooks. See [BUILD.md](BUILD.md) for image build instructions.
The [Dockerfile](images/installer/Dockerfile) in this repository can be used to build a containerized `openshift-ansible`. The resulting image can run any of the provided playbooks. See [BUILD.md](BUILD.md) for image build instructions.

The image is designed to **run as a non-root user**. The container's UID is mapped to the username `default` at runtime. Therefore, the container's environment reflects that user's settings, and the configuration should match that. For example `$HOME` is `/opt/app-root/src`, so ssh keys are expected to be under `/opt/app-root/src/.ssh`. If you ran a container as `root` you would have to adjust the container's configuration accordingly, e.g. by placing ssh keys under `/root/.ssh` instead. Nevertheless, the expectation is that containers will be run as non-root; for example, this container image can be run inside OpenShift under the default `restricted` [security context constraint](https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints).

Expand All @@ -14,8 +14,6 @@ This provides consistency with other images used by the platform and it's also a

## Usage

The `playbook2image` base image provides several options to control the behaviour of the containers. For more details on these options see the [playbook2image](https://github.com/openshift/playbook2image) documentation.

At the very least, when running a container you must specify:

1. An **inventory**. This can be a location inside the container (possibly mounted as a volume) with a path referenced via the `INVENTORY_FILE` environment variable. Alternatively you can serve the inventory file from a web server and use the `INVENTORY_URL` environment variable to fetch it, or `DYNAMIC_SCRIPT_URL` to download a script that provides a dynamic inventory.
Expand Down Expand Up @@ -52,8 +50,6 @@ Here is a detailed explanation of the options used in the command above:

Further usage examples are available in the [examples directory](examples/) with samples of how to use the image from within OpenShift.

Additional usage information for images built from `playbook2image` like this one can be found in the [playbook2image examples](https://github.com/openshift/playbook2image/tree/master/examples).

## Running openshift-ansible as a System Container

Building the System Container: See the [BUILD.md](BUILD.md).
Expand Down
62 changes: 27 additions & 35 deletions images/installer/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,51 +1,43 @@
# Using playbook2image as a base
# See https://github.com/openshift/playbook2image for details on the image
# including documentation for the settings/env vars referenced below
FROM registry.centos.org/openshift/playbook2image:latest
FROM centos:7

MAINTAINER OpenShift Team <dev@lists.openshift.redhat.com>

USER root

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason to move the USER and RUN commands before the LABELs? If not, wouldn't it be better to leave the LABELs first to keep the metadata type of content at the top? The caching related benefits of that are probably not relevant in our case, but still wondering if it would make sense from a file organization POV?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's really just that when iterating on changes, it helps to put the slowest thing (the install) first so it can be most likely to be cached. Not a huge deal to me but I don't like having to re-run the install just because I tweaked the labels. Labels are still pretty close to the top... but we can move it if you like.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Heh, in the "normal" use case it's usually the other way around: when you build the same image over time, labels change less than the result of 'yum install' - so having the labels before the run should help caching.

However, this doesn't really apply to our build system (I think), so it was more of a comment around the logical structure of the file. To me it looks better to have the metadata first, but up to you.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our build system doesn't use cache so as far as I'm concerned the only optimizations to consider are for iterative local development. So I vote to leave it as is unless I hear loud complaining :)

# install ansible and deps
RUN INSTALL_PKGS="python-lxml pyOpenSSL python2-cryptography openssl java-1.8.0-openjdk-headless httpd-tools openssh-clients" \
&& yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS \
&& EPEL_PKGS="ansible python-passlib python2-boto" \
&& yum install -y epel-release \
&& yum install -y --setopt=tsflags=nodocs $EPEL_PKGS \
&& rpm -q $INSTALL_PKGS $EPEL_PKGS \
&& yum clean all

LABEL name="openshift/origin-ansible" \
summary="OpenShift's installation and configuration tool" \
description="A containerized openshift-ansible image to let you run playbooks to install, upgrade, maintain and check an OpenShift cluster" \
url="https://github.com/openshift/openshift-ansible" \
io.k8s.display-name="openshift-ansible" \
io.k8s.description="A containerized openshift-ansible image to let you run playbooks to install, upgrade, maintain and check an OpenShift cluster" \
io.openshift.expose-services="" \
io.openshift.tags="openshift,install,upgrade,ansible"
io.openshift.tags="openshift,install,upgrade,ansible" \
atomic.run="once"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍


USER root
ENV USER_UID=1001 \
HOME=/opt/app-root/src \
WORK_DIR=/usr/share/ansible/openshift-ansible \
OPTS="-v"

# Create a symlink to /opt/app-root/src so that files under /usr/share/ansible are accessible.
# This is required since the system-container uses by default the playbook under
# /usr/share/ansible/openshift-ansible. With this change we won't need to keep two different
# configurations for the two images.
RUN mkdir -p /usr/share/ansible/ && ln -s /opt/app-root/src /usr/share/ansible/openshift-ansible
# Add image scripts and files for running as a system container
COPY images/installer/root /
# Include playbooks, roles, plugins, etc. from this repo
COPY . ${WORK_DIR}

RUN INSTALL_PKGS="skopeo openssl java-1.8.0-openjdk-headless httpd-tools" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum clean all
RUN /usr/local/bin/user_setup \
&& rm /usr/local/bin/usage.ocp

USER ${USER_UID}

# The playbook to be run is specified via the PLAYBOOK_FILE env var.
# This sets a default of openshift_facts.yml as it's an informative playbook
# that can help test that everything is set properly (inventory, sshkeys)
ENV PLAYBOOK_FILE=playbooks/byo/openshift_facts.yml \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious, why was PLAYBOOK_FILE removed while other env items were kept?

OPTS="-v" \
INSTALL_OC=true

# playbook2image's assemble script expects the source to be available in
# /tmp/src (as per the source-to-image specs) so we import it there
ADD . /tmp/src

# Running the 'assemble' script provided by playbook2image will install
# dependencies specified in requirements.txt and install the 'oc' client
# as per the INSTALL_OC environment setting above
RUN /usr/libexec/s2i/assemble

# Add files for running as a system container
COPY images/installer/system-container/root /

CMD [ "/usr/libexec/s2i/run" ]
WORKDIR ${WORK_DIR}
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
CMD [ "/usr/local/bin/run" ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that this has been re-arranged I think it would make sense to complete the work by moving the contents under system-container/root into root so there's only one root.

The README.md inside system-container could be moved higher up as README_SYSTEM_CONTAINER.md, or its contents integrated into README_CONTAINER_IMAGE.md...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will go ahead and add a commit for this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in e02bc5d

67 changes: 29 additions & 38 deletions images/installer/Dockerfile.rhel7
Original file line number Diff line number Diff line change
@@ -1,55 +1,46 @@
FROM openshift3/playbook2image
FROM rhel7.3:7.3-released

MAINTAINER OpenShift Team <dev@lists.openshift.redhat.com>

# override env vars from base image
ENV SUMMARY="OpenShift's installation and configuration tool" \
DESCRIPTION="A containerized openshift-ansible image to let you run playbooks to install, upgrade, maintain and check an OpenShift cluster"
USER root

# Playbooks, roles, and their dependencies are installed from packages.
RUN INSTALL_PKGS="atomic-openshift-utils atomic-openshift-clients python-boto openssl java-1.8.0-openjdk-headless httpd-tools" \
&& yum repolist > /dev/null \
&& yum-config-manager --enable rhel-7-server-ose-3.6-rpms \
&& yum-config-manager --enable rhel-7-server-rh-common-rpms \
&& yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS \
&& rpm -q $INSTALL_PKGS \
&& yum clean all

LABEL name="openshift3/ose-ansible" \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question as with Dockerfile: should LABEL come before USER/RUN?

summary="$SUMMARY" \
description="$DESCRIPTION" \
summary="OpenShift's installation and configuration tool" \
description="A containerized openshift-ansible image to let you run playbooks to install, upgrade, maintain and check an OpenShift cluster" \
url="https://github.com/openshift/openshift-ansible" \
io.k8s.display-name="openshift-ansible" \
io.k8s.description="$DESCRIPTION" \
io.k8s.description="A containerized openshift-ansible image to let you run playbooks to install, upgrade, maintain and check an OpenShift cluster" \
io.openshift.expose-services="" \
io.openshift.tags="openshift,install,upgrade,ansible" \
com.redhat.component="aos3-installation-docker" \
version="v3.6.0" \
release="1" \
architecture="x86_64"

# Playbooks, roles and their dependencies are installed from packages.
# Unlike in Dockerfile, we don't invoke the 'assemble' script here
# because all content and dependencies (like 'oc') is already
# installed via yum.
USER root
RUN INSTALL_PKGS="atomic-openshift-utils atomic-openshift-clients python-boto skopeo openssl java-1.8.0-openjdk-headless httpd-tools" && \
yum repolist > /dev/null && \
yum-config-manager --enable rhel-7-server-ose-3.6-rpms && \
yum-config-manager --enable rhel-7-server-rh-common-rpms && \
yum install -y $INSTALL_PKGS && \
yum clean all

# The symlinks below are a (hopefully temporary) hack to work around the fact that this
# image is based on python s2i which uses the python27 SCL instead of system python,
# and so the system python modules we need would otherwise not be in the path.
RUN ln -s /usr/lib/python2.7/site-packages/{boto,passlib} /opt/app-root/lib64/python2.7/

USER ${USER_UID}
architecture="x86_64" \
atomic.run="once"

# The playbook to be run is specified via the PLAYBOOK_FILE env var.
# This sets a default of openshift_facts.yml as it's an informative playbook
# that can help test that everything is set properly (inventory, sshkeys).
# As the playbooks are installed via packages instead of being copied to
# $APP_HOME by the 'assemble' script, we set the WORK_DIR env var to the
# location of openshift-ansible.
ENV PLAYBOOK_FILE=playbooks/byo/openshift_facts.yml \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious, why was PLAYBOOK_FILE removed while other env items were kept?

Copy link
Member

@sosiouxme sosiouxme Jul 18, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want the image to do something helpful if you just run it without reading the docs (or if you miss salient items). To me the most helpful thing seems to print a usage message immediately and exit. If we specify PLAYBOOK_FILE then we're going to run a playbook, and running a "usage" playbook seemed like overkill when we can just... run usage.

ANSIBLE_CONFIG=/usr/share/atomic-openshift-utils/ansible.cfg \
ENV USER_UID=1001 \
HOME=/opt/app-root/src \
WORK_DIR=/usr/share/ansible/openshift-ansible \
ANSIBLE_CONFIG=/usr/share/atomic-openshift-utils/ansible.cfg \
OPTS="-v"

# Add files for running as a system container
COPY system-container/root /
# Add image scripts and files for running as a system container
COPY root /

RUN /usr/local/bin/user_setup \
&& mv /usr/local/bin/usage{.ocp,}

USER ${USER_UID}

CMD [ "/usr/libexec/s2i/run" ]
WORKDIR ${WORK_DIR}
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
CMD [ "/usr/local/bin/run" ]
Original file line number Diff line number Diff line change
@@ -1,17 +1,34 @@
# System container installer
ORIGIN-ANSIBLE IMAGE INSTALLER
===============================

Contains Dockerfile information for building an openshift/origin-ansible image
based on `centos:7` or `rhel7.3:7.3-released`.

Read additional setup information for this image at: https://hub.docker.com/r/openshift/origin-ansible/

Read additional information about the `openshift/origin-ansible` at: https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md

Also contains necessary components for running the installer using an Atomic System Container.


System container installer
==========================

These files are needed to run the installer using an [Atomic System container](http://www.projectatomic.io/blog/2016/09/intro-to-system-containers/).
These files can be found under `root/exports`:

* config.json.template - Template of the configuration file used for running containers.

* manifest.json - Used to define various settings for the system container, such as the default values to use for the installation.

* run-system-container.sh - Entrypoint to the container.
* manifest.json - Used to define various settings for the system container, such as the default values to use for the installation.

* service.template - Template file for the systemd service.

* tmpfiles.template - Template file for systemd-tmpfiles.

These files can be found under `root/usr/local/bin`:

* run-system-container.sh - Entrypoint to the container.

## Options

These options may be set via the ``atomic`` ``--set`` flag. For defaults see ``root/exports/manifest.json``
Expand All @@ -28,4 +45,4 @@ These options may be set via the ``atomic`` ``--set`` flag. For defaults see ``r

* ANSIBLE_CONFIG - Full path for the ansible configuration file to use inside the container

* INVENTORY_FILE - Full path for the inventory to use from the host
* INVENTORY_FILE - Full path for the inventory to use from the host
17 changes: 17 additions & 0 deletions images/installer/root/usr/local/bin/entrypoint
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
#!/bin/bash -e
#
# This file serves as the main entrypoint to the openshift-ansible image.
#
# For more information see the documentation:
# https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md


# Patch /etc/passwd file with the current user info.
# The current user's entry must be correctly defined in this file in order for
# the `ssh` command to work within the created container.

if ! whoami &>/dev/null; then
echo "${USER:-default}:x:$(id -u):$(id -g):Default User:$HOME:/sbin/nologin" >> /etc/passwd
fi

exec "$@"
46 changes: 46 additions & 0 deletions images/installer/root/usr/local/bin/run
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
#!/bin/bash -e
#
# This file serves as the default command to the openshift-ansible image.
# Runs a playbook with inventory as specified by environment variables.
#
# For more information see the documentation:
# https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md

# SOURCE and HOME DIRECTORY: /opt/app-root/src

if [[ -z "${PLAYBOOK_FILE}" ]]; then
echo
echo "PLAYBOOK_FILE must be provided."
exec /usr/local/bin/usage
fi

INVENTORY="$(mktemp)"
if [[ -v INVENTORY_FILE ]]; then
# Make a copy so that ALLOW_ANSIBLE_CONNECTION_LOCAL below
# does not attempt to modify the original
cp -a ${INVENTORY_FILE} ${INVENTORY}
elif [[ -v INVENTORY_URL ]]; then
curl -o ${INVENTORY} ${INVENTORY_URL}
elif [[ -v DYNAMIC_SCRIPT_URL ]]; then
curl -o ${INVENTORY} ${DYNAMIC_SCRIPT_URL}
chmod 755 ${INVENTORY}
else
echo
echo "One of INVENTORY_FILE, INVENTORY_URL or DYNAMIC_SCRIPT_URL must be provided."
exec /usr/local/bin/usage
fi
INVENTORY_ARG="-i ${INVENTORY}"

if [[ "$ALLOW_ANSIBLE_CONNECTION_LOCAL" = false ]]; then
sed -i s/ansible_connection=local// ${INVENTORY}
fi

if [[ -v VAULT_PASS ]]; then
VAULT_PASS_FILE=.vaultpass
echo ${VAULT_PASS} > ${VAULT_PASS_FILE}
VAULT_PASS_ARG="--vault-password-file ${VAULT_PASS_FILE}"
fi

cd ${WORK_DIR}

exec ansible-playbook ${INVENTORY_ARG} ${VAULT_PASS_ARG} ${OPTS} ${PLAYBOOK_FILE}
33 changes: 33 additions & 0 deletions images/installer/root/usr/local/bin/usage
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
#!/bin/bash -e
cat <<"EOF"

The origin-ansible image provides several options to control the behaviour of the containers.
For more details on these options see the documentation:

https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md

At a minimum, when running a container using this image you must provide:

* ssh keys so that Ansible can reach your hosts. These should be mounted as a volume under
/opt/app-root/src/.ssh
* An inventory file. This can be mounted inside the container as a volume and specified with the
INVENTORY_FILE environment variable. Alternatively you can serve the inventory file from a web
server and use the INVENTORY_URL environment variable to fetch it.
* The playbook to run. This is set using the PLAYBOOK_FILE environment variable.

Here is an example of how to run a containerized origin-ansible with
the openshift_facts playbook, which collects and displays facts about your
OpenShift environment. The inventory and ssh keys are mounted as volumes
(the latter requires setting the uid in the container and SELinux label
in the key file via :Z so they can be accessed) and the PLAYBOOK_FILE
environment variable is set to point to the playbook within the image:

docker run -tu `id -u` \
-v $HOME/.ssh/id_rsa:/opt/app-root/src/.ssh/id_rsa:Z,ro \
-v /etc/ansible/hosts:/tmp/inventory:Z,ro \
-e INVENTORY_FILE=/tmp/inventory \
-e OPTS="-v" \
-e PLAYBOOK_FILE=playbooks/byo/openshift_facts.yml \
openshift/origin-ansible

EOF
Loading