zuul: drop devstack-gate reference

Devstack jobs no longer depend on the devstack-gate project, which has been retired Change-Id: Id4721d419b22b6d6498d192e3f313629ad33ef69 (cherry picked from commit 3e2a0ffe4f)
Update .gitreview for stable/2023.2
2024-06-11 09:46:16 +00:00 · 2023-09-14 01:35:02 +00:00 · 2023-02-27 15:33:34 +01:00 · 2023-02-24 15:11:33 +00:00 · 2023-02-23 18:36:19 +01:00 · 2023-02-22 12:38:38 +01:00
6 changed files with 87 additions and 17 deletions
--- a/.gitreview
+++ b/.gitreview
@@ -2,4 +2,4 @@
 host=review.opendev.org
 port=29418
 project=openstack/devstack-plugin-container.git
-defaultbranch=stable/zed
+defaultbranch=stable/2023.2
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,7 +7,6 @@
    timeout: 4200
    required-projects:
      - openstack/devstack
-      - openstack/devstack-gate
      - openstack/devstack-plugin-container
    vars:
      devstack_localrc:
@@ -25,7 +24,6 @@
    timeout: 7200
    required-projects:
      - openstack/devstack
-      - openstack/devstack-gate
      - openstack/devstack-plugin-container
    vars:
      devstack_services:
--- a/devstack/lib/crio
+++ b/devstack/lib/crio
@@ -48,9 +48,9 @@ function install_crio {
            software-properties-common
        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 \
            --recv ${kubic_obs_project_key}
-        sudo apt-add-repository "deb https://download.opensuse.org/"`
+        sudo apt-add-repository -y "deb https://download.opensuse.org/"`
            `"repositories/devel:/kubic:/libcontainers:/stable/${os}/ /"
-        sudo apt-add-repository "deb http://download.opensuse.org/"`
+        sudo apt-add-repository -y "deb http://download.opensuse.org/"`
            `"repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/"`
            `"${CRIO_VERSION}/${os}/ /"

@@ -66,6 +66,17 @@ function install_crio {
                --add-repo \
                https://cbs.centos.org/repos/paas7-crio-311-candidate/x86_64/os/
        fi
+        if [[ "${os_VENDOR}" == *'Stream' ]]; then
+                    local stream="_Stream"
+        fi
+        # NOTE: All crio versions are not supported for Centos 8 stream
+        # because crio rpm is not present for some minor versions
+        sudo yum-config-manager \
+            --add-repo \
+            "https://download.opensuse.org/repositories/"`
+            `"devel:/kubic:/libcontainers:/stable:/cri-o:/${CRIO_VERSION}/"`
+            `"CentOS_${os_RELEASE}${stream}/"
+
        yum_install cri-o podman buildah
    fi
 }
@@ -85,16 +96,38 @@ function configure_crio {
        iniset -sudo ${CRIO_CONF} crio.runtime log_level \"info\"
    fi
    if is_ubuntu; then
+        local crio_minor=${CRIO_VERSION#*.}
        # At least for 18.04 we need to set up /etc/containers/registries.conf
        # with some initial content. That's another bug with that PPA.
        local registries_conf
        registries_conf="/etc/containers/registries.conf"
-        if [[ ! -f ${registries_conf} ]]; then
+
+        if [[ ! -f ${registries_conf} && $crio_minor -lt 24 ]]; then
            sudo mkdir -p `dirname ${registries_conf}`
            cat << EOF | sudo tee ${registries_conf}
 [registries.search]
 registries = ['docker.io']
 EOF
+        else
+            # If there is a config file, that means, we are probably on the
+            # newer version of crio/container/podman, which basically means
+            # we cannot mix [registries.search] registries filled with
+            # something and unqualified-search-registries setting which appear
+            # on sysregistry v2 config syntax. And because it's a TOML now, we
+            # cannot rely on iniset, but directly change the file.
+
+            local rname='unqualified-search-registries'
+            local rval='["docker.io", "quay.io"]'
+            if [[ ! -f ${registries_conf} ]]; then
+                cat << EOF | sudo tee ${registries_conf}
+unqualified-search-registries = ["docker.io", "quay.io"]
+EOF
+            elif grep -wq "^${rname}" "${registries_conf}"; then
+                sudo sed -i -e \
+                    "s/^${rname}.*$/${rname} = ${rval}/" "${registries_conf}"
+            else
+                sudo sed -i "1s/^/${rname} = ${rval}\n/" "${registries_conf}"
+            fi
        fi
        # CRI-O from kubic repo have placed runc in different place, not even
        # in path, just to not conflict with runc package from official repo.
@@ -113,7 +146,7 @@ EOF
        # By default CRI-O doesn't allow ICMP between containers, although it
        # is ususally expected for testing purposes.
        if [ "${CRIO_ALLOW_ICMP}" == "True" ]; then
-            if grep -q 'default_sysctls =' ${CRIO_CONF}; then
+            if grep -wq '^default_sysctls' ${CRIO_CONF}; then
                export CRIO_KEY="default_sysctls"
                export CRIO_VAL='[ "net.ipv4.ping_group_range=0 2147483647", ]'
                _update_config
--- a/devstack/lib/docker
+++ b/devstack/lib/docker
@@ -24,7 +24,8 @@ set +o xtrace
 DOCKER_ENGINE_SOCKET_FILE=${DOCKER_ENGINE_SOCKET_FILE:-/var/run/docker.sock}
 DOCKER_ENGINE_PORT=${DOCKER_ENGINE_PORT:-2375}
 DOCKER_CLUSTER_STORE=${DOCKER_CLUSTER_STORE:-}
-DOCKER_GROUP=${DOCKER_GROUP:-$STACK_USER}
+STACK_GROUP="$( id --group --name "$STACK_USER" )"
+DOCKER_GROUP=${DOCKER_GROUP:-$STACK_GROUP}
 DOCKER_CGROUP_DRIVER=${DOCKER_CGROUP_DRIVER:-}
 # TODO(hongbin): deprecate and remove clear container
 ENABLE_CLEAR_CONTAINER=$(trueorfalse False ENABLE_CLEAR_CONTAINER)
@@ -235,7 +236,7 @@ ExecStart=/usr/bin/dockerd --config-file=$docker_config_file
 Environment="HTTP_PROXY=$http_proxy" "HTTPS_PROXY=$https_proxy" "NO_PROXY=$no_proxy"
 EOF
    sudo systemctl daemon-reload
-    sudo systemctl --no-block restart docker.service
+    sudo systemctl restart docker.service
 }

 function configure_containerd {
--- a/devstack/lib/k8s
+++ b/devstack/lib/k8s
@@ -27,7 +27,7 @@ K8S_NODE_IP=${K8S_NODE_IP:-$HOST_IP}
 K8S_API_SERVER_PORT=${K8S_API_SERVER_PORT:-6443}
 K8S_POD_NETWORK_CIDR=${K8S_POD_NETWORK_CIDR:-10.244.0.0/16}
 K8S_SERVICE_NETWORK_CIDR=${K8S_SERVICE_NETWORK_CIDR:-10.96.0.0/12}
-K8S_VERSION=${K8S_VERSION:-1.19.0-00}
+K8S_VERSION=${K8S_VERSION:-1.23.16-00}
 K8S_NETWORK_ADDON=${K8S_NETWORK_ADDON:-flannel}

 # Functions
@@ -60,8 +60,18 @@ function install_kubeadm {
 function kubeadm_init {
    local kubeadm_config_file
    kubeadm_config_file=$(mktemp)
+
+    if [[ ${CONTAINER_ENGINE} == 'crio' ]]; then
+        CGROUP_DRIVER=$(iniget "/etc/crio/crio.conf" crio.runtime cgroup_manager)
+        CRI_SOCKET="unix:///var/run/crio/crio.sock"
+    else
+        # docker is used
+        CGROUP_DRIVER=$(docker info -f '{{.CgroupDriver}}')
+        CRI_SOCKET="/var/run/dockershim.sock"
+    fi
+
    cat <<EOF | tee $kubeadm_config_file >/dev/null
-apiVersion: kubeadm.k8s.io/v1beta1
+apiVersion: kubeadm.k8s.io/v1beta2
 kind: ClusterConfiguration
 imageRepository: "${KUBEADMIN_IMAGE_REPOSITORY}"
 etcd:
@@ -72,7 +82,7 @@ networking:
  podSubnet: "${K8S_POD_NETWORK_CIDR}"
  serviceSubnet: "${K8S_SERVICE_NETWORK_CIDR}"
 ---
-apiVersion: kubeadm.k8s.io/v1beta1
+apiVersion: kubeadm.k8s.io/v1beta2
 bootstrapTokens:
 - token: "${K8S_TOKEN}"
  ttl: 0s
@@ -80,10 +90,19 @@ kind: InitConfiguration
 localAPIEndpoint:
  advertiseAddress: "${K8S_API_SERVER_IP}"
  bindPort: ${K8S_API_SERVER_PORT}
+nodeRegistration:
+  criSocket: "$CRI_SOCKET"
+  kubeletExtraArgs:
+    enable-server: "true"
+  taints:
+    []
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 failSwapOn: false
+address: "0.0.0.0"
+enableServer: true
+cgroupDriver: $CGROUP_DRIVER
 EOF
    sudo kubeadm config images pull --image-repository=${KUBEADMIN_IMAGE_REPOSITORY}
    sudo kubeadm init --config $kubeadm_config_file --ignore-preflight-errors Swap
@@ -94,15 +113,25 @@ EOF
    safe_chown $STACK_USER:$STACK_USER $kube_config_file

    if [[ "$K8S_NETWORK_ADDON" == "flannel" ]]; then
-        kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/4ff77dc7c35851913587f7daccf25d754e77aa65/Documentation/kube-flannel.yml
+        kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
    fi
 }

 function kubeadm_join {
    local kubeadm_config_file
    kubeadm_config_file=$(mktemp)
+
+    if [[ ${CONTAINER_ENGINE} == 'crio' ]]; then
+        CGROUP_DRIVER=$(iniget "/etc/crio/crio.conf" crio.runtime cgroup_manager)
+        CRI_SOCKET="unix:///var/run/crio/crio.sock"
+    else
+        # docker is used
+        CGROUP_DRIVER=$(docker info -f '{{.CgroupDriver}}')
+        CRI_SOCKET="/var/run/dockershim.sock"
+    fi
+
    cat <<EOF | tee $kubeadm_config_file >/dev/null
-apiVersion: kubeadm.k8s.io/v1beta1
+apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
 discovery:
  bootstrapToken:
@@ -110,10 +139,19 @@ discovery:
    token: "${K8S_TOKEN}"
    unsafeSkipCAVerification: true
  tlsBootstrapToken: "${K8S_TOKEN}"
+nodeRegistration:
+  criSocket: "$CRI_SOCKET"
+  kubeletExtraArgs:
+    enable-server: "true"
+  taints:
+    []
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 failSwapOn: false
+address: "0.0.0.0"
+enableServer: true
+cgroupDriver: $CGROUP_DRIVER
 EOF
    sudo kubeadm join --config $kubeadm_config_file --ignore-preflight-errors Swap
 }
--- a/devstack/settings
+++ b/devstack/settings
@@ -9,7 +9,7 @@ ENABLE_LIVE_RESTORE=${ENABLE_LIVE_RESTORE:-false}
 ENABLE_IPV6=${ENABLE_IPV6:-false}
 K8S_NETWORK_ADDON=${K8S_NETWORK_ADDON:-flannel}
 ENABLE_CONTAINERD_CRI=${ENABLE_CONTAINERD_CRI:-false}
-CRIO_VERSION=${CRIO_VERSION:-"1.18:/1.18.0"}
+CRIO_VERSION=${CRIO_VERSION:-"1.23:/1.23.0"}
 CRIO_ALLOW_ICMP=${CRIO_ALLOW_ICMP:-true}
 CNI_CONF_DIR=${CNI_CONF_DIR:-}
 CNI_PLUGIN_DIR=${CNI_PLUGIN_DIR:-}
@@ -28,8 +28,8 @@ if [[ ,${ENABLED_SERVICES} =~ ,"k8s-master" ]]; then
 fi

 # Customize kubeadm container images repository
-KUBEADMIN_IMAGE_REPOSITORY=${KUBEADMIN_IMAGE_REPOSITORY:-"k8s.gcr.io"}
+KUBEADMIN_IMAGE_REPOSITORY=${KUBEADMIN_IMAGE_REPOSITORY:-"registry.k8s.io"}

 # Configure crio pause image
-CRIO_PAUSE_IMAGE=${CRIO_PAUSE_IMAGE:-"k8s.gcr.io/pause:3.6"}
+CRIO_PAUSE_IMAGE=${CRIO_PAUSE_IMAGE:-"registry.k8s.io/pause:3.6"}
 CRIO_PAUSE_COMMAND=${CRIO_PAUSE_COMMAND:-"/pause"}
Author	SHA1	Message	Date
Dr. Jens Harbott	0f77ff7162	zuul: drop devstack-gate reference Devstack jobs no longer depend on the devstack-gate project, which has been retired Change-Id: Id4721d419b22b6d6498d192e3f313629ad33ef69 (cherry picked from commit `3e2a0ffe4f`)	2024-06-11 09:46:16 +00:00
OpenStack Release Bot	1bba1e3eb6	Update .gitreview for stable/2023.2 Change-Id: I481f4115f1336ad6d3e8e659404bf9b82c6b7764	2023-09-14 01:35:02 +00:00
psingla	f2fd4303cf	Adding cri-o repository for centos system cri-o repository for centos need to be added in /etc/yum.repos.d to successfully install cri-o on centos system. Change-Id: I6b215cb0efb3c53e97a4a6605e94a262c0d04f25	2023-02-27 15:33:34 +01:00
Hongbin Lu	f8e786f0d5	Support installing specific version of docker Change-Id: I12015c28f6f8ffc125097a14514a6a90a20cf35b	2023-02-24 15:11:33 +00:00
Roman Dobosz	bdc0b49ce3	Install apparmor tools also for Ubuntu Focal. k8s gate is still on focal, so patch which unblock the apparmor for jammy does not affect it. Here is the fix for focal as well. Change-Id: I2a9bc69a59e7d6d21d61e79115d5a3c726c73ab0	2023-02-23 18:36:19 +01:00
Roman Dobosz	38835f2c54	Use flannel preferred configuration. On the Github repository, flannel team has stated[1], that for k8s 1.17+ the yaml file[2] with flannel config should be used. This patch is changing it, as old version stopped to work. [1] https://github.com/flannel-io/flannel#deploying-flannel-manually [2] https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml Change-Id: Ib7af55304714d8e91f5e9c63cb1501fb515553d6	2023-02-22 12:38:38 +01:00
Roman Dobosz	c101497703	Bump k8s version. Kubernetes 1.19 is long gone over a year now. Current minimal supported version is 1.23.x. It is also last version, which supports docker-shim. In this patch we propose to bump the version of k8s to 1.23.16 and crio to 1.23. Change-Id: I822217e769cc5cd041032fb2302c3a9c130d11ff	2023-02-22 12:38:09 +01:00
Roman Dobosz	f3cbfa21ff	Change default kubernetes registry to current one. Last year, kubernetes community has made a move from k8s.gcr.io to registry.k8s.io. Currently images on k8s.gcr.io has been stopped from serving therefore, there is a need to migrate to the new one. Change-Id: I20305b380d26fdaa30632107b29debc519e13e54	2023-02-21 17:39:02 +01:00
Roman Dobosz	6c468e5293	Fix issue with lack of apparmor. Recently there are failures observed with docker installations. Newest version (23.x) started to fail to create containers, when there are no tools for apparmor available, and yet, this feature is enabled on kernel, which is true in case of Ubuntu Jammy (22.04) stable release. There are couple[1] of bugs[2] reported to the upstream, and as a workaround, proposal is to install apparmor. [1] https://github.com/moby/moby/issues/44900 [2] https://github.com/moby/moby/issues/44970 Change-Id: Ie10de8a8b074daa19ba4a882528e78cd1ee74245	2023-02-21 17:37:51 +01:00
Roman Dobosz	aef3c9209b	Fix the issue with default_sysctls for cri-o. In earlier version of cri-o (at least that been seen in 1.18) cri-o packages have default configuration stored as /etc/crio/crio.conf, with all the default values defined. Setting a value for the key means that was a need to actually change the default. In version up to 1.23 there was even no configuration stored at all, but starting from 1.24, all the default config options has been commented out, and only section names are not commented. Similar situation has been detected for registry configuration, but here it is even more difficult, as in recent version toml format has been used instead of ini. With this patch all of the cases has been covered. Change-Id: Ia1b3dee3979841e798cec11c02ba1412dccef6c2	2022-12-02 08:44:12 +01:00
Zuul	a6494044ff	Merge "Fix docker group name"	2022-11-24 14:13:30 +00:00
Yasufumi Ogawa	a7295a5201	Fix to be prompted to add apt repos Fix devstack installation for crio is prompted while running apt-add-repository. Signed-off-by: Yasufumi Ogawa <yasufum.o@gmail.com> Change-Id: I66d69d5df254af027baf1d359130d4423fe3c4a9	2022-11-24 06:47:10 +00:00
Martin André	b648421624	Fix docker group name devstack-plugin-container wrongfully assumes that the stack user name is also the name of the group under which install the docker daemon. This can cause devstack to install docker in such a way that the stack user does not have permissions to access the docker socket, as seen in [3]. [1] https://opendev.org/openstack/devstack-plugin-container [2] https://github.com/openstack/devstack-plugin-container/blob/f09c5c9/devstack/lib/docker#L27 [3] https://github.com/gophercloud/gophercloud/pull/2380#issuecomment-1094295137 Closes-Bug: 1970129 Change-Id: Id5f1fa24ebb09db10f0d56e4d6b111be66869b5a	2022-04-24 21:42:40 +02:00