From 35267bffe4d73de605a7e198d351027bb58dc15f Mon Sep 17 00:00:00 2001
From: intlabs <pete@port.direct>
Date: Mon, 9 Oct 2017 19:03:05 -0500
Subject: [PATCH] Kernel Modules: Load via chroot into host

This PS moves the loading of kernel modules required by services to
being performed via a chroot on the host. This ensures that the correct
module is found and provides compatibility across distros.

Change-Id: I889fdd047a24bf4b123dadf9f6d6e6e8079d69d1
---
 ...tron-linuxbridge-agent-init-modules.sh.tpl | 21 +++++++++++++
 .../_neutron-linuxbridge-agent-init.sh.tpl    |  2 --
 ...tron-openvswitch-agent-init-modules.sh.tpl | 20 +++++++++++++
 neutron/templates/configmap-bin.yaml          |  4 +++
 neutron/templates/daemonset-lb-agent.yaml     | 30 +++++++++++++------
 neutron/templates/daemonset-ovs-agent.yaml    | 30 +++++++++++++------
 .../_openvswitch-vswitchd-init-modules.sh.tpl | 22 ++++++++++++++
 .../bin/_openvswitch-vswitchd.sh.tpl          |  6 ----
 openvswitch/templates/configmap-bin.yaml      |  2 ++
 .../templates/daemonset-ovs-vswitchd.yaml     | 28 +++++++++++++----
 tools/gate/funcs/common.sh                    |  9 ------
 11 files changed, 133 insertions(+), 41 deletions(-)
 create mode 100644 neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
 create mode 100644 neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
 create mode 100644 openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl

diff --git a/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl b/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
new file mode 100644
index 0000000000..7926dbd711
--- /dev/null
+++ b/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables
+chroot /mnt/host-rootfs modprobe ebtables
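Review bot: Nothing in the script says why modprobe runs under `chroot /mnt/host-rootfs` or what the container must provide for that to work, and the mount path is hard-coded both here and in daemonset-lb-agent.yaml with no cross-reference. I would add a comment above `set -ex` such as `# Load modules with the host's own modprobe and /lib/modules; needs CAP_SYS_MODULE and the host root mounted at /mnt/host-rootfs (see daemonset-lb-agent.yaml).` Also, `modprobe` is looked up through the container's PATH inside the host tree, so a host that keeps it elsewhere would fail the init container under `set -e`; this is inferred from how chroot resolves commands, not from anything visible in the patch. The same comment applies to _neutron-openvswitch-agent-init-modules.sh.tpl and _openvswitch-vswitchd-init-modules.sh.tpl.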
diff --git a/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl b/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
index 4816c90f01..52a372897a 100644
--- a/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
+++ b/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
@@ -18,8 +18,6 @@ limitations under the License.
 
 set -ex
 
-modprobe ebtables
-
 # configure external bridge
 external_bridge="{{- .Values.network.external_bridge -}}"
 external_interface="{{- .Values.network.interface.external -}}"
diff --git a/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl b/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
new file mode 100644
index 0000000000..3321a9f7c3
--- /dev/null
+++ b/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables
diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml
index 197c9d8926..aaef7f3b2d 100644
--- a/neutron/templates/configmap-bin.yaml
+++ b/neutron/templates/configmap-bin.yaml
@@ -49,6 +49,8 @@ data:
 {{ tuple "bin/_neutron-linuxbridge-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-linuxbridge-agent-init.sh: |+
 {{ tuple "bin/_neutron-linuxbridge-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-linuxbridge-agent-init-modules.sh: |+
+{{ tuple "bin/_neutron-linuxbridge-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-metadata-agent.sh: |+
 {{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-metadata-agent-init.sh: |+
@@ -57,6 +59,8 @@ data:
 {{ tuple "bin/_neutron-openvswitch-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-openvswitch-agent-init.sh: |+
 {{ tuple "bin/_neutron-openvswitch-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent-init-modules.sh: |+
+{{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   neutron-server.sh: |+
 {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml
index 5af6fb7bc5..b12bf4f693 100644
--- a/neutron/templates/daemonset-lb-agent.yaml
+++ b/neutron/templates/daemonset-lb-agent.yaml
@@ -40,6 +40,24 @@ spec:
       hostNetwork: true
       initContainers:
 {{ tuple $envAll $dependencies $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-lb-agent-kernel-modules
+          image: {{ .Values.images.tags.neutron_linuxbridge_agent }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/neutron-linuxbridge-agent-init-modules.sh
+          volumeMounts:
+            - name: neutron-bin
+              mountPath: /tmp/neutron-linuxbridge-agent-init-modules.sh
+              subPath: neutron-linuxbridge-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
         - name: neutron-lb-agent-init
           image: {{ .Values.images.tags.neutron_linuxbridge_agent }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
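Review bot: The `securityContext` of `neutron-lb-agent-kernel-modules` adds `SYS_MODULE` on top of the runtime's default capability set while running as UID 0 with the host root mounted, which is more privilege than a chroot-and-modprobe step needs. Consider dropping everything else, `drop: ["ALL"]` alongside `add: ["SYS_MODULE", "SYS_CHROOT"]`, after checking that the host's modprobe still works with that set on the distros this chart targets. A short comment on the container stating that SYS_MODULE permits loading kernel code, and is therefore confined to this init container, would help future reviewers. The same applies to the init containers added in daemonset-ovs-agent.yaml and daemonset-ovs-vswitchd.yaml; the initContainers list continues outside this hunk.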
@@ -119,9 +137,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
@@ -211,9 +226,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
@@ -228,11 +240,11 @@ spec:
           configMap:
             name: neutron-etc
             defaultMode: 0444
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
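Review bot: The `host-rootfs` volume exposes the whole host filesystem (`path: /`) to the pod where the previous `libmodules` volume exposed only `/lib/modules`, and the only thing limiting it is `readOnly: true` on the init container's mount in an earlier hunk. Because the volume is declared at pod level, any container, including ones extended through `$mounts_neutron_lb_agent.volumeMounts`, could mount it, and a read-only bind of `/` still makes host credentials and configuration readable. I would document the constraint next to the volume, e.g. `# host-rootfs: for the kernel-modules init container only, always readOnly; never mount into the long-running agent`. It may also be worth confirming whether sub-mounts under the bind are read-only on the target Kubernetes version, since a read-only hostPath mount has not always been applied recursively. The same volume is added in daemonset-ovs-agent.yaml and daemonset-ovs-vswitchd.yaml.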
diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml
index a73ec9e046..3312b5bb13 100644
--- a/neutron/templates/daemonset-ovs-agent.yaml
+++ b/neutron/templates/daemonset-ovs-agent.yaml
@@ -40,6 +40,24 @@ spec:
       hostNetwork: true
       initContainers:
 {{ tuple $envAll $dependencies $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-openvswitch-agent-kernel-modules
+          image: {{ .Values.images.tags.neutron_openvswitch_agent }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/neutron-openvswitch-agent-init-modules.sh
+          volumeMounts:
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent-init-modules.sh
+              subPath: neutron-openvswitch-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
         - name: neutron-ovs-agent-init
           image: {{ .Values.images.tags.neutron_openvswitch_agent }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
@@ -119,9 +137,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@@ -213,9 +228,6 @@ spec:
               mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
               subPath: openvswitch-plugin.filters
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
 {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@@ -232,11 +244,11 @@ spec:
           configMap:
             name: neutron-etc
             defaultMode: 0444
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
new file mode 100644
index 0000000000..ae06b97c1c
--- /dev/null
+++ b/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe openvswitch
+chroot /mnt/host-rootfs modprobe gre
+chroot /mnt/host-rootfs modprobe vxlan
diff --git a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
index 61364aa1a6..0c0477a5da 100644
--- a/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
+++ b/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -18,12 +18,6 @@ limitations under the License.
 
 set -ex
 
-# load tunnel kernel modules we may use and gre/vxlan
-modprobe openvswitch
-
-modprobe gre
-modprobe vxlan
-
 sock="/var/run/openvswitch/db.sock"
 t=0
 while [ ! -e "${sock}" ] ; do
diff --git a/openvswitch/templates/configmap-bin.yaml b/openvswitch/templates/configmap-bin.yaml
index ac13c9a312..43fc8fb2df 100644
--- a/openvswitch/templates/configmap-bin.yaml
+++ b/openvswitch/templates/configmap-bin.yaml
@@ -26,4 +26,6 @@ data:
 {{ tuple "bin/_openvswitch-db-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   openvswitch-vswitchd.sh: |+
 {{ tuple "bin/_openvswitch-vswitchd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  openvswitch-vswitchd-init-modules.sh: |+
+{{ tuple "bin/_openvswitch-vswitchd-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
diff --git a/openvswitch/templates/daemonset-ovs-vswitchd.yaml b/openvswitch/templates/daemonset-ovs-vswitchd.yaml
index 60bfca7af5..24127cc111 100644
--- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml
+++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml
@@ -34,6 +34,25 @@ spec:
         {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
+      initContainers:
+        - name: openvswitch-vswitchd-modules
+          image: {{ .Values.images.tags.openvswitch_vswitchd }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            capabilities:
+              add:
+                - SYS_MODULE
+            runAsUser: 0
+          command:
+            - /tmp/openvswitch-vswitchd-init-modules.sh
+          volumeMounts:
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-vswitchd-init-modules.sh
+              subPath: openvswitch-vswitchd-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              readOnly: true
       containers:
         - name: openvswitch-vswitchd
           image: {{ .Values.images.tags.openvswitch_vswitchd }}
@@ -56,9 +75,6 @@ spec:
               mountPath: /tmp/openvswitch-vswitchd.sh
               subPath: openvswitch-vswitchd.sh
               readOnly: true
-            - name: libmodules
-              mountPath: /lib/modules
-              readOnly: true
             - name: run
               mountPath: /run
       volumes:
@@ -66,10 +82,10 @@ spec:
           configMap:
             name: openvswitch-bin
             defaultMode: 0555
-        - name: libmodules
-          hostPath:
-            path: /lib/modules
         - name: run
           hostPath:
             path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
 {{- end }}
diff --git a/tools/gate/funcs/common.sh b/tools/gate/funcs/common.sh
index 11162c1ee7..081960d395 100644
--- a/tools/gate/funcs/common.sh
+++ b/tools/gate/funcs/common.sh
@@ -70,15 +70,6 @@ function base_install {
     sdn_lb_support_install
   fi
 
-  # NOTE(portdirect): Temp workaround until module loading is supported by
-  # OpenStack-Helm in Fedora
-  if [ "x$HOST_OS" == "xfedora" ]; then
-    sudo modprobe openvswitch
-    sudo modprobe ebtables
-    sudo modprobe gre
-    sudo modprobe vxlan
-    sudo modprobe ip6_tables
-  fi
 }
 
 function json_to_yaml {