author | Dave Wallace <dwallacelf@gmail.com> | 2020-05-28 14:56:07 -0400 |
---|---|---|
committer | Dave Wallace <dwallacelf@gmail.com> | 2020-05-28 15:45:04 -0400 |
commit | 9da67d4b8e0f47bcd50e2ec70b72bf06a0b6e908 (patch) | |
tree | d2476cd611acd57c1a482af425a31d58125819c7 /docker/csit | |
parent | 0e4d21ba4f01911130e2ed54bd1faff8baf8b5b0 (diff) |
Update Nomad docker image files for VPP & CSIT
- The docker image files were originally created by Ed Kern
for the Nomad container proof of concept build infrastructure
for the VPP project. The original source files and commit
history can be found in the respective repositories at
https://github.com/snergfdio
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Iff0a8fc76e8a1d2b56dfea6daff688b237338568
Diffstat (limited to 'docker/csit')
-rw-r--r-- | docker/csit/csit-shim/Dockerfile | 50 | ||||
-rw-r--r-- | docker/csit/csit-shim/files/badkeypub | 1 | ||||
-rw-r--r-- | docker/csit/csit-shim/files/sshconfig | 3 | ||||
-rw-r--r-- | docker/csit/csit-shim/files/wrapdocker | 113 | ||||
-rw-r--r-- | docker/csit/csit-sut/Dockerfile | 173 | ||||
-rw-r--r-- | docker/csit/csit-sut/supervisord.conf | 24 |
6 files changed, 364 insertions, 0 deletions
diff --git a/docker/csit/csit-shim/Dockerfile b/docker/csit/csit-shim/Dockerfile
new file mode 100644
index 000000000..288c49b19
--- /dev/null
+++ b/docker/csit/csit-shim/Dockerfile
@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+MAINTAINER Ed Kern <ejk@cisco.com>
+LABEL Description="CSIT shim container"
+LABEL Vendor="cisco.com"
+LABEL Version="1.2"
+
+# Setup the environment
+ENV DEBIAN_FRONTEND=noninteractive
+ENV NOTVISIBLE "in users profile"
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+ADD files/wrapdocker /usr/local/bin/wrapdocker
+RUN chmod +x /usr/local/bin/wrapdocker
+
+# Install packages and Docker
+RUN apt-get -q update \
+ && apt-get install -y -qq \
+ bash \
+ curl \
+ iproute2 \
+ locales \
+ ssh \
+ sudo \
+ tzdata \
+ uuid-runtime \
+ && curl -fsSL https://get.docker.com | sh \
+ && rm -rf /var/lib/apt/lists/*
+
+# Configure locales
+RUN locale-gen en_US
+
+RUN mkdir /var/run/sshd
+RUN echo 'root:Csit1234' | chpasswd
+RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+# Need volume for sidecar docker launches
+VOLUME /var/lib/docker
+
+# SSH to listen on port 6022 in shim
+RUN echo 'Port 6022' >>/etc/ssh/sshd_config
+RUN echo 'Port 6023' >>/etc/ssh/sshd_config
+ADD files/badkeypub /root/.ssh/authorized_keys
+ADD files/sshconfig /root/.ssh/config
+
+# Start sshd by default
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/docker/csit/csit-shim/files/badkeypub b/docker/csit/csit-shim/files/badkeypub
new file mode 100644
index 000000000..574268450
--- /dev/null
+++ b/docker/csit/csit-shim/files/badkeypub
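Review bot: docker/csit/csit-shim/Dockerfile bakes a fixed root credential into the image: `RUN echo 'root:Csit1234' | chpasswd` together with the `sed` that sets `PermitRootLogin yes` means every container built from this file accepts the same published root password over SSH, and `ADD files/badkeypub /root/.ssh/authorized_keys` adds a static key from the repository on top. The same `chpasswd` / `PermitRootLogin yes` pair appears in the "SSH settings" step of docker/csit/csit-sut/Dockerfile. I would drop the `chpasswd` line and the `PermitRootLogin` `sed` (leaving the stock `prohibit-password` default) and supply the authorized key when the container starts, from a mounted file or a scheduler secret, rather than from the source tree. Separately, `EXPOSE 22` disagrees with the `Port 6022` and `Port 6023` lines appended to sshd_config; assuming the stock file leaves `Port 22` commented out, it should read `EXPOSE 6022 6023`.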
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyUNd/iRk5Ajw4ZBB0gXyjzecEzQHh/MctgvHGJjasqJDkwYyZBrunUorOZ3n82W8VGdd5+eNINCWOM/ERjuaHjnutfade+ocPgZRdk+kEgTvetDVNWIgBd0PMVcnp57jJfx7CZVqTNgGeVQ8OJ2RbJGeOb/EKApQI74IPkAfc0PSieSw5gC0eqEOHb39Awgp0ycrzsUHF/OEicfCmo+6vvrMGenDe7frKUoTKYMWs7l3DOyFC8NaOxhGD3J1Ne5u3A/r4w6mN1HVI0rFwIcoms+t0B4lb2ODWKZiZikQdn8/eqwsmbSEZZsWN3FkshgjPS83+dNqVwB6pPY5Yqte7 ejk@bhima.local
diff --git a/docker/csit/csit-shim/files/sshconfig b/docker/csit/csit-shim/files/sshconfig
new file mode 100644
index 000000000..85ad6f74a
--- /dev/null
+++ b/docker/csit/csit-shim/files/sshconfig
@@ -0,0 +1,3 @@
+Host 172.17.0.*
+ StrictHostKeyChecking no
+ UserKnownHostsFile=/dev/null
diff --git a/docker/csit/csit-shim/files/wrapdocker b/docker/csit/csit-shim/files/wrapdocker
new file mode 100644
index 000000000..2ca579fdf
--- /dev/null
+++ b/docker/csit/csit-shim/files/wrapdocker
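Review bot: In docker/csit/csit-shim/files/sshconfig, `StrictHostKeyChecking no` with `UserKnownHostsFile=/dev/null` switches off host-key verification for every address in `172.17.0.*`, and the file gives no reason for it. If this is meant only for short-lived sidecar containers on the default Docker bridge, the file should say so, for example `# Host-key checking is off only for sidecar containers on the default bridge, whose host keys change on every launch.` With checking disabled the shim cannot tell one peer on that range from another, so whatever it sends over these sessions, including the password or key it logs in with, should be treated as visible to any container on the bridge.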
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver
+dmsetup mknodes
+
+# First, make sure that cgroups are mounted correctly.
+CGROUP=/sys/fs/cgroup
+: {LOG:=stdio}
+
+[ -d $CGROUP ] ||
+ mkdir $CGROUP
+
+mountpoint -q $CGROUP ||
+ mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
+ echo "Could not make a tmpfs mount. Did you use --privileged?"
+ exit 1
+ }
+
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
+then
+ mount -t securityfs none /sys/kernel/security || {
+ echo "Could not mount /sys/kernel/security."
+ echo "AppArmor detection and --privileged mode might break."
+ }
+fi
+
+# Mount the cgroup hierarchies exactly as they are in the parent system.
+for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
+do
+ [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
+ mountpoint -q $CGROUP/$SUBSYS ||
+ mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS
+
+ # The two following sections address a bug which manifests itself
+ # by a cryptic "lxc-start: no ns_cgroup option specified" when
+ # trying to start containers withina container.
+ # The bug seems to appear when the cgroup hierarchies are not
+ # mounted on the exact same directories in the host, and in the
+ # container.
+
+ # Named, control-less cgroups are mounted with "-o name=foo"
+ # (and appear as such under /proc/<pid>/cgroup) but are usually
+ # mounted on a directory named "foo" (without the "name=" prefix).
+ # Systemd and OpenRC (and possibly others) both create such a
+ # cgroup. To avoid the aforementioned bug, we symlink "foo" to
+ # "name=foo". This shouldn't have any adverse effect.
+ echo $SUBSYS | grep -q ^name= && {
+ NAME=$(echo $SUBSYS | sed s/^name=//)
+ ln -s $SUBSYS $CGROUP/$NAME
+ }
+
+ # Likewise, on at least one system, it has been reported that
+ # systemd would mount the CPU and CPU accounting controllers
+ # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
+ # but on a directory called "cpu,cpuacct" (note the inversion
+ # in the order of the groups). This tries to work around it.
+ [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
+done
+
+# Note: as I write those lines, the LXC userland tools cannot setup
+# a "sub-container" properly if the "devices" cgroup is not in its
+# own hierarchy. Let's detect this and issue a warning.
+grep -q :devices: /proc/1/cgroup ||
+ echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
+grep -qw devices /proc/1/cgroup ||
+ echo "WARNING: it looks like the 'devices' cgroup is not mounted."
+
+# Now, close extraneous file descriptors.
+pushd /proc/self/fd >/dev/null
+for FD in *
+do
+ case "$FD" in
+ # Keep stdin/stdout/stderr
+ [012])
+ ;;
+ # Nuke everything else
+ *)
+ eval exec "$FD>&-"
+ ;;
+ esac
+done
+popd >/dev/null
+
+
+# If a pidfile is still around (for example after a container restart),
+# delete it so that docker can start.
+rm -rf /var/run/docker.pid
+
+# If we were given a PORT environment variable, start as a simple daemon;
+# otherwise, spawn a shell as well
+if [ "$PORT" ]
+then
+ exec dockerd -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \
+ $DOCKER_DAEMON_ARGS
+else
+ if [ "$LOG" == "file" ]
+ then
+ dockerd $DOCKER_DAEMON_ARGS &>/var/log/docker.log &
+ else
+ dockerd $DOCKER_DAEMON_ARGS &
+ fi
+ (( timeout = 60 + SECONDS ))
+ until docker info >/dev/null 2>&1
+ do
+ if (( SECONDS >= timeout )); then
+ echo 'Timed out trying to connect to internal docker host.' >&2
+ break
+ fi
+ sleep 1
+ done
+ [[ $1 ]] && exec "$@"
+ exec bash --login
+fi
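Review bot: In docker/csit/csit-shim/files/wrapdocker, when `PORT` is set, `exec dockerd -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock` serves the Docker API over plain TCP on every interface with no TLS and no client authentication, and that API is root-equivalent in a container the script itself expects to be started with `--privileged`. Bind the TCP listener to loopback with `-H 127.0.0.1:$PORT`, or require mutual TLS through `--tlsverify` with `--tlscacert`, `--tlscert` and `--tlskey`. Near the top, `: {LOG:=stdio}` is missing its `$`, so `LOG` never receives the default; it should be `: ${LOG:=stdio}`. The expansions of `$CGROUP` and `$SUBSYS` are unquoted throughout and should be quoted, while `$DOCKER_DAEMON_ARGS` deserves a comment stating that it is left unquoted so that it splits into separate arguments.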
diff --git a/docker/csit/csit-sut/Dockerfile b/docker/csit/csit-sut/Dockerfile
new file mode 100644
index 000000000..ba212dc96
--- /dev/null
+++ b/docker/csit/csit-sut/Dockerfile
@@ -0,0 +1,173 @@
+# Copyright (c) 2019 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:18.04
+MAINTAINER csit-dev <csit-dev@lists.fd.io>
+LABEL Description="CSIT vpp-device ubuntu 18.04 SUT image"
+LABEL Version="0.7"
+
+# Setup the environment
+ENV DEBIAN_FRONTEND=noninteractive
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+ENV NOTVISIBLE "in users profile"
+ENV VPP_PYTHON_PREFIX=/var/cache/vpp/python
+
+# Install packages and Docker
+RUN apt-get -q update \
+ && apt-get install -y -qq \
+ # general tools
+ apt-transport-https \
+ bridge-utils \
+ cloud-init \
+ curl \
+ gdb \
+ locales \
+ net-tools \
+ openssh-server \
+ pciutils \
+ rsyslog \
+ software-properties-common \
+ ssh \
+ sudo \
+ supervisor \
+ tar \
+ vim \
+ wget \
+ # csit requirements
+ cmake \
+ dkms \
+ gfortran \
+ libblas-dev \
+ libffi-dev \
+ liblapack-dev \
+ libpcap-dev \
+ libssl-dev \
+ python-all \
+ python-apt \
+ python-cffi \
+ python-cffi-backend \
+ python-dev \
+ python-enum34 \
+ python-pip \
+ python-setuptools \
+ python-virtualenv \
+ python3-all \
+ python3-apt \
+ python3-cffi \
+ python3-cffi-backend \
+ python3-dev \
+ python3-pip \
+ python3-setuptools \
+ python3-virtualenv \
+ qemu-system \
+ socat \
+ strongswan \
+ unzip \
+ tcpdump \
+ zlib1g-dev \
+ # vpp requirements
+ ca-certificates \
+ libapr1 \
+ libmbedcrypto1 \
+ libmbedtls10 \
+ libmbedx509-0 \
+ libnuma1 \
+ sshpass \
+ && curl -L https://packagecloud.io/fdio/master/gpgkey | sudo apt-key add - \
+ && curl -s https://packagecloud.io/install/repositories/fdio/master/script.deb.sh | sudo bash \
+ # temp hack due to build.sh
+ && apt-get install -y -qq vpp-ext-deps \
+ && curl -fsSL https://get.docker.com | sh \
+ && rm -rf /var/lib/apt/lists/*
+
+# Configure locales
+RUN locale-gen en_US.UTF-8 \
+ && dpkg-reconfigure locales
+
+# Fix permissions
+RUN chown root:syslog /var/log \
+ && chmod 755 /etc/default
+
+# Create directory structure
+RUN mkdir -p /tmp/dumps \
+ && mkdir -p /var/cache/vpp/python \
+ && mkdir -p /var/run/sshd
+
+# CSIT PIP pre-cache
+RUN pip3 install \
+ ecdsa==0.13.3 \
+ paramiko==2.6.0 \
+ pycrypto==2.6.1 \
+ pypcap==1.2.3 \
+ PyYAML==5.1.1 \
+ requests==2.22.0 \
+ robotframework==3.1.2 \
+ scapy==2.4.3 \
+ scp==0.13.2 \
+ ansible==2.7.8 \
+ dill==0.2.8.2 \
+ numpy==1.17.3 \
+ hdrhistogram==0.6.1 \
+ pandas==0.25.3 \
+ plotly==4.1.1 \
+ PTable==0.9.2 \
+ Sphinx==2.2.1 \
+ sphinx-rtd-theme==0.4.0 \
+ sphinxcontrib-programoutput==0.15 \
+ sphinxcontrib-robotdoc==0.11.0 \
+ alabaster==0.7.12 \
+ Babel==2.7.0 \
+ bcrypt==3.1.7 \
+ certifi==2019.9.11 \
+ cffi==1.13.2 \
+ chardet==3.0.4 \
+ cryptography==2.8 \
+ docutils==0.15.2 \
+ future==0.18.2 \
+ idna==2.8 \
+ imagesize==1.1.0 \
+ Jinja2==2.10.3 \
+ MarkupSafe==1.1.1 \
+ packaging==19.2 \
+ pbr==5.4.3 \
+ pycparser==2.19 \
+ Pygments==2.4.2 \
+ PyNaCl==1.3.0 \
+ pyparsing==2.4.4 \
+ python-dateutil==2.8.1 \
+ pytz==2019.3 \
+ retrying==1.3.3 \
+ six==1.13.0 \
+ snowballstemmer==2.0.0 \
+ sphinxcontrib-applehelp==1.0.1 \
+ sphinxcontrib-devhelp==1.0.1 \
+ sphinxcontrib-htmlhelp==1.0.2 \
+ sphinxcontrib-jsmath==1.0.1 \
+ sphinxcontrib-qthelp==1.0.2 \
+ sphinxcontrib-serializinghtml==1.1.3 \
+ urllib3==1.25.6
+
+# ARM workaround
+RUN pip3 install scipy==1.1.0
+
+# SSH settings
+RUN echo 'root:Csit1234' | chpasswd \
+ && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \
+ && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd \
+ && echo "export VISIBLE=now" >> /etc/profile
+
+EXPOSE 2222
+
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+
+CMD ["sh", "-c", "rm -f /dev/shm/db /dev/shm/global_vm /dev/shm/vpe-api; /usr/bin/supervisord -c /etc/supervisor/supervisord.conf; /usr/sbin/sshd -D -p 2222"]
diff --git a/docker/csit/csit-sut/supervisord.conf b/docker/csit/csit-sut/supervisord.conf
new file mode 100644
index 000000000..4a6fe9656
--- /dev/null
+++ b/docker/csit/csit-sut/supervisord.conf
@@ -0,0 +1,24 @@
+[unix_http_server]
+file = /tmp/supervisor.sock
+chmod = 0777
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl = unix:///tmp/supervisor.sock
+
+[supervisord]
+pidfile = /tmp/supervisord.pid
+identifier = supervisor
+directory = /tmp
+logfile = /tmp/supervisord.log
+loglevel = debug
+nodaemon = false
+
+[program:vpp]
+command = /usr/bin/vpp -c /etc/vpp/startup.conf
+autostart = false
+autorestart = true
+redirect_stderr = true
+priority = 1 |
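Review bot: In docker/csit/csit-sut/Dockerfile the package-install `RUN` pipes three remote downloads straight into `apt-key` or a root shell with no integrity check: `curl -L https://packagecloud.io/fdio/master/gpgkey | sudo apt-key add -`, `curl -s …/script.deb.sh | sudo bash` and `curl -fsSL https://get.docker.com | sh` (the last one is also in docker/csit/csit-shim/Dockerfile). The first two lack `-f`, so an HTTP error page is handed to `apt-key` or `bash`, and without `pipefail` a failed `curl` does not fail the build. Put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this `RUN`, use `curl -fsSL` for all three, and save each script to a file and check it with `sha256sum -c` against a digest kept in the repository before executing it. `sudo` is redundant here because no `USER` is set and the build runs as root. The final `CMD` joins `supervisord` and `sshd -D` with `;` inside `sh -c`, so a failed `supervisord` start goes unnoticed; a comment there should say that the chain relies on `nodaemon = false` for `supervisord` to return.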
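Review bot: In docker/csit/csit-sut/supervisord.conf, `chmod = 0777` on `/tmp/supervisor.sock` lets any local user or process in the container drive supervisord's RPC interface, and `[unix_http_server]` sets no `username` or `password`; supervisord is started from the image's `CMD`, presumably as root since the Dockerfile sets no `USER`. Use `chmod = 0700` and move the socket out of world-writable `/tmp`, e.g. `file = /var/run/supervisor.sock` with the matching `serverurl = unix:///var/run/supervisor.sock`. `loglevel = debug` should either carry a comment saying why it is needed or be lowered to `info`.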