From 938d89a6d00a6bd4e2dd9ca870d0f1e62f144f93 Mon Sep 17 00:00:00 2001 From: pmikus Date: Fri, 4 Dec 2020 08:44:21 +0000 Subject: Terraform: csit-shim refactor - remove snergster image dependency Signed-off-by: pmikus Change-Id: I76fef60371e35dddc6da56db5f9207e003d1c792 --- .../ansible/roles/csit_shim_image/files/Dockerfile | 61 +++++++++++ .../roles/csit_shim_image/files/files/badkeypub | 1 + .../roles/csit_shim_image/files/files/sshconfig | 3 + .../roles/csit_shim_image/files/files/wrapdocker | 113 +++++++++++++++++++++ .../ansible/roles/csit_shim_image/tasks/main.yaml | 32 ++++++ .../tools/testbed-setup/ansible/vpp_device.yaml | 2 + 6 files changed, 212 insertions(+) create mode 100644 resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile create mode 100644 resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub create mode 100644 resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig create mode 100644 resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker create mode 100644 resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml (limited to 'resources/tools/testbed-setup/ansible') diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile new file mode 100644 index 0000000000..2b2e1eae55 --- /dev/null +++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile @@ -0,0 +1,61 @@ +# Copyright (c) 2020 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM ubuntu:18.04 +LABEL Description="CSIT vpp-device ubuntu 18.04 shim image" +LABEL Version="master" + +# Setup the environment +ENV DEBIAN_FRONTEND=noninteractive +ENV NOTVISIBLE "in users profile" +RUN echo "export VISIBLE=now" >> /etc/profile + +ADD files/wrapdocker /usr/local/bin/wrapdocker +RUN chmod +x /usr/local/bin/wrapdocker + +# Install packages and Docker +RUN apt-get -q update \ + && apt-get install -y -qq \ + bash \ + curl \ + iproute2 \ + locales \ + ssh \ + sudo \ + tzdata \ + uuid-runtime \ + && curl -fsSL https://get.docker.com | sh \ + && rm -rf /var/lib/apt/lists/* + +# Configure locales +RUN locale-gen en_US + +RUN mkdir /var/run/sshd +RUN echo 'root:Csit1234' | chpasswd +RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config + +# SSH login fix. Otherwise user is kicked off after login +RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd + +# Need volume for sidecar docker launches +VOLUME /var/lib/docker + +# SSH to listen on port 6022 in shim +RUN echo 'Port 6022' >>/etc/ssh/sshd_config +RUN echo 'Port 6023' >>/etc/ssh/sshd_config +ADD files/badkeypub /root/.ssh/authorized_keys +ADD files/sshconfig /root/.ssh/config + +# Start sshd by default +EXPOSE 22 +CMD ["/usr/sbin/sshd", "-D"] \ No newline at end of file diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub new file mode 100644 index 0000000000..4530b66b05 --- /dev/null +++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyUNd/iRk5Ajw4ZBB0gXyjzecEzQHh/MctgvHGJjasqJDkwYyZBrunUorOZ3n82W8VGdd5+eNINCWOM/ERjuaHjnutfade+ocPgZRdk+kEgTvetDVNWIgBd0PMVcnp57jJfx7CZVqTNgGeVQ8OJ2RbJGeOb/EKApQI74IPkAfc0PSieSw5gC0eqEOHb39Awgp0ycrzsUHF/OEicfCmo+6vvrMGenDe7frKUoTKYMWs7l3DOyFC8NaOxhGD3J1Ne5u3A/r4w6mN1HVI0rFwIcoms+t0B4lb2ODWKZiZikQdn8/eqwsmbSEZZsWN3FkshgjPS83+dNqVwB6pPY5Yqte7 ejk@bhima.local \ No newline at end of file diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig new file mode 100644 index 0000000000..e7bd90757e --- /dev/null +++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig @@ -0,0 +1,3 @@ +Host 172.17.0.* + StrictHostKeyChecking no + UserKnownHostsFile=/dev/null \ No newline at end of file diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker new file mode 100644 index 0000000000..d13f8b7c5e --- /dev/null +++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker @@ -0,0 +1,113 @@ +#!/bin/bash + +# Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver +dmsetup mknodes + +# First, make sure that cgroups are mounted correctly. +CGROUP=/sys/fs/cgroup +: {LOG:=stdio} + +[ -d $CGROUP ] || + mkdir $CGROUP + +mountpoint -q $CGROUP || + mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || { + echo "Could not make a tmpfs mount. Did you use --privileged?" + exit 1 + } + +if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security +then + mount -t securityfs none /sys/kernel/security || { + echo "Could not mount /sys/kernel/security." + echo "AppArmor detection and --privileged mode might break." + } +fi + +# Mount the cgroup hierarchies exactly as they are in the parent system. +for SUBSYS in $(cut -d: -f2 /proc/1/cgroup) +do + [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS + mountpoint -q $CGROUP/$SUBSYS || + mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS + + # The two following sections address a bug which manifests itself + # by a cryptic "lxc-start: no ns_cgroup option specified" when + # trying to start containers withina container. + # The bug seems to appear when the cgroup hierarchies are not + # mounted on the exact same directories in the host, and in the + # container. + + # Named, control-less cgroups are mounted with "-o name=foo" + # (and appear as such under /proc//cgroup) but are usually + # mounted on a directory named "foo" (without the "name=" prefix). + # Systemd and OpenRC (and possibly others) both create such a + # cgroup. To avoid the aforementioned bug, we symlink "foo" to + # "name=foo". This shouldn't have any adverse effect. + echo $SUBSYS | grep -q ^name= && { + NAME=$(echo $SUBSYS | sed s/^name=//) + ln -s $SUBSYS $CGROUP/$NAME + } + + # Likewise, on at least one system, it has been reported that + # systemd would mount the CPU and CPU accounting controllers + # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu" + # but on a directory called "cpu,cpuacct" (note the inversion + # in the order of the groups). This tries to work around it. + [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct +done + +# Note: as I write those lines, the LXC userland tools cannot setup +# a "sub-container" properly if the "devices" cgroup is not in its +# own hierarchy. Let's detect this and issue a warning. +grep -q :devices: /proc/1/cgroup || + echo "WARNING: the 'devices' cgroup should be in its own hierarchy." +grep -qw devices /proc/1/cgroup || + echo "WARNING: it looks like the 'devices' cgroup is not mounted." + +# Now, close extraneous file descriptors. +pushd /proc/self/fd >/dev/null +for FD in * +do + case "$FD" in + # Keep stdin/stdout/stderr + [012]) + ;; + # Nuke everything else + *) + eval exec "$FD>&-" + ;; + esac +done +popd >/dev/null + + +# If a pidfile is still around (for example after a container restart), +# delete it so that docker can start. +rm -rf /var/run/docker.pid + +# If we were given a PORT environment variable, start as a simple daemon; +# otherwise, spawn a shell as well +if [ "$PORT" ] +then + exec dockerd -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \ + $DOCKER_DAEMON_ARGS +else + if [ "$LOG" == "file" ] + then + dockerd $DOCKER_DAEMON_ARGS &>/var/log/docker.log & + else + dockerd $DOCKER_DAEMON_ARGS & + fi + (( timeout = 60 + SECONDS )) + until docker info >/dev/null 2>&1 + do + if (( SECONDS >= timeout )); then + echo 'Timed out trying to connect to internal docker host.' >&2 + break + fi + sleep 1 + done + [[ $1 ]] && exec "$@" + exec bash --login +fi \ No newline at end of file diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml new file mode 100644 index 0000000000..bdba4f6563 --- /dev/null +++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml @@ -0,0 +1,32 @@ +--- +# file: roles/csit_shim_image/tasks/main.yaml + +- name: Create a directory if it does not exist + file: + path: "{{ item }}" + state: "directory" + mode: 0755 + with_items: + - "/opt/csit-shim/" + - "/opt/csit-shim/files" + tags: csit-shim-image + +- name: Copy Build Items + copy: + src: "{{ item }}" + dest: "/opt/csit-shim/{{ item }}" + owner: "root" + group: "root" + mode: 0655 + with_items: + - "Dockerfile" + - "files/badkeypub" + - "files/sshconfig" + - "files/wrapdocker" + tags: csit-shim-image + +- name: Build CSIT shim Docker Image + shell: "docker build -t csit_shim-ubuntu1804:local ." + args: + chdir: "/opt/csit-shim" + tags: csit-shim-image \ No newline at end of file diff --git a/resources/tools/testbed-setup/ansible/vpp_device.yaml b/resources/tools/testbed-setup/ansible/vpp_device.yaml index 363d1b190a..ac42b8cafe 100644 --- a/resources/tools/testbed-setup/ansible/vpp_device.yaml +++ b/resources/tools/testbed-setup/ansible/vpp_device.yaml @@ -24,5 +24,7 @@ tags: kernel_vm - role: csit_sut_image tags: csit_sut_image + - role: csit_shim_image + tags: csit_shim_image - role: cleanup tags: cleanup -- cgit 1.2.3-korg