Add saline server container #9451
base: master
optional
RUN mkdir /etc/saline.defaults && cp -r /etc/salt/saline* /etc/saline.defaults/ | ||
RUN chown -R salt:salt /etc/saline.defaults |
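Review bot: The second RUN, chown -R salt:salt /etc/saline.defaults, rewrites every file the first RUN just copied into an additional layer. Fold it into the preceding instruction (... && chown -R salt:salt /etc/saline.defaults) so the defaults are stored once with their final owner.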
Have you tried something like:
COPY --chown=salt:salt "/etc/salt/saline*" "/etc/saline.defaults"
# endlabelprefix | ||
|
||
# Saline | ||
EXPOSE 8216/tcp |
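Review bot: EXPOSE 8216/tcp under the "# Saline" comment only records metadata and does not publish the port, so other containers on the same network can reach the service without it. If the line stays, the comment should say what listens on 8216 and whether the port is meant to be published on the host.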
As far as I understand this container is in the same network, is it possible to contact server without exposing? For example by using the name.
sed -i '/pam_systemd.so/d' /etc/pam.d/* | ||
|
||
rpm -e --nodeps \ | ||
systemd systemd-presets-branding-openSUSE systemd-default-settings-branding-openSUSE systemd-default-settings systemd-presets-common-SUSE \ | ||
curl container-suseconnect kubic-locale-archive file-magic libmagic1 dmidecode netcfg update-alternatives \ | ||
zypper libzypp boost-license1_66_0 libboost_thread1_66_0 libsolv-tools libsolv-tools-base \ | ||
info xz gzip perl-base ncurses-utils libsqlite3-0 \ | ||
libsodium23 iproute2 p11-kit-tools libp11-kit0 cracklib-dict-small \ | ||
libxtables12 libcap-ng0 libcap2 libapparmor1 procps libprocps8 libusb-1_0-0 \ | ||
python3-Babel python3-zypp-plugin python3-rpm python3-pyasn1 python3-asn1crypto python3-urllib3 python3-idna \ | ||
python3-pyparsing python3-pycparser python3-setuptools python3-cryptography python3-M2Crypto python3-psutil \ | ||
python3-cffi python3-chardet python3-pyOpenSSL python3-py python3-requests python3-ply python3-pytz python3-jmespath \ | ||
python3-appdirs python3-apipkg \ | ||
rpm-config-SUSE rpm-ndb | ||
|
||
rm -rf /var/lib/zypp /var/log/zypp /var/cache/zypp /var/log/* /var/lib/rpm/* |
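Review bot: The final rm -rf includes /var/lib/rpm/*, so the image ships without an RPM database and any scanner that reads it can no longer list what is still installed or match it against advisories. Consider keeping /var/lib/rpm and removing only the zypp caches and logs. The rpm -e --nodeps list also hard-codes soname-versioned names (boost-license1_66_0, libboost_thread1_66_0, libprocps8, libsodium23) that will stop matching when the base image moves on, and it removes python3-cryptography, python3-pyOpenSSL and python3-M2Crypto with no dependency check; a comment stating why Saline does not need them at runtime would help.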
Instead of all that, can you do multistage build with only the packages required?
Nope, because there is a list of hard dependencies for python3-salt which make sense for either master or minion, but don't make any sense for Saline as it's not using such calls internally. As a result, installing python3-salt installs all the dependencies, but maybe there is a way to install the packages while forcing it to ignore the dependencies completely.
This thread might be helpful: https://forums.opensuse.org/t/how-to-install-software-without-dependencies-in-zypper/20716/7
cp -r /etc/saline.defaults/saline* /etc/salt/ | ||
|
||
mkdir -p /run/salt/master | ||
chown -R salt:salt /run/salt | ||
|
||
mkdir -p /etc/salt/pki/saline | ||
|
||
if [[ "$NOSSL" == "YES" ]]; then | ||
cat > /etc/salt/saline.d/restapi.conf <<EOL | ||
restapi: | ||
host: 0.0.0.0 | ||
disable_ssl: true | ||
EOL | ||
else | ||
cp /etc/pki/tls/certs/spacewalk.crt /etc/salt/pki/saline/saline.crt | ||
cp /etc/pki/tls/private/spacewalk.key /etc/salt/pki/saline/saline.key | ||
chown -R salt:salt /etc/salt/pki/saline | ||
chmod 0750 /etc/salt/pki/saline | ||
cat > /etc/salt/saline.d/restapi.conf <<EOL |
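Review bot: In the else branch the private key is copied with plain cp and only the directory gets chmod 0750, so saline.key keeps whatever mode the source file and umask produce. Set it explicitly, for example install -o salt -g salt -m 0600 /etc/pki/tls/private/spacewalk.key /etc/salt/pki/saline/saline.key. The NOSSL branch writes host: 0.0.0.0 together with disable_ssl: true, which serves the restapi in plaintext on all interfaces; a comment next to it should state when NOSSL=YES is acceptable.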
It's a lot of cp, chown, chmod. Can you do it in the container at once and here only generate file based on NOSSL value?
These files are from the shared volume and runtime ones, no any changes to do it during the build time of the container.
Ok, but in case of this file specifically, it would be less code to (if possible):
- mkdir --parents /run/salt/master /etc/salt/pki/saline
- It's unlikely that privileges on certs are set wrongly during generation, can we remove chmod 0750 /etc/salt/pki/saline?
- one chown in the end
chmod 0750 here is not recursive and sets the permission to the directory only while the chown call is recursive to set salt owner on the certificate and key file, I can rearrange the orders of the calls, but without 0750 on the directory the permission is wrong there.
Ok, I was thinking directory permission is not important, but maybe it's true as you can? delete folder with certs having permissions correctly set
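The thread above turns on why the directory mode matters in addition to the recursive chown. As an added example (not part of this PR or of the project's code), a check that could run after the entrypoint's copy step; audit_pki_dir is a hypothetical helper, it assumes GNU stat, and it takes the expected numeric UID (for instance the output of id -u salt).

```sh
#!/bin/sh
# Added example, not part of the PR. audit_pki_dir is a hypothetical helper.
# Assumes GNU stat (coreutils). Usage: audit_pki_dir DIR EXPECTED_UID
# Prints one finding per line; status 0 = clean, 1 = findings, 2 = stat error.
audit_pki_dir() (
    dir=$1
    want_uid=$2
    rc=0
    mode=$(stat -c '%a' "$dir") || exit 2
    uid=$(stat -c '%u' "$dir") || exit 2
    if [ "$uid" != "$want_uid" ]; then
        echo "DIR $dir owned by uid $uid, expected $want_uid"; rc=1
    fi
    # Write access on the directory allows unlinking or replacing the key,
    # whatever mode the key file itself has.
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "DIR $dir writable by group or others (mode $mode)"; rc=1
    fi
    if [ $(( 0$mode & 0007 )) -ne 0 ]; then
        echo "DIR $dir accessible to others (mode $mode)"; rc=1
    fi
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f") || exit 2
        uid=$(stat -c '%u' "$f") || exit 2
        if [ "$uid" != "$want_uid" ]; then
            echo "KEY $f owned by uid $uid, expected $want_uid"; rc=1
        fi
        # chown -R fixes the owner but leaves the mode that cp produced.
        if [ $(( 0$mode & 0077 )) -ne 0 ]; then
            echo "KEY $f readable beyond its owner (mode $mode)"; rc=1
        fi
    done
    exit "$rc"
)
```

A non-zero status can be used to stop the entrypoint before the service starts with a key that other users can read or replace.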
@vzhestkov did you try to build the container pushing it to OBS?
What does this PR change?
Adds server container with Saline inside.
GUI diff
No difference.