no package should be installed inside a container

Bug #1812923 reported by Michele Baldessari on 2019-01-22
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Michele Baldessari

Bug Description

While deploying on a rhel8 os beta + pure f28 containers we noticed that during docker-puppet or during docker-puppet-apply.sh dnf is invoked to install packages (in this case it was specifically MySQL-python).

It makes zero sense to install packages inside a container because if you don't commit the container the content will be lost at restart anyway and so the installed package will be missing anyway.

root 60586 0.0 0.0 13948 2936 ? Ss 15:29 0:00 \_ /bin/bash /var/lib/docker-puppet/docker-puppet.sh
root 60623 6.8 0.7 366532 118236 ? Sl 15:29 0:04 \_ /usr/bin/ruby-mri /usr/bin/puppet apply --summarize --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,cinder_config,cinder_type,file,concat,file_line /etc/config.pp
root 60879 24.1 0.8 613968 137800 ? Ss 15:29 0:11 \_ /usr/bin/python3 /usr/bin/dnf -d 0 -e 1 -y install MySQL-python

The packages *must* be preinstalled in the container images all the time, assuming we can invoke yum/dnf inside the container makes little sense.

Michele Baldessari (michele) wrote :

The reason for this is that this hiera key is set unequivocally:
[root@win1 hieradata]# hiera -c /etc/puppet/hiera.yaml tripleo::packages::enable_install
true

This is set in /usr/share/openstack-tripleo-heat-templates/environments/standalone/standalone-tripleo.yaml

Fix proposed to branch: master
Review: https://review.openstack.org/632564

Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)
status: Triaged → In Progress
Alex Schultz (alex-schultz) wrote :

How is the package provider being run if we don't include it in the tags?

Michele Baldessari (michele) wrote :

I am not sure 100% tbh, but for sure we seem to install MySQL-python all over the place in docker-puppet.py runs.

Michele Baldessari (michele) wrote :

So just to be 100% sure I did another test (without the fix in tht for docker-puppet-apply) and I see in the cinder init task container:
Notice: Compiled catalog for win1.example.com in environment production in 1.75 seconds
Notice: /Stage[main]/Apache::Mod::Mime/File[mime.conf]/ensure: defined content as '{md5}9da85e58f3bd6c780ce76db603b7f028'
Notice: /Stage[main]/Apache::Mod::Mime_magic/File[mime_magic.conf]/ensure: defined content as '{md5}b258529b332429e2ff8344f726a95457'
Notice: /Stage[main]/Apache::Mod::Alias/File[alias.conf]/ensure: defined content as '{md5}577036df2ea320d90752bf96b5d768dd'
Notice: /Stage[main]/Apache::Mod::Autoindex/File[autoindex.conf]/content: content changed '{md5}1d7d7dd9f1b4beef5a21688ededda355' to '{md5}2421a3c6df32c7e38c2a7a22afdf5728'
Notice: /Stage[main]/Apache::Mod::Deflate/File[deflate.conf]/ensure: defined content as '{md5}a045d750d819b1e9dae3fbfb3f20edd5'
Notice: /Stage[main]/Apache::Mod::Dir/File[dir.conf]/ensure: defined content as '{md5}c741d8ea840e6eb999d739eed47c69d7'
Notice: /Stage[main]/Apache::Mod::Negotiation/File[negotiation.conf]/ensure: defined content as '{md5}47284b5580b986a6ba32580b6ffb9fd7'
Notice: /Stage[main]/Apache::Mod::Setenvif/File[setenvif.conf]/ensure: defined content as '{md5}c7ede4173da1915b7ec088201f030c28'
Notice: /Stage[main]/Apache::Mod::Prefork/File[/etc/httpd/conf.d/prefork.conf]/ensure: defined content as '{md5}f58b0483b70b4e73b5f67ff37b8f24a0'
Notice: /Stage[main]/Apache::Mod::Status/File[status.conf]/ensure: defined content as '{md5}fa95c477a2085c1f7f17ee5f8eccfb90'
Notice: /Stage[main]/Mysql::Bindings::Python/Package[python-mysqldb]/ensure: created
Notice: /Stage[main]/Apache/Concat[/etc/httpd/conf/ports.conf]/File[/etc/httpd/conf/ports.conf]/ensure: defined content as '{md5}d790c307b518148556667cc445b829f1'
Notice: /Stage[main]/Apache/File[/etc/httpd/conf/httpd.conf]/content: content changed '{md5}c6d1bc1fdbcb93bbd2596e4703f4108c' to '{md5}044612deaf501650d492dd48984f81b5'
Notice: /Stage[main]/Apache::Default_mods/Apache::Mod[log_config]/File[log_config.load]/ensure: defined content as '{md5}785d35cb285e190d589163b45263ca89'
Notice: /Stage[main]/Apache::Default_mods/Apache::Mod[systemd]/File[systemd.load]/ensure: defined content as '{md5}26e5d44aae258b3e9d821cbbbd3e2826'
Notice: /Stage[main]/Apache::Default_mods/Apache::Mod[unixd]/File[unixd.load]/ensure: defined content as '{md5}0e8468ecc1265f8947b8725f4d1be9c0'

No idea why tags aren't working, I suspect we're hitting some puppet bug or this is due to some prefetching which seems to not abide by tags (https://tickets.puppetlabs.com/browse/PUP-7103)
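
A check for the symptom described in the comment above, as an added example that is not part of the bug report or of the TripleO code: it compares the `--tags` list of the `puppet apply` command line with the resources the log reports as changed, and lists those that fall outside it. The tag model used here (resource type, title, class names and their `::` segments) is a simplified assumption about Puppet's automatic tagging, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample, abridged from the listing and log in the report; md5 values replaced.
PUPPET_CMD = ("/usr/bin/puppet apply --summarize --detailed-exitcodes "
              "--tags file,file_line,concat,augeas,cron,cinder_config,cinder_type "
              "/etc/config.pp")
PUPPET_LOG = """\
Notice: Compiled catalog for win1.example.com in environment production in 1.75 seconds
Notice: /Stage[main]/Apache::Mod::Mime/File[mime.conf]/ensure: defined content as '{md5}PLACEHOLDER'
Notice: /Stage[main]/Mysql::Bindings::Python/Package[python-mysqldb]/ensure: created
Notice: /Stage[main]/Apache/Concat[/etc/httpd/conf/ports.conf]/File[/etc/httpd/conf/ports.conf]/ensure: defined content as '{md5}PLACEHOLDER'
"""

REF = re.compile(r"([A-Z][\w:]*)\[([^\]]*)\]")           # Type[title]
NOTICE = re.compile(r"^Notice: (/\S+?)/(\w+): (.*)$")     # path/property: message

def requested_tags(cmdline):
    """Return the set given to --tags (either '--tags a,b' or '--tags=a,b')."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "--tags" and i + 1 < len(argv):
            return set(argv[i + 1].lower().split(","))
        if arg.startswith("--tags="):
            return set(arg[len("--tags="):].lower().split(","))
    return set()

def auto_tags(path):
    """Simplified model (assumption) of Puppet auto-tagging for a resource path."""
    tags = set()
    for rtype, title in REF.findall(path):
        tags.update({title.lower(), rtype.lower(), *rtype.lower().split("::")})
    for seg in REF.sub("", path).split("/"):      # what remains are class names
        if seg:
            tags.update({seg.lower(), *seg.lower().split("::")})
    return tags

def untagged_changes(cmdline, log):
    """List (resource, message) for changes whose tags miss every --tags entry."""
    wanted = requested_tags(cmdline)
    hits = []
    for line in log.splitlines():
        m = NOTICE.match(line)
        if wanted and m and not (auto_tags(m.group(1)) & wanted):
            rtype, title = REF.findall(m.group(1))[-1]
            hits.append((f"{rtype}[{title}]", m.group(3)))
    return hits

print(untagged_changes(PUPPET_CMD, PUPPET_LOG))
```

Run over the output of a container configuration step, a non-empty result means something was changed in the running container that the tag filter was expected to exclude, such as the package install in this report.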

Reviewed: https://review.openstack.org/632564
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=49492570387880c6a3abbdf2a013706eff7fe034
Submitter: Zuul
Branch: master

commit 49492570387880c6a3abbdf2a013706eff7fe034
Author: Michele Baldessari <email address hidden>
Date: Tue Jan 22 22:53:42 2019 +0100

    noop package installations inside containers

    While deploying on a rhel8 os beta + pure f28 containers we noticed that
    during docker-puppet or during docker-puppet-apply.sh dnf is invoked to
    install packages (in this case it was specifically MySQL-python).

    It makes zero sense to install packages inside a container because if
    you don't commit the container the content will be lost at restart
    anyway and so the installed package will be missing anyway.

    root 60586 0.0 0.0 13948 2936 ? Ss 15:29 0:00 \_ /bin/bash /var/lib/docker-puppet/docker-puppet.sh
    root 60623 6.8 0.7 366532 118236 ? Sl 15:29 0:04 \_ /usr/bin/ruby-mri /usr/bin/puppet apply --summarize --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,cinder_config,cinder_type,file,concat,file_line /etc/config.pp
    root 60879 24.1 0.8 613968 137800 ? Ss 15:29 0:11 \_ /usr/bin/python3 /usr/bin/dnf -d 0 -e 1 -y install MySQL-python

    The packages *must* be preinstalled in the container images all the
    time, assuming we can invoke yum/dnf inside the container makes little
    sense.
    The reason for this is that this hiera key should not have any effect
    inside a container:
    [root@win1 hieradata]# hiera -c /etc/puppet/hiera.yaml tripleo::packages::enable_install
    true

    Tested this change by redeploying a standalone env (which forces package
    installation to true) and observed no dnf calls like the ones described
    above.

    Change-Id: I2bd247af2b54f3a834cdc8a2f253600527c7acd8
    Closes-Bug: #1812923

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/632574
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f279e6ce6b215f9ed39fd12b17f23ebcf5664dd9
Submitter: Zuul
Branch: master

commit f279e6ce6b215f9ed39fd12b17f23ebcf5664dd9
Author: Michele Baldessari <email address hidden>
Date: Tue Jan 22 23:17:24 2019 +0100

    noop package installation inside docker_puppet_apply.sh

    Just as we noop package installation in docker-puppet.py when run
    inside containers (via I2bd247af2b54f3a834cdc8a2f253600527c7acd8)
    we should always noop them inside the docker_puppet_apply.sh helper
    script as it is always run inside containers anyway.

    Co-Authored-By: Damien Ciabrini <email address hidden>

    Change-Id: I572e31e933f7fd5b1bb695f28f78d57dceb28994
    Related-Bug: #1812923

This issue was fixed in the openstack/puppet-tripleo 10.3.0 release.
