
HackWeek 20: Uyuni SUSE Manager containerization project

Silvio Moioli edited this page Mar 30, 2021 · 22 revisions

Logistics

Objectives

  1. have a lot of fun!
  2. learn about container building (buildah)
  3. learn about container orchestration (podman with Docker Compose support, k3s)
  4. learn about containerized application deployment (helm)
  5. learn about roadblocks in delivering Uyuni as containers

Conventions

  • all development happens on the Uyuni containers branch/PR
  • all new files are to be added in the containers/ directory, for now
  • we use Dockerfiles (built with docker build or buildah), locally for now
  • we explicitly do not care about traditional clients at least for now

Current plans

  1. create a "fat" container with everything needed for a Proxy
  • 🟢 start from https://github.com/SUSE/spacewalk/wiki/Proxy-container
  • 🟢 find out which directories need to be mounted externally
  • 🟢 find out how it is best to specify configuration parameters (environment variables? answer files?)
  • 🟢 pass the machine-id as parameter
  • 🟢 add a startup (Salt) script. Figure out registration to the Server, activation of Proxy functionality (configure-proxy.sh), certs
  • 🟢 add a Server-side Python script to prepare configuration to onboard a Proxy
  • 🟢 ensure the Proxy works (manual test)
  • 🟢 ensure the Proxy container can be killed and restarted. With the same mount points and parameters, it should come back to full functionality ("proto-HA")
  2. try to slim down the Proxy container
  • 🟢 remove traditional stack processes/packages, if possible
  • 🟢 split out a first component (e.g. salt-broker) into another container. In parallel:
    • 🟢 try orchestration with Podman
    • 🟢 try orchestration with k3s/Helm
  • ⚪ try to skip packaging for one of the packages (e.g. salt-broker): sources straight from git to image
  3. create a "fat" container with everything needed for a Server
  4. try to slim down the Server container
  • ⚪ carve PostgreSQL out. Try Postgres-in-containers or outside of them
  • ⚪ disable Cobbler. What needs to be done in order to make Cobbler "optional"?
  • ⚪ disable or remove the traditional stack
  5. other research

What did we learn?

  • Dockerfile syntax, best practices
  • K8s init containers
  • How to preseed a minion with an accepted key
  • For permanent storage use volumes. They are managed by docker/podman and automatically receive the content of the image directory they are mounted over. You need to update the owner of the mount point: permissions are taken from the original directory, but the ownership is not.
  • UIDs/GIDs are not static! To prevent them from differing between containers or changing after a rebuild, we need to force the numbering.
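The following script is an added example, not code from the Uyuni project or this wiki. It puts the three lessons above together: it preseeds a Salt minion key pair into a host directory that will be mounted into the Proxy container, registers the public half in the master's accepted-keys directory so no `salt-key -a` step is needed at first start, and then chowns the staged volume to the numeric UID/GID the image pins for its service user (the image is assumed to create that user with fixed ids, e.g. `useradd -u`). `PROXY_ROOT` and `MASTER_ROOT` are assumed host-side staging directories; the key files are expected to have been generated beforehand (for example with `salt-key --gen-keys=<id>`).

```shell
#!/bin/sh
# Added example, not Uyuni/SUSE project code. Preseeds a Salt minion key pair for a
# containerized Proxy so the container starts with a key the master already accepts,
# then fixes ownership of the staged volume for the fixed UID/GID the image is built
# with. PROXY_ROOT/MASTER_ROOT (host-side staging dirs) and the ids are assumptions.

# preseed_minion_key PROXY_ROOT MASTER_ROOT MINION_ID PRIVATE_PEM PUBLIC_PEM
#   PROXY_ROOT/etc/salt/pki/minion/{minion.pem,minion.pub} -> mounted at /etc/salt/pki/minion
#   PROXY_ROOT/etc/salt/minion_id                          -> mounted at /etc/salt/minion_id
#   MASTER_ROOT/etc/salt/pki/master/minions/MINION_ID      -> the master's accepted-keys dir
preseed_minion_key() {
  proxy_root=$1 master_root=$2 minion_id=$3 priv=$4 pub=$5
  minion_pki="$proxy_root/etc/salt/pki/minion"
  accepted="$master_root/etc/salt/pki/master/minions"
  mkdir -p "$minion_pki" "$accepted" || return 1
  # The accepted key's file name must equal the minion id, otherwise the master
  # still sees an unknown key and leaves it pending.
  printf '%s\n' "$minion_id" > "$proxy_root/etc/salt/minion_id"
  cp "$priv" "$minion_pki/minion.pem" || return 1
  cp "$pub"  "$minion_pki/minion.pub" || return 1
  cp "$pub"  "$accepted/$minion_id"   || return 1
  chmod 0700 "$minion_pki"
  chmod 0400 "$minion_pki/minion.pem"
  chmod 0644 "$minion_pki/minion.pub" "$accepted/$minion_id"
}

# fix_volume_owner DIR UID GID
# A volume inherits the modes of the image directory it replaces but not its
# ownership, so the staged tree is chowned to the numeric ids the image's
# service user was created with (the image must pin them, e.g. useradd -u).
fix_volume_owner() {
  chown -R "$2:$3" "$1"
}

# owner_uid FILE -> numeric uid of FILE (ls -ln column 3; avoids non-portable stat flags)
owner_uid() {
  ls -ln "$1" | awk '{ print $3 }'
}

# check_preseed PROXY_ROOT MASTER_ROOT MINION_ID UID -> 0 when the staged state is consistent
check_preseed() {
  proxy_root=$1 master_root=$2 minion_id=$3 uid=$4
  minion_pki="$proxy_root/etc/salt/pki/minion"
  accepted="$master_root/etc/salt/pki/master/minions/$minion_id"
  # the id the minion will announce must be the one the master has accepted
  [ "$(cat "$proxy_root/etc/salt/minion_id" 2>/dev/null)" = "$minion_id" ] || return 1
  [ -f "$accepted" ] && cmp -s "$minion_pki/minion.pub" "$accepted" || return 1
  # private key: exactly 0400 and owned by the container's uid
  [ -n "$(find "$minion_pki" -name minion.pem -perm 0400)" ] || return 1
  [ "$(owner_uid "$minion_pki/minion.pem")" = "$uid" ]
}
```

A typical call is `preseed_minion_key /srv/proxy-state /srv/master-state proxy.example.test proxy.pem proxy.pub` followed by `fix_volume_owner /srv/proxy-state 10500 10500` (uid/gid chosen for illustration); `check_preseed` with the same arguments and uid should then return 0 before the container is started.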

Important Proxy directories and files

  • configuration files changed by configure-proxy.sh:
/etc/apache2/conf.d/cobbler-proxy.conf
/etc/apache2/vhosts.d/ssl.conf

/etc/jabberd/c2s.xml
/etc/jabberd/router-users.xml
/etc/jabberd/router.xml
/etc/jabberd/s2s.xml
/etc/jabberd/sm.xml

/etc/squid/squid.conf

/etc/ssh/sshd_config

/etc/sysconfig/rhn/up2date
/etc/rhn/rhn.conf
  • configuration files related to the mgrsshtunnel user:
/etc/group
/etc/passwd
/etc/shadow
/var/spacewalk/mgrsshtunnel/
  • Key material
/etc/salt/pki/minion/minion.pem
/etc/salt/pki/minion/minion.pub

/etc/ssh/ssh_host_*_key.*

/etc/apache2/ssl.crt/server.crt
/etc/apache2/ssl.csr/server.csr
/etc/apache2/ssl.key/server.key
/etc/pki/spacewalk/jabberd/server.pem
/etc/jabberd/server.pem

/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

/var/lib/ca-certificates/*

/var/spacewalk/gpgdir
  • Identifiers
/etc/salt/minion_id
/etc/machine-id
/etc/sysconfig/rhn/systemid
/var/lib/dbus/machine-id
  • "permanent" directories
/srv/www/htdocs/pub/
/var/cache/squid/
/var/spool/rhn-proxy
/var/log/
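The script below is an added example, not code from the Uyuni project or this wiki. It turns a representative subset of the list above into host-side volume directories with the modes a defender would want (private key material owner-only, data directories world-readable), stages a stable machine-id so a killed and restarted container keeps its identity, and emits the matching `podman run -v` arguments. `ROOT`, the choice to bind-mount `/etc/machine-id` read-only, and the `:Z` SELinux relabel option are assumptions of this example, not decisions documented on the page.

```shell
#!/bin/sh
# Added example, not Uyuni/SUSE project code. Stages host-side directories for the
# Proxy container's persistent state from the wiki's list (a representative subset)
# and emits the matching podman volume arguments. ROOT, the machine-id handling
# (bind-mounted read-only) and the :Z SELinux relabel option are assumptions.

# Private key material: keep it out of the image, restrict it to the owner.
PROXY_SECRET_DIRS="etc/salt/pki/minion etc/apache2/ssl.key var/spacewalk/gpgdir"
# Data that must survive a kill/restart ("proto-HA"): public certs, pub tree, caches, spool, logs.
PROXY_DATA_DIRS="etc/apache2/ssl.crt srv/www/htdocs/pub var/cache/squid var/spool/rhn-proxy var/log"

# valid_machine_id ID -> 0 if ID has the /etc/machine-id shape: exactly 32 lowercase hex chars
valid_machine_id() {
  case $1 in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# stage_proxy_state ROOT MACHINE_ID -> creates the volume tree under ROOT
stage_proxy_state() {
  root=$1 machine_id=$2
  valid_machine_id "$machine_id" || { echo "refusing machine-id '$machine_id'" >&2; return 1; }
  for d in $PROXY_SECRET_DIRS; do mkdir -p "$root/$d" && chmod 0700 "$root/$d" || return 1; done
  for d in $PROXY_DATA_DIRS;   do mkdir -p "$root/$d" && chmod 0755 "$root/$d" || return 1; done
  mkdir -p "$root/etc" || return 1
  # The machine-id must be the same on every restart so the Server keeps seeing the
  # same Proxy; once staged it is never silently replaced with a different value.
  if [ -f "$root/etc/machine-id" ]; then
    [ "$(cat "$root/etc/machine-id")" = "$machine_id" ] || {
      echo "machine-id already staged under $root with a different value" >&2; return 1; }
  else
    printf '%s\n' "$machine_id" > "$root/etc/machine-id" && chmod 0444 "$root/etc/machine-id"
  fi
}

# proxy_volume_args ROOT -> one "-v host:container[:opts]" per line, for `podman run`
proxy_volume_args() {
  root=$1
  for d in $PROXY_SECRET_DIRS $PROXY_DATA_DIRS; do
    printf -- '-v %s/%s:/%s:Z\n' "$root" "$d" "$d"
  done
  # the identifier is data the container reads, never something it should rewrite
  printf -- '-v %s/etc/machine-id:/etc/machine-id:ro,Z\n' "$root"
}
```

Typical use is `stage_proxy_state /srv/proxy-state "$(cat /etc/machine-id)"` once, then `podman run $(proxy_volume_args /srv/proxy-state) <proxy-image>` on every start; because the function refuses a different machine-id for an already staged root, a restart with the same mount points comes back with the same identity, which is exactly the "proto-HA" property the plan above asks for.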

Ongoing Questions

Open Questions

  • does it make sense to send traceback emails? Specifically from the Proxy?

Summary

A short summary can be found here
