Here at Bloomberg, we're evaluating Kolla to replace our in-house OpenStack 
deployment system, and one of our requirements is that we be able to do our 
builds without touching the Internet - everything needs to come from locally 
hosted repositories. A few weeks ago, I pushed up a PR 
(https://review.openstack.org/#/c/414639/) to start working on the ability to 
build Kolla containers while disconnected from the Internet. It doesn't provide 
complete coverage by any means (though that is the goal, to ensure that every 
container can be built offline for every base OS image), but I wanted to use it 
as a starter for further discussion, as well as reducing the amount of stuff 
we're carrying as local changes on top of upstream Kolla.

That being said, when I pushed the PR up, it failed the Ubuntu checks. I looked 
into it, and here's what I found:

1) There is a bug in Kolla (https://bugs.launchpad.net/kolla/+bug/1633187) that 
causes it to ignore any custom sources.list provided when building 
Debian/Ubuntu containers. You can supply one, and it will be copied into the 
build context, but because of 
http://git.openstack.org/cgit/openstack/kolla/tree/docker/base/Dockerfile.j2#n215,
only the sources.list files that come with Kolla would be used anyway. 
Necessarily, because using local mirrors requires providing a custom 
sources.list, I fixed this bug (https://bugs.launchpad.net/kolla/+bug/1633187).

2) The Ubuntu gate checks provide a custom sources.list which redirects the 
container away from Canonical's mirrors and onto OSIC-hosted mirrors. The OSIC 
mirror, for whatever reason, is unsigned. In current master Kolla, this 
sources.list just isn't used, so checks that rebuild the base image will always 
use archive.ubuntu.com, because that's the mirror that's specified in 
docker/base/sources.list.ubuntu. Take for example the output of another PR 
https://review.openstack.org/#/c/411154/ - if you examine 
http://logs.openstack.org/54/411154/12/check/gate-kolla-dsvm-build-ubuntu-binary-ubuntu-xenial-nv/26627d8/console.html.gz
(from the very top), you can see that it's downloading packages from 
archive.ubuntu.com as part of the base container build, even though 
http://logs.openstack.org/54/411154/12/check/gate-kolla-dsvm-build-ubuntu-binary-ubuntu-xenial-nv/26627d8/logs/kolla_configs/kolla/sources.list.txt.gz
is supplied as sources.list.

3) When I fixed the bug described in #1, it meant the unsigned OSIC mirror 
specified in sources.list suddenly started getting used, and the base container 
build now fails because the container build process does not allow 
unauthenticated packages to be installed.

How can this be fixed? There are a few options:

1) Remove the sources.list from the current gate configurations - the way 
things are currently set up, the Ubuntu gates actually _depend_ on the presence 
of a bug in Kolla to function if they ever need to build the base Kolla image. 
This is not good.

2) I don't know why the OSIC Ubuntu mirror is unsigned. I feel like it should 
be a straight clone of Canonical's repos so that the baked-in signing key for 
the Ubuntu base image will just work, but presumably it's this way for a reason?

3) Specify a custom apt preferences in the gate to allow installing 
unauthenticated packages in the containers (ugly).

Would somebody with knowledge of the Kolla testing infrastructure be so kind as 
to comment? I brought this up in IRC a few times but could not get much 
attention on it.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
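
A pre-flight check for the situation described in points 2 and 3 of the message, as an added example that is not part of the original message or of Kolla: it parses a sources.list and reports, per entry, whether the mirror publishes signed Release metadata and whether the entry carries an option that bypasses verification. The hostnames, the PUBLISHED set and the exists callback are constructed assumptions; the check looks for the presence of a signature file, not its validity against the base image's keyring.

```python
import re

# One-line sources.list entry: type, optional [options], URI, suite, components
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")
# sources.list(5) options that switch off signature enforcement for an entry
BYPASS_OPTS = ("trusted", "allow-insecure")

def parse_sources_list(text):
    """Return one dict per active deb/deb-src line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
        entries.append({"options": opts, "uri": m.group(3).rstrip("/"), "suite": m.group(4)})
    return entries

def release_base(entry):
    """Directory URL where apt fetches InRelease / Release / Release.gpg."""
    suite = entry["suite"]
    if suite.endswith("/"):  # flat repository: metadata sits beside the packages
        sub = suite.strip("/")
        return entry["uri"] if sub in ("", ".") else entry["uri"] + "/" + sub
    return entry["uri"] + "/dists/" + suite

def classify(entry, exists):
    """exists(url) -> bool is an assumed callback (HTTP HEAD, os.path.exists, ...)."""
    base = release_base(entry)
    bypass = [k for k in BYPASS_OPTS if entry["options"].get(k) == "yes"]
    if exists(base + "/InRelease") or (
            exists(base + "/Release") and exists(base + "/Release.gpg")):
        return "signed", bypass      # signature published; apt still verifies it
    if exists(base + "/Release"):
        return "unsigned", bypass    # apt treats these packages as unauthenticated
    return "missing", bypass

def audit(text, exists):
    return [(e["uri"], e["suite"]) + classify(e, exists) for e in parse_sources_list(text)]

# Constructed sample: placeholder hostnames, not the mirrors named in the message
SAMPLE = """\
deb http://mirror.example.internal/ubuntu xenial main universe
deb [trusted=yes] http://unsigned.example.internal/ubuntu xenial main
deb http://unsigned.example.internal/ubuntu xenial-updates main  # no Release.gpg
"""
PUBLISHED = {"http://mirror.example.internal/ubuntu/dists/xenial/InRelease",
             "http://unsigned.example.internal/ubuntu/dists/xenial/Release",
             "http://unsigned.example.internal/ubuntu/dists/xenial-updates/Release"}
```

Calling audit(SAMPLE, PUBLISHED.__contains__) returns one (uri, suite, status, bypass options) tuple per entry; an "unsigned" row with no bypass option is the case where the container build stops on unauthenticated packages.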
