Bug 1381508

Summary: [RFE] Tripleo needs to support whole disk overcloud images
Product: Red Hat OpenStack Reporter: Yolanda Robla <yroblamo>
Component: openstack-tripleo-commonAssignee: Yolanda Robla <yroblamo>
Status: CLOSED ERRATA QA Contact: mlammon
Severity: medium Docs Contact:
Priority: medium    
Version: 11.0 (Ocata)CC: akarlsso, arkady_kanevsky, brault, cdevine, christopher_dearborn, dbecker, dcain, dtantsur, fduthill, fzdarsky, hbrock, jjoyce, jjung, John_walsh, jslagle, kurt_hey, mburns, mcornea, mlammon, morazi, nlevinki, racedoro, rajini.karthik, randy_perryman, rhel-osp-director-maint, sasha, sclewis, slinaber, smerrow, sreichar, tvignaud, yroblamo
Target Milestone: Upstream M1Keywords: FutureFeature, Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/tripleo/+spec/build-whole-disk-images
Whiteboard: upstream_milestone_pike-2 upstream_definition_approved upstream_status_not-started
Fixed In Version: openstack-tripleo-common-7.3.1-0.20170720003002.f0ef9ac.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-13 20:46:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1355903, 1389435, 1396159, 1434350, 1438574, 1442136, 1476985    

Description Yolanda Robla 2016-10-04 10:50:39 UTC 
Description of problem:

Currently openstack image upload from tripleo, needs that 3 images are passed:
overcloud-full.qcow2
overcloud-full.initrd
overcloud-full.vmlinuz

But there can be another use case, that is supported in Ironic, and that is the ability to use full disk images, as documented on:

http://docs.openstack.org/project-install-guide/baremetal/draft/configure-integration.html#configure-the-image-service

Currently if you just provide the qcow2 image, the command fails complaining about missing initrd and vmlinuz.

Expected results:

tripleo shall just upload qcow2, and do not set kernel_id and ramdisk_id images, allowing for ironic to consider it as a full disk image.
Comment 1 Yolanda Robla 2016-11-21 14:09:56 UTC 
Changes to suport it landed on tripleo-client. It needs a new release to start using it.
Comment 2 Dmitry Tantsur 2016-11-25 14:02:19 UTC 
I'm leaving you assigned, as I know you've been working on it so far. Thanks!

Also, if the patch you've landed was the last patch in this RFE, please feel free to move it to POST.
Comment 3 Dmitry Tantsur 2016-12-06 15:29:01 UTC 
Is it done now? Could you please update the status accordingly?
Comment 4 Yolanda Robla 2016-12-22 10:02:00 UTC 
It needs changes from diskimage-builder that have not landed yet.
But at the moment we worked on alternatives, using guestfs, to get the overcloud-full image that is flat partition, and convert to whole disk:

http://teknoarticles.blogspot.com.es/2016/12/start-using-whole-disk-images-with.html
http://teknoarticles.blogspot.com.es/2016/12/how-to-encrypt-your-home-with-guestfs.html

There is a pending article i need to write, about how to expand the filesystem after deployment, to consume the remaining disk space.
Comment 5 Ramon Acedo 2017-01-09 12:17:20 UTC 
Hi Yolanda, moving to ON_DEV as you're actively working on this. 

Whole disk support is already implemented in Ironic and I believe the TripleO client has already merged the code to support uploading images with "--whole-disk" into director's Glance. In any case this will only be possible to be used with custom Overcloud images as the stock images will be flat partition images, right?
Comment 6 Yolanda Robla 2017-01-09 13:38:49 UTC 
Yes, at the moment it can only be used witih custom overcloud images. There is no way from TripleO to generate it.
Comment 8 Dmitry Tantsur 2017-01-11 11:44:27 UTC 
Looks like more work has to be done here around building images, so I'm deferring this RFE to Pike. Also resetting the component to a more generic one.
Comment 9 Yolanda Robla 2017-02-28 11:04:13 UTC 
Related blueprint: https://blueprints.launchpad.net/tripleo/+spec/build-whole-disk-images
Comment 15 Ramon Acedo 2017-05-24 12:32:40 UTC 
Hi Yolanda, is all the code completed? This BZ can be set to POST if it is, as per https://bugs.launchpad.net/tripleo/+bug/1630203 I believe there isn't anything else pending, right?
Comment 16 Yolanda Robla 2017-06-05 11:21:22 UTC 
Code finally landed. But I'm working on CI jobs to produce the images. I also believe that some job needs to be done on tripleo, to produce the hardened image from the yaml file.
Comment 17 Yolanda Robla 2017-06-07 16:10:56 UTC 
This feature needs to land for OSP12 as Tech Preview, to get initial feedback from customers. On OSP13 the intention is to land it on production.
Comment 18 arkady kanevsky 2017-06-07 18:27:21 UTC 
We will also need it backported to OSP10.
Alternatively we can patch overcloud image of OSP10 for JS (version TBD) as part of deployment tools, but still need support.
Comment 19 Yolanda Robla 2017-06-08 14:04:57 UTC 
Support for whole disk images is available in OSP10, see https://bugzilla.redhat.com/show_bug.cgi?id=1434350 . And about using a whole disk image in OSP10, you can take this as a reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1417231
Comment 20 Yolanda Robla 2017-06-08 14:08:37 UTC 
So mlammon, for testing it, the image has not been packaged yet and it can take time, tied to https://bugzilla.redhat.com/show_bug.cgi?id=1459602

You can build the image manually and test it. You need to follow instructions on:
https://docs.openstack.org/developer/tripleo-docs/basic_deployment/basic_deployment_cli.html

And the command to build the image is:
 openstack overcloud image build  --config-file /usr/share/tripleo-common/image-yaml/overcloud-hardened-images.yaml --config-file /usr/share/tripleo-common/image-yaml/overcloud-hardened-images-centos7.yaml --image-name overcloud-hardened-full
Comment 21 Ramon Acedo 2017-06-13 10:43:47 UTC 
Thanks Yolanda. Is it expected that built image will have multiple partitions? And, does it support LVM? Or do you want to have verified that the resulting image is a whole-disk overcloud image but without custom partitioning and LVM?
Comment 22 Yolanda Robla 2017-06-26 12:25:03 UTC 
Hi Ramon. So the image will have multiple partitions, but not LVM. Users could specify their own partitions exporting DIB_BLOCK_DEVICE_CONFIG var before building their own image (I need to create a blogpost + raise a documentation bug for it).
Comment 23 Yolanda Robla 2017-06-26 12:29:56 UTC 
Sorry, last comment was for the OSP12 version. For this 10/11 version, the image is generated with the script. And yes, the final image has LVM support.
Comment 26 Yolanda Robla 2017-07-19 13:31:44 UTC 
That blogpost will help on testing http://teknoarticles.blogspot.com.es/2017/07/build-and-use-security-hardened-images.html
Comment 28 Ramon Acedo 2017-07-20 16:33:00 UTC 
When users build the image as specified in comment #20 they'll need to specify their CDN or Satellite credentials. d-i-b has an element so I think this should be possible:

https://docs.openstack.org/diskimage-builder/latest/elements/rhel-common/README.html

Also with RHEL we have to have a base image:

https://docs.openstack.org/diskimage-builder/latest/elements/rhel7/README.html

Then, you can also add local repos, although I don't know if that will be necessary as when you use an activation key, it's usually associated to repositories so you could create an activation key for the OSP repos and use that. This is how to pass local repos:

https://docs.openstack.org/diskimage-builder/latest/elements/yum/README.html

Is there any other option for end users that will have subscriptions to achieve this?

How does d-i-b know where the pike repos are? Mike showed that in his tests the build process failed to fetch the repo info with an error like this:

--------------
Setting up Package Sacks
http://download.lab.bos.redhat.com/rcm-guest/puddles/OpenStack/12.0-RHEL-7/2017-07-13.2/RH7-RHOS-DEVTOOLS-12.0/x86_64/os/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article
-------------- 
https://access.redhat.com/articles/1320623
Comment 29 Yolanda Robla 2017-07-21 10:41:58 UTC 
So depending on CentOS/RHEL, several env vars need to be set. It's partially documented on http://tripleo-docs.readthedocs.io/en/latest/basic_deployment/basic_deployment_cli.html
Additionally, we need to export DIB_YUM_REPO_CONF var, with the list of repos needed.
I'll add this to my blogpost, to make it more complete, and also prepare it to be the base for future documentation.
Comment 32 mlammon 2017-11-15 14:18:32 UTC 
This can now be marked verified and tested. Whole Disk Image was tested and deployed into the overcloud containing the requirements of separate partition with the security hardened image created and deployed on many nodes.

openstack overcloud image build --image-name overcloud-hardened-full --config-file /usr/share/openstack-tripleo-common/image-yaml/overcloud-hardened-images.yaml --config-file /usr/share/openstack-tripleo-common/image-yaml/overcloud-hardened-images-rhel7.yaml --verbose

cd
mv ~/images/overcloud-full.qcow2 ~/images/overcloud-full-old.qcow2
cp ~/images/overcloud-hardened-full.qcow2 overcloud-full.qcow2
Comment 35 errata-xmlrpc 2017-12-13 20:46:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462