From 364b9f418c31b93b916a2328344b737bd68856e6 Mon Sep 17 00:00:00 2001 From: Kim soo Date: Fri, 13 Mar 2026 15:53:06 +0900 Subject: [PATCH 1/4] masakari: Add crmadmin and cibadmin to monitors sudoers The hostmonitor calls crmadmin and cibadmin with run_as_root=True, but the sudoers file only includes crm_mon. Since the container runs as the masakari user, sudo calls to crmadmin and cibadmin fail with "password required", causing the hostmonitor to skip all host monitoring every cycle. This completely breaks automatic instance evacuation in HCI (hyper-converged) deployments where all nodes run the full pacemaker stack instead of pacemaker-remote. In separated deployments, the crmadmin code path is skipped because pacemaker_remote_status=True, which is why this bug has gone undetected. Closes-Bug: #2144074 Change-Id: I22bbaa1f1fd1f3d53de48ec7c0099d028118448b Signed-off-by: Kim soo --- docker/masakari/masakari-monitors/masakari_monitors_sudoers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/masakari/masakari-monitors/masakari_monitors_sudoers b/docker/masakari/masakari-monitors/masakari_monitors_sudoers index 6cc823d78d..be3867b5ca 100644 --- a/docker/masakari/masakari-monitors/masakari_monitors_sudoers +++ b/docker/masakari/masakari-monitors/masakari_monitors_sudoers @@ -1,3 +1,5 @@ masakari ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/privsep-helper masakari ALL=(root) NOPASSWD: /usr/sbin/tcpdump * masakari ALL=(root) NOPASSWD: /usr/sbin/crm_mon -X +masakari ALL=(root) NOPASSWD: /usr/sbin/crmadmin * +masakari ALL=(root) NOPASSWD: /usr/sbin/cibadmin --query From 7f277e1c0384ceaf7526ce261ab0bde8977a86fd Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Fri, 8 May 2026 07:55:29 +0200 Subject: [PATCH 2/4] httpd: Install mod_auth_mellon from EPEL And remove the redundant comment and repo enablement in keystone container. Change-Id: I3a64b13fcaef62c73cccc9c478e7392efc8ee554 
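Review bot: The new `/usr/sbin/crmadmin *` entry lets the masakari user run crmadmin as root with any arguments, which is wider than the status check the commit message describes; the `cibadmin --query` line added beside it shows the tighter form. If hostmonitor only issues one fixed kind of call, name that option in the rule, for example `masakari ALL=(root) NOPASSWD: /usr/sbin/crmadmin <option-used-by-hostmonitor> *`, after checking the exact arguments in the monitor code, which this patch does not show. A sudoers `*` also matches whitespace, so a trailing wildcard for the host name narrows the rule rather than closing it. A comment above the two new lines naming the hostmonitor call each one serves would make later audits of this file easier.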
Signed-off-by: Michal Nasiadka --- docker/httpd/Dockerfile.j2 | 3 +-- docker/keystone/keystone-base/Dockerfile.j2 | 3 +-- kolla/template/repos.yaml | 4 ---- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/docker/httpd/Dockerfile.j2 b/docker/httpd/Dockerfile.j2 index 03b4e688b1..98f012f2a8 100644 --- a/docker/httpd/Dockerfile.j2 +++ b/docker/httpd/Dockerfile.j2 @@ -8,8 +8,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% import "macros.j2" as macros with context %} {% if base_package_type == 'rpm' %} -{# NOTE(mnasiadka): mod_auth_mellon missing in CentOS 10 Stream - temporarily from Kolla COPR #} -{{ macros.enable_extra_repos(['epel', 'kolla_el10']) }} +{{ macros.enable_extra_repos(['epel']) }} {% set apache_packages = [ 'httpd', 'mod_ssl', diff --git a/docker/keystone/keystone-base/Dockerfile.j2 b/docker/keystone/keystone-base/Dockerfile.j2 index 36d793a2e7..47b37983c0 100644 --- a/docker/keystone/keystone-base/Dockerfile.j2 +++ b/docker/keystone/keystone-base/Dockerfile.j2 @@ -11,8 +11,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} -{# NOTE(mnasiadka): mod_auth_mellon missing in CentOS 10 Stream - temporarily from Kolla COPR #} -{{ macros.enable_extra_repos(['epel', 'kolla_el10']) }} +{{ macros.enable_extra_repos(['epel']) }} {% set keystone_base_packages = [ 'cyrus-sasl-devel', diff --git a/kolla/template/repos.yaml b/kolla/template/repos.yaml index 92402bcddc..f23c18eed3 100644 --- a/kolla/template/repos.yaml +++ b/kolla/template/repos.yaml 
@@ -140,10 +140,6 @@ rpm: hacluster: name: "highavailability" distro: true - kolla_el10: - baseurl: "https://download.copr.fedorainfracloud.org/results/@openstack-kolla/el10-missing/epel-10-$basearch/" - gpgkey: "https://download.copr.fedorainfracloud.org/results/@openstack-kolla/el10-missing/pubkey.gpg" - name: "kolla_el10" mariadb: baseurl: "https://dlm.mariadb.com/repo/mariadb-server/11.4/yum/rhel/$releasever/$basearch" gpgkey: "https://downloads.mariadb.com/MariaDB/RPM-GPG-KEY-MariaDB" From 118541d5b3de5290d64a1e137d7bfb59afd8db4e Mon Sep 17 00:00:00 2001 
From: Michael Still Date: Wed, 3 Jun 2026 13:10:47 +1000 Subject: [PATCH 3/4] Implement container image build for kerbside. This change adds images for Kerbside. Kerbside is a SPICE protocol native proxy used to expose the new spice-direct console type provided by Openstack Compute. This allows high fidelity virtual desktop experiences without requiring transcoding of the console into HTML5 in Horizon, or allowing users direct access to the console ports on your hypervisors. Sadly, Red Hat chose to remove SPICE support from qemu in RHEL9, and Rocky Linux has followed along. You therefore _must_ run the Debian or Ubuntu container images if you wish to use the ``spice-direct`` console type. Architecturally Kerbside has two components -- an API service which turns console access URLs from Nova into URLs to ``.vv`` files, and a proxy service which actually proxies the SPICE traffic. These are handled as separate container images here because they're quite different. One is a WSGI REST API, and the other is a daemon. It is also likely that deployers would choose to host these on different machines. Finally, the proxy service needs to be special cased in load balancing because it strongly expects to terminate TLS itself. The haproxy is therefore configured as a layer 4 proxy in this case. Depends-On: https://review.opendev.org/c/openstack/kolla/+/991249 Change-Id: If60a70745462e1360cfadaab1a5a8d75b7fdeb21 Partial-Bug: #2131793 (spice-direct consoles) 
Signed-off-by: Michael Still --- doc/source/support_matrix.rst | 9 +++++ docker/kerbside/kerbside-api/Dockerfile.j2 | 9 +++++ docker/kerbside/kerbside-api/extend_start.sh | 4 ++ docker/kerbside/kerbside-base/Dockerfile.j2 | 38 +++++++++++++++++++ docker/kerbside/kerbside-proxy/Dockerfile.j2 | 9 +++++ .../kerbside/kerbside-proxy/extend_start.sh | 4 ++ kolla/common/config.py | 1 + kolla/common/sources.py | 4 ++ kolla/common/users.py | 4 ++ .../add-kerbside-images-04d28d7e76e5bc1f.yaml | 9 +++++ 10 files changed, 91 insertions(+) create mode 100644 docker/kerbside/kerbside-api/Dockerfile.j2 create mode 100644 docker/kerbside/kerbside-api/extend_start.sh create mode 100644 docker/kerbside/kerbside-base/Dockerfile.j2 create mode 100644 docker/kerbside/kerbside-proxy/Dockerfile.j2 create mode 100644 docker/kerbside/kerbside-proxy/extend_start.sh create mode 100644 releasenotes/notes/add-kerbside-images-04d28d7e76e5bc1f.yaml diff --git a/doc/source/support_matrix.rst b/doc/source/support_matrix.rst index 2cce5c99a8..bec1aa0bd1 100644 --- a/doc/source/support_matrix.rst +++ b/doc/source/support_matrix.rst @@ -106,3 +106,12 @@ Currently unbuildable images For a list of currently unbuildable images please look into ``kolla/image/unbuildable.py`` file - ``UNBUILDABLE_IMAGES`` dictionary. + +SPICE limitations +================= + +The new OpenStack Compute console type ``spice-direct`` requires that +SPICE support be compiled into the qemu running the instance. Sadly, +Red Hat chose to remove SPICE support from qemu in RHEL9, and Rocky +Linux has followed along. You therefore _must_ run the Debian or Ubuntu +container images if you wish to use the ``spice-direct`` console type. diff --git a/docker/kerbside/kerbside-api/Dockerfile.j2 b/docker/kerbside/kerbside-api/Dockerfile.j2 new file mode 100644 index 0000000000..4e5e1f7a16 --- /dev/null +++ b/docker/kerbside/kerbside-api/Dockerfile.j2 
@@ -0,0 +1,9 @@ +FROM {{ namespace }}/{{ image_prefix }}kerbside-base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +COPY extend_start.sh /usr/local/bin/kolla_extend_start +RUN chmod 644 /usr/local/bin/kolla_extend_start + +USER kerbside diff --git a/docker/kerbside/kerbside-api/extend_start.sh b/docker/kerbside/kerbside-api/extend_start.sh new file mode 100644 index 0000000000..92ef80a22f --- /dev/null +++ b/docker/kerbside/kerbside-api/extend_start.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# Make the log directory +mkdir -p /var/log/kolla/kerbside diff --git a/docker/kerbside/kerbside-base/Dockerfile.j2 b/docker/kerbside/kerbside-base/Dockerfile.j2 new file mode 100644 index 0000000000..d2e31ca0e2 --- /dev/null +++ b/docker/kerbside/kerbside-base/Dockerfile.j2 @@ -0,0 +1,38 @@ +FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +{% block kerbside_base_header %}{% endblock %} + +{% import "macros.j2" as macros with context %} + +{{ macros.configure_user(name='kerbside', groups='kerbside') }} + +{% if base_package_type == 'rpm' %} + {% set kerbside_packages = [ + 'mariadb-devel', + 'pkgconfig' + ] %} +{% elif base_package_type == 'deb' %} + {% set kerbside_packages = [ + 'libmariadb-dev-compat', + 'pkg-config' + ] %} +{% endif %} + +{{ macros.install_packages(kerbside_packages | customizable("packages")) }} + +{% set kerbside_pip_packages = [ + '/kerbside' +] %} + +ADD kerbside-base-archive /kerbside-source +RUN ln -s kerbside-source/* kerbside \ + && if [ "$(ls /plugins)" ]; then \ + {{ macros.install_pip(kerbside_plugins_pip_packages) }}; \ + fi \ + && {{ macros.install_pip(kerbside_pip_packages | customizable("pip_packages"), false) }} \ + && rm -f /etc/machine-id + +{% block kerbside_base_footer %}{% endblock %} 
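Review bot: The `mkdir -p /var/log/kolla/kerbside` in kerbside-api/extend_start.sh leaves the directory mode to whatever umask the start script runs under, so the image does not fix the permissions on its own log directory; the identical kerbside-proxy/extend_start.sh has the same gap. Set the mode explicitly after creating the directory, e.g. `if [[ $(stat -c %a /var/log/kolla/kerbside) != "755" ]]; then chmod 755 /var/log/kolla/kerbside; fi`. The right mode depends on which user the log collector in the deployment reads as, which is not visible in this patch.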
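Review bot: `kerbside_plugins_pip_packages` is passed to `macros.install_pip` in the `RUN` step of kerbside-base/Dockerfile.j2 but is never set in this template, and nothing in the file adds a `/plugins` directory, so the `if [ "$(ls /plugins)" ]` branch is either dead or rendered from an undefined variable. Unless the name is supplied by a parent template that the hunk does not show, either drop the branch or add the plugins archive together with a matching `{% set kerbside_plugins_pip_packages = [...] %}` before the `RUN`. As written, `ls /plugins` on a missing directory only prints an error into the build log and the chain carries on, which hides the mistake from whoever reads the build output.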
diff --git a/docker/kerbside/kerbside-proxy/Dockerfile.j2 b/docker/kerbside/kerbside-proxy/Dockerfile.j2 new file mode 100644 index 0000000000..4e5e1f7a16 --- /dev/null +++ b/docker/kerbside/kerbside-proxy/Dockerfile.j2 @@ -0,0 +1,9 @@ +FROM {{ namespace }}/{{ image_prefix }}kerbside-base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +COPY extend_start.sh /usr/local/bin/kolla_extend_start +RUN chmod 644 /usr/local/bin/kolla_extend_start + +USER kerbside diff --git a/docker/kerbside/kerbside-proxy/extend_start.sh b/docker/kerbside/kerbside-proxy/extend_start.sh new file mode 100644 index 0000000000..92ef80a22f --- /dev/null +++ b/docker/kerbside/kerbside-proxy/extend_start.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# Make the log directory +mkdir -p /var/log/kolla/kerbside diff --git a/kolla/common/config.py b/kolla/common/config.py index 8a80e1f88f..cdeb425a5c 100644 --- a/kolla/common/config.py +++ b/kolla/common/config.py @@ -88,6 +88,7 @@ 'designate', 'gnocchi', 'ironic', + 'kerbside', 'magnum', 'manila', 'masakari', diff --git a/kolla/common/sources.py b/kolla/common/sources.py index 97edec1b18..08c4a4639b 100644 --- a/kolla/common/sources.py +++ b/kolla/common/sources.py @@ -152,6 +152,10 @@ 'type': 'url', 'location': ('$tarballs_base/openstack/keystone/' 'keystone-${openstack_branch}.tar.gz')}, + 'kerbside-base': { + 'type': 'git', + 'reference': 'develop', + 'location': ('https://github.com/shakenfist/kerbside')}, 'kolla-toolbox': { 'type': 'url', 'location': ('$tarballs_base/openstack/requirements/' diff --git a/kolla/common/users.py b/kolla/common/users.py index cd0a666607..19ebde20fe 100644 --- a/kolla/common/users.py +++ b/kolla/common/users.py @@ -350,4 +350,8 @@ 'uid': 42494, 'gid': 42494, }, + 'kerbside-user': { + 'uid': 42495, + 'gid': 42495, + } } 
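Review bot: The `kerbside-base` entry in kolla/common/sources.py builds from `'reference': 'develop'` on an external GitHub repository, so each image build takes whatever the branch head is at that moment and two builds of the same Kolla commit can ship different code. Pin the source to a release tag or commit, e.g. `'reference': '<release-tag-or-commit-sha>',`, and move it forward deliberately in a reviewed change. A short comment on the entry saying why this source sits outside the `$tarballs_base` pattern used by the neighbouring keystone entry would help the next maintainer.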
diff --git a/releasenotes/notes/add-kerbside-images-04d28d7e76e5bc1f.yaml b/releasenotes/notes/add-kerbside-images-04d28d7e76e5bc1f.yaml new file mode 100644 index 0000000000..78be07bb99 --- /dev/null +++ b/releasenotes/notes/add-kerbside-images-04d28d7e76e5bc1f.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + This release adds images for Kerbside. Kerbside is a SPICE protocol + native proxy used to expose the new spice-direct console type provided + by Openstack Compute. This allows high fidelity virtual desktop + experiences without requiring transcoding of the console into HTML5 + in Horizon, or allowing users direct access to the console ports on + your hypervisors. From 6f6bceb17d986b82a3a142f7063fd7a69c2a72db Mon Sep 17 00:00:00 2001 From: Michael Still Date: Fri, 5 Jun 2026 19:16:56 +1000 Subject: [PATCH 4/4] Revert "Switch to Gazpacho/2026.1 sources". This reverts the OPENSTACK_RELEASE bump from kolla commit 352b7fce. The stable/2026.1 branch is now active, so the late-cycle pin to '2026.1' is stale and needs to be reverted back to 'master' -- mirroring the same housekeeping pattern as the 2025.1->master revert (87678d014, 2025-05) and the 2025.2->master revert (c30e4e524, 2025-12). I specifically found this because Nova master commit 770580bb bumped oslo.privsep in requirements.txt from >=2.6.2 to >=3.11.0. With OPENSTACK_RELEASE = '2026.1', openstack_branch resolves to stable-2026.1 and openstack-base pulls requirements-stable-2026.1.tar.gz, which still pins oslo.privsep===3.10.1. The resulting ResolutionImpossible causes image builds to fail. Change-Id: I7d156af2fa9677cd4921f518ac1c6ecf7acde9ce Signed-off-by: Michael Still --- kolla/common/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kolla/common/config.py b/kolla/common/config.py index 8a80e1f88f..33938d5e29 100644 --- a/kolla/common/config.py +++ b/kolla/common/config.py 
@@ -38,7 +38,7 @@ 'ubuntu': 'Ubuntu 24.04.* LTS', } -OPENSTACK_RELEASE = '2026.1' +OPENSTACK_RELEASE = 'master' OPENSTACK_RELEASE_CODENAME = 'Gazpacho' # TODO(mandre) check for file integrity instead of downloading from an HTTPS