TripleO Container Image Preparation

TripleO support containerized undercloud and overcloud. Containerized overcloud feature is added in OSP 12 and containerized undercloud in OSP 14 with Docker as it's container engine. In OSP 15 it can be changed to Podman. And later versions it support podman.

TripleO container images are stored in docker registry or any custom registry. Images getting pulled from registry while deployment.

Container images can be available anywhere. Either in default registry or on undercloud node or you can use your own custom registry. To overcome conflicts of the images registry, version etc, container-image-parameters.yaml file is introduced.

What is container-image-parameters.yaml file?

Simple yaml file
Include meatadata about the container, like:
Pull location, push location
tag, release, version
authentication credentials
Image include, exclude options

Why container-image-parameters.yaml file?

Use different registry to pull and push
Pull images with different tags
Modify and push custom images
Authentication credentials to registry for pull and push
Layring image preparation entries with include / exclude.

How to generate container-image-parameters.yaml file?

You can generate it using openstack command.

$ openstack tripleo container image prepare default --output-env-file ~/container-image-parameters.yaml

If you are using Ansible use following role to generate container-image-parameters.yaml file

---
- hosts: localhost
  collections:
    - tripleo.operator
  tasks:
    - name: "Generate container-image-parameters.yaml file"
      inlclude_role:
        name: tripleo_container_image_prepare_default
      vars:
        tripleo_container_image_prepare_default_output_env_file: "~/container-image-parameters.yaml"

How to use container-image-parameters.yaml file?

While deploying containerized undercloud.
In udercloud.conf file:

    container_image_file: /home/stack/container-image-parameters.yaml

While deploying containerized overcloud you can pass it using -e option.

    $ openstack overcloud deploy -e /home/stack/container-image-parameters.yaml

Using Ansible

    - name: Run overcloud deploy
      import_role:
        name: tripleo_overcloud_deploy
      vars:
        tripleo_overcloud_deploy_environment_files:
          - /home/stack/conatiner-image-parameters.yaml

Contents in container-image-parameters.yaml

Let's take a look what this container-image-parameters.yaml file has.

parameter_defaults:
  ContainerImagePrepare:
  - set:
      ceph_alertmanager_image: alertmanager
      ceph_alertmanager_namespace: docker.io/prom
      ceph_alertmanager_tag: v0.16.2
      ceph_grafana_image: grafana
      ceph_grafana_namespace: docker.io/grafana
      ceph_grafana_tag: 5.4.3
      ceph_image: daemon
      ceph_namespace: docker.io/ceph
      ceph_node_exporter_image: node-exporter
      ceph_node_exporter_namespace: docker.io/prom
      ceph_node_exporter_tag: v0.17.0
      ceph_prometheus_image: prometheus
      ceph_prometheus_namespace: docker.io/prom
      ceph_prometheus_tag: v2.7.2
      ceph_tag: v4.0.12-stable-4.0-nautilus-centos-7-x86_64
      name_prefix: centos-binary-
      name_suffix: ''
      namespace: docker.io/tripleomaster
      neutron_driver: ovn
      rhel_containers: false
      tag: current-tripleo
    tag_from_label: rdo_version

ContainerImagePrepare : This option include set / import / exclude parameters for specific container.
All the parameters are starting with ceph_* are ceph specific parameters. It includes namespace pull images, image name and tag.
name_prefix: centos-binary- Pull all the images which are staring from centos-binary-* , you can see that name_suffix: '' is blank. While pulling images it will exclude ceph_* containers.
neutron_driver: ovn Use ovn neutron driver.
tag: current-tripleo All the images which as this tag will get pulled. This is equal to latest tag.
tag_from_label: rdo_version
Some images are not tagged as current_tripleo , if those images needs to pull you can specify specific version and release tag. tag_from_label: {version}-{release}

Push destination

Push destination is registry location where to push images which is pulled by deployer. This can be enabled by adding --local-push-destination. It will add push_destination parameter in the file.

push_destination either contain true or some other registry url. When it is set to true, deployer push the images to the undercloud. It's url will be discovered at the time of deployment. If some other location is specified images will be pushed there.

  parameter_defaults:
    ContainerImagePrepare:
    - push_destination: true
      set:
        ceph_alertmanager_image: alertmanager
        ceph_alertmanager_namespace: docker.io/prom
        ...

Push destination authentication

If push destination registry has authentication you can use ContainerImageRegistryCredentials to push the content.

  parameter_defaults:
    ContainerImagePrepare:
    - push_destination: xx.xx.xx.xx:xxxx 
      set:
        ceph_alertmanager_image: alertmanager
        ceph_alertmanager_namespace: docker.io/prom
        ...
    ContainerImageRegistryCredentials:
      'quay.io': {'username', 'password'}

Registry Login

Registry login can be enabled using --enable-registry-login option. Using this you can login to the registry while pulling the images. It can not be used with --local-push-destination.

Do not use this option with the overcloud deployment. Overcloud nodes may not have the network connectivity to target registry.

Layers in container-image-parameters.yaml

Layers can be created in container-image-parameters.yaml . This layers can include specific image pull / push / update operation.

parameter_defaults:
  ContainerImagePrepare:
  - push_destination: true
    set:
      name_prefix: centos-binary-
      name_suffix: ''
      namespace: docker.io/tripleomaster
      neutron_driver: ovn
      rhel_containers: false
      tag: current-tripleo
    tag_from_label: rdo_version
    exclude: [ceph]
  - push_destination: true
    set:
      ceph_alertmanager_image: alertmanager
      ceph_alertmanager_namespace: docker.io/prom
      ceph_alertmanager_tag: v0.16.2
      ceph_grafana_image: grafana
      ceph_grafana_namespace: docker.io/grafana
      ceph_grafana_tag: 5.4.3
      ceph_image: daemon
      ceph_namespace: docker.io/ceph
      ceph_node_exporter_image: node-exporter
      ceph_node_exporter_namespace: docker.io/prom
      ceph_node_exporter_tag: v0.17.0
      ceph_prometheus_image: prometheus
      ceph_prometheus_namespace: docker.io/prom
      ceph_prometheus_tag: v2.7.2
      ceph_tag: v4.0.12-stable-4.0-nautilus-centos-7-x86_64
    includes: [ceph]

Modify images

You can modify image while preparing it. This approach is very useful in CI or development workflow. Images can be updated using tripleo-modify-images role. Image name, and updates (in form of patch, Dockerfile or rpm) can be passed as variables.

ContainerImagePrepare:
- push_destination: true
  ...
  modify_role: tripleo-modify-image
  modify_append_tag: "-updated"
  modify_vars:
    tasks_from: yum_update.yml
    compare_host_packages: true
    yum_repos_dir_path: /etc/yum.repos.d
  ...

In above yaml is:

modify_role is Ansible role which modify the images.
modify_append_tag: Tag need to added after the image updated.
modify_vars: List of variables passed to the role. Above tasks will update all the packages in container.
Modify using Gerrit
- Role vars to modify image using gerrit.

      modify_role: tripleo-modify-image
      modify_append_tag: "-updated_change_1_2_3"  # Gerrit changes: refs/changes/1/2/3/
      modify_vars:
        task_from: dev_install.yaml
        source_image: docker.io/tripleomaster/centos-binary-nova-compute:current-tripleo
        refspecs:
          -
           project: nova
           refspec: refs/changes/1/2/3

Install package
- Role vars to modify using rpm

      ContainerImagePrepare:
      - push_destination: true
        ...
        includes:
        - nova-compute
        modify_role: tripleo-modify-image
        modify_append_tag: "-hotfix"
        modify_vars:
          tasks_from: rpm_install.yml
          rpms_path: /home/stack/nova-hotfix-pkgs
        ...

Update using dockerfile
- Role vars to modify using Dockerfile.

      ContainerImagePrepare:
      - push_destination: true
        ...
        includes:
        - nova-compute
        modify_role: tripleo-modify-image
        modify_append_tag: "-hotfix"
        modify_vars:
          tasks_from: modify_image.yml
          modify_dir_path: /home/stack/nova-custom

Conclusion

Well, I think container_image_perapare.yaml file is very useful for different purpose. It absolutely reduced the complexity to deal with the containers and repository.

TripleO Container Image Preparation