remove dependency on playbook2image

openshift · Jul 12, 2017 · e2e62ee · e2e62ee
1 parent b8c5241
commit e2e62ee
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 6 deletions.
diff --git a/images/installer/Dockerfile.rhel7 b/images/installer/Dockerfile.rhel7
@@ -1,4 +1,4 @@
-FROM openshift3/playbook2image
+FROM rhel7.3:7.3-released
 
 MAINTAINER OpenShift Team <dev@lists.openshift.redhat.com>
 
@@ -18,6 +18,8 @@ LABEL name="openshift3/ose-ansible" \
       version="v3.6.0" \
       release="1" \
       architecture="x86_64"
+      vcs-url="https://github.com/openshift/openshift-ansible" \
+      vcs-type="git" \
 
 # Playbooks, roles and their dependencies are installed from packages.
 # Unlike in Dockerfile, we don't invoke the 'assemble' script here
@@ -28,16 +30,28 @@ RUN INSTALL_PKGS="atomic-openshift-utils atomic-openshift-clients python-boto sk
     yum repolist > /dev/null && \
     yum-config-manager --enable rhel-7-server-ose-3.6-rpms && \
     yum-config-manager --enable rhel-7-server-rh-common-rpms && \
+    yum install -y --setopt=tsflags=nodocs ansible
     yum install -y $INSTALL_PKGS && \
     yum clean all
 
-# The symlinks below are a (hopefully temporary) hack to work around the fact that this
-# image is based on python s2i which uses the python27 SCL instead of system python,
-# and so the system python modules we need would otherwise not be in the path.
-RUN ln -s /usr/lib/python2.7/site-packages/{boto,passlib} /opt/app-root/lib64/python2.7/
+# Add entrypoint and other setup scripts
+COPY user_setup /tmp
+COPY ./images/installer/bin/ /usr/bin
 
+RUN mkdir -p ${APP_HOME} ${APP_ROOT}/etc ${APP_ROOT}/bin
+RUN chmod -R ug+x ${APP_ROOT}/bin ${APP_ROOT}/etc /tmp/user_setup && \
+    /tmp/user_setup
+
+# Back to the UID used in the base image
 USER ${USER_UID}
 
+ENV APP_ROOT=/opt/app-root
+ENV USER_NAME=default \
+    USER_UID=1001 \
+    APP_HOME=${APP_ROOT}/src \
+    HOME=${APP_ROOT}/src \
+    PATH=$PATH:${APP_ROOT}/bin
+
 # The playbook to be run is specified via the PLAYBOOK_FILE env var.
 # This sets a default of openshift_facts.yml as it's an informative playbook
 # that can help test that everything is set properly (inventory, sshkeys).
@@ -52,4 +66,6 @@ ENV PLAYBOOK_FILE=playbooks/byo/openshift_facts.yml \
 # Add files for running as a system container
 COPY system-container/root /
 
-CMD [ "/usr/libexec/s2i/run" ]
+WORKDIR ${APP_HOME}
+
+CMD [ "/usr/bin/run" ]
diff --git a/images/installer/bin/README.md b/images/installer/bin/README.md
@@ -0,0 +1,5 @@
+Utils for use during / after installation of image
+==================================================
+
+Contains image entrypoint as well as any other scripts useful
+in aiding an image run.
diff --git a/images/installer/bin/run b/images/installer/bin/run
@@ -0,0 +1,62 @@
+#!/bin/bash -e
+#
+# This file serves as the main entrypoint to the openshift-ansible image.
+# Contains setup logic and runs a user-specified playbook via the
+# $PLAYBOOK_FILE environment variable.
+#
+# For more information see the documentation:
+#	https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md
+#
+
+# SOURCE and HOME DIRECTORY: /opt/app-root/src
+
+USER_ID=$(id -u)
+GROUP_ID=$(id -g)
+
+# Patch /etc/passwd file with the local user info. 
+# A user (name) must be defined in this file in order for
+# the `ssh` command to work within the created container.
+sed "s@${USER_NAME}:x:\${USER_ID}:\${GROUP_ID}@${USER_NAME}:x:${USER_ID}:${GROUP_ID}@g" ${APP_ROOT}/etc/passwd.template > /etc/passwd
+
+INVENTORY="$(mktemp)"
+if [[ -v INVENTORY_FILE ]]; then
+  # If the pointed inventory has execute/search perms we can assume it
+  # contains a dynamic inventory and we use it directly.
+  # Otherwise we make a copy so that ALLOW_ANSIBLE_CONNECTION_LOCAL below
+  # does not attempt to modify the original
+  if [[ -x ${INVENTORY_FILE} ]]; then
+    INVENTORY="${INVENTORY_FILE}"
+  else
+    cp ${INVENTORY_FILE} ${INVENTORY}
+  fi
+elif [[ -v INVENTORY_URL ]]; then
+  curl -o ${INVENTORY} ${INVENTORY_URL}
+elif [[ -v DYNAMIC_SCRIPT_URL ]]; then
+  curl -o ${INVENTORY} ${DYNAMIC_SCRIPT_URL}
+  chmod 755 ${INVENTORY}
+else
+  echo "One of INVENTORY_FILE, INVENTORY_URL or DYNAMIC_SCRIPT_URL must be provided"
+  exit 1
+fi
+INVENTORY_ARG="-i ${INVENTORY}"
+
+if [[ "$ALLOW_ANSIBLE_CONNECTION_LOCAL" = false ]]; then
+  sed -i s/ansible_connection=local// ${INVENTORY}
+fi
+
+if [[ -v VAULT_PASS ]]; then
+  VAULT_PASS_FILE=.vaultpass
+  echo ${VAULT_PASS} > ${VAULT_PASS_FILE}
+  VAULT_PASS_ARG="--vault-password-file ${VAULT_PASS_FILE}"
+fi
+
+WORK_DIR=${WORK_DIR:-${APP_HOME}}
+
+cd ${WORK_DIR}
+
+if [[ -z PLAYBOOK_FILE ]]; then
+    exec /usr/bin/usage
+    exit 0
+fi
+
+ansible-playbook ${INVENTORY_ARG} ${VAULT_PASS_ARG} ${OPTS} ${PLAYBOOK_FILE}
diff --git a/images/installer/bin/usage b/images/installer/bin/usage
@@ -0,0 +1,23 @@
+
+#!/bin/bash -e
+cat <<EOF
+The openshift/openshift-ansible image provides several options to control the behaviour of the containers.
+For more details on these options see the documentation:
+
+  https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md
+
+At the very least, when running a container using this image you must specify:
+
+An inventory file. This can be mounted inside the container as a volume and specified with the INVENTORY_FILE environment variable. Alternatively you can serve the inventory file from a web server and use the INVENTORY_URL environment variable to fetch it.
+ssh keys so that Ansible can reach your hosts. These should be mounted as a volume under /opt/app-root/src/.ssh
+The playbook to run. This is set using the PLAYBOOK_FILE environment variable. If you don't specify a playbook the openshift_facts playbook will be run, collecting and showing facts about your OpenShift environment.
+Here is an example of how to run a containerized openshift-ansible playbook that will check the expiration dates of OpenShift's internal certificates using the openshift_certificate_expiry role. The inventory and ssh keys are mounted as volumes (the latter requires setting the uid in the container and SELinux label in the key file via :Z so they can be accessed) and the PLAYBOOK_FILE environment variable is set to point to an example certificate check playbook that is already part of the image:
+
+docker run -u `id -u` \
+       -v $HOME/.ssh/id_rsa:/opt/app-root/src/.ssh/id_rsa:Z,ro \
+       -v /etc/ansible/hosts:/tmp/inventory:ro \
+       -e INVENTORY_FILE=/tmp/inventory \
+       -e OPTS="-v" \
+       -e PLAYBOOK_FILE=playbooks/certificate_expiry/default.yaml \
+       openshift/origin-ansible
+EOF
diff --git a/images/installer/bin/user_setup b/images/installer/bin/user_setup
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -x
+chown -R ${USER_UID}:0 ${APP_ROOT}
+chmod -R g+rw ${APP_ROOT} /etc/passwd
+find ${APP_ROOT} -type d -exec chmod g+x {} +