move keepalived here from BMO repo

This commit: - Moves the project used to build the Metal3 keepalived container from the BMO repository to this repository - Adds support for customizable config file location for the keepalived container - Add container building github workflow for keepalived These changes were needed for two related reasons. - The community has decided that there is no reason to keep the keepalived files in BMO and they much better fit for the utility-images repository. - There is ongoing work to turn the ironic pod compatible with the K8s pod security option that enforces the use of read only mode for the container file system and the current containers deployed as part of the Ironic pod such as keepalived are not compatible without modification. Signed-off-by: Adam Rozman <[email protected]>
metal3-io · Jan 31, 2025 · 059e134 · 059e134
1 parent 7bdb949
commit 059e134
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 0 deletions.
diff --git a/.github/workflows/build-images-action.yml b/.github/workflows/build-images-action.yml
@@ -33,3 +33,15 @@ jobs:
       QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
       QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
       SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+  build_keepalived:
+    name: Build keepalived container image
+    if: github.repository == 'metal3-io/utility-images'
+    uses: metal3-io/project-infra/.github/workflows/container-image-build.yml@main
+    with:
+      image-name: 'keepalived'
+      dockerfile-directory: keepalived
+      pushImage: true
+    secrets:
+      QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+      QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/README.md b/README.md
@@ -74,3 +74,21 @@ FakeIPA simulate the IPA by:
   a queue of fake agents.
 - Faking the sync/async commands needed by ironic to inspect,
   clean and provision a node.
+
+## Keepalived
+
+Keepalived container used in Ironic deployments. Keepalived is used to
+provide fix IP address for Ironic in such a manner that even after pivoting
+operations the IP of Ironic stays persistent.
+
+[Keeplaived documentation](https://www.keepalived.org/manpage.html)
+
+Deployment configuration options:
+
+- `CUSTOM_CONF_DIR` - when specified, the config files will be moved to the
+  specified directory and the variable substitution will happen there
+- 'PROVISIONING_IP' - the fix IP provided by keepalived
+- 'PROVISIONING_INTERFACE' - The name of the interface that will be used
+  to "host" the fixed IP (keepalived is used in a pod that is attached to
+  host network, thus the interface names are the same as the interface names
+  on the host)
diff --git a/keepalived/Dockerfile b/keepalived/Dockerfile
@@ -0,0 +1,16 @@
+# Support FROM override
+ARG BASE_IMAGE=ubuntu:22.04
+
+FROM $BASE_IMAGE
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -y update && \
+    apt-get -y install keepalived && \
+    apt-get -y clean
+
+COPY sample.keepalived.conf /etc/keepalived/keepalived.conf
+COPY manage-keepalived.sh configure-nonroot.sh /bin/
+
+RUN /bin/configure-nonroot.sh && rm /bin/configure-nonroot.sh
+
+CMD ["/bin/bash", "/bin/manage-keepalived.sh"]
diff --git a/keepalived/configure-nonroot.sh b/keepalived/configure-nonroot.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+set -eux
+
+# create nonroot image matching the keepalived manifest
+NONROOT_USER="nonroot"
+NONROOT_GROUP="nonroot"
+NONROOT_UID=65532
+NONROOT_GID=65532
+
+# run as non-root, allow editing the keepalived.conf during startup
+groupadd -g "${NONROOT_GID}" "${NONROOT_GROUP}"
+useradd -u "${NONROOT_UID}" -g "${NONROOT_GID}" -m "${NONROOT_USER}"
+
+mkdir -p /run/keepalived
+chown -R root:"${NONROOT_GROUP}" /etc/keepalived /run/keepalived
+chmod 2775 /etc/keepalived /run/keepalived
+chmod 664 /etc/keepalived/keepalived.conf
+
+setcap "cap_net_raw,cap_net_broadcast,cap_net_admin=+eip" /usr/sbin/keepalived
diff --git a/keepalived/manage-keepalived.sh b/keepalived/manage-keepalived.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/bash
+
+set -eux
+CUSTOM_CONF_DIR="${CUSTOM_CONF_DIR:-}"
+KEEPALIVED_DEFAULT_CONF='/etc/keepalived/keepalived.conf'
+if [[ -z "${CUSTOM_CONF_DIR}" ]]; then
+    KEEAPLIVED_CONF="${KEEPALIVED_DEFAULT_CONF}"
+else
+    KEEAPLIVED_CONF="${KEEPALIVED_DEFAULT_CONF}/keepalived.conf"
+    cp "${KEEPALIVED_DEFAULT_CONF}" "${KEEAPLIVED_CONF}"
+
+fi
+export assignedIP="${PROVISIONING_IP}/32"
+export interface="${PROVISIONING_INTERFACE}"
+
+sed -i "s~INTERFACE~${interface}~g" "${KEEAPLIVED_CONF}"
+sed -i "s~CHANGEIP~${assignedIP}~g" "${KEEAPLIVED_CONF}"
+
+exec /usr/sbin/keepalived --dont-fork --log-console \
+    --pid='/run/keepalived/keepalived.pid' \
+    --vrrp_pid='/run/keepalived/vrrp.pid' \
+    --use-file="${KEEAPLIVED_CONF}"
diff --git a/keepalived/sample.keepalived.conf b/keepalived/sample.keepalived.conf
@@ -0,0 +1,20 @@
+! Configuration File for keepalived
+global_defs {
+    notification_email {
+    [email protected]
+    [email protected]
+    }
+    notification_email_from [email protected]
+    smtp_server localhost
+    smtp_connect_timeout 30
+}
+vrrp_instance VI_1 {
+    state MASTER
+    interface INTERFACE
+    virtual_router_id 1
+    priority 101
+    advert_int 1
+    virtual_ipaddress {
+        CHANGEIP
+    }
+}