During MAAS enlistment (and commissioning), an IPMI account (named
"maas" by default) is created on each node, which MAAS then uses for
power management.
This change allows MAAS to use the same credentials as the ones used by
the OOB driver, by overwriting the power parameters for the discovered
nodes. This includes the power type, so if the node is configured to use
Redfish, then Drydock will update a MAAS node discovered as IPMI to use
Redfish instead.
It also provides an option to instruct MAAS not to recreate IPMI
credentials during commissioning, which is passed through to the MAAS
API. Setting this to true is only supported in MAAS 2.7 or later [0].
The two maasdriver configuration options are introduced in drydock.conf,
along with their default values:
[maasdriver]
use_node_oob_params = false
skip_bmc_config = false
These options do not prevent MAAS from creating the IPMI account during
enlistment - this would require addition MAAS customization.
0: 8842d0bfd3
Change-Id: I24d3bc3b1cc94907d73bc247de3fc06dd4750ab1
The existing max_workers setting for the ThreadPoolExecutor caps the
number of nodes that can be deployed concurrently to 16. This change
allows more threads to be run in parallel, allowing the operator to
deploy more nodes at once.
Change-Id: I6d1dfa7ad8f5e03a8328311e6b59ee116a250462
The MAAS API call "GET /MAAS/api/2.0/machines/" retrieves information
about every machine known to MAAS, which is very slow. The API supports
filtering based on hostname and mac_address (among others), and querying
for power parameters for all nodes at once.
This change modifies identify_baremetal_node to avoid calling refresh on
the full machine list.
Also, the refresh method of ResourceCollectionBase is updated to allow
passing of params, which can be used to take advantage of the filtering.
Note that a filtered call to refresh overwrites the resources collection
to only contain the returned values.
Most calls to Machines.refresh() aren't really needed at all - they are
replaced with a call to Machines.empty_refresh(), which will still make
sure that the API endpoint is accessible but return an empty collection.
(This may get removed entirely in the future.)
Change-Id: Ie58c45e1790c5c827d9d47f5582214ca519946de
This patchset tunes the Drydock MAAS request factory to:
a) Implement retries for requests toward MAAS_URL/api/2.0/
b) Bumps the request timeout slightly
In addition, restricts threaded actions towards nodes to
using the same MAAS client, effectively rate limiting calls
to the MAAS api.
Change-Id: I2e66105ae332adaed62c9c3bc8cddc63e1f7bf23
* pep8 fixes for airship-drydock-omni-test
* Install requirements sequential for ubuntu_xenial image
* Install older version of pip<21.0 for ubuntu_xenial image
Change-Id: If494b6abc1f8b85d96da4cad2da8606b8b2a1352
Adding said label, that's already defined, to the deployment itself.
This will enable Armada to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the Drydock deployment via
labels.
Change-Id: I7c5ed223d54213a1260c27485d0bfd493c09163f
Patch PyYAML (via the pylibyaml library) to automatically enable the
LibYAML parser and emitter, which are faster than the Python versions.
https://pypi.org/project/pylibyaml/
Change-Id: Iaddc0f30ed99b1f9a999f5365e9e8bf43349b82f
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0
Change-Id: Ic115755eff68f419116b79102661e9fe1a7b1764
When pip is upgraded to 20.3, the pip dependency resolver is much more
strict and will no longer install a combination of packages that is mutually
inconsistent[0].
These changes account for the fact that Shipyard imports Armada, Drydock,
Promenade, and Deckhand. Having said that, with pip 20.3, the pip
packages amongst those projects cannot conflict. A follow-up change may
be needed if more conflicts are found.
[0] https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-resolver-in-20-2-2020
Change-Id: I89c6dc728824f00f964c794142766012c407c4ed
During drydock node deployments, sometimes MaaS node deployment for
some nodes fails when the node tries to pull the node bootaction
files, using drydock api.
Drydock api call fails with `500 Internal Server Error`, when
drydock tries to create the booaction files for the node. The logs,
however do no provide any additional clues on what caused drydock to
fail. This issue does not happen always, and subsequent site updates
will most of the deploy the failed nodes.
The additional checks and logs are added to help pinpoint the root cause
of the 500 return code, if/when this issue heppens again.
This ps also, uplifted `MarkupSafe` pip library from 1.0 to 1.1.1 to
address the issue with MarkupSafe and latest version of setuptools
described here: https://github.com/pallets/markupsafe/issues/116
Change-Id: I08a088d9690d8d9dd1f771dc5e84d1eb02fbd39f
This updates the drydock chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: Ibeb60d0b88f3519730b5b76996ab137c5af4f4f5
Use apt to install python3-pip, and use pip3 in event system has
both pip2 and pip3 installed. Use apt to install setuptools for
Ansible's consumption.
Change-Id: Id80c809c636abe41a1cbb4d465f82ed1e8e0e9d7
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
Corrects a recently introduced rendering error in the chart that
resulted in missing metadata labels for the drydock-db-init and
drydock-db-sync jobs.
https://review.opendev.org/#/c/724768
Change-Id: Ifa01bbc369a33ca3d5482c760a342d873736272e
This change allows node storage sizes to be specified using binary
prefixes (MiB, GiB, TiB) in addition to the existing supported formats
(MB, GB, TB).
Change-Id: Idef88b648a75bad87625acf1d73af011480cc0b9
A recent change[0] to address PEP8 issues resulted in an unintended
behavior modification, in some cases resulting in MAAS allocation of
multiple IP addresses to the same NIC.
This reverts to the original code logic.
[0] 1755930331
Change-Id: I6dccd1b60c414e3aa966085e81dc0b61244e9814
The Airship vulnerability documentation has moved [0]. This change
updates SECURITY.md to point to the correct location.
[0] https://docs.airshipit.org/learn/vulnerabilities.html
Change-Id: Iea843a3399bc7836f5645c3ca81603e2e9ca7356
Signed-off-by: Drew Walters <andrew.walters@att.com>
Flake8 version recently updated to include new PEP8 rules. Some of
the codebase is not compliant with the new rules.
Change-Id: I0f5b3d41ee54ff0d9ffa05f733f98c7e34f0f258
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
Automatic security alerts were created for pyyaml==3.12 and
requests==2.19.1 suggesting these packages be upgraded to 2.20.0 and
5.1 respectively.
Vulnerabilities addressed:
CVE-2018-18074 on requests package
CVE-2017-18342 on PyYAML package
Change-Id: Iff5bc11d60c2724fef0bb8b2552e17573c79dc9f
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
With Ubuntu bionic base image for drydock docker image, uwsig crashes
with segmentation fault when it tries to load/import the psycopg2 package.
The reason for this is that uwsgi and psycopg2 packages are built with
incopatible ssl libraries.
Upgrading uwsgi and psycopg2 to address this issue for bionic based
images.
Change-Id: I3d0bfb96c19849f5c2925366f8712bf47985df67
All Airship projects are moving to GitHub issues. This change adds a
GitHub security policy that links to the official Airship vulnerability
management process [0]. When users on GitHub click "New Issue" on this
GitHub repository, they will see an option to report a security
vulnerability, which will direct them to our official policy.
[0] https://airship-docs.readthedocs.io/en/latest/security/vulnerabilities.html
Change-Id: Iaf060dd0085c21f0c4f18f100e3e053b5ceedbed
Signed-off-by: Drew Walters <andrew.walters@att.com>
Adds support to build drydock image using either a xenial or a bionic base
image. Currently only xenial base is supported.
The default base image is set to ubuntu bionic.
Change-Id: I93672cf35879d8525d28e870ea83e5512c1043f9
Updated Makefile to run the build baclient package for go on the
host instead of as a docker container, to allow the Makefile be
called from another container. Reason being, in a docker-in-docker,
volume mapping requires knowledge of host filesystem path instead
of the docker daemon filesystem path.
Corrected proxy configuration in the scripts to use the USE_PROXY,
PROXY and NO_PROXY environment variables.
Updated Dockerfile to add multi-stage build, to avoid including the
golang-go package in the docker image. Stage one creates the
baclient Go library, and stage two creates the drydock image, and
copies the baclient from stage one image.
Change-Id: I29a30e870da8f44279dcd62bb1173165fa939d43
This change updates the location of the kubernetes-entrypoint image to
point to its new home in the airshipit namespace on quay.io [0]. The
stackanetes image is no longer maintained.
[0] https://quay.io/repository/airshipit/kubernetes-entrypoint
Depends-On: 8314c53030
Change-Id: I08db87c2f97c687bd87162e2f7eaf81abe882c31
Signed-off-by: Drew Walters <andrew.walters@att.com>
This change updates the helm-toolkit version used to build the Drydock
chart in order to introduce a change that removes use of the echo binary
from the Kubernetes entrypoint init container [0]. This is required in
order to use the new Kubernetes entrypoint image, which does not include
the binary.
[0] https://review.opendev.org/688435
Change-Id: I3c291367541aca9d2d8f2a7c3c0600d9d9efb84f
Signed-off-by: Drew Walters <andrew.walters@att.com>
Update apiversion for deployment to apps/v1
Add selector match labels to deployment
This patch is similar to https://review.opendev.org/#/c/638276/
These changes are required to install drydock helm chart on k8s 1.16.0
Change-Id: Ie9b7344fc94058a6212d09a9b96fe1b2b9d07b4e
- Currently several failure paths won't log any messages
when doing a site validation. Add these messages
- Also, for validation steps that are dependent on external resources
make the resource inaccessibility a warning rather than a failure.
Change-Id: I431ed188e2f6cd3fc3fa41ae2729f3a099fdfbf5
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I2705fcf1d322ed06b124811b4ab91bfdfbdeacf3
Readthedocs failed to render Drydock exceptions with error:
> WARNING: autodoc: failed to import exception xxx from module
> 'drydock_provisioner'; the following exception was raised: No module
> named 'drydock_provisioner'
Trying to add Drydock requirements to the installed requirements list,
so that Readthedocs has all modules, including those needed for the
Drydock itself.
Unify docs building by utilizing Zuul docs-on-readthedocs template job.
Cosmetic readability changes:
1. combined all Makefile .PHONY targets into one
2. merged multiple LABEL instructions in Dockerfile into one
Change-Id: I6a9b47cffc66d739968fa886c51e25b1e09ef124
Phil Sphicas
DeJaeger, Darren (dd118r)
Zuul
anthony.bellino
Andrii Ostapenko
Rick Bartra
Mahmoudi, Ahmad (am495p)
KHIYANI, RAHUL (rk0850)
Alexander Hughes
DODDA, PRATEEK
Drew Walters
Hemanth Nakkina
Scott Hussey
Evgeny L
Roman Gorshunov
Carter, Matt (mc981n)
Mahmoudi, Ahmad (am495p)
Kumar, Nishant(nk613n)