The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.
This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.
Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad

This patchset adds ca-certificates to the maas-rack-controller and
maas-region-controller docker images, so the new ISRG Root X1
certificate will be included.
Change-Id: Ia721b14ddc7d9e12d422f482a2e2d7f6f2c09b37

Updates the helm installation script to download and install v2.17.0
from get.helm.sh (instead of v2.14 from storage.googleapis.com).
Change-Id: I5e0ccfc60ff976f7a8d89a9a66ad6da0785a9f2b

This change renames the various patch files to reflect that they are
based on diffs against MAAS 2.8. Files that were previously listed as
2.3_*.patch originally were created against MAAS 2.3, but this is not
particularly relevant anymore.
Change-Id: I93ca4fc414f0983be62f0a8bae8ec699f3d4e7a0

Adding said label, that's already defined, to the deployments themselves.
This will enable Armada to properly wait for certain percentages of the
deployment replicas to be ready prior to proceeding. Prior to this change,
there wasn't a way to select these deployments via labels.
Change-Id: I4d8e479eb40e4395a4e3b79bbc9df651aa4e12e7

Sometimes the ephemeral environment needs additional cloud-init data.
This change allows user-data sections to be added to the default files
in /etc/maas/preseeds: enlist, commissioning, and curtin.
For example, to resolve issues with 'apt-get update' failures during
enlistment, something like this may be necessary:

    conf:
      cloudconfig:
        override: true
        sections:
          bootcmd:
            - "rm -fr /var/lib/apt/lists"

Change-Id: I817006a799003ace3f35d02507489720b0f9079b

For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.
Affects the following resources:
* maas-ingress deployment
Change-Id: I8f8239dc868e30d0203cb994b0eb6a615f40d87b

The upstream Helm chart repos have moved permanently, causing a failure
when running "make helm-serve": 'Error: error initializing: Looks like
"https://kubernetes-charts.storage.googleapis.com" is not a valid chart
repository or cannot be reached'.
This change skips the chart refresh, since the upstream charts are not
used anyway.
Change-Id: Ic146e09dca6a7d72607a794984376d0fa9bc5475

Since we introduced a chart version check in the gates, requirements are
not satisfied with a strict check of 0.1.0.
Change-Id: I74df8053fadaf5a3f07d6fd947161886f01c728b

This updates the maas chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag.
Change-Id: I1eba6ab3a7c27ddcb3e8ddc8e743b91dc5e521c3

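Added example, not part of either commit or of the chart's own code: a small checker that audits a rendered Deployment for the two settings described above, HostToContainer propagation on host mounts that include /var/lib/kubelet and readOnlyRootFilesystem on each container. The manifest, volume names and container names are constructed for illustration.

```python
KUBELET_DIR = "/var/lib/kubelet"

def includes_kubelet(host_path):
    """True when host_path is /var/lib/kubelet or one of its parent directories."""
    p = host_path.rstrip("/")
    return p == KUBELET_DIR or KUBELET_DIR.startswith(p + "/")

def audit_deployment(manifest):
    """Return a list of findings for the settings described in the two commits."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    if not pod.get("securityContext"):
        findings.append("pod: no securityContext on the pod template")
    # Names of hostPath volumes whose host directory contains the kubelet dir.
    risky = {v["name"] for v in pod.get("volumes", [])
             if "hostPath" in v and includes_kubelet(v["hostPath"]["path"])}
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        if (c.get("securityContext") or {}).get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        for m in c.get("volumeMounts", []):
            # An omitted mountPropagation field means the Kubernetes default (None).
            if m["name"] in risky and m.get("mountPropagation") != "HostToContainer":
                findings.append(f"{c['name']}: {m['mountPath']} lacks HostToContainer")
    return findings

# Constructed sample (hypothetical names), shaped like `kubectl get deploy -o json`.
SAMPLE = {"spec": {"template": {"spec": {
    "securityContext": {"runAsUser": 0},
    "volumes": [
        {"name": "host-root", "hostPath": {"path": "/"}},
        {"name": "varlib", "hostPath": {"path": "/var/lib"}},
        {"name": "etc-maas", "hostPath": {"path": "/etc/maas"}},
    ],
    "containers": [
        {"name": "ingress",
         "securityContext": {"readOnlyRootFilesystem": True},
         "volumeMounts": [{"name": "host-root", "mountPath": "/host",
                           "mountPropagation": "HostToContainer"}]},
        {"name": "sidecar",
         "volumeMounts": [{"name": "varlib", "mountPath": "/host/var/lib"},
                          {"name": "etc-maas", "mountPath": "/etc/maas"}]},
    ],
}}}}

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE):
        print(finding)
```
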
This change allows extra late_commands to be added to the curtin
userdata, which are executed before the node is rebooted at the end of
the deployment. This can be useful to install packages or perform other
customization.
One sample use-case is the installation of specific kernel module
packages that match the target kernel image, in cases where the
ephemeral environment uses a different kernel version.
Change-Id: I80084c544f6a7dafd6aa84c8041cf86bdc3b9f4b

The existing drivers.yaml rendered by the MAAS chart is missing the
top-level 'drivers' key, so it doesn't actually work. This change fixes
the rendering of the file, and adds a comment in values.yaml about where
to look for additional information about where and how the file is used:
https://github.com/maas/maas/blob/2.3.5/src/maasserver/third_party_drivers.py
Change-Id: I940c8a57d3e404a101de5c1ea92f8a467319dbaa

Use apt to install python3-pip, and use pip3 in the event the system has
both pip2 and pip3 installed. Use apt to install setuptools for
Ansible's consumption.
Change-Id: I041d4cdfda670339cfbbc75d280c8d9071227f3b
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>

When using 'make USE_PROXY=true', the 'docker build' is executed with
the correct proxy-related build-args, but the Dockerfile does not
actually consume them.
This change updates the Dockerfiles to accept the following ARGs:
HTTP_PROXY, HTTPS_PROXY, NO_PROXY (upper or lowercase)
Change-Id: I6888d1f15f430e73338c269784ded9a0dea6c9ce

MAAS uses MBR for boot disks smaller than 2 TiB. This change provides an
option to force the use of GPT, regardless of boot disk size. The chart
value is: conf.maas.force_gpt=true.
The 2 TiB "threshold" for when GPT is required is simply lowered to 0:
https://github.com/maas/maas/blob/2.3/src/maasserver/models/partitiontable.py#L51-L53
This change could be accomplished with a patch to the maas-region image
directly, but then it would not be configurable, and it may not be
useful for all users. Using sed in the startup script seems like a fair
solution.
Change-Id: I87d3f4b9c97048cdef383cbd15c5a16ac219066b

Using `exit 0` in the ntpd stub causes some unwanted log warnings:
    maas.service_monitor[151]: [warn] Service 'ntp' is on but not in the
    expected state of 'running', its current state is 'exited'.
This change allows the stub to respond appropriately to 'systemctl
status ntpd' and 'systemctl restart ntpd' and keeps MAAS happier.
Change-Id: I41b95051ce595fb9001f4104a1abb48b66a657c4

By default, curtin creates a swap file of up to 8GB. When swap is later
disabled, there is still a /swap.img file left hanging around that needs
to be cleaned up.
This change sets the size to 0 to disable the creation of the swap file
in the first place.
https://curtin.readthedocs.io/en/latest/topics/config.html#swap
Change-Id: I9e1e5f67007ae3c49617525e989b27e123b69d53

MAAS rack and region controllers poll the status of services every
minute, cluttering the logs with messages like the ones below. This
change disables sudo logging for the maas user.
    sudo[10061]: maas : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl status ntp
    sudo[10061]: pam_unix(sudo:session): session opened for user root by (uid=0)
    sudo[10061]: pam_unix(sudo:session): session closed for user root
Change-Id: I18547c5248cf73743cd8c0f26c471854540936eb

A recent change[0] to allow customization of the log level inadvertently
resulted in most messages being logged twice - once if they matched the
severity constraint, and again for all non-local messages, which for the
intended use case is all of them.
This change corrects the rsyslog.conf to drop local messages, and log
the remainder at the configured severity level. It also removes the
"$RepeatedMsgReduction on" parameter, which may have partially masked
the issue, and whose use is not advised.[1]
Change-Id: Ib15f82d9e1c7cef7d6085d6a215354b064aa09bb
0: e22afb6e95
1: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html

The Airship vulnerability documentation has moved [0]. This change
updates SECURITY.md to point to the correct location.
[0] https://docs.airshipit.org/learn/vulnerabilities.html
Change-Id: Iea843a3399bc7836f5645c3ca81603e2e9ca7356
Signed-off-by: Drew Walters <andrew.walters@att.com>

Provide a knob to adjust some less-common MAAS configuration settings.
Changes the default values as follows: disables network discovery, sets
the active subnet mapping interval to 0 (from 10800 seconds), marks the
intro as completed, and disables Google analytics.
Refer to `maas $PROFILE maas set-config -h` for the list of available
configuration items.
Change-Id: I46d348ef5777e22ebeb7a062e5f6061d9ad61a1c

An API request for the list of partitions associated with a block device
should simply return an empty list if there are no partitions. Instead,
we get an maasserver.models.partitiontable.DoesNotExist exception. This
patch allows the API server to respond correctly.
Before:
    maas admin partitions read x76dma 9
    PartitionTable matching query does not exist.
After:
    maas admin partitions read x76dma 9
    Success.
    Machine-readable output follows:
    []
Reference:
https://old-docs.maas.io/2.3/en/api#get-api20nodessystem_idblockdevicesdevice_idpartitions
Change-Id: I427a17686e257bbcc89843dead60f297b4903489

All Airship projects are moving to GitHub issues. This change adds a
GitHub security policy that links to the official Airship vulnerability
management process [0]. When users on GitHub click "New Issue" on this
GitHub repository, they will see an option to report a security
vulnerability, which will direct them to our official policy.
[0] https://airship-docs.readthedocs.io/en/latest/security/vulnerabilities.html
Change-Id: Iaf060dd0085c21f0c4f18f100e3e053b5ceedbed
Signed-off-by: Drew Walters <andrew.walters@att.com>