Update the sshd_config on our test nodes to accommodate what appears to
be an increase in ssh scanner traffic. In particular LoginGraceTime
defaults to 120 seconds. We reduce that to 30 seconds to cycle
connections more quickly. Then we also increase the maximum number of
connection startups to 30 from the default of 10. We also reduce the
random fail rate from 30% to 10% between 31 and 100 connections.
I'm not entirely certain this will fix things, but based on what we've
seen from logs it may be what we need to make ssh to test nodes more
reliable.
Change-Id: Ifacf7d00de157ab2fb60cde990f0b49f03f71415
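The effect of the sshd change described above, as an added example that is not part of the change itself. It assumes the commit's description corresponds to `MaxStartups 30:10:100` against the OpenSSH default `10:30:100`, and applies the start:rate:full rule from sshd_config(5), where the drop percentage equals `rate` at `start` unauthenticated connections and rises linearly to 100% at `full`. The function names are hypothetical.

```python
"""Drop probability for sshd's MaxStartups start:rate:full setting."""

DEFAULT = "10:30:100"    # OpenSSH default
PROPOSED = "30:10:100"   # assumed from the commit message's description


def parse_max_startups(value):
    """Parse 'start:rate:full'; a bare 'N' is a hard cap with no early drop."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        start, rate, full = parts[0], 100, parts[0]
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("expected N or start:rate:full, got %r" % value)
    # Same sanity limits sshd enforces: start <= full and 1 <= rate <= 100.
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError("out-of-range MaxStartups value %r" % value)
    return start, rate, full


def drop_percent(unauthenticated, start, rate, full):
    """Percent chance that sshd refuses the next unauthenticated connection."""
    if unauthenticated < start:
        return 0                      # below the threshold: always accepted
    if unauthenticated >= full or rate == 100:
        return 100                    # at the ceiling: always refused
    # Linear ramp from `rate` at `start` to 100 at `full` (integer math).
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def compare(counts, old=DEFAULT, new=PROPOSED):
    """Return (count, old %, new %) rows for each pending-connection count."""
    old_cfg, new_cfg = parse_max_startups(old), parse_max_startups(new)
    return [(n, drop_percent(n, *old_cfg), drop_percent(n, *new_cfg))
            for n in counts]


if __name__ == "__main__":
    print("pending  default  proposed")
    for n, before, after in compare([5, 10, 29, 30, 65, 99, 100]):
        print("%7d  %6d%%  %7d%%" % (n, before, after))
```

Lowering `LoginGraceTime` works alongside this: a connection that never authenticates stops counting toward `start` once it is closed, so scanner connections free their slots after 30 seconds rather than 120.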
Rocky 9 has coreutils-single package installed, so trying to install
coreutils package conflicts. Just blank this out for this platform
like 8.
Change-Id: I48933a61a065cee9402cb803b0da214eafe2cd8a
Update the package maps. It also seems like matching just "9" will
cover 9-stream and Rocky, which just uses DIB_RELEASE "9". Also fixup
the 80-enable-haveged to skip on rocky.
Change-Id: Ia352d217d00e10068a463b62f7d9aca72cb88a8c
openEuler 22.03 supports python3 only. There is no
python-devel package.
This patch updates the pkg mapping to fix the package
install problem in nodepool.
Change-Id: I11750048841ec49c893b4c9332a6029b329b54cb
Change I316e9587b6e290cd421b47f506c91dbebe0975c0 had a rather
embarrassing oversight in that it copied the /usr/bindep-env/bin/pip
invocation for upgrading pip to all the other venvs.
i.e. we were upgrading the bindep-env pip over and over, and not
actually the pip in the working venv. The os-testr install on older
platforms has now broken because it still tries to install with the
ancient inbuilt pip -- local testing has confirmed that it works with
the updated pip.
Change-Id: I22c549b5f9b9e3882fcd2340946d2850b0b2f86b
Ansible v5 appears to rely on setfacl more than ansible 2.9 did when
running tasks as a different unprivileged user than the one currently
running ansible. Without setfacl installed we get errors like:
Failed to set permissions on the temporary files Ansible needs to
create when becoming an unprivileged user (rc: 1, err: chmod:
invalid mode: ‘A+user:stack:rx:allow’ Try 'chmod --help' for more
information.}). For information on working around this, see
https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
Installing setfacl makes the error go away as ansible can use setfacl
instead of chown/chmod.
Ubuntu, Debian, Fedora, CentOS, and OpenSUSE all appear to call the
package 'acl'. We assume that openeuler and rocky inherit this package
name. That means we only need to override the package name for Gentoo.
Change-Id: I71736578dbd5e0683b18023e73ab44255eb6eb18
The previous patch[1] applied a partial context to the unbound.log file.
This patch applies a full context to resolve the "partial context" error, using semanage to make the file label persistent.
[1] https://review.opendev.org/c/openstack/project-config/+/841546
Change-Id: Ic15957fa4ef58355efd2e96f143386f393b0a59d
I4f3265c16320613d4ba74a02df1361c5d9cf2fb1 moved this file to
/var/lib/unbound on selinux systems, as it was getting permissions
errors trying to write into /var/log.
This turns out to make it harder to collect the logs from projects
like devstack. It's simpler if we just have the log file in a
consistent place. On selinux systems, set the context, and revert
things to just writing into /usr/log/unbound.log
Change-Id: I6bb58ef0d6bf4cbbb7fd4066e01b7a01d05009c3
coreutils comes in two variants now, 'coreutils-single' which is a
busybox-like single binary called through symlinks and the regular
coreutils. Both satisfy the dependency for coreutils for any other
packages, but if you explicitly ask to install coreutils over
coreutils-single you get an error.
Since coreutils-single is already in the base-image, just skip
installing it on Rocky 8.
Change-Id: I89f8cb49b0cd373e454dd37439bf6efd971233e5
The common version of get-pip.py no longer supports python3.6 or older.
Devstack has amended its use of this file to use a stable version of
the installer for python3.6 [0]. Pre-cache this version in our images,
too, so that it can be consumed in the CI.
[0] https://review.opendev.org/#/q/Iab2c391d5388461fe9e9037cee81884ce8032e72
Change-Id: Ied14dc7188e27e2a4b144d597b696ee85f25721d
When adding support for CentOS Stream 9 [1], I made dib install haveged
in centos8 or centos8s only. This broke centos7 images.
This patch should get haveged installed in all centos releases != 9-stream and fix
the centos7 one.
[1] https://review.opendev.org/c/openstack/project-config/+/811442
Change-Id: I5a33160c6272ee4e452b83599ca3ed552422c6d2
This package is not installed (see
I9b88baf422d947d5209d036766a86b09dca0c21a) so we can't enable this
service on 9-stream.
Change-Id: Ie42d73e7cd12c80b076429a643d95778ff5665b8
The recent pyyaml 6 release, incorporated in the latest
nodepool-builder/dib images, requires a specific loader now. Use
safe_load as there's nothing crazy going on here.
Change-Id: I26e5e1cf6778cb51872d6a65b2ac683335201bb4
This patch is adding support for CentOS Stream 9 in elements
infra-package-needs and nodepool-base which are used in nodepool images.
- Remove installation of ntpdate (it has been removed in CS9).
- It skips installation of haveged until it's available in EPEL9.
- It maps package iptables to iptables-service.
Note that this patch has been tested together with dib patch in Depends-On.
Depends-On: https://review.opendev.org/c/openstack/diskimage-builder/+/811392
Change-Id: I25d9bb7272edc3215840a53e5d79efe5d1fd7210
This updates the on-disk cache version to the same as the default
version in zuul-jobs from I0d5e1b567c364a9e6c7aa0b95de17abffaef0434
Note we have a pull request open on this original project to
incorporate these changes, but the project has been dormant for a long
time. If we don't have a response in the medium-term future, we can
bring this project into opendev.org git and maintain our enhancements
there.
Change-Id: I26b1a7d0dde12be7c493d44d754b9ea8f72e6e66
The pip installed in the venv with "python3 -m venv" on Xenial is 8.X
-- this does not understand python_requires metadata on packages and
can thus pull in requirements that won't actually run inside the
virtualenv.
Avoid this by upgrading pip in the venv before installing.
While this is the immediate need, do the same on the other venvs we
create for general sanity.
Change-Id: I316e9587b6e290cd421b47f506c91dbebe0975c0
See I361059c6b62ea240b6fef5a61d254959622199d7 where we modified Fedora
to not install the deprecated ntp package.
Change-Id: I9147f16a4e67b15ac7cc0bc4684ad8390718525f
ntp/ntpdate isn't a package on Fedora any more [1]. Make this like
centos 8 above and install chrony for time services.
[1] https://fedoraproject.org/wiki/Changes/NtpReplacement
Change-Id: I361059c6b62ea240b6fef5a61d254959622199d7
As noted inline, the /etc/init.d directory appears to have been
somehow removed/no longer created with a recent update. I've added
this manually and the image builds, and the rc-local.service still
runs. Do this for now to unblock other builds.
Change-Id: I0b0b2e38951bad656bcfdb47b6470e033564db59
This reverts commit 5ee0780486.
0.5.2 [1] was cut after another colleague asked for a release. I guess their release build issues have been resolved since I asked a few weeks ago. As a result this build is no longer required once we've bumped to 0.5.2.
[1] https://github.com/cirros-dev/cirros/releases/tag/0.5.2
Change-Id: I5332d0e47ad863ca9795a8b0b86b73156621622d
As discussed on the ML [1] the nova-next job is looking to start testing
the q35 machine type. In order to do this *before* the next Cirros
release a custom dev build of the Cirros image has been built with the
ahci module included, as is now required to allow for SATA based config
drives to work.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-March/020823.html
Change-Id: I67912064487598c0e5b4ce3001276f42e0ebcad1
Some distros (gentoo) do not come with six in the base image (stage3),
it is installed later in the image build. Use the native
urlopen/URLError if the six version is not available.
Change-Id: Id1c52aa17e565c16369645508e43e4f485defa66
This reverts commit 6f992efbc5.
Setuptools 50.1.0 has been released which reverts the breaking behavior.
https://review.opendev.org/#/c/749766/ tests that these fixes work in
other venvs that exhibited the same problems. That change looks happy so
I think this revert is ready to go.
Change-Id: I31b62be4f85f40f4d99e463cd961dec0a3542f47
Also, install yamllint in the dib env, as it's a requirement
of dib-lint now but is only in test-requirements for dib.
Change-Id: I083bca901ca51438099d1d3bbbd0076ac3d7da07
systemd timesyncd is the default mechanism for timesync on Focal;
let's reduce our modification footprint by not overinstalling ntp or
trying to enable it.
Change-Id: I60e15b9101511e9008159b7a0b63f1b4b3febb96
Ironic uses them in its gate jobs, downloading every time. With
github broken all these jobs are failing now.
Change-Id: I8649d2cd530bdedcbd333991f7376fe9cd9bf267
This is particularly important for debuntu where we need working gpg for
apt and a missing gpg-agent is fatal. We install it globally so that
consistent tooling is available across systems.
Note everyone but suse seems to have a gnupg2 package. Suse calls it
gpg2.
Change-Id: I6c56e85db501f2c9d7c648e614f1efbaadc213a2
This is installed for the base images in the dependent change
Depends-On: https://review.opendev.org/716788
Change-Id: Ic6ae3c5406fc0efd7fff1875459dfab85b4f702c
We had been running a script to generate a list of things to cache for
devstack. Unfortunately, we've discovered that this attempts to perform
unsafe actions which illustrates that this is unsafe (and creates an
unnecessary relationship between opendev images and openstack/devstack).
Address this by providing a static list of things to cache.
Note this does not do anything for arm64 images (that will need to be
addressed in a follow on but they are largely not running devstack there
yet).
On a Bionic node this is what we have in /opt/cache/files/:
cirros-0.3.2-i386-disk.vmdk
cirros-0.3.4-x86_64-disk.img
cirros-0.3.4-x86_64-disk.vhd.tgz
cirros-0.3.4-x86_64-uec.tar.gz
cirros-0.3.5-x86_64-disk.img
cirros-0.3.5-x86_64-disk.vhd.tgz
cirros-0.3.5-x86_64-uec.tar.gz
cirros-0.4.0-x86_64-disk.img
cirros-0.4.0-x86_64-uec.tar.gz
etcd-v3.1.10-linux-amd64.tar.gz
etcd-v3.2.17-linux-amd64.tar.gz
etcd-v3.3.12-linux-amd64.tar.gz
get-pip.py
stackviz-latest.tar.gz
zanata-cli-4.3.3-dist.tar.gz
I've trimmed out the vmdk, vhd, and tarball based images as we should
all be using qcow2s. Everything under etcd is provided by preexisting
static lists.
Change-Id: Iff741e8ed4c517ccabae6e6d6ba730f0aa37a272
This will install tox into a virtualenv on our images. On our older
images with globally installed tox this can be ignored but as we move to
"plain" images this can be used as an opt in tox executable by jobs.
Jobs can set the tox_executable path for the ensure-tox role.
We don't install it globally to avoid polluting package manager managed
paths.
Change-Id: If5397d731e9fb04431482529aed23cd9fdaecc1d
This is a follow-on to I85438baf5bb31790a56fe5b38327361f0a2398e9.
Skip over this install of tox, which no longer works without the
"pip-and-virtualenv" element define of $DIB_PYTHON_PIP. We want to
not install globally in the image, but move things like this to
ansible roles in base jobs if required.
Change-Id: Id1571210f0778019c78aec9f38e9f1254c1d68f9
Since all platforms have Python 3, use the new ensure-venv element
from the dependent change to install bindep and os-testr.
Since we are no longer using pip to install anything during the
builder, this drops the dependency on pip-and-virtualenv from
nodepool-base. Avoiding this element is our long-term goal, as its
modifications to system state are problematic in a number of ways. To
maintain the status-quo, the pip-and-virtualenv element is added
explicitly to each build's element list, with a note on its future.
The current plan for backwards compatibility is to replicate the
environment pip-and-virtualenv provides in a base role/job that can be
optionally included. To test this, provide a new node type
"ubuntu-bionic-plain" that will not include the pip-and-virtualenv
element. This is put on just one provider (rax) to minimise impact.
The dependent-change (and a dib release) is required before merge so
the ensure-venv element is available.
Depends-On: https://review.opendev.org/707513
Change-Id: I85438baf5bb31790a56fe5b38327361f0a2398e9
The dib 2.34.0 release uncapped hacking and has found some new minor
issues. Add missing readmes and fix whitespace.
Change-Id: Ia05e54c26988774bf03b0764a6df5e60e8ddaca8