When Debian's ifup tool runs for a IPv6 VLAN interface it is not setting
the MTU found in the configuration file. Instead it sets it to the
underlying interface's MTU. If that's a jumbo MTU value, it can cause
packet drops during file transfer and installation on controller-1
to fail.
This fix uses post-up configuration to set the correct MTU value to
mimic CentOS's ifup tool behavior.
Test Plan:
PASS: check that the VLAN's MTU is correct
PASS: installation on standard lab
Closes-Bug: 1991582
Signed-off-by: Caio Bruchert <caio.bruchert@windriver.com>
Change-Id: Id898a0eb132abe6838ddc81ff0adb4401c33d731
This commit adds sysinv service parameters configuration for sssd
support of remote ldap domains. Remote ldap domains get configured
with default configuration. A subset of the domain parameters
that are specific to the ldap server will to be added using
service parameters mechanism.
A maximum of 3 AD remote ldap domains are allowed: ldap-domain1,
ldap-domain2, ldap-domain3.
Validation methods are implemented for the service parameters.
Parameter Validation will be enabled in the next code drop.
In this commit service parameters are applied to only controllers.
Worker and Storage node personalities will be added in a subsequent
commit.
Tests performed:
PASS: Successful install in AIO-SX system configuration.
PASS: The default remote ldap domain configuration gets populated in
sssd.conf.
PASS: sssd service is successfully started.
PASS: Remote ldap domain service parameters are added and applied at
runtime.
PASS: Verify connection to the new ldap server using ldapsearch.
PASS: Verify ldap users have been discovered and cached in /etc/passwd
PASS: Verify remote ssh connection for an AD ldap user.
Story: 2009834
Task: 46364
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I28df5059acd0a5e4a9f4368eb3cc8b0544d36333
Removed conf files from /etc/pmon.d/
as they are being moved to another location.
This is part of an effort to allow pmon conf files
to be selected at runtime by kickstarts.
The change is debian-only, since centos support
will be dropped soon.
Centos' pmon conf files remain in /etc/pmon.d/
Test Plan:
PASS - deb doesn't install anything to /etc/pmon.d/
PASS - AIOSX unlocked-enabled-available
PASS - Standard 2+2 unlocked-enabled-available
Story: 2010211
Task: 46301
Depends-On: https://review.opendev.org/c/starlingx/metal/+/855095
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I1055170e1d5c4ff3a21350c6c5a54b31b6fc57bb
Recent changes [1] to AppImageParser _find_images_in_dict and
generate_download_images_list methods made this code to break with both
AttributeError and TypeError when stx-openstack application is being
uploaded.
This change includes extra protection against these types of errors and
restablish the flow for generating stx-openstack image list based on its
overrides.
It also adds a new image resource to TestKubeAppImageParser unit tests,
using an Openstack resource extracted from when debugging the original
error. It should prevent this issue to happen again for future changes
at AppImageParser logic.
The original change to generate_download_images_list, for example, would
fail the test:
* TestKubeAppImageParser.test_generate_download_images_list
[1] https://review.opendev.org/c/starlingx/config/+/858762
Test Plan:
PASS - Locally execute unit tests: TestKubeAppImageParser
PASS - Build the sysinv package with this change
PASS - Upload stx-openstack app
PASS - Apply stx-openstack app
Closes-Bug: 1991115
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I8a1384bfefd12f8a893249853cbeae3a9d3661e0
k8s versions older than 1.21 are no longer required. This change removes k8s older versions - 1.18.1, 1.19.13 and 1.20.9
Test-plan: Debian
PASS: system kube-version-list doesn't show the old versions - 1.18.1, 1.19.13 and 1.20.9
Story: 2010301
Task: 46416
Signed-off-by: rsivanan <rameshkumar.sivanandam@windriver.com>
Change-Id: Ia1dc4b105e091e83f3bcf8a5038f40ff4c29a7c1
Details: Add platform-upgrade cmd to /usr/bin/ during Debian
installation.
This is a fix for https://review.opendev.org/c/starlingx/config/+/853676
Task: 45858
Story: 2009303
Signed-off-by: Junfeng (Shawn) Li <junfeng.li@windriver.com>
Change-Id: Iaf0722b063ac2b06c30b59f7ba266ea1573a463d
Remove the installation of per-package preset installs
since they are centrally managed now by the ISO install
for the following packages:
- config-gate-worker
- config-gate
- controllerconfig
- sysinv-agent
- sysinv-fpga-agent
Story: 2009968
Task: 46406
Test Plan
PASS Build package
PASS Build ISO
PASS Check for non-existant preset file in /etc/systemd/system-preset
Depends-On: https://review.opendev.org/c/starlingx/integ/+/853653
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I4204f75d3a7cfc25ab8b5f303d12023eafc212f0
Changed image tag from stx.6.0-v1.0.1. to stx.8.0-v1.0.2
Story: 2009831
Task: 46404
Depends-On: https://review.opendev.org/c/starlingx/root/+/857468
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
Change-Id: I2431dce863cd24a7fccdb2868a73ba754b407d72
In support for the STS silicom application, this
commit adds support for a new image format, which
may be found in the application charts (eg. values.yaml).
For the STS application, the format is as follows:
Images:
Tsyncd: quay.io/silicom/tsyncd:2.1.2.9
TsyncExtts: quay.io/silicom/tsync_extts:1.0.0
Phc2Sys: quay.io/silicom/phc2sys:3.1.1
GrpcTsyncd: quay.io/silicom/grpc-tsyncd:2.1.2.9
Gpsd: quay.io/silicom/gpsd:3.23.1
Testing:
- Apply the app-sts-silicom application. Ensure images
can be extracted and downloaded from the helm charts.
- Ensure the application is applied with no errors
Story: 2010213
Task: 45955
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: Iebe94fb77780e516697c2d98efb296aff415b22f
This commit catches the forbidden error raised for a user trying to
run sysinv commands without enough privileges. The forbidden exception
used to not be caught, resulting in sysinv CLI returning a "None" to
the user. With this commit, a more useful error message is shown to
the user.
Test Cases:
PASS: Create a reader user and run "system modify --description".
Ensure a meaningful error is returned since readers are not
allowed to run system modify. Ensure no changes are made
by checking "system show"
Change-Id: I11c407f06196962ba445c6d8a9f7591cc8a5cf05
Story: 2010149
Task: 46360
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
During the boot process, most notably in IPv6 installations,
sysinv-agent is failing to mount /opt/platform/sysinv/${SW_VERSION}
to /mnt/sysinv during the 3 attempts done. This is starting the
agent with default values, making the process stuck trying to connect
to rabbitmq in localhost:5672 instead of controller-0:5672,
preventing the correct node installation from controller-0.
This change introduces a 1s sleep between attempts, with tests
indicating that the 2nd attempt is usually successful.
It is also adding a explicitly dependency with remote-fs.target, it
did not took effect on the first reboot after install (the loop was
responsible to copy config file). But on subsequent lock/unlock it
did not executed the mount as /opt/platform was available (this was
not happenning without the dependency).
Test Plan:
[PASS] install an AIO-DX with 3 compute nodes in IPv6 network
Story: 2010211
Task: 46348
Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Change-Id: Idab6b1887f38283ea8e0e05923a0ae4265c2e877
This commit fixes an issue where trying to install the same certificate
again results in a 'Cannot install certificate with same subject'. That
is incorrect and should be thrown only for a different certificate with
the same subject.
Test Plan:
PASS: Manage a subcloud and verify that it's able to synchronize certs
without the 'Cannot install certificate with same subject' error
PASS: Try to install the same certificate multiple times and verify
that no 'Cannot install certificate with same subject' error
is returned
PASS: Try to install two different certificates with same subjects and
verify that a 'Cannot install certificate with same subject' error
is returned
Closes-Bug: 1990007
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: I17861145f20b8e1ef61896c3271a96a28fe9ded2
This commit:
Adds an upgrade script to call the ansible playbook
upgrade-openldap-certificate.yml and create the openldap certificate
during the upgrade activate stage.
Changes the puppet plugin code for ldap to read the openldap
certificate only in activate statuses during an upgrade.
Fixes an issue with certificate_shell where it may call len() for a
certificate that does not have the subject information, resulting a
NoneType error.
Test Plan:
PASS: Upgrade from stx 22.06 to 22.12 and verify that the openldap
certificate is successfully created in kubernetes
in upgrade activate stage
PASS: After certificate is created in kubernetes, verify that the
certificate and key is read by puppet and saved to files
in /etc/ldap/certs
PASS: After certificate is created in kubernetes, verify that the
certificate is picked up by cert-mon and saved to database
and show in 'system certificate-list'
Story: 2009834
Task: 45933
Change-Id: Ia4b9d1921b1e7afdc29f398f902faf2a8bf1e25b
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856556
ptp4l configuration needs the correct VLAN interface name for the
port section.
For example: if the VLAN interface creates the Linux interface named
'vlan100@enp0s8', the port section must be 'vlan100' and not 'enp0s8'
nor 'vlan100@enp0s8'.
Test Plan:
PASS: Assign VLAN interface to PTP instance
PASS: Assign bond interface to PTP instance
PASS: Assign eth interface to PTP instance
Closes-Bug: 1989797
Signed-off-by: Caio Bruchert <caio.bruchert@windriver.com>
Change-Id: I953fee83151bc1546786e495514c9352c8ccfc0a
Details: Add a new cli command to wrap ansible playbook below
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/upgrade_platform.yml
The ansible_become_pass is required parameter for this command.
If the password is not present in the command line, the password
prompt will appear requiring entering password.
The password entered in prompt doesn't appear in the bash.log
This command also accepts -extra_vars that is the same parameter used
in ansible-playbook command.
Example:
platform-upgrade --become_pass=mypassword --extra_vars=k1=v1,k2=v2
Test Plan:
PASS: execute the command without become_pass provided
PASS: execute the command with become_pass provided
PASS: execute the command with more optional parameters provided
PASS: execute the command with parameters in different order
Task: 45858
Story: 2009303
Change-Id: I4a731c5fd3254f686b215ffd1dd5e72b6009f096
Signed-off-by: Junfeng (Shawn) Li <junfeng.li@windriver.com>
This commit adds listeners to monitor the change of keystone
service users' passwords, apply puppet runtime manifest to
update the service configuration and restart the related
services.
Tests passed:
1 Update keyring users' password
2 Change keystone users' passwords with OpenStack CLI
3 Verified the configuration updated
4 Verified the service w/o auth failure
5 No host swact during the apply, no FM alarm created at the
end of the process
Note:
1 the password synchronization between keyring and keystone
is not included in this review.
2. the update of the secure static hieradata is not included
in this change due to upgrade concerns, users need to update
the hieradata manually. E.g. the subcloud_rehome playbook
will add a task to migrate the passwords in the hieradata
during subcloud rehoming.
3. the unit tests will be delivered by another task in this
story.
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/853708
Story: 2010230
Task: 46074
Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I1a2dbc8b1e0bd03c2086895818729b2283b0fb96
This changes allow users for global customization
of kubelet and control plane components during
runtime process.
* Validations have been relaxed to enable creation of
new sections in kubernetes service through service-parameter.
e.i.: kube_apiserver, kube_scheduler, kube_controllerManager,
kubelet.
* Validations have been relaxed to enable creation of
new parameters in kubernetes service through service-parameter.
* Upgrade script has been added in order to migrate the parameters
(oidc_issuer_url, oidc_client_id, oidc_username_claim,
oidc_groups_claim) to (oidc-issuer-url, oidc-client-id,
oidc-username-claim, oidc-groups-claim)
Test Plan:
* Fresh Install: AIO-SX, Standard.
* B&R and Upgrade: AIO-SX, Standard.
* Create, modify, delete supported parameters and verify changes.
* Add and apply not supported parameters and verify kube-apiserver auto
restore process.
* Validate launch example Pods, for both simplex and duplex systems.
Story: 2009766
Task: 44378
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/827760
Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
Change-Id: I8e1311a78bf9e1419d76d4d19777a847a53e82f4
This commits aims to do a clean up in the _agent_audit, removing the
deprecated RemoteError exception snippets and the _audit_tpm_device
which isn't supported anymore. Also, splits the _agent_audit with
_inventory_audit and _lldp_audit. Each one with it's own interval
value.
TEST PLAN:
PASS: AIO-SX: Manually replaced this file into a installation.
PASS: AIO-SX: Rebuild the whole system with the changes without
crashes.
PASS: AIO-SX: bootstrap and unlocked system, no errors.
PASS: AIO-SX: followed sysinv logs to make sure the audits are being
called during the period.
Story: 2010087
Task: 46173
Signed-off-by: Caio Cesar Ferreira <Caio.CesarFerreira@windriver.com>
Change-Id: I3215a5a10e7ec4d10985fc16f1a2bad3617c1cd4
This change updated provider_uri to be 'ldaps' so openldap syncrepl
will be secure over TLS.
This change also updated puppet tox unit tests accordingly.
Test Plan:
PASS: DX system deployment
PASS: Check syncrepl section in slapd.conf.backup, it should contain:
provider=ldaps://<controller>
tls_cert="/etc/ldap/certs/openldap-cert.crt"
tls_key="/etc/ldap/certs/openldap-cert.key"
tls_cacert="/etc/ssl/certs/ca-certificates.crt"
tls_reqsan=demand
PASS: On one controller, add a new openldap user, and check the
newly added user exists on the other controller by:
ldapsearch -xH ldaps://<the other controller>
-b 'ou=people,dc=cgcs,dc=local' '(objectclass=*)' |
grep <the newly added user>
PASS: After active controller swact, repeat TC #3 again.
Story: 2009834
Task: 46245
Depends-On: https://review.opendev.org/c/starlingx/config-files/+/856769
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If59016555e0762693ce3e9eeea33ae61e7dda4b1
The current device image cache directory is off /usr which is
a read-only filesystem in Debian. It is moved to /var, a read-write
filesystem, so that image cache directory can be created during
firmware update on Debian. The directory structure is unchanged for
CentOS.
Test Plan:
Verified: The device image cache directory can be created during
FW update on Debian. And the code changes would not
impact CentOS.
Story: 2010119
Task: 46230
Signed-off-by: lzhu1 <li.zhu@windriver.com>
Change-Id: Ic1c4db352a0032395dab853cbfb7f886e009cbfa
It was detected the command 'system dns-modify' updates the
resolv.conf correctly but after reboot the resolv.conf
is overwritten with old values.
The reason was the system.yaml was being updated but code
was not calling script: puppet-manifest-apply.sh to update
YAMLs in the path that puppet will use.
Changed code to use puppet runtime class and the right
function to update YAMLs and call puppet-manifest-apply.sh.
Test Plan (DEBIAN: Standard CENTOS: AIO-DX):
PASS Modify DNS and check resolv.conf in both controllers
PASS Modify DNS and reboot both controllers
PASS Install AIO-DX in VBox using ISO with this fix
PASS Install Standard in VBox using ISO with this fix
Closes-Bug: #1989142
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/856560
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Change-Id: Ic0b2790bc3a92526efd459e4103380461c541f0d
Do not enter the code branch that tries to read the openldap certificate
on sysinv startup and is causing an error during 22.12 upgrade.
This is a temporary fix to allow the upgrade to run. A subsequent code
change to create the openldap certificate during the upgrade and then
remove this check will be done later.
Test Plan:
PASS: Install fresh iso and verify that certificate and key files are
created and there are no sysinv.log or puppet.log errors
PASS: Upgrade from stx 22.06 to 22.12 and verify that sysinv process
does not try to read certificates from kubernetes and there are
no sysinv.log or puppet.log errors
Story: 2009834
Task: 45933
Change-Id: Ie5201b6149f5dcec48e958fef3a4f987006b81be
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Depends-On: https://review.opendev.org/c/starlingx/config/+/855699
Currently, there is no path inside the appfwk to get an app
from 'remove-failed' state to any other state.
This commit makes it so that using remove --force
will prevent the app from being put in remove-failed
if the operation fails.
Instead, the app is put in 'uploaded' state
and a progress message warning about this is set.
remove --force can also be used to recover the app
from remove-failed state for a posterior delete.
Test Plan:
PASS: remove (without -f) results in remove-failed
state in case of an error
PASS: remove --force results in uploaded state
instead of remove-failed in case of an error
and the progress message is set.
(tested for apply-failed and remove-failed)
PASS: remove --force does not set the warning
progress message when the remove succeeds
Related-Bug: 1987115
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Iba659c05bf9abd28b0319e6c438141f9aa1c9240
Openldap is not running on subcloud so no openldap certificate
is created as k8s secret during bootstrap. But current sysinv ldap
plugin still tries to retrieve the certificate from k8s, causing
subcloud unlock to fail.
This change updated sysinv ldap plugin to not retrieve openldap
certificate for subcloud.
Test Plan:
PASS: subcloud deployment by "dcmanager subcloud add"
Closes-Bug: 1988601
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Iafbc5d6ff90735c07ac6850d2f76e9a6230a7a41
