4237 Commits

Author SHA1 Message Date
Zuul
5ec2d6822a Merge "Enable swact in USM deploy abort/rollback scenario" 2024-06-13 19:39:24 +00:00
Zuul
90fd94380f Merge "Auto-install system-local-ca RCA as trusted" 2024-06-12 21:26:43 +00:00
Zuul
2b8f3c760e Merge "Increase socket receive size on IPsec server" 2024-06-12 15:25:58 +00:00
Marcelo Loebens
4d5ef21966 Auto-install system-local-ca RCA as trusted
Use cert-mon to monitor and install system-local-ca's RCA
as a trusted CA upon changes in the secret.

This RCA anchors the platform certificates (OpenLDAP, Docker
Registry, REST API/GUI and such), and needs to be trusted
by the platform.

A known issue with OpenSSL results in problems when a new
RCA with the same subject as an existing one is added to the
trusted bundle. Cert-mon will remove an existing RCA if
it has the same subject as the new one.

Test plan:
PASS: Run tox to validate the unit tests.
PASS: Bootstrap AIO-SX and DC + SX subcloud.
PASS: Run system-local-ca update.
PASS: Manually replaced system-local-ca 'ca.crt' with a RCA
      w/ same subject. Observed that cert-mon uninstalls the
      old RCA and installs the new one.

Story: 2009811
Task: 50275

Change-Id: I5a9cd1ad4063e24d8f5b976e922cc980aba2f612
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
2024-06-11 14:42:18 -04:00
Zuul
8eb8c5e5be Merge "Improve reapply evaluation for StarlingX apps" 2024-06-11 16:44:46 +00:00
Zuul
7c4ee5b972 Merge "access usm api via internal endpoint" 2024-06-10 17:57:47 +00:00
Heitor Matsui
5e53290ed6 Enable swact in USM deploy abort/rollback scenario
Currently the swact logic blocks the USM abort/rollback
scenario after controller-0 is rolled back.

This commit enables swacting between controllers
in an abort/rollback scenario for USM major release
deployment.

Test Plan
PASS: swact between controllers during USM abort
(Regression)
PASS: swact between controllers out of USM abort

Story: 2010676
Task: 50264

Change-Id: I3cc4c5c5c080bba4c3ff60c1591a4eab7339a16c
Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com>
2024-06-10 14:30:17 -03:00
Bin Qian
c6b51832da access usm api via internal endpoint
In an admin network configured DC, subcloud fails to unlock after
bootstrap, sysinv checks system upgrade state via admin network.

The fix is to change sysinv to access USM via internal endpoint.

TCs:
    passed: provisioned subcloud w/ admin network configured.
    passed: provisioned standalone SX w/o admin network configured.

Closes-Bug: 2068776

Change-Id: I71cee9bdb65d26b92708d2d89329791822f17a92
Signed-off-by: Bin Qian <bin.qian@windriver.com>
2024-06-10 14:58:59 +00:00
Zuul
d720c69cf6 Merge "New API for Admin address pool modification" 2024-06-07 19:16:43 +00:00
Zuul
4463794622 Merge "Implement new API for Management address pool modification" 2024-06-07 19:11:20 +00:00
Zuul
8e0ab5a37f Merge "Implement new API for OAM address pool modification" 2024-06-07 19:02:57 +00:00
Zuul
99902c7587 Merge "Implement Ansible bootstrap with dual-stack support for non-DC systems" 2024-06-07 17:31:49 +00:00
Manoel Benedito Neto
ca07cb8edb Increase socket receive size on IPsec server
This commit increases socket buffer receive size on IPsec server to
the same socket buffer receive size of IPsec client. This modification
ensures that packets exchanged during IPsec communication are readable
by both server and client.

Test Plan:
PASS: Full build, install, bootstrap and deploy a DX system with IPsec
      enabled. Observe that controller-0 and controller-1 are on
      unlocked enable available status and security associations are
      created between the controllers.

Story: 2010940
Task: 50294

Change-Id: I0a0928e598ed3f8c8296d17d1c53057cc07103a2
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
2024-06-07 14:40:39 +00:00
Lucas Ratusznei Fonseca
379667be29 New API for Admin address pool modification
This change enables modification of the address pools associated
to the Admin network via addrpool-modify and
network-addrpool-add / network-addrpool-remove commands.

Change summary
==============

- Admin network runtime reconfiguration
    All operations that lead to admin network changes trigger the
    runtime reconfiguration.

- DC route updates
    DC route update operations are triggered not only when an
    interface-network is created, but also when the gateway address
    is changed via addrpool-modify or when a network-address-pool
    relation is changed.

Test plan
=========

Installation tests
------------------

System: DC with AIO-SX subcloud, IPv4

[PASS] TC1 - Installation/bootstrap/unlock on VirtualBox

Online setup tests
------------------

System: AIO-SX subcloud

Initial setup:
  - Interface oam0: ethernet assigned to oam
  - Interface mgmt0: ethernet assigned to mgmt and cluster-host
  - Interface admin0: ethernet unassigned

Procedure:
  - Perform action
  - Check that network config in kernel is updated at runtime and
    matches database

[PASS] TC2 - Create admin network with gateway address
[PASS] TC3 - Assign network to admin0 interface
[PASS] TC4 - Modify network/prefix/ranges/addresses in the primary pool
[PASS] TC5 - Try to remove primary pool (fails)
[PASS] TC6 - Create secondary pool, assign secondary pool to network
[PASS] TC7 - Modify network/prefix/ranges/addrs. in the secondary pool
[PASS] TC8 - Remove secondary pool from network
[PASS] TC9 - Assign secondary pool to network again
[PASS] TC10 - Remove gateway address from primary pool
[PASS] TC11 - Add gateway address to primary pool

Rehoming test
-------------

[PASS] TC12 - Rehome AIO-SX subcloud

Story: 2011027
Task: 50136
Depends-On: https://review.opendev.org/c/starlingx/config/+/918961
Depends-On: https://review.opendev.org/c/starlingx/ha/+/920774
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/920775
Change-Id: I4d0538bfa37b015b09b6a0f16373a6de7b77b67a
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
2024-06-06 15:49:58 -03:00
Lucas Ratusznei Fonseca
e629f3c378 Implement new API for Management address pool modification
This change enables modification of the address pools associated
to the Management network via addrpool-modify and
network-addrpool-add / network-addrpool-remove commands.

Change summary
==============

- Management network reconfiguration
    All operations that lead to management network changes for AIO-SX
    set the management reconfiguration flag. Also, changes are only
    allowed if the host is locked.

- No proxy list
    The docker 'no proxy list' service parameter update logic was
    expanded to consider all scenarios in which the management
    network and associated entities can be changed:
    > The association between the management network and an interface
      is changed via interface-network-assign and
      interface-network-remove.
    > The management network is currently assigned to an interface and
      a network-address-pool association is created or removed.
    > The management network is currently assigned to an interface and
      an associated address pool is modified or deleted.

- Address pool overlaps
    Validation for address pool overlaps is done when an attempt is
    made to assign an address pool to a network (via
    network-addrpool-assign) or to an interface (via host-if-add or
    host-if-modify), and no longer when it is created. This means that
    multiple address pools with overlapped ranges can be created, as
    long as they are not assigned. The validation is also performed
    when editing an address pool that is already assigned.

- Other validations
    Several validations were made using the address pool name as
    reference, which made mandatory the use of specific names for
    certain address pools. All the validations are now made using
    database relations as reference.

Test plan
=========

Installation tests
------------------

Systems: AIO-SX, AIO-DX

[PASS] TC1 - Installation/bootstrap/unlock on VirtualBox, IPv4
[PASS] TC2 - Installation/bootstrap/unlock on VirtualBox, IPv6

Online setup tests
------------------

System: AIO-SX

Stacks: IPv4, IPv6

Initial setup:
  - Interface oam0: ethernet assigned to oam
  - Interface mgmt0: ethernet assigned to mgmt and cluster-host

Procedure:
  - Lock host
  - Perform action
  - Unlock host
  - Check that interface config matches database

[PASS] TC3 - Modify network/prefix/ranges/addresses in the primary pool
[PASS] TC4 - Try to remove primary pool (fails)
[PASS] TC5 - Create secondary pool, assign secondary pool to network
[PASS] TC6 - Modify network/prefix/ranges/addrs. in the secondary pool
[PASS] TC7 - Remove secondary pool from mgmt network
[PASS] TC8 - Assign secondary pool to mgmt network again

Story: 2011027
Task: 50068
Depends-On: https://review.opendev.org/c/starlingx/config/+/917689
Change-Id: I7966674c4432ea6a101c7c517ced9ab535969acb
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
2024-06-06 15:31:41 -03:00
Lucas Ratusznei Fonseca
4bb98c5ebb Implement new API for OAM address pool modification
This change enables modification of the address pools associated
to the OAM network via addrpool-modify and network-addrpool-add /
network-addrpool-remove commands.

Change summary
==============

- addrpool-modify
    The command was expanded to allow for editing of parameters that
    were previously unavailable:
      - network
      - prefix
      - floating-address
      - controller0-address
      - controller1-address
      - gateway-address

- network-addrpool-add / network-addrpool-remove
    The commands allow changing associations for the OAM network
    and trigger runtime reconfiguration for AIO-SX. For now, only
    the secondary address pool association can be changed.

- oam-modify / oam-show
    A deprecation warning was added to the commands.

Test plan
=========

Online setup tests
------------------

System:
  - AIO-SX
  - AIO-DX

Stacks:
  - IPv4
  - IPv6

[PASS] TC1 - Modify floating-address in the primary pool
[PASS] TC2 - Modify controller0-address in the primary pool
[PASS] TC3 - Modify controller0-address in the primary pool
[PASS] TC4 - Modify gateway-address in the primary pool
[PASS] TC5 - Try to modify only network/prefix in primary pool (fails)
[PASS] TC6 - Modify network/prefix/ranges/addresses in the primary pool
[PASS] TC7 - Try to remove primary pool (fails)
[PASS] TC8 - Add secondary pool
[PASS] TC9 - Modify network/prefix/ranges/addrs. in the secondary pool
[PASS] TC10 - Remove secondary pool

Installation tests
------------------

Systems: AIO-SX, AIO-DX

[PASS] TC11 - Installation/bootstrap/unlock on VirtualBox, IPv4
[PASS] TC12 - Installation/bootstrap/unlock on VirtualBox, IPv6

Story: 2011027
Task: 50003
Depends-On: https://review.opendev.org/c/starlingx/config/+/918088
Change-Id: Ic7346aebdd458b411bb07d20bfbd5ccaab437ef1
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
2024-06-06 15:19:52 -03:00
Zuul
09ae451257 Merge "New host label to share /dev/vhost-net with pods" 2024-06-06 15:25:39 +00:00
Zuul
4d6e486284 Merge "Enable optional host-fs ceph filesystem" 2024-06-05 21:00:29 +00:00
Caio Bruchert
8b75212309 New host label to share /dev/vhost-net with pods
The new label 'sriovdp-vhostnet=enabled' was added to allow
/dev/vhost-net and /dev/net/tun to be shared with containers.
When setting this label the needVhostNet parameter will be added to the
SR-IOV Network Device Plugin configuration file.

Test Plan:
PASS: assign the label and check that the devices appear inside the pod
PASS: remove the label and check that the devices won't appear inside
      the pod

Story: 2011131
Task: 50167

Change-Id: I28d222222d854aecb7cb0f9e37ad39c64b106941
Signed-off-by: Caio Bruchert <caio.bruchert@windriver.com>
2024-06-05 15:30:18 -03:00
Zuul
c0e5d7638a Merge "Fix host update command by not referencing mgmt_ip" 2024-06-05 10:32:00 +00:00
Teresa Ho
d43909af5a Fix host update command by not referencing mgmt_ip
When updating the host DB record, no need to update the mgmt_ip
since the attribute has already been deleted from the DB.

Test plan:
PASS: Host add/update of a controller node
PASS: Host add/update of a storage node

Story: 2010722
Task: 49835

Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
Change-Id: I1acaab48a65e5f4047e27aa2a54c3d35a28a5d7b
2024-06-04 13:49:28 -04:00
Igor Soares
d96f86495a Improve reapply evaluation for StarlingX apps
The RPC operation for evaluating whether applications need to be
reapplied was changed from a "call" operation to "cast". It was also
moved from the Kubernetes upgrade complete step to the delete step
instead.

The "call" operation meant that the response back to the user would be
delayed when finishing a Kubernetes upgrade as well as when performing
other actions. Also, exceptions raised along the reapply checks would
raise unwanted errors during the k8s upgrade completion process. The
reapply operation was moved to the kube-upgrade-delete step, since
applications can now be post updated in between completion and deletion
steps, therefore it makes more sense to trigger the evaluation after all
apps have been updated.

Test Plan:
PASS: build-pkgs -a && build-image
PASS: AIO-SX fresh install.
      lock/unlock node.
      Confirm that the reapply evaluation operation was triggered.
PASS: Upgrade Kubernetes from 1.24 to 1.25.
      Confirm that the reapply evaluation operation was triggered when
      running kube-upgrade-delete.
PASS: AIO-DX fresh install.
      Switch node activity.
      Confirm that the reapply evaluation operation was triggered
PASS: Reinstall node
      Confirm that the reapply evaluation operation was triggered
PASS: Delete node
      Confirm that the reapply evaluation operation was triggered
PASS: Modify node
      Confirm that the reapply evaluation operation was triggered

Closes-bug: 2067641

Change-Id: Ifdf1b47f10a2c29bc6515a6a8132849e63da5704
Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
2024-06-04 12:42:45 -03:00
Zuul
a967faadb5 Merge "Add unit test to new ceph-rook" 2024-06-04 14:49:10 +00:00
Zuul
609f1843a3 Merge "Add/delete host-stor for new ceph-rook" 2024-06-04 14:46:31 +00:00
Zuul
1a72cc8096 Merge "Add/delete/modify storage-backend for ceph-rook" 2024-06-04 14:32:35 +00:00
Gustavo Ornaghi Antunes
ff2f6d5031 Add unit test to new ceph-rook
The change added all unit tests to the ceph-rook backend, the tests
include:
 - tests about capabilities
 - tests about services
 - tests about deployment_model

All tests are for adding and modifying procedures, including valid and
invalid options in each test

Depends-On: https://review.opendev.org/c/starlingx/config/+/918749

Story: 2011117
Task: 50088

Change-Id: I06714f7e190221d835ecf7bc76f23726e6d5f1dc
Signed-off-by: Gustavo Ornaghi Antunes <gustavo.ornaghiantunes@windriver.com>
2024-06-04 08:13:23 -03:00
Gustavo Ornaghi Antunes
742f1b94e3 Add/delete host-stor for new ceph-rook
The host-stor-add command accepts adding new host-stor only if the
storage-backend is ceph, so now we need to change it to accept rook-ceph
as well.

This adds/modifies checks in host-stor-add to accept adding host-stor
OSD for new ceph-rook storage backend.

Test Plan:
 - PASS: Check host-stor can be added with OSD function
 - PASS: Check host-stor can be removed

Depends-On: https://review.opendev.org/c/starlingx/config/+/918749

Story: 2011117
Task: 50071

Change-Id: I660abab2313fd37cc20b2d255d355bba0d198613
Signed-off-by: Gustavo Ornaghi Antunes <gustavo.ornaghiantunes@windriver.com>
2024-06-04 08:13:15 -03:00
Robert Church
55a01519bd Enable optional host-fs ceph filesystem
This adds an optional ceph-lv filesystem to the cgts-vg volume group
which will be used to establish ceph specific storage on controllers and
workers. The presence of this filesystem on a particular host will be
used to determine where containerized Ceph services will be provisioned
via Rook.

Additional followup commits will be submitted that add state
information for the filesystem and institutes semantic checks limiting
when this filesystem can be added.

Other minor related changes:
 - Rename is_filesystem_enabled() to is_host_filesystem_enabled() to
   differentiate between controller and host filesystems
 - Change FS_CREATION_ALLOWED to HOSTFS_CREATION_ALLOWED to
   differentiate between controller and host filesystems

Test Plan:
 - PASS: Install AIO-SX with bare-metal Ceph
 - PASS: Install AIO-DX with bare-metal Ceph
 - PASS: Install 2+2 with bare-metal Ceph
 - PASS: add/remove optional ceph host-fs on controller-0/1
 - PASS: add/remove optional ceph host-fs on worker

Change-Id: Iba08543374281922e4e1f44ec9bb3326f7a22c08
Story: 2011117
Task: 50036
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/918449
Signed-off-by: Robert Church <robert.church@windriver.com>
2024-06-03 12:31:20 -05:00
Zuul
2bc81c3c22 Merge "Service parameter for pwd rules in keystone.conf" 2024-06-03 16:24:46 +00:00
Zuul
6d66ca4b01 Merge "Improve sysinv.log messages" 2024-06-03 15:39:39 +00:00
Zuul
2b23401f7c Merge "Update ceph-mon API to be only applicable to Ceph" 2024-06-03 15:39:28 +00:00
Zuul
07bd90bb7a Merge "Update the controllerfs API to support fs creation/deletion" 2024-06-03 15:22:41 +00:00
Fabiano Correa Mercer
0ee337e5bb Improve sysinv.log messages
Upon investigation, we have identified an opportunity to enhance the
messaging within the sysinv.log file.
Currently, during the initialization process, DNSMasq is initiated
following the readiness of the management_ip (IPv4/IPv6) and the
file system.
However, during the initial unlock phase following a fresh install,
we observed delays in certain services receiving DNS query results
despite DNSMasq being operational.
This issue predominantly manifests during the first unlock
post-installation, affecting services such as sysinv-api and
sysinv-conductor.
Consequently, error messages are logged in the sysinv.log as these
services encounter difficulties.
Fortunately, this issue does not adversely impact system functionality
as the SM effectively restarts these services.
To mitigate these error messages and ensure smoother operation,
we've introduced a new dependency within the SM.
Now, the sysinv-api service will commence only after DNSMasq is
operational, thereby reducing the likelihood of DNS-related issues
during startup.
However, due to constraints related to host-swact, a similar adjustment
cannot be made for sysinv-conductor at this time.
Additionally, we refined the DNSMasq start script to return only upon
successful resolution of a DNS query, streamlining its initialization
process.

Test Plan

AIO-SX fresh install
AIO-DX fresh install
AIO-DX host-swact

Story: 2010722
Task: 50220

Change-Id: I546a85861415d9b12c9073625ca5d2db6ebfa2e6
Signed-off-by: Fabiano Correa Mercer <fabiano.correamercer@windriver.com>
2024-06-03 10:14:48 -03:00
gcabral
9cc41b9f20 Update the controllerfs API to support fs creation/deletion
This commit adds support for creating and deleting a controller
filesystem. At the moment, only the creation of the controller
fs 'ceph-float' is allowed, used to establish ceph-specific
storage on controllers for Rook Ceph support.

The states below were introduced:

- 'drbd_fs_creating_in_progress': Status when creation is in
   progress. The standby controller must be locked when using
   the fs command.
- 'drbd_fs_creating_on_unlock': Status when using the create fs
   command after bootstrap and before the first unlock of
   controller-0.
- 'drbd_fs_deleting_in_progress': Status when deletion is in
   progress. The standby controller must be locked when using
   the fs command.
- 'drbd_fs_update_error': Status that indicates that there was a
   failure in creation/deletion, with the possibility of retry
   to be successful.
   * A new alarm was added to FM for controller-fs: 800.105.

Test Plan:
 PASS: AIO-SX / AIO-DX / Standard -> fresh install with Ceph Bare
       Metal using designer build with topic changes + Check that
       there is no interference or errors.
 PASS: AIO-DX -> Standby controller locked and ceph-rook as
       storage-backend + controller-fs add ceph-float=<size> +
       checking if everything is created correctly: lv, drbd and
       SM services.
 PASS: AIO-DX -> After bootstrap, add ceph-rook as storage backend
       + use controller-fs add ceph=<size> + check if controller_fs
       went to creation state on unlock + continue installation and
       check if after unlock controller-1 if everything is created
       correctly.
 PASS: AIO-DX -> with the ceph filesystem created, modify (resize)
       the new filesystem and some of the default ones, checking
       that is working properly.
 PASS: AIO-DX -> Lock/unlock + swact tests.
 PASS: AIO-DX -> Standby controller locked + controllerfs-delete
       ceph + checking if everything is deleted correctly: lv, drbd
       and SM services.
 PASS: Force operation to go to the state "drbd_fs_update_error" +
       Check if the alarm 800.105 is raised + retry the command that
       failed + Verify that the execution was successful and the
       alarm was cleared.

Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/919078

Story: 2011117
Task: 50073

Change-Id: I57dd9669ad8cddea81ec0692cd11435dae27dce4
Co-Authored-By: Robert Church <robert.church@windriver.com>
Signed-off-by: Gabriel de Araújo Cabral <gabriel.cabral@windriver.com>
2024-06-03 12:21:25 +00:00
Tara Subedi
9d21d26bef Implement Ansible bootstrap with dual-stack support for non-DC systems
These changes are done to support dependency of dual-stack
ansible bootstrap on ansible-playbooks.

Address-pool no longer looked-up based on hard-coded pool name
(e.g. management), rather derived from sysinv/database based on
network-type.

Note: Dual stack support for DC systems will be implemented in
a follow-up review.

TEST PLAN:
  PASS: AIO-SX dual-stack bootstrap: primary IPv6, secondary IPv4
           dual-stack config on localhost.yml as following:
           external_oam_subnet: fd00::/64,10.20.5.0/24
           external_oam_gateway_address: fd00::1,10.20.5.1
           external_oam_floating_address: fd00::10.20.5.3,10.20.5.3
           external_oam_node_0_address: fd00::10.20.5.4,10.20.5.4
           external_oam_node_1_address: fd00::10.20.5.5,10.20.5.5
           management_subnet: fd01::/64,192.168.204.0/24
           management_multicast_subnet: ff08::1:1:0/124,239.1.1.0/28
           cluster_host_subnet: fd02::/64,192.168.206.0/24
           cluster_pod_subnet: fd03::/64,172.16.0.0/16
           cluster_service_subnet: fd04::/112,10.96.0.0/12

           management_start_address: fd01::1,192.168.204.1

           dns_servers:
             - fd00::1

        Successful bootstrap
        system addrpool-list: shows both primary and secondary
            pools with correct addresses
        ip addr show: see mgmt/oam/cluster-host dual-stack
        ip route/ ip -6 route: default routes for oam
        Pods e.g. coredns showing dual-stack IP (correct address)
        unlock successful

  PASS: AIO-SX dual-stack bootstrap: primary IPv4, secondary IPv6
        dual-stack config on localhost.yml as following:
        external_oam_subnet: 10.20.1.0/24,fd00::/64
        external_oam_gateway_address: 10.20.1.1,fd00::1
        external_oam_floating_address: 10.20.1.3,fd00::10.20.1.3
        external_oam_node_0_address: 10.20.1.4,fd00::10.20.1.4
        external_oam_node_1_address: 10.20.1.5,fd00::10.20.1.5
        management_subnet: 192.168.204.0/24,fd01::/64
        management_multicast_subnet: 239.1.1.0/28,ff08::1:1:0/124
        cluster_host_subnet: 192.168.206.0/24,fd02::/64
        cluster_pod_subnet: 172.16.0.0/16,fd03::/64
        cluster_service_subnet: 10.96.0.0/12,fd04::/112

        management_start_address: 192.168.204.1,fd01::1

        dns_servers:
         - 128.224.144.130

        Successful bootstrap
        system addrpool-list: shows both primary and secondary
            pools with correct addresses
        ip addr show: see mgmt/oam/cluster-host dual-stack
        ip route/ ip -6 route: default routes for oam
        Pods e.g. coredns showing dual-stack IP (correct address)
        unlock successful

  PASS:  AIO DX primary:IPv4, secondary:IPv6
           bootstrap and unlock and swact to see nothing breaks
  PASS:  AIO DX primary:IPv6, secondary:IPv4
           bootstrap and unlock and swact to see nothing breaks
  PASS:  Standard primary:IPv4, secondary:IPv6
           bootstrap and unlock to see nothing breaks
  PASS:  Standard primary:IPv6, secondary:IPv4
           bootstrap and unlock to see nothing breaks
  PASS: AIO SX IPv4: bootstrap and unlock and backup/restore
  PASS: AIO SX IPv6: bootstrap and unlock and backup/restore
  PASS: DC IPv4 (DX system controller, SX subcloud):
        - bootstrap and unlock to see nothing breaks
        - subcloud bootstrap replay: change networking config
           (added secondary IPv6 stack on management_subnet)
           of subcloud's localhost.yml and re-run bootstrap
           playbook: addrpool-list and "ip addr show" reflects
           changes.

Story: 2011027
Task: 50144

Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/917254
Change-Id: Id0ac553abdd8affbfa2fe18853e9100ae6aa5226
Signed-off-by: Tara Nath Subedi <tara.subedi@windriver.com>
2024-05-31 15:02:46 -04:00
gcabral
4ec6690ef3 Update ceph-mon API to be only applicable to Ceph
This commit introduces changes to make ceph-mon API available
only for systems that have Ceph as the storage backend.

Test Plan:
 PASS: AIO-SX/AIO-DX/Standard -> Fresh install with Ceph bare
       metal.
 PASS: In the above systems, Check that all ceph-mon commands do
       not have restrictions on the system's storage backend and
       are working properly.
 PASS: AIO-DX -> Fresh install with Rook Ceph as storage-backend
       + Check if the restriction is present when attempting to
       create a ceph-mon.
 PASS: AIO-DX -> Fresh install without any storage backend +
       Check if the restriction is present when attempting to
       create a ceph-mon.

Story: 2011117
Task: 50098

Change-Id: I700cee85f574869e87c091fb3b9a478a3b569e0a
Signed-off-by: Gabriel de Araújo Cabral <gabriel.cabral@windriver.com>
2024-05-31 15:07:22 -03:00
Zuul
776636f503 Merge "Add region name support for VIM hieradata" 2024-05-31 14:00:58 +00:00
Gustavo Ornaghi Antunes
bfd0b03eb3 Add/delete/modify storage-backend for ceph-rook
This change add/delete/modify storage-backend commands,
including the following changes:
 - Check if there is ceph or ceph-rook in the system, only one is
   allowed, never both
 - deployment_model argument, use: -d or --deployment
 - Add default deployment model for ceph-rook backend
 - disallow if the deployment model is not supported
   (supported values: controller, dedicated and open)
 - Initial state for ceph-rook backend is configuring-with-app
 - Add default services for ceph-rook backend
 - Add supported services check for ceph-rook backend
 - disallow modify ceph-rook backend if deployment model is from
   controller to dedicated if controller hosts have OSDs deployed
 - disallow modify ceph-rook backend if deployment model is from
   dedicated to controller if worker hosts have OSDs deployed

Test Plan:
 - PASS: allow/disallow adding ceph-rook backend if ceph already in
         system
 - PASS: Check if the deployment model value is added in capabilities
         column in storage_backend
 - PASS: Check if it is not allowed to insert/modify another type of
         deployment model in storage_backend.
 - PASS: Check if storage_backend state is aligned with host lock/unlock
 - PASS: Check that when host is unlocked the storage_backend state has
         been updated.
 - PASS: Check if default values have been added to storage_backend
 - PASS: Check if it is not allowed to insert/modify another type of
         service in storage_backend services
 - PASS: Check if modify ceph-rook backend is allowed from controller to
         dedicated if controller hosts have no OSDs deployed
 - PASS: Check if modify ceph-rook backend is allowed from dedicated to
         controller if worker hosts have no OSDs deployed
 - PASS: Check if delete ceph-rook backend is allowed only if the app
         does not exist
 - PASS: Check if ceph-rook backend can not be modified if app is in
         transition state

Story: 2011117
Task: 50062

Change-Id: I5be1323d3ac08cff02d859bd8e414814bc378c4f
Signed-off-by: Gustavo Ornaghi Antunes <gustavo.ornaghiantunes@windriver.com>
2024-05-31 08:39:05 -03:00
Zuul
82e91b2eb5 Merge "Improvement log error indicating namespace not found" 2024-05-29 18:53:54 +00:00
Zuul
1c3a66f66c Merge "Improve robustness of ipsec-config's ocf script" 2024-05-29 17:51:24 +00:00
Andy Ning
3992a3fa90 Improve robustness of ipsec-config's ocf script
This update made various improvements to the ipsec-config's ocf script
to make it more resilient to error conditions. Particularly when the
swanctl.conf points to the wrong version of config file, the
ipsec-config service will correct it based on whether the host is
active or standby controller.

Test Plan:
PASS: In a DX system, swact controllers back and forth, verify after
      swact, swanctl.conf points to the correct version of swanctl
      config file, IPsec SAs established, both controllers are in
      unlocked|enabled|available state.
PASS: In a DX system, lock standby controller, then force reboot active
      controller by "reboot -f", verify that the swanctl.conf points to
      the swanct_standby.conf when it boots up, and then it is
      corrected to point to swanctl_active.conf by ipsec-config when SM
      services start up, also IPsec SAs are established between
      controllers. Eventually both controllers are in
      unlocked|enabled|available, system is stable with no reboot.
PASS: In a DX system, reboot both controllers, verify that the
      swanctl.conf points to the swanct_standby.conf when they boot up,
      then the symlink on active controller is corrected by
      ipsec-config when SM services start up, also IPsec SAs are
      established between controllers. Eventually both controllers are
      in unlocked|enabled|available, system is stable with no reboot.
PASS: In a DX system, manually link a wrong config file to
      swanctl.conf, verify that the ipsec-config service corrects it.

Story: 2010940
Task: 50198

Change-Id: I9fc028eb7a0ed296f9dd47b92c2b53302e845ac3
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2024-05-29 13:18:37 -04:00
David Bastos
46cb112872 Improvement log error indicating namespace not found
Namespace not found error message is shown in sysinv.log when an application that has a specific namespace is uploaded.

This log is expected and has no impact on the system. This
happens due to the command "kubectl -k <manifest_dir>
--dry-run=server". If the application has a specific namespace that
the system does not yet have, the command shows this error. But
there is nothing to worry about, as the namespace is created within
the apply process.

To avoid misinterpretations, this log has been suppressed.

Test Plan:
PASS: Add the new log to kube_app.py and restart sysinv.
PASS: During the application upload process, the log that says the
      namespace was not found no longer appears.

Closes-Bug: 2067070

Change-Id: I6e56c338c9789c686381c330be65ec109a3f0b50
Signed-off-by: David Bastos <david.barbosabastos@windriver.com>
2024-05-29 14:15:19 -03:00
Zuul
d589382f22 Merge "Support verify and cert in cgtsclient upload cmd" 2024-05-29 16:12:37 +00:00
Zuul
dd9456f232 Merge "Fix support for generic StarlingX apps" 2024-05-29 15:40:29 +00:00
Zuul
af79457839 Merge "deploy activate, keystone db migration script" 2024-05-29 15:11:49 +00:00
Zuul
208e2366ea Merge "Standardize supported k8s version formats" 2024-05-29 14:39:20 +00:00
Joseph Vazhappilly
7ca49b48c5 Support verify and cert in cgtsclient upload cmd
Cgtsclient uses the post method of the request module to upload files and
does not use the verify and cert options of the post method. This causes
failure when doing insecure upload like in license-install command.

This change updates cgtsclient to use verify and cert options of
post method, when using upload commands.

Test Plan:
PASS: Verify upload with SessionClient using verify & cert options
PASS: Verify upload with HTTPClient using verify & cert options
PASS: Verify insecure, ca-file, cert-file & key-file in cgtsclient

Closes-Bug: 2067447

Change-Id: Icb9aca3d69ddd2e8b7882f0ce6907f18feccd28e
Signed-off-by: Joseph Vazhappilly <joseph.vazhappillypaily@windriver.com>
2024-05-29 01:51:38 -04:00
Igor Soares
66e59f016d Fix support for generic StarlingX apps
This commit fixes the support for StarlingX applications that do not
provide any plugins, also known as generic apps. Two changes were
required to fix that regression:

  * Check if the app is generic when retrieving its charts. A previous
    commit [1] introduced a check to verify whether charts are enabled,
    which caused false negatives because generic apps do not provide
    plugins to tell if they are enabled or disabled. In light of that,
    all charts provided by generic apps should be considered as enabled.
  * Swap the order that the "_get_list_of_charts" and
    "generate_helm_application_overrides" methods are called during the
    application apply process. The call to
    "generate_helm_application_overrides" requires application charts to
    be passed as a parameter, so "_get_list_of_charts" should be called
    first.

In addition, an error log message was added to cover the scenario where
no application charts are found. That will provide better information
for developers that eventually make mistakes when structuring their
apps. Otherwise, the apply process would silently abort with no clear
error.

[1] 967eedadb7

Test Plan:
PASS: build-pkgs -a && build-image.
PASS: AIO-SX fresh install.
PASS: Upload/apply/remove/delete generic app.
PASS: Upload dell-storage app.
      Enable csm-replication replication chart.
      Apply user overrides.
      Apply dell-storage.
      Confirm that the enabled chart was installed.
      Remove/Delete dell-storage.

Closes-bug: 2067430

Change-Id: Ib6fbd53209e19b12c5dbedc3584e04f8261363f4
Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
2024-05-28 19:12:03 -03:00
Bin Qian
307135c64b deploy activate, keystone db migration script
Convert keystone database migration to a migration script at major
release deploy activate, to replace the logic in [1].

[1]: https://opendev.org/starlingx/config/src/branch/master/controllerconfig/controllerconfig/controllerconfig/upgrades/management.py#L340-L354

Story: 2010676
Task: 50081

TCs:
    Passed: USM major release deploy activate completed successfully
    Passed: USM major release deploy activate failed
    Passed: USM major release deploy activate after activate failed

Change-Id: Ie6529733c2db231db03d7253a8a716cb0899fd8a
Signed-off-by: Bin Qian <bin.qian@windriver.com>
2024-05-28 21:54:07 +00:00
Joshua Kraitberg
e3e399508a Add region name support for VIM hieradata
Region name was not being correctly updated to match correct value.
This led to the VIM services having the wrong region name and failing.

TEST PLAN
PASS: On SX subcloud (with UUID region name), verify VIM config for
correct region names

Story: 2011045
Task: 50208
Change-Id: I896b1bf8898886ee5962bb4cce6e955a70a91ff7
Signed-off-by: Joshua Kraitberg <joshua.kraitberg@windriver.com>
2024-05-28 11:59:42 -04:00