This change added ipsec-auth client invocation in controller_config,
worker_config and storage_config init scripts that will run during
first reboot after installation, to configure and enable IPsec for the
node.
Note that IPsec for the first controller is configured and enabled by
bootstrap ansible playbook. So the invocation of ipsec-client is
skipped in controller_config.
Test Plan:
PASS: DX system, install controller-0, bootstrap and unlock, verify
IPsec is configured and enabled.
PASS: Install controller-1, verify IPsec is configured and enabled
after first reboot, SAs are established, and controller-1 is
online.
PASS: Install a worker node, verify IPsec is configured and enabled
after first reboot, SAs are established, and the worker node is
online.
PASS: After controller-1 and worker hosts are unlocked, verify SAs are
established among all hosts, and all nodes are in unlocked,
enabled and available states.
PASS: DC system with SX subcloud, verify System Controller and subcloud
are deployed successfully. In central cloud, SAs are established
among all hosts, all nodes are in unlocked, enabled and available
states.
Verify subcloud is online, managed, and all resources are in
in-sync states.
Verify user can ssh to subcloud.
Story: 2010940
Task: 50021
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/917868
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I5572b4b50238c0c5e76cc04cabd24078e9defa5b
StarlingX stopped supporting CentOS builds after release 7.0.
This update will strip CentOS from our code base. It will also remove
references to the failed OpenSUSE feature as well.
Story: 2011110
Task: 49944
Change-Id: I8cd4e23ab83f2fe064fa1f88553eb32a69a67265
Signed-off-by: Scott Little <scott.little@windriver.com>
This commit removes the usage of the mgmt_ip in the host table in
favor of either controller FQDN for AIO-SX or the management address
configured in the address table.
Test Plan:
PASS: AIO-SX and AIO-DX virtualbox installation IPv4/IPv6
PASS: Standard virtualbox installation IPv6
PASS: DC virtualbox installation IPv4 ( AIO-SX/DX subclouds )
PASS: AIO-SX and AIO-DX installation IPv4/IPv6
PASS: AIO-DX plus installation IPv6
PASS: DC IPv6 and subcloud AIO-SX
PASS: AIO-DX host-swact
PASS: DC IPv4 virtualbox with subcloud AIO-DX and AIO-DX
PASS: AIO-SX to AIO-DX migration
PASS: netstat -tupl ( no services are using the MGMT IP address )
PASS: Ran sanity/regression tests
PASS: Backup and Restore for AIO-SX/AIO-DX / DC subcloud AIO-SX
PASS: Add and unlock worker node on a deployed standard system
Story: 2010722
Task: 48567
Depends-on: https://review.opendev.org/c/starlingx/config/+/886208
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
Change-Id: Id2a79ee291b4f706611ebd8eeceaed31e6ca5aa5
The Debian packaging has been changed to reflect all the
git commits under the directory, and not just the commits
to the metadata folder.
This ensures that any new code submissions under those
directories will increment the versions.
Test Plan:
PASS: build-pkgs -p config-gate
PASS: build-pkgs -p controllerconfig
PASS: build-pkgs -p storageconfig
PASS: build-pkgs -p cert-alarm
PASS: build-pkgs -p cert-mon
PASS: build-pkgs -p cgts-client
PASS: build-pkgs -p sysinv-agent
PASS: build-pkgs -p sysinv
PASS: build-pkgs -p tsconfig
PASS: build-pkgs -p workerconfig
Story: 2010550
Task: 47305
Signed-off-by: Luis Sampaio <luis.sampaio@windriver.com>
Change-Id: I50ac37d06740cc096711c136ad815dcdf54528bf
Copy k8s-coredump token on install for secondary
controller nodes and worker nodes.
Test Plan:
PASS: Install and bootstrap Standard system
PASS: Verify if /etc/k8s-coredump-conf.json file is
created on all controller and compute nodes.
Regression:
PASS: After bootstrap, create and crash a pod with
annotations configured and verify if coredump
is generated on pod namespace on each node.
PASS: After bootstrap, crash a non k8s application
and verify that the coredump is generated as
previously (by systemd-coredump) on each node.
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/864113
Closes-bug: 1996054
Signed-off-by: Heron Vieira <heron.vieira@windriver.com>
Change-Id: Ib15b84ca8cc8ca870a21d314f6ee2b7193532aa1
This work:
- is part of Debian integration effort.
- affects Debian only
- will allow puppet manifests to be applied on worker node at
unlock/reboot time.
This specific commit:
- allows controllerconfig and workerconfig-standalone packages
to coexist on the same iso by letting files be selected at runtime
- lets workerconfig service be installed by systemd
- drops the Makefile usage for workerconfig-standalone to simplify
debian packaging.
Future work will account for storageconfig package to coexist with
controllerconfig and workerconfig.
Tests on Debian:
PASS: controllers unlocked on Standard
PASS: workerconfig started puppet manifest apply on worker node
PASS: controllers unlocked on AIO-DX
PASS: controllerconfig is running on AIO-DX,
controllerconfig is running on Standard,
workerconfig is not running on controller node AIO-DX & Standard,
workerconfig is running on worker node
Depends-On: https://review.opendev.org/c/starlingx/metal/+/852170/
Story: 2010211
Task: 45951
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: I308c7a10767c09c4781fd435d8192b250a8dba7b
Add debian packaging directory to build workerconfig for
Debian.
Story: 2009101
Task: 43021
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I3f6bac8a60f1fe77efb54f2e549df3dd716eb7ce
Create a single puppet manifest for AIO controllers.
This change includes:
1. remove workerconfig from an AIO controller deployment
2. running puppet based on subfunctions of the nodes
Depends-on: https://review.opendev.org/c/starlingx/stx-puppet/+/780600
Partial-Bug: 1918139
Signed-off-by: Bin Qian <bin.qian@windriver.com>
Change-Id: Ie3693219e3c19460ac5b617cc216cbc809ec2403
This update makes use of the PKG_GITREVCOUNT variable to auto-version
the packages in this repo.
Change-Id: I3a2c8caeb4b4647608978b1f2ccfcf0661508803
Depends-On: https://review.opendev.org/727837
Story: 2006166
Task: 39766
Signed-off-by: Don Penney <don.penney@windriver.com>
Add the following to setup the environment which allows the subcloud
to use central-cloud's local registry via the OAM interface
- controller_config:
copy registry.central certificate from the shared directory to
docker certificate directory
- worker_config:
copy registry.central certificate from the shared directory to
docker certificate directory
- sysinv:
Add a new network type for system controller OAM network
Retrieve the system controller's OAM floating IP address
from DB and populate the hiera record for dnsmasq
Add a public URL encoded address for haproxy
Depends-On: https://review.opendev.org/#/c/690082/
Change-Id: Ibbc7f0ed84679a3ced3a9fee712bd1da5865f213
Partial-Bug: 1846799
Signed-off-by: Tao Liu <tao.liu@windriver.com>
These files will be extracted by the _service file that is managed
by OBS.
These do not affect the CentOS build.
Story: 2006723
Task: 37133
Change-Id: Iec8329ca2c7d6442cd41436c291eae79326052fb
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The disable_worker_services file was originally created
to prevent the (bare metal) nova-compute services from
running on a newly upgraded controller in an AIO-DX
configuration. This situation no longer exists because
the bare metal nova-compute services do not exist after
transiting to containers. This flag is no longer needed.
Removing all references to the disable_worker_services file.
Change-Id: I551122d0383eb7f7d6e53defa4010e1d62c1c899
Partial-Bug: #1838432
Signed-off-by: marvin <weifei.yu@intel.com>
Build Service Management using Open Build Service (OBS) with the following
base artifacts:
- Specfile
- Changelog
OBS is a generic system to build and distribute binary packages from
sources [0], StarlingX OBS Project:
- Cloud:starlingx:2.0 [1]
[0] openbuildservice.org
[1] https://build.opensuse.org/project/show/Cloud:StarlingX:2.0
Story: 2006508
Task: 36549
Task: 36550
Change-Id: Ie42be9038b8ddb2257a2b97c26404b82e428a680
Signed-off-by: Hayde Martinez <hayde.martinez.landa@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
To build RPM packages for openSUSE in OBS infrastructure, it's
required for the services to have an init script compliant to LSB.
Change-Id: I59fa2f2e0a18de5a8e6a08d468ae09e8e3f9d91d
Story: 2005679
Task: 33677
Signed-off-by: Marcela Rosales <marcela.a.rosales.jimenez@intel.com>
Addresses several issues with deploying IPv6 based network deployments:
- kubelet node IP assignment for IP version detection
- calico upversion to fix router ID generation from hash
- calico configuration specific to IPv6
- multus configuration specific to IPv6
- ansible bootstrap playbook updates to wrap IPv6 addresses
- ansible bootstrap updated to use Jinja2 templates
- puppet configuration for platform services with IPv6 addresses
- IPv4 and IPv6 IP forwarding sysctl setup
- docker registry does not support URL encoded IPv6
- armada does not support IPv6 address binding
NOTE:
The Puppet ERB templates were updated to maintain config_controller
functionality, but the files moved to Jinja2 templates should be removed
once config_controller is completely removed.
Change-Id: I815035c679e61250099c74b1239f19bcc72733a0
Depends-On: https://review.opendev.org/662292
Closes-Bug: #1830779
Signed-off-by: Matt Peters <matt.peters@windriver.com>
This commit adds functionality for Docker registry to authenticate
using Keystone.
First, this commit contains puppet changes which are required to
manage the new token server required for Keystone authentication.
Second, with proper authentication now implemented, we are removing
the "insecure" flag for the controller registry in the "daemon.json"
file in "/etc/docker".
With the "insecure" flag removed, Docker will start complaining about
certificate issues. This commit also includes generation of default
certificates suitable for use by Docker registry as well as a sysinv
command "system certificate-install -m docker_registry" to update the
certificate.
Docker registry token server works only with PKCS1 style keys while we
would like to use PKCS8 keys by default. This is why our default
certificate and installed certificate create both a PKCS1 style key as
well as a PKCS8 style key. The keys are installed to
"/etc/ssl/private/" as registry-cert.crt, registry-cert.key, and
registry-cert-pkcs1.key.
Story: 2002840
Task: 22783
Depends-On: https://review.openstack.org/#/c/626354/
Change-Id: I0127bd5f10f3950739678929b92eb1b77e2119db
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
In order to avoid conflicts with containerized services
binding to standard HTTP (80) / HTTPS (443) port numbers,
the default port numbers are changed to 8080 and 8443.
Furthermore, CLI commands are provided to allow binding
to alternate port numbers.
List of changes:
. Add service parameters for HTTP and HTTPS port
. Configure the lighttpd ports via puppet and use port
8008 for platform horizon
. Add http port to platform.conf for the config scripts
. Support helm repo URL update
. Add helm-toolkit plugin for location override
. Override Armada manifest location
. Add installer base URL option to pxeboot-update
script
. Add a patching run time class to restart patch-agent
when the port config is changed
. Add a semantic check to block port config when a
patching operation is in progress or a host is not
in unlocked/enabled state
CLI commands for viewing and updating port numbers are:
system service-parameter-list --service http
system service-parameter-modify lighttpd port http=8090
system service-parameter-apply lighttpd
Tests Performed:
Non-containerized deployment installation and sanity
AIO-DX: Sanity and Nightly automated test suite
2+2 System: Sanity and Nightly automated test suite
2+4+6 System: Sanity and Nightly automated test suite
Kubernetes deployment on VBox:
AIO-SX: application apply and launch instance
AIO-DX: application apply and launch instance
2+2 System: application apply and launch instance
HTTP/HTTPS port configuration
Enable/Disable https
Story: 2004642
Task: 28592
Change-Id: I65029e0c15aaf626acb56ab71e7bbde64c7e76a8
Signed-off-by: Tao Liu <tao.liu@windriver.com>
This update replaced the compute personality & subfunction
to worker, and updated internal and customer visible
references.
In addition, the compute-huge package has been renamed to
worker-utils as it contains various scripts/services that
used to affine running tasks or interface IRQ to specific CPUs.
The worker_reserved.conf is now installed to /etc/platform.
The cpu function 'VM' has also been renamed to 'Application'.
Tests Performed:
Non-containerized deployment
AIO-SX: Sanity and Nightly automated test suite
AIO-DX: Sanity and Nightly automated test suite
2+2 System: Sanity and Nightly automated test suite
2+2 System: Horizon Patch Orchestration
Kubernetes deployment:
AIO-SX: Create, delete, reboot and rebuild instances
2+2+2 System: worker nodes are unlock enable and no alarms
Story: 2004022
Task: 27013
Change-Id: I0e0be6b3a6f25f7fb8edf64ea4326854513aa396
Signed-off-by: Tao Liu <tao.liu@windriver.com>