Changed image tag from stx.6.0-v1.0.1 to stx.8.0-v1.0.2
Story: 2009831
Task: 46404
Depends-On: https://review.opendev.org/c/starlingx/root/+/857468
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
Change-Id: I2431dce863cd24a7fccdb2868a73ba754b407d72
This commit fixes an issue where trying to install the same certificate
again results in a 'Cannot install certificate with same subject'. That
is incorrect and should be thrown only for a different certificate with
the same subject.
Test Plan:
PASS: Manage a subcloud and verify that it's able to synchronize certs
without the 'Cannot install certificate with same subject' error
PASS: Try to install the same certificate multiple times and verify
that no 'Cannot install certificate with same subject' error
is returned
PASS: Try to install two different certificates with same subjects and
verify that a 'Cannot install certificate with same subject' error
is returned
Closes-Bug: 1990007
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: I17861145f20b8e1ef61896c3271a96a28fe9ded2
This commit:
Adds an upgrade script to call the ansible playbook
upgrade-openldap-certificate.yml and create the openldap certificate
during the upgrade activate stage.
Changes the puppet plugin code for ldap to read the openldap
certificate only in activate statuses during an upgrade.
Fixes an issue with certificate_shell where it may call len() for a
certificate that does not have the subject information, resulting in a
NoneType error.
Test Plan:
PASS: Upgrade from stx 22.06 to 22.12 and verify that the openldap
certificate is successfully created in kubernetes
in upgrade activate stage
PASS: After certificate is created in kubernetes, verify that the
certificate and key are read by puppet and saved to files
in /etc/ldap/certs
PASS: After certificate is created in kubernetes, verify that the
certificate is picked up by cert-mon and saved to database
and shown in 'system certificate-list'
Story: 2009834
Task: 45933
Change-Id: Ia4b9d1921b1e7afdc29f398f902faf2a8bf1e25b
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856556
ptp4l configuration needs the correct VLAN interface name for the
port section.
For example: if the VLAN interface creates the Linux interface named
'vlan100@enp0s8', the port section must be 'vlan100' and not 'enp0s8'
nor 'vlan100@enp0s8'.
Test Plan:
PASS: Assign VLAN interface to PTP instance
PASS: Assign bond interface to PTP instance
PASS: Assign eth interface to PTP instance
Closes-Bug: 1989797
Signed-off-by: Caio Bruchert <caio.bruchert@windriver.com>
Change-Id: I953fee83151bc1546786e495514c9352c8ccfc0a
This commit adds listeners to monitor the change of keystone
service users' passwords, apply puppet runtime manifest to
update the service configuration and restart the related
services.
Tests passed:
1 Update keyring users' password
2 Change keystone users' passwords with OpenStack CLI
3 Verified the configuration updated
4 Verified the service w/o auth failure
5 No host swact during the apply, no FM alarm created at the
end of the process
Note:
1. the password synchronization between keyring and keystone
is not included in this review.
2. the update of the secure static hieradata is not included
in this change due to upgrade concerns, users need to update
the hieradata manually. E.g. the subcloud_rehome playbook
will add a task to migrate the passwords in the hieradata
during subcloud rehoming.
3. the unit tests will be delivered by another task in this
story.
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/853708
Story: 2010230
Task: 46074
Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I1a2dbc8b1e0bd03c2086895818729b2283b0fb96
This change allows users to do global customization
of kubelet and control plane components during
the runtime process.
* Validations have been relaxed to enable creation of
new sections in kubernetes service through service-parameter.
i.e.: kube_apiserver, kube_scheduler, kube_controllerManager,
kubelet.
* Validations have been relaxed to enable creation of
new parameters in kubernetes service through service-parameter.
* Upgrade script has been added in order to migrate the parameters
(oidc_issuer_url, oidc_client_id, oidc_username_claim,
oidc_groups_claim) to (oidc-issuer-url, oidc-client-id,
oidc-username-claim, oidc-groups-claim)
Test Plan:
* Fresh Install: AIO-SX, Standard.
* B&R and Upgrade: AIO-SX, Standard.
* Create, modify, delete supported parameters and verify changes.
* Add and apply not supported parameters and verify kube-apiserver auto
restore process.
* Validate launch example Pods, for both simplex and duplex systems.
Story: 2009766
Task: 44378
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/827760
Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
Change-Id: I8e1311a78bf9e1419d76d4d19777a847a53e82f4
This commit aims to do a cleanup in the _agent_audit, removing the
deprecated RemoteError exception snippets and the _audit_tpm_device
which isn't supported anymore. Also, splits the _agent_audit into
_inventory_audit and _lldp_audit, each one with its own interval
value.
TEST PLAN:
PASS: AIO-SX: Manually replaced this file into an installation.
PASS: AIO-SX: Rebuild the whole system with the changes without
crashes.
PASS: AIO-SX: bootstrap and unlocked system, no errors.
PASS: AIO-SX: followed sysinv logs to make sure the audits are being
called during the period.
Story: 2010087
Task: 46173
Signed-off-by: Caio Cesar Ferreira <Caio.CesarFerreira@windriver.com>
Change-Id: I3215a5a10e7ec4d10985fc16f1a2bad3617c1cd4
This change updated provider_uri to be 'ldaps' so openldap syncrepl
will be secure over TLS.
This change also updated puppet tox unit tests accordingly.
Test Plan:
PASS: DX system deployment
PASS: Check syncrepl section in slapd.conf.backup, it should contain:
provider=ldaps://<controller>
tls_cert="/etc/ldap/certs/openldap-cert.crt"
tls_key="/etc/ldap/certs/openldap-cert.key"
tls_cacert="/etc/ssl/certs/ca-certificates.crt"
tls_reqsan=demand
PASS: On one controller, add a new openldap user, and check the
newly added user exists on the other controller by:
ldapsearch -xH ldaps://<the other controller>
-b 'ou=people,dc=cgcs,dc=local' '(objectclass=*)' |
grep <the newly added user>
PASS: After active controller swact, repeat TC #3 again.
Story: 2009834
Task: 46245
Depends-On: https://review.opendev.org/c/starlingx/config-files/+/856769
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If59016555e0762693ce3e9eeea33ae61e7dda4b1
The current device image cache directory is off /usr which is
a read-only filesystem in Debian. It is moved to /var, a read-write
filesystem, so that image cache directory can be created during
firmware update on Debian. The directory structure is unchanged for
CentOS.
Test Plan:
Verified: The device image cache directory can be created during
FW update on Debian. And the code changes would not
impact CentOS.
Story: 2010119
Task: 46230
Signed-off-by: lzhu1 <li.zhu@windriver.com>
Change-Id: Ic1c4db352a0032395dab853cbfb7f886e009cbfa
It was detected that the command 'system dns-modify' updates the
resolv.conf correctly but after reboot the resolv.conf
is overwritten with old values.
The reason was that the system.yaml was being updated but the code
was not calling the script puppet-manifest-apply.sh to update
YAMLs in the path that puppet will use.
Changed code to use puppet runtime class and the right
function to update YAMLs and call puppet-manifest-apply.sh.
Test Plan (DEBIAN: Standard CENTOS: AIO-DX):
PASS Modify DNS and check resolv.conf in both controllers
PASS Modify DNS and reboot both controllers
PASS Install AIO-DX in VBox using ISO with this fix
PASS Install Standard in VBox using ISO with this fix
Closes-Bug: #1989142
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/856560
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Change-Id: Ic0b2790bc3a92526efd459e4103380461c541f0d
Do not enter the code branch that tries to read the openldap certificate
on sysinv startup and is causing an error during 22.12 upgrade.
This is a temporary fix to allow the upgrade to run. A subsequent code
change to create the openldap certificate during the upgrade and then
remove this check will be done later.
Test Plan:
PASS: Install fresh iso and verify that certificate and key files are
created and there are no sysinv.log or puppet.log errors
PASS: Upgrade from stx 22.06 to 22.12 and verify that sysinv process
does not try to read certificates from kubernetes and there are
no sysinv.log or puppet.log errors
Story: 2009834
Task: 45933
Change-Id: Ie5201b6149f5dcec48e958fef3a4f987006b81be
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Depends-On: https://review.opendev.org/c/starlingx/config/+/855699
Currently, there is no path inside the appfwk to get an app
from 'remove-failed' state to any other state.
This commit makes it so that using remove --force
will prevent the app from being put in remove-failed
if the operation fails.
Instead, the app is put in 'uploaded' state
and a progress message warning about this is set.
remove --force can also be used to recover the app
from remove-failed state for a posterior delete.
Test Plan:
PASS: remove (without -f) results in remove-failed
state in case of an error
PASS: remove --force results in uploaded state
instead of remove-failed in case of an error
and the progress message is set.
(tested for apply-failed and remove-failed)
PASS: remove --force does not set the warning
progress message when the remove succeeds
Related-Bug: 1987115
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Iba659c05bf9abd28b0319e6c438141f9aa1c9240
Openldap is not running on subcloud so no openldap certificate
is created as k8s secret during bootstrap. But current sysinv ldap
plugin still tries to retrieve the certificate from k8s, causing
subcloud unlock to fail.
This change updated sysinv ldap plugin to not retrieve openldap
certificate for subcloud.
Test Plan:
PASS: subcloud deployment by "dcmanager subcloud add"
Closes-Bug: 1988601
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Iafbc5d6ff90735c07ac6850d2f76e9a6230a7a41
Debian and CentOS partition schemes differ, so in an upgrade
scenario from CentOS to Debian the hosts may report disk information
different from what is recorded in the database.
This commit allows deleting a PV that falls under these conditions
in the specific scenario of a CentOS -> Debian upgrade, and makes
audit check if reported partition data differs in some
fields to determine if they need to be updated.
Test Plan:
PASS: upgrade and unlock both controller-1 and controller-0 on Debian
and verify that disk and partition information is consistent
PASS: install, bootstrap and unlock AIO-SX on Debian
Story: 2009303
Task: 46078
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: Ia812612c96806a7f886f1997e96f95241e5e0447
Cert-mon can fail to install certificates during host-unlock because
this can be a busy moment for the system, especially for sysinv. This
happens when the system is under stress with high CPU load (usually
in virtual environments where many VMs are running in parallel).
This change only affects the cert-mon rest client.
Test plan:
PASS: Check if cert-mon is able to install certificates on host-unlock
under high CPU load
Story: 2009834
Task: 46166
Change-Id: I4ae92aa8d07e717401e815ac156dc60233383e14
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.
This change updated sysinv ldap puppet plugin to retrieve
openldap certificate and key from k8s certificate secret into
secure_system.yaml. The certificate and key will then be used by
ldap puppet to generate openldap certificate and key files for
secure openldap service.
Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: Openldap certificate and key files are generated, and slapd is
configured to use the certificate and key after controller is
unlocked.
PASS: sssd is connected to slapd on the secure port after unlock.
PASS: ldap functions work properly (ldap user creation, user login
on console and by ssh etc).
PASS: For DX system, ldap functions still work properly after swact.
Test Plan on CentOS:
PASS: ldap functions work properly (ldap user creation, user login
on console and by ssh etc)
Story: 2009834
Task: 46072
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Iec876c9b0a5698cf0b15781792443e99ddb5f4ec
Searched the code for unused RPCs and removed them.
Focus of this was to look only at sysinv-agent RPCs.
TEST PLAN:
PASS: Successful rebuild of the system.
PASS: Run all sysinv unit tests with 100% success.
PASS: Verify sysinv logs and check for errors.
PASS: AIO-SX and AIO-DX sysinv install/replace.
PASS: Successful AIO-SX and AIO-DX bootstrap.
PASS: Successful calls of system commands related to the API.
Story: 2010087
Task: 45672
Change-Id: I154bddbd3eb501e7aa0c51c9f74935e269a36fa8
Signed-off-by: Eduardo Juliano Alberti <eduardo.alberti@windriver.com>
Created a duplicate install of /etc/pmon.d/*.conf files
to /usr/share/starlingx/pmon.d/
This is part of an effort to allow pmon conf files
to be selected at runtime by kickstarts.
Test Plan:
PASS: duplicate conf on deb
Story: 2010211
Task: 46108
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ie707b832e2e440a224cd7ccd2761e5ca1bfff571
Details: This change is to avoid checking the signature file
that throws an exception on Debian.
The signature file object has a different type in CentOS and Debian
(StringIO vs BytesIO). The BytesIO has a fileno attribute but file
descriptor checking is not supported on Debian. Therefore,
we see an exception from checking the signature file's file descriptor.
This fix is to make sure we don't check the signature file's file
descriptor.
Test Plan:
PASS: run system load import on Debian OS
PASS: run system load import on CentOS
Task: 46094
Story: 2009303
Signed-off-by: Junfeng (Shawn) Li <junfeng.li@windriver.com>
Change-Id: Ieab68ea1354969ee7fcd2f24e8641586428441fd
Searched the code for unused RPCs and removed them.
Focus of this was to look only at sysinv-conductor RPCs.
TEST PLAN:
PASS: Successful rebuild of the system.
PASS: Run all sysinv unit tests with 100% success.
PASS: Verify sysinv logs and check for errors.
PASS: AIO-SX and AIO-DX sysinv install/replace.
PASS: Successful AIO-SX and AIO-DX bootstrap.
PASS: Successful calls of system commands related to the API.
Story: 2010087
Task: 45908
Change-Id: Ia091c1855b8e596f62f0d3d6f14807638aa10cc2
Signed-off-by: Eduardo Juliano Alberti <eduardo.alberti@windriver.com>
Fixed application-remove cmd putting app in 'remove-failed' state
when used to remove an app which doesn't have any resources
in kubernetes.
(eg.: application-apply failed to download docker images)
Added some missing error message logging.
Test Plan:
PASS: remove cmd changes app state from 'apply-failed' to 'uploaded'
when apply cmd failed to download docker images
Closes-Bug: 1987115
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I30191f9b90c40f6432cf75e141d12319046486a6
The commit a6a5349d02
(k8s-1.22.5: remove feature-gates)
added a script that removes deprecated feature gates which is run during
the upgrade-activate phase of the previous upgrade cycle.
The commit 73632416b3
(Preserve kube-apiserver manifest params during upgrade-activate)
modified the script to preserve the kube-apiserver manifest parameters
and it is supposed to run in the next patch release upgrade.
This change adds a new 'from_version' for the manifest to run during
the next patch release.
The previous 'from_version' is still supported as in the future, we will
need to support CentOS to Debian upgrade.
Test Plan:
On CentOS AIO-SX
PASS: Upgrade Successful. Check if advertise address in
kube-apiserver manifest before and after running
upgrade-activate is same.
Ensure that the seccomp profile configuration is
removed after upgrade-activate.
Kube-apiserver is running and cluster is accessible after
the upgrade.
Closes-Bug: 1986854
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Change-Id: I0e40df6e341f2da4f0e7ed4b4803197cd07470d5
This reverts commit 3d3bddfa17e2f5185f461b177fd2f116a52dff29.
Reason for revert: There's a critical bug reported at https://bugs.launchpad.net/starlingx/+bug/1987105 informing that ceph osds were not configured on Standard type labs anymore after this change. It needs to be reverted and fixed, taking care of this bug.
Change-Id: Iaec1feff6ed41bc9b63d65953d99475a24ac568e
Closes-Bug: 1987105
It was detected the command 'system host-if-modify' is failing for
VLAN Interfaces.
Try to change any parameter of a VLAN interface like:
system host-if-modify controller-0 vlanIF0 -n vlanIF1
The following error will be returned:
"VLAN id must be specified."
Test Plan (AIO-DX):
PASS Create Interface VLAN and change ifname with host-if-modify
PASS Setup IPv6 AIO-DX LAB
Closes-Bug: #1986951
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Change-Id: Ibd9952fd6d84a5a997339070e35872949a89f633
Several API calls were missing a timeout. A default timeout of 30
seconds was given to each.
No issues have been reported. This is a preventive change,
meant to tighten behaviour.
Test Plan:
Bootstrap, unlock, lock in SX configuration
Bootstrap, unlock, lock in DX configuration
Closes-Bug: 1927775
Signed-off-by: Joshua Kraitberg <joshua.kraitberg@windriver.com>
Change-Id: I8cb5717557cdde34345af948eb5a8c9613c1995b
In VirtualBox, after unlock, SM has all of its services
in 'initial' state.
The reason for this is that SM will not proceed unless
it detects there are no timer delays.
This is particularly noticeable for AIO-SX.
By disabling nohz_full in VirtualBox, the timers are
not delayed and SM is able to start up its services
more quickly (5 seconds). Otherwise SM initialization
on a 4 core system can range from 10 minutes to 10 hours.
Test Plan:
Build/Bootstrap/Unlock Debian AIO-SX on virtualbox.
Closes-Bug: 1890323
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I94226721d2ccd83a8b0caac09d1c745d4c908ae4