Remove the installation of per-package preset installs
since they are centrally managed now by the ISO install
for the following packages:
- config-gate-worker
- config-gate
- controllerconfig
- sysinv-agent
- sysinv-fpga-agent
Story: 2009968
Task: 46406
Test Plan
PASS Build package
PASS Build ISO
PASS Check for non-existant preset file in /etc/systemd/system-preset
Depends-On: https://review.opendev.org/c/starlingx/integ/+/853653
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I4204f75d3a7cfc25ab8b5f303d12023eafc212f0
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.
This change updated sysinv ldap puppet plugin to retrieve
openldap certificate and key from k8s certificate secret into
secure_system.yaml. The certificate and key will then be used by
ldap puppet to generate openldap certificate and key files for
secure openldap service.
Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: Openldap certificate and key files are generated, and slapd is
configured to use the certificate and key after controller is
unlocked.
PASS: sssd is connected to slapd on the secure port after unlock.
PASS: ldap functions work properly (ldap user creation, user login
on console and by ssh etc).
PASS: For DX system, ldap functions still work properly after swact.
Test Plan on CentOS:
PASS: ldap functions work properly (ldap user creation, user login
on console and by ssh etc)
Story: 2009834
Task: 46072
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Iec876c9b0a5698cf0b15781792443e99ddb5f4ec
Searched the code for unused RPCs and removed them.
Focus of this was to look only on sysinv-agent RPCs.
TEST PLAN:
PASS: Success rebuild of the system.
PASS: Run all sysinv unit tests with 100% success.
PASS: Verify sysinv logs and check for errors.
PASS: AIO-SX and AIO-DX sysinv install/replace.
PASS: Success of AIO-SX and AIO-DX bootstrap.
PASS: Success on call system commands related with the API.
Story: 2010087
Task: 45672
Change-Id: I154bddbd3eb501e7aa0c51c9f74935e269a36fa8
Signed-off-by: Eduardo Juliano Alberti <eduardo.alberti@windriver.com>
Created a duplicate install of /etc/pmon.d/*.conf files
to /usr/share/starlingx/pmon.d/
This is part of an effort to allow pmon conf files
to be selected at runtime by kickstarts.
Test Plan:
PASS: duplicate conf on deb
Story: 2010211
Task: 46108
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ie707b832e2e440a224cd7ccd2761e5ca1bfff571
Details: This change is to avoid checking signature file
that throws exception on Debian
The signature file object has different type in CentOS and Debian
(StringIO vs BytesIO). The BytesIO has fileno attribute but file
descriptor checking is not supported on Debian. Therefore,
we see exception from checking signature file file descriptor.
This fix is to make sure we don't check signature file file
descriptor.
Test Plan:
PASS: run system load import on Debian OS
PASS: run system load import on CentOS
Task: 46094
Story: 2009303
Signed-off-by: Junfeng (Shawn) Li <junfeng.li@windriver.com>
Change-Id: Ieab68ea1354969ee7fcd2f24e8641586428441fd
The commit a6a5349d02
(k8s-1.22.5: remove feature-gates)
added a script that removes deprecated feature gates which is run during
upgrade-activate phase of previous upgrade cycle .
The commit 73632416b3
(Preserve kube-apiserver manifest params during upgrade-activate)
modified the script to preserve the kube-apiserver manifest parameters
and it is supposed to run in next patch release upgrade.
This change adds a new 'from_version' for the manifest to run during
next patch release.
The previous 'from_version' is still supported as in the future, we will
need to support CentOS to Debian upgrade.
Test Plan:
On CentOS AIO-SX
PASS: Upgrade Successful. Check if advertise address in
kube-apiserver manifest before and after running
upgrade-activate is same.
Ensure that the seccomp profile configuration is
removed after upgrade-activate.
Kube-apiserver is running and cluster is accessible after
the upgrade.
Closes-Bug: 1986854
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Change-Id: I0e40df6e341f2da4f0e7ed4b4803197cd07470d5
This reverts commit 3d3bddfa17e2f5185f461b177fd2f116a52dff29.
Reason for revert: There's a critical bug reported at https://bugs.launchpad.net/starlingx/+bug/1987105 informing that ceph osds were not configured on Standard type labs anymore after this change. It needs to be reverted and fixed, taking care of this bug.
Change-Id: Iaec1feff6ed41bc9b63d65953d99475a24ac568e
Closes-Bug: 1987105
It was detected the command 'system host-if-modify' is failing for
VLAN Interfaces.
Try to change any parameter of a VLAN interface like:
system host-if-modify controller-0 vlanIF0 -n vlanIF1
The following error will be returned:
"VLAN id must be specified."
Test Plan (AIO-DX):
PASS Create Interface VLAN and change ifname with host-if-modify
PASS Setup IPv6 AIO-DX LAB
Closes-Bug: #1986951
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Change-Id: Ibd9952fd6d84a5a997339070e35872949a89f633
Several API calls were missing a timeout. A default timeout of 30
seconds was given to each.
No issues have been reported. This is a preventive change,
meant to tighten behaviour.
Test Plan:
Bootstrap, unlock, lock in SX configuration
Bootstrap, unlock, lock in DX configuration
Closes-Bug: 1927775
Signed-off-by: Joshua Kraitberg <joshua.kraitberg@windriver.com>
Change-Id: I8cb5717557cdde34345af948eb5a8c9613c1995b
In VirtualBox, after unlock, SM has all of its services
in 'initial' state.
The reason for this is that SM will not proceed unless
it detects there are no timer delays.
This is particularly noticable for AIO-SX.
By disabling nohz_full in virtual box, the timers are
not delayed and SM is able to start up its services
more quickly (5 seconds). Othwerwise SM initialization
on a 4 core system can range from 10 minutes to 10 hours.
Test Plan:
Build/Bootstrap/Unlock Debian AIO-SX on virtualbox.
Closes-Bug: 1890323
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I94226721d2ccd83a8b0caac09d1c745d4c908ae4
This commit updates sssd service parameter configuration in the sssd
puppet plugin of the sysinv component. New parameters have been added
to local domain and to nss and pam services configuration.
Test Plan for Debian:
PASS: SX system bootstrap, unlock successfully.
PASS: sssd.conf configuration data gets added in secure_system.yaml.
PASS: sssd service starts successfully.
PASS: Add new user successfully.
PASS: The new user gets cached in /etc/passwd.
PASS: New user can ssh successfully from remote server using sssd.
Test Plan for CentOS:
PASS: SX system installs successfully.
PASS: Add ldap user and search users are successfull
Story: 2009834
Task: 46014
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: If5c3812f2a3682e995107c9c09b90fb5fcb6db41
It happpens because "ifup -a" is executed by the service.
But it fails because /var/run/network-scripts.puppet/interfaces
has 2 interfaces with same IP address.
It can happen when an interface (i.e: mgmt) is configured on the loopback.
The same IP Address is configured for interfaces: lo and lo:1.
For this case parent interface "lo" should be defined as Manual and not
receive a Static IP address, while "lo:1" will receive the Static IP
address.
Test Plan (Debian only):
PASS Configure MGMT in the loopback interface AIO-SX
PASS Configure MGMT in the ETH interface AIO-DX
PASS Check systemctl status networking.service after unlock
Partial-Bug: #1983503
Change-Id: Ic2f07f847cb461dd01aa8cd33faae99ceb827eb2
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Logging is already being handled by consumers for these requests.
Test Plan:
Apply a patch
Confirm duplicate logs are gone from /var/log/sysinv.log
Story: 2008943
Task: 46008
Signed-off-by: Joshua Kraitberg <joshua.kraitberg@windriver.com>
Change-Id: Ief6337d3d27de143508914f26d5113d5841bc731
Remove old comment used in upgrade from R4->R5, the partition
check it's still valid in case there's a need to create new partitions
to be included in a volume group over an upgrade.
Story: 2010087
Task: 45721
Signed-off-by: Caio Cesar Ferreira <caio.cesarferreira@windriver.com>
Change-Id: I880cf5fb492c0a0e6f3454b14bf1e571267259c9
This commit changes the default access rule to accept users with reader
role when it is a GET request. Other requests (PATCH, POST, PUT and
DELETE) still require admin role. Also, the code that executes the
access control methods was rewritten to avoid unnecessary tests
(variable "is_public_api" is tested first).
Test Plan:
PASS: Successfully deploy an AIO-SX using a Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin' and
'otherreader' with role 'reader' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/" and
"curl -v http://<MGMT_IP>:6385/v1/isystems/mgmtvlan" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/isystems/" and
"curl -v http://<MGMT_IP>:6385/v1/service_parameter" and
verify that they are rejected and that the HTTP response is 401.
PASS: In the deployed AIO-SX, to assert that access rules work as
intended, add the following line in "/etc/sysinv/policy.yaml":
config_api:service_parameter:get: role:reader
and execute the following commands using users "admin", "testreader" and
"otherreader":
system service-parameter-list
system host-list
system modify --description='test'
For user "admin", all commands will be successful; for user
"testreader", only commands "service-parameter-list" and "host-list"
will be successful; for user "otherreader", only command
"service-parameter-list" will be successful.
PASS: Repeat all tests above changing the deploy to AIO-DX using an
CentOS image.
PASS: Successfully execute Debian AIO-SX daily regression and sanity
tests using an image containing this change.
Story: 2010149
Task: 46004
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I701592b50cb687a2e227162e3cba30c0f8d12613
Details: This commit is to add a new method to get target
release OS type during upgrades. The target release may be either Debian or CentOS.
By checking the existence of os_tree repo in the target release,
we can identify the OS type. If os_tree repo exists, it is Debian
Test Plan:
PASS: Added new test cases for the method.
PASS: Ran all unit test cases.
PASS: Integration test with command host-upgrade that eventually
triggers _update_pxe_config()
Task: 45887
Story: 2009303
Signed-off-by: Junfeng (Shawn) Li <junfeng.li@windriver.com>
Change-Id: I70b5b154ffa46c4390fb6fae8252073307f40997
Block the addition of ssl_ca certificates with same subject name
Test Plan:
PASS: Attempted to install another certificate with same subject, and
verified that it fails with an error.
PASS: Generate and install a full iso and verified that columns subject
and hash_subject were added to certificate table.
PASS: Verified that when there is a subject name clash the command
system certificate-install returns an error and the certificate
that has the same subject
PASS: Verified that the system shows an error when the subject field is
emtpy for ssl_ca
PASS: Verified that a new column subject shows up for command
system certificate-list
PASS: Verified that a new column subject shows up as a return to
a successful system certificate-install command
Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/851894
Closes-bug: 1981100
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Change-Id: I7ce11cc5dab6f686d360d01594ba100d07d2c2db
This commit does two different changes: it changes the policy engine to
oslo_policy and restrict access to sysinv API to users of projects
'admin' or 'services'.
The policy engine deprecated is the one present in the file
"sysinv/sysinv/sysinv/sysinv/openstack/common/policy.py" (780 lines).
This file is no longer used by this repository and was not deleted
because it is used by other repositories, like starlingx/update. The
library oslo_policy is used in its place. In fact, the deprecated engine
seems to be an ancient version of oslo_policy. The library oslo_policy
changed the default format of configuration files from JSON to YAML, so
the configuration files named "policy.json" were changed to
"policy.yaml". The file that initializes and wraps oslo_policy
("sysinv/sysinv/sysinv/sysinv/common/policy.py") contains the minimal
implementation to use this library.
The access to sysinv API, before this commit, was restricted to users
with role "admin" or "administrator" from any project. This commit
restricts the access to users with role "admin" of projects "admin" or
"services". This change should not cause problems, because role
"administrator" doesn't exist and because all users from Starlingx are
from projects "admin" or "services". This change is needed to avoid
access from admin users of other projects.
To test custom policy rules set in the file "/etc/sysinv/policy.yaml",
it will be used the Service Parameter API actions create/apply/modify/
delete/get (commands "system service-parameter-[add/apply/modify/delete/
list]". To test default policy for sysinv API commands, it will be used
the command to change the system description (PATCH "/v1/isystems",
command "system modify --description='test'"). On test plan, these
commands will be reffered as "test commands". Any change in the file
"/etc/sysinv/policy.yaml" is detected by policy engine and rules are
updated.
Test Plan:
PASS: Successfully deploy an AIO-SX using an Debian image with this
commit present. Successfully create, through openstack CLI, the users:
'testreader' with role 'reader' in project 'admin',
'adminsvc' with role 'admin' in project 'services' and
'otheradmin' with role 'admin' in project 'notadminproject'.
Create openrc files for all new users. Note: the other user that will be
used is the already existing 'admin' with role 'admin' in project
'admin'.
PASS: In the deployed AIO-SX, check the behavior of test commands
through different users: for "admin" and "adminsvc" users, all commands
are successful; for user "testreader", only "service-parameter-list"
command is successful and for user "otheradmin" no command is
successful.
PASS: In the deployed AIO-SX, add the following lines in file
"/etc/sysinv/policy.yaml":
config_api:service_parameter:add: role:reader
config_api:service_parameter:apply: role:reader
config_api:service_parameter:delete: role:reader
config_api:service_parameter:get: role:reader
config_api:service_parameter:modify: role:reader
and check the behavior of test commands through different users:
for "admin" and "adminsvc" users, all commands are successful; for users
"testreader" and "otheradmin", all commands are successful except the
change in the system description ("system modify --description='test'").
PASS: In the deployed AIO-SX, to assert that public API works without
authentication, execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/" and
"curl -v http://<MGMT_IP>:6385/v1/isystems/mgmtvlan" and
verify that they are accepted and that the HTTP response is 200,
and execute the commands:
"curl -v http://<MGMT_IP>:6385/v1/isystems/" and
"curl -v http://<MGMT_IP>:6385/v1/service_parameter" and
verify that they are rejected and that the HTTP response is 401.
PASS: Repeat all tests above changing the deploy to AIO-DX using an
CentOS image.
PASS: Successfully execute Debian AIO-SX daily regression and sanity
tests using an image containing this change.
Story: 2010149
Task: 45984
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: Id7aa387e154afb1441a8484b076cdc97f2fc46cb
Since Ceph nautilus no longer need upgrades, the code is being removed
to not interfere with installation and future upgrades.
Test Plan:
PASS Upgrade of 2+2+2
PASS Upgrade of AIO-DX
PASS Upgrade of AIO-SX
PASS Fresh install of AIO-SX
PASS Fresh install of AIO-DX
PASS Fresh install of 2+2+2
Story: 2010222
Task: 45972
Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: I3db99617131c5a25e35965dd27d64df0c0fd5cae
Starling-X API does not allow the use of dashes and dots
in the interface name. The aim is to allow the use of dots,
dashes, and underscores in general.
This change is because of Starling-X and K8s having
naming rule inconsistencies and might cause confusion to customer.
Test Plan:
PASS: Obtain the list of characters that are deemed not valid
for interface names and remove dots, dashes, and underscores
from the list.
Test 1: using "+": system host-if-add ... controller-0 vf+2 vf ..
--> Cannot use '+' as a special character in interface name.
Test 2: using "=": system host-if-add ... controller-0 vf=2 vf ..
--> Cannot use '=' as a special character in interface name.
Test 3: using ".": system host-if-add ... controller-0 vf.2 vf ..
--> No error returned
Test 4: using "-": system host-if-add ... controller-0 vf-2 vf ..
--> No error returned
Test 5: using "_": system host-if-add ... controller-0 vf_2 vf ..
--> No error returned
PASS: The changes were tested on a controller to make sure it can
be locked and unlocked.
Closes-Bug: 1983614
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
Change-Id: Ie50981dfca988bcb47eaf1a28603ad24f2de83d7
An issue was noted when attempting to use a bonded interface on
a management or cluster-host network without an upper VLAN
interface. The problem turned out to be the following pre-up
command in the sysconfig file associated with the bond:
/sbin/modprobe bonding; echo +%s > /sys/class/net/bonding_masters
The code which programs this command was added in 2019 to fix bug
(bug 1836969)
d0ad539f83
However, it is noted that today, this command will fail as the bonded
interface is already created. Trying to add it to the
bonding_masters list will fail, leaving the interface in a 'down'
state.
The reason this code was added was to be able to disable DAD in
a duplex-direct system, where the duplicate address detection
would not complete until both hosts were powered on and
initialized.
This commit ensures that:
1. The interface is only added to the bonding_masters
in a duplex-direct system (in order to be able to
disable DAD before the interface comes up)
2. In the case of a duplex-direct system, if the
interface is already added to the bonding_masters,
it won't be added again.
Note:
The underlying ifup upstream code already accounts for
the situation that an interface has been added to the
bonding_masters list, so it is safe for us to explicitly
add it in a pre-up directive in the case that DAD must
be disabled.
Testing:
1. Ensure the bonding interface (without VLAN) comes up
2. Ensure in a duplex-direct system that the accept_dad is
able to be set (regression test bug 1836969)
Change-Id: I4f712bbbbfa75adfcccbb737df60109db2fef1ee
Closes-Bug: 1981765
Signed-off-by: Steven Webster <steven.webster@windriver.com>
The goals of this story are the optimization of this audit aiming to
decrease the cpu consumption spike each minute and clean up the code.
Currently, the sysinv-agent service has just one periodic task to audit
a set of components (storage inventory, memory, lldp and so on).
Following the changes [1] and [2], this story split the
_agent_audit task in two: _lldp_audit and _inventory_audit. Each one
with its own interval value.
This story also removes the call for the _audit_tpm_device which isn't
supported anymore. Furthermore, withdraws the RemoteError exception
snippets once that are deprecated. And yet, creates the
_initial_config_and_report method which gathers the host initialization
code. This method is called every cycle until the initialization is
completed. After that refactoring, it just needs to check two flags
before proceeding to carry out the inventory. Also, this story removes
the code related to the subfunctions alarm raise/clear that is
deprecated.
TEST PLAN:
PASS: AIO-SX: Manually replace this file into a Debian installation
PASS: AIO-SX: Rebuild the whole system with the changes without
crashes (including bootstrap and host unlock - CentOS)
PASS: AIO-SX: Verify if the both audits are being called
PASS: AIO-SX: Look for errors in sysinv logs
Story: 2010087
Task: 45715
Depends-On:
[1] https://review.opendev.org/c/starlingx/stx-puppet/+/849561
[2] https://review.opendev.org/c/starlingx/config/+/848330
Change-Id: I5ac72b36c31092377eefbaaa1fbe5d8bf11c5c37
Signed-off-by: Marcos Paulo Oliveira Silva
<Marcos.PauloOliveiraSilva@windriver.com>
Task 45646 changes the install_state variable name but it was not
necessary.
So this commit fixes it to the correct name.
TEST PLAN:
PASS: AIO-SX: manually replaced these files into a Debian installation
and no crashes happened.
PASS: follow the sysinv logs seeking for errors. No error was found.
PASS: guarantee that the mentioned audit is being called.
Story: 2010087
Task: 45953
Depends-On: https://review.opendev.org/c/starlingx/config/+/848437
Signed-off-by: Bruno Costa <bruno.costa@windriver.com>
Change-Id: Ia1483cf4bf3aa70853f3ab9a27aa0220825a54ba
