starlingx/docs
Code Issues Proposed changes

Debian Tech Preview

Browse Source 
Draft Debian preview document
Additional placeholders for conditional content.
Add k8s 1.23 only bullet to Limited Scope topic.
rST rendering fixes.
Address patchset 3 review comments.
Additional operational impacts.
Implement patchset 5 review comments.
Reuse PXE config updates DS.
Address patchset 8 review comments.
Additional patching details.
rST formatting fix.
Complete Known Issues topic.
Fix typo in placeholder name.
Make references to Debian GA version generic.
Fix merge conflict.
Remove trailing space.

Story: 2009965
Task: 45617

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Iac67113dc7f56209637828a2b807cd65669ec583
This commit is contained in:
Ron Stone 2022-06-06 09:27:44 -04:00
parent 32ca14806a
commit df8d634fc8
16 changed files with 720 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
doc/source/_includes/deb-tech-preview.rest Normal file
View File

@ -0,0 +1,21 @@
.. begin-prod-an-1
.. end-prod-an-1
.. begin-prod-an-2
.. end-prod-an-2
.. begin-dec-and-imp
.. end-dec-and-imp
.. begin-declarative
.. end-declarative
.. begin-install-prereqs
.. end-install-prereqs
.. begin-prep-servers
.. end-prep-servers
.. begin-known-issues
.. end-known-issues

11
doc/source/_vendor/vendor_strings.txt
View File

@ -102,3 +102,14 @@
because target lable differs here/partner contexts.
.. |_link-inst-book| replace:: :ref:`Installation guide <index-install-e083ca818006>`
.. Debian Tech Preview
.. |deb-prev-prods| replace:: |prod|
.. |deb-510-kernel-release| replace:: release 6.0
.. |deb-eval-release| replace:: release 7.0
.. |deb-production-release| replace:: release 8.0
.. |deb-install-step-change| replace:: \
.. |deb-dup-std-na| replace:: Duplex, and standard configurations are not available.
.. |deb-update-iso| replace:: \

6
doc/source/debian/index-debian-introduction-8eb59cf0a062.rst
View File

@ -1,8 +1,8 @@
.. _index-debian-introduction-8eb59cf0a062:
===================
Debian Introduction
===================
==============
Debian Preview
==============
--------------------
StarlingX Kubernetes

42
doc/source/debian/kubernetes/debian-based-solution-75cd4fb6f023.rst Normal file
View File

@ -0,0 +1,42 @@
.. _debian-based-solution-75cd4fb6f023:
=====================
Debian-based Solution
=====================
Major features of Debian-based |prod| will include:
* Linux 5.10 Yocto-based kernel ( https://www.yoctoproject.org/ )
The Yocto Project Kernel:
* tracks stable kernel updates very closely; staying very current with the
stable kernel,
* provides a reliable implementation of the pre-empt-rt patchset (see:
https://rt.wiki.kernel.org/index.php/Main_Page), and
* provides predictable and searchable |CVE| handling.
|org| will also leverage its existing relationships with the Yocto Project to
enhance development, bug fixes and other activities in the Yocto Project kernel
to drive |prod| quality and feature content.
* Debian Bullseye (11.3)
Debian is a well-established Linux Distribution supported by a large and
mature open-source community.
* OSTree ( https://ostree.readthedocs.io/en/stable/manual/introduction/ )
OSTree provides for robust and efficient versioning, packaging and
upgrading of Linux-based systems.
* An updated Installer to seamlessly adapt to Debian and OSTree
* Updated software patching and upgrades for Debian and OSTree.
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-prod-an-2
:end-before: end-prod-an-2

BIN
doc/source/debian/kubernetes/figures/debian_patching_details_horizon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

11
doc/source/debian/kubernetes/index-debian-introduction-kub-c3fa5e92e8d6.rst
View File

@ -1,5 +1,16 @@
.. _index-debian-introduction-kub-c3fa5e92e8d6:
.. include:: /_includes/toc-title-debian-kub.rest
.. toctree::
:maxdepth: 2
overview-234a36ffe9fb
debian-based-solution-75cd4fb6f023
operational-impacts-9cf2e610b5b3
technology-preview-reduced-scope-0008a139a4b9
technology-preview-installation-fa6f71e9737d
technology-preview-known-issues-899a77ad709c

133
doc/source/debian/kubernetes/operational-impacts-9cf2e610b5b3.rst Normal file
View File

@ -0,0 +1,133 @@
.. _operational-impacts-9cf2e610b5b3:
===================
Operational Impacts
===================
The operational impact of Debian-based |prod| is small:
* Functional equivalence with CentOS-based |prod|
* Use of the |prod| CLIs and APIs will remain the same:
* |prod| on Debian will provide the same CLIs and APIs as |prod| on CentOS.
* |prod| on Debian will run the same 5.10 kernel version as |prod| on
CentOS.
* |prod| on Debian will support the same set of Kubernetes APIs used in
|prod| on CentOS.
* The procedure to install hosts will be unchanged by the migration from
CentOS to Debian. Only the ``grub`` menu has been modified.
* The CLIs used for software updates (patching) will be unchanged by
the migration from CentOS to Debian.
* User applications running in containers on CentOS should run on Debian
without modification. Re-validation of containers on Debian is encouraged to
identify any exceptions.
* A small subset of operating system-specific commands will differ. Some of
these changes result from the switch in distributions while others are
generic changes that have accumulated since the release of the CentOS
distribution currently used. For example:
* The Debian installation requires new pxeboot grub menus. See
:ref:`Technology Preview Installation <deb-grub-deltas>`.
* Some prompt strings will be slightly different (for example: ssh login,
passwd command, and others).
* Many 3rd-party software packages are running a newer version in Debian
and this may lead to minor changes in syntax, output, config files, and
logs.
* The URL to expose keystone service does not have the version appended.
* On Debian, interface and static routes need to be handled using system-API.
* Do not edit configuration files in ``/etc/network/`` as they are
regenerated from sysinv database after a system reboot. Any changes
directly done there will be lost.
* The static routes configuration file is ``/etc/network/routes``
* Interface configuration files are located in
``/etc/network/interfaces.d/``
* Debian stores network information in ``/etc/network`` instead of
``/etc/sysconfig/network-scripts`` location used in CentOS. However, the
|prod| ``system …`` commands are unchanged. |deb-update-iso|
* Patching on Debian is done using ostree commits rather than individual
RPMs.
You can see which packages are updated by ostree using the :command:`dpkg
-l` instead of :command:`rpm -qa` used on CentOS.
* Patching is done via reboot required patches. In-service patching is not
supported in the Technology Preview release.
* The patching CLI commands and Horizon interactions are the same as for
CentOS.
* The supported patching CLI commands for |deb-eval-release| are:
* ``sw-patch upload``
* ``sw-patch upload-dir``
* ``sw-patch apply``
* ``sw-patch remove``
* ``sw-patch delete``
* ``sw-patch query``
* ``sw-patch show``
* ``sw-patch query-hosts``
* ``sw-patch host-install``
* ``sw-patch host-install-async``
* ``sw-patch install-local``
However, since Debian patches work with ostree commits rather than
RPMs, the patch contents visible on Horizon and CLI are different.
Running the ``sw-patch show <patch-ID>`` CLI command or selecting
**Software Management** and the patch name in Horizon displays details
about the contents of a Debian patch including:
* The number of ostree commits in this patch.
* The base commit on which the patch can be applied.
* The commit IDs that are associated with this patch.
**CLI**
Sample ``sw-patch show <patch-ID>`` output:
.. code-block:: none
DEBIAN_RR:
Release: 22.06
Patch State: Available
Status: DEV
Unremovable: N
RR: Y
Summary: Reboot Required Patch 0015
Description: Reboot Required Patch for resolving subcloud unlock issue
Install Instructions:
Please ensure that there is 450MB minimum available space in the directory where the patch is going to be placed.
Warnings: This patch requires PATCH_0014 to be installed first.
Contents:
No. of commits: 2
Base commit: d0a0d5ad78746c86ab477fb5ccb98d7e813484a9cb1c0a780363233794655fdc
Commit1: a386e76d6430f7fd6693d40379cccc838445f4abd409f158b919c010da80cb83
Commit2: 647dcef3f32d61b3d341fab905f5267c5614d804cae5d295693a6098db6e4e6d
**Horizon**
Sample **Software Management** > *patch name* output.
.. figure:: figures/debian_patching_details_horizon.png
:width: 600px

83
doc/source/debian/kubernetes/overview-234a36ffe9fb.rst Normal file
View File

@ -0,0 +1,83 @@
.. _overview-234a36ffe9fb:
========
Overview
========
With support for the CentOS Distribution being discontinued, |deb-prev-prods|
will move to the Debian OS Distribution. Debian is a well-established Linux
Distribution supported by a large and mature open-source community and used by
hundreds of commercial organizations, including Google. When fully transitioned
to Debian, |deb-prev-prods| will have full functional equivalence to the
current CentOS-based versions of |deb-prev-prods|.
The planned rollout for the transition to Debian is as follows:
.. rubric:: |prod| |deb-510-kernel-release| (RELEASED)
* General Availability (GA) Release of CentOS7 |prod| (for production
deployments)
* Moved to 5.10 kernel, which will be used by the upcoming Debian-based
release.
.. rubric:: |prod| |deb-eval-release|
|prod| |deb-eval-release| is a general Availability (GA) Release of CentOS7
|prod| for production deployments. It will be the last release of a CentOS7
based |prod|.
|prod| |deb-eval-release| inherits the 5.10 version of the Linux kernel
introduced in |prod| |deb-510-kernel-release|.
|prod| |deb-eval-release| is also a technology Preview Release of Debian |prod|
for evaluation purposes.
|prod| |deb-eval-release| release runs Debian Bullseye (11.3). It is limited in
scope to the |AIO-SX| configuration. |deb-dup-std-na|
See :ref:`technology-preview-reduced-scope-0008a139a4b9` for details.
.. rubric:: Debian |prod| General Availability
An upcoming release will make Debian |prod| genrally available for
production deployments.
This upcoming release will run Debian Bullseye 11.3 or later with
full functional equivalence to the CentOS-based |prod|.
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-prod-an-1
:end-before: end-prod-an-1
.. rubric:: Planned in-service upgrade paths for |prod|
* |prod| |deb-510-kernel-release| running CentOS ==> |prod| |deb-eval-release| running CentOS ==> |prod| Debian general availability release
or
* |prod| |deb-510-kernel-release| running CentOS ==> |prod| Debian general availability release
.. note::
There will be no upgrade paths related to the |prod| |deb-eval-release|
Debian Technology Preview release.
The |prod-long| |deb-eval-release| Debian Technology Preview allows you to
evaluate and prepare for the upcoming Debian-based General Availability release
while continuing to run your production deployment
on CentOS-based |prod-long|. It is strongly recommended that you perform a
complete assessment of |prod| and your application running on |prod| in a lab
setting to fully understand and plan for any changes that may be required to
your application when you migrate to Debian-based |prod|
the |prod| Debian General Availability release in a production
environment.

302
doc/source/debian/kubernetes/technology-preview-installation-fa6f71e9737d.rst Normal file
View File

@ -0,0 +1,302 @@
.. _technology-preview-installation-fa6f71e9737d:
===============================
Technology Preview Installation
===============================
In general, the installation of |prod| |deb-eval-release| Debian Technology
Preview on All-in-one Simplex is unchanged.
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-dec-and-imp
:end-before: end-dec-and-imp
There are no changes to:
* The overall installation workflow
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-install-prereqs
:end-before: end-install-prereqs
* The installation prerequisites, i.e. required files, boot mechanism
(bootable USB or pxeboot server), network connectivity, external DNS Server
and a Docker Registry:
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-install-prereqs
:end-before: end-install-prereqs
* The hardware requirements: :ref:`starlingx-hardware-requirements`, or
* The preparation of physical servers, i.e. BIOS setup, etc.
The only minor change in the installation is in the initial install of software
on controller-0. |deb-update-iso|
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-prep-servers
:end-before: end-prep-servers
There is a single install menu |deb-install-step-change| to choose between an
AIO-Controller with the Standard Kernel and an AIO-Controller with the
Low-Latency Kernel. Of course the actual console log output of the software
install will be different due to OSTree and Debian details.
.. _deb-grub-deltas:
The Debian installation requires configuration of the new pxeboot grub menus;
one for servers with Legacy BIOS support and another for servers with |UEFI|
firmware.
During |PXE| boot configuration setup, as described in
:ref:`configuring-a-pxe-boot-server-r6`, additional steps are required to
collect configuration information and create a grub menu to install |prod|
|deb-eval-release| AIO controller-0 function on the target server.
#. Wipe the install device prior to Debian installation.
.. code-block:: none
$ sudo wipedisk --force --include-backup
$ sudo sgdisk -o /dev/sda
Repeat the :command:`sudo sgdisk -o` command for all disks, such as ``dev/sdb``,
``/dev/sdc``, and so-on.
#. **Option 1:** Install controller-0 from a USB device containing the
Debian ISO image.
Use this method to install locally from a physical or virtual media USB
device/ISO.
#. Add the Debian ISO image to a USB device and make the target server
boot the ISO image from that USB device.
#. During installation, select the install type from the presented
menu. For a |UEFI| installation, the menu options are prefixed with
"UEFI ".
#. **Option 2:** Install controller-0 from a PXEboot install feed.
This method uses a network PXEboot install from a remote PXEboot server
and 'feed' directory.
* The 'feed' directory is a directory containing the mounted contents
of the Debian ISO.
* The 'feed' creation process for the Debian install differs from the
CentOS method.
* The 'feed' can be populated with either a **direct ISO mount**
or a **copy of the ISO content**.
**Direct ISO mount** method:
#. Mount the ISO at the feed directory location on the pxeboot server.
#. Copy the ISO to the 'feed' directory location pxeboot server.
.. note::
This can be a common location for installing many servers or a
unique location for a specific server.
#. Mount the ISO as the 'feed' directory.
.. note:: The mount requires root access. If you don't have root
access on the PXEboot server then use the **ISO copy** method.
.. code-block:: none
$ IMAGENAME=<debian_image>
$ sudo mount -o loop ${IMAGENAME}.iso ${IMAGENAME}_feed
**Copy ISO contents** method:
#. Create a tarball containing the mounted ISO content
#. Copy the Debian ISO to a location where the ISO can be mounted
#. Mount the ISO, tar it up and copy the feed tarball to the PXEboot
server
#. Untar the feed tarball at the feed directory location on your
PXEboot server.
An example of the above commands:
.. code-block:: none
$ IMAGENAME=<debian_image>
$ sudo mount -o loop ${IMAGENAME}.iso ${IMAGENAME}_feed
$ tar -czf ${IMAGENAME}_feed.tgz ${IMAGENAME}_feed
$ scp ${IMAGENAME}_feed.tgz <username>@<pxeboot_server>:<feed directory>
$ ssh <username>@<pxeboot_server>
$ cd <feed directory>
$ tar -xzf ${IMAGENAME}_feed.tgz
$ rm ${IMAGENAME}_feed.tgz
#. Optionally, link your new feed directory to the name the pxeboot
server translates the incoming MAC based |DHCP| request to.
.. code-block:: none
$ ln -s ${IMAGENAME}_feed feed
Your 'feed' directory or link should now list similarly to the
following example:
.. code-block:: none
drwxr-xr-x 7 someuser users 4096 Jun 13 10:33 starlingx-20220612220558_feed
lrwxrwxrwx 1 someuser users 58 Jun 13 10:35 feed -> starlingx-20220612220558_feed
The 'feed' directory structure should be as follows:
.. code-block:: none
feed
├── bzImage-rt ... Lowlatency kernel
├── bzImage-std ... Standard kernel
├── initrd ... Installer initramfs image
├── kickstart
│ └── kickstart.cfg ... Unified kickstart
├── ostree_repo ... OSTree Archive Repo
│ ├── config
│ ├── extensions
│ └── objects
├── pxeboot
└── samples
├── efi-pxeboot.cfg.debian ... controller-0 UEFI install menu sample
├── pxeboot.cfg.debian ... controller-0 BIOS install menu sample
├── pxeboot_setup.sh ... script used to tailor the above samples
└── README ... info file
Note that many files and directories have been omitted for clarity.
#. Set up the PXEboot grub menus.
The ISO contains a ``pxeboot/sample`` directory with controller-0
install grub menus.
* For BIOS: ``feed/pxeboot/samples/pxeboot.cfg.debian``
* For UEFI: ``feed/pxeboot/samples/efi-pxeboot.cfg.debian``
You must customize these grub menus for a specific server
install by modifying the following variable replacement strings
with path and other information that is specific to your pxeboot
server.
``xxxFEEDxxx``
The path between http server base and feed directory. For
example: ``/var/www/html/xxxFEED_xxx/<ISO content>``
``xxxPXEBOOTxxx``
The offset path between /pxeboot and the feed to find
``bzImage/initrd``. For example:
``/var/pxeboot/xxxPXEBOOTxxx/<ISO content>``
``xxxBASE_URLxxx``
The pxeboot server URL: ``http://###.###.###.###``
``xxxINSTDEVxxx``
The install device name. Default: ``/dev/sda`` Example:
``/dev/nvme01``
``xxxSYSTEMxxx``
The system install type index. Default: aio>aio-serial
(All-in-one Install - Serial; Console)
menu32 = no default system install type ; requires manual select
disk = Disk Boot
standard>serial = Controller Install - Serial Console
standard>graphical = Controller Install - Graphical Console
aio>serial = All-in-one Install - Serial Console
aio>graphical = All-in-one Install - Graphical Console
aio-lowlat>serial = All-in-one (lowlatency) Install - Serial Console
aio-lowlat>graphical = All-in-one (lowlatency) Install - Graphical Console
The ISO also contains the ``pxeboot/samples/pxeboot_setup.sh``
script that can be used to automatically setup both the BIOS and
|UEFI| grub files for a specific install.
.. code-block:: none
./feed/pxeboot/samples/pxeboot_setup.sh --help
Usage: ./pxeboot_setup.sh [Arguments Options]
Arguments:
-i | --input <input path> : Path to pxeboot.cfg.debian and efi-pxeboot.cfg.debian grub template files
-o | --output <output path> : Path to created pxeboot.cfg.debian and efi-pxeboot.cfg.debian grub files
-p | --pxeboot <pxeboot path> : Offset path between /pxeboot and bzImage/initrd
-f | --feed <feed path> : Offset path between http server base and mounted iso
-u | --url <pxe server url> : The pxeboot server's URL
Options:
-h | --help : Print this help info
-b | --backup : Create backup of updated grub files as .named files
-d | --device <install device> : Install device path ; default: /dev/sda
-s | --system <system install> : System install type ; default: 3
0 = Disk Boot
1 = Controller Install - Serial Console
2 = Controller Install - Graphical Console
3 = All-in-one Install - Serial Console (default)
4 = All-in-one Install - Graphical Console
5 = All-in-one (lowlatency) Install - Serial Console
6 = All-in-one (lowlatency) Install - Graphical Console
Example:
pxeboot_setup.sh -i /path/to/grub/template/dir
-o /path/to/target/iso/mount
-p pxeboot/offset/to/bzImage_initrd
-f pxeboot/offset/to/target_feed
-u http://###.###.###.###
-d /dev/sde
-s 5
The remaining install steps are also completely unchanged:
.. only:: partner
**Imperative mode**
:ref:`aio_simplex_install_kubernetes_r6`
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-declarative
:end-before: end-declarative

14
doc/source/debian/kubernetes/technology-preview-known-issues-899a77ad709c.rst Normal file
View File

@ -0,0 +1,14 @@
.. _technology-preview-known-issues-899a77ad709c:
===============================
Technology Preview Known Issues
===============================
Known issues and workarounds with the |prod| |deb-eval-release| are the same
as those for |prod| |deb-eval-release| based on CentOS.
.. only:: partner
.. include:: /_includes/deb-tech-preview.rest
:start-after: begin-known-issues
:end-before: end-known-issues

22
doc/source/debian/kubernetes/technology-preview-reduced-scope-0008a139a4b9.rst Normal file
View File

@ -0,0 +1,22 @@
.. _technology-preview-reduced-scope-0008a139a4b9:
================================
Technology Preview Reduced Scope
================================
The |prod| |deb-eval-release| Debian Technology Preview release will have
reduced scope:
* Only AIO-SX deployments are supported. Duplex, Standard and
Distributed Cloud configurations are not available in this release.
* Only Kubernetes version 1.23 is supported.
* Support for both standard and low-latency kernel.
* Only Reboot Patching is available. In-service patching is not supported.
* Upgrades to or from this release are not supported.
Full equivalency of configurations and features will be supported in the upcoming
|prod| Debian General Availability release.

2
doc/source/deploy_install_guides/r5_release/bare_metal/accessing-pxe-boot-server-files-for-a-custom-configuration.rst
View File

@ -17,7 +17,7 @@ use the contents of the working directory to construct a |PXE| boot environment
according to your own requirements or preferences.
For more information about using a |PXE| boot server, see :ref:`Configure a
PXE Boot Server <configuring-a-pxe-boot-server>`.
PXE Boot Server <configuring-a-pxe-boot-server-r5>`.
.. rubric:: |proc|

2
doc/source/deploy_install_guides/r5_release/bare_metal/configuring-a-pxe-boot-server.rst
View File

@ -1,6 +1,6 @@
.. jow1440534908675
.. _configuring-a-pxe-boot-server:
.. _configuring-a-pxe-boot-server-r5:
===========================
Configure a PXE Boot Server

13
doc/source/deploy_install_guides/r6_release/bare_metal/configuring-a-pxe-boot-server.rst
View File

@ -1,7 +1,12 @@
.. jow1440534908675
.. _configuring-a-pxe-boot-server:
.. _configuring-a-pxe-boot-server-r6:
===========================
Configure a PXE Boot Server
===========================
@ -14,7 +19,7 @@ initialization.
|prod| includes a setup script to simplify configuring a |PXE| boot server. If
you prefer, you can manually apply a custom configuration; for more
information, see :ref:`Access PXE Boot Server Files for a Custom Configuration
<accessing-pxe-boot-server-files-for-a-custom-configuration-r6>`.
<accessing-pxe-boot-server-files-for-a-custom-configuration>`.
The |prod| setup script accepts a path to the root TFTP directory as a
parameter, and copies all required files for BIOS and |UEFI| clients into this
@ -110,6 +115,12 @@ Use a Linux workstation as the |PXE| Boot server.
#. Set up the |PXE| boot configuration.
.. important::
|PXE| configuration steps differ for |prod| |deb-eval-release|
evaluation on the Debian distribution. See the :ref:`Debian Technology
Preview <deb-grub-deltas>` |PXE| configuration procedure for details.
The ISO image includes a setup script, which you can run to complete the
configuration.

40
doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst
View File

@ -6,7 +6,7 @@
Local LDAP Linux User Accounts
==============================
You can create regular Linux user accounts using the |prod| LDAP service.
You can create regular Linux user accounts using the |prod| |LDAP| service.
Local |LDAP| accounts are centrally managed on the active controller; all
hosts in the cloud/cluster use the Local |LDAP| server on the active controller
@ -40,9 +40,39 @@ Local |LDAP| user accounts share the following set of attributes:
- Login sessions are logged out automatically after about 15 minutes of
inactivity.
- The accounts are blocked following five consecutive unsuccessful login
attempts. They are unblocked automatically after a period of about five
minutes.
- After each unsuccessful login attemt, a 15 second delay is imposed before
making another attempt. If you attempt to login before 15 seconds the
system will display a message such as:
``Account temporary locked (10 seconds left)``
.. note:: On Debian-based |prod| systems, this delay is 3 seconds.
- After five consecutive unsuccessful login attempts, further attempts are
blocked for about five minutes. On further attemps within 5 minutes, the
system will display a message such as:
``Account locked due to 6 failed logins``
.. note::
On Debian-based |prod| systems, you are alerted on the 6th and
subsequent attempts:
``Account locked due to 6 failed logins``
and an error message is displayed on subsequent attempts:
``Maximum number of tries exceeded (5)``
To clarify, on CentOS-based |prod| systems, the 5 minute block is not an
absolute window, but a sliding one. That is, if you keep attempting to log
in within those 5 minutes, the window keeps sliding and the you remain
blocked. Therefore, you should not attempt any further login attempts for 5
minutes after 5 unsuccessful login attempts.
On Debian-based |prod| systems, 5 mins after the account is locked, the
failed attempts will be reset and failed attempts re-counted.
- All authentication attempts are recorded on the file /var/log/auth.log
of the target host.
@ -91,4 +121,4 @@ from the console ports of the hosts; no |SSH| access is allowed.
.. seealso::
:ref:`Create LDAP Linux Accounts <create-ldap-linux-accounts>`
:ref:`Create LDAP Linux Accounts <create-ldap-linux-accounts>`

31
doc/source/security/kubernetes/the-sysadmin-account.rst
View File

@ -23,13 +23,40 @@ The default initial password is **sysadmin**.
- The initial password must be changed immediately when you log in to each
host for the first time. For details, see |_link-inst-book|.
- After each unsuccessful login attempt, a 15 second delay is imposed before
making another attempt. If you attempt to login before 15 seconds the
system will display a message such as:
``Account temporary locked (10 seconds left)``
.. note:: On Debian-based |prod| systems, this delay is 3 seconds.
- After five consecutive unsuccessful login attempts, further attempts are
blocked for about five minutes. To clarify, the 5 minute block is not an
blocked for about five minutes. On further attemps within 5 minutes, the
system will display a message such as:
``Account locked due to 6 failed logins``
.. note::
On Debian-based |prod| systems, you are alerted on the 6th and
subsequent attempts:
``Account locked due to 6 failed logins``
and an error message is displayed on subsequent attempts:
``Maximum number of tries exceeded (5)``
To clarify, on CentOS-based |prod| systems, the 5 minute block is not an
absolute window, but a sliding one. That is, if you keep attempting to log
in within those 5 minutes, the window keeps sliding and the user remains
in within those 5 minutes, the window keeps sliding and the you remain
blocked. Therefore, you should not attempt any further login attempts for 5
minutes after 5 unsuccessful login attempts.
On Debian-based |prod| systems, 5 mins after the account is locked, the
failed attempts will be reset and failed attempts re-counted.
Subsequent password changes must be executed on the active controller in an
**unlocked**, **enabled**, and **available** state to ensure that they