diff --git a/doc/source/_includes/deb-tech-preview.rest b/doc/source/_includes/deb-tech-preview.rest new file mode 100644 index 000000000..e607937d3 --- /dev/null +++ b/doc/source/_includes/deb-tech-preview.rest @@ -0,0 +1,21 @@ +.. begin-prod-an-1 +.. end-prod-an-1 + +.. begin-prod-an-2 +.. end-prod-an-2 + +.. begin-dec-and-imp +.. end-dec-and-imp + +.. begin-declarative +.. end-declarative + +.. begin-install-prereqs +.. end-install-prereqs + +.. begin-prep-servers +.. end-prep-servers + +.. begin-known-issues +.. end-known-issues + diff --git a/doc/source/_vendor/vendor_strings.txt b/doc/source/_vendor/vendor_strings.txt index b5be4df28..92266a17f 100755 --- a/doc/source/_vendor/vendor_strings.txt +++ b/doc/source/_vendor/vendor_strings.txt @@ -102,3 +102,14 @@ because target lable differs here/partner contexts. .. |_link-inst-book| replace:: :ref:`Installation guide ` + + +.. Debian Tech Preview + +.. |deb-prev-prods| replace:: |prod| +.. |deb-510-kernel-release| replace:: release 6.0 +.. |deb-eval-release| replace:: release 7.0 +.. |deb-production-release| replace:: release 8.0 +.. |deb-install-step-change| replace:: \ +.. |deb-dup-std-na| replace:: Duplex, and standard configurations are not available. +.. |deb-update-iso| replace:: \ diff --git a/doc/source/debian/index-debian-introduction-8eb59cf0a062.rst b/doc/source/debian/index-debian-introduction-8eb59cf0a062.rst index e4e7006fd..e82f1306e 100644 --- a/doc/source/debian/index-debian-introduction-8eb59cf0a062.rst +++ b/doc/source/debian/index-debian-introduction-8eb59cf0a062.rst @@ -1,8 +1,8 @@ .. _index-debian-introduction-8eb59cf0a062: -=================== -Debian Introduction -=================== +============== +Debian Preview +============== -------------------- StarlingX Kubernetes diff --git a/doc/source/debian/kubernetes/debian-based-solution-75cd4fb6f023.rst b/doc/source/debian/kubernetes/debian-based-solution-75cd4fb6f023.rst new file mode 100644 index 000000000..c91bd417c --- /dev/null +++ b/doc/source/debian/kubernetes/debian-based-solution-75cd4fb6f023.rst @@ -0,0 +1,42 @@ +.. _debian-based-solution-75cd4fb6f023: + +===================== +Debian-based Solution +===================== + +Major features of Debian-based |prod| will include: + +* Linux 5.10 Yocto-based kernel ( https://www.yoctoproject.org/ ) + + The Yocto Project Kernel: + + * tracks stable kernel updates very closely; staying very current with the + stable kernel, + + * provides a reliable implementation of the pre-empt-rt patchset (see: + https://rt.wiki.kernel.org/index.php/Main_Page), and + + * provides predictable and searchable |CVE| handling. + +|org| will also leverage its existing relationships with the Yocto Project to +enhance development, bug fixes and other activities in the Yocto Project kernel +to drive |prod| quality and feature content. + +* Debian Bullseye (11.3) + + Debian is a well-established Linux Distribution supported by a large and + mature open-source community. + +* OSTree ( https://ostree.readthedocs.io/en/stable/manual/introduction/ ) + + OSTree provides for robust and efficient versioning, packaging and + upgrading of Linux-based systems. + +* An updated Installer to seamlessly adapt to Debian and OSTree + +* Updated software patching and upgrades for Debian and OSTree. + + +.. include:: /_includes/deb-tech-preview.rest + :start-after: begin-prod-an-2 + :end-before: end-prod-an-2 diff --git a/doc/source/debian/kubernetes/figures/debian_patching_details_horizon.png b/doc/source/debian/kubernetes/figures/debian_patching_details_horizon.png new file mode 100644 index 000000000..3b07ea4f1 Binary files /dev/null and b/doc/source/debian/kubernetes/figures/debian_patching_details_horizon.png differ diff --git a/doc/source/debian/kubernetes/index-debian-introduction-kub-c3fa5e92e8d6.rst b/doc/source/debian/kubernetes/index-debian-introduction-kub-c3fa5e92e8d6.rst index cf8d186ef..c9d8de899 100644 --- a/doc/source/debian/kubernetes/index-debian-introduction-kub-c3fa5e92e8d6.rst +++ b/doc/source/debian/kubernetes/index-debian-introduction-kub-c3fa5e92e8d6.rst @@ -1,5 +1,16 @@ + .. _index-debian-introduction-kub-c3fa5e92e8d6: .. include:: /_includes/toc-title-debian-kub.rest +.. toctree:: + :maxdepth: 2 + + overview-234a36ffe9fb + debian-based-solution-75cd4fb6f023 + operational-impacts-9cf2e610b5b3 + technology-preview-reduced-scope-0008a139a4b9 + technology-preview-installation-fa6f71e9737d + technology-preview-known-issues-899a77ad709c + diff --git a/doc/source/debian/kubernetes/operational-impacts-9cf2e610b5b3.rst b/doc/source/debian/kubernetes/operational-impacts-9cf2e610b5b3.rst new file mode 100644 index 000000000..76564f1d1 --- /dev/null +++ b/doc/source/debian/kubernetes/operational-impacts-9cf2e610b5b3.rst @@ -0,0 +1,133 @@ +.. _operational-impacts-9cf2e610b5b3: + +=================== +Operational Impacts +=================== + +The operational impact of Debian-based |prod| is small: + +* Functional equivalence with CentOS-based |prod| + +* Use of the |prod| CLIs and APIs will remain the same: + + * |prod| on Debian will provide the same CLIs and APIs as |prod| on CentOS. + + * |prod| on Debian will run the same 5.10 kernel version as |prod| on + CentOS. + + * |prod| on Debian will support the same set of Kubernetes APIs used in + |prod| on CentOS. + + * The procedure to install hosts will be unchanged by the migration from + CentOS to Debian. Only the ``grub`` menu has been modified. + + * The CLIs used for software updates (patching) will be unchanged by + the migration from CentOS to Debian. + +* User applications running in containers on CentOS should run on Debian + without modification. Re-validation of containers on Debian is encouraged to + identify any exceptions. + +* A small subset of operating system-specific commands will differ. Some of + these changes result from the switch in distributions while others are + generic changes that have accumulated since the release of the CentOS + distribution currently used. For example: + + + * The Debian installation requires new pxeboot grub menus. See + :ref:`Technology Preview Installation `. + + * Some prompt strings will be slightly different (for example: ssh login, + passwd command, and others). + + * Many 3rd-party software packages are running a newer version in Debian + and this may lead to minor changes in syntax, output, config files, and + logs. + + * The URL to expose keystone service does not have the version appended. + + * On Debian, interface and static routes need to be handled using system-API. + + * Do not edit configuration files in ``/etc/network/`` as they are + regenerated from sysinv database after a system reboot. Any changes + directly done there will be lost. + + * The static routes configuration file is ``/etc/network/routes`` + + * Interface configuration files are located in + ``/etc/network/interfaces.d/`` + + * Debian stores network information in ``/etc/network`` instead of + ``/etc/sysconfig/network-scripts`` location used in CentOS. However, the + |prod| ``system …`` commands are unchanged. |deb-update-iso| + + * Patching on Debian is done using ostree commits rather than individual + RPMs. + + You can see which packages are updated by ostree using the :command:`dpkg + -l` instead of :command:`rpm -qa` used on CentOS. + + * Patching is done via reboot required patches. In-service patching is not + supported in the Technology Preview release. + + * The patching CLI commands and Horizon interactions are the same as for + CentOS. + + * The supported patching CLI commands for |deb-eval-release| are: + + * ``sw-patch upload`` + * ``sw-patch upload-dir`` + * ``sw-patch apply`` + * ``sw-patch remove`` + * ``sw-patch delete`` + * ``sw-patch query`` + * ``sw-patch show`` + * ``sw-patch query-hosts`` + * ``sw-patch host-install`` + * ``sw-patch host-install-async`` + * ``sw-patch install-local`` + + However, since Debian patches work with ostree commits rather than + RPMs, the patch contents visible on Horizon and CLI are different. + + Running the ``sw-patch show `` CLI command or selecting + **Software Management** and the patch name in Horizon displays details + about the contents of a Debian patch including: + + * The number of ostree commits in this patch. + + * The base commit on which the patch can be applied. + + * The commit IDs that are associated with this patch. + + **CLI** + + Sample ``sw-patch show `` output: + + .. code-block:: none + + DEBIAN_RR: + Release: 22.06 + Patch State: Available + Status: DEV + Unremovable: N + RR: Y + Summary: Reboot Required Patch 0015 + Description: Reboot Required Patch for resolving subcloud unlock issue + Install Instructions: + Please ensure that there is 450MB minimum available space in the directory where the patch is going to be placed. + Warnings: This patch requires PATCH_0014 to be installed first. + Contents: + + No. of commits: 2 + Base commit: d0a0d5ad78746c86ab477fb5ccb98d7e813484a9cb1c0a780363233794655fdc + Commit1: a386e76d6430f7fd6693d40379cccc838445f4abd409f158b919c010da80cb83 + Commit2: 647dcef3f32d61b3d341fab905f5267c5614d804cae5d295693a6098db6e4e6d + + + **Horizon** + + Sample **Software Management** > *patch name* output. + + .. figure:: figures/debian_patching_details_horizon.png + :width: 600px diff --git a/doc/source/debian/kubernetes/overview-234a36ffe9fb.rst b/doc/source/debian/kubernetes/overview-234a36ffe9fb.rst new file mode 100644 index 000000000..8bfb9a3e4 --- /dev/null +++ b/doc/source/debian/kubernetes/overview-234a36ffe9fb.rst @@ -0,0 +1,83 @@ +.. _overview-234a36ffe9fb: + +======== +Overview +======== + +With support for the CentOS Distribution being discontinued, |deb-prev-prods| +will move to the Debian OS Distribution. Debian is a well-established Linux +Distribution supported by a large and mature open-source community and used by +hundreds of commercial organizations, including Google. When fully transitioned +to Debian, |deb-prev-prods| will have full functional equivalence to the +current CentOS-based versions of |deb-prev-prods|. + +The planned rollout for the transition to Debian is as follows: + + +.. rubric:: |prod| |deb-510-kernel-release| (RELEASED) + +* General Availability (GA) Release of CentOS7 |prod| (for production + deployments) + +* Moved to 5.10 kernel, which will be used by the upcoming Debian-based + release. + +.. rubric:: |prod| |deb-eval-release| + + +|prod| |deb-eval-release| is a general Availability (GA) Release of CentOS7 +|prod| for production deployments. It will be the last release of a CentOS7 +–based |prod|. + +|prod| |deb-eval-release| inherits the 5.10 version of the Linux kernel +introduced in |prod| |deb-510-kernel-release|. + +|prod| |deb-eval-release| is also a technology Preview Release of Debian |prod| +for evaluation purposes. + +|prod| |deb-eval-release| release runs Debian Bullseye (11.3). It is limited in +scope to the |AIO-SX| configuration. |deb-dup-std-na| + +See :ref:`technology-preview-reduced-scope-0008a139a4b9` for details. + + +.. rubric:: Debian |prod| General Availability + + +An upcoming release will make Debian |prod| genrally available for +production deployments. + +This upcoming release will run Debian Bullseye 11.3 or later with +full functional equivalence to the CentOS-based |prod|. + +.. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-prod-an-1 + :end-before: end-prod-an-1 + + +.. rubric:: Planned in-service upgrade paths for |prod| + +* |prod| |deb-510-kernel-release| running CentOS ==> |prod| |deb-eval-release| running CentOS ==> |prod| Debian general availability release + +or + +* |prod| |deb-510-kernel-release| running CentOS ==> |prod| Debian general availability release + + +.. note:: + + There will be no upgrade paths related to the |prod| |deb-eval-release| + Debian Technology Preview release. + +The |prod-long| |deb-eval-release| Debian Technology Preview allows you to +evaluate and prepare for the upcoming Debian-based General Availability release +while continuing to run your production deployment +on CentOS-based |prod-long|. It is strongly recommended that you perform a +complete assessment of |prod| and your application running on |prod| in a lab +setting to fully understand and plan for any changes that may be required to +your application when you migrate to Debian-based |prod| +the |prod| Debian General Availability release in a production +environment. + diff --git a/doc/source/debian/kubernetes/technology-preview-installation-fa6f71e9737d.rst b/doc/source/debian/kubernetes/technology-preview-installation-fa6f71e9737d.rst new file mode 100644 index 000000000..be341bf01 --- /dev/null +++ b/doc/source/debian/kubernetes/technology-preview-installation-fa6f71e9737d.rst @@ -0,0 +1,302 @@ +.. _technology-preview-installation-fa6f71e9737d: + +=============================== +Technology Preview Installation +=============================== + +In general, the installation of |prod| |deb-eval-release| Debian Technology +Preview on All-in-one Simplex is unchanged. + + +.. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-dec-and-imp + :end-before: end-dec-and-imp + + +There are no changes to: + +* The overall installation workflow + + .. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-install-prereqs + :end-before: end-install-prereqs + + +* The installation prerequisites, i.e. required files, boot mechanism + (bootable USB or pxeboot server), network connectivity, external DNS Server + and a Docker Registry: + + .. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-install-prereqs + :end-before: end-install-prereqs + +* The hardware requirements: :ref:`starlingx-hardware-requirements`, or + +* The preparation of physical servers, i.e. BIOS setup, etc. + +The only minor change in the installation is in the initial install of software +on controller-0. |deb-update-iso| + +.. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-prep-servers + :end-before: end-prep-servers + +There is a single install menu |deb-install-step-change| to choose between an +AIO-Controller with the Standard Kernel and an AIO-Controller with the +Low-Latency Kernel. Of course the actual console log output of the software +install will be different due to OSTree and Debian details. + +.. _deb-grub-deltas: + +The Debian installation requires configuration of the new pxeboot grub menus; +one for servers with Legacy BIOS support and another for servers with |UEFI| +firmware. + +During |PXE| boot configuration setup, as described in +:ref:`configuring-a-pxe-boot-server-r6`, additional steps are required to +collect configuration information and create a grub menu to install |prod| +|deb-eval-release| AIO controller-0 function on the target server. + +#. Wipe the install device prior to Debian installation. + + .. code-block:: none + + $ sudo wipedisk --force --include-backup + $ sudo sgdisk -o /dev/sda + + Repeat the :command:`sudo sgdisk -o` command for all disks, such as ``dev/sdb``, + ``/dev/sdc``, and so-on. + +#. **Option 1:** Install controller-0 from a USB device containing the + Debian ISO image. + + Use this method to install locally from a physical or virtual media USB + device/ISO. + + #. Add the Debian ISO image to a USB device and make the target server + boot the ISO image from that USB device. + + #. During installation, select the install type from the presented + menu. For a |UEFI| installation, the menu options are prefixed with + "UEFI ". + +#. **Option 2:** Install controller-0 from a PXEboot install feed. + + This method uses a network PXEboot install from a remote PXEboot server + and 'feed' directory. + + * The 'feed' directory is a directory containing the mounted contents + of the Debian ISO. + + * The 'feed' creation process for the Debian install differs from the + CentOS method. + + * The 'feed' can be populated with either a **direct ISO mount** + or a **copy of the ISO content**. + + **Direct ISO mount** method: + + #. Mount the ISO at the feed directory location on the pxeboot server. + + #. Copy the ISO to the 'feed' directory location pxeboot server. + + .. note:: + + This can be a common location for installing many servers or a + unique location for a specific server. + + #. Mount the ISO as the 'feed' directory. + + .. note:: The mount requires root access. If you don't have root + access on the PXEboot server then use the **ISO copy** method. + + .. code-block:: none + + $ IMAGENAME= + $ sudo mount -o loop ${IMAGENAME}.iso ${IMAGENAME}_feed + + **Copy ISO contents** method: + + + #. Create a tarball containing the mounted ISO content + + #. Copy the Debian ISO to a location where the ISO can be mounted + + #. Mount the ISO, tar it up and copy the feed tarball to the PXEboot + server + + + #. Untar the feed tarball at the feed directory location on your + PXEboot server. + + An example of the above commands: + + .. code-block:: none + + $ IMAGENAME= + + $ sudo mount -o loop ${IMAGENAME}.iso ${IMAGENAME}_feed + $ tar -czf ${IMAGENAME}_feed.tgz ${IMAGENAME}_feed + $ scp ${IMAGENAME}_feed.tgz @: + + $ ssh @ + + $ cd + $ tar -xzf ${IMAGENAME}_feed.tgz + $ rm ${IMAGENAME}_feed.tgz + + #. Optionally, link your new feed directory to the name the pxeboot + server translates the incoming MAC based |DHCP| request to. + + .. code-block:: none + + $ ln -s ${IMAGENAME}_feed feed + + Your 'feed' directory or link should now list similarly to the + following example: + + .. code-block:: none + + drwxr-xr-x 7 someuser users 4096 Jun 13 10:33 starlingx-20220612220558_feed + lrwxrwxrwx 1 someuser users 58 Jun 13 10:35 feed -> starlingx-20220612220558_feed + + The 'feed' directory structure should be as follows: + + .. code-block:: none + + feed + ├── bzImage-rt ... Lowlatency kernel + ├── bzImage-std ... Standard kernel + ├── initrd ... Installer initramfs image + ├── kickstart + │ └── kickstart.cfg ... Unified kickstart + │ + ├── ostree_repo ... OSTree Archive Repo + │ ├── config + │ ├── extensions + │ └── objects + │ + ├── pxeboot + └── samples + ├── efi-pxeboot.cfg.debian ... controller-0 UEFI install menu sample + ├── pxeboot.cfg.debian ... controller-0 BIOS install menu sample + ├── pxeboot_setup.sh ... script used to tailor the above samples + └── README ... info file + + Note that many files and directories have been omitted for clarity. + + #. Set up the PXEboot grub menus. + + The ISO contains a ``pxeboot/sample`` directory with controller-0 + install grub menus. + + * For BIOS: ``feed/pxeboot/samples/pxeboot.cfg.debian`` + + * For UEFI: ``feed/pxeboot/samples/efi-pxeboot.cfg.debian`` + + You must customize these grub menus for a specific server + install by modifying the following variable replacement strings + with path and other information that is specific to your pxeboot + server. + + ``xxxFEEDxxx`` + The path between http server base and feed directory. For + example: ``/var/www/html/xxxFEED_xxx/`` + + ``xxxPXEBOOTxxx`` + The offset path between /pxeboot and the feed to find + ``bzImage/initrd``. For example: + ``/var/pxeboot/xxxPXEBOOTxxx/`` + + ``xxxBASE_URLxxx`` + The pxeboot server URL: ``http://###.###.###.###`` + + ``xxxINSTDEVxxx`` + The install device name. Default: ``/dev/sda`` Example: + ``/dev/nvme01`` + + ``xxxSYSTEMxxx`` + The system install type index. Default: aio>aio-serial + (All-in-one Install - Serial; Console) + + menu32 = no default system install type ; requires manual select + + disk = Disk Boot + + standard>serial = Controller Install - Serial Console + + standard>graphical = Controller Install - Graphical Console + + aio>serial = All-in-one Install - Serial Console + + aio>graphical = All-in-one Install - Graphical Console + + aio-lowlat>serial = All-in-one (lowlatency) Install - Serial Console + + aio-lowlat>graphical = All-in-one (lowlatency) Install - Graphical Console + + The ISO also contains the ``pxeboot/samples/pxeboot_setup.sh`` + script that can be used to automatically setup both the BIOS and + |UEFI| grub files for a specific install. + + .. code-block:: none + + ./feed/pxeboot/samples/pxeboot_setup.sh --help + + Usage: ./pxeboot_setup.sh [Arguments Options] + + Arguments: + + -i | --input : Path to pxeboot.cfg.debian and efi-pxeboot.cfg.debian grub template files + -o | --output : Path to created pxeboot.cfg.debian and efi-pxeboot.cfg.debian grub files + -p | --pxeboot : Offset path between /pxeboot and bzImage/initrd + -f | --feed : Offset path between http server base and mounted iso + -u | --url : The pxeboot server's URL + + Options: + + -h | --help : Print this help info + -b | --backup : Create backup of updated grub files as .named files + -d | --device : Install device path ; default: /dev/sda + -s | --system : System install type ; default: 3 + + 0 = Disk Boot + 1 = Controller Install - Serial Console + 2 = Controller Install - Graphical Console + 3 = All-in-one Install - Serial Console (default) + 4 = All-in-one Install - Graphical Console + 5 = All-in-one (lowlatency) Install - Serial Console + 6 = All-in-one (lowlatency) Install - Graphical Console + + Example: + + pxeboot_setup.sh -i /path/to/grub/template/dir + -o /path/to/target/iso/mount + -p pxeboot/offset/to/bzImage_initrd + -f pxeboot/offset/to/target_feed + -u http://###.###.###.### + -d /dev/sde + -s 5 + +The remaining install steps are also completely unchanged: + +.. only:: partner + + **Imperative mode** + +:ref:`aio_simplex_install_kubernetes_r6` + +.. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-declarative + :end-before: end-declarative + diff --git a/doc/source/debian/kubernetes/technology-preview-known-issues-899a77ad709c.rst b/doc/source/debian/kubernetes/technology-preview-known-issues-899a77ad709c.rst new file mode 100644 index 000000000..66822365b --- /dev/null +++ b/doc/source/debian/kubernetes/technology-preview-known-issues-899a77ad709c.rst @@ -0,0 +1,14 @@ +.. _technology-preview-known-issues-899a77ad709c: + +=============================== +Technology Preview Known Issues +=============================== + +Known issues and workarounds with the |prod| |deb-eval-release| are the same +as those for |prod| |deb-eval-release| based on CentOS. + +.. only:: partner + + .. include:: /_includes/deb-tech-preview.rest + :start-after: begin-known-issues + :end-before: end-known-issues diff --git a/doc/source/debian/kubernetes/technology-preview-reduced-scope-0008a139a4b9.rst b/doc/source/debian/kubernetes/technology-preview-reduced-scope-0008a139a4b9.rst new file mode 100644 index 000000000..68f538395 --- /dev/null +++ b/doc/source/debian/kubernetes/technology-preview-reduced-scope-0008a139a4b9.rst @@ -0,0 +1,22 @@ +.. _technology-preview-reduced-scope-0008a139a4b9: + +================================ +Technology Preview Reduced Scope +================================ + +The |prod| |deb-eval-release| Debian Technology Preview release will have +reduced scope: + +* Only AIO-SX deployments are supported. Duplex, Standard and + Distributed Cloud configurations are not available in this release. + +* Only Kubernetes version 1.23 is supported. + +* Support for both standard and low-latency kernel. + +* Only Reboot Patching is available. In-service patching is not supported. + +* Upgrades to or from this release are not supported. + +Full equivalency of configurations and features will be supported in the upcoming +|prod| Debian General Availability release. diff --git a/doc/source/deploy_install_guides/r5_release/bare_metal/accessing-pxe-boot-server-files-for-a-custom-configuration.rst b/doc/source/deploy_install_guides/r5_release/bare_metal/accessing-pxe-boot-server-files-for-a-custom-configuration.rst index 7210022c6..ba4a6a020 100644 --- a/doc/source/deploy_install_guides/r5_release/bare_metal/accessing-pxe-boot-server-files-for-a-custom-configuration.rst +++ b/doc/source/deploy_install_guides/r5_release/bare_metal/accessing-pxe-boot-server-files-for-a-custom-configuration.rst @@ -17,7 +17,7 @@ use the contents of the working directory to construct a |PXE| boot environment according to your own requirements or preferences. For more information about using a |PXE| boot server, see :ref:`Configure a -PXE Boot Server `. +PXE Boot Server `. .. rubric:: |proc| diff --git a/doc/source/deploy_install_guides/r5_release/bare_metal/configuring-a-pxe-boot-server.rst b/doc/source/deploy_install_guides/r5_release/bare_metal/configuring-a-pxe-boot-server.rst index af1d5cdd4..d3e76d40a 100644 --- a/doc/source/deploy_install_guides/r5_release/bare_metal/configuring-a-pxe-boot-server.rst +++ b/doc/source/deploy_install_guides/r5_release/bare_metal/configuring-a-pxe-boot-server.rst @@ -1,6 +1,6 @@ .. jow1440534908675 -.. _configuring-a-pxe-boot-server: +.. _configuring-a-pxe-boot-server-r5: =========================== Configure a PXE Boot Server diff --git a/doc/source/deploy_install_guides/r6_release/bare_metal/configuring-a-pxe-boot-server.rst b/doc/source/deploy_install_guides/r6_release/bare_metal/configuring-a-pxe-boot-server.rst index 40ba68036..24cde988a 100644 --- a/doc/source/deploy_install_guides/r6_release/bare_metal/configuring-a-pxe-boot-server.rst +++ b/doc/source/deploy_install_guides/r6_release/bare_metal/configuring-a-pxe-boot-server.rst @@ -1,7 +1,12 @@ .. jow1440534908675 + +.. _configuring-a-pxe-boot-server: + .. _configuring-a-pxe-boot-server-r6: + + =========================== Configure a PXE Boot Server =========================== @@ -14,7 +19,7 @@ initialization. |prod| includes a setup script to simplify configuring a |PXE| boot server. If you prefer, you can manually apply a custom configuration; for more information, see :ref:`Access PXE Boot Server Files for a Custom Configuration -`. +`. The |prod| setup script accepts a path to the root TFTP directory as a parameter, and copies all required files for BIOS and |UEFI| clients into this @@ -110,6 +115,12 @@ Use a Linux workstation as the |PXE| Boot server. #. Set up the |PXE| boot configuration. + .. important:: + + |PXE| configuration steps differ for |prod| |deb-eval-release| + evaluation on the Debian distribution. See the :ref:`Debian Technology + Preview ` |PXE| configuration procedure for details. + The ISO image includes a setup script, which you can run to complete the configuration. diff --git a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst index 515e869bc..df880fa73 100644 --- a/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst +++ b/doc/source/security/kubernetes/local-ldap-linux-user-accounts.rst @@ -6,7 +6,7 @@ Local LDAP Linux User Accounts ============================== -You can create regular Linux user accounts using the |prod| LDAP service. +You can create regular Linux user accounts using the |prod| |LDAP| service. Local |LDAP| accounts are centrally managed on the active controller; all hosts in the cloud/cluster use the Local |LDAP| server on the active controller @@ -40,9 +40,39 @@ Local |LDAP| user accounts share the following set of attributes: - Login sessions are logged out automatically after about 15 minutes of inactivity. -- The accounts are blocked following five consecutive unsuccessful login - attempts. They are unblocked automatically after a period of about five - minutes. +- After each unsuccessful login attemt, a 15 second delay is imposed before + making another attempt. If you attempt to login before 15 seconds the + system will display a message such as: + + ``Account temporary locked (10 seconds left)`` + + .. note:: On Debian-based |prod| systems, this delay is 3 seconds. + + - After five consecutive unsuccessful login attempts, further attempts are + blocked for about five minutes. On further attemps within 5 minutes, the + system will display a message such as: + + ``Account locked due to 6 failed logins`` + + .. note:: + + On Debian-based |prod| systems, you are alerted on the 6th and + subsequent attempts: + + ``Account locked due to 6 failed logins`` + + and an error message is displayed on subsequent attempts: + + ``Maximum number of tries exceeded (5)`` + + To clarify, on CentOS-based |prod| systems, the 5 minute block is not an + absolute window, but a sliding one. That is, if you keep attempting to log + in within those 5 minutes, the window keeps sliding and the you remain + blocked. Therefore, you should not attempt any further login attempts for 5 + minutes after 5 unsuccessful login attempts. + + On Debian-based |prod| systems, 5 mins after the account is locked, the + failed attempts will be reset and failed attempts re-counted. - All authentication attempts are recorded on the file /var/log/auth.log of the target host. @@ -91,4 +121,4 @@ from the console ports of the hosts; no |SSH| access is allowed. .. seealso:: - :ref:`Create LDAP Linux Accounts ` \ No newline at end of file + :ref:`Create LDAP Linux Accounts ` diff --git a/doc/source/security/kubernetes/the-sysadmin-account.rst b/doc/source/security/kubernetes/the-sysadmin-account.rst index 4f6902226..563a36b99 100644 --- a/doc/source/security/kubernetes/the-sysadmin-account.rst +++ b/doc/source/security/kubernetes/the-sysadmin-account.rst @@ -23,13 +23,40 @@ The default initial password is **sysadmin**. - The initial password must be changed immediately when you log in to each host for the first time. For details, see |_link-inst-book|. +- After each unsuccessful login attempt, a 15 second delay is imposed before + making another attempt. If you attempt to login before 15 seconds the + system will display a message such as: + + ``Account temporary locked (10 seconds left)`` + + .. note:: On Debian-based |prod| systems, this delay is 3 seconds. + - After five consecutive unsuccessful login attempts, further attempts are - blocked for about five minutes. To clarify, the 5 minute block is not an + blocked for about five minutes. On further attemps within 5 minutes, the + system will display a message such as: + + ``Account locked due to 6 failed logins`` + + .. note:: + + On Debian-based |prod| systems, you are alerted on the 6th and + subsequent attempts: + + ``Account locked due to 6 failed logins`` + + and an error message is displayed on subsequent attempts: + + ``Maximum number of tries exceeded (5)`` + + To clarify, on CentOS-based |prod| systems, the 5 minute block is not an absolute window, but a sliding one. That is, if you keep attempting to log - in within those 5 minutes, the window keeps sliding and the user remains + in within those 5 minutes, the window keeps sliding and the you remain blocked. Therefore, you should not attempt any further login attempts for 5 minutes after 5 unsuccessful login attempts. + On Debian-based |prod| systems, 5 mins after the account is locked, the + failed attempts will be reset and failed attempts re-counted. + Subsequent password changes must be executed on the active controller in an **unlocked**, **enabled**, and **available** state to ensure that they