(1) Release Version Upgrade
(2) Matching code changes with el7 to el8
This package actually comes from the openstack package repo [0]
and the correct version is 2.21.0-3,
since the CentOS folks have not created a cloud repo yet.
Ultimately this will need to be a python3 version.
We will need to rename the package to python3-requests.
[0] http://vault.centos.org/7.7.1908/cloud/Source/openstack-stein/
Story: 2006729
Task: 37659
Depends-On: https://review.opendev.org/#/c/696481/
Depends-On: https://review.opendev.org/#/c/696050/
Change-Id: I8544995320fa440074554c6fdf0e1143bf68b582
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
This solves:
ntp: Stack-based buffer overflow in ntpq and ntpdc allows
denial of service or code execution (CVE-2018-12327)
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
for more details.
Here we refresh the meta patches and correct the crime of
"name of patch file differs from git format-patch". We
also clean up the commit short logs.
Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
Closes-Bug: 1849197
Depends-On: https://review.opendev.org/#/c/695983
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
OSDs might become stuck peering.
Recover from such state.
Closes-bug: 1851287
Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
This solves:
systemd: line splitting via fgets() allows for state injection
during daemon-reexec (CVE-2018-15686)
along with some other less critical issues. See the security
announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
for more details.
Here we rebase the patches, and fix the atrocious crime of "name of patch file
doesn't match what git format-patch generates". We also squash down the
meta patches which add the patches to the spec file as part of
good housekeeping.
Change-Id: I01a3fa329bbad541a063cb604d1756892139967f
Closes-Bug: 1849200
Depends-On: https://review.opendev.org/#/c/695560
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Uprev i40e to version 2.10.19.30
i40evf gets replaced by iavf version 3.7.61.20
The iavf driver supports both fortville and columbiaville,
so they decided to rename from i40evf to something more generic.
We get to drop the patch which polls for coming out of
reset as it was incorporated upstream.
The Intel FPGA Programmable Acceleration Card N3000 contains
dual Intel XL710 NICs and an FPGA for acceleration purposes.
This driver upgrade is required to support those NICs.
Change-Id: Ifbec94bcc00a8cce9fe97bf0eb41556b8bd3e592
Story: 2006740
Task: 37542
Depends-On: https://review.opendev.org/#/c/695061
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
This commit rebases initscripts patch set, dropping
run-dhclient-as-daemon-for-ipv6.patch
Currently, ifup-eth tries running ipv6 dhclient with the one-shot
option, and if that fails, then retries indefinitely in the background.
That has the side-effect of causing the ifup-post script to not be run
if the first dhclient attempt fails, which will prevent routes on that
interface from being created. This is especially problematic in the
case of a DOR, where the compute nodes may come up before dnsmasq is up
on the controller.
This is different from upstream centos, which will only try running
dhclient with the one-shot option for ipv6.
By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
runs as one-shot only, and if it fails, ifup-eth script exits without
getting an address, and then the node fails to come up and reboot.
While this may result in the compute node having an extra reboot in a DOR,
that is preferable to the compute coming up incorrectly and requiring a
lock/unlock to recover.
Closes-bug: 1844579
Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
Signed-off-by: Joseph Richard <joseph.richard@windriver.com>
In a DC system when subcloud is managed, keystone user/project IDs are
synced with Central Cloud, including admin user and project. But the
admin's secrets in Barbican still use the original user/project IDs,
causing docker registry access failure when platform-integ-apps is
reapplied.
This change added a patch to keystone puppet manifest, that updates
keystone admin user/project IDs to be the same as Central Cloud right
after keystone is bootstrapped during subcloud deployment. This way any
reference to admin user/project IDs after bootstrap will be using the
IDs same as Central Cloud, including the ones in Barbican. This will
solve the problem of retrieving central registry credential failure
when platform-integ-apps is reapplied.
Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
Closes-Bug: 1851247
Signed-off-by: Andy Ning <andy.ning@windriver.com>
The lldpd package currently does not package the /etc/default/lldpd
file as a config file, but it is modified at runtime by a puppet
manifest. As a result, if the lldpd package is updated on a system, it
would overwrite the modified file with the version from the package.
This update adds the %config(noreplace) to lldpd.spec for this file.
Change-Id: I82e62bdcac9ea07a3eaea0dfca5b1037b4b392d6
Partial-Bug: 1850695
Signed-off-by: Don Penney <don.penney@windriver.com>
The barbican user and group were missing from the setup files.
Adding it ensures consistent uid/gid values across nodes, where
filesystems may be shared.
Adding it also ensures uid/gid exists when barbican is installed.
This will fix sanity issues due to arbitrary rpm ordering during
initial system installation.
openstack-barbican-common has a scriptlet that sets up
barbican user and group if they do not exist, through
shadow-utils.
The shadow-utils requirement is set for openstack-barbican
rather than openstack-barbican-common or python-barbican.
Alternatively the src rpm could be patched, but this would add
source code patching debt, and still not resolve the filesystem
consistency issue.
Change-Id: I67b7c292e4a3356335df6619648284e028625fe6
Closes-Bug: 1849671
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
This is a minor bugfix release.
It requires golang 1.12.10 to build.
Change-Id: I3eb4818d4667ff3be1020a2066c52ed248d5e23c
Story: 2005860
Task: 37159
Depends-On: https://review.opendev.org/#/c/689000/
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
The spec file from CentOS was written to tightly couple
the kubernetes rpms to the same version and therefore prevent
any of them from being changed without installing the entire set.
This blocks the kubernetes upgrade procedure, which expects
components such as kubeadm or kubelet to up-version independently
from the other kubernetes components.
Refer to Upgrading Control Planes section of:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
In addition, hyperkube (unused) was packaged in multiple
rpms which is an rpm patching semantic violation.
Story: 2005860
Task: 36956
Change-Id: I26b7bc4b232635ac5f58aa9db79fcfe505c85fdc
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
The ifup-aliases script assumes that the IPv4 address is always
defined. If the configuration is only for IPv6, the script would
generate an error and not process the IPv6 address of the interface.
This commit is to bring up the IPv6 interface even if the IPv4 address
is not defined.
Partial-Bug: 1834234
Change-Id: Ib0c4cbc7ec19cc0c0c485e4ad63c380aa8a49a4c
Signed-off-by: Teresa Ho <teresa.ho@windriver.com>
This image will be run as a daemonset to enable the Intel QAT device plugin.
Story: 2005514
Task: 36819
Change-Id: I6ba1410bec7bbbc915048f6dee66975eba1ced55
Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
Currently, StarlingX uses a version of the SR-IOV CNI and device
plugin container images that are based on a certain commit reference.
This is done to ensure reliable and predictable behaviour until the
images can be locked down on a stable release version.
It is desirable to move to a later version of these images for
a couple of reasons (aside from bug fixes, etc):
1. The SR-IOV CNI image now uses an Alpine base, rather than
a Red Hat base.
2. The SR-IOV device plugin allows a DPDK enabled pod with
Mellanox NICs to run unprivileged.
This commit moves the image base forward.
Testing has been performed with netdevice and DPDK based
pod applications with various combinations of the following
devices:
Mellanox MT27700 Family [ConnectX-4]
Intel 82599ES 10-Gigabit SFI/SFP+ Network Connection
Intel Ethernet Controller X710 for 10GbE SFP+
Change-Id: Ia74e135b3e4b1a00465d4a8fd0b4650efdcfd2c5
Closes-Bug: 1843963
Closes-Bug: 1835020
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Create Intel FPGA plugins Docker images to StarlingX image build from
intel-device-plugins-for-kubernetes. Adjust the script to make it
more generic. Update intel-gpu-plugin to the latest codebase as well.
Change-Id: I4e60de505aca5d01c10a4db396a2311591b44ff0
Story: 2006495
Task: 36710
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
The spec file and srpm tarball are updated to build
the 1.16.0 kubernetes source archive.
Change-Id: Ib9770f43b3e035085ef1d1692d4f14c4beddae49
Story: 2005860
Task: 36702
Depends-On: https://review.opendev.org/#/c/684351
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
3.3.15 is the default etcd used by kubernetes 1.16
Some patches from the old src rpm have been removed since
they are not compatible with the updated source tree, and
do not appear related to STX.
Change-Id: I6337a963d7b4af059ae445e4a4f11fb69efbe0a7
Story: 2005860
Task: 36701
Depends-On: https://review.opendev.org/#/c/684351
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
boto3 is a Python package for interacting with AWS. We need this for
interacting with an Amazon Docker registry. This commit adds boto3 and
its dependencies to the build.
Story: 2006274
Task: 36704
Depends-On: https://review.opendev.org/683179
Change-Id: I5a5c7ea7b20c012b51ee20057a1ebd0f0c635386
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Includes a spec file for building and changes to get the
kernel modules into the load.
Change-Id: I6e075e19b1e4deefd7f5bcb11fec34c383b313b8
Story: 2006495
Task: 36607
Depends-On: https://review.opendev.org/#/c/682058/
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
Explicitly set ceph-mgr configuration file path to
/etc/ceph/ceph.conf to avoid surprises. ceph-mon
and ceph-osd are also started with '-c' (--conf)
pointing to /etc/ceph/ceph.conf.
Change-Id: I4915952f17b4d96a8fce3b4b96335693f9b6c76b
Closes-bug: 1843082
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
This is required to fix a bug with ntpq and IPV6 addresses. The ntpq
command truncates the remote addresses to 15 characters. This is not
long enough for IPV6 addresses. This has been fixed in version 4.2.8
which is not yet released by CentOS. Patch
Fix-ntpq-truncates-IPV6-addresses.patch provides a subset of the fix.
aeb3ee65bc https://bugs.ntp.org/show_bug.cgi?id=1128
Depends-On: https://review.opendev.org/680105
Partial-Bug: 1840687
Change-Id: If9d07acf913ebebead5505d44129f0644511b748
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
python-cephclient certificate validation fails when connecting
to ceph-mgr restful plugin because server URL doesn't match
CommonName (CN) or SubjectAltName (SAN).
Setting CN to match server hostname fixes this issue but
raises a warning caused by missing SAN.
Using CN=ceph-restful and SAN=<hostname> fixes the issue
and clears the warning.
Change-Id: I6e8ca93c7b51546d134a6eb221c282961ba50afa
Closes-bug: 1828470
Signed-off-by: Daniel Badea <daniel.badea@windriver.com>
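The CN/SAN behaviour described in the python-cephclient commit above, as an added example that is not part of the commit or of the project's code: a small model of a TLS client that prefers SAN dNSName entries and only falls back to CN (with a warning) when no SAN is present. The hostname, the "ceph-mgr" CN and the certificate dicts are constructed samples.

```python
# Added illustration: certificate dicts are constructed samples in the shape
# returned by ssl.SSLSocket.getpeercert(); "controller-0" is a made-up hostname.
HOSTNAME = "controller-0"
CERT_ORIGINAL = {"subject": ((("commonName", "ceph-mgr"),),)}      # matches nothing
CERT_CN_ONLY = {"subject": ((("commonName", "controller-0"),),)}   # CN = hostname
CERT_CN_AND_SAN = {"subject": ((("commonName", "ceph-restful"),),),
                   "subjectAltName": (("DNS", "controller-0"),)}   # the final fix


def _common_names(cert):
    """Collect every commonName value from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _dns_match(pattern, hostname):
    """Case-insensitive match; a '*' is allowed only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    return (p_labels[0] == "*" and len(p_labels) > 2
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])


def check_server_identity(cert, hostname):
    """Return (ok, warnings) for `hostname` checked against `cert`."""
    warnings = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # SAN dNSName entries are authoritative; CN is ignored when they exist.
        return any(_dns_match(s, hostname) for s in sans), warnings
    warnings.append("certificate has no subjectAltName; falling back to commonName")
    return any(_dns_match(cn, hostname) for cn in _common_names(cert)), warnings


def demo():
    """Evaluate the three certificate variants the commit message walks through."""
    cases = (("original", CERT_ORIGINAL), ("cn-only", CERT_CN_ONLY),
             ("cn+san", CERT_CN_AND_SAN))
    return {name: check_server_identity(cert, HOSTNAME) for name, cert in cases}


if __name__ == "__main__":
    for name, (ok, warns) in demo().items():
        print(f"{name:9} ok={ok} warnings={warns}")
```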