- Removed the py27 target for sw-patch since it is
python3 only.
- Set the base python in tox.ini to python3.
- Removed the site-packages directive for pylint since
site level rpm component no longer needs to be installed.
- Added the pep8 target (it just calls flake8).
- Removed redundant settings already set at testenv level.
- Cleaned up bandit suppressions that were not needed.
- Cleaned up the flake8 suppressions that were not needed.
- Cleaned up the pylint suppressions that were not needed.
- Minor code cleanup to reduce number of flake8 suppressions
- Minor code cleanup to reduce number of pylint suppressions
- Updated the copyright dates for updated source files
Test Plan:
Tox
Story: 2009969
Task: 45209
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ifccf2a274530b14bacb6ce2dc32f8cca01e26217
The PatchData object is updated to reflect the fields that would be
used in the Debian env. Similarly, the code to parse metadata has
been updated to incorporate the newer ostree commits and checksums.
Tests:
sw-patch upload
sw-patch delete
Story: 2009969
Task: 45203
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
Change-Id: I9efca439f212f1ab91655b8024bf4f8937ff882f
The previous patching scripts were specific to the
centos rpm patching directories, so these scripts
are cloned for the debian env and updated to reflect
the new python and binary locations.
These scripts affect build commands and not runtime.
These scripts are not operational as they point to
utilities and imports that are not converted to ostree
yet.
Test Plan:
Verify build and ISO creation for debian succeed.
Story: 2009969
Task: 45198
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ia903c6b4f07e3d1409c04c2cc17ff40a2e5a4c7f
The sw-patch bash-completion file needs to be located at
usr/share/bash-completion/completions/sw-patch
Test Plan:
Build / Boot / Bootstrap / Install on Debian
Verify sw-patch <tab> shows the sw-patch commands
Story: 2009969
Task: 45201
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Icdb3915fbc36f753d058a643bc04a6fdb0923867
Remove the rpm imports from debian patching code.
The dnf imports will be removed in a later commit.
The patch code had methods, variables and subprocesses
that reference 'rpm'. Most of these have been removed
or renamed. The remaining 'rpm' references will be
removed as functionality related to those calls is
implemented for debian ostree.
The code is being converted to ostree, so these changes
are not currently runnable, nor were the rpm calls on
debian.
The createrepo calls are also removed, ostree equivalent
calls may (or may not) be added in a followup commit.
The subprocess exceptions are made more generic, as
any uncaught exception in API handling could make the patch
controller non-responsive. Robustness improvements may be
investigated in a followup commit.
Test Plan:
Verify build/install/bootstrap/unlock on Debian.
Verify sw-patch upload/delete do not report failures
using a signed patch. (Note: used an rpm patch for centos)
Story: 2009969
Task: 45192
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I0590950868805b89dd1e302397d83f1a6f5e244a
systemd reports the following:
    systemd[1]: /lib/systemd/system/sw-patch.service:11:
    Standard output type syslog+console is obsolete,
    automatically updating to journal+console.
    Please update your unit file, and consider removing
    the setting altogether.
This change is similar to controllerconfig service file
771e6ca734
Test Plan:
Build / Bootstrap / Unlock on Debian
Verify that /var/log/daemon.log does not show the 'obsolete' errors
Verify that logs during sw-patch service start are logged.
Story: 2009969
Task: 45145
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I1e900f12884f8626e76e72e79de2453de32691cf
On Debian running python3, patch dev signature verification
fails because the expected string becomes malformed using
the 'update' method.
This fixes the issue, by not calling 'update' and instead
directly passing the signature string to the constructor.
Test-Plan:
Verify on Debian that a sample designer patch can be
imported (when the dev certificate is installed).
Verify that altering the DEV_CERT_CONTENTS causes the
dev certificate to be rejected and the patch to not import.
Co-Authored-By: Jessica Castelino <jessica.castelino@windriver.com>
Story: 2009969
Task: 44950
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I9c2d2ce3cbcf75f41d7886057959e2dbebcff084
The original cgcs-patch is rpm based which requires a
complete re-write to work on ostree/dpkg systems like Debian.
The code has been forked, since the older Centos env and
python2.7 are end-of-life.
Forking the code allows all new development to not
require re-testing on Centos.
The debian folder under cgcs-patch has been moved
under sw-patch
Renaming and refactoring will be done in later commits.
pylint is un-clamped in order to work on python3.9
Some minor pylint suppressions have been added.
Test Plan:
Verify that this builds on Debian
Verify that the ISO installs the new content on Debian without
breaking packages that import cgcs_patch.
Verify patching service runs on Debian
Co-Authored-By: Jessica Castelino <jessica.castelino@windriver.com>
Story: 2009101
Task: 43076
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I3f1bca749404053bae63d4bcc9fb2477cf909fcd
Ensure that the services needed for cgcs-patch are
enabled when the package is installed.
Story: 2009101
Task: 43076
Test Plan
PASS Build and Test ISO
PASS Check for /etc/systemd/system-preset/00-cgcs-patch.preset
Signed-off-by: Chuck Short <charles.short@windriver.com>
Change-Id: Ie74d9925b66f767d623ca0c8ec00081fe63a3a8f
This adds a version check to kubelet patch restarting script.
This will only restart kubelet if the running kubelet is v1.21.8.
This script requires modification depending on specific kubelet
versions that are actually being patched.
TESTING:
- PASS: Verified restart of kubelet and isolcpus_plugin services
with designer patch install and remove for only v1.21.8
Story: 2008760
Task: 44541
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: I335f2a2e088ead55d32749c07e217a96d53c09a3
This provides an example patch script for restarting kubelet and
isolcpus_plugin services.
TESTING:
- PASS: Verified restart of kubelet and isolcpus_plugin services
with designer patch install and remove.
Story: 2008760
Task: 44541
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: Idf624051b7238f39c4238ad72a7d7ffe14395b8b
Replace dl_hook with "src_path" and "src_files"
Test Plan:
Pass: successfully build patch-alarm
Pass: No difference comparing with the result of dl_hook
Story: 2009101
Task: 43897
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I7f7a59271d5f290b6f6a8778984bc5d3176536cd
Lintian complains that bash-completion scripts are installed in the
wrong place. Install them in the right place.
Story: 2009101
Task: 43076
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I0e6afbcbd9b2d59da025667156ccd0a53b6e3b4b
During upgrade-start we call upgrade-start-pkg-extract to extract the
kickstarts and pxeboot data from the N+1 load. This data is used to boot
controller-1 in duplex environments. As these packages can be patched we
need to select the latest version of the package.
Currently the dnf repoquery call returns every version of the rpm
queried. This results in the base version being used during the package
extraction. This commit updates the command to use --latest-limit=1.
The command is also updated to use --disablerepo=*. This will result in
the command being restricted to the specified N+1 repos. Without the
disablerepo option the N repo packages are included in the results.
This brings the call in line with the behavior of
utilities/utilities/platform-util/scripts/gen-bootloader-iso.sh
Testing:
AIO-DX upgrade with patched kickstart package
Closes-Bug: 1955410
Change-Id: Ia1cd778791b64133667327031305d0f1914aed2d
Signed-off-by: David Sullivan <david.sullivan@windriver.com>
The previous bindep fix was only for centos, so zuul
workers running ubuntu (dpkg) would still not work.
Updating the file to handle those nodes.
Updating a python file to ensure pylint target is executed
The sitepackages for the cgcs-patch pylint tox target
also needs to be set to True to correspond to the bindep
values.
Story: 2008943
Task: 44183
Signed-off-by: albailey <Al.Bailey@windriver.com>
Change-Id: I2a9e630aa26c2823ccdc6a361c46575b58a1c39c
Tox pylint target fails when it cannot 'import rpm'.
There is no pypi package that provides that, since the
centos rpm-python is meant to be installed on the host.
Adding the bindep entry for rpm-python, which the
zuul job will use to prepare the zuul worker host
to properly provide the necessary rpm.
Story: 2008943
Task: 44183
Signed-off-by: albailey <Al.Bailey@windriver.com>
Change-Id: If904bd184e5aaa458393f3154abb6f9c5f0fb967
This change is to enable the upgrade to next release, which will
support OSTree. In the next release, /www and /pxeboot will be
moved to /var/www and /var/pxeboot respectively. During upgrade
to next release, rpms from next release will need to be extracted
into current release structure (/var and /pxeboot).
TCs:
Passed: upgrade to build with /www and /pxeboot moved under /var.
Change-Id: Id0dec2dee89dcad04c24b12a7a6072d03078f65e
Story: 2009101
Task: 43539
Signed-off-by: Bin Qian <bin.qian@windriver.com>
- Add blacklist for lintian-overrides.
- Fix debian/changelog, it assumed it was still native source
format.
- Update debian version in meta_data.yaml
- Fix typo in debian/control
Story: 2009101
Task: 43076
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Idda262ade8c801c3bbafa020e37b596a8378f541
Removing redundant py36 Zuul jobs since we now have py39 Zuul jobs in
place with the debian nodeset
Story: 2006796
Task: 43495
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I63d9b3270dfedf79ca73ab19fabf1883706be879
Due to a recent change in fm-api's directory structure, unit tests would
fail since the virtualenv would not be able to find fm-api/setup.py.
Adjust the tox.ini to point to the correct directory. Tested locally
by running tox.ini.
Depends-On: https://review.opendev.org/c/starlingx/fault/+/806046
Story: 2009101
Task: 43091
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: If55a6d92dc861b23516637fcb90c52852c3fd92a
A lot of work has gone into making sure that StarlingX is python3
compatible. To ensure future compatibility, enable the python3
portability checks. Disable the checks that are raising errors.
Another set of commits will address the offending code.
Add following suppress warnings in cgcs-patch/pylint.rc:
- W1618: no-absolute-import
- W1619: old-division
- W1630: cmp-method
Add following suppress warnings in patch-alarm/pylint.rc:
- W1618: no-absolute-import
Story: 2006796
Task: 43198
Signed-off-by: Ricardo Alvim <Ricardo.AlvimNetto@windriver.com>
Change-Id: I0cbe384a72792cf123976f0de2020ae6f3fcd208
patch-alarm runs on python2.7, so the node should be ubuntu-xenial.
Story: 2009101
Task: 43263
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I91e370e8500008234254e5a158f49b4b55306e36
This commit fixes an issue seen during a k8s upgrade from 1.18.1
to 1.19.13. It was noticed that after upgrading kubelet to 1.19.13,
the sw-patch-controller process would continually restart.
It was found via packet tracing and logging that traffic from the
management interface to the localhost address at port 5489 was being
blocked. This indicated a likely issue in iptables.
Comparing the iptables rules in 1.18.1 to 1.19.13 shows the reason
why:
    Chain KUBE-FIREWALL (2 references)
    target prot opt source destination
    DROP all -- !loopback/8 loopback/8 \
    ! ctstate RELATED,ESTABLISHED,DNAT
That is, drop all packets _not_ from the loopback interface _to_
the loopback interface that do not have an existing connection
state.
It was found that this rule was added in the following commit:
https://github.com/kubernetes/kubernetes/pull/91569/files
Which was added to address the security concern identified here:
https://github.com/kubernetes/kubernetes/issues/90259
It appears that the PatchMessageHelloAgent periodically sends
messages to both the patch controller's agent address as well
as to the localhost address. Since the outgoing socket used
for all messages is explicitly bound to the management
address, the traffic to the localhost address will hit the
drop rule noted above.
The solution in this commit is to not explicitly bind the
outgoing socket to the management address, so as to have the
kernel choose the correct outgoing interface for both
messages.
Story: 2008972
Task: 43244
Testing:
AIO-SX (unicast traffic), AIO-DX, Standard (multicast traffic).
Ensure sw-patch-controller stays up after k8s upgrade.
Install a patch on all nodes.
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I93912b934986dc28196c9ba50f2803bf0fe01513
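The interaction described in the commit above, as an added example that is not part of the commit or of the StarlingX code: it evaluates the quoted KUBE-FIREWALL rule against the two hello destinations, once with the sending socket bound to the management address and once unbound. The addresses 192.168.204.2 and 192.168.204.3 and all function names are constructed for illustration; the unbound case models a host whose only non-loopback address is the management address.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
EXEMPT_STATES = {"RELATED", "ESTABLISHED", "DNAT"}  # states the rule lets through
PATCH_PORT = 5489              # port named in the commit message
MGMT_ADDR = "192.168.204.2"    # constructed management address (assumption)
AGENT_ADDR = "192.168.204.3"   # constructed agent address (assumption)


def kube_firewall_drops(src, dst, ctstate="NEW"):
    """True if the quoted rule drops the packet: source outside 127/8,
    destination inside 127/8, and conntrack state not exempt."""
    return (ipaddress.ip_address(src) not in LOOPBACK
            and ipaddress.ip_address(dst) in LOOPBACK
            and ctstate not in EXEMPT_STATES)


def modelled_source(dst, bound_to):
    """Source address a datagram to dst carries. A bound socket always uses
    its bound address; otherwise the route lookup picks one (modelled here)."""
    if bound_to:
        return bound_to
    return "127.0.0.1" if ipaddress.ip_address(dst) in LOOPBACK else MGMT_ADDR


def hello_verdicts(bound_to):
    """Map each hello destination to True if the rule would drop it."""
    return {dst: kube_firewall_drops(modelled_source(dst, bound_to), dst)
            for dst in (AGENT_ADDR, "127.0.0.1")}


def kernel_chosen_source(dst, port=PATCH_PORT):
    """Ask the running kernel which source it picks for an unbound UDP socket.
    connect() on UDP sends nothing; it only performs the route lookup."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


if __name__ == "__main__":
    print("bound to mgmt:", hello_verdicts(MGMT_ADDR))
    print("unbound      :", hello_verdicts(None))
    print("kernel source for 127.0.0.1:", kernel_chosen_source("127.0.0.1"))
```

On a node showing this symptom, comparing `kernel_chosen_source("127.0.0.1")` with the source address seen in a packet trace confirms whether an explicit bind is overriding the kernel's choice.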
Enable python3.9 in tox.ini and zuul gate. Tested locally
by running tox and running in the zuul gate.
Story: 2009101
Task: 43105
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I44eaeb134d6b7b54788469fa469b04674aeb90c0
The load-delete function calls sw-patch del-release function
that tries to delete a 'version' key from a dictionary that
does not exist.
This dictionary is populated looping the folders inside
/www/pages/feed. Each folder is a version imported.
After the upgrade the old version folder is deleted,
the version is not included in the dictionary.
The solution was to verify if this key exists before deleting.
The following tests
Tested load-delete action on a SX system after load-import
Tested load-delete action on a SX system after upgrade-complete
Closes-Bug: 1940302
Signed-off-by: João Pedro Alexandroni Cordova de Sousa <JoaoPedroAlexandroni.CordovadeSouza@windriver.com>
Change-Id: I83f8d144edd53523a98402fbee71dce1507fc79c