StarlingX stopped supporting CentOS builds after release 7.0.
This update will strip CentOS from our code base. It will also remove
references to the failed OpenSUSE feature.
Story: 2011110
Task: 49963
Change-Id: I2979f438571d872bcb43b5424549c824a8a86c30
Signed-off-by: Scott Little <scott.little@windriver.com>
This review will enforce new password rules on Keystone accounts.
The new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
Test Plan:
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock
of the controller-0.
PASS: Run build-pkgs -c -p keystone.
PASS: Run build-image.
Note: The password command that I used for the next test cases is:
openstack user password set
PASS: Change password 5 times and then try to use the first password of
the sequence again to verify if it is using password history.
PASS: Try to change the password to a password without an uppercase
letter and verify that it fails.
PASS: Try to change the password to a password without a number
and verify that it fails.
PASS: Try to change the password to a password without a special
character and verify that it fails.
PASS: Try a password with fewer than 12 characters and verify that it fails.
PASS: Access account and change password using serial console.
PASS: Try a password that doesn't fit the password requirements and
verify if the error message is shown.
Story: 2011084
Task: 49824
Change-Id: Iba10465e4ea25fb6e35aa0e7b81391269cda739e
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
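The rules listed in the commit message above, written out as a checker. This is an added example, not code from the StarlingX Keystone patch: the character classes, function names and the PBKDF2-salted history store are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import deque

MIN_LENGTH = 12          # "Minimum 12 characters"
HISTORY_DEPTH = 5        # "Cannot reuse past 5 passwords"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the history digests

# Each rule pairs the message shown to the user with its check.
# Assumption: "special character" means anything that is not an ASCII
# letter, an ASCII digit or whitespace.
RULES = (
    ("at least 12 characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least 1 uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least 1 number", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least 1 special character",
     lambda p: re.search(r"[^A-Za-z0-9\s]", p) is not None),
)


def complexity_violations(password):
    """Return the descriptions of every complexity rule the password breaks."""
    return [name for name, ok in RULES if not ok(password)]


class PasswordHistory:
    """Keeps salted digests of the most recent passwords, never the plaintext."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)  # oldest entry drops off automatically

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ROUNDS)

    def contains(self, password):
        # Compare against every entry so the check does not stop early.
        hits = [hmac.compare_digest(self._digest(password, salt), digest)
                for salt, digest in self._entries]
        return any(hits)

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def change_password(history, new_password):
    """Return the violated rules; an empty list means accepted and recorded."""
    violations = complexity_violations(new_password)
    if not violations and history.contains(new_password):
        violations.append("cannot reuse the past 5 passwords")
    if not violations:
        history.remember(new_password)
    return violations


if __name__ == "__main__":
    history = PasswordHistory()
    # Constructed sample passwords, mirroring the test plan above.
    for candidate in ["Constructed-Pass1!", "nouppercase-123", "Constructed-Pass1!"]:
        print(candidate, "->", change_password(history, candidate) or "accepted")
```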
Adding software-client and tsconfig to PIP_PACKAGES to have their
dependencies fulfilled on stx-platformclients image
Test Plan:
PASS: Build python3 wheels tarball on Debian and build
stx-platformclients image on Debian.
Depends-On: https://review.opendev.org/c/starlingx/update/+/901240
Story: 2010676
Task: 49164
Change-Id: I84c951405c4caa3f4a7846979b59ff23cca54d23
Signed-off-by: Guilherme Costa <guilherme.costa@windriver.com>
Upgrade python-horizon to 18.6.2-5+deb11u2 to fix the CVE issue:
CVE-2022-45582
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2022-45582
TestPlan:
PASS: downloader;build-pkgs -c;build-image
PASS: boot
PASS: Sanity test on AIO-SX node
Closes-bug: 2038880
Change-Id: I7ce385cde29ade8681ec6449d0f3379057edaac0
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
This commit changes the group ownership for "/opt/platform/.keyring"
directory, and its subdirectories and files, from "root" to
'sys_protected', when keystone password changes for the admin user.
The 'sys_protected' group ownership is needed to support access
privileges for OpenLDAP/WAD users and is implemented by the ansible
bootstrap configuration.
The group ownership update in this commit is required because after
a keystone and corresponding keyring password change for the admin
user, the group ownership of the "/opt/platform/.keyring" directory
has been reset to "root".
As a consequence, an LDAP user loses permission to access files in
that directory.
The group ownership reset is done in the keystone package.
That is why the fix for this bug is delivered as a patch for the
keystone package.
Test Plan:
PASS: Verify the keystone patch installs correctly.
PASS: Verify the group ownership was applied correctly
for files in "/opt/platform/.keyring" so they are part of the
"sys_protected" group before changing keystone password for the admin
user.
PASS: Verify the group ownership for files in "/opt/platform/.keyring"
remains "sys_protected" after changing keystone password for the admin
user.
PASS: Verify that an openldap user that is part of the "sys_protected"
group can execute command: "source /etc/platform/openrc" after the
keystone password has been changed for the admin user.
Closes-Bug: 2039870
Change-Id: I0360d1f13725cca9900b967c32451fc6f7afe761
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
This condition will disable the address pools row dropdown
menu for address pools created before bootstrap which are
read-only and leave them enabled for address pools created
post bootstrap which are not read-only.
Test Plan:
PASS: Build python-django-horizon package with these changes
and install it in a system. Verify the changes are applied
correctly.
PASS: Build iso with these changes and perform a fresh
install. Verify the changes are applied correctly.
Partial-bug: 2030350
Change-Id: Ieb0397dda8b4c8bc249faf1fd99b8218432fdc51
Signed-off-by: Rafael Moyano <rafael.moyano@windriver.com>
Fix CVE-2021-38155
Refer to:
https://security-tracker.debian.org/tracker/CVE-2021-38155
TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation.
PASS: Check the package version with 'dpkg -l'
Closes-Bug: 2021546
Change-Id: Ifb54a95842c4080a8ab0f1c03df70dd4bd1f194b
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
As the `stable/ussuri` branch is potentially being removed from all
OpenStack repositories -- as seen in `openstack/heat` [1] -- we should
consider using a different `PROJECT_REF` for all LOCI-based container
images in stx-openstack to avoid possible build breaks in the future.
This change proposes the use of the following commit SHAs:
Repository stable/ussuri's HEAD (as of May 9th)
* openstack/aodh 4366d6eae1aad4e15aeca4bc7e8b5e757c7601e8
* openstack/ironic 859e51c8b4b8344827b5bba1f9a0b737ffbc1ebc
* openstack/barbican cc076f24e55c24a6fc8e57ca606130090fb6369b
* openstack/ceilometer bcada72c3aaeeb2a86de3368b1787a9253c9d55b
* openstack/cinder 79b012fbc8b6bc9dcce2c8c52a6fa63976a0309f
* openstack/glance 6f03ccd47772e02f810de8fa3158afddc4a9c158
* openstack/horizon e6f3952b878d6b04fde9742987e0f37a1cfad3e5
* openstack/keystone 1ab860a08e527ca9e0c82a49fbf004d415fec991
* openstack/neutron fe2445d99c430bb080ac45a19e4958b1ae7c9857
* openstack/nova 3fe8880d3759cbd7b19d75dcf235dfd5c511be13
* openstack/placement 5a865abc2545544870ad972f70cd54ebd14c19a8
Note: Gnocchi is in [2] and currently points to a specific semver.
[1] https://opendev.org/openstack/heat
[2] https://github.com/gnocchixyz/gnocchi
Test Plan:
PASS - Build stx-debian base image
PASS - Build wheels tarball
PASS - Build all the stx-openstack images affected by this change
Partial-Bug: 2019015
Change-Id: Ibf589444237664dd9e4ab8314ca1c8ad44f80ec7
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
It has been observed that the stx-openstack helm charts build started to
fail since the `stable/ussuri` branch was removed from the upstream
project `openstack/heat`.
In order to be able to build the helm charts again, we must change the
`PROJECT_REF` value to use a commit hash in place of the branch name.
This change proposes the use of the following commit SHA:
Repository Former stable/ussuri branch and ussuri-eol tag's
HEAD (as of May 9th)
* openstack/heat 5466ede853bde7d636943cba017ed8265dcfd260
Test Plan:
PASS - Build stx-debian base image
PASS - Build wheels tarball
PASS - Build stx-heat image
Partial-Bug: 2019015
Change-Id: I785d704c68ca6d987f30a57c5068677eef1e77f2
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
This review intends to solve an ID conflict between the
cinder user and the keystone user (added on [1]). The
keystone user is assigned the ID 42424, the same as
the cinder user. This conflict is causing volume-related
commands to fail due to the permissions of the user (because it
is trying to execute the commands as the keystone user, not
cinder).
[1] https://review.opendev.org/c/starlingx/integ/+/854246
Test plan:
PASS - Check the /etc/passwd file to see that the user
'cinder' in the cinder container changed its id
from 42424 to 42425.
Partial-Bug: 2012392
Signed-off-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
Change-Id: I29bba77beb0e63dfd03fcc681aba8a13b4c3445f
These patches add the `location` parameter in python-cinderclient's
`backup-create` command and in python-openstackclient's `volume backup
create` command to allow the optional specification of volume backup
locations.
The unit tests for both clients were updated accordingly.
Test Plan:
PASS - Build python-cinderclient package
PASS - Build python-openstackclient package
PASS - Verify that the `--location` parameter is available for use in
both clients when creating volume backups
Story: 2010317
Task: 47616
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: If821fe402f1d34d89e978028d46916651dc700e6
On CentOS, with `python-openstackclient` on version 4.0.0
(stable/train), the plugin entry point discovery was done by using
a built-in library called `pkg_resources` ([1], [2], [3]).
On Debian, with `python-openstackclient` on version 5.4.0-4
(stable/victoria), the discovery process is now performed by using the
`stevedore` library ([4], [5], [6]).
The problem with this replacement is that, with `stevedore`, there's no
guarantee that the plugin entry point discovery list will be the same as
it was with `pkg_resources`. That is, the fetching order of entry points
may vary from CentOS to Debian.
For plugins that just extend the existing OpenStackClient (OSC) CLI by
adding commands to it, this is fine, as the loading order doesn't
matter.
However, for custom plugins that not only add commands but also override
existing entry points configured by default plugins, this may become
a problem, because the former needs to be loaded after the latter,
otherwise, the overrides will have no effect.
Therefore, this change aims to provide a plugin entry point sorting
mechanism to keep the discovery process more consistent.
By reading plugin-specific options such as `load_first` or `load_last`
from a configuration file - that can be specified through command-line
argument (--os-osc-config-file, defaults to
/etc/openstackclient/openstackclient.conf) - the plugin entry point
sorting mechanism can decide where to insert the newly discovered
plugin: at the beginning, at the end, or where it would be inserted by
default in the list.
[1] https://opendev.org/starlingx/upstream/src/branch/master/openstack/python-openstackclient/centos/python-openstackclient.spec#L19
[2] https://opendev.org/openstack/python-openstackclient/src/branch/stable/train/openstackclient/common/clientmanager.py#L146
[3] https://opendev.org/openstack/cliff/src/branch/stable/train/cliff/commandmanager.py#L61
[4] https://opendev.org/starlingx/upstream/src/branch/master/openstack/python-openstackclient/debian/meta_data.yaml#L5
[5] https://opendev.org/openstack/python-openstackclient/src/branch/stable/victoria/openstackclient/common/clientmanager.py#L147
[6] https://opendev.org/openstack/cliff/src/branch/stable/victoria/cliff/commandmanager.py#L75
Test Plan:
PASS - Build python-openstackclient package
PASS - Build/install ISO with built package
PASS - Verify that the platform OSC has an additional argument for
reading configuration files:
`openstack -h | grep -- --os-osc-config-file`
PASS - Verify that, when reading a configuration file with the
`load_first` or `load_last` options (in the [plugins] section),
the order in which the specified plugins are loaded is different
Story: 2010317
Task: 47545
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: If2237bc8cef197d2a163bd7b8063dfdbb2ab1c3d
This change enables building the stx-nova and stx-ceilometer images
within the Debian build framework. It is now based on stx-debian and
following the new convention for StarlingX images.
Test Plan:
PASS: Build both images
PASS: Manually upload the built images to a system, use helm-override to
change their respective containers images and reapply
stx-openstack
PASS: Ensure affected pods successfully start and are running
PASS: Ensure affected pods liveness and readiness probes are healthy
Story: 2010072
Task: 47090
Depends-On: https://review.opendev.org/c/starlingx/root/+/871314
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: Ibe92ad8eb003df225dd77be60bd9c5387f1109a3
This change enables building the following stx-openstack images with
WSGI within the Debian build framework:
- stx-aodh
- stx-ironic
- stx-horizon
- stx-keystone
- stx-placement
- stx-gnocchi
They are now based on stx-debian and following the new convention for
StarlingX images.
Test Plan:
PASS - Build images
PASS - Manually upload the built images to a system, use helm-override
to change their respective containers images and reapply
stx-openstack
PASS - Ensure affected pods successfully start and are running
PASS - Ensure affected pods liveness and readiness probes are healthy
Story: 2010072
Task: 47089
Depends-On: https://review.opendev.org/c/starlingx/root/+/871314
Depends-On: https://review.opendev.org/c/starlingx/root/+/871638
Depends-On: https://review.opendev.org/c/starlingx/root/+/871705
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: I18bcb51f2826fd0382370f5236db4b5954ac1b53
This change adds the curl package to stx-heat, originally ported to
Debian in [1].
It has been observed that some bootstrap pods were failing to start due
to the missing command.
[1] https://review.opendev.org/c/starlingx/upstream/+/868726
Story: 2010072
Task: 47088
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: Ie37415888ebb285da191d9b38dae5e9272ce5d0f
Build stx-openstack related images using stx-debian base image
This change ports OpenStack-related images from CentOS to Debian
in stx/upstream.
The following images were ported:
- stx-cinder
- stx-glance
- stx-neutron
- stx-openstackclients
- stx-heat
- stx-barbican
Test Plan:
PASS - Build images in a debian build environment
PASS - Manually upload the built images to stx-openstack,
use helm-override to change the required containers
image and reapply stx-openstack.
PASS - Check the health of the pods related to those images
Story: 2010072
Task: 47088
Signed-off-by: Romulo Leite <romulo.leite@windriver.com>
Change-Id: Ief0f0c53eb973dad2dd5b7461d756ad79278858e
Move script to extract branding archive before
horizon service starts.
Closes-bug: 2002838
Test Plan:
PASS: Confirm branding file applied in pre-install in SX
PASS: Confirm branding file applied in post-install in SX
PASS: Confirm branding file applied in pre-install in DX
PASS: Confirm branding file applied in post-install in DX
Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Change-Id: Ia36afd96493f1e15509607c706ca12d46466f741
Netaddr is using version 0.7.19 on remote cli. Because of this
version, commands being executed towards platform apis are causing a
syntax warning.
This fix changes the minimum requirement of netaddr to 0.7.20 to
address a fix for this warning.
Test Plan:
PASS: Build debian iso and perform fresh install.
PASS: Build python3 wheels tarball on Debian and build
stx-platformclients image on Debian.
Closes-Bug: 1999563
Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: I0c111875f622be9696bf143b321f1a8dfd594c7f
When an Action table is created with a 'danger' action_type and a
single handler method for a single object, the 'selection' and
'help' parameters are empty. This causes the pop-up message to be
incomplete. For example:
"You have selected: . Please confirm your selection. "
This patch fixes this behaviour by displaying the message with
the selected objects only when one or more objects are selected.
Otherwise, it only asks for confirmation.
Closes-Bug: 2000799
Test Plan:
PASS: Build python3-django-horizon package including these changes.
PASS: Test the behaviour for single delete actions. For example:
Create a patch strategy and press the "Delete" action. Verify
the following message is displayed in the pop-up message:
"Please confirm your selection. This action cannot be undone."
PASS: Test the behaviour for multiple delete actions. For example:
Upload more than one patch, select them and click on the 'Delete'
action. Verify the following message is displayed:
You have selected: "22.12_NRR_INSVC", "22.12_RESTART_FAILURE_INSVC".
Please confirm your selection. This action cannot be undone.
Signed-off-by: Enzo Candotti <enzo.candotti@windriver.com>
Change-Id: I85bc5c8155466e14a1a5fa84d54ed22032437f88
A new version of flake8 (6.0.0) was released Nov 23, 2022.
It is leading to an argparse error:
ValueError: 'string' is not callable
The fix is to use 'hacking' which is an openstack module
that pulls in the appropriate version of flake8.
Closes-Bug: #1997971
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Icaa5cd1cb7c362bd8caf666d82d7d7f655523fb0
This creates stx-platformclients debian image for Debian with Python3
with updates on libraries to Debian. I added wheels that weren't being
automatically created on debian_stable_wheels.inc and changed the names
of packages to build on Python3.
Test Plan:
PASS: Build debian iso and perform fresh install.
PASS: Build python3 wheels tarball on Debian and build
stx-platformclients image on Debian.
Story: 2009831
Task: 46792
Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: Idf742cf75d9a07d2d90a4bc7b4cdec10e7058a8a
This creates the debian docker image file of stx-platformclients.
Since we are not currently building Openstack on debian yet, this
won't have any effect on our current build/testing.
Test Plan:
PASS: Build platformclients and placement images using a debian base
image
Story: 2009831
Task: 44512
Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: I5bf8292e5c3f6e37b633560522fb3a1f6e8e6fee
Lock down python-gnocchiclient to the last sha known to build.
The most recent tag under that sha was 7.0.7. Update the
spec file to reflect that version.
Partial-bug: 1983389
Signed-off-by: Scott Little <scott.little@windriver.com>
Change-Id: Ifd57565637376ec8083d917de30fd33ded15d1cc
On CentOS the /opt/branding directory is created by horizon.
On Debian, it will now be created the same way.
The directory needs to exist on both environments to provide
parity. Other applications like backup and restore expect
this directory to exist.
Test Plan:
Build/Install/Bootstrap AIO-SX on Debian
Verify /opt/branding directory exists
Story: 2010165
Task: 45877
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I141d62e90161dcaea72d5245814827518326b05b
Improving the code quality of upstream by adding the flake8 check on
zuul and adding the flake8-import-order plugin to standardize imports.
Also, defaults testenv to the python3.9 configuration that should be used
from now on with the debian migration.
Story: 2010100
Task: 45669
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I55aa952c4f22a7af53e1f1c11a4a51997afa4bcf
Following the openstack transition to Debian, this aims to start the
creation of the debian docker image files, adapting the customization
to properly enable WSGI on Debian.
Since we are not currently building Openstack on debian yet, this
won't have any effect on our current build/testing.
Also, since these images use apache, there's a change which is yet to
be done on the stx-openstack-helm manifest to use the "www-data"
socket-user instead of "apache", since the latter one is for centos
only.
Test Plan:
PASS: Build horizon and placement images using a debian base image
PASS: Override both images on a working Openstack application
PASS: Access the horizon interface
PASS: Remove and apply Openstack
Story: 2010072
Task: 45558
Signed-off-by: Pedro Almeida <pedro.monteiroazevedodemouraalmeida@windriver.com>
Change-Id: I776e03b863056fbb068e2eca0637e9c8b64b4b0c
This work affects only Debian. This is part of a fix for a bootstrap
issue.
Contents of bash-completion generated at build time vs runtime differ.
Allow puppet code to generate bash-completion at runtime as on CentOS.
Ostree doesn't allow changes to /usr; instead, ensure
/etc/bash_completion.d is created, as the completion will be generated
there.
Tests on AIO-SX:
PASS: build-pkgs, build-image, install
PASS: bootstrap without ostree unlock goes past the issue
Story: 2009964
Task: 45530
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: Ib941deb5bb1817b6c32a90bbd7ef0a1f3c7dd276
Currently Barbican stores base64 encoded secret data (plugin_meta
and cypher_text) as hex bytes in database. But when this data
is retrieved from database for base64 decoding, it is not
converted back to ascii format, causing the decoding to fail with
the error:
binascii.Error: Invalid base64-encoded string: number of data
characters (273) cannot be 1 more than a multiple of 4.
This commit added a patch to Barbican to store these data in ascii
format in the database so they can be decoded when retrieved.
Test Plan for Debian:
PASS: trigger mtcAgent to store a password secret in Barbican by
system host-update controller-0 bm_type=dynamic bm_ip=<bm IP>
bm_username=root bm_password=root.
PASS: retrieve the secret with "--payload" option by
openstack secret get <secret URL> --payload.
PASS: AIO-SX deployment and unlock.
Closes-Bug: 1975611
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I1c2fa112caa8700b1c21130aec041fd7d2a52a19
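A reproduction of the decoding failure described in the commit message above. This is an added example, not code from the Barbican patch: it assumes the stored value comes back as a `\x`-prefixed hex rendering of the base64 text, which is one way to reach exactly 273 data characters, and all names are illustrative.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

# Constructed sample: 102 secret bytes encode to 136 base64 characters.
SAMPLE_SECRET = bytes(range(102))
SAMPLE_B64 = base64.b64encode(SAMPLE_SECRET)


def hex_rendering(b64_text):
    """Assumed stored form: a backslash-x prefix, then two hex digits per byte."""
    return "\\x" + b64_text.hex()


def data_characters(stored):
    """Count the characters the lenient base64 decoder treats as data.

    The backslash is skipped, but 'x' and every hex digit are valid base64
    symbols, so the decoder sees 1 + 2 * len(original) characters.
    """
    return sum(1 for ch in stored if ch in B64_ALPHABET)


def naive_decode_fails(stored):
    """Decode the value as retrieved, without converting it back to ASCII."""
    try:
        base64.b64decode(stored)
    except binascii.Error:
        return True
    return False


def robust_decode(stored):
    """Undo the hex rendering first, then decode strictly.

    The commit fixes the write side by storing ASCII; this helper shows the
    read-side conversion the message says was missing.
    """
    if stored.startswith("\\x"):
        stored = bytes.fromhex(stored[2:]).decode("ascii")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode(stored, validate=True)


if __name__ == "__main__":
    stored = hex_rendering(SAMPLE_B64)
    print("data characters seen by decoder:", data_characters(stored))
    print("naive decode fails:", naive_decode_fails(stored))
    print("robust decode matches:", robust_decode(stored) == SAMPLE_SECRET)
```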
This commit resolves an error starting the horizon SM service on
Debian based StarlingX AIO-SX distro: after applying the current
known workarounds before bootstrap and after bootstrap, the unlock
is now passing but after the unlock the horizon SM service is
failing to go enabled-active.
The changes cover:
* Openstack-Dashboard / Horizon:
- Files have been copied and/or relocated.
- Symbolic links have been created.
Test Plan:
* Debian distro:
- Fresh Install with AIO-SX.
- Install including ansible bootstrap and controller-0 unlock
- Horizon launches and the main GUI pages are working
Story: 2009965
Task: 45312
Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
Change-Id: Iefc4b53dcca70debe223493c64abd2f4a8b099bd
The keystone wasn't responding to ipv6.
This patch changed the bind address to
support ipv6.
TEST PLAN for Debian
PASS: AIO-SX ipv4 bootstrap
PASS: AIO-SX ipv4 unlock
PASS: AIO-SX ipv6 bootstrap
PASS: AIO-SX ipv6 unlock
Story: 2009964
Task: 45047
Signed-off-by: João Pedro Alexandroni Cordova de Sousa <JoaoPedroAlexandroni.CordovadeSouza@windriver.com>
Change-Id: Ie68c54c07da27625ebe587f5257c64a8192a1276
This update patched keystone to support storing users in keyring
under "CGCS" service.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, unlock
PASS: Change keystone "admin" password, observe it changes in keyring
too.
PASS: Add a new keystone user "test" with password, add the user to
keyring by "keyring set CGCS test". Change test's password,
observe it changes in keyring too.
PASS: Delete the keystone user "test", observe user "test" is deleted
from keyring.
Story: 2009965
Task: 44970
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I75ea23f87487b764370a0990ad8aba896d3a0767
This work is part of Debian integration effort.
This will fix a bootstrap issue.
Barbican will not start unless the log directory is created and has
correct permissions.
Tests:
PASS: build-pkgs
PASS: build-image
PASS: install iso
PASS: bootstrap
Story: 2009101
Task: 44903
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: I37e84dbc564632dba574a3ba3fa417a1e219bef2
This change added support of two login fail lockout security
compliance options for keystone on Debian.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
set correctly in /etc/keystone/keystone.conf:
lockout_duration=1800
lockout_failure_attempts=5
Test Plan for CentOS:
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
set correctly in /etc/keystone/keystone.conf:
lockout_duration=1800
lockout_failure_attempts=5
Story: 2009101
Task: 44785
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I09a65d070f1ed8e8aa65371f99f4aa722f671a1d
Start barbican with gunicorn during bootstrap to align with
its startup by SM after unlock. This change also enables
barbican to be managed by SM after controller unlock.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, barbican-api is running with gunicorn
PASS: controller unlock, barbican-api service state in SM is
enabled-active enabled-active
Story: 2009101
Task: 44713
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Ib2583b0585679753dc871f9ee0202253832283d9