Merge "Merge remote-tracking branch 'gerrit/master' into f/centos76" into f/centos76
commit
1e1cb40b7c
|
@ -7,6 +7,8 @@
|
|||
|
||||
# TPM setup (both active controller and remote)
|
||||
|
||||
export TPM_INTERFACE_TYPE=dev
|
||||
|
||||
CERTIFICATE_FILE="server-cert.pem"
|
||||
LOGFILE="/etc/ssl/private/.install.log"
|
||||
ORIGINAL_KEY=$1
|
||||
|
@ -53,8 +55,7 @@ declare -a helper_scripts=("tss2_createprimary"
|
|||
"tss2_contextsave"
|
||||
"tss2_evictcontrol"
|
||||
"tss2_flushcontext"
|
||||
"create_tpm2_key"
|
||||
"resourcemgr")
|
||||
"create_tpm2_key")
|
||||
for src in "${helper_scripts[@]}"; do
|
||||
if ! type "$src" &>/dev/null; then
|
||||
error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
|
||||
|
@ -62,41 +63,6 @@ for src in "${helper_scripts[@]}"; do
|
|||
done
|
||||
}
|
||||
|
||||
startResourceMgr () {
|
||||
resourcemgr &>> $LOGFILE 2>&1 &
|
||||
|
||||
# ensure the resourcemgr is started
|
||||
for i in {1..5}
|
||||
do
|
||||
sleep 0.5
|
||||
MGR_RUNNING=`pidof resourcemgr`
|
||||
if [ ! -z $MGR_RUNNING ]; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
[ ! -z $MGR_RUNNING ] || error_exit "Unable to start TPM resourcemgr"
|
||||
|
||||
# check to see if the resourcemgr port is open
|
||||
IS_OPEN=0
|
||||
for i in {1..5}
|
||||
do
|
||||
sleep 0.5
|
||||
_test=`netstat -an | grep $RESOURCEMGR_DEFAULT_PORT | grep -i listen`
|
||||
if [ ! -z "$_test" ]; then
|
||||
IS_OPEN=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
[ $IS_OPEN -ne 0 ] || error_exit "Unable to initialize resourcemgr"
|
||||
}
|
||||
|
||||
stopResourceMgr () {
|
||||
# Kill any previous instances of resourcemgr
|
||||
pkill -c -TERM resourcemgr &> /dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
|
||||
### Main ###
|
||||
# remove previous object context
|
||||
rm -f $TPM_OBJECT_CONTEXT &> /dev/null
|
||||
|
@ -115,14 +81,10 @@ if [ "$TPM_VERSION" != "2.0" ]; then
|
|||
error_exit "ERROR: TPM Device is not version 2.0 compatible"
|
||||
fi
|
||||
|
||||
# Start the Intel ResourceMgr to clear the NV
|
||||
# Clear the NV
|
||||
# as well as all stale transient handles in
|
||||
# the endorsement hierarchy.
|
||||
# Since ResourceMgr has a number of stability,
|
||||
# and security issues, we will stop it after it
|
||||
# initializes the NV and Handle space
|
||||
startResourceMgr
|
||||
stopResourceMgr
|
||||
tss2_clear -hi l
|
||||
|
||||
# Create the Endorsement Primary Key hierarchy which will be used
|
||||
# for wrapping the private key. Use RSA as the primary key encryption
|
||||
|
@ -136,14 +98,14 @@ PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
|
|||
# be persistently stored in TPM NV.
|
||||
# evict the persistent handle if it exists previously
|
||||
tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
|
||||
tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE &>> $LOGFILE
|
||||
tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
|
||||
[ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
|
||||
|
||||
tss2_flushcontext -ha $PRIMARY_HANDLE
|
||||
|
||||
# wrap the original private key in TPM's Endorsement key hierarchy
|
||||
# this will generate a TSS key blob in ASN 1 encoding
|
||||
create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT &>> $LOGFILE
|
||||
create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
|
||||
[ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
|
||||
|
||||
# the apps will also need to the public key, place it in
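Review bot: `tss2_clear -hi l` in the "Clear the NV" hunk runs with no exit-status check and no log redirect, while the later persist and wrap steps are each followed by `[ $? -eq 0 ] || error_exit ...`. If the clear fails, the script carries on creating and persisting the key hierarchy on a TPM that may still hold stale state, and nothing about the failure reaches `$LOGFILE`. I would write it as `tss2_clear -hi l >> $LOGFILE 2>&1 || error_exit "Unable to clear TPM"`. The visible part of `helper_scripts` does not list `tss2_clear` either; the array starts outside the hunk, so confirm the up-front tool check covers it. Separately, the `>> $LOGFILE` form on the `tss2_evictcontrol` and `create_tpm2_key` lines appears to be the new side and no longer captures stderr, which is where the failure detail would normally be.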
|
||||
|
|
|
@ -312,6 +312,14 @@ static int tpm_engine_init(ENGINE * e)
|
|||
* N.B: This assumes that the kernel-modules-tpm
|
||||
* pkg is installed with the modified tpm_crb KLM
|
||||
*/
|
||||
if ((result = p_tpm2_Set_Property(hContext,
|
||||
TPM_INTERFACE_TYPE, "dev"))) {
|
||||
DBG("Failed to set Resource Manager in context (%p): rc %d",
|
||||
hContext, (int)result);
|
||||
TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_UNIT_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((result = p_tpm2_Set_Property(hContext,
|
||||
TPM_DEVICE, "/dev/tpmrm0"))) {
|
||||
DBG("Failed to set Resource Manager in context (%p): rc %d",
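Review bot: The `p_tpm2_Set_Property(hContext, TPM_INTERFACE_TYPE, "dev")` branch, which by the hunk counts appears to be the added block, logs "Failed to set Resource Manager in context", the same text as the `TPM_DEVICE` branch that follows it. A failure to set the interface type therefore cannot be told apart from a device-path failure in the debug output. Naming the property in the message fixes that, e.g. `DBG("Failed to set TPM_INTERFACE_TYPE in context (%p): rc %d",`. The "Resource Manager" wording also looks stale, given that the setup script on this page stops launching `resourcemgr`. `tpm_engine_init` starts and ends outside the hunk, so the `err:` cleanup path is not visible here.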
|
||||
|
|
|
@ -46,6 +46,7 @@ install -m 755 collect_patching.sh %{buildroot}%{_sysconfdir}/collect.d/collect_
|
|||
install -m 755 collect_coredump.sh %{buildroot}%{_sysconfdir}/collect.d/collect_coredump
|
||||
install -m 755 collect_crash.sh %{buildroot}%{_sysconfdir}/collect.d/collect_crash
|
||||
install -m 755 collect_ima.sh %{buildroot}%{_sysconfdir}/collect.d/collect_ima
|
||||
install -m 755 collect_fm.sh %{buildroot}%{_sysconfdir}/collect.d/collect_fm
|
||||
|
||||
install -m 755 etc.exclude %{buildroot}%{_sysconfdir}/collect/etc.exclude
|
||||
install -m 755 run.exclude %{buildroot}%{_sysconfdir}/collect/run.exclude
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
#! /bin/bash
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
|
||||
# Loads Up Utilities and Commands Variables
|
||||
|
||||
source /usr/local/sbin/collect_parms
|
||||
source /usr/local/sbin/collect_utils
|
||||
|
||||
SERVICE="alarms"
|
||||
LOGFILE="${extradir}/${SERVICE}.info"
|
||||
|
||||
function is_service_active {
|
||||
active=`sm-query service management-ip | grep "enabled-active"`
|
||||
if [ -z "$active" ] ; then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Only Controller
|
||||
###############################################################################
|
||||
if [ "$nodetype" = "controller" ] ; then
|
||||
|
||||
is_service_active
|
||||
if [ "$?" = "0" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "${hostname}: System Alarm List .: ${LOGFILE}"
|
||||
|
||||
# These go into the SERVICE.info file
|
||||
delimiter ${LOGFILE} "fm alarm-list"
|
||||
fm alarm-list 2>>${COLLECT_ERROR_LOG} >> ${LOGFILE}
|
||||
fi
|
||||
|
||||
exit 0
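Review bot: `is_service_active` returns 0 when `sm-query service management-ip` does not report "enabled-active" and 1 when it does, the inverse of the shell convention its name suggests; the caller compensates by exiting on `"$?" = "0"`. Anyone who later writes `if is_service_active; then` gets the opposite branch. I would make the function body `sm-query service management-ip | grep -q "enabled-active"` and the call site `is_service_active || exit 0`. `${LOGFILE}` and `${COLLECT_ERROR_LOG}` are also expanded unquoted in the `fm alarm-list` redirect, so a path containing whitespace would split.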
|
|
@ -1176,7 +1176,7 @@ def getPlatformCores(node, cpe):
|
|||
logging.basicConfig(filename="/tmp/livestream.log", filemode="a", format="%(asctime)s %(levelname)s %(message)s", level=logging.INFO)
|
||||
core_list = list()
|
||||
try:
|
||||
with open("/etc/nova/compute_reserved.conf", "r") as f:
|
||||
with open("/etc/platform/worker_reserved.conf", "r") as f:
|
||||
for line in f:
|
||||
if line.startswith("PLATFORM_CPU_LIST"):
|
||||
core_list = line.split("=")[1].replace("\"", "").strip("\n").split(",")
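Review bot: `logging.basicConfig(filename="/tmp/livestream.log", filemode="a", ...)` at the top of this hunk appends to a fixed name in a world-writable directory, and it appears to sit inside `getPlatformCores` rather than being configured once at start-up. If this code runs with elevated privileges (not visible here), a file or symlink pre-created at that path by another local user decides where the log lines are written. A log path under a directory that only the service account can write to, e.g. `filename="/var/log/<service>/livestream.log"` (placeholder path), set up once by the caller, avoids that. The handler for the `try:` is outside the hunk, so what happens when `/etc/platform/worker_reserved.conf` is missing cannot be checked from here.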
|
||||
|
|
|
@ -9,4 +9,4 @@
|
|||
#
|
||||
# Note: Sourced from scripts, so needs to be bash-able
|
||||
#
|
||||
PLATFORM_RELEASE="18.10"
|
||||
PLATFORM_RELEASE="19.01"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Copyright (c) 2017 Wind River Systems, Inc.
|
||||
# Copyright (c) 2017-2018 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
@ -9,9 +9,12 @@
|
|||
# $1 - listening port of remote log server
|
||||
PORT=$1
|
||||
|
||||
DEFAULT_PRIORITY=1
|
||||
|
||||
function is_loopback {
|
||||
# (from include/uapi/linux/if.h)
|
||||
IFF_LOOPBACK=$((1<<3))
|
||||
# IFF_LOOPBACK = 1<<3 = 8. Using a left shifted syntax can confuse bashate.
|
||||
IFF_LOOPBACK=8
|
||||
|
||||
# get the interface flags
|
||||
FLAGS=`cat /sys/class/net/$DEV/flags`
|
||||
|
@ -26,7 +29,8 @@ function is_loopback {
|
|||
|
||||
function log {
|
||||
# It seems that syslog isn't yet running, so append directly to the syslog file
|
||||
echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> /var/log/platform.log
|
||||
local FILE=/var/log/platform.log
|
||||
echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> $FILE
|
||||
}
|
||||
|
||||
function test_valid_speed {
|
||||
|
@ -44,14 +48,10 @@ function test_valid_speed {
|
|||
function get_dev_speed {
|
||||
# If the link doesn't come up we won't go enabled, so here we can
|
||||
# afford to wait forever for the link.
|
||||
while true
|
||||
do
|
||||
if [ -e /sys/class/net/$1/bonding ]
|
||||
then
|
||||
for VAL in `cat /sys/class/net/$1/lower_*/speed`
|
||||
do
|
||||
if test_valid_speed $VAL
|
||||
then
|
||||
while true; do
|
||||
if [ -e /sys/class/net/$1/bonding ]; then
|
||||
for VAL in `cat /sys/class/net/$1/lower_*/speed`; do
|
||||
if test_valid_speed $VAL; then
|
||||
log slave for bond link $1 reported speed $VAL
|
||||
echo $VAL
|
||||
return 0
|
||||
|
@ -59,24 +59,24 @@ function get_dev_speed {
|
|||
log slave for bond link $1 reported invalid speed $VAL
|
||||
fi
|
||||
done
|
||||
log all slaves for bond link $1 reported invalid speeds, will sleep 30 sec and try again
|
||||
log all slaves for bond link $1 reported invalid speeds, \
|
||||
will sleep 30 sec and try again
|
||||
else
|
||||
VAL=`cat /sys/class/net/$1/speed`
|
||||
if test_valid_speed $VAL
|
||||
then
|
||||
if test_valid_speed $VAL; then
|
||||
log link $1 reported speed $VAL
|
||||
echo $VAL
|
||||
return 0
|
||||
else
|
||||
log link $1 returned invalid speed $VAL, will sleep 30 sec and try again
|
||||
log link $1 returned invalid speed $VAL, \
|
||||
will sleep 30 sec and try again
|
||||
fi
|
||||
fi
|
||||
sleep 30
|
||||
done
|
||||
}
|
||||
|
||||
if [ -f /etc/platform/platform.conf ]
|
||||
then
|
||||
if [ -f /etc/platform/platform.conf ]; then
|
||||
source /etc/platform/platform.conf
|
||||
else
|
||||
exit 0
|
||||
|
@ -94,8 +94,7 @@ LOG_CBW=20
|
|||
# 1:40 = default class from cgcs_tc_setup.sh
|
||||
# 1:60 = LOG class
|
||||
|
||||
if [ $nodetype == "controller" ]
|
||||
then
|
||||
if [ $nodetype == "controller" ]; then
|
||||
# Add class and filters to the oam interface
|
||||
DEV=$oam_interface
|
||||
SPEED=$(get_dev_speed $DEV)
|
||||
|
@ -105,17 +104,22 @@ then
|
|||
|
||||
# create new qdiscs, classes and LOG filters
|
||||
tc qdisc add dev $DEV root handle 1: htb default 40
|
||||
tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit burst 15k quantum 60000
|
||||
tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit \
|
||||
burst 15k quantum 60000
|
||||
|
||||
AC="tc class add dev $DEV parent 1:1 classid"
|
||||
$AC 1:40 htb rate $((${DEFAULT_BW}*${SPEED}/100))mbit burst 15k ceil $((${DEFAULT_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
$AC 1:60 htb rate $((${LOG_BW}*${SPEED}/100))mbit burst 15k ceil $((${LOG_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
$AC 1:40 htb rate $((${DEFAULT_BW}*${SPEED}/100))mbit burst 15k \
|
||||
ceil $((${DEFAULT_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
$AC 1:60 htb rate $((${LOG_BW}*${SPEED}/100))mbit burst 15k \
|
||||
ceil $((${LOG_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
|
||||
tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10
|
||||
tc qdisc add dev $DEV parent 1:60 handle 60: sfq perturb 10
|
||||
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip sport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio $DEFAULT_PRIORITY \
|
||||
u32 match ip dport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio $DEFAULT_PRIORITY \
|
||||
u32 match ip sport ${PORT} 0xffff flowid 1:60
|
||||
|
||||
fi
|
||||
|
||||
|
@ -128,12 +132,69 @@ then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
function infra_exists {
|
||||
if [ -z "$infrastructure_interface" ]; then
|
||||
return 1
|
||||
else
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
function is_consolidated {
|
||||
if ! infra_exists; then
|
||||
return 1
|
||||
else
|
||||
|
||||
local INFRA=$infrastructure_interface
|
||||
local MGMT=$management_interface
|
||||
|
||||
# determine whether the management interface is a parent of the
|
||||
# infrastructure interface based on name.
|
||||
# eg. this matches enp0s8 to enp0s8.10 but not enp0s88
|
||||
if [[ $INFRA =~ $MGMT[\.][0-9]+$ ]]; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
function is_vlan {
|
||||
if [ -f /proc/net/vlan/$DEV ]; then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
function get_mgmt_tc_filter_priority {
|
||||
local PRIORITY=$DEFAULT_PRIORITY
|
||||
|
||||
if is_consolidated
|
||||
then
|
||||
if ! is_vlan
|
||||
then
|
||||
# If we have a consolidated VLAN interface, we must set the
|
||||
# priority to $DEFAULT_PRIORITY + 1 for the underlying
|
||||
# ethernet interface, as it will already have
|
||||
# $DEFAULT_PRIORITY filters to catch high priority
|
||||
# infra traffic
|
||||
PRIORITY=$(($DEFAULT_PRIORITY + 1))
|
||||
fi
|
||||
fi
|
||||
echo $PRIORITY
|
||||
return 0
|
||||
}
|
||||
|
||||
SPEED=$(get_dev_speed $DEV)
|
||||
PRIORITY=$(get_mgmt_tc_filter_priority)
|
||||
|
||||
AC="tc class add dev $DEV parent 1:1 classid"
|
||||
$AC 1:60 htb rate $((${LOG_BW}*${SPEED}/100))mbit burst 15k ceil $((${LOG_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
$AC 1:60 htb rate $((${LOG_BW}*${SPEED}/100))mbit burst 15k \
|
||||
ceil $((${LOG_CBW}*${SPEED}/100))mbit quantum 60000
|
||||
|
||||
tc qdisc add dev $DEV parent 1:60 handle 60: sfq perturb 10
|
||||
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip sport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio $PRIORITY \
|
||||
u32 match ip dport ${PORT} 0xffff flowid 1:60
|
||||
tc filter add dev $DEV protocol ip parent 1:0 prio $PRIORITY \
|
||||
u32 match ip sport ${PORT} 0xffff flowid 1:60
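Review bot: In `is_consolidated`, `[[ $INFRA =~ $MGMT[\.][0-9]+$ ]]` has no `^` anchor and expands `$MGMT` unquoted, so the management interface name is interpreted as a regex and may match anywhere inside `$INFRA`. Taking the comment's own example, a management interface `enp0s8` would also match an infrastructure name such as `xenp0s8.10` (constructed), and any `.` in the management name matches an arbitrary character. `[[ $INFRA =~ ^"$MGMT"\.[0-9]+$ ]]` anchors the match and makes the name literal. `is_vlan` also reads the global `$DEV` instead of taking the interface as an argument, which ties the result of `get_mgmt_tc_filter_priority` to whatever `DEV` was last assigned.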
|
||||
|
|