This commit fixes a quoting issue in the handle_delete function causing
a cleanup error in CentOS subclouds.
Test Cases
PASS: run gen-bootloader-iso-centos.sh --delete option, verifying that
the subcloud cleanup operation completes as expected, including the
removal of /var/www/pages/iso/21.12 directory.
Closes-Bug: 2031446
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Ia0cedb66819458e58cab50c3df05e6c4dcd86fc9
The certificate names in the output of "show-certs.sh" are not
correlated with the corresponding certificate expiry/expired
alarms. This fix addresses this issue.
Test Cases:
PASS: Run the "show-certs.sh" on systemcontroller and verify the
namespace, cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on subcloud and verify the
namespace, cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on standalone and verify it works
as expected
PASS: Run the "show-certs.sh" and verify that "registry.local"
changed to "docker_registry" to correlate with the alarm
PASS: Run "show-certs.sh" script without -k and verify the
filename is shown for ldap, ssl and docker-registry certs
PASS: Run "show-certs.sh" with -k and verify namespace/secret
name is shown in the output
PASS: Run "show-cert.sh -k" and verify in the output that for
"cm-cert-manager-webhook-ca" secret the renewal shows as
"Auto renewal"
Closes-bug: 2029412
Change-Id: Icf08493f19bf529101488a8b5fa4278ed9b325fc
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
The --no-force-password option removes the forced password change on
initial login. This is to enable customers who use a customized workflow
where the initial password is set to a secure value via update-iso.sh,
and do not want a forced password change on initial login.
Note: Used incorrectly, this is an insecure option. The
--no-force-password should only be used in secure environments, where
the initial password is kept secret. Further, this update does not
affect the password aging policies in place.
Test Plan:
PASS: Use update-iso.sh to change an existing ISO:
    sudo ./update-iso.sh --addon ./ks-addon.cfg \
        --no-force-password \
        --initial-password 'MyPassword#123' \
        --input ./starlingx-intel-x86-64-cd.iso \
        --output ./update.iso
And boot from the new ISO. Verify that the initial password upon
boot is as expected, and that the provided password is accepted on first
login, without the normal forced password change on initial login.
PASS: Use update-iso.sh without the --no-force-password option, verify
that the user is still forced to change password on initial login.
Closes-Bug: 2030917
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I962e66741cf10b24ba965bef99f3cd2ef977cec4
This script creates the file ".kube/config" in the home folder of the
logged in user and sets/replaces the value of variable KUBECONFIG inside
file ".profile". Currently, the main use case that involves this K8S
config file is the K8S authentication through OIDC token.
Test Plan:
PASS: Deploy an IPv4 AIO-SX with an image containing this change and
verify that the script is available at "/usr/local/bin/kubeconfig-setup"
with permissions "-r-xr-xr-x", owner root, group root. Setup OIDC app,
create local linux user "tu1" and create a ClusterRoleBinding in K8S for
tu1 user as cluster-admin.
PASS: Using the deployed AIO-SX, SSH to the controller using "tu1".
Execute "kubeconfig-setup; source .profile", verify that the file
"/home/tu1/.kube/config" was created, execute "oidc-auth" and then
"kubectl get pods -A -v=6", verifying in the output that the file
"/home/tu1/.kube/config" is being used by kubectl.
PASS: Using the deployed AIO-SX, edit the file ".profile" of "tu1"
replacing 'export KUBECONFIG="/home/tu1/.kube/config"' by 'export
KUBECONFIG="invalid_value"' and then repeat the previous test, that will
be successful. After, verify that KUBECONFIG is set to 'export
KUBECONFIG="/home/tu1/.kube/config"' in ".profile".
PASS: Using the deployed AIO-SX, SSH again to the controller using "tu1"
and just execute "kubectl get pods -A -v=6", verifying in the output
that the file "/home/tu1/.kube/config" is being used by kubectl.
PASS: Repeat all tests above using an IPv6 AIO-SX.
Story: 2010738
Task: 48566
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/890359
Depends-On: https://review.opendev.org/c/starlingx/config/+/890436
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I2b8cab1ca8d029782351152d635014d3dec2df52
Add explicit collect of certificates files for the platform.
Delete all crt, pem and key files in collect before including those
files explicitly listed in certs.include file. Use openssl command to
omit all but certificate information from the files.
Test Plan:
PASS AIO-SX, AIO-DX+, DC with AIO-SX subcloud
PASS options --skip-mask, --omit-certs, --subcloud
PASS bashate
PASS unit test for collect_certificates
PASS collect output contains no crt, pem and key files except those
listed in certs.include
PASS If a file listed in certs.include does not exist on the filesystem
then the absence is ignored - it is ok for a specified file not to
exist.
PASS file with key omits key - only certs are copied
PASS manual verify of file paths (including those on DC subcloud)
Closes-Bug: 2029302
Change-Id: I9fafe5fde39a1a7de9a887424f274986b13e053a
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
1) auto load the sctp module
2) configure the required network parameters
To facilitate better network performance for SCTP network traffic and
provide performance improvements for typical k8s application workloads
the following network parameters need to be modified to the respective
values.
net.core.rmem_max - Defines the maximum receive window size.
net.core.wmem_max - Defines the maximum send window size.
net.sctp.rcvbuf_policy - Defines the socket receive buffer accounting
policy.
net.sctp.sndbuf_policy - Defines the socket send buffer accounting
policy.
Depends-On: https://review.opendev.org/c/starlingx/config-files/+/890503
Test Plan:
PASS: SCTP autoload after iso installation on AIO-SX
    lsmod | grep sctp
PASS: Configured values can be read through sysctl commands on AIO-SX
    sysctl net.core.rmem_max
    sysctl net.core.wmem_max
    sysctl net.sctp.rcvbuf_policy
    sysctl net.sctp.sndbuf_policy
Story: 2010849
Task: 48508
Change-Id: I561f1d08d669114da7b59affb495b062fbacf83c
Signed-off-by: ajaiswal <abhishek.jaiswal@windriver.com>
The kubelet server and kubelet CA certificates are not documented
so they are not required to be included in show-certs.sh output.
Only kubelet client certificate is required to be included.
Test Plan:
PASS: Run show-certs.sh, verify the output contains the status
of kubelet client, as following
kubelet client CERTIFICATE:
------------------------------------------
Renewal : Automatically by k8s
Filename : /var/lib/kubelet/pki/kubelet-client-current.pem
Subject : O = system:nodes, CN = system:node:controller-0
Issuer : CN = starlingx
Issue Date : Apr 27 18:41:43 2023 GMT
Expiry Date : Apr 26 18:42:00 2024 GMT
Residual Time : 340d
Closes-Bug: 2020507
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I6c8c14a1c75aaaae958ea8752e69c5e82df3ef4f
This commit addresses two issues around installing subclouds of a
different release than the system controller, on pure Debian
installations:
1. The miniboot ISO must use the same initrd as the target release for
the subcloud. If necessary, the initrd-mini and its .sig file are
pulled from the ostree repo inside the load-imported ISO.
2. Support a mechanism for release-specific kickstart-override files. We
add release-specific directories under
/var/miniboot/kickstart-override, while maintaining the legacy
location if the target subcloud is running the same release as the
system controller.
And thirdly, logging changes are incorporated to provide consistency for
logging the gen-bootloader-iso.sh script output into the
/var/log/user.log file. We now include normal info-level logs in this
file for easier debugging and traceability; for this reason, the amount
of info-level logging is also reduced to the minimum. Note that verbose
logging can still be enabled via a file present at
/tmp/gen-bootloader-verbose (this behaviour is unchanged).
Test Plan:
PASS:
- Install and bootstrap a 22.12 subcloud from a 23.09 system controller
  - using a load-imported 22.12 ISO
- Install and bootstrap a 23.09 subcloud from a 23.09 system controller
  - using a load-imported 23.09 ISO
- Invoke gen-bootloader-iso.sh, testing various combinations of
  /var/miniboot/kickstart-override configurations:
  - Legacy location: /var/miniboot/kickstart-override/miniboot.cfg
    is present. This file should only be used if the two releases
    match:
    - ignored for 22.12 subcloud install
    - used for 23.09 subcloud install
  - /var/miniboot/kickstart-override/22.12/miniboot.cfg present:
    - used only for 22.12 subcloud install
  - /var/miniboot/kickstart-override/23.09/miniboot.cfg present:
    - used only for 23.09 subcloud install
  - Both /var/miniboot/kickstart-override/miniboot.cfg and
    /var/miniboot/kickstart-override/23.09/miniboot.cfg present:
    - the /var/miniboot/kickstart-override/23.09/miniboot.cfg takes
      precedence over the non-release-specific legacy location
Story: 2010611
Task: 48479
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Ia7b0396cc84c208c71ec7f6382c0043523b5a91d
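
The override precedence described in the commit message above, as an added example that is not the gen-bootloader-iso.sh code: the function names, the temporary sample tree and the NN.NN release-format check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and the release-format check are assumptions.

# select_kickstart_override BASE TARGET_RELEASE CONTROLLER_RELEASE
# Prints the override file to use, or nothing when none applies.
# Returns 2 if TARGET_RELEASE is not of the form NN.NN.
select_kickstart_override() {
    ks_base=$1
    ks_target=$2
    ks_controller=$3
    # Assumption (not from the commit): the release string becomes a path
    # component, so accept only NN.NN and refuse values such as "../..".
    case $ks_target in
        [0-9][0-9].[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    if [ -f "$ks_base/$ks_target/miniboot.cfg" ]; then
        # A release-specific file wins over the legacy location.
        printf '%s\n' "$ks_base/$ks_target/miniboot.cfg"
    elif [ "$ks_target" = "$ks_controller" ] && [ -f "$ks_base/miniboot.cfg" ]; then
        # The legacy file applies only when both releases match.
        printf '%s\n' "$ks_base/miniboot.cfg"
    fi
    return 0
}

# make_sample_tree: constructed layout standing in for
# /var/miniboot/kickstart-override (legacy file plus a 23.09 file).
make_sample_tree() {
    ks_tmp=$(mktemp -d) || return 1
    mkdir -p "$ks_tmp/23.09"
    : > "$ks_tmp/miniboot.cfg"
    : > "$ks_tmp/23.09/miniboot.cfg"
    printf '%s\n' "$ks_tmp"
}

# Walk two of the test-plan combinations on a 23.09 system controller.
demo_tree=$(make_sample_tree)
for rel in 22.12 23.09; do
    chosen=$(select_kickstart_override "$demo_tree" "$rel" 23.09)
    printf '%s subcloud -> %s\n' "$rel" "${chosen:-<no override>}"
done
rm -rf "$demo_tree"
```
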
Script will execute the ansible playbook for static image update
conditionally only for deploy plug-in post update.
Test Plan:
PASS: Verify script does execute static image update playbook
for deploy plug-in post update
PASS: Verify script does not execute static image update playbook
for deploy plug-in post upgrade
Story: 2010718
Task: 48458
Change-Id: I0d9ca4b4df31fac8fcd2eaa6a470208b63e1c8ee
Signed-off-by: Sriram Narasimhan <sriram.narasimhan@windriver.com>
This commit fixes the incompatible --crypt option for older
releases of openssl. We also add the -quiet option to suppress
the warning message if a password is longer than 8 characters.
Test Plan:
PASS: Run this script with --initial-password option in centos
environment where openssl version is:
OpenSSL 1.0.2k-fips 26 Jan 2017
PASS: Run this script with --initial-password option in debian
environment where openssl version is:
OpenSSL 1.1.1n 15 Mar 2022
Closes-Bug: 2028787
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I2e87a6e8c1fa9fe4d3c1dc8982995a09f997f47b
A recent update introduced an empty file (__init__.py) in the plugins
folder which was causing report traceback failures for off system runs.
Also the current handling of the --plugin option is broken.
The fix to that issue led to a few additional more general plugin
handling improvements.
Test Plan:
PASS: Verify ignore handling of empty plugin files.
PASS: Verify all python file permissions set to executable
on fresh pull in git and after on-system package install.
PASS: Verify all plugin file permissions are not executable
on fresh pull in git and after on-system package install.
PASS: Verify general handling of the --plugin option with space
delimited plugins that follow.
PASS: Verify correlator is not run if there is no plugin data
to correlate.
PASS: Verify missing plugin output log files do not lead to a
file not found error on the console.
PASS: Verify refactored plugin search handling success and
error paths.
PASS: Verify refactored plugin search handling finds and adds
built-in and localhost plugins with and without the --plugin
option specified.
PASS: Verify that previous plugin data is removed prior to a rerun
of the tool. This is helpful for localhost plugin development.
PASS: Verify handling of adding multiple plugins that span both
built-in and localhost locations.
PASS: Verify handling of missing plugin(s) when specified with
the --plugin option.
Regression:
PASS: Verify collector package build and passes tox.
PASS: Verify both on-system and off-system Report handling.
PASS: Verify collect all using --report option
PASS: Verify logging with and without --debug option.
PASS: Verify no pep8 errors or warnings.
Story: 2010533
Task: 48433
Task: 48432
Task: 48443
Change-Id: I42616daad2de6b0785f11736ef20b11e19f19869
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Utility script is created to update deploy plug-in automatically
post patching. This involves:
1. run ansible playbook to upgrade static images
- pull deploy plug-in image from configured source
- push its image to local registry
2. run ansible playbook to refresh deploy plug-in
Test Plan:
PASS: Verify deploy plug-in is refreshed after script execution.
- Create restart script to invoke the utility script
- Copy the new debian files onto the controller
- Create sneaky patch with debian files and restart script
- Check deploy plug-in image version before applying sneaky patch
- Apply the sneaky patch
- Check deploy plug-in image version after applying sneaky patch
PASS: Verify utility script is in debian package
PASS: Verify error handling is done for playbook
PASS: Verify sneaky patch remove is successful
PASS: Verify deploy pod is running new image after the patch
containing deploy plug-in update is applied
PASS: Verify script logs generated in /var/log/platform.log
Story: 2010718
Task: 48412
Change-Id: Ifd348f005117aca5cf18e16719123410d86d027d
Signed-off-by: Susendra Selvaraj <Susendra.Selvaraj@windriver.com>
An orchestrated subcloud collect fails if one or more of the
subcloud system nodes fail to collect. For example if inactive
controller-1 is unreachable.
This update makes collect error handling improvements to allow
for an incomplete subcloud collect to finish successfully while
there is at least one valid host collected from that subcloud.
Also, allow the --timeout option to specify a timeout that is
outside the recommended range. A warning message will be produced.
Test Plan: each test case verified in both parallel and inline modes
PASS: Verify subcloud collect completes successfully when the active
controller collect succeeds but the inactive controller or other
subcloud system node is unreachable.
PASS: Verify same case above but with a --clean rather than
collect operation.
PASS: Verify the above 2 test cases for local system collect all
rather than subcloud collect.
PASS: Verify subcloud collect completes successfully when the active
controller collect succeeds but the inactive controller or
other subcloud system node is reachable but fails with host
collect timeout.
PASS: Verify warning but allowing the user to specify a timeout that
is outside the recommended range.
Note: It's useful to allow for testing and extreme cases
PASS: Verify missing report tool does not fail a collect
Regression:
PASS: Verify error handling of collect from unknown host or subcloud
PASS: Verify subcloud collect fails if the subcloud is not reachable
PASS: Verify local collect failure handling when remote collect_host
thread is killed.
PASS: Verify host collect failure handling when a reachable
host collect fails with a timeout.
Closes-Bug: 2026768
Change-Id: Id0d53c42dae9c22323d798e23463dc636f7fbe38
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
This change adds a config file to /etc/modules-load.d/ to load the
intel-uncore-frequency module, because the module in question is not
set up for automatic loading via modules aliases. This module was
initially enabled by [1].
This module will be used by Power Metrics App in StarlingX [2].
[1] https://review.opendev.org/c/starlingx/kernel/+/884305
[2] https://opendev.org/starlingx/app-power-metrics
TEST PLAN:
PASS: Build iso success for rt and std.
PASS: Install success onto an AIO-SX lab with both rt and std kernel.
PASS: Verify with lsmod if intel-uncore-frequency module is loaded.
Story: 2010773
Task: 48329
Change-Id: I2cc34756da64b887d6d58277306b790ec8f4a149
Signed-off-by: Alyson Deives Pereira <alyson.deivespereira@windriver.com>
Update existing dynamic ISO generation scripts to target the last
CentOS release from within a Debian environment.
Changes are applied for gen-prestaged-iso-centos.sh for support
within a Debian instance.
The existing Debian-targeting files (gen-bootloader-iso.sh,
gen-prestaged-iso.sh) are updated for minor fixes in logging,
consistency, and overall code structure for ease of support and
maintenance.
This commit aligns recent changes of gen-bootloader-iso.sh into
gen-bootloader-iso-centos.sh, for easier support going forward.
And finally, unit tests are added for the gen-prestaged-iso* scripts.
The unit tests use shunit2 framework, which is dynamically pulled in as
required to run the tests. At this point, tests are only run manually;
they are not part of the loadbuild. Unit tests may be added for
gen-bootloader-iso.sh in a further commit; however, this is of lesser
priority since this script is employed frequently on subcloud remote
installations.
Test Plan
PASS:
- Test gen-prestaged-iso.sh for generating a prestaged ISO targeting a
local Debian install. An ISO is generated and a full subcloud
deployment is successful
- Test gen-prestaged-iso-centos.sh for generating a prestaged ISO
targeting a local CentOS install. An ISO is generated and a full
subcloud deployment is successful
- Run the two new unit tests, gen-prestaged-iso-test.sh, and
gen-prestaged-iso-centos-test.sh, both in standalone and via
run-tests.sh. Verify with both an empty and populated input directory.
- Verify full remote/redfish Debian subcloud install and deployment.
Targeted at gen-bootloader-iso.sh changes.
- Verify full remote/redfish CentOS subcloud install and deployment.
Targeted at gen-bootloader-iso-centos.sh changes.
Story: 2010611
Task: 48267
Depends-On: https://review.opendev.org/c/starlingx/metal/+/886662
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I31e76ed107f589b1196320b3c8d7243fb15d3491
This change adds a utility script called "local_starlingxrc". It does
the following actions: if the file "~/$USER-openrc" exists, sources it;
if it doesn't exist, creates and sources it. The openrc file created
uses the same Keystone username of the linux user logged in and asks the
password. It should be used through command "source local_starlingxrc".
Test Plan:
PASS: Successfully deploy an AIO-DX containing this change.
PASS: In the deployed AIO-DX, check that the command "local_starlingxrc"
is available at "/usr/local/bin/local_starlingxrc" with permissions
"-r-xr-xr-x", user root, group root.
PASS: In the deployed AIO-DX, create linux user user1 that is not part
of groups sys_protected and root and create Keystone user user1 with
user role "reader". Execute a SSH to the active controller using user1,
execute "source local_starlingxrc", inform the password asked and
execute "system host-list" with no errors. Check that the file
"user1-openrc" is created in user1 home folder with permissions
"-rw-------", owner user1. Exit and execute SSH again using user1,
execute "source local_starlingxrc", check that no password is asked and
execute "system host-list" with no errors.
PASS: Repeat the test above using standby controller. Check that the
output of "source local_starlingxrc" always prints an error message
saying that it is not the active controller and that "system host-list"
always returns an error.
Partial-Bug: 2024627
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/886661
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I576bf49cc5db9fef10f26963219d7c179f46a24f
This commit supports the developer use-case of a system controller
ostree repo configured with gpg-verify=false. In such cases, the
subcloud ostree repo instances must also be configured with
gpg-verify=false, or the ostree pull will fail.
We first check if the system controller is configured with
gpg-verify=false. If so, then the 'instgpg=0' boot parameter is added
to miniboot ISO. This will trigger the appropriate configuration in both
the miniboot kickstart and the LAT /install script.
A minor fix is also included where missing initramfs .sig files would
fail the install. Some developer builds do not contain the .sig files,
which causes remote subcloud install failures without this fix.
Test Plan:
PASS:
- Install subcloud with non-GPG signed ostree commits present on system
controller. Ensure the ostree pull is successful on subcloud, with a
successful install.
- Ensure normal subcloud installation is successful
Story: 2010611
Task: 48308
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I25333f75e6592d7c8dd40f509c5316a02e366f85
This adds in flake8, bandit and pylint tox jobs for
the report tool
Test Plan:
PASS: build-pkgs -c -p collector
Story: 2010642
Task: 48265
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I81fcf500663e1f74f491e11c25ff1d427d456536
The collect operation has been seen to fail with a timeout error
when collecting from remote hosts over a high latency network.
This update consolidates the collect timeouts into a separate
source included file '/etc/collect/collect_timeouts'.
The ssh, scp and sudo timeouts were seen to vary from function
to function. Since the timeout is always waiting for password
prompt this update normalizes them all to 60 seconds.
Move additional miscellaneous timeouts to the timeouts file
giving them opportunity to be configurable in the future.
Test Plan: High latency is 1200 ms
PASS: Verify collect system hosts on typical network
PASS: Verify collect multiple subclouds on typical network
PASS: Verify collect system hosts on high latency network
PASS: Verify collect multiple subclouds on high latency network
PASS: Verify collect subcloud with persistent long delays
... 1200ms, 1500ms, 2000ms, 300ms and 5000ms
PASS: Verify that the new collect timeouts file can be modified and
those modified values used in subsequent collect operations
PASS: High latency collect soak (10 iterations)
Closes-Bug: 2023554
Change-Id: I6fa318eea35c175d01646d93220637e95efd29e1
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Subcloud collect bundles have an extra level of directory hierarchy.
This update refactors the report.py bundle search and extraction
handling to support both single and multi host and subcloud collect
bundles.
Typical use is
report.py <bundle pointer option> /path/to/bundle
Bundle pointer options
--bundle Use this option to point to a 'directory' that 'contains'
host tarball files.
--directory Use this option when a collect bundle 'tar file' is in a
specific 'directory'.
--file Use this option to point to a specific collect bundle
tar file to analyze.
The following additional changes / improvements were made:
- improved report.py code structure
- improved management of the input and output dirs
- improved debug and error logging (new --state option)
- removed --clean option that can fail due to bundle file permissions
- added --bundle option to support pointing to a directory
containing a set of host tarballs.
- modified collect to use the new --bundle option when --report
option is used.
- implement tool logfile migration from /tmp to bundle output_dir
- create report_analysis dir in final output_dir only
- fix file permissions to allow execution from git
- order plugin analysis output based on size
- added additional error checking and handling
Test Plan:
PASS: Verify collect --report (std system, AIO and subcloud)
PASS: Verify report analysis
PASS: Verify report run on-system, git and cached copy
PASS: Verify on and off system analysis of
PASS: ... single-host collect bundle with --file option
PASS: ... multi-host collect bundle with --file option
PASS: ... single-subcloud collect bundle with --file option
PASS: ... multi-subcloud collect bundle with --file option
PASS: ... single-host collect bundle with --directory option
PASS: ... multi-host collect bundle with --directory option
PASS: ... single-subcloud collect bundle with --directory option
PASS: ... multi-subcloud collect bundle with --directory option
PASS: ... single-host collect bundle with --bundle option
PASS: ... multi-host collect bundle with --bundle option
PASS: Verify --directory option handling when
PASS: ... there are multiple bundles to select from (pass)
PASS: ... there is a bundle without the date_time (prompt)
PASS: ... there are extra non-bundle files in target dir (ignore)
PASS: ... the target dir only contains host tarballs (fail)
PASS: ... the target dir has no tar files or extracted bundle (fail)
PASS: ... the target dir does not exist (fail)
PASS: Verify --bundle option handling when
PASS: ... there are host tarballs in the target directory (pass)
PASS: ... there are only extracted host dirs in target dir (pass)
PASS: ... there are no host tarballs or dirs in target dir (fail)
PASS: ... the target dir does not have a dated host dir (fail)
PASS: ... the target dir does not exist (fail)
PASS: ... the target is a file rather than a dir (fail)
PASS: Verify --file option handling when
PASS: ... the target tar file is found (pass)
PASS: ... the target tar file is not date_time named (prompt)
PASS: ... the target tar file does not exist (fail)
PASS: ... the target tar is not a collect bundle (fail)
PASS: Verify tar file(s) in a single and multi-subcloud collect
with the --report option each include a report analysis.
PASS: Verify logging with and without --debug and --state options
PASS: Verify error handling when no -b, -f or -d option is specified
Story: 2010533
Task: 48187
Change-Id: I4924034aa27577f94e97928265c752c204a447c7
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Current version 1.1.11 of 'mkisofs' (also known as genisoimage) no
longer errors out on input files larger than 4G. The 4G limitation
only applies to ISO images that need to be ISO-9660 compliant.
StarlingX prestaging ISO images are not required to comply
to ISO-9660 as they never have. The gen-prestaged-iso.sh script
has always warned that the created filesystem does not conform
to ISO-9660 and there has never been a problem installing images
produced with this tool.
Therefore, this update removes the input filesize check which
is preventing system administrators from creating prestaged
iso images from Debian StarlingX images that exceed 4 GB.
Test Plan:
PEND: Create and install prestaged ISO images from input
ISOs that are larger than 4G; sizes of 4.1G, 6G and 10G.
PASS: ... 4.1G
PASS: ... 5.8G
PASS: ... 14G
Closes-Bug: 2023592
Change-Id: I2ac3f3ad159892aed9cdb091c5ab3d93e7630430
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
The functional changes made to update-iso.sh over the transition from
CentOS to Debian did not change the example in the tool's help output.
This update modifies the network setup example in the update-iso.sh
script to reflect the method used in Debian.
Test Plan: Create a ks-addon.cfg script and add it to the iso
using the update-iso.sh script.
PASS: Run the update-iso.sh to add the ks-addon.cfg file
PASS: Verify help output content and format
PASS: Verify addon execution and interface file setup over USB install
PASS: Verify addon execution and interface setup over pxeboot install
... with pxeboot addon support added to the kickstart
PASS: Verify network scripts created properly on install
PASS: Verify networking automatically setup over post install reboot
... using the example provided in this update
Closes-Bug: 2023486
Change-Id: I42d13c1ef0ad12b435c52c1bb312a21f30cf7fcd
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
When the --param extra_boot_params argument is given, we need to parse
the given boot parameters and include them in the miniboot boot options
by adding them into the BOOT_ARGS_COMMON variable.
Example:
For '--param extra_boot_params=arg1=1,arg2=two'
The following is added to the miniboot kernel options:
extra_boot_params=arg1=1,arg2=two arg1=1 arg2=two
Where 'extra_boot_params=arg1=1,arg2=two' is required for parsing by
miniboot.cfg and 'arg1=1 arg2=two' are the actual boot parameters
applied during boot of the miniboot bootimage.iso.
Test Plan
PASS:
- Verify that extra_boot_params is parsed both the 'extra_boot_params='
as well as separate miniboot kernel options (see above example)
- Verify that the miniboot comes up with the kernel options in its
/proc/cmdline (i.e., the initial miniboot ISO boots with the
configured extra options)
- Tested with the following input:
--param extra_boot_params=arg1=1,arg2=2
--param extra_boot_params=arg1=1
--param extra_boot_params=arg1
Closes-Bug: 2023407
Depends-On: https://review.opendev.org/c/starlingx/distcloud/+/885758
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Iae094d9f7746e8d2963e137ab809376d75ad1bca
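
The expansion described in the commit message above, as an added example that is not the gen-bootloader-iso.sh code: expand_extra_boot_params, append_boot_args, the starting BOOT_ARGS_COMMON value and the character allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and the character allow-list are
# assumptions, not the gen-bootloader-iso.sh implementation.

# expand_extra_boot_params VALUE
# VALUE is the text after "extra_boot_params=" (comma-separated params).
# Prints "extra_boot_params=VALUE p1 p2 ..." or returns 1 on bad input.
expand_extra_boot_params() {
    ebp_value=$1
    # Assumption (not from the commit): the value ends up on a kernel
    # command line, so reject empty input and anything outside a small
    # allow-list (no whitespace, quotes, newlines or glob characters).
    case $ebp_value in
        ''|*[!A-Za-z0-9_.,=:/-]*) return 1 ;;
    esac
    # Keep the raw form, which the commit says miniboot.cfg parses.
    ebp_out="extra_boot_params=$ebp_value"
    # Then append each comma-separated item as its own boot parameter.
    # Unquoted expansion is safe here: glob characters were rejected above.
    ebp_old_ifs=$IFS
    IFS=,
    for ebp_param in $ebp_value; do
        if [ -n "$ebp_param" ]; then
            ebp_out="$ebp_out $ebp_param"
        fi
    done
    IFS=$ebp_old_ifs
    printf '%s\n' "$ebp_out"
}

# append_boot_args CURRENT VALUE
# Returns CURRENT with the expansion of VALUE appended; fails if VALUE
# is rejected, leaving the caller's variable untouched.
append_boot_args() {
    ebp_extra=$(expand_extra_boot_params "$2") || return 1
    printf '%s\n' "${1:+$1 }$ebp_extra"
}

BOOT_ARGS_COMMON="console=ttyS0,115200"   # constructed starting value
for sample in 'arg1=1,arg2=two' 'arg1=1' 'arg1'; do
    append_boot_args "$BOOT_ARGS_COMMON" "$sample"
done
```
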
The current system_info plugin logs the system info for the last
host in host_dirs rather than that of the active controller.
It also does not capture the system info for all the nodes
into its plugin output file.
This update improves the system_info plugin as well as implements
the following improvements to rendering and substring handling.
1. Improve system_info plugin capture and render.
2. Adds which controller was active at the time of the collect
to the system info rendering output.
3. Improve report analysis rendering by displaying the full
path to plugin and correlation files.
4. Adds string exclude support to the substring algorithm.
This allows the generic string searches like ERROR to be
searched for and gathered while also allowing specific
logs that are considered noise logs to be filtered out.
5. Create a separate SM errors substring plugin using the new
exclude option.
6. Adds support for commented and empty lines in the plugins
This allows for properly commented and formatted plugins.
7. Adds plugin label name error checking
This allows easier debug of improperly coded plugins.
8. Fixed additional pep8 warnings.
Test Plan:
PASS: Verify on-system collect with --report option
PASS: Verify on-system report generation
PASS: Verify off-system report generation from git
PASS: Verify system_info plugin collects info from all hosts
PASS: Verify report displays system_info from active controller
PASS: Verify handling when no active controller is detected
PASS: Verify new sm_errors substring plugin with excludes
PASS: Verify plugins can have empty or # commented lines
PASS: Verify report tool plugins output include path to each
plugin file
PASS: Verify report tool correlations include path to each
correlation file
PASS: Verify report tool plugin label parsing error handling
PASS: Verify all files pass pep8 without warning or error
Story: 2010533
Task: 48072
Change-Id: I6d0253a4c3d8804a5e45b970d766e578ea69368f
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Currently show-certs.sh doesn't show status of kubelet client
and server certificates. This update adds them to the utility
scripts.
Test Plan:
PASS: Run show-certs.sh, verify the output contains the status
of kubelet client and server certificates, as following
kubelet client CERTIFICATE:
------------------------------------------
Renewal : Automatically by k8s
Filename : /var/lib/kubelet/pki/kubelet-client-current.pem
Subject : O = system:nodes, CN = system:node:controller-0
Issuer : CN = starlingx
Issue Date : Apr 27 18:41:43 2023 GMT
Expiry Date : Apr 26 18:42:00 2024 GMT
Residual Time : 340d
kubelet server CERTIFICATE:
------------------------------------------
Renewal : Manual
Filename : /var/lib/kubelet/pki/kubelet.crt
Subject : CN = controller-0@1682620922
Issuer : CN = controller-0-ca@1682620922
Issue Date : Apr 27 17:42:02 2023 GMT
Expiry Date : Apr 26 17:42:02 2024 GMT
Residual Time : 340d
kubelet CA CERTIFICATE:
------------------------------------------
Renewal : Manual
Filename : /var/lib/kubelet/pki/kubelet.crt
Subject : CN = controller-0-ca@1682620922
Issuer : CN = controller-0-ca@1682620922
Issue Date : Apr 27 17:42:02 2023 GMT
Expiry Date : Apr 26 17:42:02 2024 GMT
Residual Time : 340d
Closes-Bug: 2020507
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I8d4c06a63270afb610f10b0a5e3be24f48aa9607
Add handling for passwords that have duplicate special
characters.
For instance without this update, passing collect the following
sudo password would fail while with this update it succeeds.
[[Pa$$word123]]
The following characters are verified to require escapes.
1. [ and ] (square brackets) [$$Copper1$$] … escaped by collect
2. ? (question mark) ?Copper123? … escaped by collect
3. $ (dollar sign) $Copper123$ … escaped by collect
4. " (double quotes) "<Mooser123>" … escaped by collect
5. \ (backslash) \Mooser1\ … escaped by collect
Note that the backslash '\' must be escaped by the user. For instance to enter a password with backslashes that reads like this \Copper123\ it must be escaped going in like this \\Copper123\\
The following special characters are verified to not require escapes.
6. & (ampersand) &Copper123& … no escape needed
7. ( and ) (parentheses) (Duffy123) … no escape needed
8. { and } (curly braces) {HealthCare123} … no escape needed
9. ; (semicolon) ;Copper123; … no escape needed
10. | (pipe) |PasswdTst123| … no escape needed
11. < (less than) <Mooser123> … no escape needed
12. > (greater than) <|>Copper123<|> … no escape needed
13. >> (double greater than) >>Mooser321<< … no escape needed
14. ' (single quotes) 'Copper911' … no escape needed
15. * (asterisk) *Mooser123* … no escape needed
16. # (hash or pound sign) #Mooser123# … no escape needed
17. ! (exclamation mark) !!@$Mooser1$@!! … no escape needed
18. ~ (tilde) ~Copper1~ … no escape needed
19. @ (at symbol) @Passwd1@ … no escape needed
20. ^ (caret) @^Myword1^@ … no escape needed
Test Plan:
PASS: Build and Install Debian Image
PASS: Run collect with typical password
The following password patterns were verified to be parsed
properly and all verified to work with collect.
PASS: [[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
PASS: $$Passwd123$$ -> \$\$Passwd123\$\$
PASS: \Passwd1\ -> \\Passwd1\\
PASS: "Passwd1" -> \"Passwd1\"
PASS: [Passwd1] -> \[Passwd1\]
PASS: $Passwd1$ -> \$Passwd1\$
PASS: Li69nux* -> Li69nux*
PASS: "[Li69nux*]" -> \"\[Li69nux*\]\"
PASS: St8rlingX* -> St8rlingX*
PASS: $t8rlingX* -> \$t8rlingX*
PASS: $[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
PASS: "]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
PASS: [[$$$[Passwd1]$$$] -> \[\[\$\$\$\[Passwd1\]\$\$\$\]
PASS: ""[[[$$$Passwd1$$$]]]"" -> \"\"\[\[\[\$\$\$Passwd1\$\$\$\]\]\]\"\"
Closes-Bug: 2019511
Change-Id: I7d1f3b1e3814b6acb017994bc3a2822ea3ff0244
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
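
The escaping rule from the commit message above, as an added example that is not collect's own code: it backslash-escapes the characters listed as requiring escapes and replays the "input -> expected" pairs from the test plan. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; escape_password, unescape_password and check_vectors are
# hypothetical names, not functions from the collect tool.

# escape_password PASSWORD -> escaped form on stdout.
# printf is a builtin and the data reaches sed on stdin, so the password
# never appears as a command-line argument of an external process.
escape_password() {
    # Bracket expression: ']' first, then '[', '\', '?', '$' and '"'.
    # The replacement '\\&' emits one backslash plus the matched character.
    printf '%s' "$1" | sed 's/[][\\?$"]/\\&/g'
}

# unescape_password ESCAPED -> original; used to check the round trip.
unescape_password() {
    printf '%s' "$1" | sed 's/\\\(.\)/\1/g'
}

# check_vectors: replay the "input -> expected" pairs quoted from the
# commit's test plan and print the number of mismatches (0 = all agree).
check_vectors() {
    pw_fails=0
    while IFS= read -r pw_line; do
        pw_input=${pw_line%% -> *}
        pw_expected=${pw_line#* -> }
        pw_got=$(escape_password "$pw_input")
        pw_back=$(unescape_password "$pw_got")
        if [ "$pw_got" != "$pw_expected" ] || [ "$pw_back" != "$pw_input" ]; then
            pw_fails=$((pw_fails + 1))
        fi
    done <<'EOF'
[[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
$$Passwd123$$ -> \$\$Passwd123\$\$
\Passwd1\ -> \\Passwd1\\
"Passwd1" -> \"Passwd1\"
[Passwd1] -> \[Passwd1\]
$Passwd1$ -> \$Passwd1\$
Li69nux* -> Li69nux*
"[Li69nux*]" -> \"\[Li69nux*\]\"
St8rlingX* -> St8rlingX*
$t8rlingX* -> \$t8rlingX*
$[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
"]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
[[$$$[Passwd1]$$$] -> \[\[\$\$\$\[Passwd1\]\$\$\$\]
""[[[$$$Passwd1$$$]]]"" -> \"\"\[\[\[\$\$\$Passwd1\$\$\$\]\]\]\"\"
EOF
    printf '%s\n' "$pw_fails"
}

printf 'vector mismatches: %s\n' "$(check_vectors)"
```
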
This commit updates the build-info package metadata
to track the src_path directory and the debian dir. Any
changes to either directory will increase the package
version.
Test Plan:
Pass: build-pkgs -p build-info
Story: 2010550
Task: 47928
Change-Id: Ibf50f5e80b3e56631f37f45685d279e2013ccdfa
Signed-off-by: Luis Sampaio <luis.sampaio@windriver.com>
Updating the rsa ssh host key based on:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
Note: In the future, StarlingX should have a zuul job and
secret setup for all repos so we do not need to do this
for every repo.
Needed to rename the secret, because zuul fails if like-named
secrets have different values in different branches of the same
repo.
Partial-Bug: #2015246
Change-Id: I62f60a26ee662814d9a21398aa138956da2fc53a
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>