840 Commits

Author SHA1 Message Date
Kyle MacLeod
dae78f1f9e Fix quoting in handle_delete causing install cleanup failure
This commit fixes a quoting issue in the handle_delete function causing
a cleanup error in CentOS subclouds.

Test Cases
PASS: run gen-bootloader-iso-centos.sh --delete option, verifying that
the subcloud cleanup operation completes as expected, including the
removal of /var/www/pages/iso/21.12 directory.

Closes-Bug: 2031446

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Ia0cedb66819458e58cab50c3df05e6c4dcd86fc9
2023-08-15 18:33:33 -04:00
Zuul
9518668f20 Merge "SCTP socket buffer settings" 2023-08-14 16:18:18 +00:00
Zuul
2b2c302a07 Merge "update-iso.sh: add --no-force-password option" 2023-08-14 13:57:19 +00:00
Zuul
db9a18bce6 Merge "collector: add collect of certificates" 2023-08-14 13:32:34 +00:00
Zuul
7611f836c5 Merge "Fix the output of show-certs script to correlate with the alarms" 2023-08-11 21:11:23 +00:00
Zuul
4d1bec7adf Merge "Create kubeconfig-setup script" 2023-08-11 21:05:49 +00:00
amantri
95e774f310 Fix the output of show-certs script to correlate with the alarms
The certificate names in the output of "show-certs.sh" are not
correlated with the corresponding certificate expiry/expired
alarms, this fix addresses this issue.

Test Cases:
PASS: Run the "show-certs.sh" on systemcontroller and verify the
      namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on subcloud and verify the
      namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on standalone and verify it works
      as expected
PASS: Run the "show-certs.sh" and verify that "registry.local"
      changed to "docker_registry" to correlate with the alarm
PASS: Run "show-certs.sh" script without -k and verify the
      filename is shown for ldap,ssl and docker-registry certs
PASS: Run "show-certs.sh" with -k and verify namespace/secret
      name is shown in the output
PASS: Run "show-cert.sh -k" and verify in the output that for
      "cm-cert-manager-webhook-ca" secret the renewal shows as
      "Auto renewal"

Closes-bug: 2029412

Change-Id: Icf08493f19bf529101488a8b5fa4278ed9b325fc
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
2023-08-11 11:45:59 -04:00
Kyle MacLeod
cd854334ec update-iso.sh: add --no-force-password option
The --no-force-password option removes the forced password change on
initial login. This is to enable customers who use a customized workflow
where the initial password is set to a secure value via update-iso.sh,
and do not want a forced password change on initial login.

Note: Used incorrectly, this is an insecure option. The
--no-force-password should only be used in secure environments, where
the initial password is kept secret. Further, this update does not
affect the password aging policies in place.

Test Plan:
PASS: Use update-iso.sh to change an existing ISO:
    sudo ./update-iso.sh --addon ./ks-addon.cfg \
      --no-force-password \
      --initial-password 'MyPassword#123' \
      --input ./starlingx-intel-x86-64-cd.iso \
      --output ./update.iso
And boot from the new ISO. Verify that the initial password upon
boot is as expected, and that the provided password is accepted on first
login, without the normal forced password change on initial login.

PASS: Use update-iso.sh without the --no-force-password option, verify
that the user is still forced to change password on initial login.

Closes-Bug: 2030917

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I962e66741cf10b24ba965bef99f3cd2ef977cec4
2023-08-09 17:29:59 -04:00
Joao Victor Portal
97142ae827 Create kubeconfig-setup script
This script creates the file ".kube/config" in the home folder of the
logged in user and sets/replaces the value of variable KUBECONFIG inside
file ".profile". Currently, the main use case that involves this K8S
config file is the K8S authentication through OIDC token.

Test Plan:

PASS: Deploy an IPv4 AIO-SX with an image containing this change and
verify that the script is available at "/usr/local/bin/kubeconfig-setup"
with permissions "-r-xr-xr-x", owner root, group root. Setup OIDC app,
create local linux user "tu1" and create a ClusterRoleBinding in K8S for
tu1 user as cluster-admin.
PASS: Using the deployed AIO-SX, SSH to the controller using "tu1".
Execute "kubeconfig-setup; source .profile", verify that the file
"/home/tu1/.kube/config" was created, execute "oidc-auth" and then
"kubectl get pods -A -v=6", verifying in the output that the file
"/home/tu1/.kube/config" is being used by kubectl.
PASS: Using the deployed AIO-SX, edit the file ".profile" of "tu1"
replacing 'export KUBECONFIG="/home/tu1/.kube/config"' by 'export
KUBECONFIG="invalid_value"' and then repeat the previous test, that will
be successful. After, verify that KUBECONFIG is set to 'export
KUBECONFIG="/home/tu1/.kube/config"' in ".profile".
PASS: Using the deployed AIO-SX, SSH again to the controller using "tu1"
and just execute "kubectl get pods -A -v=6", verifying in the output
that the file "/home/tu1/.kube/config" is being used by kubectl.
PASS: Repeat all tests above using an IPv6 AIO-SX.

Story: 2010738
Task: 48566

Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/890359
Depends-On: https://review.opendev.org/c/starlingx/config/+/890436
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I2b8cab1ca8d029782351152d635014d3dec2df52
2023-08-09 13:52:57 -03:00
Michel Thebeau
50c17f8e57 collector: add collect of certificates
Add explicit collect of certificates files for the platform.

Delete all crt, pem and key files in collect before including those
files explicitly listed in certs.include file.  Use openssl command to
omit all but certificate information from the files.

Test Plan:
PASS  AIO-SX, AIO-DX+, DC with AIO-SX subcloud
PASS  options --skip-mask, --omit-certs, --subcloud
PASS  bashate
PASS  unit test for collect_certificates
PASS  collect output contains no crt, pem and key files except those
      listed in certs.include
PASS  If a file listed in certs.include does not exist on the filesystem
      then the absence is ignored - it is ok for a specified file not to
      exist.
PASS  file with key omits key - only certs are copied
PASS  manual verify of file paths (including those on DC subcloud)

Closes-Bug: 2029302

Change-Id: I9fafe5fde39a1a7de9a887424f274986b13e053a
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
2023-08-08 19:04:49 +00:00
Abhishek jaiswal
219252de3e SCTP socket buffer settings
1) auto load the sctp module
2) configure the required network parameters

To facilitate better network performance for SCTP network traffic and
provide performance improvements for typical k8s application workloads
the following network parameters need to be modified to the respective
values.

  net.core.rmem_max      - Defines the maximum receive window size.
  net.core.wmem_max      - Defines the maximum send window size.
  net.sctp.rcvbuf_policy - Defines the socket receive buffer accounting
                           policy.
  net.sctp.sndbuf_policy - Defines the socket send buffer accounting
                           policy.

Depends-On: https://review.opendev.org/c/starlingx/config-files/+/890503

Test Plan:
PASS: SCTP autoload after iso installation on AIO-SX
        lsmod | grep sctp

PASS: Configured values can be read through sysctl commands on AIO-SX
        sysctl net.core.rmem_max
        sysctl net.core.wmem_max
        sysctl net.sctp.rcvbuf_policy
        sysctl net.sctp.sndbuf_policy

Story: 2010849
Task: 48508

Change-Id: I561f1d08d669114da7b59affb495b062fbacf83c
Signed-off-by: ajaiswal <abhishek.jaiswal@windriver.com>
2023-08-08 12:50:33 +00:00
Zuul
36170e3457 Merge "Remove kubelet server and CA certs from show-certs" vf/antelope 2023-08-04 15:41:59 +00:00
Andy Ning
9fb5dfea47 Remove kubelet server and CA certs from show-certs
The kubelet server and kubelet CA certificates are not documented
so they are not required to be included in show-certs.sh output.

Only kubelet client certificate is required to be included.

Test Plan:
PASS: Run show-certs.sh, verify the output contains the status
      of kubelet client, as following
 kubelet client  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Automatically by k8s
         Filename       :  /var/lib/kubelet/pki/kubelet-client-current.pem
         Subject        :  O = system:nodes, CN = system:node:controller-0
         Issuer         :  CN = starlingx
         Issue Date     :  Apr 27 18:41:43 2023 GMT
         Expiry Date    :  Apr 26 18:42:00 2024 GMT
         Residual Time  :  340d

Closes-Bug: 2020507
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I6c8c14a1c75aaaae958ea8752e69c5e82df3ef4f
2023-08-03 11:52:02 -04:00
Zuul
34087435e0 Merge "miniboot: Use release-specific initrd-mini and kickstart-override files" 2023-08-03 08:58:43 +00:00
Kyle MacLeod
ebef3e47f4 miniboot: Use release-specific initrd-mini and kickstart-override files
This commit addresses two issues around installing subclouds of a
different release than the system controller, on pure Debian
installations:

1. The miniboot ISO must use the same initrd as the target release for
   the subcloud. If necessary, the initrd-mini and its .sig file are
   pulled from the ostree repo inside the load-imported ISO.
2. Support a mechanism for release-specific kickstart-override files. We
   add release-specific directories under
   /var/miniboot/kickstart-override, while maintaining the legacy
   location if the target subcloud is running the same release as the
   system controller.

And thirdly, logging changes are incorporated to provide consistency for
logging the gen-bootloader-iso.sh script output into the
/var/log/user.log file. We now include normal info-level logs in this
file for easier debugging and traceability; for this reason, the amount
of info-level logging is also reduced to the minimum. Note that verbose
logging can still be enabled via a file present at
/tmp/gen-bootloader-verbose (this behaviour is unchanged).

Test Plan:
PASS:
- Install and bootstrap a 22.12 subcloud from a 23.09 system controller
    - using a load-imported 22.12 ISO
- Install and bootstrap a 23.09 subcloud from a 23.09 system controller
    - using a load-imported 23.09 ISO
- Invoke gen-bootloader-iso.sh, testing various combinations of
  /var/miniboot/kickstart-override configurations:
    - Legacy location: /var/miniboot/kickstart-override/miniboot.cfg
      is present. This file should only be used if the two releases
      match::
        - ignored for 22.12 subcloud install
        - used for 23.09 subcloud install
    - /var/miniboot/kickstart-override/22.12/miniboot.cfg present:
        - used only for 22.12 subcloud install
    - /var/miniboot/kickstart-override/23.09/miniboot.cfg present:
        - used only for 23.09 subcloud install
    - Both /var/miniboot/kickstart-override/miniboot.cfg and
      /var/miniboot/kickstart-override/23.09/miniboot.cfg present:
        - the /var/miniboot/kickstart-override/23.09/miniboot.cfg takes
          precedence over the non-release-specific legacy location

Story: 2010611
Task: 48479

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Ia7b0396cc84c208c71ec7f6382c0043523b5a91d
2023-08-01 17:45:38 -04:00
Zuul
762bb9006b Merge "Update script to refresh deploy plug-in post update" 2023-07-31 18:00:59 +00:00
Sriram Narasimhan
d612d0ef09 Update script to refresh deploy plug-in post update
Script will execute the ansible playbook for static image update
conditionally only for deploy plug-in post update.

Test Plan:
PASS: Verify script does execute static image update playbook
      for deploy plug-in post update
PASS: Verify script does not execute static image update playbook
      for deploy plug-in post upgrade

Story: 2010718
Task: 48458

Change-Id: I0d9ca4b4df31fac8fcd2eaa6a470208b63e1c8ee
Signed-off-by: Sriram Narasimhan <sriram.narasimhan@windriver.com>
2023-07-31 09:21:56 -04:00
Zuul
7d7547f97d Merge "Fix openssl passwd args for initial password change" 2023-07-27 13:47:04 +00:00
Kyle MacLeod
f098b44d5f Fix openssl passwd args for initial password change
This commit fixes the incompatible --crypt option for older
releases of openssl. We also add the -quiet option to suppress
the warning message if a password is longer than 8 characters.

Test Plan:
PASS: Run this script with --initial-password option in centos
      environment where openssl version is:
      OpenSSL 1.0.2k-fips  26 Jan 2017
PASS: Run this script with --initial-password option in debian
      environment where openssl version is:
      OpenSSL 1.1.1n  15 Mar 2022

Closes-Bug: 2028787

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I2e87a6e8c1fa9fe4d3c1dc8982995a09f997f47b
2023-07-26 10:58:56 -04:00
Zuul
3830211bb0 Merge "Report Tool: Improve plugin handling" 2023-07-24 14:16:51 +00:00
Eric MacDonald
712187a496 Report Tool: Improve plugin handling
A recent update introduced an empty file (__init__.py) in the plugins
folder which was causing report traceback failures for off system runs.

Also the current handling of the --plugin option is broken.
The fix to that issue led to a few additional more general plugin
handling improvements.

Test Plan:

PASS: Verify ignore handling of empty plugin files.
PASS: Verify all python file permissions set to executable
      on fresh pull in git and after on-system package install.
PASS: Verify all plugin file permissions are not executable
      on fresh pull in git and after on-system package install.
PASS: Verify general handling of the --plugin option with space
      delimited plugins that follow.
PASS: Verify correlator is not run if there is no plugin data
      to correlate.
PASS: Verify missing plugin output log files do not lead to a
      file not found error on the console.
PASS: Verify refactored plugin search handling success and
      error paths.
PASS: Verify refactored plugin search handling finds and adds
      built-in and localhost plugins with and without the --plugin
      option specified.
PASS: Verify that previous plugin data is removed prior to a rerun
      of the tool. This is helpful for localhost plugin development.
PASS: Verify handling of adding multiple plugins that span both
      built-in and localhost locations.
PASS: Verify handling of missing plugin(s) when specified with
      the --plugin option.

Regression:

PASS: Verify collector package build and passes tox.
PASS: Verify both on-system and off-system Report handling.
PASS: Verify collect all using --report option
PASS: Verify logging with and without --debug option.
PASS: Verify no pep8 errors or warnings.

Story: 2010533
Task: 48433
Task: 48432
Task: 48443

Change-Id: I42616daad2de6b0785f11736ef20b11e19f19869
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-07-21 16:51:54 +00:00
Zuul
40e18a57eb Merge "Add script to refresh deploy plug-in post patching" 2023-07-21 13:18:27 +00:00
Susendra Selvaraj
7a371e65a2 Add script to refresh deploy plug-in post patching
Utility script is created to update deploy plug-in automatically
post patching. This involves:
1. run ansible playbook to upgrade static images
   - pull deploy plug-in image from configured source
   - push its image to local registry
2. run ansible playbook to refresh deploy plug-in

Test Plan:
PASS: Verify deploy plug-in is refreshed after script execution.
 - Create restart script to invoke the utility script
 - Copy the new debian files onto the controller
 - Create sneaky patch with debian files and restart script
 - Check deploy plug-in image version before applying sneaky patch
 - Apply the sneaky patch
 - Check deploy plug-in image version after applying sneaky patch
PASS: Verify utility script is in debian package
PASS: Verify error handling is done for playbook
PASS: Verify sneaky patch remove is successful
PASS: Verify deploy pod is running new image after the patch
      containing deploy plug-in update is applied
PASS: Verify script logs generated in /var/log/platform.log

Story: 2010718
Task: 48412

Change-Id: Ifd348f005117aca5cf18e16719123410d86d027d
Signed-off-by: Susendra Selvaraj <Susendra.Selvaraj@windriver.com>
2023-07-20 15:34:06 -04:00
Zuul
3b338a6ce3 Merge "stx-extensions: load intel-uncore-frequency module" 2023-07-17 15:46:10 +00:00
Zuul
c5059576ef Merge "Fix subcloud collect when a subcloud system node collect fails" 2023-07-13 21:27:21 +00:00
Zuul
8dc55a40f6 Merge "Create local_starlingxrc script" 2023-07-13 21:15:12 +00:00
Eric MacDonald
014314a07f Fix subcloud collect when a subcloud system node collect fails
An orchestrated subcloud collect fails if one or more of the
subcloud system nodes fail to collect. For example if inactive
controller-1 is unreachable.

This update makes collect error handling improvements to allow
for an incomplete subcloud collect to finish successfully while
there is at least one valid host collected from that subcloud.

Also, allow the --timeout option to specify a timeout that is
outside the recommended range. A warning message will be produced.

Test Plan: each test case verified in both parallel and inline modes

PASS: Verify subcloud collect completes successfully when the active
      controller collect succeeds but the inactive controller or other
      subcloud system node is unreachable.
PASS: Verify same case above but rather with a --clean rather than
      collect operation.
PASS: Verify the above 2 test cases for local system collect all
      rather than subcloud collect.
PASS: Verify subcloud collect completes successfully when the active
      controller collect succeeds but the inactive controller or
      other subcloud system node is reachable but fails with host
      collect timeout.
PASS: Verify warning but allowing the user to specify a timeout that
      is outside the recommended range.
      Note: It's useful to allow for testing and extreme cases
PASS: Verify missing report tool does not fail a collect

Regression:

PASS: Verify error handling of collect from unknown host or subcloud
PASS: Verify subcloud collect fails if the subcloud is not reachable
PASS: Verify local collect failure handling when remote collect_host
      thread is killed.
PASS: Verify host collect failure handling when a reachable
      host collect fails with a timeout.

Closes-Bug: 2026768
Change-Id: Id0d53c42dae9c22323d798e23463dc636f7fbe38
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-07-13 16:29:12 +00:00
Alyson Deives Pereira
d95248449c stx-extensions: load intel-uncore-frequency module
This change adds a config file to /etc/modules-load.d/ to load the
intel-uncore-frequency module, because the module in question is not
set up for automatic loading via modules aliases. This module was
initially enabled by [1].

This module will be used by Power Metrics App in StarlingX [2].

[1] https://review.opendev.org/c/starlingx/kernel/+/884305
[2] https://opendev.org/starlingx/app-power-metrics

TEST PLAN:
PASS: Build iso success for rt and std.
PASS: Install success onto an AIO-SX lab with both rt and std kernel.
PASS: Verify with lsmod if intel-uncore-frequency module is loaded.

Story: 2010773
Task: 48329

Change-Id: I2cc34756da64b887d6d58277306b790ec8f4a149
Signed-off-by: Alyson Deives Pereira <alyson.deivespereira@windriver.com>
2023-07-12 15:36:14 -03:00
Kyle MacLeod
e5d9077c39 Update gen iso scripts for CentOS support in Debian
Update existing dynamic ISO generation scripts to target the last
CentOS release from within a Debian environment.

Changes are applied for gen-prestaged-iso-centos.sh for support
within a Debian instance.

The existing Debian-targeting files (gen-bootloader-iso.sh,
gen-prestaged-iso.sh) are updated for minor fixes in logging,
consistency, and overall code structure for ease of support and
maintenance.

This commit aligns recent changes of gen-bootloader-iso.sh into
gen-bootloader-iso-centos.sh, for easier support going forward.

And finally, unit tests are added for the gen-prestaged-iso* scripts.
The unit tests use shunit2 framework, which is dynamically pulled in as
required to run the tests. At this point, tests are only run manually;
they are not part of the loadbuild. Unit tests may be added for
gen-bootloader-iso.sh in a further commit; however, this is of lesser
priority since this script is employed frequently on subcloud remote
installations.

Test Plan

PASS:
- Test gen-prestaged-iso.sh for generating a prestaged ISO targeting a
  local Debian install. An ISO is generated and a full subcloud
  deployment is successful
- Test gen-prestaged-iso-centos.sh for generating a prestaged ISO
  targeting a local CentOS install. An ISO is generated and a full
  subcloud deployment is successful
- Run the two new unit tests, gen-prestaged-iso-test.sh, and
  gen-prestaged-iso-centos-test.sh, both in standalone and via
  run-tests.sh. Verify with both an empty and populated input directory.
- Verify full remote/redfish Debian subcloud install and deployment.
  Targeted at gen-bootloader-iso.sh changes.
- Verify full remote/redfish CentOS subcloud install and deployment.
  Targeted at gen-bootloader-iso-centos.sh changes.

Story: 2010611
Task: 48267
Depends-On: https://review.opendev.org/c/starlingx/metal/+/886662

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I31e76ed107f589b1196320b3c8d7243fb15d3491
2023-07-11 10:10:39 -04:00
Joao Victor Portal
de718da43e Create local_starlingxrc script
This change adds a utility script called "local_starlingxrc". It does
the following actions: if the file "~/$USER-openrc" exists, sources it;
if it doesn't exist, creates and sources it. The openrc file created
uses the same Keystone username of the linux user logged in and asks the
password. It should be used through command "source local_starlingxrc".

Test Plan:

PASS: Successfully deploy an AIO-DX containing this change.
PASS: In the deployed AIO-DX, check that the command "local_starlingxrc"
is available at "/usr/local/bin/local_starlingxrc" with permissions
"-r-xr-xr-x", user root, group root.
PASS: In the deployed AIO-DX, create linux user user1 that is not part
of groups sys_protected and root and create Keystone user user1 with
user role "reader". Execute a SSH to the active controller using user1,
execute "source local_starlingxrc", inform the password asked and
execute "system host-list" with no errors. Check that the file
"user1-openrc" is created in user1 home folder with permissions
"-rw-------", owner user1. Exit and execute SSH again using user1,
execute "source local_starlingxrc", check that no password is asked and
execute "system host-list" with no errors.
PASS: Repeat the test above using standby controller. Check that the
output of "source local_starlingxrc" always prints an error message
saying that it is not the active controller and that "system host-list"
always returns an error.

Partial-Bug: 2024627
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/886661
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I576bf49cc5db9fef10f26963219d7c179f46a24f
2023-07-11 14:03:08 +00:00
Zuul
8c865c4937 Merge "Adding tox jobs for report tool" 2023-07-10 14:17:35 +00:00
Kyle MacLeod
f12b149a35 Support gpg-verify=false for subcloud remote ostree pull
This commit supports the developer use-case of a system controller
ostree repo configured with gpg-verify=false. In such cases, the
subcloud ostree repo instances must also be configured with
gpg-verify=false, or the ostree pull will fail.

We first check if the system controller is configured with
gpg-verify=false.  If so, then the 'instgpg=0' boot parameter is added
to miniboot ISO. This will trigger the appropriate configuration in both
the miniboot kickstart and the LAT /install script.

A minor fix is also included where missing initramfs .sig files would
fail the install. Some developer builds do not contain the .sig files,
which causes remote subcloud install failures without this fix.

Test Plan:
PASS:
- Install subcloud with non-GPG signed ostree commits present on system
  controller. Ensure the ostree pull is successful on subcloud, with a
  successful install.
- Ensure normal subcloud installation is successful

Story: 2010611
Task: 48308

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I25333f75e6592d7c8dd40f509c5316a02e366f85
2023-06-28 16:41:05 -04:00
Al Bailey
4c907bc2a7 Adding tox jobs for report tool
This adds in flake8, bandit and pylint tox jobs for
the report tool

Test Plan:
   PASS: build-pkgs -c -p collector
Story: 2010642
Task: 48265
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I81fcf500663e1f74f491e11c25ff1d427d456536
2023-06-21 16:14:12 +00:00
Zuul
f3b8c885a3 Merge "Increase collect ssh, scp and sudo expect operation timeouts" 2023-06-20 14:57:42 +00:00
Zuul
ba5aa76492 Merge "Update update-iso.sh script with Debian network interface setup example" 2023-06-16 19:27:13 +00:00
Eric MacDonald
29fb1c4435 Increase collect ssh, scp and sudo expect operation timeouts
The collect operation has been seen to fail with a timeout error
when collecting from remote hosts over a high latency network.

This update consolidates the collect timeouts into a separate
source included file '/etc/collect/collect_timeouts'.

The ssh, scp and sudo timeouts were seen to vary from function
to function. Since the timeout is always waiting for password
prompt this update normalizes them all to 60 seconds.

Move additional miscellaneous timeouts to the timeouts file
giving them opportunity to be configurable in the future.

Test Plan: High latency is 1200 ms

PASS: Verify collect system hosts on typical network
PASS: Verify collect multiple subclouds on typical network
PASS: Verify collect system hosts on high latency network
PASS: Verify collect multiple subclouds on high latency network
PASS: Verify collect subcloud with persistent long delays
      ... 1200ms, 1500ms, 2000ms, 300ms and 5000ms
PASS: Verify that the new collect timeouts file can be modified and
      those modified values used in subsequent collect operations
PASS: High latency collect soak (10 iterations)

Closes-Bug: 2023554
Change-Id: I6fa318eea35c175d01646d93220637e95efd29e1
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-06-16 15:47:16 +00:00
Zuul
d56d82ce4c Merge "Report tool support for subcloud collect bundles" 2023-06-14 18:18:58 +00:00
Eric MacDonald
53719fe07f Report tool support for subcloud collect bundles
Subcloud collect bundles have an extra level of directory hierarchy.

This update refactors the report.py bundle search and extraction
handling to support both single and multi host and subcloud collect
bundles.

Typical use is

    report.py <bundle pointer option> /path/to/bundle

Bundle pointer options

--bundle    Use this option to point to a 'directory' that 'contains'
            host tarball files.

--directory Use this option when a collect bundle 'tar file' is in a
            specific 'directory'.

--file      Use this option to point to a specific collect bundle
            tar file to analyze.

The following additional changes / improvements were made:

- improved report.py code structure
- improved management of the input and output dirs
- improved debug and error logging (new --state option)
- removed --clean option that can fail due to bundle file permissions
- added --bundle option to support pointing to a directory
  containing a set of host tarballs.
- modified collect to use the new --bundle option when --report
  option is used.
- implement tool logfile migration from /tmp to bundle output_dir
- create report_analysis dir in final output_dir only
- fix file permissions to allow execution from git
- order plugin analysis output based on size
- added additional error checking and handling

Test Plan:

PASS: Verify collect --report (std system, AIO and subcloud)
PASS: Verify report analysis
PASS: Verify report run on-system, git and cached copy

PASS: Verify on and off system analysis of
PASS: ... single-host collect bundle with --file option
PASS: ... multi-host collect bundle with --file option
PASS: ... single-subcloud collect bundle with --file option
PASS: ... multi-subcloud collect bundle with --file option
PASS: ... single-host collect bundle with --directory option
PASS: ... multi-host collect bundle with --directory option
PASS: ... single-subcloud collect bundle with --directory option
PASS: ... multi-subcloud collect bundle with --directory option
PASS: ... single-host collect bundle with --bundle option
PASS: ... multi-host collect bundle with --bundle option

PASS: Verify --directory option handling when
PASS: ... there are multiple bundles to select from (pass)
PASS: ... there are is a bundle without the date_time (prompt)
PASS: ... there are extra non-bundle files in target dir (ignore)
PASS: ... the target dir only contains host tarballs (fail)
PASS: ... the target dir has no tar files or extracted bundle (fail)
PASS: ... the target dir does not exist (fail)

PASS: Verify --bundle option handling when
PASS: ... there are host tarballs in the target directory (pass)
PASS: ... there are only extracted host dirs in target dir (pass)
PASS: ... there are no host tarballs or dirs in target dir (fail)
PASS: ... the target dir does not have a dated host dir (fail)
PASS: ... the target dir does not exist (fail)
PASS: ... the target is a file rather than a dir (fail)

PASS: Verify --file option handling when
PASS: ... the target tar file is found (pass)
PASS: ... the target tar file is not date_time named (prompt)
PASS: ... the target tar file does not exist (fail)
PASS: ... the target tar is not a collect bundle (fail)

PASS: Verify tar file(s) in a single and multi-subcloud collect
      with the --report option each include a report analysis.
PASS: Verify logging with and without --debug and --state options
PASS: Verify error handling when no -b, -f or -d option is specified

Story: 2010533
Task: 48187
Change-Id: I4924034aa27577f94e97928265c752c204a447c7
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-06-13 21:59:03 +00:00
Zuul
c4b2d8d8e5 Merge "Remove gen-prestaged-iso.sh max file size limitation" 2023-06-13 14:32:10 +00:00
Eric MacDonald
cb27342079 Remove gen-prestaged-iso.sh max file size limitation
Current version 1.1.11 of 'mkisofs' (also known as genisoimage) no
longer errors out on input files larger than 4G. The 4G limitation
only applies to ISO images that need to be ISO-9660 compliant.

StarlingX prestaging ISO images are not required to comply
to ISO-9660 as they never have. The gen-prestaged-iso.sh script
has always warned that the created filesystem does not conform
to ISO-9600 and there has never been a problem installing images
produced with this tool.

Therefore, this update removes the input filesize check which
is preventing system administrators from creating prestaged
iso images from Debian StarlingX images that exceed 4 GB

Test Plan:

PEND: Create and install prestaged ISO images from an input
      ISOs that are larger than 4G ; sizes of 4.1G, 6G and 10G.
PASS: ... 4.1G
PASS: ... 5.8G
PASS: ... 14G

Closes-Bug: 2023592
Change-Id: I2ac3f3ad159892aed9cdb091c5ab3d93e7630430
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-06-12 23:06:49 +00:00
Eric MacDonald
eefc2de70c Update update-iso.sh script with Debian network interface setup example
The functional changes made to update-iso.sh over the transition from
CentOS to Debian did not change the example in the tool's help output.

This update modifies the network setup example in the update-iso.sh
script to reflect the method used in Debian.

Test Plan: Create a ks-addon.cfg script and add it to the iso
           using the update-iso.sh script.

PASS: Run the update-iso.sh to add the ks-addon.cfg file
PASS: Verify help output content and format
PASS: Verify addon execution and interface file setup over USB install
PASS: Verify addon execution and interface setup over pxeboot install
      ... with pxeboot addon support added to the kickstart
PASS: Verify network scripts created properly on install
PASS: Verify networking automatically setup over post install reboot
      ... using the example provided in this update

Closes-Bug: 2023486
Change-Id: I42d13c1ef0ad12b435c52c1bb312a21f30cf7fcd
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-06-12 13:29:24 +00:00
Kyle MacLeod
05d5a6f917 Add extra_boot_params boot parameters into miniboot parms
When the --param extra_boot_params argument is given, we need to parse
the given boot parameters and include them in the miniboot boot options
by adding them into the BOOT_ARGS_COMMON variable

Example:
For '--param extra_boot_params=arg1=1,arg2=two'

The following is added to the miniboot kernel options:
extra_boot_params=arg1=1,arg2=two arg1=1 arg2=two

Where 'extra_boot_params=arg1=1,arg2=two' is required for parsing by
miniboot.cfg and 'arg1=1 arg2=two' are the actual boot parameters
applied during boot of the miniboot bootimage.iso.

Test Plan
PASS:
- Verify that extra_boot_params is parsed as both the 'extra_boot_params='
  as well as separate miniboot kernel options (see above example)
- Verify that the miniboot comes up with the kernel options in its
  /proc/cmdline (i.e., the initial miniboot ISO boots with the
  configured extra options)
- Tested with the following input:
    --param extra_boot_params=arg1=1,arg2=2
    --param extra_boot_params=arg1=1
    --param extra_boot_params=arg1

Closes-Bug: 2023407
Depends-On: https://review.opendev.org/c/starlingx/distcloud/+/885758

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: Iae094d9f7746e8d2963e137ab809376d75ad1bca
2023-06-09 12:52:04 -04:00
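The expansion described in the commit message above, as an added example in POSIX shell (not the StarlingX script's own code). The function name and the character allowlist that rejects whitespace, quotes and empty entries are assumptions made here, so that a value cannot carry more kernel options than its comma list shows.

```shell
#!/bin/sh
# Added example; expand_extra_boot_params is a hypothetical helper name.
# Turns the value of '--param extra_boot_params=<list>' into the kernel
# options the commit message describes: the original
# 'extra_boot_params=<list>' token, then each comma-separated entry as
# its own boot argument.

expand_extra_boot_params() {
    list=$1
    case $list in
        # Empty value, or an empty entry (leading, trailing or doubled comma).
        '' | ,* | *, | *,,*) return 1 ;;
        # Assumed allowlist: anything outside it (spaces, quotes, shell
        # metacharacters) is refused instead of being passed to the cmdline.
        *[!A-Za-z0-9_.,=:/-]*) return 1 ;;
    esac

    out="extra_boot_params=$list"
    rest=$list
    while [ -n "$rest" ]; do
        case $rest in
            *,*) item=${rest%%,*}; rest=${rest#*,} ;;
            *)   item=$rest; rest='' ;;
        esac
        out="$out $item"
    done
    printf '%s\n' "$out"
}

# The commit's own example value.
expand_extra_boot_params 'arg1=1,arg2=two'
```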
Zuul
d98212da96 Merge "Improve report tool system_info plugin behavior" 2023-05-25 18:11:55 +00:00
Eric MacDonald
b6343a9e55 Improve report tool system_info plugin behavior
The current system_info plugin logs the system info for the last
host in host_dirs rather than that of the active controller.

It also does not capture the system info for all the nodes
into its plugin output file.

This update improves the system_info plugin as well as implements
the following rendering and substring handling
improvements.

1. Improve system_info plugin capture and render.

2. Adds which controller was active at the time of the collect
   to the system info rendering output.

3. Improve report analysis rendering by displaying the full
   path to plugin and correlation files.

4. Adds string exclude support to the substring algorithm.
   This allows generic string searches like ERROR to be
   searched for and gathered while also allowing specific
   logs that are considered noise logs to be filtered out.

5. Create a separate SM errors substring plugin using the new
   exclude option.

6. Adds support for commented and empty lines in the plugins
   This allows for properly commented and formatted plugins.

7. Adds plugin label name error checking
   This allows easier debug of improperly coded plugins.

8. Fixed additional pep8 warnings.

Test Plan:

PASS: Verify on-system collect with --report option
PASS: Verify on-system report generation
PASS: Verify off-system report generation from git
PASS: Verify system_info plugin collects info from all hosts
PASS: Verify report displays system_info from active controller
PASS: Verify handling when no active controller is detected
PASS: Verify new sm_errors substring plugin with excludes
PASS: Verify plugins can have empty or # commented lines
PASS: Verify report tool plugins output include path to each
      plugin file
PASS: Verify report tool correlations include path to each
      correlation file
PASS: Verify report tool plugin label parsing error handling
PASS: Verify all files pass pep8 without warning or error

Story: 2010533
Task: 48072
Change-Id: I6d0253a4c3d8804a5e45b970d766e578ea69368f
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-05-25 13:11:45 +00:00
Zuul
afa01edd4f Merge "Add kubelet certificates to show-certs.sh" 2023-05-24 18:35:40 +00:00
Andy Ning
1fbecbaae2 Add kubelet certificates to show-certs.sh
Currently show-certs.sh doesn't show status of kubelet client
and server certificates. This update adds them to the utility
scripts.

Test Plan:
PASS: Run show-certs.sh, verify the output contains the status
      of kubelet client and server certificates, as follows
 kubelet client  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Automatically by k8s
         Filename       :  /var/lib/kubelet/pki/kubelet-client-current.pem
         Subject        :  O = system:nodes, CN = system:node:controller-0
         Issuer         :  CN = starlingx
         Issue Date     :  Apr 27 18:41:43 2023 GMT
         Expiry Date    :  Apr 26 18:42:00 2024 GMT
         Residual Time  :  340d

 kubelet server  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Manual
         Filename       :  /var/lib/kubelet/pki/kubelet.crt
         Subject        :  CN = controller-0@1682620922
         Issuer         :  CN = controller-0-ca@1682620922
         Issue Date     :  Apr 27 17:42:02 2023 GMT
         Expiry Date    :  Apr 26 17:42:02 2024 GMT
         Residual Time  :  340d

 kubelet CA  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Manual
         Filename       :  /var/lib/kubelet/pki/kubelet.crt
         Subject        :  CN = controller-0-ca@1682620922
         Issuer         :  CN = controller-0-ca@1682620922
         Issue Date     :  Apr 27 17:42:02 2023 GMT
         Expiry Date    :  Apr 26 17:42:02 2024 GMT
         Residual Time  :  340d

Closes-Bug: 2020507
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I8d4c06a63270afb610f10b0a5e3be24f48aa9607
2023-05-24 13:29:43 -04:00
Eric MacDonald
55db5c8470 Add multi special character password handling to collect
Add handling for passwords that have duplicate special
characters.

For instance without this update, passing collect the following
sudo password would fail while with this update it succeeds.

    [[Pa$$word123]]

The following characters are verified to require escapes.

1.  [ and ] (square brackets)  [$$Copper1$$]   … escaped by collect
2.  ? (question mark)          ?Copper123?     … escaped by collect
3.  $ (dollar sign)            $Copper123$     … escaped by collect
4.  " (double quotes)          “<Mooser123>”   … escaped by collect
5.  \ (backslash)              \Mooser1\       … escaped by collect

Note that the backslash '\' must be escaped by the user. For instance to enter a password with backslashes that reads like this \Copper123\ it must be escaped going in like this \\Copper123\\

The following special characters are verified to not require escapes.

6.  & (ampersand)              &Copper123&     … no escape needed
7.  ( and ) (parentheses)      (Duffy123)      … no escape needed
8.  { and } (curly braces)     {HealthCare123} … no escape needed
9.  ; (semicolon)              ;Copper123;     … no escape needed
10. | (pipe)                   |PasswdTst123|  … no escape needed
11. < (less than)              <Mooser123>     … no escape needed
12. > (greater than)           <|>Copper123<|> … no escape needed
13. >> (double greater than)   >>Mooser321<<   … no escape needed
14. ' (single quotes)          ‘Copper911’     … no escape needed
15. * (asterisk)               *Mooser123*     … no escape needed
16. # (hash or pound sign)     #Mooser123#     … no escape needed
17. ! (exclamation mark)       !!@$Mooser1$@!! … no escape needed
18. ~ (tilde)                  ~Copper1~       … no escape needed
19. @ (at symbol)              @Passwd1@       … no escape needed
20. ^ (caret)                  @^Myword1^@     … no escape needed

Test Plan:

PASS: Build and Install Debian Image
PASS: Run collect with typical password

The following password patterns were verified to be parsed
properly and all verified to work with collect.

PASS: [[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
PASS: $$Passwd123$$ -> \$\$Passwd123\$\$
PASS: \Passwd1\ -> \\Passwd1\\
PASS: "Passwd1" -> \"Passwd1\"
PASS: [Passwd1] -> \[Passwd1\]
PASS: $Passwd1$ -> \$Passwd1\$
PASS: Li69nux* -> Li69nux*
PASS: "[Li69nux*]" -> \"\[Li69nux*\]\"
PASS: St8rlingX* -> St8rlingX*
PASS: $t8rlingX* -> \$t8rlingX*
PASS: $[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
PASS: "]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
PASS: [[$$$[Passwd1]$$$] -> \[\[\$\$\$\[Passwd1\]\$\$\$\]
PASS: ""[[[$$$Passwd1$$$]]]"" -> \"\"\[\[\[\$\$\$Passwd1\$\$\$\]\]\]\"\"

Closes-Bug: 2019511
Change-Id: I7d1f3b1e3814b6acb017994bc3a2822ea3ff0244
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2023-05-18 23:00:47 +00:00
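The escaping rule listed in the commit message above, as an added example in POSIX shell (not the collect tool's own code). It assumes each character the message lists as requiring an escape ([ ] ? $ " \) gets exactly one backslash prefix; the function names are hypothetical, and the input/expected pairs are copied from the message's test plan.

```shell
#!/bin/sh
# Added example; escape_password and check_vectors are hypothetical names.

# Prefix every character from the commit's "requires escapes" list
# ([ ] ? $ " \) with one backslash; all other characters pass through.
escape_password() {
    # Inside a bracket expression ']' must come first to be literal, and
    # a backslash is an ordinary character (listed twice, harmlessly).
    printf '%s' "$1" | sed -e 's/[][?$"\\]/\\&/g'
}

# Replay "input -> expected" pairs from the commit's test plan.
# Returns the number of mismatches, so 0 means every pair matched.
check_vectors() {
    fails=0
    while IFS= read -r line; do
        pw=${line%%" -> "*}
        want=${line#*" -> "}
        if [ "$(escape_password "$pw")" != "$want" ]; then
            printf 'MISMATCH for input: %s\n' "$pw" >&2
            fails=$((fails + 1))
        fi
    done <<'EOF'
[[Pa$$word123]] -> \[\[Pa\$\$word123\]\]
$$Passwd123$$ -> \$\$Passwd123\$\$
\Passwd1\ -> \\Passwd1\\
"[Li69nux*]" -> \"\[Li69nux*\]\"
$[$$Passwd1$$]$ -> \$\[\$\$Passwd1\$\$\]\$
"]\\$Passwd1$\\[" -> \"\]\\\\\$Passwd1\$\\\\\[\"
St8rlingX* -> St8rlingX*
EOF
    return "$fails"
}

check_vectors && echo "all test-plan vectors match"
```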
Luis Sampaio
71d0c40b2d Update build-info pkg version
This commit updates the build-info package metadata
to track the src_path directory and the debian dir. Any
changes to either directory will increase the package
version.

Test Plan:
Pass: build-pkgs -p build-info

Story: 2010550
Task: 47928
Change-Id: Ibf50f5e80b3e56631f37f45685d279e2013ccdfa
Signed-off-by: Luis Sampaio <luis.sampaio@windriver.com>
2023-05-02 11:27:59 -07:00
Zuul
41725cc184 Merge "Update release version to 23.09" 2023-05-02 16:02:32 +00:00
Davlet Panech
41e11f4008 Fix github mirroring for this repo
Updating the rsa ssh host key based on:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Note: In the future, StarlingX should have a zuul job and
secret setup for all repos so we do not need to do this
for every repo.

Needed to rename the secret, because zuul fails if like-named
secrets have different values in different branches of the same
repo.

Partial-Bug: #2015246
Change-Id: I62f60a26ee662814d9a21398aa138956da2fc53a
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
2023-04-28 12:38:53 -04:00