Update puppetlabs-postgresql to 8.0.0, since it fully supports
Debian bullseye, and the version we were using doesn't support it
fully.
This does not affect CentOS builds at all.
Test Plan
PASS Build packages
PASS Test ISO install
Story: 2009101
Task: 43326
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/840497
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I195003be09af86d3430fe901057ec4bf559c51ed
This commit adds the kubernetes plugin kubectl cert manager to the iso.
This is used to convert old v1alpha2 and v1alpha3 cert manager
resources to v1 during a system upgrade. The plugin is not required
for debian because there are no old cert manager resources to convert.
Test Cases:
PASS: Convert our default DC certificates and issuers using
kubectl cert manager
Change-Id: I59f1b0e4d5d6ece1ccef43fee1acacd7b7e44efd
Story: 2009837
Task: 45372
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Correct the paths for the following defaults:
- OCF_RESKEY_pgctl_default
- OCF_RESKEY_pgdata_default
- OCF_RESKEY_socketdir_default
Test Plan
PASS Build resource-agents package
PASS Build ISO
PASS Unlock system
Story: 2009101
Task: 43317
Depends-On: https://review.opendev.org/c/starlingx/utilities/+/840497
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I8eab1ff7a39222dce9c2b6c0094338e70c03c1e4
This reverts commit 33c720cd03.
Reason for revert: failing bootstrap, because sysinv group was removed.
Story: 2009101
Task: 43417
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: Iaa3154518bfc0361b21a383f1fc85d83f0e22212
Add the support for the signature of livepatched modules, so we can
avoid the unsigned kernel module loading issue.
Test Plan:
Pass: Verify the kpatch-build building process.
Pass: Execute shellcheck tool without errors and warnings for
the kpatch-build script after applying this patch.
Story: 2009221
Task: 44580
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ieb56539b873dab3eab350797b8c3ab2d8923ef5d
A problem may occur if puppet attempts to inject a firewall rule
while the underlying iptables/ip6tables has existing rules which
use the --random-fully flag in the NAT table.
The issue occurs because puppet-firewall first makes a call to
iptables-save/ip6tables-save to parse the existing rules
(to determine if the rule already exists). If it finds a rule
with --random-fully, it will immediately bail out.
The current version(s) of puppet-firewall in StarlingX are old
enough that they don't have parsing logic for the --random-fully
flag that was initially supported in iptables version 1.6.2+.
Now that StarlingX uses iptables 1.8.4, we must account for the
possibility that various components (i.e. kubernetes) will make
use of --random-fully rules.
This feature has been implemented upstream in the following commits:
https://github.com/puppetlabs/puppetlabs-firewall/commits/
9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485
The above commits have been ported back to:
CentOS: puppet-firewall-1.8.2
Debian: puppetlabs-firewall-1.12.0
Since StarlingX does not currently build its own version
of puppet-firewall in either CentOS or Debian, this commit
also contains the infrastructure to do so.
Testing:
Note: Since the issue is intermittent on unlock, the functional
tests were performed with a custom runtime manifest that installed
a dummy iptables/ip6tables rule when an interface was modified.
At this time, it was guaranteed that there were rules with
the --random-fully flag present.
CentOS:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS
Debian:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS
Closes-Bug: #1971900
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I7dbb9e1b99d95df0aa5a7db7aa22c3c314253788
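
A pre-check for the condition described in the commit message above, as an added example (not code from puppet-firewall or StarlingX): it scans `iptables-save` output and reports NAT-table rules that carry `--random-fully`, the rules the commit message says the older puppet-firewall cannot parse. The sample dump and the name `random_fully_rules` are constructed for illustration.

```ruby
require 'shellwords'

# Constructed sample; on a host, pass the text printed by
# iptables-save or ip6tables-save instead.
SAMPLE_SAVE = <<~DUMP
  # Generated by iptables-save (constructed sample)
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :KUBE-POSTROUTING - [0:0]
  -A POSTROUTING -m comment --comment "uses --random-fully elsewhere" -j KUBE-POSTROUTING
  -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
  -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
  COMMIT
DUMP

# Returns one hash per rule in `table` that has --random-fully as a real
# option. Lines are tokenised with Shellwords so that the flag appearing
# inside a quoted --comment string is not counted.
def random_fully_rules(save_output, table: 'nat')
  current = nil
  hits = []
  save_output.each_line do |raw|
    line = raw.strip
    case line
    when /\A\*(\S+)\z/
      current = Regexp.last_match(1)   # "*nat" opens a table section
    when 'COMMIT'
      current = nil                    # end of the current table
    when /\A-A\s+(\S+)/
      chain = Regexp.last_match(1)
      next unless current == table
      if Shellwords.split(line).include?('--random-fully')
        hits << { table: current, chain: chain, rule: line }
      end
    end
  end
  hits
end

random_fully_rules(SAMPLE_SAVE).each do |hit|
  puts "#{hit[:table]}/#{hit[:chain]}: #{hit[:rule]}"
end
```
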
The new version mainly supports:
- Modify grub.cfg at OS boot time in EFI secure boot
- Install multiple kernels to one image
For details, in https://github.com/Wind-River/meta-lat
the following commits are added:
aad9f83 lat-installer: set default kernel and kernel param at OS install time
44a22e5 genimage: do not use real time kernel in installer OS for debian
cb3542a genimage: support multiple kernels for debian
170df7d debian/ostree: support multiple kernels
8ec7c6a grub-efi: load kernel.env to choose which kernel to boot
88bcd8a grub-efi: support to modify grub.cfg at OS boot time
4e51daa mttyexec: fix no output to file
25e5d7d mttyexec: fix do_compile error
eab4b48 genimage: search root in grub.cfg
5900abe wic: fix EFI of USB's ISO not detected on dell-9010 host
06e6b92 lat installer: add boot parameter efibootfirst=1
95f5d70 lat installer: insert a hook to report error log
5cec871 lat installer && mttyexec: save output of install
452350f lat installer: do not call dhcp for local kickstart
2004330 package-index bbappend: add missing depends task
9cdcb08 lat installer: improve kickstart hook position
9d341a8 lat installer: filter out installer ISO from prompt
f7e9bef lat installer: do not install to disk of installer ISO image
774c067 lat installer: fix conflict of multiple installer ISO image
Story: 2009964
Task: 45310
PASS: Build package initramfs-ostree,ostree,mttyexec
PASS: Build image
PASS: ISO install on Qemu, PXE install on Edgeline e920t, edit grub.cfg
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Change-Id: I339d34fa3972ce42f72df744dd346e0b1aa806c8
This change makes a correction in kubeadm.conf for k8s 1.21.8 on
Debian originally committed in
https://review.opendev.org/c/starlingx/integ/+/827384
/etc/sysconfig does not exist on Debian.
Kubelet service environment variables file location is /etc/default/
on StarlingX Debian.
Test Plan:
Package builds successfully
Closes-Bug: 1955608
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Change-Id: Ic3f7f6a514088a3ccbd7f99c0433a8144e8d0ade
Integration for AIO-SX is reaching final stages.
We've used a workaround that removes the ordering setting for about
2 months now. [1]
There is a puppet warning raised when configuring ordering.
Using title-hash ordering we see errors; using default
ordering (manifest), there are no errors.
Remove ordering configuration.
Tests:
PASS: build-pkgs, build-image, install, check puppet.conf
PASS: bootstrap
PASS: unlock
[1]: https://opendev.org/starlingx/utilities/src/commit/7ad712b168691c8172d6baffdd9a21eccad7cda4/tools/debian-integration/source-debian/before_bootstrap_workarounds.sh
[2]: https://puppet.com/docs/puppet/5.5/configuration.html#ordering
Story: 2009964
Task: 45206
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: I3025139d79959fdd0dac591bcb4087a12ce9646b
OSTree structure requires /usr to be readonly as OSTree's dracut
hook creates a read-only bind mount over /usr.
1. deploy validate_postgresql_connection.sh directly to
/usr/local/bin. It was copied to the location after
installation.
2. move /usr/local/etc/ldapscripts to /etc/ldapscripts, files
need to be writable.
3. move /usr/libexec/cni to /opt/cni/bin. Plugins are installed
at runtime.
TCs:
provision aio-dx centos with /usr mount to readonly fs.
unlocked host
provision aio-sx debian and unlocked host.
upgrade AIO-DX from 21.12
upgrade AIO-SX from 21.12
successfully apply cert-manager and nginx-ingress-controller
Story: 2009101
Task: 44314
Change-Id: I99231f3f7db3d2d8eaceba137e13dea650370f71
Signed-off-by: Bin Qian <bin.qian@windriver.com>
This changes Debian package name for k8s 1.21.8 from "kubernetes" to
"kubernetes-1.21.8".
Until https://review.opendev.org/c/starlingx/integ/+/831343
is merged, version 1.21.8 is the only packaged version of
kubernetes on StarlingX Debian. In future, multiple kubernetes
versions will be supported on most, if not all, StarlingX releases.
Currently, Debian build server uses the value of 'debname' parameter in
the meta_data.yaml as the package name.
'debname' is an optional parameter in the meta_data.yaml.
If not provided, it uses package dir name as the package name
(kubernetes-1.21.8 in this case), which follows the preferred format
('kubernetes-<version>') for naming different versions of kubernetes
packages distinctly.
Test Plan:
PASS: Package builds successfully
PASS: Image builds successfully.
Story: 2009830
Task: 44638
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Change-Id: I46f7d9307f4254597557bb8be81ef471dcc7d73d
This prevents the pci-irq-affinity-agent from being
enabled. This service is not used by the platform
anymore, migrating to be a stx-openstack container [1].
However, there is still WIP to complete the removal [2],
but the agent is already used as a container; it is not
doing anything on the platform.
1: https://storyboard.openstack.org/#!/story/2009299
2: https://review.opendev.org/c/starlingx/utilities/+/830892
Test Plan:
PASS: bootstrap finished successfully
PASS: unlock finished successfully
Story: 2009965
Task: 45194
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Change-Id: I6f89653bcf9904362b1f942720cc486a102b7f6f
The HieraPuppet.lookup() function malfunctions when hiera v5 is used.
In order to have Hiera v5 working, the function was replaced by the
'puppet lookup' command.
Hiera v5 should be used instead of Hiera v3 to avoid the following
warning during bootstrap:
"/etc/puppet/hiera.yaml: Use of 'hiera.yaml' version 3
is deprecated. It should be converted to version 5"
Also replaced the default path in which keystone.rb looks for
openstacklib since a custom installation directory is being used.
Debian Bullseye tests:
PASS: Build & install
PASS: Successful Bootstrap
Story: 2009964
Task: 45008
Signed-off-by: Matheus Machado Guilhermino <Matheus.MachadoGuilhermino@windriver.com>
Change-Id: I570aa6e06448e00b96882629b54882a1467740c5
Distro layer package 'python-keyring' has a dependency on flock layer
package 'tsconfig'. This is a violation of the layering policy,
preventing successful layered builds.
Get the SW_VERSION via parsing the /etc/build.info file instead of the
tsconfig.tsconfig python module at run time. We do this so that
python-keyring no longer has a runtime dependency on tsconfig.
Test Plan:
Pass: build python-keyring
Pass: put the code in a test.py and get the SW_VERSION variable by running
test.py in an environment in which build-info is installed.
Pass: trigger exception if removing /etc/build.info, or no SW_VERSION
in the file.
Closes-Bug: https://bugs.launchpad.net/starlingx/+bug/1968611
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7f0c4eaae7aacf5bcbef082817dc99a62600a162
The version 20220422 contains one commit:
lat installer: fix local kickstart not found [1]
lat installer: skip to install disk of installer ISO image [2]
lat installer: fix conflict of multiple installer ISO image [3]
lat installer: do not install to disk of installer ISO image [4]
lat installer: filter out installer ISO from prompt [5]
lat installer: improve kickstart hook position [6]
PASS: Build package initramfs-ostree and image
PASS: Boot image to install and boot from installed disk
Story: 2009964
Task: 45096
[1] https://github.com/Wind-River/meta-lat/commit/ca0f4beed92f7f94120e3144532059da7154fe80
[2] https://github.com/Wind-River/meta-lat/commit/0243956bc7784bcfed021447ff38a9a8d6ee45e2
[3] https://github.com/Wind-River/meta-lat/commit/774c067f28b7d3942479353874e21b37076b2598
[4] https://github.com/Wind-River/meta-lat/commit/f7e9befa780eeb81f21e7cd9f19f6bd227bc4d23
[5] https://github.com/Wind-River/meta-lat/commit/9d341a83cb93dd476218e413de6de6ab59f8bcb3
[6] https://github.com/Wind-River/meta-lat/commit/9cdcb08b9876e842d75ee7ba6e90bde1d67ac2c6
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Change-Id: I2f834f53fe26e342003b8953fe1b722a81eee3ce
Although LAT adds these variables to the grub.cfg file for
disk boot automatically, for pxeboot we develop the
grub menus outside of LAT.
This update is in response to not wanting to put the size
variables "FSZ BSZ RSZ VSZ" on the pxeboot grub command line.
If the size variables (FSZ BSZ RSZ VSZ) are not specified on the
grub command line, nor the --inst-flux option in the lat-disk
command, have default size variables in the install script.
PASS: Build package initramfs-ostree
PASS: PXE install without specifying the size variables
(FSZ BSZ RSZ VSZ) on the grub command line or the
--inst-flux option in the lat-disk command.
Story: 2008846
Task: 44637
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Change-Id: Id7f8a015f38ce9a7840f2172093d591ec117d843
Add kpatch 0.9.5 of debian packaging.
The source code package is from
https://github.com/dynup/kpatch/archive/refs/tags/v0.9.5.tar.gz
kpatch is a Linux dynamic kernel patching tool which allows you to
patch a running kernel without rebooting or restarting any processes.
It enables sysadmins to apply critical security patches to the kernel
immediately, without having to wait for long-running tasks to complete,
users to log off, or for scheduled reboot windows.
It gives more control over up-time without sacrificing security or
stability.
Need to work together with the relevant kernel module.
Test Plan:
Pass: Build successfully with 'build-pkgs -p kpatch'
Story: 2009221
Task: 44580
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I664ca39c1cbc7bfdf0f5a57ac10118f4a9b62037
The output of "pvs -o pv_name,vg_name,lv_name --separator ','" is the
same under CentOS and Debian. This output is fed to the csv.to_a.map
function which produces a slightly different hash.
Under CentOS ruby (2.0.0):
{:_pv=>" /dev/sda5", :vg=>"cgts-vg", :lv=>"log-lv"}
Under Debian ruby (2.7.4):
{:pv=>" /dev/sda7", :vg=>"cgts-vg", :lv=>"log-lv"}
The '_pv' hash key is invalid under Debian and results in:
undefined method `strip' for nil:NilClass (NoMethodError)
This patch corrects the variable reference.
Change-Id: I70033adfff4b551770e9b5026ed93c98949f3689
Story: 2009964
Task: 45101
Signed-off-by: Robert Church <robert.church@windriver.com>
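
The hashes in the commit message above show field values arriving with leading whitespace; assuming the `pvs` header line is indented the same way, the key that the CSV library derives from it depends on how that library version treats the whitespace. As an added example (not the StarlingX patch itself), a parse that normalises header names and values explicitly, so the keys are the same on any Ruby version; the sample output and the names `parse_pvs` and `pv_to_vg` are constructed.

```ruby
require 'csv'

# Constructed sample of
#   pvs -o pv_name,vg_name,lv_name --separator ','
# including one row with an empty LV column.
SAMPLE_PVS = "  PV,VG,LV\n" \
             "  /dev/sda5,cgts-vg,log-lv\n" \
             "  /dev/sda5,cgts-vg,\n"

# Explicit header converter: trim, lowercase, symbolise. This replaces the
# built-in :symbol converter, so "  PV" always becomes :pv.
NORMALISE_HEADER = ->(header) { header.to_s.strip.downcase.to_sym }

# Returns an array of hashes with keys :pv, :vg, :lv and trimmed string
# values. Empty CSV fields come back from the parser as nil, so to_s is
# applied before strip to avoid NoMethodError on nil.
def parse_pvs(output)
  table = CSV.parse(output, headers: true, header_converters: NORMALISE_HEADER)
  table.map do |row|
    row.to_h.transform_values { |value| value.to_s.strip }
  end
end

# Unique [pv, vg] pairs. fetch raises KeyError naming the missing key if a
# column is absent, instead of silently yielding nil.
def pv_to_vg(output)
  parse_pvs(output).map { |row| [row.fetch(:pv), row.fetch(:vg)] }.uniq
end

parse_pvs(SAMPLE_PVS).each { |row| puts row.inspect }
```
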
On Debian we lost the ability to control resolv.conf throughout
ansible bootstrap. It is observed how renewing leases will override
DNSs configured during ansible bootstrap. Problems will surface when
later in the bootstrap docker images are downloaded, because
information related to DNSs was overwritten by dhclient.
This behavior is different than on CentOS.
Align behavior with CentOS. In fact align with how the design should
be: control resolv.conf throughout bootstrap and don't let external
factors change it during that time.
Created a patch and updated the format (git am compatible) for an older one.
Test on AIO-SX:
PASS: build-pkgs && build-image
PASS: custom test using dhclient for OAM interface.
Forcing lease renewal to 10 seconds for quick tests.
Without this patch it is observed how resolv.conf is updated by
dhclient after resolv.conf is changed as per requirement to solve
custom domains.
With this patch it is observed how resolv.conf is not updated
anymore.
Story: 2009964
Task: 45093
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: Ic8f5ed7363124f04ff440dc9bf9935270a9ab8c9
With the iptables-config package implementation the iptables packages
(see Depends-On tag below) can be removed from this file.
Story: 2009965
Task: 45084
Depends-On: https://review.opendev.org/c/starlingx/config-files/+/838339
Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Change-Id: Id1817cc72001869bc37c7588f65ee5a8b54fef60
When the debian image boots, udev complains about
missing groups. Specifically 'video', 'audio', and 'lp'.
These groups were removed in CentOS. Re-add the groups
to silence the warnings in the daemon.log when the
machine boots.
Test Plan
PASS Build base-passwd package
PASS Boot Debian ISO
PASS Check for udev warnings in the daemon.log
Story: 2009101
Task: 43417
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Id5b5901615246ede736369b79a72d5cc9d0599cc
On Debian puppet is failing on unlock because some
services are nonexistent when puppet tries to mask them.
This commit adds a patch with the fix from puppet 6.X.
See: e42922b50e
Test Plan:
CentOS/Debian:
Pass: Build package
Pass: Build image
Pass: Controller unlocked/enabled/available
Pass: Same behaviour as before CentOS
Story: 2009965
Task: 45002
Signed-off-by: Fabricio Henrique Ramos <fabriciohenrique.ramos@windriver.com>
Change-Id: Idd10533d146ac10cda0adf9504b52f59593fb810