Upstream has deprecated 'node-role.kubernetes.io/master'
to use 'node-role.kubernetes.io/control-plane' in k8s 1.24.
To preserve backwards compatibility we need to revert back to using
the 'node-role.kubernetes.io/master' taint.
Platform and applications need to be updated to use 'control-plane'
with nodeSelector/Tolerations so we may upgrade from 'master'.
Test-plan:
PASS: kubernetes-1.24.4 package builds
PASS: AIO-SX Fresh install of ISO with k8s 1.24.4
Story: 2010301
Task: 46564
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: I660bf2bc0bbf50cdff85b9c72477e53b176c9ed9
The debian version did not match the downloaded
tarball.
The build break issue was introduced when this merged
https://review.opendev.org/c/starlingx/integ/+/860297
Test Plan:
downloader -b -s -B std,rt
build-pkgs -c python-keyring
Story: 2010353
Task: 46503
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I4a19bacf11fc45e3c9be5c4666554f17e93057e2
This review allows this repo to pass zuul.
Bashate 2.1.1 was released Oct 6, 2022
It adds a more stict indentation check
Fixed the new bashate error.
Related-Bug: 1991971
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I2730f9216b46b3fa2a83f2f8d55ead2b813f4e37
This commit uprevs the containernetworking-plugins to 1.1.1 and
bond-cni v1.0 (with the latest commit) on Debian
This version of containernetworking-plugins has a Build-Depends on:
golang-github-networkplumbing-go-nft-dev v0.2.0-2
The bond-cni vendor module patches are taken care of
in the latest commit update.
Also, the plugins sysctl patches are taken care of in the
containernetworking-plugins v1.1.1 release.
Test Plan:
- PASS: downloader -b -s -B std,rt
- PASS: build pkgs
- PASS: build image
- PASS: install and ensure the plugins are present
at /var/opt/cni/bin/
- PASS: install and ensure the packages are the correct version
Story: 2010212
Task: 46507
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
Change-Id: I079e50c9339bac395dfaf9d1f27aa321dbc45140
Update storage preset to manage the system services that are started
based on storage personality.
Test Plan:
PASS: Install storage-0 and check if it is online
Story: 2010211
Task: 46509
Signed-off-by: Hediberto Cavalcante da Silva <hediberto.cavalcantedasilva@windriver.com>
Change-Id: I1ebd30ad5a6ffd54171793c32c3e4aa447ef42e7
Add debian infrastructure for openvswitch to build a debian package.
Needs to be merged with [1].
Test Plan:
PASS - Build openvswitch package
PASS - Build all debian packages
PASS - Create and install stx iso
PASS - Check if the package is installed in the iso
[1] https://review.opendev.org/c/starlingx/tools/+/859335
Story: 2010317
Task: 46389
Signed-off-by: Pedro Almeida <pedro.monteiroazevedodemouraalmeida@windriver.com>
Co-authored-by: Rafael Cardoso Pereira <rafael.cardosopereira@windriver.com>
Change-Id: I06c341c05c745490be37ae31df5d0c31ca3dce82
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use shim version: 15+1533136590.3beb971.
Although there was a debian package for shim here, it wasn't
effective because LAT didn't use it (the shim version in use is
12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper
version for this porting.
I choose this version because it should be matched with the grub image.
shim 15.3 introduced and now mandates SBAT.
This means that shim 15.3+ will not launch any EFI binaries
without a .sbat section.
Use tis-shim.der (another format for tis-shim.crt) to verify grub
image's signature.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46401
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Add efitools 1.9.2-1 for debian.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46400
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I672f0c0182bf894d10c508b83b959eec47971ceb
Remove the network drivers ice, i40e and iavf if multi-drivers-switch
is set in cmdline, which ensures that ice, i40e and iavf drivers will
not be loaded during initramfs stage.
pxe-network-installer will not be impacted because the parameter
multi-drivers-switch is not set in this stage.
We need do the following steps to switch to the legacy drivers.
1. Add /etc/depmod.d/multi-drivers.conf.
cat /etc/depmod.d/multi-drivers.conf
override ice * extra/ice-1.8.3.1.2
override i40e * extra/i40e-2.18.9
override iavf * extra/iavf-4.4.2
2. depmod
3. Add cmdline parameter multi-drivers-switch=1
4. reboot
Do the following steps to switch back to the latest drivers.
1. Modify /etc/depmod.d/multi-drivers.conf.
cat /etc/depmod.d/multi-drivers.conf
override ice * updates/ice
override i40e * updates/i40e
override iavf * updates/iavf
2. depmod
3. reboot
Testing:
- An ISO image can be built out successfully.
- PXE network install success onto a All-in-One Duplex lab with rt
and std kernel.
- Drivers will not be loaded in initramfs stage.
- Latest driver versions are loaded by default and ddp version correct.
It is 1.3.30.0.
- It can switch to the legacy drivers manually with
/etc/depmod.d/multi-driver.conf and cmdline parameter
multi-drivers-switch=1, ddp version is 1.3.28.0.
Story: 2010326
Task: 46438
Depends-On: https://review.opendev.org/c/starlingx/kernel/+/859519
Signed-off-by: Jiping Ma <jiping.ma2@windriver.com>
Change-Id: If86e8280011bfef97ec54ad5b47959a6128a4eb5
The systemd-preset package centrally manages the
system services that are started based on "personality
types".
The systemd-preset package works in concert with the
platform-kickstart package. When the user selects the type of
node they want to install, the kickstart package
will symlink one of the node types from the systemd-preset
package and will run the systemctl preset-all command to
reset the services that are going to be started
at boot.
Test Plan
Build package
Build ISO
Install ISO
Bootstrap AIO install type
Story: 2009968
Task: 46406
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854667
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I0c9c78c7fb9a2e00904e934fde8b2ae9d7592380
Remove the system-presets from the centos-debian-compat
package so that the systemd-presets policies can be
better managed.
This is part of the systemd-traits work that is currently
being undertaken.
Test Plan
Build package
Build ISO
Install ISO
Check for symlink from /lib/lsb/init-functions
to /etc/init.d/functions.
Story: 2009968
Task: 46406
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854667
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I5d30aca52819a536a78faaab0452f2dc2baed839
Disable the following services:
- systemd-timesyncd
- systemd-networkd
- systemd-network-generator
- systemd-resolved
- systemd-homed
- systemd-userdbd
- systemd-boot-update
The reason these services are being disabled is because of the new
"system traits" feature. When the kickstart file runs the command
"systemctl preset-all" the sevices will be enabled by default. To
get the original state in AIO-SX the services will be disabled by
default.
This is part of the "system traits" feature. This work only
affects Debian.
Story: 2009968
Task: 46406
Test Plan
PASS Build package
PASS Build ISO
PASS Check for running systemd-network
Depends-On: https://review.opendev.org/c/starlingx/integ/+/853653
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I382beab7dcd491fe40941da936af15e7819c2307
This adds kubernetes 1.24.4 package for Debian, this is built
using golang-1.18.5.
The debian/rules has been updated to align more closely with Debian
Source Package: kubernetes (1.20.5+really1.20.2-1.1), the debian/* files
from this tarball: kubernetes_1.20.5+really1.20.2-1.1.debian.tar.xz .
Reference: https://packages.debian.org/source/bookworm/kubernetes
This has customizations to debian/* overrides (e.g. rules, control,
and kubernetes-x.*. This enables support of kubernetes upgrades with
multiple build versions of kubernetes, and has specific binaries/config
files isolated in stages, with -master, -misc, and -unit-test packages
built but not required in production. Each kubernetes version is built
with a corresponding golang compiler version.
The following patches were cleanly applied and included:
kubeadm-create-platform-pods-with-zero-CPU-resources.patch
Revert-use-subpath-for-coredns-only-for-default-repo.patch
kubernetes-make-isolcpus-allocation-SMT-aware.patch
kubelet-sort-isolcpus-allocation-when-SMT-enabled.patch
The following patches did not apply cleanly. These will be included
in a subsequent commit after porting them to kubernetes 1.24.4.
kubelet-cpumanager-disable-CFS-quota-throttling-for-.patch
kubelet-cpumanager-keep-normal-containers-off-reserv.patch
kubelet-cpumanager-infra-pods-use-system-reserved-CP.patch
kubelet-cpumanager-introduce-concept-of-isolated-CPU.patch
enable-support-for-kubernetes-to-ignore-isolcpus.patch
Test Plan: Debian
PASS: kubernetes-1.24.4 package builds successfully
PASS: all packages build successfully
PASS: build-iso successful with multiple kubernetes versions
Story: 2010301
Task: 46312
Depends-On: https://review.opendev.org/c/starlingx/compile/+/857971
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: I154dcb4087631c5f0d921b008917ae5485b83b15
Removed conf files from /etc/pmon.d/
as they are being moved to another location.
This is part of an effort to allow pmon conf files
to be selected at runtime by kickstarts.
The change is debian-only, since centos support
will be dropped soon.
Centos' pmon conf files remain in /etc/pmon.d/
Test Plan:
PASS - deb doesn't install anything to /etc/pmon.d/
PASS - AIOSX unlocked-enabled-available
PASS - Standard 2+2 unlocked-enabled-available
Story: 2010211
Task: 46305
Depends-On: https://review.opendev.org/c/starlingx/metal/+/855095
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I27bd3be81f68bd57582d69a280f872cb7e7a73c6
This change removes the gpu-operator helm chart from Debian ISO. The
NVIDIA GPU Operator uses the operator framework within Kubernetes to
automate the management of all NVIDIA software components needed to
provision GPU.
But if NVIDIA is not present in the nodes/controller this helm will
never be used and should not be in the ISO image.
The GPU Operator will continue to be built but not installed
into the image.
Test plan (Debian only)
PASS build ISO and confirm that package was not installed
Story: 2009968
Task: 46344
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
Change-Id: I1068eebd694cc9395dbe197257707abe2ff36e0e
The nsenter package is used in the scope of the k8s coredump handler.
This package is required so the handler is able to specify separate
namespaces for the applications when they generate a coredump.
Story: 2010261
Task: 46159
Depends-On: https://review.opendev.org/c/starlingx/tools/+/854684
Test Plan:
PASS: Verify STX Debian builds properly
PASS: Verify STX Debian deploys properly
PASS: Verify python3-nsenter package was properly installed
PASS: Verify k8s-coredump runs properly
Signed-off-by: Adriano Oliveira <adriano.oliveira@windriver.com>
Change-Id: Idf0ebb90e1c91ae4f83fb7c6a85039e57e4f80bb
Currently the packages puppet-network and ifupdown-extra are not
handling the default route with in a standard manner. The package
puppet-network is adding the netmask value as IPv4 (0.0.0.0), this
change uses the prefix length with zero, as ifupdown-extra is capable
to process both netmask and prefix length per entry in
/etc/network/routes.
As for ifupdown-extra it was not capable to handle the "default"
keyword for IPv4/6 routes. This change adds that capacity.
Test plan
[PASS] install AIO-DX with 1 compute node
[PASS] unlock compute node, a default IPv6 route was installed
[PASS] add/remove IPv6 routes on the compute node
[PASS] add/remove another IPv6 default route on the compute node,
with different metric
Story: 2010211
Task: 46284
Signed-off-by: Andre Kantek <andrefernandozanella.kantek@windriver.com>
Change-Id: I38bc8437c26c1e906b600b5f3c609fe504883101
For StarlingX, enable full control of the partition creation and
formatting scheme in the kickstart hooks so that partitioning can be
more easily aligned with previous releases and can be adjusted for
specific personalities without needing additional LAT installer changes.
This change will add an "inststx" option. This option, when enabled,
will skip the default LAT installer partitioning and formatting schemes
and only call the "%part" and %mkfs kickstart LAT hooks.
By default, inststx will be enabled so that no bootline changes will be
required in base-bullseye.yaml or the pxeboot installer code
Test Plan:
PASS - Install/Bootstrap/Provision AIO-SX
PASS - Install/Bootstrap/Provision Std Controller + workers (2+2)
Change-Id: I0e9774ad4b7446ddb867f837d0ad3d0586bf8250
Story: 2009303
Task: 46192
Signed-off-by: Robert Church <robert.church@windriver.com>
Correct the required exec resource title for updating DC keystone
admin user/project IDs section.
The exec resource title was renamed from "keystone-manage bootstrap"
to "keystone bootstrap" in Debian. Update this patch accordingly.
Test Plan:
Verified: successfully get openstack secrets after DC installation
and Subcloud managed on Debian.
Story: 2010119
Task: 46218
Signed-off-by: lzhu1 <li.zhu@windriver.com>
Change-Id: I5dd9f06436903a01b564f44004058438a93de8b6
Remove two patches that were initially submitted to enable AIO
integration prior to the creation of the Debian kickstarts. Now that we
are utilizing the kickstart file and LAT kickstart hooks, remove the
unused code from the installer.
This change also renames patches in sequential order and cleanups up
subject lines.
Test Plan:
PASS: Install/Bootstrap/Provision AIO
PASS: Install/Bootstrap/Provision STD Controller/Worker
Change-Id: I5349a23c7fbd8b435fc9cbaffdecbafd388befa7
Story: 2009303
Task: 46189
Signed-off-by: Robert Church <robert.church@windriver.com>
The directory change will fix the error shown when building an image
regarding n3000-opae. The build script needs a non-empty docker
directory as well as a Dockerfile to run properly.
Closes-Bug: 1988868
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
Change-Id: I0cf57216d60a12728a13c1278b6ea4a5d2cd1e2f
It was detected on StarlingX the lack of correct hostname after
address atribution by the server, if the installation is IPv6. This
change makes the dhclient script read the field fqdn_hostname (if
available) to set the name.
Test Plan
[PASS] Install AIO-DX within a IPv6 network
[PASS] unlock controller-1
Story: 2009968
Task: 46211
Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Change-Id: I9c876d00feed03720317fa4d581971b4c25f771f
During AIO-DX IPv6 node installation, the management address for
controller-1 set by dhclient receives a "/128" prefix length. The
cause comes from DHCPv6, which does not inform a prefix length on its
negotiation. The prefix should be learned via RA messages.
Since the internode IPv6 communications in StarlingX do not contain
a router and RA is in principle disabled on the management network,
we must set the system with the default prefix length of 64. A similar
patch was done for Centos.
Test Plan
[PASS] Install AIO-DX on IPv6 network, it is correctly setting the
controller-1 mgmt ip address after the first boot.
Story: 2009968
Task: 46184
Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Change-Id: I2fce4e7fce7f4e1fd6902d24330d7621b238031a
Due to the changes
bd9e560d4b
which removed the sm-watchdog, we also need to remove the enablement
of the service it provided from systemd preset.
Story: 2010087
Task: 46007
Depends-on: https://review.opendev.org/c/starlingx/metal/+/855396
Signed-off-by: Davi Frossard <dbarrosf@windriver.com>
Change-Id: I7df5b047c9f2a954ebd38ec1df82b3d2d65f2ea6
nslcd has been replaced by sssd on Debian. The puppet-nslcd
package is no longer needed. With this change, the package
is no longer built and included in the image.
Test Plan on Debian:
PASS: image build
PASS: After system deployed, verify puppet-nslcd package doesn't
exist.
PASS: openldap functions (user addition, user login on console and
by ssh, etc) work properly.
Story: 2009834
Task: 46174
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/855513
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Ia29dc8e66fc1f7e7c537b4dea87511aba00f2217