We need to upversion as the leapseconds files
have expired. We also pick up any changes to
timezones, such as when DST occurs.
Verification:
- tzdata package builds ok
- check built package to ensure it contains the
leap-seconds.list file
- build-iso and make sure it contains the new rpm
- boot the iso and ensure nothing weird observed
regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
by the date command and ensure that it displays the
correct time for that timezone
Partial-Bug: 1981368
Change-Id: Ic12eb4a3a1eb3d545a4ae5d24dc01f83aeed08a0
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
A problem may occur if puppet attempts to inject a firewall rule
while the underlying iptables/ip6tables has existing rules which
use the --random-fully flag in the NAT table.
The issue occurs because puppet-firewall first makes a call to
iptables-save/ip6tables-save to parse the existing rules
(to determine if the rule already exists). If it finds a rule
with --random-fully, it will immediately bail out.
The current version(s) of puppet-firewall in StarlingX are old
enough that they don't have parsing logic for the --random-fully
flag that was initially supported in iptables version 1.6.2+.
Now that StarlingX uses iptables 1.8.4, we must account for the
possibility that various components (i.e. kubernetes) will make
use of --random-fully rules.
This feature has been implemented upstream in the following commits:
https://github.com/puppetlabs/puppetlabs-firewall/commits/
9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485
The above commits have been ported back to:
CentOS: puppet-firewall-1.8.2
Debian: puppetlabs-firewall-1.12.0
Since StarlingX does not currently build its own version
of puppet-firewall in either CentOS or Debian, this commit
also contains the infrastructure to do so.
Testing:
Note: Since the issue is intermittent on unlock, the functional
tests were performed with a custom runtime manifest that installed
a dummy iptables/ip6tables rule when an interface was modified.
At this time, it was guaranteed that there were rules with
the --random-fully flag present.
CentOS:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS
Debian:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS
Closes-Bug: #1971900
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I7dbb9e1b99d95df0aa5a7db7aa22c3c314253788
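An added example, not part of the commit above or of puppet-firewall: a pre-check that lists the rules carrying --random-fully in iptables-save/ip6tables-save output, which are the rules the older puppet-firewall parser described above cannot handle. The function name and the sample ruleset are constructed for illustration.

```python
import shlex
import sys

# Constructed sample of iptables-save output (not captured from a real node).
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-POSTROUTING -m comment --comment "text mentioning --random-fully" -j RETURN
-A KUBE-POSTROUTING -j MASQUERADE --random-fully
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def find_random_fully(save_text):
    """Return (table, chain, rule) for every rule that uses --random-fully."""
    hits = []
    table = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line == "COMMIT":            # end of the current table
            table = None
        elif line.startswith("-A "):
            try:
                # Tokenise like a shell so quoted --comment text stays one token.
                tokens = shlex.split(line)
            except ValueError:
                tokens = line.split()     # unbalanced quotes: fall back
            if "--random-fully" in tokens:
                hits.append((table, tokens[1], line))
    return hits


if __name__ == "__main__":
    # Pipe real output in (iptables-save | python3 this_file.py) or run on the sample.
    text = SAMPLE_SAVE if sys.stdin.isatty() else sys.stdin.read()
    for table, chain, rule in find_random_fully(text):
        print(f"{table}/{chain}: {rule}")
```

Matching on tokens rather than substrings keeps a rule whose comment merely mentions the flag from being reported.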
We need to install the leap-seconds.list file as
the prebuilts don't. This file is needed for
later versions of ptp.
Verification:
- tzdata package now builds
- check built package to ensure it contains the
leap-seconds.list file
- build-iso and make sure it contains the new rpm
- boot the iso and ensure nothing weird observed
regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
by the date command and ensure that it displays the
correct time for that timezone
Story: 2009130
Task: 44276
Change-Id: I57ce64d49cbf3f6a1de95aa7df462f7ae9daa1ad
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Patch the python2-kubernetes-8.0.0-8.el7.noarch.rpm with recent
bug fix commits required for proper kubernetes watch functionality.
Patches watch.py up to commit 10ae476 in the 'base' repo
(kubernetes-client/python-base).
Commits are taken from the cloned github repo, saved in patch format,
and applied as a patch to the source RPM.
Reference:
https://github.com/kubernetes-client/python-base/commits/master/watch/watch.py
This patch includes commits beginning with d56fdbc, up to and including 10ae476
Testing:
- Built and tested on local distributed cloud system
- Similar testing to this patch but based on locally modified package
has been done on 1000 subcloud system
- Examine/compare contents of installed package vs. expected
- Generating events which trigger the watch conditions
- Monitor watches for proper behaviour on expiry
Story: 2008960
Task: 43053
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I7ad78957b6ef61e7204c45f482f201d5c281385b
This commit applies several patches to the linuxptp srpm in order to
address an issue syncing multiple interfaces on a ptp node. The srpm
used is linuxptp-2.0-2.el7.src.rpm.
Patch descriptions:
base/linuxptp/centos/meta_patches:
0001 updates the srpm spec file to apply the patches during build
0002 updates the package versioning to comply with the STX format
base/linuxptp/centos/patches:
Patches 0001-0005 combine to correct a fault present when a ptp node is
configured with multiple clocks in jbod mode which results in the client
port getting stuck in the UNCALIBRATED state and unable to lock to the
Grandmaster clock. The root of the issue lies in the sanity check where
checking timestamps received on multiple ports will result in the
sanity_freq_limit threshold constantly being reached and the servo for
that port is repeatedly reset, preventing it from ever syncing.
The changes in patches 0001-0005 have been written by Miroslav Lichvar
on the linuxptp-devel mailing list. They are currently under review and
testing by the upstream linuxptp maintainers prior to merging. I was
able to apply them as-is to linuxptp v2.0. I have chosen to keep them as
individual patches, as that is how they will appear upstream.
Patch 0006 is my work and serves to address an issue in phc2sys
where the local ptp clocks are not synced together properly if the local
time is far behind the reference time. This issue occurs when phc2sys
starts and there is no client port currently synced to a grandmaster. In
the original behaviour, phc2sys selects the first configured port and
proceeds to sync all of the other clocks to it by performing the
first_step operation.
Then ptp4l will eventually lock to the Grandmaster clock, and that
single port will have its time updated to the correct value, but
phc2sys has already performed the first_step operation and will not
step the other clocks again.
My solution is to provide an option to disable the selection of a
default port by phc2sys. When no default port is selected, phc2sys waits
for ptp4l to sync to the Grandmaster before bringing the other clocks
into sync with the first_step operation.
This option is configured via the default_sync
parameter or the -D flag. The default_sync parameter is set to on by
default in order to keep the behaviour the same as upstream linuxptp
but can be configured by users via
system service-parameter-add ptp global default_sync=0
Closes-Bug: 1930607
Signed-off-by: Cole Walker <cole.walker@windriver.com>
Change-Id: I2f660787c6753dcd4fc4c51da7b08ab9e6f197f4
Update ntp source package to:
ntp-4.2.6p5-29.el7.centos.2.src.rpm
In fact it is version ntp-4.2.6p5-29.el7_8.2.
(Refer to https://git.centos.org/rpms/ntp/c/e9ba41e9edf8efad8f090aad24845b8f4db0668d?branch=c7)
Story: 2008532
Task: 41691
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: If5db6b15b9c01a20a614bb160bba575c6b578d3e
Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm
Adjust the context of the patch so that it applies to the new version.
At the same time, as the new version depends on the bind-export
packages, we also add the dependency packages in the tools repo.
bind-export-libs-9.11.4-26.P2.el7.x86_64.rpm
bind-export-devel-9.11.4-26.P2.el7.x86_64.rpm
In addition, the patch dhcp-dhclient_ipv6_prefix.patch sets the
default prefixlen to 128, which is what the specifications usually call
for in a host address, and it doesn't include any on-link information.
By contrast, 64 indicates a subnet area, and this value is used
frequently. So we still use the previous value 64.
As a result we don't need to modify the relevant place where every
application code needed for the compatibility any more.
Depends-On: https://review.opendev.org/c/starlingx/tools/+/772241
Story: 2008532
Task: 41638
Change-Id: I0305711790d8e3fb1adfa69e1077468456b65d84
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
This reverts commit 613fbf258f72042f912a1fde5608168b1068db36.
Since this upversioned package updates the prefixlen to 128, it
will cause all hosts to go offline after booting off the controller-0.
At the same time this issue will block the use of recent loads for
both development and test activities. So we revert the patch first,
investigate more deeply, and then send a new review request for the
upgraded patch with the appropriate offline fix.
Closes-Bug: #1915050
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I02ecaa1bda463efb38d9c32a47f2221d0de7f99d
Avoid the heap-based buffer overflow.
Upgrade to the below package to fix the CVE issue:
grub2-2.02-0.86.el7.centos.src.rpm
At the same time adjust the context and drop
0004-grub2-remove-32b-requirements.patch since it has already been
included in the new version.
Story: 2008532
Task: 41664
Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm
At the same time, since the new version depends on the bind-export
package, we also add the dependency package in the tools repo.
Depends-On: https://review.opendev.org/c/starlingx/tools/+/771744
Story: 2008532
Task: 41638
Change-Id: Ic25b4404475a6f914e5a524db7d60d7e9dcffc85
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Uninstall SNMP RPM Host-Based from starlingx/integ repo because it
will be containerized.
Also disable snmp from networking/lldpd/centos/lldpd.spec file.
Story: 2008132
Task: 41322
Depends-On: https://review.opendev.org/761792
Signed-off-by: Nicolas Alvarez <nicolas.alvarez@windriver.com>
Change-Id: Ifda06a5eb3bd0ec9683823b643e6d9cc0e7c97e2
pkg logmgmt upgraded to python3 requires python3 model "daemon",
and no pkgs in the CentOS 7 official repo provide it.
This patch refers to the python3-daemon pkg built by rdo
for CentOS 8: python-daemon-2.2.3-7.el8.src.rpm
Disable the rpm check part, which is not required in stx, to
reduce python3 dependencies that are not supported by CentOS 7
Depends-on: https://review.opendev.org/#/c/727657/
Depends-on: https://review.opendev.org/#/c/727662/
Change-Id: Ie08ea9c7adf830ad4e8e924fa69352fb2a923a6f
Story: 2007106
Task: 39291
Signed-off-by: SidneyAn <ran1.an@intel.com>
Build broken by commit 5056c8458696acb429279a3c07f12971f0b386df
which changed the version of the libibverbs and rdms-core packages
without a matching change to the lst files.
This update brings the lst file into line with the new version.
Story: 2007308
Task: 38805
Task: 38806
Change-Id: I0a305804e0a4cf7c1dd06c3a6ec1af5724dcdfc5
Signed-off-by: Scott Little <scott.little@windriver.com>
* Moved subdirectories from kernel/ into a new repo
* Removed references to kernel from this repo's file lists
Change-Id: I386418f51169dd9b8c977bae328060077ac44b93
Depends on: I4b171accd8b489c92f6d2c69cb7aa5c63e75f336
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
This upgrade fixes the CVEs listed below. We refresh the patches
against the new kernel source.
Patch 15 is now included in the new version, so I drop it
in the new patch.
CVE bug: CVE-2019-11810: kernel: a NULL pointer dereference in
drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI
CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel
escape during migration
Closes-Bug: 1849206
Closes-Bug: 1849209
Closes-Bug: 1847817
Change-Id: I217cf8684e31dacea627c33462e5e4b6e089c38f
Depends-On: https://review.opendev.org/#/c/695355/
Signed-off-by: Robin Lu <bin1.lu@intel.com>
We are currently carrying patches for python-eventlet and
python-requests that are over three years old and were
created to "fix" a nova issue. Now that nova is in a
container, it no longer uses our eventlet or requests so
these patches do not have any effect.
The patches need to be removed to allow eventlet to be
upversioned, which is being done in another commit.
Change-Id: I730ba86d8f6ec8b88b060ada324cfd268af24b35
Story: 2006781
Task: 37583
Depends-On: https://review.opendev.org/#/c/700071/
Depends-On: https://review.opendev.org/#/c/700054/
Signed-off-by: Bart Wensley <barton.wensley@windriver.com>