Release is done, mirror is in place, ready to go.
Adopt using systemd-timesyncd like we do for recent Ubuntu releases.
Change-Id: I3fbdc151177bf2dba81920a4a2e3966f271b50ad
The package-maps install of tox is only defined for gentoo, and that
came in with the original image build parts. We don't need that any
more.
10-pip-packages I didn't trace down, but it hasn't been doing anything
for a long time, since we removed pip-and-virtualenv. We can remove
that.
The install done in 40-install-tox I cannot see being used anywhere.
It came in with If5397d731e9fb04431482529aed23cd9fdaecc1d but I can't
see the venv actually referenced anywhere. I think this has all been
replaced by the ensure-tox role (or, indeed, jobs migrating away from
tox). Remove it.
Change-Id: If3fddd79dde56f4087e465ed8b8013f0f337e0cb
This came in via Ie1a0aba57390c9c0b269b4cbb076090ae1de73a9 many years
ago, when it was copied from old puppet. I can't see that we need to
be installing this for any infra reason.
I guess there is a small possibility things are relying on this, but
they would be better to install it themselves anyway.
Change-Id: I0b8908a79a5dcbe2a5bf5bf72986ea28e17c95fa
We don't need to pull in Python 2 python-xml or python-dev packages
any more
python3 is always installed by DIB (it needs python3 on the image to
run elements). So we don't explicitly need to pull that in.
Change-Id: I36942435a709c25097cb57d336c45c2884a0103c
c.f. I9ccebe2dbf3a8682dab60c2070c5f78849e01446
The RedHat platforms vary if they come pre-installed with curl or
curl-minimal, and if curl-minimal is installed, it causes conflicts
when you try to install "curl" (without removing it first, or using
"swap").
pkg-map is not designed to deal with this at all; it can't say "curl |
curl-minimal". But all our base images come with curl, because we're
using cache-url which uses it.
So, in short, drop it here to avoid this conflict.
Change-Id: I4e930080f89fe833702f7cafef09642e0638960f
Update the sshd_config on our test nodes to accommodate what appears to
be an increase in ssh scanner traffic. In particular LoginGraceTime
defaults to 120 seconds. We reduce that to 30 seconds to cycle
connections more quickly. Then we also increase the maximum number of
connection startups to 30 from the default of 10. We also reduce the
random fail rate from 30% to 10% between 31 and 100 connections.
I'm not entirely certain this will fix things, but based on what we've
seen from logs it may be what we need to make ssh to test nodes more
reliable.
Change-Id: Ifacf7d00de157ab2fb60cde990f0b49f03f71415
Rocky 9 has coreutils-single package installed, so trying to install
coreutils package conflicts. Just blank this out for this platform
like 8.
Change-Id: I48933a61a065cee9402cb803b0da214eafe2cd8a
Update the package maps. It also seems like matching just "9" will
cover 9-stream and Rocky, which just uses DIB_RELEASE "9". Also fixup
the 80-enable-haveged to skip on rocky.
Change-Id: Ia352d217d00e10068a463b62f7d9aca72cb88a8c
openEuler 22.03 supports python3 only. There is no
python-devel package.
This patch updates the pkg mapping to fix the package
install problem in nodepool.
Change-Id: I11750048841ec49c893b4c9332a6029b329b54cb
Change I316e9587b6e290cd421b47f506c91dbebe0975c0 had a rather
embarrassing oversight in that it copied the /usr/bindep-env/bin/pip
invocation for upgrading pip to all the other venvs.
i.e., we were upgrading the bindep-env pip over and over, and not
actually the pip in the working venv. The os-testr install on older
platforms has now broken because it still tries to install with the
ancient inbuilt pip -- local testing has confirmed that it works with
the updated pip.
Change-Id: I22c549b5f9b9e3882fcd2340946d2850b0b2f86b
Ansible v5 appears to rely on setfacl more than ansible 2.9 did when
running tasks as a different unprivileged user than the one currently
running ansible. Without setfacl installed we get errors like:
Failed to set permissions on the temporary files Ansible needs to
create when becoming an unprivileged user (rc: 1, err: chmod:
invalid mode: ‘A+user:stack:rx:allow’ Try 'chmod --help' for more
information.}). For information on working around this, see
https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
Installing setfacl makes the error go away as ansible gets to use setfacl
instead of chown/chmod.
Ubuntu, Debian, Fedora, CentOS, and OpenSUSE all appear to call the
package 'acl'. We assume that openeuler and rocky inherit this package
name. That means we only need to override the package name for Gentoo.
Change-Id: I71736578dbd5e0683b18023e73ab44255eb6eb18
coreutils comes in two variants now, 'coreutils-single' which is a
busybox-like single binary called through symlinks and the regular
coreutils. Both satisfy the dependency for coreutils for any other
packages, but if you explicitly ask to install coreutils over
coreutils-single you get an error.
Since coreutils-single is already in the base-image, just skip
installing it on Rocky 8.
Change-Id: I89f8cb49b0cd373e454dd37439bf6efd971233e5
When adding support for CentOS Stream 9 [1], I made dib install haveged
in centos8 or centos8s only. This broke centos7 images.
This patch should get haveged installed in all centos releases != 9-stream and fix
centos7 one.
[1] https://review.opendev.org/c/openstack/project-config/+/811442
Change-Id: I5a33160c6272ee4e452b83599ca3ed552422c6d2
This package is not installed (see
I9b88baf422d947d5209d036766a86b09dca0c21a) so we can't enable this
service on 9-stream.
Change-Id: Ie42d73e7cd12c80b076429a643d95778ff5665b8
This patch is adding support for CentOS Stream 9 in elements
infra-package-needs and nodepool-base which are used in nodepool images.
- Remove installation of ntpdate (it has been removed in CS9).
- It skips installation of haveged until it's available in EPEL9.
- It maps package iptables to iptables-service.
Note that this patch has been tested together with dib patch in Depends-On.
Depends-On: https://review.opendev.org/c/openstack/diskimage-builder/+/811392
Change-Id: I25d9bb7272edc3215840a53e5d79efe5d1fd7210
The pip installed in the venv with "python3 -m venv" on Xenial is 8.X
-- this does not understand python_requires metadata on packages and
can thus pull in requirements that won't actually run inside the
virtualenv.
Avoid this by upgrading pip in the venv before installing.
While this is the immediate need, do the same on the other venvs we
create for general sanity.
Change-Id: I316e9587b6e290cd421b47f506c91dbebe0975c0
See I361059c6b62ea240b6fef5a61d254959622199d7 where we modified Fedora
to not install the deprecated ntp package.
Change-Id: I9147f16a4e67b15ac7cc0bc4684ad8390718525f
ntp/ntpdate isn't a package on Fedora any more [1]. Make this like
centos 8 above and install chrony for time services.
[1] https://fedoraproject.org/wiki/Changes/NtpReplacement
Change-Id: I361059c6b62ea240b6fef5a61d254959622199d7
This reverts commit 6f992efbc5.
Setuptools 50.1.0 has been released which reverts the breaking behavior.
https://review.opendev.org/#/c/749766/ tests that these fixes work in
other venvs that exhibited the same problems. That change looks happy so
I think this revert is ready to go.
Change-Id: I31b62be4f85f40f4d99e463cd961dec0a3542f47
Also, install yamllint in the dib env, as it's a requirement
of dib-lint now but is only in test-requirements for dib.
Change-Id: I083bca901ca51438099d1d3bbbd0076ac3d7da07
systemd timesyncd is the default mechanism for timesync on Focal;
let's reduce our modification footprint by not overinstalling ntp or
trying to enable it.
Change-Id: I60e15b9101511e9008159b7a0b63f1b4b3febb96
This is particularly important for debuntu where we need working gpg for
apt and a missing gpg-agent is fatal. We install it globally so that
consistent tooling is available across systems.
Note everyone but suse seems to have a gnupg2 package. Suse calls it
gpg2.
Change-Id: I6c56e85db501f2c9d7c648e614f1efbaadc213a2
This will install tox into a virtualenv on our images. On our older
images with globally installed tox this can be ignored but as we move to
"plain" images this can be used as an opt in tox executable by jobs.
Jobs can set the tox_executable path for the ensure-tox role.
We don't install it globally to avoid polluting package manager managed
paths.
Change-Id: If5397d731e9fb04431482529aed23cd9fdaecc1d
This is a follow-on to I85438baf5bb31790a56fe5b38327361f0a2398e9.
Skip over this install of tox, which no longer works without the
"pip-and-virtualenv" element's definition of $DIB_PYTHON_PIP. We want to
not install globally in the image, but move things like this to
ansible roles in base jobs if required.
Change-Id: Id1571210f0778019c78aec9f38e9f1254c1d68f9
Since all platforms have Python 3, use the new ensure-venv element
from the dependent change to install bindep and os-testr.
Since we are no longer using pip to install anything during the
builder, this drops the dependency on pip-and-virtualenv from
nodepool-base. Avoiding this element is our long-term goal, as it's
modifications to system state are problematic in a number of ways. To
maintain the status-quo, the pip-and-virtualenv element is added
explicitly to each build's element list, with a note on its future.
The current plan for backwards compatibility is to replicate the
environment pip-and-virtualenv provides in a base role/job that can be
optionally included. To test this, provide a new node type
"ubuntu-bionic-plain" that will not include the pip-and-virtualenv
element. This is put on just one provider (rax) to minimise impact.
The dependent-change (and a dib release) is required before merge so
the ensure-venv element is available.
Depends-On: https://review.opendev.org/707513
Change-Id: I85438baf5bb31790a56fe5b38327361f0a2398e9
The dib 2.34.0 release uncapped hacking and has found some new minor
issues. Add missing readmes and fix whitespace.
Change-Id: Ia05e54c26988774bf03b0764a6df5e60e8ddaca8
--seeder=pip is breaking images where pip is not installed from source.
New virtualenv upstream release 20.0.2 has fixed the issue seen when
using sudo [1] by copying instead of symlinking and does not need this
fix anymore.
[1] f4fd6a0991
This reverts commit be9530ae16.
Change-Id: I799982d9c023141cf612901084d4ecbd4447e969
New virtualenv will by default use a common location for seed libs like
setuptools, wheel, and pip. Unfortunately this breaks if root installs
the virtualenv and other users are expected to use it because these
other users cannot access /root/.local (where the files are stashed).
We fix this by using --seeder=pip which will install all of those libs
into the virtualenv itself.
Change-Id: I4922ea50e31dceda96f545a0d409c0d7dc022e19
On platforms such as CentOS 8 which are python3 first, "virtualenv"
and "pip" may not exist (removed to avoid any confusion over them
being v2 or v3 commands).
The referenced dib change exports new variables that should be correct
on all platforms for creating virtualenvs and pip installs.
(note will require DIB release to be active on builders)
Depends-On: https://review.opendev.org/684462
Change-Id: I3414fb9e503f94ff744b560eff9ec0f4afdbb50e
We've never really tested any of this on RHEL, so remove that match
(also, rhel7 element is deprecated for the version-less rhel element).
The CentOS elements export $YUM to be either dnf/yum as appropriate,
so use that behind the distro check where it will be defined.
Change-Id: I3dc18b2f7b6a624719a5f8d7d8b888c69fc0ac2b
These images are Python3 only -- no python-dev
The ntp tools are replaced with chrony on CentOS 8, select it instead.
Update the service enablement too. I have done a quick audit and
I don't believe any of our base job parts rely on ntpdate as such
(except for deprecated devstack-gate; there is actually an
unmerged ancient change! [1]).
[1] https://review.opendev.org/#/c/352674/1/functions.sh
Change-Id: Id2dbda7f114de0be4e4227da179490a17a22eb24
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.
openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
co-opted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat` which makes
conditionally composing the file more natural.
[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
A new version was stabilized on the 5th that allows for more complex
ssl usage.
Also, alphabetize the use flag definitions based on package name.
Change-Id: Ie6f3f8462e98ca24879db9ef942ec81072330323
This reverts commit 08a258c96b.
Note the difference here is using all lower case for the options. It
seems sshd is sensitive to the case.
Change-Id: Ide639491bcdedfb2ee8f76e8d0bfe83dde45805f
This reverts commit 5d81e77e8c.
This breaks our images with:
"/etc/ssh/sshd_config line 85: Bad yes/no argument: No"
Change-Id: Id6feff2a6842764b2f375b77e33f52b5fc03944f
Glean only configures key based authentication credentials. There is no
reason to allow password auth so disable it. This shouldn't be necessary
as no accounts allow password auth in /etc/shadow anyway but this gives
us security in layers like onions and ogres.
Change-Id: Ie17aa901eb3fe7387707a236287a3e880990eeb2
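As an added example (not code from the opendev repositories these commits belong to), a small checker for the sshd_config settings discussed in the scanner-traffic commit above (LoginGraceTime, MaxStartups) and in the PasswordAuthentication commit here; it also flags the "Bad yes/no argument: No" mistake from the earlier revert. The MaxStartups target 30:10:100 is my reading of that commit message and is an assumption.

```python
import re

SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample of the target settings, not from the opendev images)
Port 22
LoginGraceTime 30
MaxStartups 30:10:100
PasswordAuthentication no
"""

# LoginGraceTime and PasswordAuthentication come straight from the commit
# messages; 30:10:100 is an assumption (start=30, fail rate=10%, full=100).
EXPECTED = {
    "logingracetime": "30",
    "maxstartups": "30:10:100",
    "passwordauthentication": "no",
}


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its first value, as sshd does:
    the first occurrence wins and keywords are case-insensitive. Values
    are kept verbatim because sshd rejects 'No' as a yes/no argument."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd_config(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the config matches."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() == want.lower() and got != want:
            # e.g. 'No' for a yes/no option: sshd refuses to start on this
            findings.append(f"{key}: {got!r} differs from {want!r} only in case")
        elif got != want:
            findings.append(f"{key}: {got!r}, expected {want!r}")
    return findings
```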
Add rhel7 distrib in unbound and iptables script for nodepool-base, and
add haveged installation for infra-package-needs to ensure users could
use these elements to build rhel based image.
Change-Id: Ib0ad877369bafab64a1fd25cc331363d771d5753
This was brought in with puppet work in
Ia9c45b762eea9f2989c9c63fb944b9e5e1f17ed2 but we do not want it in the
base centos 7 image. bindep-fallback packages relying on it have been
removed with Iab9495bd381b135e8a0f2e8f35e51a9218cf8f40. I have done a
local build with this and there are no other hidden dependencies relying
on this within the image creation AFAICS.
Change-Id: I747c2b8754effbc6ec82af3bf7543fd9599a6c14