Commit Graph

221 Commits

Author SHA1 Message Date
Anselme, Schubert (sa246v) d00ea5f796 Update MAAS to 3.0.2
This PS updates MAAS (focal) to 3.0.2.
Version 3.0.2 includes the fix for ipv6 address issue in dhcpd.conf
https://bugs.launchpad.net/maas/+bug/2027621

Change-Id: Ifbbd546d7f2ba548c231180851c90594d971b7c1
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
2024-03-06 11:21:58 -05:00
Ritchie, Frank (fr801x) 906f9a5f15 Change pathtype to prefix
Due to CVE-2022-4886 the default pathType for an ingress should be
either "Exact" or "Prefix". This allows for more strict path validation by
the admission controller.

Change-Id: I1089bd5c893685fe3b2bcd6868da2f2b761e144f
2024-01-29 10:58:42 -05:00
Ritchie, Frank (fr801x) 962db46114 Update helm toolkit reference
Update helm toolkit reference

Update helm toolkit ref so that ingress will be created with a pathType
of Prefix.

https://review.opendev.org/c/openstack/openstack-helm-infra/+/905757
Change-Id: Iccedcd7b15b2da9ed35748af9809def69b7ae6da
2024-01-23 17:34:07 -05:00
Alexey Odinokov cd65140a7c Fixing name for maas-export-api-key job
Previously it was maas-export-api-key}-job.
It worked, but did not look accurate.

Change-Id: I578c70c09ebbf2bdbccbf81eae69db70250a715d
2023-11-21 12:36:05 -06:00
SPEARS, DUSTIN (ds443n) ba3657c0c1 Add option to mount host path for cgroups
Capability added to disable cgroups host path volume

Change-Id: I007d9a79b812094126fadb36fd743133495d337f
2023-09-19 13:24:28 -04:00
Anselme, Schubert (sa246v) 736c936394 Parametrise readiness probe
Change-Id: I358ae8307799fff0674a428c42b90381d6d3a631
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
2023-08-23 14:42:59 -04:00
Ruslan Aliev eaabbb2722 Disable ipv6 for bind9 named service
* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
2023-07-12 21:31:53 -05:00
Wahlstedt, Walter (ww229g) 565d20ee18 add commissioning script
Change-Id: I5aadcee07b4eefccdf5666fa024d87f2f4e86eb5
2023-05-24 15:59:53 -04:00
Ruslan Aliev 003f7bf702 MAAS region & rack controller upgrade v3.0.0
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I87a86c920e49e53447c87bcff3c0fae08ebf267f
2023-03-13 02:20:28 -05:00
Ruslan Aliev 771db2bacb Add DEBIAN_FRONTEND noninteractive env var
sstream cache image

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I7b8e5d4ff4e0f725f56871ccde7388d35b610b3a
2023-02-21 17:01:55 -06:00
Ruslan Aliev 23a2b557f1 Revert "Upgrading MAAS to v3"
This reverts commit 129d958a51.

Reason for revert: reverting back to 2.8.7 to modify chart

Change-Id: I68d3abfb19decc5eb470fcf43694506bc5edd4b6
2023-02-16 15:32:01 -06:00
Anselme, Schubbert (sa246v) 129d958a51 Upgrading MAAS to v3
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: I4b5a5f6a7e21d790cce13a5ccff9819f517cad64
2022-11-23 12:55:52 -05:00
Ruslan Aliev 2d5b698d9e Switch PVCs to use storageClassName
HTK and Helm versions are also updated.

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Ia1ef4ec23f53dcb591e139c3476e143a55351fd3
2022-09-16 19:02:23 -05:00
Phil Sphicas 50b3d68905 Control bind9 and nginx resource usage
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.

This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.

Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
2021-11-10 23:35:50 -08:00
Phil Sphicas 666567eae5 Update chart to use stable Kubernetes APIs
Update the MAAS chart to use non-deprecated APIs [0], specifically
addressing the following resource types:
* ClusterRole
* ClusterRoleBinding
* Ingress
* Role
* RoleBinding

The APIs being migrated to are available in v1.19 or earlier. As of this
change, v1.19 is the oldest supported Kubernetes version, slated for EOL
on 2021-10-28. [1]

Also includes an HTK uplift that includes updated Ingress templates. [2]

0: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
1: https://kubernetes.io/releases/
2: https://review.opendev.org/c/openstack/openstack-helm-infra/+/813115

Change-Id: I5e78f1ab094666538ed419a78f6966a2ba295d6a
2021-10-18 11:52:30 -07:00
anthony.bellino 760f1c97cf Fix: Update maas controller version to 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
Change-Id: I3b2fa9a076ed2ac18a4c10da7554fda9c5b73b00
2021-10-05 13:11:51 -07:00
Zuul c5f6fc0f34 Merge "Helm 3: Fix Job labels" 2021-10-05 03:24:05 +00:00
Crank, Daniel (dc6350) afd76b3c89 Add ca-certificates to images
This patchset adds ca-certificates to the maas-rack-controller and
maas-region-controller docker images, so the new ISRG Root X1
certificate will be included.

Change-Id: Ia721b14ddc7d9e12d422f482a2e2d7f6f2c09b37
2021-10-01 15:48:28 -05:00
Sean Eagan 983853de55 Helm 3: Fix Job labels
See the dependency below for details.

Depends-On: https://review.opendev.org/c/openstack/openstack-helm-infra/+/811826
Change-Id: I997313865002469f1916c5baa8ccaa26c37619b5
2021-10-01 13:40:45 -05:00
Maximilian Weiss 2bddbbfb9d Update MAAS controller version to 2.8.7-8610-g.4a04daa43-0ubuntu1~18.04.1
Change-Id: Ia2cb9bbc0cb5a9333ffa3685536060d00985aa41
2021-09-21 15:33:27 +00:00
Maximilian Weiss 2746d04402 Cleanup Makefile, allow cache use, and allow extra args
Change-Id: I7ded3a1c95151f898e00f6168d0c90938e17b0e6
2021-08-24 17:19:57 +00:00
Maximilian Weiss 3accf71685 Update HTK stable commit to 0.2.19
Update helm-toolkit stable commit to merge of this change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/802925

Change-Id: Iafd86a087dbf04ce49c8d0a427305219d1d0483e
2021-08-17 17:47:09 +00:00
Maximilian Weiss d3e8a4601d Update helm installation script
Updates the helm installation script to download and install v2.17.0
from get.helm.sh (instead of v2.14 from storage.googleapis.com).

Change-Id: I5e0ccfc60ff976f7a8d89a9a66ad6da0785a9f2b
2021-08-17 17:47:09 +00:00
Phil Sphicas 2e94c847ac Adjust Redfish retry interval
Patch the redfish driver to retry requests less aggressively, using
values that match the IPMI driver [0], instead of the defaults [1].

This helps prevent HTTP 409 and HTTP 500 errors.

0: https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/power/ipmi.py?h=2.8.6#n234
1: https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/power/__init__.py?h=2.8.6#n42

Change-Id: Ia41aafd04a6b8439e04fdd6d9f867a79f74789e1
2021-08-03 21:56:31 +00:00
Phil Sphicas d6d9b4c857 Clean up names of patch files
This change renames the various patch files to reflect that they are
based on diffs against MAAS 2.8. Files that were previously listed as
2.3_*.patch originally were created against MAAS 2.3, but this is not
particularly relevant anymore.

Change-Id: I93ca4fc414f0983be62f0a8bae8ec699f3d4e7a0
2021-08-03 21:56:27 +00:00
Phil Sphicas b648edfe40 Deploy MAAS 2.8 on Ubuntu bionic
Image changes:
* base image ubuntu:18.04
* MAAS version 2.8.6-8602-g.07cdffcaa-0ubuntu1~18.04.1 from ppa/2.8
* default contents of /var/lib/maas are archived in /opt/maas
* updated patches:
  - 2.3_bios_grub_partition.patch, changed in maas [0]
  - 2.3_partitiontable_does_not_exist.patch, changed in maas [1] [2]
  - 2.3_secure_headers.patch, updated for twisted 17.9.0 [3]
* removed patches:
  - 2.3_bios_grub_preseed.patch, changed in maas, now N/A [0]
  - 2.3_hostheader.patch, fixed in maas [4]
  - 2.3_maas_enlist.patch, fixed in maas [5]
  - 2.3_mac_address.patch, fixed in maas [6]
* new patches:
  - 2.8_maas_ipmi_autodetect_tool.patch, enlistment reliability
* reformatted patches due to blackening change [1]:
  - 2.3_configure_ipmi_user.patch
  - 2.3_ipmi_error.patch
  - 2.3_kernel_package.patch, custom req to specify kernel package
  - 2.3_nic_filter.patch, custom req to ignore cali* interfaces
  - 2.3_region_secret_rotate.patch
  - 2.3_route.patch

Chart changes:
* maas-region podport is 5240
* maas config option http_boot is no longer configurable [7]
* start script restores some default files into /var/lib/maas
* register-rack-controller script removes old files in /etc/maas
* enlist userdata now matches commissioning/curtin userdata [8]
* force_gpt option is removed [9], as GPT is now the default
* update to configure remote_syslog in import resources job [10]
* enlist_commissioning is disabled for backwards compatibility [11]

0: d8e234eb09
1: db30bb39fa
2: 665feb7575
3: https://github.com/twisted/twisted/blob/twisted-17.9.0/src/twisted/web/server.py
4: 573da69729
5: d390a1da6a
6: 34631c2fe5
7: 0e94c26a53
8: 22641cffcc
9: 97c25a0486
10: d67c359c7b
11: 51b9712c20

Change-Id: I0685d76cf083ff5aa33c8db552059721289d5c53
2021-08-03 21:56:23 +00:00
Zuul 94e55069dc Merge "Add "labels" to MAAS ingress & ingress-errors deployments" 2021-05-14 19:12:07 +00:00
Phil Sphicas 840b482373 Fix Docker image build jobs
Update the deb-docker path to fix the docker image build jobs.

Change-Id: Ia6f427af61827ffff15b6c9b246809fae37cc26a
2021-05-10 05:20:53 +00:00
DeJaeger, Darren (dd118r) 5a1866fb45 Add "labels" to MAAS ingress & ingress-errors deployments
Adding said label, that's already defined, to the deployments themselves.
This will enable Armada to properly wait for certain percentages of the
deployment replicas to be ready prior to proceeding. Prior to this change,
there wasn't a way to select these deployments via labels.

Change-Id: I4d8e479eb40e4395a4e3b79bbc9df651aa4e12e7
2021-04-30 16:58:31 -04:00
Phil Sphicas 35fa3175e3 Allow additional preseed overrides
Sometimes the ephemeral environment needs additional cloud-init data.
This change allows user-data sections to be added to the default files
in /etc/maas/preseeds: enlist, commissioning, and curtin.

For example, to resolve issues with 'apt-get update' failures during
enlistment, something like this may be necessary:
conf:
  cloudconfig:
    override: true
    sections:
      bootcmd:
        - "rm -fr /var/lib/apt/lists"

Change-Id: I817006a799003ace3f35d02507489720b0f9079b
2021-02-12 06:29:10 +00:00
Phil Sphicas ccfbd4340f Use HostToContainer mountPropagation
For any host mounts that include /var/lib/kubelet, use HostToContainer
mountPropagation, which avoids creating extra references to mounts in
other containers.

Affects the following resources:
* maas-ingress deployment

Change-Id: I8f8239dc868e30d0203cb994b0eb6a615f40d87b
2021-01-07 20:31:00 +00:00
Phil Sphicas ff7676e58e Ignore upstream chart repos when installing Helm
The upstream Helm chart repos have moved permanently, causing a failure
when running "make helm-serve": 'Error: error initializing: Looks like
"https://kubernetes-charts.storage.googleapis.com" is not a valid chart
repository or cannot be reached'.

This change skips the chart refresh, since the upstream charts are not
used anyway.

Change-Id: Ic146e09dca6a7d72607a794984376d0fa9bc5475
2021-01-07 19:59:13 +00:00
Andrii Ostapenko a1cf7a95ed Change helm-toolkit dependency version to ">= 0.1.0"
Since we introduced chart version check in gates, requirements are not
satisfied with strict check of 0.1.0

Change-Id: I74df8053fadaf5a3f07d6fd947161886f01c728b
2020-09-24 19:43:02 -05:00
KHIYANI, RAHUL (rk0850) 2dd543c841 override security context capabilities to values.yaml
Change-Id: I1120a4f5325172a8ece7d2ce8bb24706e28b319f
2020-08-06 12:20:30 -05:00
KHIYANI, RAHUL (rk0850) f899a11a06 Fix: updating maas-syslog to readOnly-fs false
updating it to false as it requires write permission to write pid file

Change-Id: I2b68ef641619a56d88bd4c659fe75d40267e3977
2020-07-31 17:14:34 -05:00
Phil Sphicas 294980dfa9 Update HTK stable commit
Update helm-toolkit stable commit to merge of this change:
https://review.opendev.org/#/c/734702/

Change-Id: I770334c5a2ca58980d6eae013150e0f8127f22cf
2020-07-28 16:32:11 +00:00
KHIYANI, RAHUL (rk0850) 926dadfbf4 [FIX] override security context capabilities in values.yaml
Add missing helm-toolkit snippet for ingress-errors container

Change-Id: I9c7ec6b71a1d026257c2a1f76e18a3e3be8e244d
2020-07-21 03:56:42 +00:00
KHIYANI, RAHUL (rk0850) 20c6e525ea Implement helm-toolkit snippet to maas pods/containers
This updates the maas chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag

Change-Id: I1eba6ab3a7c27ddcb3e8ddc8e743b91dc5e521c3
2020-07-20 14:43:41 +00:00
Zuul 749a968d90 Merge "Enable Docker default AppArmor profile to maas" 2020-06-26 16:20:39 +00:00
KAVVA, JAGAN MOHAN REDDY (jk330k) a8a530bec7 Enable Docker default AppArmor profile to maas
This adds default AppArmor profile to maas-cache container.

Change-Id: Ib181189d968e328291b802d1528b33fc74b7873e
2020-06-26 08:44:58 -05:00
Phil Sphicas 843089243b Allow additional late_commands in curtin userdata
This change allows extra late_commands to be added to the curtin
userdata, which are executed before the node is rebooted at the end of
the deployment. This can be useful to install packages or perform other
customization.

One sample use-case is the installation of specific kernel module
packages that match the target kernel image, in cases where the
ephemeral environment uses a different kernel version.

Change-Id: I80084c544f6a7dafd6aa84c8041cf86bdc3b9f4b
2020-06-20 18:57:42 +00:00
Phil Sphicas 6f6c9b4aec Fix rendering of obscure MAAS file drivers.yaml
The existing drivers.yaml rendered by the MAAS chart is missing the
top-level 'drivers' key, so it doesn't actually work. This change fixes
the rendering of the file, and adds a comment in values.yaml about where
to look for additional information about where and how the file is used:

https://github.com/maas/maas/blob/2.3.5/src/maasserver/third_party_drivers.py

Change-Id: I940c8a57d3e404a101de5c1ea92f8a467319dbaa
2020-06-20 17:46:34 +00:00
Alexander Hughes afe3d6e444 Fix image build checks missing setuptools
Use apt to install python3-pip, and use pip3 in the event the system has
both pip2 and pip3 installed. Use apt to install setuptools for
Ansible's consumption.

Change-Id: I041d4cdfda670339cfbbc75d280c8d9071227f3b
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
2020-06-17 12:42:40 +00:00
Phil Sphicas 88353232aa Respect USE_PROXY=true for image builds
When using 'make USE_PROXY=true', the 'docker build' is executed with
the correct proxy-related build-args, but the Dockerfile does not
actually consume them.

This change updates the Dockerfiles to accept the following ARGs:
HTTP_PROXY, HTTPS_PROXY, NO_PROXY (upper or lowercase)

Change-Id: I6888d1f15f430e73338c269784ded9a0dea6c9ce
2020-06-11 15:22:09 +00:00
Zuul 2989bbb4a2 Merge "maas-region: option to always use GPT" 2020-06-02 20:35:30 +00:00
Zuul 036043a175 Merge "maas-syslog fix: eliminate duplicate messages" 2020-06-02 16:17:46 +00:00
Phil Sphicas 97c25a0486 maas-region: option to always use GPT
MAAS uses MBR for boot disks smaller than 2 TiB. This change provides an
option to force the use of GPT, regardless of boot disk size. The chart
value is: conf.maas.force_gpt=true.

The 2 TiB "threshold" for when GPT is required is simply lowered to 0:
https://github.com/maas/maas/blob/2.3/src/maasserver/models/partitiontable.py#L51-L53

This change could be accomplished with a patch to the maas-region image
directly, but then it would not be configurable, and it may not be
useful for all users. Using sed in the startup script seems like a fair
solution.

Change-Id: I87d3f4b9c97048cdef383cbd15c5a16ac219066b
2020-06-02 02:17:18 +00:00
Phil Sphicas cad7c5c9e1 Enhance MAAS ntpd stub
Using `exit 0` in the ntpd stub causes some unwanted log warnings:

    maas.service_monitor[151]: [warn] Service 'ntp' is on but not in the
    expected state of 'running', its current state is 'exited'.

This change allows the stub to respond appropriately to 'systemctl
status ntpd' and 'systemctl restart ntpd' and keeps MAAS happier.

Change-Id: I41b95051ce595fb9001f4104a1abb48b66a657c4
2020-06-02 02:15:59 +00:00
Zuul 1f13d56418 Merge "Eliminate sudo and pam_unix(sudo:session) log spam" 2020-06-02 00:04:27 +00:00
Phil Sphicas 3624da26f5 Disable creation of swap file
By default, curtin creates a swap file of up to 8GB. When swap is later
disabled, there is still a /swap.img file left hanging around that needs
to be cleaned up.

This change sets the size to 0 to disable the creation of the swap file
in the first place.

https://curtin.readthedocs.io/en/latest/topics/config.html#swap

Change-Id: I9e1e5f67007ae3c49617525e989b27e123b69d53
2020-06-01 23:09:36 +00:00