Commit Graph

414 Commits

Author SHA1 Message Date
Zuul a0779f92a9 Merge "Improve DNSMasq init script" 2024-06-04 16:27:14 +00:00
Fabiano Correa Mercer 418ce2bf83 Improve DNSMasq init script
During the first unlock after a fresh install, the DNSMasq is started
but we noticed that other services that depend on it are not
receiving the DNS query answers in time, as a result the services are
restarted by SM and everything works fine.
This issue doesn't happen for the next lock/unlocks.
To mitigate this issue, the DNSMasq start process will have 20
seconds to resolve the "controller.internal", so the next services
handled by SM will start just when DNSMasq is fully operational.

Test done:
AIO-SX fresh install
AIO-DX fresh install
AIO-DX host-swact

Story: 2010722
Task: 50243

Depends-On: https://review.opendev.org/c/starlingx/config/+/920694


Change-Id: I405de2248a8b834cbc297c3e550566052264f343
Signed-off-by: Fabiano Correa Mercer <fabiano.correamercer@windriver.com>
2024-06-04 11:40:14 -03:00
Zuul 51b466b24d Merge "Password new rules for LDAP accounts" 2024-06-03 16:25:03 +00:00
Karla Felix e14b91598f Enforce new password rules for linux os accounts
Enforce new password rules for linux os accounts, the new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords

Test Plan:
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock
      of the controller-0.
PASS: Run build-pkgs -c -p pam-config.
PASS: Run build-image.
PASS: Change password 5 times and then try to use the first password of
      the sequence again to verify if it is using password history.
PASS: Try password without at least 1 letter.
PASS: Try password without at least one number.
PASS: Try password without at least one special character.
PASS: Try password with less than 12 characters and verify if it fails.
PASS: Access account and change password using serial console.

Story: 2011084
Task: 49821

Change-Id: Ia2629bbbc09038a9aa2a1742eca335e3d22bfaff
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-05-29 12:35:05 -03:00
Carmen Rata 5b7c2e704b Fix SSSD ldap_access_filter
The SSSD "ldap_access_filter" configuration for WAD domain,
does not perform as expected. Instead of allowing access only
for the members of the configured group, as part of the
"ldap_access_filter" parameter setting, it allows access with
no restrictions to any ldap user in the domain. So basically,
the "ldap_access_filter" configuration is ignored.
The fix is setting the proper pam configuration in file
"/etc/pam.d/common-account" to enforce "ldap_access_filter"
access control and at the same time to allow local users to
login when SSSD is failing to connect.

Test Plan:
PASS: Verify the "/etc/pam.d/common-account" has been updated on
a deployed AIO-SX system configuration and SSSD service is running.
PASS: Create a WAD group and add 2 ldap users as members of the
group. Set the "ldap_access_filter" to allow access to the only 2
users in the group. Login with a ldap user that is a member
of the allowed group and the user should login.
PASS: Login with a user that is not a member of the
allowed group configured in the previous test and the user should
fail authentication.
PASS: Stop SSSD service and test that a local user, e.g. sysadmin,
can login when SSSD is not running. Also test that sudo works for
sysadmin user.
PASS: Restart SSSD service and test that a new local ldap user gets
prompted to change password at first login.
PASS: Tested successfully on a DC system, both on system controller
and on the subcloud all the above tests performed on an AIO-SX
system configuration.

Closes-Bug: 2064171

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Ia6ae3e0d825c358992b92784b4e10fbfb688de2d
2024-05-03 21:47:11 +00:00
Scott Little baa4b56a35 Remove CentOS/OpenSUSE build support
StarlingX stopped supporting CentOS builds after release 7.0.
This update will strip CentOS from our code base.  It will also remove
references to the failed OpenSUSE feature as well.

Story: 2011110
Task: 49945
Change-Id: I534a3812bc6454024514b204374cbcb09c68e50b
Signed-off-by: Scott Little <scott.little@windriver.com>
2024-04-26 13:46:17 -04:00
Karla Felix abda085bd7 Password new rules for LDAP accounts
Enforce new password rules for ldap accounts, the new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
- Default password expiry period should be set to 90 days.

Test Plan:
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock
      of the controller-0.
PASS: Run build-pkgs -c -p openldap-config.
PASS: Run build-image.
Note: The command used to change password to the test cases below is:
      sudo ldapsetpasswd <user> <password>
PASS: Change password 5 times and then try to use the first password of
      the sequence again to verify if it is using password history.
PASS: Try password without at least 1 letter.
PASS: Try password without at least one number.
PASS: Try password without at least one special character.
PASS: Try password with less than 12 characters and verify if it fails.
PASS: Access account and change password using serial console.
PASS: Create a user with ldapadduser with reduced password expiry time
      and see if the password expiry warning is shown.
PASS: Create a user with ldapadduser set to 90 days and then change the
      date/time to verify if the expiry warning is shown.

Story: 2011084
Task: 49863

Change-Id: I4938eef8c0f8deb8b5fc6535b5bc3411bf10ba0d
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-04-23 11:41:32 -03:00
Karla Felix 6a7e681a11 Fix syntax for removing SHA1 ciphers in slapd
This review will be fixing the syntax that is missing, from SHA to
SHA1.

Test Plan:
PASS: Run fresh install of AIO-SX and verify if it unlocks the
      controller-0 with no issues.

Closes-Bug: 2054813

Change-Id: Id7e1978e42e4c0d560d9fe5fdaf034d79f865b0a
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-03-13 11:34:39 -03:00
Karla Felix 6c0909286c Set TLS config for openldap
This commit is setting a minimum tls version and setting a rule
to avoid the use of weak cipher by openldap.

Test Plan:

PASS: Run build-pkgs -c -p openldap-config
PASS: Run build-image with the changes for openldap-config present.
PASS: Run 'nmap --script ssl-enum-ciphers' to the desired port to see
      if it is only using tls1.2 and tls1.3.
PASS: Create ldap users on system controller with ldapusersetup.
      Verify that user is synchronized to subcloud
      Do ldapfinger <username> on subcloud and verify the user is returned
      ssh with the user in the subcloud. Verify login goes through.
      Run commands with sudo and verify that sudo works without issues
PASS: Run a full setup of an AIO-SX and verify the status of slapd
      service.

Closes-Bug: 2054813

Change-Id: Iabbc5c877256b4f886706cf7601ea26e5ab54d28
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-03-08 13:33:26 -03:00
Zuul 455ec4d1bc Merge "Remove unused dhcp client options" 2024-02-07 16:05:26 +00:00
Andre Kantek 0628bad413 Remove unused dhcp client options
With the IPSec feature DHCP clients in starlingx no longer need to
request the options: domain-name-servers, and
dhcp6.name-servers.

The reason is that the management network is being migrated to a static
address configuration, with gateway and DNS servers provided to
the config files (ifcfg-* and resolv.conf) first by kickstart and
after by puppet manifest configuration.

The pxeboot network will use DHCP for initial bringup but it does not
need those options.

Test Plan:
[PASS] Install IPv4 Standard with storage
[PASS] Install IPv6 Standard with storage

Story: 2010940
Task: 49385
Depends-On: https://review.opendev.org/c/starlingx/config/+/904000

Change-Id: I2dc8f44aaf9d22881ae24679795f14b4e5b648d1
Signed-off-by: Andre Kantek <andrefernandozanella.kantek@windriver.com>
2024-01-29 10:23:20 +00:00
Kyale, Eliud e2588f064a Improve logging of haproxy init.d script
redirect stdout and stderr logs to haproxy.log
add logger logs to user.log
to assist in debugging haproxy issues

Test plan:

PASS - AIO-SX: iso install
PASS - AIO-SX: reboot testing
PASS - AIO-DX: iso install
PASS - AIO-DX: swact

Related-Bug: #2043506
Change-Id: I9d65bc74132e4fae56da736b46bdf55946bf5bcd
Signed-off-by: Kyale, Eliud <Eliud.Kyale@windriver.com>
2024-01-17 10:39:59 -05:00
Zuul 7081e3380f Merge "push luks encrypted data from active to standby" 2023-12-15 18:46:22 +00:00
Rahul Roshan Kachchap a66f056fa3 Adding udevadm rule for luks filesystems
The luks-fs-mgr service is creating a file based encrypted
container that when unencrypted is mounted as an accessible
filesystem. This mounted filesystem is detected by udev and
considered by sysinv-agent if it should be reported as a
partition-able block device. It sets custom
identifier VAULT_TYPE attribute to "luks_encrypted_vault"
for any LUKS-encrypted device, whose DM_UUID attribute
value matches any characters that come after "CRYPT-LUKS2",
to make sure it is generic to all LUKS filesystem if multiple
are specified in the future.

Test Plan:
PASS: build-pkgs -c -p luks-config
PASS: build-image
PASS: AIO-DX bootstrap
PASS: rule file created at /etc/udev/rules.d
PASS: udevadm info /dev/dm-* shows new identifier

Story: 2010872
Task: 49237

Change-Id: I747e52441f442648055f02fc7d3e6dc028ff75f6
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
2023-12-12 13:39:00 -05:00
Harshad sonde 5165dab258 push luks encrypted data from active to standby
The new rsync module [luksdata] contains the
destination folder path.
This is used by rsync daemon when rsync command
is executed on active controller to copy data.

TEST
PASSED: Deployed changes on Duplex
PASSED: Created new file on active controller
PASSED: Changed existing file on active controller
PASSED: Deleted a file on active controller

Story: 2010872
Task: 49058

Change-Id: I02c0092b77ebc1d8e93daa75d8644c150e080d60
Signed-off-by: Harshad sonde <harshad.sonde@windriver.com>
2023-11-30 00:14:05 -05:00
Jim Gauld b6c7d16f1c Add syslog.service dependency order to containerd
This updates containerd.service service override file
containerd-stx-override.conf with systemd dependencies:

After=syslog.service

This addresses cases of missing logs during shutdown.

Test plan:
- PASS - build-image, install and boot up on AIO-SX
- PASS - verify service order dependencies via
         'sudo systemd-analyze dump'
- PASS - perform reboot and verify /var/log/daemon.log
         containerd is stopped before logger is stopped.

Partial-Bug: 2043069

Change-Id: I136c584c3832e17cdf35d7ba87387bd3ce3f4a2d
Signed-off-by: Jim Gauld <James.Gauld@windriver.com>
2023-11-09 06:03:59 -05:00
Zuul 28720e9e90 Merge "Remove password-expiration-check script" 2023-08-15 16:05:40 +00:00
Zuul daf19943f9 Merge "Removing centos related initscripts" 2023-08-14 16:18:23 +00:00
Carmen Rata 2671d8e863 Remove password-expiration-check script
This commit removes the implementation for ldap user password expiry
done in commit 13d31e8184.
This is because it is getting replaced by an sssd password expiration
control implementation. The sssd solution also fixes a bug in the
previous implementation to allow password expiration detection to work
for ldap users logging in a subcloud. In the sssd solution the warning
in advance of the password expiration is more precise, giving the
number of hours if there is only a day to expiry and the number of
minutes if there is less than an hour to expiry.

Test Plan:
PASS: Verify SSSD configuration in "/etc/sssd/sssd.conf" gets
updated with password expiration configuration.
PASS: Create a local openldap user using "ldapusersetup" utility
and set the "shadowMax" attribute for the user password to expire
in 2 days. The ldap user attribute "shadowMax" gives the maximum
number of days that a shadow password is valid.
PASS: Use the command "date" to set the time in the future to get
the password to expire (e.g. date -s "Tue Aug 10 06:33:37 UTC 2023").
PASS: Execute ssh using the ldap user you have just created.
A message saying the password was expired should be displayed and
a prompt to change the password would follow up.
PASS: After the password was updated try to login the user again
using the new password and should succeed.
PASS: Verify that a warning saying that the user's password expired
and needs to be renewed appears in "/var/log/auth.log"
(e.g.:"pam_sss(sshd:account): Access denied for user testuser1: 12
(Authentication token is no longer valid; new one required)").
PASS: Verify that a password expiration warning occurs at login time,
before the password actually expires. Examples: "Your password will
expire in 1 day(s)." or "Your password will expire in 45 minute(s).".
Use real time for this test instead of artificially modifying the
date.
PASS: Verify the password expiration warning occurs according to the
configuration of the ldap user account.
PASS: Check that script "/etc/profile.d/password-expiration-check.sh"
does not exist.
PASS: Verify ldap user password expiration in a AIO-SX and a subcloud
of a DC system.

Closes-Bug: 2029425

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I12936f8fccf04e5c673844457528982c4bf57018
2023-08-14 12:59:19 +00:00
pandae 2c0e515e6a Removing centos related initscripts
CentOS Iso is no longer built from master branch. We won't be needing
the init scripts in directories "centos" and "files" which
handle the system initialization specs

TEST PLAN:

PASS: Designer Build of Debian AIO-SX ISO & Deployment without centos
      related files

Story: 2010849
Task: 48573
Change-Id: I5df84e8a43ed4e07fa6b180877ea74c69751be79
2023-08-10 19:44:04 +00:00
pandae e27069b13d Removing Netcore parameters from sysctl.conf
In this commit, we are removing the value set to net.core.rmem_max.
This value will be set in /etc/sysctl.d/50-net-core.conf.

This change is to be made because systemd-sysctl will always load
sysctl.conf file last and it will override the configuration set in
50-net-core.conf

REFERENCE to the MR where rmem_max is added to 50-net-core.conf:
https://review.opendev.org/c/starlingx/utilities/+/889325

TEST PLAN:

PASS: Read memory max value (net.core.rmem_max) is loaded
from 50-net-core.conf

TEST DESCRIPTION: In AIO-SX net.core.rmem_max value is read
using the sysctl commands. After a successful deployment,
the value set in 50-net-core.conf is loaded.


Story: 2010849
Task: 48529
Change-Id: Ie2b078e5e0e2878cf1ffe5f94357e1dec6e4e10f
2023-08-08 19:19:37 +00:00
Mohammad Issa f26c674fad Populate DNSMasq with host entries
Host DNS records must use the ".internal" domain
to configure FQDN entries with the format of <host>.internal.

Given the complexities of supporting the multi-host reconfiguration,
this task will focus on support for a simplex system only.

Since the lookup will fail after the mdns4_minimal entry
because .local is treated as a multicast domain.
Putting dns before mdns4_minimal resolves the situation.

Work Items:
- prefix the dns entry to resolve registry.local issue

Testing:
- build successful
- successfully bring up AIO-SX and AIO-DX
- ensure changes only apply on AIO-SX
- ping system host's new aliases (with and without ".internal")
  -> also with manual removal of mgmt entries from /etc/hosts
- ensure all mgmt interfaces are up
- ping registry.local

Story: 2010722
Task: 48296

Change-Id: Ic7ffa6790dfa49867c4efb246b4707cdb7d10cb3
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
2023-06-29 21:06:15 +00:00
Carmen Rata 62b1150e29 Update sshd_config for "denied ssh access" group
Local OpenLDAP and WAD servers are being used for k8s api and SSH
authentication. We need the ability to disallow SSH authentication
for selective users. As part of the solution, we create a Linux
group where all ldap users with "denied ssh access" will be added.
This commit sets the group for "denied ssh access" in the sshd
configuration file "/etc/ssh/sshd_config".

Test Plan:
PASS: Debian image gets successfully installed in AIO-SX system.
PASS: Verify the Linux group has been created and the sshd
configuration file was updated with denied ssh access for that group.
PASS: Create an openldap user and add to the "deny ssh access" group.
Verify that the user cannot ssh.
PASS: Create a WAD group with the same name and gidNumber as the
Linux group for "deny ssh access". Create a WAD user in this group.
Validate that the new WAD user in the "deny ssh group" cannot ssh
to stx platform.
PASS: Remove the WAD user from the WAD "deny ssh access" group.
Validate that now the user can have ssh access to stx platform.
PASS: Remove the openldap user from the Linux "deny ssh access" group.
Validate that now the user can have ssh access to stx platform.

Story: 2010589
Task: 48231
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/886150

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: If96f3f52cb10a8c32df5b777ba7c85f33edb3f96
2023-06-15 01:07:42 +00:00
Zuul 2be96003ab Merge "Introduce logrotate for /var/log/rss-memory.log" 2023-06-01 18:19:29 +00:00
cpompeud 0de73866cd Introduce logrotate for /var/log/rss-memory.log
This log rotation config for /var/log/rss-memory.log used
for memory growth debugging

Test Plan:
	- PASS: Build an image, install and bootstrap successfully
	- PASS: Apply monitor pods so addon logs would be installed.
	- PASS: Check that log entries are correctly displayed.

Partial-Bug: 2019007
Depends-On: https://review.opendev.org/c/starlingx/monitoring/+/883866

Change-Id: Ia440154482cc9907bf43670390cf85efee18960b
Signed-off-by: cpompeud <Cesar.PompeudeBarrosBombonate@windriver.com>
2023-05-30 17:17:24 +00:00
Zuul d7ce84b155 Merge "use new location for k8s-container-cleanup.sh" 2023-05-16 23:10:53 +00:00
Zuul 949378c90f Merge "Replace lsof by ss in RabbitMQ ocf script" 2023-05-16 14:57:39 +00:00
Chris Friesen d38086d813 use new location for k8s-container-cleanup.sh
The debian packaging guidelines do not want packages to install
binaries under /usr/local so we're moving the k8s-container-cleanup.sh
executable to /usr/sbin.

This should be merged with the corresponding change in the "integ"
repo, but it's not the end of the world if it isn't done at exactly
the same time.

Test Plan:
PASS Install AIO-SX with K8s 1.25 and upgrade to K8s 1.26.
PASS Install with K8s 1.26 on AIO-SX and ensure the system comes up
     normally.

Story: 2010368
Task: 48012

Change-Id: I4a536d27364df2c57a8c375684d14929b45f13fb
Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
2023-05-15 21:27:58 -04:00
Adriano Oliveira 0dee292bef Replace lsof by ss in RabbitMQ ocf script
It has been noted on heavy load test conditions that lsof
can hang for a considerable time and cause timeouts on the
RabbitMQ stop path triggered from Service Manager on a
swact scenario.

To avoid that, both netstat or ss commands could be used to
check for listening process on the amqp port (5672).

The ss command has been chosen since man page of netstat marks
it as obsolete and points to ss as replacement for the major part
of it.

Also, note that ss uses Netlink which uses socket API.

Closes-Bug: 2018346

Test Plan:

PASS: Verify, using ss, the listening amqp socket
PASS: Verify AIO-DX is properly deployed
PASS: Restart RabbitMQ service successfully using sm-restart
PASS: Swact successfully on DX system
PASS: Lock/unlock successfully

Change-Id: I929b2a1b7a61eb70154c00177aa0b7f2fc46890a
Signed-off-by: Adriano Oliveira <adriano.oliveira@windriver.com>
2023-05-09 17:17:59 -04:00
Jessica Castelino 278dd346d1 Enable rsync for /opt/software
Debian patching in DX env requires the software repo to be
synced between controllers. This commit enables that for us.

Test Plan:
Setup DX and run software commands to ensure that software
repo is synced between controllers after every command

Story: 2010676
Task: 47949
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
Change-Id: If62e7e6ed35c8579ff60f1c2009a0dc0ef142532
2023-05-08 16:59:21 +00:00
Zuul 25bdea4131 Merge "Enable logging for local openldap service" 2023-05-02 14:41:50 +00:00
Davlet Panech d0b3aa5c80 Fix github mirroring for this repo
Updating the rsa ssh host key based on:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Note: In the future, StarlingX should have a zuul job and
secret setup for all repos so we do not need to do this
for every repo.

Needed to rename the secret, because zuul fails if like-named
secrets have different values in different branches of the same
repo.

Partial-Bug: #2015246
Change-Id: I44451c0c159bb9bdadbf00363c9d9bfbfd59fdf2
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
2023-04-28 12:38:50 -04:00
Andy Ning a72bf7dbdf Enable logging for local openldap service
Currently local openldap service (slapd) doesn't have logs at all.
This change enables logging for the service.

Test Plan:
PASS: Verify the logs are generated in /var/log/slapd.log after
      system is successfully deployed.
PASS: Verify that standard openldap operations are logged, such as
      adding users, searching for users.
PASS: Verify log file is rotated when reaching the configured size.

Closes-Bug: 2017796
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I277f25e855a51da1865d7cf995b0e447fb1e53be
2023-04-27 16:09:24 -04:00
Leonardo Fagundes Luz Serrano f1e378fe5c Setup fluxcd's log dir and logrotate
- Armada has been replaced by Fluxcd, so the logrotate config can
be adapted.

- An entry was added to /etc/tmpfiles.d to create /var/log/flux
during boot. Some more context in [1].

- About the owner:group:
The flux container processes are associated with the user:group
'nobody:nogroup' as defined in their Dockerfiles [2,3], which is
a default user with very restricted privileges [4].
Since /var/log is owned by root, it does not allow flux to write files.
To circumvent that, /var/log/flux has its ownership set to match
the container processes.

[1] https://review.opendev.org/c/starlingx/config-files/+/859666
[2] https://github.com/fluxcd/source-controller/blob/v0.32.1/Dockerfile#L87
[3] https://github.com/fluxcd/helm-controller/blob/v0.27.0/Dockerfile#L44
[4] https://wiki.debian.org/SystemGroups

Test Plan:
PASS build custom iso and install. Flux log dir exists
     and has right owner:group.
PASS logs rotate

Partial-Bug: 2009784

Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I8bf8bf5f42c78d6ddab8f0d65e6ffaff9a8ec555
2023-03-17 15:24:49 +00:00
Zuul 147427e884 Merge "Fix password expiration for local openldap users" 2023-03-06 21:51:08 +00:00
Rei Oliveira 13d31e8184 Fix password expiration for local openldap users
There is an issue with debian SSSD package and the password expiration
message and change prompt are not showing up when expected.

This change adds a custom shell script that will use the last password
modification date from ldap and the expected shadowWarning and
shadowMax configured for the user to tell when to show password
expiration warning and when to ask the user to change their passwords.

This commit addresses only local openldap users as this is more
critical, since AD users will be warned and have their password
expiration handled externally by their organization. Further work to
include AD users in this script is under investigation.

Test plan:

PASS: 1) Create ldap user with 'ldapusersetup -u ldap_user1 --sudo
      --secondgroup sys_protected --passmax 1 --passwarning 2',
      login with user and verify the first time password change prompt
      is shown.
PASS: 2) After test #1, exit and login back again with user ldap_user1
      and verify after login msg 'Warning: The password for ldap_user1
      will expire in 1 day.' is shown.
PASS: 3) After test #1, logout ldap_user1 and change the system's date
      to 1 day in the future. Login back with ldap_user1 and verify
      that after login msg 'Warning: The password for ldap_user1 will
      expire in 0 day.' is shown.
PASS: 4) After test #3, logout ldap_user1 and change the system's date
      to 1 day in the future. Login back with ldap_user1 and verify
      that the system will print a msg 'WARNING: Your password has
      expired.' and will prompt users to change their passwords.

Closes-Bug: 2008501

Change-Id: I609f54fca11bf8747a6fb306343e70039ac9686a
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
2023-03-01 09:15:57 -03:00
Zuul d434a19ead Merge "Revert "debian: Remove pam_systemd.so from common-session"" 2023-02-27 14:37:13 +00:00
Zuul 51bed3e73e Merge "Revert "Workaround for console session timeout terminating user processes"" 2023-02-27 14:26:40 +00:00
Davi Frossard 7a410eea86 Revert "debian: Remove pam_systemd.so from common-session"
This reverts commit 8c1fb8d471.

Reason for revert: see https://review.opendev.org/c/starlingx/stx-puppet/+/870667

Partial-Bug: 1999049
Change-Id: I33c2dda6c20b2547a66b8f3feaccd00f80d7ad8a
2023-02-24 13:53:14 +00:00
Davi Frossard 37796a511d Revert "Workaround for console session timeout terminating user processes"
This reverts commit 50c4560b3f.

Reason for revert: see https://review.opendev.org/c/starlingx/stx-puppet/+/870667

Partial-Bug: 1999049
Change-Id: Ib095bcca63662c2637871afb90833aa2a341481d
2023-02-24 13:52:31 +00:00
Zuul f7897ccb44 Merge "Debian: Add build structure for openvswitch-config" 2023-02-17 21:11:59 +00:00
Thales Elero Cervi a997786271 Debian: Add build structure for openvswitch-config
This change adds the necessary files for the openvswitch-config
package to be built for Debian.

Test Plan:
PASS: Build the openvswitch-config.deb package
PASS: Ensure the delivered files paths are correct
PASS: Build Debian ISO with openvswitch-config package

Story: 2010317
Task: 47276

Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I4f74192ee284ce351a253a4394f2f21545128612
2023-02-17 15:21:12 -03:00
Luis Sampaio f19370235d Update debian package versions to use git commits
The Debian packaging has been changed to reflect all the
git commits under the directory, and not just the commits
to the metadata folder.

This ensures that any new code submissions under those
directories will increment the versions.

Test Plan:
PASS: build-pkgs -p audit-config
PASS: build-pkgs -p base-files-config
PASS: build-pkgs -p containerd-config
PASS: build-pkgs -p debian-release-config
PASS: build-pkgs -p dhcp-config
PASS: build-pkgs -p dnsmasq-config
PASS: build-pkgs -p docker-config
PASS: build-pkgs -p filesystem-scripts
PASS: build-pkgs -p haproxy-config
PASS: build-pkgs -p initscripts-config
PASS: build-pkgs -p io-scheduler
PASS: build-pkgs -p iptables-config
PASS: build-pkgs -p iscsi-initiator-utils-config
PASS: build-pkgs -p lighttpd-config
PASS: build-pkgs -p logrotate-config
PASS: build-pkgs -p lvm2-config
PASS: build-pkgs -p memcached-custom
PASS: build-pkgs -p multus-config
PASS: build-pkgs -p nfs-utils-config
PASS: build-pkgs -p ntp-config
PASS: build-pkgs -p openldap-config
PASS: build-pkgs -p openssh-config
PASS: build-pkgs -p pam-config
PASS: build-pkgs -p python-siteconfig
PASS: build-pkgs -p rabbitmq-server-config
PASS: build-pkgs -p rsync-config
PASS: build-pkgs -p shadow-utils-config
PASS: build-pkgs -p sudo-config
PASS: build-pkgs -p syslog-ng-config
PASS: build-pkgs -p systemd-config
PASS: build-pkgs -p tuned-config
PASS: build-pkgs -p multipath-config

Story: 2010550
Task: 47327
Signed-off-by: Luis Sampaio <luis.sampaio@windriver.com>
Change-Id: I7acdeb905655650a45a0611c0079a7627cb3e395
2023-02-15 08:52:24 -08:00
Zuul 0ee37387c4 Merge "Create multipath-config package" 2023-02-15 15:49:11 +00:00
Matheus Guilhermino f1a85bcb2e Create multipath-config package
In order to have a multipath.conf file during the install
process on Debian, the multipath-config package was created.

This package simply writes a custom version of the multipath.conf
to /etc/multipath.conf

To have it in the installer, it should also be included in the
base-initramfs-bullseye.yaml file

Blacklist exception support is added for:
- HP 3PAR SANs (H/W multipath)
- QEMU (for virtual multipath development)
- TrueNAS (currently only iSCSI support validated)

Test Plan:
PASS - AIO-SX: HPE multipath install/bootstrap/unlock
PASS - AIO-SX: Qemu virtual multipath install/bootstrap/unlock
PASS - AIO-DX: Qemu virtual multipath install/bootstrap/unlock
PASS - AIO-DX+: Qemu virtual multipath install/bootstrap/unlock
PASS - 2+2 (controller storage): Qemu virtual multipath
install/bootstrap/unlock
PASS - 2+2+2 (dedicated storage): Qemu virtual multipath
install/bootstrap/unlock
PASS - Add OSD ceph storage configuration (AIO-SX)
PASS - Expand CGTS volume group using extra disk (Partition) (AIO-SX)
PASS - Expand CGTS volume group using extra disk (disk) (AIO-SX)
PASS - Add nova local volume group using extra disk (AIO-SX)
PASS - App pod that allocates and writes into a PVC (AIO-SX)
PASS - Local disk Commands (Disk API) - Check if the output is broken
- host-disk-list
- host-disk-show
- host-disk-partition-list
- host-disk-partition-show
- host-pv-list
- host-pv-show
- host-stor-list
- host-stor-show
- host-lvg-list
- host-lvg-show
- host-pv-add
PASS - Create nova-local volume group
PASS - Local disk Commands on AIO-DX after swact

Regression:
PASS - AIO-SX: Non-multipath install/bootstrap/unlock (NVME)
PASS - AIO-DX: Non-multipath install/bootstrap/unlock (SSD)
PASS - 2+2: Non-multipath install/bootstrap/unlock (SSD)
PASS - 2+2+2 : Non-multipath install/bootstrap/unlock (SSD and HD)

Change-Id: I196031dee403db50e6dbcdb36a0a2ed95fc42be3
Depends-On: https://review.opendev.org/c/starlingx/tools/+/860590
Story: 2010046
Task: 66650
Signed-off-by: Matheus Guilhermino <matheus.machadoguilhermino@windriver.com>
Signed-off-by: Robert Church <robert.church@windriver.com>
2023-02-13 18:34:22 +00:00
Charles Short 32dec7ec55 Fix vimrc.local loading
- Don't bypass the normal vimrc configuration.
- Fix debian/changelog to stop it complaining while building
  the base-files-config package.

Testing:

PASS Build base-files-config package.
PASS Build ISO
PASS Boot ISO
PASS Verify .vimrc has changed
PASS Open /etc/host with vim, check for errors for vimrc.

Close-Bug: 2006482

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I2a29943b951e192fdac90d379134ea2b04ce4d76
2023-02-07 09:45:11 -05:00
Al Bailey 77375a109c Update tox.ini to work with tox 4
This change will allow this repo to pass zuul now
that this has merged:
https://review.opendev.org/c/zuul/zuul-jobs/+/866943

Tox 4 deprecated whitelist_externals.
Replace whitelist_externals with allowlist_externals

Partial-Bug: #2000399

Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I5a2ae729f2e54a6520f7f80ee103113ccb775dd5
2022-12-26 22:05:06 +00:00
Zuul e0ff36fab2 Merge "Docker service auto-restart on bad health" 2022-12-14 22:16:31 +00:00
Leonardo Fagundes Luz Serrano e78e42fb38 Docker service auto-restart on bad health
There is a known intermittent bug with docker which breaks some of
its functions, such as downloading images [1].

The details are being investigated, but most likely docker.service
start occasionally fails to create all the subfolders required
in /var/lib/docker. The workaround is a service restart.

With this change, there is a short wait time after which docker
health is checked and if the check fails the service is restarted.
Note the required subfolders are created almost immediately, so
the wait can be short.

Still, pmon tolerance is slightly increased to allow the repair
mechanism a couple retries before stepping in.

[1] https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1950751

Test Plan:

PASS With pmon turned off and a sleep time of 10 secs,
     deleted /var/lib/docker/tmp and restarted docker.
     Then deleted /var/lib/docker/tmp dir during the 'sleep 10',
     observed that an automatic '/bin/systemctl restart
     docker.service' is triggered, docker is restarted and /tmp
     recreated successfully.
PASS With pmon service up and using the proposed time intervals,
     restarted docker service successfully without interference
     between the two mechanisms

PASS Completed the following operations:
     - AIO-SX install/bootstrap/unlock
     - lock/unlock
     - sudo reboot
     with the following results:
     - /var/lib/docker has all sub-directories
     - applications applied
     - docker service running
     - pulled hello-world image
     - no alarms
     - no 'download failed' error messages in daemon.log

Partial-Bug: 1999182

Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ide2d214ea3c7efb3f2a24327c11ae55f90d5a9ce
2022-12-14 21:34:25 +00:00
Gustavo Herzmann 466b382e36 Add lighttpd ostree pull request log filtering
Ostree repo pull requests generate excessive amounts of lighttpd
access log entries. This commit configures syslog-ng to filter out
any ostree pull related log entry that returns a 200 status code from
the lighttpd access log.

This commit only filters requests from the
/iso/*/ostree_repo/objects/*/*.filez|.dirtree URL, it does not filter
requests to the /feed/rel-*/ostree_repo/objects/... URL.

Test Plan:
1. PASS - Install a subcloud and verify that the ostree pull request
messages are filtered out from /var/www/var/log/lighttpd-access.log;
2. PASS - Use curl to request invalid files and verify that requests
with status code other than 200 are still being logged.
3. PASS - Do a system bring-up test by creating an image with the
applied changes and verify that the system installation succeeds
and that the syslog-ng and lighttpd services are working.
4. PASS - Verify that Horizon is still able to do HTTP requests.

Partial-Bug: #1998837

Signed-off-by: Gustavo Herzmann <gustavo.herzmann@windriver.com>
Change-Id: I637e7f1bae362be98f4b88bbc7c0585d1121fe80
2022-12-13 19:49:54 +00:00