From f24b2f5054156016284fb520022d259906fb3ef5 Mon Sep 17 00:00:00 2001 From: Gerry Kopec Date: Mon, 30 Mar 2020 00:37:38 -0400 Subject: [PATCH 01/27] Remove dcorch-snmp dcorch-snmp process/service is being removed from distributed cloud. Remove associated puppet config. Change-Id: I5691648887e2302eeda0b5e853a72df52ae0ba72 Story: 2007267 Task: 39190 Depends-On: https://review.opendev.org/#/c/715765 Signed-off-by: Gerry Kopec --- .../src/dcorch/manifests/params.pp | 6 --- .../src/dcorch/manifests/snmp.pp | 47 ------------------- puppet-manifests/src/manifests/controller.pp | 2 - .../src/modules/platform/manifests/dcorch.pp | 9 ---- .../src/modules/platform/manifests/sm.pp | 9 ---- 5 files changed, 73 deletions(-) delete mode 100644 modules/puppet-dcorch/src/dcorch/manifests/snmp.pp diff --git a/modules/puppet-dcorch/src/dcorch/manifests/params.pp b/modules/puppet-dcorch/src/dcorch/manifests/params.pp index 76d5fa1f..df823dc5 100644 --- a/modules/puppet-dcorch/src/dcorch/manifests/params.pp +++ b/modules/puppet-dcorch/src/dcorch/manifests/params.pp @@ -20,8 +20,6 @@ class dcorch::params { $api_service = 'dcorch-api' $engine_package = 'distributedcloud-dcorch' $engine_service = 'dcorch-engine' - $snmp_package = 'distributedcloud-dcorch' - $snmp_service = 'dcorch-snmp' $api_proxy_package = 'distributedcloud-dcorch' $api_proxy_service = 'dcorch-api-proxy' @@ -35,8 +33,6 @@ class dcorch::params { $api_service = 'dcorch-api' $engine_package = false $engine_service = 'dcorch-engine' - $snmp_package = false - $snmp_service = 'dcorch-snmp' $api_proxy_package = false $api_proxy_service = 'dcorch-api-proxy' @@ -48,8 +44,6 @@ class dcorch::params { $client_package = 'distributedcloud-client-dcorchclient' $api_package = false $api_service = 'dcorch-api' - $snmp_package = false - $snmp_service = 'dcorch-snmp' $engine_package = false $engine_service = 'dcorch-engine' $api_proxy_package = false 
diff --git a/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp b/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp deleted file mode 100644 index f82a57c0..00000000 --- a/modules/puppet-dcorch/src/dcorch/manifests/snmp.pp +++ /dev/null @@ -1,47 +0,0 @@ -# -# Files in this package are licensed under Apache; see LICENSE file. -# -# Copyright (c) 2013-2018 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# -# Dec 2017 Creation based off puppet-sysinv -# - -class dcorch::snmp ( - $package_ensure = 'latest', - $enabled = false, - $bind_host = '0.0.0.0', - $com_str = 'dcorchAlarmAggregator' -) { - - include dcorch::params - include dcorch::deps - - if $::dcorch::params::snmp_package { - package { 'dcorch-snmp': - ensure => $package_ensure, - name => $::dcorch::params::snmp_package, - tag => 'dcorch-package', - } - } - dcorch_config { - 'snmp/snmp_ip': value => $bind_host; - 'snmp/snmp_comm_str': value => $com_str; - } - - if $enabled { - $ensure = 'running' - } else { - $ensure = 'stopped' - } - - service { 'dcorch-snmp': - ensure => $ensure, - name => $::dcorch::params::snmp_service, - enable => $enabled, - hasstatus => false, - tag => 'dcorch-service', - } - -} diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index eeba6f8c..e247c828 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -89,8 +89,6 @@ include ::platform::dcorch::engine include ::platform::dcorch::api_proxy include ::platform::dcmanager::api -include ::platform::dcorch::snmp - include ::platform::dcdbsync include ::platform::dcdbsync::api diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp index d899ff18..9e4080cb 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp 
@@ -110,15 +110,6 @@ class platform::dcorch::engine } } -class platform::dcorch::snmp - inherits ::platform::dcorch::params { - if $::platform::params::distributed_cloud_role =='systemcontroller' { - class { '::dcorch::snmp': - bind_host => $api_host, - } - } -} - class platform::dcorch::api_proxy inherits ::platform::dcorch::params { diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index 6079a765..e8871c30 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp @@ -817,12 +817,6 @@ class platform::sm -> exec { 'Provision DCOrch-Engine in SM (service dcorch-engine)': command => 'sm-provision service dcorch-engine', } - -> exec { 'Provision DCOrch-Snmp (service-group-member dcorch-snmp)': - command => 'sm-provision service-group-member distributed-cloud-services dcorch-snmp', - } - -> exec { 'Provision DCOrch-Snmp in SM (service dcorch-snmp)': - command => 'sm-provision service dcorch-snmp', - } -> exec { 'Provision DCOrch-Identity-Api-Proxy (service-group-member dcorch-identity-api-proxy)': command => 'sm-provision service-group-member distributed-cloud-services dcorch-identity-api-proxy', } @@ -862,9 +856,6 @@ class platform::sm -> exec { 'Configure OpenStack - DCOrch-Engine': command => "sm-configure service_instance dcorch-engine dcorch-engine \"\"", } - -> exec { 'Configure OpenStack - DCOrch-Snmp': - command => "sm-configure service_instance dcorch-snmp dcorch-snmp \"\"", - } -> exec { 'Configure OpenStack - DCOrch-identity-api-proxy': command => "sm-configure service_instance dcorch-identity-api-proxy dcorch-identity-api-proxy \"\"", } From cc786eda4dafb88f857c7b5272338b4bcf4a5204 Mon Sep 17 00:00:00 2001 
From: Jerry Sun Date: Fri, 27 Mar 2020 14:11:45 -0400 Subject: [PATCH 02/27] Support adding admission plugin post bootstrap This commit adds the ability to change the admission plugins of kube-apiserver post bootstrap. We need this for pod security plugin. Starting pod security plugin without any policies will result in all pods being denied. Story: 2007351 Task: 38897 Change-Id: I3ad3ba91f3084bd2f0054d5d063d2242594997b2 Signed-off-by: Jerry Sun --- .../platform/files/change_kube_apiserver_params.py | 9 +++++++++ .../src/modules/platform/manifests/kubernetes.pp | 3 ++- .../platform/templates/kube-apiserver-change-params.erb | 3 +++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py b/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py index 75afff85..c72c9faf 100644 --- a/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py +++ b/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py @@ -19,6 +19,7 @@ parser.add_argument("--oidc_issuer_url") parser.add_argument("--oidc_client_id") parser.add_argument("--oidc_username_claim") parser.add_argument("--oidc_groups_claim") +parser.add_argument("--admission_plugins") args = parser.parse_args() if args.configmap_file: @@ -59,6 +60,14 @@ else: if 'oidc-groups-claim' in cluster_config['apiServer']['extraArgs']: del cluster_config['apiServer']['extraArgs']['oidc-groups-claim'] +if args.admission_plugins: + cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = \ + args.admission_plugins +else: + plugins = 'enable-admission-plugins' + if plugins in cluster_config['apiServer']['extraArgs']: + del cluster_config['apiServer']['extraArgs'][plugins] + cluster_config_string = yaml.dump(cluster_config, Dumper=yaml.RoundTripDumper, default_flow_style=False) # use yaml.scalarstring.PreservedScalarString to make sure the yaml is 
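Review bot: The new `else` branch deletes `enable-admission-plugins` from `extraArgs` outright when `--admission_plugins` is not given, which discards whatever the key already held — kubeadm-generated configs normally seed it with `NodeRestriction` — so clearing the service parameter looks like it would disable the node-restriction plugin rather than restore the baseline. Resetting to the baseline instead, `cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = 'NodeRestriction'`, would keep that control in place; the exact baseline should be confirmed against what bootstrap writes. The comma-separated value is also written through unvalidated; a check such as `assert all(p.isalnum() for p in args.admission_plugins.split(','))` would reject a malformed list before it lands in the apiserver static pod manifest and takes the control plane down.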
diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp index cbbfa681..c1f2cd70 100644 --- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp +++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp @@ -21,7 +21,8 @@ class platform::kubernetes::params ( $oidc_issuer_url = undef, $oidc_client_id = undef, $oidc_username_claim = undef, - $oidc_groups_claim = undef + $oidc_groups_claim = undef, + $admission_plugins = undef ) { } class platform::kubernetes::cgroup::params ( diff --git a/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb b/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb index 9596b75f..f63505ff 100644 --- a/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb +++ b/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb @@ -20,6 +20,9 @@ python /usr/share/puppet/modules/platform/files/change_kube_apiserver_params.py <%- if @oidc_groups_claim -%> --oidc_groups_claim <%= @oidc_groups_claim %> \ <%- end -%> +<%- if @admission_plugins -%> +--admission_plugins <%= @admission_plugins %> \ +<%- end -%> kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch configmap kubeadm-config -p "$(cat <%= @configmap_temp_file %>)" kubeadm config view > <%= @configmap_temp_file %> From 07edad67cc55caf4726d3db3529c8e71fff6254e Mon Sep 17 00:00:00 2001 From: Paul Vaduva Date: Thu, 26 Mar 2020 03:09:47 +0200 Subject: [PATCH 03/27] Set preferred_lft to 0 for mgmt and nfs floating ips For ipv6 the only way to prefer the fixed ip for outgoing connection is to set preferred_lft to 0 for the floating ips Change-Id: I13573ac4628db1fc49146f353d7eb2c96eb1aff0 Closes-bug: 1856064 
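Review bot: `--admission_plugins <%= @admission_plugins %> \` splices the parameter into the generated shell script unquoted, so a value containing whitespace or shell metacharacters would either be split into extra arguments or interpreted by the shell before it reaches the Python script. The value comes from system service parameters (administrator-controlled), so the exposure is limited, but quoting is free: `--admission_plugins "<%= @admission_plugins %>" \`. The neighbouring OIDC options follow the same unquoted pattern and would benefit from the same treatment.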
Signed-off-by: Paul Vaduva --- .../src/modules/platform/manifests/network.pp | 6 +++++ .../src/modules/platform/manifests/sm.pp | 22 ++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/puppet-manifests/src/modules/platform/manifests/network.pp b/puppet-manifests/src/modules/platform/manifests/network.pp index 2d6964e6..4edbf0d7 100644 --- a/puppet-manifests/src/modules/platform/manifests/network.pp +++ b/puppet-manifests/src/modules/platform/manifests/network.pp @@ -109,8 +109,14 @@ define network_address ( # loopback interface. These addresses must be assigned using the host scope # or assignment is prevented (can't have multiple global scope addresses on # the loopback interface). + + # For ipv6 the only way to initiate outgoing connections + # over the fixed ips is to set preferred_lft to 0 for the + # floating ips so that they are not used if $ifname == 'lo' { $options = 'scope host' + } elsif $::platform::network::mgmt::params::subnet_version == $::platform::params::ipv6 { + $options = 'preferred_lft 0' } else { $options = '' } diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index 6079a765..6bebf899 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp 
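Review bot: The new `elsif` in `network_address` keys on the management subnet's address family for every non-loopback address the define adds, regardless of which network the address belongs to, and the comment says the intent is to deprecate only floating addresses. If this define is also used for fixed or cluster-host addresses, those would be marked `preferred_lft 0` as well and no address would be preferred as a source; that depends on callers outside the hunk, so it should be confirmed. A safer shape is to make the lifetime an explicit define parameter, e.g. `$preferred_lft = undef` with `$options = $preferred_lft ? { undef => '', default => "preferred_lft ${preferred_lft}" }`, and let the floating-IP callers pass `'0'`. The rest of `network_address` lies outside the hunk.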
@@ -258,8 +258,16 @@ class platform::sm command => "sm-configure service_instance management-ip management-ip \"ip=${mgmt_ip_param_ip},cidr_netmask=${mgmt_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7,dc=yes\"", } } else { + # For ipv6 the only way to initiate outgoing connections + # over the fixed ips is to set preferred_lft to 0 for the + # floating ips so that they are not used + if $::platform::network::mgmt::params::subnet_version == $::platform::params::ipv6 { + $preferred_lft = '0' + } else { + $preferred_lft = 'forever' + } exec { 'Configure Management IP': - command => "sm-configure service_instance management-ip management-ip \"ip=${mgmt_ip_param_ip},cidr_netmask=${mgmt_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7\"", + command => "sm-configure service_instance management-ip management-ip \"ip=${mgmt_ip_param_ip},cidr_netmask=${mgmt_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7,preferred_lft=${preferred_lft}\"", } } 
@@ -270,9 +278,17 @@ class platform::sm "sm-configure service_instance cluster-host-ip cluster-host-ip \"ip=${cluster_host_ip_param_ip},cidr_netmask=${cluster_host_ip_param_mask},nic=${cluster_host_ip_interface},arp_count=7,dc=yes\"", } } else { + # For ipv6 the only way to initiate outgoing connections + # over the fixed ips is to set preferred_lft to 0 for the + # floating ips so that they are not used + if $::platform::network::cluster_host::params::subnet_version == $::platform::params::ipv6 { + $preferred_lft_cluster = '0' + } else { + $preferred_lft_cluster = 'forever' + } exec { 'Configure Cluster Host IP service instance': command => - "sm-configure service_instance cluster-host-ip cluster-host-ip \"ip=${cluster_host_ip_param_ip},cidr_netmask=${cluster_host_ip_param_mask},nic=${cluster_host_ip_interface},arp_count=7\"", + "sm-configure service_instance cluster-host-ip cluster-host-ip \"ip=${cluster_host_ip_param_ip},cidr_netmask=${cluster_host_ip_param_mask},nic=${cluster_host_ip_interface},arp_count=7,preferred_lft=${preferred_lft_cluster}\"", } } @@ -503,7 +519,7 @@ class platform::sm } } else { exec { 'Configure Platform NFS': - command => "sm-configure service_instance platform-nfs-ip platform-nfs-ip \"ip=${platform_nfs_ip_param_ip},cidr_netmask=${platform_nfs_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7\"", + command => "sm-configure service_instance platform-nfs-ip platform-nfs-ip \"ip=${platform_nfs_ip_param_ip},cidr_netmask=${platform_nfs_ip_param_mask},nic=${mgmt_ip_interface},arp_count=7,preferred_lft=${preferred_lft}\"", } } From 296bd3d1f733e10b11f3dc2601e9fa1f08c9c719 Mon Sep 17 00:00:00 2001 
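Review bot: The `Configure Platform NFS` command interpolates `$preferred_lft`, but that variable is only assigned inside the `else` branch of the management-ip block in the earlier hunk; if the NFS `else` branch can be reached when the management-ip block took its other branch, the command becomes `preferred_lft=` (empty), and with `strict_variables` catalog compilation fails on the undefined variable. Computing the value once at class scope before either block removes the coupling, e.g. `$preferred_lft = $::platform::network::mgmt::params::subnet_version ? { $::platform::params::ipv6 => '0', default => 'forever' }`, and the cluster-host hunk can do the same with its own subnet version. `platform::sm` begins and ends outside these hunks, so whether the two conditions are always identical cannot be verified here.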
From: Robert Church Date: Fri, 27 Mar 2020 23:38:24 -0400 Subject: [PATCH 04/27] Ensure network config has been applied before containerd If containerd is started prior to networking providing a default route, the containerd cri plugin will fail to load with the following message: msg="failed to load plugin io.containerd.grpc.v1.cri" error="failed to create CRI service: failed to create stream server: failed to get stream server address: no default routes found in \"/proc/net/route\" or \"/proc/net/ipv6_route\"" and the status of the plugin will be in 'error' TYPE ID PLATFORMS STATUS io.containerd.grpc.v1 cri linux/amd64 error This will prevent any crictl image pulls from working. This change will ensure the network config is applied prior to configuring and restarting containerd. Docker and containerd also have a dependency, so also ensure the network config is applied prior to configuring and restarting docker. Change-Id: I94a3349b438816d21b147cbd62054862d07d8bee Partial-Bug: #1868728 Signed-off-by: Robert Church --- .../src/modules/platform/manifests/containerd.pp | 6 ++++++ puppet-manifests/src/modules/platform/manifests/docker.pp | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/containerd.pp b/puppet-manifests/src/modules/platform/manifests/containerd.pp index eca2f498..c09a04fc 100644 --- a/puppet-manifests/src/modules/platform/manifests/containerd.pp +++ b/puppet-manifests/src/modules/platform/manifests/containerd.pp 
@@ -16,6 +16,12 @@ class platform::containerd::config include ::platform::kubernetes::params include ::platform::dockerdistribution::registries + # If containerd is started prior to networking providing a default route, the + # containerd cri plugin will fail to load and the status of the cri plugin + # will be in 'error'. This will prevent any crictl image pulls from working as + # containerd is not automatically restarted when plugins fail to load. + Anchor['platform::networking'] -> Class[$name] + # inherit the proxy setting from docker $http_proxy = $::platform::docker::params::http_proxy $https_proxy = $::platform::docker::params::https_proxy diff --git a/puppet-manifests/src/modules/platform/manifests/docker.pp b/puppet-manifests/src/modules/platform/manifests/docker.pp index 69e203d2..7003f5ac 100644 --- a/puppet-manifests/src/modules/platform/manifests/docker.pp +++ b/puppet-manifests/src/modules/platform/manifests/docker.pp @@ -20,6 +20,12 @@ class platform::docker::params ( class platform::docker::config inherits ::platform::docker::params { + # Docker restarts will trigger a containerd restart and containerd needs a + # default route present for it's CRI plugin to load correctly. Since we are + # defering containerd restart until after the network config is applied, do + # the same here to align config/restart times for both containerd and docker. + Anchor['platform::networking'] -> Class[$name] + if $http_proxy or $https_proxy { file { '/etc/systemd/system/docker.service.d': ensure => 'directory', From 93d22c438ed6939bd4b1723b37e23794eacb7006 Mon Sep 17 00:00:00 2001 From: Paul Vaduva Date: Thu, 2 Apr 2020 13:06:57 +0300 Subject: [PATCH 05/27] Configure docker and containerd once per AIO deploy Prevent a double configuration of docker and containerd for AIO scenarios. Change-Id: I0cb9fdde5acf8d5d44d526e70ae4af726932709f Closes-bug: 1869193 
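Review bot: `Anchor['platform::networking'] -> Class[$name]` makes `platform::docker::config` (and the containerd counterpart above) fail catalog compilation with a missing-resource error wherever the class is included without `platform::network::apply` in the same catalog; that appears to hold for the node manifests, but any runtime or bootstrap manifest that includes only the docker/containerd config would need checking. If such a path exists, `if defined(Anchor['platform::networking']) { Anchor['platform::networking'] -> Class[$name] }` keeps the ordering where it applies without breaking the others. Two typos in the new comment: `for it's CRI plugin` should be `for its CRI plugin`, and `defering` should be `deferring`.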
Signed-off-by: Paul Vaduva --- puppet-manifests/src/manifests/controller.pp | 4 ++-- puppet-manifests/src/manifests/storage.pp | 4 ++-- puppet-manifests/src/manifests/worker.pp | 4 ++-- .../modules/platform/manifests/containerd.pp | 17 ++++++++++++++++- .../src/modules/platform/manifests/docker.pp | 18 +++++++++++++++++- 5 files changed, 39 insertions(+), 8 deletions(-) diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index eeba6f8c..c93caa53 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -40,9 +40,9 @@ include ::platform::postgresql::server include ::platform::haproxy::server include ::platform::grub include ::platform::etcd -include ::platform::docker +include ::platform::docker::controller include ::platform::dockerdistribution -include ::platform::containerd +include ::platform::containerd::controller include ::platform::kubernetes::master include ::platform::helm diff --git a/puppet-manifests/src/manifests/storage.pp b/puppet-manifests/src/manifests/storage.pp index c9a2edfc..17d42cdf 100644 --- a/puppet-manifests/src/manifests/storage.pp +++ b/puppet-manifests/src/manifests/storage.pp @@ -27,8 +27,8 @@ include ::platform::sysinv include ::platform::grub include ::platform::collectd include ::platform::filesystem::storage -include ::platform::docker -include ::platform::containerd +include ::platform::docker::storage +include ::platform::containerd::storage include ::platform::ceph::storage class { '::platform::config::storage::post': diff --git a/puppet-manifests/src/manifests/worker.pp b/puppet-manifests/src/manifests/worker.pp index 6caa9945..3490aa5b 100644 --- a/puppet-manifests/src/manifests/worker.pp +++ b/puppet-manifests/src/manifests/worker.pp 
@@ -30,8 +30,8 @@ include ::platform::devices include ::platform::grub include ::platform::collectd include ::platform::filesystem::compute -include ::platform::docker -include ::platform::containerd +include ::platform::docker::worker +include ::platform::containerd::worker include ::platform::dockerdistribution::compute include ::platform::kubernetes::worker include ::platform::multipath diff --git a/puppet-manifests/src/modules/platform/manifests/containerd.pp b/puppet-manifests/src/modules/platform/manifests/containerd.pp index eca2f498..0691051a 100644 --- a/puppet-manifests/src/modules/platform/manifests/containerd.pp +++ b/puppet-manifests/src/modules/platform/manifests/containerd.pp @@ -91,9 +91,24 @@ class platform::containerd::install } } -class platform::containerd +class platform::containerd::controller { include ::platform::containerd::install include ::platform::containerd::config } +class platform::containerd::worker +{ + if $::personality != 'controller' { + include ::platform::containerd::install + include ::platform::containerd::config + } +} + +class platform::containerd::storage +{ + if $::personality != 'controller' { + include ::platform::containerd::install + include ::platform::containerd::config + } +} diff --git a/puppet-manifests/src/modules/platform/manifests/docker.pp b/puppet-manifests/src/modules/platform/manifests/docker.pp index 69e203d2..03a2d704 100644 --- a/puppet-manifests/src/modules/platform/manifests/docker.pp +++ b/puppet-manifests/src/modules/platform/manifests/docker.pp 
@@ -63,12 +63,28 @@ class platform::docker::install } } -class platform::docker +class platform::docker::controller { include ::platform::docker::install include ::platform::docker::config } +class platform::docker::worker +{ + if $::personality != 'controller' { + include ::platform::docker::install + include ::platform::docker::config + } +} + +class platform::docker::storage +{ + if $::personality != 'controller' { + include ::platform::docker::install + include ::platform::docker::config + } +} + class platform::docker::config::bootstrap inherits ::platform::docker::params { From 45ecd74e05deb3d37d51d7d4812ae9fdfa296d31 Mon Sep 17 00:00:00 2001 From: Jerry Sun Date: Fri, 3 Apr 2020 15:25:51 -0400 Subject: [PATCH 06/27] Support adding admission plugin post bootrstrap This commit adds mandatory plugins automatically, without having the user specify them through system service-parameters. Story: 2007351 Task: 38897 Change-Id: Ia423bc3b7be241297d9d1c7a917ac308855c6114 Signed-off-by: Jerry Sun --- .../platform/files/change_kube_apiserver_params.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py b/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py index c72c9faf..3c2d23ce 100644 --- a/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py +++ b/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py 
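Review bot: `platform::docker::worker` and `platform::docker::storage` have identical bodies (as do the containerd pair), and nothing in the code says why the `$::personality != 'controller'` guard exists, which a later maintainer is likely to "simplify" away. A one-line comment above each guard would preserve the intent: `# On AIO the worker/storage manifest also runs on a controller; skip so docker is configured once via platform::docker::controller.` Alternatively collapse the two into a single `platform::docker::non_controller` class that both node manifests include, so the guard lives in one place.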
@@ -61,8 +61,17 @@ else: del cluster_config['apiServer']['extraArgs']['oidc-groups-claim'] if args.admission_plugins: + all_plugins = args.admission_plugins + # there are some plugins required by the system + # if the plugins is specified manually, these ones might + # be missed. We will add these automatically so the user + # does not need to keep track of them + required_plugins = ['NodeRestriction'] + for plugin in required_plugins: + if plugin not in all_plugins: + all_plugins = all_plugins + "," + plugin cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = \ - args.admission_plugins + all_plugins else: plugins = 'enable-admission-plugins' if plugins in cluster_config['apiServer']['extraArgs']: From 6b11dcc799c62fd9690ece744cf6a9583b2db994 Mon Sep 17 00:00:00 2001 From: Jim Somerville Date: Mon, 6 Apr 2020 13:25:58 -0400 Subject: [PATCH 07/27] lowlat: enable ktimer_lockless_check if it exists Enable check for raising timer interrupt only if one is pending. This allows nohz full mode to operate properly on isolated cores. Without it, ktimersoftd interferes with only one job being on the run queue on that core, causing it to drop out of nohz. If ktimer_lockless_check doesn't exist in the kernel, then no error is reported ie. it just fails silently. Closes-Bug: 1870456 Change-Id: I93d0fab3e9f4f56f9afb9bbfaa04882cf9068db5 Signed-off-by: Jim Somerville --- puppet-manifests/centos/build_srpm.data | 2 +- .../src/modules/platform/manifests/sysctl.pp | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data index 7d32ce1e..2bdf6c5d 100644 --- a/puppet-manifests/centos/build_srpm.data +++ b/puppet-manifests/centos/build_srpm.data @@ -1,2 +1,2 @@ SRC_DIR="src" -TIS_PATCH_VER=96 +TIS_PATCH_VER=97 
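Review bot: `if plugin not in all_plugins:` is a substring test on the raw comma-separated string, so a requested name that merely contains `NodeRestriction` would suppress the append, and the required-plugin logic only runs in the `if` branch — the `else` branch below still deletes `enable-admission-plugins` entirely, which removes `NodeRestriction` whenever the service parameter is cleared. Splitting into a list and applying the required set in both cases closes both gaps; the rewritten lines replace the whole `if args.admission_plugins: … else: …` block.

```python
required_plugins = ['NodeRestriction']
requested = [p for p in (args.admission_plugins or '').split(',') if p]
# required plugins are always enforced, whether or not the user listed them
all_plugins = requested + [p for p in required_plugins if p not in requested]
cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = \
    ','.join(all_plugins)
# … unchanged: yaml dump and configmap write-out …
```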
diff --git a/puppet-manifests/src/modules/platform/manifests/sysctl.pp b/puppet-manifests/src/modules/platform/manifests/sysctl.pp index 79a7106b..8b1bf1c9 100644 --- a/puppet-manifests/src/modules/platform/manifests/sysctl.pp +++ b/puppet-manifests/src/modules/platform/manifests/sysctl.pp @@ -46,6 +46,16 @@ class platform::sysctl sysctl::value { 'kernel.sched_rt_runtime_us': value => '1000000', } + + # Enable check for raising timer interrupt only if one is pending. + # This allows nohz full mode to operate properly on isolated cores. + # Without it, ktimersoftd interferes with only one job being + # on the run queue on that core, causing it to drop out of nohz. + # If the check option doesn't exist in the kernel, silently fail. + exec { 'Enable ktimer_lockless_check mode if it exists': + command => "bash -c 'echo 1 2>/dev/null >/sys/kernel/ktimer_lockless_check; exit 0'", + } + } else { # Disable NUMA balancing sysctl::value { 'kernel.numa_balancing': From 21690922e2dc5653ba843167075e0f3577a7c8ed Mon Sep 17 00:00:00 2001 From: John Kung Date: Thu, 2 Apr 2020 10:53:21 -0400 Subject: [PATCH 08/27] Enable duplex platform upgrades: migrate etcd Enable the mechanism to upgrade the platform components on a running StarlingX system with duplex controllers. This includes upgrade updates for: o migrate etcd on host-swact Depends-On: https://review.opendev.org/#/c/717038/ Change-Id: Ife45253b46a9d58216d6cc943d7f4d40dd48b970 Story: 2007403 Task: 39246 Signed-off-by: John Kung --- .../src/modules/platform/files/etcd | 32 ++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/puppet-manifests/src/modules/platform/files/etcd b/puppet-manifests/src/modules/platform/files/etcd index 6593b605..ea4998a6 100644 --- a/puppet-manifests/src/modules/platform/files/etcd +++ b/puppet-manifests/src/modules/platform/files/etcd 
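Review bot: The `Enable ktimer_lockless_check mode if it exists` exec has no `onlyif`/`unless`, so it runs on every manifest apply and always reports a change, and the trailing `exit 0` hides a genuine write failure (sysfs node present but write rejected) just as silently as the intended absent-file case. Guarding on the node instead keeps the "silently skip if absent" behaviour while surfacing real errors: `command => 'echo 1 > /sys/kernel/ktimer_lockless_check', onlyif => 'test -w /sys/kernel/ktimer_lockless_check', unless => 'grep -qx 1 /sys/kernel/ktimer_lockless_check',` (with `provider => shell` for the redirect). A brief comment naming the kernel build this node is expected in would also help the next reader.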
@@ -19,6 +19,7 @@ DESC="ETCD highly-available key value database" SERVICE="etcd.service" PIDFILE="/var/run/etcd.pid" +UPGRADE_SWACT_FILE="/etc/platform/.upgrade_swact_controller_1" status() @@ -46,16 +47,28 @@ start() fi fi - echo "Starting $SERVICE..." + RETVAL=0 - systemctl start $SERVICE + if [ -e $UPGRADE_SWACT_FILE ]; then + echo "Perform upgrade_swact_migration migrate etcd ..." + /usr/bin/upgrade_swact_migration.py migrate_etcd + if [ $? -ne 0 ] + then + RETVAL=1 + fi + fi - if [ $? -eq 0 ]; then - echo "Started $SERVICE successfully" - RETVAL=0 - else - echo "$SERVICE failed!" - RETVAL=1 + if [ $RETVAL -eq 0 ]; then + echo "Starting $SERVICE..." + + systemctl start $SERVICE + + if [ $? -eq 0 ]; then + echo "Started $SERVICE successfully" + else + echo "$SERVICE failed!" + RETVAL=1 + fi fi } @@ -98,6 +111,3 @@ case "$1" in esac exit $RETVAL - - - From 7134a062502bab3afde7d44c1d7cf6c21b2fa7ab Mon Sep 17 00:00:00 2001 From: Jessica Castelino Date: Wed, 8 Apr 2020 11:12:00 -0400 Subject: [PATCH 09/27] Database connection exhaustion in dcmanager during sync When a data sync is triggered for large number of subclouds (~100), the sync fails for some subclouds due to database connection exhaustion. In order to fix this issue, the limit on the number of database connections has been increased. Story: 2007267 Task: 38956 Change-Id: I88ed37ba3a143e3abee78a9f5584b16f17becc76 Signed-off-by: Jessica Castelino --- modules/puppet-dcmanager/src/dcmanager/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp b/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp index c6d6e64e..325d0723 100644 --- a/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp +++ b/modules/puppet-dcmanager/src/dcmanager/manifests/init.pp 
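Review bot: When `upgrade_swact_migration.py migrate_etcd` fails, `start()` sets `RETVAL=1` and returns without any message, so the operator sees only that etcd did not start, and because the marker is not cleared here every subsequent start attempt re-runs the migration (unless the script removes the marker itself, which is not visible in this diff). Capturing and reporting the exit status costs two lines: `rc=$?` followed by `if [ $rc -ne 0 ]; then echo "upgrade_swact_migration migrate_etcd failed (rc=$rc); not starting $SERVICE"; RETVAL=1; fi`. Since the presence of a file under `/etc/platform` now triggers a root-run migration on service start, it is worth confirming that directory is writable only by root.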
@@ -22,8 +22,8 @@ class dcmanager ( $database_connection = '', $database_idle_timeout = 3600, - $database_max_pool_size = 5, - $database_max_overflow = 10, + $database_max_pool_size = 1, + $database_max_overflow = 100, $control_exchange = 'openstack', $rabbit_host = '127.0.0.1', $rabbit_port = 5672, From 438354a28cf34c63a807ca90b6ed8806e01376af Mon Sep 17 00:00:00 2001 From: Robert Church Date: Mon, 23 Mar 2020 20:57:45 -0400 Subject: [PATCH 10/27] Upversion sandbox image to align with k8s v1.18.0 Change-Id: I02f6158d39b4f10764faf4055da4ab4cdc1f9662 Story: 2006999 Task: 39342 Depends-On: https://review.opendev.org/#/c/718568 Signed-off-by: Robert Church --- puppet-manifests/src/modules/platform/templates/config.toml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet-manifests/src/modules/platform/templates/config.toml.erb b/puppet-manifests/src/modules/platform/templates/config.toml.erb index 3f63dffb..8ae22602 100644 --- a/puppet-manifests/src/modules/platform/templates/config.toml.erb +++ b/puppet-manifests/src/modules/platform/templates/config.toml.erb @@ -29,7 +29,7 @@ oom_score = 0 stream_server_address = "" stream_server_port = "0" enable_selinux = false - sandbox_image = "registry.local:9001/k8s.gcr.io/pause:3.1" + sandbox_image = "registry.local:9001/k8s.gcr.io/pause:3.2" stats_collect_period = 10 systemd_cgroup = false enable_tls_streaming = false From 3b7ab6010ee45f5b35de54ff1b6d147761ea5d7f Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Tue, 14 Apr 2020 11:24:17 -0400 Subject: [PATCH 11/27] Free dcdbsync openstack instance port for https admin endpoint Currently dcdbsync instance for openstack is listening on port 8220. With the admin endpoint of dcdbsync instance for platform has https enabled and uses port 8220, the port of dcdbsync instance for openstack is updated to use 8229. Change-Id: Ie3d60164e4e81de8e53ad452d4dbeab7ce4a5058 Story: 2007347 Task: 39409 
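Review bot: `database_max_pool_size = 1` with `database_max_overflow = 100` raises the ceiling to ~101 connections, but with SQLAlchemy-style pooling every overflow connection is closed when returned rather than reused, so a large subcloud sync now churns connect/disconnect against PostgreSQL instead of holding a pool; that trades the exhaustion failure for extra connection load. Keeping the same ceiling with reuse, e.g. `$database_max_pool_size = 20,` and `$database_max_overflow = 80,`, would likely serve the ~100-subcloud case better. The PostgreSQL `max_connections` budget also needs to cover the new ceiling for both controllers, which cannot be checked from this hunk.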
Signed-off-by: Andy Ning --- .../puppet-dcdbsync/src/dcdbsync/manifests/openstack_api.pp | 4 ++-- puppet-manifests/src/modules/platform/manifests/dcdbsync.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/puppet-dcdbsync/src/dcdbsync/manifests/openstack_api.pp b/modules/puppet-dcdbsync/src/dcdbsync/manifests/openstack_api.pp index aaae7418..1f7316a7 100644 --- a/modules/puppet-dcdbsync/src/dcdbsync/manifests/openstack_api.pp +++ b/modules/puppet-dcdbsync/src/dcdbsync/manifests/openstack_api.pp @@ -60,7 +60,7 @@ # # [*bind_port*] # (optional) The dcorch dbsync api port -# Defaults to 8220 +# Defaults to 8229 # # [*package_ensure*] # (optional) The state of the package @@ -93,7 +93,7 @@ class dcdbsync::openstack_api ( $auth_type = 'password', $package_ensure = 'latest', $bind_host = '0.0.0.0', - $bind_port = 8220, + $bind_port = 8229, $enabled = false ) { diff --git a/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp b/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp index 789b3fba..9b290b9d 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp @@ -1,6 +1,6 @@ class platform::dcdbsync::params ( $api_port = 8219, - $api_openstack_port = 8220, + $api_openstack_port = 8229, $region_name = undef, $service_create = false, $service_enabled = false, From ccb72490976519ace03db8e5be4f7391f5e2942d Mon Sep 17 00:00:00 2001 
From: Bart Wensley Date: Tue, 14 Apr 2020 15:43:20 -0500 Subject: [PATCH 12/27] Allow k8s upgrades to any release if necessary The default behaviour of the "kubeadm upgrade apply" command is to only allow upgrades to stable kubernetes versions. However, for both testing purposes and for potential critical fixes in the future, it may be necessary to upgrade to a release candidate or other release that kubernetes deems as unstable. Adding in the appropriate options when calling the "kubeadm upgrade apply" command to make this possible. Change-Id: I164caf495ee3680f549d651b97e7e502b1172c70 Story: 2006781 Task: 37578 Signed-off-by: Bart Wensley --- puppet-manifests/src/modules/platform/manifests/kubernetes.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp index c1f2cd70..b705b0c8 100644 --- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp +++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp @@ -539,8 +539,9 @@ class platform::kubernetes::upgrade_first_control_plane include ::platform::params + # The --allow-*-upgrades options allow us to upgrade to any k8s release if necessary exec { 'upgrade first control plane': - command => "kubeadm upgrade apply ${version} -y", + command => "kubeadm upgrade apply ${version} --allow-experimental-upgrades --allow-release-candidate-upgrades -y", logoutput => true, } From 9a18b7086035062bd326a279aea47c23c3c3f96e Mon Sep 17 00:00:00 2001 From: Paul Vaduva Date: Wed, 15 Apr 2020 09:56:42 -0400 Subject: [PATCH 13/27] Introduce a wait until network interfaces are ready The DAD (Duplicate Address Detection) mechanism keeps ipv6 network interface in tentative state until it finishes. During this time no binding to this interface address is possible and networking dependent services fail to start Change-Id: I9cfa604a0d75400f6d3c7172b3b973b0d50c3578 Closes-bug: 1871638 
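Review bot: `--allow-experimental-upgrades --allow-release-candidate-upgrades` are now passed unconditionally, so every platform upgrade runs with kubeadm's pre-release guardrail removed even though the description frames the need as testing and rare critical fixes. Gating them behind a class parameter that defaults off keeps the guardrail for normal operation: `$allow_prerelease = false` in the parameter list and `$prerelease_opts = $allow_prerelease ? { true => '--allow-experimental-upgrades --allow-release-candidate-upgrades', default => '' }` interpolated into the command. The class signature and the rest of `upgrade_first_control_plane` lie outside the hunk.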
Signed-off-by: Paul Vaduva --- puppet-manifests/src/modules/platform/manifests/network.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/network.pp b/puppet-manifests/src/modules/platform/manifests/network.pp index d6f4b1ad..4d7ed39f 100644 --- a/puppet-manifests/src/modules/platform/manifests/network.pp +++ b/puppet-manifests/src/modules/platform/manifests/network.pp @@ -243,6 +243,7 @@ class platform::network::apply { Network_config <| |> -> Exec['apply-network-config'] -> Network_address <| |> + -> Exec['wait-for-tentative'] -> Anchor['platform::networking'] # Adding Network_route dependency separately, in case it's empty, @@ -260,6 +261,12 @@ class platform::network::apply { exec {'apply-network-config': command => 'apply_network_config.sh', } + # Wait for network interface to leave tentative state during ipv6 DAD + exec {'wait-for-tentative': + command => '[ $(ip -6 addr sh | grep -c inet6.*tentative) -eq 0 ]', + tries => 10, + try_sleep => 1, + } } From c82b459703c65d9d64759c124236c1c60b3d1916 Mon Sep 17 00:00:00 2001 From: Bin Qian Date: Tue, 7 Apr 2020 23:51:24 -0400 Subject: [PATCH 14/27] Install DC adminep cert and DC root ca certificate This is to install DC admin endpoint certificate (pem). This also install root CA to trusted CA, so to trust the certificate issued directly and indirectly by DC root CA. Story: 2007347 Task: 39430 Depends-on: https://review.opendev.org/720273 Change-Id: Ie242c6e833a574ff29562b468fff72352515d22a Signed-off-by: Bin Qian --- .../src/modules/platform/manifests/config.pp | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/config.pp b/puppet-manifests/src/modules/platform/manifests/config.pp index 7da6808d..88516609 100644 --- a/puppet-manifests/src/modules/platform/manifests/config.pp +++ b/puppet-manifests/src/modules/platform/manifests/config.pp 
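Review bot: The `wait-for-tentative` command relies on `$(...)` substitution and the `[` builtin, which Puppet's default `posix` exec provider does not interpolate, so unless a resource default elsewhere sets `provider => shell` this exec will fail on every run; the unquoted `inet6.*tentative` would also be subject to glob expansion once a shell is involved. A shell-safe form is `command => '[ $(ip -6 addr show | grep -c "inet6.*tentative") -eq 0 ]',` with `provider => shell,`. Note that a real duplicate leaves the address in `dadfailed` rather than `tentative`, so this wait passes while the address is unusable; extending the grep to `"tentative\|dadfailed"` and failing loudly in that case would catch the condition the mechanism exists for.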
@@ -295,6 +295,43 @@ class platform::config::certs::ssl_ca } } +class platform::config::dccert::params ( + $dc_root_ca_crt = '', + $dc_adminep_crt = '' +) { } + + +class platform::config::dc_root_ca + inherits ::platform::config::dccert::params { + $dc_root_ca_file = '/etc/pki/ca-trust/source/anchors/dc-adminep-root-ca.crt' + $dc_adminep_cert_file = '/etc/ssl/private/admin-ep-cert.pem' + + if ! empty($dc_adminep_crt) { + file { 'adminep-cert': + ensure => present, + path => $dc_adminep_cert_file, + owner => root, + group => root, + mode => '0400', + content => $dc_adminep_crt, + } + } + + if ! empty($dc_root_ca_crt) { + file { 'create-dc-adminep-root-ca-cert': + ensure => present, + path => $dc_root_ca_file, + owner => root, + group => root, + mode => '0644', + content => $dc_root_ca_crt, + } + -> exec { 'update-dc-ca-trust': + command => 'update-ca-trust', + } + } +} + class platform::config::runtime { include ::platform::config::certs::ssl_ca @@ -313,6 +350,9 @@ class platform::config::pre { include ::platform::config::file include ::platform::config::tpm include ::platform::config::certs::ssl_ca + if $::platform::params::distributed_cloud_role =='systemcontroller' { + include ::platform::config::dc_root_ca + } } From 4fc8bdcf4a011864aabe9df561e2c9bd2165c481 Mon Sep 17 00:00:00 2001 From: Stefan Dinescu Date: Tue, 14 Apr 2020 09:59:54 +0000 Subject: [PATCH 15/27] Add B&R information comments to DRBD manifest This commit adds a series of comments to the DRBD manifest so that users doing any changes to this manifest know also update the list of DRBD devices in the restore playbook. Change-Id: Iae1d9d98391759669871b016721418922aa134ce Partial-bug: 1854169 Signed-off-by: Stefan Dinescu --- .../src/modules/platform/manifests/drbd.pp | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/src/modules/platform/manifests/drbd.pp b/puppet-manifests/src/modules/platform/manifests/drbd.pp index 8841d704..412e0e1b 100644 
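Review bot: `exec { 'update-dc-ca-trust' }` has no `refreshonly`, `creates` or `unless`, so `update-ca-trust` runs on every Puppet apply instead of only when the anchor file changes; chain it with a notification and make it refresh-only: `~> exec { 'update-dc-ca-trust':` / `command => 'update-ca-trust',` / `refreshonly => true,`. The `adminep-cert` file likewise carries no `notify`, so a rotated `/etc/ssl/private/admin-ep-cert.pem` is written to disk but the haproxy instance that reads it (managed outside this hunk) keeps serving the old certificate until something else restarts it; consider a `notify` to that resource. Both `file` resources are only created when the content parameter is non-empty and are never removed, which is worth a one-line comment on `platform::config::dc_root_ca` so that readers know cert removal is not handled here.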
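Review bot: `platform::config::dc_root_ca` is included only for the `systemcontroller` role, while the haproxy admin-endpoint rules that later patches in this series enable for subclouds reference the same `/etc/ssl/private/admin-ep-cert.pem` path; unless the subcloud copy is installed by another path not visible here, haproxy on a subcloud would point at a missing certificate. Either gate on both roles, `if $::platform::params::distributed_cloud_role in ['systemcontroller', 'subcloud'] {`, or add a comment above the include saying where the subcloud certificate comes from. The class name suggests only the root CA, but it also installs the admin endpoint certificate, so a short comment at the include stating both effects would avoid surprises.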
--- a/puppet-manifests/src/modules/platform/manifests/drbd.pp +++ b/puppet-manifests/src/modules/platform/manifests/drbd.pp @@ -101,7 +101,20 @@ define platform::drbd::filesystem ( } } - +# The device names (/dev/drbdX) for all drbd devices added in this manifest +# should be kept in sync with the ones present in the restore ansible playbook +# present in the ansible-playbooks repo at: +# playbookconfig/src/playbooks/roles/restore-platform/restore-more-data/tasks/main.yml +# (ansible task name is "Resize DRBD filesystems"). +# This is done because the device names are only defined here and never reach +# sysinv, so there is no way to get this info from another place. +# If adding another drbd-synced resource, check backup&restore works after resizing +# the resource. +# +# NOTE: Only devices present in the "system controllerfs-list" command output +# need to be kept in sync. Filesystem that we don't allow resizing for +# (for example rabbitmq) or those that don't use the controllerfs +# command (for example cephmon) don't need to be kept in sync. class platform::drbd::pgsql::params ( $device = '/dev/drbd0', $lv_name = 'pgsql-lv', From 7910646e9bd97af02d7f95eec5d8bd3a19dfb0e1 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Thu, 16 Apr 2020 10:08:59 -0400 Subject: [PATCH 16/27] Support subcloud deploy upload the common files Create /opt/platform/deploy to host the deploy common files. Partial-Bug: 1864508 Change-Id: Ifd40cb02d4a2ee17a05457b43c6227aaa069e01e Signed-off-by: Tao Liu --- .../src/modules/platform/manifests/dcmanager.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp index 111771bc..fef8f180 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp 
@@ -7,6 +7,7 @@ class platform::dcmanager::params ( $service_name = 'dcmanager', $default_endpoint_type = 'internalURL', $service_create = false, + $deploy_base_dir = '/opt/platform/deploy', $iso_base_dir_source = '/opt/platform/iso', $iso_base_dir_target = '/www/pages/iso', ) { @@ -41,6 +42,10 @@ class platform::dcmanager ensure => directory, mode => '0755', } + file {$deploy_base_dir: + ensure => directory, + mode => '0755', + } } } @@ -84,6 +89,7 @@ class platform::dcmanager::fs::runtime { include ::platform::dcmanager::params $iso_base_dir_source = $::platform::dcmanager::params::iso_base_dir_source $iso_base_dir_target = $::platform::dcmanager::params::iso_base_dir_target + $deploy_base_dir = $::platform::dcmanager::params::deploy_base_dir file {$iso_base_dir_source: ensure => directory, @@ -95,6 +101,11 @@ class platform::dcmanager::fs::runtime { mode => '0755', } + file {$deploy_base_dir: + ensure => directory, + mode => '0755', + } + exec { "bind mount ${iso_base_dir_target}": command => "mount -o bind -t ext4 ${iso_base_dir_source} ${iso_base_dir_target}", require => File[ $iso_base_dir_source, $iso_base_dir_target ] From e5f325ccca896e9ba96d199c6cff456cce0014f5 Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Mon, 6 Apr 2020 10:11:56 -0400 Subject: [PATCH 17/27] Config platform service admin endpoints to https for DC With this update https is enabled for platform services' admin endpoints for System Controller and subclouds when the first controller is unlocked. The services with admin endpoints enabled are: - fm - patching - vim - smapi - barbican - keystone - sysinv - dcdbsync - dcmanager Change-Id: I45b3c541cdb6191dad6d3e2b3e9cf8a3398b3a1b Story: 2007347 Task: 38891 Depends-On: https://review.opendev.org/#/c/720224/ 
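Review bot: `file {$deploy_base_dir:` is now declared in both `platform::dcmanager` (the `@@ -41` hunk) and `platform::dcmanager::fs::runtime` (the `@@ -95` hunk); if those two classes are ever compiled into the same catalog this is a duplicate resource declaration error, and the existing `$iso_base_dir_*` resources follow the same pattern, so presumably they are kept in separate catalogs today, but that assumption is undocumented. A small shared class holding the directory resources, included from both places, would remove the hazard. Neither declaration sets `owner`/`group`, so the directory is created as whichever user runs the agent and stays `0755`; a comment stating which service is expected to write uploaded files there would make the intended permissions explicit.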
Signed-off-by: Andy Ning --- .../src/dcorch/manifests/keystone/auth.pp | 10 ++++--- .../modules/openstack/manifests/barbican.pp | 14 ++++++++++ .../modules/openstack/manifests/keystone.pp | 13 +++++++++ .../modules/platform/manifests/dcdbsync.pp | 20 ++++++++++++++ .../modules/platform/manifests/dcmanager.pp | 14 ++++++++++ .../src/modules/platform/manifests/dcorch.pp | 27 +++++++++++++++++++ .../src/modules/platform/manifests/fm.pp | 13 +++++++++ .../src/modules/platform/manifests/haproxy.pp | 19 ++++++++++++- .../src/modules/platform/manifests/nfv.pp | 14 ++++++++++ .../modules/platform/manifests/patching.pp | 14 ++++++++++ .../src/modules/platform/manifests/smapi.pp | 12 +++++++++ .../src/modules/platform/manifests/sysinv.pp | 14 ++++++++++ 12 files changed, 180 insertions(+), 4 deletions(-) diff --git a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp index 8e74ec7b..54fdbdf6 100644 --- a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp +++ b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp @@ -43,6 +43,10 @@ class dcorch::keystone::auth ( $cinder_proxy_public_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s', $patching_proxy_public_url = 'http://127.0.0.1:25491', $identity_proxy_public_url = 'http://127.0.0.1:25000/v3', + + $identity_proxy_admin_url = 'http://127.0.0.1:25000/v3', + $sysinv_proxy_admin_url = 'http://127.0.0.1:26385/v1', + $patching_proxy_admin_url = 'http://127.0.0.1:25491', ) { if $::platform::params::distributed_cloud_role =='systemcontroller' { keystone::resource::service_identity { 'dcorch': @@ -68,7 +72,7 @@ class dcorch::keystone::auth ( type => 'platform', region => $region, public_url => $sysinv_proxy_public_url, - admin_url => $sysinv_proxy_internal_url, + admin_url => $sysinv_proxy_admin_url, internal_url => $sysinv_proxy_internal_url } 
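Review bot: The three new `*_proxy_admin_url` parameters default to plain `http://127.0.0.1` URLs even though this series' purpose is https admin endpoints, so if the hiera override for any of them is missing the admin endpoint is registered in keystone as plaintext without any error; the existing `*_public_url` defaults have the same shape, so this may be deliberate. A comment on the parameter group, `# defaults are placeholders; the https admin URLs are supplied by hiera at unlock`, would document that expectation for the next reader. The class dcorch::keystone::auth starts and ends outside this hunk.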
@@ -78,7 +82,7 @@ class dcorch::keystone::auth ( type => 'patching', region => $region, public_url => $patching_proxy_public_url, - admin_url => $patching_proxy_internal_url, + admin_url => $patching_proxy_admin_url, internal_url => $patching_proxy_internal_url } keystone_endpoint { "${region}/keystone::identity" : @@ -87,7 +91,7 @@ class dcorch::keystone::auth ( type => 'identity', region => $region, public_url => $identity_proxy_public_url, - admin_url => $identity_proxy_internal_url, + admin_url => $identity_proxy_admin_url, internal_url => $identity_proxy_internal_url } } diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp index ad174299..1f3eb4f3 100644 --- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp +++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp @@ -90,12 +90,26 @@ class openstack::barbican::service ( class openstack::barbican::haproxy inherits ::openstack::barbican::params { + include ::platform::params + include ::platform::haproxy::params platform::haproxy::proxy { 'barbican-restapi': server_name => 's-barbican-restapi', public_port => $api_port, private_port => $api_port, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'barbican-restapi-admin': + https_ep_type => 'admin', + server_name => 's-barbican-restapi', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } class openstack::barbican::api diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index bcd4638f..16921845 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp 
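Review bot: The two-line role test `if ($::platform::params::distributed_cloud_role == 'systemcontroller' or ... == 'subcloud')` guarding the new `barbican-restapi-admin` proxy is repeated verbatim in the keystone, dcdbsync, fm, nfv, patching, smapi, sysinv and haproxy::runtime hunks of this commit, so any future role change has eight places to update. A single boolean computed once in `platform::params` (for example `$is_dc_node`, name to be chosen) would reduce each guard to `if $::platform::params::is_dc_node {`. The `public_port => $api_port + 1` convention for the admin listener is likewise repeated in every file and is nowhere explained; one comment at the definition of `https_ep_type` in haproxy.pp stating that admin endpoints listen on the service port plus one would cover all of them.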
+++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -131,6 +131,7 @@ class openstack::keystone::haproxy inherits ::openstack::keystone::params { include ::platform::params + include ::platform::haproxy::params if !$::platform::params::region_config { platform::haproxy::proxy { 'keystone-restapi': @@ -139,6 +140,18 @@ class openstack::keystone::haproxy private_port => $api_port, } } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'keystone-restapi-admin': + https_ep_type => 'admin', + server_name => 's-keystone', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } define delete_endpoints ( diff --git a/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp b/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp index 9b290b9d..85f10454 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp @@ -41,6 +41,26 @@ class platform::dcdbsync::api } } } + + include ::platform::dcdbsync::haproxy +} + +class platform::dcdbsync::haproxy + inherits ::platform::dcdbsync::params { + include ::platform::params + include ::platform::haproxy::params + + # Configure rules for https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'dcdbsync-restapi-admin': + https_ep_type => 'admin', + server_name => 's-dcdbsync', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } class platform::dcdbsync::stx_openstack::runtime 
diff --git a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp index fef8f180..478600ec 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp @@ -51,6 +51,9 @@ class platform::dcmanager class platform::dcmanager::haproxy inherits ::platform::dcmanager::params { + include ::platform::params + include ::platform::haproxy::params + if $::platform::params::distributed_cloud_role =='systemcontroller' { platform::haproxy::proxy { 'dcmanager-restapi': server_name => 's-dcmanager', @@ -58,6 +61,17 @@ class platform::dcmanager::haproxy private_port => $api_port, } } + + # Configure rules for https enabled admin endpoint. + if $::platform::params::distributed_cloud_role == 'systemcontroller' { + platform::haproxy::proxy { 'dcmanager-restapi-admin': + https_ep_type => 'admin', + server_name => 's-dcmanager', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } class platform::dcmanager::manager { diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp index 9e4080cb..0b758db3 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp @@ -69,6 +69,8 @@ class platform::dcorch::firewall class platform::dcorch::haproxy inherits ::platform::dcorch::params { + include ::platform::haproxy::params + if $::platform::params::distributed_cloud_role =='systemcontroller' { platform::haproxy::proxy { 'dcorch-neutron-api-proxy': server_name => 's-dcorch-neutron-api-proxy', 
@@ -100,6 +102,31 @@ class platform::dcorch::haproxy public_port => $identity_api_proxy_port, private_port => $identity_api_proxy_port, } + + # Configure rules for https enabled identity api proxy admin endpoint. + platform::haproxy::proxy { 'dcorch-identity-api-proxy-admin': + https_ep_type => 'admin', + server_name => 's-dcorch-identity-api-proxy', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $identity_api_proxy_port + 1, + private_port => $identity_api_proxy_port, + } + # Configure rules for https enabled sysinv api proxy admin endpoint. + platform::haproxy::proxy { 'dcorch-sysinv-api-proxy-admin': + https_ep_type => 'admin', + server_name => 's-dcorch-sysinv-api-proxy', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $sysinv_api_proxy_port + 1, + private_port => $sysinv_api_proxy_port, + } + # Configure rules for https enabled patching api proxy admin endpoint. + platform::haproxy::proxy { 'dcorch-patch-api-proxy-admin': + https_ep_type => 'admin', + server_name => 's-dcorch-patch-api-proxy', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $patch_api_proxy_port + 1, + private_port => $patch_api_proxy_port, + } } } diff --git a/puppet-manifests/src/modules/platform/manifests/fm.pp b/puppet-manifests/src/modules/platform/manifests/fm.pp index d30cc3e3..31ee7bca 100644 --- a/puppet-manifests/src/modules/platform/manifests/fm.pp +++ b/puppet-manifests/src/modules/platform/manifests/fm.pp @@ -38,6 +38,7 @@ class platform::fm class platform::fm::haproxy inherits ::platform::fm::params { + include ::platform::params include ::platform::haproxy::params platform::haproxy::proxy { 'fm-api-internal': 
@@ -54,6 +55,18 @@ class platform::fm::haproxy public_port => $api_port, private_port => $api_port, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'fm-api-admin': + https_ep_type => 'admin', + server_name => 's-fm-api-admin', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } class platform::fm::api diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp index d9775976..9ca92056 100644 --- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp +++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp @@ -3,6 +3,7 @@ class platform::haproxy::params ( $public_ip_address, $public_address_url, $enable_https = false, + $https_ep_type = 'public', $global_options = undef, $tpm_object = undef, @@ -20,6 +21,7 @@ define platform::haproxy::proxy ( $client_timeout = undef, $x_forwarded_proto = true, $enable_https = undef, + $https_ep_type = undef, $public_api = true, $tcp_mode = false, ) { 
@@ -31,13 +33,23 @@ define platform::haproxy::proxy ( $https_enabled = $::platform::haproxy::params::enable_https } + if $https_ep_type != undef { + $https_ep = $https_ep_type + } else { + $https_ep = $::platform::haproxy::params::https_ep_type + } + if $x_forwarded_proto { - if $https_enabled and $public_api { + if $https_enabled and $public_api and $https_ep == 'public' { $ssl_option = 'ssl crt /etc/ssl/private/server-cert.pem' $proto = 'X-Forwarded-Proto:\ https' # The value of max-age matches lighttpd.conf, and should be # maintained for consistency $hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains' + } elsif $https_ep == 'admin' { + $ssl_option = 'ssl crt /etc/ssl/private/admin-ep-cert.pem' + $proto = 'X-Forwarded-Proto:\ https' + $hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains' } else { $ssl_option = ' ' $proto = 'X-Forwarded-Proto:\ http' @@ -147,6 +159,11 @@ class platform::haproxy::runtime { include ::platform::nfv::haproxy include ::platform::ceph::haproxy include ::platform::fm::haproxy + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + include ::platform::dcdbsync::haproxy + include ::platform::smapi::haproxy + } if $::platform::params::distributed_cloud_role =='systemcontroller' { include ::platform::dcmanager::haproxy include ::platform::dcorch::haproxy diff --git a/puppet-manifests/src/modules/platform/manifests/nfv.pp b/puppet-manifests/src/modules/platform/manifests/nfv.pp index 10241e6c..e97d3c28 100644 --- a/puppet-manifests/src/modules/platform/manifests/nfv.pp +++ b/puppet-manifests/src/modules/platform/manifests/nfv.pp 
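Review bot: The new `elsif $https_ep == 'admin'` branch hard-codes `/etc/ssl/private/admin-ep-cert.pem`, the same path that config.pp assigns to `$dc_adminep_cert_file`, so the two can drift; exposing the path as a `platform::haproxy::params` parameter and referencing it from both places keeps them in sync. The `ssl crt` option carries no `ca-file`/`verify` setting, so the admin endpoint authenticates the server only and relies on the application layer for client authentication; if that is the intended design a comment saying so would stop a reviewer from reading it as an omission. The `$hsts_option` string in the admin branch is byte-identical to the one in the public branch and could be assigned once above the `if`. The branch also applies whenever `$https_ep == 'admin'` regardless of `$https_enabled`, which matches the commit intent but deserves a one-line comment since the public branch checks that flag.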
@@ -56,12 +56,26 @@ class platform::nfv::runtime { class platform::nfv::haproxy inherits ::platform::nfv::params { + include ::platform::params + include ::platform::haproxy::params platform::haproxy::proxy { 'vim-restapi': server_name => 's-vim-restapi', public_port => $api_port, private_port => $api_port, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'vim-restapi-admin': + https_ep_type => 'admin', + server_name => 's-vim-restapi', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } diff --git a/puppet-manifests/src/modules/platform/manifests/patching.pp b/puppet-manifests/src/modules/platform/manifests/patching.pp index a6b4e9e4..24588a42 100644 --- a/puppet-manifests/src/modules/platform/manifests/patching.pp +++ b/puppet-manifests/src/modules/platform/manifests/patching.pp @@ -51,6 +51,8 @@ class platform::patching class platform::patching::haproxy inherits ::platform::patching::params { + include ::platform::params + include ::platform::haproxy::params platform::haproxy::proxy { 'patching-restapi': server_name => 's-patching', @@ -58,6 +60,18 @@ class platform::patching::haproxy private_port => $private_port, server_timeout => $server_timeout, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'patching-restapi-admin': + https_ep_type => 'admin', + server_name => 's-patching', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $private_port + 1, + private_port => $private_port, + } + } } 
diff --git a/puppet-manifests/src/modules/platform/manifests/smapi.pp b/puppet-manifests/src/modules/platform/manifests/smapi.pp index 9a0a21df..f413f6f0 100644 --- a/puppet-manifests/src/modules/platform/manifests/smapi.pp +++ b/puppet-manifests/src/modules/platform/manifests/smapi.pp @@ -29,6 +29,18 @@ class platform::smapi::haproxy public_port => $port, private_port => $port, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'sm-api-admin': + https_ep_type => 'admin', + server_name => 's-smapi-admin', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $port + 1, + private_port => $port, + } + } } class platform::smapi diff --git a/puppet-manifests/src/modules/platform/manifests/sysinv.pp b/puppet-manifests/src/modules/platform/manifests/sysinv.pp index 0733b99c..706b3b13 100644 --- a/puppet-manifests/src/modules/platform/manifests/sysinv.pp +++ b/puppet-manifests/src/modules/platform/manifests/sysinv.pp @@ -78,12 +78,26 @@ class platform::sysinv::conductor { class platform::sysinv::haproxy inherits ::platform::sysinv::params { + include ::platform::params + include ::platform::haproxy::params platform::haproxy::proxy { 'sysinv-restapi': server_name => 's-sysinv', public_port => $api_port, private_port => $api_port, } + + # Configure rules for DC https enabled admin endpoint. + if ($::platform::params::distributed_cloud_role == 'systemcontroller' or + $::platform::params::distributed_cloud_role == 'subcloud') { + platform::haproxy::proxy { 'sysinv-restapi-admin': + https_ep_type => 'admin', + server_name => 's-sysinv', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $api_port + 1, + private_port => $api_port, + } + } } From 9e86812ec1301f384ebc8a701c021af9932ac2c1 Mon Sep 17 00:00:00 2001 
From: Tee Ngo Date: Wed, 15 Apr 2020 15:36:49 -0400 Subject: [PATCH 18/27] Add a cron job to purge dcorch database This commit adds a daily cron job to purge deleted orch requests that are older than 3 days, their orch jobs and resources from dcorch database. Story: 2007267 Task: 39044 Depends-On: https://review.opendev.org/720277 Change-Id: Ibc9f78ac89f4cc6706886a49062c3f5a6145cc9f Signed-off-by: Tee Ngo --- .../src/modules/platform/manifests/dcorch.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp index 9e4080cb..3c05010d 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp @@ -40,6 +40,17 @@ class platform::dcorch proxy_bind_host => $api_host, proxy_remote_host => $api_host, } + + # Purge dcorch database 20 minutes in the first hour daily + cron { 'dcorch-cleaner': + ensure => 'present', + command => '/usr/bin/clean-dcorch', + environment => 'PATH=/bin:/usr/bin:/usr/sbin', + minute => '20', + hour => '*/24', + user => 'root', + } + } } From 7a759239557ca69e2bc0c0b3084e0759b461f06b Mon Sep 17 00:00:00 2001 From: Robert Church Date: Wed, 22 Apr 2020 02:42:13 -0400 Subject: [PATCH 19/27] Enable --reserved-cpus option in k8s v1.18.1 The option was introduced in k8s v1.17 and will now be used to define the explicit set of CPUs that are reserved for specific cpu functions in StarlingX. This retires setting the number of CPUs reserved in the --kube-reserved and --system-reserved options. Change-Id: I1a3d4e4cca7b6940682a787c2e7348e56a047a06 Story: 2006999 Task: 39529 Signed-off-by: Robert Church --- .../modules/platform/manifests/kubernetes.pp | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) 
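Review bot: `hour => '*/24'` in the `dcorch-cleaner` cron is valid but only matches hour 0, since the hour field ranges 0-23; writing it as `hour => '0',` says what the comment above already says ("in the first hour daily") and avoids a reader wondering whether a 24-hour step was meant. The job runs `/usr/bin/clean-dcorch` as root with an explicit `PATH`; a short comment on why root is required (or a dedicated service user if it is not) would document the privilege choice. The enclosing `if` and class platform::dcorch start outside the hunk.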
diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp index b705b0c8..92d2fd28 100644 --- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp +++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp @@ -10,9 +10,9 @@ class platform::kubernetes::params ( $host_labels = [], $k8s_cpuset = undef, $k8s_nodeset = undef, - $k8s_reserved_cpus = undef, + $k8s_platform_cpuset = undef, $k8s_reserved_mem = undef, - $k8s_isol_cpus = undef, + $k8s_all_reserved_cpuset = undef, $k8s_cpu_mgr_policy = 'none', $k8s_topology_mgr_policy = 'best-effort', $k8s_cni_bin_dir = '/usr/libexec/cni', @@ -108,9 +108,9 @@ class platform::kubernetes::kubeadm { $node_ip = $::platform::kubernetes::params::node_ip $host_labels = $::platform::kubernetes::params::host_labels - $k8s_reserved_cpus = $::platform::kubernetes::params::k8s_reserved_cpus + $k8s_platform_cpuset = $::platform::kubernetes::params::k8s_platform_cpuset $k8s_reserved_mem = $::platform::kubernetes::params::k8s_reserved_mem - $k8s_isol_cpus = $::platform::kubernetes::params::k8s_isol_cpus + $k8s_all_reserved_cpuset = $::platform::kubernetes::params::k8s_all_reserved_cpuset $k8s_cni_bin_dir = $::platform::kubernetes::params::k8s_cni_bin_dir $k8s_vol_plugin_dir = $::platform::kubernetes::params::k8s_vol_plugin_dir $k8s_cpu_mgr_policy = $::platform::kubernetes::params::k8s_cpu_mgr_policy 
@@ -128,21 +128,22 @@ class platform::kubernetes::kubeadm { and !('openstack-compute-node' in $host_labels) { $opts = join(['--feature-gates TopologyManager=true', "--cpu-manager-policy=${k8s_cpu_mgr_policy}", - "--topology-manager-policy=${k8s_topology_mgr_policy}", - '--system-reserved-cgroup=/system.slice'], ' ') + "--topology-manager-policy=${k8s_topology_mgr_policy}"], ' ') + $opts_sys_res = join(['--system-reserved=', - "cpu=${k8s_reserved_cpus},", "memory=${k8s_reserved_mem}Mi"]) - $opts_kube_res = join(['--kube-reserved=', - "cpu=${k8s_isol_cpus}"]) + if $k8s_cpu_mgr_policy == 'none' { - $k8s_cpu_manager_opts = join([$opts, - $opts_sys_res], ' ') + $k8s_reserved_cpus = $k8s_platform_cpuset } else { - $k8s_cpu_manager_opts = join([$opts, - $opts_sys_res, - $opts_kube_res], ' ') + # The union of platform, isolated, and vswitch + $k8s_reserved_cpus = $k8s_all_reserved_cpuset } + + $opts_res_cpus = "--reserved-cpus=${k8s_reserved_cpus}" + $k8s_cpu_manager_opts = join([$opts, + $opts_sys_res, + $opts_res_cpus], ' ') } else { $k8s_cpu_manager_opts = '--cpu-manager-policy=none' } From 77b2e1ccfa612b632a4831da8b9a2c95fa812e9b Mon Sep 17 00:00:00 2001 From: Jessica Castelino Date: Fri, 24 Apr 2020 15:09:15 -0400 Subject: [PATCH 20/27] Rename the existing /opt/patch-vault filesystem to /opt/dc-vault The filesystem /opt/patch-vault is renamed to /opt/dc-vault so that it can be re-used to store FPGA images and software loads. Thus, necessary changes have been made in the puppet manifests. Story: 2006740 Task: 39550 Depends-On: https://review.opendev.org/#/c/723007/ Change-Id: I26055b12e7bd241adb072c609f72b8d113b4a20e Signed-off-by: Jessica Castelino --- .../src/modules/platform/manifests/drbd.pp | 20 +++++------ .../src/modules/platform/manifests/sm.pp | 34 +++++++++---------- 2 files changed, 27 insertions(+), 27 deletions(-) 
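Review bot: `$opts_res_cpus = "--reserved-cpus=${k8s_reserved_cpus}"` is built without checking that the selected cpuset is set, and both `$k8s_platform_cpuset` and `$k8s_all_reserved_cpuset` default to `undef` in the params hunk above, so a host whose hiera data lacks them would hand kubelet an empty `--reserved-cpus=`; a guard such as `if $k8s_reserved_cpus == undef { fail('platform/all-reserved cpuset must be set when a cpu manager policy is configured') }` surfaces the misconfiguration at apply time. The local `$k8s_reserved_cpus` reuses the name of the parameter this commit removes, so a hiera key still named `k8s_reserved_cpus` would now be silently ignored; a comment noting the rename next to the new local would help operators. The surrounding `if` that selects the policy, and class platform::kubernetes::kubeadm, start outside the hunk.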
diff --git a/puppet-manifests/src/modules/platform/manifests/drbd.pp b/puppet-manifests/src/modules/platform/manifests/drbd.pp index 412e0e1b..7b134bf1 100644 --- a/puppet-manifests/src/modules/platform/manifests/drbd.pp +++ b/puppet-manifests/src/modules/platform/manifests/drbd.pp @@ -223,19 +223,19 @@ class platform::drbd::extension ( } } -class platform::drbd::patch_vault::params ( +class platform::drbd::dc_vault::params ( $service_enabled = false, $device = '/dev/drbd6', - $lv_name = 'patch-vault-lv', - $lv_size = '8', - $mountpoint = '/opt/patch-vault', + $lv_name = 'dc-vault-lv', + $lv_size = '15', + $mountpoint = '/opt/dc-vault', $port = '7794', - $resource_name = 'drbd-patch-vault', + $resource_name = 'drbd-dc-vault', $vg_name = 'cgts-vg', ) {} -class platform::drbd::patch_vault ( -) inherits ::platform::drbd::patch_vault::params { +class platform::drbd::dc_vault ( +) inherits ::platform::drbd::dc_vault::params { if str2bool($::is_standalone_controller) { $drbd_primary = true @@ -460,7 +460,7 @@ class platform::drbd( include ::platform::drbd::rabbit include ::platform::drbd::platform include ::platform::drbd::extension - include ::platform::drbd::patch_vault + include ::platform::drbd::dc_vault include ::platform::drbd::etcd include ::platform::drbd::dockerdistribution include ::platform::drbd::cephmon @@ -530,10 +530,10 @@ class platform::drbd::extension::runtime { } -class platform::drbd::patch_vault::runtime { +class platform::drbd::dc_vault::runtime { include ::platform::drbd::params include ::platform::drbd::runtime_service_enable - include ::platform::drbd::patch_vault + include ::platform::drbd::dc_vault } class platform::drbd::etcd::runtime { diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index 062de39a..a55cead3 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp 
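Review bot: `$lv_size = '15',` changes the default volume size from 8 in the same hunk that renames the class, but neither the commit message nor a comment mentions the resize or how an existing 8 GB `/opt/patch-vault` volume is migrated to `/opt/dc-vault`; a comment on the parameter, e.g. `# 15 GB: vault now also holds FPGA images and software loads`, records the reason. The `platform::drbd::dc_vault::params` block keeps `$device = '/dev/drbd6'`, so the B&R comment added earlier in this series about keeping device names in sync with the restore playbook applies here too and is worth a cross-reference. The class platform::drbd::dc_vault body continues outside the hunk.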
@@ -67,11 +67,11 @@ class platform::sm $extension_fs_device = $::platform::drbd::extension::params::device $extension_fs_directory = $::platform::drbd::extension::params::mountpoint - include ::platform::drbd::patch_vault::params - $drbd_patch_enabled = $::platform::drbd::patch_vault::params::service_enabled - $patch_drbd_resource = $::platform::drbd::patch_vault::params::resource_name - $patch_fs_device = $::platform::drbd::patch_vault::params::device - $patch_fs_directory = $::platform::drbd::patch_vault::params::mountpoint + include ::platform::drbd::dc_vault::params + $drbd_patch_enabled = $::platform::drbd::dc_vault::params::service_enabled + $patch_drbd_resource = $::platform::drbd::dc_vault::params::resource_name + $patch_fs_device = $::platform::drbd::dc_vault::params::device + $patch_fs_directory = $::platform::drbd::dc_vault::params::mountpoint include ::platform::drbd::etcd::params $etcd_drbd_resource = $::platform::drbd::etcd::params::resource_name @@ -385,12 +385,12 @@ class platform::sm } if $drbd_patch_enabled { - exec { 'Configure Patch-vault DRBD': - command => "sm-configure service_instance drbd-patch-vault drbd-patch-vault:${hostunit} \"drbd_resource=${patch_drbd_resource}\"", + exec { 'Configure DC-vault DRBD': + command => "sm-configure service_instance drbd-dc-vault drbd-dc-vault:${hostunit} \"drbd_resource=${patch_drbd_resource}\"", } - exec { 'Configure Patch-vault FileSystem': - command => "sm-configure service_instance patch-vault-fs patch-vault-fs \"device=${patch_fs_device},directory=${patch_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", + exec { 'Configure DC-vault FileSystem': + command => "sm-configure service_instance dc-vault-fs dc-vault-fs \"device=${patch_fs_device},directory=${patch_fs_directory},options=noatime,nodiratime,fstype=ext4,check_level=20\"", } } 
@@ -618,17 +618,17 @@ class platform::sm } if $drbd_patch_enabled { - exec { 'Provision patch-vault-fs (service-group-member)': - command => 'sm-provision service-group-member controller-services patch-vault-fs', + exec { 'Provision dc-vault-fs (service-group-member)': + command => 'sm-provision service-group-member controller-services dc-vault-fs', } - -> exec { 'Provision patch-vault-fs (service)': - command => 'sm-provision service patch-vault-fs', + -> exec { 'Provision dc-vault-fs (service)': + command => 'sm-provision service dc-vault-fs', } - -> exec { 'Provision drbd-patch-vault (service-group-member)': - command => 'sm-provision service-group-member controller-services drbd-patch-vault', + -> exec { 'Provision drbd-dc-vault (service-group-member)': + command => 'sm-provision service-group-member controller-services drbd-dc-vault', } - -> exec { 'Provision drbd-patch-vault (service)': - command => 'sm-provision service drbd-patch-vault', + -> exec { 'Provision drbd-dc-vault (service)': + command => 'sm-provision service drbd-dc-vault', } } From db97027fb7b8cf8484f6ddc9ee4906ca091107ec Mon Sep 17 00:00:00 2001 From: albailey Date: Tue, 28 Apr 2020 12:39:05 -0500 Subject: [PATCH 21/27] Clamp pylint to be less than 2.5.0 A new version of pylint was released on April 25 and it is breaking zuul jobs so submissions cannot merge. Clamping pylint to be less than 2.5.0 for now. Change-Id: Ibd62a5d67bf8f37119b612a274c2d472a3474859 Partial-Bug: 1875705 Signed-off-by: albailey --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index e5029101..8b8285ca 100644 --- a/tox.ini +++ b/tox.ini @@ -68,7 +68,7 @@ sitepackages = False deps = {[testenv]deps} ruamel.yaml - pylint + pylint<2.5.0 commands = pylint {posargs} --rcfile=./pylint.rc puppet-manifests From 4107faed7e3466cba6fe7b6867152c91c869105b Mon Sep 17 00:00:00 2001 
From: Elena Taivan Date: Wed, 25 Mar 2020 11:48:49 +0000 Subject: [PATCH 22/27] Add a new filesystem for image conversion Adding runtime manifest for conversion logical volume. Adding new 'ensure' parameter for 'platform::filesystem' class. Change-Id: I622837959a5a7aabc462640b588713396354ce73 Partial-bug: 1819688 Signed-off-by: Elena Taivan --- .../modules/platform/manifests/filesystem.pp | 143 ++++++++++++++---- 1 file changed, 110 insertions(+), 33 deletions(-) diff --git a/puppet-manifests/src/modules/platform/manifests/filesystem.pp b/puppet-manifests/src/modules/platform/manifests/filesystem.pp index f03abedd..c798b562 100644 --- a/puppet-manifests/src/modules/platform/manifests/filesystem.pp +++ b/puppet-manifests/src/modules/platform/manifests/filesystem.pp @@ -10,6 +10,7 @@ define platform::filesystem ( $fs_type, $fs_options, $fs_use_all = false, + $ensure = present, $mode = '0750', ) { include ::platform::filesystem::params 
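Review bot: The new `$ensure = present` parameter is a bareword default, and the body of the define (in the following hunk) only acts on `'absent'` and `'present'`, so any other value — including the `'mounted'` that Puppet mount resources use — silently creates nothing and removes nothing. If this module is on Puppet 4+ syntax, declaring it as `Enum['present', 'absent'] $ensure = 'present',` turns that into a catalog compile error; otherwise a comment on the parameter stating the two accepted values would do. The define continues past the hunk.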
@@ -27,44 +28,73 @@ define platform::filesystem ( $fs_size_is_minsize = false } - # create logical volume - logical_volume { $lv_name: - ensure => present, - volume_group => $vg_name, - size => $size, - size_is_minsize => $fs_size_is_minsize, + if ($ensure == 'absent') { + exec { "umount mountpoint ${mountpoint}": + command => "umount ${mountpoint}; true", + onlyif => "test -e ${mountpoint}", + } + -> mount { $name: + ensure => $ensure, + atboot => 'yes', + name => $mountpoint, + device => $device, + options => 'defaults', + fstype => $fs_type, + } + -> exec { "wipe start of device ${device}": + command => "dd if=/dev/zero of=${device} bs=512 count=34", + onlyif => "blkid ${device}", + } + -> exec { "wipe end of device ${device}": + command => "dd if=/dev/zero of=${device} bs=512 seek=$(($(blockdev --getsz ${device}) - 34)) count=34", + onlyif => "blkid ${device}", + } + -> exec { "lvremove lv ${lv_name}": + command => "lvremove -f cgts-vg ${lv_name}; true", + onlyif => "test -e /dev/cgts-vg/${lv_name}" + } } - # create filesystem - -> filesystem { $device: - ensure => present, - fs_type => $fs_type, - options => $fs_options, - } + if ($ensure == 'present') { + # create logical volume + logical_volume { $lv_name: + ensure => $ensure, + volume_group => $vg_name, + size => $size, + size_is_minsize => $fs_size_is_minsize, + } - -> file { $mountpoint: - ensure => 'directory', - owner => 'root', - group => 'root', - mode => $mode, - } + # create filesystem + -> filesystem { $device: + ensure => $ensure, + fs_type => $fs_type, + options => $fs_options, + } - -> mount { $name: - ensure => 'mounted', - atboot => 'yes', - name => $mountpoint, - device => $device, - options => 'defaults', - fstype => $fs_type, - } + -> file { $mountpoint: + ensure => 'directory', + owner => 'root', + group => 'root', + mode => $mode, + } - # The above mount resource doesn't actually remount devices that were already present in /etc/fstab, but were - # unmounted during manifest application. 
To get around this, we attempt to mount them again, if they are not - # already mounted. - -> exec { "mount ${device}": - unless => "mount | awk '{print \$3}' | grep -Fxq ${mountpoint}", - command => "mount ${mountpoint}", - path => '/usr/bin' + -> mount { $name: + ensure => 'mounted', + atboot => 'yes', + name => $mountpoint, + device => $device, + options => 'defaults', + fstype => $fs_type, + } + + # The above mount resource doesn't actually remount devices that were already present in /etc/fstab, but were + # unmounted during manifest application. To get around this, we attempt to mount them again, if they are not + # already mounted. + -> exec { "mount ${device}": + unless => "mount | awk '{print \$3}' | grep -Fxq ${mountpoint}", + command => "mount ${mountpoint}", + path => '/usr/bin' + } } } @@ -123,6 +153,17 @@ class platform::filesystem::backup } } +class platform::filesystem::conversion::params ( + $conversion_enabled = false, + $ensure = absent, + $lv_size = '1', + $lv_name = 'conversion-lv', + $mountpoint = '/opt/conversion', + $devmapper = '/dev/mapper/cgts--vg-conversion--lv', + $fs_type = 'ext4', + $fs_options = ' ' +) { } + class platform::filesystem::scratch::params ( $lv_size = '8', $lv_name = 'scratch-lv', @@ -144,6 +185,22 @@ class platform::filesystem::scratch } } +class platform::filesystem::conversion + inherits ::platform::filesystem::conversion::params { + + if $conversion_enabled { + $ensure = present + } + platform::filesystem { $lv_name: + ensure => $ensure, + lv_name => $lv_name, + lv_size => $lv_size, + mountpoint => $mountpoint, + fs_type => $fs_type, + fs_options => $fs_options + } +} + class platform::filesystem::kubelet::params ( $lv_size = '10', $lv_name = 'kubelet-lv', 
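Review bot: `lvremove -f cgts-vg ${lv_name}` in the absent branch passes the volume group and the LV as two separate positional arguments, and lvremove treats a bare VG argument as "every LV in that group", so with `-f` this can remove far more than the conversion volume; the `vg/lv` form is the one that names a single LV. The same branch runs `umount ${mountpoint}; true`, which hides an unmount failure (a busy filesystem, for instance) and then lets the two `dd` execs zero the start and end of a device that may still be mounted, since `onlyif => "blkid ${device}"` is true either way. Both lvremove lines also hard-code `cgts-vg` although the define already receives `$vg_name` (used in the present branch as `volume_group => $vg_name`). None of the new execs set `path`, unlike the existing `mount ${device}` exec below; that only works if an `Exec` resource default supplies one elsewhere, which I cannot see from here, and the define itself starts before this hunk.
```puppet
  if ($ensure == 'absent') {
    exec { "umount mountpoint ${mountpoint}":
      command => "umount ${mountpoint}",
      onlyif  => "mountpoint -q ${mountpoint}",
    }
    # … unchanged: mount { $name: ensure => $ensure … } …
    -> exec { "wipe start of device ${device}":
      command => "dd if=/dev/zero of=${device} bs=512 count=34",
      onlyif  => "blkid ${device} && ! mountpoint -q ${mountpoint}",
    }
    -> exec { "wipe end of device ${device}":
      command => "dd if=/dev/zero of=${device} bs=512 seek=$(($(blockdev --getsz ${device}) - 34)) count=34",
      onlyif  => "blkid ${device} && ! mountpoint -q ${mountpoint}",
    }
    -> exec { "lvremove lv ${lv_name}":
      command => "lvremove -f ${vg_name}/${lv_name}",
      onlyif  => "test -e /dev/${vg_name}/${lv_name}",
    }
  }
```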
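Review bot: `$devmapper = '/dev/mapper/cgts--vg-conversion--lv'` in `platform::filesystem::conversion::params` hard-codes a path that is derived from `$lv_name` and the volume group, so overriding `$lv_name` (a parameter of the same class) silently leaves `$devmapper` pointing at the old volume, and the runtime class in the next hunk group hands that value to `platform::filesystem::resize`. Deriving it from `$lv_name`, or stating in a comment that the two must be changed together, keeps them consistent. `$fs_options = ' '` (a single space) also reads like a placeholder for "no options" rather than a deliberate value and deserves a comment if the filesystem resource requires it.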
@@ -216,6 +273,7 @@ class platform::filesystem::compute { class platform::filesystem::controller { include ::platform::filesystem::backup include ::platform::filesystem::scratch + include ::platform::filesystem::conversion include ::platform::filesystem::docker include ::platform::filesystem::kubelet } @@ -250,6 +308,25 @@ class platform::filesystem::scratch::runtime { } } +class platform::filesystem::conversion::runtime { + include ::platform::filesystem::conversion + include ::platform::filesystem::conversion::params + + $conversion_enabled = $::platform::filesystem::conversion::params::conversion_enabled + $lv_name = $::platform::filesystem::conversion::params::lv_name + $lv_size = $::platform::filesystem::conversion::params::lv_size + $devmapper = $::platform::filesystem::conversion::params::devmapper + + if $conversion_enabled { + Class['::platform::filesystem::conversion'] + -> platform::filesystem::resize { $lv_name: + lv_name => $lv_name, + lv_size => $lv_size, + devmapper => $devmapper, + } + } +} + class platform::filesystem::kubelet::runtime { include ::platform::filesystem::kubelet::params From b793518f65ae932f3974ff85b797f505b5ef1c2a Mon Sep 17 00:00:00 2001 
From: Robert Church Date: Wed, 29 Apr 2020 12:49:04 -0400 Subject: [PATCH 23/27] Ensure containerd binds to the loopback interface Set the stream_server_address to bind to the loopback interface with a value of "127.0.0.1" for IPv4 and "::1" for IPv6. Without setting the stream_server_address in config.toml, containerd was binding to the OAM interface. Under most situations this resulted in containerd binding to the OAM fixed host address. But in an IPv6 configuration there were occasions where after controller-0 unlock, the OAM floating IP would be used. When this happened, swacting away from controller-0 would move the OAM floating IP to controller-1 and break access to containers residing on controller-0. This will explicitly update the containerd configuration to use the IP address of the loopback interface based on the system's network configuration. This also removes any security concerns with containerd binding to the OAM interface. Change-Id: I0f914d738e94b525cf217712675d3b4575817d1d Depends-On: https://review.opendev.org/#/c/725394/ Closes-Bug: #1875891 Signed-off-by: Robert Church --- .../src/modules/platform/manifests/containerd.pp | 9 ++++++++- .../src/modules/platform/templates/config.toml.erb | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/puppet-manifests/src/modules/platform/manifests/containerd.pp b/puppet-manifests/src/modules/platform/manifests/containerd.pp index 77b9785d..4448911c 100644 --- a/puppet-manifests/src/modules/platform/manifests/containerd.pp +++ b/puppet-manifests/src/modules/platform/manifests/containerd.pp @@ -5,7 +5,8 @@ class platform::containerd::params ( $no_proxy = undef, $k8s_registry = undef, $insecure_registries = undef, - $k8s_cni_bin_dir = '/usr/libexec/cni' + $k8s_cni_bin_dir = '/usr/libexec/cni', + $stream_server_address = 'localhost', ) { } class platform::containerd::config 
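Review bot: The `$stream_server_address = 'localhost'` default added to `platform::containerd::params` is never read by the code that uses it: in the @@ -60 hunk `platform::containerd::config` assigns its own `$stream_server_address` from `$::platform::network::mgmt::params::subnet_version`, and the template reads that class variable, so the params default only matters if config inherits params, which is not visible here. `'localhost'` is also the one value worth avoiding for a loopback bind, because it may resolve to either address family depending on the resolver. Either drop the parameter or move the IPv4/IPv6 selection into params and have config read `$::platform::containerd::params::stream_server_address`, so there is a single source of truth. `platform::containerd::config` starts at the end of this hunk and continues outside it.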
@@ -60,6 +61,12 @@ class platform::containerd::config # get cni bin directory $k8s_cni_bin_dir = $::platform::kubernetes::params::k8s_cni_bin_dir + if $::platform::network::mgmt::params::subnet_version == $::platform::params::ipv6 { + $stream_server_address = '::1' + } else { + $stream_server_address = '127.0.0.1' + } + file { '/etc/containerd': ensure => 'directory', owner => 'root', diff --git a/puppet-manifests/src/modules/platform/templates/config.toml.erb b/puppet-manifests/src/modules/platform/templates/config.toml.erb index 8ae22602..77696346 100644 --- a/puppet-manifests/src/modules/platform/templates/config.toml.erb +++ b/puppet-manifests/src/modules/platform/templates/config.toml.erb @@ -26,7 +26,7 @@ oom_score = 0 [plugins.cgroups] no_prometheus = false [plugins.cri] - stream_server_address = "" + stream_server_address = "<%= @stream_server_address %>" stream_server_port = "0" enable_selinux = false sandbox_image = "registry.local:9001/k8s.gcr.io/pause:3.2" From 4e9153cf234e714e4bbc9a9eb3d9b55b2828145a Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Mon, 4 May 2020 14:30:30 -0500 Subject: [PATCH 24/27] Move subcloud audit to separate process Subcloud audit is being removed from the dcmanager-manager process and it is running in dcmanager-audit process. This update adds associated puppet config. Story: 2007267 Task: 39640 Depends-On: https://review.opendev.org/#/c/725627/ Change-Id: Idd2e675126a01d6113597646ddd9eb4a0bc5be44 Signed-off-by: Tao Liu --- puppet-manifests/src/modules/platform/manifests/sm.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index 062de39a..c2a356c6 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp 
@@ -821,6 +821,12 @@ class platform::sm -> exec { 'Provision DCManager-Manager in SM (service dcmanager-manager)': command => 'sm-provision service dcmanager-manager', } + -> exec { 'Provision DCManager-Audit (service-group-member dcmanager-audit)': + command => 'sm-provision service-group-member distributed-cloud-services dcmanager-audit', + } + -> exec { 'Provision DCManager-Audit in SM (service dcmanager-audit)': + command => 'sm-provision service dcmanager-audit', + } -> exec { 'Provision DCManager-RestApi (service-group-member dcmanager-api)': command => 'sm-provision service-group-member distributed-cloud-services dcmanager-api', } @@ -866,6 +872,9 @@ class platform::sm -> exec { 'Configure Platform - DCManager-Manager': command => "sm-configure service_instance dcmanager-manager dcmanager-manager \"\"", } + -> exec { 'Configure Platform - DCManager-Audit': + command => "sm-configure service_instance dcmanager-audit dcmanager-audit \"\"", + } -> exec { 'Configure OpenStack - DCManager-API': command => "sm-configure service_instance dcmanager-api dcmanager-api \"\"", } From 04a3cb8cbad9b1700286c5de67aa5d974cf54400 Mon Sep 17 00:00:00 2001 From: Elena Taivan Date: Wed, 29 Apr 2020 08:44:13 +0000 Subject: [PATCH 25/27] Changing permissions for conversion folder Adding writing permissions to '/opt/conversion' mountpoint so openstack image conversion can happen there. Change-Id: Id1a91db6570dcbed3b8068e79e72f5bb800f24ad Partial-bug: 1819688 Signed-off-by: Elena Taivan --- .../src/modules/platform/manifests/filesystem.pp | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/puppet-manifests/src/modules/platform/manifests/filesystem.pp b/puppet-manifests/src/modules/platform/manifests/filesystem.pp index c798b562..1b5ac8d4 100644 --- a/puppet-manifests/src/modules/platform/manifests/filesystem.pp +++ b/puppet-manifests/src/modules/platform/manifests/filesystem.pp 
@@ -41,6 +41,10 @@ define platform::filesystem ( options => 'defaults', fstype => $fs_type, } + -> file { $mountpoint: + ensure => $ensure, + force => true, + } -> exec { "wipe start of device ${device}": command => "dd if=/dev/zero of=${device} bs=512 count=34", onlyif => "blkid ${device}", @@ -95,6 +99,9 @@ define platform::filesystem ( command => "mount ${mountpoint}", path => '/usr/bin' } + -> exec {"Change ${mountpoint} dir permissions": + command => "chmod ${mode} ${mountpoint}", + } } } @@ -161,7 +168,8 @@ class platform::filesystem::conversion::params ( $mountpoint = '/opt/conversion', $devmapper = '/dev/mapper/cgts--vg-conversion--lv', $fs_type = 'ext4', - $fs_options = ' ' + $fs_options = ' ', + $mode = '0750' ) { } class platform::filesystem::scratch::params ( @@ -190,6 +198,7 @@ class platform::filesystem::conversion if $conversion_enabled { $ensure = present + $mode = '0777' } platform::filesystem { $lv_name: ensure => $ensure, @@ -197,7 +206,8 @@ class platform::filesystem::conversion lv_size => $lv_size, mountpoint => $mountpoint, fs_type => $fs_type, - fs_options => $fs_options + fs_options => $fs_options, + mode => $mode } } From 65daac29e4635f32a57e80cd18f96fd59dc8ebe0 Mon Sep 17 00:00:00 2001 From: Bin Qian Date: Tue, 12 May 2020 22:39:21 -0400 Subject: [PATCH 26/27] DC cert manifest should only apply to controller nodes DC cert manifest should only apply to controller nodes on system controller. This fix is for DC with worker nodes in central cloud. Change-Id: I4233509a6f0afb3013c01e81dea6f655d9e15371 Closes-Bug: 1878260 Signed-off-by: Bin Qian --- puppet-manifests/centos/build_srpm.data | 2 +- puppet-manifests/src/modules/platform/manifests/config.pp | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data index 2bdf6c5d..992348db 100644 --- a/puppet-manifests/centos/build_srpm.data +++ b/puppet-manifests/centos/build_srpm.data 
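Review bot: `file { $mountpoint: ensure => $ensure, force => true }` in the absent branch recursively deletes the directory, and because the preceding `umount ${mountpoint}; true` (outside this hunk) masks unmount failures, a busy filesystem would still be mounted when Puppet recurses into it; in that case the data on the volume, not just the empty mountpoint, is removed. Without `force`, Puppet refuses to remove a non-empty directory, which is the safe failure here, so I would drop `force => true` or at least apply the resource only once `mountpoint -q ${mountpoint}` returns non-zero. The enclosing define starts and ends outside the hunk.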
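Review bot: The new exec `Change ${mountpoint} dir permissions` in the @@ -95 hunk has no `unless`/`onlyif`, so it runs and reports a change on every catalog application, and unlike the `mount ${device}` exec right above it sets no `path`. Adding `path => '/usr/bin'` and a guard such as `unless => "stat -c 0%a ${mountpoint} | grep -qx ${mode}"` (assuming `$mode` is always written with one leading zero, as the '0750' and '0777' values here are) makes it idempotent and consistent with its neighbour. A short comment on why the earlier `file { $mountpoint: mode => $mode }` is not sufficient — presumably because it applies to the directory underneath the mount rather than the mounted root — would also help the next reader.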
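Review bot: `$mode = '0777'` in `platform::filesystem::conversion` makes `/opt/conversion` world-writable without the sticky bit, so any local account that can write there can also delete or rename files created by another; `$mode = '1777'` grants the same write access while restricting removal to the file owner, the usual choice for a shared scratch directory. If only one service account performs conversions, a group-writable mode with that group would be tighter still, but that depends on the consumer, which is not visible here.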
@@ -1,2 +1,2 @@ SRC_DIR="src" -TIS_PATCH_VER=97 +TIS_PATCH_VER=98 diff --git a/puppet-manifests/src/modules/platform/manifests/config.pp b/puppet-manifests/src/modules/platform/manifests/config.pp index 88516609..a57295cb 100644 --- a/puppet-manifests/src/modules/platform/manifests/config.pp +++ b/puppet-manifests/src/modules/platform/manifests/config.pp @@ -350,7 +350,8 @@ class platform::config::pre { include ::platform::config::file include ::platform::config::tpm include ::platform::config::certs::ssl_ca - if $::platform::params::distributed_cloud_role =='systemcontroller' { + if ($::platform::params::distributed_cloud_role =='systemcontroller' and + $::personality == 'controller') { include ::platform::config::dc_root_ca } } From 4134023ab84d8a635b118d5e3ff26ade3bbe535b Mon Sep 17 00:00:00 2001 From: Sharath Kumar K Date: Thu, 7 May 2020 10:08:11 +0200 Subject: [PATCH 27/27] Tox and Zuul job for the bandit code scan in stx/stx-puppet Setting up the bandit tool for the scanning of HIGH severity issues in the python codes under Starlingx/stx-puppet folder. Expecting this merge will enable zuul job for CI/CD of bandit scan. Configuration files: 1. tox.ini for adding bandit environment and command. 2. test-requirements.txt for adding bandit version. 3. .zuul.yaml file for adding bandit job and configuring under check job to run code scan every time before code commit. Test: Run tox -e bandit command inside the fault folder to validate the bandit scan and result. Story: 2007541 Task: 39687 Depends-On: https://review.opendev.org/#/c/721294/ Change-Id: I2982268db2b5e75feeb287bc95420fedc9b0d816 Signed-off-by: Sharath Kumar K --- .zuul.yaml | 2 ++ test-requirements.txt | 1 + tox.ini | 5 +++++ 3 files changed, 8 insertions(+) diff --git a/.zuul.yaml b/.zuul.yaml index 46530649..0bee17b4 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -1,5 +1,7 @@ --- - project: + templates: + - stx-bandit-jobs check: jobs: - stx-puppet-linters 
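Review bot: The new condition keeps the pre-existing `=='systemcontroller'` spacing while adding the parenthesised `and`; elsewhere in these manifests (the containerd subnet comparison, for example) `==` is surrounded by spaces, so `if ($::platform::params::distributed_cloud_role == 'systemcontroller' and` reads more consistently. `$::personality` is a top-scope variable whose source is not visible here; if it can be undefined on some node types the comparison is simply false and `dc_root_ca` is silently skipped, which is the intended direction but worth a one-line comment. `platform::config::pre` continues outside the hunk.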
diff --git a/test-requirements.txt b/test-requirements.txt index 8ae3e22f..3ee3d279 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,3 +1,4 @@ # hacking pulls in flake8 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 bashate >= 0.2 +bandit!=1.6.0,>=1.1.0,<2.0.0 diff --git a/tox.ini b/tox.ini index 8b8285ca..fc916874 100644 --- a/tox.ini +++ b/tox.ini @@ -81,3 +81,8 @@ show-source = True ignore = E123,E125,E501,H405,W504 exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-* +[testenv:bandit] +basepython = python3 +description = Bandit code scan for *.py files under config folder +deps = -r{toxinidir}/test-requirements.txt +commands = bandit -r {toxinidir}/ -x '**/.tox/**,**/.eggs/**' -lll
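Review bot: `description = Bandit code scan for *.py files under config folder` in the new `[testenv:bandit]` names the wrong project (this repository is stx-puppet); `description = Bandit code scan for *.py files under stx-puppet` keeps the env output accurate. `-lll` reports only HIGH severity findings, so MEDIUM results are dropped silently; if that threshold is a deliberate first step, a comment in tox.ini saying so, and naming `-ll` as the target, would help whoever tightens it later. The `-x '**/.tox/**,**/.eggs/**'` glob form relies on a bandit version that supports glob excludes, and the `>=1.1.0` lower bound in test-requirements.txt may admit versions that do not, which I cannot confirm from here.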