StarlingX

Containerd config needs a jinja template

Bug #1892768 reported by Jerry Sun on 2020-08-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Low	Carmen Rata

Bug Description

Brief Description
-----------------
/etc/containerd/config.toml is currently managed by puppet and also set up initially through ansible. Ansible currently works with the erb template and sed expressions, which is ugly. We should have a jinja template for this file for ansible to use instead of working with sed and the erb.

originally from comment in this review: https://review.opendev.org/#/c/746790/1/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml

Severity
--------
Minor

Branch/Pull Time/Commit
-----------------------
August 24th pull

Tags:

CVE References

2020-15705

Bill Zvonar (billzvonar) on 2020-08-24

tags:	added: stx.5.0
tags:	added: stx.config
Changed in starlingx:
status:	New → Triaged
assignee:	nobody → Jerry Sun (jerry-sun-u)

Ghada Khalil (gkhalil) on 2020-09-04

Changed in starlingx:
importance:	Undecided → Low

Ghada Khalil (gkhalil) on 2020-12-18

Changed in starlingx:
assignee:	Jerry Sun (jerry-sun-u) → Douglas Lopes Pereira (douglaspereira)

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-12-18:

Tee Ngo should be able to provide some further insights of how to proceed with this code cleanup activity.

Ghada Khalil (gkhalil) on 2021-01-15

Changed in starlingx:
assignee:	Douglas Lopes Pereira (douglaspereira) → Carmen Rata (crata)

Revision history for this message

Carmen Rata (crata) wrote on 2021-03-12:

2 fixes have been merged in commits:

review.opendev.org / starlingx / ansible-playbooks / 64feca44b59284b07d42e7100fb90b22297c0ce0

review.opendev.org / starlingx / stx-puppet / a79bc74c31350fc05cf16d89b1c2cdf35af5ef5f

Changed in starlingx:
status:	Triaged → Fix Released

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-03-12:

Review Links:
https://review.opendev.org/c/starlingx/stx-puppet/+/780311
https://review.opendev.org/c/starlingx/ansible-playbooks/+/779047

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792009

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Change abandoned on stx-puppet (f/centos8)

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792009

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792013

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Change abandoned on stx-puppet (f/centos8)

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792013

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792018

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Change abandoned on stx-puppet (f/centos8)

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792018

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-18: Fix proposed to stx-puppet (f/centos8)

#10

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/792029

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-19: Fix proposed to ansible-playbooks (f/centos8)

#11

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/792195

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-02:

#12

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/794303

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-02: Change abandoned on ansible-playbooks (f/centos8)

#13

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/794303

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-02: Fix proposed to ansible-playbooks (f/centos8)

#14

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/794324

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-02: Change abandoned on ansible-playbooks (f/centos8)

#15

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/792195

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-03: Fix merged to ansible-playbooks (f/centos8)

#16

Download full text (52.5 KiB)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/794324
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/163ec9989cc7360dba4c572b2c43effd10306048
Submitter: "Zuul (22348)"
Branch: f/centos8

commit 4e96b762f549aadb0291cc9bcf3352ae923e94eb
Author: Mihnea Saracin <email address hidden>
Date: Sat May 22 15:48:19 2021 +0000

Revert "Restore host filesystems with collected sizes"

This reverts commit 255488739efa4ac072424b19f2dbb7a3adb0254e.

Reason for revert: Did a rework to fix https://bugs.launchpad.net/starlingx/+bug/1926591. The original problem was in puppet, and this fix in ansible was not good enough, it generated some other problems.

Change-Id: Iea79701a874effecb7fe995ac468d50081d1a84f
Depends-On: I55ae6954d24ba32e40c2e5e276ec17015d9bba44

commit c064aacc377c8bd5336ceab825d4bcbf5af0b5e8
Author: Angie Wang <email address hidden>
Date: Fri May 21 21:28:02 2021 -0400

Ensure apiserver keys are present before extract from tarball

    This is to fix the upgrade playbook issue that happens during
    AIO-SX upgrade from stx4.0 to stx5.0 which introduced by
    https://review.opendev.org/c/starlingx/ansible-playbooks/+/792093.
    The apiserver keys are not available in stx4.0 side so we need
    to ensure the keys under /etc/kubernetes/pki are present in the
    backed-up tarball before extracting, otherwise playbook fails
    because the keys are not found in the archive.

    Change-Id: I8602f07d1b1041a7fd3fff21e6f9a422b9784ab5
    Closes-Bug: 928925
    Signed-off-by: Angie Wang <email address hidden>

commit 0261f22ff7c23d2a8608fe3b51725c9f29931281
Author: Don Penney <email address hidden>
Date: Thu May 20 23:09:07 2021 -0400

Update SX to DX migration to wait for coredns config

    This commit updates the SX to DX migration playbook to wait after
    modifying the system mode to duplex until the runtime manifest that
    updates coredns config has completed. The playbook will wait for up to
    20 minutes to allow for the possibilty that sysinv has multiple
    runtime manifests queued up, each of which could take several minutes.

    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/792494
    Depends-On: https://review.opendev.org/c/starlingx/config/+/792496
    Change-Id: I3bf94d3493ae20eeb16b3fdcb27576ee18c0dc4d
    Closes-Bug: 1929148
    Signed-off-by: Don Penney <email address hidden>

commit 7c4f17bd0d92fc1122823211e1c9787829d206a9
Author: Daniel Safta <email address hidden>
Date: Wed May 19 09:08:16 2021 +0000

Fixed missing apiserver-etcd-client certs

    When controller-1 is the active controller
    the backup archive does not contain
    /etc/etcd/apiserver-etcd-client.{crt, key}

This change adds a new task which brings
the certs from /etc/kubernetes/pki

    Closes-bug: 1928925
    Signed-off-by: Daniel Safta <email address hidden>
    Change-Id: I3c68377603e1af9a71d104e5b1108e9582497a09

commit e221ef8fbe51aa6ca229b584fb5632fe512ad5cb
Author: David Sullivan <email address hidden>
Date: Wed May 19 16:01:27 2021 -0500

Support boo...

Reviewed:  https://review.opendev.org/c/starlingx/ansible-playbooks/+/794324
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/163ec9989cc7360dba4c572b2c43effd10306048
Submitter: "Zuul (22348)"
Branch:    f/centos8

commit 4e96b762f549aadb0291cc9bcf3352ae923e94eb
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Sat May 22 15:48:19 2021 +0000

Revert "Restore host filesystems with collected sizes"
    
    This reverts commit 255488739efa4ac072424b19f2dbb7a3adb0254e.
    
    Reason for revert: Did a rework to fix https://bugs.launchpad.net/starlingx/+bug/1926591. The original problem was in puppet, and this fix in ansible was not good enough, it generated some other problems.
    
    Change-Id: Iea79701a874effecb7fe995ac468d50081d1a84f
    Depends-On: I55ae6954d24ba32e40c2e5e276ec17015d9bba44

commit c064aacc377c8bd5336ceab825d4bcbf5af0b5e8
Author: Angie Wang <angie.wang@windriver.com>
Date:   Fri May 21 21:28:02 2021 -0400

Ensure apiserver keys are present before extract from tarball
    
    This is to fix the upgrade playbook issue that happens during
    AIO-SX upgrade from stx4.0 to stx5.0 which introduced by
    https://review.opendev.org/c/starlingx/ansible-playbooks/+/792093.
    The apiserver keys are not available in stx4.0 side so we need
    to ensure the keys under /etc/kubernetes/pki are present in the
    backed-up tarball before extracting, otherwise playbook fails
    because the keys are not found in the archive.
    
    Change-Id: I8602f07d1b1041a7fd3fff21e6f9a422b9784ab5
    Closes-Bug: 928925
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 0261f22ff7c23d2a8608fe3b51725c9f29931281
Author: Don Penney <don.penney@windriver.com>
Date:   Thu May 20 23:09:07 2021 -0400

Update SX to DX migration to wait for coredns config
    
    This commit updates the SX to DX migration playbook to wait after
    modifying the system mode to duplex until the runtime manifest that
    updates coredns config has completed. The playbook will wait for up to
    20 minutes to allow for the possibilty that sysinv has multiple
    runtime manifests queued up, each of which could take several minutes.
    
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/792494
    Depends-On: https://review.opendev.org/c/starlingx/config/+/792496
    Change-Id: I3bf94d3493ae20eeb16b3fdcb27576ee18c0dc4d
    Closes-Bug: 1929148
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit 7c4f17bd0d92fc1122823211e1c9787829d206a9
Author: Daniel Safta <daniel.safta@windriver.com>
Date:   Wed May 19 09:08:16 2021 +0000

Fixed missing apiserver-etcd-client certs
    
    When controller-1 is the active controller
    the backup archive does not contain
    /etc/etcd/apiserver-etcd-client.{crt, key}
    
    This change adds a new task which brings
    the certs from /etc/kubernetes/pki
    
    Closes-bug: 1928925
    Signed-off-by: Daniel Safta <daniel.safta@windriver.com>
    Change-Id: I3c68377603e1af9a71d104e5b1108e9582497a09

commit e221ef8fbe51aa6ca229b584fb5632fe512ad5cb
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Wed May 19 16:01:27 2021 -0500

Support bootstrap replay with networking changes
    
    Currently bootstrap playbook replay will fail if the management or
    cluster host networks are changed. To resolve this a couple of changes
    are needed:
    
    * Restart the sysinv agent and wait until it is ready. The sysinv agent
      uses the current management ip for the rabbitMQ connection and
      applying runtime manifests. The process needs to be restarted to
      resync that data.
    
    * Copy the etcd certs to the /opt/platform on replay. The etcd-server
      certs are regenerated on replay. When the cluster host network changed
      the SAN in the certs under /opt/platform were out of date resulting in
      kube-apiserver failures on controller-0 unlock.
    
    Closes-Bug: 1925668
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>
    Change-Id: I228321a2540a0024cd217ed844feb54be9ae3b29

commit 41ada83e4f4486d0795eed3e7a8bbe4227ee88d8
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Wed May 19 12:53:26 2021 -0500

Bug fix: update barbican external id if the project id changes
    
    The previous commit
    https://review.opendev.org/c/starlingx/ansible-playbooks/+/790824
    unexpectedly moves the update_barbican_project_external_id out of the
    scope of the project id changes. Further, the old_id['id'] is
    duplicated with the current_project_id, it will be undeclared in the
    case of the project id not changed (by deleting the subcloud in
    powered off status and re-add it with --migrate option). This commit
    deletes the duplicated variable and moves the
    update_barbican_project_external_id to the correct scope.
    
    Tests:
    1 Delete a subcloud from a central cloud and add it back with the
    migrate option.
    2 Migrate a subcloud successfully to a different central cloud.
    3 Migrate a subcloud successfully with an extra nonlocal user to a
    different central cloud.
    
    Partial-Bug: 1928139
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>
    Change-Id: I8acf7bcea5d8e77b92877427ccd40b95e8b3515e

commit ac0c5d51a8708c8c056a736ff11ce1a0b1550c4f
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Thu May 13 19:53:41 2021 +0300

Create the pod_max_pids service parameter
    
    This adds a default entry to service parameters.
    
    Create the default entry taking into consideration the most hungry of
    the optional StarlingX apps. The user is free to modify the value as
    desired, using 'system service-parameter-modify'.
    
    Same can be created by the user using 'system service-parameter-add',
    but this helps the user by being transparent in service-parameter-list.
    
    If this service parameter was missing an entry, then no hieradata
    variable would have been generated, so puppet would have used
    a predefined value.
    
    Partial-Bug: 1928353
    Depends-On: I74fcf2bd405c2a3811a4f27a55b28c0d001430e1
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I707ddc4ca67595fbf809c6ffc15ecd4fb21f4661

commit 64bf73c85c5de0737c8a1cf967b6b251288ee424
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Tue May 11 16:22:12 2021 +0300

Enable kubelet support for pod pid limit
    
    This protects the system before the unlock. This has the most meaning
    during the restore procedure, when the system is unprotected until
    unlock (until puppet generates the config file containing protection).
    
    Partial-Bug: 1928353
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I09c4d4f494bc113ae8b439256655476e03b54b0e

commit cfc719b82a6f1651a2b3950b316244f907d58491
Author: Angie Wang <angie.wang@windriver.com>
Date:   Mon May 17 17:11:12 2021 -0400

Configure kubeadm to not apply the default taint
    
    The taint "node-role.kubernetes.io/master:NoSchedule" needs
    to be removed from master node so that pods can be scheduled
    on it. This is handled by a bootstrap task. However, issue
    was seen that the default taint was not removed during bootstrap
    that causes armada pod fails to be scheduled on controller-0.
    This happens on one of the subcloud when bootstrapping a batch
    of 50 subclouds.
    
    Add configuration in kubeadm to not apply the default taint
    at the beginning so it doesn't need to be removed afterwards.
    
    Tested AIO-SX, DX upgrade and a batch of 50 subclouds deployment
    
    Change-Id: I543280ddd55ec94ccf0586dc07877349baa06bdd
    Closes-Bug: 1928722
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 45c74db36670e9cba3475e598a4655490b744cee
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Thu May 13 10:46:02 2021 -0500

Cleanup of subcloud rehoming playbook
    
    As the ansible log is accessible for all the users, we don't want to
    expose the keystone IDs and passwords in a subcloud's ansible log.
    This commit hides the keystone IDs and passwords in the ansible log.
    
    This commit also removes un-used facts and the rehome_in_progress
    flag.
    
    Tested with successfully re-homed a SX and a DX subcloud in virtual
    box env.
    
    Story: 2008774
    Task: 42462
    
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>
    Change-Id: I6c2e83ba5b4923e9d7c82ccf94165608739e59e1

commit 0ca19e0870e06b601553ea2a9d9e1cfc0367d75f
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Tue May 11 16:02:49 2021 -0500

Clean non-local keystone user during migrating keystone IDs
    
    During the progress of re-homing a sub cloud to a new central cloud,
    insert a new user ID will be failed if there's a duplicated non-local
    user in keystone database. This commit deletes the non-local user with
    the same user id before inserting a new keystone local user into the
    database.
    
    Test:
    1. Add a non-local user in keystone database, and this user should
    have a same user ID as the new central cloud.
    2. Successfully re-home this subcloud to the new central cloud.
    3. Successfully re-home a subcloud without the duplicated user in
    keystone database.
    
    Partial-Bug: 1928139
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>
    Change-Id: Iecaac3400cb9362acc63686ae9470cf01f7eb2e1

commit 275e046280a71b0c5c8c637fdc7065d4e2e19aee
Author: Isac Souza <IsacSacchi.Souza@windriver.com>
Date:   Thu May 13 13:07:56 2021 -0300

Fix deletion of temp dir when backup fails
    
    When the /opt/backups disk is full and the backup playbook
    is executed, the Ansible task fails to create a temp directory.
    After the failure the cleanup code is executed but if the temp
    dir was not created, it fails because tempdir.path will be undefined.
    This second failure aborts the cleanup code and the
    "System Backup in progress." will stay on indefinitely, requiring
    manual intervetion.
    
    Tested by executing the backup procedure when /opt/backups
    is full.
    
    Closes-Bug: 1928365
    Signed-off-by: Isac Souza <IsacSacchi.Souza@windriver.com>
    Change-Id: I76c852b65bde4b40a22bcb9be3a81776ade86d15

commit 02b36df15ba42c4346b34b4ddce29d95b4c7fc69
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Thu May 13 12:17:06 2021 -0400

Enable ssh connection retries in Ansible playbooks
    
    In this commit:
     - Allow ssh retries in the playbooks in case of unreachable
       failures that are observed in batch subcloud deployment or
       upgrade where the system controller has low network bandwidth.
     - Increase ssh timeout to accomodate slow sudo response when
       ldap service is not yet available for the subcloud.
     - Allow docker login and images pull retries in case docker
       or docker proxy throws an exception due to slow response
       (e.g. oam network is overwhelmed).
    
    Closes-Bug: 1928357
    Change-Id: Ibc6155671b20a01340b66270c3c402174d34ab9e
    Signed-off-by: Tee Ngo <tee.ngo@windriver.com>

commit 20e44c6dd71758f89bbfe88c6204e777c17deb5d
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Tue Apr 27 01:40:16 2021 +0800

Fix bootstrap replay failure when changing mgmt subnet
    
    After mgmt subnet is changed, we use previous controller_0
    address for etcd puppet apply to avoid resycing an nonexistent
    hieradata file.
    
    Change-Id: Ie31c48153af30df240237013dd51bfffea5213cd
    Closes-Bug: 1925668
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit 7228f60e146286d0948ac67bee159a7b8c54f704
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Tue May 11 18:56:03 2021 +0300

Fix restore user images playbook
    
    When running restore_user_images playbook,
    after the images will be uploaded to the local registry,
    the docker images stored in the local docker filesystem
    will be deleted by a python script called by the playbook.
    Sometimes this script will try to delete images
    that are not present into the local docker filesystem and
    will throw some errors.
    We fix this by adding a check before trying to delete an image.
    
    Also, updated the
    /playbooks/roles/common/push-docker-images/files/download_images.py
    file to do the same checks since it does similar steps
    and can also fail when deleting
    the images from the local docker cache.
    
    Closes-Bug: 1928092
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
    Change-Id: I1be45b2669ad1ab209aa49f050106dd1a7759cee

commit d5460198dc0310a80580537fd8df76ae00e17f02
Author: Robert Church <robert.church@windriver.com>
Date:   Wed May 12 22:45:38 2021 -0400

Adjust armada's tiller container liveness probe
    
    With the liveness probe update in the armada helm chart to test the
    connectivity to the postgres backend, adjust the periodSeconds and
    failureThreshold to align with the minimum swact time to be expected for
    postgres switching from one controller to another.
    
    Reviewing logs from various H/W labs it appears that average postgres
    swact time ranges from 9s-20s, with the mean ~15s.
    
    Times can be observed with:
    2021-05-09T13:32:24.475 controller-1 OCF_pgsql(postgres)[396293]: info
                                         INFO: server shutting down
    2021-05-09T13:32:33.423 controller-0 OCF_pgsql(postgres)[147541]: info
                                         INFO: server starting
    
    Set the periodSeconds to 4 and the failureThreshold to 2 so that if the
    postgres server is not accessible, the tiller container will be
    restarted within the 9s minimum swact time. This will ensure that the
    next time tiller is required by Armada or used by the helmv2-cli that
    the connection to postgres backend has been re-established.
    
    Change-Id: I7454a737771d9a608d2fe69c5136d37da022007e
    Depends-On: https://review.opendev.org/c/starlingx/integ/+/791092
    Related-Bug: #1917308
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 9d4203b7e0d4b321fcccf14e69367573ef5d5093
Author: Tao Liu <tao.liu@windriver.com>
Date:   Wed May 12 20:30:37 2021 -0400

Use async_timeout for kubectl wait timeout
    
    Data migration failed for 5 subclouds during 30 subcloud upgrade.
    This failure was caused by timeout waiting for Kubernetes component,
    Networking or Armada pods to be ready.
    
    The async_timeout is set to 120s in restore mode, but the pod wait time
    is still set to 30s. This update changes the pod wait time to be the
    same as async_timeout.
    
    Tested on DC-2 with 50 subcloud parallel upgrade
    
    Closes-Bug: 1928252
    
    Signed-off-by: Tao Liu <tao.liu@windriver.com>
    Change-Id: If2b21d0cd2e0de9e84869323a43d4a249d031132

commit 36451c99ce76e76084ad5c68e4954bf347e8c0b7
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Tue May 11 16:24:26 2021 +0300

Add helm sql database ip to armada overrides
    
    This will be used by tiller container to check that the container
    networking is properly set up.
    
    Partial-Bug: 1928141
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I177bb628497611eb64472291a04d635856c26590

commit 86fbafec14744d6630aff6e6ac2bb165c5be2be8
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Tue May 11 14:58:29 2021 -0400

Fix: Upgrade does not replay correctly after activate failure
    
    When the etcd runtime manifest fails during upgrade activate,
    the activation fails as expected. However when the upgrade-activate
    is attempted again, the etcd upgrade playbook is not re-run.
    Depending on when the manifest fails, this could result in secure
    etcd remaining disabled on the system.
    
    This commit makes it possible to replay the etcd upgrade playbook,
    thus solving the issue.
    
    Change-Id: I7f453d9040916381519ac96ed4567ec5fb6e7a8d
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
    Closes-Bug: 1928130

commit 2dfadea581d1ac9955a7921bd2730e36a152255c
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Thu Mar 11 11:12:05 2021 -0500

Add a rehome subcloud playbook
    
    This commit creates a rehome_subcloud playbook to migrate an existing
    subcloud from the original central cloud to a new central cloud. This
    playbook is expected to be remotely play from the new central cloud
    system controller based on the subcloud's overrides. This playbook
    updates the system controller network info in the subcloud, migrates
    the keystone data and updates the subcloud's ca and certs. After
    running this playbook and unlock the subcloud controllers, the
    subcloud can be discovered online in the new central cloud, and
    can be managed and brought in-sync from the new central cloud.
    
    Test:
    Successfully migrate a AIOSX and a AIODX subcloud to the new central
    cloud with this playbook.
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/784767
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/785977
    Depends-On: https://review.opendev.org/c/starlingx/config/+/786638
    Depends-On: https://review.opendev.org/c/starlingx/config/+/787213
    
    Story: 2008774
    Task: 42152
    Change-Id: Iaa6699951e855c76602bd43f71d42e64e298c786
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit d23b932208b778ec73cc51bccf460310f16ceaad
Author: Bin Qian <bin.qian@windriver.com>
Date:   Mon May 3 15:32:06 2021 -0400

Ensure n3000-opae image cache is not deleted
    
    Skip removing n3000-opae image cache. This image is expected to be
    available to reset n3000 fpgas before docker local registry is ready.
    
    Closes-Bug: 1927000
    Signed-off-by: Bin Qian <bin.qian@windriver.com>
    Change-Id: I3372d89c48b394c8cac6b9da06d2528bb6afa803

commit 255488739efa4ac072424b19f2dbb7a3adb0254e
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Thu Apr 29 16:37:21 2021 +0300

Restore host filesystems with collected sizes
    
    Since https://review.opendev.org/c/starlingx/ansible-playbooks/+/784860,
    the host filesystems(backup, docker, kubelet, scratch) are
    no longer resized in ansible at restore and they are not using the
    collected sizes from the backup archive. Puppet will try to
    resize them when unlocking but this will generate some errors.
    
    The solution is to create the host filesystems with the
    correct sizes at restore. The sizes are taken from the
    backup archive.
    
    Closes-Bug: 1926591
    Change-Id: Id670408a518e4a1e3fc75a668eea42d26a972d66
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit bc0fba6bbbd0182c4886e5a3ccbfc2d0973cfd70
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Apr 28 11:52:36 2021 -0400

Remove restore subcloud admin endpoint certificate from config
    
    This change is to exclude the admin endpoint certificate from restore
    to config directory. The admin endpoint certificate is stored in k8s
    (backup) and restore as part of k8s restore. Sysinv will generate it
    into hieradata from k8s secret and puppet will genereate the pem for
    haproxy.
    
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/786666
    Partial-Bug: 1923510
    Signed-off-by: Bin Qian <bin.qian@windriver.com>
    Change-Id: Iae8fb9c53e0aa6797a25b872adb0c99636c4243a

commit e88c9290a3ca2d947828a1f4e988f9fe61a1a623
Author: Melissa Wang <melissa.wang@windriver.com>
Date:   Mon Apr 26 17:45:40 2021 -0400

SX to DX migration: Check network interface config
    
    This change adds a semantic check to ensure that the cluster-host
    and management networks are not configured on loopback before
    allowing sx-to-dx migration.
    
    Task: 42375
    Story: 2008587
    
    Change-Id: I87326db222ffe9eb8bf23b69d17f676abc7c242d
    Signed-off-by: Melissa Wang <melissa.wang@windriver.com>

commit e25439d49d127779f9ab32650a4a51027242884b
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Apr 14 14:53:56 2021 -0400

Remove creating admin endpoint cert in subcloud bootstrap
    
    This change removes creating admin endpoint cert in subcloud
    bootstrap.
    The admin endpoint cert is generated in manifest at the time when
    the controller node is unlock the first time. The cert data is
    retrieved directly from k8s secret data (where cert-manager is
    responsible to maintain it and keep it up to date).
    
    Partial-Bug: 1923510
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/786666
    Signed-off-by: Bin Qian <bin.qian@windriver.com>
    Change-Id: Ie6a5c8fe159efcdebdb4c81666e981772408b82c

commit 5b286734637ca6f503a62131b309829d2f308fed
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Mon Apr 5 17:01:48 2021 -0500

Remove drbd resize actions from bootstrap playbook
    
    drbd resize actions can cause failures during unlock. Avoid all drbd
    resize actions during the bootstrap playbook. Pass the correct
    filesystem sizes to the bootstrap manifest. Use the collected drbd
    filesystem sizes during the restore/upgrade bootstrap manifest.
    
    Closes-Bug: 1920245
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>
    Change-Id: I235575ad40ba84298d3db5b39ce7861a143c78a8

commit 05d3d8c21f5017b26466bfd1cdd1f1e7accf266f
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Mon Apr 12 10:35:57 2021 -0400

Fix kube-apiserver pod removal
    
    This commit adds rolebinding configuration to bind
    the "privileged-psp-user" role to the kubelet user.
    It fixes the issue where the kube-apiserver pod does
    not get recreated after enabling PodSecurityPolicy
    plugin. With this fix we make sure to allow the apiserver
    pod creation by granting permission to the kubelet user
    to create that pod.
    
    Closes-Bug: 1881605
    
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
    Change-Id: Ibdf6d4cacf2ce83dfa744455dac460027b2a6e47

commit 802afc1c23d26f44bd7954a5ec038c5badddcaa3
Author: Andrei Grosu <andrei.grosu@windriver.com>
Date:   Mon Feb 8 22:28:49 2021 +0000

Inform conductor of ansible backup actions.
    
    Let apps run custom code around backup actions inside the playbook.
    
    Story: 2007960
    Task: 40769
    Depends-On: I0ebab45f4846cbcd25fecac6bf99195d9047eb8a
    
    Signed-off-by: Andrei Grosu <andrei.grosu@windriver.com>
    Change-Id: I61156db05970aa03c96ddc8533fdd4f4a680b334

commit f6cd32b82bc01c9f1b9f53d1754aac6a45e51643
Author: Don Penney <don.penney@windriver.com>
Date:   Fri Mar 26 11:23:51 2021 -0400

Copy default-registry-key to deployment namespace
    
    After creating the deployment namespace, copy the default-registry-key
    from the kube-system namespace into it for use by pods running in that
    namespace.
    
    Story: 2007361
    Task: 42186
    Signed-off-by: Don Penney <don.penney@windriver.com>
    Change-Id: I3b431c74295cc0099f00814ee28709b1b4c56c8c

commit d61c82f555034f104e1bee8a83bb19ad448012b2
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Wed Mar 31 23:12:43 2021 +0800

Change CN of etcd CA since etcd will reuse kubernetes CA
    
    Basic test pass on simplex.
    
    Closes-Bug: 1921511
    
    Change-Id: If3a7cca4a03b05ac5eb61f7f579449a7393c1644
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit 8a7c871a8d7c8843b404e6779eccd2e483293c2a
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Mon Mar 22 15:32:48 2021 -0400

Add default psp configuration to psp-policies.yaml
    
    Added ClusterRoleBindings configuration in psp-policies.yaml to
    enhance the current capabilities.
    The new configuration gives users the ability that by default,
    they can create pods and deployments with “restricted” capabilities
    in their namespaces.
    When psp policies are applied at bootstrap time, all tenants/users
    have at least restricted capabilities and access rights will be
    added as needed, reducing this way the manual configuration
    required.
    
    Closes-Bug: 1885716
    
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
    Change-Id: I6118efd6832836829d31aa84b2b4305d5a1f24c4

commit f7d5491e404ba2854105278f6b9e2883b52a5206
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Tue Aug 25 12:16:22 2020 -0400

Remove CPU resource requests from platform pods
    
    In order to allow applications to make use of all "application" cores,
    we need to remove all CPU resource requests from "platform" pods.  We tried
    to make this work by modifying Kubernetes itself to track platform pod resources
    separately, but it would have required changes to kube-scheduler, which would
    involve building a custom kube-scheduler container image.
    
    Some platform pods are created by "kubeadm" during early init and are handled
    via a kubernetes code change.  For calico, multus, and sriov we modify the
    templates used to create the pods and remove any reference to CPU resources.
    
    Normally this would mean that they could get throttled by application pods, but
    since they're running on the platform cores this shouldn't be a problem.
    
    Story: 2008760
    Task: 42170
    Change-Id: Ibf73bd0d105e4040f02a4114afbb31d131fc9585
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit 41de2e52db9985d84397d7ba56a59bbeaa9cf88f
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Fri Mar 19 01:00:10 2021 +0800

Fix bootstrap replay fails due to not changing etcd config.
    
    When replay bootstrap, we still need to apply etcd puppet manifest.
    Test PASS for below cases
    1）System bring up with bootstrap replay
       - non cluster host network reconfiguration
    2）System bring up with bootstrap replay
       - cluster host network change
    3）AIO simplex backup and restore
    
    Closes-Bug: 1918943
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
    Change-Id: Ib892776f4b2949f9255fc4725add1f0e362956a9

commit fbd6a848d53ae6de9703466215fb85df2485ab0b
Author: Scott Little <scott.little@windriver.com>
Date:   Thu Mar 25 11:35:34 2021 -0400

Set SW_VERSION 21.05
    
    Prep for the StarlingX 5.0 release.
    SW_VERSION uses YY.MM format.
    
    Story: 2008055
    Task: 42113
    Depends-On: https://review.opendev.org/c/starlingx/utilities/+/783042
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: Ic718ed214dfdb6eb8fcfffcadbbeadfbb8f6d052

commit 2ffd9c4bff6bd736f35cc1fb2fd3b0e25c9ef8f2
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Fri Mar 19 10:36:55 2021 -0500

drbd filesystems not resized during bootstrap
    
    Remove drbd resize_result check on resize2fs operation. Both operations
    should run when requested. These commands will return 0 when the disk is
    resized and will return 0 if the disk is already correctly sized. Any
    non-zero return code should fail the playbook.
    
    Closes-Bug: 1920245
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>
    Change-Id: I946f63b2886b5377494e658a59586005c27ec2d2

commit 8c2580cc85b8e7a2783ece895d7c2c476db81990
Author: Don Penney <don.penney@windriver.com>
Date:   Wed Mar 10 12:13:56 2021 -0500

Introduce SX to DX migration playbook
    
    This commit introduces a migrate-subcloud.yml playbook that the user
    can run, with an overrides file to provide config values, to perform
    the migration steps for a subcloud. Once the migration playbook has
    been applied and the subcloud has recovered from the unlock (performed
    by the playbook), the second controller can be installed and
    configured.
    
    Story: 2008587
    Task: 41743
    Depends-On: https://review.opendev.org/c/starlingx/config/+/776536
    Signed-off-by: Don Penney <don.penney@windriver.com>
    Change-Id: I1d8c1219694147baaabb183ef3debe1715aaf153

commit 64feca44b59284b07d42e7100fb90b22297c0ce0
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Fri Mar 5 15:18:46 2021 -0500

Use jinja2 template for containerd config.toml
    
    File "/etc/containerd/config.toml" is set up with ansible bootstrap
    using an erb template managed by puppet.
    We replace the erb template with a jinja2 template to improve ease
    of use and reduce the need for complex regular expressions.
    
    Closes-Bug: 1892768
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
    Change-Id: I93601321d4f554d27bb9457bcff99428351cbefd

commit df1f8e381d951a2ab6c52a32eb2467817795e083
Author: Suvro Ghosh <suvrojeet.ghosh@windriver.com>
Date:   Thu Mar 11 10:38:57 2021 -0500

Adding force flag to purge task
    
    This flag will allow ansible replay
    
    Story: 2007960
    Task: 42039
    Signed-off-by: Suvro Ghosh <suvrojeet.ghosh@windriver.com>
    Depends-On: If68d66d799addcd996da4b146d092c855b455aa3
    Change-Id: I93821965184d95a00fddd3398a1c214e3d730efa

commit ed7314d4c4c1f9d6f18dc6c144dd4b6cdf67b66e
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Mon Mar 8 14:36:54 2021 +0200

Fix bootstrap playbook when initializing kubernetes
    
    The etcd endpoint in the kubedeadm file is different than
    the endpoint defined in the etcd config file.
    This is because in the kubeadm file, the etcd endpoint is equal to
    the 'cluster_floating_address' variable. And in the etcd config
    file the 'default_cluster_host_start_address' variable is used.
    These 2 variables can be different when the
    'cluster_host_start_address' variable defined in the localhost.yml
    differs from the first address of the 'cluster_host_subnet'.
    
    The solution is to use 'cluster_floating_address' in both cases
    because this variable is defined in the following way:
    
    cluster_floating_address: "{{ address_pairs['cluster_host']['start'] }}"
    will be different than the 'default_cluster_host_start_address': "{{
    (cluster_host_subnet | ipaddr(1)).split('/')[0] }
    
    So it will use 'default_cluster_host_start_address' when the
    'cluster_host_start_address' is not defined.
    
    Closes-Bug: 1918130
    Change-Id: I8fecc1e5e54b5a9a9a72a54c069f79f5f2d434ba
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit ff5c9327c1990cb2bf6454a1a156669187dc056b
Author: Babak Sarashki <babak.sarashki@windriver.com>
Date:   Wed Feb 24 05:45:30 2021 +0000

Remove container runtime interface (CRI) placeholder
    
    Change-Id Ib1dd5bd (stx-puppet) and Icc5fd16 (config) add
    support to set CRI entries for kubernetes runTimeClass.
    
    This is not needed during the initial bring-up of services
    at bootstrap time and produces incorrect config.toml causing
    bootstrap failure. Therefore, it is removed from the initial
    config.toml generated during bring up of essential services.
    
    Story: 2008434
    Task: 41928
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/776220
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/776223
    
    Signed-off-by: Babak Sarashki <babak.sarashki@windriver.com>
    Change-Id: Id124653329da0ba9f990e5bba6b53faa3c88fa86

commit ae898b781539f71ea009cefec7602ed62335741b
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Thu Feb 11 13:22:39 2021 -0500

Create device_images bind directory
    
    The device images are stored in the drbd filesystem
    (/opt/platform/device_images) in the active controller.
    In order to allow the other worker hosts to retrieve the device images
    from the active controller over lighttpd, the directory
    /www/pages/device_images is created as a bind mount of the drbd
    directory.
    
    Tests performed on the following systems:
    AIO-DX, AIO-DX plus compute, Standard 2+1
    DC with AIO-DX plus subcloud
    DC with Standard subcloud
    
    Story: 2007875
    Task: 41878
    
    Change-Id: I00c75767543d3840c466df887e9f16ba75a5386d
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit 9814ec0490506f222326396368f34e278ae52a0d
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Mon Feb 22 23:07:34 2021 -0500

Update Ansible bootstrap address validation
    
    The method to validate bootstrap address in previous
    commit (9c62c83536b737e731b140c95be37d74769989ff) is not
    reliable for IPv6. This commit fixes it.
    
    Task: 41800
    Story: 2008573
    Change-Id: Ibadf36e7f6c1ec31ca47514802991c92959fd138
    Signed-off-by: Tee Ngo <tee.ngo@windriver.com>

commit 9cee892563c68154714bcb7a7e173dcc13b6b237
Author: Angie Wang <angie.wang@windriver.com>
Date:   Wed Feb 24 14:27:14 2021 -0500

Update the minimum root disk size to be aligned with sysinv
    
    Change-Id: I03c8b31ab76ce8a2b8534677910763150ec1d9c0
    Closes-bug: 1916797
    Depends-On: https://review.opendev.org/c/starlingx/config/+/777465
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit f2d20c15bbda992bec707b9dd3529f5f1fd53b83
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Tue Feb 2 18:09:33 2021 +0200

Fix restoring dc-vault on a central controller
    
    At this moment, when we do a restore procedure on a
    DC system controller, the /opt/dc-vault directory will be
    created under "/" filesystem. It should be created on
    a separated filesystem, but that filesystem is available
    only after an unlock of the controller.
    
    The proposed solution is to create an additional restore
    playbook for the dc-vault that will be manually run after
    unlocking controller-0. The backup playbook will create
    an additional archive with the contents of dc-vault, and
    the dc-vault directory will be removed from the platform
    backup.
    
    The new playbook will be used like this:
    
    ansible-playbook
    /usr/share/ansible/stx-ansible/playbooks/restore_dc_vault.yml -e
    "ansible_become_pass=Li69nux*" -e "admin_password=Li69nux*" -e
    "initial_backup_dir=/home/sysadmin" -e
    "backup_filename=localhost_dc_vault_backup_2021_02_02_11_46_09.tgz"
    
    Closes-Bug: 1914258
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
    Change-Id: I8fdd5b678e2296cd0ce98ea4dd91e2988beb200f

commit 3babc1eed3ba861c652f082655fa284992be0859
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Fri Feb 19 16:45:22 2021 +0200

B&R: Fix registry backup generated when it should not
    
    Incorrect ansible variable evaluation results in the a backup file
    generated when it is required not do so.
    
    Fix the evaluation.
    
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Depends-On: I4644784ea4164134f163d218e69dc4ceb148985a
    Closes-Bug: 1916246
    Change-Id: I2a31dcda55137a668b2e82b9a938535bdf623656

commit 151b885dc733d5094fce474ae042ee2f2ceae49e
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Fri Feb 19 16:21:23 2021 +0200

B&R: Fix backup hangout on IPv6 systems
    
    IPv6 addreses must be enclosed in square brackets when they are
    followed by a port number.
    
    At the "[backup/backup-system : Create etcd snapshot]"
    step, the etcd IPv6 endpoint is not wrapped in square brackets,
    so the command hangs indefinitely.
    
    We fix this by using the 'ipwrap' ansible filter which will
    wrap the address in [] brackets if it's an IPv6 one.
    
    Closes-bug: 1916053
    Change-Id: If40ed59f4e44c9f877aaefe87f6211a3e83ddfee
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit 71db4f1aa82a36c360ada97a6d8d989a736e1133
Author: Steven Webster <steven.webster@windriver.com>
Date:   Wed Feb 17 13:54:14 2021 -0500

Uprev SR-IOV CNI image
    
    This commit uprevs the SR-IOV CNI image to pick up a few bug
    fixes.  Specifically, this commit will allow rate-limiting
    configuration on a VF to be retained after the VF has been
    used by a pod (and pod subsequently deleted).
    
    Testing:
    
    NICs:
    Ethernet Controller X710 for 10GbE SFP+
    Mellanox MT27700 Family [ConnectX-4]
    
    Functional:
    Connectivity testing (kernel + DPDK)
    Devices allocated appropriately to pod
    Rate-limiting information retained after pod deletion
    
    Closes-Bug: #1915951
    
    Signed-off-by: Steven Webster <steven.webster@windriver.com>
    Change-Id: Ie893fee61fa15e28e1994b5e766ed3bca2ff4050

commit 9c62c83536b737e731b140c95be37d74769989ff
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Tue Feb 9 23:08:32 2021 -0500

Ansible update to support remote subcloud restore
    
    In this commit:
      - Common code to validate target is updated to include additional
        host check options (system readiness, load version, bootstrap ip,
        and patches).
      - A new playbook is added to perform host check for various
        use cases (remote install, pre subcloud restore, pre subcloud
        upgrade, etc...).
      - Install playbook is updated to make use of the new playbook.
      - A new role which performs generic user input validation for all
        restore playbooks is added.
      - A new B&R parameter is added to indicate where the backup data
        can be found, on the host itself (on-box) or on another
        machine (off-box).
      - Platform, user images and openstack restore playbooks are
        updated to a) make use of the on_box_data parameter,
        b) use the same target_backup_dir for both local and remote
        playbook execution for consistent behavior.
      - Host override file is extracted only on the target.
      - Patches restore is skipped if requested by the caller. Default
        behavior is to restore patches.
      - Various subtle bugs are fixed.
      - Ansible version is specified in Zuul test requirements.
    
    Tests:
      - Deployment of a Redfish capable subcloud
      - Remote restore a simplex with various options: a) without patches
        b) skip patches restore, c) with patches restore, d) on-box backup
        tarball, e) off-box backup tarball
      - Local restore of a simplex with 2 options: a) without patches and
        b) skip patches restore
      - Simplex fresh install
      - Restore user images
      - Restore OpenStack
      - Error cases
    
    Task: 41725
    Story: 2008573
    Change-Id: Ica2b9010a73854a01216e2e16b581484d182264e
    Signed-off-by: Tee Ngo <tee.ngo@windriver.com>

commit 64af997f72d2e78615bd38d573aa13d0a59932da
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Thu Feb 4 17:55:24 2021 -0500

Fetch additional image config file for remote play
    
    When invoking the playbook remotely, the additional system images
    config file locates in the remote host may not also exist in the
    control host. This commit fetches the additional image config file to
    the control host to prevent include_vars failure.
    
    Tests:
    1 Remote backup and restore an AIOSX node with the additional system
    images config file from a control host without the config file.
    2 Build an image ISO and installed/ bootstrapped an AIOSX node.
    
    Closes-Bug: 1914611
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>
    Change-Id: I79362b00a25ca031a1fbbaa92476955e35477b73

commit 6226fa7a28ee271f92419bbeb62f2ee512e4b192
Author: Mingyuan Qi <mingyuan.qi@intel.com>
Date:   Tue Dec 8 05:52:41 2020 +0000

Add provision edgeworker playbook
    
    This playbook provisions edgeworker nodes to setup OS
    configurations as well as join the node to the Kubernetes
    platform.
    
    This playbook should be triggered manually after an edgeworker node
    added to sysinv. Make sure the edgeworker node has got the correct
    mgmt ip address from controller's dhcp server.
    
    1. Create an inventory file for edgeworker nodes on the active
    controller:
    
    tee ./edgeworker_inventory.yml << EOF
    all:
      hosts:
        localhost:
          ansible_connection: local
      children:
        edgeworker:
          hosts:
            <edgeworker hostname>:
              ansible_ssh_user: <admin username>
              ansible_ssh_pass: <ssh password>
              ansible_become_pass: <admin password>
              ansible_python_interpreter: <python path(e.g.
    /usr/bin/python3)>
            #<more edgeworker nodes>:
      vars:
        ansible_ssh_user: sysadmin
        ansible_ssh_pass: St8rlingX*
        ansible_become_pass: St8rlingX*
    EOF
    
    2. Trigger the playbook provision_edgeworker.yml:
    
    ansible-playbook \
    -i ./edgeworker_inventory.yml \
    /usr/share/ansible/stx-ansible/playbooks/provision_edgeworker.yml
    
    After the provisioning, the edgeworker node will be shown Ready in
    Kubernetes.
    
    Test:
    Edgeworker node OS: Ubuntu 18.04/20.04
    AIO-SX + edgeworker nodes: PASS
    AIO-DX + edgeworker nodes: PASS
    Standard + edgeworker nodes: PASS
    
    Story: 2008129
    Task: 40879
    
    Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
    Change-Id: If189f915461da3ce79dea3a688a3cf5e59d8f12c
    Depends-On: https://review.opendev.org/c/starlingx/config/+/763918

commit 2a5e37cecfde7572331b0c7f13e8ea55400c5260
Author: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
Date:   Mon Feb 1 09:26:48 2021 -0500

Remove RPF config of tunl0 interfaces from kernel
    
    Calico project removed "strict" mode for RPF from kernel's IPv4
    configuration at version 3.12, moving back to former approach of
    setting iptables rules for security purposes (see
    https://github.com/projectcalico/felix/pull/2189). Thus, forcing
    disable of RPF at tunl0 interface as introduced by the fix of
    bug 1838801 isn't necessary anymore.
    This commit removes that forced writing of kernel configuration,
    so that calico-node pod is healthy after started, and asymmetrical
    routing still works as required.
    
    Implements: removal of postStart hook for Calico pods
    Closes-Bug: 1912807
    Signed-off-by: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
    Change-Id: Iea8f4aa988269f99f5632fec2cf344297709eaef

commit adf542c16b71e681e47599b1e60a17311efeb6a6
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Thu Jan 21 09:05:22 2021 +0200

B&R: Fix restore of ceph using mds
    
    Calling /etc/init.d/ceph without specifying a component applies an
    action to all components.
    After cephfs_platform_integ topic merged, ceph mds component is also
    used.
    Mds requires a monitor to be up before starting.
    Due to the fact that the ceph script was called without specifying the
    components mds the start action was applied to mds also and it was
    applied before starting the monitor, resulting in failure.
    
    The fix is to specify the monitor and osd components.
    Mds will be start when ceph is restarted a few tasks later.
    
    Plus minor ansible changes:
    - Use failed_when instead of ignore_errors
    - Renamed task
    
    Closes-Bug: 1912488
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I5388ddd32923bbd9acb205fa2d2adbc083346631

commit c62c3aa8890ef6c0d80ba8397ef64f5b0fb8c291
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Mon Jan 18 15:49:21 2021 -0500

Bug fix: static image type error
    
    A bug was introduced by commit
    587c1ff2075c518f32bb93f14f66bcd23e542259 that the bootstrap of a
    distributed cloud system controller will fail due to the RVMC image
    is a string rather than a list. This commit converts it to a single
    member list before appending it to static images list.
    
    Tested by bootstraping a distributed cloud system controller.
    
    Change-Id: Ib2e0c6cc1913e0ee44f8b288004459c497ebedb8
    Closes-Bug: 1908100
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit 6cf33738447ba9f65d0f5aec1507991676522a58
Author: Sabeel Ansari <Sabeel.Ansari@windriver.com>
Date:   Tue Dec 22 12:22:04 2020 -0500

Create deployment namespace during bootstrap
    
    A generic namespace is being created during bootstrap
    called 'deployment'. This namespace will be shared by
    various deployed platform resources including platform
    certificates.
    
    Change-Id: I48bca00cc882fae691786fd1e200e28bf126496b
    Story: 2007361
    Task: 41495
    Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com>

commit 587c1ff2075c518f32bb93f14f66bcd23e542259
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Mon Dec 14 11:55:32 2020 -0500

Upgrade: append additional images to the static images list
    
    Images specified in additional_local_registry_images at install time
    will not be upgraded after an upgrade is completed. This commit allows
    common/load-images-information load additional images list from
    /usr/share/additional-system-images.yml by default.
    
    In a distributed cloud system, the Redfish Virtual Media
    Controller(RVMC) image is can support remote install on Redfish
    configured hosts. This commit includes the RMVC image in the static
    images list if the host is a DC controller, enables
    download/push/update this image with other static images.
    
    Tested by installing and upgrading an AIODX central cloud with an
    AIOSX subcloud DC system.
    
    Partial-Bug: 1908100
    Change-Id: I1f927f876f4883a587098c61fbcaf408d65fdde4
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit a83a13a0e8c6923ea4e9f74797269aa9ee4bf02d
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Mon Jan 11 00:46:54 2021 -0500

Ensure docker proxies are defined
    
    System triggered playbooks such as upgrade-static-images,
    will fail to pull newer images from AWS ECR if either
    docker http or https proxy is not configured. This commit
    resolves the issue.
    
    Tests:
      - Fresh install with public registries
      - Fresh install with a private registry
      - Fresh install with AWS registry, http proxy configured
      - Fresh install with AWS registry, proxies not configured
          a. Perform controller swact
          b. Perform upgrade
    
    Closes-Bug: 1910951
    Change-Id: I93c2856210dde90a66bae823178e14f140f711f4
    Signed-off by: Tee Ngo <tee.ngo@windriver.com>

commit bbcec5f2d678a0f18c02eb514e274a6187c21e32
Author: Angie Wang <angie.wang@windriver.com>
Date:   Wed Oct 14 15:56:39 2020 -0400

Configure SQL as helm storage backend
    
    Configmap is the default helmv2 storage backend to store
    release information but its 1MB resource limit prevents
    scaling up stx openstack worker nodes, so we want to use
    SQL as helm storage backend.
    
    Update armada overrides to start up tiller with SQL storage
    backend.
    
    Tested:
    - AIO-SX, AIO-DX, STD installation (IPv4 and IPv6)
    - apply stx-openstack
    - host-swact/lock/unlock
    - AIO-SX, AIO-DX upgrade with stx-openstack, stx-monitor
    - backup&restore with stx-openstack
    
    Closes-Bug: 1887677
    Depends-on: https://review.opendev.org/#/c/761647/
    Change-Id: I8ad7194973e8fc60ee2539dea5da67b15be1df4a
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 56e338e5c729242dd14a7ecd4d294d65ca069863
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Wed Dec 16 23:52:26 2020 -0500

Improve bootstrap config validation
    
    A misconfigured docker_registries when merged with the
    default docker_registries will lead to bootstrap failure
    with a misleading error that is difficult for the user to
    identify the root cause.
    
    Add tasks to ensure user provided registry keys are valid.
    
    Closes-Bug: 1908479
    Change-Id: I829496481708221a772a9242dc660a2462880116
    Signed-off-by: Tee Ngo <tee.ngo@windriver.com>

commit 820f347324d4fb7d17396d5d21f98eb2b674d23a
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Sat Oct 31 00:32:03 2020 +0800

Enable etcd with security setting.
    
    Add etcd client/server certificate generation process in
    ansible playbook and restart etcd after etcd security config
    enabled.
    
    Test status.
    1) Deployment test on both simplex and duplex  - PASS
       check the communication status between apiserver
       and etcd by kubectl command
       check the etcd status and configuration on controllers
    2) Switch active controller - PASS
       After switching, check the communication status between
       apiserver and etcd by kubectl command
       check the etcd status and configuration on controllers
    3) Lock/unlock of a simplex controller - PASS
    4) Backup/Restore test on simplex - PASS
    5) Spontaneous reboot of a simplex controller - PASS
    6) Enable secured etcd on simplex by script after deploy
       unsecured etcd. - PASS
    7) Backup test on Duplex - PASS
    8) Restore test on Duplex - PASS
    9) Re-installing a controller host on a duplex setup and
       then swacting to it - PASS
    
    Partial-Bug: 1894870
    
    Depends-on: https://review.opendev.org/#/c/760508/
    Change-Id: I88691b84c9acc2e27f0b783d7454a873d3490072
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit 0df607a49b514f143a9198c6fbba1e9e846e6c4f
Author: Jim Gauld <james.gauld@windriver.com>
Date:   Tue Jul 14 14:21:14 2020 -0400

Support upgrade to Helm v3 with containerized armada
    
    This provides an upgrades playbook for containerized armada
    to launch armada using Helm v3.
    
    This refactors common code from bringup_helm.yml so that it may be
    called from either bootstrap or upgrade.
    
    Story: 2007927
    Task: 40354
    Closes-Bug: 1906554
    
    Change-Id: I061006683252a8592f07c90d6d82bdc109418451
    Signed-off-by: Jim Gauld <james.gauld@windriver.com>
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 936881f954f8acb2ed0b69de47f576d49ed82d2d
Author: Cole Walker <cole.walker@windriver.com>
Date:   Mon Nov 30 17:27:56 2020 -0500

Check local pods only to prevent B&R timeout
    
    This fix reworks a kubectl wait command to only wait for ready pods on
    the local controller. This fixes an issue where restoring a cluster with
    many nodes can timeout during "Start wait for armada,
    calico-kube-controllers & coredns deployments to reach Available state".
    This timeout was happening because the kubectl command was waiting for
    pods on downed nodes to become ready for 30 seconds per pod. In cases
    where there were 5 or more unreachable pods, the async timeout value of
    120 seconds would be reached and the kubectl wait commands would be
    terminated before completion. This prevented subsequent Ansible tasks
    from completing and resulted in a parsing error during "Fail if any of
    the Kubernetes component, Networking or Armada pods are not ready by
    this time"
    
    The fix here adds --field-selector spec.nodeName=$(hostname) to the
    kubectl wait command and causes only pods on the running
    controller to be checked. This also ensures that the asyncronous tasks
    will always only take 30 seconds, regardless of the number of nodes in
    the cluser.
    
    Removed the behaviour where the wait time would scale up based on the
    number of nodes, as the return time of the async tasks is now always a
    fixed 30 seconds.
    
    Closes-Bug: 1905788
    
    Change-Id: Idb7b30891d4fd00901aaa69412ef4c59913e21f3
    Signed-off-by: Cole Walker <cole.walker@windriver.com>

commit 843e77819228d1298db192d68746f2591ac3e078
Author: Andy Ning <andy.ning@windriver.com>
Date:   Fri Dec 4 10:14:25 2020 -0500

Restrict permissions on docker registry certificate file
    
    It is noticed that docker registry certificate file
    (/etc/docker/certs.d/registry.local:9001/registry-cert.crt) has
    permission set to 644. This update changes its permissions to
    400 as required, by preserving the original permissions when it
    is copied over in ansible bootstrap.
    
    Change-Id: Ic85fa5fa2595f81d5cde6b0294eb7fbbd9c7dc63
    Closes-Bug: 1906844
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit d3e48692a5b28a2466ea9dbf8d0737bebd9df68e
Author: Cole Walker <cole.walker@windriver.com>
Date:   Tue Dec 1 16:50:41 2020 -0500

Lower negative cache TTL for coredns
    
    This change updates the coredns config map to lower the TTL for caching
    negative responses from 30 seconds down to 5 seconds. This will improve
    the response time for cases where a hostname lookup might occur before a
    given pod is created, resulting in a negative entry being cached and
    preventing pods from resolving the name for 30 seconds afterwards.
    
    The default cache size of 9984 items is unchanged, but must be
    explicitly defined in this configuration.
    
    The change also adds coredns to the upgrade-k8s-networking playbook to
    ensure that changes to coredns can be automatically deployed by
    sysinv-conductor.
    
    Closes-Bug: 1906870
    
    Change-Id: I7b44358508c32c8ca4e58b1e69d6232f1a61bfcf
    Signed-off-by: Cole Walker <cole.walker@windriver.com>

commit 1d7305eaf980ea258bcf9e2bb31406bf96ceb766
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Wed Nov 18 01:11:33 2020 -0500

Remove the addition of identity to shared services
    
    Identity services are no longer a shared service in DC.
    This commit removes the addition of identity to the shared service
    list for subclouds.
    
    Change-Id: I3d9d0e4df1a41142cce1ce13d4bbf7d43a626909
    Partial-Bug: 1904675
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

tags:

added: in-f-centos8

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-03: Fix merged to stx-puppet (f/centos8)

#17

Download full text (48.0 KiB)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/792029
Committed: https://opendev.org/starlingx/stx-puppet/commit/2b026190a3cb6d561b6ec4a46dfb3add67f1fa69
Submitter: "Zuul (22348)"
Branch: f/centos8

commit 3e3940824dfb830ebd39fd93265b983c6a22fc51
Author: Dan Voiculeasa <email address hidden>
Date: Thu May 13 18:03:45 2021 +0300

Enable kubelet support for pod pid limit

Enable limiting the number of pids inside of pods.

    Add a default value to protect against a missing value.
    Default to 750 pids limit to align with service parameter default
    value for most resource consuming StarlingX optional app (openstack).
    In fact any value above service parameter minimum value is good for the
    default.

    Closes-Bug: 1928353
    Signed-off-by: Dan Voiculeasa <email address hidden>
    Change-Id: I10c1684fe3145e0a46b011f8e87f7a23557ddd4a

commit 0c16d288fbc483103b7ba5dad7782e97f59f4e17
Author: Jessica Castelino <email address hidden>
Date: Tue May 11 10:21:57 2021 -0400

Safe restart of the etcd SM service in etcd upgrade runtime class

    While upgrading the central cloud of a DC system, activation failed
    because there was an unexpected SWACT to controller-1. This was due
    to the etcd upgrade script. Part of this script runs the etcd
    manifest. This triggers a reload/restart of the etcd service. As this
    is done outside of the sm, sm saw the process failure and triggered
    the SWACT.

    This commit modifies platform::etcd::upgrade::runtime puppet class
    to do a safe restart of the etcd SM service and thus, solve the
    issue.

    Change-Id: I3381b6976114c77ee96028d7d96a00302ad865ec
    Signed-off-by: Jessica Castelino <email address hidden>
    Closes-Bug: 1928135

commit eec3008f600aeeb69a42338ed44332228a862d11
Author: Mihnea Saracin <email address hidden>
Date: Mon May 10 13:09:52 2021 +0300

Serialize updates to global_filter in the AIO manifest

    Right now, looking at the aio manifest:
    https://review.opendev.org/c/starlingx/stx-puppet/+/780600/15/puppet-manifests/src/manifests/aio.pp
    there are 3 classes that update
    in parallel the lvm global_filter:
    - include ::platform::lvm::controller
    - include ::platform::worker::storage
    - include ::platform::lvm::compute
    And this generates some errors.

We fix this by adding dependencies between the above classes
in order to update the global_filter in a serial mode.

    Closes-Bug: 1927762
    Signed-off-by: Mihnea Saracin <email address hidden>
    Change-Id: If6971e520454cdef41138b2f29998c036d8307ff

commit 97371409b9b2ae3f0db6a6a0acaeabd74927160e
Author: Steven Webster <email address hidden>
Date: Fri May 7 15:33:43 2021 -0400

Add SR-IOV rate-limit dependency

    Currently, the binding of an SR-IOV virtual function (VF) to a
    driver has a dependency on platform::networking. This is needed
    to ensure that SR-IOV is enabled (VFs created) before actually
    doing the bind.

This dependency does not exist for configuring the VF rate-limits
however. There is a cha...

Reviewed:  https://review.opendev.org/c/starlingx/stx-puppet/+/792029
Committed: https://opendev.org/starlingx/stx-puppet/commit/2b026190a3cb6d561b6ec4a46dfb3add67f1fa69
Submitter: "Zuul (22348)"
Branch:    f/centos8

commit 3e3940824dfb830ebd39fd93265b983c6a22fc51
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Thu May 13 18:03:45 2021 +0300

Enable kubelet support for pod pid limit
    
    Enable limiting the number of pids inside of pods.
    
    Add a default value to protect against a missing value.
    Default to 750 pids limit to align with service parameter default
    value for most resource consuming StarlingX optional app (openstack).
    In fact any value above service parameter minimum value is good for the
    default.
    
    Closes-Bug: 1928353
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I10c1684fe3145e0a46b011f8e87f7a23557ddd4a

commit 0c16d288fbc483103b7ba5dad7782e97f59f4e17
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Tue May 11 10:21:57 2021 -0400

Safe restart of the etcd SM service in etcd upgrade runtime class
    
    While upgrading the central cloud of a DC system, activation failed
    because there was an unexpected SWACT to controller-1. This was due
    to the etcd upgrade script. Part of this script runs the etcd
    manifest. This triggers a reload/restart of the etcd service. As this
    is done outside of the sm, sm saw the process failure and triggered
    the SWACT.
    
    This commit modifies platform::etcd::upgrade::runtime puppet class
    to do a safe restart of the etcd SM service and thus, solve the
    issue.
    
    Change-Id: I3381b6976114c77ee96028d7d96a00302ad865ec
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
    Closes-Bug: 1928135

commit eec3008f600aeeb69a42338ed44332228a862d11
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Mon May 10 13:09:52 2021 +0300

Serialize updates to global_filter in the AIO manifest
    
    Right now, looking at the aio manifest:
    https://review.opendev.org/c/starlingx/stx-puppet/+/780600/15/puppet-manifests/src/manifests/aio.pp
    there are 3 classes that update
    in parallel the lvm global_filter:
    - include ::platform::lvm::controller
    - include ::platform::worker::storage
    - include ::platform::lvm::compute
    And this generates some errors.
    
    We fix this by adding dependencies between the above classes
    in order to update the global_filter in a serial mode.
    
    Closes-Bug: 1927762
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
    Change-Id: If6971e520454cdef41138b2f29998c036d8307ff

commit 97371409b9b2ae3f0db6a6a0acaeabd74927160e
Author: Steven Webster <steven.webster@windriver.com>
Date:   Fri May 7 15:33:43 2021 -0400

Add SR-IOV rate-limit dependency
    
    Currently, the binding of an SR-IOV virtual function (VF) to a
    driver has a dependency on platform::networking.  This is needed
    to ensure that SR-IOV is enabled (VFs created) before actually
    doing the bind.
    
    This dependency does not exist for configuring the VF rate-limits
    however.  There is a chance that the VF rate-limiting configuration
    happens before the VFs are actually created.
    
    This commit fixes the issue by creating a dependency on
    platform::networking from the sriov::config class, which ensures
    the VFs are created before both driver binding and rate
    limiting configuration occurs.
    
    Closes-Bug: #1927758
    Signed-off-by: Steven Webster <steven.webster@windriver.com>
    Change-Id: Ic452247eb8c980e1b18bdc54832eb635d7a9fc54

commit 0b429c7cb0c16e34755c1b1e146ebb8b006d44dc
Author: Jim Gauld <james.gauld@windriver.com>
Date:   Thu May 6 12:33:24 2021 -0400

Configure etcd service critical process nice and ionice
    
    The etcd server is a critical "interactive" process that requires
    low-latency. This process has many etcd threads, each worker does
    minimal work and wakes up frequently. The threads do small amount of
    writes to commit.
    
    The etcd server will start exceeding heartbeat interval of 100ms and
    the election timeout of 1000ms under load and independent disk stress,
    if not properly tuned as a critical process. This cascades into many
    failures.
    
    This requires io-scheduler 'cfq' to take advantage of io-nice policy
    and priority. This bumps up to best-effort/0 from best-effort/4.
    
    This sets nice -19 from nice 0. This helps tremendously with
    interactive processes for linux CFS (completely-fair-scheduler).
    
    With tuned settings, under application load and additional disk stress,
    we see a dramatic reduction of 'blocked_max' and no more kern.log
    etcdserver related errors for exceeding the timeouts.
    We see dramatic improvement to system responsiveness for kubectl,
    kube-apiserver. This prevents pods from failing when clients they
    cannot renew lease.
    
    Note that 'blocked_max' scheduler stats for this process represents
    involuntary wait for disk related delay, scheduling delay, etc.
    
    Testing coverage:
    - various root disk HW: RAID, NVMe, SSD, VBox
    - sanity on multiple labs: R730_1 with RAID, WFP13_14
    
    Configuration change used in testing:
    - baseline: deadline, best-effort/4,
    - system under test: cfq, best-effort/0, nice -19
    - dd stress was single writer to root disk:
      while true; do
        dd if=/dev/zero of=./test.dd bs=200K count=20000 conv=fsync
      done
    
    Compared results and observe system behaviour:
    - watch kern.log for etcserver 'took too long', and 'wal: sync'
    - watch fm alarms
    - watch kubectl pod status
    - observe performance with: iotop, schedtop, iostat
    
    Tests performed:
    - DRBD resync with and without dd writer stress
    - swact with and without dd stress
    - large application apply + dd writer stress
    - launch large number of pods (eg, scale nginx with 80 pods),
      watch systemctl status commands using strace to check for hang
    - copy very large files, create big tarballs, write mkisofs iso
    - host install
    
    Closes-Bug: 1927515
    Depends-On: https://review.opendev.org/c/starlingx/config-files/+/790098
    Signed-off-by: Jim Gauld <james.gauld@windriver.com>
    Change-Id: Ieeeba5c1375d8d99401f839c7409a9de356fda87

commit 9782bb104c07b4aed0876d88d1743d4816a34515
Author: Don Penney <don.penney@windriver.com>
Date:   Fri May 7 08:51:19 2021 -0400

Update dnsmasq.conf for UEFI pxeboot
    
    Due to recent grub2 update for CVE-2020-15705, pxeboot must use the
    shim.efi file for secure boot, rather than grubx64.efi directly.
    
    Change-Id: I864ff46f449e92dfd5f1667379bc56aaaf6dfe2c
    Closes-Bug: 1927730
    Depends-On: https://review.opendev.org/c/starlingx/metal/+/790253
    Depends-On: https://review.opendev.org/c/starlingx/integ/+/790254
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit c120fb798091db9fb756e51b895dccfa8d80a947
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Wed May 5 17:30:19 2021 -0400

AIO-SX reboots after change OAM ip address
    
    On HW tests, it was detected that openstack-endpoints restart was
    happening at the same as the service-manager restart, this creating
    a conflict that preventing SM services to reach enabled-active.
    This was provoking the reboot.
    
    The correction creates openstack::keystone::endpoint::runtime::post
    class to be executed the post stage and not on the main stage, to
    avoid conflict with service-manager
    
    Also marking platform::network::runtime to be run at the pre stage
    to avoid some encountered apply errors related to the delay of
    haproxy bringup due to the lack of the IP address on the interface
    as it was only configured later. This way the other restarted
    services will have the address on the interface as restart happens
    
    Tested on AIO-SX, by monitoring manifest apply and validating that
    no reboot happens
    
    Closes-Bug: 1927275
    
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: Ia70a3395753e43b3c1e2c037818c8c23e4ec0fd6

commit cb7858c65982c250f07a5022719d4f2b6d547d64
Author: Pedro Henrique Linhares <PedroHenriqueLinhares.Silva@windriver.com>
Date:   Wed May 5 11:11:27 2021 -0300

Fix for failure during AIO-SX to AIO-DX migration on standalone system
    
    Fix drbd-cephmon mount error by manually remounting monitor DRBD after
    DRBD::Resource creation. Removed patching of Kubernetes Persistent
    Volumes from puppet manifest since Kubelet and kube-api are no longer
    available during puppet run.
    
    Partial-Bug: 1927224
    Signed-off-by: Pedro Henrique Linhares <PedroHenriqueLinhares.Silva@windriver.com>
    Change-Id: Id5565ac734499b617b470499cfc2aa1ae2972da3

commit 5695a29e6a5ed8ee5d211e937496384027d7fd4e
Author: Bin Qian <bin.qian@windriver.com>
Date:   Thu Apr 29 13:35:38 2021 -0400

Fix missing kubelet service enable for worker nodes
    
    Previous commit:
      https://review.opendev.org/c/starlingx/stx-puppet/+/780600/
    kubelet enable is skipped for the worker nodes.
    
    Change-Id: I7769aebb4a9e38404af0c883640e1a27bb1e9e84
    Closes-Bug: 1918139
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit 94ec35ff2d5363d3816f6d267a77a4efba6c6aa8
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Apr 14 23:28:03 2021 -0400

Increase min_free_kbytes to 256M for storage to avoid OOM issue
    
    Help to prevent the OOM issue that it failed to allocate memory
    with error message 'page allocation failure: order:2, mode:0x104020'
    
    As the min_free_kbytes in the linux documentation shows:
    This is used to force the Linux VM to keep a minimum number
    of kilobytes free.  The VM uses this number to compute a
    watermark[WMARK_MIN] value for each lowmem zone in the system.
    Each lowmem zone gets a number of reserved free pages based
    proportionally on its size.
    
    Keeping more memory free in those zones means that the os itself is
    less likely to run out of memory during high memory pressure and high
    allocation events.
    
    Based on the issue occurs on the storage node so far, we only update
    the value for the storage node.
    
    Closes-Bug: #1924209
    
    Change-Id: Iae2e5a0787f69c62ba5da53663371fd2be148e15
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 736199af4106378b86b4cdca784105fe2cd8ed05
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Wed Apr 28 14:50:21 2021 -0400

On runtime, kube-sriov-device-plugin needs to be restarted
    
    The previous correction for bug 1918139 removed the sriov plugin
    restart necessary during runtime, done during the interface sriov
    assign to a datanetwork (allowed on an unlocked AIO-SX). Without
    it, the pod creation will not be able to use a datanetwork created
    on runtime.
    
    The correction bring back the platform::kubernetes::worker::sriovdp
    class to be used only on runtime
    
    Closes-Bug: 1918139
    
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: Ied19bf3138b58b279b350d067ae0c1080e220f31

commit 69b9809465b5e7a837917cce7d0a731ddf257f0d
Author: Steven Webster <steven.webster@windriver.com>
Date:   Tue Apr 27 17:54:24 2021 -0400

Fix interface (re)configuration for single-nic system
    
    Currently, the apply-network-config manifest step launches a script
    that detects differences between puppet's view of what the
    ifcfg-* network scripts should be and what the value
    of the ifcfg files actually are in the /etc/sysconfig/network-scripts/
    directory.
    
    If there are differences, the puppet representation of the interface
    configuration is copied to the system network-scripts directory and
    the interface is brought down and up to apply the config.
    If there are no changes between the puppet view and the system view,
    the interface is left alone.
    
    An issue can occur in a single-nic system comprising a physical
    lower ethernet interface configured for SR-IOV with upper vlan
    interfaces (oam, mgmt, etc).  If the lower interface is
    re-configured, it is subsequently brought down/up to apply
    the changes.  This causes the upper vlan interfaces to also
    be brought down by the kernel.  In the case of an IPv6 system,
    the interfaces will lose their addresses as well as any configured
    default route.  In the case of an IPv4 system, the default route
    will be wiped out, which could cause issues in a distributed cloud
    environment.
    
    This commit addresses the issue by detecting whether any lower
    interface associated with a vlan interface has been marked for
    re-configuration.  If this is the case, the vlan interface is
    also added to the up/down list to cause it to re-apply the
    existing static configuration (if it is not already in the list).
    
    Closes-Bug: 1926366
    Signed-off-by: Steven Webster <steven.webster@windriver.com>
    Change-Id: I40177900ef58a9619fecb34ceffc412f31d1a965

commit 139ba4aa6c143e495b8b7136b359254ceb3ba296
Author: Bin Qian <bin.qian@windriver.com>
Date:   Mon Apr 26 14:59:51 2021 -0400

Reset N3000 fpgas only when it exists
    
    Remove calling reset n3000 fpga before detecting h/w exists.
    
    Closes-Bug: 1918139
    Change-Id: I81b7fbc9500fac7e86424537551c1e9aac7492ec
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit e6b1ae7d222f83625110d80a576b95f88f5ed04a
Author: Charles Short <charles.short@windriver.com>
Date:   Mon Apr 26 11:16:00 2021 -0400

Fix zuul errors due to changes in dependencies
    
    Pin hacking to < 4.0.1 to fix zuul gate issues.
    
    Test:
    Ran tox -e pep8 command to validate the pep8 job and result.
    
    Related-Bug: 1926172
    
    Signed-off-by: Charles Short <charles.short@windriver.com>
    Change-Id: Ia85b584d7ff4e5e7cb19a820d6f6323aa672f52e

commit 16f0b0cc66b23a9e74005a9cd9379de6a2d78234
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Fri Apr 23 10:02:35 2021 -0400

Rename the dnsmasq runtime class
    
    As the platform::dns:runtime class only referencing the resource of
    dnsmasq, this commit renames it as platform::dns::dnsmasq::runtime in
    order to indicate its function clearly.
    
    Story: 2008774
    Task: 42365
    
    Change-Id: I79dd23bf64abfd63906daa59ec59c4496dedda31
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit 70971df9f35886f5ece04c82bfccee105d3d0861
Author: Bin Qian <bin.qian@windriver.com>
Date:   Tue Mar 30 15:58:15 2021 -0400

AIO manifest to start kubernetes once
    
    This change is to avoid restarting kubernetes.
    Also calling sysinv-reset-n3000-fpgas to reset N3000 FPGAS
    on host start up.
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/785683
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/780600
    Change-Id: I4a27840820fd45ad86cef4dfce6ea0389e583f68
    Partial-Bug: 1918139
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit f4694f8a30f1e5cbe0f7d354f95949a1601eb1e1
Author: Bin Qian <bin.qian@windriver.com>
Date:   Mon Feb 8 13:00:38 2021 -0500

Single puppet for AIO controllers
    
    This change includes:
    1. create aio.pp for AIO controller nodes
    2. execute aio.pp for nodes with subfunctions of 'controller,worker'
    3. remove sriov device plugin restart code as now kubelet starts
       after related config are applied.
    
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/784761
    Change-Id: I54b90a76454c6c545bf2891b81225bbf2ba15b03
    Partial-Bug: 1918139
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit accc39cefe9f54efa656b99bb3fad949ba030367
Author: Pedro Henrique Linhares <PedroHenriqueLinhares.Silva@windriver.com>
Date:   Sun Mar 7 19:38:23 2021 -0300

DRBD replication, rebuilding monitor and PVCs during migration to AIO-DX
    
    Given the system capability "simplex_to_duplex_migration" exists on the
    system to indicate that it is going through a migration from AIO-SX
    to AIO-DX, this commit will during the unlock process, create a DRBD
    replicated filesystem for the floating monitor, rebuild the monitor
    store.db from the existing Ceph OSDs on the system, recover the
    previously existing cephfs filesystems, updates the ceph crushmap
    and updates the Ceph monitor IP on existing PersistentVolume resources.
    
    Story: 2008587
    Task: 42078
    
    Signed-off-by: Pedro Linhares <PedroHenriqueLinhares.Silva@windriver.com>
    Change-Id: Iba6ec8bf812c9623724c357455a370d79ffd7b60
    Signed-off-by: Pedro Henrique Linhares <PedroHenriqueLinhares.Silva@windriver.com>

commit 569b457592d3f3c95aba72f5f52108316842b6fe
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Apr 14 14:54:40 2021 -0400

Generate admin ep cert on subcloud controllers in puppet
    
    Enabled admin endpoint cert to be generated in manifest directly
    from k8s secret data (via secure hieradata). This operation is
    consistant to the system controller as well as admin endpoint cert
    renewal.
    
    Partial-Bug: 1923510
    
    Change-Id: I442f3c2c97cf83588aefa8b4fe808834a31fdcc5
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit ffddc103ca66f87fb96ae02e9cfbb656d39f38ab
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Thu Apr 15 09:59:55 2021 -0400

OAM IP change needs double lock/unlock controllers for IPV6 system
    
    Added IPv6 address fields on the list used to detect if the interface
    have changed on apply_network_config.sh. Without it was only copying
    the interface config file from /var/run/network-scripts.puppet/ to
    /etc/sysconfig/network-scripts/ which explains why it was working
    on the second reboot.
    
    Tested on:
    AIO-DX
    AIO-SX
    
    Closes-Bug: 1895555
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: I25e60a04b4aec38c254ff3e3a7b2f0d80ce5daaf

commit f46c154188b5d90bdd19ba2a5952b4f8c565d5d3
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Wed Apr 14 17:13:59 2021 -0400

kdump config remove intel eth drivers from ramdisk
    
    Problem:
    On a kernel crash, such as the watchdog timer firing, kexec
    tries booting the crash recovery kernel in order to capture
    a vmcore so that the issue can be debugged. This normally
    succeeds unless the platform has ice network hardware. Why?
    Because the crash recovery kernel has only a small amount of
    memory set aside for it, and the ice driver allocates enough
    memory to cause memory exhaustion.  This causes the crash
    recovery kernel's startup to fail, leading to complete platform
    hang.  In order to break out of the hang, one needs to manually
    do a hardware reset or power cycle.
    
    Solution:
    Change kdump.conf to leave the ice driver module out of the
    initramfs that is used by the crash recovery kernel.  In
    fact, leave all of the intel ethernet drivers out since they
    are not needed and increase the risk of memory exhaustion.
    Upon changing kdump.conf, the kdump service is restarted to
    regenerate the initramfs.
    
    Verification:
    Install, check the kdump.conf file and unpack the initramfs file
    making sure that those modules are gone.  Check controller,
    worker, and storage node types.  Reboot node, make sure things
    behave as expected ie. no extra kdump.conf mangling and no
    unexpected kdump service restarts.
    Also crash a node with intel ethernet hardware on it and make
    sure it comes back up with a vmcore left in /var/log/crash.
    
    Change-Id: I9112f722cee8e199d94393bca887d3bb9bb89b39
    Closes-Bug: 1923879
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit f21842a2c46c656086234b9b006c224a41485acb
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Mon Apr 12 17:06:33 2021 -0400

Creates a LDAP client runtime class
    
    This commit creates a wrapper class platform::ldap::client::runtime to
    update the LDAP client in runtime.
    
    Tested with apply this class in runtime to update the LDAP server URI.
    
    Change-Id: Ia3e40617c9e628deeca839734bd3a3b41431f336
    Story: 2008774
    Task: 42248
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit 2a80652598f399995edfc434f1aa0154f1b8299c
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Tue Mar 30 13:46:11 2021 -0400

Applying SRIOV VF configuration at runtime
    
    During runtime, if a user converts a non pci-sriov classed interface
    to a pci-sriov classed interface with type 'ethernet', or creates an
    SR-IOV interface of type 'VF', logic is implemented to enable and
    configure the interface'
    
    Story: 2008531
    Task: 42203
    Change-Id: I0edb4abf2cea6dc29b9485fa09d1fecab4b76c65
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>

commit 28ef813cda9fd0191d8cee9c1f2bd80d64175f6f
Author: Don Penney <don.penney@windriver.com>
Date:   Tue Mar 30 18:10:02 2021 -0400

Add aggregate to DX service group reprovisioning
    
    The following prior update added service group reprovisioning on DX
    nodes, but was missing the aggregate option necessary to ensure
    certain groups were active on the same controller:
    https://review.opendev.org/c/starlingx/stx-puppet/+/773277
    
    As a result, failures during swact could lead to these groups being
    assigned to different nodes, causing other failures in the system.
    
    This update adds the missing aggregate option.
    
    Partial-Bug: 1893669
    Signed-off-by: Don Penney <don.penney@windriver.com>
    Change-Id: I063d1549aa456bd4bb68c4c69c50dbc078ae7be0

commit 6a4907694c386aa6e85b0c51ac1963903f9092c8
Author: Robert Church <robert.church@windriver.com>
Date:   Sat Oct 24 03:30:47 2020 -0400

Add support for setting optional k8s cpu configuration flag
    
    If the host-label 'kube-ignore-isol-cpus=enabled' is added to a host,
    then file '/etc/kubernetes/ignore_isolcpus' will be created for kubelet
    to consume so that it can determine how to handle application-isolated
    CPUs.
    
    Story: 2008760
    Task: 42166
    Signed-off-by: Robert Church <robert.church@windriver.com>
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
    Change-Id: Ifbcc245d0e2716b7abb7726d38d3662e7b53d770

commit 5927be3eed92dee4192bf76af04b171c9758bfd5
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Thu Mar 11 05:59:50 2021 -0500

Added classes to restart service manager and vim-webserver
    
    For service manager, created a class to stop, modify the OAM IP and
    restart it. In the case of vim-webserver, a new class to only restart the
    service during runtime
    
    Story: 2008531
    Task: 42061
    Change-Id: I7846c5ab3f1f8d0adb741356164a20932f9ed25f
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>

commit e1552be5bcd4f32ae5d9c30a4158ca98368005a6
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Mar 11 01:30:24 2021 -0500

Enabling Ceph MDS as part of adding Ceph at runtime
    
    A metadata server is assigned to every node that has a monitor.
    
    Restructure the metadataserver class to ensure that the metadata server:
     - is started after the Ceph monitor and the Ceph manager on controllers
     - is started after the Ceph monitor on a worker assigned a monitor
    
    If the metadata server is started prior to the monitor, it will not
    start properly.
    
    Future optimization may be to create a MDS SM service on the
    controllers, but based on current testing, it seems unnecessary.
    
    Tested:
     - Adding Ceph pre-controller-0 unlock
       - AIO-SX, AIO-DX, Standard 2+2, Storage 2+2+2
     - Adding Ceph at runtime after installed nodes are fully provisioned.
       - AIO-SX, AIO-DX, Standard 2+2
     - For all the above configs also added storage tiers and confirmed
       proper functionality
     - NOTE: No Ceph runtime option for labs with storage node
       configuration.
    
    Change-Id: I27b53b55738d0aec70db6a9e4004c920029869fa
    Closes-Bug: #1919276
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 1aef5b8968d8ce28c4fbc42a5160f77a8ebff642
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Mar 11 01:29:04 2021 -0500

Re-enable adding bare-metal Ceph storage backend at runtime
    
    Adding the bare-metal Ceph storage backend at runtime fails as
    $::platform::rook::params::service_enabled can not be resolved.
    
    This update explicitly includes the class to allow resolution and enable
    the Ceph storage backend to be added.
    
    Change-Id: I1bd12910784387c2a2d37a29d2f299e3cebb8cd2
    Closes-Bug: #1919274
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit a79bc74c31350fc05cf16d89b1c2cdf35af5ef5f
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Fri Mar 12 13:47:19 2021 -0500

Cleanup config.toml.erb of MARK_* comments
    
    The comments that contain strings "MARK_BEGIN" and "MARK_END"
    are not used anymore in ansible bookstrap and they need
    to be cleaned up from config.toml.erb template.
    
    Change-Id: Id53bc58d2624581b6e50ead1c77a5cd424631ae5
    Closes-Bug: 1892768
    Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/779047
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>

commit 13ba2d4a7e6f9337eda22d98df872cb40ec983ac
Author: John Kung <john.kung@windriver.com>
Date:   Sun Feb 28 10:38:54 2021 -0600

puppet manifest apply check hieradata rsync
    
    Update the puppet manifest apply to check whether the hieradata
    has been rsync successfully.  Check return value and, in certain
    cases reattempt, before continuing.  This is needed because
    the hieradata is actually generated by the controller node,
    and this script may be running on another host.
    
    It has been observed that there are instances on worker host
    whereby some of the hieradata is missing (e.g. missing
    system.yaml openstack_host in puppet.log).
    
    Verified:
        install, deployment and sanity on multinode and AIO
        backup and restore with Ceph
        platform upgrade
    
    Change-Id: I9e7a0a02dd28c06d914fafe8234f4fee5e05247c
    Closes-Bug: 1917229
    Signed-off-by: John Kung <john.kung@windriver.com>

commit fab4ea75c03d96ece44f441725f7f385202e737c
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Fri Feb 26 16:23:35 2021 -0500

Increase haproxy timeout for patching
    
    Some patching operations can take a significant amount of time.
    Thus, in this commit the haproxy timeouts for
    patching-restapi-admin-internal and patching-restapi-internal
    are updated to be 600s.
    
    Change-Id: I1b73793c2963be2d1e40634ed6f85d747c6d6985
    Story: 2007267
    Task: 41944
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 8300408337a5051aba0c7106add4f0068ba7d461
Author: Babak Sarashki <babak.sarashki@windriver.com>
Date:   Wed Feb 17 15:56:40 2021 +0000

Add container runtime interface (CRI) placeholder to config.toml
    
    This commit extends containerd config.toml template file  to include
    placeholder for custom CRI entries. The custom CRI entries can be
    specified via service-parameter method (Change-Id: Icc5fd16 stx/config).
    
    Story: 2008434
    Task: 41389
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/776220
    
    Signed-off-by: Babak Sarashki <babak.sarashki@windriver.com>
    Change-Id: Ib1dd5bd2fbb5e386cf06ab4161226c3bf6f107ac

commit a8cf39d9d37d51869503cfa4d239faa4ced7e67f
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Thu Feb 11 13:23:23 2021 -0500

Device image repository
    
    The device images are stored in the drbd filesystem
    (/opt/platform/device_images) in the active controller.
    In order to allow the other worker hosts to retrieve the device images
    from the active controller over lighttpd, the directory
    /www/pages/device_images is created as a bind mount of the drbd
    directory. This mount resource is managed by SM.
    The 'device_images' is added to the lighttpd static content list.
    
    Tests performed on the following systems:
    AIO-DX, AIO-DX plus compute, Standard 2+1
    DC with AIO-DX plus subcloud
    DC with Standard subcloud
    
    Story: 2007875
    Task: 41877
    Depends-On: https://review.opendev.org/c/starlingx/ha/+/776489
    
    Change-Id: I4e7686ece49546d7ef84f5724370167afaf21375
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit 2e92d0ec7e3e39b69ac4838d54f5ec8e0ad752bc
Author: Litao Gao <litao.gao@windriver.com>
Date:   Thu Feb 18 07:59:17 2021 -0500

Add retry to tolerate 'ip link set' failure
    
    If 'ip link set' is executed too fast for X710, it is possible
    that some of them fails with 'Resource temporarily unavailable'.
    Add retry in puppet Exec resource to tolerate this failure case.
    
    Story: 2008470
    Task: 41936
    
    Signed-off-by: Litao Gao <litao.gao@windriver.com>
    Change-Id: Ib80ea77d36a0b0f63d3db2015dadb3911c56d1e9

commit 598427b294ee25fa817fb2de5e56bb18825c984e
Author: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
Date:   Thu Feb 25 07:49:26 2021 -0500

Increase timeout for sriovdp deletion
    
    In an AIO-SX, pods get launched by kubelet soon after puppet is done
    with controller's manifest but is still working with worker's manifest.
    When pods are several the concurrency may lead the SRIOV device plugin
    to not be deleted (then restarted) in the expected time frame.
    The final solution for this problem is on the way, by refactoring the
    current AIO to orchestrate between pods bring-up and worker setup. In
    the meantime, the workaround solution in this change is the increase
    of the original timeout for deletion of the SRIOV device plugin.
    
    Closes-Bug: 1916620
    Implements: increased timeout value to manage sriovdp in kubernetes.pp
    Signed-off-by: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
    Change-Id: I0f6fb20a0ed5086fc80794b35715eea8d3d74cb8

commit 98601d637cb8f421a0fdccb2acb63339309d0dbe
Author: albailey <Al.Bailey@windriver.com>
Date:   Fri Feb 12 11:33:36 2021 -0600

Use kubelet.conf instead of admin.conf on worker nodes during upgrade
    
    Specifying a config file that does not exist causes kubelet upgrades
    to fail on worker nodes when some of the commands return errors.
    
    admin.conf does not exist on worker nodes, but exists on controllers.
    The code has been updated to use kubelet.conf during worker kubelet
    upgrade actions.
    
    The worker init code has also been changed when pulling the pause
    image so that it does not try to contact k8s.gcr.io.
    The kubernetes-version needed to be passed in when querying for the
    pause image.
    
    Story: 2008137
    Task: 41828
    Change-Id: I6565132bd587927bd26c845c2ea56a995ac6da1c
    Signed-off-by: albailey <Al.Bailey@windriver.com>

commit 20f211cbef89be56ad7dd26e93cb720d81a93172
Author: albailey <Al.Bailey@windriver.com>
Date:   Fri Feb 19 12:14:38 2021 -0600

Add bindep target to tox
    
    bindep is a helpful tox target to assist in determining
    what components a test environment needs to have installed.
    
    For stx-puppet, puppet-lint needs ruby headers otherwise
    the tox linters target will fail.
    
    Partial-Bug: #1907678
    Signed-off-by: albailey <Al.Bailey@windriver.com>
    Change-Id: Iaccd8d8f3af292ef29028cde59f0d344b94f1d72

commit c67bd455f8b8bd06ab9611d1b5d6ce7f2f948337
Author: albailey <Al.Bailey@windriver.com>
Date:   Fri Feb 19 10:01:19 2021 -0600

Fix running tox linters in a python2 env
    
    The bandit target is python3, and the package
    fails to be installed in a python2 env.
    
    Partial-Bug: #1907678
    Signed-off-by: albailey <Al.Bailey@windriver.com>
    Change-Id: I9d683c99274dc3120995e0376ace53644dc2a050

commit 54be537f9edea23df45dc3221d9be41d83f13778
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Fri Feb 12 17:45:58 2021 -0600

Add support for dcmanager-audit-worker service
    
    We're moving the bulk of the dcmanager subcloud audits to separate
    worker processes, so we need to add a service for the main worker
    processes (which will then spawn additional workers).
    
    Story: 2007267
    Task: 41869
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
    Depends-On: https://review.opendev.org/c/starlingx/ha/+/775457
    Change-Id: I119d24ae67ec4a40c360ac721582b45388231cbf

commit 3c2f1530c9ee8ccd2c27cb757655a9c851b926ae
Author: Babak Sarashki <zbsarashki@gmail.com>
Date:   Thu Feb 4 23:52:37 2021 +0000

platform puppet: Config ACC100 bbdev with QMGR val
    
    The ACC100 PF and VF configuration takes the same puppet
    config code path as the N3000 except that the ACC100 does
    not require a reset, but requires bbdev config.
    
    This patch adds platform::devices::acc100::fec class to
    exec pf-bb-config to configure QMGR on the Intel ACC100
    (Mt. Bryce) with number of 5G UL/DL qgroups and configures
    the device with the number of VF's.
    
    Story: 2008440
    Task: 41530
    
    Depends-On: https://review.opendev.org/c/starlingx/integ/+/775252
    
    Signed-off-by: Babak Sarashki <zbsarashki@gmail.com>
    Change-Id: I7d42852009fedba5136d9d726092f273ef41c7fd

commit 5a555ad98eb4fb978c7b553d463dfedf4d9b3a25
Author: Eric MacDonald <eric.macdonald@windriver.com>
Date:   Wed Feb 3 12:11:16 2021 -0500

Change collectd plugin search path
    
    This update changes the collectd's plugin
    search path from /etc/collectd.d to
    /etc/collectd.d/starlingx to avoid loading
    the collectd default plugins.
    
    Partial-Fix: 1905581
    Depends-On: https://review.opendev.org/c/starlingx/monitoring/+/772516
    Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
    Change-Id: I1999f25244465430d9c1385a2fc3c002d0e108c9

commit fbb4cdef07c52acb66cfcaf91bc2d029ffb00ff1
Author: Don Penney <don.penney@windriver.com>
Date:   Sun Jan 31 22:02:43 2021 -0500

Reprovision SM services on duplex
    
    Update SM provisioning for duplex to reprovision services
    if needed. The default configuration in SM is duplex services,
    and a simplex node will reprovision these to be simplex. In
    order to support SX to DX migration, these services will also
    be reprovisioned on duplex to ensure the configuration
    is correct.
    
    Story: 2008587
    Task: 41743
    
    Change-Id: Ifb61a6046c680d0dee7c76660397c6fe8c2cbe73
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit b2e37caaeb90e5931cb1522d8d23e6258d506fdb
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Wed Feb 3 09:26:47 2021 -0500

Etcd parameters lost when changing kube-apiserver parameters
    
    Etcd parameters are getting lost when changing kube-apiserver
    parameters. This is due to no default values being present. The
    missing etcd parameters causes kube-apiserver to fail to start up.
    This commit makes the script for changing kube-apiserver parameters
    keep any existing etcd parameters in the previous config.
    
    Change-Id: I83eb5426ba72a36a5eed3ecbddcbbacdf38803c5
    Closes-bug: 1914291
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit a4decc6fbc0f796e03f25119b635fad51962fbdd
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Wed Jan 27 14:29:59 2021 -0500

Added class to handle pci runtime config on kubernetes
    
    The new class adds a handler on puppet to trigger
    configuration on runtime when an SR-IOV interface is
    assigned to a data network on an unlocked host
    
    Story: 2008531
    Task: 41707
    Depends-On: https://review.opendev.org/c/starlingx/config/+/772759
    Change-Id: Iddbc272eb6b3321c987c2700e63734ee57244cf9
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>

commit a34cd954e92f37994d40a31ccc2777249598622d
Author: Eric MacDonald <eric.macdonald@windriver.com>
Date:   Mon Jan 25 10:01:29 2021 -0500

Modify collectd manifest to not start collectd
    
    The collectd puppet manifest auto starts the
    collectd process before a node's configuration
    is complete. This has been see to lead to a
    collectd process core dump in the collectd's
    network plugin due to being started before
    networking is setup or fully operational.
    
    Collectd has a service file that has been
    modified by the Depends-On update to start
    collectd after config is complete.
    
    Partial-Bug: 1872979
    Depends-On: https://review.opendev.org/772349
    Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
    Change-Id: I70ded9b745b7dadb7c50b1d5f9ba8bdcb5ffa2da

commit 389f37582a1568bc34089956dc52b6fe5c274b83
Author: John Kung <john.kung@windriver.com>
Date:   Thu Jan 21 09:41:41 2021 -0600

Adjust dcorch database pool size for dcorch scaling
    
    The dcorch database pool sizes are updated based upon
    the delivery of feature with multiple dcorch engine workers.
    
    As the workload is allocated amongst 5 multiple workers,
    the values for the dcorch database pools can be lowered
    from the defaults previously set for the single process case.
    
    The max theoretical database connections allowable per worker
    is based on 100 audit and 100 sync threads.
    
    Furthermore, the dcorch scaling feature audits based on
    audit timestamp so the peak loads are also likely more balanced.
    
    Testcases:
    In multiple subclouds environment, monitor each
    dcorch engine each workers database connections usage:
    subcloud add
    subcloud initial manage
    subcloud resource sync
    subcloud manage and unmanage
    
    Change-Id: Id3386df6289d42080a90b9d97cc0834054160805
    Story: 2007267
    Task: 41650
    Signed-off-by: John Kung <john.kung@windriver.com>

commit b112fce71e8ce69b7065fa3bf8f4da896cd637a3
Author: Litao Gao <litao.gao@windriver.com>
Date:   Tue Jan 12 10:18:08 2021 -0500

VF rate limiting support
    
    This commit implements puppet part logic to perform
    VF max_tx_rate setting according to the configuration.
    
    Story: 2008470
    Task:  41508
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/770135
    Signed-off-by: Litao Gao <litao.gao@windriver.com>
    Change-Id: Ic599f9ac70430529f31d57a74d0809f7077b98e5

commit ce66ffd30cb33f2b770587d7731732e34593e8f1
Author: Martin, Chen <haochuan.z.chen@intel.com>
Date:   Sun Jul 5 20:42:55 2020 +0800

Add puppet class for rook
    
    Create a new drbd device for rook. For duplex system, device mount to
    folder /var/lib/ceph/mon-a for mon data sync on two controllers.
    
    Story: 2005527
    Task: 40281
    
    Change-Id: Ic5edca16e2dce905aeb582b0359446bd222e5ad3
    Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>

commit 2680e463198cd75b01a8f04140e2d4f72e4844c9
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Tue Jan 19 10:47:17 2021 -0600

Migrate etcd after both controllers are upgraded
    
    The flag to trigger the data migration is now set by the conductor on
    controller-1 and the migration will be performed on controller-0. The
    flag is now set in a drbd synced filesystem so it is accessible to both
    controllers.
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/771668
    Story: 2008055
    Task: 41631
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>
    Change-Id: I761740f4de24f33f2d314ec1bc8fbc5941607900

commit 978dea28f21592ad4aa79e99821b70a1b07ab438
Author: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Date:   Wed Jan 20 09:47:34 2021 -0300

Remove trap destination from fm.conf
    
    With the host-based SNMP removal,
    remove trap_destination entry from fm.conf
    
    Story: 2008132
    Task: 41350
    Change-Id: I3f0298233beedc3370fa8c4c2dbc65fe678b14a6
    Depends-On: https://review.opendev.org/765381
    Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>

commit 0f7418e761fa49b0f5a5edc9593ff9f6c0921206
Author: Angie Wang <angie.wang@windriver.com>
Date:   Mon Sep 28 11:39:17 2020 -0400

Configure SQL as helm storage backend
    
    Configmap is the default helmv2 storage backend to store
    release information but its 1MB resource limit prevents
    scaling up stx openstack worker nodes, so we want to use
    SQL as helm storage backend.
    
    Add class in helm puppet manifest to setup helm database
    during ansible bootstrap.
    
    This commit also fixes the IP address in postgres pg_hba.conf.
    
    Currently, we have the following rules for both IPv4 and
    IPv6 systems:
    Rule Name: allow access to all users with encrypted password
    from all IPv4 addresses.
    host  all  all         0.0.0.0/0   md5
    Rule Name: deny access to postgresql user.
    host  all  postgres    0.0.0.0/32 reject
    
    For the IPv6 system, the address of pods is IPv6. The CIDR
    address in the rule should be changed to corresponding
    IPv6 address (::0/0) to allow tiller running in container
    to access helm database.
    
    Depends-On: https://review.opendev.org/#/c/761645/
    Change-Id: Ifd072000e0680a59d5be0f2f1ef2ce1cbabc1e4f
    Partial-Bug: 1887677
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 4b97414655f5126ce65acf9b15be635483955c74
Author: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Date:   Thu Jan 7 11:12:11 2021 -0300

Support trap_server_port configurable
    
    Add parameter for trap_server_port to make user can
    configure snmp trap server port number through
    user helm override.
    
    Story: 2008132
    Task: 41548
    Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
    Change-Id: Iac44d813447881591efd7b4a088185f2d59986be

commit 777d5d0de78c97fdc223e56662f7d3db6def2768
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Sat Oct 31 01:15:33 2020 +0800

Enable etcd with security setting.
    
    Update etcd puppet to support security settings.
    
    Partial-Bug: 1894870
    
    Change-Id: Ifb5bb2506a260186bf4e8caa487bbeaae04df80b
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit 6182d3f94990ea282004245e2d821eae5ac573ea
Author: Don Penney <don.penney@windriver.com>
Date:   Thu Dec 17 13:21:50 2020 -0500

Add auto-version for remaining stx/stx-puppet packages
    
    Update remaining StarlingX packages with hardcoded TIS_PATCH_VER to
    use PKG_GITREVCOUNT where possible, with offsets as needed to ensure
    the version is incremented above the hardcoded version.
    
    Change-Id: I110ef3a10c3164f8edb706b9257f33178b4a2517
    Story: 2008455
    Task: 41456
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit f8397fe71bae28a4126bbdf38da0731ba529b4c0
Author: Nicolas Alvarez <nicolas.alvarez@windriver.com>
Date:   Thu Nov 26 16:51:32 2020 -0300

Delete SNMP Host-Based entries.
    
    Delete entries related with SNMP Host-Based.
    
    Story: 2008132
    Task: 41323
    Signed-off-by: Nicolas Alvarez <nicolas.alvarez@windriver.com>
    Depends-On: https://review.opendev.org/766094
    
    Change-Id: I2c4a89fd7c4bac9895311787663a6d693600b090

commit b1997248da4bcb1d3ec0ce15d423eb42d2219a3e
Author: Daniel Safta <daniel.safta@windriver.com>
Date:   Mon Oct 5 10:33:36 2020 +0000

Add mds support in puppet for CephFS.
    
    Mds configuration needs to be present on every node that
    has a ceph monitor in order for CephFS to be available.
    
    Change-Id: Ic4270e401b2c3e5123aecfab21af1e874b733830
    Story: 2008162
    Task: 40908
    Signed-off-by: Daniel Safta <daniel.safta@windriver.com>

commit 6f881cc84e3d3c922423441304e7157effc505e7
Author: Andy Ning <andy.ning@windriver.com>
Date:   Thu Dec 3 09:41:08 2020 -0500

Skip platform ceph osds puppet manifest following DOR
    
    ceph::osd puppet manifest will fail during controller puppet
    manifests apply following DOR, because as both controllers are
    booting up, there is no ceph monitor cluster so puppet is unable
    to validate or invalidate the existing configuration.
    
    This change updated platform::ceph::controller class to skip
    platform ceph osds in the case of DOR.
    
    Change-Id: I0254ce28869bc87c5e939ea8984d175244ebb65f
    Partial-Bug: 1904739
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 8ba9e81db4e238c69edebdfec4738063aad7eb14
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Tue Dec 1 22:22:57 2020 -0500

Fix directory permissions for /var/log/rabbitmq
    
    Updated /var/log/rabbitmq directory permissions to 750 from 755
    to disallow world access to rabbitmq log files but at the same
    time to allow group access.
    The changes are made to comply as much as possible with
    openscap rules security requirements.
    Verified that installation is successful for AIO-SX
    and Standard 2+2 system configurations.
    
    Story: 2008037
    Task: 40694
    
    Change-Id: I1c0112575033c04983c56298e2131882911333de
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>

commit 3b7c55174aafffd8f35545ad8e20d928322de2f9
Author: Lu Yao Chen <luyao.chen@windriver.com>
Date:   Wed Nov 25 14:28:48 2020 -0500

Retain more puppet log files
    
    Increased max log directories to retain more
    debugging info from puppet.log.
    
    Was tested by looping system host-cpu-modify
    commands, /var/log/puppet caps at 50 log directories
    instead of 20.
    
    Closes-Bug: 1903994
    
    Signed-off-by: Lu Yao Chen <luyao.chen@windriver.com>
    Change-Id: Ia8458396867f988d5061d3aa49fa2a21ee6ebac2

commit 77d3382d2c63dba2e04cb92333a37b0370992cd5
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Mon Nov 23 18:22:12 2020 -0500

Fix permission of puppet saved logs tar file
    
    Changed the permissions of puppet saved logs tar file from
    644 to 600 to comply with openscap rules security requirements.
    Verified that installation is successful for AIO-SX
    and Standard 2+2 system configurations.
    
    Story: 2008037
    Task: 40694
    
    Change-Id: I1fe365e808a085999667e898788afacf61fd6612
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>

commit e5ff48c2ca6931eadff3566de33519a3496beeab
Author: Andy Ning <andy.ning@windriver.com>
Date:   Mon Nov 23 14:07:35 2020 -0500

Remove comments in keystone::upgrade class
    
    The TODO comments in keystone::upgrade class no longer applies.
    This update removed them.
    
    Change-Id: Id9f7b39c15db1f73428d4f23d93ef3e3b4ad50f5
    Partial-Bug: 1886064
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit c10b5897b9d972555228f6510803c48981050e5f
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Thu Nov 19 11:05:12 2020 -0500

Update dnsmasq config for slow DNS servers
    
    When a configured DNS server is taking a long time to respond to
    unknown domains or hosts, registry interactions like push, pull,
    and querying for images through system commands will fail due to
    hostname resolution for registry.local. This is because it attempt
    to resolve registry.local using the A record first, which times out
    since it is hitting the configured external DNS server. This
    prevents the process from looking up the AAAA record which would
    resolve to the dnsmasq CNAME record. This commit updates the dnsmasq
    config to prevent forwarding the local domain to upstream servers.
    
    Change-Id: Ic3cf6aae87f8f2d5c61a24db00a4cb814c20aac6
    Closes-Bug: 1904885
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit 3ca2387ddbb455a081689be72632b408988c5d39
Author: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Date:   Tue Nov 3 15:35:29 2020 -0300

Add variables for snmp in fm.conf
    
    Snmp trap client needs the following three variables
    to connect to snmp trap server.
    - trap_server_ip
    - trap_server_port
    - snmp_enabled
    Modify puppet to add these variables. trap_server_ip
    and trap_server_port are fixed. snmp_enabled takes
    True/False depends on snmp armada app is applied
    or not (True when applied).
    
    Change-Id: Ibedaf772153f49c6dfefe644044da07b5d32bb20
    Story: 2008132
    Task: 41207
    Depends-On: https://review.opendev.org/761213
    Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.