StarlingX

IPv6: All hosts remain offline after booting off the controller-0

Bug #1915050 reported by Ghada Khalil on 2021-02-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Critical	Yue Tao

Bug Description

Brief Description
-----------------
controller-1 and worker nodes remained offline after PXE from controller-0 install. This is seen on a multi-node system w/ IPv6

For some reason the hosts mgmt. address has incorrect CIDR

10: vlan133@ens801f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 90:e2:ba:b0:e9:f4 brd ff:ff:ff:ff:ff:ff inet6 fd01:1::4/128 scope global dynamic valid_lft 5526sec preferred_lft 5226sec inet6 fe80::92e2:baff:feb0:e9f4/64 scope link valid_lft forever preferred_lft forever

It should have been inet6 fd01:1::4/64.

Severity
--------
Critical

Steps to Reproduce
------------------
On a multi-node system w/ IPv6 config:
- Install controller-0
- Install/Configure the rest of the nodes

Expected Behavior
------------------
All nodes should install successfully and go to an online state

Actual Behavior
----------------
Controller-1 and worker nodes install, but remain in an offline state

Reproducibility
---------------
100% Reproducible on multi-node systems w/ IPv6 config

System Configuration
--------------------
multi-node systems w/ IPv6 config

Branch/Pull Time/Commit
-----------------------
stx master: Feb 1, 2021

Last Pass
---------
stx master: January 18, 2021
Note: There were build failures due to CENGN corruption from Jan 21 to Jan 28, hence the gap between the last pass and when the issue was discovered.

Timestamp/Logs
--------------
Issue is reproducible

Test Activity
-------------
Sanity

Workaround
----------
None

Tags:

CVE References

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-08:

Adding investigation by Don Penney:
The nodes are installing fine, and the kickstarts are generating initial network-scripts with BOOTPROTO=dhcp. On the initial boot of the node post-install, the interface configuration is then done via DHCP.

The DHCP package was recently upversioned, Jan 22, from 4.2.5-68 to 4.2.5-82:
https://review.opendev.org/c/starlingx/integ/+/771752
https://review.opendev.org/c/starlingx/tools/+/771744 (dependeny update)

Perhaps something in this update is resulting in the resulting DHCP address having /128

tags:	added: stx.5.0 stx.distro.other
Changed in starlingx:
importance:	Undecided → Critical
status:	New → Triaged

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-08:

stx.5.0 / critical - issue affects all IPv6 multi-node systems

The above update should be reverted and tested to see if that addresses the issue. Then the issue can be investigated further before re-introducing this version of dhcp.

Changed in starlingx:
assignee:	nobody → Yue Tao (wrytao)

Revision history for this message

Zhixiong Chi (zhixiongchi) wrote on 2021-02-09:

This issue should be introduced by the patch named "dhcp-dhclient_ipv6_prefix.patch", which is included the new version of dhcp for the CentOS srpm mirror(https://review.opendev.org/c/starlingx/integ/+/771752). This patch change the default value of the ipv6 prefixlen to 128 when using dhcp.
The previous value it 64.
Next step we will revert the patch dhcp-dhclient_ipv6_prefix.patch to keep the previous value.

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-10:

Review: https://review.opendev.org/c/starlingx/integ/+/774824

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-11:

For now, we agreed to completely back-out the dhcp package upversion to enable IPv6 multi-node configurations:
https://review.opendev.org/c/starlingx/integ/+/775056
https://review.opendev.org/c/starlingx/tools/+/775058

Changed in starlingx:
status:	Triaged → Won't Fix
status:	Won't Fix → In Progress

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-11:

Revert was merged.

Changed in starlingx:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-19: Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/tools/+/792229

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-28: Change abandoned on tools (f/centos8)

Change abandoned by "Chuck Short <email address hidden>" on branch: f/centos8
Review: https://review.opendev.org/c/starlingx/tools/+/792229
Reason: Updated merge coming

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-28: Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/tools/+/793627

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-31: Fix proposed to integ (f/centos8)

#10

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/integ/+/793754

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-04: Fix merged to tools (f/centos8)

#11

Download full text (30.4 KiB)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/793627
Committed: https://opendev.org/starlingx/tools/commit/d701c6f896dfe440566cc942e3dd71be1f19ae5d
Submitter: "Zuul (22348)"
Branch: f/centos8

commit 7b5f3a45e663866a3c0ca3ca86eb3c92bc7f0210
Author: Scott Little <email address hidden>
Date: Wed May 5 09:56:33 2021 -0400

fix bad flockflock url pt 2

    A stray '}' character found it's way into my prior update
    titled 'fix bad flockflock url' after testing. The result was
    the following error

sed: -e expression #1, char 15: unexpected `}'

This removes the unwanted '}', restoring the prior update
to its intended form.

    Closes-bug: 1926987
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: I48f4721ccaf121679916b01747243deedf5836cd

commit ac05493480f6df6f31d071d29380c1b4f35b70a9
Author: Scott Little <email address hidden>
Date: Tue May 4 12:42:36 2021 -0400

fix git-review within docker build environment

'tb create' fails to create a build environment since
upstream git-review was updated of Apr 26.

Fix is to install/update pbr ahead of git-review.

    Also, to reduce the likelyhood of this recurring, lock
    down specific versions of the pypi supplied tools we
    know to work.

    Closes-bug: 1927137
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: Ib9fe6fd33de4d637f254ac421cc0427ee6131b65

commit b96ebc83d859a4a7802a462504817ecec6182a7b
Author: Scott Little <email address hidden>
Date: Mon May 3 13:16:53 2021 -0400

fix bad flockflock url

download_mirror.sh fails due to a bad path containing
‘stx-tools/centos-mirror-tools/config/centos/flockflock’

    The path is constructed, and the trigger is when an EOL is missing
    from a centos_build_layer.cfg file, causing 'cat' to merge the last
    line of the offending file with the first line of the next file.

Switch 'cat' to 'grep', which will always ensure an EOL is present.
Along the way, we can filter out empty lines and comments.

    Closes-bug: 1926987
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: I2404b3415f0f3e2f395c2bcb7a527aa01a488f61

commit 4c3ee114bcbff710c2049626044dd1ddc756cbd9
Author: Joe Slater <email address hidden>
Date: Tue Apr 27 18:50:53 2021 -0400

screen: fix CVE-2021-26937 segfault

Advance to screen-4.1.0-0.27.20120314git3c2946.el7_9.x86_64.rpm.

    Closes-bug: 1926372
    Change-Id: I41834e7b1e16153b0632751f59f7ac9f503389da
    Signed-off-by: Joe Slater <email address hidden>

commit e31e0dda7a4c09143d41cd518ab97ea6112d7fb5
Author: Li Zhou <email address hidden>
Date: Tue Apr 13 04:53:50 2021 -0400

systemd: Upgrade to version 219-78.el7_9.3

Refer the lst entries to the new version.

    Partial-Bug: #1924691
    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I557eff6a47f341cc67de02fd59024b28bb6cac84

commit 26db2859dd3a5c060c337b886fd16c4d2d9f93af
Author: Scott Little <email address hidden>
Date: Mon Apr 12 11:21:31 2021 -0400

Replace basearch references in y...

Reviewed:  https://review.opendev.org/c/starlingx/tools/+/793627
Committed: https://opendev.org/starlingx/tools/commit/d701c6f896dfe440566cc942e3dd71be1f19ae5d
Submitter: "Zuul (22348)"
Branch:    f/centos8

commit 7b5f3a45e663866a3c0ca3ca86eb3c92bc7f0210
Author: Scott Little <scott.little@windriver.com>
Date:   Wed May 5 09:56:33 2021 -0400

fix bad flockflock url pt 2
    
    A stray '}' character found it's way into my prior update
    titled 'fix bad flockflock url' after testing. The result was
    the following error
    
    sed: -e expression #1, char 15: unexpected `}'
    
    This removes the unwanted '}', restoring the prior update
    to its intended form.
    
    Closes-bug: 1926987
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I48f4721ccaf121679916b01747243deedf5836cd

commit ac05493480f6df6f31d071d29380c1b4f35b70a9
Author: Scott Little <scott.little@windriver.com>
Date:   Tue May 4 12:42:36 2021 -0400

fix git-review within docker build environment
    
    'tb create' fails to create a build environment since
    upstream git-review was updated of Apr 26.
    
    Fix is to install/update pbr ahead of git-review.
    
    Also, to reduce the likelyhood of this recurring, lock
    down specific versions of the pypi supplied tools we
    know to work.
    
    Closes-bug: 1927137
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: Ib9fe6fd33de4d637f254ac421cc0427ee6131b65

commit b96ebc83d859a4a7802a462504817ecec6182a7b
Author: Scott Little <scott.little@windriver.com>
Date:   Mon May 3 13:16:53 2021 -0400

fix bad flockflock url
    
    download_mirror.sh fails due to a bad path containing
    ‘stx-tools/centos-mirror-tools/config/centos/flockflock’
    
    The path is constructed, and the trigger is when an EOL is missing
    from a centos_build_layer.cfg file, causing 'cat' to merge the last
    line of the offending file with the first line of the next file.
    
    Switch 'cat' to 'grep', which will always ensure an EOL is present.
    Along the way, we can filter out empty lines and comments.
    
    Closes-bug: 1926987
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I2404b3415f0f3e2f395c2bcb7a527aa01a488f61

commit 4c3ee114bcbff710c2049626044dd1ddc756cbd9
Author: Joe Slater <joe.slater@windriver.com>
Date:   Tue Apr 27 18:50:53 2021 -0400

screen: fix CVE-2021-26937 segfault
    
    Advance to screen-4.1.0-0.27.20120314git3c2946.el7_9.x86_64.rpm.
    
    Closes-bug: 1926372
    Change-Id: I41834e7b1e16153b0632751f59f7ac9f503389da
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit e31e0dda7a4c09143d41cd518ab97ea6112d7fb5
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Apr 13 04:53:50 2021 -0400

systemd: Upgrade to version 219-78.el7_9.3
    
    Refer the lst entries to the new version.
    
    Partial-Bug: #1924691
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I557eff6a47f341cc67de02fd59024b28bb6cac84

commit 26db2859dd3a5c060c337b886fd16c4d2d9f93af
Author: Scott Little <scott.little@windriver.com>
Date:   Mon Apr 12 11:21:31 2021 -0400

Replace basearch references in yum repos
    
    Some of our yum repos are using $basearch, rather than explicitly
    nameing x86_64, the only supported arch for StarlingX.  This means
    yum downloads may fail if the download host not x86_64, or if
    $basearch is left undefined.
    
    This update replaces '$basearch' with 'x86_64' within the openstack
    repo definitions, making it consistent with all other repo definitions.
    
    Closes-Bug: 1923458
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I071c674bf79d7a98f0cf2493b88fe54d2b9d6efa

commit 8d236c574317426c4180ac375faa3a709f2f2cc4
Author: Carmen Rata <carmen.rata@windriver.com>
Date:   Mon Apr 5 13:03:25 2021 -0400

Update openscap rpms version in StarlingX build
    
    In order to be up-to-date with openscap tools used to scan
    for security violations we need to update the openscap rpms
    from:
    openscap-scanner-1.2.17-2.el7.x86_64
    openscap-1.2.17-2.el7.x86_64
    to:
    openscap-1.2.17-13.el7_9.x86_64.rpm
    openscap-scanner-1.2.17-13.el7_9.x86_64.rpm
    
    Story: 2008668
    Task: 41956
    
    Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
    Change-Id: I043904a6a8a6e77ed6204e0015e33876ddf7a77a

commit 9507d97d2a15eed3602454bea0c8da3e94e3df85
Author: Scott Little <scott.little@windriver.com>
Date:   Wed Mar 10 09:58:54 2021 -0500

Parallel downloads
    
    Download_mirror.sh takes 15 hours to download all the rpms and
    tarballs required to build StarlingX into a fresh workspace.
    It should be much faster than that.
    
    Replace the current serial download algorithm with one that is
    parallel.  I'll cap it at 8 parallel downloads for now.  I'm
    a little worried about overwelming CENGN.  This is sufficient
    to drop download times from 15 to 3 hours for a fresh workspace,
    and 30 min to 5 min to refresh an existing workspace.
    
    Closes-Bug: 1918477
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I469b4fee3cb304fe2984aa697ce2dc6cec52e79e

commit eeef5c451d72b1ac557e1e149d4732d1bc040785
Author: Scott Little <scott.little@windriver.com>
Date:   Thu Mar 18 10:03:21 2021 -0400

Disable linuxsoft.cern.ch repos that are no longer responding
    
    failure: repodata/repomd.xml from
    Starlingx-linuxsoft.cern.ch_cern_centos_7.5_rt_Sources: [Errno 256] No
    more mirrors to try.
    http://linuxsoft.cern.ch/cern/centos/7.5/rt/Sources/repodata/repomd.xml:
    [Errno 14] curl#7 - "Failed to connect to 2001:1458:d00:1a::391: Network
    is unreachable"
    
    Closes-Bug: 1920024
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: Ia741b02fa10522309a30548b9879a471639db033

commit f1010717c7d09a4e55fceeface747f49fcb4f446
Author: Scott Little <scott.little@windriver.com>
Date:   Fri Mar 5 10:32:37 2021 -0500

fix for tb.sh dies on rmdir /var/lib/mock
    
    tb.sh create might fail to create the builder docker image.
    Yum install of the mock package failed, but yum did not report
    the failure because other packages in the instalation set succeeded.
    A subsequent command in the dockerfile fails when it tries to
    remove/relocate /var/lib/mock, but failes because it is not present.
    
    The yum error reporting was corrected in a recent update.
    But this does not address cached copies of old and broken
    yum install steps that pre-date the fix.
    
    The mock package is paricularly sensitive as it has cengn as
    the only source, where as other packages have multiple sources.
    
    One option is to force docker to not use the cache at all, which
    is slow.
    
    The second option is to change the docker file, placing the
    yum command to install mock under a seperate docker RUN command.
    The altered build instructions ensure that the docker cache
    with the broken install can't be used.  While we are at it,
    move the user/project customization steps as far down as possible
    to improve cache usage.
    
    This change implements both.
    
    Closes-Bug: 1917901
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I28041bb44af53384c00a750b7162c6c6808c4e2d

commit ec5110928c5013177dc593d1df293a01ac033a0f
Author: Joe Slater <joe.slater@windriver.com>
Date:   Tue Mar 9 13:08:35 2021 -0500

perl: fix CVE-2020-10878 - integer overflow
    
    Update to
    
    perl-5.16.3-299.el7_9.x86_64.rpm
    perl-devel-5.16.3-299.el7_9.x86_64.rpm
    perl-libs-5.16.3-299.el7_9.x86_64.rpm
    perl-macros-5.16.3-299.el7_9.x86_64.rpm
    perl-ExtUtils-Embed-1.30-299.el7_9.noarch.rpm
    perl-ExtUtils-Install-1.58-299.el7_9.noarch.rpm
    perl-Pod-Escapes-1.04-299.el7_9.noarch.rpm
    
    Closes-Bug: 1918154
    Change-Id: I28bb5dd732209153080c93b3098397338d8552c3
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit d968dcaec856a9dc9f8a65b1874ddeb78aad017d
Author: Scott Little <scott.little@windriver.com>
Date:   Fri Mar 5 09:20:36 2021 -0500

Add missing centos 7.9 rt source repo
    
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I81b9127900a45be8bc4b47e2aca5cb1aa02c3d20

commit 965746b9d4224b6a34c7a0ac3d026393abb57c4b
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Sun Jan 24 20:55:34 2021 -0500

bind: fix five CVE issues
    
    Upgrade to the below packages to fix the CVE issues:
     bind-libs-lite-9.11.4-26.P2.el7.x86_64.rpm
     bind-license-9.11.4-26.P2.el7.noarch.rpm
     bind-lite-devel-9.11.4-26.P2.el7.x86_64.rpm
     bind-utils-9.11.4-26.P2.el7.x86_64.rpm
     bind-libs-9.11.4-26.P2.el7.x86_64.rpm
     bind-export-libs-9.11.4-26.P2.el7.x86_64.rpm
     bind-export-devel-9.11.4-26.P2.el7.x86_64.rpm
    
    Meanwhile this patch need to be merged with the upgraded dhcp togother.
    
    CVE: CVE-2018-5741 CVE-2018-5742 CVE-2018-5743 CVE-2019-6477
         CVE-2020-8617
    
    Story: 2008532
    Task: 41642
    Change-Id: If3bbac8f7d992f6a1f8e2f4df88b563d58feeffc
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 5279d637150f8f8a1a8b4b64dc268f6549290b3f
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 03:28:14 2021 -0500

glibc: fix CVE-2016-10739
    
    Upgrade the below packages to:
     glibc-2.17-317.el7.x86_64.rpm
     glibc-devel-2.17-317.el7.x86_64.rpm
     glibc-static-2.17-317.el7.x86_64.rpm
     glibc-common-2.17-317.el7.x86_64.rpm
     glibc-headers-2.17-317.el7.x86_64.rpm
     nscd-2.17-317.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41663
    Change-Id: Ia589fdb5ae0208053b12eafd23ef8183664b92be
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 9c01064e16700bb253c1f1607bfb7c75b2571745
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Jan 26 07:46:07 2021 +0000

openssh: fix CVE-2018-15473 from repo list
    
    Update below packages to:
    openssh-7.4p1-21.el7.x86_64.rpm
    openssh-clients-7.4p1-21.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41668
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I6876364bd86e520ccf49d3de2ef342b162247d8f

commit 4665c2250dbb1691105a00482ed841f0237bbf94
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Jan 26 19:35:23 2021 -0800

python: fix CVE-2019-9636 CVE-2019-10160 CVE-2019-9948 CVE-2019-16056 in rpm list
    
    Python is upgraded to version 2.7.5-89 in srpm build to fix above CVEs.
    Update below packages for the updated depencies of python upgrading:
    python2-rpm-macros-3-34.el7.noarch.rpm
    python-rpm-macros-3-34.el7.noarch.rpm
    python-srpm-macros-3-34.el7.noarch.rpm
    
    Update below packages to below versions too in rpm list:
    python-2.7.5-89.el7.x86_64.rpm
    python-devel-2.7.5-89.el7.x86_64.rpm
    python-libs-2.7.5-89.el7.x86_64.rpm
    
    This commit need work together with the commit
    <python: fix CVE-2019-9636 CVE-2019-10160 CVE-2019-9948 CVE-2019-16056
    in srpm build> for repository starlingx/compile.
    
    Story: 2008532
    Task: 41665
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I280cbc0408b41008ec2e07f2453d20fd6226c54a

commit d427e90a1c33fb3355c08614d3661b4519f35654
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Feb 10 21:27:17 2021 -0500

Revert "Add the bind-export packages for dhcp CVE issue"
    
    This reverts commit 97c63675dab3957bcaff3718e8606ee13096f93e.
    
    Since we revert the dhcp new version in integ layer, so we also
    revert this dependence.
    
    Closes-Bug: #1915050
    Depends-On: https://review.opendev.org/c/starlingx/integ/+/775056
    
    Change-Id: Id7e9a42703cf1c14e04bbf1c1db931f4f05d7840
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 8be170ef575984b45d8822a89c0d645b6b4ec267
Author: Sanjay K Mukherjee <sanjay.k.mukherjee@intel.com>
Date:   Thu Jun 18 17:20:15 2020 -0400

cve_policy_filter.py supports CVSSV2 and CVSSV3 vulnerability report generation
    
    Added new files for CVSSv3 scan report generation
    
      Added new files:
           new file:   cve_policy_filter.py
           new file:   template_v3.txt
    
    Change-Id: I93978825f973435eb34a0c8e6b3d18e1ac580595
    Signed-off-by: Sanjay K Mukherjee <sanjay.k.mukherjee@intel.com>

commit ebc9f32d7de526b44234a56423dd6785243cc386
Author: Joe Slater <joe.slater@windriver.com>
Date:   Fri Feb 5 11:37:56 2021 -0500

nss: fix CVE-2019-17006 - crypto primitives missing length checks
    
    Update versions of nss, nss-utils, nss-tools, nss-sysinit,
    nss-softokn, nss-softokn-freebl, and nspr.
    
    All packages except the devel versions are on the default iso.
    
    The structure of all lst files was preserved.
    
    Closes-Bug: 1906471
    Change-Id: I98f1cf059cb1f91c1836f0f62807ba345668450f
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit 6f4738643d710e0031f3f916e4bcb7bb441a5db1
Author: Joe Slater <joe.slater@windriver.com>
Date:   Tue Jan 19 17:00:57 2021 -0500

libxslt: fix CVE-2019-11068 - bypass of protection mechanism
    
    Move to
    
    libxslt-1.1.28-6.el7.x86-64.rpm
    libxslt-devel-1.1.28-6.el7.x86-64.rpm  (unused for iso build)
    libxslt-python-1.1.28-6.el7.x86-64.rpm  (unused for iso build)
    
    Closes-Bug: 1906470
    Change-Id: Iac627c89d7dfb115c869bc9b8b52b0ece38ea796
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit 6ed078685c413b7199cd18bdde6cb8ad33fdb711
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Jan 25 07:49:54 2021 +0000

nspr/nss/nss-softokn/nss-util: CVE-2018-12404 and CVE-2019-11745
    
    Update below packages to:
    nspr-4.25.0-2.el7_9.x86_64.rpm
    nspr-devel-4.25.0-2.el7_9.x86_64.rpm
    nss-3.53.1-3.el7_9.x86_64.rpm
    nss-devel-3.53.1-3.el7_9.x86_64.rpm
    nss-softokn-3.53.1-6.el7_9.x86_64.rpm
    nss-softokn-devel-3.53.1-6.el7_9.x86_64.rpm
    nss-softokn-freebl-3.53.1-6.el7_9.x86_64.rpm
    nss-softokn-freebl-devel-3.53.1-6.el7_9.x86_64.rpm
    nss-sysinit-3.53.1-3.el7_9.x86_64.rpm
    nss-tools-3.53.1-3.el7_9.x86_64.rpm
    nss-util-3.53.1-1.el7_9.x86_64.rpm
    nss-util-devel-3.53.1-1.el7_9.x86_64.rpm
    
    Story: 2008532
    Task: 41680
    Task: 41700
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I0c17c36418f55db9dd7c9ed6567c74d828564bff
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 511859ef18129b3ac830c9f609f0324996e7c432
Author: Davlet Panech <davlet.panech@windriver.com>
Date:   Wed Jan 27 19:06:41 2021 -0500

Dockerfile: fail in "yum install" on missing packages
    
    By default "yum install" ignores packages that can't be downloaded and
    return 0 to the shell.
    
    In a Dockerfile such falsely successful commands are cached by
    "docker build", so that the next time we run "docker build" the
    "yum install" is not even attempted:
    
      # this "succeeds" and gets cached during the first "docker build",
      # even if the URL returns an error (eg DNS error or HTTP 404).
      # During a second "docker build" this bringis back the FS layer
      # from the cache and doesn't attempt to re-download the package
      # from that URL
      RUN yum install python3 http://some/url.rpm
      ...
    
    This patch avoids the problem in case CENGN mirror is down.
    
    Change-Id: I65f2185ce8a1832f3fc1be4135b0a49653654b5b
    Closes-Bug: 1912682
    Signed-off-by: Davlet Panech <davlet.panech@windriver.com>

commit 5440eb14768cee3658c5c4d10279eb7e8ef6c0b1
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Jan 25 07:25:13 2021 +0000

unzip: fix CVE-2018-18384 CVE-2019-13232
    
    Update below packages to:
    unzip-6.0-21.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41681
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Iccd6a16cd573d96254d785ae9d3b44b42fd1a95d

commit 40af436ba5876569403a04534bd243ac32d11eb0
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Jan 25 07:21:21 2021 +0000

openjpeg2: fix CVE-2020-6851 CVE-2020-8112
    
    Update below package to:
    openjpeg2-2.3.1-3.el7_7.x86_64.rpm
    
    Story: 2008532
    Task: 41678
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ic6a9211d72eb60e3377d036d5d796f9a4b0efd88

commit 7c08668f79e3c7003ad006bd0b0a42810cd19560
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Jan 25 07:19:09 2021 +0000

microcode_ctl: fix CVE-2020-0549
    
    Update below package to:
    microcode_ctl-2.1-73.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41679
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I0df78aea2d38f27359b3f464b01a27637f91093f

commit 5f65806a263d58d7b031e71313b63cf8defc6619
Author: Li Zhou <li.zhou@windriver.com>
Date:   Sun Jan 24 04:06:03 2021 +0000

procps-ng: fix CVE-2018-1122
    
    Update below package to:
    procps-ng-3.3.10-28.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41667
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ic77255b742b691be041f9958609ed7bc227d0d49

commit 1ccf94214e3e65437b3162d88e2d0554a6987efd
Author: Li Zhou <li.zhou@windriver.com>
Date:   Sun Jan 24 04:04:38 2021 +0000

polkit: fix CVE-2018-1116
    
    Update below packages to:
    polkit-0.112-26.el7.x86_64.rpm
    polkit-devel-0.112-26.el7.x86_64.rpm
    polkit-docs-0.112-26.el7.noarch.rpm
    
    Story: 2008532
    Task: 41666
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I8b85c4fb02d951c016379594a93cda932f0f2483

commit 9509a95f6562313030922e93ead36ea48521f99d
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 03:37:39 2021 -0500

httpd: fix CVE-2018-1312 CVE-2019-0220 CVE-2018-17199
    
    Upgrade the below packages to:
     httpd-2.4.6-95.el7.centos.x86_64.rpm
     httpd-tools-2.4.6-95.el7.centos.x86_64.rpm
    
    Story: 2008532
    Task: 41661
    Change-Id: I09c5d73e384eb757d5907eda1b0df374c44acdcf
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit bd8cf5a79290db8c6efaaaba592c57b694c121a7
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 03:34:19 2021 -0500

cups: fix CVE-2018-4700
    
    Upgrade the below packages to:
     cups-client-1.6.3-51.el7.x86_64.rpm
     cups-libs-1.6.3-51.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41662
    Change-Id: I8d9f8fd7571f7e400b8ef203bcdcf76bbde274e7
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 71eb4028ee7b33ce594325a7a37a81e417c250b4
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 02:15:30 2021 -0500

ipmitool: fix CVE-2020-5208
    
    Upgrade the below package to:
     ipmitool-1.8.18-9.el7_7.x86_64.rpm
    
    Story: 2008532
    Task: 41660
    Change-Id: I4679321578500bfe1df12a036721f5338b13b2d2
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 677ab7fa3304da29d6eda2c366d4581fb9acc272
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 02:08:45 2021 -0500

libtiff: fix CVE-2018-8905
    
    Upgrade the below packages to:
     libtiff-4.0.3-35.el7.x86_64.rpm
     libtiff-devel-4.0.3-35.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41659
    Change-Id: I44776633cb8031f1d506c7216b0973c85bdae979
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 359c43c08328021e6757230e7093d80e740ede37
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 02:05:24 2021 -0500

libsndfile: CVE-2018-13139
    
    Upgrade the below packages to:
     libsndfile-1.0.25-12.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41658
    Change-Id: I7ca91731beb7afe7d7515f12392173fdb041c14a
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 9fad2088fe8f5e884d0ebf07c3e234123bbd34d8
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 02:02:03 2021 -0500

libjpeg-turbo: fix CVE-2018-14498
    
    Upgrade the below packages to:
     libjpeg-turbo-1.2.90-8.el7.x86_64.rpm
     libjpeg-turbo-devel-1.2.90-8.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41657
    Change-Id: Ic2083117eaf7f2ace4ca2c87a2e2a1e0fe8d5725
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit c9b3e4af17581571177611aaee60c13a1309fb20
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 01:59:47 2021 -0500

libcgroup: fix CVE-2018-14348
    
    Upgrade the below packages to:
     libcgroup-0.41-21.el7.x86_64.rpm
     libcgroup-tools-0.41-21.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41656
    Change-Id: I2aa7a300f269755c885e20530d8bf843f45c0837
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit f7384e32ae7549fbcae669782bd896ed68cc8c66
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 22 00:49:11 2021 -0500

dbus: fix CVE-2020-12049
    
    Upgrade the below packages to:
     dbus-1.10.24-15.el7.x86_64.rpm
     dbus-devel-1.10.24-15.el7.x86_64.rpm
     dbus-libs-1.10.24-15.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41655
    Change-Id: Idda21afb1247e0fdbcb5bbdf3cf38d7ea63a9d2a
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit b53edee359157a9efbfc1e2b295e1b0b97628115
Author: Li Zhou <li.zhou@windriver.com>
Date:   Fri Jan 22 06:21:20 2021 +0000

sqlite: fix CVE-2019-13734
    
    Update below packages to:
    sqlite-3.7.17-8.el7_7.1.x86_64.rpm provided by mock
    sqlite-devel-3.7.17-8.el7_7.1.x86_64.rpm
    
    Story: 2008532
    Task: 41640
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ia76daf7f82b8e9130cb6a7ca81ddb1633f14f3d9

commit 8440bb5d34bd22fd8c29f05d34e8452bc6cc0ea9
Author: Li Zhou <li.zhou@windriver.com>
Date:   Fri Jan 22 06:18:28 2021 +0000

spice: fix CVE-2019-3813
    
    Update below packages to:
    spice-server-0.14.0-9.el7.x86_64.rpm
    spice-server-devel-0.14.0-9.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41641
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Iee263332b5886d915366b445e3bcb8044abbf24a

commit 7815964df2054b8de4ab04c47a0b15e537796f1e
Author: Li Zhou <li.zhou@windriver.com>
Date:   Fri Jan 22 03:32:18 2021 +0000

unbound: fix CVE-2020-10772 CVE-2020-12663
    
    Update below package to:
    unbound-libs-1.6.6-5.el7_8.x86_64.rpm
    
    Story: 2008532
    Task: 41622
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I51e8b2fe2e90009f1b508e2f8054c58ebe129578

commit ba7b1dea566181577e7c8d075135da7297684a47
Author: Li Zhou <li.zhou@windriver.com>
Date:   Fri Jan 22 02:37:28 2021 +0000

samba: fix CVE-2019-3880 CVE-2019-10218
    
    Update below packages to:
    samba-client-libs-4.10.16-5.el7.x86_64.rpm
    samba-common-4.10.16-5.el7.noarch.rpm
    samba-common-libs-4.10.16-5.el7.x86_64.rpm
    libwbclient-4.10.16-5.el7.x86_64.rpm
    
    Below packages are also updated for above packages' updated
    dependencies:
    libtdb-1.3.18-1.el7.x86_64.rpm
    libtevent-0.9.39-1.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41615
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ic4940f020e5ea063f1ca68787dbbb8e934fd5346

commit 2364efd18b8726eb95d637b4143e708abfecb968
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Thu Jan 21 05:10:12 2021 -0500

bash: fix CVE-2019-9924
    
    Upgrade to bash-4.2.46-34.el7.x86_64.rpm to fix CVE-2019-9924 issue.
    
    Story: 2008532
    Task: 41646
    Change-Id: Ie23a258aed42ce41b5c7629a5966cecff9bfb074
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 837e1dfe5590a97b6807c1811835fca5817dacd1
Author: Li Zhou <li.zhou@windriver.com>
Date:   Fri Jan 22 02:22:11 2021 +0000

vim: fix CVE-2019-12735
    
    Update below packages to:
    vim-common-7.4.629-7.el7.x86_64.rpm
    vim-enhanced-7.4.629-7.el7.x86_64.rpm
    vim-filesystem-7.4.629-7.el7.x86_64.rpm
    vim-minimal-7.4.629-7.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41621
    Change-Id: I0096997c93f94a93ca9e9c5cede094e147b5b010
    Signed-off-by: Li Zhou <li.zhou@windriver.com>

commit 6a786cda18dbeb17f1bc65e79f1e9503e79a00be
Author: Melissa Wang <melissa.wang@windriver.com>
Date:   Wed Jan 20 15:26:43 2021 -0500

Add cloud-init pack to lst file
    
    This update adds the cloud-init rpm to the lst file so that it can
    be added to the qcow2 in the automated build.
    
    Story ID: 2007858
    Task ID: 41654
    
    Change-Id: I5a081191dae5fa9b7b7c96d1223b029932bbfb55
    Signed-off-by: Melissa Wang <melissa.wang@windriver.com>

commit 97c63675dab3957bcaff3718e8606ee13096f93e
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Jan 20 21:24:18 2021 -0500

Add the bind-export packages for dhcp CVE issue
    
    Add the following two packages:
      bind-export-libs-9.11.4-26.P2.el7.x86_64.rpm
      bind-export-devel-9.11.4-26.P2.el7.x86_64.rpm
    
    Since when we fix the dhcp CVE issue in integ repo by upgrade the
    dhcp rpm package version, it will depend on the bind-export package.
    
    Story: 2008532
    Task: 41638
    Change-Id: If8485b64b110914885af40b8d65d26009102bf70
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 73e3304c3c6be6bace95ca03ca5337f44c12ec61
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Tue Jan 19 21:13:44 2021 -0500

avahi: fix CVE-2017-6519
    
    Update to avahi-0.6.31-20.el7.x86_64.rpm
    
    Story: 2008532
    Task: 41620
    Change-Id: I67661e2107b4cd969569da51160c618cd5586d41
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit bdaa704f78daf10b9b343d5423ff6a697a528313
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Fri Jan 15 05:49:33 2021 -0500

file: fix CVE-2018-10360
    
    Update to the following packages to 5.11-37:
    file-5.11-37.el7.x86_64.rpm
    file-libs-5.11-37.el7.x86_64.rpm
    file-devel-5.11-37.el7.x86_64.rpm
    
    Closes-Bug: 1912156
    Change-Id: I34c1d4dc27afafd8fefb92a6e156cf75713262b0
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 0c23f5ac98df20115b579a25063fad1429a850c4
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Jan 18 17:15:32 2021 +0800

tcpdump: fix CVE-2018-19519
    
    Update to tcpdump-4.9.2-4.el7_7.1.x86_64.rpm.
    
    Closes-Bug: 1912139
    
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I53b80f4daebe98dacbb288ee5828fd7b901d0aed

commit 3fdacd356ec55403face16b8c02786e1496d3a7d
Author: Chen, Haochuan Z <haochuan.z.chen@intel.com>
Date:   Fri Jan 8 10:03:05 2021 +0800

Add rpm for ceph performance tuning tool, fio and dstat
    
    Story: 2008497
    Task: 41555
    
    Change-Id: I6e0f9b61b6c6815b255f3d02bfc06c623c56532f
    Signed-off-by: Chen, Haochuan Z <haochuan.z.chen@intel.com>

commit 1d175ac9c9cfcdfebeadb9db532cd73a78342cd7
Author: Don Penney <don.penney@windriver.com>
Date:   Mon Jan 4 13:22:26 2021 -0500

Add python3 RPMs to compile layer
    
    The 'compile' layer build is failing due to missing python3 packages.
    These packages had been added to the distro and flock LST files
    previously, but not the compile layer.
    
    Closes-Bug: 1910130
    Signed-off-by: Don Penney <don.penney@windriver.com>
    Change-Id: I44d1225b5a6c9e8ddbbfa91f0980d7b1b21d425b

commit be49af95252f7fb5eb58232dcf80e8a3510e0bf2
Author: Scott Little <scott.little@windriver.com>
Date:   Thu Dec 17 16:14:49 2020 -0500

Add layer awareness to mirror-check.sh
    
    This tool was missed when layered builds were introduced.
    It looks for lst files under the wrong path. I've added
    a layer arguement and fixed the path.
    
    It also needs to ignore commented lines within lst files.
    
    I also add dnf support.  Cloned from pkg-manager-utils.sh
    since stx-tools is sometimes expected to stand on it's own.
    
    One gap that I'm not addressing in this update.  It only
    looks at the upstream repo, never at the cengn mirror.
    If a package has been dropped by upstream, it reports as
    missing.
    
    Closes-Bug: 1908751
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: Idf4c9010c195f2fe8f7d0432c41c94fab00aec2c

commit 1fd6f3f636ec7b0780815120f10e1beb545bc07f
Author: Scott Little <scott.little@windriver.com>
Date:   Tue Dec 15 14:17:34 2020 -0500

tidy stx/downloads directory
    
    $MY_REPO/stx/downloads contains links to tarballs and other files
    relevant to the build.  It is populated by populate_downloads.sh.
    On subsequent runs, new links might be added, but old links are
    not cleaned up.
    
    Adopt the convention used by generate-centos-repo.sh of moving
    the old content under a timestamp backup directory, leaving
    an empty directory to re-populate.
    
    Closes-bug: 1908297
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: Ib6c8b782db6c369cb00e8fe8c64be099d7a5d238

commit 1f3f3e08bc8fa33cf34541f408df4975c787367b
Author: Davlet Panech <davlet.panech@windriver.com>
Date:   Mon Dec 14 10:01:45 2020 -0500

Update CentOS vault URL to HTTPS
    
    CentOS vault HTTP url redirects to HTTPS, but yum displays misleading
    error messages when the secondary HTTPS request fails.
    Use HTTPS directly.
    
    Change-Id: I687c1de2378de11abb5ad981bc73b66d8c40ba2a
    Closes-Bug: 1908088
    Signed-off-by: Davlet Panech <davlet.panech@windriver.com>

commit c7f398e9ea89da5e016e8a17a284ce181f0b98e4
Author: Joe Slater <joe.slater@windriver.com>
Date:   Wed Nov 11 10:33:55 2020 -0500

curl: fix CVE-2019-5482 - heap overflow in tftp
    
    curl-7.29.0-59.el7
    libcurl-7.29.0-59.el7
    libcurl-devel-7.29.0-59.el7
    
    depends on
    
    libssh2-1.8.0-4.el7
    libssh2-devel-1.8.0-4.el7
    
    Closes-Bug: 190214
    Change-Id: I2755068e55dc8c70452894030404df3d936fa6a5
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit bbf8b0402a5b428105ac6c476dbd2b15c1a48ff8
Author: Scott Little <scott.little@windriver.com>
Date:   Fri Dec 4 16:08:25 2020 -0500

tb.sh: container stuck in - Removal In Progress
    
    Systemd is once preventing a clean exit of the build
    container.
    
    Mapping /run and /tmp to tmpfs helps on some systems.
    
    Partial-bug: 1907119
    Change-Id: I3fc54792d18b632fbd5cab678ce4fa348bc96873
    Signed-off-by: Scott Little <scott.little@windriver.com>

commit 451b9513e4d224d47e3d4d2d543e1bc834b78794
Author: Scott Little <scott.little@windriver.com>
Date:   Wed Dec 2 12:08:27 2020 -0500

Fix selection of release specific mock prototype
    
    Commit https://review.opendev.org/c/starlingx/root/+/762700
    was intended to include the code to select the release specific
    mock config prototype.
    
        e.g. mock.cfg.centos7.proto
    
    As delivered, it would always select the default.
    
        e.g. mock.cfg.proto
    
    Other improvements:
    - remove some trailing whitespace
    - improved cleanup of temorary directories
    
    Closes-Bug: 1906547
    Signed-off-by: Scott Little <scott.little@windriver.com>
    Change-Id: I3e988fb0e861efcf9cd16b8a46b74398dbb1db17

tags:

added: in-f-centos8

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-07: Fix merged to integ (f/centos8)

#12

Download full text (37.0 KiB)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/793754
Committed: https://opendev.org/starlingx/integ/commit/a13966754d4e19423874ca31bf1533f057380c52
Submitter: "Zuul (22348)"
Branch: f/centos8

commit b310077093fd567944c6a46b7d0adcabe1f2b4b9
Author: Mihnea Saracin <email address hidden>
Date: Sat May 22 18:19:54 2021 +0300

Fix resize of filesystems in puppet logical_volume

    After system reinstalls there is stale data on the disk
    and puppet fails when resizing, reporting some wrong filesystem
    types. In our case docker-lv was reported as drbd when
    it should have been xfs.

    This problem was solved in some cases e.g:
    when doing a live fs resize we wipe the last 10MB
    at the end of partition:
    https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L146

    Our issue happened here:
    https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L65
    Resize can happen at unlock when a bigger size is detected for the
    filesystem and the 'logical_volume' will resize it.
    To fix this we have to wipe the last 10MB of the partition after the
    'lvextend' cmd in the 'logical_volume' module.

Tested the following scenarios:

B&R on SX with default sizes of filesystems and cgts-vg.

B&R on SX with with docker-lv of size 50G, backup-lv also 50G and
cgts-vg with additional physical volumes:

    - name: cgts-vg
        physicalVolumes:
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 50
        type: partition
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 30
        type: partition
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-3.0
        type: disk

B&R on DX system with backup of size 70G and cgts-vg
with additional physical volumes:

    physicalVolumes:
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 50
        type: partition
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 30
        type: partition
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-3.0
        type: disk

    Closes-Bug: 1926591
    Change-Id: I55ae6954d24ba32e40c2e5e276ec17015d9bba44
    Signed-off-by: Mihnea Saracin <email address hidden>

commit 3225570530458956fd642fa06b83360a7e4e2e61
Author: Mihnea Saracin <email address hidden>
Date: Thu May 20 14:33:58 2021 +0300

Execute once the ceph services script on AIO

    The MTC client manages ceph services via ceph.sh which
    is installed on all node types in
    /etc/service.d/{controller,worker,storage}/ceph.sh

    Since the AIO controllers have both controller and worker
    personalities, the MTC client will execute the ceph script
    twice (/etc/service.d/worker/ceph.sh,
    /etc/service.d/controller/ceph.sh).
    This behavior will generate some issues.

We fix this by exiting the ceph script if it is the one from
/etc/services.d/worker on AIO systems.

Closes-Bug: 1928934
Change-Id: I3e4dc313cc3764f870b8f6c640a60338...

Reviewed:  https://review.opendev.org/c/starlingx/integ/+/793754
Committed: https://opendev.org/starlingx/integ/commit/a13966754d4e19423874ca31bf1533f057380c52
Submitter: "Zuul (22348)"
Branch:    f/centos8

commit b310077093fd567944c6a46b7d0adcabe1f2b4b9
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Sat May 22 18:19:54 2021 +0300

Fix resize of filesystems in puppet logical_volume
    
    After system reinstalls there is stale data on the disk
    and puppet fails when resizing, reporting some wrong filesystem
    types. In our case docker-lv was reported as drbd when
    it should have been xfs.
    
    This problem was solved in some cases e.g:
    when doing a live fs resize we wipe the last 10MB
    at the end of partition:
    https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L146
    
    Our issue happened here:
    https://opendev.org/starlingx/stx-puppet/src/branch/master/puppet-manifests/src/modules/platform/manifests/filesystem.pp#L65
    Resize can happen at unlock when a bigger size is detected for the
    filesystem and the 'logical_volume' will resize it.
    To fix this we have to wipe the last 10MB of the partition after the
    'lvextend' cmd in the 'logical_volume' module.
    
    Tested the following scenarios:
    
    B&R on SX with default sizes of filesystems and cgts-vg.
    
    B&R on SX with with docker-lv of size 50G, backup-lv also 50G and
    cgts-vg with additional physical volumes:
    
    - name: cgts-vg
        physicalVolumes:
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 50
        type: partition
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 30
        type: partition
        - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-3.0
        type: disk
    
    B&R on DX system with backup of size 70G and cgts-vg
    with additional physical volumes:
    
    physicalVolumes:
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 50
        type: partition
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-1.0
        size: 30
        type: partition
    - path: /dev/disk/by-path/pci-0000:00:0d.0-ata-3.0
        type: disk
    
    Closes-Bug: 1926591
    Change-Id: I55ae6954d24ba32e40c2e5e276ec17015d9bba44
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit 3225570530458956fd642fa06b83360a7e4e2e61
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Thu May 20 14:33:58 2021 +0300

Execute once the ceph services script on AIO
    
    The MTC client manages ceph services via ceph.sh which
    is installed on all node types in
    /etc/service.d/{controller,worker,storage}/ceph.sh
    
    Since the AIO controllers have both controller and worker
    personalities, the MTC client will execute the ceph script
    twice (/etc/service.d/worker/ceph.sh,
    /etc/service.d/controller/ceph.sh).
    This behavior will generate some issues.
    
    We fix this by exiting the ceph script if it is the one from
    /etc/services.d/worker on AIO systems.
    
    Closes-Bug: 1928934
    Change-Id: I3e4dc313cc3764f870b8f6c640a6033822639926
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit b428a5de0070c6df82536b8b5b782810ebd9efda
Author: Cole Walker <cole.walker@windriver.com>
Date:   Wed May 19 16:57:54 2021 +0000

Revert "Remove recover operations to "restart-on-reboot" pods"
    
    This reverts commit 8abcbf6fb1951b25e9964933558b75b9aff88135.
    
    Reason for revert:
    
    After performing a backup and restore on an AIO-SX system, SRIOV pods do
    not return to a running state and are instead stuck in "container
    creating". The workaround for this is to restart SRIOV pods when the
    system unlocks.
    
    Reverting this commit to allow users to label SRIOV pods and have them
    restarted by k8s-pod-recovery. Labelled pods will be restarted by
    k8s-pod-recovery and will be running after backup and restore is
    completed.
    
    This change has been tested by performing backup and restore on an
    AIO-SX system. SRIOV pods now come up correctly when labelled with
    restart-on-reboot=true
    
    Closes-Bug: 1928965
    
    Signed-off-by: Cole Walker <cole.walker@windriver.com>
    Change-Id: I9c520c0a47aabca7b96e50adf0f71742f4199c2f

commit 4e1aa82e96d9b4caeff7e7b31632733c395c6ad0
Author: Robert Church <robert.church@windriver.com>
Date:   Sat May 15 16:24:29 2021 -0400

Update postgres liveness check to support IPv6 addresses
    
    Templating will add square brackets for IPv6 addresses which are
    interpreted as an array vs. a string. Quote this so that it interpreted
    correctly.
    
    Change-Id: I2b705015a74ea2e4e914b7a83cdceed37d49b766
    Related-Bug: #1917308
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit b3540ccfdfa6956fb20c62e5e5bb76af56d2ab63
Author: Robert Church <robert.church@windriver.com>
Date:   Wed May 12 22:36:23 2021 -0400

Update the liveness probe to verify postgres connectivity
    
    Change the tillerLivenessProbeTemplate to test the connectivity to the
    postgres backend. We will override the periodSeconds and
    failureThreshold when installing the helm chart to trigger a restart of
    the tiller pod over a swact when the postgres DB/server moves from one
    controller to the other.
    
    This will help guarantee that the tiller connection is always
    re-established if the connectivity to the postgres backend fails.
    
    Change-Id: I7fbed33a8c821f6c9254f58d5953e2115cf4141a
    Related-Bug: #1917308
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 03665ae745babb4524e2b9b9cc0f768eaf1e8781
Author: Angie Wang <angie.wang@windriver.com>
Date:   Mon May 10 18:54:07 2021 -0400

Add armada namespace in k8s pod recovery
    
    Update k8s pod recovery service to include armada namespace
    so armada pod that stuck in an unknown state after host
    lock/unlock or reboot could be recovered by the service.
    
    Change-Id: Iacd92637a9b4fcaf4c0076e922e1bd739f69a584
    Closes-Bug: 1928018
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 764cac1642a8820d169576da3d8d886449d3cf73
Author: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Date:   Tue May 11 17:04:01 2021 +0000

Armada: Fix tiller stuck connecting to postgres database
    
    Tiller may start executing before IPv6 network is fully initialized.
    This will result in tiller not being fully functional.
    The liveness probe will detect that tiller didn't start properly and
    restart it. But this might happen an unlimited number of times in a row.
    
    Wait until ping is succesful to the ip of the postgres database.
    This ensures that networking finished setting up.
    Credits to Cole Walker <cole.walker@windriver.com> for proposing the
    idea.
    
    Depends-On: I177bb628497611eb64472291a04d635856c26590
    Closes-Bug: 1928141
    Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
    Change-Id: I9c5be3f30fad2650e6aa53fb80ef44f7798813ed

commit 1974b3f570c0a21ec5e4cfe7d806c58a01a7dd0c
Author: Don Penney <don.penney@windriver.com>
Date:   Fri May 7 09:01:47 2021 -0400

Copy shim.efi to /pxeboot for UEFI pxeboot support
    
    Package a copy of the shim.efi file to /pxeboot to support UEFI secure
    boot. The recent grub2 update for CVE-2020-15705 requires the use of
    shim.efi in order to support kernel signature validation.
    
    Change-Id: If87925e1697b34d7ff1a7a770d9f13619dd9dd52
    Partial-Bug: 1927730
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit b1ac60470315153dc9bc03f7f0bb1bfb221f6c5d
Author: Davlet Panech <davlet.panech@windriver.com>
Date:   Wed May 5 10:42:56 2021 -0400

Pin clearlinux/golang to v1.15.10 in Dockerfiles
    
    Upstream Dockerfiles use clearlinux/golang:latest as the base, which is
    broken as of now. Solution: change it to last known working tag before
    building.
    
    Closes-Bug: 1927153
    Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
    Change-Id: Ic13973c0518eeab74ec86884036d08c2b8a4961f

commit 4850ab86da1cecca239d2ffa6dded4c0946e8a43
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Apr 13 04:34:32 2021 -0400

systemd: Upgrade to version 219-78.el7_9.3
    
    This fixes the issue of systemd sending tons of useless
    PropertiesChanged messages when a mount happens as described in:
    https://bugzilla.redhat.com/show_bug.cgi?id=1793527
    
    Depends-On: https://review.opendev.org/c/starlingx/tools/+/786601
    Partial-Bug: #1924691
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I3596303d77211a135e8559a05806395328725cde

commit 18010eb1d637c8ea3c9fdd9be5684f1b5ee8b23c
Author: Thiago Brito <thiago.brito@windriver.com>
Date:   Thu Mar 25 14:55:11 2021 -0400

Upversioning armada tarball to 7ef4b86
    
    A fix landed upstream to deal with armada waiting indefinitely for
    evicted pods, which intermittently fails stx-openstack
    application. This commit upversions the tarball version to the
    one containing that change.
    
    Removing patches 0002 and 0003 since the commits are already on
    the armada code at this version.
    
    Story: 2008645
    Task: 41906
    
    Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
    Change-Id: I62caf0a403a054c30b5bbfc1a3c5bc4cf73b60a6

commit ccfeeef59d39e42b2775bb5a216732c4999f6e42
Author: Li Zhou <li.zhou@windriver.com>
Date:   Mon Apr 12 02:15:25 2021 -0400

systemd: Prevent excessive /proc/1/mountinfo reparsing
    
    Backport the patches for this issue:
    https://bugzilla.redhat.com/show_bug.cgi?id=1819868
    
    We met such an issue:
    When testing a large number of pods (> 230), occasionally observed a
    number of issues related to systemd process:
        systemd ran continually 90-100% cpu usage
        systemd memory usage started increasing rapidly (20GB/hour)
        systemctl commands would always timeout (Failed to get properties:
            Connection timed out)
        sm services failed and can't recover: open-ldap,
            registry-token-server, docker-distribution, etcd
        new pods can't start, and got stuck in state ContainerCreating
    
    Those patches work to prevent excessive /proc/1/mountinfo reparsing.
    It has been verified that those patches can improve this performance
    greatly.
    
    16 commits are listed in sequence (from [1] to [16]) at below link
    for the issue:
    https://github.com/systemd-rhel/rhel-8/pull/154/commits
    
    [16](10)core: prevent excessive /proc/self/mountinfo parsing
    [15][Dropped-6]test: add ratelimiting test
    [14](9)sd-event: add ability to ratelimit event sources
    [13](8)sd-event: increase n_enabled_child_sources just once
    [12](7)sd-event: update state at the end in event_source_enable
    [11](6)sd-event: remove earliest_index/latest_index into common part of
    event source objects
    [10][Dropped-5]sd-event: follow coding style with naming return
    parameter
    [9] [Dropped-4]sd-event: ref event loop while in sd_event_prepare() ot
    sd_event_run()
    [8] (5)sd-event: refuse running default event loops in any other thread
    than the one they are default for
    [7] [Dropped-3]sd-event: let's suffix last_run/last_log with "_usec"
    [6] [Dropped-2]sd-event: fix delays assert brain-o (#17790)
    [5] (4)sd-event: split out code to add/remove timer event sources to
    earliest/latest prioq
    [4] (3)sd-event: split clock data allocation out of sd_event_add_time()
    [3] [Dropped-1]sd-event: mention that two debug logged events are
    ignored
    [2] (2)sd-event: split out enable and disable codepaths from
    sd_event_source_set_enabled()
    [1] (1)sd-event: split out helper functions for reshuffling prioqs
    
    I ported 10 of them back (from (1) to (10)) to fix this issue
    and dropped the other 6 (from [Dropped-1] to [Dropped-6]) for those
    reasons:
    [Dropped-1]Only changes error log.
    [Dropped-2]Fixes a bug introduced in a commit which doesn't exist in
    this version.
    [Dropped-3]Only changes vars' names and there is no functional change.
    [Dropped-4]More commits are needed for merging it, while I don't see
    any help on adding the rate-limiting ability.
    [Dropped-5]Change coding style for a function which isn't really used
    by anyone.
    [Dropped-6]Add test cases.
    
    Closes-Bug: #1924686
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ia4c8f162cb1a47b40d1b26cf4d604976b97e92d6

commit e62b1a53b9148738a7c36355b19607d6e6f3d0d7
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Tue Apr 20 17:32:45 2021 -0500

Unmount all targets during drbd stop
    
    When stopping drbd, we need to unmount targets from each device.
    Devices with multiple mountpoints can fail to unmount, leading to
    metadata corruption. Add --all-targets to the umount command.
    
    Closes-Bug: 1920245
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>
    Change-Id: Ic1b4583c72a0dd256724b8672dbb59126273330b

commit de263f633ea359507357d3d4c53e98a71bff5afc
Author: Cole Walker <cole.walker@windriver.com>
Date:   Tue Apr 13 16:47:24 2021 -0400

Add alternative command to disable lldp agent for i40e devices
    
    LLDP information is not available for certain i40e network devices when
    running system host-lldp-neighbor-show.
    
    This is caused by the firmware lldp agent on the devices not getting
    disabled by the i40e-lldp-configure.sh script which is invoked by lldpd.
    
    The command used to disable the firmware lldp agent in the script works
    for some firmware versions found on devices, but not others. This change
    adds an ethtool command to disable the lldp agent which works for these
    other firmware versions.
    
    From testing, the ethtool method is used for firmware versions 5.05 and
    8.10. The sysfs method is used for firmware version 7.10. In all cases,
    the driver version is 2.14.13
    
    Closes-Bug: 1923665
    
    Signed-off-by: Cole Walker <cole.walker@windriver.com>
    Change-Id: Ifac34091599bd4020bf55cc1b8ba3119edccb297

commit 3924cfe7ae390678ae4df9b544acf8b373440183
Author: Marcus Secato <marcus.viniciuscarvalhosecato@windriver.com>
Date:   Thu Apr 15 17:52:58 2021 -0400

Set proper user ID for armada-api container
    
    Since armada application moved to Kubernetes cluster, processes and
    commands are not executed with the 'armada' user in armada-api
    container. Previously when armada was a separated container user was
    enforced through 'docker exec'.
    
    Closes-Bug: 1924579
    
    Signed-off-by: Marcus Secato <marcus.viniciuscarvalhosecato@windriver.com>
    Change-Id: I5600974c0b9c3ade73a58dae300e8f3b18c6aefd

commit 8abcbf6fb1951b25e9964933558b75b9aff88135
Author: Bin Qian <bin.qian@windriver.com>
Date:   Thu Apr 8 12:58:44 2021 -0400

Remove recover operations to "restart-on-reboot" pods
    
    The pods being labeled as "restart-on-reboot" is to workaround
    kubernetes restart on worker manifest. As the AIO running a
    single manifest to start kubernetes only once, the operation
    is no longer needed.
    
    Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/785736
    Change-Id: I0d6c549199559b2bc19d8edff52f64ea0b08b50d
    Closes-Bug: 1918139
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit 859e8eb7309f6c26f1ebbc0898e87e82d56af97b
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Tue Apr 14 20:16:48 2020 -0400

add isolcpus device plugin for kubernetes
    
    In order to minimize latency as much as possible, we want to allow
    kubernetes containers to make use of CPUs which have been specified
    as "isolated" via the kernel boot args.
    
    This commit creates an isolcpus device plugin, which detects the isolated
    CPUs and exports them to kubelet via the device plugin API.
    
    See kubernetes/plugins/isolcpus-device-plugin/files/README.md for
    more information on the behaviour and design choices for this commit.
    
    When we move to a newer version of the Intel device plugin manager we
    may be able to simplify some of this.  See the above README.md file
    for details.
    
    Change-Id: I3bfe04ab6e7fbafefa63f6dc43cb2ed79a52579f
    Story: 2008760
    Task: 42165
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit 777b7d88630bae55bf130e240212a2abf288bbd3
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Mon Oct 26 17:30:00 2020 -0400

enable support for kubernetes to ignore isolcpus
    
    The normal mechanisms for allocating isolated CPUs do not allow
    a mix of isolated and exclusive CPUs in the same container.  In
    order to allow this in *very* limited cases where the pod spec
    is known in advance we will add the ability to disable the normal
    isolcpus behaviour.
    
    If the file "/etc/kubernetes/ignore_isolcpus" exists, then kubelet
    will basically forget everything it knows about isolcpus and just
    treat them like regular CPUs.
    
    The admin user can then rely on the fact that CPU allocation is
    deterministic to ensure that the isolcpus they configure end up being
    allocated to the correct pods.
    
    Story: 2008760
    Task: 42164
    Change-Id: Ie38c81209ee407ac98b4882f2581fc14622b3af1
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit 4150b7a6b61365525c6201ad04eb678c96a578d5
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Mon Aug 31 11:06:59 2020 -0400

kubeadm: create platform pods with zero CPU resources
    
    We want to specify zero CPU resources when creating the manifests
    for the static platform pods, as a workaround for the lack of
    separate resource tracking for platform resources.
    
    We also specify zero CPU resources for the coredns deployment.
    manifests.go appears to be the main file for this, not sure if the
    others are used by I changed them just in case.
    
    Story: 2008760
    Task: 42163
    Change-Id: I6410b8af556d5167d1813e7545fad8baa27b1100
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit 71876817aa2a0a0109d7dfe6bf34c1344b3d5f06
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Fri Apr 24 02:25:22 2020 -0400

fix exclusive CPU alloc being deleted at container restart
    
    The expectation is that exclusive CPU allocations happen at pod
    creation time. When a container restarts, it should not have its
    exclusive CPU allocations removed, and it should not need to
    re-allocate CPUs.
    
    There are a few places in the current code that look for containers
    that have exited and call CpuManager.RemoveContainer() to clean up
    the container.  This will end up deleting any exclusive CPU
    allocations for that container, and if the container restarts within
    the same pod it will end up using the default cpuset rather than
    what should be exclusive CPUs.
    
    Removing those calls and adding resource cleanup at allocation
    time should get rid of the problem.
    
    This should eventually go into upstream 1.18.1, at which point
    we can just revert this commit.
    
    Story: 2008760
    Task: 42160
    Change-Id: I61d3670805ef805e21b9c54daf0677d4c7e1bc74
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit b88df951face924d0c29fa76ee03424c4546afd2
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Fri Apr 24 02:18:00 2020 -0400

Add kubernetes support for isolated cpus
    
    This introduces the concept of "isolated CPUs", which are CPUs that
    have been isolated at the kernel level via the "isolcpus" kernel boot
    parameter.
    
    When starting the kubelet process, the set of reserved CPUs (including
    both platform and isolated CPUs) will be specified via
    '--reserved-cpus'.  The isolated CPUs will be identified by looking at
    "/sys/devices/system/cpu/isolated" and treated separately from the
    platform CPUs (which are used to run infrastructure pods).
    
    A plugin (outside the scope of this commit) exposes the isolated
    CPUs to kubelet via the device plugin API.
    
    If a pod specifies some number of "isolcpus" resources, the device manager
    will allocate them.  In this code we check whether such resources have
    been allocated, and if so we set the container cpuset to the isolated
    CPUs.  This does mean that it really only makes sense to specify "isolcpus"
    resources for best-effort or burstable pods, not for guaranteed ones since
    that would throw off the accounting code.  In order to ensure the accounting
    still works as designed, if "isolcpus" are specified for guaranteed pods,
    the affinity will be set to the non-isolated CPUs.
    
    Story: 2008760
    Task: 42161
    Change-Id: I7bd2eabb4c82faea63e3ad129ef735b9d1223e11
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit a436a17d711db209c2bc8802360b9f31df16c237
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Fri Apr 24 02:12:35 2020 -0400

kubelet cpumanager patches for low-latency
    
    In order to minimize latency as much as possible, kubernetes containers
    require isolation of platform CPUs, isolcpus CPUs, and shared CPUs. For
    Guaranteed pods, we also need to disable CFS quota throttling.
    
    Infrastructure pods are allowed to run on platform CPUs since they're
    basically doing platform work.  This frees up some resources on
    application CPUs for "normal" kubernetes containers.
    
    Story: 2008760
    Task: 42159
    Change-Id: I28c99565ed8081496f6d8be4aa68144a1d3578ed
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>

commit 9d60767e32ab937be2e7d1beaf86c8651dd2ac5a
Author: Li Zhou <li.zhou@windriver.com>
Date:   Wed Mar 31 23:32:19 2021 -0400

ntp: fix CVE-2020-13817
    
    Update ntp source package to:
    ntp-4.2.6p5-29.el7.centos.2.src.rpm
    In fact it is version ntp-4.2.6p5-29.el7_8.2.
    (Refer to https://git.centos.org/rpms/ntp/c/
    e9ba41e9edf8efad8f090aad24845b8f4db0668d?branch=c7)
    
    Story: 2008532
    Task: 41691
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: If5db6b15b9c01a20a614bb160bba575c6b578d3e

commit 7badc1dad154bd28a8d299d748854dad53606c82
Author: Babak Sarashki <babak.sarashki@windriver.com>
Date:   Wed Mar 3 12:15:52 2021 +0000

integ: add nvidia gpu-operator helm charts
    
    This commit adds nvidia gpu-operator helm charts use case for
    custom container runtime feature. To load nvidia-gpu-operator
    on starlingx:
    
    system service-parameter-add platform container_runtime \
    custom_container_runtime=\
    nvidia:/usr/local/nvidia/toolkit/nvidia-container-runtime
    
    And define  runtimeClass for nvidia gpu  pods:
    
    kind: RuntimeClass
    apiVersion: node.k8s.io/v1beta1
    metadata:
      name: nvidia
    handler: nvidia
    
    The above will direct all containerd creations of pods with nvidia
    runtimeClass to nvidia-container-runtime -- where the nvidia-conta
    iner-runtime is installed by the operator onto a hostMount.
    
    Story: 2008434
    Task: 41978
    
    Signed-off-by: Babak Sarashki <babak.sarashki@windriver.com>
    Change-Id: Ifea8cdf6eb89a159f446c53566279e72fcf0e45e

commit 9c8d4bbcfb0d2b84bfc17276f4afa906b8e97686
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Wed Jul 15 19:45:24 2020 -0400

fix net/http caching of broken persistent connections
    
    The net/http transport code is currently broken, it keeps broken
    persistent connections in the cache if a write error happens during
    h2 handshake.
    
    This is documented in the upstream bug at:
    https://github.com/golang/go/issues/40213
    
    The problem occurs because in the "go" compiler the http2 code is
    imported into http as a bundle, with an additional "http2" prefix
    applied.  This messes up the erringRoundTripper handling because
    the name doesn't match.
    
    The solution is to have the "go" compiler look for an interface
    instead, so we add a new dummy function that doesn't actually do
    anything and then the "go" compiler can check whether the specified
    RoundTripper implements the dummy function.
    
    Specifically for Kubernetes we need to update the http2 code in the
    "vendor" subdirectory.  A separate change is being made in the "go"
    compiler.
    
    Partial-Bug: 1887438
    Depends-On: https://review.opendev.org/c/starlingx/compile/+/780669
    Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
    Change-Id: I95dcbda879973524cd23b2a374537a675ce9435f

commit f161f7f18e6a12592f8e807b15576d6609d5946e
Author: Jim Gauld <James.Gauld@windriver.com>
Date:   Mon Mar 29 12:31:25 2021 +0000

Revert "integ: gpu-operator helm charts"
    
    This reverts commit 41bdf53f65684b54abaa3098a5fe3acf568cdf2a.
    
    Reason for revert: gpu operator patch is breaking stx-master build.
    
    e.g.,
    08:06:44 Failed to build packages:  gpu-operator-1.6.0-0.tis.1.src.rpm; problem with:
    Patch #2 (enablement-support-on-starlingx-cloud-platform.patch):
    . .
    Skipping patch.
    1 out of 1 hunk ignored -- saving rejects to file deployments/gpu-operator/templates/operator.yaml.rej
    patching file deployments/gpu-operator/values.yaml
    error: Bad exit status from /var/tmp/rpm-tmp.VQuqLh (%prep)
    
    Change-Id: Id7a05987586582c940d605874d1e0f813333f2c3

commit 41bdf53f65684b54abaa3098a5fe3acf568cdf2a
Author: Babak Sarashki <babak.sarashki@windriver.com>
Date:   Wed Mar 3 12:15:52 2021 +0000

integ: gpu-operator helm charts
    
    This commit adds nvidia gpu-operator helm charts use case for
    custom container runtime feature. To load nvidia-gpu-operator
    on starlingx:
    
    system service-parameter-add platform container_runtime \
    custom_container_runtime=\
    nvidia:/usr/local/nvidia/toolkit/nvidia-container-runtime
    
    And define  runtimeClass for nvidia gpu  pods:
    
    kind: RuntimeClass
    apiVersion: node.k8s.io/v1beta1
    metadata:
      name: nvidia
    handler: nvidia
    
    The above will direct all containerd creations of pods with nvidia
    runtimeClass to nvidia-container-runtime -- where the nvidia-conta
    iner-runtime is installed by the operator onto a hostMount.
    
    Story: 2008434
    Task: 41978
    
    Signed-off-by: Babak Sarashki <babak.sarashki@windriver.com>
    Change-Id: I999804d4697349bc0966d0a6e653d7bce15e18fc

commit 3832fabeff1493d424593ec502d261508d9e6e75
Author: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
Date:   Mon Mar 22 15:06:41 2021 -0400

Upgrade pf-bb-config to version 21.3
    
    Upgrade of pf-bb-config package to v21.3 is required by Intel in order
    to have better support to ACC100 (Mount Bryce) device.
    
    Story: 2008440
    Task: 42090
    Change-Id: I2af1ca9fc43ae78f41f30f4bde255afaacb56c46
    Signed-off-by: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>

commit 852ec5ed538f5091ee7e6aa604be68295c09d21b
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Thu Mar 4 17:36:54 2021 +0200

Add custom apps in the k8s-pod-recovery service
    
    At startup, there might be pods that are left in unknown states.
    The k8s-pod-recovery service takes care of
    recovering these unknown pods in specific namespaces.
    To fix this for custom apps that are not part of starlingx,
    we modify the service to look into the /etc/k8s-post-recovery.d
    directory for conf files. Any app that needs to be recovered by this
    service will have to create a conf file e.g the app-1 will create
    /etc/k8s-post-recovery.d/APP_1.conf which will contain the following:
    namespace=app-1-namespace
    
    Closes-Bug: 1917781
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>
    Change-Id: I8febdb685d506cff3c34946163612cafdab3e3a8

commit 6169cc5d81f809a1237ba341f7cb87d09fdd811e
Author: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
Date:   Thu Mar 11 09:12:49 2021 -0500

Handle labeled pods after stabilized
    
    Pods that are in a k8s deployment, daemonset, etc can be labeled as
    restart-on-reboot="true", which will automatically cause them to be
    restarted after the worker manifest has completed in an AIO system.
    It may happen, however, that k8s-pod-recovery service is started
    before the pods are scheduled and created at the node the script is
    running on, causing them to be not restarted. The proposed solution is
    to wait for stabilization of labeled pods before restarting them.
    
    Closes-Bug: 1900920
    Signed-off-by: Douglas Henrique Koerich <douglashenrique.koerich@windriver.com>
    Change-Id: I5c73bd838ab2be070bd40bea9e315dcf3852e47f

commit cb85cff32ba0afc48fbe16ab94dd36edc979fbb4
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Jan 20 21:41:20 2021 -0500

dhcp: fix CVE-2019-6470
    
    Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm
    
    Adjust the context of the patch to match to apply the new version.
    At the same time as the new version depends on the bind-export
    pacakges, so we also add the dependence package in tools repo.
     bind-export-libs-9.11.4-26.P2.el7.x86_64.rpm
     bind-export-devel-9.11.4-26.P2.el7.x86_64.rpm
    
    In addition, since the patch dhcp-dhclient_ipv6_prefix.patch set the
    default prefixlen to 128, which is usually the specifications call
    for host address and it doesn't include any on-link information.
    By contrast, 64 indicates that's subnet area, and this vaule is used
    frequently as usual. So we still use the previous value 64.
    As a result we don't need to modify the relevant place where every
    application code needed for the compatibility any more.
    
    Depends-On: https://review.opendev.org/c/starlingx/tools/+/772241
    
    Story: 2008532
    Task: 41638
    Change-Id: I0305711790d8e3fb1adfa69e1077468456b65d84
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 7d7fe3dc61864e38c6f183aa6ae7583844b44183
Author: Joe Slater <joe.slater@windriver.com>
Date:   Wed Feb 24 17:39:05 2021 -0500

sudo: fix CVE-2021-3156
    
    Advance to sudo-1.8.23-10.el7_9.1.src.rpm.
    
    Closes-Bug: 1916946
    Change-Id: Ibb90439c77d6f5b1badcadb37080ff9e330787d5
    Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit eccff3b0e661592084d9114a9a41816761e1f9b5
Author: Steven Webster <steven.webster@windriver.com>
Date:   Wed Feb 17 12:39:52 2021 -0500

Uprev SR-IOV CNI image
    
    This commit uprevs the SR-IOV CNI image to pick up a few bug
    fixes.  Specifically, this commit will allow rate-limiting
    configuration on a VF to be retained after the VF has been
    used by a pod (and pod subsequently deleted).
    
    Testing:
    
    NICs:
    Ethernet Controller X710 for 10GbE SFP+
    Mellanox MT27700 Family [ConnectX-4]
    
    Functional:
    Connectivity testing (kernel + DPDK)
    Devices allocated appropriately to pod
    Rate-limiting information retained after pod deletion
    
    Partial-Bug: #1915951
    
    Signed-off-by: Steven Webster <steven.webster@windriver.com>
    Change-Id: I32395c4805164401519cde8bc503f040c4187250

commit 8a33372bee65b517850245b55f771e3cd6bba0ff
Author: Babak Sarashki <zbsarashki@gmail.com>
Date:   Thu Feb 4 23:21:48 2021 +0000

Add: PF Baseband Device config application for ACC100
    
    This introduces PF BBDEV (baseband device) Configuration Application
    "pf_bb_config" and inih. PF BBDEV program accesses the configuration
    space and sets the various parameters through memory-mapped IO
    read/writes. This is needed for Intel ACC100 (Mt Bryce) configuration
    and QMGR related settings.
    
    PF BBDEV requires inih for parsing .INI configuration file. This
    commit adds the inih for static linkage with PF BBDEV.
    
    Story: 2008440
    Task: 41472
    Signed-off-by: Babak Sarashki <zbsarashki@gmail.com>
    Change-Id: Idaebcac5d0021d5c11c7ab27e13176139ba66c3b

commit 7b5b3aeabfdb47b51fce5f1591d82fd3ca5d9672
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Feb 10 21:00:04 2021 -0500

Revert "dhcp: fix CVE-2019-6470"
    
    This reverts commit 613fbf258f72042f912a1fde5608168b1068db36.
    
    Since this upversioned package updates the prefixlen to 128, and it
    will occur all hosts offline after booting off the controller-0.
    At the same time this issue will block the use of recent loads for
    both development and test activities. So we revert the patch firstly,
    and investigate deeply then send the new review and request of the
    upgraded patch with the appropriate offline fix.
    
    Closes-Bug: #1915050
    
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
    Change-Id: I02ecaa1bda463efb38d9c32a47f2221d0de7f99d

commit 29dd2fd42acf3e37e53715ca4755b8b089c743cb
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Jan 26 07:50:09 2021 +0000

openssh: fix CVE-2018-15473 from source build
    
    Upgrade to openssh-7.4p1-21 for fixing CVE.
    
    Story: 2008532
    Task: 41668
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: Ic3e10b3455587bba16585fe8e235c4c0655f1e3e

commit d053c675546e944d0a08fb6f8d2b831647f70663
Author: Li Zhou <li.zhou@windriver.com>
Date:   Tue Jan 26 07:21:41 2021 +0000

sudo: fix CVE-2019-18634
    
    Upgrade to sudo-1.8.23-10 for fixing CVE.
    
    Story: 2008532
    Task: 41689
    Signed-off-by: Li Zhou <li.zhou@windriver.com>
    Change-Id: I863e66ee887de40d75db7951f4ba408ad022c131

commit a0b2acecaac080345c1cd42c3ad7fc05d75ac96a
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Mon Jan 25 03:49:38 2021 -0500

grub2: fix CVE-2020-15707
    
    Avoid to the heap-based buffer overflow.
    
    Upgrade to the below package to fix the CVE issue:
     grub2-2.02-0.86.el7.centos.src.rpm
    
    At the same time adjust the context and drop
    0004-grub2-remove-32b-requirements.patch since it already had been
    included in the new version.
    
    Story: 2008532
    Task: 41664
    Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 613fbf258f72042f912a1fde5608168b1068db36
Author: Zhixiong Chi <zhixiong.chi@windriver.com>
Date:   Wed Jan 20 21:41:20 2021 -0500

dhcp: fix CVE-2019-6470
    
    Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm
    
    At the same time since the new version depends on the bind-export
    pacakge, so we also add the dependence package in tools repo.
    
    Depends-On: https://review.opendev.org/c/starlingx/tools/+/771744
    
    Story: 2008532
    Task: 41638
    Change-Id: Ic25b4404475a6f914e5a524db7d60d7e9dcffc85
    Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

commit 8ec4e97b34e49d2ad212bc16f7863fd83eff6f8e
Author: Don Penney <don.penney@windriver.com>
Date:   Thu Dec 17 13:26:44 2020 -0500

Add auto-version for remaining stx/integ packages
    
    Update remaining StarlingX packages with hardcoded TIS_PATCH_VER to
    use PKG_GITREVCOUNT where possible, with offsets as needed to ensure
    the version is incremented above the hardcoded version.
    
    Change-Id: I9b40cd7e41c0cd713b73741ac3c8cab41d358642
    Story: 2008455
    Task: 41461
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit 46d8d8fdf1ec75d74df6e2f20dff5f31732b9dc7
Author: Robert Church <robert.church@windriver.com>
Date:   Sat Dec 12 01:08:54 2020 -0500

Add conditions to when RBD devices are unmounted
    
    ceph-preshutdown.sh is called as a post operation when docker is
    stopped/restarted. Based on current service dependencies, when docker is
    restarted this will also trigger a restart of containerd.
    
    Puppet manifests will restart containerd and docker for various
    operations both on system boot and during runtime operations when their
    configuration has changed.
    
    This update adds conditions to ensure that the RBD devices are only
    unmounted when the system is shutting down. This avoids the RBD backed
    persistent volumes from being forcibly removed from running pods and
    being remounted read-only during these restart scenarios.
    
    Change-Id: I7adfddf135debcc8bcaa1f93866e1a276b554c88
    Closes-Bug: #1901449
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit d815cfe2f2003f4a64a5e0b5348b0e9daabb58df
Author: Nicolas Alvarez <nicolas.alvarez@windriver.com>
Date:   Thu Dec 3 17:42:31 2020 -0300

Uninstall SNMP RPM Host-Based from STX.
    
    Uninstall SNMP RPM Host-Based from starlingx/integ repo because it
    will be containerized.
    Also disable snmp from networking/lldpd/centos/lldpd.spec file.
    
    Story: 2008132
    Task: 41322
    Depends-On: https://review.opendev.org/761792
    Signed-off-by: Nicolas Alvarez <nicolas.alvarez@windriver.com>
    
    Change-Id: Ifda06a5eb3bd0ec9683823b643e6d9cc0e7c97e2

commit 39f6f92cc888b3893b4d4717fba1599056382997
Author: Angie Wang <angie.wang@windriver.com>
Date:   Mon Sep 28 11:24:12 2020 -0400

Armada: add configurations for helm sql storage backend
    
    Configmap is the default helmv2 storage backend to store
    release information but its 1MB resource limit prevents
    scaling up stx openstack workers, so we want to use sql
    as helm storage backend.
    
    Update armada chart to support sql storage backend
    configuration for helm/tiller.
    
    Upstream review: https://review.opendev.org/#/c/759899/
    
    Partial-Bug: 1887677
    Change-Id: Ifcb7f28e99413be5a0dbfddf684ca064866860f5
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

redhat-bugs #1793527
[CLOSED ERRATA] Edit
redhat-bugs #1819868 Edit
auto-github-golang-go #40213 Edit

Bug watches keep track of this bug in other bug trackers.