Reviewed: https://review.opendev.org/705852
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=e1f095eb112f76a133734a17f01afeb9828ebaf2
Submitter: Zuul
Branch: f/centos8
commit fc7b9b3d8d811fd50427b584dae5b7488947bb03
Author: Angie Wang <email address hidden>
Date: Tue Jan 28 13:57:52 2020 -0500
Fix the image download failure on IPv6 system
"crictl pull" failed to pull images on IPv6 system with
proxy setting since Containerd doesn't work with the
NO_PROXY environment variable that has IPv6 addresses
with square brackets. This commit updates to strip out
the square brackets from NO_PROXY environment variable.
Change-Id: I6bb5ad0379f576f66d77a90dfdca94f5e0f28f0c
Closes-Bug: 1859835
Signed-off-by: Angie Wang <email address hidden>
commit 950670ac1f0bfaa43e29eeb3ffda71a94de66520
Author: Jim Somerville <email address hidden>
Date: Mon Jan 27 17:09:52 2020 -0500
Security: Add nospectre_v1 to the security params
Most of the v1 mitigation is baked into the kernel and not
optional. The swapgs barriers are, however, optional.
They have a negative performance impact so we disable them
by using the nospectre_v1 kernel bootarg.
Partial-Bug: 1860193
Depends-On: https://review.opendev.org/#/c/704406
Change-Id: Iaa11ba3f430fc064ebda679cf290474d3be413da
Signed-off-by: Jim Somerville <email address hidden>
commit 83775d38804fb665af518127051b37a1daf31e36
Author: David Sullivan <email address hidden>
Date: Wed Jan 15 23:50:23 2020 -0500
Install secondary controller nodes with kubeadm join
Kubeadm init is no longer supported for installing secondary nodes in an
HA kubernetes cluster. kubeadm join with the --controller-plane option
should be used.
Change-Id: I21a30b9e871d05c59a19e33a9d278f0217682da6
Closes-Bug: 1846829
Depends-On: https://review.opendev.org/702797
Signed-off-by: David Sullivan <email address hidden>
commit c94fa4a0174b96e0716d39bbea7e6fbbbee415a9
Author: Shuicheng Lin <email address hidden>
Date: Thu Jan 23 02:45:31 2020 +0800
Fix duplex system controller-1 fail to boot after unlock
It is because controller-1 doesn't have the /opt/platform/config folder,
which causes a puppet failure due to using a non-existent file as source.
Restrict the code for worker node only, since controller node
already has ca cert in the ssl folder.
Test:
Pass simplex/duplex/multi node deployment with vm created.
Closes-Bug: 1860529
Change-Id: I808ee15e5c78ebead114219d0ec428fb45cc9128
Signed-off-by: Shuicheng Lin <email address hidden>
commit 27f167eb14a04bc67ecca59af3b617c115522101
Author: Angie Wang <email address hidden>
Date: Wed Jan 15 16:15:26 2020 -0500
Remove puppet-manifests code made obsolete by ansible
As a result of switch to Ansible, remove the obsolete erb
templates and remove the dependency of is_initial_config_primary
facter.
Change-Id: I4ca6525f01a37da971dc66a11ee99ea4e115e3ad
Partial-Bug: 1834218
Depends-On: https://review.opendev.org/#/c/703517/
Signed-off-by: Angie Wang <email address hidden>
commit 3bb532eb39fbfaf6c46d8be13c6111313dd3d581
Author: Robert Church <email address hidden>
Date: Thu Jan 16 02:43:29 2020 -0500
Provide a specific route runtime class
In an effort to optimize the time required to update interface routes,
restructure the platform::interfaces class to extract creating resources
for routes and addresses into separate classes. This allows the route
specific resources and dependencies to be called from a dedicated
runtime class.
Change-Id: Ieba501a6bd86164599eff97b9fe73d847740df68
Story: 2007101
Task: 38156
Signed-off-by: Robert Church <email address hidden>
commit 58bc99d89110a27d4e91393c7466904ecc8b1404
Author: Robert Church <email address hidden>
Date: Thu Jan 16 02:36:55 2020 -0500
Purge filebucket contents after every apply
Since filebucket doesn't have a built in cleanup mechanism, filebucket
entries will continually grow over time as puppet implements file
changes. Eventually, this will have space and inode impacts on the root
filesystem.
To avoid these issues on long running systems, remove the contents of
the filebucket directory after every apply.
Change-Id: I02519b9f61b0c1b95ceeca073448f42851ed9551
Story: 2007101
Task: 38155
Signed-off-by: Robert Church <email address hidden>
commit 1b5372b52cd58042e9623d6e9e076fc2d430f312
Author: Bart Wensley <email address hidden>
Date: Mon Jan 20 12:28:20 2020 -0600
Configure keystone http timeouts for dcmanager
The dcmanager currently has no http_connect_timeout set for
keystone connections. That can result in an attempt to contact
keystone (e.g. to get a token) taking several minutes to
timeout if the keystone api is not reachable (e.g. if a subcloud
is powered down).
Changing the http_connect_timeout to 10s and configuring
http_request_max_retries as 3 (that is also the default but
adding this to the puppet module allows for easy changes in the
future).
Change-Id: I6a62846e7f4e75e9b2f0705f59818243ea909e41
Partial-Bug: 1854894
Signed-off-by: Bart Wensley <email address hidden>
commit 7b2726ed1b235471172e1e2002a1c0981870f039
Author: Lin Shuicheng <email address hidden>
Date: Sun Jan 19 01:56:49 2020 +0000
Revert "Revert "Add Kata Container support in StarlingX""
This reverts commit 0f9dd0491b6847c069f77f5dac418a638bb25712.
Depends-On: https://review.opendev.org/703263
Change-Id: I81fe7f8502d14ba6e414fafddff6252f0eea8e5d
Signed-off-by: Shuicheng Lin <email address hidden>
commit 0f9dd0491b6847c069f77f5dac418a638bb25712
Author: Don Penney <email address hidden>
Date: Tue Jan 14 20:38:41 2020 +0000
Revert "Add Kata Container support in StarlingX"
This reverts commit 0dd7219a17f27bb35678bc2e3cf5961bedf59f07.
Reverting due to https://bugs.launchpad.net/starlingx/+bug/1859686
Change-Id: I6b7d3bcb392275a53bfe93c306e3b462b393f3a1
commit 130919c096d3699022f9994957253e11b861b834
Author: Tyler Smith <email address hidden>
Date: Thu Jan 9 15:12:22 2020 -0500
Removing service catalog insertion from dcorch proxy
requests going through the dcorch proxy were having the entire service
catalog tacked on during the authtoken filter stage, this was resulting
in the header size growing too large for sysinv to handle the forwarded
requests.
This commit sets keystone_authtoken/include_service_catalog to False in
the dcorch settings to prevent this.
Tested by installing a subcloud, bringing online and managing, as well
as doing sysinv queries to SystemController. I've tested with 200
subclouds in dcmanager without issue.
Change-Id: Ic47c062bd8b5376084d27a9378c131650d9ec2da
Closes-Bug: 1856740
Signed-off-by: Tyler Smith <email address hidden>
commit ab8a592a996d20dc5b0ec393f47a0012250aa260
Author: marvin <email address hidden>
Date: Thu Nov 21 18:27:16 2019 +0800
Monitor the datanetwork for non-OpenStack work node
Update the lmon to support datanetwork interface monitoring
and use collectd to control the alarm information. Now lmon
will obtain the list of interfaces from /etc/lmon/lmon.conf
which can be generated by puppet.
Change-Id: I45fd056bd71f2ff9b49b52b8143e43179f18e03c
Story: #2002948
Task: #37326
Depends-on: https://review.opendev.org/#/c/694927
Signed-off-by: marvin <email address hidden>
commit 99d07a29865b4099acce95d3c8ee5b00e05d495c
Author: Don Penney <email address hidden>
Date: Thu Jan 2 17:42:00 2020 -0500
Generate DNF repo config files from puppet
Update the patching manifest to generate the DNF repo config files.
Depends-On: https://review.opendev.org/700961
Change-Id: I9f21ae4bd20b7a1c861f9ac06e47cec579940438
Story: 2006227
Task: 37934
Signed-off-by: Don Penney <email address hidden>
commit 0dd7219a17f27bb35678bc2e3cf5961bedf59f07
Author: Shuicheng Lin <email address hidden>
Date: Fri Sep 27 23:33:31 2019 +0800
Add Kata Container support in StarlingX
1. add config for containerd
2. switch kubernetes to use containerd as CRI.
Story: 2006145
Task: 36835
Depends-On: https://review.opendev.org/685211
Change-Id: I4beab0725bd069ca5394049ad898a0899ce00d1b
Signed-off-by: Shuicheng Lin <email address hidden>
commit e86f8b90fd71c6c2df5613ac83dcb9a357f5a364
Author: Mingyuan Qi <email address hidden>
Date: Thu Oct 31 11:16:01 2019 +0800
Rotate k8s certificate automatically
By default, k8s cluster certificates generated by kubeadm have 1
year expiration. After certificates expired, k8s will not rotate
them automatically.
This commit checks the cert expiration date every day and rotates
them automatically if they expire within 90 days. After cert
renewal, all the k8s master component configurations will be updated.
An alarm will be sent to fm to notify the administrator to
reboot the controllers or renew the certs manually if the automatic
process fails.
Change-Id: I383120b8904857bcf09ad6ca999900ce8eda9b95
Closes-Bug: 1838659
Depends-On: https://review.opendev.org/#/c/696224/
Depends-On: https://review.opendev.org/#/c/698624/
Signed-off-by: Mingyuan Qi <email address hidden>
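
The daily expiry check described in the "Rotate k8s certificate automatically" commit message above can be expressed as follows. This is an added example, not code from the StarlingX commit; it covers only the decision of which certificates fall inside the 90-day window, and its exit status is what a scheduled job would use to trigger renewal or an alarm. The function names, the kubeadm default directory /etc/kubernetes/pki, and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example: flag kubeadm-issued certificates inside a renewal window.
# Assumptions (not from the commit): function names, the kubeadm default
# directory /etc/kubernetes/pki, GNU date for parsing openssl's notAfter.

WINDOW_DAYS=90   # renewal window stated in the commit message

# classify_expiry NOT_AFTER_EPOCH NOW_EPOCH [WINDOW_DAYS]
# Prints one of: expired | rotate | ok
classify_expiry() {
    not_after=$1; now=$2; window=${3:-$WINDOW_DAYS}
    remaining=$(( not_after - now ))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ "$remaining" -le $(( window * 86400 )) ]; then
        echo rotate
    else
        echo ok
    fi
}

# cert_not_after_epoch FILE: notAfter of a PEM certificate as Unix time.
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# scan_certs DIR [NOW_EPOCH]: prints one "state file" line per certificate.
# Returns 1 if any certificate is expired, due for rotation, or cannot be
# parsed, so an unreadable file is never silently treated as healthy.
scan_certs() {
    dir=$1; now=${2:-$(date +%s)}; rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue          # glob matched nothing
        if ! epoch=$(cert_not_after_epoch "$crt"); then
            echo "unreadable $crt"; rc=1; continue
        fi
        state=$(classify_expiry "$epoch" "$now")
        echo "$state $crt"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Typical daily invocation (path is the kubeadm default, an assumption here):
#   scan_certs /etc/kubernetes/pki || echo "renew certificates or raise alarm"
```
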