Here we rebase the patches, and fix the atrocious crime of "name of patch file
doesn't match what git format-patch generates". We also squash down the
meta patches which add the patches to the spec file as part of
good housekeeping.
commit 2718976ddc5c272a97cc60651fe5d63a9a037406
Author: Jim Somerville <email address hidden>
Date: Tue Oct 29 15:39:05 2019 -0400
i40e Driver Upgrade in support of N3000 on-board NICs
Uprev i40e to version 2.10.19.30
i40evf gets replaced by iavf version 3.7.61.20
The iavf driver supports both fortville and columbiaville,
so they decided to rename from i40evf to something more generic.
We get to drop the patch which polls for coming out of
reset as it was incorporated upstream.
The Intel FPGA Programmable Acceleration Card N3000 contains
dual Intel XL710 NICs and an FPGA for acceleration purposes.
This driver upgrade is required to support those NICs.
commit 8a3722089d821573ce6766e6fa40d78a0fdbaded
Author: Joseph Richard <email address hidden>
Date: Tue Oct 29 10:54:58 2019 -0400
Drop initscripts patch running ipv6 dhcp as daemon
This commit rebases initscripts patch set, dropping
run-dhclient-as-daemon-for-ipv6.patch
Currently, ifup-eth tries running ipv6 dhclient with the one-shot
option, and if that fails, then retries indefinitely in the background.
That has the side-effect of causing the ifup-post script to not be run
if the first dhclient attempt fails, which will prevent routes on that
interface from being created. This is especially problematic in the
case of a DOR, where the compute nodes may come up before dnsmasq is up
on the controller.
This is different from upstream centos, which will only try running
dhclient with the one-shot option for ipv6.
By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
runs as one-shot only, and if it fails, ifup-eth script exits without
getting an address, and then the node fails to come up and reboot.
While this may result in the compute node having an extra reboot in a DOR,
that is preferable to the compute coming up incorrectly and requiring a
lock/unlock to recover.
Closes-bug: 1844579
Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
Signed-off-by: Joseph Richard <email address hidden>
commit 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6
Author: Andy Ning <email address hidden>
Date: Tue Nov 5 00:12:26 2019 -0500
update Barbican admin secret's user/project IDs during bootstrap
In a DC system when subcloud is managed, keystone user/project IDs are
synced with Central Cloud, including admin user and project. But the
admin's secrets in Barbican still use the original user/project IDs,
causing docker registry access failure when platform-integ-apps is
reapplied.
This change added a patch to keystone puppet manifest, that updates
keystone admin user/project IDs to be the same as Central Cloud right
after keystone is bootstrapped during subcloud deployment. This way any
reference to admin user/project IDs after bootstrap will be using the
IDs same as Central Cloud, including the ones in Barbican. This will
solve the problem of retrieving central registry credential failure
when platform-integ-apps is reapplied.
Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
Closes-Bug: 1851247
Signed-off-by: Andy Ning <email address hidden>
Reviewed: https://review.opendev.org/698561
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=9035cd1be8aa3138691c6c99219030dfbe77ebaf
Submitter: Zuul
Branch: f/centos8
commit 4aa661ce5666220d6beb2a3a3fac987cba4feb74
Author: Martin, Chen <email address hidden>
Date: Thu Nov 21 10:28:13 2019 +0800
Build layering
Rebase tarball for i40e Driver
Rebase srpm for systemd 219-67.el7
Rebase srpm for sudo
Rebase srpm for ntp
Depends-On: https://review.opendev.org/#/c/695061/
Depends-On: https://review.opendev.org/#/c/695560/
Depends-On: https://review.opendev.org/#/c/695637/
Depends-On: https://review.opendev.org/#/c/695983/
Story: 2006166
Task: 37570
Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
Signed-off-by: Martin, Chen <email address hidden>
commit 5d854355d873702b78ff6aa8c6fddc025c45be2d
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 16:07:17 2019 -0500
Uprev ntp to version 4.2.6p5-29.el7
This solves:
ntp: Stack-based buffer overflow in ntpq and ntpdc allows
denial of service or code execution (CVE-2018-12327)
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
for more details.
Here we refresh the meta patches and correct the crime of
"name of patch file differs from git format-patch". We
also clean up the commit short logs.
Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
Closes-Bug: 1849197
Depends-On: https://review.opendev.org/#/c/695983
Signed-off-by: Jim Somerville <email address hidden>
commit 11fd5d9cd48a1539b9c7a4ebc8aaad69ed24ae5b
Author: Dan Voiculeasa <email address hidden>
Date: Thu Nov 21 15:01:36 2019 +0200
ceph-init-wrapper: Detect stuck peering OSDs and restart them
OSDs might become stuck peering.
Recover from such state.
Closes-bug: 1851287
Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
Signed-off-by: Dan Voiculeasa <email address hidden>
commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800
Update sudo srpm patch for CVE bug
To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
And we have to update some patches according to new srpm.
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html
CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
Closes-Bug: 1852825
Depends-On: https://review.opendev.org/#/c/695637/
Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
Signed-off-by: Robin Lu <email address hidden>
commit 0231aba5cdcb96b15106591acfff280159050366
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 15:54:15 2019 -0500
Uprev systemd to version 219-67.el7
This solves:
systemd: line splitting via fgets() allows for state injection
during daemon-reexec (CVE-2018-15686)
along with some other less critical issues. See the security
announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
for more details.
Here we rebase the patches, and fix the atrocious crime of "name of patch file
doesn't match what git format-patch generates". We also squash down the
meta patches which add the patches to the spec file as part of
good housekeeping.
Change-Id: I01a3fa329bbad541a063cb604d1756892139967f
Closes-Bug: 1849200
Depends-On: https://review.opendev.org/#/c/695560
Signed-off-by: Jim Somerville <email address hidden>
commit 2718976ddc5c272a97cc60651fe5d63a9a037406
Author: Jim Somerville <email address hidden>
Date: Tue Oct 29 15:39:05 2019 -0400
i40e Driver Upgrade in support of N3000 on-board NICs
Uprev i40e to version 2.10.19.30
i40evf gets replaced by iavf version 3.7.61.20
The iavf driver supports both fortville and columbiaville,
so they decided to rename from i40evf to something more generic.
We get to drop the patch which polls for coming out of
reset as it was incorporated upstream.
The Intel FPGA Programmable Acceleration Card N3000 contains
dual Intel XL710 NICs and an FPGA for acceleration purposes.
This driver upgrade is required to support those NICs.
Change-Id: Ifbec94bcc00a8cce9fe97bf0eb41556b8bd3e592
Story: 2006740
Task: 37542
Depends-On: https://review.opendev.org/#/c/695061
Signed-off-by: Jim Somerville <email address hidden>
commit 8a3722089d821573ce6766e6fa40d78a0fdbaded
Author: Joseph Richard <email address hidden>
Date: Tue Oct 29 10:54:58 2019 -0400
Drop initscripts patch running ipv6 dhcp as daemon
This commit rebases initscripts patch set, dropping
run-dhclient-as-daemon-for-ipv6.patch
Currently, ifup-eth tries running ipv6 dhclient with the one-shot
option, and if that fails, then retries indefinitely in the background.
That has the side-effect of causing the ifup-post script to not be run
if the first dhclient attempt fails, which will prevent routes on that
interface from being created. This is especially problematic in the
case of a DOR, where the compute nodes may come up before dnsmasq is up
on the controller.
This is different from upstream centos, which will only try running
dhclient with the one-shot option for ipv6.
By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
runs as one-shot only, and if it fails, ifup-eth script exits without
getting an address, and then the node fails to come up and reboot.
While this may result in the compute node having an extra reboot in a DOR,
that is preferable to the compute coming up incorrectly and requiring a
lock/unlock to recover.
Closes-bug: 1844579
Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
Signed-off-by: Joseph Richard <email address hidden>
commit 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6
Author: Andy Ning <email address hidden>
Date: Tue Nov 5 00:12:26 2019 -0500
update Barbican admin secret's user/project IDs during bootstrap
In a DC system when subcloud is managed, keystone user/project IDs are
synced with Central Cloud, including admin user and project. But the
admin's secrets in Barbican still use the original user/project IDs,
causing docker registry access failure when platform-integ-apps is
reapplied.
This change added a patch to keystone puppet manifest, that updates
keystone admin user/project IDs to be the same as Central Cloud right
after keystone is bootstrapped during subcloud deployment. This way any
reference to admin user/project IDs after bootstrap will be using the
IDs same as Central Cloud, including the ones in Barbican. This will
solve the problem of retrieving central registry credential failure
when platform-integ-apps is reapplied.
Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
Closes-Bug: 1851247
Signed-off-by: Andy Ning <email address hidden>