Bug #1859835 “IPv6: System install failed at docker image pull” : Bugs : StarlingX

Revision history for this message

Peng Peng (ppeng) wrote on 2020-01-15:

#1

Logs @
https://files.starlingx.kube.cengn.ca/launchpad/1859835

Revision history for this message

Angie Wang (angiewang) wrote on 2020-01-15:

#2

This is due to recent KATA container change.

Images are all pulled and pushed to the local registry successfully by docker, but the "crictl pull" command fails.

controller-0:~$ crictl pull --creds admin:Li69nux* registry.local:9001/k8s.gcr.io/coredns:1.6.2
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to pull and unpack image "registry.local:9001/k8s.gcr.io/coredns:1.6.2": failed to resolve reference "registry.local:9001/k8s.gcr.io/coredns:1.6.2": failed to authorize: failed to fetch oauth token: Post https://[face::1]:9002/token/: Forbidden

KATA container related commits were reverted in LP https://bugs.launchpad.net/starlingx/+bug/1859686, but the reverted changes were not in yesterday's load 2020-01-14_00-10-00.

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-01-15:

#3

The kata containers code was reverted by Don Penney on 2020-01-14. This issue is addressed in the Jan15 build.

https://review.opendev.org/702518
https://review.opendev.org/702519
https://review.opendev.org/702521
https://review.opendev.org/702522
https://review.opendev.org/702523
https://review.opendev.org/702524
https://review.opendev.org/702525
https://review.opendev.org/702526

tags:	added: stx.4.0
tags:	added: stx.config
Changed in starlingx:
importance:	Undecided → Critical
assignee:	nobody → Don Penney (dpenney)
status:	New → Fix Released

Revision history for this message

Peng Peng (ppeng) wrote on 2020-01-24:

#4

Issue reprodued on
Lab: WCP_78_79
Load: 2020-01-23_00-10-00

and
20200122T170940Z

new log attached
https://files.starlingx.kube.cengn.ca/launchpad/1859835

Changed in starlingx:
status:	Fix Released → Confirmed

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-01-24:

#5

The kata code was merged back as of 2020-01-21. It seems that the issue described here was re-introduced.

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-01-24:

#6

@Bruce, This is breaking general IPv6 deployments in master. With the Shanghai team on vacation, can you please find someone to revert the kata commits again?

Changed in starlingx:
assignee:	Don Penney (dpenney) → Bruce Jones (brucej)

Revision history for this message

Lin Shuicheng (shuicheng) wrote on 2020-01-25:

#7

I have IPv6 environment without proxy only. And it works well.
Could you share me the localhost.yml configuration with proxy? I could have a try in my environment.
It may be relate with the no_proxy list setting I guess.

Revision history for this message

Lin Shuicheng (shuicheng) wrote on 2020-01-25:

#8

Hi all,
The issue is due to containerd doesn't support IPv6 address with square bracket in NO_PROXY parameter.
With setting like below, both containerd and docker could access registry.local:9001 successfully.
And the only difference is, there is "[]" for IPv6 in docker, while containerd doesn't have it.

controller-0:/etc/systemd/system# cat containerd.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://child-prc.intel.com:913"
Environment="HTTPS_PROXY=http://child-prc.intel.com:913"
Environment="NO_PROXY=localhost,127.0.0.1,registry.local,fd04::1,fd01::1,fd01::2,fd00::2,fd00::3,registry.dcp-dev.intel.com"
controller-0:/etc/systemd/system# cat docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://child-prc.intel.com:913"
Environment="HTTPS_PROXY=http://child-prc.intel.com:913"
Environment="NO_PROXY=localhost,127.0.0.1,registry.local,[fd04::1],[fd01::1],[fd01::2],[fd00::2],[fd00::3],registry.dcp-dev.intel.com"

For ansible, the "[]" is added by "ipwrap" in below code:
https://opendev.org/starlingx/ansible-playbooks/src/branch/master/playbookconfig/src/playbooks/roles/bootstrap/validate-config/tasks/main.yml#L438

Puppet also need be updated to remove "[]" for containerd, while keep "[]" for docker.

Due to I am still with Chinese New Year holiday, and I am afraid I don't have much time to continue debug and fix it. Anyone could help own this issue is really appreciated. Otherwise, I will handle it after I am back to office at Feb 3.

Ghada Khalil (gkhalil) on 2020-01-27

tags:

added: stx.containers

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-01-27:

#9

Assigning to Angie Wang to help with this while Shuicheng is away

Changed in starlingx:
assignee:	Bruce Jones (brucej) → Angie Wang (angiewang)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-28: Fix proposed to ansible-playbooks (master)

#10

Fix proposed to branch: master
Review: https://review.opendev.org/704677

Changed in starlingx:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-28: Fix proposed to stx-puppet (master)

#11

Fix proposed to branch: master
Review: https://review.opendev.org/704679

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-29: Fix merged to ansible-playbooks (master)

#12

Reviewed: https://review.opendev.org/704677
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=393379bd7671aeec5e9852679a69bdc29577426a
Submitter: Zuul
Branch: master

commit 393379bd7671aeec5e9852679a69bdc29577426a
Author: Angie Wang <email address hidden>
Date: Tue Jan 28 14:01:10 2020 -0500

Fix the image download failure on IPv6 system

    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.

Verified on both IPv4 and IPv6 labs.

    Change-Id: I70bd00439b2cc39d2b25dd62746994a524be4998
    Partial-Bug: 1859835
    Signed-off-by: Angie Wang <email address hidden>

Changed in starlingx:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-29: Fix merged to stx-puppet (master)

#13

Reviewed: https://review.opendev.org/704679
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=fc7b9b3d8d811fd50427b584dae5b7488947bb03
Submitter: Zuul
Branch: master

commit fc7b9b3d8d811fd50427b584dae5b7488947bb03
Author: Angie Wang <email address hidden>
Date: Tue Jan 28 13:57:52 2020 -0500

Fix the image download failure on IPv6 system

    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.

    Change-Id: I6bb5ad0379f576f66d77a90dfdca94f5e0f28f0c
    Closes-Bug: 1859835
    Signed-off-by: Angie Wang <email address hidden>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-04: Fix proposed to ansible-playbooks (f/centos8)

#14

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/705831

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-04: Fix proposed to stx-puppet (f/centos8)

#15

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/705852

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-05: Fix merged to ansible-playbooks (f/centos8)

#16

Download full text (8.2 KiB)

Reviewed: https://review.opendev.org/705831
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=6670caf7ceda5fe0dc46f2f82033b68abf00ed5e
Submitter: Zuul
Branch: f/centos8

commit bf8d081a95a9b1776964960a6d9089b1449f2c58
Author: Angie Wang <email address hidden>
Date: Thu Jan 30 17:57:05 2020 -0500

Support k8s networking upgrade based on k8s version

    Update to support a set of k8s networking templates
    based on kubernetes release. The kubernetes version
    needs to be passed to the ansible playbook
    k8s-networking-upgrade.yml to determine which set
    of networking manifests should be applied for the
    current kubernetes.

    Story: 2006781
    Task: 37584
    Change-Id: I3a0b9f56608ddb1323b36f9ecedb8a5488c222c9
    Signed-off-by: Angie Wang <email address hidden>

commit 2b0cd43e5fa75628d8eff78be7045ba4fc82d980
Author: Jerry Sun <email address hidden>
Date: Thu Dec 19 13:22:50 2019 -0500

Add Dex parameters to ansible bootstrap

    Add oidc_groups_claim as a new parameters for ansible
    config. We now have 2 valid configs: the previous 3 parameters
    for a microsoft azure authentication deployment, and the previous
    3 in addition to oidc_groups_claim for a dex authentication
    deployment.

    Story: 2006711
    Task: 37850
    Change-Id: I265d2f7872eb31e2b295eeff6a3165543673497c
    Depends-On: https://review.opendev.org/702798
    Signed-off-by: Jerry Sun <email address hidden>

commit 92ca122652733805b62fc16940861ca4e83e2bb1
Author: David Sullivan <email address hidden>
Date: Wed Jan 22 21:33:19 2020 -0500

Install secondary controller nodes with kubeadm join

    Kubeadm init is no longer supported for installing secondary nodes in an
    HA kubernetes cluster. kubeadm join with the --controller-plane option
    should be used.

    Change-Id: I64aaf02b09053608c884149d73bc1a3f2b62d98a
    Partial-Bug: 1846829
    Depends-On: https://review.opendev.org/702797
    Signed-off-by: David Sullivan <email address hidden>

commit 393379bd7671aeec5e9852679a69bdc29577426a
Author: Angie Wang <email address hidden>
Date: Tue Jan 28 14:01:10 2020 -0500

Fix the image download failure on IPv6 system

    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.

Verified on both IPv4 and IPv6 labs.

    Change-Id: I70bd00439b2cc39d2b25dd62746994a524be4998
    Partial-Bug: 1859835
    Signed-off-by: Angie Wang <email address hidden>

commit 792ea357e2b6d2bd23b441aa1657e0dc46f7ef5d
Author: Jim Somerville <email address hidden>
Date: Mon Jan 27 16:08:48 2020 -0500

Security: Add nospectre_v1 to the default setting

    Most of the v1 mitigation is baked into the kernel and not
    optional. The swapgs barriers are, however, optional.
    They have a negative performance impact so we disable them
    by using the nospectre_v1 kernel bootarg.

C...

Reviewed:  https://review.opendev.org/705831
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=6670caf7ceda5fe0dc46f2f82033b68abf00ed5e
Submitter: Zuul
Branch:    f/centos8

commit bf8d081a95a9b1776964960a6d9089b1449f2c58
Author: Angie Wang <angie.wang@windriver.com>
Date:   Thu Jan 30 17:57:05 2020 -0500

Support k8s networking upgrade based on k8s version
    
    Update to support a set of k8s networking templates
    based on kubernetes release. The kubernetes version
    needs to be passed to the ansible playbook
    k8s-networking-upgrade.yml to determine which set
    of networking manifests should be applied for the
    current kubernetes.
    
    Story: 2006781
    Task: 37584
    Change-Id: I3a0b9f56608ddb1323b36f9ecedb8a5488c222c9
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 2b0cd43e5fa75628d8eff78be7045ba4fc82d980
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Thu Dec 19 13:22:50 2019 -0500

Add Dex parameters to ansible bootstrap
    
    Add oidc_groups_claim as a new parameters for ansible
    config. We now have 2 valid configs: the previous 3 parameters
    for a microsoft azure authentication deployment, and the previous
    3 in addition to oidc_groups_claim for a dex authentication
    deployment.
    
    Story: 2006711
    Task: 37850
    Change-Id: I265d2f7872eb31e2b295eeff6a3165543673497c
    Depends-On: https://review.opendev.org/702798
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit 92ca122652733805b62fc16940861ca4e83e2bb1
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Wed Jan 22 21:33:19 2020 -0500

Install secondary controller nodes with kubeadm join
    
    Kubeadm init is no longer supported for installing secondary nodes in an
    HA kubernetes cluster. kubeadm join with the --controller-plane option
    should be used.
    
    Change-Id: I64aaf02b09053608c884149d73bc1a3f2b62d98a
    Partial-Bug: 1846829
    Depends-On: https://review.opendev.org/702797
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit 393379bd7671aeec5e9852679a69bdc29577426a
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Jan 28 14:01:10 2020 -0500

Fix the image download failure on IPv6 system
    
    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.
    
    Verified on both IPv4 and IPv6 labs.
    
    Change-Id: I70bd00439b2cc39d2b25dd62746994a524be4998
    Partial-Bug: 1859835
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 792ea357e2b6d2bd23b441aa1657e0dc46f7ef5d
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Mon Jan 27 16:08:48 2020 -0500

Security: Add nospectre_v1 to the default setting
    
    Most of the v1 mitigation is baked into the kernel and not
    optional.  The swapgs barriers are, however, optional.
    They have a negative performance impact so we disable them
    by using the nospectre_v1 kernel bootarg.
    
    Change-Id: Idd806e76f3204c6bce7aae9dfdcd455566fdc795
    Partial-Bug: 1860193
    Depends-On: https://review.opendev.org/#/c/704406
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 342bdacdf98864d7a4265be564a30f818e96ea87
Author: Andy Ning <andy.ning@windriver.com>
Date:   Wed Jan 22 10:24:53 2020 -0500

Restart Barbican after region_name is updated
    
    Restart Barbican after its region_name (among other parameters) is
    updated during bootstrap service endpoints reconfiguration to make it
    consistent with keystone service catalog.
    
    Change-Id: Id48078a4d1a429b1e6adc8d8fbcec7eac0264965
    Closes-Bug: 1859726
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 2f1476decac8da988209b5ba59d7a4381a7ed581
Author: Tao Liu <tao.liu@windriver.com>
Date:   Wed Jan 15 22:16:50 2020 -0500

Add an install playbook
    
    This update adds an install playbook that leverages
    Redfish Virtual Media Controller(rvmc).
    
    The playbook creates the rvmc resource which installs
    a host via a Redfish supported Board Management Controller.
    The playbook then monitors the boot progress, changes the
    initial password once the host is installed/booted,
    and awaits the system to be ready for the bootstrapping.
    
    Story: 2006980
    Task: 37715
    
    Depends-On: https://review.opendev.org/#/c/702786/
    Change-Id: Ib8a52fc1fe582fd01400d66653a31d8c48ee7792
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit 3d6483194e843c9254d58698c0eed5f68bb748ee
Author: Angie Wang <angie.wang@windriver.com>
Date:   Fri Jan 17 15:07:39 2020 -0500

Remove the dependency of controllerconfig
    
    As controllerconfig is being cleaned up, remove the dependency
    of controllerconfig in Ansible playbook. This commit also copies
    over the registry cert template from puppet as it's only been
    used at bootstrap time.
    
    Change-Id: I820d968629a920dfe9846c5f855b048a6ae85e29
    Closes-Bug: 1834218
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit e03b1efbaf581ab49b88397a0c9f3802d64381a6
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Tue Jan 21 14:59:05 2020 +0200

B&R: Fix backup when openstack is not installed
    
    When the stx-openstack is not installed, a variable
    is left undefined in the ansible playbook, so we fix
    this by adding a default value for that variable.
    
    Change-Id: I3a2480456074022c0a1227bc19cea92f318afb1f
    Closes-Bug: #1860357
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit c9db3fa3d36dcdbaaef7f399804c3ad823a72d83
Author: Lin Shuicheng <shuicheng.lin@intel.com>
Date:   Sun Jan 19 01:58:34 2020 +0000

Revert "Revert "configure kubernetes to use containerd as CRI""
    
    This reverts commit ae1e45e00e0d684a18d1a7026e2e88f17a81295f.
    
    Depends-On: https://review.opendev.org/703263
    Change-Id: Id7defcd9aa0ef7cf23bb6b4e5b43ed60f1bb5c62
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

commit ae1e45e00e0d684a18d1a7026e2e88f17a81295f
Author: Don Penney <don.penney@windriver.com>
Date:   Tue Jan 14 20:38:27 2020 +0000

Revert "configure kubernetes to use containerd as CRI"
    
    This reverts commit c5c1699d9dcd7a997a8c4cc05df1d9189dbdac69.
    
    Reverting due to https://bugs.launchpad.net/starlingx/+bug/1859686
    
    Change-Id: I0b3b79ee1913e2386c874885a46ad141d358f69b

commit c5c1699d9dcd7a997a8c4cc05df1d9189dbdac69
Author: Shuicheng Lin <shuicheng.lin@intel.com>
Date:   Sat Sep 28 00:01:55 2019 +0800

configure kubernetes to use containerd as CRI
    
    config kubelet to use containerd as CRI.
    create config file config.toml for containerd.
    configure containerd to support insecure registries/proxy.
    Due to containerd doesn't support push image to registry, use
    docker to pull image and push to local registry, then use crictl
    to pull image from local registry for containerd.
    
    Story: 2006145
    Task: 36836
    Depends-On: https://review.opendev.org/685211
    Change-Id: I3d8c78bd0b860e0677559a497f27dee5e8028853
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

commit f8dc7a8faf225609ebbd7f0e72e4c412898aeaaa
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Wed Dec 11 15:10:18 2019 +0200

B&R: Add backup & restore for Helm overrides
    
    Right now, if the user wants to restore only the stx-openstack,
    the Helm overrides will be regenerated at every restore procedure,
    so the Helm overrides data in the sysinv database will always change.
    On the other hand, the stx-openstack database will be unchanged
    at every restore and it contains some of the initial
    overrides data (e.g credentials).
    The issue here is that the sysinv database will be inconsistent
    with the stx-openstack database.
    
    We can fix this by adding the B&R of the Helm overrides
    in the stx-openstack B&R. This will be done by
    creating a database dump file which will
    contain the Helm overrides data.
    
    Change-Id: I3323a8500ace5e25be57dd5bd4bff51df609e968
    Story: 2006770
    Task: 37781
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

tags:

added: in-f-centos8

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-05: Fix merged to stx-puppet (f/centos8)

#17

Download full text (9.5 KiB)

Reviewed: https://review.opendev.org/705852
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=e1f095eb112f76a133734a17f01afeb9828ebaf2
Submitter: Zuul
Branch: f/centos8

commit fc7b9b3d8d811fd50427b584dae5b7488947bb03
Author: Angie Wang <email address hidden>
Date: Tue Jan 28 13:57:52 2020 -0500

Fix the image download failure on IPv6 system

    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.

    Change-Id: I6bb5ad0379f576f66d77a90dfdca94f5e0f28f0c
    Closes-Bug: 1859835
    Signed-off-by: Angie Wang <email address hidden>

commit 950670ac1f0bfaa43e29eeb3ffda71a94de66520
Author: Jim Somerville <email address hidden>
Date: Mon Jan 27 17:09:52 2020 -0500

Security: Add nospectre_v1 to the security params

    Most of the v1 mitigation is baked into the kernel and not
    optional. The swapgs barriers are, however, optional.
    They have a negative performance impact so we disable them
    by using the nospectre_v1 kernel bootarg.

    Partial-Bug: 1860193
    Depends-On: https://review.opendev.org/#/c/704406
    Change-Id: Iaa11ba3f430fc064ebda679cf290474d3be413da
    Signed-off-by: Jim Somerville <email address hidden>

commit 83775d38804fb665af518127051b37a1daf31e36
Author: David Sullivan <email address hidden>
Date: Wed Jan 15 23:50:23 2020 -0500

Install secondary controller nodes with kubeadm join

    Kubeadm init is no longer supported for installing secondary nodes in an
    HA kubernetes cluster. kubeadm join with the --controller-plane option
    should be used.

    Change-Id: I21a30b9e871d05c59a19e33a9d278f0217682da6
    Closes-Bug: 1846829
    Depends-On: https://review.opendev.org/702797
    Signed-off-by: David Sullivan <email address hidden>

commit c94fa4a0174b96e0716d39bbea7e6fbbbee415a9
Author: Shuicheng Lin <email address hidden>
Date: Thu Jan 23 02:45:31 2020 +0800

Fix duplex system controller-1 fail to boot after unlock

    It is due to controller-1 doesn't have /opt/platform/config folder.
    And cause puppet failure due to using non-exist file as source.
    Restrict the code for worker node only, since controller node
    already has ca cert in the ssl folder.

Test:
Pass simplex/duplex/multi node deployment with vm created.

    Closes-Bug: 1860529
    Change-Id: I808ee15e5c78ebead114219d0ec428fb45cc9128
    Signed-off-by: Shuicheng Lin <email address hidden>

commit 27f167eb14a04bc67ecca59af3b617c115522101
Author: Angie Wang <email address hidden>
Date: Wed Jan 15 16:15:26 2020 -0500

Remove puppet-manifests code made obsolete by ansible

    As a result of switch to Ansible, remove the obsolete erb
    templates and remove the dependency of is_initial_config_primary
    facter.

    Change-Id: I4ca6525f01a37da971dc66a11ee99ea4e115e3ad
    Partial-Bug: 1834218
    Depends-On: https://review.opendev.org/#/c/703517/
...

Reviewed:  https://review.opendev.org/705852
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=e1f095eb112f76a133734a17f01afeb9828ebaf2
Submitter: Zuul
Branch:    f/centos8

commit fc7b9b3d8d811fd50427b584dae5b7488947bb03
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Jan 28 13:57:52 2020 -0500

Fix the image download failure on IPv6 system
    
    "crictl pull" failed to pull images on IPv6 system with
    proxy setting since Containerd doesn't work with the
    NO_PROXY environment variable that has IPv6 addresses
    with square brackets. This commit updates to strip out
    the square brackets from NO_PROXY environment variable.
    
    Change-Id: I6bb5ad0379f576f66d77a90dfdca94f5e0f28f0c
    Closes-Bug: 1859835
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 950670ac1f0bfaa43e29eeb3ffda71a94de66520
Author: Jim Somerville <Jim.Somerville@windriver.com>
Date:   Mon Jan 27 17:09:52 2020 -0500

Security: Add nospectre_v1 to the security params
    
    Most of the v1 mitigation is baked into the kernel and not
    optional.  The swapgs barriers are, however, optional.
    They have a negative performance impact so we disable them
    by using the nospectre_v1 kernel bootarg.
    
    Partial-Bug: 1860193
    Depends-On: https://review.opendev.org/#/c/704406
    Change-Id: Iaa11ba3f430fc064ebda679cf290474d3be413da
    Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

commit 83775d38804fb665af518127051b37a1daf31e36
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Wed Jan 15 23:50:23 2020 -0500

Install secondary controller nodes with kubeadm join
    
    Kubeadm init is no longer supported for installing secondary nodes in an
    HA kubernetes cluster. kubeadm join with the --controller-plane option
    should be used.
    
    Change-Id: I21a30b9e871d05c59a19e33a9d278f0217682da6
    Closes-Bug: 1846829
    Depends-On: https://review.opendev.org/702797
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit c94fa4a0174b96e0716d39bbea7e6fbbbee415a9
Author: Shuicheng Lin <shuicheng.lin@intel.com>
Date:   Thu Jan 23 02:45:31 2020 +0800

Fix duplex system controller-1 fail to boot after unlock
    
    It is due to controller-1 doesn't have /opt/platform/config folder.
    And cause puppet failure due to using non-exist file as source.
    Restrict the code for worker node only, since controller node
    already has ca cert in the ssl folder.
    
    Test:
    Pass simplex/duplex/multi node deployment with vm created.
    
    Closes-Bug: 1860529
    Change-Id: I808ee15e5c78ebead114219d0ec428fb45cc9128
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

commit 27f167eb14a04bc67ecca59af3b617c115522101
Author: Angie Wang <angie.wang@windriver.com>
Date:   Wed Jan 15 16:15:26 2020 -0500

Remove puppet-manifests code made obsolete by ansible
    
    As a result of switch to Ansible, remove the obsolete erb
    templates and remove the dependency of is_initial_config_primary
    facter.
    
    Change-Id: I4ca6525f01a37da971dc66a11ee99ea4e115e3ad
    Partial-Bug: 1834218
    Depends-On: https://review.opendev.org/#/c/703517/
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 3bb532eb39fbfaf6c46d8be13c6111313dd3d581
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Jan 16 02:43:29 2020 -0500

Provide a specific route runtime class
    
    In an effort to optimize the time required to update interface routes,
    restructure the platform::interfaces class to extract creating resources
    for routes and addresses into separate classes. This allows the route
    specific resources and dependencies to be called from a dedicated
    runtime class.
    
    Change-Id: Ieba501a6bd86164599eff97b9fe73d847740df68
    Story: 2007101
    Task: 38156
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 58bc99d89110a27d4e91393c7466904ecc8b1404
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Jan 16 02:36:55 2020 -0500

Purge filebucket contents after every apply
    
    Since filebucket doesn't have a built in cleanup mechanism, filebucket
    entries will continually grow over time as puppet implements file
    changes. Eventually, this will have space and inode impacts on the root
    filesystem.
    
    To avoid these issues on long running systems, remove the contents of
    the filebucket directory after every apply.
    
    Change-Id: I02519b9f61b0c1b95ceeca073448f42851ed9551
    Story: 2007101
    Task: 38155
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 1b5372b52cd58042e9623d6e9e076fc2d430f312
Author: Bart Wensley <barton.wensley@windriver.com>
Date:   Mon Jan 20 12:28:20 2020 -0600

Configure keystone http timeouts for dcmanager
    
    The dcmanager currently has no http_connect_timeout set for
    keystone connections. That can result in an attempt to contact
    keystone (e.g. to get a token) taking several minutes to
    timeout if the keystone api is not reachable (e.g. if a subcloud
    is powered down).
    
    Changing the http_connect_timeout to 10s and configuring
    http_request_max_retries as 3 (that is also the default but
    adding this to the puppet module allows for easy changes in the
    future).
    
    Change-Id: I6a62846e7f4e75e9b2f0705f59818243ea909e41
    Partial-Bug: 1854894
    Signed-off-by: Bart Wensley <barton.wensley@windriver.com>

commit 7b2726ed1b235471172e1e2002a1c0981870f039
Author: Lin Shuicheng <shuicheng.lin@intel.com>
Date:   Sun Jan 19 01:56:49 2020 +0000

Revert "Revert "Add Kata Container support in StarlingX""
    
    This reverts commit 0f9dd0491b6847c069f77f5dac418a638bb25712.
    
    Depends-On: https://review.opendev.org/703263
    Change-Id: I81fe7f8502d14ba6e414fafddff6252f0eea8e5d
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

commit 0f9dd0491b6847c069f77f5dac418a638bb25712
Author: Don Penney <don.penney@windriver.com>
Date:   Tue Jan 14 20:38:41 2020 +0000

Revert "Add Kata Container support in StarlingX"
    
    This reverts commit 0dd7219a17f27bb35678bc2e3cf5961bedf59f07.
    
    Reverting due to https://bugs.launchpad.net/starlingx/+bug/1859686
    
    Change-Id: I6b7d3bcb392275a53bfe93c306e3b462b393f3a1

commit 130919c096d3699022f9994957253e11b861b834
Author: Tyler Smith <tyler.smith@windriver.com>
Date:   Thu Jan 9 15:12:22 2020 -0500

Removing service catalog insertion from dcorch proxy
    
    requests going through the dcorch proxy were having the entire service
    catalog tacked on during the authtoken filter stage, this was resulting
    in the header size growing too large for sysinv to handle the forwarded
    requests.
    
    This commit sets keystone_authtoken/include_service_catalog to False in
    the dcorch settings to prevent this.
    
    Tested by installing a subcloud, bringing online and managing, as well
    as doing sysinv queries to SystemController.  I've tested with 200
    subclouds in dcmanager without issue.
    
    Change-Id: Ic47c062bd8b5376084d27a9378c131650d9ec2da
    Closes-Bug: 1856740
    Signed-off-by: Tyler Smith <tyler.smith@windriver.com>

commit ab8a592a996d20dc5b0ec393f47a0012250aa260
Author: marvin <weifei.yu@intel.com>
Date:   Thu Nov 21 18:27:16 2019 +0800

Monitor the datanetwork for non-OpenStack work node
    
    Update the lmon to support datanetwork interface monitoring
    and use collectd to control the alarm information. Now lmon
    will obtain the list of interfaces from /etc/lmon/lmon.conf
    which can be generated by puppet.
    
    Change-Id: I45fd056bd71f2ff9b49b52b8143e43179f18e03c
    Story: #2002948
    Task: #37326
    Depends-on: https://review.opendev.org/#/c/694927
    Signed-off-by: marvin <weifei.yu@intel.com>

commit 99d07a29865b4099acce95d3c8ee5b00e05d495c
Author: Don Penney <don.penney@windriver.com>
Date:   Thu Jan 2 17:42:00 2020 -0500

Generate DNF repo config files from puppet
    
    Update the patching manifest to generate the DNF repo config files.
    
    Depends-On: https://review.opendev.org/700961
    Change-Id: I9f21ae4bd20b7a1c861f9ac06e47cec579940438
    Story: 2006227
    Task: 37934
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit 0dd7219a17f27bb35678bc2e3cf5961bedf59f07
Author: Shuicheng Lin <shuicheng.lin@intel.com>
Date:   Fri Sep 27 23:33:31 2019 +0800

Add Kata Container support in StarlingX
    
    1. add config for containerd
    2. switch kubernetes to use containerd as CRI.
    
    Story: 2006145
    Task: 36835
    Depends-On: https://review.opendev.org/685211
    Change-Id: I4beab0725bd069ca5394049ad898a0899ce00d1b
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

commit e86f8b90fd71c6c2df5613ac83dcb9a357f5a364
Author: Mingyuan Qi <mingyuan.qi@intel.com>
Date:   Thu Oct 31 11:16:01 2019 +0800

Rotate k8s certificate automatically
    
    By default, k8s cluster certificates generated by kubeadm have 1
    year expiration. After certificates expired, k8s will not rotate
    them automatically.
    
    This commit checks the cert expiration date every day and rotates
    them automatically if they expires within 90 days. After cert
    renewed, all the k8s master component configurations will be updated.
    
    An alarm will be sent to fm to notify the administrator to
    reboot the controllers or renew the certs manually if the automatic
    process fails.
    
    Change-Id: I383120b8904857bcf09ad6ca999900ce8eda9b95
    Closes-Bug: 1838659
    Depends-On: https://review.opendev.org/#/c/696224/
    Depends-On: https://review.opendev.org/#/c/698624/
    Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>

StarlingX

IPv6: System install failed at docker image pull

Bug Description

Other bug subscribers

Remote bug watches