Bug #1860995 “Cannot install multiple trusted CA during bootstra...” : Bugs : StarlingX

Ghada Khalil (gkhalil) on 2020-01-27

tags:

added: stx.security

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-01-29:

#1

stx.4.0 / medium priority as there is a workaround for this issue

Changed in starlingx:
importance:	Undecided → Medium
status:	New → Triaged
tags:	added: stx.4.0
Changed in starlingx:
assignee:	nobody → David Sullivan (dsullivanwr)

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2020-02-06:

#2

Assigning to Andy Ning since this seems similar to https://bugs.launchpad.net/starlingx/+bug/1861438

Changed in starlingx:
assignee:	David Sullivan (dsullivanwr) → Andy (andy.wrs)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-18: Fix proposed to config (master)

#3

Fix proposed to branch: master
Review: https://review.opendev.org/708502

Changed in starlingx:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-05:

#4

Fix proposed to branch: master
Review: https://review.opendev.org/711538

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-05: Change abandoned on config (master)

#5

Change abandoned by Andy Ning (<email address hidden>) on branch: master
Review: https://review.opendev.org/708502
Reason: Replaced by:
https://review.opendev.org/#/c/711538/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-06: Fix proposed to ansible-playbooks (master)

#6

Fix proposed to branch: master
Review: https://review.opendev.org/711633

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-10: Fix proposed to distcloud (master)

#7

Fix proposed to branch: master
Review: https://review.opendev.org/712152

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-19: Fix merged to ansible-playbooks (master)

#8

Reviewed: https://review.opendev.org/711633
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=c03dc5f3fc7dd1a5646cfc5b83d6c6fc08241bc1
Submitter: Zuul
Branch: master

commit c03dc5f3fc7dd1a5646cfc5b83d6c6fc08241bc1
Author: Andy Ning <email address hidden>
Date: Thu Mar 5 16:57:29 2020 -0500

Create ssl_ca dir to support multiple CA certificate

    This update creates ssl_ca directory in the drbd shared fs during
    ansible bootstrap. The directory is used to store the CA certificates
    as individual files. CA certificate install and uninstall operations
    are manipulating these certificate files.

    Change-Id: Idfca7220320a5de1cc274e077fc7ce8d2778a76b
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-20: Fix merged to config (master)

#9

Reviewed: https://review.opendev.org/711538
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=c1c18871d72cdcd877b95f593bd119b47b3ddbb6
Submitter: Zuul
Branch: master

commit c1c18871d72cdcd877b95f593bd119b47b3ddbb6
Author: Andy Ning <email address hidden>
Date: Tue Feb 18 14:52:06 2020 -0500

Support multiple CA certificates installation

    This update enhanced sysinv certificate install API to be able to
    install multiple CA certs from a file. The returns from the API call
    indicates the certs actually installed in the call (ie, excluding these
    that are already in the system). This is neccessary especially for DC to
    support multiple CA certs synchronization.

    This update also added sysinv certficate uninstall API. The API is to
    be used to remove a particular CA certficate from the system, identified
    by its uuid. The API returns a json body with information about the
    certificate that has been removed. This is required by DC sysinv api
    proxy for certificate deletion synchronization, since DC tracks subcloud
    certificates resource by signature while the uninstall API request
    contains only uuid.

The uninstall API only supports ssl_ca certificate.

    cgtsclient and system CLI are also updated to align with the updated
    and new APIs. User can use "system certificate-install ..." to install
    one or multiple CA certificates, and "system certificate-uninstall ..."
    to remove a particular CA certificate from the system.

    When multiple CA certificates are installed in the system,
    "system certificate-list" will display each of the individual
    certificates.

    THe sysinv certificate configuration API reference is updated with the
    new uninstall API. Unit tests are added for CA certificate install and
    delete APIs.

    Change-Id: I7dba11e56792b7d198403c436c37f71d7b7193c9
    Depends-On: https://review.opendev.org/#/c/711633/
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Signed-off-by: Andy Ning <email address hidden>

Reviewed:  https://review.opendev.org/711538
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=c1c18871d72cdcd877b95f593bd119b47b3ddbb6
Submitter: Zuul
Branch:    master

commit c1c18871d72cdcd877b95f593bd119b47b3ddbb6
Author: Andy Ning <andy.ning@windriver.com>
Date:   Tue Feb 18 14:52:06 2020 -0500

Support multiple CA certificates installation
    
    This update enhanced sysinv certificate install API to be able to
    install multiple CA certs from a file. The returns from the API call
    indicates the certs actually installed in the call (ie, excluding these
    that are already in the system). This is neccessary especially for DC to
    support multiple CA certs synchronization.
    
    This update also added sysinv certficate uninstall API. The API is to
    be used to remove a particular CA certficate from the system, identified
    by its uuid. The API returns a json body with information about the
    certificate that has been removed. This is required by DC sysinv api
    proxy for certificate deletion synchronization, since DC tracks subcloud
    certificates resource by signature while the uninstall API request
    contains only uuid.
    
    The uninstall API only supports ssl_ca certificate.
    
    cgtsclient and system CLI are also updated to align with the updated
    and new APIs. User can use "system certificate-install ..." to install
    one or multiple CA certificates, and "system certificate-uninstall ..."
    to remove a particular CA certificate from the system.
    
    When multiple CA certificates are installed in the system,
    "system certificate-list" will display each of the individual
    certificates.
    
    THe sysinv certificate configuration API reference is updated with the
    new uninstall API. Unit tests are added for CA certificate install and
    delete APIs.
    
    Change-Id: I7dba11e56792b7d198403c436c37f71d7b7193c9
    Depends-On: https://review.opendev.org/#/c/711633/
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-20: Fix merged to distcloud (master)

#10

Reviewed: https://review.opendev.org/712152
Committed: https://git.openstack.org/cgit/starlingx/distcloud/commit/?id=1e588cbefa789bf8546da708470e271f01dcd593
Submitter: Zuul
Branch: master

commit 1e588cbefa789bf8546da708470e271f01dcd593
Author: Andy Ning <email address hidden>
Date: Wed Feb 26 16:04:33 2020 -0500

Support multiple CA certificates synchronization in DC

    This update enhanced dcorch and sysinv API proxy to support multiple CA
    certificates synchronization in DC system. The support utilizes the
    updated sysinv certificate install API and the new certificate
    uninstall API.

    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Depends-On: https://review.opendev.org/#/c/711538/
    Change-Id: I407314b913ae5a56bb714b39484aea3263a41d19
    Signed-off-by: Andy Ning <email address hidden>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix proposed to ansible-playbooks (f/centos8)

#11

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/716133

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix proposed to config (f/centos8)

#12

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/716137

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix proposed to distcloud (f/centos8)

#13

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/716140

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix merged to ansible-playbooks (f/centos8)

#14

Download full text (12.5 KiB)

Reviewed: https://review.opendev.org/716133
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=ddcb11f4b773f4b3190663defe3ba0f3ec4201c8
Submitter: Zuul
Branch: f/centos8

commit bf103f3c54eb45c26d52a43c35339d1d863a42de
Author: Mihnea Saracin <email address hidden>
Date: Fri Mar 27 18:19:02 2020 +0200

Fix B&R when the controller needs to be unlocked

    After running the restore playbook, all the applications
    should be in an uploaded state. But they are in an
    applied state instead, making the controller-0
    unable to unlock.

    Closes-Bug: 1869403
    Change-Id: I8bd9c51e250969cc334d52b78c616f9ad082afd8
    Signed-off-by: Mihnea Saracin <email address hidden>

commit 6e875971afeaf1378c2c8aeb845359459838ce30
Author: Stefan Dinescu <email address hidden>
Date: Sat Mar 21 16:57:57 2020 +0200

Fix Netapp port conflict

    By default, the Trident Netapp service opens port 8443 for
    HTTPS REST api usage. This conflicts with the port the
    Horizon dashboard uses on an HTTPS enabled setup (the port
    is also 8443).

    In order to fix this, we change the default port from 8443
    to 8678, but also make it configurable through ansible
    overrides.

    The Trident service also opens port 8001 for metrics usage.
    While that doesn't currently conflict with any other service
    on the system, I also made that configurable through
    ansible overrides, in case such a conflict appears in the
    future.

    Change-Id: I08db939acac6082f82b9e12e932d8289c7cecdeb
    Closes-bug: 1868382
    Signed-off-by: Stefan Dinescu <email address hidden>

commit 5a9ba6786e393f2cd93bfae8c3a8f09f0cf9eb26
Author: Robert Church <email address hidden>
Date: Thu Mar 19 19:08:17 2020 -0400

Upversion Multus to 3.4

Updates the Multus configuration to align with version 3.4

    Change-Id: Ifc236ccbbe4e559987d7ef522902f638062348ca
    Depends-On: https://review.opendev.org/#/c/714024/
    Story: 2006999
    Task: 39110
    Signed-off-by: Robert Church <email address hidden>

commit 6a261463f9ac0f81d9c7f054dd3cb10a51934d4a
Author: Robert Church <email address hidden>
Date: Wed Mar 18 22:01:03 2020 -0400

Upversion Calico from 3.6 to 3.12

    Updates the Calico configuration to align with version 3.12. This
    introduces support for a Flex Volume Driver which requires enabling the
    --volume-plugin-dir option for kubelet, the --flex-volume-plugin-dir
    option for kube-controller-manager, and pulling the pod2daemon-flexvol
    image used by calico-node pods.

    Change-Id: I74bc5c53ffcb16c8e3c06cebf20eac296b9ccc65
    Story: 2006999
    Task: 39109
    Depends-On: https://review.opendev.org/#/c/714023
    Signed-off-by: Robert Church <email address hidden>

commit b35387f8bc40714e9633e6191267284b8af8ccee
Author: Stefan Dinescu <email address hidden>
Date: Thu Mar 19 18:13:26 2020 +0200

Netapp: Fix handling of IPv6 addresses

    Using bash process subtitution to pass the file parameter
    to the "create backend" command doesn't work as the bash
    variable expansion...

Reviewed:  https://review.opendev.org/716133
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=ddcb11f4b773f4b3190663defe3ba0f3ec4201c8
Submitter: Zuul
Branch:    f/centos8

commit bf103f3c54eb45c26d52a43c35339d1d863a42de
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Fri Mar 27 18:19:02 2020 +0200

Fix B&R when the controller needs to be unlocked
    
    After running the restore playbook, all the applications
    should be in an uploaded state. But they are in an
    applied state instead, making the controller-0
    unable to unlock.
    
    Closes-Bug: 1869403
    Change-Id: I8bd9c51e250969cc334d52b78c616f9ad082afd8
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit 6e875971afeaf1378c2c8aeb845359459838ce30
Author: Stefan Dinescu <stefan.dinescu@windriver.com>
Date:   Sat Mar 21 16:57:57 2020 +0200

Fix Netapp port conflict
    
    By default, the Trident Netapp service opens port 8443 for
    HTTPS REST api usage. This conflicts with the port the
    Horizon dashboard uses on an HTTPS enabled setup (the port
    is also 8443).
    
    In order to fix this, we change the default port from 8443
    to 8678, but also make it configurable through ansible
    overrides.
    
    The Trident service also opens port 8001 for metrics usage.
    While that doesn't currently conflict with any other service
    on the system, I also made that configurable through
    ansible overrides, in case such a conflict appears in the
    future.
    
    Change-Id: I08db939acac6082f82b9e12e932d8289c7cecdeb
    Closes-bug: 1868382
    Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>

commit 5a9ba6786e393f2cd93bfae8c3a8f09f0cf9eb26
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Mar 19 19:08:17 2020 -0400

Upversion Multus to 3.4
    
    Updates the Multus configuration to align with version 3.4
    
    Change-Id: Ifc236ccbbe4e559987d7ef522902f638062348ca
    Depends-On: https://review.opendev.org/#/c/714024/
    Story: 2006999
    Task: 39110
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 6a261463f9ac0f81d9c7f054dd3cb10a51934d4a
Author: Robert Church <robert.church@windriver.com>
Date:   Wed Mar 18 22:01:03 2020 -0400

Upversion Calico from 3.6 to 3.12
    
    Updates the Calico configuration to align with version 3.12. This
    introduces support for a Flex Volume Driver which requires enabling the
    --volume-plugin-dir option for kubelet, the --flex-volume-plugin-dir
    option for kube-controller-manager, and pulling the pod2daemon-flexvol
    image used by calico-node pods.
    
    Change-Id: I74bc5c53ffcb16c8e3c06cebf20eac296b9ccc65
    Story: 2006999
    Task: 39109
    Depends-On: https://review.opendev.org/#/c/714023
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit b35387f8bc40714e9633e6191267284b8af8ccee
Author: Stefan Dinescu <stefan.dinescu@windriver.com>
Date:   Thu Mar 19 18:13:26 2020 +0200

Netapp: Fix handling of IPv6 addresses
    
    Using bash process subtitution to pass the file parameter
    to the "create backend" command doesn't work as the bash
    variable expansion breaks the IPv6 format, resulting in
    an invalid JSON file.
    
    In order to fix this, we create a temporary file where we
    store the desired information. This file is then cleaned
    (along with the whole staging folder) once the playbook
    finishes exection.
    
    Also improved handling of IPv6 by the install command by
    supporing extra parameters for the "tridentctl install"
    command. In order to force IPv6 compatibility, you need to
    add to the "trident_install_extra_params" variable the
    "--use-ipv6" option
    
    Change-Id: I5ecd98307d40cfdfe277d72acd7b095ff0b66aad
    Closes-bug: 1868103
    Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>

commit 8c6cf0e629cfb62ff654653e866e9a894b1bb806
Author: Stefan Dinescu <stefan.dinescu@windriver.com>
Date:   Wed Mar 4 14:12:57 2020 +0200

Add playbook for installing Trident Netapp backend
    
    Changes included:
    - add separate playbook for configuring the netapp storage
      backend for kubernetes
    - templates for trident are generated using the "tridentctl
      -n trident install --generate-custom-yaml"
    - change to the push-docker-images role to support being
      imported for the trident playbook
    - the YAML files generated from these templates are stored
      in /etc/kubernetes/trident/setup. This location can be
      customized using ansible overrides.
    - merged the "upgrade_k8s_networking=true" and
      "upgrade_kubernetes=true" variables into the
      "mode" variable.
    
    Changes made to the generated templates:
    - changed default REST api port from 8000 to 8677; this was
      done due to port 8000 already being used by armada in
      StarlingX. The port can be changed at any time through
      ansible overrides
    - allow configuration of any namespace for the pods to be
      launched in; the default is still "trident"
    - images pulled by the trident pods are pulled from the
      local registry. They are pre-pulled to the local registry
      by the push-docker-images role
    - add an imagePullSecret to the service account so images
      can be pulled from the local registry
    - add additional nodeSelector in order to restrict the
      main trident service to launching only on controller
      nodes
    
    Change-Id: I5ca9db9a17ba2cf8d1a000ab0b4e36656d8b290c
    Co-Authored-By: Stefan Dinescu <stefan.dinescu@windriver.com>
    Co-Authored-By: Ovidiu Poncea <ovidiu.poncea@windriver.com>
    Depends-On: https://review.opendev.org/#/c/711907/
    Story: 2007391
    Task: 38985
    Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>

commit 3441d046eaafcf20a463aaf4bd8c11172014f1e9
Author: Mihnea Saracin <Mihnea.Saracin@windriver.com>
Date:   Mon Mar 16 23:11:27 2020 +0200

Fix B&R when wipe_ceph_osds is set to true
    
    The helm charts are restored only when the ceph osds are not wiped,
    but they also need to be restored when the ceph osds are wiped.
    
    Closes-Bug: 1866704
    Change-Id: I7d9bf8cbfbf26a0edd44c6af6f0d98d95abfb682
    Signed-off-by: Mihnea Saracin <Mihnea.Saracin@windriver.com>

commit c03dc5f3fc7dd1a5646cfc5b83d6c6fc08241bc1
Author: Andy Ning <andy.ning@windriver.com>
Date:   Thu Mar 5 16:57:29 2020 -0500

Create ssl_ca dir to support multiple CA certificate
    
    This update creates ssl_ca directory in the drbd shared fs during
    ansible bootstrap. The directory is used to store the CA certificates
    as individual files. CA certificate install and uninstall operations
    are manipulating these certificate files.
    
    Change-Id: Idfca7220320a5de1cc274e077fc7ce8d2778a76b
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 208df05af590ab1cbdac16c94f65b29d4fac3e90
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Sun Mar 1 21:16:04 2020 -0500

Add OAM IP records to API server certSANs
    
    Add the OAM IP records to the apiserver_cert_sans. This will allow for
    remote access to the kubernetes API server.
    
    Change-Id: I344f59fa0b5a24633f1341e2c2fd54748d88c0af
    Closes-Bug: 1863798
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit fea7aa9c64f4a84216e241921d5b202a137c2c04
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Wed Mar 4 16:08:36 2020 -0500

Support post-bootstrap config of kube-apiserver parameters
    
    Save the openid connect parameters for kube-apiserver in system
    service parameters. This keeps them consistent if the user changes
    them after bootstrap
    
    Story: 2006711
    Task: 38944
    
    Depends-On: https://review.opendev.org/711337
    
    Change-Id: I1757afecb1ff222b16feee464fa486d5ac02f40d
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit 3a21623f6b7285ac9e822a8a9b23d5d0fd0f4e38
Author: hutianhao <hu.tianhao@99cloud.net>
Date:   Wed Feb 19 17:14:44 2020 +0800

Select another way to get device information
    
    If terminal language is Chinese(maybe other language will also have
    this problem), it can't get exact root disk size because the word
    "Disk" is not in English. So drdb config will fail after unlock.
    Select another way to get device information to avoid this problem.
    
    Closes-Bug: 1859951
    Change-Id: Ie144f7f302b73854c8407681a5dd0981797d4c5f
    Signed-off-by: hutianhao <hu.tianhao@99cloud.net>

commit 7e0f62e8480197d1518e890eb47ec7ac18986e46
Author: Ovidiu Poncea <ovidiu.poncea@windriver.com>
Date:   Thu Dec 19 11:15:45 2019 +0200

B&R: Add support for backing up and restoring StarlingX apps
    
    This works when ceph storage backend is kept intact (i.e. when
    restore is run with wipe_ceph_osds=false). To accomplish this the
    commit enhances platform B&R to include the etcd database. Ceph
    PVC are kept intact.
    
    Details:
     o Backup etcd db
     o Restore etcd db
     o Allow k8s to start with the restored db
     o Fix helm to start with the restored db
    
    Change-Id: I80f36dbedbd322bd3129aaa7740704f97da7750c
    Story: 2006770
    Task: 37780
    Signed-off-by: Ovidiu Poncea <ovidiu.poncea@windriver.com>

commit 37471539878e6861cec4983cd8d89ba154acd7f3
Author: Tao Liu <tao.liu@windriver.com>
Date:   Wed Feb 19 19:06:26 2020 -0500

Increase activeDeadlineSeconds in the rvmc template
    
    While investigating a remote install failure, it was observed
    that the rvmc job/pod was terminating after 10 mins prior
    to entering an error or complete state hence, the error
    logs were not captured.
    
    This update increases activeDeadlineSeconds from 600 seconds
    to 1200 seconds.
    
    Change-Id: Ibb9240c7153b7dbead20ffb0a7ac4fc606b64fcd
    Story: 2006980
    Task: 38465
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit f4baa947f7643d0d437e63c83725c4c9c24f27c8
Author: Don Penney <don.penney@windriver.com>
Date:   Wed Feb 12 14:48:15 2020 -0500

Replace image stable-latest tags with static versions
    
    In order to avoid compatiblity issues from using a moving
    stable-latest tag on referenced images, the playbooks are updated to
    use static version tags for those images built by CENGN.
    
    Change-Id: I336ec16ec6c8d7581f547efa77bd75f2c1b4726b
    Partial-Bug: 1854869
    Signed-off-by: Don Penney <don.penney@windriver.com>

commit e364e4b11ca9977a37e3b3d05924846b0fbe7e0d
Author: Stefan Dinescu <stefan.dinescu@windriver.com>
Date:   Fri Jan 31 17:37:23 2020 +0200

Remove default provisioning of ceph
    
    Ceph is no longer a default service, so we remove
    the provisioning from ansible.
    
    Ceph will be configured using the following command
        "system storage-backend-add ceph --confirmed"
    This configuration option will be available after
    running the ansible bootstrap.
    
    Change-Id: I8cac1ef3ab97a036f7e77289b8fb7807cf37ddd7
    Depends-On: https://review.opendev.org/705235
    Story: 2007064
    Task: 38590
    Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>

commit ee0b46522c106832004eed7e332fbe93f8de385b
Author: Andy Ning <andy.ning@windriver.com>
Date:   Tue Feb 4 15:18:01 2020 -0500

Enable kubernetes secret encryption at rest
    
    This update enabled kubernetes secret resource encryption during
    ansible play system deployment. It contains the following changes:
    
    - An extraArgs "encryption-provider-config:
      /etc/kubernetes/encryption-provider.yaml" is added to kubeadm.yaml
      by template. This argument will be fed into kube-apiserver static
      pod manifest so that kube-apiserver will be started with this
      encryption enabling flag.
    - A template file is added to generate the actual encryption provider
      configuration file. This generated file is hostPath mounted to
      kube-apiserver pod as kube-apiserver's encryption provider configuration.
    - The generated encryption provider configuration file is transfered to
      the second controller by the shared fs for kube-apiserver pod running
      on the second controller.
    
    Change-Id: If1c1e1887e024923e5d876bf589a5bfd312d5da9
    Story: 2007243
    Task: 38626
    Depends-On: https://review.opendev.org/#/c/705975
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 5471cd1ae5ed92af0d160e04ce0983dee85cf716
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Feb 5 08:27:51 2020 -0500

Adding job to upload commits to GitHub
    Add job to publish ansible-playbooks repo to GitHub
    
    Change-Id: Ica6f28f34882ec574bd91f6aa26933e0f1b4f6fa
    Story: 2007252
    Task: 38655
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

tags:

added: in-f-centos8

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix merged to config (f/centos8)

#15

Download full text (32.3 KiB)

Reviewed: https://review.opendev.org/716137
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=cb4cf4299c2ec10fb2eb03cdee3f6d78a6413089
Submitter: Zuul
Branch: f/centos8

commit 16477935845e1c27b4c9d31743e359b0aa94a948
Author: Steven Webster <email address hidden>
Date: Sat Mar 28 17:19:30 2020 -0400

Fix SR-IOV runtime manifest apply

    When an SR-IOV interface is configured, the platform's
    network runtime manifest is applied in order to apply the virtual
    function (VF) config and restart the interface. This results in
    sysinv being able to determine and populate the puppet hieradata
    with the virtual function PCI addresses.

    A side effect of the network manifest apply is that potentially
    all platform interfaces may be brought down/up if it is determined
    that their configuration has changed. This will likely be the case
    for a system which configures SR-IOV interfaces before initial
    unlock.

    A few issues have been encountered because of this, with some
    services not behaving well when the interface they are communicating
    over suddenly goes down.

    This commit makes the SR-IOV VF configuration much more targeted
    so that only the operation of setting the desired number of VFs
    is performed.

    Closes-Bug: #1868584
    Depends-On: https://review.opendev.org/715669
    Change-Id: Ie162380d3732eb1b6e9c553362fe68cbc313ae2b
    Signed-off-by: Steven Webster <email address hidden>

commit 45c9fe2d3571574b9e0503af108fe7c1567007db
Author: Zhipeng Liu <email address hidden>
Date: Thu Mar 26 01:58:34 2020 +0800

Add ipv6 support for novncproxy_base_url.

For ipv6 address, we need url with below format
[ip]:port

Partial-Bug: 1859641

Change-Id: I01a5cd92deb9e88c2d31bd1e16e5bce1e849fcc7
Signed-off-by: Zhipeng Liu <email address hidden>

commit d119336b3a3b24d924e000277a37ab0b5f93aae1
Author: Andy Ning <email address hidden>
Date: Mon Mar 23 16:26:21 2020 -0400

Fix timeout waiting for CA cert install during ansible replay

    During ansible bootstrap replay, the ssl_ca_complete_flag file is
    removed. It expects puppet platform::config::runtime manifest apply
    during system CA certificate install to re-generate it. So this commit
    updated conductor manager to run that puppet manifest even if the CA cert
    has already installed so that the ssl_ca_complete_flag file is created
    and makes ansible replay to continue.

    Change-Id: Ic9051fba9afe5d5a189e2be8c8c2960bdb0d20a4
    Closes-Bug: 1868585
    Signed-off-by: Andy Ning <email address hidden>

commit 24a533d800b2c57b84f1086593fe5f04f95fe906
Author: Zhipeng Liu <email address hidden>
Date: Fri Mar 20 23:10:31 2020 +0800

Fix rabbitmq could not bind port to ipv6 address issue

    When we use Armada to deploy openstack service for ipv6, rabbitmq
    pod could not start listen on [::]:5672 and [::]:15672.
    For ipv6, we need an override for configuration file.

Upstream patch link is:
https://review.opendev.org/#/c/714027/

Test pass for deploying rabbitmq service on both ipv...

Reviewed:  https://review.opendev.org/716137
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=cb4cf4299c2ec10fb2eb03cdee3f6d78a6413089
Submitter: Zuul
Branch:    f/centos8

commit 16477935845e1c27b4c9d31743e359b0aa94a948
Author: Steven Webster <steven.webster@windriver.com>
Date:   Sat Mar 28 17:19:30 2020 -0400

Fix SR-IOV runtime manifest apply
    
    When an SR-IOV interface is configured, the platform's
    network runtime manifest is applied in order to apply the virtual
    function (VF) config and restart the interface.  This results in
    sysinv being able to determine and populate the puppet hieradata
    with the virtual function PCI addresses.
    
    A side effect of the network manifest apply is that potentially
    all platform interfaces may be brought down/up if it is determined
    that their configuration has changed.  This will likely be the case
    for a system which configures SR-IOV interfaces before initial
    unlock.
    
    A few issues have been encountered because of this, with some
    services not behaving well when the interface they are communicating
    over suddenly goes down.
    
    This commit makes the SR-IOV VF configuration much more targeted
    so that only the operation of setting the desired number of VFs
    is performed.
    
    Closes-Bug: #1868584
    Depends-On: https://review.opendev.org/715669
    Change-Id: Ie162380d3732eb1b6e9c553362fe68cbc313ae2b
    Signed-off-by: Steven Webster <steven.webster@windriver.com>

commit 45c9fe2d3571574b9e0503af108fe7c1567007db
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Thu Mar 26 01:58:34 2020 +0800

Add ipv6 support for novncproxy_base_url.
    
    For ipv6 address, we need url with below format
    [ip]:port
    
    Partial-Bug: 1859641
    
    Change-Id: I01a5cd92deb9e88c2d31bd1e16e5bce1e849fcc7
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit d119336b3a3b24d924e000277a37ab0b5f93aae1
Author: Andy Ning <andy.ning@windriver.com>
Date:   Mon Mar 23 16:26:21 2020 -0400

Fix timeout waiting for CA cert install during ansible replay
    
    During ansible bootstrap replay, the ssl_ca_complete_flag file is
    removed. It expects puppet platform::config::runtime manifest apply
    during system CA certificate install to re-generate it. So this commit
    updated conductor manager to run that puppet manifest even if the CA cert
    has already installed so that the ssl_ca_complete_flag file is created
    and makes ansible replay to continue.
    
    Change-Id: Ic9051fba9afe5d5a189e2be8c8c2960bdb0d20a4
    Closes-Bug: 1868585
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 24a533d800b2c57b84f1086593fe5f04f95fe906
Author: Zhipeng Liu <zhipengs.liu@intel.com>
Date:   Fri Mar 20 23:10:31 2020 +0800

Fix rabbitmq could not bind port to ipv6 address issue
    
    When we use Armada to deploy openstack service for ipv6, rabbitmq
    pod could not start listen on [::]:5672 and [::]:15672.
    For ipv6, we need an override for configuration file.
    
    Upstream patch link is:
    https://review.opendev.org/#/c/714027/
    
    Test pass for deploying rabbitmq service on both ipv4 and ipv6 setup
    
    Partial-Bug: 1859641
    
    Change-Id: I6495c45fbd8cc1de3c9f5d9ef5003447079d91b8
    Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>

commit 08aa950393a7e3c5fd5299b88e134307800584aa
Author: Kevin Smith <kevin.smith@windriver.com>
Date:   Sun Mar 22 14:29:15 2020 -0400

application-apply error string too long
    
    During application-apply exception handling, str(e) is
    used as the input to the progress column of the kube_app
    table in the database, which may be longer than the 255
    character limit.  The result is an application stuck
    in 'applying' status.  This update adds a more readable
    error message to just check logs.
    
    There are other instances where str(e) is used as input to
    the database and could cause a similar problem which should
    also be looked at.
    
    Change-Id: I01a5e8f56a628726163e2cfffc58143ae8d5f845
    Closes-Bug: 1867019
    Signed-off-by: Kevin Smith <kevin.smith@windriver.com>

commit c1c18871d72cdcd877b95f593bd119b47b3ddbb6
Author: Andy Ning <andy.ning@windriver.com>
Date:   Tue Feb 18 14:52:06 2020 -0500

Support multiple CA certificates installation
    
    This update enhanced sysinv certificate install API to be able to
    install multiple CA certs from a file. The returns from the API call
    indicates the certs actually installed in the call (ie, excluding these
    that are already in the system). This is neccessary especially for DC to
    support multiple CA certs synchronization.
    
    This update also added sysinv certficate uninstall API. The API is to
    be used to remove a particular CA certficate from the system, identified
    by its uuid. The API returns a json body with information about the
    certificate that has been removed. This is required by DC sysinv api
    proxy for certificate deletion synchronization, since DC tracks subcloud
    certificates resource by signature while the uninstall API request
    contains only uuid.
    
    The uninstall API only supports ssl_ca certificate.
    
    cgtsclient and system CLI are also updated to align with the updated
    and new APIs. User can use "system certificate-install ..." to install
    one or multiple CA certificates, and "system certificate-uninstall ..."
    to remove a particular CA certificate from the system.
    
    When multiple CA certificates are installed in the system,
    "system certificate-list" will display each of the individual
    certificates.
    
    THe sysinv certificate configuration API reference is updated with the
    new uninstall API. Unit tests are added for CA certificate install and
    delete APIs.
    
    Change-Id: I7dba11e56792b7d198403c436c37f71d7b7193c9
    Depends-On: https://review.opendev.org/#/c/711633/
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit 241ea2871b15965bd694895f796660f7f1fddbf3
Author: Tee Ngo <tee.ngo@windriver.com>
Date:   Thu Mar 19 13:54:15 2020 -0400

Set time limit for filebeat open filehandlers
    
    In a large system, filebeat can harvest a large number of files
    and with the default file closing policies, many deleted files are
    not freed. Over time, this leads to /var/log partition running out
    of space, services not being able to flush their logs to disk and
    logmgmt process continously rotating logs.
    
    This commit sets a default time limit for each open file harvester.
    This value can be adjusted as needed via user overrides.
    
    Closes-Bug: 1865924
    Change-Id: I9dbf9cb2128157834b937357dcc6c4945dc5d2f3
    Signed-off-by: Tee Ngo <tee.ngo@windriver.com>

commit d7c3822a52ecc3b4288106c4e544e67add80fbf5
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Fri Mar 13 12:37:39 2020 -0400

Remove usage of /etc/kubernetes/kubeadm.yaml
    
    /etc/kubernetes/kubeadm.yaml could contain stale data, for example, from
    changing kube-apiserver parameters. There are currently no system impacts
    from using the stale file, but as we change more parameters, there could
    be system impact. This commit makes the existing usage of kubeadm.yaml
    generate a temp copy of the file with current data first.
    
    Change-Id: I62391d184e3e5d6397a9af4f43c7c7ec19314afc
    Partial-bug: 1866695
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit 8ecdcbbbcdc2807113c7b7004f92653acffa0b41
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Tue Mar 10 16:46:04 2020 -0400

Add platform network type for storage
    
    Added a new platform network type for optional backend storage.
    
    Story: 2007391
    Task: 39018
    
    Change-Id: I1a389b8aede49095e4f7f7d24ed8224504575d45
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit 2528dce84b5891038ca56c6959304ac4c1fc934a
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Thu Feb 13 18:52:15 2020 -0500

Allow VF type interface to detect underlying port
    
    Do `host-if-show` on VF interface whose underlying port supports
    dpdk will now display accelerated [True]. Before this fix, only
    ethernet, vlan, and ae type interfaces supports detecting
    underlying ports that support dpdk.
    
    Closes-Bug: 1846260
    
    Change-Id: Ifdee31811824a38ebc7d3a8febde2341d39ba986
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit 95d8bb436b625c82e78ebb2a2134e0e861bd5574
Author: Jerry Sun <jerry.sun@windriver.com>
Date:   Wed Mar 4 16:07:22 2020 -0500

Support post-bootstrap config of kube-apiserver parameters
    
    Add system service parameters for each of the kube-apiserver parameters
    for openid connect.
    
    Story: 2006711
    Task: 38944
    
    Depends-On: https://review.opendev.org/711336
    
    Change-Id: Ib4b9aee036447087f88f803548e3f982446ccda4
    Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

commit 6f162c3422df6c11b0d9f548487bfb3b9e401ca5
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Fri Feb 7 15:28:42 2020 -0500

Fixed address interface foreign key inconsistency
    
    Foreign key in sysinv.object.address.Address is `interface_uuid`,
    which is inconsistent with the foreign key `interface_id` defined
    in the database schema. This fix corrected that.
    
    Added a unit test to verify that addresses associated with an interface
    could be deleted.
    
    Additionally wrote a set of TODO unit tests blocked by
    the bug: tested delete address for orphaned-routes case, unlocked
    host state, and the case where address is allocated from pool.
    
    Modified interface querying mechanism to look up all interfaces.
    This modification is necessary because the current implementation of
    add_interface_filter only looks up those of type ethernet, ae and
    vlan. Attempting to get an virtual-type interface will raise an
    exception, causing Jenkins installation to fail.
    
    After a visual inspection of interface_uuid occurrences, fixed a few
    other occurrences of bad address.interface_uuid that are not caught
    by the unit test. Added new unit test suites in place to cover the
    code paths.
    
    Closes-Bug: 1861131
    
    Change-Id: I6f2449bbbb69d6f2353e521bfcd138d880ce878f
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit 964a2b7c6238ce91d4ace34dcac790fa5a37d55c
Author: Kevin Smith <kevin.smith@windriver.com>
Date:   Tue Mar 3 14:17:42 2020 -0500

stx-monitor: only delete pvcs on app delete.
    
    It may be desired to keep the persistent volumes after removing the
    stx-monitor application.  This update will not remove the pvcs on
    application-remove, but remove them on application-delete
    
    Closes-Bug: 1865568
    
    Change-Id: I9b06008fe6b6033e5a1ce6808cc5d4fa6aabcd05
    Signed-off-by: Kevin Smith <kevin.smith@windriver.com>

commit c5d43da89e7fd2a12407bc4bebd14ab87d16c638
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Feb 25 17:00:53 2020 -0500

Allow users to override a single image with a custom registry
    
    In the case that the user overrides a single image with a
    custom registry that is not from any known registries
    in Sysinv. This image downloading will fail as it
    prepends the docker.io registry to the image reference
    , then generates an invalid image tag.
    
    The original purpose of adding that logic is to handle
    the image that comes from docker.io but do not have
    docker.io explicitly specified in its image name. This
    case has already been updated to handle in the class
    "AppImageParser".
    
    This commit removes the related logic that causing the
    issue.
    
    Tested:
     - system helm-override-update stx-openstack nova openstack \
         --set images.tags.nova_api=mycustomregistry.com/stx-nova:latest
     - system application-apply stx-openstack
    
    Change-Id: I07d1a658c3cf56a3e09e81e1f947f93de50b513d
    Closes-Bug: 1859881
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 347af170f9cf1fd49be2a52107f0594d9d4b8ba8
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Tue Feb 25 21:13:59 2020 -0500

Update PTP API ref and unit tests
    
    Add the PTP apply function to the API ref and the unit tests.
    
    Story: 2006759
    Task: 38848
    Change-Id: Iae3cc9e90b653fd92a83a0d9a216d87016cf4c6c
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit 8e2e5f7e82efde39407d34c1a26daffb97dbe26d
Author: Kevin Smith <kevin.smith@windriver.com>
Date:   Fri Feb 21 07:56:04 2020 -0500

Set elasticsearch pod java options according to ip config
    
    The "-Djava.net.preferIPv6Addresses=true" java option was set
    for both ipv4 and ipv6 configurations which worked fine in both
    configs.  At some point recently in ipv4 configurations, the
    stx-monitor application stopped applying successfully due to
    elasticsearch cluster discovery failure.  Why the ipv4 failures
    are only recently occurring is unknown, but removal of this
    unnecessary java option for ipv4 eliminates the failures.
    
    This update will set the above java option for elasticsearch
    pods only if the cluster service network is ipv6.
    
    Closes-Bug: 1864193
    
    Change-Id: I2952f1c799b121d0812314156162af7696ebd6b0
    Signed-off-by: Kevin Smith <kevin.smith@windriver.com>

commit 6065f1318af289001d2017111cc8633c3320efda
Author: Matt Peters <matt.peters@windriver.com>
Date:   Thu Feb 20 16:22:02 2020 -0500

Remove system name from default index naming
    
    Remove the system name from the default index naming
    since it causes a large number of small independent
    indexes to be created that does not scale well against
    the current daily index rotation.
    
    Change-Id: Ia880a1d8c48703a0741a72e999c0cdb93c229423
    Story: 2006990
    Task: 38834
    Signed-off-by: Matt Peters <matt.peters@windriver.com>

commit 73d407bdf44933673e8e975e2523828b9c43e25d
Author: Matt Peters <matt.peters@windriver.com>
Date:   Thu Feb 20 16:21:40 2020 -0500

Add normalized percentages to cpu metric collection
    
    CPU metric collection which has been normalized against the
    number of cores is not enabled.  This update adds the
    appropriate configuration option to enable these metrics.
    
    Change-Id: I1e2dcd0fac144236dab3718a917344c339444003
    Closes-Bug: 1864128
    Signed-off-by: Matt Peters <matt.peters@windriver.com>

commit bbb9a477c1cb33ca51a134d742073cc200f89fb0
Author: Angie Wang <angie.wang@windriver.com>
Date:   Thu Feb 20 11:56:01 2020 -0500

Reject the k8s first control plane upgrade after networking is upgraded
    
    The first upgraded control plane shouldn't be allowed to re-upgrade
    after the k8s networking upgrade is done. This commit adds a check
    to prevent this action.
    
    Change-Id: I01c6539fe89749663dff6159e56d14f9a510ebe0
    Story: 2006781
    Task: 38761
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit cb2b83365e823cd69a0e8e2a3c54b3e679f48776
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Thu Feb 20 11:37:03 2020 -0500

Support for https in OIDC client
    
    Changed OIDC client to use HTTPS by default.
    
    Story: 2006711
    Task: 38481
    
    Depends-On: https://review.opendev.org/#/c/708911
    Change-Id: I567b224030cfe2278cdca57f2d40ad36c98d7ff6
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit 4687ea36b5fadb7dad0cfe0a1ede4b488a0b5aeb
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Fri Feb 14 15:30:41 2020 -0500

Apply PTP configuration at runtime
    
    Allow PTP configuration to be applied at runtime. Previously this would
    have required a lock/unlock of the host. A new command 'system
    ptp-apply' has been added to apply the ptp configuration.
    
    Note we will not apply ptp configurations to hosts that have switched
    from ntp to ptp. That change will require a lock/unlock as before.
    
    Depends-On: https://review.opendev.org/707904
    Change-Id: I098bd12336f34324a77615a20a4e36b7620ab79b
    Story: 2006759
    Task: 38770
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit d93d5804c626955fb711897745dce4a61136183b
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Fri Feb 14 16:47:03 2020 -0500

Fixed error responses in controller-fs
    
    Error response given by controller-fs-modify erroneously mentions
    filesystem names which are not controller filesystems. To fix this,
    hard-coded filesystem names have been completely removed.
    
    Change-Id: Ic6f563dd0b347ac7ece628f6e716c952205c1687
    Closes-Bug: 1862416
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit f6eebbd318f3c596c7d408696ce1558fd03a5497
Author: Bart Wensley <barton.wensley@windriver.com>
Date:   Wed Feb 19 12:56:21 2020 -0600

Disable keystone caching on subclouds
    
    The use of keystone caching on subclouds causes problems because
    the syncing of fernet keys to the subcloud results in stale
    cache entries. This causes authentication failures until the
    cache entries age out or new tokens are created.
    
    Since the keystone load in a subcloud is light, there is really
    no need for caching at this time - it is being disabled in
    subclouds.
    
    Change-Id: I777c57c46cf1bcd701fbbac73228a2cb81d8424b
    Closes-Bug: 1860372
    Signed-off-by: Bart Wensley <barton.wensley@windriver.com>

commit b330498aecb7068e8bfa65c41c71e974b2d674aa
Author: Mingyuan Qi <mingyuan.qi@intel.com>
Date:   Tue Feb 18 03:48:44 2020 +0000

Change docker client to crictl in cert rotation
    
    When container runtime moving to containerd, the containers are
    created by containerd. Accordingly, the client tool is changed
    to crictl. In the kube cert rotation script, the containers will
    be stopped by crictl and automatically started by kubelet to
    update the renewed certificates within the container.
    
    Story: 2006145
    Task: 37619
    
    Change-Id: Ia8cf76c15811f8f9d88199158e83ccba31534e4e
    Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>

commit 7afe5de64d0d23ec951620e0380fb65e2f49f4c3
Author: Angie Wang <angie.wang@windriver.com>
Date:   Tue Feb 11 17:25:11 2020 -0500

Add semantic checks for k8s upgrade
    
    Semantic checks added:
      - verify whether all installed applications are compatible with
        the new k8s version before starting k8s upgrade
      - prevent host-unlock if the host kubelet upgrade is in progress
        (allow --force to do force unlock).
      - prevent application-apply/update if the app is incompatible with
        the current k8s version.
    
    For the application that has k8s version restriction, the following
    keys need to be optionally specified in its metadata file:
    ie...
    supported_k8s_version:
      minimum: v1.16.1
      maximum: v1.16.3
    
    The k8s version related information in metadata file will be used for
    compatibility check. The metadata file is updated to copy over to the
    drbd fs during application-upload.
    
    Tests conducted:
      - "system kube-upgrade-start" rejected if any installed app's k8s
        version check failed
      - host-unlock rejected if the host is in upgrading-kubelet status
      - was able to forcibly unlock host even if it's upgrading kubelet
      - application-apply/update testing
    
    Change-Id: I1ef852cccddf7ae39eca4b4e25b80a7f4347d8a4
    Story: 2006781
    Task: 38761
    Signed-off-by: Angie Wang <angie.wang@windriver.com>

commit 2b49e9f3f93c9913961b437d4e51d1e7d46f1222
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Feb 13 10:00:56 2020 -0600

Workaround for cleaning up MatchNodeSelector pods after host reboot
    
    Added a K8sPodOperator class to look for and remove Failed pods with a
    MatchNodeSelector reason.
    
    MatchNodeSelector pods related to applications will not be removed by
    K8S automatically. These pods may block subsequent application applies
    as tiller expects these pods to be in a non failed state.
    
    A check for this condition is added in two locations:
    - to the _k8s_application_audit() which is run immediately on
      sysinv-conductor startup and runs every minute. This runs 4 times in a
      5 minute window at startup on a simplex install. This should catch all
      cases unless there is a delay accessing the k8s API that lasts longer
      than 5 minutes at startup.
    - to the application-apply path. This would cover any case that occurs
      after the initial 5 minute conductor startup OR any occurance on a
      non-simplex installation (so far only observed on AIO-SX)
    
    NOTE: This commit will be reverted once a proper upstream k8S fix is
    provided.
    
    Related upstream bugs:
    - https://github.com/kubernetes/kubernetes/issues/80745
    - https://github.com/kubernetes/kubernetes/issues/85334
    
    The following PR was tested and fixed this issue but has not landed
    upstream in a new k8s release:
    - https://github.com/kubernetes/kubernetes/pull/80976
    
    Change-Id: Ia5418794a44e7821933e8335d5c5db25b58a739f
    Closes-Bug: #1849688
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 34e410821b7b0699444b303fcdec1ab89d860cc6
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Thu Feb 13 15:38:51 2020 -0500

Fix inconsistent disk space calculation
    
    Integer division in Python 2 behaves like floating-point
    division in Python 3. Thus, changes are made to rectify this
    behavior.
    
    Change-Id: I6a5905a4d97df5b9e73e165580801c865006f316
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
    Closes-Bug: 1862668

commit e6e37c949a39e4ee3d4f4c9407a85089e7514345
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Mon Feb 10 16:26:13 2020 -0500

Added unit test cases for host file system.
    
    Test cases added for API endpoints used by:
     1. host-fs-list
     2. host-fs-modify
     3. host-fs-show
    
    This commit also fixes the issue of Host FS disk space calculations
    yielding different values in Python 2 and Python 3.
    
    Change-Id: I50a1ca43c43c3bba30730c616b3788664920d0c9
    Story: 2007082
    Task: 38013
    Partial-Bug: 1862668
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 227ddec6189fdabdc75d45162fc22b9af7118982
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Thu Feb 13 10:47:55 2020 -0500

Fix device plugin port handling for pci-passthrough
    
    While generating the SR-IOV device plugin configuration data,
    it is necessary to get the underlying port information.
    For SR-IOV ports there is special handling required to deal
    with the case of a 'VF' subinterface.  For PCI-Passthrough,
    the port can and should be accessed directly.
    
    Closes-Bug: 1856587
    
    Co-Authored-By: Steven Webster <steven.webster@windriver.com>
    
    Change-Id: I70f315669776a591e23e69c6653098e720815b99
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit cab522030f79c0060b80050c6a560696d7db80d9
Author: Stefan Dinescu <stefan.dinescu@windriver.com>
Date:   Fri Jan 31 17:31:17 2020 +0200

Make Ceph storage backend optional
    
    Changes included in this commit:
    - change consistency checks to allow a system to
      be deployed without ceph configured
    - allow ceph to be provisioned before unlocking
      controller-0
    - add support for runtime provisioning of ceph
      on an already fully deployed system
    - move default cluster and storage tier config
      from conductor initialization to storage-backend
      creation
    - move CephOperator initialization from conductor
      initialization to a greenthread that waits for
      the ceph cluster to become responsive
    - make adding ceph storage-backend timing consistent
      across all setups: you can add it before unlocking
      controller-0 or only after all controller nodes
      have been unlocked.
    
    Tests run:
    - all tests were run on AIO-SX, AIO-DX, Standard
      and Storage configs
    - deploy system without ceph
    - configure ceph after running ansible bootstrap,
      but before unlocking controller-0
    - configure ceph at runtime on an already deployed
      system
    - swacting
    
    Change-Id: I05fbd494d9a22a535eae200a26c21b1702500194
    Depends-On: https://review.opendev.org/705234
    Story: 2007064
    Task: 37931
    Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>

commit f1605d465b5cb10a9d46803e88096951cdacc3a5
Author: David Sullivan <david.sullivan@windriver.com>
Date:   Mon Feb 3 14:35:45 2020 -0500

PTP Configuration Enhancements
    
    Add PTP service parameters. Any service parameters in the global ptp
    section will be written to the ptp4l conf. phc2sys service parameters
    will be used to specify the command line options used with the phc2sys
    service.
    
    Values specified in the service parameters will take precedence over
    values specified by the PTP table.
    
    Story: 2006759
    Task: 38669
    Depends-On: https://review.opendev.org/#/c/706364
    Change-Id: I791ec251be44d963bfb5eb69268fbc7a8a75391a
    Signed-off-by: David Sullivan <david.sullivan@windriver.com>

commit 173eb3bea75e2a774976461a5caef482c20a814a
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Mon Feb 3 16:21:42 2020 -0500

Added unit test cases for controller file system
    
    Test cases added for API endpoints used by:
     1. controllerfs-list
     2. controllerfs-modify
     3. controllerfs-show
    
    Change-Id: Ifd525d2218a099b15139f17d6b4ae1b7279e8810
    Story: 2007082
    Task: 38003
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit aead92341082065798ee4450d804f64d63ba35f1
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Tue Jan 21 18:12:46 2020 -0500

Enabled platform interfaces to add ip address(es)
    
    Removed network type check in api controller interface to allow platform
    interfaces to have static address mode in the database.
    
    Removed broken network type check in api controller address.
    
    Loosened interface-class and network-type restrictions in puppet
    controller to allow platform interfaces to have static ip address
    during system unlock.
    
    Added unit tests to test puppet interface's new restriction logic of
    get_interface_address_method for ipv4 static mode (valid), ipv6 static
    mode (valid), and ipv4 static mode with network type (invalid).
    
    Added unit test to ensure one can add an ip address to the static
    platform interface. Enabled DAD for ipv6 tests. Renamed get_post_object
    parameter interface_id to interface_uuid to eliminate usage
    inconsistency because the former is rejected in the POST request.
    
    Closes-Bug: 1855191
    
    Change-Id: I1f2bc92bb1a97dc4afb21966de4055b12855510a
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit b27ae6b348fdd03d83859e7c1a21baf828859328
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Thu Jan 16 11:21:30 2020 -0500

Fixed semantic checks for SR-IOV VF parameters.
    
    Only interfaces of class pci-sriov may have numvfs and vf_driver.
    However, interfaces of class data attempting to add numvfs and
    vf_driver via the cli was able to pass the semantic check.
    Moreover, when an interface class changes from pci-sriov to data,
    the numvfs and vf_driver fields are not cleared.
    
    This fix tackles the above issues by altering the condition-
    check that resets the 2 fields before the semantic check such
    that faulty semantic will not pass the semantic check.
    This fix also ensures the 2 fields are permanently reset
    once interface class is changed from pci-sriov to data.
    
    Added several unit tests to verify all situations described
    above.
    
    Depends-On: https://review.opendev.org/#/c/705293
    
    Closes-Bug: 1855933
    
    Change-Id: I3c25c57edcdd50c5e76e17da658c7985821a3436
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit 4598ca8d65417b7ac9f19f6fd3954639d230b46b
Author: Al Bailey <Al.Bailey@windriver.com>
Date:   Wed Feb 5 09:38:42 2020 -0600

Deprecate sysinv.openstack.common.db in favor of oslo_db
    
    openstack.common.db was not being used except by unit tests.
    The sysinv engine had previously been converted, so the
    changes are primarily in the unit test environment.
    
    Story: 2006796
    Task: 37426
    Change-Id: Ie638ee7e347fef0ada061ed4047decd0cbb919ef
    Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

commit fb84bf9bdcb7844e6ac0ea192480a43ae4ac7480
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Fri Jan 31 10:06:25 2020 -0500

Forbid unlocked hosts to modify interfaces
    
    Simplified the convoluted logic that allows certain unlocked hosts to
    modify interfaces. Now the logic simply rejects unlocked hosts.
    
    Fixed a series of unit tests that modifies unlocked test controller by
    transfer the modification operations to locked test workers. Moreover,
    hardcoded test controller id is replaced with worker id attribute.
    
    Fixed another set of tests that attempts to create ethernet, vlan, or
    bond on a unlocked test controller, even though those tests are intended
    for locked test workers. These redundant network configuration are
    promptly removed, because to keep them will force the only active
    controller node to be locked.
    
    Closes-Bug: 1855187
    
    Change-Id: I7eacba9d064a4efb2c2032c3879d11460401ca08
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit 29f38ce63725a829a165989bb134fd98ac8bea78
Author: Andy Ning <andy.ning@windriver.com>
Date:   Tue Feb 4 15:42:20 2020 -0500

Copy encryption provider config file to second controller
    
    kube-apiserver encryption provider config file is generated by ansible
    bootstrap on the first controller and stored in the shared fs. It is
    then copied over to the second controller. When kube-apiserver pod
    starts it will take this configuration file as its encryption provider
    configuration.
    
    Change-Id: Ibfcfb13c8a6685e38a1043acd7ec752ea116911c
    Story: 2007243
    Task: 38627
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit c4fa36214c444b34ae9c2b06f35758eb1ba8c987
Author: Thomas Gao <Thomas.Gao@windriver.com>
Date:   Mon Feb 3 15:41:28 2020 -0500

Forbid IPv4 DNS in an IPv6 OAM config
    
    Implemented IP version check in DNS controller api to reject patch
    operations with mismatched DNS server IP version.
    
    Enabled and fixed relevant unit tests.
    
    Rearranged unit test inheritance hierachy to eliminate undesired test
    repetitions.
    
    Closes-Bug: 1860489
    
    Change-Id: Ief4a19eeea03086bb5816a13cb3a706a48bab51a
    Signed-off-by: Thomas Gao <Thomas.Gao@windriver.com>

commit 5df1f3a89a6e1ef699fc6030a18902faf45daf88
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Feb 5 13:26:43 2020 -0500

Adding job to upload commits to GitHub
    
    Add job to publish config repo to GitHub
    Fix host_key
    
    Story: 2007252
    Task: 38657
    
    Change-Id: Id0c1fe7278cbddbf6082f452323537427fefe95f
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

commit 8ab1e2d7c624f83d72efcbfcddcdffa567a26bad
Author: Shuicheng Lin <shuicheng.lin@intel.com>
Date:   Wed Dec 11 16:37:03 2019 +0800

Audit local registry secret info when there is user update in keystone
    
    local registry uses admin's username&password for authentication.
    And admin's password could be changed by openstack client cmd. It will
    cause auth info in secrets obsolete, and lead to invalid authentication
    in keystone.
    To keep secrets info updated, keystone event notification is enabled.
    And event notification listener is added in sysinv. So when there is
    user password change, a user update event will be sent out by keystone.
    And sysinv will call function audit_local_registry_secrets to check
    whether kubernetes secret info need be updated or not.
    
    A periodic task is added also to ensure secrets are always synced, in
    case notification is missed or there is failure in handle notification.
    
    oslo_messaging is added to tox's requirements.txt to avoid tox failure.
    The version is based on global-requirements.txt from Openstack Train.
    
    Test:
    Pass deployment and secrets could be updated automatically with new auth
    info.
    Pass host-swact in duplex mode.
    
    Closes-Bug: 1853017
    Depends-On: https://review.opendev.org/700677
    Depends-On: https://review.opendev.org/699547
    Change-Id: I959b65288e0834b989aa87e40506e41d0bba0d59
    Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-04-01: Fix merged to distcloud (f/centos8)

#16

Download full text (15.6 KiB)

Reviewed: https://review.opendev.org/716140
Committed: https://git.openstack.org/cgit/starlingx/distcloud/commit/?id=04b49dd093ab850f4520cdb85638221120dd7568
Submitter: Zuul
Branch: f/centos8

commit 25c9d6ed3861f2d783404fcf84b186441ab9cd4d
Author: albailey <email address hidden>
Date: Wed Mar 25 15:43:32 2020 -0500

Removing ddt from unit tests

This cleanup should assist in transitioning to
stestr and fixtures, as well as py3 support.

The ddt data is primarily unused, only subcloud, route
and endpoints were being loaded.

The information in the data files was out of date,
and not necessarily matching the current product model.

    Story: 2004515
    Task: 39160
    Change-Id: Iddd7ed4664b0d59dbc58aae5c3fedd74c9a138c0
    Signed-off-by: albailey <email address hidden>

commit 7f3827f24d2fb3cb546d3caf71d505d23187b0dc
Author: Tao Liu <email address hidden>
Date: Thu Mar 12 09:46:29 2020 -0400

Keystone token and resource caching

    Add the following misc. changes to dcorch and dcmanager components:
    - Cache the master resource in dcorch audit
    - Consolidate the openstack drivers to common module, combine the
      dcmanager and dcorch sysinv client. (Note: the sdk driver that
      used by nova, neutron and cinder will be cleaned as part of
      story 2006588).
    - Update the common sdk driver:
      . in order to avoid creating new keystone client multiple times
      . to add a option for caching region clients, in addition to the
        keystone client
      . finally, to randomize the token early renewal duration
    - Change subcloud audit manager, patch audit manager,
      and sw update manager to:
      utilize the sdk driver which caches the keystone client and token

    Test cases:
    1. Manage/unmanage subclouds
    2. Platform resources sync and audit
    3. Verify the keystone token is cached until the token is
       expired
    4. Add/delete subclouds
    5. Managed subcloud goes offline/online (power off/on)
    6. Managed subcloud goes offline/online (delete/add a static route)
    7. Apply a patch to all subclouds via patch Orchestration

Story: 2007267
Task: 38865

Change-Id: I75e0cf66a797a65faf75e7c64dafb07f54c2df06
Signed-off-by: Tao Liu <email address hidden>

commit 3a1bf60caddfa2e807d4f5996ff94fea7dde5477
Author: Jessica Castelino <email address hidden>
Date: Wed Mar 11 16:23:21 2020 -0400

Cleanup subcloud details when subcloud add fails

    Failure during add subcloud prevents subcloud from being added again
    with the same name as the subcloud details are not cleaned up
    properly. Fixes have been added for proper cleanup of dcorch database
    tables, ansible subcloud inventory files, keystone endpoints, keystone
    region, and addn_hosts_dc file when failure is encountered.

    Test cases:
    1. Add subcloud
    2. Add subcloud with "--deploy-playbook"
    3. Delete subcloud
    4. Raise explicit exception in dcorch/objects/subcloud.py
    5. Raise explicit exception in dcmanager/manager/subcloud_manager.py

Change-Id: Iedf172c3e9c3c4bdb9b9482dc5d46f072b3ccf61
...

Reviewed:  https://review.opendev.org/716140
Committed: https://git.openstack.org/cgit/starlingx/distcloud/commit/?id=04b49dd093ab850f4520cdb85638221120dd7568
Submitter: Zuul
Branch:    f/centos8

commit 25c9d6ed3861f2d783404fcf84b186441ab9cd4d
Author: albailey <Al.Bailey@windriver.com>
Date:   Wed Mar 25 15:43:32 2020 -0500

Removing ddt from unit tests
    
    This cleanup should assist in transitioning to
    stestr and fixtures, as well as py3 support.
    
    The ddt data is primarily unused, only subcloud, route
    and endpoints were being loaded.
    
    The information in the data files was out of date,
    and not necessarily matching the current product model.
    
    Story: 2004515
    Task: 39160
    Change-Id: Iddd7ed4664b0d59dbc58aae5c3fedd74c9a138c0
    Signed-off-by: albailey <Al.Bailey@windriver.com>

commit 7f3827f24d2fb3cb546d3caf71d505d23187b0dc
Author: Tao Liu <tao.liu@windriver.com>
Date:   Thu Mar 12 09:46:29 2020 -0400

Keystone token and resource caching
    
    Add the following misc. changes to dcorch and dcmanager components:
    - Cache the master resource in dcorch audit
    - Consolidate the openstack drivers to common module, combine the
      dcmanager and dcorch sysinv client. (Note: the sdk driver that
      used by nova, neutron and cinder will be cleaned as part of
      story 2006588).
    - Update the common sdk driver:
      . in order to avoid creating new keystone client multiple times
      . to add a option for caching region clients, in addition to the
        keystone client
      . finally, to randomize the token early renewal duration
    - Change subcloud audit manager, patch audit manager,
      and sw update manager to:
      utilize the sdk driver which caches the keystone client and token
    
    Test cases:
    1. Manage/unmanage subclouds
    2. Platform resources sync and audit
    3. Verify the keystone token is cached until the token is
       expired
    4. Add/delete subclouds
    5. Managed subcloud goes offline/online (power off/on)
    6. Managed subcloud goes offline/online (delete/add a static route)
    7. Apply a patch to all subclouds via patch Orchestration
    
    Story: 2007267
    Task: 38865
    
    Change-Id: I75e0cf66a797a65faf75e7c64dafb07f54c2df06
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit 3a1bf60caddfa2e807d4f5996ff94fea7dde5477
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Wed Mar 11 16:23:21 2020 -0400

Cleanup subcloud details when subcloud add fails
    
    Failure during add subcloud prevents subcloud from being added again
    with the same name as the subcloud details are not cleaned up
    properly. Fixes have been added for proper cleanup of dcorch database
    tables, ansible subcloud inventory files, keystone endpoints, keystone
    region, and addn_hosts_dc file when failure is encountered.
    
    Test cases:
    1. Add subcloud
    2. Add subcloud with "--deploy-playbook"
    3. Delete subcloud
    4. Raise explicit exception in dcorch/objects/subcloud.py
    5. Raise explicit exception in dcmanager/manager/subcloud_manager.py
    
    Change-Id: Iedf172c3e9c3c4bdb9b9482dc5d46f072b3ccf61
    Closes-Bug: 1862774
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 1e588cbefa789bf8546da708470e271f01dcd593
Author: Andy Ning <andy.ning@windriver.com>
Date:   Wed Feb 26 16:04:33 2020 -0500

Support multiple CA certificates synchronization in DC
    
    This update enhanced dcorch and sysinv API proxy to support multiple CA
    certificates synchronization in DC system. The support utilizes the
    updated sysinv certificate install API and the new certificate
    uninstall API.
    
    Closes-Bug: 1861438
    Closes-Bug: 1860995
    Depends-On: https://review.opendev.org/#/c/711538/
    Change-Id: I407314b913ae5a56bb714b39484aea3263a41d19
    Signed-off-by: Andy Ning <andy.ning@windriver.com>

commit dbd92e06500567ce7086fa172cdc745e1c62c6bb
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Tue Mar 10 15:04:59 2020 -0400

Increase ThreadGroup size for patch orchestration
    
    The default ThreadGroup size is 10. In order to allow for more
    parallelism when doing patch orchestration across many subclouds,
    this is being increased to 100.
    
    Change-Id: I82ace0d616d1455fd65e1583c694a71f8dede721
    Story: 2007267
    Task: 38913
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 48268f420e1bbfbdf284fc3ef513626d1d2b051c
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Wed Mar 4 16:55:04 2020 -0500

Remove remote logging configuration
    
    Remote logging is removed from dcorch logs to avoid
    sync of unnecessary system data
    
    Story: 2007267
    Task: 38970
    Change-Id: I36fade7ff4a87855207f570f103b7e1b8fc1262a
    Partial-Bug: 1857069
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 4fb11314833cf1b83ef18c332e151b129ea73aaf
Author: Tao Liu <tao.liu@windriver.com>
Date:   Mon Mar 9 18:12:18 2020 -0400

Support OAM on vlan and pulling rvmc from local registry
    
    Add 'vlan=' option to anaconda boot options, and ensure 'ip=' option
    using a vlan interface when the bootstrap_vlan parameter is provided.
    
    The rvmc image, which had been pulled to the local registry during
    bootstrapping, was pulled from docker.io when the rvmc job/pod
    was launched. This update adds the local registry prefix to the
    image name override.
    
    Note: The OAM network on vlan configuration has been tested by the
    customer.
    
    Closes-Bug: 1866670
    Closes-Bug: 1866669
    
    Change-Id: I9ad27742cf4c380749cbad68ecaee165d114b11c
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit e39a56cdc6e5fd63461d7e9ae25ebe617ccab94e
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Mon Mar 9 17:01:30 2020 -0400

Fixed a typo in StarlingX API reference document
    
    Change-Id: Ie317ab71f356bf8c74984e45784c39daea53e7e2
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 3c8d6bc7f56c97350ca255502462d565eaed38b2
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Fri Mar 6 17:09:27 2020 -0500

Reduce dcorch log size
    
    Removes unnecessary dcorch info logs to reduce log size
    
    Change-Id: Ib8b3b31c4c174b85cf95cb1a4fc06b3ae10f4d32
    Story: 2007267
    Task: 38740
    Depends-On: https://review.opendev.org/#/c/711775/
    Closes-Bug: 1857069
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit fe3ef48558f4ba58981572a73b876da06c89220d
Author: Jessica Castelino <jessica.castelino@windriver.com>
Date:   Mon Mar 2 16:20:27 2020 -0500

Show OAM Floating IP for Subcloud
    
    Extends the dcmanager subcloud show command to display the floating
    OAM IP of the subcloud from the system controller.
    
    Change-Id: Ib421ea65660ed77a241798831c83cbaf1710f9e8
    Story: 2007267
    Task: 38896
    Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>

commit 501fa35af2780d57329478fe0ef0a6037ef8bf73
Author: Al Bailey <Al.Bailey@windriver.com>
Date:   Tue Jan 21 17:04:56 2020 -0600

Update pylint for distributedcloud
    
    The pylint that was specified as an upper constraint was not
    as strict as the newer versions.
    
    - Fixed or suppressed any new error codes being reported.
    Suppressed error codes should be fixed by additional reviews.
    
    - added a zuul target for pylint
    
    - Added dcdbsync to the folders being processed by pylint.
    
    - Removed the env:UPPER_CONSTRAINTS_FILE from tox.ini so that zuul
    does not override the upper constraints with an newer version.
    
    - Needed to add greenlet to the extension-pkg-whitelist since
    runtime introspection of that component is not possible.
    
    - oslo-messaging get_transport deprecated 'aliases' in pike, and
    removed it in rocky. The packaged version in STX is 5.30.6
    which still supports aliases. This requires us to explicitly
    run tox with the version that we ship (pre-stein). This is
    controlled by a local upper-constraints.txt file.
    Related-Bug: 1865054
    
    - Paste file handling reports a pylint issue which has been suppressed
    Related-Bug: 1865085
    
    Story: 2004515
    Task: 38882
    Change-Id: Ie7c8c2adab1eeb9100159a2aa29968a0b557e2e4
    Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

commit abe9efce41d3b94c12aeaff14f013c5c25b76d42
Author: Tao Liu <tao.liu@windriver.com>
Date:   Sun Feb 9 20:47:16 2020 -0500

Keystone token and client caching
    
    This update is to change the platform SDK driver to cache the keystone
    token and client sessions, also to add the fm client to the platform
    SDK in order to remove the sdk.py once nova, neutron and cinder
    references are removed (as part of story 2006588).
    
    The keystone client/token is cached per-region vs. the client session,
    which is cached per-region & per-thread. This is because, simultaneous
    access from different greenthreads to the client socket is not allowed.
    
    The initial sync does not use the cached clients as requesting a
    new token is required for each region.
    
    In addition, this update modifies the EndpointCache class to load
    the auth plugin once.
    
    Test cases:
    1. Manage/unmanage subclouds
    2. Platform resources and alarm summary sync
    3. Platform resources and alarm summary audit
    4. Verify the keystone client/token is cached until the token is
       expired
    5. Add/delete subclouds
    6. Managed subcloud goes offline/online (power off/on)
    7. Managed subcloud goes offline/online (delete/add a static route)
    
    Story: 2007267
    Task: 38709
    
    Change-Id: I0842a79838ea0f7a6c16f3b1e69ad0eb1357018a
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit bde6982ded5ae8995d6ba0b758ea990086b7fa05
Author: Al Bailey <Al.Bailey@windriver.com>
Date:   Tue Jan 21 16:31:33 2020 -0600

Updating flake8 version for distributed cloud
    
    This also fixes the linters target which fails when yamllint
    does not find any inputs.
    
    Most new failures are being suppressed for now, and will be
    cleaned up by future submissions.
    
    Story: 2004515
    Task: 38739
    Change-Id: I8bddba83408be19a487837e326c86432579c50db
    Signed-off-by: Al Bailey <Al.Bailey@windriver.com>

commit 9180e7df84840745138827688cc8a482dd02f09c
Author: Robert Church <robert.church@windriver.com>
Date:   Thu Feb 6 16:44:48 2020 -0500

Add various locking support to DCManager
    
    Support the following lock updates in DCManager:
     - Provide a function decorator in common/utility.py for a synchronized
       lock that supports both external locks and internal fair locks. This
       decorator is setup, by default, for external locks.
     - Refactor update_subcloud_endpoint_status() so that a common private
       method is provided that is suitable for locking.
     - Update subcloud_manager.py to provide a function decorator to produce
       an internal fair lock based on a unique subcloud name. This decorator
       is specifically designed to be used with
       _update_subcloud_endpoint_status(). This will ensure that the
       multi-threaded DCManager process will only update subcloud endpoint
       information in a synchronized manner.
     - Provide an API lock to the SubcloudsController for the post, patch,
       and delete operations
    
    Update distributedcloud requirements and spec file to require
    oslo.concurrency >= 3.29.1. This is the latest version supported by the
    Openstack Stein and is a version containing fair lock support.
    
    Update unit tests:
     - Added unit test for update_subcloud_endpoint_status. This verifies
       high level functionality and the calling of fair locks based on the
       unique subcloud name.
     - Fixed intermittent failure seen when executing the add_subcloud unit
       test by mocking thread.Threading.
     - Leverage the use of oslo_concurrency's behavior to use the
       OSLO_LOCK_PATH environment variable if the lock_path config option is
       not set. Currently this is not set as we specify a hard coded
       external lock path at runtime. This allows us to set the lock path
       for tox tests via the test environment.
    
    Change-Id: Id1902e8553408cbdd60b648efc39d59e8edcdb55
    Depends-On: https://review.opendev.org/#/c/707188/
    Closes-Bug: #1855359
    Signed-off-by: Robert Church <robert.church@windriver.com>

commit 0389c7fbb1630988acd385140c9fc16835aae090
Author: Bart Wensley <barton.wensley@windriver.com>
Date:   Tue Feb 11 15:21:09 2020 -0600

Fix subcloud manage/unmanage issues caused by identity sync
    
    Recently identity (keystone) sync functionality was added to the
    dcorch. This changed the behaviour of the update_subcloud_states
    RPC. The dcmanager expects this RPC to be handled quickly and
    a reply sent almost immediately (timeout is 60s). Instead, the
    dcorch is now performing an identity sync when handling this
    RPC, which involves sending multiple messages to a subcloud and
    waiting for replies. This causes the update_subcloud_states RPC
    to time out sometimes (especially if a subcloud is unreachable)
    and the dcmanager/dcorch states to get out of sync, with no
    recovery mechanism in place.
    
    To fix this, I have create a new initial sync manager in the
    dcorch. When the dcorch handles the update_subcloud_states RPC,
    it will now just update the subcloud to indicate that an initial
    sync is required and then reply to the RPC immediately. The
    initial sync manager will perform the initial sync in the
    background (separate greenthreads) and enable the subcloud when
    it has completed. I also enhanced the dcmanager subcloud audit
    to periodically send a state update for each subcloud to the
    dcorch, which will correct any state mismatches that might
    occur.
    
    Change-Id: I70b98d432c3ed56b9532117f69f02d4a0cff5742
    Closes-Bug: 1860999
    Closes-Bug: 1861157
    Signed-off-by: Bart Wensley <barton.wensley@windriver.com>

commit b3c2086acf9295b5b11bac4cdb3c918423cadc14
Author: Tao Liu <tao.liu@windriver.com>
Date:   Wed Feb 12 10:07:36 2020 -0500

Generate a hybrid bootloader from ISO
    
    Update subcloud installer to use the gen-bootloader-iso.sh
    utility to generate a hybrid bootloader from ISO
    
    Add no_check_certificate option to allow the user to disable
    the certificate check.
    
    Depends-On: https://review.opendev.org/#/c/707049/
    Story: 2006980
    Task: 38465
    
    Change-Id: I83b5d09ccd4076ee44360446b1ae1706c06cebdf
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit f3f6872b50822211a78888b4015ff9370be752b3
Author: Tao Liu <tao.liu@windriver.com>
Date:   Mon Feb 3 15:53:14 2020 -0500

Distributed Cloud: Large patch upload failed
    
    The third-party modules that used by the proxy service utilize
    the tempfile module to create interim files, under the default
    temp location.  As a result, a large patch upload failed due to
    "No space left on device".
    
    This update sets TMPDIR environment variable to
    /scratch/patch-api-proxy-tmpdir in the patch proxy service,
    so that the temp files will not use the default location.
    
    Change-Id: Iab4a8fefbab74047b3ec9f318397b21f75c1c5cb
    Closes-Bug: 1861329
    Signed-off-by: Tao Liu <tao.liu@windriver.com>

commit 6b95eb951a26fa05142143fa51d3cde99738dbee
Author: Bin Qian <bin.qian@windriver.com>
Date:   Wed Feb 5 14:41:17 2020 -0500

Adding job to upload commits to GitHub
    
    Add job to publish distcloud repo to GitHub
    
    Change-Id: I1825e823a5be37ede21b658297a108c0328b6fbf
    Story: 2007252
    Task: 38667
    Signed-off-by: Bin Qian <bin.qian@windriver.com>

StarlingX

Cannot install multiple trusted CA during bootstrap

Bug Description

Other bug subscribers

Remote bug watches