* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.
This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.
Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
Sometimes the ephemeral environment needs additional cloud-init data.
This change allows user-data sections to be added to the default files
in /etc/maas/preseeds: enlist, commissioning, and curtin.
For example, to resolve issues with 'apt-get update' failures during
enlistment, something like this may be necessary:
conf:
  cloudconfig:
    override: true
    sections:
      bootcmd:
        - "rm -fr /var/lib/apt/lists"
Change-Id: I817006a799003ace3f35d02507489720b0f9079b
This updates the maas chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag
Change-Id: I1eba6ab3a7c27ddcb3e8ddc8e743b91dc5e521c3
- Add a new pod running syslog to receive syslog
messages containing the console logs of bootstrapping
nodes. This aids in troubleshooting without requiring
accessing the OOB console.
- Add a UDP forwarder to the MAAS ingress controller
as nodes attempt to send syslogs to UDP 514 of the region
controller
Change-Id: I3f508225f4394a90c6f2534a51f262b42c1afa4e
The maas-rack and maas-region containers can successfully run and function
as non-privileged if given the appropriate Linux capabilities. This change
is a security enhancement as the maas-rack and maas-region containers now only
have access to the capabilities they need to do their jobs - instead of having full
root access.
The capabilities listed in the `statefulset-rack` and `statefulset-region`
charts function as a whitelist in that the maas-rack and maas-region containers
only have access to the Linux capabilities listed in their SecurityContext
along with the default capabilities that Docker gives to unprivileged containers.
The default list of capabilities includes the following:
- SETPCAP
- MKNOD
- AUDIT_WRITE
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- SETGID
- SETUID
- NET_BIND_SERVICE
- SYS_CHROOT
- SETFCAP
The bcc-capable tool [0] was used to discover which Linux capabilities the
maas-rack and maas-region containers invoke. The capable tool has the ability
to record the Linux capabilities that are invoked by all the processes running
in the container. While still running as privileged, the capable tool was
installed and run within the container during maas bootstrapping. When
bootstrapping was complete, the list of Linux capabilities was reviewed and
added to the appropriate charts.
[0] https://github.com/iovisor/bcc/blob/master/tools/capable.py
Change-Id: I11cf1da8ea8219320c4d3028502c133391116201
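As an added example (not code from any of these commits or from the MAAS chart), the script below turns the kind of per-process trace that the bcc capable tool records into the two lists a least-privilege SecurityContext review needs: capabilities that must be added on top of the Docker defaults, and default capabilities that were never observed and are therefore candidates to drop. The trace lines are constructed, and the column layout (TIME UID PID COMM CAP NAME AUDIT) is assumed to match capable.py's default output:

```python
"""Aggregate bcc `capable` trace output into SecurityContext capability lists."""
import re
from collections import defaultdict

# Capabilities Docker grants to unprivileged containers (as listed in the commit).
DOCKER_DEFAULT_CAPS = {
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
}

# Constructed sample trace; NOT output captured from a real maas-rack container.
SAMPLE_TRACE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
12:00:01  0      1234   dhcpd            13   CAP_NET_RAW          1
12:00:01  0      1234   dhcpd            12   CAP_NET_ADMIN        1
12:00:02  0      1301   tgtd             10   CAP_NET_BIND_SERVICE 1
12:00:03  0      1402   python3          21   CAP_SYS_ADMIN        1
12:00:03  0      1402   python3          21   CAP_SYS_ADMIN        0
12:00:04  0      1500   chronyd          25   CAP_SYS_TIME         1
"""

# TIME UID PID COMM CAP NAME AUDIT; captures COMM, the name without CAP_, and AUDIT.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+)\s+\d+\s+CAP_(\S+)\s+(\d)")


def parse_capable(trace: str, audited_only: bool = False) -> dict:
    """Map each process name (COMM) to the set of capability names it invoked.

    AUDIT=0 rows are checks the kernel did not audit (opportunistic probes);
    pass audited_only=True to ignore them when building a tighter whitelist.
    """
    caps_by_comm = defaultdict(set)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we cannot parse
        comm, cap, audit = m.groups()
        if audited_only and audit != "1":
            continue
        caps_by_comm[comm].add(cap)
    return dict(caps_by_comm)


def security_context_caps(caps_by_comm: dict) -> dict:
    """Return caps to 'add' beyond the Docker defaults and unused defaults to consider dropping."""
    observed = set().union(*caps_by_comm.values()) if caps_by_comm else set()
    return {
        "add": sorted(observed - DOCKER_DEFAULT_CAPS),
        "unused_defaults": sorted(DOCKER_DEFAULT_CAPS - observed),
    }
```

The "add" list is what goes into the container's SecurityContext capabilities; "unused_defaults" is a review list, since a capability that never showed up during bootstrapping may still be needed later.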
- This PS adds support for password rotation for 'maas-region' password
and 'maas-postgres-password'.
- This PS enables MAAS to use the newly created helm-toolkit
script for postgreSQL DB initialization
Depends-On: https://review.openstack.org/#/c/635348/
Change-Id: Ibb36761351d8c34933a3bb71555bb23e8247a069
All containers were already running in non-privileged
containers except region-controller and rack-controller.
Both of those require privileged containers but
can still function with the docker-default apparmor
profile applied.
This PS uses the new, more generic HTK snippet name
(see https://review.openstack.org/613703).
Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
Upgrades to the MAAS chart to allow for the Pods
running the rack and region services to work across
all control plane hosts.
Change-Id: I84c856599a1122a2b4a64242a7cea357887b0462
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.
Change-Id: I994f9eb9cd75947ee36276a542fa23cc547065e0
This PS updates the maas chart to support modern helm toolkits.
Change-Id: Id70343afdec622dc84b89b0d7f496e9ef498ea6b
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the charts and images for running systemd in a more
kubernetes-friendly way:
- The host's cgroupfs is mounted read-only
- Required mounts are created (tmp, tmp/lock)
- A tty is created for the container
- A unit is added to each image that streams journald to stdout
Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.
Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>
- Add support for optionally mounting a
private key for the maas user to access
remote hosts via ssh (e.g. virsh)
- Add libvirt-bin to the rack controller
Change-Id: I18efb6a6947a5a5f91800bf6494b7d9d15d8aaf2
This allows ntpd to be disabled in both the privileged
rack and region controllers for use cases where we
do not wish these processes to conflict with ntpd
on the physical host running the containers. This
method as opposed to overriding sysvinit style scripts
and potentially other ways to launch ntpd that may
exist appears to be the safest way to ensure it does
not ever run.
Change-Id: Ib52727becc1849a2a75d2d62d1c51553047a8fcf
- To allow MAAS to support 3rd party hardware drivers that do
not come bundled, allow the chart to override /etc/maas/drivers.yaml
with user-specified values.
Change-Id: I2f9930719aeaeacb135670224ffc1c99752c987f
- Fully support Postgres configuration
in the endpoints stanza
- Add RBAC support to the region and rack
pods
- Add custom RBAC for export API key job
to allow secret creation
Change-Id: I9d0b63ac329bb0b9539b14123c5e16ad3cd1c9f0
For better security use Kubernetes secrets
to set environmental variables for the
bootstrapping job
- Create secret manifest for the MaaS admin user
- Update job-bootstrap-admin-user to use secret for environment
setup
- Update job-export-api-key to source admin username
from secret
- Update job-import to source admin username
from secret
Change-Id: I0ea5a5517c5a90f481c459e836f081f3d2744dad
- If conf.cache.enabled is true, deploy a sidecar container
in the region pod with a simplestreams repo populated with an Ubuntu image
- If conf.cache.enabled is true, configure MaaS to source the image
from the sidecar
- Update README
Closes #1
Change-Id: I968614d6fb7ca86589dc6e2efd1f66ae920d03a8
- Add Values.conf.curtin.override switch for enabling/disabling whether
the default curtin_userdata is overwritten
- Update the customized template for curtin_userdata to be compatible
with the Drydock boot action system
Change-Id: I90c317725dfdd34a756e90425c9c3fcfcc6911db