Commit Graph

29 Commits

Author SHA1 Message Date
Ruslan Aliev eaabbb2722 Disable ipv6 for bind9 named service
* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
2023-07-12 21:31:53 -05:00
Ruslan Aliev 23a2b557f1 Revert "Upgrading MAAS to v3"
This reverts commit 129d958a51.

Reason for revert: reverting back to 2.8.7 to modify chart

Change-Id: I68d3abfb19decc5eb470fcf43694506bc5edd4b6
2023-02-16 15:32:01 -06:00
Anselme, Schubbert (sa246v) 129d958a51
Upgrading MAAS to v3
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: I4b5a5f6a7e21d790cce13a5ccff9819f517cad64
2022-11-23 12:55:52 -05:00
Phil Sphicas 50b3d68905 Control bind9 and nginx resource usage
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.

This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.

Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
2021-11-10 23:35:50 -08:00
anthony.bellino 760f1c97cf Fix: Update maas controller version to 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
Change-Id: I3b2fa9a076ed2ac18a4c10da7554fda9c5b73b00
2021-10-05 13:11:51 -07:00
Crank, Daniel (dc6350) afd76b3c89 Add ca-certificates to images
This patchset adds ca-certificates to the maas-rack-controller and
maas-region-controller docker images, so the new ISRG Root X1
certificate will be included.

Change-Id: Ia721b14ddc7d9e12d422f482a2e2d7f6f2c09b37
2021-10-01 15:48:28 -05:00
Maximilian Weiss 2bddbbfb9d Update MAAS controller version to 2.8.7-8610-g.4a04daa43-0ubuntu1~18.04.1
Change-Id: Ia2cb9bbc0cb5a9333ffa3685536060d00985aa41
2021-09-21 15:33:27 +00:00
Phil Sphicas 2e94c847ac Adjust Redfish retry interval
Patch the redfish driver to retry requests less aggressively, using
values that match the IPMI driver [0], instead of the defaults [1].

This helps prevent HTTP 409 and HTTP 500 errors.

0: https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/power/ipmi.py?h=2.8.6#n234
1: https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/power/__init__.py?h=2.8.6#n42

Change-Id: Ia41aafd04a6b8439e04fdd6d9f867a79f74789e1
2021-08-03 21:56:31 +00:00
Phil Sphicas d6d9b4c857 Clean up names of patch files
This change renames the various patch files to reflect that they are
based on diffs against MAAS 2.8. Files that were previously listed as
2.3_*.patch originally were created against MAAS 2.3, but this is not
particularly relevant anymore.

Change-Id: I93ca4fc414f0983be62f0a8bae8ec699f3d4e7a0
2021-08-03 21:56:27 +00:00
Phil Sphicas b648edfe40 Deploy MAAS 2.8 on Ubuntu bionic
Image changes:
* base image ubuntu:18.04
* MAAS version 2.8.6-8602-g.07cdffcaa-0ubuntu1~18.04.1 from ppa/2.8
* default contents of /var/lib/maas are archived in /opt/maas
* updated patches:
  - 2.3_bios_grub_partition.patch, changed in maas [0]
  - 2.3_partitiontable_does_not_exist.patch, changed in maas [1] [2]
  - 2.3_secure_headers.patch, updated for twisted 17.9.0 [3]
* removed patches:
  - 2.3_bios_grub_preseed.patch, changed in maas, now N/A [0]
  - 2.3_hostheader.patch, fixed in maas [4]
  - 2.3_maas_enlist.patch, fixed in maas [5]
  - 2.3_mac_address.patch, fixed in maas [6]
* new patches:
  - 2.8_maas_ipmi_autodetect_tool.patch, enlistment reliability
* reformatted patches due to blackening change [1]:
  - 2.3_configure_ipmi_user.patch
  - 2.3_ipmi_error.patch
  - 2.3_kernel_package.patch, custom req to specify kernel package
  - 2.3_nic_filter.patch, custom req to ignore cali* interfaces
  - 2.3_region_secret_rotate.patch
  - 2.3_route.patch

Chart changes:
* maas-region podport is 5240
* maas config option http_boot is no longer configurable [7]
* start script restores some default files into /var/lib/maas
* register-rack-controller script removes old files in /etc/maas
* enlist userdata now matches commissioning/curtin userdata [8]
* force_gpt option is removed [9], as GPT is now the default
* update to configure remote_syslog in import resources job [10]
* enlist_commissioning is disabled for backwards compatibility [11]

0: d8e234eb09
1: db30bb39fa
2: 665feb7575
3: https://github.com/twisted/twisted/blob/twisted-17.9.0/src/twisted/web/server.py
4: 573da69729
5: d390a1da6a
6: 34631c2fe5
7: 0e94c26a53
8: 22641cffcc
9: 97c25a0486
10: d67c359c7b
11: 51b9712c20

Change-Id: I0685d76cf083ff5aa33c8db552059721289d5c53
2021-08-03 21:56:23 +00:00
Phil Sphicas 88353232aa Respect USE_PROXY=true for image builds
When using 'make USE_PROXY=true', the 'docker build' is executed with
the correct proxy-related build-args, but the Dockerfile does not
actually consume them.

This change updates the Dockerfiles to accept the following ARGs:
HTTP_PROXY, HTTPS_PROXY, NO_PROXY (upper or lowercase)

Change-Id: I6888d1f15f430e73338c269784ded9a0dea6c9ce
2020-06-11 15:22:09 +00:00
Phil Sphicas 25a71bc565 Eliminate sudo and pam_unix(sudo:session) log spam
MAAS rack and region controllers poll the status of services every
minute, cluttering the logs with messages like the ones below. This
change disables sudo logging for the maas user.

sudo[10061]:     maas : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl status ntp
sudo[10061]: pam_unix(sudo:session): session opened for user root by (uid=0)
sudo[10061]: pam_unix(sudo:session): session closed for user root

Change-Id: I18547c5248cf73743cd8c0f26c471854540936eb
2020-06-01 05:19:15 +00:00
Phil Sphicas 03ebbaaca3 maas-rack image: improve IPMI error handling
MAAS uses ipmipower to power nodes on and off. The ipmipower command
sometimes fails with the message:
    x.x.x.x: BMC error
but exits with a return code of 0.

Because MAAS is not aware of this specific error, and is also not able
to detect the power state from the output, the built-in retry logic is
not used, resulting in failed deployments or nodes in Power Error.

This patch adds "BMC error" to the list of known retriable errors, and
also adds additional retries.

Error strings from ipmipower 1.4:
http://git.savannah.gnu.org/cgit/freeipmi.git/tree/ipmipower/ipmipower_output.c?h=Release-1_4_0_branch#n52

IPMI_ERRORS known to MAAS 2.3:
https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/power/ipmi.py?h=2.3#n50

Change-Id: Ia4b10e47855d67ba81e9ab800be3d780f8b38cac
2019-11-29 09:42:45 -08:00
Scott Hussey a14389d411 Patch Twisted to secure response headers
- The 'Server' header on a HTTP response can be considered
  an information disclosure vulnerability.

Change-Id: I3b3f00005a61aa19199955d0d4549d81bc30c4d6
2019-10-10 17:32:32 -05:00
Scott Hussey 8d56122554 (fix) Give systemd service access to env
- The service to register the rack controller pod does not
  have access to the MAAS_API_KEY env var so it fails to deregister
  when needed.

Change-Id: I16bc63ef14a2dab463dfdca11b7e3ca13d508a9e
2019-01-25 11:22:59 -06:00
Scott Hussey 617607e426 (fix) Fix static ports in MAAS ingress
- Some residual static configuration was left in the MAAS ingress
  deployment template. Update it to render the ingress ports from
  endpoints and also to remove the TCP forwarder for the MAAS
  region API and instead use a standard Ingress resource.

Change-Id: I7764d48ea919147503e9bf2521c52cb6f0028538
2018-12-07 22:18:45 +00:00
Scott Hussey b4d6562bba (fix) Fix import job race condition
- If the import job triggers before the rack controller pod(s)
  have registered w/ the region controller, then it must fully timeout
  and then reschedule to pass. Update it so that each time it checks for
  rack controller image sync, it updates the list of all registered
  rack controllers.
- Update register service to be part of Dockerfile so it can be
  enabled.

Change-Id: I72e190d472ad259da65b2e583b2a16d8adf660f5
2018-11-19 14:50:19 -06:00
Scott Hussey 2d71c24e0f [WIP] [fix] Patch issues in upstream MAAS
- maas-enlist does not work with hyphenated domains. Backport from
  upstream fix.
- Ignore MAC addresses of '00:00:00:00:00:00' to fix the issue of OVS
  breaking MAAS controller registration

Change-Id: I26b09bb35ef3bfc9424188dbf9fccf0ca3199441
2018-11-15 16:42:47 -06:00
Scott Hussey 1c0485e3e6 Support MAAS HA
- Create two replicas of rack and region pods
- Use required anti-affinity between rack pods
- Remove the MAAS ingress controller from the rack pod
  and into dedicated deployment
- Update rack registration script to harvest the systemid
  from the underlying host when available

Change-Id: I41e21b7bb5256d04b37a70fbd2088c617b5d239a
2018-11-05 21:08:15 +00:00
Roman Gorshunov c3a364c153 Fix: git commit id labels on images
1) Use OCI Image Specs for labels instead of custom 'commit-id=xxxxx'
   or legacy "Label Schema"
2) Fix missing git commit id labels on images (.revision)
3) Add human-readable title (.title) of the image, URL (.url), and
   a few other properties (annotations) according to the latest Specs

Change-Id: I8ee3aef8d64efe6237f630caab3683f7137d4e68
2018-10-17 20:35:40 +02:00
Crank, Daniel (dc6350) 56521ab77c [470918] Update MaaS to 2.3.5
Updating MaaS to 2.3.5, as 2.3.0 appears to no longer be
available in the Ubuntu repo.

Change-Id: I5afb38d8e73485be1ab05a9ac2a18e1befe70152
2018-10-11 09:03:46 -05:00
Roman Gorshunov d5448b360e Fix: various documentation and URL fixes
1) UCP -> Airship
2) readthedocs.org -> readthedocs.io (there is redirect)
3) http -> https
4) attcomdev -> airshipit (repo on quay.io)
5) att-comdev -> openstack/airship-* (repo on github/openstack git)
6) many URLs have been verified and adjusted to be current
7) no need for 'en/latest/' path in URL of the RTD
8) added more info to some setup.cfg and setup.py files
9) ucp-integration docs are now in airship-in-a-bottle
10) various other minor fixes

Change-Id: I8fe2ac12a3e104309e818d956313693c3ba6f7cc
2018-09-24 12:53:27 +02:00
Jerome Brette bfa8c97d3a Update Dockerfile to allow override of FROM variable
l is to let user customize the base image of the component
by passing FROM=myimage during the build process. This would let any
project leveraging Airship ensure that the base image is matching the
security requirements for that project and still use the same Dockerfile.
This will also ease the control of the /etc/apt/source.list
and thereby the result of apt-get update/upgrade procedure.
2. The above goal is achievable by using docker-ce feature such as:
ARG FROM="defaultbaseimage:xx"
FROM ${FROM}
For this reason, the installation of docker.io in the Zuul gating is being
replaced by docker-ce.
3. Third Goal is to bring consistency with the other components leveraging
Helm such as the openstack-helm and potentially use bindep the same way
the LOCI images are to ensure
4. The new syntax in the Dockerfile is still commented out until the associated
image builder have been updated to use docker-ce as they have been for the LOCI
images.

Change-Id: I9a9d63329bea2b562f297705dc51661896a592f2
2018-07-17 16:36:20 -05:00
Scott Hussey b09fee26b8 (fix) Make rackd stateful
- Use a statefulset and PVC to make rackd systemid assignment
  stateful between pod restarts. This is to alleviate instability
  in MAAS upgrades.

Change-Id: Iea5c3d3897b561d4ba479203ee6aec5885282e1a
2018-06-29 07:37:28 -05:00
Scott Hussey 7af3ee9347 (fix) Disable libvirt service
- Rearrange Dockerfile layers to run the systemd link
  deletion statement to after the install of the libvirtd
  package

Change-Id: I49b0cb4ef4ebf6e92d2f99a7137387a5018ed3b5
2018-06-25 12:56:56 -05:00
Pete Birley 426f8dacf3 MaaS: Slightly clean systemd and enable Stdout logging for journald
This PS updates the charts and images for running systemd in a more
Kubernetes-friendly way:
 - The host's cgroupfs is mounted read-only
 - Required mounts are created (tmp tmp/lock)
 - A tty is created for the container
 - A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-16 15:58:11 +00:00
Scott Hussey 791e49c519 [Chart] support ssh private key
- Add support for optionally mounting a
  private key for the maas user to access
  remote hosts via ssh (e.g. virsh)
- Add libvirt-bin to the rack controller

Change-Id: I18efb6a6947a5a5f91800bf6494b7d9d15d8aaf2
2018-05-02 21:58:08 -05:00
Scott Hussey fa06f61461 Update chart for MaaS 2.3
- Default images to MaaS 2.3
- Add Peer Proxy support (double proxy)

Change-Id: I2d064a96f0e551b3514c841056bdda5c4571e4a7
2018-01-04 21:13:24 -06:00
Scott Hussey 840075ca88 Move Dockerfiles into maas repo
- Move Dockerfile for MaaS region controller to this repo
- Move Dockerfile for MaaS rack controller to this repo
- Create Makefile with standard UCP entrypoints for image building
- Clean up chart to pass 'make lint'
- Update Dockerfiles to pin apt packages to explicit maas version

Change-Id: I4a540b16a4f75f4a1aae1eb9cfb1bb7a16de18d6
2017-11-27 12:40:00 -06:00