Commit Graph

40 Commits

Author SHA1 Message Date
Ruslan Aliev eaabbb2722 Disable ipv6 for bind9 named service
* Allow any recursion and cache queries for named svc
* Bump maas v3 to the actual version

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
2023-07-12 21:31:53 -05:00
Ruslan Aliev 23a2b557f1 Revert "Upgrading MAAS to v3"
This reverts commit 129d958a51.

Reason for revert: reverting back to 2.8.7 to modify chart

Change-Id: I68d3abfb19decc5eb470fcf43694506bc5edd4b6
2023-02-16 15:32:01 -06:00
Anselme, Schubbert (sa246v) 129d958a51
Upgrading MAAS to v3
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: I4b5a5f6a7e21d790cce13a5ccff9819f517cad64
2022-11-23 12:55:52 -05:00
Phil Sphicas 50b3d68905 Control bind9 and nginx resource usage
The named and nginx processes both try to use all available CPUs. In
addition, there is a bug in named that sometimes causes it to spin on a
FUTEX, pegging the CPU.

This change constrains those processes to a single CPU (overridable in
values.yaml), and includes /etc/bind/bind.keys in named.conf to avoid
the CPU spike.

Change-Id: I4a278023f5c0dd5e7bdee46891591b278f2ddcad
2021-11-10 23:35:50 -08:00
anthony.bellino 760f1c97cf Fix: Update maas controller version to 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
Change-Id: I3b2fa9a076ed2ac18a4c10da7554fda9c5b73b00
2021-10-05 13:11:51 -07:00
Crank, Daniel (dc6350) afd76b3c89 Add ca-certificates to images
This patchset adds ca-certificates to the maas-rack-controller and
maas-region-controller docker images, so the new ISRG Root X1
certificate will be included.

Change-Id: Ia721b14ddc7d9e12d422f482a2e2d7f6f2c09b37
2021-10-01 15:48:28 -05:00
Maximilian Weiss 2bddbbfb9d Update MAAS controller version to 2.8.7-8610-g.4a04daa43-0ubuntu1~18.04.1
Change-Id: Ia2cb9bbc0cb5a9333ffa3685536060d00985aa41
2021-09-21 15:33:27 +00:00
Phil Sphicas d6d9b4c857 Clean up names of patch files
This change renames the various patch files to reflect that they are
based on diffs against MAAS 2.8. Files that were previously listed as
2.3_*.patch originally were created against MAAS 2.3, but this is not
particularly relevant anymore.

Change-Id: I93ca4fc414f0983be62f0a8bae8ec699f3d4e7a0
2021-08-03 21:56:27 +00:00
Phil Sphicas b648edfe40 Deploy MAAS 2.8 on Ubuntu bionic
Image changes:
* base image ubuntu:18.04
* MAAS version 2.8.6-8602-g.07cdffcaa-0ubuntu1~18.04.1 from ppa/2.8
* default contents of /var/lib/maas are archived in /opt/maas
* updated patches:
  - 2.3_bios_grub_partition.patch, changed in maas [0]
  - 2.3_partitiontable_does_not_exist.patch, changed in maas [1] [2]
  - 2.3_secure_headers.patch, updated for twisted 17.9.0 [3]
* removed patches:
  - 2.3_bios_grub_preseed.patch, changed in maas, now N/A [0]
  - 2.3_hostheader.patch, fixed in maas [4]
  - 2.3_maas_enlist.patch, fixed in maas [5]
  - 2.3_mac_address.patch, fixed in maas [6]
* new patches:
  - 2.8_maas_ipmi_autodetect_tool.patch, enlistment reliability
* reformatted patches due to blackening change [1]:
  - 2.3_configure_ipmi_user.patch
  - 2.3_ipmi_error.patch
  - 2.3_kernel_package.patch, custom req to specify kernel package
  - 2.3_nic_filter.patch, custom req to ignore cali* interfaces
  - 2.3_region_secret_rotate.patch
  - 2.3_route.patch

Chart changes:
* maas-region podport is 5240
* maas config option http_boot is no longer configurable [7]
* start script restores some default files into /var/lib/maas
* register-rack-controller script removes old files in /etc/maas
* enlist userdata now matches commissioning/curtin userdata [8]
* force_gpt option is removed [9], as GPT is now the default
* update to configure remote_syslog in import resources job [10]
* enlist_commissioning is disabled for backwards compatibility [11]

0: d8e234eb09
1: db30bb39fa
2: 665feb7575
3: https://github.com/twisted/twisted/blob/twisted-17.9.0/src/twisted/web/server.py
4: 573da69729
5: d390a1da6a
6: 34631c2fe5
7: 0e94c26a53
8: 22641cffcc
9: 97c25a0486
10: d67c359c7b
11: 51b9712c20

Change-Id: I0685d76cf083ff5aa33c8db552059721289d5c53
2021-08-03 21:56:23 +00:00
Phil Sphicas 88353232aa Respect USE_PROXY=true for image builds
When using 'make USE_PROXY=true', the 'docker build' is executed with
the correct proxy-related build-args, but the Dockerfile does not
actually consume them.

This change updates the Dockerfiles to accept the following ARGs:
HTTP_PROXY, HTTPS_PROXY, NO_PROXY (upper or lowercase)

Change-Id: I6888d1f15f430e73338c269784ded9a0dea6c9ce
2020-06-11 15:22:09 +00:00
Phil Sphicas 25a71bc565 Eliminate sudo and pam_unix(sudo:session) log spam
MAAS rack and region controllers poll the status of services every
minute, cluttering the logs with messages like the ones below. This
change disables sudo logging for the maas user.

sudo[10061]:     maas : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl status ntp
sudo[10061]: pam_unix(sudo:session): session opened for user root by (uid=0)
sudo[10061]: pam_unix(sudo:session): session closed for user root

Change-Id: I18547c5248cf73743cd8c0f26c471854540936eb
2020-06-01 05:19:15 +00:00
Phil Sphicas a351d51b84 maas-region patch: PartitionTable does not exist
An API request for the list of partitions associated with a block device
should simply return an empty list if there are no partitions. Instead,
we get a maasserver.models.partitiontable.DoesNotExist exception. This
patch allows the API server to respond correctly.

Before:
maas admin partitions read x76dma 9
PartitionTable matching query does not exist.

After:
maas admin partitions read x76dma 9
Success.
Machine-readable output follows:
[]

Reference:
https://old-docs.maas.io/2.3/en/api#get-api20nodessystem_idblockdevicesdevice_idpartitions

Change-Id: I427a17686e257bbcc89843dead60f297b4903489
2020-05-03 02:04:18 +00:00
Chris Wedgwood 230c7e888a Disable avahi-daemon
avahi-daemon isn't useful or needed.  Disable.

Change-Id: Ic82c93e29e333477b06e0fc77edecdfdcb673531
2020-02-20 12:31:23 -06:00
Nishant Kumar d86e3fa479 Support rotation for maas region secret
More details on this bug - https://bugs.launchpad.net/maas/+bug/1850180

Change-Id: I52312ccec74a1973fdb7aebe3bfc6c0088004ad5
2019-10-30 20:26:20 +00:00
Scott Hussey a14389d411 Patch Twisted to secure response headers
- The 'Server' header on an HTTP response can be considered
  an information disclosure vulnerability.

Change-Id: I3b3f00005a61aa19199955d0d4549d81bc30c4d6
2019-10-10 17:32:32 -05:00
Zuul 418d66da10 Merge "fix: failed to render preseed with kernel flags (not k=v)" 2019-10-06 15:44:56 +00:00
Zuul 097af3779a Merge "Add retries to MaaS BMC user configuration" 2019-10-06 15:40:38 +00:00
Sphicas, Phil (ps3910) 06f63cc415 fix: failed to render preseed with kernel flags (not k=v)
When using tags with kernel_opts that contain standalone flags (e.g.
debug, rcu_nocb_poll, etc.), or anything not of the form param=value,
deployments fail with the following error:

Failed to render preseed: dictionary update sequence element #x has
length 1; 2 is required

This patchset accommodates these kernel flags, and also params with
multiple '=' signs (root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

Change-Id: I14cf1ca1e6a23e5fedf61e4a6b57bbc57cafc971
2019-10-05 20:02:09 -07:00
Sphicas, Phil (ps3910) 205c9e64ab trivial: maas-region container patches file twice
Avoid patching ipaddr.py twice. The currently duplicated section in
get_ip_addr() does not cause any problems, but it's a good idea to
clean it up:

    # Exclude interfaces that have duplicate MACs
    # such as OVS gretap and erspan interfaces
    ifaces = { k: v
               for k, v in ifaces.items()
               if v.get('mac', '') != '00:00:00:00:00:00'}
    # Exclude interfaces that have duplicate MACs
    # such as OVS gretap and erspan interfaces
    ifaces = { k: v
               for k, v in ifaces.items()
               if v.get('mac', '') != '00:00:00:00:00:00'}

Change-Id: Ia2be1e204246a320a45a00ec66f7e65c2880ba5c
2019-10-05 14:07:40 -07:00
Carter, Matt (mc981n) 48df9fd6f5 Add retries to MaaS BMC user configuration
It has been observed that MaaS will fail to enlist/commission/deploy
nodes if it fails to set up its own user in the BMC during cloud
init. This patch set adds a git patch file to update the MaaS source
code in order to retry setting up the MaaS BMC user if it fails.

This patch set also adds to the exception message sent when MaaS
fails to set up a BMC user.

Change-Id: I475988875acffac620302fae3eed8d236a5a46f7
2019-09-17 15:49:46 -05:00
Scott Hussey 7f50e96ff3 Open MAAS proxy ACL
- Allow requests from any source through the MAAS proxy
  so that traffic routed through maas-ingress will work

Change-Id: I91e40789ad45c0ea75c54eccbf37931156b224e3
2019-01-10 21:12:10 -06:00
Scott Hussey 2d71c24e0f [WIP] [fix] Patch issues in upstream MAAS
- maas-enlist does not work with hyphenated domains. Backport from
  upstream fix.
- Ignore MAC addresses of '00:00:00:00:00:00' to fix the issue of OVS
  breaking MAAS controller registration

Change-Id: I26b09bb35ef3bfc9424188dbf9fccf0ca3199441
2018-11-15 16:42:47 -06:00
Zuul e80d4e58eb Merge "Fix: git commit id labels on images" 2018-10-29 21:38:56 +00:00
Zuul 48c6c20a7f Merge "bugfix: Ensure kernel_package param is not required" 2018-10-19 16:06:50 +00:00
Alan Meadows 037bde9934 bugfix: Ensure kernel_package param is not required
A previous patchset introduced a new kernel
param option 'kernel_package.' This patch corrects
the logic in that so that the parameter is not a
required parameter - and if absent falls back to
the traditional MaaS behavior which will select the
latest kernel from the appropriate line.

Change-Id: Icc62b27e0f39914fb73fb9f655d9b7b0b6c6f489
2018-10-19 07:56:18 -07:00
Kaspars Skels e53cb2d237 Set MAAS internal proxy to 31800
Looks like the new version of MAAS has fixed a long-standing bug
https://bugs.launchpad.net/maas/+bug/1779712

This will match internal MAAS ports to NodePort.

Change-Id: I639a4c492eb80545c69fd132d3b2dc4cca524933
2018-10-19 09:06:28 -05:00
Alan Meadows cdfb1737da Bugfix Bios Grub Partition Behavior
MaaS 2.3.5 added bios grub partition changes that no
longer cared for the size of the storage device nor
whether it was a boot device.  This patch effectively
restores the original behavior which was also
reintroduced in MaaS 2.4.0.

Change-Id: I8b7b38fe42b005a656e6c5cab615c144b6a90b22
2018-10-18 09:46:33 -07:00
Roman Gorshunov c3a364c153 Fix: git commit id labels on images
1) Use OCI Image Specs for labels instead of custom 'commit-id=xxxxx'
   or legacy "Label Schema"
2) Fix missing git commit id labels on images (.revision)
3) Add human-readable title (.title) of the image, URL (.url), and
   a few other properties (annotations) according to the latest Specs

Change-Id: I8ee3aef8d64efe6237f630caab3683f7137d4e68
2018-10-17 20:35:40 +02:00
Alan Meadows 52ddfdcf4d Add support for specific kernel package selection
by tagging a node with a tag of 'kernel_package' with
a value of the explicit package name which will drive
the curtin installer.

Change-Id: I67c8395c30bcb538859947f7406a433fb18a981b
2018-10-16 14:04:16 -07:00
Crank, Daniel (dc6350) 56521ab77c [470918] Update MaaS to 2.3.5
Updating MaaS to 2.3.5, as 2.3.0 appears to no longer be
available in the Ubuntu repo.

Change-Id: I5afb38d8e73485be1ab05a9ac2a18e1befe70152
2018-10-11 09:03:46 -05:00
Roman Gorshunov d5448b360e Fix: various documentation and URL fixes
1) UCP -> Airship
2) readthedocs.org -> readthedocs.io (there is redirect)
3) http -> https
4) attcomdev -> airshipit (repo on quay.io)
5) att-comdev -> openstack/airship-* (repo on github/openstack git)
6) many URLs have been verified and adjusted to be current
7) no need for 'en/latest/' path in URL of the RTD
8) added more info to some setup.cfg and setup.py files
9) ucp-integration docs are now in airship-in-a-bottle
10) various other minor fixes

Change-Id: I8fe2ac12a3e104309e818d956313693c3ba6f7cc
2018-09-24 12:53:27 +02:00
Jerome Brette bfa8c97d3a Update Dockerfile to allow override of FROM variable
1. The goal is to let the user customize the base image of the component
by passing FROM=myimage during the build process. This would let any
project leveraging Airship ensure that the base image is matching the
security requirements for that project and still use the same Dockerfile.
This will also ease the control of the /etc/apt/source.list
and thereby the result of apt-get update/upgrade procedure.
2. The above goal is achievable by using docker-ce feature such as:
ARG FROM="defaultbaseimage:xx"
FROM ${FROM}
For this reason, the installation of docker.io in the Zuul gating is being
replaced by docker-ce.
3. Third Goal is to bring consistency with the other components leveraging
Helm such as the openstack-helm and potentially use bindep the same way
the LOCI images are to ensure
4. The new syntax in the Dockerfile is still commented out until the associated
image builder have been updated to use docker-ce as they have been for the LOCI
images.

Change-Id: I9a9d63329bea2b562f297705dc51661896a592f2
2018-07-17 16:36:20 -05:00
Pete Birley 426f8dacf3 MaaS: Slightly clean systemd and enable Stdout logging for journald
This PS updates the charts and images for running systemd in a more
Kubernetes-friendly way:
 - The host's cgroupfs is mounted read-only
 - Required mounts are created (tmp tmp/lock)
 - A tty is created for the container
 - A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-16 15:58:11 +00:00
Scott Hussey a9301c146b [Fix] Ubuntu 18.04 broke default MAAS configs
- Add a selection to explicitly choose the Ubuntu release
- Add a gate for rack controller image sync before attempting to
  configure ephemeral image selection

Change-Id: Id8397d79fa5d136d78923f838c624283fad3d769
2018-05-02 21:58:08 -05:00
Scott Hussey 524188787c [Fix] Patch MaaS recursion limit issue
- Bug 1729715 causes a regiond exception due to infinite
  recursion. Apply a proposed patch to attempt a fix.

Change-Id: I025cdddfa7f6786e327987e2a245980a54d5ffd3
2018-04-10 11:36:41 -05:00
Scott Hussey 1df0ad3c6d Fix for unconfigured static routes
- Hot-patch MaaS code so that the cloud-init
  network configuration YAML places static routes
  within the interface configuration that is the
  source network for the route. This should fix route
  volatility on deployment caused by the default behavior
  of all static routes going to the bottom of the network
  configuration and thus being attached to the last interface
  defined

Change-Id: Ibe04000dafc21b37386777968c43e1b34e1a9838
2018-03-06 16:25:21 -06:00
Scott Hussey ec58f85762 Patch MAAS to render correct proxy url
MAAS hard codes the proxy URL passed to
bootstrapping nodes w/ port 8000. The proxy
URL needs to support the nodeport standard
currently used.

- Patch MAAS to render the apt proxy url using
  maas_url from regiond.conf
- Use hardcoded port 31800 instead of 8000

Change-Id: I9d2ed35fb3947be51bc9c9e2b5f13f1144b4e927
2018-01-29 09:55:58 -06:00
Scott Hussey 8b29fb6bdf Fix for 2.3 metadata_url bug
This is a temporary workaround patch
to resolve https://bugs.launchpad.net/maas/+bug/1743005

- Update chart to point at patched image sthussey/maas-region:2.3_patch

Change-Id: I8c631da1b4b555523485d666cea22cb2dbaeff26
2018-01-29 09:55:58 -06:00
Scott Hussey fa06f61461 Update chart for MaaS 2.3
- Default images to MaaS 2.3
- Add Peer Proxy support (double proxy)

Change-Id: I2d064a96f0e551b3514c841056bdda5c4571e4a7
2018-01-04 21:13:24 -06:00
Scott Hussey 840075ca88 Move Dockerfiles into maas repo
- Move Dockerfile for MaaS region controller to this repo
- Move Dockerfile for MaaS rack controller to this repo
- Create Makefile with standard UCP entrypoints for image building
- Clean up chart to pass 'make lint'
- Update Dockerfiles to pin apt packages to explicit maas version

Change-Id: I4a540b16a4f75f4a1aae1eb9cfb1bb7a16de18d6
2017-11-27 12:40:00 -06:00