From a2cc9609d17a4323f97ffe284997d715550c864a Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Mon, 3 Apr 2023 09:54:18 -0400 Subject: [PATCH] Upgrade MAAS This PS upgrades maas to version 3.2 (focal) and also adds maas version 3.4 (jammy) 
Signed-off-by: Anselme, Schubert (sa246v) Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952 --- .gitignore | 2 + charts/maas/Chart.yaml | 3 +- charts/maas/requirements.lock | 6 + charts/maas/templates/bin/_enable-tls.sh.tpl | 19 ++ .../bin/_import-boot-resources.sh.tpl | 246 +++++++++--------- charts/maas/templates/bin/_maas-test.sh.tpl | 90 +++---- .../templates/certificate-maas-ingress.yaml | 32 +++ charts/maas/templates/certificate-maas.yaml | 35 +++ charts/maas/templates/configmap-bin.yaml | 4 + .../templates/deployment-ingress-errors.yaml | 2 +- charts/maas/templates/ingress-region.yaml | 9 + charts/maas/templates/job-enable-tls.yaml | 79 ++++++ charts/maas/templates/job-import.yaml | 14 + charts/maas/templates/secret-maas-tls.yaml | 29 +++ .../templates/service-ingress-headless.yaml | 4 + charts/maas/templates/statefulset-rack.yaml | 14 + charts/maas/templates/statefulset-region.yaml | 14 + .../maas/templates/tests/test-maas-init.yaml | 20 +- charts/maas/values.yaml | 27 +- ...llow_query.patch => 3.2_allow_query.patch} | 2 +- ..._ipmi_error.patch => 3.2_ipmi_error.patch} | 6 +- ..._nic_filter.patch => 3.2_nic_filter.patch} | 4 +- ...etries.patch => 3.2_redfish_retries.patch} | 6 +- ...headers.patch => 3.2_secure_headers.patch} | 6 +- images/maas-rack-controller-focal/Dockerfile | 24 +- .../3.4_allow_query.patch} | 2 +- .../3.4_ipmi_error.patch | 27 ++ .../3.4_nic_filter.patch | 13 + .../3.4_redfish_retries.patch | 12 + .../3.4_secure_headers.patch | 12 + images/maas-rack-controller-jammy/Dockerfile | 85 ++++++ images/maas-rack-controller-jammy/README.md | 1 + .../scripts/journalctl-to-tty.service | 13 + .../scripts/register-rack-controller.service | 12 + .../3.0_bios_grub_partition.patch | 13 - .../3.2_allow_query.patch | 15 ++ .../3.2_bios_grub_partition.patch | 12 + ...er.patch => 3.2_configure_ipmi_user.patch} | 16 +- ...package.patch => 3.2_kernel_package.patch} | 13 +- ...> 3.2_partitiontable_does_not_exist.patch} | 2 +- ....0_proxy_acl.patch => 
3.2_proxy_acl.patch} | 0 ..._regex_tags.patch => 3.2_regex_tags.patch} | 16 +- ...e.patch => 3.2_region_secret_rotate.patch} | 5 +- .../{3.0_route.patch => 3.2_route.patch} | 14 +- ...headers.patch => 3.2_secure_headers.patch} | 6 +- .../maas-region-controller-focal/Dockerfile | 44 ++-- .../3.4_allow_query.patch | 15 ++ .../3.4_bios_grub_partition.patch | 12 + .../3.4_configure_ipmi_user.patch | 52 ++++ .../3.4_kernel_package.patch | 31 +++ .../3.4_partitiontable_does_not_exist.patch | 13 + .../3.4_proxy_acl.patch | 10 + .../3.4_regex_tags.patch | 24 ++ .../3.4_route.patch | 17 ++ .../3.4_secure_headers.patch | 12 + .../maas-region-controller-jammy/Dockerfile | 91 +++++++ images/maas-region-controller-jammy/README.md | 1 + .../journalctl-to-tty.service | 13 + 58 files changed, 1045 insertions(+), 276 deletions(-) create mode 100644 charts/maas/requirements.lock create mode 100644 charts/maas/templates/bin/_enable-tls.sh.tpl create mode 100644 charts/maas/templates/certificate-maas-ingress.yaml create mode 100644 charts/maas/templates/certificate-maas.yaml create mode 100644 charts/maas/templates/job-enable-tls.yaml create mode 100644 charts/maas/templates/secret-maas-tls.yaml rename images/maas-rack-controller-focal/{3.0_allow_query.patch => 3.2_allow_query.patch} (94%) rename images/maas-rack-controller-focal/{3.0_ipmi_error.patch => 3.2_ipmi_error.patch} (90%) rename images/maas-rack-controller-focal/{3.0_nic_filter.patch => 3.2_nic_filter.patch} (84%) rename images/maas-rack-controller-focal/{3.0_redfish_retries.patch => 3.2_redfish_retries.patch} (82%) rename images/maas-rack-controller-focal/{3.0_secure_headers.patch => 3.2_secure_headers.patch} (91%) rename images/{maas-region-controller-focal/3.0_allow_query.patch => maas-rack-controller-jammy/3.4_allow_query.patch} (94%) create mode 100644 images/maas-rack-controller-jammy/3.4_ipmi_error.patch create mode 100644 images/maas-rack-controller-jammy/3.4_nic_filter.patch create mode 100644 
images/maas-rack-controller-jammy/3.4_redfish_retries.patch create mode 100644 images/maas-rack-controller-jammy/3.4_secure_headers.patch create mode 100644 images/maas-rack-controller-jammy/Dockerfile create mode 100644 images/maas-rack-controller-jammy/README.md create mode 100644 images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service create mode 100644 images/maas-rack-controller-jammy/scripts/register-rack-controller.service delete mode 100644 images/maas-region-controller-focal/3.0_bios_grub_partition.patch create mode 100644 images/maas-region-controller-focal/3.2_allow_query.patch create mode 100644 images/maas-region-controller-focal/3.2_bios_grub_partition.patch rename images/maas-region-controller-focal/{3.0_configure_ipmi_user.patch => 3.2_configure_ipmi_user.patch} (86%) rename images/maas-region-controller-focal/{3.0_kernel_package.patch => 3.2_kernel_package.patch} (73%) rename images/maas-region-controller-focal/{3.0_partitiontable_does_not_exist.patch => 3.2_partitiontable_does_not_exist.patch} (94%) rename images/maas-region-controller-focal/{3.0_proxy_acl.patch => 3.2_proxy_acl.patch} (100%) rename images/maas-region-controller-focal/{3.0_regex_tags.patch => 3.2_regex_tags.patch} (81%) rename images/maas-region-controller-focal/{3.0_region_secret_rotate.patch => 3.2_region_secret_rotate.patch} (95%) rename images/maas-region-controller-focal/{3.0_route.patch => 3.2_route.patch} (66%) rename images/maas-region-controller-focal/{3.0_secure_headers.patch => 3.2_secure_headers.patch} (91%) create mode 100644 images/maas-region-controller-jammy/3.4_allow_query.patch create mode 100644 images/maas-region-controller-jammy/3.4_bios_grub_partition.patch create mode 100644 images/maas-region-controller-jammy/3.4_configure_ipmi_user.patch create mode 100644 images/maas-region-controller-jammy/3.4_kernel_package.patch create mode 100644 images/maas-region-controller-jammy/3.4_partitiontable_does_not_exist.patch create mode 100644 
images/maas-region-controller-jammy/3.4_proxy_acl.patch create mode 100644 images/maas-region-controller-jammy/3.4_regex_tags.patch create mode 100644 images/maas-region-controller-jammy/3.4_route.patch create mode 100644 images/maas-region-controller-jammy/3.4_secure_headers.patch create mode 100644 images/maas-region-controller-jammy/Dockerfile create mode 100644 images/maas-region-controller-jammy/README.md create mode 100644 images/maas-region-controller-jammy/journalctl-to-tty.service diff --git a/.gitignore b/.gitignore index 6ae6960..63d412f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ # Distribution / packaging build/ *.tgz +charts/deps/ +!charts/deps/.gitkeep diff --git a/charts/maas/Chart.yaml b/charts/maas/Chart.yaml index 35e2830..05d8695 100755 --- a/charts/maas/Chart.yaml +++ b/charts/maas/Chart.yaml @@ -15,7 +15,8 @@ apiVersion: v1 description: Chart to run Canonical MaaS name: maas -version: 0.1.5 +version: 0.1.6 +appVersion: 3.2.9 home: https://docs.ubuntu.com/maas sources: - https://git.launchpad.net/maas diff --git a/charts/maas/requirements.lock b/charts/maas/requirements.lock new file mode 100644 index 0000000..07bc73f --- /dev/null +++ b/charts/maas/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: helm-toolkit + repository: file://../deps/helm-toolkit + version: 0.2.54 +digest: sha256:ffbfe5c88704dc3f39eaea0b97f2355de43e9667bec2385bd1a0bc5771ff32f3 +generated: "2023-08-11T09:29:34.123882-04:00" diff --git a/charts/maas/templates/bin/_enable-tls.sh.tpl b/charts/maas/templates/bin/_enable-tls.sh.tpl new file mode 100644 index 0000000..c07f9f4 --- /dev/null +++ b/charts/maas/templates/bin/_enable-tls.sh.tpl 
@@ -0,0 +1,19 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +maas config-tls enable --yes --port 5240 --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt diff --git a/charts/maas/templates/bin/_import-boot-resources.sh.tpl b/charts/maas/templates/bin/_import-boot-resources.sh.tpl index 7ca5999..0227a84 100644 --- a/charts/maas/templates/bin/_import-boot-resources.sh.tpl +++ b/charts/maas/templates/bin/_import-boot-resources.sh.tpl 
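Review bot: The `maas config-tls enable` call hard-codes port 5240 and the three certificate paths, so a deployment that exposes regiond on a different port enables TLS on the wrong one; the chart already resolves the region_api port for the test pod, so `--port {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}` would keep the two in step (assuming region_api is the port name in this chart's endpoints). `set -e` only reacts to the maas command itself, so a missing or empty key in the mounted secret surfaces as whatever maas prints; a guard such as `for f in ca.crt tls.key tls.crt; do [[ -s "/etc/maas/ssl/$f" ]] || exit 1; done` before the call gives a clearer failure. Since this is a one-shot job, a header comment stating that it must be re-run after the certificate is renewed would save the next operator a surprise.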
@@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900} RETRY_TIMER=${RETRY_TIMER:-30} function timer { - retry_wait=$1 - shift + retry_wait=$1 + shift - while [[ ${JOB_TIMEOUT} -gt 0 ]] - do - "$@" - rc=$? - if [ $rc -eq 0 ] - then - return $rc - else - JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait)) - sleep $retry_wait - fi - done + while [[ ${JOB_TIMEOUT} -gt 0 ]]; do + "$@" + rc=$? + if [ $rc -eq 0 ]; then + return $rc + else + JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait)) + sleep $retry_wait + fi + done - return 124 + return 124 } function import_resources { - check_for_download - rc=$? + check_for_download + rc=$? - if [ $rc -ne 0 ] - then - echo "Starting image import try ${import_tries}..." - maas ${ADMIN_USERNAME} boot-resources import - sleep 30 - check_for_download - rc=$? - fi + if [ $rc -ne 0 ]; then + echo "Starting image import try ${import_tries}..." + maas ${ADMIN_USERNAME} boot-resources import + sleep 30 + check_for_download + rc=$? + fi - return $rc + return $rc } function start_import { - timer "$RETRY_TIMER" import_resources + timer "$RETRY_TIMER" import_resources } function check_for_download { - if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - echo 'Import failed!' 
- return 1 - fi - fi + if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + echo 'Import failed!' + return 1 + fi + fi } function check_then_set_single { - option="$1" - value="$2" + option="$1" + value="$2" - cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') - desired_val=$(echo ${value} | tr -d '"') + cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') + desired_val=$(echo ${value} | tr -d '"') - if [[ $cur_val != $desired_val ]] - then - echo "Setting MAAS option ${option} to ${desired_val}" - maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} - return $? - else - echo "MAAS option ${option} already set to ${cur_val}" - return 0 - fi + if [[ $cur_val != $desired_val ]]; then + echo "Setting MAAS option ${option} to ${desired_val}" + maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} + return $? 
+ else + echo "MAAS option ${option} already set to ${cur_val}" + return 0 + fi } function check_then_set { - option=$1 - value=$2 + option=$1 + value=$2 - timer "$RETRY_TIMER" check_then_set_single "$option" "$value" + timer "$RETRY_TIMER" check_then_set_single "$option" "$value" } # Get rack controllers reporting a healthy rackd function get_active_rack_controllers { - maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' + maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' } function check_for_rack_sync_single { - sync_list="" + sync_list="" - rack_list=$(get_active_rack_controllers) - for rack_id in ${rack_list} - do - selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") - synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') - if [[ $synced_ctlr == "true" && ! 
-z ${selected_imgs} ]] - then - sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) - else - maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} - fi - if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]] - then - return 0 - fi - done + rack_list=$(get_active_rack_controllers) + for rack_id in ${rack_list}; do + selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") + synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') + if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then + sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) + else + maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} + fi + if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then + return 0 + fi + done - return 1 + return 1 } function check_for_rack_sync { - timer "$RETRY_TIMER" check_for_rack_sync_single + timer "$RETRY_TIMER" check_for_rack_sync_single } function configure_proxy { - check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} - check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} - check_then_set http_proxy ${MAAS_PROXY_SERVER} - check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} + check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} + check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} + check_then_set http_proxy ${MAAS_PROXY_SERVER} + check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} } function configure_ntp { - check_then_set ntp_servers ${MAAS_NTP_SERVERS} - check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} + check_then_set ntp_servers ${MAAS_NTP_SERVERS} + check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} } function configure_dns { - 
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} - check_then_set upstream_dns ${MAAS_DNS_SERVERS} + check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} + check_then_set upstream_dns ${MAAS_DNS_SERVERS} } function configure_syslog { - check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} + check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} } function configure_images { - check_for_rack_sync + check_for_rack_sync - if [[ $? -eq 124 ]] - then - echo "Timed out waiting for rack controller sync." - return 1 - fi + if [[ $? -eq 124 ]]; then + echo "Timed out waiting for rack controller sync." + return 1 + fi - check_then_set default_osystem ${MAAS_DEFAULT_OS} - check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} - check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} + check_then_set default_osystem ${MAAS_DEFAULT_OS} + check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} + check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} } function configure_boot_sources { - if [[ $USE_IMAGE_CACHE == 'true' ]] - then - maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ - fi + if [[ $USE_IMAGE_CACHE == 'true' ]]; then + maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ + fi - selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" + selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" - if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}" - then - # Need to start an import to get the availability data - maas "$ADMIN_USERNAME" boot-resources import - if ! 
maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ - release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then - return 1 - fi - fi + if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then + # Need to start an import to get the availability data + maas "$ADMIN_USERNAME" boot-resources import + if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ + release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then + return 1 + fi + fi } function create_extra_commissioning_script { @@ -215,21 +203,24 @@ EOF } function configure_extra_settings { -{{- range $k, $v := .Values.conf.maas.extra_settings }} - check_then_set {{$k}} {{$v}} -{{- else }} - : No additional MAAS config -{{- end }} + {{- range $k, $v := .Values.conf.maas.extra_settings }} + check_then_set {{$k}} {{$v}} + {{- else }} + : No additional MAAS config + {{- end }} } function maas_login { - KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) - if [ -z "$KEY" ] - then - return 1 - fi - maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY - return $? + KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) + if [ -z "$KEY" ]; then + return 1 + fi + {{- if .Values.conf.maas.tls.enabled }} + maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- else }} + maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY + {{- end }} + return $? } timer "$RETRY_TIMER" maas_login @@ -245,10 +236,9 @@ create_extra_commissioning_script timer "$RETRY_TIMER" configure_boot_sources start_import -if [[ $? -eq 0 ]] -then - configure_images +if [[ $? -eq 0 ]]; then + configure_images else - echo "Image import FAILED!" - exit 1 + echo "Image import FAILED!" + exit 1 fi diff --git a/charts/maas/templates/bin/_maas-test.sh.tpl b/charts/maas/templates/bin/_maas-test.sh.tpl index 4a36e81..debf41a 100644 
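Review bot: In maas_login the CA path `/usr/local/share/ca-certificates/maas-ca.crt` is a hard-coded literal, and the same string is repeated in establish_session in _maas-test.sh.tpl and in the volumeMounts of job-import, statefulset-rack, statefulset-region and test-maas-init; one chart value (or a template variable) for that path would keep the mounts and the `--cacerts` flags from drifting apart. With TLS enabled this login can only succeed after the maas-enable-tls job has switched regiond to HTTPS, and nothing in this diff shows the import job depending on that job, so the `timer` retry loop is what covers the ordering; if that is intended, say so with `# with TLS enabled, login fails until maas-enable-tls has run; timer retries cover that window`. The remainder of the three hunks in this file is re-indentation and the `-n` rewrite, which need no change.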
--- a/charts/maas/templates/bin/_maas-test.sh.tpl +++ b/charts/maas/templates/bin/_maas-test.sh.tpl 
@@ -18,78 +18,74 @@ set -ex function check_boot_images { - if maas local boot-resources is-importing | grep -q 'true'; - then - echo -e '\nBoot resources currently importing\n' - return 1 - else - synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) - if [[ $synced_imgs -gt 0 ]] - then - echo 'Boot resources have completed importing' - return 0 - else - return 1 - fi - fi + if maas local boot-resources is-importing | grep -q 'true'; then + echo -e '\nBoot resources currently importing\n' + return 1 + else + synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) + if [[ $synced_imgs -gt 0 ]]; then + echo 'Boot resources have completed importing' + return 0 + else + return 1 + fi + fi } function check_rack_controllers { - rack_cnt=$(maas local rack-controllers read | grep -c hostname) - if [[ $rack_cnt -gt 0 ]] - then - echo "Found $rack_cnt rack controllers." - return 0 - else - return 1 - fi + rack_cnt=$(maas local rack-controllers read | grep -c hostname) + if [[ $rack_cnt -gt 0 ]]; then + echo "Found $rack_cnt rack controllers." + return 0 + else + return 1 + fi } function check_admin_api { - if maas local version read; - then - echo 'Admin API is responding' - return 0 - else - return 1 - fi + if maas local version read; then + echo 'Admin API is responding' + return 0 + else + return 1 + fi } function establish_session { - maas login local ${MAAS_URL} ${MAAS_API_KEY} - return $? + {{- if .Values.conf.maas.tls.enabled }} + maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt local ${MAAS_URL} ${MAAS_API_KEY} + {{- else }} + maas login local ${MAAS_URL} ${MAAS_API_KEY} + {{- end }} + return $? } establish_session -if [[ $? -ne 0 ]] -then - echo "MAAS API login FAILED!" - exit 1 +if [[ $? -ne 0 ]]; then + echo "MAAS API login FAILED!" + exit 1 fi check_boot_images -if [[ $? -eq 1 ]] -then - echo "Image import test FAILED!" 
- exit 1 +if [[ $? -eq 1 ]]; then + echo "Image import test FAILED!" + exit 1 fi check_rack_controllers -if [[ $? -eq 1 ]] -then - echo "Rack controller query FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Rack controller query FAILED!" + exit 1 fi check_admin_api -if [[ $? -eq 1 ]] -then - echo "Admin API response FAILED!" - exit 1 +if [[ $? -eq 1 ]]; then + echo "Admin API response FAILED!" + exit 1 fi echo "MAAS Validation SUCCESS!" diff --git a/charts/maas/templates/certificate-maas-ingress.yaml b/charts/maas/templates/certificate-maas-ingress.yaml new file mode 100644 index 0000000..a2b44d9 --- /dev/null +++ b/charts/maas/templates/certificate-maas-ingress.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }} +{{- $envAll := . }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.secrets.maas_ingress_cert }} +spec: + secretName: {{ .Values.secrets.maas_ingress_cert }} + commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} + issuerRef: + kind: {{ .Values.cert_manager.issuer.kind }} + name: {{ .Values.cert_manager.issuer.name }} + dnsNames: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} 
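Review bot: establish_session expands `${MAAS_API_KEY}` on the `maas login` command line while the script runs under `set -ex` (hunk header), so the API key is written to the test pod's log on every run, now on both template branches. Bracket the login with `set +x` and `set -x`, saving `$?` in between so the final `return` still reports the login status, and the trace stays useful for the rest of the script without logging the credential. The `--cacerts` path is the same literal used in _import-boot-resources.sh.tpl and should come from a single chart value.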
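Review bot: This Certificate is gated on `.Values.cert_manager.create` in addition to `.Values.cert_manager.enabled`, while certificate-maas.yaml is gated on `enabled` alone, so a release with create=false gets the internal certificate but no ingress secret even though ingress-region.yaml still emits a `tls:` block whenever `conf.maas.tls.enabled` is set; either gate both Certificates identically or document in values.yaml what create=false is meant to do. The `$envAll` variable is assigned and never used in this file and can be dropped.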
diff --git a/charts/maas/templates/certificate-maas.yaml b/charts/maas/templates/certificate-maas.yaml new file mode 100644 index 0000000..ebf9a0f --- /dev/null +++ b/charts/maas/templates/certificate-maas.yaml @@ -0,0 +1,35 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }} +{{- $envAll := . }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.secrets.maas_cert }} +spec: + secretName: {{ .Values.secrets.maas_cert }} + commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + issuerRef: + kind: {{ .Values.cert_manager.issuer.kind }} + name: {{ .Values.cert_manager.issuer.name }} + dnsNames: + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }} + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc + - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local +{{ end }} 
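Review bot: Every consumer of the secret this Certificate produces (job-import, statefulset-rack, statefulset-region, test-maas-init) mounts the `ca.crt` key from it, but cert-manager only writes `ca.crt` when the issuer exposes a CA (a CA-type issuer or similar); with other issuer types the key is absent and those pods fail at volume mount with no hint why. Either state in values.yaml that `cert_manager.issuer` must be a CA-type issuer, or mark the `ca-cert` secret volumes `optional: true` so the failure moves to the `--cacerts` login where it is visible. The `$envAll` variable here is also unused.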
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml index 43d7bd7..b2980e3 100644 --- a/charts/maas/templates/configmap-bin.yaml +++ b/charts/maas/templates/configmap-bin.yaml @@ -49,3 +49,7 @@ data: {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} start-syslog.sh: | {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- if .Values.conf.maas.tls.enabled }} + enable-tls.sh: | +{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{ end }} diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml index 0bd3d83..689ee68 100644 --- a/charts/maas/templates/deployment-ingress-errors.yaml +++ b/charts/maas/templates/deployment-ingress-errors.yaml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.rack_statefulset }} +{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }} {{- $envAll := . }} {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} {{- $serviceAccountName := "maas-ingress-errors" }} diff --git a/charts/maas/templates/ingress-region.yaml b/charts/maas/templates/ingress-region.yaml index 939898c..1cba370 100644 --- a/charts/maas/templates/ingress-region.yaml +++ b/charts/maas/templates/ingress-region.yaml 
@@ -20,8 +20,17 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: maas-region-api + metadata: + annotations: +{{ toYaml .Values.network.region_api.ingress.annotations | indent 8 }} spec: ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }} +{{- if .Values.conf.maas.tls.enabled }} + tls: + - secretName: maas-region-api-tls + hosts: + - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{ end }} rules: - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} http: diff --git a/charts/maas/templates/job-enable-tls.yaml b/charts/maas/templates/job-enable-tls.yaml new file mode 100644 index 0000000..8644baf --- /dev/null +++ b/charts/maas/templates/job-enable-tls.yaml 
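Review bot: The added annotations sit under a second `metadata:` key nested inside the Ingress's own `metadata`, so they render as `metadata.metadata.annotations`, which is not an Ingress field and is dropped (or rejected under strict field validation) instead of applied; it should be `  annotations:` directly beneath `name: maas-region-api`, with the toYaml piped through `indent 4`. The `tls.secretName` is the literal `maas-region-api-tls`, whereas certificate-maas-ingress.yaml writes its certificate to `.Values.secrets.maas_ingress_cert`, so the two agree only if that value happens to be set to the same string; use `secretName: {{ .Values.secrets.maas_ingress_cert }}` here.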
@@ -0,0 +1,79 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. +Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.conf.maas.tls.enabled }} +{{- $envAll := . }} +{{- $serviceAccountName := "maas-enable-tls" }} +{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: maas-enable-tls + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} +spec: + template: + metadata: + labels: +{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} + spec: +{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }} + initContainers: +{{ tuple $envAll "enable_tls" list | include 
"helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: + - name: maas-enable-tls + image: {{ .Values.images.tags.enable_tls }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/enable-tls.sh + volumeMounts: + - name: maas-bin + mountPath: /tmp/enable-tls.sh + subPath: enable-tls.sh + readOnly: true + - name: maas-etc + mountPath: /etc/maas/regiond.conf + subPath: regiond.conf + readOnly: true + - name: maas-tls + mountPath: /etc/maas/ssl + readOnly: true + volumes: + - name: maas-bin + configMap: + name: maas-bin + defaultMode: 0555 + - name: maas-etc + configMap: + name: maas-etc + defaultMode: 0444 + - name: maas-tls + secret: + secretName: {{ .Values.secrets.maas_cert }} + defaultMode: 0444 +{{ end }} diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml index 4ec7d75..b3ba62b 100644 --- a/charts/maas/templates/job-import.yaml +++ b/charts/maas/templates/job-import.yaml @@ -116,6 +116,12 @@ spec: mountPath: /etc/maas/regiond.conf subPath: regiond.conf readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} volumes: - name: maas-bin configMap: @@ -125,3 +131,11 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} diff --git a/charts/maas/templates/secret-maas-tls.yaml b/charts/maas/templates/secret-maas-tls.yaml new file mode 100644 index 0000000..f7038c1 --- /dev/null 
+++ b/charts/maas/templates/secret-maas-tls.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secrets.certificate }} +type: kubernetes/tls +data: + ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }} + tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }} + tls.key: {{ .Values.conf.maas.tls.key | b64enc }} +{{ end }} diff --git a/charts/maas/templates/service-ingress-headless.yaml b/charts/maas/templates/service-ingress-headless.yaml index 912ceb1..d32840b 100644 --- a/charts/maas/templates/service-ingress-headless.yaml +++ b/charts/maas/templates/service-ingress-headless.yaml @@ -24,6 +24,10 @@ spec: ports: - name: http port: 80 +{{- if .Values.conf.maas.tls.enabled }} + - name: https + port: 443 +{{- end }} selector: {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} ... diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index 1913b30..7f7f77e 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml 
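Review bot: The Secret type is written as `kubernetes/tls`; the Kubernetes TLS secret type is `kubernetes.io/tls`, which is the string the API server validates tls.crt/tls.key against and which TLS-aware consumers look for, so this should read `type: kubernetes.io/tls`. The secret is named `{{ .Values.secrets.certificate }}` while job-enable-tls, job-import, both statefulsets and test-maas-init mount `{{ .Values.secrets.maas_cert }}`, so with cert-manager disabled the pods reference a secret this template never creates unless both values are set to the same name; naming it `{{ .Values.secrets.maas_cert }}` removes that coupling. Note also that `conf.maas.tls.key` passes the private key through Helm values, so it is stored in the release's values record as well as in this Secret; the values documentation should say so.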
@@ -155,6 +155,12 @@ spec: mountPath: /etc/bind/named.conf.options subPath: named.conf.options readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }} volumes: {{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }} @@ -185,6 +191,14 @@ spec: configMap: name: maas-etc defaultMode: 0444 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }} volumeClaimTemplates: - metadata: diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index 092ef6d..dd676fa 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml @@ -179,6 +179,12 @@ spec: mountPath: /etc/default/bind9 subPath: named readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }} volumes: {{- if not .Values.conf.maas.cgroups.disable_cgroups_region }} @@ -203,6 +209,14 @@ spec: - name: maas-region-secret secret: secretName: {{ .Values.secrets.maas_region.name }} +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }} {{- if .Values.manifests.maas_syslog }} volumeClaimTemplates: 
diff --git a/charts/maas/templates/tests/test-maas-init.yaml b/charts/maas/templates/tests/test-maas-init.yaml index 790c7c7..6c9e443 100644 --- a/charts/maas/templates/tests/test-maas-init.yaml +++ b/charts/maas/templates/tests/test-maas-init.yaml @@ -38,7 +38,11 @@ spec: - name: maas-api-test env: - name: 'MAAS_URL' - value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- if empty .Values.conf.maas.url.maas_url }} + value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} +{{- else }} + value: {{ .Values.conf.maas.url.maas_url }} +{{- end }} - name: 'MAAS_API_KEY' valueFrom: secretKeyRef: @@ -54,10 +58,24 @@ spec: mountPath: /tmp/maas-test.sh subPath: maas-test.sh readOnly: true +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + mountPath: /usr/local/share/ca-certificates/maas-ca.crt + subPath: maas-ca.crt + readOnly: true +{{ end }} volumes: - name: maas-bin configMap: name: maas-bin defaultMode: 0555 +{{- if .Values.conf.maas.tls.enabled }} + - name: ca-cert + secret: + secretName: {{ .Values.secrets.maas_cert }} + items: + - key: ca.crt + path: maas-ca.crt +{{ end }} ... {{- end }} diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml index 23faed9..991f524 100644 --- a/charts/maas/values.yaml +++ b/charts/maas/values.yaml @@ -74,6 +74,12 @@ dependencies: endpoint: internal - service: maas_ingress endpoint: monitor + enable_tls: + jobs: + - maas-bootstrap-admin-user + services: + - service: maas_region + endpoint: internal network_policy: maas: 
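Review bot: The `{{- else }}` branch writes `value: {{ .Values.conf.maas.url.maas_url }}` without `| quote`, unlike the lookup branch above it; a URL containing `: ` or `#` would be mis-parsed and env values must render as strings, so use `value: {{ .Values.conf.maas.url.maas_url | quote }}`. The first branch also moves the test from the `internal` to the `public` endpoint, which the commit message does not mention; if the intent is to exercise the TLS ingress path, a one-line comment above the `if` saying so would help.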
@@ -108,6 +114,7 @@ images: ingress_vip: docker.io/busybox:latest error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0 maas_syslog: quay.io/airshipit/maas-region-controller:latest + enable_tls: quay.io/airshipit/maas-region-controller:latest pull_policy: IfNotPresent local_registry: # TODO(portdirect): this chart does not yet support local image cacheing @@ -263,8 +270,8 @@ conf: proxy_server: null images: default_os: 'ubuntu' - default_image: 'bionic' - default_kernel: 'ga-18.04' + default_image: 'focal' + default_kernel: 'ga-20.04' credentials: secret: namespace: maas @@ -294,6 +301,12 @@ conf: # system user for console login/recovery in early phases of deployment system_user: 'root' system_passwd: 'password' + tls: + enabled: false + create: false + ca: "" + cert: "" + key: "" drivers: null #### If you populates drivers, it will replace the 3rd party driver #### info that comes with MaaS. see structure below if it is needed @@ -341,6 +354,8 @@ secrets: name: maas-region-secret value: 3858f62230ac3c915f300c664312c63f ssh_key: ssh-private-key + maas_cert: maas-region-api-tls + maas_ingress_cert: maas-region-api-ingress-tls pod: mandatory_access_control: @@ -659,7 +674,6 @@ endpoints: syslog: public: 514 podport: 514 - maas_db: auth: admin: @@ -722,3 +736,10 @@ endpoints: default: http host_fqdn_override: default: null + +cert_manager: + enabled: false + create: false + issuer: + kind: ClusterIssuer + name: ca-issuer diff --git a/images/maas-rack-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-focal/3.2_allow_query.patch similarity index 94% rename from images/maas-rack-controller-focal/3.0_allow_query.patch rename to images/maas-rack-controller-focal/3.2_allow_query.patch index bbff6a9..60d0bef 100644 --- a/images/maas-rack-controller-focal/3.0_allow_query.patch +++ b/images/maas-rack-controller-focal/3.2_allow_query.patch @@ -1,5 +1,5 @@ 
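Review bot: The new `conf.maas.tls.key` value means a private key placed in values.yaml or an override file is also retained in plaintext in the Helm release history Secret and in any rendered manifests committed to a deployment repo; defaulting `create: false` is right, but the block should say how the key is expected to arrive. Consider a comment above `tls:` such as `# cert/key: PEM for the region API; supply via an override sourced from a secret store (or use cert_manager), never commit a real key`, and point at the `cert_manager` block added at the end of this file as the alternative.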
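Review bot: Deleting the `maas_db:` line that sat between `podport: 514` and `auth:` may change which endpoint the following `auth: admin:` mapping belongs to, unless the line was a duplicate key that YAML was already discarding — indentation is lost in this view, so I cannot tell which. Please confirm with `helm template` that `endpoints.maas_db.auth` still renders; if the key was needed, restore `maas_db:` at its original indentation.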
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template -index d76fcfa9a..d198e90b9 100644 +index d76fcfa..d198e90 100644 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template @@ -13,8 +13,8 @@ empty-zones-enable no; diff --git a/images/maas-rack-controller-focal/3.0_ipmi_error.patch b/images/maas-rack-controller-focal/3.2_ipmi_error.patch similarity index 90% rename from images/maas-rack-controller-focal/3.0_ipmi_error.patch rename to images/maas-rack-controller-focal/3.2_ipmi_error.patch index ed26007..ac6ff18 100644 --- a/images/maas-rack-controller-focal/3.0_ipmi_error.patch +++ b/images/maas-rack-controller-focal/3.2_ipmi_error.patch @@ -1,5 +1,5 @@ diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py -index acf284e9d..edcaf9e41 100644 +index 70201e8..26625e2 100644 --- a/src/provisioningserver/drivers/power/ipmi.py +++ b/src/provisioningserver/drivers/power/ipmi.py @@ -155,6 +155,13 @@ IPMI_ERRORS = { @@ -16,12 +16,12 @@ index acf284e9d..edcaf9e41 100644 "could not find inband device": { "message": ( "An inband device could not be found." -@@ -283,7 +290,7 @@ class IPMIPowerDriver(PowerDriver): +@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver): ), ] ip_extractor = make_ip_extractor("power_address") - wait_time = (4, 8, 16, 32) + wait_time = (4, 4, 8, 8, 16, 16, 32, 32) - + def detect_missing_packages(self): if not shell.has_command_available("ipmipower"): diff --git a/images/maas-rack-controller-focal/3.0_nic_filter.patch b/images/maas-rack-controller-focal/3.2_nic_filter.patch similarity index 84% rename from images/maas-rack-controller-focal/3.0_nic_filter.patch rename to images/maas-rack-controller-focal/3.2_nic_filter.patch index f3c58f5..3f98078 100644 
--- a/images/maas-rack-controller-focal/3.0_nic_filter.patch +++ b/images/maas-rack-controller-focal/3.2_nic_filter.patch @@ -1,8 +1,8 @@ diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py -index d8c781e38..3d2e6264c 100644 +index 7895227..0f665ad 100644 --- a/src/provisioningserver/utils/network.py +++ b/src/provisioningserver/utils/network.py -@@ -1129,6 +1129,8 @@ def get_all_interfaces_definition( +@@ -1128,6 +1128,8 @@ def get_all_interfaces_definition( # interfaces for guests. By themselves, they're not useful for MAAS to # manage. "tunnel", diff --git a/images/maas-rack-controller-focal/3.0_redfish_retries.patch b/images/maas-rack-controller-focal/3.2_redfish_retries.patch similarity index 82% rename from images/maas-rack-controller-focal/3.0_redfish_retries.patch rename to images/maas-rack-controller-focal/3.2_redfish_retries.patch index 1189bf7..67865ca 100644 --- a/images/maas-rack-controller-focal/3.0_redfish_retries.patch +++ b/images/maas-rack-controller-focal/3.2_redfish_retries.patch @@ -1,12 +1,12 @@ diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py -index 334ea2ca8..f38b05b8c 100644 +index 19d9ecd..0075997 100644 --- a/src/provisioningserver/drivers/power/redfish.py +++ b/src/provisioningserver/drivers/power/redfish.py -@@ -151,6 +151,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): +@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE), ] ip_extractor = make_ip_extractor("power_address") + wait_time = (4, 8, 16, 32) - + def detect_missing_packages(self): # no required packages 
diff --git a/images/maas-rack-controller-focal/3.0_secure_headers.patch b/images/maas-rack-controller-focal/3.2_secure_headers.patch similarity index 91% rename from images/maas-rack-controller-focal/3.0_secure_headers.patch rename to images/maas-rack-controller-focal/3.2_secure_headers.patch index f751649..aeb5652 100644 --- a/images/maas-rack-controller-focal/3.0_secure_headers.patch +++ b/images/maas-rack-controller-focal/3.2_secure_headers.patch @@ -1,12 +1,12 @@ diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py -index 23e3e408e..8e3e5b772 100644 +index 23e3e40..8e3e5b7 100644 --- a/src/twisted/web/server.py +++ b/src/twisted/web/server.py @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): self.site = self.channel.site - + # set various default headers - self.setHeader(b'server', version) self.setHeader(b'date', http.datetimeToString()) - + # Resource Identification diff --git a/images/maas-rack-controller-focal/Dockerfile b/images/maas-rack-controller-focal/Dockerfile index 4005574..d974ec9 100644 --- a/images/maas-rack-controller-focal/Dockerfile +++ b/images/maas-rack-controller-focal/Dockerfile @@ -18,7 +18,7 @@ ARG no_proxy ENV DEBIAN_FRONTEND noninteractive ENV container docker -ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 +ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1 RUN apt-get -qq update \ && apt-get install -y \ @@ -43,7 +43,7 @@ RUN apt-get -qq update \ -exec rm \{} \; \ && systemctl set-default multi-user.target \ # Install maas from the ppa - && add-apt-repository -yu ppa:maas/3.0 \ + && add-apt-repository -yu ppa:maas/3.2 \ && apt-get install -y \ maas-rack-controller=$MAAS_VERSION \ && rm -rf /var/lib/apt/lists/* 
@@ -56,20 +56,20 @@ COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack- RUN systemctl enable register-rack-controller.service # Patch so that Calico interfaces are ignored -COPY 3.0_nic_filter.patch /tmp/3.0_nic_filter.patch -COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch +COPY 3.2_nic_filter.patch /tmp/3.2_nic_filter.patch +COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch # Patch so maas knows that "BMC error" is retriable -COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch +COPY 3.2_ipmi_error.patch /tmp/3.2_ipmi_error.patch # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC -COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch +COPY 3.2_redfish_retries.patch /tmp/3.2_redfish_retries.patch # Patch to allow any recursion and cache queries -COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch +COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch -RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch -RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.2_nic_filter.patch +RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.2_ipmi_error.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < 
/tmp/3.2_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch # echo journalctl logs to the container's stdout COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service diff --git a/images/maas-region-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-jammy/3.4_allow_query.patch similarity index 94% rename from images/maas-region-controller-focal/3.0_allow_query.patch rename to images/maas-rack-controller-jammy/3.4_allow_query.patch index bbff6a9..60d0bef 100644 --- a/images/maas-region-controller-focal/3.0_allow_query.patch +++ b/images/maas-rack-controller-jammy/3.4_allow_query.patch @@ -1,5 +1,5 @@ diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template -index d76fcfa9a..d198e90b9 100644 +index d76fcfa..d198e90 100644 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template @@ -13,8 +13,8 @@ empty-zones-enable no; diff --git a/images/maas-rack-controller-jammy/3.4_ipmi_error.patch b/images/maas-rack-controller-jammy/3.4_ipmi_error.patch new file mode 100644 index 0000000..81c28b4 --- /dev/null +++ b/images/maas-rack-controller-jammy/3.4_ipmi_error.patch 
@@ -0,0 +1,27 @@
+diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
+index f3f0806..c115e53 100644
+--- a/src/provisioningserver/drivers/power/ipmi.py
++++ b/src/provisioningserver/drivers/power/ipmi.py
+@@ -155,6 +155,13 @@ IPMI_ERRORS = {
+ ),
+ "exception": PowerConnError,
+ },
++ "BMC error": {
++ "message": (
++ "Device not responding correctly while performing power action."
++ " MAAS performed several retries. Please wait and try again."
++ ),
++ "exception": PowerConnError,
++ },
+ "could not find inband device": {
+ "message": (
+ "An inband device could not be found."
+@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver):
+ ),
+ ]
+ ip_extractor = make_ip_extractor("power_address")
+- wait_time = (4, 8, 16, 32)
++ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
+
+ def detect_missing_packages(self):
+ if not shell.has_command_available("ipmipower"):
diff --git a/images/maas-rack-controller-jammy/3.4_nic_filter.patch b/images/maas-rack-controller-jammy/3.4_nic_filter.patch
new file mode 100644
index 0000000..0d1df3c
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.4_nic_filter.patch
@@ -0,0 +1,13 @@
+diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
+index d6fb989..f4ece75 100644
+--- a/src/provisioningserver/utils/network.py
++++ b/src/provisioningserver/utils/network.py
+@@ -1169,6 +1169,8 @@ def get_all_interfaces_definition(
+ # interfaces for guests. By themselves, they're not useful for MAAS to
+ # manage.
+ "tunnel",
++ # Always exclude non-specific ethernet interfaces.
++ "ethernet",
+ ]
+ if not running_in_container():
+ # When not running in a container, we should be able to identify
diff --git a/images/maas-rack-controller-jammy/3.4_redfish_retries.patch b/images/maas-rack-controller-jammy/3.4_redfish_retries.patch
new file mode 100644
index 0000000..36f2180
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.4_redfish_retries.patch
@@ -0,0 +1,12 @@
+diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
+index 2be490e..482bf4a 100644
+--- a/src/provisioningserver/drivers/power/redfish.py
++++ b/src/provisioningserver/drivers/power/redfish.py
+@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
+ make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
+ ]
+ ip_extractor = make_ip_extractor("power_address")
++ wait_time = (4, 8, 16, 32)
+
+ def detect_missing_packages(self):
+ # no required packages
diff --git a/images/maas-rack-controller-jammy/3.4_secure_headers.patch b/images/maas-rack-controller-jammy/3.4_secure_headers.patch
new file mode 100644
index 0000000..ca66adf
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.4_secure_headers.patch
@@ -0,0 +1,12 @@
+diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
+index d30156b..3a04ecb 100644
+--- a/src/twisted/web/server.py
++++ b/src/twisted/web/server.py
+@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
+ self.site = self.channel.site
+
+ # set various default headers
+- self.setHeader(b"server", version)
+ self.setHeader(b"date", http.datetimeToString())
+
+ # Resource Identification
diff --git a/images/maas-rack-controller-jammy/Dockerfile b/images/maas-rack-controller-jammy/Dockerfile
new file mode 100644
index 0000000..e70e402
--- /dev/null
+++ b/images/maas-rack-controller-jammy/Dockerfile
@@ -0,0 +1,85 @@
+ARG FROM=ubuntu:20.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
+LABEL org.opencontainers.image.url='https://airshipit.org'
+LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
+LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
+LABEL org.opencontainers.image.vendor='The Airship Authors'
+LABEL org.opencontainers.image.licenses='Apache-2.0'
+
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV container docker
+
+ENV MAAS_VERSION 1:3.4.0-14321-g.1027c7664-0ubuntu1~22.04.1
+
+RUN apt-get -qq update \
+ && apt-get install -y \
+ avahi-daemon \
+ isc-dhcp-server \
+ jq \
+ libvirt-clients \
+ libvirt-daemon-system\
+ patch \
+ software-properties-common \
+ sudo \
+ systemd \
+ ca-certificates \
+# Don't start any optional services except for the few we need.
+# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
+ && find /etc/systemd/system \
+ /lib/systemd/system \
+ -path '*.wants/*' \
+ -not -name '*journald*' \
+ -not -name '*systemd-tmpfiles*' \
+ -not -name '*systemd-user-sessions*' \
+ -exec rm \{} \; \
+ && systemctl set-default multi-user.target \
+# Install maas from the ppa
+ && add-apt-repository -yu ppa:maas/3.4 \
+ && apt-get install -y \
+ maas-rack-controller=$MAAS_VERSION \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preserve the directory structure, permissions, and contents of /var/lib/maas
+RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
+
+# register ourselves with the region controller
+COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
+RUN systemctl enable register-rack-controller.service
+
+# Patch so that Calico interfaces are ignored
+COPY 3.4_nic_filter.patch /tmp/3.4_nic_filter.patch
+COPY 3.4_secure_headers.patch /tmp/3.4_secure_headers.patch
+# Patch so maas knows that "BMC error" is retriable
+COPY 3.4_ipmi_error.patch /tmp/3.4_ipmi_error.patch
+# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
+COPY 3.4_redfish_retries.patch /tmp/3.4_redfish_retries.patch
+# Patch to allow any recursion and cache queries
+COPY 3.4_allow_query.patch /tmp/3.4_allow_query.patch
+
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.4_nic_filter.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.4_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.4_ipmi_error.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.4_redfish_retries.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.4_allow_query.patch
+
+# echo journalctl logs to the container's stdout
+COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN systemctl enable journalctl-to-tty.service
+
+# quiet sudo for the maas user
+RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
+
+# avoid triggering bind9 high cpu utilization bug
+RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
+
+# initalize systemd
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-rack-controller-jammy/README.md b/images/maas-rack-controller-jammy/README.md
new file mode 100644
index 0000000..0a11659
--- /dev/null
+++ b/images/maas-rack-controller-jammy/README.md
@@ -0,0 +1 @@
+[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller
diff --git a/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target
diff --git a/images/maas-rack-controller-jammy/scripts/register-rack-controller.service b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service
new file mode 100644
index 0000000..fb439d3
--- /dev/null
+++ b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service
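Review bot: `ARG FROM=ubuntu:20.04` at the top of a `maas-rack-controller-jammy` image does not match the jammy-only `MAAS_VERSION 1:3.4.0-14321-g.1027c7664-0ubuntu1~22.04.1` and `ppa:maas/3.4`; unless the build pipeline always overrides `FROM`, the default build tries to install a `~22.04.1` package on a focal base and will not resolve it, so the default should be `ARG FROM=ubuntu:22.04`. Two smaller points in the same file: the comment `# Patch so that Calico interfaces are ignored` sits above both the nic_filter and the secure_headers COPY lines, so the second deserves its own line such as `# Patch to drop the Server response header from twisted.web`, and `# initalize systemd` is a typo for `initialize`.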
@@ -0,0 +1,12 @@
+[Unit]
+Description=Register with MaaS Region Controller
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH
+ExecStart=/usr/local/bin/register-rack-controller.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/images/maas-region-controller-focal/3.0_bios_grub_partition.patch b/images/maas-region-controller-focal/3.0_bios_grub_partition.patch
deleted file mode 100644
index fc3a1c7..0000000
--- a/images/maas-region-controller-focal/3.0_bios_grub_partition.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
-index 62895f83b..832b1db4c 100644
---- a/src/maasserver/models/partition.py
-+++ b/src/maasserver/models/partition.py
-@@ -248,7 +248,7 @@ class Partition(CleanSave, TimestampedModel):
- return idx + 1
- elif arch == "ppc64el" and block_device.id == boot_disk.id:
- return idx + 2
-- elif arch == "amd64" and bios_boot_method != "uefi":
-+ elif arch == "amd64" and bios_boot_method != "uefi" and block_device.id == boot_disk.id:
- if block_device.type == "physical":
- # Delay the `type` check because it can cause a query. Only
- # physical block devices get the bios_grub partition.
diff --git a/images/maas-region-controller-focal/3.2_allow_query.patch b/images/maas-region-controller-focal/3.2_allow_query.patch
new file mode 100644
index 0000000..60d0bef
--- /dev/null
+++ b/images/maas-region-controller-focal/3.2_allow_query.patch
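Review bot: `PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH` hands the region secret and API key to the unit through the systemd manager environment, which as far as I know is readable inside the container by anything that can run `systemctl show-environment` and is visible in the unit's process environment; acceptable for a single-purpose container, but worth stating in the unit. A comment such as `# MAAS_REGION_SECRET / MAAS_API_KEY arrive from the container environment; this unit is their only consumer` plus a check that register-rack-controller.sh does not echo them to the journal (journalctl-to-tty streams the journal to the container stdout) would close the loop.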
@@ -0,0 +1,15 @@
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa..d198e90 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -13,8 +13,8 @@ empty-zones-enable no;
+ allow-query { any; };
+ {{endif}}
+ {{if not upstream_allow_recursion}}
+-allow-recursion { trusted; };
++allow-recursion { any; };
+ {{endif}}
+ {{if not upstream_allow_query_cache}}
+-allow-query-cache { trusted; };
++allow-query-cache { any; };
+ {{endif}}
diff --git a/images/maas-region-controller-focal/3.2_bios_grub_partition.patch b/images/maas-region-controller-focal/3.2_bios_grub_partition.patch
new file mode 100644
index 0000000..2e79cd0
--- /dev/null
+++ b/images/maas-region-controller-focal/3.2_bios_grub_partition.patch
@@ -0,0 +1,12 @@
+diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
+index 84a8fba..c62f25f 100644
+--- a/src/maasserver/models/partition.py
++++ b/src/maasserver/models/partition.py
+@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
+ arch == "amd64"
+ and bios_boot_method != "uefi"
+ and block_device.type == "physical"
++ and block_device.id == boot_disk.id
+ )
+ if need_prep_partition or need_bios_grub:
+ index = 2
diff --git a/images/maas-region-controller-focal/3.0_configure_ipmi_user.patch b/images/maas-region-controller-focal/3.2_configure_ipmi_user.patch
similarity index 86%
rename from images/maas-region-controller-focal/3.0_configure_ipmi_user.patch
rename to images/maas-region-controller-focal/3.2_configure_ipmi_user.patch
index 39b06ae..a417f3d 100644
--- a/images/maas-region-controller-focal/3.0_configure_ipmi_user.patch
+++ b/images/maas-region-controller-focal/3.2_configure_ipmi_user.patch
@@ -1,10 +1,10 @@
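Review bot: This patch turns the MAAS-managed BIND into an open resolver: `allow-recursion { any; };` and `allow-query-cache { any; };` replace the `trusted` ACL, so any source address that can reach port 53 on the region controller receives recursive service, which is a DNS amplification and cache-abuse exposure if that port is reachable beyond the cluster. The Dockerfile comment only says the patch allows any recursion; please record the reason in the patch header (presumably the `trusted` ACL does not cover pod or ingress source addresses) and confirm that a NetworkPolicy or the Service exposure limits port 53 to the intended clients. If the client ranges are known, adding them to the ACL instead of `any` keeps the restriction.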
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py -index 42e4c79e4..11df96313 100755 +index 02e900d..411832a 100755 --- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py +++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py -@@ -396,6 +396,29 @@ class IPMI(BMCConfig): +@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig): return first_unused - + def add_bmc_user(self): + """Create/configure an IPMI user, but with several tries""" + attempt = 1 @@ -32,7 +32,7 @@ index 42e4c79e4..11df96313 100755 if not self.username: self.username = "maas" user_number = self._pick_user_number(self.username) -@@ -417,7 +440,7 @@ class IPMI(BMCConfig): +@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig): if self._bmc_config[user_number].get(key) != value: self._bmc_set(user_number, key, value) except Exception: @@ -41,12 +41,12 @@ index 42e4c79e4..11df96313 100755 else: self.password = password # Not all user settings are available on all BMC keys, its -@@ -432,8 +455,6 @@ class IPMI(BMCConfig): +@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig): "Yes", ) return - print("ERROR: Unable to add BMC user!", file=sys.stderr) - sys.exit(1) - - def _config_ipmi_lan_channel_settings(self): - """Enable IPMI-over-Lan (Lan_Channel) if it is disabled""" + + def _bmc_get_config(self, section=None): + """Fetch and cache all BMC settings.""" diff --git a/images/maas-region-controller-focal/3.0_kernel_package.patch b/images/maas-region-controller-focal/3.2_kernel_package.patch similarity index 73% rename from images/maas-region-controller-focal/3.0_kernel_package.patch rename to images/maas-region-controller-focal/3.2_kernel_package.patch index 934d1f3..2c1e67e 100644 --- a/images/maas-region-controller-focal/3.0_kernel_package.patch +++ b/images/maas-region-controller-focal/3.2_kernel_package.patch @@ -1,16 +1,15 @@ 
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py -index f9ba34a18..a9f41b9c2 100644 +index c692969..c20facf 100644 --- a/src/maasserver/preseed.py +++ b/src/maasserver/preseed.py -@@ -232,7 +232,27 @@ def compose_curtin_kernel_preseed(node): - The BootResourceFile table contains a mapping between hwe kernels and - Ubuntu package names. If this mapping is missing we fall back to letting - Curtin figure out which kernel should be installed""" -+ +@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node): + if node.get_osystem() == "custom": + return [] + + # previous logic to retrieve kpackage parameter kpackage = BootResource.objects.get_kpackage_for_node(node) + -+ # determine if this node has kernel parameters applied by drydock ++ # determine if thie node has kernel parameters applied by drydock + # and override kpackage if we discover the right properties + kernel_opt_tag = "%s_kp" % (node.hostname) + if kernel_opt_tag in node.tag_names(): diff --git a/images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch b/images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch similarity index 94% rename from images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch rename to images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch index b0f98d3..796b6db 100644 --- a/images/maas-region-controller-focal/3.0_partitiontable_does_not_exist.patch +++ b/images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch @@ -1,5 +1,5 @@ diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py -index 5a413fb3b..6a5ad8b47 100644 +index dd1b431..235c03f 100644 --- a/src/maasserver/api/partitions.py +++ b/src/maasserver/api/partitions.py @@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler): 
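Review bot: The rewritten added line `++ # determine if thie node has kernel parameters applied by drydock` introduces a typo that the 3.0 version of the patch (`this node`, on the removed side just above) did not have; restore `this`. The hunk also retargets the patch from offset 232 to 250 and drops the blank `+` line the 3.0 patch inserted after the docstring, so a `patch --dry-run` against the 3.2 preseed.py is worth confirming in the image build.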
diff --git a/images/maas-region-controller-focal/3.0_proxy_acl.patch b/images/maas-region-controller-focal/3.2_proxy_acl.patch similarity index 100% rename from images/maas-region-controller-focal/3.0_proxy_acl.patch rename to images/maas-region-controller-focal/3.2_proxy_acl.patch diff --git a/images/maas-region-controller-focal/3.0_regex_tags.patch b/images/maas-region-controller-focal/3.2_regex_tags.patch similarity index 81% rename from images/maas-region-controller-focal/3.0_regex_tags.patch rename to images/maas-region-controller-focal/3.2_regex_tags.patch index aa438fa..01f5778 100644 --- a/images/maas-region-controller-focal/3.0_regex_tags.patch +++ b/images/maas-region-controller-focal/3.2_regex_tags.patch @@ -1,17 +1,17 @@ diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py -index 5d26041ca..0e208f264 100644 +index 2cbaa9d..14eeb69 100644 --- a/src/maasserver/models/ownerdata.py +++ b/src/maasserver/models/ownerdata.py -@@ -18,7 +18,7 @@ from django.db.models import ( - from maasserver import DefaultMeta +@@ -17,7 +17,7 @@ from django.db.models import ( + from maasserver.models.cleansave import CleanSave - + -DATA_KEY_RE = re.compile(r"[\w.-]+$") +#DATA_KEY_RE = re.compile(r"[\w.-]+$") - - + + class OwnerDataManager(Manager): -@@ -33,8 +33,8 @@ class OwnerDataManager(Manager): +@@ -32,8 +32,8 @@ class OwnerDataManager(Manager): if value is None: to_remove.add(key) else: @@ -19,6 +19,6 @@ index 5d26041ca..0e208f264 100644 - raise ValueError("Invalid character in key name") + # if not DATA_KEY_RE.match(key): + # raise ValueError("Invalid character in key name") - + self.update_or_create( node=node, key=key, defaults={"value": value} 
diff --git a/images/maas-region-controller-focal/3.0_region_secret_rotate.patch b/images/maas-region-controller-focal/3.2_region_secret_rotate.patch similarity index 95% rename from images/maas-region-controller-focal/3.0_region_secret_rotate.patch rename to images/maas-region-controller-focal/3.2_region_secret_rotate.patch index fce4a7e..fc9bee0 100644 --- a/images/maas-region-controller-focal/3.0_region_secret_rotate.patch +++ b/images/maas-region-controller-focal/3.2_region_secret_rotate.patch @@ -1,5 +1,5 @@ diff --git a/src/maasserver/security.py b/src/maasserver/security.py -index a9420e504..61c6f00c6 100644 +index a9420e5..7973120 100644 --- a/src/maasserver/security.py +++ b/src/maasserver/security.py @@ -96,11 +96,11 @@ def get_shared_secret_txn(): @@ -16,6 +16,5 @@ index a9420e504..61c6f00c6 100644 + # secret and set it in the database (set_config function) + secret = secret_on_fs + Config.objects.set_config("rpc_shared_secret", to_hex(secret)) - + return secret - diff --git a/images/maas-region-controller-focal/3.0_route.patch b/images/maas-region-controller-focal/3.2_route.patch similarity index 66% rename from images/maas-region-controller-focal/3.0_route.patch rename to images/maas-region-controller-focal/3.2_route.patch index 391c617..d1f9efc 100644 --- a/images/maas-region-controller-focal/3.0_route.patch +++ b/images/maas-region-controller-focal/3.2_route.patch @@ -1,13 +1,17 @@ diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py -index 3851424fc..8bfa90e7d 100644 +index 7660feb..dae412d 100644 --- a/src/maasserver/preseed_network.py 
+++ b/src/maasserver/preseed_network.py -@@ -309,7 +309,7 @@ class InterfaceConfiguration: - +@@ -308,7 +308,11 @@ class InterfaceConfiguration: + def _get_matching_routes(self, source): """Return all route objects matching `source`.""" - return {route for route in self.routes if route.source == source} -+ return {route for route in self.routes if str(route.source.cidr) == str(source.cidr)} - ++ return { ++ route ++ for route in self.routes ++ if str(route.source.cidr) == str(source.cidr) ++ } + def _generate_addresses(self, version=1): """Generate the various addresses needed for this interface.""" diff --git a/images/maas-region-controller-focal/3.0_secure_headers.patch b/images/maas-region-controller-focal/3.2_secure_headers.patch similarity index 91% rename from images/maas-region-controller-focal/3.0_secure_headers.patch rename to images/maas-region-controller-focal/3.2_secure_headers.patch index f751649..aeb5652 100644 --- a/images/maas-region-controller-focal/3.0_secure_headers.patch +++ b/images/maas-region-controller-focal/3.2_secure_headers.patch @@ -1,12 +1,12 @@ diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py -index 23e3e408e..8e3e5b772 100644 +index 23e3e40..8e3e5b7 100644 --- a/src/twisted/web/server.py +++ b/src/twisted/web/server.py @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): self.site = self.channel.site - + # set various default headers - self.setHeader(b'server', version) self.setHeader(b'date', http.datetimeToString()) - + # Resource Identification diff --git a/images/maas-region-controller-focal/Dockerfile b/images/maas-region-controller-focal/Dockerfile index 59e2284..ec08c22 100644 --- a/images/maas-region-controller-focal/Dockerfile +++ b/images/maas-region-controller-focal/Dockerfile 
@@ -18,7 +18,7 @@ ARG no_proxy
 ENV DEBIAN_FRONTEND noninteractive
 ENV container docker
 
-ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
+ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
 
 RUN apt-get -qq update \
 && apt-get install -y \
@@ -41,7 +41,7 @@ RUN apt-get -qq update \
 -exec rm \{} \; \
 && systemctl set-default multi-user.target \
 # Install maas from the ppa
- && add-apt-repository -yu ppa:maas/3.0 \
+ && add-apt-repository -yu ppa:maas/3.2 \
 && apt-get install -y \
 maas-region-api=$MAAS_VERSION \
 # tcpdump is required by /usr/lib/maas/beacon-monitor
@@ -52,32 +52,32 @@ RUN apt-get -qq update \
 RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
 
 # MAAS workarounds
-COPY 3.0_route.patch /tmp/3.0_route.patch
-COPY 3.0_kernel_package.patch /tmp/3.0_kernel_package.patch
-COPY 3.0_bios_grub_partition.patch /tmp/3.0_bios_grub_partition.patch
+COPY 3.2_route.patch /tmp/3.2_route.patch
+COPY 3.2_kernel_package.patch /tmp/3.2_kernel_package.patch
+COPY 3.2_bios_grub_partition.patch /tmp/3.2_bios_grub_partition.patch
 # sh8121att: allow all requests via the proxy to allow it to work
 # behind ingress
-COPY 3.0_proxy_acl.patch /tmp/3.0_proxy_acl.patch
+COPY 3.2_proxy_acl.patch /tmp/3.2_proxy_acl.patch
 # Patch to add retrying to MaaS BMC user setup, and improve exception handling
-COPY 3.0_configure_ipmi_user.patch /tmp/3.0_configure_ipmi_user.patch
-COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
-COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
-COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
+COPY 3.2_configure_ipmi_user.patch /tmp/3.2_configure_ipmi_user.patch
+COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
+COPY 3.2_region_secret_rotate.patch /tmp/3.2_region_secret_rotate.patch
+COPY 3.2_partitiontable_does_not_exist.patch /tmp/3.2_partitiontable_does_not_exist.patch
 # Allow tags with '/' symbols
-COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
+COPY 3.2_regex_tags.patch /tmp/3.2_regex_tags.patch
 # Patch to allow any recursion and cache queries
-COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
+COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
 
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.0_bios_grub_partition.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.0_region_secret_rotate.patch
-RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.0_configure_ipmi_user.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.0_proxy_acl.patch
-RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.2_route.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.2_kernel_package.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.2_bios_grub_partition.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.2_region_secret_rotate.patch
+RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.2_configure_ipmi_user.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.2_proxy_acl.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.2_partitiontable_does_not_exist.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.2_regex_tags.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
 
 # echo journalctl logs to the container's stdout
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
diff --git a/images/maas-region-controller-jammy/3.4_allow_query.patch b/images/maas-region-controller-jammy/3.4_allow_query.patch
new file mode 100644
index 0000000..60d0bef
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_allow_query.patch
@@ -0,0 +1,15 @@
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa..d198e90 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -13,8 +13,8 @@ empty-zones-enable no;
+ allow-query { any; };
+ {{endif}}
+ {{if not upstream_allow_recursion}}
+-allow-recursion { trusted; };
++allow-recursion { any; };
+ {{endif}}
+ {{if not upstream_allow_query_cache}}
+-allow-query-cache { trusted; };
++allow-query-cache { any; };
+ {{endif}}
diff --git a/images/maas-region-controller-jammy/3.4_bios_grub_partition.patch b/images/maas-region-controller-jammy/3.4_bios_grub_partition.patch
new file mode 100644
index 0000000..112fc12
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_bios_grub_partition.patch
@@ -0,0 +1,12 @@
+diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
+index 2d09666..9c2dfa6 100644
+--- a/src/maasserver/models/partition.py
++++ b/src/maasserver/models/partition.py
+@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
+ arch == "amd64"
+ and bios_boot_method != "uefi"
+ and block_device.type == "physical"
++ and block_device.id == boot_disk.id
+ )
+ if need_prep_partition or need_bios_grub:
+ index = 2
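Review bot: `allow-recursion { any; }` and `allow-query-cache { any; }` make the MAAS-managed BIND instance an open recursive resolver for every client that can reach its port 53, and since `allow-query { any; };` is already present as context in this hunk, nothing left in named.conf limits who may recurse through it; an exposed open resolver is a DNS amplification vector and hands its cache contents to anyone. The Dockerfile comment says the intent is "any recursion and cache queries", but if the real requirement is only that pods and the ingress path can resolve through it, keep `trusted` here and put the cluster/pod CIDRs into the upstream options file the template's `upstream_allow_recursion`/`upstream_allow_query_cache` flags defer to, or add a builtin ACL instead of opening fully, e.g. `allow-recursion { trusted; localnets; };`. If `any` must stay, pair it with a NetworkPolicy restricting 53/udp and 53/tcp on the region pod to the in-cluster networks, and record that dependency in the patch's Dockerfile comment so it is not silently dropped on the next version bump.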
diff --git a/images/maas-region-controller-jammy/3.4_configure_ipmi_user.patch b/images/maas-region-controller-jammy/3.4_configure_ipmi_user.patch
new file mode 100644
index 0000000..c4d128c
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_configure_ipmi_user.patch
@@ -0,0 +1,52 @@
+diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+index 38ba140..36e0bb8 100755
+--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
++++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+@@ -185,6 +185,29 @@ class IPMIBase(BMCConfig):
+ return first_unused
+ 
+ def add_bmc_user(self):
++ """Create/configure an IPMI user, but with several tries"""
++ attempt = 1
++ max_attempts = 5
++ backoff_amount = 30
++ exceptions_caught = []
++ while attempt <= max_attempts:
++ print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
++ try:
++ self._add_bmc_user()
++ except Exception as e:
++ exceptions_caught.append(e)
++ if (attempt + 1) > max_attempts:
++ # This is our last attempt, exiting
++ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
++ sys.exit(1)
++
++ if self.password is None:
++ time.sleep(attempt * backoff_amount)
++ else:
++ return
++ attempt += 1
++
++ def _add_bmc_user(self):
+ if not self.username:
+ self.username = "maas"
+ user_number = self._pick_user_number(self.username)
+@@ -206,7 +229,7 @@ class IPMIBase(BMCConfig):
+ if self._bmc_config[user_number].get(key) != value:
+ self._bmc_set(user_number, key, value)
+ except Exception:
+- pass
++ raise
+ else:
+ self.password = password
+ # Not all user settings are available on all BMC keys, its
+@@ -221,8 +244,6 @@ class IPMIBase(BMCConfig):
+ "Yes",
+ )
+ return
+- print("ERROR: Unable to add BMC user!", file=sys.stderr)
+- sys.exit(1)
+ 
+ def _bmc_get_config(self, section=None):
+ """Fetch and cache all BMC settings."""
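Review bot: The retry loop in the new `add_bmc_user` can finish without reporting failure: when `_add_bmc_user()` returns normally but leaves `self.password` unset on the fifth attempt, the loop sleeps, bumps `attempt` past `max_attempts` and the method falls off the end returning `None`, while the `print("ERROR: Unable to add BMC user!")`/`sys.exit(1)` that used to cover exactly that case is deleted from `_add_bmc_user` in the third hunk. Add the terminal check after the loop, `print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)` followed by `sys.exit(1)`, so commissioning still fails loudly. Separately, `exceptions_caught` is printed verbatim to stderr; if `_bmc_set` raises something like `subprocess.CalledProcessError`, its text carries the full command line, which for the password key-pair would write the freshly generated BMC password into the commissioning script output that is uploaded to the region — confirm what `_bmc_set` raises and redact before printing. The hunk also relies on `time` being imported in bmc_config.py, which is not visible here.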
diff --git a/images/maas-region-controller-jammy/3.4_kernel_package.patch b/images/maas-region-controller-jammy/3.4_kernel_package.patch
new file mode 100644
index 0000000..ea05f79
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_kernel_package.patch
@@ -0,0 +1,31 @@
+diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
+index a7ba9f8..9a30021 100644
+--- a/src/maasserver/preseed.py
++++ b/src/maasserver/preseed.py
+@@ -248,7 +248,26 @@ def compose_curtin_kernel_preseed(node):
+ if node.get_osystem() == "custom":
+ return []
+ 
++ # previous logic to retrieve kpackage parameter
+ kpackage = BootResource.objects.get_kpackage_for_node(node)
++
++ # determine if thie node has kernel parameters applied by drydock
++ # and override kpackage if we discover the right properties
++ kernel_opt_tag = "%s_kp" % (node.hostname)
++ if kernel_opt_tag in node.tag_names():
++
++ # the tag exists, retrieve it
++ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts
++
++ # parse the string and find our package param value
++ # e.g. kernel_package=linux-image-4.15.0-34-generic
++ kparams = kernel_opts.split()
++ kdict = dict(
++ kparam.split("=", 1) for kparam in kparams if "=" in kparam
++ )
++ if "kernel_package" in kdict:
++ kpackage = kdict["kernel_package"]
++
+ if kpackage:
+ kernel_config = {"kernel": {"package": kpackage, "mapping": {}}}
+ return [yaml.safe_dump(kernel_config)]
diff --git a/images/maas-region-controller-jammy/3.4_partitiontable_does_not_exist.patch b/images/maas-region-controller-jammy/3.4_partitiontable_does_not_exist.patch
new file mode 100644
index 0000000..8346799
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_partitiontable_does_not_exist.patch
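Review bot: `kernel_opts.split()` raises `AttributeError` if the tag's `kernel_opts` is `None`; the new code only checks that the `<hostname>_kp` tag exists, not that it carries any options, and whether the field can be null is not visible in this hunk, so guard it: `kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts or ""`. The value read from `kdict["kernel_package"]` flows unchanged into the curtin preseed as the kernel package name, so whoever can set that tag's kernel_opts (presumably MAAS admins only) chooses which package curtin installs; a short comment at `kpackage = kdict["kernel_package"]` noting that tag editing is the trust boundary would help the next reader. Also fix the typo in the comment: `# determine if this node has kernel parameters applied by drydock`.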
@@ -0,0 +1,13 @@
+diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
+index 4302d8d..f0e51c8 100644
+--- a/src/maasserver/api/partitions.py
++++ b/src/maasserver/api/partitions.py
+@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):
+ device = BlockDevice.objects.get_block_device_or_404(
+ system_id, device_id, request.user, NodePermission.view
+ )
+- partition_table = device.partitiontable_set.get()
++ partition_table = device.get_partitiontable()
+ if partition_table is None:
+ return []
+ else:
diff --git a/images/maas-region-controller-jammy/3.4_proxy_acl.patch b/images/maas-region-controller-jammy/3.4_proxy_acl.patch
new file mode 100644
index 0000000..0de535e
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_proxy_acl.patch
@@ -0,0 +1,10 @@
+18,24c18
+< http_access allow maas_proxy_manager localhost
+< http_access deny maas_proxy_manager
+< http_access deny !Safe_ports
+< http_access deny CONNECT !SSL_ports
+< http_access allow localnet
+< http_access allow localhost
+< http_access deny all
+---
+> http_access allow all
diff --git a/images/maas-region-controller-jammy/3.4_regex_tags.patch b/images/maas-region-controller-jammy/3.4_regex_tags.patch
new file mode 100644
index 0000000..cf18f28
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_regex_tags.patch
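Review bot: Collapsing the whole `http_access` chain to `http_access allow all` drops not only the localnet/localhost source restriction but also `deny !Safe_ports`, `deny CONNECT !SSL_ports` and the `maas_proxy_manager` guard, so the squid instance becomes an open forward proxy that will CONNECT to any port on any host reachable from the pod network, for any client that can reach it, and exposes the cache manager interface to them too. The Dockerfile comment says the goal is to work behind ingress, which only needs the ingress source accepted; keep the port and manager guards and open only the source check, i.e. leave `http_access deny maas_proxy_manager`, `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` in place and replace just `http_access deny all` (better still, an `acl ingress src <cidr>` used instead of `all`). This patch is also in plain rather than unified diff format with hard-coded line numbers (`18,24c18`) and no context, so it is more fragile against upstream template edits than the other patches in this image.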
@@ -0,0 +1,24 @@
+diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
+index 2cbaa9d..f8cbeb5 100644
+--- a/src/maasserver/models/ownerdata.py
++++ b/src/maasserver/models/ownerdata.py
+@@ -17,7 +17,7 @@ from django.db.models import (
+ 
+ from maasserver.models.cleansave import CleanSave
+ 
+-DATA_KEY_RE = re.compile(r"[\w.-]+$")
++#DATA_KEY_RE = re.compile(r"[\w.-]+$")
+ 
+ 
+ class OwnerDataManager(Manager):
+@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
+ if value is None:
+ to_remove.add(key)
+ else:
+- if not DATA_KEY_RE.match(key):
+- raise ValueError("Invalid character in key name")
++ # if not DATA_KEY_RE.match(key):
++ # raise ValueError("Invalid character in key name")
+ 
+ self.update_or_create(
+ node=node, key=key, defaults={"value": value}
diff --git a/images/maas-region-controller-jammy/3.4_route.patch b/images/maas-region-controller-jammy/3.4_route.patch
new file mode 100644
index 0000000..a9e1b25
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_route.patch
@@ -0,0 +1,17 @@
+diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
+index c1e516c..f90aa4d 100644
+--- a/src/maasserver/preseed_network.py
++++ b/src/maasserver/preseed_network.py
+@@ -307,7 +307,11 @@ class InterfaceConfiguration:
+ 
+ def _get_matching_routes(self, source):
+ """Return all route objects matching `source`."""
+- return {route for route in self.routes if route.source == source}
++ return {
++ route
++ for route in self.routes
++ if str(route.source.cidr) == str(source.cidr)
++ }
+ 
+ def _generate_addresses(self):
+ """Generate the various addresses needed for this interface."""
diff --git a/images/maas-region-controller-jammy/3.4_secure_headers.patch b/images/maas-region-controller-jammy/3.4_secure_headers.patch
new file mode 100644
index 0000000..ca66adf
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.4_secure_headers.patch
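Review bot: Commenting out `DATA_KEY_RE` and the `match` check removes all validation of owner-data key names instead of admitting the one extra character the Dockerfile comment asks for ("/"), so keys containing whitespace, control characters or arbitrary Unicode are now accepted and stored for every consumer of owner data. Extend the pattern rather than deleting the check: `DATA_KEY_RE = re.compile(r"[\w./-]+$")` and leave the `if not DATA_KEY_RE.match(key): raise ValueError("Invalid character in key name")` lines as they were. If `re` is used only for this constant in ownerdata.py, the current patch also leaves an unused import behind; that is outside the hunk, so confirm.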
@@ -0,0 +1,12 @@
+diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
+index d30156b..3a04ecb 100644
+--- a/src/twisted/web/server.py
++++ b/src/twisted/web/server.py
+@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
+ self.site = self.channel.site
+ 
+ # set various default headers
+- self.setHeader(b"server", version)
+ self.setHeader(b"date", http.datetimeToString())
+ 
+ # Resource Identification
diff --git a/images/maas-region-controller-jammy/Dockerfile b/images/maas-region-controller-jammy/Dockerfile
new file mode 100644
index 0000000..1e61685
--- /dev/null
+++ b/images/maas-region-controller-jammy/Dockerfile
@@ -0,0 +1,91 @@
+ARG FROM=ubuntu:20.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
+LABEL org.opencontainers.image.url='https://airshipit.org'
+LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
+LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
+LABEL org.opencontainers.image.vendor='The Airship Authors'
+LABEL org.opencontainers.image.licenses='Apache-2.0'
+
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV container docker
+
+ENV MAAS_VERSION 1:3.4.0-14321-g.1027c7664-0ubuntu1~22.04.1
+
+RUN apt-get -qq update \
+ && apt-get install -y \
+ avahi-daemon \
+ jq \
+ patch \
+ software-properties-common \
+ sudo \
+ systemd \
+ cron \
+ ca-certificates \
+# Don't start any optional services except for the few we need.
+# (specifically, don't start avahi-daemon)
+ && find /etc/systemd/system \
+ /lib/systemd/system \
+ -path '*.wants/*' \
+ -not -name '*journald*' \
+ -not -name '*systemd-tmpfiles*' \
+ -not -name '*systemd-user-sessions*' \
+ -exec rm \{} \; \
+ && systemctl set-default multi-user.target \
+# Install maas from the ppa
+ && add-apt-repository -yu ppa:maas/3.4 \
+ && apt-get install -y \
+ maas-region-api=$MAAS_VERSION \
+ # tcpdump is required by /usr/lib/maas/beacon-monitor
+ tcpdump \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preserve the directory structure, permissions, and contents of /var/lib/maas
+RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
+
+# MAAS workarounds
+COPY 3.4_route.patch /tmp/3.4_route.patch
+COPY 3.4_kernel_package.patch /tmp/3.4_kernel_package.patch
+COPY 3.4_bios_grub_partition.patch /tmp/3.4_bios_grub_partition.patch
+# sh8121att: allow all requests via the proxy to allow it to work
+# behind ingress
+COPY 3.4_proxy_acl.patch /tmp/3.4_proxy_acl.patch
+# Patch to add retrying to MaaS BMC user setup, and improve exception handling
+COPY 3.4_configure_ipmi_user.patch /tmp/3.4_configure_ipmi_user.patch
+COPY 3.4_secure_headers.patch /tmp/3.4_secure_headers.patch
+COPY 3.4_partitiontable_does_not_exist.patch /tmp/3.4_partitiontable_does_not_exist.patch
+# Allow tags with '/' symbols
+COPY 3.4_regex_tags.patch /tmp/3.4_regex_tags.patch
+# Patch to allow any recursion and cache queries
+COPY 3.4_allow_query.patch /tmp/3.4_allow_query.patch
+
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.4_route.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.4_kernel_package.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.4_bios_grub_partition.patch
+RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.4_configure_ipmi_user.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.4_proxy_acl.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.4_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.4_partitiontable_does_not_exist.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.4_regex_tags.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.4_allow_query.patch
+
+# echo journalctl logs to the container's stdout
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN systemctl enable journalctl-to-tty.service
+
+# quiet sudo for the maas user
+RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
+
+# avoid triggering bind9 high cpu utilization bug
+RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
+
+# initalize systemd
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-region-controller-jammy/README.md b/images/maas-region-controller-jammy/README.md
new file mode 100644
index 0000000..cd33b83
--- /dev/null
+++ b/images/maas-region-controller-jammy/README.md
@@ -0,0 +1 @@
+[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller
diff --git a/images/maas-region-controller-jammy/journalctl-to-tty.service b/images/maas-region-controller-jammy/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-region-controller-jammy/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target
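Review bot: `ARG FROM=ubuntu:20.04` defaults this jammy image to a focal base, yet the same file pins `MAAS_VERSION` to a `0ubuntu1~22.04.1` build and adds `ppa:maas/3.4`; that version string cannot resolve on a focal base, so a build that does not override `FROM` fails at `maas-region-api=$MAAS_VERSION` (or, if the PPA offered a focal build, would install a mismatched package set). Change it to `ARG FROM=ubuntu:22.04`. The patch set duplicates the focal image's with only the version prefix changed, so drift between the two will be easy to miss; a note at `# MAAS workarounds` such as `# keep in sync with images/maas-region-controller-focal` would help. `Defaults:maas !pam_session, !syslog` disables sudo's syslog record for the maas user; it looks copied from the focal image, but the `# quiet sudo for the maas user` comment should state why losing that audit trail is acceptable in this container, since the line survives version bumps unreviewed.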