Upgrading MAAS to v3

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: I4b5a5f6a7e21d790cce13a5ccff9819f517cad64
This commit is contained in:
Anselme, Schubbert (sa246v) 2022-09-01 11:28:13 -04:00 committed by Anselme, Schubert (sa246v)
parent 2d5b698d9e
commit efd58c59a0
No known key found for this signature in database
GPG Key ID: F3B03D5AF2155BED
53 changed files with 1163 additions and 98 deletions


@ -18,6 +18,7 @@
- airship-maas-chart-build-latest-htk
- airship-maas-docker-build-gate
- airship-maas-lint-yaml
- airship-maas-helm-deploy
gate:
jobs:
- airship-maas-lint-ws
@ -82,6 +83,14 @@
irrelevant-files:
- '^charts/maas/templates/.*'
- job:
name: airship-maas-helm-deploy
timeout: 5400
run: tools/gate/playbooks/helm-deploy.yaml
nodeset: airship-maas-single-node
files:
- '^charts/.*'
- job:
name: airship-maas-docker-publish
timeout: 1800


@ -33,8 +33,8 @@ IMAGE_NAME := maas-rack-controller maas-region-controller sstream-cache
BUILD_DIR := $(shell mktemp -d)
HELM := $(BUILD_DIR)/helm
SSTREAM_IMAGE := "https://images.maas.io/ephemeral-v3/stable/"
SSTREAM_RELEASE := "bionic"
UBUNTU_BASE_IMAGE ?= ubuntu:18.04
SSTREAM_RELEASE := "focal"
UBUNTU_BASE_IMAGE ?= ubuntu:20.04
USE_CACHED_IMG ?= false
DOCKER_EXTRA_ARGS ?=


@ -0,0 +1,6 @@
dependencies:
- name: helm-toolkit
repository: https://artifacts-nc.zc1.cti.att.com/artifactory/helm-charts/
version: 0.2.48
digest: sha256:600876c5b3c83581640d71b72a87116a4bb8295190faa7229d9eebe753c3d1e1
generated: "2022-09-06T08:31:48.311579-04:00"


@ -0,0 +1,21 @@
#!/bin/sh
{{/*
Copyright 2022 The Openstack-Helm Authors.
Copyright (c) 2022 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.*/}}
set -ex
maas config-tls enable ${MAAS_TLS_KEY} ${MAAS_TLS_CERT} --cacert ${MAAS_CA_CERT} --port 5443 || exit 1
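Review bot: The variable expansions on the `maas config-tls enable` line are unquoted and the script never sets `-u`, so an unset `MAAS_TLS_KEY`, `MAAS_TLS_CERT` or `MAAS_CA_CERT` silently collapses into a missing positional argument instead of failing with a clear message. Changing the first body line to `set -eux` and quoting the paths, `maas config-tls enable "${MAAS_TLS_KEY}" "${MAAS_TLS_CERT}" --cacert "${MAAS_CA_CERT}" --port 5443`, makes the failure explicit; the trailing `|| exit 1` is redundant under `set -e`. The Job that runs this script uses `restartPolicy: OnFailure`, so it is worth confirming that re-running `config-tls enable` on a region that already has TLS enabled is harmless, and recording that in a comment above the command.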


@ -17,6 +17,16 @@
set -ex
function check_admin_api {
if maas admin version read | grep -q 'true';
then
echo 'Admin API is responding'
return 0
else
return 1
fi
}
function check_boot_images {
if maas local boot-resources is-importing | grep -q 'true';
then
@ -74,5 +84,13 @@ then
exit 1
fi
check_admin_api
if [[ $? -eq 1 ]]
then
echo "Admin API response FAILED!"
exit 1
fi
echo "MAAS Validation SUCCESS!"
exit 0
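Review bot: The failure branch after `check_admin_api` is unreachable: with `set -e` at the top of the script, a non-zero return from the function called as a plain command terminates the script before `if [[ $? -eq 1 ]]` is evaluated, so "Admin API response FAILED!" is never printed. Replacing the three lines `check_admin_api` / `if [[ $? -eq 1 ]]` / `then` with `if ! check_admin_api; then` evaluates the status in a condition context, where `set -e` does not apply. It is also not obvious what `grep -q 'true'` is meant to match in the output of `maas admin version read`; a comment above that `if` naming the field being checked, or a match on a specific key rather than the bare string, would make the check meaningful. The earlier checks in this file are outside the hunk and may use the same `$?`-after-`set -e` pattern.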


@ -0,0 +1,58 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.enable_tls -}}
# TODO: use helm-tookit for maas ingress certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: maas-api-ingress-cert
namespace: {{ .Release.Namespace }}
spec:
commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
dnsNames:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
duration: 2160h
issuerRef:
name: ca-issuer
privateKey:
size: 2048
secretName: maas-api-ingress-tls
usages:
- server auth
- client auth
---
# TODO: use helm-tookit for maas certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: maas-api-cert
namespace: {{ .Release.Namespace }}
spec:
commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
dnsNames:
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
duration: 2160h
issuerRef:
name: ca-issuer
privateKey:
size: 2048
secretName: maas-api-tls
usages:
- server auth
- client auth
{{- end -}}
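Review bot: Both Certificate resources hard-code `issuerRef: name: ca-issuer` with no `kind`, so the chart silently requires a namespaced Issuer of exactly that name in the release namespace, and a deployment using a ClusterIssuer or a differently named issuer cannot enable TLS without editing the template. Sourcing the issuer name, kind and `duration` from values (for example a `conf.maas.tls` block — proposed here, not present in the chart) and documenting the cert-manager prerequisite next to the `enable_tls` flag would make the dependency explicit. `usages` lists `client auth` on both certificates; if the region never presents these certificates as a client, dropping that usage narrows what the keys can be used for. The two `# TODO: use helm-tookit ...` comments also misspell helm-toolkit.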


@ -49,3 +49,6 @@ data:
{{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start-syslog.sh: |
{{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.conf.maas.enable_tls -}}
{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end -}}
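Review bot: The new block under `{{- if .Values.conf.maas.enable_tls -}}` emits the rendered template with no `enable-tls.sh: |` key, unlike the `start-syslog.sh: |` entry directly above it, so the script body is appended to the previous ConfigMap value (or breaks the document) and the `subPath: enable-tls.sh` mount in the enable-tls Job has no key to resolve. It should follow the existing pattern: `{{- if .Values.conf.maas.enable_tls }}` / `  enable-tls.sh: |` / `{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}` / `{{- end }}`. The right-hand `-}}` trim on the `if` line also has to go so the key starts on its own line. The `data:` mapping this belongs to begins outside the hunk.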


@ -119,6 +119,7 @@ rules:
- configmaps
verbs:
- create
- update
- apiGroups:
- ""
resources:
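Review bot: The added `update` verb on `configmaps` widens the role, and no `resourceNames` restriction is visible in the hunk, so if this rule is unscoped the bound service account can modify every ConfigMap in the namespace, including the chart's own script ConfigMaps. If the writer only needs one or two named ConfigMaps, a `resourceNames:` list on this rule keeps the grant to least privilege; if the names are dynamic, a comment above the verb saying which component needs update and why records the decision. The enclosing `rules:` list starts and ends outside the hunk, so the scoping cannot be confirmed from here.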


@ -14,6 +14,7 @@
# limitations under the License.
*/}}
# TODO: enable ingress tls
{{- if and .Values.manifests.ingress_region .Values.network.region_api.ingress.public }}
---
apiVersion: networking.k8s.io/v1
@ -22,6 +23,12 @@ metadata:
name: maas-region-api
spec:
ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
{{- if .Values.conf.maas.enable_tls }}
tls:
- secretName: maas-api-ingress-tls
hosts:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- end }}
rules:
- host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
http:
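Review bot: The `# TODO: enable ingress tls` comment added at the top of the file is already stale, since the same change adds the `tls:` stanza guarded by `.Values.conf.maas.enable_tls`; remove it or replace it with a pointer to the flag. `secretName: maas-api-ingress-tls` is a hard-coded coupling to the Certificate template introduced in this change, so a comment such as `# issued by the maas-api-ingress-cert Certificate when enable_tls is set` helps the next reader. Separately, the enable-tls Job moves the region API to TLS on port 5443, so the backend service and port referenced by the `rules:` below the hunk should be checked to still match when the flag is on.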


@ -0,0 +1,88 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.enable_tls -}}
# TODO: enable tls job
{{- $envAll := . }}
{{- $serviceAccountName := "maas-enable-tls" }}
{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: maas-enable-tls
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
initContainers:
{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: maas-enable-tls
image: {{ .Values.images.tags.bootstrap }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: MAAS_TLS_KEY
value: /etc/maas/tls/tls.key
- name: MAAS_TLS_CERT
value: /etc/maas/tls/tls.cert
- name: MAAS_CA_CERT
value: /etc/maas/tls/ca.cert
command:
- /tmp/enable-tls.sh
volumeMounts:
- name: maas-bin
mountPath: /tmp/enable-tls.sh
subPath: enable-tls.sh
readOnly: true
- name: maas-etc
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
- name: maas-tls
mountPath: /etc/maas/tls
subPath: tls
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-etc
configMap:
name: maas-etc
defaultMode: 0444
- name: maas-tls
secret:
secretName: maas-api-tls
defaultMode: 0444
{{- end -}}
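Review bot: The env values `MAAS_TLS_CERT=/etc/maas/tls/tls.cert` and `MAAS_CA_CERT=/etc/maas/tls/ca.cert` do not match the keys cert-manager writes into the `maas-api-tls` secret, which are `tls.crt` and `ca.crt` alongside `tls.key`, so the Job would pass non-existent paths to `maas config-tls enable`. The `maas-tls` mount additionally sets `subPath: tls`, which selects a single secret key named `tls` instead of mounting the secret as a directory, so `/etc/maas/tls` would not contain the files at all; drop the `subPath` and mount the whole secret. Because `restartPolicy: OnFailure` re-runs the container until the command succeeds, these path errors surface as a crash loop rather than a clear failure. `images.tags.bootstrap` is referenced for this container but is not among the image tags visible in the values hunk on this page; confirm it is defined.
```yaml
          env:
            - name: MAAS_TLS_KEY
              value: /etc/maas/tls/tls.key
            - name: MAAS_TLS_CERT
              value: /etc/maas/tls/tls.crt
            - name: MAAS_CA_CERT
              value: /etc/maas/tls/ca.crt
# … unchanged: command, maas-bin and maas-etc volumeMounts …
            - name: maas-tls
              mountPath: /etc/maas/tls
              readOnly: true
# … unchanged: volumes …
```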


@ -96,7 +96,7 @@ manifests:
images:
tags:
db_init: docker.io/postgres:9.5
db_init: docker.io/postgres:14.5
db_sync: quay.io/airshipit/maas-region-controller:latest
maas_rack: quay.io/airshipit/maas-rack-controller:latest
maas_region: quay.io/airshipit/maas-region-controller:latest
@ -104,9 +104,9 @@ images:
export_api_key: quay.io/airshipit/maas-region-controller:latest
maas_cache: quay.io/airshipit/sstream-cache:latest
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
ingress: k8s.gcr.io/ingress-nginx/controller:v1.2.0
ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
error_pages: k8s.gcr.io/defaultbackend-amd64:1.5
maas_syslog: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent
local_registry:
@ -231,6 +231,7 @@ conf:
maas:
override:
append:
enable_tls: false
url:
maas_url: null
ingress_disable_gui: false
@ -258,8 +259,8 @@ conf:
proxy_server: null
images:
default_os: 'ubuntu'
default_image: 'bionic'
default_kernel: 'ga-18.04'
default_image: 'focal'
default_kernel: 'ga-20.04'
credentials:
secret:
namespace: maas
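Review bot: `enable_tls: false` is added under `conf.maas` without a comment, while turning it on pulls in cert-manager Certificate resources, an issuer that must be named `ca-issuer`, a new Job and an ingress TLS stanza — none of which a reader of values.yaml can discover. A comment above the key such as `# When true: issue cert-manager certificates (requires an Issuer named ca-issuer in the release namespace), run the maas-enable-tls job, and terminate TLS on the region ingress` records the prerequisites. The `db_init` image jump from `postgres:9.5` to `postgres:14.5` is several major PostgreSQL releases; if the same tag is used for a data-bearing database in this chart, a note on the upgrade path for existing volumes belongs here too.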


@ -22,6 +22,6 @@ index e99b807ce..8f56dc77a 100644
ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"):


@ -7,6 +7,6 @@ index 27f63545a..9c39d577e 100644
]
ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32)
def detect_missing_packages(self):
# no required packages


@ -4,9 +4,9 @@ index 3a3f9f89b..1eb273816 100644
+++ b/src/twisted/web/server.py
@@ -174,7 +174,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString())
# Resource Identification


@ -0,0 +1,80 @@
FROM ubuntu:18.04
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
isc-dhcp-server \
jq \
libvirt-bin \
patch \
software-properties-common \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/2.8 \
&& apt-get install -y \
maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# register ourselves with the region controller
COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored
COPY 2.8_nic_filter.patch /tmp/2.8_nic_filter.patch
COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
# Patch so maas knows that "BMC error" is retriable
COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
# echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
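Review bot: This retained 2.8 image uses a fixed `FROM ubuntu:18.04` and has no `apt-get upgrade` step, unlike the 3.0 Dockerfile in this same change, which takes `ARG FROM` and adds an upgrade layer, so the two images diverge in how base-image overrides and security updates are handled. If the 2.8 image is meant to stay buildable, mirror the `ARG FROM=ubuntu:18.04` / `FROM ${FROM}` header and the upgrade step; if it is frozen for legacy deployments, say so in a top-of-file comment so nobody expects it to receive updates. The retained 2.8 region Dockerfile further down this page has the same gap.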


@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller


@ -1,4 +1,4 @@
ARG FROM=ubuntu:18.04
ARG FROM=ubuntu:20.04
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
@ -18,57 +18,60 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1
RUN apt-get -qq update \
&& apt-get install -y \
&& apt-get install -y \
avahi-daemon \
isc-dhcp-server \
jq \
libvirt-bin \
libvirt-daemon-system \
libvirt-clients \
patch \
software-properties-common \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/2.8 \
&& apt-get install -y \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \
&& apt-get install -y \
maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/*
&& rm -rf /var/lib/apt/lists/*
# Update latest packages, including security updates
RUN apt-get -qq update \
&& apt-get upgrade -y
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# register ourselves with the region controller
COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
COPY register-rack-controller.service /lib/systemd/system/register-rack-controller.service
RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored
COPY 2.8_nic_filter.patch /tmp/2.8_nic_filter.patch
COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
COPY nic_filter.patch /tmp/nic_filter.patch
# Patch so maas knows that "BMC error" is retriable
COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
COPY ipmi_error.patch /tmp/ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
COPY redfish_retries.patch /tmp/redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/redfish_retries.patch
# echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
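Review bot: The new `RUN apt-get -qq update && apt-get upgrade -y` layer leaves `/var/lib/apt/lists` in the image and, more importantly, an unpinned upgrade can move `maas-rack-controller` off the `$MAAS_VERSION` pin if the PPA publishes a newer build between the two layers. Holding the package before upgrading and cleaning the lists keeps the pin meaningful: `RUN apt-mark hold maas-rack-controller && apt-get -qq update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*`. The `2.8_secure_headers.patch`, which stripped the `Server` header from Twisted responses, is dropped here without a 3.0 equivalent; if that hardening is still wanted, a rebased patch or a comment at the `# Patch` block explaining why it no longer applies is needed. The region 3.0 Dockerfile below has the same upgrade layer and the same dropped patch.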


@ -0,0 +1,27 @@
diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
index 70201e86e..26625e21d 100644
--- a/src/provisioningserver/drivers/power/ipmi.py
+++ b/src/provisioningserver/drivers/power/ipmi.py
@@ -155,6 +155,13 @@ IPMI_ERRORS = {
),
"exception": PowerConnError,
},
+ "BMC error": {
+ "message": (
+ "Device not responding correctly while performing power action."
+ " MAAS performed several retries. Please wait and try again."
+ ),
+ "exception": PowerConnError,
+ },
"could not find inband device": {
"message": (
"An inband device could not be found."
@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver):
),
]
ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"):


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target


@ -0,0 +1,12 @@
diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
index 7895227c4..df83836f3 100644
--- a/src/provisioningserver/utils/network.py
+++ b/src/provisioningserver/utils/network.py
@@ -1128,6 +1128,7 @@ def get_all_interfaces_definition(
# interfaces for guests. By themselves, they're not useful for MAAS to
# manage.
"tunnel",
+ "ethernet",
]
if not running_in_container():
# When not running in a container, we should be able to identify


@ -0,0 +1,12 @@
diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
index 19d9ecd88..0075997dd 100644
--- a/src/provisioningserver/drivers/power/redfish.py
+++ b/src/provisioningserver/drivers/power/redfish.py
@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
]
ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32)
def detect_missing_packages(self):
# no required packages


@ -0,0 +1,12 @@
[Unit]
Description=Register with MaaS Region Controller
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH
ExecStart=/usr/local/bin/register-rack-controller.sh
[Install]
WantedBy=multi-user.target
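Review bot: `PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH` forwards two secrets through the service manager into the script's process environment, where they are readable from `/proc/<pid>/environ` by the same user or root and are easily captured by shell tracing or crash output. If `register-rack-controller.sh` can read them from a file, `EnvironmentFile=` pointing at a root-only file or a mounted secret path keeps them out of the unit environment; either way a comment above the line naming which of these variables are secrets helps whoever maintains the script. The script itself is outside this page, so how it consumes the variables cannot be confirmed here.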


@ -4,8 +4,8 @@ index 13188ecb8..7b3dad4d4 100755
+++ b/src/metadataserver/user_data/templates/snippets/maas_ipmi_autodetect.py
@@ -235,8 +235,30 @@ def make_ipmi_user_settings(username, password):
return user_settings
+def configure_ipmi_user_with_backoff(username):
+ """Create/configure an IPMI user, but with several tries"""
+ attempt = 1
@ -45,15 +45,15 @@ index 13188ecb8..7b3dad4d4 100755
+ raise IPMIError(
+ "Unable to set BMC password:\n{}".format(exceptions_caught)
+ )
def set_ipmi_lan_channel_settings():
@@ -389,7 +413,7 @@ def main():
IPMI_MAAS_USER = args.maas_ipmi_user
IPMI_MAAS_PASSWORD = None
- IPMI_MAAS_PASSWORD = configure_ipmi_user(IPMI_MAAS_USER)
+ IPMI_MAAS_PASSWORD = configure_ipmi_user_with_backoff(IPMI_MAAS_USER)
# Attempt to enable IPMI Over Lan. If it is disabled, MAAS won't
# be able to remotely communicate to the BMC.


@ -3,8 +3,8 @@ index f8ca88467..530bc7d15 100755
--- a/src/metadataserver/user_data/templates/snippets/maas_ipmi_autodetect_tool.py
+++ b/src/metadataserver/user_data/templates/snippets/maas_ipmi_autodetect_tool.py
@@ -33,7 +33,11 @@ def detect_ipmi():
def is_host_moonshot():
- output = subprocess.check_output(["ipmitool", "raw", "06", "01"])
+ (status, output) = subprocess.getstatusoutput(


@ -16,6 +16,5 @@ index f92529265..542970009 100644
+ # secret and set it in the database (set_config function)
+ secret = secret_on_fs
+ Config.objects.set_config("rpc_shared_secret", to_hex(secret))
return secret


@ -3,7 +3,7 @@ index 99a3ce309..2a9e72d88 100644
--- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py
@@ -308,7 +308,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source):
"""Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source}
@ -12,6 +12,6 @@ index 99a3ce309..2a9e72d88 100644
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self, version=1):
"""Generate the various addresses needed for this interface."""


@ -4,9 +4,9 @@ index 3a3f9f89b..1eb273816 100644
+++ b/src/twisted/web/server.py
@@ -174,7 +174,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString())
# Resource Identification


@ -0,0 +1,88 @@
FROM ubuntu:18.04
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
jq \
patch \
software-properties-common \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/2.8 \
&& apt-get install -y \
maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor
tcpdump \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds
COPY 2.8_route.patch /tmp/2.8_route.patch
COPY 2.8_kernel_package.patch /tmp/2.8_kernel_package.patch
COPY 2.8_bios_grub_partition.patch /tmp/2.8_bios_grub_partition.patch
# sh8121att: allow all requests via the proxy to allow it to work
# behind ingress
COPY 2.8_proxy_acl.patch /tmp/2.8_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 2.8_configure_ipmi_user.patch /tmp/2.8_configure_ipmi_user.patch
COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch
COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch
# Avoid enlistment failures due to exceptions during moonshot detect attempts
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/2.8_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/2.8_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_ipmi_autodetect.py < /tmp/2.8_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/2.8_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
# echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]


@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target


@ -1,4 +1,4 @@
ARG FROM=ubuntu:18.04
ARG FROM=ubuntu:20.04
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
@ -18,10 +18,10 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 2.8.7-8611-g.f2514168f-0ubuntu1~18.04.1
ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1
RUN apt-get -qq update \
&& apt-get install -y \
&& apt-get install -y \
avahi-daemon \
jq \
patch \
@ -29,51 +29,53 @@ RUN apt-get -qq update \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/2.8 \
&& apt-get install -y \
# NOTE: required for maas-syslog
# Error: failed to create containerd task:
# failed to create shim: OCI runtime create failed: container_linux.go:380:
# starting container process caused: exec: "cron":
# executable file not found in $PATH: unknown
cron \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \
&& apt-get install -y \
maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor
tcpdump \
&& rm -rf /var/lib/apt/lists/*
&& rm -rf /var/lib/apt/lists/*
# Update latest packages, including security updates
RUN apt-get -qq update \
&& apt-get upgrade -y
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds
COPY 2.8_route.patch /tmp/2.8_route.patch
COPY 2.8_kernel_package.patch /tmp/2.8_kernel_package.patch
COPY 2.8_bios_grub_partition.patch /tmp/2.8_bios_grub_partition.patch
COPY route.patch /tmp/route.patch
COPY kernel_package.patch /tmp/kernel_package.patch
COPY bios_grub_partition.patch /tmp/bios_grub_partition.patch
# sh8121att: allow all requests via the proxy to allow it to work
# behind ingress
COPY 2.8_proxy_acl.patch /tmp/2.8_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 2.8_configure_ipmi_user.patch /tmp/2.8_configure_ipmi_user.patch
COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch
COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch
# Avoid enlistment failures due to exceptions during moonshot detect attempts
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
COPY proxy_acl.patch /tmp/proxy_acl.patch
COPY region_secret_rotate.patch /tmp/region_secret_rotate.patch
COPY partitiontable_does_not_exists.patch /tmp/partitiontable_does_not_exists.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/2.8_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/2.8_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_ipmi_autodetect.py < /tmp/2.8_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/2.8_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/route.patch
# RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/kernel_package.patch
# RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/partitiontable_does_not_exists.patch
# echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
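Review bot: `kernel_package.patch` and `bios_grub_partition.patch` are still copied into the image, but the `RUN ... patch` lines that apply them are commented out, so the two COPY lines are dead and the workarounds are silently not in effect on 3.0 with no record of whether they were found unnecessary or simply not yet rebased. Either remove the two COPY lines and the patch files, or replace the commented RUNs with a comment such as `# kernel_package.patch / bios_grub_partition.patch: not applied on 3.0 — <reason>`. The `configure_ipmi_user`, `secure_headers` and `maas_ipmi_autodetect_tool` patches are likewise dropped without a replacement or a note. The new unpinned `apt-get upgrade -y` layer can also move `maas-region-api` off its `$MAAS_VERSION` pin; `apt-mark hold maas-region-api` before the upgrade, and `rm -rf /var/lib/apt/lists/*` after it, keep the pin meaningful and the layer clean.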


@ -0,0 +1,15 @@
diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
index 84a8fba98..50f6d915f 100644
--- a/src/maasserver/models/partition.py
+++ b/src/maasserver/models/partition.py
@@ -205,7 +205,9 @@ class Partition(CleanSave, TimestampedModel):
block_device = self.partition_table.block_device
need_prep_partition = (
- arch == "ppc64el" and block_device.id == boot_disk.id
+ arch == "amd64"
+ and bios_boot_method != "uefi"
+ and block_device.id == boot_disk.id
)
need_bios_grub = (
arch == "amd64"
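Review bot: The rewritten `need_prep_partition` condition at the `+` lines drops the `arch == "ppc64el"` test entirely, so if this patch were applied, ppc64el boot disks would appear to lose their PReP partition while amd64 legacy-BIOS boot disks would gain one on top of the `need_bios_grub` partition computed just below. The region Dockerfile in this same commit leaves the `bios_grub_partition.patch` apply step commented out, so the file is currently dead, but a future uncommenting would ship that behaviour unnoticed. If the intent is to add a PReP partition for amd64 non-UEFI without removing it for ppc64el, keep the original clause: `(arch == "ppc64el" or (arch == "amd64" and bios_boot_method != "uefi")) and block_device.id == boot_disk.id`. `bios_boot_method` is not bound in the visible hunk lines, so confirm it is defined earlier in the method, which starts outside the hunk.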


@ -0,0 +1,31 @@
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
index c69296983..5b63327b1 100644
--- a/src/maasserver/preseed.py
+++ b/src/maasserver/preseed.py
@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node):
if node.get_osystem() == "custom":
return []
+ # previous logic to retrieve kpackage parameter
kpackage = BootResource.objects.get_kpackage_for_node(node)
+
+ # determine if this node has kernel parameters applied by drydock
+ # and override kpackage if we discover the right properties
+ kernel_opt_tag = "%s_kp" % (node.hostname)
+ if kernel_opt_tag in node.tag_names():
+
+ # the tag exists, retrieve it
+ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts
+
+ # parse the string and find our package param value
+ # e.g. kernel_package=linux-image-4.15.0-34-generic
+ kparams = kernel_opts.split()
+ kdict = dict(
+ kparam.split("=", 1) for kparam in kparams if "=" in kparam
+ )
+ if "kernel_package" in kdict:
+ kpackage = kdict["kernel_package"]
+
if kpackage:
kernel_config = {"kernel": {"package": kpackage, "mapping": {}}}
return [yaml.safe_dump(kernel_config)]
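Review bot: `node.tags.get(name=kernel_opt_tag).kernel_opts` is split without a None guard; if the Tag model allows a null `kernel_opts` (it is optional in MAAS as far as I recall), a `<hostname>_kp` tag with no options raises `AttributeError` inside preseed generation. Make the parse tolerant with `kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts or ""`. It is also worth a comment next to the lookup that the package name is taken verbatim from an admin-controlled tag and handed to curtin's `kernel.package` without validation, so the trust assumption is explicit. The region Dockerfile in this commit leaves `kernel_package.patch` commented out, so none of this is active until that step is re-enabled.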


@ -0,0 +1,13 @@
diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
index dd1b4316c..235c03f45 100644
--- a/src/maasserver/api/partitions.py
+++ b/src/maasserver/api/partitions.py
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):
device = BlockDevice.objects.get_block_device_or_404(
system_id, device_id, request.user, NodePermission.view
)
- partition_table = device.partitiontable_set.get()
+ partition_table = device.get_partitiontable()
if partition_table is None:
return []
else:


@ -0,0 +1,10 @@
18,24c18
< http_access allow maas_proxy_manager localhost
< http_access deny maas_proxy_manager
< http_access deny !Safe_ports
< http_access deny CONNECT !SSL_ports
< http_access allow localnet
< http_access allow localhost
< http_access deny all
---
> http_access allow all
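Review bot: Replacing the squid access list with a single `http_access allow all` turns the MAAS proxy into an open proxy: the dropped lines are exactly the `deny !Safe_ports`, `deny CONNECT !SSL_ports`, `allow localnet`/`localhost` and final `deny all` rules, so any client that can reach the proxy port (the chart values later in this commit expose a `region_proxy` port 8000) can relay arbitrary HTTP and CONNECT traffic through the controller whenever the proxy is enabled. This carries the 2.8 patch forward unchanged, but it deserves a second look rather than a copy. If the goal is to admit deploying nodes on subnets squid's `localnet` ACL does not cover, keep the port restrictions and the final deny and add the node networks explicitly, e.g. `acl maas_nodes src <node-cidrs>` followed by `http_access allow maas_nodes` placed above `http_access deny all`. At minimum the patch should carry a header comment explaining why the ACLs are removed and what limits reachability of the port.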


@ -0,0 +1,20 @@
diff --git a/src/maasserver/security.py b/src/maasserver/security.py
index a9420e504..a8399f1a4 100644
--- a/src/maasserver/security.py
+++ b/src/maasserver/security.py
@@ -96,11 +96,11 @@ def get_shared_secret_txn():
elif secret_in_db == secret_on_fs:
secret = secret_in_db # or secret_on_fs.
else:
- raise AssertionError(
- "The secret stored in the database does not match the secret "
- "stored on the filesystem at %s. Please investigate."
- % get_shared_secret_filesystem_path()
- )
+ # (nk613n): When we rotate secrets we only update the filesystem
+ # so if the secrets don't match we will default to the FS
+ # secret and set it in the database (set_config function)
+ secret = secret_on_fs
+ Config.objects.set_config("rpc_shared_secret", to_hex(secret))
return secret
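Review bot: The replaced `AssertionError` was the only signal that the database and filesystem copies of the RPC shared secret had diverged; the new code silently makes the filesystem copy authoritative and writes it into the database, so anyone able to write the secret file inside the region pod can rotate the cluster-wide rack/region RPC secret without leaving a trace. If filesystem-driven rotation is the intended workflow (per the `nk613n` comment), at least record it: emit a warning before the `set_config` call, e.g. `maaslog.warning("rpc_shared_secret on filesystem differs from database; adopting filesystem value")`, using whatever logger `security.py` already has in scope — its imports are not visible from the hunk. `get_shared_secret_txn` starts outside the hunk.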


@ -0,0 +1,17 @@
diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
index 7660feba1..dae412d01 100644
--- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py
@@ -308,7 +308,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source):
"""Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source}
+ return {
+ route
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self, version=1):
"""Generate the various addresses needed for this interface."""


@ -0,0 +1,48 @@
FROM ubuntu:18.04
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=bionic
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
RUN apt-get -qq update && \
apt install -y simplestreams \
apache2 \
gpgv \
ubuntu-cloudimage-keyring \
python-certifi --no-install-recommends \
file
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress
RUN sh -c 'echo "" > /etc/apache2/ports.conf'
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_PID_FILE /var/run/apache2.pid
ENV APACHE_RUN_DIR /var/run/
ENV APACHE_LOCK_DIR /var/lock
ENV APACHE_LOG_DIR /var/log/
ENV LANG C
ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"]


@ -1,4 +1,4 @@
ARG FROM=ubuntu:18.04
ARG FROM=ubuntu:20.04
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
@ -16,21 +16,28 @@ ARG https_proxy
ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=bionic
ARG SSTREAM_RELEASE=focal
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
RUN apt-get -qq update && \
apt install -y simplestreams \
apache2 \
gpgv \
ubuntu-cloudimage-keyring \
python-certifi --no-install-recommends \
file
apache2 \
gpgv \
ubuntu-cloudimage-keyring \
python-certifi --no-install-recommends \
file
# Update latest packages, including security updates
RUN apt-get -qq update \
&& apt-get upgrade -y
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress
/var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress
RUN sh -c 'echo "" > /etc/apache2/ports.conf'
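Review bot: The package list now installed on focal still names `python-certifi`, a Python 2 package; Ubuntu 20.04 ships `python3-certifi` and, as far as I recall, no longer carries the `python-` name, in which case this `apt install` fails the build — verify against the focal archive and switch to `python3-certifi` if so. The separate `RUN apt-get -qq update && apt-get upgrade -y` layer is a welcome addition for security updates, but neither layer clears the apt lists and the second `update` is redundant once they are merged; fold it into one `RUN ... && apt-get upgrade -y && apt-get clean && rm -rf /var/lib/apt/lists/*`. Note also that `FROM ${FROM}` with a floating `ubuntu:20.04` tag means the upgrade result differs between builds; pinning the base by digest would make the gate images reproducible.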


@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: primary
tasks:
- name: Deploy MAAS helm chart
shell: |
set -xe;
./tools/maas/00-packages.sh
./tools/maas/01-create-cluster.sh
./tools/maas/02-cert-manager.sh
./tools/maas/03-postgresql.sh
./tools/maas/04-load-images.sh
./tools/maas/05-maas.sh
args:
chdir: "{{ zuul.project.src_dir }}"
# environment:
# MAAS_REGION_CONTROLLER: ""
# MAAS_RACK_CONTROLLER: ""
# MAAS_SSTREAM_CACHE: ""
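Review bot: The whole deployment is a single `shell` task, so when any of the six scripts fails Ansible attributes the failure to one task and the preceding output has to be scrolled to find which stage broke; a `loop` over the script names (or one task per script) gives a named failure point for free. The commented-out `environment:` block references image variables that `04-load-images.sh` in this commit also leaves commented, so either wire both up or drop the dead block and state in a comment that the gate currently deploys registry images rather than the ones built in this change. Also `set -xe` traces every command, which is fine for CI today but will echo any credentials passed through the environment once that block is enabled.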

tools/maas/00-packages.sh Executable file

@ -0,0 +1,10 @@
#!/bin/sh
set -ex
# clone osh-infra
git clone https://opendev.org/openstack/openstack-helm-infra.git
# install packages
./openstack-helm-infra/tools/deployment/common/000-install-packages.sh
./openstack-helm-infra/tools/deployment/common/001-setup-apparmor-profiles.sh
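Review bot: `git clone https://opendev.org/openstack/openstack-helm-infra.git` pulls the tip of the default branch with no branch, tag or commit pin, and the next two lines run its package-install and apparmor scripts — which use sudo — so the gate executes whatever upstream happens to have merged that day as root. Pin it: `git clone --depth 1 --branch <tag-or-sha> https://opendev.org/openstack/openstack-helm-infra.git` (or clone and then `git -C openstack-helm-infra checkout <sha>`), and keep the pin next to the version variables in `01-create-cluster.sh` so they move together. The same checkout is reused by scripts 01–05 for the ingress, postgresql and ca-clusterissuer charts, so the pin guards the Helm charts deployed later as well.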

tools/maas/01-create-cluster.sh Executable file

@ -0,0 +1,206 @@
#!/bin/sh
set -ex
: "${HELM_VERSION:="v3.6.3"}"
: "${KUBE_VERSION:="v1.23.12"}"
: "${MINIKUBE_VERSION:="v1.25.2"}"
: "${CALICO_VERSION:="v3.20"}"
: "${YQ_VERSION:="v4.6.0"}"
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
: ${OSH_INFRA_EXTRA_HELM_ARGS_POSTGRESQL:=""}
export DEBCONF_NONINTERACTIVE_SEEN=true
export DEBIAN_FRONTEND=noninteractive
sudo swapoff -a
echo "DefaultLimitMEMLOCK=16384" | sudo tee -a /etc/systemd/system.conf
sudo systemctl daemon-reexec
# NOTE: Add docker repo
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
# Install required packages for K8s on host
wget -q -O- 'https://download.ceph.com/keys/release.asc' | sudo apt-key add -
RELEASE_NAME=$(grep 'CODENAME' /etc/lsb-release | awk -F= '{print $2}')
sudo add-apt-repository "deb https://download.ceph.com/debian-nautilus/
${RELEASE_NAME} main"
sudo -E apt-get update
sudo -E apt-get install -y \
docker-ce \
docker-ce-cli \
containerd.io=1.5.11-1 \
socat \
jq \
util-linux \
bridge-utils \
iptables \
conntrack \
libffi-dev \
ipvsadm \
make \
bc \
git-review \
notary \
ceph-common \
rbd-nbd \
nfs-common
# Prepare tmpfs for etcd when running on CI
# CI VMs can have slow I/O causing issues for etcd
# Only do this on CI (when user is zuul), so that local development can have a kubernetes
# environment that will persist on reboot since etcd data will stay intact
if [ "$USER" = "zuul" ]; then
sudo mkdir -p /var/lib/minikube/etcd
sudo mount -t tmpfs -o size=512m tmpfs /var/lib/minikube/etcd
fi
# Install YQ
wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64.tar.gz -O - | tar xz && sudo mv yq_linux_amd64 /usr/local/bin/yq
# Install minikube and kubectl
URL="https://storage.googleapis.com"
sudo -E curl -sSLo /usr/local/bin/minikube "${URL}"/minikube/releases/"${MINIKUBE_VERSION}"/minikube-linux-amd64
sudo -E curl -sSLo /usr/local/bin/kubectl "${URL}"/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/amd64/kubectl
sudo -E chmod +x /usr/local/bin/minikube
sudo -E chmod +x /usr/local/bin/kubectl
# Install Helm
TMP_DIR=$(mktemp -d)
sudo -E bash -c \
"curl -sSL https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 -C ${TMP_DIR}"
sudo -E mv "${TMP_DIR}"/helm /usr/local/bin/helm
rm -rf "${TMP_DIR}"
# NOTE: Deploy kubernetes using minikube. A CNI that supports network policy is
# required for validation; use calico for simplicity.
sudo -E minikube config set kubernetes-version "${KUBE_VERSION}"
sudo -E minikube config set vm-driver none
sudo -E minikube start \
--docker-env HTTP_PROXY="${HTTP_PROXY}" \
--docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
--docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
--network-plugin=cni \
--wait=apiserver,system_pods \
--apiserver-names="$(hostname -f)" \
--extra-config=controller-manager.allocate-node-cidrs=true \
--extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
--extra-config=kube-proxy.mode=ipvs \
--extra-config=apiserver.service-node-port-range=1-65535 \
--extra-config=kubelet.cgroup-driver=systemd \
--extra-config=kubelet.resolv-conf=/run/systemd/resolve/resolv.conf \
--feature-gates=RemoveSelfLink=false \
--embed-certs
sudo -E systemctl enable --now kubelet
sudo -E minikube addons list
curl -LSs https://docs.projectcalico.org/archive/"${CALICO_VERSION}"/manifests/calico.yaml -o /tmp/calico.yaml
sed -i -e 's#docker.io/calico/#quay.io/calico/#g' /tmp/calico.yaml
# Download images needed for calico before applying manifests, so that `kubectl wait` timeout
# for `k8s-app=kube-dns` isn't reached by slow download speeds
awk '/image:/ { print $2 }' /tmp/calico.yaml | xargs -I{} sudo docker pull {}
kubectl apply -f /tmp/calico.yaml
# Note: Patch calico daemonset to enable Prometheus metrics and annotations
tee /tmp/calico-node.yaml <<EOF
spec:
template:
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9091"
spec:
containers:
- name: calico-node
env:
- name: FELIX_PROMETHEUSMETRICSENABLED
value: "true"
- name: FELIX_PROMETHEUSMETRICSPORT
value: "9091"
- name: FELIX_IGNORELOOSERPF
value: "true"
EOF
kubectl -n kube-system patch daemonset calico-node --patch "$(cat /tmp/calico-node.yaml)"
kubectl get pod -A
kubectl -n kube-system get pod -l k8s-app=kube-dns
# NOTE: Wait for dns to be running.
# END=$(($(date +%s) + 240))
# until kubectl --namespace=kube-system \
# get pods -l k8s-app=kube-dns --no-headers -o name | grep -q "^pod/coredns"; do
# NOW=$(date +%s)
# [ "${NOW}" -gt "${END}" ] && exit 1
# echo "still waiting for dns"
# sleep 10
# done
# kubectl -n kube-system wait --timeout=240s --for=condition=Ready pods -l k8s-app=kube-dns
# add node labels
kubectl label node --all openstack-control-plane=enabled --overwrite
kubectl label node --all ucp-control-plane=enabled --overwrite
# create maas namespace
kubectl create namespace ucp --dry-run=client -o yaml | kubectl apply -f -
# configure storageclass
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: general
labels:
addonmanager.kubernetes.io/mode: EnsureExists
provisioner: k8s.io/minikube-hostpath
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
# deploy ingress
cat <<EOF >/tmp/ingress.yaml
controller:
admissionWebhooks:
enabled: false
config:
enable-underscores-in-headers: "true"
ssl-reject-handshake: "true"
ingressClass: maas-ingress
ingressClassByName: true
ingressClassResource:
controllerValue: k8s.io/maas-ingress
enabled: true
name: maas-ingress
kind: DaemonSet
nodeSelector:
ucp-control-plane: enabled
defaultBackend:
enabled: true
nodeSelector:
ucp-control-plane: enabled
fullnameOverride: maas-ingress
udp:
"53": ucp/maas-region:region-dns
"514": ucp/maas-syslog:syslog
EOF
helm dependency update ./openstack-helm-infra/ingress
helm upgrade --install ingress-ucp ./openstack-helm-infra/ingress \
--namespace=ucp \
--values /tmp/ingress.yaml \
${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
./openstack-helm-infra/tools/deployment/common/wait-for-pods.sh ucp
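Review bot: Every tool the script installs — yq from GitHub, minikube and kubectl from storage.googleapis.com, helm from get.helm.sh — is downloaded and then executed (mostly via `sudo`) without any checksum or signature check, and `sudo apt-key fingerprint 0EBFCD88` only prints the Docker key's fingerprint rather than asserting it. Kubernetes and Helm publish a checksum file beside each release artifact, and `KUBE_VERSION`/`HELM_VERSION` are already pinned, so verifying costs a few lines as sketched below; minikube and yq can be handled the same way once the matching checksum URLs are confirmed. `apt-key` is deprecated on focal in favour of a keyring file referenced with `signed-by=` in the sources entry. Separately, `--feature-gates=RemoveSelfLink=false` is removed in Kubernetes 1.24 and will break the next `KUBE_VERSION` bump, which deserves a comment next to it.

```shell
# … unchanged: package install, etcd tmpfs, yq install …
URL="https://storage.googleapis.com"
KUBECTL_URL="${URL}/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubectl"
sudo -E curl -sSLo /usr/local/bin/minikube "${URL}"/minikube/releases/"${MINIKUBE_VERSION}"/minikube-linux-amd64
sudo -E curl -sSLo /usr/local/bin/kubectl "${KUBECTL_URL}"
# verify kubectl against the checksum published beside the binary
echo "$(curl -sSL "${KUBECTL_URL}.sha256")  /usr/local/bin/kubectl" | sha256sum --check --strict
# … unchanged: chmod +x …
TMP_DIR=$(mktemp -d)
HELM_TGZ="helm-${HELM_VERSION}-linux-amd64.tar.gz"
curl -sSLo "${TMP_DIR}/${HELM_TGZ}" "https://get.helm.sh/${HELM_TGZ}"
curl -sSLo "${TMP_DIR}/${HELM_TGZ}.sha256sum" "https://get.helm.sh/${HELM_TGZ}.sha256sum"
( cd "${TMP_DIR}" && sha256sum --check --strict "${HELM_TGZ}.sha256sum" )
tar -zxv --strip-components=1 -C "${TMP_DIR}" -f "${TMP_DIR}/${HELM_TGZ}"
sudo -E mv "${TMP_DIR}"/helm /usr/local/bin/helm
rm -rf "${TMP_DIR}"
# … unchanged: minikube start, calico, labels, storageclass, ingress …
```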

tools/maas/02-cert-manager.sh Executable file

@ -0,0 +1,37 @@
#!/bin/sh
set -ex
# deploy cert-manager
helm upgrade --install cert-manager cert-manager \
--repo=https://charts.jetstack.io \
--namespace=cert-manager \
--create-namespace \
--set installCRDs=true
./openstack-helm-infra/tools/deployment/common/wait-for-pods.sh cert-manager
# generate ca cert
openssl req -x509 \
-sha256 -days 356 \
-nodes \
-newkey rsa:2048 \
-subj "/CN=MAAS CA" \
-keyout /tmp/tls.key \
-out /tmp/tls.crt
kubectl create secret generic \
--namespace=cert-manager \
--from-file=/tmp/tls.key \
--from-file=/tmp/tls.crt \
ca-clusterissuer-creds \
--dry-run=client -o yaml | kubectl apply -f -
# deploy cluster-ca-issuer
helm dependency update ./openstack-helm-infra/ca-clusterissuer
helm upgrade --install cluster-issuer \
--namespace=cert-manager \
./openstack-helm-infra/ca-clusterissuer \
--set conf.ca.issuer.name=ca-issuer \
--set conf.ca.secret.name=ca-clusterissuer-creds \
--set manifests.secret_ca=false
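Review bot: The CA private key is generated with `-nodes` into `/tmp/tls.key` and never removed after `kubectl create secret` has read it, so a plaintext signing key for every certificate the cluster issuer mints outlives the script on the CI host; and `-days 356` reads like a typo for 365. Write the pair into a private scratch directory and delete it once the secret is applied: `CA_DIR=$(mktemp -d)`, use `"${CA_DIR}/tls.key"` / `"${CA_DIR}/tls.crt"` in both the `openssl` and `kubectl` invocations, and finish with `rm -rf "${CA_DIR}"`. A short header comment stating that this self-signed CA is for the throw-away gate cluster only, not a pattern for site deployments, would help anyone who copies the script.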

tools/maas/03-postgresql.sh Executable file

@ -0,0 +1,19 @@
#!/bin/sh
set -ex
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
: ${OSH_INFRA_EXTRA_HELM_ARGS_POSTGRESQL:="$(./tools/deployment/common/get-values-overrides.sh postgresql)"}
# deploy postgresql
helm dependency update ./openstack-helm-infra/postgresql
helm upgrade --install postgresql ./openstack-helm-infra/postgresql \
--namespace=ucp \
--set monitoring.prometheus.enabled=true \
--set storage.pvc.size=1Gi \
--set storage.pvc.enabled=true \
--set pod.replicas.server=1 \
${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_POSTGRESQL}
./openstack-helm-infra/tools/deployment/common/wait-for-pods.sh ucp
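Review bot: The default for `OSH_INFRA_EXTRA_HELM_ARGS_POSTGRESQL` runs `./tools/deployment/common/get-values-overrides.sh`, but the playbook executes these scripts from this repository's root, where that path does not exist — the sibling scripts reach the same helper under `./openstack-helm-infra/tools/deployment/common/`. Because the substitution sits inside a `:` parameter-default, the resulting "No such file" is not fatal under `set -e` and the overrides silently collapse to an empty string. Either point at `./openstack-helm-infra/tools/deployment/common/get-values-overrides.sh postgresql` (and confirm it resolves the values_overrides directory relative to its own chart tree rather than the current directory) or drop the default, since the chart is already deployed with explicit `--set` flags.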

tools/maas/04-load-images.sh Executable file

@ -0,0 +1,22 @@
#!/bin/sh
set -ex
# FIXME: container images
sudo -E docker image ls
# import region controller
# sudo -E docker image import \
# ${MAAS_REGION_CONTROLLER} \
# quay.io/airshipit/maas-region-controller:latest
# import rack controller
# sudo -E docker image import \
# ${MAAS_RACK_CONTROLLER} \
# quay.io/airshipit/maas-rack-controller:latest
# import sstream cache
# sudo -E docker image import \
# ${MAAS_SSTREAM_CACHE} \
# quay.io/airshipit/sstream-cache:latest
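Review bot: With every `docker image import` commented out this step only lists images, so the new `airship-maas-helm-deploy` job deploys whatever images the chart defaults to rather than the rack, region and sstream images built by this change; the gate therefore cannot catch a regression in the Dockerfiles it sits next to (and with `files: '^charts/.*'` it is not even triggered by Dockerfile changes). The `FIXME` should state this explicitly so nobody reads a green run as coverage of the new focal images. When it is wired up, note that `docker image import` creates a bare filesystem image without metadata (entrypoint, labels, env); for tarballs produced by `docker save`, `docker load` is the matching command.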

tools/maas/05-maas.sh Executable file

@ -0,0 +1,106 @@
#!/bin/sh
set -ex
# maas
cat <<EOF >/tmp/maas.yaml
conf:
cache:
enabled: true
cloudconfig:
override: true
sections:
bootcmd:
- rm -fr /var/lib/apt/lists
- sysctl net.ipv6.conf.all.disable_ipv6=1
- sysctl net.ipv6.conf.default.disable_ipv6=1
- sysctl net.ipv6.conf.lo.disable_ipv6=0
maas:
enable_tls: false
url:
maas_url: http://maas-region.ucp.svc.cluster.local/MAAS
credentials:
secret:
namespace: ucp
dns:
require_dnssec: "no"
dns_servers:
- 10.96.0.10
- 8.8.8.8
- 8.8.4.4
extra_settings:
active_discovery_interval: 0
enlist_commissioning: false
force_v1_network_yaml: true
network_discovery: disabled
images:
default_os: ubuntu
default_image: focal
default_kernel: ga-20.04
ntp:
disable_ntpd_rack: true
disable_ntpd_region: true
use_external_only: "true"
ntp_servers:
- 209.115.181.110
- 216.197.228.230
- 207.210.46.249
- 216.232.132.95
proxy:
peer_proxy_enabled: false
proxy_enabled: false
system_passwd: null
system_user: null
syslog:
log_level: DEBUG
maas_region:
host_fqdn_override:
default: null
public:
host: maas.ucp.svc.cluster.local
hosts:
default: maas-region
name: maas-region
path:
default: /MAAS
port:
region_api:
default: 80
nodeport: 31900
podport: 5240
public: 80
region_proxy:
default: 8000
scheme:
default: http
maas_syslog:
host_fqdn_override:
public:
host: maas.ucp.svc.cluster.local
manifests:
configmap_ingress: false
maas_ingress: false
network:
proxy:
node_port:
enabled: false
pod:
replicas:
rack: 1
region: 1
syslog: 1
endpoints:
maas_ingress:
hosts:
default: ingress
error_pages: ingress-error-pages
monitor: ingress-exporter
EOF
# deploy maas
helm upgrade --install maas \
--namespace=ucp \
--values /tmp/maas.yaml \
./charts/maas
./openstack-helm-infra/tools/deployment/common/wait-for-pods.sh ucp
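Review bot: The gate values set `enable_tls: false`, an `http://` `maas_url`, `require_dnssec: "no"`, hard-coded public NTP addresses and `log_level: DEBUG`, none of which is flagged as gate-only; a header comment such as `# Gate-only overrides: TLS and DNSSEC disabled, DEBUG logging on, for a throw-away single-node cluster — do not copy into site values` would keep this file from becoming a template. The four bare NTP IPs (`209.115.181.110` and friends) are opaque and will rot; a hostname such as `ntp.ubuntu.com` or a pool name documents intent and survives address changes. `system_passwd: null` / `system_user: null` under `proxy` also merit a one-line comment on what the chart does when they are unset, since a reader cannot tell whether null disables proxy auth or defers to a chart default.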