DC cert manifest should only apply to controller nodes on system
controller.
This fix is for DC with worker nodes in central cloud.
Change-Id: I4233509a6f0afb3013c01e81dea6f655d9e15371
Closes-Bug: 1878260
Signed-off-by: Bin Qian <bin.qian@windriver.com>
Subcloud audit is being removed from the dcmanager-manager
process and it is running in the dcmanager-audit process.
This update adds associated puppet config.
Story: 2007267
Task: 39640
Depends-On: https://review.opendev.org/#/c/725627/
Change-Id: Idd2e675126a01d6113597646ddd9eb4a0bc5be44
Signed-off-by: Tao Liu <tao.liu@windriver.com>
Set the stream_server_address to bind to the loopback interface with a
value of "127.0.0.1" for IPv4 and "::1" for IPv6.
Without setting the stream_server_address in config.toml, containerd was
binding to the OAM interface. Under most situations this resulted in
containerd binding to the OAM fixed host address. But in an IPv6
configuration there were occasions where after controller-0 unlock, the
OAM floating IP would be used. When this happened, swacting away from
controller-0 would move the OAM floating IP to controller-1 and break
access to containers residing on controller-0.
This will explicitly update the containerd configuration to use the IP
address of the loopback interface based on the system's network
configuration.
This also removes any security concerns with containerd binding to the
OAM interface.
Change-Id: I0f914d738e94b525cf217712675d3b4575817d1d
Depends-On: https://review.opendev.org/#/c/725394/
Closes-Bug: #1875891
Signed-off-by: Robert Church <robert.church@windriver.com>
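The containerd change above sets `stream_server_address` to the loopback address so the CRI stream server (the endpoint the kubelet proxies `exec`/`attach`/`port-forward` traffic to) is no longer reachable on the OAM interface. The following is an added audit helper, not code from the stx-puppet change or from containerd: it reads a `config.toml` fragment, finds `stream_server_address` in the `plugins."io.containerd.grpc.v1.cri"` table, and reports whether the bind is loopback for the address family in use. The TOML fragments and the `10.10.10.3` address are constructed for the example; treating an unset value as "derived from the default route interface" follows the behaviour the commit message describes.

```python
"""Audit the containerd CRI stream server bind address (added example)."""
import ipaddress
import re
from typing import Dict, Optional

CRI_SECTION = 'plugins."io.containerd.grpc.v1.cri"'

# Constructed config.toml fragments (not from the project).
CONFIG_BINDING_OAM = """\
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "10.10.10.3"
  stream_server_port = "0"
"""

CONFIG_BINDING_LOOPBACK_V6 = """\
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "::1"
"""

CONFIG_UNSET = """\
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_port = "0"
"""

SECTION_RE = re.compile(r'^\s*\[(.+?)\]\s*$')
ADDR_RE = re.compile(r'^\s*stream_server_address\s*=\s*"([^"]*)"\s*$')


def stream_server_address(toml_text: str) -> Optional[str]:
    """Return the stream_server_address inside the CRI table, or None if unset.

    A minimal line-oriented scan is enough here: the key is a plain string
    and we only care about one table.
    """
    in_cri = False
    for line in toml_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_cri = m.group(1).strip() == CRI_SECTION
            continue
        if in_cri:
            m = ADDR_RE.match(line)
            if m:
                return m.group(1)
    return None


def is_loopback_bind(addr: Optional[str]) -> bool:
    """True only for an explicit loopback literal (127.0.0.1, ::1, 127.x.x.x).

    None/empty means containerd derives an address from the default-route
    interface (the OAM interface in the scenario described above), so it is
    reported as not loopback.
    """
    if not addr:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def recommended_setting(family: str) -> str:
    """The config.toml line that pins the stream server to loopback."""
    value = "::1" if family == "ipv6" else "127.0.0.1"
    return f'stream_server_address = "{value}"'


def audit(toml_text: str, family: str) -> Dict[str, Optional[str]]:
    """Summarise the current bind and, when it is not loopback, the fix."""
    current = stream_server_address(toml_text)
    ok = is_loopback_bind(current)
    return {
        "current": current,
        "ok": ok,
        "fix": None if ok else recommended_setting(family),
    }


if __name__ == "__main__":
    for name, cfg in [("oam", CONFIG_BINDING_OAM), ("v6", CONFIG_BINDING_LOOPBACK_V6),
                      ("unset", CONFIG_UNSET)]:
        print(name, audit(cfg, "ipv6"))
```

On a live node the same check can be run over `/etc/containerd/config.toml`; a non-loopback or unset result means the stream server is answering on a host interface and should be corrected before the node is unlocked.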
A new version of pylint was released on April 25
and it is breaking zuul jobs so submissions cannot merge.
Clamping pylint to be less than 2.5.0 for now.
Change-Id: Ibd62a5d67bf8f37119b612a274c2d472a3474859
Partial-Bug: 1875705
Signed-off-by: albailey <Al.Bailey@windriver.com>
The filesystem /opt/patch-vault is renamed to /opt/dc-vault so that
it can be re-used to store FPGA images and software loads. Thus,
necessary changes have been made in the puppet manifests.
Story: 2006740
Task: 39550
Depends-On: https://review.opendev.org/#/c/723007/
Change-Id: I26055b12e7bd241adb072c609f72b8d113b4a20e
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
The option was introduced in k8s v1.17 and will now be used to define
the explicit set of CPUs that are reserved for specific cpu functions in
StarlingX.
This retires setting the number of CPUs reserved in the --kube-reserved
and --system-reserved options.
Change-Id: I1a3d4e4cca7b6940682a787c2e7348e56a047a06
Story: 2006999
Task: 39529
Signed-off-by: Robert Church <robert.church@windriver.com>
This commit adds a daily cron job to purge deleted orch
requests that are older than 3 days, their orch jobs
and resources from the dcorch database.
Story: 2007267
Task: 39044
Depends-On: https://review.opendev.org/720277
Change-Id: Ibc9f78ac89f4cc6706886a49062c3f5a6145cc9f
Signed-off-by: Tee Ngo <tee.ngo@windriver.com>
With this update https is enabled for platform services' admin endpoints
for System Controller and subclouds when the first controller is
unlocked.
The services with admin endpoints enabled are:
- fm
- patching
- vim
- smapi
- barbican
- keystone
- sysinv
- dcdbsync
- dcmanager
Change-Id: I45b3c541cdb6191dad6d3e2b3e9cf8a3398b3a1b
Story: 2007347
Task: 38891
Depends-On: https://review.opendev.org/#/c/720224/
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Create /opt/platform/deploy to host the deploy common files.
Partial-Bug: 1864508
Change-Id: Ifd40cb02d4a2ee17a05457b43c6227aaa069e01e
Signed-off-by: Tao Liu <tao.liu@windriver.com>
This commit adds a series of comments to the DRBD manifest
so that users making any changes to this manifest know to also
update the list of DRBD devices in the restore playbook.
Change-Id: Iae1d9d98391759669871b016721418922aa134ce
Partial-bug: 1854169
Signed-off-by: Stefan Dinescu <stefan.dinescu@windriver.com>
This is to install the DC admin endpoint certificate (pem).
This also installs the root CA into the trusted CAs, so as to trust the
certificates issued directly and indirectly by the DC root CA.
Story: 2007347
Task: 39430
Depends-on: https://review.opendev.org/720273
Change-Id: Ie242c6e833a574ff29562b468fff72352515d22a
Signed-off-by: Bin Qian <bin.qian@windriver.com>
The DAD (Duplicate Address Detection) mechanism keeps an
ipv6 network interface in tentative state until it finishes.
During this time no binding to this interface address is
possible and networking-dependent services fail to start.
Change-Id: I9cfa604a0d75400f6d3c7172b3b973b0d50c3578
Closes-bug: 1871638
Signed-off-by: Paul Vaduva <Paul.Vaduva@windriver.com>
The default behaviour of the "kubeadm upgrade apply" command is
to only allow upgrades to stable kubernetes versions. However,
for both testing purposes and for potential critical fixes in
the future, it may be necessary to upgrade to a release
candidate or other release that kubernetes deems as unstable.
Adding in the appropriate options when calling the "kubeadm
upgrade apply" command to make this possible.
Change-Id: I164caf495ee3680f549d651b97e7e502b1172c70
Story: 2006781
Task: 37578
Signed-off-by: Bart Wensley <barton.wensley@windriver.com>
Currently the dcdbsync instance for openstack is listening on port 8220.
Since the admin endpoint of the dcdbsync instance for platform has https
enabled and uses port 8220, the port of the dcdbsync instance for
openstack is updated to use 8229.
Change-Id: Ie3d60164e4e81de8e53ad452d4dbeab7ce4a5058
Story: 2007347
Task: 39409
Signed-off-by: Andy Ning <andy.ning@windriver.com>
When a data sync is triggered for a large number of subclouds (~100),
the sync fails for some subclouds due to database connection exhaustion.
In order to fix this issue, the limit on the number of database
connections has been increased.
Story: 2007267
Task: 38956
Change-Id: I88ed37ba3a143e3abee78a9f5584b16f17becc76
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
Enable the mechanism to upgrade the platform components on
a running StarlingX system with duplex controllers.
This includes upgrade updates for:
o migrate etcd on host-swact
Depends-On: https://review.opendev.org/#/c/717038/
Change-Id: Ife45253b46a9d58216d6cc943d7f4d40dd48b970
Story: 2007403
Task: 39246
Signed-off-by: John Kung <john.kung@windriver.com>
Enable check for raising timer interrupt only if one is pending.
This allows nohz full mode to operate properly on isolated cores.
Without it, ktimersoftd interferes with only one job being
on the run queue on that core, causing it to drop out of nohz.
If ktimer_lockless_check doesn't exist in the kernel, then no
error is reported, i.e. it just fails silently.
Closes-Bug: 1870456
Change-Id: I93d0fab3e9f4f56f9afb9bbfaa04882cf9068db5
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
This commit adds mandatory plugins automatically, without having the
user specify them through system service-parameters.
Story: 2007351
Task: 38897
Change-Id: Ia423bc3b7be241297d9d1c7a917ac308855c6114
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Prevent a double configuration of docker and containerd
for AIO scenarios.
Change-Id: I0cb9fdde5acf8d5d44d526e70ae4af726932709f
Closes-bug: 1869193
Signed-off-by: Paul Vaduva <Paul.Vaduva@windriver.com>
If containerd is started prior to networking providing a default route,
the containerd cri plugin will fail to load with the following message:
msg="failed to load plugin io.containerd.grpc.v1.cri" error="failed to
create CRI service: failed to create stream server: failed to get stream
server address: no default routes found in \"/proc/net/route\" or
\"/proc/net/ipv6_route\""
and the status of the plugin will be in 'error':
TYPE ID PLATFORMS STATUS
io.containerd.grpc.v1 cri linux/amd64 error
This will prevent any crictl image pulls from working.
This change will ensure the network config is applied prior to
configuring and restarting containerd.
Docker and containerd also have a dependency, so also ensure the
network config is applied prior to configuring and restarting
docker.
Change-Id: I94a3349b438816d21b147cbd62054862d07d8bee
Partial-Bug: #1868728
Signed-off-by: Robert Church <robert.church@windriver.com>
For ipv6 the only way to prefer the fixed ip for
outgoing connections is to set preferred_lft to 0 for
the floating ips.
Change-Id: I13573ac4628db1fc49146f353d7eb2c96eb1aff0
Closes-bug: 1856064
Signed-off-by: Paul Vaduva <Paul.Vaduva@windriver.com>
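Two of the IPv6 commits above hinge on address state visible in `ip -6 addr show`: the DAD change (an address stays `tentative` until detection finishes, and services cannot bind to it meanwhile) and the `preferred_lft 0` change (a floating address with a zero preferred lifetime is shown as `deprecated` and is not chosen as the source of outgoing connections). The following is an added example, not code from stx-puppet or from iproute2: a parser for that text output with helpers that list tentative addresses, list deprecated ones, report which global addresses remain source candidates, and poll until DAD has completed. The interface name and prefixes in the sample output are constructed.

```python
"""Inspect `ip -6 addr show` output for tentative/deprecated state (added example)."""
import re
import time
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sample output; interface name and prefixes are made up.
SAMPLE_IP6_ADDR = """\
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:0:0:1::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd00:0:0:1::2/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^(\d+): ([^:@\s]+)")
INET6_RE = re.compile(r"^\s+inet6 (\S+) scope (\S+)((?:\s+\w+)*)\s*$")
LFT_RE = re.compile(r"valid_lft (\S+) preferred_lft (\S+)")


@dataclass
class Ip6Addr:
    iface: str
    address: str                      # without the /prefix length
    scope: str
    flags: List[str] = field(default_factory=list)
    preferred_lft: str = "forever"

    @property
    def tentative(self) -> bool:
        # Set while DAD is still running; bind() fails until it clears.
        return "tentative" in self.flags

    @property
    def deprecated(self) -> bool:
        # iproute2 prints "deprecated" once preferred_lft has reached 0.
        return "deprecated" in self.flags or self.preferred_lft == "0sec"


def parse_ip6_addr(text: str) -> List[Ip6Addr]:
    """Turn `ip -6 addr show` text into Ip6Addr records."""
    addrs: List[Ip6Addr] = []
    iface = ""
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(2)
            continue
        m = INET6_RE.match(line)
        if m:
            addrs.append(Ip6Addr(iface, m.group(1).split("/")[0],
                                 m.group(2), m.group(3).split()))
            continue
        m = LFT_RE.search(line)
        if m and addrs:
            addrs[-1].preferred_lft = m.group(2)  # lifetimes follow the inet6 line
    return addrs


def tentative_addresses(text: str) -> List[str]:
    """Addresses still undergoing DAD."""
    return [a.address for a in parse_ip6_addr(text) if a.tentative]


def deprecated_addresses(text: str) -> List[str]:
    """Addresses with preferred_lft 0 (the floating addresses in the commit above)."""
    return [a.address for a in parse_ip6_addr(text) if a.deprecated]


def source_candidates(text: str, scope: str = "global") -> List[str]:
    """Addresses the kernel may still pick as an outgoing source: RFC 6724
    rule 3 prefers non-deprecated addresses, so the fixed address is left."""
    return [a.address for a in parse_ip6_addr(text)
            if a.scope == scope and not a.tentative and not a.deprecated]


def dad_complete(text: str) -> bool:
    return not tentative_addresses(text)


def wait_for_dad(run_ip_addr: Callable[[], str], timeout_s: float = 30.0,
                 interval_s: float = 0.5) -> bool:
    """Poll a callable returning `ip -6 addr show` output until no address is
    tentative; False on timeout. On a real node pass e.g.
    lambda: subprocess.check_output(["ip", "-6", "addr", "show"], text=True)."""
    deadline = time.monotonic() + timeout_s
    while True:
        if dad_complete(run_ip_addr()):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval_s)


if __name__ == "__main__":
    print("tentative:", tentative_addresses(SAMPLE_IP6_ADDR))
    print("deprecated:", deprecated_addresses(SAMPLE_IP6_ADDR))
    print("source candidates:", source_candidates(SAMPLE_IP6_ADDR))
```

In the sample, the link-local address is still tentative, the floating address `fd00:0:0:1::2` is deprecated, and only the fixed address `fd00:0:0:1::3` remains as an outgoing source candidate, which is the state the two commits aim for before services start binding.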
This commit adds the ability to change the admission plugins of
kube-apiserver post bootstrap. We need this for pod security plugin.
Starting pod security plugin without any policies will result in all
pods being denied.
Story: 2007351
Task: 38897
Change-Id: I3ad3ba91f3084bd2f0054d5d063d2242594997b2
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
When an SR-IOV interface is configured, the platform's
network runtime manifest is applied in order to apply the virtual
function (VF) config and restart the interface. This results in
sysinv being able to determine and populate the puppet hieradata
with the virtual function PCI addresses.
A side effect of the network manifest apply is that potentially
all platform interfaces may be brought down/up if it is determined
that their configuration has changed. This will likely be the case
for a system which configures SR-IOV interfaces before initial
unlock.
A few issues have been encountered because of this, with some
services not behaving well when the interface they are communicating
over suddenly goes down.
This commit makes the SR-IOV VF configuration much more targeted
so that only the operation of setting the desired number of VFs
is performed.
Closes-Bug: #1868584
Change-Id: Ic867fccae89fe8bc9173598c3c84c94ba2d7511f
Signed-off-by: Steven Webster <steven.webster@windriver.com>
When upversioning Calico from 3.6 to 3.12 the --volume-plugin-dir
argument needs to be provided to kubelet.
Specifically, the configuration for Calico 3.8 "Adds a Flex Volume
Driver that creates a per-pod Unix Domain Socket to allow Dikastes to
communicate with Felix over the Policy Sync API."
Change-Id: Ic76baa00de4402cbb65c37fe89835b114d424634
Story: 2006999
Task: 39111
Signed-off-by: Robert Church <robert.church@windriver.com>
Now that we are not using /etc/kubernetes/kubeadm.yaml anymore,
we can remove the creation of the file from puppet. Bootstrap will
still create it for bootstrap use.
Change-Id: Id08af049fac3fc68b70a7dae5aec8548865a4784
Closes-bug: 1866695
Depends-On: https://review.opendev.org/#/c/713020/
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>