There is an issue with the Debian SSSD package: the password expiration
message and change prompt are not showing up when expected.
This change adds a custom shell script that will use the last password
modification date from ldap and the expected shadowWarning and
shadowMax configured for the user to tell when to show the password
expiration warning and when to ask the user to change their password.
This commit addresses only local openldap users as this is more
critical, since AD users will be warned and have their password
expiration handled externally by their organization. Further work to
include AD users in this script is under investigation.
Test plan:
PASS: 1) Create ldap user with 'ldapusersetup -u ldap_user1 --sudo
--secondgroup sys_protected --passmax 1 --passwarning 2',
login with user and verify the first time password change prompt
is shown.
PASS: 2) After test #1, exit and login back again with user ldap_user1
and verify after login msg 'Warning: The password for ldap_user1
will expire in 1 day.' is shown.
PASS: 3) After test #1, logout ldap_user1 and change the system's date
to 1 day in the future. Login back with ldap_user1 and verify
that after login msg 'Warning: The password for ldap_user1 will
expire in 0 day.' is shown.
PASS: 4) After test #3, logout ldap_user1 and change the system's date
to 1 day in the future. Login back with ldap_user1 and verify
that the system will print a msg 'WARNING: Your password has
expired.' and will prompt users to change their passwords.
Closes-Bug: 2008501
Change-Id: I609f54fca11bf8747a6fb306343e70039ac9686a
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
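An added example, not the script from the commit: the login-time decision the commit describes, driven by shadow-style attributes read from LDIF. It assumes the last change date is available as shadowLastChange (days since the epoch, as in shadow(5)) and that shadowMax and shadowWarning are in days; the LDIF and its values are constructed.

```shell
# Added example (not the script from the commit). Assumptions: the last
# password change is exposed as shadowLastChange in days since the epoch
# (shadow(5) semantics), shadowMax / shadowWarning are day counts.

# Extract one attribute value from LDIF text (first occurrence).
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' '$1 == a { print $2; exit }'
}

# password_state LASTCHANGE MAX WARNING TODAY
# Prints "change" (must change now), "warn N" (N days left, inside the
# warning window) or "ok".
password_state() {
    last_change=$1 max=$2 warning=$3 today=$4
    # shadow(5): empty last-change disables aging; 0 forces a change at next
    # login, which is what gives the first-login prompt in the test plan.
    if [ -z "$last_change" ]; then echo ok; return; fi
    if [ "$last_change" -eq 0 ]; then echo change; return; fi
    # No shadowMax (or a negative one) means the password never expires.
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then echo ok; return; fi
    remaining=$(( last_change + max - today ))
    # Expired once the expiry day is behind us; on the expiry day itself the
    # password is still usable, so the warning says "0 day".
    if [ "$remaining" -lt 0 ]; then echo change; return; fi
    if [ -n "$warning" ] && [ "$remaining" -le "$warning" ]; then
        echo "warn $remaining"; return
    fi
    echo ok
}

# Render the message the test plan expects for a state.
login_message() {
    user=$1 state=$2
    case "$state" in
        change) echo "WARNING: Your password has expired." ;;
        warn*)  echo "Warning: The password for $user will expire in ${state#warn } day." ;;
        *)      : ;;
    esac
}

# Constructed LDIF, shaped like an ldapsearch result for the test-plan user
# created with --passmax 1 --passwarning 2 (values are illustrative).
SAMPLE_LDIF='dn: uid=ldap_user1,ou=People,dc=example,dc=com
uid: ldap_user1
shadowLastChange: 19300
shadowMax: 1
shadowWarning: 2'

# Walk the days of the test plan: same day, +1 day, +2 days.
demo() {
    lc=$(ldif_attr "$SAMPLE_LDIF" shadowLastChange)
    mx=$(ldif_attr "$SAMPLE_LDIF" shadowMax)
    wn=$(ldif_attr "$SAMPLE_LDIF" shadowWarning)
    for day in 0 1 2; do
        s=$(password_state "$lc" "$mx" "$wn" $(( lc + day )))
        echo "day +$day: $s -> $(login_message ldap_user1 "$s")"
    done
}
demo
```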
This change adds the necessary files for the openvswitch-config
package to be built for Debian.
Test Plan:
PASS: Build the openvswitch-config.deb package
PASS: Ensure the delivered files paths are correct
PASS: Build Debian ISO with openvswitch-config package
Story: 2010317
Task: 47276
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: I4f74192ee284ce351a253a4394f2f21545128612
In order to have a multipath.conf file during the install
process on Debian, the multipath-config package was created.
This package simply writes a custom version of the multipath.conf
to /etc/multipath.conf
To have it in the installer, it should also be included in the
base-initramfs-bullseye.yaml file
Blacklist exception support is added for:
- HP 3PAR SANs (H/W multipath)
- QEMU (for virtual multipath development)
- TrueNAS (currently only iSCSI support validated)
Test Plan:
PASS - AIO-SX: HPE multipath install/bootstrap/unlock
PASS - AIO-SX: Qemu virtual multipath install/bootstrap/unlock
PASS - AIO-DX: Qemu virtual multipath install/bootstrap/unlock
PASS - AIO-DX+: Qemu virtual multipath install/bootstrap/unlock
PASS - 2+2 (controller storage): Qemu virtual multipath
install/bootstrap/unlock
PASS - 2+2+2 (dedicated storage): Qemu virtual multipath
install/bootstrap/unlock
PASS - Add OSD ceph storage configuration (AIO-SX)
PASS - Expand CGTS volume group using extra disk (Partition) (AIO-SX)
PASS - Expand CGTS volume group using extra disk (disk) (AIO-SX)
PASS - Add nova local volume group using extra disk (AIO-SX)
PASS - App pod that allocates and writes into a PVC (AIO-SX)
PASS - Local disk Commands (Disk API) - Check if the output is broken
- host-disk-list
- host-disk-show
- host-disk-partition-list
- host-disk-partition-show
- host-pv-list
- host-pv-show
- host-stor-list
- host-stor-show
- host-lvg-list
- host-lvg-show
- host-pv-add
PASS - Create nova-local volume group
PASS - Local disk Commands on AIO-DX after swact
Regression:
PASS - AIO-SX: Non-multipath install/bootstrap/unlock (NVME)
PASS - AIO-DX: Non-multipath install/bootstrap/unlock (SSD)
PASS - 2+2: Non-multipath install/bootstrap/unlock (SSD)
PASS - 2+2+2 : Non-multipath install/bootstrap/unlock (SSD and HD)
Change-Id: I196031dee403db50e6dbcdb36a0a2ed95fc42be3
Depends-On: https://review.opendev.org/c/starlingx/tools/+/860590
Story: 2010046
Task: 66650
Signed-off-by: Matheus Guilhermino <matheus.machadoguilhermino@windriver.com>
Signed-off-by: Robert Church <robert.church@windriver.com>
- Don't bypass the normal vimrc configuration.
- Fix debian/changelog to stop it complaining while building
the base-files-config package.
Testing:
PASS Build base-files-config package.
PASS Build ISO
PASS Boot ISO
PASS Verify .vimrc has changed
PASS Open /etc/host with vim, check for errors for vimrc.
Close-Bug: 2006482
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I2a29943b951e192fdac90d379134ea2b04ce4d76
This change will allow this repo to pass zuul now
that this has merged:
https://review.opendev.org/c/zuul/zuul-jobs/+/866943
Tox 4 deprecated whitelist_externals.
Replace whitelist_externals with allowlist_externals
Partial-Bug: #2000399
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I5a2ae729f2e54a6520f7f80ee103113ccb775dd5
There is a known intermittent bug with docker which breaks some of
its functions, such as downloading images [1].
The details are being investigated, but most likely docker.service
start occasionally fails to create all the subfolders required
in /var/lib/docker. The workaround is a service restart.
With this change, there is a short wait time after which docker
health is checked and if the check fails the service is restarted.
Note the required subfolders are created almost immediately, so
the wait can be short.
Still, pmon tolerance is slightly increased to allow the repair
mechanism a couple of retries before stepping in.
[1] https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1950751
Test Plan:
PASS With pmon turned off and a sleep time of 10 secs,
deleted /var/lib/docker/tmp and restarted docker.
Then deleted /var/lib/docker/tmp dir during the 'sleep 10',
observed that an automatic '/bin/systemctl restart
docker.service' is triggered, docker is restarted and /tmp
recreated successfully.
PASS With pmon service up and using the proposed time intervals,
restarted docker service successfully without interference
between the two mechanisms
PASS Completed the following operations:
- AIO-SX install/bootstrap/unlock
- lock/unlock
- sudo reboot
with the following results:
- /var/lib/docker has all sub-directories
- applications applied
- docker service running
- pulled hello-world image
- no alarms
- no 'download failed' error messages in daemon.log
Partial-Bug: 1999182
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ide2d214ea3c7efb3f2a24327c11ae55f90d5a9ce
Ostree repo pull requests generate excessive amounts of lighttpd
access log entries. This commit configures syslog-ng to filter out
any ostree pull related log entry that returns a 200 status code from
the lighttpd access log.
This commit only filters requests from the
/iso/*/ostree_repo/objects/*/*.filez|.dirtree URL; it does not filter
requests to the /feed/rel-*/ostree_repo/objects/... URL.
Test Plan:
1. PASS - Install a subcloud and verify that the ostree pull request
messages are filtered out from /var/www/var/log/lighttpd-access.log;
2. PASS - Use curl to request invalid files and verify that requests
with status code other than 200 are still being logged.
3. PASS - Do a system bring-up test by creating an image with the
applied changes and verify that the system installation succeeds
and that the syslog-ng and lighttpd services are working.
4. PASS - Verify that Horizon is still able to do HTTP requests.
Partial-Bug: #1998837
Signed-off-by: Gustavo Herzmann <gustavo.herzmann@windriver.com>
Change-Id: I637e7f1bae362be98f4b88bbc7c0585d1121fe80
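An added example, not the syslog-ng configuration from the commit: the same selection rule applied with awk to constructed lighttpd access-log lines, so the effect of the filter (drop 200s for the /iso/.../objects/... URL, keep everything else including /feed/rel-* and non-200 results) can be checked offline. It assumes the default lighttpd accesslog.format (client, vhost, user, time, "request", status, bytes, ...); hosts, times and object names are made up.

```shell
# Added example (not the commit's syslog-ng filter). Assumes the default
# lighttpd access-log layout: host vhost user [time] "request" status bytes ...

# drop_ostree_pulls < access.log
# Drops successful (200) fetches of /iso/*/ostree_repo/objects/*/*.filez|.dirtree
# and passes every other line through unchanged.
drop_ostree_pulls() {
    awk '
    BEGIN { re = "^/iso/[^/]+/ostree_repo/objects/[^/]+/[^/]+\\.(filez|dirtree)$" }
    {
        # The request line is the first double-quoted field: "GET /path HTTP/1.1".
        nq = split($0, q, "\"")
        if (nq < 3) { print; next }        # not an access-log line we understand: keep it
        split(q[2], req, " ")
        path = req[2]
        split(q[3], rest, " ")             # text after the request: status, bytes, ...
        status = rest[1]
        if (status == "200" && path ~ re) next
        print
    }'
}

# Constructed sample log (illustrative hosts, times, release and object names).
SAMPLE_LOG='10.10.10.2 controller-0 - [01/Jan/2023:10:00:00 +0000] "GET /iso/22.12/ostree_repo/objects/ab/cdef0123.filez HTTP/1.1" 200 4096 "-" "ostree/2022.7"
10.10.10.2 controller-0 - [01/Jan/2023:10:00:01 +0000] "GET /iso/22.12/ostree_repo/objects/ab/cdef4567.dirtree HTTP/1.1" 200 512 "-" "ostree/2022.7"
10.10.10.2 controller-0 - [01/Jan/2023:10:00:02 +0000] "GET /iso/22.12/ostree_repo/objects/ab/missing.filez HTTP/1.1" 404 345 "-" "curl/7.74.0"
10.10.10.2 controller-0 - [01/Jan/2023:10:00:03 +0000] "GET /feed/rel-22.12/ostree_repo/objects/ab/cdef0123.filez HTTP/1.1" 200 4096 "-" "ostree/2022.7"
10.10.10.3 controller-0 - [01/Jan/2023:10:00:04 +0000] "GET /iso/22.12/ostree_repo/config HTTP/1.1" 200 120 "-" "ostree/2022.7"'

# Number of sample lines that survive the filter (the two 200 object pulls
# under /iso are dropped, the 404, the /feed URL and the config fetch stay).
kept_count() {
    printf '%s\n' "$SAMPLE_LOG" | drop_ostree_pulls | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LOG" | drop_ostree_pulls
```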
The change https://review.opendev.org/c/starlingx/config-files/+/861633
causes an unexpected behavior of systemd, terminating user processes
in case of session timeout after bootstrap and before unlock. As a
workaround, this change disables session timeout.
Test Plan:
[PASS] Install, bootstrap and unlock.
[PASS] Verify env variable TMOUT is set to 0.
[PASS] Wait a long time (more than 15min) and verify that the session is still open.
Partial-Bug: 1999049
Signed-off-by: Davi Frossard <dbarrosf@windriver.com>
Change-Id: If72a29119917a91ded2d0d3bd2a12013794c1448
Add settings to vimrc so that it is backwards compatible with
Centos 7.
Test Plan
PASS build base-files-config package
PASS Build ISO
PASS Run the vim command, try to copy text from another window.
Story: 2009968
Task: 46700
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I383c7d302eef4f051b63f81dab2232a31a53e893
Due to the way /etc/udev/rules.d/60-io-scheduler.rules is
written, it doesn't check if the I/O scheduler is already
set correctly or not, before resetting it. Thus, a condition
was added to each "action", in such a way that only the
correct "action" is executed.
Using gparted/sgdisk in sysinv causes disks to be "reprobed"
by the kernel every minute, so the disk I/O scheduler is reset
multiple times. This can be seen by running the command below:
sysadmin@controller-0:~$ ( while true; do
    sched="$(cat /sys/block/sda/queue/scheduler)"
    if test "${sched}" != "${last_sched}"; then
        echo "$(date -Is): change: ${sched}"
        last_sched="${sched}"
    fi
  done )
Test Plan:
PASS: It was checked that the disk I/O scheduler
(/sys/block/sda/queue/scheduler) is not resetting every minute,
multiple times on an AIO-SX fresh install.
Closes-Bug: 1996822
Signed-off-by: Erickson Silva de Oliveira <Erickson.SilvadeOliveira@windriver.com>
Change-Id: Ic4a9b963d00393b591fd23f2c1224ad6b8740e5e
On DC with central cloud as standard, it sometimes occurs
that RabbitMQ doesn't start properly and keeps being restarted
by sm, either on system restart or when restarting the RabbitMQ service.
It was found that part of the problem was the presence of
the rabbit_stop function inside rabbit_start,
which was added in the past because in a previous version
of RabbitMQ the service didn't completely stop before the
call of the start function. Since this problem doesn't occur
on Debian, the rabbit_stop call was removed, and alongside
[1], this fixes the problem.
Test Plan:
PASS - Run sm-restart service rabbit successfully and check rabbit was
running as expected. This test was used to recreate the bug.
PASS - Reboot the host successfully and check rabbit was running as
expected.
PASS - Lock/unlock and check if rabbit was running as expected.
Regression test:
PASS - Install and bootstrap DC
PASS - Install and bootstrap DX
[1]
Depends-on: https://review.opendev.org/c/starlingx/ha/+/866208
Closes-bug: 1997966
Signed-off-by: Victor Romano <victor.gluzromano@windriver.com>
Change-Id: Ibd49a83f58a7f7efcf7b5c026aaf3e86d985e31d
The regex in prompt.sh is incorrectly adding [] around
user@hostname. This commit removes those brackets in order
to have the expected format.
Test Plan:
PASS: Enter "sudo su -" and verify if the prompt shows
"root@controller-0:~$".
PASS: Generate a new .iso with the changes and verify
if when entering sudo with "sudo su -" it is showing
"root@controller-0:~$".
PASS: Install system and verify if the prompt shows
"sysadmin@controller-0:~$ "
Closes-Bug: 1997972
Related-Bug: 1995988
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Change-Id: Idfd3b03f2ce1eb9679e227c9406aaf200514977a
A lot of applications get the timezone information from
the cache, so they won't be aware of the timezone
changing, and the log's timestamp does not change with
the timezone change.
Using the local time as the timestamp for the log instead
of the timestamp of the sender's messages can fix it.
Test Plan:
PASS: Change the timezone and reload the syslog-ng
service, the timestamp of the log is equal to
local time.
Closes-bug: 1997930
Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com>
Change-Id: I13ec19d4f78ea3d5f6a7c20873c082add5fe412e
This disables the docker network bridge that is created by default
when no bridge options are provided by docker.service or daemon.json.
Since the docker bridge is not used, it can be safely removed.
The docker.service file is provided by package docker.io, i.e.,
dpkg-query -S /lib/systemd/system/docker.service
docker.io: /lib/systemd/system/docker.service
dpkg -s docker.io | grep Version
Version: 20.10.5+dfsg1-1+deb11u1
This file contains the default ExecStart:
[Service]
ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS
The ExecStart gets overridden by a Drop-In. The previous default
setting gets wiped out using "ExecStart=", then the value is redefined
with same options and "--bridge=none" appended.
Drop-In: /etc/systemd/system/docker.service.d
└─docker-stx-override.conf
If a network with address 172.17.0.0/16 (or a similar network) is used
and its gateway address is 172.17.0.1, this IP address conflicts with the
docker0 bridge. This results in packet loss between the GW and application
pods.
Closes-Bug: 1996916
Test Plan:
PASS: AIO-SX Fresh install ISO. Verify docker bridge not configured.
i.e., 'sudo docker network ls'
PASS: STORAGE: Fresh install ISO. Verify docker bridge not configured.
i.e., 'sudo docker network ls'
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: Ied12dffd3d2894c05bd174ea937ae4bd9a800084
This disables the docker network bridge that is created by default
when no bridge options are provided by docker.service or daemon.json.
Since the docker bridge is not used, it can be safely removed.
The docker.service file is provided by RPM docker-ce, i.e.,
rpm -q --whatprovides /usr/lib/systemd/system/docker.service
docker-ce-18.09.6-3.el7.x86_64
This file contains the default ExecStart:
[Service]
ExecStart=/usr/bin/dockerd -H fd:// \
--containerd=/run/containerd/containerd.sock
The ExecStart gets overridden by a Drop-In. The previous default
setting gets wiped out using "ExecStart=", then the value is redefined
with same options and "--bridge=none" appended.
Drop-In: /etc/systemd/system/docker.service.d
└─docker-stx-override.conf
If a network with address 172.17.0.0/16 (or a similar network) is used
and its gateway address is 172.17.0.1, this IP address conflicts with the
docker0 bridge. This results in packet loss between the GW and application
pods.
Closes-Bug: 1996916
Test Plan:
PASS: AIO-SX Fresh install ISO. Verify docker bridge not configured.
i.e., 'sudo docker network ls'
PASS: Designer in-service patch apply and remove (with this change).
Verify docker bridge not configured.
i.e., 'sudo docker network ls'
Signed-off-by: Jim Gauld <james.gauld@windriver.com>
Change-Id: Ibd0164002744f1bd56e14fdb53c5b9a935b1fcc4
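An added example covering both docker bridge commits above (Debian and CentOS), not part of either commit: a drop-in in the shape the commits describe, plus a small resolver that applies systemd's rule for list-valued settings (an empty "ExecStart=" clears what was set so far, later assignments append), so the reader can see why the blanking line is required. Unit contents, the override file name and the "--bridge=none" flag are taken from the commit messages; the resolver is a simplification written for this example.

```shell
# Added example (not the commits' own files). Unit text and the drop-in name
# /etc/systemd/system/docker.service.d/docker-stx-override.conf come from the
# commit messages; the resolver below mimics systemd's "ExecStart=" reset rule.

# Debian unit shipped by docker.io, as quoted in the commit.
DOCKER_UNIT='[Service]
ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS'

# The drop-in the commit describes: blank the list, then redefine it.
DOCKER_OVERRIDE='[Service]
ExecStart=
ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS --bridge=none'

# A drop-in that forgets the blanking line: both commands stay in the list,
# and systemd refuses to start a non-oneshot service with two ExecStart=.
BAD_OVERRIDE='[Service]
ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS --bridge=none'

# effective_execstart UNIT_TEXT DROPIN_TEXT
# Prints the ExecStart commands systemd ends up with, one per line.
# Backslash continuation lines (as in the CentOS unit) are joined first.
effective_execstart() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        /\\$/ { sub(/[ \t]*\\$/, " "); buf = buf $0; next }   # join backslash continuations
        buf != "" { sub(/^[ \t]+/, ""); $0 = buf $0; buf = "" }
        /^ExecStart=$/ { n = 0; next }                         # empty value resets the list
        /^ExecStart=/ { sub(/^ExecStart=/, ""); cmd[n++] = $0 }
        END { for (i = 0; i < n; i++) print cmd[i] }'
}

# How many ExecStart commands remain after applying the drop-in.
execstart_count() {
    effective_execstart "$1" "$2" | awk 'END { print NR }'
}

demo() {
    echo "with blanking line:";    effective_execstart "$DOCKER_UNIT" "$DOCKER_OVERRIDE"
    echo "without blanking line:"; effective_execstart "$DOCKER_UNIT" "$BAD_OVERRIDE"
}
demo
```

On a real host the same result is visible with `systemctl cat docker.service` (unit plus drop-ins) and `systemctl show -p ExecStart docker.service`.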
Switching to the root user wasn't adding "root@" to the prompt in
the case of "sudo su -": for "sudo su" it uses the configuration
described in /etc/bash.bashrc, but for "sudo su -" it is
replaced by the $PS1 described in /etc/profile.d/prompt.sh.
To fix it, it was necessary to change the regex inside
/etc/profile.d/prompt.sh to show the user before @.
Test Plan:
PASS: Generate new image and check that the changes were
applied and working.
Closes-Bug: 1995988
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Change-Id: I0160c01ad2ffa99203abf11ca61e7d34faf740dd
Move the packages of "config-files" from stx-std.lst to debian_iso_image.inc
Test Plan:
Pass: build-pkgs -c -a
Pass: build-image
Pass: boot
Story: 2008862
Task: 46756
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I0a898d769a5796202a7acb8c9b33c411bdf92daf
[1] describes a 10s timeout behavior when running "rabbitmqctl wait".
Analyzing the rabbit logs from a Distributed Cloud system that was
presenting rabbit startup issues, it looks like the startup time for rabbit
was taking around 8.5s. Based on the 10s timeout behavior issue from
[1], the rabbit service stopped working after rebooting controller-0 of a
DC system, triggered by deployment manager execution.
This review adds the "timeout" parameter to the "rabbitmqctl wait"
command, enabling again a clean installation.
NOTE: this issue was observed in DC Systems.
1 - https://github.com/rabbitmq/rabbitmq-server-release/pull/129#issue-599125985
Test Plan:
PASS - Run sm-restart service rabbit successfully and check rabbit was
running as expected. This test was used to recreate the bug.
PASS - Reboot the host successfully and check rabbit was running as
expected.
Regression test:
PASS - Install and bootstrap AIO-SX
PASS - Install and bootstrap AIO-DX
PASS - Install and bootstrap DC
Closes-bug: 1995518
Signed-off-by: Samuel Toledo <samuel.presatoledo@windriver.com>
Change-Id: I2117205c0fcb5d92d30ee30ac280abcb66205d19
Use the systemd-tmpfiles service to manage the
directories that are needed for log files in
/var/log. Ostree removes these directories before
the tree is checked out at boot. This prevents services
such as keystone and barbican from starting because
the /var/log/keystone and /var/log/barbican
directories are missing.
Test Plan:
PASS Apply patch
PASS Build initramfs-ostree package
PASS Build image
PASS Boot image
PASS Check for missing /var/log/keystone
Depends-On: https://review.opendev.org/c/starlingx/integ/+/859664
Story: 2009968
Task: 46459
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Icfc5411ee2c2669be26c9328f8b42441fce8a1e4
Remove pam_systemd.so from /etc/pam.d/common-session
since it was causing a performance hit with mtcClient
running at the same time.
Test Plan on Debian:
PASS: package build, image build
PASS: system installation, bootstrap and unlock
PASS: console login by sysadmin. Observed that the home
directory is created the first time the user logs in.
PASS: su to sysadmin. Observed that the home
directory is created the first time the user is su'd to.
PASS: wait for timeout, log back in, and run
system host-unlock controller-0
PASS: check for systemd --user processes.
Story: 2009965
Task: 45290
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Ida555ade017ddebd50fc02d703f177026c498957
The current pam common-account setting will prevent local users
(such as sysadmin) from logging in to the system if sssd is not running.
This change updated the common-account setting so that local users
can still log in even when sssd is not running.
Test Plan:
PASS: In a deployed system, stop sssd, verify that local users
(especially sysadmin) can still log in.
Story: 2009834
Task: 46432
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Ibf789183d1899658648f04273565fb4edaa0d139
It was observed that some LVs fail to be mounted.
During investigation it was observed that not all entries were created
in /dev/cgts-vg/ by udev.
Some device units are in the inactive dead state.
Example: dev-cgts\x2dvg-backup\x2dlv.device loaded inactive dead
This prevented LVs from being mounted by hitting a timeout and placing the
system in maintenance mode (emergency mode).
This commit makes the systemd-udev-settle service call
'vgmknodes --refresh' after its normal operation. The service does not
change between systemd versions 247 and 251.
Calling 'vgmknodes --refresh' will create the missing links in
/dev/cgts-vg and the device units will become active plugged.
Example: dev-cgts\x2dvg-backup\x2dlv.device loaded active plugged
The issue became more frequent on nodes other than controller-0 when
systemd was upversioned [1]. The issue still happens occasionally on
systemd 247, but it is very hard to reproduce, thus developer testing
was done on systemd 251.
Initial tests were done for systemd 251, but on a HW lab the emergency
mode was observed for systemd 247 recently. On that lab the same
symptoms were observed: missing links in /dev/cgts-vg and inactive device
units. After calling 'vgmknodes --refresh' the links appeared and
device units became active. Since the symptoms are the same this
should also fix Emergency Mode for systemd 247.
Tests:
PASS: Using systemd 251.
Manually patched systemd-udev-settle.
24h reboot test for compute-0 on the same machine where the issue
happened 5/10 times.
Compute-0 booted every 7 minutes without hitting emergency
mode and puppet applied successfully.
PASS: build & AIO-DX fully deployed on HW lab
PASS: Using HW lab where the issue occurred. Using systemd 247.
Installed iso, created reboot loop, enabled journal.
Over 60+ hours of reboots. Logs for applying puppet are seen
~10 minutes apart. No puppet error, system not in emergency
mode. vgmknodes output seen in journal fixing links.
[1]: https://review.opendev.org/c/starlingx/integ/+/853745
Story: 2010211
Task: 46203
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: Iad6e3c7dda9e5b46cc5d604f13c17205c5cfdbe0
It was identified that the sshd service was being restarted
automatically by systemd because the ssh.service file had
"Restart=on-failure" set, which prevented pmon from properly monitoring
it, resulting in the alarm not being set.
Comparing with CentOS, we confirmed that this line in the service
file was commented out.
However, checking the openssh-config for Debian, the line was also
commented out, but the file sshd.service is not the file used by the
openssh-server package in Debian; instead, it is ssh.service.
This commit replaces the sshd.service file with ssh.service (based on the
file from the Debian package openssh-server) and adds the modification
to comment out "Restart=on-failure".
Test Plan
PASS: Build and install
PASS: Unlock AIO-SX
PASS: Verified that killing the sshd process 10 times would
trigger the alarm
Closes-bug: 1991400
Signed-off-by: Manasses Julio <manasses.dasilvajunior@windriver.com>
Change-Id: I477d5261ccf44ccb29c7b3ab0dbc9bd816a753cc
Remove the installation of per-package preset installs
since they are centrally managed now by the ISO install
for the following packages:
- filesystem-scripts
- haproxy-config
- iscsi-initiator-utils-config
- nfs-utils-config
- tuned-config
Story: 2009968
Task: 46406
Test Plan
PASS Build package
PASS Build ISO
PASS Check for non-existent preset file in /etc/systemd/system-preset
Depends-On: https://review.opendev.org/c/starlingx/integ/+/853653
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I40f7b181be5bea926b3a7632c83629f9eaefd7be
Removed conf files from /etc/pmon.d/
as they are being moved to another location.
This is part of an effort to allow pmon conf files
to be selected at runtime by kickstarts.
The change is debian-only, since centos support
will be dropped soon.
Centos' pmon conf files remain in /etc/pmon.d/
Also refactored containerd-config debian files
Test Plan:
PASS - deb doesn't install anything to /etc/pmon.d/
PASS - containerd-config debian pkg has the same
filepaths and permissions
PASS - AIOSX unlocked-enabled-available
PASS - Standard 2+2 unlocked-enabled-available
Story: 2010211
Task: 46302
Depends-On: https://review.opendev.org/c/starlingx/metal/+/855095
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ifee02f5ee23ce8c1dca9c011ff3a2ae144765e85
This change updated slapd.conf so that openldap syncrepl will
be configured to be secure over TLS.
Test Plan:
PASS: DX system deployment
PASS: Check syncrepl section in slapd.conf.backup, it should contain:
tls_cert="/etc/ldap/certs/openldap-cert.crt"
tls_key="/etc/ldap/certs/openldap-cert.key"
tls_cacert="/etc/ssl/certs/ca-certificates.crt"
tls_reqsan=demand
Story: 2009834
Task: 46246
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856766
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Ia3bb31a733cb976ea9c5d0428b64f012dc9ec57e