Commit Graph

386 Commits

Author SHA1 Message Date
Zuul adf9764322 Merge "update tzdata" 2024-03-04 19:33:48 +00:00
Scott Little 1bbcf7596b update tzdata
tzdata expires every 6-12 months.

Update to the latest tzdata, valid until Dec 2024
The new tzdata is supplied by upstream, we no longer need
to build it ourselves.  We just need to be sure it is included
in the iso.

Verification:
- tzdata is no longer built
- build-iso and make sure it contains the new package
- check the package to ensure it contains the
  expected leap-seconds.list file
- boot the iso and ensure nothing weird observed
  regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
  by the date command and ensure that it displays the
  correct time for that timezone

Partial-Bug: 2054466
Change-Id: I765dc225f9b9f23799af662cd87fe94703857241
Signed-off-by: Scott Little <scott.little@windriver.com>
2024-03-04 17:26:34 +00:00
Zuul 10ebdfe1c2 Merge "Fix uninitialized ts2phc variable in nmea_scan_rmc" 2024-03-04 17:15:44 +00:00
Cole Walker acadeca144 Fix uninitialized ts2phc variable in nmea_scan_rmc
This change pulls in an upstream linuxptp fix to initialize the tm_isdst
variable.

An uninitialized tm_isdst variable in ts2phc can result in mktime failing
and cause ts2phc to be unable to sync time with an "invalid master time
stamp" error.

The fault was intermittent based on the random value in the uninitialized
variable. If it was read as a positive integer, mktime would fail and
the symptom would occur.

The upstream commit id is:
63fc1ef4fd5e5fc45dd4de3bf27920bb109a4357

Test plan:
Pass: Verify package build
Pass: Deploy updated ts2phc binary and perform repeated service
start/stops. The fault was not reproduced after 20 attempts.

Closes-bug: https://bugs.launchpad.net/starlingx/+bug/2055464

Change-Id: I9fb1722c6ab93f6bb9ec6cdc4fbe902a823b3e2e
Signed-off-by: Cole Walker <cole.walker@windriver.com>
2024-03-01 13:43:45 -05:00
Leonardo Mendes 5642771926 Preset to enable ipsec auth server service
This update added ipsec-server service to systemd preset config
to enable it on controllers.

Test Plan (DX system):
PASS: Install and bootstrap controller-0, verify ipsec-server is
      "enabled" and "vendor preset: enabled" after first reboot and
      bootstrap.

Story: 2010940
Task: 49583

Depends-On: https://review.opendev.org/c/starlingx/metal/+/907348

Change-Id: I41d4fdb9f9adc857234981e04de1a5a4e8af8721
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
2024-02-20 14:10:57 -03:00
Andy Ning 92e7b2fce3 Preset to enable strongswan IPSec daemon service
This update added strongswan IPSec daemon (charon) to systemd
preset config to enable it on all types of systems.

Test Plan (DX system):
PASS: Install and bootstrap controller-0, verify IPSec service is
      "enabled" and "vendor preset: enabled" after first reboot and
      bootstrap.
PASS: Unlock controller-0, verify IPSec service is enabled and
      "vendor preset: enabled" after unlock.
PASS: Install controller-1, verify IPSec service is enabled and
      "vendor preset: enabled" after first reboot.

Story: 2010940
Task: 49482

Co-Authored-By: Andy Ning <andy.ning@windriver.com>

Change-Id: I2bc122f080e33b87fd1b6535d1817df2a9cb0b52
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
2024-02-09 14:24:53 +00:00
Eric MacDonald b5ef59fc8e Remove guestServer and guestAgent from systemd-presets
The stx/nfv/mtce-guest service has been deprecated and is no longer
built as part of the nfv git.

https://opendev.org/starlingx/nfv/commit/bfded2ded62263695ec37fb6214eda7b191c1cbc

However, removing the guestServer and guestAgent systemd presets
was missed.

Therefore, as a final cleanup effort for these deprecated
services, this update removes all references to both the
guestAgent and guestServer from starlingX systemd-presets.

Test Plan:

PASS: Full clean Debian build
PASS: Debian ISO install Standard system with worker and storage
PASS: Verify guestServer and guestAgent service files are not packaged.

Related-Bug: 2051389
Change-Id: I4b0dfa1739f35b0ceab3b6b98a9b24eb53caa1a9
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2024-02-01 15:13:06 +00:00
Andre Mauricio Zelak cfe25f0193 Fixed event port id map
Fixed the port id map in the Port Data Set event handling. The port id
is composed of port number and node index after the HA implementation.

Code tidying. By definition, the port id and the port number are
different. An existing port number variable was renamed to
prevent misinterpretation.

Code tidying. The HA node state change processing was disabled
when HA feature is not enabled.

Test plan:
PASS: Verify the phc2sys executable recognizes the port in the port
state change event, when -a configuration option is used
PASS: Verify the events in the HA scenario are being recognized

Story: 2010723
Task: 49405

Change-Id: Iea2b3c4e7d7dcd07ca2ad52bc4042f80282b1a9a
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2024-01-15 16:28:29 -03:00
Zuul dd59d24235 Merge "Fix PTP configuration compatibility" 2024-01-12 17:22:32 +00:00
Andre Mauricio Zelak 9fb03e0f35 Fix PTP configuration compatibility
Fixed the behavior when HA is disabled, one interface has been
configured and '-a' autoconfiguration option is enabled in a
phc2sys instance. The behavior before HA feature was to ignore
the given interface. To keep compatibility with earlier
configurations, interfaces in the configuration file are
ignored if HA is disabled.

Test Plan: non HA
PASS: Verify behavior when HA is disabled and interface has been
configured.
PASS: Verify behavior when HA is omitted and interface has been
configured.
PASS: Verify behavior when HA is disabled and no interface has
been configured.

Test Plan: HA
PASS: Verify phc2sys exits with error when HA is enabled and
one interface has been configured.

Test Plan: Build
PASS: Verify patch application and package build

Closes-bug: 2048085

Change-Id: Ia65c157cfd63b637bd3ae3d7e370407e82371305
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2024-01-11 17:30:26 -03:00
Zuul e13fcc0035 Merge "haproxy: Upgrade to 2.2.9-2+deb11u6" 2024-01-08 16:08:03 +00:00
Zhixiong Chi eb9852003a haproxy: Upgrade to 2.2.9-2+deb11u6
Upgrade haproxy to 2.2.9-2+deb11u6 to fix the CVE issues
CVE-2023-40225/CVE-2023-45539.

Refer to:
https://security-tracker.debian.org/tracker/DSA-5590-1
https://nvd.nist.gov/vuln/detail/CVE-2023-40225
https://nvd.nist.gov/vuln/detail/CVE-2023-45539

Test Plan:
PASS: $downloader
PASS: $build-pkgs --clean --parallel 10
PASS: $build-image
PASS: Jenkins Installation
PASS: dpkg -l |grep haproxy
ii  haproxy                       2.2.9-2+deb11u6.stx.4

Closes-Bug: 2047674

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ifeb5326d24fe2d2b655c9a87994401c8f1b7b05f
2024-01-02 04:31:53 -05:00
Davi Frossard 9a3d4fb04d systemd: fix build after meson upgrade
Fix the following build issues after meson is
upgraded to 1.0.1-5.

* Change operator combining bools from + to and

upstream meson stopped allowing combining boolean
with the plus operator, and now requires using the
logical and operator

reference:
mesonbuild/meson@43302d3

Fixes: systemd#20632

* Add dependency on rsync

Story: 2010781
Task: 48183

Depends-on: https://review.opendev.org/c/starlingx/tools/+/902324

Signed-off-by: Dan Streetman
Signed-off-by: david.liu <david.liu@windriver.com>
Change-Id: I2064b9f01252139ece252494a007cc00a8b4cb7b
2023-12-04 07:15:33 -05:00
Zuul 0aa365b12b Merge "Revert "systemd: fix build after meson upgrade"" 2023-11-30 23:01:26 +00:00
Davlet Panech f1d49ea941 Revert "systemd: fix build after meson upgrade"
This reverts commit 6dbae8b47e.

Reason for revert: Goes together with this other revert https://review.opendev.org/c/starlingx/tools/+/902237

Change-Id: I46e6a6841c1527268a20dfca67fcef2932c9eb35
2023-11-30 21:18:16 +00:00
Zuul d52a1eedd3 Merge "systemd: fix build after meson upgrade" 2023-11-29 19:42:51 +00:00
Zuul 825db5ef8f Merge "Enabling Luks encrytion service manager" 2023-11-29 15:07:11 +00:00
Zhixiong Chi dcb205850c isc-dhcp: fix CVE-2022-2929
Backport the source patch from the version 4.4.1-2.3+deb11u2.
[https://sources.debian.org/src/isc-dhcp/4.4.1-2.3+deb11u2/debian/patches/CVE-2022-2929.patch]

Refer to:
https://security-tracker.debian.org/tracker/DSA-5251-1
It refers to two issues, CVE-2022-2928 and CVE-2022-2929.
CVE-2022-2928 has been fixed in
[https://review.opendev.org/c/starlingx/integ/+/865278]

Pass: build-pkgs -c -p isc-dhcp
Pass: build-pkgs -a
Pass: build-image
Pass: Debian AIO jenkins installation

Issue is very difficult to reproduce, so we are simply focused on
making sure that this doesn't break anything.

Closes-Bug: 2043434

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ie9148ea007526160b34c57df5f98d776c04dbe3a
2023-11-13 23:54:17 -05:00
Scott Little 21906e7285 No leap second on 2023-12-31
We need to upversion as the leapseconds files
have expired.  We also pick up any changes to
timezones, such as when DST occurs.

Verification:
- tzdata package builds ok
- check built package to ensure it contains the
  leap-seconds.list file
- build-iso and make sure it contains the new rpm
- boot the iso and ensure nothing weird observed
  regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
  by the date command and ensure that it displays the
  correct time for that timezone

Closes-Bug: 2039739
Depends-On: https://review.opendev.org/c/starlingx/root/+/898690
Signed-off-by: Scott Little <scott.little@windriver.com>
Change-Id: Idf5d477f0d43845b4d50e2954bd19f6431c49ab1
2023-10-18 22:25:19 -04:00
Rahul Roshan Kachchap fa05f9d0d1 Enabling Luks encrytion service manager
Added enable luks-fs-mgr.service to systemd preset files to enable
and start the luks-fs-mgr service during boot or restart of node.

Test Plan:
PASSED: build-pkgs -c -p systemd-presets
PASSED: build-image
PASSED: AIO-SX bootstrap
PASSED: AIO-SX sudo systemctl status luks-fs-mgr

Story: 2010872
Task: 48824

Change-Id: I496d3e4b3b85e1e8d885409779d46becf5e9688a
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
2023-09-25 03:08:50 -04:00
Zuul af3acd39e4 Merge "Use time traceable flag in HA clock selection" 2023-09-11 18:07:13 +00:00
Andre Mauricio Zelak 600ad549b5 Use time traceable flag in HA clock selection
A new time traceable flag was added to pmc agent to store the current
time traceable status.

This flag replaces the utc_offset_traceable flag in the HA clock
selection algorithm and status command.

Test plan: HA clock selection algorithm
PASS: Verify the clock source which time isn't traceable is discarded
by the algorithm if ha_gm_timeTraceable is enabled.
PASS: Verify the clock source which time is traceable isn't discarded
by the algorithm if ha_gm_timeTraceable is enabled.

Regression: status command
PASS: Verify the response of status command shows the correct GM time
traceable.

The 'valid sources' command is used to get a list of interfaces which
the clock is matching the requirements. The response contains a space
separated list of interfaces, or "None" when not a single clock is
matching all the requirements.

Test plan: valid sources command
PASS: Verify that a space separated list of interface is returned when
one or more clocks match the requirements.
PASS: Verify that the string "None" is returned when not a single clock
matches the requirements.

Now the GM time traceable check is enabled by default as it is an
important check for both T-GM and T-BC scenarios.

The GM time traceable check is controlled in configuration by using
the ha_gm_timeTraceable setting, and it can be disabled using the
value 0 (ha_gm_timeTraceable 0).

Test plan: default value
PASS Verify the check is performed by default.
PASS Verify the user can disable the check by configuration.

Bonus:

Fixed the behavior when no clock is matching the requirements and the
active clock source is disabled using the 'disable source <interface>'
command. The interface must be disabled and a new clock source is
selected.

Test plan: no clock is matching the requirements
PASS: Verify that the active source can be disabled and a new one is
selected.
PASS: Verify that an attempt to disable the last active interface
fails and an appropriate message is given as response.
PASS: Verify that the interface with higher priority is selected after
re-enabling it.
PASS: Verify the active clock source doesn't change if another
interface is disabled.
PASS: Verify the active clock source doesn't change if another
interface is re-enabled.

Story: 2010723
Task: 48702

Change-Id: I64193575a995e520d36460c0ebb8dd452fa8c2b8
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2023-09-06 15:09:14 -03:00
Zuul 7b62e540d7 Merge "Select the clock matching requirements" 2023-09-06 15:46:54 +00:00
Andre Mauricio Zelak 4a94f788a4 Select the clock matching requirements
Fix clock selection algorithm behavior where a clock source starts
to match requirements but is not selected because it has the same
ha_priority as active.

In a HA configuration with two or more clocks configured with equal
ha_priority if no clock source matches the requirements the first one
in the configuration file is selected active. This is a standard
behavior to always have a clock source, even when they are not
synchronized.

When one of the clock sources starts to match the requirements it
must be selected active, regardless of the priority.

But when a second clock source starts to match the requirements and
has the same ha_priority as the active, the active remains the clock
source. There is no need to switch active when they have equal
ha_priority.

Test plan: two sources with the same priority
PASS: Verify a clock source is selected active when it starts to match
the requirements and the current active doesn't match them, even if
they have equal ha_priority.
PASS: Verify a clock source isn't selected active when it starts to
match the requirements and the current active also matches them.

Regression: two sources with different priority
PASS: Verify a clock source is selected active when it starts to match
the requirements and the current active doesn't match them, even if
their ha_priority is lower than the active's.
PASS: Verify a clock source is selected active when it starts to match
the requirements and the current active also matches them but has
lower ha_priority configured.
PASS: Verify a clock source isn't selected active when it starts to
match the requirements and the current active also matches them
and has higher ha_priority configured.

Story: 2010723
Task: 48699

Change-Id: If80532b7b8febcc164f7c748a8d4122b4f10fd3b
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2023-09-05 11:26:10 -03:00
Zuul a140a14ee4 Merge "GM clock accuracy and offset scaled log variance" 2023-08-30 16:15:03 +00:00
Andre Mauricio Zelak 59b3912596 GM clock accuracy and offset scaled log variance
Include GM clock quality parameters clock accuracy and offset
scaled log variance to the clock selection algorithm. Those
checks together with the clock class can check the remote
clock quality, enhancing T-BC support.

The existing ha_min_local_clockClass, ha_min_clockAccuracy,
ha_min_gm_offsetScaledLogVariance and ha_min_gm_ClockClass were
renamed. Now their names are ha_max* because they represent the
maximum value the clock can present to be considered valid.

The existing ha_timeTraceable and ha_frequencyTraceable were
renamed. Now their names contain gm to explain and show they
correspond to the GM time and frequency traceability.

The ha_min_local_clockClass is now ha_max_local_clockClass, and
its default value was changed to 255.

The ha_min_clockAccuracy is now ha_max_local_clockAccuracy, its
name now contains the local key to differentiate from the GM
configuration option.

The ha_min_offsetScaledLogVariance is now
ha_max_local_offsetScaledLogVar. Its name now contains the
local key to differentiate from the GM configuration option,
and the word Variance was shortened to Var due to the size limit
of the name.

The ha_min_gm_ClockClass is now ha_max_gm_clockClass, and its
default value was changed to 6.

The ha_max_local_clockClass and ha_max_gm_clockClass default values
were changed to make it easier to configure both T-GM and T-BC
scenarios.

The new ha_max_gm_clockAccuracy option is a global setting for the
maximum GM clock accuracy requirement. It ranges from 0x00 to 0xff
and its default is 0xfe.

The new ha_max_gm_offsetScaledLogVar option is a global setting for
the maximum GM offset scaled log variance requirement. It ranges
from 0x0000 to 0xffff and its default is 0xffff.

The status command now includes the GM clock accuracy and offset scaled
log variance values.

Test plan: new GM fields
PASS Verify the clock is discarded because GM clock accuracy is out of
requirement
PASS Verify the clock is discarded because GM offset scaled log
variance is out of the requirement
PASS Verify the status command shows the new fields gm.clockAcc and
gm.offset

Test plan: new default values
PASS Verify the ha_max_gm_ClockClass and ha_max_local_clockClass
default values.

Test plan: renamed fields
PASS Verify that a configuration containing all HA configuration options
is accepted.

Story: 2010723
Task: 48675

Change-Id: I7ed1300a51cbdcaa44d7f350dcdc92e54469a497
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2023-08-28 12:48:19 -03:00
Zuul e2628d9911 Merge "HA domain number" 2023-08-25 17:49:37 +00:00
Andre Mauricio Zelak b707fdb119 HA domain number
Support multiple domain numbers for each uds socket used in HA phc2sys.

The ha_domainNumber option is an interface setting to configure
the domain number for an uds socket. It ranges from 0 to 127.
If the ha_domainNumber is not configured for a given interface,
the global domainNumber setting is used.

Test plan:
PASS: Verify use of ha_domainNumber configuration in manual
configuration.

Failure path: domain number match
PASS: Verify that phc2sys fails to start if domain number
doesn't match ptp4l instance parameter.

Regression:
PASS: Verify use of global domain number in manual configuration.
PASS: Verify auto configuration uses global domain number.

Story: 2010723
Task: 48656

Change-Id: If71775f6ce02586573f005c3b3e805b5351a5a86
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2023-08-21 14:35:31 -03:00
Zuul 2c20b741c8 Merge "Redundant HA PTP timing clock sources support" 2023-08-21 15:29:08 +00:00
Andre Mauricio Zelak deeacbcdf3 Redundant HA PTP timing clock sources support
Enhanced phc2sys to support multiple PTP timing clock sources, to
select the best clock source available according to the clocks
statuses.

A series of changes were patched back from a newer version of the
linuxptp package. They contain the support for multiple pmc nodes,
necessary to communicate with multiple ptp4l instances.

The phc2sys is now able to automatically select the best clock
according to the clocks statuses, and also monitors any clock
status change and act to keep the system synchronized to the
best clock source available.

A new set of configuration options were added to control the behavior
of the automatic clock selection algorithm and to configure the clock
source interfaces.

And a new command interface was added to phc2sys to gather statuses
about the clocks configured and the HA algorithm. This interface also
provides commands to control the clock source selection for debug and
maintenance purposes.

Test plan:
PASS: Verify the linuxptp package is built containing all the patches.
PASS: Verify the .deb package produced in the build install and that
all the PTP different deployments new and existing are OK.
PASS: Verify that a new image containing the linuxptp package can be
installed and that all the PTP different deployments new and existing
are OK.

Story: 2010723
Task: 48642
Change-Id: Ic8c4d9bd335c582a91f1f4418947a81fc5e8b4f9
Signed-off-by: Andre Mauricio Zelak <andre.zelak@windriver.com>
2023-08-18 10:05:14 -03:00
Nidhi Shivashankara Belur f66fe0e761 Upgrade pf-bb-config to 23.03
Test Status:

- PASS: Build pf-bb-config package.

  UIO mode with ACC100, ACC200 and N3000

  - PASS: Apply configuration & Unlock host.
  - PASS: Reboot test.
  - PASS: Remove configuration & unlock host.

Story: 2010864
Task: 48543
Change-Id: Iab0731449482f171490051d1fcd33560b2cc7f63
Signed-off-by: Nidhi Shivashankara Belur <nidhi.shivashankara.belur@intel.com>
2023-08-17 12:15:41 +05:30
Zuul 2414c8c373 Merge "lighttpd: fix CVE-2022-22707" 2023-07-21 14:53:45 +00:00
Zuul 43798866bb Merge "Disable software controller services for storage and worker preset" 2023-07-21 14:53:39 +00:00
Zhixiong Chi 58b0815e45 lighttpd: fix CVE-2022-22707
Fix CVE-2022-22707 issue.

Refer to:
https://security-tracker.debian.org/tracker/CVE-2022-22707

TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation on AIO-DX lab.
PASS: controller-1 installation.
PASS: Check the package version with 'dpkg -l' both on controller-0
      and controller-1

Closes-Bug: 2021548

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Iceaf2a89bcac7c5a9892c5eb0c119fa49777a78c
2023-07-20 05:13:24 +00:00
Jessica Castelino 25f589048f Disable software controller services for storage and worker preset
This update adds disable software-controller-daemon service and
software-controller service in the systemd-presets package for
storage, worker and worker-lowlatency install types.

Test Plan:

PASS: Verify Debian package build
PASS: Verify software controller services are auto disabled on below
      system nodes and types:
      AIO SX install
      AIO DX install

Story: 2010676
Task: 48050
Change-Id: I5ef785c4ad74f61de7a289d9db43472976736d65
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
2023-07-17 15:27:29 +00:00
Li Zhou e02f0f7f3c Debian: systemd: fix CVE-2022-3821/CVE-2022-4415
Upgrade systemd's version from 247.3-7 to 247.3-7+deb11u2
to fix CVE-2022-3821/CVE-2022-4415.

Test Plan:
 Pass: downloader
 Pass: build-pkgs --clean --all
 Pass: build-image
 Pass: boot

Closes-bug: #2021448

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I747041d7810fd9033fc16f48d9fa05e0756a6513
2023-06-29 06:14:34 -04:00
Eric MacDonald 4bbcb90e70 Revert "lighttd: Upgrade to 1.4.59-1+deb11u2"
This reverts commit e61f579d8b.

Reason for revert: experiencing lighttpd process failures
Closes-Bug: 2024626
Change-Id: I68be7a128dc300c15002683f7cfd3a8c6cd1c11f
2023-06-21 23:43:48 +00:00
Zhixiong Chi e61f579d8b lighttd: Upgrade to 1.4.59-1+deb11u2
Fix CVE-2022-22707 issue.

Refer to:
https://security-tracker.debian.org/tracker/CVE-2022-22707

Meanwhile rebase the local patches for new version.

TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation.
PASS: Check the package version with 'dpkg -l'

Closes-Bug: 2021548

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Id4b245ed4ba7c00d854ce758a3d241ad74fd1a0f
2023-06-18 23:18:49 -04:00
david.liu 6dbae8b47e systemd: fix build after meson upgrade
Fix the following build issues after meson is
upgraded to 1.0.1-5.

* Change operator combining bools from + to and

upstream meson stopped allowing combining boolean
with the plus operator, and now requires using the
logical and operator

reference:
mesonbuild/meson@43302d3

Fixes: systemd#20632

* Add dependency on rsync

Story: 2010781
Task: 48183

Depends-on: https://review.opendev.org/c/starlingx/tools/+/885946

Change-Id: Ica8f16fb1c538904d31304272b7fab824ab0aaa5
Signed-off-by: Dan Streetman
Signed-off-by: david.liu <david.liu@windriver.com>
2023-06-18 18:36:19 -07:00
Zhixiong Chi 323cc82399 haproxy: upgrade to 2.2.9-2+deb11u5
Fix the CVE-2023-0836 issue:
5 bytes left uninitialized in the connection buffer

Refer to:
https://www.debian.org/security/2023/dsa-5388

Test Plan:
PASS: $downloader
PASS: $build-pkgs --clean --parallel 10
PASS: $build-image
PASS: Jenkins Installation
PASS: dpkg -l |grep haproxy
ii  haproxy                       2.2.9-2+deb11u5.stx.3

Closes-Bug: 2020732

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I8c5a938ace4b81d6adf3ddb242a6b80555c6c7d4
2023-05-29 06:21:54 -04:00
Zuul 52f496eb8a Merge "Add enable software services to systemd-presets package" 2023-05-01 19:57:44 +00:00
Jessica Castelino e421251878 Add enable software services to systemd-presets package
This update adds enable for all software services in
the systemd-presets package for all install types.

This ensures that the software services are auto
enabled on all system nodes following the install.

Test Plan:

PASS: Verify Debian package build
PASS: Verify software services are auto enabled on below
      system nodes and types:
      AIO SX install
      AIO DX install
PASS: Verify patch services co-exist with software services

Story: 2010676
Task: 47867
Change-Id: I06752bc89cc253735f2d01e82708eced53213336
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
2023-05-01 17:03:08 +00:00
Nidhi Shivashankara Belur 0728f9abb4 Upgrade pf-bb-config to 22.11
- Upversion pf-bb-config to v22.11.
- Replace config file for fpga-5gnr 1 VF.

Test Status:

- PASS: Build pf-bb-config package.

  UIO mode with ACC100, ACC200 and N3000

  - PASS: Apply configuration & Unlock host.
  - PASS: Reboot test.
  - PASS: Remove configuration & unlock host.

  VFIO mode with ACC100 and ACC200

  - PASS: Apply configuration & Unlock host.
  - PASS: Reboot test.
  - PASS: Remove configuration & Unlock host.

Story: 2010698
Task: 47821
Change-Id: I2bfc66a363426a809e6c938b0673db71b2b5892b
Signed-off-by: Nidhi Shivashankara Belur <nidhi.shivashankara.belur@intel.com>
2023-04-19 23:39:09 -07:00
Zuul e7f3cca60f Merge "Update systemd-presets and shim pkgs' revisions" 2023-03-16 19:11:32 +00:00
Manoel Benedito Neto a8f7a06d8f Update debian packages for pkg-versioning
The Debian packaging has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning addressing the first commit as start point to
debian build packages.

This commit adds GITREVCOUNT and removes PKG_GITREVCOUNT of the packages
to calculate git revisions relative to package's source git repository,
instead of counting git revisions relative only to package's debian
folder. This ensures that any new code submissions under those
directories will increment the versions.

The commit SHA 9b545c5e19 was chosen to be the BASE_SRCREV of the
base-passwd's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained base-passwd version .stx.8)

The commit SHA 698c14ccef was chosen to be the BASE_SRCREV of the
puppet-ldap's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained puppet-ldap version .stx.2)

The commit SHA 39bc6c35f1 was chosen to be the BASE_SRCREV of the
ldapscripts's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained ldapscripts version .stx.4)

The commit SHA 2821680c8b was chosen to be the BASE_SRCREV of the
openldap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openldap version .stx.9)

The commit SHA f043585c65 was chosen to be the BASE_SRCREV of the
openscap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openscap version .stx.3)

The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
keyrings.alt's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained keyring.alt version .stx.4)

The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
python-keyring's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained python-keyring version .stx.4)

Test Plan:
PASS: Verify package versions are updated as expected.
PASS: build-pkgs -c -p base-passwd
PASS: build-pkgs -c -p puppet-ldap
PASS: build-pkgs -c -p ldapscripts
PASS: build-pkgs -c -p openldap
PASS: build-pkgs -c -p openscap
PASS: build-pkgs -c -p keyrings.alt
PASS: build-pkgs -c -p python-keyrings

Story: 2010550
Task: 47496

Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I32b47348ece39ea88b3c5aeb0d1e64c6d3e7a6b5
2023-03-15 14:44:32 +00:00
Manoel Benedito Neto c15e3e1a3a Fix lint errors identified by Zuul pylint job
This commit fixes lint errors identified by Zuul after stx-integ-pylint
job is executed.

Test Plan:
PASS: stx-integ-pylint job is executed successfully.
PASS: Run "yamllint ." command on integ repo base directory. Observe
      that no lint errors of line-length, truthy, indentation,
      new-line-at-end-of-file and document-start are listed.
PASS: build-pkgs -a -c

Closes-Bug: 2011632
Change-Id: I4d8229b5de8c9d88ff2aab6169521ab377b5866c
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
2023-03-15 12:07:17 +00:00
Yue Tao 2a3b5c8349 Update systemd-presets and shim pkgs' revisions
Add SRC_GITREVCOUNT to calculate the relevant git commits of
"src_path" or "src_files" to package's revision.

Test Plan:
Pass: build-pkgs -c -p systemd-presets,shim
Pass: Observe relevant git commits of 'src_path' or 'src_files'
      are added to package's revision

Story: 2010550
Task: 47537

Depends-On: https://review.opendev.org/c/starlingx/root/+/875584

Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I9852f534c53664e89e8b0082d2e68b3d9333d6f9
2023-03-15 18:11:47 +08:00
Zhixiong Chi 46e734ac4e Debian: haproxy: CVE-2023-0056,CVE-2023-25725
Upgrade haproxy from "2.2.9-2+deb11u3" to "2.2.9-2+deb11u4" to
fix below CVEs:
CVE-2023-0056
CVE-2023-25725

Refer to:
https://www.debian.org/security/2023/dsa-5348
https://security-tracker.debian.org/tracker/DSA-5348-1

Test Plan:
PASS: $downloader
PASS: $build-pkgs --clean --parallel 10
PASS: $build-image
PASS: Jenkins Installation
PASS: Validation that the package version has been upgraded.

Closes-Bug: 2009334

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ibe076cb75deaa212fb954aa880324220165a5523
2023-03-09 15:42:06 +00:00
Al Bailey 5c6b186a4e Update integ debian package ver based on git
For components that contain additional contents, the Debian
packaging has been changed to reflect all the git commits
under the directory, and not just the commits to the
metadata folder.

This ensures that any new code submissions under those
directories will increment the versions.

Some components were defining PKG_GITREVCOUNT but were
missing the boolean value of  'true'.
Note: Empty value or 'True' value are treated the same as
'true' for PKG_GITREVCOUNT calculation, but have been
updated for consistency with the rest of StarlingX.

Updated debian packages for:
 - centos-debian-compat (1.0.stx.4 -> 1.0.stx.17)
 - kpatch (0.9.5-1.stx.7 -> 0.9.5-1.stx.8)
 - libfdt (1.4.4-1.stx.3  -> 1.4.4-1.stx.4)
 - puppet-module-puppetlabs-postgresql
     (8.0.0-1.stx.1 -> 8.0.0-1.stx.2)
 - python-nss (1.0.1-1.stx.1 -> 1.0.1-1.stx.2)

Test Plan:
  PASS: downloader && build-pkgs -c -p centos-debian-compat
  PASS: downloader && build-pkgs -c -p libftd
  PASS: downloader && build-pkgs -c -p kpatch
  PASS: downloader && \
    build-pkgs -c -p puppet-module-puppetlabs-postgresql
  PASS: downloader && build-pkgs -c -p python-nss

This review also references tasks for components that were
initially tasked to be updated, however have now been
verified to 'NOT' require changes.
Tasks: 47421..47446

This verification included in some cases adding files
under debian sub directories and observing the increment.

Verification command to build these is
    downloader && build-pkgs -c -p <the module>

Components verified to not require meta_data changes:
 - dh-python (4.20201102+nmu1.stx.2)
 - dnsmasq (2.85-1.stx.2)
 - facter (3.14.12-1.stx.2)
 - haproxy (2.2.9-2+deb11u3.stx.1)
    Note: 'files' directory exists but is unused
 - isc-dhcp (4.4.1-2.3.stx.5)
 - lsb (11.1.0.stx.1)
 - lvm2 (2.03.11-2.stx.2)
 - nsenter (0.2.stx.1)
 - puppet (5.5.22-1.stx.5)
 - puppet-boolean (2.0.2-0.stx.2)
 - puppet-dnsmasq (1.1.0-0.stx.2)
 - puppet-lvm (1.4.0-1.stx.5)
 - puppet-module-nanliu-staging (1.0.4-2.stx.2)
 - puppet-module-oslo (17.4.0-2.stx.3)
 - puppet-module-puppetlabs-firewall (1.12.0-1.stx.1)
 - puppet-module-puppetlabs-haproxy (2.1.0-3.stx.2)
 - puppet-module-puppetlabs-mysql (8.1.0-5.stx.1)
 - puppet-module-puppetlabs-rabbitmq (8.5.0-6.stx.6)
 - puppet-module-puppetlabs-stdlib (5.0.0-1.stx.2)
 - puppet-puppi (2.2.11-0.stx.2)
    Note: puppet_downloader.sh exists but is unused
 - setuptools (52.0.0-4.stx.1)

Story: 2010550
Task: 47424
Task: 47427
Task: 47436
Task: 47442
Task: 47446
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I7c5402d232d39d2bda053542a3cb48719e98a0e0
2023-03-01 18:53:50 +00:00
Zuul cf0289564c Merge "Update resource-agents package ver based on git" 2023-02-21 22:23:57 +00:00