2076 Commits

Author SHA1 Message Date
Wentao Zhang c91b9dddce Debian: libuv1: fix CVE-2024-24806
Upgrade libuv1 to 1.40.0-2+deb11u1

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2024-24806
https://security-tracker.debian.org/tracker/DSA-5638-1

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2057488

Change-Id: If9a79c49b8c203054911d548c5b907c800a04477
Signed-off-by: Wentao Zhang <Wentao.Zhang@windriver.com>
2024-03-14 17:19:16 +08:00
Wentao Zhang 27881330ab Debian: gnutls28: CVE-2023-5981
Upgrade libgnutls28-dev to 3.7.1-5+deb11u4
Upgrade libgnutls30 to 3.7.1-5+deb11u4
Upgrade libgnutls-dane0 to 3.7.1-5+deb11u4
Upgrade libgnutls-openssl27 to 3.7.1-5+deb11u4
Upgrade libgnutlsxx28 to 3.7.1-5+deb11u4

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-5981

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2057487

Change-Id: Ibc1d9f3c19b8330cc66a504c3ccb2972814789f8
Signed-off-by: Wentao Zhang <Wentao.Zhang@windriver.com>
2024-03-14 17:18:56 +08:00
Peng Zhang a700aafb23 openssl: Fix the misleading error message when loading qatengine
Upgrade openssl related packages from 1.1.1n-0+deb11u5 to
1.1.1w-0+deb11u1 in order to fix the misleading error message when
loading qatengine.

Refer to:
https://github.com/openssl/openssl/issues/17962

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: /usr/bin/openssl engine -t -c qatengine

Closes-bug: 2055247

Change-Id: I5dd6b13bd77fa61b6ec560193e6dd93fef6183e6
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
2024-03-05 17:23:08 +08:00
Zuul ec5615cfce Merge "fix librte url" 2024-03-04 19:33:50 +00:00
Zuul f119c4c410 Merge "update tzdata" 2024-03-04 19:33:49 +00:00
Scott Little 5f2321c978 fix librte url
librte 20.11.6-1~deb11u1 is no longer available at the given url.

This update substitutes a valid url for librte 20.11.6-1~deb11u1.

Closes-Bug: 2056062
Change-Id: I6f13747bed5f3d365ae2e22790b067d899c770b6
Signed-off-by: Scott Little <scott.little@windriver.com>
2024-03-04 17:32:57 +00:00
Scott Little baecf294d2 update tzdata
tzdata expires every 6-12 months.

Update to the latest tzdata, valid until Dec 2024

Partial-bug: 2054466
Change-Id: Ie85112c3cd7bfa9fb29f738f88875f82a72e5b15
Signed-off-by: Scott Little <scott.little@windriver.com>
2024-03-01 13:38:37 -05:00
Wentao Zhang 183e2959e8 Debian: postgresql-13: fix CVE-2024-0985
Upgrade libpq5 to 13.14-0+deb11u1
Upgrade libpq-dev to 13.14-0+deb11u1
Upgrade postgresql-13 to 13.14-0+deb11u1
Upgrade postgresql-client-13 to 13.14-0+deb11u1

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2024-0985
https://security-tracker.debian.org/tracker/DSA-5622-1

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2054274

Change-Id: I194a78d1e1371b6550a1fc755f296251f417f016
Signed-off-by: Wentao Zhang <Wentao.Zhang@windriver.com>
2024-03-01 18:50:35 +08:00
Wentao Zhang 4dae7592e5 Debian: tar : fix CVE-2022-48303/CVE-2023-39804
Upgrade tar to 1.34+dfsg-1+deb11u1

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2022-48303
https://nvd.nist.gov/vuln/detail/CVE-2023-39804

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2052926

Change-Id: Iafa9152957b51cef162c318e3499457c276c041c
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
2024-02-27 13:53:41 +08:00
Wentao Zhang 0f9413c743 Debian: perl : fix CVE-2023-47038
Upgrade libperl5.32 to 5.32.1-4+deb11u3
Upgrade perl to 5.32.1-4+deb11u3
Upgrade perl-base to 5.32.1-4+deb11u3
Upgrade perl-modules-5.32 to 5.32.1-4+deb11u3

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-47038

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2052927

Change-Id: I64872f5ff20a18fafcae7f10bf37cc686847140a
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
2024-02-27 13:53:16 +08:00
Wentao Zhang e0cc551fcb Debian: jqueryui : fix CVE-2022-31160
Upgrade libjs-jquery-ui to 1.12.1+dfsg-8+deb11u2

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2022-31160

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2052923

Change-Id: I588f6c917d8123fc15444ccca1337e5d316fc9df
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
2024-02-27 13:38:44 +08:00
Wentao Zhang 874990dca8 Debian: glib2.0 : fix CVE-2023-29499/CVE-2023-32611/CVE-2023-32665
Upgrade libglib2.0-0 to 2.66.8-1+deb11u1
Upgrade libglib2.0-dev to 2.66.8-1+deb11u1
Upgrade libglib2.0-bin to 2.66.8-1+deb11u1
Upgrade libglib2.0-dev-bin to 2.66.8-1+deb11u1

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-29499
https://nvd.nist.gov/vuln/detail/CVE-2023-32611
https://nvd.nist.gov/vuln/detail/CVE-2023-32665

Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot

Closes-bug: #2052924

Change-Id: I2531757a643b3b443de392e30983378341d5b581
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
2024-02-27 11:16:15 +08:00
Zuul 0fd795f328 Merge "bind9: Upgrade to 1:9.16.48-1" 2024-02-26 15:06:35 +00:00
Zuul 07fcb93304 Merge "libunbound: Upgrade to 1.13.1-1+deb11u2" 2024-02-26 15:04:55 +00:00
Peng Zhang e819e5f144 bind9: Upgrade to 1:9.16.48-1
Upgrade package bind9-dnsutils, bind9-host and bind9-libs from
1:9.16.44-1~deb11u1 to 1:9.16.48-1 in order to fix the following
CVE issues:
1. CVE-2023-4408
2. CVE-2023-5517
3. CVE-2023-5679
4. CVE-2023-50387
5. CVE-2023-50868
6. CVE-2023-6516.

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-4408
https://nvd.nist.gov/vuln/detail/CVE-2023-5517
https://nvd.nist.gov/vuln/detail/CVE-2023-5679
https://nvd.nist.gov/vuln/detail/CVE-2023-50387
https://nvd.nist.gov/vuln/detail/CVE-2023-50868
https://nvd.nist.gov/vuln/detail/CVE-2023-6516
https://security-tracker.debian.org/tracker/DSA-5621-1

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2054275

Change-Id: Ia672dfd46b71db404dee55a8a33e66a7d3580791
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
2024-02-26 15:08:13 +08:00
Peng Zhang 24d8e4e82c libunbound: Upgrade to 1.13.1-1+deb11u2
Upgrade package libunbound8 and libunbound-dev from 1.13.1-1+deb11u1
to 1.13.1-1+deb11u2 in order to fix the CVE issues CVE-2023-50387
and CVE-2023-50868.

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-50387
https://nvd.nist.gov/vuln/detail/CVE-2023-50868
https://security-tracker.debian.org/tracker/DSA-5620-1

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2054276

Change-Id: I646be1b0d6c0f8be2108a68d1ac1c9ad78eee519
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
2024-02-26 15:03:44 +08:00
Peng Zhang a36a1ee862 ovmf: Upgrade to ovmf_2020.11-2+deb11u2_all.deb
Upgrade package ovmf from 2020.11-2+deb11u1 to 2020.11-2+deb11u2 in
order to fix the CVE issue CVE-2023-48733.

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-48733
https://security-tracker.debian.org/tracker/DSA-5624-1

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2054273

Change-Id: I42937791da7c25b59ae4cf2f945bdd4b6d57ade3
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
2024-02-26 10:36:40 +08:00
Davlet Panech 14d5030d09 aptly: update expired GPG key
Aptly repos are signed with a GPG key embedded in environment
containers. That key expired today (2024-02-23).

Replace key with a new one that does not expire at all.

Partial-Bug: 2054862
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I41a5c7a785a23eb8c9546e99865ecf62faaf506a
2024-02-23 22:47:45 -05:00
Zuul c7ba0ddeb8 Merge "Add ndisc6 package to iso, allow patches on ifupdown package" 2024-02-22 14:26:33 +00:00
Zuul fa10efb041 Merge "stx control stop: faster shutdown" 2024-02-20 21:31:23 +00:00
Zuul 872cf170b7 Merge "stx control stop --wait: helm compatibility" 2024-02-16 14:53:42 +00:00
Davlet Panech f5ddd163a1 stx control stop --wait: helm compatibility
Don't use --wait with helm uninstall because it requires helm >= 3.7,
and even in those versions doesn't work correctly.

Story: 2011038
Task: 49549

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I4f3be32bf4ce84e1670e7884fc09c3ddac00b85a
2024-02-16 08:23:07 -05:00
Lucas Ratusznei Fonseca 74b47609a3 Add ndisc6 package to iso, allow patches on ifupdown package
The ndisc6 package has useful diagnostic tools for IPv6 networks. It is
being added to allow for duplicate address and gateway reachability
detection by the scripts from the ifupdown-extra package.
The ifupdown package is being removed from the list because it's being
added via the integ project instead, to allow for patches.

Test Plan

[PASS] downloader
[PASS] build-pkgs --clean --all
[PASS] build-image
[PASS] Run full build, system install, bootstrap and unlock SX system
[PASS] Run command "dpkg --list | grep ndisc6"
[PASS] Run command "ndisc6 --help"
[PASS] Run command "dpkg --list | grep ifupdown"
[PASS] Run command "ifup --help"

Depends-On: https://review.opendev.org/c/starlingx/integ/+/908172

Closes-Bug: #2052534
Change-Id: I9dd38bbd1f89e266e0b55ffde9865f94a641c8ff
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
2024-02-15 18:43:29 -03:00
Davlet Panech 86d219ada7 stx control stop: faster shutdown
Make sure aptly & builder containers catch and handle SIGTERM. Otherwise
"stx stop" sends the signal, 2 out of 6 containers ignore it, then
docker waits for ~15 seconds and SIGKILL's them.

* stx-builder.Dockerfile: change default image command from plain "bash"
  to "tini" that starts "sleep infinity". Tini catches and broadcasts
  signals to its own children (sleep), enabling graceful shutdown to
  work

* aptly: replace call to "supervisord" with "exec supervisord", to make
  sure it runs as PID 1 and actually receives signals from docker.

* stx_control.py: slightly reduce loop sleep time in "stx control stop"

TESTS
==================
* Retest "stx control start --wait"
* Make sure builder's entry point executes "finisSetup.sh" script, as
  before this change
* Make sure "stx control stop --wait" exits quickly (~4 seconds on my
  machine, down from ~15 seconds)

Story: 2011038
Task: 49577

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I984846fc45349be045c069b84186f12179fe36ad
2024-02-15 14:28:54 -05:00
Davlet Panech 4df5160bbd stx-init-env: faster minikube status check
Avoid "minikube profile list" when checking whether the profile exists.
The list command attempts to connect to each profile and is quite slow.

Use "minikube status -p $MINIKUBENAME" instead.

Story: 2011038
Task: 49570

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: If799840d749de00af907de7867ec68fb9908afa3
2024-02-14 13:25:08 -05:00
Davlet Panech 4187e73f86 Commands to reset the build environment
* stx script:
- New command "stx control is-started" to complement start/stop
- New option "stx control {start,stop} --wait"

* stx-init-env:
- new option --reset: delete chroots + restart pods
- new option --reset-hard: stop pods, delete local workspaces,
  chroots, aptly, docker & minikube profile
- rename option "--nuke" to "--delete-minikube-profile"; old spelling
  is still accepted with a warning
- renamed & refactored some functions

* import-stx:
- new env var STX_RM_METHOD: may be optionally set to "docker" for
  deleting root-owned files via "docker run", rather than "sudo"

TESTS
=========================
* Misc sanity checks using minikube & k8s
* Manually tested blacklist checks in safe_rm()
* rm via "sudo" vs "docker run"
* Using minikube:
- stx-init-env
- stx-init-env --rebuild
- stx start, build all packages, --reset, build all packages
- stx start, build all packages, --reset-hard, stx-init-env,
  build all packages

Story: 2011038
Task: 49549

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Ife4172ae9fa7b58332ac7ad65beb99525bc2a1a3
2024-02-14 13:19:31 -05:00
Carmen Rata 5527d0df46 Disallow remote login as root
This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is a leftover
cleanup from the Debian integration.

Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.

Closes-Bug: 2051473

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
2024-01-29 15:12:10 +00:00
Zhixiong Chi fcf426cf15 curl: Upgrade to 7.74.0-1.3+deb11u11
Upgrade subpackages curl|libcurl3-gnutls|libcurl4|libcurl4-gnutls-dev
|libcurl4-openssl-dev to 7.74.0-1.3+deb11u11 to fix the CVE issue
CVE-2023-46218.

Refer to:
https://www.debian.org/security/2023/dsa-5587
https://www.tenable.com/plugins/nessus/187288
https://nvd.nist.gov/vuln/detail/CVE-2023-46218

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2047316

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Idbb9e6767a7982207c7de7fc19fce890bc91f6da
2024-01-14 02:35:09 +00:00
Zuul 7133843f58 Merge "Add inotifytools package" 2024-01-11 06:49:24 +00:00
Kaustubh Dhokte 232a9c62f0 Bump up golang version from 1.19.8 to 1.19.12
New etcd version 3.4.27 builds using golang version 1.19.10 minimum.
So bumping it up to closest possible available and working version.

Test Plan:
PASS: Downloader succeeds.
PASS: All packages build succeeds.
PASS: Build Image succeeds.

Story: 2010878
Task: 48961

Change-Id: Ia5fe36f0ed2dba6083a1fd8f8f2c3919b70d5abe
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
2024-01-10 15:02:09 +00:00
Zuul 184e48d3c8 Merge "openssh: Upgrade to 8.4p1-5+deb11u3" 2024-01-08 16:49:17 +00:00
Zuul a5573372fa Merge "libbluetooth3: Upgrade to 5.55-3.1+deb11u1" 2024-01-08 16:49:16 +00:00
Zuul 5cb69b92dc Merge "libssh: Upgrade to 0.9.8-0+deb11u1" 2024-01-08 16:08:02 +00:00
Zuul fbf32f8317 Merge "base-bullseye: update qemu and requied packages" 2024-01-08 16:05:53 +00:00
Harshad sonde f8b363c4c8 Add inotifytools package
Package added:
  -> inotifytools 3.14-7
  -> libinotifytools0 3.14-7

This package will be used by luks-fs-mgr service to detect
file change and creation recursively, so that those files can be rsynced
with the standby controller.

Test Plan:
PASSED: downloader && build-image successful
PASSED: Deployed image successfully on AIO-DX
        Both controllers in available and online state
        inotifytools package successfully installed on controllers
        Able to execute inotifywait command

Story: 2010873
Task: 49371

Change-Id: Ib3fec16671b22107db5b1e8e33a772a765018962
Signed-off-by: Harshad sonde <harshad.sonde@windriver.com>
2024-01-03 09:16:09 -05:00
Zuul 2048253ec7 Merge "GRUB configuration: Increase UEFI watchdog timeout" 2024-01-02 16:20:50 +00:00
Zhixiong Chi 29ec4cfeaa libssh: Upgrade to 0.9.8-0+deb11u1
Upgrade libssh-4 and libssh-dev to 0.9.8-0+deb11u1 to fix the CVE
issues CVE-2023-6004/CVE-2023-6918/CVE-2023-48795

Refer to:
https://security-tracker.debian.org/tracker/DSA-5591-1
https://nvd.nist.gov/vuln/detail/CVE-2023-6004
https://nvd.nist.gov/vuln/detail/CVE-2023-6918
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Closes-Bug: 2047673

Change-Id: I03397c7ca51e569b12387c8f86f79dbe0781a1df
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2024-01-02 04:28:22 -05:00
Zhixiong Chi 186726132a openssh: Upgrade to 8.4p1-5+deb11u3
Upgrade the three subpackages openssh-client openssh-server
openssh-sftp-server to 8.4p1-5+deb11u3 to fix CVE issues
CVE-2023-51384/CVE-2023-28531/CVE-2023-48795/CVE-2023-51385/CVE-2021-41617

Refer to:
https://www.debian.org/security/2023/dsa-5586
https://www.tenable.com/plugins/nessus/187289
https://www.tenable.com/plugins/nessus/187213
https://nvd.nist.gov/vuln/detail/CVE-2023-51384
https://nvd.nist.gov/vuln/detail/CVE-2023-28531
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
https://nvd.nist.gov/vuln/detail/CVE-2023-51385
https://nvd.nist.gov/vuln/detail/CVE-2021-41617

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2047315

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I1c5ca1ef41a29a23b9acea3a849c390e252bcdac
2023-12-29 02:44:30 +00:00
Zhixiong Chi 18969517c9 libbluetooth3: Upgrade to 5.55-3.1+deb11u1
Upgrade subpackages libbluetooth3 and libbluetooth-dev to
5.55-3.1+deb11u1 to fix the CVE issue CVE-2023-45866.
Add libbluetooth-dev since it's the dependency of python3.9.

Refer to:
https://www.debian.org/security/2023/dsa-5584
https://security-tracker.debian.org/tracker/CVE-2023-45866

TestPlan:
PASS: downloader; build-pkgs -c; build-image
PASS: Jenkins Installation

Closes-Bug: 2047185

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Id4175c0ef5791dbc02fa546a6b0a21a64cfec711
2023-12-28 20:26:45 -05:00
Zuul 6f6a4cd4e0 Merge "nghttp2: Upgrade to 1.43.0-1+deb11u1" 2023-12-18 07:23:27 +00:00
Zuul dcdcda8400 Merge "Software upload: create pxeboot versioned dir" 2023-12-14 21:34:59 +00:00
Zuul da5292bace Merge "Copy deployment scripts to ISO" 2023-12-14 16:16:45 +00:00
junfeng-li 7e098b39bf Copy deployment scripts to ISO
This commit is to copy all USM deployment scripts to ISO
/upgrades/software-deploy/ directory. These scripts will later be
deployed to /usr/sbin/software-deploy/ during 'software upload'

Test Plan:

PASS: ISO built and scripts are in the ISO directory

Task: 48956
Story: 2010676
Change-Id: Ib18c09d66058ae861f3a30e3d41106f3bebd9d92
Signed-off-by: junfeng-li <junfeng.li@windriver.com>
2023-12-12 14:02:12 +00:00
M. Vefa Bicakci 00a5ccd35b GRUB configuration: Increase UEFI watchdog timeout
This commit increases the UEFI watchdog timeout utilized by GRUB in
StarlingX from 3 minutes to 20 minutes to prevent undesirable and
arguably premature UEFI watchdog timeout-triggered reboots during the
installation of StarlingX ISO images via BMC/iLO/iDRAC/platform-provided
virtual media redirection features in conjunction with ISO images hosted
on web servers.

In more detail, a user reported that a StarlingX-based distribution's
ISO image would not successfully install with platform-provided ISO
image redirection when the ISO image in question was hosted on a web
server, despite the bandwidth and latency between the platform network
interface and the web server being acceptable. The same user reported
that removing the "efi-watchdog enable ..." line from the GRUB
configuration resolved the issue.

The same issue was later reproduced locally with an HPE DL360g10 server,
where the OAM network interface was able to download an ISO image from a
local server on a different subnet at a rate of about 76 MiB/s. (While
the OAM and the iLO network interfaces are likely not the same, we do
not envision the network conditions to be vastly different when the two
network paths are compared.) In our reproduction of the issue, the
downloading of the kernel and the initramfs images takes approximately
nine minutes and ten seconds, after which the "Linux version" banner is
printed out by the kernel on the serial console, regardless of whether
the "Enhanced Download Performance" setting is enabled in the iLO
settings or not.

Based on these experimental results, this commit changes the UEFI
watchdog timeout from 3 minutes to a duration that is approximately two
times the initial kernel/initramfs load time of 9 minutes and 10 seconds
encountered in our experiments: 20 minutes.

Note that this commit does not affect the GRUB configuration files that
are used after installation. The timeout remains 3 minutes in
"/boot/efi/EFI/BOOT/grub.cfg" on installed systems after this commit,
which is appropriate as the GRUB configuration file in question is
utilized for booting up from local storage (i.e., SSD or HDD).

Verification:

* The reported issue was confirmed by placing a StarlingX-based
  distribution's nightly build ISO image on a web server, and the iLO
  (out-of-band platform management firmware) of the HPE DL360g10 server
  under test was configured to boot up from the ISO image on the web
  server via virtual media redirection using an HTTP URL. The 3 minute
  UEFI watchdog timeout set by GRUB was observed to be insufficient and
  the server was seen to autonomously reboot in the middle of the
  loading of the kernel and/or initramfs images.

* A custom ISO image was built with this commit.

* The built ISO image was uploaded to the same web server and the iLO
  configuration was modified to boot up from the custom-built ISO image
  instead, also via an HTTP URL. The server was observed to load the
  kernel/initramfs and transfer the control to the Linux kernel in about
  9 minutes and 10 seconds, regardless of the "Enhanced Download
  Performance" setting in the iLO.

* The installation was allowed to continue. Without the "Enhanced
  Download Performance" setting, the installation finished in ~36 hours,
  whereas with the setting in question enabled, the installation
  finished in ~2 hours. We also observed that this setting did not
  affect the initial loading of the kernel and initramfs images by GRUB.

Closes-Bug: 2046182
Change-Id: Iaadf304fcc1969350e399fcd89a06ce1102df223
Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>
2023-12-11 18:28:31 +00:00
Zuul 33ec3996c2 Merge "LAT: update to lat-sdk-20231206" 2023-12-11 14:56:45 +00:00
Zuul a303f9dcc3 Merge "stx-init-env: new option --no-start" 2023-12-07 15:48:08 +00:00
Zhang Xiao 1275dc128f LAT: update to lat-sdk-20231206
Update lat-sdk.sh for the meta-lat commit:
https://github.com/Wind-River/meta-lat/commit/3ddaf92342

Test plan:
  PASS: Run "stx-init-env --rebuild".
        Run "stx shell" to enter new builder container.
        Run "build-image -c".
  PASS: Check the boot checksum of new build ostree repos, the order
        is always standard kernel, rt kernel, vmlinuz and initrd.
  PASS: Qemu boot OK;

Closes-Bug: 2045914

Change-Id: I256c83d213bde76b82879711d8a0e038bcbf394d
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
2023-12-07 23:36:35 +08:00
Zuul 220395b099 Merge "Add packages for containerized virtual switch tests" 2023-12-07 03:26:14 +00:00
Davlet Panech 5b62b7ef1e stx-init-env: new option --no-start
New option to skip (re-)starting the pods. This will allow us to better
control build stages in Jenkins.

TESTS
=====================
Run with and without the new option

Story: 2010226
Task: 49211

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I367a6db9503a13d376966376a8b25cbedccd1f35
2023-12-06 11:25:46 -05:00
Zhixiong Chi 71d79a575c nghttp2: Upgrade to 1.43.0-1+deb11u1
Upgrade subpackage libnghttp2-14 to 1.43.0-1+deb11u1 to fix CVE
issue CVE-2023-44487

Refer to:
https://security-tracker.debian.org/tracker/DSA-5570-1
https://www.debian.org/security/2023/dsa-5570
https://www.tenable.com/plugins/nessus/186518

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-Bug: 2045544

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ib6d97caf466b851e814e818b41a69cdb62752eb0
2023-12-05 22:10:30 -05:00