433 Commits

Author SHA1 Message Date
Zuul 2b88224302 Merge "rabbitmq-server: Upgrade to 3.8.9-3+deb11u1" 2023-12-18 07:19:52 +00:00
Zhixiong Chi 0dd2eb4ab8 rabbitmq-server: Upgrade to 3.8.9-3+deb11u1
Upgrade rabbitmq-server to 3.8.9-3+deb11u1 to fix the CVE issue:
CVE-2023-46118

Refer to:
https://security-tracker.debian.org/tracker/CVE-2023-46118
https://www.debian.org/security/2023/dsa-5571
https://www.tenable.com/plugins/nessus/186517

TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation

Closes-bug: 2045522

Change-Id: Ifccda2e60db6915e10beef14dd3a65b615f4ec45
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2023-12-05 22:09:02 -05:00
Guilherme Costa c733474d1e Adding software-client and tsconfig on stx-platformclients dependencies
Adding software-client and tsconfig to PIP_PACKAGES to have their
dependencies fulfilled on stx-platformclients image

Test Plan:
PASS Build python3 wheels tarball on Debian and build
    stx-platformclients image on Debian.

Depends-On: https://review.opendev.org/c/starlingx/update/+/901240

Story: 2010676
Task: 49164

Change-Id: I84c951405c4caa3f4a7846979b59ff23cca54d23
Signed-off-by: Guilherme Costa <guilherme.costa@windriver.com>
2023-11-29 11:06:10 -03:00
Zuul 25ca5b8cbd Merge "python-horizon: Upgrade to 18.6.2-5+deb11u2" 2023-11-01 14:00:47 +00:00
Zhixiong Chi 9924af318e python-horizon: Upgrade to 18.6.2-5+deb11u2
Upgrade python-horizon to 18.6.2-5+deb11u2 to fix the CVE issue:
CVE-2022-45582

Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2022-45582

TestPlan:
PASS: downloader;build-pkgs -c;build-image
PASS: boot
PASS: Sanity test on AIO-SX node

Closes-bug: 2038880

Change-Id: I7ce385cde29ade8681ec6449d0f3379057edaac0
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2023-10-24 03:14:18 -04:00
Carmen Rata eb557c0450 Set keyring dir group ownership on password change
This commit changes the group ownership for "/opt/platform/.keyring"
directory, and its subdirectories and files, from "root" to
'sys_protected', when keystone password changes for the admin user.
The 'sys_protected' group ownership is needed to support access
privileges for OpenLDAP/WAD users and is implemented by the ansible
bootstrap configuration.
The group ownership update in this commit is required because after
a keystone and corresponding keyring password change for the admin
user, the group ownership of the "/opt/platform/.keyring" directory
has been reset to "root".
As a consequence, an ldap user loses permission to access files in
that directory.
The group ownership reset is done in the keystone package.
That is why the fix for this bug is delivered as a patch for the
keystone package.

Test Plan:
PASS: Verify the keystone patch installs correctly.
PASS: Verify the group ownership was applied correctly
for files in "/opt/platform/.keyring" so they are part of the
"sys_protected" group before changing keystone password for the admin
user.
PASS: Verify the group ownership for files in "/opt/platform/.keyring"
remains "sys_protected" after changing keystone password for the admin
user.
PASS: Verify that an openldap user that is part of the "sys_protected"
group can execute command: "source /etc/platform/openrc" after the
keystone password has been changed for the admin user.

Closes-Bug: 2039870

Change-Id: I0360d1f13725cca9900b967c32451fc6f7afe761
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
2023-10-20 02:57:36 +00:00
Rafael Moyano 837787b404 Add enabled condition for read-only address pools
This condition will disable the address pools row dropdown
menu for address pools created before bootstrap which are
read-only and leave them enabled for address pools created
post bootstrap which are not read-only.

Test Plan:
PASS: Build python-django-horizon package with these changes
 and install it in a system. Verify the changes are applied
  correctly.
PASS: Build iso with these changes and perform a fresh
install. Verify the changes are applied correctly.

Partial-bug: 2030350

Change-Id: Ieb0397dda8b4c8bc249faf1fd99b8218432fdc51
Signed-off-by: Rafael Moyano <rafael.moyano@windriver.com>
2023-08-15 16:06:59 -03:00
Zhang Xiao 7be76ad952 Debian: barbican: CVE-2022-3100
Upgrade barbican from 1:11.0.0-3 to 1:11.0.0-3+deb11u1

Refer to:
https://www.debian.org/security/2022/dsa-5247
https://security-tracker.debian.org/tracker/CVE-2022-3100

Test Plan:
PASS: $downloader
PASS: $build-pkgs -c -a --parallel 10
PASS: $build-image
PASS: Jenkins Installation
PASS: dpkg -l | grep barbican-common
      ii  barbican-common  1:11.0.0-3+deb11u1.stx.5

Closes-Bug: 2021469

Change-Id: I03c845195afd991773f733f837f862a4714f6cab
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
2023-06-24 15:34:00 +08:00
Zhixiong Chi c59b61be25 keystone: Upgrade to 18.0.0-3+deb11u1
Fix CVE-2021-38155

Refer to:
https://security-tracker.debian.org/tracker/CVE-2021-38155

TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation.
PASS: Check the package version with 'dpkg -l'

Closes-Bug: 2021546

Change-Id: Ifb54a95842c4080a8ab0f1c03df70dd4bd1f194b
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2023-06-15 21:21:59 -04:00
Luan Nunes Utimura 67c274141a stx-openstack: Use commit hash in PROJECT_REF
As the `stable/ussuri` branch is potentially being removed from all
OpenStack repositories -- as seen in `openstack/heat` [1] -- we should
consider using a different `PROJECT_REF` for all LOCI-based container
images in stx-openstack to avoid possible build breaks in the future.

This change proposes the use of the following commit SHAs:

  Repository            stable/ussuri's HEAD (as of May 9th)
* openstack/aodh        4366d6eae1aad4e15aeca4bc7e8b5e757c7601e8
* openstack/ironic      859e51c8b4b8344827b5bba1f9a0b737ffbc1ebc
* openstack/barbican    cc076f24e55c24a6fc8e57ca606130090fb6369b
* openstack/ceilometer  bcada72c3aaeeb2a86de3368b1787a9253c9d55b
* openstack/cinder      79b012fbc8b6bc9dcce2c8c52a6fa63976a0309f
* openstack/glance      6f03ccd47772e02f810de8fa3158afddc4a9c158
* openstack/horizon     e6f3952b878d6b04fde9742987e0f37a1cfad3e5
* openstack/keystone    1ab860a08e527ca9e0c82a49fbf004d415fec991
* openstack/neutron     fe2445d99c430bb080ac45a19e4958b1ae7c9857
* openstack/nova        3fe8880d3759cbd7b19d75dcf235dfd5c511be13
* openstack/placement   5a865abc2545544870ad972f70cd54ebd14c19a8

Note: Gnocchi is in [2] and currently points to a specific semver.

[1] https://opendev.org/openstack/heat
[2] https://github.com/gnocchixyz/gnocchi

Test Plan:
PASS - Build stx-debian base image
PASS - Build wheels tarball
PASS - Build all the stx-openstack images affected by this change

Partial-Bug: 2019015

Change-Id: Ibf589444237664dd9e4ab8314ca1c8ad44f80ec7
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
2023-05-10 11:25:00 -03:00
Luan Nunes Utimura 7243a5140f stx-heat: Use commit hash in PROJECT_REF
It has been observed that the stx-openstack helm charts build started to
fail since the `stable/ussuri` branch was removed from the upstream
project `openstack/heat`.

In order to be able to build the helm charts again, we must change the
`PROJECT_REF` value to use a commit hash in place of the branch name.

This change proposes the use of the following commit SHA:

  Repository            Former stable/ussuri branch and ussuri-eol tag's
                        HEAD (as of May 9th)
* openstack/heat        5466ede853bde7d636943cba017ed8265dcfd260

Test Plan:
PASS - Build stx-debian base image
PASS - Build wheels tarball
PASS - Build stx-heat image

Partial-Bug: 2019015

Change-Id: I785d704c68ca6d987f30a57c5068677eef1e77f2
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
2023-05-10 09:30:32 -03:00
Rafael Falcao 7f23ac77b6 Add PROJECT_UID and PROJECT_GID specification to stx-cinder
This review intends to solve an id conflict between the
cinder user and the keystone user (added on [1]). The
keystone user is attached with the id 42424, same as
the cinder user. This conflict is causing volume related
commands to fail due to permissions of the user (because it
is trying to execute the commands as keystone user, not
cinder).

[1] https://review.opendev.org/c/starlingx/integ/+/854246

Test plan:
PASS - Check the /etc/passwd file to see that the user
       'cinder' in the cinder container changed its id
       from 42424 to 42425.

Partial-Bug: 2012392

Signed-off-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
Change-Id: I29bba77beb0e63dfd03fcc681aba8a13b4c3445f
2023-04-20 09:20:08 -03:00
Luan Nunes Utimura a9b102dba6 Add location parameter for volume backup creation
These patches add the `location` parameter in python-cinderclient's
`backup-create` command and in python-openstackclient's `volume backup
create` command to allow the optional specification of volume backup
locations.

The unit tests for both clients were updated accordingly.

Test Plan:
PASS - Build python-cinderclient package
PASS - Build python-openstackclient package
PASS - Verify that the `--location` parameter is available for use in
       both clients when creating volume backups

Story: 2010317
Task: 47616

Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: If821fe402f1d34d89e978028d46916651dc700e6
2023-03-09 14:43:07 -03:00
Zuul 55297417a5 Merge "Add plugin entry point sorting mechanism in OSC" 2023-03-06 15:56:11 +00:00
Luan Nunes Utimura aa8ba61828 Add plugin entry point sorting mechanism in OSC
On CentOS, with `python-openstackclient` on version 4.0.0
(stable/train), the plugin entry point discovery was done by using
a built-in library called `pkg_resources` ([1], [2], [3]).

On Debian, with `python-openstackclient` on version 5.4.0-4
(stable/victoria), the discovery process is now performed by using the
`stevedore` library ([4], [5], [6]).

The problem with this replacement is that, with `stevedore`, there's no
guarantee that the plugin entry point discovery list will be the same as
it was with `pkg_resources`. That is, the fetching order of entry points
may vary from CentOS to Debian.

For plugins that just extend the existing OpenStackClient (OSC) CLI by
adding commands to it, this is fine, as the loading order doesn't
matter.

However, for custom plugins that not only add commands but also override
existing entry points configured by default plugins, this may become
a problem, because the former needs to be loaded after the latter,
otherwise, the overrides will have no effect.

Therefore, this change aims to provide a plugin entry point sorting
mechanism to keep the discovery process more consistent.

By reading plugin-specific options such as `load_first` or `load_last`
from a configuration file - that can be specified through command-line
argument (--os-osc-config-file, defaults to
/etc/openstackclient/openstackclient.conf) - the plugin entry point
sorting mechanism can decide where to insert the newly discovered
plugin: at the beginning, at the end, or where it would be inserted by
default in the list.

[1] https://opendev.org/starlingx/upstream/src/branch/master/openstack/python-openstackclient/centos/python-openstackclient.spec#L19
[2] https://opendev.org/openstack/python-openstackclient/src/branch/stable/train/openstackclient/common/clientmanager.py#L146
[3] https://opendev.org/openstack/cliff/src/branch/stable/train/cliff/commandmanager.py#L61
[4] https://opendev.org/starlingx/upstream/src/branch/master/openstack/python-openstackclient/debian/meta_data.yaml#L5
[5] https://opendev.org/openstack/python-openstackclient/src/branch/stable/victoria/openstackclient/common/clientmanager.py#L147
[6] https://opendev.org/openstack/cliff/src/branch/stable/victoria/cliff/commandmanager.py#L75

Test Plan:
PASS - Build python-openstackclient package
PASS - Build/install ISO with built package
PASS - Verify that the platform OSC has an additional argument for
       reading configuration files:
       `openstack -h | grep -- --os-osc-config-file`
PASS - Verify that, when reading a configuration file with the
       `load_first` or `load_last` options (in the [plugins] section),
       the order in which the specified plugins are loaded is different

Story: 2010317
Task: 47545

Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: If2237bc8cef197d2a163bd7b8063dfdbb2ab1c3d
2023-03-02 18:10:15 -03:00
Thales Elero Cervi 660c529bba Update debian package versions to use git commits
The Debian packaging has been changed to reflect all the
git commits under the directory, and not just the commits
to the metadata folder.

This ensures that any new code submissions under those
directories will increment the versions.

TEST PLAN:
PASS - build-pkgs -c -p barbican
PASS - build-pkgs -c -p keystone
PASS - build-pkgs -c -p openstack-pkg-tools
PASS - build-pkgs -c -p openstack-resource-agents
PASS - build-pkgs -c -p python-aodhclient
PASS - build-pkgs -c -p python-barbicanclient
PASS - build-pkgs -c -p python-cinderclient
PASS - build-pkgs -c -p python-glanceclient
PASS - build-pkgs -c -p python-gnocchiclient
PASS - build-pkgs -c -p python-heatclient
PASS - build-pkgs -c -p horizon
PASS - build-pkgs -c -p python-ironicclient
PASS - build-pkgs -c -p python-keystoneclient
PASS - build-pkgs -c -p python-neutronclient
PASS - build-pkgs -c -p python-novaclient
PASS - build-pkgs -c -p python-openstackclient
PASS - build-pkgs -c -p python-openstacksdk
PASS - build-pkgs -c -p python-osc-lib
PASS - build-pkgs -c -p python-pankoclient
PASS - build-pkgs -c -p python-wsme
PASS - build-pkgs -c -p rabbitmq-server

Story: 2010550
Task: 47489

Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Change-Id: Ib09af4af71e636e082c5690fc8b24952544fd7e6
2023-02-23 13:50:05 -03:00
Zuul f4f87d58af Merge "Change version requirement of netaddr" 2023-02-17 20:42:48 +00:00
Zuul 084db20633 Merge "Port stx-openstack images with WSGI to stx-debian" 2023-01-26 18:24:03 +00:00
Zuul a47f19f391 Merge "Port stx-nova and stx-ceilometer to stx-debian" 2023-01-26 18:18:52 +00:00
Luan Nunes Utimura 1526d5838c Port stx-nova and stx-ceilometer to stx-debian
This change enables building the stx-nova and stx-ceilometer images
within the Debian build framework. It is now based on stx-debian and
following the new convention for StarlingX images.

Test Plan:
PASS: Build both images
PASS: Manually upload the built images to a system, use helm-override to
      change their respective containers images and reapply
      stx-openstack
PASS: Ensure affected pods successfully start and are running
PASS: Ensure affected pods liveness and readiness probes are healthy

Story: 2010072
Task: 47090

Depends-On: https://review.opendev.org/c/starlingx/root/+/871314

Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: Ibe92ad8eb003df225dd77be60bd9c5387f1109a3
2023-01-26 13:51:40 -03:00
Luan Nunes Utimura 1543c5820c Port stx-openstack images with WSGI to stx-debian
This change enables building the following stx-openstack images with
WSGI within the Debian build framework:

- stx-aodh
- stx-ironic
- stx-horizon
- stx-keystone
- stx-placement
- stx-gnocchi

They are now based on stx-debian and following the new convention for
StarlingX images.

Test Plan:
PASS - Build images
PASS - Manually upload the built images to a system, use helm-override
       to change their respective containers images and reapply
       stx-openstack
PASS - Ensure affected pods successfully start and are running
PASS - Ensure affected pods liveness and readiness probes are healthy

Story: 2010072
Task: 47089

Depends-On: https://review.opendev.org/c/starlingx/root/+/871314
Depends-On: https://review.opendev.org/c/starlingx/root/+/871638
Depends-On: https://review.opendev.org/c/starlingx/root/+/871705

Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: I18bcb51f2826fd0382370f5236db4b5954ac1b53
2023-01-25 08:54:55 -03:00
Luan Nunes Utimura 847d13be9b Debian: Add missing curl package to stx-heat
This change adds the curl package to stx-heat, originally ported to
Debian in [1].

It has been observed that some bootstrap pods were failing to start due
to the missing command.

[1] https://review.opendev.org/c/starlingx/upstream/+/868726

Story: 2010072
Task: 47088

Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
Change-Id: Ie37415888ebb285da191d9b38dae5e9272ce5d0f
2023-01-23 15:53:53 -03:00
Zuul e6e1d16db6 Merge "Port openstack related images to stx-debian" 2023-01-17 13:30:45 +00:00
Romulo Leite 281590535e Port openstack related images to stx-debian
Build stx-openstack related images using stx-debian base image.
This change ports openstack related images from Centos to Debian
in stx/upstream.

The following images were ported:

- stx-cinder
- stx-glance
- stx-neutron
- stx-openstackclients
- stx-heat
- stx-barbican

Test Plan:

PASS - Build images in a debian build environment
PASS - Manually upload the built images to stx-openstack,
       use helm-override to change the required containers
       image and reapply stx-openstack.
PASS - Check the health of the pods related to those images

Story: 2010072
Task: 47088

Signed-off-by: Romulo Leite <romulo.leite@windriver.com>
Change-Id: Ief0f0c53eb973dad2dd5b7461d756ad79278858e
2023-01-13 16:49:45 -03:00
Takamasa Takenaka b7f29b2136 Extract branding before horizon starts
Move script to extract branding archive before
horizon service starts.

Closes-bug: 2002838

Test Plan:
PASS: Confirm branding file applied in pre-install in SX
PASS: Confirm branding file applied in post-install in SX
PASS: Confirm branding file applied in pre-install in DX
PASS: Confirm branding file applied in post-install in DX

Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Change-Id: Ia36afd96493f1e15509607c706ca12d46466f741
2023-01-13 15:30:50 -03:00
Luiz Felipe Kina e77cc3c011 Change version requirement of netaddr
Netaddr is using version 0.7.19 on remote cli. Because of this
version, commands being executed towards platform apis are causing a
syntax warning.
This fix changes the minimum requirement of netaddr to 0.7.20 to
address a fix for this warning.

Test Plan:
PASS: Build debian iso and perform fresh install.
PASS Build python3 wheels tarball on Debian and build
stx-platformclients image on Debian.


Closes-Bug: 1999563

Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: I0c111875f622be9696bf143b321f1a8dfd594c7f
2023-01-12 12:01:31 +00:00
Enzo Candotti feb152c085 Fix incomplete pop-up message on delete Action
When an Action table is created with a 'danger' action_type and a
single handler method for a single object, the 'selection' and
'help' parameters are empty. This causes the pop-up message to be
incomplete. For example:

"You have selected: . Please confirm your selection. "

This patch fixes this behaviour by displaying the message with
the selected objects only when one or more objects are selected.
Otherwise, it only asks for confirmation.

Closes-Bug: 2000799

Test Plan:
PASS: Build python3-django-horizon package including these changes.
PASS: Test the behaviour for single delete actions. For example:
Create a patch strategy and press the "Delete" action. Verify
the following message is displayed in the pop-up message:
"Please confirm your selection. This action cannot be undone."

PASS: Test the behaviour for multiple delete actions. For example:
Upload more than one patch, select them and click on the 'Delete'
action. Verify the following message is displayed:
You have selected: "22.12_NRR_INSVC", "22.12_RESTART_FAILURE_INSVC".
Please confirm your selection. This action cannot be undone.

Signed-off-by: Enzo Candotti <enzo.candotti@windriver.com>
Change-Id: I85bc5c8155466e14a1a5fa84d54ed22032437f88
2023-01-02 20:04:36 +00:00
Al Bailey f7a056dca0 Fix pep8 Zuul failure
A new version of flake8 (6.0.0) was released Nov 23, 2022
It is leading to an argparse error
  ValueError: 'string' is not callable

The fix is to use 'hacking' which is an openstack module
that pulls in the appropriate version of flake8.

Closes-Bug: #1997971
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Icaa5cd1cb7c362bd8caf666d82d7d7f655523fb0
2022-11-25 13:44:16 +00:00
leiskeki 9e88048440 Update stx-platformclients debian image
This creates stx-platformclients debian image for Debian with Python3
with updates on libraries to Debian. I added wheels that weren't being
automatically created on debian_stable_wheels.inc and changed the names
of packages to build on Python3.

Test Plan:
PASS: Build debian iso and perform fresh install.
PASS Build python3 wheels tarball on Debian and build
stx-platformclients image on Debian.

Story: 2009831
Task: 46792

Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: Idf742cf75d9a07d2d90a4bc7b4cdec10e7058a8a
2022-11-11 17:25:05 +00:00
Luiz Felipe Kina 16a7cd9086 Update stx-platformclients image
This creates the debian docker image file of stx-platformclients.

Since we are not currently building Openstack on debian yet, this
won't have any effect on our current build/testing.

Test Plan:

PASS: Build platformclients and placement images using a debian base
image

Story: 2009831
Task: 44512

Signed-off-by: Luiz Felipe Kina <LuizFelipe.EiskeKina@windriver.com>
Change-Id: I5bf8292e5c3f6e37b633560522fb3a1f6e8e6fee
2022-09-22 14:58:25 -04:00
Scott Little ba8d7863e7 python-gnocchiclient build fix
Lock down python-gnocchiclient to the last sha known to build.
That most recent tag under that sha was 7.0.7.  Update the
spec file to reflect that version.

Partial-bug: 1983389
Signed-off-by: Scott Little <scott.little@windriver.com>
Change-Id: Ifd57565637376ec8083d917de30fd33ded15d1cc
2022-08-02 15:16:35 -04:00
Al Bailey df17997230 Debian: Create /opt/branding directory
On CentOS the /opt/branding directory is created by horizon.
On Debian, it will now be created the same way.

The directory needs to exist on both environments to provide
parity. Other applications like backup and restore expect
this directory to exist.

Test Plan:
  Build/Install/Bootstrap AIO-SX on Debian
  Verify /opt/branding directory exists

Story: 2010165
Task: 45877
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I141d62e90161dcaea72d5245814827518326b05b
2022-07-25 15:09:43 +00:00
Zuul 889b63b3e2 Merge "Add flake8-import-order and use python3.9 on tox" 2022-06-30 17:17:25 +00:00
Thiago Brito 4d34b1ac65 Add flake8-import-order and use python3.9 on tox
Improving the code quality of upstream by adding the flake8 check on
zuul and adding the flake8-import-order plugin to standardize imports.
Also, defaults testenv to python3.9 configuration that should be used
from now on with the debian migration.

Story: 2010100
Task: 45669
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I55aa952c4f22a7af53e1f1c11a4a51997afa4bcf
2022-06-22 21:59:14 +00:00
Pedro Almeida c040bd5a76 First update on image customization
Following the openstack transition to Debian, this aims to start the
creation of the debian docker image files, adapting the customization
to properly enable WSGI on Debian.

Since we are not currently building Openstack on debian yet, this
won't have any effect on our current build/testing.

Also, since these images use apache, there's a change which is yet to
be done on the stx-openstack-helm manifest to use the "www-data"
socket-user instead of "apache", since the latter one is for centos
only.

Test Plan:

PASS: Build horizon and placement images using a debian base image
PASS: Override both images on a working Openstack application
PASS: Access the horizon interface
PASS: Remove and apply Openstack

Story: 2010072
Task: 45558

Signed-off-by: Pedro Almeida <pedro.monteiroazevedodemouraalmeida@windriver.com>
Change-Id: I776e03b863056fbb068e2eca0637e9c8b64b4b0c
2022-06-14 12:08:10 -03:00
Dan Voiculeasa 1b989b481a debian: Allow runtime openstack completion
This work affects only Debian. This is part of a fix for a bootstrap
issue.

Contents of bash-completion generated at build time vs runtime differ.
Allow puppet code to generate bash-completion at runtime as on CentOS.
Ostree doesn't allow changes to /usr, instead ensure
/etc/bash_completion.d is created, as the completion will be generated
there.

Tests on AIO-SX:
PASS: build-pkgs, build-image, install
PASS: bootstrap without ostree unlock goes past the issue

Story: 2009964
Task: 45530
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: Ib941deb5bb1817b6c32a90bbd7ef0a1f3c7dd276
2022-06-03 12:21:25 +03:00
Zuul e0592d6086 Merge "Added patch to store barbican data in ascii format in DB" 2022-06-02 13:15:52 +00:00
Andy Ning ccf9416b74 Added patch to store barbican data in ascii format in DB
Currently Barbican stores base64 encoded secret data (plugin_meta
and cypher_text) as hex bytes in database. But when this data
is retrieved from database for base64 decoding, it is not
converted back to ascii format, causing the decoding to fail with
error:

binascii.Error: Invalid base64-encoded string: number of data
characters (273) cannot be 1 more than a multiple of 4.

This commit added a patch to Barbican to store these data in ascii
format in the database so they can be decoded when retrieved.

Test Plan for Debian:
PASS: trigger mtcAgent to store a password secret in Barbican by
      system host-update controller-0 bm_type=dynamic bm_ip=<bm IP>
      bm_username=root bm_password=root.
PASS: retrieve the secret with "--payload" option by
      openstack secret get <secret URL> --payload.
PASS: AIO-SX deployment and unlock.

Closes-Bug: 1975611
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I1c2fa112caa8700b1c21130aec041fd7d2a52a19
2022-05-24 14:02:26 -04:00
Jorge Saffe a6a38cf50c Horizon service not enabled-active in SM.
This commit resolves an error starting the horizon SM service on
Debian based StarlingX AIO-SX distro: after applying the current
known workarounds before bootstrap and after bootstrap, the unlock
is now passing but after the unlock the horizon SM service is
failing to go enabled-active.

The changes cover:
* Openstack-Dashboard / Horizon:
  - Files have been copied and/or relocated.
  - Symbolic links have been created.

Test Plan:
* Debian distro:
  - Fresh Install with AIO-SX.
  - Install including ansible bootstrap and controller-0 unlock
  - Horizon launches and the main GUI pages are working

Story: 2009965
Task: 45312
Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
Change-Id: Iefc4b53dcca70debe223493c64abd2f4a8b099bd
2022-05-12 20:15:39 -04:00
Zuul 453fe66e2b Merge "Added patch to support ipv6 on keystone" 2022-04-13 22:02:50 +00:00
João Pedro Alexandroni Cordova de Sousa 6537beb2c4 Added patch to support ipv6 on keystone
The keystone wasn't responding to ipv6.
This patch changed the bind address to
support ipv6.

TEST PLAN for Debian

PASS: AIO-SX ipv4 bootstrap
PASS: AIO-SX ipv4 unlock
PASS: AIO-SX ipv6 bootstrap
PASS: AIO-SX ipv6 unlock

Story: 2009964
Task: 45047

Signed-off-by: João Pedro Alexandroni Cordova de Sousa <JoaoPedroAlexandroni.CordovadeSouza@windriver.com>
Change-Id: Ie68c54c07da27625ebe587f5257c64a8192a1276
2022-04-13 16:41:09 +00:00
Andy Ning 86820ad8ec Add support to keystone to store users in keyring on Debian
This update patched keystone to support storing users in keyring
under "CGCS" service.

Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, unlock
PASS: Change keystone "admin" password, observe it changes in keyring
      too.
PASS: Add a new keystone user "test" with password, add the user to
      keyring by "keyring set CGCS test". Change test's password,
      observe it changes in keyring too.
PASS: Delete the keystone user "test", observe user "test" is deleted
      from keyring.

Story: 2009965
Task: 44970
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I75ea23f87487b764370a0990ad8aba896d3a0767
2022-04-09 16:03:20 +00:00
Dan Voiculeasa bab092610c debian: Update barbican packaging
This work is part of Debian integration effort.
This will fix a bootstrap issue.

Barbican will not start unless the log directory is created and has
correct permissions.

Tests:
PASS: build-pkgs
PASS: build-image
PASS: install iso
PASS: bootstrap

Story: 2009101
Task: 44903
Signed-off-by: Dan Voiculeasa <dan.voiculeasa@windriver.com>
Change-Id: I37e84dbc564632dba574a3ba3fa417a1e219bef2
2022-03-31 20:22:27 +03:00
Zuul 9587f60ef6 Merge "Stop building panko images" 2022-03-28 22:45:40 +00:00
Andy Ning e866d329d6 Add lockout security compliance options for keystone
This change added support of two login fail lockout security
compliance options for keystone on Debian.

Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
      set correctly in /etc/keystone/keystone.conf:
      lockout_duration=1800
      lockout_failure_attempts=5

Test Plan for CentOS:
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
      set correctly in /etc/keystone/keystone.conf:
      lockout_duration=1800
      lockout_failure_attempts=5

Story: 2009101
Task: 44785
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I09a65d070f1ed8e8aa65371f99f4aa722f671a1d
2022-03-16 11:28:58 -04:00
Zuul df8ab84101 Merge "Start barbican with gunicorn during bootstrap for Debian" 2022-03-11 20:25:24 +00:00
Andy Ning bef89ec31e Start barbican with gunicorn during bootstrap for Debian
Start barbican with gunicorn during bootstrap to align with
its startup by SM after unlock. This change also enables
barbican to be managed by SM after controller unlock.

Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, barbican-api is running with gunicorn
PASS: controller unlock, barbican-api service state in SM is
      enabled-active enabled-active

Story: 2009101
Task: 44713
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: Ib2583b0585679753dc871f9ee0202253832283d9
2022-03-09 13:24:59 -05:00
zulcss 0c2f80ebe0 debian: Add missing public.py
It was unwittingly dropped in the last update, needed for unlock.

Story: 2009101
Task: 43770

Signed-off-by: Chuck Short <charles.short@windriver.com>
Change-Id: I4fb815f722ad5b85c553612b34f57849c9ba874d
2022-03-04 13:12:26 +00:00
Thiago Brito 84ee2a8431 Stop building panko images
With the retirement of panko started on [1], we can now remove this
image and shave some time from our image build.

[1] 0a50ff4f89

Story: 2009161
Task: 44352
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ie3a8f928610f4ae5d3656aaae93d219e0d19a399
2022-03-03 19:03:57 -03:00
Charles Short aea896eb19 debian: Cleanup Debian Keystone configuration
This patch does several things at once:
- Simplify the keystone patch that we carry by adding only the Centos
  changes that we carry. This also fixes the keystone user creation
  when the package is installed, ensuring that the keystone log
  directories are created properly when the package is installed.
- Disable keystone from starting when the package is installed.
  Under a normal situation the keystone package asks
  a series of questions to configure the package. When the ISO is
  built it uses the non-interactive package installation,
  which means debconf questions that configure
  the endpoints are not configured properly. This leaves keystone
  in a bad state when the package is installed and prevents
  the uwsgi process from starting properly. To fix this we
  override the init/systemd script installation in the debian/rules.
  However, this is not enough since the keystone.postinst.in will
  also enable the systemd keystone unit and try to start it as
  well. This patch will also disable that mechanism as well.
- Note: 0001-Rebasing-Keyring-integration.patch was dropped earlier
  because it no longer applied to Keystone. This patch needs to be
  re-worked and tracked separately in order to have the same
  functionality in Centos.

Test Plan
PASS Build and boot ISO
PASS Bootstrap

Story: 2009101
Task: 43770

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Ibf31672242be6510a0e673525094a909db22dd3a
2022-03-01 16:18:18 +00:00