Commit Graph

33 Commits

Author SHA1 Message Date
Scott Little e80813bb81 Relocated some packages to repo 'config-files'
List of relocated subdirectories:

base/centos-release-config
base/dhcp-config
base/dnsmasq-config
base/haproxy-config
base/initscripts-config
base/lighttpd-config
base/net-snmp-config
base/openssh-config
base/setup-config
base/systemd-config
config-files/audit-config
config-files/docker-config
config-files/io-scheduler
config-files/iptables-config
config-files/memcached-custom
config-files/ntp-config
config-files/pam-config
config-files/rsync-config
config-files/shadow-utils-config
config-files/sudo-config
config-files/syslog-ng-config
config-files/util-linux-config
filesystem/filesystem-scripts
filesystem/iscsi-initiator-utils-config
filesystem/nfs-utils-config
ldap/openldap-config
logging/logrotate-config
networking/mellanox/mlx4-config
networking/openvswitch-config

Story: 2006166
Task: 35687
Depends-On: I665dc7fabbfffc798ad57843eb74dca16e7647a3
Change-Id: I3dc0fc9f88931c5e0963d00274408ff7a16fae3a
Signed-off-by: Scott Little <scott.little@windriver.com>
Depends-On: I761b0f76150881c765b70b2ccd255244c754bd5d
2019-09-05 20:32:09 -04:00
Andy Ning 5ec956fff5 dcdbsync for containerized openstack services - logging
This updates syslog-ng configuration for logging of openstack dcdbsync
instance.

Story: 2004766
Task: 36097
Change-Id: If72df22b9200445f95a6894df73fad1cfffa7944
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2019-08-07 13:39:29 -04:00
zhipengl 20d9a7a754 Fix System account doesn't block after invalid login attempts
Need to install openssh before installing the pam-config package, as the
pam-config package will change the ssh-related pam config file.

Verified below issue!
When attempting to log in with an invalid password 5 times using
ssh, the user account is not locked out.

Closes-Bug: #1814345

Change-Id: I4d973dac88dba3133cfcc92a96fba7918d674e79
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-07-24 02:21:04 +00:00
Don Penney 13ecf0f821 Update log file permissions to 640 for specific log files
Log files that may contain secure information should have
restricted permissions. This includes all -api log files,
as well as log files in which the operator login and
authentication attempts are logged.

Change-Id: I56ef476609d65991529ba0a6311ebd29a7710386
Closes-Bug: 1836632
Signed-off-by: Don Penney <don.penney@windriver.com>
2019-07-17 18:15:01 -04:00
zhipengl 202ad050a8 Fix System account doesn't block after invalid login attempts
Move ssh.pam from openssh-config to pam-config

Verified below issue!
When attempting to log in with an invalid password 5 times using
ssh, the user account is not locked out.
/etc/pam.d/sshd is expected in controller node as well.

Closes-Bug: #1814345

Change-Id: I8fae8782cbd491c6efe8631f04c2728a531bc4ca
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-07-09 02:40:01 +00:00
Saul Wold 83c6575d51 integ: Convert wrsroot -> sysadmin
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-06-14 15:09:09 -07:00
Kristine Bujold 7e56b74ee8 Add /var/log/armada/ to logrotate
This commit adds /var/log/armada, which stores application related
logs generated by Armada service, to logrotate.

Story: 2003908
Task: 28267
Depends-On: https://review.opendev.org/663347

Change-Id: I98c7caf85cfecf4de1f55be69a00697f9073a1a8
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
2019-06-06 13:43:05 -04:00
Zuul dcbe61a3f0 Merge "Docker logs are not rotating" 2019-05-08 19:01:12 +00:00
Kristine Bujold 7b98e2679a Docker logs are not rotating
Add docker logs to logrotate.

Change-Id: Icd765ebdad1bad0ab53fdeafae6a447dde318c96
Closes-Bug: 1827322
Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>
2019-05-08 13:55:42 -04:00
Al Bailey 481f78f5bf Remove unused openstack references from patch-restart and syslog
Most of the openstack processes are containerized so there is no
need for them to be included in the patch restart scripts, or
the syslog configuration and log rotation files.

Story: 2004764
Task: 30668
Change-Id: Ib342fa7b594cdafa5d7c7575044ea28783daf9d0
Signed-off-by: Al Bailey <Al.Bailey@windriver.com>
2019-05-08 08:01:59 -05:00
Andy Ning 976942fb75 Keystone DB sync - update syslog-ng for logging
This commit updates syslog-ng configuration to support dcorch dbsync
service logging.

Story: 2002842
Task: 22787

Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit 38a07c1bda)

Depends-On: https://review.opendev.org/#/c/655768
Change-Id: I2db9f911d2c5ec979e32f30497d6e72337741cdc
2019-04-30 14:34:37 -04:00
Zuul 7ae7690285 Merge "Add notices to Intel authored files." 2019-03-22 07:04:27 +00:00
Erich Cordoba 6bfca507bd Add notices to Intel authored files.
Story: 2005265
Task: 30090

Change-Id: I7cc22cf39d971fbf7fa149b89a892de27b8e6b64
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-03-20 10:31:10 -06:00
Eric MacDonald c0617ebb53 Remove Resource Monitor ; aka rmon, from the load
All rmon resource monitoring has been moved to collectd.

This update removes rmon from mtce and the load.

Story: 2002823
Task: 30045

Test Plan:
PASS: Build and install a standard system.
PASS: Inspect mtce rpm list
PASS: Inspect logs
PASS: Check pmon.d

Depends-On: https://review.openstack.org/#/c/643739
Change-Id: I927862895272fdd024d281ab49e0a128465b1b3f
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2019-03-18 12:27:59 -04:00
Bin Qian 5d13b4c911 Set docker service monitored by pmond
override docker service so systemd:
1. to create/remove /var/run/dockerd.pid file at service start/stop.
2. not to restart automatically on exit or failure

deploy docker.conf for pmond to monitor docker service

Story: 2002843
Task: 29391

Change-Id: I3595d0d4f97d90e4119fc1455bcf164aebc5d6ec
Signed-off-by: Bin Qian <bin.qian@windriver.com>
2019-02-19 11:33:00 -05:00
Eric MacDonald e8c9676d98 Add network interface monitoring plugin to collectd
This update introduces interface monitoring for oam,
mgmt and infra networks as a collectd plugin.

The interface plugin runs and queries the new maintenance
Link Monitor daemon for Link Model and Information every
10 seconds.

The plugin then manages alarms based on the link model similar
to how rmon did in the past ; port and interface alarms.

Severity: Interface and Port levels

Alarm Level  Minor        Major              Critical
-----------  -----  ---------------------    ----------------------------
Interface     N/A   One of lag pair is Up    All Interface ports are Down
     Port     N/A   Physical Link is Down    N/A

Degrade support for interface monitoring is added to the mtce
degrade notifier. Any link down condition results in a host
degrade condition like it was in rmon.

Sample Data: represented as % of total links Up for that network interface
100 or 100% percent used - all links of interface are up.
 50 or  50% percent used - one of lag pair is Up and the other is Down
  0 or   0% percent used - all ports for that network are Down

The plugin documents all of this in its header.

This update also

1. Adds the new lmond process to syslog-ng config file.
2. Adds the new lmond process to the mtce patch script.
3. Modifies the cpu, df and memory threshold settings by -1.
   rmon thresholds were precise whereas collectd requires
   that the samples cross the thresholds, not just meet them.
   So for example, in terms of a 90% usage action the
   threshold needs to be 89.

Test Plan: (WIP but almost complete)

PASS: Verify interface plugin startup
PASS: Verify interface plugin logging
PASS: Verify interface plugin Link Status Query and response handling
PASS: Verify monitor, sample storage and grafana display
PASS: verify port and interface alarm matches what rmon produced
PASS: Verify lmon port config from manifest configured plugin
PASS: Verify lmon port config from lmon.conf
PASS: Verify single interface failure handling and recovery
PASS: Verify lagged interface failure handling and recovery
PASS: Verify link loss of lagged interface shared between mgmt and oam (hp380)
PASS: Verify network interface failure handling ; single port
PASS: Verify network interface degrade handling ; lagged interface
PEND: Verify network interface degrade handling ; vlan interface
PASS: Verify HTTP request timeout period and handling
PASS: Verify link status query failure handling - invalid uri (timeout)
PASS: Verify link status query failure handling - missing uri (timeout)
PASS: Verify link status query failure handling - status fail
PASS: Verify link status query failure handling - bad json resp

Change-Id: I2e2dfe6ddfa06a46770245540c7153d330bdf196
Story: 2002823
Task: 28635
Depends-On: https://review.openstack.org/#/c/633264
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2019-02-06 14:18:14 -05:00
Tao Liu d4fec24f6c Change compute node to worker node personality
The compute personality & subfunction has been changed to
worker, and compute_reserved.conf has been renamed to
worker_reserved.conf. Compute configuration flags have
been updated to worker flags.

This update changes misc dependencies to compute
personality, compute_reserved.conf and configuration
flag files.

It also removed puppet-nova dependencies to
compute_reserved.conf.

Tests Performed:
Non-containerized deployment
AIO-SX: Sanity and Nightly automated test suite
AIO-DX: Sanity and Nightly automated test suite
2+2 System: Sanity and Nightly automated test suite
2+2 System: Horizon Patch Orchestration

Kubernetes deployment:
AIO-SX: Create, delete, reboot and rebuild instances
2+2+2 System: worker nodes are unlock enable and no alarms

Story: 2004022
Task: 27013

Depends-On: https://review.openstack.org/#/c/624452/

Change-Id: Iccf5584058a2154f1c4ffdb061938e76b9965861
Signed-off-by: Tao Liu <tao.liu@windriver.com>
2018-12-12 15:09:04 -05:00
Sun Austin ff360aa30a update /etc/pam.d/system-auth content with system-auth.pam
LDAP sudo user is not able to log in by password.
The root cause is that the password rules in system-auth are not updated
correctly because system-auth.pam in pam-config is not
copied to /etc/pam.d/system-auth.

Copy system-auth.pam in pam-config to /etc/pam.d/system-auth to
solve this issue.

Closes-Bug: #1806977

Change-Id: Ic646e30d06bcbe8cf3bf66c903942e4240bd23bd
Signed-off-by: Sun Austin <austin.sun@intel.com>
2018-12-10 10:36:19 +08:00
Alex Kozyrev cdc60aac81 Barbican integration into logging/patching mechanisms.
- add barbican logs in syslog
- support no reboot patching for barbican processes
- get information about barbican in collect script

Change-Id: I75557a2d35d3861c2dee3d0a5a0960bebc6d0e48
Story: 2003108
Task: 27700
Depends-On: I6b0b0c90456627bebde2b834b339bc968100b6f9
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
2018-11-30 13:23:13 -05:00
zhipengl 0599e8e58e Refactor patches for setup package
Use setup-config package to package config files for setup package.
Merge all passwd, group, uidgid patches to one patch.

Deployment test and ping test between VMs pass
Config and service files check pass.

Story: 2003768
Task: 27592

Change-Id: I98da90695c8184261279b27b4ede63fd7951babf
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-30 08:41:36 +08:00
zhipengl 3406431fc5 Refactor patches for util-linux package
Use util-linux-config package to package config files for util-linux.
Remove util-linux package folder and use RPM instead of SRPM for
util-linux.

Deployment test and ping test between VMs pass
Config file check pass.

Story: 2003768
Task: 27595
Depends-on: https://review.openstack.org/#/c/618943/

Change-Id: If90ed6df4a875a576c7ac709589ac221bb0fa2e3
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-22 18:17:53 +08:00
zhipengl 2bd19e3f8f Refactor patches for pam package
Use pam-config package to package config files for pam package.
We can remove related patch of pam and use RPM instead of SRPM
for pam.

Deployment test and ping test between VMs pass
Config files check pass.

Story: 2003768
Task: 27589
Depends-on: https://review.openstack.org/#/c/617454/

Change-Id: Ib19aa8ef023c184c7dcf0e4086adb516be0d947d
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-20 18:21:35 +08:00
zhipengl 9a10fe4a2f Refactor patches for rsync package
Use rsync-config package to package rsyncd.conf file for rsync
package.
Remove rsync package folder and use RPM instead of SRPM for rsync.

Deployment test and ping test between VMs pass
Config file check pass.

Story: 2003768
Task: 27590
Depends-on: https://review.openstack.org/#/c/617447/

Change-Id: Ic5aeec585774917bb4b25c08fe1a4fa5a3e7d77c
2018-11-19 18:58:45 +08:00
Zuul 4046c2ca47 Merge "refactor iptables" 2018-11-19 01:28:36 +00:00
Zuul efd96cd34c Merge "refactor syslog-ng" 2018-11-19 01:28:20 +00:00
slin14 2b5e63bc40 refactor iptables
Package iptables-config is created for iptables customized
config file. And there is no other change for iptables, so
we could replace iptables srpm with rpm directly.

iptables-config is set to depends on iptables, so iptables
could be installed automatically.

Test:
Pass build and multi node deploy test. Confirm iptables
config file is the same as before.

Story: 2003768
Task: 27600
Depends-On: https://review.openstack.org/617170

Change-Id: I08daae6f53de43688e9edb2506398e3391589fe0
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-16 18:28:17 +08:00
slin14 be3514e25c refactor audit
Package audit-config is created to config customized config
file of audit. Since there is no other change for audit,
we could replace srpm with rpm directly.

audit-config is set to depends on audit, so audit rpm will be
installed automatically.

Test:
Pass build and multi node deploy test. Confirm syslog.conf is
the same as before in the deploy.

Story: 2003768
Task: 27602
Depends-On: https://review.openstack.org/617174

Change-Id: I6101142642dd21c35e7db1352cc8c9aa05fba923
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-12 19:51:58 +08:00
slin14 fc4a7c9d49 refactor syslog-ng
Package syslog-ng-config is created to install customized
config file of syslog-ng. Since there is no source code change
in syslog-ng, we could replace the srpm with rpm directly.

syslog-ng-config is set to depends on syslog-ng. So syslog-ng
will be installed automatically.

Test:
Pass build and basic deploy test. Confirmed the related config
file is the same as before.

Story: 2003768
Task: 27599
Depends-On: https://review.openstack.org/616720

Change-Id: I2a4e15b9ffde92aa59072d590de2b56d239e29ad
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-09 19:35:54 +08:00
slin14 644cb5ffa8 refactor ntp
Add ntp-config package to config the customized ntp.conf and ntpd.
With this change, ntp srpm is dropped and replaced by rpm.
ntp-config is configured to depend on ntp, so ntp will be included
in the ISO automatically.
ntp package will be installed on all node types, so no change to filter.

Test has been done:
build and deploy with multinode. confirm ntp.conf and ntpd is kept
the same as before.

Story: 2003768
Task: 27587

Change-Id: I795f0fd2b53c46c7302104a07c5d4cfe869d3c7b
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-07 18:32:28 +08:00
slin14 90373272b8 refactor shadow-utils
The refactor task is to eliminate patches which are related to configure
file modification. And we could replace srpm with rpm if all patches
could be eliminated, which will help save build time.
To eliminate the patch, a new config package or puppet file will be
created to do the configure file modification. Here is the general
guide for the refactor process:
https://review.openstack.org/612292

For shadow-utils, the configure file is moved to shadow-utils-config
package, so src rpm is replaced with rpm.
shadow-utils-config is configured to depend on shadow-utils, so
shadow-utils rpm will be picked automatically in ISO build.
File clear_shadow_locks and su under files folder is not used in build,
so just delete them.

This patch should have no function change from end user view.
Test has been done:
Done build and deploy test, and confirm login.defs and
clear_shadow_locks.service in the deploy node are the same as before.

Story: 2003768
Task: 27593

Change-Id: Ie62800c64aca54c39950266f8cf36e47cc1f55bd
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-02 20:58:15 +08:00
zhipengl 9c13b8b88e Move memcached changes from platform-utils
Use memcached-custom package to package service file to system
folder instead of platform-utils.
Basic deployment test pass and service file status check pass.

Story: 2004108
Task: 27517
Depends-on: https://review.openstack.org/#/c/614085/

Change-Id: Ic66f077159be2f21caa6e8e68241aae65b9f2245
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-02 01:48:23 +00:00
slin14 6a6ea416e1 remove lshell
There is a security-related issue with lshell, and it is not
maintained now. So remove it from our system to avoid
security issues.

To remove lshell:
1. Package sudo-config is created for wrs.sudo configure file
following the refactor process.
2. ldapusersetup in ldapscripts is modified to use bash only.
lshell support is removed.

ldapusersetup related patches are merged into 1 for easy
maintenance.

Test has been done:
Build and deploy test is done, also unit tests for ldap are
executed with pass, except lshell related test.

Closes-Bug: 1795451

Change-Id: Ia5de1bc94d22eb6c9bea6d9a96e92564ad848b19
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-10-30 02:22:54 +08:00
Scott Little f550b7e6c2 Relocate io-scheduler to stx-integ/config-files/io-scheduler
Move content from stx-utils into stx-integ or stx-update

Packages will be relocated to

stx-update:
    enable-dev-patch
    extras

stx-integ:
    config-files/
        io-scheduler

    filesystem/
        filesystem-scripts

    grub/
        grubby

    logging/
        logmgmt

    tools/
        collector
        monitor-tools

    tools/engtools/
        hostdata-collectors
        parsers

    utilities/
        build-info
        branding   (formerly wrs-branding)
        platform-util

Change-Id: Id6b1984eb421278610709eea54e055de5269bf18
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 12:23:51 -04:00