From 4f4cc4c84715cf86815c2706dbd6032cd86e2500 Mon Sep 17 00:00:00 2001 
From: Jagatguru Prasad Mishra
Date: Tue, 26 Dec 2023 04:42:28 -0500
Subject: [PATCH] Avoid copying symlink content to fix sanity issue

During ansible bootstrap, encryption-provider.yaml was copied to '/opt/platform/config//kubernetes' directory from '/etc/kubernetes'. After supporting luks volume, this file is moved to the luks volume and symlink is created at '/etc/kubernetes' and '/opt/platform/config//kubernetes' pointing to encryption-provider.yaml file in the luks volume.

After ansible bootstrap completes, controllerconfig service tries to copy the files from '/opt/platform/config//kubernetes' to '/etc/kubernetes'. So it tries to copy encryption-provider.yaml as well which is a symlink of a file in luks volume.

This change adds an argument '-P' to the 'cp' command which avoids copying the source content from the symlink pointing to the luks volume. This change is required as the luks volume may not be accessible while it is getting copied. The directory for which this '-P' option is applied contains only one symlink which is 'encryption-provider.yaml', so there is no negative impact.

Test Plan:
PASS: build-pkgs -c -p controllerconfig
PASS: AIO-SX bootstrap should pass and host should come to unlocked/enabled/available state
PASS: Verify if a symlink encryption-provider.yaml is copied at '/etc/kubernetes/' location after host-unlock.
PASS: Verify if the below file is accessible /var/luks/stx/luks_fs/controller/etc/kubernetes/ encryption-provider.yaml from symlink in /etc/kubernetes/
PASS: Standard setup- Verify if a symlink encryption-provider.yaml is copied at '/etc/kubernetes/' on both controllers.
PASS: Standard setup- Verify if a symlink encryption-provider.yaml is present at '/opt/platform/config//kubernetes/' on controller-1 after 'system host-swact 1'
PASS: Standard setup- lock/unlock controller-1. Check if puppet manifest is executed successfully on controller-1 after reboot. Controller should come to unlocked/enabled/available state.
PASS: Standard setup- lock/unlock controller-0. Check if puppet manifest is executed successfully on controller-0 after reboot. Controller should come to unlocked/enabled/available state.

Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/904342

Story: 2010873
Task: 49323

Change-Id: I8e064fc0e7a6fc8a0b571673fe8f6e66e4e43aee
Signed-off-by: Jagatguru Prasad Mishra
---
 controllerconfig/controllerconfig/scripts/controller_config | 6 ++++--
 .../controllerconfig/scripts/controllerconfig.service | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/controllerconfig/controllerconfig/scripts/controller_config b/controllerconfig/controllerconfig/scripts/controller_config index c92d667d65..8fc5270e2f 100755 --- a/controllerconfig/controllerconfig/scripts/controller_config +++ b/controllerconfig/controllerconfig/scripts/controller_config @@ -479,13 +479,15 @@ start() fi # Copy over kube-apiserver encryption provider config, admission control config and - # extra files referenced in admission control config + # extra files referenced in admission control config. + # Encryption provider config is a symbolic link hence using -P option to avoid + # copying the source content if [ -e $CONFIG_DIR/kubernetes/ ] then FILES=`ls $CONFIG_DIR/kubernetes/*.yaml` for FILE in $FILES do - cp $FILE /etc/kubernetes/ + cp -P $FILE /etc/kubernetes/ if [ $? -ne 0 ] then fatal_error "Unable to copy kube-apiserver config file: $FILE" diff --git a/controllerconfig/controllerconfig/scripts/controllerconfig.service b/controllerconfig/controllerconfig/scripts/controllerconfig.service index a6e42cc5f3..404180eab0 100644 --- a/controllerconfig/controllerconfig/scripts/controllerconfig.service +++ b/controllerconfig/controllerconfig/scripts/controllerconfig.service 
@@ -2,6 +2,7 @@ Description=controllerconfig service After=syslog.target network.target remote-fs.target sw-patch.service sysinv-agent.service After=network-online.target +After=luks-fs-mgr.service Before=config.service [Service]
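
Review bot: in the controller_config hunk, `cp -P $FILE /etc/kubernetes/` applies -P to every *.yaml matched in $CONFIG_DIR/kubernetes/, so any symlink that appears in that directory is recreated in /etc/kubernetes/ with whatever target it names, and nothing in the loop enforces the commit message's assumption that encryption-provider.yaml is the only link. Consider limiting -P to that one file, or checking that the link target (for example via `readlink -f`) resolves under the LUKS mount before copying. With -P, cp also succeeds on a dangling link, so the `$? -ne 0` check no longer tells you that the encryption provider config is actually readable; if that matters at this point, test the target explicitly. Separately, `$FILE` is unquoted and comes from parsing `ls` output; iterating over the glob directly and quoting "$FILE" would be safer.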
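
Review bot: in the controllerconfig.service hunk, `After=luks-fs-mgr.service` only orders the two units; it neither pulls luks-fs-mgr.service in nor keeps controllerconfig from starting when that unit fails or is absent. If the copied symlink has to resolve by the time controllerconfig runs, pair the ordering with a Wants= or Requires= on the same unit; if ordering alone is what is intended, say so in the commit message, which describes the cp change but does not mention this unit-file change or why it is needed.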