config/sysinv/sysinv/sysinv/sysinv/api/controllers/v1
Steven Webster f8d30588ad Fix LDAP issue for DC subcloud
This commit fixes an LDAP authentication issue seen on worker nodes
of a subcloud after a rehoming procedure was performed.

There are two main parts:

1. Since every host of a subcloud authenticates with the system
   controller, we need to reconfigure the LDAP URI across all nodes
   of the system when the system controller network changes (upon
   rehome).  Currently, it is only being reconfigured on controller
   nodes.

2. Currently, the system uses an SNAT rule to allow worker/storage
   nodes to authenticate with the system controller when the admin
   network is in use.  This is because the admin network only exists
   between controller nodes of a distributed cloud.  The SNAT rule
   is needed to allow traffic from the (private) management network
   of the subcloud over the admin network to the system controller
   and back again.  If the admin network is _not_ being used,
   worker/storage nodes of the subcloud can authenticate with the
   system controller, but routes must be installed on the
   worker/storage nodes to facilitate this.  It becomes tricky to
   manage in certain circumstances of rehoming/network config.
   This traffic really should be treated in the same way as that
   of the admin network.

This commit addresses the above by:

1. Reconfiguring the ldap_server config across all nodes upon
   system controller network changes.

2. Generalizing the current admin network NAT implementation to
   handle the management network as well.

Test Plan:

IPv4, IPv6 distributed clouds

1. Rehome a subcloud to another system controller and back again
   (mgmt network)
2. Update the subcloud to use the admin network (mgmt -> admin)
3. Rehome the subcloud to another system controller and back again
   (admin network)
4. Update the subcloud to use the mgmt network (admin -> mgmt)

After each of the numbered steps, the following were performed:

a. Ensure the system controller could become managed, online, in-sync
b. Ensure the iptables SNAT rules were installed or updated
   appropriately on the subcloud controller nodes.
c. Log into a worker node of the subcloud and ensure sudo commands
   could be issued without LDAP timeout.
d. Log into worker node with LDAP USER X via console and verify
   login succeeds

In general, tcpdump was also used to ensure the SNAT translation was
actually happening.

Partial-Bug: #2056560

Change-Id: Ia675a4ff3a2cba93e4ef62b27dba91802811e097
Signed-off-by: Steven Webster <steven.webster@windriver.com>
2024-03-13 14:27:13 -04:00
__init__.py Add runtime reconfiguration of kubelet 2022-06-09 17:59:35 -04:00
address.py Create the admin network in sysinv / DB. 2022-12-22 02:20:22 -05:00
address_pool.py Fix LDAP issue for DC subcloud 2024-03-13 14:27:13 -04:00
base.py Fix calls in sysinv to non-existent methods and constants 2019-08-30 14:54:58 -05:00
ceph_mon.py Fill device_path in ceph_mon table of the sysinv database 2023-01-20 14:40:29 +00:00
certificate.py Update not ssl_ca certificate removal message 2023-02-16 19:52:14 +00:00
cluster.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
collection.py Fix calls in sysinv to non-existent methods and constants 2019-08-30 14:54:58 -05:00
controller_fs.py Block filesystem resizes if waiting for agent to report 2022-04-27 12:29:08 -03:00
cpu.py Remove host hardware sysinv profile 2021-10-18 18:01:40 -03:00
cpu_utils.py Add support to Power Manager Profiles config 2023-08-09 11:39:55 +00:00
datanetwork.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
device_image.py Merge sysinv_fpga_agent with sysinv_agent 2022-10-03 14:12:28 -04:00
device_image_state.py Sysinv extensions for FPGA support 2020-05-13 16:20:37 -04:00
device_label.py Allow applying device image with non-device label 2020-07-28 11:27:28 -04:00
disk.py Add ZeroMQ RPC backend 2022-11-24 13:28:01 -03:00
dns.py Forbid IPv4 DNS in an IPv6 OAM config 2020-02-06 10:27:04 -05:00
drbdconfig.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
ethernet_port.py Re-enable important py3k checks for sysinv 2021-11-10 11:08:12 -03:00
fernet_repo.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
health.py Add pod health status to kube rootca check 2023-11-17 17:19:42 -03:00
helm_charts.py Fix helm charts tests for DebianOS 2021-08-17 07:39:31 +00:00
host.py Merge "Fix links to LLDP neighbors in API responses for host and port" 2024-02-26 13:44:47 +00:00
host_fs.py Revert "Create optional filesystems on resize request" 2023-01-11 00:43:38 +00:00
hwmon_api.py move rest_api to common code 2021-03-02 15:36:03 -06:00
interface.py Adding semantic check on deletion of admin-interface 2023-12-12 16:02:11 -05:00
interface_datanetwork.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
interface_network.py Fix LDAP issue for DC subcloud 2024-03-13 14:27:13 -04:00
kernel.py Block host-unlock till kernel manifest completes 2023-10-18 14:42:50 -04:00
kube_app.py Update apps during Kubernetes upgrade 2024-02-13 15:01:54 -03:00
kube_cluster.py Config API for Kubernetes cluster access information 2021-03-01 07:29:12 -06:00
kube_cmd_version.py Add new kube_cmd_versions table and API endpoint 2021-08-04 16:31:25 +03:00
kube_config_kubelet.py Add runtime reconfiguration of kubelet 2022-06-09 17:59:35 -04:00
kube_host_upgrade.py Provide infrastructure for kubernetes upgrades 2019-11-22 15:13:52 -06:00
kube_rootca_update.py Improve kube-rootca-get-id API and error handling 2023-11-24 09:16:48 -05:00
kube_upgrade.py Update apps during Kubernetes upgrade 2024-02-13 15:01:54 -03:00
kube_version.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
label.py Revert "Add functionality for intel gpu device plugin" 2023-09-22 13:32:12 +00:00
license.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
link.py StarlingX open source release updates 2018-05-31 07:35:52 -07:00
lldp_agent.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
lldp_neighbour.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
lldp_tlv.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
load.py Merge "Load-import clean up temp folder" 2023-11-01 17:04:32 +00:00
lvg.py Allow optional use of a cgts-vg/instances-lv fs 2022-12-08 23:44:46 -06:00
memory.py Align API types with database types 2022-07-14 18:27:31 -03:00
mtce_api.py move rest_api to common code 2021-03-02 15:36:03 -06:00
network.py Fix LDAP issue for DC subcloud 2024-03-13 14:27:13 -04:00
network_oam.py System mode modify fails for duplex systems 2023-02-08 11:02:45 -03:00
node.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
ntp.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
partition.py Fix the condition to delete a stuck partition in the database 2023-11-01 12:31:55 -03:00
patch_api.py move rest_api to common code 2021-03-02 15:36:03 -06:00
pci_device.py Adjust partition sysinv data from template 2022-11-09 16:46:08 +00:00
port.py Fix links to LLDP neighbors in API responses for host and port 2024-02-22 16:05:46 -03:00
ptp.py [PTP dual NIC config] Patching PTP configuration 2022-02-10 11:51:08 -03:00
ptp_instance.py Added synce4l configuration support 2023-02-21 09:37:28 -05:00
ptp_interface.py Fix PTP parameter deletion error messages 2022-02-22 07:04:01 -05:00
ptp_parameter.py [PTP dual NIC config] Changes from new data model 2021-12-23 15:59:02 -03:00
pv.py Adjust partition sysinv data from template 2022-11-09 16:46:08 +00:00
query.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
registry_image.py Add error message to system registry-image-delete 2023-10-05 10:29:29 -03:00
remotelogging.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
restore.py Introduce CLI commands for system restore control 2020-10-09 16:54:04 +03:00
route.py Create the admin network in sysinv / DB. 2022-12-22 02:20:22 -05:00
sdn_controller.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
sensor.py Align API types with database types 2022-07-14 18:27:31 -03:00
sensorgroup.py Align API types with database types 2022-07-14 18:27:31 -03:00
service.py python3: Refactor dict for python2/python3 compat 2021-08-10 12:58:36 -04:00
service_parameter.py Check duplicate in host-record service parameter 2023-12-15 05:14:21 -05:00
servicegroup.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
servicenode.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
sm_api.py move rest_api to common code 2021-03-02 15:36:03 -06:00
state.py StarlingX open source release updates 2018-05-31 07:35:52 -07:00
storage.py Additional mechanism for unsafe force 2023-10-27 17:12:04 -03:00
storage_backend.py Expose ceph backend field over proxy endpoint 2021-05-24 11:00:19 +03:00
storage_ceph.py Clean unused ceph quota code 2022-02-15 14:12:19 -05:00
storage_ceph_external.py Allow configurable ceph storage backend network 2021-05-07 14:31:39 +03:00
storage_ceph_rook.py Allow configurable ceph storage backend network 2021-05-07 14:31:39 +03:00
storage_external.py Allow configurable ceph storage backend network 2021-05-07 14:31:39 +03:00
storage_file.py Allow configurable ceph storage backend network 2021-05-07 14:31:39 +03:00
storage_lvm.py Re-enable important py3k checks for sysinv 2021-11-10 11:08:12 -03:00
storage_tier.py Remove host hardware sysinv profile 2021-10-18 18:01:40 -03:00
system.py RPC timeout when changing the system timezone 2023-08-25 09:09:56 -03:00
types.py low latency updates host-kernel-modify 2023-07-11 11:01:12 -04:00
upgrade.py Add semantic check for Restore in progress 2024-02-02 08:35:24 -05:00
user.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
utils.py Additional mechanism for unsafe force 2023-10-27 17:12:04 -03:00
vim_api.py Additional mechanism for unsafe force 2023-10-27 17:12:04 -03:00