config/sysinv/sysinv/sysinv/sysinv/common
Steven Webster f8d30588ad Fix LDAP issue for DC subcloud
This commit fixes an LDAP authentication issue seen on worker nodes
of a subcloud after a rehoming procedure was performed.

There are two main parts:

1. Since every host of a subcloud authenticates with the system
   controller, we need to reconfigure the LDAP URI across all nodes
   of the system when the system controller network changes (upon
   rehome).  Currently, it is only being reconfigured on controller
   nodes.

2. Currently, the system uses an SNAT rule to allow worker/storage
   nodes to authenticate with the system controller when the admin
   network is in use.  This is because the admin network only exists
   between controller nodes of a distributed cloud.  The SNAT rule
   is needed to allow traffic from the (private) management network
   of the subcloud over the admin network to the system controller
   and back again.  If the admin network is _not_ being used,
   worker/storage nodes of the subcloud can authenticate with the
   system controller, but routes must be installed on the
   worker/storage nodes to facilitate this.  It becomes tricky to
   manage in certain circumstances of rehoming/network config.
   This traffic really should be treated in the same way as that
   of the admin network.

This commit addresses the above by:

1. Reconfiguring the ldap_server config across all nodes upon
   system controller network changes.

2. Generalizing the current admin network nat implementation to
   handle the management network as well.

Test Plan:

IPv4, IPv6 distributed clouds

1. Rehome a subcloud to another system controller and back again
   (mgmt network)
2. Update the subcloud to use the admin network (mgmt -> admin)
3. Rehome the subcloud to another system controller and back again
   (admin network)
4. Update the subcloud to use the mgmt network (admin -> mgmt)

After each of the numbered steps, the following were performed:

a. Ensure the system controller could become managed, online, in-sync
b. Ensure the iptables SNAT rules were installed or updated
   appropriately on the subcloud controller nodes.
c. Log into a worker node of the subcloud and ensure sudo commands
   could be issued without LDAP timeout.
d. Log into worker node with LDAP USER X via console and verify
   login succeeds

In general, tcpdump was also used to ensure the SNAT translation was
actually happening.

Partial-Bug: #2056560

Change-Id: Ia675a4ff3a2cba93e4ef62b27dba91802811e097
Signed-off-by: Steven Webster <steven.webster@windriver.com>
2024-03-13 14:27:13 -04:00
__init__.py StarlingX open source release updates 2018-05-31 07:35:52 -07:00
app_metadata.py Update apps during Kubernetes upgrade 2024-02-13 15:01:54 -03:00
barbican_config.py Move bootstrap endpoint reconfig from puppet to sysinv 2024-02-27 13:56:31 -03:00
ceph.py Additional mechanism for unsafe force 2023-10-27 17:12:04 -03:00
config.py Deprecate sysinv.openstack.common.db in favor of oslo_db 2020-02-07 11:55:49 -06:00
configp.py StarlingX open source release updates 2018-05-31 07:35:52 -07:00
constants.py Merge "Remove support for ignoring k8s isolated CPUs in sysinv" 2024-02-27 20:47:11 +00:00
context.py Replace openstack/context library by oslo_context 2023-02-24 16:17:30 -03:00
dc_api.py Update license file with a detailed open source license 2022-06-02 12:08:16 -04:00
device.py Added the support of ACC200 device 2022-11-17 15:32:52 +00:00
disk_utils.py Replace parted and sgdisk with sfdisk in sysinv 2022-12-05 21:37:41 +00:00
etcd.py Backup control-plane during k8s network upgrade 2023-05-05 23:00:44 +00:00
exception.py Create kube_app_bundle table 2024-01-08 16:53:40 -03:00
extension_manager.py Deprecate sysinv.openstack.common.log 2019-11-05 15:29:20 -06:00
fernet.py Unsupported 'message' Exception attribute in PY3 2021-06-23 12:47:23 -04:00
fm.py Only use required fault management endpoint 2022-12-09 18:52:56 +00:00
fpga_constants.py Merge sysinv_fpga_agent with sysinv_agent 2022-10-03 14:12:28 -04:00
health.py Upgrade health check for Platform Issuer 2024-02-27 16:05:22 -04:00
image_service.py Deprecate the sysinv.openstack.common utils files 2019-12-04 10:58:39 -06:00
images.py Deprecate the sysinv.openstack.common utils files 2019-12-04 10:58:39 -06:00
inotify.py Introduce support for multiple application bundles 2024-01-15 17:49:29 -03:00
interface.py Fix mention of python-k8sapp-openstack in sysinv 2023-03-08 09:45:24 -03:00
kubernetes.py Kubernetes periodic audit for cluster health 2024-02-21 01:56:21 -05:00
openstack_config_endpoints.py Move bootstrap endpoint reconfig from puppet to sysinv 2024-02-27 13:56:31 -03:00
paths.py StarlingX open source release updates 2018-05-31 07:35:52 -07:00
platform_firewall.py Correct typo for PTP's UDP ports in the OAM firewall 2023-10-12 10:01:24 -03:00
policy.py Deprecate old policy engine and restrict access 2022-08-10 11:18:38 -03:00
rest_api.py Initial implementation of IPsec Auth Server 2024-01-30 14:31:05 -03:00
retrying.py Re-enable important py3k checks for sysinv 2021-11-10 11:08:12 -03:00
service.py Replace openstack/context library by oslo_context 2023-02-24 16:17:30 -03:00
service_parameter.py Update dns hostname validation for host-records 2024-01-05 00:03:46 -05:00
states.py Fix word and statement errors in comments 2018-11-14 10:04:51 +08:00
storage_backend_conf.py Preserve ceph monitor order for overrides 2022-11-01 16:17:09 +02:00
utils.py Fix LDAP issue for DC subcloud 2024-03-13 14:27:13 -04:00
wsgi_service.py Use FQDN for MGMT network 2023-10-31 20:45:40 -04:00