Upgrade MAAS to 3.5

This patchset upgrades MAAS to version 3.5 (jammy-based images).

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
This commit is contained in:
Anselme, Schubert (sa246v) 2023-04-03 09:54:18 -04:00 committed by Sergiy Markin
parent b7062cd81a
commit 4d3ec058d8
53 changed files with 1381 additions and 309 deletions

.gitignore vendored

@ -7,4 +7,5 @@ build/
.vscode/
charts/deps
charts/deps/
!charts/deps/.gitkeep


@ -16,13 +16,13 @@
- airship-maas-lint-ws
- airship-maas-chart-build-gate
- airship-maas-chart-build-latest-htk
- airship-maas-docker-build-gate-bionic
- airship-maas-docker-build-gate
- airship-maas-lint-yaml
gate:
jobs:
- airship-maas-lint-ws
- airship-maas-chart-build-gate
- airship-maas-docker-build-gate-bionic
- airship-maas-docker-build-gate
- airship-maas-lint-yaml
post:
jobs:
@ -47,14 +47,14 @@
Lints all files for trailing whitespace
run: tools/gate/playbooks/zuul-linter.yaml
timeout: 300
nodeset: airship-maas-single-node
nodeset: airship-maas-single-node-jammy
- job:
name: airship-maas-chart-build-gate
description: Build charts using pinned Helm toolkit.
run: tools/gate/playbooks/helm-linter.yaml
timeout: 600
nodeset: airship-maas-single-node
nodeset: airship-maas-single-node-jammy
vars:
HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad
@ -64,17 +64,17 @@
voting: false
run: tools/gate/playbooks/helm-linter.yaml
timeout: 600
nodeset: airship-maas-single-node
nodeset: airship-maas-single-node-jammy
vars:
HTK_COMMIT: master
- job:
name: airship-maas-docker-build-gate-bionic
timeout: 1800
name: airship-maas-docker-build-gate
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-maas-single-node
nodeset: airship-maas-single-node-jammy
files:
- '^images/.*'
- "^images/.*"
vars:
publish: false
tags:
@ -88,17 +88,17 @@
run: tools/gate/playbooks/lint-yaml.yaml
nodeset: airship-maas-single-node
irrelevant-files:
- '^charts/maas/templates/.*'
- "^charts/maas/templates/.*"
- job:
name: airship-maas-docker-publish
timeout: 1800
timeout: 3600
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-maas-single-node
nodeset: airship-maas-single-node-jammy
secrets:
- airship_maas_quay_creds
irrelevant-files:
- '^images/.*'
- "^images/.*"
vars:
publish: true
tags:
@ -142,53 +142,53 @@
git_mirror_repository: airshipit/maas
secrets:
- name: git_mirror_credentials
secret: maas-airshipit-github-secret
secret: maas-airshipit-github-secret-2023-03-23
pass-to-parent: true
- secret:
name: maas-airshipit-github-secret
name: maas-airshipit-github-secret-2023-03-23
data:
user: git
host: github.com
host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
ssh_key: !encrypted/pkcs1-oaep
- WjZJqgndvx9apoPz8nA1sJ324cYE7JyGQYjzYevbJO95t/oqcuI3lKl7MJ7CVnbYXcuVO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=
- icA8YhdGSbPCzGGmRpm4LsUIQzSXaFCapcsG9gNf7KVUfkcWApVaK9b3fylw8e50lQ5Cx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=
- GrHLGoP4HZyVFx0FUxSE1yv6PYWsAQuGJfzkG86dr60TzAT64tTaf23ZhI+lGwfJQZkMd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=
- Br6y0uCDii7X5kvCulc/kuYwm6ysaOfu3r7iWxshcPw2Up+WdltWRIa+dBcR9pDm/FNwa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=
- Ctq8uiBKJa7YVWphZu4y/M7cajpPKKIx9kc0xM8fIfkUBWG++JXFjvqVMn1wolfBCbfw5
fSqNyEazE+Vr8Gk/9iwpgD13b7O+ar7CfY/HmkjeqRQYqGDEsBzCKEksK4zjzzRBufqpC
DpulFkPSR9RoiQKuIv2C3n3afJkXgWPosdF9akluHRK5gzm7ayWkvoWEVQDkG1JaIrg6F
R/v12ADusA1RKYqbRyHR5RVV9CJqu4RImvZvXBGau6H+0zZQLCATnUZH8vEjiu/GVFlcz
Z7Zy6pGSFsxxlSqibcPwYR/CwQBOc+WDQQZ0zD1LfI+64K4t17VcxEtL0S/x07PKfKKmr
hYDQLR6Zg7uSzoloW27r3hUP1PcHjdGRF4u21EToT+7BVb2yPBfNS+W2i+NX1VQrWTGqP
lvmCz0A7bEn7PmHvPhtUwoSX2ZW0nqXdpTiDLpn1/Q+VpkCdMEMT42VeuuYTVvbxAtEaU
195LHICPH/6r6o4C57/3ouLcuTKAQr7u2Wnn/7MyPVBtFRnOtjX1t/Hil42QVaHFtbjun
ov/GEnKqdPH1S/2XfPlgIVwgjI4k2LRWRm0F2HLrXiSfZrjofCbLFuBZKK23zHaUFrI8P
QyyyET/Sdo8qpOFEpfzdFD0fH8NqU7mt5Ka/F1d2uYJmhCbRX1kpcSXqo+RFgA=
- OxJZdG9DkL9I9ecTx56HAF05I3GbGbXUUF2yDeA26uXUHJRFp8y/llfGyt2G6gUlZ6apM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=
- k83gdcIAOl0ga4oFzSFMq5KdrafmnRLbfRwaCdc0GfrKxT6MusVIY1axFnOjyKxhzANhA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=
- VUITbduRP6LvFR0Fwiam0+2V68F3mIpGSYjRCzcSpIHjecng6n+FiHKM5CG1pPQV3uOOp
bL7uRCx6cSHG8gfrjR3PD8xf1VR/K5redHosWOSXUz7+dSPhObQA/VaTi92BUMKu3rdjJ
rJhiEOPSVl+QxsJzWt+6pGHuOyLOGkOBycwjBRTG1plUA8thgoTIl2srDKP3728YjvfBq
MCK6JhwelPKLCWEeVYCeyLoF2eqEqqxSfbFiDdtqnXAF4fNUsHuVMHF9Cz+NGJ1o/EgS2
tio1Om3VEbgViPtdhNCyU9NZMEtO+5KpNoiV1rIA7Na+I5K1clztt3ax94muKJqjj+04f
Q4J2h1zR+1Lok43mEest+wjVRsfyTXf8jMHOJ9QF10Z+26UwDUKSgRP+jm+Lx8QUMKyi7
R+1g0gyQqvxgUqIt35TeRu3tgX+50TQBKX0RFIatUuiCG1FuKB6q2VmjjA5L8M+gEZwO4
fm17RWjM2EbRdFuNmPymrHSvc3gWTUe25nPbKDpovPhU0K1493QZgYLUqmlvh7RRw4eHa
GHLQTPtXMpsrl+c3A/2hpXcUvYHhmxvlFLla7p0mgmD2uNB5wRDqU88p/ub0z0jHCLO5Q
+izMoqA6r8FuVMjccHc8DEwZcsuQ3jvZk1XCxY3mAkPHiAoyxvQtxfNeRuBZw0=
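Review bot: The replacement `host_key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7nd…` on the new side is committed with no record of how it was verified, which is the one thing a reviewer of a host-key swap needs to see. Add a comment above it such as `# GitHub RSA host key after the March 2023 rotation; fingerprint checked against GitHub's published SSH key fingerprints page` so the next rotation can be audited the same way. Only the ssh-rsa key is pinned, so the mirror job's ssh client has to negotiate RSA for this entry to match; if GitHub's ed25519 key is also pinned the job stops depending on that negotiation, but whether the playbook forces a key type is not visible here. The lint-yaml job's `nodeset: airship-maas-single-node` is the only one left on the pre-jammy nodeset; if that is intentional a one-line comment would save the next reader a search.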


@ -15,13 +15,10 @@
DOCKER_REGISTRY ?= quay.io
REGION_SUFFIX ?= maas-region
IMG_COMMON_DIR ?= images
REGION_IMG_DIR ?= images/maas-region-controller
RACK_SUFFIX ?= maas-rack
RACK_IMG_DIR ?= images/maas-rack-controller
CACHE_SUFFIX ?= maas-cache
CACHE_IMG_DIR ?= images/sstream-cache
IMAGE_PREFIX ?= airshipit
IMAGE_TAG ?= untagged
IMAGE_TAG ?= latest
PROXY ?= http://proxy.foo.com:8000
NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local
USE_PROXY ?= false
@ -29,12 +26,12 @@ PUSH_IMAGE ?= false
# use this variable for image labels added in internal build process
LABEL ?= org.airshipit.build=community
COMMIT ?= $(shell git rev-parse HEAD)
IMAGE_NAME := maas-rack-controller maas-region-controller sstream-cache
IMAGE_NAME := maas-rack-controller-jammy maas-region-controller-jammy sstream-cache-jammy
BUILD_DIR := $(shell mktemp -d)
HELM := $(BUILD_DIR)/helm
SSTREAM_IMAGE := "https://images.maas.io/ephemeral-v3/stable/"
SSTREAM_RELEASE := "bionic"
UBUNTU_BASE_IMAGE ?= ubuntu:18.04
SSTREAM_RELEASE := "jammy"
UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy
USE_CACHED_IMG ?= false
DOCKER_EXTRA_ARGS ?=
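Review bot: `UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy` and `IMAGE_TAG ?= latest` both select mutable tags, so a build is not reproducible and a re-push of either tag upstream silently changes what is built or what consumers pull. Pin the base image by digest, `UBUNTU_BASE_IMAGE ?= quay.io/airshipit/ubuntu:jammy@sha256:<digest-of-the-reviewed-image>`, and refresh the digest deliberately. The file already computes `COMMIT ?= $(shell git rev-parse HEAD)`; if `latest` is needed for the gate, publishing it in addition to a commit-pinned tag rather than as the only default would keep a stable reference for rollback, though the publish job's tag list is outside this hunk.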


@ -12,10 +12,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
description: Chart to run Canonical MaaS
name: maas
version: 0.1.5
version: 0.1.6
appVersion: 3.5.3
home: https://docs.ubuntu.com/maas
sources:
- https://git.launchpad.net/maas


@ -0,0 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit
version: 2024.2.0
digest: sha256:68a561f57ba60b9f040679cd768b0abb8d5b48175f0da0977d168d31667e8635
generated: "2025-03-18T21:30:44.577523-04:00"


@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit


@ -16,7 +16,8 @@
set -ex
rm -f /var/run/rsyslogd.pid
service rsyslog restart
# error: rsyslog: Unrecognized service
rm -f /var/run/rsyslogd.pid || true
service rsyslog restart || true
maas-region dbupgrade
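Review bot: `service rsyslog restart || true` silences every failure of the restart under `set -ex`, not only the "Unrecognized service" case the new comment names, so a genuinely broken rsyslog would now go unnoticed before `maas-region dbupgrade` runs. If the intent is that rsyslog may simply be absent from the jammy image, test for that condition instead: `if command -v rsyslogd >/dev/null 2>&1; then service rsyslog restart; fi`. The `rm -f ... || true` is redundant since `rm -f` already returns 0 on a missing file. The script continues past the end of this hunk.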


@ -0,0 +1,19 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
maas config-tls enable --yes --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt


@ -0,0 +1,75 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
function clear_secret {
wget \
--server-response \
--ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--header='Content-Type: application/json' \
--header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--method=DELETE \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets/${MAAS_REGION_SECRET}
}
function post_secret {
wget \
--server-response \
--ca-certificate=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
--header='Content-Type: application/json' \
--header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
--method=POST \
--body-file=/tmp/secret.json \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/${MAAS_REGION_SECRET_NAMESPACE}/secrets \
2>&1
}
SECRET=$(cat /var/lib/maas/secret)
if [ "x$SECRET" != "x" ]; then
ENCODED_SECRET=$(echo -n $SECRET | base64 -w 0)
cat <<EOS > /tmp/secret.json
{
"apiVersion": "v1",
"kind": "Secret",
"type": "Opaque",
"metadata": {
"name": "${MAAS_REGION_SECRET}"
},
"data": {
"REGION_SECRET": "$ENCODED_SECRET"
}
}
EOS
while true; do
export result=$(post_secret)
if [ ! -z "$(echo "$result" | grep -i '201 Created')" ]; then
echo 'Secret created'
break
elif [ ! -z "$(echo "$result" | grep -i '409 Conflict')" ]; then
echo 'Secret exists, clearing before trying again'
clear_secret
else
echo 'Secret creation failed'
echo $result
fi
sleep 15
done
else
echo "Failed to get key from maas."
exit 1
fi
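Review bot: `set -ex` on the first line traces every expanded command to the pod log, which here includes `--header="Authorization: Bearer <serviceaccount token>"` from both wget calls and the base64-encoded MAAS region secret assigned by `ENCODED_SECRET=$(echo -n $SECRET | base64 -w 0)`. Change it to `set -e` (or bracket the base64 and wget lines with `set +x` / `set -x`) so the token and the shared secret never land in container logs that are routinely shipped elsewhere. `/tmp/secret.json` holds the secret in plaintext for the life of the container; `rm -f /tmp/secret.json` after the loop exits would limit that. The `while true` loop also never gives up, so a persistent non-201/non-409 response (for example 403 from missing RBAC on `secrets`) retries every 15 s until something outside the script kills the job, which should at least be stated in a comment if it is relying on the Job's deadline.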


@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900}
RETRY_TIMER=${RETRY_TIMER:-30}
function timer {
retry_wait=$1
shift
retry_wait=$1
shift
while [[ ${JOB_TIMEOUT} -gt 0 ]]
do
"$@"
rc=$?
if [ $rc -eq 0 ]
then
return $rc
else
JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait))
sleep $retry_wait
fi
done
while [[ ${JOB_TIMEOUT} -gt 0 ]]; do
"$@"
rc=$?
if [ $rc -eq 0 ]; then
return $rc
else
JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait))
sleep $retry_wait
fi
done
return 124
return 124
}
function import_resources {
check_for_download
rc=$?
check_for_download
rc=$?
if [ $rc -ne 0 ]
then
echo "Starting image import try ${import_tries}..."
maas ${ADMIN_USERNAME} boot-resources import
sleep 30
check_for_download
rc=$?
fi
if [ $rc -ne 0 ]; then
echo "Starting image import try ${import_tries}..."
maas ${ADMIN_USERNAME} boot-resources import
sleep 30
check_for_download
rc=$?
fi
return $rc
return $rc
}
function start_import {
timer "$RETRY_TIMER" import_resources
timer "$RETRY_TIMER" import_resources
}
function check_for_download {
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true';
then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO)
if [[ $synced_imgs -gt 0 ]]
then
echo 'Boot resources have completed importing'
return 0
else
echo 'Import failed!'
return 1
fi
fi
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO)
if [[ $synced_imgs -gt 0 ]]; then
echo 'Boot resources have completed importing'
return 0
else
echo 'Import failed!'
return 1
fi
fi
}
function check_then_set_single {
option="$1"
value="$2"
option="$1"
value="$2"
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"')
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"')
if [[ $cur_val != $desired_val ]]
then
echo "Setting MAAS option ${option} to ${desired_val}"
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
return $?
else
echo "MAAS option ${option} already set to ${cur_val}"
return 0
fi
if [[ $cur_val != $desired_val ]]; then
echo "Setting MAAS option ${option} to ${desired_val}"
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
return $?
else
echo "MAAS option ${option} already set to ${cur_val}"
return 0
fi
}
function check_then_set {
option=$1
value=$2
option=$1
value=$2
timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
}
# Get rack controllers reporting a healthy rackd
function get_active_rack_controllers {
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
}
function check_for_rack_sync_single {
sync_list=""
sync_list=""
rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list}
do
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
if [[ $synced_ctlr == "true" && ! -z ${selected_imgs} ]]
then
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
else
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
fi
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]
then
return 0
fi
done
rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list}; do
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
else
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
fi
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then
return 0
fi
done
return 1
return 1
}
function check_for_rack_sync {
timer "$RETRY_TIMER" check_for_rack_sync_single
timer "$RETRY_TIMER" check_for_rack_sync_single
}
function configure_proxy {
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
}
function configure_ntp {
check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
}
function configure_dns {
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS}
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS}
}
function configure_syslog {
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
}
function configure_images {
check_for_rack_sync
check_for_rack_sync
if [[ $? -eq 124 ]]
then
echo "Timed out waiting for rack controller sync."
return 1
fi
if [[ $? -eq 124 ]]; then
echo "Timed out waiting for rack controller sync."
return 1
fi
check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
}
function configure_boot_sources {
if [[ $USE_IMAGE_CACHE == 'true' ]]
then
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
fi
if [[ $USE_IMAGE_CACHE == 'true' ]]; then
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
fi
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"
then
# Need to start an import to get the availability data
maas "$ADMIN_USERNAME" boot-resources import
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
return 1
fi
fi
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then
# Need to start an import to get the availability data
maas "$ADMIN_USERNAME" boot-resources import
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
return 1
fi
fi
}
function create_extra_commissioning_script {
@ -215,21 +203,26 @@ EOF
}
function configure_extra_settings {
{{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}}
{{- else }}
: No additional MAAS config
{{- end }}
{{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}}
{{- else }}
: No additional MAAS config
{{- end }}
}
function maas_login {
KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ]
then
return 1
fi
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
return $?
KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ]; then
return 1
fi
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
maas login --insecure ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- else if .Values.conf.maas.tls.enabled }}
maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- else }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- end }}
return $?
}
timer "$RETRY_TIMER" maas_login
@ -245,10 +238,9 @@ create_extra_commissioning_script
timer "$RETRY_TIMER" configure_boot_sources
start_import
if [[ $? -eq 0 ]]
then
configure_images
if [[ $? -eq 0 ]]; then
configure_images
else
echo "Image import FAILED!"
exit 1
echo "Image import FAILED!"
exit 1
fi
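Review bot: The `--cacerts /usr/local/share/ca-certificates/maas-ca.crt` path in the new verified-TLS branch of `maas_login` does not match what the CA-import script added in this same change installs, `/usr/local/share/ca-certificates/ca.crt`; unless a separate mount provides `maas-ca.crt`, the non-insecure login will fail to find its CA. The `--insecure` branch disables server-certificate validation and then hands the admin API key to whatever answers at `${MAAS_ENDPOINT}`, so it deserves a comment stating the trade-off, e.g. `# tls.insecure: dev/test only — no certificate validation, API key exposed to an on-path attacker`. Passing `$KEY` as a command-line argument is pre-existing and unchanged here, but it remains visible in the process list for the duration of the login.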


@ -0,0 +1,23 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
sleep 15
# Import MaaS CA Certificate
cp -f /etc/maas/certificates/ca.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
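Review bot: `sleep 15` is an unexplained fixed delay; if it exists because `/etc/maas/certificates/ca.crt` may not be mounted yet when the container starts, a bounded wait on the file is both faster and honest about what it is waiting for, and `set -e` still aborts if the file never appears. The rewrite below keeps the copy and `update-ca-certificates` unchanged.
```bash
# Wait (bounded) for the CA secret mount rather than sleeping a fixed 15 s.
for _ in $(seq 1 30); do
  [ -s /etc/maas/certificates/ca.crt ] && break
  sleep 1
done
# … unchanged: cp -f ... ca.crt; update-ca-certificates …
```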


@ -18,78 +18,75 @@
set -ex
function check_boot_images {
if maas local boot-resources is-importing | grep -q 'true';
then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
if [[ $synced_imgs -gt 0 ]]
then
echo 'Boot resources have completed importing'
return 0
else
return 1
fi
fi
if maas local boot-resources is-importing | grep -q 'true'; then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
if [[ $synced_imgs -gt 0 ]]; then
echo 'Boot resources have completed importing'
return 0
else
return 1
fi
fi
}
function check_rack_controllers {
rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]]
then
echo "Found $rack_cnt rack controllers."
return 0
else
return 1
fi
rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]]; then
echo "Found $rack_cnt rack controllers."
return 0
else
return 1
fi
}
function check_admin_api {
if maas local version read;
then
echo 'Admin API is responding'
return 0
else
return 1
fi
if maas local version read; then
echo 'Admin API is responding'
return 0
else
return 1
fi
}
function establish_session {
maas login local ${MAAS_URL} ${MAAS_API_KEY}
return $?
maas login local ${MAAS_URL} ${MAAS_API_KEY}
return $?
}
# Import CA Certificate
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
update-ca-certificates
{{- end }}
establish_session
if [[ $? -ne 0 ]]
then
echo "MAAS API login FAILED!"
exit 1
if [[ $? -ne 0 ]]; then
echo "MAAS API login FAILED!"
exit 1
fi
check_boot_images
if [[ $? -eq 1 ]]
then
echo "Image import test FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Image import test FAILED!"
exit 1
fi
check_rack_controllers
if [[ $? -eq 1 ]]
then
echo "Rack controller query FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Rack controller query FAILED!"
exit 1
fi
check_admin_api
if [[ $? -eq 1 ]]
then
echo "Admin API response FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Admin API response FAILED!"
exit 1
fi
echo "MAAS Validation SUCCESS!"
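Review bot: The new `{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }} update-ca-certificates {{- end }}` block imports the CA only when `tls.insecure` is set, yet `maas login local ${MAAS_URL} ${MAAS_API_KEY}` carries no `--insecure` or `--cacerts` flag, so it is the verified (insecure=false) path that needs the CA in the system store. If `insecure` here means "self-signed CA that must be trusted" rather than "skip validation", say so in the comment, e.g. `# tls.insecure: trust the chart-provided self-signed CA`; otherwise the condition looks inverted. Separately, `set -ex` at the top traces `${MAAS_API_KEY}` into the test pod's log on every run.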


@ -0,0 +1,32 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_ingress_cert }}
spec:
secretName: {{ .Values.secrets.maas_ingress_cert }}
commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
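Review bot: This Certificate is gated on `.Values.cert_manager.create` in addition to `cert_manager.enabled`, while the internal-endpoint Certificate added in the same change is gated on `cert_manager.enabled` alone. If that asymmetry is deliberate (an operator-provided ingress certificate when `create` is false), a template comment such as `{{/* cert_manager.create=false: ingress TLS secret is pre-provisioned by the operator */}}` would record it; otherwise, with `create` false the ingress refers to a TLS secret that nothing in the chart creates.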


@ -0,0 +1,35 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_cert }}
spec:
secretName: {{ .Values.secrets.maas_cert }}
commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
{{ end }}


@ -23,6 +23,9 @@ metadata:
data:
db-init.sh: |+
{{- include "helm-toolkit.scripts.pg_db_init" . | indent 4 }}
#set maasdb owner to maas
pgsql_superuser_cmd "ALTER DATABASE $USER_DB_NAME OWNER to $USER_DB_USER;"
db-sync.sh: |+
{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bootstrap-admin-user.sh: |
@ -35,6 +38,8 @@ data:
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
export-api-key.sh: |
{{ tuple "bin/_export-api-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
export-secret-key.sh: |
{{ tuple "bin/_export-secret-key.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
register-rack-controller.sh: |
{{ tuple "bin/_register-rack-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
maas-test.sh: |
@ -49,3 +54,7 @@ data:
{{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start-syslog.sh: |
{{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.conf.maas.tls.enabled }}
enable-tls.sh: |
{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
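Review bot: `pgsql_superuser_cmd "ALTER DATABASE $USER_DB_NAME OWNER to $USER_DB_USER;"` interpolates both names as bare SQL identifiers, so a value with uppercase letters or a hyphen (legal in chart values) is case-folded or rejected by PostgreSQL. Double-quote them: `pgsql_superuser_cmd "ALTER DATABASE \"$USER_DB_NAME\" OWNER TO \"$USER_DB_USER\";"` — assuming `pgsql_superuser_cmd` from helm-toolkit passes its argument to psql unchanged, which is not visible here. A short comment on why MAAS needs to own its database (rather than merely connect to it) would help the next reader understand why this line was added.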


@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.rack_statefulset }}
{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }}
{{- $envAll := . }}
{{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
{{- $serviceAccountName := "maas-ingress-errors" }}


@ -20,8 +20,16 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: maas-region-api
annotations:
{{ toYaml .Values.network.region_api.ingress.annotations | indent 4 }}
spec:
ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
{{- if .Values.conf.maas.tls.enabled }}
tls:
- secretName: maas-region-api-tls
hosts:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
rules:
- host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
http:
@ -55,6 +63,43 @@ spec:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api
{{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }}
- path: /MAAS/api
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/images-stream
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/metadata
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
- path: /MAAS/rpc
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
{{- else if .Values.conf.maas.tls.enabled }}
- path: /
pathType: Prefix
backend:
service:
name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
port:
name: region-api-tls
{{- else }}
- path: /
pathType: Prefix
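Review bot: `- secretName: maas-region-api-tls` under the new `tls:` stanza is a literal, while the ingress Certificate added in this change writes its secret to `{{ .Values.secrets.maas_ingress_cert }}`; unless that value defaults to exactly `maas-region-api-tls`, the two drift apart as soon as someone overrides it. Use the same value here: `- secretName: {{ .Values.secrets.maas_ingress_cert }}`. Routing to the `region-api-tls` backend port also requires the ingress controller to re-encrypt to the backend, which depends on `network.region_api.ingress.annotations` (e.g. a backend-protocol annotation) that is outside this hunk, so that should be confirmed in values.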


@ -0,0 +1,79 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.tls.enabled }}
{{- $envAll := . }}
{{- $serviceAccountName := "maas-enable-tls" }}
{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: maas-enable-tls
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
initContainers:
{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: maas-enable-tls
image: {{ .Values.images.tags.enable_tls }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/enable-tls.sh
volumeMounts:
- name: maas-bin
mountPath: /tmp/enable-tls.sh
subPath: enable-tls.sh
readOnly: true
- name: maas-etc
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
- name: maas-tls
mountPath: /etc/maas/ssl
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-etc
configMap:
name: maas-etc
defaultMode: 0444
- name: maas-tls
secret:
secretName: {{ .Values.secrets.maas_cert }}
defaultMode: 0444
{{ end }}
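Review bot: The `maas-tls` volume at the bottom of this template mounts the Secret that carries `tls.key` with `defaultMode: 0444`, so the private key is readable by every uid in the job container rather than only the one `enable-tls.sh` runs as. For a read-once job `defaultMode: 0400` is sufficient when the container uid matches the volume owner; if `kubernetes_pod_security_context` sets a non-root uid, use `fsGroup` with `0440` instead. It would also help to state in a comment next to `secretName: {{ .Values.secrets.maas_cert }}` which keys the script reads (`tls.crt`/`tls.key`/`ca.crt`), since the Secret is consumed by several other pods in this change as well.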


@ -46,6 +46,15 @@ spec:
- name: region-import-resources
image: {{ .Values.images.tags.maas_region }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates
{{- end }}
env:
- name: USE_IMAGE_CACHE
value: {{ .Values.conf.cache.enabled | quote }}
@ -100,6 +109,12 @@ spec:
- /tmp/import-boot-resources.sh
{{ dict "envAll" $envAll "component" "import-resources" "container" "region-import-resources" "type" "readiness" "probeTemplate" (include "jobreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
volumeMounts:
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin
mountPath: /tmp/import-boot-resources.sh
subPath: import-boot-resources.sh
@ -125,3 +140,11 @@ spec:
configMap:
name: maas-etc
defaultMode: 0444
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
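Review bot: The `postStart` hook `sleep 15; update-ca-certificates` added to `region-import-resources` is a timing guess, not an ordering guarantee: a postStart hook runs concurrently with the container entrypoint, so if `import-boot-resources.sh` opens its first TLS connection before the hook finishes, the chart CA is not yet in the trust store and the import fails on verification (or, worse, passes only on slow nodes and fails on fast ones). Run `update-ca-certificates` from the script itself before any network call, where it is ordered and its exit status is checked, and drop the sleep. A short comment at the `insecure` condition would also prevent misreading: this branch installs the CA from `secrets.maas_cert` into the pod trust store, e.g. `# tls.insecure: trust the chart CA (private/self-signed); verification stays enabled`.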


@ -1,5 +1,5 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }}
{{- $envAll := . }}
{{- $secretName := index $envAll.Values.secrets.maas_region "name" }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: Opaque
name: {{ .Values.secrets.certificate }}
type: kubernetes/tls
data:
REGION_SECRET: |-
{{ $envAll.Values.secrets.maas_region.value | b64enc | indent 4 }}
ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }}
tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }}
tls.key: {{ .Values.conf.maas.tls.key | b64enc }}
{{ end }}
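Review bot: `type: kubernetes/tls` is not the built-in TLS Secret type; the API server only validates that `tls.crt` and `tls.key` are present for `type: kubernetes.io/tls`, and tooling that selects TLS secrets by type expects that exact string. The Secret is named from `.Values.secrets.certificate` while every consumer in this change mounts `secretName: {{ .Values.secrets.maas_cert }}`; the visible values.yaml hunk defines `maas_cert` and `maas_ingress_cert` but no `certificate`, so unless it is set elsewhere this renders a Secret with an empty name that nothing mounts — `name: {{ .Values.secrets.maas_cert }}` looks intended. Finally, `b64enc` on the empty defaults silently produces a Secret with blank `ca.crt`/`tls.crt`/`tls.key`; guard each with `required`, e.g. `tls.key: {{ required "conf.maas.tls.key must be set when tls.create is true" .Values.conf.maas.tls.key | b64enc }}`.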


@ -24,6 +24,10 @@ spec:
ports:
- name: http
port: 80
{{- if .Values.conf.maas.tls.enabled }}
- name: https
port: 443
{{- end }}
selector:
{{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
...


@ -28,6 +28,14 @@ spec:
{{ if .Values.network.region_api.node_port.enabled }}
nodePort: {{ tuple "maas_region" "nodeport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ end }}
{{- if .Values.conf.maas.tls.enabled }}
- name: region-api-tls
port: {{ tuple "maas_region" "secure" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
targetPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.region_api.node_port.enabled }}
nodePort: {{ tuple "maas_region" "nodeporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ end }}
{{- end }}
- name: region-proxy
port: {{ tuple "maas_region" "internal" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
targetPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -41,6 +49,18 @@ spec:
- name: region-syslog
port: 514
targetPort: {{ tuple "maas_region" "podport" "region_syslog" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: temporal-server
port: 5271
targetPort: 5271
- name: temporal-matching
port: 5272
targetPort: 5272
- name: temporal-history
port: 5273
targetPort: 5273
- name: temporal-worker
port: 5274
targetPort: 5274
selector:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{ if or .Values.network.region_proxy.node_port.enabled .Values.network.region_api.node_port.enabled }}
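Review bot: The four `temporal-*` ports are hard-coded (`5271`–`5274`) and exposed on the region Service unconditionally, while every other port in this Service goes through `endpoint_port_lookup` so it can be overridden and referenced from `network_policy`. If these gRPC ports are only used by the region controller's own Temporal workers over localhost, they do not need to be on the Service at all; if rack controllers must reach them, model them as `maas_region` endpoints like `region_api`. Nothing in the visible change adds authentication in front of them, so at minimum add a comment naming the intended client, e.g. `# Temporal (MAAS 3.5 workflow engine) gRPC ports; intended clients: <fill in>`, so the exposure is a documented decision.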


@ -71,6 +71,15 @@ spec:
image: {{ .Values.images.tags.maas_rack }}
imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates
{{- end }}
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: MAAS_ENDPOINT
@ -97,7 +106,6 @@ spec:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }}
- mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup
readOnly: true
{{- end }}
- mountPath: /run
name: pod-run
@ -113,6 +121,12 @@ spec:
mountPath: /usr/sbin/ntpd
subPath: ntpd.sh
readOnly: true
{{- end }}
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin
mountPath: /tmp/start.sh
@ -185,6 +199,14 @@ spec:
configMap:
name: maas-etc
defaultMode: 0444
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
{{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }}
volumeClaimTemplates:
- metadata:
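Review bot: This hunk drops `readOnly: true` from the `/sys/fs/cgroup` host mount (the `-97,7 +106,6` header shows exactly one removed line and that is the only candidate), so the rack container, which values.yaml already gives `SYS_ADMIN` and `runAsUser: 0`, can now write to the host's cgroup hierarchy. If this is required for systemd inside the container on cgroup v2 (jammy), record that where the mount is declared, e.g. `# writable: systemd in the container must manage its own cgroup subtree on cgroup v2`, otherwise the next reviewer will reasonably put the read-only flag back. The `sleep 15; update-ca-certificates` postStart hook has the same race as in the other pods: it is not ordered before `start.sh`, so the rack may contact `MAAS_ENDPOINT` over TLS before the CA is installed; do it in the script instead.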


@ -17,9 +17,53 @@
{{- $serviceAccountName := "maas-region" }}
{{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
{{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
{{ tuple $envAll "region_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export
namespace: {{ $envAll.Release.Namespace }}
rules:
- apiGroups:
- ""
- extensions
- batch
- apps
verbs:
- get
- list
resources:
- services
- endpoints
- jobs
- pods
- apiGroups:
- ""
verbs:
- get
- create
- update
- delete
resources:
- secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}-export
namespace: {{ $envAll.Release.Namespace }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}-export
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
@ -94,12 +138,29 @@ spec:
image: {{ .Values.images.tags.maas_region }}
imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- sleep 15; update-ca-certificates; /tmp/export-secret-key.sh
{{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: MAAS_REGION_SECRET_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MAAS_REGION_SECRET
value: {{ .Values.secrets.maas_region.name }}
ports:
- name: region-api
containerPort: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.conf.maas.tls.enabled }}
- name: region-api-tls
containerPort: {{ tuple "maas_region" "podporttls" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
- name: region-proxy
containerPort: {{ tuple "maas_region" "podport" "region_proxy" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
@ -111,7 +172,6 @@ spec:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_region }}
- mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup
readOnly: true
{{- end }}
- mountPath: /run
name: pod-run
@ -119,9 +179,15 @@ spec:
name: pod-run-lock
- mountPath: /tmp
name: pod-tmp
- name: maas-region-secret
mountPath: /var/lib/maas/secret
subPath: REGION_SECRET
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin
mountPath: /tmp/export-secret-key.sh
subPath: export-secret-key.sh
readOnly: true
- name: maas-etc
mountPath: /etc/bind/named.conf.options
@ -200,9 +266,14 @@ spec:
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-region-secret
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_region.name }}
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
{{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }}
{{- if .Values.manifests.maas_syslog }}
volumeClaimTemplates:
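Review bot: The new `-export` Role grants `get`/`create`/`update`/`delete` on every Secret in the release namespace to the `maas-region` ServiceAccount, although the only Secret the postStart `export-secret-key.sh` plausibly needs (given `MAAS_REGION_SECRET`) is `.Values.secrets.maas_region.name`. That namespace also holds the TLS key (`secrets.maas_cert`) and the admin credential (`secrets.admin`), so a compromise of the region pod — root with `SYS_ADMIN` per values.yaml — now reads or deletes all of them. `create` cannot be narrowed with `resourceNames`, but the other verbs can; split the rule as below. Separately, `sleep 15` before `/tmp/export-secret-key.sh` races regiond's generation of `/var/lib/maas/secret`; the script should poll for the file rather than rely on a fixed delay.
```yaml
rules:
  # … unchanged: get/list on services, endpoints, jobs, pods …
  - apiGroups:
      - ""
    verbs:
      - create
    resources:
      - secrets
  - apiGroups:
      - ""
    verbs:
      - get
      - update
      - delete
    resources:
      - secrets
    resourceNames:
      - {{ .Values.secrets.maas_region.name }}
```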


@ -38,7 +38,11 @@ spec:
- name: maas-api-test
env:
- name: 'MAAS_URL'
value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- if empty .Values.conf.maas.url.maas_url }}
value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- else }}
value: {{ .Values.conf.maas.url.maas_url }}
{{- end }}
- name: 'MAAS_API_KEY'
valueFrom:
secretKeyRef:
@ -50,6 +54,12 @@ spec:
{{ dict "envAll" $envAll "application" "api_test" "container" "maas_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command: ["/tmp/maas-test.sh"]
volumeMounts:
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
- name: maas-bin
mountPath: /tmp/maas-test.sh
subPath: maas-test.sh
@ -59,5 +69,13 @@ spec:
configMap:
name: maas-bin
defaultMode: 0555
{{- if (and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.insecure) }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: ca.crt
{{ end }}
...
{{- end }}
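Review bot: The `maas_url` branch writes the value unquoted (`value: {{ .Values.conf.maas.url.maas_url }}`) while the lookup branch is piped through `quote`; a URL containing `: ` or a stray YAML indicator would break the render, and the two branches should at least agree. Use `value: {{ .Values.conf.maas.url.maas_url | quote }}`. `conf.maas.url` is not in the visible values.yaml hunk; if it has no default there, the `empty` test fails with a nil-pointer error during templating rather than falling back, so confirm the key exists.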


@ -17,6 +17,7 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
dependencies:
static:
maas_ingress: {}
@ -29,6 +30,7 @@ dependencies:
endpoint: monitor
jobs:
- maas-export-api-key
- maas-export-secret-key
region_controller:
jobs:
- maas-db-sync
@ -74,6 +76,12 @@ dependencies:
endpoint: internal
- service: maas_ingress
endpoint: monitor
enable_tls:
jobs:
- maas-bootstrap-admin-user
services:
- service: maas_region
endpoint: internal
network_policy:
maas:
@ -96,18 +104,19 @@ manifests:
images:
tags:
db_init: docker.io/postgres:9.5
db_init: docker.io/library/postgres:14.5
db_sync: quay.io/airshipit/maas-region-controller:latest
maas_rack: quay.io/airshipit/maas-rack-controller:latest
maas_region: quay.io/airshipit/maas-region-controller:latest
bootstrap: quay.io/airshipit/maas-region-controller:latest
export_api_key: quay.io/airshipit/maas-region-controller:latest
maas_cache: quay.io/airshipit/sstream-cache:latest
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
maas_syslog: quay.io/airshipit/maas-region-controller:latest
enable_tls: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent
local_registry:
# TODO(portdirect): this chart does not yet support local image cacheing
@ -119,7 +128,7 @@ jobs:
import_boot_resources:
try_limit: 1
retry_timer: 10
#default timeout: 15 minutes
# default timeout: 15 minutes
timeout: 900
labels:
@ -222,12 +231,12 @@ conf:
logfile: nodeboot.log
logrotate:
# How many rotated logs to keep
rotate: '30'
rotate: "30"
# Size threshold when a log should rotate
size: '100M'
size: "100M"
# levels (emerg,alert,crit,error,warning,notice,info,debug)
# use 'info' as default when overwritting the default
log_level: 'info'
log_level: "info"
maas:
override:
append:
@ -262,9 +271,9 @@ conf:
# An external proxy server to use
proxy_server: null
images:
default_os: 'ubuntu'
default_image: 'bionic'
default_kernel: 'ga-18.04'
default_os: "ubuntu"
default_image: "focal"
default_kernel: "ga-20.04"
credentials:
secret:
namespace: maas
@ -292,8 +301,15 @@ conf:
# enlist_commissioning: if true, directly go into commissioning during enlistment
enlist_commissioning: false
# system user for console login/recovery in early phases of deployment
system_user: 'root'
system_passwd: 'password'
system_user: "root"
system_passwd: "password"
tls:
enabled: false
create: false
insecure: false # set to true to allow self-signed certs
ca: ""
cert: ""
key: ""
drivers: null
#### If you populates drivers, it will replace the 3rd party driver
#### info that comes with MaaS. see structure below if it is needed
@ -339,8 +355,9 @@ secrets:
admin: maas-admin
maas_region:
name: maas-region-secret
value: 3858f62230ac3c915f300c664312c63f
ssh_key: ssh-private-key
maas_cert: maas-region-api-tls
maas_ingress_cert: maas-region-api-ingress-tls
pod:
mandatory_access_control:
@ -389,19 +406,19 @@ pod:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_MODULE'
- "NET_ADMIN"
- "SYS_MODULE"
runAsUser: 0
maas_ingress_vip:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- "NET_ADMIN"
maas_ingress:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_BIND_SERVICE'
- "NET_BIND_SERVICE"
ingress_errors:
pod:
runAsUser: 65534
@ -455,12 +472,12 @@ pod:
readOnlyRootFilesystem: false
capabilities:
add:
- 'DAC_READ_SEARCH'
- 'NET_ADMIN'
- 'SYS_ADMIN'
- 'SYS_PTRACE'
- 'SYS_RESOURCE'
- 'SYS_TIME'
- "DAC_READ_SEARCH"
- "NET_ADMIN"
- "SYS_ADMIN"
- "SYS_PTRACE"
- "SYS_RESOURCE"
- "SYS_TIME"
region:
pod:
runAsUser: 0
@ -471,12 +488,12 @@ pod:
readOnlyRootFilesystem: false
capabilities:
add:
- 'SYS_ADMIN'
- 'NET_ADMIN'
- 'SYS_PTRACE'
- 'SYS_TIME'
- 'SYS_RESOURCE'
- 'DAC_READ_SEARCH'
- "SYS_ADMIN"
- "NET_ADMIN"
- "SYS_PTRACE"
- "SYS_TIME"
- "SYS_RESOURCE"
- "DAC_READ_SEARCH"
api_test:
pod:
runAsUser: 0
@ -659,7 +676,6 @@ endpoints:
syslog:
public: 514
podport: 514
maas_db:
auth:
admin:
@ -690,12 +706,15 @@ endpoints:
path:
default: /MAAS
scheme:
default: 'http'
default: "http"
port:
region_api:
default: 80
secure: 443
nodeport: 31900
nodeporttls: 31901
podport: 5240
podporttls: 5443
public: 80
region_proxy:
default: 8000
@ -722,3 +741,10 @@ endpoints:
default: http
host_fqdn_override:
default: null
cert_manager:
enabled: false
create: false
issuer:
kind: ClusterIssuer
name: ca-issuer
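Review bot: The comment on `insecure` (`# set to true to allow self-signed certs`) describes a different behaviour than the templates implement: when it is true they mount `ca.crt` from `secrets.maas_cert` into `/usr/local/share/ca-certificates` and run `update-ca-certificates`, i.e. they trust the chart's CA; nothing in this change disables certificate verification. Re-comment it so operators do not think verification is off, e.g. `insecure: false  # true: install ca.crt from secrets.maas_cert into the pod trust store (private/self-signed CAs)`. `dep_check` moves to `quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal`, a floating tag; the other `latest` tags are pre-existing, but for the init container that gates every pod a pinned tag or digest is the cheaper supply-chain control. `conf.maas.tls.key: ""` also invites placing a private key in a committed values file; a comment pointing to `create: false` with a pre-provisioned `secrets.maas_cert` as the preferred path would help.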


@ -0,0 +1,27 @@
diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
index 752ae66..e8f1632 100644
--- a/src/provisioningserver/drivers/power/ipmi.py
+++ b/src/provisioningserver/drivers/power/ipmi.py
@@ -155,6 +155,13 @@ IPMI_ERRORS = {
),
"exception": PowerConnError,
},
+ "BMC error": {
+ "message": (
+ "Device not responding correctly while performing power action."
+ " MAAS performed several retries. Please wait and try again."
+ ),
+ "exception": PowerConnError,
+ },
"could not find inband device": {
"message": (
"An inband device could not be found."
@@ -321,7 +328,7 @@ class IPMIPowerDriver(PowerDriver):
),
]
ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"):


@ -0,0 +1,13 @@
diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
index 6124f68..fb1fa0b 100644
--- a/src/provisioningserver/utils/network.py
+++ b/src/provisioningserver/utils/network.py
@@ -1187,6 +1187,8 @@ def get_all_interfaces_definition(
# interfaces for guests. By themselves, they're not useful for MAAS to
# manage.
"tunnel",
+ # Always exclude non-specific ethernet interfaces.
+ "ethernet",
]
if not running_in_container():
# When not running in a container, we should be able to identify


@ -0,0 +1,12 @@
diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
index e46d930..dbe17a3 100644
--- a/src/provisioningserver/drivers/power/redfish.py
+++ b/src/provisioningserver/drivers/power/redfish.py
@@ -175,6 +175,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
]
ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32)
def detect_missing_packages(self):
# no required packages


@ -0,0 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index d30156b..3a04ecb 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b"server", version)
self.setHeader(b"date", http.datetimeToString())
# Resource Identification


@ -0,0 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
{{if not upstream_allow_query_cache}}
allow-query-cache { trusted; };
{{endif}}
+allow-transfer { trusted; };


@ -0,0 +1,93 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
isc-dhcp-server \
jq \
libvirt-clients \
libvirt-daemon-system\
patch \
software-properties-common \
sudo \
systemd \
ca-certificates \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.5 \
&& apt-get install -y \
maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# register ourselves with the region controller
COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored
COPY 3.5_nic_filter.patch /tmp/3.5_nic_filter.patch
COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch
# Patch so maas knows that "BMC error" is retriable
COPY 3.5_ipmi_error.patch /tmp/3.5_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.5_redfish_retries.patch /tmp/3.5_redfish_retries.patch
# Patch to restrict access to zone transfers
COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.5_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.5_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.5_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.5_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# fix chronyd.pid permission
COPY scripts/override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf
# fix httpproxy.sock permission
COPY scripts/maas-http-watcher.service /etc/systemd/system/maas-http-watcher.service
COPY scripts/maas-http-watcher.path /etc/systemd/system/maas-http-watcher.path
RUN systemctl enable maas-http-watcher.service
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
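Review bot: `Defaults:maas !pam_session, !syslog` in `/etc/sudoers.d/99-maas-no-log` turns off sudo's syslog record for every privileged command the `maas` user runs; the comment says only `# quiet sudo`, but the effect is that the rack controller's root actions vanish from the journal that `journalctl-to-tty.service` streams to the container log. If the noise is the session open/close lines, `!pam_session` alone removes them; drop `!syslog`, or replace the comment with the reason the audit trail is acceptable to lose. Separately, both `apt-get install -y` steps run without `--no-install-recommends`, pulling recommended packages (notably behind `libvirt-daemon-system` and `systemd`) into the image and its CVE surface for no benefit visible here.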


@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target


@ -0,0 +1,5 @@
[Path]
PathModified=/var/run/maas/httpproxy.sock
[Install]
WantedBy=multi-user.target


@ -0,0 +1,9 @@
[Unit]
Description=MAAS HTTP server and reverse proxy server
After=network.target
[Service]
ExecStart=bash -c 'until (stat -f /var/run/maas/httpproxy.sock); do sleep 60; done; chmod o+rw /var/run/maas/httpproxy.sock'
[Install]
WantedBy=multi-user.target
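Review bot: `chmod o+rw /var/run/maas/httpproxy.sock` makes the MAAS http-proxy socket world-writable, so any uid in the container can connect to the proxy; if the consumer is a single service user, grant access by group (`chgrp <group>` plus `chmod g+rw`, or add that user to the socket owner's group) instead — the intended consumer is not visible here, so confirm which it is. `stat -f` reports filesystem statistics and only serves as an existence test by accident; `test -S /var/run/maas/httpproxy.sock` states the intent and also rejects a stale non-socket file at that path.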


@ -0,0 +1,3 @@
[Service]
ExecStartPre=-mkdir -p /var/log/chrony
ExecStartPre=-chown root /var/run/chrony


@ -0,0 +1,12 @@
[Unit]
Description=Register with MaaS Region Controller
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH
ExecStart=/usr/local/bin/register-rack-controller.sh
[Install]
WantedBy=multi-user.target


@ -0,0 +1,70 @@
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 9d032ee..b01a12a 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -129,17 +129,27 @@ class BMCConfig(metaclass=ABCMeta):
"""Returns boolean value of whether the BMC was detected."""
def add_bmc_user(self):
- """Add the specified BMC user and (re)set its password.
-
- Should set the username and password, even if it hasn't been
- changed.
- """
- # MAAS is the default user and will always be passed to the script.
- if self.username not in (None, "maas"):
- print(
- "WARNING: Unable to set a specific username or password on %s!"
- % self
- )
+ """Create/configure an IPMI user, but with several tries"""
+ attempt = 1
+ max_attempts = 5
+ backoff_amount = 30
+ exceptions_caught = []
+ while attempt <= max_attempts:
+ print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
+ try:
+ self._add_bmc_user()
+ except Exception as e:
+ exceptions_caught.append(e)
+ if (attempt + 1) > max_attempts:
+ # This is our last attempt, exiting
+ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
+ sys.exit(1)
+
+ if self.password is None:
+ time.sleep(attempt * backoff_amount)
+ else:
+ return
+ attempt += 1
def configure(self):
"""Configure the BMC for use."""
@@ -188,7 +198,7 @@ class IPMIBase(BMCConfig):
first_unused = section_name
return first_unused
- def add_bmc_user(self):
+ def _add_bmc_user(self):
if not self.username:
self.username = "maas"
user_number = self._pick_user_number(self.username)
@@ -212,7 +222,7 @@ class IPMIBase(BMCConfig):
if self._bmc_config[user_number].get(key) != value:
self._bmc_set(user_number, key, value)
except Exception:
- pass
+ raise
else:
self.password = password
# Not all user settings are available on all BMC keys, its
@@ -227,8 +237,6 @@ class IPMIBase(BMCConfig):
"Yes",
)
return
- print("ERROR: Unable to add BMC user!", file=sys.stderr)
- sys.exit(1)
def _bmc_get_config(self, section=None):
"""Fetch and cache all BMC settings."""
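Review bot: In the new `add_bmc_user`, the last-attempt branch prints `exceptions_caught` to stderr; if `_add_bmc_user` propagates a subprocess failure from `_bmc_set` (a `CalledProcessError` carries its full command line in `str()`), the key-pair that sets the password would put the plaintext BMC password into the commissioning output that MAAS stores with the node. Print `type(e).__name__` and a redacted message, or have `_add_bmc_user` re-raise a sanitized error. The retry loop also returns success when an attempt raised but `self.password` was already set by an earlier partial attempt — the `if self.password is None … else: return` runs after the `except` block whether or not this attempt failed — so a user whose later settings never applied is reported as configured; `continue` after appending the exception avoids that. `time` and `sys` are used here; confirm both are imported at module level in bmc_config.py, which is not visible in the hunk.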


@ -0,0 +1,31 @@
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
index 72a7c86..4559326 100644
--- a/src/maasserver/preseed.py
+++ b/src/maasserver/preseed.py
@@ -254,7 +254,26 @@ def compose_curtin_kernel_preseed(node):
if node.get_osystem() == "custom":
return []
+ # previous logic to retrieve kpackage parameter
kpackage = BootResource.objects.get_kpackage_for_node(node)
+
+ # determine if this node has kernel parameters applied by drydock
+ # and override kpackage if we discover the right properties
+ kernel_opt_tag = "%s_kp" % (node.hostname)
+ if kernel_opt_tag in node.tag_names():
+
+ # the tag exists, retrieve it
+ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts
+
+ # parse the string and find our package param value
+ # e.g. kernel_package=linux-image-4.15.0-34-generic
+ kparams = kernel_opts.split()
+ kdict = dict(
+ kparam.split("=", 1) for kparam in kparams if "=" in kparam
+ )
+ if "kernel_package" in kdict:
+ kpackage = kdict["kernel_package"]
+
if kpackage:
kernel_config = {"kernel": {"package": kpackage, "mapping": {}}}
return [yaml.safe_dump(kernel_config)]
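Review bot: `kpackage` is overridden with whatever follows `kernel_package=` in the node's `<hostname>_kp` tag and passed straight into the curtin `kernel.package` preseed without validation. Tags are admin-controlled, so this is an integrity rather than an exposure issue, but a typo or stray characters only surface as a failed deploy deep in curtin; a fail-fast check such as `if not re.fullmatch(r"[a-z0-9][a-z0-9.+-]*", kpackage): raise ValueError("invalid kernel_package in tag %s" % kernel_opt_tag)` (or log and fall back to the BootResource value) gives a clear error at preseed time — `re` may or may not already be imported in preseed.py. `compose_curtin_kernel_preseed` continues past the end of the hunk.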


@ -0,0 +1,13 @@
diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
index 4302d8d..f0e51c8 100644
--- a/src/maasserver/api/partitions.py
+++ b/src/maasserver/api/partitions.py
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):
device = BlockDevice.objects.get_block_device_or_404(
system_id, device_id, request.user, NodePermission.view
)
- partition_table = device.partitiontable_set.get()
+ partition_table = device.get_partitiontable()
if partition_table is None:
return []
else:


@ -0,0 +1,10 @@
18,24c18
< http_access allow maas_proxy_manager localhost
< http_access deny maas_proxy_manager
< http_access deny !Safe_ports
< http_access deny CONNECT !SSL_ports
< http_access allow localnet
< http_access allow localhost
< http_access deny all
---
> http_access allow all
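Review bot: This replaces squid's entire `http_access` policy — `deny maas_proxy_manager`, `deny !Safe_ports`, `deny CONNECT !SSL_ports` and the final `deny all` — with a single `http_access allow all`, turning the MAAS proxy into an open proxy for every client that can reach it. The chart exposes `region_proxy` on a NodePort when `network.region_proxy.node_port.enabled` is set, so the reachable population is not just the pods behind the ingress the Dockerfile comment cites. If the actual problem is that traffic arriving via ingress no longer matches `localnet`, extend `localnet` with the pod/cluster CIDRs (or the ingress controller's source address) and keep the rest of the policy; at minimum retain `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports` and `http_access deny maas_proxy_manager` ahead of the allow.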


@ -0,0 +1,24 @@
diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
index 2cbaa9d..bb83b4b 100644
--- a/src/maasserver/models/ownerdata.py
+++ b/src/maasserver/models/ownerdata.py
@@ -17,7 +17,7 @@ from django.db.models import (
from maasserver.models.cleansave import CleanSave
-DATA_KEY_RE = re.compile(r"[\w.-]+$")
+#DATA_KEY_RE = re.compile(r"[\w.-]+$")
class OwnerDataManager(Manager):
@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
if value is None:
to_remove.add(key)
else:
- if not DATA_KEY_RE.match(key):
- raise ValueError("Invalid character in key name")
+ # if not DATA_KEY_RE.match(key):
+ # raise ValueError("Invalid character in key name")
self.update_or_create(
node=node, key=key, defaults={"value": value}
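Review bot: Commenting out `DATA_KEY_RE` removes the only validation of owner-data key names supplied through the API, so keys may now contain whitespace, quotes, slashes, newlines or control characters that downstream consumers of owner data (CLI output, templates, exports) could previously assume absent. If a specific character is needed for Drydock's keys, widen the pattern to that character instead of deleting the check, e.g. `DATA_KEY_RE = re.compile(r"[\w./-]+$")` adjusted to the characters actually required. Leaving the dead, commented-out lines in a vendored patch also hides the intent from the next upgrader; a comment stating which key shapes failed would document it.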


@ -0,0 +1,17 @@
diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
index 1203e6b..5475b18 100644
--- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py
@@ -307,7 +307,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source):
"""Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source}
+ return {
+ route
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self):
"""Generate the various addresses needed for this interface."""
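Review bot: The rewritten `_get_matching_routes` compares `str(route.source.cidr)` with `str(source.cidr)`, which presumably fixes matching when two distinct objects describe the same CIDR, but it dereferences `.cidr` on both sides unconditionally; if `route.source` (or `source`) can be `None`, the old equality test simply matched nothing where the new one raises `AttributeError` in the middle of preseed generation. A guard such as `if route.source is not None and str(route.source.cidr) == str(source.cidr)` keeps the fix without the new failure mode — assuming the field is nullable, which is not visible in this hunk.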


@ -0,0 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index d30156b..3a04ecb 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b"server", version)
self.setHeader(b"date", http.datetimeToString())
# Resource Identification


@ -0,0 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
{{if not upstream_allow_query_cache}}
allow-query-cache { trusted; };
{{endif}}
+allow-transfer { trusted; };


@ -0,0 +1,93 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.5.4-16349-g.4dbbed5f4-0ubuntu1~22.04.1
RUN apt-get -qq update \
&& apt-get install -y \
avahi-daemon \
jq \
patch \
software-properties-common \
sudo \
systemd \
cron \
ca-certificates \
bind9-dnsutils \
# Don't start any optional services except for the few we need.
# (specifically, don't start avahi-daemon)
&& find /etc/systemd/system \
/lib/systemd/system \
-path '*.wants/*' \
-not -name '*journald*' \
-not -name '*systemd-tmpfiles*' \
-not -name '*systemd-user-sessions*' \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.5 \
&& apt-get install -y \
maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor
tcpdump \
&& rm -rf /var/lib/apt/lists/*
# Preserve the directory structure, permissions, and contents of /var/lib/maas
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds
COPY 3.5_route.patch /tmp/3.5_route.patch
COPY 3.5_kernel_package.patch /tmp/3.5_kernel_package.patch
# sh8121att: allow all requests via the proxy to allow it to work
# behind ingress
COPY 3.5_proxy_acl.patch /tmp/3.5_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 3.5_configure_ipmi_user.patch /tmp/3.5_configure_ipmi_user.patch
COPY 3.5_secure_headers.patch /tmp/3.5_secure_headers.patch
COPY 3.5_partitiontable_does_not_exist.patch /tmp/3.5_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols
COPY 3.5_regex_tags.patch /tmp/3.5_regex_tags.patch
# Patch to restrict access to zone transfers
COPY 3.5_transfer_trusted_only.patch /tmp/3.5_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.5_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.5_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.5_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.5_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.5_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.5_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.5_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.5_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN systemctl enable journalctl-to-tty.service
# quiet sudo for the maas user
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# fix chronyd.pid permission
COPY override.chrony.conf /etc/systemd/system/chrony.service.d/override.conf
# initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
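Review bot: The sudoers drop-in written by `RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log` is never syntax-checked, so a typo would only surface when sudo rejects the file at runtime; appending `&& visudo -cf /etc/sudoers.d/99-maas-no-log` fails the image build instead. `!syslog` also disables sudo's syslog audit entries for the maas user, which the one-line comment above it does not say; suggest `# quiet sudo for the maas user (this also suppresses sudo's syslog audit records for maas)`. `ENV DEBIAN_FRONTEND noninteractive`, `ENV container docker` and `ENV MAAS_VERSION 1:3.5.4-…` use the legacy whitespace form, while the new maas-cache Dockerfile in this same change writes `ENV DEBIAN_FRONTEND=noninteractive`; the `=` form is the documented one and should be used consistently. Finally, `FROM ${FROM}` resolves `quay.io/airshipit/ubuntu:jammy` by mutable tag only, so the careful PPA pin on `MAAS_VERSION` is undermined by an unpinned base; a `@sha256:` digest on the default `FROM` (same remark for the jammy and bionic maas-cache Dockerfiles in this change) would make the build reproducible end to end.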


@ -0,0 +1 @@
[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target
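Review bot: `Restart=always` combined with `RestartSec=0` means that if `/bin/journalctl -f` exits straight away (for example if the console tty is not usable in a given runtime — to be confirmed), the unit restarts in a tight loop until systemd's default start-rate limit marks it failed, after which container log streaming silently stops. `RestartSec=1` plus `StartLimitIntervalSec=0` under `[Unit]` would keep the streamer alive without the burst, or the reason for `0` should be stated in a comment. It is also worth a one-line comment above `ExecStart` that everything written to the journal, including anything services log at debug level, is forwarded to the container's stdout and therefore to the host's log driver, so operators know where sensitive log content ends up.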


@ -0,0 +1,3 @@
[Service]
ExecStartPre=-mkdir -p /var/log/chrony
ExecStartPre=-chown root /var/run/chrony
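Review bot: Both `ExecStartPre` lines carry the `-` prefix, so a failing `mkdir` or `chown` is ignored and chronyd starts regardless, and nothing in the override says why `/var/run/chrony` should be owned by root when chronyd presumably drops to its own service user. A comment such as `# chronyd could not write its pid file under the default ownership in this container; see the "fix chronyd.pid permission" note in the accompanying Dockerfile` would record the reason, and if the chown is actually required for start-up, dropping the `-` would make a regression visible instead of silent.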


@ -0,0 +1,49 @@
ARG FROM=quay.io/airshipit/ubuntu:jammy
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
LABEL org.opencontainers.image.url='https://airshipit.org'
LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
LABEL org.opencontainers.image.vendor='The Airship Authors'
LABEL org.opencontainers.image.licenses='Apache-2.0'
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG http_proxy
ARG https_proxy
ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=jammy
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -qq update && \
apt-get install -y --no-install-recommends \
apache2 \
file \
gpgv \
python3-certifi \
simplestreams \
ubuntu-cloudimage-keyring
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'os~(grub*|pxelinux)' --max=1 --progress
RUN sh -c 'echo "" > /etc/apache2/ports.conf'
ENV APACHE_RUN_USER=www-data
ENV APACHE_RUN_GROUP=www-data
ENV APACHE_PID_FILE=/var/run/apache2.pid
ENV APACHE_RUN_DIR=/var/run/
ENV APACHE_LOCK_DIR=/var/lock
ENV APACHE_LOG_DIR=/var/log/
ENV LANG=C
ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"]
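Review bot: The `RUN apt-get -qq update && apt-get install -y --no-install-recommends …` step leaves the downloaded package lists in the layer, whereas the region Dockerfile in this same change ends its install with `&& rm -rf /var/lib/apt/lists/*`; appending the same cleanup here keeps the two images consistent and the layer smaller. The `sstream-mirror` calls do verify the mirrored streams against `ubuntu-cloudimage-keyring.gpg`, which is the right thing for content pulled from images.maas.io, so that part needs no change. As a minor point of style, `RUN sh -c 'echo "" > /etc/apache2/ports.conf'` can be written as `RUN : > /etc/apache2/ports.conf`, which makes it clearer that the intent is to empty the file (all `Listen` directives are then supplied via `-c "Listen 8888"` in `CMD`).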


@ -1,4 +1,4 @@
ARG FROM=ubuntu:18.04
ARG FROM=public.ecr.aws/docker/library/ubuntu:bionic
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
@ -18,15 +18,16 @@ ARG no_proxy
ARG SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/
ARG SSTREAM_RELEASE=bionic
ENV DEBIAN_FRONTEND noninteractive
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get -qq update && \
apt install -y simplestreams \
apache2 \
gpgv \
ubuntu-cloudimage-keyring \
python-certifi --no-install-recommends \
file
apt-get install -y --no-install-recommends \
apache2 \
file \
gpgv \
python3-certifi \
simplestreams \
ubuntu-cloudimage-keyring
RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg ${SSTREAM_IMAGE} \
/var/www/html/maas/images/ephemeral-v3/daily 'arch=amd64' "release~${SSTREAM_RELEASE}" --max=1 --progress
@ -36,13 +37,13 @@ RUN sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg $
RUN sh -c 'echo "" > /etc/apache2/ports.conf'
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_PID_FILE /var/run/apache2.pid
ENV APACHE_RUN_DIR /var/run/
ENV APACHE_LOCK_DIR /var/lock
ENV APACHE_LOG_DIR /var/log/
ENV LANG C
ENV APACHE_RUN_USER=www-data
ENV APACHE_RUN_GROUP=www-data
ENV APACHE_PID_FILE=/var/run/apache2.pid
ENV APACHE_RUN_DIR=/var/run/
ENV APACHE_LOCK_DIR=/var/lock
ENV APACHE_LOG_DIR=/var/log/
ENV LANG=C
ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-E", "/dev/stderr","-c","ErrorLog /dev/stderr","-c","Listen 8888","-c","ServerRoot /etc/apache2","-c","DocumentRoot /var/www/html","-D","FOREGROUND"]


@ -13,6 +13,12 @@
# limitations under the License.
- hosts: primary
roles:
- bindep
- ensure-docker
- ensure-python
- ensure-pip
tasks:
- include_vars: vars.yaml
@ -40,9 +46,19 @@
debug:
var: image_tags
- name: docker install
include_role:
name: ensure-docker
- name: Install Docker python module for ansible docker login
block:
- pip:
name: docker
executable: pip3
become: True
- name: Install tox python module for ansible docker login
block:
- pip:
name: tox
executable: pip3
become: True
- name: Make images
when: not publish
@ -65,9 +81,10 @@
- name: Publish images
block:
- docker_login:
username: "{{ airship_maas_quay_creds.username }}"
password: "{{ airship_maas_quay_creds.password }}"
username: "{{ airship_armada_quay_creds.username }}"
password: "{{ airship_armada_quay_creds.password }}"
registry_url: "https://quay.io/api/v1/"
api_version: "1.43"
- make:
chdir: "{{ zuul.project.src_dir }}"