-------------------------------------------------------------------
Tue Nov 6 10:23:05 UTC 2018 - containers-bugowner@suse.de

- Commit 1e2ae73 by Maximilian Meister mmeister@suse.de
  update to k8s 1.10.x (bsc#1114645)

  this requires the config flag to be set again, as it's now used for a config manifest

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Tue Oct 16 11:11:01 UTC 2018 - containers-bugowner@suse.de

- Commit 32e80d6 by Florian Bergmann fbergmann@suse.de
  Fix bsc#1072242: Map the keyboard file into velum container.

  Map the keyboard file from the admin node into the velum container to make keyboard defined in YaST available.

  Signed-off-by: Florian Bergmann
  (cherry picked from commit fda5fa463a34d67b8e7d2686ac8790514e101e4c)

-------------------------------------------------------------------
Thu Jun 7 18:26:20 UTC 2018 - containers-builds@suse.de

- Commit b140166 by Jordi Massaguer Pla jmassaguerpla@suse.de
  We removed the mysql dir, so we need to do the same in the package

  mysql dir was removed in https://github.com/kubic-project/caasp-container-manifests/pull/189

  Fixes: bsc#1095335

  Signed-off-by: Jordi Massaguer Pla
  (cherry picked from commit a392f5c81a3ac046a19e71433cba78ccac381d8c)

-------------------------------------------------------------------
Thu Jun 7 14:46:47 UTC 2018 - containers-builds@suse.de

- Commit 901126d by Rafael Fernández López ereslibre@ereslibre.es
  Configure `innodb_log_file_size` to a 128M limit

  When a salt output is big enough, mysql will refuse to insert the offending row for being too big, with an error:

  ```
  [ERROR ] Could not store events - returner 'mysql.event_return' raised exception: (1118, 'The size of BLOB/TEXT data inserted in one transaction is greater than 10% of redo log size. Increase the redo log size using innodb_log_file_size.')
  ```

  Whatever we set as `innodb_log_file_size` will be an arbitrary number that will eventually be flooded if the cluster is big enough, or if salt is noisy enough.

  Given a cluster size, this can suddenly fail if we add more states (thus, increasing salt's output). Obviously, given the same salt states, we can also reach this limit by increasing the cluster size.

  There is not a definitive fix for this issue, all we can do for now (without a proper refactor of the way we integrate salt and velum) is to ensure that with today's salt states we can reach a certain number of nodes. As said, this can no longer be true if we add more salt states and we reach again the limit for the same cluster size.

  Fixes: bsc#1095335
  (cherry picked from commit ea9e260c7531168e467272f1ca4f29df4bd53168)

-------------------------------------------------------------------
Wed May 16 12:53:55 UTC 2018 - containers-bugowner@suse.de

- Commit d634ddf by Rafael Fernández López ereslibre@ereslibre.es
  Update manifests to match haproxy changes to work as an http proxy

  fix bsc#1071994
  (cherry picked from commit b74681d8308bf0812c885d34b697d40859e7b702)

-------------------------------------------------------------------
Tue May 15 02:57:19 UTC 2018 - containers-bugowner@suse.de

- Commit 09587b6 by Kiall Mac Innes kiall@macinnes.ie
  Add Housekeeping Job

-------------------------------------------------------------------
Wed May 9 12:17:33 UTC 2018 - containers-bugowner@suse.de

- Commit e287de6 by Rafael Fernández López ereslibre@ereslibre.es
  Run Velum's `bin/init` as an init container

  This will ensure that when the dashboard, api and event processor start, the database has been created and/or migrated at all times.

  This avoids the weird situation in which the api and event-processor can start while the dashboard was still migrating the database, causing side-effects if Rails already cached some model attributes on other processes.

  Fixes: bsc#1091843
  (cherry picked from commit 2dec06e40227abdb847e376ca0dbaf5ddfc10f69)

-------------------------------------------------------------------
Wed May 9 10:46:36 UTC 2018 - jmassaguerpla@suse.com

- Replace master.tar.gz by release-3.0.tar.gz
  release#3.0

-------------------------------------------------------------------
Wed May 9 10:32:19 UTC 2018 - containers-bugowner@suse.de

- Commit 9ce118a by Maximilian Meister mmeister@suse.de
  make VERSION stable

  release#3.0

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Mon May 7 19:55:14 UTC 2018 - containers-bugowner@suse.de

- Commit 73a51a2 by Thorsten Kukuk kukuk@thkukuk.de
  Run activate.sh from admin-node-init.service during the first boot

  fix bsc#1092593

-------------------------------------------------------------------
Mon Apr 23 08:27:12 UTC 2018 - containers-bugowner@suse.de

- Commit b34c443 by Kiall Mac Innes kiall@macinnes.ie
  salt-master and salt-api should not load each others configuration files

  Since both need different log_level settings, they need their own config files. The intent for these two files was just that - api specific, and master specific settings.

-------------------------------------------------------------------
Wed Apr 18 08:28:11 UTC 2018 - containers-bugowner@suse.de

- Commit ccbb3d7 by Rafael Fernández López ereslibre@ereslibre.es
  Add minion reconciler to the event processor.

  Feature#force-remove-nodes

-------------------------------------------------------------------
Mon Apr 16 16:58:20 UTC 2018 - containers-bugowner@suse.de

- Commit 2701ede by Thorsten Kukuk kukuk@thkukuk.de
  Fix version number of pause image for SLE15 and Factory

-------------------------------------------------------------------
Thu Apr 12 18:05:50 UTC 2018 - containers-bugowner@suse.de

- Commit dbbfa42 by Kiall Mac Innes kiall@macinnes.ie
  Pass through /etc/caasp/pillar-seeds to Velum Dashboard container

  This allows for pre-seeding any pillar values specified in the above directory.

-------------------------------------------------------------------
Fri Mar 23 11:37:36 UTC 2018 - containers-bugowner@suse.de

- Commit 5aeb3dc by Michal Jura mjura@suse.com
  Mount /etc/caasp/cpi directory to velum

-------------------------------------------------------------------
Thu Mar 22 15:53:39 UTC 2018 - containers-bugowner@suse.de

- Commit d429409 by Thorsten Kukuk kukuk@thkukuk.de
  Move /etc/issue.d/90-velum.conf to /run/issue.d/80-velum.conf (it's only valid until next reboot) and call issue-generator at the end [bsc#1047192].

-------------------------------------------------------------------
Thu Mar 22 12:03:59 UTC 2018 - containers-bugowner@suse.de

- Commit 7b30b38 by Thorsten Kukuk kukuk@thkukuk.de
  ifconfig is deprecated since years and removed from SLE15

-------------------------------------------------------------------
Thu Mar 15 17:07:22 UTC 2018 - containers-bugowner@suse.de

- Commit a90b497 by Richard Brown rbrownccb@opensuse.org
  Remove Kubic workaround, caasp-tools no longer conflicts

-------------------------------------------------------------------
Wed Mar 14 11:41:38 UTC 2018 - containers-bugowner@suse.de

- Commit 6103539 by Richard Brown rbrownccb@opensuse.org
  Change manifest __TAG__'s for Kubic also

-------------------------------------------------------------------
Mon Mar 5 16:15:03 UTC 2018 - rbrown@suse.com

- Remove Kubic workaround, caasp-tools no longer conflicts

-------------------------------------------------------------------
Tue Feb 27 14:13:46 UTC 2018 - containers-bugowner@suse.de

- Commit d02a181 by Kiall Mac Innes kiall@macinnes.ie
  Haproxy: Remove daemon config flag

-------------------------------------------------------------------
Tue Feb 27 10:31:18 UTC 2018 - containers-bugowner@suse.de

- Commit 4a6ade3 by Kiall Mac Innes kiall@macinnes.ie
  Fix three upgrade issues

  * Migrate the old HAProxy config over
  * Add the new static velum/velum-api haproxy sections
  * Generate the missing *-bundle.pem files

  Fixes bsc#1080978

-------------------------------------------------------------------
Tue Feb 27 10:22:55 UTC 2018 - containers-bugowner@suse.de

- Commit 7a8e1d1 by Flavio Castelli fcastelli@suse.com
  Make entrypoint of mariadb-user-secrets container more robust

  I've run into a timing issue that caused the root password of mariadb **not** being injected into the running container "mariadb-user-secrets" in time.

  That caused the container to enter an infinite loop consisting of trying to connect to mariadb as root without specifying a password, getting an error message, sleeping 1 second and trying again.

  This is an init container, as long as it's running kubelet won't start other containers, like openldap, velum-*, salt-*,...

  With this change the mariadb entrypoint waits until the file containing the root password exists and is not empty.

  Signed-off-by: Flavio Castelli

-------------------------------------------------------------------
Tue Feb 27 08:53:47 UTC 2018 - containers-bugowner@suse.de

- Commit da3c5cc by Kiall Mac Innes kiall@macinnes.ie
  Update missed LDAP_HOST value from 127.0.0.1 to ldap.infra.caasp.local

  I don't think this value is actually used, however, for consistency, let's set it to the correct value. We may want to check if it's used and remove if not.

-------------------------------------------------------------------
Mon Feb 26 10:52:10 UTC 2018 - containers-bugowner@suse.de

- Commit 30edb7c by Maximilian Meister mmeister@suse.de
  enable certificate validation for net-ldap

  CVE-2017-17718 requires net-ldap to validate the certificate

  therefore set a fixed resolvable name for ldap and generate the certificate for it

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Thu Feb 22 11:51:48 UTC 2018 - containers-bugowner@suse.de

- Commit 30edb7c by Maximilian Meister mmeister@suse.de
  enable certificate validation for net-ldap

  CVE-2017-17718 requires net-ldap to validate the certificate

  therefore set a fixed resolvable name for ldap and generate the certificate for it

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Fri Feb 16 14:02:33 UTC 2018 - containers-bugowner@suse.de

- Commit 51731ef by Kiall Mac Innes kiall@macinnes.ie
  Velum Dash and API both attempt to bind to the same port

  It's not possible to reliably bind to 0.0.0.0:443 for one service, and 127.0.0.1:443 for another service. As such, we'll move velum-api over to 127.0.0.1:444

-------------------------------------------------------------------
Thu Feb 15 16:33:02 UTC 2018 - containers-bugowner@suse.de

- Commit 94ec5bb by Kiall Mac Innes kiall@macinnes.ie
  Increase haproxy timeouts from 50sec, to 120sec

  Some components have a 60 second timeout for salt request timeouts, e.g. the salt-api server which is called by Velum. Increase this timeout to double their timeouts to allow the real failures to be disclosed.

  We'll likely want to rework how timeouts are handled soon across all our components.

-------------------------------------------------------------------
Mon Feb 12 15:19:58 UTC 2018 - containers-bugowner@suse.de

- Commit e8ace8f by Kiall Mac Innes kiall@macinnes.ie
  Fix a build error introduced by the previous change:

  [ 26s] caasp-container-manifests-3.0.0+git_r240_60aff03-1.1.noarch.rpm: directories not owned by a package:
  [ 26s] - /etc/caasp

-------------------------------------------------------------------
Mon Feb 12 15:09:49 UTC 2018 - containers-bugowner@suse.de

- Commit d707d7d by Kiall Mac Innes kiall@macinnes.ie
  Move haproxy config to /etc/caasp/haproxy

  This avoids a conflict between the caasp-container-manifests package, and the haproxy package.

-------------------------------------------------------------------
Thu Feb 8 13:30:47 UTC 2018 - containers-bugowner@suse.de

- Commit d18485c by Kiall Mac Innes kiall@macinnes.ie
  Sync haproxy manifest with salt repo

  The haproxy manifest is duplicated between the salt and c-c-m repo, sync the recent changes from the salt repo over here to keep everything lined up.

  Syncs 25c660fd92150fbf8b1a7213282d2f9ead9a67e6 from the salt repo.

-------------------------------------------------------------------
Wed Feb 7 17:40:09 UTC 2018 - containers-bugowner@suse.de

- Commit 96952e7 by Richard Brown rbrownccb@opensuse.org
  Use base_image name as 'kubic-' for kubic images

-------------------------------------------------------------------
Tue Feb 6 15:40:01 UTC 2018 - containers-bugowner@suse.de

- Commit a52dec4 by Joachim Gleissner jgleissner@suse.com
  Add mount for public cloud pillar

-------------------------------------------------------------------
Tue Feb 6 10:20:06 UTC 2018 - containers-bugowner@suse.de

- Commit db81118 by Jordi Massaguer Pla jmassaguerpla@suse.de
  [packaging] replace sles12/pause image by tumbleweed/pause image for kubic

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Mon Feb 5 16:58:54 UTC 2018 - containers-bugowner@suse.de

- Commit 682c2a1 by Jordi Massaguer Pla jmassaguerpla@suse.de
  Fix a conflict in Factory

  caasp-tools provides the activate.sh script when building in Factory

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Mon Feb 5 16:51:51 UTC 2018 - containers-bugowner@suse.de

- Commit 8f06135 by Jordi Massaguer Pla jmassaguerpla@suse.de
  [packaging] Use pipe instead of per-cent in the sed expression

  as per-cent is reserved for rpm macros

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Thu Feb 1 12:06:44 UTC 2018 - containers-bugowner@suse.de

- Commit cba5612 by Jordi Massaguer Pla jmassaguerpla@suse.de
  Add kubic images

  If this package is built in tumbleweed, the images should be named tumbleweed and not sle12. When this builds on sle15, the images should be named sle15.

  We cannot use the same name for the different suse versions as if these images were in a registry, they should be named different.

-------------------------------------------------------------------
Fri Jan 19 13:39:55 UTC 2018 - containers-bugowner@suse.de

- Commit a185168 by Federico Ceratto federico.ceratto@suse.de
  Disable swap

  bsc#1075001

-------------------------------------------------------------------
Mon Jan 15 13:39:42 UTC 2018 - containers-bugowner@suse.de

- Commit a0d7831 by Rafael Fernández López ereslibre@ereslibre.es
  Fix version to 3.0.0+dev

-------------------------------------------------------------------
Mon Dec 18 15:44:36 UTC 2017 - containers-bugowner@suse.de

- Commit 793b753 by Rafael Fernández López ereslibre@ereslibre.es
  Do not use FileOrCreate resource type.

  The init container for the secrets will create this file.

-------------------------------------------------------------------
Fri Dec 1 15:29:32 UTC 2017 - containers-bugowner@suse.de

- Commit 735919a by Kiall Mac Innes kiall@macinnes.ie
  Move manifests into a subdirectory

  This allows us to remove the public.yaml / private.yaml hardcodes, which in turn allows us to split the public / private pods into more specific pods matching the typical patterns used to deploy workloads in K8S.

-------------------------------------------------------------------
Wed Nov 29 09:47:37 UTC 2017 - containers-bugowner@suse.de

- Commit 3248cf2 by Rafael Fernández López ereslibre@ereslibre.es
  Reuse `$DIR` when setting the prefix for the private folder

  Move constant functions to global vars.

-------------------------------------------------------------------
Mon Nov 27 15:44:27 UTC 2017 - containers-bugowner@suse.de

- Commit 492a8c5 by Rafael Fernández López ereslibre@ereslibre.es
  Add `%dir` directive for `/etc/haproxy`, so this RPM knows it tracks this directory

-------------------------------------------------------------------
Mon Nov 27 15:24:14 UTC 2017 - containers-bugowner@suse.de

- Commit 65a58c6 by Rafael Fernández López ereslibre@ereslibre.es
  Fix haproxy.cfg location on the RPM spec

-------------------------------------------------------------------
Mon Nov 27 14:18:22 UTC 2017 - containers-bugowner@suse.de

- Commit 9f73951 by Rafael Fernández López ereslibre@ereslibre.es
  Use HAProxy from the beginning for Velum too.

  This will help us with SSL termination on HAProxy side.

-------------------------------------------------------------------
Tue Nov 21 09:26:11 UTC 2017 - containers-bugowner@suse.de

- Commit c1a0716 by Rafael Fernández López ereslibre@ereslibre.es
  Generate username and password for the Velum internal API

  Also, mount the CA certificate in the salt-master container, as it is required for the Velum pillar to perform SSL/TLS requests.

  Fixes: bsc#1069145

-------------------------------------------------------------------
Mon Nov 6 12:42:06 UTC 2017 - containers-bugowner@suse.de

- Commit e42f910 by Rafael Fernández López ereslibre@ereslibre.es
  Follow prefix patterns for returner credentials too, as has been introduced in 17a0d8d8ac58ee8cb6d79849219b5631a60afa1e

  Fixes: bsc#1062248

-------------------------------------------------------------------
Fri Nov 3 11:19:55 UTC 2017 - containers-bugowner@suse.de

- Commit 682830d by Rafael Fernández López ereslibre@ereslibre.es
  Move init containers from annotations to their own section.

  Also, make indentation style unique throughout the manifests.

  Fixes: #114

-------------------------------------------------------------------
Tue Oct 10 12:25:28 UTC 2017 - containers-bugowner@suse.de

- Commit a778319 by Maximilian Meister mmeister@suse.de
  wait for network to be online

  follow up of #127

  bsc#1062284

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Mon Oct 9 17:08:53 UTC 2017 - containers-bugowner@suse.de

- Commit 01bff6b by Kiall Mac Innes kiall@macinnes.ie
  Wait for network before running admin-node-setup.service

  As we need to know the IPs and hostnames for use in the TLS certificates this generates, we should ensure the network is up and running before this unit triggers.

  bsc#1062284

-------------------------------------------------------------------
Sat Oct 7 08:47:57 UTC 2017 - containers-bugowner@suse.de

- Commit 3cc3db7 by Kiall Mac Innes kiall@macinnes.ie
  Update VERSION file to 2.0.0+dev

-------------------------------------------------------------------
Fri Oct 6 14:29:40 UTC 2017 - containers-bugowner@suse.de

- Commit be61fbd by Alvaro Saurin alvaro.saurin@gmail.com
  Fix wrong package name

-------------------------------------------------------------------
Fri Oct 6 11:11:03 UTC 2017 - containers-bugowner@suse.de

- Commit 4a75b00 by Maximilian Meister mmeister@suse.de
  kubelet: update deprecated --config flag (bsc#1062011)

  new flag: --pod-manifest-path

  this needs to be done during upgrade to 2.0 otherwise kubelet won't start

  https://bugzilla.suse.com/show_bug.cgi?id=1062011

  Signed-off-by: Maximilian Meister

  Commit 18fa99d by Kiall Mac Innes kiall@macinnes.ie
  Ensure LDAP cert is generated on upgrade

  Moving the call to gen-certs.sh from activate.sh, over to admin-node-setup.sh will ensure that any missing certs are generated upon upgrade. This will ensure the new LDAP cert is created.

  In order to preserve issue generation, which contains the Velum key fingerprint, we must also move this to admin-node-setup.

  bsc#1062022

  Commit 86edf7c by Kiall Mac Innes kiall@macinnes.ie
  Move salt-master-custom.conf creation to admin-node-setup

  activate.sh is only run once, during a fresh install. This step is required on fresh installs, and 1.0 -> 2.0 upgrades, so moving to admin-node-setup.sh and ensuring idempotency will resolve this issue.

  bsc#1062003

-------------------------------------------------------------------
Wed Oct 4 12:58:47 UTC 2017 - containers-bugowner@suse.de

- Commit 260a882 by Alvaro Saurin alvaro.saurin@gmail.com
  Re-add the sle12-flannel-image

-------------------------------------------------------------------
Mon Oct 2 15:33:22 UTC 2017 - containers-bugowner@suse.de

- Commit 1125bcf by Nikhil Manchanda SlickNik@gmail.com
  Add helm tiller image

-------------------------------------------------------------------
Thu Sep 21 13:13:01 UTC 2017 - containers-bugowner@suse.de

- Commit 17a0d8d by Kiall Mac Innes kiall@macinnes.ie
  Allow custom options to be passed to the Salt Master

  Create a file for custom salt-master configuration options to be supplied. This will be loaded in numeric order, allowing for certain options (e.g. worker thread counts).

  bsc#1059724

-------------------------------------------------------------------
Wed Sep 20 09:15:13 UTC 2017 - containers-bugowner@suse.de

- Commit 66f75e1 by Robert Roland robert.roland@suse.com
  Put the OpenLDAP config db and data db on the host

  OpenLDAP did not put its configuration database and data database on the admin node's filesystem, so if the OpenLDAP container restarted, all login data and TLS configuration data were lost.

  Fixes bsc#1059407

-------------------------------------------------------------------
Fri Sep 15 08:50:13 UTC 2017 - containers-bugowner@suse.de

- Commit 531839c by Jordi Massaguer Pla jmassaguerpla@suse.de
  Revert requirement on helm-tiller image.

  We will add this later.

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Wed Sep 13 15:41:23 UTC 2017 - containers-bugowner@suse.de

- Commit fed0ac3 by Jordi Massaguer Pla jmassaguerpla@suse.de
  add helm tiller image

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Wed Sep 13 15:40:22 UTC 2017 - containers-bugowner@suse.de

- Commit 8d9256d by Jordi Massaguer Pla jmassaguerpla@suse.de
  update openldap and dex version requirement

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Wed Sep 13 08:52:27 UTC 2017 - containers-bugowner@suse.de

- Commit 188d179 by Robert Roland robert.roland@suse.com
  Removing hardcoded admin password for LDAP

  Switching to sles12/openldap image from other image

-------------------------------------------------------------------
Mon Sep 11 17:29:01 UTC 2017 - containers-bugowner@suse.de

- Commit 838e5ac by Robert Roland robert.roland@suse.com
  Adding RBAC dependencies to make_spec

-------------------------------------------------------------------
Mon Sep 11 13:28:19 UTC 2017 - containers-bugowner@suse.de

- Commit 0931f23 by Jordi Massaguer Pla jmassaguerpla@suse.de
  Revert "Revert "update image requirements""

  This reverts commit cc67389ddc19b50cf49ba9139389f4ab3cbb8aa9.

  This is to update the requirements for the sles12sp3 images. We had to revert that because the images were not in the iso.

-------------------------------------------------------------------
Thu Sep 7 17:09:49 UTC 2017 - containers-bugowner@suse.de

- Commit d010b99 by Jordi Massaguer Pla jmassaguerpla@suse.de
  flannel docker image is not yet needed

  This image is for CNI and we still don't need this

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Wed Sep 6 17:15:46 UTC 2017 - containers-bugowner@suse.de

- Commit cc67389 by Jordi Massaguer Pla jmassaguerpla@suse.de
  Revert "update image requirements"

  This reverts commit 777e2226d8055566212bd7fc16e5b9324210fa0a.

  This broke our dvd cause the new packages are not yet in. Let's revert it and do this again once the new packages are in.

-------------------------------------------------------------------
Wed Sep 6 15:06:29 UTC 2017 - containers-bugowner@suse.de

- Commit 777e222 by Jordi Massaguer Pla jmassaguerpla@suse.de
  update image requirements

  For CAASP 2.0, image version is > 2.0 and we have renamed the images to not contain "docker" in its name.

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Tue Sep 5 17:15:31 UTC 2017 - containers-bugowner@suse.de

- Commit e21f9a6 by Robert Roland rob.roland@gmail.com
  RBAC: Adding OpenLDAP to admin node (#89)

  * adding OpenLDAP container to the public manifest
  * Adding LDAP configuration to velum

-------------------------------------------------------------------
Fri Sep 1 15:08:14 UTC 2017 - containers-bugowner@suse.de

- Commit 1f7ce09 by Jordi Massaguer Pla jmassaguerpla@suse.de
  update requirements of docker images

  admin-node-setup.sh script expects images to have a .tag file in order to substitute the __TAG__ tags in public.yaml and private.yaml

  This .tag is in the update images, which are >= 1.1.0

-------------------------------------------------------------------
Mon Aug 28 16:51:35 UTC 2017 - containers-bugowner@suse.de

- Commit 5ed140b by Kiall Mac Innes kiall@macinnes.ie
  Use the tagfiles rather than hardcoding a tag

  This decouples our manifests from the tag of the images contained within the RPMs. These tagfiles will contain the latest, and most specific, tag for a given image.

-------------------------------------------------------------------
Mon Aug 28 15:36:40 UTC 2017 - containers-bugowner@suse.de

- Commit 35c6630 by Aishwarya Thangappa aishwarya.thangappa@gmail.com
  Include kubedns, dnsmasq-nanny and sidecar as dependencies

-------------------------------------------------------------------
Fri Aug 18 14:22:12 UTC 2017 - containers-bugowner@suse.de

- Commit 89e2fa5 by Alvaro Saurin alvaro.saurin@gmail.com
  Require the flannel docker image

-------------------------------------------------------------------
Fri Aug 18 12:18:51 UTC 2017 - containers-bugowner@suse.de

- Commit 66e9487 by Kiall Mac Innes kiall@macinnes.ie
  Include haproxy as a dependency

  haproxy will be used to loadbalance requests over the chosen masters, so we'll need to include the haproxy docker RPM as a dependency.

-------------------------------------------------------------------
Thu Aug 17 14:39:34 UTC 2017 - containers-bugowner@suse.de

- Commit 5b61692 by Kiall Mac Innes kiall@macinnes.ie
  Increase MariaDB's max_allowed_packet to 16MB

  MariaDB's max allowed packet size is too small for some larger deployments, by increasing it, we allow ourselves some time to implement an alternative pattern for handling salt's event stream.

  Fixes bsc#1054250

-------------------------------------------------------------------
Fri Aug 11 17:24:41 UTC 2017 - containers-bugowner@suse.de

- Commit 8473650 by Kiall Mac Innes kiall@macinnes.ie
  etcd on admin node does not have any peers

  As such, there is no reason to listen on 0.0.0.0 for peering.

-------------------------------------------------------------------
Tue Jul 25 07:48:57 UTC 2017 - containers-bugowner@suse.de

- Commit 1655395 by Flavio Castelli fcastelli@suse.com
  Improve comment about how to access velum

  Be explicit about using `https://`, some users tried to access velum using `http://velum-ip:443`.

  Fixes bsc#1047310

-------------------------------------------------------------------
Mon Jul 24 12:35:06 UTC 2017 - containers-bugowner@suse.de

- Commit 453eac7 by Rafael Fernández López ereslibre@ereslibre.es
  Cache the grains on the `ca` container

  Rendering grains on the `ca` takes a fair amount of time if they are not cached, as lots of grains are falling back to other cases, making other calls like `publish.publish` timeout (timeouts by default after 5 seconds).

  Forcing the grains cache will be slow only the first time, when the grains get populated, and will get cached, making future uses faster.

  Fixes: bsc#1049886

-------------------------------------------------------------------
Thu Jul 20 15:55:19 UTC 2017 - containers-bugowner@suse.de

- Commit 1676983 by Rafael Fernández López ereslibre@ereslibre.es
  Add fingerprints to the velum issue

  By adding SHA1 and SHA256 fingerprints to the Velum issue, we can ensure that the instance we are accessing is the right one, and we are not mistaken (several clusters) or to reject a MITM, since the certificates chain of trust does not exist (the CA is autogenerated), and the customer has no way to import the CA as trusted for now.

  Fixes: bsc#1048135

-------------------------------------------------------------------
Fri Jul 14 13:39:28 UTC 2017 - containers-bugowner@suse.de

- Commit d376008 by Maximilian Meister mmeister@suse.de
  make branch safe by transforming slashes to dashes

  Signed-off-by: Maximilian Meister

  Commit 4cfa01c by Maximilian Meister mmeister@suse.de
  packaging: make branch configurable

  Signed-off-by: Maximilian Meister

-------------------------------------------------------------------
Fri Jul 14 13:38:20 UTC 2017 - containers-bugowner@suse.de

- Commit 1e3ef9e by Kiall Mac Innes kiall@macinnes.ie
  Add Jenkinsfile

  The Jenkinsfile in each repo, if we adopt Jenkins in the end, will be very thin, including just a single library load, and a single method call.

  This prevents us from needing to keep each project's Jenkinsfile in sync as CI changes are made.

-------------------------------------------------------------------
Tue Jul 11 10:27:54 UTC 2017 - containers-bugowner@suse.de

- Commit 1e3ef9e by Kiall Mac Innes kiall@macinnes.ie
  Add Jenkinsfile

  The Jenkinsfile in each repo, if we adopt Jenkins in the end, will be very thin, including just a single library load, and a single method call.

  This prevents us from needing to keep each project's Jenkinsfile in sync as CI changes are made.

-------------------------------------------------------------------
Thu Jul 6 12:38:26 UTC 2017 - containers-bugowner@suse.de

- Commit 2a2a6af by Kiall Mac Innes kiall@macinnes.ie
  Reinstate critical flag on x509 extensions

  Reinstate the critical flag on two x509 extensions:

  * X509v3 Basic Constraints (CA=False)
  * X509v3 Key Usage (Digital Signature, Non Repudiation, Key Encipherment)

  bsc#1046708

-------------------------------------------------------------------
Tue Jul 4 16:47:24 UTC 2017 - containers-bugowner@suse.de

- Commit c685e59 by Kiall Mac Innes kiall@macinnes.ie
  Match up TLS cert generation to genca.sh

  * Remove critical constraints
  * Add nonRepudiation and digitalSignature key usages
  * Include only the keyid Authority Identifier

  bsc#1046708

  Commit eb05991 by Kiall Mac Innes kiall@macinnes.ie
  Include a UUID in the CA's Subject field

  Including a random UUID in the CA's subject fields ensures that browsers do not cache certs from older deployments, preventing access to replacement deployments.

  bsc#1046881

  Commit ee9d3ab by Kiall Mac Innes kiall@macinnes.ie
  Include x509 Subject and Authority IDs in certs

  e.g:

  X509v3 extensions:
      X509v3 Subject Key Identifier:
          15:5F:91:F5:63:EA:85:B6:91:AB:8C:A9:9E:C2:36:F0:FD:11:B8:2E
      X509v3 Authority Key Identifier:
          keyid:F2:AA:7D:21:48:9D:45:00:FA:0C:94:40:48:81:B7:92:33:B5:27:12

  bsc#1046881

  Commit 69a738d by Kiall Mac Innes kiall@macinnes.ie
  End entity TLS certs should not be CA certs

  Use different extensions when self signing the CA cert, and when signing end entity certs.

  bsc#1047177

  Commit 0c4bbd7 by Kiall Mac Innes kiall@macinnes.ie
  CA: Add some logging to more easily identify the steps

-------------------------------------------------------------------
Fri Jun 30 11:54:29 UTC 2017 - containers-bugowner@suse.de

- Commit 7ae4dac by Rafael Fernández López ereslibre@ereslibre.es
  Rename `velum-dashboard-autoyast` to `velum-autoyast`

  We have a lot of processes in the development, e2e-tests and debugging environments that use `velum-dashboard`. Renaming the autoyast serving to `velum-autoyast` will make them still only match one container, the one they expect (actually both of them are practically the same thing, but to keep things as they were).

-------------------------------------------------------------------
Fri Jun 30 09:50:00 UTC 2017 - containers-bugowner@suse.de

- Commit ab71633 by Jordi Massaguer Pla jmassaguerpla@suse.de
  fix requirements for the docker images

  This is needed to fix bsc#1046378

  Signed-off-by: Jordi Massaguer Pla

-------------------------------------------------------------------
Thu Jun 29 17:10:53 UTC 2017 - containers-bugowner@suse.de

- Commit f9ee78a by Rafael Fernández López ereslibre@ereslibre.es
  Add gen-certs script

  This script will generate a CA and both certificates for services that require to start with TLS enabled: `velum` and `salt-api`.

  Thanks to Robert Roland (@robdaemon) for providing the original script.

  Fixes: bsc#1043570
  Fixes: bsc#1043589

-------------------------------------------------------------------
Wed Jun 28 16:21:10 UTC 2017 - containers-bugowner@suse.de

- Commit 6714137 by Kiall Mac Innes kiall@macinnes.ie
  Clear TX update grains on admin node boot

  bsc#1045379

  Clear the tx_update_{reboot_needed,failed} grains upon boot. This ensures the UI doesn't continue to show an admin node upgrade after we've upgraded.

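
The certificate properties named in the 4 Jul and 6 Jul 2017 entries above (separate extensions for the CA and for end-entity certs, critical Basic Constraints and Key Usage, subject and authority key ids, a random id in the CA subject) can be checked mechanically. The script below is an added example, not the project's gen-certs.sh: the file names, the `v3_*` section names, the `.test` hostname and the use of `openssl rand` in place of a UUID are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA plus end-entity certificates, and a check
# that enforces the extensions the changelog entries describe.
# Every name, path and hostname here is constructed for illustration.

# Write an OpenSSL config with separate extension sections for the CA
# and for end-entity certificates into directory $1.
write_ext_config() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = unused (overridden by -subj)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:velum.example.test
[ v3_bad_leaf ]
# Deliberately wrong: an end-entity cert issued with CA extensions.
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create ca.crt, leaf.crt (correct) and bad_leaf.crt (wrong) in $1.
make_demo_pki() {
    dir=$1
    write_ext_config "$dir" || return 1
    # Random id in the CA subject so each deployment's CA is distinct.
    id=$(openssl rand -hex 16) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -subj "/O=Demo/CN=Demo Cluster CA $id" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for name in leaf bad_leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
            -subj "/CN=velum.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -days 1 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "v3_$name" \
            -out "$dir/$name.crt" 2>/dev/null || return 1
    done
}

# Return 0 only if certificate $1 is a well-formed end-entity cert:
# critical CA:FALSE, critical key usage, and both key identifiers.
check_end_entity() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" \
        | grep -A1 'X509v3 Basic Constraints: critical' \
        | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" \
        | grep -A1 'X509v3 Key Usage: critical' \
        | grep -q 'Digital Signature, Non Repudiation, Key Encipherment' \
        || return 1
    printf '%s\n' "$text" \
        | grep -q 'X509v3 Subject Key Identifier' || return 1
    printf '%s\n' "$text" \
        | grep -q 'X509v3 Authority Key Identifier' || return 1
}

# Demo run in a mktemp directory that is removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
for c in leaf bad_leaf; do
    if check_end_entity "$demo_dir/$c.crt"; then
        echo "$c.crt: ok"
    else
        echo "$c.crt: REJECTED"
    fi
done
```
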
-------------------------------------------------------------------
Wed Jun 28 12:45:13 UTC 2017 - containers-bugowner@suse.de

- Commit aa1a388 by Alvaro Saurin alvaro.saurin@gmail.com

  Minor: some comments

-------------------------------------------------------------------
Wed Jun 28 12:27:04 UTC 2017 - containers-bugowner@suse.de

- Commit 0ea70ff by Kiall Mac Innes kiall@macinnes.ie

  Remove unnecessary code from activate.sh

  See SR#135010, SR#134883, SR#134572

-------------------------------------------------------------------
Wed Jun 28 11:06:58 UTC 2017 - containers-bugowner@suse.de

- Commit b738430 by Graham Hayes graham.hayes@suse.com

  bsc#1045350 Accept salt keys that have been pre-generated

  Currently the admin node's salt minion starts before the container that
  generates and accepts keys is run. This means that the salt minion is
  started with a key that is not accepted, and goes to a pending state.

  This checks if the key is pre-generated, and if we have accepted a key
  from this minion before. If the key has been generated, but not accepted,
  we accept the key and continue.
-------------------------------------------------------------------
Tue Jun 27 15:16:44 UTC 2017 - containers-bugowner@suse.de

- Commit bf6b0f0 by Graham Hayes graham.hayes@suse.com

  bsc#1043592 Use mktemp to create tmp directories

  Use `mktemp` to ensure that directory has a random name

-------------------------------------------------------------------
Tue Jun 27 11:48:39 UTC 2017 - containers-bugowner@suse.de

- Commit 2ab0646 by Thorsten Kukuk kukuk@thkukuk.de

  Fix order number of velum.conf for issue.d (we use only two digit
  numbers)

-------------------------------------------------------------------
Tue Jun 27 11:42:22 UTC 2017 - containers-bugowner@suse.de

- Commit 09c947b by Jordi Massaguer Pla jmassaguerpla@suse.de

  add the admin-node-setup script and service to the package

  This is the 3rd step to fix bsc#1045378 - activate.sh was not rerun after
  admin node upgrade

  Commit 81a7983 by Jordi Massaguer Pla jmassaguerpla@suse.de

  add admin-node-setup service

  This is the second step to fix bsc#1045378 - activate.sh was not rerun
  after admin node upgrade

  We create a service that will run the admin-node-setup.sh on every reboot
  (thus on every update)

  Enable this in the activate.sh

  Commit 68926c0 by Jordi Massaguer Pla jmassaguerpla@suse.de

  split activate into 2

  This is the first step to fix bsc#1045378 - activate.sh was not rerun
  after admin node upgrade.

  We need to split the script in 2:

  - activate.sh: run only once after the installation
  - admin-node-setup.sh: run on every reboot (thus in every update)

-------------------------------------------------------------------
Mon Jun 26 11:40:59 UTC 2017 - containers-bugowner@suse.de

- Commit d5a5ccc by Graham Hayes graham.hayes@suse.com

  bsc#1043592 Add pre-generation of minion keys

  Generates 2 salt keys (ca and admin) and places them in the correct
  directories. This allows us to remove *auto_accept* from the master
  config file and select the rest of the members of the cluster.

  The admin key is written out to */etc/salt/pki/minion/minion.(pub|pem)*

  The ca key is written out to the same path in the container.

  bsc#1043592

-------------------------------------------------------------------
Fri Jun 23 10:24:50 UTC 2017 - containers-bugowner@suse.de

- Commit 1f5680c by Rafael Fernández López ereslibre@ereslibre.es

  Mount `salt-master` and `salt-minion-ca` caches from the host

  This way we ensure that the mine information and other cached information
  survives reboots.

  Fixes: bsc#1045368

-------------------------------------------------------------------
Thu Jun 22 09:47:54 UTC 2017 - containers-bugowner@suse.de

- Commit 5e81ace by Graham Hayes graham.hayes@suse.com

  Add 'grains_refresh_every' to config

-------------------------------------------------------------------
Tue Jun 20 11:26:20 UTC 2017 - containers-bugowner@suse.de

- Commit ea55036 by Rafael Fernández López ereslibre@ereslibre.es

  Connect the `salt-minion` in the administration dashboard machine to the
  `salt-master`

  Set the `admin` role to the administration dashboard machine, as well as
  the minion configuration (`id` and `master` location).

  This way we will leave the `salt-minion` in the administration dashboard
  connected to the `salt-master` for future orchestrated upgrades.

-------------------------------------------------------------------
Thu Jun 8 12:32:35 UTC 2017 - containers-bugowner@suse.de

- Commit 6db8409 by Rafael Fernández López ereslibre@ereslibre.es

  Do not mount `/usr/share/salt/kubernetes/config/master.d` from the host

  We will be mounting other volumes on top of this on the containers, and
  they will fail because on the host,
  `/usr/share/salt/kubernetes/config/master.d` is a `RO` volume.

  We fix this by mounting all specific files in the containers instead of
  the top level directory of the hierarchy. This imposes us the restriction
  to modify the container manifests every time a new config file appears,
  but that should not happen very often.

  Otherwise, we cannot add our own configuration files on top of the `RO`
  mounted volume, because they will fail. In this case, the mounted folder
  on the containers will be `/etc/salt/master.d`, but in this case this
  folder won't be mounted from
  `/usr/share/salt/kubernetes/config/master.d`, it will live only in the
  container, and we will mount the specific files under it, which will
  avoid the `RO` volume problems from the host.

-------------------------------------------------------------------
Thu Jun 8 09:52:55 UTC 2017 - containers-bugowner@suse.de

- Commit faa0ddb by Rafael Fernández López ereslibre@ereslibre.es

  Do not mount these three mountpoints readonly

  Related to infrastructure secrets. It makes the container initialization
  fail. Ideally they should be read-only, as they will only read from here,
  but something is trying to write in there, preventing containers from
  starting.

-------------------------------------------------------------------
Thu Jun 8 07:54:36 UTC 2017 - containers-bugowner@suse.de

- Commit 46e5def by Rafael Fernández López ereslibre@ereslibre.es

  Install setup folder -- we need it to mount the initialization scripts

  Related to hardcoded secrets removal, was a bug in the packaging side

-------------------------------------------------------------------
Wed Jun 7 14:15:24 UTC 2017 - containers-bugowner@suse.de

- Commit 5c48335 by Rafael Fernández López ereslibre@ereslibre.es

  Remove hardcoded secrets

  We will be generating secrets with init containers. These secrets will be
  created in a volume mounted from the host, so they survive reboots. While
  being sufficient for our GA purposes we will need to rethink how we do
  this in a HA environment.

  Some secrets are generated with the init containers:

  * mysql root password
  * mysql velum user password
  * mysql salt user password
  * saltapi user password

  Once we have generated all the passwords, we need to write this
  configuration on files that will be mounted on the different containers,
  so the different services can read the files where the passwords are
  written.

  By default, passwords will be created in files with permissions 400.

  Password generation uses `/dev/random`, performing a `base64` encoding of
  that random content, and picking up a line of the `base64` output.

  Images will take these environment variables and they will use their
  entrypoint to perform the required actions. Example:

  * mariadb container will set the root password and do some
    initializations
  * salt-master container will `chpasswd` the `saltapi` user to the
    generated saltapi password.

-------------------------------------------------------------------
Tue Jun 6 11:40:57 UTC 2017 - containers-bugowner@suse.de

- Commit bf0bce0 by Kiall Mac Innes kiall@macinnes.ie

  Bump image tag for salt pods to 2016.11.4

-------------------------------------------------------------------
Fri Jun 2 15:05:53 UTC 2017 - containers-bugowner@suse.de

- Commit 331fd9b by Kiall Mac Innes kiall@macinnes.ie

  Update RPM spec for salt 2016.11.4

  As the RPM names have changed with the new tag, we need to update the
  spec to require the new salt version.
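
The secret generation that commit 5c48335 above describes (random bytes, `base64`, one line of output, files with permissions 400, secrets that survive reboots), as an added example that is not the project's init-container script. The function name, the `RANDOM_SOURCE` override and the 48-byte length are assumptions.

```shell
#!/bin/sh
# Added example. generate_secret, RANDOM_SOURCE and the 48-byte length are
# assumptions; the commit message names /dev/random, base64 and mode 400.

RANDOM_SOURCE=${RANDOM_SOURCE:-/dev/random}

# generate_secret FILE: create FILE holding one random password, mode 400.
# An existing non-empty FILE is left alone, so the secret survives reboots.
generate_secret() {
    target=$1
    if [ -s "$target" ]; then
        return 0
    fi
    (
        # Restrictive umask first: the file is never group or world readable,
        # not even between creation and chmod.
        umask 077
        # Temporary file in the same directory, so the final mv is a rename.
        tmp=$(mktemp "$(dirname "$target")/.secret.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        # 48 random bytes encode to exactly one 64-character base64 line.
        head -c 48 "$RANDOM_SOURCE" | base64 | head -n 1 > "$tmp" || exit 1
        # Refuse a short read instead of storing a weak or empty password.
        [ "$(wc -c < "$tmp")" -ge 64 ] || exit 1
        chmod 400 "$tmp" || exit 1
        mv -f "$tmp" "$target"
    )
}

# secret_mode FILE: print the permission string of FILE, e.g. -r--------
secret_mode() {
    ls -l "$1" | cut -c1-10
}
```

Calling `generate_secret` once per secret listed in the commit message gives each service its own file; a second call on the same path is a no-op.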
-------------------------------------------------------------------
Thu May 25 19:59:20 UTC 2017 - containers-bugowner@suse.de

- Commit 1880b3f by Rafael Fernández López ereslibre@ereslibre.es
- Make substitution in a safer way for --pod-infra-container-image argument
-
- This wasn't working on our production image because we are using Kubernetes
- 1.5 that in our config comes with the following setting in
- /etc/kubernetes/kubelet:
-
- KUBELET_ARGS="--config=/etc/kubernetes/manifests"
-
- On 1.6, --config has been completely removed and it will use
- --pod-manifest-path, but not on our current installed configuration.
-
- By adding this change, we ensure that we only make the replacement once (if
- the pod-manifest-path is already there we won't do anything), and we don't
- rely on the current contents for making the substitution.
-
- Fixes: bsc#1039863

-------------------------------------------------------------------
Wed May 24 17:24:18 UTC 2017 - containers-bugowner@suse.de

- Commit f24962e by Rafael Fernández López ereslibre@ereslibre.es
- Mount MariaDB configuration under `/etc/my.cnf.d`
-
- * Under SLE the configuration lives under `/etc/my.cnf.d`
- * Add `[mysqld]` section to the skip-networking file so it will be
- processed by mysqld (otherwise it's ignored)
- * Mount only the `skip-networking.cnf` file, as other cnf files come
- pre-installed in `/etc/my.cnf.d` and we would be shadowing them

-------------------------------------------------------------------
Tue May 23 15:10:52 UTC 2017 - containers-bugowner@suse.de

- Commit b050481 by Michal Jura mjura@suse.com
- Kubernetes does not pick the sles12/pause image, bsc#1039863
-
- Kubernetes does not pick the sles12/pause image, but the one from GCR on
- OpenStack.
-
- After Kubernetes version upgrade KUBELET_ARGS changed and option --config for
- sed regular expression is not matched.
-
- This change is fixing sed regular expression for
- /etc/kubernetes/kubelet config file.
-------------------------------------------------------------------
Fri May 12 10:45:17 UTC 2017 - containers-bugowner@suse.de

- Share ssh public key for autoyast profile, bsc#1030876

-------------------------------------------------------------------
Mon May 8 12:01:02 UTC 2017 - containers-bugowner@suse.de

- Use the configuration files found in the kubernetes-salt package

-------------------------------------------------------------------
Wed May 3 15:13:12 UTC 2017 - containers-bugowner@suse.de

- activate.sh: notify that velum is starting (bsc#1031682)

-------------------------------------------------------------------
Wed May 3 14:08:27 UTC 2017 - containers-bugowner@suse.de

- Set the presence flag

-------------------------------------------------------------------
Wed Apr 26 14:22:47 UTC 2017 - containers-bugowner@suse.de

- Mount mysql data dir

-------------------------------------------------------------------
Tue Apr 25 17:21:11 UTC 2017 - containers-bugowner@suse.de

- Update salt-master configuration

-------------------------------------------------------------------
Tue Apr 25 15:22:22 UTC 2017 - containers-bugowner@suse.de

- Update mysql paths after checking manifests in production
- Migrate https://github.com/kubic-project/velum/pull/104 to production

-------------------------------------------------------------------
Tue Apr 25 10:58:37 UTC 2017 - containers-bugowner@suse.de

- Migrate https://github.com/kubic-project/velum/pull/126/files to production

-------------------------------------------------------------------
Wed Apr 19 18:04:08 UTC 2017 - containers-bugowner@suse.de

- Add missing VELUM_SALT_PASSWORD

-------------------------------------------------------------------
Tue Apr 18 14:10:00 UTC 2017 - containers-bugowner@suse.de

- activate.sh: fix bsc#1032651

-------------------------------------------------------------------
Fri Mar 31 13:13:58 UTC 2017 - containers-bugowner@suse.de

- Persist CA certificates and issued certificates
-------------------------------------------------------------------
Tue Mar 28 13:45:34 UTC 2017 - containers-bugowner@suse.de

- Enable etcd using the activate.sh script

-------------------------------------------------------------------
Mon Mar 27 14:44:56 UTC 2017 - containers-bugowner@suse.de

- Added a temporary fix for the pause container in the dashboard

-------------------------------------------------------------------
Fri Mar 24 15:59:56 UTC 2017 - containers-bugowner@suse.de

- Rename database

-------------------------------------------------------------------
Fri Mar 24 11:04:47 UTC 2017 - containers-bugowner@suse.de

- Remove leftover that made the kubelet ignore salt.yaml file

-------------------------------------------------------------------
Thu Mar 23 17:28:13 UTC 2017 - containers-bugowner@suse.de

- fix call to init

-------------------------------------------------------------------
Thu Mar 23 16:20:16 UTC 2017 - containers-bugowner@suse.de

- use bundle as this is a symlink now in the image
- review entry commands

-------------------------------------------------------------------
Thu Mar 23 16:16:16 UTC 2017 - containers-bugowner@suse.de

- Fix TODO comments about path prefixes
- Add velum configuration settings

-------------------------------------------------------------------
Thu Mar 23 13:56:22 UTC 2017 - containers-bugowner@suse.de

- Use port 80 by default

-------------------------------------------------------------------
Thu Mar 23 13:35:01 UTC 2017 - containers-bugowner@suse.de

- fix velum version in spec
- replace opensuse by sles12 images

-------------------------------------------------------------------
Thu Mar 23 11:58:37 UTC 2017 - containers-bugowner@suse.de

- redirect errors to standard error

-------------------------------------------------------------------
Wed Mar 22 14:48:12 UTC 2017 - containers-bugowner@suse.de

- check if the activate is being run by YaST or by cloud-init
-------------------------------------------------------------------
Wed Mar 22 11:51:39 UTC 2017 - containers-bugowner@suse.de

- Clarify the important assumption that DB container will not move to a
  different host after it is started for the very first time.

-------------------------------------------------------------------
Wed Mar 22 11:48:43 UTC 2017 - containers-bugowner@suse.de

- fix enabled services in controller node

-------------------------------------------------------------------
Wed Mar 22 11:34:44 UTC 2017 - containers-bugowner@suse.de

- add executable permissions to activate.sh

-------------------------------------------------------------------
Tue Mar 21 14:46:37 UTC 2017 - containers-bugowner@suse.de

- fix velum name

-------------------------------------------------------------------
Mon Mar 20 16:57:20 UTC 2017 - containers-bugowner@suse.de

- add the required images for caasp as Requires

-------------------------------------------------------------------
Fri Mar 17 15:11:16 UTC 2017 - containers-bugowner@suse.de

- add activate in rpm

-------------------------------------------------------------------
Fri Mar 17 12:34:31 UTC 2017 - containers-bugowner@suse.de

- Revert "add pv-recycler-node image"

-------------------------------------------------------------------
Wed Mar 15 16:44:37 UTC 2017 - containers-bugowner@suse.de

- Revert "add pv-recycler-node image"

-------------------------------------------------------------------
Wed Mar 15 16:38:29 UTC 2017 - containers-bugowner@suse.de

- add pv-recycler-node image

-------------------------------------------------------------------
Wed Mar 15 16:32:27 UTC 2017 - containers-bugowner@suse.de

- use mariadb docker image based on sles12sp2

-------------------------------------------------------------------
Wed Mar 15 16:29:12 UTC 2017 - containers-bugowner@suse.de

- update salt images to sles12 images

-------------------------------------------------------------------
Tue Mar 14 17:21:30 UTC 2017 - containers-bugowner@suse.de

- packaging: don't expand inner variables in the template

-------------------------------------------------------------------
Tue Mar 14 17:02:27 UTC 2017 - containers-bugowner@suse.de

- packaging: help automated packaging for caasp-container-manifests

-------------------------------------------------------------------
Thu Mar 9 13:18:52 UTC 2017 - jmassaguerpla@suse.com

- Add configuration files

-------------------------------------------------------------------
Thu Mar 2 10:39:12 UTC 2017 - hguo@suse.com

- New package, initial release.