Hello community,

here is the log from the commit of package caasp-container-manifests for 
openSUSE:Factory checked in at 2018-03-06 10:48:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/caasp-container-manifests (Old)
 and      /work/SRC/openSUSE:Factory/.caasp-container-manifests.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "caasp-container-manifests"

Tue Mar  6 10:48:53 2018 rev:2 rq:583219 version:3.0.0+git_r256_2ce2854

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/caasp-container-manifests/caasp-container-manifests.changes
      2018-02-21 14:11:05.551008265 +0100
+++ 
/work/SRC/openSUSE:Factory/.caasp-container-manifests.new/caasp-container-manifests.changes
 2018-03-06 10:49:28.775533866 +0100
@@ -1,0 +2,110 @@
+Mon Mar  5 16:15:03 UTC 2018 - rbr...@suse.com
+
+- Remove Kubic workaround, caasp-tools no longer conflicts
+
+-------------------------------------------------------------------
+Tue Feb 27 14:13:46 UTC 2018 - containers-bugow...@suse.de
+
+- Commit d02a181 by Kiall Mac Innes ki...@macinnes.ie
+ Haproxy: Remove daemon config flag
+
+
+-------------------------------------------------------------------
+Tue Feb 27 10:31:18 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 4a6ade3 by Kiall Mac Innes ki...@macinnes.ie
+ Fix three upgrade issues
+ 
+ * Migrate the old HAProxy config over
+ * Add the new static velum/velum-api haproxy sections
+ * Generate the missing *-bundle.pem files
+ 
+ Fixes bsc#1080978
+
+
+-------------------------------------------------------------------
+Tue Feb 27 10:22:55 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 7a8e1d1 by Flavio Castelli fcaste...@suse.com
+ Make entrypoint of mariadb-user-secrets container more robust
+ 
+ I've run into a timing issue that caused the root password of mariadb
+ **not** being injected into the running container "mariadb-user-secrets" in
+ time. That caused the container to enter an infinite loop consisting of
+ trying to connect to mariadb as root without a specifying password, getting
+ an error message, sleeping 1 second and trying again.
+ 
+ This is an init container, as long as it's running kubelet won't start over
+ containers, like openldap, velum-*, salt-*,...
+ 
+ With this change the mariadb entrypoint waits untile the file containing the
+ root password exists and is not empty.
+ 
+ Signed-off-by: Flavio Castelli <fcaste...@suse.com>
+
+
+-------------------------------------------------------------------
+Tue Feb 27 08:53:47 UTC 2018 - containers-bugow...@suse.de
+
+- Commit da3c5cc by Kiall Mac Innes ki...@macinnes.ie
+ Update missed LDAP_HOST value from 127.0.0.1 to ldap.infra.caasp.local
+ 
+ I don't think this value is actually used, however, for consistency, lets set
+ it to the correct value. We may want to check if it's used and remove if not.
+
+
+-------------------------------------------------------------------
+Mon Feb 26 10:52:10 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 30edb7c by Maximilian Meister mmeis...@suse.de
+ enable certificate validation for net-ldap
+ 
+ CVE-2017-17718 requires net-ldap to validate the certificate
+ 
+ therefore set a fixed resolvable name for ldap and generate the certificate
+ for it
+ 
+ Signed-off-by: Maximilian Meister <mmeis...@suse.de>
+
+
+-------------------------------------------------------------------
+Thu Feb 22 11:51:48 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 30edb7c by Maximilian Meister mmeis...@suse.de
+ enable certificate validation for net-ldap
+ 
+ CVE-2017-17718 requires net-ldap to validate the certificate
+ 
+ therefore set a fixed resolvable name for ldap and generate the certificate
+ for it
+ 
+ Signed-off-by: Maximilian Meister <mmeis...@suse.de>
+
+
+-------------------------------------------------------------------
+Fri Feb 16 14:02:33 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 51731ef by Kiall Mac Innes ki...@macinnes.ie
+ Velum Dash and API both attempt to bind to the same port
+ 
+ It's not possible to reliably bind to 0.0.0.0:443 for one service, and
+ 127.0.0.1:443 for another service.
+ 
+ As such, we'll move velum-api over to 127.0.0.1:444
+
+
+-------------------------------------------------------------------
+Thu Feb 15 16:33:02 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 94ec5bb by Kiall Mac Innes ki...@macinnes.ie
+ Increase haproxy timeouts from 50sec, to 120sec
+ 
+ Some components have a 60 second timeout for salt request timeouts, e.g the
+ salt-api server which is called by Velum. Increase this timeout to double
+ their timeouts to allow the real failures to be disclosed.
+ 
+ We'll likely want to rework how timeouts are handled soon accross all our
+ components.
+
+
+-------------------------------------------------------------------
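Review bot: the entry for commit 30edb7c ("enable certificate validation for net-ldap") appears twice in this hunk, once under Mon Feb 26 10:52:10 and once under Thu Feb 22 11:51:48, with identical text. One of the two should be dropped, or the second replaced with the commit it was meant to record, so that the changelog does not suggest the CVE-2017-17718 change landed twice.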

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ caasp-container-manifests.spec ++++++
--- /var/tmp/diff_new_pack.6DxbH3/_old  2018-03-06 10:49:29.475508580 +0100
+++ /var/tmp/diff_new_pack.6DxbH3/_new  2018-03-06 10:49:29.475508580 +0100
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 %if 0%{?suse_version} == 1315 && !0%{?is_opensuse}
   %define _base_image sles12
 %endif
@@ -28,40 +29,34 @@
 %endif
 
 Name:           caasp-container-manifests
-Version:        3.0.0+git_r242_40d3c00
+Version:        3.0.0+git_r256_2ce2854
 Release:        0
-License:        Apache-2.0
 Summary:        Manifest file templates for containers on controller node
-Url:            https://github.com/kubic-project/caasp-container-manifests
+License:        Apache-2.0
 Group:          System/Management
+Url:            https://github.com/kubic-project/caasp-container-manifests
 Source:         master.tar.gz
 Requires:       container-feeder
 # Require all the docker images
-Requires:       %{_base_image}-pause-image >= 2.0.0
+Requires:       %{_base_image}-caasp-dex-image >= 2.0.0
+Requires:       %{_base_image}-dnsmasq-nanny-image >= 2.0.0
+Requires:       %{_base_image}-flannel-image >= 2.0.0
+Requires:       %{_base_image}-haproxy-image >= 2.0.0
+Requires:       %{_base_image}-kubedns-image >= 2.0.0
 Requires:       %{_base_image}-mariadb-image >= 2.0.0
+Requires:       %{_base_image}-openldap-image >= 2.0.0
+Requires:       %{_base_image}-pause-image >= 2.0.0
 Requires:       %{_base_image}-pv-recycler-node-image >= 2.0.0
 Requires:       %{_base_image}-salt-api-image >= 2.0.0
 Requires:       %{_base_image}-salt-master-image >= 2.0.0
 Requires:       %{_base_image}-salt-minion-image >= 2.0.0
-Requires:       %{_base_image}-velum-image >= 2.0.0
-Requires:       %{_base_image}-haproxy-image >= 2.0.0
-Requires:       %{_base_image}-flannel-image >= 2.0.0
-Requires:       %{_base_image}-dnsmasq-nanny-image >= 2.0.0
-Requires:       %{_base_image}-kubedns-image >= 2.0.0
 Requires:       %{_base_image}-sidecar-image >= 2.0.0
 Requires:       %{_base_image}-tiller-image >= 2.0.0
-Requires:       %{_base_image}-openldap-image >= 2.0.0
-Requires:       %{_base_image}-caasp-dex-image >= 2.0.0
+Requires:       %{_base_image}-velum-image >= 2.0.0
 # Require all  the things we mount from the host from the kubernetes-salt 
package
 Requires:       kubernetes-salt
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if ! 0%{?is_susecaasp}
-# caasp-tools package provides 
%{_datadir}/caasp-container-manifests/activate.sh
-# if this is not building for SUSE CaaSP, so both packages can't be installed
-# at the same time.
-Conflicts:      caasp-tools
-%endif
 
 %description
 Manifest file templates will instruct kubelet service to bring up salt
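Review bot: the removed Conflicts: caasp-tools block at the end of this hunk carried the only explanation of why the two packages could not be co-installed, namely that caasp-tools provides %{_datadir}/caasp-container-manifests/activate.sh. Nothing in the visible spec shows that this file overlap is gone, and %files still installs %{_datadir}/%{name}/*. Either confirm that caasp-tools no longer ships that path or keep a comment saying which change resolved it, otherwise installing both will fail with a file conflict instead of a clear dependency error.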
@@ -120,4 +115,5 @@
 %{_sbindir}/rcadmin-node-setup
 %{_unitdir}/admin-node-setup.service
 %{_datadir}/%{name}/*
+
 %changelog

++++++ master.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/caasp-container-manifests-master/admin-node-setup.sh 
new/caasp-container-manifests-master/admin-node-setup.sh
--- old/caasp-container-manifests-master/admin-node-setup.sh    2018-02-12 
16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/admin-node-setup.sh    2018-02-27 
15:13:49.000000000 +0100
@@ -49,18 +49,73 @@
 
 rm -rf $tmp_dir
 
-# First time setup of user-configuration for salt-master
+# Create CaaSP config dir
 if [ ! -d "/etc/caasp" ]; then
     mkdir /etc/caasp
 fi
 
+# First time setup of user-configuration for salt-master
 if [ ! -f "/etc/caasp/salt-master-custom.conf" ]; then
     echo "# Custom Configurations for Salt-Master" > 
/etc/caasp/salt-master-custom.conf
 fi
 
+# Migrate haproxy config path post path change
+if [[ ! -f "/etc/caasp/haproxy/haproxy.cfg" && -f "/etc/haproxy/haproxy.cfg" 
]]; then
+    if [ ! -d "/etc/caasp/haproxy" ]; then
+        mkdir /etc/caasp/haproxy
+    fi
+
+    mv /etc/haproxy/haproxy.cfg /etc/caasp/haproxy/haproxy.cfg
+
+    # Add the Velum and Velum-API services to HAproxy
+    cat << EOF >> /etc/caasp/haproxy/haproxy.cfg
+
+listen velum
+        bind 0.0.0.0:80
+        bind 0.0.0.0:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+        mode http
+        acl path_autoyast path_reg ^/autoyast$
+        option forwardfor
+        http-request set-header X-Forwarded-Proto https
+        redirect scheme https code 302 if !{ ssl_fc } !path_autoyast
+        default-server inter 10s fall 3
+        balance roundrobin
+        server velum unix@/var/run/puma/dashboard.sock
+
+listen velum-api
+        bind 127.0.0.1:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+        mode http
+        option forwardfor
+        http-request set-header X-Forwarded-Proto https
+        default-server inter 10s fall 3
+        balance roundrobin
+        server velum unix@/var/run/puma/api.sock
+EOF
+fi
+
+# Generate missing TLS bundle files
+if [ ! -f "/etc/pki/private/velum-bundle.pem" ]; then
+    cat /etc/pki/velum.crt /etc/pki/private/velum.key > 
/etc/pki/private/velum-bundle.pem
+    chmod 600 /etc/pki/private/velum-bundle.pem
+fi
+if [ ! -f "/etc/pki/private/salt-api-bundle.pem" ]; then
+    cat /etc/pki/salt-api.crt /etc/pki/private/salt-api.key > 
/etc/pki/private/salt-api-bundle.pem
+    chmod 600 /etc/pki/private/salt-api-bundle.pem
+fi
+if [ ! -f "/etc/pki/private/ldap-bundle.pem" ]; then
+    cat /etc/pki/ldap.crt /etc/pki/private/ldap.key > 
/etc/pki/private/ldap-bundle.pem
+    chmod 600 /etc/pki/private/ldap-bundle.pem
+fi
+
 # Generate TLS CA and Initial Certificates
 /usr/share/caasp-container-manifests/gen-certs.sh
 
+# add an entry for ldap.infra.caasp.local to /etc/hosts
+# this is needed to enable net-ldap to validate the certificate for LDAP_HOST
+if ! [ "$(cat /etc/hosts | grep -E "^127.0.0.1\s+" | grep 
ldap.infra.caasp.local)" ]; then
+    sed -i 's/127.0.0.1\tlocalhost/127.0.0.1\tlocalhost 
ldap.infra.caasp.local/g' /etc/hosts
+fi
+
 VELUM_CRT_FINGERPRINT_SHA1=$(openssl x509 -noout -in /etc/pki/velum.crt 
-fingerprint -sha1 | cut -d= -f2)
 VELUM_CRT_FINGERPRINT_SHA256=$(openssl x509 -noout -in /etc/pki/velum.crt 
-fingerprint -sha256 | cut -d= -f2)
 
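Review bot: the velum-api section appended by the migration heredoc binds 127.0.0.1:443, while config/haproxy/haproxy.cfg in this same submission moves velum-api to 127.0.0.1:444 because it cannot share the port with the 0.0.0.0:443 bind of the velum section. Upgraded hosts that take the migration path therefore get exactly the port clash that commit 51731ef fixes for new installs; the heredoc should use 444. Two smaller points in the same hunk: the "Generate missing TLS bundle files" blocks run before gen-certs.sh and do not check that the .crt and .key inputs exist, so on a host without them cat fails and leaves an empty or partial *-bundle.pem that the "! -f" test will then treat as present on the next run; and the /etc/hosts edit only matches "127.0.0.1<TAB>localhost", so a hosts file that uses spaces is silently left unchanged and ldap.infra.caasp.local will not resolve. Appending a dedicated line when the grep finds nothing would be more robust than rewriting the localhost line.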
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/caasp-container-manifests-master/config/haproxy/haproxy.cfg 
new/caasp-container-manifests-master/config/haproxy/haproxy.cfg
--- old/caasp-container-manifests-master/config/haproxy/haproxy.cfg     
2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/config/haproxy/haproxy.cfg     
2018-02-27 15:13:49.000000000 +0100
@@ -1,7 +1,6 @@
 global
         log /dev/log    local0
         log /dev/log    local1 notice
-        daemon
 
 defaults
         log     global
@@ -9,8 +8,8 @@
         option  tcplog
         option  dontlognull
         timeout connect 5000
-        timeout client 50000
-        timeout server 50000
+        timeout client 120000
+        timeout server 120000
 
 listen velum
         bind 0.0.0.0:80
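Review bot: the new 120000 values for timeout client and timeout server only reach hosts that use this packaged file. The migration path in admin-node-setup.sh moves the existing /etc/haproxy/haproxy.cfg to /etc/caasp/haproxy/haproxy.cfg and only appends sections, so upgraded hosts keep whatever timeouts (and daemon setting) their old file had. If the longer timeouts are needed for the 60 second salt requests mentioned in the changelog, the migration needs to apply them too. A short comment next to the values stating that they are twice the 60 second salt timeout would also help the planned rework.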
@@ -25,10 +24,10 @@
         server velum unix@/var/run/puma/dashboard.sock
 
 listen velum-api
-        bind 127.0.0.1:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+        bind 127.0.0.1:444 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
         mode http
         option forwardfor
         http-request set-header X-Forwarded-Proto https
         default-server inter 10s fall 3
         balance roundrobin
-        server velum unix@/var/run/puma/api.sock
\ No newline at end of file
+        server velum unix@/var/run/puma/api.sock
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/caasp-container-manifests-master/gen-certs.sh 
new/caasp-container-manifests-master/gen-certs.sh
--- old/caasp-container-manifests-master/gen-certs.sh   2018-02-12 
16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/gen-certs.sh   2018-02-27 
15:13:49.000000000 +0100
@@ -148,6 +148,7 @@
     openssl verify -CAfile $DIR/ca.crt $DIR/$1.crt
 
     cat $DIR/$1.crt $PRIVATEDIR/$1.key > $PRIVATEDIR/$1-bundle.pem
+    chmod 600 $PRIVATEDIR/$1-bundle.pem
 }
 
 ip_addresses() {
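Review bot: the added chmod 600 runs after the redirect has already created $PRIVATEDIR/$1-bundle.pem, so the file containing the private key exists with the process's default umask permissions until the chmod completes. Set a restrictive umask (for example umask 077 in a subshell around the cat) or create the file with mode 600 first and then write into it. The variables in both lines are also unquoted; "$PRIVATEDIR/$1-bundle.pem" would be safer.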
@@ -161,4 +162,4 @@
 genca
 gencert "velum" "Velum" "$all_hostnames" "$(ip_addresses)"
 gencert "salt-api" "salt-api.infra.caasp.local" "" "127.0.0.1"
-gencert "ldap" "OpenLDAP" "$all_hostnames" "$(ip_addresses)"
+gencert "ldap" "OpenLDAP" "ldap.infra.caasp.local" "$(ip_addresses)"
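Review bot: the ldap certificate now carries ldap.infra.caasp.local in place of $all_hostnames, but the body of gencert is not visible here, so it is unclear whether an already existing ldap.crt is reissued. If gencert skips certificates that are present, upgraded nodes keep a certificate without the new name and validation against LDAP_HOST will fail once it is enforced. Please confirm that the upgrade path regenerates the ldap certificate and its bundle. Also worth checking whether any client still reaches LDAP by one of the names in $all_hostnames, since those names are no longer covered.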
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/caasp-container-manifests-master/manifests/public.yaml 
new/caasp-container-manifests-master/manifests/public.yaml
--- old/caasp-container-manifests-master/manifests/public.yaml  2018-02-12 
16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/manifests/public.yaml  2018-02-27 
15:13:49.000000000 +0100
@@ -256,7 +256,7 @@
     - name: VELUM_INTERNAL_API_PASSWORD_FILE
       value: /var/lib/misc/infra-secrets/velum-internal-api-password
     - name: LDAP_HOST
-      value: "127.0.0.1"
+      value: "ldap.infra.caasp.local"
     - name: LDAP_PORT
       value: "389"
     - name: LDAP_GROUP_BASE_DN
@@ -326,7 +326,7 @@
     - name: VELUM_INTERNAL_API_PASSWORD_FILE
       value: /var/lib/misc/infra-secrets/velum-internal-api-password
     - name: LDAP_HOST
-      value: "127.0.0.1"
+      value: "ldap.infra.caasp.local"
     - name: LDAP_PORT
       value: "389"
     - name: LDAP_GROUP_BASE_DN
@@ -422,7 +422,7 @@
     - name: VELUM_INTERNAL_API_PASSWORD_FILE
       value: /var/lib/misc/infra-secrets/velum-internal-api-password
     - name: LDAP_HOST
-      value: "127.0.0.1"
+      value: "ldap.infra.caasp.local"
     - name: LDAP_PORT
       value: "389"
     - name: LDAP_GROUP_BASE_DN
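Review bot: in all three LDAP_HOST hunks LDAP_PORT stays "389", the plain LDAP port, so the certificate validation this change prepares for only has an effect if the client negotiates StartTLS on that connection. Nothing in the visible lines sets an encryption mode, so it is worth confirming that the consumers of these variables request StartTLS (or moving to an LDAPS port). The new name also has to resolve inside these containers; the only mapping added in this submission is the /etc/hosts entry written by admin-node-setup.sh on the host.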
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/caasp-container-manifests-master/setup/mysql/setup-mysql.sh 
new/caasp-container-manifests-master/setup/mysql/setup-mysql.sh
--- old/caasp-container-manifests-master/setup/mysql/setup-mysql.sh     
2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/setup/mysql/setup-mysql.sh     
2018-02-27 15:13:49.000000000 +0100
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 umask 377;
 
-while [ ! -f /infra-secrets/mariadb-root-password ]; do
+# wait until the file exists and has contents
+while [ ! -s /infra-secrets/mariadb-root-password ]; do
     sleep 1
 done
 
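Review bot: the wait loop on /infra-secrets/mariadb-root-password still has no upper bound and logs nothing. Because this is an init container that blocks the other containers while it runs, a secret that never arrives turns into a silent hang. Consider counting iterations, printing a message while waiting, and exiting non-zero after a limit so the failure is visible and the container is restarted. Note also that -s is true as soon as the file has any content, so a writer that does not create the file atomically can still be read half-written.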

