Hello community,
here is the log from the commit of package caasp-container-manifests for
openSUSE:Factory checked in at 2018-03-06 10:48:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/caasp-container-manifests (Old)
and /work/SRC/openSUSE:Factory/.caasp-container-manifests.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "caasp-container-manifests"
Tue Mar 6 10:48:53 2018 rev:2 rq:583219 version:3.0.0+git_r256_2ce2854
Changes:
--------
--- /work/SRC/openSUSE:Factory/caasp-container-manifests/caasp-container-manifests.changes 2018-02-21 14:11:05.551008265 +0100
+++ /work/SRC/openSUSE:Factory/.caasp-container-manifests.new/caasp-container-manifests.changes 2018-03-06 10:49:28.775533866 +0100
@@ -1,0 +2,110 @@
+Mon Mar 5 16:15:03 UTC 2018 - [email protected]
+
+- Remove Kubic workaround, caasp-tools no longer conflicts
+
+-------------------------------------------------------------------
+Tue Feb 27 14:13:46 UTC 2018 - [email protected]
+
+- Commit d02a181 by Kiall Mac Innes [email protected]
+ Haproxy: Remove daemon config flag
+
+
+-------------------------------------------------------------------
+Tue Feb 27 10:31:18 UTC 2018 - [email protected]
+
+- Commit 4a6ade3 by Kiall Mac Innes [email protected]
+ Fix three upgrade issues
+
+ * Migrate the old HAProxy config over
+ * Add the new static velum/velum-api haproxy sections
+ * Generate the missing *-bundle.pem files
+
+ Fixes bsc#1080978
+
+
+-------------------------------------------------------------------
+Tue Feb 27 10:22:55 UTC 2018 - [email protected]
+
+- Commit 7a8e1d1 by Flavio Castelli [email protected]
+ Make entrypoint of mariadb-user-secrets container more robust
+
+ I've run into a timing issue that caused the root password of mariadb
+ **not** being injected into the running container "mariadb-user-secrets" in
+ time. That caused the container to enter an infinite loop consisting of
+ trying to connect to mariadb as root without a specifying password, getting
+ an error message, sleeping 1 second and trying again.
+
+ This is an init container, as long as it's running kubelet won't start over
+ containers, like openldap, velum-*, salt-*,...
+
+ With this change the mariadb entrypoint waits untile the file containing the
+ root password exists and is not empty.
+
+ Signed-off-by: Flavio Castelli <[email protected]>
+
+
+-------------------------------------------------------------------
+Tue Feb 27 08:53:47 UTC 2018 - [email protected]
+
+- Commit da3c5cc by Kiall Mac Innes [email protected]
+ Update missed LDAP_HOST value from 127.0.0.1 to ldap.infra.caasp.local
+
+ I don't think this value is actually used, however, for consistency, lets set
+ it to the correct value. We may want to check if it's used and remove if not.
+
+
+-------------------------------------------------------------------
+Mon Feb 26 10:52:10 UTC 2018 - [email protected]
+
+- Commit 30edb7c by Maximilian Meister [email protected]
+ enable certificate validation for net-ldap
+
+ CVE-2017-17718 requires net-ldap to validate the certificate
+
+ therefore set a fixed resolvable name for ldap and generate the certificate
+ for it
+
+ Signed-off-by: Maximilian Meister <[email protected]>
+
+
+-------------------------------------------------------------------
+Thu Feb 22 11:51:48 UTC 2018 - [email protected]
+
+- Commit 30edb7c by Maximilian Meister [email protected]
+ enable certificate validation for net-ldap
+
+ CVE-2017-17718 requires net-ldap to validate the certificate
+
+ therefore set a fixed resolvable name for ldap and generate the certificate
+ for it
+
+ Signed-off-by: Maximilian Meister <[email protected]>
+
+
+-------------------------------------------------------------------
+Fri Feb 16 14:02:33 UTC 2018 - [email protected]
+
+- Commit 51731ef by Kiall Mac Innes [email protected]
+ Velum Dash and API both attempt to bind to the same port
+
+ It's not possible to reliably bind to 0.0.0.0:443 for one service, and
+ 127.0.0.1:443 for another service.
+
+ As such, we'll move velum-api over to 127.0.0.1:444
+
+
+-------------------------------------------------------------------
+Thu Feb 15 16:33:02 UTC 2018 - [email protected]
+
+- Commit 94ec5bb by Kiall Mac Innes [email protected]
+ Increase haproxy timeouts from 50sec, to 120sec
+
+ Some components have a 60 second timeout for salt request timeouts, e.g the
+ salt-api server which is called by Velum. Increase this timeout to double
+ their timeouts to allow the real failures to be disclosed.
+
+ We'll likely want to rework how timeouts are handled soon accross all our
+ components.
+
+
+-------------------------------------------------------------------
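Review bot: the changelog entry for commit 30edb7c (enable certificate validation for net-ldap) appears twice, once under Mon Feb 26 and once under Thu Feb 22, with identical text; keep one. The 7a8e1d1 entry has a typo ("untile" for "until"), and the d02a181 entry ("Haproxy: Remove daemon config flag") gives no reason for the change; a one-line rationale would help whoever reads this changelog during an upgrade.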
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ caasp-container-manifests.spec ++++++
--- /var/tmp/diff_new_pack.6DxbH3/_old 2018-03-06 10:49:29.475508580 +0100
+++ /var/tmp/diff_new_pack.6DxbH3/_new 2018-03-06 10:49:29.475508580 +0100
@@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
%if 0%{?suse_version} == 1315 && !0%{?is_opensuse}
%define _base_image sles12
%endif
@@ -28,40 +29,34 @@
%endif
Name: caasp-container-manifests
-Version: 3.0.0+git_r242_40d3c00
+Version: 3.0.0+git_r256_2ce2854
Release: 0
-License: Apache-2.0
Summary: Manifest file templates for containers on controller node
-Url: https://github.com/kubic-project/caasp-container-manifests
+License: Apache-2.0
Group: System/Management
+Url: https://github.com/kubic-project/caasp-container-manifests
Source: master.tar.gz
Requires: container-feeder
# Require all the docker images
-Requires: %{_base_image}-pause-image >= 2.0.0
+Requires: %{_base_image}-caasp-dex-image >= 2.0.0
+Requires: %{_base_image}-dnsmasq-nanny-image >= 2.0.0
+Requires: %{_base_image}-flannel-image >= 2.0.0
+Requires: %{_base_image}-haproxy-image >= 2.0.0
+Requires: %{_base_image}-kubedns-image >= 2.0.0
Requires: %{_base_image}-mariadb-image >= 2.0.0
+Requires: %{_base_image}-openldap-image >= 2.0.0
+Requires: %{_base_image}-pause-image >= 2.0.0
Requires: %{_base_image}-pv-recycler-node-image >= 2.0.0
Requires: %{_base_image}-salt-api-image >= 2.0.0
Requires: %{_base_image}-salt-master-image >= 2.0.0
Requires: %{_base_image}-salt-minion-image >= 2.0.0
-Requires: %{_base_image}-velum-image >= 2.0.0
-Requires: %{_base_image}-haproxy-image >= 2.0.0
-Requires: %{_base_image}-flannel-image >= 2.0.0
-Requires: %{_base_image}-dnsmasq-nanny-image >= 2.0.0
-Requires: %{_base_image}-kubedns-image >= 2.0.0
Requires: %{_base_image}-sidecar-image >= 2.0.0
Requires: %{_base_image}-tiller-image >= 2.0.0
-Requires: %{_base_image}-openldap-image >= 2.0.0
-Requires: %{_base_image}-caasp-dex-image >= 2.0.0
+Requires: %{_base_image}-velum-image >= 2.0.0
# Require all the things we mount from the host from the kubernetes-salt
package
Requires: kubernetes-salt
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%if ! 0%{?is_susecaasp}
-# caasp-tools package provides
%{_datadir}/caasp-container-manifests/activate.sh
-# if this is not building for SUSE CaaSP, so both packages can't be installed
-# at the same time.
-Conflicts: caasp-tools
-%endif
%description
Manifest file templates will instruct kubelet service to bring up salt
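Review bot: dropping the `Conflicts: caasp-tools` block matches the changelog ("caasp-tools no longer conflicts"), but the removed comment said caasp-tools used to provide `%{_datadir}/caasp-container-manifests/activate.sh`; the spec should only lose the conflict if that file is now shipped by exactly one of the two packages, otherwise rpm will report a file conflict at install time where the explicit Conflicts used to prevent it. The re-sorting of the Requires lines and the License/Url swap are cosmetic.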
@@ -120,4 +115,5 @@
%{_sbindir}/rcadmin-node-setup
%{_unitdir}/admin-node-setup.service
%{_datadir}/%{name}/*
+
%changelog
++++++ master.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/caasp-container-manifests-master/admin-node-setup.sh new/caasp-container-manifests-master/admin-node-setup.sh
--- old/caasp-container-manifests-master/admin-node-setup.sh 2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/admin-node-setup.sh 2018-02-27 15:13:49.000000000 +0100
@@ -49,18 +49,73 @@
rm -rf $tmp_dir
-# First time setup of user-configuration for salt-master
+# Create CaaSP config dir
if [ ! -d "/etc/caasp" ]; then
mkdir /etc/caasp
fi
+# First time setup of user-configuration for salt-master
if [ ! -f "/etc/caasp/salt-master-custom.conf" ]; then
echo "# Custom Configurations for Salt-Master" >
/etc/caasp/salt-master-custom.conf
fi
+# Migrate haproxy config path post path change
+if [[ ! -f "/etc/caasp/haproxy/haproxy.cfg" && -f "/etc/haproxy/haproxy.cfg"
]]; then
+ if [ ! -d "/etc/caasp/haproxy" ]; then
+ mkdir /etc/caasp/haproxy
+ fi
+
+ mv /etc/haproxy/haproxy.cfg /etc/caasp/haproxy/haproxy.cfg
+
+ # Add the Velum and Velum-API services to HAproxy
+ cat << EOF >> /etc/caasp/haproxy/haproxy.cfg
+
+listen velum
+ bind 0.0.0.0:80
+ bind 0.0.0.0:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+ mode http
+ acl path_autoyast path_reg ^/autoyast$
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+ redirect scheme https code 302 if !{ ssl_fc } !path_autoyast
+ default-server inter 10s fall 3
+ balance roundrobin
+ server velum unix@/var/run/puma/dashboard.sock
+
+listen velum-api
+ bind 127.0.0.1:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+ mode http
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+ default-server inter 10s fall 3
+ balance roundrobin
+ server velum unix@/var/run/puma/api.sock
+EOF
+fi
+
+# Generate missing TLS bundle files
+if [ ! -f "/etc/pki/private/velum-bundle.pem" ]; then
+ cat /etc/pki/velum.crt /etc/pki/private/velum.key >
/etc/pki/private/velum-bundle.pem
+ chmod 600 /etc/pki/private/velum-bundle.pem
+fi
+if [ ! -f "/etc/pki/private/salt-api-bundle.pem" ]; then
+ cat /etc/pki/salt-api.crt /etc/pki/private/salt-api.key >
/etc/pki/private/salt-api-bundle.pem
+ chmod 600 /etc/pki/private/salt-api-bundle.pem
+fi
+if [ ! -f "/etc/pki/private/ldap-bundle.pem" ]; then
+ cat /etc/pki/ldap.crt /etc/pki/private/ldap.key >
/etc/pki/private/ldap-bundle.pem
+ chmod 600 /etc/pki/private/ldap-bundle.pem
+fi
+
# Generate TLS CA and Initial Certificates
/usr/share/caasp-container-manifests/gen-certs.sh
+# add an entry for ldap.infra.caasp.local to /etc/hosts
+# this is needed to enable net-ldap to validate the certificate for LDAP_HOST
+if ! [ "$(cat /etc/hosts | grep -E "^127.0.0.1\s+" | grep
ldap.infra.caasp.local)" ]; then
+ sed -i 's/127.0.0.1\tlocalhost/127.0.0.1\tlocalhost
ldap.infra.caasp.local/g' /etc/hosts
+fi
+
VELUM_CRT_FINGERPRINT_SHA1=$(openssl x509 -noout -in /etc/pki/velum.crt
-fingerprint -sha1 | cut -d= -f2)
VELUM_CRT_FINGERPRINT_SHA256=$(openssl x509 -noout -in /etc/pki/velum.crt
-fingerprint -sha256 | cut -d= -f2)
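Review bot: the velum-api section that the migration block appends to /etc/caasp/haproxy/haproxy.cfg binds `127.0.0.1:443`, while config/haproxy/haproxy.cfg in this same update moves velum-api to `127.0.0.1:444` (commit 51731ef exists precisely because 443 cannot be reliably shared with `listen velum`), so upgraded nodes get the conflicting port that fresh installs no longer have; use 444 here too. The three bundle files are written with `cat crt key > bundle.pem` and only then `chmod 600`, so for the time between the two commands a file containing a private key carries umask-derived permissions; write it under a restrictive umask instead, e.g. `( umask 077; cat /etc/pki/velum.crt /etc/pki/private/velum.key > /etc/pki/private/velum-bundle.pem )`. The /etc/hosts step has two problems: the `sed` only matches a literal tab between `127.0.0.1` and `localhost`, so on a host whose line uses spaces the alias is never added and the `grep` guard is false on every run, and the regex in `grep -E "^127.0.0.1\s+"` is unescaped (`.` matches any character); a simpler and more robust form is `grep -qE '^127\.0\.0\.1[[:space:]].*ldap\.infra\.caasp\.local' /etc/hosts || printf '127.0.0.1\tldap.infra.caasp.local\n' >> /etc/hosts`. Note also that `[[ ... ]]` requires bash, so the script's shebang must not be /bin/sh.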
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/caasp-container-manifests-master/config/haproxy/haproxy.cfg new/caasp-container-manifests-master/config/haproxy/haproxy.cfg
--- old/caasp-container-manifests-master/config/haproxy/haproxy.cfg 2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/config/haproxy/haproxy.cfg 2018-02-27 15:13:49.000000000 +0100
@@ -1,7 +1,6 @@
global
log /dev/log local0
log /dev/log local1 notice
- daemon
defaults
log global
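Review bot: removing `daemon` is the right call for a container, where HAProxy has to stay in the foreground as the container's main process rather than fork into the background and leave the container to exit, but that reasoning belongs in the commit message for d02a181, which currently states only what was removed.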
@@ -9,8 +8,8 @@
option tcplog
option dontlognull
timeout connect 5000
- timeout client 50000
- timeout server 50000
+ timeout client 120000
+ timeout server 120000
listen velum
bind 0.0.0.0:80
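Review bot: these values are milliseconds, so 120000 is the 120 seconds the changelog names, and they sit in `defaults`, so they apply to every listener including the public velum front end on 80/443, not just the salt-api path that motivated the change; if the intent is only to outlast the 60-second salt timeouts, set them on the relevant `listen` sections. Since `timeout client` is an inactivity timeout, it does not bound how long a client may take to deliver a full request; a `timeout http-request` alongside it keeps slow-header connections from occupying the front end for the full two minutes.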
@@ -25,10 +24,10 @@
server velum unix@/var/run/puma/dashboard.sock
listen velum-api
- bind 127.0.0.1:443 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
+ bind 127.0.0.1:444 ssl crt /etc/pki/velum.pem ca-file /etc/pki/ca.crt
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https
default-server inter 10s fall 3
balance roundrobin
- server velum unix@/var/run/puma/api.sock
\ No newline at end of file
+ server velum unix@/var/run/puma/api.sock
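Review bot: moving velum-api to `127.0.0.1:444` removes the clash with `listen velum` on `0.0.0.0:443`, but no caller of velum-api is updated anywhere in this diff and the migration block in admin-node-setup.sh still writes port 443, so confirm every consumer now targets 444. Separately, `ca-file /etc/pki/ca.crt` on a `bind` line only takes effect together with `verify required` (or `verify optional`); as written no client certificate is checked on either listener, which is fine if none was intended but should not be mistaken for mutual TLS.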
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/caasp-container-manifests-master/gen-certs.sh new/caasp-container-manifests-master/gen-certs.sh
--- old/caasp-container-manifests-master/gen-certs.sh 2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/gen-certs.sh 2018-02-27 15:13:49.000000000 +0100
@@ -148,6 +148,7 @@
openssl verify -CAfile $DIR/ca.crt $DIR/$1.crt
cat $DIR/$1.crt $PRIVATEDIR/$1.key > $PRIVATEDIR/$1-bundle.pem
+ chmod 600 $PRIVATEDIR/$1-bundle.pem
}
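Review bot: same ordering issue as in admin-node-setup.sh: the bundle containing `$1.key` is written by `cat` before `chmod 600` runs, so its initial mode comes from the caller's umask; set `umask 077` at the top of gen-certs.sh (or wrap the `cat` in a subshell with it) so the file is never created readable. The unquoted `$DIR/$1.crt` and `$PRIVATEDIR/$1.key` expansions should also be quoted.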
ip_addresses() {
@@ -161,4 +162,4 @@
genca
gencert "velum" "Velum" "$all_hostnames" "$(ip_addresses)"
gencert "salt-api" "salt-api.infra.caasp.local" "" "127.0.0.1"
-gencert "ldap" "OpenLDAP" "$all_hostnames" "$(ip_addresses)"
+gencert "ldap" "OpenLDAP" "ldap.infra.caasp.local" "$(ip_addresses)"
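Review bot: issuing the ldap certificate for `ldap.infra.caasp.local` alone lines up with the new LDAP_HOST in public.yaml and the /etc/hosts alias, which is what hostname verification needs, but nothing in this hunk regenerates an ldap.crt that an existing node already issued under `$all_hostnames`; unless gencert overwrites existing certificates, upgraded nodes will keep failing validation, so the upgrade path needs either a regeneration step or a documented manual one.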
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/caasp-container-manifests-master/manifests/public.yaml new/caasp-container-manifests-master/manifests/public.yaml
--- old/caasp-container-manifests-master/manifests/public.yaml 2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/manifests/public.yaml 2018-02-27 15:13:49.000000000 +0100
@@ -256,7 +256,7 @@
- name: VELUM_INTERNAL_API_PASSWORD_FILE
value: /var/lib/misc/infra-secrets/velum-internal-api-password
- name: LDAP_HOST
- value: "127.0.0.1"
+ value: "ldap.infra.caasp.local"
- name: LDAP_PORT
value: "389"
- name: LDAP_GROUP_BASE_DN
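Review bot: LDAP_HOST now matches the name in the ldap certificate, which is what net-ldap's certificate validation checks; since LDAP_PORT stays `389`, any TLS here has to be STARTTLS, so confirm the Velum side actually negotiates encryption on that port, otherwise the CVE-2017-17718 mitigation named in the changelog is never exercised. The same value change is repeated identically in the two hunks below.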
@@ -326,7 +326,7 @@
- name: VELUM_INTERNAL_API_PASSWORD_FILE
value: /var/lib/misc/infra-secrets/velum-internal-api-password
- name: LDAP_HOST
- value: "127.0.0.1"
+ value: "ldap.infra.caasp.local"
- name: LDAP_PORT
value: "389"
- name: LDAP_GROUP_BASE_DN
@@ -422,7 +422,7 @@
- name: VELUM_INTERNAL_API_PASSWORD_FILE
value: /var/lib/misc/infra-secrets/velum-internal-api-password
- name: LDAP_HOST
- value: "127.0.0.1"
+ value: "ldap.infra.caasp.local"
- name: LDAP_PORT
value: "389"
- name: LDAP_GROUP_BASE_DN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/caasp-container-manifests-master/setup/mysql/setup-mysql.sh new/caasp-container-manifests-master/setup/mysql/setup-mysql.sh
--- old/caasp-container-manifests-master/setup/mysql/setup-mysql.sh 2018-02-12 16:19:40.000000000 +0100
+++ new/caasp-container-manifests-master/setup/mysql/setup-mysql.sh 2018-02-27 15:13:49.000000000 +0100
@@ -1,7 +1,8 @@
#!/usr/bin/env bash
umask 377;
-while [ ! -f /infra-secrets/mariadb-root-password ]; do
+# wait until the file exists and has contents
+while [ ! -s /infra-secrets/mariadb-root-password ]; do
sleep 1
done
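Review bot: `-s` closes the empty-file window described in the 7a8e1d1 message, but the loop is still unbounded, so a secret that never arrives leaves the init container hanging silently and blocks every dependent pod; cap the wait and `exit 1` after the limit so kubelet restarts the container and the failure is visible in pod events. The `umask 377` kept above is appropriate for a script handling a root password.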