From adf64cb917c2170b34a2d028bca1741e39bafec7 Mon Sep 17 00:00:00 2001 From: Jim Somerville Date: Tue, 4 Dec 2018 14:57:34 -0500 Subject: [PATCH 1/9] Upgrade qemu to version 3.0.0 Note that it now uses keycodemapdb source which was upgraded earlier. Story: 2003395 Task: 24521 Change-Id: I551d654c4b5d7c923911d8c33f0b5fca022d1dda Signed-off-by: Jim Somerville --- virt/qemu/centos/build_srpm.data | 4 +++- virt/qemu/centos/files/build_configure.sh | 1 - virt/qemu/centos/qemu-kvm.spec | 12 ++++++++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/virt/qemu/centos/build_srpm.data b/virt/qemu/centos/build_srpm.data index aeaa896ee..27a85e5e6 100644 --- a/virt/qemu/centos/build_srpm.data +++ b/virt/qemu/centos/build_srpm.data @@ -1,8 +1,10 @@ SRC_DIR="$CGCS_BASE/git/qemu" COPY_LIST="$CGCS_BASE/downloads/kvm-unit-tests.git-4ea7633.tar.bz2 \ + $CGCS_BASE/downloads/keycodemapdb-16e5b07.tar.gz \ $FILES_BASE/* \ $PKG_BASE/qemu/qemu_clean \ $PKG_BASE/qemu/qemu_clean.service \ $PKG_BASE/qemu/qemu-system-x86.conf" -TIS_BASE_SRCREV=c284b3d419e1cc9b1f25661f4f636f19b1399970 +TIS_BASE_SRCREV=38441756b70eec5807b5f60dad11a93a91199866 TIS_PATCH_VER=GITREVCOUNT + diff --git a/virt/qemu/centos/files/build_configure.sh b/virt/qemu/centos/files/build_configure.sh index f9ba586f4..c487d9971 100755 --- a/virt/qemu/centos/files/build_configure.sh +++ b/virt/qemu/centos/files/build_configure.sh @@ -60,7 +60,6 @@ fi --with-pkgversion=${nvr} \ --with-confsuffix=/${pkgname} \ --with-coroutine=ucontext \ - --with-system-pixman \ --disable-bluez \ --disable-brlapi \ --enable-cap-ng \ diff --git a/virt/qemu/centos/qemu-kvm.spec b/virt/qemu/centos/qemu-kvm.spec index d8bd443d4..b93d34372 100644 --- a/virt/qemu/centos/qemu-kvm.spec +++ b/virt/qemu/centos/qemu-kvm.spec 
@@ -82,7 +82,7 @@ Obsoletes: %1 < %{obsoletes_version} Summary: QEMU is a FAST! processor emulator Name: %{pkgname}%{?pkgsuffix} -Version: 2.10.0 +Version: 3.0.0 Release: 0%{?_tis_dist}.%{tis_patch_ver} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 @@ -158,6 +158,7 @@ Source25: kvm-unit-tests.git-4ea7633.tar.bz2 Source26: vhost.conf Source27: kvm.conf Source28: 95-kvm-memlock.conf +Source29: keycodemapdb-16e5b07.tar.gz #WRS Source127: qemu_clean @@ -422,6 +423,8 @@ buildldflags="VL_LDFLAGS=-Wl,--build-id" sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure %endif +tar xzf %{SOURCE29} -C ui + cp %{SOURCE24} build_configure.sh ./build_configure.sh \ @@ -593,6 +596,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-zipl.rom rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-ccw.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-netboot.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/u-boot.e500 +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/canyonlands.dtb +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/hppa-firmware.img +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/u-boot-sam460-20100605.bin %ifnarch %{power64} rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/spapr-rtas.bin @@ -794,7 +800,7 @@ exit 0 %files %defattr(-,root,root) %ifarch x86_64 - %{_datadir}/%{pkgname}/acpi-dsdt.aml +# %{_datadir}/%{pkgname}/acpi-dsdt.aml %{_datadir}/%{pkgname}/bios.bin %{_datadir}/%{pkgname}/bios-256k.bin %{_datadir}/%{pkgname}/linuxboot.bin @@ -856,7 +862,9 @@ exit 0 %{_bindir}/qemu-img %{_bindir}/qemu-io %{_bindir}/qemu-nbd +%{_bindir}/qemu-pr-helper %{_mandir}/man1/qemu-img.1* +%{_mandir}/man7/qemu-block-drivers.7* %{_mandir}/man8/qemu-nbd.8* # WRS: virtfs %{_mandir}/man1/virtfs-proxy-helper.1* From ff360aa30a96bf945308282ca61706d09d46129a Mon Sep 17 00:00:00 2001 
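Review bot: In the %prep hunk at -422, `tar xzf %{SOURCE29} -C ui` unpacks keycodemapdb-16e5b07.tar.gz into the source tree with no integrity check, while the qemu tree itself is pinned by a full commit hash through TIS_BASE_SRCREV. The tarball name carries only a short commit id and the spec records no digest, so a changed file in the downloads directory would be compiled into qemu without any build failure; whether the download step verifies a checksum is not visible in this diff. I would record the expected SHA-256 next to Source29 and check it on the line before the tar call, for example `echo "<expected-sha256>  %{SOURCE29}" | sha256sum -c -`.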
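Review bot: The %files entry in the hunk at -794 is disabled by turning it into `# %{_datadir}/%{pkgname}/acpi-dsdt.aml`, which leaves macros inside a spec comment and gives no reason for dropping the file. rpm still expands macros on comment lines, so the usual form is to delete the entry or escape it as `# %%{_datadir}/%%{pkgname}/acpi-dsdt.aml`. A short comment such as `# acpi-dsdt.aml is not installed by qemu 3.0.0` would tell the next packager why the line is gone; that reason is inferred from the version bump and should be confirmed.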
From: Sun Austin Date: Mon, 10 Dec 2018 10:11:43 +0800 Subject: [PATCH 2/9] update /etc/pam.d/system-auth content with system-auth.pam LDAP sudo user is not able to login by password. root cause is that password rules in system-auth is not updated correctly because system-auth.apm in pam-config is missed to be copied to /etc/pam.d/system-auth copy system-auth.pam in pam-config to /etc/pam.d/system-auth to solve this issue. Closes-Bug: #1806977 Change-Id: Ic646e30d06bcbe8cf3bf66c903942e4240bd23bd Signed-off-by: Sun Austin --- config-files/pam-config/centos/build_srpm.data | 2 +- config-files/pam-config/centos/pam-config.spec | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/config-files/pam-config/centos/build_srpm.data b/config-files/pam-config/centos/build_srpm.data index da1e20bd8..2c3b2cb8b 100644 --- a/config-files/pam-config/centos/build_srpm.data +++ b/config-files/pam-config/centos/build_srpm.data @@ -1,2 +1,2 @@ SRC_DIR="files" -TIS_PATCH_VER=0 +TIS_PATCH_VER=1 diff --git a/config-files/pam-config/centos/pam-config.spec b/config-files/pam-config/centos/pam-config.spec index 369afd50b..4508f9e08 100644 --- a/config-files/pam-config/centos/pam-config.spec +++ b/config-files/pam-config/centos/pam-config.spec 
@@ -15,23 +15,31 @@ Summary: package StarlingX configuration files of pam to system folder. %description package StarlingX configuration files of pam to system folder. +%define _pamconfdir %{_sysconfdir}/pam.d + %prep %setup %build %install -%define _pamconfdir %{_sysconfdir}/pam.d %{__install} -d %{buildroot}%{_pamconfdir} +%{__install} -d %{buildroot}%{_datadir}/starlingx %{__install} -m 644 common-account %{buildroot}%{_pamconfdir}/common-account %{__install} -m 644 common-auth %{buildroot}%{_pamconfdir}/common-auth %{__install} -m 644 common-password %{buildroot}%{_pamconfdir}/common-password %{__install} -m 644 common-session %{buildroot}%{_pamconfdir}/common-session %{__install} -m 644 common-session-noninteractive %{buildroot}%{_pamconfdir}/common-session-noninteractive +%{__install} -m 644 system-auth.pamd %{buildroot}%{_datadir}/starlingx/stx.system-auth %post +if [ $1 -eq 1 ] ; then + # Initial installation + cp -f %{_datadir}/starlingx/stx.system-auth %{_pamconfdir}/system-auth +fi %files +%{_datadir}/starlingx/stx.system-auth %config(noreplace) %{_pamconfdir}/common-account %config(noreplace) %{_pamconfdir}/common-auth %config(noreplace) %{_pamconfdir}/common-password From 2730d2b38b6a8122397445b9dc647e73f0bbbb57 Mon Sep 17 00:00:00 2001 From: zhipengl Date: Sat, 8 Dec 2018 00:48:10 +0800 Subject: [PATCH 3/9] Refactor harden server and client config patch for openssh package Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test pass and configuration file check pass! Story: 2004477 Task: 28185 Change-Id: I9976733bab102ee076d514333cd5a74af20794ec 
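Review bot: The new %post block copies stx.system-auth over %{_pamconfdir}/system-auth only when `$1 -eq 1`, so hosts that receive this package as an upgrade keep the old password rules that the commit message names as the root cause. The same install-only guard wraps the ssh_config and sshd_config copies added to base/openssh-config/centos/openssh-config.spec later in this series. On CentOS /etc/pam.d/system-auth is usually a symlink maintained by authconfig, so `cp -f` probably writes through to the link target and a later authconfig run may regenerate it; this should be confirmed on a deployed node. If upgrades are meant to be covered the guard could become `if [ "$1" -ge 1 ] ; then`, preferably after saving the previous file, since a broken PAM stack blocks every login path.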
Signed-off-by: zhipengl --- .../openssh-config/centos/openssh-config.spec | 8 +- base/openssh-config/files/ssh_config | 71 +++++++++ base/openssh-config/files/sshd_config | 148 ++++++++++++++++++ base/openssh/centos/build_srpm.data | 2 +- .../spec-include-TiS-changes.patch | 30 +--- .../harden-server-and-client-config.patch | 124 --------------- 6 files changed, 233 insertions(+), 150 deletions(-) create mode 100644 base/openssh-config/files/ssh_config create mode 100644 base/openssh-config/files/sshd_config delete mode 100644 base/openssh/centos/patches/harden-server-and-client-config.patch diff --git a/base/openssh-config/centos/openssh-config.spec b/base/openssh-config/centos/openssh-config.spec index 2bc503641..b8ecab924 100644 --- a/base/openssh-config/centos/openssh-config.spec +++ b/base/openssh-config/centos/openssh-config.spec @@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder. %{__install} -d %{buildroot}%{_sysconfdir}/systemd/system %{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam %{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service +%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config +%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config %post %define _pamconfdir %{_sysconfdir}/pam.d if [ $1 -eq 1 ] ; then # Initial installation - cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd + cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd + cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config + cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config fi %files %{_datadir}/starlingx/sshd.pam %{_sysconfdir}/systemd/system/sshd.service +%{_datadir}/starlingx/ssh_config +%{_datadir}/starlingx/sshd_config diff --git a/base/openssh-config/files/ssh_config b/base/openssh-config/files/ssh_config new file mode 100644 index 000000000..c970defeb --- /dev/null 
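Review bot: The two `cp -f` lines added to %post replace /etc/ssh/ssh_config and /etc/ssh/sshd_config without checking the result, and a failing %post scriptlet only produces a warning rather than failing the install, so a host can end up running the stock sshd_config instead of the hardened one. The copy also assumes %{_sysconfdir}/ssh already exists, which depends on openssh-server and openssh-clients being installed first; the Requires lines are outside this hunk, so `Requires(post): openssh-server openssh-clients` should be confirmed or added. Using `install -m 600 %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config` in place of `cp -f` would also set the mode of the live file explicitly instead of inheriting whatever the destination had.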
+++ b/base/openssh-config/files/ssh_config 
@@ -0,0 +1,71 @@ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# +# Uncomment this if you want to use .local domain +# Host *.local +# CheckHostIP no + +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access +# to the original X11 display. 
As virtually no X11 client supports the untrusted +# mode correctly we set this to yes. + ForwardX11Trusted yes +# Send locale-related environment variables + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS + +# Filtered key exchange algorithm list +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 diff --git a/base/openssh-config/files/sshd_config b/base/openssh-config/files/sshd_config new file mode 100644 index 000000000..7091b6868 --- /dev/null +++ b/base/openssh-config/files/sshd_config 
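Review bot: The client file restricts only `KexAlgorithms`, while the sshd_config added in the same commit also pins `Ciphers` and `MACs`, so outbound connections from these hosts still negotiate whatever ciphers and MACs the OpenSSH build defaults to. The directive is placed after the `Host *` block and is therefore parsed as part of it; that works, but a comment such as `# Applies to all hosts (still inside the Host * block above)` would make the scope explicit. The `Host *` block also keeps `GSSAPIAuthentication yes` and `ForwardX11Trusted yes`, whereas the server side sets `GSSAPIAuthentication no` and `X11Forwarding no`. If that difference is intended it deserves a one-line comment; otherwise the client defaults should follow the server hardening.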
@@ -0,0 +1,148 @@ +# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +RekeyLimit default 1h + +# Logging +#SyslogFacility AUTH +#SyslogFacility AUTHPRIV +LogLevel INFO + +# Authentication: + +LoginGraceTime 1m +PermitRootLogin no +#StrictModes yes +MaxAuthTries 4 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+#PasswordAuthentication yes +#PermitEmptyPasswords no +PasswordAuthentication yes + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +GSSAPIAuthentication no +GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no +#GSSAPIEnablek5users no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several +# problems. 
+UsePAM yes + +AllowAgentForwarding no +AllowTcpForwarding no +#GatewayPorts no +X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation yes +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#ShowPatchLevel no +# Make SSH connect faster on bootup +UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# default banner path +Banner /etc/issue.net + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +DenyUsers admin secadmin operator +# Filtered cipher, MAC and key exchange algorithm list, defaults can be +# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex +# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list +# using "-" should be used for cipher, MAC and kex excluded suites. 
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com +MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 diff --git a/base/openssh/centos/build_srpm.data b/base/openssh/centos/build_srpm.data index c428b1f1d..ed8de7493 100644 --- a/base/openssh/centos/build_srpm.data +++ b/base/openssh/centos/build_srpm.data @@ -1 +1 @@ -TIS_PATCH_VER=9 +TIS_PATCH_VER=10 diff --git a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch index 0a361ef97..6b328db57 100644 --- a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch +++ b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch @@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch Signed-off-by: zhipengl --- - SPECS/openssh.spec | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) + SPECS/openssh.spec | 5 ----- + 1 file changed, 5 deletions(-) diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 0a91b56..bbae9d7 100644 --- a/SPECS/openssh.spec 
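Review bot: `UsePrivilegeSeparation yes` replaces the stock value, which the patch deleted in this same commit shows as `#UsePrivilegeSeparation sandbox`, so the pre-authentication process loses the extra sandbox restrictions in a file that is meant to harden the server. Unless something on the platform is known to break under the sandbox, the line should read `UsePrivilegeSeparation sandbox` or stay commented so the default applies. The `MACs` line still offers `hmac-sha1`, `hmac-ripemd160` and `umac-64@openssh.com` together with their -etm variants, although the original change was made to satisfy a scan that flagged SHA-1 key exchange. Those entries are likely to be flagged the same way and could be dropped in favour of the SHA-2 and umac-128 MACs already in the list.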
+++ b/SPECS/openssh.spec -@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch - Patch959: openssh-7.4p1-authorized_keys_command.patch - # Fix for CVE-2017-15906 (#1517226) - Patch960: openssh-7.5p1-sftp-empty-files.patch -+# WRS: harden server and client config -+Patch1000: harden-server-and-client-config.patch - - License: BSD - Group: Applications/Internet -@@ -510,6 +512,8 @@ popd - %patch700 -p1 -b .fips - - %patch100 -p1 -b .coverity -+# WRS -+%patch1000 -p1 -b .harden - - %if 0 - # Nothing here yet @@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \ %preun server %systemd_preun sshd.service sshd.socket - + -%postun server -%systemd_postun_with_restart sshd.service - @@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644 @@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd-keygen.service - + -%files server-sysvinit -%defattr(-,root,root) %attr(0755,root,root) /etc/rc.d/init.d/sshd %endif - --- + +-- 1.8.3.1 diff --git a/base/openssh/centos/patches/harden-server-and-client-config.patch b/base/openssh/centos/patches/harden-server-and-client-config.patch deleted file mode 100644 index ea474cffc..000000000 --- a/base/openssh/centos/patches/harden-server-and-client-config.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001 -From: Andy Ning -Date: Fri, 23 Mar 2018 14:46:06 -0400 -Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms - -The patch hardened ssh server and client security, specifically -removed support of sha1 base kex algrorithms as found by Nessus -scan. ---- - ssh_config | 3 +++ - sshd_config | 45 +++++++++++++++++++++++++++------------------ - 2 files changed, 30 insertions(+), 18 deletions(-) - -diff --git a/ssh_config b/ssh_config -index d1c83ea..3320eb0 100644 ---- a/ssh_config -+++ b/ssh_config -@@ -66,3 +66,6 @@ Host * - SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT - SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE - SendEnv XMODIFIERS -+ -+# Filtered key exchange algorithm list -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 -diff --git a/sshd_config b/sshd_config -index 6bbb86b..7fb2ac7 100644 ---- a/sshd_config -+++ b/sshd_config -@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key - HostKey /etc/ssh/ssh_host_ed25519_key - - # Ciphers and keying --#RekeyLimit default none -+RekeyLimit default 1h - - # Logging - #SyslogFacility AUTH --SyslogFacility AUTHPRIV --#LogLevel INFO -+#SyslogFacility AUTHPRIV -+LogLevel INFO - - # Authentication: - --#LoginGraceTime 2m --#PermitRootLogin yes -+LoginGraceTime 1m -+PermitRootLogin no - #StrictModes yes --#MaxAuthTries 6 -+MaxAuthTries 4 - #MaxSessions 10 - - #PubkeyAuthentication yes -@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no - #KerberosUseKuserok yes - - # GSSAPI options --GSSAPIAuthentication yes --GSSAPICleanupCredentials no -+GSSAPIAuthentication no -+GSSAPICleanupCredentials yes - #GSSAPIStrictAcceptorCheck yes - #GSSAPIKeyExchange no - #GSSAPIEnablek5users no -@@ -95,10 +95,10 @@ 
GSSAPICleanupCredentials no - # problems. - UsePAM yes - --#AllowAgentForwarding yes --#AllowTcpForwarding yes -+AllowAgentForwarding no -+AllowTcpForwarding no - #GatewayPorts no --X11Forwarding yes -+X11Forwarding no - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes -@@ -106,21 +106,22 @@ X11Forwarding yes - #PrintLastLog yes - #TCPKeepAlive yes - #UseLogin no --#UsePrivilegeSeparation sandbox -+UsePrivilegeSeparation yes - #PermitUserEnvironment no --#Compression delayed --#ClientAliveInterval 0 --#ClientAliveCountMax 3 -+Compression no -+ClientAliveInterval 15 -+ClientAliveCountMax 4 - #ShowPatchLevel no --#UseDNS yes -+# Make SSH connect faster on bootup -+UseDNS no - #PidFile /var/run/sshd.pid - #MaxStartups 10:30:100 - #PermitTunnel no - #ChrootDirectory none - #VersionAddendum none - --# no default banner path --#Banner none -+# default banner path -+Banner /etc/issue.net - - # Accept locale-related environment variables - AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server - # AllowTcpForwarding no - # PermitTTY no - # ForceCommand cvs server -+DenyUsers admin secadmin operator -+# Filtered cipher, MAC and key exchange algorithm list, defaults can be -+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex -+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list -+# using "-" should be used for cipher, MAC and kex excluded suites. 
-+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com -+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 --- -1.8.3.1 - From 7754d7e95c9f5cc10ac0c6ea7b799debe79fe27b Mon Sep 17 00:00:00 2001 From: zhipengl Date: Tue, 11 Dec 2018 01:44:20 +0800 Subject: [PATCH 4/9] Remove meta_remove_bad_logrotate.patch We can do the similar change like we did in https://review.openstack.org/#/c/620466/ Since we have duplicated log configuration,we can erase logrotate.d/dhcp instead of remove the file with the patch. Deployment test pass and logrotate.d/dhcp file check pass. Story: 2004452 Task: 28131 Change-Id: Ib22fa073ca4e09af1b25854f0f1c8574f9337f3c Signed-off-by: zhipengl --- .../haproxy-config/centos/haproxy-config.spec | 3 ++ base/haproxy/centos/meta_patches/PATCH_ORDER | 1 - .../meta_remove_bad_logrotate.patch | 41 ------------------- 3 files changed, 3 insertions(+), 42 deletions(-) delete mode 100644 base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch diff --git a/base/haproxy-config/centos/haproxy-config.spec b/base/haproxy-config/centos/haproxy-config.spec index 679393aec..da37aa34c 100644 --- a/base/haproxy-config/centos/haproxy-config.spec +++ b/base/haproxy-config/centos/haproxy-config.spec 
@@ -32,6 +32,9 @@ mkdir -p %{_sysconfdir}/init.d %post /bin/systemctl disable haproxy.service +if test -s %{_sysconfdir}/logrotate.d/haproxy ; then + echo '#See /etc/logrotate.d/syslog for haproxy rules' > %{_sysconfdir}/logrotate.d/haproxy +fi %files %defattr(-,root,root,-) diff --git a/base/haproxy/centos/meta_patches/PATCH_ORDER b/base/haproxy/centos/meta_patches/PATCH_ORDER index 3f3977f65..51c926e48 100644 --- a/base/haproxy/centos/meta_patches/PATCH_ORDER +++ b/base/haproxy/centos/meta_patches/PATCH_ORDER @@ -1,3 +1,2 @@ spec-include-TiS-changes.patch -meta_remove_bad_logrotate.patch 0001-Update-package-versioning-for-TIS-format.patch diff --git a/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch b/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch deleted file mode 100644 index 6ec309080..000000000 --- a/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch +++ /dev/null 
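Review bot: The added %post test only neutralises %{_sysconfdir}/logrotate.d/haproxy if the haproxy package has already put the file there, so the outcome depends on the install order of haproxy and haproxy-config, and the spec lines that would enforce that order are outside this hunk. If haproxy is installed afterwards, its own logrotate rules are active next to the ones in /etc/logrotate.d/syslog that the replacement comment points to. Since the haproxy RPM ships the file again after this commit, a `%triggerin -- haproxy` scriptlet carrying the same `echo ... > %{_sysconfdir}/logrotate.d/haproxy` line would cover both orders; at minimum the package should declare `Requires(post): haproxy`.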
@@ -1,41 +0,0 @@ -From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 16:12:36 -0400 -Subject: [PATCH] WRS: meta_remove_bad_logrotate.patch - -Signed-off-by: zhipengl ---- - SPECS/haproxy.spec | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec -index 53def97..39c0c86 100644 ---- a/SPECS/haproxy.spec -+++ b/SPECS/haproxy.spec -@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/ - Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz - Source1: %{name}.service - Source2: %{name}.cfg --Source3: %{name}.logrotate - Source4: %{name}.sysconfig - Source5: halog.1 - -@@ -86,7 +85,6 @@ popd - - %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service - %{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg --%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} - %{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} - %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1 - %{__install} -d -m 0755 %{buildroot}%{haproxy_home} -@@ -139,7 +137,6 @@ fi - %dir %{haproxy_datadir} - %{haproxy_datadir}/* - %config(noreplace) %{haproxy_confdir}/%{name}.cfg --%config(noreplace) %{_sysconfdir}/logrotate.d/%{name} - %config(noreplace) %{_sysconfdir}/sysconfig/%{name} - %{_unitdir}/%{name}.service - %{_sbindir}/%{name} --- -1.8.3.1 - From 11a4f7a6964bd96f22a02f3394fc2d62447480fa Mon Sep 17 00:00:00 2001 
From: Eric MacDonald Date: Mon, 10 Dec 2018 19:02:18 -0500 Subject: [PATCH 5/9] Package log_functions.sh into platform-util The log_functions.sh script file was dropped in a recent edit of the compute-huge rpm. Some scripts depend on this file for log utilities. This update moves log_functions.sh out of compute-huge into platform-util and re-installs it in its previous location /etc/init.d Story: 2004043 Task: 28462 Change-Id: I4efb0a63f29bc446e7efd86cea7488f3e2e362df Signed-off-by: Eric MacDonald --- .../platform-util/centos/build_srpm.data | 2 +- .../platform-util/centos/platform-util.spec | 5 +++ .../platform-util/scripts/log_functions.sh | 45 +++++++++++++++++++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 utilities/platform-util/scripts/log_functions.sh diff --git a/utilities/platform-util/centos/build_srpm.data b/utilities/platform-util/centos/build_srpm.data index 1aafbdbd6..880171162 100644 --- a/utilities/platform-util/centos/build_srpm.data +++ b/utilities/platform-util/centos/build_srpm.data @@ -1,4 +1,4 @@ SRC_DIR="platform-util" COPY_LIST_TO_TAR="scripts" -TIS_PATCH_VER=14 +TIS_PATCH_VER=15 diff --git a/utilities/platform-util/centos/platform-util.spec b/utilities/platform-util/centos/platform-util.spec index 69f3e6983..b54116b49 100644 --- a/utilities/platform-util/centos/platform-util.spec +++ b/utilities/platform-util/centos/platform-util.spec @@ -28,6 +28,7 @@ Platform utilities that don't get packaged on controller hosts %define local_bindir %{local_dir}/bin %define local_sbindir %{local_dir}/sbin %define pythonroot /usr/lib64/python2.7/site-packages +%define local_etc_initd %{_sysconfdir}/init.d %prep %setup 
@@ -53,6 +54,9 @@ install %{_buildsubdir}/scripts/cgcs_tc_setup.sh %{buildroot}%{local_bindir} install %{_buildsubdir}/scripts/remotelogging_tc_setup.sh %{buildroot}%{local_bindir} install %{_buildsubdir}/scripts/connectivity_test %{buildroot}%{local_bindir} +install -d %{buildroot}%{local_etc_initd} +install %{_buildsubdir}/scripts/log_functions.sh %{buildroot}%{local_etc_initd} + install -d %{buildroot}%{local_sbindir} install -m 700 -P -D %{_buildsubdir}/scripts/patch-restart-mtce %{buildroot}%{local_sbindir} install -m 700 -p -D %{_buildsubdir}/scripts/patch-restart-processes %{buildroot}%{local_sbindir} @@ -87,6 +91,7 @@ systemctl enable opt-platform.service %{pythonroot}/platform_util/* %dir %{pythonroot}/platform_util-%{version}.0-py2.7.egg-info %{pythonroot}/platform_util-%{version}.0-py2.7.egg-info/* +%{local_etc_initd}/log_functions.sh %files -n platform-util-noncontroller %defattr(-,root,root,-) diff --git a/utilities/platform-util/scripts/log_functions.sh b/utilities/platform-util/scripts/log_functions.sh new file mode 100644 index 000000000..95a72ae2d --- /dev/null +++ b/utilities/platform-util/scripts/log_functions.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash +################################################################################ +# Copyright (c) 2013-2015 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +################################################################################ + +################################################################################ +# Log if debug is enabled via LOG_DEBUG +# +################################################################################ +function log_debug { + if [ ! -z "${LOG_DEBUG}" ]; then + logger -p debug -t "$0[${PPID}]" -s "$@" 2>&1 + fi +} + +################################################################################ +# Log unconditionally to STDERR +# +################################################################################ +function log_error { + logger -p error -t "$0[${PPID}]" -s "$@" +} + +################################################################################ +# Log unconditionally to STDOUT +# +################################################################################ +function log { + logger -p info -t "$0[${PPID}]" -s "$@" 2>&1 +} + +################################################################################ +# Utility function to print the status of a command result +# +################################################################################ +function print_status { + if [ "$1" -eq "0" ]; then + echo "[ OK ]" + else + echo "[FAILED]" + fi +} From 2ec4482fc766bd583df422c2df5939a2707c7996 Mon Sep 17 00:00:00 2001 From: zhipengl Date: Tue, 11 Dec 2018 22:51:33 +0800 Subject: [PATCH 6/9] Refactor meta patch for facter package Merge 2 meta patches as the first meta patch is just overwritted by second one. Build pass! Story: 2003768 Task: 28458 Change-Id: I02ccadafa5381c82bcace340f6c399af38aeecc7 
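Review bot: All three logging helpers hand the caller's text to logger as `-s "$@"`, so a message whose first word starts with `-` is parsed as a logger option instead of being logged, and a log line built from variable data can be lost or altered. Ending option parsing fixes this, e.g. `logger -p error -t "$0[${PPID}]" -s -- "$@"` in log_error, with the same `--` added in log_debug and log. The tag uses `${PPID}`, which is the parent's PID rather than the script's own; if the aim is to identify the logging process then `$$` is the value to use, and if the parent is intended a comment should say so. In print_status, `[ "$1" -eq "0" ]` prints a shell error when the function is called with no argument, so `[ "${1:-1}" -eq 0 ]` is a safer test.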
Signed-off-by: zhipengl --- .../0001-spec-include-TiS-paches.patch | 33 ++++++------- .../0003-Add-ipaddress-patch.patch | 48 ------------------- config/facter/centos/meta_patches/PATCH_ORDER | 1 - 3 files changed, 17 insertions(+), 65 deletions(-) delete mode 100644 config/facter/centos/meta_patches/0003-Add-ipaddress-patch.patch diff --git a/config/facter/centos/meta_patches/0001-spec-include-TiS-paches.patch b/config/facter/centos/meta_patches/0001-spec-include-TiS-paches.patch index 3284b2d7f..f12a78339 100644 --- a/config/facter/centos/meta_patches/0001-spec-include-TiS-paches.patch +++ b/config/facter/centos/meta_patches/0001-spec-include-TiS-paches.patch @@ -4,8 +4,8 @@ Date: Mon, 20 Mar 2017 09:58:00 -0400 Subject: [PATCH 1/2] WRS: spec-include-TiS-paches.patch --- - SPECS/facter.spec | 12 ++++++++++++ - 1 file changed, 12 insertions(+) + SPECS/facter.spec | 13 +++++++++++++ + 1 file changed, 13 insertions(+) diff --git a/SPECS/facter.spec b/SPECS/facter.spec index 97ee783..7996d45 100644 @@ -14,29 +14,30 @@ index 97ee783..7996d45 100644 
@@ -31,6 +31,13 @@ Source0: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar. Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.gz.asc BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - + +# WRS patches -+Patch0: ps.patch -+Patch1: personality.patch -+Patch2: centos_remove-net-commands-that-can-timeout.patch -+Patch3: centos_fix-ipv6-regex.patch -+ ++Patch0001: 0001-ps.patch ++Patch0002: 0002-personality.patch ++Patch0003: 0003-centos_remove-net-commands-that-can-timeout.patch ++Patch0004: 0004-centos_fix-ipv6-regex.patch ++Patch0005: 0005-Hardcode-ipaddress-fact-to-localhost.patch + # Upstream claims to only support 1.8.7 and higher BuildRequires: ruby >= 1.8.7 BuildRequires: ruby-devel -@@ -71,6 +78,11 @@ key off the values returned by facts. - +@@ -71,6 +78,12 @@ key off the values returned by facts. + %prep %setup -q +# WRS apply patches -+%patch0 -p1 -+%patch1 -p1 -+%patch2 -p2 -+%patch3 -p2 - ++%patch0001 -p1 ++%patch0002 -p1 ++%patch0003 -p2 ++%patch0004 -p2 ++%patch0005 -p1 + %build # Nothing to build --- +-- 1.8.3.1 diff --git a/config/facter/centos/meta_patches/0003-Add-ipaddress-patch.patch b/config/facter/centos/meta_patches/0003-Add-ipaddress-patch.patch deleted file mode 100644 index ee5ca6ff3..000000000 --- a/config/facter/centos/meta_patches/0003-Add-ipaddress-patch.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 26fa177280c21f0c2048c90ae8fdd3ded7a60113 Mon Sep 17 00:00:00 2001 -From: Don Penney -Date: Thu, 26 Oct 2017 10:44:17 -0400 -Subject: [PATCH] Add ipaddress patch - ---- - SPECS/facter.spec | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/SPECS/facter.spec b/SPECS/facter.spec -index aa4a0db..2829879 100644 ---- a/SPECS/facter.spec -+++ b/SPECS/facter.spec -@@ -32,10 +32,11 @@ Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar. - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - - # WRS patches --Patch0: ps.patch --Patch1: personality.patch --Patch2: centos_remove-net-commands-that-can-timeout.patch --Patch3: centos_fix-ipv6-regex.patch -+Patch0001: 0001-ps.patch -+Patch0002: 0002-personality.patch -+Patch0003: 0003-centos_remove-net-commands-that-can-timeout.patch -+Patch0004: 0004-centos_fix-ipv6-regex.patch -+Patch0005: 0005-Hardcode-ipaddress-fact-to-localhost.patch - - - # Upstream claims to only support 1.8.7 and higher -@@ -79,10 +80,11 @@ key off the values returned by facts. - %prep - %setup -q - # WRS apply patches --%patch0 -p1 --%patch1 -p1 --%patch2 -p2 --%patch3 -p2 -+%patch0001 -p1 -+%patch0002 -p1 -+%patch0003 -p2 -+%patch0004 -p2 -+%patch0005 -p1 - - %build - # Nothing to build --- -1.8.3.1 - diff --git a/config/facter/centos/meta_patches/PATCH_ORDER b/config/facter/centos/meta_patches/PATCH_ORDER index 00edf2f3a..aef6d299e 100644 --- a/config/facter/centos/meta_patches/PATCH_ORDER +++ b/config/facter/centos/meta_patches/PATCH_ORDER @@ -1,3 +1,2 @@ 0001-spec-include-TiS-paches.patch 0002-Update-package-versioning-for-TIS-format.patch -0003-Add-ipaddress-patch.patch From 01f5fdd274ac0bc02528b4630dacaf3ca10eb27a Mon Sep 17 00:00:00 2001 
From: Steven Webster Date: Wed, 5 Dec 2018 15:29:33 -0500 Subject: [PATCH 7/9] Traffic control: fix TC filters for vlan sub-interface Sometime after kernel 3.10.0-514.16.1.X, tc filter commands no longer match 802.1q packets when the filter protocol is set to 'ip'. This poses a problem for a consolidated (eg. infra w/ vlan over management) interface configuration. The tc filter will operate properly on the vlan interface, but all traffic will go to the default qdisc (low priority) when it arrives with a vlan tag at the sub-interface. This commit sets the filter protocol to '802.1q' in the case of a subinterface with a vlan tagged interface ontop of it. Some bashate cleanup has also been done on this file. Closes-Bug: #1807055 Change-Id: I457faa2b56bbd270c104cc0313ffe3cc1bfd4db3 Signed-off-by: Steven Webster --- .../platform-util/scripts/cgcs_tc_setup.sh | 220 +++++++++++------- 1 file changed, 132 insertions(+), 88 deletions(-) diff --git a/utilities/platform-util/scripts/cgcs_tc_setup.sh b/utilities/platform-util/scripts/cgcs_tc_setup.sh index 9dc3542af..581300537 100755 --- a/utilities/platform-util/scripts/cgcs_tc_setup.sh +++ b/utilities/platform-util/scripts/cgcs_tc_setup.sh @@ -1,14 +1,15 @@ #!/bin/sh # -# Copyright (c) 2017 Wind River Systems, Inc. +# Copyright (c) 2017-2018 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # # $1 - interface # $2 - interface type [mgmt, infra] -# $3 - dummy used to determine if we're backgrounded or not +# $3 - link capacity +# $4 - dummy used to determine if we're backgrounded or not DEV=$1 NETWORKTYPE=$2 @@ -42,7 +43,8 @@ function test_valid_speed { function log { # It seems that syslog isn't yet running, so append directly to the syslog file - echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> /var/log/platform.log + FILE=/var/log/platform.log + echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> $FILE } function infra_exists { 
@@ -57,15 +59,18 @@ function is_consolidated { if ! infra_exists then return 1 - else - # determine whether the management interface is a parent of the - # infrastructure interface based on name. - # eg. this matches enp0s8 to enp0s8.10 but not enp0s88 - if [[ $infrastructure_interface =~ $management_interface[\.][0-9]+$ ]]; then - return 0 - fi - return 1 fi + + local INFRA=$infrastructure_interface + local MGMT=$management_interface + + # determine whether the management interface is a parent of the + # infrastructure interface based on name. + # eg. this matches enp0s8 to enp0s8.10 but not enp0s88 + if [[ $INFRA =~ $MGMT[\.][0-9]+$ ]]; then + return 0 + fi + return 1 } function is_vlan { @@ -78,7 +83,8 @@ function is_vlan { function is_loopback { # (from include/uapi/linux/if.h) - IFF_LOOPBACK=$((1<<3)) + # IFF_LOOPBACK = 1<<3 = 8. Using a left shifted syntax can confuse bashate. + IFF_LOOPBACK=8 # get the interface flags FLAGS=`cat /sys/class/net/$DEV/flags` 
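Review bot: The match in is_consolidated, `[[ $INFRA =~ $MGMT[\.][0-9]+$ ]]`, is anchored only at the end and treats the management interface name as a regular expression. A management interface `eth0` would therefore also match an infrastructure interface named `veth0.10` (constructed example), and any regex metacharacter in the name is interpreted rather than compared. get_tc_filter_ethertype now chooses the filter protocol from this result, so a false match would select `802.1q` filters for an interface that has no VLAN child. Anchoring the start and quoting the variable makes the comparison literal: `[[ $INFRA =~ ^"$MGMT"\.[0-9]+$ ]]`. is_consolidated opens above the hunk.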
@@ -91,42 +97,78 @@ function is_loopback { fi } +function get_tc_filter_ethertype { + local ETHERTYPE=$DEFAULT_ETHERTYPE + + if is_consolidated + then + if ! is_vlan + then + # If we have a consolidated VLAN interface, we must set the + # protocol to '802.1q' for the underlying Ethernet interface + # to be able to match on IP packets coming from the VLAN + # interface. + ETHERTYPE=802.1q + fi + fi + echo $ETHERTYPE + return 0 +} + function setup_tc_port_filter { local PORT=$1 local PORTMASK=$2 local FLOWID=$3 local PROTOCOL=$4 + local PRIORITY=$DEFAULT_PRIORITY + local ETHERTYPE=$DEFAULT_ETHERTYPE - if [ -z $PROTOCOL ] - then + ETHERTYPE=$(get_tc_filter_ethertype) + + if [ -z $PROTOCOL ]; then # Apply to TCP and UDP - tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dport $PORT $PORTMASK flowid $FLOWID - tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip sport $PORT $PORTMASK flowid $FLOWID + tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \ + u32 match ip dport $PORT $PORTMASK flowid $FLOWID + tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \ + u32 match ip sport $PORT $PORTMASK flowid $FLOWID else # Apply to specific protocol only - tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip protocol 6 0xff match ip dport $PORT $PORTMASK flowid $FLOWID - tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip protocol 6 0xff match ip sport $PORT $PORTMASK flowid $FLOWID + tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \ + u32 match ip protocol $PROTOCOL 0xff match \ + ip dport $PORT $PORTMASK flowid $FLOWID + tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \ + u32 match ip protocol $PROTOCOL 0xff match \ + ip sport $PORT $PORTMASK flowid $FLOWID fi } -function setup_tc_tos_filter -{ +function setup_tc_tos_filter { local TOS=$1 local TOSMASK=$2 local FLOWID=$3 + local ETHERTYPE=$4 + local PRIORITY=$5 - tc filter add dev $DEV protocol 
ip parent 1:0 prio 1 u32 match ip tos $TOS $TOSMASK flowid $FLOWID + if [ -z $ETHERTYPE ]; then + ETHERTYPE=$DEFAULT_ETHERTYPE + fi + + if [ -z $PRIORITY ]; then + PRIORITY=$DEFAULT_PRIORITY + fi + + tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \ + u32 match ip tos $TOS $TOSMASK flowid $FLOWID } -function setup_root_tc -{ +function setup_root_tc { # create new qdiscs, classes and queues tc qdisc add dev $DEV root handle 1: htb default 40 - tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit burst 15k quantum 60000 + tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit \ + burst 15k quantum 60000 } -function setup_default_tc -{ +function setup_default_tc { local RATE=$1 local CEIL=$2 
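Review bot: setup_tc_port_filter installs its port filters only with the protocol returned by get_tc_filter_ethertype, whereas setup_hiprio_tc later in this patch adds a second filter at `$DEFAULT_PRIORITY + 1` for `$DEFAULT_ETHERTYPE` when the two differ. On a consolidated parent interface that appears to leave untagged traffic on the storage, migration and DRBD ports without a matching port filter, so it would fall to the default class. If that is intended, a comment in setup_tc_port_filter such as `# 802.1q only: untagged traffic on these ports is left to the default class` would record it; if not, the same second-filter fallback is needed here. Separately, `[ -z $PROTOCOL ]`, `[ -z $ETHERTYPE ]` and `[ -z $PRIORITY ]` should quote their operands.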
@@ -135,29 +177,40 @@ function setup_default_tc local FLOWID=$CLASSID # create default qdiscs, classes - $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 4 quantum 60000 + $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \ + ceil $((${CEIL}*${SPEED}/100))mbit prio 4 quantum 60000 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 } -function setup_hiprio_tc -{ +function setup_hiprio_tc { local RATE=$1 local CEIL=$2 local FLOWQ=10 local CLASSID=1:$FLOWQ local FLOWID=$CLASSID + local ETHERTYPE=$DEFAULT_ETHERTYPE + ETHERTYPE=$(get_tc_filter_ethertype) # create high priority qdiscs, classes, and queues - $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 3 quantum 60000 + $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \ + ceil $((${CEIL}*${SPEED}/100))mbit prio 3 quantum 60000 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 # filter for high priority traffic - setup_tc_tos_filter 0x10 0xf8 $FLOWID + setup_tc_tos_filter 0x10 0xf8 $FLOWID $ETHERTYPE + + if [ "$ETHERTYPE" != "$DEFAULT_ETHERTYPE" ]; then + # For the 'hiprio' class, a second filter at a different priority is + # needed in this case to match traffic with the default ethertype. + # (ie. high priority management traffic). + local PRIORITY + PRIORITY=$(($DEFAULT_PRIORITY + 1)) + setup_tc_tos_filter 0x10 0xf8 $FLOWID $DEFAULT_ETHERTYPE $PRIORITY + fi } -function setup_migration_tc -{ +function setup_migration_tc { local RATE=$1 local CEIL=$2 
@@ -166,7 +219,8 @@ function setup_migration_tc local FLOWID=$CLASSID # create migration qdiscs, classes, and queues - $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 2 quantum 60000 + $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \ + ceil $((${CEIL}*${SPEED}/100))mbit prio 2 quantum 60000 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 # Migration (TCP, ports 49152-49215) @@ -176,8 +230,7 @@ function setup_migration_tc setup_tc_port_filter 16509 0xffff $FLOWID $TCP } -function setup_storage_tc -{ +function setup_storage_tc { local RATE=$1 local CEIL=$2 @@ -186,7 +239,8 @@ function setup_storage_tc local FLOWID=$CLASSID # create storage qdiscs, classes, and queues - $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 1 quantum 60000 + $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \ + ceil $((${CEIL}*${SPEED}/100))mbit prio 1 quantum 60000 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 # Storage, NFS (UDP/TCP, port 2049) @@ -205,8 +259,7 @@ function setup_storage_tc done } -function setup_drbd_tc -{ +function setup_drbd_tc { local RATE=$1 local CEIL=$2 @@ -215,14 +268,15 @@ function setup_drbd_tc local FLOWID=$CLASSID # create DRBD qdiscs, classes and queues - $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit quantum 60000 + $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \ + ceil $((${CEIL}*${SPEED}/100))mbit quantum 60000 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 # DRDB (TCP, ports 7789,7790,7791,7799) # port 7793 is used with drdb-extension PORTS=( 7789 7790 7791 7792 7799 7793 ) - PORTMASKS=( 0xffff 0xffff 0xffff 0xffff 0xffff ) + PORTMASKS=( 0xffff 0xffff 0xffff 0xffff 0xffff 0xffff) for idx in "${!PORTS[@]}"; do PORT=${PORTS[$idx]} MASK=${PORTMASKS[$idx]} 
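Review bot: In the setup_drbd_tc hunk the missing sixth mask is added, but PORTS and PORTMASKS remain two parallel arrays whose lengths must be kept equal by hand, which is apparently how port 7793 ended up with an empty mask. Every mask is `0xffff`, so iterating `for PORT in "${PORTS[@]}"` with a constant mask would rule the mismatch out; both arrays are also assigned without `local`. The comments above the arrays name 7789, 7790, 7791, 7799 and 7793 but not 7792, which the array also holds; `# DRBD (TCP, ports 7789,7790,7791,7792,7799)` would bring the first comment in line with the code. The loop body that consumes MASK lies outside the hunk.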
@@ -230,8 +284,7 @@ function setup_drbd_tc done } -function setup_mgmt_tc_individual -{ +function setup_mgmt_tc_individual { # Configure high priority and default traffic classes. setup_root_tc @@ -251,8 +304,7 @@ function setup_mgmt_tc_individual } -function setup_mgmt_tc_vlan -{ +function setup_mgmt_tc_vlan { # Configure high priority and default traffic classes. setup_root_tc @@ -271,8 +323,7 @@ function setup_mgmt_tc_vlan setup_default_tc $DEFAULT_BW $DEFAULT_CBW } -function setup_mgmt_tc_consolidated -{ +function setup_mgmt_tc_consolidated { # Configure management classes. # All traffic coming from the infra will get treated again by the # management traffic classes. We need to apply the same TCs as the @@ -282,8 +333,7 @@ function setup_mgmt_tc_consolidated setup_tc_all } -function setup_mgmt_tc_infra_exists -{ +function setup_mgmt_tc_infra_exists { if is_consolidated then # Infra over mgmt. In this case we want to reserve @@ -301,8 +351,7 @@ function setup_mgmt_tc_infra_exists fi } -function setup_mgmt_tc_no_infra -{ +function setup_mgmt_tc_no_infra { # Configure traffic classes for a management interface when # no infrastructure interface exists. Configure the full # set of TCs. 
@@ -311,35 +360,34 @@ function setup_mgmt_tc_no_infra setup_tc_all } -function setup_infra_tc_consolidated -{ +function setup_infra_tc_consolidated { # Configure the full set of traffic classes, but leave a small # portion of bandwidth for the management interface. # reserve 1% BW for management - local RESERVED=$((1*${SPEED}/100)) + local RESERVED + RESERVED=$((1*${SPEED}/100)) SPEED=$((${SPEED}-${RESERVED})) setup_root_tc setup_tc_all } -function setup_infra_tc_individual -{ +function setup_infra_tc_individual { # Configure the full set of traffic classes. setup_root_tc if is_vlan then # reserve 1% BW for sibling vlan interfaces - local RESERVED=$((1*${SPEED}/100)) + local RESERVED + RESERVED=$((1*${SPEED}/100)) SPEED=$((${SPEED}-${RESERVED})) fi setup_tc_all } -function setup_tc_all -{ +function setup_tc_all { # bandwidth percentages, in case of over-percentage, bandwidth is divided based # on bandwidth ratios local MIG_BW=30 @@ -359,24 +407,18 @@ function setup_tc_all setup_storage_tc $STOR_BW $STOR_CBW setup_migration_tc $MIG_BW $MIG_CBW setup_default_tc $DEFAULT_BW $DEFAULT_CBW - if [ $nodetype == "controller" ] - then + if [ $nodetype == "controller" ]; then setup_drbd_tc $DRBD_BW $DRBD_CBW fi } -function get_dev_speed -{ +function get_dev_speed { # If the link doesn't come up we won't go enabled, so here we can # afford to wait forever for the link. - while true - do - if [ -e /sys/class/net/$1/bonding ] - then - for VAL in `cat /sys/class/net/$1/lower_*/speed` - do - if test_valid_speed $VAL - then + while true; do + if [ -e /sys/class/net/$1/bonding ]; then + for VAL in `cat /sys/class/net/$1/lower_*/speed`; do + if test_valid_speed $VAL; then log slave for bond link $1 reported speed $VAL echo $VAL return 0 
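Review bot: In setup_tc_all the reformatted test `[ $nodetype == "controller" ]` leaves `$nodetype` unquoted, so when the variable is empty the test fails with a shell error on stderr and the DRBD class is skipped. `==` inside `[` is also not POSIX, although the script starts with `#!/bin/sh`. `if [ "$nodetype" = "controller" ]; then` avoids both problems. The same quoting applies to `[ $net_speed != $dev_speed ]` and `[ $net_speed -gt $dev_speed ]` in the get_speed hunk further down. nodetype is not assigned in any visible hunk, so its source should be confirmed.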
@@ -384,38 +426,36 @@ function get_dev_speed log slave for bond link $1 reported invalid speed $VAL fi done - log all slaves for bond link $1 reported invalid speeds, will sleep 30 sec and try again + log all slaves for bond link $1 reported invalid speeds, \ + will sleep 30 sec and try again else VAL=`cat /sys/class/net/$1/speed` - if test_valid_speed $VAL - then + if test_valid_speed $VAL; then log link $1 reported speed $VAL echo $VAL return 0 else - log link $1 returned invalid speed $VAL, will sleep 30 sec and try again + log link $1 returned invalid speed $VAL, \ + will sleep 30 sec and try again fi fi sleep 30 done } -function get_speed -{ +function get_speed { local dev=$1 local networktype=$2 local net_speed=$NETWORKSPEED - local dev_speed=$(get_dev_speed $DEV) + local dev_speed + dev_speed=$(get_dev_speed $DEV) local speed=$dev_speed - if [ $net_speed != $dev_speed ] - then + if [ $net_speed != $dev_speed ]; then log WARNING: $dev has a different operational speed [$dev_speed] \ than configured speed [$net_speed] for network type $networktype - if test_valid_speed $net_speed - then + if test_valid_speed $net_speed; then # Use greater of configured net speed / recorded dev speed - if [ $net_speed -gt $dev_speed ] - then + if [ $net_speed -gt $dev_speed ]; then speed=$net_speed fi fi @@ -433,8 +473,7 @@ fi log running tc setup script for $DEV $NETWORKTYPE in background -if [ -f /etc/platform/platform.conf ] -then +if [ -f /etc/platform/platform.conf ]; then source /etc/platform/platform.conf fi @@ -453,11 +492,16 @@ AC="tc class add dev $DEV parent 1:1 classid" TCP=6 UDP=17 +# default ethertype for filters +DEFAULT_ETHERTYPE=ip + +# default priority for filters +DEFAULT_PRIORITY=1 + # delete existing qdiscs tc qdisc del dev $DEV root > /dev/null 2>&1 -if [ ${NETWORKTYPE} = "mgmt" ] -then +if [ ${NETWORKTYPE} = "mgmt" ]; then if infra_exists then setup_mgmt_tc_infra_exists From 52bef031ac6e52c73a0a6a680b0ef31b99baac71 Mon Sep 17 00:00:00 2001 
From: Alex Kozyrev Date: Tue, 11 Dec 2018 13:42:07 -0500 Subject: [PATCH 8/9] Provide a way to set mem_stats_period_seconds in puppet-nova. There is no support of mem_stats_period_seconds in puppet-nova now. We need to add a way to set it to 0 to disable QEMU memory balloon statistics. The intention is to help with cyclictest spikes due to stats collection. Depends-On: Iaea1962601755736688f2deb61730ab1d548b8b1 Change-Id: I1fe3dfede1a5a07ddb5adaff1095206ffe5f6340 Closes-bug: 1803615 Signed-off-by: Alex Kozyrev --- .../puppet-nova-11.4.0/centos/build_srpm.data | 2 +- ...-way-to-set-mem_stats_period_seconds.patch | 37 ++++++++++++ .../centos/meta_patches/PATCH_ORDER | 1 + ...-way-to-set-mem_stats_period_seconds.patch | 56 +++++++++++++++++++ 4 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch create mode 100644 config/puppet-modules/openstack/puppet-nova-11.4.0/centos/patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch diff --git a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/build_srpm.data b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/build_srpm.data index c66bf348c..898fe26d9 100644 --- a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/build_srpm.data +++ b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/build_srpm.data @@ -1 +1 @@ -TIS_PATCH_VER=7 +TIS_PATCH_VER=8 diff --git a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch new file mode 100644 index 000000000..6730c7226 --- /dev/null +++ b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch 
@@ -0,0 +1,37 @@ +From ab164d30bb18eb5c24ed3781ac7acde8fe61317d Mon Sep 17 00:00:00 2001 +From: Alex Kozyrev +Date: Tue, 11 Dec 2018 14:14:37 -0500 +Subject: [PATCH 1/1] Provide a way to set mem_stats_period_seconds in Nova. + +There is no support of mem_stats_period_seconds in puppet-nova now. +We need to add a way to set it to 0 to disable QEMU memory balloon statistics. +The intention is to help with cyclictest spikes due to stats collection. + +Signed-off-by: Alex Kozyrev +--- + SPECS/puppet-nova.spec | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/SPECS/puppet-nova.spec b/SPECS/puppet-nova.spec +index c40ec94..367de7b 100644 +--- a/SPECS/puppet-nova.spec ++++ b/SPECS/puppet-nova.spec +@@ -19,6 +19,7 @@ Patch0007: 0007-Remove-joshuabaird-ipaclient-from-puppet-nova-requir.patch + Patch0008: 0008-Adding-pci_weight_multiple-to-nova-scheduler-filter.patch + Patch0009: 0009-Remove-SerialConsole-from-NovaConf.patch + Patch0010: 0010-Remove-compute-huge.patch ++Patch0011: 0011-Provide-a-way-to-set-mem_stats_period_seconds.patch + + BuildArch: noarch + +@@ -49,6 +50,7 @@ Puppet module for OpenStack Nova + %patch0008 -p1 + %patch0009 -p1 + %patch0010 -p1 ++%patch0011 -p1 + + find . -type f -name ".*" -exec rm {} + + find . -size 0 -exec rm {} + +-- +1.8.3.1 + diff --git a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/PATCH_ORDER b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/PATCH_ORDER index 3b1dea7b1..800287913 100644 --- a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/PATCH_ORDER +++ b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/PATCH_ORDER @@ -8,3 +8,4 @@ 0008-Add-pci_weight_multiple-to-scheduler-filter.patch 0009-Remove-SerialConsole-from-NovaConf.patch 0010-Remove-compute-huge.patch +0011-Provide-a-way-to-set-mem_stats_period_seconds.patch 
diff --git a/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch new file mode 100644 index 000000000..1884b4311 --- /dev/null +++ b/config/puppet-modules/openstack/puppet-nova-11.4.0/centos/patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch 
@@ -0,0 +1,56 @@ +From 3b825e021fea2a4223f72c5c1a8182a593750a40 Mon Sep 17 00:00:00 2001 +From: Alex Kozyrev +Date: Tue, 11 Dec 2018 14:10:01 -0500 +Subject: [PATCH 1/1] Provide a way to set mem_stats_period_seconds in Nova. + +There is no support of mem_stats_period_seconds in puppet-nova now. +We need to add a way to set it to 0 to disable QEMU memory balloon statistics. +The intention is to help with cyclictest spikes due to stats collection. + +Signed-off-by: Alex Kozyrev +--- + manifests/compute/libvirt.pp | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/manifests/compute/libvirt.pp b/manifests/compute/libvirt.pp +index 0d89c04..813d740 100644 +--- a/manifests/compute/libvirt.pp ++++ b/manifests/compute/libvirt.pp +@@ -151,6 +151,11 @@ + # forward progress in transferring data before aborting. + # Defaults to 150 + # ++# [*mem_stats_period_seconds*] ++# (optional) A number of seconds to memory usage statistics period.' ++# Zero or negative value mean to disable memory usage statistics. ++# Defaults to 10 ++# + class nova::compute::libvirt ( + $ensure_package = 'present', + $libvirt_virt_type = 'kvm', +@@ -182,6 +187,7 @@ class nova::compute::libvirt ( + $live_migration_downtime_delay = undef, + $live_migration_completion_timeout = undef, + $live_migration_progress_timeout = undef, ++ $mem_stats_period_seconds = undef, + ) inherits nova::params { + + include ::nova::deps +@@ -367,4 +373,14 @@ class nova::compute::libvirt ( + } + } + ++ if $mem_stats_period_seconds != undef { ++ nova_config { ++ 'libvirt/mem_stats_period_seconds': value => $live_migration_progress_timeout; ++ } ++ } else { ++ nova_config { ++ 'libvirt/mem_stats_period_seconds': ensure => absent; ++ } ++ } ++ + } +-- +1.8.3.1 + From 920fcb818c3dd8b0945e6d7bd2371dfb71790f60 Mon Sep 17 00:00:00 2001 
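Review bot: The new nova_config entry in manifests/compute/libvirt.pp writes the wrong variable: `'libvirt/mem_stats_period_seconds': value => $live_migration_progress_timeout;` should read `value => $mem_stats_period_seconds;`. As written, setting mem_stats_period_seconds to 0 stores whatever live_migration_progress_timeout holds, so the statistics period this commit wants to disable ends up controlled by an unrelated setting. The parameter documentation also says "Defaults to 10" while the class default is `undef`, which removes the key; the doc line should read `Defaults to undef`, or state explicitly that 10 is the Nova default that applies when the key is absent.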
From: zhipengl Date: Wed, 12 Dec 2018 19:42:40 +0800 Subject: [PATCH 9/9] Remove last patch of iscsi-initiator-utils As we see in the patch, it changes %dir to %ghost to avoid RPM audit. If we move the config file mod change to config package and use RPM instead of SRPM, we have no audit issue anymore and can ignore related change. Deployment test pass and related file check pass! Story: 2003768 Task: 28459 Depends-on: https://review.openstack.org/#/c/624584/ Change-Id: Ic23ccd740520e1942b3118a84cb03aef5f388332 Signed-off-by: zhipengl --- centos_iso_image.inc | 4 +- centos_pkg_dirs | 1 - .../centos/iscsi-initiator-utils-config.spec | 3 ++ filesystem/iscsi-initiator-utils/PKG-INFO | 17 ------- .../centos/build_srpm.data | 1 - .../0001-spec-include-TiS-changes.patch | 48 ------------------- ...te-package-versioning-for-TIS-format.patch | 27 ----------- .../centos/meta_patches/PATCH_ORDER | 3 -- .../iscsi-initiator-utils/centos/srpm_path | 2 - 9 files changed, 4 insertions(+), 102 deletions(-) delete mode 100644 filesystem/iscsi-initiator-utils/PKG-INFO delete mode 100644 filesystem/iscsi-initiator-utils/centos/build_srpm.data delete mode 100644 filesystem/iscsi-initiator-utils/centos/meta_patches/0001-spec-include-TiS-changes.patch delete mode 100644 filesystem/iscsi-initiator-utils/centos/meta_patches/0002-Update-package-versioning-for-TIS-format.patch delete mode 100644 filesystem/iscsi-initiator-utils/centos/meta_patches/PATCH_ORDER delete mode 100644 filesystem/iscsi-initiator-utils/centos/srpm_path diff --git a/centos_iso_image.inc b/centos_iso_image.inc index 71ce5fffe..63d9b3c95 100644 --- a/centos_iso_image.inc +++ b/centos_iso_image.inc @@ -296,9 +296,7 @@ bash haproxy haproxy-config -# iscsi-initiator-utils -iscsi-initiator-utils -iscsi-initiator-utils-iscsiuio +# iscsi-initiator-utils-config iscsi-initiator-utils-config # iptables diff --git a/centos_pkg_dirs b/centos_pkg_dirs index 97b374028..cc99a7c57 100644 --- a/centos_pkg_dirs +++ b/centos_pkg_dirs 
@@ -136,7 +136,6 @@ base/libfdt base/bash base/haproxy base/haproxy-config -filesystem/iscsi-initiator-utils filesystem/iscsi-initiator-utils-config ldap/ldapscripts networking/net-tools diff --git a/filesystem/iscsi-initiator-utils-config/centos/iscsi-initiator-utils-config.spec b/filesystem/iscsi-initiator-utils-config/centos/iscsi-initiator-utils-config.spec index b94a7f420..16bf8434f 100644 --- a/filesystem/iscsi-initiator-utils-config/centos/iscsi-initiator-utils-config.spec +++ b/filesystem/iscsi-initiator-utils-config/centos/iscsi-initiator-utils-config.spec @@ -10,6 +10,7 @@ BuildArch: noarch Source: %name-%version.tar.gz Requires: iscsi-initiator-utils +Requires: iscsi-initiator-utils-iscsiuio Summary: package StarlingX configuration files of iscsi-initiator-utils to system folder. %description @@ -33,6 +34,8 @@ package StarlingX configuration files of iscsi-initiator-utils to system folder. if [ $1 -eq 1 ] ; then # Initial installation cp -f %{_datadir}/starlingx/stx.iscsid.conf %{_sysconfdir}/iscsi/iscsid.conf + chmod 0750 %{_sysconfdir}/iscsi + chmod 0640 %{_sysconfdir}/iscsi/iscsid.conf fi /bin/systemctl disable iscsi-shutdown.service diff --git a/filesystem/iscsi-initiator-utils/PKG-INFO b/filesystem/iscsi-initiator-utils/PKG-INFO deleted file mode 100644 index 1336d621b..000000000 --- a/filesystem/iscsi-initiator-utils/PKG-INFO +++ /dev/null @@ -1,17 +0,0 @@ -Metadata-Version: 1.1 -Name: iscsi-initiator-utils -Version: 2.0-873 -Summary: iSCSI daemon and utility programs -Home-page: -Author: -Author-email: -License: GPLv2+ - -Description: -The iscsi package provides the server daemon for the iSCSI protocol, -as well as the utility programs used to manage it. iSCSI is a protocol -for distributed disk access using SCSI commands sent over Internet -Protocol networks. - - -Platform: UNKNOWN 
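Review bot: The two `chmod` calls added to the scriptlet in iscsi-initiator-utils-config.spec sit inside the `if [ $1 -eq 1 ]` initial-install branch and act on paths this package does not own. The modes are therefore not re-applied on upgrade, and `rpm -V iscsi-initiator-utils` can be expected to report a mode difference. iscsid.conf can carry CHAP credentials, and the meta patch removed in this commit shows the upstream spec shipping it as `%attr(0600,root,root)`, so the scriptlet should say why group read is needed, for example `# 0640: <reason the root group needs read access>`. If the modes must hold across upgrades, moving the two `chmod` lines after the `fi` would apply them on every install and update.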
diff --git a/filesystem/iscsi-initiator-utils/centos/build_srpm.data b/filesystem/iscsi-initiator-utils/centos/build_srpm.data deleted file mode 100644 index d3f64f336..000000000 --- a/filesystem/iscsi-initiator-utils/centos/build_srpm.data +++ /dev/null @@ -1 +0,0 @@ -TIS_PATCH_VER=3 diff --git a/filesystem/iscsi-initiator-utils/centos/meta_patches/0001-spec-include-TiS-changes.patch b/filesystem/iscsi-initiator-utils/centos/meta_patches/0001-spec-include-TiS-changes.patch deleted file mode 100644 index 3675aa167..000000000 --- a/filesystem/iscsi-initiator-utils/centos/meta_patches/0001-spec-include-TiS-changes.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 5a1612476a2b2a4783b5a1bd0f5493b3b3974ecb Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 16:19:19 -0400 -Subject: [PATCH 1/2] WRS: spec-include-TiS-changes.patch - ---- - SPECS/iscsi-initiator-utils.spec | 30 +++++++++++++++++++++--------- - 1 file changed, 21 insertions(+), 9 deletions(-) - -diff --git a/SPECS/iscsi-initiator-utils.spec b/SPECS/iscsi-initiator-utils.spec -index a7bd696..847f95c 100644 ---- a/SPECS/iscsi-initiator-utils.spec -+++ b/SPECS/iscsi-initiator-utils.spec -@@ -232,13 +241,13 @@ fi - - %files - %doc README --%dir %{_sharedstatedir}/iscsi --%dir %{_sharedstatedir}/iscsi/nodes --%dir %{_sharedstatedir}/iscsi/isns --%dir %{_sharedstatedir}/iscsi/static --%dir %{_sharedstatedir}/iscsi/slp --%dir %{_sharedstatedir}/iscsi/ifaces --%dir %{_sharedstatedir}/iscsi/send_targets -+%ghost %{_sharedstatedir}/iscsi -+%ghost %{_sharedstatedir}/iscsi/nodes -+%ghost %{_sharedstatedir}/iscsi/isns -+%ghost %{_sharedstatedir}/iscsi/static -+%ghost %{_sharedstatedir}/iscsi/slp -+%ghost %{_sharedstatedir}/iscsi/ifaces -+%ghost %{_sharedstatedir}/iscsi/send_targets - %ghost %{_var}/lock/iscsi - %ghost %{_var}/lock/iscsi/lock - %{_unitdir}/iscsi.service -@@ -248,8 +257,8 @@ fi - %{_libexecdir}/iscsi-mark-root-nodes - %{_sysconfdir}/NetworkManager/dispatcher.d/04-iscsi - %{_tmpfilesdir}/iscsi.conf --%dir %{_sysconfdir}/iscsi --%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/iscsi/iscsid.conf -+%attr(0750,root,root) %dir %{_sysconfdir}/iscsi -+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/iscsi/iscsid.conf - %{_sbindir}/iscsi-iname - %{_sbindir}/iscsiadm - %{_sbindir}/iscsid --- -2.7.4 - diff --git a/filesystem/iscsi-initiator-utils/centos/meta_patches/0002-Update-package-versioning-for-TIS-format.patch b/filesystem/iscsi-initiator-utils/centos/meta_patches/0002-Update-package-versioning-for-TIS-format.patch deleted file mode 100644 index 779672d13..000000000 
--- a/filesystem/iscsi-initiator-utils/centos/meta_patches/0002-Update-package-versioning-for-TIS-format.patch +++ /dev/null @@ -1,27 +0,0 @@ -From d30974d064455030457b4b37de3b3ea72a9feba0 Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Mon, 2 Oct 2017 16:19:19 -0400 -Subject: [PATCH 2/2] WRS: 0001-Update-package-versioning-for-TIS-format.patch - -Conflicts: - SPECS/iscsi-initiator-utils.spec ---- - SPECS/iscsi-initiator-utils.spec | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/SPECS/iscsi-initiator-utils.spec b/SPECS/iscsi-initiator-utils.spec -index 847f95c..8865737 100644 ---- a/SPECS/iscsi-initiator-utils.spec -+++ b/SPECS/iscsi-initiator-utils.spec -@@ -4,7 +4,7 @@ - Summary: iSCSI daemon and utility programs - Name: iscsi-initiator-utils - Version: 6.%{open_iscsi_version}.%{open_iscsi_build} --Release: 7%{?dist} -+Release: 7.el7%{?_tis_dist}.%{tis_patch_ver} - Group: System Environment/Daemons - License: GPLv2+ - URL: http://www.open-iscsi.org --- -2.7.4 - diff --git a/filesystem/iscsi-initiator-utils/centos/meta_patches/PATCH_ORDER b/filesystem/iscsi-initiator-utils/centos/meta_patches/PATCH_ORDER deleted file mode 100644 index 0fa12b23c..000000000 --- a/filesystem/iscsi-initiator-utils/centos/meta_patches/PATCH_ORDER +++ /dev/null @@ -1,3 +0,0 @@ -0001-spec-include-TiS-changes.patch -0002-Update-package-versioning-for-TIS-format.patch - diff --git a/filesystem/iscsi-initiator-utils/centos/srpm_path b/filesystem/iscsi-initiator-utils/centos/srpm_path deleted file mode 100644 index 35e4df0ed..000000000 --- a/filesystem/iscsi-initiator-utils/centos/srpm_path +++ /dev/null @@ -1,2 +0,0 @@ -mirror:Source/iscsi-initiator-utils-6.2.0.874-7.el7.src.rpm -