starlingx/integ
Code Issues Proposed changes

Merge remote-tracking branch 'origin/master' into f/centos76-merge

Browse Source 
Change-Id: Ia834ef99c13cc8b842e6588233d10b9efe927b0c
This commit is contained in:
Dean Troyer 2018-12-13 11:27:26 -06:00
commit e25c1acc9b
33 changed files with 557 additions and 454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
base/haproxy-config/centos/haproxy-config.spec
View File

@ -32,6 +32,9 @@ mkdir -p %{_sysconfdir}/init.d
%post %post
/bin/systemctl disable haproxy.service /bin/systemctl disable haproxy.service
if test -s %{_sysconfdir}/logrotate.d/haproxy ; then
echo '#See /etc/logrotate.d/syslog for haproxy rules' > %{_sysconfdir}/logrotate.d/haproxy
fi
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)

1
base/haproxy/centos/meta_patches/PATCH_ORDER
View File

@ -1,3 +1,2 @@
spec-include-TiS-changes.patch spec-include-TiS-changes.patch
meta_remove_bad_logrotate.patch
0001-Update-package-versioning-for-TIS-format.patch 0001-Update-package-versioning-for-TIS-format.patch

41
base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch
View File

@ -1,41 +0,0 @@
From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH] WRS: meta_remove_bad_logrotate.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
---
SPECS/haproxy.spec | 3 ---
1 file changed, 3 deletions(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 53def97..39c0c86 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/
Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
Source1: %{name}.service
Source2: %{name}.cfg
-Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
@@ -86,7 +85,6 @@ popd
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
-%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
%{__install} -d -m 0755 %{buildroot}%{haproxy_home}
@@ -139,7 +137,6 @@ fi
%dir %{haproxy_datadir}
%{haproxy_datadir}/*
%config(noreplace) %{haproxy_confdir}/%{name}.cfg
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_unitdir}/%{name}.service
%{_sbindir}/%{name}
--
1.8.3.1

8
base/openssh-config/centos/openssh-config.spec
View File

@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system %{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam %{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service %{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config
%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config
%post %post
%define _pamconfdir %{_sysconfdir}/pam.d %define _pamconfdir %{_sysconfdir}/pam.d
if [ $1 -eq 1 ] ; then if [ $1 -eq 1 ] ; then
# Initial installation # Initial installation
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config
cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
fi fi
%files %files
%{_datadir}/starlingx/sshd.pam %{_datadir}/starlingx/sshd.pam
%{_sysconfdir}/systemd/system/sshd.service %{_sysconfdir}/systemd/system/sshd.service
%{_datadir}/starlingx/ssh_config
%{_datadir}/starlingx/sshd_config

71
base/openssh-config/files/ssh_config Normal file
View File

@ -0,0 +1,71 @@
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
# Filtered key exchange algorithm list
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

148
base/openssh-config/files/sshd_config Normal file
View File

@ -0,0 +1,148 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
RekeyLimit default 1h
# Logging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#ShowPatchLevel no
# Make SSH connect faster on bootup
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# default banner path
Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
DenyUsers admin secadmin operator
# Filtered cipher, MAC and key exchange algorithm list, defaults can be
# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
# using "-" should be used for cipher, MAC and kex excluded suites.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

2
base/openssh/centos/build_srpm.data
View File

@ -1 +1 @@
TIS_PATCH_VER=9 TIS_PATCH_VER=10

30
base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
View File

@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com> Signed-off-by: zhipengl <zhipengs.liu@intel.com>
--- ---
SPECS/openssh.spec | 9 ++++----- SPECS/openssh.spec | 5 -----
1 file changed, 4 insertions(+), 5 deletions(-) 1 file changed, 5 deletions(-)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 0a91b56..bbae9d7 100644 index 0a91b56..bbae9d7 100644
--- a/SPECS/openssh.spec --- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec +++ b/SPECS/openssh.spec
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
Patch959: openssh-7.4p1-authorized_keys_command.patch
# Fix for CVE-2017-15906 (#1517226)
Patch960: openssh-7.5p1-sftp-empty-files.patch
+# WRS: harden server and client config
+Patch1000: harden-server-and-client-config.patch
License: BSD
Group: Applications/Internet
@@ -510,6 +512,8 @@ popd
%patch700 -p1 -b .fips
%patch100 -p1 -b .coverity
+# WRS
+%patch1000 -p1 -b .harden
%if 0
# Nothing here yet
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \ @@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
%preun server %preun server
%systemd_preun sshd.service sshd.socket %systemd_preun sshd.service sshd.socket
-%postun server -%postun server
-%systemd_postun_with_restart sshd.service -%systemd_postun_with_restart sshd.service
- -
@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \ @@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-%files server-sysvinit -%files server-sysvinit
-%defattr(-,root,root) -%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd %attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif %endif
-- --
1.8.3.1 1.8.3.1

124
base/openssh/centos/patches/harden-server-and-client-config.patch
View File

@ -1,124 +0,0 @@
From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Fri, 23 Mar 2018 14:46:06 -0400
Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
The patch hardened ssh server and client security, specifically
removed support of sha1 base kex algrorithms as found by Nessus
scan.
---
ssh_config | 3 +++
sshd_config | 45 +++++++++++++++++++++++++++------------------
2 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/ssh_config b/ssh_config
index d1c83ea..3320eb0 100644
--- a/ssh_config
+++ b/ssh_config
@@ -66,3 +66,6 @@ Host *
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
+
+# Filtered key exchange algorithm list
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/sshd_config b/sshd_config
index 6bbb86b..7fb2ac7 100644
--- a/sshd_config
+++ b/sshd_config
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
-#RekeyLimit default none
+RekeyLimit default 1h
# Logging
#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
+#SyslogFacility AUTHPRIV
+LogLevel INFO
# Authentication:
-#LoginGraceTime 2m
-#PermitRootLogin yes
+LoginGraceTime 1m
+PermitRootLogin no
#StrictModes yes
-#MaxAuthTries 6
+MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
#KerberosUseKuserok yes
# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
# problems.
UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
+AllowAgentForwarding no
+AllowTcpForwarding no
#GatewayPorts no
-X11Forwarding yes
+X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
@@ -106,21 +106,22 @@ X11Forwarding yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation sandbox
+UsePrivilegeSeparation yes
#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
#ShowPatchLevel no
-#UseDNS yes
+# Make SSH connect faster on bootup
+UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
-# no default banner path
-#Banner none
+# default banner path
+Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--
1.8.3.1

4
centos_iso_image.inc
View File

@ -296,9 +296,7 @@ bash
haproxy haproxy
haproxy-config haproxy-config
# iscsi-initiator-utils # iscsi-initiator-utils-config
iscsi-initiator-utils
iscsi-initiator-utils-iscsiuio
iscsi-initiator-utils-config iscsi-initiator-utils-config
# iptables # iptables

1
centos_pkg_dirs
View File

@ -136,7 +136,6 @@ base/libfdt
base/bash base/bash
base/haproxy base/haproxy
base/haproxy-config base/haproxy-config
filesystem/iscsi-initiator-utils
filesystem/iscsi-initiator-utils-config filesystem/iscsi-initiator-utils-config
ldap/ldapscripts ldap/ldapscripts
networking/net-tools networking/net-tools

2
config-files/pam-config/centos/build_srpm.data
View File

@ -1,2 +1,2 @@
SRC_DIR="files" SRC_DIR="files"
TIS_PATCH_VER=0 TIS_PATCH_VER=1

10
config-files/pam-config/centos/pam-config.spec
View File

@ -15,23 +15,31 @@ Summary: package StarlingX configuration files of pam to system folder.
%description %description
package StarlingX configuration files of pam to system folder. package StarlingX configuration files of pam to system folder.
%define _pamconfdir %{_sysconfdir}/pam.d
%prep %prep
%setup %setup
%build %build
%install %install
%define _pamconfdir %{_sysconfdir}/pam.d
%{__install} -d %{buildroot}%{_pamconfdir} %{__install} -d %{buildroot}%{_pamconfdir}
%{__install} -d %{buildroot}%{_datadir}/starlingx
%{__install} -m 644 common-account %{buildroot}%{_pamconfdir}/common-account %{__install} -m 644 common-account %{buildroot}%{_pamconfdir}/common-account
%{__install} -m 644 common-auth %{buildroot}%{_pamconfdir}/common-auth %{__install} -m 644 common-auth %{buildroot}%{_pamconfdir}/common-auth
%{__install} -m 644 common-password %{buildroot}%{_pamconfdir}/common-password %{__install} -m 644 common-password %{buildroot}%{_pamconfdir}/common-password
%{__install} -m 644 common-session %{buildroot}%{_pamconfdir}/common-session %{__install} -m 644 common-session %{buildroot}%{_pamconfdir}/common-session
%{__install} -m 644 common-session-noninteractive %{buildroot}%{_pamconfdir}/common-session-noninteractive %{__install} -m 644 common-session-noninteractive %{buildroot}%{_pamconfdir}/common-session-noninteractive
%{__install} -m 644 system-auth.pamd %{buildroot}%{_datadir}/starlingx/stx.system-auth
%post %post
if [ $1 -eq 1 ] ; then
# Initial installation
cp -f %{_datadir}/starlingx/stx.system-auth %{_pamconfdir}/system-auth
fi
%files %files
%{_datadir}/starlingx/stx.system-auth
%config(noreplace) %{_pamconfdir}/common-account %config(noreplace) %{_pamconfdir}/common-account
%config(noreplace) %{_pamconfdir}/common-auth %config(noreplace) %{_pamconfdir}/common-auth
%config(noreplace) %{_pamconfdir}/common-password %config(noreplace) %{_pamconfdir}/common-password

33
config/facter/centos/meta_patches/0001-spec-include-TiS-paches.patch
View File

@ -4,8 +4,8 @@ Date: Mon, 20 Mar 2017 09:58:00 -0400
Subject: [PATCH 1/2] WRS: spec-include-TiS-paches.patch Subject: [PATCH 1/2] WRS: spec-include-TiS-paches.patch
--- ---
SPECS/facter.spec | 12 ++++++++++++ SPECS/facter.spec | 13 +++++++++++++
1 file changed, 12 insertions(+) 1 file changed, 13 insertions(+)
diff --git a/SPECS/facter.spec b/SPECS/facter.spec diff --git a/SPECS/facter.spec b/SPECS/facter.spec
index 97ee783..7996d45 100644 index 97ee783..7996d45 100644
@ -14,29 +14,30 @@ index 97ee783..7996d45 100644
@@ -31,6 +31,13 @@ Source0: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar. @@ -31,6 +31,13 @@ Source0: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.
Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.gz.asc Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+# WRS patches +# WRS patches
+Patch0: ps.patch +Patch0001: 0001-ps.patch
+Patch1: personality.patch +Patch0002: 0002-personality.patch
+Patch2: centos_remove-net-commands-that-can-timeout.patch +Patch0003: 0003-centos_remove-net-commands-that-can-timeout.patch
+Patch3: centos_fix-ipv6-regex.patch +Patch0004: 0004-centos_fix-ipv6-regex.patch
+ +Patch0005: 0005-Hardcode-ipaddress-fact-to-localhost.patch
+ +
# Upstream claims to only support 1.8.7 and higher # Upstream claims to only support 1.8.7 and higher
BuildRequires: ruby >= 1.8.7 BuildRequires: ruby >= 1.8.7
BuildRequires: ruby-devel BuildRequires: ruby-devel
@@ -71,6 +78,11 @@ key off the values returned by facts. @@ -71,6 +78,12 @@ key off the values returned by facts.
%prep %prep
%setup -q %setup -q
+# WRS apply patches +# WRS apply patches
+%patch0 -p1 +%patch0001 -p1
+%patch1 -p1 +%patch0002 -p1
+%patch2 -p2 +%patch0003 -p2
+%patch3 -p2 +%patch0004 -p2
+%patch0005 -p1
%build %build
# Nothing to build # Nothing to build
-- --
1.8.3.1 1.8.3.1

48
config/facter/centos/meta_patches/0003-Add-ipaddress-patch.patch
View File

@ -1,48 +0,0 @@
From 26fa177280c21f0c2048c90ae8fdd3ded7a60113 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Thu, 26 Oct 2017 10:44:17 -0400
Subject: [PATCH] Add ipaddress patch
---
SPECS/facter.spec | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/SPECS/facter.spec b/SPECS/facter.spec
index aa4a0db..2829879 100644
--- a/SPECS/facter.spec
+++ b/SPECS/facter.spec
@@ -32,10 +32,11 @@ Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# WRS patches
-Patch0: ps.patch
-Patch1: personality.patch
-Patch2: centos_remove-net-commands-that-can-timeout.patch
-Patch3: centos_fix-ipv6-regex.patch
+Patch0001: 0001-ps.patch
+Patch0002: 0002-personality.patch
+Patch0003: 0003-centos_remove-net-commands-that-can-timeout.patch
+Patch0004: 0004-centos_fix-ipv6-regex.patch
+Patch0005: 0005-Hardcode-ipaddress-fact-to-localhost.patch
# Upstream claims to only support 1.8.7 and higher
@@ -79,10 +80,11 @@ key off the values returned by facts.
%prep
%setup -q
# WRS apply patches
-%patch0 -p1
-%patch1 -p1
-%patch2 -p2
-%patch3 -p2
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p2
+%patch0004 -p2
+%patch0005 -p1
%build
# Nothing to build
--
1.8.3.1

1
config/facter/centos/meta_patches/PATCH_ORDER
View File

@ -1,3 +1,2 @@
0001-spec-include-TiS-paches.patch 0001-spec-include-TiS-paches.patch
0002-Update-package-versioning-for-TIS-format.patch 0002-Update-package-versioning-for-TIS-format.patch
0003-Add-ipaddress-patch.patch

2
config/puppet-modules/openstack/puppet-nova-11.4.0/centos/build_srpm.data
View File

@ -1 +1 @@
TIS_PATCH_VER=7 TIS_PATCH_VER=8

37
config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch Normal file
View File

@ -0,0 +1,37 @@
From ab164d30bb18eb5c24ed3781ac7acde8fe61317d Mon Sep 17 00:00:00 2001
From: Alex Kozyrev <alex.kozyrev@windriver.com>
Date: Tue, 11 Dec 2018 14:14:37 -0500
Subject: [PATCH 1/1] Provide a way to set mem_stats_period_seconds in Nova.
There is no support of mem_stats_period_seconds in puppet-nova now.
We need to add a way to set it to 0 to disable QEMU memory balloon statistics.
The intention is to help with cyclictest spikes due to stats collection.
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
---
SPECS/puppet-nova.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/puppet-nova.spec b/SPECS/puppet-nova.spec
index c40ec94..367de7b 100644
--- a/SPECS/puppet-nova.spec
+++ b/SPECS/puppet-nova.spec
@@ -19,6 +19,7 @@ Patch0007: 0007-Remove-joshuabaird-ipaclient-from-puppet-nova-requir.patch
Patch0008: 0008-Adding-pci_weight_multiple-to-nova-scheduler-filter.patch
Patch0009: 0009-Remove-SerialConsole-from-NovaConf.patch
Patch0010: 0010-Remove-compute-huge.patch
+Patch0011: 0011-Provide-a-way-to-set-mem_stats_period_seconds.patch
BuildArch: noarch
@@ -49,6 +50,7 @@ Puppet module for OpenStack Nova
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
+%patch0011 -p1
find . -type f -name ".*" -exec rm {} +
find . -size 0 -exec rm {} +
--
1.8.3.1

1
config/puppet-modules/openstack/puppet-nova-11.4.0/centos/meta_patches/PATCH_ORDER
View File

@ -8,3 +8,4 @@
0008-Add-pci_weight_multiple-to-scheduler-filter.patch 0008-Add-pci_weight_multiple-to-scheduler-filter.patch
0009-Remove-SerialConsole-from-NovaConf.patch 0009-Remove-SerialConsole-from-NovaConf.patch
0010-Remove-compute-huge.patch 0010-Remove-compute-huge.patch
0011-Provide-a-way-to-set-mem_stats_period_seconds.patch

56
config/puppet-modules/openstack/puppet-nova-11.4.0/centos/patches/0011-Provide-a-way-to-set-mem_stats_period_seconds.patch Normal file
View File

@ -0,0 +1,56 @@
From 3b825e021fea2a4223f72c5c1a8182a593750a40 Mon Sep 17 00:00:00 2001
From: Alex Kozyrev <alex.kozyrev@windriver.com>
Date: Tue, 11 Dec 2018 14:10:01 -0500
Subject: [PATCH 1/1] Provide a way to set mem_stats_period_seconds in Nova.
There is no support of mem_stats_period_seconds in puppet-nova now.
We need to add a way to set it to 0 to disable QEMU memory balloon statistics.
The intention is to help with cyclictest spikes due to stats collection.
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
---
manifests/compute/libvirt.pp | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/manifests/compute/libvirt.pp b/manifests/compute/libvirt.pp
index 0d89c04..813d740 100644
--- a/manifests/compute/libvirt.pp
+++ b/manifests/compute/libvirt.pp
@@ -151,6 +151,11 @@
# forward progress in transferring data before aborting.
# Defaults to 150
#
+# [*mem_stats_period_seconds*]
+# (optional) A number of seconds to memory usage statistics period.'
+# Zero or negative value mean to disable memory usage statistics.
+# Defaults to 10
+#
class nova::compute::libvirt (
$ensure_package = 'present',
$libvirt_virt_type = 'kvm',
@@ -182,6 +187,7 @@ class nova::compute::libvirt (
$live_migration_downtime_delay = undef,
$live_migration_completion_timeout = undef,
$live_migration_progress_timeout = undef,
+ $mem_stats_period_seconds = undef,
) inherits nova::params {
include ::nova::deps
@@ -367,4 +373,14 @@ class nova::compute::libvirt (
}
}
+ if $mem_stats_period_seconds != undef {
+ nova_config {
+ 'libvirt/mem_stats_period_seconds': value => $live_migration_progress_timeout;
+ }
+ } else {
+ nova_config {
+ 'libvirt/mem_stats_period_seconds': ensure => absent;
+ }
+ }
+
}
--
1.8.3.1

3
filesystem/iscsi-initiator-utils-config/centos/iscsi-initiator-utils-config.spec
View File

@ -10,6 +10,7 @@ BuildArch: noarch
Source: %name-%version.tar.gz Source: %name-%version.tar.gz
Requires: iscsi-initiator-utils Requires: iscsi-initiator-utils
Requires: iscsi-initiator-utils-iscsiuio
Summary: package StarlingX configuration files of iscsi-initiator-utils to system folder. Summary: package StarlingX configuration files of iscsi-initiator-utils to system folder.
%description %description
@ -33,6 +34,8 @@ package StarlingX configuration files of iscsi-initiator-utils to system folder.
if [ $1 -eq 1 ] ; then if [ $1 -eq 1 ] ; then
# Initial installation # Initial installation
cp -f %{_datadir}/starlingx/stx.iscsid.conf %{_sysconfdir}/iscsi/iscsid.conf cp -f %{_datadir}/starlingx/stx.iscsid.conf %{_sysconfdir}/iscsi/iscsid.conf
chmod 0750 %{_sysconfdir}/iscsi
chmod 0640 %{_sysconfdir}/iscsi/iscsid.conf
fi fi
/bin/systemctl disable iscsi-shutdown.service /bin/systemctl disable iscsi-shutdown.service

17
filesystem/iscsi-initiator-utils/PKG-INFO
View File

@ -1,17 +0,0 @@
Metadata-Version: 1.1
Name: iscsi-initiator-utils
Version: 2.0-873
Summary: iSCSI daemon and utility programs
Home-page:
Author:
Author-email:
License: GPLv2+
Description:
The iscsi package provides the server daemon for the iSCSI protocol,
as well as the utility programs used to manage it. iSCSI is a protocol
for distributed disk access using SCSI commands sent over Internet
Protocol networks.
Platform: UNKNOWN

1
filesystem/iscsi-initiator-utils/centos/build_srpm.data
View File

@ -1 +0,0 @@
TIS_PATCH_VER=3

48
filesystem/iscsi-initiator-utils/centos/meta_patches/0001-spec-include-TiS-changes.patch
View File

@ -1,48 +0,0 @@
From 5a1612476a2b2a4783b5a1bd0f5493b3b3974ecb Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:19:19 -0400
Subject: [PATCH 1/2] WRS: spec-include-TiS-changes.patch
---
SPECS/iscsi-initiator-utils.spec | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/SPECS/iscsi-initiator-utils.spec b/SPECS/iscsi-initiator-utils.spec
index a7bd696..847f95c 100644
--- a/SPECS/iscsi-initiator-utils.spec
+++ b/SPECS/iscsi-initiator-utils.spec
@@ -232,13 +241,13 @@ fi
%files
%doc README
-%dir %{_sharedstatedir}/iscsi
-%dir %{_sharedstatedir}/iscsi/nodes
-%dir %{_sharedstatedir}/iscsi/isns
-%dir %{_sharedstatedir}/iscsi/static
-%dir %{_sharedstatedir}/iscsi/slp
-%dir %{_sharedstatedir}/iscsi/ifaces
-%dir %{_sharedstatedir}/iscsi/send_targets
+%ghost %{_sharedstatedir}/iscsi
+%ghost %{_sharedstatedir}/iscsi/nodes
+%ghost %{_sharedstatedir}/iscsi/isns
+%ghost %{_sharedstatedir}/iscsi/static
+%ghost %{_sharedstatedir}/iscsi/slp
+%ghost %{_sharedstatedir}/iscsi/ifaces
+%ghost %{_sharedstatedir}/iscsi/send_targets
%ghost %{_var}/lock/iscsi
%ghost %{_var}/lock/iscsi/lock
%{_unitdir}/iscsi.service
@@ -248,8 +257,8 @@ fi
%{_libexecdir}/iscsi-mark-root-nodes
%{_sysconfdir}/NetworkManager/dispatcher.d/04-iscsi
%{_tmpfilesdir}/iscsi.conf
-%dir %{_sysconfdir}/iscsi
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/iscsi/iscsid.conf
+%attr(0750,root,root) %dir %{_sysconfdir}/iscsi
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/iscsi/iscsid.conf
%{_sbindir}/iscsi-iname
%{_sbindir}/iscsiadm
%{_sbindir}/iscsid
--
2.7.4

27
filesystem/iscsi-initiator-utils/centos/meta_patches/0002-Update-package-versioning-for-TIS-format.patch
View File

@ -1,27 +0,0 @@
From d30974d064455030457b4b37de3b3ea72a9feba0 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:19:19 -0400
Subject: [PATCH 2/2] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Conflicts:
SPECS/iscsi-initiator-utils.spec
---
SPECS/iscsi-initiator-utils.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/iscsi-initiator-utils.spec b/SPECS/iscsi-initiator-utils.spec
index 847f95c..8865737 100644
--- a/SPECS/iscsi-initiator-utils.spec
+++ b/SPECS/iscsi-initiator-utils.spec
@@ -4,7 +4,7 @@
Summary: iSCSI daemon and utility programs
Name: iscsi-initiator-utils
Version: 6.%{open_iscsi_version}.%{open_iscsi_build}
-Release: 7%{?dist}
+Release: 7.el7%{?_tis_dist}.%{tis_patch_ver}
Group: System Environment/Daemons
License: GPLv2+
URL: http://www.open-iscsi.org
--
2.7.4

3
filesystem/iscsi-initiator-utils/centos/meta_patches/PATCH_ORDER
View File

@ -1,3 +0,0 @@
0001-spec-include-TiS-changes.patch
0002-Update-package-versioning-for-TIS-format.patch

2
filesystem/iscsi-initiator-utils/centos/srpm_path
View File

@ -1,2 +0,0 @@
mirror:Source/iscsi-initiator-utils-6.2.0.874-7.el7.src.rpm

5
utilities/platform-util/centos/platform-util.spec
View File

@ -28,6 +28,7 @@ Platform utilities that don't get packaged on controller hosts
%define local_bindir %{local_dir}/bin %define local_bindir %{local_dir}/bin
%define local_sbindir %{local_dir}/sbin %define local_sbindir %{local_dir}/sbin
%define pythonroot /usr/lib64/python2.7/site-packages %define pythonroot /usr/lib64/python2.7/site-packages
%define local_etc_initd %{_sysconfdir}/init.d
%prep %prep
%setup %setup
@ -53,6 +54,9 @@ install %{_buildsubdir}/scripts/cgcs_tc_setup.sh %{buildroot}%{local_bindir}
install %{_buildsubdir}/scripts/remotelogging_tc_setup.sh %{buildroot}%{local_bindir} install %{_buildsubdir}/scripts/remotelogging_tc_setup.sh %{buildroot}%{local_bindir}
install %{_buildsubdir}/scripts/connectivity_test %{buildroot}%{local_bindir} install %{_buildsubdir}/scripts/connectivity_test %{buildroot}%{local_bindir}
install -d %{buildroot}%{local_etc_initd}
install %{_buildsubdir}/scripts/log_functions.sh %{buildroot}%{local_etc_initd}
install -d %{buildroot}%{local_sbindir} install -d %{buildroot}%{local_sbindir}
install -m 700 -P -D %{_buildsubdir}/scripts/patch-restart-mtce %{buildroot}%{local_sbindir} install -m 700 -P -D %{_buildsubdir}/scripts/patch-restart-mtce %{buildroot}%{local_sbindir}
install -m 700 -p -D %{_buildsubdir}/scripts/patch-restart-processes %{buildroot}%{local_sbindir} install -m 700 -p -D %{_buildsubdir}/scripts/patch-restart-processes %{buildroot}%{local_sbindir}
@ -87,6 +91,7 @@ systemctl enable opt-platform.service
%{pythonroot}/platform_util/* %{pythonroot}/platform_util/*
%dir %{pythonroot}/platform_util-%{version}.0-py2.7.egg-info %dir %{pythonroot}/platform_util-%{version}.0-py2.7.egg-info
%{pythonroot}/platform_util-%{version}.0-py2.7.egg-info/* %{pythonroot}/platform_util-%{version}.0-py2.7.egg-info/*
%{local_etc_initd}/log_functions.sh
%files -n platform-util-noncontroller %files -n platform-util-noncontroller
%defattr(-,root,root,-) %defattr(-,root,root,-)

220
utilities/platform-util/scripts/cgcs_tc_setup.sh
View File

@ -1,14 +1,15 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2017 Wind River Systems, Inc. # Copyright (c) 2017-2018 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# $1 - interface # $1 - interface
# $2 - interface type [mgmt, infra] # $2 - interface type [mgmt, infra]
# $3 - dummy used to determine if we're backgrounded or not # $3 - link capacity
# $4 - dummy used to determine if we're backgrounded or not
DEV=$1 DEV=$1
NETWORKTYPE=$2 NETWORKTYPE=$2
@ -42,7 +43,8 @@ function test_valid_speed {
function log { function log {
# It seems that syslog isn't yet running, so append directly to the syslog file # It seems that syslog isn't yet running, so append directly to the syslog file
echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> /var/log/platform.log FILE=/var/log/platform.log
echo `date +%FT%T.%3N` `hostname` CGCS_TC_SETUP: $@ >> $FILE
} }
function infra_exists { function infra_exists {
@ -57,15 +59,18 @@ function is_consolidated {
if ! infra_exists if ! infra_exists
then then
return 1 return 1
else
# determine whether the management interface is a parent of the
# infrastructure interface based on name.
# eg. this matches enp0s8 to enp0s8.10 but not enp0s88
if [[ $infrastructure_interface =~ $management_interface[\.][0-9]+$ ]]; then
return 0
fi
return 1
fi fi
local INFRA=$infrastructure_interface
local MGMT=$management_interface
# determine whether the management interface is a parent of the
# infrastructure interface based on name.
# eg. this matches enp0s8 to enp0s8.10 but not enp0s88
if [[ $INFRA =~ $MGMT[\.][0-9]+$ ]]; then
return 0
fi
return 1
} }
function is_vlan { function is_vlan {
@ -78,7 +83,8 @@ function is_vlan {
function is_loopback { function is_loopback {
# (from include/uapi/linux/if.h) # (from include/uapi/linux/if.h)
IFF_LOOPBACK=$((1<<3)) # IFF_LOOPBACK = 1<<3 = 8. Using a left shifted syntax can confuse bashate.
IFF_LOOPBACK=8
# get the interface flags # get the interface flags
FLAGS=`cat /sys/class/net/$DEV/flags` FLAGS=`cat /sys/class/net/$DEV/flags`
@ -91,42 +97,78 @@ function is_loopback {
fi fi
} }
function get_tc_filter_ethertype {
local ETHERTYPE=$DEFAULT_ETHERTYPE
if is_consolidated
then
if ! is_vlan
then
# If we have a consolidated VLAN interface, we must set the
# protocol to '802.1q' for the underlying Ethernet interface
# to be able to match on IP packets coming from the VLAN
# interface.
ETHERTYPE=802.1q
fi
fi
echo $ETHERTYPE
return 0
}
function setup_tc_port_filter { function setup_tc_port_filter {
local PORT=$1 local PORT=$1
local PORTMASK=$2 local PORTMASK=$2
local FLOWID=$3 local FLOWID=$3
local PROTOCOL=$4 local PROTOCOL=$4
local PRIORITY=$DEFAULT_PRIORITY
local ETHERTYPE=$DEFAULT_ETHERTYPE
if [ -z $PROTOCOL ] ETHERTYPE=$(get_tc_filter_ethertype)
then
if [ -z $PROTOCOL ]; then
# Apply to TCP and UDP # Apply to TCP and UDP
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dport $PORT $PORTMASK flowid $FLOWID tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip sport $PORT $PORTMASK flowid $FLOWID u32 match ip dport $PORT $PORTMASK flowid $FLOWID
tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \
u32 match ip sport $PORT $PORTMASK flowid $FLOWID
else else
# Apply to specific protocol only # Apply to specific protocol only
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip protocol 6 0xff match ip dport $PORT $PORTMASK flowid $FLOWID tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip protocol 6 0xff match ip sport $PORT $PORTMASK flowid $FLOWID u32 match ip protocol $PROTOCOL 0xff match \
ip dport $PORT $PORTMASK flowid $FLOWID
tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \
u32 match ip protocol $PROTOCOL 0xff match \
ip sport $PORT $PORTMASK flowid $FLOWID
fi fi
} }
function setup_tc_tos_filter function setup_tc_tos_filter {
{
local TOS=$1 local TOS=$1
local TOSMASK=$2 local TOSMASK=$2
local FLOWID=$3 local FLOWID=$3
local ETHERTYPE=$4
local PRIORITY=$5
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip tos $TOS $TOSMASK flowid $FLOWID if [ -z $ETHERTYPE ]; then
ETHERTYPE=$DEFAULT_ETHERTYPE
fi
if [ -z $PRIORITY ]; then
PRIORITY=$DEFAULT_PRIORITY
fi
tc filter add dev $DEV protocol $ETHERTYPE parent 1:0 prio $PRIORITY \
u32 match ip tos $TOS $TOSMASK flowid $FLOWID
} }
function setup_root_tc function setup_root_tc {
{
# create new qdiscs, classes and queues # create new qdiscs, classes and queues
tc qdisc add dev $DEV root handle 1: htb default 40 tc qdisc add dev $DEV root handle 1: htb default 40
tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit burst 15k quantum 60000 tc class add dev $DEV parent 1: classid 1:1 htb rate ${SPEED}mbit \
burst 15k quantum 60000
} }
function setup_default_tc function setup_default_tc {
{
local RATE=$1 local RATE=$1
local CEIL=$2 local CEIL=$2
@ -135,29 +177,40 @@ function setup_default_tc
local FLOWID=$CLASSID local FLOWID=$CLASSID
# create default qdiscs, classes # create default qdiscs, classes
$AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 4 quantum 60000 $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \
ceil $((${CEIL}*${SPEED}/100))mbit prio 4 quantum 60000
tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10
} }
function setup_hiprio_tc function setup_hiprio_tc {
{
local RATE=$1 local RATE=$1
local CEIL=$2 local CEIL=$2
local FLOWQ=10 local FLOWQ=10
local CLASSID=1:$FLOWQ local CLASSID=1:$FLOWQ
local FLOWID=$CLASSID local FLOWID=$CLASSID
local ETHERTYPE=$DEFAULT_ETHERTYPE
ETHERTYPE=$(get_tc_filter_ethertype)
# create high priority qdiscs, classes, and queues # create high priority qdiscs, classes, and queues
$AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 3 quantum 60000 $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \
ceil $((${CEIL}*${SPEED}/100))mbit prio 3 quantum 60000
tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10
# filter for high priority traffic # filter for high priority traffic
setup_tc_tos_filter 0x10 0xf8 $FLOWID setup_tc_tos_filter 0x10 0xf8 $FLOWID $ETHERTYPE
if [ "$ETHERTYPE" != "$DEFAULT_ETHERTYPE" ]; then
# For the 'hiprio' class, a second filter at a different priority is
# needed in this case to match traffic with the default ethertype.
# (ie. high priority management traffic).
local PRIORITY
PRIORITY=$(($DEFAULT_PRIORITY + 1))
setup_tc_tos_filter 0x10 0xf8 $FLOWID $DEFAULT_ETHERTYPE $PRIORITY
fi
} }
function setup_migration_tc function setup_migration_tc {
{
local RATE=$1 local RATE=$1
local CEIL=$2 local CEIL=$2
@ -166,7 +219,8 @@ function setup_migration_tc
local FLOWID=$CLASSID local FLOWID=$CLASSID
# create migration qdiscs, classes, and queues # create migration qdiscs, classes, and queues
$AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 2 quantum 60000 $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \
ceil $((${CEIL}*${SPEED}/100))mbit prio 2 quantum 60000
tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10
# Migration (TCP, ports 49152-49215) # Migration (TCP, ports 49152-49215)
@ -176,8 +230,7 @@ function setup_migration_tc
setup_tc_port_filter 16509 0xffff $FLOWID $TCP setup_tc_port_filter 16509 0xffff $FLOWID $TCP
} }
function setup_storage_tc function setup_storage_tc {
{
local RATE=$1 local RATE=$1
local CEIL=$2 local CEIL=$2
@ -186,7 +239,8 @@ function setup_storage_tc
local FLOWID=$CLASSID local FLOWID=$CLASSID
# create storage qdiscs, classes, and queues # create storage qdiscs, classes, and queues
$AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit prio 1 quantum 60000 $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \
ceil $((${CEIL}*${SPEED}/100))mbit prio 1 quantum 60000
tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10
# Storage, NFS (UDP/TCP, port 2049) # Storage, NFS (UDP/TCP, port 2049)
@ -205,8 +259,7 @@ function setup_storage_tc
done done
} }
function setup_drbd_tc function setup_drbd_tc {
{
local RATE=$1 local RATE=$1
local CEIL=$2 local CEIL=$2
@ -215,14 +268,15 @@ function setup_drbd_tc
local FLOWID=$CLASSID local FLOWID=$CLASSID
# create DRBD qdiscs, classes and queues # create DRBD qdiscs, classes and queues
$AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k ceil $((${CEIL}*${SPEED}/100))mbit quantum 60000 $AC $CLASSID htb rate $((${RATE}*${SPEED}/100))mbit burst 15k \
ceil $((${CEIL}*${SPEED}/100))mbit quantum 60000
tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10 tc qdisc add dev $DEV parent $CLASSID handle $FLOWQ: sfq perturb 10
# DRDB (TCP, ports 7789,7790,7791,7799) # DRDB (TCP, ports 7789,7790,7791,7799)
# port 7793 is used with drdb-extension # port 7793 is used with drdb-extension
PORTS=( 7789 7790 7791 7792 7799 7793 ) PORTS=( 7789 7790 7791 7792 7799 7793 )
PORTMASKS=( 0xffff 0xffff 0xffff 0xffff 0xffff ) PORTMASKS=( 0xffff 0xffff 0xffff 0xffff 0xffff 0xffff)
for idx in "${!PORTS[@]}"; do for idx in "${!PORTS[@]}"; do
PORT=${PORTS[$idx]} PORT=${PORTS[$idx]}
MASK=${PORTMASKS[$idx]} MASK=${PORTMASKS[$idx]}
@ -230,8 +284,7 @@ function setup_drbd_tc
done done
} }
function setup_mgmt_tc_individual function setup_mgmt_tc_individual {
{
# Configure high priority and default traffic classes. # Configure high priority and default traffic classes.
setup_root_tc setup_root_tc
@ -251,8 +304,7 @@ function setup_mgmt_tc_individual
} }
function setup_mgmt_tc_vlan function setup_mgmt_tc_vlan {
{
# Configure high priority and default traffic classes. # Configure high priority and default traffic classes.
setup_root_tc setup_root_tc
@ -271,8 +323,7 @@ function setup_mgmt_tc_vlan
setup_default_tc $DEFAULT_BW $DEFAULT_CBW setup_default_tc $DEFAULT_BW $DEFAULT_CBW
} }
function setup_mgmt_tc_consolidated function setup_mgmt_tc_consolidated {
{
# Configure management classes. # Configure management classes.
# All traffic coming from the infra will get treated again by the # All traffic coming from the infra will get treated again by the
# management traffic classes. We need to apply the same TCs as the # management traffic classes. We need to apply the same TCs as the
@ -282,8 +333,7 @@ function setup_mgmt_tc_consolidated
setup_tc_all setup_tc_all
} }
function setup_mgmt_tc_infra_exists function setup_mgmt_tc_infra_exists {
{
if is_consolidated if is_consolidated
then then
# Infra over mgmt. In this case we want to reserve # Infra over mgmt. In this case we want to reserve
@ -301,8 +351,7 @@ function setup_mgmt_tc_infra_exists
fi fi
} }
function setup_mgmt_tc_no_infra function setup_mgmt_tc_no_infra {
{
# Configure traffic classes for a management interface when # Configure traffic classes for a management interface when
# no infrastructure interface exists. Configure the full # no infrastructure interface exists. Configure the full
# set of TCs. # set of TCs.
@ -311,35 +360,34 @@ function setup_mgmt_tc_no_infra
setup_tc_all setup_tc_all
} }
function setup_infra_tc_consolidated function setup_infra_tc_consolidated {
{
# Configure the full set of traffic classes, but leave a small # Configure the full set of traffic classes, but leave a small
# portion of bandwidth for the management interface. # portion of bandwidth for the management interface.
# reserve 1% BW for management # reserve 1% BW for management
local RESERVED=$((1*${SPEED}/100)) local RESERVED
RESERVED=$((1*${SPEED}/100))
SPEED=$((${SPEED}-${RESERVED})) SPEED=$((${SPEED}-${RESERVED}))
setup_root_tc setup_root_tc
setup_tc_all setup_tc_all
} }
function setup_infra_tc_individual function setup_infra_tc_individual {
{
# Configure the full set of traffic classes. # Configure the full set of traffic classes.
setup_root_tc setup_root_tc
if is_vlan if is_vlan
then then
# reserve 1% BW for sibling vlan interfaces # reserve 1% BW for sibling vlan interfaces
local RESERVED=$((1*${SPEED}/100)) local RESERVED
RESERVED=$((1*${SPEED}/100))
SPEED=$((${SPEED}-${RESERVED})) SPEED=$((${SPEED}-${RESERVED}))
fi fi
setup_tc_all setup_tc_all
} }
function setup_tc_all function setup_tc_all {
{
# bandwidth percentages, in case of over-percentage, bandwidth is divided based # bandwidth percentages, in case of over-percentage, bandwidth is divided based
# on bandwidth ratios # on bandwidth ratios
local MIG_BW=30 local MIG_BW=30
@ -359,24 +407,18 @@ function setup_tc_all
setup_storage_tc $STOR_BW $STOR_CBW setup_storage_tc $STOR_BW $STOR_CBW
setup_migration_tc $MIG_BW $MIG_CBW setup_migration_tc $MIG_BW $MIG_CBW
setup_default_tc $DEFAULT_BW $DEFAULT_CBW setup_default_tc $DEFAULT_BW $DEFAULT_CBW
if [ $nodetype == "controller" ] if [ $nodetype == "controller" ]; then
then
setup_drbd_tc $DRBD_BW $DRBD_CBW setup_drbd_tc $DRBD_BW $DRBD_CBW
fi fi
} }
function get_dev_speed function get_dev_speed {
{
# If the link doesn't come up we won't go enabled, so here we can # If the link doesn't come up we won't go enabled, so here we can
# afford to wait forever for the link. # afford to wait forever for the link.
while true while true; do
do if [ -e /sys/class/net/$1/bonding ]; then
if [ -e /sys/class/net/$1/bonding ] for VAL in `cat /sys/class/net/$1/lower_*/speed`; do
then if test_valid_speed $VAL; then
for VAL in `cat /sys/class/net/$1/lower_*/speed`
do
if test_valid_speed $VAL
then
log slave for bond link $1 reported speed $VAL log slave for bond link $1 reported speed $VAL
echo $VAL echo $VAL
return 0 return 0
@ -384,38 +426,36 @@ function get_dev_speed
log slave for bond link $1 reported invalid speed $VAL log slave for bond link $1 reported invalid speed $VAL
fi fi
done done
log all slaves for bond link $1 reported invalid speeds, will sleep 30 sec and try again log all slaves for bond link $1 reported invalid speeds, \
will sleep 30 sec and try again
else else
VAL=`cat /sys/class/net/$1/speed` VAL=`cat /sys/class/net/$1/speed`
if test_valid_speed $VAL if test_valid_speed $VAL; then
then
log link $1 reported speed $VAL log link $1 reported speed $VAL
echo $VAL echo $VAL
return 0 return 0
else else
log link $1 returned invalid speed $VAL, will sleep 30 sec and try again log link $1 returned invalid speed $VAL, \
will sleep 30 sec and try again
fi fi
fi fi
sleep 30 sleep 30
done done
} }
function get_speed function get_speed {
{
local dev=$1 local dev=$1
local networktype=$2 local networktype=$2
local net_speed=$NETWORKSPEED local net_speed=$NETWORKSPEED
local dev_speed=$(get_dev_speed $DEV) local dev_speed
dev_speed=$(get_dev_speed $DEV)
local speed=$dev_speed local speed=$dev_speed
if [ $net_speed != $dev_speed ] if [ $net_speed != $dev_speed ]; then
then
log WARNING: $dev has a different operational speed [$dev_speed] \ log WARNING: $dev has a different operational speed [$dev_speed] \
than configured speed [$net_speed] for network type $networktype than configured speed [$net_speed] for network type $networktype
if test_valid_speed $net_speed if test_valid_speed $net_speed; then
then
# Use greater of configured net speed / recorded dev speed # Use greater of configured net speed / recorded dev speed
if [ $net_speed -gt $dev_speed ] if [ $net_speed -gt $dev_speed ]; then
then
speed=$net_speed speed=$net_speed
fi fi
fi fi
@ -433,8 +473,7 @@ fi
log running tc setup script for $DEV $NETWORKTYPE in background log running tc setup script for $DEV $NETWORKTYPE in background
if [ -f /etc/platform/platform.conf ] if [ -f /etc/platform/platform.conf ]; then
then
source /etc/platform/platform.conf source /etc/platform/platform.conf
fi fi
@ -453,11 +492,16 @@ AC="tc class add dev $DEV parent 1:1 classid"
TCP=6 TCP=6
UDP=17 UDP=17
# default ethertype for filters
DEFAULT_ETHERTYPE=ip
# default priority for filters
DEFAULT_PRIORITY=1
# delete existing qdiscs # delete existing qdiscs
tc qdisc del dev $DEV root > /dev/null 2>&1 tc qdisc del dev $DEV root > /dev/null 2>&1
if [ ${NETWORKTYPE} = "mgmt" ] if [ ${NETWORKTYPE} = "mgmt" ]; then
then
if infra_exists if infra_exists
then then
setup_mgmt_tc_infra_exists setup_mgmt_tc_infra_exists

45
utilities/platform-util/scripts/log_functions.sh Normal file
View File

@ -0,0 +1,45 @@
#!/bin/bash
################################################################################
# Copyright (c) 2013-2015 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
################################################################################
################################################################################
# Log if debug is enabled via LOG_DEBUG
#
################################################################################
function log_debug {
if [ ! -z "${LOG_DEBUG}" ]; then
logger -p debug -t "$0[${PPID}]" -s "$@" 2>&1
fi
}
################################################################################
# Log unconditionally to STDERR
#
################################################################################
function log_error {
logger -p error -t "$0[${PPID}]" -s "$@"
}
################################################################################
# Log unconditionally to STDOUT
#
################################################################################
function log {
logger -p info -t "$0[${PPID}]" -s "$@" 2>&1
}
################################################################################
# Utility function to print the status of a command result
#
################################################################################
function print_status {
if [ "$1" -eq "0" ]; then
echo "[ OK ]"
else
echo "[FAILED]"
fi
}

4
virt/qemu/centos/build_srpm.data
View File

@ -1,8 +1,10 @@
SRC_DIR="$CGCS_BASE/git/qemu" SRC_DIR="$CGCS_BASE/git/qemu"
COPY_LIST="$CGCS_BASE/downloads/kvm-unit-tests.git-4ea7633.tar.bz2 \ COPY_LIST="$CGCS_BASE/downloads/kvm-unit-tests.git-4ea7633.tar.bz2 \
$CGCS_BASE/downloads/keycodemapdb-16e5b07.tar.gz \
$FILES_BASE/* \ $FILES_BASE/* \
$PKG_BASE/qemu/qemu_clean \ $PKG_BASE/qemu/qemu_clean \
$PKG_BASE/qemu/qemu_clean.service \ $PKG_BASE/qemu/qemu_clean.service \
$PKG_BASE/qemu/qemu-system-x86.conf" $PKG_BASE/qemu/qemu-system-x86.conf"
TIS_BASE_SRCREV=c284b3d419e1cc9b1f25661f4f636f19b1399970 TIS_BASE_SRCREV=38441756b70eec5807b5f60dad11a93a91199866
TIS_PATCH_VER=GITREVCOUNT TIS_PATCH_VER=GITREVCOUNT

1
virt/qemu/centos/files/build_configure.sh
View File

@ -60,7 +60,6 @@ fi
--with-pkgversion=${nvr} \ --with-pkgversion=${nvr} \
--with-confsuffix=/${pkgname} \ --with-confsuffix=/${pkgname} \
--with-coroutine=ucontext \ --with-coroutine=ucontext \
--with-system-pixman \
--disable-bluez \ --disable-bluez \
--disable-brlapi \ --disable-brlapi \
--enable-cap-ng \ --enable-cap-ng \

12
virt/qemu/centos/qemu-kvm.spec
View File

@ -82,7 +82,7 @@ Obsoletes: %1 < %{obsoletes_version}
Summary: QEMU is a FAST! processor emulator Summary: QEMU is a FAST! processor emulator
Name: %{pkgname}%{?pkgsuffix} Name: %{pkgname}%{?pkgsuffix}
Version: 2.10.0 Version: 3.0.0
Release: 0%{?_tis_dist}.%{tis_patch_ver} Release: 0%{?_tis_dist}.%{tis_patch_ver}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10 Epoch: 10
@ -158,6 +158,7 @@ Source25: kvm-unit-tests.git-4ea7633.tar.bz2
Source26: vhost.conf Source26: vhost.conf
Source27: kvm.conf Source27: kvm.conf
Source28: 95-kvm-memlock.conf Source28: 95-kvm-memlock.conf
Source29: keycodemapdb-16e5b07.tar.gz
#WRS #WRS
Source127: qemu_clean Source127: qemu_clean
@ -422,6 +423,8 @@ buildldflags="VL_LDFLAGS=-Wl,--build-id"
sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
%endif %endif
tar xzf %{SOURCE29} -C ui
cp %{SOURCE24} build_configure.sh cp %{SOURCE24} build_configure.sh
./build_configure.sh \ ./build_configure.sh \
@ -593,6 +596,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-zipl.rom
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-ccw.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-ccw.img
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-netboot.img rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/s390-netboot.img
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/u-boot.e500 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/u-boot.e500
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/canyonlands.dtb
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/hppa-firmware.img
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/u-boot-sam460-20100605.bin
%ifnarch %{power64} %ifnarch %{power64}
rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/spapr-rtas.bin rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{pkgname}/spapr-rtas.bin
@ -794,7 +800,7 @@ exit 0
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%ifarch x86_64 %ifarch x86_64
%{_datadir}/%{pkgname}/acpi-dsdt.aml # %{_datadir}/%{pkgname}/acpi-dsdt.aml
%{_datadir}/%{pkgname}/bios.bin %{_datadir}/%{pkgname}/bios.bin
%{_datadir}/%{pkgname}/bios-256k.bin %{_datadir}/%{pkgname}/bios-256k.bin
%{_datadir}/%{pkgname}/linuxboot.bin %{_datadir}/%{pkgname}/linuxboot.bin
@ -856,7 +862,9 @@ exit 0
%{_bindir}/qemu-img %{_bindir}/qemu-img
%{_bindir}/qemu-io %{_bindir}/qemu-io
%{_bindir}/qemu-nbd %{_bindir}/qemu-nbd
%{_bindir}/qemu-pr-helper
%{_mandir}/man1/qemu-img.1* %{_mandir}/man1/qemu-img.1*
%{_mandir}/man7/qemu-block-drivers.7*
%{_mandir}/man8/qemu-nbd.8* %{_mandir}/man8/qemu-nbd.8*
# WRS: virtfs # WRS: virtfs
%{_mandir}/man1/virtfs-proxy-helper.1* %{_mandir}/man1/virtfs-proxy-helper.1*