Issue description:
PXE interfaces, which are used by salt should not be restarted
during salt calls, otherwise communication between salt master and
salt minion would be interrupted.
Therefore it is possible to specify "noifupdown: True" in pillars
for this interface or group of interfaces, which are used for PXE
network.
This pillar structure will remain until one removes it manualy.
It is not possible to remove it during deploy and enforce network
state without touching the model.
It is possible to override pillars from CLI like:
# salt ctl01* state.apply linux.network.interface \
pillar='{"linux":{"network":{"interface":{"ens3":{"noifupdown":True}}}}}'
However it is not easy/possible to predict all interfaces for PXE
network.
Solution:
Provide global noifupdown pillar value check.
If it exists, noifupdown will take effect and not otherwise.
So our deployment would have next steps:
- Execute: linux.network.interface pillar='{"linux":{"network":{"noifupdown":True}}}'
- Reboot node to enable kernel params like hugepages etc.
- Execute: linux.network.interface with no params to ensure PXE.
Pipelines may pass this parameter to control noifupdown behavior.
Change-Id: I8863f972c7805e4bf4f9e104d6c0ddf055c39cb1
Current thresholds don't matche real warning/minor values for
the time_squeeze numbers. As a result we have false positive.
Change-Id: I6990c101fe671c05d75d0640fd6799667b5f3fa1
Related-PROD: PROD-24406 (PROD:24406)
This typo mistake affects behavior of user.present module function
as it uses 'useradd' linux utility under the hood.
Missing USERGROUPS_ENAB parameter == do not create user groups by default.
This change in behavior of useradd util breaks all states, which are relaying
on creation of user group during new user creation procedure, e.g. set up
cassandra backups.
Change-Id: Ie17aae58fc6673b9c5d53bb68f681446f30d0a1a
Related-bug: PROD-23741
https://gerrit.mcp.mirantis.com/25351/ was merged but linux.system.shell
state wasn't included into init.yml and was never used.
This commit fixes this.
Related-Prod: PROD-23581
Change-Id: I89e09247dd2566b8a5b0c0e67e8ca9c789ed57f6
To simplify filtering in Kibana change
systemd.source prefix to record field "source".
Change-Id: I7729ae6721a1050a938370a588d35313f91f971a
Related-bug: PROD-21827 (PROD:21827)
Previous implementation was not able to add port 'dpdk0' to bridge
'br-dpdk0' since both matches 'grep' condition. To fix this we need to
look for port in a particular bridge
Change-Id: Ie83cebc3ab73c45a48f68fae2d6f474743215908
The following parameters defined in /etc/login.defs can
be overridden per-user:
* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE
Related-Prod: PROD-18386
Change-Id: I5b182128f9dd8a043b48fb86e61febb2fd5c7e0a
* Ubuntu pinning params allow to be used
multiply times. In same time, old `list`
format now allowing to be predictable
iterated inside jinja
Related-Bug: PROD-21604 (PROD:21604)
Change-Id: If1c0f0f834a296b9a19d0af5fc7673c9229a7ac5
Permissions 640 root:root doesn't allow regular user to read
/etc/{at,cron}.allow files, that changes behavior of at / crontab
commands:
* crontab command can't read /etc/cron.allow and allow any user to modify
their crontab files.
* at command can't read /etc/at.allow and deny every user.
at / crontab files have SGID bits set, so setting correct group
on /etc/{at,cron}.allow fixes the issue.
Change-Id: I4a3fc8d8e823498d6715e26307424e3065cbd6ca
* CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
* CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
Related-Prod: PROD-20765
Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213
linux/system/user.sls ignores 'shell' option if a
user is system. This is quite strange behavior, and it
breaks CIS:
* 5.4.2 Ensure system accounts are non-login
Change-Id: I32dd44ac4fcc1425ea47eb4cf60acf41f6ce0887
Related-Prod: PROD-20764
* Add TODO-proper fix for state - native salt fun.
But due bug[1] in saltstack - we can't enable
proper solution now
[1] 74599bbdfc
Related-PROD: PROD-20730
Change-Id: I11b6d81ae0f9a7864518f638e8fc423e4e087285
- Add possibility to remove prereq. packages installation BEFORE
* Crucial logic violation - if we don't have any repo\
have them configured in wrong way - stage will always fail.
* install prereq. packages after all - sounds stupid, but correct.
* By default - it will still try to install prereq. We don't want to
broke OLD logic.See readme, how-to overide such behaviour.
- don't update cache per-repo - it's simply useless and may fail due p1.
Run update only once - after all repos configured\reconfigured
- Add new option at system:refresh_repos_meta - for case, when update
should not be run in any case. By default - true.
- remove 99proxies-salt-{{ name }} along with disabled repo
- fix duplicate 'clean_file' option
Closes-Bug: PROD-15992 (PROD:15992)
Change-Id: I4b312f82f65be80e7726f62482978f68c25746a3
Wait for dpdk bond interfaces to come up.
linux.network.dpdk state fails to update a port within for loop
when this port does not exist yet.
Dependency will require interfaces to be added before
Prod-Related: PROD-19696
Closes-Bug: PROD-19696
Change-Id: Ia83218a76dd6e86664e7f9498a76341717eb5b80
Since we added to nstat's telegraf plugin the possibility
to collect data from `/proc/net/softnet_stat` regarding
dropped packets and rx_net_action a.k.a time squeeze, we need to enable
it globally on all hosts.
Also grafana dashboard update to include new graphs + added four
new Prometheus alers.
Related-Bug: PROD-21090
Change-Id: I9dfe87bdc8b677a51e3f305dd3c75c7d4cc4e0d4
nscd is recommended package for libpam-ldapd and libnss-ldapd, but
since we disabled Install-Recommends for apt in
https://gerrit.mcp.mirantis.net/14431 we need to specify this package in
linux formula.
nscd is a daemon which handles passwd, group and host lookups for
running programs and caches the results for the next query.
Change-Id: Ia17441da2b3072d943d0e9225721dc9921de2514
We create custom hugepages mount point for KVM/DPDK with custom
parameters (ownership flags/hugepages size). Need to disable default
mount point, because it can be unexpectedly used by DPDK.
Change-Id: Ibee95422213260e544406391c7a0922f1a41c5c2
Closes-Bug: PROD-14325
- fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7
- updated syntax for key verificatoin
- fix, avoid curl for salt:// schema (as in #156)
Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197