By default salt minion meta files are created with wide
permissions.
This makes OS tokens, keystone credentials unprotected.
Patch fixes this.
Prod-Related: CEEMCP-13 unprotected keystone credentials
Customer-Found
Change-Id: I18283cff4aec795e0656b7b3519381792e8a6e54
Salt (ca.sls) supports generation a few CA.cert but it works incorrectly.
When we generate a few ca.cert, salt must upload it to mine. But it overwrites previous ones.
Related-Prod: PROD-21740
Change-Id: I60f1089cc58758d3be65371deaaa69348fde86a4
The patch adds _orchestrate.conf file to salt minion
configuration. Its template searches for "/meta/salt.yml"
file across all installed formulas and parses them if found.
As of now config will contain following data, e.g.:
orchestration:
deploy:
applications:
cinder:
priority: 150
keystone:
priority: 100
Application priorities will be used later for salt deploy
orchestration
Change-Id: I56b0d15e5a13ca4975d98b9675991f84885120e6
Related-PROD: PROD-19973
The conflicting ID is 'libvirt_service' and is found in SLS:
- libvirt.server.service
- salt.control.virt
Change-Id: Ibb0b6f0a574a53f1cb8517a9fe0d7f0febb07bb3
The patch adds ability to configure REDIS as cache
backed for salt-master to be used as distibuted cache
further.
Change-Id: I62a29713c23ad3f591f6e937bfc5b13eba92f402
Related-PROD: PROD-20581
The patch adds ability to enable/disable salt-syndic
by changing the value with soft params.
Depends-on: Id97088e0a8c449c38943b8ceaa2111647fea19fc
Change-Id: I019fc1a08ae4781a1bfd39f39acf1d695691b997
Related-PROD: PROD-20579
* Salt minion is unable unencrypt the messages from master during boot
because of lack of entropy, throwing the exception:
File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 146, in sign
raise SSLError('Unable to encrypt message')
SSLError: Unable to encrypt message:
error:80064191:lib(128):osrandom_init:getrandom() initialization failed with EAGAIN. Most likely Kernel CPRNG is not se
error:80065190:lib(128):osrandom_rand_bytes:getrandom() initialization failed.
error:04088003:rsa routines:RSA_setup_blinding:BN lib
error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error
After node has been booted up, and /dev/random device collected some
extra entropy, salt-minion could start.
This patch configures libvirt vms to use /dev/urandom for faster
entropy regeneration
Change-Id: I470166b4424752d24ac4bb2cb87d9f99cd14752e
Co-Authored-By: Oleksandr Savatieiev <osavatieiev@mirantis.com>
Prod-Related: PROD-19711
When proxy parameter was defined and host is empty string, salt is complaining with warning. With this patch when host is empty parameters are not used.
Change-Id: I11150e5f141182d5934564611d6c39b2b379b5e9
[Fix] Doc
Issue: - It is not possible to pass [R]andom [N]umber [G]enerator
device to libvirt guest xml in order to control entropy.
- Doc has no information on how to provision vms using salt
Solution: - Pass rng parameters via kwargs from node: pillar
Attach rng xml object to generated xml.
- Provide with an example
Prod-Related: PROD-19214
Customer-Found
Change-Id: Iea111f2d927edf46f06bb7ccfad06d37b752fba9