Debian-12 with nvme_core.io_timeout=300 instead of infinity (#190)

Author: majst01

.github/workflows/pr.yaml

@@ -60,14 +60,16 @@ jobs:
           --no-lint \
           --no-push
 
+    # TODO enable debian build again, actually droptailer and firewall-controller did not get enabled
+    # and then goss tests fail
     - name: Build docker image for firewalls and export tarball
       run: |
         DOCKER_MAKE_REGISTRY_LOGIN_USER="metalstack+ci" \
         DOCKER_MAKE_REGISTRY_LOGIN_PASSWORD="${{ secrets.QUAY_IO_TOKEN }}" \
         TMPDIR=/var/tmp \
         docker-make \
           --work-dir firewall \
-          --build-only ${{ matrix.os }} \
+          --build-only ubuntu \
           --no-cache \
           --no-pull \
           --summary \

Makefile

@@ -11,6 +11,14 @@ LINKMODE := -extldflags=-static \
 		 -X 'github.com/metal-stack/v.GitSHA1=$(SHA)' \
 		 -X 'github.com/metal-stack/v.BuildDate=$(BUILDDATE)'
 
+
+all: clean binary
+
+.PHONY: clean
+clean:
+	rm -f debian/context/install-go
+	rm -f centos/context/install-go
+
 .PHONY: binary
 binary: test
 	GGO_ENABLED=0 \
@@ -26,5 +34,5 @@ binary: test
 
 .PHONY: test
 test:
-	GO_ENV=testing go test -cover ./...
+	GO_ENV=testing go test -race -cover ./...
 

centos/Dockerfile

@@ -1,6 +1,6 @@
 ARG BASE_OS_VERSION
 
-FROM golang:1.19-buster as ignition-builder
+FROM golang:1.20-bullseye as ignition-builder
 ARG IGNITION_BRANCH
 WORKDIR /work
 RUN set -ex \

cmd/install.go

@@ -145,7 +145,7 @@ func (i *installer) writeResolvConf() error {
 	// FIXME enable systemd-resolved based approach again once we figured out why it does not work on the firewall
 	// most probably because the resolved must be running in the internet facing vrf.
 	// ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-	// in ignite this file is a symlinkg to /proc/net/pnp, to pass integration test, remove this first
+	// in ignite this file is a symlink to /proc/net/pnp, to pass integration test, remove this first
 	err := i.fs.Remove("/etc/resolv.conf")
 	if err != nil {
 		i.log.Infow("no /etc/resolv.conf present")
@@ -170,7 +170,7 @@ func (i *installer) buildCMDLine() string {
 		"init=/sbin/init",
 		"net.ifnames=0",
 		"biosdevname=0",
-		"nvme_core.io_timeout=4294967295",
+		"nvme_core.io_timeout=300", // 300 sec should be enough for firewalls to be replaced
 		"systemd.unified_cgroup_hierarchy=0",
 	}
 

cmd/install_test.go

@@ -380,8 +380,8 @@ func Test_installer_buildCMDLine(t *testing.T) {
 					ExitCode: 0,
 				},
 			},
-			// CMDLINE="console=${CONSOLE} root=UUID=${ROOT_UUID} init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
-			want: "console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0",
+			// CMDLINE="console=${CONSOLE} root=UUID=${ROOT_UUID} init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
+			want: "console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0",
 		},
 		{
 			name: "with raid",
@@ -400,8 +400,8 @@ func Test_installer_buildCMDLine(t *testing.T) {
 					ExitCode: 0,
 				},
 			},
-			// CMDLINE="console=${CONSOLE} root=UUID=${ROOT_UUID} init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
-			want: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0 rdloaddriver=raid0 rdloaddriver=raid1 rd.md.uuid=543eb7f8:98d4d986:e669824d:bebe69e5",
+			// CMDLINE="console=${CONSOLE} root=UUID=${ROOT_UUID} init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
+			want: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0 rdloaddriver=raid0 rdloaddriver=raid1 rd.md.uuid=543eb7f8:98d4d986:e669824d:bebe69e5",
 		},
 	}
 	for _, tt := range tests {
@@ -709,7 +709,7 @@ func Test_installer_grubInstall(t *testing.T) {
 			fsMocks: func(fs afero.Fs) {
 				require.NoError(t, afero.WriteFile(fs, "/etc/metal/install.yaml", []byte(sampleInstallYAML), 0700))
 			},
-			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0",
+			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0",
 			oss:     osUbuntu,
 			execMocks: []fakeexecparams{
 				{
@@ -732,7 +732,7 @@ func Test_installer_grubInstall(t *testing.T) {
 GRUB_TIMEOUT=5
 GRUB_DISTRIBUTOR=metal-ubuntu
 GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
+GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 		},
@@ -741,7 +741,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 			fsMocks: func(fs afero.Fs) {
 				require.NoError(t, afero.WriteFile(fs, "/etc/metal/install.yaml", []byte(sampleInstallWithRaidYAML), 0700))
 			},
-			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0",
+			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0",
 			oss:     osUbuntu,
 			execMocks: []fakeexecparams{
 				{
@@ -789,7 +789,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 GRUB_TIMEOUT=5
 GRUB_DISTRIBUTOR=metal-ubuntu
 GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
+GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 		},
@@ -801,7 +801,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 				require.NoError(t, afero.WriteFile(fs, "/boot/initramfs-1.2.3.img", nil, 0700))
 				require.NoError(t, afero.WriteFile(fs, "/etc/metal/install.yaml", []byte(sampleInstallYAML), 0700))
 			},
-			cmdline: "console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0",
+			cmdline: "console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0",
 			oss:     osCentos,
 			execMocks: []fakeexecparams{
 				{
@@ -819,7 +819,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 GRUB_TIMEOUT=5
 GRUB_DISTRIBUTOR=centos
 GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
+GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=543eb7f8-98d4-d986-e669-824dbebe69e5 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 		},
@@ -831,7 +831,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 				require.NoError(t, afero.WriteFile(fs, "/boot/initramfs-1.2.3.img", nil, 0700))
 				require.NoError(t, afero.WriteFile(fs, "/etc/metal/install.yaml", []byte(sampleInstallWithRaidYAML), 0700))
 			},
-			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0",
+			cmdline: "console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0",
 			oss:     osCentos,
 			execMocks: []fakeexecparams{
 				{
@@ -874,7 +874,7 @@ GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 GRUB_TIMEOUT=5
 GRUB_DISTRIBUTOR=centos
 GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 systemd.unified_cgroup_hierarchy=0"
+GRUB_CMDLINE_LINUX="console=ttyS1,115200n8 root=UUID=ace079b5-06be-4429-bbf0-081ea4d7d0d9 init=/sbin/init net.ifnames=0 biosdevname=0 nvme_core.io_timeout=300 systemd.unified_cgroup_hierarchy=0"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8"`,
 		},

debian/Dockerfile

@@ -21,6 +21,7 @@ ARG FRR_VERSION_DETAIL
 ARG GOLLDPD_VERSION
 ARG DOCKER_APT_OS
 ARG DOCKER_APT_CHANNEL
+ARG FRR_APT_CHANNEL
 ARG CRI_VERSION
 ARG SEMVER_MAJOR_MINOR
 ARG KERNEL_VERSION
@@ -40,8 +41,6 @@ COPY context/kernel-installation.sh /
 
 RUN set -ex \
  && rm -f /.dockerenv \
- && sed 's@archive.ubuntu.com@de.archive.ubuntu.com@' -i /etc/apt/sources.list \
- && sed 's@security.ubuntu.com@de.archive.ubuntu.com@' -i /etc/apt/sources.list \
  && apt-get update \
  && apt-get upgrade --yes \
  && apt-get install --yes --no-install-recommends \
@@ -85,16 +84,13 @@ RUN set -ex \
     watchdog \
     wget \
     vim \
+    zstd \
  && curl -fLsS https://github.com/metal-stack/go-lldpd/releases/download/${GOLLDPD_VERSION}/go-lldpd.tgz -o /tmp/go-lldpd.tgz \
  && tar -xf /tmp/go-lldpd.tgz \
  && curl -fLsS ${DOCKER_URL}/linux/${DOCKER_APT_OS}/gpg | apt-key add - \
- && add-apt-repository "deb [arch=amd64] ${DOCKER_URL}/linux/${DOCKER_APT_OS} ${DOCKER_APT_CHANNEL} stable" \
+ && echo "deb [arch=amd64] ${DOCKER_URL}/linux/${DOCKER_APT_OS} ${DOCKER_APT_CHANNEL} stable" > /etc/apt/sources.list.d/docker.list \
  && apt-get update \
  && apt-get install --yes --no-install-recommends docker-ce \
- # docker is always installed in /usr/bin/docker, on ubuntu /bin is a link to /usr/bin
- # debian does not have this link, therefore /bin/docker does not exist.
- # gardener requires /bin/docker in their kubelet.service.
- && ln -s /usr/bin/docker /bin/docker || true \
  # Install crictl to be able to manipulate containers managed with containerd instead of dockerd
  && curl -fLsS https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRI_VERSION}/crictl-${CRI_VERSION}-linux-amd64.tar.gz -o /tmp/crictl-${CRI_VERSION}-linux-amd64.tar.gz \
  && tar -xf /tmp/crictl-${CRI_VERSION}-linux-amd64.tar.gz -C /usr/local/bin \
@@ -105,7 +101,7 @@ RUN set -ex \
  && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy \
  # install frr from frrouting debian package repo
  && curl -fLsS https://deb.frrouting.org/frr/keys.asc | apt-key add - \
- && add-apt-repository "deb [arch=amd64] https://deb.frrouting.org/frr $(lsb_release -s -c) ${FRR_VERSION}" \
+ && echo "deb [arch=amd64] https://deb.frrouting.org/frr ${FRR_APT_CHANNEL} ${FRR_VERSION}" > /etc/apt/sources.list.d/frr.list \
  && apt update \
  && apt install --yes --no-install-recommends frr=${FRR_VERSION_DETAIL} frr-pythontools=${FRR_VERSION_DETAIL} \
  # Install Intel Firmware for e800 based network cards
@@ -143,7 +139,6 @@ RUN systemctl set-default multi-user.target \
                      docker.service \
                      frr.service \
                      systemd-networkd \
-                     systemd-resolved \
                      systemd-timesyncd \
                      watchdog.service \
                      cloud-init-custom.service \

debian/context/kernel-installation.sh

@@ -17,17 +17,18 @@ if [ "${ID}" = "ubuntu" ] ; then
         /tmp/linux-image* \
         /tmp/linux-modules* \
         intel-microcode
+    # Ubuntu still requires it
+    systemctl enable systemd-resolved
 else
     echo "Debian - Install kernel"
 
     cat <<EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian bullseye main contrib non-free
-deb http://deb.debian.org/debian bullseye-updates main contrib non-free
-deb http://deb.debian.org/debian bullseye-backports main
-deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb http://deb.debian.org/debian bookworm main contrib non-free-firmware
+deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware
+deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
 EOF
 
-    apt update && apt install -y intel-microcode "linux-image-${KERNEL_VERSION}-amd64-unsigned"
+    apt update && apt install -y intel-microcode linux-image-${KERNEL_VERSION}-amd64
 fi
 
 # Remove WIFI, netronome, v4l and liquidio firmware to save ~300MB image size

debian/docker-make.debian.yaml

@@ -15,19 +15,20 @@ default-build-args:
   - ICE_PKG_VERSION=1.3.30.0
 builds:
   -
-    name: "Debian 11"
+    name: "Debian 12"
     tags:
       - ${SEMVER}
       - ${SEMVER_MAJOR_MINOR}
     build-args:
-      - BASE_OS_VERSION=11
-      - DOCKER_APT_CHANNEL=bullseye
+      - BASE_OS_VERSION=bookworm
+      - DOCKER_APT_CHANNEL=bookworm
       - FRR_VERSION=frr-8
-      - FRR_VERSION_DETAIL=8.5.1-0~deb11u1
-      - SEMVER_MAJOR_MINOR=11
+      - FRR_VERSION_DETAIL=8.5.2-0~deb11u1
+      - FRR_APT_CHANNEL=bullseye
+      - SEMVER_MAJOR_MINOR=12
       - SEMVER=${SEMVER_MAJOR_MINOR}${SEMVER_PATCH}
-      # see https://packages.debian.org/bullseye-backports/kernel/ for available versions
-      - KERNEL_VERSION=6.1.0-0.deb11.7
+      # see https://packages.debian.org/bookworm/kernel/ for available versions
+      - KERNEL_VERSION=6.1.0-9
     after:
       - cd ../ && OS_NAME=${OS_NAME} ./test.sh quay.io/metalstack/${OS_NAME}:${SEMVER}
       - OS_NAME=${OS_NAME} SEMVER_MAJOR_MINOR=${SEMVER_MAJOR_MINOR} SEMVER_PATCH=${SEMVER_PATCH} ../export.sh

debian/docker-make.ubuntu.yaml

@@ -13,7 +13,7 @@ default-build-args:
   - DOCKER_APT_CHANNEL=jammy
   - CRI_VERSION=v1.27.0
   # see https://kernel.ubuntu.com/~kernel-ppa/mainline for available versions
-  - UBUNTU_MAINLINE_KERNEL_VERSION=v6.1.32
+  - UBUNTU_MAINLINE_KERNEL_VERSION=v6.1.34
   - ICE_VERSION=1.11.14
   - ICE_PKG_VERSION=1.3.30.0
 builds:
@@ -25,7 +25,8 @@ builds:
     build-args:
       - BASE_OS_VERSION=22.04
       - FRR_VERSION=frr-8
-      - FRR_VERSION_DETAIL=8.5.1-0~ubuntu22.04.1
+      - FRR_VERSION_DETAIL=8.5.2-0~ubuntu22.04.1
+      - FRR_APT_CHANNEL=jammy
       - SEMVER_MAJOR_MINOR=22.04
       - SEMVER=${SEMVER_MAJOR_MINOR}${SEMVER_PATCH}
     after:

firewall/Dockerfile

@@ -1,8 +1,8 @@
 ARG BASE_OS_NAME
 ARG BASE_OS_VERSION
 ARG DROPTAILER_VERSION=v0.2.11
-ARG FIREWALL_CONTROLLER_VERSION=v2.0.3
-ARG TAILSCALE_VERSION=v1.42.0
+ARG FIREWALL_CONTROLLER_VERSION=v2.0.5
+ARG TAILSCALE_VERSION=v1.44.0
 
 FROM ghcr.io/metal-stack/droptailer-client:${DROPTAILER_VERSION} AS droptailer-artifacts
 
@@ -48,14 +48,7 @@ RUN rm -f /etc/apt/sources.list.d/* \
  && apt install --yes frr frr-pythontools --no-install-recommends  --option=Dpkg::Options::=--force-confdef \
  && apt --yes autoremove
 
-# Pre-Configure chrony instead of systemd-timesyncd because it is able to run in a VRF context without issues.
-# Final setup is left to metal-networker that knows the internet-facing VRF.
-# To succeed metal-networker enabling chrony it is important to provide the chrony unit template in advance.
-# Usually the generator creates that template but the generator is loaded only after system boot or at `systemctl daemon-reload` (cannot be run from Docker Context).
-# systemd-time-wait-sync.service is disabled because it sometimes does not start and blocks depending services like logrotate.
-# see https://github.com/systemd/systemd/issues/14061
-RUN systemctl disable systemd-timesyncd \
- && systemctl disable chrony \
+RUN systemctl disable chrony \
  && systemctl mask chrony \
  && systemctl disable systemd-time-wait-sync.service \
  && systemctl mask systemd-time-wait-sync.service \
@@ -67,7 +60,6 @@ RUN systemctl disable systemd-timesyncd \
  && systemctl enable fever \
  && systemctl enable frr.service
 
-
 # Fix permissions of systemd service files
 RUN chmod 0644 /lib/systemd/system/*.service