Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-29067: Update MCS Cert and Key files within bootstrap Ignition with UserProvisionedDNS #9238

Merged
merged 1 commit into from
Jan 8, 2025
Merged

OCPBUGS-29067: Update MCS Cert and Key files within bootstrap Ignition with UserProvisionedDNS #9238

merged 1 commit into from
Jan 8, 2025

Conversation

sadasu
Copy link
Contributor

@sadasu sadasu commented Nov 25, 2024
edited
Loading

When UserProvisineDNS is enabled, the machine-config-server
cert is regenerated to respond to both the API-Int URL and API-Int LB IPs. This updated cert and key are added to machine-config-server-tls-secret.yaml within the bootstrap Ignition (as part of https://issues.redhat.com/browse/CORS-3709).

This PR updates the individual machine-config-server cert and key files generated also in the bootstrap ignition.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 25, 2024
@sadasu
Copy link
Contributor Author

sadasu commented Nov 25, 2024

/test ?

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 25, 2024

@sadasu: The following commands are available to trigger required jobs:

/test altinfra-images

/test aro-unit

/test artifacts-images

/test e2e-agent-compact-ipv4

/test e2e-aws-ovn

/test e2e-aws-ovn-edge-zones-manifest-validation

/test e2e-aws-ovn-upi

/test e2e-azure-ovn

/test e2e-azure-ovn-upi

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upi

/test e2e-metal-ipi-ovn-ipv6

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test e2e-vsphere-ovn-upi

/test gofmt

/test golint

/test govet

/test images

/test integration-tests

/test integration-tests-nodejoiner

/test okd-images

/test okd-unit

/test okd-verify-codegen

/test openstack-manifests

/test shellcheck

/test terraform-images

/test terraform-verify-vendor

/test tf-lint

/test unit

/test verify-codegen

/test verify-vendor

/test yaml-lint

The following commands are available to trigger optional jobs:

/test altinfra-e2e-aws-custom-security-groups

/test altinfra-e2e-aws-ovn

/test altinfra-e2e-aws-ovn-fips

/test altinfra-e2e-aws-ovn-imdsv2

/test altinfra-e2e-aws-ovn-localzones

/test altinfra-e2e-aws-ovn-proxy

/test altinfra-e2e-aws-ovn-shared-vpc

/test altinfra-e2e-aws-ovn-shared-vpc-local-zones

/test altinfra-e2e-aws-ovn-shared-vpc-wavelength-zones

/test altinfra-e2e-aws-ovn-single-node

/test altinfra-e2e-aws-ovn-wavelengthzones

/test altinfra-e2e-azure-capi-ovn

/test altinfra-e2e-azure-ovn-shared-vpc

/test altinfra-e2e-gcp-capi-ovn

/test altinfra-e2e-gcp-ovn-byo-network-capi

/test altinfra-e2e-gcp-ovn-secureboot-capi

/test altinfra-e2e-gcp-ovn-xpn-capi

/test altinfra-e2e-ibmcloud-capi-ovn

/test altinfra-e2e-nutanix-capi-ovn

/test altinfra-e2e-openstack-capi-ccpmso

/test altinfra-e2e-openstack-capi-ccpmso-zone

/test altinfra-e2e-openstack-capi-dualstack

/test altinfra-e2e-openstack-capi-dualstack-upi

/test altinfra-e2e-openstack-capi-dualstack-v6primary

/test altinfra-e2e-openstack-capi-externallb

/test altinfra-e2e-openstack-capi-nfv-intel

/test altinfra-e2e-openstack-capi-ovn

/test altinfra-e2e-openstack-capi-proxy

/test altinfra-e2e-vsphere-capi-multi-vcenter-ovn

/test altinfra-e2e-vsphere-capi-ovn

/test altinfra-e2e-vsphere-capi-static-ovn

/test altinfra-e2e-vsphere-capi-zones

/test azure-ovn-marketplace-images

/test e2e-agent-4control-ipv4

/test e2e-agent-5control-ipv4

/test e2e-agent-compact-ipv4-add-nodes

/test e2e-agent-compact-ipv4-appliance-diskimage

/test e2e-agent-compact-ipv4-none-platform

/test e2e-agent-compact-ipv6-minimaliso

/test e2e-agent-ha-dualstack

/test e2e-agent-sno-ipv4-pxe

/test e2e-agent-sno-ipv6

/test e2e-aws-overlay-mtu-ovn-1200

/test e2e-aws-ovn-custom-iam-profile

/test e2e-aws-ovn-edge-zones

/test e2e-aws-ovn-fips

/test e2e-aws-ovn-heterogeneous

/test e2e-aws-ovn-imdsv2

/test e2e-aws-ovn-proxy

/test e2e-aws-ovn-public-ipv4-pool

/test e2e-aws-ovn-public-ipv4-pool-disabled

/test e2e-aws-ovn-public-subnets

/test e2e-aws-ovn-shared-vpc-custom-security-groups

/test e2e-aws-ovn-shared-vpc-edge-zones

/test e2e-aws-ovn-single-node

/test e2e-aws-ovn-techpreview

/test e2e-aws-ovn-upgrade

/test e2e-aws-ovn-workers-rhel8

/test e2e-aws-upi-proxy

/test e2e-azure-ovn-resourcegroup

/test e2e-azure-ovn-shared-vpc

/test e2e-azure-ovn-techpreview

/test e2e-azurestack

/test e2e-azurestack-upi

/test e2e-crc

/test e2e-external-aws

/test e2e-external-aws-ccm

/test e2e-gcp-ovn-byo-vpc

/test e2e-gcp-ovn-heterogeneous

/test e2e-gcp-ovn-techpreview

/test e2e-gcp-ovn-xpn

/test e2e-gcp-secureboot

/test e2e-gcp-upgrade

/test e2e-gcp-upi-xpn

/test e2e-gcp-user-provisioned-dns

/test e2e-ibmcloud-ovn

/test e2e-metal-assisted

/test e2e-metal-ipi-ovn

/test e2e-metal-ipi-ovn-dualstack

/test e2e-metal-ipi-ovn-swapped-hosts

/test e2e-metal-ipi-ovn-virtualmedia

/test e2e-metal-single-node-live-iso

/test e2e-nutanix-ovn

/test e2e-openstack-ccpmso

/test e2e-openstack-ccpmso-zone

/test e2e-openstack-dualstack

/test e2e-openstack-dualstack-upi

/test e2e-openstack-externallb

/test e2e-openstack-nfv-intel

/test e2e-openstack-proxy

/test e2e-openstack-singlestackv6

/test e2e-powervs-capi-ovn

/test e2e-vsphere-multi-vcenter-ovn

/test e2e-vsphere-ovn-multi-network

/test e2e-vsphere-ovn-techpreview

/test e2e-vsphere-ovn-upi-zones

/test e2e-vsphere-ovn-zones

/test e2e-vsphere-ovn-zones-techpreview

/test e2e-vsphere-static-ovn

/test okd-e2e-aws-ovn

/test okd-e2e-aws-ovn-upgrade

/test okd-e2e-gcp

/test okd-e2e-gcp-ovn-upgrade

/test okd-e2e-vsphere

/test okd-scos-e2e-aws-ovn

/test okd-scos-images

/test tf-fmt

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-master-altinfra-images

pull-ci-openshift-installer-master-aro-unit

pull-ci-openshift-installer-master-artifacts-images

pull-ci-openshift-installer-master-e2e-aws-ovn

pull-ci-openshift-installer-master-gofmt

pull-ci-openshift-installer-master-golint

pull-ci-openshift-installer-master-govet

pull-ci-openshift-installer-master-images

pull-ci-openshift-installer-master-okd-scos-e2e-aws-ovn

pull-ci-openshift-installer-master-okd-unit

pull-ci-openshift-installer-master-okd-verify-codegen

pull-ci-openshift-installer-master-shellcheck

pull-ci-openshift-installer-master-tf-fmt

pull-ci-openshift-installer-master-tf-lint

pull-ci-openshift-installer-master-unit

pull-ci-openshift-installer-master-verify-codegen

pull-ci-openshift-installer-master-verify-vendor

pull-ci-openshift-installer-master-yaml-lint

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot requested review from andfasano and barbacbd November 25, 2024 19:35
@sadasu
Copy link
Contributor Author

sadasu commented Nov 25, 2024

/test e2e-gcp-user-provisioned-dns

@sadasu sadasu force-pushed the mcs-certkey-updates branch from bb48726 to ded76e0 Compare November 26, 2024 16:18
@sadasu sadasu changed the title WIP: GCP: Custom-DNS testing OCPBUGS-29067: Update MCS Cert and Key files within bootstrap Ignition when UserProvisionedDNS is enabled Nov 26, 2024
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 26, 2024
@openshift-ci-robot
Copy link
Contributor

@sadasu: This pull request references Jira Issue OCPBUGS-29067, which is invalid:

  • expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.18.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 26, 2024
@sadasu
Copy link
Contributor Author

sadasu commented Nov 26, 2024

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 26, 2024
@openshift-ci-robot
Copy link
Contributor

@sadasu: This pull request references Jira Issue OCPBUGS-29067, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianli-wei

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from jianli-wei November 26, 2024 16:21
@openshift-ci-robot
Copy link
Contributor

@sadasu: This pull request references Jira Issue OCPBUGS-29067, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianli-wei

In response to this:

When UserProvisineDNS is enabled, the machine-config-server
cert is regenerated to respond to both the API-Int URL and API-Int LB IPs. This updated cert and key are added to machine-config-server-tls-secret.yaml within the bootstrap Ignition (as part of https://issues.redhat.com/browse/CORS-3709).

This PR updates the individual machine-config-server cert and key files generated also in the bootstrap ignition.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sadasu sadasu changed the title OCPBUGS-29067: Update MCS Cert and Key files within bootstrap Ignition when UserProvisionedDNS is enabled OCPBUGS-29067: Update MCS Cert and Key files within bootstrap Ignition with UserProvisionedDNS Nov 26, 2024
@sadasu sadasu force-pushed the mcs-certkey-updates branch from ded76e0 to 35fdbbf Compare December 2, 2024 20:35
barbacbd
barbacbd reviewed Dec 2, 2024
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

pkg/infrastructure/clusterapi/ignition.go Outdated
if err != nil {
return fmt.Errorf("failed to marshal MCS Cert: %w", err)
}
encoded := fmt.Sprintf("%s%s", replaceable, base64.StdEncoding.EncodeToString(mcsCertContents))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I wonder if we should make this into a function. Or better yet, figure out why the ignition encoding gets the charset but simple encoding does not I do not think this should hold up the Pr though.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 2, 2024
@sadasu
Copy link
Contributor Author

sadasu commented Dec 13, 2024

/test e2e-gcp-user-provisioned-dns

@sadasu sadasu force-pushed the mcs-certkey-updates branch from 35fdbbf to 38c4c9c Compare December 19, 2024 19:23
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: barbacbd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sadasu sadasu force-pushed the mcs-certkey-updates branch from 38c4c9c to f11a60e Compare December 19, 2024 19:51
@sadasu
Copy link
Contributor Author

sadasu commented Dec 19, 2024

/test e2e-gcp-user-provisioned-dns

zaneb
zaneb reviewed Dec 19, 2024
View reviewed changes
pkg/infrastructure/clusterapi/ignition.go

rawDecodedText, err := base64.StdEncoding.DecodeString(replaced)
contents := strings.Split(*config.Storage.Files[i].Contents.Source, ",")
rawDecodedText, err := base64.StdEncoding.DecodeString(contents[1])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer rawDecodedText, err := dataurl.DecodeString(*fileData.Contents.Source)

pkg/infrastructure/clusterapi/ignition.go
@@ -128,7 +128,7 @@ func addLoadBalancersToInfra(platform string, config *igntypes.Config, publicLBs
return fmt.Errorf("failed to marshal infrastructure: %w", err)
}

encoded := fmt.Sprintf("%s%s", replaceable, base64.StdEncoding.EncodeToString(infraContents))
encoded := fmt.Sprintf("%s%s", header, base64.StdEncoding.EncodeToString(infraContents))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer encoded := dataurl.EncodeBytes(infraContents)

@sadasu
Copy link
Contributor Author

sadasu commented Jan 7, 2025

/retest-required

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 7, 2025
@patrickdillon
Copy link
Contributor

/test e2e-gcp-user-provisioned-dns

@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2025
@sadasu
Custom DNS: Update MCS Cert and Key files within bootstrap Ignition
f7a2447 
When UserProvisineDNS is enabled, in addition to machine-config-server
cert file, also update the individual cert and key files within
the bootstrap Ignition.
@sadasu sadasu force-pushed the mcs-certkey-updates branch from f11a60e to f7a2447 Compare January 8, 2025 05:07
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2025
@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2025
@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

/test e2e-gcp-user-provisioned-dns

@patrickdillon
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2025
@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

From serial logs from master nodes [obtained from ci/prow/e2e-gcp-user-provisioned-dns logs]:

[  128.324177] ignition[803]: GET https://10.0.0.2:22623/config/master: attempt #5^M
[  128.364840] ignition[803]: GET result: OK^M

@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

Also, from the same logs:

Red Hat Enterprise Linux CoreOS 419.94.202501080056-0 4.19^M
SSH host key: SHA256:oGTizxf9F49t7LbzsCDl4Pf0EP60/JzOhle0LI/+lzI (ED25519)^M
SSH host key: SHA256:lqEHtwzInYomahgb+aLm/l6r3+EtJ+QsOaDk8ohkgBs (ECDSA)^M
SSH host key: SHA256:lHzpd2g2TdHV4PA2FHrJg78oMtaMAaaVe7eBcPkRZ6o (RSA)^M
ens4:  ^M
Ignition: ran on 2025/01/08 16:40:47 UTC (at least 2 boots ago)^M
Ignition: user-provided config was applied^M
ci-op-ng2zr748-3eb12-5xb5f-master-0 login: [   18.331235] Warning: Unmaintained driver is detected: nft_compat^M
[   20.934519] overlayfs: idmapped layers are currently not supported^M

@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

/cherry-pick release-4.18

@openshift-cherrypick-robot
Copy link

@sadasu: once the present PR merges, I will cherry-pick it on top of release-4.18 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@patrickdillon
Copy link
Contributor

/testwith openshift/installer/main/e2e-gcp-user-provisioned-dns openshift/machine-config-operator#4367

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 8, 2025

@sadasu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn 35fdbbf link true /test e2e-vsphere-ovn
ci/prow/openstack-manifests 35fdbbf link true /test openstack-manifests
ci/prow/e2e-gcp-ovn-upi 35fdbbf link true /test e2e-gcp-ovn-upi
ci/prow/e2e-gcp-ovn 35fdbbf link true /test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn-upi 35fdbbf link true /test e2e-vsphere-ovn-upi
ci/prow/e2e-gcp-user-provisioned-dns f7a2447 link false /test e2e-gcp-user-provisioned-dns

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sadasu
Copy link
Contributor Author

sadasu commented Jan 8, 2025

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Jan 8, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit c028d7c into openshift:main Jan 8, 2025
18 of 20 checks passed
@openshift-ci-robot
Copy link
Contributor

@sadasu: Jira Issue OCPBUGS-29067: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-29067 has not been moved to the MODIFIED state.

In response to this:

When UserProvisineDNS is enabled, the machine-config-server
cert is regenerated to respond to both the API-Int URL and API-Int LB IPs. This updated cert and key are added to machine-config-server-tls-secret.yaml within the bootstrap Ignition (as part of https://issues.redhat.com/browse/CORS-3709).

This PR updates the individual machine-config-server cert and key files generated also in the bootstrap ignition.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot
Copy link

@sadasu: new pull request created: #9348

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jan 8, 2025
Merged
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-altinfra
This PR has been included in build ose-installer-altinfra-container-v4.19.0-202501082214.p0.gc028d7c.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-baremetal-installer
This PR has been included in build ose-baremetal-installer-container-v4.19.0-202501082214.p0.gc028d7c.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-terraform-providers
This PR has been included in build ose-installer-terraform-providers-container-v4.19.0-202501082214.p0.gc028d7c.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-artifacts
This PR has been included in build ose-installer-artifacts-container-v4.19.0-202501082214.p0.gc028d7c.assembly.stream.el9.
All builds following this will include this PR.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Jan 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@barbacbd barbacbd barbacbd left review comments

@zaneb zaneb zaneb left review comments

@andfasano andfasano Awaiting requested review from andfasano

@jianli-wei jianli-wei Awaiting requested review from jianli-wei

Assignees

@patrickdillon patrickdillon

Labels
acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@sadasu @openshift-ci-robot @patrickdillon @openshift-cherrypick-robot @openshift-bot @zaneb @barbacbd