diff --git a/.automation b/.automation
index 7eefdb99f..7676aa89f 160000
--- a/.automation
+++ b/.automation
@@ -1 +1 @@
-Subproject commit 7eefdb99fe60df8eeac63004878ab4d44eb6d6ba
+Subproject commit 7676aa89f0fde7291a846179c8820a8acc5c69ce
diff --git a/.automation.conf/run-books/pulp-sync-content.sh b/.automation.conf/run-books/pulp-sync-content.sh
new file mode 100755
index 000000000..97ff18e9f
--- /dev/null
+++ b/.automation.conf/run-books/pulp-sync-content.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -euE
+set -o pipefail
+
+PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+KAYOBE_AUTOMATION_DIR="$(realpath "${PARENT}/../../.automation")"
+
+function main {
+ if [ "${PULP_DO_CONTAINER_SYNC:-}" = true ]; then
+ ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-sync.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"
+ fi
+ if [ "${PULP_DO_CONTAINER_PUBLISH:-}" = true ]; then
+ ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-publish.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"
+ fi
+ if [ "${PULP_DO_REPO_SYNC:-}" = true ]; then
+ ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-sync.yml'
+ fi
+ if [ "${PULP_DO_REPO_PUBLISH:-}" = true ]; then
+ ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-publish.yml'
+ fi
+ if [ "${PULP_DO_REPO_PROMOTE:-}" = true ]; then
+ ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-promote-production.yml'
+ fi
+}
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ main
+fi
diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index a041b4f33..ee106cc5f 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
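Review bot: In `main`, `-e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"` is passed to both container playbooks even when `PULP_KOLLA_FILTER` is unset, so Ansible receives an empty extra-var; extra-vars have the highest precedence, so this would silently override any non-empty default the playbook or config defines (the playbook is not visible here — confirm its default). Assuming `playbook-run.sh` forwards these arguments to `ansible-playbook`, a `-e key=value` string is also parsed as whitespace-separated pairs, so a filter value containing a space would be split into additional extra-vars, which matters if this run book is driven by CI inputs. Building the argument list only when a filter was supplied avoids both, and quoting `"${KAYOBE_AUTOMATION_DIR}"` keeps the call safe for a checkout path with spaces; note that expanding an empty array under `set -u` needs bash 4.4 or later (use `${filter_args[@]+"${filter_args[@]}"}` on older bash).
```shell
function main {
  local -a filter_args=()
  # Only pass the filter when one was supplied, so the playbook default is kept otherwise.
  if [[ -n "${PULP_KOLLA_FILTER:-}" ]]; then
    filter_args=(-e "stackhpc_pulp_images_kolla_filter=${PULP_KOLLA_FILTER}")
  fi
  if [ "${PULP_DO_CONTAINER_SYNC:-}" = true ]; then
    "${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh" '$KAYOBE_CONFIG_PATH/ansible/pulp-container-sync.yml' "${filter_args[@]}"
  fi
  if [ "${PULP_DO_CONTAINER_PUBLISH:-}" = true ]; then
    "${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh" '$KAYOBE_CONFIG_PATH/ansible/pulp-container-publish.yml' "${filter_args[@]}"
  fi
  # … unchanged: repo sync / publish / promote branches …
}
```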
@@ -32,6 +32,13 @@ jobs:
 runs-on: arc-skc-host-image-builder-runner
 permissions: {}
 steps:
+ - name: Validate inputs
+ run: |
+ if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+ echo "At least one distribution must be selected"
+ exit 1
+ fi
+
 - name: Install Package
 uses: ConorMacBride/install-package@main
 with:
diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml
index 06879459f..7b06b90d7 100644
--- a/.github/workflows/overcloud-host-image-promote.yml
+++ b/.github/workflows/overcloud-host-image-promote.yml
@@ -23,6 +23,13 @@ jobs:
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 runs-on: ubuntu-22.04
 steps:
+ - name: Validate inputs
+ run: |
+ if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+ echo "At least one distribution must be selected"
+ exit 1
+ fi
+
 - uses: actions/checkout@v4
 with:
 path: src/kayobe-config
diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml
index 7aceddd16..505a4b194 100644
--- a/.github/workflows/overcloud-host-image-upload.yml
+++ b/.github/workflows/overcloud-host-image-upload.yml
@@ -34,6 +34,13 @@ jobs:
 runs-on: arc-skc-host-image-builder-runner
 permissions: {}
 steps:
+ - name: Validate inputs
+ run: |
+ if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+ echo "At least one distribution must be selected"
+ exit 1
+ fi
+
 - name: Install package dependencies
 run: |
 sudo apt update
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index f045fdaec..9638fff9d 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
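Review bot: The new `Validate inputs` step interpolates `${{ inputs.rocky9 }}` and `${{ inputs.ubuntu-jammy }}` directly into the `run:` script, so if this job is ever reached from a trigger that does not define those inputs (the `on:` block is outside the hunk, so this cannot be confirmed here) the expressions expand to nothing and bash fails on `[[ == 'false'` with a syntax error instead of the intended check. Passing the values through `env:` and comparing the quoted variables is robust to that and keeps expression values out of the script body, which is the form GitHub recommends for `run:` steps. The same step is added verbatim in the promote and upload workflows in this change and the point applies there too; emitting `echo "::error::At least one distribution must be selected"` would additionally surface the reason as a run annotation.
```yaml
      - name: Validate inputs
        env:
          ROCKY9: ${{ inputs.rocky9 }}
          UBUNTU_JAMMY: ${{ inputs.ubuntu-jammy }}
        run: |
          if [[ "$ROCKY9" == 'false' && "$UBUNTU_JAMMY" == 'false' ]]; then
            echo "::error::At least one distribution must be selected"
            exit 1
          fi
```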
@@ -9,12 +9,12 @@ on:
 required: false
 default: ""
 overcloud:
- description: Build overcloud images?
+ description: Build container images for overcloud services?
 type: boolean
 required: false
 default: true
 seed:
- description: Build seed images?
+ description: Build container images for seed services?
 type: boolean
 required: false
 default: false
@@ -52,6 +52,17 @@ jobs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 openstack_release: ${{ steps.openstack_release.outputs.openstack_release }}
 steps:
+ - name: Validate inputs
+ run: |
+ if [[ ${{ inputs.rocky-linux-9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+ echo "At least one distribution must be selected"
+ exit 1
+ fi
+ if [[ ${{ inputs.overcloud }} == 'false' && ${{ inputs.seed }} == 'false' ]]; then
+ echo "At least one of overcloud or seed must be selected"
+ exit 1
+ fi
+
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst
index 28dc94de4..165ef5120 100644
--- a/doc/source/contributor/environments/ci-multinode.rst
+++ b/doc/source/contributor/environments/ci-multinode.rst
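Review bot: The second hunk's `Validate inputs` step embeds `${{ inputs.rocky-linux-9 }}`, `${{ inputs.ubuntu-jammy }}`, `${{ inputs.overcloud }}` and `${{ inputs.seed }}` straight into the `run:` script; the first hunk shows `overcloud` and `seed` are optional `workflow_dispatch`-style inputs with defaults, but for any trigger that supplies no inputs at all the expressions expand to empty and `[[ == 'false'` is a bash syntax error rather than the intended validation. Exposing the values through `env:` and comparing the quoted variables avoids that and keeps expression output out of the script body. Using `::error::` for the two messages also makes the failure reason visible as a run annotation.
```yaml
      - name: Validate inputs
        env:
          ROCKY_LINUX_9: ${{ inputs.rocky-linux-9 }}
          UBUNTU_JAMMY: ${{ inputs.ubuntu-jammy }}
          OVERCLOUD: ${{ inputs.overcloud }}
          SEED: ${{ inputs.seed }}
        run: |
          if [[ "$ROCKY_LINUX_9" == 'false' && "$UBUNTU_JAMMY" == 'false' ]]; then
            echo "::error::At least one distribution must be selected"
            exit 1
          fi
          if [[ "$OVERCLOUD" == 'false' && "$SEED" == 'false' ]]; then
            echo "::error::At least one of overcloud or seed must be selected"
            exit 1
          fi
```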
@@ -35,8 +35,15 @@ is not enabled by default. To enable it, set the following in
 kolla_enable_manila: true
 kolla_enable_manila_backend_cephfs_native: true
-And re-run ``kayobe overcloud service deploy`` if you are working on an existing
-deployment.
+If you are working on an existing deployment, you need to do the following first.
+
+1. Create CephFS pools: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-pools.yml``
+2. Create cephx key for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-keys.yml``
+3. Run Manila related Ceph commands: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-commands-post.yml``
+4. Gather Ceph configuration and keyring for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml``
+5. Configure Storage network on Seed node: ``kayobe seed host configure -t network,ip-allocation,snat``
+
+Then, run ``kayobe overcloud service deploy`` to deploy Manila.
 To test it, you will need two virtual machines. Cirros does not support the Ceph kernel client, so you will need to use a different image. Any regular Linux
@@ -108,35 +115,35 @@ Then create a share type and share:
 .. code-block:: bash
- manila type-create cephfs-type false --is_public true
- manila type-key cephfs-type set vendor_name=Ceph storage_protocol=CEPHFS
- manila create --name test-share --share-type cephfs-type CephFS 2
+ openstack share type create cephfs-type false --public true
+ openstack share type set cephfs-type --extra-specs vendor_name=Ceph, storage_protocol=CEPHFS
+ openstack share create --name test-share --share-type cephfs-type --public true CephFS 2
 Wait until the share is available:
 .. code-block:: bash
- manila list
+ openstack share list
 Then allow access to the shares to two users:
 .. code-block:: bash
- manila access-allow test-share cephx alice
- manila access-allow test-share cephx bob
+ openstack share access create test-share cephx alice
+ openstack share access create test-share cephx bob
 Show the access list to make sure the state of both entries is ``active`` and take note of the access keys:
 .. code-block:: bash
- manila access-list test-share
+ openstack share access list test-share
 And take note of the path to the share:
 .. code-block:: bash
- manila share-export-location-list test-share
+ openstack share export location list test-share
 SSH into the first instance, create a directory for the share, and mount it:
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
index 9fb53aabe..0708f655f 100644
--- a/doc/source/operations/upgrading-openstack.rst
+++ b/doc/source/operations/upgrading-openstack.rst
@@ -124,16 +124,11 @@ configuration.
 Known issues
 ============
-* OVN breaks on Rocky 9 deployments where hostnames are FQDNs.
- Before upgrading, you must make sure no compute or controller nodes have any
- ``.`` characters in their hostnames. Run the command below to check:
-
- .. code-block:: bash
-
- kayobe overcloud host command run --command "grep -v \'\.\' /etc/hostname" --show-output
-
- There is currently no known fix for this issue aside from reprovisioning. A
- patch will be developed soon.
+* Due to an incorrect default value NGS will attempt to use v3alpha for the api
+ path when communicating with etcd3. This isn't possible as in Caracal etcd is
+ running a newer version that has dropped support for v3alpha. You can work
+ around this in custom config, see the SMS PR for an example:
+ https://github.com/stackhpc/smslab-kayobe-config/pull/354
 Security baseline
 =================
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index 589068d72..72d083a61 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -11,7 +11,7 @@ collections:
 - name: stackhpc.hashicorp
 version: 2.5.1
 - name: stackhpc.kayobe_workflows
- version: 1.0.3
+ version: 1.1.0
 roles:
 - src: stackhpc.vxlan
 - name: ansible-lockdown.ubuntu22_cis
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
index 8f85eef15..424cc8f73 100644
--- a/etc/kayobe/kolla-image-tags.yml
+++ b/etc/kayobe/kolla-image-tags.yml
@@ -28,3 +28,12 @@ kolla_image_tags:
 ubuntu-jammy: 2024.1-ubuntu-jammy-20240910T072617
 rabbitmq:
 rocky-9: 2024.1-rocky-9-20240927T152945
+ ironic:
+ rocky-9: 2024.1-rocky-9-20241022T090648
+ ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648
+ ironic_dnsmasq:
+ rocky-9: 2024.1-rocky-9-20241022T090648
+ ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648
+ ironic_neutron_agent:
+ rocky-9: 2024.1-rocky-9-20241022T090648
+ ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 4e5956182..b68be4991 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -122,12 +122,12 @@ stackhpc_pulp_deb_repos:
 components: "stable"
 required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
- - name: "Docker CE for Ubuntu Jammy"
+ - name: "Ceph Reef for Debian"
 url: "{{ stackhpc_release_pulp_content_url }}/ceph/debian-reef/{{ stackhpc_pulp_repo_ceph_reef_debian_version }}"
- distribution_name: "docker-ce-for-ubuntu-jammy-"
- base_path: "docker-ce/ubuntu-jammy/"
+ distribution_name: "ceph-reef-debian-"
+ base_path: "ceph/debian-reef/"
 distributions: "jammy"
- components: "stable"
+ components: "main"
 required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 # Publication format is a subset of distribution.
diff --git a/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml
new file mode 100644
index 000000000..ee5167ce9
--- /dev/null
+++ b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes creation and failover of Octavia TLS-terminated load balancers when
+ storing the certificate and key as a PKCS12 bundle in Barbican.
diff --git a/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml b/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml
new file mode 100644
index 000000000..ae0bd5b5f
--- /dev/null
+++ b/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Fixes `OSSA-2024-004
+ `_ with updated
+ container images for Ironic.
diff --git a/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml
new file mode 100644
index 000000000..f8e2e32a3
--- /dev/null
+++ b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml
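Review bot: The pulp.yml hunk changes this entry's `base_path` from `docker-ce/ubuntu-jammy/` to `ceph/debian-reef/` and its `distribution_name` to match, so the old `docker-ce/ubuntu-jammy/` distribution is no longer created by this entry; the `url` context line shows it was already pointing at the Ceph Reef content, so the rename corrects a mislabel, but whether a separate real Docker CE entry exists cannot be seen here since `stackhpc_pulp_deb_repos` starts above the hunk. Please confirm one does, otherwise clients configured against the old path silently lose the Docker CE repository and the entry should be re-added rather than renamed. A one-line comment above the entry, `# Ceph Reef Debian packages consumed by Ubuntu Jammy hosts, hence the jammy sync gate`, would also explain why a Debian-named repo is controlled by `stackhpc_pulp_sync_ubuntu_jammy`.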
@@ -0,0 +1,23 @@
+---
+features:
+ - |
+ Upgrades kayobe-automation submodule to ``7676aa8``.
+
+ Upgrades kayobe-workflows collection to ``v1.1.0``.
+
+ Kayobe-automation config-diff now runs in parallel and generates both
+ the old and new configuration at the same time. This should improve
+ config-diff wait times.
+
+ Add support for the `pulp-sync-content` run book.
+deprecations:
+ - |
+ Kayobe-automation will now automatically detect vaulted files for the
+ purpose of config-diff therefore, ``KAYOBE_CONFIG_SECRET_PATHS_EXTRA`` and
+ ``KAYOBE_CONFIG_VAULTED_FILES_PATHS_EXTRA`` are no longer used
+security:
+ - |
+ The upgraded kayobe-workflows collection increases the version of various
+ Actions and containers used within GitHub based workflows, including increasing
+ Docker in Docker to version ``27.3.1`` thus removing the vunerabilities present
+ in ``24.0-git``.