From abf4976a8d9db54b2170ccac46d62810e8f845f1 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 1 Oct 2024 09:22:36 +0100 Subject: [PATCH 01/19] Validate inputs to github workflows --- .github/workflows/overcloud-host-image-build.yml | 7 +++++++ .../workflows/overcloud-host-image-promote.yml | 7 +++++++ .github/workflows/overcloud-host-image-upload.yml | 7 +++++++ .../workflows/stackhpc-container-image-build.yml | 15 +++++++++++++-- 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml index 29354217d..875b77755 100644 --- a/.github/workflows/overcloud-host-image-build.yml +++ b/.github/workflows/overcloud-host-image-build.yml @@ -32,6 +32,13 @@ jobs: runs-on: arc-skc-host-image-builder-runner permissions: {} steps: + - name: Validate inputs + run: | + if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then + echo "At least one distribution must be selected" + exit 1 + fi + - name: Install Package uses: ConorMacBride/install-package@main with: diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml index a8a64f60f..601c2629f 100644 --- a/.github/workflows/overcloud-host-image-promote.yml +++ b/.github/workflows/overcloud-host-image-promote.yml @@ -23,6 +23,13 @@ jobs: if: github.repository == 'stackhpc/stackhpc-kayobe-config' runs-on: ubuntu-22.04 steps: + - name: Validate inputs + run: | + if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then + echo "At least one distribution must be selected" + exit 1 + fi + - uses: actions/checkout@v4 with: path: src/kayobe-config diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml index b08f57381..459dd4709 100644 --- a/.github/workflows/overcloud-host-image-upload.yml +++ b/.github/workflows/overcloud-host-image-upload.yml 
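Review bot: The new `Validate inputs` step in overcloud-host-image-build.yml expands `${{ inputs.rocky9 }}` and `${{ inputs.ubuntu-jammy }}` straight into the `run:` script, so the input text becomes shell source before bash parses it. The input declarations are outside this hunk; if they are all `type: boolean` the values are limited to true/false, but an unset or string-typed input would either break the `[[ ]]` test or be interpreted as shell. Passing the values through `env:` and comparing quoted variables removes that dependency. The same step is added in overcloud-host-image-promote.yml, overcloud-host-image-upload.yml and stackhpc-container-image-build.yml (which also does it for `inputs.overcloud` and `inputs.seed`), and would take the same change.

```yaml
      - name: Validate inputs
        env:
          ROCKY9: ${{ inputs.rocky9 }}
          UBUNTU_JAMMY: ${{ inputs.ubuntu-jammy }}
        run: |
          if [[ "$ROCKY9" == 'false' && "$UBUNTU_JAMMY" == 'false' ]]; then
          # … unchanged: echo message, exit 1, fi …
```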
@@ -34,6 +34,13 @@ jobs: runs-on: arc-skc-host-image-builder-runner permissions: {} steps: + - name: Validate inputs + run: | + if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then + echo "At least one distribution must be selected" + exit 1 + fi + - name: Install package dependencies run: | sudo apt update diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index 6721ebab4..2a7b6079c 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml @@ -9,12 +9,12 @@ on: required: false default: "" overcloud: - description: Build overcloud images? + description: Build container images for overcloud services? type: boolean required: false default: true seed: - description: Build seed images? + description: Build container images for seed services? type: boolean required: false default: false @@ -52,6 +52,17 @@ jobs: matrix: ${{ steps.set-matrix.outputs.matrix }} openstack_release: ${{ steps.openstack_release.outputs.openstack_release }} steps: + - name: Validate inputs + run: | + if [[ ${{ inputs.rocky-linux-9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then + echo "At least one distribution must be selected" + exit 1 + fi + if [[ ${{ inputs.overcloud }} == 'false' && ${{ inputs.seed }} == 'false' ]]; then + echo "At least one of overcloud or seed must be selected" + exit 1 + fi + - name: Checkout uses: actions/checkout@v4 From 7732ad1f4f84d0dd133e474bf856473cb0983438 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Fri, 4 Oct 2024 15:59:05 +0100 Subject: [PATCH 02/19] Add step to re-run cephadm playbook before deploy manila --- doc/source/contributor/environments/ci-multinode.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index 9f11a8a33..8d8e4afdf 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst @@ -30,8 +30,12 @@ is not enabled by default. To enable it, set the following in kolla_enable_manila: true kolla_enable_manila_backend_cephfs_native: true -And re-run ``kayobe overcloud service deploy`` if you are working on an existing -deployment. +If you are working on an existing deployment, re-run Cephadm playbook by +``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml`` +to add Ceph configurations (such as Manila pools and CephFS file system) +for Manila. + +Then, run ``kayobe overcloud service deploy`` to deploy Manila. To test it, you will need two virtual machines. Cirros does not support the Ceph kernel client, so you will need to use a different image. Any regular Linux From 8776e3db0c1a29dedcb7f87122bc3bb1f7fe9ce2 Mon Sep 17 00:00:00 2001 From: Seunghun Lee <45145778+seunghun1ee@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:03:15 +0100 Subject: [PATCH 03/19] Minor wording changes Co-authored-by: Alex-Welsh <112560678+Alex-Welsh@users.noreply.github.com> --- doc/source/contributor/environments/ci-multinode.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index 8d8e4afdf..08343976a 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -30,9 +30,9 @@ is not enabled by default. To enable it, set the following in kolla_enable_manila: true kolla_enable_manila_backend_cephfs_native: true -If you are working on an existing deployment, re-run Cephadm playbook by +If you are working on an existing deployment, re-run the Cephadm playbook ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml`` -to add Ceph configurations (such as Manila pools and CephFS file system) +to add the Ceph configuration (such as pools and CephFS file systems) for Manila. Then, run ``kayobe overcloud service deploy`` to deploy Manila. From 4964c887f82fbb4d80cb7d785c8dfe78acae11ad Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Wed, 9 Oct 2024 14:24:49 +0100 Subject: [PATCH 04/19] Update testing Ubuntu image to 22.04 --- doc/source/contributor/environments/ci-multinode.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index 08343976a..318937fe5 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -39,19 +39,19 @@ Then, run ``kayobe overcloud service deploy`` to deploy Manila. To test it, you will need two virtual machines. Cirros does not support the Ceph kernel client, so you will need to use a different image. Any regular Linux -distribution should work. As an example, this guide will use Ubuntu 20.04. +distribution should work. As an example, this guide will use Ubuntu 22.04. Download the image locally: .. code-block:: bash - wget http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img + wget http://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img Upload the image to Glance: .. code-block:: bash - openstack image create --container-format bare --disk-format qcow2 --file focal-server-cloudimg-amd64.img Ubuntu-20.04 --progress + openstack image create --container-format bare --disk-format qcow2 --file jammy-server-cloudimg-amd64.img Ubuntu-22.04 --progress Create a keypair: @@ -63,8 +63,8 @@ Create two virtual machines from the image: .. code-block:: bash - openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 - openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 + openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 + openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 Wait until the instances are active. It is worth noting that this process can take a while, especially if the overcloud is deployed to virtual machines. You From f5bd9f954f18e80b6ea6e5ccf34bf7f3fd213564 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Wed, 9 Oct 2024 14:26:03 +0100 Subject: [PATCH 05/19] Only run necessary playbooks --- doc/source/contributor/environments/ci-multinode.rst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index 318937fe5..ca868c16e 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst @@ -30,10 +30,12 @@ is not enabled by default. To enable it, set the following in kolla_enable_manila: true kolla_enable_manila_backend_cephfs_native: true -If you are working on an existing deployment, re-run the Cephadm playbook -``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml`` -to add the Ceph configuration (such as pools and CephFS file systems) -for Manila. +If you are working on an existing deployment, you need to do the following first. + +1. Create CephFS pools: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-pools.yml`` +2. Create cephx key for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-keys.yml`` +3. Run Manila related Ceph commands: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-commands-post.yml`` +4. Gather Ceph configuration and keyring for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml`` Then, run ``kayobe overcloud service deploy`` to deploy Manila. From 2b1df124afea05dbc3877bdab04b7d699f608022 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Wed, 9 Oct 2024 14:55:07 +0100 Subject: [PATCH 06/19] Update Manila commands --- .../contributor/environments/ci-multinode.rst | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index ca868c16e..595be67b2 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -109,35 +109,36 @@ Then create a share type and share: .. code-block:: bash - manila type-create cephfs-type false --is_public true - manila type-key cephfs-type set vendor_name=Ceph storage_protocol=CEPHFS - manila create --name test-share --share-type cephfs-type CephFS 2 + openstack share type create cephfs-type false --public true + openstack share type set cephfs-type --extra-specs vendor_name=Ceph + openstack share type set cephfs-type --extra-specs storage_protocol=CEPHFS + openstack share create --name test-share --share-type cephfs-type --public true CephFS 2 Wait until the share is available: .. code-block:: bash - manila list + openstack share list Then allow access to the shares to two users: .. code-block:: bash - manila access-allow test-share cephx alice - manila access-allow test-share cephx bob + openstack share access create test-share cephx alice + openstack share access create test-share cephx bob Show the access list to make sure the state of both entries is ``active`` and take note of the access keys: .. code-block:: bash - manila access-list test-share + openstack share access list test-share And take note of the path to the share: .. code-block:: bash - manila share-export-location-list test-share + openstack share export location list test-share SSH into the first instance, create a directory for the share, and mount it: From 1c412a9b7b860e63d32c6d75724c8028f194ad91 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Wed, 9 Oct 2024 16:04:26 +0100 Subject: [PATCH 07/19] Add seed host configure step for storage network --- doc/source/contributor/environments/ci-multinode.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index 595be67b2..a9fc9fe22 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -36,6 +36,7 @@ If you are working on an existing deployment, you need to do the following first 2. Create cephx key for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-keys.yml`` 3. Run Manila related Ceph commands: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-commands-post.yml`` 4. Gather Ceph configuration and keyring for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml`` +5. Configure Storage network on Seed node: ``kayobe seed host configure -t network,ip-allocation,snat`` Then, run ``kayobe overcloud service deploy`` to deploy Manila. From afa18fd0e588d1278be9c1a492cdf65a732de28a Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Wed, 9 Oct 2024 16:58:44 +0100 Subject: [PATCH 08/19] Revert "Update testing Ubuntu image to 22.04" This reverts commit f5950fc3d7f65300acaaf65daf24f285eec787fb. It was found that Ubuntu 22.04 client has a problem with mount. Keep using Ubuntu 20.04 until fix is found --- doc/source/contributor/environments/ci-multinode.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index a9fc9fe22..ed4b1f9f6 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -42,19 +42,19 @@ Then, run ``kayobe overcloud service deploy`` to deploy Manila. To test it, you will need two virtual machines. Cirros does not support the Ceph kernel client, so you will need to use a different image. Any regular Linux -distribution should work. As an example, this guide will use Ubuntu 22.04. +distribution should work. As an example, this guide will use Ubuntu 20.04. Download the image locally: .. code-block:: bash - wget http://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img + wget http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img Upload the image to Glance: .. code-block:: bash - openstack image create --container-format bare --disk-format qcow2 --file jammy-server-cloudimg-amd64.img Ubuntu-22.04 --progress + openstack image create --container-format bare --disk-format qcow2 --file focal-server-cloudimg-amd64.img Ubuntu-20.04 --progress Create a keypair: @@ -66,8 +66,8 @@ Create two virtual machines from the image: .. code-block:: bash - openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 - openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 + openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 + openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 Wait until the instances are active. It is worth noting that this process can take a while, especially if the overcloud is deployed to virtual machines. You From d6acc56ef689b33d1083e7dad0b4116d6b03982c Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Thu, 10 Oct 2024 10:31:17 +0100 Subject: [PATCH 09/19] Merge separated share type set --- doc/source/contributor/environments/ci-multinode.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index ed4b1f9f6..22e1d53a5 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst @@ -111,8 +111,7 @@ Then create a share type and share: .. code-block:: bash openstack share type create cephfs-type false --public true - openstack share type set cephfs-type --extra-specs vendor_name=Ceph - openstack share type set cephfs-type --extra-specs storage_protocol=CEPHFS + openstack share type set cephfs-type --extra-specs vendor_name=Ceph, storage_protocol=CEPHFS openstack share create --name test-share --share-type cephfs-type --public true CephFS 2 Wait until the share is available: From 9d344775769f0edb79405d926cb0f90b75b994e8 Mon Sep 17 00:00:00 2001 From: Jakub Darmach Date: Wed, 15 May 2024 09:34:01 +0200 Subject: [PATCH 10/19] Fix rabbitmq-reset.yml trying to restart wrong services Fixes egrep passed to systemctl attempting to restart other services containing nova in the name: ``` stderr: |- Failed to restart dev-disk-byx2did-dmx2dnamex2drootvgx2dlv_nova.device: Job type restart is not applicable for unit dev-disk-byx2did-dmx2dnamex2drootvgx2dlv_nova.device. Failed to restart dev-mapper-rootvgx2dlv_nova.device: Job type restart is not applicable for unit dev-mapper-rootvgx2dlv_nova.device. Failed to restart dev-rootvg-lv_nova.device: Job type restart is not applicable for unit dev-rootvg-lv_nova.device. ``` --- etc/kayobe/ansible/rabbitmq-reset.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/rabbitmq-reset.yml b/etc/kayobe/ansible/rabbitmq-reset.yml index 82e7ee992..b068413a5 100644 --- a/etc/kayobe/ansible/rabbitmq-reset.yml +++ b/etc/kayobe/ansible/rabbitmq-reset.yml 
@@ -68,4 +68,4 @@ # The following services use RabbitMQ. - name: Restart OpenStack services shell: >- - systemctl -a | egrep '(barbican|blazar|cinder|cloudkitty|designate|heat|ironic|keystone|magnum|manila|neutron|nova|octavia)' | awk '{ print $1 }' | xargs systemctl restart + systemctl -a | egrep 'kolla-(barbican|blazar|cinder|cloudkitty|designate|heat|ironic|keystone|magnum|manila|neutron|nova|octavia)' | awk '{ print $1 }' | xargs systemctl restart From c74aad88f9204dd1ef5e7eebf11fcbd83a1bbe9d Mon Sep 17 00:00:00 2001 From: Alex-Welsh <112560678+Alex-Welsh@users.noreply.github.com> Date: Fri, 11 Oct 2024 11:46:07 +0100 Subject: [PATCH 11/19] Add upgrade-prerequisites script for CI (#1308) * Add upgrade-prerequisites script for CI * Apply suggestions from code review Co-authored-by: Matt Crees --------- Co-authored-by: Matt Crees --- tools/upgrade-prerequisites.sh | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100755 tools/upgrade-prerequisites.sh diff --git a/tools/upgrade-prerequisites.sh b/tools/upgrade-prerequisites.sh new file mode 100755 index 000000000..f2a20666b --- /dev/null +++ b/tools/upgrade-prerequisites.sh 
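Review bot: The `kolla-` prefix narrows the match, but the `egrep` in `Restart OpenStack services` still searches every column of `systemctl -a` output for every unit type, so a non-service unit or a description containing, say, `kolla-nova` would still be handed to `systemctl restart`. Listing only service units and anchoring on the unit name is tighter: `systemctl list-units --all --type=service --plain --no-legend | egrep '^kolla-(barbican|…|octavia)'`. Adding `-r` to `xargs` (GNU xargs) would also stop a bare `systemctl restart` from running when nothing matches. The play this task belongs to starts outside the hunk.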
@@ -0,0 +1,48 @@ +#! /usr/bin/bash + +# This script is intended to be run in CI to test upgrades. +# It executes any preparation steps that must be perfomed before upgrading +# OpenStack services. + +# NOTE(upgrade): This script is unique to each release. It may not be required +# for some releases. + +set -ex + +function prechecks() { + if [[ ! $KAYOBE_CONFIG_PATH ]]; then + echo "Environment variable \$KAYOBE_CONFIG_PATH is not defined" + echo "Ensure your environment is set up to run kayobe commands" + exit 2 + fi +} + +function rabbit_upgrade() { + # Ensure RabbitMQ is upgraded to 3.13 + if kayobe overcloud host command run -l controllers -b --command "docker exec rabbitmq rabbitmqctl --version | grep -F 3.11." --show-output; then + kayobe kolla ansible run "rabbitmq-upgrade 3.12" + fi + sleep 200 + if kayobe overcloud host command run -l controllers -b --command "docker exec rabbitmq rabbitmqctl --version | grep -F 3.12." --show-output; then + kayobe kolla ansible run "rabbitmq-upgrade 3.13" + fi +} + +function rabbit_migration() { + if ! kayobe overcloud host command run -l controllers -b --command "docker exec $RABBITMQ_CONTAINER_NAME rabbitmqctl list_queues type | grep quorum"; then + # Set quorum flag, execute RabbitMQ queue migration script, unset quorum flag (to avoid git conflicts) + sed -i -e 's/om_enable_rabbitmq_high_availability: true/om_enable_rabbitmq_high_availability: false/' \ + -e 's/om_enable_rabbitmq_quorum_queues: false/om_enable_rabbitmq_quorum_queues: true/' \ + $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml + + $KAYOBE_CONFIG_ROOT/tools/rabbitmq-quorum-migration.sh + + sed -i -e 's/om_enable_rabbitmq_high_availability: false/om_enable_rabbitmq_high_availability: true/' \ + -e 's/om_enable_rabbitmq_quorum_queues: true/om_enable_rabbitmq_quorum_queues: false/' \ + $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml + fi +} + +prechecks +rabbit_upgrade +rabbit_migration 
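Review bot: `prechecks` only verifies `$KAYOBE_CONFIG_PATH`, yet `rabbit_migration` also expands `$KAYOBE_ENVIRONMENT` and `$KAYOBE_CONFIG_ROOT` unquoted, and the script runs without `set -u`. With `KAYOBE_CONFIG_ROOT` unset the script would try to execute `/tools/rabbitmq-quorum-migration.sh`, and with `KAYOBE_ENVIRONMENT` unset `sed -i` targets `environments//kolla/globals.yml`. Checking all three variables up front and quoting the expansions avoids that. Separately, because of `set -e`, a failure of the migration script leaves `globals.yml` with the quorum flags flipped; a `trap` that restores them would keep the checkout clean.

```shell
function prechecks() {
    local var
    for var in KAYOBE_CONFIG_PATH KAYOBE_CONFIG_ROOT KAYOBE_ENVIRONMENT; do
        if [[ -z "${!var:-}" ]]; then
            echo "Environment variable \$${var} is not defined"
            echo "Ensure your environment is set up to run kayobe commands"
            exit 2
        fi
    done
}
# … unchanged: rabbit_upgrade, rabbit_migration, top-level calls …
```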
From e95a0205e86bad6b53bc8fa01a993614efc4ac85 Mon Sep 17 00:00:00 2001 From: Seunghun Lee <45145778+seunghun1ee@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:03:52 +0100 Subject: [PATCH 12/19] Fix unassigned rabbitmq container name (#1330) --- tools/upgrade-prerequisites.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/upgrade-prerequisites.sh b/tools/upgrade-prerequisites.sh index f2a20666b..aa66708c3 100755 --- a/tools/upgrade-prerequisites.sh +++ b/tools/upgrade-prerequisites.sh @@ -29,7 +29,7 @@ function rabbit_upgrade() { } function rabbit_migration() { - if ! kayobe overcloud host command run -l controllers -b --command "docker exec $RABBITMQ_CONTAINER_NAME rabbitmqctl list_queues type | grep quorum"; then + if ! kayobe overcloud host command run -l controllers -b --command "docker exec rabbitmq rabbitmqctl list_queues type | grep quorum"; then # Set quorum flag, execute RabbitMQ queue migration script, unset quorum flag (to avoid git conflicts) sed -i -e 's/om_enable_rabbitmq_high_availability: true/om_enable_rabbitmq_high_availability: false/' \ -e 's/om_enable_rabbitmq_quorum_queues: false/om_enable_rabbitmq_quorum_queues: true/' \ From bad366e715b0c4862023b0a4a36f7d31ed139661 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 15 Oct 2024 12:53:05 +0200 Subject: [PATCH 13/19] Build Octavia from StackHPC fork This fixes issues with creation and failover of TLS-terminated Octavia load balancers following our bump of pyOpenSSL [1] because of the removal of load_pkcs12 [2]. [1] https://github.com/stackhpc/requirements/pull/20 [2] https://bugs.launchpad.net/octavia/+bug/2042787 --- etc/kayobe/kolla-image-tags.yml | 4 ++-- etc/kayobe/kolla.yml | 4 ++++ .../fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml | 5 +++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml 
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index 2d7a5bd65..017319e3d 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -39,8 +39,8 @@ kolla_image_tags: rocky-9: 2023.1-rocky-9-20240926T151818 ubuntu-jammy: 2023.1-ubuntu-jammy-20240926T151818 octavia: - rocky-9: 2023.1-rocky-9-20240730T090421 - ubuntu-jammy: 2023.1-ubuntu-jammy-20240730T090421 + rocky-9: 2023.1-rocky-9-20241015T100903 + ubuntu-jammy: 2023.1-ubuntu-jammy-20241015T100903 opensearch: ubuntu-jammy: 2023.1-ubuntu-jammy-20240509T094444 openvswitch: diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index b6cc34475..c7fcc0675 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -155,6 +155,10 @@ kolla_sources: type: git location: https://github.com/stackhpc/networking-mlnx reference: stackhpc/{{ openstack_release }} + octavia-base: + type: git + location: https://github.com/stackhpc/octavia.git + reference: stackhpc/{{ openstack_release }} ############################################################################### # Kolla image build configuration. diff --git a/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml new file mode 100644 index 000000000..ee5167ce9 --- /dev/null +++ b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes creation and failover of Octavia TLS-terminated load balancers when + storing the certificate and key as a PKCS12 bundle in Barbican. From 57287fbeaca7bbdd6b52f6456b2b1d5db8c036b0 Mon Sep 17 00:00:00 2001 
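Review bot: The new `octavia-base` entry in `kolla_sources` (etc/kayobe/kolla.yml) has no comment saying why Octavia is built from the StackHPC fork, so nothing in the file tells a maintainer when it can be dropped. A comment above the entry such as `# Built from the StackHPC fork for https://bugs.launchpad.net/octavia/+bug/2042787 (load_pkcs12 removal); remove once fixed upstream.` would record that. As with the neighbouring entry, `reference: stackhpc/{{ openstack_release }}` looks like a branch name, so the built image contents depend on when the build runs; pinning a tag or commit would make a rebuilt image traceable, if that matters here. The `kolla_sources` mapping starts outside the hunk.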
From: Jack Hodgkiss Date: Wed, 16 Oct 2024 10:50:19 +0100 Subject: [PATCH 14/19] feat: update `kayobe-automation` submodule and `workflows` (#1309) * feat: update `kayobe-automation` submodule and `workflows` Upgrade both the submodule used by `kayobe-automation` and the workflows collection that can generate `GitHub` workflows. Changes include: - Run config-diff in parallel - Automation detect vaulted files for config-diff - Add support for running hooks that use roles - Improvements to Tempest including the ability to run only failed tests - Use less verbose input descriptions - Bump up and pin the version of Actions and containers used by the workflows --- .automation | 2 +- .../run-books/pulp-sync-content.sh | 29 +++++++++++++++++++ etc/kayobe/ansible/requirements.yml | 2 +- ...te-kayobe-automation-55fc9c5c380d819c.yaml | 23 +++++++++++++++ 4 files changed, 54 insertions(+), 2 deletions(-) create mode 100755 .automation.conf/run-books/pulp-sync-content.sh create mode 100644 releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml diff --git a/.automation b/.automation index 7eefdb99f..7676aa89f 160000 --- a/.automation +++ b/.automation @@ -1 +1 @@ -Subproject commit 7eefdb99fe60df8eeac63004878ab4d44eb6d6ba +Subproject commit 7676aa89f0fde7291a846179c8820a8acc5c69ce diff --git a/.automation.conf/run-books/pulp-sync-content.sh b/.automation.conf/run-books/pulp-sync-content.sh new file mode 100755 index 000000000..97ff18e9f --- /dev/null +++ b/.automation.conf/run-books/pulp-sync-content.sh 
@@ -0,0 +1,29 @@ +#!/bin/bash + +set -euE +set -o pipefail + +PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +KAYOBE_AUTOMATION_DIR="$(realpath "${PARENT}/../../.automation")" + +function main { + if [ "${PULP_DO_CONTAINER_SYNC:-}" = true ]; then + ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-sync.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}" + fi + if [ "${PULP_DO_CONTAINER_PUBLISH:-}" = true ]; then + ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-publish.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}" + fi + if [ "${PULP_DO_REPO_SYNC:-}" = true ]; then + ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-sync.yml' + fi + if [ "${PULP_DO_REPO_PUBLISH:-}" = true ]; then + ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-publish.yml' + fi + if [ "${PULP_DO_REPO_PROMOTE:-}" = true ]; then + ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-promote-production.yml' + fi +} + +if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then + main +fi diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 2bb4047ce..144cc3ac8 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -11,7 +11,7 @@ collections: - name: stackhpc.hashicorp version: 2.5.1 - name: stackhpc.kayobe_workflows - version: 1.0.3 + version: 1.1.0 roles: - src: stackhpc.vxlan - name: ansible-lockdown.ubuntu22_cis diff --git a/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml new file mode 100644 index 000000000..f8e2e32a3 --- /dev/null +++ b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml 
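Review bot: `PULP_KOLLA_FILTER` is passed as `-e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"` in `main` of pulp-sync-content.sh; if `playbook-run.sh` forwards that to Ansible unchanged (not visible here), a value containing whitespace would be parsed as further `key=value` extra vars rather than as part of the filter. Rejecting whitespace before the two calls keeps the variable to a single value: `if [[ "${PULP_KOLLA_FILTER:-}" =~ [[:space:]] ]]; then echo "PULP_KOLLA_FILTER must not contain whitespace" >&2; exit 1; fi`. `${KAYOBE_AUTOMATION_DIR}` is also expanded unquoted on every call and should be `"${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh"`. A short comment that the single-quoted `'$KAYOBE_CONFIG_PATH/…'` arguments are deliberately left unexpanded for `playbook-run.sh` would help readers, if that is the intent.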
@@ -0,0 +1,23 @@ +--- +features: + - | + Upgrades kayobe-automation submodule to ``7676aa8``. + + Upgrades kayobe-workflows collection to ``v1.1.0``. + + Kayobe-automation config-diff now runs in parallel and generates both + the old and new configuration at the same time. This should improve + config-diff wait times. + + Add support for the `pulp-sync-content` run book. +deprecations: + - | + Kayobe-automation will now automatically detect vaulted files for the + purpose of config-diff therefore, ``KAYOBE_CONFIG_SECRET_PATHS_EXTRA`` and + ``KAYOBE_CONFIG_VAULTED_FILES_PATHS_EXTRA`` are no longer used +security: + - | + The upgraded kayobe-workflows collection increases the version of various + Actions and containers used within GitHub based workflows, including increasing + Docker in Docker to version ``27.3.1`` thus removing the vunerabilities present + in ``24.0-git``. From 0205825babe5d03cf210a6f1a5ffb44e37f39959 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Thu, 17 Oct 2024 09:28:21 +0200 Subject: [PATCH 15/19] trivy: Add more repositories to handle rate limits More repositories are configured to avoid issues when ghcr.io hits rate limits. If the primary repository fails due to rate limiting, the system will fall back to the public ECR repository [1] [1] https://github.com/aquasecurity/trivy/discussions/7668#discussioncomment-10892093 --- tools/scan-images.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/scan-images.sh b/tools/scan-images.sh index 3ee7d3edf..d71aec4b2 100755 --- a/tools/scan-images.sh +++ b/tools/scan-images.sh 
@@ -54,6 +54,10 @@ for image in $images; do --severity HIGH,CRITICAL \ --output image-scan-output/${filename}.json \ --ignore-unfixed \ + --db-repository ghcr.io/aquasecurity/trivy-db:2 \ + --db-repository public.ecr.aws/aquasecurity/trivy-db \ + --java-db-repository ghcr.io/aquasecurity/trivy-java-db:1 \ + --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \ $image); then # Clean up the output file for any images with no vulnerabilities rm -f image-scan-output/${filename}.json From 3c7de26c01d7db29d0392c07fb50d014b10b6745 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Mon, 21 Oct 2024 16:32:57 +0100 Subject: [PATCH 16/19] Docment etcd known issue in 2024.1 upgrade --- doc/source/operations/upgrading-openstack.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst index c4e1bb6f0..5b6c2ce65 100644 --- a/doc/source/operations/upgrading-openstack.rst +++ b/doc/source/operations/upgrading-openstack.rst @@ -127,6 +127,12 @@ Known issues There is currently no known fix for this issue aside from reprovisioning. A patch will be developed soon. +* Due to an incorrect default value NGS will attempt to use v3alpha for the api + path when communicating with etcd3. This isn't possible as in Caracal etcd is + running a newer version that has dropped support for v3alpha. You can work + around this in custom config, see the SMS PR for an example: + https://github.com/stackhpc/smslab-kayobe-config/pull/354 + Security baseline ================= From 93820c5d7b25a7600d55b87ab3b6a987ac03e42f Mon Sep 17 00:00:00 2001 
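Review bot: The repeated `--db-repository` and `--java-db-repository` flags in tools/scan-images.sh only give a fallback on Trivy releases that accept more than one repository. The Trivy version this script uses is not visible in the hunk, so it is worth confirming it is new enough (or pinning it); otherwise the extra flags may not behave as a fallback. A comment such as `# ghcr.io first, public ECR mirror as fallback when ghcr.io is rate limited` would record the intended order; it has to go above the scan command, which starts outside the hunk, because a comment cannot sit between its continued lines.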
From: Jack Hodgkiss Date: Tue, 22 Oct 2024 11:07:21 +0100 Subject: [PATCH 17/19] INFRA-841 add tags for updated `Ironic` containers The Ironic containers been rebuilt with the latest sync which includes patches for the vulnerability `OSSA-2024-004`. --- etc/kayobe/kolla-image-tags.yml | 9 +++++++++ .../notes/fix-ossa-2024-004-f732e58c12e26785.yaml | 6 ++++++ 2 files changed, 15 insertions(+) create mode 100644 releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index 8f85eef15..424cc8f73 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -28,3 +28,12 @@ kolla_image_tags: ubuntu-jammy: 2024.1-ubuntu-jammy-20240910T072617 rabbitmq: rocky-9: 2024.1-rocky-9-20240927T152945 + ironic: + rocky-9: 2024.1-rocky-9-20241022T090648 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 + ironic_dnsmasq: + rocky-9: 2024.1-rocky-9-20241022T090648 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 + ironic_neutron_agent: + rocky-9: 2024.1-rocky-9-20241022T090648 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241022T090648 diff --git a/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml b/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml new file mode 100644 index 000000000..ae0bd5b5f --- /dev/null +++ b/releasenotes/notes/fix-ossa-2024-004-f732e58c12e26785.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Fixes `OSSA-2024-004 + `_ with updated + container images for Ironic. From e640bcc8047019f9ab26adaa16fef6c918dee3d0 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 24 Oct 2024 10:39:40 +0200 Subject: [PATCH 18/19] Remove documentation about resolved issue This issue was resolved in kolla-ansible [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/931738 --- doc/source/operations/upgrading-openstack.rst | 11 ----------- 1 file changed, 11 deletions(-) 
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst index b51c9425b..0708f655f 100644 --- a/doc/source/operations/upgrading-openstack.rst +++ b/doc/source/operations/upgrading-openstack.rst @@ -124,17 +124,6 @@ configuration. Known issues ============ -* OVN breaks on Rocky 9 deployments where hostnames are FQDNs. - Before upgrading, you must make sure no compute or controller nodes have any - ``.`` characters in their hostnames. Run the command below to check: - - .. code-block:: bash - - kayobe overcloud host command run --command "grep -v \'\.\' /etc/hostname" --show-output - - There is currently no known fix for this issue aside from reprovisioning. A - patch will be developed soon. - * Due to an incorrect default value NGS will attempt to use v3alpha for the api path when communicating with etcd3. This isn't possible as in Caracal etcd is running a newer version that has dropped support for v3alpha. You can work From 6cb451f5229a9d1de64b7c7b8b2d011a6d329c3f Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Mon, 28 Oct 2024 14:20:15 +0000 Subject: [PATCH 19/19] Fix Debian Ceph Reef repo names to match Release Train --- etc/kayobe/pulp.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index 0789644aa..aa3c63d01 100644 --- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml 
@@ -122,12 +122,12 @@ stackhpc_pulp_deb_repos: components: "stable" required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" - - name: "Docker CE for Ubuntu Jammy" + - name: "Ceph Reef for Debian" url: "{{ stackhpc_release_pulp_content_url }}/ceph/debian-reef/{{ stackhpc_pulp_repo_ceph_reef_debian_version }}" - distribution_name: "docker-ce-for-ubuntu-jammy-" - base_path: "docker-ce/ubuntu-jammy/" + distribution_name: "ceph-reef-debian-" + base_path: "ceph/debian-reef/" distributions: "jammy" - components: "stable" + components: "main" required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" # Publication format is a subset of distribution.