From 24bf2b8d63ea4a8a01e14e9301901b8acdc639a4 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Tue, 14 May 2024 09:33:52 +0100 Subject: [PATCH 01/11] Bump horizon to fix CVE-2023-31047 --- etc/kayobe/kolla/globals.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index e860121d8..6d3df4e57 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml @@ -38,6 +38,7 @@ kayobe_image_tags: cloudkitty_tag: "{% raw %}{{ kayobe_image_tags['cloudkitty'][kolla_base_distro] }}{% endraw %}" heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}" +horizon_tag: yoga-20240510T114335 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}" neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}" nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}" From 67440eefda9d3b1fb965e1fd1bd3bb706a899571 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Tue, 14 May 2024 09:34:50 +0100 Subject: [PATCH 02/11] Bump grafana to fix CVE-2023-49569 --- etc/kayobe/kolla/globals.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index 6d3df4e57..265ba9f51 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml @@ -37,6 +37,7 @@ kayobe_image_tags: ubuntu: yoga-20231103T161400 cloudkitty_tag: "{% raw %}{{ kayobe_image_tags['cloudkitty'][kolla_base_distro] }}{% endraw %}" +grafana_tag: yoga-20240510T114335 heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}" horizon_tag: yoga-20240510T114335 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}" From 76c3d6953850b2cd18cdd1487d5cce746b9badb1 Mon Sep 17 00:00:00 2001 
From: Seunghun Lee Date: Tue, 14 May 2024 09:35:26 +0100 Subject: [PATCH 03/11] Bump prometheus-msteams to fix CVE-2022-40083 and CVE-2021-4238 --- etc/kayobe/kolla.yml | 7 +++++++ etc/kayobe/kolla/globals.yml | 1 + 2 files changed, 8 insertions(+) diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 0c537a729..9773da8b1 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -419,6 +419,13 @@ kolla_build_blocks: {% set magnum_capi_packages = ['git+https://github.com/stackhpc/magnum-capi-helm.git@v0.11.0'] %} RUN {{ macros.install_pip(magnum_capi_packages | customizable("pip_packages")) }} {% endraw %} + prometheus_msteams_repository_version: | # Yoga kolla has 1.5.0 + {% raw %} + ARG prometheus_msteams_version=1.5.2 + ARG prometheus_msteams_sha256sum=0f4df9ee31e655d1ec876ea2c53ab5ae5b07143ef21b9190e61b4d52839e135c + ARG prometheus_msteams_url=https://github.com/prometheus-msteams/prometheus-msteams/releases/download/v${prometheus_msteams_version}/prometheus-msteams-linux-{{debian_arch}} + {% endraw %} + # Dict mapping image customization variable names to their values. # Each variable takes the form: # __ diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index 265ba9f51..629b46601 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml @@ -44,6 +44,7 @@ magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% end neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}" nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}" opensearch_tag: yoga-20231219T221916 +prometheus_tag: yoga-20240510T145442 # These overrides are currently redundant, but are kept because it's not obvious that you need them if setting haproxy_tag glance_tls_proxy_tag: "{% raw %}{{ haproxy_tag | default(openstack_tag) }}{% endraw %}" From 645b1793841356152921921bbdc4b64fbd012222 Mon Sep 17 00:00:00 2001 
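Review bot: The `prometheus_msteams_repository_version` block pins a single `prometheus_msteams_sha256sum`, while `prometheus_msteams_url` ends in `prometheus-msteams-linux-{{debian_arch}}`, so the digest can only match the binary for one architecture. Builds for any other `debian_arch` would fail the checksum, or skip it if the Dockerfile (outside this hunk) does not enforce it. Add a comment stating which architecture the digest was taken for, e.g. `# sha256 of the <arch> release binary; update together with the version`, or select the digest per architecture. The `kolla_build_blocks` mapping starts outside the hunk.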
From: Seunghun Lee Date: Tue, 14 May 2024 09:54:53 +0100 Subject: [PATCH 04/11] Add releasenote for yoga security patch q2 2024 --- ...metheus-to-fix-critical-cve-5983cb1d1f6f3ceb.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 releasenotes/notes/bump-horizon-grafana-prometheus-to-fix-critical-cve-5983cb1d1f6f3ceb.yaml diff --git a/releasenotes/notes/bump-horizon-grafana-prometheus-to-fix-critical-cve-5983cb1d1f6f3ceb.yaml b/releasenotes/notes/bump-horizon-grafana-prometheus-to-fix-critical-cve-5983cb1d1f6f3ceb.yaml new file mode 100644 index 000000000..fe7bf2c70 --- /dev/null +++ b/releasenotes/notes/bump-horizon-grafana-prometheus-to-fix-critical-cve-5983cb1d1f6f3ceb.yaml @@ -0,0 +1,12 @@ +--- +features: + - | + Bumped Horizon kolla image + Bumped Grafana from 10.1.5-1 to 10.4.2-1 (CentOS & Rocky Linux) + Bumped Grafana from 10.4.1 to 10.4.2 (Ubuntu) + Bumped Prometheus-msteams from 1.5.0 to 1.5.2 +security: + - | + Fixed CVE-2023-31047 for Horizon. + Fixed CVE-2023-49569 for Grafana. + Fixed CVE-2022-40083 and CVE-2021-4238 for Prometheus-msteams. From 8a64c5c172812f5288d04f2a528678b77cef3e2d Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Thu, 16 May 2024 12:04:47 +0100 Subject: [PATCH 05/11] Add alerts for low available swap space --- .../kolla/config/prometheus/system.rules | 18 ++++++++++++++++++ etc/kayobe/stackhpc-monitoring.yml | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/etc/kayobe/kolla/config/prometheus/system.rules b/etc/kayobe/kolla/config/prometheus/system.rules index 613368be6..7981a5609 100644 --- a/etc/kayobe/kolla/config/prometheus/system.rules +++ b/etc/kayobe/kolla/config/prometheus/system.rules 
@@ -24,6 +24,24 @@ groups: summary: "Prometheus exporter at {{ $labels.instance }} reports low memory" description: "Available memory is {{ $value }} GiB." + - alert: LowSwapSpace + expr: (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_warning_threshold_ratio }}{% raw %} + for: 1m + labels: + severity: warning + annotations: + summary: "Swap space at {{ $labels.instance }} reports low memory" + description: "Available swap space is {{ $value | humanizePercentage }}. Running out of swap space causes OOM Kills." + + - alert: LowSwapSpace + expr: (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_critical_threshold_ratio }}{% raw %} + for: 1m + labels: + severity: critical + annotations: + summary: "Swap space at {{ $labels.instance }} reports low memory" + description: "Available swap space is {{ $value | humanizePercentage }}. Running out of swap space causes OOM Kills." + - alert: HostOomKillDetected expr: increase(node_vmstat_oom_kill[5m]) > 0 for: 5m diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml index e8e0bb91f..185a87ebf 100644 --- a/etc/kayobe/stackhpc-monitoring.yml +++ b/etc/kayobe/stackhpc-monitoring.yml @@ -12,6 +12,12 @@ alertmanager_low_memory_threshold_gib: 5 # link. Change to false to disable this alert. alertmanager_warn_network_bond_single_link: true +# Threshold to trigger an LowSwapSpace alert on swap space depletion (ratio). +# When the ratio of free swap space is lower than each of these values, warning +# and critical alerts will be triggered respectively. +alertmanager_node_free_swap_warning_threshold_ratio: 0.25 +alertmanager_node_free_swap_critical_threshold_ratio: 0.1 + ############################################################################### # Exporter configuration From a0331ca5ccb021f908b31bc5fca32590e616d67e Mon Sep 17 00:00:00 2001 
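Review bot: The warning-level `LowSwapSpace` rule has no lower bound, so a host that drops below the critical ratio fires the warning and the critical alert together. Either bound the warning expression by adding `and (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) >= {% endraw %}{{ alertmanager_node_free_swap_critical_threshold_ratio }}{% raw %}`, or add a comment saying that an Alertmanager inhibit rule is expected to suppress the warning. Both rules also carry a summary that says the swap space "reports low memory"; `summary: "Prometheus exporter at {{ $labels.instance }} reports low swap space"` would match the neighbouring low-memory alert and describe the condition correctly.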
From: Mark Goddard Date: Mon, 20 May 2024 13:58:34 +0000 Subject: [PATCH 06/11] OS Capacity: Support providing a CA certificate For clouds that use an internal CA, it is necessary to provide a CA certificate to OS capacity. Co-Authored-By: Jake Hutchinson --- doc/source/configuration/monitoring.rst | 18 +++++++++++++++--- doc/source/configuration/vault.rst | 2 ++ .../ansible/deploy-os-capacity-exporter.yml | 12 ++++++++++++ .../templates/os_capacity-clouds.yml.j2 | 3 +++ .../ci-multinode/stackhpc-monitoring.yml | 3 +++ etc/kayobe/stackhpc-monitoring.yml | 3 +++ .../os-capacity-cacert-8b800b22d84ae0b1.yaml | 4 ++++ 7 files changed, 42 insertions(+), 3 deletions(-) create mode 100644 etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml create mode 100644 releasenotes/notes/os-capacity-cacert-8b800b22d84ae0b1.yaml diff --git a/doc/source/configuration/monitoring.rst b/doc/source/configuration/monitoring.rst index f23c7a915..e40f12b11 100644 --- a/doc/source/configuration/monitoring.rst +++ b/doc/source/configuration/monitoring.rst @@ -137,6 +137,8 @@ depending on your configuration, you may need set the ``kolla_enable_prometheus_ceph_mgr_exporter`` variable to ``true`` in order to enable the ceph mgr exporter. +.. _os-capacity: + OpenStack Capacity ================== 
@@ -160,9 +162,19 @@ project domain name in ``stackhpc-monitoring.yml``: stackhpc_os_capacity_openstack_region_name: Additionally, you should ensure these credentials have the correct permissions -for the exporter. If you are deploying in a cloud with internal TLS, you may be required -to disable certificate verification for the OpenStack Capacity exporter -if your certificate is not signed by a trusted CA. +for the exporter. + +If you are deploying in a cloud with internal TLS, you may be required +to provide a CA certificate for the OpenStack Capacity exporter if your +certificate is not signed by a trusted CA. For example, to use a CA certificate +named ``vault.crt`` that is also added to the Kolla containers: + +.. code-block:: yaml + + stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" + +Alternatively, to disable certificate verification for the OpenStack Capacity +exporter: .. code-block:: yaml diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 21268f108..f06037930 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -196,6 +196,8 @@ Enable the required TLS variables in kayobe and kolla # Whether TLS is enabled for the internal API endpoints. Default is 'no'. kolla_enable_tls_internal: yes + See :ref:`os-capacity` for information on adding CA certificates to the trust store when deploying the OpenStack Capacity exporter. + 2. Set the following in etc/kayobe/kolla/globals.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml .. code-block:: diff --git a/etc/kayobe/ansible/deploy-os-capacity-exporter.yml b/etc/kayobe/ansible/deploy-os-capacity-exporter.yml index cc3afa7b0..41d91bfbd 100644 --- a/etc/kayobe/ansible/deploy-os-capacity-exporter.yml +++ b/etc/kayobe/ansible/deploy-os-capacity-exporter.yml 
@@ -27,6 +27,7 @@ delegate_to: localhost register: credential when: stackhpc_enable_os_capacity + changed_when: false - name: Set facts for admin credentials ansible.builtin.set_fact: @@ -43,6 +44,16 @@ src: templates/os_capacity-clouds.yml.j2 dest: /opt/kayobe/os-capacity/clouds.yaml when: stackhpc_enable_os_capacity + register: clouds_yaml_result + + - name: Copy CA certificate to OpenStack Capacity nodes + ansible.builtin.copy: + src: "{{ stackhpc_os_capacity_openstack_cacert }}" + dest: /opt/kayobe/os-capacity/cacert.pem + when: + - stackhpc_enable_os_capacity + - stackhpc_os_capacity_openstack_cacert | length > 0 + register: cacert_result - name: Ensure os_capacity container is running community.docker.docker_container: @@ -56,6 +67,7 @@ source: /opt/kayobe/os-capacity/ target: /etc/openstack/ network_mode: host + restart: "{{ clouds_yaml_result is changed or cacert_result is changed }}" restart_policy: unless-stopped become: true when: stackhpc_enable_os_capacity diff --git a/etc/kayobe/ansible/templates/os_capacity-clouds.yml.j2 b/etc/kayobe/ansible/templates/os_capacity-clouds.yml.j2 index ef3c8d7a5..6475848ba 100644 --- a/etc/kayobe/ansible/templates/os_capacity-clouds.yml.j2 +++ b/etc/kayobe/ansible/templates/os_capacity-clouds.yml.j2 @@ -10,6 +10,9 @@ clouds: interface: "internal" identity_api_version: 3 auth_type: "password" +{% if stackhpc_os_capacity_openstack_cacert | length > 0 %} + cacert: /etc/openstack/cacert.pem +{% endif %} {% if not stackhpc_os_capacity_openstack_verify | bool %} verify: False {% endif %} diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml new file mode 100644 index 000000000..93ce650b4 --- /dev/null +++ b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml 
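Review bot: The new "Copy CA certificate to OpenStack Capacity nodes" task sets no `mode`, so the permissions of `/opt/kayobe/os-capacity/cacert.pem` are left to the remote umask; adding `mode: "0644"` keeps the trust anchor readable inside the container and not writable by other users. When `stackhpc_os_capacity_openstack_cacert` is later reset to an empty string the task is skipped and the previously copied file stays in the bind-mounted directory, so a companion `ansible.builtin.file` task with `state: absent` for that case would keep the directory consistent with the configuration. The play header is outside the hunk, so whether `become` applies to this task cannot be confirmed from here.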
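Review bot: `cacert` and `verify: False` can both be rendered into the same cloud entry, because the two `{% if %}` blocks in `os_capacity-clouds.yml.j2` are independent. A deployment that already set `stackhpc_os_capacity_openstack_verify: false` and now adds a CA certificate would presumably keep running with certificate verification disabled, without any indication. Consider failing early in the playbook when both are configured, or emitting `verify: False` only when no CA is set: `{% if not stackhpc_os_capacity_openstack_verify | bool and stackhpc_os_capacity_openstack_cacert | length == 0 %}`. At minimum the template should carry a comment stating which setting takes precedence.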
@@ -0,0 +1,3 @@ +--- +# Path to a CA certificate file to trust in the OpenStack Capacity exporter. +stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" diff --git a/etc/kayobe/stackhpc-monitoring.yml b/etc/kayobe/stackhpc-monitoring.yml index e8e0bb91f..de12ed2ed 100644 --- a/etc/kayobe/stackhpc-monitoring.yml +++ b/etc/kayobe/stackhpc-monitoring.yml @@ -20,6 +20,9 @@ alertmanager_warn_network_bond_single_link: true # targets being templated during deployment. stackhpc_enable_os_capacity: true +# Path to a CA certificate file to trust in the OpenStack Capacity exporter. +stackhpc_os_capacity_openstack_cacert: "" + # Whether TLS certificate verification is enabled for the OpenStack Capacity # exporter during Keystone authentication. stackhpc_os_capacity_openstack_verify: true diff --git a/releasenotes/notes/os-capacity-cacert-8b800b22d84ae0b1.yaml b/releasenotes/notes/os-capacity-cacert-8b800b22d84ae0b1.yaml new file mode 100644 index 000000000..e20ee0714 --- /dev/null +++ b/releasenotes/notes/os-capacity-cacert-8b800b22d84ae0b1.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Adds support for providing a CA certificate for OpenStack Capacity exporter. From 643aa78a83c969720e34e21fbac79752359937e8 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Tue, 21 May 2024 10:51:36 +0100 Subject: [PATCH 07/11] Add releasenote for swap space monitoring --- ...erts-for-swap-availability-75e28ed7f913d1ec.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 releasenotes/notes/add-alerts-for-swap-availability-75e28ed7f913d1ec.yaml diff --git a/releasenotes/notes/add-alerts-for-swap-availability-75e28ed7f913d1ec.yaml b/releasenotes/notes/add-alerts-for-swap-availability-75e28ed7f913d1ec.yaml new file mode 100644 index 000000000..db5efb85c --- /dev/null +++ b/releasenotes/notes/add-alerts-for-swap-availability-75e28ed7f913d1ec.yaml 
@@ -0,0 +1,13 @@ +--- +features: + - | + Added two alerts (Warning and critical) that are triggered when the ratio + of (free_swap_sppace / total_swap_space) is below thresholds. + Each threshold can be modified by alterting value of + ``alertmanager_node_free_swap_warning_threshold_ratio`` and + ``alertmanager_node_free_swap_critical_threshold_ratio``. + + Currently this solution has limitation of having one-size fits all policy. + This can cause unwanted alerts for the hosts which utilise swap heavily + Therefore it is recommended to tune the thresholds or apply silence rules + for the needs. From 6c46bcea9fb7680878c32d2d7503908de4a1c37f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 27 May 2024 16:08:04 +0200 Subject: [PATCH 08/11] docs: Fix link in secret rotation page --- doc/source/operations/secret-rotation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/operations/secret-rotation.rst b/doc/source/operations/secret-rotation.rst index f3213da37..5761fd4d6 100644 --- a/doc/source/operations/secret-rotation.rst +++ b/doc/source/operations/secret-rotation.rst @@ -46,7 +46,7 @@ process easier. This was previously mitigated with a change to the StackHPC fork of Kolla-Ansible, which has since been reverted due to an unforeseen issue. See - `here ` for more + `here `__ for more details. #. A change to Nova, to automate :ref:`this` step to change the From 4b0dc540ef9f711fdef8c5afe6ab9cb1f0579e9a Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Thu, 30 May 2024 14:25:05 +0200 Subject: [PATCH 09/11] Support synchronising custom container images A custom list of container images can be synced to the local Pulp using the stackhpc_pulp_repository_container_repos_extra and stackhpc_pulp_distribution_container_extra variables. --- doc/source/configuration/release-train.rst | 27 +++++++++++++++++++ etc/kayobe/pulp.yml | 12 +++++++-- ...pulp-container-extra-9379806192900d22.yaml | 6 +++++ 3 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/pulp-container-extra-9379806192900d22.yaml diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst index 28cf6377b..afb52307d 100644 --- a/doc/source/configuration/release-train.rst +++ b/doc/source/configuration/release-train.rst @@ -153,6 +153,33 @@ By default, HashiCorp images (Consul and Vault) are not synced from Docker Hub to the local Pulp. To sync these images, set ``stackhpc_sync_hashicorp_images`` to ``true``. +Custom container images +----------------------- + +A custom list of container images can be synced to the local Pulp using the +``stackhpc_pulp_repository_container_repos_extra`` and +``stackhpc_pulp_distribution_container_extra`` variables. + +.. code-block:: yaml + + # List of extra container image repositories. + stackhpc_pulp_repository_container_repos_extra: + - name: "certbot/certbot" + url: "https://registry-1.docker.io" + policy: on_demand + proxy_url: "{{ pulp_proxy_url }}" + state: present + include_tags: "nightly" + required: True + + # List of extra container image distributions. + stackhpc_pulp_distribution_container_extra: + - name: certbot + repository: certbot/certbot + base_path: certbot/certbot + state: present + required: True + Usage ===== diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index 3e268a662..c83366b41 100644 --- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml 
@@ -821,14 +821,22 @@ stackhpc_pulp_distribution_container_hashicorp: state: present required: "{{ stackhpc_sync_hashicorp_images | bool }}" +# List of extra container image repositories. +stackhpc_pulp_repository_container_repos_extra: [] + +# List of extra container image distributions. +stackhpc_pulp_distribution_container_extra: [] + # List of container image repositories. stackhpc_pulp_repository_container_repos: >- {{ (stackhpc_pulp_repository_container_repos_kolla + stackhpc_pulp_repository_container_repos_ceph + - stackhpc_pulp_repository_container_repos_hashicorp) | selectattr('required') }} + stackhpc_pulp_repository_container_repos_hashicorp + + stackhpc_pulp_repository_container_repos_extra) | selectattr('required') }} # List of container image distributions. stackhpc_pulp_distribution_container: >- {{ (stackhpc_pulp_distribution_container_kolla + stackhpc_pulp_distribution_container_ceph + - stackhpc_pulp_distribution_container_hashicorp) | selectattr('required') }} + stackhpc_pulp_distribution_container_hashicorp + + stackhpc_pulp_distribution_container_extra) | selectattr('required') }} diff --git a/releasenotes/notes/pulp-container-extra-9379806192900d22.yaml b/releasenotes/notes/pulp-container-extra-9379806192900d22.yaml new file mode 100644 index 000000000..a725a4863 --- /dev/null +++ b/releasenotes/notes/pulp-container-extra-9379806192900d22.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Allows to synchronise a custom list of containers to Pulp using the + ``stackhpc_pulp_repository_container_repos_extra`` and + ``stackhpc_pulp_distribution_container_extra`` variables. From 76b181afebee0c696d61e0b86a95cb4422b3e6e8 Mon Sep 17 00:00:00 2001 
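Review bot: Entries in the two new `_extra` lists are filtered through `selectattr('required')`, so an entry without a `required` key will be dropped or make the expression fail, depending on how undefined attributes are handled. The comments on the new variables should state this, e.g. `# List of extra container image repositories. Each entry must set "required: true" to be synced.` and the same for the distributions list. Since these lists let operators mirror arbitrary third-party images into the local registry, the comment could also recommend limiting `include_tags` to specific release tags; the documentation example in this commit uses the moving tag `nightly`.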
From: Alex-Welsh Date: Tue, 22 Aug 2023 11:01:13 +0100 Subject: [PATCH 10/11] Use Rocky Linux 9 as base for kayobe-automation By default, kayobe-automation uses CentOS Stream 8 as the base image for its kayobe docker image. As it doesn't support python 3.8 (a requirement for the Zed release), it must be overridden to use Rocky Linux 9. (cherry picked from commit bc87579eb5d028947d5596c0c48c6a074212498f) --- .github/workflows/stackhpc-build-kayobe-image.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml index 8c8ce4d2f..826f83bb1 100644 --- a/.github/workflows/stackhpc-build-kayobe-image.yml +++ b/.github/workflows/stackhpc-build-kayobe-image.yml @@ -21,6 +21,10 @@ on: no_proxy: type: string required: false + base_image: + type: string + required: false + default: "rockylinux:9" if: description: Whether to run the workflow (workaround for required status checks issue) type: boolean @@ -49,7 +53,7 @@ jobs: - name: Checkout kayobe config uses: actions/checkout@v4 with: - submodules: true + submodules: true - name: Log in to the Container registry uses: docker/login-action@v3 @@ -88,6 +92,7 @@ jobs: build-args: | http_proxy=${{ inputs.http_proxy }} https_proxy=${{ inputs.https_proxy }} + BASE_IMAGE=${{ inputs.base_image }} KAYOBE_USER_UID=1001 KAYOBE_USER_GID=1001 push: true From 40b00d7b4085f332c4965d09048072f62c5658c4 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 15 Jan 2024 13:23:32 +0000 Subject: [PATCH 11/11] CI: Fix default kayobe base image when built on push Inputs are not available to workflows triggered by a push. Apply a default to the base image. (cherry picked from commit 359ee380260ed9c4514d6ffccf702bce2d55fd83) --- .github/workflows/stackhpc-build-kayobe-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
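Review bot: The new `base_image` input defaults to the mutable tag `rockylinux:9`, so each build of the kayobe image uses whatever that tag resolves to at build time. Pinning the default by digest, `default: "rockylinux:9@sha256:<digest>"` (placeholder), would make the build reproducible and keep an upstream tag change from silently altering the image, at the cost of updating the digest deliberately. The input also has no `description:`, unlike the `if` input that follows it; `description: Base image for the kayobe container build` would document it. The value is passed through unchanged as `BASE_IMAGE` in the `@@ -88,6 +92,7 @@` hunk of the same file.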
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml index 826f83bb1..c45e0456b 100644 --- a/.github/workflows/stackhpc-build-kayobe-image.yml +++ b/.github/workflows/stackhpc-build-kayobe-image.yml @@ -92,7 +92,7 @@ jobs: build-args: | http_proxy=${{ inputs.http_proxy }} https_proxy=${{ inputs.https_proxy }} - BASE_IMAGE=${{ inputs.base_image }} + BASE_IMAGE=${{ inputs.base_image || 'rockylinux:9' }} KAYOBE_USER_UID=1001 KAYOBE_USER_GID=1001 push: true
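Review bot: The fallback in `BASE_IMAGE=${{ inputs.base_image || 'rockylinux:9' }}` repeats the literal already used as the `default:` of the `base_image` input, so the two can drift apart when only one is updated. A comment above `build-args:` would record the coupling, e.g. `# Fallback must match the base_image input default; inputs are empty on push events.` It has to sit above the key, not inside the `|` block, where it would become part of the build arguments. The step's `with:` mapping starts and ends outside the hunk.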