From a42b23cf89fe174ae96bed521d52a40ba2f07962 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 21 Mar 2024 12:08:06 +0000 Subject: [PATCH 01/14] docs: Add note about pyroute2 bug in Jammy upgrade --- doc/source/operations/ubuntu-jammy.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/source/operations/ubuntu-jammy.rst b/doc/source/operations/ubuntu-jammy.rst index 4f684aa07..876c0002f 100644 --- a/doc/source/operations/ubuntu-jammy.rst +++ b/doc/source/operations/ubuntu-jammy.rst @@ -154,6 +154,14 @@ Common issues for all host types - Timeouts can become an issue with some hardware. The host will reboot once or twice depending on whether it needs to apply package updates. Edit the timeouts in the upgrade playbook (``ubuntu-upgrade.yml``) where required. +- On systems using OVN networking, the Yoga Kolla Neutron container images + include ``pyroute2`` 0.6.6. On Ubuntu Jammy systems this results in the + Neutron OVN metadata agent failing to provision the datapath correctly. See + `LP#1995735 + `__ and + `LP#2042954 `__ for + details. A `fix `__ + is in progress. Controllers =========== From bf4ad820fdf208d242b3edc1f7e4bc879a98aadd Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Tue, 21 May 2024 10:21:39 +0100 Subject: [PATCH 02/14] Add image to list on critical CVE detection --- tools/scan-images.sh | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/tools/scan-images.sh b/tools/scan-images.sh index 50a04185a..b35a79a3c 100755 --- a/tools/scan-images.sh +++ b/tools/scan-images.sh 
@@ -27,11 +27,13 @@ docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/$1-*:$2" > $1- images=$(grep --invert-match --no-filename ^REPOSITORY $1-scanned-container-images.txt | sed 's/ \+/:/g' | cut -f 1,2 -d:) # Ensure output files exist -touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt +touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt # If Trivy detects no vulnerabilities, add the image name to clean-images.txt. # If there are vulnerabilities detected, add it to dirty-images.txt and # generate a csv summary +# If the image contains at least one critical vulnerabilities, add it to +# critical-images.txt for image in $images; do filename=$(basename $image | sed 's/:/\./g') if $(trivy image \ @@ -51,13 +53,13 @@ for image in $images; do else # Add the image to the dirty list echo "${image}" >> image-scan-output/dirty-images.txt - + # Write a header for the summary CSV echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv # Write the summary CSV data - jq -r '.Results[] - | select(.Vulnerabilities) + jq -r '.Results[] + | select(.Vulnerabilities) | .Vulnerabilities # Ignore packages with "kernel" in the PkgName | map(select(.PkgName | test("kernel") | not )) @@ -72,8 +74,13 @@ for image in $images; do .[0].PrimaryURL, .[0].Severity ] - ) - | .[] + ) + | .[] | @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv + + if [ $(grep "CRITICAL" image-scan-output/${filename}.summary.csv -c) -gt 0 ]; then + # If the image contains critical vulnerabilities, add the image to critical list + echo "${image}" >> image-scan-output/critical-images.txt + fi fi done From c507c73724edc8347e8172aef1926ec52e06701d Mon Sep 17 00:00:00 2001 
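Review bot: The critical check added at the end of the loop greps the whole summary CSV for the substring CRITICAL, so a match in any column (a package name or URL) counts as a critical finding. Severity is the last field written by `@csv`, so anchoring on it is tighter and avoids the unquoted count comparison: `if grep -q '"CRITICAL"$' "image-scan-output/${filename}.summary.csv"; then`. The summary is also built after the jq filter that drops packages with "kernel" in PkgName, so a critical finding in such a package would not put the image on critical-images.txt; if that is intended, the comment above the check should say so. The new header comment should read `# If the image contains at least one critical vulnerability, add it to critical-images.txt`.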
From: Seunghun Lee Date: Tue, 21 May 2024 10:24:39 +0100 Subject: [PATCH 03/14] Add new step to fail job on critical CVE detection --- .../stackhpc-container-image-build.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index 167af5cbd..63972f979 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml @@ -42,8 +42,7 @@ on: description: Push scanned images that have vulnerabilities? type: boolean required: false - # NOTE(Alex-Welsh): This default should be flipped once we resolve existing failures - default: true + default: false env: ANSIBLE_FORCE_COLOR: True @@ -181,7 +180,7 @@ jobs: KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }} - name: Create build logs output directory - run: mkdir image-build-logs + run: mkdir image-build-logs - name: Build kolla overcloud images id: build_overcloud_images @@ -254,7 +253,7 @@ jobs: while read -r image; do # Retries! - for i in {1..5}; do + for i in {1..5}; do if docker push $image; then echo "Pushed $image" break 
@@ -288,8 +287,15 @@ jobs: run: if [ $(wc -l < image-build-logs/push-failed-images.txt) -gt 0 ]; then cat image-build-logs/push-failed-images.txt && exit 1; fi if: ${{ !cancelled() }} - - name: Fail when images failed scanning - run: if [ $(wc -l < image-build-logs/dirty-images.txt) -gt 0 ]; then cat image-build-logs/dirty-images.txt && exit 1; fi + # NOTE(seunghun1ee): Currently we want to mark the job fail only when critical CVEs are detected. + # This can be used again instead of "Fail when critical vulnerabilities are found" when it's + # decided to fail the job on detecting high CVEs as well. + # - name: Fail when images failed scanning + # run: if [ $(wc -l < image-build-logs/image-scan-output/dirty-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/dirty-images.txt && exit 1; fi + # if: ${{ !inputs.push-dirty && !cancelled() }} + + - name: Fail when critical vulnerabilities are found + run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/critical-images.txt && exit 1; fi if: ${{ !inputs.push-dirty && !cancelled() }} # NOTE(mgoddard): Trigger another CI workflow in the From e7b97b23017dc445732237b48bf964d1624d4ce9 Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Thu, 6 Jun 2024 10:38:12 +0100 Subject: [PATCH 04/14] Add condition to ensure swap is not zero --- etc/kayobe/kolla/config/prometheus/system.rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/kolla/config/prometheus/system.rules b/etc/kayobe/kolla/config/prometheus/system.rules index 7981a5609..d5523d579 100644 --- a/etc/kayobe/kolla/config/prometheus/system.rules +++ b/etc/kayobe/kolla/config/prometheus/system.rules 
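Review bot: The new "Fail when critical vulnerabilities are found" step passes when critical-images.txt is missing. The `wc -l <` redirect fails, the substitution is empty, `[ -gt 0 ]` errors, the `if` body is skipped and the step exits 0. Because the step runs under `!cancelled()`, it is reached even after an earlier step failed, which is when the file is most likely to be absent. Treat a missing file as a failure, for example `f=image-build-logs/image-scan-output/critical-images.txt; if [ ! -f "$f" ] || [ -s "$f" ]; then cat "$f"; exit 1; fi`. The push-failed check in the context line above uses the same `wc -l` pattern and has the same weakness.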
@@ -25,7 +25,7 @@ groups: description: "Available memory is {{ $value }} GiB." - alert: LowSwapSpace - expr: (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_warning_threshold_ratio }}{% raw %} + expr: node_memory_SwapTotal_bytes > 0 and (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_warning_threshold_ratio }}{% raw %} for: 1m labels: severity: warning @@ -34,7 +34,7 @@ groups: description: "Available swap space is {{ $value | humanizePercentage }}. Running out of swap space causes OOM Kills." - alert: LowSwapSpace - expr: (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_critical_threshold_ratio }}{% raw %} + expr: node_memory_SwapTotal_bytes > 0 and (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < {% endraw %}{{ alertmanager_node_free_swap_critical_threshold_ratio }}{% raw %} for: 1m labels: severity: critical From 9c4c16e734186d449d5b54f98e4da33c0633403f Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Tue, 11 Jun 2024 14:32:56 +0100 Subject: [PATCH 05/14] Fix image push condition --- .github/workflows/stackhpc-container-image-build.yml | 9 ++++++++- tools/scan-images.sh | 5 +++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index 63972f979..bcf5ac956 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml @@ -39,7 +39,7 @@ on: required: false default: true push-dirty: - description: Push scanned images that have vulnerabilities? + description: Push scanned images that have critical vulnerabilities? type: boolean required: false default: false 
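Review bot: In both LowSwapSpace rules the new expression puts `node_memory_SwapTotal_bytes > 0` on the left of `and`, and PromQL's `and` returns the left-hand samples, so `$value` becomes the swap total in bytes instead of the free ratio. The description `Available swap space is {{ $value | humanizePercentage }}`, visible as context in the second hunk, would then render a byte count as a percentage. Swapping the operands keeps the ratio as the alert value: `expr: (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes) < … and node_memory_SwapTotal_bytes > 0`, with the existing threshold template left as it is. The critical rule in the second hunk needs the same change.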
@@ -239,9 +239,16 @@ jobs: run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt if: inputs.push + # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical. + # This should be reverted when it's decided to filter high level CVEs as well. - name: Append dirty images to push list run: | cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt + if: ${{ inputs.push }} + + - name: Append images with critical vulnerabilities to push list + run: | + cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt if: ${{ inputs.push && inputs.push-dirty }} - name: Push images diff --git a/tools/scan-images.sh b/tools/scan-images.sh index b35a79a3c..7fe4f95ad 100755 --- a/tools/scan-images.sh +++ b/tools/scan-images.sh @@ -51,8 +51,6 @@ for image in $images; do # Add the image to the clean list echo "${image}" >> image-scan-output/clean-images.txt else - # Add the image to the dirty list - echo "${image}" >> image-scan-output/dirty-images.txt # Write a header for the summary CSV echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv @@ -81,6 +79,9 @@ for image in $images; do if [ $(grep "CRITICAL" image-scan-output/${filename}.summary.csv -c) -gt 0 ]; then # If the image contains critical vulnerabilities, add the image to critical list echo "${image}" >> image-scan-output/critical-images.txt + else + # Otherwise, add the image to the dirty list + echo "${image}" >> image-scan-output/dirty-images.txt fi fi done From c1330358a6630eb05fc6b657239a4bf726b6e855 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 17 Jun 2024 11:06:08 +0200 Subject: [PATCH 06/14] Add instruction to update Octavia amphora image --- doc/source/operations/upgrading.rst | 7 +++++++ 1 file changed, 7 insertions(+) 
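Review bot: With the new `else` branch in the last hunk of tools/scan-images.sh, any image whose summary CSV has no CRITICAL row lands on dirty-images.txt, and the workflow change in this commit pushes that list whenever `inputs.push` is set. That appears to include the case where the CSV holds only its header because the scan or the jq step produced no data, assuming the outer `else` is taken on any non-zero trivy exit (the trivy options are outside the hunk). An image with a missing or empty report should be classified as critical before the grep, e.g. `[ -s "image-scan-output/${filename}.json" ] || { echo "${image}" >> image-scan-output/critical-images.txt; continue; }`. The loop body starts outside this hunk.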
diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst index d44f1e917..dcaf213b3 100644 --- a/doc/source/operations/upgrading.rst +++ b/doc/source/operations/upgrading.rst @@ -972,6 +972,13 @@ scope of the upgrade: kayobe overcloud service upgrade --tags config --kolla-tags keystone +Updating the Octavia Amphora Image +---------------------------------- + +If using Octavia with the Amphora driver, you may want to `build a new amphora +image +`__. + Testing ------- From a7187f9af309824c5bbfab9c83a72410ef0ea8e5 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Mon, 17 Jun 2024 10:25:25 +0100 Subject: [PATCH 07/14] Remove CentOS AIO CI tests --- .github/workflows/stackhpc-all-in-one.yml | 2 +- .github/workflows/stackhpc-pull-request.yml | 28 --------------------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index c1adf56f0..6ad74cc12 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -14,7 +14,7 @@ on: os_distribution: description: Host OS distribution type: string - default: centos + default: rocky os_release: description: Host OS release type: string diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml index ce9243ba2..1a5fd2cad 100644 --- a/.github/workflows/stackhpc-pull-request.yml +++ b/.github/workflows/stackhpc-pull-request.yml 
@@ -76,34 +76,6 @@ jobs: if: ${{ needs.check-changes.outputs.aio == 'true' }} if: github.repository == 'stackhpc/stackhpc-kayobe-config' - all-in-one-centos-ovs: - name: aio (CentOS OVS) - needs: - - check-changes - - build-kayobe-image - uses: ./.github/workflows/stackhpc-all-in-one.yml - with: - kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }} - neutron_plugin: ovs - OS_CLOUD: openstack - if: ${{ needs.check-changes.outputs.aio == 'true' }} - secrets: inherit - if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }} - - all-in-one-centos-ovn: - name: aio (CentOS OVN) - needs: - - check-changes - - build-kayobe-image - uses: ./.github/workflows/stackhpc-all-in-one.yml - with: - kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }} - neutron_plugin: ovn - OS_CLOUD: openstack - if: ${{ needs.check-changes.outputs.aio == 'true' }} - secrets: inherit - if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }} - all-in-one-rocky-8-ovs: name: aio (Rocky OVS) needs: From 5cabb615ed95b731c2dc2914a15a63bfdead16b5 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 25 Jun 2024 09:48:34 +0100 Subject: [PATCH 08/14] Update ubuntu-jammy.rst --- doc/source/operations/ubuntu-jammy.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/operations/ubuntu-jammy.rst b/doc/source/operations/ubuntu-jammy.rst index 876c0002f..d09ab4e21 100644 --- a/doc/source/operations/ubuntu-jammy.rst +++ b/doc/source/operations/ubuntu-jammy.rst @@ -161,7 +161,7 @@ Common issues for all host types `__ and `LP#2042954 `__ for details. A `fix `__ - is in progress. + is now available but new images have not yet been built. Controllers =========== From ff5d320a93ddb26316fd66a934b1f9af78247011 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Wed, 26 Jun 2024 15:14:33 +0100 Subject: [PATCH 09/14] Refer to internal docs for building amphora images Easy to miss that these exist without a direct link. --- doc/source/operations/octavia.rst | 2 ++ doc/source/operations/upgrading.rst | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/source/operations/octavia.rst b/doc/source/operations/octavia.rst index 80d7bdd25..e029bfafe 100644 --- a/doc/source/operations/octavia.rst +++ b/doc/source/operations/octavia.rst @@ -2,6 +2,8 @@ Octavia ======= +.. _Amphora image: + Building and rotating amphora images ==================================== diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst index dcaf213b3..80cb1a126 100644 --- a/doc/source/operations/upgrading.rst +++ b/doc/source/operations/upgrading.rst @@ -975,9 +975,8 @@ scope of the upgrade: Updating the Octavia Amphora Image ---------------------------------- -If using Octavia with the Amphora driver, you may want to `build a new amphora -image -`__. +If using Octavia with the Amphora driver, you should :ref:`build a new amphora +image `. Testing ------- From 36596aa2fc646943fd4db857604fd28a05f34109 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 1 Jul 2024 16:08:42 +0200 Subject: [PATCH 10/14] docs: fix link --- doc/source/operations/upgrading.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst index 80cb1a126..218c39bb1 100644 --- a/doc/source/operations/upgrading.rst +++ b/doc/source/operations/upgrading.rst 
@@ -363,8 +363,8 @@ To upgrade the Ansible control host: Syncing Release Train artifacts ------------------------------- -New `StackHPC Release Train <../configuration/release-train>` content should be -synced to the local Pulp server. This includes host packages (Deb/RPM) and +New `StackHPC Release Train <../configuration/release-train>`_ content should +be synced to the local Pulp server. This includes host packages (Deb/RPM) and container images. .. _sync-rt-package-repos: From 3683d2e494b683eb59907989cae09efa16544b8b Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 1 Jul 2024 16:18:03 +0000 Subject: [PATCH 11/14] Fix CentOS Stream 8 container image builds With the upstream CS8 repos gone, an issue with the extras & extras-common yum repo setup in our container images was shown. We were relying on the upstream extras repo, rather than the one in release train. --- etc/kayobe/kolla.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 9773da8b1..4b5686804 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -160,6 +160,9 @@ stackhpc_centos_stream_repos: tag: "appstream" - url: "{{ stackhpc_repo_centos_stream_extras_common_url }}" file: "CentOS-Stream-Extras-common.repo" + tag: "extras-common" + - url: "{{ stackhpc_repo_centos_stream_extras_url }}" + file: "CentOS-Stream-Extras.repo" tag: "extras" # List of repositories for EPEL. From 36abb41ba3c46993d1f61da055cbece7609f9bfc Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 1 Jul 2024 14:41:26 +0100 Subject: [PATCH 12/14] Fix CVE-2024-32498 Fixes CVE-2024-32498 [1] with updated container images for Cinder, Glance and Nova services. [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498 --- etc/kayobe/kolla/globals.yml | 15 +++++++++++++++ .../notes/cve-2024-32498-2cbd205129351766.yaml | 7 +++++++ 2 files changed, 22 insertions(+) create mode 100644 releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml 
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index bdba945c1..eaa8b910a 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml @@ -15,10 +15,18 @@ kayobe_image_tags: centos: yoga-20231024T093507 rocky: yoga-20231218T141822 ubuntu: yoga-20231024T093507 + cinder: + centos: yoga-20240701T132344 + rocky: yoga-20240701T132344 + ubuntu: yoga-20240701T132344 cloudkitty: centos: yoga-20240503T150127 rocky: yoga-20240503T150127 ubuntu: yoga-20240503T150127 + glance: + centos: yoga-20240702T105751 + rocky: yoga-20240702T105751 + ubuntu: yoga-20240702T105751 heat: centos: yoga-20240320T082414 rocky: yoga-20240320T082414 @@ -32,17 +40,24 @@ kayobe_image_tags: rocky: yoga-20240105T120257 ubuntu: yoga-20231114T125927 nova: + centos: yoga-20240702T105751 + rocky: yoga-20240702T105751 + ubuntu: yoga-20240702T105751 + nova_libvirt: centos: yoga-20231113T171023 rocky: yoga-20240105T120257 ubuntu: yoga-20231103T161400 cloudkitty_tag: "{% raw %}{{ kayobe_image_tags['cloudkitty'][kolla_base_distro] }}{% endraw %}" +cinder_tag: "{% raw %}{{ kayobe_image_tags['cinder'][kolla_base_distro] }}{% endraw %}" +glance_tag: "{% raw %}{{ kayobe_image_tags['glance'][kolla_base_distro] }}{% endraw %}" grafana_tag: yoga-20240510T114335 heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}" horizon_tag: yoga-20240510T114335 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}" neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}" nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}" +nova_libvirt_tag: "{% raw %}{{ kayobe_image_tags['nova_libvirt'][kolla_base_distro] }}{% endraw %}" opensearch_tag: yoga-20231219T221916 prometheus_tag: yoga-20240510T145442 
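Review bot: The new `nova_libvirt` entry in `kayobe_image_tags` keeps the tags that `nova` had before this change, while `nova` moves to the 20240702 build, and nothing in the file says why. A reader checking CVE-2024-32498 coverage could take the older tags for an omission. A comment above the entry would settle it, for example `# nova_libvirt is pinned separately and intentionally not rebuilt for CVE-2024-32498`, assuming that is the intent. It would also help to state next to `nova_libvirt_tag` that it exists so that `nova_tag` no longer selects the libvirt image.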
diff --git a/releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml b/releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml new file mode 100644 index 000000000..4265e95c9 --- /dev/null +++ b/releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml @@ -0,0 +1,7 @@ +--- +critical: + - | + Fixes `CVE-2024-32498 + `_ with + updated container images for Cinder, Glance and Nova services. + From b6394b0eee2dc5bcf46065c9e13b4242e2000147 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 1 Jul 2024 14:43:12 +0100 Subject: [PATCH 13/14] Revert "Remove CentOS AIO CI tests" This reverts commit a7187f9af309824c5bbfab9c83a72410ef0ea8e5. --- .github/workflows/stackhpc-all-in-one.yml | 2 +- .github/workflows/stackhpc-pull-request.yml | 28 +++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index 6ad74cc12..c1adf56f0 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -14,7 +14,7 @@ on: os_distribution: description: Host OS distribution type: string - default: rocky + default: centos os_release: description: Host OS release type: string diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml index 1a5fd2cad..ce9243ba2 100644 --- a/.github/workflows/stackhpc-pull-request.yml +++ b/.github/workflows/stackhpc-pull-request.yml 
@@ -76,6 +76,34 @@ jobs: if: ${{ needs.check-changes.outputs.aio == 'true' }} if: github.repository == 'stackhpc/stackhpc-kayobe-config' + all-in-one-centos-ovs: + name: aio (CentOS OVS) + needs: + - check-changes + - build-kayobe-image + uses: ./.github/workflows/stackhpc-all-in-one.yml + with: + kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }} + neutron_plugin: ovs + OS_CLOUD: openstack + if: ${{ needs.check-changes.outputs.aio == 'true' }} + secrets: inherit + if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }} + + all-in-one-centos-ovn: + name: aio (CentOS OVN) + needs: + - check-changes + - build-kayobe-image + uses: ./.github/workflows/stackhpc-all-in-one.yml + with: + kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }} + neutron_plugin: ovn + OS_CLOUD: openstack + if: ${{ needs.check-changes.outputs.aio == 'true' }} + secrets: inherit + if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }} + all-in-one-rocky-8-ovs: name: aio (Rocky OVS) needs: From d8408216d9717ae12fd9cadd7e8285bc5e7038bc Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 1 Jul 2024 14:47:29 +0100 Subject: [PATCH 14/14] CI: Reorder growroot after minimal host configure on CentOS Stream 8 This ensures that the release train repos are in place. --- .github/workflows/stackhpc-all-in-one.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index c1adf56f0..c1d119b15 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml 
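Review bot: Both restored CentOS jobs call the reusable workflow with `secrets: inherit`, which hands every secret available to this workflow to stackhpc-all-in-one.yml. If the called workflow reads only a few of them, naming those under `secrets:` limits what a pull-request run can reach; which secrets it actually uses is not visible in this hunk. The neighbouring Rocky jobs may use the same pattern, so this may be better handled for all of the aio jobs together than in the revert.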
@@ -234,6 +234,21 @@ jobs: run: | docker image pull $KAYOBE_IMAGE + # NOTE: Boostrap release train repos before growroot due to missing + # upstream CS8 repos preventing installation of growroot package. + - name: Host configure + run: | + docker run -t --rm \ + -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \ + -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY -e KAYOBE_TAGS -e KOLLA_TAGS \ + $KAYOBE_IMAGE \ + /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-host-configure.sh + env: + KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }} + KAYOBE_TAGS: "ssh-known-host,kayobe-ansible-user,kayobe-target-venv,dnf,kolla-ansible-user,kolla-pip,kolla-target-venv" + KOLLA_TAGS: "none" + if: inputs.os_distribution == 'centos' && inputs.os_release == '8-stream' + - name: Run growroot run: | docker run -t --rm \
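Review bot: The NOTE above the new "Host configure" step has a typo and no author tag, unlike the `NOTE(name):` comments elsewhere in this series; `# NOTE(mgoddard): Bootstrap release train repos before growroot due to missing` would match them. The comment should also say that this is a partial host configure limited by `KAYOBE_TAGS`, so the step is not mistaken for the full run. In the `docker run` line, `-v "$(pwd)":/stack/kayobe-automation-env/src/kayobe-config` avoids word splitting on the workspace path.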