From bde14270185fb83e3f05f61447bdab7cb270ce7c Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 16 Jul 2024 11:12:04 +0100
Subject: [PATCH 1/3] Remove Kolla Ansible docker repo file on Jammy upgrade

When switching from Kolla Ansible repositories to release train, we need to remove the docker.list file that was added by Kolla Ansible.
---
 etc/kayobe/ansible/ubuntu-upgrade.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml
index 928e1c52d..c345fcb05 100644
--- a/etc/kayobe/ansible/ubuntu-upgrade.yml
+++ b/etc/kayobe/ansible/ubuntu-upgrade.yml
@@ -88,6 +88,13 @@
 state: absent
 become: true
+ - name: Ensure Kolla Ansible Docker repo definition does not exist
+ file:
+ path: /etc/apt/sources.list.d/docker.list
+ state: absent
+ become: true
+ when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0
+
 - name: Reboot and wait
 reboot:
 reboot_timeout: 1200

From ce12cc0976d7bbea7072f85cbe7de64c45b7c1eb Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 16 Jul 2024 11:13:32 +0100
Subject: [PATCH 2/3] Make reboot timeout configurable in Ubuntu Jammy upgrade

---
 etc/kayobe/ansible/ubuntu-upgrade.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml
index c345fcb05..66ed49643 100644
--- a/etc/kayobe/ansible/ubuntu-upgrade.yml
+++ b/etc/kayobe/ansible/ubuntu-upgrade.yml
@@ -5,6 +5,7 @@
 hosts: overcloud:infra-vms:seed:seed-hypervisor
 vars:
 ansible_python_interpreter: /usr/bin/python3
+ reboot_timeout_s: "{{ 20 * 60 }}"
 tasks:
 - name: Assert that hosts are running Ubuntu Focal
 assert:
@@ -37,7 +38,7 @@
 - name: Reboot to apply updates
 reboot:
- reboot_timeout: 1200
+ reboot_timeout: "{{ reboot_timeout_s }}"
 connect_timeout: 600
 become: true
 when: file_status.stat.exists
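Review bot: In patch 1/3 (`@@ -88,6 +88,13 @@`) the `when:` on the new docker.list task infers from a URL substring whether the release train supplies Docker. A mirror whose path does not contain `docker-ce` would therefore leave the Kolla Ansible `docker.list`, and the source it points at, in place next to the new repository after the upgrade. A comment above the task should state that intent, e.g. `# Only remove docker.list when apt_repositories provides a docker-ce repo.` The test also reads more plainly as `selectattr('url', 'search', 'docker-ce')`, which selects the same URLs as `'match', '.*docker-ce.*'`; both forms assume every `apt_repositories` entry has a `url` key. The enclosing play starts and ends outside the hunk.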
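Review bot: In patch 2/3 (`@@ -5,6 +5,7 @@`) `reboot_timeout_s` is defined under the play's `vars:`, and play vars take precedence over inventory group_vars and host_vars, so in practice the timeout can only be changed with `-e reboot_timeout_s=<seconds>`; nothing in the hunk documents that. A comment on the new line would cover it, e.g. `# Reboot timeout in seconds; override with -e reboot_timeout_s=<seconds>.` The same default is repeated in the second play (`@@ -81,6 +82,7 @@`), so the two values can drift apart if only one is edited. Both plays continue outside their hunks.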
@@ -81,6 +82,7 @@
 hosts: overcloud:infra-vms:seed:seed-hypervisor
 vars:
 ansible_python_interpreter: /usr/bin/python3
+ reboot_timeout_s: "{{ 20 * 60 }}"
 tasks:
 - name: Ensure Jammy repo definitions do not exist in sources.list
 blockinfile:
@@ -97,7 +99,7 @@
 - name: Reboot and wait
 reboot:
- reboot_timeout: 1200
+ reboot_timeout: "{{ reboot_timeout_s }}"
 connect_timeout: 600
 become: true

From 033a7a9fcfb35bbbcc1ca8ad9c581c11fd3eae67 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 16 Jul 2024 11:51:31 +0100
Subject: [PATCH 3/3] Only enable Apt CVE-2024-6387 repo on Jammy hosts

The fix is not required on Focal, and the package is not compatible.
---
 etc/kayobe/apt.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml
index d1369aaa7..15a4bb7e6 100644
--- a/etc/kayobe/apt.yml
+++ b/etc/kayobe/apt.yml
@@ -52,25 +52,29 @@ stackhpc_apt_repositories:
 suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports"
 components: main restricted universe multiverse
 architecture: amd64
+ required: true
 - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}"
 suites: "{{ ansible_facts.distribution_release }}-security"
 components: main restricted universe multiverse
 architecture: amd64
+ required: true
 - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
 suites: "pulp"
 components: upload
 architecture: amd64
 trusted: yes
+ required: "{{ ansible_facts.distribution_release == 'jammy' }}"
 - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}"
 suites: "{{ ansible_facts.distribution_release }}"
 components: stable
 signed_by: docker.asc
 architecture: amd64
+ required: true
 # Do not replace apt configuration for non-overcloud hosts. This can result in
 # errors if apt reconfiguration is performed before local repository mirrors
 # are deployed.
-apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}"
+apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}"
 # Whether to disable repositories in /etc/apt/sources.list. This may be used
 # when replacing the distribution repositories via apt_repositories.
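Review bot: The bare `selectattr('required')` in the new `apt_repositories` expression is a truthiness test, and it is now the only thing keeping the `trusted: yes` CVE-2024-6387 source off Focal hosts. If the templated `required` value ever reaches the filter as the string `'False'` rather than a boolean, it counts as true and the repository stays enabled. An entry without a `required` key, for example in a site override of `stackhpc_apt_repositories`, will probably fail as undefined rather than be kept or dropped. `selectattr('required', 'truthy', convert_bool=True)` makes the boolean conversion explicit, and a comment above the list should say that every entry must define `required`. The list starts above the hunk, so any entries not shown here could not be checked for the new key.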