From ac221ad4c311fbdcacb5543449bbba291906d9b9 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Fri, 12 Jul 2024 13:35:16 +0100 Subject: [PATCH 01/10] Correct cve-2024-6387 reno --- .../notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml index b90480105..8de5f7a7f 100644 --- a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml +++ b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml @@ -2,4 +2,4 @@ security: - | Adds a custom Apt repository to address `CVE-2024-6387 - `__ in OpenSSH. From 23b0771e2ca3b038ab2b1b98258440638c1c6e98 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Fri, 12 Jul 2024 13:35:16 +0100 Subject: [PATCH 02/10] Correct cve-2024-6387 reno --- .../notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml index b90480105..8de5f7a7f 100644 --- a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml +++ b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml @@ -2,4 +2,4 @@ security: - | Adds a custom Apt repository to address `CVE-2024-6387 - `__ in OpenSSH. From 771b736be9a5b9c1993ec16c09b0be1c29fe37b4 Mon Sep 17 00:00:00 2001 
From: Alex-Welsh Date: Fri, 12 Jul 2024 11:56:27 +0100 Subject: [PATCH 03/10] Split Ubuntu Docker CE package into Focal/Jammy --- etc/kayobe/apt.yml | 4 ++-- .../environments/ci-aio/stackhpc-ci.yml | 3 ++- .../environments/ci-builder/stackhpc-ci.yml | 3 ++- .../environments/ci-multinode/stackhpc-ci.yml | 3 ++- etc/kayobe/pulp-repo-versions.yml | 3 ++- etc/kayobe/pulp.yml | 20 +++++++++++++------ etc/kayobe/stackhpc.yml | 10 +++++++--- .../notes/docker-bump-dc4e85668ee69a21.yaml | 11 ++++++++++ 8 files changed, 42 insertions(+), 15 deletions(-) create mode 100644 releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml index b23104087..d1369aaa7 100644 --- a/etc/kayobe/apt.yml +++ b/etc/kayobe/apt.yml @@ -61,8 +61,8 @@ stackhpc_apt_repositories: components: upload architecture: amd64 trusted: yes - - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}" - suites: "{{ ansible_facts.distribution_release }}" + - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}" + suites: "{{ ansible_facts.distribution_release }}" components: stable signed_by: docker.asc architecture: amd64 diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml index e3fd39b1f..c66dece44 100644 --- a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml +++ b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml 
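Review bot: The new `url` expression for the Docker CE entry sends every release other than `focal` to `stackhpc_repo_docker_ce_ubuntu_jammy_url`, while `suites` on the following line still uses the host's actual `ansible_facts.distribution_release`. A host on any other release would be pointed at the Jammy snapshot with a suite that snapshot presumably does not publish, and the mismatch would only surface at `apt update`. A short comment above the entry would make the assumption explicit, for example `# Only focal and jammy are mirrored; any other release falls through to the jammy URL.` The `stackhpc_apt_repositories` list begins and ends outside this hunk.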
@@ -51,7 +51,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
index 57825f73c..821be0208 100644
--- a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
+++ b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
@@ -74,7 +74,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
index 3563364c8..b4dc79200 100644
--- a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
+++ b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
@@ -48,7 +48,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
index 914b00fde..be33dd15d 100644
--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -16,7 +16,8 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202
 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022
-stackhpc_pulp_repo_docker_ce_ubuntu_version: 20231020T014922
+stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20240122T172142
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240122T172142
 stackhpc_pulp_repo_docker_version: 20230919T015626
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 207c1f0eb..5b2e3d9e0 100644
--- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml @@ -132,13 +132,21 @@ stackhpc_pulp_deb_repos: required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" # Third-party repositories - - name: "Docker CE for Ubuntu" - url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" - distribution_name: "docker-ce-for-ubuntu-" - base_path: "docker-ce/ubuntu/" - distributions: "focal jammy" + - name: "Docker CE for Ubuntu Focal" + url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-focal/{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}" + distribution_name: "docker-ce-for-ubuntu-focal-" + base_path: "docker-ce/ubuntu-focal/" + distributions: "focal" components: "stable" - required: "{{ stackhpc_pulp_sync_ubuntu_focal or stackhpc_pulp_sync_ubuntu_jammy | bool }}" + required: "{{ stackhpc_pulp_sync_ubuntu_focal | bool }}" + + - name: "Docker CE for Ubuntu Jammy" + url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-jammy/{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}" + distribution_name: "docker-ce-for-ubuntu-jammy-" + base_path: "docker-ce/ubuntu-jammy/" + distributions: "jammy" + components: "stable" + required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" # Publication format is a subset of distribution. stackhpc_pulp_publication_deb_development: "{{ stackhpc_pulp_distribution_deb_development }}" diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index b74648178..6cf6bc99a 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml 
@@ -55,9 +55,13 @@ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}" stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}" -# Docker CE for Ubuntu -stackhpc_repo_docker_ce_ubuntu_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu/{{ stackhpc_repo_docker_ce_ubuntu_version }}" -stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_repo_distribution }}" +# Docker CE for Ubuntu Focal +stackhpc_repo_docker_ce_ubuntu_focal_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-focal/{{ stackhpc_repo_docker_ce_ubuntu_focal_version }}" +stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_repo_distribution }}" + +# Docker CE for Ubuntu Jammy +stackhpc_repo_docker_ce_ubuntu_jammy_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-jammy/{{ stackhpc_repo_docker_ce_ubuntu_jammy_version }}" +stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}" ############################################################################### # RPMs diff --git a/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml new file mode 100644 index 000000000..3563d6d3a --- /dev/null +++ b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + The Docker CE package for Ubuntu has been bumped from ``5:24.0.6-1`` to + ``5:25.0.0-1`` This is a side effect of separating out the repos for Docker + CE for Ubuntu Jammy/Focal. +fixes: + - | + Separated out repos for Docker CE for Ubuntu Jammy/Focal. This fixes a Pulp + sync issue where two "identical" repository versions existed with different + checksums. From 6a5920c0db154eff527224b7d57e61872e2f16f4 Mon Sep 17 00:00:00 2001 
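Review bot: Removing `stackhpc_repo_docker_ce_ubuntu_url` and `stackhpc_repo_docker_ce_ubuntu_version` in the `stackhpc.yml` hunk means a site configuration that still sets the old `_version` variable to pin a Docker CE snapshot is silently ignored, and hosts follow `stackhpc_repo_distribution` through the new per-release variables instead. The release note added in this commit has `features` and `fixes` sections but no `upgrade` entry naming the renamed variables. I would add one, for example `Overrides of stackhpc_repo_docker_ce_ubuntu_version must be replaced with stackhpc_repo_docker_ce_ubuntu_focal_version and stackhpc_repo_docker_ce_ubuntu_jammy_version.` It would also help to state there that the old `docker-ce/ubuntu/` path is no longer defined in `stackhpc_pulp_deb_repos`, so anything still pointing at it will stop receiving updates (inferred from the pulp.yml hunk in this commit).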
From: Will Szumski Date: Fri, 12 Jul 2024 17:56:20 +0000 Subject: [PATCH 04/10] Disables password expiration and inactivity policies (#1106) * Disables password expiration and inactivity policies This was causing the kayobe and kolla service accounts to be locked out of the system. * Remove flag that configures password expiry warning --- etc/kayobe/ansible/cis.yml | 11 +++++++++++ etc/kayobe/inventory/group_vars/overcloud/cis | 17 +++++++++++++++++ ...isable-password-expiry-3c296c72d36cd9da.yaml | 7 +++++++ 3 files changed, 35 insertions(+) create mode 100644 releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index ffb31c2fe..f286aaec4 100644 --- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml @@ -18,6 +18,17 @@ state: absent when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' + - name: Ensure service accounts have no expiry options set + # This is to workaround an issue where we set the expiry to 365 days on kayobe + # service accounts in a previous iteration of the CIS benchmark hardening + # defaults. This should restore the defaults and can eventually be removed. + command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }} + become: true + changed_when: false + with_items: + - "{{ kayobe_ansible_user }}" + - "{{ kolla_ansible_user }}" + - include_role: name: ansible-lockdown.rhel8_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index b20843d37..c6adea094 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
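Review bot: The new `chage` task in `cis.yml` has no `when:` and sets `changed_when: false`, so it runs on every host on every run and never reports a change; clearing the maximum age and inactivity lock on the two service accounts is therefore invisible in play output and in any change record built from it. Because this removes password ageing from the accounts Ansible connects as, the task comment should record the compensating control the project relies on (presumably key-only SSH with no usable password, to be confirmed), for example `# Service accounts are expected to authenticate by SSH key only; ageing is cleared so they cannot be locked out by expiry.` The commit message says the flag that configures the expiry warning was removed, yet `-W 7` is still on the command line; if that bullet refers to this command, one of the two should be corrected. When `kayobe_ansible_user` and `kolla_ansible_user` name the same account the loop runs twice, which `with_items: "{{ [kayobe_ansible_user, kolla_ansible_user] | unique }}"` would avoid.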
@@ -75,6 +75,10 @@ rhel9cis_max_log_file_size: 1024 # `rhel9cis_bootloader_password_hash` rhel9cis_set_boot_pass: false +# NOTICE: rule disabled otherwise rule will prevent access to accounts +# as it will expire passwords older than one year. +rhel9cis_rule_5_6_1_1: false + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration @@ -159,4 +163,17 @@ ubtu22cis_max_log_file_size: 1024 # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false ubtu22cis_rule_1_4_3: false + +# Disable: Ensure minimum days between password changes is configured +ubtu22cis_rule_5_5_1_1: false + +# Disable: Ensure password expiration is 365 days or less +ubtu22cis_rule_5_5_1_2: false + +# Disable: Ensure inactive password lock is 30 days or less +ubtu22cis_rule_5_5_1_4: false + +# Disable: Ensure all users last password change date is in the past +ubtu22cis_rule_5_5_1_5: false + ############################################################################## diff --git a/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml new file mode 100644 index 000000000..3ad5e55b9 --- /dev/null +++ b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml @@ -0,0 +1,7 @@ +--- +critical: + - | + Disables password expiration and inactivity policies. This caused the kayobe + and kolla service accounts to be locked out of the system. You should re-apply + the CIS benchmark hardening playbook as soon as possible to avoid being locked + out of your system. From bde14270185fb83e3f05f61447bdab7cb270ce7c Mon Sep 17 00:00:00 2001 
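Review bot: `rhel9cis_rule_5_6_1_1: false` in the first hunk and the four `ubtu22cis_rule_5_5_1_*: false` settings in the second switch these controls off for every account on overcloud hosts, not only for the kayobe and kolla service accounts that the commit message names as the problem. Any interactive or break-glass account with a password loses expiry, minimum-age and inactivity locking as well, so the comments should state that scope and the compensating control, for example `# Applies to all local accounts; review before adding local users that log in with a password.` The RHEL 9 block disables one rule while the Ubuntu block disables four; if that difference is intentional (the two benchmarks may number these controls differently) a one-line comment saying so would save the next reader checking. `ubtu22cis_rule_5_5_1_5` is described in its own comment as a check that last-change dates are in the past, which reads like an audit rather than an ageing policy, so it is worth confirming that it needs to be disabled at all.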
From: Mark Goddard Date: Tue, 16 Jul 2024 11:12:04 +0100 Subject: [PATCH 05/10] Remove Kolla Ansible docker repo file on Jammy upgrade When switching from Kolla Ansible repositories to release train, we need to remove the docker.list file that was added by Kolla Ansible. --- etc/kayobe/ansible/ubuntu-upgrade.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index 928e1c52d..c345fcb05 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -88,6 +88,13 @@ state: absent become: true + - name: Ensure Kolla Ansible Docker repo definition does not exist + file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0 + - name: Reboot and wait reboot: reboot_timeout: 1200 From ce12cc0976d7bbea7072f85cbe7de64c45b7c1eb Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 16 Jul 2024 11:13:32 +0100 Subject: [PATCH 06/10] Make reboot timeout configurable in Ubuntu Jammy upgrade --- etc/kayobe/ansible/ubuntu-upgrade.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index c345fcb05..66ed49643 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -5,6 +5,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Assert that hosts are running Ubuntu Focal assert: @@ -37,7 +38,7 @@ - name: Reboot to apply updates reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true when: file_status.stat.exists 
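Review bot: The `when:` on the new "Ensure Kolla Ansible Docker repo definition does not exist" task uses `selectattr('url', 'match', '.*docker-ce.*')`, which is likely to fail if any entry in `apt_repositories` has no `url` key, and the wrapped `.*` make a substring test look like a full-pattern match. `when: apt_repositories | selectattr('url', 'defined') | selectattr('url', 'search', 'docker-ce') | list | length > 0` tolerates incomplete entries and states the intent directly. A comment such as `# Only remove docker.list when a release train Docker CE repo replaces it, so hosts are never left without a Docker repo.` would explain why the guard exists. The play this task belongs to starts and ends outside the hunk.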
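Review bot: `reboot_timeout_s` is defined under the play's `vars:` in the `@@ -5,6 +5,7 @@` hunk and again in the `@@ -81,6 +82,7 @@` hunk, so the default is duplicated and the two plays can drift apart. Play vars outrank inventory group and host vars in Ansible's precedence, so the value can only be changed through extra vars; whether kayobe configuration is passed that way is not visible here. A comment next to the definition would make the override path explicit, for example `# Seconds to wait for a host to come back; override with -e reboot_timeout_s=<seconds>.` `connect_timeout: 600` on the same `reboot` tasks is still hard-coded, which is worth a mention if slow hosts were the motivation.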
@@ -81,6 +82,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Ensure Jammy repo definitions do not exist in sources.list blockinfile: @@ -97,7 +99,7 @@ - name: Reboot and wait reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true From 033a7a9fcfb35bbbcc1ca8ad9c581c11fd3eae67 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 16 Jul 2024 11:51:31 +0100 Subject: [PATCH 07/10] Only enable Apt CVE-2024-6387 repo on Jammy hosts The fix is not required on Focal, and the package is not compatible. --- etc/kayobe/apt.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml index d1369aaa7..15a4bb7e6 100644 --- a/etc/kayobe/apt.yml +++ b/etc/kayobe/apt.yml 
@@ -52,25 +52,29 @@ stackhpc_apt_repositories: suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports" components: main restricted universe multiverse architecture: amd64 + required: true - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}" suites: "{{ ansible_facts.distribution_release }}-security" components: main restricted universe multiverse architecture: amd64 + required: true - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}" suites: "pulp" components: upload architecture: amd64 trusted: yes + required: "{{ ansible_facts.distribution_release == 'jammy' }}" - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}" suites: "{{ ansible_facts.distribution_release }}" components: stable signed_by: docker.asc architecture: amd64 + required: true # Do not replace apt configuration for non-overcloud hosts. This can result in # errors if apt reconfiguration is performed before local repository mirrors # are deployed. -apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}" +apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}" # Whether to disable repositories in /etc/apt/sources.list. This may be used # when replacing the distribution repositories via apt_repositories. From ab2a53230ec02b605b0bc77bf0a85697ec083f38 Mon Sep 17 00:00:00 2001 
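Review bot: `selectattr('required')` in the new `apt_repositories` expression assumes every entry carries a `required` key, so a site that overrides `stackhpc_apt_repositories` with its own list lacking that key will probably see an undefined-attribute error or lose entries. The contract should be documented above the list, for example `# Every entry must set 'required'; entries where it evaluates to false are omitted from apt_repositories.` The entry now gated to Jammy also carries `trusted: yes` on a context line, which tells Apt to skip signature verification for that repository; restricting it to Jammy narrows where unverified packages are accepted, and a comment noting that the entry should be dropped once the fixed OpenSSH package is available from the signed security repository would keep that exposure temporary. The templated `required` value could use `| bool` as the `required:` fields in `pulp.yml` do, for consistency. The `required` key is also left in each dictionary handed to whatever consumes `apt_repositories`, so confirm that consumer ignores unknown keys.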
From: Mark Goddard Date: Mon, 22 Jul 2024 13:13:37 +0100 Subject: [PATCH 08/10] ci-multinode: Add failing refstack tests to skip list In Yoga and Zed there are 2 tests that fail due to using internal TLS but no external TLS. This breaks some URLs in API responses. This change adds them to skip lists. This should be reverted in Antelope, since it supports external TLS in multinodes. --- .automation.conf/config.sh | 1 + .../tempest/skip-lists/ci-multinode-platform.2022.11 | 2 ++ .automation.conf/tempest/skip-lists/ci-multinode-tempest-full | 2 ++ 3 files changed, 5 insertions(+) create mode 100644 .automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 diff --git a/.automation.conf/config.sh b/.automation.conf/config.sh index 84b11dd07..23fd5d819 100644 --- a/.automation.conf/config.sh +++ b/.automation.conf/config.sh @@ -24,6 +24,7 @@ if [ ! -z ${KAYOBE_ENVIRONMENT:+x} ]; then # SMSLab is currently running with 1G switches. This causes tests using volumes and images to fail if # the concurrency is set too high. export TEMPEST_CONCURRENCY=1 + export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11" # Uncomment this to perform a full tempest test # export KAYOBE_AUTOMATION_TEMPEST_LOADLIST=tempest-full # export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST=ci-multinode-tempest-full diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 new file mode 100644 index 000000000..7f3276e64 --- /dev/null +++ b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 @@ -0,0 +1,2 @@ +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" 
diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full index 94c494687..bb3ad2f71 100644 --- a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full +++ b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full @@ -1 +1,3 @@ +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_subnet_details.*: "Cirros image doesn't have '/var/run/udhcpc.eth0.pid" From 3d6ac12e2a6a90a7148a8aba684c0ebd90f86b7d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 6 Jun 2024 12:45:37 +0100 Subject: [PATCH 09/10] Bump stackhpc.hashicorp role to 2.5.0 This brings in a useful idempotency fix for Vault deployment. (cherry picked from commit bf535c6e82bcffd462b144b621a1c84b352b3f4a) --- etc/kayobe/ansible/requirements.yml | 2 +- releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 92c3faecd..29018d01d 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -9,7 +9,7 @@ collections: - name: stackhpc.pulp version: 0.4.1 - name: stackhpc.hashicorp - version: 2.4.0 + version: 2.5.0 - name: stackhpc.kayobe_workflows version: 1.0.3 roles: diff --git a/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml new file mode 100644 index 000000000..d56f6593e --- /dev/null +++ b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml 
@@ -0,0 +1,5 @@ +--- +fixes: + - | + Updates the ``stackhpc.hashicorp`` Ansible collection to 2.5.0. This brings + in an idempotency fix for generating certificates. From 7c3a09f14fab9cebe856328e66f9bcb0f1d6b0ac Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 23 Jul 2024 08:52:56 +0100 Subject: [PATCH 10/10] Revert "ci-multinode: Add failing refstack tests to skip list" This reverts commit ab2a53230ec02b605b0bc77bf0a85697ec083f38. It does not apply to Antelope since external TLS is supported in multinode. --- .automation.conf/config.sh | 1 - .../tempest/skip-lists/ci-multinode-platform.2022.11 | 2 -- .automation.conf/tempest/skip-lists/ci-multinode-tempest-full | 2 -- 3 files changed, 5 deletions(-) delete mode 100644 .automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 diff --git a/.automation.conf/config.sh b/.automation.conf/config.sh index 23fd5d819..84b11dd07 100644 --- a/.automation.conf/config.sh +++ b/.automation.conf/config.sh @@ -24,7 +24,6 @@ if [ ! -z ${KAYOBE_ENVIRONMENT:+x} ]; then # SMSLab is currently running with 1G switches. This causes tests using volumes and images to fail if # the concurrency is set too high. export TEMPEST_CONCURRENCY=1 - export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11" # Uncomment this to perform a full tempest test # export KAYOBE_AUTOMATION_TEMPEST_LOADLIST=tempest-full # export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST=ci-multinode-tempest-full diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 deleted file mode 100644 index 7f3276e64..000000000 --- a/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 +++ /dev/null @@ -1,2 +0,0 @@ -tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" -tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" 
diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full index bb3ad2f71..94c494687 100644 --- a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full +++ b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full @@ -1,3 +1 @@ -tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" -tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_subnet_details.*: "Cirros image doesn't have '/var/run/udhcpc.eth0.pid"