stackhpc · m-bull · Jul 9, 2024 · May 9, 2024 · Mar 14, 2024 · Jun 10, 2024
@@ -144,6 +144,10 @@ jobs:
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
 
+      - name: Install yq
+        run: |
+          curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
+
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&

@@ -399,8 +399,12 @@ kolla_build_blocks:
         fi
     {% endif %}
     {% endif %}
+  kolla_toolbox_header: |
+    ENV UPPER_CONSTRAINTS_FILE=https://raw.githubusercontent.com/stackhpc/requirements/stackhpc/{{ openstack_release }}/upper-constraints.txt
   bifrost_base_header: |
     ADD additions-archive /
+    ENV ANSIBLE_PIP_VERSION='>=8,<9'
+    ENV TOX_CONSTRAINTS_FILE=/requirements/upper-constraints.txt
   grafana_plugins_install: |
     RUN grafana-cli plugins install vonage-status-panel \
         && grafana-cli plugins install grafana-piechart-panel

@@ -13,53 +13,69 @@ kolla_base_distro: "{% raw %}{{ 'centos' if ansible_facts.distribution == 'Rocky
 kayobe_image_tags:
   openstack:
     centos: yoga-20231024T093507
-    rocky: yoga-20231218T141822
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20231024T093507
   cinder:
     centos: yoga-20240701T132344
-    rocky: yoga-20240701T132344
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240701T132344
   cloudkitty:
     centos: yoga-20240503T150127
-    rocky: yoga-20240503T150127
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240503T150127
   glance:
     centos: yoga-20240702T105751
-    rocky: yoga-20240702T105751
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240702T105751
+  grafana:
+    centos: yoga-20240510T114335
+    rocky: yoga-20240724T134946
+    ubuntu: yoga-20240510T114335
   heat:
     centos: yoga-20240320T082414
-    rocky: yoga-20240320T082414
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240320T082414
+  horizon:
+    centos: yoga-20240510T114335
+    rocky: yoga-20240724T134946
+    ubuntu: yoga-20240510T114335
   magnum:
     centos: yoga-20240308T154440
-    rocky: yoga-20240308T154440
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240308T154440
   neutron:
     centos: yoga-20231114T125927
-    rocky: yoga-20240105T120257
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20231114T125927
   nova:
     centos: yoga-20240724T085253
-    rocky: yoga-20240724T085253
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20240724T085253
   nova_libvirt:
     centos: yoga-20231113T171023
-    rocky: yoga-20240105T120257
+    rocky: yoga-20240724T134946
     ubuntu: yoga-20231103T161400
-
+  opensearch:
+    centos: yoga-20231219T221916
+    rocky: yoga-20240724T134946
+    ubuntu: yoga-20231219T221916
+  prometheus:
+    centos: yoga-20240510T145442
+    rocky: yoga-20240724T134946
+    ubuntu: yoga-20240510T145442
+
 cloudkitty_tag: "{% raw %}{{ kayobe_image_tags['cloudkitty'][kolla_base_distro] }}{% endraw %}"
 cinder_tag: "{% raw %}{{ kayobe_image_tags['cinder'][kolla_base_distro] }}{% endraw %}"
 glance_tag: "{% raw %}{{ kayobe_image_tags['glance'][kolla_base_distro] }}{% endraw %}"
-grafana_tag: yoga-20240510T114335
+grafana_tag: "{% raw %}{{ kayobe_image_tags['grafana'][kolla_base_distro] }}{% endraw %}"
 heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}"
-horizon_tag: yoga-20240510T114335
+horizon_tag: "{% raw %}{{ kayobe_image_tags['horizon'][kolla_base_distro] }}{% endraw %}"
 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}"
 neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}"
 nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}"
 nova_libvirt_tag: "{% raw %}{{ kayobe_image_tags['nova_libvirt'][kolla_base_distro] }}{% endraw %}"
-opensearch_tag: yoga-20231219T221916
-prometheus_tag: yoga-20240510T145442
+opensearch_tag: "{% raw %}{{ kayobe_image_tags['opensearch'][kolla_base_distro] }}{% endraw %}"
+prometheus_tag: "{% raw %}{{ kayobe_image_tags['prometheus'][kolla_base_distro] }}{% endraw %}"
 
 # These overrides are currently redundant, but are kept because it's not obvious that you need them if setting haproxy_tag
 glance_tls_proxy_tag: "{% raw %}{{ haproxy_tag | default(openstack_tag) }}{% endraw %}"

@@ -11,28 +11,28 @@ stackhpc_pulp_repo_centos_stream_8_openstack_yoga_version: 20231011T133933
 stackhpc_pulp_repo_centos_stream_8_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_8_powertools_version: 20231018T041416
 stackhpc_pulp_repo_centos_stream_8_storage_ceph_pacific_version: 20230709T010022
-stackhpc_pulp_repo_centos_stream_9_docker_version: 20230919T015626
-stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202
-stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906
+stackhpc_pulp_repo_centos_stream_9_docker_version: 20240702T000233
+stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20240708T235303
+stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20240221T101621
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022
 stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20240122T172142
 stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240122T172142
 stackhpc_pulp_repo_docker_version: 20230919T015626
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311
-stackhpc_pulp_repo_epel_9_version: 20231020T014922
+stackhpc_pulp_repo_epel_9_version: 20240708T235303
 stackhpc_pulp_repo_epel_modular_version: 20220913T043117
 stackhpc_pulp_repo_epel_version: 20231020T014922
-stackhpc_pulp_repo_grafana_version: 20231020T014922
+stackhpc_pulp_repo_grafana_version: 20240708T235303
 stackhpc_pulp_repo_mariadb_10_6_centos8_version: 20230815T010124
 stackhpc_pulp_repo_mlnx_ofed_5_7_1_0_2_0_rhel8_6_version: 20220920T151419
-stackhpc_pulp_repo_opensearch_2_x_version: 20231202T013234
-stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20231202T013234
-stackhpc_pulp_repo_rabbitmq_erlang_version: 20231015T004919
-stackhpc_pulp_repo_rabbitmq_server_version: 20231018T041416
-stackhpc_pulp_repo_rhel_9_influxdb_version: 20231019T010143
-stackhpc_pulp_repo_rhel_9_mariadb_10_6_version: 20230815T010124
+stackhpc_pulp_repo_opensearch_2_x_version: 20240626T000533
+stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20240626T000533
+stackhpc_pulp_repo_rabbitmq_erlang_version: 20240506T000343
+stackhpc_pulp_repo_rabbitmq_server_version: 20240704T001154
+stackhpc_pulp_repo_rhel_9_influxdb_version: 20240702T000233
+stackhpc_pulp_repo_rhel_9_mariadb_10_6_version: 20240517T012522
 stackhpc_pulp_repo_rhel_9_treasuredata_4_version: 20230903T003752
 stackhpc_pulp_repo_rocky_8_6_appstream_version: 20221105T035018
 stackhpc_pulp_repo_rocky_8_6_baseos_version: 20221105T035018
@@ -64,6 +64,11 @@ stackhpc_pulp_repo_rocky_9_3_baseos_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_crb_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_extras_version: 20231211T120328
 stackhpc_pulp_repo_rocky_9_3_highavailability_version: 20231214T005538
+stackhpc_pulp_repo_rocky_9_4_appstream_version: 20240704T001154
+stackhpc_pulp_repo_rocky_9_4_baseos_version: 20240707T011413
+stackhpc_pulp_repo_rocky_9_4_crb_version: 20240702T000233
+stackhpc_pulp_repo_rocky_9_4_extras_version: 20240707T235817
+stackhpc_pulp_repo_rocky_9_4_highavailability_version: 20240629T235004
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240708T235303
 stackhpc_pulp_repo_treasuredata_4_version: 20230903T003752
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20231019T125502

@@ -248,8 +248,8 @@ stackhpc_pulp_sync_el_8: "{{ stackhpc_pulp_sync_rocky_8 or stackhpc_pulp_sync_ce
 
 # Whether to sync Rocky Linux 9 packages.
 stackhpc_pulp_sync_rocky_9: "{{ os_distribution == 'rocky' and os_release == '9' }}"
-# Rocky 9 minor version number. Supported values: 1, 2, 3. Default is 3
-stackhpc_pulp_repo_rocky_9_minor_version: 3
+# Rocky 9 minor version number. Supported values: 1, 2, 3, 4. Default is 4
+stackhpc_pulp_repo_rocky_9_minor_version: 4
 # Rocky 9 Snapshot versions. The defaults use the appropriate version from
 # pulp-repo-versions.yml for the selected minor release.
 stackhpc_pulp_repo_rocky_9_appstream_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_%s_appstream_version' % stackhpc_pulp_repo_rocky_9_minor_version) }}"

@@ -0,0 +1,20 @@
+---
+###############################################################################
+# Trivy allowed vulnerabilities list
+
+# Example allowed vulnerabilities file setup
+#
+# global_allowed_vulnerabilities:
+#   - CVE-2024-36039
+#
+# keystone_allowed_vulnerabilities:
+#   - CVE-2022-2447
+#
+# barbican_api_allowed_vulnerabilities:
+#   - CVE-2023-31047
+rocky_source_fluentd_allowed_vulnerabilities:
+  - CVE-2024-27280
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Added support for Rocky Linux 9.4 repositories and Kolla containers.
+    Made 9.4 the default version for Rocky Linux.
+  - |
+    Updated Rocky Linux 9.3 pulp repo versions.
+    Added Rocky Linux pulp repo versions.
+    Rebuilt Kolla containers with Rocky 9.4.
@@ -36,6 +36,16 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt imag
 # critical-images.txt
 for image in $images; do
   filename=$(basename $image | sed 's/:/\./g')
+  imagename=$(echo $filename | cut -d "." -f 1 | sed 's/-/_/g')
+  global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+  image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+  touch .trivyignore
+  for vulnerability in $global_vulnerabilities; do
+    echo $vulnerability >> .trivyignore
+  done
+  for vulnerability in $image_vulnerabilities; do
+    echo $vulnerability >> .trivyignore
+  done
   if $(trivy image \
           --quiet \
           --exit-code 1 \
@@ -84,4 +94,5 @@ for image in $images; do
       echo "${image}" >> image-scan-output/dirty-images.txt
     fi
   fi
+  rm .trivyignore
 done