From 69a151d41dd64dafa351ff96063b7e4993e8d38e Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 10 Jun 2025 13:50:34 +0100
Subject: [PATCH 1/6] Bump package repos for Epoxy

---
 etc/kayobe/pulp-repo-versions.yml | 42 +++++++++++++++----------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
index 7d6cabbc9..33fe50dd2 100644
--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -1,20 +1,24 @@
 ---
 # This file is autogenerated by Ansible using the following workflow:
 # https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-update-kayobe.yml
-stackhpc_pulp_repo_centos_stream_9_docker_version: 20250123T000657
-stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250205T015600
+stackhpc_pulp_repo_centos_stream_9_docker_version: 20250531T002004
+stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250528T022338
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318
-stackhpc_pulp_repo_centos_stream_9_storage_ceph_squid_version: 20250203T100829
-stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250131T133101
-stackhpc_pulp_repo_elrepo_9_version: 20250203T000038
-stackhpc_pulp_repo_epel_9_version: 20250204T071808
-stackhpc_pulp_repo_grafana_version: 20250204T090817
-stackhpc_pulp_repo_opensearch_2_x_version: 20241106T010702
-stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20241106T010702
-stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20250128T001826
-stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20241217T002152
-stackhpc_pulp_repo_rhel_9_influxdb_version: 20250125T002237
-stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20250205T001351
+stackhpc_pulp_repo_centos_stream_9_storage_ceph_squid_version: 20250412T024303
+stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250604T001951
+stackhpc_pulp_repo_elrepo_9_version: 20250608T000535
+stackhpc_pulp_repo_epel_9_version: 20250609T000109
+stackhpc_pulp_repo_grafana_version: 20250609T005704
+stackhpc_pulp_repo_opensearch_2_x_version: 20250430T014638
+stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20250430T014638
+stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20250607T003941
+stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20250607T003941
+stackhpc_pulp_repo_rhel_9_4_doca_modules_version: 20241213T112245
+stackhpc_pulp_repo_rhel_9_4_doca_version: 20241211T153620
+stackhpc_pulp_repo_rhel_9_5_doca_modules_version: 20250115T150314
+stackhpc_pulp_repo_rhel_9_5_doca_version: 20241211T171301
+stackhpc_pulp_repo_rhel_9_influxdb_version: 20250529T023704
+stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20250523T014203
 stackhpc_pulp_repo_rhel_9_rabbitmq_erlang_version: 20240711T091318
 stackhpc_pulp_repo_rhel_9_rabbitmq_server_version: 20240711T091318
 stackhpc_pulp_repo_rhel_9_treasuredata_5_version: 20241115T002028
@@ -43,11 +47,7 @@ stackhpc_pulp_repo_rocky_9_5_baseos_version: 20250201T125442
 stackhpc_pulp_repo_rocky_9_5_crb_version: 20250204T095037
 stackhpc_pulp_repo_rocky_9_5_extras_version: 20250122T025402
 stackhpc_pulp_repo_rocky_9_5_highavailability_version: 20250204T095037
-stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250128T024400
-stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250205T050034
-stackhpc_pulp_repo_ubuntu_noble_security_version: 20250205T090140
-stackhpc_pulp_repo_ubuntu_noble_version: 20250205T090140
-stackhpc_pulp_repo_rhel_9_4_doca_version: 20241211T153620
-stackhpc_pulp_repo_rhel_9_4_doca_modules_version: 20241213T112245
-stackhpc_pulp_repo_rhel_9_5_doca_version: 20241211T171301
-stackhpc_pulp_repo_rhel_9_5_doca_modules_version: 20250115T150314
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250222T040303
+stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250609T053359
+stackhpc_pulp_repo_ubuntu_noble_security_version: 20250609T094526
+stackhpc_pulp_repo_ubuntu_noble_version: 20250609T094526

From 2743104b149b16f48fcfbaa8111bbe50014959c9 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 10 Jun 2025 14:19:07 +0100
Subject: [PATCH 2/6] Bump etcd to 3.5.21

---
 etc/kayobe/kolla/kolla-build.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf
index c2cc7efa0..10b56a89c 100644
--- a/etc/kayobe/kolla/kolla-build.conf
+++ b/etc/kayobe/kolla/kolla-build.conf
@@ -14,3 +14,7 @@ build_args = {{ (kolla_build_args | default({})).items() | map('join', ':') | jo
 type = git
 location = https://github.com/stackhpc/requirements
 reference = stackhpc/{{ openstack_release }}
+
+[etcd]
+version = 3.5.21
+sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,arm64:95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f

From ba7fc726ec4d7cc50e1bad6fea0360e1695c4e0e Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 10 Jun 2025 14:19:29 +0100
Subject: [PATCH 3/6] Bump letsencrypt-lego to v4.23.1

---
 etc/kayobe/kolla/kolla-build.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf
index 10b56a89c..339ac3811 100644
--- a/etc/kayobe/kolla/kolla-build.conf
+++ b/etc/kayobe/kolla/kolla-build.conf
@@ -18,3 +18,7 @@ reference = stackhpc/{{ openstack_release }}
 [etcd]
 version = 3.5.21
 sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,arm64:95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f
+
+[letsencrypt-lego]
+version = v4.23.1
+sha256 = amd64:1fd60b1fd59c239bed22719a5de402cb745d1f933540cb1ec196e2c03e6e8882,arm64:1114745108343286d4bff189b4bdee3cba9d07ebcacc673860d91ab951d31e0d

From a8c530d96b7923ce9ae9dde50524253f7856b64e Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 10 Jun 2025 14:20:05 +0100
Subject: [PATCH 4/6] Bump magnum-conductor-plugin-helm to v3.18.2

---
 etc/kayobe/kolla/kolla-build.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf
index 339ac3811..6bbd5b753 100644
--- a/etc/kayobe/kolla/kolla-build.conf
+++ b/etc/kayobe/kolla/kolla-build.conf
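Review bot: The new `[etcd]` section pins a version and per-architecture `sha256` digests with no comment saying why the pin exists or where the digests were taken from; the `[letsencrypt-lego]` and `[magnum-conductor-plugin-helm]` sections added in patches 3/6 and 4/6 follow the same pattern. Pinning a digest is the right control for a downloaded binary, but a reviewer cannot confirm these values from the patch alone, and an undocumented pin tends to outlive its reason and hold the component back after the default moves on. I would add one comment line above each section, along the lines of `# <reason for pin>; sha256 values from <upstream checksum source>`, filled in with how the values were actually obtained.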
@@ -22,3 +22,7 @@ sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,
 [letsencrypt-lego]
 version = v4.23.1
 sha256 = amd64:1fd60b1fd59c239bed22719a5de402cb745d1f933540cb1ec196e2c03e6e8882,arm64:1114745108343286d4bff189b4bdee3cba9d07ebcacc673860d91ab951d31e0d
+
+[magnum-conductor-plugin-helm]
+version = v3.18.2
+sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,arm64:03181a494a0916b370a100a5b2536104963b095be53fb23d1e29b2afb1c7de8d

From 0ddb1c2be6847b1166f818cbd3b8c145593d495d Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 10 Jun 2025 16:48:33 +0100
Subject: [PATCH 5/6] Allow CVE-2024-45337 for influxdb

No upstream fix available

---
 etc/kayobe/trivy/allowed-vulnerabilities.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
index adf2aad82..a44e0508b 100644
--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -35,6 +35,8 @@ prometheus_libvirt_exporter_allowed_vulnerabilities:
 prometheus_cadvisor_allowed_vulnerabilities:
 - CVE-2024-41110
 - CVE-2024-45337
+influxdb_allowed_vulnerabilities:
+ - CVE-2024-45337
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.

From a1cd8115826a503fb50be0ec68bffeb71bcaa348 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Wed, 11 Jun 2025 14:43:11 +0100
Subject: [PATCH 6/6] Bump Epoxy Kolla images to fix critical CVEs

---
 etc/kayobe/kolla-image-tags.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
index 75ec0cdda..d0690656f 100644
--- a/etc/kayobe/kolla-image-tags.yml
+++ b/etc/kayobe/kolla-image-tags.yml
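Review bot: The new `influxdb_allowed_vulnerabilities` entry in patch 5/6 suppresses CVE-2024-45337 in the Trivy allowlist without recording why or until when. The only justification ("No upstream fix available") is in the commit message, where whoever next reads this file will not see it. An allowlist entry with no reason or review date tends to stay in place after a fixed image exists, and the scan keeps passing. I would put a comment on the entry, for example `# CVE-2024-45337: no upstream fix available as of 2025-06-10; re-check when the influxdb image is rebuilt`. The `prometheus_cadvisor_allowed_vulnerabilities` context lines just above list the same CVE with no comment either, though that list predates this patch; the file continues outside the hunk.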
@@ -5,7 +5,5 @@
 # TODO: Rebuild epoxy images
 kolla_image_tags:
 openstack:
- rocky-9: 2025.1-rocky-9-20250603T110500
- ubuntu-noble: 2025.1-ubuntu-noble-20250606T113506
- neutron_l3_agent:
- rocky-9: 2025.1-rocky-9-20250606T090153
+ rocky-9: 2025.1-rocky-9-20250611T085217
+ ubuntu-noble: 2025.1-ubuntu-noble-20250611T085217
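Review bot: The `# TODO: Rebuild epoxy images` comment kept as context at the top of this hunk looks stale if the 20250611 tags are the rebuild it asked for; either drop it or reword it to say what is still outstanding. The hunk also removes the `neutron_l3_agent` entry, which appears to be a per-image override, so that image would now follow the common `openstack` tag; that is presumably intended, but neither the commit message nor the file says so. The commit title refers to critical CVEs without naming them, and listing the CVE ids in the commit body would let a later reader tie this tag set to the scan findings it was meant to clear.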