diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index 8cdd2e6381..a0f687e4e8 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -314,6 +314,26 @@ jobs: env: KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }} + - name: Pull container images + run: | + # Try up to 3 times to pull container images. + for attempt in $(seq 3); do + docker run -t --rm \ + -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \ + -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \ + ${{ steps.kayobe_image.outputs.kayobe_image }} \ + /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-container-image-pull.sh + if [ "$?" = "0" ]; then + echo "Pulled container images on attempt $attempt" + exit 0 + fi + echo "Failed to pull container images on attempt $attempt" + done + echo "Failed to pull container imagers after $attempt attempts" + exit 1 + env: + KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }} + - name: Service deploy run: | docker run -t --rm \ diff --git a/.github/workflows/stackhpc-multinode-periodic.yml b/.github/workflows/stackhpc-multinode-periodic.yml index 8d71500fd7..9618881f63 100644 --- a/.github/workflows/stackhpc-multinode-periodic.yml +++ b/.github/workflows/stackhpc-multinode-periodic.yml @@ -7,6 +7,7 @@ name: Multinode periodic schedule: # Runs nightly at 2:42 AM. - cron: "42 2 * * *" + workflow_dispatch: jobs: generate-inputs: name: Generate inputs @@ -31,7 +32,10 @@ jobs: - name: Display generated inputs run: | - echo '${{ toJSON(steps.generate-inputs.outputs) }}' + echo '## generated inputs:' > "$GITHUB_STEP_SUMMARY" + echo '```' >> "$GITHUB_STEP_SUMMARY" + echo '${{ toJSON(steps.generate-inputs.outputs) }}' | tee -a "$GITHUB_STEP_SUMMARY" + echo '```' >> "$GITHUB_STEP_SUMMARY" multinode: name: Multinode periodic needs: 
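Review bot: The retry loop in the new `Pull container images` step is unlikely to ever reach a second attempt. GitHub runs `run:` scripts with `bash -e` by default, so a non-zero exit from `docker run` ends the step before `if [ "$?" = "0" ]` is evaluated (assuming no `shell:` override outside this hunk). Testing the command directly avoids this: `if docker run -t --rm … overcloud-container-image-pull.sh; then`, with the success branch unchanged. The final message also reads `imagers` for `images`, and `$(pwd)` in the `-v` argument is unquoted, so a workspace path containing spaces would split the mount argument.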
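Review bot: `${{ toJSON(steps.generate-inputs.outputs) }}` is still pasted into the script text inside single quotes in the rewritten `Display generated inputs` step, so a `'` in any output value closes the quoting and the rest is parsed as shell. How the outputs are produced is outside this hunk. Passing the value through the environment avoids the problem: add `env:` with `GENERATED_INPUTS: ${{ toJSON(steps.generate-inputs.outputs) }}` to the step and use `echo "$GENERATED_INPUTS" | tee -a "$GITHUB_STEP_SUMMARY"`. The same pattern is in the new `compute_ssh_keys` step of stackhpc-multinode.yml, where `inputs.ssh_key` is a free-text dispatch input expanded inside `[ -z "…" ]` and the `<<<"…"` here-string, and `github.actor` is expanded into the `gh api` path. Those should be read from `env:` variables as well.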
diff --git a/.github/workflows/stackhpc-multinode.yml b/.github/workflows/stackhpc-multinode.yml
index 4869df6feb..7b958450e6 100644
--- a/.github/workflows/stackhpc-multinode.yml
+++ b/.github/workflows/stackhpc-multinode.yml
@@ -46,17 +46,56 @@ name: Multinode description: How long to break execution for (minutes) (note that instances are cleaned up after 12h) type: number default: 60 + use_my_ssh_key: + description: authorise my github ssh keys on Ansible control host + default: 'false' + type: boolean ssh_key: - description: SSH public key to authorise on Ansible control host + description: SSH public key to authorise on Ansible control host (if different from github ssh keys) type: string terraform_kayobe_multinode_version: description: terraform-kayobe-multinode version type: string default: main + small_cluster: + description: Create cluster with only 1 controller, 1 compute + default: 'false' + type: boolean jobs: + github_user_ssh_keys: + name: Retrieve actor github ssh keys + runs-on: ubuntu-latest + # Map a step output to a job output, this allows other jobs to be gated on the filter results + outputs: + ssh_keys: ${{ steps.compute_ssh_keys.outputs.ssh_keys }} + steps: + - name: Retrieve github user ssh keys or use provided ones + id: compute_ssh_keys + run: | + # encode array using jq: https://jstrieb.github.io/posts/github-actions-multiline-outputs/ + if ${{ inputs.use_my_ssh_key }} && [ -z "${{ inputs.ssh_key }}" ]; then + echo "Fetching ssh keys for ${{ github.actor }}" + ssh_keys="$(gh api /users/${{ github.actor }}/keys --jq '[.[].key]' | jq --compact-output)" + if [ -z "${ssh_keys}" ]; then + echo "E: Unable to get '${{ github.actor }}' ssh keys (quotes added for clarity)" + exit 1 + fi + elif [ -n "${{ inputs.ssh_key }}" ]; then + # single string to JSON array + ssh_keys="$(jq --raw-input --compact-output '.|[.]' <<<"${{ inputs.ssh_key }}")" + else + ssh_keys='' + fi + echo "ssh_keys=${ssh_keys}" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ github.token }} + - name: Show ssh_keys + run: | + echo "${{ steps.compute_ssh_keys.outputs.ssh_keys }}" multinode: name: Multinode - uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.4.1 + needs: 
github_user_ssh_keys + uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@multi_ssh_keys with: multinode_name: ${{ inputs.multinode_name }} os_distribution: ${{ inputs.os_distribution }} @@ -67,9 +106,11 @@ jobs: break_on: ${{ inputs.break_on }} # Workaround loss of number type using fromJSON: https://github.com/orgs/community/discussions/67182 break_duration: ${{ fromJSON(inputs.break_duration) }} - ssh_key: ${{ inputs.ssh_key }} + ssh_keys: ${{ needs.github_user_ssh_keys.outputs.ssh_keys }} stackhpc_kayobe_config_version: ${{ github.ref_name }} # NOTE(upgrade): Reference the PREVIOUS and CURRENT releases here. stackhpc_kayobe_config_previous_version: ${{ inputs.upgrade == 'major' && 'stackhpc/2024.1' || 'stackhpc/2025.1' }} terraform_kayobe_multinode_version: ${{ inputs.terraform_kayobe_multinode_version }} + multinode_controller_count: ${{ inputs.small_cluster && 1 || 3 }} + multinode_compute_count: ${{ inputs.small_cluster && 1 || 3 }} secrets: inherit diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index ba9fca4e71..3332d376e0 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml 
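Review bot: The reusable workflow reference changes from the tag `1.4.1` to the branch `multi_ssh_keys`, and the job passes `secrets: inherit` (visible in the next hunk), so whatever that branch points at when the job runs receives every secret available to this workflow. A branch ref can move without any change in this repository. Once the upstream change is released, pin `uses:` to a tag or, better, a full commit SHA, e.g. `…/multinode.yml@<release-tag-or-commit-sha>`. Separately, a user with no registered keys makes `gh api … --jq '[.[].key]'` yield `[]`, which passes the `-z` check, so the "Unable to get … ssh keys" error path is not reached in that case.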
@@ -4,25 +4,25 @@ # where the key is the OS distro and the value is the tag to deploy. kolla_image_tags: openstack: - rocky-9: 2025.1-rocky-9-20250730T105631 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20250730T105631 iscsid: - rocky-9: 2025.1-rocky-9-20251013T135156 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20251013T135156 keystone: - rocky-9: 2025.1-rocky-9-20251031T094539 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20251031T094539 kolla_toolbox: - rocky-9: 2025.1-rocky-9-20250905T151507 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20250905T151507 magnum: - rocky-9: 2025.1-rocky-9-20251016T073648 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20251016T073648 ovn: - rocky-9: 2025.1-rocky-9-20250915T100822 + rocky-9: 2025.1-rocky-9-20251208T092405 prometheus_libvirt_exporter: - rocky-9: 2025.1-rocky-9-20250822T151934 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20250822T151934 rabbitmq: - rocky-9: 2025.1-rocky-9-20250905T151507 + rocky-9: 2025.1-rocky-9-20251208T092405 ubuntu-noble: 2025.1-ubuntu-noble-20250905T151507 diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 6892d9e999..5feb230722 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -23,6 +23,11 @@ kolla_source_version: "{{ stackhpc_kolla_source_version }}" # Path in which to generate kolla configuration. #kolla_build_config_path: +# View debug logs, like source downloads, during image build. +kolla_build_extra_config: | + [DEFAULT] + debug = True + ############################################################################### # Kolla-ansible installation. diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf index 6ff0aa287f..76f7eb3e29 100644 --- a/etc/kayobe/kolla/kolla-build.conf +++ b/etc/kayobe/kolla/kolla-build.conf 
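Review bot: `kolla_build_extra_config` now sets `debug = True` for every image build, with no condition and no note that it is temporary; the same commit turns on `DIB_DEBUG_TRACE` in stackhpc-overcloud-dib.yml. Debug and trace output tends to include full command lines and URLs, so if any source location or mirror URL carries credentials they would end up in CI logs, which is worth confirming before this becomes the default. If the setting is only needed while diagnosing the current build, say so in the comment, e.g. `# TEMPORARY: debug logging while diagnosing image builds; remove before release.`, or gate it behind a variable that defaults to off.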
@@ -16,7 +16,7 @@ build_args = {{ (kolla_build_args | default({})).items() | map('join', ':') | jo [openstack-base] type = git location = https://github.com/stackhpc/requirements -reference = stackhpc/{{ openstack_release }} +reference = bump-django-4.2 [etcd] version = 3.5.21 @@ -29,3 +29,8 @@ sha256 = amd64:1fd60b1fd59c239bed22719a5de402cb745d1f933540cb1ec196e2c03e6e8882, [magnum-conductor-plugin-helm] version = v3.18.2 sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,arm64:03181a494a0916b370a100a5b2536104963b095be53fb23d1e29b2afb1c7de8d + +# TODO: move to kolla_sources in kolla.yml once https://review.opendev.org/c/openstack/kayobe/+/970268 is available +[prometheus-cadvisor] +version = 0.54.1 +sha256 = amd64:21be8d2797433048474e676d37c215c28fb171509448ef9b1c4648a564e39595,arm64:21f7bac786f6c53a8091964b4d3ff2486a0c460e5a410000b59a9a565b4183a9 diff --git a/etc/kayobe/ofed.yml b/etc/kayobe/ofed.yml index 7867206f64..e95761ecbf 100644 --- a/etc/kayobe/ofed.yml +++ b/etc/kayobe/ofed.yml @@ -3,7 +3,10 @@ ############################################################################### # DOCA host version -stackhpc_pulp_doca_version: "{{ '2.9.3' if stackhpc_pulp_repo_rocky_9_minor_version == '6' else '2.9.1' }}" +stackhpc_pulp_doca_version_matrix: + "6": 2.9.3 + "7": 3.2.0 +stackhpc_pulp_doca_version: "{{ stackhpc_pulp_doca_version_matrix[stackhpc_pulp_repo_rocky_9_minor_version] | default('2.9.1') }}" ############################################################################### # Pulp configuration for DOCA OFED diff --git a/etc/kayobe/pulp-host-image-versions.yml b/etc/kayobe/pulp-host-image-versions.yml index 0a368bc9fb..911a61c921 100644 --- a/etc/kayobe/pulp-host-image-versions.yml +++ b/etc/kayobe/pulp-host-image-versions.yml 
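Review bot: `reference = bump-django-4.2` replaces the per-release `stackhpc/{{ openstack_release }}` with a single working-branch name, so the `[openstack-base]` requirements source is no longer tied to the release being built and follows whatever that branch holds at build time. If this is only needed until the Django bump merges, the line should go back to the templated reference (or a tag or commit) before this lands. If it must stay for now, mark it, e.g. `# TODO: revert to the per-release stackhpc/<release> reference once bump-django-4.2 is merged`. The other sources visible in this file carry a version and sha256, which makes an unpinned branch here stand out.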
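Review bot: The lookup `stackhpc_pulp_doca_version_matrix[stackhpc_pulp_repo_rocky_9_minor_version]` only matches when the minor version is a string, because the matrix keys are quoted. An override written as a bare `7` would miss, and `default('2.9.1')` would quietly select the oldest DOCA version. Coercing the key removes that trap: `stackhpc_pulp_doca_version_matrix[stackhpc_pulp_repo_rocky_9_minor_version | string] | default('2.9.1')`. Quoting the matrix values (`"2.9.3"`, `"3.2.0"`) would also keep them strings by construction rather than by parser behaviour.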
@@ -1,5 +1,5 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
-stackhpc_rocky_9_overcloud_host_image_version: "2025.1-20251027T102633"
+stackhpc_rocky_9_overcloud_host_image_version: "2025.1-20251209T112113"
 stackhpc_ubuntu_noble_overcloud_host_image_version: "2025.1-20250930T144255"
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
index a27b0bab1c..4a9e2f7c74 100644
--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -18,6 +18,7 @@ stackhpc_pulp_repo_doca_2_9_1_rhel9_5_version: 20241211T171301
 stackhpc_pulp_repo_doca_2_9_1_rhel9_5_modules_version: 20250115T150314
 stackhpc_pulp_repo_doca_2_9_3_rhel9_6_version: 20250703T135021
 stackhpc_pulp_repo_doca_2_9_3_rhel9_6_modules_version: 20250714T141841
+stackhpc_pulp_repo_doca_3_2_0_rhel9_version: 20251204T124815
 stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250616T155742
 stackhpc_pulp_repo_elrepo_9_version: 20250610T235426
 stackhpc_pulp_repo_elrepo_9_aarch64_version: 20250408T030629
@@ -76,6 +77,21 @@ stackhpc_pulp_repo_rocky_9_6_extras_version: 20250726T040613
 stackhpc_pulp_repo_rocky_9_6_extras_aarch64_version: 20250726T045704
 stackhpc_pulp_repo_rocky_9_6_highavailability_version: 20250605T150141
 stackhpc_pulp_repo_rocky_9_6_highavailability_aarch64_version: 20250605T150141
+stackhpc_pulp_repo_rocky_9_7_appstream_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_appstream_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_appstream_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_source_version: 20251203T103807
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250222T040303
 stackhpc_pulp_repo_rocky_9_sig_security_common_aarch64_version: 20250222T044743
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250620T063939
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 845b452c4c..21105c47cc 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -200,8 +200,8 @@ stackhpc_pulp_distribution_deb_production: >- # Whether to sync Rocky Linux 9 packages. stackhpc_pulp_sync_rocky_9: "{{ os_distribution == 'rocky' }}" -# Rocky 9 minor version number. Supported values: 6. Default is 6 -stackhpc_pulp_repo_rocky_9_minor_version: '6' +# Rocky 9 minor version number. Supported values: 7. Default is 7 +stackhpc_pulp_repo_rocky_9_minor_version: '7' # Rocky 9 Snapshot versions. The defaults use the appropriate version from # pulp-repo-versions.yml for the selected minor release. diff --git a/etc/kayobe/stackhpc-overcloud-dib.yml b/etc/kayobe/stackhpc-overcloud-dib.yml index 63c769fb3a..daeecbe7bc 100644 --- a/etc/kayobe/stackhpc-overcloud-dib.yml +++ b/etc/kayobe/stackhpc-overcloud-dib.yml @@ -56,11 +56,17 @@ stackhpc_overcloud_dib_env_vars_default: # Workaround for stack user home ownership bug DIB_IMAGE_CACHE: "/tmp/yum" +# DIB_ROCKY_CONTAINER_STACKHPC_RESTORE_UPSTREAM_REPOFILES=true is important for +# the multinode workflow, where we need to install packages (tmux) in cloudinit +# or deploy-openstack-config.yml: /etc/yum.repos.d is empty in the built image. stackhpc_overcloud_dib_env_vars_ark: DIB_CONTAINERFILE_BUILDOPTS: >- --build-arg=ROCKY_USE_CUSTOM_DNF_MIRRORS=true --build-arg=ROCKY_CUSTOM_DNF_MIRROR_URLS={{ [stackhpc_repo_rocky_9_baseos_url, stackhpc_repo_rocky_9_appstream_url] | join(',') }} + --build-arg=DIB_ROCKY_CONTAINER_STACKHPC_RESTORE_UPSTREAM_REPOFILES=true + --build-arg=DIB_DEBUG_TRACE=1 DIB_DISTRIBUTION_MIRROR: "{{ stackhpc_repo_ubuntu_noble_url if os_distribution == 'ubuntu' else '' }}" + DIB_DEBUG_TRACE: 1 # StackHPC overcloud DIB image packages. stackhpc_overcloud_dib_packages: diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml index 4759862058..a8c1f45f3a 100644 --- a/etc/kayobe/trivy/allowed-vulnerabilities.yml +++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml 
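Review bot: `--build-arg=DIB_ROCKY_CONTAINER_STACKHPC_RESTORE_UPSTREAM_REPOFILES=true` is added to `stackhpc_overcloud_dib_env_vars_ark`, so by the look of it every Ark-based host image gets the upstream repo files back, although the new comment motivates it only by the multinode workflow. Judging from the option name and the comment, hosts built from these images could then install packages from upstream mirrors instead of the pinned Pulp snapshots unless later configuration replaces the files. Please confirm that is intended outside CI, or make the option conditional on the CI environment. `DIB_DEBUG_TRACE` is also set twice, once as a build arg and once as `DIB_DEBUG_TRACE: 1`; the latter is a YAML integer in a map of environment values and is safer written as `DIB_DEBUG_TRACE: "1"`.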
@@ -20,7 +20,10 @@ influxdb_allowed_vulnerabilities: - CVE-2024-45337 magnum_conductor_allowed_vulnerabilities: - CVE-2024-45337 +opensearch_dashboards_allowed_vulnerabilities: + - CVE-2025-7783 prometheus_blackbox_exporter_allowed_vulnerabilities: + - CVE-2024-24790 - CVE-2024-45337 prometheus_memcached_exporter_allowed_vulnerabilities: - CVE-2024-45337 @@ -31,7 +34,10 @@ prometheus_elasticsearch_exporter_allowed_vulnerabilities: prometheus_node_exporter_allowed_vulnerabilities: - CVE-2024-45337 prometheus_openstack_exporter_allowed_vulnerabilities: + - CVE-2024-24790 - CVE-2024-45337 +prometheus_ovn_exporter_allowed_vulnerabilities: + - CVE-2024-24790 prometheus_libvirt_exporter_allowed_vulnerabilities: - CVE-2024-45337 prometheus_cadvisor_allowed_vulnerabilities: diff --git a/releasenotes/notes/rl9.7-c8d033f11097b76b.yaml b/releasenotes/notes/rl9.7-c8d033f11097b76b.yaml new file mode 100644 index 0000000000..4e48208896 --- /dev/null +++ b/releasenotes/notes/rl9.7-c8d033f11097b76b.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Added support for Rocky Linux 9.7, including host packages and a full + container image refresh. + XXXX PENDING CONTAINER BUILD +upgrade: + - | + 9.7 is now the default release for Rocky Linux.
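Review bot: The new allow-list entries are added without any record of why they are acceptable: `CVE-2025-7783` for opensearch_dashboards and `CVE-2024-24790` for the blackbox exporter in this hunk, and `CVE-2024-24790` for the openstack and OVN exporters in the next hunk. An allow-list entry hides the finding from every later scan, so each one should carry a short justification and a condition for removal, e.g. `# CVE-2024-24790: <why not exploitable in this image / upstream fix pending>; remove when <condition>`. Without that, nobody can tell later whether an entry is still needed once the images are rebuilt.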