
Commit 5d50675

authored
Merge branch 'main' into fix/packer-sentinel-file
2 parents c2b50c2 + a7fbdaf commit 5d50675


29 files changed

+731
-179
lines changed


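--- a/.github/workflows/fatimage.yml
+++ b/.github/workflows/fatimage.yml
@@ -1,70 +1,102 @@
-
 name: Build fat image
-'on':
+on:
 workflow_dispatch:
-concurrency:
-group: ${{ github.ref }}-{{ matrix.os_version }}-{{ matrix.build }} # to branch/PR + OS + build
-cancel-in-progress: true
+inputs:
+ci_cloud:
+description: 'Select the CI_CLOUD'
+required: true
+type: choice
+options:
+- LEAFCLOUD
+- SMS
+- ARCUS
+
 jobs:
 openstack:
 name: openstack-imagebuild
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os_version }}-${{ matrix.build }} # to branch/PR + OS + build
+cancel-in-progress: true
 runs-on: ubuntu-22.04
 strategy:
-matrix:
+fail-fast: false # allow other matrix jobs to continue even if one fails
+matrix: # build RL8+OFED, RL9+OFED, RL9+OFED+CUDA versions
 os_version:
 - RL8
 - RL9
 build:
 - openstack.openhpc
-- openstack.openhpc-ofed
+- openstack.openhpc-cuda
 exclude:
 - os_version: RL8
-build: openstack.openhpc-ofed
-- os_version: RL9
-build: openstack.openhpc
+build: openstack.openhpc-cuda
 env:
 ANSIBLE_FORCE_COLOR: True
 OS_CLOUD: openstack
-CI_CLOUD: ${{ vars.CI_CLOUD }}
+CI_CLOUD: ${{ github.event.inputs.ci_cloud }}
+SOURCE_IMAGES_MAP: |
+{
+"RL8": {
+"openstack.openhpc": "rocky-latest-RL8",
+"openstack.openhpc-cuda": "rocky-latest-cuda-RL8"
+},
+"RL9": {
+"openstack.openhpc": "rocky-latest-RL9",
+"openstack.openhpc-cuda": "rocky-latest-cuda-RL9"
+}
+}
+
 steps:
 - uses: actions/checkout@v2
 
+- name: Record settings for CI cloud
+run: |
+echo CI_CLOUD: ${{ env.CI_CLOUD }}
+
 - name: Setup ssh
 run: |
 set -x
 mkdir ~/.ssh
-echo "${{ secrets[format('{0}_SSH_KEY', vars.CI_CLOUD)] }}" > ~/.ssh/id_rsa
+echo "${{ secrets[format('{0}_SSH_KEY', env.CI_CLOUD)] }}" > ~/.ssh/id_rsa
 chmod 0600 ~/.ssh/id_rsa
 shell: bash
 
 - name: Add bastion's ssh key to known_hosts
 run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
 shell: bash
-
+
 - name: Install ansible etc
 run: dev/setup-env.sh
-
+
 - name: Write clouds.yaml
 run: |
 mkdir -p ~/.config/openstack/
-echo "${{ secrets[format('{0}_CLOUDS_YAML', vars.CI_CLOUD)] }}" > ~/.config/openstack/clouds.yaml
+echo "${{ secrets[format('{0}_CLOUDS_YAML', env.CI_CLOUD)] }}" > ~/.config/openstack/clouds.yaml
 shell: bash
 
 - name: Setup environment
 run: |
 . venv/bin/activate
 . environments/.stackhpc/activate
-
+
 - name: Build fat image with packer
 id: packer_build
 run: |
+set -x
 . venv/bin/activate
 . environments/.stackhpc/activate
 cd packer/
 packer init .
-PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -only=${{ matrix.build }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+
+PACKER_LOG=1 packer build \
+-on-error=${{ vars.PACKER_ON_ERROR }} \
+-only=${{ matrix.build }} \
+-var-file=$PKR_VAR_environment_root/${{ env.CI_CLOUD }}.pkrvars.hcl \
+-var "source_image_name=${{ env.SOURCE_IMAGE }}" \
+openstack.pkr.hcl
 env:
 PKR_VAR_os_version: ${{ matrix.os_version }}
+SOURCE_IMAGE: ${{ fromJSON(env.SOURCE_IMAGES_MAP)[matrix.os_version][matrix.build] }}
 
 - name: Get created image names from manifest
 id: manifest
@@ -75,51 +107,14 @@ jobs:
 sleep 5
 done
 IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
-echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
-echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
-
-- name: Download image
-run: |
-. venv/bin/activate
-openstack image save --file ${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
-
-- name: Set up QEMU
-uses: docker/setup-qemu-action@v3
-
-- name: install libguestfs
-run: |
-sudo apt -y update
-sudo apt -y install libguestfs-tools
-
-- name: mkdir for mount
-run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
-
-- name: mount qcow2 file
-run: sudo guestmount -a ${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
-
-- name: Run Trivy vulnerability scanner
-uses: aquasecurity/[email protected]
-with:
-scan-type: fs
-scan-ref: "./${{ steps.manifest.outputs.image-name }}"
-scanners: "vuln"
-format: sarif
-output: "${{ steps.manifest.outputs.image-name }}.sarif"
-# turn off secret scanning to speed things up
-
-- name: Upload Trivy scan results to GitHub Security tab
-uses: github/codeql-action/upload-sarif@v3
-with:
-sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
-category: "${{ matrix.os_version }}-${{ matrix.build }}"
+echo $IMAGE_ID > image-id.txt
+echo $IMAGE_NAME > image-name.txt
 
-- name: Fail if scan has CRITICAL vulnerabilities
-uses: aquasecurity/[email protected]
+- name: Upload manifest artifact
+uses: actions/upload-artifact@v4
 with:
-scan-type: fs
-scan-ref: "./${{ steps.manifest.outputs.image-name }}"
-scanners: "vuln"
-format: table
-exit-code: '1'
-severity: 'CRITICAL'
-ignore-unfixed: true
+name: image-details-${{ matrix.build }}-${{ matrix.os_version }}
+path: |
+./image-id.txt
+./image-name.txt
+overwrite: true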
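Review bot: The second hunk removes the Trivy scan, the SARIF upload and the fail-on-CRITICAL gate, and nothing on the new side replaces them, so the built image now leaves this workflow without any vulnerability check; if scanning has moved to another workflow that consumes the `image-details-*` artifact, the commit message should say so, otherwise the gate should come back before the artifact upload. The new `matrix:` comment `# build RL8+OFED, RL9+OFED, RL9+OFED+CUDA versions` is stale: the builds listed are `openstack.openhpc` and `openstack.openhpc-cuda` and the `-ofed` entries are removed in the same hunk, so `# build RL8, RL9 and RL9+CUDA versions` would describe the matrix. The newly added `uses: actions/upload-artifact@v4` is pinned by a mutable tag; pinning workflow steps to a full commit SHA, with the tag kept in a trailing comment, is the usual hardening against a compromised or re-tagged action. Both hunks sit inside the `openstack` job, whose body continues between them outside the diff.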
