diff --git a/.github/workflows/fatimage.yml b/.github/workflows/fatimage.yml
index e6727948b..31fcc789a 100644
--- a/.github/workflows/fatimage.yml
+++ b/.github/workflows/fatimage.yml
@@ -2,27 +2,26 @@ name: Build fat image
 'on':
   workflow_dispatch:
-    inputs:
-      use_RL8:
-        required: true
-        description: Include RL8 image build
-        type: boolean
-        default: false
 concurrency:
-  group: ${{ github.ref }}-{{ matrix.os_version }} # to branch/PR + OS
+  group: ${{ github.ref }}-{{ matrix.os_version }}-{{ matrix.build }} # to branch/PR + OS + build
   cancel-in-progress: true
 jobs:
   openstack:
     name: openstack-imagebuild
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        os_version: [RL8, RL9]
-        rl8_selected:
-          - ${{ inputs.use_RL8 == true }} # only potentially true for workflow_dispatch
+        os_version:
+          - RL8
+          - RL9
+        build:
+          - openstack.openhpc
+          - openstack.openhpc-ofed
         exclude:
           - os_version: RL8
-            rl8_selected: false
+            build: openstack.openhpc-ofed
+          - os_version: RL9
+            build: openstack.openhpc
     env:
       ANSIBLE_FORCE_COLOR: True
       OS_CLOUD: openstack
@@ -63,7 +62,7 @@ jobs:
           . environments/.stackhpc/activate
           cd packer/
           packer init .
-          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -except=openstack.openhpc-extra -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -only=${{ matrix.build }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
         env:
           PKR_VAR_os_version: ${{ matrix.os_version }}
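Review bot: In the new `concurrency.group` value, `{{ matrix.build }}` (like the pre-existing `{{ matrix.os_version }}`) sits outside `${{ }}`, so it is literal text rather than an expression, and the `matrix` context is not available to workflow-level `concurrency` in any case; every run on a ref therefore still lands in a single group and `cancel-in-progress: true` cancels the whole previous matrix, so the comment `# to branch/PR + OS + build` describes behaviour the line does not have. If cancellation per OS and build is the intent, move `concurrency` under the `openstack` job, where the matrix is in scope, and write it as `group: ${{ github.ref }}-${{ matrix.os_version }}-${{ matrix.build }}`. The `exclude` entries leave exactly RL8+openstack.openhpc and RL9+openstack.openhpc-ofed, which is consistent with the default image names in the terraform hunk below.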
@@ -71,11 +70,56 @@ jobs:
         id: manifest
         run: |
           . venv/bin/activate
-          for IMAGE_ID in $(jq --raw-output '.builds[].artifact_id' packer/packer-manifest.json)
-          do
-            while ! openstack image show -f value -c name $IMAGE_ID; do
-              sleep 5
-            done
-            IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
-            echo $IMAGE_NAME
+          IMAGE_ID=$(jq --raw-output '.builds[-1].artifact_id' packer/packer-manifest.json)
+          while ! openstack image show -f value -c name $IMAGE_ID; do
+            sleep 5
           done
+          IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
+          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Download image
+        run: |
+          . venv/bin/activate
+          openstack image save --file ${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: install libguestfs
+        run: |
+          sudo apt -y update
+          sudo apt -y install libguestfs-tools
+
+      - name: mkdir for mount
+        run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
+
+      - name: mount qcow2 file
+        run: sudo guestmount -a ${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.17.0
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: sarif
+          output: "${{ steps.manifest.outputs.image-name }}.sarif"
+          # turn off secret scanning to speed things up
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
+          category: "${{ matrix.os_version }}-${{ matrix.build }}"
+
+      - name: Fail if scan has CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@0.16.1
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: table
+          exit-code: '1'
+          severity: 'CRITICAL'
+          ignore-unfixed: true
diff --git a/environments/.stackhpc/hooks/post.yml b/environments/.stackhpc/hooks/post.yml
new file mode 100644
index 000000000..eceadcbd8
--- /dev/null
+++ b/environments/.stackhpc/hooks/post.yml
@@ -0,0 +1,14 @@
+- hosts: openondemand
+  become: yes
+  gather_facts: false
+  tasks:
+    - name: Delete ondemand files causing Trivy scan false-positives
+      # Raised at https://github.com/OSC/ondemand/security/advisories/GHSA-f7j8-ppqm-m5vw
+      # All declared not to be an issue by Open Ondemand as relevant packages not installed
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items:
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-2.7.0/test/dummy/Gemfile.lock
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-4.5.0/demo/yarn.lock
+        - /var/www/ood/apps/sys/dashboard/node_modules/data-confirm-modal/Gemfile.lock
\ No newline at end of file
diff --git a/environments/.stackhpc/terraform/main.tf b/environments/.stackhpc/terraform/main.tf
index f6168dcb7..ac588930c 100644
--- a/environments/.stackhpc/terraform/main.tf
+++ b/environments/.stackhpc/terraform/main.tf
@@ -29,9 +29,9 @@ variable "cluster_image" {
   description = "single image for all cluster nodes, keyed by os_version - a convenience for CI"
   type = map(string)
   default = {
-    # https://github.com/stackhpc/ansible-slurm-appliance/pull/411
-    RL8: "openhpc-RL8-240725-1710-325c7b47"
-    RL9: "openhpc-ofed-RL9-240725-1710-325c7b47"
+    # https://github.com/stackhpc/ansible-slurm-appliance/pull/413
+    RL8: "openhpc-RL8-240813-1317-1b370a36"
+    RL9: "openhpc-ofed-RL9-240813-1317-1b370a36"
   }
 }
diff --git a/environments/common/inventory/group_vars/all/grafana.yml b/environments/common/inventory/group_vars/all/grafana.yml
index 8222a3cca..90ef51c59 100644
--- a/environments/common/inventory/group_vars/all/grafana.yml
+++ b/environments/common/inventory/group_vars/all/grafana.yml
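Review bot: The two Trivy steps pin different action versions (`aquasecurity/trivy-action@0.17.0` for the SARIF scan, `@0.16.1` for the CRITICAL gate), and all four actions added here (`docker/setup-qemu-action@v3`, both Trivy steps, `github/codeql-action/upload-sarif@v3`) are pinned to mutable tags rather than commit SHAs; for steps that mount a freshly built image and write to the Security tab, pin each to a full SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.17.0`, and use the same version in both scans. The comment `# turn off secret scanning to speed things up` is placed after `output:` where it describes nothing; move it directly above `scanners: "vuln"`, the line that actually restricts the scan. The `Set up QEMU` step does not appear to be used by the guestmount or Trivy steps that follow it, so confirm it is needed or drop it. `upload-sarif` needs `security-events: write`; the workflow's `permissions` block is outside this hunk, so check that it grants it.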
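Review bot: The three paths in `with_items` hard-code the Open OnDemand package layout (`ondemand/3.1.7-1`, `bootstrap_form-2.7.0`, `bootstrap_form-4.5.0`), and `state: absent` succeeds silently when a path does not exist, so after an OnDemand upgrade this suppression stops working without any signal and the CRITICAL gate in the workflow starts failing on the same files again. Consider locating the files with `ansible.builtin.find` under `/opt/ood/ondemand/root/usr/share/gems` and `/var/www/ood/apps/sys/dashboard/node_modules`, or recording the accepted findings from the linked advisory in a `.trivyignore` so the exception stays auditable next to the scan rather than existing only as deleted files. Style: `become: yes` should be `become: true`, and `with_items` is the legacy form of `loop`. The file also lacks a leading `---` and a trailing newline.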
@@ -2,7 +2,7 @@
 # See: https://github.com/cloudalchemy/ansible-grafana
 # for variable definitions.
-grafana_version: '9.0.3'
+grafana_version: '9.5.21'
 # need to copy some role defaults here so we can use in inventory:
 grafana_port: 3000