Synchronise 2025.1 with upstream #858
Merged
Alex-Welsh merged 17 commits into stackhpc/2025.1 from Mar 30, 2026
Currently, we add the AUDIT_WRITE capability for all unprivileged podman containers. This causes a diff because the cap is popped from params before comparing with the running container's actual values. This patch fixes it by overriding compare_cap_add() to normalize capability formats and account for auto-added AUDIT_WRITE, while working around a bug in older Podman versions where AUDIT_WRITE doesn't appear in the inspect API response. Closes-bug: #2133434 Change-Id: I61fc50654fb06e041776fd394f6b1cab2f9903ba Signed-off-by: Bertrand Lanson <bertrand.lanson@protonmail.com> (cherry picked from commit c7472c0)
Podman containers are created with default ulimits for RLIMIT_NOFILE and RLIMIT_NPROC that are breaking idempotence for kolla_container in check_container mode. We forbid users from setting them, so we should also ignore them when checking dimensions to make the module idempotent. Closes-bug: #2131038 Change-Id: If71589a666c4a3a8003a3419518fd7e4182c5e2b Signed-off-by: Bertrand Lanson <bertrand.lanson@protonmail.com> (cherry picked from commit f92973d)
Due to podman returning all mount option flags in Binds list, the compare_volumes function could not be idempotent because some flags would be skipped every time, or analyzed when they shouldn't. This new version fixes it by filtering out all default flags from podman for both the requested and current volumes, making comparison accurate. It also takes into account special privileged paths that have the noexec flag added. Closes-bug: #2131039 Change-Id: I173bcb2b1f8c5b81f8395924dfccf73b060100b9 Signed-off-by: Bertrand Lanson <bertrand.lanson@protonmail.com> (cherry picked from commit df5d6dd)
Ensure each relay pre-creates its own log file, fixing fluentd permission denied errors on ovn-sb-relay-<id>.log. Closes-Bug: #2141909 Change-Id: Icd7bbda54c0112d1aafe636df0e4219ab06d914b Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com> (cherry picked from commit 142584d)
Compare ovn_sb_db_relay_<id> containers, not base ovn_sb_db_relay. Fix relay config ownership mismatch (root vs openvswitch). Co-Authored-By: Bertrand Lanson <bertrand.lanson@infomaniak.com> Co-Authored-By: Doug Szumski <doug@stackhpc.com> Closes-Bug: #2141573 Change-Id: I85420a7b2213d9a72ae3b2ef5de75bbaef04308c Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com> (cherry picked from commit be29193)
When the upstream endpoint uses HTTPS, TLS errors were observed. This fix checks if the upstream endpoint is HTTPS and ensures TLSv1.2 and TLSv1.3 are enabled in the nginx configuration. References: * https://review.opendev.org/c/openstack/skyline-apiserver/+/941715 Closes-Bug: #2091935 Related-Bug: #1951437 Change-Id: I597c8f1f609580cfc8c29efbc79ada312e667441 Signed-off-by: fprzewozn <przewozny.franciszek@gmail.com> (cherry picked from commit edfe281)
Fix a scheduling issue in the multinode and all-in-one inventory files that would cause cyborg api and conductor service to also be scheduled on compute nodes rather than exclusively staying on the control plane. Closes-Bug: #2087552 Change-Id: I69d9a44db037fce42cb5a25b5688313eece15484 (cherry picked from commit 568e186) Signed-off-by: Pierre Riteau <pierre@stackhpc.com>
cAdvisor was listening on all interfaces, which would potentially expose information about running containers on public networks. Change the cAdvisor startup invocation to bind only to the internal API interface. Closes-Bug: #2144659 Change-Id: Ica0d5e727467988fab3d4eb532caa7226556e714 Signed-off-by: Stig Telfer <stig@stackhpc.com> (cherry picked from commit 735f126)
The previous code used `run_once`, `delegate_to`, and `loop`, so one host ran `kolla_container_facts` and `libvirtd --version` for every compute host in sequence. This is slow on large deployments. Run these checks on the compute hosts directly so Ansible can use normal per-host concurrency. Set `any_errors_fatal: true` on the libvirt version-check tasks so a failure on one host fails the play. Closes-bug: #2144664 Change-Id: Ic9564c84c0a6c1cef1f77ed115d860f819eec67b Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com> (cherry picked from commit cd7e865)
…dpoints" into stable/2025.1
Adds a check similar to the handlers that will stop iterated services correctly. This is necessary in the case of ovn sb db relay, where the container name is ovn_sb_db_relay_1 vs ovn_sb_db_relay. Without this, any stop action will fail. Closes-Bug: 2125630 Change-Id: Ide1bba57998f1298400239a3df6a12db7c674192 Signed-off-by: Jay Jahns <jayjahns@gmail.com> Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com> (cherry picked from commit 3e444dd)
Alex-Welsh
approved these changes
Mar 30, 2026
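The AUDIT_WRITE commit message above describes a capability comparison that normalizes formats and tolerates the auto-added capability. The sketch below is an added illustration of that idea, not kolla-ansible's `compare_cap_add()`; the function names, the `privileged` parameter and the sample capability lists are assumptions.

```python
# Added illustration; not the project's compare_cap_add() implementation.
# Per the commit message, AUDIT_WRITE is added for unprivileged podman containers.
AUTO_ADDED = {"AUDIT_WRITE"}


def normalize_caps(caps):
    """Map 'CAP_NET_ADMIN', 'net_admin' and ' NET_ADMIN ' to 'NET_ADMIN'."""
    out = set()
    for cap in caps or []:
        name = cap.strip().upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name:
            out.add(name)
    return out


def cap_add_differs(requested, running, privileged=False):
    """Return (differs, missing, unexpected) for a container's added capabilities.

    requested: capabilities from the container definition (hypothetical input).
    running:   capabilities reported by inspect for the running container.
    """
    want = normalize_caps(requested)
    have = normalize_caps(running)
    tolerated = set()
    if not privileged:
        # The auto-added capability is part of the expected set ...
        want |= AUTO_ADDED
        # ... but older Podman may omit it from inspect output, so its
        # absence alone is not treated as drift.
        tolerated = AUTO_ADDED
    missing = sorted(want - have - tolerated)
    # Anything running that was never requested is always reported:
    # the tolerance covers one named capability, not extra privileges.
    unexpected = sorted(have - want)
    return bool(missing or unexpected), missing, unexpected
```

The tolerance is deliberately narrow: an extra capability such as SYS_ADMIN on the running container still counts as a difference, so the idempotence fix does not hide privilege drift.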
This PR contains a snapshot of 2025.1 from upstream stable/2025.1.
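For the cAdvisor change listed above (bind only to the internal API interface), a post-deployment check can confirm the listener is no longer on a wildcard address. This is an added example, not code from the PR; the `ss -H -ltnp` sample output, the port, the PIDs and the internal address are constructed.

```python
import re

# Local-address values that mean "all interfaces" in ss output.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -H -ltnp` output; every value here is invented.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:18080 0.0.0.0:* users:(("cadvisor",pid=2211,fd=8))
LISTEN 0 4096 10.0.0.11:9100 0.0.0.0:* users:(("node_exporter",pid=1990,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))
"""


def listeners(ss_output):
    """Parse listening TCP sockets into dicts of addr, port, proc, wildcard."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or unrelated output
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'users:\(\("([^"]+)"', line)
        found.append({
            "addr": addr,
            "port": int(port),
            "proc": proc.group(1) if proc else None,
            "wildcard": addr in WILDCARDS,
        })
    return found


def exposed(ss_output, proc_name, internal_addr):
    """Return listeners of proc_name bound anywhere other than internal_addr."""
    return [
        entry for entry in listeners(ss_output)
        if entry["proc"] == proc_name and entry["addr"] != internal_addr
    ]


if __name__ == "__main__":
    for entry in exposed(SAMPLE_SS, "cadvisor", "10.0.0.11"):
        print("cadvisor listening on", entry["addr"], "port", entry["port"])
```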