Merge branch 'stackhpc/yoga' into yoga-upstream-merge

Author: markgoddard

.github/workflows/stackhpc-container-image-build.yml

@@ -38,6 +38,12 @@ on:
         type: boolean
         required: false
         default: true
+      push-dirty:
+        description: Push scanned images that have vulnerabilities?
+        type: boolean
+        required: false
+        # NOTE(Alex-Welsh): This default should be flipped once we resolve existing failures
+        default: true
 
 env:
   ANSIBLE_FORCE_COLOR: True
@@ -109,7 +115,15 @@ jobs:
       - name: Install package dependencies
         run: |
           sudo apt update
-          sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv
+          sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv curl jq wget
+
+      - name: Install gh
+        run: |
+          sudo mkdir -p -m 755 /etc/apt/keyrings && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+          sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+          sudo apt update
+          sudo apt install gh -y
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -127,6 +141,10 @@ jobs:
         run: |
           docker ps
 
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
+
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&
@@ -162,65 +180,124 @@ jobs:
         env:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 
-      - name: Build and push kolla overcloud images
+      - name: Create build logs output directory
+        run: mkdir image-build-logs 
+
+      - name: Build kolla overcloud images
+        id: build_overcloud_images
+        continue-on-error: true
         run: |
-          args="${{ github.event.inputs.regexes }}"
+          args="${{ inputs.regexes }}"
           args="$args -e kolla_base_distro=${{ matrix.distro }}"
           args="$args -e kolla_tag=${{ needs.generate-tag.outputs.kolla_tag }}"
           args="$args -e stackhpc_repo_mirror_auth_proxy_enabled=true"
-          if ${{ inputs.push }} == 'true'; then
-            args="$args --push"
-          fi
           source venvs/kayobe/bin/activate &&
           source src/kayobe-config/kayobe-env --environment ci-builder &&
           kayobe overcloud container image build $args
         env:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
-        if: github.event.inputs.overcloud == 'true'
+        if: inputs.overcloud
+
+      - name: Copy overcloud container image build logs to output directory
+        run: sudo mv /var/log/kolla-build.log image-build-logs/kolla-build-overcloud.log
+        if: inputs.overcloud
 
-      - name: Build and push kolla seed images
+      - name: Build kolla seed images
+        id: build_seed_images
+        continue-on-error: true
         run: |
           args="-e kolla_base_distro=${{ matrix.distro }}"
           args="$args -e kolla_tag=${{ needs.generate-tag.outputs.kolla_tag }}"
           args="$args -e stackhpc_repo_mirror_auth_proxy_enabled=true"
-          if ${{ inputs.push }} == 'true'; then
-            args="$args --push"
-          fi
           source venvs/kayobe/bin/activate &&
           source src/kayobe-config/kayobe-env --environment ci-builder &&
           kayobe seed container image build $args
         env:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
-        if: github.event.inputs.seed == 'true'
+        if: inputs.seed
+
+      - name: Copy seed container image build logs to output directory
+        run: sudo mv /var/log/kolla-build.log image-build-logs/kolla-build-seed.log
+        if: inputs.seed
 
       - name: Get built container images
-        run: |
-          docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/${{ matrix.distro }}-*:${{ needs.generate-tag.outputs.kolla_tag }}" > ${{ matrix.distro }}-container-images
+        run: docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/${{ matrix.distro }}-*:${{ needs.generate-tag.outputs.kolla_tag }}" > ${{ matrix.distro }}-container-images
 
       - name: Fail if no images have been built
         run: if [ $(wc -l < ${{ matrix.distro }}-container-images) -le 1 ]; then exit 1; fi
 
-      - name: Upload container images artifact
+      - name: Scan built container images
+        run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro }} ${{ needs.generate-tag.outputs.kolla_tag }}
+
+      - name: Move image scan logs to output artifact
+        run: mv image-scan-output image-build-logs/image-scan-output
+
+      - name: Fail if no images have passed scanning
+        run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi
+        if: ${{ !inputs.push-dirty }}
+
+      - name: Copy clean images to push-attempt-images list
+        run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
+        if: inputs.push
+
+      - name: Append dirty images to push list
+        run: |
+          cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt
+        if: ${{ inputs.push && inputs.push-dirty }}
+
+      - name: Push images
+        run: |
+          touch image-build-logs/push-failed-images.txt
+          source venvs/kayobe/bin/activate &&
+          source src/kayobe-config/kayobe-env --environment ci-builder &&
+          kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/docker-registry-login.yml &&
+
+          while read -r image; do
+            # Retries!
+            for i in {1..5}; do 
+              if docker push $image; then
+                echo "Pushed $image"
+                break
+              elif $i == 5; then
+                echo "Failed to push $image"
+                echo $image >> image-build-logs/push-failed-images.txt
+              else
+                echo "Failed on retry $i"
+                sleep 5
+              fi;
+            done
+          done < image-build-logs/push-attempt-images.txt
+        shell: bash
+        env:
+          KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
+        if: inputs.push
+
+      - name: Upload output artifact
         uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.distro }} container images
-          path: ${{ matrix.distro }}-container-images
+          name: ${{ matrix.distro }}-logs
+          path: image-build-logs
           retention-days: 7
+        if: ${{ !cancelled() }}
+
+      - name: Fail when images failed to build
+        run: echo "An image build failed. Check the workflow artifact for build logs" && exit 1
+        if: ${{ steps.build_overcloud_images.outcome == 'failure' || steps.build_seed_images.outcome == 'failure' }}
+
+      - name: Fail when images failed to push
+        run: if [ $(wc -l < image-build-logs/push-failed-images.txt) -gt 0 ]; then cat image-build-logs/push-failed-images.txt && exit 1; fi
+        if: ${{ !cancelled() }}
+
+      - name: Fail when images failed scanning
+        run: if [ $(wc -l < image-build-logs/dirty-images.txt) -gt 0 ]; then cat image-build-logs/dirty-images.txt && exit 1; fi
+        if: ${{ !inputs.push-dirty && !cancelled() }}
 
-  sync-container-repositories:
-    name: Trigger container image repository sync
-    needs:
-      - container-image-build
-    if: github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push
-    runs-on: ubuntu-latest
-    permissions: {}
-    steps:
       # NOTE(mgoddard): Trigger another CI workflow in the
       # stackhpc-release-train repository.
       - name: Trigger container image repository sync
         run: |
           filter='${{ inputs.regexes }}'
-          if [[ -n $filter ]] && [[ ${{ github.event.inputs.seed }} == 'true' ]]; then
+          if [[ -n $filter ]] && [[ ${{ inputs.seed }} == 'true' ]]; then
             filter="$filter bifrost"
           fi
           gh workflow run \
@@ -231,7 +308,9 @@ jobs:
           -f sync-new-images=false
         env:
           GITHUB_TOKEN: ${{ secrets.STACKHPC_RELEASE_TRAIN_TOKEN }}
+        if: ${{ github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push && !cancelled() }}
 
       - name: Display link to container image repository sync workflows
         run: |
           echo "::notice Container image repository sync workflows: https://github.com/stackhpc/stackhpc-release-train/actions/workflows/container-sync.yml"
+        if: ${{ github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push && !cancelled() }}

doc/source/operations/tempest.rst

@@ -277,7 +277,10 @@ command from the base of the ``kayobe-config`` directory:
 
 .. code-block:: bash
 
-    sudo -E docker run --detach -it --rm --network host -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config -v $(pwd)/tempest-artifacts:/stack/tempest-artifacts -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY kayobe:latest /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack
+    sudo -E docker run --name kayobe-automation --detach -it --rm --network host \
+    -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config -v $(pwd)/tempest-artifacts:/stack/tempest-artifacts \
+    -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY kayobe:latest \
+    /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack
 
 By default, ``no_log`` is set to stop credentials from leaking. This can be
 disabled by adding ``-e rally_no_sensitive_log=false`` to the end.

etc/kayobe/ansible/docker-registry-login.yml

@@ -0,0 +1,11 @@
+---
+- name: Login to docker registry
+  gather_facts: false
+  hosts: container-image-builders
+  tasks:
+    - name: Login to docker registry
+      docker_login:
+        registry_url: "{{ kolla_docker_registry or omit }}"
+        username: "{{ kolla_docker_registry_username }}"
+        password: "{{ kolla_docker_registry_password }}"
+        reauthorize: yes

etc/kayobe/containers/pulp/post.yml

@@ -27,3 +27,10 @@
   when:
     - stackhpc_pulp_sync_for_local_container_build | bool
     - pulp_settings.changed
+
+- name: Login to docker registry
+  docker_login:
+    registry_url: "{{ kolla_docker_registry or omit }}"
+    username: "{{ kolla_docker_registry_username }}"
+    password: "{{ kolla_docker_registry_password }}"
+    reauthorize: yes

etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh

@@ -87,7 +87,7 @@ kayobe seed vm provision
 kayobe seed host configure
 
 # Deploy local pulp server as a container on the seed VM
-kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none -e deploy_containers_registry_attempt_login=False
+kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none
 
 # Deploying the seed restarts networking interface, run configure-local-networking.sh again to re-add routes.
 $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/configure-local-networking.sh

etc/kayobe/environments/aufn-ceph/tenks.yml

@@ -87,3 +87,9 @@ bridge_type: linuxbridge
 
 # No placement service.
 wait_for_placement: false
+
+# NOTE(priteau): Disable libvirt_vm_trust_guest_rx_filters, which when enabled
+# triggers the following errors when booting baremetal instances with Tenks on
+# Libvirt 9: Cannot set interface flags on 'macvtap1': Value too large for
+# defined data type
+libvirt_vm_trust_guest_rx_filters: false

etc/kayobe/kolla/config/grafana/dashboards/ceph/ceph_overview.json

@@ -1924,23 +1924,25 @@
         }
       ],
       "spaceLength": 10,
-      "stack": true,
+      "stack": false,
       "steppedLine": false,
       "targets": [
         {
-          "expr": "ceph_cluster_total_objects",
+          "datasource": {
+            "uid": "$datasource"
+          },
+          "expr": "ceph_pool_objects * on(pool_id) group_left(instance,name) ceph_pool_metadata",
           "format": "time_series",
           "interval": "$interval",
           "intervalFactor": 1,
-          "legendFormat": "Total",
+          "legendFormat": "{{name}}",
+          "range": true,
           "refId": "A",
           "step": 300
         }
       ],
       "thresholds": [],
-      "timeFrom": null,
       "timeRegions": [],
-      "timeShift": null,
       "title": "Objects in the Cluster",
       "tooltip": {
         "msResolution": false,

etc/kayobe/seed.yml

@@ -154,7 +154,7 @@ seed_extra_containers: {}
 
 # Whether to attempt a basic authentication login to a registry when
 # deploying seed containers
-#seed_deploy_containers_registry_attempt_login:
+seed_deploy_containers_registry_attempt_login: "{{ not seed_pulp_container_enabled | bool }}"
 
 ###############################################################################
 # Seed node firewalld configuration.

releasenotes/notes/container-image-scanning-e5adf2c6b540b502.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Kolla container images created using the
+    ``stackhpc-container-image-build.yml`` workflow are now automatically
+    scanned for vulnerablilities.

requirements.txt

@@ -1,4 +1,4 @@
 kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/yoga
 ansible-modules-hashivault@git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc;python_version < "3.8"
-ansible-modules-hashivault@git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc-py39;python_version >= "3.8"
+ansible-modules-hashivault>=5.2.1;python_version >= "3.8"
 jmespath