From bf6d5b1f0391f739bcaea4317d951f935161d6bf Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 12:15:17 +0100 Subject: [PATCH 01/22] docs: Fix extlinks for updated sphinx The slug parameter is now required in the link f-string. --- doc/source/conf.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/source/conf.py b/doc/source/conf.py index b29d06071..238011fc9 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -122,10 +122,10 @@ } extlinks = { - f"{project}-doc": (f"https://docs.openstack.org/{project}/{current_series}/", "%s documentation") + f"{project}-doc": (f"https://docs.openstack.org/{project}/{current_series}/%s", "%s documentation") for project in extlinks_projects } -extlinks["skc-doc"] = (f"https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-{current_series}/", "%s documentation") -extlinks["kayobe-renos"] = (f"https://docs.openstack.org/releasenotes/kayobe/{current_series}.html", "%s release notes") -extlinks["kolla-ansible-renos"] = (f"https://docs.openstack.org/releasenotes/kolla-ansible/{current_series}.html", "%s release notes") -extlinks["ceph-doc"] = (f"https://docs.ceph.com/en/{ceph_series}/", "%s documentation") +extlinks["skc-doc"] = (f"https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-{current_series}/%s", "%s documentation") +extlinks["kayobe-renos"] = (f"https://docs.openstack.org/releasenotes/kayobe/{current_series}.html%s", "%s release notes") +extlinks["kolla-ansible-renos"] = (f"https://docs.openstack.org/releasenotes/kolla-ansible/{current_series}.html%s", "%s release notes") +extlinks["ceph-doc"] = (f"https://docs.ceph.com/en/{ceph_series}/%s", "%s documentation") From 27d5c6047e4c469782ed99f2eb5ee66f3fdacc70 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 8 Aug 2024 11:22:07 +0100 Subject: [PATCH 02/22] Caracal: Update Nova and Cinder microversions in Tempest config --- .automation.conf/tempest/tempest-ci-multinode.overrides.conf | 4 ++-- doc/source/operations/tempest.rst | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.automation.conf/tempest/tempest-ci-multinode.overrides.conf b/.automation.conf/tempest/tempest-ci-multinode.overrides.conf index 663b384df..36b6db753 100644 --- a/.automation.conf/tempest/tempest-ci-multinode.overrides.conf +++ b/.automation.conf/tempest/tempest-ci-multinode.overrides.conf @@ -10,7 +10,7 @@ v3_endpoint_type = publicURL [compute] min_compute_nodes = 2 min_microversion = 2.1 -max_microversion = 2.95 +max_microversion = 2.96 [service-clients] http_timeout = 600 @@ -26,7 +26,7 @@ console_output = true storage_protocol = ceph build_timeout = 600 min_microversion = 3.0 -max_microversion = 3.70 +max_microversion = 3.71 [image] build_timeout = 600 diff --git a/doc/source/operations/tempest.rst b/doc/source/operations/tempest.rst index 101dae0dc..922f309d3 100644 --- a/doc/source/operations/tempest.rst +++ b/doc/source/operations/tempest.rst @@ -176,7 +176,7 @@ you understand all the options before applying them. min_compute_nodes = 2 # Required to test some API features min_microversion = 2.1 - max_microversion = 2.95 + max_microversion = 2.96 # Flavors for creating test servers and server resize. The ``alt`` flavor should be larger. flavor_ref = flavor_ref_alt = @@ -197,7 +197,7 @@ you understand all the options before applying them. storage_protocol = ceph # Required to test some API features min_microversion = 3.0 - max_microversion = 3.70 + max_microversion = 3.71 Tempest configuration override files are stored in ``.automation.conf/tempest/``. The default file used is From d9b63952ed3bf1564f09234be12a2eef91d8f9aa Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 8 Aug 2024 11:55:07 +0100 Subject: [PATCH 03/22] Remove the swap.yml custom playbbok Rely on Kayobe swap support instead. --- doc/source/configuration/index.rst | 1 - doc/source/configuration/swap.rst | 28 ------------- etc/kayobe/ansible/swap.yml | 41 ------------------- ...remove-swap-playbook-f62a41945e29816d.yaml | 7 ++++ 4 files changed, 7 insertions(+), 70 deletions(-) delete mode 100644 doc/source/configuration/swap.rst delete mode 100644 etc/kayobe/ansible/swap.yml create mode 100644 releasenotes/notes/remove-swap-playbook-f62a41945e29816d.yaml diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst index f8be7891a..d2dd4ccc6 100644 --- a/doc/source/configuration/index.rst +++ b/doc/source/configuration/index.rst @@ -12,7 +12,6 @@ the various features provided. release-train host-images lvm - swap cephadm monitoring wazuh diff --git a/doc/source/configuration/swap.rst b/doc/source/configuration/swap.rst deleted file mode 100644 index 58545e906..000000000 --- a/doc/source/configuration/swap.rst +++ /dev/null 
@@ -1,28 +0,0 @@ -==== -Swap -==== - -Support for :kayobe-doc:`managing swap files and devices -` was added to Kayobe in the Zed -release. The custom playbook described below is retained for backwards -compatibility but may be removed in a future release. - -StackHPC Kayobe configuration provides a ``swap.yml`` custom playbook that may -be used to configure a swap device. - -The following variables may be used to configure the playbook: - -``swap_group`` - Host pattern against which to target the playbook. Default is ``overcloud``. -``swap_device`` - Name of the swap device to configure. Default is ``/dev/rootvg/lv_swap`` to - match the standard :ref:`host image configuration `. - -This playbook may be used as a host configure post hook, e.g. for overcloud -hosts: - -.. code-block:: console - - mkdir -p ${KAYOBE_CONFIG_PATH}/hooks/overcloud-host-configure/post.d - cd ${KAYOBE_CONFIG_PATH}/hooks/overcloud-host-configure/post.d - ln -s ../../../ansible/swap.yml 10-swap.yml diff --git a/etc/kayobe/ansible/swap.yml b/etc/kayobe/ansible/swap.yml deleted file mode 100644 index dd08edac6..000000000 --- a/etc/kayobe/ansible/swap.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# NOTE: Kayobe provides support for managing swap devices and files since the -# Zed release. This playbook is retained for backwards compatibility but will -# be removed in a future release. - -# Custom playbook to configure a swap device. This may be used as a -# post-overcloud host configure hook. -# -# Variables: -# * swap_group: Host pattern against which to target the playbook. Default is -# 'overcloud'. -# * swap_device: Name of the swap device to configure. Default is -# '/dev/rootvg/lv_swap'. To use a different value, set an extra -# var (e.g. in $KAYOBE_CONFIG_PATH/swap.yml) because play vars -# take precedence over any inventory variable. - -- name: Configure swap - hosts: "{{ swap_group | default('overcloud') }}" - tags: - - swap - vars: - swap_device: "/dev/rootvg/lv_swap" - become: true - tasks: - - name: Ensure swap filesystem is present - filesystem: - fstype: "swap" - dev: "{{ swap_device }}" - - - name: Ensure swap device present in fstab - mount: - name: "none" - src: "{{ swap_device }}" - fstype: "swap" - state: "present" - - # It does no harm to run this when swap is already active - - name: Enable swap devices - command: "/sbin/swapon -a" - when: - - ansible_facts.swaptotal_mb == 0 diff --git a/releasenotes/notes/remove-swap-playbook-f62a41945e29816d.yaml b/releasenotes/notes/remove-swap-playbook-f62a41945e29816d.yaml new file mode 100644 index 000000000..0e7173b68 --- /dev/null +++ b/releasenotes/notes/remove-swap-playbook-f62a41945e29816d.yaml @@ -0,0 +1,7 @@ +--- +upgrade: + - | + The ``swap.yml`` custom playbook has been removed in favour of Kayobe's + support for configuring swap. See the `Kayobe documentation + `__ + for details. From e170e7ad68d3d61e22de6c9f010ca4a0b65a98a2 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 8 Aug 2024 11:27:30 +0100 Subject: [PATCH 04/22] Stop cloning Kayobe git repo, install it using requirements.txt Switching to this method ensures we use the correct version of Kayobe, and pull in any other dependencies specified in that file. --- .github/workflows/overcloud-host-image-build.yml | 9 +-------- .github/workflows/overcloud-host-image-promote.yml | 9 +-------- .github/workflows/overcloud-host-image-upload.yml | 9 +-------- .github/workflows/stackhpc-container-image-build.yml | 9 +-------- doc/source/contributor/environments/ci-aio.rst | 3 +-- doc/source/contributor/environments/ci-builder.rst | 3 +-- etc/kayobe/environments/ci-aio/automated-setup.sh | 2 +- 7 files changed, 7 insertions(+), 37 deletions(-) diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml index adeb7ffe7..e51b33f33 100644 --- a/.github/workflows/overcloud-host-image-build.yml +++ b/.github/workflows/overcloud-host-image-build.yml @@ -67,13 +67,6 @@ jobs: run: | echo "${{ steps.host_image_tag.outputs.host_image_tag }}" - - name: Clone StackHPC Kayobe repository - uses: actions/checkout@v4 - with: - repository: stackhpc/kayobe - ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }} - path: src/kayobe - - name: Install Kayobe run: | mkdir -p venvs && @@ -81,7 +74,7 @@ jobs: python3 -m venv kayobe && source kayobe/bin/activate && pip install -U pip && - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt - name: Install terraform uses: hashicorp/setup-terraform@v2 diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml index a8a64f60f..a83bc3a3f 100644 --- a/.github/workflows/overcloud-host-image-promote.yml +++ b/.github/workflows/overcloud-host-image-promote.yml 
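Review bot: The new last line of the `Install Kayobe` step, `pip install ../src/kayobe-config/requirements.txt`, passes the requirements file to pip as if it were a package, so pip will try to install the path itself and the step should fail instead of installing Kayobe. It needs the `-r` flag: `pip install -r ../src/kayobe-config/requirements.txt`. The same line is added in overcloud-host-image-promote.yml, overcloud-host-image-upload.yml, stackhpc-container-image-build.yml, ci-aio.rst, ci-builder.rst and automated-setup.sh. Because the installed Kayobe version is now whatever that file resolves to, it is worth confirming (the file is not shown here) that it pins Kayobe to a tag or commit and not to a moving branch. The step begins before this hunk.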
@@ -34,13 +34,6 @@ jobs: echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT working-directory: src/kayobe-config - - name: Clone StackHPC Kayobe repository - uses: actions/checkout@v4 - with: - repository: stackhpc/kayobe - ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }} - path: src/kayobe - - name: Setup networking run: | if ! ip l show breth1 >/dev/null 2>&1; then @@ -63,7 +56,7 @@ jobs: python3 -m venv kayobe && source kayobe/bin/activate && pip install -U pip && - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt - name: Bootstrap the control host run: | diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml index b08f57381..055e53c7f 100644 --- a/.github/workflows/overcloud-host-image-upload.yml +++ b/.github/workflows/overcloud-host-image-upload.yml @@ -49,13 +49,6 @@ jobs: BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' src/kayobe-config/.gitreview) echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT - - name: Clone StackHPC Kayobe repository - uses: actions/checkout@v4 - with: - repository: stackhpc/kayobe - ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }} - path: src/kayobe - - name: Install Kayobe run: | mkdir -p venvs && @@ -63,7 +56,7 @@ jobs: python3 -m venv kayobe && source kayobe/bin/activate && pip install -U pip && - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt - name: Bootstrap the control host run: | diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index 6721ebab4..7f301962a 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml 
@@ -120,13 +120,6 @@ jobs: with: path: src/kayobe-config - - name: Clone StackHPC Kayobe repository - uses: actions/checkout@v4 - with: - repository: stackhpc/kayobe - ref: refs/heads/stackhpc/${{ needs.generate-tag.outputs.openstack_release }} - path: src/kayobe - - name: Make sure dockerd is running and test Docker run: | docker ps @@ -146,7 +139,7 @@ jobs: python3 -m venv kayobe && source kayobe/bin/activate && pip install -U pip && - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt # Required for Pulp auth proxy deployment and Docker registry login. # Normally installed during host configure. diff --git a/doc/source/contributor/environments/ci-aio.rst b/doc/source/contributor/environments/ci-aio.rst index c8715fe55..68e93f37c 100644 --- a/doc/source/contributor/environments/ci-aio.rst +++ b/doc/source/contributor/environments/ci-aio.rst @@ -102,7 +102,6 @@ Clone the Kayobe and Kayobe configuration repositories (this one): cd mkdir -p src pushd src - git clone https://github.com/stackhpc/kayobe.git -b |current_release_git_branch_name| git clone https://github.com/stackhpc/stackhpc-kayobe-config -b |current_release_git_branch_name| kayobe-config popd @@ -116,7 +115,7 @@ Create a virtual environment and install Kayobe: python3 -m venv kayobe source kayobe/bin/activate pip install -U pip - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt popd Add initial network configuration: diff --git a/doc/source/contributor/environments/ci-builder.rst b/doc/source/contributor/environments/ci-builder.rst index ce785c7a4..6bf86ae07 100644 --- a/doc/source/contributor/environments/ci-builder.rst +++ b/doc/source/contributor/environments/ci-builder.rst 
@@ -57,7 +57,6 @@ Clone the Kayobe and Kayobe configuration repositories (this one): cd mkdir -p src pushd src - git clone https://github.com/stackhpc/kayobe.git -b |current_release_git_branch_name| git clone https://github.com/stackhpc/stackhpc-kayobe-config -b |current_release_git_branch_name| kayobe-config popd @@ -71,7 +70,7 @@ Create a virtual environment and install Kayobe: python3 -m venv kayobe source kayobe/bin/activate pip install -U pip - pip install ../src/kayobe + pip install ../src/kayobe-config/requirements.txt popd Add initial network configuration: diff --git a/etc/kayobe/environments/ci-aio/automated-setup.sh b/etc/kayobe/environments/ci-aio/automated-setup.sh index 686e708d2..93a310ed2 100644 --- a/etc/kayobe/environments/ci-aio/automated-setup.sh +++ b/etc/kayobe/environments/ci-aio/automated-setup.sh @@ -60,7 +60,7 @@ set +u source kayobe/bin/activate set -u pip install -U pip -pip install ../src/kayobe +pip install ../src/kayobe-config/requirements.txt popd if ! ip l show breth1 >/dev/null 2>&1; then From 14c079f4f2f232e59d9c4b2ee1e21dced9bc8a61 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:28:06 +0100 Subject: [PATCH 05/22] CI: Move jobs on public runners to Ubuntu Jammy images --- .github/workflows/stackhpc-build-kayobe-image.yml | 2 +- .github/workflows/stackhpc-pull-request.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml index 0e8cc9711..f357692c0 100644 --- a/.github/workflows/stackhpc-build-kayobe-image.yml +++ b/.github/workflows/stackhpc-build-kayobe-image.yml @@ -42,7 +42,7 @@ jobs: build-kayobe-image: name: Build kayobe image if: inputs.if || github.repository == 'stackhpc/stackhpc-kayobe-config' && github.event_name == 'push' - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 permissions: contents: read packages: write 
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml index 34d644bd9..196ecc3a3 100644 --- a/.github/workflows/stackhpc-pull-request.yml +++ b/.github/workflows/stackhpc-pull-request.yml @@ -13,7 +13,7 @@ jobs: # would skip the workflow entirely, and would prevent us from making the # aio jobs required to pass (a skip counts as a pass). check-changes: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 permissions: pull-requests: read name: Check changed files From 050584094e6e2aa8cdfaeb9a3f2db70487fd381d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:29:20 +0100 Subject: [PATCH 06/22] Remove stale file from yamllint config This was removed in Antelope in f593df758ae09c9356ec8b04432ab7b65fb0f28e. --- .yamllint | 1 - 1 file changed, 1 deletion(-) diff --git a/.yamllint b/.yamllint index 1c115e29b..e02351b2a 100644 --- a/.yamllint +++ b/.yamllint @@ -14,7 +14,6 @@ rules: ignore: | *etc/kayobe/environments/ci-multinode/secrets.yml - *etc/kayobe/environments/ci-multinode/kolla/globals-tls-config.yml .automation/ releasenotes/ .github/ From abf504bb0b7d3dd68f2bad6010b4470a8a8cbc0b Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:30:23 +0100 Subject: [PATCH 07/22] Caracal: Remove WIP from README --- README.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index d58cd47f8..0f5cf6d74 100644 --- a/README.rst +++ b/README.rst @@ -1,6 +1,6 @@ -================================================ -StackHPC Kayobe Configuration (Work in progress) -================================================ +============================= +StackHPC Kayobe Configuration +============================= This repository provides a base Kayobe configuration for the Caracal release of StackHPC OpenStack. From 1e13c279b51b287c44b27847a8eb332b3c8d1753 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 8 Aug 2024 11:31:18 +0100 Subject: [PATCH 08/22] Caracal: Bump default Ceph version to Reef Also bump haproxy and keepalived container images used for Ceph RADOS Gateway ingress. --- doc/source/conf.py | 2 +- doc/source/configuration/cephadm.rst | 2 -- etc/kayobe/cephadm.yml | 8 ++++---- releasenotes/notes/ceph-reef-f447dde8c397f91b.yaml | 9 +++++++++ 4 files changed, 14 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/ceph-reef-f447dde8c397f91b.yaml diff --git a/doc/source/conf.py b/doc/source/conf.py index 238011fc9..7d9e69d86 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -32,7 +32,7 @@ current_series = "2024.1" previous_series = "2023.1" branch = f"stackhpc/{current_series}" -ceph_series = "quincy" +ceph_series = "reef" # Substitutions loader rst_prolog = """ diff --git a/doc/source/configuration/cephadm.rst b/doc/source/configuration/cephadm.rst index a259b42bc..f3cd8c482 100644 --- a/doc/source/configuration/cephadm.rst +++ b/doc/source/configuration/cephadm.rst @@ -19,8 +19,6 @@ create or modify Ceph cluster deployments. Supported features are: Resources ========= -- https://docs.ceph.com/en/quincy/cephadm/index.html -- https://docs.ceph.com/en/quincy/ - https://docs.ceph.com/en/reef/cephadm/index.html - https://docs.ceph.com/en/reef/ - https://github.com/stackhpc/ansible-collection-cephadm diff --git a/etc/kayobe/cephadm.yml b/etc/kayobe/cephadm.yml index d8f7e54f7..c0e9a995f 100644 --- a/etc/kayobe/cephadm.yml +++ b/etc/kayobe/cephadm.yml @@ -3,7 +3,7 @@ # Cephadm deployment configuration. # Ceph release name. -cephadm_ceph_release: "quincy" +cephadm_ceph_release: "reef" # Ceph FSID. #cephadm_fsid: 
@@ -12,7 +12,7 @@ cephadm_ceph_release: "quincy" cephadm_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/ceph:{{ cephadm_image_tag }}" # Ceph container image tag. -cephadm_image_tag: "v17.2.7" +cephadm_image_tag: "v18.2.4" # Ceph custom repo workaround for Ubuntu Jammy as there are no official ceph repos for jammy. cephadm_custom_repos: "{{ ansible_facts['distribution_release'] == 'jammy' }}" @@ -21,13 +21,13 @@ cephadm_custom_repos: "{{ ansible_facts['distribution_release'] == 'jammy' }}" cephadm_haproxy_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/haproxy:{{ cephadm_haproxy_image_tag }}" # HAProxy container image tag. -cephadm_haproxy_image_tag: "2.3" +cephadm_haproxy_image_tag: "2.6" # Keepalived container image. cephadm_keepalived_image: "{{ stackhpc_docker_registry if stackhpc_sync_ceph_images | bool else 'quay.io' }}/ceph/keepalived:{{ cephadm_keepalived_image_tag }}" # Keepalived container image tag. -cephadm_keepalived_image_tag: "2.1.5" +cephadm_keepalived_image_tag: "2.2.4" # Ceph container image registry URL. cephadm_registry_url: "{{ stackhpc_docker_registry }}" diff --git a/releasenotes/notes/ceph-reef-f447dde8c397f91b.yaml b/releasenotes/notes/ceph-reef-f447dde8c397f91b.yaml new file mode 100644 index 000000000..a5c1313b8 --- /dev/null +++ b/releasenotes/notes/ceph-reef-f447dde8c397f91b.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + Updates the default version of Ceph to Reef. The following container tags + are used for Ceph: + + - ``ceph``: ``v18.2.4`` + - ``haproxy``: ``2.6`` + - ``keepalived``: ``2.2.4`` From 2d563d4da3fd716fdab89b58876c9ec6ec8261f3 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:31:56 +0100 Subject: [PATCH 09/22] docs: Remove unnecessary cloudkitty TLS config This is now included in Kolla Ansible. --- doc/source/configuration/cloudkitty.rst | 10 ---------- 1 file changed, 10 deletions(-) 
diff --git a/doc/source/configuration/cloudkitty.rst b/doc/source/configuration/cloudkitty.rst index c2701aa07..83f31205f 100644 --- a/doc/source/configuration/cloudkitty.rst +++ b/doc/source/configuration/cloudkitty.rst @@ -35,16 +35,6 @@ following in ``kolla/globals.yml``: cloudkitty_fetcher_backend: prometheus cloudkitty_storage_backend: elasticsearch -If you have TLS enabled, you will also need to set the cafile for Prometheus -and Elasticsearch. Set the following in ``kolla/globals.yml``. - -.. code-block:: - - {% raw %} - cloudkitty_prometheus_cafile: "{{ openstack_cacert }}" - cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}" - {% endraw %} - The default collection period is one hour, which is likely too long for most systems as CloudKitty charges by the **entire** collection period if any usage is seen within this timeframe. This is regardless of actual usage, meaning that From f3ec15444600d25fd30fa38eb5838c9cbee840a9 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:32:34 +0100 Subject: [PATCH 10/22] Caracal: replace 2023.1 with 2024.1 in ci-aio docs --- doc/source/contributor/environments/ci-aio.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/source/contributor/environments/ci-aio.rst b/doc/source/contributor/environments/ci-aio.rst index 68e93f37c..8dc7d3201 100644 --- a/doc/source/contributor/environments/ci-aio.rst +++ b/doc/source/contributor/environments/ci-aio.rst 
@@ -52,9 +52,9 @@ following options: * ``BASE_PATH`` (default: ``~``) - Directory to deploy from. The directory must exist before running the script. -* ``KAYOBE_BRANCH`` (default: ``stackhpc/2023.1``) - The branch of Kayobe +* ``KAYOBE_BRANCH`` (default: ``stackhpc/2024.1``) - The branch of Kayobe source code to use. -* ``KAYOBE_CONFIG_BRANCH`` (default: ``stackhpc/2023.1``) - The branch of +* ``KAYOBE_CONFIG_BRANCH`` (default: ``stackhpc/2024.1``) - The branch of ``stackhpc-kayobe-config`` to use. * ``KAYOBE_AIO_LVM`` (default: ``true``) - Whether the image uses LVM. * ``KAYOBE_CONFIG_EDIT_PAUSE`` (default: ``false``) - Option to pause From 15e4ba7da036f16a06cc07218e27e4b9141e0c4e Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:33:15 +0100 Subject: [PATCH 11/22] docs: Use a Jammy image for testing in ci-multinode example --- doc/source/contributor/environments/ci-multinode.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst index b87b8ab2b..aa33edae5 100644 --- a/doc/source/contributor/environments/ci-multinode.rst +++ b/doc/source/contributor/environments/ci-multinode.rst 
@@ -35,19 +35,19 @@ deployment. To test it, you will need two virtual machines. Cirros does not support the Ceph kernel client, so you will need to use a different image. Any regular Linux -distribution should work. As an example, this guide will use Ubuntu 20.04. +distribution should work. As an example, this guide will use Ubuntu 22.04. Download the image locally: .. code-block:: bash - wget http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img + wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img Upload the image to Glance: .. code-block:: bash - openstack image create --container-format bare --disk-format qcow2 --file focal-server-cloudimg-amd64.img Ubuntu-20.04 --progress + openstack image create --container-format bare --disk-format qcow2 --file jammy-server-cloudimg-amd64.img Ubuntu-22.04 --progress Create a keypair: @@ -59,8 +59,8 @@ Create two virtual machines from the image: .. code-block:: bash - openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 - openstack server create --flavor m1.small --image Ubuntu-20.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 + openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-1 + openstack server create --flavor m1.small --image Ubuntu-22.04 --key-name id_rsa --network admin-tenant ubuntu-client-2 Wait until the instances are active. It is worth noting that this process can take a while, especially if the overcloud is deployed to virtual machines. You From a5f6f10698d1c99aeeffb60632af57ca935d366a Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 8 Aug 2024 11:35:18 +0100 Subject: [PATCH 12/22] CIS: Use released versions of ansible-lockdown collections We no longer need to use forks of these collections, since the required changes have been merged upstream. --- etc/kayobe/ansible/requirements.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 7f41756a7..98403d635 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -15,15 +15,9 @@ collections: roles: - src: stackhpc.vxlan - name: ansible-lockdown.ubuntu22_cis - src: https://github.com/stackhpc/UBUNTU22-CIS - #FIXME: Waiting for https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/174 - # to be in a tagged release - version: bugfix/inject-facts + version: 1.4.0 - name: ansible-lockdown.rhel9_cis - src: https://github.com/stackhpc/RHEL9-CIS - #FIXME: Waiting for https://github.com/ansible-lockdown/RHEL9-CIS/pull/115 - # to be in a tagged release. - version: bugfix/inject-facts + version: 1.3.1 - name: wazuh-ansible src: https://github.com/stackhpc/wazuh-ansible version: stackhpc From 9ce5b5a853122cea09c1165dfc08129c3fefbdb6 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:35:56 +0100 Subject: [PATCH 13/22] Use cirros 0.6.2 in aio-init.sh --- etc/kayobe/ansible/scripts/aio-init.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/kayobe/ansible/scripts/aio-init.sh b/etc/kayobe/ansible/scripts/aio-init.sh index 817225dd2..b50ccfd38 100644 --- a/etc/kayobe/ansible/scripts/aio-init.sh +++ b/etc/kayobe/ansible/scripts/aio-init.sh 
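Review bot: Dropping `src` from the `ansible-lockdown.ubuntu22_cis` and `ansible-lockdown.rhel9_cis` entries leaves only a name and a version, so the roles will presumably be looked up on Ansible Galaxy. The subject of patch 20/22 in this series says they are not uploaded there, so this commit on its own probably cannot install them. Consider keeping an explicit upstream git source in this commit, e.g. `src: https://github.com/ansible-lockdown/UBUNTU22-CIS` next to `version: 1.4.0`, and the RHEL9-CIS equivalent, so that every commit in the series is installable. An explicit source URL with a tag or commit also keeps the provenance of these CIS hardening roles auditable. The `roles:` list starts and continues outside the hunk.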
@@ -22,8 +22,8 @@ fi ARCH=$(uname -m) IMAGE_PATH=/opt/cache/files/ -IMAGE_URL=https://github.com/cirros-dev/cirros/releases/download/0.5.1/ -IMAGE=cirros-0.5.1-${ARCH}-disk.img +IMAGE_URL=https://github.com/cirros-dev/cirros/releases/download/0.6.2/ +IMAGE=cirros-0.6.2-${ARCH}-disk.img IMAGE_NAME=cirros IMAGE_TYPE=linux @@ -142,4 +142,4 @@ if ! $KOLLA_OPENSTACK_COMMAND flavor list | grep -q m1.tiny; then $KOLLA_OPENSTACK_COMMAND flavor create --id 5 --ram 16384 --disk 160 --vcpus 8 m1.xlarge fi -touch /tmp/.init-runonce \ No newline at end of file +touch /tmp/.init-runonce From 5579ad6ed8516256ef27c8c7381589f86f36e267 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:40:07 +0100 Subject: [PATCH 14/22] Bump reno requirement --- releasenotes/requirements.txt | 2 +- test-requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/releasenotes/requirements.txt b/releasenotes/requirements.txt index f3596419c..22e2f6c3a 100644 --- a/releasenotes/requirements.txt +++ b/releasenotes/requirements.txt @@ -1,4 +1,4 @@ -reno>=3.4.0 # Apache-2.0 +reno>=4.1.0 # Apache-2.0 sphinx>=2.0.0,!=2.1.0 # BSD sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD sphinx-material diff --git a/test-requirements.txt b/test-requirements.txt index d7f05bb0d..528bb2001 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4,4 +4,4 @@ yamllint # GPLv3 doc8 # Apache-2.0 -reno>=3.4.0 # Apache-2.0 +reno>=4.1.0 # Apache-2.0 From 59d3523bfcb944c30e4c4ded9cf11edb3b628e92 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:40:31 +0100 Subject: [PATCH 15/22] Bump StackHPC copyright --- releasenotes/source/conf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 30b5cf819..3db9e147d 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py 
@@ -45,7 +45,7 @@ # General information about the project. project = 'StackHPC Kayobe Configuration Release Notes' -copyright = '2023 StackHPC Ltd' +copyright = '2024 StackHPC Ltd' # Release notes do not need a version number in the title, they # cover multiple releases. From 28a55d6037e7bfabe531bfde67ecfd9c601d1fc9 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:41:44 +0100 Subject: [PATCH 16/22] Caracal: Bump releasenotes version RE --- releasenotes/config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml index 06d5194fb..a5b984a6b 100644 --- a/releasenotes/config.yaml +++ b/releasenotes/config.yaml @@ -1,4 +1,4 @@ --- -# This needs to be updated to the latest release. -release_tag_re: stackhpc/14\.\d+\.\d+\.\d +# NOTE(upgrade): This needs to be updated to the current release's major version. +release_tag_re: stackhpc/16\.\d+\.\d+\.\d ignore_null_merges: false From 406c637da673ccada4b3caf7f3decacfe90f224d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:42:19 +0100 Subject: [PATCH 17/22] docs: Remove merged patches from password rotation --- doc/source/operations/secret-rotation.rst | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/doc/source/operations/secret-rotation.rst b/doc/source/operations/secret-rotation.rst index a2dad9b80..845548242 100644 --- a/doc/source/operations/secret-rotation.rst +++ b/doc/source/operations/secret-rotation.rst 
@@ -35,32 +35,15 @@ this guide. Installation: sudo apt/dnf install pwgen -As of writing, there are three upstream patches in the works to make this +As of writing, there is an upstream patch in the works to make this process easier. -#. A change to Kolla, to automate :ref:`this` step to change the - extended start for the ``nova-api`` container. - - The upstream patch can be found `here - `__. - - This was previously mitigated with a change to the StackHPC fork of - Kolla-Ansible, which has since been reverted due to an unforeseen issue. See - `here `__ for more - details. - #. A change to Nova, to automate :ref:`this` step to change the nova cell0 database connection string. The upstream patch can be found `here `__. -#. A change to Kolla-Ansible, to automate :ref:`this` step to - update service keystone user passwords. - - The upstream patch can be found `here - `__. - Full method =========== From beb0bba35d96228a8dddedec07769caf72d4102c Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 8 Aug 2024 11:46:35 +0100 Subject: [PATCH 18/22] Remove references to legacy SMS Test Pulp (pulp-server) --- doc/source/contributor/environments/aufn-ceph.rst | 15 --------------- etc/kayobe/ansible/fix-networking.yml | 2 -- .../aufn-ceph/a-universe-from-nothing.sh | 14 -------------- etc/kayobe/stackhpc-overcloud-dib.yml | 3 --- terraform/aio/templates/userdata.cfg.tpl | 4 ---- 5 files changed, 38 deletions(-) diff --git a/doc/source/contributor/environments/aufn-ceph.rst b/doc/source/contributor/environments/aufn-ceph.rst index ca7d8adfc..26e7fa7c9 100644 --- a/doc/source/contributor/environments/aufn-ceph.rst +++ b/doc/source/contributor/environments/aufn-ceph.rst 
@@ -43,13 +43,6 @@ Ubuntu: sudo apt -y install gcc libffi-dev python3-dev python-is-python3 -As a workaround for SMS lab's lack of DNS, add the following lines to ``/etc/hosts`` of the baremetal node: - -.. parsed-literal:: - - 10.0.0.34 pelican pelican.service.compute.sms-lab.cloud - 10.205.3.187 pulp-server pulp-server.internal.sms-cloud - Configure the system firewall and security settings: .. parsed-literal:: @@ -124,14 +117,6 @@ Once the seed vm is provisioned, deploy a local pulp server on the seed and then kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none $KAYOBE_CONFIG_PATH/environments/aufn-ceph/configure-local-networking.sh -Once the local pulp server is deployed, we need to add the address of SMS lab test pulp to the local pulp container: - -.. parsed-literal:: - - ssh stack@192.168.33.5 - docker exec pulp sh -c 'echo "10.205.3.187 pulp-server pulp-server.internal.sms-cloud" | tee -a /etc/hosts' - exit - We can now sync the contents of the local pulp server with that of SMS test pulp and then complete the seed VM setup: .. parsed-literal:: diff --git a/etc/kayobe/ansible/fix-networking.yml b/etc/kayobe/ansible/fix-networking.yml index 01a833264..d3897e564 100644 --- a/etc/kayobe/ansible/fix-networking.yml +++ b/etc/kayobe/ansible/fix-networking.yml @@ -18,8 +18,6 @@ path: /etc/hosts marker: "# {mark} Kayobe entries" block: | - 10.0.0.34 pelican pelican.service.compute.sms-lab.cloud - 10.205.3.187 pulp-server pulp-server.internal.sms-cloud 192.168.37.2 internal.infra.mos.{{ root_domain }} 192.168.39.2 public.infra.mos.{{ root_domain }} become: true diff --git a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh index 886f1f9f2..f8014b146 100755 --- a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh +++ b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh 
@@ -14,15 +14,6 @@ KAYOBE_BRANCH=stackhpc/2024.1 KAYOBE_CONFIG_BRANCH=stackhpc/2024.1 KAYOBE_ENVIRONMENT=aufn-ceph -PELICAN_HOST="10.0.0.34 pelican pelican.service.compute.sms-lab.cloud" -PULP_HOST="10.205.3.187 pulp-server pulp-server.internal.sms-cloud" - -# FIXME: Work around lack of DNS on SMS lab. -cat << EOF | sudo tee -a /etc/hosts -$PELICAN_HOST -$PULP_HOST -EOF - # Install git and tmux. if $(which dnf 2>/dev/null >/dev/null); then sudo dnf -y install git tmux @@ -92,11 +83,6 @@ kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none # Deploying the seed restarts networking interface, run configure-local-networking.sh again to re-add routes. $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/configure-local-networking.sh -# Add sms lab test pulp to /etc/hosts of seed vm's pulp container -SEED_IP=192.168.33.5 -REMOTE_COMMAND="docker exec pulp sh -c 'echo $PULP_HOST | tee -a /etc/hosts'" -ssh stack@$SEED_IP $REMOTE_COMMAND - # Sync package & container repositories. kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/pulp-repo-sync.yml kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/pulp-repo-publish.yml diff --git a/etc/kayobe/stackhpc-overcloud-dib.yml b/etc/kayobe/stackhpc-overcloud-dib.yml index 8ab614860..69ba5c81e 100644 --- a/etc/kayobe/stackhpc-overcloud-dib.yml +++ b/etc/kayobe/stackhpc-overcloud-dib.yml @@ -47,9 +47,6 @@ stackhpc_overcloud_dib_env_vars: # sometimes). # DIB_DISTRIBUTION_MIRROR: "{{ stackhpc_repo_ubuntu_focal_url if os_distribution == 'ubuntu' else '' }}" DIB_DRACUT_ENABLED_MODULES_DEFAULT_CONFIG: "{{ stackhpc_overcloud_dib_dracut_enabled_modules_default_config }}" - # FIXME: Workaround for lack of internal DNS on SMS lab. - DIB_ETC_HOSTS_EXTRA: | - 10.205.3.187 pulp-server pulp-server.internal.sms-cloud DIB_RELEASE: "{{ overcloud_dib_os_release }}" DIB_SUDOERS_FILENAME: "no-fqdn" # Avoid DNS queries during sudo commands, since we might not always have working DNS. 
diff --git a/terraform/aio/templates/userdata.cfg.tpl b/terraform/aio/templates/userdata.cfg.tpl index aebd19229..b91b0e741 100644 --- a/terraform/aio/templates/userdata.cfg.tpl +++ b/terraform/aio/templates/userdata.cfg.tpl @@ -2,10 +2,6 @@ # Don't automatically mount ephemeral disk mounts: - [/dev/vdb, null] -# WORKAROUND: internal DNS missing from SMS lab. -runcmd: - - 'echo "10.0.0.34 pelican pelican.service.compute.sms-lab.cloud" >> /etc/hosts' - - 'echo "10.205.3.187 pulp-server pulp-server.internal.sms-cloud" >> /etc/hosts' # Configure SSH keys here, to avoid creating an ephemeral keypair. # This means only the instance needs to be cleaned up if the destroy fails. ssh_authorized_keys: From 8fe2d3a825d94971706717c339d58bea5fec4fc0 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Fri, 16 Aug 2024 11:42:23 +0100 Subject: [PATCH 19/22] docs: Remove reference to abandoned nova patch in secret rotation --- doc/source/operations/secret-rotation.rst | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/doc/source/operations/secret-rotation.rst b/doc/source/operations/secret-rotation.rst index 845548242..6e685f4db 100644 --- a/doc/source/operations/secret-rotation.rst +++ b/doc/source/operations/secret-rotation.rst @@ -34,17 +34,6 @@ this guide. Installation: sudo apt/dnf install pwgen - -As of writing, there is an upstream patch in the works to make this -process easier. - -#. A change to Nova, to automate :ref:`this` step to change the - nova cell0 database connection string. - - The upstream patch can be found `here - `__. - - Full method =========== From 746c5e3eecb23b736ee6dc33402c55f5385cb406 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Wed, 21 Aug 2024 15:50:48 +0100 Subject: [PATCH 20/22] Use git for ansible-lockdown roles They are not uploaded to Ansible Galaxy. --- etc/kayobe/ansible/requirements.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 37190045a..589068d72 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -15,8 +15,10 @@ collections: roles: - src: stackhpc.vxlan - name: ansible-lockdown.ubuntu22_cis - version: 1.4.0 + src: https://github.com/ansible-lockdown/UBUNTU22-CIS + version: 1.4.1 - name: ansible-lockdown.rhel9_cis + src: https://github.com/ansible-lockdown/RHEL9-CIS version: 1.3.1 - name: wazuh-ansible src: https://github.com/stackhpc/wazuh-ansible From 52c30759dde3ac4d600faecffbd341a3c722cc66 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 22 Aug 2024 09:17:09 +0100 Subject: [PATCH 21/22] Fix rhel9cis_auditd for RHEL9-CIS 1.3.1 A new max_log_file field was added. --- etc/kayobe/inventory/group_vars/cis-hardening/cis | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis index 1ec8c3dcc..a80571f85 100644 --- a/etc/kayobe/inventory/group_vars/cis-hardening/cis +++ b/etc/kayobe/inventory/group_vars/cis-hardening/cis @@ -56,6 +56,7 @@ rhel9cis_auditd: space_left_action: syslog action_mail_acct: root admin_space_left_action: halt + max_log_file: 10 max_log_file_action: rotate # Max size of audit logs (MB) From 8f4f9308a1ae95c3e9cda49a3f8b5f1eb5aba044 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 22 Aug 2024 09:21:55 +0100 Subject: [PATCH 22/22] Add a release note for Ansible lockdown role updates --- .../notes/update-cis-roles-8c73975c37188071.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 releasenotes/notes/update-cis-roles-8c73975c37188071.yaml diff --git a/releasenotes/notes/update-cis-roles-8c73975c37188071.yaml b/releasenotes/notes/update-cis-roles-8c73975c37188071.yaml new file mode 100644 index 000000000..c1705edf0 --- /dev/null +++ b/releasenotes/notes/update-cis-roles-8c73975c37188071.yaml 
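Review bot: Both ansible-lockdown entries are now fetched from GitHub by tag name (`version: 1.4.1` for UBUNTU22-CIS, `version: 1.3.1` for RHEL9-CIS), and a git tag can be moved upstream after it has been reviewed, so this file no longer fixes what gets installed. These roles apply CIS hardening on the hosts, so I would pin each entry to the full commit hash the tag points at and keep the tag as a trailing comment, e.g. `version: <commit-sha-of-1.4.1-tag>  # 1.4.1` (placeholder; the hash is not on this page). The same hunk also moves UBUNTU22-CIS from 1.4.0 to 1.4.1, which the commit message does not mention. The roles list continues past the end of the hunk.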
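Review bot: The added `max_log_file: 10` in `rhel9cis_auditd` carries no comment giving its unit or why 10 was chosen, while the context line right after the dict (`# Max size of audit logs (MB)`) appears to introduce a separate size setting that lies outside the hunk. If both end up driving auditd's per-file size they can drift apart, so I would add a comment above the new key such as `# Size in MB at which auditd rotates a log file; keep consistent with the max log size setting below`. With `max_log_file_action: rotate`, a small per-file size also limits how much audit history stays on the host, so it is worth confirming that the retained file count or log forwarding covers the retention you need. The dict starts above the hunk.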
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Updates the Ansible Lockdown roles for Ubuntu and Rocky Linux to 1.4.1 and
+ 1.3.1 respectively. See `UBUNTU22-CIS
+ `__
+ and `RHEL9-CIS
+ `__ for
+ release notes.