From 61e63361ee8877ceb4035424b9b2aac58fc4a246 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Wed, 4 Sep 2024 16:57:05 +0100 Subject: [PATCH 01/19] Fix prometheus_blackbox_exporter_endpoints to allow truthy values --- .../group_vars/prometheus-blackbox-exporter | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter index 4e95d64bd..dbcc7113b 100644 --- a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter +++ b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter @@ -6,13 +6,16 @@ # prometheus_blackbox_exporter_endpoints_kayobe is another set of default # endpoints that are templated by Kayobe rather than Kolla Ansible. See # kolla/globals.yml for more details. -prometheus_blackbox_exporter_endpoints: >- - {{ (prometheus_blackbox_exporter_endpoints_kayobe | default([]) + - prometheus_blackbox_exporter_endpoints_default) | - selectattr('enabled', 'true') | - map(attribute='endpoints') | flatten | - union(prometheus_blackbox_exporter_endpoints_custom) | - unique | select | list }} +prometheus_blackbox_exporter_endpoints: | + {% set endpoints = [] %} + {% for dict_item in (prometheus_blackbox_exporter_endpoints_kayobe | default([]) + prometheus_blackbox_exporter_endpoints_default) %} + {% if dict_item.enabled | bool %} + {% for endpoint in dict_item.endpoints %} + {% set _ = endpoints.append(endpoint) %} + {% endfor %} + {% endif %} + {% endfor %} + {{ (endpoints + prometheus_blackbox_exporter_endpoints_custom) | unique | list }} # A list of custom prometheus Blackbox exporter endpoints. Each element should # have the following format: From bdb623443cbb69abdf318657cfefe2d0ad7120d1 Mon Sep 17 00:00:00 2001 
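Review bot: The added loop reads `enabled` directly in `{% if dict_item.enabled | bool %}`, so an entry in `prometheus_blackbox_exporter_endpoints_kayobe` or `prometheus_blackbox_exporter_endpoints_default` that omits the key would presumably fail templating. The removed `selectattr('enabled', 'true')` appears to have skipped such entries instead. If entries without the key are meant to be tolerated, `{% if dict_item.enabled | default(false) | bool %}` keeps that behaviour. A short comment above the variable would also help, saying the loop replaced the filter chain so that string values such as "yes" or "True" count as enabled.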
From: Matt Crees Date: Thu, 5 Sep 2024 14:12:55 +0100 Subject: [PATCH 02/19] Add bool to rabbitmq endpoint --- .../kolla/inventory/group_vars/prometheus-blackbox-exporter | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter index dbcc7113b..0c14cc830 100644 --- a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter +++ b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter @@ -128,7 +128,7 @@ prometheus_blackbox_exporter_endpoints_default: - endpoints: - "prometheus_alertmanager:http_2xx_alertmanager:{{ prometheus_alertmanager_public_endpoint if enable_prometheus_alertmanager_external else prometheus_alertmanager_internal_endpoint }}" enabled: "{{ enable_prometheus_alertmanager | bool }}" - - endpoints: "{% set rabbitmq_endpoints = [] %}{% for host in groups.get('rabbitmq', []) %}{{ rabbitmq_endpoints.append('rabbitmq_' + host.replace('-', '') + (':tls_connect:' if rabbitmq_enable_tls else ':tcp_connect:') + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['rabbitmq_port'] ) }}{% endfor %}{{ rabbitmq_endpoints }}" + - endpoints: "{% set rabbitmq_endpoints = [] %}{% for host in groups.get('rabbitmq', []) %}{{ rabbitmq_endpoints.append('rabbitmq_' + host.replace('-', '') + (':tls_connect:' if rabbitmq_enable_tls | bool else ':tcp_connect:') + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['rabbitmq_port'] ) }}{% endfor %}{{ rabbitmq_endpoints }}" enabled: "{{ enable_rabbitmq | bool }}" - endpoints: "{% set redis_endpoints = [] %}{% for host in groups.get('redis', []) %}{{ redis_endpoints.append('redis_' + host.replace('-', '') + ':tcp_connect:' + ('api' | kolla_address(host) | put_address_in_context('url')) + ':' + hostvars[host]['redis_port']) }}{% endfor %}{{ redis_endpoints }}" enabled: "{{ enable_redis | bool }}" 
From dc85568a1b8f0fc8babd1623dbba60c1c1032fa8 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Thu, 5 Sep 2024 14:13:22 +0100 Subject: [PATCH 03/19] Correct horizon_public_endpoint horizon_public_port is dependent on backend_tls being enabled, rather than external tls. --- .../kolla/inventory/group_vars/prometheus-blackbox-exporter | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter index 0c14cc830..f321cc4f0 100644 --- a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter +++ b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter @@ -149,7 +149,7 @@ heat_cfn_internal_base_endpoint: "{{ heat_cfn_internal_fqdn | kolla_url(internal heat_cfn_public_base_endpoint: "{{ heat_cfn_external_fqdn | kolla_url(public_protocol, heat_api_cfn_public_port) }}" heat_internal_base_endpoint: "{{ heat_internal_fqdn | kolla_url(internal_protocol, heat_api_port) }}" heat_public_base_endpoint: "{{ heat_external_fqdn | kolla_url(public_protocol, heat_api_public_port) }}" -horizon_public_endpoint: "{{ horizon_external_fqdn | kolla_url(public_protocol, horizon_listen_port) }}" +horizon_public_endpoint: "{{ horizon_external_fqdn | kolla_url(public_protocol, horizon_tls_port if kolla_enable_tls_external | bool else horizon_port) }}" ironic_inspector_internal_endpoint: "{{ ironic_inspector_internal_fqdn | kolla_url(internal_protocol, ironic_inspector_port) }}" ironic_inspector_public_endpoint: "{{ ironic_inspector_external_fqdn | kolla_url(public_protocol, ironic_inspector_public_port) }}" magnum_internal_base_endpoint: "{{ magnum_internal_fqdn | kolla_url(internal_protocol, magnum_api_port) }}" From 49a4b06322d6194b1fe63002370229578ab9c978 Mon Sep 17 00:00:00 2001 
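Review bot: The new port expression on `horizon_public_endpoint` switches on `kolla_enable_tls_external`, while the commit description says the port depends on backend TLS rather than external TLS, so the two read as contradicting each other. If the intent is that `horizon_listen_port` follows backend TLS and is therefore wrong for the public URL, a comment above the line would make that explicit, e.g. `# Public port follows external TLS; horizon_listen_port follows backend TLS.` A wrong port here means the blackbox probe checks a different listener from the one users reach.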
From: Mark Goddard Date: Fri, 6 Sep 2024 12:48:30 +0100 Subject: [PATCH 04/19] Add merge.py This script can be used for merging from one release branch of SKC into the next. --- tools/merge.py | 116 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100755 tools/merge.py diff --git a/tools/merge.py b/tools/merge.py new file mode 100755 index 000000000..216614b55 --- /dev/null +++ b/tools/merge.py 
@@ -0,0 +1,116 @@ +#!/usr/bin/python3 + +DESCRIPTION = """ +This script merges one release branch of SKC into another. + +Example 1: Merge stackhpc/yoga into stackhpc/zed: + + merge.py yoga zed + +Example 2: Merge the branch created in example 1 into stackhpc/2023.1: + + merge.py zed 2023.1 zed-yoga-merge + +Example 3: Continue after manually resolving merge conflicts seen in example 2: + + merge.py zed 2023.1 zed-yoga-merge --continue + +""" + +import argparse +import os +from subprocess import check_call, check_output +import sys + + +def command(cmd): + print("Running:", cmd) + check_call(cmd) + + +def parse_args(): + parser = argparse.ArgumentParser(description=DESCRIPTION, formatter_class=argparse.RawDescriptionHelpFormatter) + #"Merge one branch of SKC into the next") + parser.add_argument("previous", type=str, help="The previous version") + parser.add_argument("current", type=str, help="The current version") + parser.add_argument("previous_branch", type=str, nargs="?", default=None, help="Optional branch to use as the previous release. 
Allows merging multiple branches in parallel.") + parser.add_argument("--continue", dest="cont", action="store_true", help="Continue after merge conflicts have been resolved.") + parser.add_argument("--remote", type=str, default="origin", help="Git remote") + return parser.parse_args() + + +def fetch(args): + command(["git", "fetch", args.remote]) + + +def checkout(args): + merge_branch = f"{args.current}-{args.previous}-merge" + current_branch = f"{args.remote}/stackhpc/{args.current}" + command(["git", "checkout", "-B", merge_branch, current_branch]) + + +def update_submodules(): + command(["git", "submodule", "update"]) + + +def merge_in_progress(): + repo_root = check_output(["git", "rev-parse", "--show-toplevel"]) + repo_root = repo_root.decode().strip() + return os.path.isfile(os.path.join(repo_root, ".git", "MERGE_HEAD")) + + +def uncommitted_changes(): + unstaged = check_output(["git", "diff"]) + staged = check_output(["git", "diff", "--cached"]) + return unstaged or staged + + +def continue_merge(): + if merge_in_progress(): + command(["git", "merge", "--continue"]) + else: + print("No merge in progress") + + +def merge(args): + if args.previous_branch: + previous_branch = args.previous_branch + else: + previous_branch = f"{args.remote}/stackhpc/{args.previous}" + commit_message = f"Merge stackhpc/{args.previous} into stackhpc/{args.current}" + command(["git", "merge", previous_branch, "-m", commit_message]) + + +def show_diff(args): + print("Proposed changes:") + current_branch = f"{args.remote}/stackhpc/{args.current}" + command(["git", "diff", current_branch]) + + +def create_pr(args): + current_branch = f"stackhpc/{args.current}" + pr_title = f"{args.current}: {args.previous} merge" + command(["gh", "pr", "create", "-f", "-a", "@me", "-B", current_branch, "-t", pr_title]) + + +def main(): + args = parse_args() + if args.cont: + continue_merge() + else: + if merge_in_progress(): + print("Merge in progress - did you miss the --continue argument?") + 
sys.exit(1) + if uncommitted_changes(): + print("You have uncommitted changes - aborting") + sys.exit(1) + fetch(args) + checkout(args) + update_submodules() + merge(args) + show_diff(args) + create_pr(args) + + +if __name__ == "__main__": + main() From 3a97322b6b402485ae5ef7102486803e3a3583af Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 6 Sep 2024 17:13:14 +0200 Subject: [PATCH 05/19] Fix CVE-2024-44082 / OSSA-2024-003 Fixes CVE-2024-44082 [1] with updated container images for Ironic services. Note that Ironic Python Agent images also need to be updated to fully fix this vulnerability. If this is not possible, a new configuration option ``[conductor]conductor_always_validates_images`` is available. See the OSSA-2024-003 announcement [2] for more details. [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44082 [2] https://security.openstack.org/ossa/OSSA-2024-003.html --- etc/kayobe/kolla-image-tags.yml | 3 +++ .../notes/fix-cve-2024-44082-122ef225f674d864.yaml | 12 ++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index 2abd37c07..9a6c89aa3 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -14,6 +14,9 @@ kolla_image_tags: ubuntu-jammy: 2023.1-ubuntu-jammy-20240701T123544 haproxy_ssh: ubuntu-jammy: 2023.1-ubuntu-jammy-20240509T102329 + ironic: + rocky-9: 2023.1-rocky-9-20240906T144646 + ubuntu-jammy: 2023.1-ubuntu-jammy-20240906T144646 kolla_toolbox: rocky-9: 2023.1-rocky-9-20240809T102431 letsencrypt: diff --git a/releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml b/releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml new file mode 100644 index 000000000..3066b0758 --- /dev/null +++ b/releasenotes/notes/fix-cve-2024-44082-122ef225f674d864.yaml 
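Review bot: `merge_in_progress()` looks for `MERGE_HEAD` under `<toplevel>/.git`, which is a directory only in a plain clone; in a linked worktree or a submodule checkout `.git` is a file, so the function returns False and both the `--continue` path and the "did you miss the --continue argument" guard misfire. Asking git for the path avoids this: `merge_head = check_output(["git", "rev-parse", "--git-path", "MERGE_HEAD"]).decode().strip()` followed by `return os.path.isfile(merge_head)`. Separately, `uncommitted_changes()` inspects only `git diff` output, so untracked files go unnoticed before `git checkout -B` runs; `git status --porcelain` would cover them. The branch and remote names from the command line go straight into the `git checkout`, `git merge` and `gh pr create` argument lists, so a value beginning with `-` would be parsed as an option; rejecting such values in `parse_args()` is cheap.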
@@ -0,0 +1,12 @@ +--- +security: + - | + Fixes `CVE-2024-44082 + `_ with updated + container images for Ironic services. Note that Ironic Python Agent images + also need to be updated to fully fix this vulnerability. If this is not + possible, a new configuration option + ``[conductor]conductor_always_validates_images`` is available. See the + `OSSA-2024-003 description + `_ for more + details. From 631cb260efa81c5de78421f4551fcdd33f6323cb Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 10 Sep 2024 10:03:44 +0100 Subject: [PATCH 06/19] Add select --- .../kolla/inventory/group_vars/prometheus-blackbox-exporter | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter index f321cc4f0..cc4990334 100644 --- a/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter +++ b/etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter @@ -15,7 +15,7 @@ prometheus_blackbox_exporter_endpoints: | {% endfor %} {% endif %} {% endfor %} - {{ (endpoints + prometheus_blackbox_exporter_endpoints_custom) | unique | list }} + {{ (endpoints + prometheus_blackbox_exporter_endpoints_custom) | unique | select | list }} # A list of custom prometheus Blackbox exporter endpoints. Each element should # have the following format: From e4039e89ccbfdfc0c3dab1bdb01d7941e03b8bf5 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 10 Sep 2024 09:48:53 +0100 Subject: [PATCH 07/19] CI: Bump multinode.yml reusable workflow to 1.1.0 This pulls in a timeout increase and a fix for sanitising filenames in artifacts. https://github.com/stackhpc/stackhpc-openstack-gh-workflows/releases/tag/1.1.0 --- .github/workflows/stackhpc-multinode-periodic.yml | 2 +- .github/workflows/stackhpc-multinode.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/stackhpc-multinode-periodic.yml b/.github/workflows/stackhpc-multinode-periodic.yml index 341fbe55b..cb94705bc 100644 --- a/.github/workflows/stackhpc-multinode-periodic.yml +++ b/.github/workflows/stackhpc-multinode-periodic.yml @@ -35,7 +35,7 @@ jobs: name: Multinode periodic needs: - generate-inputs - uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.0.1 + uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.1.0 with: multinode_name: mn-prdc-${{ github.run_id }} os_distribution: ${{ needs.generate-inputs.outputs.os_distribution }} diff --git a/.github/workflows/stackhpc-multinode.yml b/.github/workflows/stackhpc-multinode.yml index a6d1c49a8..7d77c8742 100644 --- a/.github/workflows/stackhpc-multinode.yml +++ b/.github/workflows/stackhpc-multinode.yml @@ -52,7 +52,7 @@ name: Multinode jobs: multinode: name: Multinode - uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.0.1 + uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.1.0 with: multinode_name: ${{ inputs.multinode_name }} os_distribution: ${{ inputs.os_distribution }} From 8f18a1a4a124283ed0cafe7cb2e411b67ab69fb0 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 10 Sep 2024 16:14:03 +0100 Subject: [PATCH 08/19] CI: Add 2024.1 to nightly multinode test matrix --- .github/workflows/multinode-inputs.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/multinode-inputs.py b/.github/workflows/multinode-inputs.py index b862cbf91..c64b73544 100644 --- a/.github/workflows/multinode-inputs.py +++ b/.github/workflows/multinode-inputs.py 
@@ -33,7 +33,8 @@ class Scenario: UBUNTU_JAMMY = OSRelease("ubuntu", "jammy", "ubuntu") # NOTE(upgrade): Add supported releases here. OPENSTACK_RELEASES = [ - OpenStackRelease("2023.1", "zed", [ROCKY_9, UBUNTU_JAMMY]) + OpenStackRelease("2024.1", "2023.1", [ROCKY_9, UBUNTU_JAMMY]), + OpenStackRelease("2023.1", "zed", [ROCKY_9, UBUNTU_JAMMY]), ] NEUTRON_PLUGINS = ["ovs", "ovn"] From c4c531c76464c3bf27a1280d5ea7a4d6e9509238 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Fri, 30 Aug 2024 11:31:57 +0100 Subject: [PATCH 09/19] Add hook for fixing hostname bug in Multinode --- .../hooks/overcloud-host-configure/pre.d/10-fix-hostname.yml | 1 + etc/kayobe/environments/ci-multinode/inventory/groups | 2 +- etc/kayobe/environments/ci-multinode/reboot.yml | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) create mode 120000 etc/kayobe/environments/ci-multinode/hooks/overcloud-host-configure/pre.d/10-fix-hostname.yml create mode 100644 etc/kayobe/environments/ci-multinode/reboot.yml diff --git a/etc/kayobe/environments/ci-multinode/hooks/overcloud-host-configure/pre.d/10-fix-hostname.yml b/etc/kayobe/environments/ci-multinode/hooks/overcloud-host-configure/pre.d/10-fix-hostname.yml new file mode 120000 index 000000000..829fbfd77 --- /dev/null +++ b/etc/kayobe/environments/ci-multinode/hooks/overcloud-host-configure/pre.d/10-fix-hostname.yml @@ -0,0 +1 @@ +../../../../../ansible/fix-hostname.yml \ No newline at end of file diff --git a/etc/kayobe/environments/ci-multinode/inventory/groups b/etc/kayobe/environments/ci-multinode/inventory/groups index 08018ca3a..8bc65f541 100644 --- a/etc/kayobe/environments/ci-multinode/inventory/groups +++ b/etc/kayobe/environments/ci-multinode/inventory/groups @@ -5,4 +5,4 @@ controllers [fix-hostname:children] -storage +overcloud diff --git a/etc/kayobe/environments/ci-multinode/reboot.yml b/etc/kayobe/environments/ci-multinode/reboot.yml new file mode 100644 index 000000000..26ece04b1 --- /dev/null 
+++ b/etc/kayobe/environments/ci-multinode/reboot.yml @@ -0,0 +1,3 @@ +--- +# Ensure that the reboot playbook is always executed using the boostrap user +reboot_with_bootstrap_user: true From 043644b5569329967d610ba92800d60e2f5ce135 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 10 Sep 2024 16:23:43 +0100 Subject: [PATCH 10/19] Reboot hosts after fix-hostname changed --- etc/kayobe/ansible/fix-hostname.yml | 6 ++++++ etc/kayobe/ansible/reboot.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/fix-hostname.yml b/etc/kayobe/ansible/fix-hostname.yml index dc3c92e32..8738412aa 100644 --- a/etc/kayobe/ansible/fix-hostname.yml +++ b/etc/kayobe/ansible/fix-hostname.yml @@ -21,3 +21,9 @@ cmd: hostnamectl set-hostname "{{ inventory_hostname }}" when: current_hostname.stdout != inventory_hostname become: true + +- name: Reboot hosts + import_playbook: "{{ playbook_dir | realpath }}/reboot.yml" + vars: + reboot_hosts: fix-hostname + when: current_hostname.stdout != inventory_hostname diff --git a/etc/kayobe/ansible/reboot.yml b/etc/kayobe/ansible/reboot.yml index 92603ade2..545c509df 100644 --- a/etc/kayobe/ansible/reboot.yml +++ b/etc/kayobe/ansible/reboot.yml @@ -1,6 +1,6 @@ --- - name: Reboot the host - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: "{{ reboot_hosts | default('seed-hypervisor:seed:overcloud:infra-vms') }}" serial: "{{ lookup('env', 'ANSIBLE_SERIAL') | default(1, true) }}" gather_facts: false vars: From d48a399d6bb45ae35f17026b763d1aaed373f795 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Wed, 11 Sep 2024 13:56:59 +0100 Subject: [PATCH 11/19] Reboot with bootstrap user in ci-aio env --- etc/kayobe/ansible/fix-hostname.yml | 1 + etc/kayobe/environments/ci-multinode/reboot.yml | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 etc/kayobe/environments/ci-multinode/reboot.yml 
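Review bot: The `when:` on the added `import_playbook` in fix-hostname.yml relies on `current_hostname` still holding the value registered before `hostnamectl set-hostname` ran, which is not obvious from the hunk. As far as I know Ansible copies a `when` on `import_playbook` onto every task of the imported plays, so a host reached by reboot.yml without that registered variable would fail on the condition rather than skip. A comment such as `# current_hostname was registered before the rename, so this is true only for hosts whose hostname was just changed` would document the dependency. The play that registers `current_hostname` starts outside the hunk.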
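Review bot: The new `hosts:` expression in reboot.yml calls `default('seed-hypervisor:seed:overcloud:infra-vms')` without the second argument, so an empty `reboot_hosts` is kept rather than replaced by the default pattern. The `serial` line just below uses `default(1, true)`. `hosts: "{{ reboot_hosts | default('seed-hypervisor:seed:overcloud:infra-vms', true) }}"` makes the two consistent. Since this variable now decides which machines are rebooted, a one-line comment above `hosts:` naming `reboot_hosts` as the override would also help.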
diff --git a/etc/kayobe/ansible/fix-hostname.yml b/etc/kayobe/ansible/fix-hostname.yml index 8738412aa..ca5bd8883 100644 --- a/etc/kayobe/ansible/fix-hostname.yml +++ b/etc/kayobe/ansible/fix-hostname.yml @@ -26,4 +26,5 @@ import_playbook: "{{ playbook_dir | realpath }}/reboot.yml" vars: reboot_hosts: fix-hostname + reboot_with_bootstrap_user: true when: current_hostname.stdout != inventory_hostname diff --git a/etc/kayobe/environments/ci-multinode/reboot.yml b/etc/kayobe/environments/ci-multinode/reboot.yml deleted file mode 100644 index 26ece04b1..000000000 --- a/etc/kayobe/environments/ci-multinode/reboot.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# Ensure that the reboot playbook is always executed using the boostrap user -reboot_with_bootstrap_user: true From 60432f601e1d206f5b89243e1e8529e3c7de60e3 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Thu, 12 Sep 2024 10:24:09 +0200 Subject: [PATCH 12/19] Reference controller IP for backend TLS certificates --- etc/kayobe/ansible/vault-generate-backend-tls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/vault-generate-backend-tls.yml b/etc/kayobe/ansible/vault-generate-backend-tls.yml index bd61f9d9a..5603f1991 100644 --- a/etc/kayobe/ansible/vault-generate-backend-tls.yml +++ b/etc/kayobe/ansible/vault-generate-backend-tls.yml @@ -18,7 +18,7 @@ - name: Generate backend API certificates hosts: controllers:network vars: - vault_api_addr: "https://{{ internal_net_name | net_ip }}:8200" + vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200" vault_intermediate_ca_name: "OS-TLS-INT" tasks: - name: Set a fact about the virtualenv on the remote system From 6181e8082f4cbd64d4c47af98067e6765565d191 Mon Sep 17 00:00:00 2001 
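Review bot: `reboot_with_bootstrap_user: true` is now set on the `import_playbook` in the shared `etc/kayobe/ansible/fix-hostname.yml`, so it applies wherever this playbook runs. The deleted `ci-multinode/reboot.yml` scoped it to one environment, and the commit title mentions ci-aio. If rebooting as the bootstrap user is intended for every environment, a comment on the added line giving the reason would help; if not, the variable belongs in environment-specific configuration.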
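Review bot: `groups['controllers'][0]` pins `vault_api_addr` to the first controller for every host in `controllers:network`, so templating fails when the `controllers` group is empty and there is no fallback when that one Vault instance is sealed or down. Because certificates are requested over this HTTPS URL by IP, the Vault server certificate must also carry that controller's internal address for verification to pass; whether it does is not visible here. If the reason for the change is that network hosts have no Vault listener on their own address, a comment would record it, e.g. `# Network hosts do not run Vault, so always use the first controller's API address.`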
From: Mark Goddard Date: Thu, 12 Sep 2024 10:27:05 +0100 Subject: [PATCH 13/19] kolla-images.py: Add a check-image-map command This command checks the image mapping against Kolla Ansible variables. The *_image variables in Kolla Ansible define the mapping between containers and images. Ensure that the mapping defined in this script matches the one in Kolla Ansible. --- tools/kolla-images.py | 46 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/tools/kolla-images.py b/tools/kolla-images.py index 06e67cb1c..2d9193f3f 100755 --- a/tools/kolla-images.py +++ b/tools/kolla-images.py @@ -96,6 +96,9 @@ def parse_args() -> argparse.Namespace: parser.add_argument("--base-distros", default=",".join(SUPPORTED_BASE_DISTROS), choices=SUPPORTED_BASE_DISTROS) subparsers = parser.add_subparsers(dest="command", required=True) + subparser = subparsers.add_parser("check-image-map", help="Check image mapping against kolla-ansible") + subparser.add_argument("--kolla-ansible-path", required=True, help="Path to kolla-ansible repostory checked out to correct branch") + subparser = subparsers.add_parser("check-hierarchy", help="Check tag variable hierarchy against kolla-ansible") subparser.add_argument("--kolla-ansible-path", required=True, help="Path to kolla-ansible repostory checked out to correct branch") 
@@ -277,6 +280,45 @@ def check_tags(base_distros: List[str], kolla_image_tags: KollaImageTags, regist sys.exit(1) +def check_image_map(kolla_ansible_path: str): + """Check the image mapping against Kolla Ansible variables. + + The *_image variables in Kolla Ansible define the mapping between + containers and images. Ensure that the mapping defined in this script + matches the one in Kolla Ansible. + """ + supported_images = read_images("etc/kayobe/pulp.yml") + assert supported_images + # Build a map from container to image name. + cmd = """git grep -h '^[a-z0-9_]*_image:' ansible/roles/*/defaults/main.yml""" + image_map_str = subprocess.check_output(cmd, shell=True, cwd=os.path.realpath(kolla_ansible_path)) + image_map = yaml.safe_load(image_map_str) + image_var_re = re.compile(r"^([a-z0-9_]+)_image$") + image_map = { + image_var_re.match(image_var).group(1): image.split("/")[-1] + for image_var, image in image_map.items() + } + # Filter out unsupported images. + image_map = { + container: image + for container, image in image_map.items() + if image in supported_images + } + assert image_map + errors = [] + # Check that our mapping is correct. + for container, image in image_map.items(): + containers = get_containers(image) + if container not in containers: + errors.append((container, image)) + if errors: + print("Errors:") + for tag_var, image in errors: + print(f"Expected {tag_var} container to use {image} image") + if errors: + sys.exit(1) + + def check_hierarchy(kolla_ansible_path: str): """Check the tag variable hierarchy against Kolla Ansible variables.""" cmd = """git grep -h '^[a-z0-9_]*_tag:' ansible/roles/*/defaults/main.yml""" 
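Review bot: `check_image_map()` uses `assert supported_images` and `assert image_map` as its guard against an empty result, but asserts are removed under `python -O`; an empty map then makes the loop a no-op and the check passes without comparing anything. For a CI gate an explicit exit is safer, e.g. `if not image_map: sys.exit("No supported images found in Kolla Ansible image map")`. The `git grep` output from all roles is loaded as one YAML mapping, so a `*_image` variable defined in two roles would silently keep only the last value. The `shell=True` call takes a constant string, so it is not injectable, but an argument list with the glob as a git pathspec (`["git", "grep", "-h", "^[a-z0-9_]*_image:", "--", ":(glob)ansible/roles/*/defaults/main.yml"]`) would remove the shell altogether. The help text added in `parse_args()` misspells "repository".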
@@ -352,7 +394,9 @@ def main(): validate(kolla_image_tags) - if args.command == "check-hierarchy": + if args.command == "check-image-map": + check_image_map(args.kolla_ansible_path) + elif args.command == "check-hierarchy": check_hierarchy(args.kolla_ansible_path) elif args.command == "check-tags": check_tags(base_distros, kolla_image_tags, args.registry, args.namespace) From 6f1576365dd677a11c4e555060a18c45b6dcf8ee Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 12 Sep 2024 10:30:37 +0100 Subject: [PATCH 14/19] kolla-images.py: Fix image to container exceptions using check-image-map We recently had an issue where images were built for ironic, but this did not include dnsmasq due to not matching the regex. The 'ironic' tag was updated in kolla-image-tags.yml, which matches ironic_dnsmasq container, but no such dnsmasq image existed. This issue would have been caught the check-tags workflow with the correct mapping added in this change. --- tools/kolla-images.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tools/kolla-images.py b/tools/kolla-images.py index 2d9193f3f..ec0d319c8 100755 --- a/tools/kolla-images.py +++ b/tools/kolla-images.py @@ -39,15 +39,19 @@ # Maps a Kolla image to a list of containers that use the image. IMAGE_TO_CONTAINERS_EXCEPTIONS: Dict[str, List[str]] = { + "dnsmasq": [ + "ironic_dnsmasq", + ], "haproxy": [ "glance_tls_proxy", + "haproxy", "neutron_tls_proxy", ], "mariadb-server": [ "mariadb", "mariabackup", ], - "neutron-eswitchd": [ + "neutron-mlnx-agent": [ "neutron_mlnx_agent", ], "neutron-metadata-agent": [ @@ -58,6 +62,15 @@ "nova_super_conductor", "nova_conductor", ], + "openvswitch-db-server": [ + "openvswitch_db", + ], + "ovn-nb-db-server": [ + "ovn_nb_db", + ], + "ovn-sb-db-server": [ + "ovn_sb_db", + ], "prometheus-v2-server": [ "prometheus_server", ], From 1caf4a3265e8364b19c408892ea50dfc211bf414 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 12 Sep 2024 10:31:16 +0100 Subject: [PATCH 15/19] kolla-images.py: Misc fixes --- etc/kayobe/ansible/check-tags.yml | 1 + tools/kolla-images.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/check-tags.yml b/etc/kayobe/ansible/check-tags.yml index dc429a7cd..bdfb294da 100644 --- a/etc/kayobe/ansible/check-tags.yml +++ b/etc/kayobe/ansible/check-tags.yml @@ -4,6 +4,7 @@ - name: Check whether tags exist in Pulp container registry hosts: localhost + gather_facts: false tasks: - name: Query images and tags command: diff --git a/tools/kolla-images.py b/tools/kolla-images.py index ec0d319c8..65c2f78e7 100755 --- a/tools/kolla-images.py +++ b/tools/kolla-images.py @@ -130,7 +130,7 @@ def parse_args() -> argparse.Namespace: return parser.parse_args() -def get_abs_path(relative_path: str) -> str: +def get_abs_path(relative_path: str) -> pathlib.Path: """Return the absolute path of a file in SKC.""" script_path = pathlib.Path(inspect.getfile(inspect.currentframe())) return script_path.parent.parent / relative_path From 9241b3aba7453b55a1ee9edc019e549a08598d8e Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 12 Sep 2024 10:32:28 +0100 Subject: [PATCH 16/19] CI: Add check-image-map and check-hierarchy to check-tags workflow These commands ensure that the image map and hierarchy defined in kolla-images.py matches Kolla Ansible. Also update the path filter to run the check-tags workflow when pulp.yml or kolla-images.py is modified. --- .github/path-filters.yml | 2 ++ .github/workflows/stackhpc-check-tags.yml | 9 +++++ etc/kayobe/ansible/check-kolla-images-py.yml | 35 ++++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 etc/kayobe/ansible/check-kolla-images-py.yml diff --git a/.github/path-filters.yml b/.github/path-filters.yml index b9815d9d6..e9ef5a5ae 100644 --- a/.github/path-filters.yml +++ b/.github/path-filters.yml 
@@ -23,3 +23,5 @@ aio: check-tags: - '.github/workflows/stackhpc-check-tags.yml' - 'etc/kayobe/kolla-image-tags.yml' + - 'etc/kayobe/pulp.yml' + - 'tools/kolla-images.py' diff --git a/.github/workflows/stackhpc-check-tags.yml b/.github/workflows/stackhpc-check-tags.yml index 4016c00e9..db2383e21 100644 --- a/.github/workflows/stackhpc-check-tags.yml +++ b/.github/workflows/stackhpc-check-tags.yml @@ -46,6 +46,15 @@ jobs: run: | docker image pull $KAYOBE_IMAGE + - name: Check kolla-images.py image map and tag hierarchy + run: | + docker run -t --rm \ + -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \ + -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \ + $KAYOBE_IMAGE \ + /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/playbook-run.sh \ + '$KAYOBE_CONFIG_PATH/ansible/check-kolla-images-py.yml' + - name: Check container image tags run: | docker run -t --rm \ diff --git a/etc/kayobe/ansible/check-kolla-images-py.yml b/etc/kayobe/ansible/check-kolla-images-py.yml new file mode 100644 index 000000000..ba934a222 --- /dev/null +++ b/etc/kayobe/ansible/check-kolla-images-py.yml 
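Review bot: The added "Check kolla-images.py image map and tag hierarchy" step forwards `KAYOBE_VAULT_PASSWORD` and `KAYOBE_AUTOMATION_SSH_PRIVATE_KEY` into the container, yet the playbook it runs (`check-kolla-images-py.yml`) only clones Kolla Ansible and runs `kolla-images.py` on localhost. If `playbook-run.sh` does not require them, dropping those two `-e` flags from this step keeps the secrets out of a job that works on code fetched from another repository. `$(pwd)` and `$KAYOBE_IMAGE` are also unquoted, matching the existing step below; quoting both (`-v "$(pwd)":/stack/...`, `"$KAYOBE_IMAGE"`) is more robust.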
@@ -0,0 +1,35 @@ +--- +- name: Check kolla-images.py image map and tag hierarchy + hosts: localhost + gather_facts: false + tasks: + - name: Create a temporary directory + ansible.builtin.tempfile: + state: directory + suffix: kolla-ansible + register: tempdir_result + + - name: Clone Kolla Ansible repository + ansible.builtin.git: + repo: "{{ stackhpc_kolla_ansible_source_url }}" + version: "{{ stackhpc_kolla_ansible_source_version }}" + dest: "{{ tempdir_result.path }}" + + - name: Check image mapping + ansible.builtin.command: + cmd: >- + {{ kayobe_config_path }}/../../tools/kolla-images.py + check-image-map + --kolla-ansible-path {{ tempdir_result.path }} + + - name: Check tag hierarchy + ansible.builtin.command: + cmd: >- + {{ kayobe_config_path }}/../../tools/kolla-images.py + check-hierarchy + --kolla-ansible-path {{ tempdir_result.path }} + + - name: Remove temporary directory + ansible.builtin.file: + path: "{{ tempdir_result.path }}" + state: absent From 1edb38ba15fcaafe9334208550a6cd858f577ec6 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 12 Sep 2024 10:43:17 +0100 Subject: [PATCH 17/19] CI: Trigger build-kayobe-image for check-tags job --- .github/path-filters.yml | 7 +++++-- .github/workflows/stackhpc-pull-request.yml | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/path-filters.yml b/.github/path-filters.yml index e9ef5a5ae..02d0ab609 100644 --- a/.github/path-filters.yml +++ b/.github/path-filters.yml @@ -1,5 +1,5 @@ # This file is a list of path filters for the PR workflow in .github/workflows/stackhpc-pull-request.yml. -aio: +aio: &aio - '.automation' - '.automation.conf/config.sh' - '.automation.conf/tempest/load-lists/default' 
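Review bot: The "Remove temporary directory" task runs only when both checks succeed, so a failed check leaves the Kolla Ansible clone behind; wrapping the clone and the checks in a `block` with the removal under `always` fixes that. The two `ansible.builtin.command` tasks also build the command line as one templated string, which is split on whitespace, so a `kayobe_config_path` or temporary path containing a space would break the arguments. Using `argv` avoids that, and `changed_when: false` stops these read-only checks from reporting a change.

```yaml
    # … unchanged: Create a temporary directory …

    - name: Check kolla-images.py against Kolla Ansible
      block:
        # … unchanged: Clone Kolla Ansible repository (indented under block) …

        - name: Check image mapping
          ansible.builtin.command:
            argv:
              - "{{ kayobe_config_path }}/../../tools/kolla-images.py"
              - check-image-map
              - --kolla-ansible-path
              - "{{ tempdir_result.path }}"
          changed_when: false

        - name: Check tag hierarchy
          ansible.builtin.command:
            argv:
              - "{{ kayobe_config_path }}/../../tools/kolla-images.py"
              - check-hierarchy
              - --kolla-ansible-path
              - "{{ tempdir_result.path }}"
          changed_when: false
      always:
        - name: Remove temporary directory
          ansible.builtin.file:
            path: "{{ tempdir_result.path }}"
            state: absent
```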
@@ -20,8 +20,11 @@ aio: - 'kayobe-env' - 'requirements.txt' - 'terraform/aio/**' -check-tags: +check-tags: &check-tags - '.github/workflows/stackhpc-check-tags.yml' - 'etc/kayobe/kolla-image-tags.yml' - 'etc/kayobe/pulp.yml' - 'tools/kolla-images.py' +build-kayobe-image: + - *aio + - *check-tags diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml index 34d644bd9..f5cfb90de 100644 --- a/.github/workflows/stackhpc-pull-request.yml +++ b/.github/workflows/stackhpc-pull-request.yml @@ -20,6 +20,7 @@ jobs: if: github.repository == 'stackhpc/stackhpc-kayobe-config' outputs: aio: ${{ steps.changes.outputs.aio }} + build-kayobe-image: ${{ steps.changes.outputs.build-kayobe-image }} check-tags: ${{ steps.changes.outputs.check-tags }} steps: - name: GitHub Checkout @@ -74,7 +75,7 @@ jobs: - check-changes uses: ./.github/workflows/stackhpc-build-kayobe-image.yml with: - if: ${{ needs.check-changes.outputs.aio == 'true' }} + if: ${{ needs.check-changes.outputs.build-kayobe-image == 'true' }} if: github.repository == 'stackhpc/stackhpc-kayobe-config' check-tags: From a4f03d42e54319f3dc44fdd306841c9e34da3238 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 12 Sep 2024 11:31:06 +0100 Subject: [PATCH 18/19] kolla-images.py: Add image map exception for neutron_eswitchd This was not caught because neutron-mlnx-agent is not in the list of supported images in pulp.yml. --- tools/kolla-images.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/kolla-images.py b/tools/kolla-images.py index 65c2f78e7..34ea9d6b8 100755 --- a/tools/kolla-images.py +++ b/tools/kolla-images.py @@ -52,6 +52,7 @@ "mariabackup", ], "neutron-mlnx-agent": [ + "neutron_eswitchd", "neutron_mlnx_agent", ], "neutron-metadata-agent": [ From 7d980678f40f6afb004013a7c1f9dcd23c17c602 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Thu, 12 Sep 2024 12:16:22 +0100 Subject: [PATCH 19/19] Fix growroot when using software raid (#818) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix growroot when using software raid Using @markgoddard's suggestion from: https://github.com/stackhpc/stackhpc-kayobe-config/pull/770#issuecomment-1814402925 * Add a release note * Update releasenotes/notes/fixes-growroot-for-software-raid-3852bdea5415a0be.yaml Co-authored-by: Alex-Welsh Co-authored-by: MichaƂ Nasiadka --- etc/kayobe/ansible/growroot.yml | 2 +- .../fixes-growroot-for-software-raid-3852bdea5415a0be.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-growroot-for-software-raid-3852bdea5415a0be.yaml diff --git a/etc/kayobe/ansible/growroot.yml b/etc/kayobe/ansible/growroot.yml index 333991aa0..4748ab75b 100644 --- a/etc/kayobe/ansible/growroot.yml +++ b/etc/kayobe/ansible/growroot.yml @@ -75,7 +75,7 @@ vars: pv: "{{ pvs.stdout | from_json }}" disk_tmp: "{{ pv.report[0].pv[0].pv_name[:-1] }}" - disk: "{{ disk_tmp[:-1] if disk_tmp[-1] == 'p' and disk_tmp[:9] == '/dev/nvme' else disk_tmp }}" + disk: "{{ disk_tmp[:-1] if pv.report[0].pv[0].pv_name | regex_search('[a-z0-9]+[0-9]+p[0-9]+') else disk_tmp }}" part_num: "{{ pv.report[0].pv[0].pv_name[-1] }}" become: true failed_when: "growpart.rc != 0 and 'NOCHANGE' not in growpart.stdout" diff --git a/releasenotes/notes/fixes-growroot-for-software-raid-3852bdea5415a0be.yaml b/releasenotes/notes/fixes-growroot-for-software-raid-3852bdea5415a0be.yaml new file mode 100644 index 000000000..0f66c6934 --- /dev/null +++ b/releasenotes/notes/fixes-growroot-for-software-raid-3852bdea5415a0be.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes a regression when using ``growroot.yml`` and software raid where the + playbook would fail to identify the correct disk.
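Review bot: The new `regex_search('[a-z0-9]+[0-9]+p[0-9]+')` in the `disk` var of growroot.yml is unanchored, so it matches anywhere in `pv_name`, and `disk_tmp` and `part_num` still assume a one-digit partition number through `[:-1]` and `[-1]`. Anchoring the test to the end of the name, `regex_search('[0-9]p[0-9]+$')`, limits it to names that really end in a `p<N>` partition suffix. A partition number of 10 or more would still yield the wrong disk and number, because the slicing strips exactly one character; deriving both with `regex_replace` on the trailing digits would cover that. A comment listing the name forms handled (constructed examples: `/dev/sda2`, `/dev/nvme0n1p2`, `/dev/md126p2`) would help. The task these vars belong to starts outside the hunk.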