new changes

bertiethorpe · bertiethorpe · commit 92e6d1c72bbb · 2024-09-18T12:32:27.000Z
diff --git a/.github/workflows/fatimage-cron.yml b/.github/workflows/fatimage-cron.yml
@@ -0,0 +1,130 @@
+name: Nightly fat image build
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'  # Run at midnight
+
+jobs:
+  openstack:
+    name: openstack-imagebuild
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os_version }}-${{ matrix.build }} # to branch/PR + OS + build
+      cancel-in-progress: true
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false # allow other matrix jobs to continue even if one fails
+      matrix: # build RL8+OFED, RL9+OFED base images
+        os_version:
+          - RL8
+          - RL9
+        build:
+          - openstack.openhpc-latest
+    env:
+      ANSIBLE_FORCE_COLOR: True
+      OS_CLOUD: openstack
+      CI_CLOUD: ${{ vars.CI_CLOUD }}
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Setup ssh
+        run: |
+          set -x
+          mkdir ~/.ssh
+          echo "${{ secrets[format('{0}_SSH_KEY', vars.CI_CLOUD)] }}" > ~/.ssh/id_rsa
+          chmod 0600 ~/.ssh/id_rsa
+        shell: bash
+
+      - name: Add bastion's ssh key to known_hosts
+        run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
+        shell: bash
+      
+      - name: Install ansible etc
+        run: dev/setup-env.sh
+      
+      - name: Write clouds.yaml
+        run: |
+          mkdir -p ~/.config/openstack/
+          echo "${{ secrets[format('{0}_CLOUDS_YAML', vars.CI_CLOUD)] }}" > ~/.config/openstack/clouds.yaml
+        shell: bash
+
+      - name: Setup environment
+        run: |
+          . venv/bin/activate
+          . environments/.stackhpc/activate
+
+      - name: Build fat image with packer
+        id: packer_build
+        run: |
+          set -x
+          . venv/bin/activate
+          . environments/.stackhpc/activate
+          cd packer/
+          packer init .
+
+          PACKER_LOG=1 packer build \
+          -on-error=${{ vars.PACKER_ON_ERROR }} \
+          -only=${{ matrix.build }} \
+          -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl \
+          openstack.pkr.hcl
+        env:
+          PKR_VAR_os_version: ${{ matrix.os_version }}
+
+      - name: Get created image names from manifest
+        id: manifest
+        run: |
+          . venv/bin/activate
+          IMAGE_ID=$(jq --raw-output '.builds[-1].artifact_id' packer/packer-manifest.json)
+          while ! openstack image show -f value -c name $IMAGE_ID; do
+            sleep 5
+          done
+          IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
+          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Download image
+        run: |
+          . venv/bin/activate
+          sudo mkdir /mnt/images
+          sudo chmod 777 /mnt/images
+          openstack image save --file /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: install libguestfs
+        run: |
+          sudo apt -y update
+          sudo apt -y install libguestfs-tools
+
+      - name: mkdir for mount
+        run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
+
+      - name: mount qcow2 file
+        run: sudo guestmount -a /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.17.0
+        with:
+          scan-type: fs
+          scan-ref: "${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: sarif
+          output: "${{ steps.manifest.outputs.image-name }}.sarif"
+          # turn off secret scanning to speed things up
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
+          category: "${{ matrix.os_version }}-${{ matrix.build }}"
+
+      - name: Fail if scan has CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@0.16.1
+        with:
+          scan-type: fs
+          scan-ref: "${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: table
+          exit-code: '1'
+          severity: 'CRITICAL'
+          ignore-unfixed: true
diff --git a/.github/workflows/fatimage.yml b/.github/workflows/fatimage.yml
@@ -66,30 +66,11 @@ jobs:
           cd packer/
           packer init .
 
-          MATRIX_BUILD="${{ matrix.build }}"
-          CLEAN_BUILD="${MATRIX_BUILD#openstack.}"
-          # SOURCE_IMAGE_NAME="${CLEAN_BUILD}-${{ matrix.os_version }}-latest"
-          SOURCE_IMAGE_NAME="{
-            RL8: "${CLEAN_BUILD}-${{ matrix.os_version }}-latest"
-            RL9: "${CLEAN_BUILD}-${{ matrix.os_version }}-latest"
-          }"
-          IMAGE_NAME="${CLEAN_BUILD}-${{ matrix.os_version }}-latest"
-          
-          PACKER_CMD="PACKER_LOG=1 packer build \
-          -debug \
+          PACKER_LOG=1 packer build \
           -on-error=${{ vars.PACKER_ON_ERROR }} \
           -only=${{ matrix.build }} \
           -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl \
-          -var "source_image_name=${SOURCE_IMAGE_NAME}" \
-          openstack.pkr.hcl"
-
-          # if [ "${{ github.event_name }}" != "schedule" ]; then
-          #   PACKER_CMD="$PACKER_CMD -var 'source_image_name[${{ matrix.os_version }}]=${SOURCE_IMAGE_NAME}'"
-          # else
-          #   PACKER_CMD="$PACKER_CMD -var 'image_name=$IMAGE_NAME'"
-          # fi
-
-          eval $PACKER_CMD
+          openstack.pkr.hcl
         env:
           PKR_VAR_os_version: ${{ matrix.os_version }}
 
diff --git a/packer/openstack.pkr.hcl b/packer/openstack.pkr.hcl
@@ -132,7 +132,7 @@ variable "volume_size" {
   type = map(number)
   default = {
     # fat image builds, GB:
-    openhpc = 15
+    openhpc-latest = 15
     openhpc-ofed = 15
     openhpc-cuda = 30
   }
@@ -153,9 +153,9 @@ variable "groups" {
   description = "Additional inventory groups (other than 'builder') to add build VM to, keyed by source name"
   default = {
     # fat image builds:
-    openhpc = ["control", "compute", "login"]
-    openhpc-ofed = ["control", "compute", "login", "ofed"]
-    openhpc-cuda = ["control", "compute", "login", "ofed", "cuda"]
+    openhpc-latest = ["ofed"]
+    openhpc-ofed = ["control", "compute", "login"]
+    openhpc-cuda = ["control", "compute", "login", "cuda"]
   }
 }
 
@@ -191,9 +191,9 @@ source "openstack" "openhpc" {
 
 build {
 
-  # non-OFED fat image:
+  # latest fat image:
   source "source.openstack.openhpc" {
-    name = "openhpc"
+    name = "openhpc-latest"
   }
 
   # OFED fat image:
