Merge pull request #612 from stackhpc/yoga/centos-stream8-snapshots-2023-09-04

Update CentOS 8 Stream snapshots

Author: markgoddard

etc/kayobe/dnf.yml

@@ -90,12 +90,22 @@ dnf_custom_repos_centos:
     file: CentOS-Stream-BaseOS
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
     gpgcheck: yes
+    # Exclude buggy iptables: https://bugzilla.redhat.com/show_bug.cgi?id=2236501
+    exclude: "iptables-1.8.5* iptables-libs-1.8.5* iptables-ebtables-1.8.5* iptables-services-1.8.5* iptables-arptables-1.8.5* iptables-devel-1.8.5*"
   extras:
+    # This repo is no longer updated: https://www.spinics.net/lists/centos-devel/msg21454.html
     baseurl: "{{ stackhpc_repo_centos_stream_extras_url }}"
     description: "CentOS Stream $releasever - Extras"
     file: CentOS-Stream-Extras
+    enabled: false
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
     gpgcheck: yes
+  extras-common:
+    baseurl: "{{ stackhpc_repo_centos_stream_extras_common_url }}"
+    description: "CentOS Stream $releasever - Extras common Packages"
+    file: CentOS-Stream-Extras-common
+    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras
+    gpgcheck: yes
 
 # Rocky 8 specific repositories
 dnf_custom_repos_rocky:

etc/kayobe/environments/ci-aio/stackhpc-ci.yml

@@ -23,6 +23,7 @@ stackhpc_repo_mirror_url: "http://pulp-server.internal.sms-cloud:8080"
 stackhpc_repo_centos_stream_baseos_version: "{{ stackhpc_pulp_repo_centos_stream_8_baseos_version }}"
 stackhpc_repo_centos_stream_appstream_version: "{{ stackhpc_pulp_repo_centos_stream_8_appstream_version }}"
 stackhpc_repo_centos_stream_extras_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_version }}"
+stackhpc_repo_centos_stream_extras_common_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_common_version }}"
 stackhpc_repo_epel_version: "{{ stackhpc_pulp_repo_epel_version }}"
 stackhpc_repo_epel_modular_version: "{{ stackhpc_pulp_repo_epel_modular_version }}"
 stackhpc_repo_docker_version: "{{ stackhpc_pulp_repo_docker_version }}"

etc/kayobe/environments/ci-builder/stackhpc-ci.yml

@@ -47,6 +47,7 @@ stackhpc_repo_mirror_url: "http://pulp-server.internal.sms-cloud:8080"
 stackhpc_repo_centos_stream_baseos_version: "{{ stackhpc_pulp_repo_centos_stream_8_baseos_version }}"
 stackhpc_repo_centos_stream_appstream_version: "{{ stackhpc_pulp_repo_centos_stream_8_appstream_version }}"
 stackhpc_repo_centos_stream_extras_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_version }}"
+stackhpc_repo_centos_stream_extras_common_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_common_version }}"
 stackhpc_repo_epel_version: "{{ stackhpc_pulp_repo_epel_version }}"
 stackhpc_repo_epel_modular_version: "{{ stackhpc_pulp_repo_epel_modular_version }}"
 stackhpc_repo_docker_version: "{{ stackhpc_pulp_repo_docker_version }}"

etc/kayobe/environments/ci-multinode/stackhpc-ci.yml

@@ -23,6 +23,7 @@ stackhpc_repo_mirror_url: "http://pulp-server.internal.sms-cloud:8080"
 stackhpc_repo_centos_stream_baseos_version: "{{ stackhpc_pulp_repo_centos_stream_8_baseos_version }}"
 stackhpc_repo_centos_stream_appstream_version: "{{ stackhpc_pulp_repo_centos_stream_8_appstream_version }}"
 stackhpc_repo_centos_stream_extras_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_version }}"
+stackhpc_repo_centos_stream_extras_common_version: "{{ stackhpc_pulp_repo_centos_stream_8_extras_common_version }}"
 stackhpc_repo_epel_version: "{{ stackhpc_pulp_repo_epel_version }}"
 stackhpc_repo_epel_modular_version: "{{ stackhpc_pulp_repo_epel_modular_version }}"
 stackhpc_repo_docker_version: "{{ stackhpc_pulp_repo_docker_version }}"

etc/kayobe/kolla.yml

@@ -153,8 +153,8 @@ stackhpc_centos_stream_repos:
   - url: "{{ stackhpc_repo_centos_stream_appstream_url }}"
     file: "CentOS-Stream-AppStream.repo"
     tag: "appstream"
-  - url: "{{ stackhpc_repo_centos_stream_extras_url }}"
-    file: "CentOS-Stream-Extras.repo"
+  - url: "{{ stackhpc_repo_centos_stream_extras_common_url }}"
+    file: "CentOS-Stream-Extras-common.repo"
     tag: "extras"
 
 # List of repositories for EPEL.

etc/kayobe/kolla/globals.yml

@@ -6,49 +6,60 @@
 # non-overcloud hosts
 enable_docker_repo: "{% raw %}{{ 'overcloud' not in group_names or ansible_facts.os_family == 'Debian' }}{% endraw %}"
 
-magnum_tag: yoga-20230825T142202
-neutron_tag: yoga-20230728T081242
-nova_tag: yoga-20230718T112646
-octavia_tag: yoga-20230523T110936
-opensearch_tag: yoga-20230904T121340
-openvswitch_tag: yoga-20230515T150233
-ovn_tag: yoga-20230515T150233
-
 # kolla_base_distro must be set here to be resolvable on a per-host basis
 # This is necessary for os migrations where mixed clouds might be deployed
 kolla_base_distro: "{% raw %}{{ 'centos' if ansible_facts.distribution == 'Rocky' and ansible_facts.distribution_major_version == '8' else ansible_facts.distribution | lower }}{% endraw %}"
 
+opensearch_tag: yoga-20230904T121340
+
 kayobe_image_tags:
   openstack:
-    centos: yoga-20230217T135826
+    centos: yoga-20230905T130221
     rocky: yoga-20230310T170929
     ubuntu: yoga-20230220T181235
   bifrost:
-    centos: yoga-20230217T160618
     rocky: yoga-20230310T194732
     ubuntu: yoga-20230220T184947
   blazar:
-    centos: yoga-20230315T125157
     rocky: yoga-20230315T130918
     ubuntu: yoga-20230315T125441
   caso:
-    centos: yoga-20230315T125157
     rocky: yoga-20230315T130918
     ubuntu: yoga-20230315T125441
   grafana:
-    centos: yoga-20230419T085955
     rocky: yoga-20230419T111514
     ubuntu: yoga-20230426T084340
   ironic:
-    centos: yoga-20230316T154655
     rocky: yoga-20230316T170311
     ubuntu: yoga-20230316T154704
   ironic_dnsmasq:
-    centos: yoga-20230217T135826
     rocky: yoga-20230310T170929
     ubuntu: yoga-20230220T181235
+  kibana:
+    centos: yoga-20230907T152300
+  magnum:
+    rocky: yoga-20230825T142202
+    ubuntu: yoga-20230825T142202
+  neutron:
+    rocky: yoga-20230728T081242
+    ubuntu: yoga-20230728T081242
+  nova:
+    rocky: yoga-20230718T112646
+    ubuntu: yoga-20230718T112646
+  nova_libvirt:
+    # Live-migration is broken from qemu-kvm-6.2.0-20.module_el8.7.0+1218+f626c2ff to qemu-kvm-6.2.0-39.module_el8+669+76cc32af
+    # with signature: `Missing section footer for 0000:00:01.3/piix4_pm`. Test carefully before bumping.
+    centos: yoga-20230718T112646    
+  octavia:
+    rocky: yoga-20230523T110936
+    ubuntu: yoga-20230523T110936
+  openvswitch:
+    rocky: yoga-20230515T150233
+    ubuntu: yoga-20230515T150233
+  ovn:
+    rocky: yoga-20230515T150233
+    ubuntu: yoga-20230515T150233
   prometheus_node_exporter:
-    centos: yoga-20230310T173747
     rocky: yoga-20230315T170614
     ubuntu: yoga-20230315T170541
 
@@ -58,6 +69,14 @@ caso_tag: "{% raw %}{{ kayobe_image_tags['caso'][kolla_base_distro] | default(op
 grafana_tag: "{% raw %}{{ kayobe_image_tags['grafana'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
 ironic_tag: "{% raw %}{{ kayobe_image_tags['ironic'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
 ironic_dnsmasq_tag: "{% raw %}{{ kayobe_image_tags['ironic_dnsmasq'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+kibana_tag: "{% raw %}{{ kayobe_image_tags['kibana'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+nova_libvirt_tag: "{% raw %}{{ kayobe_image_tags['nova_libvirt'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+octavia_tag: "{% raw %}{{ kayobe_image_tags['octavia'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+openvswitch_tag: "{% raw %}{{ kayobe_image_tags['openvswitch'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
+ovn_tag: "{% raw %}{{ kayobe_image_tags['ovn'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
 prometheus_node_exporter_tag: "{% raw %}{{ kayobe_image_tags['prometheus_node_exporter'][kolla_base_distro] | default(openstack_tag) }}{% endraw %}"
 
 glance_tls_proxy_tag: "{% raw %}{{ haproxy_tag | default(openstack_tag) }}{% endraw %}"

etc/kayobe/pulp-repo-versions.yml

@@ -1,31 +1,32 @@
 ---
 # Do not edit! This file is autogenerated by Ansible.
 stackhpc_pulp_repo_centos_stream_8_advanced_virtualization_version: 20211122T102435
-stackhpc_pulp_repo_centos_stream_8_appstream_version: 20230201T025809
-stackhpc_pulp_repo_centos_stream_8_baseos_version: 20230201T025809
+stackhpc_pulp_repo_centos_stream_8_appstream_version: 20230903T003752
+stackhpc_pulp_repo_centos_stream_8_baseos_version: 20230903T003752
 stackhpc_pulp_repo_centos_stream_8_extras_version: 20220401T032901
-stackhpc_pulp_repo_centos_stream_8_nfv_extras_version: 20220609T110556
-stackhpc_pulp_repo_centos_stream_8_nfv_openvswitch_version: 20230510T072502
-stackhpc_pulp_repo_centos_stream_8_openstack_yoga_version: 20230206T150339
-stackhpc_pulp_repo_centos_stream_8_opstools_version: 20220617T100837
-stackhpc_pulp_repo_centos_stream_8_powertools_version: 20230201T025809
-stackhpc_pulp_repo_centos_stream_8_storage_ceph_pacific_version: 20230201T025809
+stackhpc_pulp_repo_centos_stream_8_extras_common_version: 20230905T090158
+stackhpc_pulp_repo_centos_stream_8_nfv_extras_version: 20230308T103119
+stackhpc_pulp_repo_centos_stream_8_nfv_openvswitch_version: 20230829T005959
+stackhpc_pulp_repo_centos_stream_8_openstack_yoga_version: 20230812T015145
+stackhpc_pulp_repo_centos_stream_8_opstools_version: 20230615T071742
+stackhpc_pulp_repo_centos_stream_8_powertools_version: 20230903T003752
+stackhpc_pulp_repo_centos_stream_8_storage_ceph_pacific_version: 20230709T010022
 stackhpc_pulp_repo_centos_stream_9_docker_version: 20230228T044432
 stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230510T072502
 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20230310T163106
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230301T034123
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230308T155704
 stackhpc_pulp_repo_docker_ce_ubuntu_version: 20230811T005529
-stackhpc_pulp_repo_docker_version: 20230203T025251
-stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20230203T025251
+stackhpc_pulp_repo_docker_version: 20230801T003759
+stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20230727T144020
 stackhpc_pulp_repo_epel_9_version: 20230302T031902
 stackhpc_pulp_repo_epel_modular_version: 20220913T043117
 stackhpc_pulp_repo_epel_version: 20230206T150339
-stackhpc_pulp_repo_grafana_version: 20230418T141317
-stackhpc_pulp_repo_mariadb_10_6_centos8_version: 20230206T150339
+stackhpc_pulp_repo_grafana_version: 20230903T003752
+stackhpc_pulp_repo_mariadb_10_6_centos8_version: 20230815T010124
 stackhpc_pulp_repo_mlnx_ofed_5_7_1_0_2_0_rhel8_6_version: 20220920T151419
-stackhpc_pulp_repo_rabbitmq_erlang_version: 20221229T025716
-stackhpc_pulp_repo_rabbitmq_server_version: 20230201T025809
+stackhpc_pulp_repo_rabbitmq_erlang_version: 20230801T003759
+stackhpc_pulp_repo_rabbitmq_server_version: 20230825T131407
 stackhpc_pulp_repo_rhel_9_influxdb_version: 20230228T044432
 stackhpc_pulp_repo_rhel_9_mariadb_10_6_version: 20230228T044432
 stackhpc_pulp_repo_rhel_9_treasuredata_4_version: 20230228T044432
@@ -49,7 +50,7 @@ stackhpc_pulp_repo_rocky_9_2_baseos_version: 20230825T131407
 stackhpc_pulp_repo_rocky_9_2_crb_version: 20230825T131407
 stackhpc_pulp_repo_rocky_9_2_extras_version: 20230825T131407
 stackhpc_pulp_repo_rocky_9_2_highavailability_version: 20230805T012805
-stackhpc_pulp_repo_treasuredata_4_version: 20221105T035018
+stackhpc_pulp_repo_treasuredata_4_version: 20230903T003752
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20230811T105337
 stackhpc_pulp_repo_ubuntu_focal_security_version: 20230825T083004
 stackhpc_pulp_repo_ubuntu_focal_version: 20230825T083004

etc/kayobe/pulp.yml

@@ -277,6 +277,12 @@ stackhpc_pulp_rpm_repos:
     base_path: "centos/8-stream/extras/x86_64/os/"
     required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}"
 
+  - name: CentOS Stream 8 - Extras Common packages
+    url: "{{ stackhpc_release_pulp_content_url }}/centos/8-stream/extras/x86_64/extras-common/{{ stackhpc_pulp_repo_centos_stream_8_extras_common_version }}"
+    distribution_name: "centos-stream-8-extras-common-"
+    base_path: "centos/8-stream/extras/x86_64/extras-common/"
+    required: "{{ stackhpc_pulp_sync_centos_stream8 | bool }}"
+
   # Base Rocky 8 repositories
   - name: Rocky Linux 8 - AppStream
     url: "{{ stackhpc_release_pulp_content_url }}/rocky/8.{{ stackhpc_pulp_repo_rocky_8_minor_version }}/AppStream/x86_64/os/{{ stackhpc_pulp_repo_rocky_8_appstream_version }}"

etc/kayobe/stackhpc.yml

@@ -53,6 +53,10 @@ stackhpc_repo_centos_stream_appstream_version: "{{ stackhpc_repo_distribution }}
 stackhpc_repo_centos_stream_extras_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/centos/8-stream/extras/x86_64/os/{{ stackhpc_repo_centos_stream_extras_version }}"
 stackhpc_repo_centos_stream_extras_version: "{{ stackhpc_repo_distribution }}"
 
+# CentOS Stream 8 Extras Common packages
+stackhpc_repo_centos_stream_extras_common_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/centos/8-stream/extras/x86_64/extras-common/{{ stackhpc_repo_centos_stream_extras_common_version }}"
+stackhpc_repo_centos_stream_extras_common_version: "{{ stackhpc_repo_distribution }}"
+
 # EPEL 8
 stackhpc_repo_epel_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/epel/8/Everything/x86_64/{{ stackhpc_repo_epel_version }}"
 stackhpc_repo_epel_version: "{{ stackhpc_repo_distribution }}"

releasenotes/notes/bump-centos8-stream-snapshots-2023-09-04-a473edfd3f3b2298.yaml

@@ -0,0 +1,19 @@
+---
+security:
+  - |
+    Bumps CentOS Stream 8 snapshots to include fixes for Zenbleed
+    (CVE-2023-20593), Downfall (CVE-2022-40982) and Inception (CVE-2023-20569).
+    It is recommended that you update your OS packages and reboot into the kernel
+    as soon as possible.
+upgrade:
+  - |
+    CentOS Stream 8 snapshots have been bumped and new container images are
+    available.  Make sure to sync these into your local pulp. The yum repositories
+    must be reconfigured to exclude a `buggy version of iptables
+    <https://bugzilla.redhat.com/show_bug.cgi?id=2236501>`__. To do this use:
+    ``kayobe overcloud service reconfigure -kt none -t dnf``.
+  - |
+    CentOS Extras has been replaced with CentOS Extras Common. You may need to
+    use the ``--allowerasing`` option with DNF if you have packages installed
+    from the old repo. This is a one time only thing and on the next package
+    update you can drop this argument.