Merge pull request #1124 from stackhpc/yoga-bumps

markgoddard · web-flow · commit 928f96c9e149 · 2024-07-02T16:32:54.000+01:00
yoga: Fix CVE-2024-32498 & CentOS Stream 8 CI
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
@@ -14,7 +14,7 @@ on:
       os_distribution:
         description: Host OS distribution
         type: string
-        default: rocky
+        default: centos
       os_release:
         description: Host OS release
         type: string
@@ -234,6 +234,21 @@ jobs:
         run: |
           docker image pull $KAYOBE_IMAGE
 
+      # NOTE: Boostrap release train repos before growroot due to missing
+      # upstream CS8 repos preventing installation of growroot package.
+      - name: Host configure
+        run: |
+          docker run -t --rm \
+            -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \
+            -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY -e KAYOBE_TAGS -e KOLLA_TAGS \
+            $KAYOBE_IMAGE \
+            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-host-configure.sh
+        env:
+          KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
+          KAYOBE_TAGS: "ssh-known-host,kayobe-ansible-user,kayobe-target-venv,dnf,kolla-ansible-user,kolla-pip,kolla-target-venv"
+          KOLLA_TAGS: "none"
+        if: inputs.os_distribution == 'centos' && inputs.os_release == '8-stream'
+
       - name: Run growroot
         run: |
           docker run -t --rm \
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
@@ -76,6 +76,34 @@ jobs:
       if: ${{ needs.check-changes.outputs.aio == 'true' }}
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 
+  all-in-one-centos-ovs:
+    name: aio (CentOS OVS)
+    needs:
+      - check-changes
+      - build-kayobe-image
+    uses: ./.github/workflows/stackhpc-all-in-one.yml
+    with:
+      kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }}
+      neutron_plugin: ovs
+      OS_CLOUD: openstack
+      if: ${{ needs.check-changes.outputs.aio == 'true' }}
+    secrets: inherit
+    if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }}
+
+  all-in-one-centos-ovn:
+    name: aio (CentOS OVN)
+    needs:
+      - check-changes
+      - build-kayobe-image
+    uses: ./.github/workflows/stackhpc-all-in-one.yml
+    with:
+      kayobe_image: ${{ needs.build-kayobe-image.outputs.kayobe_image }}
+      neutron_plugin: ovn
+      OS_CLOUD: openstack
+      if: ${{ needs.check-changes.outputs.aio == 'true' }}
+    secrets: inherit
+    if: ${{ ! failure() && ! cancelled() && github.repository == 'stackhpc/stackhpc-kayobe-config' }}
+
   all-in-one-rocky-8-ovs:
     name: aio (Rocky OVS)
     needs:
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
@@ -15,10 +15,18 @@ kayobe_image_tags:
     centos: yoga-20231024T093507
     rocky: yoga-20231218T141822
     ubuntu: yoga-20231024T093507
+  cinder:
+    centos: yoga-20240701T132344
+    rocky: yoga-20240701T132344
+    ubuntu: yoga-20240701T132344
   cloudkitty:
     centos: yoga-20240503T150127
     rocky: yoga-20240503T150127
     ubuntu: yoga-20240503T150127
+  glance:
+    centos: yoga-20240702T105751
+    rocky: yoga-20240702T105751
+    ubuntu: yoga-20240702T105751
   heat:
     centos: yoga-20240320T082414
     rocky: yoga-20240320T082414
@@ -32,17 +40,24 @@ kayobe_image_tags:
     rocky: yoga-20240105T120257
     ubuntu: yoga-20231114T125927
   nova:
+    centos: yoga-20240702T105751
+    rocky: yoga-20240702T105751
+    ubuntu: yoga-20240702T105751
+  nova_libvirt:
     centos: yoga-20231113T171023
     rocky: yoga-20240105T120257
     ubuntu: yoga-20231103T161400
 
 cloudkitty_tag: "{% raw %}{{ kayobe_image_tags['cloudkitty'][kolla_base_distro] }}{% endraw %}"
+cinder_tag: "{% raw %}{{ kayobe_image_tags['cinder'][kolla_base_distro] }}{% endraw %}"
+glance_tag: "{% raw %}{{ kayobe_image_tags['glance'][kolla_base_distro] }}{% endraw %}"
 grafana_tag: yoga-20240510T114335
 heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}"
 horizon_tag: yoga-20240510T114335
 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}"
 neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}"
 nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}"
+nova_libvirt_tag: "{% raw %}{{ kayobe_image_tags['nova_libvirt'][kolla_base_distro] }}{% endraw %}"
 opensearch_tag: yoga-20231219T221916
 prometheus_tag: yoga-20240510T145442
 
diff --git a/releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml b/releasenotes/notes/cve-2024-32498-2cbd205129351766.yaml
@@ -0,0 +1,7 @@
+---
+critical:
+  - |
+    Fixes `CVE-2024-32498
+    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498>`_ with
+    updated container images for Cinder, Glance and Nova services.
+
