Merge pull request #1289 from stackhpc/caracal-host-images

Caracal host images

Author: Alex-Welsh

.github/workflows/overcloud-host-image-build.yml

@@ -98,15 +98,15 @@ jobs:
         run: |
           cat << EOF > terraform.tfvars
           ssh_public_key = "id_rsa.pub"
-          ssh_username = "rocky"
+          ssh_username = "ubuntu"
           aio_vm_name = "skc-host-image-builder"
-          # Must be a Rocky Linux 9 host to successfully build all images
+          # Must be an Ubuntu Jammy host to successfully build all images
           # This MUST NOT be an LVM image. It can cause confusing conficts with the built image.
-          aio_vm_image = "Rocky-9-GenericCloud-Base-9.3-20231113.0.x86_64.qcow2"
+          aio_vm_image = "Ubuntu-22.04"
           aio_vm_flavor = "en1.medium"
           aio_vm_network = "stackhpc-ci"
           aio_vm_subnet = "stackhpc-ci"
-          aio_vm_interface = "eth0"
+          aio_vm_interface = "ens3"
           EOF
         working-directory: ${{ github.workspace }}/src/kayobe-config/terraform/aio
 
@@ -184,14 +184,14 @@ jobs:
         run: |
           source venvs/kayobe/bin/activate &&
           source src/kayobe-config/kayobe-env --environment ci-builder &&
-          kayobe seed host configure -e seed_bootstrap_user=rocky --skip-tags network
+          kayobe seed host configure -e seed_bootstrap_user=ubuntu --skip-tags network
 
       - name: Install dependencies
         run: |
           source venvs/kayobe/bin/activate &&
           source src/kayobe-config/kayobe-env --environment ci-builder &&
           kayobe seed host command run \
-          --command "sudo dnf config-manager --set-enabled crb && sudo dnf -y install epel-release && sudo dnf -y install cloud-init debootstrap git kpartx zstd" --show-output
+          --command "sudo apt update && sudo apt -y install gcc git libffi-dev python3-dev python-is-python3 python3-venv" --show-output
         env:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 
@@ -311,8 +311,8 @@ jobs:
         continue-on-error: true
         run: |
           mkdir logs
-          scp -r rocky@$(jq -r .access_ip_v4.value src/kayobe-config/etc/kayobe/environments/ci-builder/tf-outputs.yml):/opt/kayobe/images/*/*.std* ./logs/
-          scp -r rocky@$(jq -r .access_ip_v4.value src/kayobe-config/etc/kayobe/environments/ci-builder/tf-outputs.yml):/tmp/updated_images.txt ./logs/ || true
+          scp -r ubuntu@$(jq -r .access_ip_v4.value src/kayobe-config/etc/kayobe/environments/ci-builder/tf-outputs.yml):/opt/kayobe/images/*/*.std* ./logs/
+          scp -r ubuntu@$(jq -r .access_ip_v4.value src/kayobe-config/etc/kayobe/environments/ci-builder/tf-outputs.yml):/tmp/updated_images.txt ./logs/ || true
         if: always()
 
       - name: Fail if any overcloud host image builds failed

.github/workflows/stackhpc-all-in-one.yml

@@ -396,13 +396,15 @@ jobs:
           KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
         if: inputs.upgrade
 
+      # NOTE(Alex-Welsh): configure host with selinux_state=disabled, because
+      # Antelope images are not built as permissive
       - name: Host configure
         run: |
           docker run -t --rm \
             -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \
             -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \
             $KAYOBE_IMAGE \
-            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-host-configure.sh
+            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-host-configure.sh -e selinux_state=disabled
         env:
           KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
         if: inputs.upgrade

etc/kayobe/environments/ci-aio/globals.yml

@@ -55,11 +55,6 @@ os_release: >-
           {{ (lookup('pipe', '. /etc/os-release && echo $VERSION_CODENAME') | trim) if os_distribution == 'ubuntu' else
              (lookup('pipe', '. /etc/os-release && echo $VERSION_ID') | trim | split('.') | first) if os_distribution == 'rocky' }}
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux

@@ -7,9 +7,3 @@
 # OS distribution name. Valid options are "rocky", "ubuntu". Default is
 # "rocky".
 os_distribution: "{{ lookup('pipe', '. /etc/os-release && echo $ID') | trim }}"
-
-###############################################################################
-# SELinux.
-
-# Avoid a reboot.
-selinux_state: disabled

etc/kayobe/environments/ci-builder/globals.yml

@@ -60,11 +60,6 @@ os_release: >-
 stackhpc_write_barbican_role_id_to_file: true
 stackhpc_barbican_role_id_file_path: "/tmp/barbican-role-id"
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

etc/kayobe/environments/ci-multinode/globals.yml

@@ -67,7 +67,7 @@ overcloud_dib_host_packages_extra:
 overcloud_dib_git_elements_extra:
   - repo: "https://github.com/stackhpc/stackhpc-image-elements"
     local: "{{ source_checkout_path }}/stackhpc-image-elements"
-    version: "v1.6.1"
+    version: "v1.6.3"
     elements_path: "elements"
 
 # List of git repositories containing Diskimage Builder (DIB) elements. See

etc/kayobe/overcloud-dib.yml

@@ -1,5 +1,5 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
-stackhpc_rocky_9_overcloud_host_image_version: "2023.1-20240126T093158"
-stackhpc_ubuntu_jammy_overcloud_host_image_version: "2023.1-20240325T130221"
+stackhpc_rocky_9_overcloud_host_image_version: "2024.1-20240912T145502"
+stackhpc_ubuntu_jammy_overcloud_host_image_version: "2024.1-20240911T124950"

etc/kayobe/pulp-host-image-versions.yml

@@ -5,7 +5,7 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20240829T093746
 stackhpc_pulp_repo_centos_stream_9_openstack_caracal_version: 20240902T080424
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_reef_version: 20240502T000614
-stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240829T093746
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240910T001721
 stackhpc_pulp_repo_elrepo_9_version: 20240902T122220
 stackhpc_pulp_repo_epel_9_version: 20240902T080424
 stackhpc_pulp_repo_grafana_version: 20240902T080424
@@ -39,6 +39,6 @@ stackhpc_pulp_repo_rocky_9_4_crb_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_4_extras_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_4_highavailability_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240718T001130
-stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240902T130724
-stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240901T094519
-stackhpc_pulp_repo_ubuntu_jammy_version: 20240901T094519
+stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240911T041957
+stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240911T063424
+stackhpc_pulp_repo_ubuntu_jammy_version: 20240911T063424

etc/kayobe/pulp-repo-versions.yml

@@ -23,9 +23,8 @@ stackhpc_overcloud_dib_name: "deployment_image"
 stackhpc_overcloud_dib_elements:
   - "{{ os_distribution }}-{% if os_distribution == 'rocky' %}container-stackhpc{% else %}minimal{% endif %}"
   - "cloud-init-datasources"
-  - "{% if os_distribution == 'rocky' %}disable-selinux{% endif %}"
+  - "{% if os_distribution == 'rocky' %}selinux-permissive{% endif %}"
   - "enable-serial-console"
-  - "{% if kayobe_environment == 'ci-builder' %}etc-hosts{% endif %}"
   - "vm"
   - "block-device-efi"
   - "cloud-init"

etc/kayobe/stackhpc-overcloud-dib.yml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The StackHPC overcloud host images have been rebuilt using new packages for
+    the Caracal release.

releasenotes/notes/host-image-rebuild-957b0a69de1044fc.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Enables SELinux in permissive mode in the overcloud host image. This
+    matches the default configuration for SELinux in StackHPC Kayobe Configuration.