Merge branch 'stackhpc/yoga' into os_capacity

JohnGarbutt · web-flow · commit afacf82a538e · 2023-10-05T13:58:45.000+01:00
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -167,6 +167,10 @@ jobs:
         env:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 
+      - name: Prune local Kolla container images over 1 week old
+        run: |
+          sudo docker image prune --all --force --filter until=168h --filter="label=kolla_version"
+
       - name: Build and push kolla overcloud images
         run: |
           args="${{ github.event.inputs.regexes }}"
@@ -200,17 +204,16 @@ jobs:
         run: |
           sudo docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/${{ matrix.distro }}-*:${{ needs.generate-tag.outputs.kolla_tag }}" > ${{ matrix.distro }}-container-images
 
+      - name: Fail if no images have been built
+        run: if [ $(wc -l < ${{ matrix.distro }}-container-images) -le 1 ]; then exit 1; fi
+
       - name: Upload container images artifact
         uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.distro }} container images
           path: ${{ matrix.distro }}-container-images
           retention-days: 7
 
-      - name: Prune local Kolla container images over 1 week old
-        run: |
-          sudo docker image prune --all --force --filter until=168h --filter="label=kolla_version"
-
   sync-container-repositories:
     name: Trigger container image repository sync
     needs:
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -229,6 +229,18 @@ Enable the required TLS variables in kayobe and kolla
 
       kayobe overcloud service deploy
 
+   If VM provisioning fails with an error with this format:
+
+   .. code-block::
+
+      Unable to establish connection to http://<kolla internal vip/fqdn>:9696/v2.0/ports/some-sort-of-uuid: Connection aborted
+
+   Restart the nova-compute container on all hypervisors:
+
+   .. code-block::
+
+      kayobe overcloud host command run --command "docker restart nova_compute" --become --show-output -l compute
+
 Barbican integration
 ====================
 
diff --git a/doc/source/configuration/walled-garden.rst b/doc/source/configuration/walled-garden.rst
@@ -77,7 +77,8 @@ proxy:
      - "127.0.0.1"
      - "localhost"
      - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
-     - "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
+     - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
+     - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[inventory_hostname] }}"
      - "{{ kolla_external_fqdn }}"
      - "{{ kolla_internal_fqdn }}"
 
diff --git a/etc/kayobe/ansible/reboot.yml b/etc/kayobe/ansible/reboot.yml
@@ -1,7 +1,7 @@
 ---
 - name: Reboot the host
   hosts: seed-hypervisor:seed:overcloud:infra-vms
-  serial: "{{ lookup('env', 'ANSIBLE_SERIAL') | default(0, true) }}"
+  serial: "{{ lookup('env', 'ANSIBLE_SERIAL') | default(1, true) }}"
   tags:
     - reboot
   tasks:
diff --git a/etc/kayobe/pulp-host-image-versions.yml b/etc/kayobe/pulp-host-image-versions.yml
@@ -3,6 +3,6 @@
 # These images must be in SMS, since they are used by our AIO CI runners
 stackhpc_centos_8_stream_overcloud_host_image_version: "yoga-20230525T095243"
 stackhpc_rocky_8_overcloud_host_image_version: "yoga-20230629T135322"
-stackhpc_rocky_9_overcloud_host_image_version: "yoga-20230515T145140"
+stackhpc_rocky_9_overcloud_host_image_version: "yoga-20230929T133006"
 stackhpc_ubuntu_focal_overcloud_host_image_version: "yoga-20230609T120720"
 stackhpc_ubuntu_jammy_overcloud_host_image_version: "yoga-20230609T120720"
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -19,10 +19,10 @@ stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230308T155704
 stackhpc_pulp_repo_docker_ce_ubuntu_version: 20230908T013529
 stackhpc_pulp_repo_docker_version: 20230801T003759
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20230727T144020
-stackhpc_pulp_repo_epel_9_version: 20230302T031902
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311
+stackhpc_pulp_repo_epel_9_version: 20230929T005202
 stackhpc_pulp_repo_epel_modular_version: 20220913T043117
-stackhpc_pulp_repo_epel_version: 20230206T150339
+stackhpc_pulp_repo_epel_version: 20230929T005202
 stackhpc_pulp_repo_grafana_version: 20230903T003752
 stackhpc_pulp_repo_mariadb_10_6_centos8_version: 20230815T010124
 stackhpc_pulp_repo_mlnx_ofed_5_7_1_0_2_0_rhel8_6_version: 20220920T151419
@@ -41,16 +41,21 @@ stackhpc_pulp_repo_rocky_8_7_baseos_version: 20221202T032715
 stackhpc_pulp_repo_rocky_8_7_extras_version: 20221201T192704
 stackhpc_pulp_repo_rocky_8_7_nfv_version: 20221202T032715
 stackhpc_pulp_repo_rocky_8_7_powertools_version: 20221202T032715
+stackhpc_pulp_repo_rocky_8_8_appstream_version: 20230928T024829
+stackhpc_pulp_repo_rocky_8_8_baseos_version: 20230928T024829
+stackhpc_pulp_repo_rocky_8_8_extras_version: 20230928T024829
+stackhpc_pulp_repo_rocky_8_8_nfv_version: 20230922T023520
+stackhpc_pulp_repo_rocky_8_8_powertools_version: 20230928T024829
 stackhpc_pulp_repo_rocky_9_1_appstream_version: 20230228T044432
 stackhpc_pulp_repo_rocky_9_1_baseos_version: 20230228T044432
 stackhpc_pulp_repo_rocky_9_1_crb_version: 20230228T044432
 stackhpc_pulp_repo_rocky_9_1_extras_version: 20230228T044432
 stackhpc_pulp_repo_rocky_9_1_highavailability_version: 20230228T044432
-stackhpc_pulp_repo_rocky_9_2_appstream_version: 20230825T131407
-stackhpc_pulp_repo_rocky_9_2_baseos_version: 20230825T131407
-stackhpc_pulp_repo_rocky_9_2_crb_version: 20230825T131407
-stackhpc_pulp_repo_rocky_9_2_extras_version: 20230825T131407
-stackhpc_pulp_repo_rocky_9_2_highavailability_version: 20230805T012805
+stackhpc_pulp_repo_rocky_9_2_appstream_version: 20230928T024829
+stackhpc_pulp_repo_rocky_9_2_baseos_version: 20230928T024829
+stackhpc_pulp_repo_rocky_9_2_crb_version: 20230928T024829
+stackhpc_pulp_repo_rocky_9_2_extras_version: 20230915T001040
+stackhpc_pulp_repo_rocky_9_2_highavailability_version: 20230918T015928
 stackhpc_pulp_repo_treasuredata_4_version: 20230903T003752
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20230908T112533
 stackhpc_pulp_repo_ubuntu_focal_security_version: 20230908T101641
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -217,8 +217,8 @@ stackhpc_pulp_sync_centos_stream8: "{{ os_distribution == 'centos' }}"
 
 # Whether to sync Rocky Linux 8 packages.
 stackhpc_pulp_sync_rocky_8: "{{ os_distribution == 'rocky' and os_release == '8' }}"
-# Rocky 8 minor version number. Supported values: 6, 7
-stackhpc_pulp_repo_rocky_8_minor_version: 7
+# Rocky 8 minor version number. Supported values: 6, 7, 8
+stackhpc_pulp_repo_rocky_8_minor_version: 8
 # Rocky 8 Snapshot versions. The defaults use the appropriate version from
 # pulp-repo-versions.yml for the selected minor release.
 stackhpc_pulp_repo_rocky_8_appstream_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_8_%s_appstream_version' % stackhpc_pulp_repo_rocky_8_minor_version) }}"
diff --git a/etc/kayobe/stackhpc-overcloud-dib.yml b/etc/kayobe/stackhpc-overcloud-dib.yml
@@ -67,13 +67,16 @@ stackhpc_overcloud_dib_packages:
   - "vim"
   - "git"
   - "less"
+  - "python3"
   - "{% if os_distribution == 'ubuntu' %}netbase{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}iputils-ping{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}curl{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}apt-utils{% endif %}"
   - "{% if os_distribution == 'centos' %}openssh-clients{% endif %}"
   - "{% if os_distribution == 'rocky' %}NetworkManager-config-server{% endif %}"
   - "{% if os_distribution == 'rocky' %}linux-firmware{% endif %}"
+  - "{% if os_distribution == 'rocky' %}cloud-utils-growpart{% endif %}"
+  - "{% if os_distribution == 'ubuntu' %}cloud-guest-utils{% endif %}"
 
 # StackHPC overcloud DIB image block device configuration.
 # This image layout conforms to the CIS partition benchmarks.
diff --git a/releasenotes/notes/bump-rocky8-snapshots-2023-09-29-e115427edd3334c7.yaml b/releasenotes/notes/bump-rocky8-snapshots-2023-09-29-e115427edd3334c7.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The Rocky 8 minor version has been bumped to 8.8 and new snapshots have
+    been created to include fixes for Zenbleed (CVE-2023-20593), Downfall
+    (CVE-2022-40982). It is recommended that you update your OS packages and
+    reboot into the kernel as soon as possible.
diff --git a/releasenotes/notes/bump-rocky9-snapshots-2023-09-29-c736c3d37afd7e5c.yaml b/releasenotes/notes/bump-rocky9-snapshots-2023-09-29-c736c3d37afd7e5c.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The snapshots for Rocky 9.2 have been refreshed to include fixes for
+    Zenbleed (CVE-2023-20593), Downfall (CVE-2022-40982). It is recommended
+    that you update your OS packages and reboot into the kernel as soon as
+    possible.
diff --git a/releasenotes/notes/reboot-default-serial-5944a2a648da71c7.yaml b/releasenotes/notes/reboot-default-serial-5944a2a648da71c7.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The ``reboot.yml`` custom Ansible playbook now defaults to reboot only one
+    host at a time. Existing behaviour can be retained by setting
+    ANSIBLE_SERIAL=0.
