From 320fcbdce17c2b1f0d15114bc6f1dd9849c40324 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Wed, 22 Dec 2021 10:45:58 +0300 Subject: [PATCH 01/11] Fix variable name TrivialFix The customization format of the variable name should contain the [1]. This change fixes the name of the 'remote_apt_keys' variable in base Dockerfile. 1. https://docs.openstack.org/kolla/latest/admin/image-building.html#dockerfile-customisation Change-Id: I423db39e77f337a73d3d88e3dbd56469be45110b Signed-off-by: Maksim Malchuk (cherry picked from commit cb99f46929298f8e1d939cfca2a1d4831cd1efca) (cherry picked from commit c8d3709436c6bc0f9d6bc8c038f3f3fb64dd6cb1) --- docker/base/Dockerfile.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 54d11a67e9..77a050c55d 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -368,7 +368,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom 'F77F1EDA57EBB1CC', 'F6609E60DC62814E', ] %} - {% set remote_apt_keys = [ + {% set base_remote_apt_keys = [ 'https://packages.grafana.com/gpg.key', 'https://repos.influxdata.com/influxdb.key', ] %} @@ -379,7 +379,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom 'F77F1EDA57EBB1CC', 'F6609E60DC62814E', ] %} - {% set remote_apt_keys = [ + {% set base_remote_apt_keys = [ 'https://download.docker.com/linux/debian/gpg', 'https://packages.grafana.com/gpg.key', 'https://packages.treasuredata.com/GPG-KEY-td-agent', @@ -394,7 +394,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom {%- if not loop.last %} \ {% endif -%} {% endfor %} - {% for key in remote_apt_keys | customizable('remote_apt_keys') %} + {% for key in base_remote_apt_keys | customizable('remote_apt_keys') %} {%- if loop.first %} RUN {% else %} && {% endif %}curl {{ key }} | apt-key add - {%- if not loop.last %} \ {% endif -%} From 59adcfd80ad19e67d16cae3f23117d3ff4a1a1bc Mon Sep 17 00:00:00 2001 
From: Michal Nasiadka Date: Wed, 12 Jan 2022 11:17:06 +0100 Subject: [PATCH 02/11] magnum: fix issue with keystone auth default policy Closes-Bug: #1957159 Change-Id: I042da2234d0a06f1b7ddcac9eb6db8b86f13d205 (cherry picked from commit 0a536f47a8e077d37ccff3b3201512c2b793b0ab) --- docker/magnum/magnum-base/Dockerfile.j2 | 1 + ...magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml diff --git a/docker/magnum/magnum-base/Dockerfile.j2 b/docker/magnum/magnum-base/Dockerfile.j2 index 14024b6ace..981ea679f6 100644 --- a/docker/magnum/magnum-base/Dockerfile.j2 +++ b/docker/magnum/magnum-base/Dockerfile.j2 @@ -32,6 +32,7 @@ RUN ln -s magnum-base-source/* magnum \ && {{ macros.install_pip(magnum_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/magnum \ && cp -r /magnum/etc/magnum/* /etc/magnum \ + && mv /etc/magnum/keystone_auth_default_policy.sample /etc/magnum/keystone_auth_default_policy.json \ && chown -R magnum: /etc/magnum {% endif %} diff --git a/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml b/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml new file mode 100644 index 0000000000..820b69d3c2 --- /dev/null +++ b/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes an issue with missing Magnum Keystone auth default policy. + `LP#1957159 `__ From 4835d402f13df14119655ae9f8bcbc17b800b4b8 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Thu, 13 Jan 2022 22:35:27 +0100 Subject: [PATCH 03/11] Mitigate two Log4j vulnerabilities in Apache Storm The Log4j version was bumped on GitHub [1] but it is still pending inclusion in a release of Apache Storm. Apply the alternative mitigation recommended by Log4j [2] of removing the JndiLookup class from the classpath. [1] https://github.com/apache/storm/pull/3427 [2] https://logging.apache.org/log4j/2.x/security.html Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9 (cherry picked from commit 448e4f56aa6218a66b0074329d322c0b6089b2e6) --- docker/storm/storm-base/Dockerfile.j2 | 5 +++++ ...torm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml diff --git a/docker/storm/storm-base/Dockerfile.j2 b/docker/storm/storm-base/Dockerfile.j2 index 25151029d3..3e0dae4b1c 100644 --- a/docker/storm/storm-base/Dockerfile.j2 +++ b/docker/storm/storm-base/Dockerfile.j2 @@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} {% set storm_packages = [ 'java-1.8.0-openjdk-headless', + 'zip', ] %} {% elif base_package_type == 'deb' %} @@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set storm_packages = [ 'openjdk-' + java_version + '-jre-headless', + 'zip', ] %} {% endif %} @@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \ && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \ && rm -f /tmp/storm.tgz +# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class +# from the classpath +RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class {% endblock %} {% block storm_python_version %} 
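Review bot: The added `RUN zip -q -d /opt/storm/lib/log4j-core-*.jar ...` line in the last hunk only strips JndiLookup.class from jars directly under /opt/storm/lib, and `zip -d` takes a single archive, so if the glob ever expands to more than one jar the second path is read as an entry name rather than as an archive. Any other copy of log4j-core that the Storm tarball may unpack elsewhere under /opt/storm (not visible in this hunk) would keep the class. Walking the tree covers both cases: `RUN find /opt/storm -name 'log4j-core-*.jar' -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;`. Because `find -exec ... \;` does not propagate the exit status of `zip`, I would follow it with a check that fails the build if any jar under /opt/storm still lists the class.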
diff --git a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml new file mode 100644 index 0000000000..5126662ad0 --- /dev/null +++ b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) + vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm. From 5ba4fb275da333d7f71a17c8755d25b851e7f07b Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Wed, 20 Oct 2021 15:28:16 +0200 Subject: [PATCH 04/11] openstack-base: drop anyjson It is required only in Tacker and fails to be installed. And even Tacker does not use it... Change-Id: Ic8ebe4089c84f923c24697d632eb294a262059a8 (cherry picked from commit ec06d44d2c095199a9e14aef2f036e957082537e) --- docker/openstack-base/Dockerfile.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index ba5d1f4746..98c3ac2372 100644 --- a/docker/openstack-base/Dockerfile.j2 +++ b/docker/openstack-base/Dockerfile.j2 @@ -24,7 +24,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'mod_ssl', 'openssl', 'python3-alembic', - 'python3-anyjson', 'python3-aodhclient', 'python3-barbicanclient', 'python3-cachetools', @@ -210,7 +209,6 @@ ENV DEBIAN_FRONTEND noninteractive 'WSME', 'alembic', 'amqp', - 'anyjson', 'aodhclient', 'appdirs', 'automaton', From 67e4f50bf7cd7166b27dcd38611215327b722cb8 Mon Sep 17 00:00:00 2001 
From: Xinliang Liu Date: Fri, 15 May 2020 07:12:56 +0000 Subject: [PATCH 05/11] Use distro provided GRUB efi Use distro provided GRUB efi instead of creating it like ironic GRUB setup doc[1]. This avoids below ubuntu ironic-python-agent images PXE booting failure. ---------- error: invalid magic number. error: you need to load the kernel first. Press any key to continue... ---------- This also fixes x86_64 uefi pxe booting issue by setting up GRUB efi for x86_64. Besides, GRUB setup only needs to do once at bootstrap stage. [1]: https://docs.openstack.org/ironic/train/install/configure-pxe.html#uefi-pxe-GRUB-setup Closes-Bug: #1879265 Change-Id: I8be5bdf5f1a62751aefe6bd0959e8f558fcfe591 (cherry picked from commit b6e057d694d90d50ea278411d0edf20afe427e13) --- docker/ironic/ironic-pxe/Dockerfile.j2 | 10 ++--- docker/ironic/ironic-pxe/extend_start.sh | 40 ++++++++++++------- ...nt-pxe-booting-issue-95adaf9249207d5b.yaml | 6 +++ 3 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml diff --git a/docker/ironic/ironic-pxe/Dockerfile.j2 b/docker/ironic/ironic-pxe/Dockerfile.j2 index 700c4dfced..8236de6fbe 100644 --- a/docker/ironic/ironic-pxe/Dockerfile.j2 +++ b/docker/ironic/ironic-pxe/Dockerfile.j2 @@ -25,15 +25,19 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_arch != 's390x' %} {% set ironic_pxe_packages = ironic_pxe_packages + [ 'grub2-tools', - 'grub2-efi-aa64-modules' + 'grub2-efi-*64', + 'grub2-efi-aa64-modules', + 'shim-*64', ] %} {% endif %} {{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }} {% elif base_package_type == 'deb' %} {% set ironic_pxe_packages = [ + 'grub-efi-*64-signed', 'ipxe', 'pxelinux', + 'shim-signed', 'syslinux-common', 'tftpd-hpa' ] %} 
@@ -42,10 +46,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set ironic_pxe_packages = ironic_pxe_packages + [ 'syslinux' ] %} - {% elif base_arch == 'aarch64' %} - {% set ironic_pxe_packages = ironic_pxe_packages + [ - 'grub-efi-arm64' - ] %} {% endif %} {{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }} diff --git a/docker/ironic/ironic-pxe/extend_start.sh b/docker/ironic/ironic-pxe/extend_start.sh index 44f101bb0b..0cd7350072 100644 --- a/docker/ironic/ironic-pxe/extend_start.sh +++ b/docker/ironic/ironic-pxe/extend_start.sh @@ -1,7 +1,8 @@ #!/bin/bash -function prepare_pxe { +# For x86 legacy BIOS boot mode +function prepare_pxe_pxelinux { chown -R ironic: /tftpboot for pxe_file in /var/lib/tftpboot/pxelinux.0 /var/lib/tftpboot/chain.c32 /usr/lib/syslinux/pxelinux.0 \ /usr/lib/syslinux/chain.c32 /usr/lib/PXELINUX/pxelinux.0 \ @@ -12,6 +13,28 @@ function prepare_pxe { done } +# For UEFI boot mode +function prepare_pxe_grub { + if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then + shim_src_file="/usr/lib/shim/shim*64.efi.signed" + grub_src_file="/usr/lib/grub/*-efi-signed/grubnet*64.efi.signed" + elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then + shim_src_file="/boot/efi/EFI/centos/shim*64.efi" + grub_src_file="/boot/efi/EFI/centos/grub*64.efi" + fi + + if [[ "${KOLLA_BASE_ARCH}" == "x86_64" ]]; then + shim_dst_file="bootx64.efi" + grub_dst_file="grubx64.efi" + elif [[ "${KOLLA_BASE_ARCH}" == "aarch64" ]]; then + shim_dst_file="bootaa64.efi" + grub_dst_file="grubaa64.efi" + fi + + cp $shim_src_file /tftpboot/$shim_dst_file + cp $grub_src_file /tftpboot/$grub_dst_file +} + function prepare_ipxe { if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then cp /usr/lib/ipxe/{undionly.kpxe,ipxe.efi} /tftpboot 
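Review bot: prepare_pxe_grub runs its two `cp` lines even when no branch assigned the variables: on an architecture other than x86_64 or aarch64 the `*_dst_file` names are empty, so the signed shim and GRUB images are copied into /tftpboot under their source names, and on an unmatched distro `cp` is called without a source. The source globs are also expanded unquoted, so more than one match makes `cp` fail. The bootstrap block that calls this function ends in `exit 0`, and no `set -e` is visible in these hunks, so a failed copy would presumably go unnoticed until a node fails to boot. I would return early for unsupported combinations and check that each glob resolves to exactly one file before copying, as sketched below.

```shell
function prepare_pxe_grub {
    # … unchanged: distro branch setting shim_src_file / grub_src_file …
    # … unchanged: arch branch setting shim_dst_file / grub_dst_file …

    # Nothing to install for combinations the branches above do not cover.
    if [[ -z "${shim_src_file:-}" || -z "${shim_dst_file:-}" ]]; then
        echo "prepare_pxe_grub: unsupported distro/arch, skipping" >&2
        return 0
    fi

    # Expand each glob once and insist on a single, existing match.
    local shim_matches=( $shim_src_file )
    local grub_matches=( $grub_src_file )
    if [[ ${#shim_matches[@]} -ne 1 || ! -f "${shim_matches[0]}" \
          || ${#grub_matches[@]} -ne 1 || ! -f "${grub_matches[0]}" ]]; then
        echo "prepare_pxe_grub: expected exactly one shim and one GRUB image" >&2
        return 1
    fi

    cp "${shim_matches[0]}" "/tftpboot/${shim_dst_file}"
    cp "${grub_matches[0]}" "/tftpboot/${grub_dst_file}"
}
```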
@@ -23,21 +46,10 @@ function prepare_ipxe { # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases # of the KOLLA_BOOTSTRAP variable being set, including empty. if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then - prepare_pxe + prepare_pxe_pxelinux + prepare_pxe_grub prepare_ipxe exit 0 fi -if [[ -d /usr/lib/grub/arm64-efi ]]; then - modules="boot chain configfile efinet ext2 fat gettext help hfsplus loadenv \ - lsefi normal part_gpt part_msdos read search search_fs_file search_fs_uuid \ - search_label terminal terminfo tftp linux" - - if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then - grub-mkimage -v -o /tftpboot/grubaa64.efi -O arm64-efi -p "grub" $modules - elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then - grub2-mkimage -v -o /tftpboot/grubaa64.efi -O arm64-efi -p "EFI/centos" $modules - fi -fi - . /usr/local/bin/kolla_httpd_setup diff --git a/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml b/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml new file mode 100644 index 0000000000..1679f59f7a --- /dev/null +++ b/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fix AArch64 ubuntu ironic-python-agent images UEFI PXE booting failure. + Also fix x86_64 lacking of GRUB efi files issue. + `LP#1879265 `__ From f439afa42e9f5074e4680987e6185c4bd93aa090 Mon Sep 17 00:00:00 2001 
From: Michal Nasiadka Date: Thu, 3 Feb 2022 15:52:19 +0100 Subject: [PATCH 06/11] Remove missing collectd packages Since CentOS Linux 8 repository retirement from CentOS mirrors - we need to use CentOS Stream 8 version of Opstools repo. Listed below packages are missing from the repo, and according to the maintainer dpdk_telemetry is not going to show up at all (it's basically dead). The rest of the packages might show up at a later stage - but it's not a priority for the maintainer. - collectd-dpdk_telemetry - collectd-libpod-stats - collectd-sensubility - python3-sqlalchemy-collectd Template override used to temporarily use Ceph Nautilus repo from RDO. Change-Id: I5f446fc276e245c1e6974ceeb6ff3dccd84ee502 (cherry picked from commit 405fca90f2c8d3763ac56ce8b925611d136bba6c) --- docker/base/Dockerfile.j2 | 7 +++++++ docker/collectd/Dockerfile.j2 | 4 ---- docker/openstack-base/Dockerfile.j2 | 1 - 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 77a050c55d..8bfc51f125 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -219,6 +219,13 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("centos_yum_repo_packages"), chain=True, clean=False) }} +{# TODO(mnasiadka): Remove this once Nautilus C8S lands on mirror.centos.org #} + +RUN sed -i \ + -e "s|^\(mirrorlist.*\)|#\1|" \ + -e "s|^#baseurl=http://mirror.centos.org.*|baseurl=https://trunk.rdoproject.org/centos8-master/deps/storage/nautilus/|" \ + /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo + {%- for repo in base_centos_yum_repos_to_enable | customizable('centos_yum_repos_to_enable') %} && dnf config-manager --enable {{ repo }} {% endfor -%} {%- for repo in base_centos_yum_repos_to_disable | customizable('centos_yum_repos_to_disable') %} && dnf config-manager --disable {{ repo }} {% endfor -%} 
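Review bot: The added `RUN sed -i ...` rewrites /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo in docker/base/Dockerfile.j2 itself, so every CentOS image built from this template would take Ceph packages from a trunk.rdoproject.org dependency tree, whereas the commit message describes a template override. The expression only matches a commented `#baseurl=http://mirror.centos.org...` line, so if the repo file differs the substitution silently does nothing; the hunk also leaves the file's gpgcheck/gpgkey settings untouched, and whether the RDO tree is signed by that key is not visible here. I would extend the TODO to record which key is expected to sign these packages and make the step fail when the rewrite did not apply, for example by appending `&& grep -q '^baseurl=https://trunk.rdoproject.org/' /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo`. The `dnf config-manager` continuation lines that follow the new RUN start outside the added lines.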
diff --git a/docker/collectd/Dockerfile.j2 b/docker/collectd/Dockerfile.j2 index d991827dc3..585d1f830b 100644 --- a/docker/collectd/Dockerfile.j2 +++ b/docker/collectd/Dockerfile.j2 @@ -30,10 +30,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-dbi', 'collectd-disk', 'collectd-dns', - 'collectd-dpdk_telemetry', 'collectd-generic-jmx', 'collectd-ipmi', - 'collectd-libpod-stats', 'collectd-log_logstash', 'collectd-logparser', 'collectd-mcelog', @@ -47,7 +45,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-procevent', 'collectd-python', 'collectd-sensors', - 'collectd-sensubility', 'collectd-smart', 'collectd-snmp', 'collectd-snmp-agent', @@ -57,7 +54,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-write_http', 'collectd-write_kafka', 'collectd-write_prometheus', - 'python3-sqlalchemy-collectd' ] %} {% if base_arch in ['x86_64', 'ppc64le'] %} diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index 98c3ac2372..7999304945 100644 --- a/docker/openstack-base/Dockerfile.j2 +++ b/docker/openstack-base/Dockerfile.j2 @@ -87,7 +87,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-routes', 'python3-saharaclient', 'python3-sqlalchemy', - 'python3-sqlalchemy-collectd', 'python3-sqlparse', 'python3-swiftclient', 'python3-sysv_ipc', From 3bbc5b3299c69ec56e57d63bdb487121742a2730 Mon Sep 17 00:00:00 2001 
From: "Dr. Jens Harbott" Date: Tue, 14 Dec 2021 13:10:39 +0100 Subject: [PATCH 07/11] Unpin td-agent and cap elasticsearch gem MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With [0] the version of td-agent being installed was pinned, which isn't sustainable in the long run, so we drop the pin. Latest version of the elasticsearch gem no longer works with older (OSS) versions of Elasticsearch. This is fixed by downgrading the version of the elasticsearch gems. Backport includes 711ec0829a95a12ae9e290aeb3837b457e1dd215 [1]. [0] Iefcdd3100b7e3c5320bc5f1286a18251bdeab885 [1] I353ef9b6b8da0e726c17ad2e06995d3690731e1d Related-Bug: 1930867 Closes-Bug: 1954759 Closes-Bug: 1960444 Signed-off-by: Dr. Jens Harbott Co-Authored-By: Radosław Piliszek Change-Id: I3045786e863b098d7339d1066aef6c857aa5f97f (cherry picked from commit a8e6924beaea3e268435156f6bbc34812a69a01c) --- docker/base/apt_preferences.debian | 5 ----- docker/base/apt_preferences.ubuntu | 5 ----- docker/fluentd/Dockerfile.j2 | 12 +++++++++--- .../cap-fluentd-elasticsearch-18c0ca8e90c1234c.yaml | 7 +++++++ 4 files changed, 16 insertions(+), 13 deletions(-) create mode 100644 releasenotes/notes/cap-fluentd-elasticsearch-18c0ca8e90c1234c.yaml diff --git a/docker/base/apt_preferences.debian b/docker/base/apt_preferences.debian index 9c4af3561d..488820223c 100644 --- a/docker/base/apt_preferences.debian +++ b/docker/base/apt_preferences.debian @@ -7,11 +7,6 @@ Package: erlang* Pin: version 1:23.* Pin-Priority: 1000 -# FIXME(mgoddard): Pinning to 4.0.* to avoid bug 1930867. -Package: td-agent* -Pin: version 4.0.* -Pin-Priority: 1000 - # NOTE(mgoddard): logstash 7.9.x is the last version that supports # Elasticsearch OSS. Package: logstash-oss diff --git a/docker/base/apt_preferences.ubuntu b/docker/base/apt_preferences.ubuntu index 4f07070673..fd8609d942 100644 --- a/docker/base/apt_preferences.ubuntu +++ b/docker/base/apt_preferences.ubuntu 
@@ -6,11 +6,6 @@ Package: erlang* Pin: version 1:23.* Pin-Priority: 1000 -# FIXME(mgoddard): Pinning to 4.0.* to avoid bug 1930867. -Package: td-agent* -Pin: version 4.0.* -Pin-Priority: 1000 - # NOTE(mgoddard): logstash 7.9.x is the last version that supports # Elasticsearch OSS. Package: logstash-oss diff --git a/docker/fluentd/Dockerfile.j2 b/docker/fluentd/Dockerfile.j2 index 0f3fe11df6..c1c8839b50 100644 --- a/docker/fluentd/Dockerfile.j2 +++ b/docker/fluentd/Dockerfile.j2 @@ -27,9 +27,8 @@ LABEL fluentd_version="0.14" fluentd_binary="td-agent" ] %} {% if base_arch in ['aarch64', 'x86_64'] %} - # FIXME(mgoddard): Pinning to 4.0.* to avoid bug 1930867. {% set fluentd_packages = fluentd_packages + [ - 'td-agent-4.0.*' + 'td-agent' ] %} {% else %} {% set fluentd_packages = fluentd_packages + [ @@ -62,7 +61,14 @@ LABEL fluentd_version="0.14" fluentd_binary="td-agent" {% endif %} {{ macros.configure_user(name=fluentd_user, groups='mysql') }} -{{ macros.install_packages(fluentd_packages | customizable("packages")) }} + +# NOTE(frickler): Downgrading elasticsearch gems for compatibility with OSS versions of ES +{{ macros.install_packages(fluentd_packages | customizable("packages")) }}{% if base_arch in ['aarch64', 'x86_64'] %} \ + && td-agent-gem install elasticsearch:7.13.0 \ + && td-agent-gem uninstall "elasticsearch:>7.13.0" \ + && td-agent-gem uninstall "elasticsearch-api:>7.13.0" \ + && td-agent-gem uninstall "elasticsearch-transport:>7.13.0" +{% endif %} # Distro specific files and operations # Fluentd on rpm-based non-x86_64 is installed from rpm diff --git a/releasenotes/notes/cap-fluentd-elasticsearch-18c0ca8e90c1234c.yaml b/releasenotes/notes/cap-fluentd-elasticsearch-18c0ca8e90c1234c.yaml new file mode 100644 index 0000000000..39af5d3ba0 --- /dev/null +++ b/releasenotes/notes/cap-fluentd-elasticsearch-18c0ca8e90c1234c.yaml 
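Review bot: The elasticsearch cap in the `@@ -62,7 +61,14 @@` hunk of docker/fluentd/Dockerfile.j2 is applied by uninstalling anything newer than 7.13.0 after the now-unpinned `td-agent` package is installed, and nothing confirms the outcome, so a later td-agent build that bundles the gems differently could leave a newer client in place without failing the image build. Ending the chain with a check such as `&& ! td-agent-gem list -i elasticsearch -v '>7.13.0'` would surface that. The version literal is repeated four times; a Jinja variable set next to `fluentd_packages` would keep the install and the three uninstall lines in step. The NOTE comment could also name the bug it works around (the commit message cites 1954759) so the cap can be revisited when it is no longer needed.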
@@ -0,0 +1,7 @@ +--- +fixes: + - | + Latest version of the elasticsearch gem no longer works with older + (OSS) versions of Elasticsearch. This is fixed by capping the version + of the elasticsearch gem installed into the fluentd container. + `LP#1954759 `__ From 1ac4662c11b7baade1a1d689f5a8b40d481aa3ab Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 10 Feb 2022 10:58:55 +0000 Subject: [PATCH 08/11] ironic: Fix UEFI & iPXE bootloader filenames When using Ironic with UEFI boot mode and iPXE booting, nodes will attempt to chainload iPXE using a Network Boot Program (NBP). This is configured in Ironic via [pxe] uefi_ipxe_bootfile_name, and the default since Xena is snponly.efi. In Wallaby and earlier releases, the default was ipxe.efi. These files need to be available in the /tftpboot directory of the ironic-pxe image. The current default of snponly.efi was not present for any supported distros. ipxe.efi was present for Debian/Ubuntu but not CentOS, which appends the architecture to the filename (e.g. ipxe-x86_64.efi). This change ensures that both ipxe.efi and snponly.efi exist in /tftpboot for all supported distributions, ensuring that both the current and previous Ironic defaults should work. Where these files have different names, we use symlinks to allow for any deployers overriding the filenames in configuration. Closes-Bug: #1959203 Change-Id: I79e78dca550262fc86b092a036f9ea96b214ab48 (cherry picked from commit 909710d739f1d7d4c2ef0865ebc9338f260aaa5b) --- docker/ironic/ironic-pxe/extend_start.sh | 17 +++++++++++++++++ .../notes/bug-1959203-1bb695e052248d78.yaml | 8 ++++++++ 2 files changed, 25 insertions(+) create mode 100644 releasenotes/notes/bug-1959203-1bb695e052248d78.yaml diff --git a/docker/ironic/ironic-pxe/extend_start.sh b/docker/ironic/ironic-pxe/extend_start.sh index 0cd7350072..739ace15e0 100644 --- a/docker/ironic/ironic-pxe/extend_start.sh +++ b/docker/ironic/ironic-pxe/extend_start.sh 
@@ -36,10 +36,27 @@ function prepare_pxe_grub { } function prepare_ipxe { + # NOTE(mgoddard): Ironic uses snponly.efi as the default for + # uefi_ipxe_bootfile_name since Xena. In Wallaby and earlier releases it + # was ipxe.efi. Ensure that both exist, using symlinks where the files are + # named differently to allow the original names to be used in ironic.conf. if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then cp /usr/lib/ipxe/{undionly.kpxe,ipxe.efi} /tftpboot + # NOTE(mgoddard): The 'else' can be removed when snponly.efi is + # available in Jammy 22.04. + if [[ -f /usr/lib/ipxe/snponly.efi ]]; then + cp /usr/lib/ipxe/snponly.efi /tftpboot/snponly.efi + elif [[ ! -e /tftpboot/snponly.efi ]]; then + ln -s /tftpboot/ipxe.efi /tftpboot/snponly.efi + fi elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then cp /usr/share/ipxe/{undionly.kpxe,ipxe*.efi} /tftpboot + if [[ ! -e /tftpboot/ipxe.efi ]]; then + ln -s /tftpboot/ipxe-${KOLLA_BASE_ARCH}.efi /tftpboot/ipxe.efi + fi + if [[ ! -e /tftpboot/snponly.efi ]]; then + ln -s /tftpboot/ipxe-snponly-${KOLLA_BASE_ARCH}.efi /tftpboot/snponly.efi + fi fi } diff --git a/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml b/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml new file mode 100644 index 0000000000..a6068423bd --- /dev/null +++ b/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + Fixes an issue with Ironic deployments using UEFI and iPXE, where the + default UEFI iPXE bootloader in Ironic was not available in the TFTP + server. This affects all Kolla releases on CentOS, and Xena on + Debian/Ubuntu. `LP#1959203 + `__ From 7f38bce812ccb621a089755526f79bd792f4e071 Mon Sep 17 00:00:00 2001 
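Review bot: The three `ln -s` lines added to prepare_ipxe create links whose targets are absolute `/tftpboot/...` paths and are never checked for existence. If the TFTP daemon serving this directory runs chrooted to /tftpboot (its invocation is not part of this patch), an absolute target does not resolve inside the chroot; and if `ipxe-snponly-${KOLLA_BASE_ARCH}.efi` is missing the result is a dangling `snponly.efi`, for which the `! -e` guard is true again on the next bootstrap and `ln -s` then fails because the link name already exists. Relative, forced links avoid both: `ln -sf ipxe.efi /tftpboot/snponly.efi`, `ln -sf "ipxe-${KOLLA_BASE_ARCH}.efi" /tftpboot/ipxe.efi` and `ln -sf "ipxe-snponly-${KOLLA_BASE_ARCH}.efi" /tftpboot/snponly.efi`. A warning when the link target is absent would also help, since the bootloader filename is what Ironic hands to booting nodes.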
From: Michal Nasiadka Date: Tue, 8 Feb 2022 09:11:48 +0100 Subject: [PATCH 09/11] base: Drop usage of Ceph Nautilus from RDO This was temporary due to missing Ceph Nautilus repo on CentOS mirrors (after removing CentOS Linux content on EOL date). Change-Id: I86aa697b8def34e0cfb11d2f5ad903dd54e975ef --- docker/base/Dockerfile.j2 | 7 ------- tests/templates/template_overrides.j2 | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 8bfc51f125..77a050c55d 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -219,13 +219,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("centos_yum_repo_packages"), chain=True, clean=False) }} -{# TODO(mnasiadka): Remove this once Nautilus C8S lands on mirror.centos.org #} - -RUN sed -i \ - -e "s|^\(mirrorlist.*\)|#\1|" \ - -e "s|^#baseurl=http://mirror.centos.org.*|baseurl=https://trunk.rdoproject.org/centos8-master/deps/storage/nautilus/|" \ - /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo - {%- for repo in base_centos_yum_repos_to_enable | customizable('centos_yum_repos_to_enable') %} && dnf config-manager --enable {{ repo }} {% endfor -%} {%- for repo in base_centos_yum_repos_to_disable | customizable('centos_yum_repos_to_disable') %} && dnf config-manager --disable {{ repo }} {% endfor -%} diff --git a/tests/templates/template_overrides.j2 b/tests/templates/template_overrides.j2 index 7fdf25fb81..be9145de97 100644 --- a/tests/templates/template_overrides.j2 +++ b/tests/templates/template_overrides.j2 
@@ -36,6 +36,12 @@ RUN sed -i \ {% block base_centos_repo_overrides_post_yum -%} {%- endraw -%} +{# TODO(mnasiadka): Drop this line once baseurl in centos-ceph-nautilus has $stream instead of #} +{# pointing to centos8 #} + && sed -i \ + -e "s|^\(mirrorlist.*\)|#\1|" \ + -e "s|^#baseurl=http://mirror.centos.org/\$contentdir/\$releasever|baseurl=http://{{ nodepool_mirror_host }}/\$contentdir/\$stream|" \ + /etc/yum.repos.d/CentOS-Ceph*.repo \ && sed -i \ -e "s|^\(mirrorlist.*\)|#\1|" \ -e "s|^#baseurl=http://mirror.centos.org|baseurl=http://{{ nodepool_mirror_host }}|" \ From a29648baf8030d754eaf3764fe456146db320bff Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Fri, 4 Feb 2022 17:15:27 +0100 Subject: [PATCH 10/11] collectd: pcie-errors is x86-64 only now Change-Id: Iad7e7ebb1fbf4d14f20960d6257345db71d0e214 (cherry picked from commit 941d021e091567d2709bbb868768c6dc4a3372e0) --- docker/collectd/Dockerfile.j2 | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docker/collectd/Dockerfile.j2 b/docker/collectd/Dockerfile.j2 index 585d1f830b..6f8e93ad5d 100644 --- a/docker/collectd/Dockerfile.j2 +++ b/docker/collectd/Dockerfile.j2 @@ -65,18 +65,13 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_arch =='x86_64' %} {% set collectd_packages = collectd_packages + [ 'collectd-hugepages', + 'collectd-pcie-errors', 'collectd-pmu', 'collectd-rdt', 'collectd-turbostat' ] %} {% endif %} - {% if base_arch != 's390x' %} - {% set collectd_packages = collectd_packages + [ - 'collectd-pcie-errors' - ] %} - {% endif %} - {% endif %} {{ macros.install_packages(collectd_packages | customizable("packages")) }} From 50b1f117a907cf092f2523fd561a3717e607e1d1 Mon Sep 17 00:00:00 2001 
From: Marcin Juszkiewicz Date: Thu, 3 Feb 2022 14:14:27 +0100 Subject: [PATCH 11/11] erlang: use packages from Erlang Solutions on AArch64 RabbitMQ requires Erlang 23+ and soon will bump to 24+. On AArch64 we used version 22 as there was no other option. Now it is. Change-Id: I667ccda5bb4edbfbfb97dfb0cea264837ed05cae (cherry picked from commit f943c7d773a280b832dde9edf9d615540b259b5c) --- docker/base/Dockerfile.j2 | 2 ++ docker/base/erlang-solutions.repo | 6 ++++++ docker/kolla-toolbox/Dockerfile.j2 | 22 ++++++++-------------- docker/rabbitmq/Dockerfile.j2 | 21 ++++++++------------- kolla/template/repos.yaml | 2 +- 5 files changed, 25 insertions(+), 28 deletions(-) create mode 100644 docker/base/erlang-solutions.repo diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 77a050c55d..b3a1ec87ad 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -93,12 +93,14 @@ COPY dnf.conf /etc/dnf/dnf.conf {% elif base_arch == 'aarch64' %} {% set base_yum_repo_files = [ 'elasticsearch.repo', + 'erlang-solutions.repo', 'grafana.repo', 'rabbitmq_rabbitmq-server.repo', 'td.repo', ] %} {% set base_yum_repo_keys = [ + 'https://packages.erlang-solutions.com/rpm/erlang_solutions.asc', 'https://packages.grafana.com/gpg.key', 'https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc', ] %} diff --git a/docker/base/erlang-solutions.repo b/docker/base/erlang-solutions.repo new file mode 100644 index 0000000000..4adbe680fc --- /dev/null +++ b/docker/base/erlang-solutions.repo @@ -0,0 +1,6 @@ +[erlang-solutions] +name=erlang-solutions +baseurl=https://packages.erlang-solutions.com/rpm/centos/$releasever/$basearch +gpgcheck=1 +gpgkey=https://packages.erlang-solutions.com/rpm/erlang_solutions.asc +enabled=0 diff --git a/docker/kolla-toolbox/Dockerfile.j2 b/docker/kolla-toolbox/Dockerfile.j2 index 023436802e..da1d2d2933 100644 --- a/docker/kolla-toolbox/Dockerfile.j2 +++ b/docker/kolla-toolbox/Dockerfile.j2 
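Review bot: The new erlang-solutions.repo sets `gpgcheck=1`, but its `gpgkey` and the entry added to `base_yum_repo_keys` in the Dockerfile hunk both fetch the key from packages.erlang-solutions.com, the same origin that serves the packages, so the signature check adds little if that origin ever serves a substituted key together with substituted packages. No expected fingerprint is recorded anywhere in the patch. I would add a comment at the top of the repo file such as `# Signing key fingerprint: <EXPECTED_KEY_FINGERPRINT> (verify before changing gpgkey)` and, ideally, compare the imported key against it during the build. The other entries in `base_yum_repo_keys` follow the same pattern, so this may be better handled for the list as a whole.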
@@ -14,12 +14,17 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.configure_user(name='ansible') }} {{ macros.configure_user(name='rabbitmq') }} -{{ macros.enable_extra_repos(['rabbitmq', 'erlang', 'openvswitch', 'powertools']) }} +{% if base_arch == 'aarch64' %} +{{ macros.enable_extra_repos(['epel']) }} +{% endif %} + +{{ macros.enable_extra_repos(['erlang', 'openvswitch', 'powertools', 'rabbitmq']) }} {% if base_package_type == 'rpm' %} {% set kolla_toolbox_packages = [ 'crudini', + 'erlang-23.*', 'gcc', 'gdisk', 'git', @@ -34,19 +39,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'openssl-devel', 'openvswitch', 'python3-devel', - ] %} - - {% if base_arch == 'aarch64' %} - {% set kolla_toolbox_packages = kolla_toolbox_packages + [ - 'erlang-22.*', - 'rabbitmq-server-3.8.14' - ] %} - {% else %} - {% set kolla_toolbox_packages = kolla_toolbox_packages + [ - 'erlang-23.*', - 'rabbitmq-server-3.8.*' - ] %} - {% endif %} + 'rabbitmq-server-3.8.*' + ] %} {% elif base_package_type == 'deb' %} {% set kolla_toolbox_packages = [ diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2 index 4a95a27b8d..854f0d2f38 100644 --- a/docker/rabbitmq/Dockerfile.j2 +++ b/docker/rabbitmq/Dockerfile.j2 
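Review bot: The aarch64-only `{{ macros.enable_extra_repos(['epel']) }}` added at the top of docker/kolla-toolbox/Dockerfile.j2 has no comment explaining why EPEL is needed; the rabbitmq Dockerfile in this same patch carries `{# NOTE(hrw): erlang packages from Erlang Solutions needs libwx from EPEL #}`, and the same note belongs here. Enabling EPEL for the whole image widens the set of repositories from which the wildcard entries `erlang-23.*` and `rabbitmq-server-3.8.*` can resolve on aarch64, assuming the macro leaves the repo enabled for the later install step (its body is not shown). If only libwx is wanted from EPEL, restricting the repo to that package, or at least documenting the intended source of each package, would make the resulting image easier to audit.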
@@ -9,27 +9,22 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.configure_user(name='rabbitmq') }} -{{ macros.enable_extra_repos(['rabbitmq', 'erlang', 'powertools']) }} +{# NOTE(hrw): erlang packages from Erlang Solutions needs libwx from EPEL #} +{% if base_arch == 'aarch64' %} +{{ macros.enable_extra_repos(['epel']) }} +{% endif %} + +{{ macros.enable_extra_repos(['erlang', 'powertools', 'rabbitmq']) }} {% block rabbitmq_install %} {% if base_package_type == 'rpm' %} {% set rabbitmq_packages = [ + 'erlang-23.*', 'hostname', + 'rabbitmq-server-3.8.*' ] %} - {% if base_arch == 'aarch64' %} - {% set rabbitmq_packages = rabbitmq_packages + [ - 'erlang-22.*', - 'rabbitmq-server-3.8.14' - ] %} - {% else %} - {% set rabbitmq_packages = rabbitmq_packages + [ - 'erlang-23.*', - 'rabbitmq-server-3.8.*' - ] %} - {% endif %} - {% elif base_package_type == 'deb' %} {% set rabbitmq_packages = [ 'logrotate', diff --git a/kolla/template/repos.yaml b/kolla/template/repos.yaml index 797161e494..b2d8fcaf54 100644 --- a/kolla/template/repos.yaml +++ b/kolla/template/repos.yaml @@ -24,7 +24,7 @@ centos-aarch64: elasticsearch: "elasticsearch-kibana-logstash-7.x" epel: "epel" epel-modular: "epel-modular" - erlang: "centos-rabbitmq-38" + erlang: "erlang-solutions" extras: "extras" grafana: "grafana" hacluster: "ha"