From 8c9bcb0e7dcb652227995db1af3e9f6205943371 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Tue, 21 Sep 2021 07:40:58 +0000 Subject: [PATCH 01/20] [debian] Use upstream MariaDB This preserves the Debian-provided minor version - 10.5 in case of Bullseye in Wallaby and Xena - and is backported as a fix to Victoria and Ussuri (where it follows Buster and its 10.3). Closes-Bug: #1944410 Change-Id: I9704e5371a410cb1f69ec0367174e2b368961dc1 (cherry picked from commit b5422a6bc27797144da1ea973cec24a5cf46d2eb) --- docker/base/Dockerfile.j2 | 1 + kolla/template/repos.yaml | 2 ++ .../debian-mariadb-upstream-75e05cbdaa013abe.yaml | 10 ++++++++++ 3 files changed, 13 insertions(+) create mode 100644 releasenotes/notes/debian-mariadb-upstream-75e05cbdaa013abe.yaml diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 37e08409d2..e3258cfabc 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -368,6 +368,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom {% elif base_distro == 'debian' %} {% set base_apt_keys = [ '46095ACC8548582C1A2699A9D27D666CD88E42B4', + 'F1656F24C74CD1D8', 'F77F1EDA57EBB1CC', 'F6609E60DC62814E', ] %} diff --git a/kolla/template/repos.yaml b/kolla/template/repos.yaml index cb11657b2c..e2ebd0d60c 100644 --- a/kolla/template/repos.yaml +++ b/kolla/template/repos.yaml @@ -55,6 +55,7 @@ debian: influxdb: "deb https://repos.influxdata.com/debian buster stable" logstash: "deb [arch=amd64] https://artifacts.elastic.co/packages/oss-6.x/apt stable main" kibana: "deb [arch=amd64] https://artifacts.elastic.co/packages/oss-6.x/apt stable main" + mariadb: "deb http://downloads.mariadb.com/MariaDB/mariadb-10.3/repo/debian buster main" rabbitmq: "deb https://packagecloud.io/rabbitmq/rabbitmq-server/debian/ buster main" td-agent: "deb http://packages.treasuredata.com/4/debian/buster buster contrib" 
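Review bot: The added MariaDB entry `'F1656F24C74CD1D8'` in the Debian `base_apt_keys` list is a 64-bit long key ID, whereas the first entry of the same list is a full 40-hex fingerprint. How the list is consumed is outside this hunk, but if the IDs are resolved against a keyserver, a long ID is a weaker selector than a fingerprint and the key that apt ends up trusting is not pinned exactly. I would replace it with the full fingerprint of the MariaDB signing key, `'<FULL-40-HEX-MARIADB-FINGERPRINT>',` (placeholder; take the value from MariaDB's published key), and ideally do the same for the two neighbouring 16-hex entries.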
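Review bot: Both added `mariadb:` entries (here under `debian:` and in the `debian-aarch64:` hunk that follows) use `http://downloads.mariadb.com/...`, while most neighbouring third-party repos in the same block use `https://`. APT signature checking still protects package contents, but plain HTTP lets anyone on the build network path observe the fetches or serve stale, validly signed indices, and it leaves trust resting entirely on the apt key. If the host serves the same tree over TLS, prefer `mariadb: "deb https://downloads.mariadb.com/MariaDB/mariadb-10.3/repo/debian buster main"`; this needs confirming against the mirror before merging.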
@@ -66,6 +67,7 @@ debian-aarch64: logstash: "deb [arch=amd64] https://artifacts.elastic.co/packages/oss-6.x/apt stable main" kibana: "deb [arch=amd64] https://artifacts.elastic.co/packages/oss-6.x/apt stable main" libvirt: "deb https://obs.linaro.org/repos/home:/marcin.juszkiewicz/debian-buster ./" + mariadb: "deb http://downloads.mariadb.com/MariaDB/mariadb-10.3/repo/debian buster main" rabbitmq: "deb https://packagecloud.io/rabbitmq/rabbitmq-server/debian/ buster main" td-agent: "deb http://packages.treasuredata.com/4/debian/buster buster contrib" diff --git a/releasenotes/notes/debian-mariadb-upstream-75e05cbdaa013abe.yaml b/releasenotes/notes/debian-mariadb-upstream-75e05cbdaa013abe.yaml new file mode 100644 index 0000000000..bd92fedc73 --- /dev/null +++ b/releasenotes/notes/debian-mariadb-upstream-75e05cbdaa013abe.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - | + Debian now uses upstream MariaDB repos (thus following Ubuntu + images). This is done to avoid issues like the related one and + have an easy workaround of pinning to chosen MariaDB version if + need arises. + Operators may want to reflect this in their repo mirrors and + proxies. + `LP#1944410 `__ From 49a5b7e55381b4b1ef7aa0bb23178f13a924ee62 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Tue, 12 Oct 2021 13:24:47 +0200 Subject: [PATCH 02/20] cinder-volume/ubuntu: add lsscsi and nvme Closes-Bug: #1942038 Change-Id: Id488635110c6158dd23466250c9d57c4f0bc03ff (cherry picked from commit dfb65af8845b184c533fab451fd609b2f7de8859) --- docker/cinder/cinder-volume/Dockerfile.j2 | 2 ++ releasenotes/notes/bug-1942038-f1d96ae352f73bd1.yaml | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/bug-1942038-f1d96ae352f73bd1.yaml diff --git a/docker/cinder/cinder-volume/Dockerfile.j2 b/docker/cinder/cinder-volume/Dockerfile.j2 index f95cfb6844..74e8c56b23 100644 --- a/docker/cinder/cinder-volume/Dockerfile.j2 +++ b/docker/cinder/cinder-volume/Dockerfile.j2 
@@ -23,7 +23,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% elif base_package_type == 'deb' %} {% set cinder_volume_packages = [ + 'lsscsi', 'nfs-common', + 'nvme-cli', 'sysfsutils', 'python3-rtslib-fb', 'targetcli-fb', diff --git a/releasenotes/notes/bug-1942038-f1d96ae352f73bd1.yaml b/releasenotes/notes/bug-1942038-f1d96ae352f73bd1.yaml new file mode 100644 index 0000000000..fee95505c3 --- /dev/null +++ b/releasenotes/notes/bug-1942038-f1d96ae352f73bd1.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes an issue with cinder-volume missing ``lsscsi`` and ``nvme`` commands + on Debian and Ubuntu. + `LP#1942038 `__ From 0bc8f2a335b28f9aabc796f6ebddaa8424b6fb61 Mon Sep 17 00:00:00 2001 From: Stanislav Dmitriev Date: Mon, 26 Apr 2021 16:06:58 -0400 Subject: [PATCH 03/20] Add Swift lock path in Swift containers Swift-recon-cron requires rw access to the lock path specified in in object-server.conf file. Currently it doesn't exist in Swift containers Closes-Bug: #1926203 Change-Id: Id3f824b741a5aa98efc7162fb7d49657e86a2bee (cherry picked from commit ff25b500d23155485dc57d10aed9070a4cba88b4) --- docker/swift/swift-base/Dockerfile.j2 | 4 ++-- releasenotes/notes/fix-lock-swift-path-9b743367e4014f92.yaml | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/fix-lock-swift-path-9b743367e4014f92.yaml diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2 index bf622fcd4a..6ef3db1241 100644 --- a/docker/swift/swift-base/Dockerfile.j2 +++ b/docker/swift/swift-base/Dockerfile.j2 
@@ -53,9 +53,9 @@ ADD swift-base-archive /swift-base-source RUN ln -s swift-base-source/* swift \ && {{ macros.install_pip(swift_base_pip_packages | customizable("pip_packages")) }} \ - && mkdir -p /etc/swift /var/cache/swift \ + && mkdir -p /etc/swift /var/cache/swift /var/lock/swift \ && cp -r /swift/etc/* /etc/swift/ \ - && chown -R swift: /etc/swift /var/cache/swift + && chown -R swift: /etc/swift /var/cache/swift /var/lock/swift {% endif %} COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap diff --git a/releasenotes/notes/fix-lock-swift-path-9b743367e4014f92.yaml b/releasenotes/notes/fix-lock-swift-path-9b743367e4014f92.yaml new file mode 100644 index 0000000000..281fdee4c0 --- /dev/null +++ b/releasenotes/notes/fix-lock-swift-path-9b743367e4014f92.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes "Permission denied" issue for swift-recon tool that appears when + swift-recon tool tries to access deafult recon_lock_path From 2774e59ca74b2131318024002eb754badbe05790 Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Thu, 25 Nov 2021 16:51:22 +0100 Subject: [PATCH 04/20] nova-compute: trim image a bit on CentOS libguestfs package fetched kernel-core one which fetched linux-firmware. We remove the last one and save ~500MB of space: before/centos-binary-nova-compute: 3.3GB after1/centos-binary-nova-compute: 2.71GB Closes-Bug: #1946801 Change-Id: I98cc19c95fcec07dd4e494c14c09938d754f1de0 (cherry picked from commit bbef9846c3eff5c96d4e81ffd3b4cf3446dd1eb2) --- docker/nova/nova-compute/Dockerfile.j2 | 12 +++++++++--- releasenotes/notes/bug-1946801-5f3af3c44e567fcf.yaml | 6 ++++++ 2 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/bug-1946801-5f3af3c44e567fcf.yaml diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2 index 724fda8713..f98cac2e1b 100644 --- a/docker/nova/nova-compute/Dockerfile.j2 +++ b/docker/nova/nova-compute/Dockerfile.j2 
@@ -39,7 +39,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build ] %} {% endif %} -{{ macros.install_packages(nova_compute_packages | customizable("packages")) }} +{{ macros.install_packages(nova_compute_packages | customizable("packages")) }} \ + && dnf remove -y linux-firmware \ + && dnf clean all {% elif base_package_type == 'deb' %} @@ -112,6 +114,10 @@ RUN rm -f /etc/nova/nova-compute.conf ] %} {% endif %} +{{ macros.install_packages(nova_compute_packages | customizable("packages")) }} \ + && dnf remove -y linux-firmware \ + && dnf clean all + {% elif base_package_type == 'deb' %} {% set nova_compute_packages = [ @@ -151,11 +157,11 @@ RUN rm -f /etc/nova/nova-compute.conf ] %} {% endif %} -RUN mkdir -p /etc/ceph +RUN mkdir -p /etc/ceph \ + && {{ macros.install_packages(nova_compute_packages | customizable("packages"), chain=True) }} {% endif %} -{{ macros.install_packages(nova_compute_packages | customizable("packages")) }} {% set nova_compute_pip_packages = [ 'oslo-vmware' diff --git a/releasenotes/notes/bug-1946801-5f3af3c44e567fcf.yaml b/releasenotes/notes/bug-1946801-5f3af3c44e567fcf.yaml new file mode 100644 index 0000000000..b67c9751fd --- /dev/null +++ b/releasenotes/notes/bug-1946801-5f3af3c44e567fcf.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + CentOS ``nova-compute`` image has ``linux-firmware`` package removed to save + image size by ~500MB. + `LP#1926801 `__ From d034341d50a1ef69f759bfc9e18398e0f27cf024 Mon Sep 17 00:00:00 2001 
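Review bot: `dnf remove -y linux-firmware` in the two rpm branches (the binary hunk at -39 and the source hunk at -112) removes dependent packages without confirmation, and nothing afterwards checks that the packages the image needs are still installed. The commit message says linux-firmware arrives via libguestfs and kernel-core, so if either ever gains a hard dependency on it the build would still succeed while silently dropping them. A cheap guard is to append a query to the same RUN chain, e.g. `&& rpm -q libguestfs`, so the build fails instead. The chain also relies on `macros.install_packages` rendering a single RUN command that a trailing `\ &&` can extend; the macro is outside this diff, so that is worth confirming for an empty customised package list.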
From: Pierre Riteau Date: Tue, 7 Dec 2021 16:02:03 +0100 Subject: [PATCH 05/20] Ensure nvme-cli is present in nova-compute images The nvme-cli package is required to get the nvme command executed by os-brick, which is used by nova-compute. We don't need to explicitely install it for centos binary images, as it is required by os-brick which is required by openstack-nova-common, but all other types of images were missing it. Change-Id: I754939da7636c57d2a8d5b83debb5d8a58e38432 Closes-Bug: #1953509 (cherry picked from commit 30eddf72f6d5380bb6078481581e47b0eec84982) --- docker/nova/nova-compute-ironic/Dockerfile.j2 | 3 +-- docker/nova/nova-compute/Dockerfile.j2 | 6 ++++-- releasenotes/notes/nova-nvme-cli-bf940ad0005cac80.yaml | 5 +++++ 3 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/nova-nvme-cli-bf940ad0005cac80.yaml diff --git a/docker/nova/nova-compute-ironic/Dockerfile.j2 b/docker/nova/nova-compute-ironic/Dockerfile.j2 index b978e23996..1c5d7be37a 100644 --- a/docker/nova/nova-compute-ironic/Dockerfile.j2 +++ b/docker/nova/nova-compute-ironic/Dockerfile.j2 @@ -7,13 +7,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% import "macros.j2" as macros with context %} -{% set nova_compute_ironic_packages = ['genisoimage'] %} +{% set nova_compute_ironic_packages = ['genisoimage', 'nvme-cli'] %} {% if install_type == 'binary' %} {% if base_package_type == 'rpm' %} {% set nova_compute_ironic_packages = nova_compute_ironic_packages + [ - 'nvme-cli', 'openstack-nova-compute' ] %} {{ macros.install_packages(nova_compute_ironic_packages | customizable("packages")) }} diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2 index f98cac2e1b..697a4df5e5 100644 --- a/docker/nova/nova-compute/Dockerfile.j2 +++ b/docker/nova/nova-compute/Dockerfile.j2 
@@ -20,7 +20,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iscsi-initiator-utils', 'ndctl', 'nfs-utils', - 'nvme-cli', 'openstack-nova-compute', 'openvswitch', 'parted', @@ -54,8 +53,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'multipath-tools', 'nfs-common', 'nova-compute', - 'openvswitch-switch', + 'nvme-cli', 'open-iscsi', + 'openvswitch-switch', 'parted', 'pmdk-tools', 'python3-cephfs', @@ -96,6 +96,7 @@ RUN rm -f /etc/nova/nova-compute.conf 'libosinfo', 'ndctl', 'nfs-utils', + 'nvme-cli', 'openvswitch', 'parted', 'python3-libguestfs', @@ -128,6 +129,7 @@ RUN rm -f /etc/nova/nova-compute.conf 'libosinfo-bin', 'multipath-tools', 'nfs-common', + 'nvme-cli', 'open-iscsi', 'parted', 'pmdk-tools', diff --git a/releasenotes/notes/nova-nvme-cli-bf940ad0005cac80.yaml b/releasenotes/notes/nova-nvme-cli-bf940ad0005cac80.yaml new file mode 100644 index 0000000000..c5cfa373c8 --- /dev/null +++ b/releasenotes/notes/nova-nvme-cli-bf940ad0005cac80.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Ensures the ``nvme-cli`` package is present in ``nova-compute`` images, as + it expected by ``os-brick``. From 464d1517534fddefc70367abd19cb0acc8c6d694 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Wed, 22 Dec 2021 10:45:58 +0300 Subject: [PATCH 06/20] Fix variable name TrivialFix The customization format of the variable name should contain the [1]. This change fixes the name of the 'remote_apt_keys' variable in base Dockerfile. 1. https://docs.openstack.org/kolla/latest/admin/image-building.html#dockerfile-customisation Change-Id: I423db39e77f337a73d3d88e3dbd56469be45110b Signed-off-by: Maksim Malchuk (cherry picked from commit cb99f46929298f8e1d939cfca2a1d4831cd1efca) (cherry picked from commit c8d3709436c6bc0f9d6bc8c038f3f3fb64dd6cb1) --- docker/base/Dockerfile.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index e3258cfabc..4e2197ed2c 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -361,7 +361,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom 'F77F1EDA57EBB1CC', 'F6609E60DC62814E', ] %} - {% set remote_apt_keys = [ + {% set base_remote_apt_keys = [ 'https://packages.grafana.com/gpg.key', 'https://repos.influxdata.com/influxdb.key', ] %} @@ -372,7 +372,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom 'F77F1EDA57EBB1CC', 'F6609E60DC62814E', ] %} - {% set remote_apt_keys = [ + {% set base_remote_apt_keys = [ 'https://download.docker.com/linux/debian/gpg', 'https://packages.grafana.com/gpg.key', 'http://buster-ussuri.debian.net/debian/dists/pubkey.gpg', @@ -392,7 +392,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom {%- if not loop.last %} \ {% endif -%} {% endfor %} - {% for key in remote_apt_keys | customizable('remote_apt_keys') %} + {% for key in base_remote_apt_keys | customizable('remote_apt_keys') %} {%- if loop.first %} RUN {% else %} && {% endif %}curl {{ key }} | apt-key add - {%- if not loop.last %} \ {% endif -%} From bfc4c8e3c5a73bbd0130c0a4328914ee80072b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Wed, 5 Jan 2022 16:16:33 +0000 Subject: [PATCH 07/20] [CI] Stop testing non-stream CentOS Per [1]. It was agreed on during a Kolla IRC meeting. [2] This continues building non-stream images but using stream on the host. [1] http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026408.html [2] https://meetings.opendev.org/meetings/kolla/2021/kolla.2021-12-22-15.01.log.html#l-53 Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/823555 Change-Id: I080ad3bbc0e53cec2ac11bfd485c97d88388ef79 --- .zuul.d/base.yaml | 12 ------------ .zuul.d/centos.yaml | 38 ++++---------------------------------- 2 files changed, 4 insertions(+), 46 deletions(-) 
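Review bot: The loop rewritten in the last hunk still renders `curl {{ key }} | apt-key add -`, and the Debian `base_remote_apt_keys` list in the second hunk contains `http://buster-ussuri.debian.net/debian/dists/pubkey.gpg`. A signing key fetched over plain HTTP and piped straight into the apt trust store can be substituted on the network path during the image build, and without `-f` an HTTP error body is piped in as well and only fails by accident. Since the change already touches these lines, I would at least make the fetch strict, `curl -fsSL {{ key }} | apt-key add -`, and move the remaining `http://` entry to `https://` if the host supports it, or check the downloaded key's fingerprint before adding it. The blocks enclosing all three hunks start and end outside the visible lines.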
diff --git a/.zuul.d/base.yaml b/.zuul.d/base.yaml index ae7cb1be36..ebd1f7897f 100644 --- a/.zuul.d/base.yaml +++ b/.zuul.d/base.yaml @@ -51,12 +51,6 @@ LfDhCLDD3VtnVOrj4UxZsjzmPbday1fziua/7f+CXsShC5erz0ZM65rMCwkjWeI6Kc63A 0M27tl+OWHO3KkfFR4tWc3dws3r1kYjQeds0adBHyYD0eL8SJfwZkbtojAQ1JM= -- nodeset: - name: kolla-centos8 - nodes: - - name: primary - label: centos-8 - - nodeset: name: kolla-centos8-stream nodes: @@ -75,12 +69,6 @@ - name: primary label: debian-buster -- nodeset: - name: kolla-centos8-aarch64 - nodes: - - name: primary - label: centos-8-arm64 - - nodeset: name: kolla-centos8-stream-aarch64 nodes: diff --git a/.zuul.d/centos.yaml b/.zuul.d/centos.yaml index 374cffd7ee..3e7fd2ef42 100644 --- a/.zuul.d/centos.yaml +++ b/.zuul.d/centos.yaml @@ -6,9 +6,6 @@ - kolla-build-centos8-source - kolla-build-centos8s-binary - kolla-build-centos8s-source - - kolla-ansible-centos8-source - - kolla-ansible-centos8-binary - - kolla-ansible-centos8-source-upgrade - kolla-ansible-centos8s-source - kolla-ansible-centos8s-binary - kolla-ansible-centos8s-source-upgrade @@ -21,8 +18,6 @@ jobs: - kolla-build-centos8-source - kolla-build-centos8s-source - - kolla-ansible-centos8-source - - kolla-ansible-centos8-source-upgrade - kolla-ansible-centos8s-source - kolla-ansible-centos8s-source-upgrade periodic: 
@@ -46,31 +41,6 @@ experimental: jobs: - kolla-build-no-infra-wheels-centos8-source - - kolla-ansible-centos8-source-bifrost: - files: ^docker\/(base|bifrost|openstack-base)\/.* - # Test rabbitmq & mariadb changes in multinode ceph jobs. - - kolla-ansible-centos8-source-ceph-ansible: - files: ^docker\/(base|cinder|glance|mariadb|openstack-base|rabbitmq)\/.* - - kolla-ansible-centos8-source-upgrade-ceph-ansible: - files: ^docker\/(base|cinder|glance|mariadb|openstack-base|rabbitmq)\/.* - - kolla-ansible-centos8-source-zun: - files: ^docker\/(base|cinder|etcd|iscsid|kuryr|openstack-base|zun)\/.* - - kolla-ansible-centos8-source-scenario-nfv: - files: ^docker\/(base|barbican|heat|mistral|openstack-base|redis|tacker)\/.* - - kolla-ansible-centos8-source-ironic: - files: ^docker\/(base|dnsmasq|ironic|ironic-inspector|iscsid|openstack-base)\/.* - - kolla-ansible-centos8-source-swift: - files: ^docker/(base|openstack-base|glance|swift)/ - - kolla-ansible-centos8-source-mariadb: - files: ^docker/(base|mariadb)/ - - kolla-ansible-centos8-source-masakari: - files: ^docker/(base|masakari)/ - - kolla-ansible-centos8-source-ovn: - files: ^docker/(base|neutron|openstack-base|openvswitch|ovn)/ - - kolla-ansible-centos8-source-prometheus-efk: - files: ^docker/(base|elasticsearch|grafana|kibana|prometheus)/ - - kolla-ansible-centos8-source-kvm: - files: ^docker/nova/ - kolla-ansible-centos8s-source-bifrost: files: ^docker\/(base|bifrost|openstack-base)\/.* # Test rabbitmq & mariadb changes in multinode ceph jobs. @@ -100,7 +70,7 @@ - job: name: kolla-build-centos8-binary parent: kolla-base - nodeset: kolla-centos8 + nodeset: kolla-centos8-stream voting: false vars: base_distro: centos @@ -164,7 +134,7 @@ - job: name: kolla-build-centos8-source parent: kolla-base - nodeset: kolla-centos8 + nodeset: kolla-centos8-stream vars: base_distro: centos install_type: source 
@@ -182,7 +152,7 @@ - job: name: kolla-build-centos8-source-aarch64 parent: kolla-build-centos8-source - nodeset: kolla-centos8-aarch64 + nodeset: kolla-centos8-stream-aarch64 voting: false - job: @@ -238,7 +208,7 @@ - job: name: kolla-build-no-infra-wheels-centos8-source parent: kolla-build-no-infra-wheels-base - nodeset: kolla-centos8 + nodeset: kolla-centos8-stream vars: base_distro: centos install_type: source From ca6951744f273f20bcf05916f090ee84abb163ea Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 12 Jan 2022 11:17:06 +0100 Subject: [PATCH 08/20] magnum: fix issue with keystone auth default policy Closes-Bug: #1957159 Change-Id: I042da2234d0a06f1b7ddcac9eb6db8b86f13d205 (cherry picked from commit 0a536f47a8e077d37ccff3b3201512c2b793b0ab) --- docker/magnum/magnum-base/Dockerfile.j2 | 1 + ...magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml diff --git a/docker/magnum/magnum-base/Dockerfile.j2 b/docker/magnum/magnum-base/Dockerfile.j2 index 14024b6ace..981ea679f6 100644 --- a/docker/magnum/magnum-base/Dockerfile.j2 +++ b/docker/magnum/magnum-base/Dockerfile.j2 @@ -32,6 +32,7 @@ RUN ln -s magnum-base-source/* magnum \ && {{ macros.install_pip(magnum_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/magnum \ && cp -r /magnum/etc/magnum/* /etc/magnum \ + && mv /etc/magnum/keystone_auth_default_policy.sample /etc/magnum/keystone_auth_default_policy.json \ && chown -R magnum: /etc/magnum {% endif %} diff --git a/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml b/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml new file mode 100644 index 0000000000..820b69d3c2 --- /dev/null +++ b/releasenotes/notes/magnum-keystone-auth-default-policy-e16f7bb558aa4b14.yaml 
@@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes an issue with missing Magnum Keystone auth default policy. + `LP#1957159 `__ From 891396f7b6935c3716b195651dad332e03180d77 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 13 Jan 2022 22:35:27 +0100 Subject: [PATCH 09/20] Mitigate two Log4j vulnerabilities in Apache Storm The Log4j version was bumped on GitHub [1] but it is still pending inclusion in a release of Apache Storm. Apply the alternative mitigation recommended by Log4j [2] of removing the JndiLookup class from the classpath. [1] https://github.com/apache/storm/pull/3427 [2] https://logging.apache.org/log4j/2.x/security.html Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9 (cherry picked from commit 448e4f56aa6218a66b0074329d322c0b6089b2e6) --- docker/storm/storm-base/Dockerfile.j2 | 5 +++++ ...torm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml diff --git a/docker/storm/storm-base/Dockerfile.j2 b/docker/storm/storm-base/Dockerfile.j2 index 0f6fecbe1c..cc07ff5ffb 100644 --- a/docker/storm/storm-base/Dockerfile.j2 +++ b/docker/storm/storm-base/Dockerfile.j2 @@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} {% set storm_packages = [ 'java-1.8.0-openjdk-headless', + 'zip', ] %} {% elif base_package_type == 'deb' %} @@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set storm_packages = [ 'openjdk-' + java_version + '-jre-headless', + 'zip', ] %} {% endif %} 
@@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \ && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \ && rm -f /tmp/storm.tgz +# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class +# from the classpath +RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class {% endblock %} {% block storm_python_version %} diff --git a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml new file mode 100644 index 0000000000..5126662ad0 --- /dev/null +++ b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) + vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm. From 56f4942309d18ab241db8ebf0fe4a926caba3fbe Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Wed, 20 Oct 2021 15:28:16 +0200 Subject: [PATCH 10/20] openstack-base: drop anyjson It is required only in Tacker and fails to be installed. And even Tacker does not use it... Change-Id: Ic8ebe4089c84f923c24697d632eb294a262059a8 (cherry picked from commit ec06d44d2c095199a9e14aef2f036e957082537e) --- docker/openstack-base/Dockerfile.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index a1120332e1..9650d319f7 100644 --- a/docker/openstack-base/Dockerfile.j2 +++ b/docker/openstack-base/Dockerfile.j2 @@ -24,7 +24,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'mod_ssl', 'openssl', 'python3-alembic', - 'python3-anyjson', 'python3-aodhclient', 'python3-barbicanclient', 'python3-cachetools', @@ -212,7 +211,6 @@ ENV DEBIAN_FRONTEND noninteractive 'WSME', 'alembic', 'amqp', - 'anyjson', 'aodhclient', 'appdirs', 'bcrypt', From 02f5222b0c8fdbdc9bb5343f678ecd137c8e5433 Mon Sep 17 00:00:00 2001 
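Review bot: `zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` treats only the first glob match as the archive; if the pattern ever expands to more than one jar, the other paths are read as entry names to delete, so those jars keep the class and `-q` hides the warning. The mitigation also only looks in `/opt/storm/lib`, so any other log4j-core copy under `/opt/storm` (not visible from this hunk) would be left as is. I would iterate over every match, `RUN find /opt/storm -name 'log4j-core-*.jar' -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;`, and then fail the build if any log4j-core jar still lists `JndiLookup.class`. Doing this in the same RUN as the tar extraction above would also keep the unpatched jar out of the earlier image layer.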
From: Xinliang Liu Date: Fri, 15 May 2020 07:12:56 +0000 Subject: [PATCH 11/20] Use distro provided GRUB efi Use distro provided GRUB efi instead of creating it like ironic GRUB setup doc[1]. This avoids below ubuntu ironic-python-agent images PXE booting failure. ---------- error: invalid magic number. error: you need to load the kernel first. Press any key to continue... ---------- This also fixes x86_64 uefi pxe booting issue by setting up GRUB efi for x86_64. Besides, GRUB setup only needs to do once at bootstrap stage. [1]: https://docs.openstack.org/ironic/train/install/configure-pxe.html#uefi-pxe-GRUB-setup Closes-Bug: #1879265 Change-Id: I8be5bdf5f1a62751aefe6bd0959e8f558fcfe591 (cherry picked from commit b6e057d694d90d50ea278411d0edf20afe427e13) --- docker/ironic/ironic-pxe/Dockerfile.j2 | 10 ++--- docker/ironic/ironic-pxe/extend_start.sh | 40 ++++++++++++------- ...nt-pxe-booting-issue-95adaf9249207d5b.yaml | 6 +++ 3 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml diff --git a/docker/ironic/ironic-pxe/Dockerfile.j2 b/docker/ironic/ironic-pxe/Dockerfile.j2 index 700c4dfced..8236de6fbe 100644 --- a/docker/ironic/ironic-pxe/Dockerfile.j2 +++ b/docker/ironic/ironic-pxe/Dockerfile.j2 @@ -25,15 +25,19 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_arch != 's390x' %} {% set ironic_pxe_packages = ironic_pxe_packages + [ 'grub2-tools', - 'grub2-efi-aa64-modules' + 'grub2-efi-*64', + 'grub2-efi-aa64-modules', + 'shim-*64', ] %} {% endif %} {{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }} {% elif base_package_type == 'deb' %} {% set ironic_pxe_packages = [ + 'grub-efi-*64-signed', 'ipxe', 'pxelinux', + 'shim-signed', 'syslinux-common', 'tftpd-hpa' ] %} 
@@ -42,10 +46,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set ironic_pxe_packages = ironic_pxe_packages + [ 'syslinux' ] %} - {% elif base_arch == 'aarch64' %} - {% set ironic_pxe_packages = ironic_pxe_packages + [ - 'grub-efi-arm64' - ] %} {% endif %} {{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }} diff --git a/docker/ironic/ironic-pxe/extend_start.sh b/docker/ironic/ironic-pxe/extend_start.sh index 44f101bb0b..0cd7350072 100644 --- a/docker/ironic/ironic-pxe/extend_start.sh +++ b/docker/ironic/ironic-pxe/extend_start.sh @@ -1,7 +1,8 @@ #!/bin/bash -function prepare_pxe { +# For x86 legacy BIOS boot mode +function prepare_pxe_pxelinux { chown -R ironic: /tftpboot for pxe_file in /var/lib/tftpboot/pxelinux.0 /var/lib/tftpboot/chain.c32 /usr/lib/syslinux/pxelinux.0 \ /usr/lib/syslinux/chain.c32 /usr/lib/PXELINUX/pxelinux.0 \ @@ -12,6 +13,28 @@ function prepare_pxe { done } +# For UEFI boot mode +function prepare_pxe_grub { + if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then + shim_src_file="/usr/lib/shim/shim*64.efi.signed" + grub_src_file="/usr/lib/grub/*-efi-signed/grubnet*64.efi.signed" + elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then + shim_src_file="/boot/efi/EFI/centos/shim*64.efi" + grub_src_file="/boot/efi/EFI/centos/grub*64.efi" + fi + + if [[ "${KOLLA_BASE_ARCH}" == "x86_64" ]]; then + shim_dst_file="bootx64.efi" + grub_dst_file="grubx64.efi" + elif [[ "${KOLLA_BASE_ARCH}" == "aarch64" ]]; then + shim_dst_file="bootaa64.efi" + grub_dst_file="grubaa64.efi" + fi + + cp $shim_src_file /tftpboot/$shim_dst_file + cp $grub_src_file /tftpboot/$grub_dst_file +} + function prepare_ipxe { if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then cp /usr/lib/ipxe/{undionly.kpxe,ipxe.efi} /tftpboot 
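Review bot: `prepare_pxe_grub` copies with unquoted, unvalidated variables: when `KOLLA_BASE_DISTRO` or `KOLLA_BASE_ARCH` matches none of the branches, or a glob matches zero or several files, `cp $shim_src_file /tftpboot/$shim_dst_file` either fails or copies under an unintended name. Whether the script runs with `set -e` is not visible here; if it does not, the bootstrap block later in the file still reaches `exit 0` and the TFTP root is left without the signed shim/GRUB pair, or with a stale one. The `centos|rhel` branch also hard-codes `/boot/efi/EFI/centos/`, which presumably does not exist on RHEL. I would validate the selection, require exactly one match per glob and quote the copies, as below.

```shell
function prepare_pxe_grub {
    local shim_src_file grub_src_file shim_dst_file grub_dst_file
    # … unchanged: per-distro shim_src_file / grub_src_file and per-arch *_dst_file selection …

    if [[ -z "${shim_src_file}" || -z "${shim_dst_file}" ]]; then
        echo "prepare_pxe_grub: no UEFI boot files defined for ${KOLLA_BASE_DISTRO}/${KOLLA_BASE_ARCH}" >&2
        return 1
    fi

    # The source paths are globs on purpose; expand them and insist on a single file each.
    local shim_matches=( $shim_src_file ) grub_matches=( $grub_src_file )
    if [[ ${#shim_matches[@]} -ne 1 || ${#grub_matches[@]} -ne 1 \
            || ! -f "${shim_matches[0]}" || ! -f "${grub_matches[0]}" ]]; then
        echo "prepare_pxe_grub: expected exactly one shim and one GRUB EFI binary" >&2
        return 1
    fi

    cp -- "${shim_matches[0]}" "/tftpboot/${shim_dst_file}"
    cp -- "${grub_matches[0]}" "/tftpboot/${grub_dst_file}"
}
```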
@@ -23,21 +46,10 @@ function prepare_ipxe { # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases # of the KOLLA_BOOTSTRAP variable being set, including empty. if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then - prepare_pxe + prepare_pxe_pxelinux + prepare_pxe_grub prepare_ipxe exit 0 fi -if [[ -d /usr/lib/grub/arm64-efi ]]; then - modules="boot chain configfile efinet ext2 fat gettext help hfsplus loadenv \ - lsefi normal part_gpt part_msdos read search search_fs_file search_fs_uuid \ - search_label terminal terminfo tftp linux" - - if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then - grub-mkimage -v -o /tftpboot/grubaa64.efi -O arm64-efi -p "grub" $modules - elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then - grub2-mkimage -v -o /tftpboot/grubaa64.efi -O arm64-efi -p "EFI/centos" $modules - fi -fi - . /usr/local/bin/kolla_httpd_setup diff --git a/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml b/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml new file mode 100644 index 0000000000..1679f59f7a --- /dev/null +++ b/releasenotes/notes/fix-ubuntu-ironic-python-agent-pxe-booting-issue-95adaf9249207d5b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fix AArch64 ubuntu ironic-python-agent images UEFI PXE booting failure. + Also fix x86_64 lacking of GRUB efi files issue. + `LP#1879265 `__ From 07f519996381789c1f21850cfc9b27f3b86a6f4c Mon Sep 17 00:00:00 2001 
From: Michal Nasiadka Date: Thu, 3 Feb 2022 10:19:40 +0100 Subject: [PATCH 12/20] Drop CentOS Linux 8 image builds Included patch: Remove missing collectd packages Since CentOS Linux 8 repository retirement from CentOS mirrors - we need to use CentOS Stream 8 version of Opstools repo. Listed below packages are missing from the repo, and according to the maintainer dpdk_telemetry is not going to show up at all (it's basically dead). The rest of the packages might show up at a later stage - but it's not a priority for the maintainer. - collectd-dpdk_telemetry - collectd-libpod-stats - collectd-sensubility - python3-sqlalchemy-collectd (cherry picked from commit 405fca90f2c8d3763ac56ce8b925611d136bba6c) Change-Id: I95ea4a66a80bf035f8bd1180790c7e0c85d759ed --- .zuul.d/centos.yaml | 86 ------------------- doc/source/admin/image-building.rst | 8 -- doc/source/support_matrix.rst | 6 +- docker/base/Dockerfile.j2 | 7 ++ docker/collectd/Dockerfile.j2 | 4 - docker/openstack-base/Dockerfile.j2 | 1 - kolla/common/config.py | 12 +-- .../notes/centos-8-eol-4500333b5e01f448.yaml | 6 ++ 8 files changed, 24 insertions(+), 106 deletions(-) create mode 100644 releasenotes/notes/centos-8-eol-4500333b5e01f448.yaml diff --git a/.zuul.d/centos.yaml b/.zuul.d/centos.yaml index 3e7fd2ef42..ceba808e59 100644 --- a/.zuul.d/centos.yaml +++ b/.zuul.d/centos.yaml @@ -2,8 +2,6 @@ - project: check: jobs: - - kolla-build-centos8-binary - - kolla-build-centos8-source - kolla-build-centos8s-binary - kolla-build-centos8s-source - kolla-ansible-centos8s-source 
@@ -11,36 +9,27 @@ - kolla-ansible-centos8s-source-upgrade check-arm64: jobs: - - kolla-build-centos8-source-aarch64 - kolla-build-centos8s-source-aarch64 gate: queue: kolla jobs: - - kolla-build-centos8-source - kolla-build-centos8s-source - kolla-ansible-centos8s-source - kolla-ansible-centos8s-source-upgrade periodic: jobs: - - kolla-publish-centos8-source-quay - - kolla-publish-centos8-binary-quay - kolla-publish-centos8s-source-quay - kolla-publish-centos8s-binary-quay periodic-weekly: jobs: - - kolla-publish-centos8-source-dockerhub - - kolla-publish-centos8-binary-dockerhub - kolla-publish-centos8s-source-dockerhub - kolla-publish-centos8s-binary-dockerhub release: jobs: - - kolla-publish-centos8-source-dockerhub - - kolla-publish-centos8-binary-dockerhub - kolla-publish-centos8s-source-dockerhub - kolla-publish-centos8s-binary-dockerhub experimental: jobs: - - kolla-build-no-infra-wheels-centos8-source - kolla-ansible-centos8s-source-bifrost: files: ^docker\/(base|bifrost|openstack-base)\/.* # Test rabbitmq & mariadb changes in multinode ceph jobs. @@ -67,15 +56,6 @@ - kolla-ansible-centos8s-source-kvm: files: ^docker/nova/ -- job: - name: kolla-build-centos8-binary - parent: kolla-base - nodeset: kolla-centos8-stream - voting: false - vars: - base_distro: centos - install_type: binary - - job: name: kolla-build-centos8s-binary parent: kolla-base @@ -87,17 +67,6 @@ base_tag: stream8 install_type: binary -- job: - name: kolla-publish-centos8-binary-dockerhub - parent: kolla-build-centos8-binary - post-run: tests/playbooks/publish.yml - vars: - publisher: true - kolla_registry: dockerhub - kolla_namespace: kolla - secrets: - - kolla_dockerhub_creds - - job: name: kolla-publish-centos8s-binary-dockerhub parent: kolla-build-centos8s-binary 
@@ -109,17 +78,6 @@ secrets: - kolla_dockerhub_creds -- job: - name: kolla-publish-centos8-binary-quay - parent: kolla-build-centos8-binary - post-run: tests/playbooks/publish.yml - vars: - publisher: true - kolla_registry: quay.io - kolla_namespace: openstack.kolla - secrets: - - kolla_quay_io_creds - - job: name: kolla-publish-centos8s-binary-quay parent: kolla-build-centos8s-binary @@ -131,14 +89,6 @@ secrets: - kolla_quay_io_creds -- job: - name: kolla-build-centos8-source - parent: kolla-base - nodeset: kolla-centos8-stream - vars: - base_distro: centos - install_type: source - - job: name: kolla-build-centos8s-source parent: kolla-base @@ -149,29 +99,12 @@ base_tag: stream8 install_type: source -- job: - name: kolla-build-centos8-source-aarch64 - parent: kolla-build-centos8-source - nodeset: kolla-centos8-stream-aarch64 - voting: false - - job: name: kolla-build-centos8s-source-aarch64 parent: kolla-build-centos8s-source nodeset: kolla-centos8-stream-aarch64 voting: false -- job: - name: kolla-publish-centos8-source-dockerhub - parent: kolla-build-centos8-source - post-run: tests/playbooks/publish.yml - vars: - publisher: true - kolla_registry: dockerhub - kolla_namespace: kolla - secrets: - - kolla_dockerhub_creds - - job: name: kolla-publish-centos8s-source-dockerhub parent: kolla-build-centos8s-source @@ -183,17 +116,6 @@ secrets: - kolla_dockerhub_creds -- job: - name: kolla-publish-centos8-source-quay - parent: kolla-build-centos8-source - post-run: tests/playbooks/publish.yml - vars: - publisher: true - kolla_registry: quay.io - kolla_namespace: openstack.kolla - secrets: - - kolla_quay_io_creds - - job: name: kolla-publish-centos8s-source-quay parent: kolla-build-centos8s-source @@ -204,11 +126,3 @@ kolla_namespace: openstack.kolla secrets: - kolla_quay_io_creds - -- job: - name: kolla-build-no-infra-wheels-centos8-source - parent: kolla-build-no-infra-wheels-base - nodeset: kolla-centos8-stream - vars: - base_distro: centos - install_type: source 
diff --git a/doc/source/admin/image-building.rst b/doc/source/admin/image-building.rst index 1e51e135ed..069f67e2d6 100644 --- a/doc/source/admin/image-building.rst +++ b/doc/source/admin/image-building.rst @@ -78,14 +78,6 @@ See the :ref:`support matrix ` for information on supported base image distribution versions and supported images on each distribution. -The Victoria release supports both CentOS 8 Linux and CentOS 8 Stream base -container images. The default is to use CentOS 8 Linux. CentOS 8 Stream -may be used as follows: - -.. code-block:: console - - kolla-build --base centos --base-image quay.io/centos/centos --base-tag stream8 - It is possible to build only a subset of images by specifying them on the command line: diff --git a/doc/source/support_matrix.rst b/doc/source/support_matrix.rst index 87a6cfa1bb..364f3ccf0f 100644 --- a/doc/source/support_matrix.rst +++ b/doc/source/support_matrix.rst @@ -19,10 +19,14 @@ The following base container images are supported: CentOS 7 is no longer supported as a base container image. The Train release supports both CentOS 7 and 8 images, and provides a route for migration. +.. note:: + + CentOS 8 is no longer supported since it has been marked as End of Life + and repositories have been removed from CentOS mirrors. + =============== ============ =============================== ================ Distribution Default base Default base image Default base tag =============== ============ =============================== ================ -CentOS 8 Linux centos centos 8 CentOS 8 Stream centos quay.io/centos/centos stream8 Debian Buster debian debian 10 RHEL 8 rhel rhel 8 diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 4e2197ed2c..6248b8c215 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 
@@ -223,6 +223,13 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("centos_yum_repo_packages"), chain=True, clean=False) }} +{# TODO(mnasiadka): Remove me once Nautilus C8S lands on mirror.centos.org #} + +RUN sed -i \ + -e "s|^\(mirrorlist.*\)|#\1|" \ + -e "s|^#baseurl=http://mirror.centos.org.*|baseurl=https://trunk.rdoproject.org/centos8-master/deps/storage/nautilus/|" \ + /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo + {%- for repo in base_centos_yum_repos_to_enable | customizable('centos_yum_repos_to_enable') %} && dnf config-manager --enable {{ repo }} {% endfor -%} {%- for repo in base_centos_yum_repos_to_disable | customizable('centos_yum_repos_to_disable') %} && dnf config-manager --disable {{ repo }} {% endfor -%} diff --git a/docker/collectd/Dockerfile.j2 b/docker/collectd/Dockerfile.j2 index d991827dc3..585d1f830b 100644 --- a/docker/collectd/Dockerfile.j2 +++ b/docker/collectd/Dockerfile.j2 @@ -30,10 +30,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-dbi', 'collectd-disk', 'collectd-dns', - 'collectd-dpdk_telemetry', 'collectd-generic-jmx', 'collectd-ipmi', - 'collectd-libpod-stats', 'collectd-log_logstash', 'collectd-logparser', 'collectd-mcelog', @@ -47,7 +45,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-procevent', 'collectd-python', 'collectd-sensors', - 'collectd-sensubility', 'collectd-smart', 'collectd-snmp', 'collectd-snmp-agent', @@ -57,7 +54,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'collectd-write_http', 'collectd-write_kafka', 'collectd-write_prometheus', - 'python3-sqlalchemy-collectd' ] %} {% if base_arch in ['x86_64', 'ppc64le'] %} diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index 9650d319f7..a238d17024 100644 --- a/docker/openstack-base/Dockerfile.j2 
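Review bot: The added `RUN sed -i` on `/etc/yum.repos.d/CentOS-Ceph-Nautilus.repo` can leave the repo with no source at all. Its first expression always comments out `mirrorlist`, while the second only rewrites a line that starts with `#baseurl=http://mirror.centos.org`. If the packaged repo file is worded differently, the build fails later in an unrelated dnf step, or silently skips the repo. Chaining a check such as `&& grep -q '^baseurl=https://trunk.rdoproject.org/' /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo` would make the build stop here instead. The new baseurl is a `centos8-master` deps tree, and the hunk does not show whether the repo file's `gpgcheck`/`gpgkey` settings still verify packages from it, so that is worth confirming before backporting.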
+++ b/docker/openstack-base/Dockerfile.j2 @@ -87,7 +87,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-routes', 'python3-saharaclient', 'python3-sqlalchemy', - 'python3-sqlalchemy-collectd', 'python3-sqlparse', 'python3-swiftclient', 'python3-sysv_ipc', diff --git a/kolla/common/config.py b/kolla/common/config.py index 55aec94126..7edfa95778 100755 --- a/kolla/common/config.py +++ b/kolla/common/config.py @@ -22,10 +22,10 @@ BASE_OS_DISTRO = ['centos', 'rhel', 'ubuntu', 'debian'] BASE_ARCH = ['x86_64', 'ppc64le', 'aarch64'] DEFAULT_BASE_TAGS = { - 'centos': '8', - 'rhel': '8', - 'debian': '10', - 'ubuntu': '20.04', + 'centos': {'name': 'quay.io/centos/centos', 'tag': 'stream8'}, + 'rhel': {'name': 'registry.access.redhat.com/ubi8', 'tag': 'latest'}, + 'debian': {'name': 'debian', 'tag': '10'}, + 'ubuntu': {'name': 'ubuntu', 'tag': '20.04'}, } DISTRO_RELEASE = { 'centos': '8', @@ -1198,10 +1198,10 @@ def parse(conf, args, usage=None, prog=None, # NOTE(jeffrey4l): set the default base tag based on the # base option - conf.set_default('base_tag', DEFAULT_BASE_TAGS.get(conf.base)) + conf.set_default('base_tag', DEFAULT_BASE_TAGS[conf.base]['tag']) prefix = '' if conf.openstack_release == 'master' else 'stable-' openstack_branch = '{}{}'.format(prefix, conf.openstack_release) conf.set_default('openstack_branch', openstack_branch) if not conf.base_image: - conf.base_image = conf.base + conf.base_image = DEFAULT_BASE_TAGS[conf.base]['name'] diff --git a/releasenotes/notes/centos-8-eol-4500333b5e01f448.yaml b/releasenotes/notes/centos-8-eol-4500333b5e01f448.yaml new file mode 100644 index 0000000000..a22d0e579f --- /dev/null +++ b/releasenotes/notes/centos-8-eol-4500333b5e01f448.yaml @@ -0,0 +1,6 @@ +--- +critical: + - | + CentOS Linux 8 (non-Stream) support has been dropped, since + repositories have been removed from CentOS mirrors - see + `announcement `_. 
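Review bot: The new `'rhel': {'name': 'registry.access.redhat.com/ubi8', 'tag': 'latest'}` entry in `DEFAULT_BASE_TAGS` makes the default RHEL base a mutable tag, whereas the other three entries keep a version tag. Two builds of the same Kolla release can then start from different base layers, and nothing is recorded about which one was used. A version tag or digest would keep the default reproducible. The entry also changes the default RHEL image from `rhel`/`8` to UBI, which the release note added by this commit does not mention. Since the dict now carries image names as well as tags, a comment above it such as `# distro -> default base image name and tag` would stop the name from misleading readers.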
From 77d683caaaed46149d2323b5a94c0e73bef3241c Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 10 Feb 2022 10:58:55 +0000 Subject: [PATCH 13/20] ironic: Fix UEFI & iPXE bootloader filenames When using Ironic with UEFI boot mode and iPXE booting, nodes will attempt to chainload iPXE using a Network Boot Program (NBP). This is configured in Ironic via [pxe] uefi_ipxe_bootfile_name, and the default since Xena is snponly.efi. In Wallaby and earlier releases, the default was ipxe.efi. These files need to be available in the /tftpboot directory of the ironic-pxe image. The current default of snponly.efi was not present for any supported distros. ipxe.efi was present for Debian/Ubuntu but not CentOS, which appends the architecture to the filename (e.g. ipxe-x86_64.efi). This change ensures that both ipxe.efi and snponly.efi exist in /tftpboot for all supported distributions, ensuring that both the current and previous Ironic defaults should work. Where these files have different names, we use symlinks to allow for any deployers overriding the filenames in configuration. Closes-Bug: #1959203 Change-Id: I79e78dca550262fc86b092a036f9ea96b214ab48 (cherry picked from commit 909710d739f1d7d4c2ef0865ebc9338f260aaa5b) --- docker/ironic/ironic-pxe/extend_start.sh | 17 +++++++++++++++++ .../notes/bug-1959203-1bb695e052248d78.yaml | 8 ++++++++ 2 files changed, 25 insertions(+) create mode 100644 releasenotes/notes/bug-1959203-1bb695e052248d78.yaml diff --git a/docker/ironic/ironic-pxe/extend_start.sh b/docker/ironic/ironic-pxe/extend_start.sh index 0cd7350072..739ace15e0 100644 --- a/docker/ironic/ironic-pxe/extend_start.sh +++ b/docker/ironic/ironic-pxe/extend_start.sh 
@@ -36,10 +36,27 @@ function prepare_pxe_grub { } function prepare_ipxe { + # NOTE(mgoddard): Ironic uses snponly.efi as the default for + # uefi_ipxe_bootfile_name since Xena. In Wallaby and earlier releases it + # was ipxe.efi. Ensure that both exist, using symlinks where the files are + # named differently to allow the original names to be used in ironic.conf. if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then cp /usr/lib/ipxe/{undionly.kpxe,ipxe.efi} /tftpboot + # NOTE(mgoddard): The 'else' can be removed when snponly.efi is + # available in Jammy 22.04. + if [[ -f /usr/lib/ipxe/snponly.efi ]]; then + cp /usr/lib/ipxe/snponly.efi /tftpboot/snponly.efi + elif [[ ! -e /tftpboot/snponly.efi ]]; then + ln -s /tftpboot/ipxe.efi /tftpboot/snponly.efi + fi elif [[ "${KOLLA_BASE_DISTRO}" =~ centos|rhel ]]; then cp /usr/share/ipxe/{undionly.kpxe,ipxe*.efi} /tftpboot + if [[ ! -e /tftpboot/ipxe.efi ]]; then + ln -s /tftpboot/ipxe-${KOLLA_BASE_ARCH}.efi /tftpboot/ipxe.efi + fi + if [[ ! -e /tftpboot/snponly.efi ]]; then + ln -s /tftpboot/ipxe-snponly-${KOLLA_BASE_ARCH}.efi /tftpboot/snponly.efi + fi fi } diff --git a/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml b/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml new file mode 100644 index 0000000000..a6068423bd --- /dev/null +++ b/releasenotes/notes/bug-1959203-1bb695e052248d78.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + Fixes an issue with Ironic deployments using UEFI and iPXE, where the + default UEFI iPXE bootloader in Ironic was not available in the TFTP + server. This affects all Kolla releases on CentOS, and Xena on + Debian/Ubuntu. `LP#1959203 + `__ From 07a4e434d3c04108e49a8185a3803298d53e1367 Mon Sep 17 00:00:00 2001 
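Review bot: The `[[ ! -e ... ]]` guards in front of the new `ln -s` calls in `prepare_ipxe` do not make the step safe to re-run. `-e` follows symlinks, so a dangling link from an earlier run passes the test and `ln -s` then fails with "File exists". Nothing checks that the link target was actually copied either, so on an arch where `ipxe-snponly-${KOLLA_BASE_ARCH}.efi` is not shipped, `/tftpboot/snponly.efi` ends up as a broken link and the failure shows only at boot time. Guarding on the target and forcing the link covers both, e.g. `[[ -f "/tftpboot/ipxe-snponly-${KOLLA_BASE_ARCH}.efi" ]] && ln -sf "ipxe-snponly-${KOLLA_BASE_ARCH}.efi" /tftpboot/snponly.efi`, and likewise for `ipxe.efi` and the Debian/Ubuntu fallback. The relative target in that example also keeps resolving if the TFTP daemon is chrooted to `/tftpboot`, which is not visible from this hunk.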
From: Michal Nasiadka Date: Tue, 8 Feb 2022 09:11:48 +0100 Subject: [PATCH 14/20] base: Drop usage of Ceph Nautilus from RDO This was temporary due to missing Ceph Nautilus repo on CentOS mirrors (after removing CentOS Linux content on EOL date). Change-Id: I86aa697b8def34e0cfb11d2f5ad903dd54e975ef (cherry picked from commit 7f38bce812ccb621a089755526f79bd792f4e071) --- docker/base/Dockerfile.j2 | 7 ------- tests/templates/template_overrides.j2 | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 6248b8c215..4e2197ed2c 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -223,13 +223,6 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("centos_yum_repo_packages"), chain=True, clean=False) }} -{# TODO(mnasiadka): Remove me once Nautilus C8S lands on mirror.centos.org #} - -RUN sed -i \ - -e "s|^\(mirrorlist.*\)|#\1|" \ - -e "s|^#baseurl=http://mirror.centos.org.*|baseurl=https://trunk.rdoproject.org/centos8-master/deps/storage/nautilus/|" \ - /etc/yum.repos.d/CentOS-Ceph-Nautilus.repo - {%- for repo in base_centos_yum_repos_to_enable | customizable('centos_yum_repos_to_enable') %} && dnf config-manager --enable {{ repo }} {% endfor -%} {%- for repo in base_centos_yum_repos_to_disable | customizable('centos_yum_repos_to_disable') %} && dnf config-manager --disable {{ repo }} {% endfor -%} diff --git a/tests/templates/template_overrides.j2 b/tests/templates/template_overrides.j2 index 7fdf25fb81..be9145de97 100644 --- a/tests/templates/template_overrides.j2 +++ b/tests/templates/template_overrides.j2 
@@ -36,6 +36,12 @@ RUN sed -i \ {% block base_centos_repo_overrides_post_yum -%} {%- endraw -%} +{# TODO(mnasiadka): Drop this line once baseurl in centos-ceph-nautilus has $stream instead of #} +{# pointing to centos8 #} + && sed -i \ + -e "s|^\(mirrorlist.*\)|#\1|" \ + -e "s|^#baseurl=http://mirror.centos.org/\$contentdir/\$releasever|baseurl=http://{{ nodepool_mirror_host }}/\$contentdir/\$stream|" \ + /etc/yum.repos.d/CentOS-Ceph*.repo \ && sed -i \ -e "s|^\(mirrorlist.*\)|#\1|" \ -e "s|^#baseurl=http://mirror.centos.org|baseurl=http://{{ nodepool_mirror_host }}|" \ From 545fed783d5f72fce41a4a54669c4518f7f8ac63 Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Fri, 4 Feb 2022 17:15:27 +0100 Subject: [PATCH 15/20] collectd: pcie-errors is x86-64 only now Change-Id: Iad7e7ebb1fbf4d14f20960d6257345db71d0e214 (cherry picked from commit 941d021e091567d2709bbb868768c6dc4a3372e0) --- docker/collectd/Dockerfile.j2 | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docker/collectd/Dockerfile.j2 b/docker/collectd/Dockerfile.j2 index 585d1f830b..6f8e93ad5d 100644 --- a/docker/collectd/Dockerfile.j2 +++ b/docker/collectd/Dockerfile.j2 @@ -65,18 +65,13 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_arch =='x86_64' %} {% set collectd_packages = collectd_packages + [ 'collectd-hugepages', + 'collectd-pcie-errors', 'collectd-pmu', 'collectd-rdt', 'collectd-turbostat' ] %} {% endif %} - {% if base_arch != 's390x' %} - {% set collectd_packages = collectd_packages + [ - 'collectd-pcie-errors' - ] %} - {% endif %} - {% endif %} {{ macros.install_packages(collectd_packages | customizable("packages")) }} From 674aede28e86cce56fc1a48ce07cc0444380d075 Mon Sep 17 00:00:00 2001 
From: Marcin Juszkiewicz Date: Thu, 3 Feb 2022 14:14:27 +0100 Subject: [PATCH 16/20] erlang: use packages from Erlang Solutions on AArch64 RabbitMQ requires Erlang 23+ and soon will bump to 24+. On AArch64 we used version 22 as there was no other option. Now it is. Change-Id: I667ccda5bb4edbfbfb97dfb0cea264837ed05cae (cherry picked from commit f943c7d773a280b832dde9edf9d615540b259b5c) --- docker/base/Dockerfile.j2 | 4 ++++ docker/base/erlang-solutions.repo | 6 ++++++ docker/kolla-toolbox/Dockerfile.j2 | 22 ++++++++-------------- docker/rabbitmq/Dockerfile.j2 | 21 ++++++++------------- kolla/template/repos.yaml | 2 +- 5 files changed, 27 insertions(+), 28 deletions(-) create mode 100644 docker/base/erlang-solutions.repo diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 4e2197ed2c..188f6d2aab 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -92,12 +92,14 @@ COPY dnf.conf /etc/dnf/dnf.conf {% elif base_arch == 'aarch64' %} {% set base_yum_repo_files = [ 'elasticsearch.repo', + 'erlang-solutions.repo', 'grafana.repo', 'rabbitmq_rabbitmq-server.repo', 'td.repo', ] %} {% set base_yum_repo_keys = [ + 'https://packages.erlang-solutions.com/rpm/erlang_solutions.asc', 'https://packages.grafana.com/gpg.key', 'https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc', ] %} @@ -213,6 +215,8 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 'centos-ceph-nautilus', 'centos-opstools', 'centos-rabbitmq-38', + 'epel', + 'epel-modular', ] %} {% if base_arch == 'x86_64' %} diff --git a/docker/base/erlang-solutions.repo b/docker/base/erlang-solutions.repo new file mode 100644 index 0000000000..4adbe680fc --- /dev/null +++ b/docker/base/erlang-solutions.repo @@ -0,0 +1,6 @@ +[erlang-solutions] +name=erlang-solutions +baseurl=https://packages.erlang-solutions.com/rpm/centos/$releasever/$basearch +gpgcheck=1 +gpgkey=https://packages.erlang-solutions.com/rpm/erlang_solutions.asc +enabled=0 
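Review bot: The key URL `https://packages.erlang-solutions.com/rpm/erlang_solutions.asc`, added to the aarch64 `base_yum_repo_keys` and repeated as `gpgkey=` in the new `erlang-solutions.repo`, is trusted as whatever that URL serves at build time. `gpgcheck=1` then only proves the packages match that fetched key, not a key the project has reviewed. Vendoring the key file next to `erlang-solutions.repo` in `docker/base`, or checking the imported key's fingerprint against a value recorded in the template, would close that gap. A comment next to the entry such as `{# expected fingerprint: <erlang-solutions-key-fingerprint> #}` would at least document what to verify. The code that imports `base_yum_repo_keys` is outside this hunk, so how the key is consumed is assumed rather than seen.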
diff --git a/docker/kolla-toolbox/Dockerfile.j2 b/docker/kolla-toolbox/Dockerfile.j2 index fa66b838de..9d3296ed49 100644 --- a/docker/kolla-toolbox/Dockerfile.j2 +++ b/docker/kolla-toolbox/Dockerfile.j2 @@ -14,12 +14,17 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.configure_user(name='ansible') }} {{ macros.configure_user(name='rabbitmq') }} -{{ macros.enable_extra_repos(['rabbitmq', 'erlang']) }} +{% if base_arch == 'aarch64' %} +{{ macros.enable_extra_repos(['epel']) }} +{% endif %} + +{{ macros.enable_extra_repos(['erlang', 'openvswitch', 'powertools', 'rabbitmq']) }} {% if base_package_type == 'rpm' %} {% set kolla_toolbox_packages = [ 'crudini', + 'erlang-23.*', 'gcc', 'gdisk', 'git', @@ -34,19 +39,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'openssl-devel', 'openvswitch', 'python3-devel', - ] %} - - {% if base_arch == 'aarch64' %} - {% set kolla_toolbox_packages = kolla_toolbox_packages + [ - 'erlang-22.*', - 'rabbitmq-server-3.8.14' - ] %} - {% else %} - {% set kolla_toolbox_packages = kolla_toolbox_packages + [ - 'erlang-23.*', - 'rabbitmq-server-3.8.*' - ] %} - {% endif %} + 'rabbitmq-server-3.8.*' + ] %} {% elif base_package_type == 'deb' %} {% set kolla_toolbox_packages = [ diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2 index d629561870..646586b392 100644 --- a/docker/rabbitmq/Dockerfile.j2 +++ b/docker/rabbitmq/Dockerfile.j2 
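Review bot: The new `{% if base_arch == 'aarch64' %}` block that enables `epel` in kolla-toolbox has no explanation, while the same block in the rabbitmq Dockerfile of this commit does. Adding `{# NOTE(hrw): erlang packages from Erlang Solutions needs libwx from EPEL #}` above it would keep the two in step. The `enable_extra_repos` list also gains `openvswitch` and `powertools`, which the commit message does not mention. With EPEL enabled for the whole install step, any name in `kolla_toolbox_packages` may resolve from EPEL on aarch64; how `enable_extra_repos` scopes the repos is not visible here, so it is worth confirming that only the libwx dependency is meant to come from there.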
@@ -9,27 +9,22 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.configure_user(name='rabbitmq') }} -{{ macros.enable_extra_repos(['rabbitmq', 'erlang']) }} +{# NOTE(hrw): erlang packages from Erlang Solutions needs libwx from EPEL #} +{% if base_arch == 'aarch64' %} +{{ macros.enable_extra_repos(['epel']) }} +{% endif %} + +{{ macros.enable_extra_repos(['erlang', 'powertools', 'rabbitmq']) }} {% block rabbitmq_install %} {% if base_package_type == 'rpm' %} {% set rabbitmq_packages = [ + 'erlang-23.*', 'hostname', + 'rabbitmq-server-3.8.*' ] %} - {% if base_arch == 'aarch64' %} - {% set rabbitmq_packages = rabbitmq_packages + [ - 'erlang-22.*', - 'rabbitmq-server-3.8.14' - ] %} - {% else %} - {% set rabbitmq_packages = rabbitmq_packages + [ - 'erlang-23.*', - 'rabbitmq-server-3.8.*' - ] %} - {% endif %} - {% elif base_package_type == 'deb' %} {% set rabbitmq_packages = [ 'logrotate', diff --git a/kolla/template/repos.yaml b/kolla/template/repos.yaml index e2ebd0d60c..b675902131 100644 --- a/kolla/template/repos.yaml +++ b/kolla/template/repos.yaml @@ -21,7 +21,7 @@ centos-aarch64: elasticsearch: "elasticsearch-kibana-logstash-6.x" epel: "epel" epel-modular: "epel-modular" - erlang: "centos-rabbitmq-38" + erlang: "erlang-solutions" extras: "extras" grafana: "grafana" hacluster: "ha" From 9b1ff36ac4cba497404852f329069f179659ed97 Mon Sep 17 00:00:00 2001 
From: Jakub Darmach Date: Thu, 27 Jan 2022 14:39:54 +0100 Subject: [PATCH 17/20] Ensure set_configs sets execute bit on directories While handling permissions for directories, set_configs.py configures them same as for files - i.e. 0640 set in config.json which works fine for file will cause any potential subdirectories to lack traverse permission. Check and permission change was added to handle_permissions function to add +x if +r is present for user, group, others. Change-Id: Ic6e3ae4ff40c6ce5a5c0646ed309a2938903f6c0 (cherry picked from commit 1fe983df4fafa5a4a8eafe206e4abfaec2418da1) --- docker/base/set_configs.py | 10 ++++++++++ ...-directory-execute-permission-8ab919b7b17025d2.yaml | 5 +++++ 2 files changed, 15 insertions(+) create mode 100644 releasenotes/notes/set_config-directory-execute-permission-8ab919b7b17025d2.yaml diff --git a/docker/base/set_configs.py b/docker/base/set_configs.py index 0cb0e414c6..e624f29ba8 100644 --- a/docker/base/set_configs.py +++ b/docker/base/set_configs.py @@ -20,6 +20,7 @@ import os import pwd import shutil +import stat import sys @@ -369,6 +370,15 @@ def set_perms(path, uid, gid, perm): perm = ''.join([perm[:1], 'o', perm[1:]]) perm = int(perm, base=0) + # Ensure execute bit on directory if read bit is set + if os.path.isdir(path): + if perm & stat.S_IRUSR: + perm |= stat.S_IXUSR + if perm & stat.S_IRGRP: + perm |= stat.S_IXGRP + if perm & stat.S_IROTH: + perm |= stat.S_IXOTH + try: os.chmod(path, perm) except OSError: diff --git a/releasenotes/notes/set_config-directory-execute-permission-8ab919b7b17025d2.yaml b/releasenotes/notes/set_config-directory-execute-permission-8ab919b7b17025d2.yaml new file mode 100644 index 0000000000..04a047629f --- /dev/null +++ b/releasenotes/notes/set_config-directory-execute-permission-8ab919b7b17025d2.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes set_configs.py configuring same permission for directories and files, + causing directories lacking execute permission if not set for files. 
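Review bot: After this change in `set_perms`, the mode passed to `os.chmod` can differ from the one written in config.json, and the only trace is the short comment `# Ensure execute bit on directory if read bit is set`. Someone auditing container file permissions against config.json will see, for example, 0750 on a directory configured as 0640 with no hint why. A fuller comment would help, e.g. `# Directories need the execute (search) bit to be traversed; mirror each read bit so a file-oriented mode such as 0640 becomes 0750 on a directory.` Logging the adjusted mode at debug level through the module's existing logger would help as well. Note that `os.path.isdir` follows symlinks, so a link to a directory is treated as a directory here. The body of `set_perms` starts and ends outside this hunk.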
From 61f1705bce5628c6d19903640748c23c003f9fb3 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 24 Feb 2022 17:00:56 +0100 Subject: [PATCH 18/20] Use python3-openvswitch from distro We should use the same Python OVS bindings package version as running OpenvSwitch. See related bug. Closes-Bug: #1961874 (cherry picked from commit 8e8a499adc3ae0c4009bacde65cf3a141632ef3c) Change-Id: Ideae0c81d7c3833c8b0e22fce8691e9e42949ec5 --- docker/nova/nova-base/Dockerfile.j2 | 6 ++++-- docker/octavia/octavia-base/Dockerfile.j2 | 6 ++++++ docker/openstack-base/Dockerfile.j2 | 5 +++++ releasenotes/notes/distro-python-ovs-df705d1e59f16cde.yaml | 6 ++++++ 4 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/distro-python-ovs-df705d1e59f16cde.yaml diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2 index 7cf5cd50ca..67400baea7 100644 --- a/docker/nova/nova-base/Dockerfile.j2 +++ b/docker/nova/nova-base/Dockerfile.j2 @@ -56,7 +56,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} {% set nova_base_packages = [ - 'openvswitch' + 'openvswitch', + 'python3-openvswitch' ] %} {% if base_arch == 'x86_64' %} {% set nova_base_packages = nova_base_packages + [ @@ -79,7 +80,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iptables', 'openssh-client', 'openvswitch-switch', - 'python3-libvirt' + 'python3-libvirt', + 'python3-openvswitch' ] %} {% if base_arch == 'x86_64' %} {% set nova_base_packages = nova_base_packages + [ diff --git a/docker/octavia/octavia-base/Dockerfile.j2 b/docker/octavia/octavia-base/Dockerfile.j2 index 8ae291f1ed..69d1a32c28 100644 --- a/docker/octavia/octavia-base/Dockerfile.j2 +++ b/docker/octavia/octavia-base/Dockerfile.j2 
@@ -23,6 +23,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.install_packages(octavia_base_packages | customizable("packages")) }} {% elif install_type == 'source' %} + {% set octavia_base_packages = [ + 'python3-openvswitch' + ] %} + +{{ macros.install_packages(octavia_base_packages | customizable("packages")) }} + ADD octavia-base-archive /octavia-base-source {% set octavia_base_pip_packages = [ diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2 index a238d17024..9103ab24ec 100644 --- a/docker/openstack-base/Dockerfile.j2 +++ b/docker/openstack-base/Dockerfile.j2 @@ -312,6 +312,11 @@ ENV DEBIAN_FRONTEND noninteractive ADD openstack-base-archive /openstack-base-source RUN ln -s openstack-base-source/* /requirements \ +{# NOTE(mnasiadka): Remove ovs from upper-constraints.txt because python3-openvswitch + is usually newer than UC entry and older version would get installed + in venv (see https://launchpad.net/bugs/1961874). +#} + && sed -i /^ovs=/d /requirements/upper-constraints.txt \ && mkdir -p /var/lib/kolla \ && {{ macros.install_pip(['virtualenv'])}} \ && virtualenv --system-site-packages /var/lib/kolla/venv diff --git a/releasenotes/notes/distro-python-ovs-df705d1e59f16cde.yaml b/releasenotes/notes/distro-python-ovs-df705d1e59f16cde.yaml new file mode 100644 index 0000000000..0d22a0167a --- /dev/null +++ b/releasenotes/notes/distro-python-ovs-df705d1e59f16cde.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes an issue when older version of Python OpenvSwitch bindings package + was used, than the running OpenvSwitch code. + `LP#1961874 `__ From 1ea5c73d6adbed04b9f25e310fc1590e6c269edc Mon Sep 17 00:00:00 2001 
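Review bot: The added `sed -i /^ovs=/d /requirements/upper-constraints.txt` in openstack-base drops the `ovs` pin for every image built on top of it, but this patch adds `python3-openvswitch` only to the nova-base and octavia-base package lists. In any other source image whose pip requirements pull in `ovs`, pip would then resolve it with no upper constraint and take whatever the index offers. Whether such images exist is not visible from these hunks. Installing `python3-openvswitch` in the source branch of openstack-base itself would keep the removed constraint and its replacement in one place. Quoting the expression, `sed -i '/^ovs=/d' /requirements/upper-constraints.txt`, is also safer inside a chained `RUN`; that `RUN` appears to continue past the end of the hunk.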
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Tue, 8 Mar 2022 16:23:26 +0100 Subject: [PATCH 19/20] Install glusterfs-client in Debuntu Closes-Bug: #1964140 Change-Id: I4658a06b077d096ab9f2cb5070e39c98b5a27254 (cherry picked from commit da33e18ac83ff4696dcc599f46c12f007ba54856) --- docker/manila/manila-share/Dockerfile.j2 | 2 ++ releasenotes/notes/bug-1964140-57b433329bab067e.yaml | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/bug-1964140-57b433329bab067e.yaml diff --git a/docker/manila/manila-share/Dockerfile.j2 b/docker/manila/manila-share/Dockerfile.j2 index 04ddbf4ec5..68e8534557 100644 --- a/docker/manila/manila-share/Dockerfile.j2 +++ b/docker/manila/manila-share/Dockerfile.j2 @@ -22,6 +22,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set manila_share_packages = [ 'manila-share', 'ceph-common', + 'glusterfs-client', 'python3-cephfs', 'python3-rados', 'python3-rbd', @@ -42,6 +43,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% elif base_package_type == 'deb' %} {% set manila_share_packages = [ 'ceph-common', + 'glusterfs-client', 'python3-cephfs', 'python3-rados', 'python3-rbd', diff --git a/releasenotes/notes/bug-1964140-57b433329bab067e.yaml b/releasenotes/notes/bug-1964140-57b433329bab067e.yaml new file mode 100644 index 0000000000..8869ab6420 --- /dev/null +++ b/releasenotes/notes/bug-1964140-57b433329bab067e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Installs ``glusterfs-client`` in Debian and Ubuntu ``manila-share`` images + to support GlusterFS across supported distributions. + `LP#1964140 `__ From ca495278084c0cd9d4fe759125ecd1b563d92ecf Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Wed, 9 Mar 2022 11:48:20 +0000 Subject: [PATCH 20/20] libvirt: add Cyrus SASL packages for DIGEST-MD5 Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 mechanisms. These can be used for libvirt SASL authentication. Change-Id: I13e19ca29eeab40cd08fa3afe2cdf7531867f81b Partial-Bug: #1964013 (cherry picked from commit e1efa9d257c45e5f99364974ea66a6d6ba5a5605) --- docker/nova/nova-compute/Dockerfile.j2 | 8 ++++++++ docker/nova/nova-libvirt/Dockerfile.j2 | 3 +++ releasenotes/notes/libvirt-sasl-07a8a1a25d2450c6.yaml | 6 ++++++ 3 files changed, 17 insertions(+) create mode 100644 releasenotes/notes/libvirt-sasl-07a8a1a25d2450c6.yaml diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2 index 697a4df5e5..79d3457e40 100644 --- a/docker/nova/nova-compute/Dockerfile.j2 +++ b/docker/nova/nova-compute/Dockerfile.j2 @@ -14,6 +14,8 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set nova_compute_packages = [ 'ceph-common', + 'cyrus-sasl-md5', + 'cyrus-sasl-scram', 'device-mapper-multipath', 'e2fsprogs', 'genisoimage', @@ -50,6 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'e2fsprogs', 'genisoimage', 'ironic-common', + 'libsasl2-modules-gssapi-mit', 'multipath-tools', 'nfs-common', 'nova-compute', @@ -65,6 +68,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-rados', 'python3-rbd', 'python3-rtslib-fb', + 'sasl2-bin', 'sysfsutils', 'targetcli-fb', 'xfsprogs' @@ -88,6 +92,8 @@ RUN rm -f /etc/nova/nova-compute.conf {% set nova_compute_packages = [ 'ceph-common', + 'cyrus-sasl-md5', + 'cyrus-sasl-scram', 'device-mapper-multipath', 'dosfstools', 'e2fsprogs', @@ -127,6 +133,7 @@ RUN rm -f /etc/nova/nova-compute.conf 'e2fsprogs', 'genisoimage', 'libosinfo-bin', + 'libsasl2-modules-gssapi-mit', 'multipath-tools', 'nfs-common', 'nvme-cli', 
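Review bot: `cyrus-sasl-md5`, added to the rpm `nova_compute_packages` lists here and to `nova_libvirt_packages` in the nova-libvirt section, enables DIGEST-MD5, which RFC 6331 moved to Historic. Since `cyrus-sasl-scram` ships alongside it, a comment above the list such as `{# DIGEST-MD5 is obsolete (RFC 6331); prefer SCRAM-SHA-256 for libvirt SASL #}` would steer deployers to the stronger mechanism. On the deb side the hunks add `libsasl2-modules-gssapi-mit` and `sasl2-bin`. As far as I know these provide the GSSAPI plugin and the SASL admin tools rather than DIGEST-MD5 or SCRAM, so please confirm they are the packages the commit message intends. The same applies to the remaining nova-compute hunks.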
@@ -140,6 +147,7 @@ RUN rm -f /etc/nova/nova-compute.conf 'python3-rbd', 'python3-rtslib-fb', 'qemu-utils', + 'sasl2-bin', 'sysfsutils', 'targetcli-fb', 'xfsprogs' diff --git a/docker/nova/nova-libvirt/Dockerfile.j2 b/docker/nova/nova-libvirt/Dockerfile.j2 index 5613d9d9c0..96abfa7dcb 100644 --- a/docker/nova/nova-libvirt/Dockerfile.j2 +++ b/docker/nova/nova-libvirt/Dockerfile.j2 @@ -15,6 +15,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set nova_libvirt_packages = [ 'ceph-common', + 'cyrus-sasl-md5', 'cyrus-sasl-scram', 'libguestfs', 'libvirt-client', @@ -40,6 +41,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set nova_libvirt_packages = [ 'ceph-common', 'ebtables', + 'libsasl2-modules-gssapi-mit', 'libvirt-clients', 'libvirt-daemon-system', 'openvswitch-switch', @@ -49,6 +51,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-rbd', 'qemu-block-extra', 'qemu-system', + 'sasl2-bin', 'trousers' ] %} diff --git a/releasenotes/notes/libvirt-sasl-07a8a1a25d2450c6.yaml b/releasenotes/notes/libvirt-sasl-07a8a1a25d2450c6.yaml new file mode 100644 index 0000000000..e88bc0d922 --- /dev/null +++ b/releasenotes/notes/libvirt-sasl-07a8a1a25d2450c6.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 + mechanisms. These can be used for libvirt SASL authentication. + `LP#1964013 `__