Merge remote-tracking branch 'origin/stackhpc/2024.1' into 2024.1-ans…

…ible-lint-alex
stackhpc · Jan 6, 2025 · 76e865e · 76e865e
2 parents 0a22977 + 479792c
commit 76e865e
Show file tree

Hide file tree

Showing 10 changed files with 150 additions and 58 deletions.
diff --git a/.github/auto-label.yaml b/.github/auto-label.yaml
@@ -1,26 +1,55 @@
 ---
 path:
   pullrequest: true
-  paths:
-    doc: 'documentation'
-    .github: 'workflows'
-    terraform: 'workflows'
-    etc:
-      kayobe:
-        enviromnents:
-          ci-aio: 'workflows'
-          ci-builder: 'workflows'
-          ci-multinode: 'workflows'
-        trivy: 'workflows'
-        ansible: 'ansible'
-        kolla:
-          config:
-            grafana: "monitoring"
-            prometheus: "monitoring"
-            fluentd: "monitoring"
+  multipleLabelPaths:
+    - paths:
+        .automation: 'kayobe-automation'
+        .automation.conf: 'kayobe-automation'
+    - paths:
+        doc: 'documentation'
+    - paths:
+        .github: 'workflows'
+        etc:
+          kayobe:
+            enviromnents:
+              ci-aio: 'workflows'
+              ci-builder: 'workflows'
+              ci-multinode: 'workflows'
+            trivy: 'workflows'
+        terraform: 'workflows'
+        tools:
+          scan-images.sh: "workflows"
+        tox.ini: 'workflows'
+    - paths:
+        etc:
+          kayobe:
+            ansible: 'ansible'
+            ansible.cfg: 'ansible'
+    - paths:
+        etc:
+          kayobe:
+            kolla:
+              config:
+                fluentd: "monitoring"
+                grafana: "monitoring"
+                prometheus: "monitoring"
+              inventory:
+                group_vars:
+                  prometheus-blackbox-exporter: "monitoring"
+    - paths:
+        etc:
+          kayobe:
+            kolla:
+              kolla-build.conf: "kolla"
+            kolla-image-tags.yml: "kolla"
+            kolla.yml: "kolla"
+        tools:
+          kolla-images.py: "kolla"
 
 staleness:
   pullrequest: true
+  old: 30
+  extraold: 90
 
 requestsize:
   enabled: true
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -105,6 +105,63 @@ Setup Vault HA on the overcloud hosts
 
       ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
 
+Rotating Vault certificate on the overcloud hosts
+-------------------------------------------------
+
+The certificate for the overcloud vaults has an expiry time of one year. While
+the cloud won't break if this expires, it will need rotating before new
+certificates can be generated for internal PKI. If a vault becomes sealed, it
+cannot be unsealed with an expired certificate.
+
+1. Delete the old certificate:
+
+   .. code-block::
+
+      rm $KAYOBE_CONFIG_PATH/vault/overcloud.crt
+
+   Or if environments are being used
+
+   .. code-block::
+
+      rm $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud.crt
+
+2. Generate a new certificate (and key):
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-seed.yml
+
+3. Encrypt generated key with ansible-vault (use proper location of vault password file)
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/vault/overcloud.key
+
+   Or if environments are being used
+
+   .. code-block::
+
+      ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud.key
+
+4. Copy the new certificate to the overcloud hosts. Note, if the old
+   certificate has expired this will fail on the unseal step.
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
+
+5. Restart the containers to use the new certificate:
+
+   .. code-block::
+
+      kayobe overcloud host command run --command "docker restart vault" -l controllers
+
+6. If sealed, unseal the vault:
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-unseal-overcloud.yml
+
 Certificates generation
 =======================
 

diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
@@ -82,6 +82,8 @@ Then from the OpenStack CLI:
    openstack user delete heat
    openstack domain set --disable heat_user_domain
    openstack domain delete heat_user_domain
+   openstack endpoint list --service heat -c ID -f value | xargs openstack endpoint delete
+   openstack endpoint list --service heat-cfn -c ID -f value | xargs openstack endpoint delete
 
 You can drop the ``heat`` database too, unless you want to keep historical content.
 

diff --git a/etc/kayobe/ansible/stop-openstack-services.yml b/etc/kayobe/ansible/stop-openstack-services.yml
@@ -29,4 +29,4 @@
         executable: "/bin/bash"
         cmd: >-
           set -o pipefail &&
-          systemctl -a | egrep '({{ stop_service_list | join('|') }})' | awk '{ print $1 }' | xargs systemctl stop
+          systemctl -a | egrep 'kolla-({{ stop_service_list | join('|') }})' | awk '{ print $1 }' | xargs systemctl stop
diff --git a/etc/kayobe/containers/squid_proxy/squid.conf b/etc/kayobe/containers/squid_proxy/squid.conf
@@ -77,3 +77,7 @@ refresh_pattern ^ftp:		1440	20%	10080
 refresh_pattern ^gopher:	1440	0%	1440
 refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
 refresh_pattern .		0	20%	4320
+
+# Disable connections over IPv6
+# https://ramesh-sahoo.medium.com/squid-proxy-server-has-stopped-handling-connection-resulting-in-none-503-0-connect-errors-55477316850a
+dns_v4_first on
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
@@ -4,47 +4,29 @@
 # where the key is the OS distro and the value is the tag to deploy.
 kolla_image_tags:
   openstack:
-    rocky-9: 2024.1-rocky-9-20240903T113235
+    rocky-9: 2024.1-rocky-9-20241218T141751
     ubuntu-jammy: 2024.1-ubuntu-jammy-20240917T091559
   blazar:
-    rocky-9: 2024.1-rocky-9-20241125T093138
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241125T093138
   cinder:
-    rocky-9: 2024.1-rocky-9-20241204T081836
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241204T081836
-  heat:
-    rocky-9: 2024.1-rocky-9-20240805T142526
   nova:
-    rocky-9: 2024.1-rocky-9-20241004T094540
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540
   neutron:
-    rocky-9: 2024.1-rocky-9-20241203T232519
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241203T232519
   octavia:
-    rocky-9: 2024.1-rocky-9-20241004T094540
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540
   horizon:
-    rocky-9: 2024.1-rocky-9-20241202T210927
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241202T210927
   bifrost:
-    rocky-9: 2024.1-rocky-9-20241128T162336
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241128T162336
-  prometheus:
-    rocky-9: 2024.1-rocky-9-20240910T072617
-  rabbitmq:
-    rocky-9: 2024.1-rocky-9-20240927T152945
   ironic:
-    rocky-9: 2024.1-rocky-9-20241023T143407
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407
   ironic_dnsmasq:
-    rocky-9: 2024.1-rocky-9-20241023T143407
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407
   ironic_neutron_agent:
-    rocky-9: 2024.1-rocky-9-20241023T143407
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407
   letsencrypt:
-    rocky-9: 2024.1-rocky-9-20241206T090120
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241206T090120
   grafana:
-    rocky-9: 2024.1-rocky-9-20241128T123708
     ubuntu-jammy: 2024.1-ubuntu-jammy-20241128T123708
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -1,23 +1,25 @@
 ---
-# Do not edit! This file is autogenerated by Ansible.
-stackhpc_pulp_repo_centos_stream_9_docker_version: 20240829T093746
-stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20240829T093746
-stackhpc_pulp_repo_centos_stream_9_openstack_caracal_version: 20240902T080424
+# This file is autogenerated by Ansible using the following workflow:
+# https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-update-kayobe.yml
+stackhpc_pulp_repo_centos_stream_9_docker_version: 20241210T000909
+stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20241214T012909
+stackhpc_pulp_repo_centos_stream_9_openstack_caracal_version: 20241212T022636
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318
-stackhpc_pulp_repo_centos_stream_9_storage_ceph_reef_version: 20240502T000614
+stackhpc_pulp_repo_centos_stream_9_storage_ceph_reef_version: 20240923T233036
+stackhpc_pulp_repo_ceph_reef_debian_version: 20240925T152022
 stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240910T001721
-stackhpc_pulp_repo_elrepo_9_version: 20240902T122220
-stackhpc_pulp_repo_epel_9_version: 20240902T080424
-stackhpc_pulp_repo_grafana_version: 20240902T080424
-stackhpc_pulp_repo_opensearch_2_x_version: 20240807T235120
-stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20240807T235120
-stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20240925T093206
-stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20240925T111913
-stackhpc_pulp_repo_rhel_9_influxdb_version: 20240817T001913
-stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20240810T001640
+stackhpc_pulp_repo_elrepo_9_version: 20241129T235743
+stackhpc_pulp_repo_epel_9_version: 20241216T235733
+stackhpc_pulp_repo_grafana_version: 20241216T002739
+stackhpc_pulp_repo_opensearch_2_x_version: 20241106T010702
+stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20241106T010702
+stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20241217T002152
+stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20241217T002152
+stackhpc_pulp_repo_rhel_9_influxdb_version: 20241217T002152
+stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20241102T004913
 stackhpc_pulp_repo_rhel_9_rabbitmq_erlang_version: 20240711T091318
 stackhpc_pulp_repo_rhel_9_rabbitmq_server_version: 20240711T091318
-stackhpc_pulp_repo_rhel_9_treasuredata_5_version: 20240711T091318
+stackhpc_pulp_repo_rhel_9_treasuredata_5_version: 20241115T002028
 stackhpc_pulp_repo_rocky_9_1_appstream_version: 20231207T013715
 stackhpc_pulp_repo_rocky_9_1_baseos_version: 20231206T014015
 stackhpc_pulp_repo_rocky_9_1_crb_version: 20231211T120328
@@ -38,8 +40,12 @@ stackhpc_pulp_repo_rocky_9_4_baseos_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_4_crb_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_4_extras_version: 20240816T002610
 stackhpc_pulp_repo_rocky_9_4_highavailability_version: 20240816T002610
-stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240718T001130
+stackhpc_pulp_repo_rocky_9_5_appstream_version: 20241217T005008
+stackhpc_pulp_repo_rocky_9_5_baseos_version: 20241216T013503
+stackhpc_pulp_repo_rocky_9_5_crb_version: 20241217T005008
+stackhpc_pulp_repo_rocky_9_5_extras_version: 20241216T004230
+stackhpc_pulp_repo_rocky_9_5_highavailability_version: 20241202T003154
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20241127T003858
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240911T041957
 stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240924T064114
 stackhpc_pulp_repo_ubuntu_jammy_version: 20240924T064114
-stackhpc_pulp_repo_ceph_reef_debian_version: 20240925T152022
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -212,8 +212,8 @@ stackhpc_pulp_distribution_deb_production: >-
 
 # Whether to sync Rocky Linux 9 packages.
 stackhpc_pulp_sync_rocky_9: "{{ os_distribution == 'rocky' }}"
-# Rocky 9 minor version number. Supported values: 1, 2, 3, 4. Default is 4
-stackhpc_pulp_repo_rocky_9_minor_version: 4
+# Rocky 9 minor version number. Supported values: 1, 2, 3, 4, 5. Default is 5
+stackhpc_pulp_repo_rocky_9_minor_version: 5
 # Rocky 9 Snapshot versions. The defaults use the appropriate version from
 # pulp-repo-versions.yml for the selected minor release.
 stackhpc_pulp_repo_rocky_9_appstream_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_%s_appstream_version' % stackhpc_pulp_repo_rocky_9_minor_version) }}"
@@ -252,7 +252,7 @@ stackhpc_pulp_rpm_repos:
     required: "{{ stackhpc_pulp_sync_for_local_container_build | bool and stackhpc_pulp_sync_el_9 | bool }}"
 
   - name: RabbitMQ - Server - RHEL 9
-    url: "{{ stackhpc_release_pulp_content_url }}/rabbitmq/rabbitmq-server/el/9/x86_64/{{ stackhpc_pulp_repo_rhel9_rabbitmq_server_version }}"
+    url: "{{ stackhpc_release_pulp_content_url }}/rabbitmq/rabbitmq-server/el/9/noarch/{{ stackhpc_pulp_repo_rhel9_rabbitmq_server_version }}"
     distribution_name: "rhel9-rabbitmq-server-"
     base_path: "rabbitmq/rabbitmq-server/el/9/x86_64/"
     required: "{{ stackhpc_pulp_sync_for_local_container_build | bool and stackhpc_pulp_sync_el_9 | bool }}"
@@ -344,7 +344,7 @@ stackhpc_pulp_rpm_repos:
 
   # Additional RHEL 9 repositories
   - name: TreasureData 5 for RHEL 9
-    url: "{{ stackhpc_release_pulp_content_url }}/treasuredata/4/redhat/9/x86_64/{{ stackhpc_pulp_repo_rhel_9_treasuredata_5_version }}"
+    url: "{{ stackhpc_release_pulp_content_url }}/treasuredata/lts/5/redhat/9/x86_64/{{ stackhpc_pulp_repo_rhel_9_treasuredata_5_version }}"
     distribution_name: "rhel-9-treasuredata-5-"
     base_path: "treasuredata/5/redhat/9/x86_64/"
     required: "{{ stackhpc_pulp_sync_for_local_container_build | bool and stackhpc_pulp_sync_el_9 | bool }}"

diff --git a/releasenotes/notes/fix-squid-issue-11b5f03719ab8b45.yaml b/releasenotes/notes/fix-squid-issue-11b5f03719ab8b45.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an issue where Squid proxy could be unable to reach external servers
+    due to a preference of choosing IPv6 connectivity by default.
diff --git a/releasenotes/notes/rl95-6cbdf902e30502bf.yaml b/releasenotes/notes/rl95-6cbdf902e30502bf.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added support for Rocky Linux 9.5, including host packages and a full
+    container image refresh.
+  - |
+    Made 9.5 the default release for Rocky Linux.