diff --git a/Dockerfile b/Dockerfile index 9c8e06b7d..4b74bee9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,161 +1,27 @@ -FROM ubuntu:jammy-20240227 AS ubuntu -LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - -FROM ubuntu AS helm -ARG TARGETOS -ARG TARGETARCH -ARG HELM_VERSION=3.14.0 -ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz -RUN tar -xzf /helm.tar.gz -RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm - -FROM ubuntu AS ubuntu-cloud-archive -ADD --chmod=644 https://git.launchpad.net/ubuntu/+source/ubuntu-keyring/plain/keyrings/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg -ARG RELEASE -RUN < /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "zed" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.1" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.2" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "master" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list; \ - else \ - echo "${RELEASE} is not supported on \${VERSION_CODENAME}"; \ - exit 1; \ - fi; \ -else - echo "Unsupported release"; \ - exit 1; \ -fi -EOF - -FROM alpine/git AS requirements -ARG BRANCH -ADD https://opendev.org/openstack/requirements.git#${BRANCH} /src -RUN < requirements.txt 
@@ -114,10 +93,15 @@ build.collections: SAVE IMAGE --cache-hint image: - ARG RELEASE=2023.1 - FROM ./images/cloud-archive-base+image --RELEASE ${RELEASE} + FROM ubuntu:jammy ENV ANSIBLE_PIPELINING=True - DO ./images+APT_INSTALL --PACKAGES "rsync openssh-client" + RUN <" - exit 1 -fi - -docker buildx create --name=atmosphere --driver=docker-container || true - -if [ "$PUSH" = true ]; then - docker buildx bake --builder=atmosphere --provenance --sbom=true --push $TARGET - - # Sign all images - export COSIGN_PASSWORD="" - for IMAGE in $(docker buildx bake --print ${TARGET} | jq -r '.target[].tags | select(. != null)[]'); do - cosign sign -y --recursive --key cosign.key ${IMAGE} - done -else - docker buildx bake --builder=atmosphere --provenance --sbom=true $TARGET -fi diff --git a/images/builder/Earthfile b/images/builder/Earthfile deleted file mode 100644 index f4e92d3fa..000000000 --- a/images/builder/Earthfile +++ /dev/null @@ -1,7 +0,0 @@ -VERSION 0.7 - -image: - FROM ../base+image - DO ../+APT_INSTALL --PACKAGES "build-essential git python3-dev python3-pip python3-venv" - ARG POETRY_VERSION=1.4.2 - RUN pip3 install --no-cache-dir poetry==${POETRY_VERSION} diff --git a/images/cinder/Dockerfile b/images/cinder/Dockerfile new file mode 100644 index 000000000..c544877a5 --- /dev/null +++ b/images/cinder/Dockerfile 
@@ -0,0 +1,37 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG CINDER_GIT_REF=f74e2729554bee01b0a3e631a8001bb39e540433 +ADD --keep-git-dir=true https://opendev.org/openstack/cinder.git#${CINDER_GIT_REF} /src/cinder +RUN git -C /src/cinder fetch --unshallow +# COPY patches/cinder /patches/cinder +# RUN git -C /src/cinder apply --verbose /patches/cinder/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < +Date: Fri, 1 Mar 2024 13:50:13 +0800 +Subject: [PATCH 1/3] Create encrypted volumes directly to RBD + +This fix slow on create encrypted volumes with temp file import. +Encrypted volume create is now directly upload to RBD with qemu-img +command without temprory image file generated. 
+ +Closes-Bug: #2055517 +Change-Id: If7a72a4acd5600de1350289a9d9c38017d42659e +--- + cinder/tests/unit/volume/drivers/test_rbd.py | 9 +-- + cinder/volume/drivers/rbd.py | 62 +++++++++---------- + ...ate-encrypted-volume-c1bb6b44b85c0242.yaml | 7 +++ + 3 files changed, 40 insertions(+), 38 deletions(-) + create mode 100644 releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml + +diff --git a/cinder/tests/unit/volume/drivers/test_rbd.py b/cinder/tests/unit/volume/drivers/test_rbd.py +index f1ffeb89e..cf768df06 100644 +--- a/cinder/tests/unit/volume/drivers/test_rbd.py ++++ b/cinder/tests/unit/volume/drivers/test_rbd.py +@@ -3247,7 +3247,6 @@ class RBDTestCase(test.TestCase): + self.__dict__ = d + + mock_temp_file.return_value.__enter__.side_effect = [ +- DictObj({'name': '/imgfile'}), + DictObj({'name': '/passfile'})] + + key_mgr = fake_keymgr.fake_api() +@@ -3268,15 +3267,13 @@ class RBDTestCase(test.TestCase): + self.context) + mock_open.assert_called_with('/passfile', 'w') + +- mock_exec.assert_any_call( ++ mock_exec.assert_called_with( + 'qemu-img', 'create', '-f', 'luks', '-o', + 'cipher-alg=aes-256,cipher-mode=xts,ivgen-alg=essiv', + '--object', + 'secret,id=luks_sec,format=raw,file=/passfile', +- '-o', 'key-secret=luks_sec', '/imgfile', '12288M') +- mock_exec.assert_any_call( +- 'rbd', 'import', '--dest-pool', 'rbd', '--order', 22, +- '/imgfile', self.volume_c.name) ++ '-o', 'key-secret=luks_sec', 'rbd:rbd/%s' % self.volume_c.name, ++ '12288M') + + @mock.patch('cinder.objects.Volume.get_by_id') + @mock.patch('cinder.db.volume_glance_metadata_get', return_value={}) +diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py +index 1f4dac8d9..aace801f3 100644 +--- a/cinder/volume/drivers/rbd.py ++++ b/cinder/volume/drivers/rbd.py +@@ -1089,8 +1089,8 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + context: context.RequestContext) -> None: + """Create an encrypted volume. 
+ +- This works by creating an encrypted image locally, +- and then uploading it to the volume. ++ This works by creating an encrypted image and ++ then uploading it to the volume directly. + """ + encryption = volume_utils.check_encryption_provider(volume, context) + +@@ -1102,37 +1102,35 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + # create a file + tmp_dir = volume_utils.image_conversion_dir() + +- with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_image: +- with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_key: +- with open(tmp_key.name, 'w') as f: +- f.write(passphrase) +- +- cipher_spec = image_utils.decode_cipher(encryption['cipher'], +- encryption['key_size']) +- +- create_cmd = ( +- 'qemu-img', 'create', '-f', 'luks', +- '-o', 'cipher-alg=%(cipher_alg)s,' +- 'cipher-mode=%(cipher_mode)s,' +- 'ivgen-alg=%(ivgen_alg)s' % cipher_spec, +- '--object', 'secret,id=luks_sec,' +- 'format=raw,file=%(passfile)s' % {'passfile': +- tmp_key.name}, +- '-o', 'key-secret=luks_sec', +- tmp_image.name, +- '%sM' % (volume.size * 1024)) +- self._execute(*create_cmd) +- +- # Copy image into RBD +- chunk_size = self.configuration.rbd_store_chunk_size * units.Mi +- order = int(math.log(chunk_size, 2)) ++ with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_key: ++ with open(tmp_key.name, 'w') as f: ++ f.write(passphrase) + +- cmd = ['rbd', 'import', +- '--dest-pool', self.configuration.rbd_pool, +- '--order', order, +- tmp_image.name, volume.name] +- cmd.extend(self._ceph_args()) +- self._execute(*cmd) ++ cipher_spec = image_utils.decode_cipher(encryption['cipher'], ++ encryption['key_size']) ++ ++ _, conf, user_id, _ = self._get_config_tuple() ++ rbd_options = '' ++ if user_id: ++ rbd_options += ':id=%(user_id)s' % {'user_id': user_id} ++ if conf: ++ rbd_options += ':conf=%(conf)s' % {'conf': conf} ++ create_cmd = ( ++ 'qemu-img', 'create', '-f', 'luks', ++ '-o', 'cipher-alg=%(cipher_alg)s,' ++ 'cipher-mode=%(cipher_mode)s,' ++ 'ivgen-alg=%(ivgen_alg)s' % 
cipher_spec, ++ '--object', 'secret,id=luks_sec,' ++ 'format=raw,file=%(passfile)s' % {'passfile': ++ tmp_key.name}, ++ '-o', 'key-secret=luks_sec', ++ 'rbd:%(pool_name)s/%(image_name)s%(rbd_options)s' % { ++ 'pool_name': self.configuration.rbd_pool, ++ 'image_name': volume.name, ++ 'rbd_options': rbd_options ++ }, ++ '%sM' % (volume.size * 1024)) ++ self._execute(*create_cmd) + + def create_volume(self, volume: Volume) -> dict[str, Any]: + """Creates a logical volume.""" +diff --git a/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml b/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml +new file mode 100644 +index 000000000..8bdff6746 +--- /dev/null ++++ b/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml +@@ -0,0 +1,7 @@ ++--- ++fixes: ++ - | ++ [Bug 255517](https://bugs.launchpad.net/cinder/+bug/2055517): Fix slow ++ on create encrypted volumes with temp file import. Encrypted volume create ++ is now directly upload to rbd with qemu-img command without temprory image ++ file generated. +-- +2.34.1 diff --git a/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch b/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch new file mode 100644 index 000000000..db47071c3 --- /dev/null +++ b/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch 
@@ -0,0 +1,129 @@ +From c47fb9f0209076182787f06b306f30c3e1948592 Mon Sep 17 00:00:00 2001 +From: ricolin +Date: Sat, 16 Mar 2024 00:35:12 +0800 +Subject: [PATCH 2/3] Allow clone encrypted image to encrypted volume + +Exactly like what we did in copy-and-import image when create encrypted +volume from encrypted image. If the image is encrypted, we will copy +`cinder_encryption_key_id` from image metadata to volume. That means we +should be safe to try directly clone from encrypted image. + +Related-Bug: #2055517 +Change-Id: Id6a1452c2c197a58677bf181470f54565fbd263b +--- + .../volume/flows/test_create_volume_flow.py | 46 +++++++++++++++++++ + cinder/volume/flows/manager/create_volume.py | 9 +++- + ...clone-encryped-image-6961ca1439825dc4.yaml | 8 ++++ + 3 files changed, 61 insertions(+), 2 deletions(-) + create mode 100644 releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml + +diff --git a/cinder/tests/unit/volume/flows/test_create_volume_flow.py b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +index ad5735596..6ff97aaa0 100644 +--- a/cinder/tests/unit/volume/flows/test_create_volume_flow.py ++++ b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +@@ -1203,6 +1203,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + encryption_key_id=fakes.ENCRYPTION_KEY_ID, + host='host@backend#pool') + ++ fake_driver.clone_image.return_value = (None, False) + fake_image_service = fake_image.FakeImageService() + image_meta = {} + image_id = fakes.IMAGE_ID +@@ -1219,6 +1220,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_meta, fake_image_service) + + fake_driver.create_volume.assert_called_once_with(volume) ++ fake_driver.clone_image.assert_called_once() + fake_driver.copy_image_to_encrypted_volume.assert_not_called() + fake_driver.copy_image_to_volume.assert_called_once_with( + self.ctxt, volume, fake_image_service, image_id, +@@ -1228,6 +1230,50 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + 
image_meta=image_meta) + mock_cleanup_cg.assert_called_once_with(volume) + ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' ++ '_handle_bootable_volume_glance_meta') ++ @mock.patch('cinder.image.image_utils.TemporaryImages.fetch') ++ @mock.patch('cinder.image.image_utils.qemu_img_info') ++ @mock.patch('cinder.image.image_utils.check_virtual_size') ++ def test_create_encrypted_volume_from_enc_image_clone( ++ self, mock_check_size, mock_qemu_img, ++ mock_fetch_img, mock_handle_bootable ++ ): ++ fake_db = mock.MagicMock() ++ fake_driver = mock.MagicMock() ++ fake_volume_manager = mock.MagicMock() ++ fake_manager = create_volume_manager.CreateVolumeFromSpecTask( ++ fake_volume_manager, fake_db, fake_driver) ++ volume = fake_volume.fake_volume_obj( ++ self.ctxt, ++ encryption_key_id=fakes.ENCRYPTION_KEY_ID, ++ host='host@backend#pool') ++ ++ fake_driver.clone_image.return_value = (None, True) ++ fake_image_service = fake_image.FakeImageService() ++ image_meta = {} ++ image_id = fakes.IMAGE_ID ++ image_meta['id'] = image_id ++ image_meta['status'] = 'active' ++ image_meta['size'] = 1 ++ image_meta['cinder_encryption_key_id'] = \ ++ '00000000-0000-0000-0000-000000000000' ++ image_location = 'abc' ++ ++ fake_db.volume_update.return_value = volume ++ fake_manager._create_from_image(self.ctxt, volume, ++ image_location, image_id, ++ image_meta, fake_image_service) ++ ++ fake_driver.create_volume.assert_not_called() ++ fake_driver.clone_image.assert_called_once() ++ fake_driver.copy_image_to_encrypted_volume.assert_not_called() ++ fake_driver.copy_image_to_volume.assert_not_called() ++ mock_handle_bootable.assert_called_once_with(self.ctxt, volume, ++ image_id=image_id, ++ image_meta=image_meta) ++ + @ddt.data({'driver_error': True}, + {'driver_error': False}) + @mock.patch('cinder.backup.api.API.get_available_backup_service_host') +diff --git a/cinder/volume/flows/manager/create_volume.py 
b/cinder/volume/flows/manager/create_volume.py +index ac09ed898..549a49b00 100644 +--- a/cinder/volume/flows/manager/create_volume.py ++++ b/cinder/volume/flows/manager/create_volume.py +@@ -1087,11 +1087,16 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + # dict containing provider_location for cloned volume + # and clone status. + # NOTE (lixiaoy1): Currently all images are raw data, we can't +- # use clone_image to copy data if new volume is encrypted. ++ # use clone_image to copy data if new volume is encrypted ++ # NOTE (ricolin): If the image provided an encryption key, we have ++ # already cloned it to the volume's key in ++ # _get_encryption_key_id, so we can do a direct clone. ++ image_encryption_key = image_meta.get('cinder_encryption_key_id') + volume_is_encrypted = volume.encryption_key_id is not None + cloned = False + model_update = None +- if not volume_is_encrypted: ++ if not volume_is_encrypted or ( ++ volume_is_encrypted and image_encryption_key): + model_update, cloned = self.driver.clone_image(context, + volume, + image_location, +diff --git a/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml b/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml +new file mode 100644 +index 000000000..d6c7e8eb8 +--- /dev/null ++++ b/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml +@@ -0,0 +1,8 @@ ++--- ++features: ++ - | ++ Allow clone encrypted image when create encrypted volume from image. ++ Exactly like what we did in copy-and-import image when create encrypted ++ volume from encrypted image. If the image is encrypted, we will copy ++ `cinder_encryption_key_id` from image metadata to volume. That means we ++ should be safe to try directly clone from encrypted image. +-- +2.34.1 
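Review bot: In the create_volume.py change carried by this patch, the direct clone for an encrypted volume is gated only on `image_meta.get('cinder_encryption_key_id')` being set. Nothing visible checks that the image data is actually encrypted or that the volume's key was derived from that image key; the new comment says `_get_encryption_key_id` already did this, but that code is outside the hunk, so the precondition should be asserted or documented where the clone is attempted. The condition is also redundant and reads more clearly as `if not volume_is_encrypted or image_encryption_key:`. Separately, images/cinder/Dockerfile in this commit has its `COPY patches/cinder` and `git apply` lines commented out, so as far as this page shows patches 0001-0003 are shipped but not applied to the image; confirm that is intended.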
diff --git a/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch b/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch new file mode 100644 index 000000000..f43644989 --- /dev/null +++ b/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch 
@@ -0,0 +1,319 @@ +From 97953c8bd8c7d61a3f68c3e829ff79290315ec5b Mon Sep 17 00:00:00 2001 +From: ricolin +Date: Fri, 15 Mar 2024 23:26:14 +0800 +Subject: [PATCH 3/3] Allow encrypted volume clone from Glance image + +Allow clone image when creating encrypted volume from Glance image if both +stored in RBD. +Previously, Glance image clone is not supported for encrypted volume +creation. The old process is to download image to local disk, encrypt the +local file, and import it back to RBD. This not just slow, but also +protentially take large amount of local disk space from hosts that runs +Cinder volume service. +The new process is to try and clone from Glance image (if it's also stored +in RBD), flatten it, and encrypting new image in RBD for volume. And If +Glance image source is not clonable, will continue with copy-and-import +method as previous flow. +In above flow, If clone from Glance image is appliable. Even it still +requires to clone and flatten RBD image might took some time, but should +still be a lot faster than copy-and-import. And also no local disk will +be used to store raw image in this case. +This also introduced driver method `clone_image_and_encrypt` for drivers +that seperate the clone process from non-encrypted volume so the create +flow won't be affected. 
+ +Related-Bug: #2055517 +Change-Id: Ia023646d8bc9468bf5cc8955f7013299b2a3a460 +--- + .../volume/flows/test_create_volume_flow.py | 49 ++++++++++ + cinder/volume/driver.py | 11 +++ + cinder/volume/drivers/rbd.py | 95 ++++++++++++++++--- + cinder/volume/flows/manager/create_volume.py | 8 +- + ...for-encrypted-volume-de477647e9016b8b.yaml | 21 ++++ + 5 files changed, 167 insertions(+), 17 deletions(-) + create mode 100644 releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml + +diff --git a/cinder/tests/unit/volume/flows/test_create_volume_flow.py b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +index 6ff97aaa0..a85bf7eec 100644 +--- a/cinder/tests/unit/volume/flows/test_create_volume_flow.py ++++ b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +@@ -1164,6 +1164,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_location = 'abc' + + fake_db.volume_update.return_value = volume ++ fake_driver.clone_image_and_encrypt.return_value = (None, False) + fake_manager._create_from_image(self.ctxt, volume, + image_location, image_id, + image_meta, fake_image_service) +@@ -1178,6 +1179,54 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_meta=image_meta) + mock_cleanup_cg.assert_called_once_with(volume) + ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' ++ '_prepare_image_cache_entry') ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' 
++ '_handle_bootable_volume_glance_meta') ++ @mock.patch('cinder.image.image_utils.TemporaryImages.fetch') ++ @mock.patch('cinder.image.image_utils.qemu_img_info') ++ @mock.patch('cinder.image.image_utils.check_virtual_size') ++ def test_create_encrypted_volume_from_image_clone( ++ self, mock_check_size, mock_qemu_img, mock_fetch_img, ++ mock_handle_bootable, mock_prepare_image_cache ++ ): ++ fake_db = mock.MagicMock() ++ fake_driver = mock.MagicMock() ++ fake_volume_manager = mock.MagicMock() ++ fake_cache = mock.MagicMock() ++ fake_manager = create_volume_manager.CreateVolumeFromSpecTask( ++ fake_volume_manager, fake_db, fake_driver, fake_cache) ++ volume = fake_volume.fake_volume_obj( ++ self.ctxt, ++ encryption_key_id=fakes.ENCRYPTION_KEY_ID, ++ host='host@backend#pool') ++ ++ fake_image_service = fake_image.FakeImageService() ++ image_meta = {} ++ image_id = fakes.IMAGE_ID ++ image_meta['id'] = image_id ++ image_meta['status'] = 'active' ++ image_meta['size'] = 1 ++ image_location = 'abc' ++ ++ fake_db.volume_update.return_value = volume ++ fake_driver.clone_image_and_encrypt.return_value = (None, True) ++ fake_manager._create_from_image(self.ctxt, volume, ++ image_location, image_id, ++ image_meta, fake_image_service) ++ ++ mock_prepare_image_cache.assert_not_called() ++ fake_driver.create_volume.assert_not_called() ++ fake_driver.clone_image.assert_not_called() ++ fake_driver.clone_image_and_encrypt.assert_called_once() ++ fake_driver.copy_image_to_encrypted_volume.assert_not_called() ++ fake_driver.copy_image_to_volume.assert_not_called() ++ mock_handle_bootable.assert_called_once_with(self.ctxt, volume, ++ image_id=image_id, ++ image_meta=image_meta) ++ + @mock.patch('cinder.volume.flows.manager.create_volume.' + 'CreateVolumeFromSpecTask.' 
+ '_cleanup_cg_in_volume') +diff --git a/cinder/volume/driver.py b/cinder/volume/driver.py +index 2ff27564b..030b4a8dd 100644 +--- a/cinder/volume/driver.py ++++ b/cinder/volume/driver.py +@@ -1192,6 +1192,17 @@ class BaseVD(object, metaclass=abc.ABCMeta): + """ + return None, False + ++ def clone_image_and_encrypt( ++ self, context, volume, image_location, image_meta, image_service ++ ): ++ """Create and encrypt a volume efficiently from an existing image. ++ ++ Refer to ++ :obj:`cinder.interface.volume_driver.VolumeDriverCore.clone_image` ++ for additional information. ++ """ ++ return None, False ++ + def backup_use_temp_snapshot(self): + """Get the configured setting for backup from snapshot. + +diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py +index aace801f3..ad0eea9d5 100644 +--- a/cinder/volume/drivers/rbd.py ++++ b/cinder/volume/drivers/rbd.py +@@ -141,6 +141,13 @@ CONF.register_opts(RBD_OPTS, group=configuration.SHARED_CONF_GROUP) + EXTRA_SPECS_REPL_ENABLED = "replication_enabled" + EXTRA_SPECS_MULTIATTACH = "multiattach" + ++# Note(ricolin): Reference ceph site for more information: ++# https://github.com/ceph/ceph/blob/main/src/include/rbd/librbd.h ++RBD_ENCRYPTION_ALG = { ++ 'aes-128': 0, ++ 'aes-256': 1 ++} ++ + QOS_KEY_MAP = { + 'total_iops_sec': { + 'ceph_key': 'rbd_qos_iops_limit', +@@ -1190,6 +1197,20 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + + return max(image_stripe_unit, default_stripe_unit) + ++ def _encrypt_volume(self, ++ context: context.RequestContext, ++ volume: Volume, ++ passphrase: str, ++ cipher_spec: dict ++ ) -> None: ++ LOG.debug("Encrypting volume $s", volume.name) ++ with RBDVolumeProxy(self, volume.name) as vol: ++ vol.encryption_format( ++ 0, ++ passphrase, ++ RBD_ENCRYPTION_ALG[cipher_spec['cipher_alg']] ++ ) ++ + def _clone(self, + volume: Volume, + src_pool: str, +@@ -1873,6 +1894,37 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + image_location: Optional[list], + 
image_meta: dict, + image_service) -> tuple[dict, bool]: ++ return self._clone_image(context, volume, image_location, ++ image_meta, image_service) ++ ++ def clone_image_and_encrypt( ++ self, ++ context: context.RequestContext, ++ volume: Volume, ++ image_location: Optional[list], ++ image_meta: dict, ++ image_service ++ ) -> tuple[dict, bool]: ++ ++ # Note(ricolin): method `encryption_format` added after Ceph Pacific ++ # release (>=16.1.0). ++ if self.rbd and hasattr( ++ self.rbd.Image, 'encryption_format') and callable( ++ self.rbd.Image.encryption_format): ++ return self._clone_image( ++ context, volume, image_location, ++ image_meta, image_service, is_encrypt=True) ++ else: ++ return {}, False ++ ++ def _clone_image(self, ++ context: context.RequestContext, ++ volume: Volume, ++ image_location: Optional[list], ++ image_meta: dict, ++ image_service, ++ is_encrypt: Optional[bool] = False ++ ) -> tuple[dict, bool]: + if image_location: + # Note: image_location[0] is glance image direct_url. + # image_location[1] contains the list of all locations (including +@@ -1890,12 +1942,41 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + url_location, image_meta): + _prefix, pool, image, snapshot = \ + self._parse_location(url_location) ++ if is_encrypt: ++ passphrase, cipher_spec = self._fetch_encryption_info( ++ context, volume) ++ if cipher_spec['cipher_alg'] not in RBD_ENCRYPTION_ALG: ++ LOG.debug( ++ "Skip clone. 
Cipher spec: %s not supported " ++ "for encrypt volume directly from RBD.", ++ cipher_spec) ++ return ({}, False) + volume_update = self._clone(volume, pool, image, snapshot) ++ if is_encrypt: ++ self._flatten(self.configuration.rbd_pool, volume.name) ++ self._encrypt_volume( ++ context, volume, passphrase, cipher_spec) + volume_update['provider_location'] = None + self._resize(volume) + return volume_update, True + return ({}, False) + ++ def _fetch_encryption_info(self, ++ context: context.RequestContext, ++ volume: Volume) -> tuple[str, dict]: ++ encryption = volume_utils.check_encryption_provider( ++ volume, ++ context) ++ # Fetch the key associated with the volume and decode the passphrase ++ keymgr = key_manager.API(CONF) ++ key = keymgr.get(context, encryption['encryption_key_id']) ++ passphrase = binascii.hexlify(key.get_encoded()).decode('utf-8') ++ ++ # Decode the dm-crypt style cipher spec into something qemu-img can use ++ cipher_spec = image_utils.decode_cipher(encryption['cipher'], ++ encryption['key_size']) ++ return passphrase, cipher_spec ++ + def copy_image_to_encrypted_volume(self, + context: context.RequestContext, + volume: Volume, +@@ -1920,18 +2001,8 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + volume: Volume, + tmp_dir: str, + src_image_path: Any) -> None: +- encryption = volume_utils.check_encryption_provider( +- volume, +- context) +- +- # Fetch the key associated with the volume and decode the passphrase +- keymgr = key_manager.API(CONF) +- key = keymgr.get(context, encryption['encryption_key_id']) +- passphrase = binascii.hexlify(key.get_encoded()).decode('utf-8') +- +- # Decode the dm-crypt style cipher spec into something qemu-img can use +- cipher_spec = image_utils.decode_cipher(encryption['cipher'], +- encryption['key_size']) ++ passphrase, cipher_spec = self._fetch_encryption_info( ++ context, volume) + + tmp_dir = volume_utils.image_conversion_dir() + +diff --git a/cinder/volume/flows/manager/create_volume.py 
b/cinder/volume/flows/manager/create_volume.py +index 549a49b00..8ea4c0fe1 100644 +--- a/cinder/volume/flows/manager/create_volume.py ++++ b/cinder/volume/flows/manager/create_volume.py +@@ -1086,11 +1086,6 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + # NOTE (singn): two params need to be returned + # dict containing provider_location for cloned volume + # and clone status. +- # NOTE (lixiaoy1): Currently all images are raw data, we can't +- # use clone_image to copy data if new volume is encrypted +- # NOTE (ricolin): If the image provided an encryption key, we have +- # already cloned it to the volume's key in +- # _get_encryption_key_id, so we can do a direct clone. + image_encryption_key = image_meta.get('cinder_encryption_key_id') + volume_is_encrypted = volume.encryption_key_id is not None + cloned = False +@@ -1102,6 +1097,9 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + image_location, + image_meta, + image_service) ++ else: ++ model_update, cloned = self.driver.clone_image_and_encrypt( ++ context, volume, image_location, image_meta, image_service) + + # Try and clone the image if we have it set as a glance location. + if not cloned and 'cinder' in CONF.allowed_direct_url_schemes: +diff --git a/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml b/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml +new file mode 100644 +index 000000000..63d1f38cd +--- /dev/null ++++ b/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml +@@ -0,0 +1,21 @@ ++--- ++features: ++ - | ++ Allow clone image when creating encrypted volume from Glance image if both ++ stored in RBD. ++ Previously, Glance image clone is not supported for encrypted volume ++ creation. The old process is to download image to local disk, encrypt the ++ local file, and import it back to RBD. 
This not just slow, but also ++ protentially take large amount of local disk space from hosts that runs ++ Cinder volume service. ++ The new process is to try and clone from Glance image (if it's also stored ++ in RBD), flatten it, and encrypting new image in RBD for volume. And If ++ Glance image source is not clonable, will continue with copy-and-import ++ method as previous flow. ++ In above flow, If clone from Glance image is appliable. Even it still ++ requires to clone and flatten RBD image might took some time, but should ++ still be a lot faster than copy-and-import. And also no local disk will ++ be used to store raw image in this case. ++ This also introduced driver method `clone_image_and_encrypt` for drivers ++ that seperate the clone process from non-encrypted volume so the create ++ flow won't be affected. +-- +2.34.1 diff --git a/images/cloud-archive-base/Earthfile b/images/cloud-archive-base/Earthfile deleted file mode 100644 index 473d5d890..000000000 --- a/images/cloud-archive-base/Earthfile +++ /dev/null 
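Review bot: In `_clone_image`, the encrypted path runs `_clone`, then `_flatten`, then `_encrypt_volume`, with no error handling visible in the hunk. If the flatten or the `encryption_format` call raises, a plaintext clone stays under the volume's name while the volume record carries an encryption key. The two post-clone steps should be wrapped so the clone is removed before the error propagates, as sketched below (the function continues outside the hunk, so existing cleanup may simply not be visible). A test that reads data back through the key is also worth adding, because the image is formatted after plaintext data has been flattened into it and nothing here shows the existing blocks being re-encrypted. In `_encrypt_volume`, the debug message uses `$s` where `%s` is needed, so the volume name is never interpolated, and the literal `0` passed to `encryption_format` should be a named constant like `RBD_ENCRYPTION_ALG`.

```python
volume_update = self._clone(volume, pool, image, snapshot)
if is_encrypt:
    try:
        self._flatten(self.configuration.rbd_pool, volume.name)
        self._encrypt_volume(
            context, volume, passphrase, cipher_spec)
    except Exception:
        # Do not leave a plaintext clone behind for a volume that
        # is recorded as encrypted.
        self.delete_volume(volume)
        raise
# … unchanged: provider_location reset, _resize, return …
```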
@@ -1,23 +0,0 @@
-VERSION 0.7
-
-image:
- FROM ../base+image
- DO ../+APT_INSTALL --PACKAGES "ca-certificates libpython3.10 lsb-release python3-distutils sudo ubuntu-cloud-keyring"
- ARG RELEASE
- IF [ "$(lsb_release -sc)" = "jammy" ]
- IF [ "${RELEASE}" = "yoga" ]
- # NOTE: Yoga shipped with 22.04, so no need to add an extra repository.
- RUN echo "" > /etc/apt/sources.list.d/cloudarchive.list
- ELSE IF [ "${RELEASE}" = "zed" ]
- RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list
- ELSE IF [ "${RELEASE}" = "2023.1" ]
- RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list
- ELSE IF [ "${RELEASE}" = "2023.2" ]
- RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list
- ELSE IF [ "${RELEASE}" = "master" ]
- RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list
- ELSE
- RUN echo "${RELEASE} is not supported on $(lsb_release -sc)"
- RUN exit 1
- END
- END
diff --git a/images/cluster-api-provider-openstack/Dockerfile b/images/cluster-api-provider-openstack/Dockerfile
new file mode 100644
index 000000000..aa05489a9
--- /dev/null
+++ b/images/cluster-api-provider-openstack/Dockerfile
@@ -0,0 +1,32 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+FROM alpine/git:2.43.0 AS src
+ARG CAPO_VERSION=v0.9.0
+ADD https://github.com/kubernetes-sigs/cluster-api-provider-openstack.git#${CAPO_VERSION} /src
+WORKDIR /src
+COPY /patches /patches
+RUN git apply /patches/*.patch
+
+FROM golang:1.20 AS builder
+COPY --from=src --link /src /src
+WORKDIR /src
+ARG ARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+ go build -ldflags "-extldflags '-static'" -o manager ${package}
+
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /src/manager /manager
+USER 65532
+ENTRYPOINT ["/manager"]
diff --git a/images/cluster-api-provider-openstack/Earthfile b/images/cluster-api-provider-openstack/Earthfile
deleted file mode 100644
index 111f465e0..000000000
--- a/images/cluster-api-provider-openstack/Earthfile
+++ /dev/null
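Review bot: The `src` stage fetches the upstream repository by tag (`CAPO_VERSION=v0.9.0` in the `ADD …git#${CAPO_VERSION}` line), which is a mutable ref, and the patched tree is then compiled into the shipped binary. images/cinder/Dockerfile in this same commit pins a full commit hash in its `ADD`, and doing the same here would fix the build input. In the `builder` stage `${package}` is used by `go build` but no `ARG package` is declared in this file, so it expands to empty, and `ARG ARCH` has no default, so `GOARCH` is empty unless the caller passes it; `ARG package=.` and `ARG TARGETARCH` with `GOARCH=${TARGETARCH}` would make both explicit. The three base images (`alpine/git:2.43.0`, `golang:1.20`, `gcr.io/distroless/static:nonroot`) are referenced by tag only, so pinning each by digest is worth considering for reproducibility.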
@@ -1,18 +0,0 @@ -VERSION 0.7 - -ARG --global CAPO_VERSION=v0.8.0 -ARG --global EPOCH=2 - -clone: - FROM ../builder+image - GIT CLONE --branch ${CAPO_VERSION} https://github.com/kubernetes-sigs/cluster-api-provider-openstack /workspace/src - WORKDIR /workspace/src - COPY patches /workspace/patches - RUN git apply --verbose /workspace/patches/*.patch - SAVE ARTIFACT /workspace/src - -image: - FROM DOCKERFILE -f +clone/src/Dockerfile +clone/src/* - LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/capi-openstack-controller:${CAPO_VERSION}-${EPOCH} diff --git a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch index 2812ac502..cd99927fe 100644 --- a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch +++ b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch @@ -1,158 +1,89 @@ -From 139a57e7b0d4c57033e281b061e459039a5e21d3 Mon Sep 17 00:00:00 2001 +From eed5b5cc2a6cf48c0c9e0245695d0ac143150186 Mon Sep 17 00:00:00 2001 From: Mohammed Naser -Date: Mon, 22 Jan 2024 16:22:52 -0500 -Subject: [PATCH 2/2] chore: bump k8s api for cve +Date: Tue, 12 Mar 2024 18:18:25 -0400 +Subject: [PATCH] chore: bump k8s api for cve --- - go.mod | 17 +++++++++-------- - go.sum | 36 +++++++++++++++++++----------------- - 2 files changed, 28 insertions(+), 25 deletions(-) + go.mod | 8 ++++---- + go.sum | 16 ++++++++-------- + 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod -index db4a954a..49d2f7cf 100644 +index 997f8354..d6c300cc 100644 --- a/go.mod 
+++ b/go.mod -@@ -15,8 +15,8 @@ require ( - github.com/onsi/gomega v1.27.8 - github.com/prometheus/client_golang v1.16.0 +@@ -15,7 +15,7 @@ require ( + github.com/onsi/gomega v1.30.0 + github.com/prometheus/client_golang v1.17.0 github.com/spf13/pflag v1.0.5 -- golang.org/x/crypto v0.11.0 -- golang.org/x/text v0.11.0 -+ golang.org/x/crypto v0.14.0 -+ golang.org/x/text v0.13.0 +- golang.org/x/crypto v0.15.0 ++ golang.org/x/crypto v0.17.0 + golang.org/x/text v0.14.0 gopkg.in/ini.v1 v1.67.0 - k8s.io/api v0.27.2 - k8s.io/apiextensions-apiserver v0.27.2 + k8s.io/api v0.28.4 
@@ -24,7 +24,7 @@ require ( - k8s.io/client-go v0.27.2 - k8s.io/component-base v0.27.2 - k8s.io/klog/v2 v2.90.1 -- k8s.io/kubernetes v1.27.2 -+ k8s.io/kubernetes v1.27.8 - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 - sigs.k8s.io/cluster-api v1.5.1 - sigs.k8s.io/cluster-api/test v1.5.1 -@@ -113,15 +113,16 @@ require ( - go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect -- golang.org/x/net v0.13.0 // indirect -+ golang.org/x/net v0.17.0 // indirect - golang.org/x/oauth2 v0.10.0 // indirect -- golang.org/x/sys v0.10.0 // indirect -- golang.org/x/term v0.10.0 // indirect -+ golang.org/x/sys v0.13.0 // indirect -+ golang.org/x/term v0.13.0 // indirect + k8s.io/client-go v0.28.4 + k8s.io/component-base v0.28.4 + k8s.io/klog/v2 v2.100.1 +- k8s.io/kubernetes v1.28.3 ++ k8s.io/kubernetes v1.28.4 + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + sigs.k8s.io/cluster-api v1.6.0 + sigs.k8s.io/cluster-api/test v1.6.0 +@@ -139,8 +139,8 @@ require ( + golang.org/x/net v0.18.0 // indirect + golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/sync v0.4.0 // indirect +- golang.org/x/sys v0.14.0 // indirect +- golang.org/x/term v0.14.0 // indirect ++ golang.org/x/sys v0.15.0 // indirect ++ golang.org/x/term v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect -- golang.org/x/tools v0.9.3 // indirect -+ golang.org/x/tools v0.12.0 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect -- google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect -+ google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a // indirect -+ google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect - google.golang.org/protobuf v1.31.0 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect + golang.org/x/tools v0.14.0 // indirect + 
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum -index 66bd8109..f18ece49 100644 +index e3d46fdc..f5767735 100644 --- a/go.sum 
+++ b/go.sum -@@ -516,8 +516,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y +@@ -460,8 +460,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= --golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= --golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= ++golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= ++golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -@@ -555,7 +555,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= --golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -+golang.org/x/mod v0.12.0 
h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= - golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -@@ -596,8 +596,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx - golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= - golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= - golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= --golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= --golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= -+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= - golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= - golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= - golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -@@ -673,13 +673,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc - golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +@@ -609,13 +609,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= --golang.org/x/sys v0.10.0 
h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= --golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= ++golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= --golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= --golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +-golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= ++golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= ++golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -@@ -690,8 +690,8 @@ golang.org/x/text v0.3.5/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= - golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= --golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= --golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= - golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -@@ -752,8 +752,8 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= - golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= --golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= --golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= -+golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= -+golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= - golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -@@ -825,8 +825,10 @@ 
google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D - google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a h1:HiYVD+FGJkTo+9zj1gqz0anapsa1JxjiSrN+BJKyUmE= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= - google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= - google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= - google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -@@ -914,8 +916,8 @@ k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= - k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= --k8s.io/kubernetes v1.27.2 h1:g4v9oY6u7vBUDEuq4FvC50Bbw2K7GZuvM00IIESWVf4= --k8s.io/kubernetes v1.27.2/go.mod 
h1:U8ZXeKBAPxeb4J4/HOaxjw1A9K6WfSH+fY2SS7CR6IM= -+k8s.io/kubernetes v1.27.8 h1:K848lTo/D0jvrxUlTvw4nNADixbhXLHgKNDP/KlFGy8= -+k8s.io/kubernetes v1.27.8/go.mod h1:PUXXrx0IhAi+kI9BMDqNJHUnLndVv9W0DkriqyjuJOs= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 h1:xMMXJlJbsU8w3V5N2FLDQ8YgU8s1EoULdbQBcAeNJkY= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +@@ -841,8 +841,8 @@ k8s.io/kms v0.28.4 h1:PMgY/3CQTWP9eIKmNQiTgjLIZ0ns6O+voagzD2/4mSg= + k8s.io/kms v0.28.4/go.mod h1:HL4/lR/bhjAJPbqycKtfhWiKh1Sp21cpHOL8P4oo87w= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +-k8s.io/kubernetes v1.28.3 h1:XTci6gzk+JR51UZuZQCFJ4CsyUkfivSjLI4O1P9z6LY= +-k8s.io/kubernetes v1.28.3/go.mod h1:NhAysZWvHtNcJFFHic87ofxQN7loylCQwg3ZvXVDbag= ++k8s.io/kubernetes v1.28.4 h1:aRNxs5jb8FVTtlnxeA4FSDBVKuFwA8Gw40/U2zReBYA= ++k8s.io/kubernetes v1.28.4/go.mod h1:BTzDCKYAlu6LL9ITbfjwgwIrJ30hlTgbv0eXDoA/WoA= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -- 2.43.0 - diff --git a/images/curl/Earthfile b/images/curl/Earthfile deleted file mode 100644 index 06d3d8e1a..000000000 --- a/images/curl/Earthfile +++ /dev/null @@ -1,5 +0,0 @@ -VERSION 0.7 - -image: - FROM curlimages/curl:7.78.0 - WORKDIR /tmp diff --git a/images/designate/Dockerfile b/images/designate/Dockerfile new file mode 100644 index 000000000..e1610c8d2 --- /dev/null +++ b/images/designate/Dockerfile 
@@ -0,0 +1,33 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG DESIGNATE_GIT_REF=d247267823034c5e656f74e91b50475aa54d3fa6 +ADD --keep-git-dir=true https://opendev.org/openstack/designate.git#${DESIGNATE_GIT_REF} /src/designate +RUN git -C /src/designate fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < /etc/apt/sources.list.d/ceph.list - ELSE IF [ "$(lsb_release -sc)" = "jammy" ] - RUN echo "deb http://download.ceph.com/debian-reef/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/ceph.list - ELSE - RUN echo "${RELEASE} is not supported on $(lsb_release -sc)" - RUN exit 1 - END - DO ../+APT_INSTALL --PACKAGES="ceph-common cgroup-tools dmidecode ebtables iproute2 ipxe-qemu kmod libvirt-clients libvirt-daemon-system openssh-client openvswitch-switch ovmf pm-utils qemu-block-extra qemu-efi qemu-kvm seabios" - DO ../+CREATE_PROJECT_USER --PROJECT=nova - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/libvirtd:${RELEASE} - -image: - BUILD --platform linux/amd64 --platform linux/arm64 +platform-image diff --git a/images/libvirtd/keyrings/ceph.gpg b/images/libvirtd/keyrings/ceph.gpg deleted file mode 100644 index c5d8bd399..000000000 Binary files a/images/libvirtd/keyrings/ceph.gpg and /dev/null differ 
diff --git a/images/magnum/Dockerfile b/images/magnum/Dockerfile new file mode 100644 index 000000000..f945cf1b0 --- /dev/null +++ b/images/magnum/Dockerfile 
@@ -0,0 +1,45 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/ubuntu:zed AS helm +ARG TARGETOS +ARG TARGETARCH +ARG HELM_VERSION=3.14.0 +ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz +RUN tar -xzf /helm.tar.gz +RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG MAGNUM_GIT_REF=0ee979099a01ae2c8b1b5d6757897a8993e4e34c +ADD --keep-git-dir=true https://opendev.org/openstack/magnum.git#${MAGNUM_GIT_REF} /src/magnum +RUN git -C /src/magnum fetch --unshallow +COPY patches/magnum /patches/magnum +RUN git -C /src/magnum apply --verbose /patches/magnum/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Fri, 22 Sep 2023 16:25:10 +0200 -Subject: [PATCH] fix netns deletion of broken namespaces - -normal network namespaces are bind-mounted to files under -/var/run/netns. If a process deleting a network namespace gets killed -during that operation there is the chance that the bind mount to the -netns has been removed, but the file under /var/run/netns still exists. - -When the neutron-ovn-metadata-agent tries to clean up such network -namespaces it first tires to validate that the network namespace is -empty. For the cases described above this fails, as this network -namespace no longer really exists, but is just a stray file laying -around. 
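Review bot: The `helm` stage of images/magnum/Dockerfile fetches the Helm tarball with a bare `ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz` and unpacks it with no integrity check, so whatever that URL serves at build time becomes `/usr/bin/helm` in that stage. Because the archive differs per architecture, the expected digest has to be pinned per `TARGETARCH`, either as `ADD --checksum=sha256:<digest> ...` or by verifying the digest in the same `RUN` that extracts the archive. The `build` stage that follows is truncated on this page, so this note covers only the `helm` stage.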
- -To fix this we treat network namespaces where we get an `OSError` with -errno 22 (Invalid Argument) as empty. The calls to pyroute2 to delete -the namespace will then clean up the file. - -Additionally we add a guard to teardown_datapath to continue even if -this fails. failing to remove a datapath is not critical and leaves in -the worst case a process and a network namespace running, however -previously it would have also prevented the creation of new datapaths -which is critical for VM startup. - -Closes-Bug: #2037102 -Change-Id: I7c43812fed5903f98a2e491076c24a8d926a59b4 -(cherry picked from commit 566fea3fed837b0130023303c770aade391d3d61) ---- - neutron/agent/linux/ip_lib.py | 17 ++++++++++++- - neutron/agent/ovn/metadata/agent.py | 5 +++- - neutron/tests/unit/agent/linux/test_ip_lib.py | 15 +++++++++++ - .../unit/agent/ovn/metadata/test_agent.py | 25 +++++++++++++++++++ - 4 files changed, 60 insertions(+), 2 deletions(-) - -diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py -index 10bd33d9e1..5d2593da47 100644 ---- a/neutron/agent/linux/ip_lib.py -+++ b/neutron/agent/linux/ip_lib.py -@@ -259,7 +259,22 @@ class IPWrapper(SubProcessBase): - return ip - - def namespace_is_empty(self): -- return not self.get_devices() -+ try: -+ return not self.get_devices() -+ except OSError as e: -+ # This can happen if we previously got terminated in the middle of -+ # removing this namespace. In this case the bind mount of the -+ # namespace under /var/run/netns will be removed, but the namespace -+ # file is still there. As the bind mount is gone we can no longer -+ # access the namespace to validate that it is empty. But since it -+ # should have already been removed we are sure that the check has -+ # passed the last time and since the namespace is unuseable that -+ # can not have changed. -+ # Future calls to pyroute2 to remove that namespace will clean up -+ # the leftover file. 
-+ if e.errno == errno.EINVAL: -+ return True -+ raise e - - def garbage_collect_namespace(self): - """Conditionally destroy the namespace if it is empty.""" -diff --git a/neutron/agent/ovn/metadata/agent.py b/neutron/agent/ovn/metadata/agent.py -index 1745239701..861715d8e1 100644 ---- a/neutron/agent/ovn/metadata/agent.py -+++ b/neutron/agent/ovn/metadata/agent.py -@@ -430,7 +430,10 @@ class MetadataAgent(object): - ns.startswith(NS_PREFIX) and - ns not in metadata_namespaces] - for ns in unused_namespaces: -- self.teardown_datapath(self._get_datapath_name(ns)) -+ try: -+ self.teardown_datapath(self._get_datapath_name(ns)) -+ except Exception: -+ LOG.exception('Error unable to destroy namespace: %s', ns) - - # resync all network namespaces based on the associated datapaths, - # even those that are already running. This is to make sure -diff --git a/neutron/tests/unit/agent/linux/test_ip_lib.py b/neutron/tests/unit/agent/linux/test_ip_lib.py -index d1c74fb3f7..159cafdb8e 100644 ---- a/neutron/tests/unit/agent/linux/test_ip_lib.py -+++ b/neutron/tests/unit/agent/linux/test_ip_lib.py -@@ -357,6 +357,21 @@ class TestIpWrapper(base.BaseTestCase): - self.assertNotIn(mock.call().delete('ns'), - ip_ns_cmd_cls.mock_calls) - -+ def test_garbage_collect_namespace_existing_broken(self): -+ with mock.patch.object(ip_lib, 'IpNetnsCommand') as ip_ns_cmd_cls: -+ ip_ns_cmd_cls.return_value.exists.return_value = True -+ -+ ip = ip_lib.IPWrapper(namespace='ns') -+ -+ with mock.patch.object(ip, 'get_devices', -+ side_effect=OSError(errno.EINVAL, None) -+ ) as mock_get_devices: -+ self.assertTrue(ip.garbage_collect_namespace()) -+ -+ mock_get_devices.assert_called_once_with() -+ expected = [mock.call().delete('ns')] -+ ip_ns_cmd_cls.assert_has_calls(expected) -+ - @mock.patch.object(priv_lib, 'create_interface') - def test_add_vlan(self, create): - retval = ip_lib.IPWrapper().add_vlan('eth0.1', 'eth0', '1') -diff --git a/neutron/tests/unit/agent/ovn/metadata/test_agent.py 
b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -index 6df7da702d..9bf9f0db52 100644 ---- a/neutron/tests/unit/agent/ovn/metadata/test_agent.py -+++ b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -@@ -134,6 +134,31 @@ class TestMetadataAgent(base.BaseTestCase): - lnn.assert_called_once_with() - tdp.assert_called_once_with('3') - -+ def test_sync_teardown_namespace_does_not_crash_on_error(self): -+ """Test that sync tears down unneeded metadata namespaces. -+ Even if that fails it continues to provision other datapaths -+ """ -+ with mock.patch.object( -+ self.agent, 'provision_datapath') as pdp,\ -+ mock.patch.object( -+ ip_lib, 'list_network_namespaces', -+ return_value=['ovnmeta-1', 'ovnmeta-2', 'ovnmeta-3', -+ 'ns1', 'ns2']) as lnn,\ -+ mock.patch.object( -+ self.agent, 'teardown_datapath', -+ side_effect=Exception()) as tdp: -+ self.agent.sync() -+ -+ pdp.assert_has_calls( -+ [ -+ mock.call(p.datapath) -+ for p in self.ports -+ ], -+ any_order=True -+ ) -+ lnn.assert_called_once_with() -+ tdp.assert_called_once_with('3') -+ - def test_get_networks_datapaths(self): - """Test get_networks_datapaths returns only datapath objects for the - networks containing vif ports of type ''(blank) and 'external'. --- -2.34.1 diff --git a/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch new file mode 100644 index 000000000..260532499 --- /dev/null +++ b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch 
@@ -0,0 +1,38 @@
+From f8ec437329510ef59c81084712dbfe49528ef56d Mon Sep 17 00:00:00 2001
+From: Mohammed Naser
+Date: Thu, 28 Mar 2024 14:38:43 -0400
+Subject: [PATCH] fix(ovn): set mtu in external_ids correctly
+
+In the previous patch, we did account for the MTU showing up
+in the external IDs however the code only sets it if it's using
+a remote managed port binding. This code instead sets the binding
+for all the inerface types instead.
+
+Related-Change-Id: I7ff300e9634e5e3fc68d70540392109fd8b9babc
+Closes-Bug: 2053274
+Change-Id: I0653c83c5fb595847bb61182223db39b2f7e98c6
+---
+ .../plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+index 3e7bc5c01f..6f9e90afde 100644
+--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
++++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+@@ -480,11 +480,13 @@ class OVNClient(object):
+ # HA Chassis Group will bind the port to the highest
+ # priority Chassis
+ if port_type != ovn_const.LSP_TYPE_EXTERNAL:
++ port_net = self._plugin.get_network(
++ context, port['network_id'])
++ mtu = str(port_net['mtu'])
+ if (vnic_type == portbindings.VNIC_REMOTE_MANAGED and
+ ovn_const.VIF_DETAILS_PF_MAC_ADDRESS in binding_prof):
+ port_net = self._plugin.get_network(
+ context, port['network_id'])
+- mtu = str(port_net['mtu'])
+ options.update({
+ ovn_const.LSP_OPTIONS_VIF_PLUG_TYPE_KEY: 'representor',
+ ovn_const.LSP_OPTIONS_VIF_PLUG_MTU_REQUEST_KEY: mtu,
+--
+2.34.1
diff --git a/images/nova-ssh/Dockerfile b/images/nova-ssh/Dockerfile
new file mode 100644
index 000000000..84f6889a9
--- /dev/null
+++ b/images/nova-ssh/Dockerfile
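Review bot: The added `port_net = self._plugin.get_network(...)` above the `VNIC_REMOTE_MANAGED` check makes the identical call left inside that `if` redundant, so remote-managed ports now look the network up twice. The inner two-line assignment can be dropped, since `port_net` and `mtu` are already set by the time the branch runs. Within this hunk `mtu` is still consumed only by `LSP_OPTIONS_VIF_PLUG_MTU_REQUEST_KEY` inside that branch; the use for all other interface types that the patch description mentions is presumably further down in the method, which continues outside the hunk.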
@@ -0,0 +1,26 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-runtime:zed +RUN < -Date: Tue, 31 Oct 2023 22:52:50 -0400 -Subject: [PATCH] libvirt: Stop unconditionally enabling evmcs - -In I008841988547573878c4e06e82f0fa55084e51b5 we started enabling a -bunch of libvirt enlightenments for Windows unconditionally. Turns -out, the `evmcs` enlightenment only works on Intel hosts, and we broke -the ability to run Windows guests on AMD machines. Until we become -smarter about conditionally enabling evmcs (with something like traits -for host CPU features), just stop enabling it at all. 
- -Change-Id: I2ff4fdecd9dc69de283f0e52e07df1aeaf0a9048 -Closes-bug: 2009280 ---- - nova/tests/unit/virt/libvirt/test_driver.py | 5 ++++- - nova/virt/libvirt/driver.py | 1 - - ...p-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml | 8 ++++++++ - 3 files changed, 12 insertions(+), 2 deletions(-) - create mode 100644 releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml - -diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py -index d01b9c2677..ebba604ffa 100644 ---- a/nova/tests/unit/virt/libvirt/test_driver.py -+++ b/nova/tests/unit/virt/libvirt/test_driver.py -@@ -27972,7 +27972,10 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): - self.assertTrue(hv.reenlightenment) - self.assertTrue(hv.tlbflush) - self.assertTrue(hv.ipi) -- self.assertTrue(hv.evmcs) -+ # NOTE(artom) evmcs only works on Intel hosts, so we can't enable it -+ # unconditionally. Until we become smarter about it, just don't enable -+ # it at all. See bug 2009280. -+ self.assertFalse(hv.evmcs) - - - class LibvirtVolumeUsageTestCase(test.NoDBTestCase): -diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py -index d03dc5fd67..1b28e50355 100644 ---- a/nova/virt/libvirt/driver.py -+++ b/nova/virt/libvirt/driver.py -@@ -6234,7 +6234,6 @@ class LibvirtDriver(driver.ComputeDriver): - hv.reenlightenment = True - hv.tlbflush = True - hv.ipi = True -- hv.evmcs = True - - # NOTE(kosamara): Spoofing the vendor_id aims to allow the nvidia - # driver to work on windows VMs. 
At the moment, the nvidia driver -diff --git a/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml b/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml -new file mode 100644 -index 0000000000..31609f2a2d ---- /dev/null -+++ b/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml -@@ -0,0 +1,8 @@ -+--- -+fixes: -+ - | -+ Bug 2009280 has been fixed by no longer enabling the evmcs enlightenment in -+ the libvirt driver. evmcs only works on Intel CPUs, and domains with that -+ enlightenment cannot be started on AMD hosts. There is a possible future -+ feature to enable support for generating this enlightenment only when -+ running on Intel hosts. --- -2.34.1 - diff --git a/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch b/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch deleted file mode 100644 index 88ea6312a..000000000 --- a/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From e618e78edc6293d248a5fa2eb63b3fa636250fca Mon Sep 17 00:00:00 2001 -From: songjie -Date: Mon, 25 Dec 2023 16:59:36 +0800 -Subject: [PATCH] libvirt: stop enabling hyperv feature reenlightenment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The 'reenlightenment' hyperv enlightenment will cause -instances live-migration to fail (KVM currently doesn’t -fully support reenlightenment notifications, see -www.qemu.org/docs/master/system/i386/hyperv.html), -so don't enable it now. - -Change-Id: I6821819450bc96e4304125ea3b76a0e462e6e33f -Closes-Bug: #2046549 -Related-Bug: #2009280 ---- - nova/tests/unit/virt/libvirt/test_driver.py | 4 +++- - nova/virt/libvirt/driver.py | 1 - - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py -index 868e024370..2e1d089898 100644 ---- a/nova/tests/unit/virt/libvirt/test_driver.py -+++ b/nova/tests/unit/virt/libvirt/test_driver.py -@@ -28048,7 +28048,9 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): - self.assertTrue(hv.synic) - self.assertTrue(hv.reset) - self.assertTrue(hv.frequencies) -- self.assertTrue(hv.reenlightenment) -+ # NOTE(jie) reenlightenment will cause instances live-migration -+ # failure, so don't enable it now. See bug 2046549. -+ self.assertFalse(hv.reenlightenment) - self.assertTrue(hv.tlbflush) - self.assertTrue(hv.ipi) - # NOTE(artom) evmcs only works on Intel hosts, so we can't enable it -diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py -index 7f5f48c047..f8e3353110 100644 ---- a/nova/virt/libvirt/driver.py -+++ b/nova/virt/libvirt/driver.py -@@ -6262,7 +6262,6 @@ class LibvirtDriver(driver.ComputeDriver): - hv.synic = True - hv.reset = True - hv.frequencies = True -- hv.reenlightenment = True - hv.tlbflush = True - hv.ipi = True - --- -2.34.1 - 
diff --git a/images/octavia/Dockerfile b/images/octavia/Dockerfile new file mode 100644 index 000000000..bf8d7e7f5 --- /dev/null +++ b/images/octavia/Dockerfile 
@@ -0,0 +1,36 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG OCTAVIA_GIT_REF=000b577f3e9c9ff7cb893e9f6e635753017a78c6 +ADD --keep-git-dir=true https://opendev.org/openstack/octavia.git#${OCTAVIA_GIT_REF} /src/octavia +RUN git -C /src/octavia fetch --unshallow +ADD --keep-git-dir=true https://opendev.org/openstack/ovn-octavia-provider.git#stable/zed /src/ovn-octavia-provider +RUN git -C /src/ovn-octavia-provider fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Tue, 16 Jan 2024 17:13:19 -0500 -Subject: [PATCH] fix: specify endpoint info. 
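Review bot: The second `ADD` in the build stage tracks the moving branch `stable/zed` of ovn-octavia-provider, while octavia itself is pinned to a commit through `OCTAVIA_GIT_REF`. Two builds of the same Dockerfile can therefore ship different provider code, with no record of which commit went into an image. Pin it the same way: `ARG OVN_OCTAVIA_PROVIDER_GIT_REF=<commit-sha>` and `ADD --keep-git-dir=true https://opendev.org/openstack/ovn-octavia-provider.git#${OVN_OCTAVIA_PROVIDER_GIT_REF} /src/ovn-octavia-provider`. The base image `openstack-venv-builder:zed` is also a mutable tag, so a digest pin would be needed for a fully reproducible build. The rest of this hunk, from the pip install step onward, is not legible on this page, so this covers only the lines shown.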
for neutron client - -Closes bug: #2049551 - -Change-Id: I80a266e500958415a70d462ddfe57e9e03e6ef13 ---- - octavia/common/clients.py | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/octavia/common/clients.py b/octavia/common/clients.py -index b13642bb..2abcc67b 100644 ---- a/octavia/common/clients.py -+++ b/octavia/common/clients.py -@@ -80,10 +80,16 @@ class NeutronAuth(object): - if not cls.neutron_client: - sess = ksession.get_session() - -- kwargs = {} -+ kwargs = { -+ 'region_name': CONF.neutron.region_name, -+ 'interface': CONF.neutron.valid_interfaces -+ } - if CONF.neutron.endpoint_override: - kwargs['network_endpoint_override'] = ( - CONF.neutron.endpoint_override) -+ if CONF.neutron.endpoint_override.startswith("https"): -+ kwargs['insecure'] = CONF.neutron.insecure -+ kwargs['cacert'] = CONF.neutron.cafile - - conn = openstack.connection.Connection( - session=sess, **kwargs) --- -2.34.1 - diff --git a/images/openstack-runtime/Dockerfile b/images/openstack-runtime/Dockerfile new file mode 100644 index 000000000..3cf9ae45f --- /dev/null +++ b/images/openstack-runtime/Dockerfile 
@@ -0,0 +1,23 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ARG FROM=registry.atmosphere.dev/library/ubuntu-cloud-archive:zed
+FROM ${FROM}
+ONBUILD ARG PROJECT
+ONBUILD ARG SHELL=/usr/sbin/nologin
+ONBUILD RUN \
+ groupadd -g 42424 ${PROJECT} && \
+ useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \
+ mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \
+ chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT}
diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
deleted file mode 100644
index ae4ab494d..000000000
--- a/images/openstack-service/Earthfile
+++ /dev/null
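Review bot: `ONBUILD ARG SHELL=/usr/sbin/nologin` reuses the name of the standard `SHELL` environment variable. Because build args are exported to `RUN` steps, every later `RUN` in a child image's stage will see `SHELL=/usr/sbin/nologin`, and any tool that spawns `$SHELL` there may fail in a confusing way. A distinct name avoids this, e.g. `ONBUILD ARG PROJECT_SHELL=/usr/sbin/nologin` with `-s "${PROJECT_SHELL}"`, though child Dockerfiles that pass `SHELL` would need updating. Separately, `PROJECT` has no default and is expanded unquoted into `mkdir -p` and `chown -Rv`; starting the `ONBUILD RUN` chain with `test -n "${PROJECT}"` and quoting the expansions would make a missing build arg fail with a clear message.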
@@ -1,99 +0,0 @@ -VERSION 0.8 - -PIP_INSTALL: - FUNCTION - ARG PACKAGES - RUN --mount=type=cache,target=/root/.cache \ - /var/lib/openstack/bin/pip3 install \ - --constraint /upper-constraints.txt \ - ${PACKAGES} - -GIT_CHECKOUT: - FUNCTION - ARG PROJECT - ARG PROJECT_REPO=https://github.com/openstack/${PROJECT} - ARG PROJECT_REF - GIT CLONE --branch ${PROJECT_REF} ${PROJECT_REPO} /src - WORKDIR /src - RUN \ - git remote set-url origin ${PROJECT_REPO} && \ - git fetch --unshallow - COPY --if-exists patches/${PROJECT} /patches - IF [ -d /patches ] - RUN git apply --verbose /patches/*.patch - END - -BUILD_VENV: - FUNCTION - ARG PROJECT - ARG PROJECT_REPO=https://github.com/openstack/${PROJECT} - ARG PROJECT_REF - DO +GIT_CHECKOUT \ - --PROJECT=${PROJECT} \ - --PROJECT_REPO=${PROJECT_REPO} \ - --PROJECT_REF=${PROJECT_REF} - ARG EXTRAS="" - ARG PIP_PACKAGES="" - DO +PIP_INSTALL --PACKAGES "/src${EXTRAS} ${PIP_PACKAGES}" - SAVE ARTIFACT /var/lib/openstack venv - -requirements: - FROM ../base+image - ARG RELEASE - IF [ "${RELEASE}" = "master" ] - ARG BRANCH=master - ELSE - ARG BRANCH=stable/${RELEASE} - END - GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src - RUN \ - sed -i 's/cryptography===36.0.2/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/cryptography===40.0.2/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/cryptography===41.0.7/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/Django===3.2.18/Django===3.2.24/' /src/upper-constraints.txt && \ - sed -i 's/Flask===2.2.3/Flask===2.2.5/' /src/upper-constraints.txt && \ - sed -i 's/Jinja2===3.1.2/Jinja2===3.1.3/' /src/upper-constraints.txt && \ - sed -i 's/paramiko===2.11.0/paramiko===3.4.0/' /src/upper-constraints.txt && \ - sed -i 's/paramiko===3.1.0/paramiko===3.4.0/' /src/upper-constraints.txt && \ - sed -i 's/pyOpenSSL===22.0.0/pyOpenSSL===24.0.0/' /src/upper-constraints.txt && \ - sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===24.0.0/' 
/src/upper-constraints.txt && \ - sed -i 's/requests===2.28.1/requests===2.31.0/' /src/upper-constraints.txt && \ - sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \ - sed -i 's/sqlparse===0.4.2/sqlparse===0.4.4/' /src/upper-constraints.txt && \ - sed -i 's/urllib3===1.26.12/urllib3===1.26.18/' /src/upper-constraints.txt && \ - sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \ - sed -i 's/Werkzeug===2.2.3/Werkzeug===2.3.8/' /src/upper-constraints.txt && \ - sed -i '/glance-store/d' /src/upper-constraints.txt && \ - sed -i '/horizon/d' /src/upper-constraints.txt - SAVE ARTIFACT /src/upper-constraints.txt - -builder: - ARG RELEASE - FROM ../cloud-archive-base+image --RELEASE=${RELEASE} - DO ../+APT_INSTALL --PACKAGES "\ - build-essential \ - curl \ - git \ - libldap2-dev \ - libpcre3-dev \ - libsasl2-dev \ - libssl-dev \ - lsb-release \ - openssh-client \ - python3 \ - python3-dev \ - python3-pip \ - python3-venv" - RUN --mount type=cache,target=/root/.cache \ - python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack - COPY \ - (+requirements/upper-constraints.txt --RELEASE=${RELEASE}) \ - /upper-constraints.txt - DO +PIP_INSTALL --PACKAGES "cryptography pymysql python-binary-memcached python-memcached uwsgi" - -image: - ARG --required RELEASE - FROM ../cloud-archive-base+image --RELEASE=${RELEASE} - ENV PATH=/var/lib/openstack/bin:$PATH - ARG --required PROJECT - DO ../+CREATE_PROJECT_USER --PROJECT=${PROJECT} diff --git a/images/openstack-venv-builder/Dockerfile b/images/openstack-venv-builder/Dockerfile new file mode 100644 index 000000000..2b154cf4d --- /dev/null +++ b/images/openstack-venv-builder/Dockerfile 
@@ -0,0 +1,62 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/ubuntu-cloud-archive:zed AS requirements +ADD https://releases.openstack.org/constraints/upper/zed /upper-constraints.txt +RUN < 23.0.1.dev6 therefore -# we ignore those old CVEs. -CVE-2012-3542 -CVE-2012-4413 -CVE-2013-2256 -CVE-2013-4179 -CVE-2014-3517 -CVE-2014-3608 -CVE-2014-3641 -CVE-2014-3708 -CVE-2015-0259 -CVE-2015-3221 -CVE-2015-3280 -CVE-2015-5251 -CVE-2015-5286 -CVE-2015-7713 diff --git a/images/trivy/Earthfile b/images/trivy/Earthfile deleted file mode 100644 index 8f6862546..000000000 --- a/images/trivy/Earthfile +++ /dev/null @@ -1,8 +0,0 @@ -VERSION 0.7 - -image: - FROM aquasec/trivy:0.48.3 - COPY .trivyignore /.trivyignore - # TODO(mnaser): Add automatic updates - RUN trivy image --download-db-only - RUN trivy image --download-java-db-only diff --git a/images/ubuntu-cloud-archive/Dockerfile b/images/ubuntu-cloud-archive/Dockerfile new file mode 100644 index 000000000..43d3a1a47 --- /dev/null +++ b/images/ubuntu-cloud-archive/Dockerfile 
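Review bot: `ADD https://releases.openstack.org/constraints/upper/zed /upper-constraints.txt` in the `requirements` stage fetches a file whose content changes over time, with no integrity check beyond TLS. It is presumably used as the pip constraints file, as in the removed Earthfile, so a changed or tampered copy would flow into every service venv unnoticed and builds are not reproducible. Consider pinning it, either with `ADD --checksum=sha256:<digest-of-reviewed-file> https://releases.openstack.org/constraints/upper/zed /upper-constraints.txt` or by fetching the requirements repository at a fixed commit, as the octavia image does for its source. The heredoc that follows this line is not legible on this page, so any post-processing of the file is not covered here.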
@@ -0,0 +1,19 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/ubuntu:zed +COPY trusted.gpg.d/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg +COPY < str: + response = requests.get( + f"https://opendev.org/api/v1/repos/openstack/{project}/commits", + params={"sha": branch, "limit": 1}, + ) + response.raise_for_status() + + return response.json()[0]["sha"] + + +def main(): + tmpl = jinja2.Template(TEMPLATE) + + for project in OPENSTACK_PROJECTS: + branch = BRANCH + if project == "tempest": + branch = "master" + + print( + tmpl.render( + { + "project": project, + "branch": branch, + "git_ref": get_latest_commit(project, branch), + } + ) + ) + + +if __name__ == "__main__": + main() diff --git a/zuul.d/container-images/barbican.yaml b/zuul.d/container-images/barbican.yaml new file mode 100644 index 000000000..15c371c40 --- /dev/null +++ b/zuul.d/container-images/barbican.yaml 
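Review bot: `COPY trusted.gpg.d/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg` installs the cloud-archive key into the global apt trust store, so it is accepted for every configured repository, not only the cloud archive. Scoping it is the usual hardening: copy the keyring to `/usr/share/keyrings/ubuntu-cloud-keyring.gpg` and add `[signed-by=/usr/share/keyrings/ubuntu-cloud-keyring.gpg]` to the `deb` entry. The sources-list heredoc that follows is not legible on this page, so the entry itself needs to be checked there. A comment next to the `COPY` recording where the vendored key came from and its fingerprint would make it auditable.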
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-barbican + gate: + jobs: + - atmosphere-upload-container-image-barbican + promote: + jobs: + - atmosphere-promote-container-image-barbican + +- job: + name: atmosphere-build-container-image-barbican + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-barbican + container_images: + - context: images/barbican + repository: registry.atmosphere.dev/library/barbican + arch: + - linux/amd64 + build_args: + - PROJECT=barbican + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/barbican/.* + +- job: + name: atmosphere-upload-container-image-barbican + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-barbican + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/base.yaml b/zuul.d/container-images/base.yaml new file mode 100644 index 000000000..6e33526a9 --- /dev/null +++ b/zuul.d/container-images/base.yaml 
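Review bot: The `files` matcher (`&container_image_files`) and the `dependencies` lists cover `images/openstack-python-runtime/.*` but not `images/openstack-runtime/.*`, which this commit adds with the `ONBUILD` user-creation steps. If the barbican image derives from that base (not visible in this hunk), a change to `images/openstack-runtime/Dockerfile` would not trigger `atmosphere-build-container-image-barbican`, and the published image would keep the old base until something else changes. Adding `- images/openstack-runtime/.*` to the list would close that gap. The same list appears in the cinder, designate, glance, heat and horizon job files.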
@@ -0,0 +1,65 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-buildset-registry
+ gate:
+ jobs:
+ - atmosphere-buildset-registry
+
+- job:
+ name: atmosphere-buildset-registry
+ parent: ci-buildset-registry
+
+- job:
+ name: atmosphere-build-container-image
+ parent: ci-build-container-image
+ abstract: true
+ dependencies:
+ - name: atmosphere-buildset-registry
+ soft: false
+ vars: &image_vars
+ container_command: docker
+ promote_container_image_method: intermediate-registry
+ buildset_registry_namespaces:
+ - ['docker.io', 'https://registry-1.docker.io']
+ - ['quay.io', 'https://quay.io']
+ - ['gcr.io', 'https://gcr.io']
+ - ['registry.atmosphere.dev', 'https://registry.atmosphere.dev']
+
+- job:
+ name: atmosphere-upload-container-image
+ parent: ci-upload-container-image
+ abstract: true
+ dependencies:
+ - name: atmosphere-buildset-registry
+ soft: false
+ secrets:
+ name: container_registry_credentials
+ secret: atmosphere-registry-credentials
+ pass-to-parent: true
+ vars: *image_vars
+
+- job:
+ name: atmosphere-promote-container-image
+ parent: ci-promote-container-image
+ secrets:
+ name: container_registry_credentials
+ secret: atmosphere-registry-credentials
+ pass-to-parent: true
+ nodeset:
+ nodes: []
+ vars: *image_vars
diff --git a/zuul.d/container-images/cinder.yaml b/zuul.d/container-images/cinder.yaml
new file mode 100644
index 000000000..3878407f6
--- /dev/null
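Review bot: `atmosphere-promote-container-image` is the only one of the three base jobs without `abstract: true`, although it carries the `atmosphere-registry-credentials` secret with `pass-to-parent: true`. Marking it abstract like `atmosphere-build-container-image` and `atmosphere-upload-container-image` keeps it from being run directly and makes the three definitions consistent: add `abstract: true` under its `parent:` line. A short comment on why the secret must be passed to the parent job would help the next reader judge which playbooks can see the registry credentials.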
+++ b/zuul.d/container-images/cinder.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-cinder + gate: + jobs: + - atmosphere-upload-container-image-cinder + promote: + jobs: + - atmosphere-promote-container-image-cinder + +- job: + name: atmosphere-build-container-image-cinder + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-cinder + container_images: + - context: images/cinder + repository: registry.atmosphere.dev/library/cinder + arch: + - linux/amd64 + build_args: + - PROJECT=cinder + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/cinder/.* + +- job: + name: atmosphere-upload-container-image-cinder + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-cinder + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/cluster-api-provider-openstack.yaml b/zuul.d/container-images/cluster-api-provider-openstack.yaml new file mode 100644 index 000000000..5788c886f --- /dev/null +++ b/zuul.d/container-images/cluster-api-provider-openstack.yaml 
@@ -0,0 +1,51 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-cluster-api-provider-openstack
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-cluster-api-provider-openstack
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-cluster-api-provider-openstack
+
+- job:
+ name: atmosphere-build-container-image-cluster-api-provider-openstack
+ parent: atmosphere-build-container-image
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-cluster-api-provider-openstack
+ container_images:
+ - context: images/cluster-api-provider-openstack
+ repository: registry.atmosphere.dev/library/capi-openstack-controller
+ arch:
+ - linux/amd64
+ tags:
+ - zed
+ files: &container_image_files
+ - images/cluster-api-provider-openstack/.*
+
+- job:
+ name: atmosphere-upload-container-image-cluster-api-provider-openstack
+ parent: atmosphere-upload-container-image
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-cluster-api-provider-openstack
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/container-images/designate.yaml b/zuul.d/container-images/designate.yaml
new file mode 100644
index 000000000..eeb2fd199
--- /dev/null
+++ b/zuul.d/container-images/designate.yaml
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-designate + gate: + jobs: + - atmosphere-upload-container-image-designate + promote: + jobs: + - atmosphere-promote-container-image-designate + +- job: + name: atmosphere-build-container-image-designate + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-designate + container_images: + - context: images/designate + repository: registry.atmosphere.dev/library/designate + arch: + - linux/amd64 + build_args: + - PROJECT=designate + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/designate/.* + +- job: + name: atmosphere-upload-container-image-designate + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - 
name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-designate + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/glance.yaml b/zuul.d/container-images/glance.yaml new file mode 100644 index 000000000..e2ec62c7e --- /dev/null +++ b/zuul.d/container-images/glance.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-glance + gate: + jobs: + - atmosphere-upload-container-image-glance + promote: + jobs: + - atmosphere-promote-container-image-glance + +- job: + name: atmosphere-build-container-image-glance + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-glance + container_images: + - context: images/glance + repository: registry.atmosphere.dev/library/glance + arch: + - linux/amd64 + build_args: + - PROJECT=glance + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/glance/.* + +- job: + name: atmosphere-upload-container-image-glance + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-glance + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/heat.yaml b/zuul.d/container-images/heat.yaml new file mode 100644 index 000000000..549035691 --- /dev/null +++ b/zuul.d/container-images/heat.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-heat + gate: + jobs: + - atmosphere-upload-container-image-heat + promote: + jobs: + - atmosphere-promote-container-image-heat + +- job: + name: atmosphere-build-container-image-heat + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-heat + container_images: + - context: images/heat + repository: registry.atmosphere.dev/library/heat + arch: + - linux/amd64 + build_args: + - PROJECT=heat + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/heat/.* + +- job: + name: atmosphere-upload-container-image-heat + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-heat + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/horizon.yaml b/zuul.d/container-images/horizon.yaml new file mode 100644 index 000000000..096d510cd --- /dev/null +++ b/zuul.d/container-images/horizon.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-horizon + gate: + jobs: + - atmosphere-upload-container-image-horizon + promote: + jobs: + - atmosphere-promote-container-image-horizon + +- job: + name: atmosphere-build-container-image-horizon + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-horizon + container_images: + - context: images/horizon + repository: registry.atmosphere.dev/library/horizon + arch: + - linux/amd64 + build_args: + - PROJECT=horizon + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/horizon/.* + +- job: + name: atmosphere-upload-container-image-horizon + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-horizon + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/ironic.yaml b/zuul.d/container-images/ironic.yaml new file mode 100644 index 000000000..872780787 --- /dev/null +++ b/zuul.d/container-images/ironic.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-ironic + gate: + jobs: + - atmosphere-upload-container-image-ironic + promote: + jobs: + - atmosphere-promote-container-image-ironic + +- job: + name: atmosphere-build-container-image-ironic + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-ironic + container_images: + - context: images/ironic + repository: registry.atmosphere.dev/library/ironic + arch: + - linux/amd64 + build_args: + - PROJECT=ironic + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/ironic/.* + +- job: + name: atmosphere-upload-container-image-ironic + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-ironic + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/keystone.yaml b/zuul.d/container-images/keystone.yaml new file mode 100644 index 000000000..2c832231a --- /dev/null +++ b/zuul.d/container-images/keystone.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-keystone + gate: + jobs: + - atmosphere-upload-container-image-keystone + promote: + jobs: + - atmosphere-promote-container-image-keystone + +- job: + name: atmosphere-build-container-image-keystone + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-keystone + container_images: + - context: images/keystone + repository: registry.atmosphere.dev/library/keystone + arch: + - linux/amd64 + build_args: + - PROJECT=keystone + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/keystone/.* + +- job: + name: atmosphere-upload-container-image-keystone + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-keystone + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/kubernetes-entrypoint.yaml b/zuul.d/container-images/kubernetes-entrypoint.yaml new file mode 100644 index 000000000..40ec23a63 --- /dev/null +++ b/zuul.d/container-images/kubernetes-entrypoint.yaml 
@@ -0,0 +1,51 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-kubernetes-entrypoint + gate: + jobs: + - atmosphere-upload-container-image-kubernetes-entrypoint + promote: + jobs: + - atmosphere-promote-container-image-kubernetes-entrypoint + +- job: + name: atmosphere-build-container-image-kubernetes-entrypoint + parent: atmosphere-build-container-image + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-kubernetes-entrypoint + container_images: + - context: images/kubernetes-entrypoint + repository: registry.atmosphere.dev/library/kubernetes-entrypoint + arch: + - linux/amd64 + tags: + - zed + files: &container_image_files + - images/kubernetes-entrypoint/.* + +- job: + name: atmosphere-upload-container-image-kubernetes-entrypoint + parent: atmosphere-upload-container-image + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-kubernetes-entrypoint + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/libvirt-tls-sidecar.yaml b/zuul.d/container-images/libvirt-tls-sidecar.yaml new file mode 100644 index 000000000..a3e475762 --- /dev/null +++ b/zuul.d/container-images/libvirt-tls-sidecar.yaml 
@@ -0,0 +1,56 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-libvirt-tls-sidecar + gate: + jobs: + - atmosphere-upload-container-image-libvirt-tls-sidecar + promote: + jobs: + - atmosphere-promote-container-image-libvirt-tls-sidecar + +- job: + name: atmosphere-build-container-image-libvirt-tls-sidecar + parent: atmosphere-build-container-image + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-libvirt-tls-sidecar + container_images: + - context: . + target: libvirt-tls-sidecar + repository: registry.atmosphere.dev/library/libvirt-tls-sidecar + arch: + - linux/amd64 + tags: + - zed + files: &container_image_files + - go.mod + - go.sum + - cmd/.* + - internal/.* + - Dockerfile + +- job: + name: atmosphere-upload-container-image-libvirt-tls-sidecar + parent: atmosphere-upload-container-image + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-libvirt-tls-sidecar + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/libvirtd.yaml b/zuul.d/container-images/libvirtd.yaml new file mode 100644 index 000000000..6bd666875 --- /dev/null +++ b/zuul.d/container-images/libvirtd.yaml 
@@ -0,0 +1,69 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-libvirtd + gate: + jobs: + - atmosphere-upload-container-image-libvirtd + promote: + jobs: + - atmosphere-promote-container-image-libvirtd + +- job: + name: atmosphere-build-container-image-libvirtd + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-openstack-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-libvirtd + container_images: + - context: images/openstack-runtime + repository: registry.atmosphere.dev/library/libvirtd + arch: + - linux/amd64 + build_args: + - PROJECT=nova + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/openstack-runtime/.* + +- job: + name: atmosphere-upload-container-image-libvirtd + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-openstack-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: 
atmosphere-promote-container-image-libvirtd + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/magnum.yaml b/zuul.d/container-images/magnum.yaml new file mode 100644 index 000000000..96eb257a3 --- /dev/null +++ b/zuul.d/container-images/magnum.yaml 
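Review bot: The `container_images` entry publishes to `registry.atmosphere.dev/library/libvirtd` but builds from `context: images/openstack-runtime` with `build_args: - PROJECT=nova`, and the `files` matcher lists no libvirtd-specific path. The nova-ssh.yaml hunk later in this commit uses the same context, the same build argument and the same tag, so as written the two repositories receive the same build as each other. If libvirtd has its own build directory, the entry should presumably read `- context: images/libvirtd` with `- images/libvirtd/.*` added to `files`, and likewise for nova-ssh. This looks like a leftover from the template, and a wrongly sourced image under a hypervisor or SSH image name is worth catching before it is promoted. If the shared context is intentional, a one-line comment saying what distinguishes the images would help.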
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-magnum + gate: + jobs: + - atmosphere-upload-container-image-magnum + promote: + jobs: + - atmosphere-promote-container-image-magnum + +- job: + name: atmosphere-build-container-image-magnum + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-magnum + container_images: + - context: images/magnum + repository: registry.atmosphere.dev/library/magnum + arch: + - linux/amd64 + build_args: + - PROJECT=magnum + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/magnum/.* + +- job: + name: atmosphere-upload-container-image-magnum + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-magnum + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/manila.yaml b/zuul.d/container-images/manila.yaml new file mode 100644 index 000000000..11bca9364 --- /dev/null +++ b/zuul.d/container-images/manila.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-manila + gate: + jobs: + - atmosphere-upload-container-image-manila + promote: + jobs: + - atmosphere-promote-container-image-manila + +- job: + name: atmosphere-build-container-image-manila + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-manila + container_images: + - context: images/manila + repository: registry.atmosphere.dev/library/manila + arch: + - linux/amd64 + build_args: + - PROJECT=manila + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/manila/.* + +- job: + name: atmosphere-upload-container-image-manila + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-manila + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/netoffload.yaml b/zuul.d/container-images/netoffload.yaml new file mode 100644 index 000000000..0d8fde1c2 --- /dev/null +++ b/zuul.d/container-images/netoffload.yaml 
@@ -0,0 +1,51 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-netoffload + gate: + jobs: + - atmosphere-upload-container-image-netoffload + promote: + jobs: + - atmosphere-promote-container-image-netoffload + +- job: + name: atmosphere-build-container-image-netoffload + parent: atmosphere-build-container-image + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-netoffload + container_images: + - context: images/netoffload + repository: registry.atmosphere.dev/library/netoffload + arch: + - linux/amd64 + tags: + - zed + files: &container_image_files + - images/netoffload/.* + +- job: + name: atmosphere-upload-container-image-netoffload + parent: atmosphere-upload-container-image + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-netoffload + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/neutron.yaml b/zuul.d/container-images/neutron.yaml new file mode 100644 index 000000000..2c46f2adb --- /dev/null +++ b/zuul.d/container-images/neutron.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-neutron + gate: + jobs: + - atmosphere-upload-container-image-neutron + promote: + jobs: + - atmosphere-promote-container-image-neutron + +- job: + name: atmosphere-build-container-image-neutron + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-neutron + container_images: + - context: images/neutron + repository: registry.atmosphere.dev/library/neutron + arch: + - linux/amd64 + build_args: + - PROJECT=neutron + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/neutron/.* + +- job: + name: atmosphere-upload-container-image-neutron + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-neutron + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/nova-ssh.yaml b/zuul.d/container-images/nova-ssh.yaml new file mode 100644 index 000000000..e1583b849 --- /dev/null +++ b/zuul.d/container-images/nova-ssh.yaml 
@@ -0,0 +1,69 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-nova-ssh + gate: + jobs: + - atmosphere-upload-container-image-nova-ssh + promote: + jobs: + - atmosphere-promote-container-image-nova-ssh + +- job: + name: atmosphere-build-container-image-nova-ssh + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-openstack-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-nova-ssh + container_images: + - context: images/openstack-runtime + repository: registry.atmosphere.dev/library/nova-ssh + arch: + - linux/amd64 + build_args: + - PROJECT=nova + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/openstack-runtime/.* + +- job: + name: atmosphere-upload-container-image-nova-ssh + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-openstack-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: 
atmosphere-promote-container-image-nova-ssh + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/nova.yaml b/zuul.d/container-images/nova.yaml new file mode 100644 index 000000000..b78c251d8 --- /dev/null +++ b/zuul.d/container-images/nova.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-nova + gate: + jobs: + - atmosphere-upload-container-image-nova + promote: + jobs: + - atmosphere-promote-container-image-nova + +- job: + name: atmosphere-build-container-image-nova + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-nova + container_images: + - context: images/nova + repository: registry.atmosphere.dev/library/nova + arch: + - linux/amd64 + build_args: + - PROJECT=nova + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/nova/.* + +- job: + name: atmosphere-upload-container-image-nova + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-nova + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/octavia.yaml b/zuul.d/container-images/octavia.yaml new file mode 100644 index 000000000..1fc3a46bf --- /dev/null +++ b/zuul.d/container-images/octavia.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-octavia + gate: + jobs: + - atmosphere-upload-container-image-octavia + promote: + jobs: + - atmosphere-promote-container-image-octavia + +- job: + name: atmosphere-build-container-image-octavia + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-octavia + container_images: + - context: images/octavia + repository: registry.atmosphere.dev/library/octavia + arch: + - linux/amd64 + build_args: + - PROJECT=octavia + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/octavia/.* + +- job: + name: atmosphere-upload-container-image-octavia + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-octavia + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/openstack-python-runtime.yaml b/zuul.d/container-images/openstack-python-runtime.yaml new file mode 100644 index 000000000..efb1efa3e --- /dev/null +++ b/zuul.d/container-images/openstack-python-runtime.yaml 
@@ -0,0 +1,70 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-openstack-python-runtime + gate: + jobs: + - atmosphere-upload-container-image-openstack-python-runtime + promote: + jobs: + - atmosphere-promote-container-image-openstack-python-runtime + +- job: + name: atmosphere-build-container-image-openstack-python-runtime + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-openstack-python-runtime + container_images: + - context: images/openstack-runtime + repository: registry.atmosphere.dev/library/openstack-python-runtime + arch: + - linux/amd64 + build_args: + - FROM=registry.atmosphere.dev/library/python-base:zed + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-runtime/.* + +- job: + name: atmosphere-upload-container-image-openstack-python-runtime + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - 
name: atmosphere-upload-container-image-python-base + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-openstack-python-runtime + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/openstack-runtime.yaml b/zuul.d/container-images/openstack-runtime.yaml new file mode 100644 index 000000000..379074ae6 --- /dev/null +++ b/zuul.d/container-images/openstack-runtime.yaml 
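Review bot: The build job for `openstack-python-runtime` sets `context: images/openstack-runtime` and matches `images/openstack-runtime/.*`, while the dependent jobs in octavia.yaml, placement.yaml, senlin.yaml, staffeln.yaml and tempest.yaml list `images/openstack-python-runtime/.*` in their `files` matcher. If no `images/openstack-python-runtime` directory exists (not visible in this diff), a change to the runtime Dockerfile would rebuild this image without triggering the service images built on top of it. Either point those matchers at `images/openstack-runtime/.*`, or add a comment here explaining the shared context, e.g. `# built from images/openstack-runtime with FROM overridden to python-base`. The `FROM=registry.atmosphere.dev/library/python-base:zed` build arg also resolves a mutable tag, so it is worth confirming that check and gate builds take it from the buildset registry rather than the published image.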
@@ -0,0 +1,63 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-openstack-runtime + gate: + jobs: + - atmosphere-upload-container-image-openstack-runtime + promote: + jobs: + - atmosphere-promote-container-image-openstack-runtime + +- job: + name: atmosphere-build-container-image-openstack-runtime + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-openstack-runtime + container_images: + - context: images/openstack-runtime + repository: registry.atmosphere.dev/library/openstack-runtime + arch: + - linux/amd64 + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/openstack-runtime/.* + +- job: + name: atmosphere-upload-container-image-openstack-runtime + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-openstack-runtime + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: 
*container_image_files diff --git a/zuul.d/container-images/openstack-venv-builder.yaml b/zuul.d/container-images/openstack-venv-builder.yaml new file mode 100644 index 000000000..376d68e38 --- /dev/null +++ b/zuul.d/container-images/openstack-venv-builder.yaml 
@@ -0,0 +1,68 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-openstack-venv-builder + gate: + jobs: + - atmosphere-upload-container-image-openstack-venv-builder + promote: + jobs: + - atmosphere-promote-container-image-openstack-venv-builder + +- job: + name: atmosphere-build-container-image-openstack-venv-builder + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-openstack-venv-builder + container_images: + - context: images/openstack-venv-builder + repository: registry.atmosphere.dev/library/openstack-venv-builder + arch: + - linux/amd64 + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + +- job: + name: atmosphere-upload-container-image-openstack-venv-builder + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + vars: 
*container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-openstack-venv-builder + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/openvswitch.yaml b/zuul.d/container-images/openvswitch.yaml new file mode 100644 index 000000000..29383813f --- /dev/null +++ b/zuul.d/container-images/openvswitch.yaml 
@@ -0,0 +1,51 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-openvswitch
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-openvswitch
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-openvswitch
+
+- job:
+ name: atmosphere-build-container-image-openvswitch
+ parent: atmosphere-build-container-image
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-openvswitch
+ container_images:
+ - context: images/openvswitch
+ repository: registry.atmosphere.dev/library/openvswitch
+ arch:
+ - linux/amd64
+ tags:
+ - zed
+ files: &container_image_files
+ - images/openvswitch/.*
+
+- job:
+ name: atmosphere-upload-container-image-openvswitch
+ parent: atmosphere-upload-container-image
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-openvswitch
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/container-images/ovn.yaml b/zuul.d/container-images/ovn.yaml
new file mode 100644
index 000000000..6650af8a8
--- /dev/null
+++ b/zuul.d/container-images/ovn.yaml
@@ -0,0 +1,68 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-ovn
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-ovn
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-ovn
+
+- job:
+ name: atmosphere-build-container-image-ovn
+ parent: atmosphere-build-container-image
+ dependencies:
+ - name: atmosphere-build-container-image-openvswitch
+ soft: true
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-ovn
+ container_images:
+ - context: images/ovn
+ repository: registry.atmosphere.dev/library/ovn-central
+ arch:
+ - linux/amd64
+ build_args:
+ - OVN_COMPONENT=central
+ tags:
+ - zed
+ - context: images/ovn
+ repository: registry.atmosphere.dev/library/ovn-host
+ arch:
+ - linux/amd64
+ build_args:
+ - OVN_COMPONENT=host
+ tags:
+ - zed
+ files: &container_image_files
+ - images/openvswitch/.*
+ - images/ovn/.*
+
+- job:
+ name: atmosphere-upload-container-image-ovn
+ parent: atmosphere-upload-container-image
+ dependencies:
+ - name: atmosphere-upload-container-image-openvswitch
+ soft: true
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-ovn
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/container-images/placement.yaml b/zuul.d/container-images/placement.yaml
new file mode 100644
index 000000000..f4fbd800b
--- /dev/null
+++ b/zuul.d/container-images/placement.yaml
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-placement + gate: + jobs: + - atmosphere-upload-container-image-placement + promote: + jobs: + - atmosphere-promote-container-image-placement + +- job: + name: atmosphere-build-container-image-placement + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-placement + container_images: + - context: images/placement + repository: registry.atmosphere.dev/library/placement + arch: + - linux/amd64 + build_args: + - PROJECT=placement + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/placement/.* + +- job: + name: atmosphere-upload-container-image-placement + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - 
name: atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-placement + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/python-base.yaml b/zuul.d/container-images/python-base.yaml new file mode 100644 index 000000000..22fef491f --- /dev/null +++ b/zuul.d/container-images/python-base.yaml 
@@ -0,0 +1,63 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-python-base
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-python-base
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-python-base
+
+- job:
+ name: atmosphere-build-container-image-python-base
+ parent: atmosphere-build-container-image
+ dependencies:
+ - name: atmosphere-build-container-image-ubuntu
+ soft: true
+ - name: atmosphere-build-container-image-ubuntu-cloud-archive
+ soft: true
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-python-base
+ container_images:
+ - context: images/python-base
+ repository: registry.atmosphere.dev/library/python-base
+ arch:
+ - linux/amd64
+ tags:
+ - zed
+ files: &container_image_files
+ - images/ubuntu/.*
+ - images/ubuntu-cloud-archive/.*
+ - images/python-base/.*
+
+- job:
+ name: atmosphere-upload-container-image-python-base
+ parent: atmosphere-upload-container-image
+ dependencies:
+ - name: atmosphere-upload-container-image-ubuntu
+ soft: true
+ - name: atmosphere-upload-container-image-ubuntu-cloud-archive
+ soft: true
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-python-base
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/container-images/senlin.yaml b/zuul.d/container-images/senlin.yaml
new file mode 100644
index 000000000..fb77c5d4c
--- /dev/null
+++ b/zuul.d/container-images/senlin.yaml
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-senlin + gate: + jobs: + - atmosphere-upload-container-image-senlin + promote: + jobs: + - atmosphere-promote-container-image-senlin + +- job: + name: atmosphere-build-container-image-senlin + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-senlin + container_images: + - context: images/senlin + repository: registry.atmosphere.dev/library/senlin + arch: + - linux/amd64 + build_args: + - PROJECT=senlin + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/senlin/.* + +- job: + name: atmosphere-upload-container-image-senlin + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-senlin + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/staffeln.yaml b/zuul.d/container-images/staffeln.yaml new file mode 100644 index 000000000..5cf8deedf --- /dev/null +++ b/zuul.d/container-images/staffeln.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-staffeln + gate: + jobs: + - atmosphere-upload-container-image-staffeln + promote: + jobs: + - atmosphere-promote-container-image-staffeln + +- job: + name: atmosphere-build-container-image-staffeln + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-staffeln + container_images: + - context: images/staffeln + repository: registry.atmosphere.dev/library/staffeln + arch: + - linux/amd64 + build_args: + - PROJECT=staffeln + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/staffeln/.* + +- job: + name: atmosphere-upload-container-image-staffeln + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-staffeln + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/tempest.yaml b/zuul.d/container-images/tempest.yaml new file mode 100644 index 000000000..86cf038e1 --- /dev/null +++ b/zuul.d/container-images/tempest.yaml 
@@ -0,0 +1,80 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-tempest + gate: + jobs: + - atmosphere-upload-container-image-tempest + promote: + jobs: + - atmosphere-promote-container-image-tempest + +- job: + name: atmosphere-build-container-image-tempest + parent: atmosphere-build-container-image + dependencies: + - name: atmosphere-build-container-image-ubuntu + soft: true + - name: atmosphere-build-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-build-container-image-python-base + soft: true + - name: atmosphere-build-container-image-openstack-venv-builder + soft: true + - name: atmosphere-build-container-image-openstack-python-runtime + soft: true + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-tempest + container_images: + - context: images/tempest + repository: registry.atmosphere.dev/library/tempest + arch: + - linux/amd64 + build_args: + - PROJECT=tempest + tags: + - zed + files: &container_image_files + - images/ubuntu/.* + - images/ubuntu-cloud-archive/.* + - images/python-base/.* + - images/openstack-venv-builder/.* + - images/openstack-python-runtime/.* + - images/tempest/.* + +- job: + name: atmosphere-upload-container-image-tempest + parent: atmosphere-upload-container-image + dependencies: + - name: atmosphere-upload-container-image-ubuntu + soft: true + - name: 
atmosphere-upload-container-image-ubuntu-cloud-archive + soft: true + - name: atmosphere-upload-container-image-python-base + soft: true + - name: atmosphere-upload-container-image-openstack-venv-builder + soft: true + - name: atmosphere-upload-container-image-openstack-python-runtime + soft: true + vars: *container_image_vars + files: *container_image_files + +- job: + name: atmosphere-promote-container-image-tempest + parent: atmosphere-promote-container-image + vars: *container_image_vars + files: *container_image_files diff --git a/zuul.d/container-images/ubuntu-cloud-archive.yaml b/zuul.d/container-images/ubuntu-cloud-archive.yaml new file mode 100644 index 000000000..fc10eab4d --- /dev/null +++ b/zuul.d/container-images/ubuntu-cloud-archive.yaml 
@@ -0,0 +1,58 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-ubuntu-cloud-archive
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-ubuntu-cloud-archive
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-ubuntu-cloud-archive
+
+- job:
+ name: atmosphere-build-container-image-ubuntu-cloud-archive
+ parent: atmosphere-build-container-image
+ dependencies:
+ - name: atmosphere-build-container-image-ubuntu
+ soft: true
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-ubuntu-cloud-archive
+ container_images:
+ - context: images/ubuntu-cloud-archive
+ repository: registry.atmosphere.dev/library/ubuntu-cloud-archive
+ arch:
+ - linux/amd64
+ tags:
+ - zed
+ files: &container_image_files
+ - images/ubuntu/.*
+ - images/ubuntu-cloud-archive/.*
+
+- job:
+ name: atmosphere-upload-container-image-ubuntu-cloud-archive
+ parent: atmosphere-upload-container-image
+ dependencies:
+ - name: atmosphere-upload-container-image-ubuntu
+ soft: true
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-ubuntu-cloud-archive
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/container-images/ubuntu.yaml b/zuul.d/container-images/ubuntu.yaml
new file mode 100644
index 000000000..466079ad3
--- /dev/null
+++ b/zuul.d/container-images/ubuntu.yaml
@@ -0,0 +1,51 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- project:
+ check:
+ jobs:
+ - atmosphere-build-container-image-ubuntu
+ gate:
+ jobs:
+ - atmosphere-upload-container-image-ubuntu
+ promote:
+ jobs:
+ - atmosphere-promote-container-image-ubuntu
+
+- job:
+ name: atmosphere-build-container-image-ubuntu
+ parent: atmosphere-build-container-image
+ vars: &container_image_vars
+ promote_container_image_job: atmosphere-upload-container-image-ubuntu
+ container_images:
+ - context: images/ubuntu
+ repository: registry.atmosphere.dev/library/ubuntu
+ arch:
+ - linux/amd64
+ tags:
+ - zed
+ files: &container_image_files
+ - images/ubuntu/.*
+
+- job:
+ name: atmosphere-upload-container-image-ubuntu
+ parent: atmosphere-upload-container-image
+ vars: *container_image_vars
+ files: *container_image_files
+
+- job:
+ name: atmosphere-promote-container-image-ubuntu
+ parent: atmosphere-promote-container-image
+ vars: *container_image_vars
+ files: *container_image_files
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 9a3382883..53fbec658 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -12,20 +12,6 @@ # License for the specific language governing permissions and limitations # under the License. -- job: - name: atmosphere-buildset-registry - pre-run: zuul.d/playbooks/buildset-registry/pre.yml - run: zuul.d/playbooks/buildset-registry/run.yml - ansible-split-streams: true - -- job: - name: atmosphere-upload-images - parent: atmosphere-buildset-registry - run: zuul.d/playbooks/buildset-registry/run.yml - secrets: - - registry_credentials - - cosign_key - - job: name: atmosphere-molecule parent: tox @@ -33,8 +19,6 @@ pre-run: zuul.d/playbooks/molecule/pre.yml run: zuul.d/playbooks/molecule/run.yml post-run: zuul.d/playbooks/molecule/post.yml - dependencies: - - atmosphere-buildset-registry - job: name: atmosphere-molecule-keycloak diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml deleted file mode 100644 index 7f8118c21..000000000 --- a/zuul.d/playbooks/buildset-registry/run.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -# Copyright (c) 2024 VEXXHOST, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -- name: Build images - hosts: all - tasks: - # NOTE(mnaser): This can be removed once the following merges - # https://review.opendev.org/c/zuul/zuul-jobs/+/915025 - - name: Load "buildset_registry" fact - block: - - name: Check for results.json - stat: - path: "{{ zuul.executor.result_data_file }}" - register: result_json_stat - delegate_to: localhost - - name: Load information from zuul_return - no_log: true - set_fact: - buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}" - when: - - buildset_registry is not defined - - result_json_stat.stat.exists - - result_json_stat.stat.size > 0 - - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')" - - - name: Configure Buildkit certificates - when: buildset_registry is defined and buildset_registry.cert - become: true - block: - - name: Create a folder for the certificates - ansible.builtin.file: - path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}" - state: directory - - name: Copy the certificate - ansible.builtin.copy: - content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" - - name: Create a buildkitd.toml file - ansible.builtin.copy: - dest: /etc/buildkitd.toml - content: | - 
[registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"] - ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"] - - - name: Create builder - ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %} - - - name: Point registry to Atmosphere if in post pipeline - when: zuul.pipeline == 'post' - no_log: true - ansible.builtin.set_fact: - buildset_registry: - host: registry.atmosphere.dev - port: 443 - username: "{{ registry_credentials.username }}" - password: "{{ registry_credentials.password }}" - - - name: Log into registry - docker_login: - registry: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}" - username: "{{ buildset_registry.username }}" - password: "{{ buildset_registry.password }}" - - - name: Build images - ansible.builtin.shell: | - docker buildx bake --builder=atmosphere --provenance --sbom=true --push - args: - chdir: "{{ zuul.project.src_dir }}" - environment: - REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library" - PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}" - - - name: Get list of images built - ansible.builtin.shell: docker buildx bake --print - args: - chdir: "{{ zuul.project.src_dir }}" - environment: - REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library" - register: images_built_json - - - name: Set fact with list of images - set_fact: - images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}" - - - name: Sign images - when: zuul.pipeline == 'post' - block: - - name: Download cosign binary - become: true - ansible.builtin.get_url: - url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 - dest: /usr/local/bin/cosign - 
mode: 0755 - - - name: Determine the digest for the images - ansible.builtin.shell: | - cosign triangulate --type=digest {{ item }} - loop: "{{ images_built }}" - register: cosign_digest - - - name: Copy the cosign public key - copy: - content: "{{ cosign_key.public }}" - dest: cosign.pub - - - name: Verify which images are signed - ignore_errors: true - ansible.builtin.shell: | - cosign verify --key cosign.pub --output json {{ item }} - loop: "{{ cosign_digest.results | map(attribute='stdout') | list | unique }}" - register: cosign_verify - - - name: Copy the cosign private key - copy: - content: "{{ cosign_key.private }}" - dest: cosign.key - - - name: Sign images - ansible.builtin.shell: | - cosign sign -y --recursive --key cosign.key {{ item }} - loop: "{{ cosign_verify.results | selectattr('failed', 'equalto', true) | map(attribute='item') | list }}" - - - name: Delete the cosign private key - file: - path: cosign.key - state: absent - - - name: Return Zuul artifacts for images - zuul_return: - data: - zuul: - artifacts: - - name: "{{ item }}" - url: "docker://{{ item }}" - metadata: - type: container_image - repository: "{{ item.split(':')[0] }}" - tag: "{{ item.split(':')[1] }}" - loop: "{{ images_built }}" - -- name: Yield to other jobs - hosts: localhost - tasks: - - name: Pause the job - zuul_return: - data: - zuul: - pause: true diff --git a/zuul.d/playbooks/molecule/pre.yml b/zuul.d/playbooks/molecule/pre.yml index f9f221336..a4bc6922b 100644 --- a/zuul.d/playbooks/molecule/pre.yml +++ b/zuul.d/playbooks/molecule/pre.yml 
@@ -59,8 +59,15 @@ - name: Replace the registry in image manifest ansible.builtin.replace: path: "{{ zuul.project.src_dir }}/roles/defaults/vars/main.yml" - regexp: "registry.atmosphere.dev/library/([^@]*)@sha256:[a-fA-F0-9]{64}" - replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/library/\1' + regexp: "{{ repo }}:{{ tag }}" + replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ repo }}:{{ tag }}' + loop: "{{ zuul.artifacts | default([]) }}" + loop_control: + loop_var: zj_zuul_artifact + when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'" + vars: + repo: "{{ zj_zuul_artifact.metadata.repository }}" + tag: "{{ zj_zuul_artifact.metadata.tag }}" # TODO(mnaser): Drop this when we move to PBR - name: Add current folder to Git's safe directories diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 55e21fa8d..00acba138 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
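Review bot: The new `regexp: "{{ repo }}:{{ tag }}"` puts artifact metadata into a regular expression unescaped, so every `.` in the repository name matches any character and any other metacharacter in a repository or tag changes what is rewritten in `roles/defaults/vars/main.yml`. Escaping keeps the match literal: `regexp: "{{ (repo ~ ':' ~ tag) | regex_escape }}"`. The pattern is also unanchored and the replacement still contains `repo:tag`, so a second pass over the file would prefix the registry again; a comment stating that the task runs once per artifact would help. The removed pattern matched digest-pinned references (`@sha256:…`), so it is worth confirming the manifest now carries tags, since otherwise this task would change nothing and report no error.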
@@ -15,12 +15,125 @@ - project: check: jobs: - - atmosphere-buildset-registry - - atmosphere-molecule-aio-openvswitch - - atmosphere-molecule-aio-ovn - - atmosphere-molecule-csi-local-path-provisioner - - atmosphere-molecule-csi-rbd - - atmosphere-molecule-keycloak - post: + - atmosphere-molecule-aio-openvswitch: + dependencies: &molecule_check_dependencies + - name: atmosphere-build-container-image-barbican + soft: true + - name: atmosphere-build-container-image-cinder + soft: true + - name: atmosphere-build-container-image-cluster-api-provider-openstack + soft: true + - name: atmosphere-build-container-image-designate + soft: true + - name: atmosphere-build-container-image-glance + soft: true + - name: atmosphere-build-container-image-heat + soft: true + - name: atmosphere-build-container-image-horizon + soft: true + - name: atmosphere-build-container-image-ironic + soft: true + - name: atmosphere-build-container-image-keystone + soft: true + - name: atmosphere-build-container-image-kubernetes-entrypoint + soft: true + - name: atmosphere-build-container-image-libvirt-tls-sidecar + soft: true + - name: atmosphere-build-container-image-libvirtd + soft: true + - name: atmosphere-build-container-image-magnum + soft: true + - name: atmosphere-build-container-image-manila + soft: true + - name: atmosphere-build-container-image-netoffload + soft: true + - name: atmosphere-build-container-image-neutron + soft: true + - name: atmosphere-build-container-image-nova + soft: true + - name: atmosphere-build-container-image-nova-ssh + soft: true + - name: atmosphere-build-container-image-octavia + soft: true + - name: atmosphere-build-container-image-openvswitch + soft: true + - name: atmosphere-build-container-image-ovn + soft: true + - name: atmosphere-build-container-image-placement + soft: true + - name: atmosphere-build-container-image-senlin + soft: true + - name: atmosphere-build-container-image-staffeln + soft: true + - name: atmosphere-build-container-image-tempest + 
soft: true + - atmosphere-molecule-aio-ovn: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-csi-local-path-provisioner: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-csi-rbd: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-keycloak: + dependencies: *molecule_check_dependencies + gate: jobs: - - atmosphere-upload-images + - atmosphere-molecule-aio-openvswitch: + dependencies: &molecule_gate_dependencies + - name: atmosphere-upload-container-image-barbican + soft: true + - name: atmosphere-upload-container-image-cinder + soft: true + - name: atmosphere-upload-container-image-cluster-api-provider-openstack + soft: true + - name: atmosphere-upload-container-image-designate + soft: true + - name: atmosphere-upload-container-image-glance + soft: true + - name: atmosphere-upload-container-image-heat + soft: true + - name: atmosphere-upload-container-image-horizon + soft: true + - name: atmosphere-upload-container-image-ironic + soft: true + - name: atmosphere-upload-container-image-keystone + soft: true + - name: atmosphere-upload-container-image-kubernetes-entrypoint + soft: true + - name: atmosphere-upload-container-image-libvirt-tls-sidecar + soft: true + - name: atmosphere-upload-container-image-libvirtd + soft: true + - name: atmosphere-upload-container-image-magnum + soft: true + - name: atmosphere-upload-container-image-manila + soft: true + - name: atmosphere-upload-container-image-netoffload + soft: true + - name: atmosphere-upload-container-image-neutron + soft: true + - name: atmosphere-upload-container-image-nova + soft: true + - name: atmosphere-upload-container-image-nova-ssh + soft: true + - name: atmosphere-upload-container-image-octavia + soft: true + - name: atmosphere-upload-container-image-openvswitch + soft: true + - name: atmosphere-upload-container-image-ovn + soft: true + - name: atmosphere-upload-container-image-placement + soft: true + - name: 
atmosphere-upload-container-image-senlin + soft: true + - name: atmosphere-upload-container-image-staffeln + soft: true + - name: atmosphere-upload-container-image-tempest + soft: true + - atmosphere-molecule-aio-ovn: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-csi-local-path-provisioner: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-csi-rbd: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-keycloak: + dependencies: *molecule_gate_dependencies diff --git a/zuul.d/secrets.yaml b/zuul.d/secrets.yaml index 9cbc36264..5208efbb5 100644 --- a/zuul.d/secrets.yaml +++ b/zuul.d/secrets.yaml 
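Review bot: Every entry under `&molecule_check_dependencies` and `&molecule_gate_dependencies` is `soft: true`, so an image job that is missing from the list or does not run will not hold back the molecule jobs, which would then test whatever image the manifest already references rather than one built from the change. The two 25-entry lists differ only in `build` versus `upload` and must be kept in step by hand with the image job definitions, which are outside this hunk. If skipping unchanged images is the intent, a comment above each anchor would record it, for example `# soft: image jobs may be skipped when their files are untouched; keep in sync with the gate/check list`. The hunk also drops the `post` pipeline, and the playbook deleted earlier in this commit ran `cosign sign` only when `zuul.pipeline == 'post'`; whether the new upload jobs still sign is not visible here and should be confirmed.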
@@ -13,20 +13,21 @@ # under the License. - secret: - name: registry_credentials + name: atmosphere-registry-credentials data: - username: robot$zuul - password: !encrypted/pkcs1-oaep - - OOykjodZE21qsYYLpzplp+PV0QbsKQ1B3+kI7bY97VQI/d5RlewqlNABc10eQnyYFSDvq - z2gSigSHxaVcV5qKJLTNVDgzSBHBj349OaTh6dXsxplvoArehfYMMZGuNmFlucoeN8K6w - yLRViN7tCS39CAYdjeNX1X7mQ7gBC61jUQ++JB+R5MhXmALJxzPfQRl9jsYmjx9ZXjEwE - tjKLSyQifQU20eXbhZOUW2nr+ItTikS3AOSo6Ja6jCI1c9lj6mJtUOorGsuxfdhEigPws - Qnz539imGcyqySSxvbJvgoEYxhE3dHFV5cJkomoHHHwLH0wbjAgBQtCMX3CvpxNX8sBfJ - MxvUkxY8VWt3CtJkdq+/eaCovCRn6GN5enI5tlUJgpAyV+PO6PvkTan6yC8lHMM5pD4jX - Hdo6gt6m9WyA5VxUHdoYYMaDO/rvCxxrUevzPn8do5I96madr9S9lFARqw74mgXG5I6pZ - M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p - k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X - o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI= + registry.atmosphere.dev: + username: robot$zuul + password: !encrypted/pkcs1-oaep + - OOykjodZE21qsYYLpzplp+PV0QbsKQ1B3+kI7bY97VQI/d5RlewqlNABc10eQnyYFSDvq + z2gSigSHxaVcV5qKJLTNVDgzSBHBj349OaTh6dXsxplvoArehfYMMZGuNmFlucoeN8K6w + yLRViN7tCS39CAYdjeNX1X7mQ7gBC61jUQ++JB+R5MhXmALJxzPfQRl9jsYmjx9ZXjEwE + tjKLSyQifQU20eXbhZOUW2nr+ItTikS3AOSo6Ja6jCI1c9lj6mJtUOorGsuxfdhEigPws + Qnz539imGcyqySSxvbJvgoEYxhE3dHFV5cJkomoHHHwLH0wbjAgBQtCMX3CvpxNX8sBfJ + MxvUkxY8VWt3CtJkdq+/eaCovCRn6GN5enI5tlUJgpAyV+PO6PvkTan6yC8lHMM5pD4jX + Hdo6gt6m9WyA5VxUHdoYYMaDO/rvCxxrUevzPn8do5I96madr9S9lFARqw74mgXG5I6pZ + M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p + k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X + o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI= - secret: name: cosign_key
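Review bot: The secret is renamed to `atmosphere-registry-credentials`, which is not a valid Ansible variable name because of the hyphens, so any job that uses it has to map it explicitly, for example `- name: container_registry_credentials` with `secret: atmosphere-registry-credentials`; the job definitions are outside this hunk. The payload also moves one level down under `registry.atmosphere.dev:`, so a consumer still reading `username`/`password` at the top level would get undefined values. The ciphertext appears identical to the removed lines, so the same `robot$zuul` credential is carried over and nothing is rotated by this change.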