diff --git a/Dockerfile b/Dockerfile index 9c8e06b7d..4b74bee9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,161 +1,27 @@ -FROM ubuntu:jammy-20240227 AS ubuntu -LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - -FROM ubuntu AS helm -ARG TARGETOS -ARG TARGETARCH -ARG HELM_VERSION=3.14.0 -ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz -RUN tar -xzf /helm.tar.gz -RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm - -FROM ubuntu AS ubuntu-cloud-archive -ADD --chmod=644 https://git.launchpad.net/ubuntu/+source/ubuntu-keyring/plain/keyrings/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg -ARG RELEASE -RUN < /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "zed" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.1" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.2" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "master" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list; \ - else \ - echo "${RELEASE} is not supported on \${VERSION_CODENAME}"; \ - exit 1; \ - fi; \ -else - echo "Unsupported release"; \ - exit 1; \ -fi -EOF - -FROM alpine/git AS requirements -ARG BRANCH -ADD https://opendev.org/openstack/requirements.git#${BRANCH} /src -RUN < requirements.txt 
@@ -114,10 +90,14 @@ build.collections:
 SAVE IMAGE --cache-hint
 
 image:
- ARG RELEASE=2023.1
- FROM ./images/cloud-archive-base+image --RELEASE ${RELEASE}
+ FROM ubuntu:jammy
 ENV ANSIBLE_PIPELINING=True
- DO ./images+APT_INSTALL --PACKAGES "rsync openssh-client"
+ RUN \
+ apt-get update -qq && \
+ apt-get install -qq -y --no-install-recommends \
+ rsync openssh-client && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
 COPY +build.venv.runtime/venv /venv
 ENV PATH=/venv/bin:$PATH
 COPY +build.collections/ /usr/share/ansible
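Review bot: `FROM ubuntu:jammy` is a floating tag, whereas the cloud-archive base it replaces was built from `ubuntu:jammy-20240227` (see the removed lines of the Dockerfile hunk above), so the ansible image is no longer reproducible from one build to the next; pin the date-stamped tag or a digest, e.g. `FROM ubuntu:jammy-20240227`. The inlined apt-get also drops the `DEBIAN_FRONTEND=noninteractive` that the removed `APT_INSTALL` function (images/Earthfile hunk below) set, so a package that prompts during install may stall the build instead of failing; `DEBIAN_FRONTEND=noninteractive apt-get install -qq -y --no-install-recommends rsync openssh-client` preserves the previous behaviour. The `rsync` and `openssh-client` versions were unpinned before as well, so that is not a regression, but hadolint DL3008 will still flag it.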
@@ -125,60 +105,6 @@ image:
 ARG REGISTRY=ghcr.io/vexxhost/atmosphere
 SAVE IMAGE --push ${REGISTRY}:${tag}
 
-images:
- ARG REGISTRY=ghcr.io/vexxhost/atmosphere
- BUILD +libvirt-tls-sidecar.image --REGISTRY=${REGISTRY}
- BUILD ./images/cinder+image --REGISTRY=${REGISTRY}
- BUILD ./images/cluster-api-provider-openstack+image --REGISTRY=${REGISTRY}
- BUILD ./images/designate+image --REGISTRY=${REGISTRY}
- BUILD ./images/glance+image --REGISTRY=${REGISTRY}
- BUILD ./images/heat+image --REGISTRY=${REGISTRY}
- BUILD ./images/horizon+image --REGISTRY=${REGISTRY}
- BUILD ./images/ironic+image --REGISTRY=${REGISTRY}
- BUILD ./images/keystone+image --REGISTRY=${REGISTRY}
- BUILD ./images/kubernetes-entrypoint+image --REGISTRY=${REGISTRY}
- BUILD ./images/libvirtd+image --REGISTRY=${REGISTRY}
- BUILD ./images/magnum+image --REGISTRY=${REGISTRY}
- BUILD ./images/manila+image --REGISTRY=${REGISTRY}
- BUILD ./images/netoffload+image --REGISTRY=${REGISTRY}
- BUILD ./images/neutron+image --REGISTRY=${REGISTRY}
- BUILD ./images/nova-ssh+image --REGISTRY=${REGISTRY}
- BUILD ./images/nova+image --REGISTRY=${REGISTRY}
- BUILD ./images/octavia+image --REGISTRY=${REGISTRY}
- BUILD ./images/openvswitch+image --REGISTRY=${REGISTRY}
- BUILD ./images/ovn+images --REGISTRY=${REGISTRY}
- BUILD ./images/placement+image --REGISTRY=${REGISTRY}
- BUILD ./images/senlin+image --REGISTRY=${REGISTRY}
- BUILD ./images/staffeln+image --REGISTRY=${REGISTRY}
- BUILD ./images/tempest+image --REGISTRY=${REGISTRY}
-
-SCAN_IMAGE:
- FUNCTION
- ARG --required IMAGE
- # TODO(mnaser): Include secret scanning when it's more reliable.
- RUN \
- trivy image \
- --skip-db-update \
- --skip-java-db-update \
- --scanners vuln \
- --exit-code 1 \
- --ignore-unfixed \
- --timeout 10m \
- ${IMAGE}
-
-scan-image:
- FROM ./images/trivy+image
- ARG --required IMAGE
- DO +SCAN_IMAGE --IMAGE ${IMAGE}
-
-scan-images:
- FROM ./images/trivy+image
- COPY roles/defaults/vars/main.yml /defaults.yml
- # TODO(mnaser): Scan all images eventually
- FOR IMAGE IN $(cat /defaults.yml | egrep -E 'ghcr.io/vexxhost|registry.atmosphere.dev' | cut -d' ' -f4 | sort | uniq)
- BUILD +scan-image --IMAGE ${IMAGE}
- END
-
 pin-images:
 FROM +build.venv.dev
 COPY roles/defaults/vars/main.yml /defaults.yml
diff --git a/docker-bake.hcl b/docker-bake.hcl
deleted file mode 100644
index 7237361c9..000000000
--- a/docker-bake.hcl
+++ /dev/null
@@ -1,98 +0,0 @@ -variable "REGISTRY" { - default = "registry.atmosphere.dev/library" -} - -variable "CACHE_REGISTRY" { - default = "registry.atmosphere.dev/cache" -} - -variable "PUSH_TO_CACHE" { - default = false -} - -function "cache_from" { - params = [image] - result = ["type=registry,ref=${CACHE_REGISTRY}/${image}"] -} - -function "cache_to" { - params = [image] - result = PUSH_TO_CACHE ? [format("%s,%s", cache_from(image)[0], "mode=max,image-manifest=true,oci-mediatypes=true,compression=zstd")] : [] -} - -target "barbican" { - name = "barbican-${release.tgt}" - - context = "." - target = "barbican" - - cache-from = cache_from("barbican:${release.name}") - cache-to = cache_to("barbican:${release.name}") - - tags = [ - "${REGISTRY}/barbican:${release.name}", - "${REGISTRY}/barbican:${release.ref}" - ] - - matrix = { - release = [ - { - tgt = "bobcat", - name = "2023.2", - ref = "a00fcade4138ffc52cd9c84b5999297966f019b5" - } - ] - } - - args = { - RELEASE = release.name - BRANCH = format("stable/%s", release.name) - PROJECT = "barbican" - BARBICAN_GIT_REF = release.ref - } -} - -target "magnum" { - name = "magnum-${release.tgt}" - - context = "." - target = "magnum" - - cache-from = cache_from("magnum:${release.name}") - cache-to = cache_to("magnum:${release.name}") - - tags = [ - "${REGISTRY}/magnum:${release.name}", - "${REGISTRY}/magnum:${release.ref}" - ] - - matrix = { - release = [ - { - tgt = "zed", - name = "zed", - ref = "0ee979099a01ae2c8b1b5d6757897a8993e4e34c" - }, - { - tgt = "bobcat", - name = "2023.2", - ref = "5f921a72d22d7e96fb3584c4906a39de9a085a41" - } - ] - } - - args = { - RELEASE = release.name - BRANCH = format("stable/%s", release.name) - PROJECT = "magnum" - MAGNUM_GIT_REF = release.ref - } -} - - -group "default" { - targets = [ - "barbican", - "magnum" - ] -} diff --git a/images/Earthfile b/images/Earthfile deleted file mode 100644 index 32cab4a2f..000000000 --- a/images/Earthfile +++ /dev/null 
@@ -1,52 +0,0 @@ -VERSION 0.8 - -APT_INSTALL: - FUNCTION - ARG PACKAGES - RUN \ - apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${PACKAGES} && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* - -DNF_INSTALL: - FUNCTION - ARG PACKAGES - RUN \ - dnf -y install \ - ${PACKAGES} \ - --setopt=install_weak_deps=False \ - --setopt=tsflags=nodocs && \ - dnf -y clean all && \ - rm -rf /var/cache/dnf - -CREATE_PROJECT_USER: - FUNCTION - ARG PROJECT - ARG SHELL=/usr/sbin/nologin - RUN \ - groupadd -g 42424 ${PROJECT} && \ - useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \ - mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \ - chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} - -fetch-gerrit-patch: - FROM ./base+image - DO +APT_INSTALL --PACKAGES "ca-certificates curl git jq" - ARG --required IMAGE - ARG PROJECT=${IMAGE} - ARG --required CHANGE - ARG PROJECT_REF=master - DO ./openstack-service+GIT_CHECKOUT \ - --PROJECT=${PROJECT} \ - --PROJECT_REF=${PROJECT_REF} - ARG REF=$(curl "https://review.opendev.org/changes/?q=${CHANGE}&o=CURRENT_REVISION" | tail -1 | jq -r '.[0].revisions[].ref') - COPY ${IMAGE}/patches/${PROJECT} /patches - RUN \ - git fetch https://review.opendev.org/openstack/${PROJECT} ${REF} && \ - git format-patch -1 --output-directory /gerrit FETCH_HEAD - ARG PATCH_ID=$(ls -1 /patches | wc -l | xargs printf "%04d") - RUN \ - cp /gerrit/0001-* \ - /patches/${PATCH_ID}-$(basename /gerrit/*.patch | sed 's/0001-//') - SAVE ARTIFACT /patches AS LOCAL ${IMAGE}/patches/${PROJECT} diff --git a/images/barbican/Dockerfile b/images/barbican/Dockerfile new file mode 100644 index 000000000..e12147859 --- /dev/null +++ b/images/barbican/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG BARBICAN_GIT_REF=7d6749fcb1ad16a3350de82cd8e523d5b55306f8 +ADD --keep-git-dir=true https://opendev.org/openstack/barbican.git#${BARBICAN_GIT_REF} /src/barbican +RUN git -C /src/barbican fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <" - exit 1 -fi - -docker buildx create --name=atmosphere --driver=docker-container || true - -if [ "$PUSH" = true ]; then - docker buildx bake --builder=atmosphere --provenance --sbom=true --push $TARGET - - # Sign all images - export COSIGN_PASSWORD="" - for IMAGE in $(docker buildx bake --print ${TARGET} | jq -r '.target[].tags | select(. != null)[]'); do - cosign sign -y --recursive --key cosign.key ${IMAGE} - done -else - docker buildx bake --builder=atmosphere --provenance --sbom=true $TARGET -fi diff --git a/images/builder/Earthfile b/images/builder/Earthfile deleted file mode 100644 index f4e92d3fa..000000000 --- a/images/builder/Earthfile +++ /dev/null @@ -1,7 +0,0 @@ -VERSION 0.7 - -image: - FROM ../base+image - DO ../+APT_INSTALL --PACKAGES "build-essential git python3-dev python3-pip python3-venv" - ARG POETRY_VERSION=1.4.2 - RUN pip3 install --no-cache-dir poetry==${POETRY_VERSION} diff --git a/images/cinder/Dockerfile b/images/cinder/Dockerfile new file mode 100644 index 000000000..4c8f153ce 
--- /dev/null +++ b/images/cinder/Dockerfile @@ -0,0 +1,35 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG CINDER_GIT_REF=f74e2729554bee01b0a3e631a8001bb39e540433 +ADD --keep-git-dir=true https://opendev.org/openstack/cinder.git#${CINDER_GIT_REF} /src/cinder +RUN git -C /src/cinder fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "zed" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "2023.1" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "2023.2" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "master" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE - RUN echo "${RELEASE} is not supported on $(lsb_release -sc)" - RUN exit 1 - END - END 
diff --git a/images/cluster-api-provider-openstack/Dockerfile b/images/cluster-api-provider-openstack/Dockerfile
new file mode 100644
index 000000000..aa05489a9
--- /dev/null
+++ b/images/cluster-api-provider-openstack/Dockerfile
@@ -0,0 +1,32 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+FROM alpine/git:2.43.0 AS src
+ARG CAPO_VERSION=v0.9.0
+ADD https://github.com/kubernetes-sigs/cluster-api-provider-openstack.git#${CAPO_VERSION} /src
+WORKDIR /src
+COPY /patches /patches
+RUN git apply /patches/*.patch
+
+FROM golang:1.20 AS builder
+COPY --from=src --link /src /src
+WORKDIR /src
+ARG ARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+ go build -ldflags "-extldflags '-static'" -o manager ${package}
+
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /src/manager /manager
+USER 65532
+ENTRYPOINT ["/manager"]
diff --git a/images/cluster-api-provider-openstack/Earthfile b/images/cluster-api-provider-openstack/Earthfile
deleted file mode 100644
index 111f465e0..000000000
--- a/images/cluster-api-provider-openstack/Earthfile
+++ /dev/null
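Review bot: `${package}` on the `go build` line is never declared as an `ARG` in this Dockerfile, so the build only succeeds because the shell expands it to an empty string and `go build` falls back to the current directory; declare it, `ARG package=.`, so the intent is explicit and a mistyped build-arg cannot silently change what gets compiled. `ARG ARCH` likewise has no default, so a build without `--build-arg ARCH=...` sets `GOARCH=` and compiles for the build host's architecture; using BuildKit's automatic platform arg (`ARG TARGETARCH` and `GOARCH=${TARGETARCH}`) avoids that silently wrong binary. The source is fetched at the tag `v0.9.0`, a mutable ref, whereas the other new Dockerfiles in this commit pin a commit SHA (e.g. `CINDER_GIT_REF`); pinning `CAPO_VERSION` to the release commit would make the patched build reproducible and tamper-evident. `golang:1.20` is a minor-only tag and, if I recall correctly, that Go line no longer received security fixes by early 2024, so the toolchain used to rebuild for a CVE bump may itself be stale — worth confirming and bumping.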
@@ -1,18 +0,0 @@ -VERSION 0.7 - -ARG --global CAPO_VERSION=v0.8.0 -ARG --global EPOCH=2 - -clone: - FROM ../builder+image - GIT CLONE --branch ${CAPO_VERSION} https://github.com/kubernetes-sigs/cluster-api-provider-openstack /workspace/src - WORKDIR /workspace/src - COPY patches /workspace/patches - RUN git apply --verbose /workspace/patches/*.patch - SAVE ARTIFACT /workspace/src - -image: - FROM DOCKERFILE -f +clone/src/Dockerfile +clone/src/* - LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/capi-openstack-controller:${CAPO_VERSION}-${EPOCH} diff --git a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch index 2812ac502..cd99927fe 100644 --- a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch +++ b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch @@ -1,158 +1,89 @@ -From 139a57e7b0d4c57033e281b061e459039a5e21d3 Mon Sep 17 00:00:00 2001 +From eed5b5cc2a6cf48c0c9e0245695d0ac143150186 Mon Sep 17 00:00:00 2001 From: Mohammed Naser -Date: Mon, 22 Jan 2024 16:22:52 -0500 -Subject: [PATCH 2/2] chore: bump k8s api for cve +Date: Tue, 12 Mar 2024 18:18:25 -0400 +Subject: [PATCH] chore: bump k8s api for cve --- - go.mod | 17 +++++++++-------- - go.sum | 36 +++++++++++++++++++----------------- - 2 files changed, 28 insertions(+), 25 deletions(-) + go.mod | 8 ++++---- + go.sum | 16 ++++++++-------- + 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod -index db4a954a..49d2f7cf 100644 +index 997f8354..d6c300cc 100644 --- a/go.mod 
+++ b/go.mod -@@ -15,8 +15,8 @@ require ( - github.com/onsi/gomega v1.27.8 - github.com/prometheus/client_golang v1.16.0 +@@ -15,7 +15,7 @@ require ( + github.com/onsi/gomega v1.30.0 + github.com/prometheus/client_golang v1.17.0 github.com/spf13/pflag v1.0.5 -- golang.org/x/crypto v0.11.0 -- golang.org/x/text v0.11.0 -+ golang.org/x/crypto v0.14.0 -+ golang.org/x/text v0.13.0 +- golang.org/x/crypto v0.15.0 ++ golang.org/x/crypto v0.17.0 + golang.org/x/text v0.14.0 gopkg.in/ini.v1 v1.67.0 - k8s.io/api v0.27.2 - k8s.io/apiextensions-apiserver v0.27.2 + k8s.io/api v0.28.4 
@@ -24,7 +24,7 @@ require ( - k8s.io/client-go v0.27.2 - k8s.io/component-base v0.27.2 - k8s.io/klog/v2 v2.90.1 -- k8s.io/kubernetes v1.27.2 -+ k8s.io/kubernetes v1.27.8 - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 - sigs.k8s.io/cluster-api v1.5.1 - sigs.k8s.io/cluster-api/test v1.5.1 -@@ -113,15 +113,16 @@ require ( - go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect -- golang.org/x/net v0.13.0 // indirect -+ golang.org/x/net v0.17.0 // indirect - golang.org/x/oauth2 v0.10.0 // indirect -- golang.org/x/sys v0.10.0 // indirect -- golang.org/x/term v0.10.0 // indirect -+ golang.org/x/sys v0.13.0 // indirect -+ golang.org/x/term v0.13.0 // indirect + k8s.io/client-go v0.28.4 + k8s.io/component-base v0.28.4 + k8s.io/klog/v2 v2.100.1 +- k8s.io/kubernetes v1.28.3 ++ k8s.io/kubernetes v1.28.4 + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + sigs.k8s.io/cluster-api v1.6.0 + sigs.k8s.io/cluster-api/test v1.6.0 +@@ -139,8 +139,8 @@ require ( + golang.org/x/net v0.18.0 // indirect + golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/sync v0.4.0 // indirect +- golang.org/x/sys v0.14.0 // indirect +- golang.org/x/term v0.14.0 // indirect ++ golang.org/x/sys v0.15.0 // indirect ++ golang.org/x/term v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect -- golang.org/x/tools v0.9.3 // indirect -+ golang.org/x/tools v0.12.0 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect -- google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect -+ google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a // indirect -+ google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect - google.golang.org/protobuf v1.31.0 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect + golang.org/x/tools v0.14.0 // indirect + 
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum -index 66bd8109..f18ece49 100644 +index e3d46fdc..f5767735 100644 --- a/go.sum 
+++ b/go.sum -@@ -516,8 +516,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y +@@ -460,8 +460,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= --golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= --golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= ++golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= ++golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -@@ -555,7 +555,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= --golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -+golang.org/x/mod v0.12.0 
h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= - golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -@@ -596,8 +596,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx - golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= - golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= - golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= --golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= --golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= -+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= - golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= - golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= - golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -@@ -673,13 +673,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc - golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +@@ -609,13 +609,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= --golang.org/x/sys v0.10.0 
h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= --golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= ++golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= --golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= --golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +-golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= ++golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= ++golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -@@ -690,8 +690,8 @@ golang.org/x/text v0.3.5/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= - golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= --golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= --golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= - golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -@@ -752,8 +752,8 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= - golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= --golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= --golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= -+golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= -+golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= - golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -@@ -825,8 +825,10 @@ 
google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D - google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a h1:HiYVD+FGJkTo+9zj1gqz0anapsa1JxjiSrN+BJKyUmE= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= - google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= - google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= - google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -@@ -914,8 +916,8 @@ k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= - k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= --k8s.io/kubernetes v1.27.2 h1:g4v9oY6u7vBUDEuq4FvC50Bbw2K7GZuvM00IIESWVf4= --k8s.io/kubernetes v1.27.2/go.mod 
h1:U8ZXeKBAPxeb4J4/HOaxjw1A9K6WfSH+fY2SS7CR6IM= -+k8s.io/kubernetes v1.27.8 h1:K848lTo/D0jvrxUlTvw4nNADixbhXLHgKNDP/KlFGy8= -+k8s.io/kubernetes v1.27.8/go.mod h1:PUXXrx0IhAi+kI9BMDqNJHUnLndVv9W0DkriqyjuJOs= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 h1:xMMXJlJbsU8w3V5N2FLDQ8YgU8s1EoULdbQBcAeNJkY= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +@@ -841,8 +841,8 @@ k8s.io/kms v0.28.4 h1:PMgY/3CQTWP9eIKmNQiTgjLIZ0ns6O+voagzD2/4mSg= + k8s.io/kms v0.28.4/go.mod h1:HL4/lR/bhjAJPbqycKtfhWiKh1Sp21cpHOL8P4oo87w= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +-k8s.io/kubernetes v1.28.3 h1:XTci6gzk+JR51UZuZQCFJ4CsyUkfivSjLI4O1P9z6LY= +-k8s.io/kubernetes v1.28.3/go.mod h1:NhAysZWvHtNcJFFHic87ofxQN7loylCQwg3ZvXVDbag= ++k8s.io/kubernetes v1.28.4 h1:aRNxs5jb8FVTtlnxeA4FSDBVKuFwA8Gw40/U2zReBYA= ++k8s.io/kubernetes v1.28.4/go.mod h1:BTzDCKYAlu6LL9ITbfjwgwIrJ30hlTgbv0eXDoA/WoA= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -- 2.43.0 - diff --git a/images/curl/Earthfile b/images/curl/Earthfile deleted file mode 100644 index 06d3d8e1a..000000000 --- a/images/curl/Earthfile +++ /dev/null @@ -1,5 +0,0 @@ -VERSION 0.7 - -image: - FROM curlimages/curl:7.78.0 - WORKDIR /tmp diff --git a/images/designate/Dockerfile b/images/designate/Dockerfile new file mode 100644 index 000000000..e1610c8d2 --- /dev/null +++ b/images/designate/Dockerfile 
@@ -0,0 +1,33 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG DESIGNATE_GIT_REF=d247267823034c5e656f74e91b50475aa54d3fa6 +ADD --keep-git-dir=true https://opendev.org/openstack/designate.git#${DESIGNATE_GIT_REF} /src/designate +RUN git -C /src/designate fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < /etc/apt/sources.list.d/ceph.list - ELSE IF [ "$(lsb_release -sc)" = "jammy" ] - RUN echo "deb http://download.ceph.com/debian-reef/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/ceph.list - ELSE - RUN echo "${RELEASE} is not supported on $(lsb_release -sc)" - RUN exit 1 - END - DO ../+APT_INSTALL --PACKAGES="ceph-common cgroup-tools dmidecode ebtables iproute2 ipxe-qemu kmod libvirt-clients libvirt-daemon-system openssh-client openvswitch-switch ovmf pm-utils qemu-block-extra qemu-efi qemu-kvm seabios" - DO ../+CREATE_PROJECT_USER --PROJECT=nova - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/libvirtd:${RELEASE} - -image: - BUILD --platform linux/amd64 --platform linux/arm64 +platform-image diff --git a/images/libvirtd/keyrings/ceph.gpg b/images/libvirtd/keyrings/ceph.gpg deleted file mode 100644 index c5d8bd399..000000000 Binary files a/images/libvirtd/keyrings/ceph.gpg and /dev/null differ 
diff --git a/images/magnum/Dockerfile b/images/magnum/Dockerfile
new file mode 100644
index 000000000..f945cf1b0
--- /dev/null
+++ b/images/magnum/Dockerfile
@@ -0,0 +1,45 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/ubuntu:zed AS helm +ARG TARGETOS +ARG TARGETARCH +ARG HELM_VERSION=3.14.0 +ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz +RUN tar -xzf /helm.tar.gz +RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG MAGNUM_GIT_REF=0ee979099a01ae2c8b1b5d6757897a8993e4e34c +ADD --keep-git-dir=true https://opendev.org/openstack/magnum.git#${MAGNUM_GIT_REF} /src/magnum +RUN git -C /src/magnum fetch --unshallow +COPY patches/magnum /patches/magnum +RUN git -C /src/magnum apply --verbose /patches/magnum/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Fri, 31 Mar 2023 23:41:43 +1100 -Subject: [PATCH] Update chart.metadata.version to reflect breaking change in - helm v3.5.2 - -https: //github.com/helm/helm/issues/9342 -Change-Id: I1dbe7b0b85380e713ebb5dcdd7ecbfc6a438b852 -(cherry picked from commit ebee3263b6b3d3fa213ea8f837911b89785a4700) ---- - .../templates/kubernetes/fragments/install-helm-modules.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh -index 475e8dbf6c..a0b3f4bc75 100644 ---- 
a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh -+++ b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh -@@ -72,8 +72,8 @@ else - cat << EOF > Chart.yaml - apiVersion: v1 - name: magnum --version: metachart --appVersion: metachart -+version: 1.0.0 -+appVersion: v1.0.0 - description: Magnum Helm Charts - EOF - sed -i '1i\dependencies:' requirements.yaml diff --git a/patches/zed/magnum/0000-Fix-Trust-token-scope-for-drivers.patch b/images/magnum/patches/magnum/0001-Fix-Trust-token-scope-for-drivers.patch similarity index 100% rename from patches/zed/magnum/0000-Fix-Trust-token-scope-for-drivers.patch rename to images/magnum/patches/magnum/0001-Fix-Trust-token-scope-for-drivers.patch diff --git a/images/manila/Dockerfile b/images/manila/Dockerfile new file mode 100644 index 000000000..4a222e083 --- /dev/null +++ b/images/manila/Dockerfile 
@@ -0,0 +1,35 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG MANILA_GIT_REF=c0fc23a39f87629b59fae7bbf46f70e3e1b459cd +ADD --keep-git-dir=true https://opendev.org/openstack/manila.git#${MANILA_GIT_REF} /src/manila +RUN git -C /src/manila fetch --unshallow +COPY patches/manila /patches/manila +RUN git -C /src/manila apply --verbose /patches/manila/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Fri, 22 Sep 2023 16:25:10 +0200 -Subject: [PATCH] fix netns deletion of broken namespaces - -normal network namespaces are bind-mounted to files under -/var/run/netns. If a process deleting a network namespace gets killed -during that operation there is the chance that the bind mount to the -netns has been removed, but the file under /var/run/netns still exists. - -When the neutron-ovn-metadata-agent tries to clean up such network -namespaces it first tires to validate that the network namespace is -empty. For the cases described above this fails, as this network -namespace no longer really exists, but is just a stray file laying -around. - -To fix this we treat network namespaces where we get an `OSError` with -errno 22 (Invalid Argument) as empty. The calls to pyroute2 to delete -the namespace will then clean up the file. - -Additionally we add a guard to teardown_datapath to continue even if -this fails. 
failing to remove a datapath is not critical and leaves in -the worst case a process and a network namespace running, however -previously it would have also prevented the creation of new datapaths -which is critical for VM startup. - -Closes-Bug: #2037102 -Change-Id: I7c43812fed5903f98a2e491076c24a8d926a59b4 -(cherry picked from commit 566fea3fed837b0130023303c770aade391d3d61) ---- - neutron/agent/linux/ip_lib.py | 17 ++++++++++++- - neutron/agent/ovn/metadata/agent.py | 5 +++- - neutron/tests/unit/agent/linux/test_ip_lib.py | 15 +++++++++++ - .../unit/agent/ovn/metadata/test_agent.py | 25 +++++++++++++++++++ - 4 files changed, 60 insertions(+), 2 deletions(-) - -diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py -index 10bd33d9e1..5d2593da47 100644 ---- a/neutron/agent/linux/ip_lib.py -+++ b/neutron/agent/linux/ip_lib.py -@@ -259,7 +259,22 @@ class IPWrapper(SubProcessBase): - return ip - - def namespace_is_empty(self): -- return not self.get_devices() -+ try: -+ return not self.get_devices() -+ except OSError as e: -+ # This can happen if we previously got terminated in the middle of -+ # removing this namespace. In this case the bind mount of the -+ # namespace under /var/run/netns will be removed, but the namespace -+ # file is still there. As the bind mount is gone we can no longer -+ # access the namespace to validate that it is empty. But since it -+ # should have already been removed we are sure that the check has -+ # passed the last time and since the namespace is unuseable that -+ # can not have changed. -+ # Future calls to pyroute2 to remove that namespace will clean up -+ # the leftover file. 
-+ if e.errno == errno.EINVAL: -+ return True -+ raise e - - def garbage_collect_namespace(self): - """Conditionally destroy the namespace if it is empty.""" -diff --git a/neutron/agent/ovn/metadata/agent.py b/neutron/agent/ovn/metadata/agent.py -index 1745239701..861715d8e1 100644 ---- a/neutron/agent/ovn/metadata/agent.py -+++ b/neutron/agent/ovn/metadata/agent.py -@@ -430,7 +430,10 @@ class MetadataAgent(object): - ns.startswith(NS_PREFIX) and - ns not in metadata_namespaces] - for ns in unused_namespaces: -- self.teardown_datapath(self._get_datapath_name(ns)) -+ try: -+ self.teardown_datapath(self._get_datapath_name(ns)) -+ except Exception: -+ LOG.exception('Error unable to destroy namespace: %s', ns) - - # resync all network namespaces based on the associated datapaths, - # even those that are already running. This is to make sure -diff --git a/neutron/tests/unit/agent/linux/test_ip_lib.py b/neutron/tests/unit/agent/linux/test_ip_lib.py -index d1c74fb3f7..159cafdb8e 100644 ---- a/neutron/tests/unit/agent/linux/test_ip_lib.py -+++ b/neutron/tests/unit/agent/linux/test_ip_lib.py -@@ -357,6 +357,21 @@ class TestIpWrapper(base.BaseTestCase): - self.assertNotIn(mock.call().delete('ns'), - ip_ns_cmd_cls.mock_calls) - -+ def test_garbage_collect_namespace_existing_broken(self): -+ with mock.patch.object(ip_lib, 'IpNetnsCommand') as ip_ns_cmd_cls: -+ ip_ns_cmd_cls.return_value.exists.return_value = True -+ -+ ip = ip_lib.IPWrapper(namespace='ns') -+ -+ with mock.patch.object(ip, 'get_devices', -+ side_effect=OSError(errno.EINVAL, None) -+ ) as mock_get_devices: -+ self.assertTrue(ip.garbage_collect_namespace()) -+ -+ mock_get_devices.assert_called_once_with() -+ expected = [mock.call().delete('ns')] -+ ip_ns_cmd_cls.assert_has_calls(expected) -+ - @mock.patch.object(priv_lib, 'create_interface') - def test_add_vlan(self, create): - retval = ip_lib.IPWrapper().add_vlan('eth0.1', 'eth0', '1') -diff --git a/neutron/tests/unit/agent/ovn/metadata/test_agent.py 
b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -index 6df7da702d..9bf9f0db52 100644 ---- a/neutron/tests/unit/agent/ovn/metadata/test_agent.py -+++ b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -@@ -134,6 +134,31 @@ class TestMetadataAgent(base.BaseTestCase): - lnn.assert_called_once_with() - tdp.assert_called_once_with('3') - -+ def test_sync_teardown_namespace_does_not_crash_on_error(self): -+ """Test that sync tears down unneeded metadata namespaces. -+ Even if that fails it continues to provision other datapaths -+ """ -+ with mock.patch.object( -+ self.agent, 'provision_datapath') as pdp,\ -+ mock.patch.object( -+ ip_lib, 'list_network_namespaces', -+ return_value=['ovnmeta-1', 'ovnmeta-2', 'ovnmeta-3', -+ 'ns1', 'ns2']) as lnn,\ -+ mock.patch.object( -+ self.agent, 'teardown_datapath', -+ side_effect=Exception()) as tdp: -+ self.agent.sync() -+ -+ pdp.assert_has_calls( -+ [ -+ mock.call(p.datapath) -+ for p in self.ports -+ ], -+ any_order=True -+ ) -+ lnn.assert_called_once_with() -+ tdp.assert_called_once_with('3') -+ - def test_get_networks_datapaths(self): - """Test get_networks_datapaths returns only datapath objects for the - networks containing vif ports of type ''(blank) and 'external'. --- -2.34.1 diff --git a/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch new file mode 100644 index 000000000..260532499 --- /dev/null +++ b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch 
@@ -0,0 +1,38 @@ +From f8ec437329510ef59c81084712dbfe49528ef56d Mon Sep 17 00:00:00 2001 +From: Mohammed Naser +Date: Thu, 28 Mar 2024 14:38:43 -0400 +Subject: [PATCH] fix(ovn): set mtu in external_ids correctly + +In the previous patch, we did account for the MTU showing up +in the external IDs however the code only sets it if it's using +a remote managed port binding. This code instead sets the binding +for all the inerface types instead. + +Related-Change-Id: I7ff300e9634e5e3fc68d70540392109fd8b9babc +Closes-Bug: 2053274 +Change-Id: I0653c83c5fb595847bb61182223db39b2f7e98c6 +--- + .../plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +index 3e7bc5c01f..6f9e90afde 100644 +--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py ++++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +@@ -480,11 +480,13 @@ class OVNClient(object): + # HA Chassis Group will bind the port to the highest + # priority Chassis + if port_type != ovn_const.LSP_TYPE_EXTERNAL: ++ port_net = self._plugin.get_network( ++ context, port['network_id']) ++ mtu = str(port_net['mtu']) + if (vnic_type == portbindings.VNIC_REMOTE_MANAGED and + ovn_const.VIF_DETAILS_PF_MAC_ADDRESS in binding_prof): + port_net = self._plugin.get_network( + context, port['network_id']) +- mtu = str(port_net['mtu']) + options.update({ + ovn_const.LSP_OPTIONS_VIF_PLUG_TYPE_KEY: 'representor', + ovn_const.LSP_OPTIONS_VIF_PLUG_MTU_REQUEST_KEY: mtu, +-- +2.34.1 diff --git a/images/nova-ssh/Dockerfile b/images/nova-ssh/Dockerfile new file mode 100644 index 000000000..84f6889a9 --- /dev/null +++ b/images/nova-ssh/Dockerfile 
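Review bot: The inner `port_net = self._plugin.get_network(context, port['network_id'])` inside the `VNIC_REMOTE_MANAGED` branch is kept as context while the same lookup is hoisted above the `if`, so remote-managed ports now perform the plugin lookup twice; only the `mtu = ...` line was removed from that branch. The embedded patch should also delete those two inner lines so the hoisted `port_net` is the single source. The commit message in the patch header also misspells "interface" as `inerface`. The enclosing method in ovn_client.py starts and ends outside the embedded hunk.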
@@ -0,0 +1,26 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-runtime:zed +RUN < -Date: Tue, 31 Oct 2023 22:52:50 -0400 -Subject: [PATCH] libvirt: Stop unconditionally enabling evmcs - -In I008841988547573878c4e06e82f0fa55084e51b5 we started enabling a -bunch of libvirt enlightenments for Windows unconditionally. Turns -out, the `evmcs` enlightenment only works on Intel hosts, and we broke -the ability to run Windows guests on AMD machines. Until we become -smarter about conditionally enabling evmcs (with something like traits -for host CPU features), just stop enabling it at all. 
- -Change-Id: I2ff4fdecd9dc69de283f0e52e07df1aeaf0a9048 -Closes-bug: 2009280 ---- - nova/tests/unit/virt/libvirt/test_driver.py | 5 ++++- - nova/virt/libvirt/driver.py | 1 - - ...p-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml | 8 ++++++++ - 3 files changed, 12 insertions(+), 2 deletions(-) - create mode 100644 releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml - -diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py -index d01b9c2677..ebba604ffa 100644 ---- a/nova/tests/unit/virt/libvirt/test_driver.py -+++ b/nova/tests/unit/virt/libvirt/test_driver.py -@@ -27972,7 +27972,10 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): - self.assertTrue(hv.reenlightenment) - self.assertTrue(hv.tlbflush) - self.assertTrue(hv.ipi) -- self.assertTrue(hv.evmcs) -+ # NOTE(artom) evmcs only works on Intel hosts, so we can't enable it -+ # unconditionally. Until we become smarter about it, just don't enable -+ # it at all. See bug 2009280. -+ self.assertFalse(hv.evmcs) - - - class LibvirtVolumeUsageTestCase(test.NoDBTestCase): -diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py -index d03dc5fd67..1b28e50355 100644 ---- a/nova/virt/libvirt/driver.py -+++ b/nova/virt/libvirt/driver.py -@@ -6234,7 +6234,6 @@ class LibvirtDriver(driver.ComputeDriver): - hv.reenlightenment = True - hv.tlbflush = True - hv.ipi = True -- hv.evmcs = True - - # NOTE(kosamara): Spoofing the vendor_id aims to allow the nvidia - # driver to work on windows VMs. 
At the moment, the nvidia driver -diff --git a/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml b/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml -new file mode 100644 -index 0000000000..31609f2a2d ---- /dev/null -+++ b/releasenotes/notes/libvirt-enlightenments-stop-unconditionally-enabling-evmcs-993a825641c4b9f3.yaml -@@ -0,0 +1,8 @@ -+--- -+fixes: -+ - | -+ Bug 2009280 has been fixed by no longer enabling the evmcs enlightenment in -+ the libvirt driver. evmcs only works on Intel CPUs, and domains with that -+ enlightenment cannot be started on AMD hosts. There is a possible future -+ feature to enable support for generating this enlightenment only when -+ running on Intel hosts. --- -2.34.1 - diff --git a/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch b/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch deleted file mode 100644 index 88ea6312a..000000000 --- a/images/nova/patches/nova/0001-libvirt-stop-enabling-hyperv-feature-reenlightenment.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From e618e78edc6293d248a5fa2eb63b3fa636250fca Mon Sep 17 00:00:00 2001 -From: songjie -Date: Mon, 25 Dec 2023 16:59:36 +0800 -Subject: [PATCH] libvirt: stop enabling hyperv feature reenlightenment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The 'reenlightenment' hyperv enlightenment will cause -instances live-migration to fail (KVM currently doesn’t -fully support reenlightenment notifications, see -www.qemu.org/docs/master/system/i386/hyperv.html), -so don't enable it now. - -Change-Id: I6821819450bc96e4304125ea3b76a0e462e6e33f -Closes-Bug: #2046549 -Related-Bug: #2009280 ---- - nova/tests/unit/virt/libvirt/test_driver.py | 4 +++- - nova/virt/libvirt/driver.py | 1 - - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py -index 868e024370..2e1d089898 100644 ---- a/nova/tests/unit/virt/libvirt/test_driver.py -+++ b/nova/tests/unit/virt/libvirt/test_driver.py -@@ -28048,7 +28048,9 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): - self.assertTrue(hv.synic) - self.assertTrue(hv.reset) - self.assertTrue(hv.frequencies) -- self.assertTrue(hv.reenlightenment) -+ # NOTE(jie) reenlightenment will cause instances live-migration -+ # failure, so don't enable it now. See bug 2046549. -+ self.assertFalse(hv.reenlightenment) - self.assertTrue(hv.tlbflush) - self.assertTrue(hv.ipi) - # NOTE(artom) evmcs only works on Intel hosts, so we can't enable it -diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py -index 7f5f48c047..f8e3353110 100644 ---- a/nova/virt/libvirt/driver.py -+++ b/nova/virt/libvirt/driver.py -@@ -6262,7 +6262,6 @@ class LibvirtDriver(driver.ComputeDriver): - hv.synic = True - hv.reset = True - hv.frequencies = True -- hv.reenlightenment = True - hv.tlbflush = True - hv.ipi = True - --- -2.34.1 - 
diff --git a/images/octavia/Dockerfile b/images/octavia/Dockerfile
new file mode 100644
index 000000000..bf8d7e7f5
--- /dev/null
+++ b/images/octavia/Dockerfile
@@ -0,0 +1,36 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/openstack-venv-builder:zed AS build +ARG OCTAVIA_GIT_REF=000b577f3e9c9ff7cb893e9f6e635753017a78c6 +ADD --keep-git-dir=true https://opendev.org/openstack/octavia.git#${OCTAVIA_GIT_REF} /src/octavia +RUN git -C /src/octavia fetch --unshallow +ADD --keep-git-dir=true https://opendev.org/openstack/ovn-octavia-provider.git#stable/zed /src/ovn-octavia-provider +RUN git -C /src/ovn-octavia-provider fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Tue, 16 Jan 2024 17:13:19 -0500 -Subject: [PATCH] fix: specify endpoint info. 
for neutron client - -Closes bug: #2049551 - -Change-Id: I80a266e500958415a70d462ddfe57e9e03e6ef13 ---- - octavia/common/clients.py | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/octavia/common/clients.py b/octavia/common/clients.py -index b13642bb..2abcc67b 100644 ---- a/octavia/common/clients.py -+++ b/octavia/common/clients.py -@@ -80,10 +80,16 @@ class NeutronAuth(object): - if not cls.neutron_client: - sess = ksession.get_session() - -- kwargs = {} -+ kwargs = { -+ 'region_name': CONF.neutron.region_name, -+ 'interface': CONF.neutron.valid_interfaces -+ } - if CONF.neutron.endpoint_override: - kwargs['network_endpoint_override'] = ( - CONF.neutron.endpoint_override) -+ if CONF.neutron.endpoint_override.startswith("https"): -+ kwargs['insecure'] = CONF.neutron.insecure -+ kwargs['cacert'] = CONF.neutron.cafile - - conn = openstack.connection.Connection( - session=sess, **kwargs) --- -2.34.1 - diff --git a/images/openstack-runtime/Dockerfile b/images/openstack-runtime/Dockerfile new file mode 100644 index 000000000..3cf9ae45f --- /dev/null +++ b/images/openstack-runtime/Dockerfile 
@@ -0,0 +1,23 @@
+# Copyright (c) 2024 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ARG FROM=registry.atmosphere.dev/library/ubuntu-cloud-archive:zed
+FROM ${FROM}
+ONBUILD ARG PROJECT
+ONBUILD ARG SHELL=/usr/sbin/nologin
+ONBUILD RUN \
+ groupadd -g 42424 ${PROJECT} && \
+ useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \
+ mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \
+ chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT}
diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
deleted file mode 100644
index ae4ab494d..000000000
--- a/images/openstack-service/Earthfile
+++ /dev/null
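Review bot: The `ONBUILD RUN` creates the `${PROJECT}` account and chowns its directories, but neither this stage nor the trigger ever switches to it, so every image built FROM this base keeps running as root unless it adds its own `USER ${PROJECT}` after its last root-requiring step; that contract deserves a comment above the `ONBUILD` block, e.g. `# Child images must add USER ${PROJECT} (uid/gid 42424) after their last step that needs root.` The same `chown` hands `/etc/${PROJECT}` to the service account, which lets a compromised service rewrite its own configuration; if the children only ever mount configuration read-only, leaving `/etc/${PROJECT}` root-owned with group read access would be the tighter default, though I cannot see the children here. `chown -Rv` also prints one line per file into the build log, and `-R` alone does the same work quietly.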
@@ -1,99 +0,0 @@ -VERSION 0.8 - -PIP_INSTALL: - FUNCTION - ARG PACKAGES - RUN --mount=type=cache,target=/root/.cache \ - /var/lib/openstack/bin/pip3 install \ - --constraint /upper-constraints.txt \ - ${PACKAGES} - -GIT_CHECKOUT: - FUNCTION - ARG PROJECT - ARG PROJECT_REPO=https://github.com/openstack/${PROJECT} - ARG PROJECT_REF - GIT CLONE --branch ${PROJECT_REF} ${PROJECT_REPO} /src - WORKDIR /src - RUN \ - git remote set-url origin ${PROJECT_REPO} && \ - git fetch --unshallow - COPY --if-exists patches/${PROJECT} /patches - IF [ -d /patches ] - RUN git apply --verbose /patches/*.patch - END - -BUILD_VENV: - FUNCTION - ARG PROJECT - ARG PROJECT_REPO=https://github.com/openstack/${PROJECT} - ARG PROJECT_REF - DO +GIT_CHECKOUT \ - --PROJECT=${PROJECT} \ - --PROJECT_REPO=${PROJECT_REPO} \ - --PROJECT_REF=${PROJECT_REF} - ARG EXTRAS="" - ARG PIP_PACKAGES="" - DO +PIP_INSTALL --PACKAGES "/src${EXTRAS} ${PIP_PACKAGES}" - SAVE ARTIFACT /var/lib/openstack venv - -requirements: - FROM ../base+image - ARG RELEASE - IF [ "${RELEASE}" = "master" ] - ARG BRANCH=master - ELSE - ARG BRANCH=stable/${RELEASE} - END - GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src - RUN \ - sed -i 's/cryptography===36.0.2/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/cryptography===40.0.2/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/cryptography===41.0.7/cryptography===42.0.4/' /src/upper-constraints.txt && \ - sed -i 's/Django===3.2.18/Django===3.2.24/' /src/upper-constraints.txt && \ - sed -i 's/Flask===2.2.3/Flask===2.2.5/' /src/upper-constraints.txt && \ - sed -i 's/Jinja2===3.1.2/Jinja2===3.1.3/' /src/upper-constraints.txt && \ - sed -i 's/paramiko===2.11.0/paramiko===3.4.0/' /src/upper-constraints.txt && \ - sed -i 's/paramiko===3.1.0/paramiko===3.4.0/' /src/upper-constraints.txt && \ - sed -i 's/pyOpenSSL===22.0.0/pyOpenSSL===24.0.0/' /src/upper-constraints.txt && \ - sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===24.0.0/' 
/src/upper-constraints.txt && \ - sed -i 's/requests===2.28.1/requests===2.31.0/' /src/upper-constraints.txt && \ - sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \ - sed -i 's/sqlparse===0.4.2/sqlparse===0.4.4/' /src/upper-constraints.txt && \ - sed -i 's/urllib3===1.26.12/urllib3===1.26.18/' /src/upper-constraints.txt && \ - sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \ - sed -i 's/Werkzeug===2.2.3/Werkzeug===2.3.8/' /src/upper-constraints.txt && \ - sed -i '/glance-store/d' /src/upper-constraints.txt && \ - sed -i '/horizon/d' /src/upper-constraints.txt - SAVE ARTIFACT /src/upper-constraints.txt - -builder: - ARG RELEASE - FROM ../cloud-archive-base+image --RELEASE=${RELEASE} - DO ../+APT_INSTALL --PACKAGES "\ - build-essential \ - curl \ - git \ - libldap2-dev \ - libpcre3-dev \ - libsasl2-dev \ - libssl-dev \ - lsb-release \ - openssh-client \ - python3 \ - python3-dev \ - python3-pip \ - python3-venv" - RUN --mount type=cache,target=/root/.cache \ - python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack - COPY \ - (+requirements/upper-constraints.txt --RELEASE=${RELEASE}) \ - /upper-constraints.txt - DO +PIP_INSTALL --PACKAGES "cryptography pymysql python-binary-memcached python-memcached uwsgi" - -image: - ARG --required RELEASE - FROM ../cloud-archive-base+image --RELEASE=${RELEASE} - ENV PATH=/var/lib/openstack/bin:$PATH - ARG --required PROJECT - DO ../+CREATE_PROJECT_USER --PROJECT=${PROJECT} diff --git a/images/openstack-venv-builder/Dockerfile b/images/openstack-venv-builder/Dockerfile new file mode 100644 index 000000000..2b154cf4d --- /dev/null +++ b/images/openstack-venv-builder/Dockerfile 
@@ -0,0 +1,62 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM registry.atmosphere.dev/library/ubuntu-cloud-archive:zed AS requirements +ADD https://releases.openstack.org/constraints/upper/zed /upper-constraints.txt +RUN < 23.0.1.dev6 therefore -# we ignore those old CVEs. -CVE-2012-3542 -CVE-2012-4413 -CVE-2013-2256 -CVE-2013-4179 -CVE-2014-3517 -CVE-2014-3608 -CVE-2014-3641 -CVE-2014-3708 -CVE-2015-0259 -CVE-2015-3221 -CVE-2015-3280 -CVE-2015-5251 -CVE-2015-5286 -CVE-2015-7713 diff --git a/images/trivy/Earthfile b/images/trivy/Earthfile deleted file mode 100644 index 8f6862546..000000000 --- a/images/trivy/Earthfile +++ /dev/null @@ -1,8 +0,0 @@ -VERSION 0.7 - -image: - FROM aquasec/trivy:0.48.3 - COPY .trivyignore /.trivyignore - # TODO(mnaser): Add automatic updates - RUN trivy image --download-db-only - RUN trivy image --download-java-db-only diff --git a/zuul.d/playbooks/buildset-registry/pre.yml b/images/ubuntu-cloud-archive/Dockerfile similarity index 68% rename from zuul.d/playbooks/buildset-registry/pre.yml rename to images/ubuntu-cloud-archive/Dockerfile index 81304bb42..43d3a1a47 100644 --- a/zuul.d/playbooks/buildset-registry/pre.yml +++ b/images/ubuntu-cloud-archive/Dockerfile 
@@ -12,9 +12,8 @@ # License for the specific language governing permissions and limitations # under the License. -- name: Prepare host for building images - hosts: all - roles: - - ensure-docker - - run-buildset-registry - - use-buildset-registry +FROM registry.atmosphere.dev/library/ubuntu:zed +COPY trusted.gpg.d/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg +COPY < 0 - - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')" - - - name: Configure Buildkit certificates - when: buildset_registry is defined and buildset_registry.cert - become: true - block: - - name: Create a folder for the certificates - ansible.builtin.file: - path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}" - state: directory - - name: Copy the certificate - ansible.builtin.copy: - content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" - - name: Create a buildkitd.toml file - ansible.builtin.copy: - dest: /etc/buildkitd.toml - content: | - [registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"] - ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"] - - - name: Create builder - ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %} - - - name: Point registry to Atmosphere if in post pipeline - when: zuul.pipeline == 'post' - no_log: true - ansible.builtin.set_fact: - buildset_registry: - host: registry.atmosphere.dev - port: 443 - username: "{{ registry_credentials.username }}" - password: "{{ registry_credentials.password }}" - - - name: Log into registry - docker_login: - registry: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}" - username: "{{ buildset_registry.username }}" - password: "{{ 
buildset_registry.password }}" - - - name: Build images - ansible.builtin.shell: | - docker buildx bake --builder=atmosphere --provenance --sbom=true --push - args: - chdir: "{{ zuul.project.src_dir }}" - environment: - REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library" - PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}" - - - name: Get list of images built - ansible.builtin.shell: docker buildx bake --print - args: - chdir: "{{ zuul.project.src_dir }}" - environment: - REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library" - register: images_built_json - - - name: Set fact with list of images - set_fact: - images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}" - - - name: Sign images - when: zuul.pipeline == 'post' - block: - - name: Download cosign binary - become: true - ansible.builtin.get_url: - url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 - dest: /usr/local/bin/cosign - mode: 0755 - - - name: Determine the digest for the images - ansible.builtin.shell: | - cosign triangulate --type=digest {{ item }} - loop: "{{ images_built }}" - register: cosign_digest - - - name: Copy the cosign public key - copy: - content: "{{ cosign_key.public }}" - dest: cosign.pub - - - name: Verify which images are signed - ignore_errors: true - ansible.builtin.shell: | - cosign verify --key cosign.pub --output json {{ item }} - loop: "{{ cosign_digest.results | map(attribute='stdout') | list | unique }}" - register: cosign_verify - - - name: Copy the cosign private key - copy: - content: "{{ cosign_key.private }}" - dest: cosign.key - - - name: Sign images - ansible.builtin.shell: | - cosign sign -y --recursive --key cosign.key {{ item }} - loop: "{{ cosign_verify.results | selectattr('failed', 'equalto', true) | map(attribute='item') | list }}" - - - name: 
Delete the cosign private key - file: - path: cosign.key - state: absent - - - name: Return Zuul artifacts for images - zuul_return: - data: - zuul: - artifacts: - - name: "{{ item }}" - url: "docker://{{ item }}" - metadata: - type: container_image - repository: "{{ item.split(':')[0] }}" - tag: "{{ item.split(':')[1] }}" - loop: "{{ images_built }}" - -- name: Yield to other jobs - hosts: localhost - tasks: - - name: Pause the job - zuul_return: - data: - zuul: - pause: true diff --git a/zuul.d/playbooks/molecule/pre.yml b/zuul.d/playbooks/molecule/pre.yml index f9f221336..a4bc6922b 100644 --- a/zuul.d/playbooks/molecule/pre.yml +++ b/zuul.d/playbooks/molecule/pre.yml @@ -59,8 +59,15 @@ - name: Replace the registry in image manifest ansible.builtin.replace: path: "{{ zuul.project.src_dir }}/roles/defaults/vars/main.yml" - regexp: "registry.atmosphere.dev/library/([^@]*)@sha256:[a-fA-F0-9]{64}" - replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/library/\1' + regexp: "{{ repo }}:{{ tag }}" + replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ repo }}:{{ tag }}' + loop: "{{ zuul.artifacts | default([]) }}" + loop_control: + loop_var: zj_zuul_artifact + when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'" + vars: + repo: "{{ zj_zuul_artifact.metadata.repository }}" + tag: "{{ zj_zuul_artifact.metadata.tag }}" # TODO(mnaser): Drop this when we move to PBR - name: Add current folder to Git's safe directories diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 55e21fa8d..51aba1ab9 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
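Review bot: `regexp: "{{ repo }}:{{ tag }}"` passes the artifact's repository and tag to `ansible.builtin.replace` as a regular expression without escaping, so a `.` in the repository path matches any character and a `+`, `(` or `[` in a tag would silently change or break the pattern; these values come from the dependent jobs' `zuul.artifacts` metadata rather than from this playbook. Escaping them, `regexp: "{{ repo | regex_escape }}:{{ tag | regex_escape }}"`, keeps the substitution literal. The removed pattern matched the `@sha256:<digest>` form while the new one matches only `repo:tag`, so any entry in main.yml that is still digest-pinned would be left pointing at the production registry; worth confirming the manifest now carries tags for every image the check jobs rebuild.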
@@ -13,14 +13,128 @@ # under the License. - project: + merge-mode: squash-merge check: jobs: - - atmosphere-buildset-registry - - atmosphere-molecule-aio-openvswitch - - atmosphere-molecule-aio-ovn - - atmosphere-molecule-csi-local-path-provisioner - - atmosphere-molecule-csi-rbd - - atmosphere-molecule-keycloak - post: + - atmosphere-molecule-aio-keycloak: + dependencies: &molecule_check_dependencies + - name: atmosphere-build-container-image-barbican + soft: true + - name: atmosphere-build-container-image-cinder + soft: true + - name: atmosphere-build-container-image-cluster-api-provider-openstack + soft: true + - name: atmosphere-build-container-image-designate + soft: true + - name: atmosphere-build-container-image-glance + soft: true + - name: atmosphere-build-container-image-heat + soft: true + - name: atmosphere-build-container-image-horizon + soft: true + - name: atmosphere-build-container-image-ironic + soft: true + - name: atmosphere-build-container-image-keystone + soft: true + - name: atmosphere-build-container-image-kubernetes-entrypoint + soft: true + - name: atmosphere-build-container-image-libvirt-tls-sidecar + soft: true + - name: atmosphere-build-container-image-libvirtd + soft: true + - name: atmosphere-build-container-image-magnum + soft: true + - name: atmosphere-build-container-image-manila + soft: true + - name: atmosphere-build-container-image-netoffload + soft: true + - name: atmosphere-build-container-image-neutron + soft: true + - name: atmosphere-build-container-image-nova + soft: true + - name: atmosphere-build-container-image-nova-ssh + soft: true + - name: atmosphere-build-container-image-octavia + soft: true + - name: atmosphere-build-container-image-openvswitch + soft: true + - name: atmosphere-build-container-image-ovn + soft: true + - name: atmosphere-build-container-image-placement + soft: true + - name: atmosphere-build-container-image-senlin + soft: true + - name: atmosphere-build-container-image-staffeln + soft: true + - name: 
atmosphere-build-container-image-tempest + soft: true + - atmosphere-molecule-aio-openvswitch: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-aio-ovn: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-csi-local-path-provisioner: + dependencies: *molecule_check_dependencies + - atmosphere-molecule-csi-rbd: + dependencies: *molecule_check_dependencies + gate: jobs: - - atmosphere-upload-images + - atmosphere-molecule-aio-keycloak: + dependencies: &molecule_gate_dependencies + - name: atmosphere-upload-container-image-barbican + soft: true + - name: atmosphere-upload-container-image-cinder + soft: true + - name: atmosphere-upload-container-image-cluster-api-provider-openstack + soft: true + - name: atmosphere-upload-container-image-designate + soft: true + - name: atmosphere-upload-container-image-glance + soft: true + - name: atmosphere-upload-container-image-heat + soft: true + - name: atmosphere-upload-container-image-horizon + soft: true + - name: atmosphere-upload-container-image-ironic + soft: true + - name: atmosphere-upload-container-image-keystone + soft: true + - name: atmosphere-upload-container-image-kubernetes-entrypoint + soft: true + - name: atmosphere-upload-container-image-libvirt-tls-sidecar + soft: true + - name: atmosphere-upload-container-image-libvirtd + soft: true + - name: atmosphere-upload-container-image-magnum + soft: true + - name: atmosphere-upload-container-image-manila + soft: true + - name: atmosphere-upload-container-image-netoffload + soft: true + - name: atmosphere-upload-container-image-neutron + soft: true + - name: atmosphere-upload-container-image-nova + soft: true + - name: atmosphere-upload-container-image-nova-ssh + soft: true + - name: atmosphere-upload-container-image-octavia + soft: true + - name: atmosphere-upload-container-image-openvswitch + soft: true + - name: atmosphere-upload-container-image-ovn + soft: true + - name: atmosphere-upload-container-image-placement + soft: true + 
- name: atmosphere-upload-container-image-senlin + soft: true + - name: atmosphere-upload-container-image-staffeln + soft: true + - name: atmosphere-upload-container-image-tempest + soft: true + - atmosphere-molecule-aio-openvswitch: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-aio-ovn: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-csi-local-path-provisioner: + dependencies: *molecule_gate_dependencies + - atmosphere-molecule-csi-rbd: + dependencies: *molecule_gate_dependencies diff --git a/zuul.d/secrets.yaml b/zuul.d/secrets.yaml index 9cbc36264..5208efbb5 100644 --- a/zuul.d/secrets.yaml +++ b/zuul.d/secrets.yaml 
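Review bot: The `molecule_check_dependencies` and `molecule_gate_dependencies` anchors enumerate the same twenty-five images by hand, differing only in the `build`/`upload` prefix, and nothing in this file ties them to the job definitions (outside this diff); a new image job that is added to one list but not the other, or defined but never listed, will silently run without ordering. A comment above each anchor such as `# One entry per *-container-image-* job; keep this list and the gate/check twin in sync with the job definitions` would at least make the contract explicit, and a project-template carrying both lists would remove the duplication. Because every dependency is `soft: true`, a molecule job proceeds when the corresponding image job is not triggered and then falls back to the committed registry reference, which appears to be the intended behaviour but is worth stating in the commit description. The deleted post-pipeline playbook signed pushed images with cosign; whether the new upload jobs that gate now depends on retain that step cannot be confirmed from this diff.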
@@ -13,20 +13,21 @@ # under the License. - secret: - name: registry_credentials + name: atmosphere-registry-credentials data: - username: robot$zuul - password: !encrypted/pkcs1-oaep - - OOykjodZE21qsYYLpzplp+PV0QbsKQ1B3+kI7bY97VQI/d5RlewqlNABc10eQnyYFSDvq - z2gSigSHxaVcV5qKJLTNVDgzSBHBj349OaTh6dXsxplvoArehfYMMZGuNmFlucoeN8K6w - yLRViN7tCS39CAYdjeNX1X7mQ7gBC61jUQ++JB+R5MhXmALJxzPfQRl9jsYmjx9ZXjEwE - tjKLSyQifQU20eXbhZOUW2nr+ItTikS3AOSo6Ja6jCI1c9lj6mJtUOorGsuxfdhEigPws - Qnz539imGcyqySSxvbJvgoEYxhE3dHFV5cJkomoHHHwLH0wbjAgBQtCMX3CvpxNX8sBfJ - MxvUkxY8VWt3CtJkdq+/eaCovCRn6GN5enI5tlUJgpAyV+PO6PvkTan6yC8lHMM5pD4jX - Hdo6gt6m9WyA5VxUHdoYYMaDO/rvCxxrUevzPn8do5I96madr9S9lFARqw74mgXG5I6pZ - M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p - k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X - o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI= + registry.atmosphere.dev: + username: robot$zuul + password: !encrypted/pkcs1-oaep + - OOykjodZE21qsYYLpzplp+PV0QbsKQ1B3+kI7bY97VQI/d5RlewqlNABc10eQnyYFSDvq + z2gSigSHxaVcV5qKJLTNVDgzSBHBj349OaTh6dXsxplvoArehfYMMZGuNmFlucoeN8K6w + yLRViN7tCS39CAYdjeNX1X7mQ7gBC61jUQ++JB+R5MhXmALJxzPfQRl9jsYmjx9ZXjEwE + tjKLSyQifQU20eXbhZOUW2nr+ItTikS3AOSo6Ja6jCI1c9lj6mJtUOorGsuxfdhEigPws + Qnz539imGcyqySSxvbJvgoEYxhE3dHFV5cJkomoHHHwLH0wbjAgBQtCMX3CvpxNX8sBfJ + MxvUkxY8VWt3CtJkdq+/eaCovCRn6GN5enI5tlUJgpAyV+PO6PvkTan6yC8lHMM5pD4jX + Hdo6gt6m9WyA5VxUHdoYYMaDO/rvCxxrUevzPn8do5I96madr9S9lFARqw74mgXG5I6pZ + M7zDXnorUFyv9dUIB2rOZrp7o0OC2thujjDTKXb4qfmfXGOwlkNmtCLo6BaDo9pSdRN8p + k0YnUAItZ64qUR7paEUKGy4rzsZjDYvIj7DrCFvLL2CXcyjPGcmcblpSHe5vJ15CFVH8X + o39FIIhSmehvrYJziGYUgf4JY1B6ktBtFc9l78WeoJRHNce+viSSkBj1fhbUaI= - secret: name: cosign_key
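Review bot: The secret is renamed to the hyphenated `atmosphere-registry-credentials`; Zuul exposes a job secret to playbooks as an Ansible variable of that name unless the job entry renames it, and hyphens are not valid in Ansible variable names, so confirm the consuming job (not in this diff) uses the `- name: <ansible_var_name>` / `secret: atmosphere-registry-credentials` form. Nesting the credential under the `registry.atmosphere.dev` key means the role that logs in must now select the entry matching the registry it pushes to; a one-line comment above `data:` stating that the keys are registry hostnames would make that contract explicit. The `!encrypted/pkcs1-oaep` blob is byte-identical to the removed one, so this is a rename and restructure only, with no credential rotation.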