[draft] RockyLinux 9.7

.github/workflows/stackhpc-all-in-one.yml

@@ -314,6 +314,26 @@ jobs:
         env:
           KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
 
+      - name: Pull container images
+        run: |
+          # Try up to 3 times to pull container images.
+          for attempt in $(seq 3); do
+              docker run -t --rm \
+                -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config \
+                -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \
+                ${{ steps.kayobe_image.outputs.kayobe_image }} \
+                /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/overcloud-container-image-pull.sh
+              if [ "$?" = "0" ]; then
+                  echo "Pulled container images on attempt $attempt"
+                  exit 0
+              fi
+              echo "Failed to pull container images on attempt $attempt"
+          done
+          echo "Failed to pull container imagers after $attempt attempts"
+          exit 1
+        env:
+          KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
+
       - name: Service deploy
         run: |
           docker run -t --rm \

.github/workflows/stackhpc-multinode-periodic.yml

@@ -7,6 +7,7 @@ name: Multinode periodic
   schedule:
     # Runs nightly at 2:42 AM.
     - cron: "42 2 * * *"
+  workflow_dispatch:
 jobs:
   generate-inputs:
     name: Generate inputs
@@ -31,7 +32,10 @@ jobs:
 
       - name: Display generated inputs
         run: |
-          echo '${{ toJSON(steps.generate-inputs.outputs) }}'
+          echo '## generated inputs:' > "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
+          echo '${{ toJSON(steps.generate-inputs.outputs) }}' | tee -a "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
   multinode:
     name: Multinode periodic
     needs:

.github/workflows/stackhpc-multinode.yml

@@ -46,17 +46,56 @@ name: Multinode
         description: How long to break execution for (minutes) (note that instances are cleaned up after 12h)
         type: number
         default: 60
+      use_my_ssh_key:
+        description: authorise my github ssh keys on Ansible control host
+        default: 'false'
+        type: boolean
       ssh_key:
-        description: SSH public key to authorise on Ansible control host
+        description: SSH public key to authorise on Ansible control host (if different from github ssh keys)
         type: string
       terraform_kayobe_multinode_version:
         description: terraform-kayobe-multinode version
         type: string
         default: main
+      small_cluster:
+        description: Create cluster with only 1 controller, 1 compute
+        default: 'false'
+        type: boolean
 jobs:
+  github_user_ssh_keys:
+    name: Retrieve actor github ssh keys
+    runs-on: ubuntu-latest
+    # Map a step output to a job output, this allows other jobs to be gated on the filter results
+    outputs:
+        ssh_keys: ${{ steps.compute_ssh_keys.outputs.ssh_keys }}
+    steps:
+      - name: Retrieve github user ssh keys or use provided ones
+        id: compute_ssh_keys
+        run: |
+          # encode array using jq: https://jstrieb.github.io/posts/github-actions-multiline-outputs/
+          if ${{ inputs.use_my_ssh_key }} && [ -z "${{ inputs.ssh_key }}" ]; then
+            echo "Fetching ssh keys for ${{ github.actor }}"
+            ssh_keys="$(gh api /users/${{ github.actor }}/keys --jq '[.[].key]' | jq --compact-output)"
+            if [ -z "${ssh_keys}" ]; then
+              echo "E: Unable to get '${{ github.actor }}' ssh keys (quotes added for clarity)"
+              exit 1
+            fi
+          elif [ -n "${{ inputs.ssh_key }}" ]; then
+            # single string to JSON array
+            ssh_keys="$(jq --raw-input --compact-output '.|[.]' <<<"${{ inputs.ssh_key }}")"
+          else
+            ssh_keys=''
+          fi
+          echo "ssh_keys=${ssh_keys}" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Show ssh_keys
+        run: |
+          echo "${{ steps.compute_ssh_keys.outputs.ssh_keys }}"
   multinode:
     name: Multinode
-    uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.4.1
+    needs: github_user_ssh_keys
+    uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@multi_ssh_keys
     with:
       multinode_name: ${{ inputs.multinode_name }}
       os_distribution: ${{ inputs.os_distribution }}
@@ -67,9 +106,11 @@ jobs:
       break_on: ${{ inputs.break_on }}
       # Workaround loss of number type using fromJSON: https://github.com/orgs/community/discussions/67182
       break_duration: ${{ fromJSON(inputs.break_duration) }}
-      ssh_key: ${{ inputs.ssh_key }}
+      ssh_keys: ${{ needs.github_user_ssh_keys.outputs.ssh_keys }}
       stackhpc_kayobe_config_version: ${{ github.ref_name }}
       # NOTE(upgrade): Reference the PREVIOUS and CURRENT releases here.
       stackhpc_kayobe_config_previous_version: ${{ inputs.upgrade == 'major' && 'stackhpc/2024.1' || 'stackhpc/2025.1' }}
       terraform_kayobe_multinode_version: ${{ inputs.terraform_kayobe_multinode_version }}
+      multinode_controller_count: ${{ inputs.small_cluster && 1 || 3 }}
+      multinode_compute_count: ${{ inputs.small_cluster && 1 || 3 }}
     secrets: inherit

etc/kayobe/kolla-image-tags.yml

@@ -4,25 +4,25 @@
 # where the key is the OS distro and the value is the tag to deploy.
 kolla_image_tags:
   openstack:
-    rocky-9: 2025.1-rocky-9-20250730T105631
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20250730T105631
   iscsid:
-    rocky-9: 2025.1-rocky-9-20251013T135156
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20251013T135156
   keystone:
-    rocky-9: 2025.1-rocky-9-20251031T094539
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20251031T094539
   kolla_toolbox:
-    rocky-9: 2025.1-rocky-9-20250905T151507
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20250905T151507
   magnum:
-    rocky-9: 2025.1-rocky-9-20251016T073648
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20251016T073648
   ovn:
-    rocky-9: 2025.1-rocky-9-20250915T100822
+    rocky-9: 2025.1-rocky-9-20251208T092405
   prometheus_libvirt_exporter:
-    rocky-9: 2025.1-rocky-9-20250822T151934
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20250822T151934
   rabbitmq:
-    rocky-9: 2025.1-rocky-9-20250905T151507
+    rocky-9: 2025.1-rocky-9-20251208T092405
     ubuntu-noble: 2025.1-ubuntu-noble-20250905T151507

etc/kayobe/kolla.yml

@@ -23,6 +23,11 @@ kolla_source_version: "{{ stackhpc_kolla_source_version }}"
 # Path in which to generate kolla configuration.
 #kolla_build_config_path:
 
+# View debug logs, like source downloads, during image build.
+kolla_build_extra_config: |
+  [DEFAULT]
+  debug = True
+
 ###############################################################################
 # Kolla-ansible installation.
 

etc/kayobe/kolla/kolla-build.conf

@@ -16,7 +16,7 @@ build_args = {{ (kolla_build_args | default({})).items() | map('join', ':') | jo
 [openstack-base]
 type = git
 location = https://github.com/stackhpc/requirements
-reference = stackhpc/{{ openstack_release }}
+reference = bump-django-4.2
 
 [etcd]
 version = 3.5.21
@@ -29,3 +29,8 @@ sha256 = amd64:1fd60b1fd59c239bed22719a5de402cb745d1f933540cb1ec196e2c03e6e8882,
 [magnum-conductor-plugin-helm]
 version = v3.18.2
 sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,arm64:03181a494a0916b370a100a5b2536104963b095be53fb23d1e29b2afb1c7de8d
+
+# TODO: move to kolla_sources in kolla.yml once https://review.opendev.org/c/openstack/kayobe/+/970268 is available
+[prometheus-cadvisor]
+version = 0.54.1
+sha256 = amd64:21be8d2797433048474e676d37c215c28fb171509448ef9b1c4648a564e39595,arm64:21f7bac786f6c53a8091964b4d3ff2486a0c460e5a410000b59a9a565b4183a9

etc/kayobe/ofed.yml

@@ -3,7 +3,10 @@
 
 ###############################################################################
 # DOCA host version
-stackhpc_pulp_doca_version: "{{ '2.9.3' if stackhpc_pulp_repo_rocky_9_minor_version == '6' else '2.9.1' }}"
+stackhpc_pulp_doca_version_matrix:
+    "6": 2.9.3
+    "7": 3.2.0
+stackhpc_pulp_doca_version: "{{ stackhpc_pulp_doca_version_matrix[stackhpc_pulp_repo_rocky_9_minor_version] | default('2.9.1') }}"
 
 ###############################################################################
 # Pulp configuration for DOCA OFED

etc/kayobe/pulp-host-image-versions.yml

@@ -1,5 +1,5 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
-stackhpc_rocky_9_overcloud_host_image_version: "2025.1-20251027T102633"
+stackhpc_rocky_9_overcloud_host_image_version: "2025.1-20251209T112113"
 stackhpc_ubuntu_noble_overcloud_host_image_version: "2025.1-20250930T144255"

etc/kayobe/pulp-repo-versions.yml

@@ -18,6 +18,7 @@ stackhpc_pulp_repo_doca_2_9_1_rhel9_5_version: 20241211T171301
 stackhpc_pulp_repo_doca_2_9_1_rhel9_5_modules_version: 20250115T150314
 stackhpc_pulp_repo_doca_2_9_3_rhel9_6_version: 20250703T135021
 stackhpc_pulp_repo_doca_2_9_3_rhel9_6_modules_version: 20250714T141841
+stackhpc_pulp_repo_doca_3_2_0_rhel9_version: 20251204T124815
 stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250616T155742
 stackhpc_pulp_repo_elrepo_9_version: 20250610T235426
 stackhpc_pulp_repo_elrepo_9_aarch64_version: 20250408T030629
@@ -76,6 +77,21 @@ stackhpc_pulp_repo_rocky_9_6_extras_version: 20250726T040613
 stackhpc_pulp_repo_rocky_9_6_extras_aarch64_version: 20250726T045704
 stackhpc_pulp_repo_rocky_9_6_highavailability_version: 20250605T150141
 stackhpc_pulp_repo_rocky_9_6_highavailability_aarch64_version: 20250605T150141
+stackhpc_pulp_repo_rocky_9_7_appstream_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_appstream_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_appstream_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_baseos_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_crb_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_extras_source_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_aarch64_version: 20251203T103807
+stackhpc_pulp_repo_rocky_9_7_highavailability_source_version: 20251203T103807
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250222T040303
 stackhpc_pulp_repo_rocky_9_sig_security_common_aarch64_version: 20250222T044743
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250620T063939

etc/kayobe/pulp.yml

@@ -200,8 +200,8 @@ stackhpc_pulp_distribution_deb_production: >-
 
 # Whether to sync Rocky Linux 9 packages.
 stackhpc_pulp_sync_rocky_9: "{{ os_distribution == 'rocky' }}"
-# Rocky 9 minor version number. Supported values: 6. Default is 6
-stackhpc_pulp_repo_rocky_9_minor_version: '6'
+# Rocky 9 minor version number. Supported values: 7. Default is 7
+stackhpc_pulp_repo_rocky_9_minor_version: '7'
 # Rocky 9 Snapshot versions. The defaults use the appropriate version from
 # pulp-repo-versions.yml for the selected minor release.
 

etc/kayobe/stackhpc-overcloud-dib.yml

@@ -56,11 +56,17 @@ stackhpc_overcloud_dib_env_vars_default:
   # Workaround for stack user home ownership bug
   DIB_IMAGE_CACHE: "/tmp/yum"
 
+# DIB_ROCKY_CONTAINER_STACKHPC_RESTORE_UPSTREAM_REPOFILES=true is important for
+# the multinode workflow, where we need to install packages (tmux) in cloudinit
+# or deploy-openstack-config.yml: /etc/yum.repos.d is empty in the built image.
 stackhpc_overcloud_dib_env_vars_ark:
   DIB_CONTAINERFILE_BUILDOPTS: >-
     --build-arg=ROCKY_USE_CUSTOM_DNF_MIRRORS=true
     --build-arg=ROCKY_CUSTOM_DNF_MIRROR_URLS={{ [stackhpc_repo_rocky_9_baseos_url, stackhpc_repo_rocky_9_appstream_url] | join(',') }}
+    --build-arg=DIB_ROCKY_CONTAINER_STACKHPC_RESTORE_UPSTREAM_REPOFILES=true
+    --build-arg=DIB_DEBUG_TRACE=1
   DIB_DISTRIBUTION_MIRROR: "{{ stackhpc_repo_ubuntu_noble_url if os_distribution == 'ubuntu' else '' }}"
+  DIB_DEBUG_TRACE: 1
 
 # StackHPC overcloud DIB image packages.
 stackhpc_overcloud_dib_packages:

etc/kayobe/trivy/allowed-vulnerabilities.yml

@@ -20,7 +20,10 @@ influxdb_allowed_vulnerabilities:
   - CVE-2024-45337
 magnum_conductor_allowed_vulnerabilities:
   - CVE-2024-45337
+opensearch_dashboards_allowed_vulnerabilities:
+  - CVE-2025-7783
 prometheus_blackbox_exporter_allowed_vulnerabilities:
+  - CVE-2024-24790
   - CVE-2024-45337
 prometheus_memcached_exporter_allowed_vulnerabilities:
   - CVE-2024-45337
@@ -31,7 +34,10 @@ prometheus_elasticsearch_exporter_allowed_vulnerabilities:
 prometheus_node_exporter_allowed_vulnerabilities:
   - CVE-2024-45337
 prometheus_openstack_exporter_allowed_vulnerabilities:
+  - CVE-2024-24790
   - CVE-2024-45337
+prometheus_ovn_exporter_allowed_vulnerabilities:
+  - CVE-2024-24790
 prometheus_libvirt_exporter_allowed_vulnerabilities:
   - CVE-2024-45337
 prometheus_cadvisor_allowed_vulnerabilities:

releasenotes/notes/rl9.7-c8d033f11097b76b.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Added support for Rocky Linux 9.7, including host packages and a full
+    container image refresh.
+    XXXX PENDING CONTAINER BUILD
+upgrade:
+  - |
+    9.7 is now the default release for Rocky Linux.