From 87f5d0a4c8012e0554af29c984f6707e61249de5 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Wed, 11 Sep 2024 16:46:18 +0000
Subject: [PATCH 1/4] Fix amphora image builds to use DIB bindep The amphora image builds are currently failing because we are trying to install the binary packages for diskimage-builder ourselves in the ansible for the job. This patch changes that to use the bindep.txt included with diskimage-builder.
Change-Id: I8e489b251ff0e58809b66c0145023769abef6e68
(cherry picked from commit d682e74d33073dede4476e8de3e20766dc49063a)
(cherry picked from commit 9cfdc84cb16968eadfc99bbf9ea22f147e355aca)
---
 playbooks/image-build/run.yaml | 52 +++++-----------------------------
 zuul.d/jobs.yaml | 7 +----
 2 files changed, 8 insertions(+), 51 deletions(-)
diff --git a/playbooks/image-build/run.yaml b/playbooks/image-build/run.yaml
index a19afe05a..5e0213582 100644
--- a/playbooks/image-build/run.yaml
+++ b/playbooks/image-build/run.yaml
@@ -8,51 +8,6 @@
 become: yes
 when:
 - ansible_os_family == 'RedHat'
- - name: Install apt packages
- apt:
- pkg: "{{ item }}"
- state: "latest"
- update_cache: yes
- register: install_packages
- become: yes
- until: install_packages is success
- retries: 5
- delay: 2
- with_items:
- - qemu-utils
- - uuid-runtime
- - curl
- - kpartx
- - python3-yaml
- - debootstrap
- - qemu
- - bc
- - python3-venv
- - python3-setuptools
- when:
- - ansible_os_family == 'Debian'
- - name: Install rpm packages
- dnf:
- pkg: "{{ item }}"
- state: "latest"
- update_cache: yes
- register: install_packages
- become: yes
- until: install_packages is success
- retries: 5
- delay: 2
- with_items:
- - qemu-img
- - uuid
- - curl
- - kpartx
- - python3-pyyaml
- - qemu-kvm
- - python3-setuptools
- - yum
- - podman
- when:
- - ansible_os_family == 'RedHat'
 - name: Install required pip packages
 pip:
 name: "{{ item }}"
@@ -65,7 +20,14 @@
 delay: 2
 become: yes
 with_items:
+ - bindep
 - diskimage-builder
+ - setuptools
+ - name: Install binary dependencies from diskimage-builder
+ include_role:
+ name: bindep
+ vars:
+ bindep_dir: "{{ ansible_user_dir }}/{{ zuul.projects['opendev.org/openstack/diskimage-builder'].src_dir }}"
 - name: Ensure artifacts/images directory exists
 file:
 path: '{{ ansible_user_dir }}/test-images'
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 07ed2a04e..783c6d483 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -172,6 +172,7 @@
 not Git master. This job does not publish the image.
 run: playbooks/image-build/run.yaml
 required-projects:
+ - openstack/diskimage-builder
 - openstack/octavia
 - openstack/octavia-lib
 vars:
@@ -184,8 +185,6 @@
 description: |
 Builds an Ubuntu Jammy amphora image using diskimage-builder from Git master. This job does not publish the image.
- required-projects:
- - openstack/diskimage-builder
 vars:
 amphora_os: ubuntu
 amphora_os_release: jammy
@@ -197,8 +196,6 @@
 description: |
 Builds a CentOS 9 Stream amphora image using diskimage-builder from Git master. This job does not publish the image.
- required-projects:
- - openstack/diskimage-builder
 vars:
 amphora_os: centos
 amphora_os_release: 9-stream
@@ -210,8 +207,6 @@
 description: |
 Builds a Rocky Linux 9 amphora image using diskimage-builder from Git master. This job does not publish the image.
- required-projects:
- - openstack/diskimage-builder
 vars:
 amphora_os: rocky
 amphora_os_release: 9
From efe3ee865ecd0f5e875fb0b00d0ecbbf1c8ebc83 Mon Sep 17 00:00:00 2001
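Review bot: In playbooks/image-build/run.yaml (hunk `@@ -65,7 +20,14 @@`) the pip task that now also installs `bindep` and `setuptools` runs with `become: yes` and lists bare package names, so the build node installs whatever the package index serves into the system Python as root before it produces an amphora image. The task's remaining arguments are outside the hunk; if no version pin or constraints file is set there, consider pinning, e.g. `- bindep==<PINNED_VERSION>`, or passing a constraints file through the pip module's `extra_args`. Separately, `bindep_dir` points at the Zuul checkout of diskimage-builder while the tool itself is installed from pip in the same list, so the bindep.txt that is read may not match the installed release; a one-line comment above the `include_role` task saying this skew is accepted would help the next maintainer.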
From: Tom Weininger
Date: Wed, 6 Nov 2024 11:44:04 +0100
Subject: [PATCH 2/4] Handle undefined protocol field in security group rules correctly Prevent AttributeError when protocol field is None and skip processing of the rule instead.
Closes-Bug: #2086768
Change-Id: I35e96fdd2c28a005811d6fdedb570ccc65e30e0a
(cherry picked from commit 430854c1372885c6082393c5449fadf401578634)
---
 octavia/network/drivers/neutron/allowed_address_pairs.py | 5 +++--
 .../network/drivers/neutron/test_allowed_address_pairs.py | 3 ++-
 ...ecuritygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml | 5 +++++
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
diff --git a/octavia/network/drivers/neutron/allowed_address_pairs.py b/octavia/network/drivers/neutron/allowed_address_pairs.py
index 61334da91..d450ea763 100644
--- a/octavia/network/drivers/neutron/allowed_address_pairs.py
+++ b/octavia/network/drivers/neutron/allowed_address_pairs.py
@@ -194,12 +194,13 @@ def _update_security_group_rules(self, load_balancer, sec_grp_id):
 # Don't remove egress rules and don't confuse other protocols with
 # None ports with the egress rules. VRRP uses protocol 51 and 112
 if (rule.get('direction') == 'egress' or
- rule.get('protocol').upper() not in
+ rule.get('protocol') is None or
+ rule['protocol'].upper() not in
 [constants.PROTOCOL_TCP, constants.PROTOCOL_UDP, lib_consts.PROTOCOL_SCTP]): continue old_ports.append((rule.get('port_range_max'),
- rule.get('protocol').lower(),
+ rule['protocol'].lower(),
 rule.get('remote_ip_prefix'))) add_ports = set(updated_ports) - set(old_ports)
diff --git a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
index 25362a57f..defdcd757 100644
--- a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
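Review bot: In `_update_security_group_rules` (octavia/network/drivers/neutron/allowed_address_pairs.py) a rule whose protocol is None now takes the same `continue` as egress rules, so it never enters `old_ports` and, as far as the hunk shows, is never considered for removal. A Neutron rule with no protocol matches every protocol, so an any-protocol ingress rule on this security group would be left in place without any trace in the logs. Consider a dedicated check for non-egress rules with no protocol that records it, e.g. `LOG.warning('Leaving rule %s without protocol on security group %s untouched', rule.get('id'), sec_grp_id)`, and extend the existing comment to say such rules are skipped on purpose. The function starts and ends outside the hunk, so whether `LOG` is in scope and how the removal set is derived from `old_ports` needs to be confirmed there.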
+++ b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
@@ -1071,7 +1071,8 @@ def test_update_vip(self):
 fake_rules = [
 {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp', 'remote_ip_prefix': '10.0.101.0/24'},
- {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'}
+ {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'},
+ {'id': 'rule-None', 'port_range_max': 22},
 ]
 list_rules = self.driver.network_proxy.security_group_rules
 list_rules.return_value = fake_rules
diff --git a/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
new file mode 100644
index 000000000..9e6cd7f01
--- /dev/null
+++ b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixed potential AttributeError during listener update when security group
+ rule had no protocol defined (ie. it was null).
From 1e1301ff8a748be008fc8a690d4e28ba1fd8b92a Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Thu, 6 Jun 2024 10:18:18 +0200
Subject: [PATCH 3/4] Don't install firewalld in the amphora When building rockylinux images, DIB install the Minimal Install group which pulls firewalld. By default it allows only SSH traffic, so we would need specific rules for the management and tenant traffic, but as we are using security groups, it's safe to remove firewalld.
Change-Id: I87a26faf6c72640d8916bc3452123a9b5a74d39f
(cherry picked from commit e8fd3b7843b4971796aac69e5b1627d55451d082)
---
 elements/amphora-agent/package-installs.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/elements/amphora-agent/package-installs.yaml b/elements/amphora-agent/package-installs.yaml
index 3ad31f362..c5fe07fc3 100644
--- a/elements/amphora-agent/package-installs.yaml
+++ b/elements/amphora-agent/package-installs.yaml
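Review bot: In `test_update_vip` the new fixture `{'id': 'rule-None', 'port_range_max': 22}` omits the `protocol` key, whereas the fix is described as handling a field that is present and null. Both shapes reach `rule.get('protocol') is None`, but a second entry such as `{'id': 'rule-null', 'port_range_max': 22, 'protocol': None},` would pin the reported case directly. The test's assertions are outside the hunk; it is worth confirming there that no delete is issued for either protocol-less rule, so the "skip" behaviour is asserted rather than only exercised.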
@@ -19,6 +19,10 @@ git-man:
 uninstall: True
 perl:
 uninstall: True
+# diskimage-builder installs firewalld in rockylinux, it's not needed as it
+# blocks management and tenant traffic by default and we use security groups
+firewalld:
+ uninstall: True
 libffi-dev:
 build-only: True
From a97dcca946307921d9feabd82653e5930d18e7fe Mon Sep 17 00:00:00 2001
From: Tom Weininger
Date: Mon, 3 Jun 2024 10:20:58 +0200
Subject: [PATCH 4/4] curl-minimal conflicts with already installed curl ... on Rocky 9 during DIB build.
2024-05-29 14:06:50.789 | > Error:
2024-05-29 14:06:50.789 | > Problem: problem with installed package curl-7.76.1-29.el9_4.x86_64
2024-05-29 14:06:50.789 | > - package curl-minimal-7.76.1-29.el9_4.x86_64 from baseos conflicts with curl provided by curl-7.76.1-29.el9_4.x86_64 from @System
2024-05-29 14:06:50.789 | > - package curl-minimal-7.76.1-29.el9_4.x86_64 from baseos conflicts with curl provided by curl-7.76.1-29.el9_4.x86_64 from baseos
2024-05-29 14:06:50.789 | > - conflicting requests
2024-05-29 14:06:50.789 | > (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
2024-05-29 14:06:50.789 | returncode: 1
2024-05-29 14:06:50.789 | install-packages failed with returncode 1
Change-Id: I444293e0d6fcf125d2c3b12144bdf92c00f49dce
(cherry picked from commit 5c0b011eacc9b5de1812bf2b52a663b192ff9d4a)
---
 elements/amphora-agent/pkg-map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/elements/amphora-agent/pkg-map b/elements/amphora-agent/pkg-map
index 55c461b54..36f98950a 100644
--- a/elements/amphora-agent/pkg-map
+++ b/elements/amphora-agent/pkg-map
@@ -26,7 +26,6 @@
 },
 "rocky": {
 "9": {
- "curl": "curl-minimal",
 "isc-dhcp-client": "dhcp-client",
 "python3-dev": "platform-python-devel",
 "python3-venv": "",
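Review bot: The `firewalld:` / `uninstall: True` entry added in elements/amphora-agent/package-installs.yaml is not scoped to rockylinux, so every amphora image built with this element ships without a host firewall and packet filtering rests entirely on Neutron security groups. The added comment should state that dependency explicitly, for example `# NOTE: no host firewall remains in the image; amphora ports must have security groups enforced`. Deployments whose management network runs with port security disabled would otherwise have no filtering in front of the amphora at all; this is inferred, since the network configuration is not visible in this patch.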