From 99b3857abe68f2000138ff7bb38702de1bfe80af Mon Sep 17 00:00:00 2001
From: Drew Hudson-Viles
Date: Tue, 18 Mar 2025 10:35:13 +0000
Subject: [PATCH] patch: adding rockylinux support to openstack and updating rockylinux goss package args from cloud-utils to cloud-utils-growpart.
---
 images/capi/Makefile | 4 +-
 .../ansible/roles/security/tasks/falco.yml | 80 ++++++++++++-------
 .../ansible/roles/security/tasks/trivy.yml | 39 ++++++---
 images/capi/packer/goss/goss-vars.yaml | 41 +++++-----
 images/capi/packer/openstack/packer.json | 2 +-
 .../capi/packer/openstack/rockylinux-8.json | 8 ++
 .../capi/packer/openstack/rockylinux-9.json | 8 ++
 7 files changed, 121 insertions(+), 61 deletions(-)
 create mode 100644 images/capi/packer/openstack/rockylinux-8.json
 create mode 100644 images/capi/packer/openstack/rockylinux-9.json
diff --git a/images/capi/Makefile b/images/capi/Makefile
index a676f6bffd..da5688f08f 100644
--- a/images/capi/Makefile
+++ b/images/capi/Makefile
@@ -380,7 +380,7 @@ OCI_BUILD_NAMES ?= oci-ubuntu-2004 oci-ubuntu-2204 oci-oracle-linux-8 oci-ora
 DO_BUILD_NAMES ?= do-centos-7 do-ubuntu-2004 do-ubuntu-2204 do-ubuntu-2404
-OPENSTACK_BUILD_NAMES ?= openstack-ubuntu-2004 openstack-ubuntu-2204 openstack-ubuntu-2404 openstack-flatcar
+OPENSTACK_BUILD_NAMES ?= openstack-ubuntu-2004 openstack-ubuntu-2204 openstack-ubuntu-2404 openstack-flatcar openstack-rockylinux-8 openstack-rockylinux-9
 OSC_BUILD_NAMES ?= osc-ubuntu-2004 osc-ubuntu-2204
@@ -825,6 +825,8 @@ build-node-ova-local-base-ubuntu-2004: ## Builds Ubuntu 20.04 Base Node OVA w lo
 build-openstack-ubuntu-2004: ## Builds Ubuntu 20.04 OpenStack image
 build-openstack-ubuntu-2204: ## Builds Ubuntu 22.04 OpenStack image
 build-openstack-ubuntu-2404: ## Builds Ubuntu 24.04 OpenStack image
+build-openstack-rockylinux-8: ## Builds RockyLinux 8 OpenStack image
+build-openstack-rockylinux-9: ## Builds RockyLinux 9 OpenStack image
 build-openstack-flatcar: ## Builds Flatcar OpenStack image
 build-openstack-all: $(OPENSTACK_BUILD_TARGETS)
diff --git a/images/capi/ansible/roles/security/tasks/falco.yml b/images/capi/ansible/roles/security/tasks/falco.yml
index f425d1b6c3..b1fbfbdfe1 100644
--- a/images/capi/ansible/roles/security/tasks/falco.yml
+++ b/images/capi/ansible/roles/security/tasks/falco.yml
@@ -14,44 +14,68 @@ --- -- name: Add Falco package signing key - ansible.builtin.apt_key: - url: https://falco.org/repo/falcosecurity-packages.asc - state: present +- name: Install Falco on Debian based systems when: ansible_os_family == "Debian" + block: + - name: Add Falco package signing key + ansible.builtin.apt_key: + url: https://falco.org/repo/falcosecurity-packages.asc + state: present -- name: Add Falco apt repo - ansible.builtin.apt_repository: - repo: deb https://download.falco.org/packages/deb stable main - state: present - filename: falcosecurity - when: ansible_os_family == "Debian" + - name: Add Falco apt repo + ansible.builtin.apt_repository: + repo: deb https://download.falco.org/packages/deb stable main + state: present + filename: falcosecurity -- name: Install Falco requirements - ansible.builtin.apt: - pkg: - - dkms - - make - - "linux-headers-{{ ansible_kernel }}" - - clang - - llvm - update_cache: true - state: present - ignore_errors: true - register: pkg_result - until: pkg_result is success - when: ansible_os_family == "Debian" + - name: Install Falco requirements + ansible.builtin.apt: + pkg: + - dkms + - make + - "linux-headers-{{ ansible_kernel }}" + - clang + - llvm + update_cache: true + state: present + ignore_errors: true + register: pkg_result + until: pkg_result is success + +- name: Install Falco on RedHat based systems + when: ansible_os_family == "RedHat" + block: + - name: Add Falco YUM repo + ansible.builtin.yum_repository: + name: Falco repository + description: Falco YUM repo + file: falcosecurity + baseurl: https://falco.org/repo/falcosecurity-rpm.repo + gpgcheck: true + enabled: true + gpgkey: https://falco.org/repo/falcosecurity-packages.asc + + - name: Install Falco requirements + ansible.builtin.dnf: + pkg: + - dkms + - make + - "kernel-devel-{{ ansible_kernel }}" + - clang + - llvm + - dialog + state: present + ignore_errors: true + register: pkg_result + until: pkg_result is success - name: Install Falco - 
ansible.builtin.apt: + ansible.builtin.package: name: falco - update_cache: true state: present - when: ansible_os_family == "Debian" - name: Enable Falco Modern eBPF ansible.builtin.service: name: falco-modern-bpf state: started enabled: true - when: ansible_os_family == "Debian" diff --git a/images/capi/ansible/roles/security/tasks/trivy.yml b/images/capi/ansible/roles/security/tasks/trivy.yml index 628ac8d00a..91a238b76f 100644 --- a/images/capi/ansible/roles/security/tasks/trivy.yml +++ b/images/capi/ansible/roles/security/tasks/trivy.yml 
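Review bot: In the new RedHat block, `baseurl: https://falco.org/repo/falcosecurity-rpm.repo` points at a `.repo` definition file rather than a repository directory, so dnf will find no `repodata/` there and the `Install Falco` task that follows fails on RedHat hosts. Either fetch that file into `/etc/yum.repos.d/` with `ansible.builtin.get_url`, or set `baseurl` to the package directory the `.repo` file declares (presumably the rpm counterpart of the `download.falco.org/packages/deb` URL used in the Debian block — verify before changing). The repo id `name: Falco repository` also contains a space, which dnf rejects as a repo id ("Bad id for repo") and then skips the repository; use an id such as `name: falcosecurity` and keep the human-readable text in `description`. The same repo-id problem appears in the trivy.yml hunk (`name: Trivy repository`).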
@@ -14,25 +14,38 @@ --- -- name: Add Trivy package signing key - ansible.builtin.apt_key: - url: https://aquasecurity.github.io/trivy-repo/deb/public.key - state: present - when: ansible_os_family == "Debian" - -- name: Add Trivy apt repo - ansible.builtin.apt_repository: - repo: "deb https://aquasecurity.github.io/trivy-repo/deb {{ansible_distribution_release}} main" - state: present - filename: trivy +- name: Install Trivy on Debian based systems when: ansible_os_family == "Debian" + block: + - name: Add Trivy package signing key + ansible.builtin.apt_key: + url: https://aquasecurity.github.io/trivy-repo/deb/public.key + state: present + + - name: Add Trivy apt repo + ansible.builtin.apt_repository: + repo: "deb https://aquasecurity.github.io/trivy-repo/deb {{ansible_distribution_release}} main" + state: present + filename: trivy + +- name: Install Trivy on RedHat based systems + when: ansible_os_family == "RedHat" + block: + - name: Add Trivy rpm repo + ansible.builtin.yum_repository: + name: Trivy repository + description: Trivy YUM repo + file: trivy + baseurl: https://aquasecurity.github.io/trivy-repo/rpm/releases/{{ ansible_distribution_release }}/{{ ansible_architecture }}/ + gpgcheck: true + enabled: true + gpgkey: https://aquasecurity.github.io/trivy-repo/rpm/public.keyy - name: Install Trivy - ansible.builtin.apt: + ansible.builtin.package: name: trivy update_cache: true state: present - when: ansible_os_family == "Debian" - name: Update Trivy DB to ensure latest records are available as of now ansible.builtin.command: trivy rootfs --download-db-only diff --git a/images/capi/packer/goss/goss-vars.yaml b/images/capi/packer/goss/goss-vars.yaml index d8a23cbbc4..05c6494c07 100644 --- a/images/capi/packer/goss/goss-vars.yaml +++ b/images/capi/packer/goss/goss-vars.yaml 
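Review bot: `gpgkey: https://aquasecurity.github.io/trivy-repo/rpm/public.keyy` has a typo in the key URL, and with `gpgcheck: true` the key import fails, so the `Install Trivy` task cannot succeed on RedHat hosts; it should read `gpgkey: https://aquasecurity.github.io/trivy-repo/rpm/public.key`. The `baseurl` also interpolates `ansible_distribution_release`, which on Rocky and other RHEL-family hosts is the release codename rather than the major version, so the path will not resolve; the Debian form is correct because apt suites are named by codename, but the rpm path should be `baseurl: https://aquasecurity.github.io/trivy-repo/rpm/releases/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/`. The repo id `name: Trivy repository` contains a space, which dnf rejects as a repo id; use something like `name: trivy` and keep the wording in `description`.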
@@ -331,6 +331,17 @@ rockylinux: - distro_version: "8" package: <<: *rh8_rpms + openstack: + package: + cloud-init: + cloud-utils-growpart: + os_version: + - distro_version: "8" + package: + <<: *rh8_rpms + - distro_version: "9" + package: + <<: *rh9_rpms rhel: common-package: *common_rpms amazon: @@ -405,24 +416,6 @@ rhel: - distro_version: "9" package: <<: *rh9_rpms - nutanix: - package: - cloud-init: - iscsi-initiator-utils: - nfs-utils: - lvm2: - xfsprogs: - os_version: - - distro_version: "8" - package: - <<: *rh8_rpms - - distro_version: "9" - package: - <<: *rh9_rpms - service: - iscsid: - enabled: true - running: false ubuntu: common-kernel-param: net.ipv4.conf.all.rp_filter: @@ -546,6 +539,18 @@ ubuntu: linux-tools-generic: huaweicloud: package: {} + openstack: + service: + networkd-dispatcher: + enabled: true + running: true + package: + linux-cloud-tools-virtual: + linux-tools-virtual: + open-vm-tools: + cloud-guest-utils: + cloud-initramfs-copymods: + cloud-initramfs-dyn-netconf: oracle linux: common-kernel-param: diff --git a/images/capi/packer/openstack/packer.json b/images/capi/packer/openstack/packer.json index 3ebc93fabe..4bf9d0379f 100644 --- a/images/capi/packer/openstack/packer.json +++ b/images/capi/packer/openstack/packer.json @@ -92,7 +92,7 @@ "ARCH": "amd64", "OS": "{{user `distro_name` | lower}}", "OS_VERSION": "{{user `os_version`}}", - "PROVIDER": "qemu", + "PROVIDER": "openstack", "containerd_version": "{{user `containerd_version`}}", "kubernetes_cni_deb_version": "{{ user `kubernetes_cni_deb_version` }}", "kubernetes_cni_rpm_version": "{{ split (user `kubernetes_cni_rpm_version`) \"-\" 0 }}", diff --git a/images/capi/packer/openstack/rockylinux-8.json b/images/capi/packer/openstack/rockylinux-8.json new file mode 100644 index 0000000000..c9b6954a54 --- /dev/null +++ b/images/capi/packer/openstack/rockylinux-8.json 
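Review bot: The removal of the `rhel.nutanix` block (its package list, `os_version` entries and the `iscsid` service checks) is not covered by the commit message, which only describes adding OpenStack support for rockylinux and the `cloud-utils` to `cloud-utils-growpart` rename. If this deletion is intentional it should be stated in the description; otherwise it looks like an accidental drop that removes goss validation for RHEL Nutanix images.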
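Review bot: Changing `"PROVIDER": "qemu"` to `"PROVIDER": "openstack"` changes which goss-vars.yaml section every existing OpenStack build looks up, not only the new rockylinux ones. This commit adds `openstack` sections for ubuntu and rockylinux, but `openstack-flatcar` is also in `OPENSTACK_BUILD_NAMES`; confirm its goss lookup still resolves under the new provider key, or add the missing section.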
@@ -0,0 +1,8 @@
+{
+ "build_name": "rockylinux-8",
+ "distro_name": "rockylinux",
+ "epel_rpm_gpg_key": "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8",
+ "os_version": "8",
+ "redhat_epel_rpm": "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm",
+ "ssh_username": "cloud-user"
+}
diff --git a/images/capi/packer/openstack/rockylinux-9.json b/images/capi/packer/openstack/rockylinux-9.json
new file mode 100644
index 0000000000..98a23982f8
--- /dev/null
+++ b/images/capi/packer/openstack/rockylinux-9.json
@@ -0,0 +1,8 @@
+{
+ "build_name": "rockylinux-9",
+ "distro_name": "rockylinux",
+ "epel_rpm_gpg_key": "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9",
+ "os_version": "9",
+ "redhat_epel_rpm": "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm",
+ "ssh_username": "cloud-user"
+}
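Review bot: `"ssh_username": "cloud-user"` is the default login of RHEL cloud images; stock Rocky Linux GenericCloud images use `rocky`, so Packer's SSH connection to the builder instance is likely to fail unless the source image has been customized. Confirm against the image actually used and change to `"ssh_username": "rocky"` if it is the stock image. The same value appears in the rockylinux-9.json hunk.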