OCPBUGS-35895: Sync from upstream 2024-08-21 #552
Fix patch path
Fix patch command, take two
Add ipxe support for arm64
Revert commit c3778af as the code is now included in the ironic package.
Bug 2080446: Sync with latest packages available
Bug 2088561: Update ironic packages to latest bugfix versions
…penshift-4.12-ironic Updating ironic images to be consistent with ART
Sync with upstream metal3-io ironic-image
In OpenShift we deploy Ironic only on one of the controlplane nodes. When the provisioning network is disabled, IPA talks to Ironic API via the node's IP address. If the Metal3 pod is relocated, IPA loses contact to Ironic API. Upstream in Metal3, this problem is solved via keepalived. We don't want to introduce another VIP in OpenShift, so instead this change adds a new script that launches httpd as a proxy to real Ironic. It will be deployed as a DaemonSet, making Ironic API available on the API VIP. The cluster-baremetal-operator will be responsible for updating the DaemonSet with the up-to-date real Ironic IP address.
METAL-256: Add a new entry point for the Ironic proxy
Merge from upstream metal3-io/ironic-image
The way httpd works, it requires a strict match of CommonName even if IP addresses are provided in SubjectAltName. This is not a setup we can support. On the other hand, we can validate that the Ironic peer uses the same TLS certificate as we do, so let's do it.
OCPBUGS-171: Fix IRONIC_EXTERNAL_IP when TLS is used for virtual media
ironic-proxy: never validate TLS peer name
Update dependencies for OCP 4.12
Update ironic and ironic-inspector for OCP 4.12
Bug 2104275: sync the ValueDisplayName fix
Update sushy to 4.3.0 (Zed final)
…penshift-4.18-ironic OCPBUGS-38275: Updating ironic-container image to be consistent with ART for 4.18
Most recent available is still from 4.17 but we should update it to avoid errors in the pipeline as the current one is too old.
OCPBUGS-38406: Update root image
OCPBUGS-38077: update sushy to pick up the RAID fix
Suppress the listing of files and directories being compiled/searched. compileall will still output any errors but they will no longer get lost in the 3000+ lines of output.
METAL-1123: Suppress file listing of compiled py files
OCPBUGS-38596: Update ironic version in ironic-image
OCPBUGS-38521: set min version for python3-webob
OCPBUGS-38782: redfish-virtualmedia fails on XFusion nodes
openshift#532 removes ironic inspector but missed scos and fcos dockerfiles
NO-ISSUE: fix scos and fcos dockerfiles to remove ironic-inspector
OCPBUGS-36492: Bump ironic-lib to fix utf8 decoding issue
The current `Listen` directive does not work on systems that have IPv6 disabled. The Apache Listen directive supports `Listen <port>` syntax at which point it seems to be able to listen correctly on both dual stack and IPv4 only systems. See https://httpd.apache.org/docs/2.4/bind.html for more details.
Signed-off-by: Owen Thomas <owen@owen-thomas.co.uk>
Signed-off-by: Mahnoor Asghar <masghar@redhat.com>
We don't really need it in the final image.
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
This is an attempt to bring ipxe closer to the current version and include some improvements and bug fixes. As a first step we build and install ipxe using a commit hash, as no stable versions have been released since December 2020. We point the ipxe commit hash to [1] from November 2021, so roughly a year of changes is included. To see the complete list of changes run: `git log --pretty=oneline 988d2c1..9062544` from a local clone of the ipxe repository. In general the changes included between the stable 1.21.1 version and the currently chosen hash improve compatibility with recent gcc and build libraries, while fixing numerous bugs. This change also introduces a build arg to allow choosing the ipxe commit hash at container build time.
[1] ipxe/ipxe@9062544
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the /proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled. Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled.
Note: Upstream commit changed to only set fips= when the value is 1 https://issues.redhat.com//browse/OCPBUGS-39536
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
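The FIPS detection described in the commit message above, sketched as an added example (not the ironic-image script itself): it reads the `fips_enabled` file and appends `fips=1` to a kernel parameter string only when the host is in FIPS mode, never emitting `fips=0`. The function names, the second (file path) argument, the removal of a stale `fips=` token and the sample parameter string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and arguments are hypothetical,
# not taken from the ironic-image repository.

# fips_state [FILE]
# Prints 1 when FILE contains exactly "1" (whitespace ignored), else 0.
# A missing or unreadable file is treated as "FIPS disabled".
fips_state() {
    file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$file" ] || { echo 0; return 0; }
    value=$(tr -d '[:space:]' < "$file")
    if [ "$value" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# ipa_kernel_params EXISTING [FILE]
# Prints EXISTING with any stale fips=... token dropped (an assumption,
# so repeated runs stay idempotent) and "fips=1" appended only when the
# host is in FIPS mode. "fips=0" is never written.
# The body runs in a subshell so "set -f" and variables do not leak.
ipa_kernel_params() (
    set -f                      # no glob expansion while splitting tokens
    existing=$1
    file=${2:-/proc/sys/crypto/fips_enabled}
    out=""
    for tok in $existing; do
        case "$tok" in
            fips=*) ;;          # drop whatever value was there before
            *) out="${out:+$out }$tok" ;;
        esac
    done
    if [ "$(fips_state "$file")" = "1" ]; then
        out="${out:+$out }fips=1"
    fi
    printf '%s\n' "$out"
)

# Constructed sample parameter string; result depends on the local host.
ipa_kernel_params "ipa-debug=1 fips=0"
```
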
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[4.17] OCPBUGS-38511: set min version for python3-webob
This includes the new feature to enable FIPS mode for IPA on FIPS-enabled systems.
--
Replacement for openshift#563, as Riccardo is away and I can't update his PR.
The new version avoids setting fips=0 due to https://issues.redhat.com//browse/OCPBUGS-39536