diff --git a/.github/workflows/container-build-freezer.yaml b/.github/workflows/container-build-freezer.yaml index a8cb717..848c4fb 100644 --- a/.github/workflows/container-build-freezer.yaml +++ b/.github/workflows/container-build-freezer.yaml @@ -26,7 +26,7 @@ on: type: choice options: - master - - stable/2025.2 + - stable/2025.1 project-version: description: 'Version of OpenStack freezer to build, defaults to openstack-constraints if unspecified' required: false @@ -37,7 +37,7 @@ env: IMAGE_NAME: ${{ github.repository }}/freezer project_version: ${{ github.event.inputs.project-version }} openstack_constraints: > - ["stable/2025.2"] + ["stable/2025.1"] jobs: init: @@ -157,4 +157,4 @@ jobs: build-args: | OS_VERSION=${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }} OS_CONSTRAINTS=${{ matrix.openstack-constraints }} - CACHEBUST=${{ github.sha }} \ No newline at end of file + CACHEBUST=${{ github.sha }} diff --git a/.github/workflows/container-build-nova-ceph.yaml b/.github/workflows/container-build-nova-ceph.yaml new file mode 100644 index 0000000..659d588 --- /dev/null +++ b/.github/workflows/container-build-nova-ceph.yaml 
@@ -0,0 +1,180 @@ +--- +name: Create and publish a nova-ceph image + +permissions: + actions: read + contents: read + id-token: write + packages: write + pull-requests: write + security-events: write + +on: + pull_request: + paths: + - .github/workflows/container-build-nova-ceph.yaml + - ContainerFiles/nova-ceph + - scripts/nova-ceph-cve-patching.sh + schedule: + - cron: '0 0 * * 0' # Run Weekly at midnight UTC + workflow_dispatch: + inputs: + openstack-constraints: + description: 'Version of OpenStack Constraints to use' + required: true + default: "master" + type: choice + options: + - master + - stable/2024.1 + - stable/2025.1 + novnc-version: + description: 'Version of novnc to use' + required: true + default: " v1.6.0" + type: choice + options: + - "master" + - "v1.6.0" + project-version: + description: 'Version of OpenStack nova-ceph to build, defaults to openstack-constraints if unspecified' + required: false + type: string + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }}/nova-ceph + project_version: ${{ github.event.inputs.project-version }} + # NOTE(cloudnull): This is used to parse the workflow_dispatch inputs, sadly the inputs are not available in the + # workflow_dispatch event, so they're being stored in the environment variables. This is a + # workaround until there's a better way to handle this. 
+ openstack_constraints: > + ["stable/2024.1", "stable/2025.1"] + novnc_version: > + ["v1.6.0"] + +jobs: + init: + runs-on: ubuntu-latest + outputs: + openstack-constraints: ${{ steps.generate-matrix.outputs.openstack_constraints }} + novnc-version: ${{ steps.generate-matrix.outputs.novnc_version }} + steps: + - name: generate-matrix + id: generate-matrix + run: | + if [ "${{ github.event_name == 'workflow_dispatch' }}" = "true" ]; then + openstack_constraints="$(echo '${{ github.event.inputs.openstack-constraints }}' | jq -R '[select(length>0)]' | jq -c '.')" + novnc_version="$(echo '${{ github.event.inputs.novnc-version }}' | jq -R '[select(length>0)]' | jq -c '.')" + fi + echo "openstack_constraints=${openstack_constraints:-${{ env.openstack_constraints }}}" >> $GITHUB_OUTPUT + echo "novnc_version=${novnc_version:-${{ env.novnc_version }}}" >> $GITHUB_OUTPUT + build-and-push-image: + needs: + - init + strategy: + matrix: + openstack-constraints: ${{ fromJSON(needs.init.outputs.openstack-constraints)}} + novnc-version: ${{ fromJSON(needs.init.outputs.novnc-version) }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Dynamically set MY_DATE environment variable + run: echo "MY_DATE=$(date +%s)" >> $GITHUB_ENV + - name: Dynamically set OS_VERSION_PARSE environment variable + run: | + VERSION=$(echo -n "${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }}" | awk -F'/' '{($2=="" ? 
x=$1 : x=$2); print x}') + echo "OS_VERSION_PARSE=${VERSION}" >> $GITHUB_ENV + NAME=$(echo -n "${{ env.IMAGE_NAME }}" | awk -F'/' '{print $NF}') + echo "CATEGORY_NAME=${VERSION}-${NAME}" >> $GITHUB_ENV + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + - name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + file: ContainerFiles/nova-ceph + push: false + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + tags: | + ${{ env.IMAGE_NAME }}:local + labels: ${{ steps.meta.outputs.labels }} + build-args: | + OS_VERSION=${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }} + OS_CONSTRAINTS=${{ matrix.openstack-constraints }} + NOVNC_VERSION=${{ matrix.novnc-version }} + CACHEBUST=${{ github.sha }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }} + with: + image-ref: '${{ env.IMAGE_NAME }}:local' + format: 'sarif' + output: 'trivy-results.sarif' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + - name: Upload Trivy scan results to GitHub Security tab + continue-on-error: true + if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + category: "${{ env.CATEGORY_NAME }}" + - name: Run Trivy scanner + uses: aquasecurity/trivy-action@0.28.0 + if: ${{ github.event_name == 'pull_request' }} + with: + image-ref: '${{ env.IMAGE_NAME }}:local' + output: trivy.txt + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + - name: Create trivy output file in markdown 
format + if: ${{ github.event_name == 'pull_request' }} + run: | + if [[ -s trivy.txt ]]; then + echo "### Security Output" > trivy-output.txt + echo '```terraform' >> trivy-output.txt + cat trivy.txt >> trivy-output.txt + echo '```' >> trivy-output.txt + fi + - name: Publish Trivy Output to Summary + if: ${{ github.event_name == 'pull_request' }} + run: | + if [[ -s trivy-output.txt ]]; then + { + cat trivy-output.txt + } >> $GITHUB_STEP_SUMMARY + fi + - name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + file: ContainerFiles/nova-ceph + push: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }} + cache-from: type=gha + cache-to: type=gha,mode=max + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.OS_VERSION_PARSE }}-latest + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.OS_VERSION_PARSE }}-${{ env.MY_DATE }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + OS_VERSION=${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }} + OS_CONSTRAINTS=${{ matrix.openstack-constraints }} + NOVNC_VERSION=${{ matrix.novnc-version }} + CACHEBUST=${{ github.sha }} diff --git a/.github/workflows/container-build-openstack-venv.yaml b/.github/workflows/container-build-openstack-venv.yaml index b1321d9..a17cbf9 100644 --- a/.github/workflows/container-build-openstack-venv.yaml +++ b/.github/workflows/container-build-openstack-venv.yaml @@ -21,7 +21,7 @@ on: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }}/openstack-venv - PYTHON_VERSION: 3.12 + PYTHON_VERSION: 3.13 CATEGORY_NAME: openstack-venv jobs: diff --git a/.github/workflows/container-build-zaqar.yaml b/.github/workflows/container-build-zaqar.yaml index 1276321..3612761 100644 --- a/.github/workflows/container-build-zaqar.yaml +++ b/.github/workflows/container-build-zaqar.yaml 
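Review bot: The free-form `project-version` input is expanded by `${{ … }}` straight into the shell text of the "Dynamically set OS_VERSION_PARSE environment variable" step, so its value is parsed as shell source in a workflow that grants `packages: write` and `id-token: write`. Pass it through the step environment instead, with an `env:` entry such as `OS_VERSION_INPUT: ${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }}`, and have the script read `"${OS_VERSION_INPUT}"`. The two `github.event.inputs.*` expansions in `generate-matrix` deserve the same treatment even though they are choice inputs. Separately, `default: " v1.6.0"` for `novnc-version` carries a leading space and so does not match the listed option `"v1.6.0"`. Neither Trivy step sets `exit-code`, so as far as the visible inputs show, CRITICAL/HIGH findings are reported but do not stop the final push step.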
@@ -113,6 +113,7 @@ jobs: output: 'trivy-results.sarif' ignore-unfixed: true severity: 'CRITICAL,HIGH' + skip-files: '**/autobahn/wamp/cryptosign.py' - name: Upload Trivy scan results to GitHub Security tab continue-on-error: true if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }} @@ -128,6 +129,7 @@ jobs: output: trivy.txt ignore-unfixed: true severity: 'CRITICAL,HIGH' + skip-files: '**/autobahn/wamp/cryptosign.py' - name: Create trivy output file in markdown format if: ${{ github.event_name == 'pull_request' }} run: | diff --git a/ContainerFiles/alert-proxy b/ContainerFiles/alert-proxy index 1547044..d3879da 100644 --- a/ContainerFiles/alert-proxy +++ b/ContainerFiles/alert-proxy @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 @@ -26,7 +26,7 @@ RUN find / -name '*.pyc' -delete \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/client.key \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="alert-proxy" diff --git a/ContainerFiles/apache b/ContainerFiles/apache index ed8fc56..161901c 100644 --- a/ContainerFiles/apache +++ b/ContainerFiles/apache @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 LABEL maintainer="Rackspace" 
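Review bot: `skip-files: '**/autobahn/wamp/cryptosign.py'` removes that file from the Trivy run without saying which finding it silences, so any later, genuine finding under the same path is hidden as well. Add a comment above the input that names the finding and why it is accepted, e.g. `# cryptosign.py: <FINDING-ID placeholder> is a false positive, see <ISSUE placeholder>`. If the finding can be suppressed by its ID (for instance through a `.trivyignore` entry), prefer that over skipping the whole file. The same line is added to the pull_request scan step in the second hunk (`@@ -128,6 +129,7 @@`).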
@@ -39,7 +39,7 @@ RUN find / -name '*.pyc' -delete \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="Apache2 with mod_wsgi ${MOD_WSGI_VERSION}" diff --git a/ContainerFiles/barbican b/ContainerFiles/barbican index b9094e2..38bbd59 100644 --- a/ContainerFiles/barbican +++ b/ContainerFiles/barbican @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -46,13 +46,13 @@ RUN find / -name '*.pyc' -delete \ && find / -name '*.pyo' -delete \ && find / -name '__pycache__' -delete \ && find / -name '*.whl' -delete \ - && rm -f /var/lib/openstack/lib/python3.12/site-packages/kmip/demos/certs/server.key \ + && rm -f /var/lib/openstack/lib/python3.13/site-packages/kmip/demos/certs/server.key \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/client.key \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="barbican" diff --git a/ContainerFiles/blazar b/ContainerFiles/blazar index ab724a8..7ed8b90 100644 --- a/ContainerFiles/blazar +++ b/ContainerFiles/blazar 
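Review bot: The demo-key cleanup in ContainerFiles/barbican (`@@ -46,13 +46,13 @@`) still hard-codes the interpreter version in `rm -f /var/lib/openstack/lib/python3.13/site-packages/kmip/demos/certs/server.key`. Because `rm -f` succeeds on a missing path, the KMIP demo private key would silently remain under /var/lib/openstack the next time the venv's Python version changes. The two slapdtest lines directly below already use a glob; match them with `&& rm -f /var/lib/openstack/lib/python*/site-packages/kmip/demos/certs/server.key \`. ContainerFiles/openstack-client has the same hard-coded `python3.13` (and `PyJWT-2.10.1`) path in its `sed -i` line at `@@ -91,10 +91,10 @@`, where the other images use `python*` and `PyJWT-*`. The RUN instruction starts above this hunk.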
@@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -51,7 +51,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="blazar" diff --git a/ContainerFiles/ceph-libs b/ContainerFiles/ceph-libs index 13bf5cd..0da84e4 100644 --- a/ContainerFiles/ceph-libs +++ b/ContainerFiles/ceph-libs @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG CEPH_VERSION=main @@ -102,7 +102,7 @@ WORKDIR /opt/ceph/build RUN ninja rbd rados cephfs RUN ninja install -FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:3.12-latest +FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:3.13-latest LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ceph-libs" diff --git a/ContainerFiles/cinder b/ContainerFiles/cinder index 97fcb6c..9743283 100644 --- a/ContainerFiles/cinder +++ b/ContainerFiles/cinder 
@@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -55,7 +55,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="cinder" @@ -63,7 +63,7 @@ LABEL org.opencontainers.image.description="OpenStack Service (cinder) built for COPY --from=dependency_build /var/lib/openstack /var/lib/openstack RUN export DEBIAN_FRONTEND=noninteractive \ && apt-get update && apt-get upgrade -y \ - && apt-get install --no-install-recommends -y libxml2 multipath-tools open-iscsi qemu-block-extra qemu-utils systemctl lsscsi nvme-cli sudo nfs-common \ + && apt-get install --no-install-recommends -y libxml2 multipath-tools open-iscsi qemu-block-extra qemu-utils systemd lsscsi nvme-cli sudo nfs-common \ && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ && apt-get clean -y \ && rm -rf /var/lib/apt/lists/* \ diff --git a/ContainerFiles/cloudkitty b/ContainerFiles/cloudkitty index 12c5dcc..0214486 100644 --- a/ContainerFiles/cloudkitty +++ b/ContainerFiles/cloudkitty @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master 
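Review bot: In the cinder runtime stage (`@@ -63,7 +63,7 @@`) the `apt-get install` line now pulls in `systemd` where it previously installed `systemctl`, which, as far as I know, was a standalone daemonless replacement. The full init system and its dependencies enlarge what ships in the image and what the CRITICAL/HIGH scan has to cover. If the swap is only because the old package is unavailable on trixie (an assumption; the hunk does not say), record that in a comment above the RUN, e.g. `# systemd: provides the systemctl binary on trixie; the standalone systemctl package was used on bookworm`. Also confirm that nothing in the container expects a running systemd instance. The RUN instruction continues past the end of the hunk.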
@@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="cloudkitty" diff --git a/ContainerFiles/designate b/ContainerFiles/designate index a4929f6..4175b11 100644 --- a/ContainerFiles/designate +++ b/ContainerFiles/designate @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="designate" diff --git a/ContainerFiles/freezer b/ContainerFiles/freezer index 6cf98e0..bae1c02 100644 --- a/ContainerFiles/freezer +++ b/ContainerFiles/freezer @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master 
@@ -51,7 +51,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="freezer" diff --git a/ContainerFiles/glance b/ContainerFiles/glance index 756ef92..1d7cd0d 100644 --- a/ContainerFiles/glance +++ b/ContainerFiles/glance @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -55,7 +55,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="glance" diff --git a/ContainerFiles/heat b/ContainerFiles/heat index 5e28cf8..c1074cd 100644 --- a/ContainerFiles/heat +++ b/ContainerFiles/heat @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -50,7 +50,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="heat" 
@@ -61,7 +61,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ && apt-get install --no-install-recommends -y curl \ libxml2 \ libxslt1.1 \ - libopenmpi3 \ + libopenmpi40 \ && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ && apt-get clean -y \ && rm -rf /var/lib/apt/lists/* \ diff --git a/ContainerFiles/horizon b/ContainerFiles/horizon index a9463c2..21be045 100644 --- a/ContainerFiles/horizon +++ b/ContainerFiles/horizon @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master diff --git a/ContainerFiles/ironic-api b/ContainerFiles/ironic-api index 383c8d5..ed91521 100644 --- a/ContainerFiles/ironic-api +++ b/ContainerFiles/ironic-api @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ironic-api" diff --git a/ContainerFiles/ironic-conductor b/ContainerFiles/ironic-conductor index c5baa5e..fc992f0 100644 --- a/ContainerFiles/ironic-conductor +++ b/ContainerFiles/ironic-conductor 
@@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -50,7 +50,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ironic-conductor" diff --git a/ContainerFiles/ironic-inspector b/ContainerFiles/ironic-inspector index a87903b..d384eb3 100644 --- a/ContainerFiles/ironic-inspector +++ b/ContainerFiles/ironic-inspector @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ironic-inspector" diff --git a/ContainerFiles/ironic-pxe b/ContainerFiles/ironic-pxe index 5b5d781..267a842 100644 --- a/ContainerFiles/ironic-pxe +++ b/ContainerFiles/ironic-pxe 
@@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ironic-pxe" diff --git a/ContainerFiles/keystone b/ContainerFiles/keystone index 516750a..a61659c 100644 --- a/ContainerFiles/keystone +++ b/ContainerFiles/keystone @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master diff --git a/ContainerFiles/kube-ovn b/ContainerFiles/kube-ovn index 5795d4e..59ecb75 100644 --- a/ContainerFiles/kube-ovn +++ b/ContainerFiles/kube-ovn @@ -3,7 +3,7 @@ # https://docs.docker.com/develop/develop-images/multistage-build/ ARG KUBE_OVN_VERSION=v1.14.4 -FROM golang:1.25-bookworm AS dependency_build +FROM golang:1.25-trixie AS dependency_build ARG KUBE_OVN_VERSION_ENV=v1.14.4 ARG CACHEBUST=0 RUN export DEBIAN_FRONTEND=noninteractive \ diff --git a/ContainerFiles/kubectl b/ContainerFiles/kubectl index 97681c4..0deb985 100644 --- a/ContainerFiles/kubectl +++ b/ContainerFiles/kubectl @@ -1,5 +1,5 @@ # Simple, reliable kubectl container for Velero operations -FROM debian:bookworm-slim +FROM debian:trixie-slim # Set kubectl version ARG KUBECTL_VERSION=v1.34.1 ARG TARGETARCH=amd64 
diff --git a/ContainerFiles/kubernetes-entrypoint b/ContainerFiles/kubernetes-entrypoint index 5fc9ed1..b6f93d8 100644 --- a/ContainerFiles/kubernetes-entrypoint +++ b/ContainerFiles/kubernetes-entrypoint @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -FROM golang:1.24-bookworm AS dependency_build +FROM golang:1.24-trixie AS dependency_build RUN export DEBIAN_FRONTEND=noninteractive \ && apt-get update && apt-get upgrade -y \ && apt-get install --no-install-recommends -y \ diff --git a/ContainerFiles/libguestfs b/ContainerFiles/libguestfs index 63a0f24..1ea9df2 100644 --- a/ContainerFiles/libguestfs +++ b/ContainerFiles/libguestfs @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG GUESTFS_VERSION=master ARG GUESTFS_HIVEX_VERSION=master @@ -23,14 +23,11 @@ RUN export DEBIAN_FRONTEND=noninteractive \ git \ gperf \ libacl1-dev \ - libacl1-dev \ libaugeas-dev \ libbpf-dev \ libcap-dev \ - libcap-dev \ libcap-ng-dev \ libconfig-dev \ - libconfig-dev \ libffi-dev \ libfuse-dev \ libhivex-dev \ @@ -43,7 +40,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ libsasl2-dev \ libssl-dev \ libsystemd-dev \ - libtsk-dev \ + libtirpc-dev \ libtsk-dev \ libvirt-dev \ libxdp-dev \ @@ -51,18 +48,14 @@ RUN export DEBIAN_FRONTEND=noninteractive \ libxslt1-dev \ libxslt1.1 \ libyara-dev \ - libyara-dev \ opam \ pkg-config \ qemu-block-extra \ - qemu-block-extra \ qemu-system \ qemu-utils \ - qemu-utils \ rsync \ ssl-cert \ supermin \ - supermin \ xmlsec1 \ xorriso \ zstd 
@@ -97,7 +90,7 @@ RUN PROC="$([ nproc > 4 ] && echo 4 || nproc)" make -j $PROC RUN make INSTALLDIRS=vendor REALLY_INSTALL=yes install -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="libguestfs" diff --git a/ContainerFiles/magnum b/ContainerFiles/magnum index 2475a41..eb40cfb 100644 --- a/ContainerFiles/magnum +++ b/ContainerFiles/magnum @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -51,7 +51,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="magnum" diff --git a/ContainerFiles/manila b/ContainerFiles/manila index f7127fa..be39816 100644 --- a/ContainerFiles/manila +++ b/ContainerFiles/manila @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master 
@@ -51,7 +51,7 @@ RUN find / -name '*.pyc' -delete \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="manila" diff --git a/ContainerFiles/masakari b/ContainerFiles/masakari index c20a796..6d7931c 100644 --- a/ContainerFiles/masakari +++ b/ContainerFiles/masakari @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="masakari" diff --git a/ContainerFiles/masakari-monitors b/ContainerFiles/masakari-monitors index 9531e22..a45feba 100644 --- a/ContainerFiles/masakari-monitors +++ b/ContainerFiles/masakari-monitors @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG OS_VERSION=master ARG OS_CONSTRAINTS=master 
@@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="masakari-monitors" diff --git a/ContainerFiles/nova-ceph b/ContainerFiles/nova-ceph new file mode 100644 index 0000000..6e2543a --- /dev/null +++ b/ContainerFiles/nova-ceph @@ -0,0 +1,30 @@ +# syntax = docker/dockerfile:1 +# This Dockerfile uses multi-stage build to customize DEV and PROD images: +# https://docs.docker.com/develop/develop-images/multistage-build/ + +ARG VENV_TAG=3.12-latest + +FROM quay.io/rackspace/rackerlabs-nova-efi:2024.1-ubuntu_jammy-1737928811 +LABEL maintainer="Rackspace" +LABEL vendor="Rackspace OpenStack Team" +LABEL org.opencontainers.image.name="nova-ceph" +LABEL org.opencontainers.image.description="Nova container with ceph built for the enterprise." + +RUN export DEBIAN_FRONTEND=noninteractive \ + && apt-get update && apt-get upgrade -y \ + && apt-get install --no-install-recommends -y qemu-block-extra \ + && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ + && apt-get clean -y \ + && rm -rf /var/lib/apt/lists/* \ + && rm -rf /etc/ssh/ssh_host_*_key \ + && find / -name '*.pyc' -delete \ + && find / -name '*.pyo' -delete \ + && find / -name '__pycache__' -delete +# Set the environment variables for the nova venv +ENV PATH="/var/lib/openstack/bin:$PATH" +# Set the working directory +WORKDIR /var/lib/openstack +# Set the user and group to match the original build +USER 42424:42424 +# Set the entrypoint to the nova-manage command +ENTRYPOINT ["/var/lib/openstack/bin/nova-manage"] diff --git a/ContainerFiles/octavia b/ContainerFiles/octavia index fe7ecd0..7ba3bd3 100644 
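Review bot: The new ContainerFiles/nova-ceph declares none of the build arguments its workflow passes (`OS_VERSION`, `OS_CONSTRAINTS`, `NOVNC_VERSION`, `CACHEBUST`), and its only `FROM` is the fixed tag `rackerlabs-nova-efi:2024.1-ubuntu_jammy-1737928811`. Every matrix entry therefore builds the same content, and the `stable/2025.1` run would publish a `2025.1-latest` tag on what appears to be a 2024.1 image. Either derive the base tag from an `ARG` declared before `FROM`, or restrict the workflow matrix to the release this base actually contains. `ARG VENV_TAG=3.12-latest` is unused here and stale against the 3.13 move in the rest of the commit, and the "multi-stage build" header comment does not describe this single-stage file; both can go. Pinning the base by digest (`@sha256:<DIGEST placeholder>`) would also tie the published image to a known base.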
--- a/ContainerFiles/octavia +++ b/ContainerFiles/octavia @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -55,7 +55,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="octavia" diff --git a/ContainerFiles/openstack-client b/ContainerFiles/openstack-client index c2dce59..5aff658 100644 --- a/ContainerFiles/openstack-client +++ b/ContainerFiles/openstack-client @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_CONSTRAINTS=master @@ -17,7 +17,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ git \ libffi-dev \ pkg-config \ - ssl-cert + ssl-cert # package list pulled from here: https://opendev.org/openstack/heat/src/branch/master/requirements.txt RUN /var/lib/openstack/bin/pip install --constraint https://opendev.org/openstack/requirements/raw/branch/${OS_CONSTRAINTS}/upper-constraints.txt \ pbr \ @@ -28,7 +28,7 @@ RUN /var/lib/openstack/bin/pip install --constraint https://opendev.org/openstac keystoneauth1 \ keystonemiddleware \ lxml> \ - netaddr \ + netaddr \ neutron-lib \ openstacksdk \ oslo.cache\ 
@@ -91,10 +91,10 @@ RUN find / -name '*.pyc' -delete \ && find / -name '*.whl' -delete \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/client.key \ && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \ - && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python3.12/site-packages/PyJWT-2.10.1.dist-info/METADATA + && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python3.13/site-packages/PyJWT-2.10.1.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="openstack-client" @@ -106,7 +106,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \ iputils-ping \ libxml2 \ libxslt1.1 \ - libopenmpi3 \ + libopenmpi40 \ netcat-openbsd \ mariadb-client \ && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \ diff --git a/ContainerFiles/openstack-exporter b/ContainerFiles/openstack-exporter index 4b7d369..d727545 100644 --- a/ContainerFiles/openstack-exporter +++ b/ContainerFiles/openstack-exporter @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build WORKDIR /app @@ -13,7 +13,7 @@ RUN find / -name '*.pyc' -delete \ && find / -name '*.pyo' -delete \ && find / -name '__pycache__' -delete -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL org.opencontainers.image.name="openstack-exporter" LABEL org.opencontainers.image.description="OpenStack Exporter for Prometheus" diff --git a/ContainerFiles/openstack-venv b/ContainerFiles/openstack-venv index 16000bf..e86cc34 100644 --- a/ContainerFiles/openstack-venv +++ b/ContainerFiles/openstack-venv 
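Review bot: The `sed` line in the `@@ -91,10 +91,10 @@` hunk of ContainerFiles/openstack-client still hard-codes both the interpreter directory and the package version (`python3.13/site-packages/PyJWT-2.10.1.dist-info`). The next constraints bump of PyJWT, or the next Python bump, makes `sed -i` fail on a missing file, and because it sits in an `&&` chain the build breaks. The other Containerfiles in this diff use globs for the same cleanup; use `/var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA` here too. The RUN instruction starts before the hunk.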
@@ -2,8 +2,8 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG PYTHON_VERSION=3.12 -ARG OS_RELEASE=bookworm +ARG PYTHON_VERSION=3.13 +ARG OS_RELEASE=trixie FROM python:${PYTHON_VERSION}-${OS_RELEASE} ARG CACHEBUST=0 RUN python3 -m venv /var/lib/openstack diff --git a/ContainerFiles/ovs b/ContainerFiles/ovs index e368b6f..b3b75dc 100644 --- a/ContainerFiles/ovs +++ b/ContainerFiles/ovs @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG OVS_VERSION=main RUN export DEBIAN_FRONTEND=noninteractive \ @@ -40,7 +40,7 @@ RUN ./boot.sh RUN ./configure --sysconfdir=/etc --localstatedir=/var RUN PROC="$([ nproc > 4 ] && echo 4 || nproc)" make -j $PROC && make install -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="ovs" diff --git a/ContainerFiles/placement b/ContainerFiles/placement index ed05bce..737a100 100644 --- a/ContainerFiles/placement +++ b/ContainerFiles/placement @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master 
@@ -49,7 +49,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="placement" diff --git a/ContainerFiles/skyline b/ContainerFiles/skyline index 095a891..5458285 100644 --- a/ContainerFiles/skyline +++ b/ContainerFiles/skyline @@ -1,7 +1,7 @@ # syntax = docker/dockerfile:1 # This Dockerfile builds Skyline from the RackerLabs fork. -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_CONSTRAINTS=master @@ -39,7 +39,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="skyline" diff --git a/ContainerFiles/zaqar b/ContainerFiles/zaqar index 4c7a872..1f10b86 100644 --- a/ContainerFiles/zaqar +++ b/ContainerFiles/zaqar @@ -2,7 +2,7 @@ # This Dockerfile uses multi-stage build to customize DEV and PROD images: # https://docs.docker.com/develop/develop-images/multistage-build/ -ARG VENV_TAG=3.12-latest +ARG VENV_TAG=3.13-latest FROM ghcr.io/rackerlabs/genestack-images/openstack-venv:${VENV_TAG} AS dependency_build ARG CACHEBUST=0 ARG OS_VERSION=master @@ -37,8 +37,7 @@ RUN /var/lib/openstack/bin/pip install --constraint https://opendev.org/openstac PyMySQL \ python-memcached \ uwsgi \ - redis \ - 'autobahn[encryption]' + redis COPY scripts/zaqar-cve-patching.sh /opt/ RUN bash /opt/zaqar-cve-patching.sh 
@@ -52,7 +51,7 @@ RUN find / -name '*.pyc' -delete \ && sed -i '/^Usage/,/^Documentation\n^-.*$/d' /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA -FROM python:3.12-slim-bookworm +FROM python:3.13-slim-trixie LABEL maintainer="Rackspace" LABEL vendor="Rackspace OpenStack Team" LABEL org.opencontainers.image.name="zaqar" diff --git a/docs/containers/alert-proxy.md b/docs/containers/alert-proxy.md index 86e56e6..e0582c2 100644 --- a/docs/containers/alert-proxy.md +++ b/docs/containers/alert-proxy.md @@ -22,14 +22,14 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | ??? example "Build Command" ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ -f ContainerFiles/alert-proxy \ -t alert-proxy:local \ diff --git a/docs/containers/apache.md b/docs/containers/apache.md index fd54546..452e3af 100644 --- a/docs/containers/apache.md +++ b/docs/containers/apache.md @@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | MOD_WSGI_VERSION | 5.0.2 | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg MOD_WSGI_VERSION=5.0.2 \ -f ContainerFiles/apache \ diff --git a/docs/containers/barbican.md b/docs/containers/barbican.md index 041303f..4609b21 100644 --- a/docs/containers/barbican.md +++ b/docs/containers/barbican.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ 
diff --git a/docs/containers/blazar.md b/docs/containers/blazar.md index f2067a6..2c9fdca 100644 --- a/docs/containers/blazar.md +++ b/docs/containers/blazar.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/ceph-libs.md b/docs/containers/ceph-libs.md index 6c4f6c3..b964d81 100644 --- a/docs/containers/ceph-libs.md +++ b/docs/containers/ceph-libs.md @@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | CEPH_VERSION | main | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg CEPH_VERSION=main \ -f ContainerFiles/ceph-libs \ diff --git a/docs/containers/cinder.md b/docs/containers/cinder.md index 23cd707..d0d2583 100644 --- a/docs/containers/cinder.md +++ b/docs/containers/cinder.md @@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -32,7 +32,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/cloudkitty.md b/docs/containers/cloudkitty.md index 14ba31f..db2674b 100644 --- a/docs/containers/cloudkitty.md +++ b/docs/containers/cloudkitty.md 
@@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/designate.md b/docs/containers/designate.md index 205e833..f713902 100644 --- a/docs/containers/designate.md +++ b/docs/containers/designate.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/freezer.md b/docs/containers/freezer.md index 5ed33af..b4f3f13 100644 --- a/docs/containers/freezer.md +++ b/docs/containers/freezer.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/glance.md b/docs/containers/glance.md index 9c614cb..840a14c 100644 --- a/docs/containers/glance.md +++ b/docs/containers/glance.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | 
@@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/heat.md b/docs/containers/heat.md index a865eb0..7a22b78 100644 --- a/docs/containers/heat.md +++ b/docs/containers/heat.md @@ -21,7 +21,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -30,7 +30,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/horizon.md b/docs/containers/horizon.md index 88c6e9b..b2158f9 100644 --- a/docs/containers/horizon.md +++ b/docs/containers/horizon.md @@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -32,7 +32,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/ironic-api.md b/docs/containers/ironic-api.md index 74dd021..e9eb9d1 100644 --- a/docs/containers/ironic-api.md +++ b/docs/containers/ironic-api.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ 
diff --git a/docs/containers/ironic-conductor.md b/docs/containers/ironic-conductor.md index eedd720..e048690 100644 --- a/docs/containers/ironic-conductor.md +++ b/docs/containers/ironic-conductor.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/ironic-inspector.md b/docs/containers/ironic-inspector.md index 4109e5e..997275b 100644 --- a/docs/containers/ironic-inspector.md +++ b/docs/containers/ironic-inspector.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/ironic-pxe.md b/docs/containers/ironic-pxe.md index 6398527..7068f53 100644 --- a/docs/containers/ironic-pxe.md +++ b/docs/containers/ironic-pxe.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/keystone.md b/docs/containers/keystone.md index ecbf3bc..ffd7927 100644 --- a/docs/containers/keystone.md +++ b/docs/containers/keystone.md 
@@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -34,7 +34,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/libguestfs.md b/docs/containers/libguestfs.md index a498102..8358e06 100644 --- a/docs/containers/libguestfs.md +++ b/docs/containers/libguestfs.md @@ -23,7 +23,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | GUESTFS_VERSION | master | | GUESTFS_HIVEX_VERSION | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg GUESTFS_VERSION=master \ --build-arg GUESTFS_HIVEX_VERSION=master \ -f ContainerFiles/libguestfs \ diff --git a/docs/containers/magnum.md b/docs/containers/magnum.md index 43b4c4d..c67c6d3 100644 --- a/docs/containers/magnum.md +++ b/docs/containers/magnum.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -32,7 +32,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/manila.md b/docs/containers/manila.md index d3a67c9..16fa08b 100644 --- a/docs/containers/manila.md +++ b/docs/containers/manila.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | 
@@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/masakari-monitors.md b/docs/containers/masakari-monitors.md index b7254dc..c67bcc2 100644 --- a/docs/containers/masakari-monitors.md +++ b/docs/containers/masakari-monitors.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/masakari.md b/docs/containers/masakari.md index 83d7611..5b97e03 100644 --- a/docs/containers/masakari.md +++ b/docs/containers/masakari.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/octavia.md b/docs/containers/octavia.md index 7e8b5e8..fa72319 100644 --- a/docs/containers/octavia.md +++ b/docs/containers/octavia.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -32,7 +32,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ 
diff --git a/docs/containers/openstack-client.md b/docs/containers/openstack-client.md index e4d3203..a9118f5 100644 --- a/docs/containers/openstack-client.md +++ b/docs/containers/openstack-client.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_CONSTRAINTS | master | @@ -30,7 +30,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ -f ContainerFiles/openstack-client \ -t openstack-client:local \ diff --git a/docs/containers/openstack-venv.md b/docs/containers/openstack-venv.md index 9b7e43f..c71009d 100644 --- a/docs/containers/openstack-venv.md +++ b/docs/containers/openstack-venv.md @@ -23,16 +23,16 @@ graph LR | Argument | Default | | --- | --- | -| PYTHON_VERSION | 3.12 | -| OS_RELEASE | bookworm | +| PYTHON_VERSION | 3.13 | +| OS_RELEASE | trixie | | CACHEBUST | 0 | ??? example "Build Command" ``` bash docker build \ - --build-arg PYTHON_VERSION=3.12 \ - --build-arg OS_RELEASE=bookworm \ + --build-arg PYTHON_VERSION=3.13 \ + --build-arg OS_RELEASE=trixie \ --build-arg CACHEBUST=0 \ -f ContainerFiles/openstack-venv \ -t openstack-venv:local \ diff --git a/docs/containers/ovs.md b/docs/containers/ovs.md index 0b57534..6700584 100644 --- a/docs/containers/ovs.md +++ b/docs/containers/ovs.md @@ -23,14 +23,14 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | OVS_VERSION | main | ??? example "Build Command" ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg OVS_VERSION=main \ -f ContainerFiles/ovs \ -t ovs:local \ diff --git a/docs/containers/placement.md b/docs/containers/placement.md index ab80fd2..2a4764a 100644 --- a/docs/containers/placement.md +++ b/docs/containers/placement.md 
@@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/docs/containers/skyline.md b/docs/containers/skyline.md index adf54de..8ac1b04 100644 --- a/docs/containers/skyline.md +++ b/docs/containers/skyline.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_CONSTRAINTS | master | @@ -30,7 +30,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_CONSTRAINTS=master \ -f ContainerFiles/skyline \ diff --git a/docs/containers/zaqar.md b/docs/containers/zaqar.md index d7b4901..4658b88 100644 --- a/docs/containers/zaqar.md +++ b/docs/containers/zaqar.md @@ -22,7 +22,7 @@ graph LR | Argument | Default | | --- | --- | -| VENV_TAG | 3.12-latest | +| VENV_TAG | 3.13-latest | | CACHEBUST | 0 | | OS_VERSION | master | | OS_CONSTRAINTS | master | @@ -31,7 +31,7 @@ graph LR ``` bash docker build \ - --build-arg VENV_TAG=3.12-latest \ + --build-arg VENV_TAG=3.13-latest \ --build-arg CACHEBUST=0 \ --build-arg OS_VERSION=master \ --build-arg OS_CONSTRAINTS=master \ diff --git a/scripts/barbican-cve-patching.sh b/scripts/barbican-cve-patching.sh index 41f95c9..ecef45f 100644 --- a/scripts/barbican-cve-patching.sh +++ b/scripts/barbican-cve-patching.sh 
@@ -1,21 +1,24 @@ #!/usr/bin/env bash if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then - # CVE fixes CVE-2025-27516,CVE-2024-47081 + # CVE fixes CVE-2025-27516,CVE-2024-47081,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ + "eventlet==0.40.3" \ "requests==2.32.4" elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-36039,CVE-2024-56326,CVE-2024-56201,CVE-2024-47081,CVE-2024-37891,CVE-2024-35195,CVE-2025-27516,CVE-2024-42353 - # GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-34064 + # GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-34064,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ "WebOb==1.8.8" \ + "Werkzeug==3.0.6" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "requests==2.32.4" \ - "urllib3==1.26.20" + "urllib3==1.26.20" \ + "zipp==3.19.1" fi diff --git a/scripts/blazar-cve-patching.sh b/scripts/blazar-cve-patching.sh index fc5bdf7..86fd28d 100644 --- a/scripts/blazar-cve-patching.sh +++ b/scripts/blazar-cve-patching.sh 
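Review bot: The stable/2024.1 branch of scripts/barbican-cve-patching.sh gains `"Werkzeug==3.0.6"` and `"zipp==3.19.1"`, but the comment above it adds only CVE-2025-58068, so nothing records why those two pins exist. Sibling scripts in this diff list CVE-2024-34069, CVE-2024-49766 and CVE-2024-49767 where Werkzeug is pinned, and CVE-2024-5569 is, as far as I know, the zipp advisory; if those are the ones meant, add them to the comment so a later audit can map each pin to its advisory. The blazar hunk that follows has the same gap: both branches pin `"eventlet==0.40.3"` without listing CVE-2025-58068, and its stable/2024.1 comment omits the Werkzeug and zipp IDs.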
@@ -1,7 +1,25 @@ #!/usr/bin/env bash if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then - echo "No CVE patches available for stable/2025.1" + # CVE fixes CVE-2025-27516,CVE-2024-47081 + /var/lib/openstack/bin/pip install --upgrade \ + "Jinja2==3.1.6" \ + "eventlet==0.40.3" \ + "requests==2.32.4" \ + "urllib3==1.26.20" elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then - echo "No CVE patches available for stable/2024.1" + # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, + # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081 + /var/lib/openstack/bin/pip install --upgrade \ + "Jinja2==3.1.6" \ + "PyMySQL==1.1.1" \ + "WebOb==1.8.8" \ + "Werkzeug==3.0.6" \ + "cryptography==44.0.1" \ + "dnspython==2.6.1" \ + "eventlet==0.40.3" \ + "idna==3.7" \ + "requests==2.32.4" \ + "urllib3==1.26.20" \ + "zipp==3.19.1" fi diff --git a/scripts/cinder-cve-patching.sh b/scripts/cinder-cve-patching.sh index 7733dd4..ee720ac 100644 --- a/scripts/cinder-cve-patching.sh +++ b/scripts/cinder-cve-patching.sh @@ -9,14 +9,15 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then "urllib3==1.26.20" elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, - # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2025-4565 + # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2025-4565, + # CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ "WebOb==1.8.8" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "protobuf==4.25.8" \ "requests==2.32.4" \ diff --git a/scripts/cloudkitty-cve-patching.sh b/scripts/cloudkitty-cve-patching.sh index 22ae663..3b4130c 100644 
--- a/scripts/cloudkitty-cve-patching.sh +++ b/scripts/cloudkitty-cve-patching.sh @@ -9,14 +9,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2024-5569, - # CVE-2024-49766,CVE-2024-49767 + # CVE-2024-49766,CVE-2024-49767,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ "WebOb==1.8.8" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "requests==2.32.4" \ "urllib3==1.26.20" \ diff --git a/scripts/designate-cve-patching.sh b/scripts/designate-cve-patching.sh index c2d784c..ce29002 100644 --- a/scripts/designate-cve-patching.sh +++ b/scripts/designate-cve-patching.sh @@ -9,7 +9,7 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2024-49767,CVE-2024-34069 - # CVE-2024-49766 + # CVE-2024-4976,CVE-2025-580686 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ @@ -17,7 +17,7 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then "Werkzeug==3.0.6" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "requests==2.32.4" \ "urllib3==1.26.20" diff --git a/scripts/freezer-cve-patching.sh b/scripts/freezer-cve-patching.sh index 2151bba..02ec17c 100644 --- a/scripts/freezer-cve-patching.sh +++ b/scripts/freezer-cve-patching.sh 
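Review bot: The rewritten comment line in the `@@ -9,7 +9,7 @@` hunk of scripts/designate-cve-patching.sh carries two malformed IDs, `CVE-2024-4976` and `CVE-2025-580686`; a digit appears to have moved from the first to the second. The corresponding line in scripts/ironic-cve-patching.sh reads `# CVE-2024-49766,CVE-2025-58068`, which is presumably what was intended here. Anyone searching these comments for either advisory ID will miss this script as written.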
@@ -1,7 +1,10 @@ #!/usr/bin/env bash -if [ ${OS_VERSION:-master} = "stable/2025.2" ]; then - # CVE fixes CVE-2025-50181 +if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then + # CVE fixes CVE-2025-50181,CVE-2025-27516,CVE-2024-47081 /var/lib/openstack/bin/pip install --upgrade \ - "urllib3==2.5.0" -fi \ No newline at end of file + "Jinja2==3.1.6" \ + "eventlet==0.40.3" \ + "requests==2.32.4" \ + "urllib3==1.26.20" +fi diff --git a/scripts/glance-cve-patching.sh b/scripts/glance-cve-patching.sh index 90bdb7c..4b8f4ab 100644 --- a/scripts/glance-cve-patching.sh +++ b/scripts/glance-cve-patching.sh @@ -9,13 +9,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-4340,CVE-2024-37891,CVE-2024-5569,CVE-2024-12797,CVE-2024-47081 + # CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL>=1.1.1,<1.2" \ "WebOb==1.8.8" \ "cryptography==44.0.1" \ "dnspython>=2.6.1,<2.7" \ - "eventlet>=0.35.2,<0.36" \ + "eventlet==0.40.3" \ "idna>=3.7,<3.8" \ "requests==2.32.4" \ "sqlparse>=0.5.0,<0.6" \ diff --git a/scripts/heat-cve-patching.sh b/scripts/heat-cve-patching.sh index a02d85e..c78bc8f 100644 --- a/scripts/heat-cve-patching.sh +++ b/scripts/heat-cve-patching.sh 
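Review bot: The comment in scripts/freezer-cve-patching.sh still claims CVE-2025-50181 while the pin moves from `"urllib3==2.5.0"` to `"urllib3==1.26.20"`. To my knowledge the fix for that advisory shipped in urllib3 2.5.0 and was not backported to the 1.26 line, so this branch no longer remediates it. Either keep a 2.x pin that the stable/2025.1 constraints tolerate, or drop the ID from the comment and track it as an accepted risk. The added `"eventlet==0.40.3"` has no ID in the comment; other scripts in this diff record it as CVE-2025-58068. Builds with OS_VERSION=stable/2025.2 now match no branch and receive no pins at all.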
@@ -8,14 +8,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then "urllib3==1.26.20" elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, - # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081 + # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ "WebOb==1.8.8" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "requests==2.32.4" \ "urllib3==1.26.20" diff --git a/scripts/horizon-cve-patching.sh b/scripts/horizon-cve-patching.sh index 5bf5292..a7102ac 100644 --- a/scripts/horizon-cve-patching.sh +++ b/scripts/horizon-cve-patching.sh @@ -18,7 +18,7 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then "WebOb==1.8.8" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "pymongo==4.6.3" \ "requests==2.32.4" \ diff --git a/scripts/ironic-cve-patching.sh b/scripts/ironic-cve-patching.sh index c2d784c..41ba640 100644 --- a/scripts/ironic-cve-patching.sh +++ b/scripts/ironic-cve-patching.sh @@ -9,7 +9,7 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27, # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2024-49767,CVE-2024-34069 - # CVE-2024-49766 + # CVE-2024-49766,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Jinja2==3.1.6" \ "PyMySQL==1.1.1" \ 
@@ -17,7 +17,7 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then "Werkzeug==3.0.6" \ "cryptography==44.0.1" \ "dnspython==2.6.1" \ - "eventlet==0.35.2" \ + "eventlet==0.40.3" \ "idna==3.7" \ "requests==2.32.4" \ "urllib3==1.26.20" diff --git a/scripts/keystone-cve-patching.sh b/scripts/keystone-cve-patching.sh index b3f960f..e887264 100644 --- a/scripts/keystone-cve-patching.sh +++ b/scripts/keystone-cve-patching.sh @@ -10,7 +10,7 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,CVE-2024-34069, # CVE-2024-49766,CVE-2024-49767,GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891, - # CVE-2024-12797,CVE-2025-47278,CVE-2024-47081,CVE-2025-61912 + # CVE-2024-12797,CVE-2025-47278,CVE-2024-47081,CVE-2025-61912,CVE-2025-58068 /var/lib/openstack/bin/pip install --upgrade \ "Flask==3.1.1" \ "Jinja2==3.1.6" \ @@ -19,7 +19,7 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then "Werkzeug>=3.0.6,<3.2" \ "cryptography==44.0.1" \ "dnspython>=2.6.1,<2.7" \ - "eventlet>=0.35.2,<0.36" \ + "eventlet>=0.35.2" \ "idna>=3.7,<3.8" \ "requests==2.32.4" \ "urllib3==1.26.20" \ diff --git a/scripts/magnum-cve-patching.sh b/scripts/magnum-cve-patching.sh index 22ae663..3b4130c 100644 --- a/scripts/magnum-cve-patching.sh +++ b/scripts/magnum-cve-patching.sh 
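Review bot: In the `@@ -19,7 +19,7 @@` hunk of scripts/keystone-cve-patching.sh the eventlet spec becomes `"eventlet>=0.35.2"`, which only removes the upper bound. It still admits every release below 0.40.3, the version the other scripts pin for CVE-2025-58068, which this file's comment now claims as fixed. With `--upgrade` pip will normally pick the newest release, but if another requirement caps eventlet the resolver can settle on an affected version without failing. Write `"eventlet>=0.40.3"` or `"eventlet==0.40.3"` so the build fails instead.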
@@ -9,14 +9,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27,
 # CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-47081,CVE-2024-5569,
- # CVE-2024-49766,CVE-2024-49767
+ # CVE-2024-49766,CVE-2024-49767,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==44.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "requests==2.32.4" \
 "urllib3==1.26.20" \
diff --git a/scripts/masakari-cve-patching.sh b/scripts/masakari-cve-patching.sh
index 94b7939..b4a456d 100644
--- a/scripts/masakari-cve-patching.sh
+++ b/scripts/masakari-cve-patching.sh
@@ -6,14 +6,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "Jinja2==3.1.6" \
 "requests==2.32.4"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
- # CVE fixes CVE-2024-36039,CVE-2024-56326,CVE-2024-56201,CVE-2025-27516,CVE-2024-47081
+ # CVE fixes CVE-2024-36039,CVE-2024-56326,CVE-2024-56201,CVE-2025-27516,CVE-2024-47081,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==44.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "requests==2.32.4" \
 "urllib3==1.26.20"
diff --git a/scripts/masakari-monitors-cve-patching.sh b/scripts/masakari-monitors-cve-patching.sh
index 94b7939..b4a456d 100644
--- a/scripts/masakari-monitors-cve-patching.sh
+++ b/scripts/masakari-monitors-cve-patching.sh
@@ -6,14 +6,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "Jinja2==3.1.6" \
 "requests==2.32.4"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
- # CVE fixes CVE-2024-36039,CVE-2024-56326,CVE-2024-56201,CVE-2025-27516,CVE-2024-47081
+ # CVE fixes CVE-2024-36039,CVE-2024-56326,CVE-2024-56201,CVE-2025-27516,CVE-2024-47081,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==44.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "requests==2.32.4" \
 "urllib3==1.26.20"
diff --git a/scripts/neutron-cve-patching.sh b/scripts/neutron-cve-patching.sh
index 361d1d7..a28de33 100644
--- a/scripts/neutron-cve-patching.sh
+++ b/scripts/neutron-cve-patching.sh
@@ -6,14 +6,15 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "Jinja2==3.1.6" \
 "requests==2.32.4"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
- # CVE fixes CVE-2024-36039,CVE-2025-27516,CVE-2024-42353,GHSA-h4gh-qq45-vh27,CVE-2024-47081,CVE-2024-56201,CVE-2024-56326
+ # CVE fixes CVE-2024-36039,CVE-2025-27516,CVE-2024-42353,GHSA-h4gh-qq45-vh27,CVE-2024-47081,CVE-2024-56201,CVE-2024-56326,
+ # CVE-2024-35195,CVE-2024-37891,CVE-2024-12797,CVE-2024-3651,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==43.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "requests==2.32.4" \
 "urllib3==1.26.20"
diff --git a/scripts/nova-ceph-cve-patching.sh b/scripts/nova-ceph-cve-patching.sh
new file mode 100644
index 0000000..fe9cf9f
--- /dev/null
+++ b/scripts/nova-ceph-cve-patching.sh
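Review bot: In scripts/neutron-cve-patching.sh the comment now lists CVE-2024-12797, but the unchanged line below still pins `"cryptography==43.0.1"`. Every other script in this diff that lists that CVE pins `"cryptography==44.0.1"`, and the scripts that stay on 43.0.1 (nova, placement) do not list it, so the comment here appears to claim a fix the install line does not deliver. Either bump the pin to `"cryptography==44.0.1" \` or drop CVE-2024-12797 from the list. An inaccurate list is worse than a missing entry, because it gives a reason to dismiss a scanner finding against the built image.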
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+#if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
+ # CVE fixes CVE-2025-27516,CVE-2024-47081
+# /var/lib/openstack/bin/pip install --upgrade \
+# "Jinja2==3.1.6" \
+# "requests==2.32.4"
+#elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
+ # CVE fixes CVE-2024-36039,CVE-2024-34064,CVE-2025-27516,CVE-2024-42353,GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,
+ # CVE-2024-37891,CVE-2024-47081,CVE-2024-28102,CVE-2025-58068
+# /var/lib/openstack/bin/pip install --upgrade \
+# "Jinja2==3.1.6" \
+# "PyMySQL==1.1.1" \
+# "WebOb==1.8.8" \
+# "cryptography==43.0.1" \
+# "dnspython==2.6.1" \
+# "eventlet==0.40.3" \
+# "idna==3.7" \
+# "jwcrypto==1.5.6" \
+# "requests==2.32.4" \
+# "urllib3==1.26.20"
+#fi
diff --git a/scripts/nova-cve-patching.sh b/scripts/nova-cve-patching.sh
index bbe2450..f13d91c 100644
--- a/scripts/nova-cve-patching.sh
+++ b/scripts/nova-cve-patching.sh
@@ -7,14 +7,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "requests==2.32.4"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-36039,CVE-2024-34064,CVE-2025-27516,CVE-2024-42353,GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,
- #. CVE-2024-37891,CVE-2024-47081,CVE-2024-28102
+ # CVE-2024-37891,CVE-2024-47081,CVE-2024-28102,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==43.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "jwcrypto==1.5.6" \
 "requests==2.32.4" \
diff --git a/scripts/octavia-cve-patching.sh b/scripts/octavia-cve-patching.sh
index 2d66162..6f23223 100644
--- a/scripts/octavia-cve-patching.sh
+++ b/scripts/octavia-cve-patching.sh
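Review bot: Every statement in the new scripts/nova-ceph-cve-patching.sh is commented out, so the script installs none of the pins its `# CVE fixes` comments list, unlike scripts/nova-cve-patching.sh, which applies the same set for stable/2024.1. The nova-ceph workflow triggers on this script, so the image build presumably runs it (the container file is not in view), and the resulting image would carry unpatched versions while the file reads as if they were fixed. Either enable the block, or replace it with a short header that states the intent, such as `# Intentionally a no-op: <reason>; pins live in nova-cve-patching.sh`. If the block is enabled, quote the expansion in the test, `[ "${OS_VERSION:-master}" = "stable/2024.1" ]`.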
@@ -9,7 +9,7 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-36039,CVE-2024-6827,CVE-2024-1135,CVE-2024-49767,CVE-2024-34069,CVE-2024-56326,CVE-2024-56326,CVE-2024-56201
 # CVE-2024-35195,CVE-2024-37891,CVE-2024-3651,CVE-2023-29483,CVE-2024-49766,CVE-2024-42353,CVE-2025-27516,CVE-2024-34064
- # CVE-2024-12797,CVE-2024-47081
+ # CVE-2024-12797,CVE-2024-47081,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
@@ -17,7 +17,7 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 "Werkzeug==3.0.6" \
 "cryptography==44.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "gunicorn==23.0.0" \
 "idna==3.7" \
 "pyopenssl==24.3.0" \
diff --git a/scripts/placement-cve-patching.sh b/scripts/placement-cve-patching.sh
index 87f723c..0e46625 100644
--- a/scripts/placement-cve-patching.sh
+++ b/scripts/placement-cve-patching.sh
@@ -7,14 +7,14 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "requests==2.32.4"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
 # CVE fixes CVE-2024-36039,CVE-2025-27516,CVE-2024-42353,GHSA-h4gh-qq45-vh27,CVE-2024-47081,CVE-2024-56201,CVE-2024-56326,
- # CVE-2024-37891,CVE-2024-35195,CVE-2024-3651,CVE-2024-34064
+ # CVE-2024-37891,CVE-2024-35195,CVE-2024-3651,CVE-2024-34064,CVE-2025-58068
 /var/lib/openstack/bin/pip install --upgrade \
 "Jinja2==3.1.6" \
 "PyMySQL==1.1.1" \
 "WebOb==1.8.8" \
 "cryptography==43.0.1" \
 "dnspython==2.6.1" \
- "eventlet==0.35.2" \
+ "eventlet==0.40.3" \
 "idna==3.7" \
 "requests==2.32.4" \
 "urllib3==1.26.20"
diff --git a/scripts/zaqar-cve-patching.sh b/scripts/zaqar-cve-patching.sh
index f935cb9..298739b 100644
--- a/scripts/zaqar-cve-patching.sh
+++ b/scripts/zaqar-cve-patching.sh
@@ -5,5 +5,5 @@ if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
 "jinja2==3.1.6" \
 "requests==2.32.4" \
 "eventlet==0.40.3" \
- "autobahn[encryption]"
+ "cryptography==44.0.1"
 fi