From 9fca209d49497c11558b2537eddba1750c38ad94 Mon Sep 17 00:00:00 2001 From: Douglas Viroel Date: Wed, 8 Mar 2023 18:31:27 -0300 Subject: [PATCH] Pin nettle-3.8-3 on ubi9 only This patch fixes the workaround proposed in [1] to install nettle-3.8-3 only on ubi9 containers. Since we are backporting this fix to stable/wallaby, we need to guarantee that doesn't break ubi8 containers. [1] https://review.opendev.org/c/openstack/tripleo-common/+/869104 Change-Id: I039ca97773699f6f744e83172dd6664ace0d8d60 --- container-images/tcib/base/base.yaml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/container-images/tcib/base/base.yaml b/container-images/tcib/base/base.yaml index bc9177182..9b02ee5ab 100644 --- a/container-images/tcib/base/base.yaml +++ b/container-images/tcib/base/base.yaml @@ -51,6 +51,15 @@ tcib_actions: if [ '{{ tcib_distro }}' == 'centos' ];then if [ -n "$(rpm -qa redhat-release)" ];then rpm -e --nodeps redhat-release; fi ; dnf -y install centos-stream-release; fi +# TODO: Temporary pinning nettle to 3.8-3.el9, so it can be reinstalled from centos-9 repos. +# nettle-3.8-3 is already installed in ubi9 image, but it conflicts with newer versions on gnutls +# installed from centos-9 repos. This workaround can be reverted once ubi9.2 is released, which +# should contain a newer version of gnutls with fixes to run under FIPS mode. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=2154924 and +# https://bugs.launchpad.net/tripleo/+bug/1984237 +- run: >- + if [ '{{ tcib_release }}' == '9' ];then + dnf -y install nettle-3.8-3.el9; fi - run: dnf update --excludepkgs redhat-release -y && dnf clean all && rm -rf /var/cache/dnf tcib_cmd: kolla_start tcib_entrypoint: dumb-init --single-child -- 
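Review bot: The new `run` step installs `nettle-3.8-3.el9` by exact version, but nothing after it holds that version in place. The following `dnf update --excludepkgs redhat-release -y` step is unchanged context, so whether nettle stays at 3.8-3 appears to depend on what the enabled repos offer at build time. Because the comment ties this crypto library to gnutls and FIPS mode, it should state which outcome is intended, for example `# Not a version lock: the dnf update below may still upgrade nettle together with gnutls.` If the version is meant to be held, nettle would also need to be listed in `--excludepkgs`, and the TODO should then say that nettle security updates are withheld on release 9 images until the workaround is reverted. The `tcib_actions` list begins outside this hunk, so the ordering of earlier steps cannot be checked from here.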
@@ -60,17 +69,12 @@ tcib_envs: tcib_labels: maintainer: OpenStack TripleO team tcib_managed: True -# TODO: Temporary pinning nettle to 3.8-3.el9, so it can be reinstalled from centos-9 repos. -# nettle-3.8-3 is already installed in ubi9 image, but it conflicts with newer versions on gnutls -# installed from centos-9 repos. This workaround can be reverted once ubi9.2 is released, which -# should contain a newer version of gnutls with fixes to run under FIPS mode. tcib_packages: common: - ca-certificates - dumb-init - glibc-langpack-en - iscsi-initiator-utils - - nettle-3.8-3.el9 - openstack-tripleo-common-containers - openstack-tripleo-common-container-base - procps-ng