[FIPS] Install nettle-3.8-3.el9 in tcib base container

This patch adds installation of nettle-3.8-3.el9 to replace the rhel-9.0
version of the package, since 'dnf update' doesn't replace it.
The rhel-9.0 version of this package fails when running under FIPS.
When we get a new version of nettle in centos mirrors, the 'dnf update'
shall install a new version of the package and the workaround can be
removed.
We can't add a condition to install only when fips is enabled, since
build containers job doesn't run under fips enabled mode.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2154924
Related-Bug: https://bugs.launchpad.net/tripleo/+bug/1984237
Change-Id: Iedc128120fd6925800c7e95664ce4e13ee8868a8

Pin nettle-3.8-3 on ubi9 only

This patch fixes the workaround proposed in [1] to install
nettle-3.8-3 only on ubi9 containers.
Since we are backporting this fix to stable/wallaby, we need
to guarantee that it doesn't break ubi8 containers.

[1] https://review.opendev.org/c/openstack/tripleo-common/+/869104

Change-Id: I039ca97773699f6f744e83172dd6664ace0d8d60
Douglas Viroel 2023-01-03 16:59:50 -03:00
parent 8509b2a4b2
commit ed2545f7fd
1 changed files with 9 additions and 0 deletions

@ -51,6 +51,15 @@ tcib_actions:
if [ '{{ tcib_distro }}' == 'centos' ];then
if [ -n "$(rpm -qa redhat-release)" ];then rpm -e --nodeps redhat-release; fi ;
dnf -y install centos-stream-release; fi
# TODO: Temporary pinning nettle to 3.8-3.el9, so it can be reinstalled from centos-9 repos.
# nettle-3.8-3 is already installed in ubi9 image, but it conflicts with newer versions on gnutls
# installed from centos-9 repos. This workaround can be reverted once ubi9.2 is released, which
# should contain a newer version of gnutls with fixes to run under FIPS mode.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=2154924 and
# https://bugs.launchpad.net/tripleo/+bug/1984237
- run: >-
if [ '{{ tcib_release }}' == '9' ];then
dnf -y install nettle-3.8-3.el9; fi
- run: dnf update --excludepkgs redhat-release -y && dnf clean all && rm -rf /var/cache/dnf
tcib_cmd: kolla_start
tcib_entrypoint: dumb-init --single-child --
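Review bot: The TODO comment and the added run step disagree about what the pin does. The comment says nettle-3.8-3 "is already installed in ubi9 image" and is pinned "so it can be reinstalled from centos-9 repos", but the step runs `dnf -y install nettle-3.8-3.el9`, and dnf treats an install request for an NVR that is already present as nothing to do. If the intent is to replace the UBI-shipped build with the CentOS one, `dnf -y reinstall` (or a comment stating which version the base image really carries) would make that explicit. Two smaller points on the same step: the guard tests only `tcib_release` while the commit subject says "ubi9 only", so it would be worth also checking `tcib_distro` or noting why release alone is sufficient; and because the following `dnf update` line does not exclude nettle, the comment should say that the pin is expected to be overridden as soon as a newer build reaches the mirrors, so a later reader does not mistake it for a hard version lock on a FIPS-relevant crypto library.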