
[release-4.19] CORENET-5975: Dockerfile: Unpin OVS and consume the latest from FDP. #2548


Open. Wants to merge 1 commit into base: release-4.19

Conversation

openshift-cherrypick-robot

This is an automated cherry-pick of #2525

/assign igsilya

OVN-Kubernetes is always lagging behind on the version of OVS it pins.
This is causing a lot of trouble with keeping up with bug fixes and
especially CVE fixes on older branches, resulting in scanners constantly
flagging this image with poor security grades.

OVS package inside the container is responsible for the following:

  1. Command line utilities to talk with OVS from the host.
  2. ovsdb-server processes serving OVN databases.
  3. ovs-monitor-ipsec script for managing ipsec configuration on
     OVN tunnels.

These tools/programs are not changing that much between patch releases,
and bug fix releases in FDP are going through a lot of testing before
becoming available in the repo.  So, the benefits of timely delivery of bug
and CVE fixes significantly outweigh the small risks that automatic
consumption of new builds incurs.  The main OVS runs on the host and has
followed FDP for a very long time now, and it's also better to keep
the minor versions between host and container in sync, just to decrease
the number of variables in the system.

Signed-off-by: Ilya Maximets <[email protected]>

openshift-ci-robot commented May 6, 2025

@openshift-cherrypick-robot: Ignoring requests to cherry-pick non-bug issues: CORENET-5975

In response to this:

> This is an automated cherry-pick of #2525
>
> /assign igsilya

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from JacobTanenbaum and trozet May 6, 2025 10:31

@igsilya igsilya left a comment


Clean cherry-pick. 4.19 isn't far from 4.20 yet.
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 6, 2025

openshift-ci bot commented May 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: igsilya, openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


igsilya commented May 6, 2025

/test e2e-aws-ovn-fdp-qe


igsilya commented May 6, 2025

/retest


igsilya commented May 12, 2025

Some jobs seem to be stuck.
/retest


igsilya commented May 12, 2025

/retest-required

@jluhrsen

/hold

I think we want to stop using cherry-pick bots and bring in our code to older branches via 'git merge'

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 12, 2025

openshift-ci bot commented May 13, 2025

@openshift-cherrypick-robot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                                      Commit   Required  Rerun command
ci/prow/e2e-vsphere-ovn-techpreview                            976f749  false     /test e2e-vsphere-ovn-techpreview
ci/prow/e2e-aws-ovn-hypershift-conformance-techpreview         976f749  false     /test e2e-aws-ovn-hypershift-conformance-techpreview
ci/prow/4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-rt-upgrade   976f749  true      /test 4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-rt-upgrade
ci/prow/e2e-aws-ovn-hypershift-kubevirt                        976f749  false     /test e2e-aws-ovn-hypershift-kubevirt
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview   976f749  false     /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview
ci/prow/security                                               976f749  false     /test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


sdodson commented May 15, 2025

> I think we want to stop using cherry-pick bots and bring in our code to older branches via 'git merge'

When is that expected to happen for 4.19? If that doesn't happen before the first RHSAs for ovs 3.5 or ovn24.09 I'll be back to merge this as is.
