diff --git a/.github/workflows/build_dev.yml b/.github/workflows/build_dev.yml index 40c8e670..27036f23 100644 --- a/.github/workflows/build_dev.yml +++ b/.github/workflows/build_dev.yml @@ -15,6 +15,9 @@ on: push: branches: - main + # make this job as dependency for trivy_image_check workflow + # https://stackoverflow.com/a/71489231 + workflow_call: jobs: dev_setup_build: diff --git a/.github/workflows/trivy_image_check.yaml b/.github/workflows/trivy_image_check.yaml index b35aea59..7e3e7fe3 100644 --- a/.github/workflows/trivy_image_check.yaml +++ b/.github/workflows/trivy_image_check.yaml @@ -12,9 +12,13 @@ on: pull_request: jobs: + build_dev: + uses: ./.github/workflows/build_dev.yml + secrets: inherit test: name: Trivy images check runs-on: [self-hosted, regular] + needs: [build_dev] steps: - uses: actions/checkout@v4 @@ -53,9 +57,9 @@ jobs: exit_code=0 image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER - + crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]') - + while read -r item; do key=$(echo "$item" | jq -r '.key') value=$(echo "$item" | jq -r '.value') diff --git a/templates/agent/nodegroupconfiguration-blacklist-loop-devices.yaml b/templates/agent/nodegroupconfiguration-blacklist-loop-devices.yaml new file mode 100644 index 00000000..77f785c2 --- /dev/null +++ b/templates/agent/nodegroupconfiguration-blacklist-loop-devices.yaml @@ -0,0 +1,63 @@ +apiVersion: deckhouse.io/v1alpha1 +kind: NodeGroupConfiguration +metadata: + name: sds-node-configurator-add-loop-devices-to-blacklist.sh + {{- include "helm_lib_module_labels" (list .) | nindent 2 }} +spec: + weight: 100 + nodeGroups: ["*"] + bundles: ["*"] + content: | + # Copyright 2024 Flant JSC + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + # Loop devices should not be queried by the LVM and multipath commands. + # So we add loop devices into blacklist for multipath and configure + # global_filter in lvm.conf for them + + bb-event-on 'bb-sync-file-changed' '_on_multipath_config_changed' + _on_multipath_config_changed() { + if systemctl is-enabled --quiet multipathd 2>/dev/null; then + systemctl reload multipathd + fi + } + + configure_lvm() { + command -V lvmconfig >/dev/null 2>&1 || return 0 + test -f /etc/lvm/lvm.conf || return 0 + current_global_filter=$(lvmconfig devices/global_filter 2>/dev/null || true) + + case "${current_global_filter}" in + '' ) new_global_filter='["r|^/dev/loop[0-9]+|"]' ;; + */dev/loop*) return 0 ;; + 'global_filter="'*) new_global_filter='["r|^/dev/loop[0-9]+|",'${current_global_filter#*=}] ;; + 'global_filter=['*) new_global_filter='["r|^/dev/loop[0-9]+|",'${current_global_filter#*[} ;; + *) echo error parsing global_filter >&2; return 1 ;; + esac + + lvmconfig --config "devices/global_filter=$new_global_filter" --withcomments --merge > /etc/lvm/lvm.conf.$$ + mv /etc/lvm/lvm.conf.$$ /etc/lvm/lvm.conf + } + + configure_multipath() { + mkdir -p /etc/multipath/conf.d + bb-sync-file /etc/multipath/conf.d/loop-blacklist.conf - <