all: children: cephs: hosts: instance: null computes: hosts: instance: null controllers: hosts: instance: null zuul_unreachable: hosts: {} hosts: instance: ansible_connection: ssh ansible_host: 162.253.55.204 ansible_port: 22 ansible_python_interpreter: auto ansible_user: zuul ceph_conf_overrides: - option: mon allow pool size one section: global value: true - option: osd crush chooseleaf type section: global value: 0 - option: auth allow insecure global id reclaim section: mon value: false ceph_csi_rbd_helm_values: provisioner: replicaCount: 1 ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4 ceph_osd_devices: - /dev/ceph-{{ inventory_hostname_short }}-osd0/data - /dev/ceph-{{ inventory_hostname_short }}-osd1/data - /dev/ceph-{{ inventory_hostname_short }}-osd2/data cilium_helm_values: operator: replicas: 1 cilium_ipv4_cidr: 172.24.0.0/16 csi_driver: rbd kube_vip_address: 172.17.0.100 kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}' kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}' molecule_scenario: csi nodepool: az: nova cloud: public external_id: bef65050-74a6-4b9b-a4b8-a6f0f5b10795 host_id: d953b2b79ff732b94d97ea6274a0c4d1174b1c52cbf038923e842d1b interface_ip: 162.253.55.204 label: ubuntu-jammy node_properties: {} private_ipv4: 162.253.55.204 private_ipv6: null provider: yul1 public_ipv4: 162.253.55.204 public_ipv6: 2604:e100:1:0:f816:3eff:fe99:d9ff region: ca-ymq-1 slot: null zuul_node: az: nova cloud: public external_id: bef65050-74a6-4b9b-a4b8-a6f0f5b10795 host_id: d953b2b79ff732b94d97ea6274a0c4d1174b1c52cbf038923e842d1b interface_ip: 162.253.55.204 label: ubuntu-jammy node_properties: {} private_ipv4: 162.253.55.204 private_ipv6: null provider: yul1 public_ipv4: 162.253.55.204 public_ipv6: 2604:e100:1:0:f816:3eff:fe99:d9ff region: ca-ymq-1 slot: null uuid: null vars: ceph_conf_overrides: - option: mon allow pool size one section: global value: true - option: osd crush chooseleaf type section: global value: 0 - option: auth allow insecure global id reclaim section: mon value: false ceph_csi_rbd_helm_values: provisioner: replicaCount: 1 ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4 ceph_osd_devices: - /dev/ceph-{{ inventory_hostname_short }}-osd0/data - /dev/ceph-{{ inventory_hostname_short }}-osd1/data - /dev/ceph-{{ inventory_hostname_short }}-osd2/data cilium_helm_values: operator: replicas: 1 cilium_ipv4_cidr: 172.24.0.0/16 csi_driver: rbd kube_vip_address: 172.17.0.100 kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}' kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}' molecule_scenario: csi zuul: _inheritance_path: - '' - '' - '' - '' - '' - '' ansible_version: '9' attempts: 1 branch: main build: e8dd750f1702412b93df50514a4c08cd build_refs: - branch: main change: '3493' change_message: 'fix(kube_prometheus_stack): set AppArmor to unconfined for node-exporter ## Summary The node-exporter requires ptrace capabilities to collect process metrics, which is denied by the `cri-containerd.apparmor.d` AppArmor profile. This causes audit logs like: ``` audit: type=1400 audit(1769757582.095:122939): apparmor="DENIED" operation="ptrace" class="ptrace" profile="cri-containerd.apparmor.d" pid=3673482 comm="node_exporter" requested_mask="read" denied_mask="read" peer="unconfined" ``` This PR adds a pod annotation to set the AppArmor profile to `unconfined` for the node-exporter container, allowing the necessary ptrace operations. ## Changes - Added `podAnnotations` with `container.apparmor.security.beta.kubernetes.io/node-exporter: unconfined` to the prometheus-node-exporter Helm values' change_url: https://github.com/vexxhost/atmosphere/pull/3493 commit_id: 3fce881c0ec964c18fc0766d78562e02e4dffa01 patchset: 3fce881c0ec964c18fc0766d78562e02e4dffa01 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null buildset: b67248cbb78e4c7d8081981e8a44e1ca buildset_refs: - branch: main change: '3493' change_message: 'fix(kube_prometheus_stack): set AppArmor to unconfined for node-exporter ## Summary The node-exporter requires ptrace capabilities to collect process metrics, which is denied by the `cri-containerd.apparmor.d` AppArmor profile. This causes audit logs like: ``` audit: type=1400 audit(1769757582.095:122939): apparmor="DENIED" operation="ptrace" class="ptrace" profile="cri-containerd.apparmor.d" pid=3673482 comm="node_exporter" requested_mask="read" denied_mask="read" peer="unconfined" ``` This PR adds a pod annotation to set the AppArmor profile to `unconfined` for the node-exporter container, allowing the necessary ptrace operations. ## Changes - Added `podAnnotations` with `container.apparmor.security.beta.kubernetes.io/node-exporter: unconfined` to the prometheus-node-exporter Helm values' change_url: https://github.com/vexxhost/atmosphere/pull/3493 commit_id: 3fce881c0ec964c18fc0766d78562e02e4dffa01 patchset: 3fce881c0ec964c18fc0766d78562e02e4dffa01 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null change: '3493' change_message: 'fix(kube_prometheus_stack): set AppArmor to unconfined for node-exporter ## Summary The node-exporter requires ptrace capabilities to collect process metrics, which is denied by the `cri-containerd.apparmor.d` AppArmor profile. This causes audit logs like: ``` audit: type=1400 audit(1769757582.095:122939): apparmor="DENIED" operation="ptrace" class="ptrace" profile="cri-containerd.apparmor.d" pid=3673482 comm="node_exporter" requested_mask="read" denied_mask="read" peer="unconfined" ``` This PR adds a pod annotation to set the AppArmor profile to `unconfined` for the node-exporter container, allowing the necessary ptrace operations. ## Changes - Added `podAnnotations` with `container.apparmor.security.beta.kubernetes.io/node-exporter: unconfined` to the prometheus-node-exporter Helm values' change_url: https://github.com/vexxhost/atmosphere/pull/3493 child_jobs: [] commit_id: 3fce881c0ec964c18fc0766d78562e02e4dffa01 event_id: 03510710-fdc2-11f0-903e-be0ca2c97621 executor: hostname: 3a2793d2bd32 inventory_file: /var/lib/zuul/builds/e8dd750f1702412b93df50514a4c08cd/ansible/inventory.yaml log_root: /var/lib/zuul/builds/e8dd750f1702412b93df50514a4c08cd/work/logs result_data_file: /var/lib/zuul/builds/e8dd750f1702412b93df50514a4c08cd/work/results.json src_root: /var/lib/zuul/builds/e8dd750f1702412b93df50514a4c08cd/work/src work_root: /var/lib/zuul/builds/e8dd750f1702412b93df50514a4c08cd/work include_vars: [] items: - branch: main change: '3493' change_message: 'fix(kube_prometheus_stack): set AppArmor to unconfined for node-exporter ## Summary The node-exporter requires ptrace capabilities to collect process metrics, which is denied by the `cri-containerd.apparmor.d` AppArmor profile. This causes audit logs like: ``` audit: type=1400 audit(1769757582.095:122939): apparmor="DENIED" operation="ptrace" class="ptrace" profile="cri-containerd.apparmor.d" pid=3673482 comm="node_exporter" requested_mask="read" denied_mask="read" peer="unconfined" ``` This PR adds a pod annotation to set the AppArmor profile to `unconfined` for the node-exporter container, allowing the necessary ptrace operations. ## Changes - Added `podAnnotations` with `container.apparmor.security.beta.kubernetes.io/node-exporter: unconfined` to the prometheus-node-exporter Helm values' change_url: https://github.com/vexxhost/atmosphere/pull/3493 commit_id: 3fce881c0ec964c18fc0766d78562e02e4dffa01 patchset: 3fce881c0ec964c18fc0766d78562e02e4dffa01 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null job: atmosphere-molecule-csi-rbd jobtags: [] max_attempts: 3 message: Zml4KGt1YmVfcHJvbWV0aGV1c19zdGFjayk6IHNldCBBcHBBcm1vciB0byB1bmNvbmZpbmVkIGZvciBub2RlLWV4cG9ydGVyCgojIyBTdW1tYXJ5CgpUaGUgbm9kZS1leHBvcnRlciByZXF1aXJlcyBwdHJhY2UgY2FwYWJpbGl0aWVzIHRvIGNvbGxlY3QgcHJvY2VzcyBtZXRyaWNzLCB3aGljaCBpcyBkZW5pZWQgYnkgdGhlIGBjcmktY29udGFpbmVyZC5hcHBhcm1vci5kYCBBcHBBcm1vciBwcm9maWxlLiBUaGlzIGNhdXNlcyBhdWRpdCBsb2dzIGxpa2U6CgpgYGAKYXVkaXQ6IHR5cGU9MTQwMCBhdWRpdCgxNzY5NzU3NTgyLjA5NToxMjI5MzkpOiBhcHBhcm1vcj0iREVOSUVEIiBvcGVyYXRpb249InB0cmFjZSIgY2xhc3M9InB0cmFjZSIgcHJvZmlsZT0iY3JpLWNvbnRhaW5lcmQuYXBwYXJtb3IuZCIgcGlkPTM2NzM0ODIgY29tbT0ibm9kZV9leHBvcnRlciIgcmVxdWVzdGVkX21hc2s9InJlYWQiIGRlbmllZF9tYXNrPSJyZWFkIiBwZWVyPSJ1bmNvbmZpbmVkIgpgYGAKClRoaXMgUFIgYWRkcyBhIHBvZCBhbm5vdGF0aW9uIHRvIHNldCB0aGUgQXBwQXJtb3IgcHJvZmlsZSB0byBgdW5jb25maW5lZGAgZm9yIHRoZSBub2RlLWV4cG9ydGVyIGNvbnRhaW5lciwgYWxsb3dpbmcgdGhlIG5lY2Vzc2FyeSBwdHJhY2Ugb3BlcmF0aW9ucy4KCiMjIENoYW5nZXMKCi0gQWRkZWQgYHBvZEFubm90YXRpb25zYCB3aXRoIGBjb250YWluZXIuYXBwYXJtb3Iuc2VjdXJpdHkuYmV0YS5rdWJlcm5ldGVzLmlvL25vZGUtZXhwb3J0ZXI6IHVuY29uZmluZWRgIHRvIHRoZSBwcm9tZXRoZXVzLW5vZGUtZXhwb3J0ZXIgSGVsbSB2YWx1ZXM= patchset: 3fce881c0ec964c18fc0766d78562e02e4dffa01 pipeline: check playbook_context: playbook_projects: trusted/project_0/vexxhost.dev/zuul-config: canonical_name: vexxhost.dev/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b trusted/project_1/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: d73b78cc624f363c6b7fcfe833f2db4571e4e979 trusted/project_2/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_0/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_1/vexxhost.dev/zuul-config: canonical_name: vexxhost.dev/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b untrusted/project_2/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: d73b78cc624f363c6b7fcfe833f2db4571e4e979 untrusted/project_3/github.com/vexxhost/atmosphere: canonical_name: github.com/vexxhost/atmosphere checkout: main commit: 3fce881c0ec964c18fc0766d78562e02e4dffa01 untrusted/project_4/opendev.org/openstack/openstack-helm: canonical_name: opendev.org/openstack/openstack-helm checkout: master commit: 078840392dcd130024e126ed6aa2b402eff95837 playbooks: - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/playbook_0/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/playbook_0/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/playbook_0/role_2/zuul-jobs/roles post_review: false post_timeout: null pre_timeout: null project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere projects: github.com/vexxhost/atmosphere: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere checkout: main checkout_description: zuul branch commit: 3fce881c0ec964c18fc0766d78562e02e4dffa01 name: vexxhost/atmosphere required: false short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere ref: refs/pull/3493/head resources: {} tenant: oss timeout: 1800 topic: null voting: true