fix: cleanup old redhat kernels (#152)

* fix: cleanup old redhat kernels

* fix: remove also of kernel where semver version is less that the latest

* ci: Bump VM version to 1.2.7 and KMS version to 4.18.0

* ci: neither AWS nor GCP RedHat VM has a kernel-uki-virt package

* chore: test KMS packages installation

* Revert "chore: test KMS packages installation"

This reverts commit f2d9359.

.github/scripts/aws-packer-build.sh

@@ -3,11 +3,11 @@
 # Only for testing, DO NOT UNCOMMENT
 # DISTRIBUTION=rhel
 # PRODUCT=cosmian-vm
-# VERSION=0.1.6 # Optional
-# KMS_VERSION=4.17.0 # Provided by Github workflow
+# VERSION=0.1.7 # Optional
+# KMS_VERSION=4.18.0 # Provided by Github workflow
 # AI_RUNNER_VERSION=0.3.0 # Provided by Github workflow
-# GITHUB_REF=refs/tags/1.2.6 # Provided by Github Actions
-# GITHUB_REF_NAME=1.2.6 # Provided by Github Actions
+# GITHUB_REF=refs/tags/1.2.7 # Provided by Github Actions
+# GITHUB_REF_NAME=1.2.7 # Provided by Github Actions
 # IMAGE_NAME="cosmian-vm-${GITHUB_REF_NAME}-sev-${DISTRIBUTION}" # Only for testing
 
 set -ex

.github/scripts/azure-new-instance.sh

@@ -28,7 +28,7 @@ if [ "$TECHNO" = "tdx" ]; then
     --ssh-key-values "$SSH_PUB_KEY"
 else
   IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/cosmian-vm-${DISTRIB}-${TECHNO}/versions/0.0.0"
-  IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/base-image-${DISTRIB}-${TECHNO}/versions/0.1.6"
+  IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/base-image-${DISTRIB}-${TECHNO}/versions/0.1.7"
 
   if [ "$DISTRIB" = "ubuntu" ]; then
     # Ubuntu SEV

.github/scripts/push_packages.sh

@@ -2,7 +2,7 @@
 
 set -ex
 
-VERSION=1.2.6
+VERSION=1.2.7
 
 set -x
 if [[ "${GITHUB_REF}" =~ 'refs/tags/' ]]; then

.github/workflows/aws_base_main.yml

@@ -22,4 +22,4 @@ jobs:
       techno: sev
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.6
+      base-version: 0.1.7

.github/workflows/aws_main.yml

@@ -28,7 +28,7 @@ jobs:
       techno: sev
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
 
   post-clean-resources:

.github/workflows/azure_base_main.yml

@@ -26,6 +26,6 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.6
+      base-version: 0.1.7
       kms-version: 0.0.0
       ai-runner-version: 0.0.0

.github/workflows/azure_main.yml

@@ -28,7 +28,7 @@ jobs:
       techno: sev
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
 
   post-clean-resources:

.github/workflows/gcp_base_main.yml

@@ -26,4 +26,4 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      base-version: 0.1.6
+      base-version: 0.1.7

.github/workflows/gcp_main.yml

@@ -33,7 +33,7 @@ jobs:
       min-cpu-platform: AMD Milan
       mode: beta
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
 
   post-clean-gcp-resources:

.github/workflows/nightly_aws_main.yml

@@ -33,9 +33,9 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.6
+      base-version: 0.1.7
 
   # Too many failures when rebooting EC2
   # ansible:
@@ -60,7 +60,7 @@ jobs:
   #     techno: sev
   #     distrib: ${{ matrix.distrib }}
   #     product: ${{ matrix.product }}
-  #     kms-version: 4.17.0
+  #     kms-version: 4.18.0
   #     ai-runner-version: 0.3.0
 
   post-clean-resources:

.github/workflows/nightly_azure_main.yml

@@ -37,9 +37,9 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.6
+      base-version: 0.1.7
 
   ansible:
     if: startsWith(github.ref, 'refs/tags/') != true
@@ -64,7 +64,7 @@ jobs:
       techno: ${{ matrix.techno }}
       distrib: ${{ matrix.distrib }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
 
   post-clean-resources:

.github/workflows/nightly_gcp_main.yml

@@ -53,9 +53,9 @@ jobs:
       min-cpu-platform: ${{ matrix.min-cpu-platform }}
       mode: ${{ matrix.mode }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
-      base-version: 0.1.6
+      base-version: 0.1.7
 
   ansible:
     if: startsWith(github.ref, 'refs/tags/') != true
@@ -98,7 +98,7 @@ jobs:
       min-cpu-platform: ${{ matrix.min-cpu-platform }}
       mode: ${{ matrix.mode }}
       product: ${{ matrix.product }}
-      kms-version: 4.17.0
+      kms-version: 4.18.0
       ai-runner-version: 0.3.0
 
   post-clean-gcp-resources:

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.2.7] - 2024-09-12
+
+### 🐛 Bug Fixes
+
+- Cleanup old RedHat kernels for Azure certification process ([#150](https://github.com/Cosmian/cosmian_vm/pull/150))
+
+### 🧪 CI
+
+- Bump KMS version to 4.18.0
+- Small fix about tags detection in Bash ([#152](https://github.com/Cosmian/cosmian_vm/pull/152))
+
 ## [1.2.6] - 2024-09-06
 
 ### 🚀 Features
@@ -10,7 +21,7 @@ All notable changes to this project will be documented in this file.
 
 ### 🐛 Bug Fixes
 
-- Upgrade GCP official images to last versions ([#149](https://github.com/Cosmian/cosmian_vm/pull/149)) and use Cosmian base image 0.1.6:
+- Du to [CVE-2024-6387](https://ubuntu.com/security/CVE-2024-6387), upgrade GCP official images to last versions ([#149](https://github.com/Cosmian/cosmian_vm/pull/149)) and use Cosmian base image 0.1.6:
   - ubuntu-2404-noble-amd64-v20240523a -> ubuntu-2404-noble-amd64-v20240830
   - rhel-9-v20240515 -> rhel-9-v20240815
 

CHANGELOG_BASE_IMAGES.md

@@ -1,8 +1,12 @@
 # Cosmian Base Image Changelog
 
+## [0.1.7] - 2024-09-12
+
+- Du to Azure certification process, remove all old linux kernels on Redhat images ([#152](https://github.com/Cosmian/cosmian_vm/pull/152))
+
 ## [0.1.6] - 2024-09-06
 
-- Upgrade GCP official images to last versions: ([#149](https://github.com/Cosmian/cosmian_vm/pull/149))
+- Du to [CVE-2024-6387](https://ubuntu.com/security/CVE-2024-6387), upgrade GCP official images to last versions: ([#149](https://github.com/Cosmian/cosmian_vm/pull/149))
   - ubuntu-2404-noble-amd64-v20240523a -> ubuntu-2404-noble-amd64-v20240830
   - rhel-9-v20240515 -> rhel-9-v20240815
 

Cargo.toml

@@ -9,7 +9,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "1.2.6"
+version = "1.2.7"
 edition = "2021"
 license = "BUSL-1.1"
 license-file = "LICENSE"

README.md

@@ -127,7 +127,7 @@ aws ec2 describe-images --output json > aws_list.json
 | Azure - AMD SEV   |                Redhat-rhel-cvm-9_3_cvm_sev_snp                |  Redhat  | 9.3.2023111017  | base-image-rhel-sev   | X.Y.Z   |
 
 ```sh
-az vm list> azure_list.json
+az vm image list --all > azure_list.json
 ```
 
 #### Update Unified Kernel Image: UKI
@@ -139,11 +139,11 @@ Links:
 
 ### GCP images
 
-|                 |           Official image           | OS image | OS version | Cosmian base image          |
-| :-------------- | :--------------------------------: | :------: | ---------- | --------------------------- |
-| GCP - Intel TDX |     ubuntu-2204-tdx-v20240220      |  Ubuntu  | 22.04      | base-image-X-Y-Z-ubuntu-tdx |
+|                 |          Official image           | OS image | OS version | Cosmian base image          |
+| :-------------- | :-------------------------------: | :------: | ---------- | --------------------------- |
+| GCP - Intel TDX |     ubuntu-2204-tdx-v20240220     |  Ubuntu  | 22.04      | base-image-X-Y-Z-ubuntu-tdx |
 | GCP - AMD SEV   | ubuntu-2404-noble-amd64-v20240830 |  Ubuntu  | 24.04      | base-image-X-Y-Z-ubuntu-sev |
-| GCP - AMD SEV   |          rhel-9-v20240815          |  Redhat  | 9.3        | base-image-X-Y-Z-rhel-sev   |
+| GCP - AMD SEV   |         rhel-9-v20240815          |  Redhat  | 9.3        | base-image-X-Y-Z-rhel-sev   |
 
 ```sh
 gcloud compute images list > gcloud_list.json
@@ -349,6 +349,7 @@ cosmian_vm --url https://my_app.dev app restart
 
 | Base image | Cosmian VM | Cosmian KMS | Cosmian AI Runner |
 | ---------- | ---------- | ----------- | ----------------- |
+| 0.1.7      | 1.2.7      | 4.18.0      | 0.3.0             |
 | 0.1.6      | 1.2.6      | 4.17.0      | 0.3.0             |
 | 0.1.5      | 1.2.5      | 4.17.0      | 0.3.0             |
 | 0.1.5      | 1.2.4      | 4.16.0      | 0.3.0             |

ansible/group_vars/all.yml

@@ -1,8 +1,8 @@
 ---
-cosmian_vm_version: 1.2.6
-package_version: 1.2.6
-cosmian_kms_version: 4.17.0
-kms_package_version: 4.17.0
+cosmian_vm_version: 1.2.7
+package_version: 1.2.7
+cosmian_kms_version: 4.18.0
+kms_package_version: 4.18.0
 cosmian_ai_runner_version: 0.3.0
 
 nginx_user: root

ansible/roles/cleanup/tasks/main.yml

@@ -49,3 +49,47 @@
 - name: Display home directories
   ansible.builtin.debug:
     var: home_folders
+
+- name: Clean old kernel images
+  tags: clean_old_kernels
+  when: ansible_distribution == 'RedHat'
+  block:
+    - name: Get installed versions of all packages
+      ansible.builtin.package_facts:
+        manager: auto
+      register: installed_packages
+
+    - name: Display kernel version
+      ansible.builtin.debug:
+        msg: "echo {{ ansible_kernel }}"
+
+    - name: Extract version from ansible_kernel
+      ansible.builtin.set_fact:
+        kernel_release: "{{ ansible_kernel | regex_search('([0-9]+\\.[0-9]+\\.[0-9]+\\.[a-zA-Z0-9_]+)') }}"
+
+    - name: Extract main kernel version (X.Y.Z)
+      ansible.builtin.set_fact:
+        kernel_main_version: "{{ ansible_kernel | regex_search('^[0-9]+\\.[0-9]+\\.[0-9]+') }}"
+
+    - name: Show extracted kernel info
+      ansible.builtin.debug:
+        msg: "Extracted kernel version: {{ kernel_main_version }} and {{ kernel_release }}"
+      tags: clean_old_kernels
+
+    - name: Remove old installed kernel-modules-core versions
+      ansible.builtin.dnf:
+        name: "{{ item.name }}-{{ item.version }}-{{ item.release }}"
+        state: absent
+      with_items: "{{ installed_packages['ansible_facts']['packages']['kernel-modules-core'] }}"
+      when: item.release is version(kernel_release, '<') or item.version is version(kernel_main_version, '<')
+
+    - name: Get installed versions of all packages after cleanup
+      ansible.builtin.package_facts:
+        manager: auto
+      register: installed_packages
+
+    - name: Fail if old kernel-modules-core versions are found
+      ansible.builtin.fail:
+        name: Old version found {{ item.name }}-{{ item.version }}-{{ item.release }}
+      with_items: "{{ installed_packages['ansible_facts']['packages']['kernel-modules-core'] }}"
+      when: item.release is version(kernel_release, '<') or item.version is version(kernel_main_version, '<')