Add Rocky Linux security repositories

Author: priteau

etc/kayobe/dnf.yml

@@ -193,6 +193,15 @@ dnf_custom_repos_rocky_9:
     gpgcheck: yes
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
+  security:
+    baseurl: "{{ stackhpc_repo_rocky_9_security_url }}"
+    description: "Rocky Linux $releasever - Security"
+    enabled: "{{ dnf_enable_rocky_security | bool }}"
+    file: rocky-security
+    gpgkey: "{{ rocky_9_gpg_key }}"
+    gpgcheck: yes
+    username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
+    password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
   security-common:
     baseurl: "{{ stackhpc_repo_rocky_9_sig_security_common_url }}"
     description: "Rocky Linux $releasever - SIG Security Common"
@@ -276,6 +285,9 @@ dnf_enable_docker: true
 # systems only.
 dnf_install_doca: "{{ 'mlnx' in group_names }}"
 
+# Whether to enable the Rocky Linux security repository.
+dnf_enable_rocky_security: false
+
 ###############################################################################
 # DNF Automatic configuration.
 

etc/kayobe/environments/ci-aio/stackhpc-ci.yml

@@ -58,6 +58,7 @@ stackhpc_repo_rocky_9_baseos_version: "{{ stackhpc_pulp_repo_rocky_9_baseos_vers
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_pulp_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_noble_security_version: "{{ stackhpc_pulp_repo_ubuntu_noble_security_version }}"

etc/kayobe/environments/ci-builder/stackhpc-ci.yml

@@ -90,6 +90,7 @@ stackhpc_repo_rocky_9_baseos_version: "{{ stackhpc_pulp_repo_rocky_9_baseos_vers
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_pulp_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_noble_security_version: "{{ stackhpc_pulp_repo_ubuntu_noble_security_version }}"

etc/kayobe/environments/ci-multinode/stackhpc-ci.yml

@@ -50,6 +50,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls

etc/kayobe/pulp-repo-versions.yml

@@ -73,6 +73,9 @@ stackhpc_pulp_repo_rocky_10_1_extras_version: 20260226T235218
 stackhpc_pulp_repo_rocky_10_1_highavailability_aarch64_version: 20260506T232721
 stackhpc_pulp_repo_rocky_10_1_highavailability_source_version: 20260428T223954
 stackhpc_pulp_repo_rocky_10_1_highavailability_version: 20260506T223941
+stackhpc_pulp_repo_rocky_10_1_security_aarch64_version: 20260510T225242
+stackhpc_pulp_repo_rocky_10_1_security_source_version: 20260510T222658
+stackhpc_pulp_repo_rocky_10_1_security_version: 20260510T223302
 stackhpc_pulp_repo_rocky_9_1_appstream_version: 20231207T013715
 stackhpc_pulp_repo_rocky_9_1_baseos_version: 20231206T014015
 stackhpc_pulp_repo_rocky_9_1_crb_version: 20231211T120328
@@ -128,6 +131,9 @@ stackhpc_pulp_repo_rocky_9_7_extras_version: 20260226T231043
 stackhpc_pulp_repo_rocky_9_7_highavailability_aarch64_version: 20260506T224443
 stackhpc_pulp_repo_rocky_9_7_highavailability_source_version: 20260429T221435
 stackhpc_pulp_repo_rocky_9_7_highavailability_version: 20260506T215314
+stackhpc_pulp_repo_rocky_9_7_security_aarch64_version: 20260510T220648
+stackhpc_pulp_repo_rocky_9_7_security_source_version: 20260510T215711
+stackhpc_pulp_repo_rocky_9_7_security_version: 20260510T213653
 stackhpc_pulp_repo_rocky_9_sig_security_common_aarch64_version: 20260305T225932
 stackhpc_pulp_repo_rocky_9_sig_security_common_source_version: 20260305T224636
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20260305T222525

etc/kayobe/pulp.yml

@@ -217,18 +217,21 @@ stackhpc_pulp_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_app
 stackhpc_pulp_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_extras_x86_64_version }}"
 stackhpc_pulp_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_crb_x86_64_version }}"
 stackhpc_pulp_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_highavailability_x86_64_version }}"
+stackhpc_pulp_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_security_x86_64_version }}"
 
 # Rocky 9 architecture-specific snapshot versions.
 stackhpc_pulp_repo_rocky_9_baseos_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_baseos_version') }}"
 stackhpc_pulp_repo_rocky_9_appstream_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_appstream_version') }}"
 stackhpc_pulp_repo_rocky_9_extras_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_extras_version') }}"
 stackhpc_pulp_repo_rocky_9_crb_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_crb_version') }}"
 stackhpc_pulp_repo_rocky_9_highavailability_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_highavailability_version') }}"
+stackhpc_pulp_repo_rocky_9_security_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_security_version') }}"
 stackhpc_pulp_repo_rocky_9_baseos_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_baseos_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_appstream_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_appstream_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_extras_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_extras_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_crb_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_crb_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_highavailability_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_highavailability_aarch64_version') }}"
+stackhpc_pulp_repo_rocky_9_security_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_security_aarch64_version') }}"
 
 # Rocky 9 Multiarch repositories
 #NOTE(bbezak): Versioned Erlang repos (aarch64 only). Fallback to generic Erlang version if not defined.
@@ -270,18 +273,21 @@ stackhpc_pulp_repo_rocky_10_baseos_version: "{{ stackhpc_pulp_repo_rocky_10_base
 stackhpc_pulp_repo_rocky_10_extras_version: "{{ stackhpc_pulp_repo_rocky_10_extras_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_extras_x86_64_version }}"
 stackhpc_pulp_repo_rocky_10_crb_version: "{{ stackhpc_pulp_repo_rocky_10_crb_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_crb_x86_64_version }}"
 stackhpc_pulp_repo_rocky_10_highavailability_version: "{{ stackhpc_pulp_repo_rocky_10_highavailability_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_highavailability_x86_64_version }}"
+stackhpc_pulp_repo_rocky_10_security_version: "{{ stackhpc_pulp_repo_rocky_10_security_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_security_x86_64_version }}"
 
 # Rocky 10 architecture-specific snapshot versions.
 stackhpc_pulp_repo_rocky_10_appstream_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_appstream_version') }}"
 stackhpc_pulp_repo_rocky_10_baseos_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_baseos_version') }}"
 stackhpc_pulp_repo_rocky_10_extras_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_extras_version') }}"
 stackhpc_pulp_repo_rocky_10_crb_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_crb_version') }}"
 stackhpc_pulp_repo_rocky_10_highavailability_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_highavailability_version') }}"
+stackhpc_pulp_repo_rocky_10_security_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_security_version') }}"
 stackhpc_pulp_repo_rocky_10_appstream_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_appstream_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_baseos_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_baseos_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_extras_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_extras_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_crb_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_crb_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_highavailability_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_highavailability_aarch64_version') }}"
+stackhpc_pulp_repo_rocky_10_security_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_security_aarch64_version') }}"
 
 # Rocky 10 Multiarch repositories
 stackhpc_pulp_repo_multiarch_centos_stream_10_nfv_openvswitch_version: "{{ lookup('vars', 'stackhpc_pulp_repo_centos_stream_10_nfv_openvswitch' ~ arch_suffix ~ '_version') }}"
@@ -436,6 +442,18 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/9/highavailability/aarch64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
 
+  - name: Rocky Linux 9 - Security
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}/security/x86_64/os/{{ stackhpc_pulp_repo_rocky_9_security_x86_64_version }}"
+    distribution_name: "rocky-9-security-"
+    base_path: "rocky/9/security/x86_64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'x86_64' in stackhpc_pulp_rpm_architectures }}"
+
+  - name: Rocky Linux 9 - Security - aarch64
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}/security/aarch64/os/{{ stackhpc_pulp_repo_rocky_9_security_aarch64_version }}"
+    distribution_name: "rocky-9-security-aarch64-"
+    base_path: "rocky/9/security/aarch64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
+
   - name: Rocky Linux 9 - SIG Security Common
     url: "{{ stackhpc_release_pulp_content_url }}/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
     distribution_name: rocky-9-sig-security-common-
@@ -638,6 +656,18 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/10/highavailability/aarch64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
 
+  - name: Rocky Linux 10 - Security
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/10.{{ stackhpc_pulp_repo_rocky_10_minor_version }}/security/x86_64/os/{{ stackhpc_pulp_repo_rocky_10_security_x86_64_version }}"
+    distribution_name: "rocky-10-security-"
+    base_path: "rocky/10/security/x86_64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'x86_64' in stackhpc_pulp_rpm_architectures }}"
+
+  - name: Rocky Linux 10 - Security - aarch64
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/10.{{ stackhpc_pulp_repo_rocky_10_minor_version }}/security/aarch64/os/{{ stackhpc_pulp_repo_rocky_10_security_aarch64_version }}"
+    distribution_name: "rocky-10-security-aarch64-"
+    base_path: "rocky/10/security/aarch64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
+
   # Additional CentOS Stream 10 repositories
   - name: CentOS Stream 10 - NFV OpenvSwitch
     url: "{{ stackhpc_release_pulp_content_url }}/centos/10-stream/nfv/x86_64/openvswitch-2/{{ stackhpc_pulp_repo_centos_stream_10_nfv_openvswitch_version }}"

etc/kayobe/stackhpc.yml

@@ -141,6 +141,10 @@ stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_9_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/highavailability/$basearch/os/{{ stackhpc_repo_rocky_9_highavailability_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 9 Security
+stackhpc_repo_rocky_9_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/security/$basearch/os/{{ stackhpc_repo_rocky_9_security_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_repo_distribution }}"
+
 # Rocky 9 SIG Security Common
 stackhpc_repo_rocky_9_sig_security_common_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/sig/9/security/$basearch/security-common/{{ stackhpc_repo_rocky_9_sig_security_common_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_repo_distribution }}"
@@ -173,6 +177,10 @@ stackhpc_repo_rocky_10_crb_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_10_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_10_url_version }}/highavailability/$basearch/os/{{ stackhpc_repo_rocky_10_highavailability_version }}"
 stackhpc_repo_rocky_10_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 10 Security
+stackhpc_repo_rocky_10_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_10_url_version }}/security/$basearch/os/{{ stackhpc_repo_rocky_10_security_version }}"
+stackhpc_repo_rocky_10_security_version: "{{ stackhpc_repo_distribution }}"
+
 # CentOS Stream 10 - NFV OpenvSwitch
 stackhpc_repo_centos_stream_10_nfv_openvswitch_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/centos/10-stream/nfv/$basearch/openvswitch-2/{{ stackhpc_repo_centos_stream_10_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_10_nfv_openvswitch_version: "{{ stackhpc_repo_distribution }}"

releasenotes/notes/rocky-security-repo-3cb76d4d87b8b9f6.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds support for the `Rocky Linux security repository
+    <https://forums.rockylinux.org/t/rocky-linux-security-repository-and-dirty-frag-security-update/20435>`__.
+    This repository is disabled by default, like in Rocky Linux. It can be
+    enabled by setting ``dnf_enable_rocky_security`` to ``true``.