stackhpc · priteau · May 13, 2026
@@ -137,6 +137,15 @@ dnf_custom_repos_rocky_9:
     gpgcheck: yes
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
+  security:
+    baseurl: "{{ stackhpc_repo_rocky_9_security_url }}"
+    description: "Rocky Linux $releasever - Security"
+    enabled: "{{ dnf_enable_rocky_security | bool }}"
+    file: rocky-security
+    gpgkey: "{{ rocky_9_gpg_key }}"
+    gpgcheck: yes
+    username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
+    password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
   security-common:
     baseurl: "{{ stackhpc_repo_rocky_9_sig_security_common_url }}"
     description: "Rocky Linux $releasever - SIG Security Common"
@@ -183,6 +192,9 @@ dnf_docker_gpg_key_url: "https://download.docker.com/linux/centos/gpg"
 # systems only.
 dnf_install_doca: "{{ 'mlnx' in group_names }}"
 
+# Whether to enable the Rocky Linux security repository.
+dnf_enable_rocky_security: false
+
 ###############################################################################
 # DNF Automatic configuration.
 

@@ -46,6 +46,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 stackhpc_repo_rhel9_doca_version: "{{ stackhpc_pulp_repo_rhel9_doca_version }}"
 stackhpc_repo_rhel9_doca_modules_version: "{{ stackhpc_pulp_repo_rhel9_doca_modules_version }}"

@@ -78,6 +78,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 stackhpc_repo_rhel9_doca_version: "{{ stackhpc_pulp_repo_rhel9_doca_version }}"
 

@@ -50,6 +50,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_multiarch_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls

@@ -71,6 +71,9 @@ stackhpc_pulp_repo_rocky_10_1_extras_version: 20260226T235218
 stackhpc_pulp_repo_rocky_10_1_highavailability_aarch64_version: 20260506T232721
 stackhpc_pulp_repo_rocky_10_1_highavailability_source_version: 20260428T223954
 stackhpc_pulp_repo_rocky_10_1_highavailability_version: 20260506T223941
+stackhpc_pulp_repo_rocky_10_1_security_aarch64_version: 20260510T225242
+stackhpc_pulp_repo_rocky_10_1_security_source_version: 20260510T222658
+stackhpc_pulp_repo_rocky_10_1_security_version: 20260510T223302
 stackhpc_pulp_repo_rocky_9_1_appstream_version: 20231207T013715
 stackhpc_pulp_repo_rocky_9_1_baseos_version: 20231206T014015
 stackhpc_pulp_repo_rocky_9_1_crb_version: 20231211T120328
@@ -126,6 +129,9 @@ stackhpc_pulp_repo_rocky_9_7_extras_version: 20260226T231043
 stackhpc_pulp_repo_rocky_9_7_highavailability_aarch64_version: 20260506T224443
 stackhpc_pulp_repo_rocky_9_7_highavailability_source_version: 20260429T221435
 stackhpc_pulp_repo_rocky_9_7_highavailability_version: 20260506T215314
+stackhpc_pulp_repo_rocky_9_7_security_aarch64_version: 20260510T220648
+stackhpc_pulp_repo_rocky_9_7_security_source_version: 20260510T215711
+stackhpc_pulp_repo_rocky_9_7_security_version: 20260510T213653
 stackhpc_pulp_repo_rocky_9_sig_security_common_aarch64_version: 20260305T225932
 stackhpc_pulp_repo_rocky_9_sig_security_common_source_version: 20260305T224636
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20260305T222525

@@ -217,18 +217,21 @@ stackhpc_pulp_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_app
 stackhpc_pulp_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_extras_x86_64_version }}"
 stackhpc_pulp_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_crb_x86_64_version }}"
 stackhpc_pulp_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_highavailability_x86_64_version }}"
+stackhpc_pulp_repo_rocky_9_security_version: "{{ stackhpc_pulp_repo_rocky_9_security_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_9_security_x86_64_version }}"
 
 # Rocky 9 architecture-specific snapshot versions.
 stackhpc_pulp_repo_rocky_9_baseos_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_baseos_version') }}"
 stackhpc_pulp_repo_rocky_9_appstream_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_appstream_version') }}"
 stackhpc_pulp_repo_rocky_9_extras_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_extras_version') }}"
 stackhpc_pulp_repo_rocky_9_crb_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_crb_version') }}"
 stackhpc_pulp_repo_rocky_9_highavailability_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_highavailability_version') }}"
+stackhpc_pulp_repo_rocky_9_security_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_security_version') }}"
 stackhpc_pulp_repo_rocky_9_baseos_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_baseos_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_appstream_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_appstream_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_extras_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_extras_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_crb_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_crb_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_9_highavailability_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_highavailability_aarch64_version') }}"
+stackhpc_pulp_repo_rocky_9_security_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_9_' ~ stackhpc_pulp_repo_rocky_9_minor_version ~ '_security_aarch64_version') }}"
 
 # Rocky 9 Multiarch repositories
 #NOTE(bbezak): Versioned Erlang repos (aarch64 only). Fallback to generic Erlang version if not defined.
@@ -270,18 +273,21 @@ stackhpc_pulp_repo_rocky_10_baseos_version: "{{ stackhpc_pulp_repo_rocky_10_base
 stackhpc_pulp_repo_rocky_10_extras_version: "{{ stackhpc_pulp_repo_rocky_10_extras_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_extras_x86_64_version }}"
 stackhpc_pulp_repo_rocky_10_crb_version: "{{ stackhpc_pulp_repo_rocky_10_crb_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_crb_x86_64_version }}"
 stackhpc_pulp_repo_rocky_10_highavailability_version: "{{ stackhpc_pulp_repo_rocky_10_highavailability_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_highavailability_x86_64_version }}"
+stackhpc_pulp_repo_rocky_10_security_version: "{{ stackhpc_pulp_repo_rocky_10_security_aarch64_version if kolla_base_arch == 'aarch64' else stackhpc_pulp_repo_rocky_10_security_x86_64_version }}"
 
 # Rocky 10 architecture-specific snapshot versions.
 stackhpc_pulp_repo_rocky_10_appstream_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_appstream_version') }}"
 stackhpc_pulp_repo_rocky_10_baseos_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_baseos_version') }}"
 stackhpc_pulp_repo_rocky_10_extras_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_extras_version') }}"
 stackhpc_pulp_repo_rocky_10_crb_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_crb_version') }}"
 stackhpc_pulp_repo_rocky_10_highavailability_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_highavailability_version') }}"
+stackhpc_pulp_repo_rocky_10_security_x86_64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_security_version') }}"
 stackhpc_pulp_repo_rocky_10_appstream_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_appstream_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_baseos_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_baseos_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_extras_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_extras_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_crb_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_crb_aarch64_version') }}"
 stackhpc_pulp_repo_rocky_10_highavailability_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_highavailability_aarch64_version') }}"
+stackhpc_pulp_repo_rocky_10_security_aarch64_version: "{{ lookup('vars', 'stackhpc_pulp_repo_rocky_10_' ~ stackhpc_pulp_repo_rocky_10_minor_version ~ '_security_aarch64_version') }}"
 
 # Rocky 10 Multiarch repositories
 stackhpc_pulp_repo_multiarch_centos_stream_10_nfv_openvswitch_version: "{{ lookup('vars', 'stackhpc_pulp_repo_centos_stream_10_nfv_openvswitch' ~ arch_suffix ~ '_version') }}"
@@ -435,6 +441,18 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/9/highavailability/aarch64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
 
+  - name: Rocky Linux 9 - Security
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}/security/x86_64/os/{{ stackhpc_pulp_repo_rocky_9_security_x86_64_version }}"
+    distribution_name: "rocky-9-security-"
+    base_path: "rocky/9/security/x86_64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'x86_64' in stackhpc_pulp_rpm_architectures }}"
+
+  - name: Rocky Linux 9 - Security - aarch64
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}/security/aarch64/os/{{ stackhpc_pulp_repo_rocky_9_security_aarch64_version }}"
+    distribution_name: "rocky-9-security-aarch64-"
+    base_path: "rocky/9/security/aarch64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
+
   - name: Rocky Linux 9 - SIG Security Common
     url: "{{ stackhpc_release_pulp_content_url }}/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
     distribution_name: rocky-9-sig-security-common-
@@ -637,6 +655,18 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/10/highavailability/aarch64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
 
+  - name: Rocky Linux 10 - Security
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/10.{{ stackhpc_pulp_repo_rocky_10_minor_version }}/security/x86_64/os/{{ stackhpc_pulp_repo_rocky_10_security_x86_64_version }}"
+    distribution_name: "rocky-10-security-"
+    base_path: "rocky/10/security/x86_64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'x86_64' in stackhpc_pulp_rpm_architectures }}"
+
+  - name: Rocky Linux 10 - Security - aarch64
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/10.{{ stackhpc_pulp_repo_rocky_10_minor_version }}/security/aarch64/os/{{ stackhpc_pulp_repo_rocky_10_security_aarch64_version }}"
+    distribution_name: "rocky-10-security-aarch64-"
+    base_path: "rocky/10/security/aarch64/os/"
+    required: "{{ stackhpc_pulp_sync_rocky_10 | bool and 'aarch64' in stackhpc_pulp_rpm_architectures }}"
+
   # Additional CentOS Stream 10 repositories
   - name: CentOS Stream 10 - NFV OpenvSwitch
     url: "{{ stackhpc_release_pulp_content_url }}/centos/10-stream/nfv/x86_64/openvswitch-2/{{ stackhpc_pulp_repo_centos_stream_10_nfv_openvswitch_version }}"

@@ -141,6 +141,10 @@ stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_9_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/highavailability/$basearch/os/{{ stackhpc_repo_rocky_9_highavailability_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 9 Security
+stackhpc_repo_rocky_9_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/security/$basearch/os/{{ stackhpc_repo_rocky_9_security_version }}"
+stackhpc_repo_rocky_9_security_version: "{{ stackhpc_repo_distribution }}"
+
 # Rocky 9 SIG Security Common
 stackhpc_repo_rocky_9_sig_security_common_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/sig/9/security/$basearch/security-common/{{ stackhpc_repo_rocky_9_sig_security_common_version }}"
 stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_repo_distribution }}"
@@ -173,6 +177,10 @@ stackhpc_repo_rocky_10_crb_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_10_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_10_url_version }}/highavailability/$basearch/os/{{ stackhpc_repo_rocky_10_highavailability_version }}"
 stackhpc_repo_rocky_10_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 10 Security
+stackhpc_repo_rocky_10_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_10_url_version }}/security/$basearch/os/{{ stackhpc_repo_rocky_10_security_version }}"
+stackhpc_repo_rocky_10_security_version: "{{ stackhpc_repo_distribution }}"
+
 # CentOS Stream 10 - NFV OpenvSwitch
 stackhpc_repo_centos_stream_10_nfv_openvswitch_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/centos/10-stream/nfv/$basearch/openvswitch-2/{{ stackhpc_repo_centos_stream_10_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_10_nfv_openvswitch_version: "{{ stackhpc_repo_distribution }}"

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds support for the `Rocky Linux security repository
+    <https://forums.rockylinux.org/t/rocky-linux-security-repository-and-dirty-frag-security-update/20435>`__.
+    This repository is disabled by default, like in Rocky Linux. It can be
+    enabled by setting ``dnf_enable_rocky_security`` to ``true``.