[RELEASE] Release 1.7.0

derekbit commented 1 month ago

What's the task? Please describe.

Action items for releasing v<1.7.0>

Roles

Release captain: @derekbit
QA captain: @yangchiu

Describe the sub-tasks.

Pre-Release

The Release Captain needs to finish the following items.

[x] Before creating RC1, create a new release branch for the following component repositories, and then create RC1 from the new branch. Leave the master branch for the next feature release development (This task is only needed when doing a feature release such as 1.7.0).
- longhorn-manager
- longhorn-ui
- longhorn-tests
- longhorn-engine
- longhorn-instance-manager
- longhorn-share-manager
- backing-image-manager
- longhorn-spdk-engine (needed after GA)
[x] Trigger the GA release build by longhorn/longhorn Actions

The QA captain needs to coordinate the following items before the GA release.

[x] Regression test plan (manual)
[x] Run e2e regression for pre-GA milestones (install, upgrade) @yangchiu
[x] Run security testing of container images for pre-GA milestones @yangchiu
[x] Verify longhorn chart PR to ensure all artifacts are ready for GA (install, upgrade)
[x] Run core testing (install, upgrade) for the GA build
- Upgrade from the previous patch of the same feature release.
- Upgrade from the last patch of the previous feature release.

Release

The Release Captain needs to finish the following items.

[x] Release note - Release Captain
- [x] Deprecation note
- [x] Upgrade notes including highlighted notes, deprecation, compatible changes, and others impacting the current users
[x] Publish the new version of doc and add a next patch version of dev doc.
[x] Release longhorn/chart from the release branch to publish to ArtifactHub by longhorn/charts Actions
[x] Marked the release as latest release in longhorn/longhorn README.md
[ ] Marked the release as stable release
- For the first stable release, we need to consider several factors and reach a consensus by maintainers before claiming it stable.
- For any patch release after a stable release, we need to wait 1-2 weeks for user feedback.

Post-Release

After marking the release as a stable release, Release Captain needs to coordinate the following items

[ ] Update https://github.com/longhorn/longhorn/blob/master/deploy/upgrade_responder_server/chart-values.yaml - @PhanLe1010
[ ] Add another request for the rancher charts for the next patch release - @rebeccazzzz

Rancher Charts

The Release Captain needs to coordinate the following items.

[ ] Verify the chart can be installed & upgraded - QA captain
[ ] rancher/image-mirrors update - @mantissahz @PhanLe1010
[ ] rancher/charts active branches for Rancher App Marketplace - @mantissahz @PhanLe1010

cc @longhorn/qa @longhorn/dev

mantissahz commented 1 month ago

Do we need the Longhorn 1.7.0 chart for Rancher, @derekbit? IIRC x.x.0 will not be released to the Rancher App Marketplace.

derekbit commented 1 month ago

@innobead According to our latest policy for a stable version, the feature release is possible to be marked as a stable version. Do we need to release to Rancher App Marketplace after it is marked as table?

yangchiu commented 1 month ago

Run e2e regression for pre-GA milestones (install, upgrade):

v1.7.0-rc1 amd64: 9 failures v1.7.0-rc1 arm64: 8 failures v1.7.0-rc1 amd64 upgrade: 8 failures v1.7.0-rc1 arm64 upgrade: 8 failures

v1.7.0-rc2 amd64: 2 failures v1.7.0-rc2 arm64: 3 failures v1.7.0-rc2 amd64 upgrade: 2 failures v1.7.0-rc2 arm64 upgrade: 2 failures

v1.7.0-rc3 amd64: 1 failure v1.7.0-rc3 arm64: 0 failure v1.7.0-rc3 amd64 upgrade: 0 failure v1.7.0-rc3 arm64 upgrade: 0 failure

v1.7.0-rc4 amd64: 0 failure v1.7.0-rc4 arm64: 1 failure v1.7.0-rc4 amd64 upgrade: 1 failure v1.7.0-rc4 arm64 upgrade: 1 failure

yangchiu commented 1 month ago

Run security testing of container images for pre-GA milestones:

v1.7.0-rc1: 9 CRITICAL, 44 HIGH v1.7.0-rc2: 9 CRITICAL, 20 HIGH v1.7.0-rc3: 7 CRITICAL, 23 HIGH v1.7.0-rc4: 7 CRITICAL, 22 HIGH

ref: https://github.com/longhorn/longhorn/issues/8976

yangchiu commented 1 month ago

Run security testing of container images for pre-GA milestones:

v1.7.0-rc1: 9 CRITICAL, 44 HIGH v1.7.0-rc2: 9 CRITICAL, 20 HIGH v1.7.0-rc3: 7 CRITICAL, 23 HIGH

ref: #8976

@derekbit Should we fix the CVE issues in csi components?

csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-node-driver-registrar-v2.10.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-provisioner-v4.0.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-resizer-v1.11.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-snapshotter-v7.0.2.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
openshift-origin-oauth-proxy-4.15.CVE-2024-24790.stdlib-1.20.10 [CRITICAL]
livenessprobe-v2.12.0.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]

derekbit commented 1 month ago

Run security testing of container images for pre-GA milestones: v1.7.0-rc1: 9 CRITICAL, 44 HIGH v1.7.0-rc2: 9 CRITICAL, 20 HIGH v1.7.0-rc3: 7 CRITICAL, 23 HIGH ref: #8976

@derekbit Should we fix the CVE issues in csi components?
csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-node-driver-registrar-v2.10.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-provisioner-v4.0.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-resizer-v1.11.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-snapshotter-v7.0.2.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
openshift-origin-oauth-proxy-4.15.CVE-2024-24790.stdlib-1.20.10 [CRITICAL]
livenessprobe-v2.12.0.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]

Sure. @c3y1huang Can you help fix the CVE issues? Thank you.

c3y1huang commented 1 month ago

Run security testing of container images for pre-GA milestones: v1.7.0-rc1: 9 CRITICAL, 44 HIGH v1.7.0-rc2: 9 CRITICAL, 20 HIGH v1.7.0-rc3: 7 CRITICAL, 23 HIGH ref: #8976

@derekbit Should we fix the CVE issues in csi components?
csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-node-driver-registrar-v2.10.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-provisioner-v4.0.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-resizer-v1.11.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-snapshotter-v7.0.2.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
openshift-origin-oauth-proxy-4.15.CVE-2024-24790.stdlib-1.20.10 [CRITICAL]
livenessprobe-v2.12.0.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
Sure. @c3y1huang Can you help fix the CVE issues? Thank you.

For external components, we will only address the CVEs if the fixes are included in the highest minor/patched version upstream. More details are included in the analysis and action summary.

cc @derekbit @yangchiu

innobead commented 1 month ago

@derekbit For now, it seems we treat CVE fixes differently for external embedded images such as CSI sidecars. I would recommend having a WIKI page to explain the rule we are following right now. For example:

For the CVE issues found in Longhorn components in the current release, which have already been addressed in the corresponding libraries or packages, the fixes will be introduced in the next patch release.
For the CVE issues found in upstream components, such as CSI sidecars, in the current release, the fixes will be introduced in a subsequent patch release only when the upstream fixes are available.

innobead commented 1 month ago

I just updated the rule to https://github.com/longhorn/longhorn/wiki/CVE-Security-Vulnerability-Resolution#release-cadence-for-fixing-cve-issues. Feel free to update it over time. @derekbit @c3y1huang

chriscchien commented 2 weeks ago

Verify longhorn chart PR to ensure all artifacts are ready for GA (install, upgrade)

Verified pass in below actions

Fresh install / upgrade from v1.6.2 / uninstall by chart.
v1(RWX/RWO) / v2 volume replica rebuilding.
v1(RWX/RWO) / v2 volume detach and reattach.
Volume backup and restoration.

yangchiu commented 2 weeks ago

Run core testing (install, upgrade) for the GA build:

v1.7.0 amd64: 0 failure v1.7.0 arm64: 0 failure v1.7.0 amd64 upgrade: 0 failure v1.7.0 arm64 upgrade: 0 failure v1.7.0 amd64 2 stage upgrade: 0 failure v1.7.0 arm64 2 stage upgrade: 0 failure

derekbit commented 2 weeks ago

Let's wait for 2 weeks to gather feedback about 1.7.0 and determine if we can mark v1.7.0 as a stable version.

@PhanLe1010 and @mantissahz @roger-ryao @rebeccazzzz Let's continue the post release tasks and rancher chart release after it is marked as stable. Thank you.

cc @innobead

PhanLe1010 commented 1 week ago

Since we concluded that 1.7.0 is not stable, I am thinking to skip updating this version in the upgrade responder server. Is it ok? @derekbit @innobead

derekbit commented 1 week ago

Sure from my side. WDYT? @innobead

longhorn / longhorn