Open derekbit opened 1 month ago
Do we need the Longhorn 1.7.0 chart for Rancher, @derekbit? IIRC x.x.0 will not be released to the Rancher App Marketplace.
@innobead According to our latest policy for a stable version, a feature release can be marked as a stable version. Do we need to release to the Rancher App Marketplace after it is marked as stable?
Run e2e regression for pre-GA milestones (install, upgrade):
v1.7.0-rc1 amd64: 9 failures
v1.7.0-rc1 arm64: 8 failures
v1.7.0-rc1 amd64 upgrade: 8 failures
v1.7.0-rc1 arm64 upgrade: 8 failures
v1.7.0-rc2 amd64: 2 failures
v1.7.0-rc2 arm64: 3 failures
v1.7.0-rc2 amd64 upgrade: 2 failures
v1.7.0-rc2 arm64 upgrade: 2 failures
v1.7.0-rc3 amd64: 1 failure
v1.7.0-rc3 arm64: 0 failures
v1.7.0-rc3 amd64 upgrade: 0 failures
v1.7.0-rc3 arm64 upgrade: 0 failures
v1.7.0-rc4 amd64: 0 failures
v1.7.0-rc4 arm64: 1 failure
v1.7.0-rc4 amd64 upgrade: 1 failure
v1.7.0-rc4 arm64 upgrade: 1 failure
Run security testing of container images for pre-GA milestones:
v1.7.0-rc1: 9 CRITICAL, 44 HIGH
v1.7.0-rc2: 9 CRITICAL, 20 HIGH
v1.7.0-rc3: 7 CRITICAL, 23 HIGH
v1.7.0-rc4: 7 CRITICAL, 22 HIGH
> Run security testing of container images for pre-GA milestones:
> v1.7.0-rc1: 9 CRITICAL, 44 HIGH
> v1.7.0-rc2: 9 CRITICAL, 20 HIGH
> v1.7.0-rc3: 7 CRITICAL, 23 HIGH
> ref: #8976
@derekbit Should we fix the CVE issues in csi components?
csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-node-driver-registrar-v2.10.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-provisioner-v4.0.1.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
csi-resizer-v1.11.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
csi-snapshotter-v7.0.2.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
openshift-origin-oauth-proxy-4.15.CVE-2024-24790.stdlib-1.20.10 [CRITICAL]
livenessprobe-v2.12.0.CVE-2024-24790.stdlib-1.21.5 [CRITICAL]
Sure. @c3y1huang Can you help fix the CVE issues? Thank you.
For external components, we will only address the CVEs if the fixes are included in the highest minor/patched version upstream. More details are included in the analysis and action summary.
cc @derekbit @yangchiu
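To make the rule above concrete, here is an added Python triage script (not Longhorn's code and not from this thread): it parses findings in the `<image>-<tag>.<CVE>.stdlib-<go version> [SEVERITY]` shape quoted in the comment above and flags a sidecar for a bump only when the newest upstream build already carries the fix; everything else is deferred. The Go fix versions for CVE-2024-24790 (1.21.11 and 1.22.4, from the upstream Go fix) and the "latest upstream build" table are assumptions passed in as constructed input, so an image on an older Go minor line with no backport (the 1.20.x one above) correctly stays unfixed.

```python
import re
from dataclasses import dataclass

# One scanner summary line, e.g. csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]
FINDING_RE = re.compile(
    r"^(?P<image>.+?)-(?P<tag>v?\d[\w.]*)\.(?P<cve>CVE-\d{4}-\d+)"
    r"\.stdlib-(?P<go>\d+\.\d+\.\d+) \[(?P<sev>[A-Z]+)\]$"
)

@dataclass(frozen=True)
class Finding:
    image: str
    tag: str
    cve: str
    go: tuple      # Go stdlib version the image was built with, as (major, minor, patch)
    severity: str

def parse_version(s):
    return tuple(int(p) for p in s.split("."))

def parse_finding(line):
    m = FINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding: {line!r}")
    return Finding(m["image"], m["tag"], m["cve"], parse_version(m["go"]), m["sev"])

def is_fixed(go, fixed_versions):
    """True only if `go` is on a minor line that received the fix and is at/after it."""
    return any(go[:2] == f[:2] and go >= f for f in fixed_versions)

def triage(lines, fixed, latest_upstream):
    """Map image -> action. fixed: {cve: [fixed Go versions]};
    latest_upstream: {image: (tag, go version)} for the newest upstream release."""
    actions = {}
    for f in map(parse_finding, lines):
        if is_fixed(f.go, fixed.get(f.cve, [])):
            actions[f.image] = "already-fixed"          # stale scanner data, nothing to do
            continue
        up = latest_upstream.get(f.image)
        if up and is_fixed(up[1], fixed.get(f.cve, [])):
            actions[f.image] = f"bump to {up[0]}"        # upstream fix exists: rebuild on it
        else:
            actions[f.image] = "defer (no upstream fix)"  # wait for upstream, per the rule
    return actions

# Constructed sample input: two lines from the thread plus one fixed-up build; the
# fix table and upstream table are assumptions, not real release data.
SAMPLE_FINDINGS = [
    "csi-attacher-v4.6.1.CVE-2024-24790.stdlib-1.22.3 [CRITICAL]",
    "openshift-origin-oauth-proxy-4.15.CVE-2024-24790.stdlib-1.20.10 [CRITICAL]",
    "livenessprobe-v2.12.0.CVE-2024-24790.stdlib-1.22.4 [CRITICAL]",
]
FIXED = {"CVE-2024-24790": [(1, 21, 11), (1, 22, 4)]}
LATEST_UPSTREAM = {"csi-attacher": ("v4.6.1-hypothetical", (1, 22, 5))}
```

Running `triage(SAMPLE_FINDINGS, FIXED, LATEST_UPSTREAM)` yields a bump for csi-attacher, a deferral for the oauth-proxy image, and "already-fixed" for the livenessprobe line.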
@derekbit For now, it seems we treat CVE fixes differently for external embedded images such as CSI sidecars. I would recommend having a WIKI page to explain the rule we are following right now. For example:
I just updated the rule to https://github.com/longhorn/longhorn/wiki/CVE-Security-Vulnerability-Resolution#release-cadence-for-fixing-cve-issues. Feel free to update it over time. @derekbit @c3y1huang
Verify longhorn chart PR to ensure all artifacts are ready for GA (install, upgrade)
Verified pass in below actions
Run core testing (install, upgrade) for the GA build:
v1.7.0 amd64: 0 failures
v1.7.0 arm64: 0 failures
v1.7.0 amd64 upgrade: 0 failures
v1.7.0 arm64 upgrade: 0 failures
v1.7.0 amd64 2-stage upgrade: 0 failures
v1.7.0 arm64 2-stage upgrade: 0 failures
Let's wait for 2 weeks to gather feedback about 1.7.0 and determine if we can mark v1.7.0 as a stable version.
@PhanLe1010 and @mantissahz @roger-ryao @rebeccazzzz Let's continue the post release tasks and rancher chart release after it is marked as stable. Thank you.
cc @innobead
Since we concluded that 1.7.0 is not stable, I am thinking of skipping the update of this version in the upgrade responder server. Is it ok? @derekbit @innobead
Sure from my side. WDYT? @innobead
What's the task? Please describe.
Action items for releasing v<1.7.0>

Roles
Describe the sub-tasks.

Pre-Release
The Release Captain needs to finish the following items.
The QA captain needs to coordinate the following items before the GA release.
(install, upgrade) @yangchiu
(install, upgrade)

Release
The Release Captain needs to finish the following items.
latest release in longhorn/longhorn README.md
stable release

Post-Release
After marking the release as a stable release, the Release Captain needs to coordinate the following items.

Rancher Charts
The Release Captain needs to coordinate the following items.

cc @longhorn/qa @longhorn/dev