Ceph Release Process
Prerequisites
Signing Machine
The signing machine is a virtual machine in the Sepia lab. SSH access to the signing machine is limited to the usual Infrastructure Admins along with a few other component leads (e.g., nfs-ganesha, ceph-iscsi).
The ubuntu user on the machine has some build scripts that help with pulling, pushing, and signing packages.
The GPG signing key permanently lives on a Nitrokey Pro and is passed through to the VM via RHV. This helps to ensure that the key cannot be exported or leave the datacenter in any way.
New Major Releases
For each new major (alphabetical) release, you must create one ceph-release RPM for each RPM repo (e.g., one for el8 and one for el9). chacra is a python service we use to store DEB and RPM repos. The chacra repos are configured to include this ceph-release RPM, but it must be built separately. You must make sure that chacra is properly configured to include this RPM for each particular release.
Update chacra so it is aware of the new Ceph release. See this PR for an example.
Redeploy chacra (e.g.,
ansible-playbook chacra.ceph.com.yml)
Summarized build process
QE finishes testing and finds a stopping point. That commit is pushed to the
$release-releasebranch in ceph.git (e.g.,quincy-release). This allows work to continue in the working$releasebranch without having to freeze it during the release process.The Ceph Council approves and notifies the “Build Lead”.
The “Build Lead” starts the Jenkins multijob, which triggers all builds.
Packages are pushed to chacra.ceph.com.
Packages are pulled from chacra.ceph.com to the Signer VM.
Packages are signed.
Packages are pushed to download.ceph.com.
Release containers are built and pushed to quay.io.
Hotfix Release Process Deviation
A hotfix release has a couple differences.
Check out the most recent tag. For example, if we’re releasing a hotfix on top of 17.2.3,
git checkout -f -B quincy-release origin/v17.2.3git cherry-pick -xthe necessary hotfix commitsgit push -f origin quincy-releaseNotify the “Build Lead” to start the build.
The “Build Lead” should set
RELEASE_TYPE=HOTFIXinstead ofSTABLE.
Security Release Process Deviation
A security/CVE release is similar to a hotfix release with two differences:
The fix should be pushed to the ceph-private repo instead of ceph.git (requires GitHub Admin Role).
The tags (e.g., v17.2.4) must be manually pushed to ceph.git by the “Build Lead.”
Check out the most recent tag. For example, if we’re releasing a security fix on top of 17.2.3,
git checkout -f -B quincy-release origin/v17.2.3git cherry-pick -xthe necessary security fix commitsgit remote add security git@github.com:ceph/ceph-private.gitgit push -f security quincy-releaseNotify the “Build Lead” to start the build.
The “Build Lead” should set
RELEASE_TYPE=SECURITYinstead ofSTABLE.Finally, the ceph-tag steps need to be manually run by the “Build Lead” as close to the Announcement time as possible:
# Example using quincy pretending 17.2.4 is the security release version # Add the ceph-releases repo (also requires GitHub Admin Role). The `ceph-setup <https://jenkins.ceph.com/job/ceph-setup>`_ job will have already created and pushed the tag to ceph-releases.git. git remote add releases git@github.com:ceph/ceph-releases.git git fetch --all # Check out the version commit git checkout -f -B quincy-release releases/quincy-release git push -f origin quincy-release git push origin v17.2.4 # Now create a Pull Request of quincy-release targeting quincy to merge the version commit and security fixes back into the quincy branch
1. Preparing the release branch
Once QE has determined a stopping point in the working (e.g., quincy) branch, that commit should be pushed to the corresponding quincy-release branch.
Notify the “Build Lead” that the release branch is ready.
2. Starting the build
We’ll use a stable/regular 15.2.17 release of Octopus as an example throughout this document.
Browse to https://jenkins.ceph.com/view/all/job/ceph/build?delay=0sec
Log in with GitHub OAuth
Set the parameters as necessary:
BRANCH=octopus TAG=checked VERSION=15.2.17 RELEASE_TYPE=STABLE ARCHS=x86_64 arm64
Use https://docs.ceph.com/en/latest/start/os-recommendations/?highlight=debian#platforms to determine the
DISTROSparameter. For example,Release
Distro Codemap
octopus (15.X.X)
focal bionic centos7 centos8 busterpacific (16.X.X)
focal bionic centos8 buster bullseyequincy (17.X.X)
focal centos8 centos9 bullseyeClick
Build.
3. Release Notes
Packages take hours to build. Use those hours to create the Release Notes and Announcements:
ceph.git Release Notes (e.g., v15.2.17’s ceph.git (docs.ceph.com) PR)
ceph.io Release Notes (e.g., v15.2.17’s ceph.io.git (www.ceph.io) PR)
E-mail announcement
See the Ceph Tracker wiki page that explains how to write the release notes.
4. Signing and Publishing the Build
Obtain the sha1 of the version commit from the build job or the
sha1file created by the ceph-setup job.Download the packages from chacra.ceph.com to the signing virtual machine. These packages get downloaded to
/opt/reposwhere the Sepia Lab Long Running (Ceph) Cluster is mounted.ssh ubuntu@signer.front.sepia.ceph.com sync-pull ceph [pacific|quincy|etc] <sha1>
Example:
$ sync-pull ceph octopus 8a82819d84cf884bd39c17e3236e0632ac146dc4 sync for: ceph octopus ******************************************** Found the most packages (332) in ubuntu/bionic. No JSON object could be decoded No JSON object could be decoded ubuntu@chacra.ceph.com:/opt/repos/ceph/octopus/8a82819d84cf884bd39c17e3236e0632ac146dc4/ubuntu/bionic/flavors/default/* /opt/repos/ceph/octopus-15.2.17/debian/jessie/ -------------------------------------------- receiving incremental file list db/ db/checksums.db 180.22K 100% 2.23MB/s 0:00:00 (xfr#1, to-chk=463/467) db/contents.cache.db 507.90K 100% 1.95MB/s 0:00:00 (xfr#2, to-chk=462/467) db/packages.db etc...Sign the DEBs:
merfi gpg /opt/repos/ceph/octopus-15.2.17/debianExample:
$ merfi gpg /opt/repos/ceph/octopus-15.2.17/debian --> Starting path collection, looking for files to sign --> 18 matching paths found --> will sign with the following commands: --> gpg --batch --yes --armor --detach-sig --output Release.gpg Release --> gpg --batch --yes --clearsign --output InRelease Release --> signing: /opt/repos/ceph/octopus-15.2.17/debian/jessie/dists/bionic/Release --> Running command: gpg --batch --yes --armor --detach-sig --output Release.gpg Release --> Running command: gpg --batch --yes --clearsign --output InRelease Release --> signing: /opt/repos/ceph/octopus-15.2.17/debian/jessie/dists/focal/Release --> Running command: gpg --batch --yes --armor --detach-sig --output Release.gpg Release --> Running command: gpg --batch --yes --clearsign --output InRelease Release etc...
Sign the RPMs:
sign-rpms octopusExample:
$ sign-rpms octopus Checking packages in: /opt/repos/ceph/octopus-15.2.17/centos/7 signing: /opt/repos/ceph/octopus-15.2.17/centos/7/SRPMS/ceph-release-1-1.el7.src.rpm /opt/repos/ceph/octopus-15.2.17/centos/7/SRPMS/ceph-release-1-1.el7.src.rpm: signing: /opt/repos/ceph/octopus-15.2.17/centos/7/SRPMS/ceph-15.2.17-0.el7.src.rpm /opt/repos/ceph/octopus-15.2.17/centos/7/SRPMS/ceph-15.2.17-0.el7.src.rpm: signing: /opt/repos/ceph/octopus-15.2.17/centos/7/noarch/ceph-mgr-modules-core-15.2.17-0.el7.noarch.rpm etc...
Publish the packages to download.ceph.com:
sync-push octopus
5. Build Containers
Start the following two jobs:
6. Announce the Release
Version Commit PR
The ceph-tag Jenkins job creates a Pull Request in ceph.git that targets the release branch.
If this was a regular release (not a hotfix release or a security release), the only commit in that Pull Request should be the version commit. For example, see v15.2.17’s version commit PR.
Request a review and then merge the Pull Request.
Announcing
Publish the Release Notes on ceph.io before announcing the release by email, because the e-mail announcement references the ceph.io blog post.