doc/dev/release-process.rst
The signing machine is a virtual machine in the Sepia lab <https://wiki.sepia.ceph.com/doku.php?id=start>_. SSH access to the signing
machine is limited to the usual Infrastructure Admins along with a few other
component leads (e.g., nfs-ganesha, ceph-iscsi).
The ubuntu user on the machine has some build scripts <https://github.com/ceph/ceph-build/tree/main/scripts>_ that help with pulling, pushing, and signing packages.
The GPG signing key permanently lives on a Nitrokey Pro <https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3>_ and is passed through to the VM via RHV. This helps to ensure that the key cannot be exported or leave the datacenter in any way.
For each new major (alphabetical) release, you must create one ceph-release RPM for each RPM repo (e.g., one for el8 and one for el9). chacra <https://github.com/ceph/chacra>_ is a python service we use to store DEB and RPM repos. The chacra repos are configured to include this ceph-release RPM, but it must be built separately. You must make sure that chacra is properly configured to include this RPM for each particular release.
this PR <https://github.com/ceph/chacra/pull/219>_ for an example.ansible-playbook chacra.ceph.com.yml)$release-release branch in ceph.git (e.g., squid-release). This allows work to continue in the working $release branch without having to freeze it during the release process.Jenkins multijob <https://jenkins.ceph.com/view/all/job/ceph>_, which triggers all builds.A hotfix release has a couple differences.
Check out the most recent tag. For example, if we're releasing a hotfix on top of 19.2.1, git checkout -f -B squid-release tags/v19.2.1.
git cherry-pick -x the necessary hotfix commits (Note: only "cherry-pick" must be used).
git push -f origin squid-release.
Verify the commits in the $release-release branch:
git log --pretty=oneline --no-merges tags/v19.2.1..origin/squid-release. Verify that the commits produced are exactly what we want in the next point release.ceph-ci in this example), run git log --pretty=oneline --no-merges origin/squid-release...ceph-ci/squid-release. There should be no output produced if the $release-release branch in the ceph repo is identical to the RC in ceph-ci. Note the use of git triple dot notation <https://git-scm.com/book/en/v2/Git-Tools-Revision-Selection>_, which shows any commit discrepencies between both references.Notify the "Build Lead" to start the build.
The "Build Lead" should set RELEASE_TYPE=HOTFIX instead of STABLE.
A security/CVE release is similar to a hotfix release with two differences:
1. The fix should be pushed to the `ceph-private <https://github.com/ceph/ceph-private>`_ repo instead of ceph.git (requires GitHub Admin Role).
2. The tags (e.g., v19.2.3) must be manually pushed to ceph.git by the "Build Lead."
Check out the most recent tag. For example, if we're releasing a security fix on top of 19.2.2, git checkout -f -B squid-release origin/v19.2.2
git cherry-pick -x the necessary security fix commits
git remote add security [email protected]:ceph/ceph-private.git
git push -f security squid-release
Notify the "Build Lead" to start the build.
The "Build Lead" should set RELEASE_TYPE=SECURITY instead of STABLE.
Finally, the ceph-tag <https://github.com/ceph/ceph-build/blob/main/ansible/roles/ceph-release/tasks/push.yml>_ steps need to be manually run by the "Build Lead" as close to the Announcement time as possible::
ceph-setup <https://jenkins.ceph.com/job/ceph-setup>_ job will have already created and pushed the tag to ceph-releases.git.git remote add releases [email protected]:ceph/ceph-releases.git git fetch --all
git checkout -f -B squid-release releases/squid-release git push -f origin squid-release git push origin v19.2.3
Preparing the release branch ===============================
Once QE has determined a stopping point in the working (e.g., squid) branch, that commit should be pushed to the corresponding squid-release branch.
Notify the "Build Lead" that the release branch is ready.
We'll use a stable/regular 19.2.2 release of Squid as an example throughout this document.
Browse to https://jenkins.ceph.com/view/all/job/ceph-release-pipeline/build?delay=0sec
Log in with GitHub OAuth
Set the parameters as necessary::
BRANCH=squid TAG=checked VERSION=19.2.2 RELEASE_TYPE=STABLE ARCHS=x86_64 arm64
NOTE: if for some reason the build has to be restarted (for example if one distro failed) then the TAG option has to be unchecked.
Use https://docs.ceph.com/en/latest/start/os-recommendations/?highlight=debian#platforms to determine the DISTROS parameter. For example,
+-------------------+--------------------------------------------------+
| Release | Distro Codemap |
+===================+==================================================+
| pacific (16.X.X) | focal bionic buster bullseye |
+-------------------+--------------------------------------------------+
| quincy (17.X.X) | jammy focal centos9 bullseye |
+-------------------+--------------------------------------------------+
| reef (18.X.X) | jammy focal centos9 windows bookworm |
+-------------------+--------------------------------------------------+
| squid (19.X.X) | jammy centos9 windows bookworm |
+-------------------+--------------------------------------------------+
| tentacle (20.X.X) | jammy centos9 noble windows bookworm rocky10 |
+-------------------+--------------------------------------------------+
Click Build.
Release Notes ================
Packages take hours to build. Use those hours to create the Release Notes and Announcements:
v19.2.2's ceph.git (docs.ceph.com) PR <https://github.com/ceph/ceph/pull/62734>_)v19.2.2's ceph.io.git (www.ceph.io) PR <https://github.com/ceph/ceph.io/pull/864>_)See the Ceph Tracker wiki page that explains how to write the release notes <https://tracker.ceph.com/projects/ceph-releases/wiki/HOWTO_write_the_release_notes>_.
.. _Signing and Publishing the Build:
#. Obtain the sha1 of the version commit from the build job <https://jenkins.ceph.com/view/all/job/ceph>_ or the sha1 file created by the ceph-setup <https://jenkins.ceph.com/job/ceph-setup/>_ job.
#. Download the packages from chacra.ceph.com to the signing virtual machine. These packages get downloaded to /opt/repos where the Sepia Lab Long Running (Ceph) Cluster <https://wiki.sepia.ceph.com/doku.php?id=services:longrunningcluster>_ is mounted. Note: this step will also run a command to transfer the source tarballs from chacra.ceph.com to download.ceph.com directly, by ssh'ing to download.ceph.com and running /home/signer/bin/get-tarballs.sh.
.. prompt:: bash $
ssh [email protected]
sync-pull ceph [pacific|quincy|etc] <sha1>
Example::
$ sync-pull ceph squid 0eceb0defba60152a8182f7bd87d164b639885b8
sync for: ceph squid
********************************************
+ : 0eceb0defba60152a8182f7bd87d164b639885b8
+ project=ceph
+ release=squid
+ sha1=0eceb0defba60152a8182f7bd87d164b639885b8
+ echo 'sync for: ceph squid'
sync for: ceph squid
+ echo '********************************************'
********************************************
+ [[ ceph == \c\e\p\h ]]
+ current_highest_count=0
+ for combo in debian/bookworm debian/bullseye ubuntu/bionic ubuntu/focal ubuntu/jammy
++ wc -l
++ curl -fs https://chacra.ceph.com/r/ceph/squid/0eceb0defba60152a8182f7bd87d164b639885b8/debian/bookworm/flavors/default/pool/main/c/ceph/
+ combo_count=161
+ [[ 0 -eq 22 ]]
+ '[' 161 -gt 0 ']'
+ current_highest_count=161
+ highest_combo=debian/bookworm
etc...
#. Sign the DEBs:
.. prompt:: bash
merfi gpg /opt/repos/ceph/squid-19.2.2/debian/
Example::
--> Starting path collection, looking for files to sign
--> 1 repos found
--> signing: /opt/repos/ceph/squid-19.2.2/debian/jessie/dists/bookworm/Release
--> Running command: gpg --batch --yes --armor --detach-sig --output Release.gpg Release
--> Running command: gpg --batch --yes --clearsign --output InRelease Release
--> signing: /opt/repos/ceph/squid-19.2.2/debian/jessie/dists/jammy/Release
--> Running command: gpg --batch --yes --armor --detach-sig --output Release.gpg Release
--> Running command: gpg --batch --yes --clearsign --output InRelease Release
etc...
#. Sign the RPMs:
.. prompt:: bash
sign-rpms ceph squid
Example::
$ sign-rpms ceph squid
+ [[ 2 -lt 1 ]]
+ project=ceph
+ shift
+ '[' 1 -eq 0 ']'
+ releases=("$@")
+ distros=(centos rhel)
+ distro_versions=(7 8 9)
+ read -s -p 'Key Passphrase: ' GPG_PASSPHRASE
Key Passphrase: + echo
+ for release in "${releases[@]}"
+ for distro in "${distros[@]}"
+ for distro_version in "${distro_versions[@]}"
+ for path in /opt/repos/$project/$release*
+ '[' -d /opt/repos/ceph/squid-19.1.0/centos/7 ']'
...
+ echo 'Checking packages in: /opt/repos/ceph/squid-19.1.0/centos/9'
Checking packages in: /opt/repos/ceph/squid-19.1.0/centos/9
+ update_repo=0
+ cd /opt/repos/ceph/squid-19.1.0/centos/9
++ find -name '*.rpm'
+ for rpm in `find -name "*.rpm"`
++ grep '^Signature'
etc...
#. Publish the packages to download.ceph.com:
.. prompt:: bash $
sync-push ceph squid-19.2.2 2
This leaves the packages, and the tarball, in a password-protected prerelease area at https://download.ceph.com/prerelease/ceph. Verify them from there. When done and ready for release, log into download.ceph.com and mv the directories and the tarballs from the prerelease home (/data/download.ceph.com/www/prerelease/ceph) to the release directory (/data/download.ceph.com/www).
Unlike CI builds, which have access to packages in the correct form for
the container, release builds do not, because the build does not
sign the packages. Thus, release builds do not build the containers.
This must be done after :ref:Signing and Publishing the Build.
A Jenkins job named ceph-release-containers exists so that we can test the
images before release. The job exists both for convenience and because it
requires access to both x86_64 and arm64 builders. Start the job as Build with Parameters on
the Jenkins server, set BRANCH, SHA1 and VERSION fields and leave other fields as defaults.
This job:
builds the architecture-specific container imagess and pushes them to
quay.ceph.io/ceph/prerelease-amd64 and
quay.ceph.io/ceph/prerelease-arm64
fuses the architecture-specific images together into a "manifest-list"
or "fat" container image and pushes it to quay.ceph.io/ceph/prerelease
Finally, when all appropriate testing and verification is done on the
container images, run make-manifest-list.py --promote --version <ver> from the Ceph
source tree (at container/make-manifest-list.py) to promote them to
their final release location on quay.io/ceph/ceph (you must ensure
that you're logged into quay.io/ceph and quay.ceph.io/ceph with appropriate permissions):
.. prompt:: bash
cd <ceph-checkout>/container
./make-manifest-list.py --promote --version <ver>
The --promote step should be performed only as the final step in releasing
containers, after the container images have been tested and have been confirmed
to be good.
The ceph-tag Jenkins job <https://jenkins.ceph.com/job/ceph-tag>_ creates a Pull Request in ceph.git that targets the release branch.
If this was a regular release (not a hotfix release or a security release), the only commit in that Pull Request should be the version commit. For example, see v15.2.17's version commit PR <https://github.com/ceph/ceph/pull/47520>_.
Request a review and then merge the Pull Request.
Publish the Release Notes on ceph.io before announcing the release by email, because the e-mail announcement references the ceph.io blog post.