From 8feef04d72098305b528a46271f34c051745a813 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Tue, 19 May 2026 19:16:10 +0200
Subject: [PATCH 1/4] CI: Exclude docker-ce 29.5.1 on CentOS/Rocky Linux
Related-Bug: #2153110
Change-Id: I0ef2c3dc5bfb87fc2f18f6fb92cd5f0f3e546577
Co-Authored-By: Michal Nasiadka
Signed-off-by: Pierre Riteau
(cherry picked from commit 43294efe8ce9677d56929ae4e79e2c66c25f97f2)
---
 roles/kayobe-ci-prep/tasks/main.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml
index b3b9c25ad..096ef9c87 100644
--- a/roles/kayobe-ci-prep/tasks/main.yml
+++ b/roles/kayobe-ci-prep/tasks/main.yml
@@ -52,5 +52,19 @@
 - openssl-devel
 when: not kayobe_control_host_become | bool
+ # NOTE(priteau): Remove me when newer docker-ce package is out
+ - name: Install python3-dnf-plugin-versionlock
+ become: true
+ ansible.builtin.dnf:
+ name: python3-dnf-plugin-versionlock
+ state: present
+
+ - name: Pin docker-ce to 29.5.0
+ become: true
+ community.general.dnf_versionlock:
+ name: "docker-ce-3:29.5.1-1.el{{ ansible_facts.distribution_major_version }}"
+ state: excluded
+ raw: true
+
 when: ansible_facts.os_family == 'RedHat'
 become: true
From 95ae73986e3fd6549a8d8c75685015633c23eeae Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Thu, 14 May 2026 12:01:39 +0100
Subject: [PATCH 2/4] [CI] Switch to baseurl for all repos
We still seem to be seeing failures with the following signature: Failed to download packages: No URLs in mirrorlist This extends the previous change[1] to all repos. [1] https://review.opendev.org/c/openstack/kayobe/+/983990
Change-Id: Ie1fc5c55137e985a21aeb97507c7efe9ec9b5336
Signed-off-by: Will Szumski
(cherry picked from commit 8d6fcbfcc0e4b369b0f1f955404bbd2e39663274)
---
 roles/kayobe-ci-prep/tasks/main.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
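Review bot: In PATCH 1/4, the task named `Pin docker-ce to 29.5.0` does not pin anything: `state: excluded` with `raw: true` blocks only the single build `docker-ce-3:29.5.1-1.el…`, so every other version, and a respin of 29.5.1 with a different release number, can still be installed. Renaming it to `- name: Exclude docker-ce 29.5.1` would match both the commit subject and the behaviour. The `NOTE(priteau)` comment would be easier to act on if it named the bug, for example `# NOTE(priteau): Remove when a docker-ce release fixing bug #2153110 is available`. The enclosing block starts outside the hunk, so whether the per-task `become: true` duplicates the block-level one is an inference from the trailing context lines.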
diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml
index 096ef9c87..0a83521f7 100644
--- a/roles/kayobe-ci-prep/tasks/main.yml
+++ b/roles/kayobe-ci-prep/tasks/main.yml
@@ -9,10 +9,20 @@
 vars:
 configure_ephemeral_mountpoint: "{{ '/var/lib/containers' if container_engine | default('docker') == 'podman' else '/var/lib/docker' }}"
+- name: Find YUM repo files
+ become: true
+ ansible.builtin.find:
+ paths: /etc/yum.repos.d
+ patterns: "*.repo"
+ file_type: file
+ register: repo_files
+ when: ansible_facts.distribution == "Rocky"
+
 - name: Set Rocky Linux mirror to download.rockylinux.org
 become: true
 ansible.builtin.shell:
- cmd: sed -i 's/mirrorlist/#mirrorlist/g; s/#baseurl/baseurl/g' /etc/yum.repos.d/rocky.repo
+ cmd: sed -i 's/mirrorlist/#mirrorlist/g; s/#baseurl/baseurl/g' {{ item }}
+ loop: "{{ repo_files.files | map(attribute='path') | list }}"
 when: ansible_facts.distribution == "Rocky"
 - block:
From 2c2d4d3bc2fe0ddb98d4b84766c29d4b61f8d8ed Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Thu, 21 May 2026 09:57:10 +0200
Subject: [PATCH 3/4] Revert "CI: Exclude docker-ce 29.5.1 on CentOS/Rocky Linux"
Docker Engine 29.5.2 is out and fixes the regression introduced in 29.5.1 [1]. This reverts commit 43294efe8ce9677d56929ae4e79e2c66c25f97f2. [1] https://docs.docker.com/engine/release-notes/29/#2952
Closes-Bug: #2153110
Change-Id: Ib1ce90cd9174a190248e11512308828a2719ba49
Signed-off-by: Pierre Riteau
(cherry picked from commit 908d87145590ccf3b4ec070cb9767a964a232955)
---
 roles/kayobe-ci-prep/tasks/main.yml | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml
index 0a83521f7..942a1988a 100644
--- a/roles/kayobe-ci-prep/tasks/main.yml
+++ b/roles/kayobe-ci-prep/tasks/main.yml
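Review bot: In PATCH 2/4, the `sed` task interpolates `{{ item }}` unquoted into an `ansible.builtin.shell` command that runs with `become: true`, so a repo file name containing whitespace or shell metacharacters would be split or interpreted by the shell as root. Quoting the path, `cmd: sed -i 's/mirrorlist/#mirrorlist/g; s/#baseurl/baseurl/g' {{ item | quote }}`, or switching to `ansible.builtin.command` (no shell features are used) closes that. The expressions are unanchored and now apply to every `*.repo` file rather than `rocky.repo` alone, so a second run yields `##mirrorlist` and any other repo file present is rewritten too; `ansible.builtin.replace` with `^mirrorlist=` and `^#baseurl=` patterns would be idempotent. Since this changes where packages are fetched from, it is worth confirming that the `baseurl` entries being enabled use HTTPS and that `gpgcheck` stays enabled in those files.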
@@ -62,19 +62,5 @@
 - openssl-devel
 when: not kayobe_control_host_become | bool
- # NOTE(priteau): Remove me when newer docker-ce package is out
- - name: Install python3-dnf-plugin-versionlock
- become: true
- ansible.builtin.dnf:
- name: python3-dnf-plugin-versionlock
- state: present
-
- - name: Pin docker-ce to 29.5.0
- become: true
- community.general.dnf_versionlock:
- name: "docker-ce-3:29.5.1-1.el{{ ansible_facts.distribution_major_version }}"
- state: excluded
- raw: true
-
 when: ansible_facts.os_family == 'RedHat'
 become: true
From 54ead7154b792670ffe989cf4a7d376e4423b7ba Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Thu, 21 May 2026 22:37:53 +0200
Subject: [PATCH 4/4] Bind inspection store to internal network
The inspection store was listening on all interfaces by default, but only the internal network is required. This fix is only needed in 2025.1 and older releases, since the inspection store was removed in 2025.2 [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/959849
Closes-Bug: #2153801
Change-Id: I3316d13179489500f1b9a0d0a2aeb85fa1b2bd70
Signed-off-by: Pierre Riteau
---
 ansible/roles/inspection-store/templates/nginx.conf | 2 +-
 .../inspection-store-nginx-listen-6ed8e936594e04f0.yaml | 6 ++++++
 roles/kayobe-diagnostics/files/get_logs.sh | 5 +++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml
diff --git a/ansible/roles/inspection-store/templates/nginx.conf b/ansible/roles/inspection-store/templates/nginx.conf
index cea01e58d..e7a883bc4 100644
--- a/ansible/roles/inspection-store/templates/nginx.conf
+++ b/ansible/roles/inspection-store/templates/nginx.conf
@@ -28,7 +28,7 @@ http {
 #gzip on;
 server {
- listen {{ inspection_store_port }};
+ listen {{ internal_net_name | net_ip }}:{{ inspection_store_port }};
 root /data;
 location /ironic-inspector {
 return 200 "";
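Review bot: In the nginx.conf hunk of PATCH 4/4, the new `listen {{ internal_net_name | net_ip }}:{{ inspection_store_port }};` line has no guard for a host that lacks an address on the internal network, and it would not be valid for an IPv6 address, which nginx expects in brackets (`listen [addr]:port;`). What `net_ip` returns in the no-address case is not visible here; if it can be empty or undefined, the rendered directive would presumably be rejected by nginx, so a pre-check in the role that fails with a clear message would be kinder than a container that does not start. A comment above the directive such as `# Bind to the internal network address only (bug #2153801)` would record why the address is there. The `server` block continues outside the hunk.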
diff --git a/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml b/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml
new file mode 100644
index 000000000..ba195e206
--- /dev/null
+++ b/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Fixes nginx configuration of the ``inspection_store`` container to listen
+ on the internal network instead of binding to all interfaces.
+ `LP#2153801 `__
diff --git a/roles/kayobe-diagnostics/files/get_logs.sh b/roles/kayobe-diagnostics/files/get_logs.sh
index 3fd319f2c..c9767b744 100644
--- a/roles/kayobe-diagnostics/files/get_logs.sh
+++ b/roles/kayobe-diagnostics/files/get_logs.sh
@@ -147,6 +147,11 @@ copy_logs() {
 cp /opt/kayobe/images/ipa/ipa.stderr /opt/kayobe/images/ipa/ipa.stdout ${LOG_DIR}/kayobe/
 fi
+ # Inspection store
+ if [[ -d /opt/kayobe/etc/inspection-store ]]; then
+ cp -rnL /opt/kayobe/etc/inspection-store ${LOG_DIR}/kayobe/
+ fi
+
 # Overcloud host image build logs
 if [[ -f /opt/kayobe/images/deployment_image/deployment_image.stderr ]] || [[ -f /opt/kayobe/images/deployment_image/deployment_image.stdout ]]; then
 mkdir -p ${LOG_DIR}/kayobe
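Review bot: In the get_logs.sh hunk, `cp -rnL /opt/kayobe/etc/inspection-store ${LOG_DIR}/kayobe/` copies a whole configuration directory into the collected logs and `-L` follows symlinks, so anything linked from that directory ends up in the diagnostics bundle; it is worth confirming nothing sensitive can live there before the logs are published. The new block also does not create `${LOG_DIR}/kayobe` itself, whereas the following image-build block calls `mkdir -p ${LOG_DIR}/kayobe`; unless an earlier part of `copy_logs` (outside the hunk) already creates it, adding `mkdir -p "${LOG_DIR}/kayobe"` before the `cp` avoids a failed copy. Quoting `"${LOG_DIR}"` would be the safer style, though the surrounding lines leave it unquoted as well.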