From f912421dd145a6e3c218a32210fa13572786d802 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Wed, 13 May 2026 13:36:20 +0200 Subject: [PATCH 1/4] Quote baremetal node create arguments Quote driver-info and property arguments when creating baremetal nodes. This fixes registration with complex passwords containing characters like ), &, $, spaces, or quotes. Closes-Bug: #2152538 Change-Id: I9d63881f03ae45c84eec90fd2c9a29c985a17bbc Signed-off-by: Bartosz Bezak (cherry picked from commit 81aea979dcf7c6bb80bfa12dc8fb4f2f017f81a1) (cherry picked from commit f42587a4147436e7c327f8c2cd53ea2d4c03584d) (cherry picked from commit c32ebb8a40498dbd95dafe54ca4766c9c7af469f)
---
 ansible/baremetal-compute-register.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ansible/baremetal-compute-register.yml b/ansible/baremetal-compute-register.yml
index 43c0f55c3..99a621c2c 100644
--- a/ansible/baremetal-compute-register.yml
+++ b/ansible/baremetal-compute-register.yml
@@ -72,10 +72,10 @@
 --name {{ inventory_hostname }} \
 --driver {{ ironic_driver }} \
 {% for key, value in ironic_driver_info.items() %}
- --driver-info {{ key }}={{ value }} \
+ --driver-info {{ (key ~ '=' ~ value) | quote }} \
 {% endfor %}
 {% for key, value in ironic_properties.items() %}
- --property {{ key }}={{ value }} \
+ --property {{ (key ~ '=' ~ value) | quote }} \
 {% endfor %}
 --resource-class {{ ironic_resource_class }}
 when:
From 45a7e5fd8982d07b03621fbcfaecefeca6944cee Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 19 May 2026 19:16:10 +0200 Subject: [PATCH 2/4] CI: Exclude docker-ce 29.5.1 on CentOS/Rocky Linux Related-Bug: #2153110 Change-Id: I0ef2c3dc5bfb87fc2f18f6fb92cd5f0f3e546577 Co-Authored-By: Michal Nasiadka Signed-off-by: Pierre Riteau (cherry picked from commit 43294efe8ce9677d56929ae4e79e2c66c25f97f2)
---
 roles/kayobe-ci-prep/tasks/main.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
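Review bot: The `--name`, `--driver` and `--resource-class` arguments in this same command are still interpolated without `quote`, so a value containing whitespace or shell metacharacters would be split or interpreted by the shell in the same way the driver-info values were. Quoting them as well keeps the whole command consistent: `--name {{ inventory_hostname | quote }} \`, `--driver {{ ironic_driver | quote }} \` and `--resource-class {{ ironic_resource_class | quote }}`. Since the commit message says `ironic_driver_info` can carry passwords, those values end up on a command line and possibly in task output; whether the task sets `no_log` is not visible here because the task starts and ends outside the hunk.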
diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml index 120ab1bca..91a5c1c03 100644 --- a/roles/kayobe-ci-prep/tasks/main.yml +++ b/roles/kayobe-ci-prep/tasks/main.yml @@ -17,5 +17,20 @@ - name: Enable the EPEL repository command: dnf config-manager --disable epel + + # NOTE(priteau): Remove me when newer docker-ce package is out + - name: Install python3-dnf-plugin-versionlock + become: true + ansible.builtin.dnf: + name: python3-dnf-plugin-versionlock + state: present + + - name: Pin docker-ce to 29.5.0 + become: true + community.general.dnf_versionlock: + name: "docker-ce-3:29.5.1-1.el{{ ansible_facts.distribution_major_version }}" + state: excluded + raw: true + when: ansible_facts.os_family == 'RedHat' become: true From dda4f7d81ae64b3a44de89fc1e5654bde82828a4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 21 May 2026 09:57:10 +0200 Subject: [PATCH 3/4] Revert "CI: Exclude docker-ce 29.5.1 on CentOS/Rocky Linux" Docker Engine 29.5.2 is out and fixes the regression introduced in 29.5.1 [1]. This reverts commit 43294efe8ce9677d56929ae4e79e2c66c25f97f2. [1] https://docs.docker.com/engine/release-notes/29/#2952 Closes-Bug: #2153110 Change-Id: Ib1ce90cd9174a190248e11512308828a2719ba49 Signed-off-by: Pierre Riteau (cherry picked from commit 908d87145590ccf3b4ec070cb9767a964a232955) --- roles/kayobe-ci-prep/tasks/main.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml index 91a5c1c03..9d7b0d453 100644 --- a/roles/kayobe-ci-prep/tasks/main.yml +++ b/roles/kayobe-ci-prep/tasks/main.yml 
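Review bot: The task name `Pin docker-ce to 29.5.0` does not match what the task does: `state: excluded` with `docker-ce-3:29.5.1-1.el…` excludes one build rather than pinning to 29.5.0, so any other available version can still be installed. A name such as `Exclude docker-ce 29.5.1` would match the commit title and the module arguments. The per-task `become: true` on both new tasks also looks redundant, since the trailing context lines show `become: true` next to the `when:` that appears to close the enclosing block; the block header is outside the hunk, so this should be confirmed.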
@@ -18,19 +18,5 @@ - name: Enable the EPEL repository command: dnf config-manager --disable epel - # NOTE(priteau): Remove me when newer docker-ce package is out - - name: Install python3-dnf-plugin-versionlock - become: true - ansible.builtin.dnf: - name: python3-dnf-plugin-versionlock - state: present - - - name: Pin docker-ce to 29.5.0 - become: true - community.general.dnf_versionlock: - name: "docker-ce-3:29.5.1-1.el{{ ansible_facts.distribution_major_version }}" - state: excluded - raw: true - when: ansible_facts.os_family == 'RedHat' become: true From d640b18b0af8c6595d8e62587be367e07d27c801 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 21 May 2026 22:37:53 +0200 Subject: [PATCH 4/4] Bind inspection store to internal network The inspection store was listening on all interfaces by default, but only the internal network is required. This fix is only needed in 2025.1 and older releases, since the inspection store was removed in 2025.2 [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/959849 Closes-Bug: #2153801 Change-Id: I3316d13179489500f1b9a0d0a2aeb85fa1b2bd70 Signed-off-by: Pierre Riteau (cherry picked from commit 54ead7154b792670ffe989cf4a7d376e4423b7ba) --- ansible/roles/inspection-store/templates/nginx.conf | 2 +- .../inspection-store-nginx-listen-6ed8e936594e04f0.yaml | 6 ++++++ roles/kayobe-diagnostics/files/get_logs.sh | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml diff --git a/ansible/roles/inspection-store/templates/nginx.conf b/ansible/roles/inspection-store/templates/nginx.conf index cea01e58d..e7a883bc4 100644 --- a/ansible/roles/inspection-store/templates/nginx.conf +++ b/ansible/roles/inspection-store/templates/nginx.conf @@ -28,7 +28,7 @@ http { #gzip on; server { - listen {{ inspection_store_port }}; + listen {{ internal_net_name | net_ip }}:{{ inspection_store_port }}; root /data; location /ironic-inspector { return 200 ""; 
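Review bot: The new `listen` line joins the address and port with a bare `:`, which nginx accepts only for IPv4 addresses or hostnames; an IPv6 address must be written in brackets, as in `listen [addr]:port;`. If `internal_net_name | net_ip` can yield an IPv6 address, or an empty value on a host that has no address on the internal network, the rendered directive would be invalid or would not express the intended restriction. A guard that fails the template when the filter returns nothing, plus bracket handling for IPv6, would make the binding explicit; how `net_ip` behaves in those cases is not visible in this hunk. The `server` block continues outside the hunk.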
diff --git a/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml b/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml new file mode 100644 index 000000000..ba195e206 --- /dev/null +++ b/releasenotes/notes/inspection-store-nginx-listen-6ed8e936594e04f0.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Fixes nginx configuration of the ``inspection_store`` container to listen + on the internal network instead of binding to all interfaces. + `LP#2153801 `__ diff --git a/roles/kayobe-diagnostics/files/get_logs.sh b/roles/kayobe-diagnostics/files/get_logs.sh index 1207e2f56..396b23c9c 100644 --- a/roles/kayobe-diagnostics/files/get_logs.sh +++ b/roles/kayobe-diagnostics/files/get_logs.sh @@ -127,6 +127,11 @@ copy_logs() { cp /opt/kayobe/images/ipa/ipa.stderr /opt/kayobe/images/ipa/ipa.stdout ${LOG_DIR}/kayobe/ fi + # Inspection store + if [[ -d /opt/kayobe/etc/inspection-store ]]; then + cp -rnL /opt/kayobe/etc/inspection-store ${LOG_DIR}/kayobe/ + fi + # Overcloud host image build logs if [[ -f /opt/kayobe/images/deployment_image/deployment_image.stderr ]] || [[ -f /opt/kayobe/images/deployment_image/deployment_image.stdout ]]; then mkdir -p ${LOG_DIR}/kayobe
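Review bot: `cp -rnL` in the new "Inspection store" branch of `get_logs.sh` dereferences symbolic links, so anything linked from `/opt/kayobe/etc/inspection-store` is copied into the log bundle as regular files, and the whole directory is collected without filtering. If that directory can hold anything other than the rendered nginx configuration, it is worth confirming that nothing sensitive lands in published CI logs, or copying only the named files. The destination is also unquoted; `"${LOG_DIR}/kayobe/"` would be safer, although the unquoted form matches the surrounding `cp` calls. `copy_logs` starts and ends outside the hunk.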