Upgrade GitLab to Amazon Linux 2023 (#6160, #4890)

[achave11-ucsc]

Linked issues: #6160, #4890

Checklist

Author

• PR is assigned to the author
• Status of PR is In progress
• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR is linked to all issues it (partially) resolves
• Status of linked issues is In progress
• PR description links to linked issues
• PR title matches¹ that of a linked issue _{or comment in PR explains why they're different}
• PR title references all linked issues
• For each linked issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all linked issues}
• This PR partially resolves each of the linked issues _{or does not have the partial label}

Author (reindex)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}

Author (API changes)

• This PR and its linked issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any linked issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues linked to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed fixups from prior reviews
• Ran make requirements_update _{or this PR does not modify Dockerfile, environment, requirements*.txt, common.mk, Makefile or environment.boot}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}
• PR is awaiting requested review from a peer
• Status of PR is Review requested
• PR is assigned to only the peer

Peer reviewer (after approval)

Note that when requesting changes, the PR must be assigned back to the author.

• Actually approved the PR
• PR is not a draft
• PR is awaiting requested review from system administrator
• Status of PR is Review requested
• PR is assigned to only the system administrator

System administrator (after approval)

• Actually approved the PR
• Labeled linked issues as demo or no demo
• Commented on linked issues about demo expectations _{or all linked issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Assign PR author for final validation and testing in tempdev

Author (after approval)

• Confirmed test job succeeds in the GitLab pipeline for this PR
• PR is assigned to only the system administrator

System administrator (after validation)

• Status of PR is Approved
• PR is assigned to only the operator

Operator

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all linked issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator _{or this PR is not labeled deploy:gitlab}

System administrator (post-deploy of .gitlab component)

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (deploy runner image)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}

Operator (sandbox build)

• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}

Operator (merge the branch)

• All status checks passed and the PR is mergeable
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Pushed merge commit to GitHub
• Status of PR is Merged lower
• Status of blocked issues is Triage _{or no issues are blocked on the linked issues}

Operator (main build)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Status of linked issues is Lower, or Triage, if PR is partial

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev _{or this PR does not require reindexing anvildev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev _{or this PR does not require reindexing anvildev}

Operator (mirroring)

• Started mirroring in dev _{or this PR does not require mirroring dev}
• Started mirroring in anvildev _{or this PR does not require mirroring anvildev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in dev _{or this PR does not require mirroring dev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in anvildev _{or this PR does not require mirroring anvildev}
• Emptied mirror fail queue in dev _{or this PR does not require mirroring dev}
• Emptied mirror fail queue in anvildev _{or this PR does not require mirroring anvildev}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.82%. Comparing base (158e524) to head (c05f252).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #7533   +/-   ##
========================================
  Coverage    84.82%   84.82%           
========================================
  Files          156      156           
  Lines        22862    22862           
========================================
  Hits         19393    19393           
  Misses        3469     3469           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coveralls]

coverage: 85.047%. remained the same
when pulling c05f252 on issues/achave11-ucsc/6160-7218-amazon-linux-2023
into 158e524 on develop.

[nadove-ucsc]

I would shorten the first commit title to "Add logging in resolve_container_path script"

Subject: [PATCH] REVIEW
---
Index: scripts/resolve_container_path.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/scripts/resolve_container_path.py b/scripts/resolve_container_path.py
--- a/scripts/resolve_container_path.py	(revision 186a22e1acdc5a14bb6bbc6c9057d761e31269c6)
+++ b/scripts/resolve_container_path.py	(date 1764793320467)
@@ -33,33 +33,38 @@
             log.info('Found %s', mountinfo)
             # Entries in /proc/self/mountinfo look like this:
             # 752 744 259:2 /docker/containers/dc61d93…ID…/hosts …
+            # REVIEW: some of these changes should go in a fixup! to your first
+            # commit, others to the last commit.
             prefix = '/docker/containers'
-            contents = csv.reader(f, delimiter=' ')
-            for line in contents:
+            log.info('cgroup v2 prefix is %s', prefix)
+            for line in csv.reader(f, delimiter=' '):
                 path = line[3]
                 if path.startswith(prefix):
-                    log.info('Extracting the container ID from %s', path)
-                    parts = path.rsplit('/', maxsplit=2)[:-1]
-                    assert len(parts) == 2 and parts[0] == prefix, parts
+                    log.info('Extracting container ID from %s', path)
+                    parts = path.rsplit('/', maxsplit=2)
+                    assert len(parts) == 3 and parts[0] == prefix and parts[2] == 'hosts', parts
                     container_id = parts[1]
     except FileNotFoundError:
         log.info('Did not find %s', mountinfo)
-        pass
     else:
-        log.info('cgroup v2 prefix is %s', prefix)
         api = docker.client.from_env().api
         for mount in api.inspect_container(container_id)['Mounts']:
             if container_path.startswith(mount['Destination']):
                 tail = os.path.relpath(container_path, mount['Destination'])
                 host_path = os.path.normpath(os.path.join(mount['Source'], tail))
-                log.info('Resolving %s to %s', container_path, host_path)
+                log.info('Resolved %s to %s', container_path, host_path)
                 return host_path
-    log.error('Cannot resolve container path: %s', container_path)
+    log.error('Failed to resolve container path %s', container_path)
     return None
 
 
-if __name__ == '__main__':
-    configure_script_logging(log)
-    container_path = sys.argv[1]
+# REVIEW: separate commit for this change, before any other changes
+def main(argv):
+    container_path = argv[0]
     host_path = resolve_container_path(container_path)
     print(container_path if host_path is None else host_path)
+
+
+if __name__ == '__main__':
+    configure_script_logging(log)
+    main(sys.argv[1:])

[hannes-ucsc]

Security design review

• Security design review completed; this PR does not …
  • … affect authentication; for example:
    • OAuth 2.0 with the application (API or Swagger UI)
    • Authentication of developers with Google Cloud APIs
    • Authentication of developers with AWS APIs
    • Authentication with a GitLab instance in the system
    • Password and 2FA authentication with GitHub
    • API access token authentication with GitHub
    • Authentication with Terra
  • … affect the permissions of internal users like access to
    • Cloud resources on AWS and GCP
    • GitLab repositories, projects and groups, administration
    • an EC2 instance via SSH
    • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
  • … affect the permissions of external users like access to
    • TDR snapshots
  • … affect permissions of service or bot accounts
    • Cloud resources on AWS and GCP
  • … affect audit logging in the system, like
    • adding, removing or changing a log message that represents an auditable event
    • changing the routing of log messages through the system
  • … affect monitoring of the system
  • … introduce a new software dependency like Upgrade GitLab to Amazon Linux 2023 (#6160, #4890) #7533 (comment)
    • Python packages on PYPI
    • Command-line utilities
    • Docker images
    • Terraform providers
  • … add an interface that exposes sensitive or confidential data at the security boundary
  • … affect the encryption of data at rest
  • … require persistence of sensitive or confidential data that might require encryption at rest
  • … require unencrypted transmission of data within the security boundary
  • … affect the network security layer; for example by
    • modifying, adding or removing firewall rules
    • modifying, adding or removing security groups
    • changing or adding a port a service, proxy or load balancer listens on
• Documentation on any unchecked boxes is provided in comments below

[hannes-ucsc]

Security design review

This change upgrades CIS-hardened Amazon Linux AMI used for GitLab instances to the latest version available, ensuring long-term support and security patches.

[achave11-ucsc]

This PR still contains items to be addressed, and cannot be merged as is.
I initially failed to notice that the instance wasn't being rebooted, and that when the GitLab tempdev pipelines previously ran, FIPS mode was not enabled. Note that the log 15... 14... 13... 12... 11... 10... 9... 8... 7... 6... 5... 4... 3... 2... 1... is associated with the fips-mode-setup --enable command but fails to reboot nonetheless. This appears to steam from or be related from the SSH daemon misconfiguration, perhaps in the GitLab/-dind image, since after manually rebooting the instance (after ssh-ing into it), the ability to push/pull from the GitLab tempdev instance is gone. (For PL)

sshd logs:

Dec 23 06:35:16 ip-10-0-100-96 sshd[18321]: Connection closed by 172.25.1.135 port 47546
Dec 23 06:35:16 ip-10-0-100-96 sshd[18321]: error: kex_exchange_identification: Connection closed by remote host

cloud-init logs:

2025-12-23 05:17:30.972,Dec 23 05:17:30 ip-10-0-100-96 systemd[1]: Reached target cloud-init.target - Cloud-init target.
2025-12-23 05:15:47.572,"2025-12-23 05:15:41,958 - cc_power_state_change.py[DEBUG]: check_condition command (test -f /run/cloud-init-selinux-reboot): exited 1. condition not met."
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8045]: -----BEGIN SSH HOST KEY FINGERPRINTS-----
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8047]: 1024 SHA256:REDACTED/PSk [email protected] (DSA)
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8044]: #############################################################
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8050]: 256 SHA256:REDACTED/REDACTED [email protected] (ECDSA)
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8058]: 3072 SHA256:REDACTED/REDACTED [email protected] (RSA)
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8060]: -----END SSH HOST KEY FINGERPRINTS-----
2025-12-23 05:15:42.704,Dec 23 05:15:41 ip-10-0-100-96 cloud-init[8061]: #############################################################
2025-12-23 05:15:42.704,"Dec 23 05:15:41 ip-10-0-100-96 cloud-init[2432]: Cloud-init v. 22.2.2 finished at Tue, 23 Dec 2025 05:15:41 +0000. Datasource DataSourceEc2.  Up 131.86 seconds"
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/amazon-cloudwatch-agent.service → /etc/systemd/system/amazon-cloudwatch-agent.service.
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: amazon-cloudwatch-agent has already been stopped
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: Configuration validation succeeded
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: Configuration validation second phase succeeded
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent -schematest -config /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.toml
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: I! imds retry client will retry 1 times
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: D! [EC2] Found active network interface
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Configuration validation first phase succeeded
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 D! ec2tagger processor required because append_dimensions is set
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 I! Valid Json input schema.
2025-12-23 05:15:42.491,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Reading json config file path: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/file_amazon-cloudwatch-agent.json.tmp ...
2025-12-23 05:15:42.490,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Executing /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent with arguments: [config-translator -multi-config default -input /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -input-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d -output /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.toml -mode ec2 -config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml]
2025-12-23 05:15:42.490,"Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Starting config-translator, this will map back to a call to amazon-cloudwatch-agent"
2025-12-23 05:15:42.490,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: Start configuration validation...
2025-12-23 05:15:42.490,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: I! Trying to detect region from ec2 D! [EC2] Found active network interface I! imds retry client will retry 1 times
2025-12-23 05:15:42.490,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Executing /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent with arguments: [config-downloader -multi-config default -mode ec2 -download-source file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -output-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d -config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml]
2025-12-23 05:15:42.490,"Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: 2025/12/23 05:15:40 Starting config-downloader, this will map back to a call to amazon-cloudwatch-agent"
2025-12-23 05:15:42.490,Dec 23 05:15:40 ip-10-0-100-96 cloud-init[2432]: ****** processing amazon-cloudwatch-agent ******
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/timers.target.wants/registry-garbage-collect.timer → /etc/systemd/system/registry-garbage-collect.timer.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/timers.target.wants/docker-prune.timer → /etc/systemd/system/docker-prune.timer.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/timers.target.wants/clamscan.timer → /etc/systemd/system/clamscan.timer.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/gitlab-runner.service → /etc/systemd/system/gitlab-runner.service.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/gitlab.service → /etc/systemd/system/gitlab.service.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/gitlab-dind.service → /etc/systemd/system/gitlab-dind.service.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Please reboot the system for the setting to take effect.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: FIPS mode will be enabled.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: to fully take place.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: It is recommended to restart the system for the change of policies
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Note: System-wide crypto policies are applied on application start-up.
2025-12-23 05:15:42.490,Dec 23 05:15:39 ip-10-0-100-96 cloud-init[2432]: Setting system policy to FIPS
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: * PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT...                 *
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: * ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: *                                                               *
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: *****************************************************************
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: * REINSTALL WITH fips=1 INSTEAD.                                *
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: * THIS OPERATION CANNOT BE UNDONE.                              *
2025-12-23 05:15:42.489,Dec 23 05:15:26 ip-10-0-100-96 cloud-init[2432]: Kernel initramdisks are being regenerated. This might take some time.
2025-12-23 05:15:42.489,Dec 23 05:15:26 ip-10-0-100-96 cloud-init[2432]: 15... 14... 13... 12... 11... 10... 9... 8... 7... 6... 5... 4... 3... 2... 1...
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3050.0-1.amzn2023.x86_64        11/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : amazon-cloudwatch-agent-1.300060.1-1.amzn2023.x86_    1/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : amazon-ecr-credential-helper-0.11.0-1.amzn2023.x86    2/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : container-selinux-4:2.242.0-1.amzn2023.noarch         3/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : containerd-2.1.5-1.amzn2023.0.1.x86_64                4/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : docker-25.0.13-1.amzn2023.0.2.x86_64                  5/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              6/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : libcgroup-3.0-1.amzn2023.0.1.x86_64                   7/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : pigz-2.5-1.amzn2023.0.3.x86_64                        8/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : runc-1.3.3-2.amzn2023.0.1.x86_64                      9/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : amazon-ssm-agent-3.3.3270.0-1.x86_64                 10/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  Verifying        : amazon-ssm-agent-3.3.3050.0-1.amzn2023.x86_64        11/11
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]: Upgraded:
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  amazon-ssm-agent-3.3.3270.0-1.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]: Installed:
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  amazon-cloudwatch-agent-1.300060.1-1.amzn2023.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  amazon-ecr-credential-helper-0.11.0-1.amzn2023.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  container-selinux-4:2.242.0-1.amzn2023.noarch
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  containerd-2.1.5-1.amzn2023.0.1.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  docker-25.0.13-1.amzn2023.0.2.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  iptables-nft-1.8.8-3.amzn2023.0.2.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  libcgroup-3.0-1.amzn2023.0.1.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  pigz-2.5-1.amzn2023.0.3.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]:  runc-1.3.3-2.amzn2023.0.1.x86_64
2025-12-23 05:15:42.489,Dec 23 05:15:10 ip-10-0-100-96 cloud-init[2432]: Complete!
2025-12-23 05:15:42.489,Dec 23 05:15:11 ip-10-0-100-96 cloud-init[2432]: *****************************************************************
2025-12-23 05:15:42.488,Dec 23 05:14:36 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3270.0-1.x86_64                  8/11
2025-12-23 05:15:42.488,Dec 23 05:14:36 ip-10-0-100-96 cloud-init[2432]:  Upgrading        : amazon-ssm-agent-3.3.3270.0-1.x86_64                  8/11
2025-12-23 05:15:42.488,Dec 23 05:14:36 ip-10-0-100-96 cloud-init[2432]:  Installing       : amazon-ecr-credential-helper-0.11.0-1.amzn2023.x86    9/11
2025-12-23 05:15:42.488,Dec 23 05:14:37 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-cloudwatch-agent-1.300060.1-1.amzn2023.x86_   10/11
2025-12-23 05:15:42.488,"Dec 23 05:14:37 ip-10-0-100-96 cloud-init[2432]: create group cwagent, result: 0"
2025-12-23 05:15:42.488,"Dec 23 05:14:37 ip-10-0-100-96 cloud-init[2432]: create user cwagent, result: 0"
2025-12-23 05:15:42.488,Dec 23 05:14:38 ip-10-0-100-96 cloud-init[2432]:  Installing       : amazon-cloudwatch-agent-1.300060.1-1.amzn2023.x86_   10/11
2025-12-23 05:15:42.488,Dec 23 05:14:38 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3050.0-1.amzn2023.x86_64        11/11
2025-12-23 05:15:42.488,Dec 23 05:14:38 ip-10-0-100-96 cloud-init[2432]:  Cleanup          : amazon-ssm-agent-3.3.3050.0-1.amzn2023.x86_64        11/11
2025-12-23 05:15:42.488,Dec 23 05:14:38 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3050.0-1.amzn2023.x86_64        11/11
2025-12-23 05:15:42.488,Dec 23 05:15:06 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: container-selinux-4:2.242.0-1.amzn2023.noarch        11/11
2025-12-23 05:15:42.488,Dec 23 05:15:07 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3270.0-1.x86_64                 11/11
2025-12-23 05:15:42.488,Dec 23 05:15:07 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/multi-user.target.wants/amazon-ssm-agent.service → /etc/systemd/system/amazon-ssm-agent.service.
2025-12-23 05:15:42.488,Dec 23 05:15:07 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-cloudwatch-agent-1.300060.1-1.amzn2023.x86_   11/11
2025-12-23 05:15:42.487,"Dec 23 05:13:51 ip-10-0-100-96 cloud-init[2432]: Cloud-init v. 22.2.2 running 'modules:final' at Tue, 23 Dec 2025 05:13:51 +0000. Up 23.64 seconds."
2025-12-23 05:15:42.487,Dec 23 05:13:55 ip-10-0-100-96 cloud-init[2432]: Amazon Linux 2023 repository                     43 kB/s | 3.6 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:06 ip-10-0-100-96 cloud-init[2432]: Amazon Linux 2023 Kernel Livepatch repository    36 kB/s | 2.9 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:07 ip-10-0-100-96 cloud-init[2432]: Dependencies resolved.
2025-12-23 05:15:42.487,Dec 23 05:14:07 ip-10-0-100-96 cloud-init[2432]: Nothing to do.
2025-12-23 05:15:42.487,Dec 23 05:14:07 ip-10-0-100-96 cloud-init[2432]: Complete!
2025-12-23 05:15:42.487,Dec 23 05:14:08 ip-10-0-100-96 cloud-init[2432]: Last metadata expiration check: 0:00:02 ago on Tue Dec 23 05:14:06 2025.
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: amazon-ssm-agent.rpm                             89 MB/s |  25 MB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Package crypto-policies-20240828-2.git626aa59.amzn2023.0.1.noarch is already installed.
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Package crypto-policies-scripts-20240828-2.git626aa59.amzn2023.0.1.noarch is already installed.
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Dependencies resolved.
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: ================================================================================
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Package                      Arch   Version                 Repository    Size
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: ================================================================================
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Installing:
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: amazon-cloudwatch-agent      x86_64 1.300060.1-1.amzn2023   amazonlinux   79 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: amazon-ecr-credential-helper x86_64 0.11.0-1.amzn2023       amazonlinux  2.7 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: docker                       x86_64 25.0.13-1.amzn2023.0.2  amazonlinux   46 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Upgrading:
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: amazon-ssm-agent             x86_64 3.3.3270.0-1            @commandline  25 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Installing dependencies:
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: container-selinux            noarch 4:2.242.0-1.amzn2023    amazonlinux   58 k
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: containerd                   x86_64 2.1.5-1.amzn2023.0.1    amazonlinux   23 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: iptables-nft                 x86_64 1.8.8-3.amzn2023.0.2    amazonlinux  183 k
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: libcgroup                    x86_64 3.0-1.amzn2023.0.1      amazonlinux   75 k
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: pigz                         x86_64 2.5-1.amzn2023.0.3      amazonlinux   83 k
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: runc                         x86_64 1.3.3-2.amzn2023.0.1    amazonlinux  3.9 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Transaction Summary
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: ================================================================================
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Install  9 Packages
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Upgrade  1 Package
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Total size: 179 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Total download size: 155 M
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: Downloading Packages:
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (1/9): container-selinux-2.242.0-1.amzn2023.noa 1.2 MB/s |  58 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (2/9): amazon-ecr-credential-helper-0.11.0-1.am  35 MB/s | 2.7 MB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (3/9): containerd-2.1.5-1.amzn2023.0.1.x86_64.r  77 MB/s |  23 MB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (4/9): iptables-nft-1.8.8-3.amzn2023.0.2.x86_64 5.6 MB/s | 183 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (5/9): libcgroup-3.0-1.amzn2023.0.1.x86_64.rpm  2.6 MB/s |  75 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (6/9): pigz-2.5-1.amzn2023.0.3.x86_64.rpm       2.8 MB/s |  83 kB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (7/9): runc-1.3.3-2.amzn2023.0.1.x86_64.rpm      64 MB/s | 3.9 MB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:09 ip-10-0-100-96 cloud-init[2432]: (8/9): docker-25.0.13-1.amzn2023.0.2.x86_64.rpm  77 MB/s |  46 MB     00:00
2025-12-23 05:15:42.487,Dec 23 05:14:10 ip-10-0-100-96 cloud-init[2432]: (9/9): amazon-cloudwatch-agent-1.300060.1-1.amz  77 MB/s |  79 MB     00:01
2025-12-23 05:15:42.487,Dec 23 05:14:10 ip-10-0-100-96 cloud-init[2432]: --------------------------------------------------------------------------------
2025-12-23 05:15:42.487,Dec 23 05:14:10 ip-10-0-100-96 cloud-init[2432]: Total                                           144 MB/s | 155 MB     00:01
2025-12-23 05:15:42.487,Dec 23 05:14:11 ip-10-0-100-96 cloud-init[2432]: Running transaction check
2025-12-23 05:15:42.487,Dec 23 05:14:11 ip-10-0-100-96 cloud-init[2432]: Transaction check succeeded.
2025-12-23 05:15:42.487,Dec 23 05:14:11 ip-10-0-100-96 cloud-init[2432]: Running transaction test
2025-12-23 05:15:42.487,Dec 23 05:14:12 ip-10-0-100-96 cloud-init[2432]: Transaction test succeeded.
2025-12-23 05:15:42.487,Dec 23 05:14:12 ip-10-0-100-96 cloud-init[2432]: Running transaction
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: amazon-ssm-agent-3.3.3270.0-1.x86_64                   1/1
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Preparing        :                                                        1/1
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Installing       : runc-1.3.3-2.amzn2023.0.1.x86_64                      1/11
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Installing       : containerd-2.1.5-1.amzn2023.0.1.x86_64                2/11
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: containerd-2.1.5-1.amzn2023.0.1.x86_64                2/11
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Installing       : pigz-2.5-1.amzn2023.0.3.x86_64                        3/11
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Installing       : libcgroup-3.0-1.amzn2023.0.1.x86_64                   4/11
2025-12-23 05:15:42.487,Dec 23 05:14:14 ip-10-0-100-96 cloud-init[2432]:  Installing       : iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              5/11
2025-12-23 05:15:42.487,Dec 23 05:14:15 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: iptables-nft-1.8.8-3.amzn2023.0.2.x86_64              5/11
2025-12-23 05:15:42.487,Dec 23 05:14:15 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: container-selinux-4:2.242.0-1.amzn2023.noarch         6/11
2025-12-23 05:15:42.487,Dec 23 05:14:15 ip-10-0-100-96 cloud-init[2432]:  Installing       : container-selinux-4:2.242.0-1.amzn2023.noarch         6/11
2025-12-23 05:15:42.487,Dec 23 05:14:31 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: container-selinux-4:2.242.0-1.amzn2023.noarch         6/11
2025-12-23 05:15:42.487,Dec 23 05:14:32 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: docker-25.0.13-1.amzn2023.0.2.x86_64                  7/11
2025-12-23 05:15:42.487,Dec 23 05:14:32 ip-10-0-100-96 cloud-init[2432]:  Installing       : docker-25.0.13-1.amzn2023.0.2.x86_64                  7/11
2025-12-23 05:15:42.487,Dec 23 05:14:33 ip-10-0-100-96 cloud-init[2432]:  Running scriptlet: docker-25.0.13-1.amzn2023.0.2.x86_64                  7/11
2025-12-23 05:15:42.487,Dec 23 05:14:33 ip-10-0-100-96 cloud-init[2432]: Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /usr/lib/systemd/system/docker.socket.
…
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: +----[SHA256]-----+
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Generating public/private dsa key pair.
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Your identification has been saved in /etc/ssh/ssh_host_dsa_key
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: The key fingerprint is:
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: SHA256:REDACTED/PSk [email protected]
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: The key's randomart image is:
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: +---[DSA 1024]----+
…
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: +----[SHA256]-----+
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Generating public/private ecdsa key pair.
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: The key fingerprint is:
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: SHA256:REDACTED [email protected]
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: The key's randomart image is:
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: +---[ECDSA 256]---+
…
2025-12-23 05:15:42.486,Dec 23 05:13:50 ip-10-0-100-96 cloud-init[2221]: +----[SHA256]-----+
2025-12-23 05:15:42.486,"Dec 23 05:13:50 ip-10-0-100-96 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cloud-init comm=""systemd"" exe=""/usr/lib/systemd/systemd"" hostname=? addr=? terminal=? res=success'

[achave11-ucsc]

After fixing the reboot problem (bbb3b65) and dropping the changes associated with #7218 (comment), the GitLab test job succeeded for this branch (commit c05f252).

[hannes-ucsc]

False positive. It is used in line 56 below.

[hannes-ucsc]

Suggested change

	def main(argv):
	def main(container_path):

[hannes-ucsc]

Suggested change

container_path = argv[0]

[hannes-ucsc]

Suggested change

	main(sys.argv[1:])
	main(sys.argv[1])

[hannes-ucsc]

Let's use '; '.join(['until [ -b /dev/nvme1n1', … and wrap over multiple lines.

A comment should added before this to refer to the upstream issue this is working around.

[hannes-ucsc]

Suggested change

	# A bug in Amazon's AMI causes 'condition' to depend on
	# the creation of a file that is never created
	# (/run/cloud-init-selinux-reboot), unless Amazon's
	# cc_selinux.py has to modify the SELinux configuration.
	# Luckily our cloud-config takes presedence, so we can
	# just override the condition here.
	# A bug in Amazon's AMI causes a 'condition' to be added to the effective cloud-init config. That condition depends on
	# the creation of a file that is never created
	# (/run/cloud-init-selinux-reboot), except when Amazon's
	# cc_selinux.py has to modify the SELinux configuration, which by default, it does not.
	# Luckily, our cloud-init config takes precedence, so we can
	# just override the condition here.