Merge pull request #3250 from SUSE/drop_sp3

dirkmueller · web-flow · commit e48e2c21b8cd · 2025-12-15T15:23:37.000+01:00
Remove SP3 LTSS
diff --git a/src/bci_build/os_version.py b/src/bci_build/os_version.py
@@ -16,8 +16,6 @@ class OsVersion(enum.Enum):
     SP5 = 5
     #: SLE 15 Service Pack 4
     SP4 = 4
-    #: SLE 15 Service Pack 3
-    SP3 = 3
     #: SUSE Linux 16.0
     SL16_0 = "16.0"
     #: SUSE Linux 16.1
@@ -128,7 +126,6 @@ def common_devel_packages(self) -> list[str]:
     @property
     def is_sle15(self) -> bool:
         return self.value in (
-            OsVersion.SP3.value,
             OsVersion.SP4.value,
             OsVersion.SP5.value,
             OsVersion.SP6.value,
@@ -199,7 +196,6 @@ def libexecdir(self) -> str:
 #: Operating system versions that have the label ``com.suse.release-stage`` set
 #: to ``released``.
 RELEASED_OS_VERSIONS: list[OsVersion] = [
-    OsVersion.SP3,
     OsVersion.SP4,
     OsVersion.SP5,
     OsVersion.SP6,
@@ -225,7 +221,7 @@ def libexecdir(self) -> str:
 ]
 
 # List of SPs that are already under LTSS
-ALL_OS_LTSS_VERSIONS: list[OsVersion] = [OsVersion.SP3, OsVersion.SP4, OsVersion.SP5]
+ALL_OS_LTSS_VERSIONS: list[OsVersion] = [OsVersion.SP4, OsVersion.SP5]
 
 # joint set of BASE and NON_BASE versions
 ALL_OS_VERSIONS: set[OsVersion] = {
diff --git a/src/bci_build/package/__init__.py b/src/bci_build/package/__init__.py
@@ -311,9 +311,7 @@ def __post_init__(self) -> None:
             )
 
         if self.build_recipe_type is None:
-            self.build_recipe_type = (
-                BuildType.KIWI if self.os_version == OsVersion.SP3 else BuildType.DOCKER
-            )
+            self.build_recipe_type = BuildType.DOCKER
 
         if not self._publish_registry:
             self._publish_registry = publish_registry(self.os_version)
diff --git a/src/bci_build/package/base-fips/README.md.j2 b/src/bci_build/package/base-fips/README.md.j2
@@ -1,6 +1,4 @@
-{% if image.build_version == '15.3' %}
-# The SUSE Linux Enterprise 15 SP3 LTSS FIPS-140-2 container image
-{% elif image.build_version == '15.4' %}
+{% if image.build_version == '15.4' %}
 # The SUSE Linux Enterprise 15 SP4 LTSS FIPS-140-3 container image
 {% else %}
 # The SUSE Linux Enterprise FIPS-140-3 container image
@@ -9,28 +7,7 @@
 
 ## Description
 
-{% if image.build_version | string == '15.3' %}
-This SUSE Linux Enterprise 15 SP3 LTSS-based container image includes the
-SLES 15 FIPS-140-2 certified OpenSSL and libgcrypt modules. The image is
-designed to run on a FIPS-140-2 compliant SUSE Linux Enterprise Server 15 SP3
-host environment. Although it is configured to enforce FIPS mode, the FIPS
-certification requires a host kernel in FIPS mode to be fully compliant.
-
-The [FIPS-140-2 certified OpenSSL module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3991.pdf)
-is a cryptographic module that provides a FIPS-140-2 compliant
-cryptographic library. The module is certified by the National
-Institute of Standards and Technology (NIST).
-
-The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the
-standard OpenSSL library. It provides the same functionality as the standard
-OpenSSL library, with additional security features to meet the FIPS-140-2
-requirements.
-
-Similarly, the [FIPS-140-2 certified libgcrypt module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3848.pdf)
-is a drop-in replacement for the standard libgcrypt library. It provides the
-same functionality as the standard libgcrypt library, with the additional
-security features enforced to meet FIPS-140-2 requirements.
-{% elif image.build_version | string == "15.4" %}
+{% if image.build_version | string == "15.4" %}
 This SUSE Linux Enterprise 15 SP4 LTSS-based container image includes the
 OpenSSL and libgcrypt modules that have been interim validated to FIPS 140-3.
 
diff --git a/src/bci_build/package/base.py b/src/bci_build/package/base.py
@@ -174,8 +174,6 @@ def eula(self) -> str:
     @property
     def registry_prefix(self) -> str:
         if self.os_version.is_ltss:
-            if self.os_version == OsVersion.SP3:
-                return "suse/ltss/sle15.3"
             if self.os_version == OsVersion.SP4:
                 return "suse/ltss/sle15.4"
             if self.os_version == OsVersion.SP5:
@@ -233,7 +231,7 @@ def _get_base_kwargs(os_version: OsVersion) -> dict:
                 + (["user(nobody)"] if not os_version.is_ltss else [])
                 + (
                     ["openssl-3", "patterns-base-minimal_base"]
-                    if os_version not in (OsVersion.SP3, OsVersion.SP4)
+                    if os_version != OsVersion.SP4
                     else []
                 )
                 + (
@@ -250,11 +248,7 @@ def _get_base_kwargs(os_version: OsVersion) -> dict:
                     if os_version.is_tumbleweed
                     else ["suse-build-key"]
                 )
-                + (
-                    ["procps"]
-                    if os_version in (OsVersion.SP3, OsVersion.SP4, OsVersion.SP5)
-                    else []
-                )
+                + (["procps"] if os_version in (OsVersion.SP4, OsVersion.SP5) else [])
             )
         ]
         + [
@@ -264,10 +258,10 @@ def _get_base_kwargs(os_version: OsVersion) -> dict:
                     "aaa_base",
                     "cracklib-dict-small",
                     "filesystem",
+                    "jdupes",
                     "shadow",
                     "zypper",
                 ]
-                + (["jdupes"] if os_version not in (OsVersion.SP3,) else [])
                 + (
                     ["libcurl-mini4", "libopenssl-3-fips-provider"]
                     if os_version.is_sl16
@@ -298,7 +292,6 @@ def _get_base_kwargs(os_version: OsVersion) -> dict:
 BASE_CONTAINERS = [
     Sles15Image(**_get_base_kwargs(os_ver))
     for os_ver in (
-        OsVersion.SP3,
         OsVersion.SP4,
         OsVersion.SP5,
         OsVersion.SP6,
diff --git a/src/bci_build/package/basecontainers.py b/src/bci_build/package/basecontainers.py
@@ -134,16 +134,6 @@ def _get_micro_package_list(os_version: OsVersion) -> list[Package]:
 
 _FIPS_ASSET_BASEURL = "https://api.opensuse.org/public/build/"
 
-# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3991.pdf
-# Chapter 9.1 Crypto Officer Guidance
-_FIPS_15_SP2_BINARIES: list[str] = [
-    f"SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/{name}-1.1.1d-11.20.1.x86_64.rpm"
-    for name in ("openssl-1_1", "libopenssl1_1", "libopenssl1_1-hmac")
-] + [
-    f"SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/{name}-1.8.2-8.36.1.x86_64.rpm"
-    for name in ("libgcrypt20", "libgcrypt20-hmac")
-]
-
 # submitted, not yet certified
 _FIPS_15_SP4_BINARIES: list[str] = [
     f"SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/{name}-1.1.1l-150400.7.28.1.x86_64.rpm"
@@ -167,8 +157,6 @@ def _get_fips_base_custom_end(os_version: OsVersion) -> str:
         f"{DOCKERFILE_RUN} update-crypto-policies --no-reload --set FIPS\n"
     )
     match os_version:
-        case OsVersion.SP3:
-            bins = _FIPS_15_SP2_BINARIES
         case OsVersion.SP4:
             bins = _FIPS_15_SP4_BINARIES
 
@@ -187,8 +175,8 @@ def _get_fips_base_custom_end(os_version: OsVersion) -> str:
 
     return (
         _get_asset_script(_FIPS_ASSET_BASEURL, bins)
+        + custom_set_fips_mode
         + (custom_install_bins if bins else "")
-        + (custom_set_fips_mode if os_version not in (OsVersion.SP3,) else "")
     )
 
 
@@ -209,9 +197,7 @@ def _get_fips_pretty_name(os_version: OsVersion) -> str:
     """Return a pretty name for FIPS enforcing containers."""
 
     if os_version.is_ltss:
-        if os_version == OsVersion.SP3:
-            return f"{os_version.pretty_os_version_no_dash} FIPS-140-2"
-        elif os_version == OsVersion.SP4:
+        if os_version == OsVersion.SP4:
             return f"{os_version.pretty_os_version_no_dash} FIPS-140-3"
 
     if os_version.is_sle15 or os_version.is_sl16 or os_version.is_tumbleweed:
@@ -223,8 +209,6 @@ def _get_fips_pretty_name(os_version: OsVersion) -> str:
 def _get_supported_until_fips(os_version: OsVersion) -> datetime.date | None:
     """Returns the end of LTSS for images under LTSS, otherwise end of general support if known"""
     match os_version:
-        case OsVersion.SP3:
-            return datetime.date(2025, 12, 31)
         case OsVersion.SP4:
             return datetime.date(2026, 12, 31)
         case _:
@@ -242,7 +226,6 @@ def _get_fips_base_kwargs(os_version: OsVersion) -> dict:
             # preserve backwards compatibility on already released distributions
             os_version
             not in (
-                OsVersion.SP3,
                 OsVersion.SP4,
                 OsVersion.SP5,
                 OsVersion.SP6,
@@ -256,12 +239,7 @@ def _get_fips_base_kwargs(os_version: OsVersion) -> dict:
         ),
         "pretty_name": _get_fips_pretty_name(os_version),
         "package_list": (
-            [*os_version.release_package_names, "coreutils"]
-            + (
-                ["fipscheck"]
-                if os_version == OsVersion.SP3
-                else ["crypto-policies-scripts"]
-            )
+            [*os_version.release_package_names, "coreutils", "crypto-policies-scripts"]
             + (["patterns-base-fips"] if os_version.is_sl16 else [])
         ),
         "extra_labels": {
diff --git a/src/bci_build/package/versions.py b/src/bci_build/package/versions.py
@@ -127,7 +127,7 @@ def get_pkg_version(pkg_name: str, os_version: OsVersion) -> str:
     OsVersion.SL16_0: "SUSE:SLFO:1.2",
     OsVersion.SL16_1: "SUSE:SLFO:Main:Build",
     OsVersion.TUMBLEWEED: "openSUSE:Factory",
-} | {OsVersion(ver): f"SUSE:SLE-15-SP{ver}:Update" for ver in range(3, 8)}
+} | {OsVersion(ver): f"SUSE:SLE-15-SP{ver}:Update" for ver in range(4, 8)}
 
 
 @overload
diff --git a/tests/test_build_results.py b/tests/test_build_results.py
@@ -10,7 +10,7 @@
 
 def test_from_resultlist():
     obs_api_reply = """<resultlist state="10c966b3d96474d1d59d0ba6d4d5b61a">
-  <result project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL" repository="images" arch="x86_64" code="building" state="building" dirty="true">
+  <result project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL" repository="images" arch="x86_64" code="building" state="building" dirty="true">
     <status package="golang-1.18" code="building">
       <details>building on old-cirrus2:14</details>
     </status>
@@ -25,26 +25,26 @@ def test_from_resultlist():
     </status>
     <status package="micro" code="scheduled"/>
   </result>
-  <result project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL" repository="images" arch="aarch64" code="building" state="building">
+  <result project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL" repository="images" arch="aarch64" code="building" state="building">
     <status package="openjdk-11" code="succeeded"/>
     <status package="openjdk-11-devel" code="building">
       <details>building on obs-arm-10:29</details>
     </status>
     <status package="python-3.6" code="succeeded"/>
     <status package="python-3.9" code="signing"/>
   </result>
-  <result project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL" repository="containerfile" arch="x86_64" code="published" state="published" dirty="true">
+  <result project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL" repository="containerfile" arch="x86_64" code="published" state="published" dirty="true">
     <status package="openjdk-11" code="excluded"/>
     <status package="openjdk-11-devel" code="excluded"/>
   </result>
-  <result project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL" repository="containerfile" arch="aarch64" code="published" state="published">
+  <result project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL" repository="containerfile" arch="aarch64" code="published" state="published">
   </result>
 </resultlist>
 
 """
     assert RepositoryBuildResult.from_resultlist(obs_api_reply) == [
         RepositoryBuildResult(
-            project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+            project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
             repository="images",
             arch=Arch.X86_64,
             code="building",
@@ -75,7 +75,7 @@ def test_from_resultlist():
             ],
         ),
         RepositoryBuildResult(
-            project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+            project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
             repository="images",
             arch=Arch.AARCH64,
             code="building",
@@ -98,7 +98,7 @@ def test_from_resultlist():
             ],
         ),
         RepositoryBuildResult(
-            project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+            project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
             repository="containerfile",
             arch=Arch.X86_64,
             code="published",
@@ -113,7 +113,7 @@ def test_from_resultlist():
             ],
         ),
         RepositoryBuildResult(
-            project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+            project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
             repository="containerfile",
             arch=Arch.AARCH64,
             code="published",
@@ -127,7 +127,7 @@ def test_is_build_failed_dirty_repo():
         is_build_failed(
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -146,7 +146,7 @@ def test_is_build_failed_dirty_repo():
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -163,7 +163,7 @@ def test_is_build_failed_dirty_repo():
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -178,7 +178,7 @@ def test_is_build_failed_dirty_repo():
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -207,7 +207,7 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -227,12 +227,12 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
 <details>
 <summary>Build Results</summary>
 
-Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL) for `aarch64`: current state: published
+Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL) for `aarch64`: current state: published
 Build results:
 package name | status | build log
 -------------|--------|----------
-init | ✅ succeeded | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/init/containerfile/aarch64)
-micro | ⛔ excluded | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/micro/containerfile/aarch64)
+init | ✅ succeeded | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/init/containerfile/aarch64)
+micro | ⛔ excluded | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/micro/containerfile/aarch64)
 
 
 </details>
@@ -243,7 +243,7 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -264,12 +264,12 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
 <details>
 <summary>Build Results</summary>
 
-Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL) for `aarch64`: current state: building (repository is **dirty**)
+Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL) for `aarch64`: current state: building (repository is **dirty**)
 Build results:
 package name | status | detail | build log
 -------------|--------|--------|----------
-init | ❌ failed | | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/init/containerfile/aarch64)
-micro | 🚫 unresolvable | Nothing provides gcc | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/micro/containerfile/aarch64)
+init | ❌ failed | | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/init/containerfile/aarch64)
+micro | 🚫 unresolvable | Nothing provides gcc | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/micro/containerfile/aarch64)
 
 
 </details>
@@ -280,7 +280,7 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
         (
             [
                 RepositoryBuildResult(
-                    project="home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL",
+                    project="home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL",
                     repository="containerfile",
                     arch=Arch.AARCH64,
                     code="published",
@@ -300,12 +300,12 @@ def test_is_build_failed(build_res: list[RepositoryBuildResult], is_failed: bool
 <details>
 <summary>Build Results</summary>
 
-Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL) for `aarch64`: current state: published
+Repository `containerfile` in [home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL](https://build.opensuse.org/project/show/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL) for `aarch64`: current state: published
 Build results:
 package name | status | detail | build log
 -------------|--------|--------|----------
-init | ❌ failed | | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/init/containerfile/aarch64)
-micro | 🚫 unresolvable | Nothing provides rust | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP3:sle15-sp3-NBdNL/micro/containerfile/aarch64)
+init | ❌ failed | | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/init/containerfile/aarch64)
+micro | 🚫 unresolvable | Nothing provides rust | [live log](https://build.opensuse.org/package/live_build_log/home:testuser:BCI:Staging:SLE-15-SP7:sle15-sp7-NBdNL/micro/containerfile/aarch64)
 
 
 </details>
diff --git a/tests/test_crate.py b/tests/test_crate.py
diff --git a/tests/test_service.py b/tests/test_service.py

Original file line number	Diff line number	Diff line change
`@@ -311,9 +311,7 @@ def __post_init__(self) -> None:`
`311`	`311`	`)`
`312`	`312`
`313`	`313`	`if self.build_recipe_type is None:`
`314`		`- self.build_recipe_type = (`
`315`		`- BuildType.KIWI if self.os_version == OsVersion.SP3 else BuildType.DOCKER`
`316`		`- )`
	`314`	`+ self.build_recipe_type = BuildType.DOCKER`
`317`	`315`
`318`	`316`	`if not self._publish_registry:`
`319`	`317`	`self._publish_registry = publish_registry(self.os_version)`