RockyLinux 9.7 containers #2061
base: stackhpc/2025.1
- DOCA 3.2.1 for RL 9.7
- Bump Rocky 9 Security SIG repo, add source
The modules path remains specific to minor releases.
Remove DOCA 3.2.0: a single version is enough for RL 9.7
to fix multiple vulnerabilities
to see which sources are downloaded before docker build
to accommodate temporary errors from ark (was getting a 500 error)
control plane is trusted
CVE-2025-68428 is still present in opensearch-dashboards 2.19.4 because jspdf is still in version 3.0.1
Bumped opensearch-dashboard to 2.19.4 fixed CVE-2025-7783
Code Review
This pull request updates the overcloud host image and containers to use RockyLinux 9.7. The changes primarily involve updating version tags and repository configurations. I've identified a few areas for improvement. There's some duplicated logic for determining DOCA distribution strings across configuration files, which I've suggested refactoring for better maintainability. Additionally, I've flagged a potentially invalid CVE identifier in the Trivy allow-list which could impact security scanning.
etc/kayobe/ofed.yml
Outdated
| doca_distribution: "{% if stackhpc_pulp_doca_version is version('3.2.0', '>=') %}rhel9{% else %}rhel9_{{ stackhpc_pulp_repo_rocky_9_minor_version }}{% endif %}" | ||
| doca_version_lookup_var: "stackhpc_pulp_repo_doca_{{ stackhpc_pulp_doca_version | replace('.', '_') }}_{{ doca_distribution }}_version" |
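Review bot: the `version('3.2.0', '>=')` cut-over in `doca_distribution` has no comment explaining it, and the same value feeds `doca_version_lookup_var`, so the looked-up variable name changes with it: for DOCA 3.2.0 and later it ends in `_rhel9_version`, for earlier versions in `_rhel9_<minor>_version`. Add a short YAML comment above `doca_distribution` stating that rule and that `>=` includes 3.2.0 itself, and check that a variable with the `_rhel9_version` suffix is defined for every DOCA version at or above 3.2.0 that can still be selected.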
To avoid duplicating logic for determining the DOCA distribution string in etc/kayobe/stackhpc.yml, you could define a reusable variable here and use it in both places. This improves maintainability by having a single source of truth.
I'll add another comment in etc/kayobe/stackhpc.yml showing how to use the new variable.
doca_distribution_path_part: "{% if stackhpc_pulp_doca_version is version('3.2.0', '>=') %}rhel9{% else %}rhel9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}{% endif %}"
doca_distribution: "{{ doca_distribution_path_part | replace('.', '_') }}"
doca_version_lookup_var: "stackhpc_pulp_repo_doca_{{ stackhpc_pulp_doca_version | replace('.', '_') }}_{{ doca_distribution }}_version"
etc/kayobe/stackhpc.yml
Outdated
|
|
||
| # DOCA | ||
| stackhpc_repo_rhel9_doca_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/doca/{{ stackhpc_pulp_doca_version }}/rhel9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}/x86_64/{{ stackhpc_repo_rhel9_doca_version }}" | ||
| stackhpc_doca_distribution: "{% if stackhpc_pulp_doca_version is version('3.2.0', '>=') %}rhel9{% else %}rhel9.{{ stackhpc_pulp_repo_rocky_9_minor_version }}{% endif %}" |
This logic is duplicated from etc/kayobe/ofed.yml. To follow the DRY (Don't Repeat Yourself) principle, you can use the doca_distribution_path_part variable defined in ofed.yml (as per my other comment). This makes the configuration easier to maintain.
stackhpc_doca_distribution: "{{ doca_distribution_path_part }}"
Successful tempest OVS after upgrade Manual inspection : ok |
6ca1408 to bce4374
removes the RockyLinux minor version in the name and path when DOCA version is greater than 3.2.0. Doesn't apply to DOCA modules because they are still compiled for a specific RL minor version.
bce4374 to 35d3bd1
This PR builds upon #2025.