Caracal upgrade to Rocky Linux 9.7 #2126
base: stackhpc/2024.1
Code Review
This pull request introduces a wide range of changes to support Rocky Linux 9.7 and upgrade various components. The changes include updates to package versions, container image tags, Ansible playbooks, documentation, and CI configuration. Notably, there's a significant effort to add multi-architecture support, refactor secret store deployment playbooks into a unified set, and improve the logic for fixing OVN chassis priorities. The addition of numerous release notes is a great practice. I have a few suggestions for improvement regarding a hardcoded value in an alerting rule, a dependency pointing to a temporary branch, and a long inline script that could be refactored for better maintainability. Overall, this is a substantial and well-executed upgrade.
I am having trouble creating individual review comments. Click here to see my feedback.
etc/kayobe/kolla/config/prometheus/rabbitmq.rules (23)
The number of RabbitMQ nodes in this alert expression is hardcoded to 3. This seems to be a regression, as a variable (alertmanager_number_of_rabbitmq_nodes) was likely used before, and is still used for another alert in this file. Hardcoding this value may cause incorrect alerts if the number of RabbitMQ nodes is different from 3. Please consider restoring the use of a variable to determine the number of nodes dynamically.
etc/kayobe/kolla/kolla-build.conf (18)
The openstack-base source is pointing to a temporary branch bp/bump-django-4.2/2024.1. This is risky for long-term maintainability as temporary branches may be deleted. It's better to point to a stable tag or branch. If this is a temporary measure, it would be good to add a comment explaining the situation and when it can be reverted.
etc/kayobe/ansible/ovn-fix-chassis-priorities.yml (55-160)
The shell script in this task is very long and complex. Embedding large scripts directly in Ansible playbooks makes them difficult to read, maintain, and test. Consider moving this script to a separate file within the repository (e.g., in a files/ or scripts/ directory) and executing it by copying it to the target container and running it with ansible.builtin.command. This would improve readability and maintainability of the playbook.
2697c42 to 30b87fc
aee7f43 to b8d1656
- DOCA 3.2.1 for RL 9.7 - Bump Rocky 9 Security SIG repo, add source
removes the RockyLinux minor version in the name and path when DOCA version is greater than 3.2.0. Doesn't apply to DOCA modules because they are still compiled for a specific RL minor version.
Latest version for RockyLinux is 29.2
Tested on multinode. Fix install-doca.yml to not install doca-ofed anymore (avoid dkms). The stackhpc_doca_kernel_version_matrix variable contains kernel module versions to install for last 2 supported minor RockyLinux versions. It must be changed after a new pre-compiled kernel module version has been built.
to fix multiple vulnerabilities
to see which sources are downloaded before docker build
to accommodate temporary errors from ark (was getting a 500 error)
control plane is trusted
CVE-2025-68428 is still present in opensearch-dashboards 2.19.4 because jspdf is still in version 3.0.1
Use the authenticating pulp_proxy for all CI build jobs that need packages from Ark - host images, Kolla images and the IPA image.
See actions/runs/21635017357
See actions/runs/21713574987
control plane is trusted
b8d1656 to 18c8328
Also see #2025