From 7ce2c7fdee684bee5fd8da0af1c70b5ccda42362 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Wed, 4 Feb 2026 02:54:35 +0000 Subject: [PATCH] ansible: update RHEL 8 container Register the RHEL 8 containers with our RHEL subscription so that we can install older versions of some packages (e.g. `gcc-toolset-10`) without having to pick individual RPMs from another Linux distribution. Install clang 19 instead of 20. Add Rust toolchain. Set the hostname of the containers when building and running them to make it easier to correlate the containers to the agent definition in Jenkins and Ansible sources. --- ansible/roles/docker/meta/argument_specs.yml | 5 ++++ ansible/roles/docker/meta/main.yml | 4 +++ ansible/roles/docker/tasks/main.yml | 19 ++++++++++-- .../roles/docker/templates/jenkins.service.j2 | 2 +- .../docker/templates/rhel8.Dockerfile.j2 | 29 ++++++++++--------- .../roles/docker/templates/rhel_secrets.j2 | 2 ++ .../docker/templates/ubi81.Dockerfile.j2 | 29 ++++++++++--------- 7 files changed, 59 insertions(+), 31 deletions(-) create mode 100644 ansible/roles/docker/meta/argument_specs.yml create mode 100644 ansible/roles/docker/meta/main.yml create mode 100644 ansible/roles/docker/templates/rhel_secrets.j2 diff --git a/ansible/roles/docker/meta/argument_specs.yml b/ansible/roles/docker/meta/argument_specs.yml new file mode 100644 index 000000000..f837dd918 --- /dev/null +++ b/ansible/roles/docker/meta/argument_specs.yml @@ -0,0 +1,5 @@ +--- + +argument_specs: + main: + short_description: set up hosts for Docker containers diff --git a/ansible/roles/docker/meta/main.yml b/ansible/roles/docker/meta/main.yml new file mode 100644 index 000000000..c1873b46e --- /dev/null +++ b/ansible/roles/docker/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - role: read-secrets diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index df5818003..071793131 100644 --- a/ansible/roles/docker/tasks/main.yml 
+++ b/ansible/roles/docker/tasks/main.yml @@ -175,11 +175,26 @@ - "{{ containers }}" when: containers is defined and item.os.find('_arm_cross') != -1 -- name: "docker : build image" +- name: "docker : create RHEL secrets file" + ansible.builtin.template: + src: "{{ role_path }}/templates/rhel_secrets.j2" + dest: /root/docker-container-{{ item.name }}/secrets.txt + mode: "0600" + with_items: + - "{{ containers }}" + when: containers is defined and (item.os == 'rhel8' or item.os == 'ubi81') + +- name: "docker : build images" command: docker build -t node-ci:{{ item.name }} /root/docker-container-{{ item.name }}/ with_items: - "{{ containers }}" - when: containers is defined + when: containers is defined and item.os != 'rhel8' and item.os != 'ubi81' + +- name: "docker : build RHEL images" + command: docker build --build-arg BUILDKIT_SANDBOX_HOSTNAME={{ item.name | regex_replace('_', '--') }} -t node-ci:{{ item.name }} /root/docker-container-{{ item.name }}/ + with_items: + - "{{ containers }}" + when: containers is defined and (item.os == 'rhel8' or item.os == 'ubi81') - name: "docker : generate and copy init script" template: diff --git a/ansible/roles/docker/templates/jenkins.service.j2 b/ansible/roles/docker/templates/jenkins.service.j2 index ecddfe810..9faaf4272 100644 --- a/ansible/roles/docker/templates/jenkins.service.j2 +++ b/ansible/roles/docker/templates/jenkins.service.j2 
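Review bot: The new `docker : create RHEL secrets file` task renders the activation key and org ID without `no_log: true`, so a run with `--diff` or raised verbosity can print the rendered values into Ansible output and any CI log that captures it; add `no_log: true` to that task. The rendered `secrets.txt` also stays in `/root/docker-container-{{ item.name }}/` after `docker : build RHEL images` finishes, so the credential persists on the Docker host inside the build context. A follow-up `ansible.builtin.file` task with `state: absent` on the same path and the same `when:` condition would limit its lifetime to the build. The task list continues outside this hunk, so a cleanup step may already exist further down; nothing visible here shows one.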
@@ -9,7 +9,7 @@ WantedBy=multi-user.target [Service] Type=simple User=root -ExecStart=/usr/bin/docker run --init --rm -v /home/{{ server_user }}/{{ item.name }}/:/home/{{ server_user }} -v /home/{{ server_user }}/.ccache/:/home/{{ server_user }}/.ccache --name node-ci-{{ item.name }} --sysctl net.ipv4.ip_unprivileged_port_start=1024 node-ci:{{ item.name }} +ExecStart=/usr/bin/docker run --init --rm -h {{ item.name | regex_replace('_', '--') }} -v /home/{{ server_user }}/{{ item.name }}/:/home/{{ server_user }} -v /home/{{ server_user }}/.ccache/:/home/{{ server_user }}/.ccache --name node-ci-{{ item.name }} --sysctl net.ipv4.ip_unprivileged_port_start=1024 node-ci:{{ item.name }} ExecStop=/usr/bin/docker stop -t 5 node-ci-{{ item.name }} Restart=always RestartSec=30 diff --git a/ansible/roles/docker/templates/rhel8.Dockerfile.j2 b/ansible/roles/docker/templates/rhel8.Dockerfile.j2 index e19fb0e9b..af749019e 100644 --- a/ansible/roles/docker/templates/rhel8.Dockerfile.j2 +++ b/ansible/roles/docker/templates/rhel8.Dockerfile.j2 
@@ -12,31 +12,32 @@ ENV OSVARIANT docker ENV DESTCPU {{ arch }} ENV ARCH {{ arch }} +# Register with RHEL subscription to be able to install older versions of packages. +COPY secrets.txt /secrets.txt # ccache is not in the default repositories so get it from EPEL 8. -RUN dnf install --disableplugin=subscription-manager -y \ - https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ - && dnf update --disableplugin=subscription-manager -y \ - && dnf install --disableplugin=subscription-manager -y \ +RUN chmod u+x /secrets.txt && . /secrets.txt \ + && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ + && subscription-manager register --org $RH_ORG --activationkey $RH_ACTIVATION_KEY \ + && rm -rf /secrets.txt \ + && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && dnf update -y \ + && dnf install -y \ ccache \ - clang \ gcc-c++ \ + gcc-toolset-10 \ gcc-toolset-12 \ + gcc-toolset-14-libatomic-devel \ git \ java-17-openjdk-headless \ + llvm-toolset-19.1.7 \ make \ python3.12 \ python3.12-pip \ procps-ng \ + rust-toolset-1.84.1 \ xz \ - && dnf --disableplugin=subscription-manager clean all - -RUN dnf install --disableplugin=subscription-manager -y \ - https://repo.almalinux.org/almalinux/8/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-14-libatomic-devel-14.2.1-1.1.el8_10.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-binutils-2.35-11.el8.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-c++-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ 
ansible_architecture }}/os/Packages/gcc-toolset-10-libstdc++-devel-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-runtime-10.1-0.el8.{{ ansible_architecture }}.rpm + && dnf clean all \ + && subscription-manager unregister RUN groupadd -r -g {{ server_user_gid.stdout_lines[0] }} {{ server_user }} \ && adduser -r -m -d /home/{{ server_user }}/ \ diff --git a/ansible/roles/docker/templates/rhel_secrets.j2 b/ansible/roles/docker/templates/rhel_secrets.j2 new file mode 100644 index 000000000..bc6e7e044 --- /dev/null +++ b/ansible/roles/docker/templates/rhel_secrets.j2 @@ -0,0 +1,2 @@ +RH_ACTIVATION_KEY={{ secrets.rh_activationkey }} +RH_ORG={{ secrets.rh_org }} diff --git a/ansible/roles/docker/templates/ubi81.Dockerfile.j2 b/ansible/roles/docker/templates/ubi81.Dockerfile.j2 index 14e38d143..00fe5e1dc 100644 --- a/ansible/roles/docker/templates/ubi81.Dockerfile.j2 +++ b/ansible/roles/docker/templates/ubi81.Dockerfile.j2 
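Review bot: `COPY secrets.txt /secrets.txt` commits the activation key and org ID into an image layer of their own, and the `rm -rf /secrets.txt` in the following `RUN` only masks the file in a later layer, so anyone who can pull or `docker save` the resulting `node-ci:{{ item.name }}` image can read it back; the `ubi81.Dockerfile.j2` hunk repeats the same pattern. The build already passes a BuildKit argument (`BUILDKIT_SANDBOX_HOSTNAME`), so a secret mount should be available and keeps the file out of every layer: drop the `COPY` and the `rm`, open the step with `RUN --mount=type=secret,id=rhel_secrets,target=/secrets.txt . /secrets.txt \`, and add `--secret id=rhel_secrets,src=/root/docker-container-{{ item.name }}/secrets.txt` to the `docker build` command in `tasks/main.yml` (the id `rhel_secrets` is a placeholder name). The `chmod u+x` is unnecessary in either form, because `.` reads the file rather than executing it. The patch does not show whether these images ever leave the build host; if any built with the `COPY` form has, the activation key should be rotated.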
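Review bot: `rhel_secrets.j2` is sourced by the shell in both Dockerfiles (`. /secrets.txt`), yet both values are rendered unquoted, so a key or org ID containing whitespace or shell metacharacters would be split or interpreted as shell syntax during the image build. Render them through Ansible's `quote` filter, `RH_ACTIVATION_KEY={{ secrets.rh_activationkey | quote }}` and `RH_ORG={{ secrets.rh_org | quote }}`, so the file is safe to source whatever the secret store returns. A one-line comment at the top of the template saying that the file is sourced as shell and holds credentials would also help the next editor.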
@@ -12,31 +12,32 @@ ENV OSVARIANT docker ENV DESTCPU {{ arch }} ENV ARCH {{ arch }} +# Register with RHEL subscription to be able to install older versions of packages. +COPY secrets.txt /secrets.txt # ccache is not in the default repositories so get it from EPEL 8. -RUN dnf install --disableplugin=subscription-manager -y \ - https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ - && dnf update --disableplugin=subscription-manager -y \ - && dnf install --disableplugin=subscription-manager -y \ +RUN chmod u+x /secrets.txt && . /secrets.txt \ + && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ + && subscription-manager register --org $RH_ORG --activationkey $RH_ACTIVATION_KEY \ + && rm -rf /secrets.txt \ + && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && dnf update -y \ + && dnf install -y \ ccache \ - clang \ gcc-c++ \ + gcc-toolset-10 \ gcc-toolset-12 \ + gcc-toolset-14-libatomic-devel \ git \ java-17-openjdk-headless \ + llvm-toolset-19.1.7 \ make \ python3.12 \ python3.12-pip \ openssl-devel \ procps-ng \ - && dnf --disableplugin=subscription-manager clean all - -RUN dnf install --disableplugin=subscription-manager -y \ - https://repo.almalinux.org/almalinux/8/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-14-libatomic-devel-14.2.1-1.1.el8_10.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-binutils-2.35-11.el8.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-c++-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture 
}}/os/Packages/gcc-toolset-10-libstdc++-devel-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \ - http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-runtime-10.1-0.el8.{{ ansible_architecture }}.rpm + rust-toolset-1.84.1 \ + && dnf clean all \ + && subscription-manager unregister RUN groupadd -r -g {{ server_user_gid.stdout_lines[0] }} {{ server_user }} \ && adduser -r -m -d /home/{{ server_user }}/ \
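Review bot: `subscription-manager unregister` is the last link of the `&&` chain, so any failing `dnf` step before it aborts the `RUN` while the build is still registered, which presumably leaves a stale consumer against the activation key after each failed build; the `rhel8.Dockerfile.j2` hunk has the same chain. Opening the step with `trap 'subscription-manager unregister' EXIT &&` would run the unregister on both the success and the failure path. The expansions in the register call should be double-quoted as well, `--org "$RH_ORG" --activationkey "$RH_ACTIVATION_KEY"`. The `sed` edit that forces `in_container()` to return `False` stays in the final image and silently matches nothing if the upstream function is renamed, so a comment explaining why it is needed and a `grep -q 'return False'` check on the same file right after it would make a future breakage visible.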