Skip to content

Add conditionals for Rhel9 in common role #3802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
May 28, 2025

Conversation

AswathySK
Copy link
Contributor

The common role for Unix playbook doesnt include conditionals for rhel9 causing playbook failures.

Failures caused due to current condition:

  • EPEL release not enabled for rhel9
  • packags included in Installing additional build tools if NOT RHEL 8 task is applicable for rhel9 as well. For example NTP is replaced by chronyd.
  • Additional build tools for rhel 8 is also required by rhel 9
Checklist
  • commit message has one of the standard prefixes
  • faq.md updated if appropriate
  • other documentation is changed or added (if applicable)
  • playbook changes run through VPC or QPC (if you have access)
  • VPC/QPC not applicable for this PR
  • for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

Copy link
Contributor

@AdamBrousseau AdamBrousseau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AswathySK can we make these conditions smarter so we don't have to keep updating them every time a new OS is released? Or do we prefer to leave it like this so we can test the new major OS releases?

@AswathySK
Copy link
Contributor Author

@AdamBrousseau instead of changing conditional to do it for everything greater than or equal to rhel 8 instead?
There could be change in package dependencies for the future releases.
So how to make the change right now is up to the community I suppose.

@AdamBrousseau
Copy link
Contributor

Sure. We can get other opinions. If we change it to be something like >=, and it stops working, the PBs will presumably fail and someone can investigate at that point. That would have to happen either way, but at least this way, you don't have to monitor and update it when it works.

@AdamBrousseau
Copy link
Contributor

@sxa do you have an opinion on the above?

@AswathySK AswathySK force-pushed the rhel9-conditionals branch 2 times, most recently from d831534 to e9ee426 Compare November 12, 2024 06:16
@AswathySK
Copy link
Contributor Author

@AdamBrousseau , I have made the change as per your suggestion.

package: "name={{ item }} state=latest"
with_items: "{{ Java_RHEL8 }}"
when: (ansible_distribution_major_version == "8")
when: (ansible_distribution_major_version | int >= 8)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these 3 cases still what we want?
From

Java_RHEL8:
  - java-1.8.0-openjdk-devel

Java_NOT_RHEL6_PPC64:             # Not RHEL8 either
  - java-1.7.0-openjdk-devel
  - java-1.8.0-openjdk-devel

Java_RHEL6_PPC64:
  - java-1.7.0-ibm-devel
  - java-1.8.0-ibm-devel

What is java 7 and 8 used for?

Copy link
Contributor Author

@AswathySK AswathySK Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AdamBrousseau @sxa , I am not sure. Should we bump it to 17 or 21?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell it's been there since the beginning. Java is needed for 2 purposes that I know of.

  • Connecting agents to jenkins.
  • Bootjdk for compiling java.

Since Jenkins now requires jdk17 to run agents, and jdk11 was required 2 years ago, I don't think leaving this at java8 for jenkins connections is necessary.
For bootjdk requirement, the build scripts will pull the needed jdk during the build process so having a permanent install of 8 is not necessary in my opinion.

I would want an opinion from Adopt/@sxa before we remove it completely though.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as the boot JDK is concerned I don't want the builds pulling it down dynamically in most cases - that's mostly just a fallback mechanism. Other than pulling down the source, the builds should be able to run without network access.

I suspect those java-1.8.0* packages are no longer required, at least by Temurin, so it would likely be safe to remove them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AdamBrousseau , @sxa ,
Since stewart is of opinion not to pull down the bootjdks by the jobs.And java8 is not required, Should we remove the installing and setting up default java part in this role or should we maybe bump it to jdk17 or 21?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think that should be safe. It will hopefully be obvious if some part of the process requires it, in which case it's easy to back it out again :-)

Can the 1.7 version be installed from the RHEL9 repositories?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sxa is there another part of the PB installing java for use by the jenkins agent that Adopt is running?
We have an internal Semeru role that installs 21 for this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep. The adoptopenjdk_install role: .

- role: adoptopenjdk_install # JDK21 Build Bootstrap

It's extracting as a tarball and doesn't set any default on the system to point to it, so the Jenkins agent is pointed directly to it under /usr/lub/jvm when it's started

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sounds like we don't need any java 8 installs here then?
Stewart has confirmed the Jenkins agent uses the jvm from the adoptopenjdk_install role. That role installs all the bootjdks for the builds. And for Semeru, we have a separate PB for the jenkins agent.

@karianna karianna requested a review from sxa November 25, 2024 21:33
@karianna
Copy link
Contributor

karianna commented Dec 5, 2024

@AswathySK Linter failures as well

Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments/suggestions in addition to the Java7 on RHEL9 comments above.
Should any of these changes be made in the CentOS files too?

package: "name={{ item }} state=latest"
with_items: "{{ Additional_Build_Tools_NOT_RHEL8 }}"
with_items: "{{ Additional_Build_Tools_NOT_RHEL8Plus }}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need to go through and sanitise some of these names. This one should probably be Additional_Build_Tools_RHEL6_RHEL7 now but that doesn't need to be changed in this PR

@@ -92,17 +92,6 @@ Additional_Build_Tools_RHEL7_s390x:
- libstdc++.s390 # a dependency required for executing a 32-bit C binary
- yum-utils # yumdownloader required for devkit creation

Java_RHEL8:
Copy link
Member

@sxa sxa Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we still have the reference to Java_RHEL8 above I believe this should not be removed

@karianna karianna requested a review from sxa January 15, 2025 01:35
@sxa
Copy link
Member

sxa commented Jan 15, 2025

New VPC run at https://ci.adoptium.net/view/Tooling/job/VagrantPlaybookCheck/2038/ (Expect at least CentOS6 to fail - unrelated to this PR)

@karianna
Copy link
Contributor

@AswathySK merge conflicts.

Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@AswathySK
Copy link
Contributor Author

@karianna @sxa ,
should this merge wait until code freeze is over?

@karianna
Copy link
Contributor

Yes and I'd love to see the CEntOS6 and Solaris GH actions start passing again, but I suspect that's a separate issue

@AswathySK
Copy link
Contributor Author

@karianna ,
when will the code freeze be over?

@karianna
Copy link
Contributor

Not sure, should be by end of this week at the latest though

@sxa
Copy link
Member

sxa commented Feb 4, 2025

Looks like it was done during my time away at FOSDEM :-)
adoptium/.github#193
Currently catching up with notifications ...

@AswathySK
Copy link
Contributor Author

AswathySK commented May 19, 2025

@sxa ,
I noticed one more thing with enabling the EPEL repo.
Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

{
  "msg": "Failed to validate GPG signature for epel-release-9-10.el9.noarch",
  "invocation": {
    "module_args": {
      "name": [
        "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
      ],
      "allow_downgrade": false,
      "autoremove": false,
      "bugfix": false,
      "disable_gpg_check": false,
      "disable_plugin": [],
      "disablerepo": [],
      "download_only": false,
      "enable_plugin": [],
      "enablerepo": [],
      "exclude": [],
      "installroot": "/",
      "install_repoquery": true,
      "install_weak_deps": true,
      "security": false,
      "skip_broken": false,
      "update_cache": false,
      "update_only": false,
      "validate_certs": true,
      "lock_timeout": 30,
      "conf_file": null,
      "disable_excludes": null,
      "download_dir": null,
      "list": null,
      "releasever": null,
      "state": null
    }
  },
  "_ansible_no_log": false,
  "changed": false,
  "failed_when_result": false
}

We should either import the key or disable the gpg check(not secure).

- name: Import EPEL GPG key
  rpm_key:
    state: present
    key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

or just add disable_gpg_check: true

@sxa
Copy link
Member

sxa commented May 19, 2025

@sxa , I noticed one more thing with enabling the EPEL repo. Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

I wonder if we could just install the epel-release package instead of the current method - that should do everything correctly I think.

@sxa
Copy link
Member

sxa commented May 19, 2025

@AdamBrousseau Looks like you still have a pending change request on this - is it still valid?
It's a bit hard to see from the history but I think it's this one relating to setting the distro versions to "9+" instead of "9" which I believe has now been addressed.

@sxa
Copy link
Member

sxa commented May 19, 2025

@sxa , I noticed one more thing with enabling the EPEL repo. Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

Noting that mercurial is no longer needed (unless someone in the IBM team tells me you still need it!) and it was removed on most distributions as part of #3913 - although I see that RedHat.yml got missed from that, so feel free to remove it under this PR too :-)

@AswathySK
Copy link
Contributor Author

AswathySK commented May 19, 2025

@sxa ,
The epel-release package is available in centOS only.
For rhel I think this is the way to go i guess.
If thats the case, should we import the gpg key or disable the check?
Reference: https://www.liquidweb.com/blog/enable-epel-repository/
https://www.redhat.com/en/blog/install-epel-linux

Screenshot 2025-05-19 at 10 11 41 PM

@sxa
Copy link
Member

sxa commented May 19, 2025

@sxa , The epel-release package is available in centOS only. For rhel I think this is the way to go i guess. If thats the case, should we import the gpg key or disable the check? Reference: https://www.liquidweb.com/blog/enable-epel-repository/ https://www.redhat.com/en/blog/install-epel-linux

I definitely don't want to remove the check, so importing the key seems like the better option here.

AswathySK added 3 commits May 20, 2025 11:04
Signed-off-by: Aswathy S Kumar <[email protected]>
Signed-off-by: Aswathy S Kumar <[email protected]>
Signed-off-by: Aswathy S Kumar <[email protected]>
@AswathySK
Copy link
Contributor Author

@sxa ,
I have made the change to import the key and also made change to the jdk being installed and default path being set.
can you please take a look at it?

@sxa
Copy link
Member

sxa commented May 20, 2025

@sxa , I have made the change to import the key and also made change to the jdk being installed and default path being set. can you please take a look at it?

The changes look good - thanks! It wont' work for EL10 where the 1.8.0 package doesn't exist but I can cover that in some other changes I'm making for EL10 :-)

Running one more set of tests at https://ci.adoptium.net/view/Tooling/job/VagrantPlaybookCheck/2099/ (I expect CentOS6 will still fail, but not because of this PR)

@@ -153,7 +166,7 @@
with_items: "{{ Java_NOT_RHEL6_PPC64 }}"
when:
- not (ansible_distribution_major_version == "6" and ansible_architecture == "ppc64")
- not (ansible_distribution_major_version == "8")
- not (ansible_distribution_major_version | int >= 8)
tags: install_java

- name: Install Java when RedHat 6 on ppc64
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove these 2? I don't think we need ppc64(BE) anymore. I doubt Adopt does either.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adopt definitely doesn't - as I recall that was left in for IBM internal use so from an Adoptium side I have no particular view one way or another on that one ;-)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sounds like we don't need any java 8 installs here then?

I believe there are some things that rely on having a "default" java in the path. These things in the common role are to set that correctly I believe. In the future we could switch to making one of the Adoptium ones the default on the system but since that's not in place I would not want to remove that from this PR.

That would be a good separate issue/PR though, and should apply to all distributions.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. So cleanup the ppc64 bits and then this will be ready 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AdamBrousseau ,
Sorry I didnt get what you meant.
Do you need me to remove the task to install java for rhel 6 BE?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly I'm not sure. If we are 100% site than nothing requires JDK8 specifically then it should be ok but I'm not that confident at the moment and have requested input from the team as part of #3949 (Also referenced in Slack at https://adoptium.slack.com/archives/C53GHCXL4/p1747759541294539)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I open a separate PR for removing the ppc64(BE) and updating jdk to 21 for rhel8+ or should it be done in this PR itself?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm absolutely fine with it being separate from this PR since it's not specifically about RHEL9 👍
Hopefully @AdamBrousseau is ok with that approach too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AdamBrousseau ,
Thoughts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sxa @AdamBrousseau ,
I have removed tasks related to rhel6 ppc64.
The jdk version is still untouched.
Maybe once a decision regarding #3949 (comment) is made we can open a separate PR for that?

package: "name={{ item }} state=latest"
with_items: "{{ Java_RHEL8 }}"
when: (ansible_distribution_major_version == "8")
when: (ansible_distribution_major_version | int >= 8)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sounds like we don't need any java 8 installs here then?
Stewart has confirmed the Jenkins agent uses the jvm from the adoptopenjdk_install role. That role installs all the bootjdks for the builds. And for Semeru, we have a separate PB for the jenkins agent.

Copy link
Contributor

@steelhead31 steelhead31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@sxa
Copy link
Member

sxa commented May 22, 2025

@AswathySK I've just seen that one of the conditionals in the NTP_DATE role is wrong:

- name: Start NTP for RedHat, SLES 12 and CentOS 7
[...]
  when:
    - ntpd_entry_exists | default(false) | bool
    - (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8") or

This will need to be <8 instead of != 8 so that we only try to use Chrony on 9+ too.

I'll let you decide if you want to add that change to this PR or create another one (or I can do another PR if you'd prefer)

@AswathySK
Copy link
Contributor Author

@sxa I will make the change in this PR itself.

@AswathySK
Copy link
Contributor Author

@sxa Since tehre are still no final decision regarding the jdk, I have created a separate PR for correcting the NTP time:
#3953

Copy link
Contributor

@karianna karianna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm mostly OK with this, would e good to have sxa's comments addressed

@AswathySK AswathySK requested a review from AdamBrousseau May 26, 2025 07:43
@sxa
Copy link
Member

sxa commented May 27, 2025

I'm mostly OK with this, would e good to have sxa's comments addressed

To clarify, I'm good with it now - it's just Adam B's requests to remove PPC64BE that are outstanding, then we can merge.

Copy link
Contributor

@AdamBrousseau AdamBrousseau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

@AswathySK
Copy link
Contributor Author

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

@sxa , Do you know any history related to this?
Eventhough we install both even in Rhel6, java8 is set as default.

@sxa
Copy link
Member

sxa commented May 28, 2025

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

This really should be a discussion separate from this PR, but Temurin uses 7 to bootstrap 8 where possible (With one exception, we aim to use n-1 to bootstrap JDKn).

RHEL8+ does not java java-1.7.0 in the repositories which is why it is not installed there. That is ok, as we do not currently build on any RHEL8 systems, so it is not a hard requirement there at the current time, so we can let it slide. If it was available in those repositories, we could include it.

@sxa sxa merged commit 4476887 into adoptium:master May 28, 2025
10 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

5 participants