Add conditionals for Rhel9 in common role

[AswathySK]

The common role for Unix playbook doesnt include conditionals for rhel9 causing playbook failures.

Failures caused due to current condition:

• EPEL release not enabled for rhel9
• packags included in Installing additional build tools if NOT RHEL 8 task is applicable for rhel9 as well. For example NTP is replaced by chronyd.
• Additional build tools for rhel 8 is also required by rhel 9

Checklist

• commit message has one of the standard prefixes
• faq.md updated if appropriate
• other documentation is changed or added (if applicable)
• playbook changes run through VPC or QPC (if you have access)
• VPC/QPC not applicable for this PR
• for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

[AdamBrousseau]

@AswathySK can we make these conditions smarter so we don't have to keep updating them every time a new OS is released? Or do we prefer to leave it like this so we can test the new major OS releases?

[AswathySK]

@AdamBrousseau instead of changing conditional to do it for everything greater than or equal to rhel 8 instead?
There could be change in package dependencies for the future releases.
So how to make the change right now is up to the community I suppose.

[AdamBrousseau]

Sure. We can get other opinions. If we change it to be something like >=, and it stops working, the PBs will presumably fail and someone can investigate at that point. That would have to happen either way, but at least this way, you don't have to monitor and update it when it works.

[AdamBrousseau]

@sxa do you have an opinion on the above?

[AswathySK]

@AdamBrousseau , I have made the change as per your suggestion.

[AdamBrousseau]

Are these 3 cases still what we want?
From

infrastructure/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/vars/RedHat.yml

Line 95 in 894d848

Java_RHEL8:

Java_RHEL8:
  - java-1.8.0-openjdk-devel

Java_NOT_RHEL6_PPC64:             # Not RHEL8 either
  - java-1.7.0-openjdk-devel
  - java-1.8.0-openjdk-devel

Java_RHEL6_PPC64:
  - java-1.7.0-ibm-devel
  - java-1.8.0-ibm-devel

What is java 7 and 8 used for?

[AswathySK]

@AdamBrousseau @sxa , I am not sure. Should we bump it to 17 or 21?

[AdamBrousseau]

As far as I can tell it's been there since the beginning. Java is needed for 2 purposes that I know of.

• Connecting agents to jenkins.
• Bootjdk for compiling java.

Since Jenkins now requires jdk17 to run agents, and jdk11 was required 2 years ago, I don't think leaving this at java8 for jenkins connections is necessary.
For bootjdk requirement, the build scripts will pull the needed jdk during the build process so having a permanent install of 8 is not necessary in my opinion.

I would want an opinion from Adopt/@sxa before we remove it completely though.

[sxa]

As far as the boot JDK is concerned I don't want the builds pulling it down dynamically in most cases - that's mostly just a fallback mechanism. Other than pulling down the source, the builds should be able to run without network access.

I suspect those java-1.8.0* packages are no longer required, at least by Temurin, so it would likely be safe to remove them.

[AswathySK]

@AdamBrousseau , @sxa ,
Since stewart is of opinion not to pull down the bootjdks by the jobs.And java8 is not required, Should we remove the installing and setting up default java part in this role or should we maybe bump it to jdk17 or 21?

[sxa]

Yes I think that should be safe. It will hopefully be obvious if some part of the process requires it, in which case it's easy to back it out again :-)

Can the 1.7 version be installed from the RHEL9 repositories?

[AdamBrousseau]

@sxa is there another part of the PB installing java for use by the jenkins agent that Adopt is running?
We have an internal Semeru role that installs 21 for this.

[sxa]

Yep. The adoptopenjdk_install role: .

infrastructure/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml

Line 131 in 028773c

- role: adoptopenjdk_install # JDK21 Build Bootstrap

It's extracting as a tarball and doesn't set any default on the system to point to it, so the Jenkins agent is pointed directly to it under /usr/lub/jvm when it's started

[AdamBrousseau]

It sounds like we don't need any java 8 installs here then?
Stewart has confirmed the Jenkins agent uses the jvm from the adoptopenjdk_install role. That role installs all the bootjdks for the builds. And for Semeru, we have a separate PB for the jenkins agent.

[karianna]

@AswathySK Linter failures as well

[sxa]

A few comments/suggestions in addition to the Java7 on RHEL9 comments above.
Should any of these changes be made in the CentOS files too?

[sxa]

We probably need to go through and sanitise some of these names. This one should probably be Additional_Build_Tools_RHEL6_RHEL7 now but that doesn't need to be changed in this PR

[sxa]

Since we still have the reference to Java_RHEL8 above I believe this should not be removed

[sxa]

New VPC run at https://ci.adoptium.net/view/Tooling/job/VagrantPlaybookCheck/2038/ (Expect at least CentOS6 to fail - unrelated to this PR)

[karianna]

@AswathySK merge conflicts.

[github-actions]

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

[AswathySK]

@karianna @sxa ,
should this merge wait until code freeze is over?

[karianna]

Yes and I'd love to see the CEntOS6 and Solaris GH actions start passing again, but I suspect that's a separate issue

[AswathySK]

@karianna ,
when will the code freeze be over?

[karianna]

Not sure, should be by end of this week at the latest though

[sxa]

Looks like it was done during my time away at FOSDEM :-)
adoptium/.github#193
Currently catching up with notifications ...

[AswathySK]

@sxa ,
I noticed one more thing with enabling the EPEL repo.
Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

{
  "msg": "Failed to validate GPG signature for epel-release-9-10.el9.noarch",
  "invocation": {
    "module_args": {
      "name": [
        "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
      ],
      "allow_downgrade": false,
      "autoremove": false,
      "bugfix": false,
      "disable_gpg_check": false,
      "disable_plugin": [],
      "disablerepo": [],
      "download_only": false,
      "enable_plugin": [],
      "enablerepo": [],
      "exclude": [],
      "installroot": "/",
      "install_repoquery": true,
      "install_weak_deps": true,
      "security": false,
      "skip_broken": false,
      "update_cache": false,
      "update_only": false,
      "validate_certs": true,
      "lock_timeout": 30,
      "conf_file": null,
      "disable_excludes": null,
      "download_dir": null,
      "list": null,
      "releasever": null,
      "state": null
    }
  },
  "_ansible_no_log": false,
  "changed": false,
  "failed_when_result": false
}

We should either import the key or disable the gpg check(not secure).

- name: Import EPEL GPG key
  rpm_key:
    state: present
    key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

or just add disable_gpg_check: true

[sxa]

@sxa , I noticed one more thing with enabling the EPEL repo. Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

I wonder if we could just install the epel-release package instead of the current method - that should do everything correctly I think.

[sxa]

@AdamBrousseau Looks like you still have a pending change request on this - is it still valid?
It's a bit hard to see from the history but I think it's this one relating to setting the distro versions to "9+" instead of "9" which I believe has now been addressed.

[sxa]

@sxa , I noticed one more thing with enabling the EPEL repo. Since the failed_when: false parameter is used the EPEL repo is not actually getting enabled. And for mercurial to be installed EPEL is needed as well.

Noting that mercurial is no longer needed (unless someone in the IBM team tells me you still need it!) and it was removed on most distributions as part of #3913 - although I see that RedHat.yml got missed from that, so feel free to remove it under this PR too :-)

[AswathySK]

@sxa ,
The epel-release package is available in centOS only.
For rhel I think this is the way to go i guess.
If thats the case, should we import the gpg key or disable the check?
Reference: https://www.liquidweb.com/blog/enable-epel-repository/
https://www.redhat.com/en/blog/install-epel-linux

[sxa]

@sxa , The epel-release package is available in centOS only. For rhel I think this is the way to go i guess. If thats the case, should we import the gpg key or disable the check? Reference: https://www.liquidweb.com/blog/enable-epel-repository/ https://www.redhat.com/en/blog/install-epel-linux

I definitely don't want to remove the check, so importing the key seems like the better option here.

[AswathySK]

@sxa ,
I have made the change to import the key and also made change to the jdk being installed and default path being set.
can you please take a look at it?

[sxa]

@sxa , I have made the change to import the key and also made change to the jdk being installed and default path being set. can you please take a look at it?

The changes look good - thanks! It wont' work for EL10 where the 1.8.0 package doesn't exist but I can cover that in some other changes I'm making for EL10 :-)

Running one more set of tests at https://ci.adoptium.net/view/Tooling/job/VagrantPlaybookCheck/2099/ (I expect CentOS6 will still fail, but not because of this PR)

[AdamBrousseau]

Can we remove these 2? I don't think we need ppc64(BE) anymore. I doubt Adopt does either.

[sxa]

Adopt definitely doesn't - as I recall that was left in for IBM internal use so from an Adoptium side I have no particular view one way or another on that one ;-)

[sxa]

It sounds like we don't need any java 8 installs here then?

I believe there are some things that rely on having a "default" java in the path. These things in the common role are to set that correctly I believe. In the future we could switch to making one of the Adoptium ones the default on the system but since that's not in place I would not want to remove that from this PR.

That would be a good separate issue/PR though, and should apply to all distributions.

[AdamBrousseau]

Fair enough. So cleanup the ppc64 bits and then this will be ready 👍

[AswathySK]

@AdamBrousseau ,
Sorry I didnt get what you meant.
Do you need me to remove the task to install java for rhel 6 BE?

[sxa]

Honestly I'm not sure. If we are 100% site than nothing requires JDK8 specifically then it should be ok but I'm not that confident at the moment and have requested input from the team as part of #3949 (Also referenced in Slack at https://adoptium.slack.com/archives/C53GHCXL4/p1747759541294539)

[AswathySK]

Can I open a separate PR for removing the ppc64(BE) and updating jdk to 21 for rhel8+ or should it be done in this PR itself?

[sxa]

I'm absolutely fine with it being separate from this PR since it's not specifically about RHEL9 👍
Hopefully @AdamBrousseau is ok with that approach too.

[AswathySK]

@AdamBrousseau ,
Thoughts?

[AswathySK]

@sxa @AdamBrousseau ,
I have removed tasks related to rhel6 ppc64.
The jdk version is still untouched.
Maybe once a decision regarding #3949 (comment) is made we can open a separate PR for that?

[AdamBrousseau]

It sounds like we don't need any java 8 installs here then?
Stewart has confirmed the Jenkins agent uses the jvm from the adoptopenjdk_install role. That role installs all the bootjdks for the builds. And for Semeru, we have a separate PB for the jenkins agent.

[steelhead31]

Looks good

[sxa]

@AswathySK I've just seen that one of the conditionals in the NTP_DATE role is wrong:

- name: Start NTP for RedHat, SLES 12 and CentOS 7
[...]
  when:
    - ntpd_entry_exists | default(false) | bool
    - (ansible_distribution == "RedHat" and ansible_distribution_major_version != "8") or

This will need to be <8 instead of != 8 so that we only try to use Chrony on 9+ too.

I'll let you decide if you want to add that change to this PR or create another one (or I can do another PR if you'd prefer)

[AswathySK]

@sxa I will make the change in this PR itself.

[AswathySK]

@sxa Since tehre are still no final decision regarding the jdk, I have created a separate PR for correcting the NTP time:
#3953

[karianna]

I'm mostly OK with this, would e good to have sxa's comments addressed

[sxa]

I'm mostly OK with this, would e good to have sxa's comments addressed

To clarify, I'm good with it now - it's just Adam B's requests to remove PPC64BE that are outstanding, then we can merge.

[AdamBrousseau]

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

[AswathySK]

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

@sxa , Do you know any history related to this?
Eventhough we install both even in Rhel6, java8 is set as default.

[sxa]

This lftm now. Although I'm still confused why we install java 7 & 8 vs 8 only when on rhel8+.

This really should be a discussion separate from this PR, but Temurin uses 7 to bootstrap 8 where possible (With one exception, we aim to use n-1 to bootstrap JDKn).

RHEL8+ does not java java-1.7.0 in the repositories which is why it is not installed there. That is ok, as we do not currently build on any RHEL8 systems, so it is not a hard requirement there at the current time, so we can let it slide. If it was available in those repositories, we could include it.