From 519d59106182d0f7d73bacad086314b8ba70a4b1 Mon Sep 17 00:00:00 2001 From: ocaisa Date: Tue, 9 Sep 2025 11:45:41 +0200 Subject: [PATCH 01/16] Update trusted directories for glibc to leverage variable symlinks Fixes #226 Since this is pretty relevant to security, I am inclined to point these variable symlinks to `/dev/null` by default but that does not actually address the problem being discussed in #226 (having to harass the admins to link the CUDA drivers). If we can have logic in our CVMFS configuration then maybe we can address that. --- .../playbooks/roles/compatibility_layer/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/playbooks/roles/compatibility_layer/defaults/main.yml b/ansible/playbooks/roles/compatibility_layer/defaults/main.yml index 9c7aab84..ddd867db 100644 --- a/ansible/playbooks/roles/compatibility_layer/defaults/main.yml +++ b/ansible/playbooks/roles/compatibility_layer/defaults/main.yml 
@@ -20,9 +20,9 @@ gentoo_git_repo: https://github.com/gentoo/gentoo.git gentoo_git_commit: 083e38cef302128d595e9f9cfd029ad8f67ec2b7 prefix_required_space: 15 GB prefix_user_defined_trusted_dirs: - - "/cvmfs/{{ cvmfs_repository }}/host_injections/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/override" - - "/cvmfs/{{ cvmfs_repository }}/host_injections/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/nvidia" - - "/cvmfs/{{ cvmfs_repository }}/host_injections/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/amd" + - "/cvmfs/{{ cvmfs_repository }}/versions/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/override" + - "/cvmfs/{{ cvmfs_repository }}/versions/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/nvidia" + - "/cvmfs/{{ cvmfs_repository }}/versions/{{ eessi_version }}/compat/{{ eessi_host_os }}/{{ eessi_host_arch }}/lib/amd" prefix_mask_packages: | # stick to GCC 13.x; using a too recent compiler in the compat layer may complicate stuff in the software layer, # see for example https://github.com/EESSI/software-layer/issues/151 From 86f27d5e00336da59445d8c16e9b6276d2666b4e Mon Sep 17 00:00:00 2001 From: ocaisa Date: Tue, 9 Sep 2025 12:27:24 +0200 Subject: [PATCH 02/16] Update `upload-artifact` action --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 39b06bd8..8200819f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
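Review bot: `prefix_user_defined_trusted_dirs` is what this role hands to glibc as its trusted search directories, so whatever the three new `versions/.../lib/{override,nvidia,amd}` paths resolve to is picked up by the dynamic loader for every binary in the compat layer, yet nothing in the defaults file records that. The commit message says these will become variable symlinks and calls the choice security-relevant; that belongs next to the key, e.g. `# Searched by the dynamic loader for every compat-layer binary. Expected to be variable symlinks; their targets must be writable only by the host admin.`. Since the loader consults these directories in list order, `lib/override` taking precedence over `lib/nvidia` and `lib/amd` is presumably intentional and is worth stating in the same comment.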
@@ -62,7 +62,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif From 561194d2b398d1816052023dcc70e7257b034953 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 19:59:30 +0200 Subject: [PATCH 03/16] only sync when the overlay config is changed --- .../playbooks/roles/compatibility_layer/tasks/add_overlay.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml index f728896b..e642ae54 100644 --- a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml +++ b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml @@ -17,6 +17,7 @@ dest: "{{ gentoo_prefix_path }}/etc/portage/repos.conf/{{ item.name }}.conf" mode: "0644" loop: "{{ custom_overlays }}" + register: overlay_config_files - name: Make configuration file with overlays that can override eclasses ansible.builtin.copy: @@ -33,6 +34,7 @@ community.general.portage: sync: 'yes' verbose: true + when: overlay_config_files is changed - name: Find all files and directories in the etc/portage directory of the overlay ansible.builtin.find: From ba11c639c2f66e2cbd43816ac1c29838fc5944c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:32:52 +0200 Subject: [PATCH 04/16] add sync handler --- .../playbooks/roles/compatibility_layer/handlers/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml index 15f88ef7..0780ff59 100644 
--- a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml +++ b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml @@ -4,3 +4,9 @@ - name: Generate locales ansible.builtin.command: locale-gen changed_when: true + +- name: Sync the overlay repositories + community.general.portage: + sync: 'yes' + verbose: true + From 63f0dd4469cc8e0f6202fbf8c3bd572565e5328f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:34:08 +0200 Subject: [PATCH 05/16] rename sync handler --- ansible/playbooks/roles/compatibility_layer/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml index 0780ff59..195b1912 100644 --- a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml +++ b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml @@ -5,7 +5,7 @@ ansible.builtin.command: locale-gen changed_when: true -- name: Sync the overlay repositories +- name: Sync overlays community.general.portage: sync: 'yes' verbose: true From 4f95707162e7b8acf4ae6430226b0fb381217a91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:34:21 +0200 Subject: [PATCH 06/16] call sync handler --- .../roles/compatibility_layer/tasks/add_overlay.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml index e642ae54..16f75e0b 100644 --- a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml +++ b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml 
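Review bot: The new `Sync the overlay repositories` handler can only be reached through its exact `name`, so every future `notify:` has to match that string byte for byte, and patch 05 already renames it once within this series. Adding `listen: sync overlays` under the handler lets tasks notify a stable topic instead, so the display name can change without silently breaking notifications. The `sync: 'yes'` quoting is correct here since the portage module takes that value as a string choice, not a boolean.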
@@ -17,7 +17,7 @@ dest: "{{ gentoo_prefix_path }}/etc/portage/repos.conf/{{ item.name }}.conf" mode: "0644" loop: "{{ custom_overlays }}" - register: overlay_config_files + notify: Sync overlays - name: Make configuration file with overlays that can override eclasses ansible.builtin.copy: @@ -30,12 +30,6 @@ selectattr('eclass-overrides', 'equalto', True) | map(attribute='name') | join(' ') }} -- name: Sync the repositories - community.general.portage: - sync: 'yes' - verbose: true - when: overlay_config_files is changed - - name: Find all files and directories in the etc/portage directory of the overlay ansible.builtin.find: file_type: any From d38d6dd369944f4acb86c38672f44d33740a4249 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:36:03 +0200 Subject: [PATCH 07/16] flush handlers --- .../playbooks/roles/compatibility_layer/tasks/add_overlay.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml index 16f75e0b..693306cb 100644 --- a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml +++ b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml @@ -30,6 +30,9 @@ selectattr('eclass-overrides', 'equalto', True) | map(attribute='name') | join(' ') }} +- name: Flush handlers to make sure that overlays are synced + meta: flush_handlers + - name: Find all files and directories in the etc/portage directory of the overlay ansible.builtin.find: file_type: any From 7cf15eff3c798ea39b03eb1a06f4bd0b4afc6ee0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:48:46 +0200 Subject: [PATCH 08/16] remove blank line --- ansible/playbooks/roles/compatibility_layer/handlers/main.yml | 1 - 1 file changed, 1 deletion(-) 
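Review bot: `meta: flush_handlers` in the patch 07 hunk runs every handler notified so far in the play, not only `Sync overlays` — the role's handlers file also defines `Generate locales` — so the task name slightly overstates its scope; a comment such as `# flushes all pending handlers; needed so the overlay sync runs before the find task below` would make that explicit. Also note that if a run fails between the repos.conf copy (which now carries the `notify:`) and this flush, the next run sees unchanged config files, never re-notifies, and the overlays stay unsynced unless `--force-handlers` is used; that may be acceptable but is worth a sentence in the same comment. The eclass-overrides copy task between the two hunks is not notifying the handler; if a change there also needs a sync, it presumably should.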
diff --git a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml index 195b1912..078eb915 100644 --- a/ansible/playbooks/roles/compatibility_layer/handlers/main.yml +++ b/ansible/playbooks/roles/compatibility_layer/handlers/main.yml @@ -9,4 +9,3 @@ community.general.portage: sync: 'yes' verbose: true - From 3d15aa0d4f49c8280164752e531db35f7306a94a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:49:00 +0200 Subject: [PATCH 09/16] use ansible.builtin.meta --- .../playbooks/roles/compatibility_layer/tasks/add_overlay.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml index 693306cb..47a8c4d4 100644 --- a/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml +++ b/ansible/playbooks/roles/compatibility_layer/tasks/add_overlay.yml @@ -31,7 +31,7 @@ }} - name: Flush handlers to make sure that overlays are synced - meta: flush_handlers + ansible.builtin.meta: flush_handlers - name: Find all files and directories in the etc/portage directory of the overlay ansible.builtin.find: From 2eb4c2af10ed17ca0a464ac13557230ff7dcea97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:56:58 +0200 Subject: [PATCH 10/16] add community.general dependency --- .github/workflows/ansible-lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 68ba88ac..9b765099 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml 
@@ -21,3 +21,4 @@ jobs: # demote var-naming[no-role-prefix] to warnings, as we only have a single role, # and prefixing all variables in that role with the role name is really ugly args: "--warn-list var-naming[no-role-prefix]" + required_collections: 'community.general' From 5647d518b71db87aa0babb2244ab502a13a9a26b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 20:59:51 +0200 Subject: [PATCH 11/16] galaxy requirements file --- ansible/playbooks/galaxy-requirements.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ansible/playbooks/galaxy-requirements.yml diff --git a/ansible/playbooks/galaxy-requirements.yml b/ansible/playbooks/galaxy-requirements.yml new file mode 100644 index 00000000..06b90316 --- /dev/null +++ b/ansible/playbooks/galaxy-requirements.yml @@ -0,0 +1,8 @@ +# +# Install roles and collections from the default Ansible Galaxy server. +# +--- +collections: + - name: community.general + version: '>=10.7.3' +... From 0d18772c2d042470312a56b56a96cd26a2e1c55b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 21:00:26 +0200 Subject: [PATCH 12/16] point to requirements file --- .github/workflows/ansible-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 9b765099..b1c36fe7 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -21,4 +21,4 @@ jobs: # demote var-naming[no-role-prefix] to warnings, as we only have a single role, # and prefixing all variables in that role with the role name is really ugly args: "--warn-list var-naming[no-role-prefix]" - required_collections: 'community.general' + requirements_file: "galaxy-requirements.yml" From 5e1db9b46714d55df2ff869f3a4b649bd3b823fd Mon Sep 17 00:00:00 2001 
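Review bot: `version: '>=10.7.3'` in the new galaxy-requirements.yml is an open-ended range, so the lint job installs whatever the newest `community.general` release on Galaxy happens to be at run time; the resolved artifact is not reproducible from the commit, and a future major release could change the `portage` module's interface or break lint with no change in this repository. Pin it, e.g. `version: '10.7.3'` or at least a bounded `'>=10.7.3,<11.0.0'`, and bump deliberately. The same content is re-created at `ansible/galaxy-requirements.yml` in patch 15, where the same point applies.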
From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 21:01:23 +0200 Subject: [PATCH 13/16] correct path to requirements file --- .github/workflows/ansible-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index b1c36fe7..c64abe87 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -21,4 +21,4 @@ jobs: # demote var-naming[no-role-prefix] to warnings, as we only have a single role, # and prefixing all variables in that role with the role name is really ugly args: "--warn-list var-naming[no-role-prefix]" - requirements_file: "galaxy-requirements.yml" + requirements_file: "ansible/playbooks/galaxy-requirements.yml" From 5b415fa3d03fafd8579df0702aff5a2a0b3ba90b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 21:02:33 +0200 Subject: [PATCH 14/16] move requirements file --- ansible/playbooks/galaxy-requirements.yml | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 ansible/playbooks/galaxy-requirements.yml diff --git a/ansible/playbooks/galaxy-requirements.yml b/ansible/playbooks/galaxy-requirements.yml deleted file mode 100644 index 06b90316..00000000 --- a/ansible/playbooks/galaxy-requirements.yml +++ /dev/null @@ -1,8 +0,0 @@ -# -# Install roles and collections from the default Ansible Galaxy server. -# ---- -collections: - - name: community.general - version: '>=10.7.3' -... From bf193be93895b32e6d1c17da6749cef33a766f98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 21:02:38 +0200 Subject: [PATCH 15/16] move requirements file --- ansible/galaxy-requirements.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ansible/galaxy-requirements.yml diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml new file mode 100644 index 00000000..06b90316 --- /dev/null +++ b/ansible/galaxy-requirements.yml 
@@ -0,0 +1,8 @@ +# +# Install roles and collections from the default Ansible Galaxy server. +# +--- +collections: + - name: community.general + version: '>=10.7.3' +... From 419e3ce927f3a6b660da6265f6c0c04666c9f3e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bob=20Dr=C3=B6ge?= Date: Mon, 15 Sep 2025 21:02:59 +0200 Subject: [PATCH 16/16] move requirements file --- .github/workflows/ansible-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index c64abe87..94679101 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -21,4 +21,4 @@ jobs: # demote var-naming[no-role-prefix] to warnings, as we only have a single role, # and prefixing all variables in that role with the role name is really ugly args: "--warn-list var-naming[no-role-prefix]" - requirements_file: "ansible/playbooks/galaxy-requirements.yml" + requirements_file: "ansible/galaxy-requirements.yml"