Merge branch 'main' into fix/build-hpl-fatimage

bertiethorpe · web-flow · commit 2e1ba044df1e · 2025-07-31T14:00:13.000+01:00
diff --git a/.github/workflows/stackhpc.yml b/.github/workflows/stackhpc.yml
@@ -9,8 +9,7 @@ on:
       - '**'
       - '!dev/**'
       - 'dev/setup-env.sh'
-      - '!docs/**'
-      - '!README.md'
+      - '!**.md'
       - '!.gitignore'
       - '!.github/workflows/'
       - '.github/workflows/stackhpc'
@@ -19,8 +18,7 @@ on:
       - '**'
       - '!dev/**'
       - 'dev/setup-env.sh'
-      - '!docs/**'
-      - '!README.md'
+      - '!**.md'
       - '!.gitignore'
       - '!.github/workflows/'
       - '.github/workflows/stackhpc'
diff --git a/ansible/roles/freeipa/README.md b/ansible/roles/freeipa/README.md
@@ -37,6 +37,7 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
 
 - `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
 - `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
+- `freeipa_ca_cert_file`: Optional, path **on the ansible deploy host** to FreeIPA server cert. Else this will be downloaded (insecurely) from the FreeIPA server over http.
 
 See also use of `appliances_state_dir` on the control node as described above.
 
diff --git a/ansible/roles/freeipa/defaults/main.yml b/ansible/roles/freeipa/defaults/main.yml
@@ -10,5 +10,5 @@ freeipa_user_defaults:
   ipa_pass: "{{ freeipa_admin_password | quote }}"
   ipa_user: admin
 freeipa_users: [] # see community.general.ipa_user
-
+freeipa_ca_cert_file: ''
 _freeipa_keytab_backup_path: "{{ hostvars[groups['control'].0].appliances_state_dir  }}/freeipa/{{ inventory_hostname }}/krb5.keytab"
diff --git a/ansible/roles/freeipa/tasks/enrol.yml b/ansible/roles/freeipa/tasks/enrol.yml
@@ -16,6 +16,15 @@
     mode: ug=rw,o=
   when: '"content" in _slurp_persisted_keytab'
 
+- name: Copy CA Cert to host
+  ansible.builtin.copy:
+    src: "{{ freeipa_ca_cert_file }}"
+    dest: /etc/ipa/ca.crt
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  when: freeipa_ca_cert_file != ''
+
 - name: Re-enrol with FreeIPA using backed-up keytab
   # Re-enrolment requires --force-join and --password, or --keytab
   # Re-rolement means:
@@ -31,6 +40,9 @@
         --mkhomedir
         --enable-dns-updates
         --keytab /tmp/krb5.keytab
+        {% if freeipa_ca_cert_file != '' %}
+        --ca-cert-file=/etc/ipa/ca.crt
+        {% endif %}
   when: '"content" in _slurp_persisted_keytab'
   register: ipa_client_install_keytab
   changed_when: ipa_client_install_keytab.rc == 0
@@ -47,6 +59,9 @@
         --mkhomedir
         --enable-dns-updates
         --password '{{ freeipa_host_password }}'
+        {% if freeipa_ca_cert_file != '' %}
+        --ca-cert-file=/etc/ipa/ca.crt
+        {% endif %}
   when:
     - '"content" not in _slurp_persisted_keytab'
     - freeipa_host_password is defined
diff --git a/ansible/roles/ofed/README.md b/ansible/roles/ofed/README.md
@@ -1,5 +1,10 @@
 # ofed
 
+> [!IMPORTANT]
+> This role is deprecated - it is not regularly maintained and StackHPC CI
+> does not test that it works. Consider using [ansible/roles/doca](../doca/README.md)
+> instead.
+
 This role installs Mellanox OFED:
 - It checks that the running kernel is the latest installed one, and errors if not.
 - Installation uses the `mlnxofedinstall` command, with support for the running kernel
diff --git a/docs/upgrades.md b/docs/upgrades.md
@@ -54,9 +54,9 @@ All other commands should be run on the Ansible deploy host.
    Make changes as necessary.
 
 1. Identify image(s) from the relevant [Slurm appliance release](https://github.com/stackhpc/ansible-slurm-appliance/releases), and download
-   using the link on the release plus the image name, e.g. for an image `openhpc-ofed-RL8-240906-1042-32568dbb`:
+   using the link on the release plus the image name, e.g. for an image `openhpc-RL9-250708-1547-1494192e`:
 
-        wget https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_3a06571936a0424bb40bc5c672c4ccb1/openhpc-images/openhpc-ofed-RL8-240906-1042-32568dbb
+        wget https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_3a06571936a0424bb40bc5c672c4ccb1/openhpc-images/openhpc-RL9-250708-1547-1494192e
 
     Note that some releases may not include new images. In this case use the image from the latest previous release with new images.
 
diff --git a/requirements.txt b/requirements.txt
@@ -1,6 +1,6 @@
 ansible==6.7.0 # cloudalchemy.prometheus uses ansible.builtin.include, removed in ansible-core==2.16 => ansible==9
 openstacksdk
-python-openstackclient==6.6.1 # v7.0.0 has a bug re. rebuild
+python-openstackclient==8.0.0
 python-manilaclient
 python-ironicclient
 jmespath
