Feature branch sync - pub/q2_upgrade to multi-subnet

.github/workflows/ansible-lint.yml

@@ -10,6 +10,7 @@ on:
       - pub/q2_dev
       - pub/telemetry
       - pub/q2_upgrade
+      - pub/q2_ansible
 
 jobs:
   build:

.github/workflows/pylint.yml

@@ -10,6 +10,7 @@ on:
       - pub/q2_dev
       - pub/telemetry
       - pub/q2_upgrade
+      - pub/q2_ansible
 
 jobs:
   build:

build_image_aarch64/ansible.cfg

@@ -5,6 +5,7 @@ host_key_checking = false
 forks = 5
 timeout = 180
 executable = /bin/bash
+interpreter_python = /usr/bin/python3
 library = ../common/library/modules
 module_utils = ../common/library/module_utils
 

build_image_aarch64/build_image_aarch64.yml

@@ -24,7 +24,7 @@
     - name: Set dynamic run tags including 'build_aarch_image'
       when: not config_file_status | default(false) | bool
       ansible.builtin.set_fact:
-        omnia_run_tags: "{{ (ansible_run_tags | default([]) + ['build_aarch_image']) | unique }}"
+        omnia_run_tags: "{{ (ansible_run_tags | default([]) | list + ['build_aarch_image']) | unique }}"
         cacheable: true
 
 - name: Invoke validate_config.yml to perform L1 and L2 validations with build_image tag
@@ -137,6 +137,16 @@
   roles:
     - prepare_arm_node
 
+- name: Pre-flight SELinux policy fix on aarch64 node
+  hosts: admin_aarch64
+  connection: ssh
+  gather_facts: false
+  tasks:
+    - name: Install SELinux policy module for container runtime
+      ansible.builtin.include_role:
+        name: image_creation
+        tasks_from: preflight_selinux_check.yml
+
 - name: Fetch packages for aarch64
   hosts: localhost
   connection: local

build_image_aarch64/roles/image_creation/files/omnia-crun-bpf.te

@@ -0,0 +1,15 @@
+module omnia-crun-bpf 1.0;
+
+require {
+    type init_t;
+    type container_runtime_t;
+    class bpf prog_run;
+}
+
+#============= init_t ==============
+# Fix: container-selinux policy regression on RHEL 10.2 (kernel 6.12+, crun 1.27+).
+# systemd (init_t) needs prog_run on container_runtime_t bpf programs to install
+# eBPF device filters on container cgroups. Without this, Podman containers fail:
+#   "crun: systemd failed to install eBPF device filter on cgroup ..."
+# Retire this module once an updated container-selinux ships the fix.
+allow init_t container_runtime_t:bpf prog_run;

build_image_aarch64/roles/image_creation/tasks/build_image_common.yml

@@ -65,3 +65,17 @@
       {{ '-e AWS_REQUEST_CHECKSUM_CALCULATION=when_required
       -e AWS_RESPONSE_CHECKSUM_VALIDATION=when_required'
       if s3_configurations.provider == 'powerscale' else '' }}
+
+- name: Verify Podman can run containers
+  ansible.builtin.command:
+    cmd: podman run --rm localhost/{{ aarch64_local_tag }} echo ok
+  register: _podman_verify
+  changed_when: false
+  failed_when: false
+  delegate_to: "{{ aarch64_build_host }}"
+  connection: ssh
+
+- name: Fail if Podman container runtime is broken
+  ansible.builtin.fail:
+    msg: "{{ podman_verify_fail_msg }} Error: {{ _podman_verify.stderr | default('unknown') }}"
+  when: _podman_verify.rc != 0

build_image_aarch64/roles/image_creation/tasks/preflight_selinux_check.yml

@@ -0,0 +1,75 @@
+# Copyright 2026 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Pre-flight: Install minimal SELinux policy module to fix container-selinux
+# regression on RHEL 10.2 (crun 1.27 + kernel 6.12). SELinux stays enforcing.
+# Retire this when an updated container-selinux ships the bpf prog_run rule.
+
+- name: Install omnia-crun-bpf SELinux policy module
+  block:
+    - name: Ensure SELinux policy build tools are present
+      ansible.builtin.package:
+        name:
+          - policycoreutils
+          - checkpolicy
+        state: present
+
+    - name: Check if omnia-crun-bpf SELinux module is loaded
+      ansible.builtin.command: semodule -lfull
+      register: _selinux_modules
+      changed_when: false
+
+    - name: Create SELinux custom policy directory
+      ansible.builtin.file:
+        path: "{{ selinux_policy_dir }}"
+        state: directory
+        mode: "0755"
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Copy omnia-crun-bpf policy source
+      ansible.builtin.copy:
+        src: omnia-crun-bpf.te
+        dest: "{{ selinux_policy_dir }}/omnia-crun-bpf.te"
+        mode: "0600"
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Compile SELinux policy module
+      ansible.builtin.command:
+        cmd: >-
+          checkmodule -M -m
+          -o {{ selinux_policy_dir }}/omnia-crun-bpf.mod
+          {{ selinux_policy_dir }}/omnia-crun-bpf.te
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Package SELinux policy module
+      ansible.builtin.command:
+        cmd: >-
+          semodule_package
+          -o {{ selinux_policy_dir }}/omnia-crun-bpf.pp
+          -m {{ selinux_policy_dir }}/omnia-crun-bpf.mod
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Load SELinux policy module
+      ansible.builtin.command:
+        cmd: semodule -X 300 -i {{ selinux_policy_dir }}/omnia-crun-bpf.pp
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+  rescue:
+    - name: Warn that SELinux policy module installation failed
+      ansible.builtin.debug:
+        msg: "{{ selinux_install_warn_msg }}"

build_image_aarch64/roles/image_creation/vars/main.yml

@@ -54,3 +54,16 @@ compute_image_failure_msg: |
 openchami_compute_image_config_template: "{{ role_path }}/templates/images/rhel-compute-config.yaml.j2"
 storage_config_file_path: "{{ input_project_dir }}/storage_config.yml"
 storage_config_syntax_fail_msg: "Failed to load storage_config.yml due to syntax error"
+
+# preflight_selinux_check.yml
+selinux_module_name: "omnia-crun-bpf"
+selinux_policy_dir: "/etc/selinux/targeted/custom"
+podman_verify_fail_msg: >-
+  Podman cannot start containers on this node.
+  Ensure the node was rebooted after the kernel update and that the
+  omnia-crun-bpf SELinux module loaded successfully
+  (semodule -lfull | grep omnia-crun-bpf).
+selinux_install_warn_msg: >-
+  WARNING: Failed to install omnia-crun-bpf SELinux policy module.
+  Build will continue but may fail if the eBPF device filter issue is present.
+  Check SELinux policy tools and audit log on this node.

build_image_x86_64/ansible.cfg

@@ -5,6 +5,7 @@ host_key_checking = false
 forks = 5
 timeout = 180
 executable = /bin/bash
+interpreter_python = /usr/bin/python3
 library = ../common/library/modules
 module_utils = ../common/library/module_utils
 

build_image_x86_64/build_image_x86_64.yml

@@ -24,7 +24,7 @@
     - name: Set dynamic run tags including 'build_image'
       when: not config_file_status | default(false) | bool
       ansible.builtin.set_fact:
-        omnia_run_tags: "{{ (ansible_run_tags | default([]) + ['build_image']) | unique }}"
+        omnia_run_tags: "{{ (ansible_run_tags | default([]) | list + ['build_image']) | unique }}"
         cacheable: true
 
 - name: Invoke validate_config.yml to perform L1 and L2 validations with build_image tag
@@ -97,6 +97,16 @@
     oim_group: true
   tags: always
 
+- name: Pre-flight SELinux policy fix on OIM node
+  hosts: oim
+  connection: ssh
+  gather_facts: false
+  tasks:
+    - name: Install SELinux policy module for container runtime
+      ansible.builtin.include_role:
+        name: image_creation
+        tasks_from: preflight_selinux_check.yml
+
 - name: Configure auth for OpenCHAMI
   hosts: oim
   connection: ssh

build_image_x86_64/roles/image_creation/files/omnia-crun-bpf.te

@@ -0,0 +1,15 @@
+module omnia-crun-bpf 1.0;
+
+require {
+    type init_t;
+    type container_runtime_t;
+    class bpf prog_run;
+}
+
+#============= init_t ==============
+# Fix: container-selinux policy regression on RHEL 10.2 (kernel 6.12+, crun 1.27+).
+# systemd (init_t) needs prog_run on container_runtime_t bpf programs to install
+# eBPF device filters on container cgroups. Without this, Podman containers fail:
+#   "crun: systemd failed to install eBPF device filter on cgroup ..."
+# Retire this module once an updated container-selinux ships the fix.
+allow init_t container_runtime_t:bpf prog_run;

build_image_x86_64/roles/image_creation/tasks/build_image_common.yml

@@ -64,3 +64,15 @@
       {{ '-e AWS_REQUEST_CHECKSUM_CALCULATION=when_required
       -e AWS_RESPONSE_CHECKSUM_VALIDATION=when_required'
       if s3_configurations.provider == 'powerscale' else '' }}
+
+- name: Verify Podman can run containers
+  ansible.builtin.command:
+    cmd: podman run --rm localhost/{{ x86_64_local_tag }} echo ok
+  register: _podman_verify
+  changed_when: false
+  failed_when: false
+
+- name: Fail if Podman container runtime is broken
+  ansible.builtin.fail:
+    msg: "{{ podman_verify_fail_msg }} Error: {{ _podman_verify.stderr | default('unknown') }}"
+  when: _podman_verify.rc != 0

build_image_x86_64/roles/image_creation/tasks/preflight_selinux_check.yml

@@ -0,0 +1,75 @@
+# Copyright 2026 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Pre-flight: Install minimal SELinux policy module to fix container-selinux
+# regression on RHEL 10.2 (crun 1.27 + kernel 6.12). SELinux stays enforcing.
+# Retire this when an updated container-selinux ships the bpf prog_run rule.
+
+- name: Install omnia-crun-bpf SELinux policy module
+  block:
+    - name: Ensure SELinux policy build tools are present
+      ansible.builtin.package:
+        name:
+          - policycoreutils
+          - checkpolicy
+        state: present
+
+    - name: Check if omnia-crun-bpf SELinux module is loaded
+      ansible.builtin.command: semodule -lfull
+      register: _selinux_modules
+      changed_when: false
+
+    - name: Create SELinux custom policy directory
+      ansible.builtin.file:
+        path: "{{ selinux_policy_dir }}"
+        state: directory
+        mode: "0755"
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Copy omnia-crun-bpf policy source
+      ansible.builtin.copy:
+        src: omnia-crun-bpf.te
+        dest: "{{ selinux_policy_dir }}/omnia-crun-bpf.te"
+        mode: "0600"
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Compile SELinux policy module
+      ansible.builtin.command:
+        cmd: >-
+          checkmodule -M -m
+          -o {{ selinux_policy_dir }}/omnia-crun-bpf.mod
+          {{ selinux_policy_dir }}/omnia-crun-bpf.te
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Package SELinux policy module
+      ansible.builtin.command:
+        cmd: >-
+          semodule_package
+          -o {{ selinux_policy_dir }}/omnia-crun-bpf.pp
+          -m {{ selinux_policy_dir }}/omnia-crun-bpf.mod
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+    - name: Load SELinux policy module
+      ansible.builtin.command:
+        cmd: semodule -X 300 -i {{ selinux_policy_dir }}/omnia-crun-bpf.pp
+      changed_when: true
+      when: selinux_module_name not in _selinux_modules.stdout
+
+  rescue:
+    - name: Warn that SELinux policy module installation failed
+      ansible.builtin.debug:
+        msg: "{{ selinux_install_warn_msg }}"

build_image_x86_64/roles/image_creation/vars/main.yml

@@ -61,3 +61,16 @@ network_spec: "{{ input_project_dir }}/network_spec.yml"
 network_spec_syntax_fail_msg: "Failed to load network_spec.yml due to syntax error"
 storage_config_file_path: "{{ input_project_dir }}/storage_config.yml"
 storage_config_syntax_fail_msg: "Failed to load storage_config.yml due to syntax error"
+
+# preflight_selinux_check.yml
+selinux_module_name: "omnia-crun-bpf"
+selinux_policy_dir: "/etc/selinux/targeted/custom"
+podman_verify_fail_msg: >-
+  Podman cannot start containers on this node.
+  Ensure the node was rebooted after the kernel update and that the
+  omnia-crun-bpf SELinux module loaded successfully
+  (semodule -lfull | grep omnia-crun-bpf).
+selinux_install_warn_msg: >-
+  WARNING: Failed to install omnia-crun-bpf SELinux policy module.
+  Build will continue but may fail if the eBPF device filter issue is present.
+  Check SELinux policy tools and audit log on this node.