ansible: update RHEL 8 container (#4231)

Register the RHEL 8 containers with our RHEL subscription so that
we can install older versions of some packages (e.g. `gcc-toolset-10`)
without having to pick individual RPMs from another Linux distribution.

Install clang 19 instead of 20.

Add Rust toolchain.

Set the hostname of the containers when building and running them to
make it easier to correlate the containers to the agent definition in
Jenkins and Ansible sources.

Refs: #4225 (comment)

Author: richardlau

ansible/roles/docker/meta/argument_specs.yml

@@ -0,0 +1,5 @@
+---
+
+argument_specs:
+  main:
+    short_description: set up hosts for Docker containers

ansible/roles/docker/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: read-secrets

ansible/roles/docker/tasks/main.yml

@@ -175,11 +175,26 @@
     - "{{ containers }}"
   when: containers is defined and item.os.find('_arm_cross') != -1
 
-- name: "docker : build image"
+- name: "docker : create RHEL secrets file"
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/rhel_secrets.j2"
+    dest: /root/docker-container-{{ item.name }}/secrets.txt
+    mode: "0600"
+  with_items:
+    - "{{ containers }}"
+  when: containers is defined and (item.os == 'rhel8' or item.os == 'ubi81')
+
+- name: "docker : build images"
   command: docker build -t node-ci:{{ item.name }} /root/docker-container-{{ item.name }}/
   with_items:
     - "{{ containers }}"
-  when: containers is defined
+  when: containers is defined and item.os != 'rhel8' and item.os != 'ubi81'
+
+- name: "docker : build RHEL images"
+  command: docker build --build-arg BUILDKIT_SANDBOX_HOSTNAME={{ item.name | regex_replace('_', '--') }} -t node-ci:{{ item.name }} /root/docker-container-{{ item.name }}/
+  with_items:
+    - "{{ containers }}"
+  when: containers is defined and (item.os == 'rhel8' or item.os == 'ubi81')
 
 - name: "docker : generate and copy init script"
   template:

ansible/roles/docker/templates/jenkins.service.j2

@@ -9,7 +9,7 @@ WantedBy=multi-user.target
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/docker run --init --rm -v /home/{{ server_user }}/{{ item.name }}/:/home/{{ server_user }} -v /home/{{ server_user }}/.ccache/:/home/{{ server_user }}/.ccache --name node-ci-{{ item.name }} --sysctl net.ipv4.ip_unprivileged_port_start=1024 node-ci:{{ item.name }}
+ExecStart=/usr/bin/docker run --init --rm -h {{ item.name | regex_replace('_', '--') }} -v /home/{{ server_user }}/{{ item.name }}/:/home/{{ server_user }} -v /home/{{ server_user }}/.ccache/:/home/{{ server_user }}/.ccache --name node-ci-{{ item.name }} --sysctl net.ipv4.ip_unprivileged_port_start=1024 node-ci:{{ item.name }}
 ExecStop=/usr/bin/docker stop -t 5 node-ci-{{ item.name }}
 Restart=always
 RestartSec=30

ansible/roles/docker/templates/rhel8.Dockerfile.j2

@@ -12,31 +12,32 @@ ENV OSVARIANT docker
 ENV DESTCPU {{ arch }}
 ENV ARCH {{ arch }}
 
+# Register with RHEL subscription to be able to install older versions of packages.
+COPY secrets.txt /secrets.txt
 # ccache is not in the default repositories so get it from EPEL 8.
-RUN dnf install --disableplugin=subscription-manager -y \
-      https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
-    && dnf update --disableplugin=subscription-manager -y \
-    && dnf install --disableplugin=subscription-manager -y \
+RUN . /secrets.txt \
+    && sed -i 's/\(def in_container():\)/\1\n    return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \
+    && subscription-manager register --org $RH_ORG --activationkey $RH_ACTIVATION_KEY \
+    && rm -rf /secrets.txt \
+    && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
+    && dnf update -y \
+    && dnf install -y \
       ccache \
-      clang \
       gcc-c++ \
+      gcc-toolset-10 \
       gcc-toolset-12 \
+      gcc-toolset-14-libatomic-devel \
       git \
       java-17-openjdk-headless \
+      llvm-toolset-19.1.7 \
       make \
       python3.12 \
       python3.12-pip \
       procps-ng \
+      rust-toolset-1.84.1 \
       xz \
-    && dnf --disableplugin=subscription-manager clean all
-
-RUN dnf install --disableplugin=subscription-manager -y \
-      https://repo.almalinux.org/almalinux/8/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-14-libatomic-devel-14.2.1-1.1.el8_10.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-binutils-2.35-11.el8.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-c++-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-libstdc++-devel-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-runtime-10.1-0.el8.{{ ansible_architecture }}.rpm
+    && dnf clean all \
+    && subscription-manager unregister
 
 RUN groupadd -r -g {{ server_user_gid.stdout_lines[0] }} {{ server_user }} \
     && adduser -r -m -d /home/{{ server_user }}/ \

ansible/roles/docker/templates/rhel_secrets.j2

@@ -0,0 +1,2 @@
+RH_ACTIVATION_KEY={{ secrets.rh_activationkey }}
+RH_ORG={{ secrets.rh_org }}

ansible/roles/docker/templates/ubi81.Dockerfile.j2

@@ -12,31 +12,32 @@ ENV OSVARIANT docker
 ENV DESTCPU {{ arch }}
 ENV ARCH {{ arch }}
 
+# Register with RHEL subscription to be able to install older versions of packages.
+COPY secrets.txt /secrets.txt
 # ccache is not in the default repositories so get it from EPEL 8.
-RUN dnf install --disableplugin=subscription-manager -y \
-      https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
-    && dnf update --disableplugin=subscription-manager -y \
-    && dnf install --disableplugin=subscription-manager -y \
+RUN chmod u+x /secrets.txt && . /secrets.txt \
+    && sed -i 's/\(def in_container():\)/\1\n    return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \
+    && subscription-manager register --org $RH_ORG --activationkey $RH_ACTIVATION_KEY \
+    && rm -rf /secrets.txt \
+    && dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
+    && dnf update -y \
+    && dnf install -y \
       ccache \
-      clang \
       gcc-c++ \
+      gcc-toolset-10 \
       gcc-toolset-12 \
+      gcc-toolset-14-libatomic-devel \
       git \
       java-17-openjdk-headless \
+      llvm-toolset-19.1.7 \
       make \
       python3.12 \
       python3.12-pip \
       openssl-devel \
       procps-ng \
-    && dnf --disableplugin=subscription-manager clean all
-
-RUN dnf install --disableplugin=subscription-manager -y \
-      https://repo.almalinux.org/almalinux/8/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-14-libatomic-devel-14.2.1-1.1.el8_10.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-binutils-2.35-11.el8.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-gcc-c++-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-libstdc++-devel-10.3.1-1.2.el8_5.{{ ansible_architecture }}.rpm \
-      http://vault.centos.org/centos/8-stream/AppStream/{{ ansible_architecture }}/os/Packages/gcc-toolset-10-runtime-10.1-0.el8.{{ ansible_architecture }}.rpm
+      rust-toolset-1.84.1 \
+    && dnf clean all \
+    && subscription-manager unregister
 
 RUN groupadd -r -g {{ server_user_gid.stdout_lines[0] }} {{ server_user }} \
     && adduser -r -m -d /home/{{ server_user }}/ \