Add support for Rocky Linux 10

README.rst

@@ -20,7 +20,7 @@ Requirements
 
 For this workshop, we require the use of a single server, configured as a
 *seed hypervisor*. This server should be a bare metal node or VM running
-Ubuntu Jammy or Rocky 9, with the following minimum requirements:
+Ubuntu Noble or Rocky Linux 10, with the following minimum requirements:
 
 * 64GB RAM (more is recommended when growing the lab deployment)
 * 100GB disk
@@ -59,7 +59,7 @@ There are four parts to this guide:
 exercise, and fetching the necessary source code.
 
 *Deploying a Seed* includes all instructions necessary to download and install
-the Kayobe prerequisites on a plain Rocky 9 or Ubuntu Jammy cloud image,
+the Kayobe prerequisites on a plain Rocky Linux 10 or Ubuntu Noble cloud image,
 including provisioning and configuration of a seed VM. Optionally, snapshot the
 instance after this step to reduce setup time in the future.
 
@@ -81,15 +81,10 @@ already logged in (e.g. ``ssh rocky@<ip>``, or ``ssh ubuntu@<ip>``).
 
    # Install git and tmux.
    if $(which dnf 2>/dev/null >/dev/null); then
-       sudo dnf -y install git tmux
+       sudo dnf -y install git python3 tmux
    else
        sudo apt update
-       sudo apt -y install git tmux
-   fi
-
-   # Install Python 3.12 on Rocky Linux 9
-   if $(which dnf 2>/dev/null >/dev/null); then
-       sudo dnf -y install python3.12
+       sudo apt -y install git python3 tmux
    fi
 
    # Disable the firewall.
@@ -114,12 +109,7 @@ already logged in (e.g. ``ssh rocky@<ip>``, or ``ssh ubuntu@<ip>``).
    [[ -d beokay ]] || git clone https://github.com/stackhpc/beokay.git
 
    # Use Beokay to bootstrap your control host.
-   if $(which dnf 2>/dev/null >/dev/null); then
-       PYTHON_ARG=" --python /usr/bin/python3.12"
-   else
-       PYTHON_ARG=""
-   fi
-   [[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master $PYTHON_ARG
+   [[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master
 
    # Clone the Tenks repository.
    cd ~/deployment/src

a-universe-from-nothing.sh

@@ -7,15 +7,10 @@ set -eu
 
 # Install git and tmux.
 if $(which dnf 2>/dev/null >/dev/null); then
-    sudo dnf -y install git tmux
+    sudo dnf -y install git python3 tmux
 else
     sudo apt update
-    sudo apt -y install git tmux
-fi
-
-# Install Python 3.12 on Rocky Linux 9
-if $(which dnf 2>/dev/null >/dev/null); then
-    sudo dnf -y install python3.12
+    sudo apt -y install git python3 tmux
 fi
 
 # Disable the firewall.
@@ -37,12 +32,7 @@ cd
 [[ -d beokay ]] || git clone https://github.com/stackhpc/beokay.git
 
 # Use Beokay to bootstrap your control host.
-if $(which dnf 2>/dev/null >/dev/null); then
-    PYTHON_ARG=" --python /usr/bin/python3.12"
-else
-    PYTHON_ARG=""
-fi
-[[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master $PYTHON_ARG
+[[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch master --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch master
 
 # Clone the Tenks repository.
 cd ~/deployment/src
@@ -87,6 +77,8 @@ kayobe overcloud hardware inspect
 kayobe overcloud introspection data save
 kayobe overcloud provision
 kayobe overcloud host configure
+kayobe overcloud host package update --packages '*'
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/reboot.yml
 kayobe overcloud container image pull
 kayobe overcloud service deploy
 source ~/deployment/src/kayobe-config/etc/kolla/public-openrc.sh

configure-local-networking.sh

@@ -28,7 +28,7 @@ public_ip="10.0.2.1"
 
 # Install iptables.
 if $(which dnf >/dev/null 2>&1); then
-    sudo dnf -y install iptables
+    sudo dnf -y install nftables
 fi
 
 if $(which apt >/dev/null 2>&1); then
@@ -51,22 +51,41 @@ if ! sudo ip l show dummy1 >/dev/null 2>&1; then
   sudo ip l set dummy1 master braio
 fi
 
-# Configure IP routing and NAT to allow the seed VM and overcloud hosts to
-# route via this route to the outside world.
-sudo iptables -A POSTROUTING -t nat -o $iface -j MASQUERADE
 sudo sysctl -w net.ipv4.conf.all.forwarding=1
 
-# Configure port forwarding from the hypervisor to the Horizon GUI on the
-# controller.
-sudo iptables -A FORWARD -i $iface -o braio -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A FORWARD -i braio -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+sudo nft add rule ip nat postrouting oif "$iface" masquerade
+
+# Create tables if not existing
+sudo nft add table inet filter 2>/dev/null
+sudo nft add table ip nat 2>/dev/null
+
+# Create chains if not existing
+sudo nft add chain inet filter forward '{ type filter hook forward priority 0; }' 2>/dev/null
+sudo nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }' 2>/dev/null
+sudo nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }' 2>/dev/null
+
+# ----- FILTER RULES -----
+
+# Allow established/related traffic: $iface → braio
+sudo nft add rule inet filter forward iif "$iface" oif "$braio" ct state established,related accept
+
+# Allow established/related traffic: braio → $iface
+sudo nft add rule inet filter forward iif "$braio" oif "$iface" ct state established,related accept
+
+# ----- PORT-SPECIFIC RULES -----
+
 for port in $forwarded_ports; do
-  # Allow new connections.
-  sudo iptables -A FORWARD -i $iface -o braio -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT
-  # Destination NAT.
-  sudo iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $controller_vip
-  # Source NAT.
-  sudo iptables -t nat -A POSTROUTING -o braio -p tcp --dport $port -d $controller_vip -j SNAT --to-source $seed_hv_private_ip
+  # Allow NEW TCP connections from $iface → braio on this port
+  sudo nft add rule inet filter forward \
+       iif "$iface" oif "$braio" tcp dport "$port" ct state new accept
+
+  # DNAT: incoming traffic on $iface to controller VIP
+  sudo nft add rule ip nat prerouting \
+       iif "$iface" tcp dport "$port" dnat to "$controller_vip"
+
+  # SNAT: return traffic going to controller VIP on braio
+  sudo nft add rule ip nat postrouting \
+       oif "$braio" ip daddr "$controller_vip" tcp dport "$port" snat to "$seed_hv_private_ip"
 done
 
 # Configure an IP on the 'public' network to allow access to/from the cloud.

etc/kayobe/ansible/reboot.yml

@@ -0,0 +1,18 @@
+---
+- name: Reboot overcloud hosts if required
+  hosts: overcloud
+  tags:
+    - reboot
+  tasks:
+    - block:
+        - name: Check if hosts need restarting
+          ansible.builtin.command:
+            cmd: needs-restarting -r
+          failed_when: false
+          register: needs_restarting
+
+        - name: Reboot and wait
+          become: true
+          ansible.builtin.reboot:
+          when: needs_restarting.rc == 1
+      when: ansible_facts.os_family == 'RedHat'

etc/kayobe/inventory/group_vars/compute/network-interfaces

@@ -5,7 +5,7 @@
 # Controller interface on all-in-one network.
 aio_interface: "br{{ aio_bridge_ports[0] }}"
 aio_bridge_ports:
-  - "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}"
+  - "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}"
 
 # Route via the seed-hypervisor to the outside world.
 aio_gateway: 192.168.33.4

etc/kayobe/inventory/group_vars/controllers/network-interfaces

@@ -5,7 +5,7 @@
 # Controller interface on all-in-one network.
 aio_interface: "br{{ aio_bridge_ports[0] }}"
 aio_bridge_ports:
-  - "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}"
+  - "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}"
 
 # Route via the seed-hypervisor to the outside world.
 aio_gateway: 192.168.33.4

etc/kayobe/inventory/group_vars/seed/network-interfaces

@@ -2,7 +2,7 @@
 ###############################################################################
 # Network interface definitions for the seed group.
 
-aio_interface: "{{ 'ens2' if os_distribution == 'ubuntu' else 'eth0' }}"
+aio_interface: "{{ 'eth0' if (os_release | string).startswith('9') else 'ens2' }}"
 
 # Route via the seed-hypervisor to the outside world.
 # FIXME: Circular reference between seed & seed-hypervisor?