fix: add mlnx_qos to daemon stig images#287

Merged
almaslennikov merged 1 commit into network-operator-26.1.x from qos_stig_release
Feb 12, 2026

@almaslennikov
Collaborator

No description provided.

@greptile-apps

greptile-apps bot commented Feb 12, 2026

Greptile Overview

Greptile Summary

Adds doca-roce-userspace package to both RHEL and Ubuntu STIG daemon images to provide QoS functionality via the mlnx_qos tool.

Key Changes:

  • RHEL: Adds rdma-core-devel installation with --nodeps --force, adds doca-roce-userspace package, adds --allowerasing --best flags to DOCA installation, reorganizes RUN layers
  • Ubuntu: Simply adds doca-roce-userspace to existing DOCA package installation

Issues Found:

  • New use of --force flag on rdma-core-devel installation (line 60 in RHEL Dockerfile) can mask package conflicts and overwrite files

Confidence Score: 3/5

  • Generally safe but contains risky package installation patterns that may cause runtime issues
  • Ubuntu changes are clean, but RHEL introduces --force flag which can hide dependency issues and file conflicts. The --allowerasing flag may also remove critical packages unexpectedly.
  • Pay close attention to Dockerfile.daemon.stig-rhel for the new --nodeps --force usage on rdma-core-devel

Important Files Changed

| Filename | Overview |
|---|---|
| Dockerfile.daemon.stig-rhel | Adds doca-roce-userspace package and rdma-core-devel (with --nodeps --force), restructures package installation layers |
| Dockerfile.daemon.stig-ubuntu | Adds doca-roce-userspace package to DOCA installation, straightforward change |

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 2 comments

RUN dnf install -y rpm-build libusbx systemd pciutils-libs fuse-libs hwdata && \
dnf makecache && \
dnf download --arch x86_64 rdma-core-devel && \
rpm -ivh --nodeps --force rdma-core-devel*.rpm && \
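
Review bot: On the `rpm -ivh --nodeps --force rdma-core-devel*.rpm` line, nothing records why dependency and file-conflict checks have to be skipped, and the `dnf download` before it takes whatever version the repository currently serves. Add a comment naming the conflict being worked around and pin the rdma-core-devel version, so a repository update cannot silently change which files get overwritten in a later build.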

Using --nodeps --force bypasses dependency checking and can lead to broken package installations or runtime issues. Consider documenting why this is necessary.

COPY . /workspace

RUN --mount=type=secret,id=stig_script,target=/tmp/stig-fixer.sh bash /tmp/stig-fixer.sh
#RUN --mount=type=secret,id=stig_script,target=/tmp/stig-fixer.sh bash /tmp/stig-fixer.sh
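
Review bot: The last line leaves the `RUN --mount=type=secret,id=stig_script ... stig-fixer.sh` step as a commented-out copy, so an image built from this version does not run the STIG fixer script at this point. If the hardening moved elsewhere, delete the dead line and say where it now happens; if this was a debugging change, restore the step before merge.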

The STIG hardening script has been commented out. Verify this doesn't compromise the security posture of the STIG image.

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 1 comment

RUN dnf install -y rpm-build libusbx systemd pciutils-libs fuse-libs hwdata && \
dnf makecache && \
dnf download --arch x86_64 rdma-core-devel && \
rpm -ivh --nodeps --force rdma-core-devel*.rpm && \
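
Review bot: `dnf download --arch x86_64` hardcodes the architecture, and the `rdma-core-devel*.rpm` glob on the next line installs every matching file in the working directory. Derive the architecture from the build platform if this image is ever built for anything other than x86_64, and pass the exact downloaded file name to `rpm` instead of a wildcard.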

--force flag can overwrite existing files and mask package conflicts

@almaslennikov almaslennikov merged commit bf411e3 into network-operator-26.1.x Feb 12, 2026
10 of 14 checks passed
@almaslennikov almaslennikov deleted the qos_stig_release branch February 12, 2026 16:12