Skip to content

fix: NVIDIA Docker apt-get command#138

Closed
rollandf wants to merge 66 commits intoMellanox:network-operator-26.1.xfrom
rollandf:dockerbp
Closed

fix: NVIDIA Docker apt-get command#138
rollandf wants to merge 66 commits intoMellanox:network-operator-26.1.xfrom
rollandf:dockerbp

Conversation

@rollandf
Copy link
Member

@rollandf rollandf commented Jan 21, 2026

No description provided.

maze88 and others added 30 commits January 20, 2026 11:56
@maze88 @e0ne
feat: add CI for our fork
c942e79
@maze88 @e0ne
feat: add github action to sync mellanox fork from k8swg upstream
3edd011
@maze88 @e0ne
task: disable new CI until switching over
ff797a2 
Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@e0ne
ci: Push artifacts versions to Network Operator repo
5a11da7 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Fix docker image name for CI
4564e0a
@e0ne
fix: Use correct Docker image names
436056e 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Push updated image and chart to Network Operator
ef8f50d 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Fix SR-IOV Operator images and chart sync
1992148 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Typo in fork-ci.yaml fixed
a492ba4 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@maze88 @e0ne
fix: update logic for determining network-operator base branch for va…
4842ada 
…lues update PR; and misc. corrections

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@e0ne
chore: Update PR and commit title for CI
2cf2428 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@rollandf @e0ne
ci: add all changed file to PR
8e57ca0 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf @e0ne
ci: add force flag to push on PR for CI
7212d8f 
- add force flag to push on PR for CI
- delete the chart directory before copy

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf @e0ne
ci: PR for Network Operator base branch
505fb26 
The CI PR sent to update the SRIOV-Network Operator versions
should be based on the BASE_BRANCH

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@maze88 @e0ne
task: various code cleanups
fbe7dc2 
- job names kebab case (more common on gh actions).
- pr body message with link to job.
- clean extra whitespace.

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@alekseysen @e0ne
Add Ubuntu support
2d80f32 
Many customers rely on the Ubuntu operating system, and the ability
to automatically update GRUB parameters is essential.

Signed-off-by: Aleksey Senin <alekseys@nvidia.com>
@almaslennikov @e0ne
change base image to doca
e48914e 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
add copyrights
f697e0a 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
Update CONTRIBUTING.md
de9b530 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
fix typo in release workflow
3e48608 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
chore: switch to reusable CI workflows
2dd5b70 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
Update fork-sync.yaml
84c7db2 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@rollandf @e0ne
chore: udpate Nvidia base image
0dfb2a3 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@e0ne
ci: Add STIG-bages image build for SR-IOV Network Config Daemon
23a694d 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Update STIG/FedRamp image name
1e84be7 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@rollandf @e0ne
chore: use base image from arg
2d62ddf 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf @e0ne
chore: add goproxy secret
b874d5b 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf @e0ne
build: update Dockerfiles from network-operator-25.10.x branch
1f2c369 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@e0ne
feat: Make SR-IOV Network Operator working in STIG-Enabled Kubernetes…
b571b9f 
… Cluster

Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@rollandf @e0ne
fix: remove empty files
0f51339 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
almaslennikov and others added 25 commits January 20, 2026 11:56
@almaslennikov @e0ne
fix: do not pass arguments to systemctl daemon-reload
5370f02 
this command does not take arguments thus failing before

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
(cherry picked from commit 3072ff0)
(cherry picked from commit d409c77)
@e0ne
Make externalIds list sorted for systemd unit file
5c6327e 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
(cherry picked from commit fefa935)
(cherry picked from commit 62f62c1)
@maze88 @e0ne
chore: backport STIG SRIOV config daemon gitlab CI
ac9f9cc 
Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@e0ne
Add 'Devlink Params configuration' design doc
c0c0868 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
Add API changes to suppot devlink params configuration
3354fc0 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
Initial implemenataion of devlink params configuration
1198da9 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>

fd
@e0ne
Configure devlink params for devices
d8205f8 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
Implement interface GroupingPolicy (all)
62d9a28 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
Add unit-tests for devlink params configuration
8307c0b 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@almaslennikov @e0ne
Fix a typo in fork-ci.yaml
618fbd2 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@maze88 @e0ne
chore: backport updated gitlab CI from master branch
77b0f9e 
Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@e0ne
fix: Ignore multiport attr by default to work with old NICs
62b8d58 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Don't modify multiport param by default
740e857 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@e0ne
fix: Do not change multiport on VFs reset
8205409 
Signed-off-by: Ivan Kolodiazhnyi <ikolodiazhny@nvidia.com>
@maze88 @e0ne
chore: remove deprecated FIPS package checker script from STIG config…
7fee957 
… daemon CI

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@almaslennikov @e0ne
fix: set devlink params after the sriov configuration is complete
a4d2280 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
Fix OVS bridge grouping to create single bridge with multiple uplinks
1fdf9fb 
When SriovNetworkNodePolicy specifies groupingPolicy: all, the operator
should create a single OVS bridge with all matching PFs as uplinks.
Previously, it was incorrectly creating separate bridges for each PF.

Changes:
- Update ApplyBridgeConfig to propagate GroupingPolicy to node state
- Add applyGroupedBridgeConfig() to create single bridge configuration
  with all matching PFs as uplinks when groupingPolicy is "all"
- Modify CreateOVSBridge() to support multiple uplinks per bridge
- Remove ConfigureBridgesGrouping() as grouped bridge creation is now
  handled entirely by the controller via ApplyBridgeConfig
- Add unit tests for grouped bridge functionality

Fixes issue where applying a policy like:
```
  bridge:
    ovs:
      bridge:
        groupingPolicy: all
```

Would create multiple bridges (br-ens2f0np0, br-ens2f1np1, etc.)
instead of a single bridge (br-<policy-name>) containing all PFs.

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
fix: install mstflint to config daemon image
4574589 
it's required for mlxfwreset to work properly

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@almaslennikov @e0ne
fix: getCurrentBridgeState to return all uplinks for grouped bridges
9f883f6 
The getCurrentBridgeState() function was only processing the first
uplink (Uplinks[0]) and ignoring the rest. This caused bridges with
multiple uplinks (created via groupingPolicy: all) to constantly
reconfigure because the current state comparison always showed a
mismatch.

Additionally, NeedToUpdateBridges was comparing the entire Bridges
struct including the GroupingPolicy field. However, GroupingPolicy is
a policy directive used during configuration and is not stored in OVS,
so it will never appear in the discovered status. This caused another
source of constant mismatch detection.

Changes:
- Modify getCurrentBridgeState() to iterate through all uplinks in
  knownConfig.Uplinks instead of only processing the first one
- Modify NeedToUpdateBridges to only compare OVS configurations,
  ignoring the GroupingPolicy field
- Add test cases for bridge with multiple uplinks
- Add test case for partial uplinks when some interfaces are missing
- Add test case for groupingPolicy difference being ignored

Fixes infinite reconciliation loop where bridge ports kept being
removed and re-added on every sync cycle.

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@rollandf @e0ne
daemon: fix kernel argument management and logging errors
9e9d6e2 
This commit addresses several issues in the sriov-network-config-daemon
relating to host configuration management and observability.

1. Fix kargs.sh for read-only root filesystems:
   The daemon now uses the host's /tmp directory (via chroot) for temporary
   workspace files. This allows the script to function correctly when the
   container is deployed with 'readOnlyRootFilesystem: true', which previously
   caused 'cp' and 'grep' failures.

2. Fix logging serialization bug:
   Updated NodeReconciler to correctly call the Name() method of the main
   plugin when logging errors. Previously, passing the function pointer directly
   caused "json: unsupported type: func() string" errors, masking the actual
   reconciliation failures.

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@almaslennikov @e0ne
fix: replace mstflint and mstfwreset with mlx symlinks
ff56824 
Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@rollandf @e0ne
fix: Mellanox reboot loop and improve devlink parameter reconciliation
c9fca06 
- Avoid unnecessary reboots by checking Mellanox firmware multiport state.
- Ensure devlink parameter changes trigger interface reconciliation.

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@maze88 @e0ne
feat: switch to OIDC auth for go proxy
6e4374c 
Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@rollandf @e0ne
fix: GPG error on DOCA repository
47ae0bf 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf
fix: NVIDIA Docker apt-get command
2d3c64e 
Signed-off-by: Fred Rolland <frolland@nvidia.com>
@github-actions
Copy link

github-actions bot commented Jan 21, 2026

Thanks for your PR,
To run vendors CIs, Maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs, Maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
    Best regards.

@greptile-apps
Copy link

greptile-apps bot commented Jan 21, 2026

Greptile Summary

This PR removes the || true fallback operator from the apt-get update command in the NVIDIA Docker config daemon Dockerfile. This change improves build robustness by ensuring the Docker build fails explicitly if package updates fail, rather than silently continuing with the previous workaround. Since the underlying GPG and authentication issues are already handled by the -o Acquire::AllowInsecureRepositories=true and --allow-unauthenticated command-line options added in the previous commit, the || true fallback is no longer necessary and was hiding potential package update failures.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • Score reflects a simple, well-justified change that improves Docker build failure handling without introducing any regressions. The change removes an unnecessary workaround operator while properly configured command options handle the underlying package repository issues. No files require special attention.
  • No files require special attention

Sequence Diagram

sequenceDiagram
    participant Docker Build
    participant apt-get update
    participant apt-get install
    participant Build Success

    Docker Build->>apt-get update: Run with AllowInsecureRepositories
    Note over apt-get update: GPG issue handled by command options
    apt-get update-->>Docker Build: Success
    Docker Build->>apt-get install: Run with --allow-unauthenticated
    apt-get install-->>Docker Build: Success
    Docker Build->>Build Success: Continue build
    Note over Docker Build: || true removed: Build will fail if update fails
Loading

@maze88 maze88 force-pushed the network-operator-26.1.x branch from 47ae0bf to f0a2814 Compare January 21, 2026 09:33
@rollandf rollandf closed this Jan 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@e0ne e0ne e0ne approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rollandf @e0ne @maze88 @alekseysen @almaslennikov @heyvister1