Hi,
> On 26 Jul 2024, at 20:22, Josh Durgin <jdurgin@xxxxxxxxxx> wrote:
>
> We didn't want to stop building on Centos 8, but the way it went end of
> life and stopped doing any security updates forced our hand. See this
> thread for details [0].
>
> Essentially this made even building and testing with Centos 8 infeasible,
> so we suggest users migrate to Centos 9 (so they continue to get security
> updates) or run Ceph with containers.
>
> Josh
Personally, I don't understand how distribution security updates and package build are related. Perhaps, it is not obvious from the developer's side, but from the operational point of view it is not always possible to just take and change the kernel. Because for Ceph to work, hardware is needed (surprise), let me give you an example:
Imagine that you are in June 2023. You know for sure that the Reef release will be available on CentOS-Stream 8 [1]. You decide to choose this distribution and deploy it on the Pacific release, so that in 2025-2026 you can start the transition to the Reef release, without changing the distribution. Later, in 2029, the plan may be revised. But not earlier. All this time, the selected distribution will are completely satisfied, it does not matter at all whether new "security updates" will be received or not, because the distribution has exactly two tasks: to support the hardware and run Ceph.
A plan, budget and hardware are laid down. Everything is fine, the deployment is in progress, the kernel works correctly. Now you are in July 2024, 0.15 Exabytes are deployed and a problem appears that leads to an interesting situation:
* to change the distribution, you need to change the network adapters. More precisely, 980 network cards (because there is no stable driver for newer kernels [2]), this requires (excluding warehouse work, Ceph engineers, data center engineers and delivery) - $245,000
* engineer's salary for 5 years, so no one will let you just spend money to change one 10G network adapters to another 10G network adapters
* what will be done? local package builds
* what can an engineer do instead of organizing local package builds? Help the Ceph community and make the backports. This is how open source works
I remind that for Ceph there has always been a concept of ABC testing [3], from which it is obvious whether the packages were tested, or they are simply builds and provided. The community highlights that the C option is much better than the nothing option. The simplest fix of CentOS-Stream 8 distro/container build is sed before first dnf command
sed -i -e 's|mirrorlist|#mirrorlist|g' \
-e 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' \
/etc/yum.repos.d/*.repo
Thanks,
k
[1] https://download.ceph.com/rpm-18.1.0/el8
[2] https://forums.developer.nvidia.com/t/mlnx-en-4-9-4-18-0-535-el8/279404/2
[3] https://docs.ceph.com/en/latest/start/os-recommendations/#platforms
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
