Paul Bastide

Category: Application Development

  • Using HTTPS-only Connections for Package Repositories

    In CentOS (by default), repositories use a metalink rather than a direct baseurl. The metalink is an endpoint that returns a list of geographic mirrors tailored to your server.

    While the metalink URL itself is usually secure (starting with https://), the parameters at the end of the URL explicitly tell the CentOS mirror infrastructure which protocols (http or https) your machine is willing to accept. If your network team enforces a strict “Deny All” outbound policy for port 80, your server will no longer mysteriously hang or fail when dnf attempts to route traffic through an HTTP mirror.

    If you take a look at your .repo files, you might spot “http” in our CentOS repository configurations, such as metalink=https://mirrors.centos.org/metalink?repo=centos-crb-source-$stream&arch=source&protocol=https,http Notice the trailing query parameter: protocol=https,http.

    To ensure that your package manager exclusively uses secure connections, we need to strip the ,http fallback from the protocol parameter across all repository files.

    You can do this quickly and safely using a single sed command, followed by clearing the local cache so dnf fetches a fresh, HTTPS-only mirror list.

    Run the following commands as root (or with sudo):

    # 1. Remove the HTTP fallback from all repo files
sudo sed -i 's/protocol=https,http/protocol=https/g' /etc/yum.repos.d/*.repo

# 2. Clear out the old DNF cache containing the insecure mirrors
sudo dnf clean all

# 3. Rebuild the cache with the new HTTPS-only rules
sudo dnf makecache

    Now you can connect and use the https repository.

  • 2026-06: Additional IBM Power Open Source Images on the IBM Container Registry

    The IBM Linux on Power team has released some new open source container images into the IBM Container Registry (ICR). These images are available for no-charge and can be used in your development and production environments.

    Image NameTag NameProject LicensesImage Pull CommandLast Published On
    kafka4.1.0-bvApache-2.0podman pull icr.io/ppc64le-oss/kafka-ppc64le:4.1.0-bvJune 10, 2026
    ansible-acme-test-container2.3.0GPL-3.0, Apache License 2.0podman pull icr.io/ppc64le-oss/ansible-acme-test-container-ppc64le:2.3.0June 10, 2026
    vllm0.9.1Apache-2.0podman pull icr.io/ppc64le-oss/vllm-ppc64le:0.9.1June 9, 2026

    Refer to https://community.ibm.com/community/user/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr for more details.

    If you need opensource software enabled on IBM Power, reach out at https://www.ibm.com/power/resources/isv/enablement-request/

  • How to Run Multiple Clusters with one bastion node

    To run multiple OpenShift clusters from one bastion requires managing dhcpd, named, http, haproxy with isolated configurations.

    After deploying with ocp4-upi-powervm, you can ‘move’ the configuration over

    1. dhcpd enables booting the rhcos nodes, which then can grab their configuration. dhcpd support include statements, allowing you to split subnets, host reservations, and cluster-specific configurations into separate files.

      1. Create the conf.d directory: mkdir -p /etc/dhcp/conf.d
      2. Modify your main /etc/dhcp/dhcpd.conf to include the directory. Add this at the bottom of the file: include "/etc/dhcp/conf.d/ocp-cluster-1.conf";
      3. Create the file /etc/dhcp/conf.d/ocp-cluster-1.conf – you’ll have to give the host unique names.
      subnet 10.20.176.0 netmask 255.255.240.0 {
interface eth0;
    # Static entries
    host bootstrap { hardware ethernet fa:16:3e:ff:b7:b2; fixed-address 10.20.188.84; }
    host master-0 { hardware ethernet fa:16:3e:9b:c5:89; fixed-address 10.20.188.206; }
    host master-1 { hardware ethernet fa:16:3e:b7:ba:16; fixed-address 10.20.188.62; }
    host master-2 { hardware ethernet fa:16:3e:14:2c:ff; fixed-address 10.20.188.166; }
    host worker-0 { hardware ethernet fa:16:3e:97:7b:1b; fixed-address 10.20.188.79; }
    host worker-1 { hardware ethernet fa:16:3e:62:39:fe; fixed-address 10.20.188.234; }
    host worker-2 { hardware ethernet fa:16:3e:23:54:0a; fixed-address 10.20.188.131; }
    # this will not give out addresses to hosts not listed above
    #deny unknown-clients;

    # this is PXE specific
    filename "boot/grub2/powerpc-ieee1275/core.elf";

    next-server 10.20.188.128;
    }
      1. Restart the systemd service systemctl restart dhcpd

    2. If you are hosting ignition files on httpd on port 8080.

      1. Create the ignition folder mkdir -p /var/www/html/ignition/{ocp-cluster-1,ocp-cluster-2}
      2. Copy the ignition files into /var/www/html/ignition/ocp-cluster-#
      3. Or Download the ignitions curl -k -H "Accept: application/vnd.coreos.ignition+json;version=3.4.0" -o /var/www/html/ignition/power.ign https://api-int.XYZ.powervs-openshift-ipi.cis.ibm.net:22623/config/power
      4. Restore selinux restorecon -r /var/www/html/ignition

    3. HAProxy allows us to use separate use_backend and acl

      1. Edit /etc/haproxy/haproxy.cfg
      2. Add acl for the domain name based on hostname
      frontend https-all
mode        tcp
option      tcplog

bind        *:443

acl 02-https-ci req_ssl_sni -m end .mycluster1.ibm.net
use_backend https-workers-02 if 02-https-ci

acl 03-https req_ssl_sni -m end .mycluster2.ibm.net
use_backend https-workers-03 if 03-https
      1. Create a backend target for the above:
      backend https-workers-03
mode        tcp
balance     roundrobin
server      master1 192.168.3.11:443 check
server      master2 192.168.3.12:443 check
server      master3 192.168.3.13:443 check
server      worker1 192.168.3.51:443 check
server      worker2 192.168.3.52:443 check

    We use this approach in OCP LibVirt CI see haproxy_C155F2U31.cfg

    1. named support multiple conf files using the include directive

      1. Create the modular directory: mkdir -p /etc/named/conf.d
      2. Modify /etc/named.conf to include your custom zone files. include "/etc/named/conf.d/ocp-cluster-1.conf";
      3. Create the file /etc/named/conf.d/ocp-cluster-1.conf
      zone "mycluster2.ibm.net" IN {
    type master;
    file "/var/named/zones/db.ocp-cluster-1.local";
    allow-query { any; };
};

zone "122.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/zones/ocp-cluster-1.192.168.122";
    allow-query { any; };
};

    Using this approach you’ll be able to share the bastion.

  • 2026-06: Additions IBM Power Open Source Images on the IBM Container Registry (Part 2)

    The IBM Linux on Power team has released some new open source container images into the IBM Container Registry (ICR). These images are available for no-charge and can be used in your development and production environments.

    Image NameTag NameProject LicensesImage Pull CommandLast Published On
    envoy5.22.2Apache-2.0podman pull icr.io/ppc64le-oss/envoy-ppc64le:1.36.5June 8, 2026
    mongodb8.3.1Apache-2.0podman pull icr.io/ppc64le-oss/mongodb-ppc64le:8.3.1June 9, 2026
    kafka4.1.0-bvApache-2.0icr.io/ppc64le-oss/kafka-ppc64le:4.1.0-bvJune 10, 2026

    Refer to https://community.ibm.com/community/user/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr for more details.

    If you need opensource software enabled on IBM Power, reach out at https://www.ibm.com/power/resources/isv/enablement-request/

  • 2026-06: Additions IBM Power Open Source Images on the IBM Container Registry

    The IBM Linux on Power team has released some new open source container images into the IBM Container Registry (ICR). These images are available for no-charge and can be used in your development and production environments.

    Image NameTag NameProject LicensesImage Pull CommandLast Published On
    grafana-operator-ppc64le5.22.2Apache-2.0podman pull icr.io/ppc64le-oss/grafana-operator-ppc64le:5.22.2June 5, 2026

    Refer to https://community.ibm.com/community/user/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr for more details.

    If you need opensource software enabled on IBM Power, reach out at https://www.ibm.com/power/resources/isv/enablement-request/

  • June 2026: Additions IBM Power Open Source Images on the IBM Container Registry

    The IBM Linux on Power team has released some new open source container images into the IBM Container Registry (ICR). New images for redis-operator and opa (open policy agent) are particular interesting for those working with analytics and caching.

    redis-operator	v0.24.0 	Apache-2.0 	podman pull icr.io/ppc64le-oss/redis-operator-ppc64le:v0.24.0 	May 22, 2026
opa-ppc64le 	v1.15.1 	Apache-2.0 	podman pull icr.io/ppc64le-oss/opa-ppc64le :v1.15.1 	May 29, 2026

    Refer to https://community.ibm.com/community/user/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr for more details.

    If you need opensource software enabled on IBM Power, reach out at https://www.ibm.com/power/resources/isv/enablement-request/

  • Bash Fu  ${%%}

    Thanks to Gerrit for cluing me in.

    In Bash, symbols like # and % aren’t just random noise—they are powerful operators used for Parameter Expansion. They allow you to “trim” or “slice” strings stored in variables without needing external tools like sed or awk.

    To understand ${%%}, we have to break down how Bash sees those symbols.

    1. The Core Logic: Front vs. Back Think of these symbols as “knives” that cut parts of your string based on a pattern:
    SymbolActionMnemonic
    #Removes from the front (left)The # is on the left side of a standard keyboard (Shift+3).
    %Removes from the back (right)The % is on the right side of the # (Shift+5).
    1. Doubling Up: Small vs. Large The number of symbols determines how “aggressive” the cut is:
    • Single (# or %): Non-greedy. It removes the shortest possible match.
    • Double (“ or %%): Greedy. It removes the longest possible match.
    1. Practical Examples Let’s say we have a variable: file="image.jpg.backup"

    Using # and “ (Removing from the Front)

    • ${file#*.} → Result: jpg.backup (Cut the shortest bit ending in a dot).
    • ${file*.} → Result: backup (Cut everything up to the last dot).

    Using % and %% (Removing from the Back)

    • ${file%.*} → Result: image.jpg (Cut the shortest bit starting from a dot at the end).
    • ${file%%.*} → Result: image (Cut everything from the first dot to the end).

    If you have VAR="long.file.name.txt":

    SyntaxLogicResult
    ${VAR#*.}Delete shortest match from frontfile.name.txt
    ${VAR*.}Delete longest match from fronttxt
    ${VAR%.*}Delete shortest match from backlong.file.name
    ${VAR%%.*}Delete longest match from backlong

    Quick Tip: If you ever forget which is which, remember that on the keyboard, # is to the left of %. Therefore, # handles the left (start) of the string, and % handles the right (end).

  • Docling with IBM Power

    Originally posted to https://community.ibm.com/community/user/blogs/paul-bastide/2026/03/20/docling-with-ibm-power

    If you’ve been following the rapid evolution of document parsing in AI, you’ve likely encountered Docling. It’s a powerhouse for converting complex PDFs and documents into machine-readable formats. The AI Services team and the IBM Power Python Ecosystem team have provided all of the requirements so you can use docling and as it iterates rapidly, stay up-to-date.

    For python developers using IBM Power, this article provides a recipe to use docling with IBM Power. You can also learn more about the using the Python Ecosystem at https://community.ibm.com/community/user/blogs/janani-janakiraman/2025/09/10/developing-apps-using-python-packages-on-ibm-power

    The Recipe: Step-by-Step Installation

    This guide assumes you are working in a Linux environment (specifically optimized for ppc64le architectures, though the logic holds for most setups).

    1. Prepare Your Environment

    Start by setting up a fresh virtual environment to avoid dependency issues

    python3 -m venv ./test-venv
source ./test-venv/bin/activate
python3.12 -m venv --upgrade test-venv/

    2. Define the Requirements

    The AI Services team has identified a specific “golden set” of versions that play well together. Create a requirements.txt file containing the necessary packages, including doclingtorch, and transformers.

    accelerate==1.13.0
annotated-doc==0.0.4
annotated-types==0.7.0
antlr4-python3-runtime==4.9.3
attrs==26.1.0
beautifulsoup4==4.14.3
certifi==2026.2.25
charset-normalizer==3.4.6
click==8.3.1
colorlog==6.10.1
defusedxml==0.7.1
dill==0.4.1
docling==2.77.0
docling-core==2.70.2
docling-ibm-models==3.12.0
docling-parse==5.3.2
et_xmlfile==2.0.0
Faker==40.11.0
filelock==3.25.2
filetype==1.2.0
fsspec==2026.2.0
huggingface_hub==0.36.2
idna==3.11
Jinja2==3.1.6
jsonlines==4.0.0
jsonref==1.1.0
jsonschema==4.26.0
jsonschema-specifications==2025.9.1
latex2mathml==3.79.0
lxml==6.0.2
markdown-it-py==4.0.0
marko==2.2.2
MarkupSafe==3.0.3
mdurl==0.1.2
mpire==2.10.2
mpmath==1.3.0
multiprocess==0.70.19
networkx==3.6.1
numpy==2.4.1
omegaconf==2.3.0
opencv-python==4.10.0.84+ppc64le2
openpyxl==3.1.5
packaging==26.0
pandas==2.3.3
pillow==12.1.1
pip==26.0.1
pluggy==1.6.0
polyfactory==3.3.0
psutil==7.2.2
pyclipper==1.4.0
pydantic==2.12.5
pydantic_core==2.41.5
pydantic-settings==2.13.1
Pygments==2.19.2
pylatexenc==2.10
pypdfium2==5.6.0
python-dateutil==2.9.0.post0
python-docx==1.2.0
python-dotenv==1.2.2
python-pptx==1.0.2
pytz==2026.1.post1
PyYAML==6.0.3
rapidocr==3.7.0
referencing==0.37.0
regex==2026.2.28
requests==2.32.5
rich==14.3.3
rpds-py==0.30.0
rtree==1.4.1
safetensors==0.7.0
scipy==1.17.0
semchunk==3.2.5
shapely==2.1.2
shellingham==1.5.4
six==1.17.0
soupsieve==2.8.3
sympy==1.14.0
tabulate==0.10.0
tokenizers==0.22.2
torch==2.9.1
torchvision==0.24.1
tqdm==4.67.3
transformers==4.57.6
tree-sitter==0.25.2
tree-sitter-c==0.24.1
tree-sitter-javascript==0.25.0
tree-sitter-python==0.25.0
tree-sitter-typescript==0.23.2
typer==0.21.2
typing_extensions==4.15.0
typing-inspection==0.4.2
tzdata==2025.3
urllib3==2.6.3
xlsxwriter==3.2.9

    Note: Ensure you include the full list of dependencies (like docling==2.77.0 and docling-core==2.66.0) to maintain stability across your build.

    If you need OCR, you will need to run:

     yum install -y --setopt=tsflags=nodocs python3.12-devel python3.12-pip \
            lcms2-devel openblas-devel freetype libicu libjpeg-turbo && \
        yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
        yum install -y spatialindex-devel

    3. The Installation Secret Sauce

    Before running the install, ensure pip is at its latest version. Then, use the --extra-index-url flag to point to the optimized IBM developer wheels. This is the trick to getting the faster compilation mentioned earlier.

    pip install --upgrade pip
pip install -r requirements.txt \
    --extra-index-url=https://wheels.developerfirst.ibm.com/ppc64le/linux \
    --prefer-binary

    Verifying the Build

    Once the installation completes, it’s a good idea to run a “smoke test” to ensure the models can be fetched properly. You can use a simple script to trigger the model downloads:

    # download_docling_models.py
from docling.pipeline.standard_pdf_pipeline import StandardPdfPipeline

# This triggers the download of Layout & TableFormer models
pipeline = StandardPdfPipeline()
print("Download complete.")

    When you see the output Downloading ds4sd--docling-models (Layout & TableFormer)..., you’re officially ready to start parsing.

    Why This Matters

    By focusing on the dependencies rather than the wheel itself, the AI Services team has given us a way to stay agile. We get the latest features of Docling without the overhead of waiting for official distribution builds to catch up to the repo’s velocity.

    Special credit to Yussuf and his test!

  • Dynamic GOMAXPROCS

    Go 1.25 add container-ware GOMAXPROCS. Instead of assuming it has all available processors, go respects the cgroupv2 specified CPU limits. This feature ensures resources aren’t incorrectly used or killed for trying to access or use too much CPU.

    You can disable this feature using containermaxprocs=0 or tweaking it as you need (for instance only specifying 1 CPU when you have 2 or 8 threads available).

    Thanks to Karthik for the heads up….

    Go 1.25 Release Notes

  • Great News… IBM has Open Source Wheel Packages for Linux on Power

    Priya Seth posted about Open Source Wheel Packages for Linux on Power:

    IBM provides a dedicated repository of Python wheel packages optimized for the Linux on Power (ppc64le) architecture. These pre-built binaries simplify Python development on Power systems by eliminating the need to compile packages from source—saving time and reducing complexity.

    Wheel files (.whl) are the standard for distributing pre-compiled Python packages. For developers working on Power architecture, having access to architecture-specific wheels ensures compatibility and speeds up development.

    IBM hosts a curated collection of open-source Python wheels for the ppc64le platform listed at https://open-source-edge.developerfirst.ibm.com/

    Use pip to download the package without installing it:

    pip download <package_name>==<version> --prefer-binary --index-url=https://wheels.developerfirst.ibm.com/ppc64le/linux --verbose --no-deps

    Replace <package_name> and <version> with the desired values.

    Whether you’re building AI models, data pipelines, or enterprise applications, this repository helps accelerate your Python development on Power.

    You can also refer to https://community.ibm.com/community/user/blogs/nikhil-kalbande/2025/08/01/install-wheels-from-ibm-python-wheel-repository