mirror of https://github.com/coreos/fedora-coreos-config.git synced 2026-02-05 09:45:30 +01:00

tree: import changes from testing-devel at e38ae109f9

CoreOS Bot
2025-12-12 18:09:53 +00:00
parent b5a91781ba
commit 08a03d5abb
19 changed files with 100 additions and 262 deletions


@@ -1,67 +0,0 @@
name: Bump fedora-bootc submodule
on:
schedule:
- cron: '0 */6 * * *'
workflow_dispatch:
permissions:
contents: read
jobs:
bump-fedora-bootc-submodule:
name: Bump fedora-bootc submodule
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: true
fetch-depth: 0
# https://github.com/actions/checkout/issues/766
- name: Mark git checkout as safe
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Check if there are new commits
run: |
diffset="bootc-base-imagectl minimal-plus.hidden.yaml fedora-includes/generic.yaml minimal/ minimal-plus/"
previous_rev=$(git -C fedora-bootc rev-parse HEAD)
git submodule update --remote fedora-bootc
new_rev=$(git -C fedora-bootc rev-parse HEAD)
if [ "${previous_rev}" != "${new_rev}" ]; then
if git -C fedora-bootc diff --quiet "${previous_rev}" "${new_rev}" ${diffset}; then
# reset back any changes to avoid a PR bump
git submodule update
fi
fi
if git diff --quiet --exit-code; then
echo "No bootc base images changes; exiting"
exit 0
fi
git -C fedora-bootc shortlog --no-merges "${previous_rev}..${new_rev}" -- ${diffset} > $RUNNER_TEMP/shortlog
marker=END-OF-LOG-MARKER-$RANDOM$RANDOM$RANDOM
cat >> $GITHUB_ENV <<EOF
SHORTLOG<<$marker
$(cat $RUNNER_TEMP/shortlog)
$marker
EOF
- name: Open pull request
uses: peter-evans/create-pull-request@v6
with:
token: ${{ secrets.COREOSBOT_RELENG_TOKEN }}
push-to-fork: coreosbot-releng/fedora-coreos-config
branch: bump-fedora-bootc
commit-message: |
Bump fedora-bootc submodule
${{ env.SHORTLOG }}
title: "Bump fedora-bootc submodule"
body: |
Created by [GitHub workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/bump-fedora-bootc.yml) ([source](${{ github.server_url }}/${{ github.repository }}/blob/testing-devel/.github/workflows/bump-fedora-bootc.yml)).
```
${{ env.SHORTLOG }}
```
committer: "CoreOS Bot <coreosbot@fedoraproject.org>"
author: "CoreOS Bot <coreosbot@fedoraproject.org>"


@@ -14,6 +14,7 @@ on:
type: choice
options:
- testing-devel
- rhel-9.6
- rhcos-4.18
- rhcos-4.17
- rhcos-4.16


@@ -45,9 +45,10 @@ jobs:
sed -E -i 's/^(\s+)((snooze:|warn:)\s+.*)/\1# \2 (disabled on promotion)/' origin/kola-denylist.yaml
- name: Normalize build-args.conf
run: |
# Ignore DESCRIPTION differences between streams since it's stream-specific.
sed -i '/^DESCRIPTION=/d' origin/build-args.conf
sed -i '/^DESCRIPTION=/d' new/build-args.conf
# Ignore those args differences between streams since it's stream-specific.
for arg in DESCRIPTION STREAM; do
sed -i "/^${arg}=/d" origin/build-args.conf new/build-args.conf
done
- name: Compare trees
uses: coreos/actions-lib/check-diff@main
with:

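--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "fedora-bootc"]
-path = fedora-bootc
-url = https://gitlab.com/fedora/bootc/base-images.git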


@@ -6,4 +6,4 @@
# on the pipeline.
# See https://github.com/coreos/fedora-coreos-tracker/issues/2038#issuecomment-3498258143
# The format is YYYYMMDD
20251205
20251212


@@ -18,6 +18,7 @@ ARG BUILDER_IMG=overridden
FROM ${BUILDER_IMG} as builder
ARG BASE_VERSION=overridden
ARG VERSION=overridden
ARG MANIFEST=overridden
ARG STREAM=overridden
@@ -42,7 +43,7 @@ RUN --mount=type=cache,rw,id=coreos-build-cache,target=/cache \
RUN --mount=type=cache,rw,id=coreos-build-cache,target=/cache \
--mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo \
--mount=type=secret,id=contentsets \
/src/build-rootfs "${MANIFEST}" "${VERSION}" /target-rootfs
/src/build-rootfs "${MANIFEST}" "${BASE_VERSION}" "${VERSION}" /target-rootfs
RUN --mount=type=bind,target=/run/src,rw \
rpm-ostree experimental compose build-chunked-oci \
--bootc --format-version=1 --rootfs /target-rootfs \


@@ -25,8 +25,9 @@ INPUTHASH = '/run/inputhash'
def main():
manifest_name = sys.argv[1]
version = sys.argv[2]
target_rootfs = sys.argv[3]
base_version = sys.argv[2]
version = sys.argv[3]
target_rootfs = sys.argv[4]
manifest_path = os.path.join(SRCDIR, manifest_name)
manifest = get_treefile(manifest_path)
@@ -72,7 +73,7 @@ def main():
inject_content_manifest(target_rootfs, manifest)
if version != "":
inject_version_info(target_rootfs, manifest['mutate-os-release'], version)
inject_version_info(target_rootfs, base_version, version)
strict_mode = os.getenv('STRICT_MODE')
if strict_mode == '1':
@@ -443,7 +444,7 @@ def verify_strict_mode(rootfs, locked_nevras):
# rpm-ostree won't write that value into the lockfiles. We
# need to check just the NVR or NVRA in that case.
# [1] https://src.fedoraproject.org/rpms/perl/blob/a8ff590c732b326216ab1499780e5964e4b03ddf/f/perl.spec#_2048
if epoch is '0':
if epoch == '0':
if nvra in locked_nevras or nvr in locked_nevras:
continue
raise Exception(f"found unlocked RPM in strict mode: {rpm}")
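Review bot: `main()` now reads four positional arguments (`sys.argv[1]` through `sys.argv[4]`) with no count check, so a caller still using the old three-argument form has its version taken as `base_version` and its rootfs path taken as `version` before the script stops with a bare IndexError. A guard at the top such as `if len(sys.argv) != 5: sys.exit("usage: <script> MANIFEST BASE_VERSION VERSION TARGET_ROOTFS")` makes that failure explicit. Separately, `base_version` reaches `inject_version_info` unchecked while the Containerfile default for the new build arg is the literal `overridden`; rejecting an empty or non-numeric value here would keep that placeholder out of the image's version metadata, assuming `inject_version_info` (not shown) writes it there. `main()` continues outside these hunks.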


@@ -115,6 +115,42 @@ def do_fast_track(args):
for lockfile_path in get_lockfiles():
merge_overrides(lockfile_path, overrides)
konflux_rpm_lock(overrides)
def konflux_rpm_lock(overrides: dict):
# Modify the rpms.lock.yaml for override
lockfile_path = get_rpm_lockfile()
with open(lockfile_path) as f:
lockfile = yaml.safe_load(f)
for pkg_name, v in overrides.items():
is_noarch = v.get("evra") is not None
ver = v.get("evr") or v.get("evra")
nvr = f'{pkg_name}-{ver}'
update_rpm_lock_for_nvr(nvr, pkg_name, lockfile, is_noarch)
with open(lockfile_path, 'w') as f:
yaml.dump(lockfile, f)
def update_rpm_lock_for_nvr(nvr, pkg_name, manifest, is_noarch):
nevra_form = libdnf5.rpm.VectorNevraForm(1, libdnf5.rpm.Nevra.Form_NEVRA)
updated = False
# Iterate over all the arches
for arch_block in manifest["arches"]:
arch = arch_block.get("arch")
packages = arch_block.get("packages")
# Check if the nvr already exists in the konflux rpm lock or not
for package_entry in packages:
package_nvr = package_entry["url"].split("/")[-1]
parsed_vector = libdnf5.rpm.Nevra.parse(package_nvr, nevra_form)
parsed = parsed_vector.pop()
# Update the nvr with the new url if a match is found
if parsed.get_name() == pkg_name:
package_entry["url"] = build_coreos_pool_url(nvr, arch, is_noarch)
updated = True
if not updated:
raise Exception(f"Cannot find specified package {nvr} in the konflux rpm lock")
def do_pin(args):
overrides = {}
@@ -134,6 +170,8 @@ def do_pin(args):
for lockfile_path in get_lockfiles():
merge_overrides(lockfile_path, overrides)
konflux_rpm_lock(overrides)
def do_srpms(args):
printed = False
@@ -308,6 +346,22 @@ def get_lockfiles():
return [os.path.join(basedir, f) for f in lockfiles]
def get_rpm_lockfile():
lockfile = 'rpms.lock.yaml'
return os.path.join(basedir, lockfile)
def build_coreos_pool_url(nvr, arch, is_noarch):
"""
nvr: e.g. 'audit-4.1.2-2.fc43'
"""
first_letter = nvr[0].lower()
base = "https://kojipkgs.fedoraproject.org/repos-dist/coreos-pool/latest"
if is_noarch:
return f"{base}/{arch}/Packages/{first_letter}/{nvr}.rpm"
else:
return f"{base}/{arch}/Packages/{first_letter}/{nvr}.{arch}.rpm"
def graduate_lockfile(base, fn):
if not os.path.exists(fn):
return
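Review bot: `update_rpm_lock_for_nvr` rewrites only `package_entry["url"]`, so any other fields a lock entry carries for the same RPM (a checksum, size or EVR; the entry schema is not visible in this hunk) would still describe the previous build. If such fields exist, the lock either fails verification when the RPMs are fetched or no longer pins the content it names, and the new URL points at the mutable `latest` pool path. Consider refreshing or invalidating those fields in the same pass, or at least recording the follow-up step with a comment such as `# only the url is rewritten; regenerate checksum/size before this lock is consumed`. The new `konflux_rpm_lock` and `update_rpm_lock_for_nvr` also lack docstrings; one stating that `is_noarch` is derived from the presence of `evra` in the override would help the next reader.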

Submodule fedora-bootc deleted from 1443b263c4


@@ -1,33 +1,4 @@
# Here, we include bootc minimal-plus, but override some key settings.
# If we are fedora there are a few more settings in
# fedora-includes/generic.yaml that fedora-minimal-plus.yaml
# pulls in. We need to monitor fedora-minimal-plus.yaml to
# make sure we update our strategy here if that file changes.
conditional-include:
- if: deriving == false
include: ../fedora-bootc/minimal-plus/manifest.yaml
- if:
- id == "fedora"
- deriving == false
include: ../fedora-bootc/fedora-includes/generic.yaml
# Required by Ignition, and makes the system not compatible with Anaconda.
# Note this deviates from fedora-bootc and means `systemctl enable` doesn't
# work in a container build. We'll have to resolve that issue some other way in
# the future... For more details, see
# https://github.com/CentOS/centos-bootc/issues/167
# https://coreos.github.io/rpm-ostree/treefile/#experimental-options
# This is re-implemented below for the container-native flow. Nuke this once
# that's the only path we support.
machineid-compat: false
# This is the historical default and what FCOS currently ships. fedora-bootc
# uses the new `root` value, but migrating FCOS is not that simple...
# https://coreos.github.io/rpm-ostree/treefile/#experimental-options
# This is re-implemented below for the container-native flow. Nuke this once
# that's the only path we support.
opt-usrlocal: var
# Here we override some key settings from bootc minimal-plus.
postprocess:
# Make `/opt and `/usr/local` symlinks.


@@ -1,2 +0,0 @@
ostree-layers:
- overlay/16disable-zincati


@@ -24,30 +24,9 @@ ostree-layers:
- overlay/08nouveau
- overlay/09misc
- overlay/20platform-chrony
- overlay/25azure-udev-rules
- overlay/30lvmdevices
conditional-include:
- if: releasever < 43
include:
packages:
# iptables-legacy was in <43 but excluded from 43+
# https://github.com/coreos/fedora-coreos-tracker/issues/1818
- iptables-legacy
postprocess:
# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
# remove iptables-legacy. This is needed because alternatives don't work
# https://github.com/coreos/fedora-coreos-tracker/issues/677
# https://github.com/coreos/fedora-coreos-tracker/issues/676
- |
#!/usr/bin/bash
set -eux -o pipefail
ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
- if: releasever > 42
include:
postprocess:
@@ -62,26 +41,6 @@ conditional-include:
# Be minimal
recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
# Add the sudo group to /etc/group
# This is re-implemented below for the container-native flow. Nuke this once
# that's the only path we support.
etc-group-members:
- sudo
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
# we can drop this when it's the rpm-ostree default
rpmdb: sqlite
# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos.yaml
postprocess:
@@ -119,7 +78,6 @@ postprocess:
ln -sf multi-user.target /usr/lib/systemd/system/default.target
# Add the sudo group to /etc/group in container-native flow.
# We can nuke `etc-group-members` once this is the only supported path.
- |
#!/usr/bin/env bash
set -xeuo pipefail
@@ -182,10 +140,6 @@ packages:
- kbd
# NIC firmware we've traditionally shipped but then were split out of linux-firmware in Fedora
- qed-firmware # https://github.com/coreos/fedora-coreos-tracker/issues/1746
# Include udev rules for NVMe backed Azure Instances
# see: https://issues.redhat.com/browse/COS-3124
# This package is not available in RHCOS yet
- azure-vm-utils
# - irqbalance
# - This thing is crying out to be pulled into systemd, but that hasn't happened


@@ -2,20 +2,6 @@
# into "official" builds of Fedora CoreOS (such as including `fedora-release-coreos`)
# or are very "opinionated" like disabling SSH passwords by default.
ref: fedora/${basearch}/coreos/${stream}
metadata:
license: MIT
name: fedora-coreos
summary: Fedora CoreOS ${stream}
add-commit-metadata:
fedora-coreos.stream: ${stream}
variables:
# upper manifests can override this when deriving from minimal-plus instead of
# doing a base compose
deriving: false
include: fedora-coreos-base.yaml
conditional-include:
- if: releasever >= 41
@@ -48,27 +34,16 @@ conditional-include:
include:
packages:
- nfs-client-utils
# Do the alternatives migration from 43
- if: releasever >= 43
include:
ostree-layers:
- overlay/50alternatives
# Perform migration to container signing versus ostree commit signing.
# This is a requirement for moving to build-via-container in F43,
# thus it must happen before the switch to F43.
- if: releasever < 43
include:
ostree-layers:
- overlay/35container-signing-migration
ostree-layers:
- overlay/15fcos
- overlay/17fcos-container-signing
automatic-version-prefix: "${releasever}.<date:%Y%m%d>.dev"
mutate-os-release: "${releasever}"
packages:
- fedora-release-coreos
- fedora-repos-ostree
@@ -84,15 +59,6 @@ packages:
# https://github.com/coreos/fedora-coreos-tracker/issues/1567
- bash-color-prompt
# Add the docker group to /etc/group
# https://github.com/coreos/fedora-coreos-tracker/issues/2
# This will be no longer needed when systemd-sysusers has been implemented:
# https://github.com/projectatomic/rpm-ostree/issues/49
# This is re-implemented below for the container-native flow. Nuke this once
# that's the only path we support.
etc-group-members:
- docker
# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos-base.yaml
postprocess:
@@ -190,7 +156,6 @@ postprocess:
# https://github.com/coreos/fedora-coreos-tracker/issues/2
# This will be no longer needed when systemd-sysusers has been implemented:
# https://github.com/projectatomic/rpm-ostree/issues/49
# We can nuke `etc-group-members` once this is the only path we support.
- |
#!/usr/bin/env bash
set -xeuo pipefail


@@ -2,7 +2,7 @@ conditional-include:
# Include shared-el9 workarounds on Fedora and EL9
- if: id == "fedora"
include: shared-el9.yaml
- if: osversion == "rhel-9.6"
- if: osversion == "rhel-9.8"
include: shared-el9.yaml
- if: osversion == "centos-9"
include: shared-el9.yaml
@@ -13,3 +13,9 @@ conditional-include:
include: shared-el10.yaml
- if: osversion == "centos-10"
include: shared-el10.yaml
packages:
# Include udev rules for NVMe backed Azure Instances [1]
# and unmanaged SRIOV network devices.
# [1] https://issues.redhat.com/browse/COS-3124
- azure-vm-utils


@@ -1,17 +0,0 @@
#!/usr/bin/bash
# Install 68-azure-sriov-nm-unmanaged.rules into the initramfs
# called by dracut
check() {
return 0
}
# called by dracut
depends() {
return 0
}
# called by dracut
install() {
inst_rules 68-azure-sriov-nm-unmanaged.rules
}


@@ -1,4 +0,0 @@
# Accelerated Networking on Azure exposes a new SRIOV interface to the VM.
# This interface is transparently bonded to the synthetic interface,
# so NetworkManager should just ignore any SRIOV interfaces.
SUBSYSTEM=="net", DRIVERS=="hv_pci", ACTION=="add|change|move", ENV{NM_UNMANAGED}="1"


@@ -54,19 +54,6 @@ such as `azure`, `aws`, `gcp`. The chrony config for these NTP servers
should override other chrony configuration (e.g. DHCP-provided)
configuration.
25azure-udev-rules
-------------------
Add udev rules for SRIOV networking on Azure. The udev rules are also
needed in the initramfs [1] and are delivered here via a dracut
module. This may be able to be removed once an upstream PR [2]
merges, though we need to make sure the RPM [3] includes the dracut
bits to include the rules in the initramfs too.
[1] https://github.com/coreos/fedora-coreos-tracker/issues/1383
[2] https://github.com/Azure/WALinuxAgent/pull/1622
[3] https://src.fedoraproject.org/rpms/WALinuxAgent/pull-request/4
30lvmdevices
-------------------


@@ -330,22 +330,18 @@ if vereq $version $last_release; then
# Since we'll be manually running `rpm-ostree` let's stop zincati
systemctl stop zincati
# XXX: Since we can't rely on `ostree-image-signed` until the
# streams have switched over to it we have to comment out the
# true part of this if statement for now.
#
#inspect=$(skopeo inspect --retry-times=3 -n docker://quay.io/fedora/fedora-coreos:${target_stream})
#registry_version=$(jq -r '.Labels."org.opencontainers.image.version"' <<< "${inspect}")
#if [ "${registry_version}" == "${target_version}" ]; then
# # If the container is already pushed to the registry we'll use the registry
# if [ "${stream}" == "${target_stream}" ]; then
# # If we aren't switching steams we can just upgrade
# rpm-ostree upgrade
# else
# # else we need to rebase
# rpm-ostree rebase "ostree-image-signed:docker://quay.io/fedora/fedora-coreos:{target_stream}"
# fi
#else
inspect=$(skopeo inspect --retry-times=3 -n docker://quay.io/fedora/fedora-coreos:${target_stream})
registry_version=$(jq -r '.Labels."org.opencontainers.image.version"' <<< "${inspect}")
if [ "${registry_version}" == "${target_version}" ]; then
# If the container is already pushed to the registry we'll use the registry
if [ "${stream}" == "${target_stream}" ]; then
# If we aren't switching steams we can just upgrade
rpm-ostree upgrade
else
# else we need to rebase
rpm-ostree rebase "ostree-image-signed:docker://quay.io/fedora/fedora-coreos:${target_stream}"
fi
else
# Since in the next steps we are making multiple copies of the update on the
# system (i.e. update.ociarchive and copying into OSTree storage) let's free
# up some space by dropping the rollback deployment.
@@ -358,7 +354,7 @@ if vereq $version $last_release; then
"https://builds.coreos.fedoraproject.org/prod/streams/${target_stream}/builds/${target_version}/${arch}/fedora-coreos-${target_version}-ostree.${arch}.ociarchive"
rpm-ostree rebase "ostree-unverified-image:oci-archive:/srv/update.ociarchive"
rm /srv/update.ociarchive
#fi
fi
/tmp/autopkgtest-reboot $version # execute the reboot
sleep infinity
fi
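Review bot: The re-enabled branch compares `registry_version` from one `skopeo inspect` of the stream tag and then resolves the same mutable tag again in `rpm-ostree upgrade` / `rpm-ostree rebase`, so the image that gets deployed is not tied to the one whose label matched `target_version`. Reading the digest from the same inspect output and rebasing to it, e.g. `digest=$(jq -r '.Digest' <<< "${inspect}")` followed by `rpm-ostree rebase "ostree-image-signed:docker://quay.io/fedora/fedora-coreos@${digest}"`, would close that gap; a version assertion after the reboot (possibly already present outside this hunk) would also catch it. A missing label makes `jq -r` print `null`, which falls through to the ociarchive path, so that case is covered. The enclosing `if vereq` block starts before the hunk.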


@@ -11,6 +11,7 @@
'''
import argparse
import dotenv
import json
import os
import platform
@@ -48,8 +49,8 @@ def main():
os.chdir(args.workdir)
assert os.path.isdir('builds'), 'Missing builds/ dir'
manifest = get_flattened_manifest()
x, y, z = (get_x(manifest), get_y(manifest), get_z(manifest, args.dev))
config = dotenv.dotenv_values('src/config/build-args.conf')
x, y, z = (get_x(config), get_y(config), get_z(config, args.dev))
n = get_next_iteration(x, y, z)
new_version = f'{x}.{y}.{z}.{n}'
@@ -65,22 +66,22 @@ def parse_args():
return parser.parse_args()
def get_x(manifest):
def get_x(config):
"""
X is the Fedora release version on which we're based.
X is the base release version on which we're based.
"""
releasever = manifest['releasever']
eprint(f"x: {releasever} (from manifest)")
return int(releasever)
base_version = config['BASE_VERSION']
eprint(f"x: {base_version} (from config)")
return int(base_version)
def get_y(manifest):
def get_y(config):
"""
Y is the base snapshot date in YYYYMMDD format of Fedora. We derive
this using the timestamp in the base lockfile.
"""
stream = manifest['add-commit-metadata']['fedora-coreos.stream']
stream = config['STREAM']
# XXX: should sanity check that the lockfiles for all the basearches have
# matching timestamps
@@ -111,14 +112,14 @@ def get_y(manifest):
return int(ymd)
def get_z(manifest, dev):
def get_z(config, dev):
"""
Z is the stream indicator.
"""
if dev:
eprint("z: dev (overridden)")
return 'dev'
stream = manifest['add-commit-metadata']['fedora-coreos.stream']
stream = config['STREAM']
assert stream in STREAM_TO_NUM, f"Unknown stream: {stream}"
mapped = STREAM_TO_NUM[stream]
eprint(f"z: {mapped} (mapped from stream {stream})")
@@ -151,12 +152,6 @@ def get_next_iteration(x, y, z):
return n
def get_flattened_manifest():
return yaml.safe_load(
subprocess.check_output(['rpm-ostree', 'compose', 'tree',
'--print-only', 'src/config/manifest.yaml']))
def parse_version(version):
m = re.match(r'^([0-9]{2})\.([0-9]{8})\.([0-9]+|dev)\.([0-9]+)$', version)
if m is None:
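Review bot: In `main()`, the result of `dotenv.dotenv_values('src/config/build-args.conf')` is used without checking that the file was read, and `get_x` indexes `config['BASE_VERSION']` directly, so a missing file or key surfaces as a bare KeyError (as far as I know `dotenv_values` returns an empty mapping for a path that does not exist rather than raising). An assertion next to the existing `builds/` check, e.g. `assert os.path.isfile('src/config/build-args.conf'), 'Missing src/config/build-args.conf'`, plus `assert config.get('BASE_VERSION'), 'BASE_VERSION not set in build-args.conf'`, would match the assert style already used for `STREAM_TO_NUM`. The `get_y` docstring still says "of Fedora" although `get_x` was reworded to "base release version". With `get_flattened_manifest` removed, the `yaml` and `subprocess` imports may now be unused; the import block is only partly visible here.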