
tree: import changes from testing-devel at 31598a1705

This commit is contained in:
CoreOS Bot
2025-04-15 18:35:03 +00:00
parent 4526841593
commit 3dc829bda1
28 changed files with 15 additions and 488 deletions


@@ -5,7 +5,7 @@
#
# This image is used by CoreOS CI to build software like
# Ignition, rpm-ostree, ostree, coreos-installer, etc...
FROM quay.io/fedora/fedora:41
FROM quay.io/fedora/fedora:42
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=2278652
ENV container=oci
COPY . /src


@@ -27,10 +27,10 @@ brs=$(grep -v '^#' "${dn}"/buildroot-buildreqs.txt)
echo "${brs}" | xargs dnf download --source
# rebuild the SRPM for this arch; see
# https://bugzilla.redhat.com/show_bug.cgi?id=1402784#c6
# Add workaround if on F41 for https://github.com/coreos/fedora-coreos-tracker/issues/1901
# Add workaround if on F42 for https://github.com/coreos/fedora-coreos-tracker/issues/1901
source /etc/os-release
workaround=""
if [ "${VERSION_ID}" == "41" ]; then
if [ "${VERSION_ID}" == "42" ]; then
workaround="--noclean"
fi
find . -name '*.src.rpm' -print0 | xargs -0n 1 rpmbuild -rs --nodeps \
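Review bot: The `--noclean` workaround is now keyed to `VERSION_ID == "42"` exactly (previously `41`), so the next buildroot rebase silently drops it whether or not tracker issue 1901 is resolved, and nothing in the comment says what condition permits removing it. If the rpmbuild problem persists on newer releases, `if [ "${VERSION_ID}" -ge 42 ]; then` is the safer guard; either way the comment should read along the lines of `# Drop once https://github.com/coreos/fedora-coreos-tracker/issues/1901 is fixed in the buildroot`. The surrounding `dnf download --source` / `rpmbuild -rs --nodeps` pipeline is context here, but note it rebuilds whatever SRPMs were fetched without any signature check of its own, so it presumably relies on the buildroot's dnf/repo GPG configuration, which is not visible in this hunk. The script continues past the end of the hunk.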


@@ -33,3 +33,12 @@ platform-compressor:
# For DigitalOcean you can upload a qcow2 compressed in either gzip or bzip2
# https://docs.digitalocean.com/products/custom-images/how-to/upload/
digitalocean: gzip
# Move to use OCI images by default
# https://github.com/coreos/fedora-coreos-tracker/issues/1823
deploy-via-container: true
container-imgref: "ostree-remote-registry:fedora:quay.io/fedora/fedora-coreos:{stream}"
# Enable 'erofs' by default for the rootfs in the Live ISO/PXE artifacts
live-rootfs-fstype: "erofs"
live-rootfs-fsoptions: "-zlzma,level=6 -Eall-fragments,fragdedupe=inode -C1048576 --quiet"
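Review bot: The new `container-imgref` points at the mutable tag `quay.io/fedora/fedora-coreos:{stream}`, so the integrity of what gets deployed rests on the `ostree-remote-registry:fedora:` prefix, which (as I read ostree-ext's imgref semantics) has rpm-ostree verify the commit embedded in the image against the `fedora` ostree remote's keys; that remote's definition is not in this hunk, so the trust anchor is invisible here. A comment above the line would make it explicit, e.g. `# ostree-remote-registry:fedora: makes rpm-ostree verify the embedded commit signature with the 'fedora' remote's keys; the tag itself is mutable`. `deploy-via-container: true` and the erofs `live-rootfs-*` keys look fine as written.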


@@ -1,37 +0,0 @@
# This minimal base is the userspace: systemd + rpm-ostree + bootloader.
# The intent of this is to inherit from this if you are doing something highly
# custom that e.g. might not involve Ignition or podman, but you do want
# rpm-ostree.
# We expect most people though using coreos-assembler to inherit from
# fedora-coreos-base.yaml.
packages:
- systemd
# linux-firmware now a recommends so let's explicitly include it
# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- linux-firmware
# rpm-ostree
- rpm-ostree nss-altfiles
# firmware updates
- fwupd
# https://fedoraproject.org/wiki/Changes/DNFAndBootcInImageModeFedora
- bootc
# bootloader
packages-aarch64:
- grub2-efi-aa64 efibootmgr shim
packages-ppc64le:
- grub2 ostree-grub2
packages-s390x:
# On Fedora, this is provided by s390utils-core. on RHEL, this is for now
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get
# chosen as the package to satisfy the `kernel-core` dependency from
# the kernel package.
- kernel-debug-core


@@ -1,11 +0,0 @@
# Integration with https://github.com/coreos/bootupd
# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
packages:
- bootupd
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata


@@ -1,3 +0,0 @@
# Enable composefs by default.
ostree-layers:
- overlay/08composefs


@@ -1,3 +0,0 @@
exclude-packages:
- dnf
- dnf5


@@ -9,19 +9,9 @@ include:
- file-transfer.yaml
- networking-tools.yaml
- user-experience.yaml
- shared-workarounds.yaml
- shared-el9.yaml
- shared-el10.yaml
conditional-include:
# starting from f42, we inherit from tier-x
# once we're on f42, we can move this up to the default list of includes above
- if: releasever >= 42
include: tier-x.yaml
# all these are inherited from tier-x in f42+, but we carry them here to
# enforce that there's really no coupling until f42
- if: releasever < 42
include: tier-x-dupes.yaml
- tier-x.yaml
ostree-layers:
- overlay/05core
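Review bot: Dropping `shared-workarounds.yaml` from the include list removes the `overlay/07fix-selinux-labels` layer, which the README text deleted elsewhere in this same commit says must outlive RHCOS 4.16 and early 4.17 aleph nodes and be removed "in the 4.19 cycle"; neither the commit description nor this hunk states that condition is now met. If the removal is intentional for the F42 rebase, a one-line note next to `- tier-x.yaml` (or in the commit description) saying the one-shot relabel service is no longer needed on any supported node would keep the decision auditable. The enclosing `include:` list starts before this hunk.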


@@ -17,26 +17,6 @@ conditional-include:
- if: prod == false
# long-term, would be good to support specifying a nested TreeComposeConfig
include: disable-zincati.yaml
- if:
- basearch != "s390x"
# for 42+, it's inherited from fedora-bootc
- releasever < 42
# And remove some cruft from grub2
include: grub2-removals.yaml
# On <41, we want to keep making sure dnf doesn't slip in somehow
# On 41+, we do want it
# https://github.com/coreos/fedora-coreos-tracker/issues/1687
- if: releasever < 41
include: exclude-dnf.yaml
# for 42+, it's inherited from fedora-bootc
- if: releasever == 41
include: include-dnf.yaml
# Wifi firmwares will be dropped in F41
- if: releasever < 41
include: wifi-firmwares.yaml
# for 42+, it's inherited from fedora-bootc
- if: releasever == 41
include: composefs.yaml
- if: releasever >= 41
include: selinux-workaround.yaml
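Review bot: If the `- if: releasever >= 41` / `include: selinux-workaround.yaml` entry survives this hunk, as the hunk counts suggest, it becomes the only release-version condition left after every `< 41`, `== 41` and `< 42` entry is removed, and on a tree that now assumes F42 it reads as dead conditionality. Either move `selinux-workaround.yaml` into the plain `include:` list, or add a comment such as `# kept conditional because <older stream> still builds from this manifest` naming the lower releasever that still reaches it. The enclosing `conditional-include:` list starts before this hunk.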


@@ -1,8 +0,0 @@
remove-from-packages:
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]


@@ -1,17 +0,0 @@
# This manifest can go away in Fedora 42. It duplicates tier-x.
# Modern defaults we want
boot-location: modules
tmp-is-dir: true
# Required by Ignition, and makes the system not compatible with Anaconda
machineid-compat: false
remove-from-packages:
# We don't want systemd-firstboot.service. It conceptually conflicts with
# Ignition. We also inject runtime bits to disable it in systemd-firstboot.service.d/fcos-disable.conf
# to make it easier to use systemd builds from git.
- [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
# We don't want auto-generated mount units. See also
# https://github.com/systemd/systemd/issues/13099
- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]


@@ -1,2 +0,0 @@
packages:
- dnf5


@@ -1,8 +0,0 @@
# This manifest can go away in Fedora 42. It duplicates tier-x.
packages:
# Standard tools for configuring network/hostname
- NetworkManager hostname
- iproute
# Firewall manipulation
- iptables


@@ -1,4 +0,0 @@
# This manifest is a list of shared workarounds that are needed in both Fedora CoreOS
# and downstreams (i.e. Red Hat CoreOS).
ostree-layers:
- overlay/07fix-selinux-labels


@@ -1,14 +0,0 @@
# This manifest can go away in Fedora 42. It duplicates tier-x.
packages:
- cryptsetup
- e2fsprogs
- lvm2
- xfsprogs
# SELinux policy
- selinux-policy-targeted
# Allow for configuring different timezones
- tzdata
# zram-generator (but not zram-generator-defaults) for F33 change
# https://github.com/coreos/fedora-coreos-tracker/issues/509
- zram-generator


@@ -1,11 +0,0 @@
# All of these manifests duplicate tier-x. It's meant to be included by streams
# which do not yet inherit from it (like FCOS <42, and "traditional" RHCOS)
include:
- bootable-rpm-ostree.yaml
- ignition-and-ostree-tier-x-dupes.yaml
- system-configuration-tier-x-dupes.yaml
- networking-tools-tier-x-dupes.yaml
- user-experience-tier-x-dupes.yaml
# See https://github.com/coreos/bootupd
- bootupd.yaml


@@ -1,26 +0,0 @@
# This manifest can go away in Fedora 42. It duplicates tier-x.
# Default to `bash` in our container, the same as other containers we ship.
# Note this changes to /sbin/init in f42 as inherited by tier-x.
container-cmd:
- /usr/bin/bash
packages:
# Basic user tools
- bash-completion
- coreutils
# jq - parsing/interacting with JSON data
- jq
- less
- sudo
- vim-minimal
# File compression/decompression
- tar
# Remote Access
- openssh-clients openssh-server
# Container tooling
## crun recommends but doesn't require criu and criu-libs. We want them for
## checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
- crun criu criu-libs
- podman
- skopeo


@@ -1,9 +0,0 @@
# Wifi/BT firmware files kept in FCOS until the F41 rebase
# See: https://github.com/coreos/fedora-coreos-tracker/issues/1575
packages:
- atheros-firmware
- brcmfmac-firmware
- mt7xxx-firmware
- nxpwireless-firmware
- realtek-firmware
- tiwilink-firmware


@@ -1,8 +0,0 @@
# Fix incorrect SELinux labels in /boot and /sysroot
# - https://github.com/coreos/fedora-coreos-tracker/issues/1772
# - https://github.com/coreos/fedora-coreos-tracker/issues/1771
# We need this for both FCOS and RHCOS and it needs to live for
# some time (not just a single FCOS barrier release) so that we
# can ensure RHCOS 4.16 aleph nodes and some early 4.17 aleph
# nodes have been fixed.
enable coreos-fix-selinux-labels.service


@@ -1,19 +0,0 @@
[Unit]
Description=Fix mislabeled or unlabeled SELinux contexts on files
Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1771
Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1772
ConditionPathExists=!/var/lib/coreos-fix-selinux-labels.stamp
# Run before zincati so we're not creating new files on the filesystem
# while we are fixing labels on existing files.
Before=zincati.service
[Service]
Type=oneshot
# Don't run this more than once, even if it fails
ExecStartPre=/bin/touch /var/lib/coreos-fix-selinux-labels.stamp
ExecStart=/usr/libexec/coreos-fix-selinux-labels
RemainAfterExit=yes
MountFlags=slave
[Install]
WantedBy=multi-user.target


@@ -1,165 +0,0 @@
#!/usr/bin/bash
# Script to help fix selinux labels on systems that were created with
# OSBuild before https://github.com/coreos/coreos-assembler/commit/d3302e0fc9bedec2d4e935e3528eb5abd44e7ae8
# was put in place to ensure images didn't get created with unlabeled
# or mislabeled files. See also
# - https://github.com/coreos/fedora-coreos-tracker/issues/1771
# - https://github.com/coreos/fedora-coreos-tracker/issues/1772
#
# Also handle /boot/.root_uuid and /boot/grub2/bootuuid.cfg created
# by rdcore for some time without labels.
# - https://github.com/coreos/fedora-coreos-tracker/issues/1770
# - https://github.com/coreos/fedora-coreos-config/pull/3155
set -eu -o pipefail
print_header() {
echo '------------------------------------'
echo "$1"
echo
}
get_context() {
path=$1
getfattr -n security.selinux --absolute-name --only-values "${path}" | \
tr -d '\0' # Trim the null byte from the ouptut to prevent bash warning
}
path_unlabeled() {
test -e "$1" || return 1 # no exist so not unlabeled
if [ "$(get_context "$1")" == "system_u:object_r:unlabeled_t:s0" ]; then
return 0
else
return 1
fi
}
any_unlabeled() {
# shellcheck disable=SC2068
for file in $@; do
path_unlabeled "${file}" && return 0
done
return 1 # none were unlabeled
}
# Check a few known paths. If /sysroot is unlabeled then we need to
# clean up the mess that OSBuild left behind #1771,#1772. If /boot/.root_uuid
# or /boot/grub2/bootuuid.cfg are unlabeled we need to fix those two #1770.
if ! any_unlabeled '/sysroot' '/boot/.root_uuid' '/boot/grub2/bootuuid.cfg'; then
echo "This CoreOS installation is properly labeled. Exiting"
exit 0
fi
print_header "Remounting filesystems read/write"
# Note we don't need to remount them read-only later
# because we are running with MountFlags=slave so
# changes here won't propagate to the rest of the system
mount -v -o remount,rw /boot
mount -v -o remount,rw /sysroot
# Fix the few ones we know about. Some of these are from #1770
# and some from #1772, but it's easier to just combine the code.
print_header "Fixing label for files on the /boot filesystem"
for file in '.root_uuid' 'grub2/bootuuid.cfg' 'lost+found'; do
if path_unlabeled "/boot/${file}"; then
context=$(matchpathcon -n "/boot/${file}")
echo "Changing context of /boot/${file} to ${context}"
/usr/bin/chcon -h -v "${context}" "/boot/${file}"
fi
done
# Also handle coreos/platforms.json, which could have the wrong label
if [ -e "/boot/coreos/platforms.json" ]; then
restorecon -v "/boot/coreos/platforms.json"
fi
if ! path_unlabeled "/sysroot"; then
# We don't need to go further with the other fixes since
# this system doesn't appear to be affected by #1771,#1772.
echo "coreos-fix-selinux-labels finished successfully" > /var/lib/coreos-fix-selinux-labels.stamp
exit 0
fi
print_header "Mounting boot partition separately to check shadowed /boot/efi"
boot_mount_point=$(mktemp --directory)
mount -v /dev/disk/by-label/boot "$boot_mount_point"
if path_unlabeled "${boot_mount_point}/efi"; then
echo "Fixing label on shadowed /boot/efi"
context=$(matchpathcon -n "/boot/efi")
echo "Changing context of /boot/efi to ${context}"
/usr/bin/chcon -h -v "${context}" "${boot_mount_point}/efi"
fi
umount -v "$boot_mount_point"
rmdir "$boot_mount_point"
# The underlying /boot directory on the root filesystem can be wrong
print_header "Checking shadowed /boot"
if path_unlabeled "/sysroot/boot"; then
echo "Fixing the label for the /boot mount point on the root filesystem"
context=$(matchpathcon -n "/boot/")
echo "Changing context of /sysroot/boot to ${context}"
/usr/bin/chcon -h -v "${context}" "/sysroot/boot"
fi
# Fix unlabeled files. The find commands are hand crafted to try
# to catch all unlabeled files, but not touch any objects in the
# ostree repo and also not traverse too deep in the filesystem,
# which could take more time than we'd like.
#
# - /ostree/repo/refs/ to capture the container/blob/ files
# - /ostree/boot* to capture boot.x and bootx.x files
# - /ostree/repo/{.lock,config} - two known offenders
# - .aleph-version.json, .coreos-aleph-version.json - two more
# - -type l -or -type d - all directories and symlinks in the repo
# - -type f -regex '.*\.\(commitmeta\|commit\|dirmeta\|dirtree\|origin\)$'
# - all .commitmeta, .commit, .dirmeta, .dirtree, .origin
# files in the repo and no other files (objects)
#
# Note that we explicitly prune /sysroot/ostree/deploy/*/var so we
# don't consider anything under that path for our operation. Note
# also some of these are left unquoted to allow for shell expansion.
#
context=$(matchpathcon -n "/")
tmpfile=$(mktemp)
print_header "Changing context of unlabeled files to ${context}"
(
find "/sysroot/ostree/repo/refs" \
"/sysroot/.aleph-version.json" \
"/sysroot/.coreos-aleph-version.json" \
/sysroot/ostree/repo/{.lock,config} \
/sysroot/ostree/boot* \
-context '*:unlabeled_t:*' -print0;
find "/sysroot/" -maxdepth 7 -path /sysroot/ostree/deploy/*/var -prune -o \
\( \
-context '*:unlabeled_t:*' \
\( \
-type l -or -type d -or \
\( -type f -regex '.*\.\(commitmeta\|commit\|dirmeta\|dirtree\|origin\)$' \) \
\) \
-print0 \
\)
) | xargs --null -I{} chcon -v -h "${context}" {} > "${tmpfile}"
# Print something here for the journal, but not the full list of files
# because that would be a lot. We'll dump those in the stamp file later.
echo "Relabeled $(wc -l < "${tmpfile}") files to ${context}"
# Update the stamp file with a record of what was done up until this point
journalctl -b0 -u coreos-fix-selinux-labels.service >> /var/lib/coreos-fix-selinux-labels.stamp
print_header "The following are the unlabeled files that were fixed" >> /var/lib/coreos-fix-selinux-labels.stamp
cat "${tmpfile}" >> /var/lib/coreos-fix-selinux-labels.stamp
rm -f "${tmpfile}"
timestamp=$(date +%s)
print_header "Checking the repository for consistency"
if ! ostree fsck; then
echo "OSTree fsck found corruption. Please reprovision if you can or" 1>&2
echo "ask for help at https://discussion.fedoraproject.org/tag/coreos" 1>&2
echo "coreos-fix-selinux-labels finished with failure" > /var/lib/coreos-fix-selinux-labels.stamp
exit 1
fi
# Capture the final bits in the stamp file
journalctl --since="@${timestamp}" -u coreos-fix-selinux-labels.service >> /var/lib/coreos-fix-selinux-labels.stamp
# This will go to both the journal and the stamp file
echo "coreos-fix-selinux-labels finished successfully" | tee -a /var/lib/coreos-fix-selinux-labels.stamp


@@ -1 +0,0 @@
Enable composefs by default; more in https://ostreedev.github.io/ostree/composefs/


@@ -1,2 +0,0 @@
[composefs]
enabled = true


@@ -1,8 +1,3 @@
enable coreos-check-ssh-keys.service
# Check if cgroupsv1 is still being used
enable coreos-check-cgroups-version.service
# https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
enable fwupd-refresh.timer
# Check if wifi firmwares are missing when NetworkManager-wifi is installed
# https://github.com/coreos/fedora-coreos-tracker/issues/1575
enable coreos-check-wireless-firmwares.service


@@ -1,25 +0,0 @@
#!/usr/bin/bash
# This script checks if the system is still using cgroups v1
# and prints a message to the serial console.
# Change the output color to yellow
warn=$(echo -e '\033[0;33m')
# No color
nc=$(echo -e '\033[0m')
motd_path=/run/motd.d/30_cgroupsv1_warning.motd
cat << EOF > "${motd_path}"
${warn}
##########################################################################
WARNING: This system is using cgroups v1. In Fedora 41 this system will
no longer continue to boot. It is strongly recommended to migrate this
system and your workloads to use cgroups v2. For instructions on how to
adjust kernel arguments to use cgroups v2, see:
https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/
To disable this warning, use:
sudo systemctl disable coreos-check-cgroups-version.service
##########################################################################
${nc}
EOF


@@ -1,63 +0,0 @@
#!/usr/bin/bash
# This script checks if
# and will prints a message to the serial console
# to warn the user about missing wifi firmware messages
# and provide remediation steps
# See https://github.com/coreos/fedora-coreos-tracker/issues/1575
set -euo pipefail
# List of wifi-firmwares
# SOURCE: https://pagure.io/fedora-comps/blob/main/f/comps-f41.xml.in#_2700
firmwares=(
atheros-firmware
b43-fwcutter
b43-openfwwf
brcmfmac-firmware
iwlegacy-firmware
iwlwifi-dvm-firmware
iwlwifi-mvm-firmware
libertas-firmware
mt7xxx-firmware
nxpwireless-firmware
realtek-firmware
tiwilink-firmware
atmel-firmware
bcm283x-firmware
zd1211-firmware
)
# Get firmware names into `a|b|c|d` regex string
regex=$(IFS='|'; echo "${firmwares[*]}")
layered_packages="$(rpm-ostree status --json -b | jq -r '.deployments[0]."requested-packages"[]')"
if grep -q "NetworkManager-wifi" <<< "$layered_packages"; then
if grep -qP $regex <<< "$layered_packages"; then
exit 0
fi
else
exit 0
fi
# Change the output color to yellow
warn=$(echo -e '\033[0;33m')
# No color
nc=$(echo -e '\033[0m')
motd_path=/run/motd.d/30_wireless_firmwares_warning.motd
cat << EOF > "${motd_path}"
${warn}
##########################################################################
WARNING: NetworkManager-wifi is a requested layered package on this
system, but no Wi-Fi drivers are requested. The Wi-Fi drivers will no
longer be included by default in the future.
More context and remediation steps are available in the following FAQ entry:
https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#wifi-fw
To disable this warning, use:
sudo systemctl disable coreos-check-wireless-firmwares.service
##########################################################################
${nc}
EOF


@@ -10,17 +10,6 @@ This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
This overlay is shared with RHCOS/SCOS 9.
07fix-selinux-labels
--------------------
Fix incorrect SELinux labels in /boot and /sysroot
- https://github.com/coreos/fedora-coreos-tracker/issues/1772
- https://github.com/coreos/fedora-coreos-tracker/issues/1771
We need this for both FCOS and RHCOS and it needs to live for
some time (not just a single FCOS barrier release) so that we
can ensure RHCOS 4.16 aleph nodes and some early 4.17 aleph
nodes have been fixed. Remove it in the 4.19 cycle.
08nouveau
---------


@@ -24,13 +24,13 @@ get_ipv4_for_nic() {
get_fedora_container_ref() {
local repo='quay.io/fedora/fedora'
local tag='41'
local tag='42'
echo "${repo}:${tag}"
}
get_fedora_minimal_container_ref() {
local repo='quay.io/fedora/fedora-minimal'
local tag='41'
local tag='42'
echo "${repo}:${tag}"
}