
tree: import changes from testing-devel at 4c0f22e2a5

This commit is contained in:
CoreOS Bot
2025-09-14 01:43:03 +00:00
parent 2b5d976bca
commit 8f3cbcb30d
16 changed files with 317 additions and 221 deletions


@@ -38,15 +38,6 @@ conditional-include:
# All Fedora CoreOS streams share the same pool for locked files.
lockfile-repos:
- fedora-coreos-pool
# The OCI migration is now happening in all streams, but we should
# be able to drop the migration code after the next barrier release.
# Let's just encode it to be dropped with F43, since we know there
# will be a barrier release before then.
# https://github.com/coreos/fedora-coreos-tracker/issues/1890
- if: releasever < 43
include:
ostree-layers:
- overlay/35oci-migration
# In F43 and older pull in the nfs-utils-coreos package
- if: releasever <= 43
include:
@@ -63,6 +54,27 @@ conditional-include:
include:
ostree-layers:
- overlay/50alternatives
# Add container signing configuration. Initially rolling this out only
# to `next`, `next-devel` and mechanical streams.
- if:
- stream != "stable"
- stream != "testing"
- stream != "testing-devel"
include:
ostree-layers:
- overlay/17fcos-container-signing
# Perform migration to container signing versus ostree commit signing.
# This is a requirement for moving to build-via-container in F43,
# thus it must happen before the switch to F43. Initially rolling out
# to `next` and `next-devel`.
- if:
- stream != "stable"
- stream != "testing"
- stream != "testing-devel"
- releasever < 43
include:
ostree-layers:
- overlay/35container-signing-migration
ostree-layers:
- overlay/15fcos
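Review bot: The two new conditional includes (the `17fcos-container-signing` block and the `35container-signing-migration` block) are coupled but nothing in the manifest says so: the migration overlay rebases systems onto an `ostree-image-signed:` refspec, which can only be pulled where the policy.json overlay is also included, so a later edit that widens one stream list without the other would leave a stream migrating to a refspec it has no verification policy for (inferred from the overlay names and the commit's other files; worth confirming). I would add above the second `- if:` a comment such as `# Only include this on streams that also get 17fcos-container-signing above; the migrated refspec needs that policy to pull.` The `conditional-include:` mapping both hunks belong to starts outside the hunk.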


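--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,5 @@
+# Configuration to verify container pulls of Fedora CoreOS with signatures
+# fetched from the CoreOS builds bucket.
+docker:
+quay.io/fedora/fedora-coreos:
+lookaside: https://builds.coreos.fedoraproject.org/prod/signatures/oci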


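--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,55 @@
+{
+"default": [
+{
+"type": "reject"
+}
+],
+"transports": {
+"docker-daemon": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"containers-storage": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"oci": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"oci-archive": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"docker": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"quay.io/fedora/fedora-coreos": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPaths": [
+"/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-42-primary",
+"/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-primary",
+"/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-primary"
+]
+}
+]
+}
+}
+}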
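Review bot: The `signedBy` entry for `quay.io/fedora/fedora-coreos` lists three `keyPaths` (`RPM-GPG-KEY-fedora-42-primary` through `-44-primary`), and as far as I recall containers/image's policy evaluation, a listed key file that is missing on disk makes the requirement fail rather than being skipped, so every releasever this overlay is included on must ship all three files; worth confirming against the fedora-gpg-keys contents on the oldest release that gets the overlay. The `docker` `""` scope and the `docker-daemon`, `containers-storage`, `oci` and `oci-archive` scopes are all `insecureAcceptAnything` under a `reject` default, which is only acceptable because the commit's rpm-ostreed drop-in mounts this file over `/etc/containers/policy.json` for that one service; JSON cannot carry a comment, so that scoping assumption and the need to extend `keyPaths` on each key rotation belong in the overlay's README entry or the drop-in's comment block.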


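--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,7 @@
+# Bind mount in our containers policy.json that configures
+# how to do signature verification for quay.io/fedora/fedora-coreos
+# Remove this override with:
+# mkdir /etc/systemd/system/rpm-ostreed.service.d
+# ln -s /dev/null /etc/systemd/system/rpm-ostreed.service.d/coreos-containers-policy.conf
+[Service]
+BindReadOnlyPaths=/usr/lib/coreos/coreos-containers-policy.json:/etc/containers/policy.json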
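Review bot: The comment block explains how to mask the drop-in but not what it takes away: `BindReadOnlyPaths=` applies to rpm-ostreed's mount namespace only, so for that service the shipped file shadows whatever the administrator has placed in `/etc/containers/policy.json`, and a user who relies on their own `signedBy` entries there for a custom `ostree-image-signed:` rebase loses them silently unless they mask this drop-in (inferred from the directive's per-service scope). I would add after the first two comment lines `# Note: for rpm-ostreed only, this shadows any local /etc/containers/policy.json; other services keep using the file on disk.`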


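--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,2 @@
+# show a motd if the container signing migration cannot be done automatically
+enable coreos-container-signing-migration-motd.service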


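--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
+# This service is used for printing a message if
+# the container signing migration failed or was opted out.
+[Unit]
+Description=Warn Based On Container Signing Migration Status
+After=zincati.service multi-user.target
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-container-signing-migration-motd
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target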
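Review bot: `After=zincati.service multi-user.target` together with `WantedBy=multi-user.target` looks like an ordering cycle: unless I misread systemd.target(5), a target is implicitly ordered After= the units it Wants, so multi-user.target would wait for this service while this service waits for multi-user.target, and systemd breaks such cycles by dropping a job, possibly this unit's. The unit this one replaces (removed elsewhere in this commit) used `Before=systemd-user-sessions.service`, which is the conventional way to have a motd in place before logins, and `After=zincati.service` on its own already orders the motd after the migration `ExecStartPre=` has run. I would change the line to `After=zincati.service` and, if the motd must exist before login, add `Before=systemd-user-sessions.service`; worth checking with `systemd-analyze verify` on a built image since this is inferred from the unit text alone.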


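--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,3 @@
+[Service]
+StateDirectory=coreos-container-signing-migration
+ExecStartPre=-/usr/libexec/coreos-container-signing-migration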
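Review bot: The `-` prefix on `ExecStartPre=-/usr/libexec/coreos-container-signing-migration` is load-bearing (a failing migration must leave its stamp behind and not keep zincati.service from starting) but the drop-in carries no comment, so someone tidying it could "fix" the prefix away. I would add above that line `# '-' prefix: a failed migration leaves failed.stamp for the motd unit and must not block zincati.service itself`. The removed `TimeoutStartSec=300` from the old drop-in is not carried over, which reads as intentional since the new script no longer waits for the network; a word on that in the same comment would save the next reader the comparison.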


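--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
+#!/bin/bash
+# This is a migration script to move FCOS to signature verification of
+# the pulled update container image.
+#
+# Users that have disabled Zincati or use a non default ostree remote
+# won't be migrated.
+#
+# See https://github.com/coreos/fedora-coreos-tracker/issues/2029
+MIGRATION_OPT_OUT=/var/lib/coreos-container-signing-migration/opt-out.stamp
+MIGRATION_FAILED=/var/lib/coreos-container-signing-migration/failed.stamp
+if [ -e $MIGRATION_OPT_OUT ]; then
+echo "${MIGRATION_OPT_OUT} to opt out of migration exists, doing nothing."
+exit 0
+fi
+# create the failed stamp file as a precaution
+touch $MIGRATION_FAILED
+# if something goes wrong, exit the script so the failed stamp will remain
+set -euxo pipefail
+# Save the rpm-ostree status.
+echo "Saving rpm-ostree status."
+status=$(rpm-ostree status --json --booted)
+# Error if the machine is not on an OCI deployment
+booted_imgref=$(jq -r '.deployments[0]."container-image-reference"' <<< "$status")
+if [ "$booted_imgref" == "null" ]; then
+echo "ERROR: The booted deployment isn't an OCI container."
+echo "ERROR: Can't proceed with container signing migration."
+exit 1
+fi
+# Exit early if the machine is already migrated
+if [[ "$booted_imgref" =~ ostree-image-signed:docker://quay.io/fedora/fedora-coreos ]]; then
+echo "INFO: The container signing migration was previously completed."
+rm $MIGRATION_FAILED
+exit 0
+fi
+# Error if the machine starting state doesn't match expectation
+if [[ ! "$booted_imgref" =~ ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos ]]; then
+# In this case the user is likely following some other image (quay.io/userx/fedora-coreos:testing)
+# but it should still be ok to error here because zincati probably shouldn't be enabled?
+echo "ERROR: The booted container imgref doesn't match the Fedora CoreOS default."
+exit 1
+fi
+# gather information to populate the booted-status-override.json file
+version=$(jq -r '.deployments[0].version' <<< "$status")
+base_commit_meta=$(jq -r '.deployments[0]."base-commit-meta"' <<< "$status")
+checksum=$(jq -r '.deployments[0].checksum' <<< "$status")
+digest=$(jq -r '.deployments[0]."container-image-reference-digest"' <<< "$status")
+# Determine the updated imgref to use. THIS IS THE MIGRATION. Example:
+# from: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:testing
+# to: ostree-image-signed:docker://quay.io/fedora/fedora-coreos:${version}
+#
+# The hack here is we are replacing the stream tag with the version
+# tag, which triggers zincati's logic [1] to do a rebase instead of a
+# deploy, which means it will pick up the `ostree-image-signed` migration.
+#
+# The zincati code will still rebase to the stream tag [2], so this is
+# ultimately harmless.
+#
+# For more info on refspecs and what they mean see [3].
+#
+# [1] https://github.com/coreos/zincati/blob/c47f43edb1c35204d948d16c2520f185455ec244/src/rpm_ostree/actor.rs#L92
+# [2] https://github.com/coreos/zincati/blob/c47f43edb1c35204d948d16c2520f185455ec244/src/rpm_ostree/actor.rs#L88
+# [3] https://github.com/coreos/rpm-ostree/blob/6f386be3d474aeb24fdc7f672d38151f95069223/docs/container.md?plain=1#L53
+updated_imgref="ostree-image-signed:docker://quay.io/fedora/fedora-coreos:${version}"
+# Proceed with the migration by writing an override status file,
+# so at the next update, Zincati will use container signing.
+echo "Writing a status override file for the booted deployment in /run/zincati/booted-status-override.json"
+cat > /run/zincati/booted-status-override.json << EOF
+{
+"booted": true,
+"container-image-reference": "$updated_imgref",
+"container-image-reference-digest": "$digest",
+"base-commit-meta": $base_commit_meta,
+"checksum": "$checksum",
+"version": "$version"
+}
+EOF
+echo "Zincati will verify container signatures in the next update."
+# All went well, delete the failed stamp
+rm $MIGRATION_FAILED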
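Review bot: The `ostree-remote-image` mismatch branch (`if [[ ! "$booted_imgref" =~ ... ]]`) exits 1 with the failed stamp still in place, so a system deliberately following some other image gets the sibling motd's "The migration ... failed ... The system will likely fail to continue updating" on every boot, which does not describe that situation; the inline comment there already concedes the uncertainty. I would separate the two outcomes, for example `rm $MIGRATION_FAILED` before that `exit 1` together with `echo "INFO: booted imgref is not the Fedora CoreOS default; skipping migration."`, or a distinct stamp the motd script can report on. Separately, `digest` and `base_commit_meta` are interpolated into the override JSON unchecked, so a `null` from jq would be written as the string `"null"` for the digest; a guard like the one on `booted_imgref` would be cheap, and `rm "$MIGRATION_FAILED"` (quoted, in both places) matches the style of the other expansions.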


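--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
+#!/usr/bin/bash
+# This script checks if container signing migration failed
+# or was opted-out and prints the appropriate message
+# to the console.
+#
+# See https://github.com/coreos/fedora-coreos-tracker/issues/2029
+MIGRATION_OPT_OUT=/var/lib/coreos-container-signing-migration/opt-out.stamp
+MIGRATION_FAILED=/var/lib/coreos-container-signing-migration/failed.stamp
+ZINCATI_ENABLED=$(systemctl is-enabled zincati.service)
+MOTD_PATH=/run/motd.d/30_container_signing_migration.motd
+# Start by deleting any previous motd we created,
+# e.g. if the migration failed then the user opted out, or fixed it.
+rm -f $MOTD_PATH
+opt_out_message="
+This system has been opted out of the migration to container signed
+images for updates as the opt-out stamp file exists.
+The system will likely fail to continue updating in the near future.
+See https://github.com/coreos/fedora-coreos-tracker/issues/2029
+When ready, the migration can be resumed by deleting
+${MIGRATION_OPT_OUT}, then restarting zincati.service"
+failed_message="
+The migration to OCI signed images for updates failed. Check the logs of
+zincati.service for more details.
+The system will likely fail to continue updating in the near future.
+See https://github.com/coreos/fedora-coreos-tracker/issues/2029
+When ready, the migration can be retried by deleting
+${MIGRATION_FAILED}, then restarting zincati.service"
+zincati_disabled_message="
+The zincati service is disabled on this system.
+If not done so already please migrate the system to the signed OCI backend
+for updates by running:
+stream=stable # or testing or next
+target=ostree-signed-image:registry:quay.io/fedora/fedora-coreos:\$stream
+sudo rpm-ostree rebase \$target --reboot
+Where \$stream matches the Fedora CoreOS stream the system is following.
+See https://github.com/coreos/fedora-coreos-tracker/issues/2029"
+write_motd () {
+# Change the output color to yellow
+warn=$(echo -e '\033[0;33m')
+# No color
+nc=$(echo -e '\033[0m')
+cat << EOF > "${MOTD_PATH}"
+${warn}
+##########################################################################
+${1}
+To disable this warning, use:
+sudo systemctl disable coreos-container-signing-migration-motd.service
+##########################################################################
+${nc}
+EOF
+}
+if [ -e $MIGRATION_OPT_OUT ]; then
+write_motd "$opt_out_message"
+elif [ -e $MIGRATION_FAILED ]; then
+write_motd "$failed_message"
+elif [ "$ZINCATI_ENABLED" == "disabled" ]; then
+write_motd "$zincati_disabled_message"
+fi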
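Review bot: The `zincati_disabled_message` tells the user to rebase to `ostree-signed-image:registry:quay.io/fedora/fedora-coreos:\$stream`, but the refspec kind the migration script in this same commit writes is `ostree-image-signed:` (`updated_imgref="ostree-image-signed:docker://..."`), so the two words are swapped here and, as far as I know rpm-ostree's refspec kinds, the advertised command would be rejected by `rpm-ostree rebase`. The line should read `target=ostree-image-signed:registry:quay.io/fedora/fedora-coreos:\$stream`. Worth pasting the rendered command once on a system with zincati disabled, since the message is the only guidance such users get.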


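--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-# show a motd if the OCI migration cannot be done automatically
-enable coreos-oci-migration-motd.service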


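--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
-# This service is used for printing a message if
-# the oci migration failed or was opted out.
-[Unit]
-Description=Warn based on oci migration status
-Before=systemd-user-sessions.service
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/coreos-oci-migration-motd
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target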


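--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-[Service]
-StateDirectory=coreos-oci-migration
-ExecStartPre=-/usr/libexec/coreos-oci-rebase
-# wait for 3 min
-TimeoutStartSec=300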


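--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
-#!/usr/bin/bash
-# This script checks if oci migration failed
-# or was opted-out and prints the appropriate message
-# to the console.
-#
-# See https://github.com/coreos/fedora-coreos-tracker/issues/1890
-# See migration script discussion in https://github.com/coreos/fedora-coreos-config/pull/3355
-OCI_MIGRATION_OPT_OUT=/var/lib/coreos-oci-migration/opt-out.stamp
-OCI_MIGRATION_FAILED=/var/lib/coreos-oci-migration/failed.stamp
-ZINCATI_ENABLED=$(systemctl is-enabled zincati.service)
-MOTD_PATH=/run/motd.d/30_oci_migration.motd
-# Start by deleting any previous motd we created,
-# e.g. if the migration failed then the user opted out, or fixed it.
-rm -f $MOTD_PATH
-opt_out_message="
-This system has been opted out of the migration to OCI images for
-updates as the opt-out stamp file exists.
-This system will keep updating using the legacy OSTree repository,
-but later this year new Fedora CoreOS updates will cease to be pushed
-to the OSTree repository.
-When ready, the migration can be resumed by deleting
-${OCI_MIGRATION_OPT_OUT}, then restarting zincati.service"
-failed_message="
-The migration to OCI images for updates failed. Check the logs of
-zincati.service for more details.
-This system will keep updating using the legacy OSTree repository,
-but later this year new Fedora CoreOS updates will cease to be pushed
-to the OSTree repository.
-When ready, the migration can be retried by deleting
-${OCI_MIGRATION_FAILED}, then restarting zincati.service"
-zincati_disabled_message="
-The zincati service is disabled on this system.
-If not done so already please migrate the system to the OCI backend
-for updates by running:
-stream=stable # or testing or next
-target=ostree-remote-registry:fedora:quay.io/fedora/fedora-coreos:\$stream
-sudo rpm-ostree rebase \$target --reboot
-Where \$stream matches the Fedora CoreOS stream the system is following."
-write_motd () {
-# Change the output color to yellow
-warn=$(echo -e '\033[0;33m')
-# No color
-nc=$(echo -e '\033[0m')
-cat << EOF > "${MOTD_PATH}"
-${warn}
-##########################################################################
-${1}
-To disable this warning, use:
-sudo systemctl disable coreos-oci-migration-motd.service
-##########################################################################
-${nc}
-EOF
-}
-if [ -e $OCI_MIGRATION_OPT_OUT ]; then
-write_motd "$opt_out_message"
-elif [ -e $OCI_MIGRATION_FAILED ]; then
-write_motd "$failed_message"
-elif [ "$ZINCATI_ENABLED" == "disabled" ]; then
-write_motd "$zincati_disabled_message"
-fi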


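--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
-#!/bin/bash
-# This is a migration script to move FCOS to OCI transport
-#
-# Users that have disabled Zincati or use a non default ostree remote
-# won't be migrated.
-#
-# see https://fedoraproject.org/wiki/Changes/CoreOSOstree2OCIUpdates
-# and https://github.com/coreos/fedora-coreos-tracker/issues/1823
-OCI_MIGRATION_OPT_OUT=/var/lib/coreos-oci-migration/opt-out.stamp
-OCI_MIGRATION_FAILED=/var/lib/coreos-oci-migration/failed.stamp
-if [ -e $OCI_MIGRATION_OPT_OUT ]; then
-echo "${OCI_MIGRATION_OPT_OUT} to opt out of migration exists, doing nothing."
-exit 0
-fi
-# create the failed stamp file as a precaution
-touch $OCI_MIGRATION_FAILED
-# if something goes wrong, exit the script so the failed stamp will remain
-set -euxo pipefail
-CINCINNATI_URL="${CINCINNATI_URL:-https://raw-updates.coreos.fedoraproject.org/v1/graph}"
-# Save the rpm-ostree status.
-echo "Saving rpm-ostree status."
-status=$(rpm-ostree status --json --booted)
-# Maybe the machine is already on an OCI deployment
-booted_imgref=$(jq -r '.deployments[0]."container-image-reference"' <<< "$status")
-if [ "$booted_imgref" != "null" ]; then
-echo "The booted deployment is already an OCI container."
-rm $OCI_MIGRATION_FAILED
-exit 0
-fi
-# check if the origin was changed
-origin=$(jq -r '.deployments[0].origin' <<< "$status" | cut -d ':' -f 1)
-origin_url=$(ostree remote show-url "$origin")
-if [ "$origin_url" != "https://ostree.fedoraproject.org" ]; then
-echo "ERROR: The OSTree origin is not matching the default Fedora CoreOS."
-exit 1
-fi
-# fetch the SHA checksum of the matching OCI image for the booted deployment
-version=$(jq -r '.deployments[0].version' <<< "$status")
-stream=$(jq -r '.deployments[0]."base-commit-meta"."fedora-coreos.stream"' <<< "$status")
-checksum=$(jq -r '.deployments[0].checksum' <<< "$status")
-arch=$(arch)
-cin_url="$CINCINNATI_URL?basearch=$arch&stream=$stream&oci=true"
-# Wait for the network to be online
-echo "Waiting for the network to be online."
-nm-online --timeout 120
-# Grab the OCI update graph that matches our stream and arch.
-echo "Fetching cincinnati update graph for stream $stream on $arch"
-cincinnati_graph=$(curl "$cin_url" -s)
-imgref=$(echo "$cincinnati_graph" | jq --arg VERSION "$version" -r '.nodes[] | select(.version==$VERSION) | .payload')
-if [ "$imgref" == "" ]; then
-echo "ERROR: Could not find the current deployment in the update graph from cincinnati."
-echo " If it is proxied, you can override the cincinnati url with an environment variable."
-echo " e.g. CINCINNATI_URL=https://custom-cincinnati-address.com/v1/graph /usr/libexec/coreos-oci-rebase"
-echo " Or add a drop-in to zincati with 'Environment=...'"
-exit 1
-fi
-echo "Found OCI image $imgref in the update graph that matches the local deployment version."
-digest=$(echo "$imgref" | cut -d '@' -f 2)
-# Proceed with the migration by writing an override status file,
-# so at the next update, Zincati will pull the OCI image.
-echo "Writing a status override file for the booted deployment in /run/zincati/booted-status-override.json"
-cat > /run/zincati/booted-status-override.json << EOF
-{
-"booted": true,
-"container-image-reference": "ostree-remote-registry:fedora:$imgref",
-"container-image-reference-digest": "$digest",
-"base-commit-meta": {
-"fedora-coreos.stream": "$stream"
-},
-"checksum": "$checksum",
-"version": "$version"
-}
-EOF
-echo "Zincati will rebase to an OCI image for the next update."
-# All went well, delete the failed stamp
-rm $OCI_MIGRATION_FAILED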


@@ -37,6 +37,15 @@ Things that are more closely "Fedora CoreOS":
key found.
* display warnings if mount points are not set up properly
17fcos-container-signing
------------------------
Configuration for container signature verification for our
fedora-coreos containers pulled from quay.io. Initially adding
here in a separate overlay to make it easy to include on specific
streams for the time being. Eventually can probably put this in
15fcos.
20platform-chrony
-----------------
@@ -72,18 +81,18 @@ information.
[1] https://github.com/coreos/fedora-coreos-tracker/issues/1517
35oci-migration
-------------------
35container-signing-migration
-----------------------------
Trigger a migration script to instruct Zincati to rebase the system
to using OCI images from quay.io/fedora/fedora-coreos for future
updates. [1]
This is composed of a migration script [2] and a motd generator to
instruct the user if something go wrong or show a reminder if the
user opted out.
This overlay will be used to perform a migration such
that upgrading systems will start using container signatures
for verification as opposed to OSTree commit signatures.
[1] https://github.com/coreos/fedora-coreos-tracker/issues/1890
[2] https://github.com/coreos/fedora-coreos-config/pull/3355
This is a necessary step for F43 as part of the build-via-container
change [1]. See [2].
[1] https://github.com/coreos/fedora-coreos-tracker/issues/1969
[2] https://github.com/coreos/fedora-coreos-tracker/issues/2029
50alternatives
--------------


@@ -319,18 +319,28 @@ systemd-run --wait --property=After=coreos-fix-selinux-labels.service \
# we have one more test. We'll now rebase to the target
# version, which should be in the compose OSTree repo.
if vereq $version $last_release; then
# Since we'll be manually running `rpm-ostree` let's stop zincati
systemctl stop zincati
# Since in the next steps we are making multiple copies of the update on the
# system (i.e. update.ociarchive and copying into OSTree storage) let's free
# up some space by dropping the rollback deployment.
rpm-ostree cleanup --rollback
# Pull the ociarchive from the builds dir here because the
# containers aren't pushed to quay until the release job is run
# and that hasn't happened yet.
curl -L -o /srv/update.ociarchive \
"https://builds.coreos.fedoraproject.org/prod/streams/${target_stream}/builds/${target_version}/${arch}/fedora-coreos-${target_version}-ostree.${arch}.ociarchive"
rpm-ostree rebase "ostree-unverified-image:oci-archive:/srv/update.ociarchive"
rm /srv/update.ociarchive
inspect=$(skopeo inspect --retry-times=3 -n docker://quay.io/fedora/fedora-coreos:${target_stream})
registry_version=$(jq -r '.Labels."org.opencontainers.image.version"' <<< "${inspect}")
if [ "${registry_version}" == "${target_version}" ]; then
# If the container is already pushed to the registry we'll just upgrade
rpm-ostree upgrade
else
# Since in the next steps we are making multiple copies of the update on the
# system (i.e. update.ociarchive and copying into OSTree storage) let's free
# up some space by dropping the rollback deployment.
rpm-ostree cleanup --rollback
# Pull the ociarchive from the builds dir here because the
# containers aren't pushed to quay yet. This can happen in the
# case where the release job isn't autotriggered (i.e. prod builds)
# or if somehow the release job failed.
curl -L -o /srv/update.ociarchive \
"https://builds.coreos.fedoraproject.org/prod/streams/${target_stream}/builds/${target_version}/${arch}/fedora-coreos-${target_version}-ostree.${arch}.ociarchive"
rpm-ostree rebase "ostree-unverified-image:oci-archive:/srv/update.ociarchive"
rm /srv/update.ociarchive
fi
/tmp/autopkgtest-reboot $version # execute the reboot
sleep infinity
fi
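Review bot: A failed or empty `skopeo inspect` (and with it an empty or `null` `registry_version` after `jq -r`) is indistinguishable in the new `if [ "${registry_version}" == "${target_version}" ]` from "container not pushed yet", so the test silently takes the slower ociarchive path and a registry problem never shows up in the log; whether `set -e` would abort on the `inspect=$(...)` assignment instead depends on options set outside the hunk. One line before the `if` makes the decision visible: `echo "registry tag ${target_stream} reports version '${registry_version}', target is ${target_version}"`. Minor: `${target_stream}` in the skopeo argument is unquoted while the curl URL quotes its expansions; `"docker://quay.io/fedora/fedora-coreos:${target_stream}"` would match. The surrounding script continues outside the hunk.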