
tree: import changes from testing-devel at 29ac01e6e7

This commit is contained in:
CoreOS Bot
2025-06-23 19:00:27 +00:00
parent 5daeab2fb8
commit b724137691
6 changed files with 89 additions and 73 deletions


@@ -14,11 +14,6 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Validate synced Containerfile
run: |
set -xeuo pipefail
cat Containerfile.* > Containerfile
git diff --exit-code
# cargo-culted from rpm-ostree CI
# https://github.com/containers/podman/discussions/17362
- name: Get newer podman
@@ -30,6 +25,8 @@ jobs:
# Something is confused in latest GHA here
sudo rm /var/lib/containers -rf
- name: Build
run: podman build --security-opt=label=disable --cap-add=all --device /dev/fuse . -t localhost/fedora-coreos
# Note: we should be able to drop the `-v $PWD:/run/src` once
# https://github.com/containers/buildah/issues/5952 is fixed.
run: podman build --security-opt=label=disable --cap-add=all --device /dev/fuse --build-arg-file build-args.conf -v $PWD:/run/src . -t localhost/fedora-coreos
- name: Sanity-check
run: podman run --rm localhost/fedora-coreos echo hello
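Review bot: The new `podman build` line in the second hunk passes `-v $PWD:/run/src` unquoted; under the workflow's default bash shell a workspace path containing whitespace would be word-split into separate arguments, so quote it as `-v "$PWD:/run/src"`. That mount also hands every RUN in the build access to the checkout, which the Containerfile relies on to stage its intermediate archive; the comment already marks it as a workaround tied to the linked buildah issue, so naming the step that actually writes there, e.g. `# Needed so the chunked-OCI stage can stage its archive in the context`, would help whoever later removes it. The job's remaining steps continue outside the visible lines.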


@@ -1,19 +1,15 @@
# DO NOT EDIT. This Containerfile is produced by the concatenation of:
# - Containerfile.advisory: contains this advisory
# - Containerfile.args: contains stream-specific build args
# - Containerfile.base: actual build logic
# Rebuild it using `cat Containerfile.* > Containerfile`.
# To build this, run podman/buildah like this:
#
# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse \
# --build-arg-file build-args.conf -v $PWD:/run/src . -t localhost/fedora-coreos
#
# Note: we should be able to drop the `-v $PWD:/run/src` once
# https://github.com/containers/buildah/issues/5952 is fixed.
### Containerfile.args
# This is the developer default version. In pipelines, this is driven by versionary.
ARG VERSION="42"
# XXX: This should be a digested pull that gets bumped.
# https://gitlab.com/fedora/bootc/tracker/-/issues/34
ARG BUILDER_IMG=quay.io/fedora/fedora-bootc:42
ARG MANIFEST=manifest.yaml
### Containerfile.base
# Overridden by argfile.conf. The values here are invalid on purpose.
ARG VERSION=overridden
ARG BUILDER_IMG=overridden
ARG MANIFEST=overridden
FROM ${BUILDER_IMG} as builder
@@ -27,10 +23,23 @@ ARG MANIFEST
# Note: once we can rely on https://github.com/coreos/rpm-ostree/pull/5391,
# add this bit to the RUN command to make the developer path less painful.
# --mount=type=cache,rw,id=coreos-build-cache,target=/cache
RUN --mount=type=bind,target=/run/src /run/src/build-rootfs "${MANIFEST}" "${VERSION}" /target-rootfs
RUN --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo \
--mount=type=secret,id=contentsets \
--mount=type=bind,target=/run/src \
/run/src/build-rootfs "${MANIFEST}" "${VERSION}" /target-rootfs
RUN --mount=type=bind,target=/run/src,rw \
rpm-ostree experimental compose build-chunked-oci \
--bootc --format-version=1 --rootfs /target-rootfs \
--output oci-archive:/run/src/out.ociarchive
FROM scratch
FROM oci-archive:./out.ociarchive
ARG VERSION
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,target=/var/tmp \
--mount=type=bind,target=/run/src,rw \
rm /run/src/out.ociarchive
COPY --from=builder /target-rootfs/ /
RUN <<EOF
set -xeuo pipefail
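Review bot: In the second hunk the `build-chunked-oci` step writes `out.ociarchive` into the build context through the `rw` bind mount and only the final stage's `rm` removes it, so a build that fails or is interrupted between the two leaves the archive in the checkout, where it can be swept into the next build's context or committed by accident. Unless it is already covered, `out.ociarchive` should be listed in `.gitignore` and `.containerignore`. A one-line comment above that RUN, such as `# Transient: consumed by the FROM oci-archive: line below and deleted in the final stage`, would make the ordering dependency between the stages explicit, matching the comment the commit already adds to the cleanup RUN. The final stage's heredoc continues outside the visible lines.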


@@ -1,6 +0,0 @@
# DO NOT EDIT. This Containerfile is produced by the concatenation of:
# - Containerfile.advisory: contains this advisory
# - Containerfile.args: contains stream-specific build args
# - Containerfile.base: actual build logic
# Rebuild it using `cat Containerfile.* > Containerfile`.


@@ -1,31 +0,0 @@
### Containerfile.base
FROM ${BUILDER_IMG} as builder
ARG VERSION
ARG MANIFEST
# useful if you're hacking on rpm-ostree/bootc-base-imagectl
# COPY rpm-ostree /usr/bin/
# COPY bootc-base-imagectl /usr/libexec/
# Note: once we can rely on https://github.com/coreos/rpm-ostree/pull/5391,
# add this bit to the RUN command to make the developer path less painful.
# --mount=type=cache,rw,id=coreos-build-cache,target=/cache
RUN --mount=type=bind,target=/run/src /run/src/build-rootfs "${MANIFEST}" "${VERSION}" /target-rootfs
FROM scratch
ARG VERSION
COPY --from=builder /target-rootfs/ /
RUN <<EOF
set -xeuo pipefail
for script in /usr/libexec/coreos-postprocess-*; do
$script; rm $script
done
EOF
LABEL containers.bootc=1
LABEL ostree.bootable=1
LABEL org.opencontainers.image.version=$VERSION
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]


@@ -1,9 +1,9 @@
### Containerfile.args
# Stream-specific build arguments.
# Pass to buildah/podman using `--build-arg-file`.
# This is the developer default version. In pipelines, this is driven by versionary.
ARG VERSION="42"
VERSION="42"
# XXX: This should be a digested pull that gets bumped.
# https://gitlab.com/fedora/bootc/tracker/-/issues/34
ARG BUILDER_IMG=quay.io/fedora/fedora-bootc:42
ARG MANIFEST=manifest.yaml
BUILDER_IMG=quay.io/fedora/fedora-bootc:42
MANIFEST=manifest.yaml


@@ -32,15 +32,17 @@ def main():
locked_nevras = get_locked_nevras()
if locked_nevras:
inject_pool_repo(locked_nevras)
inject_pool_repo_if_exists(locked_nevras)
packages.extend(locked_nevras)
overlays = gather_overlays(manifest)
build_rootfs(target_rootfs, manifest_path, packages, overlays)
nodocs = (manifest.get('documentation') is False)
build_rootfs(target_rootfs, manifest_path, packages, overlays, nodocs)
inject_live(target_rootfs)
inject_image_json(target_rootfs, manifest_path)
inject_platforms_json(target_rootfs)
inject_content_manifest(target_rootfs, manifest)
if version != "":
inject_version_info(target_rootfs, manifest['mutate-os-release'], version)
@@ -64,17 +66,19 @@ def get_treefile(manifest_path):
return json.loads(data)
def build_rootfs(target_rootfs, manifest_path, packages, overlays):
def build_rootfs(target_rootfs, manifest_path, packages, overlays, nodocs):
with tempfile.NamedTemporaryFile(mode='w') as argsfile:
for pkg in packages:
argsfile.write(f"--install={pkg}\n")
for overlay in overlays:
argsfile.write(f"--add-dir={overlay}\n")
if nodocs:
argsfile.write("--no-docs\n")
argsfile.flush()
cache_arg = ['--cachedir=/cache'] if os.path.isdir('/cache') else []
subprocess.check_call(["/usr/libexec/bootc-base-imagectl",
"--args-file", argsfile.name, "build-rootfs",
"--manifest", 'fedora-minimal-plus',
"--manifest", 'minimal-plus',
target_rootfs] + cache_arg)
@@ -108,12 +112,15 @@ def get_locked_nevras():
return [f'{k}-{v}' for (k, v) in locks.items()]
def inject_pool_repo(locked_nevras):
def inject_pool_repo_if_exists(locked_nevras):
srcrepo = os.path.join(CONTEXTDIR, "fedora-coreos-pool.repo")
if not os.path.exists(srcrepo):
return
# When adding the pool, we only want to _filter in_ locked packages;
# matching `lockfile-repos` semantics. This is abusing pretty hard the
# `includepkgs=` semantic but... it works.
shutil.copyfile(os.path.join(CONTEXTDIR, "fedora-coreos-pool.repo"),
"/etc/yum.repos.d/pool.repo")
shutil.copyfile(srcrepo, "/etc/yum.repos.d/pool.repo")
packages = ','.join(locked_nevras)
with open("/etc/yum.repos.d/pool.repo", 'a') as f:
f.write(f"\nincludepkgs={packages}\n")
@@ -128,7 +135,13 @@ def inject_version_info(rootfs, base_version, version):
os_release_path = os.path.join(rootfs, 'usr/lib/os-release')
with open(os_release_path) as f:
from collections import OrderedDict
os_release = OrderedDict([line.strip().split('=', 1) for line in f])
os_release = OrderedDict()
for line in f:
line = line.strip()
if len(line) == 0 or line.startswith('#'):
continue
(k, v) = line.split('=', 1)
os_release[k] = v
for key in ['VERSION', 'PRETTY_NAME']:
os_release[key] = os_release[key].replace(base_version, version)
@@ -164,6 +177,40 @@ def inject_image_json(rootfs, manifest_path):
json.dump(image, f, sort_keys=True)
def inject_content_manifest(target_rootfs, manifest):
content_manifest_path = '/run/secrets/contentsets'
if not os.path.exists(content_manifest_path):
return
with open(content_manifest_path) as f:
data = yaml.safe_load(f)
repos = []
for base_repo in manifest['repos']:
if base_repo in data['repo_mapping']:
if data['repo_mapping'][base_repo]['name'] != '':
repo_name = data['repo_mapping'][base_repo]['name'].replace('$ARCH', ARCH)
repos.append(repo_name)
else:
print('Warning: No corresponding repo in repository-to-cpe.json for ' + base_repo)
else:
# Warning message for repositories with no entry in content_sets.yaml
print('Warning: No corresponding entry in content_sets.yaml for ' + base_repo)
dest = os.path.join(target_rootfs, "usr/share/buildinfo/content_manifest.json")
os.makedirs(os.path.dirname(dest), exist_ok=True)
with open(dest, 'w') as f:
json.dump(fp=f, obj={
'metadata': {
'icm_version': 1,
'icm_spec': 'https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json',
'image_layer_index': 1
},
'content_sets': repos,
'image_contents': []
})
# Imported from cosa
# Merge two lists, avoiding duplicates. Exact duplicate kargs could be valid
# but we have no use case for them right now in our official images.