# This manifest file defines things that should really only go
# into "official" builds of Fedora CoreOS (such as including `fedora-release-coreos`)
# or are very "opinionated" like disabling SSH passwords by default.
include: fedora-coreos-base.yaml
conditional-include:
- if: releasever >= 41
include: selinux-workaround.yaml
# If not production then disable Zincati
- if: prod == false
include:
postprocess:
- |
#!/usr/bin/bash
# Non-production streams must not auto-update: drop a Zincati config
# fragment that turns updates off. The content is static, so it is
# written with printf rather than an expanding here-doc.
set -euxo pipefail
printf '%s\n' \
  '# https://github.com/coreos/fedora-coreos-tracker/issues/163' \
  'updates.enabled = false' \
  > /etc/zincati/config.d/90-disable-on-non-production-stream.toml
# TODO: There is no coreos-pool tag/repo for RISCV yet
# https://github.com/coreos/fedora-coreos-tracker/issues/1931
- if: basearch != "riscv64"
include:
# All Fedora CoreOS streams share the same pool for locked files.
lockfile-repos:
- fedora-coreos-pool
# In F43 and older, pull in the nfs-utils-coreos package
- if: releasever <= 43
include:
packages:
- nfs-utils-coreos
# In F44 we can use the nfs-client-utils package, which obsoletes nfs-utils-coreos
- if: releasever >= 44
include:
packages:
- nfs-client-utils
# Do the alternatives migration from 43
- if: releasever >= 43
include:
ostree-layers:
- overlay/50alternatives
ostree-layers:
- overlay/15fcos
- overlay/17fcos-container-signing
packages:
- fedora-release-coreos
- fedora-repos-ostree
# CL ships this.
- moby-engine
# Already pulled in by moby-engine, but let's be explicit. Typhoon uses it.
- containerd
# Updates
- zincati
# Include and set the default editor
- nano nano-default-editor
# Introduce a default colored prompt for Fedora's default shell bash.
# https://github.com/coreos/fedora-coreos-tracker/issues/1567
- bash-color-prompt
# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos-base.yaml
postprocess:
# Disable Zincati on non-release builds
# https://github.com/coreos/fedora-coreos-tracker/issues/212
- |
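#!/usr/bin/env bash
# Disable Zincati on development builds (an OSTree version containing
# ".dev") so a dev image never tries to pull updates from a release stream.
# https://github.com/coreos/fedora-coreos-tracker/issues/212
set -euxo pipefail
source /etc/os-release
# OSTREE_VERSION is expected to come from os-release; with `set -u` the
# build fails loudly if the file does not define it.
if [[ "${OSTREE_VERSION}" == *.dev* ]]; then
  mkdir -p /etc/zincati/config.d
  # printf instead of `echo -e`: echo's escape handling is not portable.
  printf '%s\n' \
    '# https://github.com/coreos/fedora-coreos-tracker/issues/212' \
    'updates.enabled = false' \
    > /etc/zincati/config.d/95-disable-on-dev.toml
fi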
# Users shouldn't be configuring `rpm-ostreed.conf`
# https://github.com/coreos/fedora-coreos-tracker/issues/271
- |
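#!/usr/bin/env bash
# Prepend a warning header to rpm-ostreed.conf telling users not to edit
# it, since zincati.service owns update configuration on this system.
# https://github.com/coreos/fedora-coreos-tracker/issues/271
set -xeuo pipefail

# Stage the new file under a private mktemp name instead of a fixed,
# predictable /tmp path, and clean it up on every exit path.
tmp_conf=$(mktemp)
trap 'rm -f -- "${tmp_conf}"' EXIT

# Quoted delimiter: the header is literal text, nothing is expanded.
cat > "${tmp_conf}" <<'EOF'
# By default, this system has its OS updates managed by
# `zincati.service`. Changes made to this file may
# conflict with the configuration of `zincati.service`.
# See https://github.com/coreos/zincati for additional
# information.

EOF

conf_file=/usr/etc/rpm-ostreed.conf
# if we're deriving, then the config is in /etc already
if [[ -f /run/.containerenv ]]; then
  conf_file=/etc/rpm-ostreed.conf
fi
cat -- "${conf_file}" >> "${tmp_conf}"
# cp (not mv) so the destination keeps its existing ownership and mode.
cp -- "${tmp_conf}" "${conf_file}"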
# Make sure that we do not ship broken symlinks:
# https://github.com/coreos/fedora-coreos-config/issues/1782
# Remove known broken symlinks that point to non-existing files or directories:
# - Remove `.build-id` for binaries that we remove in other parts of the FCOS manifest
# - Remove links to man pages that we remove in FCOS
# Man pages are removed in FCOS, so the alternatives links that point to them are left broken.
# Docs removal comes from manifests/fedora-coreos.yaml
# - systemd-firstboot comes from manifests/ignition-and-ostree.yaml
# - systemd-gpt-auto-generator comes from ignition-and-ostree.yaml
- |
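#!/usr/bin/env bash
# Remove dangling symlinks left behind by files we delete elsewhere in the
# FCOS manifests (docs, man pages, systemd-firstboot, gpt-auto-generator).
# https://github.com/coreos/fedora-coreos-config/issues/1782
set -euo pipefail

# Directories in which dangling links are expected and may be removed.
list_broken_symlinks_folders=(
  '/etc/alternatives/'
  '/usr/lib/.build-id/'
)

# It is not possible to remove files from usr after first boot so that is
# why we are removing them in the postprocess scripts here.
# The .build-id links are pointing to binaries that we remove in other parts of the FCOS manifest.
# Only links whose resolved target lies under one of these known-removed
# paths are deleted; any other dangling link is left in place so it still
# gets noticed.
list_known_removed_folders=(
  '/usr/bin/systemd-firstboot'
  '/usr/lib/systemd/system-generators/systemd-gpt-auto-generator'
  '/usr/share/doc/'
  '/usr/share/info/'
  '/usr/share/man/'
)

for folder in "${list_broken_symlinks_folders[@]}"; do
  # Kept as a pipeline (not process substitution) so that, with pipefail,
  # a failing find still aborts the build. NUL-delimited names plus
  # `IFS=` keep whitespace and newlines in link names intact.
  find "${folder}" -type l -print0 | while IFS= read -r -d '' file_name; do
    # -m resolves the link chain even though the final target is missing.
    real_path=$(realpath -m -- "${file_name}")
    if [[ -e "${real_path}" ]]; then
      continue
    fi
    for element in "${list_known_removed_folders[@]}"; do
      if [[ "${real_path}" == "${element}"* ]]; then
        # Plain rm on the link path removes only the link, never its target;
        # `break` so a removed name is not handed to rm a second time.
        rm -f -- "${file_name}"
        break
      fi
    done
  done
done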
# Delete documentation. (Note that fedora-bootc doesn't explicitly set
# `documentation`, and neither do we, so the rpm-ostree default is true. We
# historically have effectively done the equivalent of `documentation: false`
# though.)
- |
#!/usr/bin/env bash
# Strip documentation trees from the image; this is the effective
# equivalent of `documentation: false` that FCOS has always shipped.
set -xeuo pipefail

# Neither man(1) nor info(1) is shipped, and the text docs go with them.
rm -rf -- /usr/share/info /usr/share/man /usr/share/doc

# The alternatives entries for those man pages are now dangling; drop them
# (-f makes an unmatched glob harmless).
rm -f -- /etc/alternatives/*-man
# Add the docker group to /etc/group
# https://github.com/coreos/fedora-coreos-tracker/issues/2
# This will be no longer needed when systemd-sysusers has been implemented:
# https://github.com/projectatomic/rpm-ostree/issues/49
- |
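#!/usr/bin/env bash
# When building via container, copy the docker group entry from
# /usr/lib/group into /etc/group.
# https://github.com/coreos/fedora-coreos-tracker/issues/2
# https://github.com/projectatomic/rpm-ostree/issues/49
set -xeuo pipefail
if [[ -f /run/.containerenv ]]; then
  # Append only when the group is not already present, so re-running this
  # step never produces duplicate docker entries in /etc/group.
  if ! grep -q -- '^docker:' /etc/group; then
    # Under `set -e` a missing docker entry in /usr/lib/group fails the
    # build loudly rather than silently shipping without the group.
    grep -- '^docker:' /usr/lib/group >> /etc/group
  fi
fi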
# Implement exclude-packages: in a postprocess because when building
# via container we don't have exclude-packages functionality.
#
# These are things we don't expect to ship on the host. We currently
# have recommends: false so these could only come in via hard requirement,
# in which case the build will fail.
- |
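#!/usr/bin/env bash
# Fail the build if anything provides functionality we exclude from the host.
#
# Deliberately no `set -e` / `pipefail`: `rpm -q --whatprovides` exits
# non-zero for every name that nothing provides (the expected outcome),
# and `grep -v` exits 1 when it filters every line out. The `if` below is
# the real check.
set -x
excludes=(
  perl
  perl-interpreter
  python
  python3
  python3-libs
  nodejs
  grubby
  cowsay # Just in case
  # Let's make sure initscripts doesn't get pulled back in
  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
  initscripts
  # nor /usr/sbin/service
  initscripts-service
  # For (datacenter/cloud oriented) servers, we want to see the details by default.
  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
  plymouth
  # Do not use legacy ifcfg config format in NetworkManager
  # See https://github.com/coreos/fedora-coreos-config/pull/1991
  NetworkManager-initscripts-ifcfg-rh
)
# Determine if anything that isn't allowed is actually provided.
# The array is quoted so each name is passed to rpm as exactly one argument.
actuals="$(rpm -q --whatprovides "${excludes[@]}" | grep -v 'no package provides')"
if [[ -n "${actuals}" ]]; then
  printf '%s\n' "Something is providing excluded RPM functionality!" >&2
  printf '%s\n' "${actuals}" >&2
  exit 1
fi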
# We don't want auto-generated mount units. See also
# https://github.com/systemd/systemd/issues/13099
- |
#!/usr/bin/env bash
# Drop systemd-gpt-auto-generator so no mount units are auto-generated.
# https://github.com/systemd/systemd/issues/13099
set -x
rm -vf -- /usr/lib/systemd/system-generators/systemd-gpt-auto-generator