Initial split from Fedora CoreOS

This commit is contained in:
Colin Walters 2022-12-09 15:30:03 -05:00
commit 60d8e77ee4
18 changed files with 743 additions and 0 deletions


@ -0,0 +1,53 @@
# This minimal base starts just from: kernel + systemd + rpm-ostree + bootloader.
# The intent of this is to inherit from this if you are doing something highly
# custom that e.g. might not involve Ignition or podman, but you do want
# rpm-ostree.
# We expect most people though using coreos-assembler to inherit from
# fedora-coreos-base.yaml.
packages:
# Kernel + systemd.
- kernel systemd
# linux-firmware now a recommends so let's explicitly include it
# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- linux-firmware
# rpm-ostree
- rpm-ostree nss-altfiles
# bootloader
packages-aarch64:
- grub2-efi-aa64 efibootmgr shim
# firmware updates
- fwupd
packages-ppc64le:
- grub2 ostree-grub2
# firmware updates
- fwupd
packages-s390x:
# On Fedora, this is provided by s390utils-core. on RHEL, this is for now
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
# for Secure Execution
- veritysetup
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
# firmware updates
- fwupd
postprocess:
# See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
# https://bugzilla.redhat.com/show_bug.cgi?id=2112857
# https://github.com/coreos/rpm-ostree/issues/3918
# Temporary workaround to remove the SetGID binary from liblockfile that is
# pulled by the s390utils but not needed for /usr/sbin/zipl.
- |
#!/usr/bin/env bash
set -xeuo pipefail
rm -f /usr/bin/dotlockfile
exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get
# chosen as the package to satisfy the `kernel-core` dependency from
# the kernel package.
- kernel-debug-core
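Review bot: The `rm -f /usr/bin/dotlockfile` workaround runs unconditionally on every architecture, while the comment above it ties the setgid binary to s390utils; `-f` turns the removal into a silent no-op everywhere else, so nobody will notice when the binary stops being shipped and the block can be retired. If liblockfile really only arrives via s390utils, move the snippet under a `conditional-include` keyed on `basearch == "s390x"` (the manifest already uses that mechanism for grub2-removals.yaml) and drop the `-f` so the script fails loudly once the file is gone. Either way, extend the comment with the condition for removing the workaround, e.g. `# Drop once the linked rpm-ostree issue is fixed or liblockfile no longer ships a setgid binary`.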

13
oscore/bootupd.yaml Normal file

@ -0,0 +1,13 @@
# Integration with https://github.com/coreos/bootupd
# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
packages:
- bootupd
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Until we have https://github.com/coreos/rpm-ostree/pull/2275
mkdir -p /run
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata /
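Review bot: The shebang `#!/bin/bash` differs from the `#!/usr/bin/env bash` used by every other postprocess script in this commit (bootable-rpm-ostree.yaml, manifest.yaml, shared-workarounds.yaml); pick one form and use it file-wide. The `# Until we have https://github.com/coreos/rpm-ostree/pull/2275` comment above `mkdir -p /run` links the PR but does not say what it provides, so a reader cannot tell when the line becomes redundant; one clause naming the behaviour the PR adds would make the line self-retiring.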

76
oscore/fedora-next.repo Normal file

@ -0,0 +1,76 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora-next]
name=Fedora $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-updates]
name=Fedora $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-updates-testing]
name=Fedora $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-modular]
name=Fedora Modular $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Modular/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Modular/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-next-updates-modular]
name=Fedora Modular $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-next-updates-testing-modular]
name=Fedora Modular $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
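Review bot: The `[fedora-next-modular]` and `[fedora-next-updates-modular]` stanzas point `gpgkey=` at `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch`, while every other stanza in the file uses `file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary`, and `[fedora-next-updates-testing-modular]` mixes the two. With `gpgcheck=1`, package verification depends on that key file existing in the compose environment, so the paths should be unified on whichever key file that environment actually ships, or the difference explained in a comment. The two `updates-testing` stanzas also omit the `repo_gpgcheck=0` and `type=rpm` lines the other stanzas carry; add them or note that the defaults are intended. oscore/fedora.repo repeats the same pattern stanza for stanza.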


@ -0,0 +1,38 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora-rawhide]
name=Fedora - Rawhide - Developmental packages for the next Fedora release
baseurl=http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/rawhide/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch
enabled=1
countme=1
metadata_expire=6h
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
excludepkgs=kernel kernel-core kernel-modules
# We are choosing to use only nodebug kernels in Fedora CoreOS
# for our testing. We've seen too many issues where an issue either
# shows up only on the debug kernels OR a debug kernel gives us a
# false positive or negative when trying to root cause a failure.
# Thus we use the nodebug kernel repo [1] and includepkgs=kernel
# here and excludepkgs=kernel above.
#
# [1] https://fedoraproject.org/wiki/RawhideKernelNodebug
[fedora-rawhide-nodebug-kernel]
name=nodebug kernels for Rawhide
baseurl=https://dl.fedoraproject.org/pub/alt/rawhide-kernel-nodebug/$basearch/
enabled=1
countme=1
metadata_expire=6h
repo_gpgcheck=0
type=rpm
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
includepkgs=kernel kernel-core kernel-modules
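Review bot: `[fedora-rawhide-nodebug-kernel]` sets `gpgcheck=0`, so kernel, kernel-core and kernel-modules — exactly the packages `includepkgs=` routes through this repo — are installed without signature verification, and the `gpgkey=` line beneath it is dead. If the nodebug builds are unsigned, say so in the comment block above the stanza so the trade-off is explicit and gets revisited; if they are signed, set `gpgcheck=1` and point `gpgkey=` at the matching key. Separately, the first `baseurl=` entry of `[fedora-rawhide]` uses `http://` while its fallback and every other repo file in this commit use `https://`; with `repo_gpgcheck=0` the repository metadata is not signature-checked, so transport security is what protects it from tampering — change it to `baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/$basearch/os/`.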

76
oscore/fedora.repo Normal file

@ -0,0 +1,76 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora]
name=Fedora $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-updates-testing]
name=Fedora $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-modular]
name=Fedora Modular $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-updates-modular]
name=Fedora Modular $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-updates-testing-modular]
name=Fedora Modular $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False


@ -0,0 +1,8 @@
# Moving files around and verifying them
packages:
- git-core
- gnupg2
- rsync
# Explicit dependency on curl because we use it in coreos-livepxe-rootfs.sh
# We need curl and not curl-minimal because we support TFTP.
- curl

46
oscore/group Normal file

@ -0,0 +1,46 @@
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
sudo:x:16:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
ssh_keys:x:999:
systemd-journal:x:190:
polkitd:x:998:
etcd:x:997:
dip:x:40:
cgred:x:996:
avahi-autoipd:x:170:
sssd:x:993:
dockerroot:x:986:
rpcuser:x:29:
nfsnobody:x:65534:
kube:x:994:
chrony:x:992:
tcpdump:x:72:
ceph:x:167:
input:x:104:
systemd-timesync:x:991:
systemd-network:x:990:
systemd-resolve:x:989:
systemd-bus-proxy:x:988:
cockpit-ws:x:987:


@ -0,0 +1,8 @@
remove-from-packages:
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]
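Review bot: The last pattern in the `remove-from-packages` entry, `/usr/lib/systemd/.*`, strips every file grub2-tools installs under /usr/lib/systemd, but the comment only says the grub bits are desktop-oriented; a future grub2-tools release that adds an unrelated unit there would be dropped silently. Name what the pattern is meant to catch so the match stays deliberate, e.g. extend the comment with `# ... and every unit/timer grub2-tools ships under /usr/lib/systemd (the boot-success / menu-hiding machinery behind the grub.d scripts above)`, and consider narrowing the regex to those units once they are listed.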


@ -0,0 +1,12 @@
# This file includes a fixup for kdump on aarch64 AWS instances.
# The issue seems specific to aarch64 AWS instances, but we'll go
# ahead and apply it across the board for aarch64, since that's
# the easiest thing to do. Hopefully the upstream issue will get
# resolved soon.
postprocess:
- |
#!/usr/bin/env bash
# Remove irqpoll from the list of KDUMP_COMMANDLINE_APPEND. This
# causes issues on aarch64 AWS instances.
# https://github.com/coreos/fedora-coreos-tracker/issues/1187
sed -i -e 's/irqpoll //' /etc/sysconfig/kdump
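Review bot: The postprocess script has no `set -xeuo pipefail` line, unlike the other scripts in this commit (bootable-rpm-ostree.yaml, manifest.yaml, shared-workarounds.yaml), and `sed -i -e 's/irqpoll //' /etc/sysconfig/kdump` exits 0 whether or not `irqpoll` was present, so if a later kexec-tools version renames or drops the option the workaround would silently stop applying. Add `set -xeuo pipefail` after the shebang and make the edit assert its precondition, e.g. `grep -q 'irqpoll ' /etc/sysconfig/kdump` immediately before the sed so the compose fails when there is nothing to strip. The kdump postprocess in system-configuration.yaml has the same shape and should get the same treatment.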

202
oscore/manifest.yaml Normal file

@ -0,0 +1,202 @@
releasever: 37
repos:
- fedora
- fedora-updates
metadata:
name: fedora-oscore
summary: Fedora OSCore
# Modern defaults we want
boot-location: modules
tmp-is-dir: true
# This one at least historically broke compatibility with Anaconda, but
# let's use it by default now.
machineid-compat: false
# Be minimal
recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
include:
- bootable-rpm-ostree.yaml
- file-transfer.yaml
- networking-tools.yaml
- system-configuration.yaml
- user-experience.yaml
- shared-workarounds.yaml
conditional-include:
- if: basearch != "s390x"
# And remove some cruft from grub2
include: grub2-removals.yaml
remove-from-packages:
# Generally we expect other tools to do this (e.g. Ignition or cloud-init)
- [systemd, /usr/bin/systemd-firstboot,
/usr/lib/systemd/system/systemd-firstboot.service,
/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
# We don't want auto-generated mount units. See also
# https://github.com/systemd/systemd/issues/13099
- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
# Drop some buggy sysusers fragments which do not match static IDs allocation:
# https://bugzilla.redhat.com/show_bug.cgi?id=2105177
- [dbus-common, /usr/lib/sysusers.d/dbus.conf]
automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
mutate-os-release: "${releasever}"
packages:
# We include this for historical reasons
- fedora-repos-ostree
# fedora-repos-modular was converted into its own subpackage in f33
# Continue to include it in case users want to use it.
- fedora-repos-modular
# Include and set the default editor
- nano nano-default-editor
# Security
- polkit
# Containers
- systemd-container catatonit
- fuse-overlayfs slirp4netns
# support for old style CNI networks and name resolution for
# podman containers with CNI networks
# https://github.com/coreos/fedora-coreos-tracker/issues/519
# https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071338097
- containernetworking-plugins podman-plugins dnsmasq
# For podman v4 netavark gets pulled in but it only recommends
# aardvark-dns (which provides name resolution based on container
# names). This functionality was previously provided by dnsname from
# podman-plugins in the podman v3 stack.
# See https://github.com/containers/netavark/pull/217
- aardvark-dns
# Since we need `containernetworking-plugins` installed to continue
# to support CNI networks we need to also explicitly install
# `netavark` so we get both of them installed since both of them
# provide `container-network-stack`.
# https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071458717
- netavark
# Minimal NFS client
- nfs-utils-coreos
# Active Directory support
- adcli
# Additional firewall support; we aren't including these in RHCOS or they
# don't exist in RHEL
- iptables-nft iptables-services
# WireGuard https://github.com/coreos/fedora-coreos-tracker/issues/362
- wireguard-tools
# Storage
- btrfs-progs
- WALinuxAgent-udev
# Allow communication between sudo and SSSD
# for caching sudo rules by SSSD.
# https://github.com/coreos/fedora-coreos-tracker/issues/445
- libsss_sudo
# SSSD; we only ship a subset of the backends
- sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
# Used by admins interactively
- attr
- openssl
- lsof
# Provides terminal tools like clear, reset, tput, and tset
- ncurses
# file-transfer: note fuse-sshfs is not in RHEL
# so we can't put it in file-transfer.yaml
- fuse-sshfs
# Improved MOTD experience
- console-login-helper-messages-motdgen
# i18n
- kbd
# zram-generator (but not zram-generator-defaults) for F33 change
# https://github.com/coreos/fedora-coreos-tracker/issues/509
- zram-generator
# resolved was broken out to its own package in rawhide/f35
- systemd-resolved
# In F35+ need `iptables-legacy` package
# See https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
- iptables-legacy
# Include the qemu-user-static-x86 package on aarch64 and s390x FCOS images
# to allow access to the large inventory of containers only built for x86_64.
# https://github.com/coreos/fedora-coreos-tracker/issues/1237
packages-x86_64:
- irqbalance
packages-ppc64le:
- irqbalance
- librtas
- powerpc-utils-core
- ppc64-diag-rtas
packages-aarch64:
- irqbalance
- qemu-user-static-x86
packages-s390x:
- qemu-user-static-x86
# See https://github.com/coreos/bootupd
arch-include:
x86_64: bootupd.yaml
aarch64: bootupd.yaml
postprocess:
# Undo RPM scripts enabling units; we want the presets to be canonical
# https://github.com/projectatomic/rpm-ostree/issues/1803
- |
#!/usr/bin/env bash
set -xeuo pipefail
rm -rf /etc/systemd/system/*
systemctl preset-all
rm -rf /etc/systemd/user/*
systemctl --user --global preset-all
# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
# remove iptables-legacy. This is needed because alternatives don't work
# https://github.com/coreos/fedora-coreos-tracker/issues/677
# https://github.com/coreos/fedora-coreos-tracker/issues/676
- |
#!/usr/bin/env bash
set -xeuo pipefail
ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
# Things we don't expect to ship on the host. We currently
# have recommends: false so these could only come in via
# hard requirement, in which case the build will fail.
exclude-packages:
- python
- python2
- python2-libs
- python3
- python3-libs
- perl
- perl-interpreter
- nodejs
- grubby
- cowsay # Just in case
# Let's make sure initscripts doesn't get pulled back in
# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
- initscripts
# For (datacenter/cloud oriented) servers, we want to see the details by default.
# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
- plymouth
# Do not use legacy ifcfg config format in NetworkManager
# See https://github.com/coreos/fedora-coreos-config/pull/1991
- NetworkManager-initscripts-ifcfg-rh
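Review bot: The comment block beginning `# Include the qemu-user-static-x86 package on aarch64 and s390x FCOS images` sits directly above `packages-x86_64:`, which lists only irqbalance; the package it describes appears under `packages-aarch64:` and `packages-s390x:` further down. Move those three comment lines to directly above the first `- qemu-user-static-x86` entry (and add a one-line pointer at the second) so the rationale travels with the entries it explains. In the first postprocess script, the `rm -rf /etc/systemd/system/*` / `rm -rf /etc/systemd/user/*` pair reads as alarming in isolation; the existing comment gives the intent, but a note on the lines themselves such as `# compose-time only: /etc/systemd/* is rebuilt from presets on the next line` would spare the next reader a detour.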


@ -0,0 +1,21 @@
# This defines a set of tools that are useful for configuring, debugging,
# or manipulating the network of a system. It is desired to keep this list
# generic enough to be shared downstream with RHCOS.
packages:
# Standard tools for configuring network/hostname
- NetworkManager hostname
# Interactive Networking configuration during coreos-install
- NetworkManager-tui
# Teaming https://github.com/coreos/fedora-coreos-config/pull/289
# and http://bugzilla.redhat.com/1758162
- NetworkManager-team teamd
# Support for cloud quirks and dynamic config in real rootfs:
# https://github.com/coreos/fedora-coreos-tracker/issues/320
- NetworkManager-cloud-setup
# Route manipulation and QoS
- iproute iproute-tc
# Firewall manipulation
- iptables nftables
# Interactive network tools for admins
- socat net-tools bind-utils

32
oscore/passwd Normal file

@ -0,0 +1,32 @@
adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
bin:x:1:1:bin:/bin:/usr/sbin/nologin
ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
games:x:12:100:games:/usr/games:/usr/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
operator:x:11:0:operator:/root:/usr/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
root:x:0:0:Super User:/root:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
tcpdump:x:72:72::/:/usr/sbin/nologin


@ -0,0 +1,34 @@
# This manifest is a list of shared workarounds that are needed in both Fedora CoreOS
# and downstreams (i.e. Red Hat CoreOS).
postprocess:
# Put in the fix for multipathd.service in dracut on releases that haven't
# been fixed yet.
# https://github.com/dracutdevs/dracut/pull/1606
# https://github.com/coreos/fedora-coreos-config/pull/1233
- |
#!/usr/bin/env bash
set -xeuo pipefail
source /etc/os-release
# This has landed in Fedora but not in any version of RHEL yet
if [[ ${ID} != "rhel" ]]; then
exit 0
fi
mkdir /usr/lib/dracut/modules.d/36coreos-multipath-fix
cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/90-multipathd-remove-execstop.conf <<'EOF'
# Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
[Service]
ExecStop=
EOF
cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh <<'EOF'
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
install() {
# Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
mkdir -p "$systemdsystemunitdir/multipathd.service.d"
inst_simple "$moddir/90-multipathd-remove-execstop.conf" \
"$systemdsystemunitdir/multipathd.service.d/90-multipathd-remove-execstop.conf"
}
EOF
chmod +x /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh
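Review bot: The guard `if [[ ${ID} != "rhel" ]]; then exit 0` keys on an exact `ID=rhel` match from `/etc/os-release`, so a downstream whose os-release carries a different `ID` (with rhel only in `ID_LIKE`) would skip the multipathd fix silently even though the comment says it is needed wherever the dracut change has not landed; if that is intended, say so in the comment, otherwise also consult `ID_LIKE`. The bare `mkdir /usr/lib/dracut/modules.d/36coreos-multipath-fix` is not idempotent and aborts the compose under `set -e` if the directory already exists (e.g. if a package later ships the same module name); `mkdir -p` plus an explicit check that the two files being written do not already exist would make that failure mode deliberate rather than accidental.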


@ -0,0 +1,50 @@
# These are packages that are related to configuring parts of the system.
# It is intended to be kept generic so that it may be shared downstream with
# RHCOS.
packages:
# Configuring SSH keys, cloud provider check-in, etc
# TODO: needs Ignition kargs
# - afterburn afterburn-dracut
# NTP support
- chrony
# Storage configuration/management
## cloud-utils-growpart - For growing root partition
- cifs-utils
- cloud-utils-growpart
- cryptsetup
- device-mapper-multipath
- e2fsprogs
- iscsi-initiator-utils
- lvm2
- mdadm
- sg3_utils
- xfsprogs
# User configuration
- passwd
- shadow-utils
- acl
# SELinux policy
- selinux-policy-targeted
# There are things that write outside of the journal still (such as the
# classic wtmp, etc.). auditd also writes outside the journal but it has its
# own log rotation.
# Anything package layered will also tend to expect files dropped in
# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
# have it then people's disks will slowly fill up with logs.
- logrotate
# Boost starving threads
# https://github.com/coreos/fedora-coreos-tracker/issues/753
- stalld
- ssh-key-dir
postprocess:
# Make kdump work on firstboot
- |
#!/usr/bin/env bash
# Make kdump ignore `ignition.firstboot` when copying kargs from
# the running kernel to the kdump kernel when passing to be kexec.
# This makes it so kdump can be set up on the very first boot.
# Upstream request to have this upstream so we can stop carrying it here:
# https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.org/thread/5P4WIJLW2TSGF4PZGRZGOXYML4RXZU23/
sed -i -e 's/KDUMP_COMMANDLINE_REMOVE="/KDUMP_COMMANDLINE_REMOVE="ignition.firstboot /' /etc/sysconfig/kdump
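Review bot: The sub-comment `## cloud-utils-growpart - For growing root partition` sits above `- cifs-utils` rather than next to the `- cloud-utils-growpart` entry it describes, and the rest of the storage list (`cryptsetup`, `device-mapper-multipath`, `iscsi-initiator-utils`, `mdadm`, `sg3_utils`) carries no rationale at all; move the comment to its entry and give the others one-line reasons in the same `##` style, as the logrotate entry already does. The `# TODO: needs Ignition kargs` above the commented-out `# - afterburn afterburn-dracut` names neither the tracking issue nor the kargs required, which leaves the TODO unactionable; add `# TODO: needs Ignition kargs, see <tracker issue>` with the real reference.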


@ -0,0 +1,46 @@
# This file is included in RHEL CoreOS, see
# https://github.com/openshift/os/blob/71c974b1e456292033e3ef3fe7bcfe17d1855ebc/manifest.yaml#L12
# Only apply changes here that should apply to both FCOS and RHCOS.
# Default to `bash` in our container, the same as other containers we ship.
container-cmd:
- /usr/bin/bash
# These packages are either widely used utilities/services or
# are targeted for improving the general CoreOS user experience.
# It is intended to be kept generic so that it may be shared downstream with
# RHCOS.
packages:
# Basic user tools
## jq - parsing/interacting with JSON data
- bash-completion
- coreutils
- file
- jq
- less
- sudo
- vim-minimal
# File compression/decompression
## bsdtar - dependency of 35coreos-live dracut module
- bsdtar
- bzip2
- gzip
- tar
- xz
- zstd
# Improved MOTD experience
- console-login-helper-messages-issuegen
- console-login-helper-messages-profile
# kdump support
# https://github.com/coreos/fedora-coreos-tracker/issues/622
- kexec-tools
# Remote Access
- openssh-clients openssh-server
# Container tooling
- crun
- podman
- runc
- skopeo
- toolbox
# nvme-cli for managing nvme disks
- nvme-cli