The `nobody` user/group is special and can't be driven from a sysusers
dropin because Fedora's systemd has a compiled-in default value
for naming the overflow user that same name and that always takes
precedence.
The problem is that due to legacy and cargo-culting, we have to deal
with a bunch of systems with the `nobody` user set to 99:99 that we
can't just ignore. We need to migrate those, but for now at least to
make `--sysusers` usable in these environments, let's add a new hidden
`--nobody-99` option which defines _only_ that entry in the hardcoded
passwd/group. This _is_ respected by systemd-sysusers.
See also: https://github.com/coreos/fedora-coreos-tracker/issues/1201
See also: https://github.com/systemd/systemd/issues/7717
This allows users to opt out of the hardcoded passwd/group files we
carry here in favour of making sysusers entries canonical.
This is especially useful with the `--add-dir` option, which allows
injecting user-owned sysusers entries to e.g. define more users or to
fixate normally floating UIDs from packages.
This uses the new `sysusers` knob in rpm-ostree. For more details, see:
https://github.com/coreos/rpm-ostree/pull/5427
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250713.n.0 (main)
See merge request fedora/bootc/base-images!241
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250711.n.0 (main)
See merge request fedora/bootc/base-images!239
Add support for Fedora 40/41 compose updates grouping
to the package rules for possible future needs
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Change the current branch creation schedule in renovate
for compose container images. Currently it is using renovate's default
configuration, which is between 12:00 AM and 03:59 AM,
only on Monday.
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250707.n.0 (main)
See merge request fedora/bootc/base-images!238
chore(deps): update quay.io/bootc-devel/fedora-bootc-42-compose docker tag to fedora-42-updates-testing-20250707.0 (main)
See merge request fedora/bootc/base-images!235
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250706.n.0 (main)
See merge request fedora/bootc/base-images!234
We need to separate renovate pipelineruns because they need a mixed
configuration from 'pull-request' and 'push' pipelineruns:
- We need the images to expire after a few days
- We need to label the produced snapshot so they are not released [^1]
[^1]: https://github.com/konflux-ci/integration-service/issues/1192
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Using the on push pipelinerun has an undesired side effect of releasing
all the renovate builds before merging them into the main branch.
Use the "on pull request" pipelinerun in an attempt to avoid this.
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250629.n.0 (main)
See merge request fedora/bootc/base-images!231
Instead of creating MRs, renovate will:
- Create the branch, wait for test results
- Rebase it any time it gets out of date with the base branch
- Automerge the branch commit if it's:
  (a) up-to-date with the base branch, and
  (b) passing all tests
- As a backup, raise a PR only if either:
  (a) tests fail, or
  (b) tests remain pending for too long (default: 24 hours)
Resolves #62
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Changes in `bootc-base-imagectl` and `install-manifests` files
must trigger konflux builds for all the existing base images.
Also changes in "minimal" or "minimal-plus" must trigger konflux
builds in all the "standard" images.
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
chore(deps): update quay.io/bootc-devel/fedora-bootc-rawhide-compose docker tag to fedora-rawhide-20250627.n.0 (main)
See merge request fedora/bootc/base-images!230