This one doesn't make much sense to have enabled by default on systems
with image-based updates because we shouldn't need a local cache of
yum repo metadata (i.e. we should just be interacting with a registry).

The current custom base image flow of rebuilding a "built-in" image with
custom repos and then adding your own content separately is reasonable,
but it would be nice if one could augment the list of packages to
install in that initial build rather than as a separate transaction.
Then, you don't have to clean up after dnf and `/var` content, re-inject
repo definitions, and refetch repo metadata. It also allows building
container images with additional packages without `dnf` necessarily
being in the package set.
We don't want to leak rpm-ostree implementation details, nor do we want
to invent a new format. So just add support for a `--install` arg and a
generic `--args-file` to pass arguments via a file.
We then generate a new treefile on the fly to extend the `packages`
list.

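The flow the message above describes (collect `--install` arguments, some of them supplied through an `--args-file`, and emit a new treefile whose `packages` list is extended) as an added Python example. This is not the project's own code: it assumes the base treefile is JSON, that the args file holds shell-style tokens one logical line at a time with `#` comments, and the `--base` and `--output` option names are hypothetical.

```python
"""Added example (not the project's code): extend an rpm-ostree treefile's
`packages` list from `--install` arguments, where some arguments may be
read from an `--args-file`.

Assumptions (mine, not from the commit): JSON treefile, shell-style
tokens in the args file, hypothetical `--base`/`--output` options."""
import argparse
import json
import shlex
import sys
from pathlib import Path


def _read_file(path):
    return Path(path).read_text()


def split_args_text(text):
    """Turn the contents of an args file into argv tokens.

    Each line is split with shell quoting rules; `#` starts a comment and
    blank lines are skipped, so the file can be annotated."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(shlex.split(line, comments=True))
    return tokens


def expand_argv(argv, loader=_read_file):
    """Replace every `--args-file PATH` (or `--args-file=PATH`) with the
    tokens read from PATH, at the same position, so the order of repeated
    `--install` flags is preserved. A nested `--args-file` inside the file
    is rejected to rule out unbounded recursion."""
    out = []
    it = iter(argv)
    for tok in it:
        if tok == "--args-file":
            path = next(it, None)
            if path is None:
                raise SystemExit("--args-file requires a path")
        elif tok.startswith("--args-file="):
            path = tok.split("=", 1)[1]
        else:
            out.append(tok)
            continue
        extra = split_args_text(loader(path))
        if any(t == "--args-file" or t.startswith("--args-file=") for t in extra):
            raise SystemExit(f"{path}: nested --args-file is not allowed")
        out.extend(extra)
    return out


def parse_cli(argv, loader=_read_file):
    parser = argparse.ArgumentParser(description="extend a treefile's packages")
    parser.add_argument("--base", required=True, help="base treefile (JSON)")
    parser.add_argument("--output", required=True, help="path for the new treefile")
    # action="append" collects every --install occurrence into one list.
    parser.add_argument("--install", action="append", default=[], metavar="PKG")
    return parser.parse_args(expand_argv(argv, loader))


def extend_treefile(base, extra_packages):
    """Return a copy of `base` whose `packages` list also contains
    `extra_packages`, keeping order and dropping duplicates. `base` is
    not mutated, so the original treefile can still be inspected."""
    packages = list(base.get("packages", []))
    seen = set(packages)
    for pkg in extra_packages:
        if pkg not in seen:
            packages.append(pkg)
            seen.add(pkg)
    new = dict(base)
    new["packages"] = packages
    return new


def main(argv=None):
    ns = parse_cli(sys.argv[1:] if argv is None else argv)
    base = json.loads(Path(ns.base).read_text())
    new = extend_treefile(base, ns.install)
    Path(ns.output).write_text(json.dumps(new, indent=2) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical use would be `python3 extend_treefile.py --base fedora-bootc.json --output /tmp/treefile.json --args-file extra.args --install strace`. Splicing the file's tokens in at the position of `--args-file` rather than appending them means a package named on the command line can still override or follow one named in the file, which matters when the treefile consumer cares about order.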
The prow/validate job does various whitespace checks and
was complaining about these so I guess I'll try to make it happy:
```
[+] Found files with whitespace at the end of line
./fedora-coreos-config/fedora-bootc/.gitlab-ci.yml
./fedora-coreos-config/fedora-bootc/bootc-base-imagectl.md
./fedora-coreos-config/fedora-bootc/fedora-iot.yaml
./fedora-coreos-config/fedora-bootc/iot/manifest.yaml
[+] Found files with missing empty line at end of file
./fedora-coreos-config/fedora-bootc/bootc-base-imagectl
./fedora-coreos-config/fedora-bootc/fedora-iot.yaml
./fedora-coreos-config/fedora-bootc/iot/manifest.yaml
```

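The two checks the job output above reports, reimplemented as an added POSIX shell example so they can be run locally before pushing. This is my own reconstruction from the message text, not the prow/validate job's script; the sample files it creates are constructed.

```sh
#!/bin/sh
# Added example (not the validate job's own code): local versions of the
# two whitespace checks reported above, run over a constructed sample tree.

# Print files under $1 that have a line ending in a space or tab.
# grep -l lists matching files; -r recurses; [[:blank:]]$ catches both
# spaces and tabs before the newline. Output is sorted for stable diffs.
find_trailing_ws() {
    grep -rlE '[[:blank:]]$' "$1" 2>/dev/null | sort
}

# Print non-empty files under $1 whose last byte is not a newline.
# $(tail -c1 FILE) strips a trailing newline, so the substitution is
# empty exactly when the file already ends with "\n".
find_missing_eol() {
    find "$1" -type f -size +0c | while IFS= read -r f; do
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed sample tree and report in the job's own format.
demo() {
    dir=$(mktemp -d)
    printf 'clean file\n' > "$dir/clean.yaml"
    printf 'trailing space \nok\n' > "$dir/trailing.yaml"
    printf 'no final newline' > "$dir/noeol.md"
    printf 'both \t\nlast' > "$dir/both.yaml"   # tab at EOL and no final newline
    echo "[+] Found files with whitespace at the end of line"
    find_trailing_ws "$dir"
    echo "[+] Found files with missing empty line at end of file"
    find_missing_eol "$dir"
    rm -rf "$dir"
}

demo
```

Point both functions at a checkout (`find_trailing_ws ./fedora-coreos-config/fedora-bootc`) to reproduce the job's lists; a file can legitimately show up in both, as `fedora-iot.yaml` does above.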
I'm sure there is a reason why it is the way it is, which I will
learn about, but the way it is currently set up makes it hard to run
commands in the target system (like `rpm -q`) without doing a chroot,
and doing a chroot requires some setup to happen.
I guess the nice thing about the way it was prior is we get to look
at the filesystem untouched by the container runtime, which can
definitely be useful for tests.

Ansible's package builtin [1] uses dnf's Python API. This fails by
default with "Could not import the libdnf5 python module". This is
awkward and laborious to work around in Containerfiles, as you can't use
the normal `package:` to install, so it would require
distribution/release specific code, and replicating this to all
playbooks.
In particular this fixes linux-system-roles for running during bootc
container builds.
[1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/package_module.html

The comment states that we want to support kdump so we need the
makedumpfile and kdump-utils RPMs for that. Note here that we specify
paths rather than RPM names because downstream in EL9 those subpackages
were still part of the kexec-tools package and not broken out yet.

This works around two issues:
- First, rpm switched to reading users/groups directly for
its implementation of systemd-sysusers, which meant
it no longer reads via nss, which breaks nss-altfiles.
xref: https://github.com/rpm-software-management/rpm/pull/2503#issuecomment-1536435351
and below.
- Second, even if that was fixed, `keylime` wants to add
its user to the group, which can't be done when it's a system
uid.
Since nothing in the OS content is owned by this group, we can
move it underneath `/etc` by default.
Signed-off-by: Colin Walters <walters@verbum.org>

When we renamed tier-0 → minimal and tier-1 → standard, the
naming of tier-x became obsolete. Complete the nomenclature
update.
Closes: https://gitlab.com/fedora/bootc/base-images/-/issues/24
Signed-off-by: Colin Walters <walters@verbum.org>

The versioning here was originally inherited from the Fedora CoreOS
configuration. However...the version numbering was always
overridden by coreos-assembler, so it wasn't actually used there!
Conceptually there are two things here:
- OS version
- Arbitrary date stamp
For the "OS version"...well, the closest thing we have actually
to "version of set of RPMs" is a compose today, which is expressed
in a distinct label already - at least for CentOS and RHEL.
For Fedora of course post-branching there are no "composes"
as such but just a set of floating RPMs post-release.
We have the "arbitrary date stamp" in the container image build
time already - and tooling like bootc and rpm-ostree show
both the version and the build time.
Let's significantly simplify our version numbers by just going
to "OS version".
This especially fixes the bug that we weren't setting
`releasever` anymore which just broke the version anyways.
Closes: https://gitlab.com/fedora/bootc/base-images/-/issues/40
Signed-off-by: Colin Walters <walters@verbum.org>

https://dnf.readthedocs.io/en/latest/conf_ref.html#protect-running-kernel-label
uses uname to protect the running kernel. When both the
container and the host share the same kernel version, this
blocks removing the kernel or replacing it; since on ostree
systems we only support one kernel, this prevents us from
installing kernel-rt, for example.

For the use case of updating Konflux lockfiles we want
to be able to easily render the manifests to a tempdir without
installing to `/`.
Move the install of the build script to the main container
build so `install-manifests` only touches manifests.
Signed-off-by: Colin Walters <walters@verbum.org>