go.mod: bump osbuild/images to v0.65.0

vendor/github.com/osbuild/images/internal/common/helpers.go

@@ -1,8 +1,10 @@
 package common
 
 import (
+	"bytes"
 	"fmt"
 	"io"
+	"os/exec"
 	"regexp"
 	"sort"
 	"strconv"
@@ -84,3 +86,26 @@ type nopSeekCloser struct {
 }
 
 func (nopSeekCloser) Close() error { return nil }
+
+// MountUnitNameFor returns the escaped name of the mount unit for a given
+// mountpoint by calling:
+//
+//	systemd-escape --path --suffix=mount "mountpoint"
+func MountUnitNameFor(mountpoint string) (string, error) {
+	cmd := exec.Command("systemd-escape", "--path", "--suffix=mount", mountpoint)
+	stdout, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("systemd-escape call failed: %s", ExecError(err))
+	}
+	return strings.TrimSpace(string(stdout)), nil
+}
+
+// ExecError handles the error from an exec.Command().Output() call. It returns
+// a formatted error that includes StdErr when the error is of type
+// exec.ExitError.
+func ExecError(err error) error {
+	if err, ok := err.(*exec.ExitError); ok {
+		return fmt.Errorf("%s [%w]", bytes.TrimSpace(err.Stderr), err)
+	}
+	return err
+}

vendor/github.com/osbuild/images/pkg/distro/fedora/distro.go

@@ -872,7 +872,6 @@ func newDistro(version int) distro.Distro {
 		minimalrawImgType,
 	)
 
-	// iot simplified installer was introduced in F38
 	x86_64.addImageTypes(
 		&platform.X86{
 			BasePlatform: platform.BasePlatform{
@@ -921,62 +920,59 @@ func newDistro(version int) distro.Distro {
 		iotSimplifiedInstallerImgType,
 	)
 
-	if common.VersionGreaterThanOrEqual(rd.Releasever(), "39") {
-		// bootc was introduced in F39
-		x86_64.addImageTypes(
-			&platform.X86{
-				BasePlatform: platform.BasePlatform{
-					FirmwarePackages: []string{
-						"biosdevname",
-						"iwlwifi-dvm-firmware",
-						"iwlwifi-mvm-firmware",
-						"microcode_ctl",
-					},
+	x86_64.addImageTypes(
+		&platform.X86{
+			BasePlatform: platform.BasePlatform{
+				FirmwarePackages: []string{
+					"biosdevname",
+					"iwlwifi-dvm-firmware",
+					"iwlwifi-mvm-firmware",
+					"microcode_ctl",
 				},
-				BIOS:       true,
-				UEFIVendor: "fedora",
 			},
-			iotBootableContainer,
-		)
-		aarch64.addImageTypes(
-			&platform.Aarch64{
-				BasePlatform: platform.BasePlatform{
-					FirmwarePackages: []string{
-						"arm-image-installer",
-						"bcm283x-firmware",
-						"brcmfmac-firmware",
-						"iwlwifi-mvm-firmware",
-						"realtek-firmware",
-						"uboot-images-armv8",
-					},
+			BIOS:       true,
+			UEFIVendor: "fedora",
+		},
+		iotBootableContainer,
+	)
+	aarch64.addImageTypes(
+		&platform.Aarch64{
+			BasePlatform: platform.BasePlatform{
+				FirmwarePackages: []string{
+					"arm-image-installer",
+					"bcm283x-firmware",
+					"brcmfmac-firmware",
+					"iwlwifi-mvm-firmware",
+					"realtek-firmware",
+					"uboot-images-armv8",
 				},
-				UEFIVendor: "fedora",
 			},
-			iotBootableContainer,
-		)
+			UEFIVendor: "fedora",
+		},
+		iotBootableContainer,
+	)
 
-		ppc64le.addImageTypes(
-			&platform.PPC64LE{
-				BIOS: true,
-				BasePlatform: platform.BasePlatform{
-					ImageFormat: platform.FORMAT_QCOW2,
-					QCOW2Compat: "1.1",
-				},
+	ppc64le.addImageTypes(
+		&platform.PPC64LE{
+			BIOS: true,
+			BasePlatform: platform.BasePlatform{
+				ImageFormat: platform.FORMAT_QCOW2,
+				QCOW2Compat: "1.1",
 			},
-			iotBootableContainer,
-		)
+		},
+		iotBootableContainer,
+	)
 
-		s390x.addImageTypes(
-			&platform.S390X{
-				Zipl: true,
-				BasePlatform: platform.BasePlatform{
-					ImageFormat: platform.FORMAT_QCOW2,
-					QCOW2Compat: "1.1",
-				},
+	s390x.addImageTypes(
+		&platform.S390X{
+			Zipl: true,
+			BasePlatform: platform.BasePlatform{
+				ImageFormat: platform.FORMAT_QCOW2,
+				QCOW2Compat: "1.1",
 			},
-			iotBootableContainer,
-		)
-	}
+		},
+		iotBootableContainer,
+	)
 
 	ppc64le.addImageTypes(
 		&platform.PPC64LE{

vendor/github.com/osbuild/images/pkg/distro/fedora/package_sets.go

@@ -474,14 +474,6 @@ func anacondaPackageSet(t *imageType) rpmmd.PackageSet {
 		},
 	})
 
-	if common.VersionLessThan(t.arch.distro.osVersion, "39") {
-		ps = ps.Append(rpmmd.PackageSet{
-			Include: []string{
-				"lklug-fonts", // orphaned, unavailable in F39
-			},
-		})
-	}
-
 	switch t.Arch().Name() {
 	case arch.ARCH_X86_64.String():
 		ps = ps.Append(rpmmd.PackageSet{
@@ -627,14 +619,6 @@ func containerPackageSet(t *imageType) rpmmd.PackageSet {
 		},
 	}
 
-	if common.VersionLessThan(t.arch.distro.osVersion, "39") {
-		ps = ps.Append(rpmmd.PackageSet{
-			Include: []string{
-				"fedora-repos-modular",
-			},
-		})
-	}
-
 	return ps
 }
 
@@ -705,7 +689,8 @@ func iotSimplifiedInstallerPackageSet(t *imageType) rpmmd.PackageSet {
 				"shadow-utils", // includes passwd
 			},
 		})
-	} else if common.VersionLessThan(t.arch.distro.osVersion, "40") {
+	} else {
+		// F39 only
 		ps = ps.Append(rpmmd.PackageSet{
 			Include: []string{
 				"passwd",

vendor/github.com/osbuild/images/pkg/distro/fedora/partition_tables.go

@@ -431,13 +431,13 @@ var iotSimplifiedInstallerPartitionTables = distro.BasePartitionTableMap{
 		},
 	},
 	arch.ARCH_AARCH64.String(): disk.PartitionTable{
-		UUID: "0xc1748067",
-		Type: "dos",
+		UUID: "D209C89E-EA5E-4FBD-B161-B461CCE297E0",
+		Type: "gpt",
 		Partitions: []disk.Partition{
 			{
-				Size:     501 * common.MebiByte,
-				Type:     "06",
-				Bootable: true,
+				Size: 501 * common.MebiByte,
+				Type: disk.EFISystemPartitionGUID,
+				UUID: disk.EFISystemPartitionUUID,
 				Payload: &disk.Filesystem{
 					Type:         "vfat",
 					UUID:         disk.EFIFilesystemUUID,

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/azure.go

@@ -256,10 +256,14 @@ func azureRhuiPackageSet(t *rhel.ImageType) rpmmd.PackageSet {
 // Includes the common azure package set, the common SAP packages, and
 // the azure rhui sap package.
 func azureSapPackageSet(t *rhel.ImageType) rpmmd.PackageSet {
+	rhuiPkg := "rhui-azure-rhel8-sap-ha"
+	if t.Arch().Distro().OsVersion() == "8.10" {
+		rhuiPkg = "rhui-azure-rhel8-base-sap-ha"
+	}
 	return rpmmd.PackageSet{
 		Include: []string{
 			"firewalld",
-			"rhui-azure-rhel8-sap-ha",
+			rhuiPkg,
 		},
 	}.Append(azureCommonPackageSet(t)).Append(SapPackageSet(t))
 }

vendor/github.com/osbuild/images/pkg/dnfjson/dnfjson.go

@@ -460,10 +460,12 @@ func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[
 	if err != nil {
 		return nil, nil, err
 	}
+
 	args := arguments{
-		Repos:        dnfRepoMap,
-		RootDir:      s.rootDir,
-		Transactions: transactions,
+		Repos:            dnfRepoMap,
+		RootDir:          s.rootDir,
+		Transactions:     transactions,
+		OptionalMetadata: s.optionalMetadataForDistro(),
 	}
 
 	req := Request{
@@ -479,6 +481,20 @@ func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[
 	return &req, rhsmMap, nil
 }
 
+func (s *Solver) optionalMetadataForDistro() []string {
+	// filelist repo metadata is required when using newer versions of libdnf
+	// with old repositories or packages that specify dependencies on files.
+	// EL10+ and Fedora 40+ packaging guidelines prohibit depending on
+	// filepaths so filelist downloads are disabled by default and are not
+	// required when depsolving for those distros. Explicitly enable the option
+	// for older distro versions in case we are using a newer libdnf.
+	switch s.modulePlatformID {
+	case "platform:f39", "platform:el7", "platform:el8", "platform:el9":
+		return []string{"filelists"}
+	}
+	return nil
+}
+
 // Helper function for creating a dump request payload
 func (s *Solver) makeDumpRequest(repos []rpmmd.RepoConfig) (*Request, error) {
 	dnfRepos, err := s.reposFromRPMMD(repos)
@@ -640,6 +656,9 @@ type arguments struct {
 	// Load repository configurations, gpg keys, and vars from an os-root-like
 	// tree.
 	RootDir string `json:"root_dir"`
+
+	// Optional metadata to download for the repositories
+	OptionalMetadata []string `json:"optional-metadata,omitempty"`
 }
 
 type searchArgs struct {

vendor/github.com/osbuild/images/pkg/manifest/ostree_deployment.go

@@ -513,17 +513,32 @@ func createMountpointService(serviceName string, mountpoints []string) *osbuild.
 	}
 	unit := osbuild.Unit{
 		Description:              "Ensure custom filesystem mountpoints exist",
-		DefaultDependencies:      false,
+		DefaultDependencies:      common.ToPtr(false), // Default dependencies would interfere with our custom order (before mountpoints)
 		ConditionPathIsDirectory: conditionPathIsDirectory,
+		After:                    []string{"ostree-remount.service"},
 	}
 	service := osbuild.Service{
 		Type:            osbuild.Oneshot,
-		RemainAfterExit: true,
-		//compatibility with composefs, will require transient rootfs to be enabled too.
-		ExecStartPre: []string{"/bin/sh -c \"if [ -z \"$(grep -Uq composefs /run/ostree-booted)\" ]; then chattr -i /; fi\""},
-		ExecStopPost: []string{"/bin/sh -c \"if [ -z \"$(grep -Uq composefs /run/ostree-booted)\" ]; then chattr +i /; fi\""},
-		ExecStart:    []string{"mkdir -p " + strings.Join(mountpoints[:], " ")},
+		RemainAfterExit: false,
+		// compatibility with composefs, will require transient rootfs to be enabled too.
+		ExecStartPre: []string{"/bin/sh -c \"if grep -Uq composefs /run/ostree-booted; then chattr -i /; fi\""},
+		ExecStopPost: []string{"/bin/sh -c \"if grep -Uq composefs /run/ostree-booted; then chattr +i /; fi\""},
+		ExecStart:    []string{"mkdir -p " + strings.Join(mountpoints, " ")},
 	}
+
+	// For every mountpoint we want to ensure, we need to set a Before order on
+	// the mount unit itself so that our mkdir runs before any of them are
+	// mounted
+	befores := make([]string, len(mountpoints))
+	for idx, mp := range mountpoints {
+		before, err := common.MountUnitNameFor(mp)
+		if err != nil {
+			panic(err)
+		}
+		befores[idx] = before
+	}
+	unit.Before = befores
+
 	install := osbuild.Install{
 		WantedBy: []string{"local-fs.target"},
 	}

vendor/github.com/osbuild/images/pkg/osbuild/systemd_unit_create_stage.go

@@ -23,12 +23,13 @@ const (
 
 type Unit struct {
 	Description              string   `json:"Description,omitempty"`
-	DefaultDependencies      bool     `json:"DefaultDependencies,omitempty"`
+	DefaultDependencies      *bool    `json:"DefaultDependencies,omitempty"`
 	ConditionPathExists      []string `json:"ConditionPathExists,omitempty"`
 	ConditionPathIsDirectory []string `json:"ConditionPathIsDirectory,omitempty"`
 	Requires                 []string `json:"Requires,omitempty"`
 	Wants                    []string `json:"Wants,omitempty"`
 	After                    []string `json:"After,omitempty"`
+	Before                   []string `json:"Before,omitempty"`
 }
 
 type Service struct {

vendor/github.com/osbuild/images/pkg/policies/policies.go

@@ -85,14 +85,18 @@ var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathP
 // MountpointPolicies for ostree
 var OstreeMountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
 	"/":             {},
-	"/ostree":       {Deny: true},
-	"/home":         {Deny: true},
+	"/home":         {Deny: true}, // symlink to var/home
+	"/mnt":          {Deny: true}, // symlink to var/mnt
+	"/opt":          {Deny: true}, // symlink to var/opt
+	"/ostree":       {Deny: true}, // symlink to sysroot/ostree
+	"/root":         {Deny: true}, // symlink to var/roothome
+	"/srv":          {Deny: true}, // symlink to var/srv
 	"/var/home":     {Deny: true},
-	"/var/opt":      {Deny: true},
-	"/var/srv":      {Deny: true},
-	"/var/roothome": {Deny: true},
-	"/var/usrlocal": {Deny: true},
 	"/var/mnt":      {Deny: true},
+	"/var/opt":      {Deny: true},
+	"/var/roothome": {Deny: true},
+	"/var/srv":      {Deny: true},
+	"/var/usrlocal": {Deny: true},
 })
 
 // CustomDirectoriesPolicies for ostree