deps: bump images to 0.164

We have an issue where `%post` scripts are not being executed due to our incorrect handling of Anaconda modules [1].

[1]: https://github.com/osbuild/bootc-image-builder/issues/968

Signed-off-by: Simon de Vlieger <supakeen@redhat.com>

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer.go

@@ -86,7 +86,7 @@ type AnacondaInstaller struct {
 	// SELinux policy, when set it enables the labeling of the installer
 	// tree with the selected profile and selects the required package
 	// for depsolving
-	SElinux string
+	SELinux string
 
 	// Locale for the installer. This should be set to the same locale as the
 	// ISO OS payload, if known.
@@ -167,8 +167,8 @@ func (p *AnacondaInstaller) getBuildPackages(Distro) []string {
 		)
 	}
 
-	if p.SElinux != "" {
-		packages = append(packages, "policycoreutils", fmt.Sprintf("selinux-policy-%s", p.SElinux))
+	if p.SELinux != "" {
+		packages = append(packages, "policycoreutils", fmt.Sprintf("selinux-policy-%s", p.SELinux))
 	}
 
 	return packages
@@ -183,8 +183,8 @@ func (p *AnacondaInstaller) getPackageSetChain(Distro) []rpmmd.PackageSet {
 		packages = append(packages, "biosdevname")
 	}
 
-	if p.SElinux != "" {
-		packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
+	if p.SELinux != "" {
+		packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SELinux))
 	}
 
 	return []rpmmd.PackageSet{
@@ -192,7 +192,7 @@ func (p *AnacondaInstaller) getPackageSetChain(Distro) []rpmmd.PackageSet {
 			Include:         append(packages, p.ExtraPackages...),
 			Exclude:         p.ExcludePackages,
 			Repositories:    append(p.repos, p.ExtraRepos...),
-			InstallWeakDeps: p.Type == AnacondaInstallerTypeLive,
+			InstallWeakDeps: true,
 		},
 	}
 }
@@ -328,10 +328,10 @@ func (p *AnacondaInstaller) payloadStages() []*osbuild.Stage {
 
 	stages = append(stages, osbuild.NewSELinuxConfigStage(&osbuild.SELinuxConfigStageOptions{State: osbuild.SELinuxStatePermissive}))
 
-	// SElinux is not supported on the non-live-installers (see the previous
+	// SELinux is not supported on the non-live-installers (see the previous
 	// stage setting SELinux to permissive. It's an error to set it to anything
 	// that isn't an empty string
-	if p.SElinux != "" {
+	if p.SELinux != "" {
 		panic("payload installers do not support SELinux policies")
 	}
 
@@ -400,9 +400,9 @@ func (p *AnacondaInstaller) liveStages() []*osbuild.Stage {
 	dracutOptions := p.dracutStageOptions()
 	stages = append(stages, osbuild.NewDracutStage(dracutOptions))
 
-	if p.SElinux != "" {
+	if p.SELinux != "" {
 		stages = append(stages, osbuild.NewSELinuxStage(&osbuild.SELinuxStageOptions{
-			FileContexts: fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.SElinux),
+			FileContexts: fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.SELinux),
 		}))
 	}
 

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer_iso_tree.go

@@ -58,6 +58,29 @@ const ( // ISOBoot type enum
 	Grub2ISOBoot                            // Boot with grub2 UEFI and grub2 BIOS
 )
 
+func (r *ISOBootType) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return err
+	}
+	switch s {
+	case "grub2-uefi", "":
+		*r = Grub2UEFIOnlyISOBoot
+	case "syslinux":
+		*r = SyslinuxISOBoot
+	case "grub2":
+		*r = Grub2ISOBoot
+	default:
+		return fmt.Errorf("unknown ISOBootType: %q", s)
+	}
+
+	return nil
+}
+
+func (r *ISOBootType) UnmarshalYAML(unmarshal func(any) error) error {
+	return common.UnmarshalYAMLviaJSON(r, unmarshal)
+}
+
 // An AnacondaInstallerISOTree represents a tree containing the anaconda installer,
 // configuration in terms of a kickstart file, as well as an embedded
 // payload to be installed, this payload can either be an ostree

vendor/github.com/osbuild/images/pkg/manifest/os.go

@@ -85,9 +85,12 @@ type OSCustomizations struct {
 	MaskedServices   []string
 	DefaultTarget    string
 
-	// SELinux policy, when set it enables the labeling of the tree with the
-	// selected profile
-	SElinux string
+	// SELinux policy, when set it enables the labeling of the
+	// tree with the selected profile
+	SELinux string
+	// BuildSELinux policy, when set it enables the labeling of
+	// the *build tree* with the selected profile
+	BuildSELinux string
 
 	SELinuxForceRelabel *bool
 
@@ -169,6 +172,12 @@ type OSCustomizations struct {
 	// MountUnits creates systemd .mount units to describe the filesystem
 	// instead of writing to /etc/fstab
 	MountUnits bool
+
+	// VersionlockPackges uses dnf versionlock to lock a package to the version
+	// that is installed during image build, preventing it from being updated.
+	// This is only supported for distributions that use dnf4, because osbuild
+	// only has a stage for dnf4 version locking.
+	VersionlockPackages []string
 }
 
 // OS represents the filesystem tree of the target image. This roughly
@@ -253,8 +262,8 @@ func (p *OS) getPackageSetChain(Distro) []rpmmd.PackageSet {
 		customizationPackages = append(customizationPackages, "chrony")
 	}
 
-	if p.OSCustomizations.SElinux != "" {
-		customizationPackages = append(customizationPackages, fmt.Sprintf("selinux-policy-%s", p.OSCustomizations.SElinux))
+	if p.OSCustomizations.SELinux != "" {
+		customizationPackages = append(customizationPackages, fmt.Sprintf("selinux-policy-%s", p.OSCustomizations.SELinux))
 	}
 
 	if p.OSCustomizations.OpenSCAPRemediationConfig != nil {
@@ -290,6 +299,11 @@ func (p *OS) getPackageSetChain(Distro) []rpmmd.PackageSet {
 		customizationPackages = append(customizationPackages, "firewalld")
 	}
 
+	if len(p.OSCustomizations.VersionlockPackages) > 0 {
+		// versionlocking packages requires dnf and the dnf plugin
+		customizationPackages = append(customizationPackages, "dnf", "python3-dnf-plugin-versionlock")
+	}
+
 	osRepos := append(p.repos, p.OSCustomizations.ExtraBaseRepos...)
 
 	// merge all package lists for the pipeline
@@ -372,8 +386,8 @@ func (p *OS) getBuildPackages(distro Distro) []string {
 	if p.OSTreeRef != "" {
 		packages = append(packages, "rpm-ostree")
 	}
-	if p.OSCustomizations.SElinux != "" {
-		packages = append(packages, "policycoreutils", fmt.Sprintf("selinux-policy-%s", p.OSCustomizations.SElinux))
+	if p.OSCustomizations.SELinux != "" {
+		packages = append(packages, "policycoreutils", fmt.Sprintf("selinux-policy-%s", p.OSCustomizations.SELinux))
 	}
 	if len(p.OSCustomizations.CloudInit) > 0 {
 		switch distro {
@@ -906,15 +920,23 @@ func (p *OS) serialize() osbuild.Pipeline {
 		pipeline.AddStage(osbuild.NewUpdateCATrustStage())
 	}
 
+	if len(p.OSCustomizations.VersionlockPackages) > 0 {
+		versionlockStageOptions, err := osbuild.GenDNF4VersionlockStageOptions(p.OSCustomizations.VersionlockPackages, p.packageSpecs)
+		if err != nil {
+			panic(err)
+		}
+		pipeline.AddStage(osbuild.NewDNF4VersionlockStage(versionlockStageOptions))
+	}
+
 	if p.OSCustomizations.MachineIdUninitialized {
 		pipeline.AddStage(osbuild.NewMachineIdStage(&osbuild.MachineIdStageOptions{
 			FirstBoot: osbuild.MachineIdFirstBootYes,
 		}))
 	}
 
-	if p.OSCustomizations.SElinux != "" {
+	if p.OSCustomizations.SELinux != "" {
 		pipeline.AddStage(osbuild.NewSELinuxStage(&osbuild.SELinuxStageOptions{
-			FileContexts:     fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.OSCustomizations.SElinux),
+			FileContexts:     fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.OSCustomizations.SELinux),
 			ForceAutorelabel: p.OSCustomizations.SELinuxForceRelabel,
 		}))
 	}
@@ -1111,21 +1133,13 @@ func findESPMountpoint(pt *disk.PartitionTable) (string, error) {
 //
 // [1] https://gitlab.com/kraxel/virt-firmware/-/commit/ca385db4f74a4d542455b9d40c91c8448c7be90c
 func maybeAddHMACandDirStage(packages []rpmmd.PackageSpec, espMountpoint, kernelVer string) ([]*osbuild.Stage, error) {
-	ukiDirectVer, err := rpmmd.GetVerStrFromPackageSpecList(packages, "uki-direct")
+	ukiDirect, err := rpmmd.GetPackage(packages, "uki-direct")
 	if err != nil {
 		// the uki-direct package isn't in the list: no override necessary
 		return nil, nil
 	}
 
-	// The GetVerStrFromPackageSpecList function returns
-	// <version>-<release>.<arch>. For the real package version, this doesn't
-	// appear to cause any issues with the version parser used by
-	// VersionLessThan. If a mock depsolver is used this can cause issues
-	// (Malformed version: 0-8.fk1.x86_64). Make sure we only use the <version>
-	// component to avoid issues.
-	ukiDirectVer = strings.SplitN(ukiDirectVer, "-", 2)[0]
-
-	if common.VersionLessThan(ukiDirectVer, "25.3") {
+	if common.VersionLessThan(ukiDirect.Version, "25.3") {
 		// generate hmac file using stage
 		kernelFilename := fmt.Sprintf("ffffffffffffffffffffffffffffffff-%s.efi", kernelVer)
 		kernelPath := filepath.Join(espMountpoint, "EFI", "Linux", kernelFilename)

vendor/github.com/osbuild/images/pkg/manifest/vagrant.go

@@ -1,17 +1,35 @@
 package manifest
 
 import (
+	"fmt"
+	"math/rand"
+
 	"github.com/osbuild/images/pkg/artifact"
 	"github.com/osbuild/images/pkg/osbuild"
 )
 
 type Vagrant struct {
 	Base
-	filename string
+	filename   string
+	provider   osbuild.VagrantProvider
+	macAddress string
 
 	imgPipeline FilePipeline
 }
 
+// Create a randomized mac address for each build, but generated with a potentially seeded
+// PRNG.
+// See: https://github.com/mirror/vbox/blob/b9657cd5351cf17432b664009cc25bb480dc64c1/src/VBox/Main/src-server/HostImpl.cpp#L3258-L3269
+// for where this implementation comes from.
+func virtualboxMacAddress(prng *rand.Rand) string {
+	manafacturer := "080027"
+	serial := make([]byte, 3)
+
+	prng.Read(serial)
+
+	return fmt.Sprintf("%s%x", manafacturer, serial)
+}
+
 func (p Vagrant) Filename() string {
 	return p.filename
 }
@@ -20,11 +38,16 @@ func (p *Vagrant) SetFilename(filename string) {
 	p.filename = filename
 }
 
-func NewVagrant(buildPipeline Build, imgPipeline FilePipeline) *Vagrant {
+func NewVagrant(buildPipeline Build, imgPipeline FilePipeline, provider osbuild.VagrantProvider, prng *rand.Rand) *Vagrant {
 	p := &Vagrant{
 		Base:        NewBase("vagrant", buildPipeline),
 		imgPipeline: imgPipeline,
 		filename:    "image.box",
+		provider:    provider,
+
+		// macAddress is only required when the provider is virtualbox, we set it always so we don't have to
+		// complicate flow in serialize
+		macAddress: virtualboxMacAddress(prng),
 	}
 
 	if buildPipeline != nil {
@@ -39,8 +62,42 @@ func NewVagrant(buildPipeline Build, imgPipeline FilePipeline) *Vagrant {
 func (p *Vagrant) serialize() osbuild.Pipeline {
 	pipeline := p.Base.serialize()
 
+	vagrantOptions := osbuild.NewVagrantStageOptions(p.provider)
+
+	// For the VirtualBox provider we need to inject the ovf stage as well
+	if p.provider == osbuild.VagrantProviderVirtualBox {
+		// TODO: find a way to avoid copying (by having the OVF stage take inputs?) as this can be
+		// slow and increase disk usage
+		inputName := "vmdk-tree"
+		pipeline.AddStage(osbuild.NewCopyStageSimple(
+			&osbuild.CopyStageOptions{
+				Paths: []osbuild.CopyStagePath{
+					{
+						From: fmt.Sprintf("input://%s/%s", inputName, p.imgPipeline.Export().Filename()),
+						To:   "tree:///",
+					},
+				},
+			},
+			osbuild.NewPipelineTreeInputs(inputName, p.imgPipeline.Name()),
+		))
+
+		vagrantOptions.SyncedFolders = map[string]*osbuild.VagrantSyncedFolderStageOptions{
+			"/vagrant": &osbuild.VagrantSyncedFolderStageOptions{
+				Type: osbuild.VagrantSyncedFolderTypeRsync,
+			},
+		}
+
+		vagrantOptions.VirtualBox = &osbuild.VagrantVirtualBoxStageOptions{
+			MacAddress: p.macAddress,
+		}
+
+		pipeline.AddStage(osbuild.NewOVFStage(&osbuild.OVFStageOptions{
+			Vmdk: p.imgPipeline.Filename(),
+		}))
+	}
+
 	pipeline.AddStage(osbuild.NewVagrantStage(
-		osbuild.NewVagrantStageOptions(osbuild.VagrantProviderLibvirt),
+		vagrantOptions,
 		osbuild.NewVagrantStagePipelineFilesInputs(p.imgPipeline.Name(), p.imgPipeline.Filename()),
 	))