Commit graph

2400 commits

Author SHA1 Message Date
Martin Sehnoutka
1ada606ed8 internal/rhsm: introduce package that handles subscriptions
The problem: osbuild-composer used to have a rather incomplete logic for
selecting client certificates and keys while fetching data from
repositories that use the "subscription model". In this scenario, every
repo requires the user to use a client-side TLS certificate. The problem
is that every repo can use its own CA and require a different pair of
a certificate and a key. This case wasn't handled at all in composer.

Furthermore, osbuild-composer can use remote workers which complicates
things even more.

Assumptions: The problem outlined above is hard to solve in the general
case, but Red Hat Subscription Manager places certain limitations on how
subscriptions might be used. For example, a subscription must be tied to
a host system, so there is no way to use such a repository in osbuild-composer
without it being available on the host system as well.

Also, if a user wishes to use a certain repository in osbuild-composer it
must be available on both hosts: the composer and the worker. It will come
with a different pair of a client certificate and a key but otherwise, its
configuration remains the same.

The solution: Expect all the subscriptions to be registered in the
/etc/yum.repos.d/redhat.repo file. Read the mapping of URLs to certificates
and keys from there and use it. Don't change the manifest format and let
osbuild guess the appropriate subscription to use.
2021-08-09 12:40:23 +02:00
Martin Sehnoutka
cc9b74ead6 spec: bump osbuild dependency to >= 29
Version 29 contains the support for the new RHSM lookup algorithm which
is needed for cooperation with the new algorithm in composer.
2021-08-09 12:40:23 +02:00
Achilleas Koutsou
a49d28dfc4 test/cases: install python3 for installer test
Required by Ansible to run checks
2021-08-09 07:57:15 +02:00
Achilleas Koutsou
d96c72e6f4 test: fix host group name in ansible test file
Host group should be 'guest'. The ansible inventory file in the test
uses the group name 'guest'.

Change package check to tmux since zsh isn't installed.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-09 07:57:15 +02:00
Ondřej Budai
065d068b66 repositories: point to 8.3 in rhel-8 distribution
rhel-8 distribution is in fact RHEL 8.3. As it doesn't make much sense
to build images from 8.3 definitions and 8.4+ content, this commit changes
the repositories for rhel-8 to point at 8.3 content.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2021-08-08 15:14:58 +03:00
Ondřej Budai
eb7acdcaca repositories: add a repo file for RHEL 8.5
Since we gained the ability to cross-distro build images, we need to have
a repo file per distribution even for RHEL. This commit adds one for RHEL
8.5.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2021-08-08 15:14:58 +03:00
Thomas Lavocat
fd81593026 Tests: Malformed JSON duplicate customization
Fixes #1612
2021-08-06 10:38:20 +02:00
Achilleas Koutsou
5a4d6bdfe7 test/data: add test repos and manifest for s390x
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
fe19d5a1d4 distro/rhel85: prepend kernel cmdline stage
For s390x, prepend a kernel cmdline stage to the start of the OS
pipeline. This is a noop for other architectures for now.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
844f77f7ca distro/rhel85: add zipl.inst stage for s390x
Installs the zipl bootloader on the disk image.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
0ed4f057c2 osbuild2: zipl install stage
New stage: org.osbuild.zipl.inst

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
22faa79880 distro/rhel85: bootloaderInstStage() function
Returns a single stage that installs the bootloader.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
38e88daea6 osbuild2: Don't add nil stages
Do nothing if a nil value is passed to pipeline.AddStage().

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
67ae1acafd distro/rhel85: bootloaderConfigStage() function
Returns a single stage that configures the bootloader, either GRUB or
ZIPL based on architecture.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Achilleas Koutsou
1ab3223ef5 distro/rhel85: kernel version string util func
Utility function for finding the kernel package and returning its
version string. Useful for configuring bootloaders.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-08-06 07:30:05 +02:00
Ondřej Budai
1ae7df6db6 distroregistry: add an alias for rhel-86
OMG, it's happening.

This should simplify the process when RHEL 8.6 branches out of RHEL 8.5.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2021-08-05 22:12:22 +02:00
Achilleas Koutsou
7d08535232 test/data: Add tar-installer test manifest
Added to format-request-map and generated manifest.
No image-info since ISOs aren't supported by the tool. The manifest is
useful only for detecting changes in the image type definition.
2021-08-05 16:13:46 +02:00
Achilleas Koutsou
88e750ed8f CI: enable installer test
2021-08-05 16:13:46 +02:00
Achilleas Koutsou
6e8ceb2e41 test/cases: complete installer test
Several changes required to get the installer test working in CI.

Blueprint:
- Add packages for SSH and networking
- Use generated SSH key and username variable for user setup

Kickstart:
- The ISO contains a kickstart file with the `liveimg` command. Instead
  of trying to inject a kickstart during virt-install, we override the
  existing file on the ISO. The `modksiso` function reads a kickstart
  file from an existing ISO, adds commands to make the installation
  fully automatic (partitioning, text --non-interactive) and creates a
  new ISO with the modified kickstart file using mkksiso.
- Simple networking added to kickstart file.
- Kernel command line args for installer added via the mkksiso command
  since the `--cdrom` installation source doesn't support injecting
  command line arguments.

virt-install:
- Using `--cdrom` instead of `--location`: latter was failing to
  install.
- No longer injects a kickstart file (since we handle it separately) and
  doesn't add extra Kernel args.
2021-08-05 16:13:46 +02:00
Achilleas Koutsou
cc28d5e25a distro/rhel85: mark tar-installer bootable
Adds boot packages to OS required for booting
2021-08-05 16:13:46 +02:00
Ondřej Budai
5c9af03785 osbuild2/grub2.inst: always include location in stage options
Location property is actually required. If it's omitted from the stage
options, the stage just fails.

Also see: https://github.com/osbuild/osbuild/pull/759

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2021-08-05 13:43:17 +02:00
Tomas Hozza
e37d5e5b17 rhel85: include dracut-config-generic in x86 UEFI boot package set
Fix the split of x86_64 boot package set into the Legacy and UEFI set.
The package `dracut-config-generic` is needed for Legacy, UEFI and
Hybrid boot mode, therefore it must be included in both package sets.

In the case of the Hybrid mode, the duplicated package is not expected
to cause any issues, because it should not appear as duplicated after
depsolving the package set using DNF.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Tomas Hozza
a79e541cec osbuild2: fix typo in files_input.go
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Tomas Hozza
a590dd7591 docs/news: reflect EC2 image changes in the RHEL-8.5 images note
The `ami` image type was redefined based on the official RHEL EC2
images. In addition, two new image types `ec2` and `ec2-ha` were
defined. These new image types are by default not exposed via Weldr
API.

Update the docs/news/unreleased entry related to RHEL-8.5 main images to
reflect these changes.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Tomas Hozza
4e92b65721 composer: don't expose ec2 and ec2-ha RHEL images via WeldrAPI
The `ec2` and `ec2-ha` images include RHUI client packages, which are
not publicly available. For this reason, building of such images in the
on-premise use case via WeldrAPI would always fail, unless the system
would be inside the Red Hat internal network or VPN.

Mark the `ec2` and `ec2-ha` image types for `rhel-*` distribution as
denied in WeldrAPI by default.

Extend and modify affected unit tests.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Tomas Hozza
aed3bf785c image-info: mount partitions in correct order when analysing image
image-info's code which analysed image with multiple partitions was not
correctly working with more than two partitions, which had to be the
root '/' and EFI partition '/boot/efi'. The consequence was that SELinux
labels on paths which were mounted incorrectly could have been reported
as incorrect.

Modify `append_partitions()` to first read the fstab entries and then
mount all partitions using their UUID in the correct order. Only then
analyze the image filesystem tree.

Regenerate affected image test cases.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Tomas Hozza
972515ad84 image-info: ignore lines with only whitespace characters in fstab
image-info could produce a weird fstab error with an empty list as a
member, when analysing images not built using osbuild. Ensure that any
lines in fstab with only whitespace characters are skipped during image
analysis.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-05 09:34:07 +02:00
Chloe Kaubisch
53109945ef cloudapi: create binder
Add an echo.Binder() to simplify parsing the compose request body.
2021-08-04 11:49:50 +02:00
sanne
57555991e0 test/api: Use relevant distributions testing package conflicts
2021-08-03 15:14:22 +02:00
Chloe Kaubisch
29af662bf8 cloudapi: replace chi with echo
standardize middleware by replacing chi with echo
2021-08-03 13:09:13 +02:00
Tomas Hozza
c97420e879 rhel85: add definitions of RHEL ec2 and ec2-ha images
Add new image type definitions `ec2` and `ec2-ha` representing the
official RHEL ec2 image types.

Add a `xzArchivePipeline()`, which returns a pipeline producing an XZ
archive from a file produced by a different pipeline.

Add rpmrepo snapshots for `rhui` and `ha` repositories used to generate
image test cases. `rhui` is used by the `ec2` image and it is available
on x86_64 and aarch64 architectures. `ha` is used by the `ec2-ha` image
and it is available only for x86_64.

The new image type definitions are currently not used by any
API test case.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
49ed70a565 rhel85: introduce BootType and use it for arch and image definitions
Previously, the support of UEFI has been captured only on the level of
architecture definition as a binary boolean value. In reality some of
the architectures are able to support legacy, UEFI or hybrid boot.

Introduce a new BootType value, defined on the architecture level, which
can be set to one of the three boot types mentioned above. The value set
on the architecture level can be overridden on the image type level in
the image type definition.

Add two unexported helper methods to the `imageType`, specifically
`getBootType()` which returns the boot type that should be used for the
image type and architecture combination. The values set explicitly in
the image type or architecture definition should not be used directly.
Second added method is `supportsUEFI()`, which returns boolean value
representing the fact if the image type supports UEFI boot.

Split and define the boot package sets separately for the legacy and
UEFI boot. The `PackageSets()` method of the imageType structure is
modified to take the boot type into consideration and append appropriate
package sets to the "os" package set.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
02ff0fc606 rhel85: redefine the ami image based on RHEL ec2 images
Redefine the `ami` image type in RHEL-8.5 to be based on RHEL
ec2 images. The pipeline has different default settings, therefore the
common "os" pipeline is not used. The RHEL ec2 images have a different
default size than the original `ami` image definition. The RHEL ec2
images use a different default partitioning scheme. Their configuration
is slightly different for each architecture and the x86_64 version
of the image does not support UEFI.

Update rpmrepo snapshots used to generate RHEL-8.5 x86_64 and aarch64
image test cases.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
a2ecf46e04 osbuild2: extend chrony stage with leapsectz property
Add support for specifying the `leapsectz` property of
`org.osbuild.chrony` stage. Modify stage tests to test setting of the
value.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
6c32ff048a internal/common: add function to get a pointer to string literal
Add a new helper function to get a pointer to a string literal.

Add unit test for the new function.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
52ccf1d6ef osbuild2: add xz stage implementation
Add support for osbuild `org.osbuild.xz` stage. The stage accepts Files
inputs.

Add unit tests for the added functionality.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
8271910051 osbuild2: refactor files inputs
osbuild stage inputs were originally implemented in composer as
stage-specific inputs, while in reality, they are defined as individual
inputs, usually accepted by multiple stages. Therefore a single stage
input can be passed to any stage, as long as the stage accepts it.

Files inputs type was previously defined, but not used by any stage.
Creation of proper inputs type structures is currently handled in
`internal/distro/rhel85/stage_inputs.go` instead.

Refactor files inputs type to be usable directly as an input type
structure for stages, which accept it. For now, implement only the
`org.osbuild.pipeline` origin and related input reference.

Add unit tests for the `FilesInputs`.

Define input origin names as string constants, so that they can be used
by inputs implementations, instead of using string literals.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
241c5cc9d6 osbuild2: fix typo in systemd-logind stage
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 19:05:09 +02:00
Tomas Hozza
0a71054d86 Weldr API: allow globbing in distro image type deny list
Allow globbing patterns in distro-specific image type deny list of Weldr
API configuration. Extend unit tests to verify simple globbing patterns.

Update NEWS entry.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 18:51:03 +02:00
Tomas Hozza
a9b676e43e Weldr API: return the actual getImageType() error in composeHandler()
Refactor the `composeHandler()` method to send the actual error
returned by `getImageType()` as an API response.

Modify tests to handle the changed error message in API calls.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 18:51:03 +02:00
Tomas Hozza
dc8a93b3f6 Weldr API: rename checkImageTypeDenylist() and return bool
Rename the `checkImageTypeDenylist()` method to `isImageTypeAllowed()`
and return boolean value instead of error.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 18:51:03 +02:00
Tomas Hozza
b150d57c18 Weldr API: make Image Type denylist distribution-specific
Change the Image Type denylist in Weldr API from being applied to all
distributions to being distribution-specific. A special name `*`
can be used in the configuration to match any distribution
or any image type.

Modify NEWS entry and unit tests to reflect this change.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 18:51:03 +02:00
Tomas Hozza
076bbc5456 Weldr API: introduce Image Type denylist for filtering exposed images
Extend Weldr API to accept a list of denied image types, which should
not be exposed via API for any supported distribution. This
functionality will be needed to not expose image types which can't be
successfully built outside of Red Hat VPN. Examples of such images are
the official RHEL EC2 images, which include RHUI client packages not
available publicly.

Image Types are filtered when listing available compose types and
creating a new compose using Weldr API.

Extend osbuild-composer configuration to allow specifying the list of
denied Image Types for Weldr API.

Add unit tests for implemented changes.

Add NEWS entry describing the newly introduced functionality.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-08-02 18:51:03 +02:00
Alexander Todorov
c70e437272 Enable additional aarch64 test runners
Signed-off-by: Alexander Todorov <atodorov@redhat.com>
2021-07-30 22:03:00 +02:00
Achilleas Koutsou
248632eaba test/data: update manifests
The previous manifests were generated inside a RHEL VM which means that
the selinux context mismatch check didn't run properly
(see https://bugzilla.redhat.com/show_bug.cgi?id=1973754).

Regenerating them on F34 shows some mismatches for certain image types.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-07-29 16:45:20 +02:00
Achilleas Koutsou
51cb4ae043 distro/rhel85: move selinux stage to last
In the main OS pipeline created by osPipeline(), there is often a set of
stages that are added after the common ones. The SELinux stage must
always be last in the pipeline, so it is added externally by the calling
function.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-07-29 16:45:20 +02:00
Achilleas Koutsou
daae2bbfca distro/rhel85: set build root for main os pipeline
OS image tree was being built on the host instead.

Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
2021-07-29 16:45:20 +02:00
Juan Abia
c4fa4e4bb7 test: Replace hard coded ssh keys on some tests
Generate a new ssh key each time. Only implemented on bash test scripts,
go tests pending.
2021-07-29 09:38:03 +03:00
Lars Karlitski
9c2c92f729 jobqueue: Introduce jobqueue backed by a postgres database
Co-authored-by: sanne <sanne.raymaekers@gmail.com>
2021-07-28 21:52:31 +01:00
Lars Karlitski
871c6e9cbb fsjobqueue: make canceling a finished job an error
This mirrors FinishJob(), which also errors when the job is already
finished.
2021-07-28 21:52:31 +01:00