For RHEL-10, we have a special version of RHEL-8 repositories, that do
not contain the auxiliary key. This is due to the fact that the key uses
SHA-1, which is not allowed by default by RHEL-10 crypto policy.
We deleted repositories for these releases in osbuild/images, but we
need to delete them also here, to ensure that they don't end up in the
RPMs and that the cross-distro test case does not fail.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This commit changes the spec file so that most of the repositories
are taken from the `images` library. See images PR#1112 for details.
Note that we still need the -no-auth-keys and the centos-stream
symlinks.
Update the RPM GPG keys in the c10s repos that are shipped in the RPM,
to the one that is used in our testing c10s repos. This will fix image
builds on c10s.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This way users could at least build fedora 41, there is currently an
issue in rpmrepo where the fedora 41 branched repositories are very
slow, so enabling CI is currently not possible.
https://github.com/osbuild/rpmrepo/issues/111
The RHEL-8 auxiliary key uses SHA-1 in its signature. To enable RHEL-8
cross-builds on RHEL-10, we can't include the RHEL-8 auxiliary key in
the repo definitions.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
The RPM GPG release key used by Red Hat to sign its content used to be
signed using SHA-1. SHA-1 is no longer accepted on RHEL-10 / c10s and as
a result, such key can't be imported during image build. The RH GPG
release key has been resigned using SHA256 some time ago. Let's use this
version of the key for all RHEL repositories.
The key is taken from:
https://access.redhat.com/security/team/key
Specifically:
https://access.redhat.com/security/data/fd431d51.txt
The second key (auxiliary key 3) was not changed.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Where applicable, modify all repo config filenames to use a dot
to separate the release major and minor version. Modify test cases
to not remove dot from the distro version any more.
Existing tests will be extended (or new tests added) to explicitly test
backward compatibility and ensure that using old distro names without a
dot still works.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
- Add ppc64le and s390x repo URLs to Fedora repositories.
- Add Fedora 40 (rawhide) repositories.
- Update Fedora testing repositories to latest snapshots, adding new
arches and F40 repos. Basically took what is in osbuild/images repo.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add a basic support for building RHEL-8.9 and RHEL-9.3 images with
composer.
Add 8.9 and 9.3 repositories to the multitude of places where we have
them.
Generate image test manifests for 8.9 and 9.3. No functional testing is
added for 8.9 or 9.3 at this moment.
This change unblocks the RHEL Gating (since unit tests are currently
failing on 8.9 and 9.3 as on unknown distribution).
Related to https://issues.redhat.com/browse/COMPOSER-1924
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
- repositories/: add google-compute-engine and google-cloud-sdk repos to
package repositories.
- test/data/repositories/: add rt, rhui, and rhui-azure to test
repositories.
- test-case-generators/: update unversioned rhel-8 repos to point to
RHEL 8.7 snapshots.
Release repositories (in repositories/) for RHEL 9 are the CDN repos
without a minor release, which should always track GA.
Test repositories (in test/data/ and test-case-generators/) point to
RHEL 9.1, the current GA.
Fedora 35 is going EOL on Tue 2022-12-13. At the time of writing this commit
message, that's the next day. As we do releases on Wednesdays, the next
release will never find its way to F35 and thus, there's no point in keeping
support for it.
Let's delete everything that relates to Fedora 35. If there's something that
cannot be deleted (e.g. CI containers based on F35), let's upgrade it to F37.
TestCrossArchDepsolve now uses CentOS Stream 8 because RHEL 8.4 cannot read
F37 repository metadata. This is a similar issue to
https://bugzilla.redhat.com/show_bug.cgi?id=2004853 . Basically, newer
repositories can be only read by libmodulemd >= 2.11.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
The most interesting change is the removal of smc-meera-fonts in 37. As
suggested, rit-meera-new-fonts is used instead.
Existing F35 and F36 manifests updated with package changes.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Fedora 34 is EOL, let's remove all traces of it, including:
- distro definition
- repositories (and test one)
- test manifests
- special package set rules
- hacks from the spec file
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
The CentOS Linux 8 packages have been removed from the mirrors.
CentOS 8 is replaced by CentOS Stream 8. [0]
Keep the centos-8.json symlinked to centos-stream-8.json because
composer's host distro detection picks up CS8 as centos-8.
[0] https://www.centos.org/news-and-events/convert-to-stream-8/
Add a plain `rhel-8` alias as the default distribution name and version
for the `rhel8` package. The `rhel-86` distro is still available via
the NewRHEL86() constructor. These two distributions are identical.
Repositories
------------
The rhel-8 repositories (repositories/rhel-8.json) are now set to the
CDN repositories with no minor version:
https://cdn.redhat.com/content/dist/rhel8/8/...
The rhel-8 test repositories (test/data/repositories/rhel-8.json) were
already set to the plain `8` repositories. The Google repos have been
added.
The test case generator repositories used for `rhel-8` are the rpmrepo
snapshots as for rhel-86.
We would benefit from having support for 9.1 downstream so let's add it in
the form of an alias. This is a bare minimum for having a proper 9.1 support.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Follow-up to 60db6ad06f
The SHA-1 key is no longer supported in RHEL 9.0. This isn't a problem
for RHEL 8.x in general, but it prevents cross building RHEL 8.x images
on RHEL 9.0, since the host (RHEL 9.0) rpm and openssl cannot import the
older keys and we fail to bootstrap the build root for the new image if
the source repositories use SHA-1 keys.
Related rhbz#2058497 (Comment 18).
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
- 2 space indent
- lists on multiple lines
- newlines at EOF
This was accomplished by simply running each file through `jq` with no
arguments.
It is also equivalent to Python's `json.dump(..., indent=2)` plus the
added newline.
Google repositories use RSA/SHA1 for signing packages. However the SHA1
has been disabled by default on el9/c9s. Since osbuild-composer imports
GPG keys specified in the repository definition unconditionally, this
creates issues when installing rpms signed with the key by osbuild [1].
Remove GPG keys in all el9/c9s GCP repo definitions and disable GPG
signature verification until [2] is resolved.
[1] https://github.com/osbuild/osbuild/issues/991
[2] https://issuetracker.google.com/issues/223626963
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add the `gce` image type intended for Google Compute Engine. The image
is BYOS - bring your own subscription and requires registering in order
to access Red Hat content.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add the `gce` image type intended for Google Compute Engine. The image
is BYOS - bring your own subscription and requires registering in order
to access Red Hat content.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add the `gce` image type intended for Google Compute Engine. The image
is BYOS - bring your own subscription and requires registering in order
to access Red Hat content.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add the `gce` image type intended for Google Compute Engine. The image
is BYOS - bring your own subscription and requires registering in order
to access Red Hat content.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
RHEL 9.0 will ship a brand new auxiliary key. Let's use it everywhere in our
RHEL 9 stuff. Taken from current RHEL 9.0's redhat-release package.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Add rpmrepo repositories for testing.
Symlink centos-9 to centos-stream-9.
Add rpmrepo snapshot repositories to test and
test-case-generator repos.
Remove unused repositories from cs9 test repositories.
Fedora 33 is already EOL, therefore there is no point in supporting
image builds for it. Drop F33 from the distroregistry list and remove
F33 repositories definition.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
We still need to double-check that these are the right addresses. For now,
this is just a best-effort guess.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
rhel-8 distribution is in fact RHEL 8.3. As it doesn't make much sense
to build images from 8.3 definitions and 8.4+ content, this commit changes
the repositories for rhel-8 to point at 8.3 content.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Since we gained the ability to cross-distro build images, we need to have
a repo file per distribution even for RHEL. This commit adds one for RHEL
8.5.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
