Don't upgrade centos-9-stream repos in the Schutzfile, the newer ones
are broken. Considering CI is broken on main right now, that takes
priority, fixing centos-9 can be done in a followup.
The RPM GPG release key used by Red Hat to sign its content used to be
signed using SHA-1. SHA-1 is no longer accepted on RHEL-10 / c10s and as
a result, such a key can't be imported during image build. The RH GPG
release key has been re-signed using SHA256 some time ago. Let's use this
version of the key for all RHEL repositories.
The key is taken from:
https://access.redhat.com/security/team/key
Specifically:
https://access.redhat.com/security/data/fd431d51.txt
The second key (auxiliary key 3) was not changed.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
- Change the alias example at the top of the file to use RHEL 9 -> 9.4
instead of 8 -> 8.10 which is no longer true for the test.
- Fix some comment typos.
- Clean trailing whitespaces.
The test relies on the existence of the /etc/dnf/vars/releasever file
and the value it specifies. In SAP images, this file specifies the
locked release version for the system and it is written by the image
definition itself. This makes it a good candidate for ensuring we are
using the correct distro version when building the image.
However, RHEL 8.10 SAP images don't lock the distro version because 8.10
is the last minor version in the RHEL 8 cycle.
Let's override the alias for RHEL 8 to point to 8.8, which is a version
that should contain a releasever. The exact value we use isn't
important. What we are testing here is the mechanism for resolving
aliases.
For these 2 scripts we make cleanup() defined in the outer scope and
make sure that it executes on EXIT rather than RETURN which makes it
possible to stick the journalctl killing functionality inside of the
same function.
In many files there was a secondary call to `trap` for the sole purpose
of killing journalctl (watching worker logs) so that GitLab CI doesn't
hang.
The issue with this is that sometimes this cleared the trap which invokes
the cleanup() function without reinstating it again (not everywhere).
Instead of doing this back-and-forth just make sure we don't leave any
journalctl processes dangling in the background!
NOTES:
- for some scripts, mainly ostree- ones there was no cleanup trap
present, but instead `trap` was configured inside the build_image() function.
The trouble is that this function is executed multiple times and
$WORKER_JOURNAL_PID changes value between these multiple executions.
That's why these scripts introduce the cleanup_on_exit() function where
we make sure to kill any possible dangling journalctl processes.
- The name `cleanup_on_exit()` is chosen because these same scripts
often have a helper function named clean_up() which is sometimes used to remove
virtual machines and other artifacts between calls of build_image().
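
The trap handling described in the two commit messages above, as an added example that is not code from these commits or from the project's test scripts. `sleep 300` stands in for the backgrounded journalctl watcher, and `PIDFILE`, `WATCHER_PIDS`, `cleanup_latest_only`, `run_test_script` and `count_dangling` are hypothetical names; `build_image`, `cleanup_on_exit` and `WORKER_JOURNAL_PID` follow the commit text.

```shell
#!/usr/bin/env bash
# Added example, constructed: `sleep 300` stands in for the backgrounded
# `journalctl -f` worker-log watcher; helper names are hypothetical.
PIDFILE=$(mktemp)        # every watcher PID started in a run, for the check
WATCHER_PIDS=""

build_image() {
    # Each call starts a new watcher, so WORKER_JOURNAL_PID keeps only the latest.
    sleep 300 >/dev/null 2>&1 &
    WORKER_JOURNAL_PID=$!
    WATCHER_PIDS="$WATCHER_PIDS $WORKER_JOURNAL_PID"
    echo "$WORKER_JOURNAL_PID" >> "$PIDFILE"
}

cleanup_latest_only() {
    # Weak handler: only the most recent watcher is killed.
    kill "$WORKER_JOURNAL_PID" 2>/dev/null || true
    wait "$WORKER_JOURNAL_PID" 2>/dev/null || true
}

cleanup_on_exit() {
    # Kill and reap every watcher started during the run.
    for pid in $WATCHER_PIDS; do
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    done
}

run_test_script() {      # $1 = trap handler, $2 = exit status to simulate
    : > "$PIDFILE"
    (
        trap "$1" EXIT   # installed once; fires on success and on failure
        build_image
        build_image
        exit "$2"
    )
}

count_dangling() {
    # Print how many recorded watcher PIDs are still alive.
    alive=0
    while read -r pid; do
        if kill -0 "$pid" 2>/dev/null; then alive=$((alive + 1)); fi
    done < "$PIDFILE"
    echo "$alive"
}

run_test_script cleanup_on_exit 1 || true
echo "dangling after cleanup_on_exit: $(count_dangling)"
```

Passing `cleanup_latest_only` as the handler leaves the first watcher running, which is the dangling process that keeps a CI job from finishing.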
The osbuild version should correspond to the version in the Schutzfile
for the old worker.
Furthermore the commits should be pulled from the rhel-9-cdn
repositories.
Nightly pipelines test against older osbuild-composer versions so we
need to still modify the kickstart file until the feature reaches the
nightly composes.
Use the new installer customizations to build and boot an unattended
installation and add the users to the sudoers with NOPASSWD enabled.
This is added both to the base installer test (installers.sh) and the
ostree test (ostree-ng.sh). For the ostree test, we keep the mkksiso
step to retain the remote configuration change. The modksiso() function
is changed to explicitly read the osbuild.ks file since we don't want to
modify the osbuild-base.ks file and we want to ensure that the kernel
command line argument points to the osbuild.ks file.