For backward compatibility, revert changes related to hybrid boot mode
for RHEL (RHUI) EC2 images before 8.9 release.
This change does not affect CentOS Stream 8 AMI images nor the RHEL AMI
build by the service or on-premise.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
On RHEL-8, the x86_64 AMI / EC2 images used a BIOS-only partition table
layout, because the base partition table unification happened in the
past only on RHEL-9 and Fedora (inherited from RHEL-9).
To make things consistent and uniform across RHEL-8 and RHEL-9, I copied
the base partition table used by RHEL-9 AMI / EC2 images to RHEL-8. This
has a side-effect for aarch64 AMI / EC2, where the `/boot` partition
size changed from 512 MiB to 500 MiB, together with the partition GUID
to "Extended Boot Loader Partition GUID".
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Move the handling of the list of enabled and disabled systemd services
more to the end of the `os` pipeline, just before the SELinux stage.
This has no functional effect on produced images, but it will make it
nicer once the handling of the custom files and directories will be
added to the pipeline. Specifically it should be added right before the
services stage to allow enabling custom service files, but after all
other configurations that are applied to the image.
Regenerate all manifests.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Changes:
- Removed unneeded RPMs from the build root.
- /usr/bin/tar removed from selinux stage.
- Changed order of the rhsm stage. This will not affect functionality.
`amdgpu` module is causing error to be printed in the system log on AWS
instances. After investigation, it turns out that it is not needed.
Disable it by default on all AWS images.
Related to COMPOSER-1807
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Define the distribution strings for RHEL 8.5 in distro/rhel86 and add
constructors. Remove the old 8.5 from the distro registry and use the
new constructors.
Composer can now build RHEL 8.5 image-installer on aarch64, which wasn't
supported before.
RHEL 8.5 manifests have changed to minimise the differences from 8.6.
Some changes are fixes made in 8.6 but never backported to 8.5 because
of our (older) policy of not changing definitions after the release of a
distro.
Other changes are non-functional (e.g., stage or package order).
See the list below for the source of each change.
Manifest changes:
- Stage order changed for org.osbuild.systemd-logind and
org.osbuild.rhsm.
- org.osbuild.grub2 options: config.default = "saved"
Reverted 111cd8871f
- Partition sizes: RHEL 8.5 had extra arbitrarily sized padding for the
header. Now all partitions are sized to fit headers exactly.
Original change at b7abef54e8.
- SELinux set to permissive in Anaconda. This was changed in RHEL 8.6
and 9.0 but never backported to 8.5.
See a7fbe916b7.
- Installer isolevel set to 3. Like above, this was changed in
8.6 and 9.0.
Original change at d8d161480e.
- Specify a remote for edge deployments.
Original change at b18b4e80a0.
Whenever we create a new mountpoint due to a user customization,
ensure the layout uses LVM, i.e. convert plain layouts to it, if
needed. This does not apply to rpm-ostree based systems.
Add "lvm2" to the build pipeline and thus generate new manifests
and image infos.
Adjust the existing tests that assumed we can not create more
than 4 partitions on mbr layouts, since that is now not true
anymore.
This is a port from rhel86, commit 63aa155
The change in osPipeline() is required now to fix the Prefix for the
bootloader specification when LVM is used. The unspecified Prefix, which
was previously used for all cases, defaults to "/boot". When the layout
is converted to LVM, a boot partition is created and the BLS Prefix
should be set to "".
In the case where we don't have a partition table, the BLS stage is not
needed, but it was done unconditionally before, so keep the default
image definitions unchanged.
Co-Authored-By: Achilleas Koutsou <achilleas@koutsou.net>
Blueprint package set is now depsolved together with the OS package set
in a chain. The result is stored in the package specs sets under the OS
package set name.
In reality, the code was able to handle a `nil` package specs to be
passed to pipelines, however some parts were looking for the kernel
version in the blueprint package specs, which would be a bug.
Regenerated affected image test cases.
We should honour `pkg.CheckGPG` when creating the file inputs for the
rpm stage. This was lost in the transition from v1 to v2 manifests.
Regenerate image test manifests.
Co-authored-by: Tomas Hozza <thozza@redhat.com>
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Since udev will probe block devices it is advisable to hold a lock
on the device when modifying its partition table or the superblock
of the filesystem (see [1]). osbuild loopback devices do support
this via the `lock` option. Set this option for all operation that
involve changing block device "metadata" that could potentionally
race with udev, such as sfdisk, mkfs, creating a luks2 container
and creating LVM2 volume groups and logical volumes.
NB: osbuild also has its own device inhibition logic to prevent
udev/lvm2 from auto activating devices and in general to limit the
interaction between the host and devices used by osbuild. See [2]
for more information.
NB: this also locks the loopback device in situation where we the
it is strickly not the right thing to do, e.g. when creating a fs
on a logical voume that is located on a loopback device, since in
this case the device we would need to lock is the logical volume.
Sadly, LVM/DM devices are exempt from block device locking. But,
due to a bug in osbuild < 50, the udev inhibitor does *not* work
for loopback devices and therefore we have to use the actual lock
to preven LVM device auto-activation via `69-dm-lvm-metad.rules`.
The change was implemented by adding a new boolean to `getDevices`
indicating if the loopback device should be locked or not. Once
we depend on osbuild 50 we can change the logic in `getDevices`
to only lock the loopback device if the number of devices is one,
i.e. we are working directly on the loopback device.
[1] https://systemd.io/BLOCK_DEVICE_LOCKING/
[2] /usr/lib/udev/rules.d/10-osbuild-inhibitor.rules
Use entity based method `ForEachMountable` and `getDevices` to generate
all mounts and devices in a generic way, which then allows for mounts on
arbitrarily nested devices.
Update manifests and image info:
- New device names generated by `pathdot()` to avoid basename
collisions.
- Some partitions are generated in a different order now which changes
the order they appear in the manifest and their UUIDs.
Co-Authored-By: Christian Kellner <christian@kellner.me>
Disable loging in via password authentication since this is an
official Amazon marketplace requirement
Linux-based AMIs must not allow SSH password authentication.
Disable password authentication via your sshd_config file by
setting PasswordAuthentication to NO.
Section "Security policies" from
https://docs.aws.amazon.com/marketplace/latest/userguide/product-and-ami-policies.html
Use image_type_tags in repo definitions used for generating image test
cases. Enhance the `generate-test-cases` script to take the
image_type_tags into account when creating a compose request for a
specific image test case.
The motivation for the change is to keep the list of repositories in the
compose request of a image test case as small as possible. Previously,
all of the defined repositories were part of each image test cases for a
specific architecture, even those that were not needed.
Regenerate affected image test cases.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit also fixes the rpmrepo for 8.5 rt. The previously used one
was wrongly generated and had to be regenerated.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
The RHSM DNF plugins `product-id` and `subscription-manager` are now
by default enabled on the RHEL-8.5 and RHEL-9.0 `ec2`, `ec2-ha` and
`ami` images.
The desired default state of the RHSM DNF plugins has been decided by
the RHSM team.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1996670
Signed-off-by: Tomas Hozza <thozza@redhat.com>
image-info's code which analysed image with multiple partitions was not
correctly working with more than two partitions, which had to be the
root '/' and EFI partition '/boot/efi'. The consequence was that SELinux
labels on paths which were mounted incorrectly could have been reported
as incorrect.
Modify `append_partitions()` to first read the fstab entries and then
mount all partitions using their UUID in the correct order. Only then
analyze the image filesystem tree.
Regenerate affected image test cases.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add new image type definitions `ec2` and `ec2-ha` representing the
official RHEL ec2 image types.
Add a `xzArchivePipeline()`, which returns a pipeline producing a XZ
archive from a file produced by a different pipeline.
Add rpmrepo snapshots for `rhui` and `ha` repositories used to generate
image test cases. `rhui` is used by the `ec2` image and it is available
on x86_64 and aarch64 architectures. `ha` is used by the `ec2-ha` image
and it is available only for x86_64.
The new image type definitions are currently not used by any
API test case.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
