2 configurations for the listeners are now possible:
- enableJWT=false with client ssl auth
- enableJWT=true with https
Actual verification of the tokens is handled by
https://github.com/openshift-online/ocm-sdk-go.
An authentication handler is run as the top level handler, before any
routing is done. Routes which do not require authentication should be
listed as exceptions.
Authentication can be restricted using an ACL file which allows
filtering based on JWT claims. For more information see the inline
comments in ocm-sdk/authentication.
As an added quirk the `-v` flag for the osbuild-composer executable was
changed to `-verbose` to avoid flag collision with glog which declares
the `-v` flag in the package `init()` function. The ocm-sdk depends on
glog and pulls it in.
Move the ostree repository and the tar image to the root of the
boot iso. This has several advantages: we do no longer have to
correctly guess the size of the anaconda image. Also we do not
need to compress the payload within the squashfs.
Update the image installer's test data. NB: the changes to the
package list were introduced earlier and should mostly affect
the build pipeline. Should have caught is in the corresponding
change, but was apparently not picked up by CI.
OSBuild Composer can now build the RHEL 8.5 Raw Images. This images are
compressed raw images, i.e. a file that has a partition layout with an
deployed OSTree commit in it. It can be used to flash onto a hard drive
or booted in a virtual machine. An existing OSTree commit needs to
be provided.
The following image new types are supported: edge-raw-image.
Instead of using package sets at the distro, arch and image type
level and then merging them in `PackageSets`, store the function
that generates the package set in the image type and have them
return all the package set. In order to do so, they now take an
imageType parameter so that they can also return architecture
dependent packages.
Instead of having a common build package set defined at distro
struct level and merging them together with build packages in
the image type (and arches), we do the "inheritance" at the
package set level and append more specific packages to base
sets there. We also now ensure that each image type does have
a build package set defined.
The actual package set should not change for anything due to
this commit.
Split the common installer build packages from the one specific to
anaconda and edge.
NB: The "inheritance" is now done in the package sets rather than
outside, via package set merging.
The edge specific build packages, `edgeBuildPkgsKey` where defined
on the distro level but also always included in all actual edge
image types; there were thus duplicated.
This adds a new installer called the "Simplified Installer" for Edge.
In contrast to the existing insaller, which is based on Anaconda, this
new installer based on the CoreOS installer project[1], a small rust
based binary that is executed in the initramfs and will flash a raw
image to a specified installation device. For this a new blueprint
option is introduced. The raw image is created from an existing OSTree
commit and embedded into the resulting bootable iso. When booting the
iso the installation will automatically start witout any interaction
from the user.
NB: As with the existing edge installer, support is currently limited
to x86. The new installer also does not support non-uefi boot.
[1] https://github.com/coreos/coreos-installer
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
Add a new param to the helper function creating the grub2 stage, that
indicates whether greenboot should be enabled. So far this is false
for all uses, so nothing should change.
Add an argument to `dracutStageOptions` so that additional dracut
modules can be supplied. Remove `anaconda` from the list of mods
that are included by default, and manually include it for the
anaconda based installer.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
osbuild, since version 30, supports the ostree deployments for the
fstab stage.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Christian Kellner <christian@kellner.me>
Mark the `FilesInput` as valid input for the copy stage input so it
can be used in the constructor helper function(s).
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
Add a level of indirection for the copy stage constructor function
in order to be able to use it with existing input types, like the
files input.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
Add a new `install` option to the `grub2StageOptions` which directly
translates to the `uefi.install` option for the grub2 stage. This
should be false for all existing pipelines, where RPM directly is
used to fill `/boot/efi/EFI/<vendor>`.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
Add the new stages included in osbuild 30 that can be used to
deploy an OSTree commit as well as the grub iso stage that
is used to configure grub2 (efi) for isos.
Bump the spec file requirement accordingly.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Christian Kellner <christian@kellner.me>
Should be a pointer otherwise it creates an empty object in the manifest
which makes the stage fail.
Co-Developed-by: Christian Kellner <christian@kellner.me>
When building RHEL for Edge commits and a parent together with an
URL was specified, add a `org.osbuild.ostree.passwd` stage which
then will pre-load the uid/gid database with the data from the
parent commit. This ensures that uids and gids do not change for
the "child" commit.
Add support for the `org.osbuild.ostree.passwd` and with it also
support for the `org.osbuild.ostree.checkout` input.
This stage can be used to pre-load the user and groups database
from an existing commit to ensure that uids/gids are stable.
Running the container on Openshift requires that the process inside the
container run without special permissions.
Switching to nginx and setting the following options that don't require
root privileges:
- Port 8080 (> 1024)
- pid file in '/tmp' instead of the default '/run' path
Also, the log file is chmod-ed to be world writable. Nginx always writes
to the default log file on startup, even if a different log file path is
specified in the configuration.
See rhbz#1945238
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
org.osbuild.chmod: runs chmod on one or more files
org.osbuild.nginx.conf: write nginx config file
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
weldr-client returns different json structures than the original
composer-cli does. It is being replaced in RHEL-9 and these changes make
it possible to run the tests with both old composer-cli and
weldr-client.
