Add a new `install` option to the `grub2StageOptions` which directly
translates to the `uefi.install` option for the grub2 stage. This
should be false for all existing pipelines, where RPM directly is
used to fill `/boot/efi/EFI/<vendor>`.
Co-Developed-by: Achilleas Koutsou <achilleas@koutsou.net>
Co-Developed-by: Antonio Murdaca <runcom@linux.com>
Should be a pointer otherwise it creates an empty object in the manifest
which makes the stage fail.
Co-Developed-by: Christian Kellner <christian@kellner.me>
When building RHEL for Edge commits and a parent together with an
URL was specified, add a `org.osbuild.ostree.passwd` stage which
then will pre-load the uid/gid database with the data from the
parent commit. This ensures that uids and gids do not change for
the "child" commit.
Running the container on Openshift requires that the process inside the
container run without special permissions.
Switching to nginx and setting the following options that don't require
root privileges:
- Port 8080 (> 1024)
- pid file in '/tmp' instead of the default '/run' path
Also, the log file is chmod-ed to be world writable. Nginx always writes
to the default log file on startup, even if a different log file path is
specified in the configuration.
See rhbz#1945238
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
Change the x86_64-specific dracut configuration of RHEL-8.5 and RHEL-9.0
EC2 and AMI images to not include `xen-netfront` driver and add `nvme`
driver, which was previously not included. Since the configuration is no
longer Xen-specific, rename the configuration file to `ec2.conf`.
Justification:
There is no reason to put `xen-netfront` to initramfs as EC2 images don't
boot from network root. In addition, add `nvme` driver to handle the case
when initramfs is getting forcefully rebuild on a Xen instance (and not able
to boot on Nitro after that).
Related to https://issues.redhat.com/browse/COMPOSER-1096.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Feodra 34 and thus RHEL 9 switched to a unified grub configuration,
which means that the main grub config is always located in the same
location, /boot/grub2/grub.cfg.[1] osbuild has used this scheme for
hybrid boot on x64 but not on pure efi systems like aarch64. The
new osbuild option `uefi.unified` was introduced to select that new
unified grug cfg scheme also for those, pure efi, systems. Use that.
[1] https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
Devices unlike stage options, shouldn't be stage specific.
There is only one type of device so far, the loopback device, which
is already defined as a separate type.
The top level Devices type is simply an alias to a Device map.
The mkfs stages require a single device with a specific key ("device").
These stages accept only one device in their NewStage() function for
convenience and create the Stage struct with the required key.
The zipl.inst stage requires a device labeled 'disk' as well as the rest
of the devices that correspond to each partition. The disk device is
passed to the New stage function separately and added to the Stage
devices with the required key.
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
Mounts unlike stage options, shouldn't be stage specific. We have
filesystem specific mount types, differentiated by their type string.
Mounts can define their own additional options if necessary.
The top level Mounts type is simply an alias to a Mount array.
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
The `fix-bls` stage supports a `prefix` argument, which was not
supported in composer. Specifying this argument is necessary in case the
`/boot` mountpoint is on a separate partition.
Add the `prefix` argument to the `fix-bls` stage. Amend unit tests.
The RHEL-8.5 and RHEL-9.0 `aarch64` `ec2` and `ami` images use partitioning
with `/boot` on a separate partition. Due to this, the pipeline must specify
a non-default prefix to the `fix-bls` stage.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Specifying the boot partition filesystem UUID in grub2 stage is required
in case the `/boot` mountpoint is on a separate partition. This is the
case of RHEL-8.5 and RHEL-9.0 `ami` and `ec2` images.
Extend `disk.PartitionTable` with a new `BootPartition` method, which
returns a pointer to partition with FS mountpoint `/boot` if there is
such partition, or `nil` otherwise.
Extend the RHEL-8.5 and RHEL-9.0 code creating options structure for
grub2 osbuild stage to include the boot partition in case it has been
provided.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
The `/boot` partition had incorrect FS type `EFI System partition`,
instead of `Linux filesystem data`. Fix this.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Otherwise, kernel-install will just pick the cmdline from /proc/cmdline
that is actually the host's one. This way, I managed to leak the cmdline
from my Fedora running on btrfs to RHEL 9 image which led to a very weird
results.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
We want to also mangle RHEL 9 in the same style as we do 8.4+.
RHEL 8.0 => rhel-80
RHEL 8.1 => rhel-81
etc
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Renamed tar-installer to image-installer.
This is a more appropriate name:
- It disassociates the image type from the "tar" image type. The two
should not be perceived to be connected.
- It's more descriptive. The format of the payload (tar) isn't relevant
to the purpose of the image type.
The problem: osbuild-composer used to have a rather uncomplete logic for
selecting client certificates and keys while fetching data from
repositories that use the "subscription model". In this scenario, every
repo requires the user to use a client-side TLS certificate. The problem
is that every repo can use its own CA and require a different pair of
a certificate and a key. This case wasn't handled at all in composer.
Furthermore, osbuild-composer can use remote workers which complicates
things even more.
Assumptions: The problem outlined above is hard to solve in the general
case, but Red Hat Subscription Manager places certain limitations on how
subscriptions might be used. For example, a subscription must be tight to
a host system, so there is no way to use such a repository in osbuild-composer
without it being available on the host system as well.
Also, if a user wishes to use a certain repository in osbuild-composer it
must be available on both hosts: the composer and the worker. It will come
with different pair of a client certificate and a key but otherwise, its
configuration remains the same.
The solution: Expect all the subscriptions to be registered in the
/etc/yum.repos.d/redhat.repo file. Read the mapping of URLs to certificates
and keys from there and use it. Don't change the manifest format and let
osbuild guess the appropriate subscription to use.
For s390x, prepend a kernel cmdline stage to the start of the OS
pipeline. This is a noop for other architectures for now.
Signed-off-by: Achilleas Koutsou <achilleas@koutsou.net>
