Without configured repositories the generated pacman.conf isn't super
useful. Pacman supports two different ways to configure a repository
either with a Server = line or sourced from pacman's mirrorlist.
This stage is needed to write down the FDO DIUN pub key root certs
needed to talk to the manufacturer server to grab the device credentials
for provisioning and later onboarding
Co-Authored-By: Antonio Murdaca <runcom@linux.com>
According to OCI image specification the `created` property needs
to be in the format describe in RFC 3339, section 5.6 "Internet Date /
Time Format". The suffix is the "time-offset" which is either "Z" or
"time-numoffset".
Before commit 25b5679[2] we the datetime object, created via `utcnow`
did not have timezone information so "Z" was manually appended. This
was changed with commit 25b5679 and now the timezone information was
indeed included, which also meant that `isoformat` now included the
offset, i.e. `+00:00`. But the `Z` was still appended and the result
was `+00:00Z`, something that is not standard compliant. Fix this
by removing the extra `Z`.
[1] https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[2] 25b567990b
Each time the overlay backend runs on an xfs fs it creates the
file "overlay/backingFsBlockDev" in the containers storage directory.
It is not needed in the image as skopeo recreates it each boot, and
since it is a block device its existance means we can't store the
resulting tree in ostree. Lets just get rid of it.
This adds a stage called org.osbuild.skopeo that installs docker and
oci archive files into the container storage of the tree being
constructed.
The source can either be a file from another pipeline, for example one
created with the existing org.osbuild.oci-archive stage, or it can
be using the new org.osbuild.skopeo source and org.osbuild.containers
input, which will download an image from a registry and install that.
There is an optional option in the install stage that lets you
configure a custom storage location, which allows the use of the
additionalimagestores option in the container storage.conf
to use a read-only image stores (instead of /var/lib/container).
Note: skopeo fails to start if /etc/containers/policy.json is
not available, so we bind mount it from the build tree to the
buildroot if available.
This tries to make the various tar-balls produced by the stage more
likely to be identical in separate runs. We do this by sorting
the names and removing some unnecessary metadata for the files.
The most important thing to get right is the layer tarball, because
that is what defines the container id. We sort the names to avoid
random differences, and drop ctimes and atimes because these are
generally just set to the something near the current build time which
is not useful to encode in the container image. This is as opposed
to the mtime which generally comes from e.g. the rpms that where
installed in the pipeline.
For the actual archive tarball we can standardize metadata even more,
because none of the metadata are used when consuming the archive.
Currently we always write the kernel command line to the `grubenv`
file, if only to include the root device. Starting with Fedora 33
and thus RHEL 9, the kernel command line included statically in
the BLS snippets and the grubenv `kernelopts` variable not used.
Instead one of the {/usr/lib,/etc}/kernel/cmdline files is read
and the parameters in them used during the creation of the BLS
snippets.
Therefore we add a new `write_cmdline` option that, if set to
FALSE, will prevent us from writing the kernel command line.
The sysconfig stage currently does not produce expected results when
used multiple times within the same pipeline. Specifically, the stage
always truncates respective configuration files for properties `kernel`
and `network`, if if these are not set in the stage options. Due to this
reason, the outcome of the image builds may depend on the order of
multiple occurrences of the sysconfig stage.
The following two pipeline snippets would produce different
configuration files content:
Configuration files are truncated:
```
{
"type": "org.osbuild.sysconfig",
"options": {
"kernel": {
"update_default": true,
"default_kernel": "kernel"
},
"network": {
"networking": true,
"no_zero_conf": true
}
}
},
{
"type": "org.osbuild.sysconfig",
"options": {
"network-scripts": {
"ifcfg": {
"eth0": {
"bootproto": "dhcp",
"device": "eth0",
"ipv6init": false,
"onboot": true,
"peerdns": true,
"type": "Ethernet",
"userctl": true
}
}
}
}
},
```
No configuration files are truncated:
```
{
"type": "org.osbuild.sysconfig",
"options": {
"network-scripts": {
"ifcfg": {
"eth0": {
"bootproto": "dhcp",
"device": "eth0",
"ipv6init": false,
"onboot": true,
"peerdns": true,
"type": "Ethernet",
"userctl": true
}
}
}
}
},
{
"type": "org.osbuild.sysconfig",
"options": {
"kernel": {
"update_default": true,
"default_kernel": "kernel"
},
"network": {
"networking": true,
"no_zero_conf": true
}
}
},
```
Change the stage to not touch respective configuration files if the
`kernel` and `network` properties are not set in the stage options.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Pacman is the default package manager for Arch Linux and derivates, the
pacman.conf stage generate a valid pacman.conf configuration file.
Co-Authored-By: Jelle van der Waa <jvanderwaa@redhat.com>
Add a new stage `org.osbuild.dnf-automatic.config` for configuring DNF
Automatic.
The stage changes persistent DNF Automatic configuration. Currently, only
a subset of options can be set:
- 'commands' section
- apply_updates
- upgrade_type
Fix#908
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Add a new stage `org.osbuild.yum.repos` for creating YUM / DNF `.repo`
files in `/etc/yum.repos.d`. All repo-specific options are supported but
only a subset of options which can be set for a repo as well as in the
[main] section are supported.
Add unit test for the new stage.
Fix#907
Signed-off-by: Tomas Hozza <thozza@redhat.com>
New stage to initialize LUKS2 container on a given device, usually a
loopback device bound to a partition. The passphrase and uuid of the
container need to be specified. Optionally the cipher, label, sector
size and sub-label can be specified. Requires the cryptsetup binary
to be install in the build root.
Add support for `PermitRootLogin` option in the
`org.osbuild.sshd.config` stage.
I kept the "yes" and "no" values for consistency with other stage
options. While it will make the implementation in osbuild-composer
harder, it won't be impossible as we already have a precedence for doing
it this way (e.g. in the `org.osbuild.pam.limits.conf`).
Modify the stage unit tests to check the new option.
Remove the empty `org.osbuild.sshd.config` stage from `a.mpp.json`
since it does not add any value and it actually made the `tree-diff`
tool provide a weird tree diff results.
Fix#910
Signed-off-by: Tomas Hozza <thozza@redhat.com>
The idea behind the stage is to provision `var` of the stateroot,
i.e. the `var` the is shared amongst all deployments for a given
os (indicated by `osname`, e.g. `fedora`, `centos`, ...).
For `systemd-tmpfiles` to infer the correct paths, it needs to be
run on the deployment. The `var` of the latter needs to be bind-
mounted to the `var` of the stateroot, because it is shared. This
was always the intention but not what the code did. Fix this by
getting the `var` of the stateroot and bind it to the `var` of
the deployment.
NB: In reality this never mattered since systemd-tmpfiles is also
run during system startup.
This stage the same args and formats as org.osbuild.untar (and as such
much code is just copied from that stage), except it runs gunzip
instead. I need this to uncompress the aarch64 kernel when directly
uefi-booting it.
This applies the default authconfig settings to the tree.
Note that the `/backups` directory is removed. The tool creaset
this, and by default it should not exist, so this should be a
noop. However, if you run this on a tree with existing backups,
they would be lost.
This should not be needed in any case but can be a sledgehammer
for situations where we cannot properly label a file; it turns
out such a scenario is if a label, lets call it `a1`, is is an
alias to another label, lets call it `l1`. Setting `a1` will
lead to `l1` being read back, and thus copying the label `a1`
will result on the label `l1` being copied instead. Now if the
target distribution does not have `l1` but only has `a1` we
cannot set it and thus will end up with an unlabeled file.
Adds support to configure `yum-plugins`, which currently is a full
alias for `dnf-plugins`, although this might change in the future,
in case dnf options diverge from yum. It allows for both yum and
dnf plugins to be configured at the same time since on RHEL 7 both
files will be present.
Add a new stage for modifying YUM global configuration.
Add a unit test case for the newly added stage.
Because we test stages on Fedora, where there is no YUM, and this stage
is mostly intended for being used with RHEL-7 images, the stage does not
produce error in case the `/etc/yum.conf` file does not exist. It rather
produces a warning and creates the file. Ideally the stage would produce
an error in case the configuration file does not exist, but that would
be impossible to test on recent Fedora.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
It's possible the keys "logging" and "telemetry" can be arbitrary names.
If that's the case, we can change the schema without breaking backwards
compatibility, so defining known keys is safer.
New stage to schedule a script via a /etc/cron.{hourly, daily ...}.
Currently only a simple command that will be put into an generated
script with the given name. Later more options might be added.
This commit adds options to the org.osbuild.grub2 stage to configure
terminal input and output, serial console and timeout.
The functionality and configuration schema is the same as in the legacy
grub2 stage.
This is requried to comply with Azure marketplace best
practices. The WALinuxAgent should not handle formating or
swap, as that is done by cloud-init.
Signed-off-by: Tom Gundersen <teg@jklm.no>
