The org.osbuild.container-deploy stage uses podman. Including it
in the build here will allow that stage to be used with this
pipeline as the buildroot.
Include a workaround here for what I consider to be a bug [1] in that
`podman` will create `/etc/containers/networks` on first run if it
doesn't exist. That dir should just be created by an RPM. If we
don't include this workaround then the stage will fail when `podman`
attempts the `mkdir` because `/etc/containers` is mounted in from
the buildroot readonly.
[1] https://github.com/containers/common/pull/2265
Update the fedora manifest template to F41. This is a preparation for
testing a new `org.osbuild.dnf5.sbom.spdx` stage. In addition to that,
F39 is already EOL and unsupported, so moving to a newer version is
desirable.
Regenerate all testing manifests.
Notes about specific changes:
- Remove `pcmciautils` package from ostree manifest, because it has
been deprecated and it is not available on F41 any more.
- Add `python3-dnf` package to the Fedora build pipeline. The reason
is that DNF5 is installed by default since F41 and the module is
needed to test e.g. `org.osbuild.dnf4.sbom.spdx` or
`org.osbuild.dnf4.mark` stages.
- Add `python3-libdnf5` package to the Fedora build pipeline. This is a
preparation for testing a new `org.osbuild.dnf5.sbom.spdx` stage.
- Install `pam` in `authselect` stage test manifest, because otherwise
authselect fails on the nonexistence of /etc/pam.d.
- Adjust the `dnf4.mark` test case to also accept `dnf5` as the marked
package, because on F41, `dnf` is a virtual provide of it.
- Adjust stage tests and their diffs as needed.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
The next commit will add a stage test that requires erofs-utils. Let's add it
into the buildroot in a separate commit, so the history is more readable.
The items of an array are defined under the `items` key, not under `paths`.
Let's fix this.
Btw, this is possible because JSON Schema itself doesn't use
additionalProperties = false. This allows extending the schemas easily, but
is sadly a bit error-prone.
Sadly, since this issue effectively disabled validation of the stage options,
we also need to relax the schema a bit:
We found out that there are manifests in the wild, that use relative paths,
instead of absolute ones. Thus, this commit changes the validation regex to
allow relative paths. However, this now emits a warning and it's strongly
discouraged. The associated stage test was modified to accommodate for this.
Co-authored-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
rpm-ostree 2023.2 dropped the `rpm-ostree container-encapsulate` entrypoint.
Instead, we have to use `rpm-ostree compose container-encapsulate`.
Adjust the code that it selects the correct entrypoint based on the rpm-ostree
version.
Since the new stage now requires python-yaml, add it to the buildroot and
regenerate all manifests.
This commit changes these manifests to use the new fedora-vars.ipp and
fedora-build-v2.ipp infrastructure to remove all hardcoded Fedora versions.
Note that this is currently limited only to stage tests that already use v2
manifests. v1 manifests will come later.
Notes:
The buildroot needs additional packages: zstd and openscap-utils. Thus,
all manifests had to be regenerated.
GPG keys were added where missing.
The oscap.remediation stage now creates a bunch of files with timestamps in
their names under /var/lib/authselect/backups. Thus, the newly introduced
`added_directories` directive is used to handle them.
I reviewed all changes in `diff.json` files, and they all seem sane given
that we jumped 4 releases forward.
This commit changes this manifest to use the new fedora-vars.ipp and
fedora-build-v2.ipp infrastructure to remove all hardcoded Fedora versions.
An auto-generated ostree ref and isolabel was added to fedora-vars.
smc-meera-fonts was retired, so this commit changes it to rit-meera-new-fonts.
See
a8fe0d2620
icfg and reiserfs-utils are gone too, and they don't seem to be neccessary for
the image, so they were removed as well. Please correct me, if I am wrong.
Add a new stage to generate an OpenSCAP tailoring file. The stage
overrides a base OpenSCAP profile by enabling and disabling user
selected rules and creates a new profile name which can be used for
OpenSCAP scanning and remediation.
Wrap the LVM volume group in a LUKS container with the passphrase
`osbuild` (yes, really, super secure). NB: the kernel command line
is changed to include `luks.uuid` which is needed so that dracut
will attempt to open the luks container. This corresponds to an
crypttab entry `luks-uuid UUID`. We cannot use the /etc/crypttab
for ostree based images because the initrd is created at commit
time but they luks volume is created at deployment time, we have
to use the kernel command line instead. See the man page for the
systemd-cryptsetup-generator(8) for more information.
The `cryptsetup` package is included in the build root since it is
needed by the `org.osbuild.luks2.format` stage. All manifests that
are using the `f34-build-v2` build root change as a result.
The order of entries in a dictionary is not specified by the JSON
standard and hard to control when marshalling dictionaries in Go.
Since the order of mounts is important and the wrong order leads
to wrong mount trees change the `mounts` field to an array. This
breaks existing manifests but after careful deliberation it was
concluded that the original schema with mounts as dictionaries
is not something we want to support. Apologies to everyone.
Adjust the schema of the copy and zipl stage accordingly.
Instead of having the OSTree repo in the anaconda root squashfs,
put the it to the root of the iso. This has several advantages:
first and foremost, we don't have to make a huge squahfs file-
system. We don't have to compress the repo. Additionally, the
repo is now easily accessible by mounting the iso.
Intead of overwriting the standard ananconda kickstart file, we
move it to the root of the iso. To have anaconda pick it up an
additional kernel command line parameter is required.
F34+ has the xorg-x11-server-utils package split up. Install the
individual new packages we need for anaconda.
See Anaconda commit 55371c996861a47da9504b31118858dd3257a8b0
The manifests set a "en_US" locale but this causes gnome-terminal to not
run due a non UTF-8 locale being used, which is an unsupported config:
gnome-terminal-server[1899]: Non UTF-8 locale (ISO-8859-1) is not supported!
Reported-by: Stephen Smoogen <ssmoogen@redhat.com>
The logic to sort urls was added globally in `mpp-import-pipeline`
but only the in the v1 code path was the `state.manifest_urls`
variable set and thus for v2 the actual sorting did not happen.
Fix this and set the `manifest_urls` to the `org.osbuild.curl`
items, which makes sense because we only know how to sort those.
In both mpp-depsolve and mpp-import-pipeline, sort the packages to
url dictionary before writing the JSON. This makes it easier to
look for packages but more importantly ensures that the resulting
set of packages has the same ordering in the sources section
independently of how it was assembled.
Move from using 'zram' to 'zram-generator-defaults' in the ostree bootiso
testing manifest. More information is available in Fedora 33 Change
document [1].
Add org.osbuild.kernel-cmdline stage to fedora-boot.json manifest
because of change in how grub handles the kernel command line arguments
[2].
GRUB2 Stage 2 checksums in assemblers test are updated. The change have
been verified by building the fedora-boot.json manifest with each checked
filesystem and booting the image in QEMU with legacy mode.
[1] https://fedoraproject.org/wiki/Changes/SwapOnZRAM
[2] https://github.com/osbuild/osbuild-composer/pull/982#issuecomment-697356929
Signed-off-by: Tomas Hozza <thozza@redhat.com>
This new manifests creates an boot iso which contains an ostree
commit that is build in the same manifest. The boot iso can then
be installed via the ISO.
