#50 F40: Add bootc image
Merged 2 months ago by pbrobinson. Opened 2 months ago by pwhalen.
fedora-iot/ pwhalen/ostree f40-bootc  into  f40

F40: Add bootc image
Paul Whalen • 2 months ago  
@@ -0,0 +1,9 @@ 

+ # Enable automatic updates by default

+ postprocess:

+   - |

+     #!/usr/bin/env bash

+     set -euo pipefail

+     target=/usr/lib/systemd/system/default.target.wants

+     mkdir -p $target

+     set -x

+     ln -s ../bootc-fetch-apply-updates.timer $target
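Review bot: `ln -s ../bootc-fetch-apply-updates.timer $target` on the last line is not idempotent: under the `set -euo pipefail` two lines earlier the script aborts if the link already exists (for instance when a derived build re-runs this postprocess), whereas the basic-fixes hunk guards its tmp.mount link with a `test '!' -f` check before `ln -sf`. Quoting the variable and using `ln -sf ../bootc-fetch-apply-updates.timer "$target/"` makes it safe to repeat. Since enabling unattended image updates by default is behaviour consumers should see documented, the header comment could say what is being switched on, e.g. `# Enable bootc-fetch-apply-updates.timer so the booted system periodically fetches and applies image updates; derived images can mask the timer to opt out.`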

@@ -0,0 +1,29 @@ 

+ # Fix general bugs

+ 

+ postprocess:

+   # See also https://github.com/openshift/os/blob/f6cde963ee140c02364674db378b2bc4ac42675b/common.yaml#L156

+   # This one is undoes the effect of

+   # # RHEL-only: Disable /tmp on tmpfs.

+   #Wants=tmp.mount

+   # in /usr/lib/systemd/system/basic.target

+   # We absolutely must have tmpfs-on-tmp for multiple reasons,

+   # but the biggest is that when we have composefs for / it's read-only,

+   # and for units with ProtectSystem=full systemd clones / but needs

+   # a writable place.

+   - |

+     #!/usr/bin/env bash

+     set -xeuo pipefail

+     mkdir -p /usr/lib/systemd/system/local-fs.target.wants

+     if test '!' -f /usr/lib/systemd/system/local-fs.target.wants/tmp.mount; then

+       ln -sf ../tmp.mount /usr/lib/systemd/system/local-fs.target.wants

+     fi

+ 

+     # See https://github.com/containers/bootc/issues/358

+     # basically systemd-tmpfiles doesn't follow symlinks; ordinarily our

+     # tmpfiles.d unit for `/var/roothome` is fine, but this actually doesn't

+     # work if we want to use tmpfiles.d to write to `/root/.ssh` because

+     # tmpfiles gives up on that before getting to `/var/roothome`.

+     sed -ie 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf

+     # Because /var/roothome is also defined in rpm-ostree-0-integration.conf

+     # we need to delete /var/roothome

+     sed -ie '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf
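Review bot: The two `sed -ie ...` lines pass `-ie` as one option, which GNU sed reads as `-i` with backup suffix `e` rather than `-i -e`, so each call leaves a stray `provision.confe` copy in /usr/lib/tmpfiles.d/ inside the image (the second call overwrites the first). systemd-tmpfiles presumably only reads `*.conf`, so the copy is likely inert, but it is still shipped cruft; write them as `sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf` and `sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf`. The leading comment `# This one is undoes the effect of` should read `# This one undoes the effect of`.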

@@ -0,0 +1,10 @@ 

+ # Configuration for bootc

+ postprocess:

+   # ext4 is our default filesystem in iot

+   - |

+     #!/usr/bin/env bash

+     mkdir -p /usr/lib/bootc/install/

+     cat > /usr/lib/bootc/install/20-default-root.toml << EOF

+     [install]

+     root-fs-type = "ext4"

+     EOF
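Review bot: The postprocess script starting at `#!/usr/bin/env bash` has no `set -euo pipefail`, unlike the autoupdates, basic-fixes and bootupd scripts in this PR, so a failing `mkdir -p` does not stop the script and the result depends only on the exit status of the final `cat`. Add `set -euo pipefail` directly after the shebang; the same applies to the initramfs (`20-bootc-base.conf`) and ostree (`prepare-root.conf`) postprocess hunks. The heredoc here could also use a quoted delimiter, `<< 'EOF'`, as the initramfs hunk does, so the TOML body is never subject to shell expansion if someone later adds a `$` to it.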

@@ -0,0 +1,12 @@ 

+ # The bootc components.

+ packages:

+  - systemd

+  - bootc

+  # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk

+  - gdisk xfsprogs e2fsprogs dosfstools

+ 

+ exclude-packages:

+   # Exclude kernel-debug-core to make sure that it doesn't somehow get

+   # chosen as the package to satisfy the `kernel-core` dependency from

+   # the kernel package.

+   - kernel-debug-core
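Review bot: The `packages:` sequence is indented by one space (` - systemd`, ` - bootc`) while `exclude-packages:` uses two, and the same one-space indent appears in the kernel hunk (` - kernel`) and the ostree hunk (` - ostree nss-altfiles`). Both forms parse, but yamllint's indentation check flags the mix; use two spaces file-wide, e.g. `  - systemd`, `  - bootc`, `  - gdisk xfsprogs e2fsprogs dosfstools`. The comment on that last item could also note that the space-separated string is a single list entry that rpm-ostree splits into four packages, since a reader may otherwise take it for a formatting slip.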

@@ -0,0 +1,31 @@ 

+ # Integration with https://github.com/coreos/bootupd and bootloader logic

+ # xref https://github.com/coreos/fedora-coreos-tracker/issues/510

+ packages:

+   - bootupd

+ 

+ # bootloader

+ packages-aarch64:

+   - grub2-efi-aa64 efibootmgr shim

+ packages-ppc64le:

+   - grub2 ostree-grub2

+ packages-s390x:

+   # On Fedora, this is provided by s390utils-core. on RHEL, this is for now

+   # provided by s390utils-base, but soon will be -core too.

+   - /usr/sbin/zipl

+ packages-x86_64:

+   - grub2 grub2-efi-x64 efibootmgr shim

+   - microcode_ctl

+ 

+ conditional-include:

+   - if: basearch != "s390x"

+     # And remove some cruft from grub2

+     include: grub2-removals.yaml

+ 

+ postprocess:

+   - |

+     #!/bin/bash

+     set -xeuo pipefail

+     # Until we have https://github.com/coreos/rpm-ostree/pull/2275

+     mkdir -p /run

+     # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload

+     /usr/bin/bootupctl backend generate-update-metadata
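Review bot: This file carries `packages-ppc64le:` and `packages-s390x:` stanzas and an s390x `conditional-include`, but the manifest hunk's `arch-include:` only pulls `bootupd.yaml` in for x86_64 and aarch64, so as far as this PR shows those stanzas are never evaluated; either drop them or note in the header comment that they are kept for parity with the upstream source. If they are reachable through an include not in this PR, a one-line comment saying so would save the next reader the same search. Minor style point: the script uses `#!/bin/bash` while every other postprocess script in the PR uses `#!/usr/bin/env bash`.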

@@ -0,0 +1,46 @@ 

+ root:x:0:

+ bin:x:1:

+ daemon:x:2:

+ sys:x:3:

+ adm:x:4:

+ tty:x:5:

+ disk:x:6:

+ lp:x:7:

+ mem:x:8:

+ kmem:x:9:

+ wheel:x:10:

+ cdrom:x:11:

+ mail:x:12:

+ man:x:15:

+ sudo:x:16:

+ dialout:x:18:

+ floppy:x:19:

+ games:x:20:

+ tape:x:33:

+ video:x:39:

+ ftp:x:50:

+ lock:x:54:

+ audio:x:63:

+ nobody:x:99:

+ users:x:100:

+ ssh_keys:x:999:

+ systemd-journal:x:190:

+ polkitd:x:998:

+ etcd:x:997:

+ dip:x:40:

+ cgred:x:996:

+ avahi-autoipd:x:170:

+ sssd:x:993:

+ dockerroot:x:986:

+ rpcuser:x:29:

+ nfsnobody:x:65534:

+ kube:x:994:

+ chrony:x:992:

+ tcpdump:x:72:

+ ceph:x:167:

+ input:x:104:

+ systemd-timesync:x:991:

+ systemd-network:x:990:

+ systemd-resolve:x:989:

+ systemd-bus-proxy:x:988:

+ cockpit-ws:x:987:
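Review bot: Three primary GIDs referenced from the passwd hunk have no entry in this group file: `dbus:x:81:81`, `sshd:x:74:74` and `rpc:x:32:32` name groups 81, 74 and 32, which are absent here. With the manifest's `check-groups: type: "file"` comparing the composed /etc/group against this file, those groups are either created at compose time with whatever ids are free or trip the check; I cannot tell from the PR which, so please verify against a compose, and if the ids are meant to be static add `dbus:x:81:`, `sshd:x:74:` and `rpc:x:32:` here. This matters in particular for dbus, since the manifest hunk strips `/usr/lib/sysusers.d/dbus.conf` from dbus-common, so that group cannot come from the sysusers fragment.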

@@ -0,0 +1,8 @@ 

+ remove-from-packages:

+   # The grub bits are mainly designed for desktops, and IMO haven't seen

+   # enough testing in concert with ostree. At some point we'll flesh out

+   # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47

+   - [grub2-tools, /etc/grub.d/08_fallback_counting,

+                   /etc/grub.d/10_reset_boot_success,

+                   /etc/grub.d/12_menu_auto_hide,

+                   /usr/lib/systemd/.*]
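Review bot: The `remove-from-packages` entry is a flow sequence broken across four lines; block style (one `- path` per line nested under `- - grub2-tools`) reads better and diffs per line, and the file already uses block style everywhere else. The entries are regular expressions, so `/usr/lib/systemd/.*` removes every file grub2-tools installs under /usr/lib/systemd; the comment should state that explicitly instead of "remove some cruft", e.g. `# Drop grub2-tools' boot-counting scripts and everything it installs under /usr/lib/systemd (patterns are regexes).`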

@@ -0,0 +1,18 @@ 

+ # Configuration for the initramfs

+ postprocess:

+   - |

+     #!/usr/bin/env bash

+     mkdir -p /usr/lib/dracut/dracut.conf.d

+     cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'

+     # We want a generic image; hostonly makes no sense as part of a server side build

+     hostonly=no

+     dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "

+     EOF

+     cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'

+     # Extra modules that we want by default that are known to exist in the kernel

+     dracutmodules+=" virtiofs "

+     EOF

+     cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'

+     # We want this for systemd-cryptsetup tpm2 locking

+     dracutmodules+=" tpm2-tss "

+     EOF

@@ -0,0 +1,6 @@ 

+ # Enable the Linux kernel; see also kernel-rt.

+ packages:

+  - kernel

+ 

+ exclude-packages:

+   - kernel-debug

@@ -0,0 +1,71 @@ 

+ 

+ # Modern defaults we want

+ boot-location: modules

+ tmp-is-dir: true

+ # https://github.com/CentOS/centos-bootc/issues/167

+ machineid-compat: true

+ # Be minimal

+ recommends: false

+ 

+ ignore-removed-users:

+   - root

+ ignore-removed-groups:

+   - root

+ etc-group-members:

+   - wheel

+   - sudo

+   - systemd-journal

+   - adm

+ 

+ # Default to `bash` in our container, the same as other containers we ship.

+ container-cmd:

+   - /sbin/init

+ 

+ # Note that the default for c9s+ is sqlite; we can't rely on rpm being

+ # in the target (it isn't in tier-0!) so turn this to host here.  This

+ # does break the "hermetic build" aspect a bit.  Maybe eventually

+ # what we should do is special case this and actually install RPM temporarily

+ # and then remove it...

+ rpmdb: host

+ 

+ check-passwd:

+   type: "file"

+   filename: "passwd"

+ check-groups:

+   type: "file"

+   filename: "group"

+ 

+ automatic-version-prefix: "${releasever}.<date:%Y%m%d>"

+ mutate-os-release: "${releasever}"

+ 

+ remove-from-packages:

+   # Generally we expect other tools to do this (e.g. Ignition or cloud-init)

+   - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]

+   # We don't want auto-generated mount units. See also

+   # https://github.com/systemd/systemd/issues/13099

+   - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]

+   # Drop some buggy sysusers fragments which do not match static IDs allocation:

+   # https://bugzilla.redhat.com/show_bug.cgi?id=2105177

+   - [dbus-common, /usr/lib/sysusers.d/dbus.conf]

+ 

+ include:

+   - bootc.yaml

+   - ostree.yaml

+   - bootc-config.yaml

+   - initramfs.yaml

+   - autoupdates.yaml

+   - basic-fixes.yaml

+ 

+ packages:

+   # Even in tier-0, we have this.  If you don't want SELinux today, you'll need

+   # to build a custom image.

+   - selinux-policy-targeted

+   # And we want container-selinux because trying to layer it on later currently causes issues.

+   - container-selinux

+   # Needed for tpm2 bound luks

+   - tpm2-tools

+ 

+ # See https://github.com/coreos/bootupd

+ arch-include:

+   x86_64: bootupd.yaml

+   aarch64: bootupd.yaml
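Review bot: The comment `# Default to `bash` in our container, the same as other containers we ship.` above `container-cmd:` does not match the value `/sbin/init`; one of the two is stale. If systemd as PID 1 is intended, replace the comment with `# Run systemd (/sbin/init) as the container entrypoint.` Separately, the `rpmdb: host` comment talks about c9s and tier-0 and the `ignore-removed-users:`/`ignore-removed-groups:` stanzas list only root, which suggests these were copied from another bootc manifest; a header comment naming that upstream source (the basic-fixes hunk already links openshift/os for the same reason) would make later syncs easier to review.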

@@ -0,0 +1,17 @@ 

+ packages:

+  - ostree nss-altfiles

+ 

+ # We want content lifecycled with the image

+ opt-usrlocal: "root"

+ 

+ postprocess:

+   # Set up default root config

+   - |

+     #!/usr/bin/env bash

+     mkdir -p /usr/lib/ostree

+     cat > /usr/lib/ostree/prepare-root.conf << EOF

+     [composefs]

+     enabled = yes

+     [sysroot]

+     readonly = true

+     EOF

@@ -0,0 +1,32 @@ 

+ adm:x:3:4:adm:/var/adm:/usr/sbin/nologin

+ avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin

+ bin:x:1:1:bin:/bin:/usr/sbin/nologin

+ ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin

+ chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin

+ cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin

+ daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin

+ dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin

+ dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin

+ etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin

+ ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin

+ games:x:12:100:games:/usr/games:/usr/sbin/nologin

+ halt:x:7:0:halt:/sbin:/sbin/halt

+ kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin

+ lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin

+ mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin

+ nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin

+ nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin

+ operator:x:11:0:operator:/root:/usr/sbin/nologin

+ polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin

+ root:x:0:0:Super User:/root:/bin/bash

+ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin

+ rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin

+ shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin

+ sssd:x:995:993:User for sssd:/:/usr/sbin/nologin

+ sync:x:5:0:sync:/sbin:/bin/sync

+ systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin

+ systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin

+ systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin

+ systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin

+ tcpdump:x:72:72::/:/usr/sbin/nologin

file added
+15
@@ -0,0 +1,15 @@ 

+ releasever: 40

+ variables:

+   distro: "fedora"

+ 

+ repos:

+   - fedora-40

+ 

+ metadata:

+   name: fedora-bootc

+   summary: Fedora base bootc image

+ 

+ include:

+   - fedora-bootc-base/manifest.yaml

+   - fedora-bootc-base/kernel.yaml

+
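Review bot: `releasever: 40` is an unquoted integer while `distro: "fedora"` directly below is quoted; rpm-ostree interpolates the value as text into `${releasever}` in `automatic-version-prefix` and `mutate-os-release`, and generic YAML tooling (yamllint, schema checks, Prettier) will type it as an int, so write `releasever: "40"` for consistency and portability. The `repos:` entry `fedora-40` also assumes a repo definition of that name that this PR does not add; presumably it lives elsewhere in the repository, and a comment naming that file would help.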