commit 60d8e77ee405b59ff96ebf7a3a4fd1f9a784272b
Author: Colin Walters
Date: Fri Dec 9 15:30:03 2022 -0500
Initial split from Fedora CoreOS
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..b81e261
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,21 @@
+Copyright 2018 Fedora CoreOS Authors.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/LICENSE b/LICENSE
new file mode 120000
index 0000000..d24842f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1 @@
+COPYING
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3989059
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# Demonstration base images for use with bootc
+
+This repository contains "base images" suitable for use with github.com/containers/bootc
+
+These images are considered experimental. The intention is that these images are
+generated by the OS vendor or distribution.
diff --git a/oscore/bootable-rpm-ostree.yaml b/oscore/bootable-rpm-ostree.yaml
new file mode 100644
index 0000000..c93ecbe
--- /dev/null
+++ b/oscore/bootable-rpm-ostree.yaml
@@ -0,0 +1,53 @@
+# This minimal base starts just from: kernel + systemd + rpm-ostree + bootloader.
+# The intent of this is to inherit from this if you are doing something highly
+# custom that e.g. might not involve Ignition or podman, but you do want
+# rpm-ostree.
+# We expect most people though using coreos-assembler to inherit from
+# fedora-coreos-base.yaml.
+packages:
+  # Kernel + systemd.
+  - kernel systemd
+  # linux-firmware now a recommends so let's explicitly include it
+  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+  - linux-firmware
+  # rpm-ostree
+  - rpm-ostree nss-altfiles
+
+# bootloader
+packages-aarch64:
+  - grub2-efi-aa64 efibootmgr shim
+  # firmware updates
+  - fwupd
+packages-ppc64le:
+  - grub2 ostree-grub2
+  # firmware updates
+  - fwupd
+packages-s390x:
+  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+  # provided by s390utils-base, but soon will be -core too.
+  - /usr/sbin/zipl
+  # for Secure Execution
+  - veritysetup
+packages-x86_64:
+  - grub2 grub2-efi-x64 efibootmgr shim
+  - microcode_ctl
+  # firmware updates
+  - fwupd
+
+postprocess:
+  # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2112857
+  # https://github.com/coreos/rpm-ostree/issues/3918
+  # Temporary workaround to remove the SetGID binary from liblockfile that is
+  # pulled by the s390utils but not needed for /usr/sbin/zipl.
+  - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ rm -f /usr/bin/dotlockfile
+
+exclude-packages:
+  # Exclude kernel-debug-core to make sure that it doesn't somehow get
+  # chosen as the package to satisfy the `kernel-core` dependency from
+  # the kernel package.
+  - kernel-debug-core
diff --git a/oscore/bootupd.yaml b/oscore/bootupd.yaml
new file mode 100644
index 0000000..ca8c5de
--- /dev/null
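Review bot: The header comment still tells readers that most users should inherit from `fedora-coreos-base.yaml`, but no such file exists in this commit and the `manifest.yaml` added alongside it includes this file directly, so the guidance is stale for a tree that has just split from Fedora CoreOS. Suggest replacing the last two comment lines with `# manifest.yaml in this repository includes this file directly; inherit from it when you only want the rpm-ostree bootable core.` The `rm -f /usr/bin/dotlockfile` postprocess also runs unconditionally on every architecture although the comment scopes the setgid binary to what s390utils pulls in; `rm -f` makes that a harmless no-op elsewhere, and saying so (`# rm -f: no-op on arches where liblockfile is not installed`) stops a reader from moving it into packages-s390x by mistake.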
+++ b/oscore/bootupd.yaml
@@ -0,0 +1,13 @@
+# Integration with https://github.com/coreos/bootupd
+# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
+packages:
+  - bootupd
+
+postprocess:
+  - |
+ #!/bin/bash
+ set -xeuo pipefail
+ # Until we have https://github.com/coreos/rpm-ostree/pull/2275
+ mkdir -p /run
+ # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
+ /usr/bin/bootupctl backend generate-update-metadata /
diff --git a/oscore/fedora-next.repo b/oscore/fedora-next.repo
new file mode 100644
index 0000000..a7bb4a2
--- /dev/null
+++ b/oscore/fedora-next.repo
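Review bot: The postprocess script here uses `#!/bin/bash` while every other postprocess script in this commit uses `#!/usr/bin/env bash`; pick one form across the manifests, e.g. `#!/usr/bin/env bash`. The comment on the `mkdir -p /run` line only cites a pull request and does not say what is being worked around, so a later maintainer cannot tell when it may be deleted; state the observable need, e.g. `# bootupctl needs /run to exist; presumably the postprocess environment does not create it yet (rpm-ostree PR 2275)`, with the presumption confirmed against that PR.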
@@ -0,0 +1,76 @@
+# Note we use baseurl= here because using auto-selected mirrors conflicts with
+# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
+
+[fedora-next]
+name=Fedora $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
+ https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-next-updates]
+name=Fedora $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-next-updates-testing]
+name=Fedora $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-next-modular]
+name=Fedora Modular $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Modular/$basearch/os/
+ https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Modular/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-next-updates-modular]
+name=Fedora Modular $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-next-updates-testing-modular]
+name=Fedora Modular $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
diff --git a/oscore/fedora-rawhide.repo b/oscore/fedora-rawhide.repo
new file mode 100644
index 0000000..05034e5
--- /dev/null
+++ b/oscore/fedora-rawhide.repo
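Review bot: The sections of this file disagree on where the package-signing key lives: the non-modular sections verify against `/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary`, while `[fedora-next-modular]` and `[fedora-next-updates-modular]` point at `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch`, so verification for those two depends on a second key location being present in the build environment that nothing else in the file requires, and `[fedora-next-updates-testing-modular]` goes back to the first path. The same split appears in `oscore/fedora.repo` (`[fedora-modular]`, `[fedora-updates-modular]`). Unless the difference is deliberate, use `gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary` in every section. Every section also sets `repo_gpgcheck=0` without explanation; since metadata comes from a fixed `baseurl` rather than a checksummed metalink, a one-line comment such as `# repo_gpgcheck=0: repomd.xml is not signature-checked; packages still are (gpgcheck=1)` records exactly what is and is not verified.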
@@ -0,0 +1,38 @@
+# Note we use baseurl= here because using auto-selected mirrors conflicts with
+# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
+
+[fedora-rawhide]
+name=Fedora - Rawhide - Developmental packages for the next Fedora release
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/$basearch/os/
+ https://dl.fedoraproject.org/pub/fedora-secondary/development/rawhide/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch
+enabled=1
+countme=1
+metadata_expire=6h
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+excludepkgs=kernel kernel-core kernel-modules
+
+# We are choosing to use only nodebug kernels in Fedora CoreOS
+# for our testing. We've seen too many issues where an issue either
+# shows up only on the debug kernels OR a debug kernel gives us a
+# false positive or negative when trying to root cause a failure.
+# Thus we use the nodebug kernel repo [1] and includepkgs=kernel
+# here and excludepkgs=kernel above.
+#
+# [1] https://fedoraproject.org/wiki/RawhideKernelNodebug
+[fedora-rawhide-nodebug-kernel]
+name=nodebug kernels for Rawhide
+baseurl=https://dl.fedoraproject.org/pub/alt/rawhide-kernel-nodebug/$basearch/
+enabled=1
+countme=1
+metadata_expire=6h
+repo_gpgcheck=0
+type=rpm
+gpgcheck=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+includepkgs=kernel kernel-core kernel-modules
diff --git a/oscore/fedora.repo b/oscore/fedora.repo
new file mode 100644
index 0000000..c4bc1c8
--- /dev/null
+++ b/oscore/fedora.repo
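Review bot: `[fedora-rawhide-nodebug-kernel]` sets `gpgcheck=0`, and because `includepkgs=kernel kernel-core kernel-modules` here pairs with the matching `excludepkgs` in `[fedora-rawhide]`, this repo is the only source of the kernel, so the kernel becomes the one component of the tree installed without signature verification; the `gpgkey=` line in that section is inert while gpgcheck is off. If the nodebug builds really are unsigned, say so beside the setting, e.g. `# gpgcheck=0: nodebug kernel builds are not signed with the Fedora key (see [1]); integrity rests on the HTTPS baseurl only`, so the exception is visible rather than looking like an oversight. Separately, the primary `baseurl` of `[fedora-rawhide]` is `http://` while its secondary mirror and every other repo file in this commit use `https://`; with `repo_gpgcheck=0` the repodata is not signature-checked, so plain HTTP leaves metadata integrity to nothing at all, and the line should read `baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/$basearch/os/`.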
@@ -0,0 +1,76 @@
+# Note we use baseurl= here because using auto-selected mirrors conflicts with
+# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
+
+[fedora]
+name=Fedora $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+ https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-updates]
+name=Fedora $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-updates-testing]
+name=Fedora $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
+
+[fedora-modular]
+name=Fedora Modular $releasever - $basearch
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
+ https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-updates-modular]
+name=Fedora Modular $releasever - $basearch - Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
+enabled=1
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[fedora-updates-testing-modular]
+name=Fedora Modular $releasever - $basearch - Test Updates
+baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
+ https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
+#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False
diff --git a/oscore/file-transfer.yaml b/oscore/file-transfer.yaml
new file mode 100644
index 0000000..88e27b9
--- /dev/null
+++ b/oscore/file-transfer.yaml
@@ -0,0 +1,8 @@
+# Moving files around and verifying them
+packages:
+  - git-core
+  - gnupg2
+  - rsync
+  # Explicit dependency on curl because we use it in coreos-livepxe-rootfs.sh
+  # We need curl and not curl-minimal because we support TFTP.
+  - curl
diff --git a/oscore/group b/oscore/group
new file mode 100644
index 0000000..2fd197c
--- /dev/null
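Review bot: The comment justifying the explicit `curl` dependency cites `coreos-livepxe-rootfs.sh`, a script that is not part of this commit, so a reader of this repository cannot tell whether the requirement for full curl rather than curl-minimal (TFTP support) still holds after the split from Fedora CoreOS. If the live-PXE flow does not ship from here, restate the requirement on its own terms, e.g. `# Full curl (not curl-minimal): TFTP URL support is required; inherited from the Fedora CoreOS live-PXE rootfs script`, or switch to curl-minimal if nothing in this tree needs TFTP. Keeping the larger curl build on every image for a consumer that may no longer exist is extra attack surface with no stated benefit.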
+++ b/oscore/group
@@ -0,0 +1,46 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+sudo:x:16:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+ssh_keys:x:999:
+systemd-journal:x:190:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+avahi-autoipd:x:170:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+chrony:x:992:
+tcpdump:x:72:
+ceph:x:167:
+input:x:104:
+systemd-timesync:x:991:
+systemd-network:x:990:
+systemd-resolve:x:989:
+systemd-bus-proxy:x:988:
+cockpit-ws:x:987:
diff --git a/oscore/grub2-removals.yaml b/oscore/grub2-removals.yaml
new file mode 100644
index 0000000..f4800dd
--- /dev/null
+++ b/oscore/grub2-removals.yaml
@@ -0,0 +1,8 @@
+remove-from-packages:
+  # The grub bits are mainly designed for desktops, and IMO haven't seen
+  # enough testing in concert with ostree. At some point we'll flesh out
+  # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
+  - [grub2-tools, /etc/grub.d/08_fallback_counting,
+ /etc/grub.d/10_reset_boot_success,
+ /etc/grub.d/12_menu_auto_hide,
+ /usr/lib/systemd/.*]
diff --git a/oscore/kdump-aarch64-aws-workaround.yaml b/oscore/kdump-aarch64-aws-workaround.yaml
new file mode 100644
index 0000000..c198739
--- /dev/null
+++ b/oscore/kdump-aarch64-aws-workaround.yaml
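Review bot: `oscore/group` has no entries for gids 81, 74 and 32, yet `oscore/passwd` later in this commit assigns exactly those as the primary groups of `dbus`, `sshd` and `rpc`; since `manifest.yaml` uses both files as `check-passwd`/`check-groups` references of type `file`, the pair should be self-consistent so that the static-ID check is actually checking something for those accounts. Add `dbus:x:81:`, `sshd:x:74:` and `rpc:x:32:` (or a comment explaining why those groups are expected to be allocated by the packages rather than pinned here). Whether rpm-ostree rejects a passwd gid that is absent from the reference group file I cannot confirm from the hunk alone, so treat this as a consistency fix rather than a known compose failure.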
@@ -0,0 +1,12 @@
+# This file includes a fixup for kdump on aarch64 AWS instances.
+# The issue seems specific to aarch64 AWS instances, but we'll go
+# ahead and apply it across the board for aarch64, since that's
+# the easiest thing to do. Hopefully the upstream issue will get
+# resolved soon.
+postprocess:
+  - |
+ #!/usr/bin/env bash
+ # Remove irqpoll from the list of KDUMP_COMMANDLINE_APPEND. This
+ # causes issues on aarch64 AWS instances.
+ # https://github.com/coreos/fedora-coreos-tracker/issues/1187
+ sed -i -e 's/irqpoll //' /etc/sysconfig/kdump
diff --git a/oscore/manifest.yaml b/oscore/manifest.yaml
new file mode 100644
index 0000000..334e831
--- /dev/null
+++ b/oscore/manifest.yaml
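Review bot: Nothing in this commit includes `kdump-aarch64-aws-workaround.yaml`: the `include:`, `conditional-include:` and `arch-include:` lists in `oscore/manifest.yaml` do not name it, so unless a manifest outside this commit does, the file is dead and the aarch64 kdump issue it describes is not actually worked around. If it is meant to apply, `arch-include: aarch64:` in manifest.yaml needs to reference it alongside `bootupd.yaml` (that key currently holds a single file per architecture, so it would presumably have to become a list). Separately, this postprocess script and the one in `oscore/system-configuration.yaml` are the only two in the commit without `set -xeuo pipefail`, and both edit `/etc/sysconfig/kdump` with `sed -i`, which exits 0 even when the pattern is absent; add `set -xeuo pipefail` after the shebang and follow the sed with a check such as `! grep -q 'irqpoll' /etc/sysconfig/kdump` (and the mirror-image `grep -q 'ignition.firstboot' /etc/sysconfig/kdump` in system-configuration.yaml) so a changed kexec-tools default fails the build instead of silently shipping an unmodified file.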
@@ -0,0 +1,202 @@
+releasever: 37
+
+repos:
+  - fedora
+  - fedora-updates
+
+metadata:
+  name: fedora-oscore
+  summary: Fedora OSCore
+
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# This one at least historically broke compatibility with Anaconda, but
+# let's use it by default now.
+machineid-compat: false
+# Be minimal
+recommends: false
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+include:
+  - bootable-rpm-ostree.yaml
+  - file-transfer.yaml
+  - networking-tools.yaml
+  - system-configuration.yaml
+  - user-experience.yaml
+  - shared-workarounds.yaml
+
+conditional-include:
+  - if: basearch != "s390x"
+ # And remove some cruft from grub2
+ include: grub2-removals.yaml
+
+remove-from-packages:
+  # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
+  - [systemd, /usr/bin/systemd-firstboot,
+ /usr/lib/systemd/system/systemd-firstboot.service,
+ /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
+  # We don't want auto-generated mount units. See also
+  # https://github.com/systemd/systemd/issues/13099
+  - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+  # Drop some buggy sysusers fragments which do not match static IDs allocation:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
+  - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
+
+automatic-version-prefix: "${releasever}."
+mutate-os-release: "${releasever}"
+
+packages:
+  # We include this for historical reasons
+  - fedora-repos-ostree
+  # fedora-repos-modular was converted into its own subpackage in f33
+  # Continue to include it in case users want to use it.
+  - fedora-repos-modular
+  # Include and set the default editor
+  - nano nano-default-editor
+  # Security
+  - polkit
+  # Containers
+  - systemd-container catatonit
+  - fuse-overlayfs slirp4netns
+  # support for old style CNI networks and name resolution for
+  # podman containers with CNI networks
+  # https://github.com/coreos/fedora-coreos-tracker/issues/519
+  # https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071338097
+  - containernetworking-plugins podman-plugins dnsmasq
+  # For podman v4 netavark gets pulled in but it only recommends
+  # aardvark-dns (which provides name resolution based on container
+  # names). This functionality was previously provided by dnsname from
+  # podman-plugins in the podman v3 stack.
+  # See https://github.com/containers/netavark/pull/217
+  - aardvark-dns
+  # Since we need `containernetworking-plugins` installed to continue
+  # to support CNI networks we need to also explicitly install
+  # `netavark` so we get both of them installed since both of them
+  # provide `container-network-stack`.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071458717
+  - netavark
+  # Minimal NFS client
+  - nfs-utils-coreos
+  # Active Directory support
+  - adcli
+  # Additional firewall support; we aren't including these in RHCOS or they
+  # don't exist in RHEL
+  - iptables-nft iptables-services
+  # WireGuard https://github.com/coreos/fedora-coreos-tracker/issues/362
+  - wireguard-tools
+  # Storage
+  - btrfs-progs
+  - WALinuxAgent-udev
+  # Allow communication between sudo and SSSD
+  # for caching sudo rules by SSSD.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/445
+  - libsss_sudo
+  # SSSD; we only ship a subset of the backends
+  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
+  # Used by admins interactively
+  - attr
+  - openssl
+  - lsof
+  # Provides terminal tools like clear, reset, tput, and tset
+  - ncurses
+  # file-transfer: note fuse-sshfs is not in RHEL
+  # so we can't put it in file-transfer.yaml
+  - fuse-sshfs
+  # Improved MOTD experience
+  - console-login-helper-messages-motdgen
+  # i18n
+  - kbd
+  # zram-generator (but not zram-generator-defaults) for F33 change
+  # https://github.com/coreos/fedora-coreos-tracker/issues/509
+  - zram-generator
+  # resolved was broken out to its own package in rawhide/f35
+  - systemd-resolved
+  # In F35+ need `iptables-legacy` package
+  # See https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
+  - iptables-legacy
+
+# Include the qemu-user-static-x86 package on aarch64 and s390x FCOS images
+# to allow access to the large inventory of containers only built for x86_64.
+# https://github.com/coreos/fedora-coreos-tracker/issues/1237
+packages-x86_64:
+  - irqbalance
+packages-ppc64le:
+  - irqbalance
+  - librtas
+  - powerpc-utils-core
+  - ppc64-diag-rtas
+packages-aarch64:
+  - irqbalance
+  - qemu-user-static-x86
+packages-s390x:
+  - qemu-user-static-x86
+
+# See https://github.com/coreos/bootupd
+arch-include:
+  x86_64: bootupd.yaml
+  aarch64: bootupd.yaml
+
+postprocess:
+  # Undo RPM scripts enabling units; we want the presets to be canonical
+  # https://github.com/projectatomic/rpm-ostree/issues/1803
+  - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ rm -rf /etc/systemd/system/*
+ systemctl preset-all
+ rm -rf /etc/systemd/user/*
+ systemctl --user --global preset-all
+  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+  # remove iptables-legacy. This is needed because alternatives don't work
+  # https://github.com/coreos/fedora-coreos-tracker/issues/677
+  # https://github.com/coreos/fedora-coreos-tracker/issues/676
+  - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+ ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+ ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+ ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+ ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+ ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
+
+# Things we don't expect to ship on the host. We currently
+# have recommends: false so these could only come in via
+# hard requirement, in which case the build will fail.
+exclude-packages:
+  - python
+  - python2
+  - python2-libs
+  - python3
+  - python3-libs
+  - perl
+  - perl-interpreter
+  - nodejs
+  - grubby
+  - cowsay # Just in case
+  # Let's make sure initscripts doesn't get pulled back in
+  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
+  - initscripts
+  # For (datacenter/cloud oriented) servers, we want to see the details by default.
+  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
+  - plymouth
+  # Do not use legacy ifcfg config format in NetworkManager
+  # See https://github.com/coreos/fedora-coreos-config/pull/1991
+  - NetworkManager-initscripts-ifcfg-rh
diff --git a/oscore/networking-tools.yaml b/oscore/networking-tools.yaml
new file mode 100644
index 0000000..ffb51ee
--- /dev/null
+++ b/oscore/networking-tools.yaml
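Review bot: The comment block starting `# Include the qemu-user-static-x86 package on aarch64 and s390x FCOS images` sits directly above `packages-x86_64:`, whose only entry is `irqbalance`, so it reads as documentation for the x86_64 list; the entries it actually describes are the `qemu-user-static-x86` lines under `packages-aarch64:` and `packages-s390x:` further down. Move the three comment lines to sit above `packages-aarch64:` and drop the "FCOS" wording, since this manifest now builds `fedora-oscore`. The `repos:` list names only `fedora` and `fedora-updates` while every section of `oscore/fedora.repo` is `enabled=1`, including updates-testing and the modular repos; if rpm-ostree honours the manifest list over the repo files' enabled flags, as I believe it does, this is fine, but a one-line comment such as `# Only the repos listed here are used; enabled= in the .repo files is not consulted` would save the next reader from wondering whether testing packages can leak into the compose.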
@@ -0,0 +1,21 @@
+# This defines a set of tools that are useful for configuring, debugging,
+# or manipulating the network of a system. It is desired to keep this list
+# generic enough to be shared downstream with RHCOS.
+
+packages:
+  # Standard tools for configuring network/hostname
+  - NetworkManager hostname
+  # Interactive Networking configuration during coreos-install
+  - NetworkManager-tui
+  # Teaming https://github.com/coreos/fedora-coreos-config/pull/289
+  # and http://bugzilla.redhat.com/1758162
+  - NetworkManager-team teamd
+  # Support for cloud quirks and dynamic config in real rootfs:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/320
+  - NetworkManager-cloud-setup
+  # Route manipulation and QoS
+  - iproute iproute-tc
+  # Firewall manipulation
+  - iptables nftables
+  # Interactive network tools for admins
+  - socat net-tools bind-utils
diff --git a/oscore/passwd b/oscore/passwd
new file mode 100644
index 0000000..ea84802
--- /dev/null
+++ b/oscore/passwd
@@ -0,0 +1,32 @@
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin
diff --git a/oscore/shared-workarounds.yaml b/oscore/shared-workarounds.yaml
new file mode 100644
index 0000000..06c1ca6
--- /dev/null
+++ b/oscore/shared-workarounds.yaml
@@ -0,0 +1,34 @@
+# This manifest is a list of shared workarounds that are needed in both Fedora CoreOS
+# and downstreams (i.e. Red Hat CoreOS).
+
+postprocess:
+  # Put in the fix for multipathd.service in dracut on releases that haven't
+  # been fixed yet.
+  # https://github.com/dracutdevs/dracut/pull/1606
+  # https://github.com/coreos/fedora-coreos-config/pull/1233
+  - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ source /etc/os-release
+ # This has landed in Fedora but not in any version of RHEL yet
+ if [[ ${ID} != "rhel" ]]; then
+ exit 0
+ fi
+ mkdir /usr/lib/dracut/modules.d/36coreos-multipath-fix
+ cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/90-multipathd-remove-execstop.conf <<'EOF'
+ # Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
+ [Service]
+ ExecStop=
+ EOF
+ cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh <<'EOF'
+ #!/bin/bash
+ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+ # ex: ts=8 sw=4 sts=4 et filetype=sh
+ install() {
+ # Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
+ mkdir -p "$systemdsystemunitdir/multipathd.service.d"
+ inst_simple "$moddir/90-multipathd-remove-execstop.conf" \
+ "$systemdsystemunitdir/multipathd.service.d/90-multipathd-remove-execstop.conf"
+ }
+ EOF
+ chmod +x /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh
diff --git a/oscore/system-configuration.yaml b/oscore/system-configuration.yaml
new file mode 100644
index 0000000..b9fd6e2
--- /dev/null
+++ b/oscore/system-configuration.yaml
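Review bot: The guard `if [[ ${ID} != "rhel" ]]; then exit 0; fi` keys only on the distribution name, so the dracut override is applied to every RHEL release indefinitely and never to CentOS Stream (`ID=centos`), even though the comment frames it as a temporary gap in releases that "haven't been fixed yet". Gate on the version as well, e.g. `if [[ ${ID} != "rhel" && ${ID} != "centos" ]] || (( ${VERSION_ID%%.*} >= FIXED_MAJOR )); then exit 0; fi` with `FIXED_MAJOR` a placeholder for the first release carrying the upstream fix, and record that release in the comment so the whole block can be deleted on schedule rather than living on as an unexplained unit drop-in. The bare `mkdir` (no `-p`) under `set -e` will abort the compose if the module directory already exists; that is probably the intended fail-loudly behaviour, and a `# intentionally not -p: a pre-existing module means this workaround is duplicated` comment would make it clear it is not an oversight.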
@@ -0,0 +1,50 @@
+# These are packages that are related to configuring parts of the system.
+# It is intended to be kept generic so that it may be shared downstream with
+# RHCOS.
+
+packages:
+  # Configuring SSH keys, cloud provider check-in, etc
+  # TODO: needs Ignition kargs
+  # - afterburn afterburn-dracut
+  # NTP support
+  - chrony
+  # Storage configuration/management
+  ## cloud-utils-growpart - For growing root partition
+  - cifs-utils
+  - cloud-utils-growpart
+  - cryptsetup
+  - device-mapper-multipath
+  - e2fsprogs
+  - iscsi-initiator-utils
+  - lvm2
+  - mdadm
+  - sg3_utils
+  - xfsprogs
+  # User configuration
+  - passwd
+  - shadow-utils
+  - acl
+  # SELinux policy
+  - selinux-policy-targeted
+  # There are things that write outside of the journal still (such as the
+  # classic wtmp, etc.). auditd also writes outside the journal but it has its
+  # own log rotation.
+  # Anything package layered will also tend to expect files dropped in
+  # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
+  # have it then people's disks will slowly fill up with logs.
+  - logrotate
+  # Boost starving threads
+  # https://github.com/coreos/fedora-coreos-tracker/issues/753
+  - stalld
+  - ssh-key-dir
+
+postprocess:
+  # Make kdump work on firstboot
+  - |
+ #!/usr/bin/env bash
+ # Make kdump ignore `ignition.firstboot` when copying kargs from
+ # the running kernel to the kdump kernel when passing to be kexec.
+ # This makes it so kdump can be set up on the very first boot.
+ # Upstream request to have this upstream so we can stop carrying it here:
+ # https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.org/thread/5P4WIJLW2TSGF4PZGRZGOXYML4RXZU23/
+ sed -i -e 's/KDUMP_COMMANDLINE_REMOVE="/KDUMP_COMMANDLINE_REMOVE="ignition.firstboot /' /etc/sysconfig/kdump
diff --git a/oscore/user-experience.yaml b/oscore/user-experience.yaml
new file mode 100644
index 0000000..d0c57a7
--- /dev/null
+++ b/oscore/user-experience.yaml
@@ -0,0 +1,46 @@
+# This file is included in RHEL CoreOS, see
+# https://github.com/openshift/os/blob/71c974b1e456292033e3ef3fe7bcfe17d1855ebc/manifest.yaml#L12
+# Only apply changes here that should apply to both FCOS and RHCOS.
+
+# Default to `bash` in our container, the same as other containers we ship.
+container-cmd:
+  - /usr/bin/bash
+
+# These packages are either widely used utilities/services or
+# are targeted for improving the general CoreOS user experience.
+# It is intended to be kept generic so that it may be shared downstream with
+# RHCOS.
+packages:
+  # Basic user tools
+  ## jq - parsing/interacting with JSON data
+  - bash-completion
+  - coreutils
+  - file
+  - jq
+  - less
+  - sudo
+  - vim-minimal
+  # File compression/decompression
+  ## bsdtar - dependency of 35coreos-live dracut module
+  - bsdtar
+  - bzip2
+  - gzip
+  - tar
+  - xz
+  - zstd
+  # Improved MOTD experience
+  - console-login-helper-messages-issuegen
+  - console-login-helper-messages-profile
+  # kdump support
+  # https://github.com/coreos/fedora-coreos-tracker/issues/622
+  - kexec-tools
+  # Remote Access
+  - openssh-clients openssh-server
+  # Container tooling
+  - crun
+  - podman
+  - runc
+  - skopeo
+  - toolbox
+  # nvme-cli for managing nvme disks
+  - nvme-cli