public
/
bootc-base-images
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial split from Fedora CoreOS

This commit is contained in:
Colin Walters 2022-12-09 15:30:03 -05:00
commit 60d8e77ee4
18 changed files with 743 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
COPYING Normal file
View File

@ -0,0 +1,21 @@
Copyright 2018 Fedora CoreOS Authors.
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

1
LICENSE Symbolic link
View File

@ -0,0 +1 @@
COPYING

6
README.md Normal file
View File

@ -0,0 +1,6 @@
# Demonstration base images for use with bootc
This repository contains "base images" suitable for use with github.com/containers/bootc
These images are considered experimental. The intention is that these images are
generated by the OS vendor or distribution.

53
oscore/bootable-rpm-ostree.yaml Normal file
View File

@ -0,0 +1,53 @@
# This minimal base starts just from: kernel + systemd + rpm-ostree + bootloader.
# The intent of this is to inherit from this if you are doing something highly
# custom that e.g. might not involve Ignition or podman, but you do want
# rpm-ostree.
# We expect most people though using coreos-assembler to inherit from
# fedora-coreos-base.yaml.
packages:
# Kernel + systemd.
- kernel systemd
# linux-firmware now a recommends so let's explicitly include it
# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- linux-firmware
# rpm-ostree
- rpm-ostree nss-altfiles
# bootloader
packages-aarch64:
- grub2-efi-aa64 efibootmgr shim
# firmware updates
- fwupd
packages-ppc64le:
- grub2 ostree-grub2
# firmware updates
- fwupd
packages-s390x:
# On Fedora, this is provided by s390utils-core. on RHEL, this is for now
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
# for Secure Execution
- veritysetup
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
# firmware updates
- fwupd
postprocess:
# See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
# https://bugzilla.redhat.com/show_bug.cgi?id=2112857
# https://github.com/coreos/rpm-ostree/issues/3918
# Temporary workaround to remove the SetGID binary from liblockfile that is
# pulled by the s390utils but not needed for /usr/sbin/zipl.
- |
#!/usr/bin/env bash
set -xeuo pipefail
rm -f /usr/bin/dotlockfile
exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get
# chosen as the package to satisfy the `kernel-core` dependency from
# the kernel package.
- kernel-debug-core

13
oscore/bootupd.yaml Normal file
View File

@ -0,0 +1,13 @@
# Integration with https://github.com/coreos/bootupd
# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
packages:
- bootupd
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Until we have https://github.com/coreos/rpm-ostree/pull/2275
mkdir -p /run
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata /

76
oscore/fedora-next.repo Normal file
View File

@ -0,0 +1,76 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora-next]
name=Fedora $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-updates]
name=Fedora $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-updates-testing]
name=Fedora $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-next-modular]
name=Fedora Modular $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Modular/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Modular/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-next-updates-modular]
name=Fedora Modular $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-next-updates-testing-modular]
name=Fedora Modular $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False

38
oscore/fedora-rawhide.repo Normal file
View File

@ -0,0 +1,38 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora-rawhide]
name=Fedora - Rawhide - Developmental packages for the next Fedora release
baseurl=http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/development/rawhide/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch
enabled=1
countme=1
metadata_expire=6h
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
excludepkgs=kernel kernel-core kernel-modules
# We are choosing to use only nodebug kernels in Fedora CoreOS
# for our testing. We've seen too many issues where an issue either
# shows up only on the debug kernels OR a debug kernel gives us a
# false positive or negative when trying to root cause a failure.
# Thus we use the nodebug kernel repo [1] and includepkgs=kernel
# here and excludepkgs=kernel above.
#
# [1] https://fedoraproject.org/wiki/RawhideKernelNodebug
[fedora-rawhide-nodebug-kernel]
name=nodebug kernels for Rawhide
baseurl=https://dl.fedoraproject.org/pub/alt/rawhide-kernel-nodebug/$basearch/
enabled=1
countme=1
metadata_expire=6h
repo_gpgcheck=0
type=rpm
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
includepkgs=kernel kernel-core kernel-modules

76
oscore/fedora.repo Normal file
View File

@ -0,0 +1,76 @@
# Note we use baseurl= here because using auto-selected mirrors conflicts with
# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
[fedora]
name=Fedora $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-updates-testing]
name=Fedora $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
[fedora-modular]
name=Fedora Modular $releasever - $basearch
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
enabled=1
#metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-updates-modular]
name=Fedora Modular $releasever - $basearch - Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-updates-testing-modular]
name=Fedora Modular $releasever - $basearch - Test Updates
baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=1
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False

8
oscore/file-transfer.yaml Normal file
View File

@ -0,0 +1,8 @@
# Moving files around and verifying them
packages:
- git-core
- gnupg2
- rsync
# Explicit dependency on curl because we use it in coreos-livepxe-rootfs.sh
# We need curl and not curl-minimal because we support TFTP.
- curl

46
oscore/group Normal file
View File

@ -0,0 +1,46 @@
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
sudo:x:16:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
ssh_keys:x:999:
systemd-journal:x:190:
polkitd:x:998:
etcd:x:997:
dip:x:40:
cgred:x:996:
avahi-autoipd:x:170:
sssd:x:993:
dockerroot:x:986:
rpcuser:x:29:
nfsnobody:x:65534:
kube:x:994:
chrony:x:992:
tcpdump:x:72:
ceph:x:167:
input:x:104:
systemd-timesync:x:991:
systemd-network:x:990:
systemd-resolve:x:989:
systemd-bus-proxy:x:988:
cockpit-ws:x:987:

8
oscore/grub2-removals.yaml Normal file
View File

@ -0,0 +1,8 @@
remove-from-packages:
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]

12
oscore/kdump-aarch64-aws-workaround.yaml Normal file
View File

@ -0,0 +1,12 @@
# This file includes a fixup for kdump on aarch64 AWS instances.
# The issue seems specific to aarch64 AWS instances, but we'll go
# ahead and apply it across the board for aarch64, since that's
# the easiest thing to do. Hopefully the upstream issue will get
# resolved soon.
postprocess:
- |
#!/usr/bin/env bash
# Remove irqpoll from the list of KDUMP_COMMANDLINE_APPEND. This
# causes issues on aarch64 AWS instances.
# https://github.com/coreos/fedora-coreos-tracker/issues/1187
sed -i -e 's/irqpoll //' /etc/sysconfig/kdump

202
oscore/manifest.yaml Normal file
View File

@ -0,0 +1,202 @@
releasever: 37
repos:
- fedora
- fedora-updates
metadata:
name: fedora-oscore
summary: Fedora OSCore
# Modern defaults we want
boot-location: modules
tmp-is-dir: true
# This one at least historically broke compatibility with Anaconda, but
# let's use it by default now.
machineid-compat: false
# Be minimal
recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
include:
- bootable-rpm-ostree.yaml
- file-transfer.yaml
- networking-tools.yaml
- system-configuration.yaml
- user-experience.yaml
- shared-workarounds.yaml
conditional-include:
- if: basearch != "s390x"
# And remove some cruft from grub2
include: grub2-removals.yaml
remove-from-packages:
# Generally we expect other tools to do this (e.g. Ignition or cloud-init)
- [systemd, /usr/bin/systemd-firstboot,
/usr/lib/systemd/system/systemd-firstboot.service,
/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
# We don't want auto-generated mount units. See also
# https://github.com/systemd/systemd/issues/13099
- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
# Drop some buggy sysusers fragments which do not match static IDs allocation:
# https://bugzilla.redhat.com/show_bug.cgi?id=2105177
- [dbus-common, /usr/lib/sysusers.d/dbus.conf]
automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
mutate-os-release: "${releasever}"
packages:
# We include this for historical reasons
- fedora-repos-ostree
# fedora-repos-modular was converted into its own subpackage in f33
# Continue to include it in case users want to use it.
- fedora-repos-modular
# Include and set the default editor
- nano nano-default-editor
# Security
- polkit
# Containers
- systemd-container catatonit
- fuse-overlayfs slirp4netns
# support for old style CNI networks and name resolution for
# podman containers with CNI networks
# https://github.com/coreos/fedora-coreos-tracker/issues/519
# https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071338097
- containernetworking-plugins podman-plugins dnsmasq
# For podman v4 netavark gets pulled in but it only recommends
# aardvark-dns (which provides name resolution based on container
# names). This functionality was previously provided by dnsname from
# podman-plugins in the podman v3 stack.
# See https://github.com/containers/netavark/pull/217
- aardvark-dns
# Since we need `containernetworking-plugins` installed to continue
# to support CNI networks we need to also explicitly install
# `netavark` so we get both of them installed since both of them
# provide `container-network-stack`.
# https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071458717
- netavark
# Minimal NFS client
- nfs-utils-coreos
# Active Directory support
- adcli
# Additional firewall support; we aren't including these in RHCOS or they
# don't exist in RHEL
- iptables-nft iptables-services
# WireGuard https://github.com/coreos/fedora-coreos-tracker/issues/362
- wireguard-tools
# Storage
- btrfs-progs
- WALinuxAgent-udev
# Allow communication between sudo and SSSD
# for caching sudo rules by SSSD.
# https://github.com/coreos/fedora-coreos-tracker/issues/445
- libsss_sudo
# SSSD; we only ship a subset of the backends
- sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
# Used by admins interactively
- attr
- openssl
- lsof
# Provides terminal tools like clear, reset, tput, and tset
- ncurses
# file-transfer: note fuse-sshfs is not in RHEL
# so we can't put it in file-transfer.yaml
- fuse-sshfs
# Improved MOTD experience
- console-login-helper-messages-motdgen
# i18n
- kbd
# zram-generator (but not zram-generator-defaults) for F33 change
# https://github.com/coreos/fedora-coreos-tracker/issues/509
- zram-generator
# resolved was broken out to its own package in rawhide/f35
- systemd-resolved
# In F35+ need `iptables-legacy` package
# See https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
- iptables-legacy
# Include the qemu-user-static-x86 package on aarch64 and s390x FCOS images
# to allow access to the large inventory of containers only built for x86_64.
# https://github.com/coreos/fedora-coreos-tracker/issues/1237
packages-x86_64:
- irqbalance
packages-ppc64le:
- irqbalance
- librtas
- powerpc-utils-core
- ppc64-diag-rtas
packages-aarch64:
- irqbalance
- qemu-user-static-x86
packages-s390x:
- qemu-user-static-x86
# See https://github.com/coreos/bootupd
arch-include:
x86_64: bootupd.yaml
aarch64: bootupd.yaml
postprocess:
# Undo RPM scripts enabling units; we want the presets to be canonical
# https://github.com/projectatomic/rpm-ostree/issues/1803
- |
#!/usr/bin/env bash
set -xeuo pipefail
rm -rf /etc/systemd/system/*
systemctl preset-all
rm -rf /etc/systemd/user/*
systemctl --user --global preset-all
# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
# remove iptables-legacy. This is needed because alternatives don't work
# https://github.com/coreos/fedora-coreos-tracker/issues/677
# https://github.com/coreos/fedora-coreos-tracker/issues/676
- |
#!/usr/bin/env bash
set -xeuo pipefail
ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
# Things we don't expect to ship on the host. We currently
# have recommends: false so these could only come in via
# hard requirement, in which case the build will fail.
exclude-packages:
- python
- python2
- python2-libs
- python3
- python3-libs
- perl
- perl-interpreter
- nodejs
- grubby
- cowsay # Just in case
# Let's make sure initscripts doesn't get pulled back in
# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
- initscripts
# For (datacenter/cloud oriented) servers, we want to see the details by default.
# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
- plymouth
# Do not use legacy ifcfg config format in NetworkManager
# See https://github.com/coreos/fedora-coreos-config/pull/1991
- NetworkManager-initscripts-ifcfg-rh

21
oscore/networking-tools.yaml Normal file
View File

@ -0,0 +1,21 @@
# This defines a set of tools that are useful for configuring, debugging,
# or manipulating the network of a system. It is desired to keep this list
# generic enough to be shared downstream with RHCOS.
packages:
# Standard tools for configuring network/hostname
- NetworkManager hostname
# Interactive Networking configuration during coreos-install
- NetworkManager-tui
# Teaming https://github.com/coreos/fedora-coreos-config/pull/289
# and http://bugzilla.redhat.com/1758162
- NetworkManager-team teamd
# Support for cloud quirks and dynamic config in real rootfs:
# https://github.com/coreos/fedora-coreos-tracker/issues/320
- NetworkManager-cloud-setup
# Route manipulation and QoS
- iproute iproute-tc
# Firewall manipulation
- iptables nftables
# Interactive network tools for admins
- socat net-tools bind-utils

32
oscore/passwd Normal file
View File

@ -0,0 +1,32 @@
adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
bin:x:1:1:bin:/bin:/usr/sbin/nologin
ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
games:x:12:100:games:/usr/games:/usr/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
operator:x:11:0:operator:/root:/usr/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
root:x:0:0:Super User:/root:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
tcpdump:x:72:72::/:/usr/sbin/nologin

34
oscore/shared-workarounds.yaml Normal file
View File

@ -0,0 +1,34 @@
# This manifest is a list of shared workarounds that are needed in both Fedora CoreOS
# and downstreams (i.e. Red Hat CoreOS).
postprocess:
# Put in the fix for multipathd.service in dracut on releases that haven't
# been fixed yet.
# https://github.com/dracutdevs/dracut/pull/1606
# https://github.com/coreos/fedora-coreos-config/pull/1233
- |
#!/usr/bin/env bash
set -xeuo pipefail
source /etc/os-release
# This has landed in Fedora but not in any version of RHEL yet
if [[ ${ID} != "rhel" ]]; then
exit 0
fi
mkdir /usr/lib/dracut/modules.d/36coreos-multipath-fix
cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/90-multipathd-remove-execstop.conf <<'EOF'
# Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
[Service]
ExecStop=
EOF
cat > /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh <<'EOF'
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
install() {
# Temporary workaround for https://github.com/dracutdevs/dracut/pull/1606.
mkdir -p "$systemdsystemunitdir/multipathd.service.d"
inst_simple "$moddir/90-multipathd-remove-execstop.conf" \
"$systemdsystemunitdir/multipathd.service.d/90-multipathd-remove-execstop.conf"
}
EOF
chmod +x /usr/lib/dracut/modules.d/36coreos-multipath-fix/module-setup.sh

50
oscore/system-configuration.yaml Normal file
View File

@ -0,0 +1,50 @@
# These are packages that are related to configuring parts of the system.
# It is intended to be kept generic so that it may be shared downstream with
# RHCOS.
packages:
# Configuring SSH keys, cloud provider check-in, etc
# TODO: needs Ignition kargs
# - afterburn afterburn-dracut
# NTP support
- chrony
# Storage configuration/management
## cloud-utils-growpart - For growing root partition
- cifs-utils
- cloud-utils-growpart
- cryptsetup
- device-mapper-multipath
- e2fsprogs
- iscsi-initiator-utils
- lvm2
- mdadm
- sg3_utils
- xfsprogs
# User configuration
- passwd
- shadow-utils
- acl
# SELinux policy
- selinux-policy-targeted
# There are things that write outside of the journal still (such as the
# classic wtmp, etc.). auditd also writes outside the journal but it has its
# own log rotation.
# Anything package layered will also tend to expect files dropped in
# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
# have it then people's disks will slowly fill up with logs.
- logrotate
# Boost starving threads
# https://github.com/coreos/fedora-coreos-tracker/issues/753
- stalld
- ssh-key-dir
postprocess:
# Make kdump work on firstboot
- |
#!/usr/bin/env bash
# Make kdump ignore `ignition.firstboot` when copying kargs from
# the running kernel to the kdump kernel when passing to be kexec.
# This makes it so kdump can be set up on the very first boot.
# Upstream request to have this upstream so we can stop carrying it here:
# https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.org/thread/5P4WIJLW2TSGF4PZGRZGOXYML4RXZU23/
sed -i -e 's/KDUMP_COMMANDLINE_REMOVE="/KDUMP_COMMANDLINE_REMOVE="ignition.firstboot /' /etc/sysconfig/kdump

46
oscore/user-experience.yaml Normal file
View File

@ -0,0 +1,46 @@
# This file is included in RHEL CoreOS, see
# https://github.com/openshift/os/blob/71c974b1e456292033e3ef3fe7bcfe17d1855ebc/manifest.yaml#L12
# Only apply changes here that should apply to both FCOS and RHCOS.
# Default to `bash` in our container, the same as other containers we ship.
container-cmd:
- /usr/bin/bash
# These packages are either widely used utilities/services or
# are targeted for improving the general CoreOS user experience.
# It is intended to be kept generic so that it may be shared downstream with
# RHCOS.
packages:
# Basic user tools
## jq - parsing/interacting with JSON data
- bash-completion
- coreutils
- file
- jq
- less
- sudo
- vim-minimal
# File compression/decompression
## bsdtar - dependency of 35coreos-live dracut module
- bsdtar
- bzip2
- gzip
- tar
- xz
- zstd
# Improved MOTD experience
- console-login-helper-messages-issuegen
- console-login-helper-messages-profile
# kdump support
# https://github.com/coreos/fedora-coreos-tracker/issues/622
- kexec-tools
# Remote Access
- openssh-clients openssh-server
# Container tooling
- crun
- podman
- runc
- skopeo
- toolbox
# nvme-cli for managing nvme disks
- nvme-cli