Introduce a tier-0 image

This is basically just:

- kernel
- systemd
- selinux-policy-targeted
- bootc

Notably it doesn't have `rpm-ostree` or `rpm`, or many other things.
It also doesn't even have `linux-firmware`.

And no `openssh`!

It's almost certain that you need to derive from this, but
it should be a suitable starting point.

TODO: Add something like

```
$ dnf-system-bootstrap
Installing packaging tools from quay.io/fedora/fedora-boot-dnf@sha256:abcd...)
 # This would be basically all the packages not in tier-0 that
 # are enough to give `dnf install`
$ dnf install cowsay
 # Install critical stuff
$ dnf system-bootstrap remove
 # Remove everything that we added for the package system, that isn't
 # a dependency of what the user wants!
```

(In theory we could make this work with multi-stage builds, but
 it's a little hard)
Colin Walters 2023-09-15 14:52:53 -04:00
parent ebe3ea68a2
commit 7361f26eeb
27 changed files with 268 additions and 232 deletions


@ -8,11 +8,15 @@ stages:
.base:
parallel:
matrix:
- TIER: [tier-1]
- TIER:
- tier-0
- tier-1
OS: centos
VERSION: [stream9]
VARIANT: ["", "-rt"]
- TIER: [tier-1]
- TIER:
- tier-0
- tier-1
OS: fedora
VERSION: [38]
VARIANT: [""]


@ -1,13 +0,0 @@
releasever: stream9
repos:
- baseos
- appstream
metadata:
name: c9s-boot-tier1
summary: CentOS 9 Bootable Tier 1
include:
- tier-1/manifest.yaml

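--- /dev/null
+++ b/centos-stream-9.yaml
+releasever: stream9
+repos:
+- baseos
+- appstream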


@ -0,0 +1,5 @@
include:
- centos-stream-9.yaml
- tier-0/kernel-rt.yaml
- tier-0/manifest.yaml


@ -0,0 +1,5 @@
include:
- centos-stream-9.yaml
- tier-0/kernel.yaml
- tier-0/manifest.yaml


@ -1,3 +1,4 @@
include:
- centos-base.yaml
- tier-1/kernel-rt.yaml
- centos-stream-9.yaml
- tier-0/kernel-rt.yaml
- tier-1/manifest.yaml
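Review bot: The kernel include on the fourth line of this hunk points at `tier-0/kernel-rt.yaml`, while the non-rt sibling in the next section keeps `tier-1/kernel.yaml` (which this commit turns into a symlink to tier-0), so the two CentOS tier-1 manifests resolve their kernel fragment through different paths. I also do not see a `tier-0/kernel-rt.yaml` being added or a `tier-1/kernel-rt.yaml` being moved anywhere on this page; the page may be truncated, but if the file does not exist the rt build fails at include time. Picking one convention — `- tier-1/kernel-rt.yaml` via a symlink like the others, or `tier-0/...` in both manifests — and making sure the target exists would settle it.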


@ -1,4 +1,5 @@
include:
- centos-base.yaml
- centos-stream-9.yaml
- tier-1/kernel.yaml
- tier-1/manifest.yaml
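Review bot: `- centos-base.yaml` is still included on the second line of this hunk, while the rt sibling in the previous section replaces that same include with `centos-stream-9.yaml`, and the file deleted near the top of this commit (carrying `metadata: name: c9s-boot-tier1` and `include: tier-1/manifest.yaml`) looks like centos-base.yaml itself; its path is not shown on the page, so I cannot be certain. If it is, this include now points at a removed file and the line should be dropped so the list reads `centos-stream-9.yaml`, `tier-1/kernel.yaml`, `tier-1/manifest.yaml` like its rt counterpart. Either way, the `metadata` name/summary from the deleted file is not re-added anywhere on this page; if it is still consumed downstream it needs a new home, and if it was dropped on purpose a sentence in the description would help.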

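--- /dev/null
+++ b/fedora-tier-0-38.yaml
+releasever: 38
+repos:
+- fedora
+- fedora-updates
+include:
+- tier-0/manifest.yaml
+- tier-0/kernel.yaml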
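Review bot: `releasever: 38` on the first line is parsed as an integer, whereas the CentOS counterpart in this commit has `releasever: stream9` as a string and the value is spliced into `automatic-version-prefix: "${releasever}.<date:%Y%m%d>"` and `mutate-os-release` in tier-0/manifest.yaml. Quoting it as `releasever: "38"` keeps the field the same type on both distributions and avoids depending on how the consumer coerces a YAML integer. Whether rpm-ostree accepts the integer form I cannot tell from this page, so treat this as a consistency point rather than a confirmed failure.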

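--- /dev/null
+++ b/tier-0/bootc.yaml
+# A relatively minimal base, but we also do include linux-firmware so
+# we can be directly booted on metal.
+packages:
+- systemd
+# linux-firmware now a recommends so let's explicitly include it
+# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+- linux-firmware
+- ostree
+# For now this will be shipped in rpm-ostree
+# - bootc
+# Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
+- gdisk xfsprogs e2fsprogs dosfstools
+exclude-packages:
+# Exclude kernel-debug-core to make sure that it doesn't somehow get
+# chosen as the package to satisfy the `kernel-core` dependency from
+# the kernel package.
+- kernel-debug-core
+# rpm-ostree can be an alias for bootc, we want to enable that here.
+postprocess:
+- |
+#!/usr/bin/env bash
+ln -sr /usr/bin/{rpm-ostree,bootc}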
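Review bot: The postprocess script at the end of this hunk runs without `set -euo pipefail`, so a failing `ln` is silently ignored, unlike the bootupd.yaml script in this same commit which sets it. `ln -sr /usr/bin/{rpm-ostree,bootc}` creates `/usr/bin/bootc` pointing at `/usr/bin/rpm-ostree`, and as far as the package lists on this page show neither rpm-ostree nor bootc is installed in tier-0 (the comment above says bootc ships in rpm-ostree, and the description says tier-0 has no rpm-ostree), so in a pure tier-0 image that link is presumably dangling — worth confirming against a build. The description also states tier-0 has no `linux-firmware`, yet it is listed here and this file is included by tier-0/manifest.yaml; one of the two should be corrected. I would write the script as `set -euo pipefail` followed by `ln -sr /usr/bin/rpm-ostree /usr/bin/bootc`, and reword the comment to `# Expose bootc under its own name; today the binary ships in rpm-ostree` since the link direction is bootc → rpm-ostree, not the other way round.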

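--- /dev/null
+++ b/tier-0/bootupd.yaml
+# Integration with https://github.com/coreos/bootupd and bootloader logic
+# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
+packages:
+- bootupd
+# bootloader
+packages-aarch64:
+- grub2-efi-aa64 efibootmgr shim
+packages-ppc64le:
+- grub2 ostree-grub2
+packages-s390x:
+# On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+# provided by s390utils-base, but soon will be -core too.
+- /usr/sbin/zipl
+packages-x86_64:
+- grub2 grub2-efi-x64 efibootmgr shim
+- microcode_ctl
+conditional-include:
+- if: basearch != "s390x"
+# And remove some cruft from grub2
+include: grub2-removals.yaml
+postprocess:
+- |
+#!/bin/bash
+set -xeuo pipefail
+# Until we have https://github.com/coreos/rpm-ostree/pull/2275
+mkdir -p /run
+# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
+/usr/bin/bootupctl backend generate-update-metadata /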
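Review bot: The `packages-ppc64le`, `packages-s390x` and `basearch != "s390x"` conditional stanzas in this file appear unreachable as wired up: tier-0/manifest.yaml in this same commit pulls bootupd.yaml in only through `arch-include` for `x86_64` and `aarch64`, so the ppc64le and s390x entries are never evaluated unless some manifest not on this page includes the file directly. That was already the case in the tier-1 copy this replaces, so it is not a regression, but the new file is where the next reader will look. If those architectures are intentionally out of scope, a comment above `packages-ppc64le:` such as `# Only reached for x86_64/aarch64 via arch-include in manifest.yaml; kept for future use` would save the search; otherwise the arch-include list in manifest.yaml should grow.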

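--- /dev/null
+++ b/tier-0/group
@@ -0,0 +1,46 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+sudo:x:16:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+ssh_keys:x:999:
+systemd-journal:x:190:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+avahi-autoipd:x:170:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+chrony:x:992:
+tcpdump:x:72:
+ceph:x:167:
+input:x:104:
+systemd-timesync:x:991:
+systemd-network:x:990:
+systemd-resolve:x:989:
+systemd-bus-proxy:x:988:
+cockpit-ws:x:987: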


@ -0,0 +1,8 @@
remove-from-packages:
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]

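--- /dev/null
+++ b/tier-0/initramfs.yaml
+# Configuration for the initramfs
+postprocess:
+- |
+#!/usr/bin/env bash
+mkdir -p /usr/lib/dracut/dracut.conf.d
+cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
+# We want a generic image; hostonly makes no sense as part of a server side build
+hostonly=no
+EOF
+cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
+# We want this for systemd-cryptsetup tpm2 locking
+dracutmodules+=" tpm2-tss "
+EOF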
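Review bot: The first `cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf` line in the script has no `<< 'EOF'` redirection, unlike the second `cat` a few lines below, so the shell never feeds it the two lines that follow: `cat` reads the build's stdin instead, `hostonly=no` becomes a plain shell variable assignment, and the bare `EOF` line is executed as a command. The config file is therefore written without the `hostonly=no` setting, and because the script has no `set -euo pipefail` (bootupd.yaml in this commit does), the failing `EOF` command does not fail the build either. The fix is `cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf << 'EOF'` plus `set -euo pipefail` right after the shebang. This is carried over from the deleted tier-1 copy rather than introduced here, but the new tier-0 file is the one that will ship, and a dracut image built with hostonly defaults is exactly the kind of silent misconfiguration that surfaces only on unfamiliar hardware.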

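--- /dev/null
+++ b/tier-0/kernel.yaml
+# Enable the Linux kernel; see also kernel-rt.
+packages:
+- kernel
+exclude-packages:
+- kernel-debug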

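--- /dev/null
+++ b/tier-0/manifest.yaml
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# This one at least historically broke compatibility with Anaconda, but
+# let's use it by default now.
+machineid-compat: false
+# Be minimal
+recommends: false
+ignore-removed-users:
+- root
+ignore-removed-groups:
+- root
+etc-group-members:
+- wheel
+- sudo
+- systemd-journal
+- adm
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here. This
+# does break the "hermetic build" aspect a bit. Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+check-passwd:
+type: "file"
+filename: "passwd"
+check-groups:
+type: "file"
+filename: "group"
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+remove-from-packages:
+# Generally we expect other tools to do this (e.g. Ignition or cloud-init)
+- [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
+# We don't want auto-generated mount units. See also
+# https://github.com/systemd/systemd/issues/13099
+- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+# Drop some buggy sysusers fragments which do not match static IDs allocation:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2105177
+- [dbus-common, /usr/lib/sysusers.d/dbus.conf]
+include:
+- bootc.yaml
+- initramfs.yaml
+packages:
+# Even in tier-0, we have this. If you don't want SELinux today, you'll need
+# to build a custom image.
+- selinux-policy-targeted
+# Needed for tpm2 bound luks
+- tpm2-tools
+# See https://github.com/coreos/bootupd
+arch-include:
+x86_64: bootupd.yaml
+aarch64: bootupd.yaml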
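Review bot: The `remove-from-packages` entry for systemd in this file (`- [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]`) strips only the wants symlink, whereas the tier-1 entry it replaces — removed in the tier-1/manifest.yaml hunk further down — also removed `/usr/bin/systemd-firstboot` and the unit file itself. Since tier-1 now inherits this stanza through the manifest-tier-0.yaml symlink, tier-1 images end up keeping the firstboot binary and unit they previously stripped, and the description does not mention that change. If keeping them is intended (for example so a derived image can re-enable firstboot), the comment above the entry should say so; otherwise restore the two extra paths from the old tier-1 entry so the list reads `/usr/bin/systemd-firstboot`, `/usr/lib/systemd/system/systemd-firstboot.service` and the wants link.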

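--- /dev/null
+++ b/tier-0/passwd
@@ -0,0 +1,32 @@
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin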


@ -1,24 +0,0 @@
# A relatively minimal base, but we also do include linux-firmware so
# we can be directly booted on metal.
packages:
- systemd
# linux-firmware now a recommends so let's explicitly include it
# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- linux-firmware
# For now this will be shipped in rpm-ostree
# - bootc
# Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
- gdisk xfsprogs e2fsprogs dosfstools
exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get
# chosen as the package to satisfy the `kernel-core` dependency from
# the kernel package.
- kernel-debug-core
# rpm-ostree can be an alias for bootc, we want to enable that here.
postprocess:
- |
#!/usr/bin/env bash
ln -sr /usr/bin/{rpm-ostree,bootc}

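--- /dev/null
+++ b/tier-1/bootc.yaml
@@ -0,0 +1 @@
+../tier-0/bootc.yaml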


@ -1,31 +0,0 @@
# Integration with https://github.com/coreos/bootupd and bootloader logic
# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
packages:
- bootupd
# bootloader
packages-aarch64:
- grub2-efi-aa64 efibootmgr shim
packages-ppc64le:
- grub2 ostree-grub2
packages-s390x:
# On Fedora, this is provided by s390utils-core. on RHEL, this is for now
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
conditional-include:
- if: basearch != "s390x"
# And remove some cruft from grub2
include: grub2-removals.yaml
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Until we have https://github.com/coreos/rpm-ostree/pull/2275
mkdir -p /run
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata /

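--- /dev/null
+++ b/tier-1/bootupd.yaml
@@ -0,0 +1 @@
+../tier-0/bootupd.yaml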


@ -1,46 +0,0 @@
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
sudo:x:16:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
ssh_keys:x:999:
systemd-journal:x:190:
polkitd:x:998:
etcd:x:997:
dip:x:40:
cgred:x:996:
avahi-autoipd:x:170:
sssd:x:993:
dockerroot:x:986:
rpcuser:x:29:
nfsnobody:x:65534:
kube:x:994:
chrony:x:992:
tcpdump:x:72:
ceph:x:167:
input:x:104:
systemd-timesync:x:991:
systemd-network:x:990:
systemd-resolve:x:989:
systemd-bus-proxy:x:988:
cockpit-ws:x:987:

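--- /dev/null
+++ b/tier-1/group
@@ -0,0 +1 @@
+../tier-0/group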


@ -1,8 +0,0 @@
remove-from-packages:
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]

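--- /dev/null
+++ b/tier-1/grub2-removals.yaml
@@ -0,0 +1 @@
+../tier-0/grub2-removals.yaml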


@ -1,14 +0,0 @@
# Configuration for the initramfs
postprocess:
- |
#!/usr/bin/env bash
mkdir -p /usr/lib/dracut/dracut.conf.d
cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
# We want a generic image; hostonly makes no sense as part of a server side build
hostonly=no
EOF
cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
# We want this for systemd-cryptsetup tpm2 locking
dracutmodules+=" tpm2-tss "
EOF

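--- /dev/null
+++ b/tier-1/initramfs.yaml
@@ -0,0 +1 @@
+../tier-0/initramfs.yaml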


@ -1,6 +0,0 @@
# Enable the Linux kernel; see also kernel-rt.
packages:
- kernel
exclude-packages:
- kernel-debug

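--- /dev/null
+++ b/tier-1/kernel.yaml
@@ -0,0 +1 @@
+../tier-0/kernel.yaml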

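--- /dev/null
+++ b/tier-1/manifest-tier-0.yaml
@@ -0,0 +1 @@
+../tier-0/manifest.yaml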


@ -1,54 +1,11 @@
# Modern defaults we want
boot-location: modules
tmp-is-dir: true
# This one at least historically broke compatibility with Anaconda, but
# let's use it by default now.
machineid-compat: false
# Be minimal
recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
include:
- bootc.yaml
- initramfs.yaml
- bootable-rpm-ostree.yaml
- manifest-tier-0.yaml
- networking-tools.yaml
- system-configuration.yaml
- user-experience.yaml
- fwupd.yaml
remove-from-packages:
# Generally we expect other tools to do this (e.g. Ignition or cloud-init)
- [systemd, /usr/bin/systemd-firstboot,
/usr/lib/systemd/system/systemd-firstboot.service,
/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
# We don't want auto-generated mount units. See also
# https://github.com/systemd/systemd/issues/13099
- [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
# Drop some buggy sysusers fragments which do not match static IDs allocation:
# https://bugzilla.redhat.com/show_bug.cgi?id=2105177
- [dbus-common, /usr/lib/sysusers.d/dbus.conf]
automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
mutate-os-release: "${releasever}"
packages:
# Include and set the default editor
- nano
@ -114,11 +71,6 @@ packages-aarch64:
packages-s390x:
- qemu-user-static-x86
# See https://github.com/coreos/bootupd
arch-include:
x86_64: bootupd.yaml
aarch64: bootupd.yaml
postprocess:
# Undo RPM scripts enabling units; we want the presets to be canonical
# https://github.com/projectatomic/rpm-ostree/issues/1803


@ -1,32 +0,0 @@
adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
bin:x:1:1:bin:/bin:/usr/sbin/nologin
ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
games:x:12:100:games:/usr/games:/usr/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
operator:x:11:0:operator:/root:/usr/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
root:x:0:0:Super User:/root:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
tcpdump:x:72:72::/:/usr/sbin/nologin

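--- /dev/null
+++ b/tier-1/passwd
@@ -0,0 +1 @@
+../tier-0/passwd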


@ -8,8 +8,6 @@ packages:
- chrony
# Storage configuration/management
- cryptsetup
# Needed for tpm2 bound luks
- tpm2-tools
- e2fsprogs
- sg3_utils
- xfsprogs
@ -19,8 +17,6 @@ packages:
- acl
# Manipulating the kernel keyring; used by bootc
- keyutils
# SELinux policy
- selinux-policy-targeted
# There are things that write outside of the journal still (such as the
# classic wtmp, etc.). auditd also writes outside the journal but it has its
# own log rotation.