bootc has a Rust create https://github.com/containers/bootc/pull/775
to replace gdisk which has been removed by c10s and RHEL-10
Signed-off-by: Xiaofeng Wang <xiaofwan@redhat.com>
Starting sssd-2.10 that is shipped in F41+ and C10S,
home dir for 'sssd' service user is set to '/run/sssd'
Take a note that it's not the case yet for sssd-2.9-
that is currently shipped in C9S.
dnf5 is currently in Fedora only, but this manifest is shared with
CentOS Stream and RHEL. Instead of requesting `dnf5`, request
`/usr/bin/dnf` instead. This will pull in dnf5 on Fedora, but dnf(4)
elsewhere.
We should be able to simplify this back to just `dnf` eventually once
dnf v4 is out of Fedora.
Classic sed invocation footgun. Doing `-ie` actually binds the `e` to
`-i` which tells sed to backup the original with a suffix of `e`.
This gets rid of `/usr/lib/tmpfiles.d/provision.confe`.
systemd-tmpfiles ignores files that don't have `.conf` so the stray file
had no effect.
These are all included in tier-x or tier-0 already.
Though it does drop bsdtar. This isn't really well-known enough to
belong here. It's included in FCOS because we use it in our scripts,
but it's not a requirement for any tier-1 logic AFAIK and I would be
surprised if users expected it there.
We want tier-1 to be another consumer of tier-x, kind of like its own
top-level Fedora variant. That way, tier-1 is now a strict superset of
tier-x, just like the other variants.
- Make very clear that tier-1 is the default image
- Link to our issue tracker for supportable base image customization
- Note use of `--build-arg=MANIFEST`.
etc.
Signed-off-by: Colin Walters <walters@verbum.org>
Let's at least verify tier-0 and tier-x can build fine. Ideally in the
future we actually run some tests on the resulting image, though let's
wait until this CI is migrated to Konflux before doing that.
tier-1 is more opinionated and automatic updates by default is
definitely a very strong opinion.
This makes it easier to inherit from tier-0 without having to undo that
knob if it's not desirable.
Prep for !48.
One of the main goals of the bootable containers initiative in Fedora
is to have all the image-based Fedora variants share a common base onto
which we can maintain CI, develop features, fix bugs, etc...
While I believe in the long-term, we should try to have literal
derivation from a base image, this is not currently desirable for
various reasons. Instead, for now we can share things at the manifest
level by having this repo be a submodule in the every variant's repo.
Currently, tier-0 is much smaller than it needs to be for sharing
purposes. Crucially, it doesn't include NetworkManager. At the same
time, tier-1 is much too large as a shared target. As a first step, we
should try to match variants where they currently are and not force them
to ship many more packages than they currently do.
For this purpose, I'm proposing a new tier: tier-x. The "x" stands for
"cross-variant". This tier is composed of tier-0 + a set of packages
that is currently in common to all the involved variants. The most
notable additions are NetworkManager, openssh, and rpm-ostree.
The intention then is to have every Fedora variant `include` this tier
and have it become the point of collaboration between variants. E.g. new
packages/bug fixes/temporary workarounds relevant to all variants likely
should land in this tier instead of in the downstreams. CI of course
will also be an important discussion point.
We only ship iptables-nft, so there's no need to explicitly
override the symlinks anymore. To enforce this remains the case, add
`iptables-legacy` to the exclusion list.
As per the comment, currently we're pulling in iptables-legacy because
for some reason the `iptables` Provides is fulfilled by that instead of
iptables-nft. Explicitly name the latter to avoid this.
Note in tier-1 we do pull iptables-nft only because it's explicitly
named there.
Instead of re-symlinking every tier-0 manifest, just include the tier-0
manifest directly. That way, rpm-ostree will already know to resolve its
manifests within the tier-0 directory.
Currently, there is both dnf and dnf5 in Fedora. dnf5 provides `dnf`,
but matching a package name is stronger and so requesting `dnf` here
still pulls in the legacy one.
This notably drops out Python from tier 0.
Fedora 41 appears to require the inclusion of `systemd-cryptsetup` in
the initrd in order to unlock LUKS devices at boot.
See: #17
Signed-off-by: Micah Abbott <miabbott@redhat.com>
Jonathan Lebon
Colin Walters
Colin Walters (Red Hat)
Xiaofeng Wang
Alexey Tikhonov
Jonathan Lebon
Joseph Marrero Corchado
Micah Abbott