We will have a better way to make derived container images
that doesn't require having dnf in the base image.
Prep for more minimal and custom images.
Signed-off-by: Colin Walters <walters@verbum.org>
The crun package was excluded from s390x and ppc64le rawhide builds due to
differing dependencies across architectures. This caused kola tests to
fail as the crun was missing. We are adding crun explicitly to the tier-x
manifest in the base images to ensure it is included in all architectures
Using `--from` to set the target releasever doesn't work yet because we
_need_ to set the `releasever` field since the repo files reference it.
There's a pending rpm-ostree PR to fix this but for now hack around it
by manually injecting the necessary variables in the treefile.
As agreed in https://gitlab.com/fedora/bootc/tracker/-/issues/39, we're
going to be maintaining the treefile for all Fedora versions in the
`main` branch. Accordingly stop hardcoding releasevers and repos in
the treefiles.
But for now, we're still building the official image in pungi using the
non-container-native path, so add compatibility stubs to not break it.
Coincidentally, this doubles down on the proposed API to build the base
images for different Fedora versions using the `--from` switch. Document
this in the README. But note this doesn't work yet because nothing is
telling rpm-ostree which repos to use or what the releasever should be.
bootc has a Rust create https://github.com/containers/bootc/pull/775
to replace gdisk which has been removed by c10s and RHEL-10
Signed-off-by: Xiaofeng Wang <xiaofwan@redhat.com>
Starting sssd-2.10 that is shipped in F41+ and C10S,
home dir for 'sssd' service user is set to '/run/sssd'
Take a note that it's not the case yet for sssd-2.9-
that is currently shipped in C9S.
dnf5 is currently in Fedora only, but this manifest is shared with
CentOS Stream and RHEL. Instead of requesting `dnf5`, request
`/usr/bin/dnf` instead. This will pull in dnf5 on Fedora, but dnf(4)
elsewhere.
We should be able to simplify this back to just `dnf` eventually once
dnf v4 is out of Fedora.
Classic sed invocation footgun. Doing `-ie` actually binds the `e` to
`-i` which tells sed to backup the original with a suffix of `e`.
This gets rid of `/usr/lib/tmpfiles.d/provision.confe`.
systemd-tmpfiles ignores files that don't have `.conf` so the stray file
had no effect.
These are all included in tier-x or tier-0 already.
Though it does drop bsdtar. This isn't really well-known enough to
belong here. It's included in FCOS because we use it in our scripts,
but it's not a requirement for any tier-1 logic AFAIK and I would be
surprised if users expected it there.
We want tier-1 to be another consumer of tier-x, kind of like its own
top-level Fedora variant. That way, tier-1 is now a strict superset of
tier-x, just like the other variants.
- Make very clear that tier-1 is the default image
- Link to our issue tracker for supportable base image customization
- Note use of `--build-arg=MANIFEST`.
etc.
Signed-off-by: Colin Walters <walters@verbum.org>
Let's at least verify tier-0 and tier-x can build fine. Ideally in the
future we actually run some tests on the resulting image, though let's
wait until this CI is migrated to Konflux before doing that.
tier-1 is more opinionated and automatic updates by default is
definitely a very strong opinion.
This makes it easier to inherit from tier-0 without having to undo that
knob if it's not desirable.
Prep for !48.
One of the main goals of the bootable containers initiative in Fedora
is to have all the image-based Fedora variants share a common base onto
which we can maintain CI, develop features, fix bugs, etc...
While I believe in the long-term, we should try to have literal
derivation from a base image, this is not currently desirable for
various reasons. Instead, for now we can share things at the manifest
level by having this repo be a submodule in the every variant's repo.
Currently, tier-0 is much smaller than it needs to be for sharing
purposes. Crucially, it doesn't include NetworkManager. At the same
time, tier-1 is much too large as a shared target. As a first step, we
should try to match variants where they currently are and not force them
to ship many more packages than they currently do.
For this purpose, I'm proposing a new tier: tier-x. The "x" stands for
"cross-variant". This tier is composed of tier-0 + a set of packages
that is currently in common to all the involved variants. The most
notable additions are NetworkManager, openssh, and rpm-ostree.
The intention then is to have every Fedora variant `include` this tier
and have it become the point of collaboration between variants. E.g. new
packages/bug fixes/temporary workarounds relevant to all variants likely
should land in this tier instead of in the downstreams. CI of course
will also be an important discussion point.
We only ship iptables-nft, so there's no need to explicitly
override the symlinks anymore. To enforce this remains the case, add
`iptables-legacy` to the exclusion list.
As per the comment, currently we're pulling in iptables-legacy because
for some reason the `iptables` Provides is fulfilled by that instead of
iptables-nft. Explicitly name the latter to avoid this.
Note in tier-1 we do pull iptables-nft only because it's explicitly
named there.
Colin Walters
Micah Abbott
Valentin Rothberg
Colin Walters (Red Hat)
Aashish Radhakrishnan
Jonathan Lebon
Jonathan Lebon
Xiaofeng Wang
Alexey Tikhonov