From e847b3ebcbfddf76145fc75a83f2608e11ed3389 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 31 Mar 2025 10:38:06 -0400
Subject: [PATCH 1/2] build.sh: add CentOS Stream keys into `/etc/pki/rpm-gpg`

This goes together with a related patch in openshift/os. Copying the same context from that one: A long-standing issue that rears its head in various places in our code is the fact that the repo files for CentOS Stream reference a `gpgkey` path that is valid only for cosa but not within a CentOS Stream environment. See e.g. 0a7ad3b ("extensions: Workaround for CentOS GPG key paths") in the openshift/os repo for an example issue. We don't have this problem with RHEL because cosa, being Fedora-based, ships the Red Hat key in its `/etc/pki/rpm-gpg`. I want to address this for CentOS Stream the same way, i.e. by adding the CentOS Stream keys to `/etc/pki/rpm-gpg` in cosa. This should allow us to simplify code there.
---
 build.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/build.sh b/build.sh
index b2217e9cf7..2cbc2b99be 100755
--- a/build.sh
+++ b/build.sh
@@ -90,6 +90,17 @@ install_rpms() {
 fi
 # Similarly for kernel data and SELinux policy, which we want to inject into supermin
 chmod -R a+rX /usr/lib/modules /usr/share/selinux/targeted
+
+ # Symlink the CentOS Stream GPG keys to /etc to make it easier to build
+ # CentOS-based artifacts.
+ if [ ! -e "/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial" ]; then
+ ln -s /usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+ ln -s {/usr/share/distribution-gpg-keys/centos,/etc/pki/rpm-gpg}/RPM-GPG-KEY-CentOS-SIG-Cloud
+ ln -s {/usr/share/distribution-gpg-keys/centos,/etc/pki/rpm-gpg}/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
+ ln -s {/usr/share/distribution-gpg-keys/centos,/etc/pki/rpm-gpg}/RPM-GPG-KEY-CentOS-SIG-NFV
+ ln -s {/usr/share/distribution-gpg-keys/centos,/etc/pki/rpm-gpg}/RPM-GPG-KEY-CentOS-SIG-Virtualization
+ fi
+
 # Further cleanup
 yum clean all
 }
From 91d5a361fa819aa220744da5729bae1a2640ea4b Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 31 Mar 2025 10:38:07 -0400
Subject: [PATCH 2/2] Add `cosa podman-build`

This is basically a thin wrapper around `podman build` to make it easier to get the arguments right. The fanciest part really is the passing of the secret repos file into the build environment. Example usage:
```
cosa podman-build node
cosa podman-build extensions
```
Additional arguments are passed through to `podman build`.
---
 src/cmd-podman-build | 46 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100755 src/cmd-podman-build

diff --git a/src/cmd-podman-build b/src/cmd-podman-build
new file mode 100755
index 0000000000..83d468ff41
--- /dev/null
+++ b/src/cmd-podman-build
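Review bot: The guard `if [ ! -e "/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial" ]` only looks at the first link, and `ln -s` never verifies that its target exists, so when the `distribution-gpg-keys` package is absent or renames one of these files the block still succeeds and leaves dangling symlinks that only surface later as a signature-check failure on a CentOS repo. Conversely, a directory where the official link exists but a SIG link does not is never repaired, and a directory where the official link is missing but a SIG link is present makes that `ln -s` fail (fatal if build.sh runs under `set -e`, which I cannot see from this hunk). Iterating over the key names, asserting each source exists and using `ln -sf` makes the step idempotent and fails at the line where the key is actually missing. Only the tail of `install_rpms` is in the hunk; its start is outside it.
```shell
    # … unchanged: chmod -R a+rX /usr/lib/modules /usr/share/selinux/targeted …

    # Symlink the CentOS Stream GPG keys to /etc to make it easier to build
    # CentOS-based artifacts. Entries are SRC[:DST]; DST defaults to SRC.
    keydir=/usr/share/distribution-gpg-keys/centos
    for pair in RPM-GPG-KEY-CentOS-Official:RPM-GPG-KEY-centosofficial \
                RPM-GPG-KEY-CentOS-SIG-Cloud \
                RPM-GPG-KEY-CentOS-SIG-Extras-SHA512 \
                RPM-GPG-KEY-CentOS-SIG-NFV \
                RPM-GPG-KEY-CentOS-SIG-Virtualization; do
        src=${pair%%:*}
        dst=${pair#*:}
        # Fail here, not at gpgcheck time, if distribution-gpg-keys changed.
        test -e "${keydir}/${src}"
        ln -sf "${keydir}/${src}" "/etc/pki/rpm-gpg/${dst}"
    done

    # … unchanged: yum clean all …
```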
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -xeuo pipefail
+
+meta=builds/latest/$(arch)/meta.json
+name=$(jq -r .name "${meta}")
+version=$(jq -r '."ostree-version"' "${meta}")
+
+# can't use `rpm-ostree --print-json | jq .` here because the manifest may have
+# variables that need to be set
+ocp_version=$(python3 < src/config/packages-openshift.yaml -c '
+import yaml, sys
+y = yaml.safe_load(sys.stdin)
+print(y["metadata"]["ocp_version"])')
+
+node_tag=localhost/${name}-${ocp_version}-${version}-node
+extensions_tag=localhost/${name}-${ocp_version}-${version}-extensions
+
+target=${1:-}
+case "${target}" in
+ node)
+ from=oci-archive:builds/latest/$(arch)/$(jq .images.ostree.path "$meta")
+ containerfile="src/config/Containerfile"
+ tag=${node_tag}
+ ;;
+ extensions)
+ from=${node_tag}
+ containerfile="src/config/extensions/Dockerfile"
+ tag=${extensions_tag}
+ ;;
+ "") echo "Usage: $0 (node|extensions) [extra podman args...]" >&2; exit 1;;
+esac
+shift
+
+cat src/config/*.repo > tmp/all.repo
+if [ -d src/yumrepos ]; then
+ cat src/yumrepos/*.repo >> tmp/all.repo
+fi
+repos=$(realpath tmp/all.repo)
+
+set -x
+podman build --from "$from" \
+ -t "${tag}" \
+ -f "${containerfile}" \
+ --secret id=yumrepos,src="$repos" \
+ -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
+ --security-opt label=disable src/config "$@"
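Review bot: The `from=` assignment in the `node)` arm calls `jq .images.ostree.path "$meta"` without `-r`, so the JSON string is substituted together with its surrounding double quotes and podman is handed an `oci-archive:` path that does not exist; the two `jq` calls at the top of the file use `-r`, and this one should match them: `from=oci-archive:builds/latest/$(arch)/$(jq -r .images.ostree.path "$meta")`. The `case` has no `*)` arm, so a misspelled target skips every assignment and the script only dies later at `podman build --from "$from"` with an unbound-variable error from `set -u`; turning the last arm into `*) echo "Usage: $0 (node|extensions) [extra podman args...]" >&2; exit 1;;` covers both the empty and the unknown target. `tmp/all.repo` is a merged copy of the repo files the commit message calls secret and is left on disk after the build finishes; creating it with `repos=$(mktemp -p "$(realpath tmp)" all.repo.XXXXXX)` and adding `trap 'rm -f -- "$repos"' EXIT` keeps the merged credentials from lingering in the workdir. The `set -x` before `podman build` is redundant with the `-x` already set by `set -xeuo pipefail` on line 2.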