diff --git a/common.yaml b/common.yaml
index d90ec08e9..0e42b663c 100644
--- a/common.yaml
+++ b/common.yaml
@@ -36,57 +36,36 @@ conditional-include: documentation: false postprocess: - - | - #!/usr/bin/env bash - set -xeo pipefail - - # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare - # See https://jira.coreos.com/browse/RHCOS-258 - if [ "$(uname -m)" == "x86_64" ]; then - cat > /etc/vmware-tools/tools.conf <<'EOF' - [guestosinfo] - short-name = rhel8-64 - EOF - fi - - # TEMPORARY: Remove /usr/etc/zkey/ group write permissions - # See https://github.com/openshift/os/issues/1209 - if [ "$(uname -m)" == "s390x" ]; then - chmod -R g-w /usr/etc/zkey - fi - - # Nuke network.service from orbit - # https://github.com/openshift/os/issues/117 - rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network - - # We're not using resolved yet - rm -f /usr/lib/systemd/system/systemd-resolved.service + # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare + # See https://jira.coreos.com/browse/RHCOS-258 - | #!/usr/bin/env bash - set -xeuo pipefail - # manually modify SELinux booleans that are needed for OCP use cases - semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 - semanage boolean --modify --on virt_use_samba # RHBZ#1754825 + set -xeo pipefail + if [ "$(uname -m)" == "x86_64" ]; then + cat > /etc/vmware-tools/tools.conf <<'EOF' + [guestosinfo] + short-name = rhel8-64 + EOF + fi - # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 - # https://bugzilla.redhat.com/show_bug.cgi?id=1796537 + # TEMPORARY: Remove /usr/etc/zkey/ group write permissions + # See https://github.com/openshift/os/issues/1209 - | - #!/usr/bin/bash - mkdir -p /usr/share/containers/oci/hooks.d + #!/usr/bin/env bash + set -xeo pipefail + if [ "$(uname -m)" == "s390x" ]; then + chmod -R g-w /usr/etc/zkey + fi - # This is part of e.g. fedora-repos in Fedora; we now want to include it by default - # so that the MCO can use it by default and not trip over SELinux issues trying - # to create it. 
+ # Nuke network.service from orbit + # https://github.com/openshift/os/issues/117 - | - #!/usr/bin/bash - mkdir -p /etc/yum.repos.d + #!/usr/bin/env bash + set -xeo pipefail + rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network - # These enable librhsm which enables host subscriptions to work in containers - # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30 - - | - #!/usr/bin/bash - ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host - ln -sr /run/secrets/rhsm /etc/rhsm-host + # We're not using resolved yet + rm -f /usr/lib/systemd/system/systemd-resolved.service # This updates the PAM configuration to reference all of the SSSD modules. # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles` 
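Review bot: The four script blocks this hunk splits apart each open with `set -xeo pipefail`, while the tmp-on-tmpfs block further down this file and the semanage block in packages-openshift.yaml open with `set -xeuo pipefail`; none of these scripts expand a variable, so the strict-mode line can be made uniform as `set -xeuo pipefail` and a later edit that introduces a variable gets the unset check for free. The same split applies to the `sed -i '/etc.resolv/d'` block in the `@@ -139` hunk and to the hooks.d block in packages-openshift.yaml, which has no `set` line at all. Pulling the `# TEMPORARY:` comments out of the scripts and above each `- |` item reads well, but every block now repeats the shebang and option line, so settling one form here avoids the drift spreading further.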
@@ -139,45 +118,30 @@ postprocess: done done - | - #!/usr/bin/env bash - set -xeo pipefail - - # FIXME: Why is this only broken here? NM isn't removing the link? - sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf + #!/usr/bin/env bash + set -xeo pipefail - # crio should stop hardcoding things in their config file! - # We are apparently somehow pulling in a conmon override in RHCOS - # that contains /usr/libexec/crio/conmon - WHY? - # sed -i '/conmon.*=/d' /etc/crio/crio.conf - # Oh right but the MCO overrides that too so... - mkdir -p /usr/libexec/crio - ln -sr /usr/bin/conmon /usr/libexec/crio/conmon + # FIXME: Why is this only broken here? NM isn't removing the link? + sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf - # Enable tmp-on-tmpfs by default because we don't want to have things leak - # across reboots, it increases alignment with FCOS, and also fixes the - # Live ISO. First, verify that RHEL is still disabling. - grep -q '# RHEL-only: Disable /tmp on tmpfs' /usr/lib/systemd/system/basic.target - echo '# RHCOS-only: we follow the Fedora/upstream default' >> /usr/lib/systemd/system/basic.target - echo 'Wants=tmp.mount' >> /usr/lib/systemd/system/basic.target - - | - #!/usr/bin/env bash - set -xeo pipefail - # See https://issues.redhat.com/browse/LOG-3117 - # Something changed between rhel8 and rhel9 to not generate this by default - # but we have containers that expect it to be mounted so for now let's continue - # generating it. - ln -sr /usr/share/zoneinfo/UTC /etc/localtime - | - #!/usr/bin/env bash - set -xeo pipefail - # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf - # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but - # that stopped working in the sysusers conversion. 
We should be able to drop this
- # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
- if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
- usermod -a -G hugetlbfs openvswitch
- fi
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ # Enable tmp-on-tmpfs by default because we don't want to have things leak
+ # across reboots, it increases alignment with FCOS, and also fixes the
+ # Live ISO. First, verify that RHEL is still disabling.
+ grep -q '# RHEL-only: Disable /tmp on tmpfs' /usr/lib/systemd/system/basic.target
+ echo '# RHCOS-only: we follow the Fedora/upstream default' >> /usr/lib/systemd/system/basic.target
+ echo 'Wants=tmp.mount' >> /usr/lib/systemd/system/basic.target
+ - |
+ #!/usr/bin/env bash
+ set -xeo pipefail
+ # See https://issues.redhat.com/browse/LOG-3117
+ # Something changed between rhel8 and rhel9 to not generate this by default
+ # but we have containers that expect it to be mounted so for now let's continue
+ # generating it.
+ ln -sr /usr/share/zoneinfo/UTC /etc/localtime
 remove-files:
 # We don't ship man(1) or info(1)
@@ -233,7 +197,6 @@ packages:
 - bootupd
 # Containers
 - containernetworking-plugins
- # Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected
 - container-selinux
 # Needed for newer rpm-ostree
 - "'skopeo >= 2:1.7.0'"
@@ -247,6 +210,8 @@ packages:
 # Common tools used by scripts and admins interactively
 - rsync tmux
 - nmap-ncat strace
+ # Future update manager on the client-side
+ - bootc
 # Editors
 - nano
 # Red Hat CA certs
@@ -262,7 +227,6 @@ packages:
 - qemu-guest-agent
 # passwd was obsoleted by shadow-utils in F40+, but still needed here
 - passwd
- # BELOW HERE ARE PACKAGES NOT IN RHEL
 # Gluster - Used for Openshift e2e gluster testcases
 # Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches
 - glusterfs-fuse
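Review bot: `sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf` in the first script block of this hunk exits 0 whether or not a matching entry exists, so if the tmpfiles entry is renamed or dropped upstream the FIXME'd workaround silently turns into a no-op; the tmp-on-tmpfs block right after it already asserts its precondition with `grep -q`, and the same pattern fits here, `grep -q 'etc/resolv' /usr/lib/tmpfiles.d/etc.conf` on the line before the sed. The `.` in `etc.resolv` is an unescaped regex wildcard, so `'/etc\/resolv/d'` states the intent more precisely. Separately, `ln -sr /usr/share/zoneinfo/UTC /etc/localtime` in the last block aborts under `set -e` if that path already exists in the tree; if that can happen for some base image, `ln -sfr` keeps the block idempotent.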
@@ -280,6 +244,8 @@ packages:
 - WALinuxAgent-udev
 # Provide fips-mode-setup which is needed by rhcos-fips.sh
 - crypto-policies-scripts
+ # For semanage
+ - policycoreutils-python-utils
 packages-x86_64:
 # Temporary add of open-vm-tools. Should be removed when containerized
diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml
index e828ae4cc..fa9a7ca7b 100644
--- a/manifest-c9s.yaml
+++ b/manifest-c9s.yaml
@@ -112,13 +112,6 @@ postprocess:
 ---
 EOF
- - |
- #!/usr/bin/env bash
- set -xeo pipefail
- # We need to work in disconnected environments by default, and default-enabled
- # repos will be attempted to be fetched by rpm-ostree when doing node-local
- # kernel overrides today for e.g. kernel-rt.
- for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done
 # Packages that are only in SCOS and not in RHCOS or that have special
 # constraints that do not apply to RHCOS
@@ -130,7 +123,6 @@ packages:
 - centos-release-cloud-common
 - centos-release-nfv-common
 - centos-release-virt-common
- - bootc
 # Packages pinned to specific repos in SCOS 9
 repo-packages:
diff --git a/manifest-rhel-9.4.yaml b/manifest-rhel-9.4.yaml
index 1f0fcdd8c..6ecd224ea 100644
--- a/manifest-rhel-9.4.yaml
+++ b/manifest-rhel-9.4.yaml
@@ -108,13 +108,6 @@ postprocess:
 ---
 EOF
- - |
- #!/usr/bin/env bash
- set -xeo pipefail
- # We need to work in disconnected environments by default, and default-enabled
- # repos will be attempted to be fetched by rpm-ostree when doing node-local
- # kernel overrides today for e.g. kernel-rt.
- for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done
 # Packages that are only in RHCOS and not in SCOS or that have special
 # constraints that do not apply to SCOS
@@ -122,7 +115,6 @@ packages:
 # We include the generic release package and tweak the os-release info in a
 # post-proces script
 - centos-release
- - bootc
 # Packages pinned to specific repos in SCOS 9
 repo-packages:
diff --git a/packages-openshift.yaml b/packages-openshift.yaml
index fece50b5b..74c4bff37 100644
--- a/packages-openshift.yaml
+++ b/packages-openshift.yaml
@@ -10,3 +10,63 @@ packages:
 - ose-aws-ecr-image-credential-provider
 - ose-azure-acr-image-credential-provider
 - ose-gcp-gcr-image-credential-provider
+
+postprocess:
+ # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
+ # so that the MCO can use it by default and not trip over SELinux issues trying
+ # to create it.
+ - |
+ #!/usr/bin/bash
+ set -euo pipefail
+ mkdir -p /etc/yum.repos.d
+
+ # If there *are* repos built-in (e.g. c9s), disable them.
+ # We need to work in disconnected environments by default, and default-enabled
+ # repos will be attempted to be fetched by rpm-ostree when doing node-local
+ # kernel overrides today for e.g. kernel-rt.
+ for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
+ sed -i -e s,enabled=1,enabled=0, $x
+ done
+
+ # These enable librhsm which enables host subscriptions to work in containers
+ # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+ - |
+ #!/usr/bin/bash
+ set -euo pipefail
+ ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ # manually modify SELinux booleans that are needed for OCP use cases
+ semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
+ semanage boolean --modify --on virt_use_samba # RHBZ#1754825
+
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+ - |
+ #!/usr/bin/bash
+ mkdir -p /usr/share/containers/oci/hooks.d
+
+ - |
+ #!/usr/bin/env bash
+ set -xeo pipefail
+ # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
+ # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
+ # that stopped working in the sysusers conversion. We should be able to drop this
+ # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
+ if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
+ usermod -a -G hugetlbfs openvswitch
+ fi
+
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ # crio should stop hardcoding things in their config file!
+ # We are apparently somehow pulling in a conmon override in RHCOS
+ # that contains /usr/libexec/crio/conmon - WHY?
+ # sed -i '/conmon.*=/d' /etc/crio/crio.conf
+ # Oh right but the MCO overrides that too so...
+ mkdir -p /usr/libexec/crio
+ ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
diff --git a/tests/kola/files/env-godebug b/tests/kola/files/env-godebug
index 8f902b0bc..60733720e 100755
--- a/tests/kola/files/env-godebug
+++ b/tests/kola/files/env-godebug
@@ -10,9 +10,7 @@ set -xeuo pipefail
 . $KOLA_EXT_DATA/commonlib.sh
-source /etc/os-release
-ostree_conf="/boot/loader.1/entries/ostree-1-${ID}.conf"
-initramfs=/boot$(grep initrd ${ostree_conf} | sed 's/initrd //g')
+initramfs=$(ls /boot/ostree/*/initramfs-*)
 conf="etc/systemd/system.conf.d/10-default-env-godebug.conf"
 tempd=$(mktemp -d)
 # unpack 10-default-env-godebug.conf from initramfs file
diff --git a/tests/kola/files/openvswitch-hugetlbfs-groups b/tests/kola/files/openvswitch-hugetlbfs-groups
index cf7c395b8..06f8a7243 100755
--- a/tests/kola/files/openvswitch-hugetlbfs-groups
+++ b/tests/kola/files/openvswitch-hugetlbfs-groups
@@ -3,6 +3,7 @@
 ## exclusive: false
 ## architectures: "x86_64 ppc64le"
 ## description: Verify openvswitch user is in the hugetlbfs group.
+## tags: openshift
 set -xeuo pipefail
diff --git a/tests/kola/version/rhel-matches-rhcos-build b/tests/kola/version/rhel-matches-rhcos-build
index 8116a9f24..55e86e4a5 100755
--- a/tests/kola/version/rhel-matches-rhcos-build
+++ b/tests/kola/version/rhel-matches-rhcos-build
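Review bot: `for x in $(find /etc/yum.repos.d/ -name '*.repo'); do sed -i -e s,enabled=1,enabled=0, $x; done` in the first script block word-splits find's output and expands `$x` unquoted, and `set -euo pipefail` does not catch either; letting find run sed directly avoids both and is a clean no-op when no repo file exists, which the comment says is the usual case outside c9s: `find /etc/yum.repos.d/ -name '*.repo' -exec sed -i -e 's,enabled=1,enabled=0,' {} +`. The semanage block needs the `semanage` binary, which this commit supplies through `policycoreutils-python-utils` in common.yaml rather than in this file; if packages-openshift.yaml can be included without common.yaml that block fails at build time, so a comment beside it naming the dependency would help the next reader. The hooks.d block is the only script here without a `set` line, and the others alternate between `set -euo pipefail` and `set -xeuo pipefail`; one form for all of them would read more consistently.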
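Review bot: `initramfs=$(ls /boot/ostree/*/initramfs-*)` parses ls output and, when /boot/ostree holds more than one deployment directory (for example after an upgrade that keeps a rollback deployment), stores several newline-separated paths in one variable, whereas the removed lines resolved the initramfs of the booted entry; the unpack step that consumes the value is outside this hunk, so I cannot see how a multi-path value behaves there. A glob into an array with a count check keeps the intent explicit, `initramfs=(/boot/ostree/*/initramfs-*)` followed by `[ "${#initramfs[@]}" -eq 1 ] && [ -e "${initramfs[0]}" ] || { echo "expected exactly one initramfs, found: ${initramfs[*]}" >&2; exit 1; }`, and an existing unsubscripted `$initramfs` reference still yields the first element. The rest of the test script lies outside the hunk.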
@@ -3,6 +3,7 @@
 ## exclusive: false
 ## description: Verify that the OS version (C9S, RHEL 9.x) matches
 ## the version stored in /etc/os-release.
+## tags: openshift
 set -xeuo pipefail