From 229493957bf7c77985bc2001b8b79ffb10bc855d Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Fri, 28 Mar 2025 12:01:27 -0400 Subject: [PATCH 01/11] Nuke `okd-c9s` variant This is not built anywhere by anyone. OKD has moved to the new layered node image model and uses the output from the `c9s` variant we currently build internally. --- README.md | 3 -- image-okd-c9s.yaml | 1 - manifest-okd-c9s.yaml | 112 ------------------------------------------ 3 files changed, 116 deletions(-) delete mode 120000 image-okd-c9s.yaml delete mode 100644 manifest-okd-c9s.yaml diff --git a/README.md b/README.md index 425537e3a..6f5008c7b 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,6 @@ supported: - `rhel-9.6`: RHEL 9.6-based CoreOS; without OpenShift components. - `ocp-rhel-9.6`: RHEL 9.6-based CoreOS; including OpenShift components. - `c9s`: CentOS Stream-based CoreOS, without OKD components. -- `okd-c9s`: CentOS Stream-based CoreOS, including OpenShift components. This - currently includes some packages from RHEL because not all packages required - by OpenShift are provided in CentOS Stream. In the future, the `ocp-*` variants will be removed. Instead, OpenShift components will be layered by deriving from the `rhel-9.X`/`c9s` images. diff --git a/image-okd-c9s.yaml b/image-okd-c9s.yaml deleted file mode 120000 index 56168f452..000000000 --- a/image-okd-c9s.yaml +++ /dev/null @@ -1 +0,0 @@ -image-c9s.yaml \ No newline at end of file diff --git a/manifest-okd-c9s.yaml b/manifest-okd-c9s.yaml deleted file mode 100644 index 0b7e664ec..000000000 --- a/manifest-okd-c9s.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -# Manifest for OKD node based on CentOS Stream CoreOS 9 -# Note: this manifest is temporary; in the future, OKD components will be layered instead. - -metadata: - license: MIT - name: scos - summary: OKD 4.19 - -variables: - osversion: "c9s" - -include: - - manifest-c9s.yaml - - packages-openshift.yaml - -# Additional repos we need for OKD components -repos: - # CentOS Extras Common repo for SIG RPM GPG keys - - c9s-extras-common - # CentOS NFV SIG repo for openvswitch - - c9s-sig-nfv - # CentOS Cloud SIG repo for cri-o, cri-tools and conmon-rs - - c9s-sig-cloud-okd - # Include RHCOS 9 repo for oc, hyperkube - - rhel-9.6-server-ose-4.19 - -# We include hours/minutes to avoid version number reuse -automatic-version-prefix: "419.9." -# This ensures we're semver-compatible which OpenShift wants -automatic-version-suffix: "-" -# Keep this is sync with the version in postprocess -mutate-os-release: "4.19" - -postprocess: - - | - #!/usr/bin/env bash - set -xeo pipefail - - # Tweak /usr/lib/os-release - grep -v -e "OSTREE_VERSION" -e "OPENSHIFT_VERSION" /etc/os-release > /usr/lib/os-release.stream - ( - . /etc/os-release - cat > /usr/lib/os-release < /usr/lib/system-release-cpe < /usr/lib/system-release < /usr/lib/issue < Date: Sun, 30 Mar 2025 13:58:22 -0400 Subject: [PATCH 02/11] c9s.repo: use canonical /etc gpgkey paths A long-standing issue that rears its head in various places in our code is the fact that the repo files for CentOS Stream reference a `gpgkey` path that is valid only for cosa but not within a CentOS Stream environment. See e.g. 0a7ad3b ("extensions: Workaround for CentOS GPG key paths") for an example issue. We don't have this problem with RHEL because cosa, being Fedora-based, ships the Red Hat key in its `/etc/pki/rpm-gpg`. I want to address this for CentOS Stream the same way, i.e. by adding the CentOS Stream keys to `/etc/pki/rpm-gpg` in cosa. This should allow us to simplify code here. 
---
 c9s-mirror.repo | 8 ++++----
 c9s.repo | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/c9s-mirror.repo b/c9s-mirror.repo
index 00b1c62c9..801dada3d 100644
--- a/c9s-mirror.repo
+++ b/c9s-mirror.repo
@@ -9,7 +9,7 @@ baseurl=https://mirror.stream.centos.org/9-stream/BaseOS/$basearch/os
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-appstream-mirror]
 name=CentOS Stream 9 - AppStream
@@ -17,7 +17,7 @@ baseurl=https://mirror.stream.centos.org/9-stream/AppStream/$basearch/os
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-nfv-mirror]
 name=CentOS Stream 9 - NFV
@@ -25,7 +25,7 @@ baseurl=https://mirror.stream.centos.org/9-stream/NFV/$basearch/os
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-rt-mirror]
 name=CentOS Stream 9 - RT
@@ -33,4 +33,4 @@ baseurl=https://mirror.stream.centos.org/9-stream/RT/$basearch/os
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
diff --git a/c9s.repo b/c9s.repo
index 8bad37fbb..0297db80a 100644
--- a/c9s.repo
+++ b/c9s.repo
@@ -10,7 +10,7 @@ baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compo
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-appstream]
 name=CentOS Stream 9 - AppStream
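Review bot: The new `gpgkey=file:///etc/pki/rpm-gpg/...` paths in every section of c9s-mirror.repo and c9s.repo (this hunk and the ones continuing in the next two) assume the build environment ships those key files under /etc/pki/rpm-gpg, which the description says is a pending change to cosa rather than anything this repository controls. Because every section keeps `gpgcheck=1`, a missing key file makes dnf fail rather than skip verification, so the failure mode is safe but opaque to whoever hits it first. A header comment at the top of each file would help, e.g. `# gpgkey paths are the ones a CentOS Stream system has under /etc/pki/rpm-gpg; the build environment (cosa) must ship these same key files.` Note also that `repo_gpgcheck=0` is retained throughout, so the key path protects package signatures only and repodata remains unsigned-checked; that is unchanged by this commit but worth stating when documenting what the key covers.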
@@ -18,7 +18,7 @@ baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compo
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-extras-common]
 name=CentOS Stream 9 - Extras packages
@@ -29,7 +29,7 @@ baseurl=https://mirror.stream.centos.org/SIGs/9-stream/extras/x86_64/extras-comm
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
 
 [c9s-nfv]
 name=CentOS Stream 9 - NFV
@@ -37,7 +37,7 @@ baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compo
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-rt]
 name=CentOS Stream 9 - RT
@@ -45,7 +45,7 @@ baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compo
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [c9s-sig-nfv]
 name=CentOS Stream 9 - SIG NFV
@@ -53,7 +53,7 @@ baseurl=https://mirror.stream.centos.org/SIGs/9-stream/nfv/$basearch/openvswitch
 gpgcheck=1
 repo_gpgcheck=0
 enabled=1
-gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-NFV
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
 
 [c9s-sig-virtualization]
 name=CentOS Stream 9 - SIG Virtualization
@@ -61,7 +61,7 @@ baseurl=https://mirror.stream.centos.org/SIGs/9-stream/virt/$basearch/kata-conta gpgcheck=1 repo_gpgcheck=0 enabled=1 -gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-Virtualization +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization [c9s-sig-cloud-okd] name=CentOS Stream 9 - SIG Cloud OKD 4.19 @@ -69,4 +69,4 @@ baseurl=https://mirror.stream.centos.org/SIGs/9-stream/cloud/$basearch/okd-4.19/ gpgcheck=1 repo_gpgcheck=0 enabled=1 -gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-SIG-Cloud +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud From 69a0b96bc9274959661da992596e66d0efb7c082 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Sat, 29 Mar 2025 21:14:46 -0400 Subject: [PATCH 03/11] Containerfiles: use heredoc to clean up gnarly `RUN`s Makes the embedded bash actually legible and e.g. allows comments. No functional change. --- Containerfile | 34 +++++++++++++++++++++++++--------- extensions/Dockerfile | 16 +++++++++++++++- 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/Containerfile b/Containerfile index c0989c915..d42cec723 100644 --- a/Containerfile +++ b/Containerfile 
@@ -29,15 +29,31 @@ FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build ARG OPENSHIFT_CI=0 -# Avoid shipping modified .pyc files. Due to https://github.com/ostreedev/ostree/issues/1469, -# any Python apps that run (e.g. dnf) will cause pyc creation. -RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo \ - find /usr -name '*.pyc' -exec mv {} {}.bak \; && \ - if [ "${OPENSHIFT_CI}" != 0 ]; then /run/src/ci/get-ocp-repo.sh --ocp-layer /run/src/packages-openshift.yaml --output-dir /etc/yum.repos.d; fi && \ - /run/src/scripts/apply-manifest /run/src/packages-openshift.yaml && \ - if [ "${OPENSHIFT_CI}" != 0 ]; then /run/src/ci/get-ocp-repo.sh --output-dir /etc/yum.repos.d --cleanup; fi && \ - find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \; && \ - ostree container commit +RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo < Date: Sun, 30 Mar 2025 13:58:57 -0400 Subject: [PATCH 04/11] extensions-okd-c9s: add all mirror repos We had a mirror repo already for kernel-rt, but there are other extensions there that also have host version bindings. So just move it up to the top of the manifest and add all the other repos as well. --- extensions-okd-c9s.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/extensions-okd-c9s.yaml b/extensions-okd-c9s.yaml index 10b668877..460d1554e 100644 --- a/extensions-okd-c9s.yaml +++ b/extensions-okd-c9s.yaml @@ -4,6 +4,13 @@ repos: - c9s-sig-virtualization + # Some of the extensions here have version bindings to host packages. Add the + # mirrors since those retain multiple versions of packages in case the latest + # compose has already moved since the last base image build. + - c9s-baseos-mirror + - c9s-appstream-mirror + - c9s-nfv-mirror + - c9s-rt-mirror extensions: # https://issues.redhat.com/browse/RFE-4177 
@@ -57,9 +64,6 @@ extensions: - x86_64 repos: - c9s-nfv - # nfv-mirror is needed while building scos node images through CI in case the composes have already moved kernel version - # this is true for any other package as well - so we will need to find a better solution for this [TODO] - - c9s-nfv-mirror packages: - kernel-rt-core - kernel-rt-kvm From a2c632dcc680d20500e0823e29fd5ba752259246 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Sun, 30 Mar 2025 13:59:51 -0400 Subject: [PATCH 05/11] extensions/Dockerfile: drop `VARIANT` arg Instead of having to explicitly pass in the `VARIANT`, we can autodetect it based on the node image we're building `FROM`. --- extensions/Dockerfile | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/extensions/Dockerfile b/extensions/Dockerfile index 92b38a595..b79bd32de 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile @@ -7,17 +7,18 @@ RUN mkdir /os WORKDIR /os ADD . . ARG OPENSHIFT_CI=0 -ARG VARIANT="" RUN if [ "${OPENSHIFT_CI}" != 0 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo < Date: Sun, 30 Mar 2025 14:01:30 -0400 Subject: [PATCH 06/11] Containerfile: move to treefile-apply, drop apply-manifest `apply-manifest` was essentially folded back into rpm-ostree in: https://github.com/coreos/rpm-ostree/pull/5274 The only thing we need to keep is the workaround for cri-o's `/var/opt`, which... we should just try to get fixed. --- Containerfile | 7 +++++- scripts/apply-manifest | 54 ------------------------------------------ 2 files changed, 6 insertions(+), 55 deletions(-) delete mode 100755 scripts/apply-manifest diff --git a/Containerfile b/Containerfile index d42cec723..1a5743182 100644 --- a/Containerfile +++ b/Containerfile 
@@ -43,8 +43,13 @@ RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/et /run/src/ci/get-ocp-repo.sh --ocp-layer /run/src/packages-openshift.yaml --output-dir /etc/yum.repos.d fi + # XXX: patch cri-o spec to use tmpfiles + # https://github.com/CentOS/centos-bootc/issues/393 + mkdir -p /var/opt + # this is where all the real work happens - /run/src/scripts/apply-manifest /run/src/packages-openshift.yaml + rpm-ostree experimental compose treefile-apply \ + /run/src/packages-openshift.yaml # do any cleanups necessary to undo what `get-ocp-repo.sh` did if [ "${OPENSHIFT_CI}" != 0 ]; then diff --git a/scripts/apply-manifest b/scripts/apply-manifest deleted file mode 100755 index 6563c7b6b..000000000 --- a/scripts/apply-manifest +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/python3 -u - -# This is a hacky temporary script to apply an rpm-ostree manifest as part of a -# derived container build. It's only required because we're in this transitional -# state where some streams use the old way, and others use layering. Once all -# streams use layering, we could stop using manifests for the layered bits. (An -# obvious question here is whether we should keep extending the `rpm-ostree ex -# rebuild` stuff to keep using manifests even in a layered build. Though likely -# similar functionality will live in dnf instead.) - -# Note this only supports the subset of the manifest spec actually used in -# `packages-openshift.yaml`. - -import os -import shutil -import subprocess -import sys -import yaml - - -def runcmd(args): - print("Running:", ' '.join(args)) - subprocess.check_call(args) - - -manifest_file = sys.argv[1] -manifest_dir = os.path.dirname(manifest_file) - -with open(manifest_file) as f: - manifest = yaml.safe_load(f) - -if len(manifest.get('packages', [])): - - packages = [] - for pkg in manifest['packages']: - packages += pkg.split() - dnf_install = ['dnf', 'install', '--setopt=tsflags=nodocs', '--noplugins', '-y'] + packages - - # XXX: temporary hack for cri-o, which wants to create dirs under /opt - # https://github.com/CentOS/centos-bootc/issues/393 - if 'cri-o' in packages: - os.makedirs("/var/opt", exist_ok=True) - - runcmd(dnf_install) - - -if len(manifest.get('postprocess', [])): - for i, script in enumerate(manifest['postprocess']): - name = f"/tmp/postprocess-script-{i}" - with open(name, 'w') as f: - f.write(script) - os.chmod(name, 0o755) - runcmd([name]) - os.unlink(name) From d0fbf443a7a1fbbabf2799e27f44a6e5c00885b3 Mon Sep 17 00:00:00 2001 
From: Jonathan Lebon Date: Sun, 30 Mar 2025 14:00:56 -0400 Subject: [PATCH 07/11] packages-openshift: define repos list there Previously, when building the layered node image, we were relying on the default repo enablement settings. This though is at the source of a lot of complexity because then we need to make sure that we only inject just the repos that we need with the right enablement. See e.g. the complex logic in `get-ocp-repo.sh`. Let's instead match the semantics already in use by the base compose and extensions builds, both of which explicitly list the repos to enable. This means that we can be a lot less careful in what repo definitions we inject into the build environment, knowing only the necessary ones will be enabled. This is pretty easy to do now that (1) rpm-ostree suppports inlined treefiles, and (2) `treefile-apply` supports a `--var` option to define variables at invocation time. --- Containerfile | 3 ++- manifest-c9s.yaml | 1 + manifest-rhel-9.6.yaml | 1 + packages-openshift.yaml | 18 ++++++++++++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index 1a5743182..30256d269 100644 --- a/Containerfile +++ b/Containerfile @@ -47,9 +47,10 @@ RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/et # https://github.com/CentOS/centos-bootc/issues/393 mkdir -p /var/opt + source /etc/os-release # this is where all the real work happens rpm-ostree experimental compose treefile-apply \ - /run/src/packages-openshift.yaml + --var id=$ID /run/src/packages-openshift.yaml # do any cleanups necessary to undo what `get-ocp-repo.sh` did if [ "${OPENSHIFT_CI}" != 0 ]; then diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml index b46b20b15..6cd434e68 100644 --- a/manifest-c9s.yaml +++ b/manifest-c9s.yaml @@ -6,6 +6,7 @@ metadata: summary: CentOS Stream CoreOS 9 variables: + id: "centos" osversion: "c9s" inherit_tier_x: true 
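Review bot: `--var id=$ID` on the new treefile-apply line is unquoted, and `$ID` is whatever `source /etc/os-release` two lines above set; quote it as `--var id="$ID"` so an empty or unexpected value fails as a clear argument error instead of being word-split into the command line. The same unquoted `$ID` recurs as `[ $ID = centos ]` in the later Containerfile hunk of patch 09 and again in the new build-node-image.sh of patch 10, where `[ "$ID" = centos ]` is the ShellCheck-clean form. Sourcing /etc/os-release executes it as shell, so repo selection now trusts that file from the image this stage builds FROM; a short comment on the `source` line saying that is what the base image's ID is used for would make the dependency explicit. The enclosing RUN heredoc starts and ends outside this hunk.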
diff --git a/manifest-rhel-9.6.yaml b/manifest-rhel-9.6.yaml index d0a3c9b51..70189d09e 100644 --- a/manifest-rhel-9.6.yaml +++ b/manifest-rhel-9.6.yaml @@ -6,6 +6,7 @@ metadata: summary: RHEL CoreOS 9.6 variables: + id: "rhel" osversion: "rhel-9.6" inherit_tier_x: true diff --git a/packages-openshift.yaml b/packages-openshift.yaml index 6c058b0f8..a7b614e13 100644 --- a/packages-openshift.yaml +++ b/packages-openshift.yaml @@ -4,6 +4,24 @@ metadata: # inject when building the layered image. ocp_version: "4.19" +conditional-include: + - if: id == "rhel" + include: + repos: + - rhel-9.6-baseos + - rhel-9.6-appstream + - rhel-9.6-early-kernel + - rhel-9.6-fast-datapath + - rhel-9.6-server-ose-4.19 + - if: id == "centos" + include: + repos: + - c9s-baseos + - c9s-appstream + - c9s-sig-nfv + - c9s-sig-cloud-okd + - rhel-9.6-server-ose-4.19 + packages: # The packages below are required by OpenShift/OKD # but are not present in CentOS Stream and RHEL. From b4ce075c7607c930eece2ba20d8692e285a78938 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Sun, 30 Mar 2025 14:10:08 -0400 Subject: [PATCH 08/11] get-ocp-repo.sh: drastically simplify Now that (1) we've reworked the layered node image build to only enable the repos it needs, and (2) we've simplified the CentOS Stream GPG keys, we can delete all of the complex logic in this repo. It basically just boils down to curl'ing down all the repo files we may need to build the various artifacts that use this script. --- Containerfile | 6 +- ci/get-ocp-repo.sh | 206 ++--------------------------------- ci/prow-entrypoint.sh | 2 +- extensions-ocp-rhel-9.6.yaml | 1 - extensions/Dockerfile | 6 +- 5 files changed, 21 insertions(+), 200 deletions(-) diff --git a/Containerfile b/Containerfile index 30256d269..9fc9adedc 100644 --- a/Containerfile +++ b/Containerfile 
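Review bot: The new `conditional-include` list in packages-openshift.yaml has branches only for `id == "rhel"` and `id == "centos"` and no fallback, and the Containerfile hunk in this patch derives `id` from the base image's /etc/os-release, so presumably any other ID yields no `repos` entries at all and the failure only surfaces later as unresolvable packages. If that is the intended contract, document it above the list, e.g. `# Repos are chosen by the 'id' variable (ID from /etc/os-release of the base image, or a manifest's 'variables'); only "rhel" and "centos" are handled, anything else enables no repos.` The `id: "centos"` and `id: "rhel"` additions in manifest-c9s.yaml and manifest-rhel-9.6.yaml are correctly quoted. I can't tell from the hunk whether treefile-apply rejects an unknown `id`; if it does not, an explicit check in the Containerfile before the call would be cheap.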
@@ -40,7 +40,7 @@ RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/et # fetch repos from in-cluster mirrors if we're running in OpenShift CI if [ "${OPENSHIFT_CI}" != 0 ]; then - /run/src/ci/get-ocp-repo.sh --ocp-layer /run/src/packages-openshift.yaml --output-dir /etc/yum.repos.d + /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo fi # XXX: patch cri-o spec to use tmpfiles @@ -52,9 +52,9 @@ RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/et rpm-ostree experimental compose treefile-apply \ --var id=$ID /run/src/packages-openshift.yaml - # do any cleanups necessary to undo what `get-ocp-repo.sh` did + # cleanup the repo file we injected if [ "${OPENSHIFT_CI}" != 0 ]; then - /run/src/ci/get-ocp-repo.sh --output-dir /etc/yum.repos.d --cleanup + rm /etc/yum.repos.d/ocp.repo fi find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \; diff --git a/ci/get-ocp-repo.sh b/ci/get-ocp-repo.sh index 4fb06fa75..95ed35ef4 100755 --- a/ci/get-ocp-repo.sh +++ b/ci/get-ocp-repo.sh 
@@ -3,203 +3,21 @@ set -euo pipefail # This script is used when running within the OpenShift CI clusters to fetch # the RHEL and OCP yum repo files from an in-cluster service that mirrors the -# content. It's called from three places: -# - prow-entrypoint.sh: CI tests that build & and test different variants -# - extensions/Dockerfile: when building the extensions container in OpenShift CI -# - Containerfile: when building the node image in CI +# content. -print_usage_and_exit() { - cat 1>&2 <<'EOF' -Usage: $0 [OPTIONS] - - Fetch mirrored RHEL/OCP yum repo files from OpenShift CI's in-cluster service. - The following modes are supported: - - --cosa-workdir PATH Get RHEL and OCP versions from manifests in cosa workdir - --ocp-layer MANIFEST Get RHEL version from /usr/lib/os-release and OCP version from manifest - - The following options are supported - - --output-dir PATH Directory to which to output ocp.repo file -EOF - exit 1 -} - -info() { - echo "INFO:" "$@" >&2 -} - -cleanup_repos() { - # if we had installed the packages and created symlinks, remove it - if rpm -q centos-release-cloud; then - dnf remove -y centos-release-{cloud,nfv,virt}-common - find "/usr/share/distribution-gpg-keys/centos" -type l -exec rm -f {} \; - echo "Removed all symbolic links and packages installed for scos" - fi - # remove ocp.repo file - if [ -n "$ocp_manifest" ]; then - if [ -z "$output_dir" ]; then - output_dir=$(dirname "$ocp_manifest") - fi - else - if [ -z "$output_dir" ]; then - output_dir="$cosa_workdir/src/config" - fi - fi - rm "$output_dir/ocp.repo" - echo "Removed repo file $output_dir/ocp.repo" -} - -create_gpg_keys() { - # Check if centos-stream-release is installed and centos-release-cloud is not - # enablerepo added in case the repo is disabled (when building extensions) - if rpm -q centos-stream-release && ! 
rpm -q centos-release-cloud; then - dnf install -y centos-release-{cloud,nfv,virt}-common --enablerepo extras-common - fi - - # Create directory for CentOS distribution GPG keys - mkdir -p /usr/share/distribution-gpg-keys/centos - # Create symbolic links for GPG keys - if [ ! -e "/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official" ]; then - ln -s /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official - ln -s {/etc/pki/rpm-gpg,/usr/share/distribution-gpg-keys/centos}/RPM-GPG-KEY-CentOS-SIG-Cloud - ln -s {/etc/pki/rpm-gpg,/usr/share/distribution-gpg-keys/centos}/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512 - ln -s {/etc/pki/rpm-gpg,/usr/share/distribution-gpg-keys/centos}/RPM-GPG-KEY-CentOS-SIG-NFV - ln -s {/etc/pki/rpm-gpg,/usr/share/distribution-gpg-keys/centos}/RPM-GPG-KEY-CentOS-SIG-Virtualization - fi -} - -cosa_workdir= -ocp_manifest= -output_dir= -rc=0 -options=$(getopt --options h --longoptions help,cosa-workdir:,ocp-layer:,output-dir:,cleanup -- "$@") || rc=$? 
-[ $rc -eq 0 ] || print_usage_and_exit -eval set -- "$options" -while [ $# -ne 0 ]; do - case "$1" in - -h | --help) print_usage_and_exit;; - --cosa-workdir) cosa_workdir=$2; shift;; - --ocp-layer) ocp_manifest=$2; shift;; - --output-dir) output_dir=$2; shift;; - --cleanup) cleanup_repos; exit 0;; - --) break;; - *) echo "$0: invalid argument: $1" >&2; exit 1;; - esac - shift -done - -if [ -n "$ocp_manifest" ]; then - # --ocp-layer path - ocp_version=$(rpm-ostree compose tree --print-only "$ocp_manifest" | jq -r '.metadata.ocp_version') - ocp_version=${ocp_version//./-} - info "Got OpenShift version $ocp_version from $ocp_manifest" - # osname is used lower down, so set it - osname=$(source /usr/lib/os-release; if [ $ID == centos ]; then echo scos; fi) - - if [ -z "$output_dir" ]; then - output_dir=$(dirname "$ocp_manifest") - fi - - # get rhel version corresponding to the release so we can get the - # correct OpenShift rpms from those for scos. These packages are not - # available in CentOS Stream - if [ "$osname" = scos ]; then - workdir=$(dirname "$ocp_manifest") - manifest="$workdir/manifest.yaml" - json=$(rpm-ostree compose tree --print-only "$manifest") - version=$(jq -r '.["automatic-version-prefix"]' <<< "$json") - rhel_version=$(cut -f2 -d. 
<<< "$version") - info "Got RHEL version $rhel_version from rhel manifest for scos" - else - rhel_version=$(source /usr/lib/os-release; echo ${VERSION_ID//./}) - info "Got RHEL version $rhel_version from /usr/lib/os-release" - fi -else - [ -n "$cosa_workdir" ] - # --cosa-workdir path - - # the OCP version always comes from packages-openshift.yaml - ocp_version=$(rpm-ostree compose tree --print-only "$cosa_workdir/src/config/packages-openshift.yaml" | jq -r '.metadata.ocp_version') - ocp_version=${ocp_version//./-} - info "Got OpenShift version $ocp_version from packages-openshift.yaml" - - # the RHEL version comes from the target manifest - - # first, make sure we're looking at the right manifest - manifest="$cosa_workdir/src/config/manifest.yaml" - if [ -f "$cosa_workdir/src/config.json" ]; then - variant="$(jq --raw-output '."coreos-assembler.config-variant"' 'src/config.json')" - manifest="$cosa_workdir/src/config/manifest-${variant}.yaml" - fi - - # flatten manifest and query a couple of fields - json=$(rpm-ostree compose tree --print-only "$manifest") - osname=$(jq -r '.metadata.name' <<< "$json") - is_ocp_variant=$(jq '.packages | contains(["cri-o"])' <<< "$json") - - if [ "$osname" = scos ] && [ "$is_ocp_variant" = false ]; then - # this is the pure SCOS case; we don't need any additional repos at all - info "Building pure SCOS variant. Exiting..." - exit 0 - elif [ "$osname" = scos ]; then - # We still need the OCP repos for now unfortunately because not - # everything is in the Stream repo. For the RHEL version, just use the - # default variant's one. - json=$(rpm-ostree compose tree --print-only "$cosa_workdir/src/config/manifest.yaml") - fi - version=$(jq -r '.["automatic-version-prefix"]' <<< "$json") - if [ "$is_ocp_variant" = true ]; then - # RHEL version is second field - info "Building OCP variant" - rhel_version=$(cut -f2 -d. 
<<< "$version") - else - # RHEL version is first and second field - info "Building pure variant" - rhel_version=$(cut -f1-2 -d. <<< "$version") - rhel_version=${rhel_version//./} - fi - info "Got RHEL version $rhel_version from automatic-version-prefix value $version" - - if [ -z "$output_dir" ]; then - output_dir="$cosa_workdir/src/config" - fi -fi - -mkdir -p "$output_dir" -repo_path="$output_dir/ocp.repo" - -set -x -curl --fail -L "http://base-${ocp_version}-rhel${rhel_version}.ocp.svc.cluster.local" -o "$repo_path" -set +x - -if [ "${rhel_version}" = 96 ]; then - # XXX: also currently also add 9.4 repos for crun-wasm when building extensions +urls=( + # theoretically that's the only one we need + "http://base-4-19-rhel96.ocp.svc.cluster.local" + # XXX: but also currently add 9.4 repos for crun-wasm when building extensions # https://github.com/openshift/os/issues/1680 # https://github.com/openshift/os/pull/1682 # https://issues.redhat.com/browse/COS-3075 - curl --fail -L http://base-4-19-rhel94.ocp.svc.cluster.local >> "$repo_path" -fi + "http://base-4-19-rhel94.ocp.svc.cluster.local" +) -# If we're building the SCOS OKD variant, then strip away all the RHEL repos and just keep the plashet. -# Temporary workaround until we have all packages for SCOS in CentOS Stream. -if [ "$osname" = scos ]; then - info "Neutering RHEL repos for SCOS" - awk '/server-ose/,/^$/' "$repo_path" > "$repo_path.tmp" - # only pull in certain Openshift packages as the rest come from the c9s repo - sed -i '/^baseurl = /a includepkgs=openshift-* ose-aws-ecr-* ose-azure-acr-* ose-gcp-gcr-*' "$repo_path.tmp" - # add the contents of the CentOS Stream repo - workdir="$cosa_workdir/src/config" - if [ -n "$ocp_manifest" ]; then - workdir=$(dirname "$ocp_manifest") - fi - # pull in the mirror repo as well in case there are newer versions in the composes - # and we require older versions - this happens because we build the node images async - # and the composes move fast. 
- cat "$workdir/c9s.repo" >> "$repo_path.tmp" - cat "$workdir/c9s-mirror.repo" >> "$repo_path.tmp" - mv "$repo_path.tmp" "$repo_path" - create_gpg_keys -fi +dest=$1; shift -cat "$repo_path" +rm -f "$dest" +for url in "${urls[@]}"; do + curl --fail -L "$url" >> "$dest" +done diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index 5ed7c2148..d49a60e03 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh @@ -60,7 +60,7 @@ cosa_init() { # Initialize the .repo files prepare_repos() { - src/config/ci/get-ocp-repo.sh --cosa-workdir . + src/config/ci/get-ocp-repo.sh src/config/ocp.repo } # Do a cosa build & cosa build-extensions only. diff --git a/extensions-ocp-rhel-9.6.yaml b/extensions-ocp-rhel-9.6.yaml index ca9194464..b500796db 100644 --- a/extensions-ocp-rhel-9.6.yaml +++ b/extensions-ocp-rhel-9.6.yaml @@ -13,7 +13,6 @@ extensions: # XXX: temporarily add rhel-9.4-appstream for crun-wasm # https://github.com/openshift/os/issues/1680 # https://issues.redhat.com/browse/COS-3075 - # NOTE: when reverting this, also revert the associated hack in get-ocp-repo.sh - rhel-9.4-appstream packages: - crun-wasm diff --git a/extensions/Dockerfile b/extensions/Dockerfile index b79bd32de..00dc9dd1a 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile 
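Review bot: The rewritten fetch loop at the end of get-ocp-repo.sh does `rm -f "$dest"` and then appends each `curl` result straight into `"$dest"`, so under `set -e` a failure on the second URL exits leaving a partial ocp.repo that both callers changed in this patch (Containerfile and prow-entrypoint.sh) then treat as complete. Build the file in a temp location next to the destination and move it into place only after every fetch succeeds, as below. The script now takes one positional argument but its header comment still only says what it fetches; add a usage line such as `# Usage: get-ocp-repo.sh DEST   (DEST is the ocp.repo path to write; any existing file is replaced)`. The `shift` after `dest=$1` is unused and can go, and the 4-19/rhel96/rhel94 values that used to be derived from the manifests are now literals in `urls`, so a comment there noting they must be bumped by hand on a version change would save a surprise.
```shell
dest=$1

# write into a temp file so a failed fetch never leaves a partial $dest behind
tmp=$(mktemp "${dest}.XXXXXX")
trap 'rm -f "$tmp"' EXIT
for url in "${urls[@]}"; do
    curl --fail -L "$url" >> "$tmp"
done
mv "$tmp" "$dest"
```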
@@ -7,10 +7,14 @@ RUN mkdir /os WORKDIR /os ADD . . ARG OPENSHIFT_CI=0 -RUN if [ "${OPENSHIFT_CI}" != 0 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo < Date: Wed, 2 Apr 2025 15:07:01 -0400 Subject: [PATCH 09/11] okd: add filtered repo for 4.19 plashet We only want certain packages to come from the 4.19 plashet. And we can't just rely on NVRs because the plashet may sometimes win. Long-term we should sever that dependence on ART packages, but for now, let's add a hack to essentially generate a repo on the fly from the 4.19 repo with the filters we need. The advantage of doing it this way instead of e.g. in the `get-ocp-repo.sh` script is that this applies both in CI and locally. --- Containerfile | 13 ++++++++++++- packages-openshift.yaml | 3 ++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/Containerfile b/Containerfile index 9fc9adedc..9a1f6c5cd 100644 --- a/Containerfile +++ b/Containerfile 
@@ -43,11 +43,22 @@ RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/et /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo fi + source /etc/os-release + + # XXX: For SCOS, only allow certain packages to come from ART; everything else + # should come from CentOS. We should eventually sever this. + if [ $ID = centos ]; then + # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on." + awk "/\[.*\]/{p=0} /\[rhel-9.6-server-ose-4.19\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp + sed -i -e 's,rhel-9.6-server-ose-4.19,rhel-9.6-server-ose-4.19-okd,' /etc/yum.repos.d/okd.repo.tmp + echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*' >> /etc/yum.repos.d/okd.repo.tmp + mv /etc/yum.repos.d/okd.repo{.tmp,} + fi + # XXX: patch cri-o spec to use tmpfiles # https://github.com/CentOS/centos-bootc/issues/393 mkdir -p /var/opt - source /etc/os-release # this is where all the real work happens rpm-ostree experimental compose treefile-apply \ --var id=$ID /run/src/packages-openshift.yaml diff --git a/packages-openshift.yaml b/packages-openshift.yaml index a7b614e13..3e8c956b5 100644 --- a/packages-openshift.yaml +++ b/packages-openshift.yaml @@ -20,7 +20,8 @@ conditional-include: - c9s-appstream - c9s-sig-nfv - c9s-sig-cloud-okd - - rhel-9.6-server-ose-4.19 + # XXX: this shouldn't be here; see related XXX in Containerfile + - rhel-9.6-server-ose-4.19-okd packages: # The packages below are required by OpenShift/OKD From c04f31172f9a1c6708855edf7e260e30eaa1e5ce Mon Sep 17 00:00:00 2001 
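Review bot: The generated /etc/yum.repos.d/okd.repo is never removed: the cleanup added in patch 08 only does `rm /etc/yum.repos.d/ocp.repo`, and only when OPENSHIFT_CI is set, so the `[rhel-9.6-server-ose-4.19]` section that the `awk` copies out of every `*.repo` in /etc/yum.repos.d (which includes the mounted `secret.repo` and, in CI, the fetched ocp.repo) is still in /etc when `ostree container commit` runs and, as far as I can see from this hunk, ships in the node image with whatever baseurl it carried. Remove it unconditionally in the cleanup block, `rm -f /etc/yum.repos.d/okd.repo`, and say in the XXX comment that the file is build-time only; the same block is moved verbatim into build-node-image.sh in patch 10, so apply it there too. If no input file contains that section, the filter produces a header-less file holding only the `includepkgs=` line; a `test -s /etc/yum.repos.d/okd.repo.tmp` before the `sed` would turn that into an explicit failure. The enclosing RUN heredoc starts and ends outside this hunk.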
From: Jonathan Lebon Date: Thu, 3 Apr 2025 12:34:37 -0400 Subject: [PATCH 10/11] Containerfiles: move logic to separate shell script The OCP builder API path isn't parsing the heredoc correctly for some reason: error: build error: EOF: unterminated heredoc This will be fixed by https://github.com/openshift/builder/pull/469. Anyway, just work around this for now by moving all the logic to scripts. It does make the Containerfiles cleaner at least now that it has gotten so larger and we get syntax highlighting, ShellCheck, etc... so probably for the best. --- Containerfile | 43 +------------------------------------------ build-node-image.sh | 43 +++++++++++++++++++++++++++++++++++++++++++ extensions/Dockerfile | 23 +---------------------- extensions/build.sh | 22 ++++++++++++++++++++++ 4 files changed, 67 insertions(+), 64 deletions(-) create mode 100755 build-node-image.sh create mode 100755 extensions/build.sh diff --git a/Containerfile b/Containerfile index 9a1f6c5cd..924c5c492 100644 --- a/Containerfile +++ b/Containerfile 
@@ -29,48 +29,7 @@ FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build
 ARG OPENSHIFT_CI=0
-RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo < /etc/yum.repos.d/okd.repo.tmp
- sed -i -e 's,rhel-9.6-server-ose-4.19,rhel-9.6-server-ose-4.19-okd,' /etc/yum.repos.d/okd.repo.tmp
- echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*' >> /etc/yum.repos.d/okd.repo.tmp
- mv /etc/yum.repos.d/okd.repo{.tmp,}
- fi
-
- # XXX: patch cri-o spec to use tmpfiles
- # https://github.com/CentOS/centos-bootc/issues/393
- mkdir -p /var/opt
-
- # this is where all the real work happens
- rpm-ostree experimental compose treefile-apply \
- --var id=$ID /run/src/packages-openshift.yaml
-
- # cleanup the repo file we injected
- if [ "${OPENSHIFT_CI}" != 0 ]; then
- rm /etc/yum.repos.d/ocp.repo
- fi
-
- find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
- ostree container commit
-EOF
+RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh
 FROM build as metadata
 RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-metadata
diff --git a/build-node-image.sh b/build-node-image.sh
new file mode 100755
index 000000000..81c2f5788
--- /dev/null
+++ b/build-node-image.sh
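Review bot: The new `RUN` line executes `/run/src/build-node-image.sh` straight off the bind mount, so the build now depends on the executable bit surviving the checkout (the diffstat records `create mode 100755`, but a `core.fileMode=false` clone or an archive export drops it); `bash /run/src/build-node-image.sh` would not have that dependency. The script also relies on `OPENSHIFT_CI` arriving from the `ARG OPENSHIFT_CI=0` above and on both mounts sitting at fixed paths, which is worth a comment here since the contract now crosses a file boundary, e.g. `# build-node-image.sh expects the checkout at /run/src and the yumrepos secret at /etc/yum.repos.d/secret.repo`. The `FROM … as build` stage begins before this hunk.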
@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script builds the OpenShift node image. It's called from `Containerfile`. set -xeuo pipefail
+
+# Avoid shipping modified .pyc files. Due to
+# https://github.com/ostreedev/ostree/issues/1469, any Python apps that
+# run (e.g. dnf) will cause pyc creation. We do this by backing them up and
+# restoring them at the end.
+find /usr -name '*.pyc' -exec mv {} {}.bak \;
+
+# fetch repos from in-cluster mirrors if we're running in OpenShift CI
+if [ "${OPENSHIFT_CI}" != 0 ]; then
+ /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
+fi
+
+source /etc/os-release
+
+# XXX: For SCOS, only allow certain packages to come from ART; everything else
+# should come from CentOS. We should eventually sever this.
+if [ $ID = centos ]; then
+ # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on."
+ awk "/\[.*\]/{p=0} /\[rhel-9.6-server-ose-4.19\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp
+ sed -i -e 's,rhel-9.6-server-ose-4.19,rhel-9.6-server-ose-4.19-okd,' /etc/yum.repos.d/okd.repo.tmp
+ echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*' >> /etc/yum.repos.d/okd.repo.tmp
+ mv /etc/yum.repos.d/okd.repo{.tmp,}
+fi
+
+# XXX: patch cri-o spec to use tmpfiles
+# https://github.com/CentOS/centos-bootc/issues/393
+mkdir -p /var/opt
+
+# this is where all the real work happens
+rpm-ostree experimental compose treefile-apply \
+ --var id=$ID /run/src/packages-openshift.yaml
+
+# cleanup the repo file we injected
+if [ "${OPENSHIFT_CI}" != 0 ]; then
+ rm /etc/yum.repos.d/ocp.repo
+fi
+
+find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
+ostree container commit
diff --git a/extensions/Dockerfile b/extensions/Dockerfile
index 00dc9dd1a..a6dd91655 100644
--- a/extensions/Dockerfile
+++ b/extensions/Dockerfile
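Review bot: The script enables strict mode twice, `set -euo pipefail` on its second line and `set -xeuo pipefail` after the header comment (in this rendering the second one is fused onto the comment line, which looks like an extraction artifact rather than the committed layout), so one should go — a single `set -xeuo pipefail` at the top keeps the tracing the old heredoc had. Now that this is a standalone script, `"${OPENSHIFT_CI}"` aborts under `set -u` whenever it is run outside the Containerfile; `"${OPENSHIFT_CI:-0}"` in both tests matches the `ARG OPENSHIFT_CI=0` default. The header comment should also spell out what the Containerfile used to carry implicitly: the checkout is expected at `/run/src`, the ART repo definition at `/etc/yum.repos.d/secret.repo`, and the `okd.repo` rewrite happens only when `/etc/os-release` reports `ID=centos`. The missing-section guard for the `awk` extraction was raised on the earlier Containerfile hunk and applies here unchanged.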
@@ -7,28 +7,7 @@ RUN mkdir /os
 WORKDIR /os
 ADD . .
 ARG OPENSHIFT_CI=0
-RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo < Date: Fri, 4 Apr 2025 11:34:36 -0400 Subject: [PATCH 11/11] extensions-ocp-rhel-9.6.yaml: add rhel-9.6-fast-datapath repo Before we inherited this from the ocp-rhel-9.6 manifest. But now that we're inheriting from the rhel-9.6 manifest, that repo isn't enabled by default there since it's not strictly needed (because we don't ship openvswitch in the base). So we need to enable it here ourselves.
---
 extensions-ocp-rhel-9.6.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/extensions-ocp-rhel-9.6.yaml b/extensions-ocp-rhel-9.6.yaml
index b500796db..ae762ef84 100644
--- a/extensions-ocp-rhel-9.6.yaml
+++ b/extensions-ocp-rhel-9.6.yaml
@@ -18,6 +18,8 @@ extensions:
 - crun-wasm
 # https://github.com/coreos/fedora-coreos-tracker/issues/1504
 ipsec:
+ repos:
+ - rhel-9.6-fast-datapath
 packages:
 - libreswan
 - NetworkManager-libreswan
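Review bot: The new `repos:` entry under `ipsec` is the only place this manifest enables `rhel-9.6-fast-datapath`, but the file gives no reason, so the next reader will take it for a leftover from the old `ocp-rhel-9.6` inheritance and drop it; a comment above it carrying the commit message's rationale, e.g. `# the rhel-9.6 base manifest no longer enables fast-datapath (openvswitch isn't shipped there), so enable it for this extension`, would prevent that. Nothing in the hunk shows a repo definition with this id, so it is worth confirming one exists in the repo files the extensions build reads — inferred, since those definitions are not part of this diff. The earlier `extensions/Dockerfile` hunk in this patch is cut off in this rendering and is not reviewed here.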