diff --git a/README.md b/README.md index 5584ae8c5..d0555dcdb 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,10 @@ supported: - `rhel-9.6`: RHEL 9.6-based CoreOS; without OpenShift components. - `ocp-rhel-9.6`: RHEL 9.6-based CoreOS; including OpenShift components. - `c9s`/`c10s`: CentOS Stream-based CoreOS, without OKD components. +- `rhel-10.1`: RHEL 10.1-based CoreOS; without OpenShift components. In the future, the `ocp-*` variants will be removed. Instead, OpenShift -components will be layered by deriving from the `rhel-9.X`/`c9s` images. +components will be layered by deriving from the `rhel-9.X`/`rhel-10.X`/`c9s`/`c10s` images. The default variant is `ocp-rhel-9.6`. diff --git a/build-node-image.sh b/build-node-image.sh index 658c97e33..203d27304 100755 --- a/build-node-image.sh +++ b/build-node-image.sh @@ -1,7 +1,7 @@ #!/bin/bash -set -euo pipefail +set -euxo pipefail -# This script builds the OpenShift node image. It's called from `Containerfile`. set -xeuo pipefail +# This script builds the OpenShift node image. It's called from `Containerfile`. # Avoid shipping modified .pyc files. Due to # https://github.com/ostreedev/ostree/issues/1469, any Python apps that @@ -35,7 +35,7 @@ mkdir -p /var/opt # this is where all the real work happens rpm-ostree experimental compose treefile-apply \ - --var id=$ID /run/src/packages-openshift.yaml + --var "osversion=${ID}-${VERSION_ID}" /run/src/packages-openshift.yaml # cleanup any repo files we injected rm -f /etc/yum.repos.d/{ocp,git,okd}.repo diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index 65e07b0a7..b06fd2aa1 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh 
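Review bot: The new side of the first build-node-image.sh hunk carries two strict-mode lines, the changed `set -euxo pipefail` directly under the shebang and the unchanged `set -xeuo pipefail` a few lines below it, so one of them is redundant. The script's header comment now also sits beneath the second one instead of at the top. I would keep a single `set -euxo pipefail` after the header comment. Because `-x` traces every expanded command into the build log, a short comment such as `# -x: trace for build logs; do not expand credentials in this script` would help. Only the top of the script is visible in this hunk.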
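Review bot: `--var "osversion=${ID}-${VERSION_ID}"` assumes `VERSION_ID` holds the RHEL version, but the comment this commit adds to extensions/build.sh says that on the `4.19-9.6` stream `VERSION_ID` is the OpenShift version and `RHEL_VERSION` holds the RHEL one. On such a base the value would not match any `osversion` branch in packages-openshift.yaml and would land on the `ENOEXIST` guard. If this script can run there, the same fallback applies: `--var "osversion=${ID}-${RHEL_VERSION:-$VERSION_ID}"`. Where `ID` and `VERSION_ID` are sourced is outside the hunk, so this needs confirming against the base images actually used.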
@@ -294,10 +294,16 @@ main() { kola_test_metal ;; "rhcos-10-build-test-qemu") - exit 0 + setup_user + cosa_init "rhel-10.1" + cosa_build + kola_test_qemu --tag '!openshift' ;; "rhcos-10-build-test-metal") - exit 0 + setup_user + cosa_init "rhel-10.1" + cosa_build + kola_test_metal ;; *) # This case ensures that we exhaustively list the tests that should diff --git a/common.yaml b/common.yaml index 641723cb9..df274ecc9 100644 --- a/common.yaml +++ b/common.yaml @@ -32,7 +32,7 @@ conditional-include: # And remove some cruft from grub2 include: fedora-coreos-config/manifests/grub2-removals.yaml # Packages specific to el9 - - if: osversion == "c9s" + - if: osversion == "centos-9" include: - fedora-coreos-config/manifests/shared-el9.yaml - manifest-el9-shared.yaml @@ -40,7 +40,7 @@ conditional-include: include: - fedora-coreos-config/manifests/shared-el9.yaml - manifest-el9-shared.yaml - - if: osversion == "c10s" + - if: osversion == "centos-10" include: - fedora-coreos-config/manifests/shared-el10.yaml - if: inherit_tier_x == true diff --git a/extensions-ocp-rhel-10.1.yaml b/extensions-ocp-rhel-10.1.yaml new file mode 100644 index 000000000..686a7f2c2 --- /dev/null +++ b/extensions-ocp-rhel-10.1.yaml 
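Review bot: The two new RHEL 10 cases select tests differently: `rhcos-10-build-test-qemu` runs `kola_test_qemu --tag '!openshift'`, while `rhcos-10-build-test-metal` calls `kola_test_metal` with no tag filter. The README hunk describes `rhel-10.1` as built without OpenShift components, so if `kola_test_metal` does not already exclude openshift-tagged tests, the metal job would run tests that cannot pass on this variant. `kola_test_metal` is defined outside the hunk. Either pass the same filter or add a comment such as `# kola_test_metal already skips openshift-tagged tests` if that is the case.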
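Review bot: After the rename the `centos-10` branch includes `fedora-coreos-config/manifests/shared-el10.yaml`, but neither common.yaml hunk shows a branch matching `osversion == "rhel-10.1"`, the value set by the new manifest-rhel-10.1.yaml, which includes this file. Unless a matching condition exists outside the hunks, RHEL 10.1 builds would silently skip the el10 shared manifest instead of failing. A sibling entry would close the gap: `- if: osversion == "rhel-10.1"` followed by `include:` and `- fedora-coreos-config/manifests/shared-el10.yaml`.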
@@ -0,0 +1,117 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+# RULE: If repos support all architectures then put them in the global repos list
+# at the top of this file (directly below this comment). If we don't we can have
+# consistency issues across arches. See e.g. https://issues.redhat.com/browse/OCPBUGS-52293.
+
+repos:
+ # Generically used for various extensions.
+ # Repo placed here to respect the rule above.
+ - rhel-10.1-appstream
+ # For crun-wasm (wasm) and kata-containers (sandboxed-containers).
+ # Repo placed here to respect the rule above.
+ # XXX Move to 10.1 plashets when available
+ - rhel-9.6-server-ose-4.19
+ # XXX: temporarily add rhel-9.4-appstream for crun-wasm since llvm
+ # libraries can't be found in rhel-9.6-appstream.
+ # https://github.com/openshift/os/issues/1680
+ # https://issues.redhat.com/browse/COS-3075
+ # Repo placed here to respect the rule above.
+ - rhel-9.4-appstream
+ # For two-node-ha extension.
+ # Repo placed here to respect the rule above.
+ - rhel-10.1-highavailability
+ # For ipsec extension include the fast-datapath repo.
+ # Repo placed here to respect the rule above.
+ # XXX uncomment when this repo exists for RHEL10
+ # - rhel-10.1-fast-datapath
+
+extensions:
+ # https://issues.redhat.com/browse/RFE-4177
+ wasm:
+ architectures:
+ - x86_64
+ - aarch64
+ packages:
+ - crun-wasm
+ # Uncomment once fast-datapath repo exists for RHEL 10
+ ## https://github.com/coreos/fedora-coreos-tracker/issues/1504
+ #ipsec:
+ # packages:
+ # - libreswan
+ # - NetworkManager-libreswan
+ # - openvswitch3.5-ipsec
+ # https://github.com/coreos/fedora-coreos-tracker/issues/326
+ usbguard:
+ packages:
+ - usbguard
+ kerberos:
+ packages:
+ - krb5-workstation
+ - libkadm5
+ # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+ # These are currently overlaid onto the host so that they can be bind-mounted
+ # into build containers... in the future they should be a `development`
+ # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+ kernel-devel:
+ packages:
+ - kernel-devel
+ - kernel-headers
+ match-base-evr: kernel
+ # These are already in the base, so they're not OS extensions, but they're
+ # useful to have in RPM form to install in kmod build containers.
+ kernel: + kind: development + packages: + - kernel + - kernel-core + - kernel-modules + - kernel-modules-extra + match-base-evr: kernel + # GRPA-2822 + # https://github.com/openshift/machine-config-operator/pull/1330 + # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md + kernel-rt: + architectures: + - x86_64 + repos: + # this is not available on all arches, so keep here and not in the global repo list + - rhel-10.1-nfv + packages: + - kernel-rt-core + - kernel-rt-kvm + - kernel-rt-modules + - kernel-rt-modules-extra + - kernel-rt-devel + match-base-evr: kernel + # https://github.com/openshift/machine-config-operator/pull/2456 + # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md + # GRPA-3123 + sandboxed-containers: + architectures: + - x86_64 + - s390x + packages: + - kata-containers + # https://issues.redhat.com/browse/COS-2402 + kernel-64k: + architectures: + - aarch64 + packages: + - kernel-64k-core + - kernel-64k-modules + - kernel-64k-modules-core + - kernel-64k-modules-extra + # https://issues.redhat.com/browse/COS-2940 + sysstat: + packages: + - sysstat + # https://issues.redhat.com/browse/OCPEDGE-1493 + two-node-ha: + packages: + - pacemaker + - pcs + - fence-agents-all diff --git a/extensions-ocp-rhel-9.6.yaml b/extensions-ocp-rhel-9.6.yaml index 270f551bd..d9c8e353b 100644 --- a/extensions-ocp-rhel-9.6.yaml +++ b/extensions-ocp-rhel-9.6.yaml @@ -22,6 +22,9 @@ repos: # For two-node-ha extension. # Repo placed here to respect the rule above. - rhel-9.6-highavailability + # For ipsec extension include the fast-datapath repo. + # Repo placed here to respect the rule above. + - rhel-9.6-fast-datapath extensions: # https://issues.redhat.com/browse/RFE-4177 
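Review bot: The global `repos:` list of this RHEL 10.1 extensions file includes two RHEL 9 repos, `rhel-9.6-server-ose-4.19` and `rhel-9.4-appstream`. Because they are global, every extension in the file can have dependencies resolved from them, not only `wasm` and `sandboxed-containers`. The same cross-major mixing appears in the `rhel-10.1` branch of packages-openshift.yaml (`rhel-9.6-fast-datapath`, `rhel-9.6-server-ose-4.19`, `rhel-9.6-appstream-containernetworking`). The comment above `rhel-9.4-appstream` was carried over unchanged and still justifies the repo in terms of `rhel-9.6-appstream`, which this file does not list. I would reword it to `# XXX: el9 repo on an el10 compose, only for crun-wasm llvm deps; drop once 10.1 plashets exist` and link a tracking issue for removing the el9 repos from both files.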
@@ -33,8 +36,6 @@ extensions: - crun-wasm # https://github.com/coreos/fedora-coreos-tracker/issues/1504 ipsec: - repos: - - rhel-9.6-fast-datapath packages: - libreswan - NetworkManager-libreswan diff --git a/extensions/build.sh b/extensions/build.sh index 7d0090752..abae47c8c 100755 --- a/extensions/build.sh +++ b/extensions/build.sh @@ -9,11 +9,17 @@ fi . /etc/os-release # XXX: we can drop the rhcos check once we've dropped the `ocp-rhel-9.6` variant if [ $ID = rhel ] || [ $ID = rhcos ]; then - MANIFEST="manifest-rhel-9.6.yaml" - EXTENSIONS="extensions-ocp-rhel-9.6.yaml" + # For now, while we are still building the `4.19-9.6` stream the + # $VERSION_ID for those will be the openshift version while + # $RHEL_VERSION will be the RHEL version. Let's detect that situation + # here and use RHEL_VERSION if it exists. We should be able to drop + # this soon. + manifest_version="${RHEL_VERSION:-$VERSION_ID}" + MANIFEST="manifest-rhel-${manifest_version}.yaml" + EXTENSIONS="extensions-ocp-rhel-${manifest_version}.yaml" else - MANIFEST="manifest-c9s.yaml" - EXTENSIONS="extensions-okd-c9s.yaml" + MANIFEST="manifest-c${VERSION_ID}s.yaml" + EXTENSIONS="extensions-okd-c${VERSION_ID}s.yaml" fi rpm-ostree compose extensions --rootfs=/ \ diff --git a/image-c10s.yaml b/image-c10s.yaml index 14763a255..3264a1470 120000 --- a/image-c10s.yaml +++ b/image-c10s.yaml @@ -1 +1 @@ -image-rhel-9.6.yaml \ No newline at end of file +image-rhel-10.1.yaml \ No newline at end of file diff --git a/image-rhel-10.1.yaml b/image-rhel-10.1.yaml new file mode 100644 index 000000000..14967df81 --- /dev/null +++ b/image-rhel-10.1.yaml 
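Review bot: In extensions/build.sh, `MANIFEST` and `EXTENSIONS` are now built from `RHEL_VERSION`/`VERSION_ID` read from /etc/os-release, so an unexpected version string yields a file name that does not exist, and the failure only surfaces later inside `rpm-ostree compose extensions`. A check right after the `fi` would fail early with a clear message: `[ -f "$MANIFEST" ] && [ -f "$EXTENSIONS" ] || { echo "no manifest/extensions for ${ID} ${VERSION_ID}" >&2; exit 1; }`. The path would need adjusting to however the files are referenced below the hunk. The unchanged test `[ $ID = rhel ]` leaves `$ID` unquoted, which is worth fixing in the same change. The else branch treats every other `ID` as CentOS Stream, so a comment saying so would help the next reader.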
@@ -0,0 +1,34 @@
+# See https://github.com/coreos/coreos-assembler/pull/298
+size: 16
+
+# We default to a container image
+deploy-via-container: true
+
+# Disable networking by default on firstboot. We can drop this once cosa stops
+# defaulting to `ip=dhcp,dhcp6 rd.neednet=1` when it doesn't see this key.
+ignition-network-kcmdline: []
+
+# add the requisite OCP metadata to our container image
+# but xref https://github.com/openshift/os/issues/1047
+ostree-container-inject-openshift-cvo-labels: true
+
+# vmware-secure-boot changes the EFI secure boot option.
+# set false here due to https://bugzilla.redhat.com/show_bug.cgi?id=2106055
+vmware-secure-boot: false
+
+# rhel9_64Guest requires hardware version 18 and vSphere 7.0U3
+# https://kb.vmware.com/s/article/88157
+vmware-os-type: rhel8_64Guest
+# VMware hardware versions: https://kb.vmware.com/s/article/1003746
+# Supported VMware versions: https://lifecycle.vmware.com/
+vmware-hw-version: 15
+
+# see https://github.com/coreos/coreos-assembler/pull/3607
+# Defaults for AWS
+aws-imdsv2-only: false
+aws-volume-type: "gp2"
+aws-x86-boot-mode: "legacy-bios"
+
+# Enable 'erofs' by default for the rootfs in the Live ISO/PXE artifacts
+live-rootfs-fstype: "erofs"
+live-rootfs-fsoptions: "-zlzma,level=6 -Eall-fragments,fragdedupe=inode -C1048576 --quiet"
diff --git a/kola-denylist.yaml b/kola-denylist.yaml
index 3a9b9f7aa..9457e139f 100644
--- a/kola-denylist.yaml
+++ b/kola-denylist.yaml
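Review bot: In image-rhel-10.1.yaml, `aws-imdsv2-only: false` appears to leave IMDSv1 enabled on AMIs built from this new variant. IMDSv1 answers plain unauthenticated requests, which is what lets an SSRF flaw in a workload reach instance credentials. As `rhel-10.1` is a new image with no existing deployments to stay compatible with, consider `aws-imdsv2-only: true`, or add a comment stating why v1 has to stay available. The VMware block was also copied as-is: the comment discusses `rhel9_64Guest` while the value is `vmware-os-type: rhel8_64Guest`, and `vmware-secure-boot: false` cites a bug without saying whether it still applies to RHEL 10. A line such as `# carried over from rhel-9.6; revisit for RHEL 10` above each would make the status explicit.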
@@ -6,20 +6,20 @@ - pattern: basic.uefi-secure tracker: https://github.com/openshift/os/issues/1237 osversion: - - c9s - - c10s + - centos-9 + - centos-10 - pattern: iso-live-login.uefi-secure tracker: https://github.com/openshift/os/issues/1237 osversion: - - c9s - - c10s + - centos-9 + - centos-10 - pattern: iso-as-disk.uefi-secure tracker: https://github.com/openshift/os/issues/1237 osversion: - - c9s - - c10s + - centos-9 + - centos-10 # The 4.17 and 4.18 build of Ignition encounters a FIPS panic so # we are using the 4.16 build for now while that is under investigation. 
@@ -44,45 +44,68 @@ - pattern: ostree.sync tracker: https://github.com/openshift/os/issues/1751 osversion: - - c10s + - centos-10 + - rhel-10.1 # Will fail until we have proper RHEL 10 builds of OCP packages - pattern: ext.config.version.rhel-major-version tracker: TODO osversion: - - c10s + - centos-10 + - rhel-10.1 - pattern: multipath.day1 tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894 osversion: - - c10s + - centos-10 + - rhel-10.1 - pattern: multipath.day2 tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894 osversion: - - c10s + - centos-10 + - rhel-10.1 - pattern: multipath.partition tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894 osversion: - - c10s + - centos-10 + - rhel-10.1 - pattern: iso-offline-install*mpath.bios tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894 osversion: - - c10s + - centos-10 + - rhel-10.1 - pattern: ext.config.shared.root-reprovision.luks.multipath tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894 osversion: - - c10s + - centos-10 + - rhel-10.1 +# Waiting for submodule bump - pattern: ext.config.shared.networking.nm-ifcfg-rh-plugin tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581 osversion: - - c10s + - centos-10 + - rhel-10.1 +# Waiting for submodule bump - pattern: ext.config.shared.networking.team-dhcp-via-ignition tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581 osversion: - - c10s + - centos-10 + - rhel-10.1 + +# Waiting for submodule bump +# https://github.com/coreos/fedora-coreos-config/pull/3439 +- pattern: ext.config.shared.networking.default-network-behavior-change + tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581 + osversion: + - rhel-10.1 + +- pattern: ext.config.shared.content-origins + tracker: https://issues.redhat.com/browse/RHEL-86436 + osversion: + - rhel-10.1 
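Review bot: The three entries marked `# Waiting for submodule bump` are temporary by their own description but have no expiry, so the tests stay disabled on `rhel-10.1` after the bump lands unless someone remembers to delete them. The kola denylist format accepts a `snooze:` date for this; adding `snooze: <YYYY-MM-DD placeholder>` to each would let the skip lapse on its own. The new `default-network-behavior-change` entry cites fedora-coreos-config pull 3439 in its comment but sets `tracker:` to the openshift/os PR comment used by the two entries above it. Using the pull request URL as the tracker would point readers at the actual blocker.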
diff --git a/manifest-c10s.yaml b/manifest-c10s.yaml index fedc5321b..b668877ae 100644 --- a/manifest-c10s.yaml +++ b/manifest-c10s.yaml @@ -7,7 +7,7 @@ metadata: variables: id: "centos" - osversion: "c10s" + osversion: "centos-10" inherit_tier_x: true # Include manifests common to all RHEL and CentOS Stream versions diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml index 6cd434e68..ea34983e8 100644 --- a/manifest-c9s.yaml +++ b/manifest-c9s.yaml @@ -7,7 +7,7 @@ metadata: variables: id: "centos" - osversion: "c9s" + osversion: "centos-9" inherit_tier_x: true # Include manifests common to all RHEL and CentOS Stream versions diff --git a/manifest-rhel-10.1.yaml b/manifest-rhel-10.1.yaml new file mode 100644 index 000000000..a1d8b1723 --- /dev/null +++ b/manifest-rhel-10.1.yaml 
@@ -0,0 +1,43 @@
+# Manifest for RHCOS based on RHEL 10.1
+
+metadata:
+ license: MIT
+ name: rhcos
+ summary: RHEL CoreOS 10.1
+
+variables:
+ id: "rhel"
+ osversion: "rhel-10.1"
+ inherit_tier_x: true
+
+# Include manifests common to all RHEL and CentOS Stream versions
+include:
+ - common.yaml
+ - overrides-rhel-10.1.yaml
+
+# XXX get rhel 10.1 repos in prow
+repos:
+ - rhel-10.1-baseos
+ - rhel-10.1-appstream
+ # Early kernel repo not available for now
+ # - rhel-10.1-early-kernel
+
+automatic-version-prefix: "10.1."
+# This ensures we're semver-compatible which OpenShift wants
+automatic-version-suffix: "-"
+
+mutate-os-release: "10.1"
+
+# Packages that are only in RHCOS and not in SCOS or that have special
+# constraints that do not apply to SCOS
+packages:
+ # We include the generic release package and tweak the os-release info in a
+ # post-process script
+ - redhat-release
+ # XXX: This should be in packages-openshift.yaml only. For now,
+ # it's in the base until the equivalent functionality lands in RHEL:
+ # https://issues.redhat.com/browse/RHEL-82921
+ # XXX: commented out in RHEL10.1 because the rhel-10.1-early-kernel
+ # repo doesn't exist yet. In 9.6 this is provided by the rhel-9.6-early-kernel
+ # yum repo.
+ # - ose-aws-ecr-image-credential-provider
diff --git a/overrides-rhel-10.1.yaml b/overrides-rhel-10.1.yaml
new file mode 100644
index 000000000..b42da0aa9
--- /dev/null
+++ b/overrides-rhel-10.1.yaml
@@ -0,0 +1,5 @@
+# This is a poor man's version of an override lockfile for rhel-10.1. When needed
+# we gather any overrides NEVRs here to keep them in one place. When not needed,
+# empty or comment out this file (except this comment).
+
+#packages:
diff --git a/packages-openshift.yaml b/packages-openshift.yaml
index 3e8c956b5..81ff5a5fb 100644
--- a/packages-openshift.yaml
+++ b/packages-openshift.yaml
@@ -5,7 +5,14 @@ metadata: ocp_version: "4.19" conditional-include: - - if: id == "rhel" + - if: + - osversion != "rhel-9.6" + - osversion != "rhel-10.1" + - osversion != "centos-9" + - osversion != "centos-10" + include: + repos: [ENOEXIST] # We want an error in this case + - if: osversion == "rhel-9.6" include: repos: - rhel-9.6-baseos @@ -13,14 +20,37 @@ conditional-include: - rhel-9.6-early-kernel - rhel-9.6-fast-datapath - rhel-9.6-server-ose-4.19 - - if: id == "centos" + - if: osversion == "rhel-10.1" + include: + repos: + - rhel-10.1-baseos + - rhel-10.1-appstream + #- rhel-10.1-early-kernel + # XXX Not built for rhel 10 yet + #- rhel-10.1-fast-datapath + #- rhel-10.1-server-ose-4.19 + - rhel-9.6-fast-datapath + - rhel-9.6-server-ose-4.19 + - rhel-9.6-appstream-containernetworking + - if: osversion == "centos-9" include: repos: - c9s-baseos - c9s-appstream - c9s-sig-nfv - c9s-sig-cloud-okd - # XXX: this shouldn't be here; see related XXX in Containerfile + # XXX: this shouldn't be here; see related XXX in build-node-image.sh + - rhel-9.6-server-ose-4.19-okd + - if: osversion == "centos-10" + include: + repos: + - c10s-baseos + - c10s-appstream + - c10s-sig-nfv + - c10s-sig-cloud-okd + # XXX: this shouldn't be here; see related XXX in build-node-image.sh + # XXX: using 9.6 repo for now until 10.1 plashets exist + # - rhel-10.1-server-ose-4.19-okd - rhel-9.6-server-ose-4.19-okd packages:
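Review bot: The fail-closed guard at the top of `conditional-include` works by naming a repo that does not exist, so an unknown `osversion` surfaces as a missing-repo error for `ENOEXIST` rather than a message about the variable. The inline comment `# We want an error in this case` does not tell whoever hits that error what to do. The list of `!=` conditions must also be kept in step with the branches that follow, and nothing in the file says so. I would replace the inline comment with one above the entry: `# Unknown osversion: fail the compose. New variants must be added both to this list and as a branch below.`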