NO-JIRA: Initial rhel 10 variant

README.md

@@ -16,9 +16,10 @@ supported:
 - `rhel-9.6`: RHEL 9.6-based CoreOS; without OpenShift components.
 - `ocp-rhel-9.6`: RHEL 9.6-based CoreOS; including OpenShift components.
 - `c9s`/`c10s`: CentOS Stream-based CoreOS, without OKD components.
+- `rhel-10.1`: RHEL 10.1-based CoreOS; without OpenShift components.
 
 In the future, the `ocp-*` variants will be removed. Instead, OpenShift
-components will be layered by deriving from the `rhel-9.X`/`c9s` images.
+components will be layered by deriving from the `rhel-9.X`/`rhel-10.X`/`c9s`/`c10s` images.
 
 The default variant is `ocp-rhel-9.6`.
 

build-node-image.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-set -euo pipefail
+set -euxo pipefail
 
-# This script builds the OpenShift node image. It's called from `Containerfile`.    set -xeuo pipefail
+# This script builds the OpenShift node image. It's called from `Containerfile`.
 
 # Avoid shipping modified .pyc files. Due to
 # https://github.com/ostreedev/ostree/issues/1469, any Python apps that
@@ -35,7 +35,7 @@ mkdir -p /var/opt
 
 # this is where all the real work happens
 rpm-ostree experimental compose treefile-apply \
-    --var id=$ID /run/src/packages-openshift.yaml
+    --var "osversion=${ID}-${VERSION_ID}" /run/src/packages-openshift.yaml
 
 # cleanup any repo files we injected
 rm -f /etc/yum.repos.d/{ocp,git,okd}.repo

ci/prow-entrypoint.sh

@@ -294,10 +294,16 @@ main() {
             kola_test_metal
             ;;
         "rhcos-10-build-test-qemu")
-            exit 0
+            setup_user
+            cosa_init "rhel-10.1"
+            cosa_build
+            kola_test_qemu --tag '!openshift'
             ;;
         "rhcos-10-build-test-metal")
-            exit 0
+            setup_user
+            cosa_init "rhel-10.1"
+            cosa_build
+            kola_test_metal
             ;;
         *)
             # This case ensures that we exhaustively list the tests that should

common.yaml

@@ -32,15 +32,15 @@ conditional-include:
     # And remove some cruft from grub2
     include: fedora-coreos-config/manifests/grub2-removals.yaml
   # Packages specific to el9
-  - if: osversion == "c9s"
+  - if: osversion == "centos-9"
     include:
       - fedora-coreos-config/manifests/shared-el9.yaml
       - manifest-el9-shared.yaml
   - if: osversion == "rhel-9.6"
     include:
       - fedora-coreos-config/manifests/shared-el9.yaml
       - manifest-el9-shared.yaml
-  - if: osversion == "c10s"
+  - if: osversion == "centos-10"
     include:
       - fedora-coreos-config/manifests/shared-el10.yaml
   - if: inherit_tier_x == true

extensions-ocp-rhel-10.1.yaml

@@ -0,0 +1,117 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+# RULE: If repos support all architectures then put them in the global repos list
+# at the top of this file (directly below this comment). If we don't we can have
+# consistency issues across arches. See e.g. https://issues.redhat.com/browse/OCPBUGS-52293.
+
+repos:
+  # Generically used for various extensions.
+  # Repo placed here to respect the rule above.
+  - rhel-10.1-appstream
+  # For crun-wasm (wasm) and kata-containers (sandboxed-containers).
+  # Repo placed here to respect the rule above.
+  # XXX Move to 10.1 plashets when available
+  - rhel-9.6-server-ose-4.19
+  # XXX: temporarily add rhel-9.4-appstream for crun-wasm since llvm
+  # libraries can't be found in rhel-9.6-appstream.
+  # https://github.com/openshift/os/issues/1680
+  # https://issues.redhat.com/browse/COS-3075
+  # Repo placed here to respect the rule above.
+  - rhel-9.4-appstream
+  # For two-node-ha extension.
+  # Repo placed here to respect the rule above.
+  - rhel-10.1-highavailability
+  # For ipsec extension include the fast-datapath repo.
+  # Repo placed here to respect the rule above.
+  # XXX uncomment when this repo exists for RHEL10
+  # - rhel-10.1-fast-datapath
+
+extensions:
+  # https://issues.redhat.com/browse/RFE-4177
+  wasm:
+    architectures:
+      - x86_64
+      - aarch64
+    packages:
+      - crun-wasm
+ # Uncomment once fast-datapath repo exists for RHEL 10
+ ## https://github.com/coreos/fedora-coreos-tracker/issues/1504
+ #ipsec:
+ #  packages:
+ #    - libreswan
+ #    - NetworkManager-libreswan
+ #    - openvswitch3.5-ipsec
+  # https://github.com/coreos/fedora-coreos-tracker/issues/326
+  usbguard:
+    packages:
+      - usbguard
+  kerberos:
+    packages:
+      - krb5-workstation
+      - libkadm5
+  # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+  # These are currently overlaid onto the host so that they can be bind-mounted
+  # into build containers... in the future they should be a `development`
+  # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+  kernel-devel:
+    packages:
+      - kernel-devel
+      - kernel-headers
+    match-base-evr: kernel
+  # These are already in the base, so they're not OS extensions, but they're
+  # useful to have in RPM form to install in kmod build containers.
+  kernel:
+    kind: development
+    packages:
+      - kernel
+      - kernel-core
+      - kernel-modules
+      - kernel-modules-extra
+    match-base-evr: kernel
+  # GRPA-2822
+  # https://github.com/openshift/machine-config-operator/pull/1330
+  # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+  kernel-rt:
+    architectures:
+      - x86_64
+    repos:
+      # this is not available on all arches, so keep here and not in the global repo list
+      - rhel-10.1-nfv
+    packages:
+      - kernel-rt-core
+      - kernel-rt-kvm
+      - kernel-rt-modules
+      - kernel-rt-modules-extra
+      - kernel-rt-devel
+    match-base-evr: kernel
+  # https://github.com/openshift/machine-config-operator/pull/2456
+  # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+  # GRPA-3123
+  sandboxed-containers:
+    architectures:
+      - x86_64
+      - s390x
+    packages:
+      - kata-containers
+  # https://issues.redhat.com/browse/COS-2402
+  kernel-64k:
+    architectures:
+      - aarch64
+    packages:
+      - kernel-64k-core
+      - kernel-64k-modules
+      - kernel-64k-modules-core
+      - kernel-64k-modules-extra
+  # https://issues.redhat.com/browse/COS-2940
+  sysstat:
+    packages:
+      - sysstat
+  # https://issues.redhat.com/browse/OCPEDGE-1493
+  two-node-ha:
+    packages:
+      - pacemaker
+      - pcs
+      - fence-agents-all

extensions-ocp-rhel-9.6.yaml

@@ -22,6 +22,9 @@ repos:
   # For two-node-ha extension.
   # Repo placed here to respect the rule above.
   - rhel-9.6-highavailability
+  # For ipsec extension include the fast-datapath repo.
+  # Repo placed here to respect the rule above.
+  - rhel-9.6-fast-datapath
 
 extensions:
   # https://issues.redhat.com/browse/RFE-4177
@@ -33,8 +36,6 @@ extensions:
       - crun-wasm
   # https://github.com/coreos/fedora-coreos-tracker/issues/1504
   ipsec:
-    repos:
-      - rhel-9.6-fast-datapath
     packages:
       - libreswan
       - NetworkManager-libreswan

extensions/build.sh

@@ -9,11 +9,17 @@ fi
 . /etc/os-release
 # XXX: we can drop the rhcos check once we've dropped the `ocp-rhel-9.6` variant
 if [ $ID = rhel ] || [ $ID = rhcos ]; then
-    MANIFEST="manifest-rhel-9.6.yaml"
-    EXTENSIONS="extensions-ocp-rhel-9.6.yaml"
+    # For now, while we are still building the `4.19-9.6` stream the
+    # $VERSION_ID for those will be the openshift version while
+    # $RHEL_VERSION will be the RHEL version. Let's detect that situation
+    # here and use RHEL_VERSION if it exists. We should be able to drop
+    # this soon.
+    manifest_version="${RHEL_VERSION:-$VERSION_ID}"
+    MANIFEST="manifest-rhel-${manifest_version}.yaml"
+    EXTENSIONS="extensions-ocp-rhel-${manifest_version}.yaml"
 else
-    MANIFEST="manifest-c9s.yaml"
-    EXTENSIONS="extensions-okd-c9s.yaml"
+    MANIFEST="manifest-c${VERSION_ID}s.yaml"
+    EXTENSIONS="extensions-okd-c${VERSION_ID}s.yaml"
 fi
 
 rpm-ostree compose extensions --rootfs=/ \

image-c10s.yaml

@@ -1 +1 @@
-image-rhel-9.6.yaml
+image-rhel-10.1.yaml

image-rhel-10.1.yaml

@@ -0,0 +1,34 @@
+# See https://github.com/coreos/coreos-assembler/pull/298
+size: 16
+
+# We default to a container image
+deploy-via-container: true
+
+# Disable networking by default on firstboot. We can drop this once cosa stops
+# defaulting to `ip=dhcp,dhcp6 rd.neednet=1` when it doesn't see this key.
+ignition-network-kcmdline: []
+
+# add the requisite OCP metadata to our container image
+# but xref https://github.com/openshift/os/issues/1047
+ostree-container-inject-openshift-cvo-labels: true
+
+# vmware-secure-boot changes the EFI secure boot option.
+# set false here due to https://bugzilla.redhat.com/show_bug.cgi?id=2106055
+vmware-secure-boot: false
+
+# rhel9_64Guest requires hardware version 18 and vSphere 7.0U3
+# https://kb.vmware.com/s/article/88157
+vmware-os-type: rhel8_64Guest
+# VMware hardware versions: https://kb.vmware.com/s/article/1003746
+# Supported VMware versions: https://lifecycle.vmware.com/
+vmware-hw-version: 15
+
+# see https://github.com/coreos/coreos-assembler/pull/3607
+# Defaults for AWS
+aws-imdsv2-only: false
+aws-volume-type: "gp2"
+aws-x86-boot-mode: "legacy-bios"
+
+# Enable 'erofs' by default for the rootfs in the Live ISO/PXE artifacts
+live-rootfs-fstype: "erofs"
+live-rootfs-fsoptions: "-zlzma,level=6 -Eall-fragments,fragdedupe=inode -C1048576 --quiet"

kola-denylist.yaml

@@ -6,20 +6,20 @@
 - pattern: basic.uefi-secure
   tracker: https://github.com/openshift/os/issues/1237
   osversion:
-    - c9s
-    - c10s
+    - centos-9
+    - centos-10
 
 - pattern: iso-live-login.uefi-secure
   tracker: https://github.com/openshift/os/issues/1237
   osversion:
-    - c9s
-    - c10s
+    - centos-9
+    - centos-10
 
 - pattern: iso-as-disk.uefi-secure
   tracker: https://github.com/openshift/os/issues/1237
   osversion:
-    - c9s
-    - c10s
+    - centos-9
+    - centos-10
 
 # The 4.17 and 4.18 build of Ignition encounters a FIPS panic so
 # we are using the 4.16 build for now while that is under investigation.
@@ -44,45 +44,68 @@
 - pattern: ostree.sync
   tracker: https://github.com/openshift/os/issues/1751
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 # Will fail until we have proper RHEL 10 builds of OCP packages
 - pattern: ext.config.version.rhel-major-version
   tracker: TODO
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 - pattern: multipath.day1
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 - pattern: multipath.day2
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 - pattern: multipath.partition
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 - pattern: iso-offline-install*mpath.bios
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
 - pattern: ext.config.shared.root-reprovision.luks.multipath
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1894
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
+# Waiting for submodule bump
 - pattern: ext.config.shared.networking.nm-ifcfg-rh-plugin
   tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
 
+# Waiting for submodule bump
 - pattern: ext.config.shared.networking.team-dhcp-via-ignition
   tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581
   osversion:
-    - c10s
+    - centos-10
+    - rhel-10.1
+
+# Waiting for submodule bump
+# https://github.com/coreos/fedora-coreos-config/pull/3439
+- pattern: ext.config.shared.networking.default-network-behavior-change
+  tracker: https://github.com/openshift/os/pull/1759#issuecomment-2779700581
+  osversion:
+    - rhel-10.1
+
+- pattern: ext.config.shared.content-origins
+  tracker: https://issues.redhat.com/browse/RHEL-86436
+  osversion:
+    - rhel-10.1

manifest-c10s.yaml

@@ -7,7 +7,7 @@ metadata:
 
 variables:
   id: "centos"
-  osversion: "c10s"
+  osversion: "centos-10"
   inherit_tier_x: true
 
 # Include manifests common to all RHEL and CentOS Stream versions

manifest-c9s.yaml

@@ -7,7 +7,7 @@ metadata:
 
 variables:
   id: "centos"
-  osversion: "c9s"
+  osversion: "centos-9"
   inherit_tier_x: true
 
 # Include manifests common to all RHEL and CentOS Stream versions