manifests: Rework to allow co-located builds for each RHEL version

ci/prow-entrypoint.sh

@@ -6,6 +6,9 @@ set -xeuo pipefail
 # Global variables
 REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
 
+# Default version of RHEL used to build RHCOS
+RHELVER="rhel-8.6"
+
 # This function is used to update the /etc/passwd file within the COSA container
 # at test-time. The need for this comes from the fact that OpenShift will run a
 # container with a randomized user ID by default to enhance security. Because
@@ -28,6 +31,8 @@ setup_user() {
     whoami
 }
 
+# Setup a new build directory with COSA init, selecting the version of RHEL or
+# CentOS Stream that we want as a basis for RHCOS/SCOS.
 cosa_init() {
     if test -d builds; then
         echo "Already in an initialized cosa dir"
@@ -43,7 +48,7 @@ cosa_init() {
     cd "$cosa_dir"
 
     # Setup source tree
-    cosa init --transient "${tmp_src}/os"
+    cosa init --transient "${tmp_src}/os" "${RHELVER}"
 }
 
 # Do a cosa build & cosa build-extensions only.
@@ -61,11 +66,10 @@ cosa_build() {
     cosa buildfetch --url="${prev_build_url}"
 
     # Fetch the repos corresponding to the release we are building
-    rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
-    id
-    whoami
-    ls -alh "src/config/"
-    curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+    if [[ "${RHELVER}" == "rhel-8.6" ]]; then
+        rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
+        curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+    fi
 
     # Fetch packages
     cosa fetch
@@ -158,13 +162,15 @@ main () {
             cosa_init
             cosa_build
             ;;
-        "rhcos-86-build-test-qemu")
+        "build-test-qemu-kola-basic" | "rhcos-86-build-test-qemu")
+            RHELVER="rhel-8.6"
             setup_user
             cosa_init
             cosa_build
             kola_test_qemu
             ;;
-        "rhcos-86-build-test-metal")
+        "build-test-qemu-kola-all" | "rhcos-86-build-test-metal")
+            RHELVER="rhel-8.6"
             setup_user
             cosa_init
             cosa_build

common.yaml

@@ -0,0 +1,246 @@
+# We inherit from Fedora CoreOS' base configuration
+include:
+  - fedora-coreos-config/manifests/ignition-and-ostree.yaml
+  - fedora-coreos-config/manifests/file-transfer.yaml
+  - fedora-coreos-config/manifests/networking-tools.yaml
+  - fedora-coreos-config/manifests/system-configuration.yaml
+  - fedora-coreos-config/manifests/user-experience.yaml
+  - fedora-coreos-config/manifests/shared-workarounds.yaml
+  # RHCOS owned packages
+  - rhcos-packages.yaml
+
+# Layers common to all versions of RHCOS and SCOS
+ostree-layers:
+  - overlay/01fcos
+  - overlay/02fcos-nouveau
+  - overlay/05rhcos
+  - overlay/06gcp-routes
+  - overlay/15rhcos-tuned-bits
+  - overlay/20platform-chrony
+  - overlay/21dhcp-chrony
+
+arch-include:
+  x86_64:
+    - fedora-coreos-config/manifests/grub2-removals.yaml
+    - fedora-coreos-config/manifests/bootupd.yaml
+  ppc64le: fedora-coreos-config/manifests/grub2-removals.yaml
+  aarch64:
+    - fedora-coreos-config/manifests/grub2-removals.yaml
+    - fedora-coreos-config/manifests/bootupd.yaml
+
+documentation: false
+initramfs-args:
+  - "--no-hostonly"
+  - "--omit-drivers"
+  - "nouveau"
+  - "--omit"
+  # we don't need root-on-NFS
+  # see upstream: https://github.com/coreos/fedora-coreos-config/pull/60
+  - "nfs"
+  - "--add"
+  - "iscsi"
+  - "ignition"
+  - "--add"
+  - "ifcfg"
+  - "--add"
+  - "fips"
+  # The current default in RHEL8 is network-legacy
+ ## XXX: This does not work for now: https://github.com/dracutdevs/dracut/issues/798
+ ## XXX: Temporarily use overlay.d/05rhcos/usr/lib/dracut/modules.d/29rhcos-need-network-manager/module-setup.sh
+ #- "--add"
+ #- "network-manager"
+  - "--omit"
+  - "network-legacy"
+
+postprocess:
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # Disable PasswordAuthentication in SSH
+     sed -i "s|^PasswordAuthentication yes$|PasswordAuthentication no|g" /etc/ssh/sshd_config
+     # Disable root login because don't do that.
+     sed -i "s|^PermitRootLogin yes$|PermitRootLogin no|g" /etc/ssh/sshd_config
+     # Enable ClientAliveInterval and set to 180 per https://bugzilla.redhat.com/show_bug.cgi?id=1701050
+     sed -i "s|^#ClientAliveInterval 0$|ClientAliveInterval 180|g" /etc/ssh/sshd_config
+
+     # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare
+     # See https://jira.coreos.com/browse/RHCOS-258
+     if [ "$(uname -m)" == "x86_64" ]; then
+     cat > /etc/vmware-tools/tools.conf <<'EOF'
+     [guestosinfo]
+     short-name = rhel8-64
+     EOF
+     fi
+
+     # TEMPORARY: Fix file permission for cpictl until fix is backported to RHEL 8.6
+     # See https://bugzilla.redhat.com/show_bug.cgi?id=2024102
+     if [ "$(uname -m)" == "s390x" ]; then
+     [ "$(stat -c '%a' /usr/lib/s390-tools/cpictl)" == "755" ] && echo "Permission for /usr/lib/s390-tools/cpictl is fixed, remove temporary hack"
+     chmod 755 /usr/lib/s390-tools/cpictl
+     fi
+
+     # Nuke network.service from orbit
+     # https://github.com/openshift/os/issues/117
+     rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network
+
+     # We're not using resolved yet
+     rm -f /usr/lib/systemd/system/systemd-resolved.service
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # manually modify SELinux booleans that are needed for OCP use cases
+    semanage boolean --modify --on container_use_cephfs      # RHBZ#1694045
+    semanage boolean --modify --on virt_use_samba            # RHBZ#1754825
+
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+  - |
+    #!/usr/bin/bash
+    mkdir -p /usr/share/containers/oci/hooks.d
+
+  # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
+  # so that the MCO can use it by default and not trip over SELinux issues trying
+  # to create it.
+  - |
+    #!/usr/bin/bash
+    mkdir -p /etc/yum.repos.d
+
+  # This updates the PAM configuration to reference all of the SSSD modules.
+  # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles`
+  # (https://github.com/pbrezina/authselect/issues/48).
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1774154
+  # NOTE: This is a temporary hack which should be updated after switching to systemd-sysusers
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # use `authselect test` since `authselect select` wants to copy to `/var` too
+    authselect test sssd --nsswitch | tail -n +2 > /etc/nsswitch.conf
+    for pam_file in system-auth password-auth smartcard-auth fingerprint-auth postlogin; do
+      authselect test sssd --${pam_file} | tail -n +2 > /etc/pam.d/${pam_file}
+    done
+    rm -f $(which authselect)
+
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+exclude-packages:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1798278
+  - subscription-manager
+  # And this one shouldn't come in
+  - dnf
+  # https://github.com/coreos/rpm-ostree/pull/1789/files/a0cd999a8acd5b40ec1024a794a642916fbc8ff8#diff-fc2076dc46933204a7a798f544ce3734
+  # People need to use `rpm-ostree kargs` instead.
+  - grubby
+  # udisks2 is a fwupd recommends only need for encrypted swap checks
+  - udisks2
+  # dhcp-client is recommended by chrony for handling NTP servers given out via
+  # DHCP, but we have a NM dispatcher script that is doing that
+  # See: https://bugzilla.redhat.com/show_bug.cgi?id=1930468
+  # See: https://bugzilla.redhat.com/show_bug.cgi?id=1800901
+  - dhcp-client
+
+# Try to maintain this list ordering by "in RHEL, then not in RHEL".
+# To verify, disable all repos except the ootpa ones and then comment
+# out the bottom and run `coreos-assembler build`.
+# A lof of packages are inherited by the manifests included at the top.
+packages:
+ # Contains SCTP (https://bugzilla.redhat.com/show_bug.cgi?id=1718049)
+ # and it's not really going to be worth playing the "where's my kernel module"
+ # game long term.  If we ship it we support it, etc.
+ - kernel-modules-extra
+ # Audit
+ - audit
+ # Containers
+ - containernetworking-plugins
+ # Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected
+ - container-selinux
+ - cri-o cri-tools
+ # Networking
+ - nfs-utils
+ - dnsmasq
+ - NetworkManager-ovs
+ # Extra runtime
+ - sssd
+ # Common tools used by scripts and admins interactively
+ - rsync tmux
+ - nmap-ncat strace
+ # Editors
+ - nano
+ # Red Hat CA certs
+ - subscription-manager-rhsm-certificates
+ # Used on the bootstrap node
+ - systemd-journal-remote
+ # Extras
+ - systemd-journal-gateway
+ # RHEL 8.6 shipped with clevis-15-8, so we can drop the version requirement
+ - clevis clevis-luks clevis-dracut
+ # tpm2-tools is required by clevis
+ - tpm2-tools
+ # Used to update PAM configuration to work with SSSD
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1774154
+ - authselect
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1900759
+ - qemu-guest-agent
+ # BELOW HERE ARE PACKAGES NOT IN RHEL
+ # OpenShift OKD
+ #- origin-node origin-hyperkube origin-clients
+ # OpenShift
+ - openshift-hyperkube openshift-clients
+ # Gluster - Used for Openshift e2e gluster testcases
+ # Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches
+ - glusterfs-fuse
+ # Needed for kernel-devel extension: https://bugzilla.redhat.com/show_bug.cgi?id=1885408
+ # x86_64 and s390x have these packages installed as dependencies of other packages, ppc64le does not
+ # FIXME: once the below BZs have been resolved to remove perl dependencies, this can be done in the extensions script
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1877905
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1886201
+ - perl-interpreter
+ # https://github.com/coreos/fedora-coreos-tracker/issues/404
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1925698
+ # https://github.com/openshift/machine-config-operator/pull/2421
+ - conntrack-tools
+ # Upstream PR https://github.com/coreos/fedora-coreos-config/pull/786
+ - WALinuxAgent-udev
+
+packages-x86_64:
+  # Temporary add of open-vm-tools. Should be removed when containerized
+  - open-vm-tools
+  - irqbalance
+  # Until we sort out 4.2 -> 4.3 upgrades, we need to carry this.
+  # See also https://github.com/ostreedev/ostree/pull/1929
+  - ostree-grub2
+  # rdma-core cleanly covers some key bare metal use cases
+  - rdma-core
+
+packages-ppc64le:
+  - irqbalance
+  - librtas
+  - powerpc-utils-core
+  - ppc64-diag-rtas
+  - rdma-core
+
+remove-from-packages:
+  - - filesystem
+    - "/usr/share/backgrounds"
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1762509
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1727058
+  - - initscripts
+    - "/"
+  # Remove the systemd unit; we only want the binary to be used
+  # by MCD or kubelet.  See above.
+  - - conntrack-tools
+    - /usr/lib/systemd/system

extensions.yaml

@@ -0,0 +1 @@
+rhel-8.6/extensions.yaml