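# This file merges all the required yaml files from
# https://gitlab.com/fedora/bootc/base-images/-/tree/main/minimal into one.

# ==========================================================postprocess-conf.yaml========================================

# We want content lifecycled with the image
opt-usrlocal: "root"

# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true

rpmdb: target
# We never want rpmdb.sqlite-shm as it's unreproducible
rpmdb-normalize: true

ignore-removed-users:
  - root
ignore-removed-groups:
  - root
# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
etc-group-members:
  - wheel
  - systemd-journal
  - tss  # https://issues.redhat.com/browse/BIFROST-618
  - kvm  # https://issues.redhat.com/browse/RHEL-115278
  - adm

# Only use the newer imports, not the one with backwards compatibility
# The files are retrieved when building to stay in sync with upstream
check-passwd:
  type: "file"
  filename: "passwd"
check-groups:
  type: "file"
  filename: "group"

# ==========================================================postprocess-conf.yaml========================================

# tmpfiles.yaml
postprocess:
  - |
    #!/bin/bash
    set -xeuo pipefail
    cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
    d /var/lib/rpm-state 0755 - - -
    EOF
    # Workaround for https://issues.redhat.com/browse/RHEL-106203
    rm -f /usr/lib/tmpfiles.d/home.conf

  - |
    #!/bin/bash
    set -xeuo pipefail
    # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
    /usr/bin/bootupctl backend generate-update-metadata

  # Workaround for https://issues.redhat.com/browse/RHEL-78104
  - |
    #!/bin/bash
    set -xeuo pipefail
    rm -vrf /usr/lib/ostree-boot/loader

  # Set up default root config: enable composefs and mount the sysroot read-only
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    mkdir -p /usr/lib/ostree
    # Quoted delimiter: the config is written verbatim, no shell expansion
    cat > /usr/lib/ostree/prepare-root.conf << 'EOF'
    [composefs]
    enabled = yes
    [sysroot]
    readonly = true
    EOF

  # initramfs (dracut) config
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    mkdir -p /usr/lib/dracut/dracut.conf.d
    cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'
    # We want a generic image; hostonly makes no sense as part of a server side build
    hostonly=no
    # Dracut will always fail to set security.selinux xattrs at build time
    # https://github.com/dracut-ng/dracut-ng/issues/1561
    export DRACUT_NO_XATTR=1
    add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
    EOF
    cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'
    # Extra modules that we want by default that are known to exist in the kernel
    add_dracutmodules+=" virtiofs "
    EOF
    cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
    # We want this for systemd-cryptsetup tpm2 locking
    add_dracutmodules+=" tpm2-tss "
    EOF
    cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
    # https://issues.redhat.com/browse/RHEL-49590
    # On image mode systems we use nss-altfiles for passwd and group,
    # this makes sure dracut uses them which also fixes kdump writing to NFS.
    install_items+=" /usr/lib/passwd /usr/lib/group "
    EOF

  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
    if test '!' -f /usr/lib/systemd/system/local-fs.target.wants/tmp.mount; then
      ln -sf ../tmp.mount /usr/lib/systemd/system/local-fs.target.wants
    fi
    # Point the root home at /var/roothome and drop the conflicting
    # "d-" entry for it from provision.conf
    sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf > /dev/null
    sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf > /dev/null

  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # NOTE(review): os-release variables are sourced but not referenced below
    source /usr/lib/os-release
    mkdir -p /usr/lib/kernel/install.conf.d
    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
    # take over. Rpm-ostree will use this to know that it is responsible\n\
    # to run dracut and ensure that there is only one kernel in the image\n\
    layout=ostree" | tee /usr/lib/kernel/install.conf /usr/lib/kernel/install.conf.d/00-bootc-kernel-layout.conf > /dev/null
    # By default dnf keeps multiple versions of the kernel, with this
    # configuration we tell dnf to treat the kernel as everything else.
    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
    # Let's add the config to a distribution configuration file if dnf5
    # is used, we append to /etc/dnf/dnf.conf if not.
    # Also set protect_running_kernel=False, dnf/yum pre-dates Containers and
    # uses uname to protect the running kernel even on Container builds.
    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
      echo -e "[main]\nprotect_running_kernel=False" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-protect_running_kernel.conf
    else
      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
      echo "protect_running_kernel=False" >> /etc/dnf/dnf.conf
    fi

  - |
    #!/bin/bash
    set -xeuo pipefail
    # Override some of the default presets.
    # Absolute path: the next step appends to /usr/lib/systemd/system-preset/85-bootc.preset,
    # so both must name the same file regardless of the working directory.
    cat <<EOF > /usr/lib/systemd/system-preset/85-bootc.preset
    # Disable dnf-makecache.timer on bootc/image mode systems
    # https://github.com/coreos/fedora-coreos-tracker/issues/1896#issuecomment-2848251507
    disable dnf-makecache.timer
    EOF

  # Enable bootloader-update.service on F43+.
  # https://github.com/coreos/fedora-coreos-tracker/issues/1468#issuecomment-2996654547
  # https://fedoraproject.org/wiki/Changes/AutomaticBootloaderUpdatesBootc
  - |
    #!/bin/bash
    set -xeuo pipefail
    echo "enable bootloader-update.service" >> /usr/lib/systemd/system-preset/85-bootc.preset

  # Undo RPM scripts enabling units; we want the presets to be canonical
  # https://github.com/projectatomic/rpm-ostree/issues/1803
  - |
    #!/bin/bash
    set -xeuo pipefail
    rm -rf /etc/systemd/system/*
    systemctl preset-all
    rm -rf /etc/systemd/user/*
    systemctl --user --global preset-all

# Each entry may name several packages separated by whitespace.
packages:
  - kernel
  # systemd. Also name systemd-pam because it was dropped to a recommends
  # but we still want it for handling user logins/sessions.
  - systemd systemd-pam
  # bootc itself.
  - bootc
  # Required by bootc install, sgdisk has been replaced by Rust crate
  # in bootc https://github.com/containers/bootc/pull/775
  - xfsprogs e2fsprogs dosfstools
  - bootupd

packages-x86_64:
  - grub2 grub2-efi-x64 efibootmgr shim
  - microcode_ctl

exclude-packages:
  - kernel-debug-core

# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
remove-from-packages:
  - [grub2-tools, /etc/grub.d/08_fallback_counting,
     /etc/grub.d/10_reset_boot_success,
     /etc/grub.d/12_menu_auto_hide,
     /usr/lib/systemd/.*]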