poc rocky 8

kyleishie 2023-02-28 13:48:28 -05:00
commit 9d39f70686
22 changed files with 664 additions and 0 deletions

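--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.idea
+build/repo
+build/images
+build/cache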

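--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,2 @@
+https://rockylinux.org/licensing
+BSD-3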

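--- a/README.md
+++ b/README.md
@@ -0,0 +1,16 @@
+# Rocky Linux OSTree
+This repository contains the configuration files needed to spin Rocky Linux using rpm-ostree.
+## Project Structure
+- `manifest.$releasever-$rltype.yaml` - These files represent the entry point for a given release config.
+- `manifests/rocky-common.yaml` - Default configuration for rpm-ostree and rocky common to all variants.
+- `manifests/arch` - These files contain configuration specific to the named architecture, x86_64, aarch64, aarch64-pi. Note these should be explicitly included by top level manifests.
+- `manifests/dnf-groups` - Contains lists of packages organized by containing dnf group, e.g., @Core, @Standard, etc. This is not a comprehensive list and my not be the best approach.
+- `build` - Contains instructions and scripts to build both the server-side tree and an installation ISO. See the `build/README.md` for build instructions.
+- `kickstarts` - Anaconda kickstart files that can be used with any anaconda installer image.
+For details on these manifests, A.K.A. Treefiles, see: [Treefile Reference](https://coreos.github.io/rpm-ostree/treefile/)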

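--- a/build/Makefile
+++ b/build/Makefile
@@ -0,0 +1,75 @@
+RELEASE_VER_MAJOR = 8
+RELEASE_VER_MINOR = 7
+ARCH = $(shell uname -m)
+RELEASE_NAME = rocky-linux-ostree-$(ARCH)-$(RELEASE_VER_MAJOR).$(RELEASE_VER_MINOR)
+DEFAULT_OSTREE_REMOTE = https://dl.rockylinux.org/pub/sig/$(RELEASE_VER_MAJOR)/ostree/$(ARCH)/standard/
+MOCK_CONFIG = rocky-$(RELEASE_VER_MAJOR)-$(ARCH)
+.PHONY: all
+all: init tree iso
+.PHONY: clean
+clean:
+rm -rf ./repo ./cache
+.PHONY: init
+init: clean
+mkdir -p ./{repo,cache,images}
+ostree --repo=./repo init --mode=archive
+.PHONY: mirror
+mirror: init
+ostree --repo=./repo remote add rockylinux --set=gpg-verify=false $(DEFAULT_OSTREE_REMOTE) && \
+ostree --repo=./repo pull --mirror rockylinux rockylinux/$(RELEASE_VER_MAJOR)/$(ARCH)/minimal/devel && \
+ostree --repo=./repo summary --update
+.PHONY: tree
+tree:
+rpm-ostree compose tree --repo=./repo --cachedir=./cache --unified-core ../manifest.8-minimal.yaml && \
+ostree summary --repo=./repo --update
+.PHONY: iso
+iso:
+mock -r $(MOCK_CONFIG) --clean
+mock -r $(MOCK_CONFIG) --init
+mock -r $(MOCK_CONFIG) --install lorax ostree
+mock -r $(MOCK_CONFIG) --copyin $$(pwd)/repo /builddir/repo
+mock -r $(MOCK_CONFIG) --copyin $$(pwd)/lorax-templates /builddir/lorax-templates
+mock -r $(MOCK_CONFIG) --enable-network --chroot "cd /builddir && \
+lorax --product='Rocky Linux OSTree' \
+--version=$(RELEASE_VER_MAJOR) \
+--release=$$(date +%Y%m%d) \
+--variant=R$(RELEASE_VER_MAJOR) \
+--skip-branding \
+--installpkgs rocky-release* \
+--installpkgs rocky-logos-$(RELEASE_VER_MAJOR)* \
+--installpkgs ostree* \
+--source=https://dl.rockylinux.org/pub/rocky/$(RELEASE_VER_MAJOR)/BaseOS/$(ARCH)/os/ \
+--source=https://dl.rockylinux.org/pub/rocky/$(RELEASE_VER_MAJOR)/AppStream/$(ARCH)/os/ \
+--nomacboot \
+--volid=$(RELEASE_NAME) \
+--add-template=/builddir/lorax-templates/lorax-configure-repo.tmpl \
+--add-template=/builddir/lorax-templates/lorax-embed-repo.tmpl \
+--add-template-var=ostree_install_repo=file:///builddir/repo \
+--add-template-var=remote_url=$(DEFAULT_OSTREE_REMOTE) \
+--add-template-var=default_ref=rockylinux/$(RELEASE_VER_MAJOR)/$(ARCH)/minimal/devel \
+--logfile=/builddir/lorax.log \
+--tmp=/builddir/tmp \
+--rootfs-size=8 \
+/builddir/completed-iso"
+mock -r $(MOCK_CONFIG) --copyout /builddir/completed-iso/images/boot.iso $$(pwd)/images/$(RELEASE_NAME).iso
+.PHONY: test-server
+test-server:
+podman stop ostree-test-server --ignore && \
+podman rm ostree-test-server --ignore && \
+podman run -d \
+--name=ostree-test-server \
+-p 9001:80 \
+-v ./repo:/usr/share/nginx/repo \
+-v ./nginx.conf:/etc/nginx/nginx.conf \
+--security-opt label=disable \
+nginx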
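Review bot: `all: init tree iso` declares no edges between the three phony targets, so under `make -j` the compose in `tree` and the `rm -rf ./repo ./cache` reached through `init: clean` can run at the same time; the sequential intent described in build/README.md is only guaranteed by giving `all` a recipe such as `$(MAKE) init && $(MAKE) tree && $(MAKE) iso` or by adding explicit prerequisites. The `mirror` target registers the upstream remote with `--set=gpg-verify=false`, so the pulled commits are never signature-checked, and the same unverified remote URL is forwarded to the installer through `remote_url`; if the upstream commits are signed, keeping verification on and importing the key is preferable, and if they are not, a comment stating that this is a PoC-only setting would keep it from being copied forward. Smaller points: `ARCH = $(shell uname -m)` re-runs `uname` on every expansion and should be `ARCH := $(shell uname -m)`, and `mkdir -p ./{repo,cache,images}` depends on brace expansion, so either set `SHELL := bash` or spell the three directories out so the recipe does not rely on `/bin/sh` being bash. `$$(pwd)` in the `iso` recipe can be `$(CURDIR)` without spawning a shell.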

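--- a/build/README.md
+++ b/build/README.md
@@ -0,0 +1,59 @@
+## How to Build
+### Notes on Building
+- At the moment this config is built manually using the commands below. The end goal will be to incorporate this
+into [Empanadas](https://github.com/rocky-linux/sig-core-toolkit). That being said the build tools provided here should
+be considered a proof of concept at best, and will most likely be removed in the future.
+- Depending on your setup, you may need to run the following commands as root.
+### Tree & ISO
+```
+make
+```
+Composes an ostree commit based on the current config, updates the local repo, then creates an installation ISO which embeds the
+local repo. For more control continue reading.
+### Tree Composition
+```
+make init
+```
+Sanitizes the build env and creates an empty ostree repo. This step is only needed if you want to start
+fresh. If you wish to build commits on top of existing rocky ostree create a mirror. See `make mirror`.
+```
+make mirror
+```
+Sanitizes the build env and mirror the ostree from the rockylinux.org remote. This is useful when you want a known working
+starting point to commit on top of.
+```
+make tree
+```
+Composes a new tree commit based on the current manifest(s). At the moment, this is hardcoded to compose `../manifest.8-minimal.yaml`.
+### Installer ISO
+```
+make iso
+```
+Creates an installation ISO of the current local tree in `./repo`.
+#### Notes
+1. The resulting ISO embeds the newest tree commit (depth 0). Currently, this is hardcoded to the `.../minimal/devel` ref.
+2. The resulting ISO is a standard anaconda installer which will require the user to config users, network, etc. The "special sauce"
+is the embedded kickstart file that calls `ostreesetup ...`. See `/lorax-templates/lorax-configure-repo.tmpl` or `kickstarts/rockylinux-8-x86_64-minimal-devel.ks` .
+### Host Local Repo Server
+```
+make test-server
+```
+Deploys a nginx container to host `./repo` for testing purposes.
+Note that you will need to manually add a remote to your ostree installation for this test server. This can be done like so:
+```
+ostree remote add --no-gpg-verify test-server http://your.ip.address.here:9001/
+```
+From there you can rebase your installation to the test server like so:
+```
+rpm-ostree rebase --remote test-server -b rockylinux/8/x86_64/minimal/devel
+```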


@ -0,0 +1,8 @@
<%page args="default_ref, remote_url"/>
append usr/share/anaconda/interactive-defaults.ks "ostreesetup --nogpg --osname=rockylinux --remote=rockylinux --url=file:///ostree/repo --ref=${default_ref}"
append usr/share/anaconda/interactive-defaults.ks "firewall --use-system-defaults"
append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail"
append usr/share/anaconda/interactive-defaults.ks "ostree remote delete rockylinux"
append usr/share/anaconda/interactive-defaults.ks "ostree remote add --no-gpg-verify rockylinux ${remote_url}"
append usr/share/anaconda/interactive-defaults.ks "%end"
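Review bot: The `%post` written by the last three `append` lines replaces the installer-time remote with `ostree remote add --no-gpg-verify rockylinux ${remote_url}`, so the deployed system permanently skips commit-signature verification for every later `rpm-ostree upgrade` pulled from that URL; `--nogpg` on the `ostreesetup` line is understandable for the unsigned embedded `file:///ostree/repo`, but the post-install remote is a different trust boundary. If the upstream commits are signed, `append usr/share/anaconda/interactive-defaults.ks "ostree remote add --gpg-import=<PATH_TO_ROCKY_OSTREE_KEY> rockylinux ${remote_url}"` keeps verification on (path is a placeholder); if they are not, a one-line template comment saying so would stop this setting from being copied into non-PoC configs. The kickstart section below (`rm -f /etc/ostree/remotes.d/rockylinux.conf` followed by `ostree remote add --no-gpg-verify ...`) has the same pair and additionally hard-codes the x86_64 standard remote.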


@ -0,0 +1,9 @@
<%page args="root, ostree_install_repo, default_ref"/>
runcmd mkdir ${root}/ostree
runcmd ostree --repo=${root}/ostree/repo init --mode=bare
runcmd ostree --repo=${root}/ostree/repo remote add rockylinux --set=gpg-verify=false ${ostree_install_repo}
runcmd ostree --repo=${root}/ostree/repo pull --mirror rockylinux ${default_ref}
runcmd ostree --repo=${root}/ostree/repo summary --update
runcmd chroot ${root} ls /etc/anaconda/product.d/
runcmd chroot ${root} sed -i '/Subscription/d' /etc/anaconda/product.d/rhel.conf
runcmd chroot ${root} sed -i 's/efi_dir = redhat/efi_dir = rocky/' /etc/anaconda/product.d/rhel.conf

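--- a/build/nginx.conf
+++ b/build/nginx.conf
@@ -0,0 +1,27 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+}
+http {
+default_type application/octet-stream;
+server {
+listen 80;
+location / {
+root /usr/share/nginx/repo;
+autoindex on;
+sendfile on;
+tcp_nopush on;
+}
+}
+}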


@ -0,0 +1,6 @@
ostreesetup --nogpg --osname=rockylinux --remote=rockylinux --url=https://dl.rockylinux.org/pub/sig/8/ostree/x86_64/standard/ --ref=rockylinux/8/x86_64/minimal/devel
%post --erroronfail
rm -f /etc/ostree/remotes.d/rockylinux.conf
ostree remote add --no-gpg-verify rockylinux https://dl.rockylinux.org/pub/sig/8/ostree/x86_64/standard/
%end

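--- a/manifest.8-minimal.yaml
+++ b/manifest.8-minimal.yaml
@@ -0,0 +1,31 @@
+variables:
+rltype: minimal
+stream: devel
+prod: false
+releasever: 8
+repovars:
+rltype: ${rltype}
+include:
+- manifests/rocky-common.yaml
+- manifests/fixes.yaml
+- manifests/dnf-groups/Minimal_Install.yaml
+arch-include:
+x86_64: manifests/arch/x86_64.yaml
+aarch64: manifests/arch/aarch64.yaml
+exclude-packages:
+- plymouth #mainly for debugging
+postprocess:
+- |
+#!/usr/bin/env bash
+set -xeuo pipefail
+# Disable services
+systemctl disable rdisc.service
+systemctl disable sshd.service
+systemctl disable sssd-nss.socket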


@ -0,0 +1,17 @@
# Anything specific to making aarch64 work
packages:
- grub2-efi
- ostree-grub2
- efibootmgr
- shim
# The following packages are specified in a repo specific way.
# This prevents us from needing to use repo config priorities.
# Note: This is not necessary for "normal" packages, but will become useful for SIG packages,
# such as raspberry pi kernel. Doing it now sets a standard and documents the approach.
repo-packages:
packages:
- kernel
- kernel-modules
- kernel-modules-extra
repo: baseos


@ -0,0 +1,22 @@
# Anything specific to making x86_64 work
packages:
- grub2-efi-ia32
- grub2-efi-x64
- grub2-pc
- ostree-grub2
- efibootmgr
- shim-ia32
- shim-x64
- microcode_ctl
- mcelog
# The following packages are specified in a repo specific way.
# This prevents us from needing to use repo config priorities.
# Note: This is not necessary for "normal" packages, but will become useful for SIG packages,
# such as raspberry pi kernel. Doing it now sets a standard and documents the approach.
repo-packages:
- packages:
- kernel
- kernel-modules
- kernel-modules-extra
repo: baseos


@ -0,0 +1,87 @@
# Packages from @Core
#
# Exclusions:
# dnf - Replaced by rpm-ostree
# yum - Replaced by rpm-ostree
# dnf-plugins-core - Removed since we don't install dnf
# plymouth - Removed because rpm-ostree compose can't seem to find it
packages:
# Mandatory
- NetworkManager
- audit
- basesystem
- bash
- coreutils
# - cronie
- curl
- e2fsprogs
- filesystem
- firewalld
- glibc
# - grubby
- hostname
# - initscripts
- iproute
- iprutils
- iputils
# - irqbalance
- kbd
# - kexec-tools
- less
- man-db
- ncurses
- openssh-clients
- openssh-server
# - parted
- passwd
- policycoreutils
- procps-ng
- rootfiles
# - rsyslog
- selinux-policy-targeted
- setup
- shadow-utils
- sssd-common
# - sssd-kcm
- sudo
- systemd
# - tuned
- util-linux
- vim-minimal
# - xfsprogs
# Default
# - NetworkManager-team
# - NetworkManager-tui
# - authselect
# - biosdevname
# - dracut-config-rescue
# - iwl100-firmware
# - iwl1000-firmware
# - iwl105-firmware
# - iwl135-firmware
# - iwl2000-firmware
# - iwl2030-firmware
# - iwl3160-firmware
# - iwl5000-firmware
# - iwl5150-firmware
# - iwl6000-firmware
# - iwl6000g2a-firmware
# - iwl6050-firmware
# - iwl7260-firmware
# - kernel-tools
# - libsysfs
- linux-firmware
# - lshw
# - lsscsi
# - microcode_ctl
- prefixdevname
# - sg3_utils
# - sg3_utils-libs
# Optional
# - dracut-config-generic
# - dracut-network
# - initial-setup
# - rdma-core
# - selinux-policy-mls
# - tboot


@ -0,0 +1,7 @@
# Packages from @Guest Agents
packages:
# Mandatory
# - hyperv-daemons
# - open-vm-tools
# - qemu-guest-agent # rpm-ostree compose tree has a hard time finding this (yes I triple checked my repo settings)


@ -0,0 +1,9 @@
# Packages from @Minimal Install
#
# Exclusions:
# see included manifests
include:
- Core.yaml
- Standard.yaml
- Guest_Agents.yaml


@ -0,0 +1,12 @@
# dnf-groups
These manifest files are organized so that each file represents a DNF group and lists the packages from that group.
This may seem unnecessary, and in the end it doesn't really matter, but when thinking about rocky ostree in terms of
a rocky minimal clone it is helpful. Note that at the moment only mandatory and default packages from these groups are
included.
### Note About Excluded Packages
You will notice that a handful packages are commented out. Some of which have corresponding comments that explain why
they are excluded. If something is excluded without a comment it was most likely because it fell into the category of
"when its included rpm-ostree freaks out or the produced build is broken". In some cases these packages should be
included and warrant further investigation, however, others will probably be left out in the end regardless.


@ -0,0 +1,97 @@
# Packages from @Standard
#
# Exclusions:
# kpatch-dnf - Removed since we don't install dnf
# plymouth - Removed because rpm-ostree compose can't seem to find it
#
# Exlusions due to %post issues: See https://bugzilla.redhat.com/show_bug.cgi?id=1352154#c6 & https://ostreedev.github.io/ostree/adapting-existing/
# kmod-kvdo
# vdo (installs kmod-kvdo)
# psacct
packages:
# Mandatory
- acl
# - at
- attr
- bc
- cpio
# - crontabs
# - cyrus-sasl-plain
# - dbus
# - ed
- file
- iptstate
# - irqbalance
# - kpatch
- logrotate
- lsof
- mcelog
# - microcode_ctl
# - net-tools
- pciutils
- quota
- rocky-release
# - rsyslog-gnutls
# - rsyslog-gssapi
# - rsyslog-relp
- sudo
# - symlinks
- systemd-udev
- tar
- tree
# - util-linux-user
# Default
- bash-completion
# - blktrace
# - bpftool
- bzip2
- chrony
# - cockpit
- cryptsetup
# - dos2unix
# - dosfstools
- ethtool
# - fprintd-pam
- gnupg2
# - ledmon
# - libstoragemgmt
- lvm2
# - mailcap
- man-pages
- mdadm
# - mlocate
- mtr
- nano
# - nmap-ncat
# - nvme-cli
# - pinfo
# - plymouth
- realmd
- rsync
# - smartmontools
- sos
- sssd
# - strace
# - tcpdump
# - teamd
- time
- unzip
- usbutils
# - vim-enhanced
# - virt-what
- wget
- which
# - xfsdump
- zip
# Optional
# - cifs-utils
# - cockpit-doc
# - fwupd
# - fwupdate
# - ima-evm-utils
# - nfs-utils
# - nvmetcli
# - traceroute
# - vdo-support
# - zsh

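--- a/manifests/fixes.yaml
+++ b/manifests/fixes.yaml
@@ -0,0 +1,30 @@
+# Any workarounds should go here.
+# Please include an explanation of any workaround you implement. Hint: Links are great. :)
+packages:
+- nss-altfiles # see: https://github.com/osbuild/osbuild-composer/issues/1763
+postprocess:
+- |
+#!/usr/bin/env bash
+set -xeuo pipefail
+#TODO: Make this an overlay like fedora-coreos - see https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/systemd/journald.conf.d/10-coreos-persistent.conf
+# Work around https://bugzilla.redhat.com/show_bug.cgi?id=1265295
+# From https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/systemd/journald.conf.d/10-coreos-persistent.conf
+install -dm0755 /usr/lib/systemd/journald.conf.d/
+echo -e "[Journal]\nStorage=persistent" > /usr/lib/systemd/journald.conf.d/10-persistent.conf
+# See: https://src.fedoraproject.org/rpms/glibc/pull-request/4
+# Basically that program handles deleting old shared library directories
+# mid-transaction, which never applies to rpm-ostree. This is structured as a
+# loop/glob to avoid hardcoding (or trying to match) the architecture.
+for x in /usr/sbin/glibc_post_upgrade.*; do
+if test -f ${x}; then
+ln -srf /usr/bin/true ${x}
+fi
+done
+# THIS IS ONLY NEEDED FOR 8.6 AND LOWER
+# Workaround for https://github.com/coreos/rpm-ostree/pull/3623 which is not included until rpm-ostree v2022.08
+# sed -i 's/InaccessiblePaths=/InaccessiblePaths=-/g' /usr/lib/systemd/system/rpm-ostreed.service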

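--- a/manifests/group
+++ b/manifests/group
@@ -0,0 +1,44 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+users:x:100:
+nobody:x:65534:
+dbus:x:81:
+utmp:x:22:
+utempter:x:35:
+input:x:999:
+kvm:x:36:
+render:x:998:
+systemd-journal:x:190:
+systemd-coredump:x:997:
+systemd-resolve:x:193:
+cgred:x:996:
+polkitd:x:995:
+ssh_keys:x:994:
+rpc:x:32:
+sssd:x:993:
+printadmin:x:992:
+rpcuser:x:29:
+chrony:x:991:
+sshd:x:74:
+docker:x:990:
+banana:x:3076: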
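Review bot: The last line, `banana:x:3076:`, matches no package or user anywhere else in this commit and reads like a leftover from the author's own host; `docker:x:990:` just above it is in the same position, since no manifest in the commit installs docker. The common manifest (`# Common rpm-ostree compose settings belong here.`) points `check-groups` at this file, so at minimum the stray groups become part of the reference data every compose is checked against, and if rpm-ostree seeds the tree's group database from this file they will be shipped in every image — worth confirming before keeping them. Dropping `banana:x:3076:` (and `docker:x:990:` unless a package provides it) limits the file to groups the package set actually creates.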

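--- a/manifests/passwd
+++ b/manifests/passwd
@@ -0,0 +1,22 @@
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
+systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
+polkitd:x:998:995:User for polkitd:/:/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+sssd:x:997:993:User for sssd:/:/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+chrony:x:996:991::/var/lib/chrony:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin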


@ -0,0 +1,47 @@
# Common rpm-ostree compose settings belong here.
ref: rockylinux/${releasever}/${basearch}/${rltype}/${stream}
rojig:
name: rocky-ostree-config
summary: "Rocky Linux OSTree ${releasever}-${rltype}-${stream}"
license: MIT
repos:
- baseos
- appstream
automatic_version_prefix: "${releasever}/${rltype}/${stream} <date:%Y.%m>"
boot-location: modules
cliwrap: true
default_target: multi-user.target
documentation: false
mutate-os-release: "${releasever}-${rltype}-${stream}"
readonly-executables: true
selinux: true
tmp-is-dir: true
recommends: false
etc-group-members:
- wheel
ignore-removed-users:
- root
ignore-removed-groups:
- root
check-passwd:
type: file
filename: passwd
check-groups:
type: file
filename: group
units:
- getty@tty1.service
# Packages required by Rocky OSTree
packages:
- rocky-gpg-keys
- rocky-release
- rocky-repos
- rocky-logos
- rpm-ostree

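--- a/rocky.repo
+++ b/rocky.repo
@@ -0,0 +1,33 @@
+[baseos]
+name=Rocky Linux $releasever - BaseOS
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
+baseurl=https://dl.rockylinux.org/pub/rocky/$releasever/BaseOS/$basearch/os/
+gpgcheck=0
+enabled=1
+countme=1
+[appstream]
+name=Rocky Linux $releasever - AppStream
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/rocky/$releasever/AppStream/$basearch/os/
+gpgcheck=0
+enabled=1
+countme=1
+[altarch-common]
+name=Rocky Linux $releasever - Raspberry Pi
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/sig/$releasever/altarch/aarch64/altarch-common/
+gpgcheck=0
+enabled=1
+countme=1
+[altarch-rockyrpi]
+name=Rocky Linux $releasever - Raspberry Pi
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/sig/$releasever/altarch/aarch64/altarch-rockyrpi/
+gpgcheck=0
+enabled=1
+countme=1
+#TODO: Define the rest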
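Review bot: Every stanza sets `gpgcheck=0`, so the compose never verifies the RPM signatures of the packages that end up in the tree, even though the common manifest installs `rocky-gpg-keys`; switching each stanza to `gpgcheck=1` with a `gpgkey=<LOCATION_OF_ROCKY_8_RELEASE_KEY>` line (placeholder — a file path or URL reachable from the compose host) is a two-line change per repo and closes the gap between the compose and a stock Rocky install. The commented `mirrorlist` lines under `[altarch-common]` and `[altarch-rockyrpi]` were copied from `[appstream]` (`repo=AppStream-$releasever`), and both stanzas share the name `Rocky Linux $releasever - Raspberry Pi` while hard-coding `aarch64` in `baseurl`; either correct the comment text or drop it so the next reader on x86_64 is not misled. Whether rpm-ostree honours `enabled=1` for repos not listed under `repos:` in the common manifest is not visible here, so it is worth confirming the altarch stanzas are not pulled into the x86_64 compose.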