From 9d39f706862e622e39ebde3ad5ce9c172c8ba4a0 Mon Sep 17 00:00:00 2001 From: kyleishie Date: Tue, 28 Feb 2023 13:48:28 -0500 Subject: [PATCH] poc rocky 8 --- .gitignore | 4 + LICENSE | 2 + README.md | 16 +++ build/Makefile | 75 ++++++++++++++ build/README.md | 59 +++++++++++ .../lorax-templates/lorax-configure-repo.tmpl | 8 ++ build/lorax-templates/lorax-embed-repo.tmpl | 9 ++ build/nginx.conf | 27 ++++++ .../rockylinux-8-x86_64-minimal-devel.ks | 6 ++ manifest.8-minimal.yaml | 31 ++++++ manifests/arch/aarch64.yaml | 17 ++++ manifests/arch/x86_64.yaml | 22 +++++ manifests/dnf-groups/Core.yaml | 87 +++++++++++++++++ manifests/dnf-groups/Guest_Agents.yaml | 7 ++ manifests/dnf-groups/Minimal_Install.yaml | 9 ++ manifests/dnf-groups/README.md | 12 +++ manifests/dnf-groups/Standard.yaml | 97 +++++++++++++++++++ manifests/fixes.yaml | 30 ++++++ manifests/group | 44 +++++++++ manifests/passwd | 22 +++++ manifests/rocky-common.yaml | 47 +++++++++ rocky.repo | 33 +++++++ 22 files changed, 664 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 build/Makefile create mode 100644 build/README.md create mode 100644 build/lorax-templates/lorax-configure-repo.tmpl create mode 100644 build/lorax-templates/lorax-embed-repo.tmpl create mode 100644 build/nginx.conf create mode 100644 kickstarts/rockylinux-8-x86_64-minimal-devel.ks create mode 100644 manifest.8-minimal.yaml create mode 100644 manifests/arch/aarch64.yaml create mode 100644 manifests/arch/x86_64.yaml create mode 100644 manifests/dnf-groups/Core.yaml create mode 100644 manifests/dnf-groups/Guest_Agents.yaml create mode 100644 manifests/dnf-groups/Minimal_Install.yaml create mode 100644 manifests/dnf-groups/README.md create mode 100644 manifests/dnf-groups/Standard.yaml create mode 100644 manifests/fixes.yaml create mode 100644 manifests/group create mode 100644 manifests/passwd create mode 100644 manifests/rocky-common.yaml create mode 100644 rocky.repo 
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3ecca1f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.idea
+build/repo
+build/images
+build/cache
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..70f4690
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,2 @@
+https://rockylinux.org/licensing
+BSD-3
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7c59ff7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+# Rocky Linux OSTree
+
+This repository contains the configuration files needed to spin Rocky Linux using rpm-ostree.
+
+## Project Structure
+- `manifest.$releasever-$rltype.yaml` - These files represent the entry point for a given release config.
+- `manifests/rocky-common.yaml` - Default configuration for rpm-ostree and rocky common to all variants.
+- `manifests/arch` - These files contain configuration specific to the named architecture, x86_64, aarch64, aarch64-pi. Note these should be explicitly included by top level manifests.
+- `manifests/dnf-groups` - Contains lists of packages organized by containing dnf group, e.g., @Core, @Standard, etc. This is not a comprehensive list and my not be the best approach.
+- `build` - Contains instructions and scripts to build both the server-side tree and an installation ISO. See the `build/README.md` for build instructions.
+- `kickstarts` - Anaconda kickstart files that can be used with any anaconda installer image.
+
+For details on these manifests, A.K.A. Treefiles, see: [Treefile Reference](https://coreos.github.io/rpm-ostree/treefile/)
+
+
+
diff --git a/build/Makefile b/build/Makefile
new file mode 100644
index 0000000..0c43b43
--- /dev/null
+++ b/build/Makefile
@@ -0,0 +1,75 @@
+RELEASE_VER_MAJOR = 8
+RELEASE_VER_MINOR = 7
+ARCH = $(shell uname -m)
+RELEASE_NAME = rocky-linux-ostree-$(ARCH)-$(RELEASE_VER_MAJOR).$(RELEASE_VER_MINOR)
+DEFAULT_OSTREE_REMOTE = https://dl.rockylinux.org/pub/sig/$(RELEASE_VER_MAJOR)/ostree/$(ARCH)/standard/
+MOCK_CONFIG = rocky-$(RELEASE_VER_MAJOR)-$(ARCH)
+
+
+.PHONY: all
+all: init tree iso
+
+.PHONY: clean
+clean:
+ rm -rf ./repo ./cache
+
+.PHONY: init
+init: clean
+ mkdir -p ./{repo,cache,images}
+ ostree --repo=./repo init --mode=archive
+
+.PHONY: mirror
+mirror: init
+ ostree --repo=./repo remote add rockylinux --set=gpg-verify=false $(DEFAULT_OSTREE_REMOTE) && \
+ ostree --repo=./repo pull --mirror rockylinux rockylinux/$(RELEASE_VER_MAJOR)/$(ARCH)/minimal/devel && \
+ ostree --repo=./repo summary --update
+
+.PHONY: tree
+tree:
+ rpm-ostree compose tree --repo=./repo --cachedir=./cache --unified-core ../manifest.8-minimal.yaml && \
+ ostree summary --repo=./repo --update
+
+.PHONY: iso
+iso:
+ mock -r $(MOCK_CONFIG) --clean
+ mock -r $(MOCK_CONFIG) --init
+ mock -r $(MOCK_CONFIG) --install lorax ostree
+ mock -r $(MOCK_CONFIG) --copyin $$(pwd)/repo /builddir/repo
+ mock -r $(MOCK_CONFIG) --copyin $$(pwd)/lorax-templates /builddir/lorax-templates
+ mock -r $(MOCK_CONFIG) --enable-network --chroot "cd /builddir && \
+ lorax --product='Rocky Linux OSTree' \
+ --version=$(RELEASE_VER_MAJOR) \
+ --release=$$(date +%Y%m%d) \
+ --variant=R$(RELEASE_VER_MAJOR) \
+ --skip-branding \
+ --installpkgs rocky-release* \
+ --installpkgs rocky-logos-$(RELEASE_VER_MAJOR)* \
+ --installpkgs ostree* \
+ --source=https://dl.rockylinux.org/pub/rocky/$(RELEASE_VER_MAJOR)/BaseOS/$(ARCH)/os/ \
+ --source=https://dl.rockylinux.org/pub/rocky/$(RELEASE_VER_MAJOR)/AppStream/$(ARCH)/os/ \
+ --nomacboot \
+ --volid=$(RELEASE_NAME) \
+ --add-template=/builddir/lorax-templates/lorax-configure-repo.tmpl \
+ --add-template=/builddir/lorax-templates/lorax-embed-repo.tmpl \
+ --add-template-var=ostree_install_repo=file:///builddir/repo \
+ --add-template-var=remote_url=$(DEFAULT_OSTREE_REMOTE) \
+ --add-template-var=default_ref=rockylinux/$(RELEASE_VER_MAJOR)/$(ARCH)/minimal/devel \
+ --logfile=/builddir/lorax.log \
+ --tmp=/builddir/tmp \
+ --rootfs-size=8 \
+ /builddir/completed-iso"
+ mock -r $(MOCK_CONFIG) --copyout /builddir/completed-iso/images/boot.iso $$(pwd)/images/$(RELEASE_NAME).iso
+
+
+.PHONY: test-server
+test-server:
+ podman stop ostree-test-server --ignore && \
+ podman rm ostree-test-server --ignore && \
+ podman run -d \
+ --name=ostree-test-server \
+ -p 9001:80 \
+ -v ./repo:/usr/share/nginx/repo \
+ -v ./nginx.conf:/etc/nginx/nginx.conf \
+ --security-opt label=disable \
+ nginx
+
diff --git a/build/README.md b/build/README.md
new file mode 100644
index 0000000..9d8e07b
--- /dev/null
+++ b/build/README.md
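Review bot: The `mirror` target registers the remote with `--set=gpg-verify=false`, so commits pulled from `$(DEFAULT_OSTREE_REMOTE)` are trusted on TLS alone and become the base for later composes. The same override appears in `lorax-embed-repo.tmpl`, and in `lorax-configure-repo.tmpl` and the kickstart (`--nogpg`, `--no-gpg-verify`), where it is written into the installed system's remote and therefore applies to every later upgrade. If the SIG remote publishes signed commits, import the key instead, e.g. `ostree --repo=./repo remote add rockylinux --gpg-import=<path-to-rocky-ostree-key> $(DEFAULT_OSTREE_REMOTE)`. If it does not yet, a comment such as `# gpg-verify disabled: upstream commits are unsigned (PoC); re-enable before release` keeps the gap visible at each of these places.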
@@ -0,0 +1,59 @@
+## How to Build
+
+### Notes on Building
+- At the moment this config is built manually using the commands below. The end goal will be to incorporate this
+into [Empanadas](https://github.com/rocky-linux/sig-core-toolkit). That being said the build tools provided here should
+be considered a proof of concept at best, and will most likely be removed in the future.
+- Depending on your setup, you may need to run the following commands as root.
+
+### Tree & ISO
+```
+make
+```
+Composes an ostree commit based on the current config, updates the local repo, then creates an installation ISO which embeds the
+local repo. For more control continue reading.
+
+### Tree Composition
+```
+make init
+```
+Sanitizes the build env and creates an empty ostree repo. This step is only needed if you want to start
+fresh. If you wish to build commits on top of existing rocky ostree create a mirror. See `make mirror`.
+
+```
+make mirror
+```
+Sanitizes the build env and mirror the ostree from the rockylinux.org remote. This is useful when you want a known working
+starting point to commit on top of.
+
+```
+make tree
+```
+Composes a new tree commit based on the current manifest(s). At the moment, this is hardcoded to compose `../manifest.8-minimal.yaml`.
+
+### Installer ISO
+```
+make iso
+```
+Creates an installation ISO of the current local tree in `./repo`.
+
+#### Notes
+1. The resulting ISO embeds the newest tree commit (depth 0). Currently, this is hardcoded to the `.../minimal/devel` ref.
+2. The resulting ISO is a standard anaconda installer which will require the user to config users, network, etc. The "special sauce"
+ is the embedded kickstart file that calls `ostreesetup ...`. See `/lorax-templates/lorax-configure-repo.tmpl` or `kickstarts/rockylinux-8-x86_64-minimal-devel.ks` .
+
+### Host Local Repo Server
+```
+make test-server
+```
+Deploys a nginx container to host `./repo` for testing purposes.
+
+Note that you will need to manually add a remote to your ostree installation for this test server. This can be done like so:
+```
+ostree remote add --no-gpg-verify test-server http://your.ip.address.here:9001/
+```
+
+From there you can rebase your installation to the test server like so:
+```
+rpm-ostree rebase --remote test-server -b rockylinux/8/x86_64/minimal/devel
+```
\ No newline at end of file
diff --git a/build/lorax-templates/lorax-configure-repo.tmpl b/build/lorax-templates/lorax-configure-repo.tmpl
new file mode 100644
index 0000000..afdacc0
--- /dev/null
+++ b/build/lorax-templates/lorax-configure-repo.tmpl
@@ -0,0 +1,8 @@
+<%page args="default_ref, remote_url"/>
+append usr/share/anaconda/interactive-defaults.ks "ostreesetup --nogpg --osname=rockylinux --remote=rockylinux --url=file:///ostree/repo --ref=${default_ref}"
+append usr/share/anaconda/interactive-defaults.ks "firewall --use-system-defaults"
+
+append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail"
+append usr/share/anaconda/interactive-defaults.ks "ostree remote delete rockylinux"
+append usr/share/anaconda/interactive-defaults.ks "ostree remote add --no-gpg-verify rockylinux ${remote_url}"
+append usr/share/anaconda/interactive-defaults.ks "%end"
\ No newline at end of file
diff --git a/build/lorax-templates/lorax-embed-repo.tmpl b/build/lorax-templates/lorax-embed-repo.tmpl
new file mode 100644
index 0000000..510d03a
--- /dev/null
+++ b/build/lorax-templates/lorax-embed-repo.tmpl
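Review bot: Nothing in `lorax-configure-repo.tmpl` explains why the generated `%post` deletes the `rockylinux` remote and immediately adds it again. From the lines themselves, `ostreesetup` installs from the embedded `file:///ostree/repo`, so the remote written at install time would otherwise keep pointing at a path that exists only on the ISO. A leading template comment would record that, for example `## Install from the repo embedded in the ISO, then repoint the rockylinux remote at remote_url for upgrades.`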
@@ -0,0 +1,9 @@
+<%page args="root, ostree_install_repo, default_ref"/>
+runcmd mkdir ${root}/ostree
+runcmd ostree --repo=${root}/ostree/repo init --mode=bare
+runcmd ostree --repo=${root}/ostree/repo remote add rockylinux --set=gpg-verify=false ${ostree_install_repo}
+runcmd ostree --repo=${root}/ostree/repo pull --mirror rockylinux ${default_ref}
+runcmd ostree --repo=${root}/ostree/repo summary --update
+runcmd chroot ${root} ls /etc/anaconda/product.d/
+runcmd chroot ${root} sed -i '/Subscription/d' /etc/anaconda/product.d/rhel.conf
+runcmd chroot ${root} sed -i 's/efi_dir = redhat/efi_dir = rocky/' /etc/anaconda/product.d/rhel.conf
\ No newline at end of file
diff --git a/build/nginx.conf b/build/nginx.conf
new file mode 100644
index 0000000..e8aa3a9
--- /dev/null
+++ b/build/nginx.conf
@@ -0,0 +1,27 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ default_type application/octet-stream;
+
+ server {
+ listen 80;
+
+ location / {
+ root /usr/share/nginx/repo;
+ autoindex on;
+ sendfile on;
+ tcp_nopush on;
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/kickstarts/rockylinux-8-x86_64-minimal-devel.ks b/kickstarts/rockylinux-8-x86_64-minimal-devel.ks
new file mode 100644
index 0000000..340e2a5
--- /dev/null
+++ b/kickstarts/rockylinux-8-x86_64-minimal-devel.ks
@@ -0,0 +1,6 @@
+ostreesetup --nogpg --osname=rockylinux --remote=rockylinux --url=https://dl.rockylinux.org/pub/sig/8/ostree/x86_64/standard/ --ref=rockylinux/8/x86_64/minimal/devel
+
+%post --erroronfail
+rm -f /etc/ostree/remotes.d/rockylinux.conf
+ostree remote add --no-gpg-verify rockylinux https://dl.rockylinux.org/pub/sig/8/ostree/x86_64/standard/
+%end
\ No newline at end of file
diff --git a/manifest.8-minimal.yaml b/manifest.8-minimal.yaml
new file mode 100644
index 0000000..9caa4dc
--- /dev/null
+++ b/manifest.8-minimal.yaml
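Review bot: In `lorax-embed-repo.tmpl`, the `sed -i 's/efi_dir = redhat/efi_dir = rocky/'` line exits successfully when the pattern is not found, so a changed `rhel.conf` layout would yield an ISO that still carries `efi_dir = redhat` with no build error. A check after it, such as `runcmd chroot ${root} grep -q 'efi_dir = rocky' /etc/anaconda/product.d/rhel.conf`, would turn that into a failed build, assuming lorax aborts on a non-zero `runcmd`, which is worth confirming. The `ls /etc/anaconda/product.d/` line above it reads like leftover debugging output and could be dropped.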
@@ -0,0 +1,31 @@
+variables:
+ rltype: minimal
+ stream: devel
+ prod: false
+
+releasever: 8
+
+repovars:
+ rltype: ${rltype}
+
+include:
+ - manifests/rocky-common.yaml
+ - manifests/fixes.yaml
+ - manifests/dnf-groups/Minimal_Install.yaml
+
+arch-include:
+ x86_64: manifests/arch/x86_64.yaml
+ aarch64: manifests/arch/aarch64.yaml
+
+exclude-packages:
+ - plymouth #mainly for debugging
+
+postprocess:
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+
+ # Disable services
+ systemctl disable rdisc.service
+ systemctl disable sshd.service
+ systemctl disable sssd-nss.socket
\ No newline at end of file
diff --git a/manifests/arch/aarch64.yaml b/manifests/arch/aarch64.yaml
new file mode 100644
index 0000000..52d3d5a
--- /dev/null
+++ b/manifests/arch/aarch64.yaml
@@ -0,0 +1,17 @@
+# Anything specific to making aarch64 work
+packages:
+ - grub2-efi
+ - ostree-grub2
+ - efibootmgr
+ - shim
+
+# The following packages are specified in a repo specific way.
+# This prevents us from needing to use repo config priorities.
+# Note: This is not necessary for "normal" packages, but will become useful for SIG packages,
+# such as raspberry pi kernel. Doing it now sets a standard and documents the approach.
+repo-packages:
+ packages:
+ - kernel
+ - kernel-modules
+ - kernel-modules-extra
+ repo: baseos
\ No newline at end of file
diff --git a/manifests/arch/x86_64.yaml b/manifests/arch/x86_64.yaml
new file mode 100644
index 0000000..5e05660
--- /dev/null
+++ b/manifests/arch/x86_64.yaml
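Review bot: The `# Disable services` comment in the `manifest.8-minimal.yaml` postprocess script does not say why `sshd.service` is turned off while `openssh-server` stays in the package set (it is listed in `Core.yaml` in this patch). That is a default an operator will trip over on first boot, so the intent should be recorded; if it is deliberate, something like `# sshd ships installed but disabled; enable it explicitly after install` would do. `prod: false` under `variables` is likewise undocumented and, as far as this patch shows, not referenced anywhere.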
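Review bot: In `manifests/arch/aarch64.yaml`, `repo-packages` is written as a single mapping (`packages:` and `repo:` directly under the key), whereas `manifests/arch/x86_64.yaml` in this same patch writes it as a list item (`- packages:`). The rpm-ostree treefile documents `repo-packages` as an array of objects, so the aarch64 compose will most likely fail to parse this file. Indentation is not recoverable from this view, but the missing `- ` is visible. The entry should read `- packages:` with `repo: baseos` aligned under it, matching the x86_64 file.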
@@ -0,0 +1,22 @@
+# Anything specific to making x86_64 work
+packages:
+ - grub2-efi-ia32
+ - grub2-efi-x64
+ - grub2-pc
+ - ostree-grub2
+ - efibootmgr
+ - shim-ia32
+ - shim-x64
+ - microcode_ctl
+ - mcelog
+
+# The following packages are specified in a repo specific way.
+# This prevents us from needing to use repo config priorities.
+# Note: This is not necessary for "normal" packages, but will become useful for SIG packages,
+# such as raspberry pi kernel. Doing it now sets a standard and documents the approach.
+repo-packages:
+ - packages:
+ - kernel
+ - kernel-modules
+ - kernel-modules-extra
+ repo: baseos
diff --git a/manifests/dnf-groups/Core.yaml b/manifests/dnf-groups/Core.yaml
new file mode 100644
index 0000000..d7f5452
--- /dev/null
+++ b/manifests/dnf-groups/Core.yaml
@@ -0,0 +1,87 @@
+# Packages from @Core
+#
+# Exclusions:
+# dnf - Replaced by rpm-ostree
+# yum - Replaced by rpm-ostree
+# dnf-plugins-core - Removed since we don't install dnf
+# plymouth - Removed because rpm-ostree compose can't seem to find it
+
+packages:
+# Mandatory
+ - NetworkManager
+ - audit
+ - basesystem
+ - bash
+ - coreutils
+# - cronie
+ - curl
+ - e2fsprogs
+ - filesystem
+ - firewalld
+ - glibc
+# - grubby
+ - hostname
+# - initscripts
+ - iproute
+ - iprutils
+ - iputils
+# - irqbalance
+ - kbd
+# - kexec-tools
+ - less
+ - man-db
+ - ncurses
+ - openssh-clients
+ - openssh-server
+# - parted
+ - passwd
+ - policycoreutils
+ - procps-ng
+ - rootfiles
+# - rsyslog
+ - selinux-policy-targeted
+ - setup
+ - shadow-utils
+ - sssd-common
+# - sssd-kcm
+ - sudo
+ - systemd
+# - tuned
+ - util-linux
+ - vim-minimal
+# - xfsprogs
+# Default
+# - NetworkManager-team
+# - NetworkManager-tui
+# - authselect
+# - biosdevname
+# - dracut-config-rescue
+# - iwl100-firmware
+# - iwl1000-firmware
+# - iwl105-firmware
+# - iwl135-firmware
+# - iwl2000-firmware
+# - iwl2030-firmware
+# - iwl3160-firmware
+# - iwl5000-firmware
+# - iwl5150-firmware
+# - iwl6000-firmware
+# - iwl6000g2a-firmware
+# - iwl6050-firmware
+# - iwl7260-firmware
+# - kernel-tools
+# - libsysfs
+ - linux-firmware
+# - lshw
+# - lsscsi
+# - microcode_ctl
+ - prefixdevname
+# - sg3_utils
+# - sg3_utils-libs
+# Optional
+# - dracut-config-generic
+# - dracut-network
+# - initial-setup
+# - rdma-core
+# - selinux-policy-mls
+# - tboot
\ No newline at end of file
diff --git a/manifests/dnf-groups/Guest_Agents.yaml b/manifests/dnf-groups/Guest_Agents.yaml
new file mode 100644
index 0000000..650ebc2
--- /dev/null
+++ b/manifests/dnf-groups/Guest_Agents.yaml
@@ -0,0 +1,7 @@
+# Packages from @Guest Agents
+
+packages:
+# Mandatory
+# - hyperv-daemons
+# - open-vm-tools
+# - qemu-guest-agent # rpm-ostree compose tree has a hard time finding this (yes I triple checked my repo settings)
\ No newline at end of file
diff --git a/manifests/dnf-groups/Minimal_Install.yaml b/manifests/dnf-groups/Minimal_Install.yaml
new file mode 100644
index 0000000..3bea8a2
--- /dev/null
+++ b/manifests/dnf-groups/Minimal_Install.yaml
@@ -0,0 +1,9 @@
+# Packages from @Minimal Install
+#
+# Exclusions:
+# see included manifests
+
+include:
+ - Core.yaml
+ - Standard.yaml
+ - Guest_Agents.yaml
\ No newline at end of file
diff --git a/manifests/dnf-groups/README.md b/manifests/dnf-groups/README.md
new file mode 100644
index 0000000..39037ed
--- /dev/null
+++ b/manifests/dnf-groups/README.md
@@ -0,0 +1,12 @@
+# dnf-groups
+These manifest files are organized so that each file represents a DNF group and lists the packages from that group.
+This may seem unnecessary, and in the end it doesn't really matter, but when thinking about rocky ostree in terms of
+a rocky minimal clone it is helpful. Note that at the moment only mandatory and default packages from these groups are
+included.
+
+### Note About Excluded Packages
+You will notice that a handful packages are commented out. Some of which have corresponding comments that explain why
+they are excluded. If something is excluded without a comment it was most likely because it fell into the category of
+"when its included rpm-ostree freaks out or the produced build is broken". In some cases these packages should be
+included and warrant further investigation, however, others will probably be left out in the end regardless.
+
diff --git a/manifests/dnf-groups/Standard.yaml b/manifests/dnf-groups/Standard.yaml
new file mode 100644
index 0000000..2a8141d
--- /dev/null
+++ b/manifests/dnf-groups/Standard.yaml
@@ -0,0 +1,97 @@
+# Packages from @Standard
+#
+# Exclusions:
+# kpatch-dnf - Removed since we don't install dnf
+# plymouth - Removed because rpm-ostree compose can't seem to find it
+#
+# Exlusions due to %post issues: See https://bugzilla.redhat.com/show_bug.cgi?id=1352154#c6 & https://ostreedev.github.io/ostree/adapting-existing/
+# kmod-kvdo
+# vdo (installs kmod-kvdo)
+# psacct
+
+packages:
+# Mandatory
+ - acl
+# - at
+ - attr
+ - bc
+ - cpio
+# - crontabs
+# - cyrus-sasl-plain
+# - dbus
+# - ed
+ - file
+ - iptstate
+# - irqbalance
+# - kpatch
+ - logrotate
+ - lsof
+ - mcelog
+# - microcode_ctl
+# - net-tools
+ - pciutils
+ - quota
+ - rocky-release
+# - rsyslog-gnutls
+# - rsyslog-gssapi
+# - rsyslog-relp
+ - sudo
+# - symlinks
+ - systemd-udev
+ - tar
+ - tree
+# - util-linux-user
+# Default
+ - bash-completion
+# - blktrace
+# - bpftool
+ - bzip2
+ - chrony
+# - cockpit
+ - cryptsetup
+# - dos2unix
+# - dosfstools
+ - ethtool
+# - fprintd-pam
+ - gnupg2
+# - ledmon
+# - libstoragemgmt
+ - lvm2
+# - mailcap
+ - man-pages
+ - mdadm
+# - mlocate
+ - mtr
+ - nano
+# - nmap-ncat
+# - nvme-cli
+# - pinfo
+# - plymouth
+ - realmd
+ - rsync
+# - smartmontools
+ - sos
+ - sssd
+# - strace
+# - tcpdump
+# - teamd
+ - time
+ - unzip
+ - usbutils
+# - vim-enhanced
+# - virt-what
+ - wget
+ - which
+# - xfsdump
+ - zip
+# Optional
+# - cifs-utils
+# - cockpit-doc
+# - fwupd
+# - fwupdate
+# - ima-evm-utils
+# - nfs-utils
+# - nvmetcli
+# - traceroute
+# - vdo-support
+# - zsh
\ No newline at end of file
diff --git a/manifests/fixes.yaml b/manifests/fixes.yaml
new file mode 100644
index 0000000..f38e9be
--- /dev/null
+++ b/manifests/fixes.yaml
@@ -0,0 +1,30 @@
+# Any workarounds should go here.
+# Please include an explanation of any workaround you implement. Hint: Links are great. :)
+
+packages:
+ - nss-altfiles # see: https://github.com/osbuild/osbuild-composer/issues/1763
+
+postprocess:
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+
+ #TODO: Make this an overlay like fedora-coreos - see https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/systemd/journald.conf.d/10-coreos-persistent.conf
+ # Work around https://bugzilla.redhat.com/show_bug.cgi?id=1265295
+ # From https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/systemd/journald.conf.d/10-coreos-persistent.conf
+ install -dm0755 /usr/lib/systemd/journald.conf.d/
+ echo -e "[Journal]\nStorage=persistent" > /usr/lib/systemd/journald.conf.d/10-persistent.conf
+
+ # See: https://src.fedoraproject.org/rpms/glibc/pull-request/4
+ # Basically that program handles deleting old shared library directories
+ # mid-transaction, which never applies to rpm-ostree. This is structured as a
+ # loop/glob to avoid hardcoding (or trying to match) the architecture.
+ for x in /usr/sbin/glibc_post_upgrade.*; do
+ if test -f ${x}; then
+ ln -srf /usr/bin/true ${x}
+ fi
+ done
+
+ # THIS IS ONLY NEEDED FOR 8.6 AND LOWER
+ # Workaround for https://github.com/coreos/rpm-ostree/pull/3623 which is not included until rpm-ostree v2022.08
+ # sed -i 's/InaccessiblePaths=/InaccessiblePaths=-/g' /usr/lib/systemd/system/rpm-ostreed.service
\ No newline at end of file
diff --git a/manifests/group b/manifests/group
new file mode 100644
index 0000000..774a67b
--- /dev/null
+++ b/manifests/group
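Review bot: In the `glibc_post_upgrade` loop of the `fixes.yaml` postprocess script, `${x}` is unquoted in both `test -f ${x}` and `ln -srf /usr/bin/true ${x}`. The glob as written is unlikely to yield a path containing whitespace, but the script runs as root over the whole tree and quoting costs nothing. The two lines would read `if test -f "${x}"; then` and `ln -srf /usr/bin/true "${x}"`.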
@@ -0,0 +1,44 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+users:x:100:
+nobody:x:65534:
+dbus:x:81:
+utmp:x:22:
+utempter:x:35:
+input:x:999:
+kvm:x:36:
+render:x:998:
+systemd-journal:x:190:
+systemd-coredump:x:997:
+systemd-resolve:x:193:
+cgred:x:996:
+polkitd:x:995:
+ssh_keys:x:994:
+rpc:x:32:
+sssd:x:993:
+printadmin:x:992:
+rpcuser:x:29:
+chrony:x:991:
+sshd:x:74:
+docker:x:990:
+banana:x:3076:
diff --git a/manifests/passwd b/manifests/passwd
new file mode 100644
index 0000000..bb23079
--- /dev/null
+++ b/manifests/passwd
@@ -0,0 +1,22 @@
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
+systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
+polkitd:x:998:995:User for polkitd:/:/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+sssd:x:997:993:User for sssd:/:/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+chrony:x:996:991::/var/lib/chrony:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
\ No newline at end of file
diff --git a/manifests/rocky-common.yaml b/manifests/rocky-common.yaml
new file mode 100644
index 0000000..b8173e9
--- /dev/null
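Review bot: The last two entries of `manifests/group`, `docker:x:990:` and `banana:x:3076:`, have no counterpart in `manifests/passwd` or in any package list in this patch, and look as if they were copied from a development host. Because `rocky-common.yaml` points `check-groups` at this file, whatever is listed here becomes part of the pinned group/GID baseline for every compose. Unless something in the tree actually needs them, both lines should be dropped.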
+++ b/manifests/rocky-common.yaml
@@ -0,0 +1,47 @@
+# Common rpm-ostree compose settings belong here.
+ref: rockylinux/${releasever}/${basearch}/${rltype}/${stream}
+
+rojig:
+ name: rocky-ostree-config
+ summary: "Rocky Linux OSTree ${releasever}-${rltype}-${stream}"
+ license: MIT
+
+repos:
+ - baseos
+ - appstream
+
+automatic_version_prefix: "${releasever}/${rltype}/${stream} "
+boot-location: modules
+cliwrap: true
+default_target: multi-user.target
+documentation: false
+mutate-os-release: "${releasever}-${rltype}-${stream}"
+readonly-executables: true
+selinux: true
+tmp-is-dir: true
+recommends: false
+etc-group-members:
+ - wheel
+
+ignore-removed-users:
+ - root
+ignore-removed-groups:
+ - root
+
+check-passwd:
+ type: file
+ filename: passwd
+check-groups:
+ type: file
+ filename: group
+
+units:
+ - getty@tty1.service
+
+# Packages required by Rocky OSTree
+packages:
+ - rocky-gpg-keys
+ - rocky-release
+ - rocky-repos
+ - rocky-logos
+ - rpm-ostree
\ No newline at end of file
diff --git a/rocky.repo b/rocky.repo
new file mode 100644
index 0000000..5146644
--- /dev/null
+++ b/rocky.repo
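Review bot: `rojig.license` in `rocky-common.yaml` is set to `MIT`, but the top-level `LICENSE` file added by this same patch says `BSD-3`. One of the two is presumably wrong. If the repository is meant to be BSD-3-licensed, the line should read `license: BSD-3-Clause`; if the rojig metadata is intentionally different, a comment saying so would avoid the question.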
@@ -0,0 +1,33 @@
+[baseos]
+name=Rocky Linux $releasever - BaseOS
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
+baseurl=https://dl.rockylinux.org/pub/rocky/$releasever/BaseOS/$basearch/os/
+gpgcheck=0
+enabled=1
+countme=1
+
+[appstream]
+name=Rocky Linux $releasever - AppStream
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/rocky/$releasever/AppStream/$basearch/os/
+gpgcheck=0
+enabled=1
+countme=1
+
+[altarch-common]
+name=Rocky Linux $releasever - Raspberry Pi
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/sig/$releasever/altarch/aarch64/altarch-common/
+gpgcheck=0
+enabled=1
+countme=1
+
+[altarch-rockyrpi]
+name=Rocky Linux $releasever - Raspberry Pi
+#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
+baseurl=https://dl.rockylinux.org/pub/sig/$releasever/altarch/aarch64/altarch-rockyrpi/
+gpgcheck=0
+enabled=1
+countme=1
+
+#TODO: Define the rest
\ No newline at end of file
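Review bot: All four sections of `rocky.repo` set `gpgcheck=0`, so the RPMs pulled for the compose (presumably via the `repos:` list in `rocky-common.yaml`) are not signature-checked, and the integrity of every resulting commit rests on TLS to `dl.rockylinux.org` alone. Each section should use `gpgcheck=1` together with a `gpgkey=<path-or-URL-of-the-Rocky-release-key>` line; the SIG altarch repos may be signed with a different key than BaseOS/AppStream, which is worth confirming. Separately, both `altarch-*` sections share the same `name=` and carry a commented `mirrorlist` copied from AppStream.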