diff --git a/.cci.jenkinsfile b/.cci.jenkinsfile index 82d958b285..07553f4633 100644 --- a/.cci.jenkinsfile +++ b/.cci.jenkinsfile @@ -3,6 +3,8 @@ cosaPod { checkoutToDir(scm, 'config') + def basearch = shwrapCapture("cosa basearch") + shwrap("cd config && ci/validate") shwrap(""" @@ -14,7 +16,18 @@ cosaPod { cosa buildprep https://builds.coreos.fedoraproject.org/prod/streams/${env.CHANGE_TARGET}/builds """) - fcosBuild(skipInit: true, extraFetchArgs: '--with-cosa-overrides') + // use a --parent-build arg so we can diff later and it matches prod + def parent_arg = "" + def parent_commit = "" + if (shwrapRc("test -e /srv/fcos/builds/latest/${basearch}/meta.json") == 0) { + shwrap("cp /srv/fcos/builds/latest/${basearch}/meta.json .") // readJSON wants it in the WORKSPACE + def meta = readJSON file: "meta.json" + def version = meta["buildid"] + parent_arg = "--parent-build ${version}" + parent_commit = meta["ostree-commit"] + } + + fcosBuild(skipInit: true, extraFetchArgs: '--with-cosa-overrides', extraArgs: parent_arg) parallel metal: { shwrap("cd /srv/fcos && cosa buildextend-metal") @@ -33,7 +46,17 @@ cosaPod { } // also print the pkgdiff as a separate stage to make it more visible - stage("RPM Diff") { - shwrap("jq .pkgdiff /srv/fcos/builds/latest/x86_64/meta.json") + if (parent_arg != "") { + stage("RPM Diff") { + shwrap(""" + cd /srv/fcos + new_commit=\$(jq -r '.["ostree-commit"]' builds/latest/${basearch}/meta.json) + rpm-ostree db diff --repo tmp/repo ${parent_commit} \${new_commit} | tee tmp/diff.txt + if grep -q Downgraded tmp/diff.txt; then + echo "Downgrade detected. This is likely unintentional. If not, you may safely ignore this error." + exit 1 + fi + """) + } } } diff --git a/ci/buildroot/Dockerfile b/ci/buildroot/Dockerfile index 6c52fcdf49..a3dc9a67be 100644 --- a/ci/buildroot/Dockerfile +++ b/ci/buildroot/Dockerfile 
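Review bot: The downgrade gate in the new `RPM Diff` stage depends on a pipeline, `rpm-ostree db diff ... | tee tmp/diff.txt`, and this hunk does not show whether `shwrap` enables `pipefail`. If it does not, a failing `db diff` leaves `tmp/diff.txt` without any diff output, `grep -q Downgraded` finds nothing, and the stage passes without having compared anything. Putting `set -o pipefail` at the top of the script would make that failure visible. The stage is also skipped silently when `parent_arg` is empty, so an `else` branch that echoes `No parent build found; skipping downgrade check` would keep a missing check from looking like a clean one.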
@@ -6,8 +6,5 @@ # This image is used by CoreOS CI to build software like # Ignition, rpm-ostree, ostree, coreos-installer, etc... FROM registry.fedoraproject.org/fedora:33 -USER root -WORKDIR /root/containerbuild -COPY . tmp -RUN ./tmp/install-buildroot.sh && yum clean all && rm tmp -rf -WORKDIR /root +COPY . /src +RUN ./src/install-buildroot.sh && yum clean all && rm /src -rf # nocache 20210406 diff --git a/ci/buildroot/buildroot-reqs.txt b/ci/buildroot/buildroot-reqs.txt index 946f8eedc0..9fa769516c 100644 --- a/ci/buildroot/buildroot-reqs.txt +++ b/ci/buildroot/buildroot-reqs.txt @@ -28,12 +28,18 @@ xz # For rust projects like rpm-ostree rustfmt +# For unit tests at least. +ostree + # A super common tool jq # Used by ostree/rpm-ostree CI (TODO: add to something like TestBuildRequires in spec files) attr +rsync +python3-pyyaml parallel gjs +createrepo_c # Also, add clang since it's useful at least in CI for C/C++ projects clang lld @@ -41,3 +47,6 @@ clang lld libubsan libasan libtsan # And all C/C++ projects should use clang-analyzer clang-analyzer + +# We don't want zombies in our pods +dumb-init diff --git a/image-base.yaml b/image-base.yaml index 6e83494bd7..1aabf6ace6 100644 --- a/image-base.yaml +++ b/image-base.yaml @@ -1,3 +1,6 @@ +# This file is shared by all streams. For a stream-specific change, use +# image.yaml instead. + # Target disk size in GB. # Make it at least 10G because we want the rootfs to be at least 8G: # https://github.com/coreos/fedora-coreos-tracker/issues/586 @@ -6,9 +9,6 @@ size: 10 extra-kargs: # Disable SMT on systems vulnerable to MDS or any similar future issue. - mitigations=auto,nosmt - # https://github.com/coreos/fedora-coreos-tracker/issues/292 - # https://fedoraproject.org/wiki/Changes/CGroupsV2 - - systemd.unified_cgroup_hierarchy=0 # Disable networking by default on firstboot. We can drop this once cosa stops # defaulting to `ip=dhcp,dhcp6 rd.neednet=1` when it doesn't see this key. 
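Review bot: `RUN ./src/install-buildroot.sh` uses a relative path now that the `WORKDIR` lines are gone, so it finds the script copied to `/src` only while the base image's working directory is `/`. The absolute form, `RUN /src/install-buildroot.sh && yum clean all && rm /src -rf`, removes that dependency on the base image. Dropping `USER root` likewise relies on `fedora:33` defaulting to root; a one-line comment saying so would help anyone who later changes the `FROM` line.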
diff --git a/image.yaml b/image.yaml index 1bf800cca2..8f79a3abde 100644 --- a/image.yaml +++ b/image.yaml @@ -2,3 +2,8 @@ # similarly to manifest.yaml. Unlike image-base.yaml, which is shared by all # streams. include: image-base.yaml + +extra-kargs: + # https://github.com/coreos/fedora-coreos-tracker/issues/292 + # https://fedoraproject.org/wiki/Changes/CGroupsV2 + - systemd.unified_cgroup_hierarchy=0 diff --git a/manifest-lock.overrides.yaml b/manifest-lock.overrides.yaml index 19da4bbf30..91ebc1e8bd 100644 --- a/manifest-lock.overrides.yaml +++ b/manifest-lock.overrides.yaml 
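Review bot: `image.yaml` now defines its own `extra-kargs` while the included `image-base.yaml` still carries `mitigations=auto,nosmt` under the same key, and nothing on this page shows whether the two lists are merged or the including file wins. If the key were replaced rather than appended, this stream would lose the SMT mitigation karg without any build error. A comment such as `# Appended to the extra-kargs inherited from image-base.yaml` would record the intended behaviour, and the new `/proc/cmdline` check in tests/kola/misc-ro could also assert that the `mitigations=` karg is still present.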
@@ -22,25 +22,42 @@ packages: evr: 5.10.19-200.fc33 kernel-modules: evr: 5.10.19-200.fc33 - # Fast-track coreos-installer release - # https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a0ce6189e - coreos-installer: - evr: 0.8.0-1.fc33 - coreos-installer-bootinfra: - evr: 0.8.0-1.fc33 + # Fast-track console-login-helper-messages release + # https://bodhi.fedoraproject.org/updates/FEDORA-2021-cf005d6480 + # New updates in console-login-helper-messages v0.21.2 fixes + # the console prompt being left solid white after displaying + # the OS release MOTD. + # https://github.com/coreos/fedora-coreos-tracker/issues/750 + console-login-helper-messages: + evra: 0.21.2-1.fc33.noarch + console-login-helper-messages-issuegen: + evra: 0.21.2-1.fc33.noarch + console-login-helper-messages-motdgen: + evra: 0.21.2-1.fc33.noarch + console-login-helper-messages-profile: + evra: 0.21.2-1.fc33.noarch # Fast-track new podman release to fix podman cp: # https://github.com/coreos/fedora-coreos-tracker/issues/771 # https://bodhi.fedoraproject.org/updates/FEDORA-2021-e70b450680 - # Also new podman needs newer crun, so bump that too. podman: evr: 2:3.1.0-2.fc33 podman-plugins: evr: 2:3.1.0-2.fc33 - crun: - evr: 0.18-5.fc33 - # Fast-track openssl for recent CVE-2021-3449, CVE-2021-3450 - # https://bodhi.fedoraproject.org/updates/FEDORA-2021-d049f32a82 - openssl: - evr: 1:1.1.1k-1.fc33 - openssl-libs: - evr: 1:1.1.1k-1.fc33 + # Fast-track new coreos-installer release + # https://bodhi.fedoraproject.org/updates/FEDORA-2021-c67cfeca62 + coreos-installer: + evr: 0.9.0-2.fc33 + coreos-installer-bootinfra: + evr: 0.9.0-2.fc33 + # Fast-track new afterburn release + # https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb2a204001 + afterburn: + evr: 5.0.0-1.fc33 + afterburn-dracut: + evr: 5.0.0-1.fc33 + # Fast-track rpm-ostree for CVE-2021-3445 + # https://bodhi.fedoraproject.org/updates/FEDORA-2021-eadfc56b95 + rpm-ostree: + evr: 2021.4-1.fc33 + rpm-ostree-libs: + evr: 2021.4-1.fc33 
diff --git a/manifest-lock.x86_64.json b/manifest-lock.x86_64.json index 2ba3a8dd40..132482cbad 100644 --- a/manifest-lock.x86_64.json +++ b/manifest-lock.x86_64.json @@ -118,19 +118,19 @@ "evra": "2:2.0.26-1.fc33.x86_64" }, "console-login-helper-messages": { - "evra": "0.21.1-2.fc33.noarch" + "evra": "0.21.2-1.fc33.noarch" }, "console-login-helper-messages-issuegen": { - "evra": "0.21.1-2.fc33.noarch" + "evra": "0.21.2-1.fc33.noarch" }, "console-login-helper-messages-motdgen": { - "evra": "0.21.1-2.fc33.noarch" + "evra": "0.21.2-1.fc33.noarch" }, "console-login-helper-messages-profile": { - "evra": "0.21.1-2.fc33.noarch" + "evra": "0.21.2-1.fc33.noarch" }, "container-selinux": { - "evra": "2:2.158.0-1.fc33.noarch" + "evra": "2:2.160.0-1.fc33.noarch" }, "containerd": { "evra": "1.4.4-1.fc33.x86_64" @@ -142,10 +142,10 @@ "evra": "4:1-9.fc33.noarch" }, "coreos-installer": { - "evra": "0.8.0-1.fc33.x86_64" + "evra": "0.9.0-2.fc33.x86_64" }, "coreos-installer-bootinfra": { - "evra": "0.8.0-1.fc33.x86_64" + "evra": "0.9.0-2.fc33.x86_64" }, "coreutils": { "evra": "8.32-18.fc33.x86_64" @@ -166,7 +166,7 @@ "evra": "3.15-1.fc33.x86_64" }, "crun": { - "evra": "0.18-1.fc33.x86_64" + "evra": "0.18-5.fc33.x86_64" }, "crypto-policies": { "evra": "20200918-1.git85dccc5.fc33.noarch" @@ -181,7 +181,7 @@ "evra": "1:2.3.3op2-3.fc33.x86_64" }, "curl": { - "evra": "7.71.1-8.fc33.x86_64" + "evra": "7.71.1-9.fc33.x86_64" }, "cyrus-sasl-gssapi": { "evra": "2.1.27-6.fc33.x86_64" @@ -271,7 +271,7 @@ "evra": "0.0.4-7.fc33.x86_64" }, "fedora-gpg-keys": { - "evra": "33-3.noarch" + "evra": "33-4.noarch" }, "fedora-release-common": { "evra": "33-3.noarch" 
@@ -283,16 +283,16 @@ "evra": "33-3.noarch" }, "fedora-repos": { - "evra": "33-3.noarch" + "evra": "33-4.noarch" }, "fedora-repos-archive": { - "evra": "33-3.noarch" + "evra": "33-4.noarch" }, "fedora-repos-modular": { - "evra": "33-3.noarch" + "evra": "33-4.noarch" }, "fedora-repos-ostree": { - "evra": "33-3.noarch" + "evra": "33-4.noarch" }, "file": { "evra": "5.39-3.fc33.x86_64" @@ -310,7 +310,7 @@ "evra": "0.8.6-1.fc33.noarch" }, "flatpak-session-helper": { - "evra": "1.10.2-1.fc33.x86_64" + "evra": "1.10.2-2.fc33.x86_64" }, "fstrm": { "evra": "0.6.0-1.fc33.x86_64" @@ -325,7 +325,7 @@ "evra": "2.9.9-10.fc33.x86_64" }, "fuse-overlayfs": { - "evra": "1.4.0-1.fc33.x86_64" + "evra": "1.5.0-1.fc33.x86_64" }, "fuse-sshfs": { "evra": "3.7.1-1.fc33.x86_64" @@ -337,7 +337,7 @@ "evra": "3.9.4-1.fc33.x86_64" }, "fwupd": { - "evra": "1.5.7-1.fc33.x86_64" + "evra": "1.5.8-1.fc33.x86_64" }, "gawk": { "evra": "5.1.0-2.fc33.x86_64" @@ -382,22 +382,22 @@ "evra": "3.4-5.fc33.x86_64" }, "grub2-common": { - "evra": "1:2.04-33.fc33.noarch" + "evra": "1:2.06~rc1-1.fc33.noarch" }, "grub2-efi-x64": { - "evra": "1:2.04-33.fc33.x86_64" + "evra": "1:2.06~rc1-1.fc33.x86_64" }, "grub2-pc": { - "evra": "1:2.04-33.fc33.x86_64" + "evra": "1:2.06~rc1-1.fc33.x86_64" }, "grub2-pc-modules": { - "evra": "1:2.04-33.fc33.noarch" + "evra": "1:2.06~rc1-1.fc33.noarch" }, "grub2-tools": { - "evra": "1:2.04-33.fc33.x86_64" + "evra": "1:2.06~rc1-1.fc33.x86_64" }, "grub2-tools-minimal": { - "evra": "1:2.04-33.fc33.x86_64" + "evra": "1:2.06~rc1-1.fc33.x86_64" }, "gzip": { "evra": "1.10-3.fc33.x86_64" @@ -406,7 +406,7 @@ "evra": "3.23-3.fc33.x86_64" }, "hwdata": { - "evra": "0.345-1.fc33.noarch" + "evra": "0.346-1.fc33.noarch" }, "ignition": { "evra": "2.9.0-4.fc33.x86_64" @@ -547,7 +547,7 @@ "evra": "1.45.6-4.fc33.x86_64" }, "libcurl": { - "evra": "7.71.1-8.fc33.x86_64" + "evra": "7.71.1-9.fc33.x86_64" }, "libdaemon": { "evra": "0.14-20.fc33.x86_64" 
@@ -628,13 +628,13 @@ "evra": "1.3.5-13.fc33.x86_64" }, "libldb": { - "evra": "2.2.0-4.fc33.x86_64" + "evra": "2.2.1-1.fc33.x86_64" }, "libluksmeta": { "evra": "9-8.fc33.x86_64" }, "libmaxminddb": { - "evra": "1.5.0-1.fc33.x86_64" + "evra": "1.5.2-1.fc33.x86_64" }, "libmetalink": { "evra": "0.1.3-13.fc33.x86_64" @@ -727,7 +727,7 @@ "evra": "2.36.1-1.fc33.x86_64" }, "libsmbclient": { - "evra": "2:4.13.5-0.fc33.x86_64" + "evra": "2:4.13.7-0.fc33.x86_64" }, "libsmbios": { "evra": "2.4.3-1.fc33.x86_64" @@ -802,7 +802,7 @@ "evra": "0.3.0-10.fc33.x86_64" }, "libwbclient": { - "evra": "2:4.13.5-0.fc33.x86_64" + "evra": "2:4.13.7-0.fc33.x86_64" }, "libxcrypt": { "evra": "4.4.18-1.fc33.x86_64" @@ -925,19 +925,19 @@ "evra": "8.4p1-5.fc33.x86_64" }, "openssl": { - "evra": "1:1.1.1j-1.fc33.x86_64" + "evra": "1:1.1.1k-1.fc33.x86_64" }, "openssl-libs": { - "evra": "1:1.1.1j-1.fc33.x86_64" + "evra": "1:1.1.1k-1.fc33.x86_64" }, "os-prober": { "evra": "1.77-6.fc33.x86_64" }, "ostree": { - "evra": "2020.8-1.fc33.x86_64" + "evra": "2021.1-2.fc33.x86_64" }, "ostree-libs": { - "evra": "2020.8-1.fc33.x86_64" + "evra": "2021.1-2.fc33.x86_64" }, "p11-kit": { "evra": "0.23.22-2.fc33.x86_64" @@ -979,10 +979,10 @@ "evra": "1.7.3-5.fc33.x86_64" }, "podman": { - "evra": "2:3.0.1-1.fc33.x86_64" + "evra": "2:3.1.0-2.fc33.x86_64" }, "podman-plugins": { - "evra": "2:3.0.1-1.fc33.x86_64" + "evra": "2:3.1.0-2.fc33.x86_64" }, "policycoreutils": { "evra": "3.1-4.fc33.x86_64" @@ -1024,10 +1024,10 @@ "evra": "1.2.5-5.rc1.fc33.3.x86_64" }, "rpm": { - "evra": "4.16.1.2-1.fc33.x86_64" + "evra": "4.16.1.3-1.fc33.x86_64" }, "rpm-libs": { - "evra": "4.16.1.2-1.fc33.x86_64" + "evra": "4.16.1.3-1.fc33.x86_64" }, "rpm-ostree": { "evra": "2021.3-2.fc33.x86_64" 
@@ -1036,34 +1036,34 @@ "evra": "2021.3-2.fc33.x86_64" }, "rpm-plugin-selinux": { - "evra": "4.16.1.2-1.fc33.x86_64" + "evra": "4.16.1.3-1.fc33.x86_64" }, "rsync": { "evra": "3.2.3-3.fc33.x86_64" }, "runc": { - "evra": "2:1.0.0-279.dev.gitdedadbf.fc33.x86_64" + "evra": "2:1.0.0-375.dev.git12644e6.fc33.x86_64" }, "samba-client-libs": { - "evra": "2:4.13.5-0.fc33.x86_64" + "evra": "2:4.13.7-0.fc33.x86_64" }, "samba-common": { - "evra": "2:4.13.5-0.fc33.noarch" + "evra": "2:4.13.7-0.fc33.noarch" }, "samba-common-libs": { - "evra": "2:4.13.5-0.fc33.x86_64" + "evra": "2:4.13.7-0.fc33.x86_64" }, "samba-libs": { - "evra": "2:4.13.5-0.fc33.x86_64" + "evra": "2:4.13.7-0.fc33.x86_64" }, "sed": { "evra": "4.8-5.fc33.x86_64" }, "selinux-policy": { - "evra": "3.14.6-35.fc33.noarch" + "evra": "3.14.6-36.fc33.noarch" }, "selinux-policy-targeted": { - "evra": "3.14.6-35.fc33.noarch" + "evra": "3.14.6-36.fc33.noarch" }, "setup": { "evra": "2.13.7-2.fc33.noarch" @@ -1177,7 +1177,7 @@ "evra": "2.36.1-1.fc33.x86_64" }, "vim-minimal": { - "evra": "2:8.2.2637-1.fc33.x86_64" + "evra": "2:8.2.2735-1.fc33.x86_64" }, "which": { "evra": "2.21-20.fc33.x86_64" @@ -1201,7 +1201,7 @@ "evra": "1.1.9-1.fc33.x86_64" }, "zincati": { - "evra": "0.0.18-1.fc33.x86_64" + "evra": "0.0.19-1.fc33.x86_64" }, "zlib": { "evra": "1.2.11-23.fc33.x86_64" @@ -1211,16 +1211,16 @@ } }, "metadata": { - "generated": "2021-03-28T21:07:35Z", + "generated": "2021-04-12T13:15:09Z", "rpmmd_repos": { "fedora": { "generated": "2020-10-19T23:27:19Z" }, "fedora-coreos-pool": { - "generated": "2021-03-27T21:49:39Z" + "generated": "2021-04-09T13:35:48Z" }, "fedora-updates": { - "generated": "2021-03-28T17:15:17Z" + "generated": "2021-04-11T14:37:20Z" } } } diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml index ad07f231c7..2dc6e9a45a 100644 --- a/manifests/fedora-coreos-base.yaml +++ b/manifests/fedora-coreos-base.yaml 
@@ -99,6 +99,18 @@ postprocess: DNSStubListener=no EOF + # Disable and delete the coreos-reset-stub-resolv-selinux-context.{path,service}. + # Not needed in Fedora 34 since https://github.com/systemd/systemd/pull/17976 has landed. + # Can remove this and the files in the overlay once we've migrated everything to F34. + - | + #!/usr/bin/env bash + set -xeuo pipefail + source /etc/os-release + if [ ${VERSION_ID} -ge 34 ]; then + rm -fv /etc/systemd/system/multi-user.target.wants/coreos-reset-stub-resolv-selinux-context.{path,service} \ + /usr/lib/systemd/system/coreos-reset-stub-resolv-selinux-context.{path,service} + fi + # Set the fallback hostname to `localhost`. This piggybacks on the # postprocess script above which neuters systemd-resolved, because # currently, a fallback hostname of `localhost` + systemd-resolved breaks @@ -125,6 +137,9 @@ postprocess: echo 'MOTD_FILE=/usr/share/misc/motd:/run/motd:/run/motd.d:/etc/motd:/etc/motd.d' >> /etc/login.defs fi +# Packages listed here should be specific to Fedore CoreOS (as in not yet +# available in RHCOS or not desired in RHCOS). All other packages should go +# into one of the sub-manifests listed at the top. packages: # Security - polkit @@ -137,7 +152,7 @@ packages: - fuse-overlayfs slirp4netns # name resolution for podman containers # https://github.com/coreos/fedora-coreos-tracker/issues/519 - - podman-plugins + - podman-plugins dnsmasq # Remote IPC for podman - libvarlink-util # Minimal NFS client @@ -167,7 +182,7 @@ packages: # file-transfer: note fuse-sshfs is not in RHEL # so we can't put it in file-transfer.yaml - fuse-sshfs - # User experience + # Improved MOTD experience - console-login-helper-messages-motdgen # i18n - kbd diff --git a/manifests/system-configuration.yaml b/manifests/system-configuration.yaml index e5a0c3c7d5..5b4bb68795 100644 --- a/manifests/system-configuration.yaml +++ b/manifests/system-configuration.yaml 
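Review bot: The version test `[ ${VERSION_ID} -ge 34 ]` in the new postprocess script is unquoted and assumes `VERSION_ID` from /etc/os-release is always a plain integer. If the value were empty or non-numeric, `[` would report an error that the `if` treats as false, so the units would be left in place with no build failure despite `set -e`. Quoting it, `if [ "${VERSION_ID}" -ge 34 ]; then`, at least keeps the test well-formed for an empty value.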
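Review bot: The comment added above `packages:` misspells the product name as `Fedore CoreOS`; it should read `Fedora CoreOS`. This comment is the guidance people will search for when deciding whether a package belongs here or in a sub-manifest, so it is worth fixing before merge.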
@@ -10,9 +10,10 @@ packages: # Installing CoreOS itself - coreos-installer coreos-installer-bootinfra # Storage configuration/management + ## cloud-utils-growpart - For growing root partition - cifs-utils - cloud-utils-growpart - - cryptsetup + - cryptsetup - device-mapper-multipath - e2fsprogs - iscsi-initiator-utils @@ -25,11 +26,11 @@ packages: - shadow-utils # SELinux policy - selinux-policy-targeted - # There are things that write outside of the journal still (such as the - # classic wtmp, etc.) - #(auditd also writes outside the journal but it has its own log rotation.) + # There are things that write outside of the journal still (such as the + # classic wtmp, etc.). auditd also writes outside the journal but it has its + # own log rotation. # Anything package layered will also tend to expect files dropped in - # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't + # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't # have it then people's disks will slowly fill up with logs. - logrotate # Boost starving threads diff --git a/manifests/user-experience.yaml b/manifests/user-experience.yaml index 60ce67d593..1874669071 100644 --- a/manifests/user-experience.yaml +++ b/manifests/user-experience.yaml @@ -13,7 +13,7 @@ packages: - sudo - vim-minimal # File compression/decompression - ## (bsdtar - dependency of 35coreos-live dracut module) + ## bsdtar - dependency of 35coreos-live dracut module - bsdtar - bzip2 - gzip @@ -22,8 +22,6 @@ packages: # Improved MOTD experience - console-login-helper-messages-issuegen - console-login-helper-messages-profile - # DNS/DHCP server - - dnsmasq # kdump support # https://github.com/coreos/fedora-coreos-tracker/issues/622 - kexec-tools diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/coreos-livepxe-rootfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/coreos-livepxe-rootfs.sh index 05824f3f24..0bc4e893bc 100755 
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/coreos-livepxe-rootfs.sh +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/coreos-livepxe-rootfs.sh @@ -30,11 +30,24 @@ elif [[ -n "${rootfs_url}" ]]; then echo "Please fix your PXE configuration." >&2 exit 1 fi + + # First, reach out to the server to verify connectivity before + # trying to download and pipe content through other programs. + # Doing this allows us to retry all errors (including transient + # "no route to host" errors during startup), without using the + # --retry-all-errors, which is problematic (see curl man page) + # when piping the output. + curl_common_args="--silent --show-error --insecure --location --retry 5" + if ! curl --head --retry-all-errors $curl_common_args "${rootfs_url}" >/dev/null; then + echo "Couldn't establish connectivity with the server specified by coreos.live.rootfs_url=" >&2 + echo "Check that the URL is correct and can be reached." >&2 + exit 1 + fi # We don't need to verify TLS certificates because we're checking the # image hash. # bsdtar can read cpio archives and we already depend on it for # coreos-liveiso-persist-osmet.service, so use it instead of cpio. - if ! curl --silent --show-error --insecure --location --retry 5 "${rootfs_url}" | \ + if ! curl $curl_common_args "${rootfs_url}" | \ rdcore stream-hash /etc/coreos-live-want-rootfs | \ bsdtar -xf - -C / ; then echo "Couldn't fetch, verify, and unpack image specified by coreos.live.rootfs_url=" >&2 diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-network.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-network.service index 9f9cc92e4b..e7ba08d153 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-network.service +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-network.service 
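Review bot: `--insecure` now lives in `curl_common_args` and is shared by the new `--head` probe, but the comment that justifies it (`We don't need to verify TLS certificates because we're checking the image hash`) still sits further down, next to the download. That justification holds only for the transfer piped through `rdcore stream-hash`; the probe is harmless solely because its response is discarded. I would move the rationale up to the variable, e.g. `# --insecure is acceptable only because the payload is verified by rdcore stream-hash below; the HEAD response is discarded`, so that a later reuse of `curl_common_args` for unverified content gets noticed. The probe also runs without `--fail`, so it appears to confirm reachability rather than that the URL exists, which matches the error text but is worth stating in the comment. The enclosing `elif` block starts and ends outside the hunk.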
@@ -7,10 +7,11 @@ After=basic.target # Triggering conditions for cases where we need network: # * when Ignition signals that it is required for provisioning. # * on live systems fetching the remote rootfs in initramfs. -# * on Azure, for hostname fetching (metadata endpoint) and boot check-in (wireserver). +# * on Azure and Azure Stack Hub, for hostname fetching (metadata endpoint) and boot check-in (wireserver). ConditionPathExists=|/run/ignition/neednet ConditionKernelCommandLine=|coreos.live.rootfs_url ConditionKernelCommandLine=|ignition.platform.id=azure +ConditionKernelCommandLine=|ignition.platform.id=azurestack # Creates /run/ignition/neednet After=ignition-fetch-offline.service diff --git a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset index 9299d17f89..871d19565e 100644 --- a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset +++ b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset @@ -22,3 +22,4 @@ enable bootupd.socket # The event for the attached device comes as a diag event. # Ideally it should have been added as part of base Fedora - but since it was arch specific, it was not added: https://bugzilla.redhat.com/show_bug.cgi?id=1433859 enable rtas_errd.service +enable clevis-luks-askpass.path diff --git a/overlay.d/12kdump/usr/lib/systemd/system/kdump.service.d/remount-boot.conf b/overlay.d/12kdump/usr/lib/systemd/system/kdump.service.d/remount-boot.conf new file mode 100644 index 0000000000..2b4d940847 --- /dev/null +++ b/overlay.d/12kdump/usr/lib/systemd/system/kdump.service.d/remount-boot.conf 
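Review bot: `enable clevis-luks-askpass.path` is added to 40-coreos.preset without a comment, while the neighbouring `rtas_errd.service` entry explains why it is enabled. Judging by the new tests/kola/var-mount config in this commit, which puts /var/log on a Clevis/TPM2-bound LUKS device, this is presumably what lets non-root encrypted volumes unlock at boot. A line such as `# Unlock Clevis-bound LUKS volumes other than the root filesystem at boot`, with the tracker link if there is one, would record that.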
@@ -0,0 +1,9 @@ +# https://bugzilla.redhat.com/show_bug.cgi?id=1918493 +# `/boot` is read-only, but `kdump.service` wants to +# places its generated initramfs alongside the default +# initramfs under `/boot/ostree`. +# Until `kdump` gains the ability to place its initramfs +# elsewhere, temporarily remount `/boot` read-write before +# the `kdump` initramfs is generated. +[Service] +ExecStartPre=/usr/bin/mount -o remount,rw /boot diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro index bf36423e05..c79c88c2fb 100755 --- a/tests/kola/misc-ro +++ b/tests/kola/misc-ro @@ -150,3 +150,26 @@ if ! grep prjquota <<< "${rootflags}"; then fatal "missing prjquota in root mount flags: ${rootflags}" fi ok "root mounted with prjquota" + +has_cgroup_karg=1 +grep -q systemd.unified_cgroup_hierarchy /proc/cmdline || has_cgroup_karg=0 +sys_fs_cgroup_source=$(findmnt -no SOURCE /sys/fs/cgroup) +stream=$(rpm-ostree status -b --json | jq -r '.deployments[0]["base-commit-meta"]["fedora-coreos.stream"]') +case "$stream" in + "testing-devel" | "testing" | "stable") + if [ $has_cgroup_karg == 0 ]; then + fatal "missing systemd.unified_cgroup_hierarchy=0" + fi + if [[ $sys_fs_cgroup_source != tmpfs ]]; then + fatal "/sys/fs/cgroup is not tmpfs" + fi + ;; + *) + if [ $has_cgroup_karg == 1 ]; then + fatal "found systemd.unified_cgroup_hierarchy=0" + fi + if [[ $sys_fs_cgroup_source != cgroup2 ]]; then + fatal "/sys/fs/cgroup is not cgroup2" + fi + ;; +esac diff --git a/tests/kola/podman/rootless-systemd b/tests/kola/podman/rootless-systemd index c12cec80a9..e41df869c0 100755 --- a/tests/kola/podman/rootless-systemd +++ b/tests/kola/podman/rootless-systemd 
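Review bot: The drop-in remounts `/boot` read-write in `ExecStartPre=` and nothing visible here puts it back, although the comment describes the remount as temporary. Unless something outside this file restores it, `/boot` stays writable for the rest of the boot once `kdump.service` has started, which gives up the read-only protection on the bootloader and kernel files. If kdump needs write access only while it generates its initramfs, `ExecStartPost=/usr/bin/mount -o remount,ro /boot` would restore the previous state; that this does not disturb kdump is an assumption to check. The comment also has a typo, `wants to places`.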
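Review bot: In the tests/kola/misc-ro hunk, `grep -q systemd.unified_cgroup_hierarchy /proc/cmdline` matches the karg with any value, while both `fatal` messages speak of `systemd.unified_cgroup_hierarchy=0`. A command line carrying `=1` would set `has_cgroup_karg=1` and be treated as the `=0` case. Matching the full token, `grep -q 'systemd.unified_cgroup_hierarchy=0' /proc/cmdline`, keeps the check and its messages in agreement. The new block also ends without an `ok` line, unlike the `prjquota` check just above it.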
@@ -53,10 +53,10 @@ main() { chmod +x /tmp/runascoreuserscript runascoreuser /tmp/runascoreuserscript - # Let it come up sleep 5 - if ! curl http://localhost:8080 1>/dev/null; then + # Try to grab the web page. Retry as it might not be up fully yet. + if ! curl --silent --show-error --retry 5 --retry-all-errors http://localhost:8080 >/dev/null; then echo TEST FAILED 1>&2 runascoreuser podman logs httpd return 1 diff --git a/tests/kola/rpm-ostree-countme/config.fcc b/tests/kola/rpm-ostree-countme/config.fcc new file mode 100644 index 0000000000..002cc59a7a --- /dev/null +++ b/tests/kola/rpm-ostree-countme/config.fcc @@ -0,0 +1,7 @@ +variant: fcos +version: 1.3.0 +systemd: + units: + - name: rpm-ostree-countme.timer + mask: false + enabled: true diff --git a/tests/kola/rpm-ostree-countme/test.sh b/tests/kola/rpm-ostree-countme/test.sh new file mode 100755 index 0000000000..c4dd7ebda2 --- /dev/null +++ b/tests/kola/rpm-ostree-countme/test.sh 
@@ -0,0 +1,37 @@ +#!/bin/bash +set -xeuo pipefail + +# No need to run an other platforms than QEMU. +# kola: { "tags": "needs-internet", "platforms": "qemu-unpriv" } + +ok() { + echo "ok" "$@" +} + +fatal() { + echo "$@" >&2 + exit 1 +} + +# Check that the timer got pulled when rpm-ostreed got started +if [[ $(systemctl show -p ActiveState rpm-ostree-countme.timer) != "ActiveState=active" ]] \ + && [[ $(systemctl show -p SubState rpm-ostree-countme.timer) != "SubState=waiting" ]]; then + fatal "rpm-ostree-countme timer has not been started" +fi + +# Check that running the service manually is successful +systemctl start rpm-ostree-countme.service +if [[ $(systemctl show -p ActiveState rpm-ostree-countme.service) != "ActiveState=inactive" ]] \ + && [[ $(systemctl show -p SubState rpm-ostree-countme.service) != "SubState=dead" ]] \ + && [[ $(systemctl show -p Result rpm-ostree-countme.service) != "Result=success" ]] \ + && [[ $(systemctl show -p ExecMainStatus rpm-ostree-countme.service) != "ExecMainStatus=0" ]]; then + fatal "rpm-ostree-countme exited with an error" +fi + +# Check rpm-ostree count me output +output="$(journalctl --output=json --boot --unit=rpm-ostree-countme.service --grep "Successful requests:" | jq --raw-output '.MESSAGE')" +if [[ "${output}" != "Successful requests: 2/2" ]] && [[ "${output}" != "Successful requests: 3/3" ]]; then + fatal "rpm-ostree-countme service ouput does not match expected sucess output" +fi + +ok countme diff --git a/tests/kola/var-mount/config.fcc b/tests/kola/var-mount/config.fcc new file mode 100644 index 0000000000..294426e29c --- /dev/null +++ b/tests/kola/var-mount/config.fcc 
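Review bot: The first two checks join their `!=` tests with `&&`, so `fatal` runs only when every property is wrong at once. In the service check, an `ExecMainStatus` other than 0 is ignored as long as `ActiveState=inactive` still matches, and the timer check passes if either `ActiveState` or `SubState` has the expected value. These should be `||`, as in the fence below; the third check (`2/2` or `3/3`) is correct with `&&`. The strings `an other`, `ouput` and `sucess` in the comment and the last `fatal` message are typos.

```bash
if [[ $(systemctl show -p ActiveState rpm-ostree-countme.timer) != "ActiveState=active" ]] \
    || [[ $(systemctl show -p SubState rpm-ostree-countme.timer) != "SubState=waiting" ]]; then
# … unchanged: fatal "rpm-ostree-countme timer has not been started"; systemctl start rpm-ostree-countme.service …
if [[ $(systemctl show -p ActiveState rpm-ostree-countme.service) != "ActiveState=inactive" ]] \
    || [[ $(systemctl show -p SubState rpm-ostree-countme.service) != "SubState=dead" ]] \
    || [[ $(systemctl show -p Result rpm-ostree-countme.service) != "Result=success" ]] \
    || [[ $(systemctl show -p ExecMainStatus rpm-ostree-countme.service) != "ExecMainStatus=0" ]]; then
# … unchanged: fatal "rpm-ostree-countme exited with an error" and the journal output check …
```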
@@ -0,0 +1,25 @@ +variant: fcos +version: 1.3.0 +storage: + disks: + - device: /dev/vda + partitions: + - label: var + size_mib: 1000 + start_mib: 5000 + - label: varlog + wipe_table: false + luks: + - name: varlog + device: /dev/disk/by-partlabel/varlog + clevis: + tpm2: true + filesystems: + - device: /dev/disk/by-partlabel/var + format: xfs + path: /var + with_mount_unit: true + - device: /dev/mapper/varlog + format: ext4 + path: /var/log + with_mount_unit: true diff --git a/tests/kola/var-mount/config.ign b/tests/kola/var-mount/config.ign deleted file mode 100644 index 3408b0cc43..0000000000 --- a/tests/kola/var-mount/config.ign +++ /dev/null @@ -1,36 +0,0 @@ -{ - "ignition": { - "version": "3.0.0" - }, - "storage": { - "disks": [ - { - "device": "/dev/vda", - "partitions": [ - { - "label": "var", - "sizeMiB": 0, - "startMiB": 5000 - } - ], - "wipeTable": false - } - ], - "filesystems": [ - { - "device": "/dev/disk/by-partlabel/var", - "format": "xfs", - "path": "/var" - } - ] - }, - "systemd": { - "units": [ - { - "contents": "[Unit]\nBefore=local-fs.target\nRequires=systemd-fsck@/dev/disk/by-partlabel/var\nAfter=systemd-fsck@/dev/disk/by-partlabel/var\n\n[Mount]\nWhere=/var\nWhat=/dev/disk/by-partlabel/var\nType=xfs\n\n[Install]\nRequiredBy=local-fs.target", - "enabled": true, - "name": "var.mount" - } - ] - } -} diff --git a/tests/kola/var-mount/test.sh b/tests/kola/var-mount/test.sh index ec5bd84c68..ba6565e80b 100755 --- a/tests/kola/var-mount/test.sh +++ b/tests/kola/var-mount/test.sh 
@@ -4,8 +4,44 @@ set -xeuo pipefail # restrict to qemu for now because the primary disk path is platform-dependent # kola: {"platforms": "qemu"} +ok() { + echo "ok" "$@" +} + +fatal() { + echo "$@" >&2 + exit 1 +} + +# /var + src=$(findmnt -nvr /var -o SOURCE) [[ $(realpath "$src") == $(realpath /dev/disk/by-partlabel/var) ]] fstype=$(findmnt -nvr /var -o FSTYPE) [[ $fstype == xfs ]] + +# /var/log + +src=$(findmnt -nvr /var/log -o SOURCE) +[[ $(realpath "$src") == $(realpath /dev/mapper/varlog) ]] + +blktype=$(lsblk -o TYPE "${src}" --noheadings) +[[ ${blktype} == crypt ]] + +fstype=$(findmnt -nvr /var/log -o FSTYPE) +[[ $fstype == ext4 ]] + +case "${AUTOPKGTEST_REBOOT_MARK:-}" in + "") + ok "mounted on first boot" + + # reboot once to sanity-check we can mount on second boot + /tmp/autopkgtest-reboot rebooted + ;; + + rebooted) + ok "mounted on reboot" + ;; + *) fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}";; +esac diff --git a/tests/manual/coreos-docs-net-testing.sh b/tests/manual/coreos-docs-net-testing.sh index 5e0482a53a..ffd4d9db7e 100755 --- a/tests/manual/coreos-docs-net-testing.sh +++ b/tests/manual/coreos-docs-net-testing.sh @@ -20,13 +20,15 @@ set -eu -o pipefail # I test this way I usually stand up a separate VM on the same bridge # and run dnsmasq on a tagged network like: # +# interface=eth1 # cat < /etc/dnsmasq.d/vlandhcp -# interface=eth1.100 +# interface=${interface}.100 # bind-interfaces # dhcp-range=192.168.200.150,192.168.200.160,12h -# ip link add link eth0 name eth0.100 type vlan id 100 -# ip addr add 192.168.200.1/24 dev eth0.100 -# ip link set eth0.100 up +# EOF +# ip link add link $interface name "${interface}.100" type vlan id 100 +# ip addr add 192.168.200.1/24 dev "${interface}.100" +# ip link set "${interface}.100" up # systemctl enable dnsmasq --now # # - Dusty Mabe - dusty@dustymabe.com 
@@ -281,6 +283,8 @@ fcct_dhcpvlanbond=' mode=active-backup [ipv4] method=disabled + [ipv6] + method=disabled - path: /etc/NetworkManager/system-connections/${bondname}-slave-${subnic1}.nmconnection mode: 0600 contents: @@ -433,10 +437,6 @@ EOF common_args+=' ignition.firstboot' # manually set ignition.firstboot #common_args+=' rd.break=pre-mount' - # Have to add ipv6.disable=1 for Fedora 33+ because of - # https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/539 - common_args+=' ipv6.disable=1' - # export these values so we can substitute the values # in using the envsubst command export ip gateway netmask prefix interface nameserver bondname teamname bridgename subnic1 subnic2 vlanid @@ -480,7 +480,6 @@ EOF export hostname="staticvlan" x="${common_args} rd.neednet=1" x+=" ip=${ip}::${gateway}:${netmask}:${hostname}:${interface}.${vlanid}:none:${nameserver}" - x+=" ip=${interface}:off" x+=" vlan=${interface}.${vlanid}:${interface}" x+=" ip=${subnic2}:off" initramfs_staticvlan=$x @@ -489,10 +488,9 @@ EOF export hostname="dhcpvlanbond" x="${common_args} rd.neednet=1" - x+=" ip=vlan${vlanid}:dhcp" - x+=" ip=${bondname}:off" + x+=" ip=${bondname}.${vlanid}:dhcp" x+=" bond=${bondname}:${subnic1},${subnic2}:mode=active-backup,miimon=100" - x+=" vlan=vlan${vlanid}:${bondname}" + x+=" vlan=${bondname}.${vlanid}:${bondname}" initramfs_dhcpvlanbond=$x fcct_initramfs_dhcpvlanbond=$(echo "${fcct_common}${fcct_hostname}" | envsubst) fcct_dhcpvlanbond=$(echo "${fcct_common}${fcct_hostname}${fcct_dhcpvlanbond}" | envsubst) diff --git a/tests/manual/coreos-network-testing.sh b/tests/manual/coreos-network-testing.sh index 505a543a0f..2ebbdd5fea 100755 --- a/tests/manual/coreos-network-testing.sh +++ b/tests/manual/coreos-network-testing.sh 
@@ -546,10 +546,8 @@ EOF x="${common_args} rd.neednet=1 ip=${nic0}:dhcp ip=${nic1}:dhcp" initramfs_dhcp_nic0nic1=$x - # Have to add ipv6.disable=1 for Fedora 33+ because of - # https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/539 devname=$nic0 - x="${common_args} rd.neednet=1 ip=${nic1}:off ipv6.disable=1" + x="${common_args} rd.neednet=1 ip=${nic1}:off" x+=" ip=${ip}::${gateway}:${netmask}:${initramfshostname}:${devname}:none:${nameserverstatic}" initramfs_static_nic0=$x