[stable] tree: promote changes from testing at 602adfeb92e887c1e269cd16d15ce5af250fe5e5

.cci.jenkinsfile

@@ -3,6 +3,8 @@
 cosaPod {
     checkoutToDir(scm, 'config')
 
+    def basearch = shwrapCapture("cosa basearch")
+
     shwrap("cd config && ci/validate")
 
     shwrap("""
@@ -14,7 +16,18 @@ cosaPod {
         cosa buildprep https://builds.coreos.fedoraproject.org/prod/streams/${env.CHANGE_TARGET}/builds
     """)
 
-    fcosBuild(skipInit: true, extraFetchArgs: '--with-cosa-overrides')
+    // use a --parent-build arg so we can diff later and it matches prod
+    def parent_arg = ""
+    def parent_commit = ""
+    if (shwrapRc("test -e /srv/fcos/builds/latest/${basearch}/meta.json") == 0) {
+        shwrap("cp /srv/fcos/builds/latest/${basearch}/meta.json .") // readJSON wants it in the WORKSPACE
+        def meta = readJSON file: "meta.json"
+        def version = meta["buildid"]
+        parent_arg = "--parent-build ${version}"
+        parent_commit = meta["ostree-commit"]
+    }
+
+    fcosBuild(skipInit: true, extraFetchArgs: '--with-cosa-overrides', extraArgs: parent_arg)
 
     parallel metal: {
         shwrap("cd /srv/fcos && cosa buildextend-metal")
@@ -33,7 +46,17 @@ cosaPod {
     }
 
     // also print the pkgdiff as a separate stage to make it more visible
-    stage("RPM Diff") {
-        shwrap("jq .pkgdiff /srv/fcos/builds/latest/x86_64/meta.json")
+    if (parent_arg != "") {
+        stage("RPM Diff") {
+            shwrap("""
+                cd /srv/fcos
+                new_commit=\$(jq -r '.["ostree-commit"]' builds/latest/${basearch}/meta.json)
+                rpm-ostree db diff --repo tmp/repo ${parent_commit} \${new_commit} | tee tmp/diff.txt
+                if grep -q Downgraded tmp/diff.txt; then
+                    echo "Downgrade detected. This is likely unintentional. If not, you may safely ignore this error."
+                    exit 1
+                fi
+            """)
+        }
     }
 }

ci/buildroot/Dockerfile

@@ -6,8 +6,5 @@
 # This image is used by CoreOS CI to build software like
 # Ignition, rpm-ostree, ostree, coreos-installer, etc...
 FROM registry.fedoraproject.org/fedora:33
-USER root
-WORKDIR /root/containerbuild
-COPY . tmp
-RUN ./tmp/install-buildroot.sh && yum clean all && rm tmp -rf
-WORKDIR /root
+COPY . /src
+RUN ./src/install-buildroot.sh && yum clean all && rm /src -rf  # nocache 20210406

ci/buildroot/buildroot-reqs.txt

@@ -28,16 +28,25 @@ xz
 # For rust projects like rpm-ostree
 rustfmt
 
+# For unit tests at least.
+ostree
+
 # A super common tool
 jq
 
 # Used by ostree/rpm-ostree CI (TODO: add to something like TestBuildRequires in spec files)
 attr
+rsync
+python3-pyyaml
 parallel gjs
+createrepo_c
 
 # Also, add clang since it's useful at least in CI for C/C++ projects
 clang lld
 # All C/C++ projects should have CI that uses the sanitizers
 libubsan libasan libtsan
 # And all C/C++ projects should use clang-analyzer
 clang-analyzer
+
+# We don't want zombies in our pods
+dumb-init

image-base.yaml

@@ -1,3 +1,6 @@
+# This file is shared by all streams. For a stream-specific change, use
+# image.yaml instead.
+
 # Target disk size in GB.
 # Make it at least 10G because we want the rootfs to be at least 8G:
 # https://github.com/coreos/fedora-coreos-tracker/issues/586
@@ -6,9 +9,6 @@ size: 10
 extra-kargs:
     # Disable SMT on systems vulnerable to MDS or any similar future issue.
     - mitigations=auto,nosmt
-    # https://github.com/coreos/fedora-coreos-tracker/issues/292
-    # https://fedoraproject.org/wiki/Changes/CGroupsV2
-    - systemd.unified_cgroup_hierarchy=0
 
 # Disable networking by default on firstboot. We can drop this once cosa stops
 # defaulting to `ip=dhcp,dhcp6 rd.neednet=1` when it doesn't see this key.

image.yaml

@@ -2,3 +2,8 @@
 # similarly to manifest.yaml. Unlike image-base.yaml, which is shared by all
 # streams.
 include: image-base.yaml
+
+extra-kargs:
+    # https://github.com/coreos/fedora-coreos-tracker/issues/292
+    # https://fedoraproject.org/wiki/Changes/CGroupsV2
+    - systemd.unified_cgroup_hierarchy=0

manifest-lock.overrides.yaml

@@ -22,25 +22,42 @@ packages:
     evr: 5.10.19-200.fc33
   kernel-modules:
     evr: 5.10.19-200.fc33
-  # Fast-track coreos-installer release
-  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-7a0ce6189e
-  coreos-installer:
-    evr: 0.8.0-1.fc33
-  coreos-installer-bootinfra:
-    evr: 0.8.0-1.fc33
+  # Fast-track console-login-helper-messages release
+  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-cf005d6480
+  # New updates in console-login-helper-messages v0.21.2 fixes
+  # the console prompt being left solid white after displaying
+  # the OS release MOTD.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/750
+  console-login-helper-messages:
+    evra: 0.21.2-1.fc33.noarch
+  console-login-helper-messages-issuegen:
+    evra: 0.21.2-1.fc33.noarch
+  console-login-helper-messages-motdgen:
+    evra: 0.21.2-1.fc33.noarch
+  console-login-helper-messages-profile:
+    evra: 0.21.2-1.fc33.noarch
   # Fast-track new podman release to fix podman cp:
   # https://github.com/coreos/fedora-coreos-tracker/issues/771
   # https://bodhi.fedoraproject.org/updates/FEDORA-2021-e70b450680
-  # Also new podman needs newer crun, so bump that too.
   podman:
     evr: 2:3.1.0-2.fc33
   podman-plugins:
     evr: 2:3.1.0-2.fc33
-  crun:
-    evr: 0.18-5.fc33
-  # Fast-track openssl for recent CVE-2021-3449, CVE-2021-3450
-  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-d049f32a82
-  openssl:
-    evr: 1:1.1.1k-1.fc33
-  openssl-libs:
-    evr: 1:1.1.1k-1.fc33
+  # Fast-track new coreos-installer release
+  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-c67cfeca62
+  coreos-installer:
+    evr: 0.9.0-2.fc33
+  coreos-installer-bootinfra:
+    evr: 0.9.0-2.fc33
+  # Fast-track new afterburn release
+  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb2a204001
+  afterburn:
+    evr: 5.0.0-1.fc33
+  afterburn-dracut:
+    evr: 5.0.0-1.fc33
+  # Fast-track rpm-ostree for CVE-2021-3445
+  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-eadfc56b95
+  rpm-ostree:
+    evr: 2021.4-1.fc33
+  rpm-ostree-libs:
+    evr: 2021.4-1.fc33