open-img-cloud/oracle-linux-9

Oracle Linux 9 Cloud Images

Cloud-init-ready, signed Oracle Linux 9 images for OpenStack and Proxmox


About

This repo builds Oracle Linux 9 cloud images on top of the upstream OL9U<U>_x86_64-kvm-b<B>.qcow2 KVM templates published at yum.oracle.com/oracle-linux-templates.html and republishes them through the openimages.cloud signed-release pipeline.

OL9 is under Oracle's premier support until 2032-06-30 (extended support to 2034-06-30), which makes it a suitable target for fresh deployments. For OL10, see the sibling repo open-img-cloud/oracle-linux-10.

The build pipeline is shared with the rest of open-img-cloud: this repo only ships the VERSION, customize.sh, detect-upstream.sh, and two thin caller workflows that delegate to the reusable workflows in open-img-cloud/.github (@main).

This pipeline is the openimages.cloud-aligned successor of the legacy linitio/openstack-oracle-linux-image (2022-2024 vintage), rebuilt around cosign-signed releases, R2/Garage object storage, and the shared cloud-init policy drop-in.

Customisations applied to the upstream rootfs:

  • Org-wide cloud-init policy drop-in (99_oic-policy.cfg) injected by the reusable workflow into /etc/cloud/cloud.cfg.d/, pinning datasource_list: [OpenStack, ConfigDrive, NoCloud, None] and disable_root: true / ssh_pwauth: false
  • virt-sysprep to clean transient state, then virt-sparsify --compress

The upstream OL9 KVM template already ships cloud-init, openssh-server, GRUB2 with serial console wired (console=tty0 console=ttyS0,115200), and a default user (oracle or cloud-user depending on build) — we don't override any of that.

Each release publishes:

  • oracle-linux-9-<version>-x86_64.qcow2
  • *.sha256, *.sha1, *.md5 per-file
  • *.bundle cosign sigstore-bundle (signature + cert + Rekor proof)
  • MANIFEST.json (build metadata, including the builder image digest)
  • index.html directory listing

<version> is 9.<update>-b<build> (e.g. 9.7-b269), mirroring Oracle's own OL{R}U{U}-b{B} naming.

Where to download

Public CDN, served via Cloudflare in front of an R2 bucket (mirror of the source-of-truth Garage):

| URL pattern | Cache policy |
| --- | --- |
| https://images.openimages.cloud/oracle-linux-9/<version>/<filename> | max-age=31536000, immutable |
| https://images.openimages.cloud/oracle-linux-9/latest/<filename> | max-age=300 |

Browse: images.openimages.cloud/oracle-linux-9/latest/

Verify before deploy

cosign 3.x:

sha256sum -c <filename>.sha256                    # integrity
cosign verify-blob \
    --bundle <filename>.bundle \
    --new-bundle-format \
    --certificate-identity-regexp '^https://github.com/open-img-cloud/\.github/\.github/workflows/build-libguestfs-image\.yml@' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    <filename>                                     # provenance

The certificate identity points at the reusable build workflow in open-img-cloud/.github — that's where GitHub's OIDC binds the SAN for keyless signing. To tie the artifact back to this repo's commit, also check MANIFEST.json (commit, build_url, builder digest).
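
What the identity regexp above accepts and rejects, as an added example that is not part of this repo: `grep -E` stands in for cosign's regular-expression matching (an assumption), the helper names are hypothetical, and every SAN value is constructed. It also shows that the regexp stops at `@`, so it does not pin the git ref; the stricter check assumes the `@main` call resolves to `refs/heads/main`.

```shell
#!/bin/sh
# Added example, not the project's code. Same pattern as the verify command above.
IDENTITY_RE='^https://github.com/open-img-cloud/\.github/\.github/workflows/build-libguestfs-image\.yml@'

# Print the git ref a certificate identity is bound to.
# Returns 1 when the identity does not match the pattern at all.
signer_ref() {
    case $1 in *'
'*) return 1 ;; esac                      # refuse multi-line input
    printf '%s\n' "$1" | grep -qE "$IDENTITY_RE" || return 1
    printf '%s\n' "${1#*@}"                # everything after the first '@'
}

# Stricter policy than the regexp alone: only the main branch is accepted.
# Assumption: a workflow called as @main is bound to refs/heads/main.
signed_from_main() {
    [ "$(signer_ref "$1")" = "refs/heads/main" ]
}

# Constructed identities: the shared workflow on two refs, this repo's own
# caller workflow, and the expected URL embedded in another URL.
BASE='https://github.com/open-img-cloud/.github/.github/workflows/build-libguestfs-image.yml'
for san in \
    "$BASE@refs/heads/main" \
    "$BASE@refs/heads/feature-x" \
    'https://github.com/open-img-cloud/oracle-linux-9/.github/workflows/release.yml@refs/tags/v9.7-b269' \
    "https://example.invalid/?u=$BASE@refs/heads/main"
do
    if ref=$(signer_ref "$san"); then
        echo "accept ref=$ref  $san"
    else
        echo "reject           $san"
    fi
done
```

The second identity is accepted by the regexp but fails `signed_from_main`, which is the gap the MANIFEST.json cross-check is meant to cover.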

How to use

OpenStack

# Pull the qcow2 (replace <V> with the desired version, e.g. 9.7-b269)
curl -fLO https://images.openimages.cloud/oracle-linux-9/<V>/oracle-linux-9-<V>-x86_64.qcow2

openstack image create \
    --disk-format qcow2 --container-format bare \
    --min-disk 25 \
    --file oracle-linux-9-<V>-x86_64.qcow2 \
    'Oracle Linux 9 <V>'

Proxmox VE

scp oracle-linux-9-<V>-x86_64.qcow2 root@proxmox:/var/lib/vz/template/iso/

qm create <VMID> --name ol9-template --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0
qm importdisk <VMID> oracle-linux-9-<V>-x86_64.qcow2 <STORAGE>
qm set <VMID> --scsihw virtio-scsi-pci --scsi0 <STORAGE>:vm-<VMID>-disk-0
qm set <VMID> --boot c --bootdisk scsi0
qm set <VMID> --ide2 <STORAGE>:cloudinit
qm set <VMID> --serial0 socket --vga serial0
qm set <VMID> --ciuser cloud-user --sshkeys ~/.ssh/authorized_keys --ipconfig0 ip=dhcp

Release flow

  1. watch.yml runs daily 06:41 UTC, calls build/detect-upstream.sh which parses oracle-linux-templates.html for OL9 KVM artifacts and emits 9.<U>-b<B> for the highest (U, B) pair.
  2. If the version differs from the current VERSION, the workflow opens (or updates) a PR auto/upstream-bump.
  3. Merging the PR + pushing a v<VERSION> tag fires release.yml, which calls the shared build-libguestfs-image.yml@main reusable workflow.
  4. Each build downloads the upstream qcow2, runs customize.sh, sysprep, sparsify, signs, and uploads to Garage + R2 under s3://oracle-linux-9/<version>/.
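
A sketch of the version detection in step 1, as an added example and not the repo's actual build/detect-upstream.sh: it extracts OL9 x86_64 KVM template names from HTML on stdin, compares (U, B) numerically, and validates the resulting string before it is used for a branch or tag. The function names and the sample page are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's detect-upstream.sh.

# Read HTML on stdin; print 9.<U>-b<B> for the highest (U, B) pair.
# Returns non-zero when no OL9 x86_64 KVM template is found.
latest_ol9_version() {
    # Strict pattern: digits only for U and B, so nothing else from the
    # page can leak into the emitted version string.
    grep -oE 'OL9U[0-9]+_x86_64-kvm-b[0-9]+\.qcow2' |
        sed -E 's/^OL9U([0-9]+)_x86_64-kvm-b([0-9]+)\.qcow2$/\1 \2/' |
        sort -u -k1,1n -k2,2n |            # numeric, so U10 > U9 and b269 > b98
        tail -n 1 |
        awk 'NF == 2 { printf "9.%d-b%d\n", $1, $2; found = 1 }
             END { exit !found }'
}

# Gate for anything that ends up in VERSION, a PR or a tag name.
is_valid_version() {
    case $1 in *'
'*) return 1 ;; esac                      # refuse multi-line input
    printf '%s\n' "$1" | grep -qxE '9\.[0-9]+-b[0-9]+'
}

# Constructed sample of a templates page (paths and build numbers invented).
sample_page() {
    cat <<'EOF'
<a href="/sample/OL9U6_x86_64-kvm-b300.qcow2">OL9U6 KVM</a>
<a href="/sample/OL9U7_x86_64-kvm-b98.qcow2">OL9U7 KVM</a>
<a href="/sample/OL9U7_x86_64-kvm-b269.qcow2">OL9U7 KVM</a>
<a href="/sample/OL8U10_x86_64-kvm-b400.qcow2">OL8U10 KVM</a>
<a href="/sample/OL9U7_aarch64-kvm-cloud-b500.qcow2">OL9U7 aarch64</a>
EOF
}

sample_page | latest_ol9_version
```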

Repository layout

VERSION                          single line, e.g. "9.7-b269"
build/
  customize.sh                   virt-customize hook (qcow2 path as $1)
  detect-upstream.sh             parses oracle-linux-templates.html
.github/workflows/
  release.yml                    calls build-libguestfs-image.yml on tag push
  watch.yml                      daily cron, calls upstream-watch.yml
.gitignore                       repo-local override for global build/ exclusion
LICENSE                          GPL-2.0

Contributing

Fork, branch, PR. Keep changes focused; the customize hook in particular is consumed by the shared pipeline so backward-compatible tweaks are preferred over rewrites.

License

Distributed under the GPL-2.0 License. See LICENSE.

Contact

Kevin Allioli — kevin@stackops.ch · @stackopshq

Project: open-img-cloud/oracle-linux-9
