Use the generic redhat-release package

[travier]

Ensure that /etc/issue.d exists for console-login-helper-messages

This can be removed once we rebase to RHEL 9 as it will be included in
the redhat-release package.

---

Use the generic redhat-release package

The redhat-release-coreos package is mostly a copy of the generic
package as all major configuration changes are made in this repo.

Thus move the os-release changes to a step in a postprocess script and
use the generic package to benefit from updates for free.

The changes are:

• No longer provide "extracted" GPG keys as they are not used in RHCOS
  (was in /usr/share/ostree/trusted.gpg.d/)
• containerisvsign.asc will be provided by the RHEL 8.5 version of this
  package in /etc/pki/rpm-gpg/
• Drop /etc/profile.d/path.sh
• Update default presets to their latest version as part of the
  redhat-release package

[travier]

This will fail CI as it needs a fix in RHCOS CLHM package.

[cgwalters]

Ahh I understand now. OK. I'm generally 👍 on this - none of my comments should be viewed as blocking.

Actually the more I think about it, this is a huge improvement over what we're doing now - the redhat-release-coreos package is a heavy weighted bag of technical debt that just goes away.

[cgwalters]

Hmm I think we could figure out how to pass this through.

Or actually, do we even need to use mutate-os-release here anymore since we're effectively rewriting it in postprocess anyways?

I think...hmm, we could pass down the value of automatic-version-prefix and then split on that or something?

Anyways, not a blocker at all, but would clearly be nice to have a single source-of-truth for major version.

[cgwalters]

I am generally fine with this, but I'd note that while we're replacing most of the fields, we're not replacing all of them (e.g. HOME_URL). I think what we probably want to do is basically carry an "overrides" set, and keep other values unchanged.

We could potentially make this a first-class operation in rpm-ostree so all the parsing/merging doesn't need to be shell script?

[miabbott]

This will fail CI as it needs a fix in RHCOS CLHM package.

While I'm in favor of this change, I don't want to merge it quite yet as it will block our ability to do downstream builds. (Even though those are still kind of shaky already)

Let's get the downstream CLHM package fixed, then land this.

[jupierce]

/test build-test-qemu

[HuijingHei]

Nice job! Anyway, this is a huge improve.

[HuijingHei]

/test build-test-qemu

[cgwalters]

So our CI here is broken because we're waiting on openshift/release#26193 - but if this has been tested locally I'm good with merging.

Thanks so much for doing this!

[miabbott]

openshift/release#26193 merged, so let's retest

/retest

[miabbott]

/retest

[miabbott]

Ah, the CI job is going to keep failing because the script is setup to curl the wrong repo

os/ci/prow-build-test-qemu.sh

Line 33 in ded68a2

curl -L http://base-"${ocpver_mut}"-rhel8.ocp.svc.cluster.local > src/config/ocp.repo

+ curl -L http://base-4-11-rhel8.ocp.svc.cluster.local

So it won't use the new repo from openshift/release#26193 until we update the script

If this has been tested locally, let's override the job and merge it.

[miabbott]

So it won't use the new repo from openshift/release#26193 until we update the script

#718

[miabbott]

/retest

[HuijingHei]

/retest

[HuijingHei]

2 cases failed:

• rhel-matches-rhcos-build failed as RHEL_VERSION=8.5 does not match rhel version in VERSION=411.84.202202250743-0, should replace 84 to 85 in automatic-version-prefix: "411.84.<date:%Y%m%d%H%M>", maybe there is better solution?

• network-online-service failed as network-online.target should be inactive default, but it is active, I do not find any special config for this

[core@cosa-devsh ~]$ systemctl show -p ActiveState network-online.target
ActiveState=active

[miabbott]

* `rhel-matches-rhcos-build` failed as `RHEL_VERSION=8.5` does not match rhel version in `VERSION=411.84.202202250743-0`, should replace 84 to 85 in `automatic-version-prefix: "411.84.<date:%Y%m%d%H%M>"`, maybe there is better solution?

The automatic-version-prefix: needs to be updated as we are using RHEL 8.5 content now. It may be worthwhile to examine if the test should be reworked now that we are using the redhat-release package.

[HuijingHei]

@jlebon would you help to check failed case network-online-service? Thanks!
From log systemctl show -p ActiveState network-online.target should be default inactive, but actually active.
Check 411.84.202202251839-0 using the same systemd-239-51.el8.x86_64 as rhel8.5, but get result actually is inactive

[jlebon]

@jlebon would you help to check failed case network-online-service? Thanks!

Looks like this is coming from nfs-client.target, which is now enabled via presets in RHEL 8.5+. Backstory on this is in https://bugzilla.redhat.com/show_bug.cgi?id=1967515. The TL;DR I think is that it used to enable itself in a scriptlet, and was moved to a preset in 8.5 as per packaging guidelines and to fix container-related issues. The scriptlet approach never worked on RHCOS because we explicitly make presets canonical (https://github.com/coreos/fedora-coreos-config/blob/656b9727368317a5adcf49823f9ae3a03d1fe3f5/manifests/ignition-and-ostree.yaml#L39-L48).

It's interesting though that since AFAIK NFS works fine on RHCOS currently, it must mean something in the stack is enabling it on-demand (or I think for NFSv3 it can also be socket activated). I'm not seeing it in e.g. https://github.com/openshift/csi-driver-nfs offhand, but it must be happening somehow.

I think it was a conscious decision though to keep it off by default in RHCOS, so we should keep disabling it as before and let whatever re-enables it on-demand keep kicking in.

Added a commit here which does that!

[cgwalters]

It's interesting though that since AFAIK NFS works fine on RHCOS currently, it must mean something in the stack is enabling it on-demand (or I think for NFSv3 it can also be socket activated). I'm not seeing it in e.g. https://github.com/openshift/csi-driver-nfs offhand, but it must be happening somehow.

https://github.com/openshift/machine-config-operator/blob/4e7fe38d0db4a3a542a246b6a9eb97f582b91b07/templates/master/01-master-kubelet/_base/units/kubelet.service.yaml#L6

Which was cargo culted from CoreOS Tectonic. We've had multiple BZs about this from people not using NFS, and I think indeed enabling it needs to move into the storage drivers.

[cgwalters]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, HuijingHei, travier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [HuijingHei,cgwalters,travier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jlebon]

/test build-test-qemu

[openshift-ci]

@travier: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[lucab]

Isn't this going to throw off-path all the scriptlets and other postprocess scripts which rely on os-release content?
Specifically, I think some of them will source RHEL-original content now.

[jlebon]

Isn't this going to throw off-path all the scriptlets and other postprocess scripts which rely on os-release content? Specifically, I think some of them will source RHEL-original content now.

Yeah, I think you're right. Good catch.

For scriptlets, only those which run at compose time would see the difference. I'd be surprised if there were any in our base set which had RHCOS-specific logic. If we encounter any, we should try to work with the maintainers to rip it out, but in the worst case there's /run/ostree-booted which is likely a more appropriate API.

For postprocess scripts, include semantics means indeed that the postprocess added here will run last. Though AFAICT, none of the ones in this repo or in FCOS use ID. There are the workarounds in https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/shared-workarounds.yaml which use NAME but the conditionals are on Fedora so those don't break (but easily could've!). (Edit: My local checkout was old. I see coreos/fedora-coreos-config@656b972 now and the follow-up in coreos/fedora-coreos-config#1553 which is probably what brought you here.)

So overall I think we're OK. But long-term I agree with #713 (comment) we probably want to fold this into rpm-ostree.