Split manifest to support both RHCOS & SCOS

Enables us to build both SCOS and RHCOS from the same branch. RHCOS is still built by default for now. Change the manifest.yaml symlink target to build SCOS.
openshift · Apr 7, 2022 · d7d3940 · d7d3940
1 parent aecea15
commit d7d3940
Show file tree

Hide file tree

Showing 7 changed files with 706 additions and 426 deletions.
diff --git a/extensions-scos.yaml b/extensions-scos.yaml
@@ -0,0 +1,62 @@
+# RPMs as operating system extensions, distinct from the base ostree commit/image
+# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md
+# and https://github.com/coreos/fedora-coreos-tracker/issues/401
+
+repos:
+  - nfv
+
+extensions:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/326
+  usbguard:
+    packages:
+      - usbguard
+  kerberos:
+    packages:
+      - krb5-workstation
+      - libkadm5
+  # https://github.com/kmods-via-containers/kmods-via-containers/issues/3
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866
+  # These are currently overlaid onto the host so that they can be bind-mounted
+  # into build containers... in the future they should be a `development`
+  # extension: https://github.com/openshift/machine-config-operator/pull/2143.
+  kernel-devel:
+    packages:
+      - kernel-devel
+      - kernel-headers
+    match-base-evr: kernel
+  # These are already in the base, so they're not OS extensions, but they're
+  # useful to have in RPM form to install in kmod build containers.
+  kernel:
+    kind: development
+    packages:
+      - kernel
+      - kernel-core
+      - kernel-modules
+      - kernel-modules-extra
+    match-base-evr: kernel
+  # GRPA-2822
+  # https://github.com/openshift/machine-config-operator/pull/1330
+  # https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md
+  kernel-rt:
+    architectures:
+      - x86_64
+    packages:
+      - kernel-rt-core
+      - kernel-rt-kvm
+      - kernel-rt-modules
+      - kernel-rt-modules-extra
+      - kernel-rt-devel
+  # https://github.com/openshift/machine-config-operator/pull/2456
+  # https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md
+  # GRPA-3123
+  # - kata-containers (RHAOS)
+  # sandboxed-containers:
+  #   architectures:
+  #     - x86_64
+  #   modules:
+  #     enable:
+  #       - virt:rhel
+  #   repos:
+  #     - rhel-8-appstream
+  #   packages:
+  #     - kata-containers
diff --git a/manifest-common.yaml b/manifest-common.yaml
@@ -0,0 +1,245 @@
+# We inherit from Fedora CoreOS' base configuration
+include:
+  - fedora-coreos-config/manifests/ignition-and-ostree.yaml
+  - fedora-coreos-config/manifests/file-transfer.yaml
+  - fedora-coreos-config/manifests/networking-tools.yaml
+  - fedora-coreos-config/manifests/system-configuration.yaml
+  - fedora-coreos-config/manifests/user-experience.yaml
+  - fedora-coreos-config/manifests/shared-workarounds.yaml
+  # RHCOS owned packages
+  - rhcos-packages.yaml
+
+# Layers common to RHCOS & SCOS
+ostree-layers:
+  - overlay/01fcos
+  - overlay/02fcos-nouveau
+  - overlay/05rhcos
+  - overlay/06gcp-routes
+  - overlay/15rhcos-tuned-bits
+  - overlay/20platform-chrony
+  - overlay/21dhcp-chrony
+  - overlay/25rhcos-azure-udev-rules
+
+arch-include:
+  x86_64:
+    - fedora-coreos-config/manifests/grub2-removals.yaml
+    - fedora-coreos-config/manifests/bootupd.yaml
+  ppc64le: fedora-coreos-config/manifests/grub2-removals.yaml
+  aarch64:
+    - fedora-coreos-config/manifests/grub2-removals.yaml
+    - fedora-coreos-config/manifests/bootupd.yaml
+
+documentation: false
+initramfs-args:
+  - "--no-hostonly"
+  - "--omit-drivers"
+  - "nouveau"
+  - "--omit"
+  # we don't need root-on-NFS
+  # see upstream: https://github.com/coreos/fedora-coreos-config/pull/60
+  - "nfs"
+  - "--add"
+  - "iscsi"
+  - "ignition"
+  - "--add"
+  - "ifcfg"
+  - "--add"
+  - "fips"
+  # The current default in RHEL8 is network-legacy
+ ## XXX: This does not work for now: https://github.com/dracutdevs/dracut/issues/798
+ ## XXX: Temporarily use overlay.d/05rhcos/usr/lib/dracut/modules.d/29rhcos-need-network-manager/module-setup.sh
+ #- "--add"
+ #- "network-manager"
+  - "--omit"
+  - "network-legacy"
+
+postprocess:
+  - |
+     #!/usr/bin/env bash
+     set -xeo pipefail
+
+     # Disable PasswordAuthentication in SSH
+     sed -i "s|^PasswordAuthentication yes$|PasswordAuthentication no|g" /etc/ssh/sshd_config
+     # Disable root login because don't do that.
+     sed -i "s|^PermitRootLogin yes$|PermitRootLogin no|g" /etc/ssh/sshd_config
+     # Enable ClientAliveInterval and set to 180 per https://bugzilla.redhat.com/show_bug.cgi?id=1701050
+     sed -i "s|^#ClientAliveInterval 0$|ClientAliveInterval 180|g" /etc/ssh/sshd_config
+
+     # TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare
+     # See https://jira.coreos.com/browse/RHCOS-258
+     if [ "$(uname -m)" == "x86_64" ]; then
+     cat > /etc/vmware-tools/tools.conf <<'EOF'
+     [guestosinfo]
+     short-name = rhel8-64
+     EOF
+     fi
+
+     # TEMPORARY: Fix file permission for cpictl until fix is backported to RHEL 8.6
+     # See https://bugzilla.redhat.com/show_bug.cgi?id=2024102
+     if [ "$(uname -m)" == "s390x" ]; then
+     [ "$(stat -c '%a' /usr/lib/s390-tools/cpictl)" == "755" ] && echo "Permission for /usr/lib/s390-tools/cpictl is fixed, remove temporary hack"
+     chmod 755 /usr/lib/s390-tools/cpictl
+     fi
+
+     # Nuke network.service from orbit
+     # https://github.com/openshift/os/issues/117
+     rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network
+
+     # We're not using resolved yet
+     rm -f /usr/lib/systemd/system/systemd-resolved.service
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # manually modify SELinux booleans that are needed for OCP use cases
+    semanage boolean --modify --on container_use_cephfs      # RHBZ#1694045
+    semanage boolean --modify --on virt_use_samba            # RHBZ#1754825
+
+  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+  - |
+    #!/usr/bin/bash
+    mkdir -p /usr/share/containers/oci/hooks.d
+
+  # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
+  # so that the MCO can use it by default and not trip over SELinux issues trying
+  # to create it.
+  - |
+    #!/usr/bin/bash
+    mkdir -p /etc/yum.repos.d
+
+  # This updates the PAM configuration to reference all of the SSSD modules.
+  # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles`
+  # (https://github.com/pbrezina/authselect/issues/48).
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1774154
+  # NOTE: This is a temporary hack which should be updated after switching to systemd-sysusers
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    # use `authselect test` since `authselect select` wants to copy to `/var` too
+    authselect test sssd --nsswitch | tail -n +2 > /etc/nsswitch.conf
+    for pam_file in system-auth password-auth smartcard-auth fingerprint-auth postlogin; do
+      authselect test sssd --${pam_file} | tail -n +2 > /etc/pam.d/${pam_file}
+    done
+    rm -f $(which authselect)
+
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+exclude-packages:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1798278
+  - subscription-manager
+  # And this one shouldn't come in
+  - dnf
+  # https://github.com/coreos/rpm-ostree/pull/1789/files/a0cd999a8acd5b40ec1024a794a642916fbc8ff8#diff-fc2076dc46933204a7a798f544ce3734
+  # People need to use `rpm-ostree kargs` instead.
+  - grubby
+  # udisks2 is a fwupd recommends only need for encrypted swap checks
+  - udisks2
+  # dhcp-client is recommended by chrony for handling NTP servers given out via
+  # DHCP, but we have a NM dispatcher script that is doing that
+  # See: https://bugzilla.redhat.com/show_bug.cgi?id=1930468
+  # See: https://bugzilla.redhat.com/show_bug.cgi?id=1800901
+  - dhcp-client
+
+# Try to maintain this list ordering by "in RHEL, then not in RHEL".
+# To verify, disable all repos except the ootpa ones and then comment
+# out the bottom and run `coreos-assembler build`.
+# A lof of packages are inherited by the manifests included at the top.
+packages:
+ # Contains SCTP (https://bugzilla.redhat.com/show_bug.cgi?id=1718049)
+ # and it's not really going to be worth playing the "where's my kernel module"
+ # game long term.  If we ship it we support it, etc.
+ - kernel-modules-extra
+ # Audit
+ - audit
+ # Currently required by rpm-ostree
+ - polkit
+ # Containers
+ - containernetworking-plugins
+ # Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected
+ - container-selinux
+ - cri-o cri-tools
+ # Networking
+ - nfs-utils
+ - dnsmasq
+ - NetworkManager-ovs
+ # Extra runtime
+ - sssd
+ # Common tools used by scripts and admins interactively
+ - rsync tmux
+ - nmap-ncat strace
+ # Editors
+ - nano
+ # Red Hat CA certs
+ - subscription-manager-rhsm-certificates
+ # Used on the bootstrap node
+ - systemd-journal-remote
+ # Extras
+ - systemd-journal-gateway
+ - clevis clevis-luks clevis-dracut
+ - tpm2-tools
+ # Used to update PAM configuration to work with SSSD
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1774154
+ - authselect
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1900759
+ - qemu-guest-agent
+ # BELOW HERE ARE PACKAGES NOT IN RHEL
+ # OpenShift OKD
+ #- origin-node origin-hyperkube origin-clients
+ # OpenShift
+ - openshift-hyperkube openshift-clients
+ # Gluster - Used for Openshift e2e gluster testcases
+ # Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches
+ - glusterfs-fuse
+ # Needed for kernel-devel extension: https://bugzilla.redhat.com/show_bug.cgi?id=1885408
+ # x86_64 and s390x have these packages installed as dependencies of other packages, ppc64le does not
+ # FIXME: once the below BZs have been resolved to remove perl dependencies, this can be done in the extensions script
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1877905
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1886201
+ - perl-interpreter
+ # https://github.com/coreos/fedora-coreos-tracker/issues/404
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1925698
+ # https://github.com/openshift/machine-config-operator/pull/2421
+ - conntrack-tools
+
+packages-x86_64:
+  # Temporary add of open-vm-tools. Should be removed when containerized
+  - open-vm-tools
+  - irqbalance
+  # Until we sort out 4.2 -> 4.3 upgrades, we need to carry this.
+  # See also https://github.com/ostreedev/ostree/pull/1929
+  - ostree-grub2
+  # rdma-core cleanly covers some key bare metal use cases
+  - rdma-core
+
+packages-ppc64le:
+  - irqbalance
+  - librtas
+  - powerpc-utils-core
+  - ppc64-diag-rtas
+  - rdma-core
+
+remove-from-packages:
+  - - filesystem
+    - "/usr/share/backgrounds"
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1762509
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1727058
+  - - initscripts
+    - "/"
+  # Remove the systemd unit; we only want the binary to be used
+  # by MCD or kubelet.  See above.
+  - - conntrack-tools
+    - /usr/lib/systemd/system