Split manifest to support both RHCOS & SCOS
Enables us to build both SCOS and RHCOS from the same branch. RHCOS is still built by default for now. Change the manifest.yaml symlink target to build SCOS.
Showing 7 changed files with 706 additions and 426 deletions.
@@ -0,0 +1,62 @@ | ||
# RPMs as operating system extensions, distinct from the base ostree commit/image | ||
# https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/extensions.md | ||
# and https://github.com/coreos/fedora-coreos-tracker/issues/401 | ||
|
||
repos: | ||
- nfv | ||
|
||
extensions: | ||
# https://github.com/coreos/fedora-coreos-tracker/issues/326 | ||
usbguard: | ||
packages: | ||
- usbguard | ||
kerberos: | ||
packages: | ||
- krb5-workstation | ||
- libkadm5 | ||
# https://github.com/kmods-via-containers/kmods-via-containers/issues/3 | ||
# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/866 | ||
# These are currently overlaid onto the host so that they can be bind-mounted | ||
# into build containers... in the future they should be a `development` | ||
# extension: https://github.com/openshift/machine-config-operator/pull/2143. | ||
kernel-devel: | ||
packages: | ||
- kernel-devel | ||
- kernel-headers | ||
match-base-evr: kernel | ||
# These are already in the base, so they're not OS extensions, but they're | ||
# useful to have in RPM form to install in kmod build containers. | ||
kernel: | ||
kind: development | ||
packages: | ||
- kernel | ||
- kernel-core | ||
- kernel-modules | ||
- kernel-modules-extra | ||
match-base-evr: kernel | ||
# GRPA-2822 | ||
# https://github.com/openshift/machine-config-operator/pull/1330 | ||
# https://github.com/openshift/enhancements/blob/master/enhancements/support-for-realtime-kernel.md | ||
kernel-rt: | ||
architectures: | ||
- x86_64 | ||
packages: | ||
- kernel-rt-core | ||
- kernel-rt-kvm | ||
- kernel-rt-modules | ||
- kernel-rt-modules-extra | ||
- kernel-rt-devel | ||
# https://github.com/openshift/machine-config-operator/pull/2456 | ||
# https://github.com/openshift/enhancements/blob/master/enhancements/sandboxed-containers/sandboxed-containers-tech-preview.md | ||
# GRPA-3123 | ||
# - kata-containers (RHAOS) | ||
# sandboxed-containers: | ||
# architectures: | ||
# - x86_64 | ||
# modules: | ||
# enable: | ||
# - virt:rhel | ||
# repos: | ||
# - rhel-8-appstream | ||
# packages: | ||
# - kata-containers |
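Review bot: `repos: - nfv` and the `kernel-rt` package set are the RHEL-specific inputs in this file, yet the commit message says this branch now builds both RHCOS and SCOS; add a header comment stating whether this extensions file is shared by both builds or whether SCOS is expected to get its own, so a later change does not pull RHEL-only repos into an SCOS build unnoticed. The commented-out `sandboxed-containers` block at the end should also carry a one-line note on why it is disabled and what unblocks it, rather than only the ticket references.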
@@ -0,0 +1,245 @@ | ||
# We inherit from Fedora CoreOS' base configuration | ||
include: | ||
- fedora-coreos-config/manifests/ignition-and-ostree.yaml | ||
- fedora-coreos-config/manifests/file-transfer.yaml | ||
- fedora-coreos-config/manifests/networking-tools.yaml | ||
- fedora-coreos-config/manifests/system-configuration.yaml | ||
- fedora-coreos-config/manifests/user-experience.yaml | ||
- fedora-coreos-config/manifests/shared-workarounds.yaml | ||
# RHCOS owned packages | ||
- rhcos-packages.yaml | ||
|
||
# Layers common to RHCOS & SCOS | ||
ostree-layers: | ||
- overlay/01fcos | ||
- overlay/02fcos-nouveau | ||
- overlay/05rhcos | ||
- overlay/06gcp-routes | ||
- overlay/15rhcos-tuned-bits | ||
- overlay/20platform-chrony | ||
- overlay/21dhcp-chrony | ||
- overlay/25rhcos-azure-udev-rules | ||
|
||
arch-include: | ||
x86_64: | ||
- fedora-coreos-config/manifests/grub2-removals.yaml | ||
- fedora-coreos-config/manifests/bootupd.yaml | ||
ppc64le: fedora-coreos-config/manifests/grub2-removals.yaml | ||
aarch64: | ||
- fedora-coreos-config/manifests/grub2-removals.yaml | ||
- fedora-coreos-config/manifests/bootupd.yaml | ||
|
||
documentation: false | ||
initramfs-args: | ||
- "--no-hostonly" | ||
- "--omit-drivers" | ||
- "nouveau" | ||
- "--omit" | ||
# we don't need root-on-NFS | ||
# see upstream: https://github.com/coreos/fedora-coreos-config/pull/60 | ||
- "nfs" | ||
- "--add" | ||
- "iscsi" | ||
- "ignition" | ||
- "--add" | ||
- "ifcfg" | ||
- "--add" | ||
- "fips" | ||
# The current default in RHEL8 is network-legacy | ||
## XXX: This does not work for now: https://github.com/dracutdevs/dracut/issues/798 | ||
## XXX: Temporarily use overlay.d/05rhcos/usr/lib/dracut/modules.d/29rhcos-need-network-manager/module-setup.sh | ||
#- "--add" | ||
#- "network-manager" | ||
- "--omit" | ||
- "network-legacy" | ||
|
||
postprocess: | ||
- | | ||
#!/usr/bin/env bash | ||
set -xeo pipefail | ||
# Disable PasswordAuthentication in SSH | ||
sed -i "s|^PasswordAuthentication yes$|PasswordAuthentication no|g" /etc/ssh/sshd_config | ||
# Disable root login because don't do that. | ||
sed -i "s|^PermitRootLogin yes$|PermitRootLogin no|g" /etc/ssh/sshd_config | ||
# Enable ClientAliveInterval and set to 180 per https://bugzilla.redhat.com/show_bug.cgi?id=1701050 | ||
sed -i "s|^#ClientAliveInterval 0$|ClientAliveInterval 180|g" /etc/ssh/sshd_config | ||
# TEMPORARY: Create /etc/vmware-tools/tools.conf to ensure RHCOS shows up properly in VMWare | ||
# See https://jira.coreos.com/browse/RHCOS-258 | ||
if [ "$(uname -m)" == "x86_64" ]; then | ||
cat > /etc/vmware-tools/tools.conf <<'EOF' | ||
[guestosinfo] | ||
short-name = rhel8-64 | ||
EOF | ||
fi | ||
# TEMPORARY: Fix file permission for cpictl until fix is backported to RHEL 8.6 | ||
# See https://bugzilla.redhat.com/show_bug.cgi?id=2024102 | ||
if [ "$(uname -m)" == "s390x" ]; then | ||
[ "$(stat -c '%a' /usr/lib/s390-tools/cpictl)" == "755" ] && echo "Permission for /usr/lib/s390-tools/cpictl is fixed, remove temporary hack" | ||
chmod 755 /usr/lib/s390-tools/cpictl | ||
fi | ||
# Nuke network.service from orbit | ||
# https://github.com/openshift/os/issues/117 | ||
rm -rf /etc/rc.d/init.d/network /etc/rc.d/rc*.d/*network | ||
# We're not using resolved yet | ||
rm -f /usr/lib/systemd/system/systemd-resolved.service | ||
- | | ||
#!/usr/bin/env bash | ||
set -xeuo pipefail | ||
# manually modify SELinux booleans that are needed for OCP use cases | ||
semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 | ||
semanage boolean --modify --on virt_use_samba # RHBZ#1754825 | ||
# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1796537 | ||
- | | ||
#!/usr/bin/bash | ||
mkdir -p /usr/share/containers/oci/hooks.d | ||
# This is part of e.g. fedora-repos in Fedora; we now want to include it by default | ||
# so that the MCO can use it by default and not trip over SELinux issues trying | ||
# to create it. | ||
- | | ||
#!/usr/bin/bash | ||
mkdir -p /etc/yum.repos.d | ||
# This updates the PAM configuration to reference all of the SSSD modules. | ||
# Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles` | ||
# (https://github.com/pbrezina/authselect/issues/48). | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774154 | ||
# NOTE: This is a temporary hack which should be updated after switching to systemd-sysusers | ||
- | | ||
#!/usr/bin/env bash | ||
set -xeuo pipefail | ||
# use `authselect test` since `authselect select` wants to copy to `/var` too | ||
authselect test sssd --nsswitch | tail -n +2 > /etc/nsswitch.conf | ||
for pam_file in system-auth password-auth smartcard-auth fingerprint-auth postlogin; do | ||
authselect test sssd --${pam_file} | tail -n +2 > /etc/pam.d/${pam_file} | ||
done | ||
rm -f $(which authselect) | ||
etc-group-members: | ||
- wheel | ||
- sudo | ||
- systemd-journal | ||
- adm | ||
ignore-removed-users: | ||
- root | ||
ignore-removed-groups: | ||
- root | ||
check-passwd: | ||
type: "file" | ||
filename: "passwd" | ||
check-groups: | ||
type: "file" | ||
filename: "group" | ||
|
||
exclude-packages: | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1798278 | ||
- subscription-manager | ||
# And this one shouldn't come in | ||
- dnf | ||
# https://github.com/coreos/rpm-ostree/pull/1789/files/a0cd999a8acd5b40ec1024a794a642916fbc8ff8#diff-fc2076dc46933204a7a798f544ce3734 | ||
# People need to use `rpm-ostree kargs` instead. | ||
- grubby | ||
# udisks2 is a fwupd recommends only need for encrypted swap checks | ||
- udisks2 | ||
# dhcp-client is recommended by chrony for handling NTP servers given out via | ||
# DHCP, but we have a NM dispatcher script that is doing that | ||
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1930468 | ||
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1800901 | ||
- dhcp-client | ||
|
||
# Try to maintain this list ordering by "in RHEL, then not in RHEL". | ||
# To verify, disable all repos except the ootpa ones and then comment | ||
# out the bottom and run `coreos-assembler build`. | ||
# A lof of packages are inherited by the manifests included at the top. | ||
packages: | ||
# Contains SCTP (https://bugzilla.redhat.com/show_bug.cgi?id=1718049) | ||
# and it's not really going to be worth playing the "where's my kernel module" | ||
# game long term. If we ship it we support it, etc. | ||
- kernel-modules-extra | ||
# Audit | ||
- audit | ||
# Currently required by rpm-ostree | ||
- polkit | ||
# Containers | ||
- containernetworking-plugins | ||
# Pinned due to cosa on Fedora not honoring RHEL 8 modules as expected | ||
- container-selinux | ||
- cri-o cri-tools | ||
# Networking | ||
- nfs-utils | ||
- dnsmasq | ||
- NetworkManager-ovs | ||
# Extra runtime | ||
- sssd | ||
# Common tools used by scripts and admins interactively | ||
- rsync tmux | ||
- nmap-ncat strace | ||
# Editors | ||
- nano | ||
# Red Hat CA certs | ||
- subscription-manager-rhsm-certificates | ||
# Used on the bootstrap node | ||
- systemd-journal-remote | ||
# Extras | ||
- systemd-journal-gateway | ||
- clevis clevis-luks clevis-dracut | ||
- tpm2-tools | ||
# Used to update PAM configuration to work with SSSD | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774154 | ||
- authselect | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1900759 | ||
- qemu-guest-agent | ||
# BELOW HERE ARE PACKAGES NOT IN RHEL | ||
# OpenShift OKD | ||
#- origin-node origin-hyperkube origin-clients | ||
# OpenShift | ||
- openshift-hyperkube openshift-clients | ||
# Gluster - Used for Openshift e2e gluster testcases | ||
# Reverts https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/367 and add it for all arches | ||
- glusterfs-fuse | ||
# Needed for kernel-devel extension: https://bugzilla.redhat.com/show_bug.cgi?id=1885408 | ||
# x86_64 and s390x have these packages installed as dependencies of other packages, ppc64le does not | ||
# FIXME: once the below BZs have been resolved to remove perl dependencies, this can be done in the extensions script | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1877905 | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1886201 | ||
- perl-interpreter | ||
# https://github.com/coreos/fedora-coreos-tracker/issues/404 | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1925698 | ||
# https://github.com/openshift/machine-config-operator/pull/2421 | ||
- conntrack-tools | ||
|
||
packages-x86_64: | ||
# Temporary add of open-vm-tools. Should be removed when containerized | ||
- open-vm-tools | ||
- irqbalance | ||
# Until we sort out 4.2 -> 4.3 upgrades, we need to carry this. | ||
# See also https://github.com/ostreedev/ostree/pull/1929 | ||
- ostree-grub2 | ||
# rdma-core cleanly covers some key bare metal use cases | ||
- rdma-core | ||
|
||
packages-ppc64le: | ||
- irqbalance | ||
- librtas | ||
- powerpc-utils-core | ||
- ppc64-diag-rtas | ||
- rdma-core | ||
|
||
remove-from-packages: | ||
- - filesystem | ||
- "/usr/share/backgrounds" | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1762509 | ||
# https://bugzilla.redhat.com/show_bug.cgi?id=1727058 | ||
- - initscripts | ||
- "/" | ||
# Remove the systemd unit; we only want the binary to be used | ||
# by MCD or kubelet. See above. | ||
- - conntrack-tools | ||
- /usr/lib/systemd/system |
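Review bot: the sshd hardening in the first `postprocess` script only rewrites lines that already read exactly `PasswordAuthentication yes` / `PermitRootLogin yes`; if the packaged `/etc/ssh/sshd_config` ships those directives commented out or with a different value, `sed -i` matches nothing, `set -e` does not catch it, and sshd's compiled-in default applies. Add a check after the edits, e.g. `grep -q '^PasswordAuthentication no$' /etc/ssh/sshd_config` and `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config`, so the build fails instead of producing an image without the intended hardening. Minor: that script uses `set -xeo pipefail` while the later scripts use `set -xeuo pipefail`; consider `-u` here as well for consistency.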