diff --git a/packaging/selinux/microshift.te b/packaging/selinux/microshift.te index 175b926e8a..0d9ef586b8 100644 --- a/packaging/selinux/microshift.te +++ b/packaging/selinux/microshift.te @@ -4,15 +4,9 @@ type microshift_t; domain_type(microshift_t); gen_require(` - type kubelet_t, var_lib_t, container_var_lib_t, kernel_t; + type kubelet_t, var_lib_t, container_var_lib_t; ') -# Workaround for kernel 7.x composefs/overlayfs SELinux regression (USHIFT-7215). -# CRI-O runs as kernel_t instead of container_runtime_t on composefs, which denies -# execmem needed for text relocations. Upstream fix: kernel v7.1-rc1 commits -# 880bd496ec72, 6af36aeb147a, 82544d36b172. Remove when backported to RHEL 10.2 kernel. -allow kernel_t self:process execmem; - # When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied # Note: filetrans_pattern rules states; # Process running as `kubelet_t` that creates a `dir` called `microshift-backups` diff --git a/test/bin/ci_phase_iso_build.sh b/test/bin/ci_phase_iso_build.sh index 5cdbbe63f8..dcdf43a175 100755 --- a/test/bin/ci_phase_iso_build.sh +++ b/test/bin/ci_phase_iso_build.sh 
@@ -70,8 +70,18 @@ update_build_cache() { # Build templates $(dry_run) bash -x ./bin/build_bootc_images.sh -g ./image-blueprints-bootc/templates # Build the bootc base layer and brew RPMs to be cached - $(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer1-base -l ./image-blueprints-bootc/el10/layer1-base - $(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer4-release -l ./image-blueprints-bootc/el10/layer4-release + local pid1 pid2 failed=false + $(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer1-base -l ./image-blueprints-bootc/el9/layer4-release & + pid1=$! + $(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el10/layer1-base -l ./image-blueprints-bootc/el10/layer4-release & + pid2=$! + + wait "${pid1}" || failed=true + wait "${pid2}" || failed=true + if ${failed}; then + echo "ERROR: One of the build_bootc_images.sh commands failed" + exit 1 + fi # Prepare for the cache upload by stopping composer services and cleaning # temporary artifacts diff --git a/test/bin/common.sh b/test/bin/common.sh index 8b092354b8..ef682a676f 100644 --- a/test/bin/common.sh +++ b/test/bin/common.sh @@ -388,8 +388,6 @@ MICROSHIFT_Y2_OPTIONAL_RPMS_LIST=( microshift-cert-manager-release-info microshift-sriov microshift-sriov-release-info - microshift-metrics-server - microshift-metrics-server-release-info ) MICROSHIFT_Y1_OPTIONAL_RPMS_LIST=( "${MICROSHIFT_Y2_OPTIONAL_RPMS_LIST[@]}" diff --git a/test/bin/pyutils/build_bootc_images.py b/test/bin/pyutils/build_bootc_images.py index d432db2bf3..6231816872 100644 --- a/test/bin/pyutils/build_bootc_images.py +++ b/test/bin/pyutils/build_bootc_images.py 
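Review bot: When one of the two background builds fails, the message printed after the `wait` calls does not say which one failed, and both jobs emit `bash -x` traces to the same output, so the interleaved log will not make it obvious either. Recording the failure at each `wait` would fix that, e.g. `wait "${pid1}" || { echo "ERROR: el9 bootc image build failed"; failed=true; }` and the same for `pid2` with el10. If the script is interrupted between the launches and the `wait`s, nothing in this hunk stops the background jobs; whether an existing trap covers that is not visible here. `update_build_cache` begins before the hunk and continues after it.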
@@ -31,9 +31,8 @@ BREW_REPO = common.get_env_var('BREW_REPO') HOME_DIR = common.get_env_var("HOME") PULL_SECRET = common.get_env_var('PULL_SECRET', f"{HOME_DIR}/.pull-secret.json") -# Switch to quay.io/centos-bootc/bootc-image-builder:latest if any new upstream -# features are required -BIB_IMAGE = "registry.redhat.io/rhel9/bootc-image-builder:latest" +BIB_IMAGE_RHEL9 = "registry.redhat.io/rhel9/bootc-image-builder:latest" +BIB_IMAGE = "registry.redhat.io/rhel10/bootc-image-builder:latest" IBC_IMAGE = "ghcr.io/osbuild/image-builder-cli:latest" GOMPLATE = common.get_env_var('GOMPLATE') MIRROR_REGISTRY = common.get_env_var('MIRROR_REGISTRY_URL') @@ -48,7 +47,7 @@ def cleanup_atexit(dry_run): common.terminate_process(pid) # Terminate running image builder containers - for builder_image in [BIB_IMAGE, IBC_IMAGE]: + for builder_image in [BIB_IMAGE_RHEL9, BIB_IMAGE, IBC_IMAGE]: podman_args = [ "sudo", "podman", "ps", "--filter", f"ancestor={builder_image}", @@ -356,6 +355,12 @@ def should_skip(image, cached): common.run_command(["sed", f"s/^/{cf_outname}: /", cf_logfile], dry_run) +def get_bib_image(bootc_imgref): + if "/rhel9/" in bootc_imgref or "/rhel-9." in bootc_imgref: + return BIB_IMAGE_RHEL9 + return BIB_IMAGE + + def process_image_bootc(groupdir, bootcfile, dry_run): bf_path, bf_outname, bf_outdir, bf_logfile = get_process_file_names( groupdir, bootcfile, BOOTC_ISO_DIR) 
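Review bot: `BIB_IMAGE` silently changes meaning in this hunk from the RHEL 9 builder to the RHEL 10 one, while only the RHEL 9 constant carries its version in the name. Renaming it to `BIB_IMAGE_RHEL10` and adding a one-line comment such as `# Builder images are selected per RHEL major version by get_bib_image()` would make the pairing explicit for anyone reading the constants. Both references use the mutable `:latest` tag and are pulled through `sudo podman`, so pinning each by digest would keep CI builds reproducible; that practice predates this commit rather than being introduced by it.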
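Review bot: This cleanup loop filters on all three builder images by `ancestor=`, not on containers the current process started, and `ci_phase_iso_build.sh` now runs two build processes in parallel. The rest of `cleanup_atexit` is outside the hunk, but if it stops every container that `podman ps` returns, the first build to exit could terminate builder containers that belong to the other build. Consider limiting the cleanup to containers this process launched, for example by labelling them at run time and filtering on that label. At minimum, add a comment stating that the function assumes a single builder process per host.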
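Review bot: `get_bib_image` picks the builder by substring match and silently falls back to the RHEL 10 builder for every reference that contains neither `/rhel9/` nor `/rhel-9.`. A locally built reference in the `localhost/<name>:latest` form (the form the old `rhel102-bootc.image-bootc` used) would therefore be built with the RHEL 10 builder whatever its base; whether such el9 references exist is not visible in this diff. The function also has no docstring; suggest `"""Return the bootc-image-builder image for bootc_imgref: the RHEL 9 builder for rhel9 references, otherwise the RHEL 10 one."""`. If el9 references of other shapes do exist, handle the unmatched case explicitly instead of treating it as the default.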
@@ -393,19 +398,20 @@ def should_skip(file): try: # Redirect the output to the log file with open(bf_logfile, 'w') as logfile: + # Read the image reference and select the matching BIB + bf_imgref = common.read_file_valid_lines(bf_outfile).strip() + bib_image = get_bib_image(bf_imgref) + # Download the bootc image builder itself in case # it requires authorization for accessing the image pull_args = [ "sudo", "podman", "pull", - "--authfile", PULL_SECRET, BIB_IMAGE + "--authfile", PULL_SECRET, bib_image ] start = time.time() common.retry_on_exception(3, common.run_command_in_shell, pull_args, dry_run, logfile, logfile) common.record_junit(bf_path, "pull-bootc-bib", "OK", start) - # Read the image reference - bf_imgref = common.read_file_valid_lines(bf_outfile).strip() - # Download the image to be used by bootc image builder. # Locally built images should also be downloaded in case they were # cached but not fetched from the mirror registry. @@ -431,7 +437,7 @@ def should_skip(file): ] # Add the bootc image builder command line using local images build_args += [ - BIB_IMAGE, + bib_image, "--type", "anaconda-iso", bf_imgref ] diff --git a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile index 1ebbd33fd5..7deeb1cc84 100644 --- a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile +++ b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile 
@@ -1,19 +1,12 @@ -FROM registry.stage.redhat.io/rhel10/rhel-bootc:10.2 +FROM registry.redhat.io/rhel10/rhel-bootc:10.2 # Build arguments ARG USHIFT_RPM_REPO_NAME=microshift-local ARG USHIFT_RPM_REPO_PATH=/tmp/$USHIFT_RPM_REPO_NAME # Configure the RPM repositories -# - No EUS repositories in staging environment -# - Disable default repositories to avoid pre-release repo access errors COPY --chmod=755 ./bootc-images/rpm-repo-config.sh /tmp/rpm-repo-config.sh -RUN /tmp/rpm-repo-config.sh --disable-all && rm -f /tmp/rpm-repo-config.sh - -# Configure the RHEL mirror RPM repositories (for use in the staging environment) -ARG RHEL_MIRROR_REPO_NAME=rhel102-mirror.repo -ARG RHEL_MIRROR_REPO_PATH=/etc/yum.repos.d/$RHEL_MIRROR_REPO_NAME -COPY --chmod=644 ./bootc-images/$RHEL_MIRROR_REPO_NAME $RHEL_MIRROR_REPO_PATH +RUN /tmp/rpm-repo-config.sh --enable-eus && rm -f /tmp/rpm-repo-config.sh # Copy the MicroShift repository contents COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH diff --git a/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-bootc.image-bootc b/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-bootc.image-bootc index 49161c5354..564a58b86e 100644 --- a/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-bootc.image-bootc +++ b/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-bootc.image-bootc @@ -1,7 +1 @@ - -# TODO: Replace this by a RHEL 10.2 image when its RPM repositories are released. -# Bootc Image Builder has a limitation does not allowing it to build ISO images -# from containers that use repositories protected by credentials. Thus, we build -# from the test agent container image which uses proxy for accessing repositories. -# registry.redhat.io/rhel10/rhel-bootc:10.2 -localhost/rhel102-test-agent:latest +registry.redhat.io/rhel10/rhel-bootc:10.2 \ No newline at end of file 
diff --git a/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-installer.image-installer b/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-installer.image-installer
index c5271c9e1d..4d279e3e94 100644
--- a/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-installer.image-installer
+++ b/test/image-blueprints-bootc/el10/layer1-base/group2/rhel102-installer.image-installer
@@ -1,2 +1 @@
-
-rhel-10.2
+rhel-10.2
\ No newline at end of file
diff --git a/test/package-sources-bootc/rhel102-mirror.repo b/test/package-sources-bootc/rhel102-mirror.repo
deleted file mode 100644
index a7eb27b06d..0000000000
--- a/test/package-sources-bootc/rhel102-mirror.repo
+++ /dev/null
@@ -1,31 +0,0 @@
-[rhel-10.2-appstream]
-name = rhel-10.2-appstream
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-102-appstream
-enabled = 1
-sslverify = false
-gpgcheck = 0
-# Increase the priority of the RHEL mirror baseos / appstream repositories to
-# ensure its packages take precedence over RHEL mirror early-kernel repositories,
-# but not over RHOCP beta repositories with higher priority.
-priority=60
-skip_if_unavailable = false
-
-[rhel-10.2-baseos]
-name = rhel-10.2-baseos
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-102-baseos
-enabled = 1
-sslverify = false
-gpgcheck = 0
-# Increase the priority of the RHEL mirror baseos / appstream repositories to
-# ensure its packages take precedence over RHEL mirror early-kernel repositories,
-# but not over RHOCP beta repositories with higher priority.
-priority=60
-skip_if_unavailable = false
-
-[rhel-10.2-early-kernel]
-name = rhel-10.2-early-kernel
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-102-early-kernel
-enabled = 1
-sslverify = false
-gpgcheck = 0
-skip_if_unavailable = false