8 changes: 1 addition & 7 deletions packaging/selinux/microshift.te
Expand Up @@ -4,15 +4,9 @@ type microshift_t;
domain_type(microshift_t);

gen_require(`
type kubelet_t, var_lib_t, container_var_lib_t, kernel_t;
type kubelet_t, var_lib_t, container_var_lib_t;
')

# Workaround for kernel 7.x composefs/overlayfs SELinux regression (USHIFT-7215).
# CRI-O runs as kernel_t instead of container_runtime_t on composefs, which denies
# execmem needed for text relocations. Upstream fix: kernel v7.1-rc1 commits
# 880bd496ec72, 6af36aeb147a, 82544d36b172. Remove when backported to RHEL 10.2 kernel.
allow kernel_t self:process execmem;

# When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied
# Note: filetrans_pattern rules states;
# Process running as `kubelet_t` that creates a `dir` called `microshift-backups`
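--- a/test/bin/ci_phase_iso_build.sh
+++ b/test/bin/ci_phase_iso_build.sh
@@ -70,8 +70,18 @@ update_build_cache() {
 # Build templates
 $(dry_run) bash -x ./bin/build_bootc_images.sh -g ./image-blueprints-bootc/templates
 # Build the bootc base layer and brew RPMs to be cached
-$(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer1-base -l ./image-blueprints-bootc/el10/layer1-base
-$(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer4-release -l ./image-blueprints-bootc/el10/layer4-release
+local pid1 pid2 failed=false
+$(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el9/layer1-base -l ./image-blueprints-bootc/el9/layer4-release &
+pid1=$!
+$(dry_run) bash -x ./bin/build_bootc_images.sh -l ./image-blueprints-bootc/el10/layer1-base -l ./image-blueprints-bootc/el10/layer4-release &
+pid2=$!
+
+wait "${pid1}" || failed=true
+wait "${pid2}" || failed=true
+if ${failed}; then
+echo "ERROR: One of the build_bootc_images.sh commands failed"
+exit 1
+fi
 
 # Prepare for the cache upload by stopping composer services and cleaning
 # temporary artifacts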
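Review bot: The failure path after the two `wait` calls only reports "One of the build_bootc_images.sh commands failed", so the log does not say whether the el9 or the el10 build broke, and both builds now run under `bash -x` at the same time, so their traces interleave. Recording the failing side at the wait, e.g. `wait "${pid1}" || { echo "ERROR: el9 bootc build failed"; failed=true; }` (and the same for `pid2` with el10), keeps the exit behaviour and makes the CI log attributable. Whether build_bootc_images.sh is safe to run twice in parallel against the same working tree and container storage is not visible from this hunk and is worth confirming before relying on it. update_build_cache's body continues outside the hunk.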
2 changes: 0 additions & 2 deletions test/bin/common.sh
Expand Up @@ -388,8 +388,6 @@ MICROSHIFT_Y2_OPTIONAL_RPMS_LIST=(
microshift-cert-manager-release-info
microshift-sriov
microshift-sriov-release-info
microshift-metrics-server
microshift-metrics-server-release-info
)
MICROSHIFT_Y1_OPTIONAL_RPMS_LIST=(
"${MICROSHIFT_Y2_OPTIONAL_RPMS_LIST[@]}"
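--- a/test/bin/pyutils/build_bootc_images.py
+++ b/test/bin/pyutils/build_bootc_images.py
@@ -31,9 +31,8 @@
 BREW_REPO = common.get_env_var('BREW_REPO')
 HOME_DIR = common.get_env_var("HOME")
 PULL_SECRET = common.get_env_var('PULL_SECRET', f"{HOME_DIR}/.pull-secret.json")
-# Switch to quay.io/centos-bootc/bootc-image-builder:latest if any new upstream
-# features are required
-BIB_IMAGE = "registry.redhat.io/rhel9/bootc-image-builder:latest"
+BIB_IMAGE_RHEL9 = "registry.redhat.io/rhel9/bootc-image-builder:latest"
+BIB_IMAGE = "registry.redhat.io/rhel10/bootc-image-builder:latest"
 IBC_IMAGE = "ghcr.io/osbuild/image-builder-cli:latest"
 GOMPLATE = common.get_env_var('GOMPLATE')
 MIRROR_REGISTRY = common.get_env_var('MIRROR_REGISTRY_URL')
@@ -48,7 +47,7 @@ def cleanup_atexit(dry_run):
 common.terminate_process(pid)
 
 # Terminate running image builder containers
-for builder_image in [BIB_IMAGE, IBC_IMAGE]:
+for builder_image in [BIB_IMAGE_RHEL9, BIB_IMAGE, IBC_IMAGE]:
 podman_args = [
 "sudo", "podman", "ps",
 "--filter", f"ancestor={builder_image}",
@@ -356,6 +355,12 @@ def should_skip(image, cached):
 common.run_command(["sed", f"s/^/{cf_outname}: /", cf_logfile], dry_run)
 
 
+def get_bib_image(bootc_imgref):
+if "/rhel9/" in bootc_imgref or "/rhel-9." in bootc_imgref:
+return BIB_IMAGE_RHEL9
+return BIB_IMAGE
+
+
 def process_image_bootc(groupdir, bootcfile, dry_run):
 bf_path, bf_outname, bf_outdir, bf_logfile = get_process_file_names(
 groupdir, bootcfile, BOOTC_ISO_DIR)
@@ -393,19 +398,20 @@ def should_skip(file):
 try:
 # Redirect the output to the log file
 with open(bf_logfile, 'w') as logfile:
+# Read the image reference and select the matching BIB
+bf_imgref = common.read_file_valid_lines(bf_outfile).strip()
+bib_image = get_bib_image(bf_imgref)
+
 # Download the bootc image builder itself in case
 # it requires authorization for accessing the image
 pull_args = [
 "sudo", "podman", "pull",
-"--authfile", PULL_SECRET, BIB_IMAGE
+"--authfile", PULL_SECRET, bib_image
 ]
 start = time.time()
 common.retry_on_exception(3, common.run_command_in_shell, pull_args, dry_run, logfile, logfile)
 common.record_junit(bf_path, "pull-bootc-bib", "OK", start)
 
-# Read the image reference
-bf_imgref = common.read_file_valid_lines(bf_outfile).strip()
-
 # Download the image to be used by bootc image builder.
 # Locally built images should also be downloaded in case they were
 # cached but not fetched from the mirror registry.
@@ -431,7 +437,7 @@ def should_skip(file):
 ]
 # Add the bootc image builder command line using local images
 build_args += [
-BIB_IMAGE,
+bib_image,
 "--type", "anaconda-iso",
 bf_imgref
 ]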
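Review bot: `get_bib_image` selects the builder by substring, so any reference that contains neither `/rhel9/` nor `/rhel-9.` silently gets the RHEL 10 builder; a RHEL 9 image named in another form (for example a `localhost/...` tag with no `/rhel9/` path segment) would presumably be built with the wrong BIB. The function has no docstring saying which reference formats it expects; I would add `"""Return the bootc-image-builder image for bootc_imgref: RHEL 9 refs contain '/rhel9/' or '/rhel-9.', anything else uses the RHEL 10 builder."""` and write the selected `bib_image` to the logfile before the pull so a wrong match is visible. Separately, the new `BIB_IMAGE` line adds a second builder on the mutable `:latest` tag, pulled through `sudo podman`; pinning both builder images by digest would keep an upstream tag move from changing what runs with root privileges. process_image_bootc's body continues outside the hunks shown.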
@@ -1,19 +1,12 @@
FROM registry.stage.redhat.io/rhel10/rhel-bootc:10.2
FROM registry.redhat.io/rhel10/rhel-bootc:10.2

# Build arguments
ARG USHIFT_RPM_REPO_NAME=microshift-local
ARG USHIFT_RPM_REPO_PATH=/tmp/$USHIFT_RPM_REPO_NAME

# Configure the RPM repositories
# - No EUS repositories in staging environment
# - Disable default repositories to avoid pre-release repo access errors
COPY --chmod=755 ./bootc-images/rpm-repo-config.sh /tmp/rpm-repo-config.sh
RUN /tmp/rpm-repo-config.sh --disable-all && rm -f /tmp/rpm-repo-config.sh

# Configure the RHEL mirror RPM repositories (for use in the staging environment)
ARG RHEL_MIRROR_REPO_NAME=rhel102-mirror.repo
ARG RHEL_MIRROR_REPO_PATH=/etc/yum.repos.d/$RHEL_MIRROR_REPO_NAME
COPY --chmod=644 ./bootc-images/$RHEL_MIRROR_REPO_NAME $RHEL_MIRROR_REPO_PATH
RUN /tmp/rpm-repo-config.sh --enable-eus && rm -f /tmp/rpm-repo-config.sh

# Copy the MicroShift repository contents
COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
@@ -1,7 +1 @@

# TODO: Replace this by a RHEL 10.2 image when its RPM repositories are released.
# Bootc Image Builder has a limitation does not allowing it to build ISO images
# from containers that use repositories protected by credentials. Thus, we build
# from the test agent container image which uses proxy for accessing repositories.
# registry.redhat.io/rhel10/rhel-bootc:10.2
localhost/rhel102-test-agent:latest
registry.redhat.io/rhel10/rhel-bootc:10.2
@@ -1,2 +1 @@

rhel-10.2
rhel-10.2
31 changes: 0 additions & 31 deletions test/package-sources-bootc/rhel102-mirror.repo

This file was deleted.