From 94818f594109e72626cb334644a1e4fc4a900009 Mon Sep 17 00:00:00 2001 From: Brent Baude Date: Thu, 28 Sep 2023 09:07:42 -0500 Subject: [PATCH] podman machine: disable zincati update service As explained in #21022, there are all kinds of downsides to a machine updating itself (via zincati) automatically, like interuption of service, lost mounts, etc. disabling zincati will at least allow stop these downsides. we are likely to contemplate if podman will take over the update process externally where interuption of services will not occur etc. Fixes #20122 Signed-off-by: Brent Baude --- .../markdown/podman-machine-init.1.md.in | 28 ++++++++++++++++++- pkg/machine/e2e/config_test.go | 13 +++++++-- pkg/machine/e2e/init_test.go | 13 +++++++-- pkg/machine/ignition.go | 6 ++++ 4 files changed, 55 insertions(+), 5 deletions(-) diff --git a/docs/source/markdown/podman-machine-init.1.md.in b/docs/source/markdown/podman-machine-init.1.md.in index 77232bc85c..f3d0c2cff5 100644 --- a/docs/source/markdown/podman-machine-init.1.md.in +++ b/docs/source/markdown/podman-machine-init.1.md.in @@ -24,7 +24,30 @@ but can be optionally used on Linux. SSH keys are automatically generated to access the VM, and system connections to the root account and a user account inside the VM are added. -By default, the VM distribution is [Fedora CoreOS](https://getfedora.org/en/coreos?stream=testing). +By default, the VM distribution is [Fedora CoreOS](https://getfedora.org/en/coreos?stream=testing) except for +WSL which is based on a custom Fedora image. While Fedora CoreOS upgrades come out every 14 days, the automatic +update mechanism Zincata is disabled by Podman machine. + +To check if there is an upgrade available for your machine os, you can run the following command: + +``` +$ podman machine ssh 'sudo rpm-ostree upgrade --check' + +``` +If an update is available, you can rerun the above command and remove the `--check` and your operating system will +be updated. After updating, you must stop and start your machine with `podman machine stop && podman machine start` for +it to take effect. + +Note: Updating as described above can result in version mismatches between Podman on the host and Podman in the +machine. Executing `podman info` should reveal versions of both. A configuration where the Podman host and machine +mismatch are unsupported. + +For more information on updates and advanced configuration, +see the Fedora CoreOS documentation about [auto-updates](https://docs.fedoraproject.org/en-US/fedora-coreos/auto-updates/) and [update strategies](https://coreos.github.io/zincati/usage/updates-strategy/). + + + + Fedora CoreOS upgrades come out every 14 days and are detected and installed automatically. The VM is rebooted during the upgrade. For more information on updates and advanced configuration, see the Fedora CoreOS documentation about [auto-updates](https://docs.fedoraproject.org/en-US/fedora-coreos/auto-updates/) and [update strategies](https://coreos.github.io/zincati/usage/updates-strategy/). @@ -78,6 +101,9 @@ Set the timezone for the machine and containers. Valid values are `local` or a `timezone` such as `America/Chicago`. A value of `local`, which is the default, means to use the timezone of the machine host. +The timezone setting is not used with WSL. WSL automatically sets the timezone to the same +as the host Windows operating system. + @@option user-mode-networking #### **--username** diff --git a/pkg/machine/e2e/config_test.go b/pkg/machine/e2e/config_test.go index 63e0fa7bbd..420505e701 100644 --- a/pkg/machine/e2e/config_test.go +++ b/pkg/machine/e2e/config_test.go @@ -203,13 +203,13 @@ func (matcher *ValidJSONMatcher) NegatedFailureMessage(actual interface{}) (mess } func skipIfVmtype(vmType machine.VMType, message string) { - if testProvider.VMType() == vmType { + if isVmtype(vmType) { Skip(message) } } func skipIfNotVmtype(vmType machine.VMType, message string) { - if testProvider.VMType() != vmType { + if !isVmtype(vmType) { Skip(message) } } @@ -217,3 +217,12 @@ func skipIfNotVmtype(vmType machine.VMType, message string) { func skipIfWSL(message string) { skipIfVmtype(machine.WSLVirt, message) } + +func isVmtype(vmType machine.VMType) bool { + return testProvider.VMType() == vmType +} + +// isWSL is a simple wrapper to determine if the testprovider is WSL +func isWSL() bool { + return isVmtype(machine.WSLVirt) +} diff --git a/pkg/machine/e2e/init_test.go b/pkg/machine/e2e/init_test.go index 3b0dff7d04..4ea370dff0 100644 --- a/pkg/machine/e2e/init_test.go +++ b/pkg/machine/e2e/init_test.go @@ -8,7 +8,6 @@ import ( "time" "github.com/containers/podman/v4/pkg/machine" - . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/onsi/gomega/gexec" @@ -52,7 +51,7 @@ var _ = Describe("podman machine init", func() { testMachine := inspectBefore[0] Expect(testMachine.Name).To(Equal(mb.names[0])) - if testProvider.VMType() != machine.WSLVirt { // WSL hardware specs are hardcoded + if testProvider.VMType() == machine.WSLVirt { // WSL hardware specs are hardcoded Expect(testMachine.Resources.CPUs).To(Equal(uint64(cpus))) Expect(testMachine.Resources.Memory).To(Equal(uint64(2048))) } @@ -82,6 +81,16 @@ var _ = Describe("podman machine init", func() { Expect(inspectBefore).ToNot(BeEmpty()) Expect(inspectAfter).ToNot(BeEmpty()) Expect(inspectAfter[0].State).To(Equal(machine.Running)) + + if isWSL() { // WSL does not use FCOS + return + } + + // check to see that zincati is masked + sshDisk := sshMachine{} + zincati, err := mb.setCmd(sshDisk.withSSHCommand([]string{"sudo", "systemctl", "is-enabled", "zincati"})).run() + Expect(err).ToNot(HaveOccurred()) + Expect(zincati.outputToString()).To(ContainSubstring("disabled")) }) It("simple init with username", func() { diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index ac457360d1..7a6ca7a617 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -210,6 +210,12 @@ WantedBy=sysinit.target Name: "remove-moby.service", Contents: &deMoby, }, + { + // Disable auto-updating of fcos images + // https://github.com/containers/podman/issues/20122 + Enabled: BoolToPtr(false), + Name: "zincati.service", + }, }} // Only qemu has the qemu firmware environment setting