Inherit from fedora-bootc's tier-x on Fedora 42+ #3177
Conversation
|
Targeting rawhide for now to exercise it in CI. Will retarget testing-devel once this is ready to go. Other outstanding items:
|
|
Some diff stats: testing-devel
rawhide
|
|
Huh, looks like the submodule isn't getting initialized in CI. Investigating. |
| # Firewall manipulation | ||
| - iptables nftables | ||
| - nftables |
There was a problem hiding this comment.
I'm surprised iptables is included in bootc tier-x, but nftables isn't.
There was a problem hiding this comment.
nftables actually is in tier-0 (and so also tier-x), as a dependency of the container stack. We could make it explicit there to make that clearer?
| # This manifest can go away in Fedora 42. It duplicates tier-x. | ||
|
|
||
| # Default to `bash` in our container, the same as other containers we ship. | ||
| # Note this changes to /sbin/init in f42 as inherited by tier-x. |
There was a problem hiding this comment.
does this make the generated container not podman run able without specifying more on the command line?
There was a problem hiding this comment.
Though more precisely it is still podman run able it just runs systemd and not a shell...
| @@ -5,9 +5,6 @@ | |||
| # One good model is to add fedora-coreos-config as a git submodule. See: | |||
| # https://github.com/coreos/coreos-assembler/pull/639 | |||
|
|
|||
| # Include rpm-ostree + kernel + bootloader | |||
| include: bootable-rpm-ostree.yaml | |||
|
|
|||
There was a problem hiding this comment.
notable that fedora-coreos-base.yaml isn't included in RHCOS, but ignition-and-ostree.yaml is. So there will be some fixups to that repo needed when we bump the f-c-c git submodule there.
There was a problem hiding this comment.
Yeah, there's a bunch of tweaks needed in openshift/os to adapt to this. I'm working on that in parallel with this PR but haven't published it yet.
| tmp-is-dir: true | ||
|
|
||
| # Required by Ignition, and makes the system not compatible with Anaconda | ||
| machineid-compat: false |
There was a problem hiding this comment.
This is also in manifests/tier-x.yaml
There was a problem hiding this comment.
Yes, this is by design. We need to keep this manifest until we only have tier-x. It's only included in the < 42 path.
.gitmodules
Outdated
There was a problem hiding this comment.
I'm not the biggest fan of a submodule here but I guess that's really the only way to share at this stage. I really don't know of anything better, but a lot of questions to come to mind.
- since we sync around things in this repo using
configbot, how are updates to the submodule going to work? - we sometimes have our "streams" on different versions of Fedora. Right now
stabletestingandtesting-develare on F40,nextandnext-develare on F41, andrawhideF42. How do we account for this with a submodule. https://gitlab.com/fedora/bootc/base-images.git isn't a linear definition, it has branches like the rest of Fedora.
There was a problem hiding this comment.
Filed https://gitlab.com/fedora/bootc/tracker/-/issues/39 related to this.
There was a problem hiding this comment.
since we sync around things in this repo using config bot, how are updates to the submodule going to work?
We should be able to propagate submodule bumps just like any other file. I need to make sure configbot handles this well.
gitlab.com/fedora/bootc/base-images.git isn't a linear definition, it has branches like the rest of Fedora
This is fixed now! The main branch of base-images tracks all active releases (and we can use releasever conditionals there like we do here, but don't yet).
There was a problem hiding this comment.
As of recently I started using subtree merges a bit...it has a huge set of advantages here but some disadvantages in that it's way easier to accidentally fork. But the plus side is it is easy to fork and we don't need hacks like "push downstream branch to upstream".
There was a problem hiding this comment.
The other way of course we should share is a variant of https://gitlab.com/fedora/bootc/tracker/-/issues/32 where we publish the manifests as a container image and it's required to COPY --from that image when doing a build.
This has its own advantages and disadvantages.
|
Sounds like this one isn't blocked, just needs a rebase and socializing? |
|
This was unblocked by https://gitlab.com/fedora/bootc/base-images/-/merge_requests/63. I'm planning to get back to it soon. |
There is a new tier-x in the fedora-bootc project whose goal is to provide a common base that all variants (including tier-1) can share. Move FCOS over to use this new tier, but only starting from Fedora 42. This is a profound change and the start of an exciting new future! This formalizes our relationship to other image-mode variants, encouraging us to innovate and solve problems together in a more direct way. Put more practically, e.g. bug fixes, new features, or temporary workarounds that concern all/most tier-x derivatives should probably be carried out at the tier-x level rather than the CoreOS level. Eventually, this inheritance will be made even more explicit by having FCOS be built `FROM` the tier-x image. For now, we share at the manifest level, which is a stepping stone towards that goal. Patches to actually dedupe our manifests with tier-x will follow. Though note there is no change in the resulting package set here.
All these manifests are already part of tier-x, so conditionalize them on <f42.
Split all the things redundant with tier-x into a separate manifest that only gets inherited on <f42.
Split all the things redundant with tier-x into a separate manifest that only gets inherited on <f42.
Split all the things redundant with tier-x into a separate manifest that only gets inherited on <f42.
No functional change. Prep for future patch.
No functional change. Prep for future patch.
All the requests in this manifest are part of tier-x, so conditionalize on <f42.
In the spirit of abusing `remove-from-packages` less and being more closely aligned with tier-x, stop literally nuking the systemd-firstboot binary and systemd unit. Instead, just disable the systemd unit. Note it's also disabled in the presets (in `40-coreos-systemd.preset`) and as mentioned in the comment, via a runtime dropin. So that's triple disablement already. But to be sure, also add a non-exclusive test to ensure it doesn't come back.
Split all the things redundant with tier-x into a separate manifest that only gets inherited on <f42.
No functional change. This just makes it easier to share the list of dupes with RHCOS downstream.
This workflow bumps the fedora-bootc submodule. It's better than just using Dependabot because it only checks for changes in tier-0 and tier-x. AFAICT, there isn't a way to tell Dependabot to do this.
jlebon
force-pushed
the
pr/inherit-tier-x-rawhide
branch
from
d1dd8ef
to
0009012
Compare
|
Rebased this now that https://gitlab.com/fedora/bootc/tracker/-/issues/39 is resolved and updated for comments! Also started tracking some of the outstanding items in #3177 (comment). |
There is a new tier-x in the fedora-bootc project whose goal is to
provide a common base that all variants (including tier-1) can share.
Move FCOS over to use this new tier, but only starting from Fedora 42.
This is a profound change and the start of an exciting new future! This
formalizes our relationship to other image-mode variants, encouraging us
to innovate and solve problems together in a more direct way.
Put more practically, e.g. bug fixes, new features, or temporary
workarounds that concern all/most tier-x derivatives should probably be
carried out at the tier-x level rather than the CoreOS level.
Eventually, this inheritance will be made even more explicit by having
FCOS be built
FROMthe tier-x image. For now, we share at the manifestlevel, which is a stepping stone towards that goal.
Patches to actually dedupe our manifests with tier-x will follow. Though
note there is no change in the resulting package set here.