Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tracker: Rebase onto Fedora 41 #1695

Closed
53 tasks done
jlebon opened this issue Mar 20, 2024 · 30 comments
Closed
53 tasks done

tracker: Rebase onto Fedora 41 #1695

jlebon opened this issue Mar 20, 2024 · 30 comments
Labels

Comments

@jlebon
Copy link
Member

jlebon commented Mar 20, 2024

Rebase to a new version of Fedora (N=41)

At previous Fedora major release

Open tickets to track related work for this release

At Branching

Branching is when a new stream is "branched" off of rawhide. This eventually becomes the next major Fedora (N).

Release engineering changes

  • Verify that a few tags were created when branching occurred:

  • f${N+1}-coreos-signing-pending

  • f${N+1}-coreos-continuous

  • Add and tag a package (any package) which is in the stable repos into the continuous tag. This will create the initial yum repo that's used as input for building the COSA container.

  • koji add-pkg --owner ${FAS_USERNAME} f${N+1}-coreos-continuous $PKG

    • example: koji add-pkg --owner dustymabe f36-coreos-continuous fedora-release
    • This example uses the fedora-release RPM, but it could be any other.
  • koji tag-build f${N+1}-coreos-continuous $BUILD

    • example: koji tag-build f36-coreos-continuous fedora-release-36-0.16
  • Add the N+1 signing key short hash (usually found here) to the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the 32/33/34/35 keys. You'll most likely have to get someone from releng to run the second command (edit-tag).

    • koji taginfo coreos-pool
    • koji edit-tag coreos-pool -x tag2distrepo.keys="12c944d0 9570ff31 45719a39 9867c58f"

See update tag2distrepo.keys for coreos-pool with f42 key: https://pagure.io/releng/issue/12264

coreos-installer changes

Example PR: coreos/coreos-installer#1113

Update rawhide stream

Enable branched stream

Misc

At Fedora (N) Beta

Update fedora-coreos-config next-devel

Ship rebased next

  • Ship next
  • Set a new update barrier for the final release of N-1 on next. In the barrier entry set a link to the docs. See discussion

Preparing for Fedora (N) GA

Do these steps as soon as we have a Go confirmation for GA, usually the Thursday of the week before GA.

Ship a final next release

If the packages in next-devel don't exactly match the last next release that was done, we need to do a release with the final GA content. This ensures that what we'll promote to testing has the exact content in GA (plus version fast-tracks). This usually happens on the Thursday of the announcement of Go.

  • Ensure final next release has GA content

Build rebased testing and final stable release on N-1

  • Build stable; promote it from the testing branch, which should still be on N-1. Don't release it yet (i.e. don't run the release job).
  • Build testing; promote it from the next branch instead of testing-devel. Don't release it yet (i.e. don't run the release job).

Update fedora-coreos-config testing-devel

  • Bump releasever in manifest.yaml
  • Update the repos in manifest.yaml if needed
  • Sync the lockfiles for all arches from next-devel
  • Bump the base Fedora version in ci/buildroot/Dockerfile
  • PR the result

At Fedora (N) GA

Do these steps on GA day.

Release rebased testing and final stable release on N-1

  • Run the release job for the staged testing and stable builds and start rollout.
  • Set a new update barrier for the final release of N-1 on testing. In the barrier entry set a link to the docs. See discussion

Disable next-devel stream if not needed

We prefer to disable next-devel when there is no difference between testing-devel and next-devel. This allows us to prevent wasting a bunch of resources (bandwidth, storage, compute) for no reason. After the switch to N if next-devel and testing-devel are in lockstep, then disable next-devel.

  • Follow the instructions here to disable next-devel

Switch upstream packages to shipping release binaries from Fedora (N)

Disable the fedora-candidate-compose repo

  • Remove from the manifest.yaml of next-devel the fedora-candidate-compose repo

After Fedora (N) GA

Ship rebased stable

  • Ship stable
  • Set a new update barrier for the final release of N-1 on stable. In the barrier entry set a link to the docs. See discussion

Untag old packages

koji untag N-2 packages from the pool (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are GC'ed). For example the following snippet finds all RPMs signed by the Fedora 32 key and untags them. Use this process:

  • Find the key short hash. Usually found here. Then:
f32key=12c944d0
key=$f32key
echo > untaglist # create or empty out file
for build in $(koji list-tagged --quiet coreos-pool | cut -f1 -d' '); do
    if koji buildinfo $build | grep $key 1>/dev/null; then
        echo "Adding $build to untag list"
        echo "${build}" >> untaglist
    fi
done

Now we have a list of builds to untag. But we need a few more sanity checks.

  • Make sure none of the builds are used in N based FCOS. Check by running:
f32key=12c944d0
key=$f32key
podman run -it --rm quay.io/fedora/fedora-coreos:testing-devel rpm -qai | grep -B 9 $key
podman rmi quay.io/fedora/fedora-coreos:testing-devel

If there are any RPMs signed by the old key they'll need to be investigated. Maybe they shouldn't be used any longer. Or maybe they're still needed. One example of this is the shim RPM where the same build could be used for many Fedora releases. In this case you'll need to untag the RPM from coreos-pool, run a koji distrepo, which will remove that RPM from the repo metadata, and then re-tag it into the pool. The RPM in the repo will now be signed with a newer signing key.

  • After verifying the list looks good, untag:
# use xargs so we don't exhaust bash string limit
cat untaglist | xargs -L50 koji untag-build -v coreos-pool
  • Now that untagging is done, give a heads up to rpm-ostree developers that N-2 packages have been untagged and that they may need to update their CI compose tests to freeze on a newer FCOS commit.

  • Remove the N-2 signing key from the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the 33/34/35 keys. You'll most likely have to get someone from releng to run the second command (edit-tag).

    • koji taginfo coreos-pool
    • koji edit-tag coreos-pool -x tag2distrepo.keys="9570ff31 45719a39 9867c58f"

Open ticket for the next Fedora rebase

  • Create a new ticket from the rebase template
    • label with FN label where N is the Fedora version.

Miscellaneous container updates

These are various containers in use throughout our ecosystem. We should update or open a ticket to track updating them once a new Fedora release is out. If you open a ticket instead of doing the update add a link to the ticket as comment.

@marmijo
Copy link
Member

marmijo commented Aug 15, 2024

@marmijo
Copy link
Member

marmijo commented Aug 15, 2024

Fedora Releng ticket requesting permissions for @marmijo to perform the "add and tag package into f42-coreos-continuous tag" step: https://pagure.io/releng/issue/12263

@marmijo
Copy link
Member

marmijo commented Aug 15, 2024

Fedora Releng ticket to add the F42 signing key short hash to the coreos-pool tag: https://pagure.io/releng/issue/12264

@marmijo
Copy link
Member

marmijo commented Aug 15, 2024

Add the Fedora 42 signing key: coreos/coreos-installer#1512

@travier
Copy link
Member

travier commented Aug 20, 2024

Package diff initial investigation in coreos/fedora-coreos-config#3092 (comment):

Copying the diff here for reference:

[2024-08-19T17:04:44.229Z] Downgraded:
[2024-08-19T17:04:44.234Z]   json-glib 1.8.0-3.fc40 -> 1.8.0-1.fc40
[2024-08-19T17:04:44.234Z] Removed:
[2024-08-19T17:04:44.234Z]   atheros-firmware-20240220-1.fc40.noarch
[2024-08-19T17:04:44.234Z]   bind-license-32:9.18.21-4.fc40.noarch
[2024-08-19T17:04:44.234Z]   brcmfmac-firmware-20240220-1.fc40.noarch
[2024-08-19T17:04:44.234Z]   fuse-2.9.9-21.fc40.x86_64
[2024-08-19T17:04:44.234Z]   fuse-libs-2.9.9-21.fc40.x86_64
[2024-08-19T17:04:44.234Z]   gvisor-tap-vsock-gvforwarder-6:0.7.3-2.fc40.x86_64
[2024-08-19T17:04:44.234Z]   mt7xxx-firmware-20240220-1.fc40.noarch
[2024-08-19T17:04:44.234Z]   pigz-2.8-4.fc40.x86_64
[2024-08-19T17:04:44.234Z]   polkit-pkla-compat-0.1-28.fc40.x86_64
[2024-08-19T17:04:44.234Z]   realtek-firmware-20240220-1.fc40.noarch
[2024-08-19T17:04:44.234Z] Added:
[2024-08-19T17:04:44.234Z]   clevis-pin-tpm2-0.5.3-7.fc41.x86_64
[2024-08-19T17:04:44.234Z]   dnf5-5.2.5.0-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   docker-cli-27.1.1-3.fc41.x86_64
[2024-08-19T17:04:44.234Z]   kdump-utils-1.0.44-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   libdnf5-5.2.5.0-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   libdnf5-cli-5.2.5.0-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   libkcapi-hasher-1.5.0-3.fc41.x86_64
[2024-08-19T17:04:44.234Z]   libtextstyle-0.22.5-6.fc41.x86_64
[2024-08-19T17:04:44.234Z]   lld-libs-18.1.8-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   llvm-libs-18.1.8-2.fc41.x86_64
[2024-08-19T17:04:44.234Z]   makedumpfile-1.7.5-13.fc41.x86_64
[2024-08-19T17:04:44.234Z]   moby-filesystem-27.1.1-3.fc41.x86_64
[2024-08-19T17:04:44.234Z]   qed-firmware-20240811-2.fc41.noarch
[2024-08-19T17:04:44.234Z]   sdbus-cpp-1.5.0-3.fc41.x86_64
[2024-08-19T17:04:44.234Z]   tini-static-0.19.0-9.fc41.x86_64

Downgrade is https://bugzilla.redhat.com/show_bug.cgi?id=2297094 which we should directly make a PR to fix as it's really minor and maybe we should just ignore it.

Removed:

Added:

  • qed-firmware is unexpected
  • sdbus-cpp is unexpected
  • the rest looks dnf5, docker or podman related and should be good.

@travier
Copy link
Member

travier commented Aug 20, 2024

Fixing the json-glib pin in https://src.fedoraproject.org/rpms/json-glib/pull-request/4

@travier
Copy link
Member

travier commented Aug 21, 2024

#1785 (comment)

@travier
Copy link
Member

travier commented Aug 21, 2024

We've discussed this topic in today's community meeting.

The priority is resolving the issues that we ave with systemd 256 to be able to unpin it. Then looking at the status of composefs and kdump.

@yasminvalim yasminvalim removed the meeting topics for meetings label Aug 28, 2024
@yasminvalim
Copy link
Contributor

We've discussed this topic in today's community meeting.

marmijo added a commit to marmijo/fedora-coreos-pipeline that referenced this issue Sep 13, 2024
Enabling next-devel for the Fedora 41 release process.

See: coreos/fedora-coreos-tracker#1695
marmijo added a commit to marmijo/fedora-coreos-pipeline that referenced this issue Sep 13, 2024
now that testing-devel has been enabled, we can disable the branched
stream.

coreos#1035

See: coreos/fedora-coreos-tracker#1695
marmijo added a commit to marmijo/fedora-coreos-pipeline that referenced this issue Sep 13, 2024
now that next-devel has been enabled, we can disable the branched
stream.

coreos#1035

See: coreos/fedora-coreos-tracker#1695
@marmijo
Copy link
Member

marmijo commented Sep 13, 2024

marmijo added a commit to coreos/fedora-coreos-pipeline that referenced this issue Sep 13, 2024
Enabling next-devel for the Fedora 41 release process.

See: coreos/fedora-coreos-tracker#1695
@marmijo
Copy link
Member

marmijo commented Sep 13, 2024

As we have done in the past we will be fast-tracking packages in next-devel/next to ensure no upgrade transition will ever include downgraded packages.

marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 13, 2024
F41 is now in beta freeze. This means that some packages in F41 will
sort as newer than packages in F40. We'll prevent downgrades by
fast-tracking any packages that would violate this "no downgrade" rule.

see: coreos/fedora-coreos-tracker#1695 (comment)
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 13, 2024
F41 is now in beta freeze. This means that some packages in F41 will
sort as newer than packages in F40. We'll prevent downgrades by
fast-tracking any packages that would violate this "no downgrade" rule.

see: coreos/fedora-coreos-tracker#1695 (comment)
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 13, 2024
F41 is now in beta freeze. This means that some packages in F40 will
sort as newer than packages in F41. We'll prevent downgrades by
fast-tracking any packages that would violate this "no downgrade" rule.

see: coreos/fedora-coreos-tracker#1695 (comment)
marmijo added a commit to coreos/fedora-coreos-pipeline that referenced this issue Sep 14, 2024
now that next-devel has been enabled, we can disable the branched
stream.

#1035

See: coreos/fedora-coreos-tracker#1695
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 15, 2024
F41 is now in beta freeze. This means that some packages in F40 will
sort as newer than packages in F41. We'll prevent downgrades by
fast-tracking any packages that would violate this "no downgrade" rule.

see: coreos/fedora-coreos-tracker#1695 (comment)
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 15, 2024
F41 is now in beta freeze. This means that some packages in F40 will
sort as newer than packages in F41. We'll prevent downgrades by
fast-tracking any packages that would violate this "no downgrade" rule.

see: coreos/fedora-coreos-tracker#1695 (comment)
@dustymabe
Copy link
Member

koji edit-tag coreos-pool -x tag2distrepo.keys="a15B79cc e99d6ad1 105ef944"

got Kevin Fenzi to run this for me:

koji edit-tag coreos-pool -x tag2distrepo.keys="a15B79cc e99d6ad1 105ef944"

@dustymabe
Copy link
Member

all 709 F39 RPMs were removed from coreos-pool.

marmijo added a commit to marmijo/coreos-installer that referenced this issue Nov 25, 2024
marmijo added a commit to marmijo/ignition that referenced this issue Nov 25, 2024
marmijo added a commit to marmijo/butane that referenced this issue Nov 25, 2024
marmijo added a commit to marmijo/butane that referenced this issue Nov 25, 2024
marmijo added a commit to marmijo/fedora-coreos-cincinnati that referenced this issue Nov 26, 2024
marmijo added a commit to marmijo/fedora-coreos-releng-automation that referenced this issue Nov 26, 2024
marmijo added a commit to marmijo/fedora-coreos-releng-automation that referenced this issue Nov 26, 2024
marmijo added a commit to marmijo/fedora-coreos-releng-automation that referenced this issue Nov 26, 2024
@dustymabe
Copy link
Member

Update coreos-assembler or open ticket to update:

Done in coreos/coreos-assembler#3975

prestist pushed a commit to prestist/ignition that referenced this issue Dec 6, 2024
@marmijo
Copy link
Member

marmijo commented Dec 10, 2024

Update repo-templates config.yaml with the version number and GPG key ID for Fedora (N).

coreos/repo-templates#274

@marmijo
Copy link
Member

marmijo commented Dec 11, 2024

The rebase to Fedora 41 is complete.

@marmijo marmijo closed this as completed Dec 11, 2024
@dustymabe dustymabe unpinned this issue Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants