Merge branch 'main' into feature/cockpit-zfs-manager

ublue-os · Jan 9, 2025 · e492352 · e492352
2 parents 43e8b3b + 5de751b
commit e492352
Show file tree

Hide file tree

Showing 43 changed files with 819 additions and 394 deletions.
diff --git a/.github/workflows/build-stable.yml b/.github/workflows/build-stable.yml
@@ -1,9 +1,13 @@
 name: stable
 on:
-  pull_request:
   merge_group:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
   schedule:
-    - cron: '40 23 * * *' # 11:45PM UTC everyday (approx 1.5 hours after coreos images publish)
+    - cron: '50 2 * * *'  # 2:50am-ish UTC everyday (approx 45 minutes after akmods images run)
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/build-testing.yml b/.github/workflows/build-testing.yml
@@ -1,9 +1,13 @@
 name: testing
 on:
-  pull_request:
   merge_group:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
   schedule:
-    - cron: '55 23 * * *' # 11:45PM UTC everyday (approx 1.75 hours after coreos images publish)
+    - cron: '55 2 * * *'  # 2:55am-ish UTC everyday (approx 50 minutes after akmods images run)
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
diff --git a/README.md b/README.md
diff --git a/cosign.pub b/cosign.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----
diff --git a/examples/ucore-autorebase.butane b/examples/ucore-autorebase.butane
@@ -10,33 +10,41 @@ storage:
   directories:
     - path: /etc/ucore-autorebase
       mode: 0754
-  files:
-    - path: /etc/ucore-autorebase/ucore-autorebase.sh
-      contents:
-        inline: |
-          #!/usr/bin/bash
-          echo "Rebasing to uCore OCI in 5 seconds"
-          sleep 5
-          rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable \
-            && touch /etc/ucore-autorebase/.complete \
-            && systemctl disable ucore-autorebase.service \
-            && systemctl reboot
-      mode: 0754
 systemd:
   units:
-    - name: ucore-autorebase.service
+    - name: ucore-unsigned-autorebase.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=uCore autorebase to unsigned OCI and reboot
+        ConditionPathExists=!/etc/ucore-autorebase/unverified
+        ConditionPathExists=!/etc/ucore-autorebase/signed
+        After=network-online.target
+        Wants=network-online.target
+        [Service]
+        Type=oneshot
+        StandardOutput=journal+console
+        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable
+        ExecStart=/usr/bin/touch /etc/ucore-autorebase/unverified
+        ExecStart=/usr/bin/systemctl disable ucore-unsigned-autorebase.service
+        ExecStart=/usr/bin/systemctl reboot
+        [Install]
+        WantedBy=multi-user.target
+    - name: ucore-signed-autorebase.service
       enabled: true
       contents: |
         [Unit]
-        Description=uCore autorebase to OCI and reboot
-        ConditionPathExists=!/etc/ucore-autorebase/.complete
-        ConditionFileIsExecutable=/etc/ucore-autorebase/ucore-autorebase.sh
+        Description=uCore autorebase to signed OCI and reboot
+        ConditionPathExists=/etc/ucore-autorebase/unverified
+        ConditionPathExists=!/etc/ucore-autorebase/verified
         After=network-online.target
         Wants=network-online.target
         [Service]
         Type=oneshot
         StandardOutput=journal+console
-        RemainAfterExit=yes
-        ExecStart=/etc/ucore-autorebase/ucore-autorebase.sh
+        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-image-signed:docker://ghcr.io/ublue-os/ucore:stable
+        ExecStart=/usr/bin/touch /etc/ucore-autorebase/signed
+        ExecStart=/usr/bin/systemctl disable ucore-signed-autorebase.service
+        ExecStart=/usr/bin/systemctl reboot
         [Install]
-        WantedBy=multi-user.target
+        WantedBy=multi-user.target
diff --git a/fedora-coreos/Containerfile b/fedora-coreos/Containerfile
@@ -1,4 +1,22 @@
 ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
+ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}"
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
+
+# FROMs for copying
+ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG CONFIG="${IMAGE_REGISTRY}/config:latest"
+ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}"
+FROM ${AKMODS_COMMON} AS akmods-common
+FROM ${AKMODS_NVIDIA} AS akmods-nvidia
+FROM ${AKMODS_ZFS} AS akmods-zfs
+FROM ${CONFIG} AS config
+FROM ${KERNEL} AS kernel
+
+FROM scratch AS ctx
+COPY / /
 
 FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION}
 
@@ -7,20 +25,21 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
 ARG NVIDIA_TAG="${NVIDIA_TAG}"
 # build with --build-arg ZFS_TAG="-zfs" to install zfs
 ARG ZFS_TAG="${ZFS_TAG}"
-ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}"
-
-COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/
-COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/
-COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
 
-COPY *.sh /tmp/
 
-RUN mkdir -p /var/lib/alternatives \
-    && /tmp/install.sh \
-    && /tmp/post-install.sh \
+RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
+    --mount=type=bind,from=ctx,src=/,dst=/ctx \
+    --mount=type=bind,from=akmods-common,src=/rpms/ucore,dst=/tmp/rpms/akmods-common \
+    --mount=type=bind,from=akmods-nvidia,src=/rpms,dst=/tmp/rpms/akmods-nvidia \
+    --mount=type=bind,from=akmods-zfs,src=/rpms,dst=/tmp/rpms/akmods-zfs \
+    --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms/config \
+    --mount=type=bind,from=kernel,src=/tmp/rpms,dst=/tmp/rpms/kernel \
+    mkdir -p /var/lib/alternatives \
+    && /ctx/install.sh \
+    && /ctx/post-install.sh \
     && mv /var/lib/alternatives /staged-alternatives \
-    && rm -fr /tmp/* /var/* \
+    && /ctx/cleanup.sh \
     && ostree container commit \
     && mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
-    && mkdir -p /tmp /var/tmp \
-    && chmod -R 1777 /tmp /var/tmp
+    && mkdir -p /var/tmp \
+    && chmod -R 1777 /var/tmp
diff --git a/fedora-coreos/cleanup.sh b/fedora-coreos/cleanup.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+shopt -s extglob
+
+rm -rf /tmp/* || true
+rm -rf /var/!(cache)
+rm -rf /var/cache/!(rpm-ostree)
diff --git a/fedora-coreos/install.sh b/fedora-coreos/install.sh
@@ -2,8 +2,12 @@
 
 set -ouex pipefail
 
+ARCH="$(rpm -E %{_arch})"
 RELEASE="$(rpm -E %fedora)"
-KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+pushd /tmp/rpms/kernel
+KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//')
+popd
+QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
 
 #### PREPARE
 # enable testing repos if not enabled on testing stream
@@ -23,25 +27,45 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
 # inspect to see what RPMS we copied in
 find /tmp/rpms/
 
-rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm
+rpm-ostree install \
+    /tmp/rpms/akmods-common/ublue-os-ucore-addons*.rpm \
+    /tmp/rpms/config/ublue-os-signing*.rpm
+
+# Handle Kernel Skew with override replace
+rpm-ostree cliwrap install-to-root /
+if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
+    echo "Installing signed kernel from kernel-cache."
+    cd /tmp
+    rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv
+    cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+    cd /
+else
+    echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
+    rpm-ostree override replace \
+        --experimental \
+        --install=zstd \
+        /tmp/rpms/kernel/kernel-[0-9]*.rpm \
+        /tmp/rpms/kernel/kernel-core-*.rpm \
+        /tmp/rpms/kernel/kernel-modules-*.rpm
+fi
 
 ## CONDITIONAL: install ZFS
 if [[ "-zfs" == "${ZFS_TAG}" ]]; then
-    rpm-ostree install pv /tmp/rpms/zfs/*.rpm
+    rpm-ostree install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
     # for some reason depmod ran automatically with zfs 2.1 but not with 2.2
-    depmod -A ${KERNEL}
+    depmod -a -v ${KERNEL_VERSION}
 fi
 
 ## CONDITIONAL: install NVIDIA
 if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
     # repo for nvidia rpms
     curl -L https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo
 
-    rpm-ostree install /tmp/rpms/nvidia/ublue-os-ucore-nvidia-*.rpm
+    rpm-ostree install /tmp/rpms/akmods-nvidia/ucore/ublue-os-ucore-nvidia*.rpm
     sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
 
     rpm-ostree install \
-        /tmp/rpms/nvidia/kmod-nvidia-*.rpm \
+        /tmp/rpms/akmods-nvidia/kmods/kmod-nvidia*.rpm \
         nvidia-driver-cuda \
         nvidia-container-toolkit
 fi
diff --git a/ucore/Containerfile b/ucore/Containerfile
@@ -1,5 +1,22 @@
 ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
-
+ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
+ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}"
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
+
+# FROMs for copying
+ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
+ARG CONFIG="${IMAGE_REGISTRY}/config:latest"
+ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}"
+FROM ${AKMODS_COMMON} AS akmods-common
+FROM ${AKMODS_NVIDIA} AS akmods-nvidia
+FROM ${AKMODS_ZFS} AS akmods-zfs
+FROM ${CONFIG} AS config
+FROM ${KERNEL} AS kernel
+
+FROM scratch AS ctx
+COPY / /
 
 # ucore-minimal image section
 FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} AS ucore-minimal
@@ -9,49 +26,50 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
 ARG NVIDIA_TAG="${NVIDIA_TAG}"
 # build with --build-arg ZFS_TAG="-zfs" to install zfs
 ARG ZFS_TAG="${ZFS_TAG}"
-ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}"
-
-COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/
-COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/
-COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
-
-COPY *.sh /tmp/
-COPY packages.json /tmp/packages.json
 
-COPY usr /usr
-
-RUN mkdir -p /var/lib/alternatives \
-    && /tmp/install-ucore-minimal.sh \
-    && /tmp/post-install-ucore-minimal.sh \
+# 0.12.1 matches docker/moby 24.0.5 which FCOS ships as of 40.20240421
+ARG DOCKER_BUILDX_VERSION=0.12.1
+# 2.24.7 matches docker/moby 24.0.5  which FCOS ships as of 40.20240421
+ARG DOCKER_COMPOSE_VERSION=v2.24.7
+
+COPY system_files /
+COPY --from=docker.io/docker/buildx-bin:${DOCKER_BUILDX_VERSION} /buildx /usr/libexec/docker/cli-plugins/docker-buildx
+COPY --from=docker.io/docker/compose-bin:${DOCKER_COMPOSE_VERSION} /docker-compose /usr/libexec/docker/cli-plugins/docker-compose
+
+RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
+    --mount=type=bind,from=ctx,src=/,dst=/ctx \
+    --mount=type=bind,from=akmods-common,src=/rpms/ucore,dst=/tmp/rpms/akmods-common \
+    --mount=type=bind,from=akmods-nvidia,src=/rpms,dst=/tmp/rpms/akmods-nvidia \
+    --mount=type=bind,from=akmods-zfs,src=/rpms,dst=/tmp/rpms/akmods-zfs \
+    --mount=type=bind,from=config,src=/rpms,dst=/tmp/rpms/config \
+    --mount=type=bind,from=kernel,src=/tmp/rpms,dst=/tmp/rpms/kernel \
+    mkdir -p /var/lib/alternatives \
+    && /ctx/install-ucore-minimal.sh \
+    && /ctx/post-install-ucore-minimal.sh \
     && mv /var/lib/alternatives /staged-alternatives \
-    && rm -fr /tmp/* /var/* \
+    && /ctx/cleanup.sh \
     && ostree container commit \
     && mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
-    && mkdir -p /tmp /var/tmp \
-    && chmod -R 1777 /tmp /var/tmp
-
-COPY --from=docker.io/docker/compose-bin:latest /docker-compose /usr/bin/docker-compose
-
+    && mkdir -p /var/tmp \
+    && chmod -R 1777 /var/tmp
 
 # ucore image section
 FROM ucore-minimal AS ucore
 
 ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+ARG NVIDIA_TAG="${NVIDIA_TAG}"
 ARG ZFS_TAG="${ZFS_TAG}"
 
-COPY *.sh /tmp/
-COPY packages.json /tmp/packages.json
-
-COPY usr /usr
-
-RUN mkdir -p /var/lib/alternatives \
-    && /tmp/install-ucore.sh \
+RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
+    --mount=type=bind,from=ctx,src=/,dst=/ctx \
+    mkdir -p /var/lib/alternatives \
+    && /ctx/install-ucore.sh \
     && mv /var/lib/alternatives /staged-alternatives \
-    && rm -fr /tmp/* /var/* \
+    && /ctx/cleanup.sh \
     && ostree container commit \
     && mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
-    && mkdir -p /tmp /var/tmp \
-    && chmod -R 1777 /tmp /var/tmp
+    && mkdir -p /var/tmp \
+    && chmod -R 1777 /var/tmp
 
 
 # ucore-hci image section
@@ -61,14 +79,13 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
 ARG NVIDIA_TAG="${NVIDIA_TAG}"
 ARG ZFS_TAG="${ZFS_TAG}"
 
-COPY *.sh /tmp/
-COPY packages.json /tmp/packages.json
-
-RUN mkdir -p /var/lib/alternatives \
-    && /tmp/install-ucore-hci.sh \
+RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
+    --mount=type=bind,from=ctx,src=/,dst=/ctx \
+    mkdir -p /var/lib/alternatives \
+    && /ctx/install-ucore-hci.sh \
     && mv /var/lib/alternatives /staged-alternatives \
-    && rm -fr /tmp/* /var/* \
+    && /ctx/cleanup.sh \
     && ostree container commit \
     && mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
-    && mkdir -p /tmp /var/tmp \
-    && chmod -R 1777 /tmp /var/tmp
+    && mkdir -p /var/tmp \
+    && chmod -R 1777 /var/tmp
diff --git a/ucore/cleanup.sh b/ucore/cleanup.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+shopt -s extglob
+
+rm -rf /tmp/* || true
+rm -rf /var/!(cache)
+rm -rf /var/cache/!(rpm-ostree)
diff --git a/ucore/github-release-install.sh b/ucore/github-release-install.sh
@@ -47,14 +47,11 @@ API="https://api.github.com/repos/${ORG_PROJ}/releases/${RELTAG}"
 
 # retry up to 5 times with 5 second delays for any error included HTTP 404 etc
 curl --fail --retry 5 --retry-delay 5 --retry-all-errors -sL ${API} -o ${API_JSON}
-RPM_URLS=$(cat ${API_JSON} \
+RPM_URLS=($(cat ${API_JSON} \
   | jq \
     -r \
     --arg arch_filter "${ARCH_FILTER}" \
-    '.assets | sort_by(.created_at) | reverse | .[] | select(.name|test($arch_filter)) | select (.name|test("rpm$")) | .browser_download_url')
-for URL in ${RPM_URLS}; do
-  # WARNING: in case of multiple matches, this only installs the first matched release
-  echo "execute: rpm-ostree install \"${URL}\""
-  rpm-ostree install "${URL}"
-  break
-done
+    '.assets | sort_by(.created_at) | reverse | .[] | select(.name|test($arch_filter)) | select(.name|test("rpm$")) | .browser_download_url'))
+# WARNING: in case of multiple matches, this only installs the first matched release
+echo "execute: rpm-ostree install \"${RPM_URLS[0]}\""
+rpm-ostree install "${RPM_URLS[0]}"