diff --git a/.dockerignore b/.dockerignore
index 973139e..3768d2c 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,4 @@
 priv-root/
 tmp/
 *Containerfile
+.github/
\ No newline at end of file
diff --git a/.github/workflows/microshift.yaml b/.github/workflows/microshift.yaml
new file mode 100644
index 0000000..61fa8ff
--- /dev/null
+++ b/.github/workflows/microshift.yaml
@@ -0,0 +1,51 @@
+name: Build OS Content
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch: {}
+ schedule:
+ - cron: '10 5 * * *'
+
+env:
+ REGISTRY_USER: aleskandrox
+ IMAGE_REGISTRY: quay.io
+ IMAGE_NAME: fedora
+ REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+
+jobs:
+ build-coreos-microshift:
+ if: ${{ github.event_name == 'push' || github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ name: Build and Push Fedora ${{ matrix.variant }} (OS Content)
+ strategy:
+ matrix:
+ variant:
+ - coreos-microshift
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Set versioned tag
+ id: versioned-tag
+ run: |
+ VERSIONED_TAG=$(date -u --iso-8601=minutes | sed 's/://g;s/+.*$//')-${GITHUB_SHA}
+ echo "VERSIONED_TAG=${VERSIONED_TAG}" >> $GITHUB_OUTPUT
+ - name: Build OS content
+ uses: redhat-actions/buildah-build@v2
+ id: build-image
+ with:
+ image: ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}
+ oci: true
+ layers: true
+ tags: ${{ matrix.variant }}-custom ${{ matrix.variant }}-custom-${{ steps.versioned-tag.outputs.VERSIONED_TAG }}
+ containerfiles: |
+ ./microshift.Containerfile
+ - name: Push to registry
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ tags: >-
+ ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-custom
+ ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-custom-${{ steps.versioned-tag.outputs.VERSIONED_TAG }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
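Review bot: `REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}` in the top-level `env:` block exports the registry credential into the environment of every step, including `actions/checkout` and the build step that never needs it, while the push step already receives it through its `password:` input; drop the `env` entry and keep only the input. The job `if:` tests `github.event.workflow_run.conclusion`, but no `workflow_run` trigger is declared, so the `schedule` and `workflow_dispatch` runs this file adds will always be skipped; `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}` or simply dropping the condition would let them run. The three actions are pinned only by major tag (`@v3`, `@v2`); pinning to a full commit SHA with the tag in a trailing comment makes the build reproducible and resistant to a moved tag. `IMAGE_REGISTRY`/`REGISTRY_USER`/`IMAGE_NAME` are recomposed in four places and could be a single `env.IMAGE` value.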
diff --git a/microshift.Containerfile b/microshift.Containerfile
new file mode 100644
index 0000000..c1bf12d
--- /dev/null
+++ b/microshift.Containerfile
@@ -0,0 +1,72 @@
+ARG BASE_REPO=quay.io/fedora/fedora-coreos
+ARG BASE_TAG=stable
+FROM quay.io/fedora/fedora-minimal:latest as artifacts
+
+COPY overlay.d/00-temp/ /
+RUN microdnf install --setopt=install_weak_deps=False \
+ -y rpmbuild && chmod +x /usr/bin/fakerpm.sh \
+ && mkdir -p /srv/fakerpms/ && pushd /srv/fakerpms/ \
+ && /usr/bin/fakerpm.sh openvswitch3.1 \
+ && /usr/bin/fakerpm.sh openshift-clients
+
+FROM ${BASE_REPO}:${BASE_TAG}
+
+ENTRYPOINT ["/bin/bash"]
+
+RUN set -x; arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/'); cat /etc/os-release \
+ && rpm-ostree install \
+ https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
+ https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
+ && ostree container commit
+
+RUN cat /etc/os-release; rpm-ostree --version; ostree --version; \
+ set -x; PACKAGES_INSTALL="bridge-utils conntrack-tools curl fping iftop iputils iproute mtr nethogs \
+ socat net-tools bind-utils iperf iperf3 iputils mtr ethtool tftp wget ipmitool gawk htop ncdu procps \
+ strace iotop subversion git git-lfs gnupg2 openssl openvpn rsync tcpdump nmap nmap-ncat krb5-workstation \
+ qemu-kvm qemu-user-static libvirt virt-manager virt-install sudo screen unzip util-linux-user ignition \
+ libcurl-devel zsh nmap-ncat netcat socat python3-pip skopeo jq vim neovim make gcc inotify-tools"; \
+ rpm-ostree install $PACKAGES_INSTALL \
+ && rm -rf /var/lib/{unbound,gssproxy,nfs} \
+ && ostree container commit
+
+COPY overlay.d/01-common/ /
+COPY overlay.d/05-systemd/ /
+COPY overlay.d/10-fcos/ /
+COPY overlay.d/15-microshift /
+COPY --from=artifacts /srv/fakerpms/ /tmp/rpms/
+
+RUN set -x; PACKAGES_INSTALL="NetworkManager-ovs cri-o cri-tools /tmp/rpms/*.rpm"; \
+ rpm-ostree install $PACKAGES_INSTALL \
+ && rpm-ostree install microshift \
+ # Symlink ovs-vswitchd to dpdk version of OVS
+ && ln -s /usr/sbin/ovs-vswitchd.dpdk /usr/sbin/ovs-vswitchd \
+ # Symlink 
nc to netcat due to known issue in rpm-ostree - https://github.com/coreos/rpm-ostree/issues/1614
+ && ln -s /usr/bin/netcat /usr/bin/nc \
+ && rm -rf /go /var/lib/unbound /tmp/rpms \
+ && rm -rf /tmp/rpms \
+ && ostree container commit
+
+RUN set -x; sed -i \
+ 's/AutomaticUpdatePolicy=.*/AutomaticUpdatePolicy=stage/' \
+ /etc/rpm-ostreed.conf \
+ && systemctl preset-all \
+ && ostree container commit
+
+RUN HOME=/tmp RUNZSH=no CHSH=no ZSH=/usr/lib/ohmyzsh \
+ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" \
+ && set -x \
+ && wget -qO /usr/lib/ohmyzsh/custom/kube-ps1.plugin.zsh \
+ https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/plugins/kube-ps1/kube-ps1.plugin.zsh \
+ && mv /usr/share/zsh/*.zsh /usr/lib/ohmyzsh/custom/ \
+ && git clone https://github.com/zsh-users/zsh-history-substring-search \
+ /usr/lib/ohmyzsh/custom/plugins/zsh-history-subscring-search \
+ && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git \
+ /usr/lib/ohmyzsh/custom/plugins/zsh-syntax-highlighting \
+ && chsh -s /bin/zsh root \
+ && echo 'PATH=~/bin:~/.bin:~/.opt/bin:$PATH' >> /etc/zshenv \
+ && sed -i 's|^SHELL=.*|SHELL=/usr/bin/zsh|' /etc/default/useradd \
+ # ${VARIANT_ID^} is not posix compliant and is not parsed correctly by zsh \
+ && sed -i 's/VARIANT_ID^/VARIANT_ID/' /etc/profile.d/toolbox.sh \
+ && ostree container commit
+
+#RUN set -x; update-crypto-policies --set legacy --no-reload && ostree container commit
diff --git a/overlay.d/00-temp/usr/bin/fakerpm.sh b/overlay.d/00-temp/usr/bin/fakerpm.sh
new file mode 100644
index 0000000..90d4d82
--- /dev/null
+++ b/overlay.d/00-temp/usr/bin/fakerpm.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# 
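Review bot: The oh-my-zsh step runs `sh -c "$(curl -fsSL .../ohmyzsh/master/tools/install.sh)"` and the two `git clone` calls fetch the default branch with no ref or checksum, so the image's content depends on whatever those upstream branches hold at build time and a later rebuild is not reproducible; pin each to a release tag or commit and, for the script, download it to a file and check it against a recorded digest (e.g. `echo "<sha256-placeholder>  install.sh" | sha256sum -c`) before executing it. The same applies to `FROM quay.io/fedora/fedora-minimal:latest as artifacts` and `ARG BASE_TAG=stable`, which should carry a digest for a production image. In the first `RUN` of the final stage `arch=$(uname -m | sed ...)` is assigned and never used, and the microshift `RUN` removes `/tmp/rpms` twice. The `rpm-ostree install` of `/tmp/rpms/*.rpm` installs the placeholder packages built by `fakerpm.sh`, which deserves a comment above that line because `rpm -q` and inventory tooling will later report `openvswitch3.1` and `openshift-clients` as installed.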
From: https://www.redhat.com/archives/rpm-list/2006-November/msg00062.html
+#
+# Generate dummy/fake RPMs - great for acceptance testing systems
+#
+NAME=$1
+
+#
+# GEnerate Provides:
+PROVIDES="Provides: ${1}"
+
+#
+# Generate Spec file
+SPECFILE=$(mktemp)
+cat < ${SPECFILE}
+#----------- spec file starts ---------------
+Name: ${NAME}
+Version: 1.0.0
+Release: 0
+Vendor: dummy
+Group: dummy
+Summary: Provides %{name}
+License: %{vendor}
+# in Provides: you add whatever you want to fool the system
+Buildroot: %{_tmppath}/%{name}-%{version}-root
+${PROVIDES}
+
+%description
+%{summary}
+
+%files
+EOF
+
+#
+# Build it
+BUILD_LOG=$(mktemp)
+rpmbuild --define '_rpmdir /tmp' -bb "${SPECFILE}" > "${BUILD_LOG}"
+if [ $? != 0 ]
+then
+ echo "ERROR: Could nto build dummy rpm!"
+fi
+PKG=$(awk '/^Wrote:/ { print $2 }' < "${BUILD_LOG}" )
+rm "${BUILD_LOG}"
+
+#
+# Install it:
+#rpm -Uvh "${PKG}"
+
+rm "${SPECFILE}"
+
+echo "DONE! created ${PKG} and moved it here..."
+mv $PKG .
\ No newline at end of file
diff --git a/overlay.d/01-common/etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf b/overlay.d/01-common/etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf
new file mode 100644
index 0000000..70a458b
--- /dev/null
+++ b/overlay.d/01-common/etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf
@@ -0,0 +1 @@
+PubkeyAcceptedKeyTypes=+ssh-rsa
diff --git a/overlay.d/01-common/etc/ssh/sshd_config.d/40-client-alive-interval.conf b/overlay.d/01-common/etc/ssh/sshd_config.d/40-client-alive-interval.conf
new file mode 100644
index 0000000..6a87403
--- /dev/null
+++ b/overlay.d/01-common/etc/ssh/sshd_config.d/40-client-alive-interval.conf
@@ -0,0 +1 @@
+ClientAliveInterval 180
diff --git a/overlay.d/10-fcos/etc/rpm-ostree/origin.d/overrides.yaml b/overlay.d/10-fcos/etc/rpm-ostree/origin.d/overrides.yaml
new file mode 100644
index 0000000..9e8712c
--- /dev/null
+++ b/overlay.d/10-fcos/etc/rpm-ostree/origin.d/overrides.yaml
@@ -0,0 +1,3 @@
+override-remove:
+ - moby-engine
+ - zincati
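Review bot: As committed, `cat < ${SPECFILE}` reads the empty temp file to stdout and the spec body that follows would be executed as shell commands rather than written to `${SPECFILE}`; presumably a heredoc (`cat <<EOF > "${SPECFILE}"`) was intended, which is what the trailing `EOF` line expects. The `if [ $? != 0 ]` branch only prints a message and the script then runs `mv $PKG .` with an empty `$PKG`; add `set -euo pipefail` after the shebang, `exit 1` in the error branch, and quote `"${PKG}"`. Because `Provides: ${1}` makes the resulting RPM satisfy a dependency without shipping the software, a header comment stating that inventory and vulnerability tooling will list these names as installed would help whoever audits the image. Also `nto` should read `not` in the error message.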
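Review bot: `PubkeyAcceptedKeyTypes=+ssh-rsa` re-enables SHA-1 RSA signatures for public-key authentication host-wide, which upstream OpenSSH disabled by default in 8.8 because of SHA-1 collision attacks; a one-line comment naming the client or key that still needs it, and when the drop-in can be removed, would make the `insecure` in the file name actionable. If the exception is only needed for particular users or source networks, scoping it inside a `Match` block limits the exposure. `PubkeyAcceptedKeyTypes` is the legacy alias of `PubkeyAcceptedAlgorithms` on current OpenSSH, so the newer keyword is preferable if the base image's sshd accepts it.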
diff --git a/overlay.d/10-fcos/usr/lib/okd/selinux-fixes.cil b/overlay.d/10-fcos/usr/lib/okd/selinux-fixes.cil
new file mode 100644
index 0000000..252846a
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/okd/selinux-fixes.cil
@@ -0,0 +1,11 @@
+; https://github.com/okd-project/okd/issues/1438
+(allow iscsid_t self (capability (dac_override)))
+; iptables wrapper script fix
+(allow iptables_t container_runtime_tmpfs_t (chr_file (read write)))
+; https://github.com/okd-project/okd/discussions/1611
+(typeattributeset cil_gen_require ifconfig_t)
+(typeattributeset cil_gen_require container_runtime_tmpfs_t)
+(typeattributeset cil_gen_require container_runtime_t)
+(allow ifconfig_t container_runtime_t (fifo_file (append)))
+(allow ifconfig_t container_runtime_tmpfs_t (chr_file (read write)))
+(allow ifconfig_t self (capability (dac_override dac_read_search sys_ptrace)))
diff --git a/overlay.d/10-fcos/usr/lib/systemd/network/98-ovs-mac.link b/overlay.d/10-fcos/usr/lib/systemd/network/98-ovs-mac.link
new file mode 100644
index 0000000..216bdc9
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/network/98-ovs-mac.link
@@ -0,0 +1,5 @@
+[Match]
+Driver=openvswitch
+
+[Link]
+MACAddressPolicy=none
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system-preset/00-okd.preset b/overlay.d/10-fcos/usr/lib/systemd/system-preset/00-okd.preset
new file mode 100644
index 0000000..c718368
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system-preset/00-okd.preset
@@ -0,0 +1 @@
+enable okd-selinux.service
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset b/overlay.d/10-fcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset
new file mode 100644
index 0000000..1335364
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset
@@ -0,0 +1,4 @@
+enable rhcos-usrlocal-selinux-fixup.service
+enable rhcos-selinux-policy-upgrade.service
+enable auditd.service
+enable nmstate.service
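Review bot: The last rule, `(allow ifconfig_t self (capability (dac_override dac_read_search sys_ptrace)))`, is the broadest grant in the file and the linked discussion is its only justification; each `allow` would benefit from a comment quoting the AVC denial it resolves so the grant can be retired when the upstream fix lands, and `sys_ptrace` in particular should be confirmed as actually required rather than carried over from a permissive-mode audit. The first two rules reference `iscsid_t` and `iptables_t` without the `cil_gen_require` declarations the later rules use for `ifconfig_t` and the container types; it most likely loads either way when the types exist in the base policy, but the file is inconsistent with itself. This module is installed on every boot by `okd-selinux.service`, so the widening is permanent and survives a `semodule -B` rebuild.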
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system/okd-selinux.service b/overlay.d/10-fcos/usr/lib/systemd/system/okd-selinux.service
new file mode 100644
index 0000000..698367f
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system/okd-selinux.service
@@ -0,0 +1,6 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/semodule -i /usr/lib/okd/selinux-fixes.cil
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service b/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service
new file mode 100644
index 0000000..d50ad3d
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=RHEL CoreOS Rebuild SELinux Policy If Necessary
+Documentation=https://bugzilla.redhat.com/2057497
+DefaultDependencies=false
+After=systemd-tmpfiles-setup.service local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/rhcos-rebuild-selinux-policy
+
+[Install]
+WantedBy=sysinit.target
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service b/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service
new file mode 100644
index 0000000..6384560
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service
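Review bot: `ExecStart=/usr/sbin/semodule -i /usr/lib/okd/selinux-fixes.cil` runs on every boot with no guard, and `semodule -i` recompiles and reloads the whole policy each time, which costs boot time and rewrites the compiled policy under `/etc/selinux` on every start; guard it with a stamp file or a `semodule -l | grep -q selinux-fixes` check, as the sibling `rhcos-usrlocal-selinux-fixup.service` does with its `.stamp`. Once this unit has run, `/etc/selinux/targeted/policy/policy.33` will permanently differ from the `/usr/etc` copy that `rhcos-rebuild-selinux-policy` compares against, so that script will likely run `semodule -B` on every later boot as well, giving two policy rebuilds per boot. The unit also lacks a `[Unit]` section: add `Description=Load OKD SELinux policy fixes` and ordering such as `Before=crio.service` so the rules are in place before the container runtime they concern starts.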
@@ -0,0 +1,19 @@
+[Unit]
+Description=RHCOS Fix SELinux Labeling For /usr/local/sbin
+Documentation=https://bugzilla.redhat.com/1956836
+DefaultDependencies=false
+After=systemd-tmpfiles-setup.service local-fs.target
+Before=sysinit.target
+ConditionPathExists=/var/usrlocal/sbin
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Run every time because systemd-tmpfiles will reset it to the incorrect
+# context on each boot.
+ExecStart=chcon -v --reference=/usr/sbin /usr/local/sbin
+# Only do this recursive relabeling once.
+ExecStart=/bin/sh -c 'if ! test -f /var/lib/.coreos-usrlocal-fixup.stamp; then find /var/usrlocal/sbin -executable -mount -exec chcon -v --reference=/usr/sbin {} \\; && touch /var/lib/.coreos-usrlocal-fixup.stamp; fi'
+
+[Install]
+WantedBy=sysinit.target
diff --git a/overlay.d/10-fcos/usr/lib/systemd/system/zincati.service.d/okd-machine-os-disabled.conf b/overlay.d/10-fcos/usr/lib/systemd/system/zincati.service.d/okd-machine-os-disabled.conf
new file mode 100644
index 0000000..922625e
--- /dev/null
+++ b/overlay.d/10-fcos/usr/lib/systemd/system/zincati.service.d/okd-machine-os-disabled.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/enoent
diff --git a/overlay.d/10-fcos/usr/libexec/rhcos-rebuild-selinux-policy b/overlay.d/10-fcos/usr/libexec/rhcos-rebuild-selinux-policy
new file mode 100755
index 0000000..9d0f5c2
--- /dev/null
+++ b/overlay.d/10-fcos/usr/libexec/rhcos-rebuild-selinux-policy
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Executed by rhcos-selinux-policy-upgrade.service
+set -euo pipefail
+
+ls -al /{usr/,}etc/selinux/targeted/policy/policy.33
+if ! cmp --quiet /{usr/,}etc/selinux/targeted/policy/policy.33; then
+ echo "Recompiling policy due to local modifications as workaround for https://bugzilla.redhat.com/2057497"
+ semodule -B
+fi
diff --git a/overlay.d/15-microshift/etc/crio/crio.conf.d/crun.conf b/overlay.d/15-microshift/etc/crio/crio.conf.d/crun.conf
new file mode 100644
index 0000000..b3fbd3f
--- /dev/null
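Review bot: `policy.33` is hard-coded in both the `ls` and the `cmp` while the image's `BASE_TAG=stable` floats, so if the base's policy version ever changes the `ls` fails under `set -euo pipefail` and `rhcos-selinux-policy-upgrade.service` fails during `sysinit.target`; derive the name instead, e.g. `pol=$(ls /usr/etc/selinux/targeted/policy/policy.* | head -n1)` (assuming a single policy file is present) and compare `"$pol"` with its `/etc` counterpart. The `ls -al` line is diagnostic output only and could be dropped or sent to stderr. Note that after `okd-selinux.service` has installed its module once, `/etc/.../policy.33` will permanently differ from `/usr/etc/.../policy.33`, so this script will run `semodule -B` on every subsequent boot; confirm that is intended or compare against a stamp instead.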
+++ b/overlay.d/15-microshift/etc/crio/crio.conf.d/crun.conf
@@ -0,0 +1,8 @@
+[crio.runtime.runtimes.crun]
+runtime_path = ""
+runtime_type = "oci"
+runtime_root = "/run/crun"
+runtime_config_path = ""
+monitor_path = ""
+monitor_cgroup = "system.slice"
+monitor_exec_cgroup = ""
diff --git a/overlay.d/15-microshift/etc/yum.repos.d/coreos-continuous.repo b/overlay.d/15-microshift/etc/yum.repos.d/coreos-continuous.repo
new file mode 100644
index 0000000..52f4721
--- /dev/null
+++ b/overlay.d/15-microshift/etc/yum.repos.d/coreos-continuous.repo
@@ -0,0 +1,10 @@
+[coreos-continuous]
+name=Copr repo for continuous owned by @CoreOS
+baseurl=https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
diff --git a/overlay.d/15-microshift/etc/yum.repos.d/microshift.repo b/overlay.d/15-microshift/etc/yum.repos.d/microshift.repo
new file mode 100644
index 0000000..41073a2
--- /dev/null
+++ b/overlay.d/15-microshift/etc/yum.repos.d/microshift.repo
@@ -0,0 +1,6 @@
+[microshift]
+name=microshift
+type=rpm-md
+baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/4.14.0-ec.4/el9/os/
+gpgcheck=0
+enabled=1
diff --git a/overlay.d/15-microshift/etc/yum.repos.d/okd-copr.repo b/overlay.d/15-microshift/etc/yum.repos.d/okd-copr.repo
new file mode 100644
index 0000000..61a27a1
--- /dev/null
+++ b/overlay.d/15-microshift/etc/yum.repos.d/okd-copr.repo
@@ -0,0 +1,8 @@
+[okd-copr]
+name=Copr repo for OKD
+baseurl=https://download.copr.fedorainfracloud.org/results/@OKD/okd/fedora-38-$basearch/
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/@OKD/okd/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
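Review bot: `gpgcheck=0` on `[microshift]` means every package from `mirror.openshift.com` is installed without signature verification, while the two Copr repos in this same commit set `gpgcheck=1` with a `gpgkey`; if a signing key is published for the dev-preview tree, point `gpgkey=` at it and set `gpgcheck=1`, otherwise leave a comment stating why verification is off and that transport security of the HTTPS `baseurl` is the only integrity check. The path pins `ocp-dev-preview/4.14.0-ec.4/el9` on a Fedora CoreOS base, which also deserves a comment since `$releasever` is unused here and an EL9 build is presumably being mixed into a Fedora tree on purpose.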
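Review bot: `baseurl=.../@OKD/okd/fedora-38-$basearch/` hard-codes Fedora 38 whereas `coreos-continuous.repo` in the same commit uses `fedora-$releasever-$basearch`; once the unpinned `stable` base moves past 38 this repo will keep serving F38 builds against a newer base, so either use `$releasever` here too or add a comment explaining why 38 is fixed. `repo_gpgcheck=0` leaves repository metadata unsigned while package signatures are still checked; the Copr-generated .repo files set the same, so a short comment to that effect prevents the next reviewer from flagging it.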
diff --git a/overlay.d/15-microshift/usr/lib/systemd/system/firewall-microshift.service b/overlay.d/15-microshift/usr/lib/systemd/system/firewall-microshift.service
new file mode 100644
index 0000000..ea7cb12
--- /dev/null
+++ b/overlay.d/15-microshift/usr/lib/systemd/system/firewall-microshift.service
@@ -0,0 +1,19 @@
+[Unit]
+Description="Configure firewalld for microshift"
+Documentation="https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/installing/microshift-install-rpm"
+After=network-online.target
+ConditionPathExists=!/var/.microshift-firewall-configured
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+# TODO: Take some values from the microshift config
+ExecStartPre=/usr/bin/firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
+ExecStartPre=/usr/bin/firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
+ExecStartPre=/usr/bin/firewall-cmd --reload
+ExecStart=/usr/bin/touch /var/.microshift-firewall-configured
+Restart=on-failure
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
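Review bot: The unit calls `firewall-cmd` but declares no relationship to `firewalld.service`, so on a boot where firewalld is not yet running the `ExecStartPre` lines fail; add `Requires=firewalld.service` and `After=firewalld.service network-online.target` (plus `Wants=network-online.target`, which `After=` alone does not pull in). `Description="..."` and `Documentation="..."` keep the quotes as part of the value, and systemd validates `Documentation=` as a URI, so the quoted form is likely to be logged as invalid and ignored; drop the quotes. Adding `10.42.0.0/16` and `169.254.169.1` to the `trusted` zone matches the documented MicroShift setup, but the TODO about reading them from the MicroShift config is the first thing a reviewer would ask about, because a changed cluster network silently leaves the wrong range trusted and the stamp file means the unit never runs again to correct it.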