donotmerge: IBX changes #958
base: main
Conversation
@@ -0,0 +1,26 @@ | |||
FROM quay.io/centos/centos:stream9 as build |
We must build bootc because it doesn't ship with RHCOS yet
RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make test-bin-archive && mkdir -p /out && cp target/bootc.tar /out | ||
RUN mkdir -p /build/target/dev-rootfs # This can hold arbitrary extra content | ||
|
||
FROM quay.io/otuchfel/ostbackup:serv1 as seed |
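Review bot: the `cp target/bootc.tar /out` on the `make test-bin-archive` line assumes an uncompressed archive, while the `bin-archive` recipe in this PR's Makefile hunk writes `target/bootc.tar.zst`; keep the archive name and the copy in sync, preferably by keeping `--zstd` (the maintainer's reply on that hunk suggests the build image was stale, not that zstd is missing). Both `FROM` lines also use floating tags (`centos:stream9`, `ostbackup:serv1`) and the seed comes from a personal quay namespace, so the build is not reproducible; pin by digest once this moves past a PoC.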
Your normal seed image goes here.
In an ideal future all seeds will simply be "bootc seeds", but for now we have this Containerfile to make a "bootc seed" out of a normal seed
hmm not sure. we can generate new seeds I guess. no need to deal with backwards compatibility at this point. but whatever is easier for the POC of course
@@ -39,10 +39,10 @@ install-all: install install-ostree-hooks | |||
install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests | |||
|
|||
bin-archive: all | |||
$(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf |
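Review bot: if the change on the `bin-archive` line is dropping `--zstd`, the output name must change with it (`target/bootc.tar.zst` to `target/bootc.tar`) or the Containerfile's `cp target/bootc.tar /out` and the archive will disagree. The recipe uses `$(TAR_REPRODUCIBLE)` precisely to keep the archive reproducible, so the better fix for a build image whose tar lacks zstd support is to pull a current base image or add the `zstd` package to the build stage and leave this recipe alone.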
-zstd unsupported on quay.io/centos/centos:stream9
Wait that's definitely not true. Do you have a really old image? Builds don't pull by default so unfortunately you need to explicitly e.g. `podman pull quay.io/centos-bootc/centos-bootc:stream9` or so.
I don't believe I have an old image
build_seed.sh
Some helper script, ignore
hack/Containerfile
This file isn't really used in this PoC, ignore those changes
lib/src/install.rs
@@ -946,7 +946,7 @@ pub(crate) fn reexecute_self_for_selinux_if_needed( | |||
override_disable_selinux: bool, | |||
) -> Result<SELinuxFinalState> { | |||
// If the target state has SELinux enabled, we need to check the host state. | |||
if srcdata.selinux { |
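Review bot: skipping the re-exec when `srcdata.selinux` is true lets the install run outside the `install_t` domain the target policy expects, which risks leaving files on the installed system with the wrong labels; the summary further down shows the failure is environmental (the extra `/tmp` bind mount leaves the process in `spc_t`), so keep this guard and fix the mounts instead. If a PoC needs a bypass, the error message already names one, `BOOTC_SETENFORCE0_FALLBACK=1`, which is preferable to editing the condition.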
The re-exec is failing for some reason, I skipped it and despite that things seem to work alright (maybe because I `sudo setenforce permissive`)
update: it works even without setenforce
Failing with what error message?
`ERROR Installing to filesystem: Ensuring selinux install_t type: Ensuring selinux install_t type: fsetxattr(security.selinux): Operation not supported (os error 95)`
But I'm now starting to think this just might be due to my removal of `setup_tmp_mounts`
Temporarily working around the `setup_tmp_mounts` error mentioned in the other comment below using `-v /tmp:/tmp -v /var/tmp:/var/tmp`
But now the re-exec fails with a new error:
`ERROR Installing to filesystem: Ensuring selinux install_t type: Failed to enter install_t (running as unconfined_u:unconfined_r:spc_t:s0) - use BOOTC_SETENFORCE0_FALLBACK=1 to override`
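The `Failed to enter install_t (running as unconfined_u:unconfined_r:spc_t:s0)` message above is the outcome of a pre-flight check: the installer reads its own SELinux label and refuses to continue unless the type field is the expected domain. As an added example, not bootc's code, here is that check in C: a parser for the `user:role:type:level` label format (the level may itself contain colons, as in `s0-s0:c0.c1023`), a decision function that separates "wrong domain" from "no SELinux label at all", and a reader for `/proc/self/attr/current`. The type name `install_t` and the sample labels come from this thread; the struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* A parsed SELinux context, user:role:type:level, e.g. unconfined_u:unconfined_r:spc_t:s0 */
struct se_context {
    char user[64];
    char role[64];
    char type[64];
    char level[128]; /* MLS/MCS range; may itself contain ':' (s0-s0:c0.c1023) */
};

enum domain_check {
    DOMAIN_OK = 0,        /* already running in the expected domain */
    DOMAIN_WRONG = 1,     /* labelled, but with another type (e.g. spc_t instead of install_t) */
    DOMAIN_NO_SELINUX = 2 /* no SELinux label to check: no LSM, or another LSM such as AppArmor */
};

/* Copy the bytes [s, e) into dst as a C string; fails on an empty field or one that does not fit. */
static int copy_field(char *dst, size_t cap, const char *s, const char *e) {
    size_t len = (size_t)(e - s);
    if (len == 0 || len >= cap)
        return -1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 0;
}

/* Split `raw` (trailing newline tolerated) into its fields. The level is optional and
 * keeps any further colons. Returns 0 on success, -1 if this is not an SELinux label. */
int parse_context(const char *raw, struct se_context *ctx) {
    size_t n = strlen(raw);
    while (n > 0 && (raw[n - 1] == '\n' || raw[n - 1] == ' '))
        n--;
    const char *end = raw + n;
    const char *c1 = memchr(raw, ':', n);
    if (!c1)
        return -1;
    const char *c2 = memchr(c1 + 1, ':', (size_t)(end - (c1 + 1)));
    if (!c2)
        return -1;
    const char *c3 = memchr(c2 + 1, ':', (size_t)(end - (c2 + 1)));
    const char *type_end = c3 ? c3 : end;
    if (copy_field(ctx->user, sizeof ctx->user, raw, c1) != 0 ||
        copy_field(ctx->role, sizeof ctx->role, c1 + 1, c2) != 0 ||
        copy_field(ctx->type, sizeof ctx->type, c2 + 1, type_end) != 0)
        return -1;
    if (c3)
        return copy_field(ctx->level, sizeof ctx->level, c3 + 1, end);
    ctx->level[0] = '\0';
    return 0;
}

/* Decide whether a process labelled `raw` (NULL when no label could be read) is in
 * `expected_type`. When `out` is non-NULL the parsed context is copied there. */
enum domain_check check_domain(const char *raw, const char *expected_type, struct se_context *out) {
    struct se_context ctx;
    if (!raw || parse_context(raw, &ctx) != 0)
        return DOMAIN_NO_SELINUX;
    if (out)
        *out = ctx;
    return strcmp(ctx.type, expected_type) == 0 ? DOMAIN_OK : DOMAIN_WRONG;
}

/* Read this process's own label from /proc/self/attr/current.
 * Returns 1 with the label in buf, 0 if the kernel exposes none, -1 on other errors. */
int read_current_context(char *buf, size_t cap) {
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f)
        return errno == ENOENT ? 0 : -1;
    size_t n = fread(buf, 1, cap - 1, f);
    int err = ferror(f) ? errno : 0;
    fclose(f);
    if (err)
        return err == EINVAL ? 0 : -1;
    buf[n] = '\0';
    return 1;
}

int main(void) {
    char buf[256];
    struct se_context ctx;
    if (read_current_context(buf, sizeof buf) <= 0) {
        puts("no SELinux label available for this process");
        return 0;
    }
    switch (check_domain(buf, "install_t", &ctx)) {
    case DOMAIN_OK:
        puts("running as install_t, labelling can proceed");
        break;
    case DOMAIN_WRONG:
        printf("Failed to enter install_t (running as %s:%s:%s:%s)\n", ctx.user, ctx.role, ctx.type, ctx.level);
        break;
    default:
        printf("process label %s is not an SELinux context\n", buf);
        break;
    }
    return 0;
}
```

Run inside a privileged container on an enforcing host and the program prints the same `running as ...:spc_t:s0` diagnostic seen in the thread; on a host without SELinux the label read yields something like `unconfined`, which the parser rejects so the caller can tell "not in the domain" from "nothing to check".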
Weirdly the error seems to disappear when `-v /tmp:/tmp` is removed, leaving only the `/var/tmp` mount. Confirming that this is true
Yep that is indeed the case.
To summarize:
- No tmp mounts at all leads to `ERROR Installing to filesystem: Linking tmp mounts to host: Exchanging /var/tmp <=> /var/tmp.tmp: Invalid cross-device link (os error 18)`
- Both `/tmp/` and `/var/tmp` mounts lead to `ERROR Installing to filesystem: Ensuring selinux install_t type: Failed to enter install_t (running as unconfined_u:unconfined_r:spc_t:s0) - use BOOTC_SETENFORCE0_FALLBACK=1 to override`
- Only the `/var/tmp` mount works
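The `Invalid cross-device link (os error 18)` in the first bullet is EXDEV from rename: the kernel refuses to exchange `/var/tmp` with `/var/tmp.tmp` when the two paths are on different filesystems, and also when they are on different mounts of the same filesystem, which is what a `-v /var/tmp:/var/tmp` bind mount produces. The following C program, added here as an illustration and not part of bootc, performs such an exchange with `renameat2(RENAME_EXCHANGE)` and shows the two checks a caller wants: a `st_dev` comparison up front, which catches the different-filesystem case with a clear message, and an errno classification afterwards, because the bind-mount case only shows up as EXDEV from the syscall itself. The directory names (`var-tmp`, `var-tmp.tmp`), the marker files and the base directory under `/tmp` are constructed for the demo; the function names are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>

#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1) /* renameat2(2) flag: atomically swap the two paths */
#endif

/* Outcome of an attempted exchange, with the EXDEV cases separated out. */
enum exchange_result {
    EXCHANGE_OK = 0,
    EXCHANGE_DIFFERENT_FS = 1, /* refused before the syscall: st_dev differs */
    EXCHANGE_CROSS_MOUNT = 2,  /* kernel said EXDEV although st_dev matched: different mounts */
    EXCHANGE_UNSUPPORTED = 3,  /* EINVAL/ENOSYS/EOPNOTSUPP: no RENAME_EXCHANGE on this kernel or fs */
    EXCHANGE_OTHER_ERROR = 4
};

/* Translate the errno left by renameat2 into a result code. */
enum exchange_result classify_errno(int err) {
    if (err == EXDEV)
        return EXCHANGE_CROSS_MOUNT;
    if (err == EINVAL || err == ENOSYS || err == EOPNOTSUPP)
        return EXCHANGE_UNSUPPORTED;
    return EXCHANGE_OTHER_ERROR;
}

/* 1 if both paths report the same st_dev (same filesystem), 0 if not, -1 if stat fails. */
int same_filesystem(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev;
}

/* Swap `a` and `b` atomically. The st_dev pre-check explains the different-filesystem case;
 * EXDEV can still come back for two mounts of one filesystem (a bind mount), so the errno
 * is classified as well. The raw syscall is used so this also builds on glibc < 2.28. */
enum exchange_result exchange_paths(const char *a, const char *b) {
    int same = same_filesystem(a, b);
    if (same < 0)
        return EXCHANGE_OTHER_ERROR;
    if (same == 0)
        return EXCHANGE_DIFFERENT_FS;
    long rc = syscall(SYS_renameat2, AT_FDCWD, a, AT_FDCWD, b, (unsigned int)RENAME_EXCHANGE);
    return rc == 0 ? EXCHANGE_OK : classify_errno(errno);
}

/* Demo: under `base` create var-tmp/ and var-tmp.tmp/, each with a marker file, swap them,
 * and copy the marker now found under var-tmp/ into `out`. */
enum exchange_result demo_swap(const char *base, char *out, size_t cap) {
    char a[PATH_MAX], b[PATH_MAX], f[PATH_MAX];
    const char *markers[2] = {"host", "container"}; /* constructed sample content */
    snprintf(a, sizeof a, "%s/var-tmp", base);
    snprintf(b, sizeof b, "%s/var-tmp.tmp", base);
    const char *dirs[2] = {a, b};
    for (int i = 0; i < 2; i++) {
        if (mkdir(dirs[i], 0700) != 0 && errno != EEXIST)
            return EXCHANGE_OTHER_ERROR;
        snprintf(f, sizeof f, "%s/marker", dirs[i]);
        FILE *fp = fopen(f, "w");
        if (!fp)
            return EXCHANGE_OTHER_ERROR;
        fputs(markers[i], fp);
        fclose(fp);
    }
    enum exchange_result r = exchange_paths(a, b);
    if (r != EXCHANGE_OK)
        return r;
    snprintf(f, sizeof f, "%s/marker", a);
    FILE *fp = fopen(f, "r");
    if (!fp)
        return EXCHANGE_OTHER_ERROR;
    if (!fgets(out, (int)cap, fp))
        out[0] = '\0';
    fclose(fp);
    return EXCHANGE_OK;
}

/* Remove what demo_swap created, then the base directory itself. */
void remove_demo_tree(const char *base) {
    const char *rel[4] = {"var-tmp/marker", "var-tmp.tmp/marker", "var-tmp", "var-tmp.tmp"};
    char p[PATH_MAX];
    for (int i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s/%s", base, rel[i]);
        remove(p);
    }
    remove(base);
}

int main(void) {
    char tmpl[] = "/tmp/exchange-demo-XXXXXX";
    char got[32] = {0};
    const char *base = mkdtemp(tmpl);
    if (!base) {
        perror("mkdtemp");
        return 1;
    }
    enum exchange_result r = demo_swap(base, got, sizeof got);
    int err = errno;
    if (r == EXCHANGE_OK)
        printf("after the exchange, var-tmp holds the marker: %s\n", got);
    else
        printf("exchange failed: result %d (%s)\n", (int)r, strerror(err));
    remove_demo_tree(base);
    return r == EXCHANGE_OK ? 0 : 1;
}
```

After a successful run `var-tmp` holds the marker that started in `var-tmp.tmp`. Pointing `a` at a path under a separate bind mount of the same filesystem passes the `st_dev` check and still returns `EXCHANGE_CROSS_MOUNT`, which is the situation the `-v /var/tmp:/var/tmp` experiments above were probing; a filesystem without `RENAME_EXCHANGE` support reports `EXCHANGE_UNSUPPORTED` instead of a misleading generic failure.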
lib/src/install.rs
@@ -1222,7 +1162,7 @@ async fn prepare_install( | |||
crate::mount::ensure_mirrored_host_mount("/dev")?; | |||
crate::mount::ensure_mirrored_host_mount("/var/lib/containers")?; | |||
ensure_var()?; | |||
setup_tmp_mounts()?; |
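Review bot: dropping `setup_tmp_mounts()?;` removes the step that, per its own error text, links the container's tmp mounts to the host, while `/dev` and `/var/lib/containers` above it are still mirrored; the `Invalid cross-device link (os error 18)` it raised means `/var/tmp` and `/var/tmp.tmp` ended up on different mounts, which is exactly what the `-v /var/tmp:/var/tmp` in the install command changes. The fix belongs inside that function (verify both paths sit on the same mount before the exchange and name the foreign one in the error), not in removing the call.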
This was failing for some reason so I had to take it out, I'm not quite sure what purpose it serves anyway, but need to dig into why it was failing
Again what error message?
ERROR Installing to filesystem: Linking tmp mounts to host: Exchanging /var/tmp <=> /var/tmp.tmp: Invalid cross-device link (os error 18)
Looking into it
While the install completes "successfully", SSHing after rebooting doesn't work
Host SSH keys were not created... Suspecting selinux? EDIT: neither did the key I added with
Containerfile
LABEL com.openshift.lifecycle-agent.seed_format_version=3 | ||
|
||
RUN mkdir -p /usr/lib/bootc/install | ||
RUN echo -e '[install.filesystem.root]\ntype = "xfs"' > /usr/lib/bootc/install/00-bootc.toml |
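Review bot: `RUN echo -e '...' > /usr/lib/bootc/install/00-bootc.toml` depends on the image's `/bin/sh` being bash (`echo -e` prints a literal `-e` under dash); a `COPY` of a checked-in `00-bootc.toml`, or a heredoc `RUN`, is shell-independent and makes the config reviewable as a file. The thread below also concludes the file is unnecessary once the base image inherits from fedora-bootc, so it can likely be dropped altogether.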
I think this is unnecessary after FCOS starts inheriting from fedora-bootc, you just haven't picked up that change in the base image here right?
I've added that because I was just starting off from a very old PoC by @javipolo, it might be completely unnecessary. I'll try to do without it
Yeah it works fine without it
Some (trash, temporary) changes I had to perform on bootc to get IBX to work

- `./Containerfile` builds a bootable image from an existing normal IBX seed
- `./build_seed.sh` is just a helper script

To install on recipient

```
sudo podman run --privileged -v $PWD/authkeys:/authkeys --env RUST_LOG=trace -v /var/tmp:/var/tmp -v /var/lib/containers/storage:/var/lib/containers/storage --pid=host -it quay.io/otuchfel/bootc:seed bootc install to-existing-root --acknowledge-destructive --stateroot omeroot --root-ssh-authorized-keys /authkeys --bound-images pull
```

This PR only exists to start discussions around concrete issues, it's not meant to be merged.
Force push because of rebase
OK figured out it was because of
Ouch...maybe we should revisit that.
Current state:
But...
`core` user as we would expect from OCP, `sshd` is running, `/root/.authorized_keys` is populated with the key I expect... yet:
Even though I'm using `ssh-ed25519`, so it's rather strange... Will look into it once I come back from vacation
Future work: