Reapply "manifests: enable cliwrap on Fedora 40+" #2887
This reverts commit 3789b06.
The reported issue that motivated the revert[1] is due to an rpm-ostree bug[2].
We can trivially work around this bug until the rpm-ostree fix lands in FCOS, so let's do that and re-enable cliwrap.
[1]: coreos/fedora-coreos-tracker#1679
[2]: coreos/rpm-ostree#4848
Doing this means we are knowingly shipping a bug to anything on F40+? Normally this might be fine, but we just entered beta freeze which means we potentially ship this in `next`. I’m not super comfortable with that.
I think it would be better to get the fix backported to rpm-ostree in Fedora and then fast-track it to all branches that are on F40+?
An option here would be to just not work around the issue in the test and just denylist that test on branched and rawhide. This would protect against us shipping a bug in our prod streams but would set a timer on getting rpm-ostree fixed.
Yes, this needs to be fixed in RHCOS too. I wasn't planning on immediately backporting everywhere in case more bugs show up. But I did plan to eventually make sure it's fixed before f40 GA, whether by backporting or just because we've cut a new release. (Notice I didn't mark this PR as closing coreos/fedora-coreos-tracker#1679 :) ). Not too concerned about leaving this in Beta for now. Guess we could denylist, yeah... Though kernel replacement in the layering flow is an important feature. I don't want us to lose coverage of that in f40+ in the meantime.
LGTM
FWIW (as the person who pushed for cliwrap and wrote a lot of the code) I now consider it a technological dead end and also a giant social mistake (effectively agreeing with initial feedback!) The big technology problem here is that upgrading a package in a container build (whether via rpm or dnf or rpm-ostree if it ever supported
Yikes, yes that's not great. I'm still also not a big fan of the approach overall. The main thing I'm interested in really is trying to make
Hmm but actually, the confusing thing here is that we definitely do at least need the I don't see a kernel replacement example in https://gitlab.com/bootc-org/examples and https://github.com/coreos/layering-examples/blob/main/replace-kernel/Containerfile still includes an explicit
yeah cc coreos/rpm-ostree#4726
Yeah, would probably make sense except do note it comes from systemd and is hence pretty likely to get replaced when upgrading systemd
All we really want to cliwrap is `dnf` so that a `dnf install ...` will work. Again, as mentioned in the commit that introduced this, ideally we can actually ship dnf itself once it's ready and then we can back this out.
Also wrap `kernel-install` for now to make kernel replacements smoother until we can get it to work seamlessly (this matches [1]).
[1]: CentOS/centos-bootc#377
OK, I changed the proposal here to only wrap
Done in CentOS/centos-bootc#377.
This reverts commit ff686c6. With cliwrap, rpm-ostree runs rpm with less privileges. We special-case `--query`, so e.g. `rpm -qf` still runs with dropped privileges. But anyway, we actually want to reduce this to wrapping *just* `dnf` for now (see discussions in coreos/fedora-coreos-config#2887). Resolves: https://issues.redhat.com/browse/OCPBUGS-30149
Retracting this. Will open a tracker issue with another proposal.