From 79bf8749aff1fdd4e1c285598f8f9d68cea0caaf Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Thu, 20 Jun 2024 09:31:27 -0600 Subject: [PATCH] Semiregular VM catchup - rawhide now includes rpm-plugin-ima, which breaks rootless podman pods. Add a timebomb'ed workaround until there's a more definitive solution in podman or its containers-* libraries - bug fix for Makefile, handle indented timebombs - install composefs in rawhide Signed-off-by: Ed Santiago --- IMG_SFX | 2 +- Makefile | 2 +- cache_images/fedora_packaging.sh | 8 ++++++++ cache_images/rawhide_setup.sh | 4 ++++ 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/IMG_SFX b/IMG_SFX index afcec888..f7c2459b 100644 --- a/IMG_SFX +++ b/IMG_SFX @@ -1 +1 @@ -20240529t141726z-f40f39d13 +20240620t153000z-f40f39d13 diff --git a/Makefile b/Makefile index cd378f4a..a79f2549 100644 --- a/Makefile +++ b/Makefile @@ -140,7 +140,7 @@ timebomb-check: @now=$$(date --utc +%Y%m%d); \ found=; \ while read -r bomb; do \ - when=$$(echo "$$bomb" | awk '{print $$2}'); \ + when=$$(echo "$$bomb" | sed -e 's/^.*timebomb \([0-9]\+\).*/\1/'); \ if [ $$when -le $$now ]; then \ echo "$$bomb"; \ found=found; \ diff --git a/cache_images/fedora_packaging.sh b/cache_images/fedora_packaging.sh index 75c9756e..9384ed77 100644 --- a/cache_images/fedora_packaging.sh +++ b/cache_images/fedora_packaging.sh @@ -208,3 +208,11 @@ cd - # It was observed in F33, dnf install doesn't always get you the latest/greatest lilto $SUDO dnf update -y + +# Gah. FIXME 2024-06-20: rawhide now includes rpm-plugin-ima, +# which causes rootless podman pods to fail. +# https://github.com/containers/podman/issues/18543 +if ! ((CONTAINER)); then + timebomb 20240710 "Temporary workaround for signed rpms (ima) in rawhide" + $SUDO setfattr -x security.ima /usr/libexec/catatonit/catatonit || true +fi diff --git a/cache_images/rawhide_setup.sh b/cache_images/rawhide_setup.sh index 58509d1e..693fc99b 100644 --- a/cache_images/rawhide_setup.sh 
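Review bot: The new `sed` extraction on the `when=` line fails open: without `-n` and the `p` flag, sed prints any line the pattern does not match unchanged, so `$$when` becomes the whole line, the unquoted `[ $$when -le $$now ]` errors out, and the `if` treats that as "not expired". A timebomb call whose date is not a literal digit run directly after the word would therefore never trip the check. Consider `sed -n -e 's/^.*timebomb \([0-9]\{8\}\).*/\1/p'` followed by `if [ -z "$$when" ] || [ "$$when" -le "$$now" ]; then \`, so an unparsable line is reported instead of skipped. The `while` loop and its input begin and end outside this hunk, so which lines actually reach it should be confirmed there.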
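Review bot: The `|| true` on the `setfattr -x` line hides every failure, not just "attribute not present": a missing `setfattr` binary or a moved catatonit path would leave the image unfixed with no signal until rootless pods fail later. Removing `security.ima` also discards the file's IMA signature, and the guard is only `! ((CONTAINER))`, so unless this script is reached only for rawhide (not visible here) the strip happens on every Fedora VM image although the comment speaks of rawhide. I would probe first, e.g. `if $SUDO getfattr -n security.ima /usr/libexec/catatonit/catatonit &>/dev/null; then $SUDO setfattr -x security.ima /usr/libexec/catatonit/catatonit; fi`, and add a comment such as `# CI images only: drops the IMA signature from catatonit; remove once the linked podman issue is resolved`. A later package update of catatonit would presumably restore the attribute, so the placement after `dnf update` matters and is worth stating in that comment.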
+++ b/cache_images/rawhide_setup.sh @@ -39,6 +39,10 @@ $SUDO sed -i -r -e 's/^gpgcheck=.+/gpgcheck=0/' /etc/yum.repos.d/*.repo $SUDO dnf5 -y distro-sync --releasever=rawhide --allowerasing $SUDO dnf5 upgrade -y +# As of May 2024 composefs is heating up +timebomb 20241231 "At some point, composefs should be available on all fedoras" +$SUDO dnf5 -y install composefs + # A shared fedora_packaging.sh script is called next that doesn't always support dnf5 $SUDO ln -s $(type -P dnf5) /usr/local/bin/dnf
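Review bot: The added `dnf5 -y install composefs` runs after the context line that rewrites every repo file to `gpgcheck=0`, so this package is pulled into the cached image without signature verification; that is pre-existing behaviour for the distro-sync, but each new install widens what is fetched unverified. The comment `# As of May 2024 composefs is heating up` does not say what needs the package or what to do when the timebomb fires. I would replace it with something like `# composefs is needed by <consumer — TODO name it>; installed here only until it is in the shared package list (see timebomb); note gpgcheck is disabled above`. If signature checking can be re-enabled for rawhide, doing so before this install would be preferable, but that decision lies outside this hunk.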