-
Notifications
You must be signed in to change notification settings - Fork 154
/
fedora-coreos.yaml
169 lines (152 loc) · 5.91 KB
/
fedora-coreos.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# This manifest file defines things that should really only go
# into "official" builds of Fedora CoreOS (such as including `fedora-release-coreos`)
# or are very "opinionated" like disabling SSH passwords by default.
ref: fedora/${basearch}/coreos/${stream}
rojig:
license: MIT
name: fedora-coreos
summary: Fedora CoreOS ${stream}
add-commit-metadata:
fedora-coreos.stream: ${stream}
include: fedora-coreos-base.yaml
conditional-include:
- if: prod == false
# long-term, would be good to support specifying a nested TreeComposeConfig
include: disable-zincati.yaml
- if: basearch == "aarch64"
# Fixup for kdump on aarch64 AWS instances
include: kdump-aarch64-aws-workaround.yaml
- if: basearch != "s390x"
# And remove some cruft from grub2
include: grub2-removals.yaml
ostree-layers:
- overlay/15fcos
automatic-version-prefix: "${releasever}.<date:%Y%m%d>.dev"
mutate-os-release: "${releasever}"
# All Fedora CoreOS streams share the same pool for locked files.
lockfile-repos:
- fedora-coreos-pool
packages:
- fedora-release-coreos
- fedora-repos-ostree
# fedora-repos-modular was converted into its own subpackage in f33
# Continue to include it in case users want to use it.
- fedora-repos-modular
# the archive repo for more reliable package layering
# https://github.com/coreos/fedora-coreos-tracker/issues/400
- fedora-repos-archive
# CL ships this.
- moby-engine
# Already pulled in by moby-engine, but let's be explicit. Typhoon uses it.
- containerd
# Updates
- zincati
# Include and set the default editor
- nano nano-default-editor
etc-group-members:
# Add the docker group to /etc/group
# https://github.com/coreos/fedora-coreos-tracker/issues/2
# This will be no longer needed when systemd-sysusers has been implemented:
# https://github.com/projectatomic/rpm-ostree/issues/49
- docker
# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos-base.yaml
postprocess:
# Disable Zincati on non-release builds
# https://github.com/coreos/fedora-coreos-tracker/issues/212
- |
#!/usr/bin/env bash
set -euxo pipefail
source /etc/os-release
if [[ $OSTREE_VERSION = *.dev* ]]; then
mkdir -p /etc/zincati/config.d
echo -e '# https://github.com/coreos/fedora-coreos-tracker/issues/212\nupdates.enabled = false' > /etc/zincati/config.d/95-disable-on-dev.toml
fi
# Users shouldn't be configuring `rpm-ostreed.conf`
# https://github.com/coreos/fedora-coreos-tracker/issues/271
- |
#!/usr/bin/env bash
set -xeuo pipefail
cat > /tmp/rpm-ostreed.conf << 'EOF'
# By default, this system has its OS updates managed by
# `zincati.service`. Changes made to this file may
# conflict with the configuation of `zincati.service`.
# See https://github.com/coreos/zincati for additional
# information.
EOF
cat /usr/etc/rpm-ostreed.conf >> /tmp/rpm-ostreed.conf
cp /tmp/rpm-ostreed.conf /usr/etc/rpm-ostreed.conf
rm /tmp/rpm-ostreed.conf
# Make sure that we do not ship broken symlinks:
# https://github.com/coreos/fedora-coreos-config/issues/1782
# Remove known broken symlinks that point to non-existing files or directories:
# - Remove `.build-id` for binaries that we remove in other parts of the FCOS manifest
# - Remove links to man pages that we remove in FCOS
# Man pages are removed in FCOS thus the links in alternatives pointing to those are left there broken.
# Docs removal comes from manifests/fedora-coreos.yaml
# - systemd-firstboot comes from manifests/ignition-and-ostree.yaml
# - systemd-gpt-auto-generator comes from ignition-and-ostree.yaml
- |
#!/usr/bin/env bash
set -euo pipefail
list_broken_symlinks_folders=(
'/etc/alternatives/'
'/usr/lib/.build-id/'
)
# It is not possible to remove files from usr after first boot so that is
# why we are removing them in the postprocess scripts here.
# The .build-id links are pointing to binaries that we remove in other parts of the FCOS manifest.
list_known_removed_folders=(
'/usr/bin/systemd-firstboot'
'/usr/lib/systemd/system-generators/systemd-gpt-auto-generator'
'/usr/share/doc/'
'/usr/share/info/'
'/usr/share/man/'
)
for folder in "${list_broken_symlinks_folders[@]}"; do
find "${folder}" -type l | while read -r file_name; do
real_path=$(realpath -m "${file_name}");
if [[ -e "${real_path}" ]]; then
continue
fi
for element in "${list_known_removed_folders[@]}"; do
if [[ "${real_path}" == "${element}"* ]]; then
rm -r "${file_name}"
fi
done
done
done
remove-from-packages:
# Drop some buggy sysusers fragments which do not match static IDs allocation:
# https://bugzilla.redhat.com/show_bug.cgi?id=2105177
- [dbus-common, /usr/lib/sysusers.d/dbus.conf]
remove-files:
# We don't ship man(1) or info(1)
- usr/share/info
- usr/share/man
# Drop text docs too
- usr/share/doc
# Things we don't expect to ship on the host. We currently
# have recommends: false so these could only come in via
# hard requirement, in which case the build will fail.
exclude-packages:
- python
- python2
- python2-libs
- python3
- python3-libs
- perl
- perl-interpreter
- nodejs
- dnf
- grubby
- cowsay # Just in case
# Let's make sure initscripts doesn't get pulled back in
# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
- initscripts
# For (datacenter/cloud oriented) servers, we want to see the details by default.
# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
- plymouth
# Do not use legacy ifcfg config format in NetworkManager
# See https://github.com/coreos/fedora-coreos-config/pull/1991
- NetworkManager-initscripts-ifcfg-rh