cmd-fetch: Derive konflux lockfiles from rpm-ostree

jbtrystram · jbtrystram · commit 442cd35bbfe5 · 2025-09-29T16:55:26.000+02:00
Let's use our lockfiles to get hermeto download a set of matching RPMs. This is done by simply getting the package URL with `dnf repoquery` using the full NEVRA from the rpm-ostree lockfile. This will allow hermetic builds in Konflux. I also added an override yaml file to allow merging packages to the lock this will allow injecting arbitrary package. This will help enabling workarounds such as coreos/fedora-coreos-config@fb167ed See also coreos/fedora-coreos-config#3644 for the inital implementation and discussion.
diff --git a/src/cmd-fetch b/src/cmd-fetch
@@ -39,7 +39,7 @@ Usage: coreos-assembler fetch --help
   --write-lockfile-to=FILE Write updated base lockfile to separate file
   --with-cosa-overrides    Don't ignore cosa overrides in `overrides/rpm`
   --autolock=VERSION       If no base lockfile used, create one from any arch build of `VERSION`
-
+  --konflux                Generate hermeto lockfile for Konflux derived from the rpm-ostree lockfiles.
 EOF
 }
 
@@ -50,8 +50,9 @@ IGNORE_COSA_OVERRIDES_ARG=--ignore-cosa-overrides
 DRY_RUN=
 FORCE_ARG=
 STRICT=
+KONFLUX=
 rc=0
-options=$(getopt --options h --longoptions help,update-lockfile,dry-run,with-cosa-overrides,write-lockfile-to:,strict,force,autolock: -- "$@") || rc=$?
+options=$(getopt --options h --longoptions help,update-lockfile,dry-run,with-cosa-overrides,write-lockfile-to:,strict,force,autolock:,konflux -- "$@") || rc=$?
 [ $rc -eq 0 ] || {
     print_help
     exit 1
@@ -87,6 +88,9 @@ while true; do
             shift;
             AUTOLOCK_VERSION=$1
             ;;
+        --konflux)
+            KONFLUX=1
+            ;;
         --)
             shift
             break
@@ -176,3 +180,10 @@ if [ -n "${UPDATE_LOCKFILE}" ]; then
     (cd "${workdir}" && mv -f "${tmprepo}/tmp/manifest-lock.json" "${outfile}")
     echo "Wrote out lockfile ${outfile}"
 fi
+
+if [ -n "${KONFLUX}" ]; then
+   echo "Generating hermeto lockfile..."
+   /usr/lib/coreos-assembler/konflux-rpm-lockfile "${flattened_manifest}" --context "${configdir}" --output "${tmprepo}/tmp/rpms.lock.yaml" --arch all
+   (cd "${workdir}" && mv -f "${tmprepo}/tmp/rpms.lock.yaml" "konflux-rpms-lock.yaml")
+   echo "Wrote out hermeto lockfile: konflux-rpms-lock.yaml"
+fi
diff --git a/src/cosalib/cmdlib.py b/src/cosalib/cmdlib.py
@@ -575,3 +575,29 @@ def ensure_glob(pathname, **kwargs):
 def ncpu():
     '''Return the number of usable CPUs we have for parallelism.'''
     return int(subprocess.check_output(['kola', 'ncpu']))
+
+
+def get_locked_nevras(srcdir, arch=None):
+    """
+    Gathers all locked packages from the manifest-lock files.
+    The return format can be a dictionary of {pkgname: evr}
+    """
+    if not arch:
+        arch = get_basearch()
+    lockfile_path = os.path.join(srcdir, f"manifest-lock.{arch}.json")
+    overrides_path = os.path.join(srcdir, "manifest-lock.overrides.yaml")
+    overrides_arch_path = os.path.join(srcdir, f"manifest-lock.overrides.{arch}.json")
+
+    locks = {}
+    for path in [lockfile_path, overrides_path, overrides_arch_path]:
+        if os.path.exists(path):
+            with open(path) as f:
+                if path.endswith('.yaml'):
+                    data = yaml.safe_load(f)
+                else:
+                    data = json.load(f)
+                # this essentially re-implements the merge semantics of rpm-ostree
+                locks.update({pkgname: v.get('evra') or v.get('evr')
+                              for (pkgname, v) in data['packages'].items()})
+
+    return locks
diff --git a/src/konflux-rpm-lockfile b/src/konflux-rpm-lockfile
@@ -0,0 +1,229 @@
+#!/usr/bin/python
+
+import argparse
+import json
+import os
+import re
+import sys
+import subprocess
+import yaml
+
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+from cosalib.cmdlib import get_locked_nevras, get_basearch
+
+
+def format_packages_with_repoid(pkgs, repos):
+    """
+    Takes a list of package URLs and repos and returns a list
+    of package dictionaries with repoids.
+    """
+    packages = []
+    local_repos = list(repos)
+    if "fedora-coreos-pool" in local_repos:
+        local_repos.remove("fedora-coreos-pool")
+
+    if not local_repos:
+        if pkgs:
+            print("Error: No repos available to associate with packages.", file=sys.stderr)
+            sys.exit(1)
+        return []
+
+    # trick to make sure we have at least an entry for each repoid
+    # this way hermeto will create all the matching repo definitions
+    # and rpm-ostree will find all the expected repos.
+    repo_numbers = len(local_repos)
+    i = 0
+    for pkg in pkgs:
+        packages.append({"url": pkg, "repoid": local_repos[i % repo_numbers]})
+        i = i+1
+    return packages
+
+
+def write_hermeto_lockfile(arch_packages, repos):
+    """
+    Writes the hermeto lockfile structure.
+    """
+    arches = []
+    for arch_data in arch_packages:
+        arch = arch_data['arch']
+        pkgs = arch_data['packages']
+        formatted_packages = format_packages_with_repoid(pkgs, repos)
+        arches.append({
+            'arch': arch,
+            'packages': formatted_packages
+        })
+
+    lockfile = {
+        'lockfileVersion': 1,
+        "lockfileVendor": "redhat",
+        "arches": arches
+    }
+
+    return lockfile
+
+
+def merge_lockfiles(base_lockfile, override_lockfile):
+    """
+    Merges an override lockfile into a base lockfile.
+    """
+    if not override_lockfile:
+        return base_lockfile
+
+    # Create a dictionary for base arches for easy lookup
+    base_arches = {arch['arch']: arch for arch in base_lockfile.get('arches', [])}
+
+    override = override_lockfile.get('arches', [])
+    if not override:
+        return base_lockfile
+
+    for override_entry in override:
+        # override_entry is a dict like {'arch': x86_64','packages': [...]}
+        if not isinstance(override_entry, dict):
+            continue
+        arch = override_entry.get('arch', None)
+        override_packages = override_entry.get('packages', [])
+        if arch in base_arches:
+            # Merge packages
+            base_packages = base_arches[arch].get('packages', [])
+            base_packages += override_packages
+        else:
+            print(f"Unexpected arch in override file : {arch}")
+
+    # Reconstruct the arches list
+    base_lockfile['arches'] = list(base_arches.values())
+    return base_lockfile
+
+
+def query_packages_location(locks, repoquery_args):
+    """
+    Resolves packages URLs for a given architecture.
+    """
+    pkg_urls = []
+    if not locks:
+        return pkg_urls
+
+    locked_nevras = [f'{k}-{v}' for (k, v) in locks.items()]
+    cmd = ['dnf', 'repoquery'] + locked_nevras + repoquery_args
+    result = subprocess.check_output(cmd, text=True)
+
+    processed_urls = {}
+    for line in result.strip().split('\n'):
+        # ignore empty lines
+        if not line:
+            continue
+        parts = line.split(' ', 1)
+        # If more than 1 URL is returned we pick the first one
+        if len(parts) == 2:
+            name, url = parts
+            if name not in processed_urls:
+                processed_urls[name] = url
+    pkg_urls = list(processed_urls.values())
+    # sanity check all the packages got resolved
+    if len(pkg_urls) < len(locked_nevras):
+        print("Some packages from the lockfile could not be resolved. The rpm-ostree lockfile is probably out of date.")
+        for name in locks.keys():
+            if name not in processed_urls:
+                print(f"could not resolve package {name}")
+        sys.exit(1)
+
+    return pkg_urls
+
+
+def generate_lockfile(contextdir, manifest, output_path, arches):
+    """
+    Generates the cachi2/hermeto RPM lock file.
+    """
+    if not arches:
+        arches_to_resolve = [get_basearch()]
+    elif 'all' in arches:
+        arches_to_resolve = ['x86_64', 'aarch64', 's390x', 'ppc64le']
+    else:
+        arches_to_resolve = arches
+
+    if os.path.exists(manifest):
+        with open(manifest, 'r', encoding="utf8") as f:
+            manifest_data = json.load(f)
+    else:
+        print(f"flattened manifest not found at {manifest}")
+        sys.exit(1)
+
+    repos = manifest_data.get('repos', [])
+    repos += manifest_data.get('lockfile-repos', [])
+    repofiles = [file for file in os.listdir(contextdir) if file.endswith('.repo')]
+
+    repoquery_args = ["--queryformat", "%{name} %{location}\n", "--disablerepo=*", "--refresh"]
+    # Tell dnf to load repos files from $contextdir
+    repoquery_args.extend([f"--setopt=reposdir={contextdir}"]) 
+
+    for repoid in set(repos):
+        repoquery_args.extend([f"--enablerepo={repoid}"])
+
+    packages = []
+    for arch in arches_to_resolve:
+        locks = get_locked_nevras(contextdir, arch)
+        if not locks:
+            print(f"This tool derive the konflux lockfile from rpm-ostree lockfiles. No manifest-lock exist for {arch} in {contextdir}")
+            sys.exit(1)
+        print(f"Resolving packages for {arch}...")
+        # append noarch as well because otherwise tose packages get excluded from results
+        # We use --forcearch here because otherwise dnf still respect the system basearch
+        # we have to specify both --arch and --forcearch to get both result for $arch and $noarch
+        repoquery_args += ['--forcearch', arch, '--arch', arch, '--arch', 'noarch']
+        pkg_urls = query_packages_location(locks, repoquery_args)
+        packages.append({'arch': arch, 'packages': pkg_urls})
+
+    lockfile = write_hermeto_lockfile(packages, repos)
+
+    override_path = os.path.join(contextdir, 'konflux-lockfile-override.yaml')
+    if os.path.exists(override_path):
+        try:
+            with open(override_path, 'r', encoding="utf8") as f:
+                override_data = yaml.safe_load(f)
+            print(f"Merging override from {override_path}")
+            lockfile = merge_lockfiles(lockfile, override_data)
+        except (IOError, yaml.YAMLError) as e:
+            print(f"\u274c Error: Could not read or parse override file '{override_path}'. Reason: {e}")
+            sys.exit(1)
+
+    try:
+        with open(output_path, 'w', encoding="utf8") as f:
+            yaml.safe_dump(lockfile, f, default_flow_style=False)
+        print(f"Successfully generated lockfile at {output_path}")
+    except IOError as e:
+        print(f"\u274c Error: Could not write to final output file '{output_path}'. Reason: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Generate hermeto lock files."
+    )
+
+    parser.add_argument(
+        'manifest',
+        help='Path to the flattened rpm-ostree manifest (e.g., tmp/manifest.json)'
+    )
+
+    parser.add_argument(
+        '--context',
+        default='.',
+        help="Path to the directory containing repofiles and lockfiles. (default: '.')"
+    )
+
+    parser.add_argument(
+        '--output',
+        default='./rpms.lock.yaml',
+        help="Path for the hermeto lockfile. (default: './rpms.lock.yaml')"
+    )
+
+    parser.add_argument(
+        '--arch',
+        action='append',
+        choices=['x86_64', 'aarch64', 's390x', 'ppc64le', 'all'],
+        help="The architecture to resolve. Can be specified multiple times. 'all' resolves all architectures."
+    )
+
+    args = parser.parse_args()
+
+    manifest_abs_path = os.path.abspath(args.manifest)
+    generate_lockfile(args.context, manifest_abs_path, args.output, args.arch)
