| 1 | +#!/usr/bin/env bash |
| 2 | +set -euo pipefail |
| 3 | + |
| 4 | +# uncomment this if you want to control the version of `oc` that gets installed |
| 5 | +#OCP_VERSION=4.12 |
| 6 | + |
| 7 | +# Keep this script idempotent for local development rebuild use cases: |
| 8 | +# any consecutive runs should produce the same result. |
| 9 | + |
| 10 | +# Detect what platform we are on |
| 11 | +if ! grep -q '^Fedora' /etc/redhat-release; then |
| 12 | + echo 1>&2 "should be on either Fedora" |
| 13 | + exit 1 |
| 14 | +fi |
| 15 | + |
| 16 | +arch=$(uname -m) |
| 17 | + |
| 18 | +if [ $# -gt 1 ]; then |
| 19 | + echo Usage: "build.sh [CMD]" |
| 20 | + echo "Supported commands:" |
| 21 | + echo " configure_user" |
| 22 | + echo " configure_yum_repos" |
| 23 | + echo " install_rpms" |
| 24 | + echo " make_and_makeinstall" |
| 25 | + echo " patch_osbuild" |
| 26 | + exit 1 |
| 27 | +fi |
| 28 | + |
| 29 | +set -x |
| 30 | +srcdir=$(pwd) |
| 31 | + |
| 32 | +configure_yum_repos() { |
| 33 | + local version_id |
| 34 | + version_id=$(. /etc/os-release && echo ${VERSION_ID}) |
| 35 | + # Add continuous tag for latest build tools and mark as required so we |
| 36 | + # can depend on those latest tools being available in all container |
| 37 | + # builds. |
| 38 | + echo -e "[f${version_id}-coreos-continuous]\nenabled=1\nmetadata_expire=1m\nbaseurl=https://kojipkgs.fedoraproject.org/repos-dist/f${version_id}-coreos-continuous/latest/\$basearch/\ngpgcheck=0\nskip_if_unavailable=False\n" > /etc/yum.repos.d/coreos.repo |
| 39 | +} |
| 40 | + |
| 41 | +install_rpms() { |
| 42 | + local builddeps |
| 43 | + local frozendeps |
| 44 | + |
| 45 | + frozendeps="" |
| 46 | + |
| 47 | + # First, a general update; this is best practice. We also hit an issue recently |
| 48 | + # where qemu implicitly depended on an updated libusbx but didn't have a versioned |
| 49 | + # requires https://bugzilla.redhat.com/show_bug.cgi?id=1625641 |
| 50 | + yum -y distro-sync |
| 51 | + |
| 52 | + # xargs is part of findutils, which may not be installed |
| 53 | + yum -y install /usr/bin/xargs |
| 54 | + |
| 55 | + # These are only used to build things in here. Today |
| 56 | + # we ship these in the container too to make it easier |
| 57 | + # to use the container as a development environment for itself. |
| 58 | + # Down the line we may strip these out, or have a separate |
| 59 | + # development version. |
| 60 | + builddeps=$(grep -v '^#' "${srcdir}"/src/build-deps.txt) |
| 61 | + |
| 62 | + # Process our base dependencies + build dependencies and install |
| 63 | + (echo "${builddeps}" && echo "${frozendeps}" && "${srcdir}"/src/print-dependencies.sh) | xargs yum -y install |
| 64 | + |
| 65 | + # Add fast-tracked packages here. We don't want to wait on bodhi for rpm-ostree |
| 66 | + # as we want to enable fast iteration there. |
| 67 | + yum -y --enablerepo=updates-testing upgrade rpm-ostree ostree |
| 68 | + |
| 69 | + # Delete file that only exists on ppc64le because it is causing |
| 70 | + # sudo to not work. |
| 71 | + # https://bugzilla.redhat.com/show_bug.cgi?id=2082149 |
| 72 | + rm -f /etc/security/limits.d/95-kvm-memlock.conf |
| 73 | + |
| 74 | + # Commented out for now, see above |
| 75 | + #dnf remove -y ${builddeps} |
| 76 | + # can't remove grubby on el7 because libguestfs-tools depends on it |
| 77 | + # Add --exclude for s390utils-base because we need it to not get removed. |
| 78 | + rpm -q grubby && yum remove --exclude=s390utils-base -y grubby |
| 79 | + |
| 80 | + # Allow Kerberos Auth to work from a keytab. The keyring is not |
| 81 | + # available in a Container. |
| 82 | + sed -e "s/^.*default_ccache_name/# default_ccache_name/g" -i /etc/krb5.conf |
| 83 | + |
| 84 | + # Open up permissions on /boot/efi files so we can copy them |
| 85 | + # for our ISO installer image, skip if not present |
| 86 | + if [ -e /boot/efi ]; then |
| 87 | + chmod -R a+rX /boot/efi |
| 88 | + fi |
| 89 | + # Similarly for kernel data and SELinux policy, which we want to inject into supermin |
| 90 | + chmod -R a+rX /usr/lib/modules /usr/share/selinux/targeted |
| 91 | + # Further cleanup |
| 92 | + yum clean all |
| 93 | +} |
| 94 | + |
| 95 | +# For now, we ship `oc` in coreos-assembler as {Fedora,RHEL} CoreOS is an essential part of OCP4, |
| 96 | +# and it is very useful to have in the same place/flow as where we do builds/tests related |
| 97 | +# to CoreOS. |
| 98 | +install_ocp_tools() { |
| 99 | + # If $OCP_VERSION is defined we'll grab that specific version. |
| 100 | + # Otherwise we'll get the latest. |
| 101 | + local url="https://mirror.openshift.com/pub/openshift-v4/${arch}/clients/ocp/latest${OCP_VERSION:+-$OCP_VERSION}/openshift-client-linux.tar.gz" |
| 102 | + curl -L "$url" | tar zxf - oc |
| 103 | + mv oc /usr/bin |
| 104 | +} |
| 105 | + |
| 106 | +# By default, we trust the official Red Hat GPG keys |
| 107 | +trust_redhat_gpg_keys() { |
| 108 | + for f in /usr/share/distribution-gpg-keys/redhat/*; do |
| 109 | + local base |
| 110 | + base=$(basename "$f") |
| 111 | + if [ ! -e "/etc/pki/rpm-gpg/$base" ]; then |
| 112 | + # libdnf at least ignores symlinks, so we need to copy. |
| 113 | + # but might as well keep symlinks as symlinks. |
| 114 | + cp -vPt /etc/pki/rpm-gpg "$f" |
| 115 | + fi |
| 116 | + done |
| 117 | +} |
| 118 | + |
| 119 | +make_and_makeinstall() { |
| 120 | + make |
| 121 | + make install |
| 122 | + # Remove go build cache |
| 123 | + # https://github.com/coreos/coreos-assembler/issues/2872 |
| 124 | + rm -rf /root/.cache/go-build |
| 125 | +} |
| 126 | + |
| 127 | +configure_user(){ |
| 128 | + # /dev/kvm might be bound in, but will have the gid from the host, and not all distros |
| 129 | + # a+rw permissions on /dev/kvm. create groups for all the common kvm gids and then add |
| 130 | + # builder to them. |
| 131 | + # systemd defaults to 0666 but other packages like qemu sometimes override this with 0660. |
| 132 | + # Adding the user to the kvm group should always work. |
| 133 | + |
| 134 | + # fedora uses gid 36 for kvm |
| 135 | + getent group kvm78 || groupadd -g 78 -o -r kvm78 # arch, gentoo |
| 136 | + getent group kvm124 || groupadd -g 124 -o -r kvm124 # debian |
| 137 | + getent group kvm232 || groupadd -g 232 -o -r kvm232 # ubuntu |
| 138 | + |
| 139 | + # We want to run what builds we can as an unprivileged user; |
| 140 | + # running as non-root is much better for the libvirt stack in particular |
| 141 | + # for the cases where we have --privileged in the container run for other reasons. |
| 142 | + # At some point we may make this the default. |
| 143 | + getent passwd builder || useradd builder --uid 1000 -G wheel,kvm,kvm78,kvm124,kvm232 |
| 144 | + echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel-nopasswd |
| 145 | + # Contents of /etc/sudoers.d need not to be world writable |
| 146 | + chmod 600 /etc/sudoers.d/wheel-nopasswd |
| 147 | + |
| 148 | + # Allow the builder user to run rootless podman |
| 149 | + # Referenced at: https://github.com/containers/podman/issues/4056#issuecomment-1245715492 |
| 150 | + # Lifted from: https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26 |
| 151 | + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subuid |
| 152 | + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subgid |
| 153 | + |
| 154 | +} |
| 155 | + |
| 156 | +write_archive_info() { |
| 157 | + # shellcheck source=src/cmdlib.sh |
| 158 | + . "${srcdir}/src/cmdlib.sh" |
| 159 | + mkdir -p /cosa /lib/coreos-assembler |
| 160 | + touch -f /lib/coreos-assembler/.clean |
| 161 | + prepare_git_artifacts "${srcdir}" /cosa/coreos-assembler-git.json /cosa/coreos-assembler-git.tar.gz |
| 162 | +} |
| 163 | + |
| 164 | +patch_osbuild() { |
| 165 | + # Add a few patches that either haven't made it into a release or |
| 166 | + # that will be obsoleted with other work that will be done soon. |
| 167 | + |
| 168 | + # To make it easier to apply patches we'll move around the osbuild |
| 169 | + # code on the system first: |
| 170 | + rmdir /usr/lib/osbuild/osbuild |
| 171 | + mv /usr/lib/python3.13/site-packages/osbuild /usr/lib/osbuild/ |
| 172 | + mkdir /usr/lib/osbuild/tools |
| 173 | + mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/ |
| 174 | + |
| 175 | + # Now all the software is under the /usr/lib/osbuild dir and we can patch |
| 176 | + cat /usr/lib/coreos-assembler/0001-parsing-add-parse_location_into_parts.patch \ |
| 177 | + /usr/lib/coreos-assembler/0002-parsing-treat-locations-without-scheme-as-belonging-.patch \ |
| 178 | + /usr/lib/coreos-assembler/0003-org.osbuild.selinux-support-operating-on-mounts.patch \ |
| 179 | + /usr/lib/coreos-assembler/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch \ |
| 180 | + | patch -d /usr/lib/osbuild -p1 |
| 181 | + |
| 182 | + # And then move the files back; supermin appliance creation will need it back |
| 183 | + # in the places delivered by the RPM. |
| 184 | + mv /usr/lib/osbuild/tools/osbuild-mpp /usr/bin/osbuild-mpp |
| 185 | + mv /usr/lib/osbuild/osbuild /usr/lib/python3.13/site-packages/osbuild |
| 186 | + mkdir /usr/lib/osbuild/osbuild |
| 187 | +} |
| 188 | + |
| 189 | +if [ $# -ne 0 ]; then |
| 190 | + # Run the function specified by the calling script |
| 191 | + ${1} |
| 192 | +else |
| 193 | + # Otherwise, just run all the steps. NOTE: This is presently not actually |
| 194 | + # used in `Dockerfile`, so if you add a stage you'll need to do it both |
| 195 | + # here and there. |
| 196 | + configure_yum_repos |
| 197 | + install_rpms |
| 198 | + write_archive_info |
| 199 | + make_and_makeinstall |
| 200 | + install_ocp_tools |
| 201 | + trust_redhat_gpg_keys |
| 202 | + configure_user |
| 203 | + patch_osbuild |
| 204 | +fi |
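Review bot: `curl -L "$url" | tar zxf - oc` at line 102 installs a binary into /usr/bin with no integrity check and without curl's `--fail`, so an HTTP error page is fed straight to tar and a truncated or tampered mirror response is never detected; download to a temp file and verify it against the checksum file the mirror publishes next to the tarball (sha256sum.txt — confirm the name for the chosen version) before extracting. The `gpgcheck=0` on the coreos-continuous repo at line 38 is presumably deliberate since koji continuous builds are unsigned, but it deserves a comment saying so, e.g. `# continuous koji builds are not signed; gpgcheck is intentionally off for this repo only`. patch_osbuild at lines 170-186 also contradicts the idempotency note at lines 7-8: `rmdir`, `mkdir` and `patch` all fail on a second run, so it needs at least `mkdir -p` and a marker file or `patch --dry-run` check before applying. Lastly the dispatcher `${1}` at line 191 runs whatever word it is given; a `case` over the documented command names would turn a typo into the usage message rather than an arbitrary command.
```bash
install_ocp_tools() {
    # … unchanged: url construction from ${arch} and ${OCP_VERSION} …
    local tmpdir
    tmpdir=$(mktemp -d)
    # --fail turns HTTP errors into a non-zero exit instead of an HTML body on stdout
    curl -fsSL -o "${tmpdir}/openshift-client-linux.tar.gz" "$url"
    curl -fsSL -o "${tmpdir}/sha256sum.txt" "${url%/*}/sha256sum.txt"
    # only check the entry for the tarball we fetched; other files are not present
    (cd "$tmpdir" && grep ' openshift-client-linux.tar.gz$' sha256sum.txt | sha256sum -c -)
    tar -C "$tmpdir" -zxf "${tmpdir}/openshift-client-linux.tar.gz" oc
    mv "${tmpdir}/oc" /usr/bin/oc
    rm -rf -- "${tmpdir:?}"
}
```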