chore: Merge remote-tracking branch 'upstream/main'

.github/workflows/build-stable.yml

@@ -1,7 +1,9 @@
 name: stable
 on:
-  pull_request:
   merge_group:
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: '50 2 * * *'  # 2:50am-ish UTC everyday (approx 45 minutes after akmods images run)
   workflow_dispatch:

.github/workflows/build-testing.yml

@@ -1,7 +1,9 @@
 name: testing
 on:
-  pull_request:
   merge_group:
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: '55 2 * * *'  # 2:55am-ish UTC everyday (approx 50 minutes after akmods images run)
   workflow_dispatch:

.github/workflows/reusable-build.yml

@@ -45,7 +45,7 @@ jobs:
     steps:
       - name: Fetch CoreOS stream versions
         id: fetch
-        uses: Wandalen/wretry.action@v3.5.0
+        uses: Wandalen/wretry.action@v3.7.2
         with:
           attempt_limit: 3
           attempt_delay: 15000
@@ -54,12 +54,6 @@ jobs:
 
             skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json
 
-            kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
-            if [ -z "$kernel" ] || [ "null" = "$kernel" ]; then
-                echo "inspected linux (kernel) version must not be empty or null"
-                exit 1
-            fi
-
             image=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' inspect.json)
             if [ -z "$image" ] || [ "null" = "$image" ]; then
                 echo "inspected image version must not be empty or null"
@@ -72,6 +66,13 @@ jobs:
                 exit 1
             fi
 
+            kernel=$(skopeo inspect docker://ghcr.io/ublue-os/coreos-${{ inputs.coreos_version }}-kernel:${fedora} | jq -r '.["Labels"]["ostree.linux"]')
+            if [ -z "$kernel" ] || [ "null" = "$kernel" ]; then
+                echo "inspected linux (kernel) version must not be empty or null"
+                exit 1
+            fi
+
+
             echo "kernel=$kernel" >> $GITHUB_OUTPUT
             echo "image=$image" >> $GITHUB_OUTPUT
             echo "fedora=$fedora" >> $GITHUB_OUTPUT
@@ -113,7 +114,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Pull base and kmod images
-        uses: Wandalen/wretry.action@v3.5.0
+        uses: Wandalen/wretry.action@v3.7.2
         with:
           attempt_limit: 3
           attempt_delay: 15000
@@ -143,20 +144,16 @@ jobs:
               echo "env.KERNEL_VERSION must not be empty or null"
               exit 1
           fi
-          skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
-          if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
-              echo "pulled coreos image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
-              exit 1
-          fi
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+
+          #Use Podman Inspect instead of skopeo for local checks.
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
           fi
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -167,8 +164,8 @@ jobs:
         shell: bash
         run: |
           set -x
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -179,8 +176,8 @@ jobs:
         shell: bash
         run: |
           set -x
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -288,7 +285,7 @@ jobs:
 
       # Push the image to GHCR (Image Registry)
       - name: Push To GHCR
-        uses: Wandalen/wretry.action@v3.5.0
+        uses: Wandalen/wretry.action@v3.7.2
         id: push
         if: github.event_name != 'pull_request'
         env:
@@ -316,7 +313,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/cosign-installer@v3.6.0
+      - uses: sigstore/cosign-installer@v3.7.0
         if: github.event_name != 'pull_request'
 
       - name: Sign container image
@@ -384,7 +381,7 @@ jobs:
           echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
 
       - name: Pull base and kmod images
-        uses: Wandalen/wretry.action@v3.5.0
+        uses: Wandalen/wretry.action@v3.7.2
         with:
           attempt_limit: 3
           attempt_delay: 15000
@@ -414,20 +411,14 @@ jobs:
               echo "env.KERNEL_VERSION must not be empty or null"
               exit 1
           fi
-          skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
-          if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
-              echo "pulled coreos image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
-              exit 1
-          fi
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
           fi
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -438,8 +429,8 @@ jobs:
         shell: bash
         run: |
           set -x
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -450,8 +441,8 @@ jobs:
         shell: bash
         run: |
           set -x
-          skopeo inspect docker://${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
-          kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
+          podman inspect ${{ env.IMAGE_REGISTRY_AKMODS }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
+          kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
           if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"*  ]]; then
               echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
               exit 1
@@ -565,7 +556,7 @@ jobs:
 
       # Push the image to GHCR (Image Registry)
       - name: Push To GHCR
-        uses: Wandalen/wretry.action@v3.5.0
+        uses: Wandalen/wretry.action@v3.7.2
         id: push
         if: github.event_name != 'pull_request'
         env:
@@ -593,7 +584,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Sign container
-      - uses: sigstore/cosign-installer@v3.6.0
+      - uses: sigstore/cosign-installer@v3.7.0
         if: github.event_name != 'pull_request'
 
       - name: Sign container image

README.md

@@ -9,6 +9,7 @@ Please take a look at the included modifications, and help us improve uCore if t
 
 ## Table of Contents <!-- omit in toc -->
 
+- [Announcements](#announcements)
 - [Features](#features)
   - [Images](#images)
     - [`fedora-coreos`](#fedora-coreos)
@@ -40,8 +41,23 @@ Please take a look at the included modifications, and help us improve uCore if t
   - [ZFS](#zfs)
     - [ZFS and immutable root filesystem](#zfs-and-immutable-root-filesystem)
     - [Sanoid/Syncoid](#sanoidsyncoid)
+- [DIY](#diy)
 - [Metrics](#metrics)
 
+## Announcements
+
+### 2024.11.12 - uCore has updated to Fedora 41
+
+As of today our upstream Fedora CoreOS stable image updated to Fedora 41 under the hood, so expect a lot of package updates.
+
+### 2024.11.12 - uCore *stable* has pinned to kernel version *6.11.3*
+
+Kernel version `6.11.3` was the previous *stable* update's kernel, and despite the update to Fedora 41, we've stuck with `6.11.3` rather than updating to `6.11.5` from upstream.
+
+This is due to a kernel bug in versions `6.11.4`/`6.11.5` which [breaks tailscale status reporting](https://github.com/tailscale/tailscale/issues/13863). As many users of uCore do use tailscale, we've decided to be extra cautious and hold back the kernel, even though the rest of stable updated as usual.
+
+We expect the next update of Fedora CoreOS to be on `6.11.6` per the current state of the testing stream. So uCore will follow when that update occurs.
+
 ## Features
 
 The uCore project builds four images, each with different tags for different features.
@@ -158,14 +174,15 @@ Hyper-Coverged Infrastructure(HCI) refers to storage and hypervisor in one place
 
 ## Installation
 
-**Please read the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/)** before attempting installation. As uCore is an extension of CoreOS, it does not provide it's own custom or GUI installer.
+> [!IMPORTANT]
+> **Read the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/)** before attempting installation. uCore extends Fedora CoreOS; it does not provide it's own custom or GUI installer.
 
 There are varying methods of installation for bare metal, cloud providers, and virtualization platforms.
 
 **All CoreOS installation methods require the user to [produce an Ignition file](https://docs.fedoraproject.org/en-US/fedora-coreos/producing-ign/).** This Ignition file should, at mimimum, set a password and SSH key for the default user (default username is `core`).
 
-> [!NOTE]
-> It is highly recommended that for bare metal installs, first test your ignition configuration by installing in a VM (or other test hardware) using the same bare metal process.
+> [!TIP]
+> For bare metal installs, first test your ignition configuration by installing in a VM (or other test hardware) using the bare metal process.
 
 ### Image Verification
 
@@ -187,7 +204,11 @@ One of the fastest paths to running uCore is using [examples/ucore-autorebase.bu
 
 Once a machine is running any Fedora CoreOS version, you can easily rebase to uCore.  Installing CoreOS itself can be done through [a number of provisioning methods](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/).
 
-To rebase an existing machine to the latest uCore:
+> [!WARNING]
+> **Rebasing from Fedora IoT or Atomic Desktops is not supported!**
+> If ignition doesn't provide a desired feature, then Fedora CoreOS doesn't support that feature. Rebasing from another system to gain a filesystem feature or GUI installation is very likely to cause problems later on.
+
+To rebase an existing CoreOS machine to the latest uCore:
 
 1. Execute the `rpm-ostree rebase` command (below) with desired `IMAGE` and `TAG`.
 1. Reboot, as instructed.
@@ -517,6 +538,12 @@ sanoid/syncoid is a great tool for manual and automated snapshot/transfer of ZFS
 
 `ucore` has pre-install all the (lightweight) required dependencies (perl-Config-IniFiles perl-Data-Dumper perl-Capture-Tiny perl-Getopt-Long lzop mbuffer mhash pv), such that a user wishing to use sanoid/syncoid only need install the "sbin" files and create configuration/systemd units for it.
 
+## DIY
+
+Is all this too easy, leaving you with the desire to create a custom uCore image?
+
+Then [create an image `FROM ucore`](https://github.com/ublue-os/image-template) using our [image template](https://github.com/ublue-os/image-template)!
+
 ## Metrics
 
 ![Alt](https://repobeats.axiom.co/api/embed/07d1ed133f5ed1a1048ea6a76bfe3a23227eedd5.svg "Repobeats analytics image")

fedora-coreos/install.sh

@@ -53,7 +53,7 @@ fi
 if [[ "-zfs" == "${ZFS_TAG}" ]]; then
     rpm-ostree install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
     # for some reason depmod ran automatically with zfs 2.1 but not with 2.2
-    depmod -A ${KERNEL_VERSION}
+    depmod -a -v ${KERNEL_VERSION}
 fi
 
 ## CONDITIONAL: install NVIDIA

ucore/install-ucore-minimal.sh

@@ -56,7 +56,7 @@ fi
 if [[ "-zfs" == "${ZFS_TAG}" ]]; then
     rpm-ostree install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
     # for some reason depmod ran automatically with zfs 2.1 but not with 2.2
-    depmod -A ${KERNEL_VERSION}
+    depmod -a -v ${KERNEL_VERSION}
 fi
 
 ## CONDITIONAL: install NVIDIA

ucore/install-ucore.sh

@@ -14,7 +14,15 @@ export IMAGE_NAME=ucore
 /ctx/packages.sh
 
 # install packages direct from github
-/ctx/github-release-install.sh trapexit/mergerfs fc${RELEASE}.x86_64
+# Fedora 41 packages missing for mergerfs
+#/ctx/github-release-install.sh trapexit/mergerfs fc${RELEASE}.x86_64
+curl --fail --retry 5 --retry-delay 5 --retry-all-errors -sSL -o /tmp/mfs-api.json \
+    "https://api.github.com/repos/trapexit/mergerfs/releases/latest"
+MFS_TGZ_URL=$(cat /tmp/mfs-api.json | \
+    jq -r --arg arch_filter "linux_amd64" \
+    '.assets | sort_by(.created_at) | reverse | .[] | select(.name|test($arch_filter)) | select (.name|test("tar.gz$")) | .browser_download_url')
+curl -sSL -o /tmp/mergerfs.tar.gz "${MFS_TGZ_URL}"
+tar -zxvf /tmp/mergerfs.tar.gz -C /usr --strip-components=2
 
 # tweak os-release
 sed -i '/^PRETTY_NAME/s/(uCore.*$/(uCore)"/' /usr/lib/os-release