From 416a2f5d4eba3d748a0662692f21beacc5c7a6d3 Mon Sep 17 00:00:00 2001 From: Benjamin Sherman Date: Sun, 21 Jul 2024 22:29:13 -0500 Subject: [PATCH] refactor: use akmods repo as source for kmods (#170) --- .github/workflows/reusable-build.yml | 265 +++++++++++++++++++++------ README.md | 4 +- fedora-coreos/Containerfile | 23 ++- fedora-coreos/install.sh | 29 ++- ucore/Containerfile | 24 ++- ucore/install-ucore-minimal.sh | 31 +++- 6 files changed, 304 insertions(+), 72 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 8b37922..42256c7 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -9,10 +9,14 @@ on: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }} + cancel-in-progress: true + jobs: workflow_info: name: Get Workflow Info - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 outputs: pr_prefix: ${{ steps.pr_prefix.outputs.pr_prefix }} steps: @@ -34,8 +38,9 @@ jobs: name: Get Stream Info runs-on: ubuntu-latest outputs: - linux: ${{ fromJSON(steps.fetch.outputs.outputs).linux }} - version: ${{ fromJSON(steps.fetch.outputs.outputs).version }} + fedora: ${{ fromJSON(steps.fetch.outputs.outputs).fedora}} + image: ${{ fromJSON(steps.fetch.outputs.outputs).image}} + kernel: ${{ fromJSON(steps.fetch.outputs.outputs).kernel}} steps: - name: Fetch CoreOS stream versions id: fetch 
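Review bot: The new `concurrency.group` interpolates `inputs.fedora_version`, but everything else in this diff references only `inputs.coreos_version`; if this reusable workflow declares no `fedora_version` input (its `on: workflow_call` block sits above the hunk, so I cannot confirm it), that expression expands to nothing, and with `cancel-in-progress: true` two callers on the same ref — say a stable and a testing build — would cancel each other. Keying the group on the input that actually varies, `group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.coreos_version }}`, avoids that. The hunk also moves `workflow_info` to `ubuntu-24.04` while the neighbouring `stream_info` job stays on `ubuntu-latest`; pinning both the same way keeps runner drift out of the version-inspection path.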
@@ -48,20 +53,27 @@ jobs: skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json - linux=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - if [ -z "$linux" ] || [ "null" = "$linux" ]; then - echo "inspected linux version must not be empty or null" + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [ -z "$kernel" ] || [ "null" = "$kernel" ]; then + echo "inspected linux (kernel) version must not be empty or null" exit 1 fi - version=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' inspect.json) - if [ -z "$version" ] || [ "null" = "$version" ]; then + image=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' inspect.json) + if [ -z "$image" ] || [ "null" = "$image" ]; then echo "inspected image version must not be empty or null" exit 1 fi - echo "linux=$linux" >> $GITHUB_OUTPUT - echo "version=$version" >> $GITHUB_OUTPUT + fedora=$(echo "$image" | cut -f1 -d.) + if [ -z "$fedora" ] || [ "null" = "$fedora" ]; then + echo "fedora version must not be empty or null" + exit 1 + fi + + echo "kernel=$kernel" >> $GITHUB_OUTPUT + echo "image=$image" >> $GITHUB_OUTPUT + echo "fedora=$fedora" >> $GITHUB_OUTPUT - name: Echo outputs run: | echo "${{ steps.fetch.outputs.outputs }}" @@ -75,6 +87,13 @@ jobs: contents: read packages: write id-token: write + env: + FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}} + IMAGE_NAME: fedora-coreos + IMAGE_VERSION: ${{ needs.stream_info.outputs.image}} + KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }} + KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}} + PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }} strategy: fail-fast: false matrix: @@ -84,10 +103,6 @@ jobs: zfs_tag: - "-zfs" - "" - include: - - image_name: fedora-coreos - - image_version: ${{ needs.stream_info.outputs.version }} - - pr_prefix: ${{ needs.workflow_info.outputs.pr_prefix }} exclude: - nvidia_tag: "" zfs_tag: "" 
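Review bot: The `fedora` value is derived with `cut -f1 -d.` from the image's `org.opencontainers.image.version` label, and the `"null"` comparison that follows cannot trigger for a `cut` result, so a label that loses its dotted form would pass straight through as the whole version string and end up in every registry tag and pull reference built from `FEDORA_VERSION` downstream. A shape check is cheap here: `if ! [[ "$fedora" =~ ^[0-9]+$ ]]; then echo "fedora version must be numeric, got '$fedora'"; exit 1; fi`. These three outputs come from labels on a remotely pulled image, so this step is the right place to validate their form before they are spliced into later job `env` blocks.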
@@ -96,11 +111,64 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 - - name: Verify version + - name: Pull base and kmod images + uses: Wandalen/wretry.action@v3.5.0 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + # pull the base image used for FROM in containerfile so + # we can retry on that unfortunately common failure case + podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + + - name: Verify versions shell: bash run: | - if [ -z "${{ matrix.image_version }}" ] || [ "null" = "${{ matrix.image_version }}" ]; then - echo "matrix.image_version must not be empty or null" + set -x + if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then + echo "env.FEDORA_VERSION must not be empty or null" + exit 1 + fi + if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then + echo "env.IMAGE_VERSION must not be empty or null" + exit 1 + fi + if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ env.KERNEL_VERSION }}" ]; then + echo "env.KERNEL_VERSION must not be empty or null" + exit 1 + fi + skopeo inspect containers-storage:quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled coreos image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > 
inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" exit 1 fi 
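Review bot: Every value in the new `Verify versions` script is spliced in as `${{ env.… }}` even though the same job-level `env` already exports it, so the kernel and image versions — which originate from labels on a remotely inspected image — are expanded by the template engine into the script text instead of being read as shell variables; `"$KERNEL_VERSION"`, `"$FEDORA_VERSION"` and `"$IMAGE_VERSION"` keep them out of the script body. The check itself only confirms that a self-asserted `ostree.linux` label on the pulled `akmods*` and `*-kernel` images starts with the expected string; it says nothing about who built them, and all five pulls are by mutable tag. If the akmods images are signed, a `cosign verify` of each reference before the build (or resolving and pinning the digest and building from that) is what would actually close the supply-chain gap. Note also that `[[ "$KERNEL_VERSION" != "$kernel"* ]]` passes vacuously when `$kernel` is an empty string (a present-but-empty label), so an empty value should be rejected explicitly alongside the `null` case.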
@@ -146,23 +214,13 @@ jobs: id: meta with: images: | - ${{ matrix.image_name }} + ${{ env.IMAGE_NAME }} labels: | io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md org.opencontainers.image.description=An OCI image of Fedora CoreOS with NVIDIA and/or ZFS pre-installed - org.opencontainers.image.title=${{ matrix.image_name }} - org.opencontainers.image.version=${{ matrix.image_version }} - - - name: Pull base image - uses: Wandalen/wretry.action@v3.5.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.version=${{ env.IMAGE_VERSION }} # Build image using Buildah action - name: Build Image 
@@ -172,17 +230,39 @@ jobs: containerfiles: | ./fedora-coreos/Containerfile context: ./fedora-coreos - image: ${{ matrix.image_name }} + image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | COREOS_VERSION=${{ inputs.coreos_version }} - PR_PREFIX=${{ matrix.pr_prefix }} + FEDORA_VERSION=${{ env.FEDORA_VERSION }} + IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} + KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }} + PR_PREFIX=${{ env.PR_PREFIX }} NVIDIA_TAG=${{ matrix.nvidia_tag }} ZFS_TAG=${{ matrix.zfs_tag }} labels: ${{ steps.meta.outputs.labels }} oci: false + - name: Check Secureboot + shell: bash + run: | + set -x + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl + fi + podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . + podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sbverify --list vmlinuz + curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry 
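Review bot: The Secure Boot check fetches its trust anchors at verification time from `https://github.com/ublue-os/kernel-cache/raw/main/certs/…`, i.e. from a mutable branch of another repository, so anyone who can push to that branch can make `sbverify --cert` pass for a kernel they also control — the check verifies against whatever key the same party currently publishes. Vendor the two DER files into this repo (or pin the URL to a commit SHA) and compare what was fetched against a known value, e.g. `openssl x509 -in kernel-sign.der -noout -fingerprint -sha256` checked against a constant, before handing the cert to `sbverify`. Two smaller points in the same step: `sudo apt install sbsigntool curl openssl` has no `-y`, so it can stop for confirmation if apt decides extra packages are needed, and the `… || exit 1` suffixes are redundant under `shell: bash`, where GitHub already runs with `-e`.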
@@ -247,6 +327,13 @@ jobs: contents: read packages: write id-token: write + env: + FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}} + IMAGE_VERSION: ${{ needs.stream_info.outputs.image}} + KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }} + KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}} + PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }} + strategy: fail-fast: false matrix: @@ -261,9 +348,6 @@ jobs: - "-zfs" - "" include: - - image_base: ucore - - image_version: ${{ needs.stream_info.outputs.version }} - - pr_prefix: ${{ needs.workflow_info.outputs.pr_prefix }} - image_suffix: "-minimal" description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM - image_suffix: "" 
@@ -276,11 +360,72 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 - - name: Verify version + # sent env variables which depend on the matrix + - name: Matrix variables shell: bash run: | - if [ -z "${{ matrix.image_version }}" ] || [ "null" = "${{ matrix.image_version }}" ]; then - echo "matrix.image_version must not be empty or null" + set -x + IMAGE_NAME=ucore${{ matrix.image_suffix }} + echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV + + - name: Pull base and kmod images + uses: Wandalen/wretry.action@v3.5.0 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + # pull the base image used for FROM in containerfile so + # we can retry on that unfortunately common failure case + podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} + + - name: Verify versions + shell: bash + run: | + set -x + if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then + echo "env.FEDORA_VERSION must not be empty or null" + exit 1 + fi + if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then + echo "env.IMAGE_VERSION must not be empty or null" + exit 1 + fi + if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ env.KERNEL_VERSION }}" ]; then + echo "env.KERNEL_VERSION must not be empty or null" + exit 1 + fi + skopeo inspect containers-storage:quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled coreos image kernel 
($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/${{ env.KERNEL_FLAVOR }}-kernel:${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled kernel-cache image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi + skopeo inspect containers-storage:${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" exit 1 fi 
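Review bot: This verification block is a verbatim copy of the one in `build_fcos`, and both hand-inline five `skopeo inspect | jq` triples that differ only by image reference, so a loop over the references keeps the two jobs from drifting apart and makes adding or removing a kmod image a one-line change. The version below also reads the values from the job `env` as shell variables instead of `${{ env.… }}` template expansion, and rejects an empty label, since `"$kernel"*` with an empty `$kernel` matches any string. `COREOS_VERSION` is the only value not already in the job `env`, so it is added at step level.

```yaml
      - name: Verify versions
        shell: bash
        env:
          COREOS_VERSION: ${{ inputs.coreos_version }}
        run: |
          set -x
          # … unchanged: empty/null checks on FEDORA_VERSION, IMAGE_VERSION, KERNEL_VERSION …
          for ref in \
            "quay.io/fedora/fedora-coreos:${COREOS_VERSION}" \
            "${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}" \
            "${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" \
            "${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" \
            "${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"; do
            kernel=$(skopeo inspect "containers-storage:${ref}" | jq -r '.Labels["ostree.linux"]')
            if [ -z "$kernel" ] || [ "null" = "$kernel" ] || [[ "$KERNEL_VERSION" != "$kernel"* ]]; then
              echo "pulled image ${ref} kernel (${kernel}) does not match expected kernel (${KERNEL_VERSION})"
              exit 1
            fi
          done
```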
@@ -330,23 +475,13 @@ jobs: id: meta with: images: | - ${{ matrix.image_base }}${{ matrix.image_suffix }} + ${{ env.IMAGE_NAME }} labels: | io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md org.opencontainers.image.description=${{ matrix.description }} - org.opencontainers.image.title=${{ matrix.image_base }}${{ matrix.image_suffix }} - org.opencontainers.image.version=${{ matrix.image_version }} - - - name: Pull base image - uses: Wandalen/wretry.action@v3.5.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.version=${{ env.IMAGE_VERSION }} # Build image using Buildah action - name: Build Image 
@@ -356,18 +491,40 @@ jobs: containerfiles: | ./ucore/Containerfile context: ./ucore - image: ${{ matrix.image_base }}${{ matrix.image_suffix }} + image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} build-args: | COREOS_VERSION=${{ inputs.coreos_version }} - PR_PREFIX=${{ matrix.pr_prefix }} + FEDORA_VERSION=${{ env.FEDORA_VERSION }} + IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} + KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }} + PR_PREFIX=${{ env.PR_PREFIX }} NVIDIA_TAG=${{ matrix.nvidia_tag }} ZFS_TAG=${{ matrix.zfs_tag }} labels: ${{ steps.meta.outputs.labels }} oci: false extra-args: | - --target=${{ matrix.image_base }}${{ matrix.image_suffix }} + --target=${{ env.IMAGE_NAME }} + + - name: Check Secureboot + shell: bash + run: | + set -x + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl + fi + podman run -d --rm --name ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + podman cp ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . + podman rm -f ${{env.IMAGE_NAME }}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sbverify --list vmlinuz + curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. 
# https://github.com/macbre/push-to-ghcr/issues/12 diff --git a/README.md b/README.md index 37e4cb5..8fcb5a8 100644 --- a/README.md +++ b/README.md @@ -68,11 +68,11 @@ The [tag matrix](#tag-matrix) includes combinations of the following: A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image with choice of add-on kernel modules: - [nvidia versions](#tag-matrix) add: - - [nvidia driver](https://github.com/ublue-os/ucore-kmods) - latest driver built from negativo17's akmod package + - [nvidia driver](https://github.com/ublue-os/akmods) - latest driver built from negativo17's akmod package - [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI - [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia) - [ZFS versions](#tag-matrix) add: - - [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) + - [ZFS driver](https://github.com/ublue-os/akmods) - latest driver (currently pinned to 2.2.x series) > [!NOTE] > zincati fails to start on all systems with OCI based deployments (like uCore). Upstream efforts are active to develop an alternative. diff --git a/fedora-coreos/Containerfile b/fedora-coreos/Containerfile index 36e9fa1..42c8137 100644 --- a/fedora-coreos/Containerfile +++ b/fedora-coreos/Containerfile 
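Review bot: `sbverify` is run only on `vmlinuz`, so the artifacts this image exists to add — the nvidia and zfs kernel modules copied in from the akmods images — are never checked for a signature, and an unsigned module or one signed with a different key would only surface when a Secure Boot machine refuses to load it. A cheap complement after the `podman cp`, run inside the built image, is to list the signer of every module for the built kernel with modinfo's `sig_key` field, e.g. `podman run --rm "${IMAGE_NAME}:${TAG}" sh -c 'find /usr/lib/modules/'"$KERNEL_VERSION"' -name "*.ko*" -exec modinfo -F sig_key {} +'`, failing if any line is empty or names a key other than the expected akmods one (presumably the one in `akmods.crt` — confirm). This step is a copy of the one in `build_fcos`; a shared composite action would let both jobs pick up such a check at once. The expression `$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)` is repeated four times and would read better captured once into a `TAG` variable at the top of the script.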
@@ -1,5 +1,19 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}" +ARG FEDORA_VERSION="${FEDORA_VERSION:-40}" +ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}" +ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}" +# FROMs for copying +ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}" +FROM ${AKMODS_COMMON} AS akmods-common +FROM ${AKMODS_NVIDIA} AS akmods-nvidia +FROM ${AKMODS_ZFS} AS akmods-zfs +FROM ${KERNEL} AS kernel + +# image base FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} ARG COREOS_VERSION="${COREOS_VERSION:-stable}" @@ -7,11 +21,12 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}" ARG NVIDIA_TAG="${NVIDIA_TAG}" # build with --build-arg ZFS_TAG="-zfs" to install zfs ARG ZFS_TAG="${ZFS_TAG}" -ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}" -COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/ -COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/ -COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/ +COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ +COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ +COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY *.sh /tmp/ diff --git a/fedora-coreos/install.sh b/fedora-coreos/install.sh index f0559f4..eba3f66 100755 --- a/fedora-coreos/install.sh +++ b/fedora-coreos/install.sh 
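Review bot: The four new `FROM ${AKMODS_…}` / `FROM ${KERNEL}` stages reference the kmod and kernel images by mutable tag only (`…:${KERNEL_FLAVOR}-${FEDORA_VERSION}`), so a local `podman build` — or a CI run in which buildah's pull policy re-fetches the tag rather than reusing the pre-pulled, label-checked image — takes whatever the registry currently serves under that tag with no provenance check at all. Pinning each reference to a digest (`FROM ${AKMODS_COMMON}@sha256:…`, bumped by automation) would make the build reproducible and tie it to a reviewed artifact; failing that, a comment on these lines should state that the only verification is the `ostree.linux` label check in the CI workflow and that it does not cover local builds. Relatedly, `FEDORA_VERSION` defaults to the hard-coded `40` while `COREOS_VERSION` defaults to `stable`; once the stable stream moves to a newer Fedora the defaults will pair a new base with old kmods, which deserves at least a `# keep in sync with the current stable stream` note.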
@@ -2,8 +2,12 @@ set -ouex pipefail +ARCH="$(rpm -E %{_arch})" RELEASE="$(rpm -E %fedora)" -KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +pushd /tmp/kernel-rpms +KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//') +popd +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" #### PREPARE # enable testing repos if not enabled on testing stream @@ -22,14 +26,33 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo #### INSTALL # inspect to see what RPMS we copied in find /tmp/rpms/ +find /tmp/kernel-rpms/ -rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm +rpm-ostree install /tmp/rpms/*.rpm + +# Handle Kernel Skew with override replace +rpm-ostree cliwrap install-to-root / +if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then + echo "Installing signed kernel from kernel-cache." + cd /tmp + rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv + cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz + cd / +else + echo "Install kernel version ${KERNEL_VERSION} from kernel-cache." + rpm-ostree override replace \ + --experimental \ + --install=zstd \ + /tmp/kernel-rpms/kernel-[0-9]*.rpm \ + /tmp/kernel-rpms/kernel-core-*.rpm \ + /tmp/kernel-rpms/kernel-modules-*.rpm +fi ## CONDITIONAL: install ZFS if [[ "-zfs" == "${ZFS_TAG}" ]]; then rpm-ostree install pv /tmp/rpms/zfs/*.rpm # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -A ${KERNEL} + depmod -A ${KERNEL_VERSION} fi ## CONDITIONAL: install NVIDIA diff --git a/ucore/Containerfile b/ucore/Containerfile index 62d1052..c0a580e 100644 --- a/ucore/Containerfile +++ b/ucore/Containerfile 
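Review bot: In the `KERNEL_VERSION == QUALIFIED_KERNEL` branch the signed kernel is dropped in with `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz`: both sides are globs, so a second modules directory in either tree turns the copy into an error or a silent mis-target, even though the exact version is already in hand. `cp "./lib/modules/${KERNEL_VERSION}/vmlinuz" "/usr/lib/modules/${KERNEL_VERSION}/vmlinuz"` removes the ambiguity. This path also swaps the kernel binary underneath the installed Fedora `kernel-core` package without the RPM database knowing, so `rpm -V kernel-core` will report the file as modified and nothing in this script checks the signature on what it just copied — worth a comment such as `# vmlinuz now differs from the kernel-core RPM manifest; its Secure Boot signature is verified in CI, not here`. Finally, `rpm2cpio … | cpio -idmv` unpacks the whole kernel-core payload into `/tmp` and nothing visible here removes it; unless a later step clears `/tmp`, delete the extracted tree after the copy or pass a pattern to `cpio` so only `vmlinuz` is extracted.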
@@ -1,5 +1,17 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}" - +ARG FEDORA_VERSION="${FEDORA_VERSION:-40}" +ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}" +ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}" + +# FROMs for copying +ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}" +ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}" +FROM ${AKMODS_COMMON} AS akmods-common +FROM ${AKMODS_NVIDIA} AS akmods-nvidia +FROM ${AKMODS_ZFS} AS akmods-zfs +FROM ${KERNEL} AS kernel # ucore-minimal image section FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} AS ucore-minimal @@ -9,16 +21,17 @@ ARG COREOS_VERSION="${COREOS_VERSION:-stable}" ARG NVIDIA_TAG="${NVIDIA_TAG}" # build with --build-arg ZFS_TAG="-zfs" to install zfs ARG ZFS_TAG="${ZFS_TAG}" -ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}" # 0.12.1 matches docker/moby 24.0.5 which FCOS ships as of 40.20240421 ARG DOCKER_BUILDX_VERSION=0.12.1 # 2.24.7 matches docker/moby 24.0.5 which FCOS ships as of 40.20240421 ARG DOCKER_COMPOSE_VERSION=v2.24.7 -COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/ -COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/ -COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/ +COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ +COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ +COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY *.sh /tmp/ COPY packages.json /tmp/packages.json 
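Review bot: `KERNEL_FLAVOR` defaults to the literal `coreos-stable` independently of `COREOS_VERSION`, so a local build with `--build-arg COREOS_VERSION=testing` and no `KERNEL_FLAVOR` silently pairs a testing base with stable-stream kmods and kernel, and the install script's kernel-skew branch will then replace the kernel instead of matching it. Because these ARGs are declared before the first `FROM`, the default can follow the base: `ARG KERNEL_FLAVOR="coreos-${COREOS_VERSION}"`, which a `--build-arg KERNEL_FLAVOR=…` from the workflow still overrides. The same preamble is duplicated in `fedora-coreos/Containerfile`, so the change belongs in both files.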
@@ -51,6 +64,7 @@ RUN ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose FROM ucore-minimal AS ucore ARG COREOS_VERSION="${COREOS_VERSION:-stable}" +ARG NVIDIA_TAG="${NVIDIA_TAG}" ARG ZFS_TAG="${ZFS_TAG}" COPY *.sh /tmp/ diff --git a/ucore/install-ucore-minimal.sh b/ucore/install-ucore-minimal.sh index 4d35eaa..d5ee27f 100755 --- a/ucore/install-ucore-minimal.sh +++ b/ucore/install-ucore-minimal.sh @@ -2,8 +2,12 @@ set -ouex pipefail -KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +ARCH="$(rpm -E %{_arch})" RELEASE="$(rpm -E %fedora)" +pushd /tmp/kernel-rpms +KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//') +popd +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" #### PREPARE # enable testing repos if not enabled on testing stream 
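Review bot: The new `QUALIFIED_KERNEL` detection greps `rpm -qa` with `'kernel-(\d+\.\d+\.\d+)'`, which is looser than the `rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}'` it replaces: any installed package whose name matches that pattern adds a line, and a multi-line value makes the `==` comparison later in this file fail and silently sends the build down the `override replace` path instead of erroring. Likewise `KERNEL_VERSION` is whatever `find kernel-*.rpm | grep -P …` prints, which is a single line only if exactly one matching kernel RPM was copied in. Either keep the queryformat for the installed side, or assert one line for both, e.g. `[[ $(wc -l <<<"${KERNEL_VERSION}") -eq 1 ]] || { echo "expected exactly one kernel RPM, got: ${KERNEL_VERSION}"; exit 1; }`. These five lines exist verbatim in `fedora-coreos/install.sh`; a shared snippet would keep them aligned.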
@@ -29,15 +33,34 @@ curl -L -o /etc/yum.repos.d/fedora-coreos-pool.repo \ #### INSTALL # inspect to see what RPMS we copied in find /tmp/rpms/ - -rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm +find /tmp/kernel-rpms/ + +rpm-ostree install /tmp/rpms/*.rpm + +# Handle Kernel Skew with override replace +rpm-ostree cliwrap install-to-root / +if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then + echo "Installing signed kernel from kernel-cache." + cd /tmp + rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv + cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz + cd / +else + echo "Install kernel version ${KERNEL_VERSION} from kernel-cache." + rpm-ostree override replace \ + --experimental \ + --install=zstd \ + /tmp/kernel-rpms/kernel-[0-9]*.rpm \ + /tmp/kernel-rpms/kernel-core-*.rpm \ + /tmp/kernel-rpms/kernel-modules-*.rpm +fi ## CONDITIONAL: install ZFS (and sanoid deps) if [[ "-zfs" == "${ZFS_TAG}" ]]; then rpm-ostree install /tmp/rpms/zfs/*.rpm \ pv # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -A ${KERNEL} + depmod -A ${KERNEL_VERSION} fi ## CONDITIONAL: install NVIDIA
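Review bot: `rpm-ostree install /tmp/rpms/*.rpm` replaces the previous `ublue-os-ucore-addons-*.rpm`, so the package set installed into the image is now "every `ublue*.rpm` the akmods-common image publishes under `/rpms/ucore/`" rather than a named package, and a new RPM added upstream lands in uCore with no change — and no review — in this repository. If "all of them" is the intent, say so in a comment; otherwise keep naming the packages, e.g. `rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm`. The equal-version branch then swaps `vmlinuz` with `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz` — two globs where `${KERNEL_VERSION}` is already known — and leaves the full extracted kernel-core payload under `/tmp` unless something later clears it; this block is identical to the one in `fedora-coreos/install.sh`, so any fix should land in both.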