donotmerge: IBX changes #958
Conversation
| @@ -0,0 +1,26 @@ | |||
| FROM quay.io/centos/centos:stream9 as build | |||
There was a problem hiding this comment.
We must build bootc because it doesn't ship with RHCOS yet
| RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make test-bin-archive && mkdir -p /out && cp target/bootc.tar /out | ||
| RUN mkdir -p /build/target/dev-rootfs # This can hold arbitrary extra content | ||
|
|
||
| FROM quay.io/otuchfel/ostbackup:serv1 as seed |
There was a problem hiding this comment.
Your normal seed image goes here.
There was a problem hiding this comment.
In an ideal future all seeds will simply be "bootc seeds", but for now we have this Containerfile to make a "bootc seed" out of a normal seed
There was a problem hiding this comment.
hmm not sure. we can generate new seeds I guess. no need to deal with backwards compatibility at this point. but whatever is easier for the POC of course
| @@ -39,10 +39,10 @@ install-all: install install-ostree-hooks | |||
| install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests | |||
|
|
|||
| bin-archive: all | |||
| $(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf | |||
There was a problem hiding this comment.
-zstd unsupported on quay.io/centos/centos:stream9
There was a problem hiding this comment.
Wait that's definitely not true. Do you have a really old image? Builds don't pull by default so unfortunately you need to explicitly e.g. podman pull quay.io/centos-bootc/centos-bootc:stream9 or so.
There was a problem hiding this comment.
I don't believe I have an old image
build_seed.sh
Outdated
There was a problem hiding this comment.
Some helper script, ignore
hack/Containerfile
Outdated
There was a problem hiding this comment.
This file isn't really used in this PoC, ignore those changes
lib/src/install.rs
Outdated
| @@ -946,7 +946,7 @@ pub(crate) fn reexecute_self_for_selinux_if_needed( | |||
| override_disable_selinux: bool, | |||
| ) -> Result<SELinuxFinalState> { | |||
| // If the target state has SELinux enabled, we need to check the host state. | |||
| if srcdata.selinux { | |||
There was a problem hiding this comment.
The re-exec is failing for some reason, I skipped it and despite that things seems to work alright (maybe because I sudo setenforce permissive)
There was a problem hiding this comment.
update: it works even without setenforce
There was a problem hiding this comment.
Failing with what error message?
There was a problem hiding this comment.
ERROR Installing to filesystem: Ensuring selinux install_t type: Ensuring selinux install_t type: fsetxattr(security.selinux): Operation not supported (os error 95)
But I'm now starting to think this just might be due to my removal of setup_tmp_mounts
There was a problem hiding this comment.
Temporarily working around the setup_tmp_mounts error mentioned in the other comment below using -v /tmp:/tmp -v /var/tmp:/var/tmp
But now the re-exec fails with a new error
ERROR Installing to filesystem: Ensuring selinux install_t type: Failed to enter install_t (running as unconfined_u:unconfined_r:spc_t:s0) - use BOOTC_SETENFORCE0_FALLBACK=1 to override
There was a problem hiding this comment.
Weirdly the error seems to disappear when -v /tmp:/tmp is removed, leaving only the /var/tmp mount. Confirming that this is true
There was a problem hiding this comment.
Yep that is indeed the case.
To summarize:
-
No tmp mounts at all leads to
ERROR Installing to filesystem: Linking tmp mounts to host: Exchanging /var/tmp <=> /var/tmp.tmp: Invalid cross-device link (os error 18) -
Both
/tmp/and/var/tmpmounts leads toERROR Installing to filesystem: Ensuring selinux install_t type: Failed to enter install_t (running as unconfined_u:unconfined_r:spc_t:s0) - use BOOTC_SETENFORCE0_FALLBACK=1 to override -
Only
/var/tmpmount works
lib/src/install.rs
Outdated
| @@ -1222,7 +1162,7 @@ async fn prepare_install( | |||
| crate::mount::ensure_mirrored_host_mount("/dev")?; | |||
| crate::mount::ensure_mirrored_host_mount("/var/lib/containers")?; | |||
| ensure_var()?; | |||
| setup_tmp_mounts()?; | |||
There was a problem hiding this comment.
This was failing for some reason so I had to take it out, I'm not quite sure what purpose it serves anyway, but need to dig into why it was failing
There was a problem hiding this comment.
Again what error message?
There was a problem hiding this comment.
ERROR Installing to filesystem: Linking tmp mounts to host: Exchanging /var/tmp <=> /var/tmp.tmp: Invalid cross-device link (os error 18)
Looking into it
|
While the install completes "successfully", SSHing after rebooting doesn't work |
|
|
|
Host SSH keys were not created... Suspecting selinux? EDIT: neither did the key I added with |
Containerfile
Outdated
| LABEL com.openshift.lifecycle-agent.seed_format_version=3 | ||
|
|
||
| RUN mkdir -p /usr/lib/bootc/install | ||
| RUN echo -e '[install.filesystem.root]\ntype = "xfs"' > /usr/lib/bootc/install/00-bootc.toml |
There was a problem hiding this comment.
I think this is unnecessary after FCOS starts inheriting from fedora-bootc, you just haven't picked up that change in the base image here right?
There was a problem hiding this comment.
I've added that because I was just starting off from a very old PoC by @!javipolo, it might be completely unnecessary. I'll try to do without it
There was a problem hiding this comment.
Yeah it works fine without it
| @@ -39,10 +39,10 @@ install-all: install install-ostree-hooks | |||
| install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests | |||
|
|
|||
| bin-archive: all | |||
| $(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf | |||
There was a problem hiding this comment.
Wait that's definitely not true. Do you have a really old image? Builds don't pull by default so unfortunately you need to explicitly e.g. podman pull quay.io/centos-bootc/centos-bootc:stream9 or so.
lib/src/install.rs
Outdated
| @@ -946,7 +946,7 @@ pub(crate) fn reexecute_self_for_selinux_if_needed( | |||
| override_disable_selinux: bool, | |||
| ) -> Result<SELinuxFinalState> { | |||
| // If the target state has SELinux enabled, we need to check the host state. | |||
| if srcdata.selinux { | |||
There was a problem hiding this comment.
Failing with what error message?
lib/src/install.rs
Outdated
| @@ -1222,7 +1162,7 @@ async fn prepare_install( | |||
| crate::mount::ensure_mirrored_host_mount("/dev")?; | |||
| crate::mount::ensure_mirrored_host_mount("/var/lib/containers")?; | |||
| ensure_var()?; | |||
| setup_tmp_mounts()?; | |||
There was a problem hiding this comment.
Again what error message?
Some (trash, temporary) changes I had to perform on bootc to get IBX to work - `./Containerfile` builds a bootable image from an existing normal IBX seed - `./build_seed.sh` is just a helper script To install on recipient ``` sudo podman run --privileged -v $PWD/authkeys:/authkeys --env RUST_LOG=trace -v /var/tmp:/var/tmp -v /var/lib/containers/storage:/var/lib/containers/storage --pid=host -it quay.io/otuchfel/bootc:seed bootc install to-existing-root --acknowledge-destructive --stateroot omeroot --root-ssh-authorized-keys /authkeys --bound-images pull ``` This PR only exists to start discussions around concrete issues, it's not meant to be merged.
Some (trash, temporary) changes I had to perform on bootc to get IBX to work
./Containerfilebuilds a bootable image from an existing normal IBX seed./build_seed.shis just a helper scriptTo install on recipient:
This PR only exists to start discussions around concrete issues, it's not meant to be merged.
Current state:
But...
coreuser as we would expect from OCPsshdis running,/root/.authorized_keysis populated with the key I expect... yet:Even though I'm using
ssh-ed25519, so it's rather strange... Will look into it once I come back from vacationFuture work: