Merge branch 'testing-devel' into testing-devel-fedora-39

fedora-candidate-compose.repo

@@ -0,0 +1,21 @@
+# This yum repo entry represents the latest candidate compose for the given
+# Fedora release. During prep for final release some release blockers and
+# freeze exceptions are actually built in candidate composes first to
+# qualify them before they are promoted to the other repos. In order to pick
+# these packages up ASAP we'll pull from the latest candidate compose
+# as well. Note that if a package doesn't pass testing it will get
+# demoted from a later canddiate compose and never promoted to stable
+# repos. In this case a later bump-lockfile run will revert ot the
+# older NVR package that is currently in the stable repos. This should address:
+# https://github.com/coreos/fedora-coreos-tracker/issues/1602
+
+[fedora-candidate-compose]
+name=Fedora Candidate Compose $releasever - $basearch
+baseurl=https://kojipkgs.fedoraproject.org/compose/$releasever/latest-Fedora-$releasever/compose/Everything/$basearch/os/
+enabled=1
+#metadata_expire=7d
+repo_gpgcheck=0
+type=rpm
+gpgcheck=1
+gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
+skip_if_unavailable=False

kola-denylist.yaml

@@ -17,13 +17,13 @@
     - testing-devel
 - pattern: coreos.ignition.ssh.key
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1553
-  snooze: 2023-10-31
+  snooze: 2023-11-15
   warn: true
   platforms:
     - azure
 - pattern: ext.config.docker.basic
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1578
-  snooze: 2023-10-31
+  snooze: 2023-11-15
   warn: true
   streams:
     - rawhide

manifest-lock.aarch64.json

@@ -37,6 +37,7 @@
       "evra": "1.25-1.fc39.aarch64"
     },
     "amd-gpu-firmware": {
+
       "evra": "20231030-1.fc39.noarch"
     },
     "amd-ucode-firmware": {

manifest-lock.overrides.yaml

@@ -25,4 +25,4 @@ packages:
     metadata:
       bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0
       reason: https://github.com/coreos/fedora-coreos-tracker/issues/1490#issuecomment-1720020468
-      type: fast-track
+      type: fast-track

manifests/bootable-rpm-ostree.yaml

@@ -1,12 +1,11 @@
-# This minimal base starts just from: kernel + systemd + rpm-ostree + bootloader.
+# This minimal base is the userspace: systemd + rpm-ostree + bootloader.
 # The intent of this is to inherit from this if you are doing something highly
 # custom that e.g. might not involve Ignition or podman, but you do want
 # rpm-ostree.
 # We expect most people though using coreos-assembler to inherit from
 # fedora-coreos-base.yaml.
 packages:
- # Kernel + systemd.
- - kernel systemd
+ - systemd
  # linux-firmware now a recommends so let's explicitly include it
  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide

manifests/fedora-coreos-base.yaml

@@ -3,6 +3,7 @@
 # core functionality.
 
 include:
+  - kernel.yaml
   - system-configuration.yaml
   - ignition-and-ostree.yaml
   - file-transfer.yaml

manifests/kernel.yaml

@@ -0,0 +1,3 @@
+packages:
+  # We use the default kernel package, but note c9s may differ
+  - kernel

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator

@@ -13,6 +13,7 @@ set -e
 exec 1>/dev/kmsg; exec 2>&1
 
 UNIT_DIR="${1:-/tmp}"
+EARLY_DIR="${2:-/tmp}"
 
 IFS=" " read -r -a cmdline <<< "$(</proc/cmdline)"
 cmdline_arg() {
@@ -84,17 +85,37 @@ if ! $(cmdline_bool 'ignition.firstboot' 0); then
     exit 0
 fi
 
-# coreos-ignition-setup-user.service should depend on the boot device node
-# only on diskful boots
+# coreos-ignition-setup-user.service and `coreos-copy-firstboot-network.service`
+# should depend on the boot device node only on diskful boots
 mkdir -p "${UNIT_DIR}/coreos-ignition-setup-user.service.d"
+mkdir -p "${UNIT_DIR}/coreos-copy-firstboot-network.service.d"
 cat > "${UNIT_DIR}/coreos-ignition-setup-user.service.d/diskful.conf" <<EOF
 [Unit]
 Requires=dev-disk-by\x2dlabel-boot.device
 After=dev-disk-by\x2dlabel-boot.device
-
-Requires=coreos-gpt-setup.service
-After=coreos-gpt-setup.service
 EOF
+cp "${UNIT_DIR}/coreos-ignition-setup-user.service.d/diskful.conf" \
+    "${UNIT_DIR}/coreos-copy-firstboot-network.service.d/diskful.conf"
+
+# If booting from iSCSI, then we need networking first before we
+# can see the bootfs. This has some implications.
+if test -n "$(cmdline_arg rd.iscsi.firmware)" || test -n "$(cmdline_arg netroot)"; then
+    mkdir -p "${EARLY_DIR}/ignition-complete.target.requires"
+
+    # In the injected Ignition config case, `coreos-ignition-setup-user.service`
+    # can't "pass" the config to `ignition-fetch-offline.service`. So we neuter
+    # the latter so that `ignition-fetch.service` (which runs after networking
+    # comes up) can pick it up instead.
+    ln -sf /dev/null "${EARLY_DIR}/ignition-complete.target.requires/ignition-fetch-offline.service"
+    # activate ignition-fetch.service
+    mkdir -p /run/ignition
+    touch /run/ignition/neednet
+
+    # With iSCSI, configuring networking via kargs is a hard requirement
+    # since it can't be picked up from the bootfs (i.e. injected via
+    # `--copy-network`). So neuter `coreos-copy-firstboot-network.service`.
+    ln -sf /dev/null "${EARLY_DIR}/ignition-complete.target.requires/coreos-copy-firstboot-network.service"
+fi
 
 # create symlink for udev rule
 mkdir -p /run/udev/rules.d/
@@ -124,4 +145,9 @@ StandardOutput=null
 StandardError=null
 EOF
     done
+
+    # This one is done dynamically because it hard Requires a device to appear
+    # and if it's always part of the transaction, systemd will want the device
+    # to appear regardless of ConditionPathExists.
+    add_requires coreos-secex-ignition-decrypt.service ignition-diskful.target
 fi

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service

@@ -1,31 +1,25 @@
 [Unit]
 Description=Generate New UUID For Boot Disk GPT
 ConditionPathExists=/etc/initrd-release
-DefaultDependencies=no
-Before=local-fs-pre.target systemd-fsck-root.service
+Before=systemd-fsck-root.service
 Before=ignition-diskful.target
-Wants=systemd-udevd.service
-After=systemd-udevd.service
 
-# This unit must be the first to run when the disk holding the root partition
-# becomes available. To avoid relying on the name of the root partition which
-# is different between RHCOS LUKS setup and current FCOS setup, we wait for the
-# partition labeled 'boot' to become available. This is reliable as we don't
-# have any plan to support re-provisioning/re-writing the /boot partition,
-#
-# This is the only unit where it is safe to wait only on a specific disk label
-# as this will call udevadm settle after the GPT setup. Units that requires the
-# boot and root partitions to be available should order themselves after this
-# unit.
+# Have some ordering with this service since it also wants to access the bootfs.
+# We run after it since that service runs early and is skipped if we're on
+# iSCSI, but we still run.
+After=coreos-copy-firstboot-network.service
+
 Requires=dev-disk-by\x2dlabel-boot.device
 After=dev-disk-by\x2dlabel-boot.device
+
 # And since the boot device may be on multipath; optionally wait for it to
 # appear via the dynamic target.
-After=coreos-multipath-wait.target
+After=coreos-unique-boot.service
+Before=ignition-ostree-uuid-boot.service
 
 # Run before services that use device nodes, preventing them from racing
 # with udev activity generated by sgdisk
-Before=coreos-ignition-setup-user.service ignition-disks.service
+Before=ignition-kargs.service
 
 OnFailure=emergency.target
 OnFailureJobMode=isolate

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.service

@@ -4,15 +4,17 @@ Documentation=https://github.com/coreos/ignition
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 
-# We run before config fetch because we may copy in new/different configs
-# for Ignition to consume.
-Before=ignition-fetch-offline.service
+# We run before config fetch because we may copy in new/different
+# configs for Ignition to consume. We include both fetch stages since
+# ignition-fetch-offline.service is neutered in a root on iSCSI boot (see
+# `coreos-diskful-generator`).
+Before=ignition-fetch-offline.service ignition-fetch.service
 
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
 # On diskful boots, coreos-diskful-generator adds Requires/After on
-# dev-disk-by\x2dlabel-boot.device and coreos-gpt-setup.service
+# dev-disk-by\x2dlabel-boot.device
 
 [Service]
 Type=oneshot

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service

@@ -1,3 +1,5 @@
+# This service is enabled by coreos-diskful-generator
+
 [Unit]
 Description=CoreOS Secex Ignition Config Decryptor
 ConditionPathExists=/etc/initrd-release
@@ -7,8 +9,9 @@ DefaultDependencies=false
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# Run after virtio_blk and before Ignition
-After=coreos-gpt-setup.service
+# Run after the crypt device becomes available and before Ignition
+Requires=dev-disk-by\x2did-virtio\x2dignition_crypted.device
+After=dev-disk-by\x2did-virtio\x2dignition_crypted.device
 Before=ignition-fetch-offline.service
 
 [Service]

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-teardown-initramfs.sh

@@ -229,13 +229,22 @@ main() {
     # Load libraries from dracut
     load_dracut_libs
 
-    # Take down all interfaces set up in the initramfs
-    down_interfaces
+    # If we're using iSCSI, then we can't tear down networking since we'll lose
+    # root. This means in that case that the network config written to the real
+    # root won't be applied "from scratch". But anyway, since networking must
+    # stay on, it's simply not supported to configure the real root in a way
+    # that would require tearing down the connection on the interface involved.
+    if dracut_func getargbool 0 rd.iscsi.firmware || dracut_func getarg netroot; then
+        echo "info: iSCSI in use; not tearing down networking"
+    else
+        # Take down all interfaces set up in the initramfs
+        down_interfaces
 
-    # Clean up all routing
-    echo "info: flushing all routing"
-    ip route flush table main
-    ip route flush cache
+        # Clean up all routing
+        echo "info: flushing all routing"
+        ip route flush table main
+        ip route flush cache
+    fi
 
     # Hopefully our logic is sound enough that this is never needed, but
     # user's can explicitly disable initramfs network/hostname propagation

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh

@@ -83,7 +83,8 @@ install() {
 
     # IBM Secure Execution. Ignition config for reencryption of / and /boot
     inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
-    install_ignition_unit "coreos-secex-ignition-decrypt.service"
+    inst_simple "$moddir/coreos-secex-ignition-decrypt.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-decrypt.service"
     inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
         "/usr/sbin/coreos-secex-ignition-decrypt"
 

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/coreos-multipath-wait.target

@@ -11,8 +11,8 @@ After=multipathd.service
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# This is already enforced transitively by coreos-gpt-setup.service, but
-# let's be more explicit and list it directly here too.
+# This is one of the earliest services that accesses the bootfs so make sure we
+# already have our multipath target.
 Before=coreos-ignition-setup-user.service
 
 # This is already enforced by coreos-multipath-trigger.service, though ideally

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-copy-firstboot-network.service

@@ -11,7 +11,7 @@
 # - In the diskful case, we need to look for networking configuration on the
 #   /boot partition
 #     - i.e. after /dev/disk/by-label/boot is available
-#     - which is implied by running after coreos-gpt-setup (see below)
+#     - which is injected via coreos-diskful-generator
 # - Need to run before networking is brought up.
 #     - This is done in nm-initrd.service [1]
 #     - i.e. Before=nm-initrd.service
@@ -41,9 +41,6 @@ Before=nm-initrd.service
 # compat: remove when everyone is on dracut 054+
 Before=dracut-initqueue.service
 After=dracut-cmdline.service
-# Any services looking at mounts need to order after this
-# because it causes device re-probing.
-After=coreos-gpt-setup.service
 # And since the boot device may be on multipath; optionally wait for it to
 # appear via the dynamic target.
 After=coreos-multipath-wait.target

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service

@@ -1,16 +1,13 @@
 [Unit]
 Description=Ignition OSTree: Regenerate Filesystem UUID (boot)
-DefaultDependencies=false
 ConditionPathExists=/usr/lib/initrd-release
 ConditionKernelCommandLine=ostree
 ConditionPathExists=!/run/ostree-live
-# We run pretty early
-Before=coreos-copy-firstboot-network.service
-Before=coreos-ignition-setup-user.service
-Before=ignition-fetch-offline.service
 # Any services looking at mounts need to order after this
 # because it causes device re-probing.
 After=coreos-gpt-setup.service
+Before=ignition-disks.service
+
 # If we're going to reprovision the bootfs, then there's no need to restamp
 ConditionKernelCommandLine=!bootfs.roothash