Initial commit of a Rocky Linux Containerfile refactor
- Generate point-release containerfiles from templates
- Simplified configuration of dnf
- selinux support moved to examples/
- Update READMEs

Signed-off-by: Jonathon Anderson <[email protected]>
anderbubble committed Dec 29, 2023
1 parent 1e64182 commit a59264c
Showing 38 changed files with 244 additions and 441 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/container-publish.yml
Expand Up @@ -91,6 +91,11 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v3

- name: Make Containerfiles
run: |
make -C rockylinux-8
make -C rockylinux-9
# Install the cosign tool
# https://github.com/sigstore/cosign-installer
- name: Install Cosign
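Review bot: The new "Make Containerfiles" step generates the files that get built, but nothing in the step keeps a record of them. rockylinux-8/.gitignore in this same commit excludes `Containerfile-8.*`, and the job installs cosign right after, so the exact Containerfile behind a published image is not in the repository history. Upload the generated files as a workflow artifact, or print them in the job log, so an image can be traced back to the recipe that produced it.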
19 changes: 17 additions & 2 deletions README.md
@@ -1,7 +1,22 @@
# Warewulf node images

Example node images for use with Warewulf 4.
Example node container images for use with Warewulf v4.

https://warewulf.org

Node images are published on Docker Hub at https://hub.docker.com/u/warewulf.
## Built examples

These node images are published on the [GitHub container registry][1].

[1]: https://github.com/orgs/hpcng/packages?repo_name=warewulf-node-images

* [Rocky Linux 8](rockylinux-8)
* [Rocky Linux 9](rockylinux-9)
* [openSUSE Leap](leap)

## Additional examples

Additional node container images that are not actively built and published, but
may still be useful.

* [Rocky Linux 9 with SELinux][examples/rockylinux-9-selinux]
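Review bot: The last list entry uses reference-link syntax with no matching definition, `[Rocky Linux 9 with SELinux][examples/rockylinux-9-selinux]`, so it renders as literal text instead of a link. The entries under "Built examples" use inline links; write this one the same way, as `[Rocky Linux 9 with SELinux](examples/rockylinux-9-selinux)`.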
16 changes: 16 additions & 0 deletions examples/rockylinux-9-selinux/Containerfile
@@ -0,0 +1,16 @@
FROM ghcr.io/hpcng/warewulf-rockylinux:9

RUN dnf -y install \
policycoreutils-python-utils \
selinux-policy-targeted

# For SELinux enabled nodes:
# The wwclient service fails to start on boot if an appropriate SELinux file
# context label is not set for /warewulf/wwclient.
#
# NOTE: THE FOLLOWING EXITS NONZERO WITH libsemanage VERSIONS IN EL9
# PRIOR TO 3.3.3 SO WE FORCE A CLEAN EXIT CODE
#
# See: https://github.com/SELinuxProject/selinux/issues/343
#
RUN semanage fcontext -N -a -t bin_t /warewulf/wwclient || true
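Review bot: `|| true` on the final `semanage fcontext` line hides every failure, not only the libsemanage exit-code problem described in the comment, so an image in which the `bin_t` rule was never recorded still builds, and per the comment above wwclient then fails to start on boot. Keep the workaround but follow it with a step that fails the build when the rule is missing, for example `semanage fcontext -l -C | grep -q /warewulf/wwclient`, and say in the comment that `|| true` can go once the base image carries libsemanage 3.3.3 or later.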
16 changes: 16 additions & 0 deletions examples/rockylinux-9-selinux/README.md
@@ -0,0 +1,16 @@
# Rocky Linux 9 with SELinux

Warewulf can be used to boot an selinux-equipped node. This example installs
required packages and configures SELinux policy for the `wwclient` binary
(which communicates with the Warewulf server and receives runtime overlays).

```
podman build . --tag rockylinux-selinux:9
```

Booting a node image with selinux enabled requires (at least up to Warewulf
v4.4.1) setting `--root=tmpfs` on the relevant node and setting
`rootfstype=ramfs` as a kernel argument. For more information on these
settings, look at [wwinit/init][1].

[1]: https://github.com/hpcng/warewulf/blob/main/overlays/wwinit/init
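Review bot: The boot-requirements paragraph names `--root=tmpfs` and `rootfstype=ramfs` without showing the command each one is passed to, so a reader has to work that out from wwinit/init before they can apply it. Add the commands next to the `podman build` example. SELinux is also spelled three ways in this file ("selinux-equipped", "SELinux", "selinux enabled"); use "SELinux" throughout.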
1 change: 1 addition & 0 deletions rockylinux-8/.gitignore
@@ -0,0 +1 @@
Containerfile-8.*
15 changes: 10 additions & 5 deletions rockylinux-8/Containerfile
@@ -1,5 +1,7 @@
FROM docker.io/library/rockylinux:8

RUN localectl set-locale LANG=C.UTF-8

RUN dnf update -y \
&& dnf install -y --allowerasing \
coreutils \
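Review bot: `RUN localectl set-locale LANG=C.UTF-8` near the top runs at image build time, where there is normally no running systemd or D-Bus for `localectl` to talk to. Confirm that this step succeeds and actually changes the image under `podman build`; if it does not, write `LANG=C.UTF-8` to /etc/locale.conf directly instead.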
Expand All @@ -14,7 +16,7 @@ RUN dnf update -y \
kernel-core \
kernel-modules \
net-tools \
network-scripts \
NetworkManager \
nfs-utils \
openssh-clients \
openssh-server \
Expand All @@ -28,10 +30,13 @@ RUN dnf update -y \
words \
&& dnf clean all

RUN rm -f /etc/sysconfig/network-scripts/ifcfg-e* \
&& systemctl unmask console-getty.service dev-hugepages.mount getty.target sys-fs-fuse-connections.mount systemd-logind.service systemd-remount-fs.service \
&& systemctl enable network \
&& touch /etc/sysconfig/disable-deprecation-warnings
RUN systemctl unmask \
console-getty.service \
dev-hugepages.mount \
getty.target \
sys-fs-fuse-connections.mount \
systemd-logind.service \
systemd-remount-fs.service

COPY excludes /etc/warewulf/
COPY container_exit.sh /etc/warewulf/
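Review bot: The rewritten `RUN systemctl unmask` block drops `systemctl enable network` and the `rm -f /etc/sysconfig/network-scripts/ifcfg-e*` cleanup, and nothing visible replaces either one now that `network-scripts` is swapped for `NetworkManager` in the package list. Confirm that NetworkManager.service ends up enabled in the image, adding an explicit `systemctl enable NetworkManager` if it does not, and consider keeping the `ifcfg-e*` removal, since NetworkManager on EL8 still reads ifcfg files and would pick up any that the base image ships.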
48 changes: 0 additions & 48 deletions rockylinux-8/Containerfile-8.6

This file was deleted.

48 changes: 0 additions & 48 deletions rockylinux-8/Containerfile-8.7

This file was deleted.

48 changes: 0 additions & 48 deletions rockylinux-8/Containerfile-8.8

This file was deleted.

48 changes: 0 additions & 48 deletions rockylinux-8/Containerfile-8.9

This file was deleted.

29 changes: 11 additions & 18 deletions rockylinux-9/Containerfile-9.1 → rockylinux-8/Containerfile-fixed
@@ -1,9 +1,9 @@
FROM docker.io/library/rockylinux:9.1
FROM docker.io/library/rockylinux:${releasever}

RUN rm -f /etc/yum.repos.d/*.repo \
&& dnf clean all
RUN localectl set-locale LANG=C.UTF-8

COPY yum.repos.d-9.1/*.repo /etc/yum.repos.d
RUN echo "${releasever}" >/etc/dnf/vars/releasever \
&& dnf clean all

RUN dnf update -y \
&& dnf install -y --allowerasing \
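Review bot: `${releasever}` in the `FROM` line and in `echo "${releasever}" >/etc/dnf/vars/releasever` uses the same syntax as a Containerfile ARG and a shell variable, yet no `ARG releasever` is declared, so the file only works after make has rendered it and nothing in the file says so. Add a header comment marking it as a template, or use a placeholder that cannot be mistaken for shell expansion, because an unrendered `${releasever}` inside `RUN` expands to an empty string without an error. Separately, the pinned `yum.repos.d-9.1/*.repo` files are dropped in favour of the dnf variable; confirm that the stock repo definitions still resolve for older point releases.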
Expand All @@ -18,35 +18,28 @@ RUN dnf update -y \
iproute \
kernel-core \
kernel-modules \
ncurses \
net-tools \
NetworkManager \
nfs-utils \
openssh-clients \
openssh-server \
pciutils \
policycoreutils-python-utils \
psmisc \
rsync \
rsyslog \
strace \
selinux-policy-targeted \
wget \
which \
words \
rdma-core \
&& dnf clean all

RUN touch /etc/sysconfig/disable-deprecation-warnings

# For SELinux enabled nodes:
# The wwclient service fails to start on boot if appropriate SELinux file
# context label is not set for /warewulf/wwclient.
# Permanently assign bin_t fcontent label for wwclient binary that is
# deployed by wwinit overlay because warewulf runs `restorecon -R /` on node
# boot, clobbering any existing labels set in the overlay itself.
#
RUN semanage fcontext -N -a -t bin_t /warewulf/wwclient
RUN systemctl unmask \
console-getty.service \
dev-hugepages.mount \
getty.target \
sys-fs-fuse-connections.mount \
systemd-logind.service \
systemd-remount-fs.service

COPY excludes /etc/warewulf/
COPY container_exit.sh /etc/warewulf/
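Review bot: The comment block above `RUN semanage fcontext` that goes away here is the only place that explains why the label has to be set in the image: Warewulf runs `restorecon -R /` on node boot and clobbers labels set in the overlay. The copy in examples/rockylinux-9-selinux/Containerfile does not carry that sentence; move it there so the reason survives the refactor.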