feat: streamline builds, drop fedora-coreos, include ZFS in all (#266)

Benjamin Sherman
2025-06-13 17:07:35 -05:00
committed by GitHub
parent 0544106bad
commit cf175ba458
11 changed files with 64 additions and 474 deletions


@@ -84,247 +84,6 @@ jobs:
run: |
echo "${{ steps.fetch.outputs.outputs }}"
build_fcos:
name: fedora-coreos
runs-on: ubuntu-24.04
if: always() && !cancelled()
needs: [workflow_info, stream_info]
permissions:
contents: read
packages: write
id-token: write
env:
FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}}
IMAGE_NAME: fedora-coreos
IMAGE_VERSION: ${{ needs.stream_info.outputs.image}}
KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }}
KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}}
PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }}
strategy:
fail-fast: false
matrix:
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
exclude:
- nvidia_tag: ""
zfs_tag: ""
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Pull base and kmod images
uses: Wandalen/wretry.action@v3.8.0
with:
attempt_limit: 3
attempt_delay: 15000
command: |
# pull the base image used for FROM in containerfile so
# we can retry on that unfortunately common failure case
podman pull quay.io/fedora/fedora-coreos:${{ env.IMAGE_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/config:latest
- name: Verify versions
shell: bash
run: |
set -x
if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then
echo "env.FEDORA_VERSION must not be empty or null"
exit 1
fi
if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then
echo "env.IMAGE_VERSION must not be empty or null"
exit 1
fi
if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ env.KERNEL_VERSION }}" ]; then
echo "env.KERNEL_VERSION must not be empty or null"
exit 1
fi
podman inspect ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Verify versions (nvidia)
if: matrix.nvidia_tag == '-nvidia'
shell: bash
run: |
set -x
podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Verify versions (ZFS)
if: matrix.zfs_tag == '-zfs'
shell: bash
run: |
set -x
podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}")
COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}")
BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
org.opencontainers.image.description=An OCI image of Fedora CoreOS with NVIDIA and/or ZFS pre-installed
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ env.IMAGE_VERSION }}
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./fedora-coreos/Containerfile
context: ./fedora-coreos
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
COREOS_VERSION=${{ inputs.coreos_version }}
FEDORA_VERSION=${{ env.FEDORA_VERSION }}
IMAGE_VERSION=${{ env.IMAGE_VERSION }}
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }}
KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }}
PR_PREFIX=${{ env.PR_PREFIX }}
NVIDIA_TAG=${{ matrix.nvidia_tag }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
- name: Check Secureboot
shell: bash
run: |
set -x
if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
sudo apt update
sudo apt install sbsigntool curl openssl
fi
podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
sbverify --list vmlinuz
curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
openssl x509 -in kernel-sign.der -out kernel-sign.crt
openssl x509 -in akmods.der -out akmods.crt
sbverify --cert kernel-sign.crt vmlinuz || exit 1
sbverify --cert akmods.crt vmlinuz || exit 1
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: Wandalen/wretry.action@v3.8.0
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
action: redhat-actions/push-to-registry@v2
attempt_limit: 3
attempt_delay: 15000
with: |
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/cosign-installer@v3.8.2
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
build_ucore:
name: ucore
runs-on: ubuntu-24.04
@@ -351,9 +110,6 @@ jobs:
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
include:
- image_suffix: "-minimal"
description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM
@@ -389,7 +145,7 @@ jobs:
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/config:latest
- name: Verify versions
- name: Verify versions (image, kernel, zfs)
shell: bash
run: |
set -x
@@ -411,6 +167,12 @@ jobs:
echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Verify versions (nvidia)
if: matrix.nvidia_tag == '-nvidia'
@@ -424,25 +186,13 @@ jobs:
exit 1
fi
- name: Verify versions (ZFS)
if: matrix.zfs_tag == '-zfs'
shell: bash
run: |
set -x
podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json
kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json)
if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then
echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})"
exit 1
fi
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
@@ -453,6 +203,10 @@ jobs:
COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}")
BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}")
# always add the '-zfs' tag to each image since we include ZFS with them all
# and we want users of the existing '-zfs' images to still get updates
BUILD_TAGS+=("${COREOS_VERSION}-zfs")
BUILD_TAGS+=("${COREOS_VERSION}-zfs-${TIMESTAMP}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
@@ -509,7 +263,6 @@ jobs:
KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }}
PR_PREFIX=${{ env.PR_PREFIX }}
NVIDIA_TAG=${{ matrix.nvidia_tag }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
extra-args: |
@@ -592,7 +345,7 @@ jobs:
check:
name: Check all successful
runs-on: ubuntu-latest
needs: [build_fcos, build_ucore]
needs: [build_ucore]
steps:
- name: Exit
shell: bash
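Review bot: The akmods-zfs check added to the `Verify versions (image, kernel, zfs)` step only compares the pulled image's own `ostree.linux` label with `KERNEL_VERSION`, which confirms the kernel build lines up but does not authenticate the image. Since this commit puts the ZFS kmod RPMs into every `ucore*` image, it would be worth verifying the akmods images before the build, e.g. `cosign verify --key <PROJECT_COSIGN_PUBLIC_KEY> ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}` (the key is a placeholder; this assumes those images are signed and that cosign is installed earlier in the job than these hunks show). The prefix comparison `!= "$kernel"*` also passes when `$kernel` is empty, so a guard such as `[ -n "$kernel" ] || exit 1` ahead of it would close that gap. The step's `run:` body begins outside the hunk.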


@@ -12,7 +12,6 @@ Please take a look at the included modifications, and help us improve uCore if t
- [Announcements](#announcements)
- [Features](#features)
- [Images](#images)
- [`fedora-coreos`](#fedora-coreos)
- [`ucore-minimal`](#ucore-minimal)
- [`ucore`](#ucore)
- [`ucore-hci`](#ucore-hci)
@@ -46,6 +45,20 @@ Please take a look at the included modifications, and help us improve uCore if t
## Announcements
### 2025.06.12 - uCore Build Streamlining
In general, the Universal Blue project has been working to streamline various aspects of our builds. In several areas
this means we've cut back on images which do not have significant use, or otherwise found ways to build fewer images.
For uCore, this means we are dropping builds of `fedora-coreos` images and reducing number of `ucore*` images by
including ZFS in all `ucore*` images both nvidia and non-nvidia.
Existing tag structure for ZFS specific images will contine to work. The difference is that users running any
non-ZFS image, ZFS will be available on your system after it next updates.
The team is committed to building and maintaing uCore. For questions about about recent project direction, please
see our discourse post, [uCore: Streamlining (not retiring)](https://universal-blue.discourse.group/t/ucore-lets-streamline-not-retiring/9098).
### 2025.05.14 - uCore update to Fedora 42
As of today, Fedora CoreOS upstream has updated to kernel 6.14.3 and uCore has unpinned and is building on F42.
@@ -72,41 +85,22 @@ We expect the next update of Fedora CoreOS to be on `6.11.6` per the current sta
## Features
The uCore project builds four images, each with different tags for different features.
The uCore project builds three images, optionally with nivida drivers.
The image names are:
- [`fedora-coreos`](#fedora-coreos)
- [`ucore-minimal`](#ucore-minimal)
- [`ucore`](#ucore)
- [`ucore-hci`](#ucore-hci)
The [tag matrix](#tag-matrix) includes combinations of the following:
- `stable` - for an image based on the Fedora CoreOS stable stream
- `testing` - for an image based on the Fedora CoreOS testing stream
- `nvidia` - for an image which includes nvidia driver and container runtime
- `zfs` - for an image which includes zfs driver and tools
- `stable` - images based on Fedora CoreOS stable stream including zfs driver and tools
- `testing` - images based on Fedora CoreOS testing stream including zfs driver and tools
- `nvidia` - images which include nvidia driver and container runtime
### Images
#### `fedora-coreos`
> [!IMPORTANT]
> This was previously named `fedora-coreos-zfs`, but that version of the image did not offer the nvidia option. If on the previous image name, please rebase with `rpm-ostree rebase`.
A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image with choice of add-on kernel modules:
- [nvidia versions](#tag-matrix) add:
- [nvidia driver](https://github.com/ublue-os/akmods) - latest driver built from negativo17's akmod package
- [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI
- [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia)
- [ZFS versions](#tag-matrix) add:
- [ZFS driver](https://github.com/ublue-os/akmods) - latest driver (currently pinned to 2.2.x series)
> [!NOTE]
> zincati fails to start on all systems with OCI based deployments (like uCore). Upstream efforts are active to develop an alternative.
#### `ucore-minimal`
Suitable for running containerized workloads on either bare metal or virtual machines, this image tries to stay lightweight but functional.
@@ -122,13 +116,12 @@ Suitable for running containerized workloads on either bare metal or virtual mac
- [tailscale](https://tailscale.com) and [wireguard-tools](https://www.wireguard.com)
- [tmux](https://github.com/tmux/tmux/wiki/Getting-Started)
- udev rules enabling full functionality on some [Realtek 2.5Gbit USB Ethernet](https://github.com/wget/realtek-r8152-linux/) devices
- [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) - [see below](#zfs) for details
- `pv` is installed with zfs as a complementary tool
- Optional [nvidia versions](#tag-matrix) add:
- [nvidia driver](https://github.com/ublue-os/ucore-kmods) - latest driver built from negativo17's akmod package
- [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI
- [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia)
- Optional [ZFS versions](#tag-matrix) add:
- [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) - [see below](#zfs) for details
- `pv` is installed with zfs as a complementary tool
- Disables Zincati auto upgrade/reboot service
- Enables staging of automatic system updates via rpm-ostreed
- Enables password based SSH auth (required for locally running cockpit web interface)
@@ -137,6 +130,9 @@ Suitable for running containerized workloads on either bare metal or virtual mac
> [!IMPORTANT]
> Per [cockpit's instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is provided as a pre-defined systemd service which runs a podman container.
> [!NOTE]
> zincati fails to start on all systems with OCI based deployments (like uCore). Upstream efforts are active to develop an alternative.
#### `ucore`
This image builds on `ucore-minimal` but adds drivers, storage tools and utilities making it more useful on bare metal or as a storage server (NAS).
@@ -176,14 +172,12 @@ Hyper-Coverged Infrastructure(HCI) refers to storage and hypervisor in one place
| IMAGE | TAG |
|-|-|
| [`fedora-coreos`](#fedora-coreos) - *stable* | `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`fedora-coreos`](#fedora-coreos) - *testing* | `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore-minimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia` |
| [`ucore-minimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia` |
| [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia` |
| [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia` |
| [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia` |
| [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia` |
## Installation
@@ -239,9 +233,6 @@ The `ucore*` images include container policies to support image verification for
sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/IMAGE:TAG
```
> [!NOTE]
> This policy is not included with `fedora-coreos:*` as those images are kept very stock.*
## Tips and Tricks
### CoreOS and ostree Docs
@@ -513,7 +504,7 @@ If going this path, you likely won't want to use the `ucore` `-nvidia` image, bu
### ZFS
If you installed an image with `-zfs` in the tag (or `fedora-coreos-zfs`), the ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default.
The ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default.
Load it with the command `modprobe zfs` and use `zfs` and `zpool` commands as desired.


@@ -1,35 +0,0 @@
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
ARG IMAGE_VERSION="${IMAGE_VERSION:-stable}"
ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}"
ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
# FROMs for copying
ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
FROM ${AKMODS_COMMON} AS akmods-common
FROM ${AKMODS_NVIDIA} AS akmods-nvidia
FROM ${AKMODS_ZFS} AS akmods-zfs
FROM scratch AS ctx
COPY / /
FROM quay.io/fedora/fedora-coreos:${IMAGE_VERSION}
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia
ARG NVIDIA_TAG="${NVIDIA_TAG}"
# build with --build-arg ZFS_TAG="-zfs" to install zfs
ARG ZFS_TAG="${ZFS_TAG}"
RUN --mount=type=cache,dst=/var/cache/rpm-ostree \
--mount=type=bind,from=ctx,src=/,dst=/ctx \
--mount=type=bind,from=akmods-common,src=/rpms/ucore,dst=/tmp/rpms/akmods-common \
--mount=type=bind,from=akmods-nvidia,src=/rpms,dst=/tmp/rpms/akmods-nvidia \
--mount=type=bind,from=akmods-zfs,src=/rpms,dst=/tmp/rpms/akmods-zfs \
--mount=type=bind,from=akmods-common,src=/kernel-rpms,dst=/tmp/rpms/kernel \
/ctx/install.sh \
&& /ctx/post-install.sh \
&& /ctx/cleanup.sh


@@ -1,12 +0,0 @@
#!/usr/bin/bash
set -eoux pipefail
rm -rf /tmp/* || true
find /var/* -maxdepth 0 -type d -exec rm -fr {} \;
# this currently fails on /usr/etc
#bootc container lint
ostree container commit
mkdir -p /var/tmp \
&& chmod -R 1777 /var/tmp


@@ -1,75 +0,0 @@
#!/bin/sh
set -ouex pipefail
ARCH="$(rpm -E %{_arch})"
RELEASE="$(rpm -E %fedora)"
pushd /tmp/rpms/kernel
KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//')
popd
QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
#### PREPARE
# enable testing repos if not enabled on testing stream
if [[ "testing" == "${COREOS_VERSION}" ]]; then
for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing.repo); do
if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then
echo "enabling $REPO" &&
sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}
fi
done
fi
# enable ublue-os repos
dnf -y install dnf5-plugins
dnf -y copr enable ublue-os/packages
# always disable cisco-open264 repo
sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
#### INSTALL
# inspect to see what RPMS we copied in
find /tmp/rpms/
dnf -y install /tmp/rpms/akmods-common/ublue-os-ucore-addons*.rpm
dnf -y install ublue-os-signing
# Handle Kernel Skew with override replace
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
cd /tmp
rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv
cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
cd /
else
# Remove Existing Kernel
for pkg in kernel kernel-core kernel-modules kernel-modules-core kernel-modules-extra; do
rpm --erase $pkg --nodeps
done
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
dnf -y install \
/tmp/rpms/kernel/kernel-[0-9]*.rpm \
/tmp/rpms/kernel/kernel-core-*.rpm \
/tmp/rpms/kernel/kernel-modules-*.rpm
fi
## CONDITIONAL: install ZFS
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
dnf -y install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
# for some reason depmod ran automatically with zfs 2.1 but not with 2.2
depmod -a -v ${KERNEL_VERSION}
fi
## CONDITIONAL: install NVIDIA
if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
# repo for nvidia rpms
curl -L https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo
dnf -y install /tmp/rpms/akmods-nvidia/ucore/ublue-os-ucore-nvidia*.rpm
sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
dnf -y install \
/tmp/rpms/akmods-nvidia/kmods/kmod-nvidia*.rpm \
nvidia-driver-cuda \
nvidia-container-toolkit
fi


@@ -1,15 +0,0 @@
#!/bin/sh
set -ouex pipefail
## CONDITIONAL: post-install ZFS
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
echo "no post-install tasks for ZFS"
fi
## CONDITIONAL: post-install NVIDIA
if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo
semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp
fi


@@ -21,8 +21,6 @@ FROM quay.io/fedora/fedora-coreos:${IMAGE_VERSION} AS ucore-minimal
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia
ARG NVIDIA_TAG="${NVIDIA_TAG}"
# build with --build-arg ZFS_TAG="-zfs" to install zfs
ARG ZFS_TAG="${ZFS_TAG}"
# these versions match docker/moby 27.5.1 which FCOS ships as of 42.20250410
ARG DOCKER_BUILDX_VERSION=0.20.0
@@ -50,7 +48,6 @@ FROM ucore-minimal AS ucore
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG NVIDIA_TAG="${NVIDIA_TAG}"
ARG ZFS_TAG="${ZFS_TAG}"
RUN --mount=type=cache,dst=/var/cache/libdnf5 \
--mount=type=cache,dst=/var/cache/rpm-ostree \
@@ -63,7 +60,6 @@ FROM ucore AS ucore-hci
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG NVIDIA_TAG="${NVIDIA_TAG}"
ARG ZFS_TAG="${ZFS_TAG}"
RUN --mount=type=cache,dst=/var/cache/libdnf5 \
--mount=type=cache,dst=/var/cache/rpm-ostree \


@@ -55,12 +55,10 @@ else
/tmp/rpms/kernel/kernel-modules-*.rpm
fi
## CONDITIONAL: install ZFS (and sanoid deps)
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
dnf -y install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
# for some reason depmod ran automatically with zfs 2.1 but not with 2.2
depmod -a -v ${KERNEL_VERSION}
fi
## ALWAYS: install ZFS (and sanoid deps)
dnf -y install /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm
# for some reason depmod ran automatically with zfs 2.1 but not with 2.2
depmod -a -v ${KERNEL_VERSION}
## CONDITIONAL: install NVIDIA
if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
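Review bot: The `## ALWAYS: install ZFS (and sanoid deps)` header no longer matches the command under it: the new `dnf -y install` line drops `pv`, apparently the dependency the header refers to, and this commit adds `pv` to packages.json instead. I would reword it to `## ALWAYS: install ZFS kmod RPMs (pv and sanoid are installed via packages.json)` so the next reader does not look for those packages here. While touching the block, `depmod -a -v ${KERNEL_VERSION}` could quote its argument, `depmod -a -v "${KERNEL_VERSION}"`. The hunk starts inside an `else` branch whose `if` is outside the view.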


@@ -4,36 +4,28 @@ set -ouex pipefail
RELEASE="$(rpm -E %fedora)"
## CONDITIONAL: install sanoid if ZFS
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
dnf -y install sanoid
fi
# install packages.json stuffs
export IMAGE_NAME=ucore
/ctx/packages.sh
## CONDITIONAL: ZFS support
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
# cockpit plugin for ZFS management
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-api.json \
"https://api.github.com/repos/45Drives/cockpit-zfs-manager/releases/latest"
CZM_TGZ_URL=$(jq -r .tarball_url /tmp/cockpit-zfs-manager-api.json)
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager.tar.gz "${CZM_TGZ_URL}"
# cockpit plugin for ZFS management
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-api.json \
"https://api.github.com/repos/45Drives/cockpit-zfs-manager/releases/latest"
CZM_TGZ_URL=$(jq -r .tarball_url /tmp/cockpit-zfs-manager-api.json)
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager.tar.gz "${CZM_TGZ_URL}"
mkdir -p /tmp/cockpit-zfs-manager
tar -zxvf /tmp/cockpit-zfs-manager.tar.gz -C /tmp/cockpit-zfs-manager --strip-components=1
mv /tmp/cockpit-zfs-manager/polkit-1/actions/* /usr/share/polkit-1/actions/
mv /tmp/cockpit-zfs-manager/polkit-1/rules.d/* /usr/share/polkit-1/rules.d/
mv /tmp/cockpit-zfs-manager/zfs /usr/share/cockpit
mkdir -p /tmp/cockpit-zfs-manager
tar -zxvf /tmp/cockpit-zfs-manager.tar.gz -C /tmp/cockpit-zfs-manager --strip-components=1
mv /tmp/cockpit-zfs-manager/polkit-1/actions/* /usr/share/polkit-1/actions/
mv /tmp/cockpit-zfs-manager/polkit-1/rules.d/* /usr/share/polkit-1/rules.d/
mv /tmp/cockpit-zfs-manager/zfs /usr/share/cockpit
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-font-fix.sh \
https://raw.githubusercontent.com/45Drives/scripts/refs/heads/main/cockpit_font_fix/fix-cockpit.sh
chmod +x /tmp/cockpit-zfs-manager-font-fix.sh
/tmp/cockpit-zfs-manager-font-fix.sh
curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-font-fix.sh \
https://raw.githubusercontent.com/45Drives/scripts/refs/heads/main/cockpit_font_fix/fix-cockpit.sh
chmod +x /tmp/cockpit-zfs-manager-font-fix.sh
/tmp/cockpit-zfs-manager-font-fix.sh
rm -rf /tmp/cockpit-zfs-manager*
fi
rm -rf /tmp/cockpit-zfs-manager*
# install packages direct from github
/ctx/github-release-install.sh trapexit/mergerfs "fc${RELEASE}.x86_64"
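Review bot: The cockpit-zfs-manager block, now unconditional, pulls its inputs from moving references with no pin or integrity check: the tarball comes from `releases/latest` and `fix-cockpit.sh` from `refs/heads/main`, and the script is then executed during the build. With the `-zfs` guard gone, this runs for every build that uses this script, and the unpacked files land in `/usr/share/polkit-1/` and `/usr/share/cockpit`, so whatever those references point to at build time is shipped in the published image. Pinning both downloads to a fixed ref and checking a recorded digest would make the build reproducible and reviewable. For the script that means fetching `https://raw.githubusercontent.com/45Drives/scripts/<PINNED_COMMIT_SHA>/cockpit_font_fix/fix-cockpit.sh` and running `echo "<EXPECTED_SHA256>  /tmp/cockpit-zfs-manager-font-fix.sh" | sha256sum -c -` before the `chmod +x` (both values are placeholders). The same applies to the tarball, using a release tag in place of `latest`.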


@@ -14,6 +14,7 @@
"open-vm-tools",
"podman",
"podman-compose",
"pv",
"qemu-guest-agent",
"tailscale",
"tmux",
@@ -40,6 +41,7 @@
"realtek-firmware",
"samba",
"samba-usershares",
"sanoid",
"snapraid",
"tiwilink-firmware",
"usbutils",


@@ -2,11 +2,6 @@
set -ouex pipefail
## CONDITIONAL: post-install ZFS
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
echo "no post-install tasks for ZFS"
fi
## CONDITIONAL: post-install NVIDIA
if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo