diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index af29364..75d5b4f 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -84,247 +84,6 @@ jobs: run: | echo "${{ steps.fetch.outputs.outputs }}" - build_fcos: - name: fedora-coreos - runs-on: ubuntu-24.04 - if: always() && !cancelled() - needs: [workflow_info, stream_info] - permissions: - contents: read - packages: write - id-token: write - env: - FEDORA_VERSION: ${{ needs.stream_info.outputs.fedora}} - IMAGE_NAME: fedora-coreos - IMAGE_VERSION: ${{ needs.stream_info.outputs.image}} - KERNEL_FLAVOR: coreos-${{ inputs.coreos_version }} - KERNEL_VERSION: ${{ needs.stream_info.outputs.kernel}} - PR_PREFIX: ${{ needs.workflow_info.outputs.pr_prefix }} - strategy: - fail-fast: false - matrix: - nvidia_tag: - - "-nvidia" - - "" - zfs_tag: - - "-zfs" - - "" - exclude: - - nvidia_tag: "" - zfs_tag: "" - steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action - uses: actions/checkout@v4 - - - name: Pull base and kmod images - uses: Wandalen/wretry.action@v3.8.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - podman pull quay.io/fedora/fedora-coreos:${{ env.IMAGE_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} - podman pull ${{ env.IMAGE_REGISTRY }}/config:latest - - - name: Verify versions - shell: bash - run: | - set -x - if [ -z "${{ env.FEDORA_VERSION }}" ] || [ "null" = "${{ env.FEDORA_VERSION }}" ]; then - echo "env.FEDORA_VERSION must not be empty or null" - exit 1 - fi - if [ -z "${{ env.IMAGE_VERSION }}" ] || [ "null" = "${{ env.IMAGE_VERSION }}" ]; then - echo "env.IMAGE_VERSION must not be empty or null" - exit 1 - fi - if [ -z "${{ env.KERNEL_VERSION }}" ] || [ "null" = "${{ 
env.KERNEL_VERSION }}" ]; then - echo "env.KERNEL_VERSION must not be empty or null" - exit 1 - fi - podman inspect ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Verify versions (nvidia) - if: matrix.nvidia_tag == '-nvidia' - shell: bash - run: | - set -x - podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods-nvidia image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Verify versions (ZFS) - if: matrix.zfs_tag == '-zfs' - shell: bash - run: | - set -x - podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - - name: Generate tags - id: generate-tags - shell: bash - run: | - # Generate a timestamp for creating an image version history - TIMESTAMP="$(date +%Y%m%d)" - COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}" - - COMMIT_TAGS=() - BUILD_TAGS=() - - # Have tags for tracking builds during pull request - SHA_SHORT="${GITHUB_SHA::7}" - COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}") - COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}") - - BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}") - - if [[ 
"${{ github.event_name }}" == "pull_request" ]]; then - echo "Generated the following commit tags: " - for TAG in "${COMMIT_TAGS[@]}"; do - echo "${TAG}" - done - - alias_tags=("${COMMIT_TAGS[@]}") - else - alias_tags=("${BUILD_TAGS[@]}") - fi - - echo "Generated the following build tags: " - for TAG in "${BUILD_TAGS[@]}"; do - echo "${TAG}" - done - - echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT - - # Build metadata - - name: Image Metadata - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ env.IMAGE_NAME }} - labels: | - io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md - org.opencontainers.image.description=An OCI image of Fedora CoreOS with NVIDIA and/or ZFS pre-installed - org.opencontainers.image.title=${{ env.IMAGE_NAME }} - org.opencontainers.image.version=${{ env.IMAGE_VERSION }} - - # Build image using Buildah action - - name: Build Image - id: build_image - uses: redhat-actions/buildah-build@v2 - with: - containerfiles: | - ./fedora-coreos/Containerfile - context: ./fedora-coreos - image: ${{ env.IMAGE_NAME }} - tags: | - ${{ steps.generate-tags.outputs.alias_tags }} - build-args: | - COREOS_VERSION=${{ inputs.coreos_version }} - FEDORA_VERSION=${{ env.FEDORA_VERSION }} - IMAGE_VERSION=${{ env.IMAGE_VERSION }} - IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} - KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }} - PR_PREFIX=${{ env.PR_PREFIX }} - NVIDIA_TAG=${{ matrix.nvidia_tag }} - ZFS_TAG=${{ matrix.zfs_tag }} - labels: ${{ steps.meta.outputs.labels }} - oci: false - - - name: Check Secureboot - shell: bash - run: | - set -x - if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! 
$(command -v openssl) ]]; then - sudo apt update - sudo apt install sbsigntool curl openssl - fi - podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 - podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . - podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) - sbverify --list vmlinuz - curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der - curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der - openssl x509 -in kernel-sign.der -out kernel-sign.crt - openssl x509 -in akmods.der -out akmods.crt - sbverify --cert kernel-sign.crt vmlinuz || exit 1 - sbverify --cert akmods.crt vmlinuz || exit 1 - - # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. 
- # https://github.com/macbre/push-to-ghcr/issues/12 - - name: Lowercase Registry - id: registry_case - uses: ASzc/change-string-case-action@v6 - with: - string: ${{ env.IMAGE_REGISTRY }} - - # Push the image to GHCR (Image Registry) - - name: Push To GHCR - uses: Wandalen/wretry.action@v3.8.0 - id: push - if: github.event_name != 'pull_request' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - with: - action: redhat-actions/push-to-registry@v2 - attempt_limit: 3 - attempt_delay: 15000 - with: | - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - if: github.event_name != 'pull_request' - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Sign container - - uses: sigstore/cosign-installer@v3.8.2 - if: github.event_name != 'pull_request' - - - name: Sign container image - if: github.event_name != 'pull_request' - run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} - env: - TAGS: ${{ steps.push.outputs.outputs && fromJSON(steps.push.outputs.outputs).digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} - - - name: Echo outputs - if: github.event_name != 'pull_request' - run: | - echo "${{ toJSON(steps.push.outputs) }}" - build_ucore: name: ucore runs-on: ubuntu-24.04 @@ -351,9 +110,6 @@ jobs: nvidia_tag: - "-nvidia" - "" - zfs_tag: - - "-zfs" - - "" include: - image_suffix: "-minimal" description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM 
@@ -389,7 +145,7 @@ jobs: podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/config:latest - - name: Verify versions + - name: Verify versions (image, kernel, zfs) shell: bash run: | set -x @@ -411,6 +167,12 @@ jobs: echo "pulled akmods image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" exit 1 fi + podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json + kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json) + if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then + echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" + exit 1 + fi - name: Verify versions (nvidia) if: matrix.nvidia_tag == '-nvidia' @@ -424,25 +186,13 @@ jobs: exit 1 fi - - name: Verify versions (ZFS) - if: matrix.zfs_tag == '-zfs' - shell: bash - run: | - set -x - podman inspect ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} > inspect.json - kernel=$(jq -r '.[]["Config"]["Labels"]["ostree.linux"]' inspect.json) - if [[ "${{ env.KERNEL_VERSION }}" != "$kernel"* ]]; then - echo "pulled akmods-zfs image kernel ($kernel) does not match expected kernel (${{ env.KERNEL_VERSION }})" - exit 1 - fi - - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" - COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}" + COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}" COMMIT_TAGS=() BUILD_TAGS=() 
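Review bot: The akmods-zfs check added to the `Verify versions (image, kernel, zfs)` step passes when the `ostree.linux` label is an empty string, because `"${{ env.KERNEL_VERSION }}" != "$kernel"*` is a prefix match and an empty `$kernel` reduces the pattern to `*`. A missing label is rejected only incidentally, since jq prints `null` and the comparison then fails. Validate the value before comparing, e.g. `if [ -z "$kernel" ] || [ "null" = "$kernel" ]; then echo "akmods-zfs image has no ostree.linux label"; exit 1; fi`, in the same style as the env checks in the removed `build_fcos` step. ZFS now ships in every image, so this label comparison is the only check on the pulled akmods-zfs tag visible in this commit; the akmods and akmods-nvidia blocks appear to share the same pattern. The step body starts outside the hunk.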
@@ -453,6 +203,10 @@ jobs: COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}") BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}") + # always add the '-zfs' tag to each image since we include ZFS with them all + # and we want users of the existing '-zfs' images to still get updates + BUILD_TAGS+=("${COREOS_VERSION}-zfs") + BUILD_TAGS+=("${COREOS_VERSION}-zfs-${TIMESTAMP}") if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " @@ -509,7 +263,6 @@ jobs: KERNEL_FLAVOR=${{ env.KERNEL_FLAVOR }} PR_PREFIX=${{ env.PR_PREFIX }} NVIDIA_TAG=${{ matrix.nvidia_tag }} - ZFS_TAG=${{ matrix.zfs_tag }} labels: ${{ steps.meta.outputs.labels }} oci: false extra-args: | @@ -592,7 +345,7 @@ jobs: check: name: Check all successful runs-on: ubuntu-latest - needs: [build_fcos, build_ucore] + needs: [build_ucore] steps: - name: Exit shell: bash diff --git a/README.md b/README.md index c2657eb..e33f93e 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ Please take a look at the included modifications, and help us improve uCore if t - [Announcements](#announcements) - [Features](#features) - [Images](#images) - - [`fedora-coreos`](#fedora-coreos) - [`ucore-minimal`](#ucore-minimal) - [`ucore`](#ucore) - [`ucore-hci`](#ucore-hci) 
@@ -46,6 +45,20 @@ Please take a look at the included modifications, and help us improve uCore if t ## Announcements +### 2025.06.12 - uCore Build Streamlining + +In general, the Universal Blue project has been working to streamline various aspects of our builds. In several areas +this means we've cut back on images which do not have significant use, or otherwise found ways to build fewer images. + +For uCore, this means we are dropping builds of `fedora-coreos` images and reducing number of `ucore*` images by +including ZFS in all `ucore*` images both nvidia and non-nvidia. + +Existing tag structure for ZFS specific images will contine to work. The difference is that users running any +non-ZFS image, ZFS will be available on your system after it next updates. + +The team is committed to building and maintaing uCore. For questions about about recent project direction, please +see our discourse post, [uCore: Streamlining (not retiring)](https://universal-blue.discourse.group/t/ucore-lets-streamline-not-retiring/9098). + ### 2025.05.14 - uCore update to Fedora 42 As of today, Fedora CoreOS upstream has updated to kernel 6.14.3 and uCore has unpinned and is building on F42. 
@@ -72,41 +85,22 @@ We expect the next update of Fedora CoreOS to be on `6.11.6` per the current sta ## Features -The uCore project builds four images, each with different tags for different features. +The uCore project builds three images, optionally with nivida drivers. The image names are: -- [`fedora-coreos`](#fedora-coreos) - [`ucore-minimal`](#ucore-minimal) - [`ucore`](#ucore) - [`ucore-hci`](#ucore-hci) The [tag matrix](#tag-matrix) includes combinations of the following: -- `stable` - for an image based on the Fedora CoreOS stable stream -- `testing` - for an image based on the Fedora CoreOS testing stream -- `nvidia` - for an image which includes nvidia driver and container runtime -- `zfs` - for an image which includes zfs driver and tools +- `stable` - images based on Fedora CoreOS stable stream including zfs driver and tools +- `testing` - images based on Fedora CoreOS testing stream including zfs driver and tools +- `nvidia` - images which include nvidia driver and container runtime ### Images -#### `fedora-coreos` - -> [!IMPORTANT] -> This was previously named `fedora-coreos-zfs`, but that version of the image did not offer the nvidia option. If on the previous image name, please rebase with `rpm-ostree rebase`. 
- -A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image with choice of add-on kernel modules: - -- [nvidia versions](#tag-matrix) add: - - [nvidia driver](https://github.com/ublue-os/akmods) - latest driver built from negativo17's akmod package - - [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI - - [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia) -- [ZFS versions](#tag-matrix) add: - - [ZFS driver](https://github.com/ublue-os/akmods) - latest driver (currently pinned to 2.2.x series) - -> [!NOTE] -> zincati fails to start on all systems with OCI based deployments (like uCore). Upstream efforts are active to develop an alternative. - #### `ucore-minimal` Suitable for running containerized workloads on either bare metal or virtual machines, this image tries to stay lightweight but functional. 
@@ -122,13 +116,12 @@ Suitable for running containerized workloads on either bare metal or virtual mac - [tailscale](https://tailscale.com) and [wireguard-tools](https://www.wireguard.com) - [tmux](https://github.com/tmux/tmux/wiki/Getting-Started) - udev rules enabling full functionality on some [Realtek 2.5Gbit USB Ethernet](https://github.com/wget/realtek-r8152-linux/) devices + - [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) - [see below](#zfs) for details + - `pv` is installed with zfs as a complementary tool - Optional [nvidia versions](#tag-matrix) add: - [nvidia driver](https://github.com/ublue-os/ucore-kmods) - latest driver built from negativo17's akmod package - [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI - [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia) -- Optional [ZFS versions](#tag-matrix) add: - - [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) - [see below](#zfs) for details - - `pv` is installed with zfs as a complementary tool - Disables Zincati auto upgrade/reboot service - Enables staging of automatic system updates via rpm-ostreed - Enables password based SSH auth (required for locally running cockpit web interface) 
@@ -137,6 +130,9 @@ Suitable for running containerized workloads on either bare metal or virtual mac > [!IMPORTANT] > Per [cockpit's instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is provided as a pre-defined systemd service which runs a podman container. +> [!NOTE] +> zincati fails to start on all systems with OCI based deployments (like uCore). Upstream efforts are active to develop an alternative. + #### `ucore` This image builds on `ucore-minimal` but adds drivers, storage tools and utilities making it more useful on bare metal or as a storage server (NAS). 
@@ -176,14 +172,12 @@ Hyper-Coverged Infrastructure(HCI) refers to storage and hypervisor in one place | IMAGE | TAG | |-|-| -| [`fedora-coreos`](#fedora-coreos) - *stable* | `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | -| [`fedora-coreos`](#fedora-coreos) - *testing* | `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | -| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | -| [`ucore-minimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | -| [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | -| [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | -| [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | -| [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | +| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia` | +| [`ucore-minimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia` | +| [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia` | +| [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia` | +| [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia` | +| [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia` | ## Installation @@ -239,9 +233,6 @@ The `ucore*` images include container policies to support image verification for sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/IMAGE:TAG ``` -> [!NOTE] -> This policy is not included with `fedora-coreos:*` as those images are kept very stock.* - ## Tips and Tricks ### CoreOS and ostree Docs 
@@ -513,7 +504,7 @@ If going this path, you likely won't want to use the `ucore` `-nvidia` image, bu ### ZFS -If you installed an image with `-zfs` in the tag (or `fedora-coreos-zfs`), the ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default. +The ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default. Load it with the command `modprobe zfs` and use `zfs` and `zpool` commands as desired. diff --git a/fedora-coreos/Containerfile b/fedora-coreos/Containerfile deleted file mode 100644 index 3bdb616..0000000 --- a/fedora-coreos/Containerfile +++ /dev/null 
@@ -1,35 +0,0 @@ -ARG COREOS_VERSION="${COREOS_VERSION:-stable}" -ARG FEDORA_VERSION="${FEDORA_VERSION:-40}" -ARG IMAGE_VERSION="${IMAGE_VERSION:-stable}" -ARG IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/ublue-os}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}" - -# FROMs for copying -ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" -ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" -ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}" -FROM ${AKMODS_COMMON} AS akmods-common -FROM ${AKMODS_NVIDIA} AS akmods-nvidia -FROM ${AKMODS_ZFS} AS akmods-zfs - -FROM scratch AS ctx -COPY / / - -FROM quay.io/fedora/fedora-coreos:${IMAGE_VERSION} - -ARG COREOS_VERSION="${COREOS_VERSION:-stable}" -# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia -ARG NVIDIA_TAG="${NVIDIA_TAG}" -# build with --build-arg ZFS_TAG="-zfs" to install zfs -ARG ZFS_TAG="${ZFS_TAG}" - - -RUN --mount=type=cache,dst=/var/cache/rpm-ostree \ - --mount=type=bind,from=ctx,src=/,dst=/ctx \ - --mount=type=bind,from=akmods-common,src=/rpms/ucore,dst=/tmp/rpms/akmods-common \ - --mount=type=bind,from=akmods-nvidia,src=/rpms,dst=/tmp/rpms/akmods-nvidia \ - --mount=type=bind,from=akmods-zfs,src=/rpms,dst=/tmp/rpms/akmods-zfs \ - --mount=type=bind,from=akmods-common,src=/kernel-rpms,dst=/tmp/rpms/kernel \ - /ctx/install.sh \ - && /ctx/post-install.sh \ - && /ctx/cleanup.sh \ No newline at end of file diff --git a/fedora-coreos/cleanup.sh b/fedora-coreos/cleanup.sh deleted file mode 100755 index 1552eb5..0000000 --- a/fedora-coreos/cleanup.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/bash - -set -eoux pipefail - -rm -rf /tmp/* || true -find /var/* -maxdepth 0 -type d -exec rm -fr {} \; - -# this currently fails on /usr/etc -#bootc container lint -ostree container commit -mkdir -p /var/tmp \ -&& chmod -R 1777 /var/tmp \ No newline at end of file 
diff --git a/fedora-coreos/install.sh b/fedora-coreos/install.sh
deleted file mode 100755
index 65d7a40..0000000
--- a/fedora-coreos/install.sh
+++ /dev/null
@@ -1,75 +0,0 @@ -#!/bin/sh - -set -ouex pipefail - -ARCH="$(rpm -E %{_arch})" -RELEASE="$(rpm -E %fedora)" -pushd /tmp/rpms/kernel -KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//') -popd -QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" - -#### PREPARE -# enable testing repos if not enabled on testing stream -if [[ "testing" == "${COREOS_VERSION}" ]]; then -for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing.repo); do - if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then - echo "enabling $REPO" && - sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO} - fi -done -fi - -# enable ublue-os repos -dnf -y install dnf5-plugins -dnf -y copr enable ublue-os/packages - -# always disable cisco-open264 repo -sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo - -#### INSTALL -# inspect to see what RPMS we copied in -find /tmp/rpms/ - -dnf -y install /tmp/rpms/akmods-common/ublue-os-ucore-addons*.rpm -dnf -y install ublue-os-signing - -# Handle Kernel Skew with override replace -if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then - echo "Installing signed kernel from kernel-cache." - cd /tmp - rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv - cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz - cd / -else - # Remove Existing Kernel - for pkg in kernel kernel-core kernel-modules kernel-modules-core kernel-modules-extra; do - rpm --erase $pkg --nodeps - done - echo "Install kernel version ${KERNEL_VERSION} from kernel-cache." 
- dnf -y install \ - /tmp/rpms/kernel/kernel-[0-9]*.rpm \ - /tmp/rpms/kernel/kernel-core-*.rpm \ - /tmp/rpms/kernel/kernel-modules-*.rpm -fi - -## CONDITIONAL: install ZFS -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - dnf -y install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm - # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -a -v ${KERNEL_VERSION} -fi - -## CONDITIONAL: install NVIDIA -if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then - # repo for nvidia rpms - curl -L https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo - - dnf -y install /tmp/rpms/akmods-nvidia/ucore/ublue-os-ucore-nvidia*.rpm - sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo - - dnf -y install \ - /tmp/rpms/akmods-nvidia/kmods/kmod-nvidia*.rpm \ - nvidia-driver-cuda \ - nvidia-container-toolkit -fi diff --git a/fedora-coreos/post-install.sh b/fedora-coreos/post-install.sh deleted file mode 100755 index 48c3969..0000000 --- a/fedora-coreos/post-install.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -set -ouex pipefail - -## CONDITIONAL: post-install ZFS -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - echo "no post-install tasks for ZFS" -fi - -## CONDITIONAL: post-install NVIDIA -if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then - sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo - - semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp -fi \ No newline at end of file diff --git a/ucore/Containerfile b/ucore/Containerfile index 672cf6e..d548019 100644 --- a/ucore/Containerfile +++ b/ucore/Containerfile 
@@ -21,8 +21,6 @@ FROM quay.io/fedora/fedora-coreos:${IMAGE_VERSION} AS ucore-minimal ARG COREOS_VERSION="${COREOS_VERSION:-stable}" # build with --build-arg NVIDA_TAG="-nvidia" to install nvidia ARG NVIDIA_TAG="${NVIDIA_TAG}" -# build with --build-arg ZFS_TAG="-zfs" to install zfs -ARG ZFS_TAG="${ZFS_TAG}" # these versions match docker/moby 27.5.1 which FCOS ships as of 42.20250410 ARG DOCKER_BUILDX_VERSION=0.20.0 @@ -50,7 +48,6 @@ FROM ucore-minimal AS ucore ARG COREOS_VERSION="${COREOS_VERSION:-stable}" ARG NVIDIA_TAG="${NVIDIA_TAG}" -ARG ZFS_TAG="${ZFS_TAG}" RUN --mount=type=cache,dst=/var/cache/libdnf5 \ --mount=type=cache,dst=/var/cache/rpm-ostree \ @@ -63,7 +60,6 @@ FROM ucore AS ucore-hci ARG COREOS_VERSION="${COREOS_VERSION:-stable}" ARG NVIDIA_TAG="${NVIDIA_TAG}" -ARG ZFS_TAG="${ZFS_TAG}" RUN --mount=type=cache,dst=/var/cache/libdnf5 \ --mount=type=cache,dst=/var/cache/rpm-ostree \ diff --git a/ucore/install-ucore-minimal.sh b/ucore/install-ucore-minimal.sh index 75fb229..4a2f386 100755 --- a/ucore/install-ucore-minimal.sh +++ b/ucore/install-ucore-minimal.sh @@ -55,12 +55,10 @@ else /tmp/rpms/kernel/kernel-modules-*.rpm fi -## CONDITIONAL: install ZFS (and sanoid deps) -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - dnf -y install pv /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm - # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -a -v ${KERNEL_VERSION} -fi +## ALWAYS: install ZFS (and sanoid deps) +dnf -y install /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm /tmp/rpms/akmods-zfs/kmods/zfs/other/zfs-dracut-*.rpm +# for some reason depmod ran automatically with zfs 2.1 but not with 2.2 +depmod -a -v ${KERNEL_VERSION} ## CONDITIONAL: install NVIDIA if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then diff --git a/ucore/install-ucore.sh b/ucore/install-ucore.sh index 87c44a7..399c868 100755 --- a/ucore/install-ucore.sh +++ b/ucore/install-ucore.sh 
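Review bot: The now-unconditional `dnf -y install /tmp/rpms/akmods-zfs/kmods/zfs/*.rpm ...` in install-ucore-minimal.sh puts an out-of-tree kernel module into every image with its trust assumption undocumented. dnf does not, by default, enforce GPG signatures on local package files, so integrity rests on the provenance of the akmods-zfs image these files are mounted from. I would record that next to the install, e.g. `# RPMs come from the akmods-zfs image mounted at /tmp/rpms/akmods-zfs; local files are not GPG-checked by default, so that image is the trust anchor`. I would also quote the expansion in `depmod -a -v "${KERNEL_VERSION}"`. The surrounding script starts and ends outside the hunk.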
@@ -4,36 +4,28 @@ set -ouex pipefail RELEASE="$(rpm -E %fedora)" -## CONDITIONAL: install sanoid if ZFS -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - dnf -y install sanoid -fi - # install packages.json stuffs export IMAGE_NAME=ucore /ctx/packages.sh -## CONDITIONAL: ZFS support -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - # cockpit plugin for ZFS management - curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-api.json \ - "https://api.github.com/repos/45Drives/cockpit-zfs-manager/releases/latest" - CZM_TGZ_URL=$(jq -r .tarball_url /tmp/cockpit-zfs-manager-api.json) - curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager.tar.gz "${CZM_TGZ_URL}" +# cockpit plugin for ZFS management +curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-api.json \ + "https://api.github.com/repos/45Drives/cockpit-zfs-manager/releases/latest" +CZM_TGZ_URL=$(jq -r .tarball_url /tmp/cockpit-zfs-manager-api.json) +curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager.tar.gz "${CZM_TGZ_URL}" - mkdir -p /tmp/cockpit-zfs-manager - tar -zxvf /tmp/cockpit-zfs-manager.tar.gz -C /tmp/cockpit-zfs-manager --strip-components=1 - mv /tmp/cockpit-zfs-manager/polkit-1/actions/* /usr/share/polkit-1/actions/ - mv /tmp/cockpit-zfs-manager/polkit-1/rules.d/* /usr/share/polkit-1/rules.d/ - mv /tmp/cockpit-zfs-manager/zfs /usr/share/cockpit +mkdir -p /tmp/cockpit-zfs-manager +tar -zxvf /tmp/cockpit-zfs-manager.tar.gz -C /tmp/cockpit-zfs-manager --strip-components=1 +mv /tmp/cockpit-zfs-manager/polkit-1/actions/* /usr/share/polkit-1/actions/ +mv /tmp/cockpit-zfs-manager/polkit-1/rules.d/* /usr/share/polkit-1/rules.d/ +mv /tmp/cockpit-zfs-manager/zfs /usr/share/cockpit - curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-font-fix.sh \ - https://raw.githubusercontent.com/45Drives/scripts/refs/heads/main/cockpit_font_fix/fix-cockpit.sh - chmod +x /tmp/cockpit-zfs-manager-font-fix.sh - 
/tmp/cockpit-zfs-manager-font-fix.sh +curl --fail --retry 15 --retry-all-errors -sSL -o /tmp/cockpit-zfs-manager-font-fix.sh \ + https://raw.githubusercontent.com/45Drives/scripts/refs/heads/main/cockpit_font_fix/fix-cockpit.sh +chmod +x /tmp/cockpit-zfs-manager-font-fix.sh +/tmp/cockpit-zfs-manager-font-fix.sh - rm -rf /tmp/cockpit-zfs-manager* -fi +rm -rf /tmp/cockpit-zfs-manager* # install packages direct from github /ctx/github-release-install.sh trapexit/mergerfs "fc${RELEASE}.x86_64" diff --git a/ucore/packages.json b/ucore/packages.json index f021d45..fa4047b 100644 --- a/ucore/packages.json +++ b/ucore/packages.json @@ -14,6 +14,7 @@ "open-vm-tools", "podman", "podman-compose", + "pv", "qemu-guest-agent", "tailscale", "tmux", @@ -40,6 +41,7 @@ "realtek-firmware", "samba", "samba-usershares", + "sanoid", "snapraid", "tiwilink-firmware", "usbutils", diff --git a/ucore/post-install-ucore-minimal.sh b/ucore/post-install-ucore-minimal.sh index 9f117bf..3f783a1 100755 --- a/ucore/post-install-ucore-minimal.sh +++ b/ucore/post-install-ucore-minimal.sh @@ -2,11 +2,6 @@ set -ouex pipefail -## CONDITIONAL: post-install ZFS -if [[ "-zfs" == "${ZFS_TAG}" ]]; then - echo "no post-install tasks for ZFS" -fi - ## CONDITIONAL: post-install NVIDIA if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo
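Review bot: With the `ZFS_TAG` guard removed in install-ucore.sh, every `ucore` build (and `ucore-hci`, which is built `FROM ucore`) now downloads and executes `fix-cockpit.sh` from `refs/heads/main` of 45Drives/scripts, with no pin or digest check. The same builds unpack whatever `releases/latest` of cockpit-zfs-manager resolves to, including files moved into `/usr/share/polkit-1/actions/` and `/usr/share/polkit-1/rules.d/`. Both references are mutable, so an upstream change lands in the published image without any change in this repository, and polkit rules and a script run at build time are privileged content. Pin both: fetch the script from a commit URL such as `https://raw.githubusercontent.com/45Drives/scripts/<PINNED_COMMIT>/cockpit_font_fix/fix-cockpit.sh`, request a fixed release tag instead of `latest`, and verify the tarball with `echo "<EXPECTED_SHA256>  /tmp/cockpit-zfs-manager.tar.gz" | sha256sum -c -` before `tar -zxvf`. The values in angle brackets are placeholders to be filled from a reviewed upstream revision.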