Add CentOS Stream keys, add cosa podman-build#4054

Merged
jlebon merged 2 commits into coreos:main from jlebon:pr/layering-tweaks
Apr 1, 2025
Conversation

@jlebon jlebon commented Mar 31, 2025

See individual commit messages. Goes together with openshift/os#1780.

jlebon added 2 commits March 31, 2025 10:38
This goes together with a related patch in openshift/os. Copying the
same context from that one:

A long-standing issue that rears its head in various places in our
code is the fact that the repo files for CentOS Stream reference a
`gpgkey` path that is valid only for cosa but not within a CentOS Stream
environment. See e.g. 0a7ad3b ("extensions: Workaround for CentOS GPG
key paths") in the openshift/os repo for an example issue.

We don't have this problem with RHEL because cosa, being Fedora-based,
ships the Red Hat key in its `/etc/pki/rpm-gpg`. I want to address this
for CentOS Stream the same way, i.e. by adding the CentOS Stream keys to
`/etc/pki/rpm-gpg` in cosa. This should allow us to simplify code there.

This is basically a thin wrapper around `podman build` to make it easier
to get the arguments right. The fanciest part really is the passing of
the secret repos file into the build environment.

Example usage:

```
cosa podman-build node
cosa podman-build extensions
```

Additional arguments are passed through to `podman build`.
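The mismatch the first commit message describes (a repo file whose `gpgkey` path resolves inside cosa but not inside a CentOS Stream environment) can be caught before a build fails at package verification. The check below is an added example, not cosa or openshift/os code: it walks a directory of `.repo` files and reports every `gpgkey=file://` key that does not exist under a given root. It assumes POSIX sh with `sed` and `mktemp`; the repo files and key in `demo()` are constructed.

```shell
# Added example, not cosa or openshift/os code. check_gpgkeys REPO_DIR [ROOT]
# prints "<repo file>: <key path>" for every gpgkey=file:// reference in
# REPO_DIR/*.repo whose key does not exist under ROOT (default "/"), and
# returns 1 if any are missing. ROOT lets you point it at e.g. a mounted
# CentOS Stream image root instead of the cosa host filesystem.
check_gpgkeys() {
    repo_dir=$1
    root=${2:-}
    missing=0
    for f in "$repo_dir"/*.repo; do
        [ -e "$f" ] || continue
        # a gpgkey line may carry several whitespace-separated URLs
        for url in $(sed -n 's/^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*//p' "$f"); do
            case $url in
                file://*) path=${url#file://} ;;
                *) continue ;;   # http(s) keys are fetched by dnf, not checked here
            esac
            if [ ! -f "$root$path" ]; then
                echo "$f: $path"
                missing=1
            fi
        done
    done
    return $missing
}

# demo with constructed input: a.repo's key exists under the fake root,
# b.repo's key path is the kind that resolves only inside cosa
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/etc/pki/rpm-gpg" "$tmp/repos"
    echo "constructed fake key" > "$tmp/root/etc/pki/rpm-gpg/RPM-GPG-KEY-present"
    printf '[a]\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-present\n' > "$tmp/repos/a.repo"
    printf '[b]\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-missing\n' > "$tmp/repos/b.repo"
    check_gpgkeys "$tmp/repos" "$tmp/root"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# running the file directly reports b.repo's missing key and exits 1
demo; echo "demo exit status: $?"
```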
@ravanelli ravanelli left a comment

LGTM

jlebon commented Mar 31, 2025

```
[2025-03-31T14:45:58.675Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] Updating and loading repositories:
[2025-03-31T14:46:00.282Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1]  Fedora 41 - x86_64 - Updates           100% |   6.5 MiB/s |  12.0 MiB |  00m02s
[2025-03-31T14:46:00.506Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1]  Fedora 41 openh264 (From Cisco) - x86_ 100% |  43.9 KiB/s |   6.0 KiB |  00m00s
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1]  f41-coreos-continuous                  100% |  21.0 KiB/s | 796.0   B |  00m00s
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] >>> Status code: 403 for https://kojipkgs.fedoraproject.org/repos-dist/f41-coreo
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] >>> Status code: 403 for https://kojipkgs.fedoraproject.org/repos-dist/f41-coreo
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] >>> Status code: 403 for https://kojipkgs.fedoraproject.org/repos-dist/f41-coreo
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] >>> Status code: 403 for https://kojipkgs.fedoraproject.org/repos-dist/f41-coreo
[2025-03-31T14:46:00.547Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] >>> Librepo error: Cannot download repomd.xml: Cannot download repodata/repomd.x
[2025-03-31T14:46:02.057Z] [logs:build/coreos-ci-coreos-assembler-84a03164-ed23-44e6-ba58-50a3926323f9-1] Failed to download metadata (baseurl: "https://kojipkgs.fedoraproject.org/repos-dist/f41-coreos-continuous/latest/x86_64/") for repository "f41-coreos-continuous"
```

Sigh. Looks like our continuous repo was nuked again.

jlebon commented Mar 31, 2025

/retest

@jlebon jlebon merged commit 2e3b3ee into coreos:main Apr 1, 2025
5 checks passed
@jlebon jlebon deleted the pr/layering-tweaks branch April 1, 2025 02:40
@dustymabe

Is this intended to be run inside the cosa container?

When I run it it gives me:

```
+ podman build --from 'oci-archive:builds/latest/x86_64/"rhcos-9.6.20250403-0-ostree.x86_64.ociarchive"' -t localhost/rhcos-4.19-9.6.20250403-0-node -f src/config/Containerfile --secret id=yumrepos,src=/srv/tmp/all.repo -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro --security-opt label=disable src/config
ERRO[0000] running `/usr/bin/newuidmap 72 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted 
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
failed to execute cmd-podman-build: exit status 125
```

jlebon commented Apr 3, 2025

> Is this intended to be run inside the cosa container?
>
> When I run it it gives me:
>
> ```
> + podman build --from 'oci-archive:builds/latest/x86_64/"rhcos-9.6.20250403-0-ostree.x86_64.ociarchive"' -t localhost/rhcos-4.19-9.6.20250403-0-node -f src/config/Containerfile --secret id=yumrepos,src=/srv/tmp/all.repo -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro --security-opt label=disable src/config
> ERRO[0000] running `/usr/bin/newuidmap 72 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted 
> Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
> failed to execute cmd-podman-build: exit status 125
> ```

Hmm.. yeah. This kinda was written for my workflow I guess :), which is that cosa is just in my pet container and podman proxies to the host podman. Could also support something similar in the cosa alias though.

I mean, we could also transparently do `cosa supermin-run "$@"` but the goal of this command isn't to have a "productized" path, it's just a helper to make it easier for you to run podman. I guess it could be something like `podman build $(cosa podman-build --args)`?

@dustymabe

> I guess it could be something like `podman build $(cosa podman-build --args)`?

Yeah this would be nice, but the problem there is the paths inside and outside of COSA are different so I don't think it would work.

jlebon commented Apr 3, 2025

Yeah, I guess it'd need to be `podman build $(cosa podman-build --args --hostpath $(pwd))` and we could do the path tweaking necessary for the secret (everything else is relative so should be fine I think).
