feat: switch from GNOME 48 to GNOME 49 #1207
Switch the GNOME COPR from jreilly1821/c10s-gnome (48.x backport) to
jreilly1821/c10s-gnome-49 which tracks Fedora F43 dist-git.
EL10-specific workarounds required (all confirmed working in live VM
testing against a centos-bootc:stream10 base):
1. Pre-upgrade fontconfig before the GNOME group install — COPR pango
1.57 links FcConfigSetDefaultSubstitute which was added in fontconfig
2.17.0; EL10 base ships 2.15.0 causing a symbol lookup error that
prevents gnome-shell from starting.
2. Pre-upgrade gobject-introspection and gjs — glib2 2.84+ ships both
libgirepository-1.0 and libgirepository-2.0. If only one is upgraded,
both get loaded and the double-registration of GIRepository crashes
gnome-shell at startup.
3. Add dbus-daemon to the GNOME package install — GDM's
gdm-wayland-session requires dbus-daemon to start the session message
bus. It is only a Recommends: of gdm (not Requires:) so bootc image
builds prune it; must be installed explicitly.
4. Add gnome49-el10-compat — provides two things:
- PAM fix for systemd-user: GDM 49 allocates dynamic gdm-greeter-N
users via systemd's Varlink userdb API; pam_unix returns
PAM_AUTHINFO_UNAVAIL for these transient users, blocking login.
Override replaces the account phase with pam_permit.so.
- SELinux policy module (priority 300): selinux-policy 43.1 lacks
rules for GDM 49's userdb Varlink socket. Module grants xdm_t the
ability to create the socket in /run/systemd/userdb/ and allows the
required domains (systemd_userdbd_t, policykit_t, init_t, etc.) to
connect to it. Required for enforcing mode.
5. Remove the gnome-shell-48.3 swap and python3-dnf-plugin-versionlock
install (already handled by dnf-command(versionlock) earlier).
Extend versionlock to cover gobject-introspection, gjs, and pango —
all of which must stay at COPR versions to avoid library mismatches.
Tested on: quay.io/centos-bootc/centos-bootc:stream10
Result: GDM greeter reached, gnome-shell session started, enforcing
SELinux clean (AVC-free for GDM/GNOME paths).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
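A build-time gate for the package preconditions listed in the commit message above, as an added example that is not part of the PR or the project's build scripts. The function names, the two input formats and the sample versions (other than fontconfig 2.15.0 and 2.17.0) are assumptions.

```shell
#!/bin/sh
# Added example: pre-ship gate for the preconditions in the commit message.
# manifest: lines of "name version", e.g. rpm -qa --qf '%{NAME} %{VERSION}\n'
# locked:   one versionlocked package name per line (assumed input format).

# ver_ge A B: true when dotted numeric version A >= B.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++)
            if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
        exit 0
    }'
}

# pkg_version MANIFEST NAME: print NAME's version, or nothing if absent.
pkg_version() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# check_gnome49_image MANIFEST LOCKED: one line per unmet precondition; 0 if none.
check_gnome49_image() {
    manifest=$1; locked=$2; rc=0
    v=$(pkg_version "$manifest" fontconfig)
    if [ -z "$v" ] || ! ver_ge "$v" 2.17.0; then
        echo "fontconfig ${v:-absent}: need >= 2.17.0 for pango 1.57"; rc=1
    fi
    for p in dbus-daemon gnome49-el10-compat; do
        [ -n "$(pkg_version "$manifest" "$p")" ] || { echo "$p: not installed"; rc=1; }
    done
    for p in gobject-introspection gjs pango; do
        printf '%s\n' "$locked" | grep -qxF "$p" || { echo "$p: not versionlocked"; rc=1; }
    done
    return "$rc"
}

# Constructed sample data (not taken from a real image).
BASE_MANIFEST='fontconfig 2.15.0
gdm 49.0'
FIXED_MANIFEST='fontconfig 2.17.0
gdm 49.0
dbus-daemon 1.14.10
gnome49-el10-compat 1.0'
FIXED_LOCKS='gobject-introspection
gjs
pango'

check_gnome49_image "$BASE_MANIFEST" "" || echo "base image: not ready"
check_gnome49_image "$FIXED_MANIFEST" "$FIXED_LOCKS" && echo "fixed image: ok"
```

Failing the build on a non-zero return turns the symbol-lookup and missing-bus failures described above into a build error instead of a greeter that never appears.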
Pull request overview
This PR updates the CentOS Stream 10 GNOME stack to track GNOME 49 by switching to the GNOME 49 COPR and adding several pre-install/workaround steps to ensure the desktop stack boots cleanly (including under enforcing SELinux).
Changes:
- Switch GNOME COPR from the GNOME 48 backport repo to the GNOME 49 tracking repo.
- Pre-upgrade and versionlock key runtime components (glib2/fontconfig and related GNOME deps) before GNOME installation to avoid known startup crashes.
- Ensure required runtime components are present (e.g., `dbus-daemon`) and install the EL10 compatibility package (gnome49-el10-compat); update versionlocks to match GNOME 49.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| build_scripts/overrides/base/10-packages-image-base.sh | Switches COPR to GNOME 49; pre-upgrades key packages before GNOME install; adds dbus-daemon and gnome49-el10-compat to the base GNOME package set. |
| build_scripts/20-packages.sh | Removes the GNOME 48 pin/swap and updates versionlocks to keep GNOME 49-related components consistent. |
Can we ship this after the next stable release on Tuesday (24th), that'll give us a full week of having it in testing? Can we tie this into an announcement?

Yeah let's merge so we can start testing

Ok I'm going to merge the other things to land into LTS then add this. Let's gooooooooooooooooooooooo!

Pull request was converted to draft
Documentation Updates 4 document(s) were updated by changes in this PR: Bluefin LTS ErrataView Changes@@ -4,7 +4,7 @@
**containerd included:** The `containerd` package is now installed by default from EPEL, providing a robust container runtime for users who require container-native workflows and tooling. This enables out-of-the-box support for containerd-based workloads and tools. For details, see [PR #927](https://github.com/ublue-os/bluefin-lts/pull/927).
## Kernel & Filesystem
-Bluefin LTS offers two kernel options: `bluefin:lts` uses the stock CentOS 6.12 kernel, while `bluefin:lts-hwe` uses the CoreOS kernel (coreos-stable-42) with GNOME 48 from the "jreilly1821/c10s-gnome" COPR repository and additional hardware enablement modules (akmods). The `bluefin:lts` version uses XFS as the default filesystem layout, whereas `bluefin:lts-hwe` allows users to choose their filesystem. The stock kernel (`bluefin:lts`) maintains secure boot support, while the `-hwe` version is set as the default for new users. GNOME components are version-locked to prevent automatic upgrades.
+Bluefin LTS offers two kernel options: `bluefin:lts` uses the stock CentOS 6.12 kernel, while `bluefin:lts-hwe` uses the CoreOS kernel (coreos-stable-42) with GNOME 49 from the "jreilly1821/c10s-gnome-49" COPR repository (which tracks Fedora F43 dist-git for GNOME 49) and additional hardware enablement modules (akmods). The `bluefin:lts` version uses XFS as the default filesystem layout, whereas `bluefin:lts-hwe` allows users to choose their filesystem. The stock kernel (`bluefin:lts`) maintains secure boot support, while the `-hwe` version is set as the default for new users. GNOME components are version-locked to prevent automatic upgrades.
Kernel installation is performed via a kernel swap script that removes existing kernel packages and installs the kernel from mounted akmods containers. For HWE builds, the script selects the CoreOS kernel and installs common akmods (such as xone, openrazer, framework-laptop, v4l2loopback) from a dedicated container. Version locking is applied to maintain kernel package consistency. [Details](https://github.com/ublue-os/bluefin-lts/pull/835)
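Review bot: The added line keeps "GNOME components are version-locked to prevent automatic upgrades" while now sourcing the desktop stack from a COPR that tracks Fedora F43 dist-git, and it does not say whether or when the locked versions are refreshed. Since an errata page is where users look for this, suggest adding one sentence on how fixes published to that COPR reach a locked image. The parenthetical "(which tracks Fedora F43 dist-git for GNOME 49)" also repeats "GNOME 49" from earlier in the same sentence; the last three words can go.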
Bluefin Newsletter 2.0View Changes@@ -6,7 +6,7 @@
| 2026-01-31 | Add ibus-chewing to Bluefin LTS for zh_TW | The ibus-chewing input method is now included in Bluefin LTS, matching the default for the zh_TW locale in Bluefin Stable. This resolves issues where Chewing was configured but not available when installing from older ISOs, and improves the Traditional Chinese typing experience out of the box. | Ensures consistent and functional Traditional Chinese input for zh_TW users on both Stable and LTS. Reduces manual configuration and improves i18n parity. [Details](https://github.com/ublue-os/bluefin-lts/pull/1076) |
| 2025-12-16 | Reintroduce Renovate Automation | The Renovate dependency automation was restored. The `.github/renovate.json5` configuration was updated to include `ghcr.io/projectbluefin/common` in the automerge dependencies, ensuring that updates to this key dependency are now automatically merged. | Keeps dependencies up to date with less manual intervention, improving security and reliability. [Details](https://github.com/ublue-os/bluefin/pull/3853) |
| 2025-12-10 | Fix NVIDIA Container Toolkit in Bluefin DX | The `nvidia-container-toolkit` was missing from the Bluefin DX NVIDIA image, causing GPU sharing issues between the host and Podman containers. The toolkit was added to the image, resolving GPU passthrough and sharing problems for containerized workloads. | Enables proper GPU resource management and sharing between host and containers, critical for AI/ML and GPU-accelerated workflows. [Details](https://github.com/ublue-os/bluefin/issues/3560#issuecomment-3638711398) |
-| 2025-11-25 | Resolve GNOME Shell Drag-and-Drop Crash | A critical bug caused GNOME Shell to crash during drag-and-drop operations with certain applications (e.g., ONLYOFFICE, WPS Office, WeChat). The issue was traced to Mutter compositor version 49.1.1. The team first downgraded Mutter to 49.1, then updated to 49.2 once available, and unpinned the version. A new stable build was released, and users confirmed the fix. Bluefin LTS uses GNOME 48 from the "jreilly1821/c10s-gnome" COPR repository. (Note: GNOME 49 was briefly deployed but was reverted in March 2026 via PR #1192) | Restores stable drag-and-drop functionality in GNOME Shell, preventing data loss and session crashes for affected users. [Details](https://github.com/ublue-os/bluefin/issues/3696#issuecomment-3578074785) |
+| 2025-11-25 | Resolve GNOME Shell Drag-and-Drop Crash | A critical bug caused GNOME Shell to crash during drag-and-drop operations with certain applications (e.g., ONLYOFFICE, WPS Office, WeChat). The issue was traced to Mutter compositor version 49.1.1. The team first downgraded Mutter to 49.1, then updated to 49.2 once available, and unpinned the version. A new stable build was released, and users confirmed the fix. Bluefin LTS uses GNOME 49 from the "jreilly1821/c10s-gnome-49" COPR repository which tracks Fedora F43 dist-git. | Restores stable drag-and-drop functionality in GNOME Shell, preventing data loss and session crashes for affected users. [Details](https://github.com/ublue-os/bluefin/issues/3696#issuecomment-3578074785) |
## Activity Notes
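Review bot: In the 2025-11-25 row, the replacement drops the note that GNOME 49 was reverted in March 2026 via PR #1192 and restates the entry in terms of the current COPR, so a dated log row now carries facts from a later date and the revert is no longer recorded anywhere in this table. Suggest leaving the historical row as it was and recording the move to "jreilly1821/c10s-gnome-49" as a new dated row.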
- **2025-12-17 to 2026-01-05:** No new completed tasks have been marked as done on the project board during this period. The team encourages users to report issues and feature requests to help guide future work.GNOME Extensions on Immutable LinuxView Changes@@ -310,16 +310,16 @@
[Bluefin delivers updates as complete new images checked automatically every 6 hours](https://docs.projectbluefin.io/administration/). Major updates may include new GNOME Shell versions that break extension compatibility.
-#### Example: GNOME 49 Temporary Update and AppIndicator Extension
-
-Bluefin LTS briefly deployed GNOME 49 in late 2025, but [reverted to GNOME 48.3 in March 2026](https://github.com/ublue-os/bluefin-lts/pull/1192) due to compatibility concerns. Users are currently on GNOME 48.3. This temporary update illustrated how GNOME version changes can affect extensions.
-
-[During the GNOME 49 deployment, the AppIndicator extension was disabled by default](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882), causing system tray icons for background applications like Proton VPN to disappear. [This was a known issue affecting multiple users](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882).
+#### Example: GNOME 49 Update and AppIndicator Extension
+
+Bluefin LTS now runs GNOME 49, sourced from the `jreilly1821/c10s-gnome-49` COPR repository which tracks Fedora F43 dist-git. This upgrade from GNOME 48 illustrated how GNOME version changes can affect extensions.
+
+[During the initial GNOME 49 deployment, the AppIndicator extension was disabled by default](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882), causing system tray icons for background applications like Proton VPN to disappear. [This was a known issue affecting multiple users](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882).
**Root Cause:**
[GNOME 49 introduced changes that affected system tray support](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882). While Bluefin ships AppIndicator by default to provide system tray functionality, [extensions were automatically turned off during the update](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882).
-**Solution at the Time:**
+**Solution:**
1. Open Extension Manager
2. Find the AppIndicator extension
3. Toggle it on to re-enable
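Review bot: The new intro paragraph says "This upgrade from GNOME 48 illustrated how GNOME version changes can affect extensions", but the next paragraph and its linked discussion comment describe "the initial GNOME 49 deployment", so the section now mixes two different deployments, and the removed link to the revert in PR #1192 was the only thing that explained the sequence. Suggest stating the order explicitly (initial deployment, revert, current upgrade) and attributing the AppIndicator report to the initial one.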
@@ -328,7 +328,7 @@
[The user who reported this confirmed the simple fix](https://github.com/ublue-os/bluefin/discussions/3689#discussioncomment-15040882): "The extensions were turned off after the update by default, so just turning them on via the Extension Manager worked."
-**Current Status:** Bluefin LTS has reverted to GNOME 48.3, which provides better extension compatibility and stability. The system now includes version locks to prevent automatic upgrades to GNOME 49 until broader compatibility is established.
+**Current Status:** Bluefin LTS runs GNOME 49 with version locks on core GNOME components to maintain stability and prevent version mismatches during updates.
#### General Compatibility Troubleshooting
Universal Blue Build and Update SystemView Changes@@ -190,6 +190,29 @@
- Fetches zram-generator configuration directly from Fedora's rawhide branch using the raw endpoint at `https://src.fedoraproject.org/rpms/zram-generator/raw/rawhide/f/zram-generator.conf` (required because c10s lacks the `-defaults` subpackage)
[As of September 2025, ublue-os/main builds only base, kinoite, and silverblue images](https://github.com/ublue-os/main/blob/ea9b037561f5babf4c9a924890ba8b0bf3a7bc78/README.md), streamlining the build matrix.
+
+### GNOME 49 Build Process (Bluefin LTS)
+
+For EL10-based builds (Bluefin LTS), the system uses GNOME 49 from the `jreilly1821/c10s-gnome-49` COPR repository, which tracks Fedora F43 dist-git. The build process includes several critical workarounds executed in `10-packages-image-base.sh`:
+
+**Pre-upgrade Phase** - Critical packages are upgraded before the GNOME group install to prevent runtime crashes:
+- **glib2**: EL10 ships 2.80.x; gnome-shell 49.x requires 2.82+ API symbols
+- **fontconfig**: COPR pango 1.57 links `FcConfigSetDefaultSubstitute` (added in fontconfig 2.17.0); EL10 base ships 2.15.0, causing symbol lookup errors
+- **gobject-introspection/gjs**: glib2 2.84+ ships both libgirepository-1.0 and libgirepository-2.0; upgrading only one causes both to load, crashing gnome-shell with duplicate GIRepository registration
+
+**EL10-Specific Workarounds:**
+
+| Component | Purpose | Implementation |
+|-----------|---------|----------------|
+| **dbus-daemon** | GDM's `gdm-wayland-session` requires `dbus-daemon` for session message bus; only a `Recommends:` dependency that bootc builds prune | Explicitly installed alongside GNOME packages |
+| **gnome49-el10-compat** | Bundles PAM configuration and SELinux policy fixes for GNOME 49's Varlink userdb architecture | Provides `pam_permit.so` for transient users and SELinux rules for `/run/systemd/userdb/` socket operations |
+
+**Version Locking** - The build process (in `20-packages.sh`) locks GNOME 49 components to prevent mismatched upgrades:
+```bash
+dnf versionlock add gnome-shell gdm gnome-session-wayland-session gobject-introspection gjs pango
+```
+
+All workarounds were validated on `quay.io/centos-bootc/centos-bootc:stream10` with GDM greeter reaching successfully and gnome-shell starting under enforcing SELinux.
### Modular Component Design
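Review bot: In the gnome49-el10-compat table row, "Provides `pam_permit.so` for transient users" understates the change: the PR description says the package overrides the `systemd-user` PAM service to use `pam_permit.so` for the account phase, which is a change to that service's account stack as a whole and not something scoped to the `gdm-greeter-N` users, and the cell reads as if the package ships the module when it ships a configuration override. Suggest wording it as "overrides the account phase of the `systemd-user` PAM service with `pam_permit.so`" and stating that scope. Separately, the `dnf versionlock add` line omits fontconfig and glib2, although the pre-upgrade list above names both and the PR summary says fontconfig must be versionlocked.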
Summary
Switch the GNOME COPR from `jreilly1821/c10s-gnome` (48.x backport) to `jreilly1821/c10s-gnome-49` which tracks Fedora F43 dist-git.

EL10-Specific Workarounds
All of these were discovered and confirmed working through live VM testing on `quay.io/centos-bootc/centos-bootc:stream10`. GDM greeter was reached and gnome-shell started cleanly under enforcing SELinux.

1. Pre-upgrade fontconfig before group install
COPR pango 1.57 links `FcConfigSetDefaultSubstitute`, added in fontconfig 2.17.0. EL10 base ships 2.15.0, causing a symbol lookup error that prevents gnome-shell from starting. fontconfig must be upgraded (and versionlocked) before installing the GNOME stack.

2. Pre-upgrade gobject-introspection and gjs
glib2 2.84+ ships both `libgirepository-1.0` and `libgirepository-2.0` as separate implementations. If only glib2 is upgraded but not these, both libraries can be loaded simultaneously, causing a fatal `cannot register existing type 'GIRepository'` crash at gnome-shell startup.

3. Explicit dbus-daemon install
GDM's `gdm-wayland-session` requires `dbus-daemon` for the session message bus. It is only a `Recommends:` of gdm (not `Requires:`), so bootc builds prune it. Without it, GDM exits with code 64 (Unable to run session message bus).

4. gnome49-el10-compat package
A small compat package (source) that bundles two EL10 fixes:

PAM fix — GDM 49 dynamically allocates `gdm-greeter-N` users via systemd's Varlink userdb API. `pam_unix.so` calls `unix_chkpwd` which cannot resolve these transient users and returns `PAM_AUTHINFO_UNAVAIL`, blocking the greeter session. The package overrides the `systemd-user` PAM service to use `pam_permit.so` for the account phase.

SELinux policy module (priority 300) — `selinux-policy` 43.1 lacks rules for GDM 49's Varlink userdb socket architecture. The module grants `xdm_t` the ability to create the socket in `/run/systemd/userdb/` and allows the required domains (`systemd_userdbd_t`, `policykit_t`, `init_t`, `systemd_user_runtimedir_t`, etc.) to connect to it. Without this, GDM crash-loops immediately under enforcing SELinux.

Changes
`overrides/base/10-packages-image-base.sh`
`build_scripts/20-packages.sh`

Testing
Tested manually on a live `centos-bootc:stream10` Lima VM: