Comparing changes
base repository: osbuild/images
base: v0.124.0
head repository: osbuild/images
compare: v0.125.0
- 11 commits
- 45 files changed
- 4 contributors
Commits on Mar 17, 2025
manifest: rename OS pipeline ExtraBasePackages to BasePackages
In the OS pipeline, the word Extra in ExtraBasePackages is a bit misleading. The property is used to add the static image type package set to the pipeline. They are 'extra' in the sense that they are included in addition to the auto-selected packages required by the pipeline and its customizations, but IMO the wording makes it seem that they are a package set that's included from some other process separate from the image type and pipeline.
Commit 9065b21
manifest: collect packages into separate slices in OS pipeline
Collect packages into separate slices to have a better idea of what we're combining. This makes it easier to see which list of packages goes into which transaction of the package set chain. This change has no effect on generated manifests.
Commit 9abaa86
manifest: remove OSTreeRef check for partition table packages
OSTree-based images don't have a partition table so the check is redundant and potentially confusing. The comment about LVM is also very outdated and originates from the time when lvm packages were added based on a plain 'HasLVM' boolean on the pipeline. The code is pretty self-explanatory now. This change has no effect on generated manifests.
Commit bd7ec24
manifest: depsolve OS packages in three transactions
The OS package set chain now consists of three transactions (up from two). The transactions contain the following packages:

1. Platform, Environment, Partition Table, and Base (static Image Type) packages, *with* Excludes from the Base package set.
   - Weak dependency installation is controlled by the Image Type's ImageConfig.
2. Customization packages: These are packages that are selected based on ImageConfig and Blueprint customizations (e.g. 'chrony' for NTP, 'firewalld' for firewall configuration).
   - Weak dependency installation is *disabled*.
3. Blueprint (Workload) packages: This is the same as the previous second transaction in the chain.

This change solves the problem where a package selected by a customization could conflict with a base package set exclude. See linked issue for a full description of the problem.

This change has no effect on generated manifests.

Fixes #1323
Commit 8b77961
test: add new firewall build config
Add a new config file called 'firewall' that sets firewall customizations. Build the configuration in CI with the minimal-raw image which explicitly excludes the firewalld package on Fedora 43. Building this configuration with Fedora 43 currently fails because firewalld is not part of the base image.
Commit d3fdfa9
manifest: firewall customization installs firewalld
Make sure firewalld is available in the image. Note that org.osbuild.firewall runs 'firewall-offline-cmd' in the os tree using chroot, so we don't need a build package for this.
Commit db3f68b
data/repositories/rhel-8*.json: don't include the "auxiliary key 2"
The `osbuild/images` go module supports distro cross-building. This means that you can build images for a different distribution than the one you are running on. For example, you can build a RHEL-8 image on RHEL-9. Nevertheless, the supported combinations are controlled by the end users of the `osbuild/images` go module.

The `rhel-8*.json` repository definitions have been modified to contain only the [`4096R/199e2f91fd431d51 (2009-10-22): Red Hat, Inc. (release key 2) <security@redhat.com>`](https://security.access.redhat.com/data/fd431d51.txt) as specified at [Red Hat Product Signing keys page](https://access.redhat.com/security/team/key).

The [`4096R/F76F66C3D4082792 (2018-06-27): Red Hat, Inc. (auxiliary key 2) <security@redhat.com>`](https://security.access.redhat.com/data/d4082792.txt) is completely omitted from the `rhel-8*.json` repository definitions. The reasons are:

* The `Red Hat, Inc. (auxiliary key 2)` is signed only with RSA-SHA1, which is not allowed by the default crypto-policy on RHEL-9 and newer. This means that importing such a key when bootstrapping the RHEL-8 buildroot on RHEL-9 and newer would fail.
* The `Red Hat, Inc. (auxiliary key 2)` is not commonly used for signing the RHEL-8 RPMs. It is a disaster recovery key that would be used in the unlikely event Red Hat loses the ability to sign with the master hardware keys. The key file uses a sub-key that would most probably be used to sign RPMs in this unlikely event, so that the main key can be stored offline. Previously, we used to ship only the auxiliary key, without the sub-key, in `rhel-8*.json` configurations on RHEL-9, because only the sub-key's signature was causing issues when importing it on RHEL-9 with the default crypto-policy. However, given the purpose of the sub-key, there's no reason to include the main key in the `rhel-8*.json` configurations without the sub-key.
* None of the projects that use the repository definitions in the `osbuild/images` go module (`osbuild-composer`, `image-builder-cli`, etc.) are being released or updated in RHEL-8. The `rhel-8*.json` repository definitions are used only for cross-building RHEL-8 images on RHEL-9 and newer.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Commit 6d56359
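The commit message above turns on which hash algorithm the signatures inside a key file use. As an added example (not code from `osbuild/images` or from the commit), the following stdlib-only Go sketch walks binary, de-armored OpenPGP packets and reports the signature type of every v4 signature made with SHA-1. The function name and the sample bytes are assumptions constructed for illustration, and partial or indeterminate packet lengths are not handled.

```go
package main

import "fmt"

var errPacket = fmt.Errorf("malformed or unsupported OpenPGP packet framing")

// SHA1SignatureTypes returns the signature type of each v4 signature packet (RFC 4880
// tag 2; body = version, sig type, pubkey alg, hash alg) whose hash algorithm is 2 (SHA-1).
func SHA1SignatureTypes(data []byte) ([]byte, error) {
	var types []byte
	for i := 0; i < len(data); {
		hdr, tag, n := data[i], byte(0), 0
		if i++; hdr&0x80 == 0 || i >= len(data) {
			return nil, errPacket
		}
		if hdr&0x40 != 0 { // new-format header: 6-bit tag, 1- or 2-octet length
			tag = hdr & 0x3f
			if o := int(data[i]); o < 192 {
				n, i = o, i+1
			} else if o < 224 && i+1 < len(data) {
				n, i = ((o-192)<<8)+int(data[i+1])+192, i+2
			} else {
				return nil, errPacket
			}
		} else { // old-format header: 4-bit tag, length type picks 1, 2 or 4 octets
			tag = (hdr >> 2) & 0x0f
			w := 1 << (hdr & 3) // 8 would mean indeterminate length
			if w == 8 || i+w > len(data) {
				return nil, errPacket
			}
			for _, b := range data[i : i+w] {
				n = n<<8 | int(b)
			}
			i += w
		}
		if n < 0 || n > len(data)-i {
			return nil, errPacket
		}
		if body := data[i : i+n]; tag == 2 && n >= 4 && body[0] == 4 && body[3] == 2 {
			types = append(types, body[1]) // e.g. 0x18 = subkey binding signature
		}
		i += n
	}
	return types, nil
}

// Constructed sample, not a real key: SHA-256 certification (0x13), then SHA-1 subkey binding (0x18).
var sample = []byte{0xC2, 6, 4, 0x13, 1, 8, 0, 0, 0x88, 6, 4, 0x18, 1, 2, 0, 0}
func main() { fmt.Println(SHA1SignatureTypes(sample)) }
```
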
Commit fdd34c6
rhel8: extract package sets into a single YAML file
Move the rhel9 packages into yaml. Similar to e.g. PR#1300. The existing structure in code was tried to be preserved.

Tested via:

```console
$ ./tools/gen-manifests-diff
no diff found to main
```

Built on top of #1300
Commit 6b93c3e
rhel9: extract package sets into a single YAML file
Move the rhel9 packages into yaml. Similar to e.g. PR#1300. The existing structure in code was tried to be preserved.

Tested via:

```console
$ ./tools/gen-manifests-diff
no diff found to main
```
Commit 7eed579
rhel7: extract package sets into a single YAML file
Move the rhel7 packages into yaml. This was validated by running `./tools/gen-manifest-diff`.
Commit 1317e8a