forked from openshift/os
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpackages-openshift.yaml
162 lines (149 loc) · 6.3 KB
/
packages-openshift.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
metadata:
# This should match the /etc/os-release manipulation we do below when
# injecting `OPENSHIFT_VERSION`. It's used by CI to determine the repos to
# inject when building the layered image.
ocp_version: "4.19"
packages:
# The packages below are required by OpenShift/OKD
# but are not present in CentOS Stream and RHEL.
- cri-o cri-tools conmon-rs
- openshift-clients openshift-kubelet
- openvswitch3.4
# The packages below are present in CentOS Stream/RHEL,
# and depend on one or more of the above.
- NetworkManager-ovs
- ose-aws-ecr-image-credential-provider
- ose-azure-acr-image-credential-provider
- ose-gcp-gcr-image-credential-provider
postprocess:
# This is part of e.g. fedora-repos in Fedora; we now want to include it by default
# so that the MCO can use it by default and not trip over SELinux issues trying
# to create it.
- |
#!/usr/bin/bash
set -euo pipefail
mkdir -p /etc/yum.repos.d
# If there *are* repos built-in (e.g. c9s), disable them.
# We need to work in disconnected environments by default, and default-enabled
# repos will be attempted to be fetched by rpm-ostree when doing node-local
# kernel overrides today for e.g. kernel-rt.
for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
sed -i -e s,enabled=1,enabled=0, $x
done
# These enable librhsm which enables host subscriptions to work in containers
# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
- |
#!/usr/bin/bash
set -euo pipefail
ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
ln -sr /run/secrets/rhsm /etc/rhsm-host
- |
#!/usr/bin/env bash
set -xeuo pipefail
# manually modify SELinux booleans that are needed for OCP use cases
semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
semanage boolean --modify --on virt_use_samba # RHBZ#1754825
# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
# https://bugzilla.redhat.com/show_bug.cgi?id=1796537
- |
#!/usr/bin/bash
mkdir -p /usr/share/containers/oci/hooks.d
- |
#!/usr/bin/env bash
set -xeo pipefail
# Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
# sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
# that stopped working in the sysusers conversion. We should be able to drop this
# when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
if [ -f /run/.containerenv ]; then
# We're running as part of a derivation; `usermod` will not work
# because it doesn't go through NSS. Hackily put the /usr/lib files
# in /etc temporarily then put them back
mv /etc/passwd /etc/passwd.bak
mv /etc/group /etc/group.bak
mv /usr/lib/passwd /etc/passwd
mv /usr/lib/group /etc/group
fi
usermod -a -G hugetlbfs openvswitch
if [ -f /run/.containerenv ]; then
mv /etc/passwd /usr/lib/passwd
mv /etc/group /usr/lib/group
mv /etc/passwd.bak /etc/passwd
mv /etc/group.bak /etc/group
fi
fi
- |
#!/usr/bin/env bash
set -xeuo pipefail
# crio should stop hardcoding things in their config file!
# We are apparently somehow pulling in a conmon override in RHCOS
# that contains /usr/libexec/crio/conmon - WHY?
# sed -i '/conmon.*=/d' /etc/crio/crio.conf
# Oh right but the MCO overrides that too so...
mkdir -p /usr/libexec/crio
ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
# Inject OpenShift-specific release fields
- |
#!/usr/bin/env bash
set -xeuo pipefail
cat >> /usr/lib/os-release <<EOF
OPENSHIFT_VERSION="4.19"
EOF
- |
#!/usr/bin/env bash
set -xeuo pipefail
# Let's have a non-boring motd, just like CL (although theirs is more subdued
# nowadays compared to early versions with ASCII art). One thing we do here
# is add --- as a "separator"; the idea is that any "dynamic" information should
# be below that.
# See: https://projects.engineering.redhat.com/browse/COREOS-1029
. /etc/os-release
# This works around the fact that we can't currently access manifest
# variables from postprocess scripts, though we just use the name, since
# it's easier.
variant=$(jq -r .metadata.name /usr/share/rpm-ostree/treefile.json)
if [ $variant = "scos" ]; then
colloquial_name=SCOS
project_name=OKD
else
colloquial_name=RHCOS
project_name=OpenShift
fi
# in the el-only variants, we already have CoreOS in the NAME, so don't
# re-add it when building the node image
if [[ $NAME != *CoreOS* ]]; then
NAME="$NAME CoreOS"
fi
cat > /etc/motd <<EOF
$NAME $OSTREE_VERSION
Part of ${project_name} ${OPENSHIFT_VERSION}, ${colloquial_name} is a Kubernetes-native operating system
managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via \`machineconfig\` objects:
https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
---
EOF
- |
#!/usr/bin/env bash
set -xeo pipefail
# Delete a bunch of leftover files in the layering path
if [ -f /run/.containerenv ]; then
# lockfiles and backup files
rm -f /etc/.pwd.lock /etc/group- /etc/gshadow- /etc/shadow- /etc/passwd-
rm -f /etc/selinux/targeted/*.LOCK
# cache, logs, etc...
rm -rf /var && mkdir /var
# All the entries here should instead be part of their respective
# packages. But we carry them here for now to maintain compatibility.
cat > /usr/lib/tmpfiles.d/openshift.conf << EOF
L /opt/cni - - - - ../../usr/lib/opt/cni
d /var/lib/cni 0755 root root - -
d /var/lib/cni/bin 0755 root root - -
d /var/lib/containers 0755 root root - -
d /var/lib/openvswitch 0755 root root - -
d /var/lib/openvswitch/pki 0755 root root - -
d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
d /var/lib/unbound 0755 unbound unbound - -
EOF
fi