deps: upgrade to Fedora 38 (#1909)

* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38

.github/workflows/build-os-image.yml

@@ -334,7 +334,7 @@ jobs:
 
       - name: Collect hashes
         id: collect-hashes
-        working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37
+        working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
         run: |
           {
             echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)"
@@ -351,27 +351,27 @@ jobs:
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.raw
+          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
 
       - name: Upload individual OS parts as artifacts
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
           path: |
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.cmdline
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.efi
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.esp.raw
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.root-x86-64.raw
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.root-x86-64-verity.raw
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.vmlinuz
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz
 
       - name: Upload manifest as artifact
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
           path: |
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.changelog
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.manifest
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest
 
   upload-os-image:
     name: "Upload OS image to CSP"
@@ -399,10 +399,10 @@ jobs:
           - csp: openstack
             attestation_variant: qemu-vtpm
     env:
-      RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.raw
-      JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image-upload.json
-      AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~37/image.vhd
-      GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~37/image.tar.gz
+      RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
+      JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
+      AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
+      GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
       SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
       ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
     steps:
@@ -415,7 +415,7 @@ jobs:
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
-          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37
+          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
 
       - name: Install tools
         shell: bash
@@ -655,7 +655,7 @@ jobs:
                 .measurements.6.warnOnly = true |
                 .measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
                 .measurements.7.warnOnly = true |
-                .measurements.7.expected = "b1e9b305325c51b93da58cbf7f92512d8eebfa01143e4d8844e40e062e9b6cd5" |
+                .measurements.7.expected = "a1d193dbfc3da1a5e93fe7b1384427fb78feeffcb06675a0cf840ec99406f237" |
                 .measurements.8.warnOnly = false |
                 .measurements.9.warnOnly = false |
                 .measurements.11.warnOnly = false |

bazel/container/Containerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.5-labs
-FROM fedora:37
+FROM fedora:38
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -12,20 +12,20 @@ ADD --checksum=sha256:${BAZELISK_SHA256} \
     /usr/local/bin/bazelisk
 
 RUN chmod +x /usr/local/bin/bazelisk && \
-	ln -s /usr/local/bin/bazelisk /usr/local/bin/bazel && \
-	dnf install -y \
-	git \
-	diffutils \
-	libxcrypt-compat \
-	python3 \
-	&& \
-	dnf clean all && \
-	groupadd --gid 1000 builder && \
-	useradd -rm -d /home/builder -s /bin/bash -g root -u 1000 --gid builder builder && \
-	mkdir -p /home/builder/.cache && \
-	mkdir -p /workspace && \
-	chown -R builder:builder /home/builder/.cache /workspace && \
-	git config --global --add safe.directory /workspace
+    ln -s /usr/local/bin/bazelisk /usr/local/bin/bazel && \
+    dnf install -y \
+    git \
+    diffutils \
+    libxcrypt-compat \
+    python3 \
+    && \
+    dnf clean all && \
+    groupadd --gid 1000 builder && \
+    useradd -rm -d /home/builder -s /bin/bash -g root -u 1000 --gid builder builder && \
+    mkdir -p /home/builder/.cache && \
+    mkdir -p /workspace && \
+    chown -R builder:builder /home/builder/.cache /workspace && \
+    git config --global --add safe.directory /workspace
 
 USER builder
 WORKDIR /workspace

debugd/internal/debugd/logcollector/filebeat/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS release
+FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS release
 
 RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm
 

debugd/internal/debugd/logcollector/logstash/Dockerfile

@@ -1,11 +1,11 @@
-FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS build
+FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS build
 
 ARG LOGSTASH_VER=8.6.1
 
 RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
 
-FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS release
+FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS release
 
 COPY --from=build logstash-* /usr/share/logstash
 

image/Makefile

@@ -27,11 +27,10 @@ AZURE_FIXED_KERNEL_RPMS := kernel-6.1.18-200.fc37.x86_64.rpm kernel-core-6.1.18-
 GCP_FIXED_KERNEL_RPMS := kernel-6.1.18-200.fc37.x86_64.rpm kernel-core-6.1.18-200.fc37.x86_64.rpm kernel-modules-6.1.18-200.fc37.x86_64.rpm
 PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
 PREBUILT_RPMS_AZURE := $(addprefix prebuilt/rpms/azure/,$(AZURE_FIXED_KERNEL_RPMS))
-PREBUILT_RPMS_GCP := $(addprefix prebuilt/rpms/gcp/,$(GCP_FIXED_KERNEL_RPMS))
 
 .PHONY: all clean inject-bins $(csps) $(variants)
 
-.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%
+.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%
 
 all: $(csps)
 
@@ -41,27 +40,19 @@ gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
 openstack: openstack_qemu-vtpm
 qemu: qemu_qemu-vtpm
 
-$(variants): %: mkosi.output.%/fedora~37/image.raw
+$(variants): %: mkosi.output.%/fedora~38/image.raw
 
 prebuilt/rpms/systemd/%.rpm:
 	@echo "Downloading $*"
 	@mkdir -p $(@D)
 	@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm
 
-# Currently, Azure and GCP use the same fixed kernels.
-# They will likely derive soon again, but for now we can just copy the file from Azure to save traffic.
-prebuilt/rpms/gcp/%.rpm: prebuilt/rpms/azure/%.rpm
-	@echo "Downloading $*"
-	@mkdir -p $(@D)
-	# @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
-	cp prebuilt/rpms/azure/$*.rpm prebuilt/rpms/gcp/$*.rpm
-
 prebuilt/rpms/azure/%.rpm:
 	@echo "Downloading $*"
 	@mkdir -p $(@D)
 	@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
 
-mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
+mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
 	rm -rf .csp/
 	mkdir -p .csp/
 	$(eval csp := $(firstword $(subst _, ,$*)))
@@ -85,7 +76,7 @@ mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
 	rm -rf .csp/
 	@echo "Image is ready: $@"
 
-inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP)
+inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE)
 	mkdir -p $(MKOSI_EXTRA)/usr/bin
 	mkdir -p $(MKOSI_EXTRA)/usr/sbin
 	cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent

image/README.md

@@ -113,7 +113,7 @@ After that, you can build the image with:
 sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
 ```
 
-Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.
+Raw images will be placed in `mkosi.output.<CSP>/fedora~38/image.raw`.
 
 ## Prepare Secure Boot
 
@@ -125,7 +125,7 @@ For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. Th
 <summary><a id="qemu-secure-boot">libvirt / QEMU / KVM</a></summary>
 
 ```sh
-secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~37/image.raw
+secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~38/image.raw
 ```
 
 </details>
@@ -147,10 +147,10 @@ export AZURE_REGION=northeurope
 export AZURE_REPLICATION_REGIONS=
 export AZURE_DISK_NAME=constellation-$(date +%s)
 export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
-export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
-export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
+export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.raw
+export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.vhd
 export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs
-export AZURE_JSON_OUTPUT=${PWD}/mkosi.output.azure/fedora~37/image-upload.json
+export AZURE_JSON_OUTPUT=${PWD}/mkosi.output.azure/fedora~38/image-upload.json
 export BLOBS_DIR=${PWD}/blobs
 upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
 upload/upload_azure.sh --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" ""
@@ -191,7 +191,7 @@ Warning! Never set `--version` to a value that is already used for a release ima
 ```sh
 # Warning! Never set `--version` to a value that is already used for a release image.
 # Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~37/image.raw --variant ""  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
+bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~38/image.raw --variant ""  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
 ```
 
 </details>
@@ -207,8 +207,8 @@ bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~37
     - `pki_prod` is used for release images
 
 ```sh
-export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.raw
-export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.tar.gz
+export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~38/image.raw
+export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~38/image.tar.gz
 upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
 # Warning! Never set `--version` to a value that is already used for a release image.
 # Instead, use a `ref` that corresponds to your branch name.
@@ -230,8 +230,8 @@ Note:
 - Optional (if Secure Boot should be enabled) [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)
 
 ```sh
-export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
-export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
+export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.raw
+export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.vhd
 upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
 # Warning! Never set `--version` to a value that is already used for a release image.
 # Instead, use a `ref` that corresponds to your branch name.
@@ -254,7 +254,7 @@ Note:
 ```sh
 # Warning! Never set `--version` to a value that is already used for a release image.
 # Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.openstack/fedora~37/image.raw --variant "sev"  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
+bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.openstack/fedora~38/image.raw --variant "sev"  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
 ```
 
 </details>
@@ -268,7 +268,7 @@ bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.opensta
 ```sh
 # Warning! Never set `--version` to a value that is already used for a release image.
 # Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- qemu --verbose --raw-image mkosi.output.qemu/fedora~37/image.raw --variant "default"  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
+bazel run //image/upload -- qemu --verbose --raw-image mkosi.output.qemu/fedora~38/image.raw --variant "default"  --version ref/foo/stream/nightly/v2.7.0-pre-asdf
 ```
 
 </details>

image/mkosi.conf.d/mkosi.conf

@@ -1,6 +1,6 @@
 [Distribution]
 Distribution=fedora
-Release=37
+Release=38
 
 [Output]
 Format=disk

image/mkosi.conf.d/mkosi.gcp.conf

@@ -3,6 +3,6 @@ PathExists=../.csp/gcp
 
 # replace kernel
 [Content]
-Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm
-         prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm
-         prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm
+Packages=kernel
+         kernel-core
+         kernel-modules

rpm/repo.yaml

@@ -1,7 +1,7 @@
 repositories:
 - arch: x86_64
-  metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-37&arch=x86_64
-  name: 37-x86_64-primary-repo
+  metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-38&arch=x86_64
+  name: 38-x86_64-primary-repo
 - arch: x86_64
-  metalink: https://mirrors.fedoraproject.org/metalink?repo=updates-released-f37&arch=x86_64
-  name: 37-x86_64-update-repo
+  metalink: https://mirrors.fedoraproject.org/metalink?repo=updates-released-f38&arch=x86_64
+  name: 38-x86_64-update-repo

tools/dnf-init.sh

@@ -2,6 +2,6 @@
 
 rm -f rpm/repo.yaml
 bazel run //:bazeldnf -- init \
-  --fc 37 \
+  --fc 38 \
   --arch x86_64 \
   --output rpm/repo.yaml

tools/dnf-tree.sh

@@ -7,28 +7,28 @@ bazel run //:bazeldnf -- fetch \
   --repofile rpm/repo.yaml
 bazel run //:bazeldnf -- rpmtree \
   --workspace WORKSPACE.bazel \
-  --to_macro rpm/rpms.bzl%rpms \
+  --to-macro rpm/rpms.bzl%rpms \
   --buildfile rpm/BUILD.bazel \
   --repofile rpm/repo.yaml \
   --name cryptsetup-devel \
   cryptsetup-devel
 bazel run //:bazeldnf -- rpmtree \
   --workspace WORKSPACE.bazel \
-  --to_macro rpm/rpms.bzl%rpms \
+  --to-macro rpm/rpms.bzl%rpms \
   --buildfile rpm/BUILD.bazel \
   --repofile rpm/repo.yaml \
   --name glibc \
   glibc
 bazel run //:bazeldnf -- rpmtree \
   --workspace WORKSPACE.bazel \
-  --to_macro rpm/rpms.bzl%rpms \
+  --to-macro rpm/rpms.bzl%rpms \
   --buildfile rpm/BUILD.bazel \
   --repofile rpm/repo.yaml \
   --name libvirt-devel \
   libvirt-devel
 bazel run //:bazeldnf -- rpmtree \
   --workspace WORKSPACE.bazel \
-  --to_macro rpm/rpms.bzl%rpms \
+  --to-macro rpm/rpms.bzl%rpms \
   --buildfile rpm/BUILD.bazel \
   --repofile rpm/repo.yaml \
   --name containerized-libvirt \
@@ -42,7 +42,7 @@ bazel run //:bazeldnf -- rpmtree \
   libvirt-client
 bazel run //:bazeldnf -- prune \
   --workspace WORKSPACE.bazel \
-  --to_macro rpm/rpms.bzl%rpms \
+  --to-macro rpm/rpms.bzl%rpms \
   --buildfile rpm/BUILD.bazel
 bazel run //rpm:ldd-cryptsetup
 bazel run //rpm:ldd-libvirt