deps: upgrade to Fedora 38 (#1909)

* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
Malte Poll 2023-06-15 16:50:35 +02:00 committed by GitHub
parent 4d6d2b1fa2
commit 264b2df902
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 2407 additions and 2865 deletions


@ -334,7 +334,7 @@ jobs:
- name: Collect hashes
id: collect-hashes
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
run: |
{
echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)"
@ -351,27 +351,27 @@ jobs:
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.raw
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
- name: Upload individual OS parts as artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.efi
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.esp.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.root-x86-64.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.root-x86-64-verity.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.vmlinuz
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz
- name: Upload manifest as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.manifest
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest
upload-os-image:
name: "Upload OS image to CSP"
@ -399,10 +399,10 @@ jobs:
- csp: openstack
attestation_variant: qemu-vtpm
env:
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image.raw
JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37/image-upload.json
AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~37/image.vhd
GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~37/image.tar.gz
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw
JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
steps:
@ -415,7 +415,7 @@ jobs:
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~37
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
- name: Install tools
shell: bash
@ -655,7 +655,7 @@ jobs:
.measurements.6.warnOnly = true |
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
.measurements.7.warnOnly = true |
.measurements.7.expected = "b1e9b305325c51b93da58cbf7f92512d8eebfa01143e4d8844e40e062e9b6cd5" |
.measurements.7.expected = "a1d193dbfc3da1a5e93fe7b1384427fb78feeffcb06675a0cf840ec99406f237" |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
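Review bot: None of the three `actions/upload-artifact` steps in the second hunk sets `if-no-files-found`, so a `path:` that no longer matches the mkosi output directory only produces a warning and the step still succeeds. With the release directory (`fedora~38`) written out literally in every path, the next distro bump can miss one; the gap then shows up only in a later job such as `upload-os-image`, or not at all for the multi-path `parts-*` and `manifest-*` artifacts. Adding `if-no-files-found: error` to each `with:` block makes the mismatch fail at the upload step. Holding the directory name in one workflow-level `env` value would also reduce future bumps to a single line. The jobs these steps belong to start outside the hunks.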


@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1.5-labs
FROM fedora:37
FROM fedora:38
ARG TARGETOS
ARG TARGETARCH
@ -12,20 +12,20 @@ ADD --checksum=sha256:${BAZELISK_SHA256} \
/usr/local/bin/bazelisk
RUN chmod +x /usr/local/bin/bazelisk && \
ln -s /usr/local/bin/bazelisk /usr/local/bin/bazel && \
dnf install -y \
git \
diffutils \
libxcrypt-compat \
python3 \
&& \
dnf clean all && \
groupadd --gid 1000 builder && \
useradd -rm -d /home/builder -s /bin/bash -g root -u 1000 --gid builder builder && \
mkdir -p /home/builder/.cache && \
mkdir -p /workspace && \
chown -R builder:builder /home/builder/.cache /workspace && \
git config --global --add safe.directory /workspace
ln -s /usr/local/bin/bazelisk /usr/local/bin/bazel && \
dnf install -y \
git \
diffutils \
libxcrypt-compat \
python3 \
&& \
dnf clean all && \
groupadd --gid 1000 builder && \
useradd -rm -d /home/builder -s /bin/bash -g root -u 1000 --gid builder builder && \
mkdir -p /home/builder/.cache && \
mkdir -p /workspace && \
chown -R builder:builder /home/builder/.cache /workspace && \
git config --global --add safe.directory /workspace
USER builder
WORKDIR /workspace
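Review bot: `FROM fedora:38` follows a mutable tag, whereas the other Dockerfiles touched by this commit pin the base as `fedora:38@sha256:…`. Pinning here as well, `FROM fedora:38@sha256:<multi-arch index digest>`, keeps the build container from changing underneath the bazelisk binary that the `ADD --checksum` line already ties to a known hash. Because this file declares `TARGETARCH`, the digest would presumably need to be that of the multi-arch index rather than a single-platform manifest; confirm which platforms are actually built. The re-indented `RUN` block is otherwise unchanged.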


@ -1,4 +1,4 @@
FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS release
FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS release
RUN dnf install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-x86_64.rpm


@ -1,11 +1,11 @@
FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS build
FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS build
ARG LOGSTASH_VER=8.6.1
RUN curl -fsSLO https://artifacts.opensearch.org/logstash/logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
RUN tar -zxvf logstash-oss-with-opensearch-output-plugin-$LOGSTASH_VER-linux-x64.tar.gz
FROM fedora:37@sha256:ab2fd8de428f5dbdb147d43135902a776a6c64d2243fd7ac99629df3b47c9256 AS release
FROM fedora:38@sha256:a29e3f593f5eb60a0a52d34bdc0147da22c97381d3667c5588dbe02ca35e1514 AS release
COPY --from=build logstash-* /usr/share/logstash


@ -27,11 +27,10 @@ AZURE_FIXED_KERNEL_RPMS := kernel-6.1.18-200.fc37.x86_64.rpm kernel-core-6.1.18-
GCP_FIXED_KERNEL_RPMS := kernel-6.1.18-200.fc37.x86_64.rpm kernel-core-6.1.18-200.fc37.x86_64.rpm kernel-modules-6.1.18-200.fc37.x86_64.rpm
PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
PREBUILT_RPMS_AZURE := $(addprefix prebuilt/rpms/azure/,$(AZURE_FIXED_KERNEL_RPMS))
PREBUILT_RPMS_GCP := $(addprefix prebuilt/rpms/gcp/,$(GCP_FIXED_KERNEL_RPMS))
.PHONY: all clean inject-bins $(csps) $(variants)
.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%
.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%
all: $(csps)
@ -41,27 +40,19 @@ gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
openstack: openstack_qemu-vtpm
qemu: qemu_qemu-vtpm
$(variants): %: mkosi.output.%/fedora~37/image.raw
$(variants): %: mkosi.output.%/fedora~38/image.raw
prebuilt/rpms/systemd/%.rpm:
@echo "Downloading $*"
@mkdir -p $(@D)
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm
# Currently, Azure and GCP use the same fixed kernels.
# They will likely derive soon again, but for now we can just copy the file from Azure to save traffic.
prebuilt/rpms/gcp/%.rpm: prebuilt/rpms/azure/%.rpm
@echo "Downloading $*"
@mkdir -p $(@D)
# @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
cp prebuilt/rpms/azure/$*.rpm prebuilt/rpms/gcp/$*.rpm
prebuilt/rpms/azure/%.rpm:
@echo "Downloading $*"
@mkdir -p $(@D)
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
rm -rf .csp/
mkdir -p .csp/
$(eval csp := $(firstword $(subst _, ,$*)))
@ -85,7 +76,7 @@ mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
rm -rf .csp/
@echo "Image is ready: $@"
inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP)
inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE)
mkdir -p $(MKOSI_EXTRA)/usr/bin
mkdir -p $(MKOSI_EXTRA)/usr/sbin
cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
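Review bot: The `prebuilt/rpms/systemd/%.rpm` and `prebuilt/rpms/azure/%.rpm` rules on the new side still download `fc37` builds from Koji with `curl -fsSL`, and nothing visible checks a digest or RPM signature before `inject-bins` consumes them. Since these packages presumably end up in the OS image, a `sha256sum -c` against a checked-in checksum list right after each `curl` would tie the download to a known artifact. If keeping Fedora 37 systemd and kernel builds in a Fedora 38 image is intentional, a comment next to the `*_FIXED_*` variables should say why. `GCP_FIXED_KERNEL_RPMS` looks unused once `PREBUILT_RPMS_GCP` and the `prebuilt/rpms/gcp/%.rpm` rule are gone (inferred from the hunk counts, since the `-` markers are lost on this page). The `inject-bins` recipe continues past the end of the hunk.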


@ -113,7 +113,7 @@ After that, you can build the image with:
sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
```
Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.
Raw images will be placed in `mkosi.output.<CSP>/fedora~38/image.raw`.
## Prepare Secure Boot
@ -125,7 +125,7 @@ For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. Th
<summary><a id="qemu-secure-boot">libvirt / QEMU / KVM</a></summary>
```sh
secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~37/image.raw
secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~38/image.raw
```
</details>
@ -147,10 +147,10 @@ export AZURE_REGION=northeurope
export AZURE_REPLICATION_REGIONS=
export AZURE_DISK_NAME=constellation-$(date +%s)
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.vhd
export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs
export AZURE_JSON_OUTPUT=${PWD}/mkosi.output.azure/fedora~37/image-upload.json
export AZURE_JSON_OUTPUT=${PWD}/mkosi.output.azure/fedora~38/image-upload.json
export BLOBS_DIR=${PWD}/blobs
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" ""
@ -191,7 +191,7 @@ Warning! Never set `--version` to a value that is already used for a release ima
```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~37/image.raw --variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~38/image.raw --variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```
</details>
@ -207,8 +207,8 @@ bazel run //image/upload -- aws --verbose --raw-image mkosi.output.aws/fedora~37
- `pki_prod` is used for release images
```sh
export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.raw
export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.tar.gz
export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~38/image.raw
export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~38/image.tar.gz
upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
@ -230,8 +230,8 @@ Note:
- Optional (if Secure Boot should be enabled) [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)
```sh
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~38/image.vhd
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
@ -254,7 +254,7 @@ Note:
```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.openstack/fedora~37/image.raw --variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.openstack/fedora~38/image.raw --variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```
</details>
@ -268,7 +268,7 @@ bazel run //image/upload -- openstack --verbose --raw-image mkosi.output.opensta
```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- qemu --verbose --raw-image mkosi.output.qemu/fedora~37/image.raw --variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
bazel run //image/upload -- qemu --verbose --raw-image mkosi.output.qemu/fedora~38/image.raw --variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```
</details>


@ -1,6 +1,6 @@
[Distribution]
Distribution=fedora
Release=37
Release=38
[Output]
Format=disk


@ -3,6 +3,6 @@ PathExists=../.csp/gcp
# replace kernel
[Content]
Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm
Packages=kernel
kernel-core
kernel-modules
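Review bot: The `# replace kernel` comment above `[Content]` reads as stale now that `Packages=` lists the plain `kernel`, `kernel-core` and `kernel-modules` names instead of prebuilt RPM paths. Something like `# install the stock Fedora kernel from the distribution repositories (no pinned build)` would describe what the section does now. It would also record that the GCP kernel version is no longer fixed in this file and presumably follows whatever the repositories provide at build time.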

File diff suppressed because it is too large Load Diff


@ -1,7 +1,7 @@
repositories:
- arch: x86_64
metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-37&arch=x86_64
name: 37-x86_64-primary-repo
metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-38&arch=x86_64
name: 38-x86_64-primary-repo
- arch: x86_64
metalink: https://mirrors.fedoraproject.org/metalink?repo=updates-released-f37&arch=x86_64
name: 37-x86_64-update-repo
metalink: https://mirrors.fedoraproject.org/metalink?repo=updates-released-f38&arch=x86_64
name: 38-x86_64-update-repo

File diff suppressed because it is too large Load Diff


@ -2,6 +2,6 @@
rm -f rpm/repo.yaml
bazel run //:bazeldnf -- init \
--fc 37 \
--fc 38 \
--arch x86_64 \
--output rpm/repo.yaml


@ -7,28 +7,28 @@ bazel run //:bazeldnf -- fetch \
--repofile rpm/repo.yaml
bazel run //:bazeldnf -- rpmtree \
--workspace WORKSPACE.bazel \
--to_macro rpm/rpms.bzl%rpms \
--to-macro rpm/rpms.bzl%rpms \
--buildfile rpm/BUILD.bazel \
--repofile rpm/repo.yaml \
--name cryptsetup-devel \
cryptsetup-devel
bazel run //:bazeldnf -- rpmtree \
--workspace WORKSPACE.bazel \
--to_macro rpm/rpms.bzl%rpms \
--to-macro rpm/rpms.bzl%rpms \
--buildfile rpm/BUILD.bazel \
--repofile rpm/repo.yaml \
--name glibc \
glibc
bazel run //:bazeldnf -- rpmtree \
--workspace WORKSPACE.bazel \
--to_macro rpm/rpms.bzl%rpms \
--to-macro rpm/rpms.bzl%rpms \
--buildfile rpm/BUILD.bazel \
--repofile rpm/repo.yaml \
--name libvirt-devel \
libvirt-devel
bazel run //:bazeldnf -- rpmtree \
--workspace WORKSPACE.bazel \
--to_macro rpm/rpms.bzl%rpms \
--to-macro rpm/rpms.bzl%rpms \
--buildfile rpm/BUILD.bazel \
--repofile rpm/repo.yaml \
--name containerized-libvirt \
@ -42,7 +42,7 @@ bazel run //:bazeldnf -- rpmtree \
libvirt-client
bazel run //:bazeldnf -- prune \
--workspace WORKSPACE.bazel \
--to_macro rpm/rpms.bzl%rpms \
--to-macro rpm/rpms.bzl%rpms \
--buildfile rpm/BUILD.bazel
bazel run //rpm:ldd-cryptsetup
bazel run //rpm:ldd-libvirt