No commits in common. "main" and "main" have entirely different histories.
main ... main

210 changed files with 2686 additions and 15171 deletions


@ -1,62 +0,0 @@
name: Build PR in OBS
on:
pull_request_target:
types:
- opened
- reopened
- synchronize
- closed
branches-ignore:
- "devel"
concurrency:
group: ${{ gitea.workflow }}-${{ gitea.ref }}
cancel-in-progress: true
jobs:
sync-pr-project:
name: "Build PR in OBS"
runs-on: tumbleweed
steps:
- name: Setup OSC
run: |
zypper in -y python3-jinja2
mkdir -p ~/.config/osc
cat >~/.config/osc/oscrc <<'EOF'
[general]
apiurl = https://api.opensuse.org
[https://api.opensuse.org]
user=${{ vars.OBS_USERNAME }}
pass=${{ secrets.OBS_PASSWORD }}
EOF
# Waiting on PR to get merged for support in upstream action/checkout action
- uses: 'https://github.com/yangskyboxlabs/action-checkout@sha256'
name: Checkout repository
with:
object-format: 'sha256'
- name: "[if PR is closed] Delete project in OBS"
run: |
if [ "${{ gitea.event.action }}" = "closed" ]; then
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
osc rdelete -f -r -m "PR closed" "${PROJECT}:Staging:PR-${{ gitea.event.number }}"
fi
- name: "Setup PR project in OBS"
env:
SCM_URL: ${{ gitea.event.pull_request.head.repo.clone_url }}#${{ gitea.head_ref }}
run: |
if [ "${{ gitea.event.action }}" != "closed" ]; then
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
python3 .obs/render_meta.py --pr ${{ gitea.event.number }} --scm-url "${SCM_URL}" | osc meta prj "${PROJECT}:Staging:PR-${{ gitea.event.number }}" -F -
echo "Project created ${PROJECT}:Staging:PR-${{ gitea.event.number }}"
echo "Follow build at: https://build.opensuse.org/project/monitor/${PROJECT}:Staging:PR-${{ gitea.event.number }}"
fi
- env:
GIT_SHA: ${{ gitea.event.pull_request.head.sha }}
name: "Wait for OBS to build the project"
run: |
if [ "${{ gitea.event.action }}" != "closed" ]; then
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
export OBS_PROJECT="${PROJECT}:Staging:PR-${{ gitea.event.number }}"
python3 .obs/wait_obs.py
fi


@ -1,35 +0,0 @@
name: Synchronize Project Config
on:
push:
branches-ignore:
- "devel"
paths:
- "_config"
- ".gitea/workflows/sync_config.yaml"
jobs:
sync-prjconf:
name: "Update prjconf in OBS"
runs-on: tumbleweed
steps:
- name: Setup OSC
run: |
mkdir -p ~/.config/osc
cat >~/.config/osc/oscrc <<'EOF'
[general]
apiurl = https://api.opensuse.org
[https://api.opensuse.org]
user=${{ vars.OBS_USERNAME }}
pass=${{ secrets.OBS_PASSWORD }}
EOF
# Waiting on PR to get merged for support in upstream action/checkout action
- uses: 'https://github.com/yangskyboxlabs/action-checkout@sha256'
name: Checkout repository
with:
object-format: 'sha256'
- run: |
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
if [ "$(osc meta prjconf "${PROJECT}" | sha256sum)" != "$(cat _config | sha256sum)" ] ; then
osc meta prjconf "${PROJECT}" -F _config
fi


@ -1,45 +0,0 @@
name: Synchronize Project Metadata
on:
push:
branches-ignore:
- "devel"
paths:
- "*" # Will trigger on new directories and changes to files in root of repository
- ".gitea/workflows/sync_meta.yaml"
- ".obs/common.py"
jobs:
sync-prj-meta:
runs-on: tumbleweed
steps:
- name: Setup OSC
run: |
zypper in -y python3-jinja2
mkdir -p ~/.config/osc
cat >~/.config/osc/oscrc <<'EOF'
[general]
apiurl = https://api.opensuse.org
[https://api.opensuse.org]
user=${{ vars.OBS_USERNAME }}
pass=${{ secrets.OBS_PASSWORD }}
EOF
# Waiting on PR to get merged for support in upstream action/checkout action
- uses: 'https://github.com/yangskyboxlabs/action-checkout@sha256'
name: Checkout repository
with:
object-format: 'sha256'
- name: "Update or create OBS Project"
run: |
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
set -o pipefail
if meta="$(osc meta prj "${PROJECT}" 2>/dev/null | sha256sum)"; then
new_meta="$(python3 .obs/render_meta.py)"
if [ "${meta}" != "$(echo "${new_meta}" | sha256sum)" ]; then
echo "${new_meta}" | osc meta prj "${PROJECT}" -F -
fi
python3 .obs/sync_packages.py
else
# Create the projects
bash .obs/create_projects.sh
fi


@ -1,30 +0,0 @@
name: Trigger Devel Packages
on:
schedule:
- cron: "@daily"
jobs:
sync-pr-project:
name: "Trigger source services for devel packages that changed"
runs-on: tumbleweed
steps:
- name: Setup OSC
run: |
mkdir -p ~/.config/osc
cat >~/.config/osc/oscrc <<'EOF'
[general]
apiurl = https://api.opensuse.org
[https://api.opensuse.org]
user=${{ vars.OBS_USERNAME }}
pass=${{ secrets.OBS_PASSWORD }}
EOF
# Waiting on PR to get merged for support in upstream action/checkout action
- uses: 'https://github.com/yangskyboxlabs/action-checkout@sha256'
name: Checkout repository
with:
object-format: 'sha256'
ref: 'devel'
- name: "Trigger packages"
run: |
python3 .obs/trigger_package.py


@ -1,4 +1,5 @@
#!/usr/bin/env python3
import yaml
import subprocess
import argparse
import os
@ -6,6 +7,30 @@ import os.path
from common import PROJECT, REPOSITORY, BRANCH
def add_package_to_workflow(name: str):
modified = False
with open(".obs/workflows.yml", "r") as wf_file:
workflows = yaml.safe_load(wf_file)
if not any(
x
for x in workflows["staging_build"]["steps"]
if x["branch_package"]["source_package"] == name
):
workflows["staging_build"]["steps"].append(
{
"branch_package": {
"source_project": PROJECT,
"target_project": f"{PROJECT}:Staging",
"source_package": name,
}
}
)
modified = True
if modified:
with open(".obs/workflows.yml", "w") as wf_file:
yaml.dump(workflows, wf_file)
def add_package_to_project(name: str):
package_meta = f"""<package name="{name}" project="{PROJECT}">
<title/>
@ -28,6 +53,7 @@ def add_package(package_name: str):
os.exit(1)
add_package_to_project(package_name)
add_package_to_workflow(package_name)
def main():
@ -39,7 +65,7 @@ def main():
add_package(args.package)
print("Package created in OBS !")
print("Package created in OBS, you can now push the modified workflow file")
if __name__ == '__main__':
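Review bot: In `add_package_to_workflow`, the duplicate check indexes `x["branch_package"]["source_package"]` on every entry of `staging_build.steps`, so one step without a `branch_package` key in `.obs/workflows.yml` raises `KeyError`. `x.get("branch_package", {}).get("source_package") == name` would skip such entries, and the same lookup in `delete_package_from_workflow` (the delete script further down this page) needs the same treatment. `add_package` calls `add_package_to_project` first, so the package already exists in OBS by the time the workflow edit can fail; loading and checking the workflow file before the remote call would avoid leaving the two out of step. `name` reaches both the YAML file and the XML f-string in `add_package_to_project` unvalidated, so a pattern check at the top of `add_package` (its start is outside the hunk) would be a cheap guard. The function also lacks a docstring; one line noting that `yaml.dump` rewrites the whole file and drops comments would warn people who edit it by hand.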


@ -1,37 +0,0 @@
#!/bin/bash
show_help() {
echo "Usage: $(basename $0) [--internal]"
echo "options:"
echo "-h, --help display this help and exit"
echo "-i, --internal create project as internal"
exit 0
}
while [[ "$#" -gt 0 ]]; do
case $1 in
-h|--help) show_help;;
-i|--internal) internal="--internal" ;;
*) echo "Unknown parameter passed: $1";show_help ;;
esac
shift
done
PROJECT="$(grep PROJECT .obs/common.py | sed 's/PROJECT = "\(.*\)"/\1/')"
EXTRA_OSC_ARGS=""
if [ -n "$internal" ]; then
PROJECT="ISV${PROJECT:3}"
EXTRA_OSC_ARGS="-A https://api.suse.de"
python3 .obs/render_meta.py ${internal} Snapshot | osc ${EXTRA_OSC_ARGS} meta prj "${PROJECT}:Snapshot" -F -
osc ${EXTRA_OSC_ARGS} meta prjconf "${PROJECT}:Snapshot" -F _config
fi
python3 .obs/render_meta.py ${internal} ToTest | osc ${EXTRA_OSC_ARGS} meta prj "${PROJECT}:ToTest" -F -
python3 .obs/render_meta.py ${internal} | osc ${EXTRA_OSC_ARGS} meta prj "${PROJECT}" -F -
osc ${EXTRA_OSC_ARGS} meta prjconf "${PROJECT}:ToTest" -F _config
osc ${EXTRA_OSC_ARGS} meta prjconf "${PROJECT}" -F _config
if [ -z "$internal" ]; then
python3 .obs/sync_packages.py
fi


@ -1,4 +1,5 @@
#!/usr/bin/env python3
import yaml
import subprocess
import argparse
import os
@ -7,8 +8,20 @@ import os.path
from common import PROJECT
def delete_package_from_workflow(name: str):
with open(".obs/workflows.yml", "r") as wf_file:
workflows = yaml.safe_load(wf_file)
workflows["staging_build"]["steps"] = [
x
for x in workflows["staging_build"]["steps"]
if x["branch_package"]["source_package"] != name
]
with open(".obs/workflows.yml", "w") as wf_file:
yaml.dump(workflows, wf_file)
def delete_package_from_project(name: str):
p = subprocess.run(["osc", "rdelete", PROJECT, name, "-m \"Deleted via delete_package.py\"" ], stdout=subprocess.PIPE)
p = subprocess.run(["osc", "rdelete", PROJECT, name], stdout=subprocess.PIPE)
print(p.stdout)
print(p.stderr)
p.check_returncode()
@ -20,6 +33,7 @@ def delete_package(package_name: str):
os.exit(1)
delete_package_from_project(package_name)
delete_package_from_workflow(package_name)
def main():
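Review bot: `delete_package` runs the remote `osc rdelete` in `delete_package_from_project` before `delete_package_from_workflow`, so if the workflow edit fails (missing `.obs/workflows.yml`, unexpected step shape) the package is already gone from OBS while the staging workflow still lists it. Updating the local file first, or at least loading and validating it before the delete, keeps the two consistent. `delete_package_from_workflow` reopens the file with `"w"` before `yaml.dump` runs, so an error during the dump leaves it truncated; writing to a temporary file and renaming it over the original avoids that. Separately, `print(p.stderr)` always prints `None` because only `stdout=subprocess.PIPE` is passed. The body of `delete_package` starts outside the hunk.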


@ -1,62 +0,0 @@
import argparse
from jinja2 import Template
from common import PROJECT
def render(base_project, subproject, internal, scm_url=None):
version = base_project.rsplit(':', 1)[-1]
context = {
"base_project": subproject == "",
"title": f"SUSE Edge {version} {subproject}".rstrip(),
}
if subproject == "ToTest":
context["project"] = f"{base_project}:ToTest"
context["description"] = (
f"This project doesn't build, it stores a snapshot of SUSE Edge {version} "
"project currently going through the automated test layer"
)
if "Factory" in base_project or internal:
context["release_project"] = f"{base_project}:Snapshot"
elif subproject == "Snapshot":
context["project"] = f"{base_project}:Snapshot"
context["release_project"] = f"{base_project.rsplit(':', 1)[0]}:Containers"
context["for_release"] = True
context["description"] = (
f"This project doesn't build, it stores a snapshot of SUSE Edge {version} "
"project that passed automated test layer"
)
elif subproject == "":
context["project"] = base_project
context["release_project"] = f"{base_project}:ToTest"
else: # PR case direct python call
context["base_project"] = True
context["project"] = f"{base_project}:{subproject}"
if scm_url is not None:
context["scm_url"] = scm_url
with open("_meta") as meta:
template = Template(meta.read())
return template.render(context)
def main():
parser = argparse.ArgumentParser(
prog='ProgramName',
description='What the program does',
epilog='Text at the bottom of help')
parser.add_argument("subproject", default="", choices=["", "ToTest", "Snapshot"], nargs="?")
parser.add_argument("--internal", action="store_true")
parser.add_argument("--pr")
parser.add_argument("--scm-url")
args = parser.parse_args()
base_project = PROJECT.replace("isv", "ISV", 1) if args.internal else PROJECT
print(render(
base_project=base_project,
subproject=args.subproject if args.pr is None else f"Staging:PR-{args.pr}",
internal=args.internal,
scm_url=args.scm_url,
))
if __name__ == "__main__":
main()


@ -9,7 +9,7 @@ from common import PROJECT
def get_obs_packages() -> Set[str]:
packages = subprocess.run(["osc", "ls", PROJECT], encoding='utf-8' , capture_output=True)
return { p for p in packages.stdout.splitlines() if ":" not in p }
return set(packages.stdout.splitlines())
def get_local_packages() -> Set[str]:
p = pathlib.Path('.')
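Review bot: `get_obs_packages` never checks whether `osc ls` succeeded, because `subprocess.run` is called without `check=True`; on an authentication or network failure `packages.stdout` is empty and the function returns an empty set. The callers are outside this hunk, but if they diff this set against the local directories, a failed listing would look like a project with no packages. Passing `check=True`, or calling `packages.check_returncode()` before the return, makes the failure visible. The page prints two `return` lines without markers; if `return set(packages.stdout.splitlines())` is the new side, names containing `:` are no longer excluded, and a one-line comment on why that filter is no longer needed would help.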


@ -1,83 +0,0 @@
import xml.etree.ElementTree as ET
import subprocess
import time
import os
import sys
from collections import Counter
def get_buildstatus(project: str) -> ET.Element:
for _ in range(5):
try:
output = subprocess.check_output(["osc", "pr", "--xml", project])
return ET.fromstring(output)
except subprocess.CalledProcessError:
continue
print("Failed to get buildstatus from OBS")
def do_wait(project:str, commit:str) -> ET.Element:
last_state = None
while True:
time.sleep(5)
status = get_buildstatus(project)
if last_state == status.get("state"):
continue
else:
last_state = status.get("state")
scminfo = { e.text for e in status.findall(".//scminfo") }
if len(scminfo) != 1 or scminfo.pop() != commit:
print("Waiting for OBS to sync with SCM")
continue
if not all([ e.get('state') == "published" and e.get('dirty') is None for e in status.findall("./result")]):
print("Waiting for OBS to finish building")
continue
return status
def print_results(status: ET.Element) -> bool:
results = {}
failed = []
for e in status.findall("./result"):
repo = results.get(e.get("repository"), {})
repo[e.get("arch")] = e
results[e.get("repository")] = repo
for repo in results.keys():
print(f"{repo}:")
depth=1
for arch in results[repo].keys():
counts = Counter()
if repo != "charts":
print(f"\t{arch}:")
depth=2
for package in results[repo][arch].findall("./status"):
if package.get("code") in ["excluded", "disabled"]:
continue
if package.get("code") in ["failed", "unresolvable", "broken"]:
details = package.findtext("details")
if details:
failed.append(f"{package.get('package')} ({arch}): {details}")
else:
failed.append(f"{package.get('package')} ({arch})")
counts[package.get("code")] += 1
for (code, count) in counts.items():
print("\t"*depth, f"{code}: {count}")
failed.sort()
if failed:
print("\nPackages failing: ")
for fail in failed:
print("\t", fail)
return len(failed)
def main():
project = os.environ.get("OBS_PROJECT")
sha = os.environ.get("GIT_SHA")
print(f"Waiting for OBS to build {project} for commit {sha}")
status = do_wait(project, sha)
sys.exit(print_results(status))
if __name__ == "__main__":
main()

228
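--- a/.obs/workflows.yml
+++ b/.obs/workflows.yml
@@ -0,0 +1,228 @@
+staging_build:
+filters:
+event: pull_request
+steps:
+- branch_package:
+source_package: endpoint-copier-operator
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: endpoint-copier-operator-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: endpoint-copier-operator-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-agent-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-controller-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-dashboard-extension-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-debug-echo-discovery-handler-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-onvif-discovery-handler-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-opcua-discovery-handler-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-udev-discovery-handler-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: akri-webhook-configuration-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: obs-service-set_version
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cosign
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: frr-k8s
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-operator
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: kubectl
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: upgrade-controller
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-provider-rke2
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: nm-configurator
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: kube-rbac-proxy
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: edge-image-builder
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: metallb
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: hauler
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: ip-address-manager
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: baremetal-operator
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-provider-metal3
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cdi-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-controller-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-provider-metal3-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: metallb-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-operator-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: sriov-crd-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: upgrade-controller-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: edge-image-builder-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: ironic-ipa-downloader-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-provider-rke2-controlplane-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: upgrade-controller-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: metal3-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: baremetal-operator-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cluster-api-provider-rke2-bootstrap-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: sriov-network-operator-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: metallb-controller-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: ip-address-manager-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: metallb-speaker-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: ironic-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: cri-tools
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: openstack-ironic-image
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: crudini
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: fakeroot
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: ipcalc
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: autoconf
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: rancher-turtles-airgap-resources-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging
+- branch_package:
+source_package: rancher-turtles-chart
+source_project: isv:SUSE:Edge:Factory
+target_project: isv:SUSE:Edge:Factory:Staging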
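Review bot: The `staging_build` filter restricts only on `event: pull_request`, so as written a pull request against any target branch branches every listed package into `isv:SUSE:Edge:Factory:Staging`. The Gitea workflow removed elsewhere on this page excluded `devel` through `branches-ignore`; if that exclusion is still wanted, a `branches:` entry with an `ignore` list under `filters` would carry it over. All 56 steps repeat the same `source_project` and `target_project`, and the add/delete scripts rewrite this file with `yaml.dump`, which would drop a comment placed here. The README is therefore the better place to record that the file is machine-managed and that these steps build pull-request content in the Staging project.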


@ -5,6 +5,15 @@ Contains the definition of the packages built on OBS for the SUSE Edge Solution
This repository is linked to an OBS project: <https://build.opensuse.org/project/show/isv:SUSE:Edge:Factory>
Every directory in this repository represents a package in that OBS project, those should be synced automatically from this repository.
## Adding a package
To add a package, first create a directory with your package as you intend it in OBS.
Then run the `.obs/add_package.py` script to create the package in the OBS project and add the required elements to the synchronization workflow.
This script is using the `osc` command behind the scenes, so ensure you have it installed and correctly configured, as well as you have the correct permissions to create a new package in the project.
You will then get asked to push your changes.
## Testing a fork or a development branch
You can create a project in your home space in OBS, use the same prjconf as the one of "isv:SUSE:Edge:Factory", and copy the repositories part of the metadata (adjust self references).
@ -14,14 +23,16 @@ Then add a scmsync stanza to your metadata like this (adjust repository path and
<scmsync>https://src.opensuse.org/suse-edge/Factory#main</scmsync>
```
This is done automatically for any PR filed against this repository.
## Cutting a release version branch
1. Do the appropriate git branch command
2. Change the project path in `.obs/common.py` file (e.g. from `isv:SUSE:Edge:Factory` to `isv:SUSE:Edge:3.2`)
3. Change the branch reference in `.obs/common.py` file (e.g. from `main` to `3.2`)
4. Edit the `.obs/workflows.yml` file to change the references to the correct projects
5. Commit those changes to the new branch and push the new branch
6. Create the base and to-test projects (e.g. `isv:SUSE:Edge:3.2` and `isv:SUSE:Edge:3.2:ToTest`), use the `isv:SUSE:Edge:Factory` projects as example for metadata part
7. Use the prjconf of Factory in all those projects
8. Run the `.obs/sync_packages.py` script to create all the packages in the base project
9. Go take a few cups of coffee/tea/mate/... while waiting for OBS to build everything
10. Once built do an `osc release` of the project for it to be copied over in the `ToTest` section
11. Hand over to QA to test whatever is in `ToTest`. (You can continue to work on the base branch if needed meanwhile)

125
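--- a/_config
+++ b/_config
@@ -1,125 +0,0 @@
-Prefer: -libqpid-proton10 -python311-urllib3_1
-Macros:
-%__python3 /usr/bin/python3.11
-%registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
-:Macros
-%if "%{sub %{lower %_project} 1 14}" != "isv:suse:edge:" || "%{sub %_project 15 21}" == "Factory"
-# Here we are in Factory like project so set chart major version to 999
-Macros:
-%chart_major 999
-:Macros
-%else
-# Here we are in version branch, so set the image prefix and chart major accordingly
-Macros:
-%project_branch %(echo %{_project} | cut -d ':' -f 4)
-%img_prefix %{project_branch}/
-%chart_major %(echo %{project_branch} | awk '{split($1,a,"."); print a[1]*100 + a[2]}')
-:Macros
-%endif
-%if %{sub %_project 1 3} == ISV
-Macros:
-%img_repo registry.suse.com/edge
-%chart_repo oci://registry.suse.com/edge
-%manifest_repo registry.suse.com/edge
-%support_level l3
-:Macros
-%else
-Macros:
-%img_repo registry.opensuse.org/isv/suse/edge/containers/images
-%manifest_repo registry.opensuse.org/isv/suse/edge/containers/images
-%chart_repo oci://registry.opensuse.org/isv/suse/edge/containers/charts
-%support_level techpreview
-:Macros
-%endif
-%if "%_repository" == "charts" || "%_repository" == "test_manifest_images"
-Macros:
-%img_repo %(echo %{registry_url}:%{_project}:images | tr ":" "/" | tr '[:upper:]' '[:lower:]')
-%manifest_repo %(echo %{registry_url}:%{_project}:test_manifest_images | tr ":" "/" | tr '[:upper:]' '[:lower:]')
-%chart_repo oci://%(echo %{registry_url}:%{_project}:charts | tr ":" "/" | tr '[:upper:]' '[:lower:]')
-:Macros
-%endif
-# Missing deps for testsuite
-BuildFlags: excludebuild:autoconf:el
-BuildFlags: excludebuild:autoconf:testsuite
-# Only build manifest embedding images here
-%if "%_repository" == "test_manifest_images"
-BuildFlags: onlybuild:edge-image-builder-image
-BuildFlags: onlybuild:release-manifest-image
-# Exclude the images selected by the following section
-# as the standard repository is a dependency
-%ifarch aarch64
-BuildFlags: excludebuild:baremetal-operator-image
-BuildFlags: excludebuild:endpoint-copier-operator-image
-BuildFlags: excludebuild:ironic-image
-BuildFlags: excludebuild:ironic-ipa-downloader-image
-BuildFlags: excludebuild:kube-rbac-proxy-image
-BuildFlags: excludebuild:metallb-controller-image
-BuildFlags: excludebuild:metallb-speaker-image
-%endif
-%else
-# Only a subset of stack is arm64 ready
-%ifarch aarch64
-BuildFlags: onlybuild:autoconf
-BuildFlags: onlybuild:baremetal-operator
-BuildFlags: onlybuild:baremetal-operator-image
-BuildFlags: onlybuild:ca-certificates-suse
-BuildFlags: onlybuild:cosign
-BuildFlags: onlybuild:crudini
-BuildFlags: onlybuild:edge-image-builder
-BuildFlags: onlybuild:edge-image-builder-image
-BuildFlags: onlybuild:endpoint-copier-operator
-BuildFlags: onlybuild:endpoint-copier-operator-image
-BuildFlags: onlybuild:fakeroot
-BuildFlags: onlybuild:hauler
-BuildFlags: onlybuild:ipcalc
-BuildFlags: onlybuild:ironic-image
-BuildFlags: onlybuild:ironic-ipa-downloader-image
-BuildFlags: onlybuild:ironic-ipa-ramdisk
-BuildFlags: onlybuild:kube-rbac-proxy
-BuildFlags: onlybuild:kube-rbac-proxy-image
-BuildFlags: onlybuild:metallb
-BuildFlags: onlybuild:metallb-controller-image
-BuildFlags: onlybuild:metallb-speaker-image
-BuildFlags: onlybuild:nm-configurator
-%endif
-%endif
-%if "%_repository" == "images" || "%_repository" == "test_manifest_images"
-Prefer: container:sles15-image
-Type: docker
-Repotype: none
-Patterntype: none
-BuildEngine: podman
-Prefer: sles-release
-BuildFlags: dockerarg:SLE_VERSION=15.6
-# Publish multi-arch container images only once all archs have been built
-PublishFlags: archsync
-%endif
-%if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
-Type: helm
-Repotype: helm
-Patterntype: none
-Required: perl-YAML-LibYAML
-%endif
-%if "%_repository" == "standard"
-# for build openstack-ironic-image
-BuildFlags: allowrootforbuild
-%endif
-# Enable reproducible builds
-# https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
-Macros:
-%source_date_epoch_from_changelog Y
-%clamp_mtime_to_source_date_epoch Y
-%use_source_date_epoch_as_buildtime Y
-%_buildhost reproducible
-:Macros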

69
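--- a/_meta
+++ b/_meta
@@ -1,69 +0,0 @@
-{#-
-This template is rendered by the render_meta.py script
-it is not automatically enforced by OBS
--#}
-{%- set maintainers = [
-"edge-engineering",
-] -%}
-<project name="{{ project }}">
-<title>{{ title }}</title>
-{%- if description is defined %}
-<description>{{ description }}</description>
-{%- else %}
-<description/>
-{%- endif %}
-{%- if scm_url is defined %}
-<scmsync>{{ scm_url }}</scmsync>
-{%- endif %}
-{%- for maintainer in maintainers %}
-<person userid="{{ maintainer }}" role="maintainer"/>
-{%- endfor %}
-{%- if not base_project %}
-<build>
-<disable/>
-<enable repository="charts"/>
-<enable repository="test_manifest_images"/>
-</build>
-<publish>
-<disable repository="phantomcharts"/>
-</publish>
-<repository name="phantomcharts">
-<arch>x86_64</arch>
-</repository>
-{%- endif %}
-{%- for repository in ["images", "test_manifest_images"] %}
-<repository name="{{ repository }}">
-{%- if release_project is defined and repository == "images" %}
-<releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
-{%- endif %}
-<path project="SUSE:Registry" repository="standard"/>
-<path project="SUSE:CA" repository="SLE_15_SP6"/>
-<path project="{{ project }}" repository="standard"/>
-<arch>x86_64</arch>
-<arch>aarch64</arch>
-</repository>
-{%- endfor %}
-<repository name="standard" block="local">
-{%- if release_project is defined and not for_release %}
-<releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
-{%- endif %}
-<path project="Cloud:OpenStack:2024.2" repository="15.6"/>
-<path project="SUSE:SLE-15-SP6:Update" repository="standard"/>
-<arch>x86_64</arch>
-<arch>aarch64</arch>
-</repository>
-<repository name="charts"{{ ' rebuild="local"' if not base_project }}>
-{%- if release_project is defined and not for_release %}
-<releasetarget project="{{ release_project }}" repository="phantomcharts" trigger="manual"/>
-{%- endif %}
-<path project="{{ project }}" repository="standard"/>
-<arch>x86_64</arch>
-</repository>
-{%- if for_release %}
-<repository name="releasecharts" rebuild="local">
-<releasetarget project="{{ release_project }}" repository="charts" trigger="manual"/>
-<path project="{{ project }}" repository="standard"/>
-<arch>x86_64</arch>
-</repository>
-{%- endif %}
-</project>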


@ -1,5 +1,5 @@
#!BuildTag: %%IMG_PREFIX%%akri-chart:%%CHART_MAJOR%%.0.0_up0.12.20
#!BuildTag: %%IMG_PREFIX%%akri-chart:%%CHART_MAJOR%%.0.0_up0.12.20-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%akri-chart:0.12.20
#!BuildTag: %%IMG_PREFIX%%akri-chart:0.12.20-%RELEASE%
annotations:
catalog.cattle.io/display-name: Akri
apiVersion: v2
@ -8,4 +8,4 @@ description: A Helm chart for Akri
icon: https://raw.githubusercontent.com/project-akri/akri-docs/main/art/icon/akri-icon-light.svg
name: akri
type: application
version: "%%CHART_MAJOR%%.0.0+up0.12.20"
version: 0.12.20


@ -11,7 +11,5 @@
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param>
</service>
</services>


@ -1,21 +1,20 @@
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0_up1.2.1
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0_up1.2.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0-%RELEASE%
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Akri
catalog.cattle.io/kube-version: ">= v1.26.0-0"
catalog.cattle.io/kube-version: '>= v1.26.0-0'
catalog.cattle.io/namespace: cattle-ui-plugin-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux, windows
catalog.cattle.io/rancher-version: ">= 2.10.0-0"
catalog.cattle.io/rancher-version: '>= v2.9.0'
catalog.cattle.io/scope: management
catalog.cattle.io/ui-component: plugins
catalog.cattle.io/ui-extensions-version: ">= 3.0.0 < 4.0.0"
catalog.cattle.io/ui-extensions-version: '>= 2.0.1'
apiVersion: v2
appVersion: 1.2.1
description: "SUSE Edge: Akri extension for Rancher Dashboard"
appVersion: 1.1.0
description: 'SUSE Edge: Akri extension for Rancher Dashboard'
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg
name: akri-dashboard-extension
type: application
version: "%%CHART_MAJOR%%.0.0+up1.2.1"
version: 1.1.0


@ -11,7 +11,5 @@
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param>
</service>
</services>


@ -60,4 +60,4 @@ Pkg annotations
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -8,7 +8,7 @@ spec:
plugin:
name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.2.1
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.1.0
noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
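Review bot: The `endpoint:` value hard-codes `.../akri-dashboard-extension/1.1.0` while the `version:` line above it is computed from `.Values.plugin.versionOverride` or `.Chart.AppVersion`, so setting the override changes the advertised version but not the code that is fetched. The URL also points at the `gh-pages` branch on raw.githubusercontent.com, which is mutable: the extension loaded into the dashboard is whatever that branch serves at fetch time, and nothing in this resource pins its content. Deriving the last path segment from the same expression as `version:` would keep the two in step, and serving the extension from a release-controlled location would narrow the supply-chain exposure. The `spec:` block starts above this hunk.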


@ -7,6 +7,6 @@ plugin:
noAuth: false
metadata:
catalog.cattle.io/display-name: Akri
catalog.cattle.io/rancher-version: ">= 2.10.0-0"
catalog.cattle.io/ui-extensions-version: ">= 3.0.0 < 4.0.0"
catalog.cattle.io/rancher-version: ">= v2.9.0"
catalog.cattle.io/ui-extensions-version: ">= 2.0.1"
catalog.cattle.io/kube-version: ">= v1.26.0-0"


@ -10,9 +10,7 @@
<service name="cargo_vendor" mode="manual">
<param name="srcdir">akri</param>
</service>
<service name="tar" mode="buildtime">
<param name="obsinfo">akri.obsinfo</param>
</service>
<service name="tar" mode="buildtime" />
<service name="set_version" mode="buildtime" >
<param name="fromfile">version.txt</param>
<param name="regex">^(.*)$</param>


@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/metal3-io/baremetal-operator</param>
<param name="scm">git</param>
<param name="revision">v0.8.0</param>
<param name="revision">v0.6.1</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
@ -12,8 +12,10 @@
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">baremetal-operator.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
@ -21,7 +23,7 @@
<param name="file">baremetal-operator.spec</param>
<param name="var">SOURCE_COMMIT</param>
<param name="eval">
SOURCE_COMMIT=$(grep commit baremetal-operator.obsinfo | cut -d" " -f2)
SOURCE_COMMIT=$(grep commit *.obsinfo | cut -d" " -f2)
</param>
<param name="verbose">1</param>
</service>
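Review bot: The new `grep commit *.obsinfo | cut -d" " -f2` no longer names the file it reads, so if more than one `.obsinfo` file is present in the build directory grep emits one filename-prefixed match per file and `SOURCE_COMMIT` becomes a multi-line value substituted into baremetal-operator.spec. The unanchored pattern `commit` has the same effect for any other line that happens to contain that word. I would keep the explicit file and anchor the key, assuming the `commit: <hash>` line format this command implies: `SOURCE_COMMIT=$(grep -h '^commit:' baremetal-operator.obsinfo | cut -d" " -f2)`. The enclosing `<service>` element opens above the hunk.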


@ -17,14 +17,14 @@
Name: baremetal-operator
Version: 0.8.0
Release: 0.8.0
Version: 0.6.1
Release: 0.6.1
Summary: Implements a Kubernetes API for managing bare metal hosts
License: Apache-2.0
URL: https://github.com/metal3-io/baremetal-operator
Source: baremetal-operator-%{version}.tar
Source: baremetal-operator-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
BuildRequires: golang(API) = 1.21
ExcludeArch: s390
ExcludeArch: %{ix86}


@ -1,9 +1,9 @@
#!BuildTag: %%IMG_PREFIX%%cdi-chart:%%CHART_MAJOR%%.0.0_up0.4.0
#!BuildTag: %%IMG_PREFIX%%cdi-chart:%%CHART_MAJOR%%.0.0_up0.4.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0
#!BuildTag: %%IMG_PREFIX%%cdi-chart:0.4.0-%RELEASE%
apiVersion: v2
appVersion: 1.60.1
description: A Helm chart for Containerized Data Importer (CDI)
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
name: cdi
type: application
version: "%%CHART_MAJOR%%.0.0+up0.4.0"
version: 0.4.0


@ -4,7 +4,5 @@
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param>
</service>
</services>


@ -1,25 +1,26 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:v%%cluster-api_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends frr-k8s; zypper -n clean; rm -rf /var/log/*
RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.endpoint-copier-operator
# labelprefix=com.suse.application.cluster-api
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE frr-k8s Container Image"
LABEL org.opencontainers.image.description="frr-k8s based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%frr-k8s_version%%"
LABEL org.opencontainers.image.title="SLE cluster-api Container Image"
LABEL org.opencontainers.image.description="cluster-api based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%cluster-api_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api:%%cluster-api_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@ -28,6 +29,8 @@ LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
#Install frr-k8s
COPY --from=base /installroot /
ENTRYPOINT ["/frr-k8s"]
RUN mv /usr/bin/cluster-api-controller /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
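Review bot: The `org.opensuse.reference` label now names `%%IMG_PREFIX%%cluster-api:%%cluster-api_version%%-%RELEASE%`, but every `#!BuildTag` at the top of the file publishes the image as `cluster-api-controller`, so the label points at a reference this build does not produce. Tooling that resolves an image back to its published reference through that label would fail or land on a different repository. The label should match the tag: `LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%-%RELEASE%"`.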


@ -3,8 +3,8 @@
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%frr-k8s_version%%</param>
<param name="package">frr-k8s</param>
<param name="regex">%%cluster-api_version%%</param>
<param name="package">cluster-api</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">


@ -1,25 +1,25 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends kube-rbac-proxy; zypper -n clean; rm -rf /var/log/*
RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-operator shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.kube-rbac-proxy
# labelprefix=com.suse.application.cluster-api-operator
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE kube-rbac-proxy Container Image"
LABEL org.opencontainers.image.description="kube-rbac-proxy based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%kube-rbac-proxy_version%%"
LABEL org.opencontainers.image.title="SLE cluster-api-operator Container Image"
LABEL org.opencontainers.image.description="cluster-api-operator based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%cluster-api-operator_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@ -29,7 +29,7 @@ LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
#Install kube-rbac-proxy
EXPOSE 8080
USER 65532:65532
ENTRYPOINT ["/kube-rbac-proxy"]
RUN mv /usr/bin/cluster-api-operator-controller /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
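Review bot: `USER 65532` replaces `USER 65532:65532`, and with no group given the process runs with the root group (GID 0) as its primary group, because nothing in the visible build creates a passwd entry that would supply another one. That leaves the controller with group access to anything root-group-readable or -writable in the image and on mounted volumes. Keeping the explicit group, `USER 65532:65532`, preserves the non-root intent stated in the comment above it. The other Dockerfiles in this change that end in `USER 65532` (the cluster-api, cluster-api-provider-metal3 and both cluster-api-provider-rke2 images) have the same gap.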


@ -1,6 +1,12 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%cluster-api-operator_version%%</param>
<param name="package">cluster-api-operator</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>


@ -0,0 +1,23 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/kubernetes-sigs/cluster-api-operator</param>
<param name="scm">git</param>
<param name="revision">v0.12.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">steven.hardy@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>
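Review bot: `<param name="revision">v0.12.0</param>` pins the source to a Git tag, which upstream can move or re-create, so a later service run could package different code under the same version without any change in this repository. Pinning `revision` to the full commit hash the tag currently resolves to, e.g. `<param name="revision">COMMIT_SHA_PLACEHOLDER</param>`, keeps the input immutable; `@PARENT_TAG@` with `match-tag` should still derive the version string from the tag. The other `obs_scm` definitions in this change pin to tags the same way: baremetal-operator, cluster-api-provider-metal3, cluster-api-provider-rke2 and cluster-api.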


@ -0,0 +1,52 @@
#
# spec file for package cluster-api-operator
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: cluster-api-operator
Version: 0.12.0
Release: 0
Summary: Cluster API Core Controller
License: Apache-2.0
URL: https://github.com/kubernetes-sigs/cluster-api-operator
Source: cluster-api-operator-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.21
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Cluster API operator
%prep
%autosetup -a1 -n cluster-api-operator-%{version}
%build
go build \
-mod=vendor \
-buildmode=pie \
-o cluster-api-operator cmd/main.go
%install
install -D -m0755 cluster-api-operator %{buildroot}%{_bindir}/cluster-api-operator-controller
%files
%license LICENSE
%doc README.md
%{_bindir}/cluster-api-operator-controller
%changelog
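Review bot: `Summary: Cluster API Core Controller` looks copied from the cluster-api package; this spec builds `cluster-api-operator` and its own `%description` reads "Cluster API operator". Package metadata is what people see when auditing what is installed in an image, so the two packages should not be indistinguishable there. I would change it to `Summary: Cluster API Operator`.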


@ -0,0 +1,36 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-metal3:v%%cluster-api-provider-metal3_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-metal3:%%cluster-api-provider-metal3_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-metal3:%%cluster-api-provider-metal3_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-metal3 shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.cluster-api-provider-metal3
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE cluster-api-provider-metal3 Container Image"
LABEL org.opencontainers.image.description="cluster-api-provider-metal3 based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%cluster-api-provider-metal3_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-metal3:%%cluster-api-provider-metal3_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN mv /usr/bin/cluster-api-provider-metal3 /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
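Review bot: The `zypper ... install` line adds `shadow` to `/installroot`, which is copied wholesale into the final stage, but nothing in this Dockerfile calls `useradd` or `groupadd` and the runtime user is the bare numeric `USER 65532`. The package therefore only enlarges the runtime image, and user-management tools of this kind usually include setuid-root binaries, which is worth avoiding in an image meant to run unprivileged. Unless something outside this file needs it, I would drop `shadow` from the install list here and in the cluster-api, cluster-api-operator and both cluster-api-provider-rke2 Dockerfiles.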


@ -1,11 +1,11 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">README</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%cluster-api-provider-metal3_version%%</param>
<param name="package">cluster-api-provider-metal3</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>


@ -0,0 +1,23 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/metal3-io/cluster-api-provider-metal3</param>
<param name="scm">git</param>
<param name="revision">v1.8.2</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">steven.hardy@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>


@ -0,0 +1,54 @@
#
# spec file for package cluster-api-provider-metal3
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: cluster-api-provider-metal3
Version: 1.8.2
Release: 0
Summary: Cluster API Infrastructure Provider for Metal3
License: Apache-2.0
URL: https://github.com/metal3-io/cluster-api-provider-metal3
Source: cluster-api-provider-metal3-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Cluster API Provider Metal3 is one of the providers for Cluster API and enables
users to deploy a Cluster API based cluster on top of bare metal infrastructure
using Metal3.
%prep
%autosetup -a1 -n cluster-api-provider-metal3-%{version}
%build
go build \
-mod=vendor \
-buildmode=pie \
-a -ldflags '-extldflags "-static"'
%install
install -D -m0755 cluster-api-provider-metal3 %{buildroot}%{_bindir}/cluster-api-provider-metal3
%files
%license LICENSE
%doc README.md
%{_bindir}/cluster-api-provider-metal3
%changelog


@ -0,0 +1,36 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:v%%cluster-api-provider-rke2_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-bootstrap shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.cluster-api-provider-rke2
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN mv /usr/bin/rke2-bootstrap-manager /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
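Review bot: The `RUN zypper --installroot /installroot ... install ...; zypper -n clean; rm -rf /var/log/*` line joins its commands with `;`, so the step's exit status is that of the final `rm` and a failed or partial package install does not stop the build at this point. The cleanup also targets the `base` stage's own root rather than `/installroot`, so any package caches and logs under `/installroot` are presumably what get copied into the final image. I would chain with `&&` and point the cleanup at the install root: `... && zypper --installroot /installroot -n clean && rm -rf /installroot/var/log/*`. The same line appears in the other Dockerfiles in this change.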


@ -0,0 +1,19 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%cluster-api-provider-rke2_version%%</param>
<param name="package">cluster-api-provider-rke2-bootstrap</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
</service>
</services>


@ -0,0 +1,36 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:v%%cluster-api-provider-rke2_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%
#!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-control-plane shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.cluster-api-provider-rke2
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN mv /usr/bin/rke2-control-plane-manager /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]


@ -0,0 +1,19 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%cluster-api-provider-rke2_version%%</param>
<param name="package">cluster-api-provider-rke2-control-plane</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
</service>
</services>


@ -0,0 +1,23 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/rancher-sandbox/cluster-api-provider-rke2</param>
<param name="scm">git</param>
<param name="revision">v0.8.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">steven.hardy@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>


@ -0,0 +1,61 @@
#
# spec file for package cluster-api-provider-rke2
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: cluster-api-provider-rke2
Version: 0.8.0
Release: 0
Summary: Cluster API provider for RKE2
License: Apache-2.0
URL: https://github.com/rancher-sandbox/cluster-api-provider-rke2
Source: cluster-api-provider-rke2-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Cluster API provider for RKE2
%package bootstrap
Summary: Cluster API bootstrap controller for RKE2
%description bootstrap
Cluster API bootstrap controller for RKE2
%package control-plane
Summary: Cluster API control-plane controller for RKE2
%description control-plane
Cluster API control-plane controller for RKE2
%prep
%autosetup -a1 -n cluster-api-provider-rke2-%{version}
%build
make managers
%install
install -D -m0755 bin/rke2-bootstrap-manager %{buildroot}%{_bindir}/rke2-bootstrap-manager
install -D -m0755 bin/rke2-control-plane-manager %{buildroot}%{_bindir}/rke2-control-plane-manager
%files bootstrap
%{_bindir}/rke2-bootstrap-manager
%files control-plane
%{_bindir}/rke2-control-plane-manager
%changelog
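Review bot: Neither `%files bootstrap` nor `%files control-plane` lists the licence, while the other new specs in this change carry `%license LICENSE`; since there is no main-package `%files` section, no built RPM would ship the Apache-2.0 text. Adding `%license LICENSE` under both `%files` sections fixes that, assuming the upstream tree has a top-level `LICENSE` as the sibling packages do. Separately, `%build` is a bare `make managers`, so the flags the sibling specs pass explicitly (`-mod=vendor`, `-buildmode=pie`) depend entirely on the upstream Makefile. It is worth confirming that the resulting binaries are still built from the vendored tree and as PIE.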

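--- a/cluster-api/_service
+++ b/cluster-api/_service
@@ -0,0 +1,23 @@
+<services>
+<service name="obs_scm">
+<param name="url">https://github.com/kubernetes-sigs/cluster-api</param>
+<param name="scm">git</param>
+<param name="revision">v1.8.4</param>
+<param name="version">_auto_</param>
+<param name="versionformat">@PARENT_TAG@</param>
+<param name="changesgenerate">enable</param>
+<param name="changesauthor">steven.hardy@suse.com</param>
+<param name="match-tag">v*</param>
+<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+<param name="without-version">yes</param>
+<param name="versionrewrite-replacement">\1</param>
+</service>
+<service mode="buildtime" name="tar" />
+<service mode="buildtime" name="recompress">
+<param name="file">*.tar</param>
+<param name="compression">gz</param>
+</service>
+<service name="go_modules">
+</service>
+<service mode="buildtime" name="set_version" />
+</services>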


@ -0,0 +1,51 @@
#
# spec file for package cluster-api
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: cluster-api
Version: 1.8.4
Release: 0
Summary: Cluster API Core Controller
License: Apache-2.0
URL: https://github.com/kubernetes-sigs/cluster-api
Source: cluster-api-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Cluster API core controller
%prep
%autosetup -a1 -n cluster-api-%{version}
%build
go build \
-mod=vendor \
-buildmode=pie \
%install
install -D -m0755 cluster-api %{buildroot}%{_bindir}/cluster-api-controller
%files
%license LICENSE
%doc README.md
%{_bindir}/cluster-api-controller
%changelog
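Review bot: The `go build` command in `%build` ends on a dangling line continuation, `-buildmode=pie \`, with no argument after it, so it only terminates cleanly because of whatever follows it in the file (blank lines are not visible on this page). The output name is also implicit, while `%install` depends on a binary called `cluster-api` existing in the build directory. Dropping the trailing backslash and naming the output makes both explicit: `-buildmode=pie -o cluster-api .`.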


@ -8,8 +8,10 @@
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">cosign.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="set_version" />
<service name="go_modules">


@ -24,7 +24,7 @@ Release: 0
Summary: Container Signing, Verification and Storage in an OCI registry
License: Apache-2.0
URL: https://github.com/rancher-government-carbide/cosign
Source: cosign-%{version}.tar
Source: cosign-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang-packaging


@ -7,14 +7,10 @@
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="file">artifacts.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">CHART_REPO=$(rpm --macros=/root/.rpmmacros -E %chart_repo)</param>
<param name="var">CHART_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param>
</service>
</services>


@ -1,11 +1,11 @@
metallb:
chart: metallb-chart
repository: "%%CHART_REPO%%/%%IMG_PREFIX%%"
version: "%%CHART_MAJOR%%.0.0+up0.14.9"
repository: %%CHART_REPO%%/3.1
version: 0.14.9
endpoint-copier-operator:
chart: endpoint-copier-operator-chart
repository: "%%CHART_REPO%%/%%IMG_PREFIX%%"
version: "%%CHART_MAJOR%%.0.0+up0.2.1"
repository: %%CHART_REPO%%/3.1
version: 0.2.1
kubernetes:
k3s:
selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch
@ -13,3 +13,4 @@ kubernetes:
rke2:
selinuxPackage: rke2-selinux
selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch
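Review bot: The new `repository: %%CHART_REPO%%/3.1` values under `metallb` and `endpoint-copier-operator` drop the quotes the old lines had, leaving a plain scalar that starts with `%`, a reserved indicator in YAML. The file therefore only parses once the `replace_using_env` service has substituted the placeholder, and anything that reads or lints it before then will reject it. The quoted form is harmless after substitution: `repository: "%%CHART_REPO%%/3.1"`. The hard-coded `3.1` path segment also replaces the `%%IMG_PREFIX%%` placeholder, so this file now needs a manual edit for every release line.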


@ -9,8 +9,10 @@
<param name="versionrewrite-replacement">\1.\2.\3</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">edge-image-builder.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="set_version" />
<service name="go_modules">


@ -22,7 +22,7 @@ Release: 0
Summary: Edge Image Builder
License: Apache-2.0
URL: https://github.com/suse-edge/edge-image-builder
Source: edge-image-builder-%{version}.tar
Source: edge-image-builder-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) go1.22
BuildRequires: golang-packaging


@ -1,8 +1,8 @@
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:%%CHART_MAJOR%%.0.0_up0.2.1
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:%%CHART_MAJOR%%.0.0_up0.2.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:0.2.1
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:0.2.1-%RELEASE%
apiVersion: v2
appVersion: v0.2.0
description: A Helm chart for Kubernetes
name: endpoint-copier-operator
type: application
version: "%%CHART_MAJOR%%.0.0+up0.2.1"
version: 0.2.1


@ -11,7 +11,5 @@
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param>
</service>
</services>


@ -12,8 +12,10 @@
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">endpoint-copier-operator.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>


@ -22,7 +22,7 @@ Release: 0.2.0
Summary: Implements a Kubernetes API for copying endpoint resources
License: Apache-2.0
URL: https://github.com/suse-edge/endpoint-copier-operator
Source: endpoint-copier-operator-%{version}.tar
Source: endpoint-copier-operator-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.20
ExcludeArch: s390


@ -1,58 +0,0 @@
# SPDX-License-Identifier: MIT
#!BuildTag: %%IMG_PREFIX%%frr:8.4
#!BuildTag: %%IMG_PREFIX%%frr:8.4-%RELEASE%
#!BuildVersion: 15.5
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends tcpdump libpcap-devel iproute2 iputils strace socat frr python3 catatonit sed util-linux; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.frr
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="FRR Container Image"
LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="8.4"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.4-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
#Install frr
USER root
ENV PYTHONDONTWRITEBYTECODE yes
# frr.sh is the entry point. This script examines environment
# variables to direct operation and configure ovn
ADD frr.sh /root/
ADD daemons /etc/frr
ADD frr.conf /etc/frr
ADD vtysh.conf /etc/frr
RUN chown frr:frr /etc/frr/daemons /etc/frr/frr.conf
RUN ln -s /usr/bin/catatonit /sbin/tini
RUN usermod -a -G frrvty frr
COPY docker-start /usr/libexec/frr/docker-start
RUN cp -r /usr/libexec/frr /usr/lib/ # required because of the different path on rhel
WORKDIR /root
ENTRYPOINT ["/sbin/tini", "--"]
COPY docker-start /usr/lib/frr/docker-start
RUN chmod +x /usr/lib/frr/docker-start
CMD ["/usr/lib/frr/docker-start"]


@ -1,82 +0,0 @@
# This file tells the frr package which daemons to start.
#
# Entries are in the format: <daemon>=(yes|no|priority)
# 0, "no" = disabled
# 1, "yes" = highest priority
# 2 .. 10 = lower priorities
#
# For daemons which support multiple instances, a 2nd line listing
# the instances can be added. Eg for ospfd:
# ospfd=yes
# ospfd_instances="1,2"
#
# Priorities were suggested by Dancer <dancer@zeor.simegen.com>.
# They're used to start the FRR daemons in more than one step
# (for example start one or two at network initialization and the
# rest later). The number of FRR daemons being small, priorities
# must be between 1 and 9, inclusive (or the initscript has to be
# changed). /etc/init.d/frr then can be started as
#
# /etc/init.d/frr <start|stop|restart|<priority>>
#
# where priority 0 is the same as 'stop', priority 10 or 'start'
# means 'start all'
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
watchfrr_enable=yes
watchfrr_options="-r '/usr/lib/frr/frr restart %s' -s '/usr/lib/frr/frr start %s' -k '/usr/lib/frr/frr stop %s'"
#
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
nhrpd=no
eigrpd=no
sharpd=no
pbrd=no
staticd=yes
bfdd=yes
fabricd=no
#
# Command line options for the daemons
#
zebra_options=("-A 127.0.0.1")
bgpd_options=("-A 127.0.0.1")
ospfd_options=("-A 127.0.0.1")
ospf6d_options=("-A ::1")
ripd_options=("-A 127.0.0.1")
ripngd_options=("-A ::1")
isisd_options=("-A 127.0.0.1")
pimd_options=("-A 127.0.0.1")
nhrpd_options=("-A 127.0.0.1")
eigrpd_options=("-A 127.0.0.1")
sharpd_options=("-A 127.0.0.1")
pbrd_options=("-A 127.0.0.1")
staticd_options=("-A 127.0.0.1")
bfdd_options=("-A 127.0.0.1")
fabricd_options=("-A 127.0.0.1")
#
# If the vtysh_enable is yes, then the unified config is read
# and applied if it exists. If no unified frr.conf exists
# then the per-daemon <daemon>.conf files are used)
# If vtysh_enable is no or non-existant, the frr.conf is ignored.
# it is highly suggested to have this set to yes
vtysh_enable=yes


@ -1,4 +0,0 @@
#!/bin/bash
source /usr/lib/frr/frrcommon.sh
/usr/lib/frr/watchfrr $(daemon_list)


@ -1,53 +0,0 @@
frr defaults traditional
log file /var/log/frr/frr.log
log syslog informational
log stdout debugging
ipv6 forwarding
service integrated-vtysh-config
!
debug bgp updates in
debug bgp updates out
debug bgp zebra
!
interface eth0
no ipv6 nd suppress-ra
ipv6 nd ra-interval 10
!
router bgp OCPASN
bgp router-id OCPROUTERID
bgp bestpath as-path multipath-relax
bgp bestpath compare-routerid
!
neighbor OCPnodes peer-group
neighbor OCPnodes description Internal OCP Nodes
neighbor OCPnodes remote-as OCPASN
neighbor OCPnodes bfd
neighbor OCPnodes capability extended-nexthop
!neighbor eth0 interface peer-group OCPnodes
!neighbor OCPPEER remote-as OCPASN peer-group OCPnodes
neighbor OCPPEER peer-group OCPnodes
!
address-family ipv4 unicast
redistribute connected
neighbor OCPnodes activate
exit-address-family
!
address-family ipv6 unicast
redistribute connected
neighbor OCPnodes activate
neighbor OCPnodes nexthop-local unchanged
exit-address-family
!
!
bfd
peer OCPPEER vrf default interface eth0
receive-interval 2000
transmit-interval 2000
echo-mode
echo-interval 3000
no shutdown
exit
!
line vty
!


@ -1,124 +0,0 @@
#!/bin/bash
#set -euo pipefail
# Enable verbose shell output if FRR_SH_VERBOSE is set to 'true'
if [[ "${FRR_SH_VERBOSE:-}" == "true" ]]; then
set -x
fi
# The argument to the command is the operation to be performed
# frr-node display display_env
# a cmd must be provided, there is no default
cmd=${1:-""}
# The frr user id, by default it is going to be frr:frr
frr_user_id=${FRR_USER_ID:-""}
# frr options
frr_options=${FRR_OPTIONS:-""}
# This script is the entrypoint to the image.
# frr.sh version (update when API between daemonset and script changes - v.x.y)
frr_version="3"
# The daemonset version must be compatible with this script.
# The default when FRR_DAEMONSET_VERSION is not set is version 3
frr_daemonset_version=${FRR_DAEMONSET_VERSION:-"3"}
# hostname is the host's hostname when using host networking,
# This is useful on the master
# otherwise it is the container ID (useful for debugging).
frr_pod_host=${K8S_NODE:-$(hostname)}
# The ovs user id, by default it is going to be root:root
frr_user_id=${FRR_USER_ID:-""}
# frr options
frr_options=${FRR_OPTIONS:-""}
# frr.conf variables
ocp_asn=${OCPASN:-65000}
ocp_routerid=${OCPROUTERID:-"10.10.10.1"}
ocp_peer=${OCPPEER:-"10.10.10.1"}
FRR_ETCDIR=/etc/frr
FRR_RUNDIR=/var/run/frr
FRR_LOGDIR=/var/log/frr
# =========================================
setup_frr_permissions() {
chown -R ${frr_user_id} ${FRR_RUNDIR}
chown -R ${frr_user_id} ${FRR_LOGDIR}
chown -R ${frr_user_id} ${FRR_ETCDIR}
}
# =========================================
display_version() {
echo " =================== hostname: ${frr_pod_host}"
echo " =================== daemonset version ${frr_daemonset_version}"
if [[ -f /root/git_info ]]; then
disp_ver=$(cat /root/git_info)
return
fi
}
display_env() {
echo FRR_USER_ID ${frr_user_id}
echo FRR_OPTIONS ${frr_options}
echo frr.sh version ${frr_version}
echo ocp_asn ${ocp_asn}
echo ocp_routerid ${ocp_routerid}
echo ocp_peer ${ocp_peer}
}
# frr-node - all nodes
frr-node() {
trap 'kill $(jobs -p) ; exit 0' TERM
rm -f ${FRR_RUNDIR}/frr.pid
echo "=============== frr-node ========== update frr.conf"
sed -i "s/OCPASN/$ocp_asn/" /etc/frr/frr.conf
sed -i "s/OCPPEER/$ocp_peer/" /etc/frr/frr.conf
sed -i "s/OCPROUTERID/$ocp_routerid/" /etc/frr/frr.conf
#chown -R frr:frr /etc/frr
chown -R frr:frr ${FRR_RUNDIR}
echo "=============== frr-node ========== starting"
# /usr/lib/frr/frrinit.sh start
# bash -x /usr/lib/frr/frrinit.sh start
bash -x
/usr/lib/frr/frrinit.sh start
frrResult=$?
echo "=============== frrinit result is ${frrResult} "
# Sleep forever
exec tail -f /dev/null
}
echo "================== frr.sh --- version: ${frr_version} ================"
display_version
display_env
case ${cmd} in
"frr-node")
frr-node
;;
"display_env")
display_env
exit 0
;;
"display")
display
exit 0
;;
*)
echo "invalid command ${cmd}"
echo "valid v3 commands: frr-node display_env display "
exit 0
;;
esac
exit 0



@ -12,8 +12,10 @@
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">frr-k8s.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>


@ -22,7 +22,7 @@ Release: 0.0.14
Summary: A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
License: Apache-2.0
URL: https://github.com/metallb/frr-k8s
Source: frr-k8s-%{version}.tar
Source: frr-k8s-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390


@ -8,8 +8,10 @@
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">hauler.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service mode="buildtime" name="set_version" />
<service name="go_modules">

View File

@ -23,7 +23,7 @@ Release: 0
Summary: Airgap Swiss Army Knife
License: Apache-2.0
URL: https://github.com/hauler-dev/hauler
Source: hauler-%{version}.tar
Source: hauler-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang-packaging
BuildRequires: cosign


@ -0,0 +1,36 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ip-address-manager:v%%ip-address-manager_version%%
#!BuildTag: %%IMG_PREFIX%%ip-address-manager:%%ip-address-manager_version%%
#!BuildTag: %%IMG_PREFIX%%ip-address-manager:%%ip-address-manager_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends ip-address-manager shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.ip-address-manager
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE ip-address-manager Container Image"
LABEL org.opencontainers.image.description="ip-address-manager based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%ip-address-manager_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ip-address-manager:%%ip-address-manager_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN mv /usr/bin/ip-address-manager /manager
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
USER 65532
ENTRYPOINT [ "/manager" ]
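Review bot: The `RUN zypper --installroot /installroot … install …; zypper -n clean; rm -rf /var/log/*` line chains its commands with `;` and has no `set -e`, so the step's exit status is that of the final `rm` and a failed package install does not stop the build at this step. The ironic Dockerfile on this page starts such lines with `set -euo pipefail;`, and the same prefix fits here: `RUN set -euo pipefail; zypper --installroot /installroot --non-interactive install --no-recommends ip-address-manager shadow; zypper -n clean; rm -rf /var/log/*`. The cleanup also targets `/var/log` of the `base` stage rather than `/installroot/var/log`, which is the tree that `COPY --from=base /installroot /` carries into the final image. Whether the `shadow` package is needed at runtime is not visible here and is worth confirming, since the image already runs as the numeric `USER 65532`.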


@ -3,8 +3,8 @@
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%kube-rbac-proxy_version%%</param>
<param name="package">kube-rbac-proxy</param>
<param name="regex">%%ip-address-manager_version%%</param>
<param name="package">ip-address-manager</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">


@ -0,0 +1,23 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/metal3-io/ip-address-manager</param>
<param name="scm">git</param>
<param name="revision">v1.8.1</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">steven.hardy@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>
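Review bot: `<param name="revision">v1.8.1</param>` pins the upstream source to a git tag, and a tag can be moved upstream after review, so a later service run could fetch different code under the same version. Pinning `revision` to the full commit hash that `v1.8.1` points at (for example `<param name="revision">COMMIT_SHA_PLACEHOLDER</param>`, with the tag recorded in an XML comment next to it) makes the fetched tree reproducible. The `go_modules` service builds `vendor.tar.gz` from that same tree, so the pin also fixes the vendored dependency set.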


@ -0,0 +1,51 @@
#
# spec file for package ip-address-manager
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: ip-address-manager
Version: 1.8.1
Release: 0
Summary: Metal3 IPAM controller
License: Apache-2.0
URL: https://github.com/metal3-io/ip-address-manager
Source: ip-address-manager-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Metal3 IPAM controller
%prep
%autosetup -a1 -n ip-address-manager-%{version}
%build
go build \
-mod=vendor \
-buildmode=pie \
%install
install -D -m0755 ip-address-manager %{buildroot}%{_bindir}/ip-address-manager
%files
%license LICENSE
%doc README.md
%{_bindir}/ip-address-manager
%changelog
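Review bot: The `go build` command in `%build` ends with a line-continuation backslash after `-buildmode=pie`, and nothing is visible after it before `%install` (the page seems to drop blank lines, so the original may have an empty line there). A dangling continuation is easy to break when an argument is appended later. Ending the command explicitly, with `-buildmode=pie \` followed by `-o ip-address-manager .`, also makes the binary name that `%install` expects independent of the module path.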


@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.2
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.2-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0
#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
@ -8,14 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper -n in --no-recommends gcc git make xz-devel shim dosfstools mtools glibc-extra grub2-x86_64-efi grub2; zypper -n clean; rm -rf /var/log/*; \
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper -n rm kubic-locale-archive-2.31-10.36.noarch openssl-1_1-1.1.1l-150500.17.37.1.aarch64; zypper -n in --no-recommends gcc git make xz-devel openssl-3 mokutil shim dosfstools mtools glibc glibc-extra grub2 grub2-arm64-efi; zypper -n clean; rm -rf /var/log/* ;\
fi
RUN set -euo pipefail; zypper -n in --no-recommends gcc git make xz-devel shim dosfstools mtools glibc-extra grub2-x86_64-efi grub2; zypper -n clean; rm -rf /var/log/*
WORKDIR /tmp
COPY prepare-efi.sh /bin/
RUN set -euo pipefail; chmod +x /bin/prepare-efi.sh
@ -23,20 +16,7 @@ RUN /bin/prepare-efi.sh
COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi
# DATABASE
RUN mkdir -p /installroot/var/lib/ironic && \
/installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
zypper --installroot /installroot --non-interactive remove sqlite3
RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api
FROM micro AS final
MAINTAINER SUSE LLC (https://www.suse.com/)
@ -46,8 +26,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.version="26.1.2.2"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.2-%RELEASE%"
LABEL org.opencontainers.image.version="24.1.2.0"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@ -68,8 +48,8 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
COPY mkisofs_wrapper /usr/bin/mkisofs
RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runironic-api runironic-conductor runironic-exporter runironic-inspector runlogwatch.sh tls-common.sh configure-nonroot.sh /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runironic-api; chmod +x /bin/runironic-conductor; chmod +x /bin/runironic-exporter; chmod +x /bin/runironic-inspector; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
RUN mkdir -p /tftpboot
RUN mkdir -p $GRUB_DIR
@ -79,19 +59,11 @@ RUN mkdir -p $GRUB_DIR
# IRONIC #
RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\
fi
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "aarch64" ]; then\
cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
fi
RUN cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi
COPY --from=base /tmp/esp.img /tmp/uefi_esp.img
COPY ironic.conf.j2 /etc/ironic/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 /tmp/
COPY network-data-schema-empty.json /etc/ironic/
# DNSMASQ
@ -101,7 +73,14 @@ COPY dnsmasq.conf.j2 /etc/
COPY httpd.conf.j2 /etc/httpd/conf/
COPY httpd-modules.conf /etc/httpd/conf.modules.d/
COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
# IRONIC-INSPECTOR #
RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal"
COPY ironic-inspector.conf.j2 /etc/ironic-inspector/
COPY inspector-apache.conf.j2 /etc/httpd/conf.d/
# Workaround
# Removing the 010-ironic.conf file that comes with the package
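Review bot: `sqlite3` now stays in the shipped image: the step that created the database under `/installroot` and then ran `zypper --installroot /installroot --non-interactive remove sqlite3` is gone, and the databases are instead created in the `final` stage with `sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal"`. The same install line also puts `git`, `curl`, `vim`, `python311-pip` and `python311-devel` into the runtime root, which widens what is available to anything running in the container. Creating both databases in the `base` stage under `/installroot/var/lib/…` and removing `sqlite3` afterwards would keep the runtime image smaller. Separately, the aarch64 branches are dropped while `grub2-x86_64-efi` and `ipxe-x86_64.efi` are used unconditionally, so the file presumably no longer builds for aarch64. Old and new sides are inferred from print order, as the `+`/`-` column is missing on this page.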


@ -1,35 +0,0 @@
Listen {{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IPXE_CERT_FILE }}
SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
<Directory "/shared/html">
Order Allow,Deny
Allow from all
</Directory>
<Directory "/shared/html/(redfish|ilo|images)/">
Order Deny,Allow
Deny from all
</Directory>
</VirtualHost>
<Location ~ "^/grub.*/">
SSLRequireSSL
</Location>
<Location ~ "^/pxelinux.cfg/">
SSLRequireSSL
</Location>
<Location ~ "^/.*\.conf/">
SSLRequireSSL
</Location>
<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
SSLRequireSSL
</Location>


@ -9,18 +9,16 @@ Listen {{ env.VMEDIA_TLS_PORT }}
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
<Directory "/shared">
AllowOverride None
Require all granted
</Directory>
<Directory ~ "/shared/html">
Order deny,allow
deny from all
</Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
Order allow,deny
allow from all
</Directory>
<Directory ~ "/shared/html/images/">
Order allow,deny
allow from all
<Directory "/shared/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
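Review bot: The `<Directory "/shared/html">` block that appears to be the new side grants `Require all granted` with `Options Indexes FollowSymLinks` on the whole HTTP root, where the other side denied `/shared/html` by default and opened only `(redfish|ilo)/` and `images/`. That exposes directory listings and every other file placed under `/shared/html`, and lets the server follow symlinks placed there. Unless listing is needed, keep the deny-by-default layout, or at least use `Options -Indexes` with a `Require all denied` default and explicit grants for the served subdirectories. The `+`/`-` column is missing on this page, so which block is new is inferred from print order.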


@ -2,39 +2,36 @@
set -euxo pipefail
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
configure_client_basic_auth()
{
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file
# Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
# when running the api as a WSGI app.
crudini --merge "${dest}" < "${auth_config_file}"
fi
}
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
export JSON_RPC_AUTH_STRATEGY="noauth"
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
export JSON_RPC_AUTH_STRATEGY="http_basic"
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
else
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}
@ -51,9 +48,24 @@ configure_ironic_auth()
fi
}
configure_inspector_auth()
{
local config=/etc/ironic-inspector/ironic-inspector.conf
if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
fi
}
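Review bot: `configure_json_rpc_auth`, on what appears to be the new side, starts with `export JSON_RPC_AUTH_STRATEGY="noauth"` and only switches to `http_basic` when `IRONIC_HTPASSWD` is set and `IRONIC_DEPLOYMENT` is `Conductor`, whereas the other side stopped with `FATAL: enabling JSON RPC requires authentication`. Combined with `IRONIC_EXPOSE_JSON_RPC` defaulting to `true` in the configuration script further down this page, a deployment without an htpasswd could end up exposing JSON RPC unauthenticated; how the strategy is consumed is not visible here. Failing closed is safer: keep `if [[ -z "${IRONIC_HTPASSWD}" ]]; then echo "FATAL: enabling JSON RPC requires authentication"; exit 1; fi` whenever JSON RPC is exposed. Sides are inferred from print order because the `+`/`-` column is missing.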


@ -2,13 +2,14 @@
set -euxo pipefail
IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
# shellcheck disable=SC1091
. /bin/tls-common.sh
@ -19,17 +20,13 @@ export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_I
export HTTP_PORT=${HTTP_PORT:-80}
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
# TODO(dtantsur): remove the explicit default once we get
@ -40,6 +37,9 @@ if [[ "$NUMPROC" -lt 4 ]]; then
fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
@ -58,14 +58,16 @@ wait_for_interface_or_ip
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
export IRONIC_INSPECTOR_BASE_URL=${IRONIC_INSPECTOR_BASE_URL:-"${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}"}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
export IRONIC_EXTERNAL_CALLBACK_URL="${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
export IRONIC_EXTERNAL_HTTP_URL="https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"
else
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
export IRONIC_EXTERNAL_HTTP_URL="http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"
fi
export IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE="https://${IRONIC_EXTERNAL_IP}:${IRONIC_INSPECTOR_ACCESS_PORT}"
fi
IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
@ -88,32 +90,13 @@ mkdir -p /shared/ironic_prometheus_exporter
configure_json_rpc_auth
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
configure_client_basic_auth ironic-inspector
fi
configure_client_basic_auth ironic-rpc
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
export PROBE_CURL_ARGS
export PROBE_URL
PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness
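Review bot: The script runs under `set -euxo pipefail`, so the xtrace output includes the expanded `export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@…"` line and the database password ends up in the container log. Turn tracing off around the secret-bearing assignments, for example `{ set +x; } 2>/dev/null` before `MARIADB_PASSWORD=…` and `set -x` after the connection string is exported, or drop `-x` from the default and enable it through a debug variable. The same applies to the auth script section earlier on this page, where `printf "%s\n" "${IRONIC_HTPASSWD}"` is traced. On what appears to be the new side the `if [[ "$IRONIC_USE_MARIADB" == "true" ]]` guard is also gone, so with `set -u` an unset `MARIADB_PASSWORD` aborts the script even when MariaDB is not used; side assignment is inferred from print order.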


@ -10,12 +10,12 @@ useradd -r -g ${NONROOT_GID} \
-d /var/lib/ironic \
-s /sbin/nologin \
${USER}
# create ironic's http_root directory
mkdir -p /shared/html
chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
# we'll bind mount shared ca and ironic certificate dirs here
# we'll bind mount shared ca and ironic/inspector certificate dirs here
# that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca
@ -26,15 +26,17 @@ chmod 2775 /certs{,/ca}
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
# ironic and httpd related changes
mkdir -p /etc/httpd/conf.d
# ironic, inspector and httpd related changes
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic-inspector
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
chmod 664 /var/lib/ironic/ironic.sqlite
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic-inspector
chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
# dnsmasq, and the capabilities required to run it as non-root user
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
@ -46,8 +48,3 @@ chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
touch /var/lib/ca-certificates/ca-bundle.pem.new
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
chmod -R +w /var/lib/ca-certificates/
# probes that are created before start
touch /bin/ironic-{readi,live}ness
chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
chmod 775 /bin/ironic-{readi,live}ness
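Review bot: The `chmod 664` on `/var/lib/ironic/ironic.db` and `/var/lib/ironic-inspector/ironic-inspector.db` in the `@ -26,15 +26,17 @` hunk leaves both SQLite files readable by every user in the image, and the same mode is applied to everything under `/etc/ironic` and `/etc/ironic-inspector`. Ironic's node records normally carry BMC credentials in `driver_info`, and the rendered configs may hold auth settings, so these files should not be world-readable. The comment earlier in the file says the deployment shares a single fsGroup, so owner and group access should be enough: `chmod 660 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db`. The `/etc/ironic/*` and `/etc/ironic-inspector/*` globs could take `660` as well, unless something outside the group needs to read them.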


@ -29,23 +29,13 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
# IPv4 Configuration:
dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading
{%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
# iPXE with BIOS
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
{% else %}
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
{% endif %}
# Note: Need to test EFI booting
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
{%- if env.IPXE_TLS_SETUP == "true" %}
dhcp-boot=tag:efi,tag:ipxe,snponly.efi
{% endif %}
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
# Client is running PXE over BIOS; send BIOS version of iPXE chainloader


@ -19,6 +19,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
{% endif %}
{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
@ -27,8 +29,14 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
{% endif %}
{% else %}
WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
WSGIScriptAlias / /usr/bin/ironic-api-wsgi
{% endif %}
SetEnv APACHE_RUN_USER ironic-suse
SetEnv APACHE_RUN_GROUP ironic-suse
WSGIProcessGroup ironic-suse
ErrorLog /dev/stderr
LogLevel debug
@ -41,6 +49,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
{% endif %}
{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
<Location />
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
@ -49,6 +58,22 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
Require valid-user
{% endif %}
</Location>
{% else %}
<Directory /usr/bin >
WSGIProcessGroup ironic
WSGIApplicationGroup %{GLOBAL}
AllowOverride None
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
AuthName "Restricted WSGI area"
AuthUserFile "/etc/ironic/htpasswd"
Require valid-user
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
<Location ~ "^/(v1/?)?$" >
Require all granted
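Review bot: In the added `<Directory /usr/bin >` block, the branch taken when `IRONIC_HTPASSWD` is unset ends in `Require all granted`, so in WSGI mode httpd enforces nothing and the API is only as protected as Ironic's own `auth_strategy`. The ironic.conf template in this same comparison falls back to `auth_strategy = noauth` when `AUTH_STRATEGY` is undefined, so a deployment with neither variable set would serve the API unauthenticated. I would refuse to render in that combination, or at least document it next to the directive, e.g. `# No htpasswd: access control is delegated to ironic's auth_strategy`. Separately, `WSGIProcessGroup ironic-suse` at virtual-host level names a group that the visible `WSGIDaemonProcess ironic` line does not define; if that line is on the new side it looks unintended. The `<VirtualHost>` block starts and ends outside these hunks.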


@ -5,6 +5,7 @@ LoadModule dir_module /usr/lib64/apache2/mod_dir.so
LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
#LoadModule unixd_module modules/mod_unixd.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so
LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
LoadModule env_module /usr/lib64/apache2/mod_env.so
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so


@ -1,6 +1,6 @@
ServerRoot "/etc/httpd"
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen {{ env.HTTP_PORT }}
Listen [::]:{{ env.HTTP_PORT }}
{% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
{% endif %}


@ -5,6 +5,6 @@ echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
boot
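Review bot: The inspection `kernel` line hard-codes `ipa-insecure=1`, so the inspection ramdisk skips TLS certificate verification however the deployment is configured, whereas the `kernel_append_params` lines in ironic.conf.j2 on this page use `ipa-insecure={{ env.IPA_INSECURE }}`. Using the same variable here, `ipa-insecure={{ env.IPA_INSECURE }}`, keeps the two boot paths consistent and allows verified callbacks when the ramdisk has a CA available. The new side also switches the image URLs from `env.IRONIC_URL_HOST` to `env.IRONIC_IP`; if `IRONIC_IP` can be a bare IPv6 address (not shown here), `http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/...` is not a valid URL without brackets.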


@ -1,81 +0,0 @@
#!ipxe
set attempts:int32 10
set i:int32 0
goto deploy
:deploy
imgfree
{%- if pxe_options.deployment_aki_path %}
{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
{%- endif %}
{%- if pxe_options.deployment_ari_path %}
{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
{%- endif %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
boot
:retry
iseq ${i} ${attempts} && goto fail ||
inc i
echo No response, retrying in ${i} seconds.
sleep ${i}
goto deploy
:fail
echo Failed to get a response after ${attempts} attempts
echo Powering off in 30 seconds.
sleep 30
poweroff
:boot_anaconda
imgfree
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
boot
:boot_ramdisk
imgfree
{%- if pxe_options.boot_iso_url %}
sanboot {{ pxe_options.boot_iso_url }}
{%- else %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
boot
{%- endif %}
{%- if pxe_options.boot_from_volume %}
:boot_iscsi
imgfree
{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
set username {{ volume.username }}
set password {{ volume.password }}
{%- set drive_id = 129 + i %}
sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
{%- endfor %}{% endif %}
{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
sanboot --no-describe || goto fail_iscsi_retry
:fail_iscsi_retry
echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
sleep 10
goto boot_iscsi
{%- endif %}
:boot_whole_disk
sanboot --no-describe || exit 0


@ -6,7 +6,6 @@ IRONIC_IP="${IRONIC_IP:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
get_provisioning_interface()
{
@ -73,10 +72,7 @@ wait_for_interface_or_ip()
render_j2_config()
{
ls $1 # DEBUG
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
ls $2 # DEBUG
}
run_ironic_dbsync()
@ -90,18 +86,25 @@ run_ironic_dbsync()
done
else
# SQLite does not support some statements. Fortunately, we can just create
# the schema in one go if not already created, instead of going through an upgrade
DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
# the schema in one go instead of going through an upgrade.
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-6388}
export IRONIC_INSPECTOR_PRIVATE_PORT=${IRONIC_INSPECTOR_PRIVATE_PORT:-5049}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
# If this is false, built-in inspection is used.
export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
echo "Discovery is only supported with ironic-inspector at this point"
exit 1
fi
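Review bot: The default for `IRONIC_PRIVATE_PORT` changes from the `unix` socket to TCP port `6388`, which turns the proxied backend into a loopback listener that any process in the same network namespace can reach without going through httpd. A comment in ironic.conf.j2 on this page notes that the containers run in host networking, so that includes other workloads on the node, and whether the backend authenticates requests itself depends on `auth_strategy`. Unless something needs the TCP port, I would keep `export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}` together with the comment explaining the special value. In the `run_ironic_dbsync` hunk, `create_schema` now appears to run unconditionally; ironic-dbsync rejects that on an already-populated database, so a restart with a persisted SQLite file may fail. That function starts outside the hunk.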


@ -1,9 +0,0 @@
#!/bin/bash
set -eu -o pipefail
curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
# to make sure the conductor is ready. This requires having access to secrets
# since these endpoints are authenticated.


@ -1,22 +1,28 @@
[DEFAULT]
{% if env.AUTH_STRATEGY is defined %}
auth_strategy = {{ env.AUTH_STRATEGY }}
{% if env.AUTH_STRATEGY == "http_basic" %}
http_basic_auth_user_file=/etc/ironic/htpasswd
{% endif %}
{% else %}
auth_strategy = noauth
{% endif %}
debug = true
default_deploy_interface = direct
default_inspect_interface = agent
default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
default_network_interface = noop
enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
enabled_firmware_interfaces = no-firmware,fake,redfish
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_network_interfaces = noop
enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
enabled_firmware_interfaces = no-firmware,fake,redfish
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
@ -26,7 +32,14 @@ use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
my_ip = {{ env.IRONIC_IP }}
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
# If we run both API and conductor in the same pod, use localhost
host = localhost
{% else %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
{% endif %}
# If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %}
@ -83,7 +96,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
@ -112,7 +125,7 @@ default_boot_option = local
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
http_url = {{ env.IRONIC_BOOT_BASE_URL }}
fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
@ -130,22 +143,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
dhcp_provider = none
[inspector]
# NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
# booting IPA through a separate inspector.ipxe rather than the driver's boot
# interface), so managed boot is not required.
require_managed_boot = False
power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
# NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
{% if env.USE_IRONIC_INSPECTOR == "true" %}
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
{% endif %}
{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
{% endif %}
{% else %}
hooks = $default_hooks,parse-lldp
add_ports = all
keep_ports = present
[auto_discovery]
enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
driver = ipmi
{% endif %}
[ipmi]
# use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@ -174,9 +191,15 @@ cipher_suite_versions = 3,17
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = http_basic
auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
host_ip = localhost
{% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
@ -201,27 +224,24 @@ images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
# This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface).
enable_netboot_fallback = true
# Enable the fallback path to in-band inspection
ipxe_fallback_script = inspector.ipxe
{% if env.IPXE_TLS_SETUP | lower == "true" %}
ipxe_config_template = /tmp/ipxe_config.template
{% endif %}
[redfish]
use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
[ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
use_web_server_for_images = true
[irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}
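Review bot: In the `[json_rpc]` hunk, `auth_strategy` now comes from `JSON_RPC_AUTH_STRATEGY`, but `host_ip = localhost` is applied only when `IRONIC_DEPLOYMENT == "Conductor"` as well; with `noauth` and any other deployment value, `host_ip` falls through to `::` or `IRONIC_IP` and the RPC endpoint listens unauthenticated on a routable address. The comment just above still says authentication is required because the containers share host networking, so the bind should depend on the auth strategy alone: `{% if env.JSON_RPC_AUTH_STRATEGY == "noauth" %}` for the `host_ip` condition. An unset `JSON_RPC_AUTH_STRATEGY` would also render an empty `auth_strategy =`; whether a default is exported elsewhere is not visible here. The new `[DEFAULT]` block has the same weakness: it falls back to `auth_strategy = noauth` when `AUTH_STRATEGY` is undefined, and a fail-closed default would be safer.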


@ -6,37 +6,22 @@ ARCH=$(uname -m)
DEST=${2:-/tmp/esp.img}
OS=${1:-sles}
if [ $ARCH = "aarch64" ]; then
BOOTEFI=BOOTAA64.EFI
GRUBEFI=grubaa64.efi
else
BOOTEFI=BOOTX64.efi
GRUBEFI=grubx64.efi
fi
BOOTEFI=BOOTX64.efi
GRUBEFI=grubx64.efi
dd bs=1024 count=6400 if=/dev/zero of=$DEST
mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST
mkdir -p /boot/efi/EFI/BOOT
cp -L /usr/lib64/efi/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI
mkdir -p /boot/efi/EFI/$OS
if [ $ARCH = "aarch64" ]; then
cp -L /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI
cp -L /usr/share/efi/aarch64/grub.efi /boot/efi/EFI/BOOT/grub.efi
cp /usr/share/grub2/arm64-efi/grub.efi /boot/efi/EFI/$OS/grubaa64.efi
else
cp -L /usr/lib64/efi/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI
#cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/$GRUBEFI
cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/grub.efi
fi
#cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/$GRUBEFI
cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/grub.efi
mmd -i $DEST EFI
mmd -i $DEST EFI/BOOT
mcopy -i $DEST -v /boot/efi/EFI/BOOT/$BOOTEFI ::EFI/BOOT
if [ $ARCH = "aarch64" ]; then
mcopy -i $DEST -v /boot/efi/EFI/BOOT/grub.efi ::EFI/BOOT
mcopy -i $DEST -v /boot/efi/EFI/$OS/$GRUBEFI ::EFI/BOOT
else
mcopy -i $DEST -v /boot/efi/EFI/$OS/grub.efi ::EFI/BOOT
fi
#mcopy -i $DEST -v /boot/efi/EFI/$OS/$GRUBEFI ::EFI/BOOT
mcopy -i $DEST -v /boot/efi/EFI/$OS/grub.efi ::EFI/BOOT
mdir -i $DEST ::EFI/BOOT;


@ -4,8 +4,6 @@ set -eux
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/tls-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
@ -21,13 +19,7 @@ mkdir -p /shared/html/images
mkdir -p /shared/html/pxelinux.cfg
# Copy files to shared mount
if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/tftpboot"
else
cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
fi
cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
# Template and write dnsmasq.conf
# we template via /tmp as sed otherwise creates temp files in /etc directory


@ -8,7 +8,10 @@
export HTTP_PORT=${HTTP_PORT:-80}
export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
# In Metal3 context they are called node images in Ironic context they are
# called user images.
@ -30,7 +33,11 @@ chmod 0777 /shared/html
IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
else
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
fi
if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
@ -44,6 +51,14 @@ cp /tmp/uefi_esp.img /shared/html/uefi_esp.img
# Render the core httpd config
render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
fi
else
export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi
if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
@ -59,14 +74,12 @@ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
fi
# Render httpd TLS configuration for /shared/html
if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
mkdir -p /shared/html/custom-ipxe
chmod 0777 /shared/html/custom-ipxe
render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/html/custom-ipxe"
# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
fi
# Set up inotify to kill the container (restart) whenever cert files for ironic api change
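Review bot: The inspector callback URL added in the `@ -30,7 +33,11 @` hunk is built from `IRONIC_BASE_URL`, i.e. with `IRONIC_SCHEME`, while tls-common.sh on this page exports a separate `IRONIC_INSPECTOR_SCHEME` derived from the inspector's own certificate files. When only one of the two services has TLS material, the ramdisk is handed a callback with the wrong scheme, which either fails or sends inspection data over plain HTTP. Assuming tls-common.sh is sourced before this point (not visible in the hunk), use the inspector's scheme: `INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"`. In the added inotify block, `kill -WINCH $(pgrep httpd)` is unquoted and calls `kill` with no PID if httpd is not running yet; checking the `pgrep` result first would avoid that failure.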


@ -1,7 +1,9 @@
#!/usr/bin/bash
# This setting must go before configure-ironic since it has different defaults.
# These settings must go before configure-ironic since it has different
# defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
# shellcheck disable=SC1091
. /bin/configure-ironic.sh


@ -1,19 +1,20 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIR="/shared/log/ironic/deploy"
LOG_DIRS=("/shared/log/ironic/deploy" "/shared/log/ironic-inspector/ramdisk")
# The ironic container creates the directory, wait for
# it to exist before running inotifywait or it can fail causing
# a spurious restart
while [ ! -d "${LOG_DIR}" ]; do
echo "Waiting for ${LOG_DIR}"
sleep 5
done
while :; do
for LOG_DIR in "${LOG_DIRS[@]}"; do
if ! ls "${LOG_DIR}"/*.tar.gz 1> /dev/null 2>&1; then
continue
fi
inotifywait -m "${LOG_DIR}" -e close_write |
while read -r path _action file; do
echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
rm -f "${path}/${file}"
for fn in "${LOG_DIR}"/*.tar.gz; do
echo "************ Contents of $fn ramdisk log file bundle **************"
tar -xOzvvf "$fn" | sed -e "s/^/$(basename "$fn"): /"
rm -f "$fn"
done
done
sleep 5
done
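Review bot: The polling loop prints and then `rm -f`s every `*.tar.gz` it finds, so a bundle still being written when the 5-second pass runs is read truncated and then deleted; the inotify variant it replaces waited for `close_write`. Ramdisk logs are often the only record of a failed deployment or inspection, so losing them silently is worth avoiding. Checking the archive before consuming it is enough, e.g. wrap the loop body in `if tar -tzf "$fn" >/dev/null 2>&1; then … fi` and leave the file for the next pass otherwise. The file name is also spliced into the sed expression via `$(basename "$fn")`; a name containing `/` or `&` would break or alter the prefix, so adding the prefix with `awk -v` or similar would be more robust.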


@ -5,25 +5,24 @@ export IRONIC_KEY_FILE=/certs/ironic/tls.key
export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
export IPXE_CERT_FILE=/certs/ipxe/tls.crt
export IPXE_KEY_FILE=/certs/ipxe/tls.key
export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
mkdir -p /certs/ironic
mkdir -p /certs/ironic-inspector
mkdir -p /certs/ca/ironic
mkdir -p /certs/ipxe
mkdir -p /certs/vmedia
mkdir -p /certs/ca/ironic-inspector
if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
@ -34,6 +33,15 @@ if [[ ! -f "$IRONIC_CERT_FILE" ]] && [[ -f "$IRONIC_KEY_FILE" ]]; then
exit 1
fi
if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_INSPECTOR_KEY_FILE"
exit 1
fi
if [[ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
echo "Missing TLS Certificate file $IRONIC_INSPECTOR_CERT_FILE"
exit 1
fi
if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ ! -f "$IRONIC_VMEDIA_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_VMEDIA_KEY_FILE"
exit 1
@ -43,15 +51,6 @@ if [[ ! -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ -f "$IRONIC_VMEDIA_KEY_FILE" ]];
exit 1
fi
if [[ -f "$IPXE_CERT_FILE" ]] && [[ ! -f "$IPXE_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IPXE_KEY_FILE"
exit 1
fi
if [[ ! -f "$IPXE_CERT_FILE" ]] && [[ -f "$IPXE_KEY_FILE" ]]; then
echo "Missing TLS Certificate file $IPXE_CERT_FILE"
exit 1
fi
copy_atomic()
{
local src="$1"
@ -76,18 +75,23 @@ else
export IRONIC_SCHEME="http"
fi
if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
export IRONIC_VMEDIA_TLS_SETUP="true"
if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] || [[ -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
export IRONIC_INSPECTOR_TLS_SETUP="true"
export IRONIC_INSPECTOR_SCHEME="https"
if [[ ! -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
copy_atomic "$IRONIC_INSPECTOR_CERT_FILE" "$IRONIC_INSPECTOR_CACERT_FILE"
fi
else
export IRONIC_VMEDIA_TLS_SETUP="false"
export IRONIC_INSPECTOR_TLS_SETUP="false"
export IRONIC_INSPECTOR_SCHEME="http"
fi
if [[ -f "$IPXE_CERT_FILE" ]]; then
export IPXE_SCHEME="https"
export IPXE_TLS_SETUP="true"
if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
export IRONIC_VMEDIA_SCHEME="https"
export IRONIC_VMEDIA_TLS_SETUP="true"
else
export IPXE_SCHEME="http"
export IPXE_TLS_SETUP="false"
export IRONIC_VMEDIA_SCHEME="http"
export IRONIC_VMEDIA_TLS_SETUP="false"
fi
if [[ -f "$MARIADB_CACERT_FILE" ]]; then


@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.1
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@ -8,14 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*; \
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*; \
fi
RUN zypper --installroot /installroot --non-interactive install --no-recommends openstack-ironic-image-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
#RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release;
RUN cp /usr/bin/getopt /installroot/
@ -26,11 +19,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.1"
LABEL org.opencontainers.image.version="2.0.0"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.1-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
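Review bot: The single `RUN zypper --installroot /installroot --non-interactive install ... openstack-ironic-image-x86_64 ...; zypper -n clean; rm -rf /var/log/*` line joins its commands with `;`, so the step's exit status is that of `rm -rf` and a failed package install does not stop the build. The image could then be published without the ramdisk or with a partially installed root. Chaining with `&&` closes that gap: `zypper ... install ... cpio && zypper -n clean && rm -rf /var/log/*`. The hunk counts (14 old lines, 7 new) indicate the per-architecture guards are gone on this side and the package name is fixed to x86_64, so an aarch64 build would presumably get the wrong payload. If aarch64 is no longer a target, a comment on that line should say so.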


@ -1,6 +1,12 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%openstack-ironic-image-x86_64_version%%</param>
<param name="package">openstack-ironic-image-x86_64</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
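Review bot: The added `replace_using_package_version` service substitutes `%%openstack-ironic-image-x86_64_version%%` in the Dockerfile, but the Dockerfile lines shown on this page (presumably the file this service definition belongs to) carry a literal version in the `#!BuildTag` and `org.opencontainers.image.version` lines and do not show that placeholder. If the placeholder does not occur elsewhere in that file, the service is a no-op and the image tag is not tied to the version of the packaged ramdisk, which makes it harder to tell which ramdisk a given image ships. Either use the placeholder in the tags and labels or drop the service. The `<services>` element continues past the end of this hunk.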


@ -8,10 +8,10 @@ export no_proxy=${no_proxy:-$NO_PROXY}
# Which image should we use
if [ -z "${IPA_BASEURI}" ]; then
# SLES BASED IPA - ironic-ipa-ramdisk-x86_64 package
# SLES BASED IPA - openstack-ironic-image-x86_64 package
mkdir -p /shared/html/images
cp /tmp/initrd.xz /shared/html/images/ironic-python-agent.initramfs
cp /tmp/openstack-ironic-image*.kernel /shared/html/images/ironic-python-agent.kernel
cp /tmp/openstack-ironic-image*.x86_64*.kernel /shared/html/images/ironic-python-agent.kernel
else
FILENAME=ironic-python-agent
FILENAME_EXT=.tar
@ -68,4 +68,4 @@ if [ -d "/tmp/ironic-certificates" ]; then
mkdir -p etc/ironic-python-agent.d/ca-certs
cp /tmp/ironic-certificates/* etc/ironic-python-agent.d/ca-certs/
find . | fakeroot -i ../initrd.fakeroot cpio -o -H newc | xz --check=crc32 --x86 --lzma2 --fast > /shared/html/images/ironic-python-agent.initramfs
fi
fi
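Review bot: The kernel copy `cp /tmp/openstack-ironic-image*.x86_64*.kernel /shared/html/images/ironic-python-agent.kernel` only works when the glob matches exactly one file. With no match nothing is copied, and with two or more matches cp fails because the destination is not a directory, so the served images directory ends up with no kernel or a stale one. Whether that failure aborts the script depends on `set -e`, which is not visible in these hunks. A guard before the copy makes the expectation explicit (bash): `kernels=(/tmp/openstack-ironic-image*.x86_64*.kernel)` followed by `[ "${#kernels[@]}" -eq 1 ] && [ -f "${kernels[0]}" ] || { echo "expected exactly one IPA kernel" >&2; exit 1; }`. The `if [ -z "${IPA_BASEURI}" ]` block opens in the first hunk and closes outside it.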

BIN
ironic-ipa-ramdisk/root.tar.bz2 (Stored with Git LFS)

Binary file not shown.


@ -1,35 +0,0 @@
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.1.16.1
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.1.16.1-%RELEASE%
FROM registry.suse.com/bci/kiwi:10.1.16
MAINTAINER SUSE LLC (https://www.suse.com/)
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.akri
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Kiwi Builder Container Image"
LABEL org.opencontainers.image.description="kiwi-builder based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%PACKAGE_VERSION%"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kiwi-builder:10.1.16.1"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
# Configure Kiwi to use kpartx
RUN echo -e "mapper:\n - part_mapper: kpartx" > /etc/kiwi.yml
# Copy build script into image and make it executable
ADD build-image.sh /usr/bin/build-image
RUN chmod a+x /usr/bin/build-image
# Make a directory for the standard SL Micro Kiwi definition and config file and copy them in
RUN mkdir -p /micro-sdk/defs
ADD SL-Micro.kiwi /micro-sdk/defs
ADD SL-Micro.kiwi.4096 /micro-sdk/defs
ADD config.sh /micro-sdk/defs


@ -1,59 +0,0 @@
###########################
Kiwi SDK Image Instructions
###########################
Please ensure that you're running this on a registered SUSE Linux Micro 6.1 system, and make sure that SELinux is disabled:
# setenforce 0
Next, download the podman image:
# podman pull %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1
Make a local output directory (where the images will reside):
# mkdir output
Then, to build a standard "Base" image, run the following in podman:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image
To build a "Base" SelfInstall ISO, you can add additional flags, for example:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image -p Base-SelfInstall
Then, to build a standard "Default" image, run the following in podman:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image -p Default
To build a "Default" SelfInstall ISO, you can add additional flags, for example:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image -p Default-SelfInstall
To build an image with a RealTime kernel, e.g. a RAW disk image ("Default"), use the following:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image -p Base-RT
To build an image that supports a large block/sectorsize (4096), use the "-b" flag, for example:
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image -p Default-SelfInstall -b
# mkdir mydefs/
# cp /path/to/SL-Micro.kiwi mydefs/
# cp /path/to/config.sh mydefs/
# podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -v ./mydefs/:/micro-sdk/defs/ -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10.1.16.1 build-image
All output will be in the local $(pwd)/output directory, for example:
# ls -1 output/
SLE-Micro.x86_64-6.1.changes
SLE-Micro.x86_64-6.1.packages
SLE-Micro.x86_64-6.1.raw
SLE-Micro.x86_64-6.1.verified
build
kiwi.result
kiwi.result.json
Note, if you want to rebuild the image, you'll need to empty the output directory, or Kiwi will error due to existing output files:
# rm -rf output/*



@ -1,93 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) 2025 SUSE LLC
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Set image build defaults, blocksize is an empty string
PROFILE="Base"
LARGEBLOCK=false
# Print usage
usage(){
cat <<-EOF
=====================================
SUSE Linux Micro 6.1 Kiwi SDK Builder
=====================================
Usage: ${0} [-p <profile>] [-b]
Profile Options (-p):
* Base: RAW Disk Image with podman
* Base-SelfInstall: SelfInstall ISO with podman
* Default: RAW Disk Image with podman and kvm
* Default-SelfInstall: SelfInstall ISO with podman and kvm
* Base-RT: RAW Disk Image with kernel-rt
* Base-RT-SelfInstall: SelfInstall ISO with kernel-rt
4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
NOTE: If both options are omitted, the "Base" profile with a standard "512" blocksize is used.
EOF
}
# Grab CLI options and handle
while getopts 'p:bh' OPTION; do
case "${OPTION}" in
p)
PROFILE="${OPTARG}"
;;
b)
LARGEBLOCK=true
;;
?)
usage && exit 2
;;
esac
done
# To avoid wasting time, perform the loop creation test first, and exit with a warning to re-run.
# This only happens when the container hasn't been ran on the host before, and is avoided by mounting /dev/ into the image.
qemu-img create /tmp/output/test.img 1M
if LOOP=$(losetup -f --show /tmp/output/test.img); then
rm -f /tmp/output/test.img
losetup -d $LOOP
else
echo -e "\nERROR: Early loop device test failed, please retry the container run."
exit 1
fi
# Grab local SLE Micro repos and create a list to use as part of the image build
REPOS=`for i in $(cat /micro-sdk/repos/*.repo | awk '/baseurl/ {split($0,string,"="); print string[2]}'); do echo -n "--add-repo $i "; done`
if $LARGEBLOCK; then
mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
fi
# Build the image
kiwi-ng --debug --profile $PROFILE system build \
--description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
# Print output
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
else
echo -e "\n\nERROR: Failed to build the image, please see above logs."
fi


@ -1,316 +0,0 @@
#!/bin/bash
# Copyright (c) 2023 SUSE LLC
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
#======================================
# Functions...
#--------------------------------------
test -f /.kconfig && . /.kconfig
test -f /.profile && . /.profile
set -euxo pipefail
mkdir /var/lib/misc/reconfig_system
#======================================
# Greeting...
#--------------------------------------
echo "Configure image: [$kiwi_iname]-[$kiwi_profiles]..."
#======================================
# add missing fonts
#--------------------------------------
CONSOLE_FONT="eurlatgr.psfu"
#======================================
# prepare for setting root pw, timezone
#--------------------------------------
echo ** "reset machine settings"
sed -i 's/^root:[^:]*:/root:*:/' /etc/shadow
rm /etc/machine-id
rm /var/lib/zypp/AnonymousUniqueId
#======================================
# Setup baseproduct link
#--------------------------------------
suseSetupProduct
#======================================
# Specify default runlevel
#--------------------------------------
baseSetRunlevel 3
#======================================
# Add missing gpg keys to rpm
#--------------------------------------
suseImportBuildKey
#======================================
# If SELinux is installed, configure it like transactional-update setup-selinux
#--------------------------------------
if [[ -e /etc/selinux/config ]]; then
# Check if we don't have selinux already enabled.
grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q security=selinux || \
sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' "/etc/default/grub"
# Adjust selinux config
sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
-e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
"/etc/selinux/config"
# Move an /.autorelabel file from initial installation to writeable location
test -f /.autorelabel && mv /.autorelabel /etc/selinux/.autorelabel
fi
##======================================
## Enable DHCP on eth0
##--------------------------------------
#cat >/etc/sysconfig/network/ifcfg-eth0 <<EOF
#BOOTPROTO='dhcp'
#MTU=''
#REMOTE_IPADDR=''
#STARTMODE='auto'
#ETHTOOL_OPTIONS=''
#USERCONTROL='no'
#EOF
systemctl enable NetworkManager
systemctl enable ModemManager
#======================================
# Enable cloud-init
#--------------------------------------
suseInsertService cloud-init-local
suseInsertService cloud-init
suseInsertService cloud-config
suseInsertService cloud-final
# Enable chrony
suseInsertService chronyd
#======================================
# Sysconfig Update
#--------------------------------------
echo '** Update sysconfig entries...'
echo FONT="$CONSOLE_FONT" >> /etc/vconsole.conf
# fix security level (boo#1171174)
sed -e '/^PERMISSION_SECURITY=s/easy/paranoid/' /etc/sysconfig/security
chkstat --set --system
#======================================
# SSL Certificates Configuration
#--------------------------------------
echo '** Rehashing SSL Certificates...'
update-ca-certificates
#======================================
# Import trusted rpm keys
#--------------------------------------
for i in /usr/lib/rpm/gnupg/keys/gpg-pubkey*asc; do
# importing can fail if it already exists
rpm --import $i || true
done
#======================================
# Enable kubelet if installed
#--------------------------------------
if [ -e /usr/lib/systemd/system/kubelet.service ]; then
suseInsertService kubelet
fi
# Adjust zypp conf
# https://github.com/openSUSE/libzypp/issues/212
# in yast that's done in packager/cfa/zypp_conf.rb
sed -i 's/.*solver.onlyRequires.*/solver.onlyRequires = true/g' /etc/zypp/zypp.conf
sed -i 's/.*rpm.install.excludedocs.*/rpm.install.excludedocs = yes/g' /etc/zypp/zypp.conf
sed -i 's/^multiversion =.*/multiversion =/g' /etc/zypp/zypp.conf
#=====================================
# Configure snapper
#-------------------------------------
if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
echo "creating initial snapper config ..."
cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
# Adjust parameters
sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' /etc/snapper/configs/root
sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' /etc/snapper/configs/root
sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' /etc/snapper/configs/root
fi
# Enable multipathd for MP images
if [ "${kiwi_oemmultipath_scan-false}" = 'true' ]; then
systemctl enable multipathd.service
fi
# On those s390 targets the console is not capable of running jeos-firstboot,
# use systemd-firstboot as minimal alternative.
if [[ "$kiwi_profiles" =~ s390-(dasd|fba|fcp) ]]; then
systemctl enable systemd-firstboot
# Enable prompting for the root password
echo 'root:!unprovisioned' | chpasswd -e
elif rpm -q --whatprovides jeos-firstboot >/dev/null; then
mkdir -p /var/lib/YaST2
touch /var/lib/YaST2/reconfig_system
systemctl enable jeos-firstboot.service
fi
# Enable cloud-init if installed
if rpm -q --whatprovides cloud-init >/dev/null; then
systemctl enable cloud-init
systemctl enable cloud-init-local
fi
# The %post script can't edit /etc/fstab sys due to https://github.com/OSInside/kiwi/issues/945
# so use the kiwi custom hack
cat >/etc/fstab.script <<"EOF"
#!/bin/sh
set -eux
/usr/sbin/setup-fstab-for-overlayfs
# If /var is on a different partition than /...
if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
# ... set options for autoexpanding /var
gawk -i inplace '$2 == "/var" { $4 = $4",x-growpart.grow,x-systemd.growfs" } { print $0 }' /etc/fstab
fi
EOF
chmod a+x /etc/fstab.script
# To make x-systemd.growfs work from inside the initrd
cat >/etc/dracut.conf.d/50-microos-growfs.conf <<"EOF"
install_items+=" /usr/lib/systemd/systemd-growfs "
EOF
#======================================
# Add repos from control.xml
#--------------------------------------
if [ -x /usr/sbin/add-yast-repos ]; then
add-yast-repos
zypper --non-interactive rm -u live-add-yast-repos
fi
#======================================
# Configure SelfInstall specifics
#--------------------------------------
if [[ "$kiwi_profiles" == *"SelfInstall"* ]]; then
cat > /etc/systemd/system/selfinstallbootloader.service <<-EOF
[Unit]
Description=
After=systemd-machine-id-commit.service
Before=jeos-firstboot.service
[Service]
Type=oneshot
ExecStart=rm /etc/systemd/system/selfinstallbootloader.service
ExecStart=rm /etc/systemd/system/default.target.wants/selfinstallbootloader.service
ExecStart=/sbin/transactional-update bootloader
ExecStart=/sbin/transactional-update apply
[Install]
WantedBy=default.target
EOF
ln -s /etc/systemd/system/selfinstallbootloader.service /etc/systemd/system/default.target.wants/selfinstallbootloader.service
fi
#======================================
# Boot TimeOut Configuration for iSCSI
#--------------------------------------
cat > /etc/systemd/system/iscsi-init-delay.service <<-EOF
[Unit]
# Workaround for boo#1198457 delay gen-initiatorname after local-fs
Description=One time delay for the iscsid.service
ConditionPathExists=!/etc/iscsi/initiatorname.iscsi
ConditionPathExists=/sbin/iscsi-gen-initiatorname
DefaultDependencies=no
RequiresMountsFor=/etc/iscsi
After=local-fs.target
Before=iscsi-init.service
[Install]
WantedBy=default.target
[Service]
Type=oneshot
RemainAfterExit=no
ExecStart=/sbin/iscsi-gen-initiatorname
EOF
ln -s /etc/systemd/system/iscsi-init-delay.service /etc/systemd/system/default.target.wants/iscsi-init-delay.service
#======================================
# Configure Pine64 specifics
#--------------------------------------
if [[ "$kiwi_profiles" == *"Pine64" ]]; then
echo 'add_drivers+=" fixed sunxi-mmc axp20x-regulator axp20x-rsb "' > /etc/dracut.conf.d/sunxi_modules.conf
fi
#======================================
# Configure Raspberry Pi specifics
#--------------------------------------
if [[ "$kiwi_profiles" == *"RaspberryPi"* ]]; then
# Add necessary kernel modules to initrd (will disappear with bsc#1084272)
echo 'add_drivers+=" bcm2835_dma dwc2 "' > /etc/dracut.conf.d/raspberrypi_modules.conf
# Add necessary kernel modules to initrd (will disappear with boo#1162669)
echo 'add_drivers+=" pcie-brcmstb "' >> /etc/dracut.conf.d/raspberrypi_modules.conf
# Work around network issues
cat > /etc/modprobe.d/50-rpi3.conf <<-EOF
# Prevent too many page allocations (bsc#1012449)
options smsc95xx turbo_mode=N
EOF
cat > /etc/sysctl.d/50-rpi3.conf <<-EOF
# Avoid running out of DMA pages for smsc95xx (bsc#1012449)
vm.min_free_kbytes = 2048
EOF
fi
#======================================
# Configure Vagrant specifics
#--------------------------------------
if [[ "$kiwi_profiles" == *"Vagrant"* ]]; then
# create vagrant user
useradd vagrant
# allow password-less sudo
echo "vagrant ALL=(ALL)NOPASSWD:ALL" > /etc/sudoers.d/vagrant
# add vagrant's insecure key
mkdir -p /home/vagrant/.ssh
chmod 0700 /home/vagrant/.ssh
cat > /home/vagrant/.ssh/authorized_keys << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
EOF
chmod 0600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant /home/vagrant
fi
#======================================
# cloud-init specific settings
#--------------------------------------
# We do not want cloud-init to run in an environment when there is no data
# source found. bsc#1222113
if [[ "$kiwi_profiles" =~ ^(x86-qcow|x86-vmware|aarch64-qcow)$ ]]; then
echo "policy: search,found=all,maybe=disabled,notfound=disabled" > /etc/cloud/ds-identify.cfg
fi
exit 0


@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/brancz/kube-rbac-proxy</param>
<param name="scm">git</param>
<param name="revision">v0.18.1</param>
<param name="revision">v0.18.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
@ -12,10 +12,12 @@
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" >
<param name="obsinfo">kube-rbac-proxy.obsinfo</param>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>
</services>
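Review bot: `<param name="revision">v0.18.0</param>` pins the upstream source to a git tag, which the upstream repository can move or re-create, so this file alone does not fix what source gets fetched. Pinning the full commit hash and keeping the tag as a comment makes the input reproducible and reviewable, e.g. `<param name="revision"><full-commit-sha></param>` with `<!-- v0.18.0 -->` beside it. This side of the comparison also appears to carry the older of the two tags shown (v0.18.0 against v0.18.1). If that is intended, it is worth confirming that no fix from the newer release is being dropped.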
