ART-14453: Use rpm-ostree install directly in legacy build pipeline

Containerfile

@@ -4,7 +4,9 @@
 ARG IMAGE_FROM=overridden
 FROM ${IMAGE_FROM} as build
 ARG OPENSHIFT_CI=0
-RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh
+ARG OPENSHIFT_VERSION=overridden
+ARG YUM_REPO_NAMES=overridden
+RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/run/src/secret.repo /run/src/build-node-image.sh
 
 FROM build as metadata
 ARG IMAGE_NAME

build-args-10.2-5.0.conf

@@ -1,3 +1,9 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2
+
+# Used by the generate-labels script
 IMAGE_NAME=openshift/ose-rhel-coreos-10
 IMAGE_CPE=cpe:/a:redhat:openshift:5.0::el10
+
+# The names of the yum repos to use for the node image build.
+YUM_REPO_NAMES=rhel-10.2-baseos,rhel-10.2-appstream,rhel-10.2-early-kernel,rhel-10.2-fast-datapath,rhel-10.2-server-ose-5.0

build-args-9.8-5.0.conf

@@ -1,3 +1,9 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:9.8
+
+# Used by the generate-labels script
 IMAGE_NAME=openshift/ose-rhel-coreos-9
 IMAGE_CPE=cpe:/a:redhat:openshift:5.0::el9
+
+# The names of the yum repos to use for the node image build.
+YUM_REPO_NAMES=rhel-9.8-baseos,rhel-9.8-appstream,rhel-9.8-early-kernel,rhel-9.8-fast-datapath,rhel-9.8-server-ose-5.0

build-args-c10s-5.0.conf

@@ -1,2 +1,12 @@
+OPENSHIFT_VERSION=5.0
 IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10
-# SCOS/OKD: no labels.json or OCI labels for name/cpe
+
+# SCOS/OKD: no labels.json or OCI labels for name/cpe (so don't define them)
+# IMAGE_NAME=
+# IMAGE_CPE=
+
+# The names of the yum repos to use for the node image build.
+# XXX: use of the rhel-*server-ose-* ART repo shouldn't happen for OKD; see related XXX
+#      in build-node-image.sh. Also we must put the ART repo last for the modification
+#      in the script to work.
+YUM_REPO_NAMES=c10s-baseos,c10s-appstream,c10s-sig-nfv,c10s-sig-cloud-okd,rhel-10.2-server-ose-5.0

build-node-image.sh

@@ -14,31 +14,127 @@ if [ "${OPENSHIFT_CI}" != 0 ]; then
     /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
 fi
 
-# add all the repos from the src repo into `/etc/yum.repos.d` so dnf sees them
+# add all the repos from the src repo (including mounted in secret.repo)
+# into `/etc/yum.repos.d` so dnf sees them
 cat /run/src/*.repo >> /etc/yum.repos.d/git.repo
 
 source /etc/os-release
 
 # XXX: For SCOS, only allow certain packages to come from ART; everything else
 # should come from CentOS. We should eventually sever this.
 if [ $ID = centos ]; then
-    # this says: "if the line starts with [.*], turn off printing. if the line starts with [our-repo], turn it on."
-    awk "/\[.*\]/{p=0} /\[rhel-10.2-server-ose-5.0\]/{p=1} p" /etc/yum.repos.d/*.repo > /etc/yum.repos.d/okd.repo.tmp
-    sed -i -e 's,\[rhel-10.2-server-ose-5.0\],\[rhel-10.2-server-ose-5.0-okd\],' /etc/yum.repos.d/okd.repo.tmp
-    echo 'includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*,ose-crio-* ' >> /etc/yum.repos.d/okd.repo.tmp
-    mv /etc/yum.repos.d/okd.repo{.tmp,}
+    OPENSHIFT_ART_REPO_NAME=${YUM_REPO_NAMES/*,/} # ART repo == the last repo in the list
+    dnf config-manager --save \
+        --setopt="${OPENSHIFT_ART_REPO_NAME}.includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*,ose-crio-*"
 fi
 
 # XXX: patch cri-o spec to use tmpfiles
 # https://github.com/CentOS/centos-bootc/issues/393
 mkdir -p /var/opt
 
-# this is where all the real work happens
-rpm-ostree experimental compose treefile-apply \
-    --var "osversion=${ID}-${VERSION_ID}" /run/src/packages-openshift.yaml
+# Version lock to the specific packages installed on the system already
+dnf --disablerepo=* versionlock add '*'
 
-# cleanup any repo files we injected
-rm -f /etc/yum.repos.d/{ocp,git,okd}.repo
+# Install the OCP packages. Limit to appropriate repos for this stream.
+dnf --repo="${YUM_REPO_NAMES}" install -y \
+    cri-o cri-tools conmon-rs \
+    openshift-clients openshift-kubelet \
+    openvswitch3.5 \
+    NetworkManager-ovs \
+    ose-aws-ecr-image-credential-provider \
+    ose-azure-acr-image-credential-provider \
+    ose-gcp-gcr-image-credential-provider \
+    ose-crio-credential-provider
+
+# clear the versionlock and clean up any dnf caches / yum repo files we created.
+# note `redhat.repo` gets created when you run dnf (via subscription-manager plugin),
+# so we'll clean that up too.
+dnf --disablerepo=* versionlock clear
+dnf clean all
+rm -vf /etc/yum.repos.d/{ocp,git,redhat}.repo
+
+
+# --- postprocess steps ---
+# These were previously in the `postprocess` section of packages-openshift.yaml.
+
+# Disable any built-in repos. We need to work in disconnected environments by
+# default, and default-enabled repos will be attempted to be fetched by
+# rpm-ostree when doing node-local kernel overrides today for e.g. kernel-rt.
+for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
+    sed -i -e 's/enabled\s*=\s*1/enabled=0/g' "$x"
+done
+
+# Enable librhsm which enables host subscriptions to work in containers
+# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+# Manually modify SELinux booleans that are needed for OCP use cases
+semanage boolean --modify --on container_use_cephfs      # RHBZ#1694045
+semanage boolean --modify --on virt_use_samba            # RHBZ#1754825
+
+# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+# https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+mkdir -p /usr/share/containers/oci/hooks.d
+
+# crio conmon symlink
+mkdir -p /usr/libexec/crio
+ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
+
+# Inject OpenShift-specific release fields
+cat >> /usr/lib/os-release <<EOF
+OPENSHIFT_VERSION="${OPENSHIFT_VERSION}"
+EOF
+
+# Generate MOTD
+# Detect variant based on the Containerfile metadata. In the absence of
+# rpm-ostree treefile metadata, we use a heuristic: centos builds are SCOS.
+if [ "$ID" = "centos" ]; then
+    colloquial_name=SCOS
+    project_name=OKD
+else
+    colloquial_name=RHCOS
+    project_name=OpenShift
+fi
+# in the el-only variants, we already have CoreOS in the NAME, so don't
+# re-add it when building the node image
+if [[ $NAME != *CoreOS* ]]; then
+    NAME="$NAME CoreOS"
+fi
+cat > /etc/motd <<EOF
+$NAME $OSTREE_VERSION
+  Part of ${project_name} ${OPENSHIFT_VERSION}, ${colloquial_name} is a Kubernetes-native operating system
+  managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
+
+WARNING: Direct SSH access to machines is not recommended; instead,
+make configuration changes via \`machineconfig\` objects:
+  https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
+
+---
+EOF
+
+# Delete leftover files in the layering path
+if [ -f /run/.containerenv ]; then
+    # lockfiles and backup files
+    rm -f /etc/.pwd.lock /etc/group- /etc/gshadow- /etc/shadow- /etc/passwd-
+    rm -f /etc/selinux/targeted/*.LOCK
+    # cache, logs, etc...
+    rm -rf /var && mkdir /var
+    # All the entries here should instead be part of their respective
+    # packages. But we carry them here for now to maintain compatibility.
+    cat > /usr/lib/tmpfiles.d/openshift.conf << EOF
+L /opt/cni - - - - ../../usr/lib/opt/cni
+d /var/lib/cni 0755 root root - -
+d /var/lib/cni/bin 0755 root root - -
+d /var/lib/containers 0755 root root - -
+d /var/lib/openvswitch 0755 root root - -
+d /var/lib/openvswitch/pki 0755 root root - -
+d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
+d /var/lib/unbound 0755 unbound unbound - -
+EOF
+fi
+
+# --- end postprocess steps ---
 
 find /usr -name '*.pyc.bak' -exec sh -c 'mv $1 ${1%.bak}' _ {} \;
 ostree container commit