Microshift on fcos

.dockerignore

@@ -1,3 +1,4 @@
 priv-root/
 tmp/
 *Containerfile
+.github/

.github/workflows/microshift.yaml

@@ -0,0 +1,51 @@
+name: Build OS Content
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch: {}
+  schedule:
+    - cron:  '10 5 * * *'
+
+env:
+  REGISTRY_USER: aleskandrox
+  IMAGE_REGISTRY: quay.io
+  IMAGE_NAME: fedora
+  REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+
+jobs:
+  build-coreos-microshift:
+    if: ${{ github.event_name == 'push' || github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    name: Build and Push Fedora ${{ matrix.variant }} (OS Content)
+    strategy:
+      matrix:
+        variant:
+          - coreos-microshift
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set versioned tag
+        id: versioned-tag
+        run: |
+          VERSIONED_TAG=$(date -u --iso-8601=minutes | sed 's/://g;s/+.*$//')-${GITHUB_SHA}
+          echo "VERSIONED_TAG=${VERSIONED_TAG}" >> $GITHUB_OUTPUT
+      - name: Build OS content
+        uses: redhat-actions/buildah-build@v2
+        id: build-image
+        with:
+          image: ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}
+          oci: true
+          layers: true
+          tags: ${{ matrix.variant }}-custom ${{ matrix.variant }}-custom-${{ steps.versioned-tag.outputs.VERSIONED_TAG }}
+          containerfiles: |
+            ./microshift.Containerfile
+      - name: Push to registry
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          tags: >-
+            ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-custom
+            ${{ env.IMAGE_REGISTRY }}/${{ env.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-custom-${{ steps.versioned-tag.outputs.VERSIONED_TAG }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+

microshift.Containerfile

@@ -0,0 +1,72 @@
+ARG BASE_REPO=quay.io/fedora/fedora-coreos
+ARG BASE_TAG=stable
+FROM quay.io/fedora/fedora-minimal:latest as artifacts
+
+COPY overlay.d/00-temp/ /
+RUN microdnf install --setopt=install_weak_deps=False \
+                     -y rpmbuild && chmod +x /usr/bin/fakerpm.sh \
+    && mkdir -p /srv/fakerpms/ && pushd /srv/fakerpms/ \
+    && /usr/bin/fakerpm.sh openvswitch3.1 \
+    && /usr/bin/fakerpm.sh openshift-clients
+
+FROM ${BASE_REPO}:${BASE_TAG}
+
+ENTRYPOINT ["/bin/bash"]
+
+RUN set -x; arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/'); cat /etc/os-release \
+    && rpm-ostree install \
+        https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
+        https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
+    && ostree container commit
+
+RUN cat /etc/os-release; rpm-ostree --version; ostree --version; \
+    set -x; PACKAGES_INSTALL="bridge-utils conntrack-tools curl fping iftop iputils iproute mtr nethogs \
+    socat net-tools bind-utils iperf iperf3 iputils mtr ethtool tftp wget ipmitool gawk htop ncdu procps \
+    strace iotop subversion git git-lfs gnupg2 openssl openvpn rsync tcpdump nmap nmap-ncat krb5-workstation \
+    qemu-kvm qemu-user-static libvirt virt-manager virt-install sudo screen unzip util-linux-user ignition \
+    libcurl-devel zsh nmap-ncat netcat socat python3-pip skopeo jq vim neovim make gcc inotify-tools"; \
+    rpm-ostree install $PACKAGES_INSTALL \
+    && rm -rf /var/lib/{unbound,gssproxy,nfs} \
+    && ostree container commit
+
+COPY overlay.d/01-common/ /
+COPY overlay.d/05-systemd/ /
+COPY overlay.d/10-fcos/ /
+COPY overlay.d/15-microshift /
+COPY --from=artifacts /srv/fakerpms/ /tmp/rpms/
+
+RUN set -x; PACKAGES_INSTALL="NetworkManager-ovs cri-o cri-tools /tmp/rpms/*.rpm"; \
+    rpm-ostree install $PACKAGES_INSTALL \
+    && rpm-ostree install microshift \
+    # Symlink ovs-vswitchd to dpdk version of OVS
+    && ln -s /usr/sbin/ovs-vswitchd.dpdk /usr/sbin/ovs-vswitchd \
+    # Symlink nc to netcat due to known issue in rpm-ostree - https://github.com/coreos/rpm-ostree/issues/1614
+    && ln -s /usr/bin/netcat /usr/bin/nc \
+    && rm -rf /go /var/lib/unbound /tmp/rpms \
+    && rm -rf /tmp/rpms \
+    && ostree container commit
+
+RUN set -x; sed -i \
+      's/AutomaticUpdatePolicy=.*/AutomaticUpdatePolicy=stage/' \
+      /etc/rpm-ostreed.conf \
+    && systemctl preset-all \
+    && ostree container commit
+
+RUN HOME=/tmp RUNZSH=no CHSH=no ZSH=/usr/lib/ohmyzsh \
+    sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" \
+    && set -x \
+    && wget -qO /usr/lib/ohmyzsh/custom/kube-ps1.plugin.zsh \
+        https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/plugins/kube-ps1/kube-ps1.plugin.zsh \
+    && mv /usr/share/zsh/*.zsh /usr/lib/ohmyzsh/custom/ \
+    && git clone https://github.com/zsh-users/zsh-history-substring-search \
+     /usr/lib/ohmyzsh/custom/plugins/zsh-history-subscring-search \
+    && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git \
+     /usr/lib/ohmyzsh/custom/plugins/zsh-syntax-highlighting \
+    && chsh -s /bin/zsh root \
+    && echo 'PATH=~/bin:~/.bin:~/.opt/bin:$PATH' >> /etc/zshenv \
+    && sed -i 's|^SHELL=.*|SHELL=/usr/bin/zsh|' /etc/default/useradd \
+    # ${VARIANT_ID^} is not posix compliant and is not parsed correctly by zsh \
+    && sed -i 's/VARIANT_ID^/VARIANT_ID/' /etc/profile.d/toolbox.sh \
+    && ostree container commit
+
+#RUN set -x; update-crypto-policies --set legacy --no-reload && ostree container commit

overlay.d/00-temp/usr/bin/fakerpm.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# From: https://www.redhat.com/archives/rpm-list/2006-November/msg00062.html
+#
+# Generate dummy/fake RPMs - great for acceptance testing systems
+#
+NAME=$1
+
+#
+# GEnerate Provides:
+PROVIDES="Provides: ${1}"
+
+#
+# Generate Spec file
+SPECFILE=$(mktemp)
+cat <<EOF > ${SPECFILE}
+#----------- spec file starts ---------------
+Name:                   ${NAME}
+Version:                1.0.0
+Release:                0
+Vendor:                 dummy
+Group:                  dummy
+Summary:                Provides %{name}
+License:                %{vendor}
+# in Provides: you add whatever you want to fool the system
+Buildroot:              %{_tmppath}/%{name}-%{version}-root
+${PROVIDES}
+
+%description
+%{summary}
+
+%files
+EOF
+
+#
+# Build it
+BUILD_LOG=$(mktemp)
+rpmbuild --define '_rpmdir /tmp' -bb "${SPECFILE}" > "${BUILD_LOG}"
+if [ $? != 0 ]
+then
+  echo "ERROR: Could nto build dummy rpm!"
+fi
+PKG=$(awk '/^Wrote:/ { print $2 }' < "${BUILD_LOG}" )
+rm "${BUILD_LOG}"
+
+#
+# Install it:
+#rpm -Uvh "${PKG}"
+
+rm "${SPECFILE}"
+
+echo "DONE!  created ${PKG} and moved it here..."
+mv $PKG .

overlay.d/01-common/etc/ssh/sshd_config.d/10-insecure-rsa-keysig.conf

@@ -0,0 +1 @@
+PubkeyAcceptedKeyTypes=+ssh-rsa

overlay.d/01-common/etc/ssh/sshd_config.d/40-client-alive-interval.conf

@@ -0,0 +1 @@
+ClientAliveInterval 180

overlay.d/10-fcos/etc/rpm-ostree/origin.d/overrides.yaml

@@ -0,0 +1,3 @@
+override-remove:
+ - moby-engine
+ - zincati

overlay.d/10-fcos/usr/lib/okd/selinux-fixes.cil

@@ -0,0 +1,11 @@
+; https://github.com/okd-project/okd/issues/1438
+(allow iscsid_t self (capability (dac_override)))
+; iptables wrapper script fix
+(allow iptables_t container_runtime_tmpfs_t (chr_file (read write)))
+; https://github.com/okd-project/okd/discussions/1611
+(typeattributeset cil_gen_require ifconfig_t)
+(typeattributeset cil_gen_require container_runtime_tmpfs_t)
+(typeattributeset cil_gen_require container_runtime_t)
+(allow ifconfig_t container_runtime_t (fifo_file (append)))
+(allow ifconfig_t container_runtime_tmpfs_t (chr_file (read write)))
+(allow ifconfig_t self (capability (dac_override dac_read_search sys_ptrace)))

overlay.d/10-fcos/usr/lib/systemd/network/98-ovs-mac.link

@@ -0,0 +1,5 @@
+[Match]
+Driver=openvswitch
+
+[Link]
+MACAddressPolicy=none

overlay.d/10-fcos/usr/lib/systemd/system-preset/00-okd.preset

@@ -0,0 +1 @@
+enable okd-selinux.service

overlay.d/10-fcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset

@@ -0,0 +1,4 @@
+enable rhcos-usrlocal-selinux-fixup.service
+enable rhcos-selinux-policy-upgrade.service
+enable auditd.service
+enable nmstate.service

overlay.d/10-fcos/usr/lib/systemd/system/okd-selinux.service

@@ -0,0 +1,6 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/semodule -i /usr/lib/okd/selinux-fixes.cil
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target

overlay.d/10-fcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=RHEL CoreOS Rebuild SELinux Policy If Necessary
+Documentation=https://bugzilla.redhat.com/2057497
+DefaultDependencies=false
+After=systemd-tmpfiles-setup.service local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/rhcos-rebuild-selinux-policy
+
+[Install]
+WantedBy=sysinit.target

overlay.d/10-fcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=RHCOS Fix SELinux Labeling For /usr/local/sbin
+Documentation=https://bugzilla.redhat.com/1956836
+DefaultDependencies=false
+After=systemd-tmpfiles-setup.service local-fs.target
+Before=sysinit.target
+ConditionPathExists=/var/usrlocal/sbin
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Run every time because systemd-tmpfiles will reset it to the incorrect
+# context on each boot.
+ExecStart=chcon -v --reference=/usr/sbin /usr/local/sbin
+# Only do this recursive relabeling once.
+ExecStart=/bin/sh -c 'if ! test -f /var/lib/.coreos-usrlocal-fixup.stamp; then find /var/usrlocal/sbin -executable -mount -exec chcon -v --reference=/usr/sbin {} \\; && touch /var/lib/.coreos-usrlocal-fixup.stamp; fi'
+
+[Install]
+WantedBy=sysinit.target

overlay.d/10-fcos/usr/lib/systemd/system/zincati.service.d/okd-machine-os-disabled.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/enoent

overlay.d/10-fcos/usr/libexec/rhcos-rebuild-selinux-policy

@@ -0,0 +1,9 @@
+#!/bin/bash
+# Executed by rhcos-selinux-policy-upgrade.service
+set -euo pipefail
+
+ls -al /{usr/,}etc/selinux/targeted/policy/policy.33
+if ! cmp --quiet /{usr/,}etc/selinux/targeted/policy/policy.33; then
+    echo "Recompiling policy due to local modifications as workaround for https://bugzilla.redhat.com/2057497"
+    semodule -B
+fi

overlay.d/15-microshift/etc/crio/crio.conf.d/crun.conf

@@ -0,0 +1,8 @@
+[crio.runtime.runtimes.crun]
+runtime_path = ""
+runtime_type = "oci"
+runtime_root = "/run/crun"
+runtime_config_path = ""
+monitor_path = ""
+monitor_cgroup = "system.slice"
+monitor_exec_cgroup = ""

overlay.d/15-microshift/etc/yum.repos.d/coreos-continuous.repo

@@ -0,0 +1,10 @@
+[coreos-continuous]
+name=Copr repo for continuous owned by @CoreOS
+baseurl=https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1

overlay.d/15-microshift/etc/yum.repos.d/microshift.repo

@@ -0,0 +1,6 @@
+[microshift]
+name=microshift
+type=rpm-md
+baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/4.14.0-ec.4/el9/os/
+gpgcheck=0
+enabled=1

overlay.d/15-microshift/etc/yum.repos.d/okd-copr.repo

@@ -0,0 +1,8 @@
+[okd-copr]
+name=Copr repo for OKD
+baseurl=https://download.copr.fedorainfracloud.org/results/@OKD/okd/fedora-38-$basearch/
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/@OKD/okd/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1

overlay.d/15-microshift/usr/lib/systemd/system/firewall-microshift.service

@@ -0,0 +1,19 @@
+[Unit]
+Description="Configure firewalld for microshift"
+Documentation="https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/installing/microshift-install-rpm"
+After=network-online.target
+ConditionPathExists=!/var/.microshift-firewall-configured
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+# TODO: Take some values from the microshift config
+ExecStartPre=/usr/bin/firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
+ExecStartPre=/usr/bin/firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
+ExecStartPre=/usr/bin/firewall-cmd --reload
+ExecStart=/usr/bin/touch /var/.microshift-firewall-configured
+Restart=on-failure
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target