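---
# rpm-ostree manifest fragment: packages and postprocess scripts that turn the
# base CoreOS tree into an OpenShift/OKD node image.
packages:
  # The packages below are required by OpenShift/OKD
  # but are not present in CentOS Stream and RHEL.
  - cri-o cri-tools conmon-rs
  - openshift-clients openshift-kubelet
  - openvswitch3.3
  # The packages below are present in CentOS Stream/RHEL,
  # and depend on one or more of the above.
  - NetworkManager-ovs
  - ose-aws-ecr-image-credential-provider
  - ose-azure-acr-image-credential-provider
  - ose-gcp-gcr-image-credential-provider

postprocess:
  # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
  # so that the MCO can use it by default and not trip over SELinux issues trying
  # to create it.
  - |
    #!/usr/bin/bash
    set -euo pipefail
    mkdir -p /etc/yum.repos.d
    # If there *are* repos built-in (e.g. c9s), disable them.
    # We need to work in disconnected environments by default, and default-enabled
    # repos will be attempted to be fetched by rpm-ostree when doing node-local
    # kernel overrides today for e.g. kernel-rt.
    # `find -exec ... +` avoids word-splitting the find output (ShellCheck SC2044)
    # and simply runs nothing when no .repo file exists.
    find /etc/yum.repos.d/ -name '*.repo' -exec sed -i -e 's,enabled=1,enabled=0,' '{}' +
  # These enable librhsm which enables host subscriptions to work in containers
  # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
  - |
    #!/usr/bin/bash
    set -euo pipefail
    # Relative symlinks into /run/secrets; the targets only exist when the
    # container runtime mounts the host entitlement/rhsm data at build time.
    ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
    ln -sr /run/secrets/rhsm /etc/rhsm-host
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # manually modify SELinux booleans that are needed for OCP use cases
    semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
    semanage boolean --modify --on virt_use_samba # RHBZ#1754825
  # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
  # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
  - |
    #!/usr/bin/bash
    set -euo pipefail
    mkdir -p /usr/share/containers/oci/hooks.d
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
    # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
    # that stopped working in the sysusers conversion. We should be able to drop this
    # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
    if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
      if [ -f /run/.containerenv ]; then
        # We're running as part of a derivation; `usermod` will not work
        # because it doesn't go through NSS. Hackily put the /usr/lib files
        # in /etc temporarily then put them back.
        restore_nss_files() {
          mv /etc/passwd /usr/lib/passwd
          mv /etc/group /usr/lib/group
          mv /etc/passwd.bak /etc/passwd
          mv /etc/group.bak /etc/group
        }
        mv /etc/passwd /etc/passwd.bak
        mv /etc/group /etc/group.bak
        mv /usr/lib/passwd /etc/passwd
        mv /usr/lib/group /etc/group
        # Restore on any exit, so a failing usermod (aborting under set -e)
        # cannot leave the swapped passwd/group files in place.
        trap restore_nss_files EXIT
      fi
      usermod -a -G hugetlbfs openvswitch
    fi
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # crio should stop hardcoding things in their config file!
    # We are apparently somehow pulling in a conmon override in RHCOS
    # that contains /usr/libexec/crio/conmon - WHY?
    # sed -i '/conmon.*=/d' /etc/crio/crio.conf
    # Oh right but the MCO overrides that too so...
    mkdir -p /usr/libexec/crio
    ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
  # Inject OpenShift-specific release fields
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # OPENSHIFT_VERSION is read back by the motd script below (via
    # `. /etc/os-release`); bump it together with the release.
    cat >> /usr/lib/os-release <<EOF
    OPENSHIFT_VERSION="4.18"
    EOF
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # Let's have a non-boring motd, just like CL (although theirs is more subdued
    # nowadays compared to early versions with ASCII art). One thing we do here
    # is add --- as a "separator"; the idea is that any "dynamic" information should
    # be below that.
    # See: https://projects.engineering.redhat.com/browse/COREOS-1029
    . /etc/os-release
    # This works around the fact that we can't currently access manifest
    # variables from postprocess scripts, though we just use the name, since
    # it's easier.
    variant=$(jq -r .rojig.name /usr/share/rpm-ostree/treefile.json)
    # Quoted so an empty/odd value yields a false test instead of a syntax error.
    if [ "$variant" = "scos" ]; then
      colloquial_name=SCOS
      project_name=OKD
    else
      colloquial_name=RHCOS
      project_name=OpenShift
    fi
    cat > /etc/motd <<EOF
    $NAME CoreOS $OSTREE_VERSION
    Part of ${project_name} ${OPENSHIFT_VERSION}, ${colloquial_name} is a Kubernetes-native operating system
    managed by the Machine Config Operator (\`clusteroperator/machine-config\`).
    WARNING: Direct SSH access to machines is not recommended; instead,
    make configuration changes via \`machineconfig\` objects:
    https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html
    ---
    EOF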