From a5c1e0977ab3f08851b58d797287aedd453fb8be Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 20 Feb 2024 15:03:12 -0500
Subject: [PATCH] manifests: move OCP-related postprocessing to `packages-openshift.yaml`
As prep for #799, let's better split the postprocessing steps that are related to OCP from those that have tighter binding to RHEL proper. This should have no visible effect.
---
common.yaml | 49 --------------------------------
manifest-c9s.yaml | 7 -----
manifest-rhel-9.4.yaml | 7 -----
packages-openshift.yaml | 60 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 60 insertions(+), 63 deletions(-)
diff --git a/common.yaml b/common.yaml
index fbf828a6..ea65292c 100644
--- a/common.yaml
+++ b/common.yaml
@@ -67,33 +67,6 @@ postprocess: # We're not using resolved yet rm -f /usr/lib/systemd/system/systemd-resolved.service - # manually modify SELinux booleans that are needed for OCP use cases - - | - #!/usr/bin/env bash - set -xeuo pipefail - semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 - semanage boolean --modify --on virt_use_samba # RHBZ#1754825 - - # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 - # https://bugzilla.redhat.com/show_bug.cgi?id=1796537 - - | - #!/usr/bin/bash - mkdir -p /usr/share/containers/oci/hooks.d - - # This is part of e.g. fedora-repos in Fedora; we now want to include it by default - # so that the MCO can use it by default and not trip over SELinux issues trying - # to create it. - - | - #!/usr/bin/bash - mkdir -p /etc/yum.repos.d - - # These enable librhsm which enables host subscriptions to work in containers - # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30 - - | - #!/usr/bin/bash - ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host - ln -sr /run/secrets/rhsm /etc/rhsm-host - # This updates the PAM configuration to reference all of the SSSD modules. # Removes the `authselect` binary afterwards since `authselect` does not play well with `nss-altfiles` # (https://github.com/pbrezina/authselect/issues/48).
@@ -151,17 +124,6 @@ postprocess: # FIXME: Why is this only broken here? NM isn't removing the link? sed -i '/etc.resolv/d' /usr/lib/tmpfiles.d/etc.conf - - | - #!/usr/bin/env bash - set -xeo pipefail - # crio should stop hardcoding things in their config file! - # We are apparently somehow pulling in a conmon override in RHCOS - # that contains /usr/libexec/crio/conmon - WHY? - # sed -i '/conmon.*=/d' /etc/crio/crio.conf - # Oh right but the MCO overrides that too so... - mkdir -p /usr/libexec/crio - ln -sr /usr/bin/conmon /usr/libexec/crio/conmon - - | #!/usr/bin/env bash set -xeuo pipefail 
@@ -181,17 +143,6 @@ postprocess: # generating it. ln -sr /usr/share/zoneinfo/UTC /etc/localtime - - | - #!/usr/bin/env bash - set -xeo pipefail - # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf - # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but - # that stopped working in the sysusers conversion. We should be able to drop this - # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390 - if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then - usermod -a -G hugetlbfs openvswitch - fi - remove-files: # We don't ship man(1) or info(1) - usr/share/info
diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml
index e828ae4c..bb0d240a 100644
--- a/manifest-c9s.yaml
+++ b/manifest-c9s.yaml
@@ -112,13 +112,6 @@ postprocess: --- EOF - - | - #!/usr/bin/env bash - set -xeo pipefail - # We need to work in disconnected environments by default, and default-enabled - # repos will be attempted to be fetched by rpm-ostree when doing node-local - # kernel overrides today for e.g. kernel-rt. - for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done # Packages that are only in SCOS and not in RHCOS or that have special # constraints that do not apply to RHCOS
diff --git a/manifest-rhel-9.4.yaml b/manifest-rhel-9.4.yaml
index 1f0fcdd8..f86db050 100644
--- a/manifest-rhel-9.4.yaml
+++ b/manifest-rhel-9.4.yaml
@@ -108,13 +108,6 @@ postprocess: --- EOF - - | - #!/usr/bin/env bash - set -xeo pipefail - # We need to work in disconnected environments by default, and default-enabled - # repos will be attempted to be fetched by rpm-ostree when doing node-local - # kernel overrides today for e.g. kernel-rt. - for x in /etc/yum.repos.d/*.repo; do sed -i -e s,enabled=1,enabled=0, $x; done # Packages that are only in RHCOS and not in SCOS or that have special # constraints that do not apply to SCOS 
diff --git a/packages-openshift.yaml b/packages-openshift.yaml
index fece50b5..74c4bff3 100644
--- a/packages-openshift.yaml
+++ b/packages-openshift.yaml
@@ -10,3 +10,63 @@ packages:
 - ose-aws-ecr-image-credential-provider
 - ose-azure-acr-image-credential-provider
 - ose-gcp-gcr-image-credential-provider
+
+postprocess:
+ # This is part of e.g. fedora-repos in Fedora; we now want to include it by default
+ # so that the MCO can use it by default and not trip over SELinux issues trying
+ # to create it.
+ - |
+ #!/usr/bin/bash
+ set -euo pipefail
+ mkdir -p /etc/yum.repos.d
+
+ # If there *are* repos built-in (e.g. c9s), disable them.
+ # We need to work in disconnected environments by default, and default-enabled
+ # repos will be attempted to be fetched by rpm-ostree when doing node-local
+ # kernel overrides today for e.g. kernel-rt.
+ for x in $(find /etc/yum.repos.d/ -name '*.repo'); do
+ sed -i -e s,enabled=1,enabled=0, $x
+ done
+
+ # These enable librhsm which enables host subscriptions to work in containers
+ # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
+ - |
+ #!/usr/bin/bash
+ set -euo pipefail
+ ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ ln -sr /run/secrets/rhsm /etc/rhsm-host
+
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ # manually modify SELinux booleans that are needed for OCP use cases
+ semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
+ semanage boolean --modify --on virt_use_samba # RHBZ#1754825
+
+ # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1796537
+ - |
+ #!/usr/bin/bash
+ mkdir -p /usr/share/containers/oci/hooks.d
+
+ - |
+ #!/usr/bin/env bash
+ set -xeo pipefail
+ # Add the hugetlbfs group to the openvswitch user if the openvswitch-hugetlbfs.conf
+ # sysusers fragment exists. The usermod used to happen in the RPM scriptlets but
+ # that stopped working in the sysusers conversion. 
We should be able to drop this
+ # when a bug gets fixed in systemd: https://github.com/openshift/os/issues/1274#issuecomment-1605507390
+ if [ -f /usr/lib/sysusers.d/openvswitch-hugetlbfs.conf ]; then
+ usermod -a -G hugetlbfs openvswitch
+ fi
+
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ # crio should stop hardcoding things in their config file!
+ # We are apparently somehow pulling in a conmon override in RHCOS
+ # that contains /usr/libexec/crio/conmon - WHY?
+ # sed -i '/conmon.*=/d' /etc/crio/crio.conf
+ # Oh right but the MCO overrides that too so...
+ mkdir -p /usr/libexec/crio
+ ln -sr /usr/bin/conmon /usr/libexec/crio/conmon
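Review bot: The repo-disable loop in the new `/etc/yum.repos.d` script iterates over `$(find …)` and hands `$x` to `sed` unquoted, so a `.repo` path containing whitespace or glob characters would be word-split or expanded before `sed -i` sees it; letting `find` run the edit avoids both problems in one line, `find /etc/yum.repos.d/ -name '*.repo' -exec sed -i -e 's,enabled=1,enabled=0,' {} +`, and is still a no-op when no repo file exists, which is what dropping the old glob was meant to achieve. Separately, the `set -euo pipefail` lines in the `/etc/yum.repos.d` and librhsm scripts are not in the blocks removed from common.yaml, so this is not purely a move as the commit message says: with `-e`, a failing first `ln -sr` (for example an already-present `/etc/pki/entitlement-host`) now aborts the compose where before only the last command's status was reported. That is arguably the safer behaviour, but it deserves a sentence in the commit message or a comment such as `# fail the compose if either link cannot be created`. The `hooks.d` script is the only one left without a `set -e` line; for consistency it could carry the same `set -euo pipefail` as its neighbours.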