Merge pull request #411 from mtrmac/podman-sequoia

WIP: Install podman-sequoia in rawhide images

.cirrus.yml

@@ -233,9 +233,6 @@ cache_images_task:
         - <<: *cache_image
           env:
             PACKER_BUILDS: "fedora-netavark"
-        - <<: *cache_image
-          env:
-            PACKER_BUILDS: "fedora-podman-py"
         - <<: *cache_image
           env:
             PACKER_BUILDS: "fedora-aws"
@@ -340,7 +337,6 @@ test_imgts_task: &imgts
             fedora-c${IMG_SFX}
             prior-fedora-c${IMG_SFX}
             fedora-netavark-c${IMG_SFX}
-            fedora-podman-py-c${IMG_SFX}
             rawhide-c${IMG_SFX}
             debian-c${IMG_SFX}
             build-push-c${IMG_SFX}

.github/workflows/check_cirrus_cron.yml

@@ -14,4 +14,9 @@ jobs:
   # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
   call_cron_failures:
     uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
-    secrets: inherit
+    secrets:
+      SECRET_CIRRUS_API_KEY: ${{secrets.SECRET_CIRRUS_API_KEY}}
+      ACTION_MAIL_SERVER: ${{secrets.ACTION_MAIL_SERVER}}
+      ACTION_MAIL_USERNAME: ${{secrets.ACTION_MAIL_USERNAME}}
+      ACTION_MAIL_PASSWORD: ${{secrets.ACTION_MAIL_PASSWORD}}
+      ACTION_MAIL_SENDER: ${{secrets.ACTION_MAIL_SENDER}}

.github/workflows/pr_image_id.yml

@@ -132,12 +132,10 @@ jobs:
 
             - if: steps.manifests.outputs.count > 0
               name: Post PR comment with image name/id table
-              uses: jungwinter/comment@v1.1.0
+              uses: thollander/actions-comment-pull-request@v3
               with:
-                  issue_number: '${{ steps.retro.outputs.prn }}'
-                  type: 'create'
-                  token: '${{ secrets.GITHUB_TOKEN }}'
-                  body: |
+                  pr-number: '${{ steps.retro.outputs.prn }}'
+                  message: |
                     ${{ env.IMAGE_TABLE }}
 
             # Ref: https://github.com/marketplace/actions/deploy-to-gist

IMG_SFX

@@ -1 +1 @@
-20250324t111922z-f41f40d13
+20250812t173301z-f42f41d13

Makefile

@@ -22,11 +22,11 @@ export CENTOS_STREAM_RELEASE = 9
 
 # Warning: Beta Fedora releases are not supported.  Verifiy EC2 AMI availability
 # here: https://fedoraproject.org/cloud/download
-export FEDORA_RELEASE = 41
-export PRIOR_FEDORA_RELEASE = 40
+export FEDORA_RELEASE = 42
+export PRIOR_FEDORA_RELEASE = 41
 
 # This should always be one-greater than $FEDORA_RELEASE (assuming it's actually the latest)
-export RAWHIDE_RELEASE = 42
+export RAWHIDE_RELEASE = 43
 
 # Automation assumes the actual release number (after SID upgrade)
 # is always one-greater than the latest DEBIAN_BASE_FAMILY (GCE image).
@@ -132,17 +132,17 @@ help: ## Default target, parses special in-line comments as documentation.
 # names and a max-length of 63.
 .PHONY: IMG_SFX
 IMG_SFX:  timebomb-check ## Generate a new date-based image suffix, store in the file IMG_SFX
-	$(file >$@,$(shell date --utc +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE)))
-	@echo "$(file <IMG_SFX)"
+	@echo "$$(date -u +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE))" > "$@"
+	@cat IMG_SFX
 
 # Prevent us from wasting CI time when we have expired timebombs
 .PHONY: timebomb-check
 timebomb-check:
-	@now=$$(date --utc +%Y%m%d); \
+	@now=$$(date -u +%Y%m%d); \
 	    found=; \
 	    while read -r bomb; do \
-	        when=$$(echo "$$bomb" | sed -e 's/^.*timebomb \([0-9]\+\).*/\1/'); \
-	        if [ $$when -le $$now ]; then \
+	        when=$$(echo "$$bomb" | sed -E -e 's/^.*timebomb ([0-9]+).*/\1/'); \
+	        if [ "$$when" -le "$$now" ]; then \
 	            echo "$$bomb"; \
 	            found=found; \
 	        fi; \

base_images/fedora_base-setup.sh

@@ -90,7 +90,9 @@ if ! ((CONTAINER)); then
         # This is necessary to prevent permission-denied errors on service-start
         # and also on the off-chance the package gets updated and context reset.
         $SUDO semanage fcontext --add --type bin_t /usr/bin/cloud-init
-        $SUDO restorecon -v /usr/bin/cloud-init
+        # This used restorecon before so we don't have to specify the file_contexts.local
+        # manually, however with f42 that stopped working: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
+        $SUDO setfiles -v /etc/selinux/targeted/contexts/files/file_contexts.local /usr/bin/cloud-init
     else  # GCP Image
         echo "Setting GCP startup service (for Cirrus-CI agent) SELinux unconfined"
         # ref: https://cloud.google.com/compute/docs/startupscript

cache_images/cloud.yml

@@ -75,9 +75,6 @@ builders:
       source_image_family: 'fedora-base'
       labels: *fedora_gce_labels
 
-    - <<: *aux_fed_img
-      name: 'fedora-podman-py'
-
     - <<: *aux_fed_img
       name: 'fedora-netavark'
 

cache_images/debian_packaging.sh

@@ -103,6 +103,8 @@ INSTALL_PACKAGES=(\
     skopeo
     slirp4netns
     socat
+    libsqlite3-0
+    libsqlite3-dev
     systemd-container
     sudo
     time

cache_images/debian_setup.sh

@@ -47,6 +47,11 @@ req_env_vars PACKER_BUILD_NAME
 
 bash $SCRIPT_DIRPATH/debian_packaging.sh
 
+# dnsmasq is set to bind 0.0.0.0:53, that will conflict with our dns tests.
+# We don't need a local resolver.
+$SUDO systemctl disable dnsmasq.service
+$SUDO systemctl mask dnsmasq.service
+
 if ! ((CONTAINER)); then
     warn "Making Debian kernel enable cgroup swap accounting"
     SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/'

cache_images/fedora-podman-py_packaging.sh

@@ -1,100 +0,0 @@
-#!/bin/bash
-
-# This script is called from fedora_setup.sh and various Dockerfiles.
-# It's not intended to be used outside of those contexts.  It assumes the lib.sh
-# library has already been sourced, and that all "ground-up" package-related activity
-# needs to be done, including repository setup and initial update.
-
-set -e
-
-SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
-SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
-REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
-
-# shellcheck source=./lib.sh
-source "$REPO_DIRPATH/lib.sh"
-
-# shellcheck disable=SC2154
-warn "Enabling updates-testing repository for $PACKER_BUILD_NAME"
-lilto ooe.sh $SUDO dnf install -y 'dnf-command(config-manager)'
-lilto ooe.sh $SUDO dnf config-manager setopt updates-testing.enabled=1
-
-msg "Updating/Installing repos and packages for $OS_REL_VER"
-
-bigto ooe.sh $SUDO dnf update -y
-
-INSTALL_PACKAGES=(\
-    bash-completion
-    bridge-utils
-    buildah
-    bzip2
-    curl
-    findutils
-    fuse3
-    gcc
-    git
-    git-daemon
-    glib2-devel
-    glibc-devel
-    hostname
-    httpd-tools
-    iproute
-    iptables
-    jq
-    libtool
-    lsof
-    make
-    nmap-ncat
-    openssl
-    openssl-devel
-    pkgconfig
-    podman
-    policycoreutils
-    protobuf
-    protobuf-devel
-    python-pip-wheel
-    python-setuptools-wheel
-    python-toml
-    python-wheel-wheel
-    python3-PyYAML
-    python3-coverage
-    python3-dateutil
-    python3-docker
-    python3-fixtures
-    python3-libselinux
-    python3-libsemanage
-    python3-libvirt
-    python3-pip
-    python3-psutil
-    python3-pylint
-    python3-pytest
-    python3-requests
-    python3-requests-mock
-    python3-virtualenv
-    python3.6
-    python3.8
-    python3.9
-    python3.10
-    python3.11
-    python3.12
-    redhat-rpm-config
-    rsync
-    sed
-    skopeo
-    socat
-    tar
-    time
-    tox
-    unzip
-    vim
-    wget
-    xz
-    zip
-    zstd
-)
-
-echo "Installing general build/test dependencies"
-bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
-
-# It was observed in F33, dnf install doesn't always get you the latest/greatest
-lilto $SUDO dnf update -y

cache_images/fedora_packaging.sh

@@ -56,6 +56,7 @@ INSTALL_PACKAGES=(\
     curl
     device-mapper-devel
     dnsmasq
+    docker-distribution
     e2fsprogs-devel
     emacs-nox
     fakeroot
@@ -64,6 +65,7 @@ INSTALL_PACKAGES=(\
     fuse3
     fuse3-devel
     gcc
+    gh
     git
     git-daemon
     glib2-devel
@@ -81,6 +83,7 @@ INSTALL_PACKAGES=(\
     iproute
     iptables
     jq
+    koji
     krb5-workstation
     libassuan
     libassuan-devel
@@ -122,6 +125,8 @@ INSTALL_PACKAGES=(\
     protobuf-c
     protobuf-c-devel
     protobuf-devel
+    python3-fedora-distro-aliases
+    python3-koji-cli-plugins
     redhat-rpm-config
     rpcbind
     rsync
@@ -131,6 +136,8 @@ INSTALL_PACKAGES=(\
     skopeo
     slirp4netns
     socat
+    sqlite-libs
+    sqlite-devel
     squashfs-tools
     tar
     time
@@ -167,6 +174,11 @@ if [[ "$PACKER_BUILD_NAME" =~ fedora ]]; then
         python3-requests
         python3-requests-mock
     )
+else # podman-sequoia is only available in Rawhide
+    timebomb 20251101 "Also install the package in future Fedora releases, and enable Sequoia support in users of the images."
+    INSTALL_PACKAGES+=( \
+        podman-sequoia
+    )
 fi
 
 # When installing during a container-build, having this present

cache_images/fedora_setup.sh

@@ -30,8 +30,6 @@ req_env_vars PACKER_BUILD_NAME
 # shellcheck disable=SC2154
 if [[ "$PACKER_BUILD_NAME" =~ "netavark" ]]; then
     bash $SCRIPT_DIRPATH/fedora-netavark_packaging.sh
-elif [[ "$PACKER_BUILD_NAME" =~ "podman-py" ]]; then
-    bash $SCRIPT_DIRPATH/fedora-podman-py_packaging.sh
 elif [[ "$PACKER_BUILD_NAME" =~ "build-push" ]]; then
     bash $SCRIPT_DIRPATH/build-push_packaging.sh
     # Registers qemu emulation for non-native execution

ccia/fake_manifests/fedora-podman-py Cache Image/manifest/cache_images/manifest.json

@@ -1,17 +0,0 @@
-{
-  "builds": [
-    {
-      "name": "fedora-podman-py",
-      "builder_type": "googlecompute",
-      "build_time": 1658176090,
-      "files": null,
-      "artifact_id": "fedora-podman-py-c5419329914142720",
-      "packer_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272",
-      "custom_data": {
-        "IMG_SFX": "5419329914142720",
-        "STAGE": "cache"
-      }
-    }
-  ],
-  "last_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272"
-}

ci/make.sh

@@ -35,6 +35,14 @@ if [[ -n "$AWS_INI" ]]; then
     set_aws_filepath
 fi
 
+id
+# FIXME: ssh-keygen seems to fail to create keys with Permission denied
+# in the base_images make target, I have no idea why but all CI jobs are
+# broken because of this. Let's try without selinux.
+if [[ "$(getenforce)" == "Enforcing" ]]; then
+    setenforce 0
+fi
+
 set -x
 cd "$REPO_DIRPATH"
 export IMG_SFX=$IMG_SFX

gcpprojects.txt

@@ -8,7 +8,6 @@ containers-build-source-image
 libpod-218412
 netavark-2021
 oci-seccomp-bpf-hook
-podman-py
 skopeo
 storage-240716
 udica-247612

skopeo_cidev/Containerfile

@@ -12,7 +12,6 @@ RUN dnf -y update && \
     dnf clean all
 
 ENV REG_REPO="https://github.com/docker/distribution.git" \
-    REG_COMMIT="b5ca020cfbe998e5af3457fda087444cf5116496" \
     REG_COMMIT_SCHEMA1="ec87e9b6971d831f0eff752ddb54fb64693e51cd" \
     OSO_REPO="https://github.com/openshift/origin.git" \
     OSO_TAG="v1.5.0-alpha.3"

skopeo_cidev/setup.sh

@@ -9,7 +9,6 @@ set -e
 declare -a req_vars
 req_vars=(\
     REG_REPO
-    REG_COMMIT
     REG_COMMIT_SCHEMA1
     OSO_REPO
     OSO_TAG
@@ -43,12 +42,6 @@ cd "$REG_GOSRC"
 (
     # This is required to be set like this by the build system
     export GOPATH="$PWD/Godeps/_workspace:$GOPATH"
-    # This comes in from the Containerfile
-    # shellcheck disable=SC2154
-    git checkout -q "$REG_COMMIT"
-    go build -o /usr/local/bin/registry-v2 \
-        github.com/docker/distribution/cmd/registry
-
     # This comes in from the Containerfile
     # shellcheck disable=SC2154
     git checkout -q "$REG_COMMIT_SCHEMA1"