.cirrus.yml

@@ -233,6 +233,9 @@ cache_images_task:
         - <<: *cache_image
           env:
             PACKER_BUILDS: "fedora-netavark"
+        - <<: *cache_image
+          env:
+            PACKER_BUILDS: "fedora-podman-py"
         - <<: *cache_image
           env:
             PACKER_BUILDS: "fedora-aws"
@@ -337,6 +340,7 @@ test_imgts_task: &imgts
             fedora-c${IMG_SFX}
             prior-fedora-c${IMG_SFX}
             fedora-netavark-c${IMG_SFX}
+            fedora-podman-py-c${IMG_SFX}
             rawhide-c${IMG_SFX}
             debian-c${IMG_SFX}
             build-push-c${IMG_SFX}

.github/workflows/check_cirrus_cron.yml

@@ -14,9 +14,4 @@ jobs:
   # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
   call_cron_failures:
     uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
-    secrets:
-      SECRET_CIRRUS_API_KEY: ${{secrets.SECRET_CIRRUS_API_KEY}}
-      ACTION_MAIL_SERVER: ${{secrets.ACTION_MAIL_SERVER}}
-      ACTION_MAIL_USERNAME: ${{secrets.ACTION_MAIL_USERNAME}}
-      ACTION_MAIL_PASSWORD: ${{secrets.ACTION_MAIL_PASSWORD}}
-      ACTION_MAIL_SENDER: ${{secrets.ACTION_MAIL_SENDER}}
+    secrets: inherit

.github/workflows/pr_image_id.yml

@@ -132,10 +132,12 @@ jobs:
 
             - if: steps.manifests.outputs.count > 0
               name: Post PR comment with image name/id table
-              uses: thollander/actions-comment-pull-request@v3
+              uses: jungwinter/comment@v1.1.0
               with:
-                  pr-number: '${{ steps.retro.outputs.prn }}'
-                  message: |
+                  issue_number: '${{ steps.retro.outputs.prn }}'
+                  type: 'create'
+                  token: '${{ secrets.GITHUB_TOKEN }}'
+                  body: |
                     ${{ env.IMAGE_TABLE }}
 
             # Ref: https://github.com/marketplace/actions/deploy-to-gist

IMG_SFX

@@ -1 +1 @@
-20250812t173301z-f42f41d13
+20241107t210000z-f41f40d13

Makefile

@@ -22,11 +22,11 @@ export CENTOS_STREAM_RELEASE = 9
 
 # Warning: Beta Fedora releases are not supported.  Verifiy EC2 AMI availability
 # here: https://fedoraproject.org/cloud/download
-export FEDORA_RELEASE = 42
-export PRIOR_FEDORA_RELEASE = 41
+export FEDORA_RELEASE = 41
+export PRIOR_FEDORA_RELEASE = 40
 
 # This should always be one-greater than $FEDORA_RELEASE (assuming it's actually the latest)
-export RAWHIDE_RELEASE = 43
+export RAWHIDE_RELEASE = 42
 
 # Automation assumes the actual release number (after SID upgrade)
 # is always one-greater than the latest DEBIAN_BASE_FAMILY (GCE image).
@@ -132,17 +132,17 @@ help: ## Default target, parses special in-line comments as documentation.
 # names and a max-length of 63.
 .PHONY: IMG_SFX
 IMG_SFX:  timebomb-check ## Generate a new date-based image suffix, store in the file IMG_SFX
-	@echo "$$(date -u +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE))" > "$@"
-	@cat IMG_SFX
+	$(file >$@,$(shell date --utc +%Y%m%dt%H%M%Sz)-f$(FEDORA_RELEASE)f$(PRIOR_FEDORA_RELEASE)d$(subst .,,$(DEBIAN_RELEASE)))
+	@echo "$(file <IMG_SFX)"
 
 # Prevent us from wasting CI time when we have expired timebombs
 .PHONY: timebomb-check
 timebomb-check:
-	@now=$$(date -u +%Y%m%d); \
+	@now=$$(date --utc +%Y%m%d); \
 	    found=; \
 	    while read -r bomb; do \
-	        when=$$(echo "$$bomb" | sed -E -e 's/^.*timebomb ([0-9]+).*/\1/'); \
-	        if [ "$$when" -le "$$now" ]; then \
+	        when=$$(echo "$$bomb" | sed -e 's/^.*timebomb \([0-9]\+\).*/\1/'); \
+	        if [ $$when -le $$now ]; then \
 	            echo "$$bomb"; \
 	            found=found; \
 	        fi; \

README-simplified.md

@@ -70,8 +70,8 @@ cases,
 [crun](https://github.com/containers/automation_images/pull/386/files) and
 [pasta](https://github.com/containers/automation_images/pull/383/files).
 Note the `timebomb` directives. Please use these: the time you save
-may be your own, one future day. And please use 2-6 week times.
-A timebomb that expires in a year is going to be hard to understand
+may be your own, one future day. And please use 2-6 week times. A
+timebomb that expires in a year is going to be hard to understand
 when it goes off.
 
 Bumping Distros

base_images/debian_base-setup.sh

@@ -52,6 +52,19 @@ install_automation_tooling
 # Ensure automation library is loaded
 source "$REPO_DIRPATH/lib.sh"
 
+# 2024-01-02 found debian 13 tar 1.35+dfsg-2
+# which has the horrible duplicate-path bug:
+#     https://github.com/containers/podman/issues/19407
+#     https://bugzilla.redhat.com/show_bug.cgi?id=2230127
+# 2024-01-25 dfsg-3 also has the bug
+# 2024-09-06 trixy still has 1.35+dfsg-3 (https://packages.debian.org/trixie/tar)
+timebomb 20241201 "prevent us from getting broken tar-1.35+dfsg-3"
+$SUDO tee /etc/apt/preferences.d/$(date +%Y%m%d)-tar <<EOF
+Package: tar
+Pin: version 1.35+dfsg-[23]
+Pin-Priority: -1
+EOF
+
 # Workaround 12->13 forward-incompatible change in grub scripts.
 # Without this, updating to the SID kernel may fail.
 echo "Upgrading grub-common"

base_images/fedora_base-setup.sh

@@ -90,9 +90,7 @@ if ! ((CONTAINER)); then
         # This is necessary to prevent permission-denied errors on service-start
         # and also on the off-chance the package gets updated and context reset.
         $SUDO semanage fcontext --add --type bin_t /usr/bin/cloud-init
-        # This used restorecon before so we don't have to specify the file_contexts.local
-        # manually, however with f42 that stopped working: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
-        $SUDO setfiles -v /etc/selinux/targeted/contexts/files/file_contexts.local /usr/bin/cloud-init
+        $SUDO restorecon -v /usr/bin/cloud-init
     else  # GCP Image
         echo "Setting GCP startup service (for Cirrus-CI agent) SELinux unconfined"
         # ref: https://cloud.google.com/compute/docs/startupscript

cache_images/cloud.yml

@@ -75,6 +75,9 @@ builders:
       source_image_family: 'fedora-base'
       labels: *fedora_gce_labels
 
+    - <<: *aux_fed_img
+      name: 'fedora-podman-py'
+
     - <<: *aux_fed_img
       name: 'fedora-netavark'
 

cache_images/debian_packaging.sh

@@ -44,7 +44,7 @@ INSTALL_PACKAGES=(\
     fuse-overlayfs
     gcc
     gettext
-    git
+    git-daemon-run
     gnupg2
     go-md2man
     golang
@@ -103,8 +103,6 @@ INSTALL_PACKAGES=(\
     skopeo
     slirp4netns
     socat
-    libsqlite3-0
-    libsqlite3-dev
     systemd-container
     sudo
     time

cache_images/debian_setup.sh

@@ -47,11 +47,6 @@ req_env_vars PACKER_BUILD_NAME
 
 bash $SCRIPT_DIRPATH/debian_packaging.sh
 
-# dnsmasq is set to bind 0.0.0.0:53, that will conflict with our dns tests.
-# We don't need a local resolver.
-$SUDO systemctl disable dnsmasq.service
-$SUDO systemctl mask dnsmasq.service
-
 if ! ((CONTAINER)); then
     warn "Making Debian kernel enable cgroup swap accounting"
     SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/'

cache_images/fedora-podman-py_packaging.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# This script is called from fedora_setup.sh and various Dockerfiles.
+# It's not intended to be used outside of those contexts.  It assumes the lib.sh
+# library has already been sourced, and that all "ground-up" package-related activity
+# needs to be done, including repository setup and initial update.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# shellcheck source=./lib.sh
+source "$REPO_DIRPATH/lib.sh"
+
+# shellcheck disable=SC2154
+warn "Enabling updates-testing repository for $PACKER_BUILD_NAME"
+lilto ooe.sh $SUDO dnf install -y 'dnf-command(config-manager)'
+lilto ooe.sh $SUDO dnf config-manager setopt updates-testing.enabled=1
+
+msg "Updating/Installing repos and packages for $OS_REL_VER"
+
+bigto ooe.sh $SUDO dnf update -y
+
+INSTALL_PACKAGES=(\
+    bash-completion
+    bridge-utils
+    buildah
+    bzip2
+    curl
+    findutils
+    fuse3
+    gcc
+    git
+    git-daemon
+    glib2-devel
+    glibc-devel
+    hostname
+    httpd-tools
+    iproute
+    iptables
+    jq
+    libtool
+    lsof
+    make
+    nmap-ncat
+    openssl
+    openssl-devel
+    pkgconfig
+    podman
+    policycoreutils
+    protobuf
+    protobuf-devel
+    python-pip-wheel
+    python-setuptools-wheel
+    python-toml
+    python-wheel-wheel
+    python3-PyYAML
+    python3-coverage
+    python3-dateutil
+    python3-docker
+    python3-fixtures
+    python3-libselinux
+    python3-libsemanage
+    python3-libvirt
+    python3-pip
+    python3-psutil
+    python3-pylint
+    python3-pytest
+    python3-requests
+    python3-requests-mock
+    python3-virtualenv
+    python3.6
+    python3.8
+    python3.9
+    python3.10
+    python3.11
+    python3.12
+    redhat-rpm-config
+    rsync
+    sed
+    skopeo
+    socat
+    tar
+    time
+    tox
+    unzip
+    vim
+    wget
+    xz
+    zip
+    zstd
+)
+
+echo "Installing general build/test dependencies"
+bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
+
+# It was observed in F33, dnf install doesn't always get you the latest/greatest
+lilto $SUDO dnf update -y

cache_images/fedora_packaging.sh

@@ -56,7 +56,6 @@ INSTALL_PACKAGES=(\
     curl
     device-mapper-devel
     dnsmasq
-    docker-distribution
     e2fsprogs-devel
     emacs-nox
     fakeroot
@@ -65,7 +64,6 @@ INSTALL_PACKAGES=(\
     fuse3
     fuse3-devel
     gcc
-    gh
     git
     git-daemon
     glib2-devel
@@ -83,7 +81,6 @@ INSTALL_PACKAGES=(\
     iproute
     iptables
     jq
-    koji
     krb5-workstation
     libassuan
     libassuan-devel
@@ -118,15 +115,12 @@ INSTALL_PACKAGES=(\
     pigz
     pkgconfig
     podman
-    podman-remote
     pre-commit
     procps-ng
     protobuf
     protobuf-c
     protobuf-c-devel
     protobuf-devel
-    python3-fedora-distro-aliases
-    python3-koji-cli-plugins
     redhat-rpm-config
     rpcbind
     rsync
@@ -136,8 +130,6 @@ INSTALL_PACKAGES=(\
     skopeo
     slirp4netns
     socat
-    sqlite-libs
-    sqlite-devel
     squashfs-tools
     tar
     time
@@ -174,11 +166,6 @@ if [[ "$PACKER_BUILD_NAME" =~ fedora ]]; then
         python3-requests
         python3-requests-mock
     )
-else # podman-sequoia is only available in Rawhide
-    timebomb 20251101 "Also install the package in future Fedora releases, and enable Sequoia support in users of the images."
-    INSTALL_PACKAGES+=( \
-        podman-sequoia
-    )
 fi
 
 # When installing during a container-build, having this present
@@ -196,16 +183,6 @@ if ! ((CONTAINER)); then
         selinux-policy-devel
         policycoreutils
     )
-
-    # Extra packages needed by podman-machine-os
-    INSTALL_PACKAGES+=( \
-        podman-machine
-        osbuild
-        osbuild-tools
-        osbuild-ostree
-        xfsprogs
-        e2fsprogs
-    )
 fi
 
 
@@ -223,6 +200,18 @@ DOWNLOAD_PACKAGES=(\
 msg "Installing general build/test dependencies"
 bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
 
+# 2024-11-07 not yet stable on f40
+timebomb 20241119 "pasta 20241030 desired for podman flake fix"
+if [[ "$OS_RELEASE_VER" -eq 40 ]]; then
+    arch=$(uname -m)
+    n=passt
+    v=0%5E20241030.gee7d0b6
+    r=1.fc$OS_RELEASE_VER
+    bigto $SUDO dnf install -y  \
+          https://kojipkgs.fedoraproject.org/packages/$n/$v/$r/$arch/$n-$v-$r.$arch.rpm \
+          https://kojipkgs.fedoraproject.org/packages/$n/$v/$r/noarch/$n-selinux-$v-$r.noarch.rpm
+fi
+
 msg "Downloading packages for optional installation at runtime, as needed."
 $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR"
 cd "$PACKAGE_DOWNLOAD_DIR"

cache_images/fedora_setup.sh

@@ -30,6 +30,8 @@ req_env_vars PACKER_BUILD_NAME
 # shellcheck disable=SC2154
 if [[ "$PACKER_BUILD_NAME" =~ "netavark" ]]; then
     bash $SCRIPT_DIRPATH/fedora-netavark_packaging.sh
+elif [[ "$PACKER_BUILD_NAME" =~ "podman-py" ]]; then
+    bash $SCRIPT_DIRPATH/fedora-podman-py_packaging.sh
 elif [[ "$PACKER_BUILD_NAME" =~ "build-push" ]]; then
     bash $SCRIPT_DIRPATH/build-push_packaging.sh
     # Registers qemu emulation for non-native execution

cache_images/local-cache-registry

@@ -76,10 +76,6 @@ declare -a IMAGELIST=(
     registry:2.8.2
     registry:volume_omitted
     systemd-image:20240124
-    testartifact:20250206-single
-    testartifact:20250206-multi
-    testartifact:20250206-multi-no-title
-    testartifact:20250206-evil
     testdigest_v2s2
     testdigest_v2s2:20200210
     testimage:00000000

cache_images/rawhide_setup.sh

@@ -30,6 +30,10 @@ $SUDO sed -i -r -e 's/^gpgcheck=.+/gpgcheck=0/' /etc/yum.repos.d/*.repo
 $SUDO dnf5 -y distro-sync --releasever=rawhide --allowerasing
 $SUDO dnf5 upgrade -y
 
+# As of May 2024 composefs is heating up
+timebomb 20241231 "At some point, composefs should be available on all fedoras"
+$SUDO dnf5 -y install composefs
+
 # A shared fedora_packaging.sh script is called next that doesn't always support dnf5
 $SUDO ln -s $(type -P dnf5) /usr/local/bin/dnf
 

ccia/fake_manifests/fedora-podman-py Cache Image/manifest/cache_images/manifest.json

@@ -0,0 +1,17 @@
+{
+  "builds": [
+    {
+      "name": "fedora-podman-py",
+      "builder_type": "googlecompute",
+      "build_time": 1658176090,
+      "files": null,
+      "artifact_id": "fedora-podman-py-c5419329914142720",
+      "packer_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272",
+      "custom_data": {
+        "IMG_SFX": "5419329914142720",
+        "STAGE": "cache"
+      }
+    }
+  ],
+  "last_run_uuid": "e5b1e6ab-37a5-a695-624d-47bf0060b272"
+}

ci/make.sh

@@ -35,14 +35,6 @@ if [[ -n "$AWS_INI" ]]; then
     set_aws_filepath
 fi
 
-id
-# FIXME: ssh-keygen seems to fail to create keys with Permission denied
-# in the base_images make target, I have no idea why but all CI jobs are
-# broken because of this. Let's try without selinux.
-if [[ "$(getenforce)" == "Enforcing" ]]; then
-    setenforce 0
-fi
-
 set -x
 cd "$REPO_DIRPATH"
 export IMG_SFX=$IMG_SFX

gcpprojects.txt

@@ -8,6 +8,7 @@ containers-build-source-image
 libpod-218412
 netavark-2021
 oci-seccomp-bpf-hook
+podman-py
 skopeo
 storage-240716
 udica-247612

skopeo_cidev/Containerfile

@@ -12,6 +12,7 @@ RUN dnf -y update && \
     dnf clean all
 
 ENV REG_REPO="https://github.com/docker/distribution.git" \
+    REG_COMMIT="b5ca020cfbe998e5af3457fda087444cf5116496" \
     REG_COMMIT_SCHEMA1="ec87e9b6971d831f0eff752ddb54fb64693e51cd" \
     OSO_REPO="https://github.com/openshift/origin.git" \
     OSO_TAG="v1.5.0-alpha.3"

skopeo_cidev/setup.sh

@@ -9,6 +9,7 @@ set -e
 declare -a req_vars
 req_vars=(\
     REG_REPO
+    REG_COMMIT
     REG_COMMIT_SCHEMA1
     OSO_REPO
     OSO_TAG
@@ -42,6 +43,12 @@ cd "$REG_GOSRC"
 (
     # This is required to be set like this by the build system
     export GOPATH="$PWD/Godeps/_workspace:$GOPATH"
+    # This comes in from the Containerfile
+    # shellcheck disable=SC2154
+    git checkout -q "$REG_COMMIT"
+    go build -o /usr/local/bin/registry-v2 \
+        github.com/docker/distribution/cmd/registry
+
     # This comes in from the Containerfile
     # shellcheck disable=SC2154
     git checkout -q "$REG_COMMIT_SCHEMA1"

win_images/win_packaging.ps1

@@ -9,7 +9,7 @@ iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocola
 
 # Install basic required tooling.
 #   psexec needed to workaround session 0 WSL bug
-retryInstall 7zip git archiver psexec golang mingw StrawberryPerl zstandard; Check-Exit
+retryInstall git archiver psexec golang mingw StrawberryPerl zstandard; Check-Exit
 
 # Update service is required for dotnet
 Set-Service -Name wuauserv -StartupType "Manual"; Check-Exit