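#!/bin/bash
# Build the OpenShift node image on top of the base CoreOS image.
# Called from `Containerfile`, so it assumes it runs as root inside the build
# container with the src repo mounted at /run/src.
#
# Required environment (set by the Containerfile; `set -u` makes a missing
# one a hard failure rather than a silent default):
#   OPENSHIFT_CI      - "0" outside OpenShift CI; anything else switches the
#                       repos to the in-cluster mirrors
#   YUM_REPO_NAMES    - comma-separated list of repo ids to install from; the
#                       last entry is treated as the ART repo
#   OPENSHIFT_VERSION - OCP release, written to os-release and the MOTD
#   OSTREE_VERSION    - shown in the MOTD (presumably comes from
#                       /etc/os-release, which is sourced below — confirm)
set -euxo pipefail

# Avoid shipping modified .pyc files. Due to
# https://github.com/ostreedev/ostree/issues/1469, any Python apps that
# run (e.g. dnf) will cause pyc creation. We do this by backing them up and
# restoring them at the end of the script.
find /usr -name '*.pyc' -exec mv -- {} {}.bak \;

# fetch repos from in-cluster mirrors if we're running in OpenShift CI
if [[ "${OPENSHIFT_CI}" != 0 ]]; then
  /run/src/ci/get-ocp-repo.sh /etc/yum.repos.d/ocp.repo
fi

# add all the repos from the src repo (including mounted in secret.repo)
# into `/etc/yum.repos.d` so dnf sees them. git.repo is removed again after
# the install below, so nothing from secret.repo ends up in the final image.
cat /run/src/*.repo >> /etc/yum.repos.d/git.repo

# Provides ID and NAME (used for the SCOS/RHCOS heuristics below).
source /etc/os-release

# XXX: For SCOS, only allow certain packages to come from ART; everything else
# should come from CentOS. We should eventually sever this.
if [[ "${ID}" == centos ]]; then
  # ART repo == the last repo in the comma-separated list
  OPENSHIFT_ART_REPO_NAME=${YUM_REPO_NAMES##*,}
  dnf config-manager --save \
    --setopt="${OPENSHIFT_ART_REPO_NAME}.includepkgs=openshift-*,ose-aws-ecr-*,ose-azure-acr-*,ose-gcp-gcr-*,ose-crio-*"
fi

# XXX: patch cri-o spec to use tmpfiles
# https://github.com/CentOS/centos-bootc/issues/393
mkdir -p /var/opt

# Version lock to the specific packages installed on the system already, so
# the install below cannot silently upgrade base-image packages.
# '*' is quoted so the shell never expands it against the cwd.
dnf --disablerepo='*' versionlock add '*'

# Install the OCP packages. Limit to appropriate repos for this stream.
dnf --repo="${YUM_REPO_NAMES}" install -y \
  cri-o cri-tools conmon-rs \
  openshift-clients openshift-kubelet \
  openvswitch3.5 \
  NetworkManager-ovs \
  ose-aws-ecr-image-credential-provider \
  ose-azure-acr-image-credential-provider \
  ose-gcp-gcr-image-credential-provider \
  ose-crio-credential-provider

# clear the versionlock and clean up any dnf caches / yum repo files we created.
# note `redhat.repo` gets created when you run dnf (via subscription-manager plugin),
# so we'll clean that up too.
dnf --disablerepo='*' versionlock clear
dnf clean all
rm -vf /etc/yum.repos.d/{ocp,git,redhat}.repo

# --- postprocess steps ---
# These were previously in the `postprocess` section of packages-openshift.yaml.

# Disable any built-in repos. We need to work in disconnected environments by
# default, and default-enabled repos will be attempted to be fetched by
# rpm-ostree when doing node-local kernel overrides today for e.g. kernel-rt.
# find -exec (rather than a for loop over $(find ...)) keeps paths intact even
# if a repo file name contains whitespace, and still recurses like before.
find /etc/yum.repos.d/ -name '*.repo' \
  -exec sed -i -e 's/enabled\s*=\s*1/enabled=0/g' -- {} +

# Enable librhsm which enables host subscriptions to work in containers
# https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30
# These are symlinks to paths that are mounted at runtime; no entitlement
# material is copied into the image here.
ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
ln -sr /run/secrets/rhsm /etc/rhsm-host

# Manually modify SELinux booleans that are needed for OCP use cases
semanage boolean --modify --on container_use_cephfs # RHBZ#1694045
semanage boolean --modify --on virt_use_samba       # RHBZ#1754825

# https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812
# https://bugzilla.redhat.com/show_bug.cgi?id=1796537
mkdir -p /usr/share/containers/oci/hooks.d

# crio conmon symlink
mkdir -p /usr/libexec/crio
ln -sr /usr/bin/conmon /usr/libexec/crio/conmon

# Inject OpenShift-specific release fields
cat >> /usr/lib/os-release <<EOF
OPENSHIFT_VERSION="${OPENSHIFT_VERSION}"
EOF

# Generate MOTD
# Detect variant based on the Containerfile metadata. In the absence of
# rpm-ostree treefile metadata, we use a heuristic: centos builds are SCOS.
if [[ "${ID}" == centos ]]; then
  colloquial_name=SCOS
  project_name=OKD
else
  colloquial_name=RHCOS
  project_name=OpenShift
fi

# in the el-only variants, we already have CoreOS in the NAME, so don't
# re-add it when building the node image
if [[ "${NAME}" != *CoreOS* ]]; then
  NAME="${NAME} CoreOS"
fi

cat > /etc/motd <<EOF
$NAME $OSTREE_VERSION
Part of ${project_name} ${OPENSHIFT_VERSION}, ${colloquial_name} is a Kubernetes-native operating system
managed by the Machine Config Operator (\`clusteroperator/machine-config\`).

WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via \`machineconfig\` objects:
https://docs.openshift.com/container-platform/${OPENSHIFT_VERSION}/architecture/architecture-rhcos.html

---
EOF

# Delete leftover files in the layering path
if [[ -f /run/.containerenv ]]; then
  # lockfiles and backup files
  rm -f /etc/.pwd.lock /etc/group- /etc/gshadow- /etc/shadow- /etc/passwd-
  rm -f /etc/selinux/targeted/*.LOCK
  # cache, logs, etc...
  rm -rf /var && mkdir /var
  # All the entries here should instead be part of their respective
  # packages. But we carry them here for now to maintain compatibility.
  # Quoted delimiter: the content is literal and must not be expanded.
  cat > /usr/lib/tmpfiles.d/openshift.conf <<'EOF'
L /opt/cni - - - - ../../usr/lib/opt/cni
d /var/lib/cni 0755 root root - -
d /var/lib/cni/bin 0755 root root - -
d /var/lib/containers 0755 root root - -
d /var/lib/openvswitch 0755 root root - -
d /var/lib/openvswitch/pki 0755 root root - -
d /var/log/openvswitch 0750 openvswitch hugetlbfs - -
d /var/lib/unbound 0755 unbound unbound - -
EOF
fi
# --- end postprocess steps ---

# Restore the .pyc files backed up at the top. "$1" is quoted inside the
# inline sh so paths with unusual characters are handled as a single word.
find /usr -name '*.pyc.bak' -exec sh -c 'mv -- "$1" "${1%.bak}"' _ {} \;

ostree container commit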