diff --git a/Containerfile b/Containerfile index 9f84eeff5..e2e0667c3 100644 --- a/Containerfile +++ b/Containerfile @@ -1,15 +1,27 @@ # This builds the final OCP/OKD node image on top of the base CoreOS image. For # instructions on how to build this, see `docs/building.md`. -FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build +ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10 +FROM ${IMAGE_FROM} as build ARG OPENSHIFT_CI=0 RUN --mount=type=bind,target=/run/src --mount=type=secret,id=yumrepos,target=/etc/yum.repos.d/secret.repo /run/src/build-node-image.sh FROM build as metadata +ARG IMAGE_NAME +ARG IMAGE_CPE +ARG TARGETARCH RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-metadata +RUN --mount=type=bind,target=/run/src /run/src/scripts/generate-labels FROM build COPY --from=metadata /usr/share/openshift /usr/share/openshift +COPY --from=metadata /usr/share/buildinfo /usr/share/buildinfo +ARG IMAGE_NAME +ARG IMAGE_CPE +ARG TARGETARCH +LABEL name=${IMAGE_NAME} +LABEL cpe=${IMAGE_CPE} +LABEL architecture=${TARGETARCH} LABEL io.openshift.metalayer=true # Add a hack to get OpenShift tests working again because a # revert of the new architecture happened in diff --git a/build-args-10.2-4.22.conf b/build-args-10.2-4.22.conf new file mode 100644 index 000000000..33e509600 --- /dev/null +++ b/build-args-10.2-4.22.conf @@ -0,0 +1,3 @@ +IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2 +IMAGE_NAME=openshift/ose-rhel-coreos-10 +IMAGE_CPE=cpe:/a:redhat:openshift:4.22::el10 diff --git a/build-args-9.8-4.22.conf b/build-args-9.8-4.22.conf new file mode 100644 index 000000000..879f96823 --- /dev/null +++ b/build-args-9.8-4.22.conf @@ -0,0 +1,3 @@ +IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:9.8 +IMAGE_NAME=openshift/ose-rhel-coreos-9 +IMAGE_CPE=cpe:/a:redhat:openshift:4.22::el9 diff --git a/build-args-c10s-4.22.conf b/build-args-c10s-4.22.conf new file mode 100644 index 000000000..1ae66b2b1 
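Review bot: `LABEL name=${IMAGE_NAME}` and `LABEL cpe=${IMAGE_CPE}` in the final stage are unconditional, so an SCOS build, whose `build-args-c10s-4.22.conf` deliberately sets neither ARG, presumably ends up with `name=` and `cpe=` labels carrying empty values rather than no labels at all — that contradicts the "no OCI labels for name/cpe" comment in that file and can mislead a scanner that keys on `cpe`; check with `podman inspect` on an SCOS build. A Containerfile cannot make `LABEL` conditional, so either correct the c10s comment and state that SCOS images carry empty name/cpe labels, or give the SCOS variant real values of its own. Note also that `ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10` selects the base by a mutable tag; a reviewer would want the digest pinned (`...:10@sha256:<digest>`) or a comment saying where in CI that pinning happens. The final `FROM build` stage continues beyond this hunk.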
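Review bot: `IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2` (and the `:9.8` counterpart) picks the base image by a floating tag, so two builds of the same commit can resolve to different base content and a retag upstream silently changes what ships in the node image. Now that these files are the single place the base is chosen, pinning by digest, e.g. `IMAGE_FROM=registry.ci.openshift.org/coreos/rhel-coreos-base:10.2@sha256:<digest>`, and bumping it in a reviewed commit gives a reproducible, auditable supply chain. If the CI pipeline already resolves and pins the digest before invoking `podman build`, a one-line comment in each file saying so would settle the question for the next reader.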
--- /dev/null
+++ b/build-args-c10s-4.22.conf
@@ -0,0 +1,2 @@
+IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10
+# SCOS/OKD: no labels.json or OCI labels for name/cpe
diff --git a/c9s-mirror.repo b/c9s-mirror.repo
deleted file mode 100644
index 801dada3d..000000000
--- a/c9s-mirror.repo
+++ /dev/null
@@ -1,36 +0,0 @@
-# These are the official c9s repos. They are slower to update, but contain older
-# versions of packages, which is useful when pinning for lack of a "coreos-pool"
-# equivalent. When no pinning is needed you may find the compose repo URLs
-# defined in c9s.repo are quicker to get new content.
-
-[c9s-baseos-mirror]
-name=CentOS Stream 9 - BaseOS
-baseurl=https://mirror.stream.centos.org/9-stream/BaseOS/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-appstream-mirror]
-name=CentOS Stream 9 - AppStream
-baseurl=https://mirror.stream.centos.org/9-stream/AppStream/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-nfv-mirror]
-name=CentOS Stream 9 - NFV
-baseurl=https://mirror.stream.centos.org/9-stream/NFV/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-rt-mirror]
-name=CentOS Stream 9 - RT
-baseurl=https://mirror.stream.centos.org/9-stream/RT/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
diff --git a/c9s.repo b/c9s.repo
deleted file mode 100644
index 9ccc6bd69..000000000
--- a/c9s.repo
+++ /dev/null
@@ -1,76 +0,0 @@
-# These are compose repo URLs that represent the latest composes in
-# CentOS Stream 9. Sometimes these repos get content a little faster
-# than the mirror repos defined in c9s-mirror.repo, but they won't
-# have multiple versions of packages, which make them not ideal when
-# needing to pin on older package versions.
-
-[c9s-baseos]
-name=CentOS Stream 9 - BaseOS
-baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/BaseOS/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-appstream]
-name=CentOS Stream 9 - AppStream
-baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/AppStream/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-nfv]
-name=CentOS Stream 9 - NFV
-baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/NFV/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-rt]
-name=CentOS Stream 9 - RT
-baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/RT/$basearch/os
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-
-[c9s-extras-common]
-name=CentOS Stream 9 - Extras packages
-baseurl=https://mirror.stream.centos.org/SIGs/9-stream/extras/$basearch/extras-common
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
-
-# Note: We can't find a composes.stream.centos.org URL for this repo
-# so we use the mirror.stream.centos.org URL here.
-[c9s-sig-nfv]
-name=CentOS Stream 9 - SIG NFV
-baseurl=https://mirror.stream.centos.org/SIGs/9-stream/nfv/$basearch/openvswitch-2/
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
-
-# Note: We can't find a composes.stream.centos.org URL for this repo
-# so we use the mirror.stream.centos.org URL here.
-[c9s-sig-virtualization]
-name=CentOS Stream 9 - SIG Virtualization
-baseurl=https://mirror.stream.centos.org/SIGs/9-stream/virt/$basearch/kata-containers/
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization
-
-# Note: We can't find a composes.stream.centos.org URL for this repo
-# so we use the mirror.stream.centos.org URL here.
-# This needs to be updated to okd-4.21 once it becomes available
-[c9s-sig-cloud-okd]
-name=CentOS Stream 9 - SIG Cloud OKD 4.20
-baseurl=https://mirror.stream.centos.org/SIGs/9-stream/cloud/$basearch/okd-4.20/
-gpgcheck=1
-repo_gpgcheck=0
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
diff --git a/docs/building.md b/docs/building.md
index 953f07723..1508a3360 100644
--- a/docs/building.md
+++ b/docs/building.md
@@ -27,28 +27,29 @@ SCOS or RHCOS image (see building instructions in ## Building -If the base image is SCOS, then the OKD node image is built (`stream-coreos`). -If the base image is RHCOS, then the OCP node image is built (`rhel-coreos`). -The default base image is SCOS. +Each variant has a `build-args-*.conf` file that specifies the base image +and metadata for that build. Choose the appropriate one for your target: -To build SCOS: +- `build-args-9.8-4.22.conf` — RHCOS on RHEL 9.8 +- `build-args-10.2-4.22.conf` — RHCOS on RHEL 10.2 +- `build-args-c10s-4.22.conf` — SCOS on CentOS Stream 10 -``` -podman build . --secret id=yumrepos,src=/path/to/all.repo \ - -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \ - --security-opt label=disable -t localhost/stream-coreos:4.21 -``` - -To build RHCOS, the command is identical, but you must pass in the RHCOS base -image using `--from`: +To build: ``` -podman build --from quay.io/openshift-release-dev/ocp-v4.0-art-dev:rhel-9.6-coreos ... +podman build . --build-arg-file build-args-c10s-4.22.conf \ + --secret id=yumrepos,src=/path/to/all.repo \ + -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \ + --security-opt label=disable -t localhost/stream-coreos:4.22 ``` -To build from a local OCI archive (e.g. from a cosa workdir), you can use the -`oci-archive` transport: +To override the base image (e.g. to use a locally built OCI archive), +pass `--from`: ``` -podman build --from oci-archive:$(ls builds/latest/x86_64/*.ociarchive) ... +podman build . --build-arg-file build-args-c10s-4.22.conf \ + --from oci-archive:$(ls builds/latest/x86_64/*.ociarchive) \ + --secret id=yumrepos,src=/path/to/all.repo \ + -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro \ + --security-opt label=disable -t localhost/stream-coreos:4.22 ``` diff --git a/packages-openshift.yaml b/packages-openshift.yaml index 00057c795..b9bc1b932 100644 --- a/packages-openshift.yaml +++ b/packages-openshift.yaml 
@@ -8,7 +8,6 @@ conditional-include: - if: - osversion != "rhel-9.8" - osversion != "rhel-10.2" - - osversion != "centos-9" - osversion != "centos-10" include: repos: [ENOEXIST] # We want an error in this case @@ -28,15 +27,6 @@ conditional-include: - rhel-10.2-early-kernel - rhel-10.2-fast-datapath - rhel-10.2-server-ose-4.22 - - if: osversion == "centos-9" - include: - repos: - - c9s-baseos - - c9s-appstream - - c9s-sig-nfv - - c9s-sig-cloud-okd - # XXX: this shouldn't be here; see related XXX in build-node-image.sh - - rhel-9.8-server-ose-4.22-okd - if: osversion == "centos-10" include: repos: diff --git a/scripts/generate-labels b/scripts/generate-labels new file mode 100755 index 000000000..09a6d9772 --- /dev/null +++ b/scripts/generate-labels 
@@ -0,0 +1,56 @@ +#!/usr/bin/python3 -u + +""" +This script generates /usr/share/buildinfo/labels.json, which provides embedded +metadata for security scanners that only have filesystem access (not OCI image +metadata). +""" + +import datetime +import json +import os +import sys + +LABELS_FILE = "/usr/share/buildinfo/labels.json" + + +def main(): + image_name = os.environ.get('IMAGE_NAME', '') + image_cpe = os.environ.get('IMAGE_CPE', '') + target_arch = os.environ.get('TARGETARCH', '') + + if not all([image_name, image_cpe, target_arch]): + return + + # Ideally the creation date we set here is consistent with the creation date + # of the OCI image itself. We'll get that once we're hermetic and we hook + # up SOURCE_DATE_EPOCH. So prepare for that eventuality, but for now just + # use the current time (which will be a few seconds different from the OCI + # timestamp, which is still fine for our purposes). + source_date_epoch = os.environ.get('SOURCE_DATE_EPOCH', '') + if source_date_epoch: + created = datetime.datetime.fromtimestamp( + int(source_date_epoch), tz=datetime.timezone.utc + ).strftime('%Y-%m-%dT%H:%M:%SZ') + else: + created = datetime.datetime.now( + tz=datetime.timezone.utc + ).strftime('%Y-%m-%dT%H:%M:%SZ') + + # this schema is documented at: + # https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/schema/embedded_metadata.v1.schema.json + labels = { + 'architecture': target_arch, + 'cpe': image_cpe, + 'name': image_name, + 'org.opencontainers.image.created': created, + } + + os.makedirs(os.path.dirname(LABELS_FILE), exist_ok=True) + with open(LABELS_FILE, encoding='utf-8', mode='w') as f: + json.dump(labels, f, sort_keys=True, indent=2) + f.write('\n') + + +if __name__ == '__main__': + sys.exit(main())
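Review bot: `main()` returns before `os.makedirs(os.path.dirname(LABELS_FILE), exist_ok=True)` whenever IMAGE_NAME, IMAGE_CPE or TARGETARCH is empty — the documented SCOS/OKD case — yet the Containerfile's final stage does `COPY --from=metadata /usr/share/buildinfo /usr/share/buildinfo`, so an SCOS build presumably fails at that COPY unless the base image already ships `/usr/share/buildinfo`; creating the directory before the guard removes that dependency. The same `if not all([...]): return` also silently skips a RHCOS build where only one of IMAGE_NAME/IMAGE_CPE is set (a typo in a build-args file), shipping an image that scanners cannot identify, and it does so with no message on stderr. Since TARGETARCH is normally populated by buildah/BuildKit on its own, treat "both IMAGE_NAME and IMAGE_CPE unset" as the intentional opt-out and any other partial configuration as a hard error so the RUN step, and thus the build, fails loudly.
```python
def main():
    image_name = os.environ.get('IMAGE_NAME', '')
    image_cpe = os.environ.get('IMAGE_CPE', '')
    target_arch = os.environ.get('TARGETARCH', '')

    # Always create the directory: the final stage unconditionally runs
    # `COPY --from=metadata /usr/share/buildinfo`, which must not fail for
    # variants that ship no labels.json.
    os.makedirs(os.path.dirname(LABELS_FILE), exist_ok=True)

    if not image_name and not image_cpe:
        # SCOS/OKD: embedded metadata deliberately not requested.
        return

    if not all([image_name, image_cpe, target_arch]):
        # Half-configured RHCOS build: fail instead of silently shipping an
        # image that security scanners cannot identify.
        print('generate-labels: IMAGE_NAME, IMAGE_CPE and TARGETARCH must '
              'all be set', file=sys.stderr)
        return 1

    # … unchanged: created timestamp, labels dict, json.dump (drop the later os.makedirs) …
```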