build-sys: Enable CentOS Stream compose repos to avoid version skew

.github/workflows/build-and-publish.yml

@@ -18,7 +18,7 @@ jobs:
   publish-images:
     strategy:
       matrix:
-        test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]
+        test_os: [fedora-43, fedora-44, centos-9, centos-10]
         variant: [ostree, composefs-sealeduki-sdboot]
         exclude:
           # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)

.github/workflows/ci.yml

@@ -120,7 +120,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]
+        test_os: [fedora-43, fedora-44, centos-9, centos-10]
 
     runs-on: ubuntu-24.04
 
@@ -153,7 +153,7 @@ jobs:
       fail-fast: false
       matrix:
         # No fedora-44 due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
-        test_os: [fedora-42, fedora-43, centos-9, centos-10]
+        test_os: [fedora-43, centos-9, centos-10]
         variant: [ostree, composefs-sealeduki-sdboot]
         exclude:
           # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)

.packit.yaml

@@ -40,9 +40,6 @@ jobs:
       - centos-stream-10-x86_64
       - centos-stream-10-aarch64
       - centos-stream-10-s390x
-      - fedora-42-x86_64
-      - fedora-42-aarch64
-      - fedora-42-s390x
       - fedora-43-x86_64
       - fedora-43-aarch64
       - fedora-43-s390x
@@ -70,8 +67,6 @@ jobs:
       - centos-stream-9-aarch64
       - centos-stream-10-x86_64
       - centos-stream-10-aarch64
-      - fedora-42-x86_64
-      - fedora-42-aarch64
       - fedora-43-x86_64
       - fedora-43-aarch64
       # https://bugzilla.redhat.com/show_bug.cgi?id=2429501

Dockerfile

@@ -23,7 +23,7 @@ FROM $base as buildroot
 ARG initramfs=1
 # This installs our buildroot, and we want to cache it independently of the rest.
 # Basically we don't want changing a .rs file to blow out the cache of packages.
-RUN --mount=type=tmpfs,target=/run \
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/install-buildroot
 # Now copy the rest of the source
@@ -32,11 +32,11 @@ WORKDIR /src
 # See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
 # We aren't using the full recommendations there, just the simple bits.
 # First we download all of our Rust dependencies
-RUN --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
 
 FROM buildroot as sdboot-content
 # Writes to /out
-RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot download
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /src/contrib/packaging/configure-systemdboot download
 
 # We always do a "from scratch" build
 # https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/
@@ -47,14 +47,19 @@ RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot
 #       local sources. We'll override it later.
 # NOTE: All your base belong to me.
 FROM $base as target-base
-RUN --mount=type=tmpfs,target=/run /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
+# Handle version skew between base image and mirrors for CentOS Stream
+# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    /run/packaging/enable-compose-repos
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
 
 FROM scratch as base
 COPY --from=target-base /target-rootfs/ /
 # SKIP_CONFIGS=1 skips LBIs, test kargs, and install configs (for FCOS testing)
 ARG SKIP_CONFIGS
-# Use tmpfs,target=/run with bind mounts inside to avoid leaking mount stubs into the image
-RUN --mount=type=tmpfs,target=/run \
+# Use tmpfs for /run and /tmp with bind mounts inside to avoid leaking mount stubs into the image
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=src,src=/src/hack,target=/run/hack \
     cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-derived.sh
 # Note we don't do any customization here yet
@@ -83,12 +88,12 @@ ARG pkgversion
 ARG SOURCE_DATE_EPOCH
 ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
 # Build RPM directly from source, using cached target directory
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
 
 FROM buildroot as sdboot-signed
 # The secureboot key and cert are passed via Justfile
 # We write the signed binary into /out
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-package \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
@@ -99,22 +104,22 @@ FROM build as units
 # A place that we're more likely to be able to set xattrs
 VOLUME /var/tmp
 ENV TMPDIR=/var/tmp
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
 
 # This just does syntax checking
 FROM buildroot as validate
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
 
 # Common base for final images: configures variant, rootfs, and injects extra content
 FROM base as final-common
 ARG variant
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-content \
     --mount=type=bind,from=sdboot-signed,src=/,target=/run/sdboot-signed \
     /run/packaging/configure-variant "${variant}"
 ARG rootfs=""
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/configure-rootfs "${variant}" "${rootfs}"
 COPY --from=packaging /usr-extras/ /usr/
@@ -123,10 +128,14 @@ COPY --from=packaging /usr-extras/ /usr/
 # Use with: podman build --target=final --build-context packages=path/to/packages
 # We use --build-context instead of -v to avoid volume mount stubs leaking into /run.
 FROM final-common as final
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=packages,src=/,target=/run/packages \
     /run/packaging/install-rpm-and-setup /run/packages
-# Use tmpfs on /run to hide any content created by podman for DNS resolution
-# (e.g., /run/systemd/resolve/stub-resolv.conf on Ubuntu hosts)
-RUN --network=none --mount=type=tmpfs,target=/run bootc container lint --fatal-warnings
+# lint: allow non-tmpfs
+RUN --network=none <<EORUN
+set -xeuo pipefail
+# workaround for https://github.com/containers/buildah/pull/6233
+rm -vrf /run/systemd
+bootc container lint --fatal-warnings
+EORUN

Dockerfile.cfsuki

@@ -3,8 +3,8 @@ ARG base=localhost/bootc
 FROM $base AS base
 
 FROM base as kernel
-# Use tmpfs on /run to prevent podman's DNS resolver files from being committed
-RUN --mount=type=tmpfs,target=/run <<EORUN
+# Use tmpfs on /run and /tmp to prevent podman's DNS resolver files from being committed
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp <<EORUN
 set -xeuo pipefail
 . /usr/lib/os-release
 case $ID in
@@ -18,7 +18,7 @@ dnf -y install systemd-ukify sbsigntools
 EORUN
 # Must be passed
 ARG COMPOSEFS_FSVERITY
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
     --mount=type=bind,from=base,src=/,target=/target \
@@ -47,7 +47,7 @@ RUN --network=none --mount=type=tmpfs,target=/run \
 EOF
 
 FROM base as final
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=kernel,src=/,target=/run/kernel <<EOF
 set -xeuo pipefail
 kver=$(cd /usr/lib/modules && echo *)
@@ -61,8 +61,13 @@ rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
 # Symlink into the /usr/lib/modules location
 ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
 EOF
-# Use tmpfs on /run to ensure lint sees empty /run (hiding any podman-created content)
-RUN --network=none --mount=type=tmpfs,target=/run bootc container lint --fatal-warnings
+# lint: allow non-tmpfs
+RUN --network=none <<EORUN
+set -xeuo pipefail
+# workaround for https://github.com/containers/buildah/pull/6233
+rm -vrf /run/systemd
+bootc container lint --fatal-warnings
+EORUN
 
 FROM base as final-final
 COPY --from=final /boot /boot

contrib/packaging/configure-systemdboot

@@ -4,7 +4,18 @@ set -euo pipefail
 op=$1
 shift
 
-sdboot="usr/lib/systemd/boot/efi/systemd-bootx64.efi"
+arch=$(arch)
+case $arch in
+  x86_64)
+    suffix="x64"
+    ;;
+  aarch64)
+    suffix="aa64"
+    ;;
+  *) echo "Unknown architecture $arch" 1>&2; exit 1
+  ;;
+esac
+sdboot="usr/lib/systemd/boot/efi/systemd-boot${suffix}.efi"
 sdboot_bn=$(basename ${sdboot})
 
 case $op in 

contrib/packaging/enable-compose-repos

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Enable compose repos to avoid version skew between base image and mirrors
+# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+set -euo pipefail
+
+. /usr/lib/os-release
+
+case "${ID}" in
+  centos)
+    # The base image may have been built from a compose that has newer packages
+    # than what's available on the public mirrors. Enable the compose repos
+    # with higher priority to ensure we get matching versions.
+
+    # Extract the gpgkey from the existing centos.repo - c9s uses
+    # RPM-GPG-KEY-centosofficial while c10s uses RPM-GPG-KEY-centosofficial-SHA256
+    gpgkey=$(grep -m1 '^gpgkey=' /etc/yum.repos.d/centos.repo | cut -d= -f2)
+    if [[ -z "${gpgkey}" ]]; then
+      echo "Error: Could not find gpgkey in /etc/yum.repos.d/centos.repo" >&2
+      exit 1
+    fi
+
+    cat > /etc/yum.repos.d/centos-compose.repo << EOF
+[compose-baseos]
+name=CentOS Stream \$releasever Compose BaseOS
+baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/BaseOS/\$basearch/os/
+gpgcheck=1
+enabled=1
+priority=1
+gpgkey=${gpgkey}
+
+[compose-appstream]
+name=CentOS Stream \$releasever Compose AppStream
+baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/AppStream/\$basearch/os/
+gpgcheck=1
+enabled=1
+priority=1
+gpgkey=${gpgkey}
+EOF
+    echo "Enabled CentOS Stream compose repos (gpgkey: ${gpgkey})"
+    ;;
+  *)
+    # No compose repo needed for other distros
+    ;;
+esac