build-sys: Enable CentOS Stream compose repos to avoid version skew #1926
Code Review
This pull request introduces a mechanism to use CentOS Stream compose repositories to prevent version skew issues during image builds by adding a new script enable-compose-repos and executing it in the Dockerfile. However, a high-severity security vulnerability was identified: the script disables GPG signature checking, which exposes the build process to potential package-tampering attacks. It is strongly recommended to enable GPG checks and provide the official CentOS GPG key to mitigate this risk.
Heh, the centos gpg filenames changed because of the PQC work... it looked obviously right to me in a quick diff but... yeah. I did test this one now.
It's funny because I tested it with gpg keys after gemini mentioned it, but I had copied it out of the other repo file and didn't notice that it didn't match with the version here. Then when you switched gpgcheck on I said "great, I just tested that!"
OK so c9s is some kind of tmpfile leaking but I don't know from where, investigating.
Ah no we actually need to roll #1927 into this
The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image.

For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails.

Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions.

xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174

Signed-off-by: Colin Walters <[email protected]>
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <[email protected]>

Use gpgcheck=1 and reference the official CentOS GPG key instead of disabling signature verification. This ensures package integrity during builds while still using compose repos to avoid version skew.

Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters <[email protected]>

Use copy-to-storage to add the booted container to podman storage instead of pulling a remote image. This matches the pattern used by other TMT tests and ensures we test the actual bootc under test.

Changes:
- Use localhost/bootc from copy-to-storage instead of remote image
- Disable LBIs via bind mount of /usr/share/empty
- Remove unnecessary host modifications (usr-overlay, dnf install, etc.)
- Use 100%FREE for root LV to ensure sufficient space for deployment

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: ckyrouac <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
The install-outside-container and install-unified-flag tests were failing because they pulled centos-bootc:stream10 which has a newer bootupd with EFI files at /usr/lib/efi/, while the running Fedora image has the old layout at /usr/lib/bootupd/updates/EFI/. Use the booted image instead to ensure bootupd versions match.

The original code is commented out for easy reversion once PR bootc-dev#1816 lands to properly handle cross-version installs.

Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters <[email protected]>
This relates to coreos/bootupd#995
The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image.
For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails.
Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions.
xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
Assisted-by: OpenCode (Opus 4.5)
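As an added illustration (not the PR's own enable-compose-repos script), this sketches a compose repo stanza with the settings the commits above settle on (priority above the mirror repos' dnf default of 99, gpgcheck=1, a gpgkey), next to a lint that rejects the gpgcheck=0 variant the review flagged. The compose base URL, the key path and the repo id are placeholders, since the PR's actual values are not shown on this page.

```shell
#!/bin/sh
# Added example, not the PR's enable-compose-repos script. Writes a compose
# repo stanza and lints it so a gpgcheck=0 regression cannot slip through.
# COMPOSE_BASEURL and GPG_KEY_PATH are placeholders (assumed, not from the PR).
set -eu

COMPOSE_BASEURL="${COMPOSE_BASEURL:-https://example.invalid/compose/BaseOS/x86_64/os/}"
GPG_KEY_PATH="${GPG_KEY_PATH:-/etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER}"

# write_compose_repo FILE GPGCHECK
# priority=1 outranks the mirror repos (dnf default 99), so when a package
# exists in both, dnf takes the compose version and the build matches the base.
write_compose_repo() {
    cat > "$1" <<EOF
[centos-stream-compose-baseos]
name=CentOS Stream compose BaseOS
baseurl=$COMPOSE_BASEURL
enabled=1
priority=1
gpgcheck=$2
gpgkey=file://$GPG_KEY_PATH
EOF
}

# check_repo_signing FILE
# Exit 0 only if every enabled stanza has gpgcheck=1 and names a gpgkey;
# a stanza without enabled= counts as enabled, as dnf treats it.
check_repo_signing() {
    awk -F= '
        function flush() {
            if (sect != "" && en != "0" && (gc != "1" || key == "")) bad = 1
        }
        /^\[/            { flush(); sect = $0; en = ""; gc = ""; key = "" }
        $1 == "enabled"  { en = $2 }
        $1 == "gpgcheck" { gc = $2 }
        $1 == "gpgkey"   { key = $2 }
        END              { flush(); exit bad }
    ' "$1"
}

# Usage: sh this.sh /etc/yum.repos.d/centos-stream-compose.repo
if [ "$#" -eq 1 ]; then
    write_compose_repo "$1" 1
    check_repo_signing "$1"
fi
```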