├── .fmf └── version ├── .github └── workflows │ ├── build-image.yml │ └── pre-commit.yml ├── .gitmodules ├── .mdl_style.rb ├── .mdlrc ├── .pre-commit-config.yaml ├── .tekton ├── centos-bootc-integration-tests.yaml ├── centos-bootc-pull-request.yaml ├── centos-bootc-push.yaml ├── ostree-build.yaml └── testing-farm.yaml ├── COPYING ├── Containerfile.centos-stream-10 ├── Containerfile.centos-stream-9 ├── LICENSE ├── README.md ├── c9s.repo ├── catalog-info.yaml ├── centos-bootc-config.json ├── centos-stream-10-tier1.yaml ├── centos-stream-10.yaml ├── centos-stream-9-tier0-rt.yaml ├── centos-stream-9-tier0.yaml ├── centos-stream-9-tier1-rt.yaml ├── centos-stream-9-tier1.yaml ├── centos-stream-9.yaml ├── centos-stream-common.yaml ├── plans └── main.fmf ├── renovate.json ├── tier-0 └── tier-1 /.fmf/version: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /.github/workflows/build-image.yml: -------------------------------------------------------------------------------- 1 | name: Build Image 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | 8 | workflow_dispatch: 9 | 10 | jobs: 11 | build-image: 12 | runs-on: ubuntu-latest 13 | 14 | strategy: 15 | matrix: 16 | include: 17 | - os: centos 18 | version: stream-9 19 | - os: centos 20 | version: stream-10 21 | 22 | steps: 23 | - name: Update podman 24 | run: | 25 | # from https://askubuntu.com/questions/1414446/whats-the-recommended-way-of-installing-podman-4-in-ubuntu-22-04 26 | ubuntu_version='22.04' 27 | key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key" 28 | sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}" 29 | echo "deb $sources_url/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list 30 | curl -fsSL $key_url | gpg 
--dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null 31 | sudo apt update 32 | sudo apt install -y podman 33 | 34 | - name: Checkout repository 35 | uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 36 | with: 37 | submodules: recursive 38 | 39 | - name: Build 40 | run: | 41 | podman build --security-opt=label=disable --cap-add=all --device /dev/fuse \ 42 | -t localhost/${{ matrix.os }}-${{ matrix.version }}-bootc -f Containerfile.${{ matrix.os }}-${{ matrix.version }} 43 | 44 | - name: Run image 45 | run: podman run --rm -ti localhost/${{ matrix.os }}-${{ matrix.version }}-bootc bootc --help 46 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: pre_commit 3 | 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | branches: 7 | - main 8 | 9 | workflow_dispatch: 10 | 11 | jobs: 12 | pre_commit: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 16 | with: 17 | submodules: recursive 18 | - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 19 | - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 20 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "fedora-bootc"] 2 | path = fedora-bootc 3 | url = https://gitlab.com/fedora/bootc/base-images 4 | -------------------------------------------------------------------------------- /.mdl_style.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD009', :br_spaces => 2 3 | rule 'MD013', :ignore_code_blocks => true 4 | exclude_rule 'MD041' 5 | 
-------------------------------------------------------------------------------- /.mdlrc: -------------------------------------------------------------------------------- 1 | style '.mdl_style.rb' 2 | ignore_front_matter true 3 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | repos: 3 | - repo: https://github.com/pre-commit/pre-commit-hooks 4 | rev: v4.6.0 5 | hooks: 6 | - id: end-of-file-fixer 7 | - id: trailing-whitespace 8 | args: 9 | - --markdown-linebreak-ext=md 10 | - id: check-docstring-first 11 | - id: requirements-txt-fixer 12 | - id: check-merge-conflict 13 | - id: no-commit-to-branch 14 | args: 15 | - "--branch" 16 | - "main" 17 | - id: check-symlinks 18 | - id: detect-private-key 19 | - id: detect-aws-credentials 20 | args: 21 | - --allow-missing-credentials 22 | - id: check-json 23 | - id: check-yaml 24 | - repo: https://github.com/markdownlint/markdownlint 25 | rev: v0.13.0 26 | hooks: 27 | - id: markdownlint 28 | - repo: https://github.com/maxbrunet/pre-commit-renovate 29 | rev: 37.342.1 30 | hooks: 31 | - id: renovate-config-validator 32 | -------------------------------------------------------------------------------- /.tekton/centos-bootc-integration-tests.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Pipeline 3 | metadata: 4 | name: testing-farm 5 | spec: 6 | description: >- 7 | Expects a list of container images to be provided via the SNAPSHOT parameter. 8 | A secret containing the testing-farm API token should be made available via a secret with the name `testing-farm-secret` containing a key `testing-farm-token`. 
9 | params: 10 | - name: SNAPSHOT 11 | description: A list of container images that should undergo testing 12 | type: string 13 | - name: GIT_URL 14 | description: URL of the GIT repository that contains the tests. 15 | type: string 16 | - name: GIT_REF 17 | default: "main" 18 | description: Branch of the git repository containing the tests 19 | type: string 20 | - name: COMPOSE 21 | default: "Fedora-Rawhide" 22 | description: Compose to use for the system-under-test. 23 | type: string 24 | - name: ARCH 25 | default: "x86_64" 26 | description: Comma-separated list of architectures to run against. 27 | type: string 28 | - name: TIMEOUT 29 | default: "720" 30 | description: Set the timeout for the request in minutes. If the test takes longer than this, it will be terminated. 31 | type: string 32 | - name: TESTING_FARM_API_URL 33 | default: https://api.dev.testing-farm.io/v0.1 34 | description: The testing-farm instance API to use 35 | type: string 36 | tasks: 37 | - name: testing-farm 38 | taskRef: 39 | resolver: git 40 | params: 41 | - name: url 42 | value: https://github.com/centos/centos-bootc/ 43 | - name: revision 44 | value: main 45 | - name: pathInRepo 46 | value: .tekton/testing-farm.yaml 47 | params: 48 | - name: SNAPSHOT 49 | value: $(params.SNAPSHOT) 50 | - name: GIT_URL 51 | value: $(params.GIT_URL) 52 | - name: GIT_REF 53 | value: $(params.GIT_REF) 54 | - name: COMPOSE 55 | value: $(params.COMPOSE) 56 | - name: ARCH 57 | value: $(params.ARCH) 58 | - name: TIMEOUT 59 | value: $(params.TIMEOUT) 60 | - name: TESTING_FARM_API_URL 61 | value: $(params.TESTING_FARM_API_URL) 62 | -------------------------------------------------------------------------------- /.tekton/centos-bootc-pull-request.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | build.appstudio.openshift.io/repo: 
https://github.com/CentOS/centos-bootc?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: "{{revision}}" 7 | build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}" 8 | build.appstudio.redhat.com/target_branch: "{{target_branch}}" 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "pull_request" && target_branch == "main" 12 | creationTimestamp: null 13 | labels: 14 | appstudio.openshift.io/application: centos-bootc 15 | appstudio.openshift.io/component: centos-bootc 16 | pipelines.appstudio.openshift.io/type: build 17 | name: centos-bootc-on-pull-request 18 | namespace: centos-bootc-tenant 19 | spec: 20 | params: 21 | - name: image-file 22 | value: centos-stream-9-tier1.yaml 23 | - name: git-url 24 | value: "{{repo_url}}" 25 | - name: output-image 26 | value: quay.io/redhat-user-workloads/centos-bootc-tenant/centos-bootc/centos-bootc:on-pr-{{revision}} 27 | - name: path-context 28 | value: . 29 | - name: revision 30 | value: "{{revision}}" 31 | - name: config-file 32 | value: "centos-bootc-config.json" 33 | pipelineRef: 34 | name: ostree-build 35 | workspaces: 36 | - name: workspace 37 | volumeClaimTemplate: 38 | metadata: 39 | creationTimestamp: null 40 | spec: 41 | accessModes: 42 | - ReadWriteOnce 43 | resources: 44 | requests: 45 | storage: 1Gi 46 | status: {} 47 | - name: workspace-arm64 48 | volumeClaimTemplate: 49 | metadata: 50 | creationTimestamp: null 51 | spec: 52 | accessModes: 53 | - ReadWriteOnce 54 | resources: 55 | requests: 56 | storage: 2Gi 57 | status: {} 58 | - name: git-auth 59 | secret: 60 | secretName: "{{ git_auth_secret }}" 61 | status: {} 62 | -------------------------------------------------------------------------------- /.tekton/centos-bootc-push.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: PipelineRun 3 | metadata: 4 | annotations: 5 | 
build.appstudio.openshift.io/repo: https://github.com/CentOS/centos-bootc?rev={{revision}} 6 | build.appstudio.redhat.com/commit_sha: "{{revision}}" 7 | build.appstudio.redhat.com/pull_request_number: "{{pull_request_number}}" 8 | build.appstudio.redhat.com/target_branch: "{{target_branch}}" 9 | pipelinesascode.tekton.dev/max-keep-runs: "3" 10 | pipelinesascode.tekton.dev/on-cel-expression: 11 | event == "push" && target_branch == "main" 12 | creationTimestamp: null 13 | labels: 14 | appstudio.openshift.io/application: centos-bootc 15 | appstudio.openshift.io/component: centos-bootc 16 | pipelines.appstudio.openshift.io/type: build 17 | name: centos-bootc-on-push 18 | namespace: centos-bootc-tenant 19 | spec: 20 | params: 21 | - name: image-file 22 | value: centos-stream-9-tier1.yaml 23 | - name: git-url 24 | value: "{{repo_url}}" 25 | - name: output-image 26 | value: quay.io/redhat-user-workloads/centos-bootc-tenant/centos-bootc/centos-bootc:on-pr-{{revision}} 27 | - name: path-context 28 | value: . 
29 | - name: revision 30 | value: "{{revision}}" 31 | - name: config-file 32 | value: "centos-bootc-config.json" 33 | pipelineRef: 34 | name: ostree-build 35 | workspaces: 36 | - name: workspace 37 | volumeClaimTemplate: 38 | metadata: 39 | creationTimestamp: null 40 | spec: 41 | accessModes: 42 | - ReadWriteOnce 43 | resources: 44 | requests: 45 | storage: 1Gi 46 | status: {} 47 | - name: workspace-arm64 48 | volumeClaimTemplate: 49 | metadata: 50 | creationTimestamp: null 51 | spec: 52 | accessModes: 53 | - ReadWriteOnce 54 | resources: 55 | requests: 56 | storage: 2Gi 57 | status: {} 58 | - name: git-auth 59 | secret: 60 | secretName: "{{ git_auth_secret }}" 61 | status: {} 62 | -------------------------------------------------------------------------------- /.tekton/ostree-build.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Pipeline 3 | metadata: 4 | name: ostree-build 5 | spec: 6 | finally: 7 | - name: show-summary 8 | params: 9 | - name: pipelinerun-name 10 | value: $(context.pipelineRun.name) 11 | - name: git-url 12 | value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) 13 | - name: image-url 14 | value: $(params.output-image) 15 | - name: build-task-status 16 | value: $(tasks.build-container.status) 17 | taskRef: 18 | params: 19 | - name: name 20 | value: summary 21 | - name: bundle 22 | value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 23 | - name: kind 24 | value: task 25 | resolver: bundles 26 | params: 27 | - description: Source Repository URL 28 | name: git-url 29 | type: string 30 | - default: "" 31 | description: Revision of the Source Repository 32 | name: revision 33 | type: string 34 | - description: Fully Qualified Output Image 35 | name: output-image 36 | type: string 37 | - default: . 
38 | description: 39 | Path to the source code of an application's component from where 40 | to build image. 41 | name: path-context 42 | type: string 43 | - description: 44 | Path to the image file inside the context specified by parameter 45 | path-context 46 | name: image-file 47 | type: string 48 | - default: "false" 49 | description: Force rebuild image 50 | name: rebuild 51 | type: string 52 | - default: "false" 53 | description: Skip checks against built image 54 | name: skip-checks 55 | type: string 56 | - default: "true" 57 | description: Skip optional checks, set false if you want to run optional checks 58 | name: skip-optional 59 | type: string 60 | - default: "false" 61 | description: Execute the build with network isolation 62 | name: hermetic 63 | type: string 64 | - default: "" 65 | description: Build dependencies to be prefetched by Cachi2 66 | name: prefetch-input 67 | type: string 68 | - default: "false" 69 | description: Java build 70 | name: java 71 | type: string 72 | - default: "" 73 | description: 74 | Image tag expiration time, time values could be something like 75 | 1h, 2d, 3w for hours, days, and weeks, respectively. 
76 | name: image-expires-after 77 | - name: config-file 78 | description: config file to use for rpm-ostree tool 79 | type: string 80 | default: "" 81 | results: 82 | - description: "" 83 | name: IMAGE_URL 84 | value: $(tasks.build-container.results.IMAGE_URL) 85 | - description: "" 86 | name: IMAGE_DIGEST 87 | value: $(tasks.build-container.results.IMAGE_DIGEST) 88 | - description: "" 89 | name: CHAINS-GIT_URL 90 | value: $(tasks.clone-repository.results.url) 91 | - description: "" 92 | name: CHAINS-GIT_COMMIT 93 | value: $(tasks.clone-repository.results.commit) 94 | tasks: 95 | - name: init 96 | params: 97 | - name: image-url 98 | value: $(params.output-image) 99 | - name: rebuild 100 | value: $(params.rebuild) 101 | - name: skip-checks 102 | value: $(params.skip-checks) 103 | taskRef: 104 | params: 105 | - name: name 106 | value: init 107 | - name: bundle 108 | value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:99674c6fbedcb153945ea37729c951e86314746cfc2dbeeecef6ce8b60229383 109 | - name: kind 110 | value: task 111 | resolver: bundles 112 | - name: clone-repository 113 | params: 114 | - name: url 115 | value: $(params.git-url) 116 | - name: revision 117 | value: $(params.revision) 118 | runAfter: 119 | - init 120 | taskRef: 121 | params: 122 | - name: name 123 | value: git-clone 124 | - name: bundle 125 | value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba 126 | - name: kind 127 | value: task 128 | resolver: bundles 129 | when: 130 | - input: $(tasks.init.results.build) 131 | operator: in 132 | values: 133 | - "true" 134 | workspaces: 135 | - name: output 136 | workspace: workspace 137 | - name: basic-auth 138 | workspace: git-auth 139 | - name: clone-repository-arm64 140 | params: 141 | - name: url 142 | value: $(params.git-url) 143 | - name: revision 144 | value: $(params.revision) 145 | runAfter: 146 | - init 147 | taskRef: 148 | kind: Task 149 | params: 150 
| - name: name 151 | value: git-clone 152 | - name: bundle 153 | value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba 154 | - name: kind 155 | value: task 156 | resolver: bundles 157 | when: 158 | - input: $(tasks.init.results.build) 159 | operator: in 160 | values: 161 | - "true" 162 | workspaces: 163 | - name: output 164 | workspace: workspace-arm64 165 | - name: basic-auth 166 | workspace: git-auth 167 | - name: build-container-amd64 168 | params: 169 | - name: IMAGE 170 | value: $(params.output-image)-amd64 171 | - name: IMAGE_FILE 172 | value: $(params.image-file) 173 | - name: CONTEXT 174 | value: $(params.path-context) 175 | - name: IMAGE_EXPIRES_AFTER 176 | value: $(params.image-expires-after) 177 | - name: COMMIT_SHA 178 | value: $(tasks.clone-repository.results.commit) 179 | - name: PLATFORM 180 | value: linux/amd64 181 | - name: BUILDER_IMAGE 182 | value: quay.io/centos-bootc/bootc-image-builder:latest 183 | - name: CONFIG_FILE 184 | value: $(params.config-file) 185 | runAfter: 186 | - clone-repository 187 | taskRef: 188 | params: 189 | - name: name 190 | value: rpm-ostree 191 | - name: bundle 192 | value: quay.io/redhat-appstudio-tekton-catalog/task-rpm-ostree:0.1@sha256:8691f0a12dca3a4066d3f18ec11473d5ec0d680d58f764fb0e77cd3ff27009fe 193 | - name: kind 194 | value: task 195 | resolver: bundles 196 | when: 197 | - input: $(tasks.init.results.build) 198 | operator: in 199 | values: 200 | - "true" 201 | workspaces: 202 | - name: source 203 | workspace: workspace 204 | - name: build-container-arm64 205 | params: 206 | - name: IMAGE 207 | value: $(params.output-image)-arm64 208 | - name: IMAGE_FILE 209 | value: $(params.image-file) 210 | - name: CONTEXT 211 | value: $(params.path-context) 212 | - name: IMAGE_EXPIRES_AFTER 213 | value: $(params.image-expires-after) 214 | - name: COMMIT_SHA 215 | value: $(tasks.clone-repository.results.commit) 216 | - name: PLATFORM 217 | 
value: linux/arm64 218 | - name: BUILDER_IMAGE 219 | value: quay.io/centos-bootc/bootc-image-builder:latest 220 | - name: CONFIG_FILE 221 | value: $(params.config-file) 222 | runAfter: 223 | - clone-repository-arm64 224 | taskRef: 225 | params: 226 | - name: name 227 | value: rpm-ostree 228 | - name: bundle 229 | value: quay.io/redhat-appstudio-tekton-catalog/task-rpm-ostree:0.1@sha256:8691f0a12dca3a4066d3f18ec11473d5ec0d680d58f764fb0e77cd3ff27009fe 230 | - name: kind 231 | value: task 232 | resolver: bundles 233 | when: 234 | - input: $(tasks.init.results.build) 235 | operator: in 236 | values: 237 | - "true" 238 | workspaces: 239 | - name: source 240 | workspace: workspace-arm64 241 | - name: build-container 242 | params: 243 | - name: IMAGE 244 | value: $(params.output-image) 245 | - name: COMMIT_SHA 246 | value: $(tasks.clone-repository.results.commit) 247 | - name: IMAGES 248 | value: 249 | - $(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST) 250 | - $(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST) 251 | runAfter: 252 | - build-container-amd64 253 | - build-container-arm64 254 | taskRef: 255 | params: 256 | - name: name 257 | value: build-image-manifest 258 | - name: bundle 259 | value: quay.io/redhat-appstudio-tekton-catalog/task-build-image-manifest:0.1@sha256:4f8da0144ac88fb8139d3f60c40b64db02a5bf8bdd3f500f22389de80c7807c8 260 | - name: kind 261 | value: task 262 | resolver: bundles 263 | when: 264 | - input: $(tasks.init.results.build) 265 | operator: in 266 | values: 267 | - "true" 268 | - name: inspect-image 269 | params: 270 | - name: IMAGE_URL 271 | value: $(tasks.build-container.results.IMAGE_URL) 272 | - name: IMAGE_DIGEST 273 | value: $(tasks.build-container.results.IMAGE_DIGEST) 274 | runAfter: 275 | - build-container 276 | taskRef: 277 | params: 278 | - name: name 279 | value: inspect-image 280 | - name: bundle 281 | value: 
quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:268632262685fe84400c9b346fe589f96b1930321334660d234037fc25f97806 282 | - name: kind 283 | value: task 284 | resolver: bundles 285 | when: 286 | - input: $(params.skip-checks) 287 | operator: in 288 | values: 289 | - "false" 290 | workspaces: 291 | - name: source 292 | workspace: workspace 293 | - name: deprecated-base-image-check 294 | params: 295 | - name: BASE_IMAGES_DIGESTS 296 | value: $(tasks.build-container-amd64.results.BASE_IMAGES_DIGESTS) 297 | taskRef: 298 | params: 299 | - name: name 300 | value: deprecated-image-check 301 | - name: bundle 302 | value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ae1fcb32b1aeac846e1a41019b2e735b9c25c27752496f17744d869860c80ff1 303 | - name: kind 304 | value: task 305 | resolver: bundles 306 | when: 307 | - input: $(params.skip-checks) 308 | operator: in 309 | values: 310 | - "false" 311 | - name: clair-scan 312 | params: 313 | - name: image-digest 314 | value: $(tasks.build-container.results.IMAGE_DIGEST) 315 | - name: image-url 316 | value: $(tasks.build-container.results.IMAGE_URL) 317 | runAfter: 318 | - build-container 319 | taskRef: 320 | params: 321 | - name: name 322 | value: clair-scan 323 | - name: bundle 324 | value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5bf4cd29dd515decb96dfc4e3e07cee05dea399fb3acc4905384272e497c9ae3 325 | - name: kind 326 | value: task 327 | resolver: bundles 328 | when: 329 | - input: $(params.skip-checks) 330 | operator: in 331 | values: 332 | - "false" 333 | - name: sast-snyk-check 334 | runAfter: 335 | - clone-repository 336 | taskRef: 337 | params: 338 | - name: name 339 | value: sast-snyk-check 340 | - name: bundle 341 | value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:fa722fdf4b82e5e856a2a43227262762c40070746d97c2b36c130870802ed0e3 342 | - name: kind 343 | value: task 344 | resolver: bundles 345 | when: 346 | - input: 
$(params.skip-checks) 347 | operator: in 348 | values: 349 | - "false" 350 | workspaces: 351 | - name: workspace 352 | workspace: workspace 353 | - name: sbom-json-check 354 | params: 355 | - name: IMAGE_URL 356 | value: $(tasks.build-container.results.IMAGE_URL) 357 | - name: IMAGE_DIGEST 358 | value: $(tasks.build-container.results.IMAGE_DIGEST) 359 | runAfter: 360 | - build-container 361 | taskRef: 362 | params: 363 | - name: name 364 | value: sbom-json-check 365 | - name: bundle 366 | value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:988213d48b64c8d2f3a1c511fbb819c14b244ab72d05cecd789a4778ec23fb5d 367 | - name: kind 368 | value: task 369 | resolver: bundles 370 | when: 371 | - input: $(params.skip-checks) 372 | operator: in 373 | values: 374 | - "false" 375 | workspaces: 376 | - name: workspace 377 | - name: workspace-arm64 378 | - name: git-auth 379 | optional: true 380 | -------------------------------------------------------------------------------- /.tekton/testing-farm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Task 3 | metadata: 4 | name: testing-farm 5 | spec: 6 | description: Initiate a testing-farm test given a list of container images 7 | params: 8 | - name: SNAPSHOT 9 | description: A list of container images that should undergo testing 10 | - name: GIT_URL 11 | description: URL of the GIT repository that contains the tests. 12 | - name: GIT_REF 13 | default: "main" 14 | description: Branch of the git repository containing the tests 15 | - name: COMPOSE 16 | default: "Fedora-Rawhide" 17 | description: Compose to use for the system-under-test. 18 | - name: ARCH 19 | default: "x86_64" 20 | description: Comma-separated list of architectures to run against. 21 | - name: TIMEOUT 22 | default: "720" 23 | description: Set the timeout for the request in minutes. If the test takes longer than this, it will be terminated. 
24 | - name: TESTING_FARM_API_URL 25 | default: https://api.dev.testing-farm.io/v0.1 26 | description: The testing-farm instance API to use 27 | volumes: 28 | - name: testing-farm-secret 29 | secret: 30 | secretName: testing-farm-secret 31 | steps: 32 | - image: quay.io/testing-farm/cli:latest 33 | volumeMounts: 34 | - name: testing-farm-secret 35 | mountPath: "/etc/secrets" 36 | readOnly: true 37 | env: 38 | - name: SNAPSHOT 39 | value: $(params.SNAPSHOT) 40 | - name: GIT_URL 41 | value: $(params.GIT_URL) 42 | - name: GIT_REF 43 | value: $(params.GIT_REF) 44 | - name: COMPOSE 45 | value: $(params.COMPOSE) 46 | - name: ARCH 47 | value: $(params.ARCH) 48 | - name: TIMEOUT 49 | value: $(params.TIMEOUT) 50 | - name: TESTING_FARM_API_URL 51 | value: $(params.TESTING_FARM_API_URL) 52 | script: | 53 | #!/usr/bin/env bash 54 | 55 | export TESTING_FARM_API_TOKEN=$(cat /etc/secrets/testing-farm-token) 56 | 57 | apk add jq 58 | 59 | GIT_URL=$(echo "${SNAPSHOT}" | jq -r '.components[0].source.git.url') 60 | GIT_REF=$(echo "${SNAPSHOT}" | jq -r '.components[0].source.git.revision') 61 | 62 | testing-farm request \ 63 | --environment SNAPSHOT="$(echo ${SNAPSHOT} | base64 -w 0)" \ 64 | --git-url "${GIT_URL}" \ 65 | --git-ref "${GIT_REF}" \ 66 | --compose "${COMPOSE}" \ 67 | --arch "${ARCH}" \ 68 | --timeout "${TIMEOUT}" 69 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Copyright 2018 Fedora CoreOS Authors. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining 4 | a copy of this software and associated documentation files (the 5 | "Software"), to deal in the Software without restriction, including 6 | without limitation the rights to use, copy, modify, merge, publish, 7 | distribute, sublicense, and/or sell copies of the Software, and to 8 | permit persons to whom the Software is furnished to do so, subject to 9 | the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be included 12 | in all copies or substantial portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 17 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 18 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 19 | TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 20 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /Containerfile.centos-stream-10: -------------------------------------------------------------------------------- 1 | # See Containerfile.centos-stream-9 for more information. 2 | 3 | FROM quay.io/centos/centos:stream10-development as repos 4 | 5 | FROM quay.io/centos-bootc/bootc-image-builder:latest as builder 6 | ARG MANIFEST=centos-stream-10-tier1.yaml 7 | RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm -vf /buildcontext/*.repo 8 | # XXX: we should just make sure our in-tree c9s repo points to the c9s paths and doesn't require vars to avoid these steps entirely 9 | COPY --from=repos /etc/dnf/vars /etc/dnf/vars 10 | # The input git repository has .repo files committed to git rpm-ostree has historically 11 | # emphasized that. 
But here, we are fetching the repos from the container base image. 12 | # So copy the source, and delete the hardcoded ones in git, and use the container base 13 | # image ones. We can drop the ones committed to git when we hard switch to Containerfile. 14 | COPY . /src 15 | WORKDIR /src 16 | RUN rm -vf /src/*.repo 17 | COPY --from=repos /etc/yum.repos.d/centos.repo c10s.repo 18 | COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg 19 | # rpm-ostree doesn't honor /etc/dnf/vars right now 20 | RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -ie s,\$${n},$v, c10s.repo; done 21 | RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ 22 | rpm-ostree compose image --image-config centos-bootc-config.json \ 23 | --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive 24 | 25 | FROM oci-archive:./out.ociarchive 26 | # Need to reference builder here to force ordering. But since we have to run 27 | # something anyway, we might as well clean up after ourselves. 28 | RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive 29 | -------------------------------------------------------------------------------- /Containerfile.centos-stream-9: -------------------------------------------------------------------------------- 1 | # This container build uses some special features of podman that allow 2 | # a process executing as part of a container build to generate a new container 3 | # image "from scratch". 4 | # 5 | # This container build uses nested containerization, so you must build with e.g. 6 | # podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...> 7 | # 8 | # # Why are we doing this? 9 | # 10 | # Today this base image build process uses rpm-ostree. 
There are a lot of things that 11 | # rpm-ostree does when generating a container image...but important parts include: 12 | # 13 | # - auto-updating labels in the container metadata 14 | # - Generating "chunked" content-addressed reproducible image layers (notice 15 | # how there are ~60 layers in the generated image) 16 | # 17 | # The latter bit in particular is currently impossible to do from Containerfile. 18 | # A future goal is adding some support for this in a way that can be honored by 19 | # buildah (xref https://github.com/containers/podman/discussions/12605) 20 | # 21 | # # Why does this build process require additional privileges? 22 | # 23 | # Because it's generating a base image and uses containerization features itself. 24 | # In the future some of this can be lifted. 25 | 26 | FROM quay.io/centos/centos:stream9 as repos 27 | 28 | FROM quay.io/centos-bootc/bootc-image-builder:latest as builder 29 | ARG MANIFEST=centos-stream-9-tier1.yaml 30 | # XXX: we should just make sure our in-tree c9s repo points to the c9s paths and doesn't require vars to avoid these steps entirely 31 | COPY --from=repos /etc/dnf/vars /etc/dnf/vars 32 | # The input git repository has .repo files committed to git; rpm-ostree has historically 33 | # emphasized that. But here, we are fetching the repos from the container base image. 34 | # So copy the source, and delete the hardcoded ones in git, and use the container base 35 | # image ones. We can drop the ones committed to git when we hard switch to Containerfile. 36 | COPY . 
/src 37 | WORKDIR /src 38 | RUN rm -vf /src/*.repo 39 | COPY --from=repos /etc/yum.repos.d/centos.repo c9s.repo 40 | COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg 41 | # rpm-ostree doesn't honor /etc/dnf/vars right now 42 | RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -ie s,\$${n},$v, c9s.repo; done 43 | RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ 44 | rpm-ostree compose image --image-config centos-bootc-config.json --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} /buildcontext/out.ociarchive 45 | 46 | FROM oci-archive:./out.ociarchive 47 | # Need to reference builder here to force ordering. But since we have to run 48 | # something anyway, we might as well cleanup after ourselves. 49 | RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive 50 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | COPYING -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # centos-bootc 2 | 3 | ## This repo is archived in favor of gitlab.com/redhat/centos-stream/containers/bootc 4 | -------------------------------------------------------------------------------- /c9s.repo: -------------------------------------------------------------------------------- 1 | [baseos] 2 | name=CentOS Stream 9 - BaseOS 3 | baseurl=https://composes.stream.centos.org/production/CentOS-Stream-9-20240415.0/compose/BaseOS/$basearch/os 4 | gpgcheck=1 5 | repo_gpgcheck=0 6 | enabled=1 7 | gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official 8 | 9 | [appstream] 10 | name=CentOS Stream 9 - 
AppStream 11 | baseurl=https://composes.stream.centos.org/production/CentOS-Stream-9-20240415.0/compose/AppStream/$basearch/os 12 | gpgcheck=1 13 | repo_gpgcheck=0 14 | enabled=1 15 | gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official 16 | 17 | [nfv] 18 | name=CentOS Stream 9 - NFV 19 | baseurl=https://composes.stream.centos.org/production/CentOS-Stream-9-20240415.0/compose/NFV/$basearch/os 20 | gpgcheck=1 21 | repo_gpgcheck=0 22 | enabled=1 23 | gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official 24 | 25 | [rt] 26 | name=CentOS Stream 9 - RT 27 | baseurl=https://composes.stream.centos.org/production/CentOS-Stream-9-20240415.0/compose/RT/$basearch/os 28 | gpgcheck=1 29 | repo_gpgcheck=0 30 | enabled=1 31 | gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official 32 | -------------------------------------------------------------------------------- /catalog-info.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: backstage.io/v1alpha1 2 | kind: Component 3 | metadata: 4 | name: centos-bootc 5 | description: Create and maintain base bootable container images from Fedora ELN and CentOS Stream packages. 
6 | annotations: 7 | github.com/project-slug: CentOS/centos-bootc 8 | jira/project-key: BIFROST 9 | feedback/type: JIRA 10 | feedback/host: https://issues.redhat.com 11 | links: 12 | - url: https://centos.github.io/centos-bootc/ 13 | title: documentation 14 | - url: https://app.slack.com/client/E030G10V24F/C02CU30L7GF 15 | title: slack channel 16 | icon: chat 17 | tags: 18 | - bifrost 19 | spec: 20 | type: library 21 | lifecycle: experimental 22 | owner: redhat/platform-engineering 23 | -------------------------------------------------------------------------------- /centos-bootc-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "Labels": { 3 | "containers.bootc": "1", 4 | "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder", 5 | "redhat.compose-id": "CentOS-Stream-9-20240304.d.0", 6 | "redhat.id": "centos", 7 | "redhat.version-id": "9" 8 | }, 9 | "StopSignal": "SIGRTMIN+3" 10 | } 11 | -------------------------------------------------------------------------------- /centos-stream-10-tier1.yaml: -------------------------------------------------------------------------------- 1 | include: 2 | - centos-stream-10.yaml 3 | - tier-1/kernel.yaml 4 | - tier-1/manifest.yaml 5 | -------------------------------------------------------------------------------- /centos-stream-10.yaml: -------------------------------------------------------------------------------- 1 | releasever: stream10 2 | variables: 3 | distro: "stream10" 4 | 5 | include: 6 | - centos-stream-common.yaml 7 | -------------------------------------------------------------------------------- /centos-stream-9-tier0-rt.yaml: -------------------------------------------------------------------------------- 1 | include: 2 | - centos-stream-9.yaml 3 | - tier-0/kernel-rt.yaml 4 | - tier-0/manifest.yaml 5 | -------------------------------------------------------------------------------- /centos-stream-9-tier0.yaml: 
-------------------------------------------------------------------------------- 1 | include: 2 | - centos-stream-9.yaml 3 | - tier-0/kernel.yaml 4 | - tier-0/manifest.yaml 5 | -------------------------------------------------------------------------------- /centos-stream-9-tier1-rt.yaml: -------------------------------------------------------------------------------- 1 | include: 2 | - centos-stream-9.yaml 3 | - tier-0/kernel-rt.yaml 4 | - tier-1/manifest.yaml 5 | -------------------------------------------------------------------------------- /centos-stream-9-tier1.yaml: -------------------------------------------------------------------------------- 1 | include: 2 | - centos-stream-9.yaml 3 | - tier-1/kernel.yaml 4 | - tier-1/manifest.yaml 5 | -------------------------------------------------------------------------------- /centos-stream-9.yaml: -------------------------------------------------------------------------------- 1 | releasever: stream9 2 | variables: 3 | distro: "stream9" 4 | 5 | include: 6 | - centos-stream-common.yaml 7 | -------------------------------------------------------------------------------- /centos-stream-common.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - baseos 3 | - appstream 4 | 5 | packages: 6 | # To support builds *from* this host using entitled content 7 | - subscription-manager 8 | # https://issues.redhat.com/browse/RHEL-35291 9 | - dnf-yum 10 | 11 | # Configuration for bootc 12 | postprocess: 13 | # XFS is our default filesystem 14 | - | 15 | #!/usr/bin/env bash 16 | mkdir -p /usr/lib/bootc/install/ 17 | cat > /usr/lib/bootc/install/20-rhel.toml << EOF 18 | [install] 19 | root-fs-type = "xfs" 20 | EOF 21 | # The symlinks created below let librhsm find host subscriptions from inside containers. They point into /run/secrets, so they dangle unless the container runtime mounts those secrets there, and when it does they hand the container what is presumably the host's entitlement material, so only run containers from this image with secrets you intend to share. 22 | # https://github.com/rpm-software-management/librhsm/blob/fcd972cbe7c8a3907ba9f091cd082b1090231492/rhsm/rhsm-context.c#L30 23 | # 
https://github.com/openshift/os/pull/876/commits/dd35dd0e102aeed90df14f05c8ae9da4c8c5962a 24 | - | 25 | #!/usr/bin/bash 26 | set -xeuo pipefail 27 | ln -sr /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host 28 | ln -sr /run/secrets/rhsm /etc/rhsm-host 29 | -------------------------------------------------------------------------------- /plans/main.fmf: -------------------------------------------------------------------------------- 1 | summary: Example of working with Snapshots from RHTAP 2 | 3 | prepare: 4 | - name: Install packages 5 | how: install 6 | package: 7 | # For working with the SNAPSHOT var 8 | - jq 9 | # Just for interacting with the images 10 | - podman 11 | 12 | execute: 13 | # Note, the ' character works here because the ${SNAPSHOT} is not a shell 14 | # environment variable. It is treated by tmt as a tmt variable which is 15 | # injected into the script before it is evaluated by bash. Because that substitution is textual, the value becomes part of the script source; this is only safe because base64 output is limited to the characters [A-Za-z0-9+/=], which cannot close the quotes or trigger a shell expansion. 16 | script: | 17 | echo "This is where the test script goes." 18 | 19 | echo "The base64 encoded snapshot is: ${SNAPSHOT}" 20 | echo -n "The base64 decoded snapshot is: " 21 | echo $SNAPSHOT | base64 -d 22 | 23 | echo "It contains the following container images:" 24 | 25 | IMAGES=$(echo '${SNAPSHOT}' | base64 -d | jq -r '.components[].containerImage') 26 | 27 | # Then, perform some check 28 | for IMAGE in $IMAGES; do 29 | echo $IMAGE 30 | # Commented out due to quay.io flakes 31 | # https://github.com/containers/podman/issues/16973 32 | # podman run $IMAGE cat /etc/os-release 33 | done 34 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "local>centos/.github:renovate-config" 5 | ], 6 | "customDatasources": { 7 | "c9s-compose": { 8 | "defaultRegistryUrlTemplate": "https://composes.stream.centos.org/production/", 9 | "format": 
"html" 10 | } 11 | }, 12 | "customManagers": [ 13 | { 14 | "customType": "regex", 15 | "fileMatch": [ 16 | "c9s.repo", 17 | "centos-bootc-config.json" 18 | ], 19 | "matchStrings": [ 20 | "https://composes.stream.centos.org/production/(?.*)/compose/(.*)", 21 | "\"redhat.compose-id\": \"(?.*)\"" 22 | ], 23 | "datasourceTemplate": "custom.c9s-compose", 24 | "depNameTemplate": "CentOS-Stream-9", 25 | "versioningTemplate": "regex:^CentOS-Stream-9-(?\\d{8})\\.d\\.0$" 26 | } 27 | ], 28 | "packageRules": [ 29 | { 30 | "matchDatasources": [ 31 | "custom.c9s-compose" 32 | ], 33 | "extractVersion": "(?.+)/$", 34 | "automerge": true, 35 | "schedule": [ 36 | "at any time" 37 | ], 38 | "groupName": null 39 | }, 40 | { 41 | "matchPackageNames": [ 42 | "quay.io/centos-bootc/bootc-image-builder" 43 | ], 44 | "pinDigests": false 45 | } 46 | ] 47 | } 48 | -------------------------------------------------------------------------------- /tier-0: -------------------------------------------------------------------------------- 1 | fedora-bootc/tier-0 -------------------------------------------------------------------------------- /tier-1: -------------------------------------------------------------------------------- 1 | fedora-bootc/tier-1 --------------------------------------------------------------------------------