On Thu, Dec 3, 2020, at 2:48 PM, Adam Williamson wrote:
> I dunno when's the last time anyone tried without it, tbh.

For CoreOS we spent a *lot* of time ensuring that Ignition has first class SELinux support, and actually making it work on the Live ISO in a not-horribly-hacky way required a kernel patch:
https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@xxxxxxxxxx/T/#u

Also related to the installer experience, note that because the installer ISO is the same thing as the OS, we ship `podman` and so it's fully supported to use Ignition to run containers before/after the install.

And this is all really part of the story that a benefit of Ignition (in taking the role of both cloud-init and kickstart compared to traditional Fedora) is that we have a very consistent, uniform approach to provisioning/configuring the operating system that applies across cloud, on-premise metal etc.

Also, because our installer environment *is* the OS, you also have `podman` there...so running containers before/during/after the install is natural and encouraged.

This OpenShift enhancement covers a lot of this:
https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/liveisoinstall.md
(Which is relevant here because the Live ISO in FCOS happened after RHCOS 4.1 shipped; before that we had a hacky shell script in a minimal initramfs)

We are just constantly testing that flow (actually every PR to coreos-assembler, plus it gates FCOS releases) which particularly compared to Anaconda is massively simplified because there's no custom GUI involved.

Related to testing, we actually didn't touch on the whole topic that FCOS is fairly Github oriented. I did a blog related to this,
https://blog.verbum.org/2020/12/03/still-on-github/

Our release workflow involves submitting PRs which get tested just like other PRs and run through the same test suite.

And on that topic, coreos-assembler contains not just *build* tooling but also *testing* tooling. Our single (yeah it's big) container image has everything you need to run all our build *and* tests as a single versioned unit, which runs completely as non-root with unprivileged podman; no need to touch the host (or for that matter, depend on Fedora as the host system at all, though the container is Fedora based the current pipeline uses RHCOS).

Hm well I was just trying to talk about Ignition and SELinux but more ended up here =)