F42 Change Proposal: Distributing Kickstart Files as OCI Artifacts (Self-Contained)

Wiki - https://fedoraproject.org/wiki/Changes/KickstartOciArtifacts
Discussion Thread -
https://discussion.fedoraproject.org/t/f42-change-proposal-distributing-kickstart-files-as-oci-artifacts-self-contained/131150

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==

Fedora distributed as a bootable container ships via an
[https://quay.io/repository/fedora/fedora-bootc?tab=tags OCI
registry]. Installation is typically done by converting the container
into a VM image or ISO installer via [https://osbuild.org/ osbuild]
(image builder); however, booting from the network is a useful
workflow for bare-metal fleet deployments. The files required to
perform such an installation are not available in an OCI repository,
so they cannot be fetched from the registry in the same manner as the
bootable container.

As of today, the files are only available in the Fedora RPM
repository, which makes the installation workflow cumbersome: users
must find the appropriate RPM repo version and extract the needed
files instead of fetching all the needed assets from the registry.
The change introduces a new OCI repository with the files in question
for each Fedora stable version.

== Owner ==
* Name: [[User:ipanova| Ina Panova]], [[User:lzap| Lukáš Zapletal]]
* Email: <ipanova@xxxxxxxxxx>, <lzap@xxxxxxxxxx>


== Detailed Description ==

The Fedora bootable container is shipped via OCI registries without
any supplementary files for automated kickstart installations. The
files needed for this workflow are typically: bootloader, anaconda
kernel, initramdisk and anaconda main image. These files can be found
in the regular Fedora RPM repository, for example in the case of the
x86_64 architecture:

* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/images/pxeboot/vmlinuz
vmlinuz]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/images/pxeboot/initrd.img
initrd.img]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/images/install.img
install.img]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/s/shim-x64-15.8-3.x86_64.rpm
shim.efi]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/g/grub2-efi-x64-2.06-119.fc40.x86_64.rpm
grubx64.efi]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/s/syslinux-tftpboot-6.04-0.26.fc40.noarch.rpm
pxelinux.0]
* [https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/images/boot.iso
boot.iso]

Some files are distributed unsigned in the `images/` directory; others
are signed and need to be extracted from RPM packages. A complete ISO
"netboot" image is also available for network installations. The image
can be customized using the `mkksiso` tool found in Fedora.

The main goal of this change is to start publishing the mentioned
files as [https://oras.land/docs/concepts/artifact/ OCI artifacts] for
each Fedora version and architecture. Buildah/Podman will be used for
creating the manifest and
[https://gitlab.com/fedora/bootc/netboot/netboot/-/blob/main/push.sh?ref_type=heads
pushing it] to an OCI registry, and the process will be integrated into
current or upcoming (Konflux) release processes.

There is currently no support for downloading OCI artifacts with
podman, but the feature is being discussed and worked on upstream.
However, Fedora contains the `golang-oras` tool, which understands the
OCI artifact format. This tool can already be used by Fedora users to
consume the content:

<pre>
$ oras pull quay.io/pulp/fedora-kickstart-artifacts:40-amd64
Downloading 8ea1dd040e97 initrd.img
Downloading 80c3fe2ae106 boot.iso
Downloading a3b7052d7b2f grubx64.efi
Downloaded  a3b7052d7b2f grubx64.efi
Downloading fff4b2feeef3 pxelinux.0
Downloaded  fff4b2feeef3 pxelinux.0
Downloading 4773d74d87c2 shimx64.efi
Downloaded  4773d74d87c2 shimx64.efi
Downloading 09cf5df01619 vmlinuz
Downloaded  80c3fe2ae106 boot.iso
Downloaded  09cf5df01619 vmlinuz
Downloaded  8ea1dd040e97 initrd.img
Restored    80c3fe2ae106 install.img
Pulled quay.io/pulp/fedora-kickstart-artifacts:40-amd64
Digest: sha256:0306e10fd556e12ce8c3674150bceb88c0917b74b63c37eecc17070b3b30003b
</pre>
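
The digest printed at the end of the pull identifies the manifest, which lists each file by SHA-256 digest and size. As an added example (not part of the proposal or its tooling), this Python sketch re-checks pulled files against such a manifest before they are served to booting machines. It assumes the manifest JSON has been saved separately and that file names are carried in the `org.opencontainers.image.title` layer annotation, as ORAS does; the sample files and manifest are constructed.

```python
import hashlib
import os
import tempfile

TITLE = "org.opencontainers.image.title"  # annotation ORAS uses for the file name


def verify_artifact(manifest: dict, directory: str) -> dict:
    """Return {file name: status} for every layer of an OCI image manifest."""
    results = {}
    for layer in manifest.get("layers", []):
        name = layer.get("annotations", {}).get(TITLE)
        algo, _, expected = layer.get("digest", "").partition(":")
        # Reject unnamed layers and names that would escape the directory.
        if not name or os.path.basename(name) != name or name in (".", ".."):
            results[name or layer.get("digest", "?")] = "bad-name"
            continue
        if algo != "sha256":
            results[name] = "unsupported-digest"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        h, size = hashlib.sha256(), 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
                size += len(chunk)
        if size != layer.get("size"):
            results[name] = "size-mismatch"
        elif h.hexdigest() != expected:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed sample: two small files stand in for vmlinuz and initrd.img."""
    files = {"vmlinuz": b"constructed kernel", "initrd.img": b"constructed initrd"}
    manifest = {"schemaVersion": 2, "layers": [
        {"digest": "sha256:" + hashlib.sha256(data).hexdigest(),
         "size": len(data), "annotations": {TITLE: name}}
        for name, data in files.items()]}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(d, "initrd.img"), "r+b") as fh:
            fh.write(b"X")  # same size, different content: on-disk modification
        return verify_artifact(manifest, d)
```

Any status other than `ok` is a reason to stop before copying the files into a TFTP or HTTP boot root.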

Alternatively, the content can be downloaded via the `skopeo` tool with
[https://github.com/theforeman/nboci-files/blob/main/artifact-pull.py
some scripting] involving file renaming.

The proposed repository for the content is
`quay.io/fedora/kickstart-artifacts`. The tag convention will be `N`,
where N is the Fedora version, with a manifest index for all supported
architectures pointing to tags in the form of `N-arch`. Only stable
and N-1 Fedora versions will be kept for storage reasons, and old
artifacts will be regularly removed and garbage collected. For more
info, read the [https://github.com/pulp/netboot-oci-specs/blob/main/netboot-oci-artifacts.md
manifest specification].

Files are currently being published in a temporary location:
[https://quay.io/repository/pulp/fedora-kickstart-artifacts?tab=tags&tag=latest
quay.io/pulp/fedora-kickstart-artifacts] and can be consumed from
there. The pipeline currently lives on Fedora's GitLab.

== Benefit to Fedora ==

The change solves the situation for Fedora bootable container users
who currently need to find matching Fedora RPM repositories and use
various tools like `curl` or `rpm2cpio` and `cpio` to download
required files. This will significantly simplify provisioning
workflows of Fedora systems en masse via automation tools like Ansible
or Foreman. All files will also be signed by Fedora GPG keys for
increased security.

Users of the regular (RPM) Fedora spin will benefit as well, since
bare-metal provisioning workflows, scripts or tools can be further
simplified. Additionally, many provisioning systems (Beaker, Foreman)
use one shim/grub for installing all OS versions, which does not work
reliably when SecureBoot is turned on. Published files can be easily
downloaded for each OS version.

The newly published content is planned to be integrated with other
open source projects: Foreman, Pulp and Ansible. This is out of scope
for this change.

== Scope ==

* Proposal owners: prepare a CI/CD pipeline for fully automated build
and push of kickstart artifacts, integrate the published repositories
with related open-source project workflows [https://theforeman.org/
Foreman] and [https://pulpproject.org/ Pulp]

* Release engineering: create a new repository in the fedora namespace
[https://pagure.io/fedora-infrastructure/issue/12152 #12152] and
assist with integrating the new pipeline into the Fedora workflow

== Documentation ==

The newly created repository will be featured in the documentation of
several upstream projects that will make use of it:

* osbuild
* foreman
* pulp

== Release Notes ==

TBD

-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue