
lints: Add var-tmpfiles #1101

Merged: 6 commits, Feb 13, 2025

Conversation

@cgwalters (Collaborator) commented Feb 10, 2025

lints: Add unit test checking pass/fail counts

We have a bug here that this will catch.

Signed-off-by: Colin Walters walters@verbum.org


lints: Actually skip skipped lints

Oops.

Signed-off-by: Colin Walters walters@verbum.org


lint: Add --skip

This allows people to explicitly skip individual lints; especially
useful for warnings. But maybe people have a legitimate reason
to skip ones we're calling fatal too.

Prep especially for supporting --fix --skip.

Signed-off-by: Colin Walters walters@verbum.org


lints: Fix unit tests to use RootType::Alternative

Prep for adding unit tests which hard require the running root
(like tmpfiles.d) - we can't unit test those.

Signed-off-by: Colin Walters walters@verbum.org


utils: Fix compilation standalone

We use tokio::test so need the macros feature.

Signed-off-by: Colin Walters walters@verbum.org


utils: Add a method to split an iterator

Signed-off-by: Colin Walters walters@verbum.org


provision-derived: Clean lots more stuff

Yeah, we're going to need a dnf clean all --everything...

Signed-off-by: Colin Walters walters@verbum.org


tmpfiles: New crate

This adapts code rewritten from rpm-ostree to synthesize
tmpfiles.d entries.

Signed-off-by: Colin Walters walters@verbum.org


lints: Add var-tmpfiles

This checks for content in /var that is missing systemd tmpfiles.d
entries.

Signed-off-by: Colin Walters walters@verbum.org


@cgwalters cgwalters force-pushed the tmpfiles branch 3 times, most recently from 114ab01 to 2f8bb31 Compare February 12, 2025 13:30
@cgwalters cgwalters changed the title tmpfiles: New crate lints: Add var-tmpfiles Feb 12, 2025
@cgwalters (Collaborator, Author)

OK cool! This one is working well! In our own hack/Containerfile without the "provision-derived: Clean lots more stuff" commit:

$ git revert 696abd6b0e1f0d83379d029cad27645f1c15cfad
[tmpfiles 77890237] Revert "provision-derived: Clean lots more stuff"
 1 file changed, 1 insertion(+), 5 deletions(-)
$ podman build --build-arg=base=quay.io/fedora/fedora-bootc:41 -t localhost/bootc -f hack/Containerfile .
[1/2] STEP 1/8: FROM quay.io/fedora/fedora-bootc:41 AS build
...
[1/2] STEP 8/8: RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make test-bin-archive && mkdir -p /out && cp target/bootc.tar.zst /out
cargo build --release
   Compiling bootc-utils v0.0.0 (/build/utils)
   Compiling bootc-blockdev v0.0.0 (/build/blockdev)
   Compiling bootc-tmpfiles v0.1.0 (/build/tmpfiles)
   Compiling ostree-ext v0.15.3 (/build/ostree-ext)
   Compiling system-reinstall-bootc v0.1.9 (/build/system-reinstall-bootc)
   Compiling bootc-lib v1.1.5 (/build/lib)
   Compiling bootc v0.1.9 (/build/cli)
    Finished `release` profile [optimized + debuginfo] target(s) in 23.06s
...
--> eff513c3b45a
[2/2] STEP 9/10: COPY --from=build /build/target/dev-rootfs/ /
--> 42280021aa0a
[2/2] STEP 10/10: RUN bootc container lint
Lint warning: var-tmpfiles: Found content in /var missing systemd tmpfiles.d entries:
  d /var/cache/libdnf5 0755 root root - -
  d /var/lib/dnf 0755 root root - -
  d /var/lib/dnf/repos 0755 root root - -
  d /var/lib/dnf/repos/fedora-7efbab3c1dbcd0d4 0755 root root - -
  d /var/lib/dnf/repos/updates-e19adde8fd271134 0755 root root - -
  ...and 3 more
Found non-directory/non-symlink files in /var:
  "var/lib/dnf/repos/fedora-7efbab3c1dbcd0d4/countme"
  "var/lib/dnf/repos/updates-e19adde8fd271134/countme"
  "var/cache/ldconfig/aux-cache"
  "var/roothome/.config/nushell/config.nu"
  "var/roothome/.config/nushell/env.nu"

Checks passed: 8
Checks skipped: 1
Warnings: 1
[2/2] COMMIT localhost/bootc
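The output above shows the shape of what the var-tmpfiles check produces: one `d` line per directory under /var with its mode, and a separate list of regular files that a tmpfiles.d line cannot reproduce. The following is an added example written for this page, not the bootc tmpfiles crate itself. It models only `d` and `L` entries, scans a rootfs under a given `root` directory, treats a path as covered when any `*.conf` in `usr/lib/tmpfiles.d` or `etc/tmpfiles.d` names it in its second field, and runs against a constructed sample tree built in the temp dir (the `fedora-0000` repo directory and `sample.conf` are made up for the example).

```rust
use std::{collections::BTreeSet, fs, io, os::unix::fs::PermissionsExt, path::{Path, PathBuf}};

/// One synthesized tmpfiles.d line: `d` for a directory, `L` for a symlink.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Entry {
    Dir { path: String, mode: u32 },
    Symlink { path: String, target: String },
}
impl Entry {
    pub fn to_tmpfiles_line(&self) -> String {
        match self {
            Entry::Dir { path, mode } => format!("d {path} {mode:04o} root root - -"),
            Entry::Symlink { path, target } => format!("L {path} - - - - {target}"),
        }
    }
}

/// Synthesizable entries, plus regular files tmpfiles.d cannot recreate with their content (only reported).
#[derive(Debug, Default)]
pub struct VarScan {
    pub entries: Vec<Entry>,
    pub unsupported_files: Vec<String>,
}

/// Recursive scan; `rel` is "var/..." relative to the root, tmpfiles.d lines use the absolute "/var/..." form.
fn walk(root: &Path, dir: &Path, out: &mut VarScan) -> io::Result<()> {
    for ent in fs::read_dir(dir)? {
        let path = ent?.path();
        let rel = path.strip_prefix(root).expect("child of root").display().to_string();
        let meta = fs::symlink_metadata(&path)?;
        if meta.file_type().is_symlink() {
            let target = fs::read_link(&path)?.display().to_string();
            out.entries.push(Entry::Symlink { path: format!("/{rel}"), target });
        } else if meta.is_dir() {
            out.entries.push(Entry::Dir { path: format!("/{rel}"), mode: meta.permissions().mode() & 0o7777 });
            walk(root, &path, out)?;
        } else {
            out.unsupported_files.push(rel);
        }
    }
    Ok(())
}

/// Paths named by `*.conf` files in the usual tmpfiles.d directories: field two
/// (type path mode user group age argument) of every non-comment line.
pub fn covered_paths(root: &Path) -> io::Result<BTreeSet<String>> {
    let mut covered = BTreeSet::new();
    for sub in ["usr/lib/tmpfiles.d", "etc/tmpfiles.d"] {
        let dir = match fs::read_dir(root.join(sub)) { Ok(d) => d, Err(_) => continue };
        for ent in dir {
            let conf = ent?.path();
            if conf.extension().and_then(|e| e.to_str()) != Some("conf") { continue; }
            for line in fs::read_to_string(&conf)?.lines() {
                let mut fields = line.split_whitespace();
                if let (Some(kind), Some(path)) = (fields.next(), fields.next()) {
                    if !kind.starts_with('#') { covered.insert(path.to_string()); }
                }
            }
        }
    }
    Ok(covered)
}

/// The lint itself: everything under `<root>/var` that no tmpfiles.d line accounts for.
pub fn missing_entries(root: &Path) -> io::Result<VarScan> {
    let covered = covered_paths(root)?;
    let mut scan = VarScan::default();
    walk(root, &root.join("var"), &mut scan)?;
    scan.entries.retain(|e| match e { Entry::Dir { path, .. } | Entry::Symlink { path, .. } => !covered.contains(path) });
    scan.entries.sort(); // stable report regardless of read_dir order
    scan.unsupported_files.sort();
    Ok(scan)
}

/// Constructed sample rootfs (not a real image) in the temp dir: a dnf repo cache and a
/// `countme` file landed in /var, and a conf that covers only the base layout.
pub fn build_sample_root() -> io::Result<PathBuf> {
    let nanos = std::time::UNIX_EPOCH.elapsed().map_err(|e| io::Error::new(io::ErrorKind::Other, e))?.as_nanos();
    let root = std::env::temp_dir().join(format!("var-tmpfiles-{}-{nanos}", std::process::id()));
    fs::create_dir_all(root.join("usr/lib/tmpfiles.d"))?;
    for d in ["var", "var/cache", "var/cache/libdnf5", "var/lib", "var/lib/dnf", "var/lib/dnf/repos", "var/lib/dnf/repos/fedora-0000"] {
        fs::create_dir(root.join(d))?;
        fs::set_permissions(root.join(d), fs::Permissions::from_mode(0o755))?; // independent of umask
    }
    fs::write(root.join("var/lib/dnf/repos/fedora-0000/countme"), "0\n")?;
    std::os::unix::fs::symlink("../run", root.join("var/run"))?;
    let conf = ["# base layout only", "d /var/cache 0755 root root - -", "d /var/cache/libdnf5 0755 root root - -",
                "d /var/lib 0755 root root - -", "L /var/run - - - - ../run", ""].join("\n");
    fs::write(root.join("usr/lib/tmpfiles.d/sample.conf"), conf)?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = build_sample_root()?;
    let scan = missing_entries(&root)?;
    println!("Lint warning: var-tmpfiles: Found content in /var missing systemd tmpfiles.d entries:");
    scan.entries.iter().for_each(|e| println!("  {}", e.to_tmpfiles_line()));
    println!("Found non-directory/non-symlink files in /var:");
    scan.unsupported_files.iter().for_each(|f| println!("  {f:?}"));
    fs::remove_dir_all(&root)
}
```

Coverage is by exact path, so an entry that the real lint might treat as covered through a parent or a different entry type is out of scope here. Regular files such as `countme` are reported rather than synthesized, as in the output above, because no tmpfiles.d line reproduces arbitrary file contents; that content has to be cleaned out at build time or moved out of /var.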

@cgwalters (Collaborator, Author)

And indeed taking the updated bootc from this PR and using it in https://gitlab.com/fedora/bootc/base-images/-/tree/wip-baseimage-rework

I see

Lint warning: var-tmpfiles: Found content in /var missing systemd tmpfiles.d entries:
  d /var/lib/rpm-state 0755 root root - -

And yeah as I noted in the commit message I think we really really want dnf clean all --container or so (ref rpm-software-management/dnf5#2011 at least).

@cgwalters (Collaborator, Author)

https://artifacts.dev.testing-farm.io/370c7d10-3914-4736-a2a9-e118805e3b3b/

                out: STEP 3/3: RUN echo test content > /usr/share/blah.txt
                out: time="2025-02-12T14:15:22Z" level=warning msg="Failed to load cached network config: network podman not found in CNI cache, falling back to loading network podman from disk"
                out: time="2025-02-12T14:15:22Z" level=warning msg="1 error occurred:\n\t* plugin type=\"tuning\" failed (delete): failed to find plugin \"tuning\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]\n\n"
                out: error running container: did not get container start message from parent: EOF
                out: Error: building at STEP "RUN echo test content > /usr/share/blah.txt": setup network: plugin type="bridge" failed (add): failed to find plugin "bridge" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]

OK did podman in c9s really just break?

@Luap99 (Member) commented Feb 12, 2025

https://artifacts.dev.testing-farm.io/370c7d10-3914-4736-a2a9-e118805e3b3b/

                out: STEP 3/3: RUN echo test content > /usr/share/blah.txt
                out: time="2025-02-12T14:15:22Z" level=warning msg="Failed to load cached network config: network podman not found in CNI cache, falling back to loading network podman from disk"
                out: time="2025-02-12T14:15:22Z" level=warning msg="1 error occurred:\n\t* plugin type=\"tuning\" failed (delete): failed to find plugin \"tuning\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]\n\n"
                out: error running container: did not get container start message from parent: EOF
                out: Error: building at STEP "RUN echo test content > /usr/share/blah.txt": setup network: plugin type="bridge" failed (add): failed to find plugin "bridge" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]

OK did podman in c9s really just break?

What does podman info say? Is netavark installed? In general if netavark is installed podman should default to it and not use cni which is likely why cni is not pulled in as dependency.

I am not sure what you are doing there but there is some special smart logic in podman to default to cni when it detects existing images in the container store. This is because when we updated to podman 4.0 we had to remain backwards compatible but wanted to default to netavark. So in order to do that the first podman/buildah command tries to create a special flag file when it does not exist yet to record the chosen netavark backend based on the "is netavark installed" and "are there images in the store" conditions.

@cgwalters (Collaborator, Author) commented Feb 12, 2025

I am not sure what you are doing there but there is some special smart logic in podman to default to cni when it detects existing images in the container store.

Ah hah, that's it. I can reproduce this way:

  • podman-bootc run quay.io/centos-bootc/centos-bootc:stream9
$ rpm -q podman netavark
podman-5.3.2-2.el9.x86_64
netavark-1.13.1-1.el9.x86_64
$ skopeo copy docker://busybox containers-storage:busybox
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled 
Getting image source signatures
Copying blob 9c0abc9c5bd3 done   | 
Copying config af47096251 done   | 
Writing manifest to image destination
$ cat Dockerfile 
FROM busybox
RUN touch /blah
$ podman build -t localhost/test .
STEP 1/2: FROM busybox
STEP 2/2: RUN touch /blah
WARN[0000] Failed to load cached network config: network podman not found in CNI cache, falling back to loading network podman from disk 
WARN[0000] 1 error occurred:
	* plugin type="tuning" failed (delete): failed to find plugin "tuning" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]
 
error running container: did not get container start message from parent: EOF
Error: building at STEP "RUN touch /blah": setup network: plugin type="bridge" failed (add): failed to find plugin "bridge" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]

Yet if I do a podman pull busybox instead of the skopeo copy, it works of course. (If it didn't a whole lot more of our CI would be broken)

@cgwalters (Collaborator, Author)

It does seem to work if I invoke just a plain no-op podman images as the very first operation.

I'm pretty sure this is a regression though in recent podman in c9s, because this job has been passing for a while, and we did just pick up newer changes.

Is it worth tracking as a bug on the podman side?

The workaround here is trivial but I do worry this is a bit of a canary for other potential failure scenarios.

@cgwalters (Collaborator, Author)

Or is this just that we need to update skopeo with a newer vendored c/storage maybe?

cgwalters added a commit to cgwalters/bootc that referenced this pull request Feb 12, 2025
See containers#1101 (comment)
Basically things break unless "podman" initializes the c/storage instance right now.

Signed-off-by: Colin Walters <walters@verbum.org>
@Luap99 (Member) commented Feb 12, 2025

The behavior has not changed since podman 4.0. If something has changed then not on the podman/buildah side. (just my guess of course)

Note that using skopeo to import an image before running podman/buildah will bypass the detection, because skopeo does not pull in any network code whatsoever, so if you do that then yes, it is expected to run podman before it.
The other alternative is to hard code the network backend in containers.conf so there is no need for podman to guess.

I know the detect logic sucks but it is what it is and we removed CNI support from podman 5.0 upstream and in Centos/RHEL 10 so this is "solved" already as we only use netavark going forward.

cgwalters added a commit to cgwalters/bootc that referenced this pull request Feb 12, 2025
See containers#1101 (comment)
Basically things break unless "podman" initializes the c/storage instance right now.

Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters (Collaborator, Author)

The behavior has not changed since podman 4.0. If something has changed then not on the podman/buildah side. (just my guess of course)

I am 93.7% confident that it was something that changed in the c9s images that triggered this; digging in only slightly:

$ podman run --pull=newer --rm -ti quay.io/centos-bootc/centos-bootc:stream9 rpm -qa |^sort -u | save -f /tmp/new.txt
$ podman run --pull=newer --rm -ti quay.io/centos-bootc/centos-bootc@sha256:e3663c79bd5fb70babb84355be9e4dae2825b0e5c877eafd4c50947ad67db170 rpm -qa |^sort -u | save -f /tmp/old.txt
$ diff -u /tmp/old.txt /tmp/new.txt
--- /tmp/old.txt	2025-02-12 15:06:26.149854209 -0500
+++ /tmp/new.txt	2025-02-12 15:06:13.903645358 -0500
@@ -1,14 +1,14 @@
-NetworkManager-1.51.5-1.el9.x86_64
-NetworkManager-cloud-setup-1.51.5-1.el9.x86_64
-NetworkManager-libnm-1.51.5-1.el9.x86_64
-NetworkManager-tui-1.51.5-1.el9.x86_64
-WALinuxAgent-udev-2.7.0.6-10.el9.noarch
+NetworkManager-1.51.6-1.el9.x86_64
+NetworkManager-cloud-setup-1.51.6-1.el9.x86_64
+NetworkManager-libnm-1.51.6-1.el9.x86_64
+NetworkManager-tui-1.51.6-1.el9.x86_64
+WALinuxAgent-udev-2.7.0.6-11.el9.noarch
 aardvark-dns-1.13.1-1.el9.x86_64
 acl-2.3.1-4.el9.x86_64
 adcli-0.9.2-1.el9.x86_64
 alternatives-1.24-1.el9.x86_64
 attr-2.5.1-3.el9.x86_64
-audit-libs-3.1.5-1.el9.x86_64
+audit-libs-3.1.5-3.el9.x86_64
 avahi-libs-0.8-21.el9.x86_64
 basesystem-11-13.el9.noarch
 bash-5.1.8-9.el9.x86_64
@@ -16,13 +16,13 @@
 bind-libs-9.16.23-24.el9.x86_64
 bind-license-9.16.23-24.el9.noarch
 bind-utils-9.16.23-24.el9.x86_64
-binutils-2.35.2-59.el9.x86_64
-binutils-gold-2.35.2-59.el9.x86_64
-bootc-1.1.2-1.el9.x86_64
+binutils-2.35.2-60.el9.x86_64
+binutils-gold-2.35.2-60.el9.x86_64
+bootc-1.1.4-2.el9.x86_64
 bootupd-0.2.25-1.el9.x86_64
 bubblewrap-0.4.1-8.el9.x86_64
-bzip2-1.0.8-9.el9.x86_64
-bzip2-libs-1.0.8-9.el9.x86_64
+bzip2-1.0.8-10.el9.x86_64
+bzip2-libs-1.0.8-10.el9.x86_64
 c-ares-1.19.1-2.el9.x86_64
 ca-certificates-2024.2.69_v8.0.303-91.4.el9.noarch
 centos-gpg-keys-9.0-26.el9.noarch
@@ -37,7 +37,7 @@
 console-login-helper-messages-issuegen-0.21.3-1.el9.noarch
 console-login-helper-messages-profile-0.21.3-1.el9.noarch
 container-selinux-2.234.2-1.el9.noarch
-containers-common-1-110.el9.x86_64
+containers-common-1-113.el9.x86_64
 coreutils-8.32-39.el9.x86_64
 coreutils-common-8.32-39.el9.x86_64
 cpio-2.13-16.el9.x86_64
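Review bot: containers-common also moved in this hunk (`-containers-common-1-110.el9.x86_64` / `+containers-common-1-113.el9.x86_64`), and that package carries the default containers.conf that the network-backend discussion later turns to, so the bisect should not be narrowed to podman and skopeo alone; when reverting packages individually on top of the new base, include this one.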
@@ -57,15 +57,15 @@
 dbus-broker-28-7.el9.x86_64
 dbus-common-1.12.20-8.el9.noarch
 dbus-libs-1.12.20-8.el9.x86_64
-device-mapper-1.02.202-4.el9.x86_64
-device-mapper-event-1.02.202-4.el9.x86_64
-device-mapper-event-libs-1.02.202-4.el9.x86_64
-device-mapper-libs-1.02.202-4.el9.x86_64
+device-mapper-1.02.202-6.el9.x86_64
+device-mapper-event-1.02.202-6.el9.x86_64
+device-mapper-event-libs-1.02.202-6.el9.x86_64
+device-mapper-libs-1.02.202-6.el9.x86_64
 device-mapper-persistent-data-1.1.0-1.el9.x86_64
 diffutils-3.7-12.el9.x86_64
 dmidecode-3.6-1.el9.x86_64
-dnf-4.14.0-23.el9.noarch
-dnf-data-4.14.0-23.el9.noarch
+dnf-4.14.0-24.el9.noarch
+dnf-data-4.14.0-24.el9.noarch
 dosfstools-4.2-3.el9.x86_64
 dracut-057-79.git20241127.el9.x86_64
 dracut-network-057-79.git20241127.el9.x86_64
@@ -75,10 +75,10 @@
 efi-filesystem-6-2.el9.noarch
 efibootmgr-16-12.el9.x86_64
 efivar-libs-38-3.el9.x86_64
-elfutils-debuginfod-client-0.192-2.el9.x86_64
-elfutils-default-yama-scope-0.192-2.el9.noarch
-elfutils-libelf-0.192-2.el9.x86_64
-elfutils-libs-0.192-2.el9.x86_64
+elfutils-debuginfod-client-0.192-5.el9.x86_64
+elfutils-default-yama-scope-0.192-5.el9.noarch
+elfutils-libelf-0.192-5.el9.x86_64
+elfutils-libs-0.192-5.el9.x86_64
 ethtool-6.11-1.el9.x86_64
 expat-2.5.0-4.el9.x86_64
 file-5.39-16.el9.x86_64
@@ -102,10 +102,10 @@
 gettext-0.21-8.el9.x86_64
 gettext-libs-0.21-8.el9.x86_64
 glib2-2.68.4-16.el9.x86_64
-glibc-2.34-148.el9.x86_64
-glibc-common-2.34-148.el9.x86_64
-glibc-gconv-extra-2.34-148.el9.x86_64
-glibc-minimal-langpack-2.34-148.el9.x86_64
+glibc-2.34-163.el9.x86_64
+glibc-common-2.34-163.el9.x86_64
+glibc-gconv-extra-2.34-163.el9.x86_64
+glibc-minimal-langpack-2.34-163.el9.x86_64
 gmp-6.2.0-13.el9.x86_64
 gnupg2-2.3.3-4.el9.x86_64
 gnutls-3.8.3-4.el9.x86_64
@@ -123,31 +123,31 @@
 hostname-3.23-6.el9.x86_64
 ima-evm-utils-1.5-3.el9.x86_64
 inih-49-6.el9.x86_64
-iproute-6.2.0-5.el9.x86_64
-iproute-tc-6.2.0-5.el9.x86_64
-iptables-libs-1.8.10-7.el9.x86_64
-iptables-nft-1.8.10-7.el9.x86_64
-iptables-nft-services-1.8.10-7.el9.noarch
+iproute-6.11.0-1.el9.x86_64
+iproute-tc-6.11.0-1.el9.x86_64
+iptables-libs-1.8.10-11.el9.x86_64
+iptables-nft-1.8.10-11.el9.x86_64
+iptables-nft-services-1.8.10-11.el9.noarch
 iputils-20210202-11.el9.x86_64
-irqbalance-1.9.4-1.el9.x86_64
+irqbalance-1.9.4-2.el9.x86_64
 jansson-2.14-1.el9.x86_64
 jq-1.6-17.el9.x86_64
 json-c-0.14-11.el9.x86_64
 json-glib-1.6.6-1.el9.x86_64
-kbd-2.4.0-10.el9.x86_64
-kbd-legacy-2.4.0-10.el9.noarch
-kbd-misc-2.4.0-10.el9.noarch
-kernel-5.14.0-547.el9.x86_64
-kernel-core-5.14.0-547.el9.x86_64
-kernel-modules-5.14.0-547.el9.x86_64
-kernel-modules-core-5.14.0-547.el9.x86_64
-kexec-tools-2.0.29-2.el9.x86_64
+kbd-2.4.0-11.el9.x86_64
+kbd-legacy-2.4.0-11.el9.noarch
+kbd-misc-2.4.0-11.el9.noarch
+kernel-5.14.0-565.el9.x86_64
+kernel-core-5.14.0-565.el9.x86_64
+kernel-modules-5.14.0-565.el9.x86_64
+kernel-modules-core-5.14.0-565.el9.x86_64
+kexec-tools-2.0.29-5.el9.x86_64
 keyutils-1.6.3-1.el9.x86_64
 keyutils-libs-1.6.3-1.el9.x86_64
 kmod-28-10.el9.x86_64
 kmod-libs-28-10.el9.x86_64
-kpartx-0.8.7-34.el9.x86_64
-krb5-libs-1.21.1-4.el9.x86_64
+kpartx-0.8.7-35.el9.x86_64
+krb5-libs-1.21.1-6.el9.x86_64
 less-590-5.el9.x86_64
 libacl-2.3.1-4.el9.x86_64
 libaio-0.3.111-13.el9.x86_64
@@ -165,7 +165,7 @@
 libblockdev-part-2.28-12.el9.x86_64
 libblockdev-swap-2.28-12.el9.x86_64
 libblockdev-utils-2.28-12.el9.x86_64
-libbpf-1.4.0-1.el9.x86_64
+libbpf-1.5.0-1.el9.x86_64
 libbrotli-1.0.9-7.el9.x86_64
 libbytesize-2.5-3.el9.x86_64
 libcap-2.48-9.el9.x86_64
@@ -177,8 +177,8 @@
 libcurl-7.76.1-31.el9.x86_64
 libdb-5.3.28-55.el9.x86_64
 libdhash-0.5.0-53.el9.x86_64
-libdnf-0.69.0-12.el9.x86_64
-libdnf-plugin-subscription-manager-1.29.43-1.el9.x86_64
+libdnf-0.69.0-13.el9.x86_64
+libdnf-plugin-subscription-manager-1.29.44-1.el9.x86_64
 libeconf-0.4.1-4.el9.x86_64
 libedit-3.1-38.20210216cvs.el9.x86_64
 libev-4.33-6.el9.x86_64
@@ -186,16 +186,16 @@
 libfdisk-2.37.4-20.el9.x86_64
 libffi-3.4.2-8.el9.x86_64
 libfido2-1.13.0-2.el9.x86_64
-libgcc-11.5.0-2.el9.x86_64
+libgcc-11.5.0-5.el9.x86_64
 libgcrypt-1.10.0-11.el9.x86_64
-libgomp-11.5.0-2.el9.x86_64
+libgomp-11.5.0-5.el9.x86_64
 libgpg-error-1.42-5.el9.x86_64
 libgudev-237-1.el9.x86_64
 libgusb-0.3.8-2.el9.x86_64
 libicu-67.1-9.el9.x86_64
 libidn2-2.3.0-7.el9.x86_64
 libini_config-1.3.1-53.el9.x86_64
-libipa_hbac-2.9.6-1.el9.x86_64
+libipa_hbac-2.9.6-2.el9.x86_64
 libjcat-0.1.6-3.el9.x86_64
 libkcapi-1.4.0-2.el9.x86_64
 libkcapi-hmaccalc-1.4.0-2.el9.x86_64
@@ -209,7 +209,7 @@
 libnet-1.2-7.el9.x86_64
 libnetfilter_conntrack-1.0.9-1.el9.x86_64
 libnfnetlink-1.0.1-23.el9.x86_64
-libnfsidmap-2.5.4-29.el9.x86_64
+libnfsidmap-2.5.4-32.el9.x86_64
 libnftnl-1.2.6-4.el9.x86_64
 libnghttp2-1.43.0-6.el9.x86_64
 libnl3-3.11.0-1.el9.x86_64
@@ -222,9 +222,9 @@
 librepo-1.14.5-2.el9.x86_64
 libreport-filesystem-2.15.2-6.el9.noarch
 libseccomp-2.5.2-2.el9.x86_64
-libselinux-3.6-2.el9.x86_64
-libselinux-utils-3.6-2.el9.x86_64
-libsemanage-3.6-3.el9.x86_64
+libselinux-3.6-3.el9.x86_64
+libselinux-utils-3.6-3.el9.x86_64
+libsemanage-3.6-4.el9.x86_64
 libsepol-3.6-2.el9.x86_64
 libsigsegv-2.13-4.el9.x86_64
 libslirp-4.4.0-8.el9.x86_64
@@ -234,11 +234,11 @@
 libss-1.46.5-6.el9.x86_64
 libssh-0.10.4-13.el9.x86_64
 libssh-config-0.10.4-13.el9.noarch
-libsss_certmap-2.9.6-1.el9.x86_64
-libsss_idmap-2.9.6-1.el9.x86_64
-libsss_nss_idmap-2.9.6-1.el9.x86_64
-libsss_sudo-2.9.6-1.el9.x86_64
-libstdc++-11.5.0-2.el9.x86_64
+libsss_certmap-2.9.6-2.el9.x86_64
+libsss_idmap-2.9.6-2.el9.x86_64
+libsss_nss_idmap-2.9.6-2.el9.x86_64
+libsss_sudo-2.9.6-2.el9.x86_64
+libstdc++-11.5.0-5.el9.x86_64
 libtalloc-2.4.2-1.el9.x86_64
 libtasn1-4.16.0-8.el9.x86_64
 libtdb-1.4.12-1.el9.x86_64
@@ -267,8 +267,8 @@
 logrotate-3.18.0-9.el9.x86_64
 lsof-4.94.0-3.el9.x86_64
 lua-libs-5.4.4-4.el9.x86_64
-lvm2-2.03.28-4.el9.x86_64
-lvm2-libs-2.03.28-4.el9.x86_64
+lvm2-2.03.28-6.el9.x86_64
+lvm2-libs-2.03.28-6.el9.x86_64
 lz4-libs-1.9.3-5.el9.x86_64
 lzo-2.10-7.el9.x86_64
 mdadm-4.3-4.el9.x86_64
@@ -283,7 +283,7 @@
 netavark-1.13.1-1.el9.x86_64
 nettle-3.9.1-1.el9.x86_64
 newt-0.52.21-11.el9.x86_64
-nfs-utils-2.5.4-29.el9.x86_64
+nfs-utils-2.5.4-32.el9.x86_64
 nftables-1.0.9-3.el9.x86_64
 npth-1.6-8.el9.x86_64
 nspr-4.35.0-17.el9.x86_64
@@ -294,7 +294,7 @@
 nss-sysinit-3.101.0-10.el9.x86_64
 nss-util-3.101.0-10.el9.x86_64
 numactl-libs-2.0.19-1.el9.x86_64
-nvme-cli-2.11-2.el9.x86_64
+nvme-cli-2.11-4.el9.x86_64
 oniguruma-6.9.6-1.el9.6.x86_64
 openldap-2.6.8-3.el9.x86_64
 openssh-8.7p1-44.el9.x86_64
@@ -303,16 +303,16 @@
 openssl-3.2.2-6.el9.x86_64
 openssl-libs-3.2.2-6.el9.x86_64
 os-prober-1.77-12.el9.x86_64
-ostree-2024.10-1.el9.x86_64
-ostree-libs-2024.10-1.el9.x86_64
+ostree-2025.1-1.el9.x86_64
+ostree-libs-2025.1-1.el9.x86_64
 p11-kit-0.25.3-3.el9.x86_64
 p11-kit-trust-0.25.3-3.el9.x86_64
 pam-1.5.1-23.el9.x86_64
-parted-3.5-2.el9.x86_64
-passt-0^20241121.g238c69f-1.el9.x86_64
-passt-selinux-0^20241121.g238c69f-1.el9.noarch
+parted-3.5-3.el9.x86_64
+passt-0^20250121.g4f2c8e7-3.el9.x86_64
+passt-selinux-0^20250121.g4f2c8e7-3.el9.noarch
 passwd-0.80-12.el9.x86_64
-pciutils-libs-3.7.0-5.el9.x86_64
+pciutils-libs-3.7.0-7.el9.x86_64
 pcre-8.44-4.el9.x86_64
 pcre2-10.40-6.el9.x86_64
 pcre2-syntax-10.40-6.el9.noarch
@@ -320,7 +320,7 @@
 pkgconf-1.7.3-10.el9.x86_64
 pkgconf-m4-1.7.3-10.el9.noarch
 pkgconf-pkg-config-1.7.3-10.el9.x86_64
-podman-5.3.1-1.el9.x86_64
+podman-5.3.2-2.el9.x86_64
 policycoreutils-3.6-2.1.el9.x86_64
 polkit-0.117-13.el9.x86_64
 polkit-libs-0.117-13.el9.x86_64
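Review bot: the podman bump here (`-podman-5.3.1-1.el9.x86_64` / `+podman-5.3.2-2.el9.x86_64`) is exactly the build the failing reproducer reports from `rpm -q podman netavark`, while netavark is unchanged context in this diff (netavark-1.13.1-1.el9 on both sides), so netavark availability is not what changed the detection outcome; that leaves podman, skopeo and containers-common as the candidates to revert one at a time.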
@@ -333,22 +333,22 @@
 python-unversioned-command-3.9.21-1.el9.noarch
 python3-3.9.21-1.el9.x86_64
 python3-chardet-4.0.0-5.el9.noarch
-python3-cloud-what-1.29.43-1.el9.x86_64
+python3-cloud-what-1.29.44-1.el9.x86_64
 python3-dateutil-2.8.1-7.el9.noarch
 python3-dbus-1.2.18-2.el9.x86_64
 python3-decorator-4.4.2-6.el9.noarch
-python3-dnf-4.14.0-23.el9.noarch
+python3-dnf-4.14.0-24.el9.noarch
 python3-dnf-plugins-core-4.3.0-20.el9.noarch
 python3-file-magic-5.39-16.el9.noarch
 python3-gobject-base-3.40.1-6.el9.x86_64
 python3-gobject-base-noarch-3.40.1-6.el9.noarch
 python3-gpg-1.15.1-6.el9.x86_64
-python3-hawkey-0.69.0-12.el9.x86_64
+python3-hawkey-0.69.0-13.el9.x86_64
 python3-idna-2.10-7.el9.1.noarch
 python3-iniparse-0.4-45.el9.noarch
 python3-inotify-0.9.6-25.el9.noarch
 python3-libcomps-0.1.18-1.el9.x86_64
-python3-libdnf-0.69.0-12.el9.x86_64
+python3-libdnf-0.69.0-13.el9.x86_64
 python3-librepo-1.14.5-2.el9.x86_64
 python3-libs-3.9.21-1.el9.x86_64
 python3-pexpect-4.8.0-7.el9.noarch
@@ -357,31 +357,31 @@
 python3-pysocks-1.7.1-12.el9.noarch
 python3-pyyaml-5.4.1-6.el9.x86_64
 python3-requests-2.25.1-9.el9.noarch
-python3-rpm-4.16.1.3-36.el9.x86_64
+python3-rpm-4.16.1.3-37.el9.x86_64
 python3-setuptools-53.0.0-13.el9.noarch
 python3-setuptools-wheel-53.0.0-13.el9.noarch
 python3-six-1.15.0-9.el9.noarch
-python3-subscription-manager-rhsm-1.29.43-1.el9.x86_64
+python3-subscription-manager-rhsm-1.29.44-1.el9.x86_64
 python3-systemd-234-19.el9.x86_64
 python3-urllib3-1.26.5-6.el9.noarch
 quota-4.09-4.el9.x86_64
 quota-nls-4.09-4.el9.noarch
 readline-8.1-4.el9.x86_64
 rpcbind-1.2.6-7.el9.x86_64
-rpm-4.16.1.3-36.el9.x86_64
-rpm-build-libs-4.16.1.3-36.el9.x86_64
-rpm-libs-4.16.1.3-36.el9.x86_64
-rpm-ostree-2024.9-1.el9.x86_64
-rpm-ostree-libs-2024.9-1.el9.x86_64
-rpm-plugin-selinux-4.16.1.3-36.el9.x86_64
-rpm-plugin-systemd-inhibit-4.16.1.3-36.el9.x86_64
-rpm-sign-libs-4.16.1.3-36.el9.x86_64
+rpm-4.16.1.3-37.el9.x86_64
+rpm-build-libs-4.16.1.3-37.el9.x86_64
+rpm-libs-4.16.1.3-37.el9.x86_64
+rpm-ostree-2025.4-1.el9.x86_64
+rpm-ostree-libs-2025.4-1.el9.x86_64
+rpm-plugin-selinux-4.16.1.3-37.el9.x86_64
+rpm-plugin-systemd-inhibit-4.16.1.3-37.el9.x86_64
+rpm-sign-libs-4.16.1.3-37.el9.x86_64
 samba-client-libs-4.21.3-2.el9.x86_64
 samba-common-4.21.3-2.el9.noarch
 samba-common-libs-4.21.3-2.el9.x86_64
 sed-4.8-9.el9.x86_64
-selinux-policy-38.1.50-1.el9.noarch
-selinux-policy-targeted-38.1.50-1.el9.noarch
+selinux-policy-38.1.53-1.el9.noarch
+selinux-policy-targeted-38.1.53-1.el9.noarch
 setup-2.13.7-10.el9.noarch
 sg3_utils-1.47-10.el9.x86_64
 sg3_utils-libs-1.47-10.el9.x86_64
@@ -389,52 +389,51 @@
 shadow-utils-subid-4.9-12.el9.x86_64
 shared-mime-info-2.1-5.el9.x86_64
 shim-x64-15-15.el8_2.x86_64
-skopeo-1.17.0-1.el9.x86_64
+skopeo-1.17.0-2.el9.x86_64
 slang-2.3.2-11.el9.x86_64
 slirp4netns-1.3.1-1.el9.x86_64
 snappy-1.1.8-8.el9.x86_64
 socat-1.7.4.1-6.el9.x86_64
-sos-4.8.2-1.el9.noarch
+sos-4.8.2-2.el9.noarch
 sqlite-libs-3.34.1-7.el9.x86_64
 squashfs-tools-4.4-10.git1.el9.x86_64
-sssd-ad-2.9.6-1.el9.x86_64
-sssd-client-2.9.6-1.el9.x86_64
-sssd-common-2.9.6-1.el9.x86_64
-sssd-common-pac-2.9.6-1.el9.x86_64
-sssd-ipa-2.9.6-1.el9.x86_64
-sssd-krb5-2.9.6-1.el9.x86_64
-sssd-krb5-common-2.9.6-1.el9.x86_64
-sssd-ldap-2.9.6-1.el9.x86_64
-sssd-nfs-idmap-2.9.6-1.el9.x86_64
+sssd-ad-2.9.6-2.el9.x86_64
+sssd-client-2.9.6-2.el9.x86_64
+sssd-common-2.9.6-2.el9.x86_64
+sssd-common-pac-2.9.6-2.el9.x86_64
+sssd-ipa-2.9.6-2.el9.x86_64
+sssd-krb5-2.9.6-2.el9.x86_64
+sssd-krb5-common-2.9.6-2.el9.x86_64
+sssd-ldap-2.9.6-2.el9.x86_64
+sssd-nfs-idmap-2.9.6-2.el9.x86_64
 stalld-1.19.6-1.el9.x86_64
-subscription-manager-1.29.43-1.el9.x86_64
+subscription-manager-1.29.44-1.el9.x86_64
 subscription-manager-rhsm-certificates-20220623-1.el9.noarch
 sudo-1.9.5p2-10.el9.x86_64
-systemd-252-49.el9.x86_64
-systemd-libs-252-49.el9.x86_64
-systemd-pam-252-49.el9.x86_64
-systemd-resolved-252-49.el9.x86_64
-systemd-rpm-macros-252-49.el9.noarch
-systemd-udev-252-49.el9.x86_64
+systemd-252-51.el9.x86_64
+systemd-libs-252-51.el9.x86_64
+systemd-pam-252-51.el9.x86_64
+systemd-rpm-macros-252-51.el9.noarch
+systemd-udev-252-51.el9.x86_64
 tar-1.34-7.el9.x86_64
 toolbox-0.1.1-1.el9.x86_64
 tpm2-tools-5.2-4.el9.x86_64
 tpm2-tss-3.2.3-1.el9.x86_64
-tzdata-2024b-3.el9.noarch
+tzdata-2025a-1.el9.noarch
 udisks2-2.9.4-11.el9.x86_64
-usermode-1.114-5.el9.x86_64
+usermode-1.114-6.el9.x86_64
 userspace-rcu-0.12.1-6.el9.x86_64
 util-linux-2.37.4-20.el9.x86_64
 util-linux-core-2.37.4-20.el9.x86_64
 vim-minimal-8.2.2637-21.el9.x86_64
 virt-what-1.27-1.el9.x86_64
-volume_key-libs-0.3.12-15.el9.x86_64
+volume_key-libs-0.3.12-16.el9.x86_64
 which-2.21-29.el9.x86_64
 xfsprogs-6.4.0-5.el9.x86_64
 xz-5.2.5-8.el9.x86_64
 xz-libs-5.2.5-8.el9.x86_64
 yajl-2.1.0-22.el9.x86_64
-yum-4.14.0-23.el9.noarch
+yum-4.14.0-24.el9.noarch
 zlib-1.2.11-41.el9.x86_64
 zram-generator-0.3.2-7.el9.x86_64
 zstd-1.5.5-1.el9.x86_64
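Review bot: two things in this hunk deserve a look. `-skopeo-1.17.0-1.el9.x86_64` / `+skopeo-1.17.0-2.el9.x86_64` is a release-field rebuild of the same upstream version, so check the package changelog before assuming it brings a newer vendored c/storage. Separately, the hunk header shrinks from 52 to 51 lines because `-systemd-resolved-252-49.el9.x86_64` has no `+systemd-resolved-252-51` counterpart: the new base dropped systemd-resolved, which is unrelated to the CNI failure but is a content change worth calling out in the image diff.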

It is notable that both podman and skopeo rev'd. But obviously one would need to try reverting one or both of those individually on top of the new base to see.

I know the detect logic sucks but it is what it is and we removed CNI support from podman 5.0 upstream and in Centos/RHEL 10 so this is "solved" already as we only use netavark going forward.

Yeah, this makes total sense - upgrades are hard and I certainly don't have any better suggestions offhand.

My suggestion is: let's just file this issue mentally in the background and if it happens in a way more likely other users or customers may hit it, we may need to think about a stronger workaround (perhaps skopeo detecting if it's the first thing writing to c/storage and running the same podman code?).

@cgwalters (Collaborator, Author)

Lint warning: var-tmpfiles: Found content in /var missing systemd tmpfiles.d entries:
  d /var/roothome/buildinfo 0755 root root - -
  d /var/roothome/buildinfo/content_manifests 0755 root root - -
Found non-directory/non-symlink files in /var:
  "var/lib/rhsm/productid.js"
  "var/lib/rhsm/repo_server_val/redhat.repo"
  "var/roothome/buildinfo/content_manifests/content-sets.json"

omg the set of files dropped by rpm-related stuff is TOO DAMN HIGH

@cgwalters (Collaborator, Author)

d /var/roothome/buildinfo/content_manifests 0755 root root - -

➡️ konflux-ci/build-tasks-dockerfiles#243

This adapts code rewritten from rpm-ostree to synthesize
tmpfiles.d entries.

Signed-off-by: Colin Walters <walters@verbum.org>
This checks for content in `/var` that is missing systemd tmpfiles.d
entries.

Signed-off-by: Colin Walters <walters@verbum.org>
Because if failures somehow creep in we really want to know.

Signed-off-by: Colin Walters <walters@verbum.org>
In some cases we have /var/lib/rhsm too... *cry*

Signed-off-by: Colin Walters <walters@verbum.org>
I put these in https://gitlab.com/fedora/bootc/base-images/-/merge_requests/92
too but let's fast track them to our images here so
we unblock testing tmpfiles.d translation.

Signed-off-by: Colin Walters <walters@verbum.org>
For the same reason we avoid doing this in other code like
in lints.rs; it's reasonable for someone to mount a volume
on `/var/cache/dnf` for example in a container build, and we
don't want to try to convert it to tmpfiles.d.

Signed-off-by: Colin Walters <walters@verbum.org>
@vrothberg (Member)

Note that using skopeo to import an image before running podman/buildah will bypass the detection, because skopeo does not pull in any network code whatsoever, so if you do that then yes, it is expected to run podman before it.

@Luap99, does the upper statement also apply to Podman 5.0+?

I am asking since the issue we ran into here could very well be hit by users on Image Mode going forward. Setting the option in containers.conf could solve the issue, right?

@Luap99 (Member) commented Feb 13, 2025

Note that using skopeo to import an image before running podman/buildah will bypass the detection, because skopeo does not pull in any network code whatsoever, so if you do that then yes, it is expected to run podman before it.

@Luap99, does the upper statement also apply to Podman 5.0+?

I am asking since the issue we ran into here could very well be hit by users on Image Mode going forward. Setting the option in containers.conf could solve the issue, right?

As long as CNI is compiled in (cni build tag) then yes, that should not be the case for most podman 5.0+ builds as we stopped "supporting" it upstream. But on RHEL 9 it is still enabled, we cannot just break people there. With RHEL 10 it will no longer be included in podman.

containers.conf will work but then I don't know where/how you run your code. Just setting in containers.conf faces the same problem as our auto detection logic, if a user is updating the system and was using CNI before you cannot just hard code netavark in there as this will break all their network configs. But if you 100% know that this is not an update you can set it to netavark.

That said you don't have to use containers.conf, the podman detection logic writes /var/lib/containers/storage/defaultNetworkBackend to cni or netavark, so in theory one could check if that file exists and if not you can assume podman 4.X was never used on this system (it won't help if users updated from 3.X and lower). So you could also create this automatically over containers.conf.

I know this is not great, but given this problem is already solved by no longer using cni I'd rather not touch that logic in podman.

@vrothberg (Member)

Thanks a lot for elaborating, @Luap99!

containers.conf will work but then I don't know where/how you run your code. Just setting in containers.conf faces the same problem as our auto detection logic, if a user is updating the system and was using CNI before you cannot just hard code netavark in there as this will break all their network configs. But if you 100% know that this is not an update you can set it to netavark.

Image Mode is a new offering, so we won't run into the CNI issue other than the one discovered here. So we should be good.

Since bootc depends on Podman, a potential fix may be to ship a containers.conf.d/bootc.conf that sets netavark.
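The two suggestions in this thread, Luap99's check for whether podman's detection has already written `/var/lib/containers/storage/defaultNetworkBackend` and vrothberg's containers.conf drop-in that pins netavark, combine naturally: pin only when nothing has decided yet. The following is an added example written for this page, not bootc's or podman's own code. It assumes podman's default graphroot for the marker path, uses a drop-in file name (`50-netavark.conf`) chosen for this example rather than the `bootc.conf` name proposed above, and relies on an explicit `network_backend` value in containers.conf taking precedence over the recorded marker, which is why it refuses to write the drop-in once a marker exists (hard-coding netavark over a recorded "cni" is exactly the upgrade breakage Luap99 warns about). It runs against throwaway roots built in the temp dir.

```rust
use std::path::{Path, PathBuf};
use std::{fs, io};

/// File podman 4.x writes once it has auto-detected a backend (default graphroot), relative to the root.
pub const MARKER: &str = "var/lib/containers/storage/defaultNetworkBackend";
/// containers.conf drop-in used to pin the backend; the file name is an assumption of this example.
pub const DROPIN: &str = "etc/containers/containers.conf.d/50-netavark.conf";

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    /// podman already recorded a backend; forcing netavark over a recorded "cni" would break existing networks.
    KeptRecorded(String),
    /// The drop-in already exists.
    KeptDropin,
    /// Nothing had chosen a backend yet: the drop-in was written.
    Pinned(PathBuf),
}

/// Pin netavark only on a system where neither podman's detection nor an earlier run of this has decided.
pub fn pin_network_backend(root: &Path) -> io::Result<Outcome> {
    let marker = root.join(MARKER);
    if marker.is_file() {
        return Ok(Outcome::KeptRecorded(fs::read_to_string(&marker)?.trim().to_string()));
    }
    let dropin = root.join(DROPIN);
    if dropin.is_file() {
        return Ok(Outcome::KeptDropin);
    }
    fs::create_dir_all(dropin.parent().expect("drop-in path has a parent"))?;
    fs::write(&dropin, "[network]\nnetwork_backend = \"netavark\"\n")?;
    Ok(Outcome::Pinned(dropin))
}

/// What a later podman run will use: an explicit containers.conf value takes precedence,
/// then the recorded marker; with neither, podman runs its auto-detection.
pub fn backend_in_effect(root: &Path) -> io::Result<String> {
    let dropin = root.join(DROPIN);
    if dropin.is_file() {
        for line in fs::read_to_string(&dropin)?.lines() {
            if let Some(rest) = line.trim().strip_prefix("network_backend") {
                let value = rest.trim_start().trim_start_matches('=').trim().trim_matches('"');
                if !value.is_empty() {
                    return Ok(value.to_string());
                }
            }
        }
    }
    let marker = root.join(MARKER);
    if marker.is_file() {
        return Ok(fs::read_to_string(&marker)?.trim().to_string());
    }
    Ok("auto-detect".to_string())
}

/// Throwaway root under the temp dir (constructed for the demo, not a real system).
pub fn scratch_root(tag: &str) -> io::Result<PathBuf> {
    let nanos = std::time::UNIX_EPOCH.elapsed().map_err(|e| io::Error::new(io::ErrorKind::Other, e))?.as_nanos();
    let root = std::env::temp_dir().join(format!("netbackend-{tag}-{}-{nanos}", std::process::id()));
    fs::create_dir_all(&root)?;
    Ok(root)
}

/// Simulate the upgrade case: podman 4.x on this system had already chosen CNI.
pub fn record_cni(root: &Path) -> io::Result<()> {
    let marker = root.join(MARKER);
    fs::create_dir_all(marker.parent().expect("marker path has a parent"))?;
    fs::write(marker, "cni")
}

fn main() -> io::Result<()> {
    let fresh = scratch_root("fresh")?;
    println!("fresh install: {:?} -> backend {}", pin_network_backend(&fresh)?, backend_in_effect(&fresh)?);
    let upgraded = scratch_root("upgraded")?;
    record_cni(&upgraded)?;
    println!("upgraded from cni: {:?} -> backend {}", pin_network_backend(&upgraded)?, backend_in_effect(&upgraded)?);
    fs::remove_dir_all(&fresh)?;
    fs::remove_dir_all(&upgraded)
}
```

For an image build the interesting case is the first one: a freshly provisioned root has no marker, so the drop-in lands and the later `podman build` never reaches the CNI-versus-netavark guess. The marker check is what keeps the same script from silently switching a system that had been running CNI.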

@cgwalters cgwalters marked this pull request as ready for review February 13, 2025 12:47
@cgwalters (Collaborator, Author)

OK lifting draft on this one!

@cgwalters cgwalters enabled auto-merge February 13, 2025 12:48
@cgwalters cgwalters merged commit cc025ed into containers:main Feb 13, 2025
23 checks passed