
Commit af18adc

Start building images based on AlmaLinux 10.
1 parent 048e19d commit af18adc


4 files changed

+112
-1
lines changed

4 files changed

+112
-1
lines changed

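--- a/.github/build-test-params.yaml
+++ b/.github/build-test-params.yaml
@@ -45,11 +45,15 @@ test-upgrade:
 fedora-41:
 - fedora-41-4.12.2
 - fedora-40-4.11.1
+almalinux-10:
+- almalinux-10-4.12.2
 almalinux-9:
 - centos-9-stream-4.10.0
 rocky-9:
 - rocky-9-4.12.2
 - almalinux-9-4.10.0
+centos-10-stream:
+- almalinux-10-4.12.2
 centos-9-stream:
 - centos-9-stream-4.12.2
 almalinux-8: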

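--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -18,6 +18,7 @@ on:
 - centos-9-stream
 - rocky-9
 - rocky-8
+- almalinux-10
 - almalinux-9
 - almalinux-8
 schedule: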

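--- a/.github/workflows/run-partial-tests.yaml
+++ b/.github/workflows/run-partial-tests.yaml
@@ -38,7 +38,7 @@ jobs:
 - id: default-matrix
 run: |
 (
-echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-42', 'fedora-41', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
+echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-42', 'fedora-41', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-10', 'almalinux-9', 'almalinux-8' ], \
 'docker': [ 'docker', 'podman' ] "
 if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
 echo -n ", 'include': [ \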

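--- /dev/null
+++ b/Dockerfile.almalinux-10
@@ -0,0 +1,106 @@
+# Build on top of base AlmaLinux 10 image
+FROM docker.io/almalinux/10-init
+
+RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy
+RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi
+RUN groupadd -g 285 sssd; useradd -u 285 -g 285 -c 'User for sssd' -r -d /run/sssd/ -s '/sbin/nologin' sssd
+RUN groupadd -g 225 ods; useradd -u 225 -g 225 -c 'opendnssec daemon account' -r -d / -s /sbin/nologin ods
+RUN groupadd -g 207 printadmin
+
+# Workaround 1615948
+RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup
+RUN sed -i 's!%_install_langs.*!%_install_langs all!' /etc/rpm/macros.image-language-conf
+RUN dnf -y install --setopt=install_weak_deps=False ipa-server ipa-server-dns ipa-server-trust-ad patch ipa-healthcheck ipa-client-epn \
+&& dnf clean all
+
+# debug: RUN test $( getent passwd | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17|sssd:x:285|named:x:25|ods:x:225|tss:x:59):" | wc -l ) -eq 8
+# debug: RUN test $( getent group | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17|sssd:x:285|named:x:25|utmp:x:22|wbpriv:x:88|systemd-journal:x:190|ods:x:225|printadmin:x:207|tss:x:59):" | wc -l ) -eq 12
+
+COPY tmpfiles-ownership-fedora-41.conf /usr/lib/tmpfiles.d/ipa-ownership.conf
+
+# var-lib-nfs-rpc_pipefs.mount would run (and fail) nondeterministically
+RUN systemctl mask rpc-gssd.service
+
+RUN mkdir /usr/lib/systemd/system/sssd.service.d
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
+RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
+RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child
+
+# Container image which runs systemd
+# debug: RUN test -f /etc/machine-id && ! test -s /etc/machine-id
+# debug: RUN test -z "$container"
+ENV container oci
+
+# Establish reasonably low open files limit in the container
+COPY DefaultLimitNOFILE.conf /usr/lib/systemd/system.conf.d/DefaultLimitNOFILE.conf
+
+ENTRYPOINT [ "/usr/sbin/init" ]
+STOPSIGNAL RTMIN+3
+# test: systemd-container-failed.sh
+
+# Minimize the systemd setup
+RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l \! -lname /dev/null | xargs rm -v
+RUN systemctl mask systemd-logind.service
+COPY patches/minimal-fedora-42.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-42.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
+
+RUN ln -s /usr/lib/systemd/system/dbus-broker.service /usr/lib/systemd/system/dbus.service
+COPY container-ipa.target /usr/lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN rmdir -v /etc/systemd/system/multi-user.target.wants \
+&& mkdir /etc/systemd/system/container-ipa.target.wants \
+&& ln -s /etc/systemd/system/container-ipa.target.wants /etc/systemd/system/multi-user.target.wants
+RUN systemd-sysusers
+# podman in systemd mode mounts /var/log/journal volume which creates
+# the directory anyway and pollutes podman diff, just pre-create it
+RUN mkdir /var/log/journal
+RUN systemd-tmpfiles --remove --create
+# debug: RUN ! test -f /var/lib/systemd/random-seed
+# test-addon: VOLUME [ "/var/tmp" ]
+# test: systemd-container-diff.sh list-dependencies-rhel-9.out /dev/null docker-diff-minimal-fedora-23.out
+
+# Prepare for basic ipa-server-install in container
+# Address failing nis-domainname.service in the ipa-client-install step
+RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
+ADD hostnamectl-wrapper /usr/bin/nisdomainname
+
+## # test: systemd-container-ipa-server-install.sh
+
+# Move configuration and data to data volume
+COPY patches/ipa-data-fedora-39.patch /root
+RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-data-fedora-39.patch | tee /dev/null | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall
+COPY ipaplatform-rhel.conf /usr/lib/systemd/system.conf.d/ipaplatform-override.conf
+ENV IPAPLATFORM_OVERRIDE=rhel_container
+
+COPY journald-storage.conf /usr/lib/systemd/journald.conf.d/storage.conf
+
+RUN authselect select sssd with-sudo --force
+
+COPY utils/prepare-volume-template utils/populate-volume-from-template utils/extract-rpm-upgrade-scriptlets /usr/local/bin/
+COPY volume-data-list volume-tmp-list volume-data-autoupdate /etc/
+RUN /usr/local/bin/prepare-volume-template /etc/volume-data-list /data
+RUN /usr/local/bin/prepare-volume-template /etc/volume-tmp-list /tmp
+RUN /usr/local/bin/extract-rpm-upgrade-scriptlets
+
+RUN echo 2.0 > /etc/volume-version
+VOLUME [ "/tmp", "/run", "/data" ]
+
+COPY init-data-minimal /usr/local/sbin/init
+ENTRYPOINT [ "/usr/local/sbin/init" ]
+# test: systemd-container-ipa-server-install-data.sh /dev/null
+
+# Configure master/replica upon the first invocation
+COPY init-data /usr/local/sbin/init
+COPY ipa-server-configure-first systemctl-exit-with-status ipa-volume-upgrade-* /usr/sbin/
+COPY ipa-server-configure-first.service ipa-server-upgrade.service ipa-server-update-self-ip-address.service /usr/lib/systemd/system/
+COPY service-success-poweroff.conf /usr/lib/systemd/system/ipa-server-configure-first.service.d/service-success-poweroff.conf.template
+RUN ln -sv /usr/lib/systemd/system/ipa-server-configure-first.service /data-template/etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service
+COPY exit-status.conf /usr/lib/systemd/system/systemd-poweroff.service.d/
+
+EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
+
+RUN uuidgen > /data-template/build-id
+
+LABEL org.opencontainers.image.title="FreeIPA server"
+LABEL org.opencontainers.image.authors="FreeIPA Developers <[email protected]>"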
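Review bot: `FROM docker.io/almalinux/10-init` on line 2 carries no tag or digest, so each rebuild floats on whatever the publisher last pushed and the `almalinux-10-4.12.2` upgrade-test entries added in build-test-params.yaml cannot be tied to a known base; pin it, e.g. `FROM docker.io/almalinux/10-init:<tag>` (tag to be chosen by the maintainer; an `@sha256:` digest would make the build fully reproducible). Line 66, `ADD hostnamectl-wrapper /usr/bin/nisdomainname`, copies a plain local file, for which `COPY hostnamectl-wrapper /usr/bin/nisdomainname` is the conventional instruction and avoids ADD's archive/URL special cases. Line 32, `ENV container oci`, is the legacy space-separated form that current build checks warn about; `ENV container=oci` is equivalent. The file also reuses Fedora- and RHEL-9-named artifacts (`tmpfiles-ownership-fedora-41.conf`, `minimal-fedora-42.patch`, `ipa-data-fedora-39.patch`, `list-dependencies-rhel-9.out`) for an AlmaLinux 10 build, presumably because they still apply unchanged; a one-line comment at line 19 such as `# reused from Fedora 41: ownership layout is the same on AlmaLinux 10 (re-verify on base bump)` would tell the next maintainer this was deliberate rather than an oversight.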
