From Fedora Project Wiki

Distributing Kickstart Files as OCI Artifacts

Latest revision as of 10:31, 24 September 2024

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Fedora distributed as a bootable container ships via an [https://quay.io/repository/fedora/fedora-bootc?tab=tags OCI registry]. Installation is typically done by converting it into a VM image or ISO installer via [https://osbuild.org/ osbuild] (image builder); however, booting from the network is a useful workflow for bare-metal fleet deployments. The files required to perform such an installation are not available in the OCI repository, so they cannot be fetched from the registry in the same manner as the bootable container.

As of today, the files are only available in the Fedora RPM repository, and the installation workflow is cumbersome: find the appropriate RPM repo version and extract the needed files, instead of fetching all the needed assets from the registry alone. This change introduces a new OCI repository with the files in question for each stable Fedora version.

The change is complementary to the current distribution of the kickstart files; we are not proposing to stop distributing these files in dnf repositories.

== Owner ==

== Current status ==
[[Category:ChangeReadyForFesco]]
[[Category:SelfContainedChange]]

* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f42/ Fedora Linux 42]
* Last updated: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/IN4SB5QANHIN3GVV5VCSES5OFTCCRHZR/ Announced]
* [https://discussion.fedoraproject.org/t/f42-change-proposal-distributing-kickstart-files-as-oci-artifacts-self-contained/131150 Discussion thread]
* FESCo issue: [https://pagure.io/fesco/issue/3274 #3274]
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>

== Detailed Description ==
The Fedora bootable container is shipped via OCI registries without any supplementary files for automated kickstart installations. The files needed for this workflow are typically: the bootloader, the anaconda kernel, the initramdisk and the anaconda main image. These files can be found in the regular Fedora RPM repository, for example in the case of the x86_64 architecture:

Some files are distributed unsigned in the `images/` directory; others are signed and need to be extracted from RPM packages. A complete "netboot" ISO image is also available for network installations; it can be customized using the `mkksiso` tool found in Fedora.

The main goal of this change is to start publishing the mentioned files as [https://oras.land/docs/concepts/artifact/ OCI artifacts] for each Fedora version and architecture. Buildah/Podman will be used for creating such a manifest and [https://gitlab.com/fedora/bootc/netboot/netboot/-/blob/main/push.sh?ref_type=heads pushing it] to the OCI registry, and the process will be integrated into the current or upcoming (Konflux) release processes.

There is currently no support for downloading OCI artifacts with podman, but the feature is being discussed and worked on upstream. However, Fedora contains the `golang-oras` tool, which understands the OCI artifact format. This tool can already be used by Fedora users to consume the content:

<pre>
$ oras pull quay.io/pulp/fedora-kickstart-artifacts:40-amd64
Downloading 8ea1dd040e97 initrd.img
Downloading 80c3fe2ae106 boot.iso
Downloading a3b7052d7b2f grubx64.efi
Downloaded  a3b7052d7b2f grubx64.efi
Downloading fff4b2feeef3 pxelinux.0
Downloaded  fff4b2feeef3 pxelinux.0
Downloading 4773d74d87c2 shimx64.efi
Downloaded  4773d74d87c2 shimx64.efi
Downloading 09cf5df01619 vmlinuz
Downloaded  80c3fe2ae106 boot.iso
Downloaded  09cf5df01619 vmlinuz
Downloaded  8ea1dd040e97 initrd.img
Restored    80c3fe2ae106 install.img
Pulled quay.io/pulp/fedora-kickstart-artifacts:40-amd64
Digest: sha256:0306e10fd556e12ce8c3674150bceb88c0917b74b63c37eecc17070b3b30003b
</pre>
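The page mentions that the `skopeo` route needs scripting to rename files. As an added example (not code from this proposal, its pipeline, or the linked script), here is that renaming step done with integrity checks: given an OCI image layout as written by skopeo's `oci:` transport (`blobs/sha256/<hex>`), it pins the artifact by the manifest digest (the `Digest:` value `oras pull` prints), verifies every blob against its digest and declared size, and refuses a file-name annotation that is not a plain file name. `org.opencontainers.image.title` is the standard annotation oras uses for file names; `write_sample_layout` builds a constructed stand-in layout so the script runs offline, and the manifest layout is assumed to be a plain OCI manifest with a `layers` list.

```python
import hashlib
import json
import os

TITLE = "org.opencontainers.image.title"  # annotation oras uses for the file name

def digest_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def read_blob(layout: str, digest: str) -> bytes:
    """Read blobs/sha256/<hex> from the layout; refuse it unless the content hashes to digest."""
    algo, hexd = digest.split(":", 1)
    if algo != "sha256" or os.path.basename(hexd) != hexd:
        raise ValueError(f"malformed digest {digest!r}")
    with open(os.path.join(layout, "blobs", algo, hexd), "rb") as f:
        data = f.read()
    if digest_of(data) != digest:
        raise ValueError(f"blob {digest} does not match its digest")
    return data

def extract_artifact(layout: str, manifest_digest: str, dest: str) -> list:
    """Write each layer to dest under its annotated name and return the names written."""
    # manifest_digest is the 'Digest:' value oras pull prints, so the pull is pinned by content.
    manifest = json.loads(read_blob(layout, manifest_digest))
    names = []
    for layer in manifest["layers"]:
        name = layer.get("annotations", {}).get(TITLE)
        # The name comes from the registry: accept a plain file name, never a path.
        if not name or name in (".", "..") or os.path.basename(name) != name:
            raise ValueError(f"unsafe or missing file name annotation {name!r}")
        data = read_blob(layout, layer["digest"])
        if len(data) != layer["size"]:
            raise ValueError(f"size mismatch for {name}")
        with open(os.path.join(dest, name), "wb") as f:
            f.write(data)
        names.append(name)
    return names

def write_sample_layout(layout: str, files: dict) -> str:
    """Constructed sample (not a real Fedora artifact): minimal layout; returns the manifest digest."""
    os.makedirs(os.path.join(layout, "blobs", "sha256"), exist_ok=True)
    def put(data: bytes) -> str:
        d = digest_of(data)
        with open(os.path.join(layout, "blobs", "sha256", d[7:]), "wb") as f:
            f.write(data)
        return d
    layers = [{"mediaType": "application/octet-stream", "digest": put(b),
               "size": len(b), "annotations": {TITLE: n}} for n, b in files.items()]
    return put(json.dumps({"schemaVersion": 2, "layers": layers}).encode())
```

Signature verification of the extracted files (the proposal says they will be GPG-signed by Fedora) is a separate step that this example does not perform.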


Alternatively, the content can be downloaded via the `skopeo` tool with [https://github.com/theforeman/nboci-files/blob/main/artifact-pull.py some scripting] involving file renaming.

The proposed repository for the content is `quay.io/fedora/kickstart-artifacts`. The tag convention will be `N`, where N is the Fedora version, carrying a manifest index for all supported architectures that points to tags of the form `N-arch`. Only the stable and N-1 Fedora versions will be kept for storage reasons; older artifacts will be regularly removed and garbage collected. For more info, read the [https://github.com/pulp/netboot-oci-specs/blob/main/netboot-oci-artifacts.md manifest specification].

Files are currently being published at a temporary space: [https://quay.io/repository/pulp/fedora-kickstart-artifacts?tab=tags&tag=latest quay.io/pulp/fedora-kickstart-artifacts] and can be consumed from there. The pipeline currently lives on Fedora's GitLab.

== Benefit to Fedora ==

The change solves the situation for users of Fedora bootable containers, who currently need to find matching Fedora RPM repositories and use various tools like `curl` or `rpm2cpio` and `cpio` to download the required files. This will significantly simplify provisioning workflows for Fedora systems en masse via automation tools like Ansible or Foreman. All files will also be signed by Fedora GPG keys for increased security.

Users of the regular (RPM) Fedora spin will benefit as well, since bare-metal provisioning workflows, scripts or tools can be further simplified. Additionally, many provisioning systems (Beaker, Foreman) use a single shim/grub for installing all OS versions, which does not work reliably when Secure Boot is turned on; the published files can be easily downloaded per OS version.

The newly published content is planned to be integrated with other open source projects: Foreman, Pulp and Ansible. This is out of scope for this change.

== Scope ==

* Proposal owners: prepare a CI/CD pipeline for fully automated build and push of kickstart artifacts, and integrate the published repositories with the related open-source project workflows [https://theforeman.org/ Foreman] and [https://pulpproject.org/ Pulp]
* Release engineering: create a new repository in the fedora namespace [https://pagure.io/fedora-infrastructure/issue/12152 #12152] and assist with integrating the new pipeline into the Fedora workflow

== Documentation ==

The newly created repository will be featured in the documentation of several upstream projects that will make use of it:

* osbuild
* foreman
* pulp

== Release Notes ==

TBD