Table of Contents | ||
---|---|---|
|
Questions
Assuming at least some of packages we need to ship with SIMP already belong to modular repository streams, how can/should we handle:
building SIMP distributions (pkglist.txt + packages.yaml, ISO, etc.,)
Note |
---|
80% Confidence it’s Possible — but it will be complicated and hacky
|
Current methods of building/sourcing RPM packages
SIMP is distributed as a self-contained collection of RPM packages:
SIMP packages are built by the SIMP team, from the repos under
src/
in Puppetfile.pinned.Minimal Base OS packages are filtered from a base OS’s installation media (usually a DVD ISO), down to the files
DVD/<os.release.major>-
pkglist.txt.External packages are RPMs downloaded based on the data in
yum_data/
packages.yaml, and come from additional sources (e.g., EPEL, Puppet, base OS extras, various vendors).(Optionally): Custom packages placed manually into the
packages/
directory and treated like External packages.
Together, these RPMs MUST self-resolve (enough) to install a basic SIMP system on a network-isolated host.
Current process to build SIMP distributions
Build a DVD overlay directory (and tarball) containing the SIMP and External packages.
Unpack the base OS installation media into an ISO staging directory.
Prune the unpacked ISO RPMs down to the Minimal Base OS packages.
Merge the DVD overlay contents over the files already in the ISO staging directory.
Verify that all ISO staging directory’s RPMs can self-resolve by running repoclosure.
Build a SIMP distribution ISO from the contents of the ISO staging directory.
Potential problems with DNF modules
Filtering an OS ISO down to its pkglist + adding external packages in packages.yaml
both
We can use tools like dir2module and repo2module to re-package specific modular packages into slimmer versions of their own modules and then use mergerepo_c to collect them into a slimmed-down AppStream/ repo (based on pkglist.txt) or SIMP/ (based on packages.yml). However, there are several issues that make this complicated:
...
RPM packages from repo modules contain a ModularityLabel
header that is unique to the module’s name + stream + version + context + architecture (NVSCA). DNF must install these RPMs from modules (with modular metadata)—and will refuse to install them as ursine packages.
...
dir2module requires a complete NVSCA string generating module metadata for a directory of RPMs.
...
The dir2module script provided by the EPEL8 RPM modulemd-tools-0.7-1.el8.noarch
does not create a default (or any) profile for the module it creates.
The master in the GitHub repo at
At a minimum, a repackaged (slim) module’s name and stream must match its source repo’s module metadata.
...
This is required so the packages maintain continuity with the complete upstream repo (e.g., receiving update from the complete AppStream repo, epel-modular, etc)
...
The only canonical source for a module’s correct NVSCA/P data is the source repo’s metadata (generally under repodata/{XXXXX}-modules.yaml.gz
, and defined by repodata/repomd.xml
under <data type="modules">
`)
Note |
---|
Remaining unknowns:
|
Testing ISO RPMs' completeness with a repoclosure
Tip |
---|
Recommendation: Use |
To run a repoclosure against ISO-bound/based repos that are staged on the local filesystem:
Code Block |
---|
dnf repoclosure
--disablerepo=\* \
--repofrompath=base,/mnt/BaseOS \
--repofrompath=test1,/opt/dnf_reposync_from_iso \
--arch x86_64 \
--check base \
--check tes1 |
Notes:
Make sure there is a
--repofrompath=
for each local repository directory that should be considered during resolution.Using
--disablerepo=\* --repofrompath=
, the repoclosure doesn’t require purpose-built*.repo
files and doesn’t have to run inside a chroot/container/mock.The
--arch x86_64
may be needed to keep the closure focused on the ISO’s target arch.As released, the EL 8.3 ISO’s AppStream/ repo doesn’t close without it.
Impacts to unpack_dvd & self-hosted DNF repositories (for kickstarts, etc)
How should unpack_dvd handle repos that do/may contain modules?
...
Any necessary dnf module surgery MUST be completed during the tarball/ISO’s build process (described above)
Any “slimmed” dnf modules SHOULD be upgrade-compatible with an unpacked repository than contains the complete modules
then a site’s unpack_dvd tool should only need the files on the ISO.
This has been tested by mounting an ISO as a loopback device and syncing everything (including module metadata) with dnf reposync --download-metadata […] .
How does SELinux support this?
Where do the policies for the packages in various module streams come from?
Notes:
So far, the selinux-*policy RPMs have handled whatever I’ve tried
Ancient policy wikis at (last updated late 2018):
Supporting questions
Can we repackage a “thinned-out” module with only select packages?
probably:
...
EL8 RPM prereqs: createrepo_c (appstream) + modulemd-tools (epel)
Process:
...
Create initial repo with ursine modules
Code Block |
---|
mkdir -p $NEW_REPO_DIR/Packages/ursine
cp "${URSINE_PACKAGE_FILES[@]}" "$NEW_REPO_DIR/Packages/ursine/"
cd "$NEW_REPO_DIR"
createrepo_c . |
...
Create a modular repo from packages that already have a common module header
Status | ||||
---|---|---|---|---|
|
ModularityLabel
header can contain any StringStatus | ||||
---|---|---|---|---|
|
{XXXXX}-modules.yaml.gz
file)Code Block |
---|
# Get the ModularityLabel from the RPMs
### WARNING: All RPMs in the module must have a SINGLE and IDENTICAL ModularityLabel
find "$DIR_WITH_RPMS" -name \*.rpm \
-exec rpm -qp {} --qf '%{ModularityLabel}\n' \; \
| sort -u
### WARNING: the ModularityLabel headers in RPMs build by EL and EPEL
#### are (currently) in N:S:V:C format by convention, but in
##### reality this string is arbitrary and cannot be relied upon
##### to reflect the actual source module's metadata.
MODULE_HEADER=nodejs:10:8020020200707141642:6a468ee4
|
Modularity CLI examples
Simple dnf module commands
View all modules
Code Block |
---|
dnf module list --all |
View a module’s available streams
...
breakoutMode | wide |
---|
...
Table of Contents | ||
---|---|---|
|
Questions
Assuming at least some of packages we need to ship with SIMP already belong to modular repository streams, how can/should we handle:
Building SIMP RPM distributions (pkglist.txt + packages.yaml, repositories, ISOs, etc.,)
Note |
---|
80% Confidence it’s Possible — but it will be complicated and hacky
|
Current methods of building/sourcing RPM packages
A SIMP RPM distribution is a self-contained collection of RPM packages:
SIMP packages are built by the SIMP team, from the repos under
src/
in Puppetfile.pinned.Minimal Base OS packages are filtered from a base OS’s installation media (usually a DVD ISO), down to the files
DVD/<os.release.major>-
pkglist.txt.External packages are RPMs downloaded based on the data in
yum_data/
packages.yaml, and come from additional sources (e.g., EPEL, Puppet, base OS extras, various vendors).(Optionally): Custom packages placed manually into either the directory
yum_data/packages/
(which locates a yum source like External packages) oryum_data/packages/aux_packages/
(included but not checked).
These packages are distributed by the SIMP ISO. Together, these RPMs MUST self-resolve (enough) to install a basic SIMP system on a network-isolated host.
Current process to build and distribute SIMP ISO release
Here’s a quick summary of the SIMP 6.5.0 build process to illustrate where the problems with modularity will arise:
Build a DVD overlay directory (and tarball) containing the SIMP packages.
➡1️⃣ Download External packages (
rake build:yum:sync
) intoyum_data/packages/
Unpack the base OS installation media into an ISO staging directory.
➡1️⃣2️⃣ Prune the unpacked ISO RPMs down to the Minimal Base OS packages.
Merge the DVD overlay contents & External packages on top of the files already in the ISO staging directory.
➡3️⃣ Create new yum repositories using createrepo
➡4️⃣ Verify that all ISO staging directory’s RPMs can self-resolve by running repoclosure (
rake pkg:repoclosure
).
Build a SIMP distribution ISO from the contents of the ISO staging directory
➡1️⃣ Host yum mirrors containing subsets of External package repositories (like EPEL) on the SIMP download service (ex: https://download.simp-project.com/SIMP/yum/releases/6.5.0-1/el/7/x86_64/epel/).
Pain points with modularity + the current process
The DVD overlay directory (and tarball)should not be affected, because it won’t contain modular RPMs (the SIMP project doesn’t create them).
Downloading External packages (
rake build:yum:sync
) intoyum_data/packages/
has modularity problems:1️⃣: You can’t simply [download the modular RPMs you want → remove the modular RPMS you don’t need → collect various modular RPMs together in a directory] and run
createrepo
to re-host them in a new repository. You need the correct metadata (called modulemd metadata) for all downloaded modular RPMs' streams, and special new commands, like createrepo_c.This metadata can only be obtained from the modular RPMs' source repo.
There isn’t a “roll-your-own” solution to create arbitrary modular repositories yet The supported DNF repository tooling is mostly meant to mirror existing repositories.
There are community tools (
dir2module, repo2module), but they are incomplete, unsupported, and buggy. Some of these tools have been rolled into later versions of createrepo_c, but not the version on EL8 (and AFAIK, they may still be buggy).Pulp is the closest tool, because it supports some flavors of modular subsets
Unpack the base OS installation media into an ISO staging directory runs into problems with pruning:
2️⃣: https://simp-project.atlassian.net/browse/SIMP-9644
The naive pruning strategy of “rm RPM is it’s not in a*pkglist.txt
file” may work with very specific RPMs, but it will still need to the original modularity metadata and additional information to ensure the correct modules are used
Merging the DVD overlay
3️⃣: createrepo_c is needed to create a useable modular repository.
However, it requires quite a few things before it can work:⚠➡5️⃣ The correct modulemd data (see format specs) for
modules.yaml
from the original repository.➡5️⃣ Some way of generating the modulemd YAML data for each module.
➡5️⃣ The ability to add all the modules' modulemd data into a single
modules.yaml
file for the entire repository.⚠➡5️⃣ The correct tools to create/merge the repo and the module metadata (
createrepo_mod
or the *_c commands it runs)
4️⃣:
yum-utils
provides a CLI compatibility layer with the newer DNF sub-commands (includingrepoclosure
), but may require specific arguments (documented further below)dnf repoclosure
is sort of module-aware (bz#1547041), and may need extra logic tomodule enable
non-default streams that need to be considered while depsolving.
➡6️⃣: To generate the modulemd YAML data for each module and combine it into a single
modulemd.yaml
file for createrepo_c to consume, we will need to roll either:build logic to do it in one shot
build logic to glue together a process that combines the buggy community tools from modulemd-tools.
Build a SIMP distribution ISO from the contents of the ISO staging directory
Host yum mirrors containing subsets of External package repositories (like EPEL) on the SIMP download serv
Creating repos with useable modularity streams
⚠5️⃣ We can re-package specific packages into slimmer versions of their source modules and then use mergerepo_c (or creatrepo_mod) to collect them into a slimmed-down AppStream/ repo (based on pkglist.txt) or SIMP/ (based on packages.yml). However, there are several issues that make this complicated:
tools like dir2module and repo2module[note] to re-package specific packages into slimmer versions of their source modules and then use mergerepo_c (or creatrepo_mod) to collect them into a slimmed-down AppStream/ repo (based on pkglist.txt) or SIMP/ (based on packages.yml). However, there are several issues that make this complicated:
RPM packages from repo modules contain a
ModularityLabel
header that is unique to the module’s name + stream + version + context + architecture (NSVCA). DNF must install these RPMs from modules (with modular metadata)—and will refuse to install them as ursine packages.dir2module and repo2modules require a complete NSVCA string generating module metadata for a directory of RPMs.
6️⃣ The dir2module script provided by the EPEL8 RPM
modulemd-tools-0.7-1.el8.noarch
does not create a default (or any) profile for the module it creates. It is effectively useless. repo2module is better (which is still missing the Arch in NSVCA).
A repackaged (slim) module’s name and stream and context and architecture must match the values in the source repo’s metadata for the original module.
This is required so the packages maintain continuity with the complete upstream repo (e.g., receiving update from the complete AppStream repo, epel-modular, etc)
The versionnumber must evaluate to more than the earlier (module versions) and less than the version of later modules in the full source repository. This number (like stream and context) is an arbitrary string set by the build platform, so we have to get it
For practical purposes, you need to mirror the repo’s metadata YAML at the same time as you retrieve the packages—it might be updated later, even if the packages you see hosted there are the same
The
ModularityLabel
header is string unique to a module builds' NSVCfor a particular platform. The header data in RPMs packaged by RHEL/CentOS build system looks useful because a string it’s in NSVC format, however this data is actually arbitrary and cannot be relied uponto provide accurate NSVC data for the module.The only canonical source for a module’s correct NSVCA/P data is the source repo’s metadata (generally under
repodata/{XXXXX}-modules.yaml.gz
, and defined byrepodata/repomd.xml
under<data type="modules">
`)🎉 I’ve tested a repacked “slim” repo alongside a repo with the full module w/identical NSVCA details, and it successfully resolved its metadata/packages with the full module.
This should also behave correctly with updated modules, but I haven’t been able to stage that yet.
Testing ISO RPMs' completeness with a repoclosure
Tip |
---|
Recommendation: Use |
To run a repoclosure against ISO-bound/based repos that are staged on the local filesystem:
Code Block |
---|
dnf repoclosure
--disablerepo=\* \
--repofrompath=base,/mnt/BaseOS \
--repofrompath=test1,/opt/dnf_reposync_from_iso \
--arch x86_64 \
--check base \
--check tes1 |
Notes:
Make sure there is a
--repofrompath=
for each local repository directory that should be considered during resolution.Using
--disablerepo=\* --repofrompath=
, the repoclosure doesn’t require purpose-built*.repo
files and doesn’t have to run inside a chroot/container/mock.The
--arch x86_64
may be needed to keep the closure focused on the ISO’s target arch.As released, the EL 8.3 ISO’s AppStream/ repo doesn’t close without it.
Impacts to the ISO installation
Note |
---|
Recommendation: A minimum, change the createrepo . line in auto.cfg on systems installing modular repositories |
This is effectively impossible to test until we have a SIMP ISO with modular repositories.
Impacts to unpack_dvd & self-hosted DNF repositories (for kickstarts, etc)
How should unpack_dvd handle repos that do/may contain modules?
Tip |
---|
Recommendation: The unpack_dvd tool should assume that all ISO DNF repositories are complete enough to mirror.
|
If these recommendations are implemented, then a site’s unpack_dvd tool should only need to copy/reposync the files on the ISO.
This has been tested by mounting an ISO as a loopback device and syncing everything (including module metadata) with dnf reposync --download-metadata […] .
On a stock EL8 server,
dnf reposync
needs the dnf-plugins-core packageOn a stock EL7 server,
dnf reposync
needs the dnf and dnf-plugins-core packages
How does SELinux support this?
Where do the policies for the packages in various module streams come from?
Info |
---|
Notes:
|
Modularity CLI examples
Simple dnf module commands
View all modules and streams
Code Block |
---|
dnf module list --all |
View a module’s available streams
Code Block | ||
---|---|---|
| ||
# dnf module list --available nodejs
Waiting for process with pid 79896 to finish.
Last metadata expiration check: 0:00:01 ago on Fri 12 Mar 2021 02:03:02 AM UTC.
CentOS Linux 8 - AppStream
Name Stream Profiles Summary
nodejs 10 [d] common [d], development, minimal, s2i Javascript runtime
nodejs 12 common [d], development, minimal, s2i Javascript runtime
nodejs 14 common [d], development, minimal, s2i Javascript runtime
Extra Packages for Enterprise Linux Modular 8 - x86_64
Name Stream Profiles Summary
nodejs 13 default, development, minimal Javascript runtime
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
|
View all default streams
The 21 and 11 are the first two field widths. These may vary depending on the length of the stream names.
Code Block |
---|
dnf module list \
| awk -v FIELDWIDTHS="21 11" '{printf "%-20s %s\n", $1, $2}' \
| grep '\[d\]' |
A stab at at more automation-friendly formatting
Code Block |
---|
dnf module list \
| egrep -v '^(Extra|Name|Hint:|CentOS|Last)' \
| sed -e '/^$/d' \
| awk '{printf "%-20s %s\n", $1, $2}' \
| sort
389-directory-server next
389-directory-server stable
389-directory-server testing
389-ds 1.4
ant 1.10
avocado 82lts
avocado latest
cobbler 3
container-tools 1.0
container-tools 2.0
container-tools rhel8
dwm latest
freeradius 3.0
gimp 2.8
go-toolset rhel8
httpd 2.4
idm DL1
idm client
inkscape 0.92.3
javapackages-runtime 201801
jmc rhel8
libselinux-python 2.8
libuv epel8-buildroot
llvm-toolset rhel8
|
View packages in a module
Code Block |
---|
dnf module repoquery nodejs |
Info |
---|
It looks |
View modules/profiles that provide a package
Code Block |
---|
dnf module provides 389-ds-base |
Info |
---|
This is one of the few (two?) module commands that reports which DNF Repo hosts the module |
Info |
---|
Note that it also looks for packages across multiple repos and module:streams |
Example:
Code Block |
---|
# dnf module provides 389-ds-base
Last metadata expiration check: 1:20:30 ago on Wed Mar 24 18:09:28 2021.
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
Module : 389-directory-server:stable:820201201092549:9edba152:x86_64
Profiles : default legacy minimal
Repo : epel-modular
Summary : 389 Directory Server
389-ds-base-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.x86_64
Module : 389-ds:1.4:8030020201222185615:618f7055:x86_64
Profiles :
Repo : appstream
Summary : 389 Directory Server (base)
389-ds-base-1.4.4.9-1.module_el8+10763+39cf6b48.x86_64
Module : 389-directory-server:testing:820201201092622:9edba152:x86_64
Profiles : default legacy minimal
Repo : epel-modular
Summary : 389 Directory Server
389-ds-base-2.0.1-1.module_el8+10522+e95198da.x86_64
Module : 389-directory-server:next:820201104083723:9edba152:x86_64
Profiles : default minimal
Repo : epel-modular
Summary : 389 Directory Server |
View the packages in each profile (for a specific stream)
Code Block | ||
---|---|---|
| ||
]# dnf module info --profile nodejs:12 Last metadata expiration check: 2:59:10 ago on Thu 11 Mar 2021 11:02:32 PM UTC. Name : nodejs:12:8030020210304194546:30b713e6:x86_64 common : nodejs : npm development : nodejs : nodejs-devel 14: npm minimal : nodejs s2i : nodejs common [d], development, minimal, s2i : nodejs-nodemon Javascript runtime Extra Packages for: Enterprise Linux Modular 8 - x86_64 Name Stream Profiles npm |
Anchor | ||||
---|---|---|---|---|
|
Find all modular RPM files that under a directory and print their module headers
This identifies modular RPMs that would need to have their module streams re-created when distributed independently from their source repos:
Code Block | ||
---|---|---|
| ||
find "$DIR_WITH_RPMS" -name \*.rpm \
-exec rpm -qp {} --qf '%-62{NVRA} %{ModularityLabel}\n' \; \
| grep -v '(none)' \
| tee modular_rpms.txt |
The %{ModularityLabel}
header is in (module)name:stream:version:context:arch
(N:S:V:C:A) format (on RedHat/CentOS/Fedora-built packages), so the result looks like this:
Code Block |
---|
389-ds-base-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.x86_64 Summary nodejs 389-ds:1.4:8030020201222185615:618f7055 389-ds-base-libs-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.x86_64 389-ds:1.4:8030020201222185615:618f7055 python3-distro-1.4.0-2.module_el8.3.0+562+e162826a.noarch 13 python36:3.6:8030020201104034153:24f1489c python3-lib389-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.noarch 389-ds:1.4:8030020201222185615:618f7055 ruby-2.5.5-106.module_el8.3.0+571+bab7c6bc.i686 default, development, minimal ruby:2.5:8030020201104071226:30b713e6 ruby-2.5.5-106.module_el8.3.0+571+bab7c6bc.x86_64 Javascript runtime Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled |
View packages in a module
Code Block |
---|
dnf module repoquery nodejs |
Info |
---|
It looks |
View modules/profiles that provide a package
Code Block |
---|
dnf module provides nodejs |
Info |
---|
This is one of the few (two?) module commands that reports which DNF Repo hosts the module |
View the packages in each profile (for a specific stream)
Code Block | ||
---|---|---|
| ||
]# dnf module info --profile nodejs:12
Last metadata expiration check: 2:59:10 ago on Thu 11 Mar 2021 11:02:32 PM UTC.
Name : nodejs:12:8030020210304194546:30b713e6:x86_64
common : nodejs
: npm
development : nodejs
: nodejs-devel
: npm
minimal : nodejs
s2i : nodejs
: nodejs-nodemon
: npm
|
...
Find all modular RPM files that under a directory and print their module headers
This could identify dnf modules that would need to be re-created when shipping modular RPMs independently from their base repos:
Code Block | ||
---|---|---|
| ||
find "$DIR_WITH_RPMS" -name \*.rpm \
-exec rpm -qp {} --qf '%{NVRA} %{ModularityLabel}\n' \; \
| grep -v '(none)' \
| tee modular_rpms.txt |
The %{ModularityLabel}
macro is returned in (module)name:stream:version:context:arch
(NSVCA) format , so the result looks like this:
Code Block |
---|
389-ds-base-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64 389-ds:1.4:8030020200831174107:618f7055
389-ds-base-devel-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64 389-ds:1.4:8030020200831174107:618f7055
389-ds-base-legacy-tools-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64 389-ds:1.4:8030020200831174107:618f7055
389-ds-base-libs-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64 389-ds:1.4:8030020200831174107:618f7055
389-ds-base-snmp-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64 389-ds:1.4:8030020200831174107:618f7055
HdrHistogram-2.1.11-2.module_el8.2.0+460+6583c1d0.noarch jmc:rhel8:8020020200731165725:21dc74c6
HdrHistogram-javadoc-2.1.11-2.module_el8.2.0+460+6583c1d0.noarch jmc:rhel8:8020020200731165725:21dc74c6
Judy-1.0.5-18.module_el8.1.0+217+4d875839.x86_64 mariadb:10.3:8010020191115015915:cdc1202b
ant-1.10.5-1.module_el8.0.0+47+197dca37.noarch ant:1.10:8000020190624202340:f7e686af
ant-lib-1.10.5-1.module_el8.0.0+47+197dca37.noarch ant:1.10:8000020190624202340:f7e686af
aopalliance-1.0-17.module_el8.0.0+39+6a9b6e22.noarch maven:3.5:8000020190624140656:f7e686af
aopalliance-1.0-20.module_el8.3.0+568+0c23fd64.noarch maven:3.6:8030020201104064112:a623df05 |
It may be possible to re-create specific module/streams based on the RPM’s unique headers. However, there will need to be a second data source, because the RPM ModularityLabel
has significant limitations:
Note |
---|
By convention, RPMs' |
Note that the repo2module tool just creates a default profile called everything
.
...
We can’t rely on RPMs' ModularityLabel
string to be in NVSC format, either!
...
Identify all unique modules/streams from a collection of RPM files
Code Block |
---|
find "$DIR_WITH_RPMS" -name \*.rpm \
-exec rpm -qp {} --qf '%{ModularityLabel}\n' \; \
| grep -v '^(none)' | sort | uniq -c \
| sort -nk1,1 \
| tee unique_rpm_module_streams.txt |
...
Mirror the contents of a DNF repository, preserving all modules and package groups.
The current state of CentOS 8 createrepo_c + modulemd-tools (EPEL8) allow us to:
(Works from CentOS 8.3 and CentOS 7.8, requires packages dnf
and dnf-plugin-core
)
An example of this mirroring a mounted CentOS 8.3 ISO’s AppStream repository:
Code Block | ||
---|---|---|
| ||
PATH_TO_LOCAL_MIRROR=/path/to/Appstream
PATH_TO_SOURCE_REPO=/mnt/AppStream
dnf reposync \
--download-metadata --downloadcomps \
--download-path "$PATH_TO_LOCAL_MIRROR" \
--repofrompath iso,"$PATH_TO_SOURCE_REPO" \
--repoid iso
# Useful EL8-only options: --remote-time --norepopath |
dnf reposync
should probably be the only kind of modular-capable mirroring that on-site tools like unpack_dvd should use.
DNF repoclosure
The ISO build process (really the tar build process) runs repoclosure to make sure the packages on the ISO will be self-contained.
Code Block |
---|
dnf repoclosure --repofrompath iso,"$PWD" --repo appstream --repo baseos |
Info |
---|
Judging by the bug report at https://bugzilla.redhat.com/show_bug.cgi?id=1547041, The current behavior only resolves module packages using default or enabled streams & profiles. |
Clean DNF install --downloadonly with all deps
Make sure you enable/disable the repos to match what you intend for resolution; --config is an option, too.
Code Block | ||
---|---|---|
| ||
DNF_DLONLY_TARGET_PACKAGE=httpd
DNF_DLONLY_INSTALL_ROOT=/root/fake-install-dir
DNF_DLONLY_PACKAGE_DIR=/root/downloadonly
dnf install --downloadonly \
--setopt=install_weak_deps=False \
--installroot="$DNF_DLONLY_INSTALL_ROOT" \
--downloaddir="$DNF_DLONLY_PACKAGE_DIR" \
--disablerepo=\* \
--enablerepo=baseos \
--enablerepo=appstream \
--releasever=8 \
"$DNF_DLONLY_TARGET_PACKAGE" |
Notes:
...
An an --enablerepo=
for each repo to consider during resolution.
...
Pointing to an empty --installroot=
will cause dnf install --downloadonly
to download EVERY dependency, including the packages for the baseos.
In this case, --setopt=install_weak_deps=False
may be useful to ignore weak RPM dependencies and cut down on the download size.
Documentation
...
https://docs.fedoraproject.org/en-US/modularity/
...
https://dnf.readthedocs.io/en/latest/
...
https://dnf-plugins-core.readthedocs.io/en/latest/
...
https://sgallagh.wordpress.com/2019/08/14/sausage-factory-modules-fake-it-till-you-make-it/
Notes on building modules independently of Fedora’s hosted build system
https://pagure.io/modularity/issue/141
...
ruby:2.5:8030020201104071226:30b713e6 |
However, it isn’t possible to re-create specific module/streams based on the RPM’s ModularityLabel
headers.
A stream’s full modulemd metadata is only found in the source repo’s
*metadata.yaml.gz
The content of
ModularityLabel
is unique to a build, but its contents cannot be trusted.
Note |
---|
|
Note that the repo2module tool just creates a default profile called everything
.
Warning |
---|
We can’t rely on RPMs' “The |
Identify all unique modules/streams from a collection of RPM files
Code Block |
---|
find "$DIR_WITH_RPMS" -name \*.rpm \
-exec rpm -qp {} --qf '%{ModularityLabel}\n' \; \
| grep -v '^(none)' | sort | uniq -c \
| sort -nk1,1 \
| tee unique_rpm_module_streams.txt |
Anchor | ||||
---|---|---|---|---|
|
Mirror the contents of a DNF repository, preserving all modules and package groups.
The current state of CentOS 8 createrepo_c + modulemd-tools (EPEL8) allow us to:
(Works from CentOS 8.3 and CentOS 7.8, requires packages dnf
and dnf-plugins-core
)
An example of this mirroring a mounted CentOS 8.3 ISO’s AppStream repository:
Code Block | ||
---|---|---|
| ||
PATH_TO_LOCAL_MIRROR=/path/to/Appstream
PATH_TO_SOURCE_REPO=/mnt/AppStream
dnf reposync \
--download-metadata --downloadcomps \
--download-path "$PATH_TO_LOCAL_MIRROR" \
--repofrompath iso,"$PATH_TO_SOURCE_REPO" \
--repoid iso
# Useful EL8-only options: --remote-time --norepopath |
dnf reposync
should probably be the only kind of modular-capable mirroring that on-site tools like unpack_dvd should use.
DNF repoclosure
The ISO build process (really the tar build process) runs repoclosure to make sure the packages on the ISO will be self-contained.
Code Block |
---|
dnf repoclosure --repofrompath iso,"$PWD" --repo appstream --repo baseos |
Info |
---|
Judging by the bug report at https://bugzilla.redhat.com/show_bug.cgi?id=1547041, The current behavior only resolves module packages using default or enabled streams & profiles. |
Clean DNF install --downloadonly with all deps
Make sure you enable/disable the repos to match what you intend for resolution; --config is an option, too.
Code Block | ||
---|---|---|
| ||
DNF_DLONLY_TARGET_PACKAGE=httpd
DNF_DLONLY_INSTALL_ROOT=/root/fake-install-dir
DNF_DLONLY_PACKAGE_DIR=/root/downloadonly
dnf install --downloadonly \
--setopt=install_weak_deps=False \
--installroot="$DNF_DLONLY_INSTALL_ROOT" \
--downloaddir="$DNF_DLONLY_PACKAGE_DIR" \
--disablerepo=\* \
--enablerepo=baseos \
--enablerepo=appstream \
--releasever=8 \
"$DNF_DLONLY_TARGET_PACKAGE" |
Notes:
An an
--enablerepo=
for each repo to consider during resolution.Pointing to an empty
--installroot=
will causednf install --downloadonly
to download EVERY dependency, including the packages for the baseos.In this case,
--setopt=install_weak_deps=False
may be useful to ignore weak RPM dependencies and cut down on the download size.
Create initial repo with ursine modules
Code Block |
---|
mkdir -p $NEW_REPO_DIR/Packages/ursine
cp "${URSINE_PACKAGE_FILES[@]}" "$NEW_REPO_DIR/Packages/ursine/"
cd "$NEW_REPO_DIR"
createrepo_c . |
Create a modular repo from packages that already have a common module header
The approach of taking N:S:V:C:A from the RPM headers below is a.) incomplete and b.) cannot be relied upon to be accurate or present—theStatus colour Yellow title WARNING ModularityLabel
header can contain any String.
Use another means to obtain N:V:S:C:A data; preferably from the repo itself (the data is sourced from the source repository’sStatus colour Red title DO NOT PRODUCTIZE {XXXXX}-modules.yaml.gz
file)Code Block # Get the ModularityLabel from the RPMs ########################################################## #### UPDATE: DO NOT USE OR PRODUCTIZE THIS TECHNIQUE ##### ########################################################## # Notes: # - All RPMs in the module must have a SINGLE and IDENTICAL ModularityLabel # - The only thing required of this String is that it is unique to RPMs # from other modules (and different versions/contexts of this module) find "$DIR_WITH_RPMS" -name \*.rpm \ -exec rpm -qp {} --qf '%{ModularityLabel}\n' \; \ | sort -u ### WARNING: the ModularityLabel headers in RPMs build by EL and EPEL #### are (currently) in N:S:V:C format by convention, but in ##### reality this string is arbitrary and cannot be relied upon ##### to reflect the actual source module's metadata. ##### The actual NVSCA/P data can *ONLY* be obtained from the ##### original repo's metadata MODULE_HEADER=nodejs:10:8020020200707141642:6a468ee4
Documentation
https://sgallagh.wordpress.com/2019/08/14/sausage-factory-modules-fake-it-till-you-make-it/
Notes on building modules independently of Fedora’s hosted build system
https://pagure.io/modularity/issue/141
> * AGREED: Profiles cannot be removed during the lifetime of the stream in order to avoid breaking scripts. Options may exist for exceptional cases on an individual basis. (contyk, 15:41:06)
Modularity direction
In early 2020, modularity development moved from Fedora’s Modularity WG to RedHat’s internal DNF team. Fedora development and governance was very open and public, which made it relatively easy to hunt down clarifying information about otherwise obscure details in pagure or the WG’s meeting logs.
Since RedHat took over, it has become very difficult to find up-to-date documentation or discussions, even (especially?) in BZ.
Why Modularity? An explanation and list of links.
RHEL 9 and modularity (18 June 2020, Fedora devel@ mailing list)
Discussion with official RedHat rep, after taking modularity from Fedora and moving its development to an internal DNF team.
There’s also a side-discussion in the middle about the “inevitability” of moving the modular “namespacing” (N:S?) into RPM’s headers/tags (like
ModularityLabel
), where several of Fedora’s former modular WG members chime in with some educationalBonus: Stephen Gallagher on containers vs flatpak
Projects
More esoteric things that may come in handy in the future:
https://github.com/fedora-modularity/fus — 'This tool attempts to produce a viable "depsolved" collection of packages.
Unlike earlier tools of this type, it understands the concept of modules and module streams and can incorporate them into the dependency solving algorithm.'
See NOTES in README on limitations
https://github.com/fedora-modularity/depchase — “[a] simple script to lookup runtime (and/or buildtime) requirements of package(s).”