Bump Fedora to release 35beta

* Drop kube version lookup + CRI-O download, these are no-longer
  necessary.  See containers/conmon#299
* Add mlocate-updatedb.timer service to the naughty-list of services
  to disable (they could randomly interfere with testing)
* Cleanup a few misc. problems found when running shellcheck from
  pre-commit hook.
* Only run systemd_banish when building a VM + run it a second time
  during finalization to take care of any evil services pulled in
  by package dep. solving.
* Since it's not actually used anywhere, remove the custom cloud-init
  config. which prevents auto-expansion of the root filesystem on
  Fedora.
* Switch to sourcing the Ubuntu image based on "Family" name.  This
  will ease maintenance by always grabbing the latest build available.
* Fix update of google-startup-scripts service SELinux label
  unintentionally matching comment-text containing 'Type=oneshot'
  string.
* Enabled stronger temporary key for Ubuntu (already enabled for Fedora)
* Enabled clearing of temporary ssh keys to improve security.

Signed-off-by: Chris Evich <[email protected]>

base_images/fedora_base-setup.sh

@@ -16,6 +16,19 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 
+# TODO: Workaround for broken/missing mirrors during beta
+if ((OS_RELEASE_VER==35)); then
+    for filepath in /etc/yum.repos.d/fedora*.repo; do
+        echo "Warning: Patching $filepath for F35 beta"
+        sed -i -r \
+            -e 's/^#(baseurl=.+)/\1/' \
+            -e 's/^(metalink=.+)/#\1/' \
+            -e 's/download.example/dl.fedoraproject.org/' \
+            -e 's/linux\/releases/linux\/development/' \
+            $filepath
+    done
+fi
+
 # When installing during a container-build, installing anything
 # selinux-related will seriously screw up the rest of your day
 # with rpm debugging.
@@ -24,7 +37,9 @@ declare -a PKGS
 PKGS=(rng-tools git coreutils)
 XSELINUX=
 if ((CONTAINER)); then
-    XSELINUX="--exclude=selinux*"
+    if ((OS_RELEASE_VER<35)); then
+        XSELINUX="--exclude=selinux*"
+    fi
 else
     PKGS+=(google-compute-engine-tools google-compute-engine-oslogin)
 fi
@@ -54,7 +69,7 @@ if ! ((CONTAINER)); then
     METADATA_SERVICE_CTX=unconfined_u:unconfined_r:unconfined_t:s0
     METADATA_SERVICE_PATH=systemd/system/google-startup-scripts.service
     sed -r -e \
-        "s/Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
+        "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
         /lib/$METADATA_SERVICE_PATH > /etc/$METADATA_SERVICE_PATH
 fi
 

base_images/gce.yml

@@ -21,18 +21,17 @@ variables:  # Empty value means it must be passed in on command-line
     # to build from - just as the sources below are the base-images to
     # start from building VM images.
 
-    # Upstream source for Ubuntu image duplication (prevents expiration)
-    # Look these up in the console by searching images for
-    # "Created by: Canonical"
-    UBUNTU_BASE_IMAGE: 'ubuntu-2104-hirsute-v20210511a'
+    # Upstream source for Ubuntu image to duplicate (prevents expiration).
+    # Use the most recent image based on this family name.
+    UBUNTU_BASE_FAMILY: 'ubuntu-2104'
 
     # Latest Fedora release download URL
-    FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2"
-    FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-34-1.2-x86_64-CHECKSUM"
+    FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/development/35/Cloud/x86_64/images/Fedora-Cloud-Base-35-20210930.n.0.x86_64.qcow2"
+    FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/development/35/Cloud/x86_64/images/Fedora-Cloud-35-x86_64-20210930.n.0-CHECKSUM"
 
     # Prior Fedora release
-    PRIOR_FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
-    PRIOR_FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-33-1.2-x86_64-CHECKSUM"
+    PRIOR_FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2"
+    PRIOR_FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-34-1.2-x86_64-CHECKSUM"
 
 
 # Don't leak sensitive values in error messages / output
@@ -86,13 +85,12 @@ builders:
       iso_url: '{{user `PRIOR_FEDORA_IMAGE_URL`}}'
       iso_checksum: 'file:{{user `PRIOR_FEDORA_CSUM_URL`}}'
 
-    - &imgcopy
-      name: 'ubuntu'
+    - name: 'ubuntu'
       type: 'googlecompute'
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image name
       image_name: 'ubuntu-b{{user `IMG_SFX`}}'
       image_family: '{{build_name}}-base'
-      source_image: '{{user `UBUNTU_BASE_IMAGE`}}'
+      source_image_family: '{{user `UBUNTU_BASE_FAMILY`}}'
       source_image_project_id: 'ubuntu-os-cloud'
       project_id: '{{user `GCP_PROJECT_ID`}}'
       # Can't use env. var for this, googlecompute-import only supports filepath
@@ -105,6 +103,8 @@ builders:
         src: '{{user `UBUNTU_BASE_IMAGE`}}'
       # Gotcha: https://www.packer.io/docs/builders/googlecompute#gotchas
       ssh_username: 'packer'
+      temporary_key_pair_type: ed25519
+      ssh_clear_authorized_keys: true
 
 provisioners:  # Ubuntu images come bundled with GCE integrations provisioned
     - type: 'shell'

cache_images/fedora_packaging.sh

@@ -153,7 +153,8 @@ INSTALL_PACKAGES=(\
 case "$OS_RELEASE_VER" in
     32) INSTALL_PACKAGES+=( python3-pytoml ) ;;
     33) ;&
-    34) INSTALL_PACKAGES+=( perl-FindBin python-toml ) ;;
+    34) ;&
+    35) INSTALL_PACKAGES+=( perl-FindBin python-toml ) ;;
     *) die "Unknown/Unsupported \$OS_REL_VER '$OS_REL_VER'" ;;
 esac
 
@@ -167,20 +168,19 @@ if ! ((CONTAINER)); then
         policycoreutils
     )
 else
-    EXARG="--exclude=selinux*"
+    if [[ "$OS_RELEASE_VER" -lt 35 ]]; then
+        EXARG="--exclude=selinux*"
+    fi
 fi
 
 
 # Download these package files, but don't install them; Any tests
 # wishing to, may install them using their native tools at runtime.
 DOWNLOAD_PACKAGES=(\
-    "cri-o-$(get_kubernetes_version)*"
-    cri-tools
-    "kubernetes-$(get_kubernetes_version)*"
     oci-umount
     parallel
     podman-docker
-    python3-pytest4
+    python3-pytest
     python3-virtualenv
 )
 
@@ -189,8 +189,6 @@ bigto $SUDO dnf install -y $EXARG "${INSTALL_PACKAGES[@]}"
 
 if [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then
     echo "Downloading packages for optional installation at runtime, as needed."
-    # Required for cri-o
-    ooe.sh $SUDO dnf -y module enable cri-o:$(get_kubernetes_version)
     $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR"
     cd "$PACKAGE_DOWNLOAD_DIR"
     lilto ooe.sh $SUDO dnf install -y 'dnf-command(download)'

cache_images/fedora_setup.sh

@@ -9,8 +9,10 @@ SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
 REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 
-# Run as quickly as possible after boot
-/bin/bash $REPO_DIRPATH/systemd_banish.sh
+if ! ((CONTAINER)); then
+    # Run as quickly as possible after boot
+    /bin/bash $REPO_DIRPATH/systemd_banish.sh
+fi
 
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"

cache_images/gce.yml

@@ -38,6 +38,7 @@ builders:
       ssh_username: packer  # arbitrary, packer will create & setup w/ temp. keypair
       ssh_pty: 'true'
       temporary_key_pair_type: ed25519
+      ssh_clear_authorized_keys: true
       # Permit running nested VM's to support specialized testing
       image_licenses: ["projects/vm-options/global/licenses/enable-vmx"]
 

get_ci_vm/bad_repo_test/hack/get_ci_vm.sh

@@ -52,9 +52,6 @@ cleanup() {
     set +e
     wait
 
-    # set GCLOUD_DEBUG to leave tmpdir behind for postmortem
-    test -z "$GCLOUD_DEBUG" && rm -rf $TMPDIR
-
     # Not always called from an exit handler, but should always exit when called
     exit $RET
 }
@@ -116,7 +113,6 @@ parse_args(){
         show_usage "No image-name specified."
     fi
 
-    ENVS="$ENVS SPECIALMODE=\"$SPECIALMODE\""
     SETUP_CMD="env $ENVS $GOSRC/contrib/cirrus/setup.sh"
     VMNAME="${VMNAME:-${USER}-${IMAGE_NAME}}"
     CREATE_CMD="$PGCLOUD compute instances create --zone=$ZONE --image-project=libpod-218412 --image=${IMAGE_NAME} --custom-cpu=$CPUS --custom-memory=$MEMORY --boot-disk-size=$DISK --labels=in-use-by=$USER $VMNAME"

lib.sh

@@ -95,20 +95,6 @@ set_gac_filepath(){
     unset GAC_JSON;
 }
 
-get_kubernetes_version() {
-    local KUBERNETES_VERSION
-    case "$OS_REL_VER" in
-        fedora-32)
-            KUBERNETES_VERSION="1.15" ;;
-        fedora-33)
-            KUBERNETES_VERSION="1.18" ;;
-        fedora-34)
-            KUBERNETES_VERSION="1.20" ;;
-        *) die "Unknown/Unsupported \$OS_REL_VER '$OS_REL_VER'"
-    esac
-    echo "$KUBERNETES_VERSION"
-}
-
 # Warning: DO NOT USE the following functions willy-nilly!
 # They are only intended to be called by other setup scripts, as the very
 # last step during the build process.  They're purpose is to "reset" the
@@ -166,6 +152,10 @@ common_finalize() {
     echo -n "" | $SUDO tee /etc/machine-id
     $SUDO sync
     if ! ((CONTAINER)); then
+        # Be sure we got everything - dep. resolving may have pulled in more
+        /bin/bash $(dirname ${BASH_SOURCE[0]})/systemd_banish.sh
+
+        # This helps when google goes to compress the image
         $SUDO fstrim -av
     fi
 }

podman/fedora_release

@@ -1 +1 @@
-34
+35

podman/prior-fedora_release

@@ -1 +1 @@
-33
+34

skopeo_cidev/setup.sh

@@ -61,7 +61,7 @@ cd "$REG_GOSRC"
 git clone --depth 1 -b "$OSO_TAG" "$OSO_REPO" "$OSO_GOSRC"
 cd "$OSO_GOSRC"
 
-# Edit out a "go < 1.5" check which works incorrectly with go ≥ 1.10.
+# Edit out a "go < 1.5" check which works incorrectly with go >= 1.10.
 sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' ./hack/common.sh
 
 # Fix a bug in 'options' line processing of resolv.conf when an option is

systemd_banish.sh

@@ -11,7 +11,7 @@ SUDO=""
 [[ "$UID" -eq 0 ]] || \
     SUDO="sudo"
 
-EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download"
+EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download mlocate-updatedb"
 
 if [[ "$1" == "--list" ]]
 then