Prototype of a host build in a Dockerfile

Dockerfile

@@ -0,0 +1,19 @@
+FROM centos:7 AS base
+
+COPY ostree-master.repo /etc/yum.repos.d/
+COPY . /srv/tree/
+
+RUN yum install -y rpm-ostree
+
+RUN cd /srv/tree/ && mkdir build-repo && \
+    ostree --repo=build-repo init --mode=bare-user && \
+    mkdir repo && \
+    ostree --repo=repo init --mode=archive-z2
+
+FROM base
+
+RUN cd /srv/tree && \
+    rpm-ostree compose tree --repo=/srv/tree/build-repo host.json && \
+    ostree --repo=repo pull-local build-repo openshift/7/x86_64/standard && \
+    ostree --repo=repo summary -u && \
+    rm -rf build-repo

Makefile

@@ -0,0 +1,3 @@
+refresh:
+	curl -q "https://storage.googleapis.com/origin-ci-test/releases/openshift/origin/master/origin.repo" 2>/dev/null >openshift.repo
+.PHONY: refresh

README.md

@@ -0,0 +1,43 @@
+# Example for bootstrapping
+
+Locally:
+
+```
+$ docker build .
+$ docker push SOME_IMAGE
+```
+
+Turn a CentOS Atomic AWS AMI booted machine into this OS:
+
+1. Launch an AMI for CentOS 7 (ami-a06447da) with at least 20GB disk (10GB is too small for now)
+2. Resize the disk:
+
+```
+$ lvextend -l +25%FREE atomicos/root
+$ xfs_growfs /
+```
+
+3. SSH to the machine and run:
+
+```
+$ docker run --network host -d -w /srv/tree/repo registry.svc.ci.openshift.org/ci/os:test python -m SimpleHTTPServer 8080
+$ ostree remote add --no-gpg-verify local http://localhost:8080 openshift/7/x86_64/standard
+$ rpm-ostree rebase -r local:openshift/7/x86_64/standard
+
+# wait, SSH back in
+$ openshift version
+```
+
+Within a Kubernetes cluster, serve this content to nodes for upgrades:
+
+```
+$ kubectl run os-content --image=registry.svc.ci.openshift.org/ci/os:test --command -- python -m HttpServer 8080
+$ kubectl expose os-content --port 8080
+
+$ ssh root@NODE_HOST
+$ ostree remote add --no-gpg-verify local http://os-content.namespace.svc:8080 openshift/7/x86_64/standard
+$ rpm-ostree rebase -r local:openshift/7/x86_64/standard
+
+# wait, SSH back in
+$ openshift version
+```

centos.repo

@@ -0,0 +1,60 @@
+
+[CentOS-Base]
+name=CentOS-Base
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=$basearch&repo=os&infra=$infra
+#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+exclude=cloud-utils-growpart
+
+[CentOS-extras]
+name=CentOS-$releasever - Extras
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=$basearch&repo=extras&infra=$infra
+#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+exclude=cloud-utils-growpart
+
+#released updates 
+[CentOS-updates]
+name=CentOS-releasever - Updates
+mirrorlist=http://mirrorlist.centos.org/?release=7&arch=$basearch&repo=updates&infra=$infra
+#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+exclude=cloud-utils-growpart
+
+# CentOS-CR.repo
+#
+# The Continuous Release ( CR )  repository contains rpms that are due in the next
+# release for a specific CentOS Version ( eg. next release in CentOS-7 ); these rpms
+# are far less tested, with no integration checking or update path testing having
+# taken place. They are still built from the upstream sources, but might not map 
+# to an exact upstream distro release.
+#
+# These packages are made available soon after they are built, for people willing 
+# to test their environments, provide feedback on content for the next release, and
+# for people looking for early-access to next release content.
+#
+# The CR repo is shipped in a disabled state by default; its important that users 
+# understand the implications of turning this on. 
+#
+# NOTE: We do not use a mirrorlist for the CR repos, to ensure content is available
+#       to everyone as soon as possible, and not need to wait for the external
+#       mirror network to seed first. However, many local mirrors will carry CR repos
+#       and if desired you can use one of these local mirrors by editing the baseurl
+#       line in the repo config below.
+#
+
+[CentOS-CR]
+name=CentOS-7 - cr
+baseurl=http://mirror.centos.org/centos/7/cr/$basearch/
+gpgcheck=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+enabled=0
+
+[rhel-atomic-rebuild]
+name=rhel-atomic-rebuild
+baseurl=http://mirror.centos.org/centos/7/atomic/x86_64/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

compose-post.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -e
+
+# The loops below are too spammy otherwise...
+set +x
+
+# Persistent journal by default, because Atomic doesn't have syslog
+echo 'Storage=persistent' >> /etc/systemd/journald.conf
+
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816
+# and: https://bugzilla.redhat.com/show_bug.cgi?id=1186757
+# Keep this in sync with the `install-langs` in the treefile JSON
+KEEPLANGS="
+en_US
+"
+
+# Filter out locales from glibc which aren't UTF-8 and in the above set.
+# TODO: https://github.com/projectatomic/rpm-ostree/issues/526
+localedef --list-archive | while read locale; do
+    lang=${locale%%.*}
+    lang=${lang%%@*}
+    if [[ $locale != *.utf8 ]] || ! grep -q "$lang" <<< "$KEEPLANGS"; then
+        localedef --delete-from-archive "$locale"
+    fi
+done
+
+set -x
+
+cp -f /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
+build-locale-archive

group

@@ -0,0 +1,43 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:30:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+utmp:x:22:
+utempter:x:35:
+ssh_keys:x:999:
+systemd-journal:x:190:
+dbus:x:81:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+tss:x:59:
+avahi-autoipd:x:170:
+rpc:x:32:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+sshd:x:74:
+chrony:x:992:

host.json

@@ -0,0 +1,138 @@
+{
+    "comment": "CentOS OpenShift Host",
+    "osname": "centos-openshift-host",
+    "ref": "openshift/7/x86_64/standard",
+    "repos": [
+        "CentOS-Base",
+        "CentOS-updates",
+        "CentOS-extras",
+        "rhel-atomic-rebuild",
+        "CentOS-CR",
+        "origin-repo"
+    ],
+    "selinux": true,
+    "install-langs-comment": "Keep this in sync with compose-post.sh",
+    "install-langs": [
+        "en_US"
+    ],
+    "documentation": false,
+    "initramfs-args": [
+        "--no-hostonly",
+        "--add",
+        "iscsi"
+    ],
+    "automatic_version_prefix": "7.1803",
+    "mutate-os-release": "7",
+    "postprocess-script": "compose-post.sh",
+    "etc-group-members": [
+        "wheel",
+        "docker"
+    ],
+    "ignore-removed-users": [
+        "root"
+    ],
+    "ignore-removed-groups": [
+        "root"
+    ],
+    "check-passwd": {
+        "type": "file",
+        "filename": "passwd"
+    },
+    "check-groups": {
+        "type": "file",
+        "filename": "group"
+    },
+    "packages": [
+        "filesystem",
+        "glibc",
+        "nss-altfiles",
+        "shadow-utils",
+        "centos-release-atomic",
+        "atomic",
+        "runc",
+        "systemd",
+        "kernel",
+        "microcode_ctl",
+        "rpm-ostree-client",
+        "dracut-network",
+        "biosdevname",
+        "coreutils",
+        "lvm2",
+        "grub2",
+        "grub2-efi",
+        "ostree-grub2",
+        "efibootmgr",
+        "shim",
+        "e2fsprogs",
+        "xfsprogs",
+        "mdadm",
+        "docker",
+        "selinux-policy-targeted",
+        "sssd",
+        "cloud-init",
+        "cloud-utils-growpart",
+        "tar",
+        "xz",
+        "gzip",
+        "bzip2",
+        "less",
+        "kexec-tools",
+        "iscsi-initiator-utils",
+        "bridge-utils",
+        "nfs-utils",
+        "subscription-manager",
+        "subscription-manager-plugin-ostree",
+        "subscription-manager-plugin-container",
+        "openssh-server",
+        "openssh-clients",
+        "chrony",
+        "logrotate",
+        "passwd",
+        "iptables-services",
+        "NetworkManager",
+        "vim-minimal",
+        "nano",
+        "sudo",
+        "tuned",
+        "tuned-profiles-atomic",
+        "cryptsetup",
+        "irqbalance",
+        "bash-completion",
+        "rsync",
+        "tmux",
+        "net-tools",
+        "nmap-ncat",
+        "bind-utils",
+        "authconfig",
+        "policycoreutils-python",
+        "setools-console",
+        "atomic-devmode",
+        "docker-lvm-plugin",
+        "docker-novolume-plugin",
+        "ceph-common",
+        "device-mapper-multipath",
+        "sg3_utils",
+        "glusterfs-fuse",
+        "gomtree",
+        "cronie",
+        "dnsmasq",
+        "oci-umount",
+        "origin-node"
+    ],
+    "remove-from-packages": [
+        [
+            "yum",
+            "/usr/bin/.*"
+        ],
+        [
+            "filesystem",
+            "/usr/share/backgrounds"
+        ]
+    ],
+    "units": [
+        "docker.service",
+        "tuned.service",
+        "docker-storage-setup.service"
+    ],
+    "default_target": "multi-user.target"
+}

openshift.repo

@@ -0,0 +1,5 @@
+[origin-repo]
+name=Origin RPMs
+baseurl=https://storage.googleapis.com/origin-ci-test/logs/test_branch_origin_extended_conformance_azure/64/artifacts/rpms
+enabled=1
+gpgcheck=0

ostree-master.repo

@@ -0,0 +1,5 @@
+[ostree-master]
+name=CentOS OSTree bleeding edge
+baseurl=https://ci.centos.org/artifacts/sig-atomic/centos-continuous/rdgo/build/
+enabled=1
+gpgcheck=0

passwd

@@ -0,0 +1,26 @@
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/sbin/nologin
+tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+sssd:x:995:993:User for sssd:/:/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
+kube:x:996:994:Kubernetes user:/:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/sbin/nologin