Rocky Linux Containerfile refactor

.github/workflows/container-publish.yml

@@ -91,6 +91,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Make Containerfiles
+        run: |
+          make -C rockylinux-8
+          make -C rockylinux-9
+
       # Install the cosign tool
       # https://github.com/sigstore/cosign-installer
       - name: Install Cosign

README.md

@@ -1,7 +1,34 @@
 # Warewulf node images
 
-Example node images for use with Warewulf 4.
+Example node container images for use with Warewulf v4.
 
 https://warewulf.org
 
-Node images are published on Docker Hub at https://hub.docker.com/u/warewulf.
+## Built examples
+
+These containers are published on the [GitHub container registry][1].
+
+[1]: https://github.com/orgs/hpcng/packages?repo_name=warewulf-node-images
+
+* [Rocky Linux 8](rockylinux-8)
+* [Rocky Linux 9](rockylinux-9)
+* [openSUSE Leap](leap)
+
+## Additional examples
+
+Additional container definitions that are not actively built and published, but
+may still be useful.
+
+* [Rocky Linux 9 with SELinux][examples/rockylinux-9-selinux]
+
+You can build any of these (or the other container definitions) locally for
+import into Warewulf v4.
+
+```shell
+
+podman build examples/rockylinux-9-selinux \
+  --file examples/rockylinux-9-selinux/Containerfile \
+  --tag warewulf-rockylinux-selinux:9
+podman save warewulf-rockylinux-selinux:9 --output warewulf-rockylinux-selinux-9.tar
+wwctl container import warewulf-rockylinux-selinux-9.tar rockylinux-selinux-9
+```

examples/rockylinux-9-selinux/Containerfile

@@ -0,0 +1,16 @@
+FROM ghcr.io/hpcng/warewulf-rockylinux:9
+
+RUN dnf -y install \
+      policycoreutils-python-utils \
+      selinux-policy-targeted
+
+# For SELinux enabled nodes:
+#   The wwclient service fails to start on boot if an appropriate SELinux file
+#   context label is not set for /warewulf/wwclient.
+#
+#   NOTE: THE FOLLOWING EXITS NONZERO WITH libsemanage VERSIONS IN EL9
+#         PRIOR TO 3.3.3 SO WE FORCE A CLEAN EXIT CODE
+#
+#         See: https://github.com/SELinuxProject/selinux/issues/343
+#
+RUN semanage fcontext -N -a -t bin_t /warewulf/wwclient || true

examples/rockylinux-9-selinux/README.md

@@ -0,0 +1,16 @@
+# Rocky Linux 9 with SELinux
+
+Warewulf can be used to boot an selinux-equipped node. This example installs
+required packages and configures SELinux policy for the `wwclient` binary
+(which communicates with the Warewulf server and receives runtime overlays).
+
+```
+podman build . --tag rockylinux-selinux:9
+```
+
+Booting a node image with selinux enabled requires (at least up to Warewulf
+v4.4.1) setting `--root=tmpfs` on the relevant node and setting
+`rootfstype=ramfs` as a kernel argument. For more information on these
+settings, look at [wwinit/init][1].
+
+[1]: https://github.com/hpcng/warewulf/blob/main/overlays/wwinit/init

rockylinux-8/.gitignore

@@ -0,0 +1 @@
+Containerfile-8.*

rockylinux-8/Containerfile

@@ -14,7 +14,7 @@ RUN dnf update -y \
       kernel-core \
       kernel-modules \
       net-tools \
-      network-scripts \
+      NetworkManager \
       nfs-utils \
       openssh-clients \
       openssh-server \
@@ -28,10 +28,13 @@ RUN dnf update -y \
       words \
     && dnf clean all
 
-RUN rm -f /etc/sysconfig/network-scripts/ifcfg-e* \
-    && systemctl unmask console-getty.service dev-hugepages.mount getty.target sys-fs-fuse-connections.mount systemd-logind.service systemd-remount-fs.service \
-    && systemctl enable network \
-    && touch /etc/sysconfig/disable-deprecation-warnings
+RUN systemctl unmask \
+      console-getty.service \
+      dev-hugepages.mount \
+      getty.target \
+      sys-fs-fuse-connections.mount \
+      systemd-logind.service \
+      systemd-remount-fs.service
 
 COPY excludes /etc/warewulf/
 COPY container_exit.sh /etc/warewulf/

rockylinux-9/Containerfile-9.1 → rockylinux-8/Containerfile-fixed

@@ -1,10 +1,8 @@
-FROM docker.io/library/rockylinux:9.1
+FROM docker.io/library/rockylinux:${releasever}
 
-RUN rm -f /etc/yum.repos.d/*.repo \
+RUN echo "${releasever}" >/etc/dnf/vars/releasever \
     && dnf clean all
 
-COPY yum.repos.d-9.1/*.repo /etc/yum.repos.d
-
 RUN dnf update -y \
     && dnf install -y --allowerasing \
       coreutils \
@@ -18,35 +16,28 @@ RUN dnf update -y \
       iproute \
       kernel-core \
       kernel-modules \
-      ncurses \
       net-tools \
       NetworkManager \
       nfs-utils \
       openssh-clients \
       openssh-server \
       pciutils \
-      policycoreutils-python-utils \
       psmisc \
       rsync \
       rsyslog \
       strace \
-      selinux-policy-targeted \
       wget \
       which \
       words \
-      rdma-core \
     && dnf clean all
 
-RUN touch /etc/sysconfig/disable-deprecation-warnings
-
-# For SELinux enabled nodes:
-#   The wwclient service fails to start on boot if appropriate SELinux file
-#   context label is not set for /warewulf/wwclient.
-#   Permanently assign bin_t fcontent label for wwclient binary that is
-#   deployed by wwinit overlay because warewulf runs `restorecon -R /` on node
-#   boot, clobbering any existing labels set in the overlay itself.
-#
-RUN semanage fcontext -N -a -t bin_t /warewulf/wwclient
+RUN systemctl unmask \
+      console-getty.service \
+      dev-hugepages.mount \
+      getty.target \
+      sys-fs-fuse-connections.mount \
+      systemd-logind.service \
+      systemd-remount-fs.service
 
 COPY excludes /etc/warewulf/
 COPY container_exit.sh /etc/warewulf/