feat: Exclude kmods from Fedora 39 and future images

.github/workflows/build.yml

@@ -7,8 +7,6 @@ on:
   workflow_dispatch:
 env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
-  BASE_FLAVOR: nokmods
-  MAIN_FLAVOR: main
 
 jobs:
   push-ghcr:
@@ -31,6 +29,7 @@ jobs:
           - mate
           - vauxite
         major_version: [37, 38, 39]
+        build_target: [nokmods, kmods]
         include:
           - major_version: 37
             is_latest_version: false
@@ -55,6 +54,11 @@ jobs:
             major_version: 38
           - image_name: vauxite
             major_version: 39
+          # THE FOLLOWING EXCLUDE IS MESSY BUT TEMPORARY UNTIL F38 IS GONE
+          # see: https://github.com/ublue-os/main/issues/369
+          # Fedora 39+ images do not include custom kmods (legacy)
+          - build_target: kmods
+            major_version: 39
     steps:
       - name: Maximize build space
         uses: ublue-os/remove-unwanted-software@v6
@@ -64,14 +68,27 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Matrix Variables
+        shell: bash
         run: |
           if [[ "${{ matrix.image_name }}" == "lxqt" || "${{ matrix.image_name }}" == "mate" ]]; then
               echo "SOURCE_IMAGE=base" >> $GITHUB_ENV
           else
               echo "SOURCE_IMAGE=${{ matrix.image_name }}" >> $GITHUB_ENV
           fi
-          echo "BASE_IMAGE=${{ matrix.image_name }}-${{ env.BASE_FLAVOR }}" >> $GITHUB_ENV
-          echo "MAIN_IMAGE=${{ matrix.image_name }}-${{ env.MAIN_FLAVOR }}" >> $GITHUB_ENV
+          # THE FOLLOWING IS MESSY BUT TEMPORARY UNTIL F38 IS GONE
+          # see: https://github.com/ublue-os/main/issues/369
+          # Fedora 39+ images do not include custom kmods (legacy)
+          if [[ "${{ matrix.major_version}}" -ge "39" && "${{ matrix.build_target }}" == "nokmods" ]]; then
+              export IMAGE_FLAVOR=main
+          elif [[ "${{ matrix.major_version}}" -lt "39" && "${{ matrix.build_target }}" == "nokmods" ]]; then
+              export IMAGE_FLAVOR=nokmods
+          elif [[ "${{ matrix.major_version}}" -lt "39" && "${{ matrix.build_target }}" == "kmods" ]]; then
+              export IMAGE_FLAVOR=main
+          else
+              echo "ERROR: invalid workflow request - ${{ matrix.major_version }} - ${{ matrix.build_target }}"
+              exit 1
+          fi
+          echo "IMAGE_NAME=${{ matrix.image_name }}-${IMAGE_FLAVOR}" >> $GITHUB_ENV
 
       - name: Generate tags
         id: generate-tags
@@ -134,59 +151,28 @@ jobs:
           ver=$(skopeo inspect docker://quay.io/fedora-ostree-desktops/${{ env.SOURCE_IMAGE }}:${{ matrix.major_version }} | jq -r '.Labels["org.opencontainers.image.version"]')
           echo "VERSION=$ver" >> $GITHUB_OUTPUT
 
-      # Build metadata
-      - name: Base Image Metadata
-        uses: docker/metadata-action@v5
-        id: meta-base
-        with:
-          images: |
-            ${{ env.BASE_IMAGE }}
-          labels: |
-            org.opencontainers.image.title=${{ env.BASE_IMAGE }}
-            org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
-            org.opencontainers.image.description=A base Universal Blue ${{ matrix.image_name }} image with no extra kmod or kernel packages
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
-            io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
-
-      - name: Main Image Metadata
+      # Generate image metadata
+      - name: Image Metadata
         uses: docker/metadata-action@v5
         id: meta-main
         with:
           images: |
-            ${{ env.MAIN_IMAGE }}
+            ${{ env.IMAGE_NAME }}
           labels: |
-            org.opencontainers.image.title=${{ env.MAIN_IMAGE }}
+            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
             org.opencontainers.image.description=A base Universal Blue ${{ matrix.image_name }} image with batteries included
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
 
       # Build image using Buildah action
-      - name: Build Base Image
-        id: build_image-base
-        uses: redhat-actions/buildah-build@v2
-        with:
-          containerfiles: |
-            ./Containerfile
-          image: ${{ env.BASE_IMAGE }}
-          tags: |
-            ${{ steps.generate-tags.outputs.alias_tags }}
-          build-args: |
-            IMAGE_NAME=${{ matrix.image_name }}
-            SOURCE_IMAGE=${{ env.SOURCE_IMAGE }}
-            FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
-          labels: ${{ steps.meta-base.outputs.labels }}
-          oci: false
-          extra-args: |
-            --target=${{ env.BASE_FLAVOR }}
-
-      - name: Build Main Image
+      - name: Build Image
         id: build_image-main
         uses: redhat-actions/buildah-build@v2
         with:
           containerfiles: |
             ./Containerfile
-          image: ${{ env.MAIN_IMAGE }}
+          image: ${{ env.IMAGE_NAME }}
           tags: |
             ${{ steps.generate-tags.outputs.alias_tags }}
           build-args: |
@@ -196,7 +182,7 @@ jobs:
           labels: ${{ steps.meta-main.outputs.labels }}
           oci: false
           extra-args: |
-            --target=${{ env.MAIN_FLAVOR }}
+            --target=${{ matrix.build_target }}
 
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12

Containerfile

@@ -9,40 +9,45 @@ ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"
 
 COPY github-release-install.sh \
-     nokmods-install.sh \
-     nokmods-post-install.sh \
-     nokmods-packages.json \
+     install.sh \
+     post-install.sh \
+     packages.sh \
+     packages.json \
         /tmp/
 
 COPY --from=ghcr.io/ublue-os/config:latest /rpms /tmp/rpms
+COPY --from=ghcr.io/ublue-os/akmods:main-${FEDORA_MAJOR_VERSION} /rpms/ublue-os /tmp/rpms
 
 RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-$(rpm -E %fedora)/ublue-os-staging-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_ublue-os_staging.repo && \
     wget https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-$(rpm -E %fedora)/kylegospo-oversteer-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_kylegospo_oversteer.repo && \
-    /tmp/nokmods-install.sh && \
-    /tmp/nokmods-post-install.sh && \
+    /tmp/install.sh && \
+    /tmp/post-install.sh && \
     ## bootc 
     wget https://copr.fedorainfracloud.org/coprs/rhcontainerbot/bootc/repo/fedora-"${FEDORA_MAJOR_VERSION}"/bootc-"${FEDORA_MAJOR_VERSION}".repo -O /etc/yum.repos.d/bootc.repo && \
     rpm-ostree install bootc && \
     rm -f /etc/yum.repos.d/bootc.repo && \
     rm -f /etc/yum.repos.d/_copr_ublue-os_staging.repo && \
     rm -f /etc/yum.repos.d/_copr_kylegospo_oversteer.repo && \
-    rm -rf /tmp/* /var/*
-
-RUN ostree container commit && \
+    rm -rf /tmp/* /var/* && \
+    ostree container commit && \
     mkdir -p /var/tmp && chmod -R 1777 /var/tmp
 
-FROM nokmods AS main
+
+# !!! WARNING - KMODS IN MAIN IMAGES ARE DEPRECATED !!!
+
+# Only "legacy" (Fedora 38 and older) have custom kmods included in the "main" images.
+FROM nokmods AS kmods
 
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"
 
-COPY main-install.sh /tmp/main-install.sh
-COPY main-sys_files /
+COPY kmods-install.sh /tmp/kmods-install.sh
+COPY kmods-sys_files /tmp/kmods-files
 
 COPY --from=ghcr.io/ublue-os/akmods:main-${FEDORA_MAJOR_VERSION} /rpms /tmp/akmods-rpms
 
-RUN /tmp/main-install.sh && \
-    rm -rf /tmp/* /var/*
-
-RUN ostree container commit && \
+# kmods-install.sh will error if running in Fedora 39 or newer.
+RUN /tmp/kmods-install.sh && \
+    rm -rf /tmp/* /var/* && \
+    ostree container commit && \
     mkdir -p /var/tmp && chmod -R 1777 /var/tmp

install.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -ouex pipefail
+
+RELEASE="$(rpm -E %fedora)"
+
+wget -P /tmp/rpms \
+    https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm \
+    https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm
+
+rpm-ostree install \
+    /tmp/rpms/*.rpm \
+    fedora-repos-archive
+
+# force use of single rpmfusion mirror
+sed -i.bak 's%^metalink=%#metalink=%' /etc/yum.repos.d/rpmfusion-*.repo
+sed -i 's%^#baseurl=http://download1.rpmfusion.org%baseurl=http://mirrors.ocf.berkeley.edu/rpmfusion%' /etc/yum.repos.d/rpmfusion-*.repo
+# after F39 launches, bump to 40
+if [[ "${FEDORA_MAJOR_VERSION}" -ge 39 ]]; then
+    sed -i 's%free/fedora/releases%free/fedora/development%' /etc/yum.repos.d/rpmfusion-*.repo
+fi
+
+# run common packages script
+/tmp/packages.sh
+
+## install packages direct from github
+/tmp/github-release-install.sh sigstore/cosign x86_64
+
+# reset forced use of single rpmfusion mirror
+rename -v .repo.bak .repo /etc/yum.repos.d/rpmfusion-*repo.bak

main-install.sh → kmods-install.sh

@@ -2,7 +2,22 @@
 
 set -ouex pipefail
 
-rpm-ostree install /tmp/akmods-rpms/ublue-os/ublue-os-akmods-addons*.rpm
+# !!! WARNING - KMODS IN MAIN IMAGES ARE DEPRECATED !!!
+
+echo "DEPRECATED: Universal Blue will not include kmods in *-main images for Fedora 39 and newer."
+
+# Only run if FEDORA_MAJOR_VERSION is less than 39
+if [[ ${FEDORA_MAJOR_VERSION} -gt 38 ]]; then \
+    exit 1
+fi
+
+# proceed with rest of script without further version checks
+
+
+# copy kmods related files into image filesystem
+cp -rf /tmp/kmods-files/* /
+
+
 for REPO in $(rpm -ql ublue-os-akmods-addons|grep ^"/etc"|grep repo$); do
     echo "akmods: enable default entry: ${REPO}"
     sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}
@@ -16,18 +31,14 @@ if [[ "${FEDORA_MAJOR_VERSION}" -ge 39 ]]; then
     sed -i 's%free/fedora/releases%free/fedora/development%' /etc/yum.repos.d/rpmfusion-*.repo
 fi
 
-# Only run if FEDORA_MAJOR_VERSION is not 39
-if grep -qv "39" <<< $FEDORA_MAJOR_VERSION; then
-    rpm-ostree install \
-        kernel-devel-matched \
-        kernel-tools \
-        /tmp/akmods-rpms/kmods/*xpadneo*.rpm \
-        /tmp/akmods-rpms/kmods/*xpad-noone*.rpm \
-        /tmp/akmods-rpms/kmods/*xone*.rpm \
-        /tmp/akmods-rpms/kmods/*openrazer*.rpm \
-        /tmp/akmods-rpms/kmods/*v4l2loopback*.rpm \
-        /tmp/akmods-rpms/kmods/*wl*.rpm
-fi
+rpm-ostree install \
+    kernel-devel-matched \
+    /tmp/akmods-rpms/kmods/*xpadneo*.rpm \
+    /tmp/akmods-rpms/kmods/*xpad-noone*.rpm \
+    /tmp/akmods-rpms/kmods/*xone*.rpm \
+    /tmp/akmods-rpms/kmods/*openrazer*.rpm \
+    /tmp/akmods-rpms/kmods/*v4l2loopback*.rpm \
+    /tmp/akmods-rpms/kmods/*wl*.rpm
 
 for REPO in $(rpm -ql ublue-os-akmods-addons|grep ^"/etc"|grep repo$); do
     echo "akmods: disable per defaults: ${REPO}"

nokmods-packages.json → packages.json

@@ -16,6 +16,7 @@
                 "htop",
                 "intel-media-driver",
                 "just",
+                "kernel-tools",
                 "libheif-tools",
                 "libratbag-ratbagd",
                 "libva-intel-driver",

nokmods-install.sh → packages.sh

@@ -4,42 +4,28 @@ set -ouex pipefail
 
 RELEASE="$(rpm -E %fedora)"
 
+# build list of all packages requested for inclusion
 INCLUDED_PACKAGES=($(jq -r "[(.all.include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
                              (select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
-                             | sort | unique[]" /tmp/nokmods-packages.json))
+                             | sort | unique[]" /tmp/packages.json))
+
+# build list of all packages requested for exclusion
 EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
                              (select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
-                             | sort | unique[]" /tmp/nokmods-packages.json))
+                             | sort | unique[]" /tmp/packages.json))
 
 
+# ensure exclusion list only contains packages already present on image
 if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
     EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
 fi
 
-wget -P /tmp/rpms \
-    https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm \
-    https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm
-
-rpm-ostree install \
-    /tmp/rpms/*.rpm \
-    fedora-repos-archive
-
-# force use of single rpmfusion mirror
-sed -i.bak 's%^metalink=%#metalink=%' /etc/yum.repos.d/rpmfusion-*.repo
-sed -i 's%^#baseurl=http://download1.rpmfusion.org%baseurl=http://mirrors.ocf.berkeley.edu/rpmfusion%' /etc/yum.repos.d/rpmfusion-*.repo
-# after F39 launches, bump to 40
-if [[ "${FEDORA_MAJOR_VERSION}" -ge 39 ]]; then
-    sed -i 's%free/fedora/releases%free/fedora/development%' /etc/yum.repos.d/rpmfusion-*.repo
-fi
-
+# simple case to install where no packages need excluding
 if [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -eq 0 ]]; then
     rpm-ostree install \
         ${INCLUDED_PACKAGES[@]}
 
-elif [[ "${#INCLUDED_PACKAGES[@]}" -eq 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
-    rpm-ostree override remove \
-        ${EXCLUDED_PACKAGES[@]}
-
+# install/excluded packages both at same time
 elif [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
     rpm-ostree override remove \
         ${EXCLUDED_PACKAGES[@]} \
@@ -50,8 +36,18 @@ else
 
 fi
 
-## install packages direct from github
-/tmp/github-release-install.sh sigstore/cosign x86_64
+# check if any excluded packages are still present
+# (this can happen if an included package pulls in a dependency)
+EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
+                             (select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
+                             | sort | unique[]" /tmp/packages.json))
+
+if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
+    EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
+fi
 
-# reset forced use of single rpmfusion mirror
-rename -v .repo.bak .repo /etc/yum.repos.d/rpmfusion-*repo.bak
+# remove any excluded packages which are still present on image
+if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
+    rpm-ostree override remove \
+        ${EXCLUDED_PACKAGES[@]}
+fi