Image refresh for centos-9-stream #8975
/image-refresh centos-9-stream
Task scheduled: issue-8975 image-refresh/centos-9-stream
Testing Farm link: https://artifacts.osci.redhat.com/testing-farm/ad5d7229-7ee1-4ded-a4d1-81c051eca1f2
Job JSON:
{
  "repo": "cockpit-project/bots",
  "sha": "823644ce0fec4f7c1b121023bff05e5d5964ef80",
  "pull": null,
  "slug": "image-refresh-centos-9-stream-823644ce-20260429-232812",
  "context": "image-refresh/centos-9-stream",
  "command": [
    "./image-refresh",
    "--verbose",
    "--issue=8975",
    "centos-9-stream"
  ],
  "secrets": [
    "github-token",
    "image-upload"
  ]
}
image-refresh centos-9-stream done: https://github.com/cockpit-project/bots/commits/image-refresh-centos-9-stream-20260429-235833
8e673b5 to c732e5b
Eternal issue of: @allisonkarlitskaya I recall you had ideas here?
We get an error sometimes when updating our centos-9-stream image: it gets a newer version of selinux-policy than our centos-9-bootc image, which is a problem because we can't have a newer version for building than we'll end up running with and centos-9-stream builds for the centos-9-bootc image. On Fedora we deal with this by pinning back to the version of selinux-policy from the original release repository (i.e. not -updates). We can't do that on CentOS, but we can similarly arbitrarily pick an "old enough" version and just hardcode that.
/image-refresh centos-9-stream
Task scheduled: issue-8975 image-refresh/centos-9-stream
Testing Farm link: https://artifacts.osci.redhat.com/testing-farm/a297bf24-80f1-4818-8b40-c9cd9d86acec
Job JSON:
{
  "repo": "cockpit-project/bots",
  "sha": "cc3ea2d220c101875ec2b444f31dfafa64d35f94",
  "pull": 8975,
  "slug": "image-refresh-centos-9-stream-cc3ea2d2-20260506-084905",
  "context": "image-refresh/centos-9-stream",
  "command": [
    "./image-refresh",
    "--verbose",
    "--issue=8975",
    "centos-9-stream"
  ],
  "secrets": [
    "github-token",
    "image-upload"
  ]
}
image-refresh centos-9-stream done: https://github.com/cockpit-project/bots/commits/image-refresh-centos-9-stream-20260506-091717 |
| mkdir /tmp/selinux-policy-rpms | ||
| dnf download --downloaddir /tmp/selinux-policy-rpms selinux-policy{,-devel,-targeted} | ||
| if [ "$IMAGE" = "centos-9-stream" ]; then | ||
| selinux_vr="38.1.76-1.el9" |
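Review bot: The hardcoded selinux_vr="38.1.76-1.el9" in the centos-9-stream branch carries no comment saying why this version-release was chosen or what condition should trigger bumping it; add that next to the assignment so the pin does not silently age. The visible lines also do not show what happens when that exact version-release is no longer available in the repository, so whatever consumes selinux_vr should fail the refresh loudly rather than fall back to a different policy version. Minor: mkdir /tmp/selinux-policy-rpms fails if the directory already exists; mkdir -p would keep the step re-runnable.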
Meh -- this will get increasingly out of date. At some point the compiled policy during rpm build might not even work any more at runtime, or silently pass while it would fail with the official builds?
This is a structural problem in C9S which is terribly hard to work around. Doesn't this break packit COPR builds and tests in the very same way while that happens? If yes, this just reflects reality, and we'll have to block the image refresh for some time and keep filing tickets. If not, then what does copr/TF do differently to avoid this?
I mean, we're basically doing exactly the same for Fedora, right? And it's getting increasingly out of date as well...
Also: I don't really consider this to be a downstream issue: it's due to the fact that we build our centos-9-bootc packages on centos-9-stream and when stream gets updated it might end up with a later version of the policy package. There's really nothing that could be done at the distro level to help this...
This is absolutely a downstream issue. New selinux packages are often already "visible" in the buildroot repo days or even weeks before they become visible in BaseOS. If the publishing was synchronous between the two (i.e. gating holds back buildroot as well), we would only run into this problem if we updated centos-9-bootc image after centos-9-stream.
But ok, one thing at a time..
No wait, this is still wrong. We explicitly download the selinux package from BaseOS for that very reason. So how about refreshing centos-9-bootc first or in the same PR?
Last updated in 9c8cb5f, 7 days ago.