On Thu, Dec 3, 2020, at 2:48 PM, Adam Williamson wrote:
> I dunno when's the last time anyone tried without it, tbh.
For CoreOS we spent a *lot* of time ensuring that Ignition has first class SELinux
support, and actually making it work on the Live ISO in a not-horribly-hacky way required
a kernel patch:
https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/...
Also related to the installer experience, note that because the installer ISO is the same
thing as the OS, we ship `podman` and so it's fully supported to use Ignition to run
containers before/after the install.
And this is all really part of the story that a benefit of Ignition (in taking the role of
both cloud-init and kickstart compared to traditional Fedora) is that we have a very
consistent, uniform approach to provisioning/configuring the operating system that applies
across cloud, on-premise metal etc. Also, because our installer environment *is* the OS,
you also have `podman` there...so running containers before/during/after the install is
natural and encouraged.
This OpenShift enhancement covers a lot of this:
https://github.com/openshift/enhancements/blob/master/enhancements/rhcos/...
(Which is relevant here because the Live ISO in FCOS happened after RHCOS 4.1 shipped;
before that we had a hacky shell script in a minimal initramfs)
We are just constantly testing that flow (actually every PR to coreos-assembler, plus it
gates FCOS releases) which particularly compared to Anaconda is massively simplified
because there's no custom GUI involved.
Related to testing, we actually didn't touch on the whole topic that FCOS is fairly
GitHub oriented. I did a blog related to this,
https://blog.verbum.org/2020/12/03/still-on-github/
Our release workflow involves submitting PRs which get tested just like other PRs and run
through the same test suite. And on that topic, coreos-assembler contains not just
*build* tooling but also *testing* tooling. Our single (yeah it's big) container
image has everything you need to run all our build *and* tests as a single versioned unit,
which runs completely as non-root with unprivileged podman; no need to touch the host (or
for that matter, depend on Fedora as the host system at all; though the container is
Fedora-based, the current pipeline uses RHCOS).
Hm well I was just trying to talk about Ignition and SELinux but more ended up here =)
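To make the "run containers via Ignition" point concrete, here is an added example (not from the message above or from the Fedora CoreOS project) of a Butane config that installs a systemd unit which runs a container with `podman` at boot. The unit name, the image reference and the command are placeholders chosen for illustration; Butane transpiles this to the Ignition JSON that is applied on first boot, and the same config works whether the machine is a cloud instance, bare metal, or the live ISO environment.

```yaml
# Added example (not project code): Butane config that runs a container at boot.
# Transpile with: butane --strict example.bu > example.ign
variant: fcos
version: 1.4.0
systemd:
  units:
    # Placeholder unit name; one unit per container is the usual pattern.
    - name: example-container.service
      enabled: true
      contents: |
        [Unit]
        Description=Run an example container with podman (added example)
        After=network-online.target
        Wants=network-online.target

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # Placeholder image and command; replace with the real workload.
        ExecStart=/usr/bin/podman run --rm --name example \
            quay.io/EXAMPLE/IMAGE:TAG /bin/sh -c 'echo container ran at boot'

        [Install]
        WantedBy=multi-user.target
```

Because Ignition applies the config before the system finishes its first boot, the unit is present and enabled from the very first `multi-user.target`; there is no separate cloud-init or kickstart path to keep in sync. Note that a unit defined this way runs as root unless you add a `User=` line, so for anything beyond a throwaway command it is worth pairing the unit with a dedicated user and the SELinux labels that podman applies to container processes by default.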