From Fedora Project Wiki

Changes/Build Fedora CoreOS on Konflux

Summary

We want to build Fedora CoreOS update payloads in Konflux instead of Jenkins.

Owner

Current status

Detailed Description

In F43 we switched Fedora CoreOS to be built with podman via a Containerfile. We can now leverage this to move our builds into the Fedora Konflux cluster.

Feedback

None right now.

Benefit to Fedora

The main benefit is that SBOMs and attestations for the built artifacts are distributed to end users, who will be able to verify how the OS was produced, from the source code to the distribution.

Another nice side effect is that Konflux keeps the intermediate build artifacts in a public namespace, which makes reproducing test failures and debugging easier for the Fedora CoreOS maintainers.

Furthermore, this reduces the load on the Fedora CoreOS Jenkins pipeline, which is currently maintained by the CoreOS team. This will also increase the amount of shared code between CoreOS and bootc, helping with maintenance and exercising the code more.

Scope

  • Proposal owners:
    • Will switch Fedora CoreOS production streams (stable, testing, next) to be built in Konflux. This change was already done for our rawhide builds as an experiment. Proposal owners will also replace their current custom osbuild pipeline with bootc-image-builder. These changes are purely contained in the pipeline; they do not change the content of the produced artifacts compared to now. Notably, the Konflux release pipeline must integrate with the Fedora message bus to get the artifacts signed before release.
  • Release engineering:
    • Enable selected projects to sign artifacts from Konflux pipelines using Fedora signing keys.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There should be no impact for users as the product of the new pipeline (container images, disk images) should be identical.

How To Test

The test artifacts built with Konflux are currently published at https://quay.io/organization/coreos-devel.

One can rebase a Fedora CoreOS system to it with:

rpm-ostree rebase ostree-image-signed:docker://quay.io/coreos-devel/fedora-coreos:stable --reboot

And observe no functional difference.

Note that the automatic updates won't work because the image is not from the official release repo.
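
A post-reboot check for the rebase above, as an added example that is not part of the original proposal or of the CoreOS tooling: it reads `rpm-ostree status --json` and confirms that the booted deployment tracks the coreos-devel image through the ostree-image-signed transport. The function name check_rebase and the sample status document are assumptions made for illustration.

```python
import json
import subprocess

# Image reference copied from the rebase command on this page.
EXPECTED_REF = "ostree-image-signed:docker://quay.io/coreos-devel/fedora-coreos:stable"

# Constructed sample of the fields this check reads from `rpm-ostree status --json`.
SAMPLE_STATUS = {"deployments": [
    {"booted": True, "staged": False,
     "container-image-reference": EXPECTED_REF,
     "container-image-reference-digest": "sha256:" + "0" * 64},  # constructed digest
]}


def check_rebase(status, expected_ref=EXPECTED_REF):
    """Return (ok, message) for a parsed `rpm-ostree status --json` document."""
    deployments = status.get("deployments", [])
    booted = next((d for d in deployments if d.get("booted")), None)
    if booted is None:
        return False, "no booted deployment found"
    ref = booted.get("container-image-reference")
    if ref is None:
        return False, "booted deployment does not track a container image"
    if not ref.startswith("ostree-image-signed:"):
        return False, f"booted reference does not use ostree-image-signed: {ref}"
    if ref != expected_ref:
        # The expected image may already be staged and waiting for the reboot.
        staged = any(d.get("staged") and d.get("container-image-reference") == expected_ref
                     for d in deployments)
        hint = " (expected image is staged, reboot pending)" if staged else ""
        return False, f"booted from {ref}{hint}"
    digest = booted.get("container-image-reference-digest", "unknown digest")
    return True, f"booted from {ref} @ {digest}"


def main():
    # Runs on the rebased Fedora CoreOS host itself.
    out = subprocess.run(["rpm-ostree", "status", "--json"],
                         check=True, capture_output=True, text=True).stdout
    ok, msg = check_rebase(json.loads(out))
    print(("OK: " if ok else "FAIL: ") + msg)
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The digest printed on success can be recorded alongside test results so that a later run can be tied to one specific build.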

User Experience

No visible change for users.

Dependencies

Contingency Plan

  • Contingency mechanism: The Jenkins pipeline will stay in place, as we will roll this out progressively across Fedora CoreOS streams. We can revert to using the historical Jenkins pipeline at any time.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

See: https://github.com/coreos/fedora-coreos-tracker/issues/2031

Release Notes

Fedora CoreOS images are now built in the Fedora Konflux cluster.