build-sys: Enable CentOS Stream compose repos to avoid version skew

cgwalters · cgwalters · commit 204d7296829a · 2026-01-20T19:36:58.000-05:00
The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters <walters@verbum.org> Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
diff --git a/Dockerfile b/Dockerfile
@@ -47,6 +47,11 @@ RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot
 #       local sources. We'll override it later.
 # NOTE: All your base belong to me.
 FROM $base as target-base
+# Handle version skew between base image and mirrors for CentOS Stream
+# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+RUN --mount=type=tmpfs,target=/run \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    /run/packaging/enable-compose-repos
 RUN --mount=type=tmpfs,target=/run /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
 
 FROM scratch as base
diff --git a/contrib/packaging/enable-compose-repos b/contrib/packaging/enable-compose-repos
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Enable compose repos to avoid version skew between base image and mirrors
+# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+set -euo pipefail
+
+. /usr/lib/os-release
+
+case "${ID}" in
+  centos)
+    # The base image may have been built from a compose that has newer packages
+    # than what's available on the public mirrors. Enable the compose repos
+    # with higher priority to ensure we get matching versions.
+    
+    # Extract the gpgkey from the existing centos.repo - c9s uses
+    # RPM-GPG-KEY-centosofficial while c10s uses RPM-GPG-KEY-centosofficial-SHA256
+    gpgkey=$(grep -m1 '^gpgkey=' /etc/yum.repos.d/centos.repo | cut -d= -f2)
+    if [[ -z "${gpgkey}" ]]; then
+      echo "Error: Could not find gpgkey in /etc/yum.repos.d/centos.repo" >&2
+      exit 1
+    fi
+
+    cat > /etc/yum.repos.d/centos-compose.repo << EOF
+[compose-baseos]
+name=CentOS Stream \$releasever Compose BaseOS
+baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/BaseOS/\$basearch/os/
+gpgcheck=1
+enabled=1
+priority=1
+gpgkey=${gpgkey}
+
+[compose-appstream]
+name=CentOS Stream \$releasever Compose AppStream
+baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/AppStream/\$basearch/os/
+gpgcheck=1
+enabled=1
+priority=1
+gpgkey=${gpgkey}
+EOF
+    echo "Enabled CentOS Stream compose repos (gpgkey: ${gpgkey})"
+    ;;
+  *)
+    # No compose repo needed for other distros
+    ;;
+esac
