kt vm: Pin Rocky repos to vault to prevent minor version drift #71

Open
roxanan1996 wants to merge 1 commit into mainline from {rnicolescu}_kt_vm_pin

@roxanan1996 roxanan1996 commented May 22, 2026

A. Without this, dnf resolves packages from the latest minor release instead of the one the image was built with.

  • Disable mirrorlist to stop dnf from redirecting to the latest minor version
  • Point baseurl to the Rocky vault where old minor versions are permanently hosted
  • Replace $releasever with the actual VERSION_ID from /etc/os-release to pin to the exact minor version
  • Clear dnf cache to force metadata refresh from the new vault URLs

B. While testing, I found that lts8.6 does not install the kernel dependency.
Now that we're using matching basic images, there is a discrepancy for Rocky 8.6 images:
ROCKY_SUPPORT_PRODUCT='Rocky Linux'.
Since ROCKY_SUPPORT_PRODUCT is not the same for all versions, use VERSION_ID instead.

Testing

[rnicolescu@localhost lts-9.6]$ uname -r
5.14.0-570.17.1.el9_6.x86_64
[rnicolescu@localhost lts-9.6]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  5.9 MB/s |  21 MB     00:03
Extra Packages for Enterprise Linux 9 openh264  2.2 kB/s | 2.5 kB     00:01
Rocky Linux 9.6 - BaseOS                        6.1 MB/s |  22 MB     00:03
Rocky Linux 9.6 - AppStream                      10 MB/s |  17 MB     00:01
Rocky Linux 9.6 - Extras                         50 kB/s |  17 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.netone.nl/other/epel/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/extras/x86_64/os/
[rnicolescu@localhost lts-9.6]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:30 ago on Fri 22 May 2026 02:57:15 PM UTC.
Package curl-7.76.1-31.el9_6.1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[rnicolescu@localhost lts-9.4]$ uname -r
5.14.0-427.18.1.el9_4.x86_64
[rnicolescu@localhost lts-9.4]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  1.2 MB/s |  21 MB     00:17
Extra Packages for Enterprise Linux 9 openh264  1.0 kB/s | 2.5 kB     00:02
Rocky Linux 9.4 - BaseOS                        6.5 MB/s |  16 MB     00:02
Rocky Linux 9.4 - AppStream                     8.9 MB/s |  15 MB     00:01
Rocky Linux 9.4 - Extras                         48 kB/s |  16 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.ams-1.serverforge.org/epel/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/extras/x86_64/os/
[rnicolescu@localhost lts-9.4]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:27 ago on Fri 22 May 2026 02:57:20 PM UTC.
Package curl-7.76.1-29.el9_4.1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[rnicolescu@localhost lts-9.2]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  5.1 MB/s |  21 MB     00:04
Extra Packages for Enterprise Linux 9 openh264  1.7 kB/s | 2.5 kB     00:01
Rocky Linux 9.2 - BaseOS                        2.8 MB/s | 1.9 MB     00:00
Rocky Linux 9.2 - AppStream                     2.6 MB/s | 7.1 MB     00:02
Rocky Linux 9.2 - Extras                         35 kB/s |  11 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/BaseOS/x86_64/os/
Repo-baseurl       : http://epel.mirror.wearetriple.com/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/extras/x86_64/os/
[rnicolescu@localhost lts-9.2]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:24 ago on Fri 22 May 2026 02:57:05 PM UTC.
Package curl-7.76.1-23.el9_2.1.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package         Architecture   Version                    Repository      Size
================================================================================
Upgrading:
 curl            x86_64         7.76.1-23.el9_2.4          baseos         294 k
 libcurl         x86_64         7.76.1-23.el9_2.4          baseos         283 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 576 k
Operation aborted.
[rnicolescu@localhost lts-8.6]$ uname -r
4.18.0-372.13.1.el8_6.x86_64
[rnicolescu@localhost lts-8.6]$ dnf repolist -v | grep Repo-baseurl
Rocky Linux 8.6 - AppStream                     4.5 MB/s |  11 MB     00:02
Rocky Linux 8.6 - BaseOS                        3.6 MB/s | 9.0 MB     00:02
Rocky Linux 8.6 - Extras                         38 kB/s |  12 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64  1.6 MB/s |  14 MB     00:09
Extra Packages for Enterprise Linux Modular 8 - 1.0 MB/s | 733 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.ams-1.serverforge.org/epel/8/Everything/x86_64/ (248 more)
Repo-baseurl       : https://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/epel/8/Modular/x86_64/ (19 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/extras/x86_64/os/
[rnicolescu@localhost lts-8.6]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:52 ago on Fri 22 May 2026 02:56:43 PM UTC.
Package curl-7.61.1-22.el8_6.3.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package         Architecture   Version                    Repository      Size
================================================================================
Upgrading:
 curl            x86_64         7.61.1-22.el8_6.4          baseos         351 k
 libcurl         x86_64         7.61.1-22.el8_6.4          baseos         301 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 652 k
Operation aborted.

NOTE

I used ruamel instead of oyaml because it added extra chars when dumping the cloud-init.yaml file adapted for each kernel_workspace and user. But that broke lts8.6 because of the array format. That's why I changed kt/data/cloud-init.yaml arrays so they are backwards compatible. For some reason, oyaml would modify that during dump, hence there was no issue there.
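
A post-boot check for the four steps listed in the description, as an added example that is not part of this PR or the project's code. The function names `check_repo_pinned` and `write_samples` and the two sample repo files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit one dnf .repo file for the pinning described above.
# Prints one finding per problem; exit status 0 means the file is pinned.
# On a VM, call it for each Rocky repo file with VERSION_ID from /etc/os-release.
check_repo_pinned() {   # usage: check_repo_pinned FILE VERSION_ID
    findings=$(awk -v want="https://dl.rockylinux.org/vault/rocky/$2/" '
        /^[ \t]*\[/ { section = $0; order[++n] = section }
        # An active mirrorlist can redirect dnf to the latest minor release.
        /^[ \t]*mirrorlist=/ { print section ": active mirrorlist" }
        /^[ \t]*baseurl=/ {
            url = $0; sub(/^[ \t]*baseurl=/, "", url); has_url[section] = 1
            if (index(url, "$releasever"))
                print section ": baseurl still contains $releasever"
            else if (index(url, want) != 1)
                print section ": baseurl is not the vault path for this minor: " url
        }
        # With mirrorlist disabled, a section without baseurl has no source.
        END { for (i = 1; i <= n; i++) if (!(order[i] in has_url))
                  print order[i] ": no active baseurl" }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files: one as an image might ship, one after the rewrite.
write_samples() {   # usage: write_samples DIR
    cat > "$1/stock.repo" <<'EOF'
[baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
enabled=1
EOF
    cat > "$1/pinned.repo" <<'EOF'
[baseos]
name=Rocky Linux 9.6 - BaseOS
#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-9.6
baseurl=https://dl.rockylinux.org/vault/rocky/9.6/BaseOS/$basearch/os/
enabled=1
EOF
}
```

The check is meant for the Rocky repo files only; EPEL legitimately resolves through mirrors, as the test output above shows.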

Copilot AI review requested due to automatic review settings May 22, 2026 12:44
Copilot AI left a comment

Pull request overview

Pins Rocky Linux DNF repository configuration inside kt vm cloud-init to avoid unintended minor-version drift when installing packages after the image is built.

Changes:

  • Disable mirrorlist= entries in Rocky repo files to prevent redirects to newer minor releases.
  • Rewrite baseurl to point to the Rocky vault location for the image’s minor version.
  • Replace $releasever with the OS VERSION_ID and clear DNF metadata cache.

Comment thread kt/data/cloud_init.yaml Outdated
@roxanan1996 roxanan1996 marked this pull request as draft May 22, 2026 12:58
@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from a4ed21b to f1394ce Compare May 22, 2026 13:06
Copilot AI review requested due to automatic review settings May 22, 2026 13:21
@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from f1394ce to 5627b50 Compare May 22, 2026 13:21
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

Comment thread pyproject.toml
Comment thread kt/ktlib/vm.py Outdated
Comment thread kt/data/cloud_init.yaml Outdated
Comment thread kt/data/cloud_init.yaml Outdated
@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from 5627b50 to bde249f Compare May 22, 2026 13:27
Copilot AI review requested due to automatic review settings May 22, 2026 13:28
@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from bde249f to 85c4624 Compare May 22, 2026 13:28
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Comment thread pyproject.toml Outdated
Comment thread kt/data/cloud_init.yaml Outdated
Comment thread kt/data/cloud_init.yaml Outdated
Without this, dnf resolves packages from the latest minor release
instead of the one the image was built with.

- Disable mirrorlist to stop dnf from redirecting to the latest minor version
- Point baseurl to the Rocky vault where old minor versions are permanently hosted
- Replace $releasever with the actual VERSION_ID from /etc/os-release to pin to the exact minor version
- Clear dnf cache to force metadata refresh from the new vault URLs

All of these were added in kt/data/cloud-init.yaml, which is the base
for all VMs. When kt vm is run the first time for a kernel workspace,
a copy of cloud-init.yaml is created. Use ruamel instead so that comments
and the original formatting stay the same when the YAML file is read
and then dumped in Python.

Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from 85c4624 to 0879576 Compare May 22, 2026 14:52
@roxanan1996 roxanan1996 marked this pull request as ready for review May 22, 2026 14:54
Copilot AI review requested due to automatic review settings May 22, 2026 14:54
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread kt/data/cloud_init.yaml
Comment thread kt/data/cloud_init.yaml
Comment on lines +44 to +46
- find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i 's|^mirrorlist=|#mirrorlist=|g' {} \;
- find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://dl.rockylinux.org/vault/rocky|g' {} \;
- find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i "s|\$releasever|$(. /etc/os-release && echo $VERSION_ID)|g" {} \;
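Review bot: All three commands select files with `find /etc/yum.repos.d/ -iname "*.repo"`, so the rewrites apply to every repo file present when cloud-init runs, not only the Rocky ones; on line +46 that replaces `$releasever` with the full VERSION_ID in any third-party repo file that relies on it. Consider narrowing the match to the Rocky repo files. Related: line +44 comments out mirrorlist unconditionally, while line +45 only enables a baseurl whose commented form starts exactly with `#baseurl=http://dl.rockylinux.org/$contentdir`, so a repo file with a different commented baseurl is left with no source at all. A check after the rewrite that every Rocky section has an active vault baseurl would surface that at provisioning time rather than at the first dnf install.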
Comment thread kt/data/cloud_init.yaml