manifest: adapt for rpm-ostree modularity support

[jlebon]

With the latest rpm-ostree support for modules, rpm-ostree will no
longer pull in modular packages by default, which is something we've
been relying on so far. So if we don't adapt, composes would start
failing. This is a good thing, because it forces us to be more explicit
wrt modularity:

1. enable the container-tools:rhel8 module for the podman stack
2. enable the virt:rhel module for qemu-guest-agent

While we're here, use the new repo-packages key to clarify some more
of our intentions:

1. always pull in the kernel from BaseOS
2. always pull in nss-altfiles from AppStream
3. always pull in toolbox from RHAOS until we move over to the
   container-tools:rhel8 one
4. always pull in cri-o and conmon from RHAOS to ensure they're
   synced

All of the choices above should just be a reflection of our current
stance. I've derived them from the various exclude= hacks we have in
our repo files internally, and analyzing where we're currently getting
what from. So this shouldn't significantly change our composes here.
Though I will note that we now drop quite a few Perl-related modular
packages, which I don't think we were pulling in intentionally.

This then also allows us to drop all the exclude= hacks as well.

Closes: coreos/rpm-ostree#3035

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jlebon]

Need to hold this until new rpm-ostree release with coreos/rpm-ostree#2760 hits cosa.

[jlebon]

This then also allows us to drop all the exclude= hacks as well.

https://url.corp.redhat.com/16481c3

[cgwalters]

This looks really good! Awesome work!

[jlebon]

Updated this, but now requires rpm-software-management/libdnf#1328.

[jlebon]

New cosa with rpm-software-management/libdnf#1328 is now built, so this is ready to go!

[cgwalters]

/lgtm

[cgwalters]

I think this is fine, but in the future we probably should have made this easier to ratchet in by adding something like compose tree --enable-modularity-previous-hack or something.

[jlebon]

I think this is fine, but in the future we probably should have made this easier to ratchet in by adding something like compose tree --enable-modularity-previous-hack or something.

Yeah... or I guess opt into the new behaviour via --enable-modularity, until we made it the default.

[jlebon]

Hmm, CI failing with

error: Parsing src/config/manifest.yaml: Unknown fields: modules

so I'm guessing it's some stale image issue again.

[cgwalters]

Yeah... or I guess opt into the new behaviour via --enable-modularity, until we made it the default.

Yep I like that even more given it's in theory experimental.

[cgwalters]

so I'm guessing it's some stale image issue again.

Yeah we mirror in Prow right now:

oc image info registry.ci.openshift.org/coreos/coreos-assembler:latest
Name:        registry.ci.openshift.org/coreos/coreos-assembler:latest
Digest:      sha256:91501d1807e35ee35cb29f347042a6397d7a9de69631cca2a2e7a1de8353549d
Media Type:  application/vnd.docker.distribution.manifest.v2+json
Created:     3h ago
Image Size:  2.524GB in 17 layers
Layers:      67.46MB sha256:79bfe0ad62c4ff47b8e95207e535ac3ef32bff2380303f0a091869c7b97a1af3
             161B    sha256:dc8307b158a0752480bc0559b819fe79a7f4464f8649f2940b4ce7aea8be6036
             2.299kB sha256:7177dd7ae805dc403a2bc0c9e84f31219b7706261bddf0f56cef25f75d62ba30
             2.236kB sha256:13110a40759d5d81000f2d17bc884f58ab184c64dbd5abdf7a241040bd95e9fa
             287B    sha256:5c1d08153ba6df6bea714313e14f4d361a1c3e856efb73214dc9dbf84da68d22
             914.8MB sha256:73a672842bcfb6e6a5fea2669cd7f98e5b3b3ba4176907deba7c7c4ce2a200f3
             132B    sha256:4c4d3c46e216e4af22cafaf8fe2c8a651cfdfeb83967417db4dd44045c0c264c
             2.282kB sha256:3f663a2c4388091508b1861cb6673ce998d2b34224793efa68fd129d649001d0
             2.238kB sha256:10a1900b5dc710ffb3ea56a3fcf669a9ec9c58605a30885bbb85e5390bfeaf0c
             289.6MB sha256:eff5d2ca2d46ba249cf64ddb99b35df716fc8e561a7ba9f1decdd985d9a51771
             107.3MB sha256:22071b285dae823226ce6ab8d61c9f312956b386e90a2eecf281c67b8846e2bc
             40.01MB sha256:decad81790998b12d799d009c6eb4bad0cc54e8922cc706451ccbb2cc5de6e49
             1.105GB sha256:9d6cf810299358d714dcf636394964f33297690909e357eacffd67feb7d2a035
             3.065kB sha256:7917dfe03dcddb1bd13b03f04e7649b6b94823927faf41b1205a66f4c37d8e04
             96B     sha256:3a413669e5999a5eab80188954d288a8efa0ec1e7b8889de32e6916f8c87ba64
             156B    sha256:83a9f67a69aa5d17a3618f542af75e0468088d6d713c2941a09f9cf4b5237d3f
             748B    sha256:f77250e5ea187ee5301e0fcb62926d084c2cf87cf7e8ec140e8a7f6e01025ce2
OS:          linux
Arch:        amd64
Entrypoint:  /usr/bin/dumb-init /usr/bin/coreos-assembler
Working Dir: /srv/
User:        builder
Environment: DISTTAG=f34container
             FGC=f34
             container=oci
             PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Labels:      license=MIT
             name=fedora
             vendor=Fedora Project
             version=34

[jlebon]

OK right, this is super confusing. The merge of coreos/coreos-assembler#2390 triggered both cosa-buildroot and coreos-assembler builds. But the latter uses FROM: on the former, so we actually need to wait for another build of coreos-assembler (I just triggered it) which uses the updated cosa-buildroot. And then wait for the OpenShift periodic importer to kick in. And then we can retry CI here.

[jlebon]

/retest

[jlebon]

/retest

[jlebon]

+ rpm-ostree --version
rpm-ostree:
 Version: '2021.7'

Hmm OK, so this is still using old rpm-ostree. Yet the coreos-assembler:latest image is updated and mirrored. So it's using some other image I think.

[cgwalters]

/retest

[cgwalters]

Yet the coreos-assembler:latest image is updated and mirrored. So it's using some other image I think.

I think there's a further replication lag between the main CI cluster and the build{01,02} etc. clusters.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[jlebon]

Ahhh cosa buildextend-extensions failing on

 Resolving dependencies...done
error: Could not depsolve transaction; 1 problem detected:
 Problem: package kata-containers-2.1.0-6.el8.x86_64 requires qemu-kiwi >= 5.1.0-16, but none of the providers can be installed
  - conflicting requests
  - package qemu-kiwi-15:5.1.0-20.module+el8.3.1+9918+230f5c26.x86_64 is filtered out by modular filtering
  - package qemu-kiwi-15:5.1.0-21.module+el8.3.1+10464+8ad18d1a.x86_64 is filtered out by modular filtering
  - package qemu-kiwi-15:5.2.0-16.module+el8.4.0+10806+b7d97207.x86_64 is filtered out by modular filtering
  - package qemu-kiwi-15:5.2.0-16.module+el8.4.0+11536+725e25d9.2.x86_64 is filtered out by modular filtering 

I was so focused on composes that I forgot about extensions entirely. Anyway, coreos/rpm-ostree#3095 adds support for it. Should be able to just backport that patch and tag it into the continuous tag.

Or cool too if you'd rather implement the --enable-modularity switch and hold off on all this for now. (Or could also freeze cosa on v2021.7).

[cgwalters]

/retest

[cgwalters]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, jlebon, travier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cgwalters,jlebon,travier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cgwalters]

NOTE: After this merges we'll require an updated coreos-assembler with newer rpm-ostree.