Fedora 41 was released.

.github/workflows/build-test.yaml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-rawhide, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
+        os: [ fedora-rawhide, fedora-41, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
         docker: [ docker ]
     timeout-minutes: 15
     steps:
@@ -68,13 +68,12 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: fedora-40
-          - os: fedora-40
+          - os: fedora-41
+          - os: fedora-41
             readonly: --read-only
             volume: freeipa-data
-          - os: fedora-40
+          - os: fedora-41
             readonly: --read-only
-            ca: --external-ca
           - os: fedora-rawhide
           - os: fedora-rawhide
             readonly: --read-only
@@ -87,7 +86,7 @@ jobs:
           - os: centos-9-stream
             readonly: --read-only
             ca: --external-ca
-        os: [ fedora-39, almalinux-9, rocky-8 ]
+        os: [ fedora-40, fedora-39, almalinux-9, rocky-8 ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
@@ -115,7 +114,7 @@ jobs:
         include:
           - os: fedora-rawhide
             readonly: --read-only
-          - os: fedora-40
+          - os: fedora-41
             readonly: --read-only
             volume: freeipa-data
           - os: rocky-9
@@ -149,7 +148,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: fedora-40
+          - os: fedora-41
             readonly: --read-only
           - os: centos-9-stream
             readonly: --read-only
@@ -175,7 +174,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-40, centos-9-stream ]
+        os: [ fedora-41, centos-9-stream ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
@@ -200,7 +199,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: fedora-40
+          - os: fedora-41
             readonly: --read-only
             volume: freeipa-data
           - os: almalinux-9
@@ -235,11 +234,13 @@ jobs:
       matrix:
         include:
           - os: fedora-rawhide
+            data-from: fedora-41
+          - os: fedora-41
+            data-from: fedora-41
+          - os: fedora-41
             data-from: fedora-40
           - os: fedora-40
             data-from: fedora-39
-          - os: fedora-40
-            data-from: fedora-38
           - os: rocky-8
             data-from: centos-8-certs-updated-data
     timeout-minutes: 20
@@ -264,8 +265,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: fedora-40
-            data-from: fedora-39
+          - os: fedora-41
+            data-from: fedora-40
           - os: almalinux-8
             data-from: centos-8-certs-updated-data
     timeout-minutes: 20
@@ -293,8 +294,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: fedora-40
-            data-from: fedora-39
+          - os: fedora-41
+            data-from: fedora-41
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v4
@@ -315,7 +316,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8, centos-9-stream ]
+        os: [ fedora-rawhide, fedora-41, rocky-9, almalinux-8, centos-9-stream ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
@@ -346,7 +347,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-rawhide, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
+        os: [ fedora-rawhide, fedora-41, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
     timeout-minutes: 30
     steps:
       - uses: actions/download-artifact@v4

.github/workflows/run-partial-tests.yaml

@@ -30,7 +30,7 @@ jobs:
       - id: default-matrix
         run: |
           (
-          echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
+          echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-41', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
           'docker': [ 'docker', 'podman' ] "
           if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
             echo -n ", 'include': [ \

Dockerfile.fedora-41

@@ -0,0 +1,99 @@
+# Clone from the Fedora 41 image
+FROM registry.fedoraproject.org/fedora:41
+
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=1941142
+COPY resolv.conf hostname /etc/
+
+# Workaround 1615948
+RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup
+RUN sed -i 's!%_install_langs.*!%_install_langs all!' /etc/rpm/macros.image-language-conf
+RUN dnf upgrade -y --setopt=install_weak_deps=False \
+	&& dnf install -y --setopt=install_weak_deps=False shadow-utils \
+	&& groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy \
+	&& groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi \
+	&& dnf install -y --setopt=install_weak_deps=False freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-healthcheck freeipa-client-epn patch \
+	&& dnf clean all
+
+# debug: RUN test $( getent passwd | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17):" | wc -l ) -eq 4
+
+# var-lib-nfs-rpc_pipefs.mount would run (and fail) nondeterministically
+RUN systemctl mask rpc-gssd.service
+
+# Container image which runs systemd
+# debug: RUN test -f /etc/machine-id && ! test -s /etc/machine-id
+# debug: RUN test "$container" = oci
+
+# Establish reasonably low open files limit in the container
+RUN echo "DefaultLimitNOFILE=1024" >> /etc/systemd/system.conf
+
+ENTRYPOINT [ "/usr/sbin/init" ]
+STOPSIGNAL RTMIN+3
+# test: systemd-container-failed.sh
+
+# Minimize the systemd setup
+RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l \! -lname /dev/null | xargs rm -v
+RUN systemctl mask systemd-logind.service
+COPY patches/minimal-fedora-39.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-39.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
+
+RUN ln -s /usr/lib/systemd/system/dbus-broker.service /usr/lib/systemd/system/dbus.service
+COPY container-ipa.target /usr/lib/systemd/system/
+RUN systemctl set-default container-ipa.target
+RUN rmdir -v /etc/systemd/system/multi-user.target.wants \
+	&& mkdir /etc/systemd/system/container-ipa.target.wants \
+	&& ln -s /etc/systemd/system/container-ipa.target.wants /etc/systemd/system/multi-user.target.wants
+RUN systemd-sysusers
+RUN systemd-tmpfiles --remove --create
+# debug: RUN test -d /var/log/journal
+# debug: RUN ! test -f /var/lib/systemd/random-seed
+# test-addon: VOLUME [ "/var/tmp" ]
+# test: systemd-container-diff.sh list-dependencies-fedora-38.out /dev/null docker-diff-minimal-fedora-23.out
+
+# Prepare for basic ipa-server-install in container
+# Address failing nis-domainname.service in the ipa-client-install step
+RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
+ADD hostnamectl-wrapper /usr/bin/nisdomainname
+
+## # test: systemd-container-ipa-server-install.sh
+
+# Move configuration and data to data volume
+COPY patches/ipa-data-fedora-41.patch /root
+RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-data-fedora-41.patch | sed -n 's/^patching file //;T;/\.py$/p' | xargs python3 -m compileall
+COPY ipaplatform-fedora.conf /usr/lib/systemd/system.conf.d/ipaplatform-override.conf
+ENV IPAPLATFORM_OVERRIDE=fedora_container
+
+COPY journald-storage.conf /usr/lib/systemd/journald.conf.d/storage.conf
+
+RUN authselect select sssd with-sudo --force
+
+COPY utils/prepare-volume-template utils/populate-volume-from-template utils/extract-rpm-upgrade-scriptlets /usr/local/bin/
+COPY volume-data-list volume-tmp-list volume-data-autoupdate /etc/
+RUN /usr/local/bin/prepare-volume-template /etc/volume-data-list /data
+RUN /usr/local/bin/prepare-volume-template /etc/volume-tmp-list /tmp
+RUN /usr/local/bin/extract-rpm-upgrade-scriptlets
+
+RUN echo 2.0 > /etc/volume-version
+VOLUME [ "/tmp", "/run", "/data" ]
+
+COPY init-data-minimal /usr/local/sbin/init
+ENTRYPOINT [ "/usr/local/sbin/init" ]
+# test: systemd-container-ipa-server-install-data.sh /dev/null
+
+# Configure master/replica upon the first invocation
+COPY init-data /usr/local/sbin/init
+COPY ipa-server-configure-first systemctl-exit-with-status ipa-volume-upgrade-* /usr/sbin/
+COPY ipa-server-configure-first.service ipa-server-upgrade.service ipa-server-update-self-ip-address.service /usr/lib/systemd/system/
+COPY service-success-poweroff.conf /usr/lib/systemd/system/ipa-server-configure-first.service.d/service-success-poweroff.conf.template
+RUN ln -sv /usr/lib/systemd/system/ipa-server-configure-first.service /data-template/etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service
+COPY exit-status.conf /usr/lib/systemd/system/systemd-poweroff.service.d/
+
+EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
+
+RUN uuidgen > /data-template/build-id
+
+# Invocation:
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+
+LABEL org.opencontainers.image.title="FreeIPA server"
+LABEL org.opencontainers.image.authors="FreeIPA Developers <[email protected]>"

freeipa-server-openshift-image.json

@@ -25,6 +25,17 @@
                             "name": "fedora-39"
                         }
                     },
+                    {
+                        "name": "fedora-41",
+                        "annotations": {
+                            "openshift.io/display-name": "FreeIPA Server on Fedora 41",
+                            "tags": "freeipa, identity management"
+                        },
+                        "from": {
+                            "kind": "DockerImage",
+                            "name": "quay.io/freeipa/freeipa-server:fedora-41"
+                        }
+                    },
                     {
                         "name": "fedora-40",
                         "annotations": {

tests/pack-data-as-image.sh

@@ -7,20 +7,20 @@ set -x
 # Example of preparing data image for upgrade testing:
 # check /etc/hosts and /etc/resolv.conf
 # mkdir -p freeipa-server/data
-# replica=none docker=podman VOLUME=$(pwd)/freeipa-server/data tests/run-master-and-replica.sh quay.io/freeipa/freeipa-server:fedora-40
+# replica=none docker=podman VOLUME=$(pwd)/freeipa-server/data tests/run-master-and-replica.sh quay.io/freeipa/freeipa-server:fedora-41
 # podman rm -f freeipa-master
 # check freeipa-server/data/var/lib/ipa/sysrestore/*-resolv.conf
-# tests/pack-data-as-image.sh freeipa-server data-fedora-40
+# tests/pack-data-as-image.sh freeipa-server data-fedora-41
 # podman login quay.io
-# podman tag freeipa/freeipa-server:data-fedora-40 quay.io/freeipa/freeipa-server:data-fedora-40
-# TMPDIR=/tmp podman push quay.io/freeipa/freeipa-server:data-fedora-40
+# podman tag freeipa/freeipa-server:data-fedora-41 quay.io/freeipa/freeipa-server:data-fedora-41
+# TMPDIR=/tmp podman push quay.io/freeipa/freeipa-server:data-fedora-41
 # podman login index.docker.io
-# podman tag freeipa/freeipa-server:data-fedora-40 docker.io/freeipa/freeipa-server:data-fedora-40
-# TMPDIR=/tmp podman push docker.io/freeipa/freeipa-server:data-fedora-40
+# podman tag freeipa/freeipa-server:data-fedora-41 docker.io/freeipa/freeipa-server:data-fedora-41
+# TMPDIR=/tmp podman push docker.io/freeipa/freeipa-server:data-fedora-41
 #
 
 cd "$1"
-podman run --rm -v $(pwd)/data:/data:Z registry.fedoraproject.org/fedora:40 tar cf - data > data.tar
+podman run --rm -v $(pwd)/data:/data:Z registry.fedoraproject.org/fedora:41 tar cf - data > data.tar
 SUM=$( sha256sum data.tar )
 SUM=${SUM%% *}
 mv data.tar $SUM.tar