kt vm: Pin Rocky repos to vault to prevent minor version drift by roxanan1996 · Pull Request #71 · ctrliq/kernel-src-tree-tools

roxanan1996 · 2026-05-22T12:44:29Z

A.
Without this, dnf resolves packages from the latest minor release instead of the one the image was built with.

Disable mirrorlist to stop dnf from redirecting to the latest minor version
Point baseurl to the Rocky vault where old minor versions are permanently hosted
Replace $releasever with the actual VERSION_ID from /etc/os-release to pin to the exact minor version
Clear dnf cache to force metadata refresh from the new vault URLs

B. While testing found that lts8.6 does not install the kernel dependency.
Now that we're using maching basic images, there is a discrepancy
for rocky 8.6 images:
ROCKY_SUPPORT_PRODUCT='Rocky Linux'.
Since ROCKY_SUPPORT_PRODUCT is not the same for all versions, use VERSION_ID
instead.

Testing

[rnicolescu@localhost lts-9.6]$ uname -r
5.14.0-570.17.1.el9_6.x86_64
[rnicolescu@localhost lts-9.6]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  5.9 MB/s |  21 MB     00:03
Extra Packages for Enterprise Linux 9 openh264  2.2 kB/s | 2.5 kB     00:01
Rocky Linux 9.6 - BaseOS                        6.1 MB/s |  22 MB     00:03
Rocky Linux 9.6 - AppStream                      10 MB/s |  17 MB     00:01
Rocky Linux 9.6 - Extras                         50 kB/s |  17 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.netone.nl/other/epel/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.6/extras/x86_64/os/
[rnicolescu@localhost lts-9.6]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:30 ago on Fri 22 May 2026 02:57:15 PM UTC.
Package curl-7.76.1-31.el9_6.1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

[rnicolescu@localhost lts-9.4]$ uname -r
5.14.0-427.18.1.el9_4.x86_64
[rnicolescu@localhost lts-9.4]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  1.2 MB/s |  21 MB     00:17
Extra Packages for Enterprise Linux 9 openh264  1.0 kB/s | 2.5 kB     00:02
Rocky Linux 9.4 - BaseOS                        6.5 MB/s |  16 MB     00:02
Rocky Linux 9.4 - AppStream                     8.9 MB/s |  15 MB     00:01
Rocky Linux 9.4 - Extras                         48 kB/s |  16 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.ams-1.serverforge.org/epel/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.4/extras/x86_64/os/
[rnicolescu@localhost lts-9.4]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:27 ago on Fri 22 May 2026 02:57:20 PM UTC.
Package curl-7.76.1-29.el9_4.1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

[rnicolescu@localhost lts-9.2]$ dnf repolist -v | grep Repo-baseurl
Extra Packages for Enterprise Linux 9 - x86_64  5.1 MB/s |  21 MB     00:04
Extra Packages for Enterprise Linux 9 openh264  1.7 kB/s | 2.5 kB     00:01
Rocky Linux 9.2 - BaseOS                        2.8 MB/s | 1.9 MB     00:00
Rocky Linux 9.2 - AppStream                     2.6 MB/s | 7.1 MB     00:02
Rocky Linux 9.2 - Extras                         35 kB/s |  11 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/BaseOS/x86_64/os/
Repo-baseurl       : http://epel.mirror.wearetriple.com/9/Everything/x86_64/ (227 more)
Repo-baseurl       : https://codecs.fedoraproject.org/openh264/epel/9/x86_64/os/ (0 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/9.2/extras/x86_64/os/
[rnicolescu@localhost lts-9.2]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:24 ago on Fri 22 May 2026 02:57:05 PM UTC.
Package curl-7.76.1-23.el9_2.1.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package         Architecture   Version                    Repository      Size
================================================================================
Upgrading:
 curl            x86_64         7.76.1-23.el9_2.4          baseos         294 k
 libcurl         x86_64         7.76.1-23.el9_2.4          baseos         283 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 576 k
Operation aborted.

[rnicolescu@localhost lts-8.6]$ uname -r
4.18.0-372.13.1.el8_6.x86_64
[rnicolescu@localhost lts-8.6]$ dnf repolist -v | grep Repo-baseurl
Rocky Linux 8.6 - AppStream                     4.5 MB/s |  11 MB     00:02
Rocky Linux 8.6 - BaseOS                        3.6 MB/s | 9.0 MB     00:02
Rocky Linux 8.6 - Extras                         38 kB/s |  12 kB     00:00
Extra Packages for Enterprise Linux 8 - x86_64  1.6 MB/s |  14 MB     00:09
Extra Packages for Enterprise Linux Modular 8 - 1.0 MB/s | 733 kB     00:00
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/AppStream/x86_64/os/
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/BaseOS/x86_64/os/
Repo-baseurl       : https://mirror.ams-1.serverforge.org/epel/8/Everything/x86_64/ (248 more)
Repo-baseurl       : https://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/epel/8/Modular/x86_64/ (19 more)
Repo-baseurl       : https://dl.rockylinux.org/vault/rocky/8.6/extras/x86_64/os/
[rnicolescu@localhost lts-8.6]$ sudo dnf install --assumeno curl
Last metadata expiration check: 0:03:52 ago on Fri 22 May 2026 02:56:43 PM UTC.
Package curl-7.61.1-22.el8_6.3.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package         Architecture   Version                    Repository      Size
================================================================================
Upgrading:
 curl            x86_64         7.61.1-22.el8_6.4          baseos         351 k
 libcurl         x86_64         7.61.1-22.el8_6.4          baseos         301 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 652 k
Operation aborted.

NOTE

I used ruaml instead of oyaml because it added extra chars when dumping the cloud-init.yaml file adapted for each kernel_workspace and user. But that broke lts8.6 because of the array format. That's why I changed
kt/data/cloud-init.yaml arrays so they are backwards compatible. For some reason, oyaml would modify that during dump, hence there was no issue there.

Copilot

Pull request overview

Pins Rocky Linux DNF repository configuration inside kt vm cloud-init to avoid unintended minor-version drift when installing packages after the image is built.

Changes:

Disable mirrorlist= entries in Rocky repo files to prevent redirects to newer minor releases.
Rewrite baseurl to point to the Rocky vault location for the image’s minor version.
Replace $releasever with the OS VERSION_ID and clear DNF metadata cache.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Without this, dnf resolves packages from the latest minor release instead of the one the image was built with. - Disable mirrorlist to stop dnf from redirecting to the latest minor version - Point baseurl to the Rocky vault where old minor versions are permanently hosted - Replace $releasever with the actual VERSION_ID from /etc/os-release to pin to the exact minor version - Clear dnf cache to force metadata refresh from the new vault URLs All of these were added in kt/data/cloud-init.yaml that is the base for all vms. When kt vm is run the first time for a kernel workspace, a copy of cloud-init.yaml is created. Use ruamel instead so that comments and the original formatting stays the same when the yaml file is read and then dump in python. Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

Copilot

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

PlaidCat · 2026-06-04T20:51:49Z

+  - find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i 's|^mirrorlist=|#mirrorlist=|g' {} \;
+  - find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://dl.rockylinux.org/vault/rocky|g' {} \;
+  - find /etc/yum.repos.d/ -iname "*.repo" -exec sed -i "s|\$releasever|$(. /etc/os-release && echo $VERSION_ID)|g" {} \;


I'm sorry I'm just now getting to this:

There is a little simpler way to do pinning.

https://github.com/ctrliq/kernel-src-tree/wiki#pin-to-vault

Feel free to rewrite the awk if you want.

yeah, this looks better as it just sets env variables instead of manually rewriting them in the repo files.
But, on friday, I ran into issues for all 9.x kernels because of epel-cisco-openh264. There is only one repo for 9. And what I don't understand is that the repo files already use 9.X, so there is no nice way to override that only for this repo.

I do not even know why we need this in the first place, maybe I can disable it..
I'll sleep on this a bit, I was busy with other stuff.

I'm actually not sure why the cisco stuff would be there, its on my host machine ... and I couldn't tell you why exactly but none of the VM images i create has it installed for the guest vm

Copilot AI review requested due to automatic review settings May 22, 2026 12:44

Copilot started reviewing on behalf of roxanan1996 May 22, 2026 12:44 View session

Copilot AI reviewed May 22, 2026

View reviewed changes

Comment thread kt/data/cloud_init.yaml Outdated

roxanan1996 marked this pull request as draft May 22, 2026 12:58

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from a4ed21b to f1394ce Compare May 22, 2026 13:06

Copilot AI review requested due to automatic review settings May 22, 2026 13:21

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from f1394ce to 5627b50 Compare May 22, 2026 13:21

Copilot started reviewing on behalf of roxanan1996 May 22, 2026 13:21 View session

Copilot AI reviewed May 22, 2026

View reviewed changes

Comment thread pyproject.toml

Comment thread kt/ktlib/vm.py Outdated

Comment thread kt/data/cloud_init.yaml Outdated

Comment thread kt/data/cloud_init.yaml Outdated

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from 5627b50 to bde249f Compare May 22, 2026 13:27

Copilot AI review requested due to automatic review settings May 22, 2026 13:28

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from bde249f to 85c4624 Compare May 22, 2026 13:28

Copilot started reviewing on behalf of roxanan1996 May 22, 2026 13:28 View session

Copilot AI reviewed May 22, 2026

View reviewed changes

Comment thread pyproject.toml Outdated

Comment thread kt/data/cloud_init.yaml Outdated

Comment thread kt/data/cloud_init.yaml Outdated

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from 85c4624 to 0879576 Compare May 22, 2026 14:52

roxanan1996 marked this pull request as ready for review May 22, 2026 14:54

Copilot AI review requested due to automatic review settings May 22, 2026 14:54

Copilot started reviewing on behalf of roxanan1996 May 22, 2026 14:54 View session

Copilot AI reviewed May 22, 2026

View reviewed changes

Comment thread kt/data/cloud_init.yaml

Comment thread kt/data/cloud_init.yaml

Comment thread kt/data/cloud_init.yaml

roxanan1996 mentioned this pull request May 22, 2026

kernel_install_dep.sh: Use VERSION_ID to differentate between major versions #72

Merged

roxanan1996 force-pushed the {rnicolescu}_kt_vm_pin branch from 0879576 to a8edde3 Compare May 22, 2026 15:06

PlaidCat reviewed Jun 4, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kt vm: Pin Rocky repos to vault to prevent minor version drift#71

kt vm: Pin Rocky repos to vault to prevent minor version drift#71
roxanan1996 wants to merge 1 commit into
mainlinefrom
{rnicolescu}_kt_vm_pin

roxanan1996 commented May 22, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

PlaidCat Jun 4, 2026 •

edited

Loading

Uh oh!

roxanan1996 Jun 8, 2026

Uh oh!

PlaidCat Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

Conversation

roxanan1996 commented May 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Testing

NOTE

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

PlaidCat Jun 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

roxanan1996 Jun 8, 2026

Choose a reason for hiding this comment

Uh oh!

PlaidCat Jun 8, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

roxanan1996 commented May 22, 2026 •

edited

Loading

PlaidCat Jun 4, 2026 •

edited

Loading