METAL-156: Use Live ISO for baremetal bootstrap VM

cmd/openshift-install/testdata/agent/image/overrides/os_image_override.txt

@@ -6,7 +6,7 @@ env OPENSHIFT_INSTALL_OS_IMAGE_OVERRIDE=<not-valid-image>
 
 ! exists $WORK/agent.x86_64.iso
 stderr 'level=warning msg=Found override for OS Image. Please be warned, this is not advised'
-stderr 'level=fatal msg=failed to fetch Agent Installer ISO: failed to fetch dependency of "Agent Installer ISO": failed to fetch dependency of "Agent Installer Artifacts": failed to generate asset "BaseIso Image": failed to get base ISO image: parse "<not-valid-image>": invalid URI for request'
+stderr 'level=fatal msg=failed to fetch Agent Installer ISO: failed to fetch dependency of "Agent Installer ISO": failed to fetch dependency of "Agent Installer Artifacts": failed to generate asset "Base ISO Image": failed to get base ISO image: parse "<not-valid-image>": invalid URI for request'
 
 -- install-config.yaml --
 apiVersion: v1

data/data/bootstrap/baremetal/files/etc/containers/systemd/image-customization.container

@@ -3,8 +3,8 @@ Description=Customized Machine OS Image Server
 BindsTo=ironic-volume.service
 Requires=build-ironic-env.service
 PartOf=ironic.service
-Wants=network-online.target extract-machine-os.service
-After=network-online.target ironic-volume.service build-ironic-env.service extract-machine-os.service
+Wants=network-online.target
+After=network-online.target ironic-volume.service build-ironic-env.service
 
 [Container]
 ContainerName=image-customization
@@ -17,8 +17,11 @@ Volume=/etc/containers:/tmp/containers:z
 Volume=${AUTH_DIR}:/auth:z,ro
 Volume=/opt/openshift:/opt/openshift:z,ro
 Volume=/etc/pki/ca-trust/source/anchors/ca.crt:/tmp/ca.crt:z,ro
-Environment="DEPLOY_ISO=/shared/html/images/ironic-python-agent.iso"
-Environment="DEPLOY_INITRD=/shared/html/images/ironic-python-agent.initramfs"
+AddDevice=/dev/sr0:/images/live.iso:r
+Volume=/run/media/iso/images/pxeboot:/images/pxe:ro
+SecurityLabelDisable=true
+Environment="DEPLOY_ISO=/images/live.iso"
+Environment="DEPLOY_INITRD=/images/pxe/initrd.img"
 Environment="IRONIC_BASE_URL=${IRONIC_BASE_URL}"
 Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"
 Environment="IRONIC_AGENT_IMAGE=${IRONIC_AGENT_IMAGE}"

data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic-httpd.container.template

@@ -4,7 +4,7 @@ BindsTo=ironic-volume.service
 Requires=build-ironic-env.service
 PartOf=ironic.service
 Wants=network-online.target
-After=network-online.target ironic-volume.service build-ironic-env.service extract-machine-os.service provisioning-interface.service
+After=network-online.target ironic-volume.service build-ironic-env.service provisioning-interface.service
 
 [Container]
 ContainerName=httpd
@@ -21,6 +21,8 @@ Volume=ironic.volume:/shared:z
 Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z
 {{ end }}
 Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z
+Volume=/run/media/iso/images/pxeboot/rootfs.img:/shared/html/images/ironic-python-agent.rootfs:ro
+SecurityLabelDisable=true
 Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"
 Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}"
 Environment="HTTP_PORT=${HTTP_PORT}"

data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template

@@ -25,6 +25,9 @@ Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z
 {{ if .PlatformData.BareMetal.BMCVerifyCA }}
 Volume=/opt/openshift/bmc-ca:/certs/ca/bmc:z
 {{ end }}
+# Note we are limited here by conductor.file_url_allowed_paths in the ironic config
+Volume=/run/media/iso/images/pxeboot/vmlinuz:/var/lib/ironic/pxe/vmlinuz:ro
+SecurityLabelDisable=true
 Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"
 Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}"
 Environment="OS_CONDUCTOR__HEARTBEAT_TIMEOUT=120"

data/data/bootstrap/baremetal/files/etc/containers/systemd/metal3-baremetal-operator.container

@@ -14,7 +14,7 @@ Volume=/opt/openshift:/opt/openshift:z,ro
 Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z
 Environment="XDG_RUNTIME_DIR=/run/user/${UID}"
 Environment="KUBECONFIG=/opt/openshift/auth/kubeconfig-loopback"
-Environment="DEPLOY_KERNEL_URL=file:///shared/html/images/ironic-python-agent.kernel"
+Environment="DEPLOY_KERNEL_URL=file:///var/lib/ironic/pxe/vmlinuz"
 Environment="IRONIC_ENDPOINT=${IRONIC_ENDPOINT}"
 Environment="IRONIC_EXTERNAL_URL_V6=${IRONIC_EXTERNAL_URL_V6}"
 Environment="LEASE_DURATION_SECONDS=137"

data/data/bootstrap/baremetal/files/usr/local/bin/setup-image-data.sh.template → data/data/bootstrap/baremetal/files/usr/local/bin/setup-image-data.sh

@@ -2,7 +2,5 @@
 
 set -euo pipefail
 
-export KUBECONFIG=/opt/openshift/auth/kubeconfig-loopback
-
 # Create a podman secret for the image-customization-server
 base64 -w 0 /root/.docker/config.json | podman secret create pull-secret -

data/data/bootstrap/files/etc/systemd/system/node-image-finish.service

@@ -11,3 +11,4 @@ Type=oneshot
 # and now, back to our regularly scheduled programming...
 ExecStart=/usr/bin/echo "Node image overlay complete; switching back to multi-user.target"
 ExecStart=/usr/bin/systemctl --no-block isolate multi-user.target
+KillMode=none

data/data/bootstrap/files/etc/systemd/system/var-ostreecontainer.mount

@@ -2,6 +2,7 @@
 Requires=run-ephemeral.mount
 After=run-ephemeral.mount
 ConditionPathExists=/run/ostree-live
+ConditionPathExists=!/etc/no-var-tmpfs
 
 [Mount]
 What=tmpfs

data/data/install.openshift.io_installconfigs.yaml

@@ -5857,6 +5857,7 @@ spec:
                       BootstrapOSImage is a URL to override the default OS image
                       for the bootstrap node. The URL must contain a sha256 hash of the image
                       e.g https://mirror.example.com/images/qemu.qcow2.gz?sha256=a07bd...
+                      Deprecated: This is no longer used.
                     type: string
                   bootstrapProvisioningIP:
                     description: |-
@@ -5870,6 +5871,8 @@ spec:
                       ClusterOSImage is a URL to override the default OS image
                       for cluster nodes. The URL must contain a sha256 hash of the image
                       e.g https://mirror.example.com/images/metal.qcow2.gz?sha256=3b5a8...
+                      Deprecated: This is no longer required, the OS image is now part of the
+                      OpenShift release.
                     type: string
                   clusterProvisioningIP:
                     description: |-

go.mod

@@ -44,7 +44,7 @@ require (
 	github.com/coreos/stream-metadata-go v0.4.10-0.20250806142651-4a7d280a6c7b
 	github.com/daixiang0/gci v0.13.5
 	github.com/digitalocean/go-libvirt v0.0.0-20240220204746-fcabe97a6eed
-	github.com/diskfs/go-diskfs v1.4.0
+	github.com/diskfs/go-diskfs v1.4.1
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
 	github.com/go-logr/logr v1.4.3
 	github.com/go-openapi/errors v0.22.1
@@ -74,7 +74,7 @@ require (
 	github.com/nutanix-cloud-native/prism-go-client v0.5.0
 	github.com/onsi/gomega v1.38.2
 	github.com/openshift/api v0.0.0-20260228183123-9b2ee997d297
-	github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6
+	github.com/openshift/assisted-image-service v0.0.0-20250917153356-4ca9ff81f712
 	github.com/openshift/assisted-service/api v0.0.0
 	github.com/openshift/assisted-service/client v0.0.0
 	github.com/openshift/assisted-service/models v0.0.0
@@ -96,7 +96,7 @@ require (
 	github.com/prometheus/common v0.67.4
 	github.com/rogpeppe/go-internal v1.14.1
 	github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/thedevsaddam/retry v0.0.0-20200324223450-9769a859cc6d
@@ -230,6 +230,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/coreos/vcontext v0.0.0-20230201181013-d72178a18687 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/djherbis/times v1.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -274,6 +275,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
@@ -338,7 +340,6 @@ require (
 	google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
-	gopkg.in/djherbis/times.v1 v1.3.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/gcfg.v1 v1.2.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

go.sum

@@ -347,10 +347,12 @@ github.com/denis-tingaikin/go-header v0.5.0 h1:SRdnP5ZKvcO9KKRP1KJrhFR3RrlGuD+42
 github.com/denis-tingaikin/go-header v0.5.0/go.mod h1:mMenU5bWrok6Wl2UsZjy+1okegmwQ3UgWl4V1D8gjlY=
 github.com/digitalocean/go-libvirt v0.0.0-20240220204746-fcabe97a6eed h1:pDXysiX24X+SE6MwVcfd5lGE21a4jNH9ZgaF9AyshHY=
 github.com/digitalocean/go-libvirt v0.0.0-20240220204746-fcabe97a6eed/go.mod h1:isF7ghADfbC01gQx4vZnIOrxXT5RXLG81y+UCb5XSwc=
-github.com/diskfs/go-diskfs v1.4.0 h1:MAybY6TPD+fmhY+a2qFhmdvMeIKvCqlgh4QIc1uCmBs=
-github.com/diskfs/go-diskfs v1.4.0/go.mod h1:G8cyy+ngM+3yKlqjweMmtqvE+TxsnIo1xumbJX1AeLg=
+github.com/diskfs/go-diskfs v1.4.1 h1:iODgkzHLmvXS+1VDztpW53T+dQm8GQzi20y9yUd5UCA=
+github.com/diskfs/go-diskfs v1.4.1/go.mod h1:+tOkQs8CMMog6Nvljg8DGIxEXrgL48iyT3OM3IlSz74=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -896,8 +898,8 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/openshift/api v0.0.0-20260228183123-9b2ee997d297 h1:QoHTB3QS859LUGE6NUTg98XiMz6Kzm3svQmo4tmgmlg=
 github.com/openshift/api v0.0.0-20260228183123-9b2ee997d297/go.mod h1:ZYAxo9t1AALeEotN07tNzIvqqqWSxcZIqMUKnY/xCeQ=
-github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6 h1:U6ve+dnHlHhAELoxX+rdFOHVhoaYl0l9qtxwYtsO6C0=
-github.com/openshift/assisted-image-service v0.0.0-20240607085136-02df2e56dde6/go.mod h1:o2H5VwQhUD8P6XsK6dRmKpCCJqVvv12KJQZBXmcCXCU=
+github.com/openshift/assisted-image-service v0.0.0-20250917153356-4ca9ff81f712 h1:UJVh+I/AWZcOJASGdiLcTXkWB1OYNhS/383DHMcRvCQ=
+github.com/openshift/assisted-image-service v0.0.0-20250917153356-4ca9ff81f712/go.mod h1:WGdSeSnK0voEWWwA4ar5eApNjGBLmGTpFurEKw/FXJc=
 github.com/openshift/assisted-service/api v0.0.0-20250922204150-a52b83145bea h1:YhJ9iHKKT5ooAdVr8qq3BdudhTxP/WF0XYDT5gzi1ak=
 github.com/openshift/assisted-service/api v0.0.0-20250922204150-a52b83145bea/go.mod h1:wA7MaLcf/KoUl7fhB1bHBdhRBLjWPih90sHpxOV6ZLE=
 github.com/openshift/assisted-service/client v0.0.0-20250922204150-a52b83145bea h1:nYepkoJZSEjQEadaZ7oZraaeTug0zSV43HISLaHTCF0=
@@ -1029,8 +1031,8 @@ github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd/go.mod h1:TrYk7fJV
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
 github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY=
@@ -1295,6 +1297,7 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1402,8 +1405,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/djherbis/times.v1 v1.3.0 h1:uxMS4iMtH6Pwsxog094W0FYldiNnfY/xba00vq6C2+o=
-gopkg.in/djherbis/times.v1 v1.3.0/go.mod h1:AQlg6unIsrsCEdQYhTzERy542dz6SFdQFZFv6mUY0P8=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=

pkg/asset/agent/image/agentartifacts.go

@@ -20,6 +20,8 @@ import (
 	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/agent/workflow"
 	workflowreport "github.com/openshift/installer/pkg/asset/agent/workflow/report"
+	"github.com/openshift/installer/pkg/asset/rhcos"
+	"github.com/openshift/installer/pkg/types"
 )
 
 const (
@@ -132,10 +134,10 @@ func (a *AgentArtifacts) Generate(ctx context.Context, dependencies asset.Parent
 	return nil
 }
 
-func (a *AgentArtifacts) fetchAgentTuiFiles(releaseImage string, pullSecret string, mirrorConfig []mirror.RegistriesConfig) ([]string, error) {
-	release := NewRelease(
-		Config{MaxTries: OcDefaultTries, RetryDelay: OcDefaultRetryDelay},
-		releaseImage, pullSecret, mirrorConfig, nil)
+func (a *AgentArtifacts) fetchAgentTuiFiles(releaseImage string, pullSecret string, mirrorConfig types.MirrorConfig) ([]string, error) {
+	release := rhcos.NewReleasePayload(
+		rhcos.ExtractConfig{},
+		releaseImage, pullSecret, mirrorConfig)
 
 	agentTuiFilenames := []string{"/usr/bin/agent-tui", "/usr/lib64/libnmstate.so.*"}
 	files := []string{}

pkg/asset/agent/image/agentimage.go

@@ -106,7 +106,7 @@ func (a *AgentImage) Generate(ctx context.Context, dependencies asset.Parents) e
 			logrus.Debugf("Using custom rootfs URL: %s", a.rootFSURL)
 		} else {
 			// Default to the URL from the RHCOS streams file
-			defaultRootFSURL, err := baseIso.getRootFSURL(ctx, a.cpuArch)
+			defaultRootFSURL, err := baseIso.getRootFSURL(ctx, a.cpuArch, agentWorkflow, clusterInfo)
 			if err != nil {
 				return err
 			}