fix(rpm): resolve Fedora 43 install and runtime failures #18
Merged
Three issues discovered during comprehensive RPM testing on Fedora 43:

1. Set OPENSHELL_IMAGE_TAG=midstream at RPM build time so the CLI references container images that exist in the LobsterTrap GHCR registry (the default 'dev' tag does not exist).
2. Ship /etc/modules-load.d/openshell.conf to load legacy iptables kernel modules required by k3s flannel CNI. Modern Fedora loads only nf_tables by default, but k3s bundles its own iptables-legacy binary for flannel networking. Also add nftables kube-proxy mode detection to the cluster entrypoint as a forward-looking improvement for when k3s gains native nftables flannel support.
3. Change python3-openshell dependencies from Requires to Recommends because Fedora 43 ships grpcio 1.48 and protobuf 3.19, which are too old for the SDK (needs >=1.60 and >=4.25 respectively).
The midstream-container-build workflow was not passing OPENSHELL_CARGO_VERSION to the Docker build, causing gateway and sandbox binaries inside the container images to report version 0.0.0. Add a compute-versions job that derives the cargo version from git tags via release.py, matching the upstream workflow pattern.
- Add COPR/dnf install method to quickstart guide alongside binary and uv
- Add Fedora 43+ and RHEL/CentOS Stream 10+ to the support matrix
- Add RPM install option to README install section
The %{_modulesloaddir} macro used in %install and %files is provided by
systemd-rpm-macros. Without this BuildRequires, COPR build roots do not
have the macro defined, causing RPM to expand it literally and fail with
'File must begin with "/"'.
maxamillion added a commit that referenced this pull request Apr 6, 2026
The nftables kube-proxy mode detection added in PR #18 breaks NodePort routing on hosts where nft is available (including Fedora 43). When kube-proxy runs in nftables mode, the gateway service NodePort (30051) becomes unreachable, causing the health check to time out and the gateway start to fail. The modules-load.d config shipped by the RPM already ensures the legacy iptables kernel modules are loaded, which is the correct fix for the original problem. Remove the nftables detection until k3s nftables mode is validated with the full openshell gateway service configuration.
Summary
Fixes three issues discovered during comprehensive RPM testing on a fresh Fedora 43 (x86_64) instance with Podman 5.8.1, testing both rootful and rootless container runtimes.
Changes
Fix 1: Default image tag dev does not exist (Critical)
The RPM binary compiled by COPR defaults OPENSHELL_IMAGE_TAG to dev at build time, but the LobsterTrap GHCR registry only publishes midstream tags. This causes openshell gateway start to fail with a 404 on image pull.
- export OPENSHELL_IMAGE_TAG=midstream to the spec's %build section

Fix 2: Legacy iptables modules not loaded on Fedora 43 (High)
k3s bundles its own iptables-legacy binary for flannel CNI networking. Fedora 43 only loads nf_tables by default and does not auto-load the legacy ip_tables, iptable_nat, iptable_filter, and iptable_mangle kernel modules. Without these, flannel fails to write subnet.env and no pods can be scheduled.
- /etc/modules-load.d/openshell.conf in the RPM to load legacy modules at boot

Fix 3: python3-openshell uninstallable on Fedora 43 (Medium)
Fedora 43 ships python3-grpcio 1.48.4 (need >= 1.60) and python3-protobuf 3.19.6 (need >= 4.25). The version gap is too large to work around.
- Requires to Recommends so the package can be installed; users needing the SDK can install grpcio/protobuf via pip/uv

Testing
Full test matrix on Fedora 43 (x86_64), Podman 5.8.1:
openshell)
mise run pre-commit passes
Checklist
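A post-install check for Fix 2, added here as an example and not part of the PR or the project's code: it reads a modules-load.d file and reports which named modules the kernel has not loaded. The helper names `missing_modules` and `run_sample` are hypothetical, and the sample config contents and `/proc/modules` snapshot are constructed; only the four module names come from the PR description.

```shell
#!/bin/sh
# Added example (not from the PR): list modules named in a modules-load.d
# file that the running kernel has not loaded.

# missing_modules CONF PROC_MODULES [SYS_MODULE_DIR]   (hypothetical helper)
# modules-load.d format: one module per line; blank lines and lines that
# start with '#' or ';' are ignored.
missing_modules() {
    conf=$1; proc_modules=$2; sys_dir=${3:-/sys/module}
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, then skip blanks and comments.
        mod=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $mod in ''|'#'*|';'*) continue ;; esac
        # The kernel reports names with underscores even when given dashes.
        name=$(printf '%s\n' "$mod" | tr '-' '_')
        # Loaded as a module: first field of a /proc/modules line.
        if awk -v m="$name" '$1 == m { f = 1 } END { exit !f }' "$proc_modules"; then
            continue
        fi
        # Built-in code can show up under /sys/module without being listed above.
        [ -d "$sys_dir/$name" ] && continue
        printf '%s\n' "$mod"
    done < "$conf"
}

# Constructed sample: a config naming the four modules from Fix 2 (the real
# file's contents are an assumption) and a /proc/modules snapshot from a host
# where two of them are absent.
run_sample() {
    tmp=$(mktemp -d)
    cat > "$tmp/openshell.conf" <<'EOF'
# legacy iptables modules for k3s flannel (constructed)
ip_tables
iptable_nat
iptable_filter
iptable_mangle
EOF
    cat > "$tmp/proc_modules" <<'EOF'
nf_tables 385024 212 - Live 0x0000000000000000
ip_tables 36864 2 iptable_filter, Live 0x0000000000000000
iptable_filter 12288 0 - Live 0x0000000000000000
EOF
    mkdir "$tmp/sys"
    missing_modules "$tmp/openshell.conf" "$tmp/proc_modules" "$tmp/sys"
    rm -rf "$tmp"
}

run_sample
```

On an installed host the same function can be pointed at the real files: `missing_modules /etc/modules-load.d/openshell.conf /proc/modules`; empty output means every listed module is present.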