RPM lockfiles

MintMaker offers a custom extension on top of Renovate, that allows the automatic updates of RPM lockfiles through the rpm-lockfile-prototype project.

This extension is enabled by default for all repositories without any additional Renovate configuration.

The RPM lockfiles are different from the typical approach seen in many programming languages. Unlike in pyproject.toml or package.json, there is no way to pin dependencies (RPMs) to specific versions or ranges. The input file (rpms.in.yaml) describes how the RPMs are resolved and how the lockfile is generated. The lockfile (rpms.lock.yaml) contains a snapshot of the RPMs installed in your container image, however, these are always the latest versions available in the repositories. Once the repositories are updated to newer versions, the lockfile is not consistent anymore and needs to be updated.

In MintMaker, all RPM updates are grouped into a single PR/MR. This is because the lockfile implementation doesn’t allow for single dependency updates and it needs to be refreshed as a whole every time. While the individual RPM updates will be listed in the PR/MR description, it is not possible to break them into multiple PRs/MRs.

Please find how to generate RPM lockfile in documentation for enabling RPM prefetching.

Some projects require having multiple lockfiles in different subdirectories. These lockfiles will be updated, however matching CVE data against them is not currently supported.

MintMaker is able to update RPM lockfiles containing RPMs that require subscription, but some setup needs to be completed first. Firstly, activation key secret needs to be added to the user namespace. This process is described in detail in the Using Red Hat activation keys to access subscription content article. Secondly, the RPM repofile needs to be modified to make use of the custom authentication certificate and key. For each repository requiring authentication, please set sslclientkey = $SSL_CLIENT_KEY and sslclientcert = $SSL_CLIENT_CERT. This will ensure that MintMaker sets the correct paths for the authentication. For example: