From 85192cc9e9214169e4ba36cddf05fc6ac2d509ae Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 13:44:18 -0800 Subject: [PATCH 1/6] bottlecap: drop privs, add --net=host --- bottlecap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bottlecap b/bottlecap index e93acb5b3c..4e362a7f15 100755 --- a/bottlecap +++ b/bottlecap @@ -80,7 +80,7 @@ fi script_dir=$(dirname "$(readlink -f "$0")") -volumes="-v $build_dir:/srv " +volumes="-v $build_dir:/srv --device /dev/kvm" entrypoint="" @@ -101,4 +101,4 @@ fi # we actually want work splitting here since $volumes is multiple args # shellcheck disable=SC2086 -$runtime run --rm -ti --privileged --userns=host $volumes --workdir /srv $entrypoint "$container" "$@" +$runtime run --rm -ti --net=host --userns=host $volumes --workdir /srv $entrypoint "$container" "$@" From 9a0917e292d5aed5677517605f7f9dcd0992734f Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 13:45:16 -0800 Subject: [PATCH 2/6] src/cmd-init: drop anaconda bits --- src/cmd-init | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/src/cmd-init b/src/cmd-init index 434007a6bb..14218e93c3 100755 --- a/src/cmd-init +++ b/src/cmd-init @@ -131,33 +131,6 @@ mkdir -p src fi fi) - -installer_bn=$(basename "${INSTALLER}") -checksums_bn=$(basename "${INSTALLER_CHECKSUM}") -mkdir -p installer - -if [ -n "${INSTALLER_DIR}" ]; then - if (cd "${INSTALLER_DIR}" && sha256sum -c "${checksums_bn}"); then - (cd installer - cp --reflink=auto "${INSTALLER_DIR}"/"${installer_bn}" . - cp --reflink=auto "${INSTALLER_DIR}"/"${checksums_bn}" . - ) - fi -fi - -(cd installer - if ! [ -f "${installer_bn}" ]; then - mkdir -p tmp - ( - cd tmp - curl -L --remote-name-all "${INSTALLER}" "${INSTALLER_CHECKSUM}" - sha256sum -c "${checksums_bn}" - mv "${installer_bn}" "${checksums_bn}" .. - ) - rm tmp -rf - fi -) - mkdir -p cache mkdir -p builds mkdir -p tmp 
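Review bot: `--device /dev/kvm` is now appended unconditionally to `volumes`, so on a host without KVM (or with a runtime that cannot pass devices through) the `run` line below fails with an opaque runtime error instead of a message naming the real problem. A guard just before this assignment, `[ -c /dev/kvm ] || { echo "/dev/kvm not found; KVM is required" >&2; exit 1; }`, would make that explicit. Since the variable no longer holds only volume flags, a one-line comment such as `# volumes also carries the /dev/kvm pass-through the build VM needs` keeps the SC2086 note on the run line honest.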
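Review bot: Dropping `--privileged` is the right direction, but `--net=host` takes its place without any rationale, and it gives the build container the host's network namespace (loopback-bound services, host ports and interfaces). Nothing visible in this series needs it: the build VM in cmdlib.sh uses `-netdev user`, which works from an isolated container network, and KVM access now comes from the `--device /dev/kvm` pass-through above. If something not shown here requires it (a local mirror or proxy reachable only through the host stack, for instance), record that on the line, e.g. `# --net=host: required for <reason>; narrow this if possible`; otherwise drop it and keep the privilege reduction complete.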
From 31a5aee6c1cd48ecbe3edf42b6472d7983f1c0c4 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 13:46:39 -0800 Subject: [PATCH 3/6] src/cmdlib.sh: drop anaconda bits --- src/cmdlib.sh | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/src/cmdlib.sh b/src/cmdlib.sh index e6989c9ed7..0bce6f2ed4 100755 --- a/src/cmdlib.sh +++ b/src/cmdlib.sh @@ -36,35 +36,6 @@ release="29" export arch export release -# Download url is different for primary and secondary fedora -# Primary Fedora - https://download.fedoraproject.org/pub/fedora/linux/releases/ -# Secondary Fedora - https://download.fedoraproject.org/pub/fedora-secondary/releases/ -declare -A repository_dirs -repository_dirs[aarch64]=fedora/linux -repository_dirs[armhfp]=fedora/linux -repository_dirs[x86_64]=fedora/linux -repository_dirs[i386]=fedora-secondary -repository_dirs[ppc64le]=fedora-secondary -repository_dirs[s390x]=fedora-secondary - -repository_dir=${repository_dirs[$arch]} -INSTALLER=https://download.fedoraproject.org/pub/$repository_dir/releases/$release/Everything/$arch/iso/Fedora-Everything-netinst-$arch-$release-1.2.iso -INSTALLER_CHECKSUM=https://download.fedoraproject.org/pub/$repository_dir/releases/$release/Everything/$arch/iso/Fedora-Everything-$release-1.2-$arch-CHECKSUM - -# Overriding install URL -if [ -n "${INSTALLER_URL_OVERRIDE-}" ]; then - INSTALLER="${INSTALLER_URL_OVERRIDE}" - info "Overriding the install URL with contents of INSTALLER_URL_OVERRIDE" -fi -# Overriding install checksum URL -if [ -n "${INSTALLER_CHECKSUM_URL_OVERRIDE-}" ]; then - INSTALLER_CHECKSUM="${INSTALLER_CHECKSUM_URL_OVERRIDE}" - info "Overriding the install checksum URL with contents of INSTALLER_CHECKSUM_URL_OVERRIDE" -fi - -export INSTALLER -export INSTALLER_CHECKSUM - _privileged= has_privileges() { if [ -z "${_privileged:-}" ]; then From 81e209348c728fbf49ad802e2c189aa3d9c80711 Mon Sep 17 00:00:00 2001 
From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 13:47:31 -0800 Subject: [PATCH 4/6] src/vmdeps.txt: add tools for building images --- src/vmdeps.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/vmdeps.txt b/src/vmdeps.txt index ed77186200..1da0175e63 100644 --- a/src/vmdeps.txt +++ b/src/vmdeps.txt @@ -14,3 +14,6 @@ dhcp-client bind-export-libs iproute # SELinux selinux-policy selinux-policy-targeted policycoreutils + +# for building disk images +gdisk xfsprogs e2fsprogs grub2 dosfstools From cb6e7c6eee7ab50a7b63a2d29319fd9d79206df3 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 15:17:27 -0800 Subject: [PATCH 5/6] src/cmlib: add bits for creawking disk images --- src/cmdlib.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/cmdlib.sh b/src/cmdlib.sh index 0bce6f2ed4..31f3a29ce3 100755 --- a/src/cmdlib.sh +++ b/src/cmdlib.sh @@ -251,6 +251,9 @@ echo \$rc > ${workdir}/tmp/rc /sbin/reboot -f EOF chmod a+x "${vmpreparedir}"/init + echo "/usr/lib/coreos-assembler/create_disk.sh" > "${vmpreparedir}/hostfiles" + echo "/usr/lib/coreos-assembler/grub.cfg" >> "${vmpreparedir}/hostfiles" + (cd "${vmpreparedir}" && tar -czf init.tar.gz --remove-files init) supermin --build "${vmpreparedir}" --size 5G -f ext2 -o "${vmbuilddir}" @@ -263,9 +266,17 @@ EOF srcvirtfs=("-virtfs" "local,id=source,path=${workdir}/src/config,security_model=none,mount_tag=source") fi + # add the diskimage if it exists + diskimage=() + if [ -f "$(pwd)/diskimage.raw" ]; then + diskimage=("-drive" "if=virtio,id=target,format=raw,file=$(pwd)/diskimage.raw") + fi + ${QEMU_KVM} -nodefaults -nographic -m 2048 -no-reboot \ -kernel "${vmbuilddir}/kernel" \ -initrd "${vmbuilddir}/initrd" \ + -append "root=/dev/sda init=/usr/lib/systemd/systemd console=ttyS0 selinux=1 enforcing=0 autorelabel=1" \ + -serial stdio \ -netdev user,id=eth0,hostname=supermin \ -device virtio-net-pci,netdev=eth0 \ -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \ 
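Review bot: The drive added via `diskimage` is located with `$(pwd)` while every other path on this qemu command line is built from `${workdir}`, and the guest-side name it receives (the first virtio-blk device, i.e. `/dev/vda` when it is the only one) is hard-wired into the `create_disk` caller in cmd-build rather than derived or documented here. A comment on the `-drive` line would make that contract visible, e.g. `# diskimage.raw in the caller's cwd is attached as the first virtio-blk disk; create_disk.sh is passed it as /dev/vda`. Note also that qemu treats `,` inside `file=` as an option separator, so a working directory containing a comma breaks this option (the existing `path=` virtfs options share that limitation). The enclosing function (presumably `runvm`) starts before this hunk.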
@@ -274,7 +285,8 @@ EOF -drive if=none,id=drive-scsi0-0-0-1,discard=unmap,file="${workdir}/cache/cache.qcow2" \ -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1 \ -virtfs local,id=workdir,path="${workdir}",security_model=none,mount_tag=workdir \ - "${srcvirtfs[@]}" -serial stdio -append "root=/dev/sda console=ttyS0 selinux=1 enforcing=0 autorelabel=1" + "${diskimage[@]}" \ + "${srcvirtfs[@]}" if [ ! -f "${workdir}"/tmp/rc ]; then fatal "Couldn't find rc file, something went terribly wrong!" From 1103d6dadb38956e5f46046ba6f63343fb875cfd Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Mon, 18 Feb 2019 15:18:17 -0800 Subject: [PATCH 6/6] src/*: switch to using bash script to build iamges --- src/cmd-build | 59 ++++++---------------- src/create_disk.sh | 121 +++++++++++++++++++++++++++++++++++++++++++++ src/gf-oemid | 2 +- src/grub.cfg | 88 +++++++++++++++++++++++++++++++++ 4 files changed, 225 insertions(+), 45 deletions(-) create mode 100755 src/create_disk.sh create mode 100644 src/grub.cfg diff --git a/src/cmd-build b/src/cmd-build index fefb26aa34..168653bd5d 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -108,7 +108,6 @@ sha256sum_str() { # Calculate kickstart checksum now and gather previous image build variables if any image_config_path="${configdir:?}"/image.yaml -image_config=true if [ -f "${image_config_path}" ]; then image_input="${image_config_path}" else @@ -118,7 +117,6 @@ else echo "Sleeping for 10 seconds." sleep 10 image_input="${configdir:?}"/image.ks - image_config=false else fatal "Failed to find image.yaml in configdir" fi 
@@ -163,6 +161,7 @@ composejson=${PWD}/tmp/compose.json # --cache-only is here since `fetch` is a separate verb. runcompose --cache-only ${FORCE} --add-metadata-from-json "${commitmeta_input_json}" \ --write-composejson-to "${composejson}" + # Always update the summary, since we used to do so ostree --repo="${workdir}/repo" summary -u # Very special handling for --write-composejson-to as rpm-ostree doesn't 
@@ -219,50 +218,22 @@ echo "New build ID: ${buildid}" imageprefix="${name:?}"-"${buildid}" # Make these two verbose -set -x -mkdir -p tmp/anaconda +#set -x +#mkdir -p tmp/anaconda img_base=tmp/${imageprefix}-base.qcow2 -# These options don't work for EL7 so don't pass for now -# virt-install --console=log.file doesn't work for qemu in EL7 -# 9pfs isn't an option for EL7 so copying out anaconda logs doesn't work -extraargs= -if [ -n "${ISFEDORA}" ]; then - extraargs="${extraargs} --console-log-file ${PWD}/install.log --logs ${PWD}/tmp/anaconda" -fi +set -x -if ${image_config}; then - extraargs="${extraargs} --image-config ${image_input}" -else - extraargs="${extraargs} --kickstart ${image_input}" -fi +create_disk() { + dest="$1" + shift -# forgive me for this sin -iso_location="${workdir}/installer/$(basename "${INSTALLER}")" -checksum_location="${workdir}/installer/$(basename "${INSTALLER_CHECKSUM}")" + rm -f "$(pwd)/diskimage.raw" + truncate -s 8G "$(pwd)/diskimage.raw" -set +x -# This generates the "base image"; not specific to a platform. -run_virtinstall() { - dest=$1 - shift - tmpdest="${dest}.tmp" - # We want extraargs var to be split on words - # shellcheck disable=SC2086 - /usr/lib/coreos-assembler/virt-install --create-disk --dest=${tmpdest} \ - --kickstart-out "${PWD}"/tmp/flattened.ks \ - --ostree-remote="${name}" --ostree-stateroot="${name}" \ - --ostree-ref="${ref:-${commit}}" \ - --location "${iso_location}" \ - --ostree-repo="${workdir}"/repo ${extraargs-} "$@" - mv "${tmpdest}" "${dest}" -} + runvm /usr/lib/coreos-assembler/create_disk.sh -d /dev/vda -o "$workdir/repo" -r "${ref:-${commit}}" -build_cloud_base() { - if [ -f "${PWD}/${img_base}" ]; then - return - fi - run_virtinstall "${PWD}"/"${img_base}" --variant=cloud + qemu-img convert diskimage.raw "$dest" } declare -A images 
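Review bot: `qemu-img convert diskimage.raw "$dest"` in `create_disk` pins neither format: without `-O` qemu-img writes raw output even though `$dest` is named `.qcow2`, and without `-f raw` it probes the source — a disk whose contents were just written by the build VM — to guess the input format. Use `qemu-img convert -f raw -O qcow2 diskimage.raw "$dest"`. The 8G `diskimage.raw` is also left behind after conversion, and `set -x` now stays on for the remainder of the script because the old `set +x` was removed together with `run_virtinstall`. The commented-out `#set -x` and `#mkdir -p tmp/anaconda` lines should be deleted rather than kept, and `dest` should be declared `local` so it does not leak into the caller's scope.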
@@ -270,11 +241,12 @@ for itype in "${IMAGE_TYPES[@]}"; do case $itype in qemu) img_qemu=${imageprefix}-qemu.qcow2 images[$itype]="${img_qemu}" - build_cloud_base + create_disk "$(pwd)/${img_base}" + #build_cloud_base /usr/lib/coreos-assembler/gf-oemid "$(pwd)"/"${img_base}" "$(pwd)"/"${img_qemu}" qemu # Clear the MCS SELinux labels # See https://github.com/coreos/coreos-assembler/issues/292 - chcon -vl s0 "${img_qemu}" + #chcon -vl s0 "${img_qemu}" # make a version-less symlink to have a stable path # TODO: Remove this, things should be parsing the metadata ln -s "${img_qemu}" "${name}"-qemu.qcow2 @@ -295,7 +267,6 @@ for itype in "${IMAGE_TYPES[@]}"; do done build_timestamp=$(date -u +$RFC3339) -vm_iso_checksum=$(awk '/SHA256.*iso/{print$NF}' "${checksum_location}") src_location="container" if [ ! -f /lib/coreos-assembler/.clean ]; then @@ -321,7 +292,6 @@ cat > tmp/meta.json < commitmeta.json # Clean up our temporary data +chattr -R -i tmp rm tmp -rf # Back to the toplevel build directory, so we can rename this one cd "${workdir}"/builds diff --git a/src/create_disk.sh b/src/create_disk.sh new file mode 100755 index 0000000000..48c8e70888 --- /dev/null +++ b/src/create_disk.sh 
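Review bot: The `chcon -vl s0 "${img_qemu}"` workaround for coreos-assembler#292 is commented out while the comment explaining it is kept, so a reader sees a fix that is referenced but not applied and cannot tell whether the MCS-label problem disappeared with the new image path or was simply not retested. Either delete both `#build_cloud_base` and `#chcon -vl s0 "${img_qemu}"` and extend the comment with why label clearing is no longer needed, or restore the call. Since the container no longer runs `--privileged` after patch 1, it is worth checking that the produced `${img_qemu}` does not carry a per-container MCS label before the call is dropped for good.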
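Review bot: `chattr -R -i tmp` is added before `rm tmp -rf` with no explanation of what under `tmp` becomes immutable; presumably an ostree deployment root written through the build VM (ostree marks deployment directories immutable), but that is inferred rather than shown here. A comment such as `# ostree marks deployment roots immutable; clear the flag so the rm below can remove them` would record the reason. The command also requires CAP_LINUX_IMMUTABLE and errors on filesystems without attribute support, so if this script runs under `set -e` (not visible in this hunk) a failure here aborts the build before cleanup rather than after it.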
@@ -0,0 +1,121 @@ +#!/bin/sh + +usage() { + echo "create_disk -d disk -o ostree" +} + +export PATH=$PATH:/sbin:/usr/sbin + +getpart() { + # getpart /dev/loop0 1 -> /dev/loop0p1 + # getpart /dev/sda 1 -> /dev/sda1 + last="${1: -1}" + if [ $last -q $last 2>/dev/null ]; then + echo "${1}p${2}" + else + echo "${1}${2}" + fi +} + +rc=0 +TEMP=$(getopt -o "d:o:r:" --long "disk:,ostree:,ref:" -- "$@") || rc=$? +if [ "$rc" -ne 0 ]; then + usage + exit 1 +fi + +eval set -- "$TEMP" + +while : +do + case "$1" in + "-d"|"--disk") + shift + disk="$1" + shift + ;; + "-o"|"--ostree") + shift + ostree="$1" + shift + ;; + "-r"|"--ref") + shift + ref="$1" + shift + ;; + --) + shift + break + ;; + *) + echo "Error parsing args" + usage + exit 1 + ;; + esac +done + +[ -z "$disk" ] || [ -z "$ostree" ] && { + usage + exit 1 +} + +set -e + +script_dir=$(dirname $(readlink -f "$0")) +# partition and create fs +sgdisk -Z $disk \ + -n 1:0:+128M -c 1:boot \ + -n 2:0:+128M -c 2:EFI-SYSTEM -t 1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ + -n 3:0:+128M -c 3:BIOS-BOOT -t 2:21686148-6449-6E6F-744E-656564454649 \ + -n 4:0:0 -c 4:root -t 3:4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709 +sgdisk -p $disk + +# HACK ALERT - wait for partition rescans +sleep 2 +# FIXME ostree needs symlinks +mkfs.ext2 "$(getpart ${disk} 1)" -L boot +mkfs.fat "$(getpart ${disk} 2)" -n EFI-SYSTEM +mkfs.xfs "$(getpart ${disk} 4)" -L root + +# mount the partitions +rm -rf rootfs +mkdir rootfs +mount $(getpart ${disk} 4) rootfs +mkdir rootfs/boot +mount $(getpart ${disk} 1) rootfs/boot +mkdir rootfs/boot/efi +mount $(getpart ${disk} 2) rootfs/boot/efi + +# init the ostree +ostree admin init-fs rootfs +ostree pull-local "$ostree" --repo rootfs/ostree/repo +ostree admin os-init fedora-coreos --sysroot rootfs +ostree admin deploy "$ref" --sysroot rootfs --os fedora-coreos + +checksum=$(cat rootfs/boot/ostree/*/{vm*,init*} | sha256sum | cut -d ' ' -f 1) +vmlinuz=$(basename rootfs/boot/ostree/*/vm*) +initrd=$(basename 
rootfs/boot/ostree/*/init*) +echo "Checksum is: $checksum initrd is $initrd vmlinuz is $vmlinuz" + +# install bios grub (mostly lifted from the container linux scripts) +grub2-install \ + --target i386-pc \ + --boot-directory rootfs/boot \ + $disk + +#mkdir -p rootfs/boot/efi/EFI/boot +#grub2-mkimage \ +# --format x86_64-efi \ +# --output rootfs/boot/efi/EFI/grub.efi \ +# --prefix='(root)/boot/grub' +# serial linuxefi efi_gop getenv smbios efinet verify http tftp + +cat "$script_dir/grub.cfg" \ + | sed "s/HASHHASH/$checksum/" \ + | sed "s/VMLINUZ/$vmlinuz/" \ + | sed "s/INITRD/$initrd/" \ + | tee rootfs/boot/grub2/grub.cfg + +touch rootfs/boot/ignition.firstboot diff --git a/src/gf-oemid b/src/gf-oemid index 2d905555cb..d05a2a75e4 100755 --- a/src/gf-oemid +++ b/src/gf-oemid @@ -66,7 +66,7 @@ coreos_gf_run_mount "${tmp_dest}" # * grub config # * BLS config (for subsequent config regeneration) # First, the grub config. -grubcfg_path=/boot/loader/grub.cfg +grubcfg_path=/boot/grub2/grub.cfg coreos_gf download "${grubcfg_path}" "${tmpd}"/grub.cfg # Remove any oemid currently there sed -i -e 's, coreos.oem.id=[a-zA-Z0-9]*,,g' "${tmpd}"/grub.cfg diff --git a/src/grub.cfg b/src/grub.cfg new file mode 100644 index 0000000000..87bbb99657 --- /dev/null +++ b/src/grub.cfg 
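Review bot: `getpart` never takes its `/dev/loopNpM` branch: `[ $last -q $last ]` uses `-q`, which is not a test operator, so the test always errors (silenced by `2>/dev/null`) and the function always returns `${1}${2}`. A `case` on the trailing character fixes this and also avoids the `${1: -1}` and `{vm*,init*}` bashisms that the `#!/bin/sh` shebang does not promise. The script further leaves `rootfs`, `rootfs/boot` and `rootfs/boot/efi` mounted when it exits, and the surrounding VM is torn down with `/sbin/reboot -f` (see the init script in cmdlib.sh), so the image is handed back to the host without a clean unmount or sync; unmount in reverse order and `sync` before exiting. Finally, `set -e` is only enabled after argument parsing and `$disk` is unquoted in the `sgdisk`/`mkfs`/`mount`/`grub2-install` calls; quote it.
```shell
getpart() {
  # getpart /dev/loop0 1 -> /dev/loop0p1 ; getpart /dev/sda 1 -> /dev/sda1
  case "$1" in
    *[0-9]) echo "${1}p${2}" ;;
    *)      echo "${1}${2}" ;;
  esac
}
# … unchanged: option parsing, partitioning, mkfs, mounts, ostree deploy, grub install, grub.cfg …
touch rootfs/boot/ignition.firstboot

# flush and detach the image before the VM is stopped with `reboot -f`
umount rootfs/boot/efi
umount rootfs/boot
umount rootfs
sync
```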
@@ -0,0 +1,88 @@ +### BEGIN /etc/grub.d/00_header ### +set pager=1 + +if [ -f ${config_directory}/grubenv ]; then + load_env -f ${config_directory}/grubenv +elif [ -s $prefix/grubenv ]; then + load_env +fi + +if [ "${next_entry}" ] ; then + set default="${next_entry}" + set next_entry= + save_env next_entry + set boot_once=true +else + set default="${saved_entry}" +fi + +if [ x"${feature_menuentry_id}" = xy ]; then + menuentry_id_option="--id" +else + menuentry_id_option="" +fi + +export menuentry_id_option + +if [ "${prev_saved_entry}" ]; then + set saved_entry="${prev_saved_entry}" + save_env saved_entry + set prev_saved_entry= + save_env prev_saved_entry + set boot_once=true +fi + +function savedefault { + if [ -z "${boot_once}" ]; then + saved_entry="${chosen}" + save_env saved_entry + fi +} + +function load_video { + if [ x$feature_all_video_module = xy ]; then + insmod all_video + else + insmod efi_gop + insmod efi_uga + insmod ieee1275_fb + insmod vbe + insmod vga + insmod video_bochs + insmod video_cirrus + fi +} + +serial --speed=115200 +terminal_input serial console +terminal_output serial console +if [ x$feature_timeout_style = xy ] ; then + set timeout_style=menu + set timeout=1 +# Fallback normal timeout code in case the timeout_style feature is +# unavailable. +else + set timeout=1 +fi +### END /etc/grub.d/00_header ### + +### BEGIN /etc/grub.d/02_ignition_firstboot ### +set ignition_firstboot="" +# Determine if this is a first boot. 
+if [ -f "/ignition.firstboot" ]; then + set ignition_firstboot="ignition.firstboot" +fi +### END /etc/grub.d/02_ignition_firstboot ### + +### BEGIN /etc/grub.d/15_ostree ### +menuentry 'Fedora 29 (CoreOS preview) 29 (ostree)' --class gnu-linux --class gnu --class os --unrestricted 'ostree-0-a21cbad3-4dc6-4ad1-8ee5-01550c67dd01' { +load_video +set gfxpayload=keep +insmod gzio +insmod xfs +set root='hd0,gpt1' +set hash="HASHHASH" +linux16 /ostree/fedora-coreos-${hash}/VMLINUZ no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 ip=dhcp rd.neednet=1 rw $ignition_firstboot root=LABEL=root ostree=/ostree/boot.1/fedora-coreos/${hash}/0 coreos.oem.id=qemu systemd.mask=systemd-firstboot.service +initrd16 /ostree/fedora-coreos-${hash}/INITRD +} +### END /etc/grub.d/15_ostree ###
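Review bot: The `ostree=/ostree/boot.1/fedora-coreos/${hash}/0` path and the `VMLINUZ`/`INITRD` names in the menuentry are fixed at image build time, and nothing in this series regenerates `/boot/grub2/grub.cfg` afterwards (the `grub2-mkimage` step in create_disk.sh is commented out), so as far as these files show, an ostree upgrade that lands in a different `boot.0`/`boot.1` tree or prunes the old kernel directory leaves GRUB pointing at a deployment that no longer exists. If the intent is that ostree owns the config from the first deploy on, a header comment stating that assumption — e.g. `# Generated once by create_disk.sh; the bootloader config must be regenerated after the first ostree deploy` — would flag it for whoever wires up upgrades; otherwise consider reading the BLS entries that gf-oemid already references instead of a static `linux16`/`initrd16` pair. The hard-coded title `'Fedora 29 (CoreOS preview) 29 (ostree)'` and `root='hd0,gpt1'` share the same build-time assumption.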