diff --git a/mantle/cmd/ore/aws/upload.go b/mantle/cmd/ore/aws/upload.go
index 880180926d..9c3c8c78cf 100644
--- a/mantle/cmd/ore/aws/upload.go
+++ b/mantle/cmd/ore/aws/upload.go
@@ -64,6 +64,9 @@ After a successful run, the final line of output will be a line of JSON describi
 	uploadGrantUsers []string
 	uploadGrantUsersSnapshot []string
 	uploadTags []string
+	uploadIMDSv2Only bool
+	uploadVolumeType string
+	uploadX86BootMode string
 )
 
 func init() {
@@ -85,6 +88,9 @@ func init() {
 	cmdUpload.Flags().StringSliceVar(&uploadGrantUsers, "grant-user", []string{}, "grant launch permission to this AWS user ID")
 	cmdUpload.Flags().StringSliceVar(&uploadGrantUsersSnapshot, "grant-user-snapshot", []string{}, "grant snapshot volume permission to this AWS user ID")
 	cmdUpload.Flags().StringSliceVar(&uploadTags, "tags", []string{}, "list of key=value tags to attach to the AMI")
+	cmdUpload.Flags().BoolVar(&uploadIMDSv2Only, "imdsv2-only", false, "enable IMDSv2-only support")
+	cmdUpload.Flags().StringVar(&uploadVolumeType, "volume-type", "gp3", "EBS volume type (gp3, gp2, io1, st1, sc1, standard, etc.)")
+	cmdUpload.Flags().StringVar(&uploadX86BootMode, "x86-boot-mode", "uefi-preferred", "Set boot mode (uefi-preferred, uefi)")
 }
 
 func defaultBucketNameForRegion(region string) string {
@@ -243,7 +249,7 @@ func runUpload(cmd *cobra.Command, args []string) error {
 	}
 
 	// create AMIs and grant permissions
-	amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture)
+	amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2Only, uploadX86BootMode)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "unable to create HVM image: %v\n", err)
 		os.Exit(1)
diff --git a/mantle/platform/api/aws/images.go b/mantle/platform/api/aws/images.go
index c465ad4405..70779a4830 100644
--- a/mantle/platform/api/aws/images.go
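Review bot: The new `--x86-boot-mode` and `--volume-type` flags are forwarded as free-form strings with no validation, so a typo such as `uefi-prefered` is only rejected by EC2 at RegisterImage time, presumably after the snapshot import has already completed. A check in runUpload against the values the help text advertises would fail fast; the SDK's `ec2.BootModeValuesUefiPreferred` and `ec2.BootModeValuesUefi` can serve as the allowed set. The `--imdsv2-only` default of `false` here also differs from the `aws-imdsv2-only: true` that `src/image-default.yaml` sets for cosa-driven builds, so a direct `ore aws upload` registers an AMI without IMDSv2 enforcement unless the flag is given; the help string should say what the flag does, e.g. `"register the AMI with IMDSv2 required (ImdsSupport v2.0) for instances launched from it"`. runUpload itself lies outside this hunk.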
+++ b/mantle/platform/api/aws/images.go
@@ -329,21 +329,28 @@ func (a *API) CreateImportRole(bucket string) error {
 	return nil
 }
 
-func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string) (string, error) {
+func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool, X86BootMode string) (string, error) {
 	var awsArch string
+	var bootmode string
 	if architecture == "" {
 		architecture = runtime.GOARCH
 	}
 	switch architecture {
 	case "amd64", "x86_64":
 		awsArch = ec2.ArchitectureTypeX8664
+		bootmode = X86BootMode
 	case "arm64", "aarch64":
 		awsArch = ec2.ArchitectureTypeArm64
+		bootmode = "uefi"
 	default:
 		return "", fmt.Errorf("unsupported ec2 architecture %q", architecture)
 	}
 
-	return a.createImage(&ec2.RegisterImageInput{
+	// default to gp3
+	if volumetype == "" {
+		volumetype = "gp3"
+	}
+	params := &ec2.RegisterImageInput{
 		Name: aws.String(name),
 		Description: aws.String(description),
 		Architecture: aws.String(awsArch),
@@ -356,7 +363,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 					SnapshotId: aws.String(snapshotID),
 					DeleteOnTermination: aws.Bool(true),
 					VolumeSize: aws.Int64(int64(diskSizeGiB)),
-					VolumeType: aws.String("gp2"),
+					VolumeType: aws.String(volumetype),
 				},
 			},
 			{
@@ -366,7 +373,13 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 		},
 		EnaSupport: aws.Bool(true),
 		SriovNetSupport: aws.String("simple"),
-	})
+		BootMode: aws.String(bootmode),
+	}
+	if imdsv2Only {
+		params.ImdsSupport = aws.String("v2.0")
+	}
+
+	return a.createImage(params)
 }
 
 func (a *API) deregisterImageIfExists(name string) error {
diff --git a/src/cosalib/aws.py b/src/cosalib/aws.py
index 2cfe96be26..9c897a8579 100644
--- a/src/cosalib/aws.py
+++ b/src/cosalib/aws.py
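Review bot: `volumetype` gets a `gp3` fallback when empty but `bootmode` does not, so an x86 caller that passes `""` sends `BootMode: aws.String("")` to RegisterImage, which EC2 is unlikely to accept, instead of falling back to the documented default; mirror the volume-type handling with `if X86BootMode == "" { X86BootMode = ec2.BootModeValuesUefiPreferred }` and use `ec2.BootModeValuesUefi` for the arm64 literal, and consider rejecting any other value up front so the error names the bad input rather than surfacing as an EC2 API message. On naming, `X86BootMode` is an exported-style parameter and `volumetype`/`bootmode` drop the camel case; Go convention is `x86BootMode`, `volumeType`, `bootMode`. The exported signature changed, so any other caller of CreateHVMImage in mantle needs the new arguments — only the ore upload command is updated in this diff, though I cannot see the rest of the tree. The function body continues in the next two hunks.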
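Review bot: `aws.String("v2.0")` is a magic string for an EC2 enum that the SDK already names, and the line needs a why-comment because its effect is not visible from the value: `params.ImdsSupport = aws.String(ec2.ImdsSupportValuesV20) // instances launched from this AMI default to IMDSv2-only (HttpTokens=required), so metadata/credential reads need a session token`. With this set, guest software that still relies on IMDSv1 unauthenticated requests will fail to obtain credentials, which is the intended hardening but belongs in CreateHVMImage's doc comment alongside the new parameters. The function starts in the first hunk of this file.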
@@ -5,9 +5,10 @@
 import sys
 
 from cosalib.cmdlib import (
-    retry_stop,
+    flatten_image_yaml,
     retry_boto_exception,
-    retry_callback
+    retry_callback,
+    retry_stop
 )
 from tenacity import (
     retry,
@@ -126,6 +127,17 @@ def aws_run_ore(build, args):
     region = "us-east-1"
     if args.region is not None and len(args.region) > 0:
         region = args.region[0]
+    # Capture any input from image.yaml
+    image_yaml = flatten_image_yaml(
+        '/usr/lib/coreos-assembler/image-default.yaml',
+        flatten_image_yaml('src/config/image.yaml')
+    )
+    if 'aws-imdsv2-only' in image_yaml and image_yaml['aws-imdsv2-only']:
+        ore_args.extend(['--imdsv2-only'])
+    if 'aws-volume-type' in image_yaml:
+        ore_args.extend(['--volume-type', image_yaml['aws-volume-type']])
+    if 'aws-x86-boot-mode' in image_yaml:
+        ore_args.extend(['--x86-boot-mode', image_yaml['aws-x86-boot-mode']])
 
     ore_args.extend([
         '--region', f"{region}",
diff --git a/src/image-default.yaml b/src/image-default.yaml
index 8755f534ba..a3e6556729 100644
--- a/src/image-default.yaml
+++ b/src/image-default.yaml
@@ -27,3 +27,8 @@ squashfs-compression: zstd
 vmware-hw-version: 13
 vmware-os-type: rhel7_64Guest
 vmware-secure-boot: true
+
+# Defaults for AWS
+aws-imdsv2-only: true
+aws-volume-type: "gp3"
+aws-x86-boot-mode: "uefi-preferred"
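Review bot: Because `src/image-default.yaml` now defines all three `aws-*` keys, the three `in image_yaml` guards in the second hunk are always satisfied and the flags are always forwarded, so ore's own `--imdsv2-only` default no longer matters for cosa builds; that is fine but deserves a comment, e.g. `# image-default.yaml always provides these keys; src/config/image.yaml may override them`. Stylistically `if 'aws-imdsv2-only' in image_yaml and image_yaml['aws-imdsv2-only']:` reads better as `if image_yaml.get('aws-imdsv2-only'):`, and the two string values could be wrapped in `str()` since an unquoted YAML value may not arrive as a string, which would presumably break the later subprocess call. The relative path `'src/config/image.yaml'` assumes the build directory is the cwd; presumably that matches how the rest of cosalib locates the config, but worth confirming. aws_run_ore begins before this hunk.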
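Review bot: The new defaults carry no explanation of their effect, and `aws-imdsv2-only: true` changes the security posture of every AMI built with the defaults, so it deserves a comment such as `# Register AMIs with IMDSv2 required (ImdsSupport v2.0); guests must use session-token metadata requests`. It would also help to state that a config can opt out by setting the key to `false` in src/config/image.yaml, since `aws_run_ore` only passes `--imdsv2-only` when the merged value is truthy and, if the overlay order in the `flatten_image_yaml` call is as it appears, the per-config file overrides this default.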