From 3c037399dafa969898be1b3c520013bd208cc0bd Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Fri, 24 Mar 2023 11:35:19 -0400 Subject: [PATCH 1/3] mantle/aws: set boot mode to `uefi-preferred` AWS now allows marking an AMI as "UEFI-preferred"; i.e. that both BIOS and UEFI are supported, but the latter is preferred if the instance type supports it. Let's make use of it. A change proposal has been submitted for Fedora 39 to also do this for the Fedora Cloud image. Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html Ref: https://fedoraproject.org/wiki/Changes/CloudEC2UEFIPreferred --- mantle/platform/api/aws/images.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mantle/platform/api/aws/images.go b/mantle/platform/api/aws/images.go index c465ad4405..29f4f0e0f0 100644 --- a/mantle/platform/api/aws/images.go +++ b/mantle/platform/api/aws/images.go @@ -331,14 +331,17 @@ func (a *API) CreateImportRole(bucket string) error { func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string) (string, error) { var awsArch string + var bootmode string if architecture == "" { architecture = runtime.GOARCH } switch architecture { case "amd64", "x86_64": awsArch = ec2.ArchitectureTypeX8664 + bootmode = "uefi-preferred" case "arm64", "aarch64": awsArch = ec2.ArchitectureTypeArm64 + bootmode = "uefi" default: return "", fmt.Errorf("unsupported ec2 architecture %q", architecture) } @@ -366,6 +369,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d }, EnaSupport: aws.Bool(true), SriovNetSupport: aws.String("simple"), + BootMode: aws.String(bootmode), }) } From be0e69fe4fba6f2b6e2c748c7f333c7c2dc9ae5e Mon Sep 17 00:00:00 2001 
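Review bot: The new switch assigns `uefi-preferred` for x86_64 and `uefi` for arm64 without recording why the two differ, and the only statement that the x86_64 image boots under both BIOS and UEFI lives in the commit message, not next to the code. Suggest a comment above the `switch architecture {` line: `// x86_64 images carry both BIOS and UEFI boot paths, so advertise uefi-preferred (UEFI is used when the instance type supports it); arm64 instances on EC2 boot UEFI only.` Since `uefi-preferred` is a promise that the image really boots both ways, the comment should also say that dropping the BIOS boot path from the image means changing this value to `uefi`, or instances on non-UEFI instance types will fail to boot. CreateHVMImage's body continues outside the hunk.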
From: Steven Presti Date: Tue, 12 Sep 2023 15:18:51 -0400 Subject: [PATCH 2/3] mantle/aws: add configuration support for VolumeType and IMDSv2 support IMDSv2-only has the potential to break existing systems, so expose configuration through an environment variable defined in 'image-default.yaml' to override defaults. Default the volume type to 'gp3'; while 'gp3' is generally better, there could be a reason to change it. Expose configuration through an environment variable defined in 'image-default.yaml' to allow for overriding. Docs: IMDSv2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration GP3: https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-storage-compare-volume-types.html --- mantle/cmd/ore/aws/upload.go | 6 +++++- mantle/platform/api/aws/images.go | 17 +++++++++++++---- src/cosalib/aws.py | 14 ++++++++++++-- src/image-default.yaml | 4 ++++ 4 files changed, 34 insertions(+), 7 deletions(-) diff --git a/mantle/cmd/ore/aws/upload.go b/mantle/cmd/ore/aws/upload.go index 880180926d..d7d83b55a2 100644 --- a/mantle/cmd/ore/aws/upload.go +++ b/mantle/cmd/ore/aws/upload.go @@ -64,6 +64,8 @@ After a successful run, the final line of output will be a line of JSON describi uploadGrantUsers []string uploadGrantUsersSnapshot []string uploadTags []string + uploadIMDSv2Only bool + uploadVolumeType string ) func init() { 
@@ -85,6 +87,8 @@ func init() { cmdUpload.Flags().StringSliceVar(&uploadGrantUsers, "grant-user", []string{}, "grant launch permission to this AWS user ID") cmdUpload.Flags().StringSliceVar(&uploadGrantUsersSnapshot, "grant-user-snapshot", []string{}, "grant snapshot volume permission to this AWS user ID") cmdUpload.Flags().StringSliceVar(&uploadTags, "tags", []string{}, "list of key=value tags to attach to the AMI") + cmdUpload.Flags().BoolVar(&uploadIMDSv2Only, "imdsv2-only", false, "enable IMDSv2-only support") + cmdUpload.Flags().StringVar(&uploadVolumeType, "volume-type", "gp3", "EBS volume type (gp3, gp2, io1, st1, sc1, standard, etc.)") } func defaultBucketNameForRegion(region string) string { @@ -243,7 +247,7 @@ func runUpload(cmd *cobra.Command, args []string) error { } // create AMIs and grant permissions - amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture) + amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2Only) if err != nil { fmt.Fprintf(os.Stderr, "unable to create HVM image: %v\n", err) os.Exit(1) diff --git a/mantle/platform/api/aws/images.go b/mantle/platform/api/aws/images.go index 29f4f0e0f0..4e81e5b8f2 100644 --- a/mantle/platform/api/aws/images.go +++ b/mantle/platform/api/aws/images.go @@ -329,7 +329,7 @@ func (a *API) CreateImportRole(bucket string) error { return nil } -func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string) (string, error) { +func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool) (string, error) { var awsArch string var bootmode string if architecture == "" { 
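Review bot: The `--volume-type` help text advertises `io1`, `st1` and `sc1`, but the block device mapping that images.go builds for this AMI sets only VolumeSize and VolumeType, so `io1` (which requires an Iops value) would be rejected by RegisterImage, and AWS documents `st1`/`sc1` as not usable for boot volumes. Suggest narrowing the help to what works for the root device, e.g. `"EBS volume type for the AMI's root volume (gp3, gp2, standard)"`, or validating the value before the upload starts so the failure is reported before the snapshot work is done. The `--imdsv2-only` help could also say what the flag changes: `"register the AMI with IMDSv2 required (IMDSv1 disabled on launched instances)"`. The cosa defaults in image-default.yaml set this to true while the flag default here is false, so direct `ore aws upload` callers keep IMDSv1 enabled unless they pass the flag; that difference is worth stating in the help.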
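Review bot: The new parameter `volumetype` does not follow Go's MixedCaps convention (`volumeType` would match `snapshotID` and `diskSizeGiB` beside it), and the follow-up signature change in patch 3 (the `@@ -329,7 +329,7 @@` hunk of images.go) adds `X86BootMode`, which is capitalised like an exported identifier although it is a parameter; `x86BootMode` would match `imdsv2Only`. CreateHVMImage is exported and now takes seven positional parameters (eight after patch 3) with no doc comment; a comment starting `// CreateHVMImage registers an HVM AMI from snapshotID ...` that states what volumetype and imdsv2Only do (an empty volumetype falls back to gp3; imdsv2Only sets ImdsSupport to v2.0) would help callers. The function body continues outside the hunk.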
@@ -346,7 +346,11 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d return "", fmt.Errorf("unsupported ec2 architecture %q", architecture) } - return a.createImage(&ec2.RegisterImageInput{ + // default to gp3 + if volumetype == "" { + volumetype = "gp3" + } + params := &ec2.RegisterImageInput{ Name: aws.String(name), Description: aws.String(description), Architecture: aws.String(awsArch), @@ -359,7 +363,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d SnapshotId: aws.String(snapshotID), DeleteOnTermination: aws.Bool(true), VolumeSize: aws.Int64(int64(diskSizeGiB)), - VolumeType: aws.String("gp2"), + VolumeType: aws.String(volumetype), }, }, { @@ -370,7 +374,12 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d EnaSupport: aws.Bool(true), SriovNetSupport: aws.String("simple"), BootMode: aws.String(bootmode), - }) + } + if imdsv2Only { + params.ImdsSupport = aws.String("v2.0") + } + + return a.createImage(params) } func (a *API) deregisterImageIfExists(name string) error { diff --git a/src/cosalib/aws.py b/src/cosalib/aws.py index 2cfe96be26..b9bae5abd2 100644 --- a/src/cosalib/aws.py +++ b/src/cosalib/aws.py @@ -5,9 +5,10 @@ import sys from cosalib.cmdlib import ( - retry_stop, + flatten_image_yaml, retry_boto_exception, - retry_callback + retry_callback, + retry_stop ) from tenacity import ( retry, 
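Review bot: The `gp3` fallback at `if volumetype == ""` repeats the literal that upload.go already uses as the flag default, so the two can drift apart silently; `ec2.VolumeTypeGp3` from the same SDK package that supplies `ec2.ArchitectureTypeX8664` would give both sites one source of truth. The comment `// default to gp3` says what the code does but not why an empty value is accepted here at all; `// callers other than ore may pass "", so the gp3 default lives here rather than in every caller` would record the intent. No validation is done on other values, which is acceptable as long as the RegisterImage error is surfaced, but the block device mapping below carries no Iops, so io1/io2 cannot work through this path and the doc comment should say so.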
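Review bot: `params.ImdsSupport = aws.String("v2.0")` is the security-relevant line of this change and carries no comment about its effect; suggest `// "v2.0" makes instances launched from this AMI default to HttpTokens=required, i.e. IMDSv1 is disabled unless the launcher overrides it.` above it. If the vendored SDK defines `ec2.ImdsSupportValuesV20` (it should, since the ImdsSupport field this line relies on arrived with it), prefer it over the bare string literal. Note that when imdsv2Only is false the field is simply left unset, so the AMI inherits the AWS default rather than an explicit v1 setting; that is worth a line in the CreateHVMImage doc comment.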
@@ -126,6 +127,15 @@ def aws_run_ore(build, args): region = "us-east-1" if args.region is not None and len(args.region) > 0: region = args.region[0] + # Capture any input from image.yaml + image_yaml = flatten_image_yaml( + '/usr/lib/coreos-assembler/image-default.yaml', + flatten_image_yaml('src/config/image.yaml') + ) + if 'aws-imdsv2-only' in image_yaml and image_yaml['aws-imdsv2-only']: + ore_args.extend(['--imdsv2-only']) + if 'aws-volume-type' in image_yaml: + ore_args.extend(['--volume-type', image_yaml['aws-volume-type']]) ore_args.extend([ '--region', f"{region}", diff --git a/src/image-default.yaml b/src/image-default.yaml index 8755f534ba..97bf0fecd4 100644 --- a/src/image-default.yaml +++ b/src/image-default.yaml @@ -27,3 +27,7 @@ squashfs-compression: zstd vmware-hw-version: 13 vmware-os-type: rhel7_64Guest vmware-secure-boot: true + +# Defaults for AWS +aws-imdsv2-only: true +aws-volume-type: "gp3" From e1eaa31d2496fd94c11cdc1e098fb0c2502c0f60 Mon Sep 17 00:00:00 2001 From: Steven Presti Date: Wed, 13 Sep 2023 10:24:31 -0400 Subject: [PATCH 3/3] mantle/aws: add configuration support for boot mode Add configuration for boot mode when used with a supported architecture i.e. 'amd64/x86_64'. With a default of 'uefi-preferred'. --- mantle/cmd/ore/aws/upload.go | 4 +++- mantle/platform/api/aws/images.go | 4 ++-- src/cosalib/aws.py | 2 ++ src/image-default.yaml | 1 + 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/mantle/cmd/ore/aws/upload.go b/mantle/cmd/ore/aws/upload.go index d7d83b55a2..9c3c8c78cf 100644 --- a/mantle/cmd/ore/aws/upload.go +++ b/mantle/cmd/ore/aws/upload.go @@ -66,6 +66,7 @@ After a successful run, the final line of output will be a line of JSON describi uploadTags []string uploadIMDSv2Only bool uploadVolumeType string + uploadX86BootMode string ) func init() { 
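Review bot: `image_yaml['aws-volume-type']` is appended to `ore_args` unchanged, so a non-string value in image.yaml (for example `aws-volume-type: null` written to cancel the override, or an unquoted number) lands in an argv list and fails later in the subprocess call instead of here; the same applies to the `aws-x86-boot-mode` branch added in patch 3 (`@@ -136,6 +136,8 @@`). Prefer `dict.get` and coerce: `vol = image_yaml.get('aws-volume-type')` / `if vol is not None: ore_args.extend(['--volume-type', str(vol)])`, and likewise `if image_yaml.get('aws-imdsv2-only'): ore_args.append('--imdsv2-only')`. The nested `flatten_image_yaml` call leaves the override order implicit; a one-line comment stating which file wins (presumably `src/config/image.yaml` over the shipped defaults, to be confirmed against flatten_image_yaml) would save the next reader a lookup. aws_run_ore continues outside the hunk.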
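Review bot: The two new keys are undocumented beyond `# Defaults for AWS`, and `aws-imdsv2-only: true` is the one a downstream image.yaml is most likely to flip, so it should say what flipping it costs: `# Register AMIs with IMDSv2 required (IMDSv1 disabled on launched instances); set false only for guests that still need IMDSv1.` and, for the other key, `# EBS volume type for the AMI's root volume.` The `aws-x86-boot-mode` key added in patch 3 (`@@ -31,3 +31,4 @@`) deserves the same treatment, including a note that it is ignored for arm64.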
@@ -89,6 +90,7 @@ func init() { cmdUpload.Flags().StringSliceVar(&uploadTags, "tags", []string{}, "list of key=value tags to attach to the AMI") cmdUpload.Flags().BoolVar(&uploadIMDSv2Only, "imdsv2-only", false, "enable IMDSv2-only support") cmdUpload.Flags().StringVar(&uploadVolumeType, "volume-type", "gp3", "EBS volume type (gp3, gp2, io1, st1, sc1, standard, etc.)") + cmdUpload.Flags().StringVar(&uploadX86BootMode, "x86-boot-mode", "uefi-preferred", "Set boot mode (uefi-preferred, uefi)") } func defaultBucketNameForRegion(region string) string { @@ -247,7 +249,7 @@ func runUpload(cmd *cobra.Command, args []string) error { } // create AMIs and grant permissions - amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2Only) + amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2Only, uploadX86BootMode) if err != nil { fmt.Fprintf(os.Stderr, "unable to create HVM image: %v\n", err) os.Exit(1) diff --git a/mantle/platform/api/aws/images.go b/mantle/platform/api/aws/images.go index 4e81e5b8f2..70779a4830 100644 --- a/mantle/platform/api/aws/images.go +++ b/mantle/platform/api/aws/images.go @@ -329,7 +329,7 @@ func (a *API) CreateImportRole(bucket string) error { return nil } -func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool) (string, error) { +func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool, X86BootMode string) (string, error) { var awsArch string var bootmode string if architecture == "" { 
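Review bot: The `--x86-boot-mode` help string `"Set boot mode (uefi-preferred, uefi)"` is the only one in this block that starts with a capital, and it does not say the flag applies only to x86_64 (images.go hard-codes `uefi` for arm64, so the value is silently ignored there). Suggest `"boot mode for x86_64 AMIs: uefi-preferred or uefi (ignored for arm64)"`. Because the value reaches RegisterImage unchecked, the help should also make clear that an empty string is not a valid AMI boot mode.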
@@ -338,7 +338,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d switch architecture { case "amd64", "x86_64": awsArch = ec2.ArchitectureTypeX8664 - bootmode = "uefi-preferred" + bootmode = X86BootMode case "arm64", "aarch64": awsArch = ec2.ArchitectureTypeArm64 bootmode = "uefi" diff --git a/src/cosalib/aws.py b/src/cosalib/aws.py index b9bae5abd2..9c897a8579 100644 --- a/src/cosalib/aws.py +++ b/src/cosalib/aws.py @@ -136,6 +136,8 @@ def aws_run_ore(build, args): ore_args.extend(['--imdsv2-only']) if 'aws-volume-type' in image_yaml: ore_args.extend(['--volume-type', image_yaml['aws-volume-type']]) + if 'aws-x86-boot-mode' in image_yaml: + ore_args.extend(['--x86-boot-mode', image_yaml['aws-x86-boot-mode']]) ore_args.extend([ '--region', f"{region}", diff --git a/src/image-default.yaml b/src/image-default.yaml index 97bf0fecd4..a3e6556729 100644 --- a/src/image-default.yaml +++ b/src/image-default.yaml @@ -31,3 +31,4 @@ vmware-secure-boot: true # Defaults for AWS aws-imdsv2-only: true aws-volume-type: "gp3" +aws-x86-boot-mode: "uefi-preferred"
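Review bot: `bootmode = X86BootMode` forwards whatever the caller passed, so an empty string — which the new parameter makes possible for any caller other than ore, and which the sibling `volumetype` parameter explicitly defaults — becomes `BootMode: aws.String("")` and only fails inside RegisterImage, and a typo such as `uefi-prefered` fails the same late way. Mirror the volumetype handling: treat `""` as `uefi-preferred` and reject anything other than the two values the flag documents up front, so the error names the bad input before the AMI registration is attempted. If the vendored SDK defines `ec2.BootModeValuesUefi`/`ec2.BootModeValuesUefiPreferred`, those can replace the literals. The enclosing switch and function continue outside the hunk.
```go
	case "amd64", "x86_64":
		awsArch = ec2.ArchitectureTypeX8664
		// Like volumetype, an empty value means "use the default"; anything else
		// must be a boot mode RegisterImage accepts for x86_64.
		switch X86BootMode {
		case "", "uefi-preferred":
			bootmode = "uefi-preferred"
		case "uefi":
			bootmode = "uefi"
		default:
			return "", fmt.Errorf("unsupported x86 boot mode %q", X86BootMode)
		}
	// … unchanged: arm64 case and default …
```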