-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
qemu-secex: improve localbuild #3927
Conversation
086ce1e
to
4b2ae8e
Compare
6ffe317
to
d2d497a
Compare
f349993
to
6150a01
Compare
hey @nikita-dubrovskii - if possible can we hold this until #3930 merges? There are a bunch of changes in there, including moving code in buildextend-metal around quite a bit and I'd prefer not to have to do merges conflict resolution for all of those commits. |
No worries, this can wait. Mind a review? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks sane to me overall!
The other PR merged now. You'll need to put this logic inside |
d389014
to
4827d87
Compare
I'm trying to figure out why it was trying to mount on first boot with the units that existed before this change.. Does |
It doesn't. As i got from docs - generator with condition(s) should be used. |
e2b527b
to
c3fe4cb
Compare
ssh access to the VM is not required, was here just for debug purposes.
Cannot recall the reason why script was under '/etc', so removing this weird path.
We use CoreOS as base system for the FakeSecureVM, unfortunately it's not possible to generate 'sdboot' image during `firstboot`, because ignition checks for unique `boot` labeled fs, but added as a disk qemu-secex.qcow2 image has its onw 'boot' partition.
This fixes an issue when during firstboot system tried to mount genprotimg partition.
Automatically generates genprotimgvm during build, when official one is not available and/or there is no so-called "IBM Universal Hostkey". Main goal is to support local/custom build of qemu-secex target. Assuming there is a valid hostkey (/srv/secex-hostkey), it'd possible to generate coreos.qemu-secex.qcow2 just by running: ``` cosa cmd-buildextend-secex ``` If later there is a need to build some other variant, previously generated genprotimgvm could be used again: ``` cosa buildextend-secex --force --genprotimgvm path/to/fake-secure-vm.qcow2 ```
c3fe4cb
to
4cdb9b6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thanks for explaining so much to me as I learn what is going on here.
Type=ext4 | ||
Options=rw,noatime | ||
EOF | ||
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/" | ||
systemd: | ||
units: | ||
- name: [email protected] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
feel free to delete this if you want.. in my earlier code review comment I was just saying that if we do delete it lets put it in a separate commit with a reason even if that reason is "make it more like the ubuntu VM that is used to generate secex artifacts".
Type=ext4 | ||
Options=rw,noatime | ||
EOF | ||
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional/wondering:
I'm guessing it wouldn't work to put this unit also in the systemd section of the butane along with genprotimg.service, but with both of them enabled false and then here we just
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/" | |
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/" | |
ln -sf "../genprotimg.service "${UNIT_DIR}/default.target.wants/" |
and thats pretty much all the generator does.
Automatically generates
genprotimgvm
during build, when official one is not available and/or there isno so-called "IBM Universal Hostkey". Main goal is to support local/custom build of
qemu-secex
target.Assuming there is a valid hostkey, now it's possible to generate
coreos.qemu-secex.qcow2
just by running:If later there is a need to build some other variant, user can use previously generated
genprotimgvm
: