Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

qemu-secex: improve localbuild #3927

Merged
merged 6 commits into from
Nov 15, 2024
Merged

Conversation

nikita-dubrovskii
Copy link
Contributor

@nikita-dubrovskii nikita-dubrovskii commented Nov 8, 2024

Automatically generates genprotimgvm during build, when official one is not available and/or there is
no so-called "IBM Universal Hostkey". Main goal is to support local/custom build of qemu-secex target.
Assuming there is a valid hostkey, now it's possible to generate coreos.qemu-secex.qcow2 just by running:

cosa cmd-buildextend-secex --hostkey /srv/HKD-dev.crt

If later there is a need to build some other variant, user can use previously generated genprotimgvm:

cosa buildextend-secex --force --genprotimgvm /srv/fake-secure-vm.qcow2

@nikita-dubrovskii nikita-dubrovskii force-pushed the genprotimg_vm branch 2 times, most recently from 086ce1e to 4b2ae8e Compare November 11, 2024 13:08
@nikita-dubrovskii nikita-dubrovskii changed the title genprotimg.bu: update template qemu-secex: impove localbuild Nov 11, 2024
@nikita-dubrovskii nikita-dubrovskii force-pushed the genprotimg_vm branch 4 times, most recently from 6ffe317 to d2d497a Compare November 11, 2024 16:15
@nikita-dubrovskii nikita-dubrovskii changed the title qemu-secex: impove localbuild qemu-secex: improve localbuild Nov 12, 2024
@dustymabe
Copy link
Member

hey @nikita-dubrovskii - if possible can we hold this until #3930 merges?

There are a bunch of changes in there, including moving code in buildextend-metal around quite a bit and I'd prefer not to have to do merges conflict resolution for all of those commits.

@nikita-dubrovskii
Copy link
Contributor Author

hey @nikita-dubrovskii - if possible can we hold this until #3930 merges?

There are a bunch of changes in there, including moving code in buildextend-metal around quite a bit and I'd prefer not to have to do merges conflict resolution for all of those commits.

No worries, this can wait. Mind a review?

jlebon
jlebon previously approved these changes Nov 13, 2024
Copy link
Member

@jlebon jlebon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks sane to me overall!

src/cmd-buildextend-metal Outdated Show resolved Hide resolved
src/cmd-buildextend-metal Outdated Show resolved Hide resolved
@dustymabe
Copy link
Member

No worries, this can wait. Mind a review?

The other PR merged now. You'll need to put this logic inside cmd-osbuild now.

@dustymabe
Copy link
Member

genprotimg.bu: add coreos-genprotimg-generator

This fixes an issue when during firstboot system tried to mount
genprotimg partition.

I'm trying to figure out why it was trying to mount on first boot with the units that existed before this change.. Does ConditionKernelCommandLine=!ignition.firstboot not work on a .mount unit?

@nikita-dubrovskii
Copy link
Contributor Author

genprotimg.bu: add coreos-genprotimg-generator
This fixes an issue when during firstboot system tried to mount
genprotimg partition.

I'm trying to figure out why it was trying to mount on first boot with the units that existed before this change.. Does ConditionKernelCommandLine=!ignition.firstboot not work on a .mount unit?

It doesn't. As i got from docs - generator with condition(s) should be used.

src/secex-genprotimgvm-scripts/genprotimg.bu Outdated Show resolved Hide resolved
src/secex-genprotimgvm-scripts/genprotimg.bu Outdated Show resolved Hide resolved
src/secex-genprotimgvm-scripts/genprotimg.bu Show resolved Hide resolved
src/secex-genprotimgvm-scripts/genprotimg.bu Outdated Show resolved Hide resolved
src/secex-genprotimgvm-scripts/genprotimg.bu Show resolved Hide resolved
src/cmd-osbuild Show resolved Hide resolved
src/cmd-osbuild Show resolved Hide resolved
src/cmd-osbuild Show resolved Hide resolved
src/cmd-osbuild Outdated Show resolved Hide resolved
ssh access to the VM is not required, was here just for
debug purposes.
Cannot recall the reason why script was under '/etc', so removing this
weird path.
We use CoreOS as base system for the FakeSecureVM, unfortunately
it's not possible to generate 'sdboot' image during `firstboot`,
because ignition checks for unique `boot` labeled fs, but added
as a disk qemu-secex.qcow2 image has its onw 'boot' partition.
This fixes an issue when during firstboot system tried to mount
genprotimg partition.
Automatically generates genprotimgvm during build, when official one
is not available and/or there is no so-called "IBM Universal Hostkey".
Main goal is to support local/custom build of qemu-secex target.
Assuming there is a valid hostkey (/srv/secex-hostkey), it'd possible to
generate coreos.qemu-secex.qcow2 just by running:
```
cosa cmd-buildextend-secex
```

If later there is a need to build some other variant, previously
generated genprotimgvm could be used again:
```
cosa buildextend-secex --force --genprotimgvm path/to/fake-secure-vm.qcow2
```
Copy link
Member

@dustymabe dustymabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks for explaining so much to me as I learn what is going on here.

Type=ext4
Options=rw,noatime
EOF
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/"
systemd:
units:
- name: [email protected]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

feel free to delete this if you want.. in my earlier code review comment I was just saying that if we do delete it lets put it in a separate commit with a reason even if that reason is "make it more like the ubuntu VM that is used to generate secex artifacts".

Type=ext4
Options=rw,noatime
EOF
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional/wondering:

I'm guessing it wouldn't work to put this unit also in the systemd section of the butane along with genprotimg.service, but with both of them enabled false and then here we just

Suggested change
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/"
ln -sf "../var-build.mount" "${UNIT_DIR}/default.target.wants/"
ln -sf "../genprotimg.service "${UNIT_DIR}/default.target.wants/"

and thats pretty much all the generator does.

@dustymabe dustymabe merged commit 19998b3 into coreos:main Nov 15, 2024
5 checks passed
@nikita-dubrovskii nikita-dubrovskii deleted the genprotimg_vm branch November 15, 2024 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants