SetupOS 2

.gitignore

@@ -70,6 +70,7 @@ test_report.xml
 
 # IC-OS disk images
 *-os.iso
+*os.img
 *-img.tar.gz
 *-img.tar.zst
 

gitlab-ci/config/53--host-os-build--build-setupos.yml

@@ -12,21 +12,22 @@ setup-os-iso:
     - |
       set -xeuo pipefail
       VERSION=$(git rev-parse HEAD)
+      export VERSION
       echo "Build ID: ${VERSION}"
 
+      cd "${CI_PROJECT_DIR}"/ic-os/setupos
+
       # NOTE: This is currently hardcoded to a specific blessed version of guestOS
       "$CI_PROJECT_DIR"/gitlab-ci/src/artifacts/rclone_download.py --remote-path=guest-os --out=guestos --git-rev="${VERSION}"
       "$CI_PROJECT_DIR"/gitlab-ci/src/artifacts/rclone_download.py --remote-path=host-os --out=hostos --git-rev="${VERSION}"
 
-      BUILD_OUT="ic-os/setupos/build-out"
-      UPLOAD_TARGET="setup-os"
-
-      ic-os/setupos/scripts/build-iso.sh \
-        --guest-os=./guestos/disk-img/disk-img.tar.gz \
-        --host-os=./hostos/disk-img/host-disk-img.tar.gz \
-        --output="$BUILD_OUT"
+      BUILD_OUT="build-out/disk-img"
+      BUILD_TMP="build-tmp"
+      UPLOAD_TARGET="setup-os/disk-img"
 
-      "$CI_PROJECT_DIR"/gitlab-ci/src/artifacts/openssl-sign.sh "$BUILD_OUT"
+      buildevents cmd "${ROOT_PIPELINE_ID}" "${CI_JOB_ID}" build-host-img -- \
+      "${CI_PROJECT_DIR}"/gitlab-ci/src/job_scripts/lib/setup-os-diskimg.sh \
+        "$BUILD_OUT" "$BUILD_TMP" "$UPLOAD_TARGET" "$VERSION"
 
       buildevents cmd "$ROOT_PIPELINE_ID" "$CI_JOB_ID" rclone -- \
       "${CI_PROJECT_DIR}"/gitlab-ci/src/artifacts/rclone_upload.py --version="${VERSION}" "$BUILD_OUT" "$UPLOAD_TARGET"

gitlab-ci/config/53--host-os-build--setupos-base-image.yml

@@ -0,0 +1,33 @@
+deploy-setup-os-baseimg:
+  extends:
+    - .ubuntu-nix-docker-protected
+    - .rules-protected-branch-manual
+  stage: host-os-build
+  needs: []
+  script:
+   - |
+    set -euo pipefail
+
+    TAG=$(date '+%Y-%m-%d-%H%M')
+
+    docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD"
+    cd "${CI_PROJECT_DIR}/ic-os/setupos/rootfs"
+    docker build -q -t dfinity/setupos-base:"$TAG" -t dfinity/setupos-base:latest -f Dockerfile.base .
+    docker push dfinity/setupos-base:"$TAG"
+
+    echo "Use the image with it's SHA256 DIGEST below for IC-OS Dockerfile"
+    docker inspect --format='{{index .RepoDigests 0}}' dfinity/setupos-base:"$TAG"
+
+build-setup-os-baseimg:
+  extends:
+    - .cargo-build-docker
+    - .rules-dockerfile-base-changes
+  stage: host-os-build
+  needs: []
+  script:
+  - |
+    set -euo pipefail
+
+    TAG=$(date '+%Y-%m-%d-%H%M')
+    cd "${CI_PROJECT_DIR}/ic-os/setupos/rootfs"
+    docker build -t dfinity/setupos-base:"$TAG" -t dfinity/setupos-base:latest -f Dockerfile.base .

gitlab-ci/src/job_scripts/lib/setup-os-diskimg.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+#
+# Script for setup-os-diskimg CI job
+#
+
+set -euo pipefail
+
+BUILD_OUT=${1:-"build-out/disk-img"}
+BUILD_TMP=${2:-"build-tmp"}
+UPLOAD_TARGET=${3:-"setup-os/disk-img"}
+VERSION=${4:-$(git rev-parse --verify HEAD)}
+
+ROOT_DIR=$(git rev-parse --show-toplevel)
+ls -lah /var/run/docker.sock
+groups
+
+cd "$ROOT_DIR"
+
+cd "$ROOT_DIR"/ic-os/setupos
+mkdir -p "$BUILD_OUT" "$BUILD_TMP"
+echo "$VERSION" >"${BUILD_TMP}/version.txt"
+
+# XXX Temporarily build docker image
+cd rootfs
+docker build -f Dockerfile.base -t dfinity/setupos-base:local .
+cd ..
+
+if [ -z "$CI_JOB_ID" ]; then
+    ./scripts/build-disk-image.sh "-o=${BUILD_TMP}/disk.img" "-v=$VERSION" "--host-os=./hostos/disk-img/host-disk-img.tar.gz" "--guest-os=./guestos/disk-img/disk-img.tar.gz"
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2020-01-01' --sparse \
+        -cvzf "${BUILD_OUT}/disk-img.tar.gz" -C "$BUILD_TMP" disk.img version.txt
+    tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2020-01-01' --sparse \
+        -cvf "${BUILD_OUT}/disk-img.tar.zst" --use-compress-program="zstd --threads=0 -10" \
+        -C "$BUILD_TMP" disk.img version.txt
+    ls -lah "$BUILD_TMP"
+else
+    buildevents cmd "${ROOT_PIPELINE_ID}" "${CI_JOB_ID}" build-disk-img -- \
+        ./scripts/build-disk-image.sh "-o=${BUILD_TMP}/disk.img" "-v=$VERSION" "--host-os=./hostos/disk-img/host-disk-img.tar.gz" "--guest-os=./guestos/disk-img/disk-img.tar.gz"
+    buildevents cmd "$ROOT_PIPELINE_ID" "$CI_JOB_ID" tar-build-out -- \
+        tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2020-01-01' --sparse \
+        -cvzf "${BUILD_OUT}/disk-img.tar.gz" -C "$BUILD_TMP" disk.img version.txt
+    buildevents cmd "$ROOT_PIPELINE_ID" "$CI_JOB_ID" tar-build-out -- \
+        tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2020-01-01' --sparse \
+        -cvf "${BUILD_OUT}/disk-img.tar.zst" --use-compress-program="zstd --threads=0 -10" \
+        -C "$BUILD_TMP" disk.img version.txt
+    ls -lah "$BUILD_TMP"
+
+    "$ROOT_DIR"/gitlab-ci/src/artifacts/openssl-sign.sh "$BUILD_OUT"
+fi

ic-os/setupos/bootloader/Dockerfile

@@ -0,0 +1,17 @@
+# 20.04
+FROM ubuntu:focal-20211006
+
+RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommends install \
+    grub-efi-amd64-bin faketime
+
+# Copy all grub modules into their requisite place
+RUN mkdir -p /boot/grub ; cp -r /usr/lib/grub/x86_64-efi /boot/grub
+
+# Build grub image itself into EFI directory tree
+RUN mkdir -p /boot/efi/EFI/Boot
+RUN faketime "1970-1-1 0" grub-mkimage -p "(,gpt2)/" -O x86_64-efi -o /boot/efi/EFI/Boot/bootx64.efi \
+    boot linux search normal configfile \
+    part_gpt btrfs ext2 fat iso9660 loopback \
+    test keystatus gfxmenu regexp probe \
+    efi_gop efi_uga all_video gfxterm font \
+    echo read ls cat png jpeg halt reboot loadenv \

ic-os/setupos/bootloader/grub.cfg

@@ -0,0 +1,31 @@
+regexp -s boot_disk '^\(([a-z0-9]*),[a-z0-9]*\)/EFI/BOOT' $cmdpath
+
+set prefix=($boot_disk,gpt2)
+
+if [ -s $prefix/grubenv ]; then
+  load_env
+fi
+
+set root=($boot_disk,gpt5)
+set linux_root=PARTUUID=7C0A626E-E5EA-E543-B5C5-300EB8304DB7
+
+echo Booting linux...
+
+if [ -f ${boot}/extra_boot_args ]; then
+    echo Loading extra boot args ${boot}/extra_boot_args
+    # This is not really great -- we are directly sourcing the target
+    # file while we would only want a single variable out of it.
+    # I don't think there is another way.
+    source ${boot}/extra_boot_args
+    echo Extra boot arguments $EXTRA_BOOT_ARGS
+fi
+
+linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 $EXTRA_BOOT_ARGS
+
+if [ -f ${boot}/initrd.img ] ; then
+    echo Loading initial ram disk ${boot}/initrd.img
+    initrd ${boot}/initrd.img
+fi
+
+
+boot

ic-os/setupos/bootloader/grubenv

@@ -0,0 +1,2 @@
+# GRUB Environment Block
+#######################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

ic-os/setupos/containerfs/.dockerignore

@@ -0,0 +1 @@
+**/.gitignore

ic-os/setupos/containerfs/Dockerfile

@@ -0,0 +1,30 @@
+ARG UBUNTU_ROOTFS
+FROM ${UBUNTU_ROOTFS}
+
+# Copy in some config settings for the container -- particularly, a
+# deterministic set of ssh keys to avoid annoyances like key changes during
+# development.
+
+COPY etc /etc
+RUN chmod 400 /etc/ssh/ssh_host*key ; chmod 444 /etc/ssh/ssh_host*key.pub
+
+# Remove everything related to filesystem mounts and encrypted filesystem setup.
+# This would fail the boot when run as a docker container.
+RUN rm -rf /etc/fstab /etc/systemd/system-generators /etc/crypttab
+
+# Disable all our newly installed services that are going to fail unless run on
+# a VM (i.e. all those that set up filesystem mounts etc.).
+# Leave the replica service for bootstrap and running the node intact.
+# Also don't touch system-installed services (they exist as symbolic
+# links in the same directory).
+RUN for file in /etc/systemd/system/*.service ; do \
+    svc="${file#/etc/systemd/system/}" ; \
+    if [ "${svc}" != "ic-replica.service" -a "${svc}" != "bootstrap-ic-node.service" -a ! -L "/etc/systemd/system/${svc}" ]; then \
+        systemctl disable "$svc" ; rm "/etc/systemd/system/${svc}" ; \
+    fi ; \
+    done
+
+# Remove dependency on this service -- it is not started in container.
+RUN sed -e '/\(After\|Wants\)=systemd-networkd-wait-online/d' -i /etc/systemd/system/ic-replica.service
+
+ENTRYPOINT [ "/lib/systemd/systemd" ]

ic-os/setupos/containerfs/README.adoc

@@ -0,0 +1,24 @@
+= Docker container of IC node
+
+This directory contains glue code required to turn the Ubuntu rootfs (normally
+deployed as a VM on target systems) into a docker container. This allows
+booting an entire testnet on a laptop far faster than a VM deployment.
+
+In order to turn the system into a docker container, all services interacting
+with (virtual) devices are deactivated, and only services related to starting
+a node are left intact. The "simplest possible" launch of such a container
+can be performed using:
+
+    docker run \
+        --tmpfs /run \
+        --tmpfs /tmp:exec \
+        --tmpfs /run/lock \
+        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
+        ${ID_OF_CONTAINER}
+
+Note that this is not _quite_ sufficient to run as a node (need
+network setup and node configuration), but it gets the software stack up
+and running to the point where it can be contacted via ssh and then
+manually interacted with.
+
+See also ../scripts/build-container.sh.

ic-os/setupos/containerfs/etc/ssh/.gitignore

@@ -0,0 +1,2 @@
+ssh_host*key
+ssh_host*key.pub

ic-os/setupos/containerfs/etc/systemd/system/systemd-logind.service.d/override.conf

@@ -0,0 +1,5 @@
+# This removes delay incurred at ssh login when running as
+# unprivileged docker containers (see bug
+# https://github.com/systemd/systemd/issues/15408)
+[Service]
+ProtectHostname=no

ic-os/setupos/extra_boot_args

@@ -0,0 +1,14 @@
+# Uncomment this to run system with SELinux in PERMISSIVE mode:
+# the system will use SELinux and keep track of operations that would
+# be prohibited, but will only log but not actually deny them. This is
+# useful for debug and policy development. The system behaves essentially the
+# same as if SELinux was not activated.
+#
+EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0"
+
+# Uncomment this to run system with SELinux in ENFORCING mode: All rules
+# of the policy are enforced, and forbidden actions are not just logged but
+# stopped. This causes the system to behave differently than in either
+# "no SELinux" or "permissive" mode.
+#
+# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1"