From d37958af3d3c4e5337b5f5d7ddfe8932b0c67cef Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Mon, 1 Jul 2024 14:22:26 +0200 Subject: [PATCH] Remove obsolete create_disk.sh --- src/cmd-buildextend-metal | 31 +- src/create_disk.sh | 630 -------------------------------------- 2 files changed, 3 insertions(+), 658 deletions(-) delete mode 100755 src/create_disk.sh diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal index a555b3677e..e4cd316e79 100755 --- a/src/cmd-buildextend-metal +++ b/src/cmd-buildextend-metal @@ -34,13 +34,12 @@ EOF } # Parse options -hostkey= genprotimgvm=/data.secex/genprotimgvm.qcow2 ignition_pubkey= rc=0 build= force= -options=$(getopt --options h --longoptions help,force,build:,hostkey:,genprotimgvm: -- "$@") || rc=$? +options=$(getopt --options h --longoptions help,force,build:,genprotimgvm: -- "$@") || rc=$? [ $rc -eq 0 ] || { print_help exit 1 @@ -59,10 +58,6 @@ while true; do build=$2 shift ;; - --hostkey) - hostkey=$(realpath "$2") - shift - ;; --genprotimgvm) genprotimgvm="$2" shift @@ -156,13 +151,6 @@ fi img=${name}-${build}-${image_type}${image_suffix}.${basearch}.${image_format} path=${PWD}/${img} -ignition_platform_id="${image_type}" - -# dasd and metal4k are different disk formats, but they're still metal -if [ "${image_type}" = dasd ] || [ "${image_type}" = metal4k ]; then - ignition_platform_id=metal -fi - # We do some extra handling of the rootfs here; it feeds into size estimation. rootfs_type=$(jq -re .rootfs < "${image_json}") @@ -242,18 +230,15 @@ image_dynamic_yaml="${tmp_builddir}/image-dynamic.yaml" image_dynamic_json="${tmp_builddir}/image-dynamic.json" image_for_disk_json="${tmp_builddir}/image-for-disk.json" cat >"${image_dynamic_yaml}" << EOF -# Used by create_disk.sh buildid: "${build}" imgid: "${img}" ostree-commit: "${commit}" -# Used by both create_disk.sh and runvm-osbuild container-imgref: "${container_imgref}" deploy-via-container: "${deploy_via_container}" osname: "${name}" ostree-container: "${ostree_container}" ostree-ref: "${ref}" extra-kargs-string: "${extra_kargs}" -# Used by runvm-osbuild image-type: "${image_type}" ostree-repo: "${ostree_repo}" metal-image-size: "${metal_image_size_mb}" @@ -287,18 +272,8 @@ if [ "${OSBUILD_SUPPORTED:-}" != "" ] && [ "${COSA_USE_OSBUILD:-}" != "0" ]; the --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \ --filepath "${path}.tmp" "${osbuild_extra_args[@]}" else - runvm "${qemu_args[@]}" -- \ - /usr/lib/coreos-assembler/create_disk.sh \ - --config "${image_for_disk_json}" \ - --platform "${ignition_platform_id}" \ - --platforms-json "${platforms_json}" \ - "${disk_args[@]}" - - # Now that we've created the image let's resize it to the desired - # size for qemu (and all images based on it). - if [[ $image_type == qemu ]]; then - qemu-img resize "${path}.tmp" "${cloud_image_size_mb}M" - fi + echo "OSBUILD_SUPPORTED is not supported or COSA_USE_OSBUILD is unset" + exit 1 fi if [[ $secure_execution -eq "1" ]]; then diff --git a/src/create_disk.sh b/src/create_disk.sh deleted file mode 100755 index 64bd82be2a..0000000000 --- a/src/create_disk.sh +++ /dev/null @@ -1,630 +0,0 @@ -#!/bin/bash -set -euo pipefail - -# This script is run in supermin to create a Fedora CoreOS style -# disk image, very much in the spirit of the original -# Container Linux (orig CoreOS) disk layout, although adapted -# for OSTree, and using XFS for /, among other things. -# Some more background in https://github.com/coreos/fedora-coreos-tracker/issues/18 -# The layout is intentionally not very configurable at this time, -# although see also https://github.com/coreos/coreos-assembler/pull/298 -# For people building "derived"/custom FCOS-like systems, feel free to file -# an issue and we can discuss configuration needs. - -# This fixed UUID is detected in ignition-dracut and changed -# on firstboot: -# https://github.com/coreos/ignition-dracut/blob/6136be3d9d38d7926a61cd4d1b4ba5f9baf0892f/dracut/30ignition/coreos-gpt-setup.sh#L7 -uninitialized_gpt_uuid="00000000-0000-4000-a000-000000000001" -# These UUIDs should be changed by code in fedora-coreos-config on firstboot, see -# https://github.com/coreos/fedora-coreos-tracker/issues/465 -bootfs_uuid="96d15588-3596-4b3c-adca-a2ff7279ea63" -rootfs_uuid="910678ff-f77e-4a7d-8d53-86f2ac47a823" -deploy_root= - -usage() { - cat <&2 - exit 1 -fi -# just copy it over to /tmp and work from there to minimize virtiofs I/O -cp "${platforms_json}" /tmp/platforms.json -platforms_json=/tmp/platforms.json -platform_grub_cmds=$(jq -r ".${arch}.${platform}.grub_commands // [] | join(\"\\\\n\")" < "${platforms_json}") -platform_kargs=$(jq -r ".${arch}.${platform}.kernel_arguments // [] | join(\" \")" < "${platforms_json}") - -disk=$(realpath /dev/disk/by-id/virtio-target) - -config="${config:?--config must be defined}" - -# https://github.com/coreos/coreos-assembler/pull/2480 -dump_err_info () { - lsblk -f || true -} -trap dump_err_info ERR - -# Parse the passed config JSON and extract a mandatory value -getconfig() { - k=$1 - jq -re .\""$k"\" < "${config}" -} -# Return a configuration value, or default if not set -getconfig_def() { - k=$1 - shift - default=$1 - shift - jq -re .\""$k"\"//\""${default}"\" < "${config}" -} - -rootfs_type=$(getconfig rootfs) -case "${rootfs_type}" in - xfs|ext4verity|btrfs) ;; - *) echo "Invalid rootfs type: ${rootfs_type}" 1>&2; exit 1;; -esac -rootfs_args=$(getconfig_def "rootfs-args" "") - -bootfs=$(getconfig "bootfs") -composefs=$(getconfig_def "composefs" "") -grub_script=$(getconfig "grub-script") -ostree_container=$(getconfig "ostree-container") -ostree_container_spec="ostree-unverified-image:oci-archive:${ostree_container}" -commit=$(getconfig "ostree-commit") -ref=$(getconfig "ostree-ref") -# We support not setting a remote name (used by RHCOS) -remote_name=$(getconfig_def "ostree-remote" "") -deploy_via_container=$(getconfig "deploy-via-container" "") -container_imgref=$(getconfig "container-imgref" "") -os_name=$(getconfig "osname") -buildid=$(getconfig "buildid") -imgid=$(getconfig "imgid") -extra_kargs=$(getconfig "extra-kargs-string" "") - -# populate remaining kargs -extra_kargs+=" ignition.platform.id=${platform}" -if [ -n "${platform_kargs}" ]; then - extra_kargs+=" ${platform_kargs}" -fi - -set -x - -# Partition and create fs's. The 0...4...a...1 uuid is a sentinal used by coreos-gpt-setup -# in ignition-dracut. It signals that the disk needs to have it's uuid randomized and the -# backup header moved to the end of the disk. -# Pin /se, /boot and / to the partition number 1, 3 and 4 respectively. Also insert reserved -# partitions on aarch64/ppc64le to keep the 1,2,3,4 partition numbers aligned across -# x86_64/aarch64/ppc64le. We decided not to try to achieve partition parity on s390x -# because a bare metal install onto an s390x DASD translates the GPT to DASD partitions -# and we only get three of those. https://github.com/coreos/fedora-coreos-tracker/issues/855 -BOOTPN=3 -ROOTPN=4 -if [[ ${secure_execution} -eq 1 ]]; then - SDPART=1 - BOOTVERITYHASHPN=5 - ROOTVERITYHASHPN=6 - extra_kargs="${extra_kargs} swiotlb=262144" -fi -# shellcheck disable=SC2031 -case "$arch" in - x86_64) - EFIPN=2 - sgdisk -Z "$disk" \ - -U "${uninitialized_gpt_uuid}" \ - -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \ - -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ - -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - ;; - aarch64) - RESERVEDPN=1 - EFIPN=2 - sgdisk -Z "$disk" \ - -U "${uninitialized_gpt_uuid}" \ - -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ - -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ - -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - ;; - s390x) - sgdisk_args=() - rootp_end=0 - if [[ ${secure_execution} -eq 1 ]]; then - # shellcheck disable=SC2206 - sgdisk_args+=(-n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4) - # we need to leave space for the verity hash partitions (and add 1MB otherwise sgdisk can't fit them for some reason) - rootp_end=-$((128+256+1))M - fi - - # shellcheck disable=SC2206 - sgdisk_args+=(-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ - -n ${ROOTPN}:0:${rootp_end} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4) - if [[ ${secure_execution} -eq 1 ]]; then - # note these length values are hardcoded in both rootp_end above and in `cmd-buildextend-metal` - # shellcheck disable=SC2206 - sgdisk_args+=(-n ${BOOTVERITYHASHPN}:0:+128M -c ${BOOTVERITYHASHPN}:boothash \ - -n ${ROOTVERITYHASHPN}:0:+256M -c ${ROOTVERITYHASHPN}:roothash) - fi - # NB: in the bare metal case when targeting ECKD DASD disks, this - # partition table is not what actually gets written to disk in the end: - # coreos-installer has code which transforms it into a DASD-compatible - # partition table and copies each partition individually bitwise. - sgdisk -Z "$disk" -U "${uninitialized_gpt_uuid}" "${sgdisk_args[@]}" - ;; - ppc64le) - PREPPN=1 - RESERVEDPN=2 - # ppc64le doesn't use special uuid for root partition - sgdisk -Z "$disk" \ - -U "${uninitialized_gpt_uuid}" \ - -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \ - -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ - -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - ;; -esac - -sgdisk -p "$disk" -udevtrig - -boot_dev="${disk}${BOOTPN}" -root_dev="${disk}${ROOTPN}" - -bootargs= -# Detect if the target system supports orphan_file. -# https://github.com/coreos/coreos-assembler/pull/3653#issuecomment-1813181723 -# Ideally, we'd do feature detection here but there's no clean way to do that. -# So just use version comparisons. (But ideally ideally, we use the mkfs.* -# binaries from the target system, not cosa.) -e2fsprogs_version=$(jq -r '.["rpmostree.rpmdb.pkglist"][] | select(.[0] == "e2fsprogs") | .[2]' \ - "builds/${buildid}/${arch}/commitmeta.json") -if [ "${e2fsprogs_version}" != "1.47.0" ] && \ - [ "$(echo -e "${e2fsprogs_version}\n1.47.0" | sort -V | tail -n1)" = "1.47.0" ]; then - # target system has e2fsprogs older than 1.47.0; it won't support - # orphan_file so make sure we opt out of it - bootargs+=" -O ^orphan_file" -fi - -case "${bootfs}" in - ext4verity) - # Need blocks to match host page size; TODO - # really mkfs.ext4 should know this. - bootargs+=" -b $(getconf PAGE_SIZE) -O verity" - ;; - ext4) ;; - *) echo "Unhandled bootfs: ${bootfs}" 1>&2; exit 1 ;; -esac - -if [[ ${secure_execution} -eq 1 ]]; then - # Unencrypted partition for sd-boot - # shellcheck disable=SC2086 - mkfs.ext4 ${bootargs} "${disk}${SDPART}" -L se -U random -fi - -# shellcheck disable=SC2086 -mkfs.ext4 ${bootargs} "${boot_dev}" -L boot -U "${bootfs_uuid}" -udevtrig - -if [ ${EFIPN:+x} ]; then - mkfs.fat "${disk}${EFIPN}" -n EFI-SYSTEM - # BIOS boot partition has no FS; it's for BIOS GRUB - # partition $PREPPN has no FS; it's for PowerPC PReP Boot -fi -case "${rootfs_type}" in - ext4verity) - # As of today, xfs doesn't support verity, so we have a choice of fs-verity or reflinks. - # Now, fs-verity doesn't in practice gain us a huge amount of security because - # there are other "persistence vectors". See - # https://blog.verbum.org/2017/06/12/on-dm-verity-and-operating-systems/ - # https://github.com/coreos/rpm-ostree/issues/702 - # And reflinks are *very* useful for the container stack with overlayfs (and in general). - # So basically, we're choosing performance over half-implemented security. - # Eventually, we'd like both - once XFS gains verity (probably not too hard), - # we could unconditionally enable it there. - # shellcheck disable=SC2086 - mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - ;; - btrfs) - # shellcheck disable=SC2086 - mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - ;; - xfs|"") - # shellcheck disable=SC2086 - mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args} - ;; - *) - echo "Unknown rootfs_type: $rootfs_type" 1>&2 - exit 1 - ;; -esac -udevtrig - -# since we normally run in supermin container and we need -# support parallel runs, use /tmp -rootfs=/tmp/rootfs - -# mount the partitions -rm -rf ${rootfs} -mkdir -p ${rootfs} -mount -o discard "${root_dev}" ${rootfs} -chcon "$(matchpathcon -n /)" ${rootfs} -mkdir ${rootfs}/boot -chcon "$(matchpathcon -n /boot)" $rootfs/boot -mount "${boot_dev}" $rootfs/boot -chcon "$(matchpathcon -n /boot)" $rootfs/boot -# FAT doesn't support SELinux labeling, it uses "genfscon", so we -# don't need to give it a label manually. -if [ ${EFIPN:+x} ]; then - mkdir ${rootfs}/boot/efi - mount "${disk}${EFIPN}" $rootfs/boot/efi -fi -if [[ ${secure_execution} -eq 1 ]]; then - mkdir ${rootfs}/se - chcon "$(matchpathcon -n /boot)" $rootfs/se -fi - -# Now that we have the basic disk layout, initialize the basic -# OSTree layout, load in the ostree commit and deploy it. -ostree admin init-fs --modern $rootfs -# May be overridden below (e.g. s390x) -ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none -# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA -# https://github.com/ostreedev/ostree/issues/1265 -ostree config --repo $rootfs/ostree/repo set sysroot.readonly true -if test -n "${composefs}"; then - ostree config --repo $rootfs/ostree/repo set ex-integrity.composefs true -fi -# Initialize the "stateroot" -ostree admin os-init "$os_name" --sysroot $rootfs - -# Propagate flags into target repository -if [ "${rootfs_type}" = "ext4verity" ] && [ -z "${composefs}" ]; then - ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true' -fi - -# Compute kargs -allkargs="$extra_kargs" -# shellcheck disable=SC2031 -if [ "$arch" != s390x ]; then - # Note that $ignition_firstboot is interpreted by grub at boot time, - # *not* the shell here. Hence the backslash escape. - allkargs+=" \$ignition_firstboot" -fi - -if test -n "${deploy_via_container}"; then - kargsargs="" - for karg in $allkargs - do - kargsargs+="--karg=$karg " - done - # shellcheck disable=SC2086 - ostree container image deploy --imgref "${ostree_container_spec}" \ - ${container_imgref:+--target-imgref $container_imgref} \ - --write-commitid-to /tmp/commit.txt \ - --stateroot "$os_name" --sysroot $rootfs $kargsargs - deploy_commit=$(cat /tmp/commit.txt) - rm /tmp/commit.txt -else - # Pull the container image... - time ostree container image pull $rootfs/ostree/repo "${ostree_container_spec}" - # But we default to not leaving a ref for the image around, so the - # layers will get GC'd on the first update if the - # user doesn't switch to a container image. - ostree --repo=$rootfs/ostree/repo refs --delete ostree/container/image - ostree --repo=$rootfs/ostree/repo prune --refs-only --depth=0 - # Deploy it, using an optional remote prefix - if test -n "${remote_name}"; then - deploy_ref="${remote_name}:${ref}" - ostree refs --repo $rootfs/ostree/repo --create "${deploy_ref}" "${commit}" - else - deploy_ref=$commit - fi - kargsargs="" - for karg in $allkargs - do - kargsargs+="--karg-append=$karg " - done - # shellcheck disable=SC2086 - ostree admin deploy "${deploy_ref}" --sysroot $rootfs --os "$os_name" $kargsargs - deploy_commit=$commit -fi -# Sanity check -deploy_root="$rootfs/ostree/deploy/${os_name}/deploy/${deploy_commit}.0" -test -d "${deploy_root}" || (echo "failed to find $deploy_root"; exit 1) - -# This will allow us to track the version that an install -# originally used; if we later need to understand something -# like "exactly what mkfs.xfs version was used" we can do -# that via looking at the upstream build and finding the -# build logs for it, getting the coreos-assembler version, -# and getting the `rpm -qa` from that. -# -# build: The coreos-assembler build ID; today we support -# having the same ostree commit in different image builds. -# ref: The ostree ref used; useful for cross-checking. -# ostree-commit: Similar to `ref`; one can derive this from looking -# at the coreos-assembler builds, but it's very -# convenient to have here as a strong cross-reference. -# imgid: The full image name, the same as will end up in the -# `images` dict in `meta.json`. -cat > $rootfs/.coreos-aleph-version.json << EOF -{ - "build": "${buildid}", - "ref": "${ref}", - "ostree-commit": "${commit}", - "imgid": "${imgid}" -} -EOF - -install_uefi() { - # https://github.com/coreos/fedora-coreos-tracker/issues/510 - # See also https://github.com/ostreedev/ostree/pull/1873#issuecomment-524439883 - chroot_run bootupctl backend install --src-root="/" "/sysroot" - # We have a "static" grub config file that basically configures grub to look - # in the RAID called "md-boot", if it exists, or the partition labeled "boot". - local target_efi="$rootfs/boot/efi" - local grubefi - grubefi=$(find "${target_efi}/EFI/" -maxdepth 1 -type d | grep -v BOOT) - local vendor_id="${grubefi##*/}" - local vendordir="${target_efi}/EFI/${vendor_id}" - mkdir -p "${vendordir}" - cat > "${vendordir}/grub.cfg" << 'EOF' -if [ -e (md/md-boot) ]; then - # The search command might pick a RAID component rather than the RAID, - # since the /boot RAID currently uses superblock 1.0. See the comment in - # the main grub.cfg. - set prefix=md/md-boot -else - if [ -f ${config_directory}/bootuuid.cfg ]; then - source ${config_directory}/bootuuid.cfg - fi - if [ -n "${BOOT_UUID}" ]; then - search --fs-uuid "${BOOT_UUID}" --set prefix --no-floppy - else - search --label boot --set prefix --no-floppy - fi -fi -set prefix=($prefix)/grub2 -configfile $prefix/grub.cfg -boot -EOF - install_grub_cfg -} - -# copy the grub config and any other files we might need -install_grub_cfg() { - # 0700 to match the RPM permissions which I think are mainly in case someone has - # manually set a grub password - mkdir -p $rootfs/boot/grub2 - chmod 0700 $rootfs/boot/grub2 - printf "%s\n" "$grub_script" | \ - sed -E 's@(^# CONSOLE-SETTINGS-START$)@\1'"${platform_grub_cmds:+\\n${platform_grub_cmds}}"'@' \ - > $rootfs/boot/grub2/grub.cfg - # Copy platforms table if it's non-empty for this arch - # shellcheck disable=SC2031 - if jq -e ".$arch" < "$platforms_json" > /dev/null; then - mkdir -p "$rootfs/boot/coreos" - jq ".$arch" < "$platforms_json" > "$rootfs/boot/coreos/platforms.json" - fi -} - -# For some commands, we need to make sure to use the binary and userspace of the -# target system. XXX: Switch to bwrap. -chroot_run() { - for mnt in dev proc sys run var tmp; do - mount --rbind "/$mnt" "${deploy_root}/$mnt" - done - mount --rbind "${rootfs}" "${deploy_root}/sysroot" - chroot "${deploy_root}" "$@" - umount --recursive "${deploy_root}/sysroot" - for mnt in dev proc sys run var tmp; do - umount --recursive "${deploy_root}/$mnt" - done -} - -generate_gpgkeys() { - local pkey - pkey="${1}" - local tmp_home - tmp_home=$(mktemp -d /tmp/gpg-XXXXXX) - gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key "Secure Execution (secex) $buildid" rsa4096 encr none - gpg --homedir "${tmp_home}" --armor --export secex > "${ignition_pubkey}" - gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "${pkey}" - rm -rf "${tmp_home}" -} - -# Other arch-specific bootloader changes -# shellcheck disable=SC2031 -case "$arch" in -x86_64) - # UEFI - install_uefi - if [ "${x86_bios_bootloader}" = 1 ]; then - # And BIOS grub in addition. See also - # https://github.com/coreos/fedora-coreos-tracker/issues/32 - # Install BIOS/PReP bootloader using the target system's grub2-install, - # see https://github.com/coreos/coreos-assembler/issues/3156 - chroot_run /sbin/grub2-install \ - --target i386-pc \ - --boot-directory $rootfs/boot \ - --modules mdraid1x \ - "$disk" - fi - ;; -aarch64) - # Our aarch64 is UEFI only. - install_uefi - ;; -ppc64le) - # to populate PReP Boot, i.e. support pseries - chroot_run /sbin/grub2-install --target=powerpc-ieee1275 --boot-directory $rootfs/boot --no-nvram "${disk}${PREPPN}" - install_grub_cfg - ;; -s390x) - ostree config --repo $rootfs/ostree/repo set sysroot.bootloader zipl - rdcore_zipl_args=("--boot-mount=$rootfs/boot" "--append-karg=ignition.firstboot") - # in the secex case, we run zipl at the end; in the non-secex case, we need - # to run it now because zipl wants rw access to the bootfs - if [[ ${secure_execution} -ne 1 ]]; then - # in case builder itself runs with SecureExecution - rdcore_zipl_args+=("--secex-mode=disable") - chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}" - fi - ;; -esac - -# enable support for GRUB password -# shellcheck disable=SC2031 -if [ "$arch" != s390x ]; then - ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""' -fi - -# For local secex build we create an empty file and later mount-bind real private key to it, -# so rdcore could append it to initrd. Best approach is to teach rdcore how to append file -# with different source and dest- paths. -if [[ ${secure_execution} -eq 1 ]] && [[ ! -e /dev/disk/by-id/virtio-genprotimg ]]; then - touch "${deploy_root}/usr/lib/coreos/ignition.asc" -fi -touch $rootfs/boot/ignition.firstboot - -fstrim -a -v -# Ensure the filesystem journals are flushed -for fs in $rootfs/boot $rootfs; do - mount -o remount,ro "$fs" - fsfreeze -f "$fs" - fsfreeze -u "$fs" -done - -umount -R $rootfs - -create_dmverity() { - local partlabel=$1; shift - local mountpoint=$1; shift - local datapart="/dev/disk/by-partlabel/${partlabel}" - local hashpart="/dev/disk/by-partlabel/${partlabel}hash" - # We have to use 512 here to match the filesystem sector size. It's less - # efficient, but meh, it's for first boot only. Alternatively we could - # change the filesystem sector size higher up. - veritysetup format "${datapart}" "${hashpart}" \ - --root-hash-file "/tmp/${partlabel}-roothash" \ - --data-block-size 512 - veritysetup open "${datapart}" "${partlabel}" "${hashpart}" \ - --root-hash-file "/tmp/${partlabel}-roothash" - mount -o ro "/dev/mapper/${partlabel}" "${mountpoint}" -} - -# Save genprotimg input for later and don't run zipl here -rdcore_replacement() { - local se_kargs_append se_initrd se_kernel se_parmfile - local blsfile kernel initrd - local se_script_dir se_tmp_disk se_tmp_mount se_tmp_boot - - se_kargs_append=("ignition.firstboot") - while [ $# -gt 0 ]; do - se_kargs_append+=("$1") - shift - done - - se_script_dir="/usr/lib/coreos-assembler/secex-genprotimgvm-scripts" - se_tmp_disk=$(realpath /dev/disk/by-id/virtio-genprotimg) - se_tmp_mount=$(mktemp -d /tmp/genprotimg-XXXXXX) - se_tmp_boot="${se_tmp_mount}/genprotimg" - mount "${se_tmp_disk}" "${se_tmp_mount}" - mkdir "${se_tmp_boot}" - - se_initrd="${se_tmp_boot}/initrd.img" - se_kernel="${se_tmp_boot}/vmlinuz" - se_parmfile="${se_tmp_boot}/parmfile" - - # Ignition GPG private key - mkdir -p "${se_tmp_boot}/usr/lib/coreos" - generate_gpgkeys "${se_tmp_boot}/usr/lib/coreos/ignition.asc" - - blsfile=$(find "${rootfs}"/boot/loader/entries/*.conf) - echo "$(grep options "${blsfile}" | cut -d' ' -f2-)" "${se_kargs_append[@]}" > "${se_parmfile}" - kernel="${rootfs}/boot/$(grep linux "${blsfile}" | cut -d' ' -f2)" - initrd="${rootfs}/boot/$(grep initrd "${blsfile}" | cut -d' ' -f2)" - cp "${kernel}" "${se_kernel}" - cp "${initrd}" "${se_initrd}" - - # genprotimg and zipl will be done outside this script - # copy scripts for that step to the tmp disk - cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${se_tmp_mount}/" - - umount "${se_tmp_mount}" - rmdir "${se_tmp_mount}" -} - -if [[ ${secure_execution} -eq 1 ]]; then - # set up dm-verity for the rootfs and bootfs - create_dmverity root $rootfs - create_dmverity boot $rootfs/boot - # We need to run the genprotimg step in a separate step for rhcos release images - if [ ! -e /dev/disk/by-id/virtio-genprotimg ]; then - echo "Building local Secure Execution Image, running zipl and genprotimg" - generate_gpgkeys "/tmp/ignition.asc" - mount --rbind "/tmp/ignition.asc" "${deploy_root}/usr/lib/coreos/ignition.asc" - # run zipl with root hashes as kargs - rdcore_zipl_args+=("--secex-mode=enforce" "--hostkey=/dev/disk/by-id/virtio-hostkey") - rdcore_zipl_args+=("--append-karg=rootfs.roothash=$(cat /tmp/root-roothash)") - rdcore_zipl_args+=("--append-karg=bootfs.roothash=$(cat /tmp/boot-roothash)") - rdcore_zipl_args+=("--append-file=/usr/lib/coreos/ignition.asc") - chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}" - else - echo "Building release Secure Execution Image, zipl and genprotimg will be run later" - rdcore_replacement "rootfs.roothash=$(cat /tmp/root-roothash)" "bootfs.roothash=$(cat /tmp/boot-roothash)" - fi - - # unmount and close everything - umount -R $rootfs - veritysetup close boot - veritysetup close root -fi - -rmdir $rootfs