From 1f81763a2749191b7de8d7c96a14ebf6eada2174 Mon Sep 17 00:00:00 2001
From: Malte Poll
Date: Mon, 3 Apr 2023 17:50:22 +0200
Subject: [PATCH] cli: convert libvirt container image to Bazel

---
 cli/internal/libvirt/BUILD.bazel | 58 ++++++++++++++++++++++++++
 cli/internal/libvirt/etc/BUILD.bazel | 8 ++++
 cli/internal/libvirt/etc/group | 51 ++++++++++++++++++++++
 cli/internal/libvirt/etc/passwd | 31 ++++++++++++++
 cli/internal/libvirt/libvirtd.conf | 5 +++
 cli/internal/libvirt/nvram/BUILD.bazel | 8 ++++
 cli/internal/libvirt/qemu.conf | 1 +
 cli/internal/libvirt/start.sh | 5 +++
 8 files changed, 167 insertions(+)
 create mode 100644 cli/internal/libvirt/etc/BUILD.bazel
 create mode 100644 cli/internal/libvirt/etc/group
 create mode 100644 cli/internal/libvirt/etc/passwd
 create mode 100644 cli/internal/libvirt/libvirtd.conf
 create mode 100644 cli/internal/libvirt/nvram/BUILD.bazel
 create mode 100644 cli/internal/libvirt/qemu.conf

diff --git a/cli/internal/libvirt/BUILD.bazel b/cli/internal/libvirt/BUILD.bazel
index 2f4fbc66f..558ccb9f9 100644
--- a/cli/internal/libvirt/BUILD.bazel
+++ b/cli/internal/libvirt/BUILD.bazel
@@ -1,4 +1,7 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@rules_oci//oci:defs.bzl", "oci_image")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 
 go_library(
     name = "libvirt",
@@ -14,3 +17,58 @@ go_library(
         "@com_github_spf13_afero//:afero",
     ],
 )
+
+pkg_files(
+    name = "etc",
+    srcs = [
+        "//cli/internal/libvirt/etc:passwd_db",
+    ],
+    attributes = pkg_attributes(
+        group = "root",
+        mode = "0644",
+        owner = "root",
+    ),
+    prefix = "etc",
+    strip_prefix = strip_prefix.from_pkg(),
+)
+
+pkg_files(
+    name = "nvram",
+    srcs = [
+        "//cli/internal/libvirt/nvram:nvram_vars",
+    ],
+    prefix = "usr/share/OVMF",
+    strip_prefix = strip_prefix.from_pkg(),
+)
+
+pkg_files(
+    name = "libvirt_conf",
+    srcs = [
+        "libvirtd.conf",
+        "qemu.conf",
+    ],
+    prefix = "/etc/libvirt",
+)
+
+pkg_tar(
+    name = "start",
+    srcs = [
+        "start.sh",
+        ":etc",
+        ":libvirt_conf",
+        ":nvram",
+    ],
+    mode = "0755",
+)
+
+oci_image(
+    name = "constellation_libvirt",
+    architecture = "amd64",
+    entrypoint = ["/start.sh"],
+    os = "linux",
+    tars = [
+        "//rpm:containerized-libvirt",
+        ":start",
+    ],
+    visibility = ["//visibility:public"],
+)
diff --git a/cli/internal/libvirt/etc/BUILD.bazel b/cli/internal/libvirt/etc/BUILD.bazel
new file mode 100644
index 000000000..12aeaf34a
--- /dev/null
+++ b/cli/internal/libvirt/etc/BUILD.bazel
@@ -0,0 +1,8 @@
+filegroup(
+    name = "passwd_db",
+    srcs = glob(
+        ["**/*"],
+        exclude = ["BUILD"],
+    ),
+    visibility = ["//visibility:public"],
+)
diff --git a/cli/internal/libvirt/etc/group b/cli/internal/libvirt/etc/group
new file mode 100644
index 000000000..95c817fb1
--- /dev/null
+++ b/cli/internal/libvirt/etc/group
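Review bot: The `pkg_files(name = "etc")` rule replaces the `/etc/passwd` and `/etc/group` that the `//rpm:containerized-libvirt` layer ships, because `:start` is listed after it in `oci_image.tars` and the later layer wins, but nothing in the BUILD file records that contract. The shipped files have to keep the numeric ids the rpm layer's files are owned by (tss 59, qemu 107, and so on), otherwise ownership inside the image drifts silently; a comment on the rule would make that visible, e.g. `# Overrides the rpm layer's passwd/group; keep uids/gids in sync with the owners of that layer's files.` It would also help to note on `pkg_tar(name = "start")` that `mode = "0755"` is intended for `start.sh` only, since, if I recall rules_pkg's defaults correctly, the `pkg_files` entries carry their own modes (0644 unless `pkg_attributes` says otherwise) and are not affected by it.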
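Review bot: `exclude = ["BUILD"]` does not exclude this package's own build file, which is named `BUILD.bazel`, so as far as I can tell the `**/*` glob also matches it and the parent package's `:etc` rule will ship it into the image as `/etc/BUILD.bazel`. Listing the two files explicitly is both safer and self-documenting: `srcs = ["group", "passwd"],`. If the glob is kept, the exclusion should at least read `exclude = ["BUILD", "BUILD.bazel"]`.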
@@ -0,0 +1,51 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+users:x:100:
+nobody:x:65534:
+tss:x:59:
+dbus:x:81:
+unbound:x:999:
+utmp:x:22:
+utempter:x:35:
+saslauth:x:76:saslauth
+input:x:104:
+kvm:x:36:qemu
+render:x:105:
+sgx:x:106:
+systemd-journal:x:190:
+systemd-network:x:192:
+systemd-oom:x:997:
+systemd-resolve:x:193:
+polkitd:x:996:
+rtkit:x:172:
+gluster:x:995:
+dnsmasq:x:994:
+rpc:x:32:
+brlapi:x:993:
+rpcuser:x:29:
+qemu:x:107:
+pipewire:x:992:
+geoclue:x:991:
+libvirt:x:990:
+systemd-coredump:x:989:
+systemd-timesync:x:988:
diff --git a/cli/internal/libvirt/etc/passwd b/cli/internal/libvirt/etc/passwd
new file mode 100644
index 000000000..c20d8aad0
--- /dev/null
+++ b/cli/internal/libvirt/etc/passwd
@@ -0,0 +1,31 @@
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
+tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+unbound:x:999:999:Unbound DNS resolver:/var/lib/unbound:/sbin/nologin
+saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
+systemd-network:x:192:192:systemd Network Management:/:/usr/sbin/nologin
+systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin
+systemd-resolve:x:193:193:systemd Resolver:/:/usr/sbin/nologin
+polkitd:x:996:996:User for polkitd:/:/sbin/nologin
+rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
+gluster:x:995:995:GlusterFS daemons:/run/gluster:/sbin/nologin
+dnsmasq:x:994:994:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+qemu:x:107:107:qemu user:/:/sbin/nologin
+pipewire:x:993:992:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
+geoclue:x:992:991:User for geoclue:/var/lib/geoclue:/sbin/nologin
+systemd-coredump:x:989:989:systemd Core Dumper:/:/usr/sbin/nologin
+systemd-timesync:x:988:988:systemd Time Synchronization:/:/usr/sbin/nologin
diff --git a/cli/internal/libvirt/libvirtd.conf b/cli/internal/libvirt/libvirtd.conf
new file mode 100644
index 000000000..0552fd4af
--- /dev/null
+++ b/cli/internal/libvirt/libvirtd.conf
@@ -0,0 +1,5 @@
+listen_tls = 0
+listen_tcp = 1
+tcp_port = "16599"
+listen_addr = "localhost"
+auth_tcp = "none"
diff --git a/cli/internal/libvirt/nvram/BUILD.bazel b/cli/internal/libvirt/nvram/BUILD.bazel
new file mode 100644
index 000000000..5731e5674
--- /dev/null
+++ b/cli/internal/libvirt/nvram/BUILD.bazel
@@ -0,0 +1,8 @@
+filegroup(
+    name = "nvram_vars",
+    srcs = glob(
+        ["**/*.fd"],
+        exclude = ["BUILD"],
+    ),
+    visibility = ["//visibility:public"],
+)
diff --git a/cli/internal/libvirt/qemu.conf b/cli/internal/libvirt/qemu.conf
new file mode 100644
index 000000000..f376e82f4
--- /dev/null
+++ b/cli/internal/libvirt/qemu.conf
@@ -0,0 +1 @@
+cgroup_controllers = []
diff --git a/cli/internal/libvirt/start.sh b/cli/internal/libvirt/start.sh
index b3a5ddcdf..6e84e0c39 100755
--- a/cli/internal/libvirt/start.sh
+++ b/cli/internal/libvirt/start.sh
@@ -3,6 +3,11 @@ set -euo pipefail shopt -s inherit_errexit +# ensure library cache is up to date +ldconfig + +chown -R tss:root /var/lib/swtpm-localca + +# Assign qemu the GID of the host system's 'kvm' group to avoid permission issues for environments defaulting to 660 for /dev/kvm (e.g. Debian-based distros) KVM_HOST_GID="$(stat -c '%g' /dev/kvm)" groupadd -o -g "${KVM_HOST_GID}" host-kvm
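Review bot: `auth_tcp = "none"` together with `listen_tcp = 1` opens an unauthenticated libvirt endpoint, and a libvirt connection is root-equivalent on whatever runs the daemon; that is only tolerable because `listen_addr = "localhost"` keeps the listener inside the container's own network namespace, and the file does not record that dependency. A comment would make the next change (publishing port 16599, running the container with `--network host`, or widening `listen_addr`) recognisable as a security decision, e.g. `# Unauthenticated TCP is acceptable ONLY because this listener is loopback-bound inside the container's netns; do not publish 16599 or widen listen_addr without adding auth.` Note also that `listen_tcp` only takes effect when libvirtd is launched with `--listen` (or via the TCP socket unit); start.sh is not fully visible here, so I cannot confirm that it is.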
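Review bot: `cgroup_controllers = []` disables every controller libvirt would otherwise manage for QEMU, which as I understand libvirt's behaviour includes the `devices` controller that limits which host device nodes a guest process may open, and the one-line file gives no reason. If the motivation is that libvirt cannot create cgroups inside the container, say so and name the trade-off: `# No cgroup delegation inside the container; resource limits and device ACLs are left to the container runtime.` If only some controllers are unusable, listing the ones that do work would keep the device ACL in place.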
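Review bot: `chown -R tss:root /var/lib/swtpm-localca` fixes the ownership of a directory that, judging by its name, holds the swtpm local CA's key material, but it leaves the directory mode untouched and, under the script's `set -euo pipefail`, aborts startup outright if the rpm layer did not create the directory. Creating it with an explicit owner and mode before the recursive chown covers both: `install -d -o tss -g root -m 0750 /var/lib/swtpm-localca` followed by the existing `chown -R tss:root /var/lib/swtpm-localca`; if swtpm expects a different mode, adjust the value, but a CA key directory should not stay world-readable. I cannot verify from this hunk that the directory is created by the rpm layer, so the guard may be belt-and-braces. The script continues outside the hunk; the `groupadd` it ends on is not the end of start.sh.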