diff --git a/image/Makefile b/image/Makefile
deleted file mode 100644
index 706483a4f..000000000
--- a/image/Makefile
+++ /dev/null
@@ -1,170 +0,0 @@ -SRC_PATH = $(CURDIR) -BASE_PATH ?= $(SRC_PATH) -DEPENDENCIES ?= $(BASE_PATH)/dependencies -COREOS_BUILD_PATH ?= $(BASE_PATH)/build -OVERRIDES ?= $(COREOS_BUILD_PATH)/overrides -OVERRIDES_RPM ?= $(OVERRIDES)/rpm -OVERRIDES_ROOTFS ?= $(OVERRIDES)/rootfs -BOOTSTRAPPER_OVERRIDE_PATH ?= $(OVERRIDES_ROOTFS)/usr/bin/bootstrapper -KERNEL_RPM ?= $(OVERRIDES_RPM)/kernel.rpm -KERNEL_CORE_RPM ?= $(OVERRIDES_RPM)/kernel-core.rpm -KERNEL_MODULES_RPM ?= $(OVERRIDES_RPM)/kernel-modules.rpm -OVERRIDE_KERNEL ?= n -KERNEL_RPM_URL ?= "https://kojipkgs.fedoraproject.org/packages/kernel/5.17.0/0.rc3.89.fc36/x86_64/kernel-5.17.0-0.rc3.89.fc36.x86_64.rpm" -KERNEL_CORE_RPM_URL ?= "https://kojipkgs.fedoraproject.org/packages/kernel/5.17.0/0.rc3.89.fc36/x86_64/kernel-core-5.17.0-0.rc3.89.fc36.x86_64.rpm" -KERNEL_MODULES_RPM_URL ?= "https://kojipkgs.fedoraproject.org/packages/kernel/5.17.0/0.rc3.89.fc36/x86_64/kernel-modules-5.17.0-0.rc3.89.fc36.x86_64.rpm" -DOWNLOAD_BOOTSTRAPPER ?= n -BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper -DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper -DISK_MAPPER_OVERRIDE_PATH ?= $(OVERRIDES_ROOTFS)/usr/sbin/disk-mapper -IMAGES_PATH ?= $(BASE_PATH)/images -CONTAINER_ENGINE ?= podman -COSA_BUILDDIR ?= $(BASE_PATH)/../3rdparty/coreos-assembler -COSA_ENV ?= $(BASE_PATH)/$(CONTAINER_ENGINE).env -COSA_INIT_REPO ?= "https://github.com/edgelesssys/constellation-fedora-coreos-config" -COSA_INIT_BRANCH ?= "main" -COSA_LOCKFILE ?= $(BASE_PATH)/cosa.lock -NETRC ?= ~/.netrc -GCP_PROJECT ?= constellation-images -GCP_BUCKET ?= constellation-images -GCP_IMAGE_FAMILY ?= constellation -GCP_IMAGE_NAME ?= constellation-coreos -GCP_IMAGE_FILENAME ?= $(GCP_IMAGE_NAME)_gcp.tar.gz -GCP_IMAGE_PATH ?= $(IMAGES_PATH)/$(GCP_IMAGE_FILENAME) -GCP_REGION ?= europe-west3 -AZURE_IMAGE_NAME ?= constellation-coreos -AZURE_IMAGE_FILENAME ?= $(AZURE_IMAGE_NAME)_azure.vhd -AZURE_IMAGE_PATH ?= $(IMAGES_PATH)/$(AZURE_IMAGE_FILENAME) -AZURE_RESOURCE_GROUP_NAME ?= 
CONSTELLATION-IMAGES -AZURE_REGION ?= northeurope -AZURE_REPLICATION_REGIONS ?= northeurope eastus westeurope westus -AZURE_GALLERY_NAME ?= Constellation -AZURE_IMAGE_DEFINITION ?= $(AZURE_IMAGE_NAME) -AZURE_IMAGE_OFFER ?= $(AZURE_IMAGE_DEFINITION) -AZURE_IMAGE_VERSION ?= 0.0.1 -AZURE_PUBLISHER ?= edgelesssys -AZURE_SKU ?= constellation-coreos - --include $(CURDIR)/config.mk - -.PHONY: clean all kernel coreos run shell cosa-init cosa-fetch images image-gcp upload-gcp image-azure upload-azure-non-cvm $(BOOTSTRAPPER_OVERRIDE_PATH) $(DISK_MAPPER_OVERRIDE_PATH) -SHELL := /bin/bash - -all: coreos images - -ifeq ($(DOWNLOAD_BOOTSTRAPPER), y) -$(BOOTSTRAPPER_BINARY): - wget -q $(BOOTSTRAPPER_URL) -O $@ -endif - -$(BOOTSTRAPPER_OVERRIDE_PATH): $(BOOTSTRAPPER_BINARY) | cosa-init - mkdir -p $(COREOS_BUILD_PATH)/overrides/rootfs/usr/bin - cp $(BOOTSTRAPPER_BINARY) $@ - chmod +x $@ - -$(DISK_MAPPER_OVERRIDE_PATH): $(DISK_MAPPER_BINARY) | cosa-init - mkdir -p $(COREOS_BUILD_PATH)/overrides/rootfs/usr/sbin - cp $(DISK_MAPPER_BINARY) $@ - chmod +x $@ - -cosa-image: - -make -j 1 -C $(COSA_BUILDDIR) clean - make -j 1 -C $(COSA_BUILDDIR) - -cosa-init: - mkdir -p $(COREOS_BUILD_PATH) - -flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa init --branch $(COSA_INIT_BRANCH) $(COSA_INIT_REPO)' - -cosa-fetch: cosa-init kernel $(BOOTSTRAPPER_OVERRIDE_PATH) $(DISK_MAPPER_OVERRIDE_PATH) - flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa fetch' - -coreos: cosa-fetch $(BOOTSTRAPPER_OVERRIDE_PATH) $(DISK_MAPPER_OVERRIDE_PATH) - flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa build' - -run: $(BOOTSTRAPPER_OVERRIDE_PATH) $(DISK_MAPPER_OVERRIDE_PATH) - flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa run --devshell-console' - -shell: $(BOOTSTRAPPER_OVERRIDE_PATH) $(DISK_MAPPER_OVERRIDE_PATH) - flock $(COSA_LOCKFILE) -c '. 
$(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa shell' - -$(GCP_IMAGE_PATH): coreos - flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa buildextend-gcp' - cp $(COREOS_BUILD_PATH)/builds/latest/x86_64/fedora-coreos-*.dev.*-gcp.x86_64.tar.gz $@ - $(BASE_PATH)/dm-verity/recalculate-dm-verity.sh gcp $@ - -$(AZURE_IMAGE_PATH): coreos - flock $(COSA_LOCKFILE) -c '. $(COSA_ENV) && cd $(COREOS_BUILD_PATH) && NETRC=$(NETRC) cosa buildextend-azure' - cp $(COREOS_BUILD_PATH)/builds/latest/x86_64/fedora-coreos-*.dev.*-azure.x86_64.vhd $@ - $(BASE_PATH)/dm-verity/recalculate-dm-verity.sh azure $@ - -images: image-gcp image-azure - -image-gcp: $(GCP_IMAGE_PATH) - -upload-gcp: $(GCP_IMAGE_PATH) - -gsutil mb -l $(GCP_REGION) gs://$(GCP_BUCKET) - gsutil pap set enforced gs://$(GCP_BUCKET) - gsutil cp $(GCP_IMAGE_PATH) gs://$(GCP_BUCKET) - gcloud compute images create $(GCP_IMAGE_NAME) \ - --family $(GCP_IMAGE_FAMILY) \ - --source-uri=gs://$(GCP_BUCKET)/$(GCP_IMAGE_FILENAME) \ - --guest-os-features=GVNIC,SEV_CAPABLE,VIRTIO_SCSI_MULTIQUEUE,UEFI_COMPATIBLE \ - --labels=bootstrapper-sha1=$$(shasum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1),bootstrapper-sha512=$$(sha512sum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1 | cut -c-63) \ - --project $(GCP_PROJECT) - gcloud compute images add-iam-policy-binding $(GCP_IMAGE_NAME) \ - --project $(GCP_PROJECT) \ - --member='allAuthenticatedUsers' \ - --role='roles/compute.imageUser' - gsutil rm gs://$(GCP_BUCKET)/$(GCP_IMAGE_FILENAME) - -image-azure: $(AZURE_IMAGE_PATH) - -# reference: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli -# reference: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/upload-vhd -# reference: https://docs.microsoft.com/en-us/azure/virtual-machines/image-version -upload-azure: $(AZURE_IMAGE_PATH) - $(eval SIZE := $(shell wc -c $(AZURE_IMAGE_PATH) | cut -d " " -f1)) - @echo "creating disk of size 
$(SIZE)" - az disk create -n $(AZURE_IMAGE_NAME) -g $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --hyper-v-generation V2 --os-type Linux --for-upload --upload-size-bytes $(SIZE) --sku standard_lrs - @echo "waiting for disk to be created" - az disk wait --created -n $(AZURE_IMAGE_NAME) -g $(AZURE_RESOURCE_GROUP_NAME) - @echo "created disk $(AZURE_IMAGE_NAME)" - az disk list --output table --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)']" - @echo "Granting temporary write access on disk $(AZURE_IMAGE_NAME)" - @echo "Copying $(AZURE_IMAGE_PATH) to disk $(AZURE_IMAGE_NAME)" - azcopy copy "$(AZURE_IMAGE_PATH)" "$$(az disk grant-access -n $(AZURE_IMAGE_NAME) -g $(AZURE_RESOURCE_GROUP_NAME) --access-level Write --duration-in-seconds 86400 | jq -r .accessSas)" --blob-type PageBlob - @echo "Revoking write access" - az disk revoke-access -n $(AZURE_IMAGE_NAME) -g $(AZURE_RESOURCE_GROUP_NAME) - az image create -g $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) -n $(AZURE_IMAGE_NAME) --hyper-v-generation V2 --os-type Linux --source "$$(az disk list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)" - @echo "Create shared image gallery (if it does not exist yet)" - -az sig create -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --resource-group $(AZURE_RESOURCE_GROUP_NAME) - @echo "Create image definition (if it does not exist yet)" - -az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=TrustedLaunch - az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition 
$(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REPLICATION_REGIONS) --replica-count 1 --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)" - @echo "Create CVM image definition (if it does not exist yet)" - -az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME)_CVM --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported - az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME)_CVM --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REPLICATION_REGIONS) --replica-count 1 --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)" - @echo "Cleaning up resources" - az image delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME) - az disk delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME) --yes - -ifeq ($(OVERRIDE_KERNEL), y) -kernel: $(KERNEL_RPM) $(KERNEL_CORE_RPM) $(KERNEL_MODULES_RPM) -$(KERNEL_RPM): | cosa-init - -mkdir -p $$(dirname $@) - wget -q $(KERNEL_RPM_URL) -O $@ -$(KERNEL_CORE_RPM): | cosa-init - -mkdir -p $$(dirname $@) - wget -q $(KERNEL_CORE_RPM_URL) -O $@ -$(KERNEL_MODULES_RPM): | cosa-init - -mkdir -p $$(dirname $@) - wget -q $(KERNEL_MODULES_RPM_URL) -O $@ -else -kernel: -endif - -clean: - -rm $(COSA_LOCKFILE) - -rm $(IMAGES_PATH)/* - -rm -r $(COREOS_BUILD_PATH) - mkdir -p $(COREOS_BUILD_PATH) 
diff --git a/image/assembler/README.md b/image/assembler/README.md
deleted file mode 100644
index 05335e22b..000000000
--- a/image/assembler/README.md
+++ /dev/null
@@ -1,50 +0,0 @@ -# Constellation-OS Assembler - -This container image uses [coreos assembler](https://coreos.github.io/coreos-assembler/) as a base (`quay.io/coreos-assembler/coreos-assembler`) to facilitate a build environment for the Constellation-OS. -The root filesystem takes its contents (OSTree) from [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config). -And the Constellation-OS Assembler can be pulled from ghcr.io/edgelesssys/constellation-coreos-assembler - -## Setup - -Prerequisites: `podman` and `qemu-kvm` are installed, nested virtualization is enabled. -Make sure your user is allowed read and write access on `/dev/kvm`. -If the device is not mounted in the container try the following command, and restart the container: -``` shell -sudo chmod 666 /dev/kvm -``` - -## Using the Assembler to create a bootable operating system - -1. Create the assembler image as described [here](#creating-the-assembler-image) -2. Source the `fcos/.env` file to enable the `cosa` bash alias: - ``` - source fcos/.env - ``` -3. Set the `BOOTSTRAPPER_BINARY` environment variable to a path of the compiled bootstrapper binary. It will be mounted in the cosa container and copied into the resulting coreos image. - ``` - BOOTSTRAPPER_BINARY="/path/to/bootstrapper" - ``` -4. Go into the build folder and initialize cosa: - ``` - cd fcos/build - cosa init https://github.com/edgelesssys/constellation-fedora-coreos-config - cosa fetch - ``` -5. Build the OS image: - ``` - cosa build - ``` -6. Create an image for a cloud provider - ``` - cosa buildextend-gcp - cosa buildextend-aws - cosa buildextend-azure - [...] - ``` - -## Using a locally checked out git repo of the coreos-config during development - -Simply set the environment variable `COREOS_ASSEMBLER_CONFIG_GIT` to the local folder and perform the rest of the steps as usual: -``` -COREOS_ASSEMBLER_CONFIG_GIT=/path/to/constellation-fedora-coreos-config -``` 
diff --git a/image/dm-verity/recalculate-dm-verity.sh b/image/dm-verity/recalculate-dm-verity.sh
deleted file mode 100755
index 23cbe72b9..000000000
--- a/image/dm-verity/recalculate-dm-verity.sh
+++ /dev/null
@@ -1,182 +0,0 @@ -#!/usr/bin/env bash -set -xeuo pipefail - -# Show progress on pipes if `pv` is installed -# Otherwise use plain cat -if ! command -v pv &> /dev/null -then - PV="cat" -else - PV="pv" -fi - -mount_partition () { - local partition_file=$1 - local mountpoint=$2 - - # second, try to mount as current user - if mount -o loop "${partition_file}" "${mountpoint}"; then - return - fi - - # third, try to mount with sudo - sudo mount -o loop "${partition_file}" "${mountpoint}" - # temporarily change ownership of partition files - sudo chown -R "${USER}:${USER}" "${mountpoint}" -} - -umount_partition () { - sync - local mountpoint=$1 - - # second, try to umount as current user - if umount "${mountpoint}"; then - return - fi - - # third, try to umount with sudo - # repair ownership of partition files - sudo chown -R root:root "${mountpoint}" - sudo umount "${mountpoint}" -} - -# Unpacks finished cloud provider image to recalculate dm-verity hash -unpack () { - local cloudprovider=$1 - local packed_image=$2 - local unpacked_image=$3 - - case $cloudprovider in - - gcp) - echo "📤 Unpacking GCP image..." - "${PV}" "$packed_image" | tar -xzf - -O > "$unpacked_image" - echo " Unpacked image stored in ${unpacked_image}" - ;; - - azure) - echo "📤 Unpacking Azure image..." 
- qemu-img convert -p -f vpc -O raw "$packed_image" "$unpacked_image" - echo " Unpacked image stored in ${unpacked_image}" - ;; - - *) - echo "unknown cloud provider" - exit 1 - ;; - esac -} - -get_part_offset () { - local unpacked_image=$1 - local part_number=$2 - local offset - offset=$(parted -s "${unpacked_image}" unit s print | sed 's/^ //g' | grep "^${part_number}" | tr -s ' ' | cut -d ' ' -f2) - local offset=${offset::-1} - echo "${offset}" -} - -get_part_size () { - local unpacked_image=$1 - local part_number=$2 - local size - size=$(parted -s "${unpacked_image}" unit s print | sed 's/^ //g' | grep "^${part_number}" | tr -s ' ' | cut -d ' ' -f4) - local size=${size::-1} - echo "${size}" -} - -extract_partition () { - local unpacked_image=$1 - local part_number=$2 - local extracted_partition_path=$3 - - local part_offset - part_offset=$(get_part_offset "${unpacked_image}" "${part_number}") - local part_size - part_size=$(get_part_size "${unpacked_image}" "${part_number}") - dd status=progress "if=${unpacked_image}" "of=${extracted_partition_path}" bs=512 "skip=${part_offset}" "count=${part_size}" 2>/dev/null -} - -overwrite_partition () { - local unpacked_image=$1 - local part_number=$2 - local extracted_partition_path=$3 - - local part_offset - part_offset=$(get_part_offset "${unpacked_image}" "${part_number}") - local part_size - part_size=$(get_part_size "${unpacked_image}" "${part_number}") - dd status=progress conv=notrunc "if=${extracted_partition_path}" "of=${unpacked_image}" bs=512 "seek=${part_offset}" "count=${part_size}" 2>/dev/null -} - -update_verity () { - local tmp_dir=$1 - local raw_image=$2 - local boot_mountpoint=${tmp_dir}/boot.mount - local boot_partition=${tmp_dir}/part_boot.raw - local root_partition=${tmp_dir}/part_root.raw - local hashtree_partition=${tmp_dir}/part_hashtree.raw - - echo "⬅️ Extracting partitions..." 
- extract_partition "${raw_image}" 3 "${boot_partition}" - extract_partition "${raw_image}" 4 "${root_partition}" - extract_partition "${raw_image}" 5 "${hashtree_partition}" - - # recalculate verity hashtree - veritysetup_out=$(veritysetup format "${root_partition}" "${hashtree_partition}") - roothash=$(echo "${veritysetup_out}" | grep 'Root hash:' | sed --expression='s/Root hash:\s*//g') - echo "🧮 Recalculated dm-verity hashtree with roothash ${roothash}" - # update bootloader kernel cmdline - mkdir -p "${boot_mountpoint}" - mount_partition "${boot_partition}" "${boot_mountpoint}" - sed -i -r "s/verity.sysroot=[[:xdigit:]]+/verity.sysroot=${roothash}/g" "${boot_mountpoint}/loader.1/entries/ostree-1-fedora-coreos.conf" - echo "✍️ Updated bootloader kernel cmdline to include new dm-verity roothash: $(grep '^options ' "${boot_mountpoint}"/loader.1/entries/ostree-1-fedora-coreos.conf)" - umount_partition "${boot_mountpoint}" - rmdir "${boot_mountpoint}" - - echo "➡️ Overwriting partitions..." - overwrite_partition "${raw_image}" 3 "${boot_partition}" - overwrite_partition "${raw_image}" 5 "${hashtree_partition}" -} - -repack () { - local cloudprovider=$1 - local unpacked_image=$2 - local packed_image=$3 - local unpacked_image_dir - unpacked_image_dir=$(dirname "${unpacked_image}") - local unpacked_image_filename - unpacked_image_filename=$(basename "${unpacked_image}") - local tmp_tar_file - tmp_tar_file=$(mktemp -t verity.XXXXXX.tar) - - case $cloudprovider in - - gcp) - echo "📥 Repacking GCP image..." - tar --owner=0 --group=0 -C "${unpacked_image_dir}" -Sch --format=oldgnu -f "${tmp_tar_file}" "${unpacked_image_filename}" - "${PV}" "${tmp_tar_file}" | pigz -9c > "${packed_image}" - rm "${tmp_tar_file}" - echo " Repacked image stored in ${packed_image}" - ;; - - azure) - echo "📥 Repacking Azure image..." 
- qemu-img convert -p -f raw -O vpc -o force_size,subformat=fixed "${unpacked_image}" "$packed_image" - echo " Repacked image stored in ${packed_image}" - ;; - - *) - echo "unknown cloud provider" - exit 1 - ;; - esac -} - -echo "🔁 Recalculating dm-verity hashtree 🌳" -tmp_dir=$(mktemp -d -t verity-XXXXXXXXXX) -raw_image="${tmp_dir}/disk.raw" -unpack "$1" "$2" "${raw_image}" -update_verity "${tmp_dir}" "${raw_image}" -repack "$1" "${raw_image}" "${2}" -rm -r "${tmp_dir}"
diff --git a/image/docker.env b/image/docker.env
deleted file mode 100644
index 4ee92637a..000000000
--- a/image/docker.env
+++ /dev/null
@@ -1,15 +0,0 @@
-cosa() { - env | grep COREOS_ASSEMBLER - local -r COREOS_ASSEMBLER_CONTAINER_LATEST="localhost/coreos-assembler" - test -t 1 && USE_TTY="-ti" - set -x - docker run --rm ${USE_TTY} --security-opt label=disable --privileged \ - -v ${PWD}:/srv/ --device /dev/kvm --device /dev/fuse \ - --tmpfs /tmp -v /var/tmp:/var/tmp --name constellation-cosa \ - -v ${NETRC}:/home/builder/.netrc:ro \ - ${COREOS_ASSEMBLER_CONFIG_GIT:+-v $COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \ - ${COREOS_ASSEMBLER_GIT:+-v $COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro} \ - ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \ - ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@" - rc=$?; set +x; return $rc -}
diff --git a/image/docs/README.md b/image/docs/README.md
deleted file mode 100644
index ff867a3e7..000000000
--- a/image/docs/README.md
+++ /dev/null
@@ -1,208 +0,0 @@ -# Fedora CoreOS Assembler - -We use the [Fedora CoreOS Assembler](https://coreos.github.io/coreos-assembler/) to build the base image for Constellation nodes. - -## Setup - -Prerequisites: `podman` and `qemu-kvm` are installed, nested virtualization is enabled. -Make sure your user is allowed read and write access on `/dev/kvm`. -If the device is not mounted in the container try the following command, and restart the container: -``` shell -sudo chmod 666 /dev/kvm -``` - -* Pull the assembler container image - - ``` shell - podman pull quay.io/coreos-assembler/coreos-assembler - ``` - -* Create a working directory on your host system - - ``` shell - mkdir fcos && cd fcos - ``` - -* Set up a bash alias - - Add the following to your `.bashrc` to easily start the image assembler using `cosa`: - ``` bash - cosa() { - env | grep COREOS_ASSEMBLER - local -r COREOS_ASSEMBLER_CONTAINER_LATEST="quay.io/coreos-assembler/coreos-assembler:latest" - if [[ -z ${COREOS_ASSEMBLER_CONTAINER} ]] && $(podman image exists ${COREOS_ASSEMBLER_CONTAINER_LATEST}); then - local -r cosa_build_date_str="$(podman inspect -f "{{.Created}}" ${COREOS_ASSEMBLER_CONTAINER_LATEST} | awk '{print $1}')" - local -r cosa_build_date="$(date -d ${cosa_build_date_str} +%s)" - if [[ $(date +%s) -ge $((cosa_build_date + 60*60*24*7)) ]] ; then - echo -e "\e[0;33m----" >&2 - echo "The COSA container image is more that a week old and likely outdated." 
>&2 - echo "You should pull the latest version with:" >&2 - echo "podman pull ${COREOS_ASSEMBLER_CONTAINER_LATEST}" >&2 - echo -e "----\e[0m" >&2 - sleep 10 - fi - fi - set -x - podman run --rm -ti --security-opt label=disable --privileged \ - --uidmap=1000:0:1 --uidmap=0:1:1000 --uidmap 1001:1001:64536 \ - -v ${PWD}:/srv/ --device /dev/kvm --device /dev/fuse \ - --tmpfs /tmp -v /var/tmp:/var/tmp --name cosa \ - ${COREOS_ASSEMBLER_CONFIG_GIT:+-v $COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \ - ${COREOS_ASSEMBLER_GIT:+-v $COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro} \ - ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \ - ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@" - rc=$?; set +x; return $rc - } - ``` - -* Run the builder - - ``` shell - cosa shell - ``` - -* Initialize the build - - ``` shell - cosa init https://github.com/coreos/fedora-coreos-config - ``` - -* Fetch metadata and packages - - ``` shell - cosa fetch - ``` - -* Build a qemu VM image - - ``` shell - cosa build - ``` - - Each build will create a new directory in `$PWD/builds/`, containing the generated OSTree commit and the qemu VM image. - -* Run the image - - ``` shell - cosa run - ``` - -## Customization - -The CoreOS Assembler offers three main customization options: -* [`manifest.yaml`](https://coreos.github.io/coreos-assembler/working/#manifestyaml) - - An rpm-ostree "manifest" or "treefile", primarily, a list of RPMs and their associated repositories. - See the rpm-ostree documentation for the [treefile format reference](https://coreos.github.io/rpm-ostree/treefile/) - -* [`overlay.d/`](https://coreos.github.io/coreos-assembler/working/#overlayd) - - A generic way to embed architecture-independent configuration and scripts by creating subdirectories in `overlay.d/`. - Each subdirectory is added to the OSTree commit in lexicographic order. 
- -* [`image.yaml`](https://coreos.github.io/coreos-assembler/working/#imageyaml) - - Configuration for the output disk images - -Additionally, one may use [`overrides`](https://coreos.github.io/coreos-assembler/working/#using-overrides) to embed local RPMs from the build environment, that should not be pulled from a remote repository: - -1. Package the binary as an RPM - -2. Add any dependencies of the RPM to `manifest.yaml` - -3. Run `cosa fetch` to prepare dependencies - -4. Place the RPM in `overrides/rpm` - -5. Add the name of your RPM to `manifest.yaml` - -6. Run `cosa build`. Your RPM will be added to the final image. - - -Example: We want to build FCOS with our own kernel - -1. Follow [Kernel Building](#kernel-building) to build the kernel - - You should end up with at least three RPMs: `kernel`, `kernel-core`, `kernel-modules`. - `kernel` depends on `core` and `modules`, `modules` on `core`, and `core` on common FCOS packages (`bash`, `systemd`, etc.). - These dependencies should already be in the manifest. - -2. Run `cosa fetch` - -3. Place the kernel RPMs in `overrides/rpm` - - `kernel`, `kernel-core`, `kernel-modules` should already be in the manifest (`src/config/manifests/bootable-rpm-ostree.yaml`) - -4. Run `cosa build` to create the image - -5. Test the image with `cosa run` - -6. Run `cosa buildextend-gcp` and `cosa buildextend-azure` to additionaly create a VM image for GCP and Azure - -## RPM packaging - -If we want to make the most use of CoreOS assembler we should package our applications as RPM packages. -See [creating rpm packages](https://docs.fedoraproject.org/en-US/quick-docs/creating-rpm-packages/). - -Brief overview of the required steps: - -1. Create a directory with your source code or binary file - -2. Add a .spec file - - Run the following command to create a spec file template that you can update with information about your package - ``` shell - rpmdev-newspec - ``` - -3. 
Create the RPM - - ``` shell - fedpkg --release f35 local - ``` - -## Kernel Building - -See the [building a custom kernel](https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/) from the Fedora Project documentation. - -The following assumes you are running on a current release of Fedora. -We have a Fedora 35 image available on GCP, make sure you have enough space available and the VM is capable to build the kernel in a reasonable time (e2-standard-8 takes ~2h to finish the build). - -1. Install dependencies and clone the kernel - - ``` shell - sudo dnf install fedpkg fedora-packager rpmdevtools ncurses-devel pesign grubby qt3-devel libXi-devel gcc-c++ - fedpkg clone -a kernel && cd kernel - sudo dnf builddep kernel.spec - ``` - - Optionally install `ccache` to speed up rebuilds - ``` shell - sudo dnf install ccache - ``` - -2. Check out the kernel branch you want to base your build on - - Each release has its own branch. E.g. to customize the kernel for Fedora 35, check out `origin/f35`. `rawhide` tracks the latest iteration, following closely behind the mainline kernel. - ``` shell - git checkout origin/f35 - git checkout -b custom-kernel - ``` - -3. Customize buildid by chaning `# define buildid .local` to `%define buildid .` in `kernel.spec` - -4. Apply your changes and patches to the kernel - -5. Build the RPMs - - This will take a while - ``` shell - fedpkg local - ``` - The built kernel RPMs will be in `./x86_64/` - -6. You can now use and install the kernel packages - - ``` shell - sudo dnf install --nogpgcheck ./x86_64/kernel-$version.rpm - ```
diff --git a/image/docs/cloud-providers.md b/image/docs/cloud-providers.md
deleted file mode 100644
index a1345b9ee..000000000
--- a/image/docs/cloud-providers.md
+++ /dev/null
@@ -1,45 +0,0 @@ -# Cloud Providers - -Custom CoreOS images created here can be uploaded to supported cloud providers. This documents contains information on how to manually spawn cloud provider instances using custom CoreOS images. - -## GCP - -```shell -gcloud compute instances create --zone= --machine-type= --image --maintenance-policy=TERMINATE --confidential-compute --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management,https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/trace.append -``` - -## Azure - -Non-CVM: -``` -az image list -# copy image id from output of previous command -az vm create --resource-group --location --name --os-type linux --public-ip-sku Standard --image -``` - -### Create Marketplace offer - -- Upload a vhd and image to azure portal using the Makefile -- Create (or reuse) a `shared image gallery`: - - Create image gallery if it does not exist yet - - Search for "Azure compute galleries" in azure portal - - Click "create" - - Choose "constellation-images" resource group and pick a name, then click create -- Create a VM image definition - - Search for "Azure compute galleries" in azure portal and choose the created gallery - - Click "Create a VM image definition" - - OS type: Linux - - OS state: Generalized - - VM generation: Gen 2 - - Publisher: EdgelessSystems - - Offer: constellation-coreos - - SKU: constellation-coreos - - Source image: Choose image uploaded using Makefile - - Create -- Create Marketplace offer (on https://partner.microsoft.com/) - - Navigate to marketplace offers overview (https://partner.microsoft.com/en-us/dashboard/marketplace-offers/overview) - - If you want to create a new version 
of an existing plan, skip this section - - Click "New offer" -> "Azure Virtual Machine" - - Choose an offer id and alias - - Create a new plan on "Plan overview" -> "Create new plan", choose a plan id and plan name - - In "Technical configuration", create a generation, choose "Azure shared image gallery" and select the image created earlier
diff --git a/image/images/.gitkeep b/image/images/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/image/mkosi/mkosi.cache/.gitkeep b/image/mkosi/mkosi.cache/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/image/podman.env b/image/podman.env
deleted file mode 100644
index 3bb3b3e53..000000000
--- a/image/podman.env
+++ /dev/null
@@ -1,16 +0,0 @@
-cosa() { - env | grep COREOS_ASSEMBLER - local -r COREOS_ASSEMBLER_CONTAINER_LATEST="localhost/coreos-assembler" - test -t 1 && USE_TTY="-ti" - set -x - podman run --rm ${USE_TTY} --security-opt label=disable --privileged \ - --uidmap=1000:0:1 --uidmap=0:1:1000 --uidmap 1001:1001:64536 \ - -v ${PWD}:/srv/ --device /dev/kvm --device /dev/fuse \ - --tmpfs /tmp -v /var/tmp:/var/tmp --name constellation-cosa \ - -v ${NETRC}:/home/builder/.netrc:ro \ - ${COREOS_ASSEMBLER_CONFIG_GIT:+-v $COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \ - ${COREOS_ASSEMBLER_GIT:+-v $COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro} \ - ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \ - ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@" - rc=$?; set +x; return $rc -}
diff --git a/image/mkosi/.gitattributes b/mkosi/.gitattributes
similarity index 100%
rename from image/mkosi/.gitattributes
rename to mkosi/.gitattributes
diff --git a/image/mkosi/.gitignore b/mkosi/.gitignore
similarity index 100%
rename from image/mkosi/.gitignore
rename to mkosi/.gitignore
diff --git a/image/mkosi/Makefile b/mkosi/Makefile
similarity index 100%
rename from image/mkosi/Makefile
rename to mkosi/Makefile
diff --git a/image/mkosi/README.md b/mkosi/README.md
similarity index 100%
rename from image/mkosi/README.md
rename to mkosi/README.md
diff --git a/image/mkosi/measured-boot/extract_authentihash.py b/mkosi/measured-boot/extract_authentihash.py
similarity index 100%
rename from image/mkosi/measured-boot/extract_authentihash.py
rename to mkosi/measured-boot/extract_authentihash.py
diff --git a/image/mkosi/measured-boot/measure_util.sh b/mkosi/measured-boot/measure_util.sh
similarity index 100%
rename from image/mkosi/measured-boot/measure_util.sh
rename to mkosi/measured-boot/measure_util.sh
diff --git a/image/mkosi/measured-boot/pcr-stable.json b/mkosi/measured-boot/pcr-stable.json
similarity index 100%
rename from image/mkosi/measured-boot/pcr-stable.json
rename to mkosi/measured-boot/pcr-stable.json
diff --git a/image/mkosi/measured-boot/precalculate_pcr_4.sh b/mkosi/measured-boot/precalculate_pcr_4.sh
similarity index 100%
rename from image/mkosi/measured-boot/precalculate_pcr_4.sh
rename to mkosi/measured-boot/precalculate_pcr_4.sh
diff --git a/image/mkosi/measured-boot/precalculate_pcr_8.sh b/mkosi/measured-boot/precalculate_pcr_8.sh
similarity index 100%
rename from image/mkosi/measured-boot/precalculate_pcr_8.sh
rename to mkosi/measured-boot/precalculate_pcr_8.sh
diff --git a/image/mkosi/measured-boot/precalculate_pcr_9.sh b/mkosi/measured-boot/precalculate_pcr_9.sh
similarity index 100%
rename from image/mkosi/measured-boot/precalculate_pcr_9.sh
rename to mkosi/measured-boot/precalculate_pcr_9.sh
diff --git a/image/dependencies/.gitkeep b/mkosi/mkosi.cache/.gitkeep
similarity index 100%
rename from image/dependencies/.gitkeep
rename to mkosi/mkosi.cache/.gitkeep
diff --git a/image/mkosi/mkosi.conf.d/azure.conf b/mkosi/mkosi.conf.d/azure.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/azure.conf
rename to mkosi/mkosi.conf.d/azure.conf
diff --git a/image/mkosi/mkosi.conf.d/containers.conf b/mkosi/mkosi.conf.d/containers.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/containers.conf
rename to mkosi/mkosi.conf.d/containers.conf
diff --git a/image/mkosi/mkosi.conf.d/gcp.conf b/mkosi/mkosi.conf.d/gcp.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/gcp.conf
rename to mkosi/mkosi.conf.d/gcp.conf
diff --git a/image/mkosi/mkosi.conf.d/mkosi.conf b/mkosi/mkosi.conf.d/mkosi.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/mkosi.conf
rename to mkosi/mkosi.conf.d/mkosi.conf
diff --git a/image/mkosi/mkosi.conf.d/network.conf b/mkosi/mkosi.conf.d/network.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/network.conf
rename to mkosi/mkosi.conf.d/network.conf
diff --git a/image/mkosi/mkosi.conf.d/secure-boot-tpm.conf b/mkosi/mkosi.conf.d/secure-boot-tpm.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/secure-boot-tpm.conf
rename to mkosi/mkosi.conf.d/secure-boot-tpm.conf
diff --git a/image/mkosi/mkosi.conf.d/tools.conf b/mkosi/mkosi.conf.d/tools.conf
similarity index 100%
rename from image/mkosi/mkosi.conf.d/tools.conf
rename to mkosi/mkosi.conf.d/tools.conf
diff --git a/image/mkosi/mkosi.files/mkosi.azure.conf b/mkosi/mkosi.files/mkosi.azure.conf
similarity index 100%
rename from image/mkosi/mkosi.files/mkosi.azure.conf
rename to mkosi/mkosi.files/mkosi.azure.conf
diff --git a/image/mkosi/mkosi.files/mkosi.gcp.conf b/mkosi/mkosi.files/mkosi.gcp.conf
similarity index 100%
rename from image/mkosi/mkosi.files/mkosi.gcp.conf
rename to mkosi/mkosi.files/mkosi.gcp.conf
diff --git a/image/mkosi/mkosi.files/mkosi.qemu.conf b/mkosi/mkosi.files/mkosi.qemu.conf
similarity index 100%
rename from image/mkosi/mkosi.files/mkosi.qemu.conf
rename to mkosi/mkosi.files/mkosi.qemu.conf
diff --git a/image/mkosi/mkosi.finalize b/mkosi/mkosi.finalize
similarity index 100%
rename from image/mkosi/mkosi.finalize
rename to mkosi/mkosi.finalize
diff --git a/image/mkosi/mkosi.postinst b/mkosi/mkosi.postinst
similarity index 100%
rename from image/mkosi/mkosi.postinst
rename to mkosi/mkosi.postinst
diff --git a/image/mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf b/mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
rename to mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
diff --git a/image/mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf b/mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf
rename to mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf
diff --git a/image/mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf b/mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf
rename to mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf
diff --git a/image/mkosi/mkosi.skeleton/etc/fstab b/mkosi/mkosi.skeleton/etc/fstab
similarity index 100%
rename from image/mkosi/mkosi.skeleton/etc/fstab
rename to mkosi/mkosi.skeleton/etc/fstab
diff --git a/image/mkosi/mkosi.skeleton/etc/profile.d/constellation.sh b/mkosi/mkosi.skeleton/etc/profile.d/constellation.sh
similarity index 100%
rename from image/mkosi/mkosi.skeleton/etc/profile.d/constellation.sh
rename to mkosi/mkosi.skeleton/etc/profile.d/constellation.sh
diff --git a/image/mkosi/mkosi.skeleton/usr/etc/containerd/config.toml b/mkosi/mkosi.skeleton/usr/etc/containerd/config.toml
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/etc/containerd/config.toml
rename to mkosi/mkosi.skeleton/usr/etc/containerd/config.toml
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
rename to mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf b/mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
rename to mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf b/mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
rename to mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf b/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
rename to mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf b/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
rename to mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network b/mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
rename to mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network b/mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
rename to mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
rename to mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service b/mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
rename to mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service b/mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
rename to mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf b/mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
rename to mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service b/mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service
rename to mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf b/mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf
rename to mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf b/mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf
rename to mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id b/mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id
rename to mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules b/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
rename to mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules b/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
rename to mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
diff --git a/image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules b/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
rename to mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
diff --git a/image/mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs b/mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs
similarity index 100%
rename from image/mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs
rename to mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs
diff --git a/image/mkosi/pki_testing/KEK.auth b/mkosi/pki_testing/KEK.auth
similarity index 100%
rename from image/mkosi/pki_testing/KEK.auth
rename to mkosi/pki_testing/KEK.auth
diff --git a/image/mkosi/pki_testing/KEK.cer b/mkosi/pki_testing/KEK.cer
similarity index 100%
rename from image/mkosi/pki_testing/KEK.cer
rename to mkosi/pki_testing/KEK.cer
diff --git a/image/mkosi/pki_testing/KEK.crt b/mkosi/pki_testing/KEK.crt
similarity index 100%
rename from image/mkosi/pki_testing/KEK.crt
rename to mkosi/pki_testing/KEK.crt
diff --git a/image/mkosi/pki_testing/KEK.esl b/mkosi/pki_testing/KEK.esl
similarity index 100%
rename from image/mkosi/pki_testing/KEK.esl
rename to mkosi/pki_testing/KEK.esl
diff --git a/image/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt b/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt
similarity index 100%
rename from image/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt
rename to mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt
diff --git a/image/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl b/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl
similarity index 100%
rename from image/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl
rename to mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl
diff --git a/image/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt b/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt
similarity index 100%
rename from image/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt
rename to mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt
diff --git a/image/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl b/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl
similarity index 100%
rename from image/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl
rename to mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl
diff --git a/image/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt b/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt
similarity index 100%
rename from image/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt
rename to mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt
diff --git a/image/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl b/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl
similarity index 100%
rename from image/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl
rename to mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl
diff --git a/image/mkosi/pki_testing/PK.auth b/mkosi/pki_testing/PK.auth
similarity index 100%
rename from image/mkosi/pki_testing/PK.auth
rename to mkosi/pki_testing/PK.auth
diff --git a/image/mkosi/pki_testing/PK.cer b/mkosi/pki_testing/PK.cer
similarity index 100%
rename from image/mkosi/pki_testing/PK.cer
rename to mkosi/pki_testing/PK.cer
diff --git a/image/mkosi/pki_testing/PK.crt b/mkosi/pki_testing/PK.crt
similarity index 100%
rename from image/mkosi/pki_testing/PK.crt
rename to mkosi/pki_testing/PK.crt
diff --git a/image/mkosi/pki_testing/PK.esl b/mkosi/pki_testing/PK.esl
similarity index 100%
rename from image/mkosi/pki_testing/PK.esl
rename to mkosi/pki_testing/PK.esl
diff --git a/image/mkosi/pki_testing/db.auth b/mkosi/pki_testing/db.auth
similarity index 100%
rename from image/mkosi/pki_testing/db.auth
rename to mkosi/pki_testing/db.auth
diff --git a/image/mkosi/pki_testing/db.cer b/mkosi/pki_testing/db.cer
similarity index 100%
rename from image/mkosi/pki_testing/db.cer
rename to mkosi/pki_testing/db.cer
diff --git a/image/mkosi/pki_testing/db.crt b/mkosi/pki_testing/db.crt
similarity index 100%
rename from image/mkosi/pki_testing/db.crt
rename to mkosi/pki_testing/db.crt
diff --git a/image/mkosi/pki_testing/db.esl b/mkosi/pki_testing/db.esl
similarity index 100%
rename from image/mkosi/pki_testing/db.esl
rename to mkosi/pki_testing/db.esl
diff --git a/image/mkosi/secure-boot/azure/delete.sh b/mkosi/secure-boot/azure/delete.sh
similarity index 100%
rename from image/mkosi/secure-boot/azure/delete.sh
rename to mkosi/secure-boot/azure/delete.sh
diff --git a/image/mkosi/secure-boot/azure/extract_vmgs.sh b/mkosi/secure-boot/azure/extract_vmgs.sh
similarity index 100%
rename from image/mkosi/secure-boot/azure/extract_vmgs.sh
rename to mkosi/secure-boot/azure/extract_vmgs.sh
diff --git a/image/mkosi/secure-boot/azure/launch.sh b/mkosi/secure-boot/azure/launch.sh
similarity index 100%
rename from image/mkosi/secure-boot/azure/launch.sh
rename to mkosi/secure-boot/azure/launch.sh
diff --git a/image/mkosi/secure-boot/generate_nvram_vars.sh b/mkosi/secure-boot/generate_nvram_vars.sh
similarity index 100%
rename from image/mkosi/secure-boot/generate_nvram_vars.sh
rename to mkosi/secure-boot/generate_nvram_vars.sh
diff --git a/image/mkosi/secure-boot/genkeys.sh b/mkosi/secure-boot/genkeys.sh
similarity index 100%
rename from image/mkosi/secure-boot/genkeys.sh
rename to mkosi/secure-boot/genkeys.sh
diff --git a/image/mkosi/secure-boot/signed-shim.sh b/mkosi/secure-boot/signed-shim.sh
similarity index 100%
rename from image/mkosi/secure-boot/signed-shim.sh
rename to mkosi/secure-boot/signed-shim.sh
diff --git a/image/mkosi/secure-boot/templates/dev_KEK.conf b/mkosi/secure-boot/templates/dev_KEK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/dev_KEK.conf
rename to mkosi/secure-boot/templates/dev_KEK.conf
diff --git a/image/mkosi/secure-boot/templates/dev_PK.conf b/mkosi/secure-boot/templates/dev_PK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/dev_PK.conf
rename to mkosi/secure-boot/templates/dev_PK.conf
diff --git a/image/mkosi/secure-boot/templates/dev_db.conf b/mkosi/secure-boot/templates/dev_db.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/dev_db.conf
rename to mkosi/secure-boot/templates/dev_db.conf
diff --git a/image/mkosi/secure-boot/templates/prod_KEK.conf b/mkosi/secure-boot/templates/prod_KEK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/prod_KEK.conf
rename to mkosi/secure-boot/templates/prod_KEK.conf
diff --git a/image/mkosi/secure-boot/templates/prod_PK.conf b/mkosi/secure-boot/templates/prod_PK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/prod_PK.conf
rename to mkosi/secure-boot/templates/prod_PK.conf
diff --git a/image/mkosi/secure-boot/templates/prod_db.conf b/mkosi/secure-boot/templates/prod_db.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/prod_db.conf
rename to mkosi/secure-boot/templates/prod_db.conf
diff --git a/image/mkosi/secure-boot/templates/testing_KEK.conf b/mkosi/secure-boot/templates/testing_KEK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/testing_KEK.conf
rename to mkosi/secure-boot/templates/testing_KEK.conf
diff --git a/image/mkosi/secure-boot/templates/testing_PK.conf b/mkosi/secure-boot/templates/testing_PK.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/testing_PK.conf
rename to mkosi/secure-boot/templates/testing_PK.conf
diff --git a/image/mkosi/secure-boot/templates/testing_db.conf b/mkosi/secure-boot/templates/testing_db.conf
similarity index 100%
rename from image/mkosi/secure-boot/templates/testing_db.conf
rename to mkosi/secure-boot/templates/testing_db.conf
diff --git a/image/mkosi/upload/pack.sh b/mkosi/upload/pack.sh
similarity index 100%
rename from image/mkosi/upload/pack.sh
rename to mkosi/upload/pack.sh
diff --git a/image/mkosi/upload/upload_azure.sh b/mkosi/upload/upload_azure.sh
similarity index 100%
rename from image/mkosi/upload/upload_azure.sh
rename to mkosi/upload/upload_azure.sh
diff --git a/image/mkosi/upload/upload_gcp.sh b/mkosi/upload/upload_gcp.sh
similarity index 100%
rename from image/mkosi/upload/upload_gcp.sh
rename to mkosi/upload/upload_gcp.sh