ci: implement "console" stream for OS images (#969)

* image: add AUTOLOGIN environment variable to conditionally enable serial console login
* ci: implement "console" stream for OS images
* debugd: remove serial console login access code

.github/workflows/build-os-image.yml

@@ -11,15 +11,14 @@ on:
         required: false
         default: false
       stream:
-        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
+        description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
         type: choice
         required: true
         options:
           - "stable"
           - "nightly"
+          - "console"
           - "debug"
-          # TODO: implement console access enabled image
-          # - "console"
       ref:
         type: string
         description: "Git ref to checkout"
@@ -149,6 +148,8 @@ jobs:
         run: |
           if  [[ "${{ inputs.stream }}" == "debug" ]]; then
             echo "imageType=debug" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ inputs.stream }}" == "console" ]]; then
+            echo "imageType=console" >> "$GITHUB_OUTPUT"
           else
             echo "imageType=default" >> "$GITHUB_OUTPUT"
           fi
@@ -266,13 +267,14 @@ jobs:
         shell: bash
         run: |
           echo "::group::Build"
-          sudo make IMAGE_VERSION="${IMAGE_VERSION}" "${CSP}"
+          sudo make IMAGE_VERSION="${IMAGE_VERSION}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}"
           echo "::endgroup::"
         working-directory: ${{ github.workspace }}/image
         env:
           BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
           DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
           UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
+          AUTOLOGIN: ${{ (inputs.stream == 'console' || inputs.stream == 'debug' ) && 'true' || 'false' }}
           IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
           CSP: ${{ matrix.csp }}
 

debugd/cmd/debugd/debugd.go

@@ -51,10 +51,6 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	if err := deploy.EnableAutoLogin(ctx, fs, serviceManager); err != nil {
-		log.Errorf("root login: %w")
-	}
-
 	wg := &sync.WaitGroup{}
 
 	csp := os.Getenv("CONSTEL_CSP")

debugd/internal/debugd/constants.go

@@ -31,8 +31,4 @@ ExecStart=/run/state/bin/bootstrapper
 [Install]
 WantedBy=multi-user.target
 `
-	GettyAutologinOverrideFilename     = "/run/systemd/system/serial-getty@ttyS0.service.d/autologin.conf"
-	GettyAutologinOverrideUnitContents = `[Service]
-ExecStart=
-ExecStart=-/sbin/agetty -o '-p -f -- \\u' --autologin root --keep-baud 115200,57600,38400,9600 - $TERM`
 )

debugd/internal/debugd/deploy/seriallogin.go

@@ -1,41 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package deploy
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path"
-
-	"github.com/edgelesssys/constellation/v2/debugd/internal/debugd"
-	"github.com/spf13/afero"
-)
-
-// EnableAutoLogin installs a systemd unit override that allows passwordless root login
-// on the serial console.
-func EnableAutoLogin(ctx context.Context, fs afero.Fs, serviceManager serviceManager) error {
-	if err := fs.MkdirAll(path.Dir(debugd.GettyAutologinOverrideFilename), os.ModePerm); err != nil {
-		return fmt.Errorf("creating getty autologin override directory: %w", err)
-	}
-	if err := afero.WriteFile(fs, debugd.GettyAutologinOverrideFilename,
-		[]byte(debugd.GettyAutologinOverrideUnitContents), os.ModePerm); err != nil {
-		return fmt.Errorf("writing getty autologin override unit: %w", err)
-	}
-	if err := serviceManager.SystemdAction(ctx, ServiceManagerRequest{
-		Action: Reload,
-	}); err != nil {
-		return fmt.Errorf("reloading systemd units: %w", err)
-	}
-	if err := serviceManager.SystemdAction(ctx, ServiceManagerRequest{
-		Action: Restart,
-		Unit:   "serial-getty@ttyS0.service",
-	}); err != nil {
-		return fmt.Errorf("restarting getty: %w", err)
-	}
-	return nil
-}

image/Makefile

@@ -7,6 +7,9 @@ UPGRADE_AGENT_BINARY             ?= $(BASE_PATH)/../build/upgrade-agent
 PKI                              ?= $(BASE_PATH)/pki
 MKOSI_EXTRA                      ?= $(BASE_PATH)/mkosi.extra
 IMAGE_VERSION                    ?= v0.0.0
+AUTOLOGIN                        ?= false
+AUTOLOGIN_ARGS                   := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
+export CONSOLE_MOTD = $(AUTOLOGIN)
 -include $(CURDIR)/config.mk
 csps := aws qemu gcp azure
 certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
@@ -33,7 +36,7 @@ prebuilt/rpms/azure/%.rpm:
 	@curl -sL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/5.19.4/300.fc37/x86_64/$*.rpm
 
 mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
-	mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) build
+	mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) $(AUTOLOGIN_ARGS) --environment=CONSOLE_MOTD build
 	secure-boot/signed-shim.sh $@
 	@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
 		chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \

image/README.md

@@ -70,6 +70,8 @@ After that, you can build the image with:
 ```sh
 # OPTIONAL: to create a debug image, export the following line
 # export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd)
+# OPTIONAL: to enable the serial console, export the following line
+# export AUTOLOGIN=true
 # OPTIONAL: symlink custom path to secure boot PKI to ./pki
 # ln -s /path/to/pki/folder ./pki
 sudo make -j $(nproc)