image: migrate mkosi config to systemd-repart

Malte Poll 2023-01-25 15:35:48 +01:00
parent bd37acfc84
commit c58412bcd2
9 changed files with 67 additions and 23 deletions


@ -6,6 +6,7 @@ DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent
PKI ?= $(BASE_PATH)/pki PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
EXTRA_SEARCH_PATHS ?=
IMAGE_VERSION ?= v0.0.0 IMAGE_VERSION ?= v0.0.0
AUTOLOGIN ?= false AUTOLOGIN ?= false
AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
@ -36,7 +37,7 @@ prebuilt/rpms/azure/%.rpm:
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.7/200.fc37/x86_64/$*.rpm @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.7/200.fc37/x86_64/$*.rpm
mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) $(AUTOLOGIN_ARGS) --environment=CONSOLE_MOTD build mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) $(AUTOLOGIN_ARGS) --environment=CONSOLE_MOTD --extra-search-paths "$(EXTRA_SEARCH_PATHS)" build
secure-boot/signed-shim.sh $@ secure-boot/signed-shim.sh $@
@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \ @if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \ chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
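Review bot: On the mkosi invocation, `--extra-search-paths "$(EXTRA_SEARCH_PATHS)"` is passed unconditionally, so with the default empty value mkosi receives an empty-string argument; whether mkosi treats "" as "no extra path" or as the current directory is not visible here, and the build should not depend on it. The file already has the pattern for optional flags in AUTOLOGIN_ARGS, so I'd mirror it: `EXTRA_SEARCH_PATHS_ARGS := $(if $(strip $(EXTRA_SEARCH_PATHS)),--extra-search-paths "$(EXTRA_SEARCH_PATHS)")` and use `$(EXTRA_SEARCH_PATHS_ARGS)` in the recipe. Directories given here are searched before the system tools mkosi would otherwise run, and the README in this commit points the variable at a systemd checkout cloned without a pinned revision, so the `?=` line deserves a comment such as `# Directories searched first for mkosi's tools (e.g. locally built systemd-repart/ukify); only point this at trusted, pinned builds`.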


@ -10,6 +10,26 @@
cp builddir/mkosi /usr/local/bin/ cp builddir/mkosi /usr/local/bin/
``` ```
- Build systemd tooling (from git):
Ubuntu and Fedora ship outdated versions of systemd tools, so you need to build them from source:
```sh
# Ubuntu
echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get build-dep systemd
sudo apt-get install libfdisk-dev
# Fedora
sudo dnf builddep systemd
git clone https://github.com/systemd/systemd --depth=1
meson systemd/build systemd -Drepart=true -Defi=true
ninja -C systemd/build systemd-nspawn systemd-dissect systemd-repart systemd-analyze bootctl ukify
SYSTEMD_BIN=$(realpath systemd/build)
echo installed systemd tools to "${SYSTEMD_BIN}"
```
- Install tools: - Install tools:
<details> <details>
@ -18,22 +38,24 @@
```sh ```sh
sudo apt-get update sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \ sudo apt-get install --assume-yes --no-install-recommends \
dnf \
systemd-container \
qemu-system-x86 \
qemu-utils \
ovmf \
e2fsprogs \
squashfs-tools \
efitools \
sbsigntool \
coreutils \ coreutils \
curl \ curl \
dnf \
e2fsprogs \
efitools \
jq \ jq \
util-linux \ mtools \
virt-manager \ ovmf \
python3-crc32c \ python3-crc32c \
rpm python3-pefile \
qemu-system-x86 \
qemu-utils \
rpm \
sbsigntool \
squashfs-tools \
systemd-container \
util-linux \
virt-manager
``` ```
</details> </details>
@ -67,20 +89,23 @@ When building your first image, prepare the secure boot PKI (see `secure-boot/ge
Second, you need to prepare the local RPM repository. This is only necessary for the first build, or when you want to update the packages in the repository. Second, you need to prepare the local RPM repository. This is only necessary for the first build, or when you want to update the packages in the repository.
```sh: `SYSTEMD_BIN` is the path to the systemd tools you built in the previous step.
make -C ./packages pull repo
```sh
make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -C ./packages pull repo
``` ```
After that, you can build the image with: After that, you can build the image with:
```sh ```sh
# export SYSTEMD_BIN=<path to systemd tools>
# OPTIONAL: to create a debug image, export the following line # OPTIONAL: to create a debug image, export the following line
# export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd) # export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd)
# OPTIONAL: to enable the serial console, export the following line # OPTIONAL: to enable the serial console, export the following line
# export AUTOLOGIN=true # export AUTOLOGIN=true
# OPTIONAL: symlink custom path to secure boot PKI to ./pki # OPTIONAL: symlink custom path to secure boot PKI to ./pki
# ln -s /path/to/pki/folder ./pki # ln -s /path/to/pki/folder ./pki
sudo make -j $(nproc) sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
``` ```
Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`. Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.


@ -3,13 +3,10 @@ Distribution=fedora
Release=37 Release=37
[Output] [Output]
Format=gpt_squashfs Format=disk
ManifestFormat=json,changelog ManifestFormat=json,changelog
Bootable=yes Bootable=yes
KernelCommandLine=mitigations=auto,nosmt preempt=full loglevel=8 KernelCommandLine=mitigations=auto,nosmt preempt=full loglevel=8
WithUnifiedKernelImages=yes
Verity=yes
CompressFs=zstd
SplitArtifacts=yes SplitArtifacts=yes
# Enable Secure Boot with own PKI # Enable Secure Boot with own PKI
SecureBoot=yes SecureBoot=yes
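Review bot: With `Verity=yes`, `CompressFs=zstd` and `WithUnifiedKernelImages=yes` dropped from [Output], nothing in this file says where root integrity and compression are now configured, so someone auditing the image's verity setup will not find a trace of it here. I'd add a pointer above `Format=disk`: `# Partition layout, root dm-verity (data + hash partitions) and squashfs compression are defined in mkosi.repart/ (systemd-repart)`. The squashfs compression algorithm is no longer pinned anywhere visible in this commit, so it presumably falls back to whatever mksquashfs defaults to rather than zstd; worth confirming on the built image if size or boot-time decompression cost matters.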


@ -1,3 +1,3 @@
[Output] [Output]
# set selinux to permissive # set selinux to permissive
KernelCommandLine=!selinux=0 selinux=1 enforcing=0 KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
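Review bot: `audit=0` on the kernel command line disables the kernel audit subsystem at boot, which is a broader change than the "set selinux to permissive" comment above it describes; SELinux AVC denials, the main output of a permissive-mode run, presumably then only reach the kernel ring buffer rather than audit/journald, and any audit consumer on the image is silently empty. The comment should state the intent, e.g. `# set selinux to permissive; audit=0 additionally disables kernel auditing (AVC denials then only appear in dmesg)`. If this file is layered onto anything other than debug images, that removes an audit trail from production and should be reconsidered; I cannot tell from the hunk which images include it.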


@ -0,0 +1,6 @@
[Partition]
Type=esp
Format=vfat
CopyFiles=/boot:/
SizeMinBytes=256M
SizeMaxBytes=512M
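Review bot: The new ESP definition carries no note on its security role: it is not covered by the verity partitions defined alongside it, so the integrity of whatever `CopyFiles=/boot:/` places there rests entirely on Secure Boot signature checks (`SecureBoot=yes` and `secure-boot/signed-shim.sh` elsewhere in this commit). I'd state that at the top of the file: `# EFI system partition: plain FAT, not verity-protected; everything copied from /boot must be covered by Secure Boot signing`. The 256M–512M bounds also deserve a word on what they are sized for (how many UKIs are retained), since repart will presumably refuse to build once the copied files exceed the maximum.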


@ -0,0 +1,7 @@
[Partition]
Type=root
Format=squashfs
Verity=data
VerityMatchKey=root
CopyFiles=/
Minimize=guess
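Review bot: `CopyFiles=/` copies the whole tree, including /boot, which the sibling ESP definition also copies via `CopyFiles=/boot:/`, so unless mkosi or another definition excludes it the kernel/UKI is stored twice and the verity-protected root carries boot files that are never used from there. If that is not intended and the systemd-repart in use supports it, `ExcludeFiles=/boot/` (and `/efi/` if present) on this partition keeps the root image minimal. A header comment would also help a reader: `# Read-only root: squashfs, dm-verity data partition paired with the hash partition through VerityMatchKey=root`.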


@ -0,0 +1,6 @@
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
SizeMinBytes=64M
SizeMaxBytes=64M
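Review bot: Nothing in the repart definitions binds the verity root hash to a signed artifact — there is no `root-verity-sig` partition — so enforcement depends on mkosi embedding `roothash=` into the kernel command line of the Secure-Boot-signed UKI; that is presumably what mkosi does for `Format=disk` with a verity partition, but it is not visible in this commit and should be verified on the built image (the UKI cmdline carries `roothash=`, and no unsigned cmdline source can override it). I'd record the requirement in this file: `# Hash partition for the root squashfs; the root hash must be pinned by roothash= in the signed UKI, otherwise dm-verity is not enforced`. The fixed 64M size should also say what root size it covers, since repart will presumably fail once the hash tree outgrows it.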


@ -5,3 +5,4 @@ enable containerd.service
enable kubelet.service enable kubelet.service
enable systemd-networkd.service enable systemd-networkd.service
enable tpm-pcrs.service enable tpm-pcrs.service
mask systemd-journald-audit.socket
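Review bot: Masking `systemd-journald-audit.socket` in this preset — which also enables kubelet and containerd, so apparently the common image preset rather than a debug-only one — stops journald from collecting kernel audit records (AVC denials, login and privilege events) in every image built from it, and no comment gives the reason. That removes a forensic source from the journal; if the goal is to silence audit noise from permissive-mode SELinux in debug builds, the mask belongs next to that debug configuration, and if it is deliberate for production it should be documented as such: `# audit records are intentionally not ingested into the journal; revisit if auditd or SELinux enforcing is enabled`. I cannot see from here whether anything else on these images consumes audit messages.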


@ -2,8 +2,9 @@ SHELL = /bin/bash
SRC_PATH = $(CURDIR) SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH) BASE_PATH ?= $(SRC_PATH)
MKOSI_CACHE ?= $(BASE_PATH)/mkosi.cache MKOSI_CACHE ?= $(BASE_PATH)/mkosi.cache
REPODIR ?= $(BASE_PATH)/repo REPODIR ?= $(BASE_PATH)/repo
ORAS_IMAGE ?= ghcr.io/edgelesssys/constellation-rpms ORAS_IMAGE ?= ghcr.io/edgelesssys/constellation-rpms
EXTRA_SEARCH_PATHS ?=
MKOSI ?= mkosi MKOSI ?= mkosi
.PHONY: all clean update repo testrepo .PHONY: all clean update repo testrepo
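Review bot: `EXTRA_SEARCH_PATHS ?=` is added without a comment, and the place where this Makefile consumes it lies outside the hunk, so a reader here cannot tell that it presumably ends up as mkosi's `--extra-search-paths` (as the image Makefile in the same commit does) and that, being `?=`, it is also taken from the environment. Per mkosi's documented semantics those directories are searched before the system tools, so an inherited environment variable silently changes which `systemd-repart`/`mkosi` binaries build the packages, which matters for a reproducible, trusted build. I'd document it: `# Extra directories searched first for mkosi's tools (e.g. a locally built systemd); may also be inherited from the environment`.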