From cd6e03049a42203491249003c5a1d164321d6849 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 28 Nov 2023 10:52:37 +0100
Subject: [PATCH] libvirt: build containerized libvirt as nix container image
---
 .github/workflows/build-libvirt-container.yml | 44 ++++++
 bazel/oci/containers.bzl | 2 +-
 bazel/toolchains/container_images.bzl | 7 +-
 cli/internal/libvirt/BUILD.bazel | 60 --------
 cli/internal/libvirt/etc/BUILD.bazel | 8 -
 cli/internal/libvirt/etc/group | 51 -------
 cli/internal/libvirt/etc/passwd | 31 ----
 cli/internal/libvirt/libvirtd.conf | 5 -
 cli/internal/libvirt/nvram/BUILD.bazel | 8 -
 .../nvram/constellation_vars.production.fd | Bin 131072 -> 0 bytes
 .../nvram/constellation_vars.testing.fd | Bin 131072 -> 0 bytes
 cli/internal/libvirt/qemu.conf | 1 -
 cli/internal/libvirt/start.sh | 20 ---
 dev-docs/workflows/qemu.md | 2 +-
 flake.nix | 2 +
 .../libvirt => nix/container}/README.md | 15 +-
 nix/container/libvirtd_base.nix | 139 ++++++++++++++++++
 terraform/infrastructure/qemu/variables.tf | 2 +-
 18 files changed, 204 insertions(+), 193 deletions(-)
 create mode 100644 .github/workflows/build-libvirt-container.yml
 delete mode 100644 cli/internal/libvirt/etc/BUILD.bazel
 delete mode 100644 cli/internal/libvirt/etc/group
 delete mode 100644 cli/internal/libvirt/etc/passwd
 delete mode 100644 cli/internal/libvirt/libvirtd.conf
 delete mode 100644 cli/internal/libvirt/nvram/BUILD.bazel
 delete mode 100644 cli/internal/libvirt/nvram/constellation_vars.production.fd
 delete mode 100644 cli/internal/libvirt/nvram/constellation_vars.testing.fd
 delete mode 100644 cli/internal/libvirt/qemu.conf
 delete mode 100755 cli/internal/libvirt/start.sh
 rename {cli/internal/libvirt => nix/container}/README.md (72%)
 create mode 100644 nix/container/libvirtd_base.nix
diff --git a/.github/workflows/build-libvirt-container.yml b/.github/workflows/build-libvirt-container.yml
new file mode 100644
index 000000000..91132fd78
--- /dev/null
+++ b/.github/workflows/build-libvirt-container.yml
@@ -0,0 +1,44 @@
+name: Build libvirtd base container
+
+on:
+ push:
+ branches:
+ - "main"
+ paths:
+ - "flake.nix"
+ - "flake.lock"
+ - "nix/containers/libvirtd_base.nix"
+ - ".github/workflows/build-libvirt-container.yml"
+ workflow_dispatch:
+
+jobs:
+ build-container:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+ - name: Setup bazel
+ uses: ./.github/actions/setup_bazel_nix
+ with:
+ useCache: "false"
+ nixTools: |
+ crane
+ gzip
+
+ - name: Log in to the Container registry
+ uses: ./.github/actions/container_registry_login
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build container
+ run: |
+ nix build .#libvirtd_base
+ gunzip < result > libvirtd_base.tar
+ crane push libvirtd_base.tar ghcr.io/edgelesssys/constellation/libvirtd-base
+ rm -f libvirtd_base.tar
diff --git a/bazel/oci/containers.bzl b/bazel/oci/containers.bzl
index 8f9e47db1..b83ef8262 100644
--- a/bazel/oci/containers.bzl
+++ b/bazel/oci/containers.bzl
@@ -51,7 +51,7 @@ def containers():
 "identifier": "libvirt",
 "image_name": "libvirt",
 "name": "libvirt",
- "oci": "//cli/internal/libvirt:constellation_libvirt",
+ "oci": "@libvirtd_base//:libvirtd_base",
 "repotag_file": "//bazel/release:libvirt_tag.txt",
 "used_by": ["config"],
 },
diff --git a/bazel/toolchains/container_images.bzl b/bazel/toolchains/container_images.bzl
index 70c9949dd..feaa27d06 100644
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@@ -1,5 +1,5 @@
 """
-This file contains external container images used by the project.
+This file contains container images that are pulled from container registries.
 """ load("@rules_oci//oci:pull.bzl", "oci_pull")
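Review bot: The `paths` filter lists `nix/containers/libvirtd_base.nix`, but the file this commit adds is `nix/container/libvirtd_base.nix` (singular, see the diffstat and the flake.nix hunk), so edits to the derivation will never trigger a rebuild on push; change the entry to `- "nix/container/libvirtd_base.nix"`. The push step also publishes the image with no explicit tag and records no digest, while `bazel/toolchains/container_images.bzl` pins a fixed sha256, so a successful run silently diverges from what Bazel pulls until someone bumps that digest by hand; printing `crane digest ghcr.io/edgelesssys/constellation/libvirtd-base` at the end of the step would make the value easy to pick up. The `contents: read`/`packages: write` scoping and the SHA-pinned checkout action are fine as-is.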
@@ -14,3 +14,8 @@ def containter_image_deps():
 "linux/arm64",
 ],
 )
+ oci_pull(
+ name = "libvirtd_base",
+ digest = "sha256:f5aca956c8d67059725feb4bf8a7d96da71a51efe84288c74a52fcf6855a13bd",
+ image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
+ )
diff --git a/cli/internal/libvirt/BUILD.bazel b/cli/internal/libvirt/BUILD.bazel
index c41fbfb4e..d89676216 100644
--- a/cli/internal/libvirt/BUILD.bazel
+++ b/cli/internal/libvirt/BUILD.bazel
@@ -1,7 +1,4 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
-load("@rules_oci//oci:defs.bzl", "oci_image")
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 
 go_library(
 name = "libvirt",
@@ -17,60 +14,3 @@ go_library(
 "@com_github_spf13_afero//:afero",
 ],
 )
-
-pkg_files(
- name = "etc",
- srcs = [
- "//cli/internal/libvirt/etc:passwd_db",
- ],
- attributes = pkg_attributes(
- group = "root",
- mode = "0644",
- owner = "root",
- ),
- prefix = "etc",
- strip_prefix = strip_prefix.from_pkg(),
-)
-
-pkg_files(
- name = "nvram",
- srcs = [
- "//cli/internal/libvirt/nvram:nvram_vars",
- ],
- prefix = "usr/share/OVMF",
- strip_prefix = strip_prefix.from_pkg(),
-)
-
-pkg_files(
- name = "libvirt_conf",
- srcs = [
- "libvirtd.conf",
- "qemu.conf",
- ],
- prefix = "/etc/libvirt",
-)
-
-pkg_tar(
- name = "start",
- srcs = [
- "start.sh",
- ":etc",
- ":libvirt_conf",
- ":nvram",
- ],
- mode = "0755",
-)
-
-oci_image(
- name = "constellation_libvirt",
- architecture = "amd64",
- entrypoint = ["/start.sh"],
- os = "linux",
- tars = [
- # TODO(malt3): test if libvirt works before merging this change!!!
- "@libvirt_x86_64-linux//:closure.tar",
- "@libvirt_x86_64-linux//:bin-linktree.tar",
- ":start",
- ],
- visibility = ["//visibility:public"],
-)
diff --git a/cli/internal/libvirt/etc/BUILD.bazel b/cli/internal/libvirt/etc/BUILD.bazel
deleted file mode 100644
index 12aeaf34a..000000000
--- a/cli/internal/libvirt/etc/BUILD.bazel
+++ /dev/null
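Review bot: The new `oci_pull` is pinned by digest only, which is the right supply-chain choice, but the hunk gives no hint where that digest comes from or how to refresh it after the build-libvirt-container workflow has pushed a new image. A comment above the rule such as `# Built by .github/workflows/build-libvirt-container.yml from nix/container/libvirtd_base.nix; refresh with: crane digest ghcr.io/edgelesssys/constellation/libvirtd-base` would keep the two in step. The pull immediately above appears to list `platforms` (the `"linux/arm64",` context line) while this one does not; that seems consistent with the x86_64-only build wired up in flake.nix, but stating it in the same comment would save the next reader the guess.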
@@ -1,8 +0,0 @@
-filegroup(
- name = "passwd_db",
- srcs = glob(
- ["**/*"],
- exclude = ["BUILD"],
- ),
- visibility = ["//visibility:public"],
-)
diff --git a/cli/internal/libvirt/etc/group b/cli/internal/libvirt/etc/group
deleted file mode 100644
index 95c817fb1..000000000
--- a/cli/internal/libvirt/etc/group
+++ /dev/null
@@ -1,51 +0,0 @@
-root:x:0:
-bin:x:1:
-daemon:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mem:x:8:
-kmem:x:9:
-wheel:x:10:
-cdrom:x:11:
-mail:x:12:
-man:x:15:
-dialout:x:18:
-floppy:x:19:
-games:x:20:
-tape:x:33:
-video:x:39:
-ftp:x:50:
-lock:x:54:
-audio:x:63:
-users:x:100:
-nobody:x:65534:
-tss:x:59:
-dbus:x:81:
-unbound:x:999:
-utmp:x:22:
-utempter:x:35:
-saslauth:x:76:saslauth
-input:x:104:
-kvm:x:36:qemu
-render:x:105:
-sgx:x:106:
-systemd-journal:x:190:
-systemd-network:x:192:
-systemd-oom:x:997:
-systemd-resolve:x:193:
-polkitd:x:996:
-rtkit:x:172:
-gluster:x:995:
-dnsmasq:x:994:
-rpc:x:32:
-brlapi:x:993:
-rpcuser:x:29:
-qemu:x:107:
-pipewire:x:992:
-geoclue:x:991:
-libvirt:x:990:
-systemd-coredump:x:989:
-systemd-timesync:x:988:
diff --git a/cli/internal/libvirt/etc/passwd b/cli/internal/libvirt/etc/passwd
deleted file mode 100644
index c20d8aad0..000000000
--- a/cli/internal/libvirt/etc/passwd
+++ /dev/null
@@ -1,31 +0,0 @@
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/sbin/nologin
-adm:x:3:4:adm:/var/adm:/sbin/nologin
-lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
-sync:x:5:0:sync:/sbin:/bin/sync
-shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-halt:x:7:0:halt:/sbin:/sbin/halt
-mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
-operator:x:11:0:operator:/root:/sbin/nologin
-games:x:12:100:games:/usr/games:/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
-nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
-tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
-dbus:x:81:81:System message bus:/:/sbin/nologin
-unbound:x:999:999:Unbound DNS resolver:/var/lib/unbound:/sbin/nologin
-saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
-systemd-network:x:192:192:systemd Network Management:/:/usr/sbin/nologin
-systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin
-systemd-resolve:x:193:193:systemd Resolver:/:/usr/sbin/nologin
-polkitd:x:996:996:User for polkitd:/:/sbin/nologin
-rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
-gluster:x:995:995:GlusterFS daemons:/run/gluster:/sbin/nologin
-dnsmasq:x:994:994:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
-rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
-rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
-qemu:x:107:107:qemu user:/:/sbin/nologin
-pipewire:x:993:992:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
-geoclue:x:992:991:User for geoclue:/var/lib/geoclue:/sbin/nologin
-systemd-coredump:x:989:989:systemd Core Dumper:/:/usr/sbin/nologin
-systemd-timesync:x:988:988:systemd Time Synchronization:/:/usr/sbin/nologin
diff --git a/cli/internal/libvirt/libvirtd.conf b/cli/internal/libvirt/libvirtd.conf
deleted file mode 100644
index 0552fd4af..000000000
--- a/cli/internal/libvirt/libvirtd.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-listen_tls = 0
-listen_tcp = 1
-tcp_port = "16599"
-listen_addr = "localhost"
-auth_tcp = "none"
diff --git a/cli/internal/libvirt/nvram/BUILD.bazel b/cli/internal/libvirt/nvram/BUILD.bazel
deleted file mode 100644
index 5731e5674..000000000
--- a/cli/internal/libvirt/nvram/BUILD.bazel
+++ /dev/null
@@ -1,8 +0,0 @@
-filegroup(
- name = "nvram_vars",
- srcs = glob(
- ["**/*.fd"],
- exclude = ["BUILD"],
- ),
- visibility = ["//visibility:public"],
-)
diff --git a/cli/internal/libvirt/nvram/constellation_vars.production.fd b/cli/internal/libvirt/nvram/constellation_vars.production.fd deleted file mode 100644 index 7913e23880761b2f4a16992f8b797e92d3656cae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131072 zcmeI52_RJ4|G@87vkYpik=$%Mu3dZ|HyelihWSvR>aO*k7e@~lRNq|m7NqM4o4B-i=mmNS;AZ`NO0w_uycx$H~H3rn)+^3{!( ze)CqOm?!Mzh5EpIt#Y?>C(NCt_GI6=Dl^KcutLWo?iUAc4YaqFbS%Q@jT+NVz6wt0 zujA9iMJ8dSj1W8+=SOWVBTnJMF z!`+eAv=L13=Eial3F@w7T&i^ANu3dNHTTT1 z&3C!|!s~{P7vKNnApVC=K+b0Ue)scF3^|5ZHMf@DahBcGa%#`t6U~hU9u0jLov$ra zdCgGsj;@F$n^?AifNJq>nAb<Yn#|XG_;^tUIYDw)}OhqC%#RMuT9> zGOffn8cpw-23$*YK5DgpPlfTG7tMb4A%Qhhlr)PYGLr=-&_*muuc!2~k^tH3g3y%{2~3Sbrf`>aBD zFF%Or6rl8x8^eyIykG1-c%sFn9T@|%AB~_*F^`SMD{0|~izf)adfou@BPP zB1@k=zF6LDwZM5oKmDSI@}F9{-(4${$Ps%ud}V^qp-dUGhP>L%?O}TV~a73E^d|9?;&eh$NXKQYN@455F=Gi9(9h96+L=ekazY)8PD3|6=;&%nR=Q zugA2D2#fy8o5$aL(eFy(;k1shA!Mql=;tl89xG&J3LSB=}H~=7Jd^qOL6uTwigyAAOTGBFdJcAl?k+*3>&{wowg{=ks*seKs$A+?ptI zBWYM|-TGk#N`eU{Z6imChP=5Ey5mY<5%<~PXCjGfH=k&|&kXYv3AuLM;GWuyr12uP zb8T-9;!bMj-Kn=PeeowgsaK0^|4NGErf}6*?sm!~B#mreyrVx<@CgYAz~9y;!gJVpLqBq3*umRE5J_UaZsf&c>tN9jhbez~2{B(PP^qlRIg)yfd4{15D zQJy(2t$NM-*x*ek8N!D$q^aB+-=3Gq!)}x{l}d;PEL2M$av<5UX?Ff8yXhKN=~2hF z_SRRNN^$(6uV{)qz=Z;-8xypW3^Gb?Ulw+EW4fZJDhM4{kSsfHYOz*l_b%Oc8te2& z5_yS)qfhq{WOaU--lmVz5-A^=&n7dAMkwa#*0`pwGtJzPJS51n(55$e2DJrt%0sv= zBf*~K`FcFd+u`Y+_U!3yAWwIU?df;}Z3)3KzHW~S9 zsJa3E9!y^ba(0BlXm@ZloHm{|PK~BUXF0g`U3Fp?kBIsuqK-i$JC;+H|17E07(bDm{~Pf??8y}26K zG%i0UGk0{Tb1-*X^)zjYI@PDTtZre|=2DG-$Fa0~2|l%VH4pe3CXJjG<2YR9*j=L? 
z?r&x&ZuNc2yYpPp(1}*+p|uqaibXNftwraC^E0yy*BtjwnxtECAwzo(*8;N!#xVJj zvo+d2=?@TCUnRBw()|9=Xgph&n_?7JUou+eL&%shWJVIO2xb)`b6EeDi6+FTwI@RJ^jt> zev}xu{rZEl3aY%M7B|cs@qQ|q?d0^4lhgjDliM|lYy2w7vW-C(6W?t$Pk9h(v&ZV^ zIJxUBwii~{Z=db#aYbu=;;b9xDTB&z+jb{sj+@~o>Bi|s(FWh;}u524O#$aJ{Y3<0u+cK+T@9^Ike8yBjWB!8ph9Ng7 ziCKdNW~LTB)S+txmK~pY`dAI6^oeA}?voxboOj=|_O!t5cRmemUH|9wRm}~d(SCL( zEM@)FW;SKS+McD{=H-9(HmjsRz4|~F-m0S`%TwP(@C3GyG^M;Y>i*6?8wIQzx~F~o18P- zvEe>hG^>LDadS)3@`K?sR?Ih&O4y#?Un@e%gM0DeHKxuX2aoffDP9tzMiw@4UXuLy z{KxWXn&(Dm+J#EDYTYdqnfbo5Y#-Nht_e@}-SVzs$ZGx_ait|dirc+no!#6~L&l$d zKKjAM8Uw#sm#>yD$&r+bG_=1wcT2=R_dTBKuS#mQM?6&DE)c-eGRQXhT9C>W?jcVv zuOMy77JbQmzc@_AYv$cQpEATreC~$h3fm8Y^ z$H+)E=`JeOPJZl!D;#wYLkLVZ|)8{`D>9aZhx;f4Jy4=&6mCpYr;(q+0ltM|*iA{R9c zo-^d7MdG`CHc@&brKv{>@@7b!D&4(tgRFGo9g&ZVw{GxTv*P@bBbG(n7DD&!wx&Bh z6RP!+zojEGQ0HuU#ZRA84Qd`MA-Qnu-}B@1hu5Bo zy7}zMan;CNTa!VfUwUldy?Ck7w=wVVz3AneRAfz6l^aE-HG0GxSZhNM*tQ^Y!K4g% zvCL<=Hz;`*Zt6IsM_t)q>byp7u)j>amXYw3oi+KXYU+F6AGFF+iD<~=UUYU#VR8MC zDf4TLtc6$EhVM(0+*A;K*<*6z@B?G#uC`d7a5^D!p6<5hF+x?zS3Lu24l)kNM!)C1 z((=&k%I#d0#a2V*>6&LeEqymc=f6~US|IhhU}A)Y?N0jW*6l0b=|w9Jve_1SerD=h ze3P}rPNO9Gv1b)(bk`4_&81zNRK0xGq{-TcjU;_-9?Hw@y%kbN=26OcGc?igBqmfT zwX#}RUD27mXu!@Fmle~~9W))^j$2fsqafrI z)A4!AB~c-^YB836j^R7e46{bjoc4PX<@D7?BRld+RvMX9W?33+netce7!lKV#z;B_ zsxJeziYKOvzWF05y)YlNHAgZNOnr%K+uAwwbsq_oR|*MiU`%(I(ja8I_u`hlH7P-dHMKLd(6eo^qaONXw(hqn*{3n(vojp{r~%9r;h*suI3Nb zj%8~&vuVWak^k7Has6DIM(?T8?bBP(8MaO9F;`Dl{)5NBru7LMY+CP#z^3)ihJEHc zY#QM`|8tv0X7yM5^1z(-(^T2=cinat&bDbi=IVOIZ}<*2txxD+(|Sh)Hm!Fy>@(kC z(}*$b57;ycCvgH!ZJHWe{;pd>KvrVgv>tP@GySG5*t9;ugH7ul5!kfe*|5)ihfPD1 zDSpVNakK8#cYKvoyVf~5gk2Y6O9;tIY`fNDE_SBhv<17?CwQ=Hy(0p<);k;aneVV` z#4Ldy>8o+`{M@*j2D=Vjw;fX%KF8I1%+>XZ-|!vmTA$FtuJw)x>{{<^*k``Ot`YBA zf6T7&{?yo-Cc6$@x1BG9+5NR1b9KGqH+%=X)+cnZYrP`^yVg4!_8AVxhQz!MVvfiU z+BLqP8DAU6u0z)?AtWoY?OKny*qMIQ7VKJ|;K8o-jtJ~p?`+s-IJ9djC_jNS=Gu6d zVg(bulsO(@@;7u!h*@t&7#*93O+j-BZ82lCZ_u%4jlSuld2z;Q=Gt_0Et=lJQGZRL 
z&wJ^!N;E_z8(}t>C7LJK^)8&uza!=c63dzNULRW|y(RjcCR=)x`HRF^UB3T5v@z{( zZ`m(Ei2L+CFOi5z5>s2cucyME=h=1cAcnQe-r2SNqF$eO`lGLtzfmSyS%dY5Vf;un zR8UJWP)qorKQu>@R{}eCq%id9TQ&3SCzEUTxJhoK@JL{?*(!z-fn%;d^@>=>$J#t<1R{Y$R*|tb7U!y4q=Skp!{Jx@4k47>R^JJR~kM>Nt={OF3;f zVsfTjulFHlyP|gOewSe#M_BV3h&yp!CxSqC?i|;NMCnx)w9pPpWMOe)gJCDyT?-$H zL>7?1tc;FV9esCIEJYAYRMb9h)-Ezf&n>}cA^P+zGe>-Ws??l3i-hhN_aJk-HukDJ z9j*HPBsrBSzXzHA`L_RNa}a9tT}s4B-3cAq-)r6fSsnVBwdbVngf6b_q3*vz7ys$H z5$)R4L*3eS`oFYY5kwM20!y7aGkQ*;sZo@T+m)kHCJ#Fw3RK^Y)T?FXR4-njf_k>A zz1pbH{_UHMO-R@&aUZ_mn+1K3J@^UaIQOGhdSLgjex`l`9ZvL$cqX|}tM#l`|C`Sw zLQfXyNA!-{(3&;h*IyIqmF559GuolV+lKqw(_e6ZNrxhfu=vUQLbY=JW7S}Lx ze8oX==C3NyuY4cpSDoc;c z`>$}`cl>^R=)14*J!KNL=j0u&3d)D0PZ~waR8zOYY_n+G#w_hm@68Y!FIMC>7`?j) zMlo|Yq(R=Dac3e1&0xi1F^tfarRal}M($jKo!DoEB#|J59uUnTLTpjuL@uJPL|a?r z%yBfV!t`?vYTXpQ7dPArt+PPf+Z4$Y$Z9_f^K*9cSD~rUaXMP-9Q`v+puJz$`Li?P zradI0Unhbd+V1xt)`nP!?!aKJ7V-7!c*HeCYC<>Yel1!O={{QR{Y?9^ND_>ao$(q* zWdY=crTP`B$xRQ0#RI-tAgSv*c~cB%()eIv)i^#u@##!oS6>e|hBwvD&Ch>6THoE9 zCW0CaCLX{bo2A0S_S)|^$`51MqbWSY3x;21!eV_-srfe zCu_ynuNR=B(}{KR=ybH&swxdvLy1@y39XRSx%=gke!o}Lz7~XC6&;AgR58-hYZ$u{wkB~?R)!n#bWX+QKjB0UL zr3>n55)5y7z1^>v_w5Jx{V^(kbExTVOligQpqK7x^X90YX&X>~ajd&dzy*ndhI7$g z8~?iNxono;6RGwWrDg6g*R<&m^; ztu8AZwOvY8@VayG)8J2MpS`ia6J)6pck$~bUB6iHwTH#xRj(gfsz0syw7|zX+y?P) zqO30ucHZ(xaQULW8Jp#eXKLy-YRrhSS$cB!sr}x5F}PsqCVOp{d5eas_>W9T8hT7P zu2kCo(i!ntuO~krN)fmhXIBlG6T@&zmG#D$B)O>+s6(%TFx5YH!B5l65r2k7oo-IXp<#L9nQ~*Psup!Rv)3%!s$^>wPK(|hcbKDhY{c{x!c6qG z4h!+FkP|;j*eK55EB5U}h_OgM`gHf7zh%7Hz2kv(zJej#7pDPCj{A+oi2r1-b^pi5 zG+q1iX!QK^U~r;WgdVKzfyFNx7yPu!aZ)#;o&QBK&|lKd9pRQAc}>C57?{u#cu(=4 zy*nq^!Fvh>p@&4Uf!KOiz2YE%%HjMTPWudG)|i{KJ_E$4KPxezyZ>D=YVAJbDny+i zM$MW-*4YUqTAb5PD0+Ik`S~9Xg>p2`Ao@BGqyDaT`r(El;#YmeZi(mV-x#CjG$u<7 z!2Y{pvVFJ7_r_0&2?LOT01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f 
z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8(di-7Vd`>h_Ke;B8iyJ4TwhHOyTqvG0%gsBoi|3i9|ewSQuUmySkfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx U0zd!=00AHX1b_e#__+lB5BxLC?*IS* 
diff --git a/cli/internal/libvirt/nvram/constellation_vars.testing.fd b/cli/internal/libvirt/nvram/constellation_vars.testing.fd deleted file mode 100644 index 95ea75dca87677a6a5744c8bc310f536f9ca555a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 131072 zcmeI52|x{9`@rXRZ>v%%k&3IND4K4YkoHZhR#{usO`G;3-UGuJeCX3m^>&hI?)Jm)-f?tx)nFG+GQ+f#!RO?NJn zG31=-$k#E;?8Bp$YC5(!Hl5fh$N z`gHy1Xz%!436(26{NCR;;Ve*FI)Lqry9d7IQFHUgsYMR8ib|Dqnqnf$++W1D78(^&T~RMXiE`^raGx zccL!%+;_p=tpPU#= z*|Yarba>6Kzm3^FKDF-g80M91W-mI~bso9(v{m}sl#6RUw|Z3OUfejpGPCfA|ENPII zUke+Vgpsns@i3el)wP5Wg$>7Wc@A#JSR+#GI~@`qWrT=?g`b;`wY4eL(9Orq-zg9& zgD$FB`aHS|+QB7=3kOm}D8iE)93QodZsiHj(s`YvGycH!P5w>z2;#I9WhgGPr1u10 z>m8~d5;n_hP5goAxe|Gaf=%~1b}Za3m!W3Mo8-feVm zWe-^VWVpJ}fyRUQBCViZn{)@<&p$496t8*RR({8M0_KE5YPmEtC3x9GWUQl2E6GCEWyLu5$(Bs!1u&H&ZO zEo!rx>NW4Iem`ixM%9yhgHP;P!A^BbU-x(V-Vgg`iPx=vaza^f*_#BJ(b;~gO}wp3 zHIm<|w!Ci{d@b4ei1mTJSB>|+cpXq59$c$8R;?r|dn4~e#Ze0~Yikb;J7-v%D|zun zkkgV!x`&MH0|Yff)9D!2mrcmenAc?!xX=?`&;6}UFv0Y}DliOLUxo;*0$7FrKC95v z%MT?Q1!(!ij$vhKA3_|+G_x{C+1F22g__{e?DfdgU+VDkJWf29;~8nm-Mt~<=A%|C z4q(`R3WpGzt+k>ME=V|iE+HO!rvMMSk9(l6kD>rRkT}RG#EDu0-o8Grio zU^BXlzi)u=yg;h1ufLx!@(*-$#UxyvI8PR$^?IIa<3aa#rCK`q2ZmA2oc!mz1^Rh8 zxwuiSP}73ZPEf>EY05NQS&^oW+6gq(j$IXE7mr%__L1KGFE(qy0iXw%MF~x2M(xj(wcZ-{k$YX>swR87{O4!66m{ z9}W0x!r-+lPra#$*_W0s|K!b~)i<~wJS?Z=?8e3K8?|s)rn&w#ZSk397OSYSRc#6n zGTNidpEX>ldTs6LJaK?-@k8m)ZS3!_RS54Ad?>X%$?s6Mgjv&`x=kNMj#nQ$cdfoc zp>E^zQHkWHq*sZJC#HVX6&y4mve0mi*WJgI)yEM0gN3cPA ziN%q-c?-r)&;2;?N|;7%y4$4lW5#BD@^{$wbkCX>ttvuGPO&xB&ON_5_`(a9HOKab zX~l%aEq-K`Q@=T!lfG(jN4p}LWPwPT-~t@navUTIDOznXiGtdlShq%l^C#U4nNzaQ zxevNB^Oo)I@bd=~=HjAV7YMUac!%>~)>shcjOk+9_yAN#68sb*n^>Hm*byR;+9~Wf z8Ew95ZRpRl(tQv)UGV4)^DR=gT$3hBdgkD>h$}`=Y;kLRTBb#&S*(diV4&Yb1qBy> zukqeYT_&2V3V!qH#8Cx5e_z)im%so8q!viWk?JD7MM{fwbuLl{d>s0RtBglUaYqg= zR8V$yP7;Y?gInR2%zd0KR0RpWUM^?YC)uLt8R` zb?S(^Cn+Ne#_}eaw9AeW2!C50vHfyzG5eXYXZ*=)HXU!f?;GjGAAaqa{ypVssp|Z7 
zbL?&oWlw$0xkG1vX2@qQ(N_!X&S%6*WyhV{@p*dWHM;xY)sa!J77Nw!B_>Rci+TE} zs!X>oZ(PjUm7a1lBJ@63OLm;E=}W@WBvoB!mRkqZlXNHp6rguJ{BEk zK4G5%-$~&(-_J?oOVtlPd3>U#_JT~zixiy~V-k}Mv?oQ0x!-)R>)>{duk#pjjDGp~Rec!E@#xLn+a-lf&K|pI@^q1=y-LAj zi=YGfj$}#eJ*&ecZlr6E7#wTkSMWEV3V%etvVX~X$4Sj$Pq!6_&)z0d6nC;gthI2x zwC{wBN2@<1gl#xMA9yHBoXWob-C5y1San59xv)UceC15B!i|nCv+_^co2y=-#T?zz zS6k7D;`mit(G+=ra|NQ+6E#xxvr2DY8tCrk>x!PLP;`8>NX0Qz%QafNcWS>^U8^fg zq$L&{tv!2?kMb*YHhdBnPW$-!%tqhhQ8Ih9YhBaVnr5%tC>Cl}WZRcKL)(M9 zRXZrq!`GjVoE>2>IvkuLuBfg!L0M6m#&B>QyDG#k9u@OjL>-TMb_}O1{Y6xJx{s@G zNC4Hc!^k1uO|@jz$=%~UysdUT_oF8#-=@+_v5{qTC8Za6lyf#qo^vcce3BY->+O}q zmI?X0vh&78IES&fKbopZQK9-hs(3QLW>dLpP(y;^y(GW7yK04j2C1?$;~b^rkKQ%h z?*4X~%ohKroI5IuhflIriKx5UBvTwG-d0>G#qFD8u=SXP!=dv_svw4~|(ML$j z&QfjvtUH(|rAG9?#rwwxJv=^B=DAELo;Y(X_k79a){Y|b^}&eDbaJ}L$!UJq$?Y7&roK|7Vtwd^^U$Hnak_>u_=wxEXGeX`E>otN%kz4yiBd;3J*waBsNk zIGPf}z0F{{GvwaPaZ`LMb04|4DXh7-KJxC>u?c^QSTJpS*m0kN7wS_=CtLCR$Y}}) z1+?XOTr%3BY?hG9KKi+$L9$cWjrIxS_2<7XuahmhEwL)$4tMpi)22MC^E_8HiB(gQ zbA}GdPA`6_MN-6xH=$Vq-=B5-vR1#r|g>L z*mR#PkaLy0;dN{3vV)7K#m_SoP1=?}NF!>j2Yblj)uztj2aj={E?F3-Ode?Byl`W~ z*-uqd)hfqj+ee7EY1}R1pYh>F#eTMBY!e&z-}0%Yk5v0R>T+w4D7*XBwf1wyh^e1> zKJLMVTK#~Tm#$PT+$AC!Z7}`PoXt`D-S>K_yeh5J9Q9CT8&42N>rlIm*Fxnlvx_~w z6i?cmEAW#2eo3Uf%OQ?*sgV`$L%kkOAHtz3w|WryeD4+9RhS(fw5vqy;!#n*#UFeL@P6?J z-8ykpTYUp#mU}$gxx7qI>vMaW@Mf3CE#?T~)g{@u)`%?Te70uMfP#Rdyga9->N{ng z6d9L#^^IKSM>FGe?Ip>Ri)}tXF1@_DB711UV(o-k4of{~hgTR@K3`Be(jqM(qFqlj zX%($tw9%fR!snHy!>5Wy)<&mEgoc>$=9jhdUlqAp`ay2{v zY!+ZumMYVO*Ks}f+_#N%o#_mMku&he2X%E|P>+Y5aSoUIa*T}#m%ckT|Ip$P>!~f$ zY7*vKM~CxM{g!m=7zyPa)#WaW_S>}Lx`m?8b;%70V%L6+&-h>I7^!gSwBzTi-UjpL z33yCb8Dl^TmWg;VNLxlnY-+A|)C403A={RQ>B>7q21Mu1&WpaiWT`gCssj?Q$i*$g zW{bVFOn$%LHbzHQoLW|}XPWTI^4;s#jTBG5!~ZE{%esKo@n_4*tcuw!`R?0q$#iQ2Yp zeAakODLT*2Wazk;9_u(STx|Al-gEd~?6M8=BTbd$n)#6}<#+kfe@QxRkWHK`y)EwVUNGYlb^?O%h8XK3=TC;~u|GC@ogISSuks!`B>2G$F zIxL-z901W5>3kW+a0k8pkwgbcXgxh3tC?%Bo&LrOOn|#`qMkM8hPj})gFo8pV7}-R 
zh$8Dgm=o$Vd7)#(RjlMM(wRSRQ*gPg-$va`{{_!y=_O|9qPzo8p1znjW`_Q{GV=U3 z_Kz8Mt`Fm3cL5J~Bc`Jt@^l9^!YPh8vH!J)tV2&1&3NMLg~#Z@EF*%eqn=6>l+c+w7%Ie&-{Q* zBfRH-Zqvw&_G*6~nALWg5>x)}+pf%+Hm%oG-LLoq-@&H!3mt4)--y7b_05KP<_ByV z(TDvBn?_+JPQa>7Q)bHFeM<<)SeQ1g*Hp|ze`pIftzYn9)A~jPHmz?q%rie=)6igw zpR#G}jC=JTUuD&VCx^_zrfhU+7@h`bGqHt#3BWGe2P0h3i6S%&W0t{1}0_FAv0x?k}JzJp!s7dqIrz7c_4>zfVp42yk3Vq6C?M&u{$ z8rQFkuT5Z{`Fz!LId<2<%$lY?x7N4N%U8m@Q_7#>sWR3oGOAi1C5MbS8b5#|}wvg?^{WlpZDiYGJJ`KYky@@f~k( znJ++y`}999k%&nWLtA>zr@|cP*?sIFhIPo^)wKPpTwitup|4ZElP8*4gYm&IZloIW zs3z#BCj8I`jgjOO#wyE-BA&iew#aRqQoGkpWGjV37#o=@Zy+2@)?ezAaPaj!DaFO@ z6g1|v|MC%a)m!;&&^^7;m`GnV_B0TsVYO^Ty%4X>d-AeGqb{9LPV*QeM7=RnwC97l zqm*tw2pdCx`{TxgQWLe;Gw<$sxwBXY%yF#si}zFZv<@&TyRLR?#hm52c1SLNq@n)k zLyToLV8~6#$(p_p<86ocBBL(K%?CYQ9W>cUyx1jeGEpFmL_#4R5*ryc97v=ktkxSb zI8(CE`w*jDQN8xO%ZSb+jByRbomejuL7*phmdiw<^eGFPXa_CifkMOv!;W{j7A_Kr z%p;6h8y>4U^8Sio8ZVYCqj}7%Lu8hoTY}GgwDvADOMHH*)T}&s_z@H=jv_ zp3FahXdSnsIct8by~f`s%m2k^v{Q+!k=+`ET{%6_KV;V_iy6y3v`_*(|=>Xuei^8_{aUoPip2j=AY%h@4|l%gKrAK z>hl!eOBsGsTj^)&>4)Md|F-@;5#Q`Brq+9Wv*UN{oambGEku0N2dzDQ12fMKuSR$t zqM1%b@lAacXER3MrlD_UXrGGa$JRzsVm~%y)A|31&E$EgSf7n3cRk0V{e(@F0d<^(Fh)@m>;&of5uSqu<}R6HJJC z2Kvgkg9#0#AfZ*hiwI${h+nGvqb>2vbt)YONS5@ng=Tv{)-f%Tuy*Q@#`-J1 zuh|tmBiL6Sth};V+~AuDl9qLwY)DUEQ5+ve%o@kVD`f8L@9OX2M)#rGy9ET!L-V`) zDDtDr(OFJj4jo??k09@^nPGVc>$|$UdAS7yP_4rP(0m91R6}oPBSjfpnlT9-?{HmT zA9UQyi!oy?)dppWrkm}YeU3&WCdos8)oDs-&UjUvm@S@$fOhTTQU4M-`^lvS@R*ISNxreI16rR7taE4SJ$sy3PV*gWygmCSn2YwH>=P1Cm& z#x=JrKbT`9cxD(?w&>bXtIq+7+PR{OgvWop!e(cAetcu2?Ue}=kIcJxDAg+G?Srr| zpAF~LH;A1{qC5UAe5z%stkuwEHjl@wO(h#Q)TA3dq%Nsdm+;qKbeLSAZ5nG;RbH6e zTA0?l%(sM2~_A*U87hS_K(QYn# z**x>GWYzeGJH|D%2W&qOa(x@;?Y*lS;$LE($wjWYrg{qk8$9ZdSFC9qXLc^1U$sSA zBBD$wU2OO6jR7A9?0c8(X0XWLyu4t>&V8*1g=amFAHv~otiR|^_&Rro+7U8-JLfv( z#LJCIX!r}So>+OLgttxk^Y#jBdgI>lN>cJXc58!LuD;VB@4uzyhV}K}>+2qf+>rbD zwyh+1{f3tP`vMJO4_&y}=DaJPvl(;S#g|Q!xtQ%HG(qbVeTcyGX$7ZuJjgTSB<(tK zaUR$5;{0v5D+*;&s;(rvR|pf)*BmUwdqP%xC}E#if2Y{L{~-Dy`DpFwJO4;uvuC3N>w5h{xGq+Mmn^p# 
ziQfK+KFj`(_h-7dsbj7ezFU0fo zZ;Vf~8jmG9VEf00e*l5C8%|00;m9AOHk_01yBI zKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBI zKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBI zKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBI zKmZ5;0U!VbfB+Bx0zlx85|A4+eTzrLBIC>|H|%qU*gE;W@~&-2q8fhmpVFh{j|vAj z2LeC<2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# z00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e# c00KY&2mk>f00e*l5C8%|00;nqUq;~n0EU{`I{*Lx diff --git a/cli/internal/libvirt/qemu.conf b/cli/internal/libvirt/qemu.conf deleted file mode 100644 index f376e82f4..000000000 --- a/cli/internal/libvirt/qemu.conf +++ /dev/null @@ -1 +0,0 @@ -cgroup_controllers = [] diff --git a/cli/internal/libvirt/start.sh b/cli/internal/libvirt/start.sh deleted file mode 100755 index 6e84e0c39..000000000 --- a/cli/internal/libvirt/start.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail -shopt -s inherit_errexit - -# ensure library cache is up to date -ldconfig - -chown -R tss:root /var/lib/swtpm-localca - -# Assign qemu the GID of the host system's 'kvm' group to avoid permission issues for environments defaulting to 660 for /dev/kvm (e.g. Debian-based distros) -KVM_HOST_GID="$(stat -c '%g' /dev/kvm)" -groupadd -o -g "${KVM_HOST_GID}" host-kvm -usermod -a -G host-kvm qemu - -# Start libvirt daemon -libvirtd --daemon --listen -virtlogd --daemon - -sleep infinity diff --git a/dev-docs/workflows/qemu.md b/dev-docs/workflows/qemu.md index d3dac6fbf..3f294cc8b 100644 --- a/dev-docs/workflows/qemu.md 
+++ b/dev-docs/workflows/qemu.md
@@ -11,7 +11,7 @@ You may either use [your local libvirt setup](#local-libvirt-setup) if it meets
 ## Containerized libvirt
 Constellation will automatically deploy a containerized libvirt instance, if no connection URI is defined in the Constellation config file.
-Follow the steps in our [libvirt readme](../../cli/internal/libvirt/README.md) if you wish to build your own image.
+Follow the steps in our [libvirt readme](../../nix/container/README.md) if you wish to build your own image.
 ## Local libvirt setup
diff --git a/flake.nix b/flake.nix
index 20d68570d..681ea120e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,6 +49,8 @@ packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ packages.awscli2 = pkgsUnstable.awscli2; packages.bazel_6 = pkgsUnstable.bazel_6;
diff --git a/cli/internal/libvirt/README.md b/nix/container/README.md
similarity index 72%
rename from cli/internal/libvirt/README.md
rename to nix/container/README.md
index 8eaf8a541..cbbc61f7d 100644
--- a/cli/internal/libvirt/README.md
+++ b/nix/container/README.md
@@ -11,14 +11,19 @@ Connecting to the libvirt daemon running in the container and manage the deploym
 virsh -c "qemu+tcp://localhost:16599/system"
 ```
-## Docker image
+## Container image
-Build the image:
+Update the base image (`ghcr.io/edgelesssys/constellation/libvirtd-base`):
+
+```shell
+nix build .#libvirtd_base
+cat result | gunzip > libvirtd_base.tar
+crane push libvirtd_base.tar ghcr.io/edgelesssys/constellation/libvirtd-base
+```
+
+Push the final image to your own registry (`ghcr.io//constellation/libvirtd`):
 ```shell
-bazel build //cli/internal/libvirt:constellation_libvirt
-bazel build //bazel/release:libvirt_sum
-bazel build //bazel/release:libvirt_tar
 bazel run //bazel/release:libvirt_push
 ```
diff --git a/nix/container/libvirtd_base.nix b/nix/container/libvirtd_base.nix
new file mode 100644
index 000000000..5ebaf3e91
--- /dev/null
+++ b/nix/container/libvirtd_base.nix
@@ -0,0 +1,139 @@
+{ pkgs
+, pkgsLinux
+, stdenv
+}:
+let
+ passwd = pkgs.writeTextDir "etc/passwd" ''
+ root:x:0:0:root:/root:/bin/sh
+ bin:x:1:1:bin:/bin:/sbin/nologin
+ daemon:x:2:2:daemon:/sbin:/sbin/nologin
+ adm:x:3:4:adm:/var/adm:/sbin/nologin
+ lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+ sync:x:5:0:sync:/sbin:/bin/sync
+ shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+ halt:x:7:0:halt:/sbin:/sbin/halt
+ nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
+ tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
+ saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
+ polkitd:x:996:996:User for polkitd:/:/sbin/nologin
+ dnsmasq:x:994:994:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
+ rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+ rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+ qemu:x:107:107:qemu user:/:/sbin/nologin
+ '';
+ group = pkgs.writeTextDir "etc/group" ''
+ root:x:0:
+ bin:x:1:
+ daemon:x:2:
+ sys:x:3:
+ adm:x:4:
+ tty:x:5:
+ disk:x:6:
+ lp:x:7:
+ mem:x:8:
+ kmem:x:9:
+ wheel:x:10:
+ lock:x:54:
+ users:x:100:
+ nobody:x:65534:
+ tss:x:59:
+ utmp:x:22:
+ utempter:x:35:
+ saslauth:x:76:saslauth
+ input:x:104:
+ kvm:x:36:qemu
+ sgx:x:106:
+ polkitd:x:996:
+ dnsmasq:x:994:
+ rpc:x:32:
+ rpcuser:x:29:
+ qemu:x:107:
+ libvirt:x:990:
+ '';
+ libvirtdConf = pkgs.writeTextDir "etc/libvirt/libvirtd.conf" ''
+ listen_tls = 0
+ listen_tcp = 1
+ tcp_port = "16599"
+ listen_addr = "localhost"
+ auth_tcp = "none"
+ '';
+ qemuConf = pkgs.writeTextDir "var/lib/libvirt/qemu.conf" ''
+ cgroup_controllers = []
+ '';
+ startScript = pkgsLinux.writeShellApplication {
+ name = "start.sh";
+ runtimeInputs = with pkgsLinux; [
+ shadow
+ coreutils
+ libvirt
+ qemu
+ swtpm
+ ];
+ text = ''
+ set -euo pipefail
+ shopt -s inherit_errexit
+
+ # Assign qemu the GID of the host system's 'kvm' group to avoid permission issues for environments defaulting to 660 for /dev/kvm (e.g. 
Debian-based distros)
+ KVM_HOST_GID="$(stat -c '%g' /dev/kvm)"
+
+ groupadd -o -g "''${KVM_HOST_GID}" host-kvm || true
+ usermod -a -G host-kvm qemu || true
+
+ # Start libvirt daemon
+ libvirtd -f /etc/libvirt/libvirtd.conf --daemon --listen
+ virtlogd --daemon
+
+ sleep infinity
+ '';
+ };
+ ovmf = stdenv.mkDerivation {
+ name = "OVMF";
+ postInstall = ''
+ mkdir -p $out/usr/share/
+ ln -s ${pkgsLinux.OVMFFull.fd}/FV $out/usr/share/OVMF
+ '';
+ propagatedBuildInputs = with pkgsLinux; [
+ OVMF
+ ];
+ dontUnpack = true;
+ };
+in
+pkgs.dockerTools.buildImage {
+ name = "ghcr.io/edgelesssys/constellation/libvirtd-base";
+ copyToRoot = with pkgsLinux.dockerTools; [
+ passwd
+ group
+ libvirtdConf
+ qemuConf
+ ovmf
+ startScript
+ usrBinEnv
+ caCertificates
+ pkgsLinux.busybox
+ ];
+ config = {
+ Cmd = [ "/bin/start.sh" ];
+ };
+ runAsRoot = ''
+ #!${pkgs.runtimeShell}
+ mkdir -p /tmp
+ mkdir -p /run
+ mkdir -p /var/lock
+ mkdir -p /var/log/libvirt
+ mkdir -p /var/lib/swtpm-localca
+ mkdir -p /var/lib/libvirt/boot
+ mkdir -p /var/lib/libvirt/dnsmasq
+ mkdir -p /var/lib/libvirt/filesystems
+ mkdir -p /var/lib/libvirt/images
+ mkdir -p /var/lib/libvirt/libxl
+ mkdir -p /var/lib/libvirt/lxc
+ mkdir -p /var/lib/libvirt/network
+ mkdir -p /var/lib/libvirt/qemu
+ mkdir -p /var/lib/libvirt/swtpm
+
+ chmod 1777 /tmp
+ chown -R tss:root /var/lib/swtpm-localca
+ chown -R qemu:qemu /var/lib/libvirt/qemu
+ chown -R root:libvirt /var/log/libvirt/
+ '';
+}
diff --git a/terraform/infrastructure/qemu/variables.tf b/terraform/infrastructure/qemu/variables.tf
index 80b293352..bd5b79afa 100644
--- a/terraform/infrastructure/qemu/variables.tf
+++ b/terraform/infrastructure/qemu/variables.tf
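Review bot: `qemuConf` is written to `var/lib/libvirt/qemu.conf`, but the image it replaces installed `qemu.conf` next to `libvirtd.conf` under `/etc/libvirt` (see the removed `libvirt_conf` pkg_files in cli/internal/libvirt/BUILD.bazel), which is where libvirt's QEMU driver reads its configuration by default, so `cgroup_controllers = []` is very likely no longer applied; change the line to `qemuConf = pkgs.writeTextDir "etc/libvirt/qemu.conf" ''`. The `|| true` appended to `groupadd` and `usermod` is new compared to the deleted start.sh and turns a failed GID mapping into a later, harder-to-diagnose /dev/kvm permission error, so either drop it or add a comment naming the failure it is meant to tolerate (presumably a pre-existing group with that GID). `listen_tcp = 1` with `auth_tcp = "none"` is carried over unchanged; since it is only defensible because of `listen_addr = "localhost"` and the container's network isolation, a comment on that line stating the assumption would protect the next person who edits the bind address.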
@@ -67,7 +67,7 @@ variable "image_format" {
 }
 variable "firmware" {
 type = string
- default = "/usr/share/OVMF/OVMF_CODE.secboot.fd"
+ default = "/usr/share/OVMF/OVMF_CODE.fd"
 description = "path to UEFI firmware file. Use \"OVMF_CODE_4M.ms.fd\" on Ubuntu and \"OVMF_CODE.fd\" or \"OVMF_CODE.secboot.fd\" on Fedora."
 }
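Review bot: Switching the default from `OVMF_CODE.secboot.fd` to `OVMF_CODE.fd` changes the firmware used by every QEMU deployment that relies on the default, and nothing in the hunk or the commit message records why the Secure Boot build is no longer the default. If the reason is that the new libvirtd base image exposes the OVMF firmware directory via the `/usr/share/OVMF` symlink in nix/container/libvirtd_base.nix and that layout is what ships `OVMF_CODE.fd`, a sentence in `description` would preserve that, e.g. `description = "path to UEFI firmware file. The containerized libvirt image ships OVMF under /usr/share/OVMF. Use ..."`. The description still names `OVMF_CODE.secboot.fd` as a valid choice on Fedora, so the variable itself stays usable for callers who want that build.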