WIP: scripts to build FCOS images

Author: travier

examples/.gitignore

@@ -1,9 +1,13 @@
 test.img
 backups
-bootc-bls/bootc
+bootc-bls/extra-fcos/usr/bin/bootc
+bootc-bls/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+bootc-bls/extra/usr/bin/bootc
 bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
 bootc-uki/VARS_CUSTOM.secboot.qcow2.template
-bootc-uki/bootc
+bootc-uki/extra-fcos/usr/bin/bootc
+bootc-uki/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+bootc-uki/extra/usr/bin/bootc
 bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
 bootc-uki/secureboot/
 systemd-bootx64.efi

examples/bootc-bls/Containerfile

@@ -1,6 +1,5 @@
 FROM quay.io/fedora/fedora-bootc:42
-COPY extra /
-COPY bootc /usr/bin
+COPY . /
 
 RUN passwd -d root
 

examples/bootc-bls/build

@@ -4,12 +4,18 @@ set -eux
 
 cd "${0%/*}"
 
+FROM="${FROM:-quay.io/fedora/fedora-bootc:42}"
+TAG="${TAG:-quay.io/fedora/fedora-bootc-bls:42}"
+EXTRA="${EXTRA:-extra}"
+
 # cargo build --release --features=composefs-backend
 
-cp ../../target/release/bootc .
-cp ../../target/release/bootc-initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/
+mkdir -p "${EXTRA}/usr/bin/"
+cp ../../target/release/bootc "${EXTRA}/usr/bin/"
+cp ../../target/release/bootc-initramfs-setup "${EXTRA}/usr/lib/dracut/modules.d/37bootc/"
 
 podman build \
-    -t quay.io/fedora/fedora-bootc-bls:42 \
+    --from "${FROM}" \
+    -t "${TAG}" \
     -f Containerfile \
-    .
+    "${EXTRA}"

examples/bootc-bls/build-fcos

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export FROM="${IMAGE:-quay.io/fedora/fedora-coreos:stable}"
+export TAG="${IMAGE:-quay.io/fedora/fedora-coreos-bls:stable}"
+export EXTRA="extra-fcos"
+exec ./build

examples/bootc-bls/extra-fcos/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -0,0 +1,3 @@
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "

examples/bootc-bls/extra-fcos/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    if [[ $IN_KDUMP == 1 ]]; then
+        return 1
+    fi
+}
+
+depends() {
+    echo systemd network ignition coreos-live
+}
+
+install_ignition_unit() {
+    local unit="$1"; shift
+    local target="${1:-ignition-complete.target}"; shift
+    local instantiated="${1:-$unit}"; shift
+    inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit"
+    # note we `|| exit 1` here so we error out if e.g. the units are missing
+    # see https://github.com/coreos/fedora-coreos-config/issues/799
+    systemctl -q --root="$initdir" add-requires "$target" "$instantiated" || exit 1
+}
+
+install() {
+    inst_multiple \
+        basename \
+        diff \
+        lsblk \
+        sed \
+        grep \
+        uname
+
+
+    # In some cases we had to vendor gdisk in Ignition.
+    # If this is the case here use that one.
+    # See https://issues.redhat.com/browse/RHEL-56080
+    if [ -f /usr/libexec/ignition-sgdisk ]; then
+        inst /usr/libexec/ignition-sgdisk /usr/sbin/sgdisk
+    else
+        inst sgdisk
+    fi
+
+    # For IBM SecureExecution
+    if [[ $(uname -m) = s390x ]]; then
+        inst_multiple \
+            gpg \
+            gpg-agent
+    fi
+
+    inst_simple "$moddir/coreos-diskful-generator" \
+        "$systemdutildir/system-generators/coreos-diskful-generator"
+
+    inst_script "$moddir/coreos-gpt-setup.sh" \
+        "/usr/sbin/coreos-gpt-setup"
+
+    # This has to work only on diskful systems during firstboot.
+    # coreos-diskful-generator will create a symlink
+    inst_simple "$moddir/80-coreos-boot-disk.rules" \
+        "/usr/lib/coreos/80-coreos-boot-disk.rules"
+
+    inst_script "$moddir/coreos-disk-contains-fs.sh" \
+        "/usr/lib/udev/coreos-disk-contains-fs"
+
+    inst_script "$moddir/coreos-ignition-setup-user.sh" \
+        "/usr/sbin/coreos-ignition-setup-user"
+
+    inst_script "$moddir/coreos-post-ignition-checks.sh" \
+        "/usr/sbin/coreos-post-ignition-checks"
+
+    install_ignition_unit coreos-post-ignition-checks.service
+
+    # For consistency tear down the network and persist multipath between the initramfs and
+    # real root. See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763
+    inst_script "$moddir/coreos-teardown-initramfs.sh" \
+        "/usr/sbin/coreos-teardown-initramfs"
+    install_ignition_unit coreos-teardown-initramfs.service
+
+    # units only started when we have a boot disk
+    # path generated by systemd-escape --path /dev/disk/by-label/root
+    install_ignition_unit coreos-gpt-setup.service ignition-diskful.target
+
+    # dracut inst_script doesn't allow overwrites and we are replacing
+    # the default script placed by Ignition
+    binpath="/usr/sbin/ignition-kargs-helper"
+    cp "$moddir/coreos-kargs.sh" "$initdir$binpath"
+    install_ignition_unit coreos-kargs-reboot.service
+
+    install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target
+    install_ignition_unit coreos-unique-boot.service ignition-diskful.target
+    install_ignition_unit coreos-ignition-setup-user.service
+
+    # IBM Secure Execution. Ignition config for reencryption of / and /boot
+    inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
+    inst_simple "$moddir/coreos-secex-ignition-prepare.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-prepare.service"
+    inst_script "$moddir/coreos-secex-ignition-prepare.sh" \
+        "/usr/sbin/coreos-secex-ignition-prepare"
+
+    inst_multiple jq blkid
+    inst_script "$moddir/coreos-rootflags.sh" \
+        "/usr/sbin/coreos-rootflags"
+    # Install unit, but don't enable it. Will be pulled in by diskful generator.
+    inst_simple "$moddir/coreos-rootflags.service" "$systemdsystemunitdir/coreos-rootflags.service"
+}

examples/bootc-bls/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service

@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

examples/bootc-bls/extra-fcos/usr/lib/dracut/modules.d/37bootc/module-setup.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+    inst \
+        "${moddir}/bootc-initramfs-setup.service" \
+        "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}

examples/bootc-bls/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/coreos-check-rootfs-size

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# See also ignition-ostree-check-rootfs-size.service
+# https://github.com/coreos/fedora-coreos-tracker/issues/586#issuecomment-777220000
+
+# /sysroot is the mounted deploy root, /sysroot/sysroot is the physical root filesystem
+srcdev=$(findmnt -nvr -o SOURCE /sysroot/sysroot | tail -n1)
+size=$(lsblk --nodeps --noheadings --bytes -o SIZE "${srcdev}")
+
+MINIMUM_GB=8
+MINIMUM_BYTES=$((1024 * 1024 * 1024 * MINIMUM_GB))
+
+MOTD_DROPIN=/etc/motd.d/60-coreos-rootfs-size.motd
+
+YELLOW=$(echo -e '\033[0;33m')
+RESET=$(echo -e '\033[0m')
+
+if [ "${size}" -lt "${MINIMUM_BYTES}" ]; then
+    mkdir -p "/sysroot/$(dirname "${MOTD_DROPIN}")"
+    cat > "/sysroot/${MOTD_DROPIN}" <<EOF
+${YELLOW}
+############################################################################
+WARNING: The root filesystem is too small. It is strongly recommended to
+allocate at least ${MINIMUM_GB} GiB of space to allow for upgrades. From June 2021, this
+condition will trigger a failure in some cases. For more information, see:
+https://docs.fedoraproject.org/en-US/fedora-coreos/storage/
+
+You may delete this warning using:
+sudo rm ${MOTD_DROPIN}
+############################################################################
+${RESET}
+EOF
+
+    # And also write it on stdout for the journal and console
+    cat "/sysroot/${MOTD_DROPIN}"
+    coreos-relabel "${MOTD_DROPIN}"
+fi

examples/bootc-bls/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/coreos-relabel

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+err() {
+    echo "$@" >&2
+}
+
+fatal() {
+    err "$@"
+    exit 1
+}
+
+if [ $# -eq 0 ]; then
+    err "Usage: $0 [PATTERN...]"
+    err " e.g.: $0 /etc/passwd '/etc/group*'"
+fi
+
+if [ ! -f /sysroot/etc/selinux/config ]; then
+    exit 0
+fi
+
+source /sysroot/etc/selinux/config
+
+if [ -z "${SELINUXTYPE:-}" ]; then
+    fatal "Couldn't find SELINUXTYPE in /sysroot/etc/selinux/config"
+fi
+
+file_contexts="/sysroot/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts"
+
+prefixed_patterns=()
+while [ $# -ne 0 ]; do
+    pattern=$1; shift
+    prefixed_patterns+=("/sysroot/$pattern")
+done
+setfiles -vFi0 -r /sysroot "$file_contexts" "${prefixed_patterns[@]}"