From 1c35326f5db90226393a726b28ad71289c6f7ef9 Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Mon, 24 Nov 2025 14:08:45 +0100
Subject: [PATCH 1/2] Usa cosa instead of osbuild to build the qcow2 image
Signed-off-by: Alice Frosi
---
 coreos/justfile | 55 +++++++++++++++++++++++++++++++++++--------------
 1 file changed, 40 insertions(+), 15 deletions(-)
diff --git a/coreos/justfile b/coreos/justfile
index 281abd3..ef8c606 100644
--- a/coreos/justfile
+++ b/coreos/justfile
@@ -12,27 +12,52 @@ scos_os:= "rhcos"
 fcos_label:= "fedora-coreos"
 scos_label:= "centos-stream-coreos"
+fcos_config:= "https://github.com/coreos/fedora-coreos-config"
+scos_config:= "https://github.com/coreos/rhel-coreos-config.git"
+
 base := if os == "scos" { scos_base_img } else { fcos_base_img }
 image := if os == "scos" { scos_img } else { fcos_img }
 os_name := if os == "scos" { scos_os } else { fcos_os }
 label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
+config := if os == "scos" { scos_config } else { fcos_config }
+
 build:
- sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
+ podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
 oci-archive:
- sudo skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
-
-osbuild-qemu:
- #!/bin/bash
- set -xeuo pipefail
-
- TMPDIR=$(mktemp -d)
- git clone --depth 1 https://github.com/coreos/custom-coreos-disk-images ${TMPDIR}
-
- sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform qemu \
- --ociarchive {{archive}} \
- --osname {{os_name}}
- rm -rf "$TMPDIR"
- sudo chown $USER:$USER {{os}}-qemu.x86_64.qcow2
+ skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
+
+# Reusable cosa function definition
+cosa_function := '''
+ #!/usr/bin/env bash
+ cosa() {
+ env | grep COREOS_ASSEMBLER || true
+
+ # Default container image
+ COREOS_ASSEMBLER_CONTAINER_LATEST="quay.io/coreos-assembler/coreos-assembler:latest"
+ podman pull $COREOS_ASSEMBLER_CONTAINER_LATEST
+
+ set -x
+ podman run --rm -ti --security-opt=label=disable --privileged \
+ -v=${PWD}:/srv/ --device=/dev/kvm --device=/dev/fuse \
+ --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa \
+ ${COREOS_ASSEMBLER_CONFIG_GIT:+-v=$COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \
+ ${COREOS_ASSEMBLER_GIT:+-v=$COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro} \
+
${COREOS_ASSEMBLER_ADD_CERTS:+-v=/etc/pki/ca-trust:/etc/pki/ca-trust:ro} \
+ ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \
+ ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@"
+ set +xe
+ }
+'''
+
+build-qemu:
+ #!/usr/bin/env bash
+ {{cosa_function}}
+ mkdir -p cache
+ cp {{archive}} cache/{{archive}}
+ cd cache
+ cosa init --force {{config}}
+ cosa import oci-archive:/srv/{{archive}}
+ cosa osbuild qemu
From 41edce24e94e4ef6e51e3eff7fa83b81c4a4a186 Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Wed, 8 Oct 2025 14:46:31 +0200
Subject: [PATCH 2/2] Build kubevirt container disk
Build the container disk out of the fedora coreos with the clevis pin for Trustee support.
Signed-off-by: Alice Frosi
---
 configs/remote-ign/pin-trustee.bu | 2 +-
 containerfiles/trustee.container | 2 +-
 coreos/Containerfile | 4 ++--
 coreos/Containerfile.cd | 4 ++++
 coreos/justfile | 26 +++++++++++++++++++-------
 scripts/populate-local-kbs.sh | 1 -
 6 files changed, 27 insertions(+), 12 deletions(-)
 create mode 100644 coreos/Containerfile.cd
diff --git a/configs/remote-ign/pin-trustee.bu b/configs/remote-ign/pin-trustee.bu
index aec58d0..68df519 100644
--- a/configs/remote-ign/pin-trustee.bu
+++ b/configs/remote-ign/pin-trustee.bu
@@ -1,5 +1,5 @@
 variant: fcos
-version: 1.7.0-experimental
+version: 1.6.0
 storage:
 luks:
 - name: root
diff --git a/containerfiles/trustee.container b/containerfiles/trustee.container
index 5438da6..c62851b 100644
--- a/containerfiles/trustee.container
+++ b/containerfiles/trustee.container
@@ -11,7 +11,7 @@ RUN dnf install -y perl clang make git \
 && dnf clean all
 RUN cd /usr/src/ && \
- git clone https://github.com/trusted-execution-clusters/trustee.git && \
+ git clone https://github.com/confidential-containers/trustee.git && \
 cd trustee && git checkout ${COMMIT}
 RUN cd /usr/src/trustee/kbs && \
diff --git a/coreos/Containerfile b/coreos/Containerfile
index 3c31701..c392a03 100644
--- a/coreos/Containerfile
+++ b/coreos/Containerfile
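Review bot: `cosa init --force {{config}}` in the new `build-qemu` recipe clones whatever the default branch of `fcos_config`/`scos_config` points at when the recipe runs, so the manifest and overlays that end up in the disk image are unpinned and can differ between two builds of the same `{{archive}}`. `cosa init` accepts a `--branch` (and, as far as I recall, `--commit`) option, so pin it as `cosa init --force --branch <ref> {{config}}`, or at least record the intended ref in a comment next to the `config :=` assignment. Separately, the `cosa()` helper ends with `set +xe` although `-e` was never turned on, so a failing `cosa init` does not stop the recipe before `cosa import` and `cosa osbuild` run; a `set -euo pipefail` on the line after `#!/usr/bin/env bash` in `build-qemu` would cover `cp`, `cd cache` and the three cosa calls.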
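Review bot: with the clone now pointing at `confidential-containers/trustee`, the only thing fixing which source gets built is `git checkout ${COMMIT}` on the unchanged next line, and the `ARG COMMIT` that feeds it is outside this hunk; if COMMIT is empty or unset that checkout is a silent no-op and the KBS is built from the upstream default branch head. Change the line to `cd trustee && git checkout "${COMMIT:?COMMIT must be set}"` so an unset pin fails the build, and confirm the pinned value is a full commit hash that exists in the upstream repository rather than a fork-only hash or a branch name, since the repository it refers to just changed.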
@@ -1,7 +1,7 @@
 ARG BASE
-FROM quay.io/trusted-execution-clusters/trustee-attester:2025-11-12 as kbc
+FROM quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a as kbc
 FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis
-FROM quay.io/trusted-execution-clusters/ignition:attestation as ignition
+FROM ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6 as ignition
 FROM $BASE
 COPY ./usr /usr
diff --git a/coreos/Containerfile.cd b/coreos/Containerfile.cd
new file mode 100644
index 0000000..3234751
--- /dev/null
+++ b/coreos/Containerfile.cd
@@ -0,0 +1,4 @@
+FROM scratch
+ARG IMAGE
+
+COPY $IMAGE /disk/disk.img
diff --git a/coreos/justfile b/coreos/justfile
index ef8c606..e41c934 100644
--- a/coreos/justfile
+++ b/coreos/justfile
@@ -22,12 +22,13 @@ label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
 config := if os == "scos" { scos_config } else { fcos_config }
+full_name := if os == "scos" { "centos-stream-coreos" } else { "fedora-coreos" }
 build:
- podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
+ sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
 oci-archive:
- skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
+ sudo skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
 # Reusable cosa function definition
 cosa_function := '''
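Review bot: the new `trustee-attester:fedora-b13fd8a` and `ignition:20260112-85608d6` references are tags, which the registry owner can repoint at any time, and these two stages supply the attestation client and the Ignition binary that are copied into the measured root image. Pin them by digest (`ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6@sha256:…`, likewise for the attester) so a later tag move cannot silently change what the TPM ends up measuring, and add a one-line comment above each `FROM` recording the upstream commit the digest was built from. The unchanged `clevis-pin-trustee` stage has no tag at all and therefore resolves to `latest`, which deserves the same treatment; the move of the ignition image from quay.io to ghcr.io is also worth a sentence in the commit message if it is intentional.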
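Review bot: `full_name` carries exactly the two values that `label` already selects from (`fcos_label:= "fedora-coreos"` and `scos_label:= "centos-stream-coreos"` in the first patch of this series), and nothing in the visible hunks reads it, so it is a second source of truth for the same string; use `{{label}}` where it was meant to be used, or drop the line. This hunk also restores the `sudo` on `podman build` and `skopeo copy` that PATCH 1/2 removed on the same lines, which leaves an intermediate commit where those recipes run unprivileged and then switch back; squashing the two patches avoids the back-and-forth.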
@@ -37,10 +38,11 @@ cosa_function := '''
 # Default container image
 COREOS_ASSEMBLER_CONTAINER_LATEST="quay.io/coreos-assembler/coreos-assembler:latest"
- podman pull $COREOS_ASSEMBLER_CONTAINER_LATEST
+ sudo podman pull $COREOS_ASSEMBLER_CONTAINER_LATEST
- set -x
- podman run --rm -ti --security-opt=label=disable --privileged \
+ set -ex
+ sudo podman run --rm -ti --security-opt=label=disable --privileged -u 0 \
+ --network host \
 -v=${PWD}:/srv/ --device=/dev/kvm --device=/dev/fuse \
 --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa \
 ${COREOS_ASSEMBLER_CONFIG_GIT:+-v=$COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \
@@ -48,11 +50,10 @@ cosa_function := '''
 ${COREOS_ASSEMBLER_ADD_CERTS:+-v=/etc/pki/ca-trust:/etc/pki/ca-trust:ro} \
 ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \
 ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@"
- set +xe
 }
 '''
-build-qemu:
+init:
 #!/usr/bin/env bash
 {{cosa_function}}
 mkdir -p cache
@@ -60,4 +61,15 @@ build-qemu:
 cd cache
 cosa init --force {{config}}
 cosa import oci-archive:/srv/{{archive}}
+
+build-qemu:
+ #!/usr/bin/env bash
+ {{cosa_function}}
+ cd cache
 cosa osbuild qemu
+
+kubevirt:
+ #!/usr/bin/env bash
+ {{cosa_function}}
+ cd cache
+ cosa osbuild kubevirt
diff --git a/scripts/populate-local-kbs.sh b/scripts/populate-local-kbs.sh
index 76cd768..0416d4e 100755
--- a/scripts/populate-local-kbs.sh
+++ b/scripts/populate-local-kbs.sh
@@ -41,7 +41,6 @@ default executables := 33
 tpm_pcrs_valid if {
 input.tpm.pcr04 in data.reference.tpm_pcr4
- input.tpm.pcr07 in data.reference.tpm_pcr7
 input.tpm.pcr14 in data.reference.tpm_pcr14
 }
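Review bot: `sudo podman run --privileged -u 0 --network host` now executes whatever `quay.io/coreos-assembler/coreos-assembler:latest` resolves to at pull time as root on the build host, in the host network namespace, with `${PWD}` and `/var/tmp` bind-mounted read-write, so a repointed `latest` tag is code execution as root on every machine that runs this recipe. Pin the default by digest, `COREOS_ASSEMBLER_CONTAINER_LATEST="quay.io/coreos-assembler/coreos-assembler@sha256:…"`, keep `COREOS_ASSEMBLER_CONTAINER` as the opt-in override, and put a comment above `--network host` saying why it is needed, since it is new here and the commit message does not mention it. Note also that `set -ex` is not function-scoped: with the `set +xe` reset removed in the following hunk it stays in force for the rest of the recipe after the first `cosa` call, which is desirable, but `mkdir`, `cp` and `cd cache` in `init` run before that point without errexit.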
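Review bot: `cd cache` in the new `build-qemu` and `kubevirt` recipes has no failure handling, so if `init` has not been run the `cd` fails, the recipe continues in `coreos/`, and `cosa osbuild` is invoked with the wrong directory mounted at `/srv`. Add `set -euo pipefail` on the line after each `#!/usr/bin/env bash` (or write `cd cache || exit 1`) so a missing cache directory aborts the recipe. I also cannot find anything in this series that builds the new `Containerfile.cd`; if `cosa osbuild kubevirt` already produces the containerdisk, say so in a comment on the `kubevirt:` recipe, otherwise a recipe running `sudo podman build --build-arg IMAGE=<qcow2> -f Containerfile.cd` appears to be missing.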
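Review bot: removing `input.tpm.pcr07 in data.reference.tpm_pcr7` drops the only check on the Secure Boot policy measurements (the SecureBoot variable, PK/KEK/db/dbx and the certificate used to verify the boot chain), so a guest booted with Secure Boot disabled or with a different enrolled trust store still satisfies `tpm_pcrs_valid` as long as PCR4 and PCR14 match, and neither the commit message nor the script says why. If the PCR7 reference values are unstable across firmware builds, record that next to the rule, e.g. `# PCR7 (Secure Boot policy) deliberately not checked: reference values vary per firmware build; re-enable once a stable reference is available`, so the weakened policy is visible to whoever runs this KBS outside a local test setup. Otherwise the line should stay.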