podvm:Enable se image build for rhel

Updated build-se script and added se-boot option for RHEL podvm image build process.

Signed-off-by: Saripalli Lavanya <Saripalli.Lavanya@ibm.com>
Signed-off-by: ANJANA-A-R-K1
<anjana.a.r.k1@ibm.com>
Co-Authored-By: ANJANA-A-R-K <149779123+ANJANA-A-R-K@users.noreply.github.com>

src/cloud-api-adaptor/Makefile

@@ -211,5 +211,6 @@ podvm-image:
 	--build-arg CLOUD_PROVIDER=$(or $(CLOUD_PROVIDER),generic) \
 	--build-arg IMAGE_URL=$(IMAGE_URL) \
 	--build-arg IMAGE_CHECKSUM=$(IMAGE_CHECKSUM) \
+	--build-arg SE_BOOT=$(SE_BOOT) \
 	$(DOCKER_OPTS) .
 	rm -rf .git

src/cloud-api-adaptor/podvm/Dockerfile.podvm.rhel

@@ -23,13 +23,14 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER}
 ENV PODVM_DISTRO=${PODVM_DISTRO}
 ENV ARCH=${ARCH}
 ENV UEFI=${UEFI}
-
+ARG SE_BOOT
 ARG IMAGE_URL
 ARG IMAGE_CHECKSUM
 
 ENV IMAGE_URL=${IMAGE_URL}
 ENV IMAGE_CHECKSUM=${IMAGE_CHECKSUM}
 
+ENV SE_BOOT=${SE_BOOT}
 # workaround to ensure hashicorp packer is called instead
 # of cracklib packer which is installed by default
 ENV PATH="/usr/bin:${PATH}"

src/cloud-api-adaptor/podvm/Makefile

@@ -53,8 +53,10 @@ else ifeq ($(PODVM_DISTRO),rhel)
 	@echo defined
 	$(eval OPTS := -var disk_size=11144)
 ifeq ($(ARCH),s390x)
+	$(eval OPTS += -var se_boot=${SE_BOOT})
 	$(eval OPTS += -var machine_type=${QEMU_MACHINE_TYPE_${ARCH}})
 	$(eval OPTS += -var cpu_type=max)
+	$(eval OPTS += -var os_arch=s390x)
 ifndef QEMU_BINARY
 	$(eval OPTS += -var qemu_binary=qemu-system-${ARCH})
 endif
@@ -87,7 +89,7 @@ $(IMAGE_FILE): $(BINARIES) $(FILES) setopts
 	if [ "${ARCH}" = "x86_64" ]; then \
 		packer plugins install github.com/hashicorp/qemu v1.1.0; \
 	fi
-	packer build ${PACKER_DEFAULT_OPTS} ${OPTS} qcow2/$(PODVM_DISTRO)
+	PACKER_LOG=1 packer build ${PACKER_DEFAULT_OPTS} ${OPTS} -debug qcow2/$(PODVM_DISTRO)
 	rm -fr toupload
 	rm -f cloud-init.img
 

src/cloud-api-adaptor/podvm/qcow2/build-s390x-se-image.sh

@@ -16,15 +16,38 @@ for i in /tmp/files/*.crt; do
     host_keys+="-k ${i} "
 done
 [[ -z $host_keys ]] && echo "Didn't find host key files, please download host key files to 'files' folder " && exit 1
-echo "Installing jq"
-export DEBIAN_FRONTEND=noninteractive
-sudo apt-get update > /dev/null 2>&1
-sudo apt-get install jq -y > /dev/null 2>&1
-sudo apt-get remove unattended-upgrades -y
-sudo apt-get autoremove
-sudo apt-get clean
+if [ "${DISTRO}" = "rhel" ]; then
+    export LANG=C.UTF-8
+    if ! command -v jq &> /dev/null || ! command -v cryptsetup &> /dev/null; then
+        if ! command -v jq &> /dev/null; then
+            echo >&2 "jq is required but it's not installed. Installing now..."
+            sudo yum install jq -y >/dev/null 2>&1
+            if [ $? -ne 0 ]; then
+                echo >&2 "Failed to install jq. Aborting."
+                exit 1
+            fi
+        fi
+
+        if ! command -v cryptsetup &> /dev/null; then
+            echo >&2 "cryptsetup is required but it's not installed. Installing now..."
+            sudo yum install cryptsetup -y >/dev/null 2>&1
+            if [ $? -ne 0 ]; then
+                echo >&2 "Failed to install cryptsetup. Aborting."
+                exit 1
+            fi
+        fi
+    fi
+    echo "jq and cryptsetup are installed. Proceeding with the script..."
+else
+    echo "Installing jq"
+    export DEBIAN_FRONTEND=noninteractive
+    sudo apt-get update > /dev/null 2>&1
+    sudo apt-get install jq -y > /dev/null 2>&1
+    sudo apt-get remove unattended-upgrades -y
+    sudo apt-get autoremove
+    sudo apt-get clean
+fi
 sudo rm -rf /var/lib/apt/lists/*
-
 workdir=$(pwd)
 disksize=100G
 device=$(sudo lsblk --json | jq -r --arg disksize "$disksize" '.blockdevices[] | select(.size == $disksize and .children == null and .mountpoint == null) | .name')
@@ -114,14 +137,19 @@ sudo -E bash -c 'echo s390_trng >> ${dst_mnt}/etc/modules'
 
 echo "Preparing files needed for mkinitrd"
 
-sudo -E bash -c 'echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >> ${dst_mnt}/etc/cryptsetup-initramfs/conf-hook'
-sudo -E bash -c 'echo "UMASK=0077" >> ${dst_mnt}/etc/initramfs-tools/initramfs.conf'
-sudo -E bash -c 'cat <<END > ${dst_mnt}/etc/zipl.conf
+if [ "${DISTRO}" = "rhel" ]; then
+    sudo -E bash -c 'echo "install_items+=\"/etc/keys/*.key\"" >> ${dst_mnt}/etc/dracut.conf.d/cryptsetup.conf'
+    sudo -E bash -c 'echo "UMASK=0077" >> ${dst_mnt}/etc/dracut.conf.d/initramfs.conf'
+else 
+    sudo -E bash -c 'echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >> ${dst_mnt}/etc/cryptsetup-initramfs/conf-hook'
+    sudo -E bash -c 'echo "UMASK=0077" >> ${dst_mnt}/etc/initramfs-tools/initramfs.conf'
+fi
+    sudo -E bash -c 'cat <<END > ${dst_mnt}/etc/zipl.conf
 [defaultboot]
 default=linux
 target=/boot-se
 
-targetbase=/dev/vda
+targetbase=${tmp_nbd}
 targettype=scsi
 targetblocksize=512
 targetoffset=2048
@@ -131,7 +159,11 @@ image = /boot-se/se.img
 END'
 
 echo "Updating initial ram disk"
-sudo chroot "${dst_mnt}" update-initramfs -u || true
+if [ "${DISTRO}" = "rhel" ]; then
+    sudo chroot "${dst_mnt}" dracut -f /boot/initramfs-$(uname -r).img $(uname -r) || true
+else
+    sudo chroot "${dst_mnt}" update-initramfs -u || true
+fi
 echo "!!! Bootloader install errors prior to this line are intentional !!!!!" 1>&2
 echo "Generating an IBM Secure Execution image"
 
@@ -149,6 +181,7 @@ sudo -E /usr/bin/genprotimg \
     ${host_keys} \
     -o ${dst_mnt}/boot-se/se.img
 
+
 # exit and throw an error if no se image was created
 [ ! -e ${dst_mnt}/boot-se/se.img ] && exit 1
 # if building the image succeeded wipe /boot

src/cloud-api-adaptor/podvm/qcow2/rhel/qemu-rhel.pkr.hcl

@@ -3,6 +3,19 @@ locals {
   machine_type = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "q35" : "${var.machine_type}"
   use_pflash   = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "true" : "false"
   firmware     = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "${var.uefi_firmware}" : ""
+  se_qemuargs = [
+    ["-drive", "file=se-${var.qemu_image_name},if=none,format=qcow2,id=se-virtio-drive"],
+    ["-device", "virtio-blk,drive=se-virtio-drive,id=virtio-disk1"]
+  ]
+  qemuargs = [
+    ["-m", "${var.memory}"],
+    ["-smp", "cpus=${var.cpus}"],
+    ["-drive", "file=output/podvm-e74e3ca-dirty-s390x.qcow2,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
+    ["-cdrom", "${var.cloud_init_image}"],
+    ["-serial", "mon:stdio"],
+    ["-cpu", "${var.cpu_type}"]
+  ]
+final_qemuargs = "${var.se_boot}" == "1" ? concat(local.qemuargs, local.se_qemuargs) : local.qemuargs
 }
 
 source "qemu" "rhel" {
@@ -15,7 +28,7 @@ source "qemu" "rhel" {
   iso_checksum     = "${var.cloud_image_checksum}"
   iso_url          = "${var.cloud_image_url}"
   output_directory = "output"
-  qemuargs         = [["-m", "${var.memory}"], ["-smp", "cpus=${var.cpus}"], ["-cdrom", "${var.cloud_init_image}"], ["-serial", "mon:stdio"], ["-cpu", "${var.cpu_type}"]]
+  qemuargs         = "${local.final_qemuargs}"
   ssh_password     = "${var.ssh_password}"
   ssh_port         = 22
   ssh_username     = "${var.ssh_username}"
@@ -90,4 +103,30 @@ build {
       "sudo -E bash ~/misc-settings.sh"
     ]
   }
+  provisioner "file" {
+    source      = "qcow2/build-s390x-se-image.sh"
+    destination = "~/build-s390x-se-image.sh"
+  }
+
+  provisioner "shell" {
+    remote_folder = "~"
+    environment_vars = [
+      "SE_BOOT=${var.se_boot}",
+      "ARCH=${var.os_arch}",
+      "DISTRO=${var.podvm_distro}",
+    ]
+    inline = [
+      "sudo -E bash ~/build-s390x-se-image.sh"
+    ]
+  }
+  post-processor "shell-local" {
+    name   = "post-build-se-image"
+    script = "qcow2/build-s390x-se-image-post.sh"
+    environment_vars = [
+      "SE_BOOT=${var.se_boot}",
+      "ARCH=${var.os_arch}",
+      "OUTPUT_DIRECTORY=${var.output_directory}",
+      "IMAGE_NAME=${var.qemu_image_name}"
+    ]
+  }
 }

src/cloud-api-adaptor/podvm/qcow2/rhel/variables.pkr.hcl

@@ -101,4 +101,14 @@ variable "boot_wait" {
 variable "disable_cloud_config" {
   type    = string
   default = env("DISABLE_CLOUD_CONFIG")
+}
+
+variable "se_boot" {
+  type    = string
+  default = env("SE_BOOT")
+}
+
+variable "output_directory" {
+  type    = string
+  default = "output"
 }