From d472c6a061d5cac1c3ec1cc801becbb4c8e4d338 Mon Sep 17 00:00:00 2001 From: Saripalli Lavanya Date: Mon, 22 Jul 2024 07:02:57 +0530 Subject: [PATCH] podvm:Enable se image build for rhel Updated build-se script and added se-boot option for RHEL podvm image build process. Signed-off-by: Saripalli Lavanya Co-Authored-By: ANJANA-A-R-K <149779123+ANJANA-A-R-K@users.noreply.github.com> --- src/cloud-api-adaptor/Makefile | 1 + .../podvm/Dockerfile.podvm.rhel | 3 +- src/cloud-api-adaptor/podvm/Makefile | 2 + .../podvm/qcow2/build-s390x-se-image.sh | 81 +++++++++++++++---- .../podvm/qcow2/rhel/qemu-rhel.pkr.hcl | 41 +++++++++- .../podvm/qcow2/rhel/variables.pkr.hcl | 12 ++- 6 files changed, 120 insertions(+), 20 deletions(-) diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile index 651f401f5..f123fd839 100644 --- a/src/cloud-api-adaptor/Makefile +++ b/src/cloud-api-adaptor/Makefile @@ -207,5 +207,6 @@ endif --build-arg CLOUD_PROVIDER=$(or $(CLOUD_PROVIDER),generic) \ --build-arg IMAGE_URL=$(IMAGE_URL) \ --build-arg IMAGE_CHECKSUM=$(IMAGE_CHECKSUM) \ + --build-arg SE_BOOT=$(SE_BOOT) \ $(DOCKER_OPTS) . rm -rf .git diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm.rhel index 024a70e86..8d5a14ec9 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm.rhel @@ -23,7 +23,7 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER} ENV PODVM_DISTRO=${PODVM_DISTRO} ENV ARCH=${ARCH} ENV UEFI=${UEFI} - +ARG SE_BOOT ARG IMAGE_URL ARG IMAGE_CHECKSUM @@ -31,6 +31,7 @@ ADD ${IMAGE_URL} /tmp/rhel.img ENV IMAGE_URL=/tmp/rhel.img ENV IMAGE_CHECKSUM=${IMAGE_CHECKSUM} +ENV SE_BOOT=${SE_BOOT} # workaround to ensure hashicorp packer is called instead # of cracklib packer which is installed by default ENV PATH="/usr/bin:${PATH}" diff --git a/src/cloud-api-adaptor/podvm/Makefile b/src/cloud-api-adaptor/podvm/Makefile index ff647a8f0..877185d69 100644 
--- a/src/cloud-api-adaptor/podvm/Makefile
+++ b/src/cloud-api-adaptor/podvm/Makefile
@@ -53,8 +53,10 @@ else ifeq ($(PODVM_DISTRO),rhel)
 @echo defined
 $(eval OPTS := -var disk_size=11144)
 ifeq ($(ARCH),s390x)
+ $(eval OPTS += -var se_boot=${SE_BOOT})
 $(eval OPTS += -var machine_type=${QEMU_MACHINE_TYPE_${ARCH}})
 $(eval OPTS += -var cpu_type=max)
+ $(eval OPTS += -var os_arch=s390x)
 ifndef QEMU_BINARY
 $(eval OPTS += -var qemu_binary=qemu-system-${ARCH})
 endif
diff --git a/src/cloud-api-adaptor/podvm/qcow2/build-s390x-se-image.sh b/src/cloud-api-adaptor/podvm/qcow2/build-s390x-se-image.sh
index 0746a2c05..be07234f7 100755
--- a/src/cloud-api-adaptor/podvm/qcow2/build-s390x-se-image.sh
+++ b/src/cloud-api-adaptor/podvm/qcow2/build-s390x-se-image.sh
@@ -16,13 +16,37 @@ for i in /tmp/files/*.crt; do
 host_keys+="-k ${i} "
 done
 [[ -z $host_keys ]] && echo "Didn't find host key files, please download host key files to 'files' folder " && exit 1
-echo "Installing jq"
-export DEBIAN_FRONTEND=noninteractive
-sudo apt-get update > /dev/null 2>&1
-sudo apt-get install jq -y > /dev/null 2>&1
-sudo apt-get remove unattended-upgrades -y
-sudo apt-get autoremove
-sudo apt-get clean
+if [ "${DISTRO}" = "rhel" ]; then
+ export LANG=C.UTF-8
+ if ! command -v jq &> /dev/null || ! command -v cryptsetup &> /dev/null; then
+ if ! command -v jq &> /dev/null; then
+ echo >&2 "jq is required but it's not installed. Installing now..."
+ sudo yum install jq -y >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo >&2 "Failed to install jq. Aborting."
+ exit 1
+ fi
+ fi
+
+ if ! command -v cryptsetup &> /dev/null; then
+ echo >&2 "cryptsetup is required but it's not installed. Installing now..."
+ sudo yum install cryptsetup -y >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo >&2 "Failed to install cryptsetup. Aborting."
+ exit 1
+ fi
+ fi
+ fi
+ echo "jq and cryptsetup are installed. Proceeding with the script..."
+else
+ echo "Installing jq"
+ export DEBIAN_FRONTEND=noninteractive
+ sudo apt-get update > /dev/null 2>&1
+ sudo apt-get install jq -y > /dev/null 2>&1
+ sudo apt-get remove unattended-upgrades -y
+ sudo apt-get autoremove
+ sudo apt-get clean
+fi
 sudo rm -rf /var/lib/apt/lists/*
 workdir=$(pwd)
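Review bot: Both `sudo yum install ... >/dev/null 2>&1` lines in the new RHEL branch throw away yum's own diagnostics, so when the guest has no usable subscription or repo the only thing a builder sees is `Failed to install jq. Aborting.`; keep stderr and drop the separate `$?` tests, e.g. `if ! sudo yum install -y jq cryptsetup >/dev/null; then echo >&2 "Failed to install jq/cryptsetup. Aborting."; exit 1; fi` under the existing `command -v` guard. `export LANG=C.UTF-8` has no comment saying why it is needed; if it is there to get predictable tool output, say so with `# pin the locale so tool output is predictable inside the chroot`. The unchanged `sudo rm -rf /var/lib/apt/lists/*` after the `fi` now also runs on RHEL, which is harmless but belongs inside the apt branch.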
@@ -114,14 +138,26 @@ sudo -E bash -c 'echo s390_trng >> ${dst_mnt}/etc/modules' echo "Preparing files needed for mkinitrd" -sudo -E bash -c 'echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >> ${dst_mnt}/etc/cryptsetup-initramfs/conf-hook' -sudo -E bash -c 'echo "UMASK=0077" >> ${dst_mnt}/etc/initramfs-tools/initramfs.conf' -sudo -E bash -c 'cat < ${dst_mnt}/etc/zipl.conf +if [ "${DISTRO}" = "rhel" ]; then +sudo -E bash -c 'cat <> "${dst_mnt}/etc/dracut.conf.d/crypt.conf" +UMASK=0077 +add_drivers+=" dm_crypt " +add_dracutmodules+=" crypt " +install_items+=" /etc/keys/*.key " +install_items+=" /etc/fstab " +install_items+=" /etc/crypttab " +EOF' + +else + sudo -E bash -c 'echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >> ${dst_mnt}/etc/cryptsetup-initramfs/conf-hook' + sudo -E bash -c 'echo "UMASK=0077" >> ${dst_mnt}/etc/initramfs-tools/initramfs.conf' +fi + sudo -E bash -c 'cat < ${dst_mnt}/etc/zipl.conf [defaultboot] default=linux target=/boot-se -targetbase=/dev/vda +targetbase=${tmp_nbd} targettype=scsi targetblocksize=512 targetoffset=2048 
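Review bot: `UMASK=0077` in the new `crypt.conf` heredoc is an initramfs-tools setting carried over from the apt branch; I do not believe dracut honours a `UMASK` key in dracut.conf, so it is a no-op there, and since `install_items+=" /etc/keys/*.key "` now places the LUKS key inside the initramfs, the mode of the generated image should be asserted after the dracut run (`sudo chmod 0600 "${dst_mnt}/boot/initramfs-"*`) rather than assumed, or the line removed so nobody relies on it. Embedding the key is only acceptable because genprotimg later wraps the initrd into the SE image; that rationale belongs in a comment above the heredoc, e.g. `# key file is embedded in the initrd; the initrd is protected by genprotimg below`. `targetbase=${tmp_nbd}` is expanded by the child shell in `sudo -E bash -c '...'`, so `tmp_nbd` must be exported earlier in the script (not visible here); if it is only a plain shell variable, zipl.conf silently gets an empty `targetbase=`. The heredoc appends (`>>`) to crypt.conf, so a second run against the same chroot duplicates every entry; `>` is safer if this script owns the file.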
@@ -131,16 +167,27 @@ image = /boot-se/se.img
 END'
 echo "Updating initial ram disk"
-sudo chroot "${dst_mnt}" update-initramfs -u || true
+if [ "${DISTRO}" = "rhel" ]; then
+ sudo cp /boot/vmlinuz-$(uname -r) ${dst_mnt}/boot/vmlinuz-$(uname -r)
+ sudo cp /boot/initramfs-$(uname -r).img ${dst_mnt}/boot/initramfs-$(uname -r).img
+ sudo chroot ${dst_mnt} dracut --force --include /etc/crypttab --include /etc/fstab --include /etc/dracut.conf.d/ -f -v
+ KERNEL_FILE=vmlinuz-$(uname -r)
+ INITRD_FILE=initramfs-$(uname -r).img
+else
+ sudo chroot "${dst_mnt}" update-initramfs -u || true
+ # Clean up kernel names and make sure they are where we expect them
+ KERNEL_FILE=$(readlink ${dst_mnt}/boot/vmlinuz)
+ INITRD_FILE=$(readlink ${dst_mnt}/boot/initrd.img)
+fi
 echo "!!! Bootloader install errors prior to this line are intentional !!!!!" 1>&2
 echo "Generating an IBM Secure Execution image"
-
-# Clean up kernel names and make sure they are where we expect them
-KERNEL_FILE=$(readlink ${dst_mnt}/boot/vmlinuz)
-INITRD_FILE=$(readlink ${dst_mnt}/boot/initrd.img)
 echo "Creating SE boot image"
-export SE_PARMLINE="root=/dev/mapper/$LUKS_NAME console=ttysclp0 quiet panic=0 rd.shell=0 blacklist=virtio_rng swiotlb=262144"
+export SE_PARMLINE="root=/dev/mapper/$LUKS_NAME console=ttysclp0 quiet panic=0 rd.shell=1 rd.debug=1 blacklist=virtio_rng swiotlb=262144"
 sudo -E bash -c 'echo "${SE_PARMLINE}" > ${dst_mnt}/boot/parmfile'
+echo "ls ${dst_mnt}/"
+ls ${dst_mnt}/
+echo "ls ${dst_mnt}/boot/"
+ls ${dst_mnt}/boot/
 sudo -E /usr/bin/genprotimg \
 -i ${dst_mnt}/boot/${KERNEL_FILE} \
 -r ${dst_mnt}/boot/${INITRD_FILE} \
diff --git a/src/cloud-api-adaptor/podvm/qcow2/rhel/qemu-rhel.pkr.hcl b/src/cloud-api-adaptor/podvm/qcow2/rhel/qemu-rhel.pkr.hcl
index 381f03046..50e614aeb 100644
--- a/src/cloud-api-adaptor/podvm/qcow2/rhel/qemu-rhel.pkr.hcl
+++ b/src/cloud-api-adaptor/podvm/qcow2/rhel/qemu-rhel.pkr.hcl
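Review bot: The `SE_PARMLINE` change replaces `rd.shell=0` with `rd.shell=1 rd.debug=1` for every distro, not only RHEL, and that parmfile is baked into the Secure Execution image by genprotimg: on any boot failure the guest now drops into a dracut emergency shell with the LUKS-opened root and the embedded key file reachable from the console, and `rd.debug=1` traces dracut's work, including crypttab handling, to `ttysclp0`, which is visible outside the protected guest. Restore `rd.shell=0`, drop `rd.debug=1`, and remove the four `echo "ls ..."`/`ls ${dst_mnt}/...` lines, which read as leftover debugging. Separately, dracut's `--include` takes a SOURCE and a TARGET argument, so `--include /etc/crypttab --include /etc/fstab --include /etc/dracut.conf.d/ -f -v` is very likely mis-parsed (and `--force`/`-f` is the same flag twice); the files are already listed via `install_items` in crypt.conf, so `sudo chroot "${dst_mnt}" dracut --force -v` should suffice, but verify with `lsinitrd` that /etc/crypttab and the key file land in the result. `sudo cp /boot/vmlinuz-$(uname -r)` copies the kernel the build VM is running, which is only correct because this script executes inside the VM being imaged; a one-line comment stating that assumption would help.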
@@ -3,6 +3,19 @@ locals {
 machine_type = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "q35" : "${var.machine_type}"
 use_pflash = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "true" : "false"
 firmware = "${var.os_arch}" == "x86_64" && "${var.is_uefi}" ? "${var.uefi_firmware}" : ""
+ se_qemuargs = [
+ ["-drive", "file=se-${var.qemu_image_name},if=none,format=qcow2,id=se-virtio-drive"],
+ ["-device", "virtio-blk,drive=se-virtio-drive,id=virtio-disk1"]
+ ]
+ qemuargs = [
+ ["-m", "${var.memory}"],
+ ["-smp", "cpus=${var.cpus}"],
+ ["-drive", "file=${var.output_directory}/${var.qemu_image_name},if=virtio,cache=writeback,discard=ignore,format=qcow2"],
+ ["-cdrom", "${var.cloud_init_image}"],
+ ["-serial", "mon:stdio"],
+ ["-cpu", "${var.cpu_type}"]
+ ]
+final_qemuargs = "${var.se_boot}" == "1" ? concat(local.qemuargs, local.se_qemuargs) : local.qemuargs
 }
 source "qemu" "rhel" {
@@ -15,7 +28,7 @@ source "qemu" "rhel" {
 iso_checksum = "${var.cloud_image_checksum}"
 iso_url = "${var.cloud_image_url}"
 output_directory = "output"
- qemuargs = [["-m", "${var.memory}"], ["-smp", "cpus=${var.cpus}"], ["-cdrom", "${var.cloud_init_image}"], ["-serial", "mon:stdio"], ["-cpu", "${var.cpu_type}"]]
+ qemuargs = "${local.final_qemuargs}"
 ssh_password = "${var.ssh_password}"
 ssh_port = 22
 ssh_username = "${var.ssh_username}"
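Review bot: The SE disk in `se_qemuargs` is referenced as `se-${var.qemu_image_name}`, relative to packer's working directory, while the primary drive a few lines below is addressed as `${var.output_directory}/${var.qemu_image_name}`; unless the post-build script deliberately expects the SE disk at the top level, the two should agree, i.e. `file=${var.output_directory}/se-${var.qemu_image_name}`. `final_qemuargs` keys on the literal string `"1"`, so `SE_BOOT=true` or `yes` quietly produces a non-SE image with no error, and that contract is not written down; add `# SE_BOOT must be exactly "1"; any other value builds a plain (non-Secure-Execution) image` above the local. `final_qemuargs` is also the only local not indented with its siblings.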
@@ -90,4 +103,30 @@ build {
 "sudo -E bash ~/misc-settings.sh"
 ]
 }
+ provisioner "file" {
+ source = "qcow2/build-s390x-se-image.sh"
+ destination = "~/build-s390x-se-image.sh"
+ }
+
+ provisioner "shell" {
+ remote_folder = "~"
+ environment_vars = [
+ "SE_BOOT=${var.se_boot}",
+ "ARCH=${var.os_arch}",
+ "DISTRO=${var.podvm_distro}",
+ ]
+ inline = [
+ "sudo -E bash ~/build-s390x-se-image.sh"
+ ]
+ }
+ post-processor "shell-local" {
+ name = "post-build-se-image"
+ script = "qcow2/build-s390x-se-image-post.sh"
+ environment_vars = [
+ "SE_BOOT=${var.se_boot}",
+ "ARCH=${var.os_arch}",
+ "OUTPUT_DIRECTORY=${var.output_directory}",
+ "IMAGE_NAME=${var.qemu_image_name}"
+ ]
+ }
 }
diff --git a/src/cloud-api-adaptor/podvm/qcow2/rhel/variables.pkr.hcl b/src/cloud-api-adaptor/podvm/qcow2/rhel/variables.pkr.hcl
index 6f0ccde1d..0016fc493 100644
--- a/src/cloud-api-adaptor/podvm/qcow2/rhel/variables.pkr.hcl
+++ b/src/cloud-api-adaptor/podvm/qcow2/rhel/variables.pkr.hcl
@@ -101,4 +101,14 @@ variable "boot_wait" {
 variable "disable_cloud_config" {
 type = string
 default = env("DISABLE_CLOUD_CONFIG")
-}
\ No newline at end of file
+}
+
+variable "se_boot" {
+ type = string
+ default = env("SE_BOOT")
+}
+
+variable "output_directory" {
+ type = string
+ default = "output"
+}
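Review bot: `se_boot` is a free-form string with no `description` and no `validation`, yet the builder compares it to the literal `"1"` (in the locals block, outside this hunk), so `SE_BOOT=true` or `yes` yields an ordinary, unencrypted image with no error — a silent downgrade for an artifact meant to run under Secure Execution. A validation block that accepts only `""`, `"0"` or `"1"` turns that into a build failure, and the description documents the contract in the one place users look. The new `shell` provisioner and `shell-local` post-processor also run on every build regardless of `se_boot`; I assume `build-s390x-se-image.sh` and the post script gate on `SE_BOOT` themselves (the script's head is not in this patch), but a comment on the provisioner saying so would save the next reader a lookup.
```hcl
variable "se_boot" {
  description = "Set to \"1\" to build an IBM Secure Execution image (s390x only); any other value builds a plain image."
  type        = string
  default     = env("SE_BOOT")

  validation {
    condition     = contains(["", "0", "1"], var.se_boot)
    error_message = "SE_BOOT must be \"1\", \"0\" or unset."
  }
}
```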