diff --git a/.github/workflows/azure-podvm-image-build.yml b/.github/workflows/azure-podvm-image-build.yml index fff09a02f..460fd751a 100644 --- a/.github/workflows/azure-podvm-image-build.yml +++ b/.github/workflows/azure-podvm-image-build.yml @@ -49,9 +49,29 @@ jobs: path: cloud-api-adaptor ref: "${{ inputs.git-ref || 'main' }}" - - uses: cachix/install-nix-action@v30 - with: - nix_path: nixpkgs=channel:nixos-unstable + - name: Install build dependencies + run: | + sudo apt-get update -y + sudo apt-get install -y \ + alien \ + bubblewrap \ + dnf \ + mtools \ + qemu-utils \ + systemd-ukify \ + uidmap + sudo snap install yq + + - name: Read properties from versions.yaml + run: | + echo "MKOSI_VERSION=$(yq -e '.tools.mkosi' versions.yaml)" >> "$GITHUB_ENV" + + - name: Setup mkosi + run: | + git clone -b "$MKOSI_VERSION" https://github.com/systemd/mkosi + PATH="$PWD/mkosi/bin:$PATH" + mkosi --version + echo "PATH=$PWD/mkosi/bin:$PATH" >> "$GITHUB_ENV" - name: Install uplosi run: | @@ -67,11 +87,6 @@ jobs: run: | make binaries - - name: Install build dependencies - run: | - sudo apt-get update -y - sudo apt-get install -y qemu-utils - - name: Build image run: make image diff --git a/.github/workflows/podvm_mkosi.yaml b/.github/workflows/podvm_mkosi.yaml index 79ab34b65..32ff369c9 100644 --- a/.github/workflows/podvm_mkosi.yaml +++ b/.github/workflows/podvm_mkosi.yaml 
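Review bot: The new `Setup mkosi` step fetches the image-building toolchain by tag name, `git clone -b "$MKOSI_VERSION" https://github.com/systemd/mkosi`, with no integrity check, so what ends up producing the pod VM image depends on a mutable ref in a third-party repository; the identical step is added in the podvm_mkosi.yaml hunk `@@ -114,17 +114,30 @@`. Recording the expected commit next to `tools.mkosi` in versions.yaml and checking it after the clone would make the build reproducible and tamper-evident, e.g. `test "$(git -C mkosi rev-parse HEAD)" = "$MKOSI_COMMIT"` where `MKOSI_COMMIT` is a placeholder for a pinned SHA read from versions.yaml, and `--depth 1` on the clone would keep the fetch small. The `Read properties from versions.yaml` step resolves `versions.yaml` relative to the job's working directory; since this job checks the repository out into `path: cloud-api-adaptor`, that presumably relies on a default `working-directory` defined outside the hunk. The enclosing `jobs:` block starts before this hunk.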
@@ -114,17 +114,30 @@ jobs: - name: Install build dependencies run: | sudo apt-get update -y - sudo apt-get install -y bubblewrap alien dnf qemu-utils uidmap + sudo apt-get install -y \ + alien \ + bubblewrap \ + dnf \ + mtools \ + qemu-utils \ + systemd-ukify \ + uidmap sudo snap install yq - name: Read properties from versions.yaml run: | + echo "MKOSI_VERSION=$(yq -e '.tools.mkosi' versions.yaml)" >> "$GITHUB_ENV" echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV" - - uses: oras-project/setup-oras@v1 with: version: ${{ env.ORAS_VERSION }} + - name: Setup mkosi + run: | + git clone -b "$MKOSI_VERSION" https://github.com/systemd/mkosi + PATH="$PWD/mkosi/bin:$PATH" + mkosi --version + echo "PATH=$PWD/mkosi/bin:$PATH" >> "$GITHUB_ENV" - name: Build binaries id: build_binaries @@ -133,22 +146,6 @@ jobs: env: ARCH: ${{ inputs.arch }} - - name: Install mkosi - if: ${{ inputs.arch == 's390x' }} - run: | - git clone -b v22 https://github.com/systemd/mkosi - sudo rm -f /usr/local/bin/mkosi - sudo ln -s "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi - mkosi --version - - - name: Install Nix - if: ${{ inputs.arch == 'amd64' }} - uses: cachix/install-nix-action@v30 - - - name: Build nix shell to cache dependencies - if: ${{ inputs.arch == 'amd64' }} - run: nix build .#devShells.x86_64-linux.podvm-mkosi - - name: Build mkosi debug image if: ${{ inputs.debug == 'true' }} working-directory: src/cloud-api-adaptor/podvm-mkosi @@ -192,13 +189,11 @@ jobs: subject-digest: ${{ steps.publish_oras_qcow2.outputs.digest }} push-to-registry: true - - name: Clean up some space for the docker provider build working-directory: src/cloud-api-adaptor/podvm-mkosi run: | sudo du --max-depth=2 /home/runner || true sudo du --max-depth=2 /var/lib || true - sudo rm -rf /nix sudo rm -rf ./build sudo rm -rf ./mkosi.cache diff --git a/src/cloud-api-adaptor/flake.lock b/src/cloud-api-adaptor/flake.lock deleted file mode 100644 index 36f7d25bd..000000000 
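Review bot: The removed s390x `Install mkosi` step in the `@@ -133,22 +146,6 @@` hunk symlinked the binary into `/usr/local/bin`, which is what let the Makefile's unchanged `sudo mkosi --profile production.conf ...` lines find it; the replacement `Setup mkosi` step only prepends `$PWD/mkosi/bin` to `PATH` through `$GITHUB_ENV`, and `sudo` typically discards the caller's `PATH` when a `secure_path` is configured, as stock Ubuntu sudoers does. If the s390x runners use such a configuration the s390x build will fail with mkosi not found after this change, while amd64 is unaffected because its Makefile branch no longer uses sudo. Keeping the symlink in the shared step, `sudo ln -sf "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi`, or invoking `sudo env "PATH=$PATH" mkosi` in the s390x Makefile branches, would cover both paths. The `steps` list continues outside the hunk.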
--- a/src/cloud-api-adaptor/flake.lock +++ /dev/null @@ -1,61 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "nixpkgsUnstable": { - "locked": { - "lastModified": 1696019113, - "narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgsUnstable": "nixpkgsUnstable" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/src/cloud-api-adaptor/flake.nix b/src/cloud-api-adaptor/flake.nix deleted file mode 100644 index 743f3ee8d..000000000 --- a/src/cloud-api-adaptor/flake.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - description = "Cloud API Adaptor for Confidential Containers"; - - inputs = { - nixpkgsUnstable = { - url = "github:nixos/nixpkgs/nixos-unstable"; - }; - flake-utils = { - url = "github:numtide/flake-utils"; - }; - }; - - outputs = - { self - , nixpkgsUnstable - , flake-utils - }: - flake-utils.lib.eachDefaultSystem - (system: - let - pkgsUnstable = import nixpkgsUnstable { inherit system; }; - in - { - devShells = { - # Shell for building podvm images with mkosi. - podvm-mkosi = pkgsUnstable.mkShell { - nativeBuildInputs = with pkgsUnstable; [ - btrfs-progs - cryptsetup - dnf5 - dosfstools - mkosi-full - mtools - rpm - squashfsTools - util-linux - zstd - e2fsprogs # remove when switching to squashFS - ]; - }; - }; - - formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt; - }); -} diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile index a5761f92d..aa51e4c53 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/Makefile +++ b/src/cloud-api-adaptor/podvm-mkosi/Makefile @@ -65,16 +65,13 @@ image: rm -rf ./build @echo "Building image..." ifeq ($(SE_BOOT),true) - touch resources/buildS390xImage sudo mkosi --profile production.conf --image system sudo -E ../hack/build-s390x-se-image.sh else ifeq ($(ARCH),s390x) - touch resources/buildS390xImage sudo mkosi --profile production.conf --image system sudo -E ../hack/build-s390x-image.sh else - touch resources/buildBootableImage - nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=production + mkosi --profile production.conf qemu-img convert -f raw -O qcow2 build/system.raw build/podvm-$(PODVM_DISTRO)-$(ARCH).qcow2 endif 
@@ -82,20 +79,16 @@ PHONY: image-debug image-debug: @echo "Enabling debug preset..." rm -rf resources/build*Image - touch resources/buildDebugImage rm -rf ./build @echo "Building debug image..." ifeq ($(SE_BOOT),true) - touch resources/buildS390xImage sudo mkosi --profile debug.conf sudo -E ../hack/build-s390x-se-image.sh else ifeq ($(ARCH),s390x) - touch resources/buildS390xImage sudo mkosi --profile debug.conf sudo -E ../hack/build-s390x-image.sh else - touch resources/buildBootableImage - nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=debug + mkosi --profile debug.conf qemu-img convert -f raw -O qcow2 build/system.raw build/podvm-$(PODVM_DISTRO)-$(ARCH).qcow2 endif diff --git a/src/cloud-api-adaptor/podvm-mkosi/README.md b/src/cloud-api-adaptor/podvm-mkosi/README.md index be920de23..67da3f0d9 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/README.md +++ b/src/cloud-api-adaptor/podvm-mkosi/README.md @@ -4,7 +4,9 @@ ## Prerequisites -Currently, mksoi and other related tools are provided through a [Nix](https://nixos.org/) flake. Nix ensures all tools used in the build of the image are itself reproducible and pinned. mkosi requires a very recent systemd version, so using tools installed on the host is usually not possible. Nix needs to be configured to enable `flakes` and `nix command`. It is recommended to install Nix with the `DeterminateSystems nix-installer`, which comes with a configuration that is ready to use. +There are various ways to install mkosi documented on the [project page](https://github.com/systemd/mkosi). Different distributions also package mkosi in their repositories, alongside the dependencies. + +Refer to the [CI workflow](../../../.github/workflows/podvm_mkosi.yaml) to see which additional tools are required to build an image. ### Building the image 
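Review bot: `rm -rf resources/build*Image` on the unchanged line near the top of `image-debug` looks dead after this commit: every `touch resources/build*Image` that created those flag files is removed here and in the previous hunk, and the mkosi.conf.d fragments no longer match on `PathExists=../../resources/build*Image`. Leaving it in suggests a selection mechanism that no longer exists, whereas debug versus production is now chosen solely by `--profile debug.conf` / `--profile production.conf`. Dropping the line, together with any matching cleanup in the `image` target if one exists outside the previous hunk, keeps the Makefile honest; if it is kept deliberately for people with stale flag files from older checkouts, a comment such as `# legacy: remove flag files left by pre-profile builds` would say so. The target's recipe continues past the end of this hunk.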
@@ -77,7 +79,7 @@ reduce complexity of configuration and CI and shall not be seen as open to-dos. from IMDS via the project's `process-user-data` tool. ## Build s390x image -Since the [nix OS](https://nixos.org/download/#download-nix) does not support s390x, we can use the mkosi **ToolsTree** feature defined in `mkosi.conf` to download latest tools automatically: +We can use the mkosi **ToolsTree** feature defined in `mkosi.conf` to download latest tools automatically: ``` [Host] ToolsTree=default diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/initrd/mkosi.conf.d/fedora-s390x.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/initrd/mkosi.conf.d/fedora-s390x.conf index a0b32cc2e..05744158c 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/initrd/mkosi.conf.d/fedora-s390x.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/initrd/mkosi.conf.d/fedora-s390x.conf @@ -1,11 +1,6 @@ [Match] Distribution=fedora - -# mkosi version in nix is 17.1, -# which doesn't support Architecture in [Match] -# As a workaround, use a flag file instead. -#Architecture=s390x -PathExists=../../resources/buildS390xImage +Architecture=s390x [Content] Packages=kernel-core diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-bootable.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-bootable.conf index 432feea10..9130e2557 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-bootable.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-bootable.conf @@ -1,11 +1,6 @@ [Match] Distribution=fedora - -# mkosi version in nix is 17.1, -# which doesn't support Architecture in [Match] -# As a workaround, use a flag file instead. -#Architecture=!s390x -PathExists=../../resources/buildBootableImage +Architecture=!s390x [Content] Packages=systemd-boot 
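Review bot: The new `Architecture=s390x` match in the initrd `fedora-s390x.conf` hunk silently depends on a recent mkosi: the comment this hunk deletes recorded that the previously used 17.1 release did not support `Architecture` in `[Match]`, and with it gone nothing in the fragment says what it requires. A short replacement comment, `# Architecture= in [Match] needs the mkosi release pinned as tools.mkosi in versions.yaml (17.1 did not support it)`, would preserve that knowledge; the same applies to the `fedora-bootable.conf` hunk that follows and to the system-preset `fedora-s390x.conf` hunk further down. How an older mkosi treats the key is not something this diff shows, so whether a too-old tool fails loudly or quietly skips the s390x/non-s390x split is worth confirming once, and the `mkosi --version` already printed in the workflow could be turned into a minimum-version check if the answer is "quietly".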
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-aux.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-aux.conf index 564920f61..3d659eebe 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-aux.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-aux.conf @@ -1,12 +1,9 @@ [Match] Distribution=fedora - -PathExists=../../resources/buildDebugImage - +Profile=debug # Overwrite default ssh config, but conflict with # cloud-init which is installed for s390x. -#Architecture=!s390x -PathExists=../../resources/buildBootableImage +Architecture=!s390x [Content] ExtraTrees=../../mkosi.skeleton-debug diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-keys.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-keys.conf index e6c2ab875..284a7f40c 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-keys.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug-keys.conf @@ -1,7 +1,6 @@ [Match] Distribution=fedora -# Only for debug images and if authorized_keys exists -PathExists=../../resources/buildDebugImage +Profile=debug PathExists=../../resources/authorized_keys [Content] diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug.conf index f8b3d1e04..d94602ff8 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-debug.conf 
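Review bot: `Profile=debug` is now the only condition keeping the debug skeleton (`ExtraTrees=../../mkosi.skeleton-debug` in this hunk), the `authorized_keys` injection in the `fedora-debug-keys.conf` hunk and `Autologin=true` in the `fedora-debug.conf` hunk further down out of production images, and it assumes the profile name mkosi derives from the Makefile's `--profile debug.conf` argument is exactly `debug`; the diff does not show that mapping, so it should be confirmed against the pinned mkosi release. A mismatch in either direction is silent, either debug content lands in the production image or the debug image ships without its keys, so a CI assertion on the built production artifact that the debug skeleton and an `authorized_keys` file are absent would guard the boundary. The old `# Only for debug images and if authorized_keys exists` comment that the keys hunk removes carried the security intent; a replacement on the match line, `# Profile=debug: keeps SSH keys and autologin out of the production profile; do not loosen without updating the CI check`, would keep that intent visible.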
@@ -1,8 +1,6 @@ [Match] Distribution=fedora -# This is a little hack to define different image types in a mkosi config. -# There is also imageId, but it renames the output, which is not what we want. -PathExists=../../resources/buildDebugImage +Profile=debug [Content] Autologin=true diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-s390x.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-s390x.conf index 10fa3af54..f1832a20b 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-s390x.conf +++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora-s390x.conf @@ -1,11 +1,6 @@ [Match] Distribution=fedora - -# mkosi version in nix is 17.1, -# which doesn't support Architecture in [Match] -# As a workaround, use a flag file instead. -#Architecture=s390x -PathExists=../../resources/buildS390xImage +Architecture=s390x [Content] Bootable=no diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml index 9cb6d6c03..0dfc6c545 100644 --- a/src/cloud-api-adaptor/versions.yaml +++ b/src/cloud-api-adaptor/versions.yaml @@ -23,11 +23,12 @@ cloudimg: tools: bats: 1.10.0 + iptables-wrapper: v0.0.0-20240819165702-06cad2ec6cb5 golang: 1.22.7 + kcli: 99.0.202408152044 + mkosi: v22 protoc: 3.15.0 packer: v1.9.4 - kcli: 99.0.202408152044 - iptables-wrapper: v0.0.0-20240819165702-06cad2ec6cb5 oras: 1.2.0 # Referenced Git repositories git: