Assorted installer and test fixes

sorenisanerd · sorenisanerd · commit 3749b07b12f6 · 2025-12-18T17:56:32.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,11 +5,6 @@ on:
 
 jobs:
   build:
-    strategy:
-      matrix:
-        profiles:
-          - verity-full,docker-ext
-          - verity-full,docker
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -78,20 +73,35 @@ jobs:
           cat <<EOF > mkosi.key
           $MANGOS_KEY
           EOF
+      - name: Inject GnuPG key
+        env:
+          MANGOS_GNUPG_KEY: ${{ secrets.MANGOS_GNUPG_KEY }}
+        run: |
+          set -e
+          if [ -z "${MANGOS_GNUPG_KEY}" ]; then
+              echo '::warning title=Missing key::`MANGOS_GNUPG_KEY` was not set. Generating temporary key.'
+              echo '`MANGOS_GNUPG_KEY` was not set. Build performed with ephemeral key.' >> ${GITHUB_STEP_SUMMARY}
+              GNUPGHOME=$(pwd)/.gnupg gpg --batch --passphrase '' --quick-generate-key "ephemeral github.com/${GITHUB_REPOSITORY} signing Key"
+              exit 0
+          fi
+          GNUPGHOME=$(pwd)/.gnupg gpg --batch --import <<EOF
+          $MANGOS_GNUPG_KEY
+          EOF
       - name: Download Hashistack
         run: |
           ./hashiext-download.sh
       - name: Run mkosi
         env:
-          profiles: ${{ matrix.profiles }}
           MANGOS_GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}
         run: |
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},hashistack"
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},installer"
+          mkosi -E RUNNER_ENVIRONMENT --debug
+          rm *.zip mkosi.images/*/bin/*
       - name: List built artifacts
-        run: find out/
+        run: ls out/
       - name: Export image version for later steps
         run: echo IMAGE_VERSION="$(./mkosi.version)" >> $GITHUB_ENV
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
       - name: Test it
         run: |
           #!/bin/bash
@@ -110,7 +120,7 @@ jobs:
           shopt -s nullglob
           for file in out/mangos{,-installer}_${IMAGE_VERSION}.{raw,efi} out/docker*_${IMAGE_VERSION}.raw
           do
-              zstd --rm "$file"
+              test -f "${file}" && zstd --rm "$file"
           done
 #      - name: Sign artifacts
 #        run: for file in out/mangos* ; do cosign sign-blob -d -y --bundle "${file}.sigbundle" "${file}" > /dev/null; done
@@ -136,31 +146,27 @@ jobs:
             out/mangos-installer_${{ env.IMAGE_VERSION }}.github.json
             out/mangos-installer_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos-installer_${{ env.IMAGE_VERSION }}.syft.json
-          name: mangos.${{ matrix.profiles }}
-
-  release:
-    if: github.ref_type == 'tag'
-    runs-on: ubuntu-latest
-    needs:
-      - build
-    permissions:
-      contents: write
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-      - name: Rename artifacts
-        run: |
-          mkdir release
-
-          mv artifacts/mangos.verity-full,docker-ext/* release/
-          for f in artifacts/mangos.verity-full,docker/* ; do
-            [ "$(basename $f)" == "mangosctl" ] && continue
-            mv "$f" "release/mangos+docker_$(basename $f | cut -f2- -d_)"
-          done
       - name: Release
+        if: github.ref_type == 'tag'
         uses: softprops/action-gh-release@v2
         with:
           draft: true
-          files: release/*
+          files: |
+            out/mangos_${{ env.IMAGE_VERSION }}.efi.zst
+            out/mangos_${{ env.IMAGE_VERSION }}.root-x86-64.*.zst
+            out/mangos_${{ env.IMAGE_VERSION }}.root-x86-64-verity.*.zst
+            out/mangos_${{ env.IMAGE_VERSION }}.root-x86-64-verity-sig.*.zst
+            out/mangos_${{ env.IMAGE_VERSION }}.raw.zst
+            out/mangos_${{ env.IMAGE_VERSION }}.cyclonedx.json
+            out/mangos_${{ env.IMAGE_VERSION }}.github.json
+            out/mangos_${{ env.IMAGE_VERSION }}.spdx.json
+            out/mangos_${{ env.IMAGE_VERSION }}.syft.json
+            out/mangos_${{ env.IMAGE_VERSION }}.manifest
+            out/mangosctl
+            out/docker*_${{ env.IMAGE_VERSION }}.raw.zst
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.raw.zst
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.cyclonedx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.github.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.spdx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.syft.json
+ 
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -5,11 +5,6 @@ on:
 
 jobs:
   build:
-    strategy:
-      matrix:
-        profiles:
-          - verity-full,docker-ext
-          - verity-full,docker
     runs-on: ubuntu-latest
     steps:
       - name: Install cosign
@@ -56,20 +51,19 @@ jobs:
                               dl/mangos.packages_*.tar.zst
       - name: Decompress and stage packages
         run: mkdir mkosi.packages ; tar -x --zstd -f dl/mangos.packages_*.tar.zst -C mkosi.packages
-      - name: Generate key
+      - name: Generate keys
         run: |
           #!/bin/sh
           mkosi genkey
+          GNUPGHOME=$(pwd)/.gnupg gpg --batch --passphrase '' --quick-generate-key "test key"
       - name: Download Hashistack
         run: |
           ./hashiext-download.sh
       - name: Run mkosi
         env:
-          profiles: ${{ matrix.profiles }}
           MANGOS_GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}
         run: |
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},hashistack"
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},installer"
+          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile=verity-full,docker-ext,hashistack
       - name: List built artifacts
         run: find out/
       - name: Export image version for later steps
@@ -92,7 +86,7 @@ jobs:
           shopt -s nullglob
           for file in out/mangos{,-installer}_${IMAGE_VERSION}.{raw,efi} out/docker*_${IMAGE_VERSION}.raw
           do
-              zstd --rm "$file"
+              test -f "${file}" && zstd --rm "$file"
           done
 #      - name: Sign artifacts
 #        run: for file in out/mangos* ; do cosign sign-blob -d -y --bundle "${file}.sigbundle" "${file}" > /dev/null; done
@@ -118,4 +112,3 @@ jobs:
             out/mangos-installer_${{ env.IMAGE_VERSION }}.github.json
             out/mangos-installer_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos-installer_${{ env.IMAGE_VERSION }}.syft.json
-          name: mangos.${{ matrix.profiles }}
diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,8 @@
 /mkosi.packages
 /gpg
 /*.acast
+/.gnupg
+/dist
 /resources/cni/**
 mkosi.local
 mkosi.local.conf
diff --git a/hashiext-download.sh b/hashiext-download.sh
@@ -27,7 +27,7 @@ download() {
 
     local url="https://releases.hashicorp.com/${name}/${version}/${name}_${version}_linux_amd64.zip"
     local fname="${url##*/}"
-    wget -O "${fname}" "${url}"
+    wget --progress=dot:giga -O "${fname}" "${url}"
 
     sha256sums=https://releases.hashicorp.com/${name}/${version}/${name}_${version}_SHA256SUMS
     sha256sums_sig=https://releases.hashicorp.com/${name}/${version}/${name}_${version}_SHA256SUMS.sig
diff --git a/mkosi.conf b/mkosi.conf
@@ -31,7 +31,7 @@ Incremental=yes
 Environment=MANGOS_GITHUB_URL
 
 [Config]
-Profiles=verity-full,secureboot
+Profiles=verity-full,docker-ext,hashistack,secureboot
 Dependencies=initrd,base
 
 [Include]
diff --git a/mkosi.images/base/mkosi.extra/usr/share/mangos/test.nomad b/mkosi.images/base/mkosi.extra/usr/share/mangos/test.nomad
@@ -34,7 +34,9 @@ job "test" {
         #!/bin/bash
 
         set -e
+        cat /etc/resolv.conf || true
         
+        export CONSUL_HTTP_ADDR=http://127.0.0.1:8500
         consul acl token read -self -format json > consul.json
 
         jq -e '[(.Roles | length)==1, .Roles[0].Name=="nomad-workload"] | all' < consul.json
diff --git a/mkosi.images/base/mkosi.postinst.d/substitute-import-keyring b/mkosi.images/base/mkosi.postinst.d/substitute-import-keyring
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ "${MKOSI_DEBUG:-}" = "1" ]
+then
+    set -x
+fi
+
+keyring="$(mktemp)"
+GNUPGHOME=$(pwd)/.gnupg gpg --export | gpg --no-default-keyring --keyring "${keyring}" --import
+cp "${keyring}" ${BUILDROOT}/usr/lib/systemd/import-pubring.pgp
diff --git a/mkosi.images/consul/mkosi.version b/mkosi.images/consul/mkosi.version
@@ -1 +1 @@
-1.22.1-1
+1.22.2-1
diff --git a/mkosi.images/initrd/mkosi.extra/usr/lib/mangos/mangos-install b/mkosi.images/initrd/mkosi.extra/usr/lib/mangos/mangos-install
@@ -55,7 +55,7 @@ mkdir /boot
 mount /dev/disk/by-partuuid/${boot_uuid@L} /boot
 
 # Apply the partition table to the target device.
-$echo systemd-repart --dry-run=no --empty=force --defer-partitions=swap,tmp,var --root=/ --definitions=/usr/lib/repart.installer.d "${install_target}"
+$echo systemd-repart --dry-run=no --empty=force --defer-partitions=swap,tmp,var --root=/ --definitions=/usr/lib/repart.d "${install_target}"
 
 # It would be neat if we coould use sd-sysypdate for the root partition, too,
 # but if there's not existing root partition on its target device, it bails.
@@ -95,7 +95,7 @@ umount /mnt/etc/kernel/entry-token
 cp /boot/EFI/BOOT/BOOTX64.EFI /mnt/boot/EFI/BOOT/BOOTX64.EFI
 cp /boot/EFI/BOOT/BOOTX64.EFI /mnt/boot/EFI/systemd/systemd-bootx64.efi
 
-if [ ! -f /sys/firmware/efi ]
+if [ ! -e /sys/firmware/efi ]
 then
     ip_arg="$(grep -oE 'ip=[^ ]+' /proc/cmdline)"
     nameserver_arg="$(grep -oE 'nameserver=[^ ]+' /proc/cmdline)"
diff --git a/mkosi.images/nomad/mkosi.version b/mkosi.images/nomad/mkosi.version
@@ -1 +1 @@
-1.11.0-1
+1.11.1-1
diff --git a/mkosi.images/terraform/mkosi.version b/mkosi.images/terraform/mkosi.version
@@ -1 +1 @@
-1.14.1-1
+1.14.3-1
diff --git a/mkosi.images/terraform/share/terraform/consul-service.tf b/mkosi.images/terraform/share/terraform/consul-service.tf
@@ -40,30 +40,30 @@ resource "consul_acl_binding_rule" "consul-job" {
   auth_method = consul_acl_auth_method.nomad-workload.name
   bind_type   = "policy"
   bind_name   = consul_acl_policy.consul-api.name
-#    selector    = "value.nomad_namespace==\"admin\" and value.nomad_task==\"main\""
   selector    = "value.nomad_namespace==\"admin\" and value.nomad_job_id==\"consul\""
 }
 
 resource "consul_acl_policy" "consul-api" {
-  name   = "consul-api"
+  name  = "consul-api"
   rules = <<-EOP
     node_prefix "consul-api-" {
       policy = "write"
     }
     EOP
 }
-resource "consul_config_entry_service_intentions" "test-consul" {
+resource "consul_config_entry_service_intentions" "consul" {
   name = "consul"
 
   sources {
-    name   = "admin--test"
-    type   = "consul"
-    action = "allow"
+    name       = "admin--test"
+    type       = "consul"
+    action     = "allow"
+    precedence = 9
   }
 }
 
 resource "nomad_job" "consul" {
-  jobspec  = file("${path.module}/consul.nomad")
+  jobspec = file("${path.module}/consul.nomad")
   depends_on = [
     nomad_namespace.admin,
     vault_consul_secret_backend_role.consul-api,
diff --git a/mkosi.images/terraform/share/terraform/consul.nomad b/mkosi.images/terraform/share/terraform/consul.nomad
@@ -3,6 +3,7 @@ job "consul" {
 
   group "client" {
     service {
+      tags = ["api"]
       name = "consul"
       port = "http"
       connect {
@@ -15,6 +16,10 @@ job "consul" {
       port "http" {
         static = 8500
       }
+      port "dns" {
+        static       = 8600
+        host_network = "default"
+      }
     }
 
     task "main" {
@@ -29,15 +34,23 @@ job "consul" {
       template {
         data = <<-EOF
         encrypt   = "{{ with secret "secrets/mangos/consul/gossip" }}{{ .Data.encryption_key | trimSpace }}{{ end }}"
-        node_name = "consul-api-{{ env "HOSTNAME" }}"
+        node_name = "consul-api-{{ env "NOMAD_SHORT_ALLOC_ID" }}"
+        addresses {
+          dns = "0.0.0.0"
+        }
         acl {
           enabled = true
           tokens {
-            agent = "{{ env "CONSUL_HTTP_TOKEN"}}"
+            default = "{{ env "CONSUL_HTTP_TOKEN" }}"
+            agent   = "{{ env "CONSUL_HTTP_TOKEN" }}"
           }
         }
+        ui_config {
+          enabled = true
+        }
         EOF
         destination = "${NOMAD_SECRETS_DIR}/consul.hcl"
+        change_mode = "restart"
       }
       driver = "docker"
       config {
diff --git a/mkosi.images/terraform/share/terraform/nomad-cluster.tf b/mkosi.images/terraform/share/terraform/nomad-cluster.tf
@@ -250,9 +250,9 @@ resource "consul_acl_binding_rule" "nomad-workload-nomad-workload" {
 resource "consul_acl_role" "nomad-workload" {
   name = "nomad-workload"
   policies = [
-    consul_acl_policy.nomad-workload.name,
-    consul_acl_policy.global-session.name,
-    consul_acl_policy.all-agent-read.name,
+    consul_acl_policy.nomad-workload.id,
+    consul_acl_policy.global-session.id,
+    consul_acl_policy.all-agent-read.id,
   ]
 }
 
diff --git a/resources/add-sysupdate-artifact b/resources/add-sysupdate-artifact
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+if [ "${MKOSI_DEBUG:-}" = "1" ]
+then
+    set -x
+fi
+
+component="$1"
+version="$2"
+
+shift 2
+
+sysupdate_publish_dir=${SYSUPDATE_DISTDIR:-/var/lib/dist/sysupdate}
+mkdir -p "${sysupdate_publish_dir}/${component}/${version}"
+
+for f in "$@"
+do
+        dpath="${sysupdate_publish_dir}/${component}/${version}/$(basename "${f}")"
+        if test -e "${dpath}"
+        then
+                echo "File already exists: ${dpath}. Skipping."
+                continue
+        fi
+        cp "${f}" "${sysupdate_publish_dir}/${component}/${version}"
+
+        (cd "${sysupdate_publish_dir}/${component}" ; ln -s "${version}/$(basename "${f}")")
+        (cd "${sysupdate_publish_dir}/${component}/${version}" ; sha256sum "$(basename "${f}")" >> SHA256SUMS)
+
+done
+
+cd "${sysupdate_publish_dir}/${component}"
+cat */SHA256SUMS > SHA256SUMS
diff --git a/resources/docker-sysext.transfer b/resources/docker-sysext.transfer
@@ -1,6 +1,6 @@
 [Source]
 Type=url-file
-Path=http://localhost:1002/
+Path=http://mangos.soren.tools/sysupdate/mangos
 MatchPattern=docker_@v.raw \
              docker_@v.raw.gz \
              docker_@v.raw.zst \
diff --git a/resources/mangosctl/mangosctl.sh b/resources/mangosctl/mangosctl.sh
diff --git a/resources/publish-build b/resources/publish-build
diff --git a/resources/repart.d/11-root-verity.conf b/resources/repart.d/11-root-verity.conf
diff --git a/resources/repart.d/12-root.conf b/resources/repart.d/12-root.conf
diff --git a/resources/repart.d/20-root-verity-sig.conf b/resources/repart.d/20-root-verity-sig.conf
diff --git a/resources/repart.d/21-root-verity.conf b/resources/repart.d/21-root-verity.conf
diff --git a/resources/repart.d/22-root.conf b/resources/repart.d/22-root.conf
diff --git a/run_tests.sh b/run_tests.sh
