examples: add test.thing workarounds

We want to start running images with test.thing, so add the workarounds
for improved ssh-vsock support.  These are no longer necessary in arch
and fedora-rawhide.

Unfortunately we can't put these in common/ because it's outside of the
build context.  Using an extra build context also seems not to work
because symlinks aren't copied properly unless it's from the primary
context.

Make a small fix to a comment in examples/uki/Containerfile that should
have been cleaned up as part of a4cbd3e ("Update approach to
handling boot resources").

Signed-off-by: Allison Karlitskaya <[email protected]>

Author: allisonkarlitskaya

examples/bls/Containerfile

@@ -17,6 +17,7 @@ EOF
 
 COPY cfsctl /usr/bin
 COPY extra /
+COPY test-thing.workarounds/fedora-42 /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     kernel-install add-all
     systemctl enable systemd-networkd

examples/bls/Containerfile.rhel9

@@ -19,6 +19,7 @@ EOF
 
 COPY cfsctl /usr/bin
 COPY extra /
+COPY test-thing.workarounds/rhel9 /
 RUN <<EOF
     set -eux
     mkdir -p /etc/kernel

examples/bls/Containerfile.ubuntu

@@ -35,4 +35,5 @@ RUN <<EOF
     passwd -d root
     mkdir /sysroot
 EOF
+COPY test-thing.workarounds/debian /
 COPY cfsctl /usr/bin

examples/bls/test-thing.workarounds/README.md

@@ -0,0 +1,18 @@
+# Guest support workarounds
+
+These are extra files that you can add to virtual machine guests to enable
+support for missing features required by `test.thing`:
+
+ - [debian/](debian/): enables ephemeral ssh key support
+ - [fedora-42/](fedora-42/): enables ephemeral ssh key support ([this is
+   supported without a workaround in Fedora 43 and
+   later](https://src.fedoraproject.org/rpms/openssh/pull-request/101))
+ - [rhel9/](rhel9/): enables sshd vsock listener (with ephemeral ssh key
+   support) and sends the expected `sd_notify` message when the guest reaches
+   `multi-user.target`
+
+`test.thing` can also work with guests lacking support for ephemeral ssh keys
+by including a fixed ssh key in the image, or by using the
+`ssh.authorized_keys.root` credential (since systemd 252), but this requires
+modifying root's home directory at runtime and only works if another ssh key
+isn't already present, so it isn't enabled by default.

examples/bls/test-thing.workarounds/debian/etc/default/ssh

@@ -0,0 +1,2 @@
+# Debian
+SSHD_OPTS=-o "AuthorizedKeysFile /run/credentials/@system/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"

examples/bls/test-thing.workarounds/fedora-42/etc/sysconfig/sshd

@@ -0,0 +1,3 @@
+# Needed for Fedora 42
+# https://src.fedoraproject.org/rpms/openssh/pull-request/101
+OPTIONS=-o "AuthorizedKeysFile /run/credentials/@system/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"

examples/bls/test-thing.workarounds/rhel9/etc/notify-multiuser.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+
+"""Notify that the system has reached multi-user.target."""
+
+import os
+import socket
+from pathlib import Path
+
+credentials = Path(os.environ["CREDENTIALS_DIRECTORY"])
+notify_socket = (credentials / "vmm.notify_socket").read_text()
+af, cid, port = notify_socket.split(":")
+assert af == "vsock"
+sock = socket.socket(socket.AF_VSOCK, socket.SOCK_SEQPACKET)
+sock.connect((int(cid), int(port)))
+sock.sendmsg([b"X_SYSTEMD_UNIT_ACTIVE=multi-user.target\n"])

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/multi-user.target.wants/notify-multiuser.service

@@ -0,0 +1 @@
+../notify-multiuser.service

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/notify-multiuser.service

@@ -0,0 +1,9 @@
+[Unit]
+After=multi-user.target
+Wants=multi-user.target
+
+[Service]
+LoadCredential=vmm.notify_socket
+ExecStart=/etc/notify-multiuser.py
+Type=exec
+RemainAfterExit=yes

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/sockets.target.wants/sshd-vsock.socket

@@ -0,0 +1 @@
+../sshd-vsock.socket