osbuild: allow for multiple files to be output from a pipeline

In this case we'll just copy out the entire exported tree for
a given pipeline (which we specify as --export=platform). For
individual artifacts we'll just name the file the same name as
the platform and then copy them into the right place in the
calling script.

The benefits of this can be seen immediately because now we don't
have to know about or copy around qemu-secex bootfs_hash and
rootfs_hash inside the supermin VM.

Author: dustymabe

src/cmd-buildextend-metal

@@ -226,12 +226,15 @@ EOF
 # This is OK because we don't checkpoint (cache) any of those stages.
 [ "${platform}" == "qemu" ] && snapshot="off" || snapshot="on"
 runvm_osbuild_config_json="$(generate_runvm_osbuild_config)"
+outdir=$(mktemp -p "${tmp_builddir}" -d)
 runvm_with_cache_snapshot "$snapshot" -- /usr/lib/coreos-assembler/runvm-osbuild                    \
             --config "${runvm_osbuild_config_json}"                                                 \
             --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
-            --filepath "${imgpath}"                                                                 \
+            --outdir "${outdir}"                                                                    \
             --platform "${platform}"
 
+mv "${outdir}/${platform}/${platform}" "${imgpath}"
+
 if [[ "${platform}" == "qemu-secex" ]]; then
     if [ ! -f "${genprotimgvm}" ]; then
         fatal "No genprotimgvm provided at ${genprotimgvm}"
@@ -249,7 +252,9 @@ if [[ "${platform}" == "qemu-secex" ]]; then
     genprotimg_dir=$(mktemp -p "${tmp_builddir}" -d)
     cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${genprotimg_dir}"
     # Extra kargs with dm-verity hashes
-    secex_kargs="ignition.firstboot rootfs.roothash=$(<"${PWD}"/rootfs_hash) bootfs.roothash=$(<"${PWD}"/bootfs_hash)"
+    secex_kargs="ignition.firstboot"
+    secex_kargs+=" rootfs.roothash=$(<"${outdir}/${platform}/rootfs_hash")"
+    secex_kargs+=" bootfs.roothash=$(<"${outdir}/${platform}/bootfs_hash")"
     echo "${secex_kargs}" > "${genprotimg_dir}/parmfile"
     virt-make-fs --format=raw --type=ext4 "${genprotimg_dir}" "${genprotimg_img}"
     rm -rf "${genprotimg_dir}"

src/osbuild-manifests/platform.applehv.ipp.yaml

@@ -65,5 +65,4 @@ pipelines:
         options:
           paths:
             - from: input://tree/disk.img
-              to:
-                mpp-format-string: 'tree:///{filename}'
+              to: tree:///applehv

src/osbuild-manifests/platform.gcp.ipp.yaml

@@ -85,5 +85,4 @@ pipelines:
               name:raw-gcp-image-tar:
                 file: disk.tar
         options:
-          filename:
-            mpp-format-string: '{filename}'
+          filename: gcp

src/osbuild-manifests/platform.hyperv.ipp.yaml

@@ -64,7 +64,6 @@ pipelines:
               name:raw-hyperv-image:
                 file: disk.img
         options:
-          filename:
-            mpp-format-string: '{filename}'
+          filename: hyperv
           format:
             type: vhdx

src/osbuild-manifests/platform.metal.ipp.yaml

@@ -90,8 +90,7 @@ pipelines:
         options:
           paths:
             - from: input://tree/disk.img
-              to:
-                mpp-format-string: 'tree:///{filename}'
+              to: tree:///metal
   - name: raw-metal4k-image
     build:
       mpp-format-string: '{buildroot}'
@@ -184,5 +183,4 @@ pipelines:
         options:
           paths:
             - from: input://tree/disk.img
-              to:
-                mpp-format-string: 'tree:///{filename}'
+              to: tree:///metal4k

src/osbuild-manifests/platform.qemu-secex.ipp.yaml

@@ -288,8 +288,7 @@ pipelines:
               name:raw-qemu-secex-image:
                 file: disk.img
         options:
-          filename:
-            mpp-format-string: '{filename}'
+          filename: qemu-secex
           format:
             type: qcow2
             compression: false

src/osbuild-manifests/platform.qemu.ipp.yaml

@@ -93,8 +93,7 @@ pipelines:
               name:raw-qemu-image:
                 file: disk.img
         options:
-          filename:
-            mpp-format-string: '{filename}'
+          filename: qemu
           format:
             type: qcow2
             compression: false

src/runvm-osbuild

@@ -10,7 +10,7 @@ Options:
     --config: JSON-formatted image.yaml
     --help: show this help
     --mpp: the path to the OSBuild mpp.yaml file
-    --filepath: where to write the created image file
+    --outdir: where to write the created files
     --platform: the platform to generate an artifact for
 
 You probably don't want to run this script by hand. This script is
@@ -39,15 +39,12 @@ do
         --config)                  config="${1}"; shift;;
         --help)                    usage; exit;;
         --mpp)                     mppyaml="${1}"; shift;;
-        --filepath)                filepath="${1}"; shift;;
+        --outdir)                  outdir="${1}"; shift;;
         --platform)                platform="${1}"; shift;;
          *) echo "${flag} is not understood."; usage; exit 10;;
      esac;
 done
 
-# Get the base filename of the desired file output path
-filename=$(basename "$filepath")
-
 ostree_container=$(getconfig "ostree-container")
 osname=$(getconfig "osname")
 deploy_via_container=$(getconfig_def "deploy-via-container" "")
@@ -70,12 +67,20 @@ fi
 # Since it doesn't exist create loop-control
 [ ! -e /dev/loop-control ] && mknod /dev/loop-control c 10 237
 
-# Put the store and the output dir on the cache. At the end we'll mv
-# out the created artifact from the output dir to the place it's supposed
-# to go.
-outdir=cache/osbuild/out
+# Put the store on the cache filesystem since in the case we are
+# running unprivileged in COSA we won't be able to create files
+# with SELinux labels that the host's policy doesn't know about.
 storedir=cache/osbuild/store
 
+# Musical chairs for now with the outdir because osbuild does
+# cp -a and that will fail to preserve ownership when copying
+# from the cache qcow2 (where files are owned by root) to the
+# virtiofs mount. Eventually we can use idmapped virtiofs mount
+# inside the supermin VM and we won't need this.
+# https://gitlab.com/virtio-fs/virtiofsd/-/merge_requests/245
+orig_outdir=$outdir
+outdir=cache/osbuild/out
+
 processed_json=$(mktemp -t osbuild-XXXX.json)
 
 # Run `podman images` here to initialize a few directories inside the
@@ -90,7 +95,6 @@ osbuild-mpp                                             \
     -D arch=\""$(arch)"\"                               \
     -D ostree_ref=\""${ostree_ref}"\"                   \
     -D ostree_repo=\""${ostree_repo}"\"                 \
-    -D filename=\""${filename}"\"                       \
     -D ociarchive=\""${ostree_container}"\"             \
     -D osname=\""${osname}"\"                           \
     -D container_imgref=\""${container_imgref}"\"       \
@@ -112,16 +116,5 @@ osbuild \
     --checkpoint raw-image       \
     --export "$platform" "${processed_json}"
 
-
-# Copy it out to the specified location. Use mv here so we remove it
-# from the cache qcow2 so we don't cache it.
-mv "${outdir}/${platform}/${filename}" "${filepath}"
-
-# In case of IBM Secure Execution there are more artifacts
-if [ "${platform}" == 'qemu-secex' ]; then
-    dir=$(dirname "${filepath}")
-    mv "${outdir}/${platform}/bootfs_hash" "${dir}"
-    mv "${outdir}/${platform}/rootfs_hash" "${dir}"
-fi
-
+mv "${outdir}"/* "${orig_outdir}/"
 rm -f "${processed_json}"