cmd-osbuild: add foundation for what will be cosa osbuild

This is a direct copy of cmd-buildextend-metal for now. Will update
it to be functional in the next commit.

Author: dustymabe

cmd/coreos-assembler.go

@@ -12,7 +12,7 @@ import (
 )
 
 // commands we'd expect to use in the local dev path
-var buildCommands = []string{"init", "fetch", "build", "run", "prune", "clean", "list"}
+var buildCommands = []string{"init", "fetch", "build", "osbuild", "run", "prune", "clean", "list"}
 var advancedBuildCommands = []string{"buildfetch", "buildupload", "oc-adm-release", "push-container"}
 var buildextendCommands = []string{"aliyun", "applehv", "aws", "azure", "digitalocean", "exoscale", "extensions-container", "gcp", "hyperv", "ibmcloud", "kubevirt", "live", "metal", "metal4k", "nutanix", "openstack", "qemu", "secex", "virtualbox", "vmware", "vultr"}
 

src/cmd-osbuild

@@ -0,0 +1,336 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+dn=$(dirname "$0")
+# shellcheck source=src/cmdlib.sh
+. "${dn}"/cmdlib.sh
+
+
+print_help() {
+    cat 1>&2 <<EOF
+Usage: coreos-assembler buildextend-${platform} --help
+       coreos-assembler buildextend-${platform} [--build ID]
+
+  Build a bare metal image.
+EOF
+}
+
+
+# Parse the passed config JSON and extract a mandatory value
+getconfig() {
+    k=$1
+    config=$2
+    jq -re .\""$k"\" < "${config}"
+}
+# Return a configuration value, or default if not set
+getconfig_def() {
+    k=$1
+    shift
+    default=$1
+    config=$2
+    jq -re .\""$k"\"//\""${default}"\" < "${config}"
+}
+
+# Store information about the artifact into meta.json and also
+# "finalize" it, copying it into the builddir.
+postprocess_artifact() {
+    local artifact_name=$1
+    local local_filepath=$2
+    local target_filename=$3
+    local skip_compress=$4
+    if [[ ! "${skip_compress}" =~ ^(True|False)$ ]]; then
+        fatal "Must specify 'True' or 'False' for skip_compress. Provided: '${skip_compress}'"
+    fi
+    cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "
+import sys, json
+j = json.load(sys.stdin)
+j['images']['${artifact_name}'] = {
+    'path': '${target_filename}',
+    'sha256': '$(sha256sum_str < "${local_filepath}")',
+    'size': $(stat -c '%s' "${local_filepath}")
+}
+if ${skip_compress}:
+    j['images']['${artifact_name}']['skip-compression'] = True
+json.dump(j, sys.stdout, indent=4)
+" > meta.json.new
+    cosa meta --workdir "${workdir}" --build "${build}" --artifact-json meta.json.new
+    /usr/lib/coreos-assembler/finalize-artifact "${local_filepath}" "${builddir}/${target_filename}"
+    echo "Successfully generated: ${target_filename}"
+}
+
+# For qemu-secex we need to do a few extra things like spin up a
+# VM to run genprotimg and save off the pubkey for Ignition.
+postprocess_qemu_secex() {
+   if [ ! -f "${genprotimgvm}" ]; then
+    fatal "No genprotimgvm provided at ${genprotimgvm}"
+   fi
+
+   # Basic qemu args:
+   qemu_args=(); blk_size="512"
+   [[ $platform == metal4k ]] && blk_size="4096"
+   qemu_args+=("-drive" "if=none,id=target,format=qcow,file=${imgpath},cache=unsafe" \
+    "-device" "virtio-blk,serial=target,drive=target,physical_block_size=${blk_size},logical_block_size=${blk_size}")
+
+   # SecureVM (holding Universal Key for all IBM Z Mainframes) requires scripts to execute genprotimg
+   se_script_dir="/usr/lib/coreos-assembler/secex-genprotimgvm-scripts"
+   genprotimg_img="${PWD}/secex-genprotimg.img"
+   genprotimg_dir=$(mktemp -p "${tmp_builddir}" -d)
+   cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${genprotimg_dir}"
+   # Extra kargs with dm-verity hashes
+   secex_kargs="ignition.firstboot"
+   secex_kargs+=" rootfs.roothash=$(<"${outdir}/${platform}/rootfs_hash")"
+   secex_kargs+=" bootfs.roothash=$(<"${outdir}/${platform}/bootfs_hash")"
+   echo "${secex_kargs}" > "${genprotimg_dir}/parmfile"
+   virt-make-fs --format=raw --type=ext4 "${genprotimg_dir}" "${genprotimg_img}"
+   rm -rf "${genprotimg_dir}"
+   qemu_args+=("-drive" "if=none,id=genprotimg,format=raw,file=${genprotimg_img}" \
+            "-device" "virtio-blk,serial=genprotimg,drive=genprotimg")
+
+   # GPG keys used for protecting Ignition config
+   tmp_gpg_home=$(mktemp -p "${tmp_builddir}" -d)
+   ignition_pubkey=$(mktemp -p "${tmp_builddir}")
+   ignition_prikey=$(mktemp -p "${tmp_builddir}")
+   gpg --homedir "${tmp_gpg_home}" --batch --passphrase '' --yes --quick-gen-key "Secure Execution (secex) ${build}" rsa4096 encr none
+   gpg --homedir "${tmp_gpg_home}" --armor --export secex > "${ignition_pubkey}"
+   gpg --homedir "${tmp_gpg_home}" --armor --export-secret-key secex > "${ignition_prikey}"
+   exec 9<"${ignition_prikey}"
+   rm -rf "${tmp_gpg_home}" "${ignition_prikey}"
+   qemu_args+=("-add-fd" "fd=9,set=3" "-drive" "if=none,id=gpgkey,format=raw,file=/dev/fdset/3,readonly=on" \
+    "-device" "virtio-blk,serial=gpgkey,drive=gpgkey")
+
+   /usr/lib/coreos-assembler/secex-genprotimgvm-scripts/runvm.sh \
+    --genprotimgvm "${genprotimgvm}" -- "${qemu_args[@]}"
+   rm -f "${genprotimg_img}"
+   exec 9>&-
+
+   # Now store the generated ${ignition_pubkey} in the builddir and meta.json
+   gpg_key_filename="${name}-${build}-ignition-secex-key.gpg.pub"
+   postprocess_artifact "ignition-gpg-key" "${ignition_pubkey}" "${gpg_key_filename}" 'True'
+}
+
+# Here we generate the input JSON we pass to runvm_osbuild for all of our image builds
+generate_runvm_osbuild_config() {
+    runvm_osbuild_config_json="${workdir}/tmp/runvm-osbuild-config-${build}.json"
+    echo "${runvm_osbuild_config_json}" # Let the caller know where the config will be
+    if [ -f "${runvm_osbuild_config_json}" ]; then
+       return # only need to generate this once per build
+    fi
+    rm -f "${workdir}"/tmp/runvm-osbuild-config-*.json # clean up any previous configs
+
+    # reread these values from the build itself rather than rely on the ones loaded
+    # by prepare_build since the config might've changed since then
+    ostree_commit=$(meta_key ostree-commit)
+    ostree_ref=$(meta_key ref)
+    if [ "${ostree_ref}" = "None" ]; then
+        ostree_ref=""
+    fi
+
+    ostree_repo=${tmprepo}
+    # Ensure that we have the cached unpacked commit
+    import_ostree_commit_for_build "${build}"
+    # Note this overwrote the bits generated in prepare_build
+    # for image_json.  In the future we expect to split prepare_build
+    # into prepare_ostree_build and prepare_diskimage_build; the
+    # latter path would only run this.
+    image_json=${workdir}/tmp/image.json
+
+    # Grab a few values from $image_json
+    deploy_via_container=$(getconfig_def "deploy-via-container" "" "${image_json}")
+    extra_kargs="$(python3 -c 'import sys, json; args = json.load(sys.stdin)["extra-kargs"]; print(" ".join(args))' < "${image_json}")"
+
+    # OStree container ociarchive file path
+    ostree_container="${builddir}/$(meta_key images.ostree.path)"
+    # If no container_imgref was set let's just set it to some professional
+    # looking default. The name of the ociarchive file should suffice.
+    container_imgref_default="ostree-image-signed:oci-archive:/$(basename "${ostree_container}")"
+    container_imgref=$(getconfig_def "container_imgref" "${container_imgref_default}" "${image_json}")
+
+    echo "Estimating disk size..." >&2
+    # The additional 35% here is obviously a hack, but we can't easily completely fill the filesystem,
+    # and doing so has apparently negative performance implications.
+    ostree_size_json="$(/usr/lib/coreos-assembler/estimate-commit-disk-size --repo "$ostree_repo" "$ostree_commit" --add-percent 35)"
+    rootfs_size_mb="$(jq '."estimate-mb".final' <<< "${ostree_size_json}")"
+    # The minimum size of a disk image we'll need will be the rootfs_size
+    # estimate plus the size of the non-root partitions. We'll use this
+    # size for the metal images, but for the IaaS/virt image we'll use
+    # the size set in the configs since some of them have minimum sizes that
+    # the platforms require and we want a "default" disk size that has some
+    # free space.
+    nonroot_partition_sizes=513
+    # On s390x there is one more build - Secure Execution case, which has
+    # different image layout. We add the sizes of the se and verity
+    # partitions so that they don't "eat into" the 35% buffer (though note
+    # this is all blown away on first boot anyway). For 's390x.mpp.yaml'
+    # simplicity all s390x images have same size (of secex image).
+    if [[ $basearch == "s390x" ]]; then
+        nonroot_partition_sizes=$((nonroot_partition_sizes + 200 + 128 + 256 + 1))
+    fi
+    metal_image_size_mb="$(( rootfs_size_mb + nonroot_partition_sizes ))"
+    cloud_image_size_mb="$(jq -r ".size*1024" < "${image_json}")"
+    echo "Disk sizes: metal: ${metal_image_size_mb}M (estimated), cloud: ${cloud_image_size_mb}M" >&2
+
+    # Generate the JSON describing the disk we want to build
+    yaml2json /dev/stdin "${runvm_osbuild_config_json}" <<EOF
+container-imgref: "${container_imgref}"
+deploy-via-container: "${deploy_via_container}"
+osname: "${name}"
+ostree-container: "${ostree_container}"
+ostree-ref: "${ref}"
+extra-kargs-string: "${extra_kargs}"
+ostree-repo: "${ostree_repo}"
+metal-image-size: "${metal_image_size_mb}"
+cloud-image-size: "${cloud_image_size_mb}"
+# Note: this is only used in the secex case; there, the rootfs is
+# not the last partition on the disk so we need to explicitly size it
+rootfs-size: "${rootfs_size_mb}"
+EOF
+}
+
+
+main() {
+    # Set Some Defaults
+    genprotimgvm=/data.secex/genprotimgvm.qcow2
+    build=
+    force=
+
+    # This script is used for creating several artifacts. For example,
+    # `cmd-buildextend-qemu` is a symlink to `cmd-buildextend-metal`.
+    case "$(basename "$0")" in
+        "cmd-buildextend-metal") platform=metal;;
+        "cmd-buildextend-metal4k") platform=metal4k;;
+        "cmd-buildextend-qemu") platform=qemu;;
+        "cmd-buildextend-qemu-secex") platform=qemu-secex;;
+        "cmd-buildextend-secex") platform=qemu-secex;;
+        *) fatal "called as unexpected name $0";;
+    esac
+
+    options=$(getopt --options h --longoptions help,force,build:,genprotimgvm: -- "$@") || {
+        print_help
+        exit 1
+    }
+    eval set -- "$options"
+    while true; do
+        case "$1" in
+            -h | --help)
+                print_help
+                exit 0
+                ;;
+            --force)
+                force=1
+                ;;
+            --build)
+                build=$2
+                shift
+                ;;
+            --genprotimgvm)
+                genprotimgvm="$2"
+                shift
+                ;;
+            --)
+                shift
+                break
+                ;;
+            -*)
+                fatal "$0: unrecognized option: $1"
+                ;;
+            *)
+                break
+                ;;
+        esac
+        shift
+    done
+
+    if [ $# -ne 0 ]; then
+        print_help
+        fatal "Too many arguments passed"
+    fi
+
+    case "$basearch" in
+        "x86_64"|"aarch64"|"s390x"|"ppc64le") ;;
+        *) fatal "$basearch is not supported for this command" ;;
+    esac
+
+    # shellcheck disable=SC2031
+    export LIBGUESTFS_BACKEND=direct
+    export IMAGE_TYPE="${platform}"
+    prepare_build
+
+    if [ -z "${build}" ]; then
+        build=$(get_latest_build)
+        if [ -z "${build}" ]; then
+            fatal "No build found."
+        fi
+    fi
+
+    builddir=$(get_build_dir "$build")
+    if [ ! -d "${builddir}" ]; then
+        fatal "Build dir ${builddir} does not exist."
+    fi
+
+    # add building sempahore
+    build_semaphore="${builddir}/.${platform}.building"
+    if [ -e "${build_semaphore}" ]; then
+        fatal "${build_semaphore} found: another process is building ${platform}"
+    fi
+    touch "${build_semaphore}"
+    trap 'rm -f ${build_semaphore}' EXIT
+
+    # check if the image already exists in the meta.json
+    if [ -z "${force}" ]; then
+        meta_img=$(meta_key "images.${platform}.path")
+        if [ "${meta_img}" != "None" ]; then
+            echo "${platform} image already exists:"
+            echo "$meta_img"
+            exit 0
+        fi
+    fi
+
+    # reread these values from the build itself rather than rely on the ones loaded
+    # by prepare_build since the config might've changed since then
+    name=$(meta_key name)
+
+    image_format=raw
+    if [[ "${platform}" == "qemu" || "${platform}" == "qemu-secex" ]]; then
+        image_format=qcow2
+    fi
+
+    imgname=${name}-${build}-${platform}.${basearch}.${image_format}
+    imgpath=${PWD}/${imgname}
+
+    # In the jenkins pipelines we build the qemu image first and that operation
+    # will do a lot of the same work required for later artifacts (metal, metal4k, etc)
+    # so we want the cached output from that run to persist. The later artifacts get
+    # built in parallel, so we need to be able to access the cache by multiple processes,
+    # so for those we'll set `snapshot=on` so that each will get their own disk image.
+    # This is OK because we don't checkpoint (cache) any of those stages.
+    [ "${platform}" == "qemu" ] && snapshot="off" || snapshot="on"
+    runvm_osbuild_config_json="$(generate_runvm_osbuild_config)"
+    outdir=$(mktemp -p "${tmp_builddir}" -d)
+    runvm_with_cache_snapshot "$snapshot" -- /usr/lib/coreos-assembler/runvm-osbuild                    \
+                --config "${runvm_osbuild_config_json}"                                                 \
+                --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
+                --outdir "${outdir}"                                                                    \
+                --platform "${platform}"
+
+    mv "${outdir}/${platform}/${platform}" "${imgpath}"
+
+    case "$platform" in
+        qemu-secex)
+            # Massage the generated artifact through an extra VM for secex. This
+            # will also create an Ignition pubkey and store it in the meta.json
+            # and builddir.
+            postprocess_qemu_secex
+            # Also need to update the meta.json and builddir with the main artifact.
+            postprocess_artifact "${platform}" "${imgpath}" "${imgname}" 'False'
+            ;;
+        *)
+            # Update the meta.json and builddir with the generated artifact.
+            postprocess_artifact "${platform}" "${imgpath}" "${imgname}" 'False'
+            ;;
+    esac
+
+    # clean up the tmpbuild
+    rm -rf "${tmp_builddir}"
+}
+
+main "$@"