Merge pull request #52 from rancher-sandbox/alpine

Add support for Alpine guest OS

Author: AkihiroSuda

.github/workflows/test.yml

@@ -52,7 +52,7 @@ jobs:
     timeout-minutes: 40
     strategy:
       matrix:
-        example: [examples/default.yaml, examples/debian.yaml, examples/fedora.yaml]
+        example: [default.yaml, alpine.yaml, debian.yaml, fedora.yaml]
     steps:
       - uses: actions/setup-go@v2
         with:
@@ -81,11 +81,11 @@ jobs:
         uses: actions/cache@v2
         with:
           path: ~/Library/Caches/lima/download
-          key: ${{ runner.os }}-${{ matrix.example }}
+          key: ${{ runner.os }}-examples/${{ matrix.example }}
       - name: Test
         env:
           EXAMPLE: ${{ matrix.example }}
-        run: ./hack/test-example.sh $EXAMPLE
+        run: ./hack/test-example.sh examples/$EXAMPLE
 
   artifacts:
     name: Artifacts

examples/alpine.yaml

@@ -0,0 +1,21 @@
+images:
+- location: https://github.com/rancher-sandbox/alpine-lima/releases/download/v0.0.1/alpine-lima-ci-3.13.5-x86_64.iso
+  arch: "x86_64"
+
+mounts:
+- location: "~"
+  writable: false
+- location: "/tmp/lima"
+  writable: true
+
+ssh:
+  # localPort is changed from 60022 to avoid conflicting with the default.
+  # (TODO: assign localPort automatically)
+  localPort: 60020
+
+firmware:
+  legacyBIOS: true
+
+containerd:
+  system: false
+  user: false

hack/test-example.sh

@@ -32,6 +32,11 @@ limactl validate "$FILE"
 declare -A CHECKS=(["systemd"]="1" ["systemd-strict"]="1" ["mount-home"]="1" ["containerd-user"]="1")
 
 case "$NAME" in
+"alpine")
+	WARNING "Alpine does not support systemd"
+	CHECKS["systemd"]=
+	CHECKS["containerd-user"]=
+	;;
 "k3s")
 	ERROR "File \"$FILE\" is not testable with this script"
 	exit 1

pkg/cidata/user-data.TEMPLATE

@@ -18,11 +18,142 @@ users:
     {{- end}}
 
 write_files:
+ - content: |
+      #!/bin/sh
+      # This script pretends that /bin/ash can be used as /bin/bash, so all following
+      # cloud-init scripts can use `#!/bin/bash` and `set -o pipefail`.
+      test -f /etc/alpine-release || exit 0
+
+      # Redirect bash to ash (built with CONFIG_ASH_BASH_COMPAT) and hope for the best :)
+      # It does support `set -o pipefail`, but not `[[`.
+      # /bin/bash can't be a symlink because /bin/ash is a symlink to /bin/busybox
+      cat >/bin/bash <<'EOF'
+      #!/bin/sh
+      exec /bin/ash "$@"
+      EOF
+      chmod +x /bin/bash
+   owner: root:root
+   path: /var/lib/cloud/scripts/per-boot/00-alpine-ash-as-bash.boot.sh
+   permissions: '0755'
  - content: |
       #!/bin/bash
       set -eux -o pipefail
 
-      {{- if .Containerd.User}}
+      # Restrict the rest of this script to Alpine until it has been tested with other distros
+      test -f /etc/alpine-release || exit 0
+
+      # Data directories that should be persisted across reboots
+      DATADIRS="/home /usr/local /etc/containerd /var/lib/containerd"
+
+      # When running from RAM try to move persistent data to data-volume
+      # FIXME: the test for tmpfs mounts is probably Alpine-specific
+      if [ "$(awk '$2 == "/" {print $3}' /proc/mounts)" == "tmpfs" ]; then
+        mkdir -p /mnt/data
+        if [ -e /dev/disk/by-label/data-volume ]; then
+          mount -t ext4 /dev/disk/by-label/data-volume /mnt/data
+        else
+          # Find an unpartitioned disk and create data-volume
+          DISKS=$(lsblk --list --noheadings --output name,type | awk '$2 == "disk" {print $1}')
+          for DISK in ${DISKS}; do
+            IN_USE=false
+            # Looking for a disk that is not mounted or partitioned
+            for PART in $(awk '/^\/dev\// {gsub("/dev/", ""); print $1}' /proc/mounts); do
+              if [ "${DISK}" == "${PART}" -o -e /sys/block/${DISK}/${PART} ]; then
+                IN_USE=true
+                break
+              fi
+            done
+            if [ "${IN_USE}" == "false" ]; then
+              echo 'type=83' | sfdisk --label dos /dev/${DISK}
+              PART=$(lsblk --list /dev/${DISK} --noheadings --output name,type | awk '$2 == "part" {print $1}')
+              mkfs.ext4 -L data-volume /dev/${PART}
+              mount -t ext4 /dev/disk/by-label/data-volume /mnt/data
+              for DIR in ${DATADIRS}; do
+                DEST="/mnt/data$(dirname ${DIR})"
+                mkdir -p ${DIR} ${DEST}
+                mv ${DIR} ${DEST}
+              done
+              break
+            fi
+          done
+        fi
+        for DIR in ${DATADIRS}; do
+          if [ -d /mnt/data${DIR} ]; then
+            [ -e ${DIR} ] && rm -rf ${DIR}
+            ln -s /mnt/data${DIR} ${DIR}
+          fi
+        done
+      fi
+   owner: root:root
+   path: /var/lib/cloud/scripts/per-boot/05-persistent-data-volume.boot.sh
+   permissions: '0755'
+ - content: |
+      #!/sbin/openrc-run
+      supervisor=supervise-daemon
+
+      name="lima-guestagent"
+      description="Forward ports to the lima-hostagent"
+
+      export XDG_RUNTIME_DIR="/run/user/{{.UID}}"
+      command=/usr/local/bin/lima-guestagent
+      command_args="daemon"
+      command_background=true
+      command_user="{{.User}}:{{.User}}"
+      pidfile="${XDG_RUNTIME_DIR}/lima-guestagent.pid"
+   owner: root:root
+   path: /var/lib/lima-guestagent/lima-guestagent.openrc
+   permissions: '0755'
+ - content: |
+      #!/bin/bash
+      set -eux -o pipefail
+
+      # This script prepares Alpine for lima; there is nothing in here for other distros
+      test -f /etc/alpine-release || exit 0
+
+      # Configure apk repos
+      BRANCH=edge
+      VERSION_ID=$(awk -F= '$1=="VERSION_ID" {print $2}' /etc/os-release)
+      case ${VERSION_ID} in
+      *_alpha*|*_beta*) BRANCH=edge;;
+      *.*.*) BRANCH=v${VERSION_ID%.*};;
+      esac
+
+      for REPO in main community; do
+        URL="https://dl-cdn.alpinelinux.org/alpine/${BRANCH}/${REPO}"
+        if ! grep -q "^${URL}$" /etc/apk/repositories; then
+          echo "${URL}" >> /etc/apk/repositories
+        fi
+      done
+
+      # Alpine doesn't use PAM so we need to explicitly allow public key auth
+      usermod -p '*' ""{{.User}}""
+
+      # Alpine disables TCP forwarding, which is needed by the lima-guestagent
+      sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/g' /etc/ssh/sshd_config
+      rc-service sshd reload
+
+      # Create directory for the lima-guestagent socket (normally done by systemd)
+      mkdir -p /run/user/{{.UID}}
+      chown "{{.User}}" /run/user/{{.UID}}
+      chmod 700 /run/user/{{.UID}}
+
+      # Install the openrc lima-guestagent service script
+      mv /var/lib/lima-guestagent/lima-guestagent.openrc /etc/init.d/lima-guestagent
+
+      # `limactl stop` tells acpid to powerdown
+      rc-update add acpid
+      rc-service acpid start
+   owner: root:root
+   path: /var/lib/cloud/scripts/per-boot/10-alpine-prep.boot.sh
+   permissions: '0755'
+ {{- if .Containerd.User}}
+ - content: |
+      #!/bin/bash
+      set -eux -o pipefail
+
+      # This script does not work unless systemd is available
+      command -v systemctl 2>&1 >/dev/null || exit 0
+
       # Set up env
       for f in .profile .bashrc; do
         if ! grep -q "# Lima BEGIN" "/home/{{.User}}.linux/$f"; then
@@ -66,7 +197,14 @@ write_files:
 
       # Start systemd session
       loginctl enable-linger "{{.User}}"
-      {{- end}}
+   owner: root:root
+   # We do not use per-once.
+   path: /var/lib/cloud/scripts/per-boot/20-rootless-base.boot.sh
+   permissions: '0755'
+ {{- end}}
+ - content: |
+      #!/bin/bash
+      set -eux -o pipefail
 
       # Create mount points
       {{- range $val := .Mounts}}
@@ -81,16 +219,22 @@ write_files:
       umount /mnt/lima-cidata
 
       # Launch the guestagent service
-      until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
-      sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" lima-guestagent install-systemd
+      if [ -f /etc/alpine-release ]; then
+        rc-update add lima-guestagent default
+        rc-service lima-guestagent start
+      else
+        until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
+        sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" lima-guestagent install-systemd
+      fi
    owner: root:root
    # We do not use per-once.
-   path: /var/lib/cloud/scripts/per-boot/00-base.boot.sh
+   path: /var/lib/cloud/scripts/per-boot/25-guestagent-base.boot.sh
    permissions: '0755'
  {{- if or .Mounts .Containerd.System .Containerd.User }}
  - content: |
       #!/bin/bash
       set -eux -o pipefail
+
       # Install minimum dependencies
       if command -v apt-get 2>&1 >/dev/null; then
         export DEBIAN_FRONTEND=noninteractive
@@ -119,6 +263,15 @@ write_files:
           ln -s fusermount3 /usr/bin/fusermount
         fi
         {{- end}}
+      elif command -v apk 2>&1 >/dev/null; then
+        : {{/* make sure the "elif" block is never empty */}}
+        {{- if .Mounts}}
+        if ! command -v sshfs 2>&1 >/dev/null; then
+          apk update
+          apk add sshfs
+        fi
+        modprobe fuse
+        {{- end}}
       fi
       # Modify /etc/fuse.conf to allow "-o allow_root"
       {{- if .Mounts }}
@@ -127,13 +280,17 @@ write_files:
       fi
       {{- end}}
    owner: root:root
-   path: /var/lib/cloud/scripts/per-boot/10-install-packages.boot.sh
+   path: /var/lib/cloud/scripts/per-boot/30-install-packages.boot.sh
    permissions: '0755'
 {{- end}}
 {{- if or .Containerd.System .Containerd.User}}
  - content: |
       #!/bin/bash
       set -eux -o pipefail
+
+      # This script does not work unless systemd is available
+      command -v systemctl 2>&1 >/dev/null || exit 0
+
       if [ ! -x /usr/local/bin/nerdctl ]; then
         mkdir -p -m 600 /mnt/lima-cidata
         mount -t iso9660 -o ro /dev/disk/by-label/cidata /mnt/lima-cidata
@@ -191,7 +348,7 @@ write_files:
       fi
       {{- end}}
    owner: root:root
-   path: /var/lib/cloud/scripts/per-boot/20-install-containerd.boot.sh
+   path: /var/lib/cloud/scripts/per-boot/40-install-containerd.boot.sh
    permissions: '0755'
 {{- end}}
 {{- if .Provision}}
@@ -208,7 +365,7 @@ write_files:
       {{- end}}
       {{- end}}
    owner: root:root
-   path: /var/lib/cloud/scripts/per-boot/30-execute-provision-scripts.boot.sh
+   path: /var/lib/cloud/scripts/per-boot/50-execute-provision-scripts.boot.sh
    permissions: '0755'
 {{- end}}
 {{- range $i, $val := .Provision}}

pkg/hostagent/requirements.go

@@ -26,6 +26,12 @@ func (a *HostAgent) waitForRequirements(ctx context.Context, label string, requi
 				a.l.Infof("The %s requirement %d of %d is satisfied", label, i+1, len(requirements))
 				break retryLoop
 			}
+			if req.fatal {
+				a.l.Infof("No further %s requirements will be checked", label)
+				return multierror.Append(mErr,
+					errors.Wrapf(err, "failed to satisfy the %s requirement %d of %d %q: %s; skipping further checks",
+						label, i+1, len(requirements), req.description, req.debugHint))
+			}
 			if j == retries-1 {
 				mErr = multierror.Append(mErr,
 					errors.Wrapf(err, "failed to satisfy the %s requirement %d of %d %q: %s",
@@ -52,6 +58,7 @@ type requirement struct {
 	description string
 	script      string
 	debugHint   string
+	fatal       bool
 }
 
 func (a *HostAgent) essentialRequirements() []requirement {
@@ -100,7 +107,7 @@ fi
 		script: `#!/bin/bash
 set -eux -o pipefail
 sock="/run/user/$(id -u)/lima-guestagent.sock"
-if ! timeout 30s bash -c "until [[ -S \"${sock}\" ]]; do sleep 3; done"; then
+if ! timeout 30s bash -c "until [ -S \"${sock}\" ]; do sleep 3; done"; then
 	echo >&2 "lima-guestagent is not installed yet"
 	exit 1
 fi
@@ -117,20 +124,37 @@ A possible workaround is to run "lima-guestagent install-systemd" in the guest.
 func (a *HostAgent) optionalRequirements() []requirement {
 	req := make([]requirement, 0)
 	if *a.y.Containerd.System || *a.y.Containerd.User {
-		req = append(req, requirement{
-			description: "containerd binaries to be installed",
-			script: `#!/bin/bash
+		req = append(req,
+			requirement{
+				description: "systemd must be available",
+				fatal:       true,
+				script: `#!/bin/bash
+set -eux -o pipefail
+if ! command -v systemctl 2>&1 >/dev/null; then
+    echo >&2 "systemd is not available on this OS"
+    exit 1
+fi
+`,
+				debugHint: `systemd is required to run containerd, but does not seem to be available.
+Make sure that you use an image that supports systemd. If you do not want to run
+containerd, please make sure that both 'container.system' and 'containerd.user'
+are set to 'false' in the config file.
+`,
+			},
+			requirement{
+				description: "containerd binaries to be installed",
+				script: `#!/bin/bash
 set -eux -o pipefail
 if ! timeout 30s bash -c "until command -v nerdctl; do sleep 3; done"; then
 	echo >&2 "nerdctl is not installed yet"
 	exit 1
 fi
 `,
-			debugHint: `The nerdctl binary was not installed in the guest.
+				debugHint: `The nerdctl binary was not installed in the guest.
 Make sure that you are using an officially supported image.
 Also see "/var/log/cloud-init-output.log" in the guest.
 `,
-		})
+			})
 	}
 	for _, probe := range a.y.Probes {
 		if probe.Mode == limayaml.ProbeModeReadiness {

pkg/iso9660util/iso9660util.go

@@ -60,3 +60,18 @@ func WriteFile(fs filesystem.FileSystem, path string, r io.Reader) (int64, error
 	defer f.Close()
 	return io.Copy(f, r)
 }
+
+func IsISO9660(imagePath string) (bool, error) {
+	imageFile, err := os.Open(imagePath)
+	if err != nil {
+		return false, err
+	}
+	defer imageFile.Close()
+
+	fileInfo, err := imageFile.Stat()
+	if err != nil {
+		return false, err
+	}
+	_, err = iso9660.Read(imageFile, fileInfo.Size(), 0, 0)
+	return err == nil, nil
+}