osguard-amd64: initial config (#14439)

Introduce new osguard-amd64.yaml with the intent is to create a more full-featured Azure Linux OS Guard base image. This yaml file is expected to be used with Azure Linux Image Customizer, starting from a base image like the minimal-os base image, and will yield this new Azure Linux OS Guard image.

To help with migration from Ubuntu hosts to Azure Linux OS guard host, create a directory at the /usr/local/share/ca-certificates location to allow containers/pods to mount certs there at runtime.

Signed-off-by: Chris Co <[email protected]>

Author: christopherco

toolkit/imageconfigs/files/common/99-dhcp-eth0.network

@@ -0,0 +1,6 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+IPv6AcceptRA=no

toolkit/imageconfigs/files/osguard/10-repart.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" systemd-repart "

toolkit/imageconfigs/files/osguard/additional-repo-files.repo

@@ -0,0 +1,19 @@
+[azurelinux-cloud-native]
+name=Azure Linux Cloud Native $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/cloud-native/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
+
+[azurelinux-official-extended]
+name=Azure Linux Official Extended $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/extended/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1

toolkit/imageconfigs/files/osguard/chrony.conf

@@ -0,0 +1,57 @@
+# CLOUD_IMG: This file was created/modified by the Cloud Image build process
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+# Include configuration files found in /etc/chrony.conf.d.
+confdir /etc/chrony.conf.d
+# This will use (up to):
+# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
+# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
+# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
+# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
+# sources will be used.
+# At the same time it retains some protection against one of the entries being
+# down (compare to just using one of the lines). See (LP: #1754358) for the
+# discussion.
+#
+# About using servers from the NTP Pool Project in general see (LP: #104525).
+# Approved by Ubuntu Technical Board on 2011-02-08.
+# See http://www.pool.ntp.org/join.html for more information.
+#pool ntp.ubuntu.com        iburst maxsources 4
+#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
+#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
+#pool 2.ubuntu.pool.ntp.org iburst maxsources 2
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony.keys
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/drift
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+# Log files location.
+logdir /var/log/chrony
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, with no limit to how many clock updates have occurred.
+makestep 1.0 -1
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
+# Azure hosts are synchronized to internal Microsoft time servers that
+# take their time from Microsoft-owned Stratum 1 devices.  The Hyper-V
+# drivers surface this time source as a PTP-based time source in the
+# guest. This configures chrony to use it.  This also causes chronyd
+# to require the /dev/ptp_hyperv device; chronyd will fail to start if
+# it is not present. If this line is removed (so chronyd no longer
+# uses the /dev/ptp_hyperv device), also remove (or comment out) the
+# /etc/systemd/system/chronyd.service.d/wait-for-ptp-hyperv.conf file.
+refclock PHC /dev/ptp_hyperv poll 3 dpoll -2 offset 0

toolkit/imageconfigs/files/osguard/cloud.cfg

@@ -0,0 +1,99 @@
+# The top level settings are used as module
+# and base configuration.
+
+# A set of users which may be applied and/or used by various modules
+# when a 'default' entry is found it will reference the 'default_user'
+# from the distro configuration specified below
+# users:
+#  - default
+
+# If this is set, 'root' will not be able to ssh in and they
+# will get a message to login instead as the default $user
+# disable_root: false
+
+# This will cause the set+update hostname module to not operate (if true)
+# preserve_hostname: false
+
+# If you use datasource_list array, keep array items in a single line.
+# If you use multi line array, ds-identify script won't read array items.
+# Example datasource config
+datasource:
+  Azure:
+    apply_network_config: false
+#   Ec2:
+#     metadata_urls: [ 'blah.com' ]
+#     timeout: 5 # (defaults to 50 seconds)
+#     max_wait: 10 # (defaults to 120 seconds)
+
+# The modules that run in the 'init' stage
+cloud_init_modules:
+#   - seed_random
+#   - bootcmd
+#   - write_files
+#   - growpart
+#   - resizefs
+  - disk_setup
+  - mounts
+  - set_hostname
+#   - update_hostname
+#   - update_etc_hosts
+#   - ca_certs
+#   - rsyslog
+#   - users_groups
+#   - ssh
+#   - set_passwords
+
+# The modules that run in the 'config' stage
+# cloud_config_modules:
+#   - ssh_import_id
+#   - keyboard
+#   - locale
+#   - spacewalk
+#   - yum_add_repo
+#   - ntp
+#   - timezone
+#   - disable_ec2_metadata
+#   - runcmd
+
+# The modules that run in the 'final' stage
+# cloud_final_modules:
+#   - package_update_upgrade_install
+#   - write_files_deferred
+#   - puppet
+#   - chef
+#   - ansible
+#   - mcollective
+#   - salt_minion
+#   - reset_rmc
+#   - scripts_vendor
+#   - scripts_per_once
+#   - scripts_per_boot
+#   - scripts_per_instance
+#   - scripts_user
+#   - ssh_authkey_fingerprints
+#   - keys_to_console
+#   - install_hotplug
+#   - phone_home
+#   - final_message
+#   - power_state_change
+
+# System and/or distro specific settings
+# (not accessible to handlers/transforms)
+# system_info:
+#  # This will affect which distro class gets used
+#  distro: azurelinux
+#  # Default user name + that default users groups (if added/used)
+#  default_user:
+#    name: azurelinux
+#    lock_passwd: True
+#    gecos: Azure Linux
+#    groups: [wheel]
+#    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+#    shell: /bin/bash
+#  # network:
+#  #   renderers: ['networkd']
+#  # # Other config here will be given to the distro class and/or path classes
+#  # paths:
+#  #   cloud_dir: /var/lib/cloud/
+#  #   templates_dir: /etc/cloud/templates/
+#  ssh_svcname: sshd

toolkit/imageconfigs/files/osguard/repart.d/10-esp.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=esp
+Label=esp
+SizeMinBytes=512M
+SizeMaxBytes=512M

toolkit/imageconfigs/files/osguard/repart.d/11-boot-a.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=linux-generic
+Label=boot-a
+SizeMinBytes=100M
+SizeMaxBytes=100M

toolkit/imageconfigs/files/osguard/repart.d/12-usr-a.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr
+Label=usr-a
+SizeMinBytes=1G
+SizeMaxBytes=1G

toolkit/imageconfigs/files/osguard/repart.d/13-usr-hash-a.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity
+Label=usr-hash-a
+SizeMinBytes=128M
+SizeMaxBytes=128M

toolkit/imageconfigs/files/osguard/repart.d/14-root-a.conf

@@ -0,0 +1,6 @@
+[Partition]
+Type=root
+Label=root-a
+SizeMinBytes=10G
+Weight=1000
+GrowFileSystem=true