Skip to content

scripts: Simple script to boot an azure CVM #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

scripts: Simple script to boot an azure CVM #48

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 132 additions & 0 deletions scripts/boot-azure-fcos.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
#!/bin/bash

# Prefix that will go into every single item created in azure
# To remove everything run az group delete -n ${az_id}-group
az_id="aztestvm"

STREAM="stable"
STABLE_IMAGE="fedora-coreos-42.20250721.3.0-azure.x86_64.vhd.xz"
STABLE_IMAGE_UNCOMPRESSED="fedora-coreos-42.20250721.3.0-azure.x86_64.vhd"

butane="configs/simple.bu"
key="$(cat ~/.ssh/test_ocp_install.pub)"
if [ -z "${key}" ]; then
echo "Please, specify the public ssh key"
exit 1
fi

set -euo pipefail
set -x

if [[ ! -f "${STABLE_IMAGE_UNCOMPRESSED}" ]]; then
wget https://builds.coreos.fedoraproject.org/prod/streams/${STREAM}/builds/42.20250721.3.0/x86_64/fedora-coreos-42.20250721.3.0-azure.x86_64.vhd.xz
unxz "fedora-coreos-42.20250721.3.0-azure.x86_64.vhd.xz"
fi

# REFACTOR THIS FROM /scripts/install_vm.sh
mkdir -p tmp
butane_name="$(basename ${butane})"
IGNITION_FILE="tmp/${butane_name%.bu}.ign"
IGNITION_CONFIG="$(pwd)/${IGNITION_FILE}"
bufile="./tmp/${butane_name}"
sed "s|<KEY>|${key}|g" $butane > ${bufile}
butane_args=()
if [[ -d ${butane%.bu} ]]; then
butane_args=("--files-dir" "${butane%.bu}")
fi
podman run --interactive --rm --security-opt label=disable \
--volume "$(pwd)":/pwd \
--volume "${bufile}":/config.bu:z \
--workdir /pwd \
quay.io/coreos/butane:release \
--pretty --strict /config.bu --output "/pwd/${IGNITION_FILE}" \
"${butane_args[@]}"


az_region="eastus"
az_resource_group="${az_id}-group"
az_storage_account="${az_id}storageacct"
az_container="${az_id}-stg-container"
az_image_name="${az_id}-image"
az_image_blob="${az_image_name}.vhd"
gallery_name="${az_id}gallery"
gallery_image_definition="${az_id}-gallery-def"
vm_name="${az_id}-cvm"
vm_size="Standard_DC2as_v5"

# Create resource group
az group create \
-l "${az_region}" \
-n "${az_resource_group}"
# Create storage account for uploading FCOS image
az storage account create \
-g "${az_resource_group}" \
-n "${az_storage_account}"
# Retrieve connection string for storage account
cs=$(az storage account show-connection-string \
-n "${az_storage_account}" \
-g "${az_resource_group}" | jq \
-r .connectionString)
# Create storage container for uploading FCOS image
az storage container create \
--connection-string "${cs}" \
-n "${az_container}"
# Upload image blob
az storage blob upload \
--connection-string "${cs}" \
-c "${az_container}" \
-f "${STABLE_IMAGE_UNCOMPRESSED}" \
-n "${az_image_blob}"

# Create an image gallery
az sig create \
--resource-group "${az_resource_group}" \
--gallery-name "${gallery_name}"

# Create a gallery image definition
az sig image-definition create \
--resource-group "${az_resource_group}" \
--gallery-name "${gallery_name}" \
--gallery-image-definition "${gallery_image_definition}" \
--publisher azure \
--offer example \
--sku standard \
--features SecurityType=ConfidentialVmSupported \
--os-type Linux \
--hyper-v-generation V2

# Get the source VHD URI of OS disk
os_vhd_storage_account=$(az storage account list -g ${az_resource_group} | jq -r .[].id)

# Create a new image version
gallery_image_version="1.0.0"
az sig image-version create \
--resource-group "${az_resource_group}" \
--gallery-name "${gallery_name}" \
--gallery-image-definition "${gallery_image_definition}" \
--gallery-image-version "${gallery_image_version}" \
--os-vhd-storage-account "${os_vhd_storage_account}" \
--os-vhd-uri https://${az_storage_account}.blob.core.windows.net/${az_container}/${az_image_blob}

# Get gallery image id
gallery_image_id=$(az sig image-version show \
--gallery-image-definition "${gallery_image_definition}" \
--gallery-image-version "${gallery_image_version}" \
--gallery-name "${gallery_name}" \
--resource-group $az_resource_group | jq \
-r .id)

# Create a VM with confidential computing enabled using the gallery image and an ignition config as custom-data
az vm create \
--name "${vm_name}" \
--resource-group $az_resource_group \
--size "${vm_size}" \
--image "${gallery_image_id}" \
--admin-username core \
--generate-ssh-keys \
--custom-data "$(cat ${IGNITION_FILE})" \
--enable-vtpm true \
--public-ip-sku Standard \
--security-type ConfidentialVM \
--os-disk-security-encryption-type VMGuestStateOnly \
--enable-secure-boot true