From 17927f37f8f34e376be6f1318c812340294825f2 Mon Sep 17 00:00:00 2001 From: Jason N <33561705+JasonN3@users.noreply.github.com> Date: Tue, 5 Mar 2024 09:50:43 -0500 Subject: [PATCH 1/3] Ensure workspace dir is used and not current dir (#34) --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 8cedd8d..219cc6b 100644 --- a/action.yml +++ b/action.yml @@ -46,7 +46,7 @@ runs: # Check if running inside of the action repo if [[ -z "${{ github.action_ref }}" ]]; then if [[ "${{ github.ref_name }}" =~ (.*)/merge ]]; then tag=pr-${BASH_REMATCH[1]}; else tag=${{ github.ref_name }}; fi; fi if [[ -z "${tag}" ]]; then tag=${{ github.action_ref }}; fi - docker run --privileged --volume .:/github/workspace/ ghcr.io/jasonn3/build-container-installer:${tag} \ + docker run --privileged --volume ${{ github.workspace }}:/github/workspace/ ghcr.io/jasonn3/build-container-installer:${tag} \ ARCH=${{ inputs.arch }} \ IMAGE_NAME=${{ inputs.image_name }} \ IMAGE_REPO=${{ inputs.image_repo }} \ From ef90875a1c2460fb40643d7152f5fd0458623ddb Mon Sep 17 00:00:00 2001 From: Noel Miller <4983138+noelmiller@users.noreply.github.com> Date: Tue, 5 Mar 2024 12:11:52 -0600 Subject: [PATCH 2/3] Add Support for Secure Boot (#37) --- .dockerignore | 5 ++ .github/workflows/build-and-test.yml | 5 ++ Containerfile | 7 +-- Makefile | 58 ++++++++++++++----- action.yml | 9 +++ .../scripts/post/enroll-secureboot-key | 26 +++++++++ xorriso/gen_input.sh.in | 14 +++-- 7 files changed, 100 insertions(+), 24 deletions(-) create mode 100644 .dockerignore create mode 100755 lorax_templates/scripts/post/enroll-secureboot-key diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..06aa2e2 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,5 @@ +.devcontainer +.github +.gitignore +action.yml +Containerfile diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index a3b3650..942c763 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -15,6 +15,9 @@ env: IMAGE_REPO: 'quay.io/fedora-ostree-desktops' VERSION: '39' VARIANT: 'Server' + SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der' + ENROLLMENT_PASSWORD: 'container-installer' + jobs: build-container: @@ -87,6 +90,8 @@ jobs: image_repo: ${{ env.IMAGE_REPO}} version: ${{ env.VERSION }} variant: ${{ env.VARIANT }} + secure_boot_key_url: ${{ env.SECURE_BOOT_KEY_URL }} + enrollment_password: ${{ env.ENROLLMENT_PASSWORD }} - name: Rename ISO run: | diff --git a/Containerfile b/Containerfile index 196a151..6ca8af4 100644 --- a/Containerfile +++ b/Containerfile @@ -11,10 +11,7 @@ ENV VERSION="${VERSION}" ENV WEB_UI="false" RUN mkdir /build-container-installer -COPY /lorax_templates /build-container-installer/lorax_templates -COPY /xorriso /build-container-installer/xorriso -COPY /Makefile /build-container-installer -COPY /entrypoint.sh / +COPY / /build-container-installer/ WORKDIR /build-container-installer @@ -22,5 +19,5 @@ RUN dnf install -y make && make install-deps VOLUME /build-container-installer/build -ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/build-container-installer/entrypoint.sh"] diff --git a/Makefile b/Makefile index 0362032..6064d01 100644 --- a/Makefile +++ b/Makefile @@ -8,6 +8,8 @@ IMAGE_TAG = $(VERSION) VARIANT = Server WEB_UI = false REPOS = /etc/yum.repos.d/fedora.repo /etc/yum.repos.d/fedora-updates.repo +ENROLLMENT_PASSWORD = +SECURE_BOOT_KEY_URL = ADDITIONAL_TEMPLATES = "" ROOTFS_SIZE = 4 @@ -19,7 +21,7 @@ _IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED)) _VOLID = $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG) _REPO_FILES = $(subst /etc/yum.repos.d,repos,$(REPOS)) _LORAX_TEMPLATES = $(subst .in,,$(shell ls lorax_templates/*.tmpl.in)) $(foreach file,$(shell ls lorax_templates/scripts/post),lorax_templates/post_$(file).tmpl) -_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED +_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED ENROLLMENT_PASSWORD ifeq ($(VARIANT),Server) _LORAX_ARGS = --macboot --noupgrade @@ -44,19 +46,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/% $(eval _ISO_FILE = usr/share/anaconda/interactive-defaults.ks) header=0; \ + skip=0; \ while read -r line; \ do \ - if [[ $$line =~ ^\<\% ]]; \ - then \ + if [[ $$line =~ ^\<\% ]]; \ + then \ echo $$line >> lorax_templates/post_$*.tmpl; \ echo >> lorax_templates/post_$*.tmpl; \ - else \ - if [[ $$header == 0 ]]; \ + else \ + if [[ $$header == 0 ]]; \ then \ - echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \ + if [[ $$line =~ ^##\ (.*)$$ ]]; \ + then \ + echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \ + skip=1; \ + else \ + echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \ + fi; \ header=1; \ fi; \ - echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \ + if [[ $$skip == 0 ]]; \ + then \ + echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \ + fi; \ + skip=0; \ fi; \ done < lorax_templates/scripts/post/$* echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl @@ -65,18 +78,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/% $(eval _ISO_FILE = usr/share/anaconda/post-scripts/configure_upgrades.ks) header=0; \ + skip=0; \ while read -r line; \ do \ - if [[ $$line =~ ^\<\% ]]; \ - then \ + if [[ $$line =~ ^\<\% ]]; \ + then \ + echo $$line >> lorax_templates/post_$*.tmpl; \ echo >> lorax_templates/post_$*.tmpl; \ - else \ - if [[ $$header == 0 ]]; \ + else \ + if [[ $$header == 0 ]]; \ then \ - echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \ + if [[ $$line =~ ^##\ (.*)$$ ]]; \ + then \ + echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \ + skip=1; \ + else \ + echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \ + fi; \ header=1; \ fi; \ - echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \ + if [[ $$skip == 0 ]]; \ + then \ + echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \ + fi; \ + skip=0; \ fi; \ done < lorax_templates/scripts/post/$* echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl @@ -100,6 +125,13 @@ repos/%.repo: /etc/yum.repos.d/%.repo boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES) rm -Rf $(_BASE_DIR)/results || true rm /etc/rpm/macros.image-language-conf || true + + # Download the secure boot key + if [ -n "$(SECURE_BOOT_KEY_URL)" ]; \ + then \ + curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL); \ + fi + lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \ --isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \ $(_LORAX_ARGS) \ diff --git a/action.yml b/action.yml index 219cc6b..22914f1 100644 --- a/action.yml +++ b/action.yml @@ -29,6 +29,13 @@ inputs: description: Enable Anaconda WebUI required: false default: "false" + enrollment_password: + description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined) + required: false + default: "container-installer" + secure_boot_key_url: + description: Secure boot key that is installed from URL location + required: false action_version: description: Version of the action container to run deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version. @@ -54,5 +61,7 @@ runs: VERSION=${{ inputs.version }} \ IMAGE_TAG=${{ inputs.image_tag || inputs.version }} \ WEB_UI=${{ inputs.web_ui }} \ + ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \ + SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \ "ADDITIONAL_TEMPLATES=${{ inputs.additional_templates }}" diff --git a/lorax_templates/scripts/post/enroll-secureboot-key b/lorax_templates/scripts/post/enroll-secureboot-key new file mode 100755 index 0000000..622a1ec --- /dev/null +++ b/lorax_templates/scripts/post/enroll-secureboot-key @@ -0,0 +1,26 @@ +<%page args="enrollment_password "/> +## --nochroot + +set -oue pipefail + +readonly ENROLLMENT_PASSWORD=${enrollment_password} +readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der" + +if [[ ! -d "/sys/firmware/efi" ]]; then + echo "EFI mode not detected. Skipping key enrollment." + exit 0 +fi + +if [[ ! -f "$SECUREBOOT_KEY" ]]; then + echo "Secure boot key not provided: $SECUREBOOT_KEY" + exit 0 +fi + +SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)" +if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then + echo "Steam Deck hardware detected. Skipping key enrollment." + exit 0 +fi + +mokutil --timeout -1 || : +echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | mokutil --import "$SECUREBOOT_KEY" || : diff --git a/xorriso/gen_input.sh.in b/xorriso/gen_input.sh.in index b660e1b..00acd91 100644 --- a/xorriso/gen_input.sh.in +++ b/xorriso/gen_input.sh.in @@ -5,12 +5,14 @@ echo "-outdev $(pwd)/build/deploy.iso" echo "-boot_image any replay" echo "-joliet on" echo "-compliance joliet_long_names" -pushd container > /dev/null -for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}) -do - echo "-map $(pwd)/${file} ${file}" - echo "-chmod 0444 ${file}" +if [ -f $(pwd)/sb_pubkey.der ]; then + echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der" + echo "-chmod 0444 /sb_pubkey.der" +fi +pushd container >/dev/null +for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do + echo "-map $(pwd)/${file} ${file}" + echo "-chmod 0444 ${file}" done popd > /dev/null echo "-end" - From 8d9ceeb5799eaf33f538797fa9b4bc7f932c4113 Mon Sep 17 00:00:00 2001 From: Jason N <33561705+JasonN3@users.noreply.github.com> Date: Tue, 5 Mar 2024 16:10:08 -0500 Subject: [PATCH 3/3] ci: Test resulting test ISO (#26) --- .github/workflows/build-and-test.yml | 110 ++++++++++++++++++++++++++- Makefile | 7 +- tests/iso/README.md | 1 + tests/iso/os-release.sh | 31 ++++++++ tests/vm/README.md | 1 + 5 files changed, 148 insertions(+), 2 deletions(-) create mode 100644 tests/iso/README.md create mode 100644 tests/iso/os-release.sh create mode 100644 tests/vm/README.md diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 942c763..2981e79 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -82,7 +82,7 @@ jobs: type=ref,event=branch type=ref,event=pr - - name: Build ISO + - name: Build ISO with new container uses: ./ with: arch: ${{ env.ARCH}} @@ -98,6 +98,7 @@ jobs: mv build/deploy.iso build/${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso - name: Upload ISO as artifact + id: upload uses: actions/upload-artifact@v4 with: name: ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso @@ -106,3 +107,110 @@ jobs: retention-days: 0 compression-level: 0 overwrite: true + + test-qemu: + runs-on: ubuntu-latest + needs: + - build-and-push-iso + permissions: + contents: read + packages: write + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Ensure qemu is installed + run: | + sudo apt-get update + sudo apt-get install -y qemu qemu-utils xorriso unzip qemu-system-x86 netcat socat jq isomd5sum ansible make + + - name: Create disk + run: | + qemu-img create -f qcow2 disk.qcow2 50G + + - name: Download generated ISO + uses: actions/download-artifact@v4 + with: + name: ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso + + - name: Verify ISO + run: checkisomd5 ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso + + - name: Run ISO checks + run: | + mv ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso deploy.iso + make test-iso + + - name: Add Kickstart and Grub options to ISO + run: | + sudo mkdir /mnt/iso || true + sudo mount -o loop deploy.iso /mnt/iso + cp /mnt/iso/boot/grub2/grub.cfg grub.cfg + sudo umount /mnt/iso + sed -i 's/quiet/console=ttyS0,115200n8 inst.ks=cdrom:\/ks.cfg/' grub.cfg + sed -i 's/set default="1"/set default="0"/' grub.cfg + sed -i 's/set timeout=60/set timeout=1/' grub.cfg + cat << EOF > ks.cfg + lang en_US.UTF-8 + keyboard us + timezone Americas/New_York + zerombr + clearpart --all --initlabel + autopart + poweroff + user --name=core --groups=wheel --password=foobar + %include /usr/share/anaconda/interactive-defaults.ks + EOF + xorriso -dialog on << EOF + -indev deploy.iso + -outdev test.iso + -boot_image any replay + -map ks.cfg ks.cfg + -chmod 0444 ks.cfg + -map grub.cfg boot/grub2/grub.cfg + -end + EOF + + - name: Install the test VM + run: | + timeout 1h qemu-system-x86_64 -name "Anaconda" -boot d -m 4096 -cpu qemu64 -display none -cdrom test.iso -smp 2 -hda disk.qcow2 -serial telnet:localhost:4321,server,nowait & QEMU_PID=$! + echo "PID: $QEMU_PID" + timeout 1m bash -c "while ! (echo > /dev/tcp/127.0.0.1/4321); do sleep 0.1; done" + (nc localhost 4321 | tee vm.stdout) & + wait $QEMU_PID + + - name: Start the test VM + env: + VM_USER: core + VM_PASS: foobar + run: | + mkfifo vm.stdin + qemu-system-x86_64 -name "Anaconda" \ + -m 4096 -cpu qemu64 -display none -smp 2 \ + -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 \ + -device virtio-serial \ + -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \ + -boot c -hda disk.qcow2 -serial telnet:localhost:4321,server,nowait & export QEMU_PID=$! + echo "PID: $QEMU_PID" + + timeout 1m bash -c "while ! (echo > /dev/tcp/127.0.0.1/4321); do sleep 0.1; done" + (tail -f vm.stdin | nc localhost 4321 | tee vm.stdout) & + + timeout 30m bash -c "while ! (grep 'login:' vm.stdout); do sleep 1; done" + + export VM_IP=$({ echo '{"execute": "guest-network-get-interfaces"}'; sleep 2; } | socat unix-connect:/tmp/qga.sock - | jq -r '.return[1]["ip-addresses"][] | select(."ip-address-type"=="ipv4") | .["ip-address"]') + if ! (echo > /dev/tcp/${VM_IP}/22) + then + echo "SSH must be installed and enabled inside the container" + fi + + echo "VM ready for tests at IP ${VM_IP}" + for check in $(ls tests/vm) + do + if [[ -f $check && $check != "README.md" ]] + then + chmod +x $check + ./${check} + fi + done + diff --git a/Makefile b/Makefile index 6064d01..81db881 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ WEB_UI = false REPOS = /etc/yum.repos.d/fedora.repo /etc/yum.repos.d/fedora-updates.repo ENROLLMENT_PASSWORD = SECURE_BOOT_KEY_URL = -ADDITIONAL_TEMPLATES = "" +ADDITIONAL_TEMPLATES = ROOTFS_SIZE = 4 # Generated vars @@ -175,6 +175,11 @@ clean: install-deps: dnf install -y lorax xorriso skopeo + +test-iso: + $(eval _TESTS = $(filter-out README.md,$(shell ls tests/iso))) + $(foreach test,$(_TESTS),chmod +x tests/iso/$(test)) + $(foreach test,$(_TESTS),./tests/iso/$(test) deploy.iso) .PHONY: clean install-deps diff --git a/tests/iso/README.md b/tests/iso/README.md new file mode 100644 index 0000000..bd511d9 --- /dev/null +++ b/tests/iso/README.md @@ -0,0 +1 @@ +Place scripts that will test the ISO. The ISO file will be passed as the first argument \ No newline at end of file diff --git a/tests/iso/os-release.sh b/tests/iso/os-release.sh new file mode 100644 index 0000000..ea066bc --- /dev/null +++ b/tests/iso/os-release.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +iso=$1 + +sudo apt-get update +sudo apt-get install -y squashfs-tools + +sudo mkdir /mnt/{iso,install} + +# Mount ISO +sudo mount -o loop $iso /mnt/iso + +# Mount squashfs +sudo mount -t squashfs -o loop /mnt/iso/images/install.img /mnt/install + +FOUND_VERSION=$(cat /mnt/install/etc/os-release | grep VERSION_ID | cut -d= -f2) + +# Cleanup +sudo umount /mnt/install +sudo umount /mnt/iso + +if [[ ${FOUND_VERSION} != ${VERSION} ]] +then + echo "Version mismatch" + echo "Expected: ${VERSION}" + echo "Found: ${FOUND_VERSION}" + exit 1 +else + echo "Correct version found" + exit 0 +fi \ No newline at end of file diff --git a/tests/vm/README.md b/tests/vm/README.md new file mode 100644 index 0000000..39840b4 --- /dev/null +++ b/tests/vm/README.md @@ -0,0 +1 @@ +Place scripts that will test the VM. The VM will be available at ${VM_IP} using username ${VM_USER} and password ${VM_PASS} \ No newline at end of file