Merge branch 'main' into cache

.dockerignore

@@ -0,0 +1,5 @@
+.devcontainer
+.github
+.gitignore
+action.yml
+Containerfile

.github/workflows/build-and-test.yml

@@ -15,6 +15,9 @@ env:
   IMAGE_REPO: 'quay.io/fedora-ostree-desktops'
   VERSION: '39'
   VARIANT: 'Server'
+  SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
+  ENROLLMENT_PASSWORD: 'container-installer'
+
 
 jobs:
   build-container:
@@ -79,7 +82,7 @@ jobs:
             type=ref,event=branch
             type=ref,event=pr
 
-      - name: Build ISO
+      - name: Build ISO with new container
         uses: ./
         with:
           arch: ${{ env.ARCH}}
@@ -87,12 +90,15 @@ jobs:
           image_repo: ${{ env.IMAGE_REPO}}
           version: ${{ env.VERSION }}
           variant: ${{ env.VARIANT }}
+          secure_boot_key_url: ${{ env.SECURE_BOOT_KEY_URL }}
+          enrollment_password: ${{ env.ENROLLMENT_PASSWORD }}
 
       - name: Rename ISO
         run: |
           mv build/deploy.iso build/${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso
 
       - name: Upload ISO as artifact
+        id: upload
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso
@@ -101,3 +107,110 @@ jobs:
           retention-days: 0
           compression-level: 0
           overwrite: true
+
+  test-qemu:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-iso
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Ensure qemu is installed
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu qemu-utils xorriso unzip qemu-system-x86 netcat socat jq isomd5sum ansible make
+
+      - name: Create disk
+        run: |
+          qemu-img create -f qcow2 disk.qcow2 50G
+
+      - name: Download generated ISO
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso
+    
+      - name: Verify ISO
+        run: checkisomd5 ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso
+
+      - name: Run ISO checks
+        run: |
+          mv ${{ env.IMAGE_NAME }}-${{ env.VERSION }}.iso deploy.iso
+          make test-iso
+
+      - name: Add Kickstart and Grub options to ISO
+        run: |
+          sudo mkdir /mnt/iso || true
+          sudo mount -o loop deploy.iso /mnt/iso
+          cp /mnt/iso/boot/grub2/grub.cfg grub.cfg
+          sudo umount /mnt/iso
+          sed -i 's/quiet/console=ttyS0,115200n8 inst.ks=cdrom:\/ks.cfg/' grub.cfg
+          sed -i 's/set default="1"/set default="0"/' grub.cfg
+          sed -i 's/set timeout=60/set timeout=1/' grub.cfg
+          cat << EOF > ks.cfg
+          lang en_US.UTF-8
+          keyboard us
+          timezone Americas/New_York
+          zerombr
+          clearpart --all --initlabel
+          autopart
+          poweroff
+          user --name=core --groups=wheel --password=foobar
+          %include /usr/share/anaconda/interactive-defaults.ks
+          EOF
+          xorriso -dialog on << EOF
+          -indev deploy.iso
+          -outdev test.iso
+          -boot_image any replay
+          -map ks.cfg ks.cfg
+          -chmod 0444 ks.cfg
+          -map grub.cfg boot/grub2/grub.cfg
+          -end
+          EOF
+
+      - name: Install the test VM
+        run: |
+          timeout 1h qemu-system-x86_64 -name "Anaconda" -boot d -m 4096 -cpu qemu64 -display none -cdrom test.iso -smp 2 -hda disk.qcow2 -serial telnet:localhost:4321,server,nowait & QEMU_PID=$!
+          echo "PID: $QEMU_PID"
+          timeout 1m bash -c "while ! (echo > /dev/tcp/127.0.0.1/4321); do sleep 0.1; done"
+          (nc localhost 4321 | tee vm.stdout) &
+          wait $QEMU_PID
+
+      - name: Start the test VM
+        env:
+          VM_USER: core
+          VM_PASS: foobar
+        run: |
+          mkfifo vm.stdin
+          qemu-system-x86_64 -name "Anaconda" \
+            -m 4096 -cpu qemu64 -display none -smp 2 \
+            -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 \
+            -device virtio-serial \
+            -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+            -boot c -hda disk.qcow2 -serial telnet:localhost:4321,server,nowait & export QEMU_PID=$!
+          echo "PID: $QEMU_PID"
+
+          timeout 1m bash -c "while ! (echo > /dev/tcp/127.0.0.1/4321); do sleep 0.1; done"
+          (tail -f vm.stdin | nc localhost 4321 | tee vm.stdout) &
+          
+          timeout 30m bash -c "while ! (grep 'login:' vm.stdout); do sleep 1; done"
+
+          export VM_IP=$({ echo '{"execute": "guest-network-get-interfaces"}'; sleep 2; } | socat unix-connect:/tmp/qga.sock - | jq -r '.return[1]["ip-addresses"][] | select(."ip-address-type"=="ipv4") | .["ip-address"]')
+          if ! (echo > /dev/tcp/${VM_IP}/22)
+          then
+            echo "SSH must be installed and enabled inside the container"
+          fi
+          
+          echo "VM ready for tests at IP ${VM_IP}"
+          for check in $(ls tests/vm)
+          do
+            if [[ -f $check && $check != "README.md" ]]
+            then
+              chmod +x $check
+              ./${check}
+            fi
+          done
+

Containerfile

@@ -11,10 +11,7 @@ ENV VERSION="${VERSION}"
 ENV WEB_UI="false"
 
 RUN mkdir /build-container-installer
-COPY /lorax_templates /build-container-installer/lorax_templates
-COPY /xorriso /build-container-installer/xorriso
-COPY /Makefile /build-container-installer
-COPY /entrypoint.sh /
+COPY / /build-container-installer/
 
 WORKDIR /build-container-installer
 
@@ -24,5 +21,5 @@ RUN ln -s ~/.local/share/containers/cache /cache/skopeo
 VOLUME /build-container-installer/build
 VOLUME /cache
 
-ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash", "/build-container-installer/entrypoint.sh"]
 

Makefile

@@ -8,7 +8,9 @@ IMAGE_TAG = $(VERSION)
 VARIANT = Server
 WEB_UI = false
 REPOS = $(subst :,\:,$(shell ls /etc/yum.repos.d/*.repo))
-ADDITIONAL_TEMPLATES = ""
+ENROLLMENT_PASSWORD =
+SECURE_BOOT_KEY_URL =
+ADDITIONAL_TEMPLATES = 
 ROOTFS_SIZE = 4
 DNF_CACHE = 
 
@@ -20,7 +22,7 @@ _IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED))
 _VOLID = $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)
 _REPO_FILES = $(subst /etc/yum.repos.d,repos,$(REPOS))
 _LORAX_TEMPLATES = $(subst .in,,$(shell ls lorax_templates/*.tmpl.in)) $(foreach file,$(shell ls lorax_templates/scripts/post),lorax_templates/post_$(file).tmpl)
-_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED
+_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED ENROLLMENT_PASSWORD
 _LORAX_ARGS = 
 
 ifeq ($(findstring redhat.repo,$(REPOS)),redhat.repo)
@@ -52,19 +54,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/interactive-defaults.ks)
 	
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
-	  if [[ $$line =~ ^\<\% ]]; \
-	  then \
+		if [[ $$line =~ ^\<\% ]]; \
+		then \
 			echo $$line >> lorax_templates/post_$*.tmpl; \
 			echo >> lorax_templates/post_$*.tmpl; \
-	  else \
-		  if [[ $$header == 0 ]]; \
+		else \
+			if [[ $$header == 0 ]]; \
 			then \
-			  echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
+					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -73,18 +86,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/post-scripts/configure_upgrades.ks)
 
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
-	  if [[ $$line =~ ^\<\% ]]; \
-	  then \
+		if [[ $$line =~ ^\<\% ]]; \
+		then \
+			echo $$line >> lorax_templates/post_$*.tmpl; \
 			echo >> lorax_templates/post_$*.tmpl; \
-	  else \
-		  if [[ $$header == 0 ]]; \
+		else \
+			if [[ $$header == 0 ]]; \
 			then \
-			  echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
+					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -109,6 +134,13 @@ repos/%.repo: /etc/yum.repos.d/%.repo
 boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES)
 	rm -Rf $(_BASE_DIR)/results || true
 	rm /etc/rpm/macros.image-language-conf || true
+
+	# Download the secure boot key
+	if [ -n "$(SECURE_BOOT_KEY_URL)" ]; \
+	then \
+    	curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL); \
+	fi
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 		--isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \
 		$(_LORAX_ARGS) \
@@ -152,6 +184,11 @@ clean:
 
 install-deps:
 	dnf install -y lorax xorriso skopeo
+
+test-iso:
+	$(eval _TESTS = $(filter-out README.md,$(shell ls tests/iso)))
+	$(foreach test,$(_TESTS),chmod +x tests/iso/$(test))
+	$(foreach test,$(_TESTS),./tests/iso/$(test) deploy.iso)
 	
 .PHONY: clean install-deps
 

action.yml

@@ -29,6 +29,13 @@ inputs:
     description: Enable Anaconda WebUI
     required: false
     default: "false"
+  enrollment_password:
+    description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
+    required: false
+    default: "container-installer"
+  secure_boot_key_url:
+    description: Secure boot key that is installed from URL location
+    required: false
   action_version:
     description: Version of the action container to run
     deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version.
@@ -46,7 +53,7 @@ runs:
         # Check if running inside of the action repo
         if [[ -z "${{ github.action_ref }}" ]]; then if [[ "${{ github.ref_name }}" =~ (.*)/merge ]]; then tag=pr-${BASH_REMATCH[1]}; else tag=${{ github.ref_name }}; fi; fi
         if [[ -z "${tag}" ]]; then tag=${{ github.action_ref }}; fi
-        docker run --privileged --volume .:/github/workspace/ ghcr.io/jasonn3/build-container-installer:${tag} \
+        docker run --privileged --volume ${{ github.workspace }}:/github/workspace/ ghcr.io/jasonn3/build-container-installer:${tag} \
           ARCH=${{ inputs.arch }} \
           IMAGE_NAME=${{ inputs.image_name }} \
           IMAGE_REPO=${{ inputs.image_repo }} \
@@ -54,5 +61,7 @@ runs:
           VERSION=${{ inputs.version }} \
           IMAGE_TAG=${{ inputs.image_tag || inputs.version }} \
           WEB_UI=${{ inputs.web_ui }} \
+          ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \
+          SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \
           "ADDITIONAL_TEMPLATES=${{ inputs.additional_templates }}"
 

lorax_templates/scripts/post/enroll-secureboot-key

@@ -0,0 +1,26 @@
+<%page args="enrollment_password "/>
+## --nochroot
+
+set -oue pipefail
+
+readonly ENROLLMENT_PASSWORD=${enrollment_password}
+readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "$SECUREBOOT_KEY" ]]; then
+	echo "Secure boot key not provided: $SECUREBOOT_KEY"
+	exit 0
+fi
+
+SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
+if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
+	echo "Steam Deck hardware detected. Skipping key enrollment."
+	exit 0
+fi
+
+mokutil --timeout -1 || :
+echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | mokutil --import "$SECUREBOOT_KEY" || :

tests/iso/README.md

@@ -0,0 +1 @@
+Place scripts that will test the ISO. The ISO file will be passed as the first argument

tests/iso/os-release.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+iso=$1
+
+sudo apt-get update
+sudo apt-get install -y squashfs-tools
+
+sudo mkdir /mnt/{iso,install}
+
+# Mount ISO
+sudo mount -o loop $iso /mnt/iso
+
+# Mount squashfs
+sudo mount -t squashfs -o loop /mnt/iso/images/install.img /mnt/install
+
+FOUND_VERSION=$(cat /mnt/install/etc/os-release | grep VERSION_ID | cut -d= -f2)
+
+# Cleanup
+sudo umount /mnt/install
+sudo umount /mnt/iso
+
+if [[ ${FOUND_VERSION} != ${VERSION} ]]
+then
+    echo "Version mismatch"
+    echo "Expected: ${VERSION}"
+    echo "Found: ${FOUND_VERSION}"
+    exit 1
+else
+    echo "Correct version found"
+    exit 0
+fi

tests/vm/README.md

@@ -0,0 +1 @@
+Place scripts that will test the VM. The VM will be available at ${VM_IP} using username ${VM_USER} and password ${VM_PASS}

xorriso/gen_input.sh.in

@@ -5,12 +5,14 @@ echo "-outdev $(pwd)/build/deploy.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
-pushd container > /dev/null
-for file in $(find ${IMAGE_NAME}-${IMAGE_TAG})
-do
-    echo "-map $(pwd)/${file} ${file}"
-    echo "-chmod 0444 ${file}"
+if [ -f $(pwd)/sb_pubkey.der ]; then
+	echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
+	echo "-chmod 0444 /sb_pubkey.der"
+fi
+pushd container >/dev/null
+for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do
+	echo "-map $(pwd)/${file} ${file}"
+	echo "-chmod 0444 ${file}"
 done
 popd > /dev/null
 echo "-end"
-