mirror of
https://github.com/JasonN3/build-container-installer.git
synced 2025-12-25 10:57:55 +01:00
chore: initial attempt
This commit is contained in:
parent
38f41f7acc
commit
f4361359a3
6 changed files with 67 additions and 6 deletions
3
.github/workflows/build-and-test.yml
vendored
3
.github/workflows/build-and-test.yml
vendored
|
|
@ -15,6 +15,9 @@ env:
|
|||
IMAGE_REPO: 'quay.io/fedora-ostree-desktops'
|
||||
VERSION: '39'
|
||||
VARIANT: 'Server'
|
||||
SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
|
||||
ENROLLMENT_PASSWORD: 'container-installer'
|
||||
|
||||
|
||||
jobs:
|
||||
build-container:
|
||||
|
|
|
|||
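Review bot: `SECURE_BOOT_KEY_URL` points at `raw/main` of an external repository, so the key baked into the ISO is whatever that branch holds at build time, and that key is what every machine installed from the ISO will enroll into its MOK list. Pin the URL to a commit SHA (or tag) and verify a known digest of the downloaded DER in the Makefile's `curl` step, so a changed upstream file fails the build instead of silently changing what is trusted. A short comment on the env entry, `# pinned: the key downloaded here becomes trusted firmware-wide on installed hosts`, would make the reason for pinning visible to the next editor. Which three of the nine lines shown are the additions is not recoverable from the rendered section.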
11
Makefile
11
Makefile
|
|
@ -8,6 +8,8 @@ IMAGE_TAG = $(VERSION)
|
|||
VARIANT = Server
|
||||
WEB_UI = false
|
||||
REPOS = /etc/yum.repos.d/fedora.repo /etc/yum.repos.d/fedora-updates.repo
|
||||
ENROLLMENT_PASSWORD =
|
||||
SECURE_BOOT_KEY_URL =
|
||||
ADDITIONAL_TEMPLATES = ""
|
||||
ROOTFS_SIZE = 4
|
||||
|
||||
|
|
@ -100,6 +102,15 @@ repos/%.repo: /etc/yum.repos.d/%.repo
|
|||
boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES)
|
||||
rm -Rf $(_BASE_DIR)/results || true
|
||||
rm /etc/rpm/macros.image-language-conf || true
|
||||
|
||||
# Set the enrollment password
|
||||
sed 's/@ENROLLMENT_PASSWORD@/$(ENROLLMENT_PASSWORD)/' $(_BASE_DIR)/scripts/enroll-secureboot-key.sh.in > $(_BASE_DIR)/scripts/enroll-secureboot-key.sh
|
||||
|
||||
# Download the secure boot key
|
||||
if [ -n "$(SECURE_BOOT_KEY_URL)" ]; then\
|
||||
curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL);\
|
||||
fi
|
||||
|
||||
lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
|
||||
--isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \
|
||||
$(_LORAX_ARGS) \
|
||||
|
|
|
|||
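Review bot: The `sed 's/@ENROLLMENT_PASSWORD@/$(ENROLLMENT_PASSWORD)/'` line substitutes a caller-supplied value straight into a sed expression, so a password containing `/`, `&` or `\` changes the expression rather than the output, and the result then lands in `readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@` in the generated script, where whitespace or shell metacharacters are interpreted. At minimum reject those characters before the recipe runs, e.g. `$(if $(or $(findstring /,$(ENROLLMENT_PASSWORD)),$(findstring &,$(ENROLLMENT_PASSWORD)),$(findstring ',$(ENROLLMENT_PASSWORD))),$(error ENROLLMENT_PASSWORD must not contain / & or '))`, and quote the placeholder in the template; cleaner still is to write the value to its own file with no shell in between (`$(file >…)` if the required GNU make version allows it) and have the script read that file. The recipe also creates `scripts/enroll-secureboot-key.sh` and `sb_pubkey.der` as side effects of `boot.iso`, so editing the `.sh.in` or changing the password does not trigger a rebuild; give each its own rule with the `.in` file as a prerequisite and list them as prerequisites of `boot.iso`. The `boot.iso` recipe continues past the end of this hunk.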
|
|
@ -29,6 +29,13 @@ inputs:
|
|||
description: Enable Anaconda WebUI
|
||||
required: false
|
||||
default: "false"
|
||||
enrollment_password:
|
||||
description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
|
||||
required: false
|
||||
default: "container-installer"
|
||||
secure_boot_key_url:
|
||||
description: Secure boot key that is installed from URL location
|
||||
required: false
|
||||
action_version:
|
||||
description: Version of the action container to run
|
||||
deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version.
|
||||
|
|
@ -54,5 +61,7 @@ runs:
|
|||
VERSION=${{ inputs.version }} \
|
||||
IMAGE_TAG=${{ inputs.image_tag || inputs.version }} \
|
||||
WEB_UI=${{ inputs.web_ui }} \
|
||||
ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \
|
||||
SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \
|
||||
"ADDITIONAL_TEMPLATES=${{ inputs.additional_templates }}"
|
||||
|
||||
|
|
|
|||
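Review bot: `ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \` and the `SECURE_BOOT_KEY_URL` line below it interpolate the inputs into the `run:` shell text before the shell parses it, so a value containing a quote, `$(...)` or a newline alters the command rather than being passed as data (the existing quoted `ADDITIONAL_TEMPLATES` line has the same exposure). Map the inputs through the step's `env:` block, e.g. `ENROLLMENT_PASSWORD: ${{ inputs.enrollment_password }}`, and reference them in the recipe as `ENROLLMENT_PASSWORD="$ENROLLMENT_PASSWORD" \`, which hands the value to make as a single argument regardless of content. The `enrollment_password` description refers to `SECURE_BOOT_KEY_URL`, but the input is named `secure_boot_key_url`; `(requires secure_boot_key_url to be set)` would match the file. The `runs:` step that these lines belong to starts outside the hunk.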
9
lorax_templates/secure_boot_key.tmpl.in
Normal file
9
lorax_templates/secure_boot_key.tmpl.in
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
|
||||
append usr/share/anaconda/interactive-defaults.ks "set -m"
|
||||
append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
|
||||
append usr/share/anaconda/interactive-defaults.ks "%end"
|
||||
|
||||
append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
|
||||
append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
|
||||
append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
|
||||
append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
|
||||
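Review bot: `set -m` is appended to both `%post` sections with no stated purpose; job control is unusual in a non-interactive kickstart `%post`, so either a comment explaining why the enrollment script needs it, or dropping the line, would help the next reader. The same four-line block is appended to both `interactive-defaults.ks` and `post-scripts/secure_boot_key.ks`; if Anaconda evaluates both, the enrollment script runs twice in the installer environment, which is presumably harmless for `mokutil --import` of an already-queued key but worth confirming and noting in a comment, since `--erroronfail` turns any second-run failure into an aborted install.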
25
scripts/enroll-secureboot-key.sh.in
Executable file
25
scripts/enroll-secureboot-key.sh.in
Executable file
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -oue pipefail
|
||||
|
||||
readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@
|
||||
readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
|
||||
|
||||
if [[ ! -d "/sys/firmware/efi" ]]; then
|
||||
echo "EFI mode not detected. Skipping key enrollment."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
|
||||
echo "Secure boot key not provided: ${SECUREBOOT_KEY}"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
|
||||
if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
|
||||
echo "Steam Deck hardware detected. Skipping key enrollment."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
mokutil --timeout -1 || :
|
||||
echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
|
||||
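Review bot: The shebang is `#!/bin/sh`, but `set -o pipefail`, `[[ … ]]`, `=~` and `echo -e` are bash features; on a system where `sh` is dash the script fails at `set -oue pipefail` before doing anything, so the interpreter line should be `#!/bin/bash`. `readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@` is unquoted, so a substituted value with whitespace or shell metacharacters is word-split or interpreted rather than assigned; `readonly ENROLLMENT_PASSWORD='@ENROLLMENT_PASSWORD@'` keeps it a single literal (the Makefile then must refuse or escape a single quote in the value). `mokutil --import … || :` discards the only signal that enrollment failed, so the key silently never gets queued while the kickstart reports success; at least print a message on the failure path, e.g. `|| echo "mokutil --import failed; key not enrolled"`. Under `set -e`, `SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"` aborts the whole `%post` (and with `--erroronfail`, the install) on hardware where that sysfs file is absent; `2>/dev/null || true` inside the substitution would keep the check best-effort.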
|
|
@ -5,12 +5,16 @@ echo "-outdev $(pwd)/build/deploy.iso"
|
|||
echo "-boot_image any replay"
|
||||
echo "-joliet on"
|
||||
echo "-compliance joliet_long_names"
|
||||
pushd container > /dev/null
|
||||
for file in $(find ${IMAGE_NAME}-${IMAGE_TAG})
|
||||
do
|
||||
echo "-map $(pwd)/${file} ${file}"
|
||||
echo "-chmod 0444 ${file}"
|
||||
if [ -f $(pwd)/sb_pubkey.der ]; then
|
||||
echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
|
||||
echo "-chmod 0444 /sb_pubkey.der"
|
||||
fi
|
||||
echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
|
||||
echo "-chmod 0777 enroll-secureboot-key.sh"
|
||||
pushd container >/dev/null
|
||||
for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do
|
||||
echo "-map $(pwd)/${file} ${file}"
|
||||
echo "-chmod 0444 ${file}"
|
||||
done
|
||||
popd > /dev/null
|
||||
echo "-end"
|
||||
|
||||
|
|
|
|||
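Review bot: `echo "-chmod 0777 enroll-secureboot-key.sh"` marks the enrollment script world-writable in the ISO metadata; the medium is read-only so the write bits do nothing useful, but they are the wrong statement of intent next to the `0444` used for every other file, and `echo "-chmod 0555 enroll-secureboot-key.sh"` is what the script actually needs. `if [ -f $(pwd)/sb_pubkey.der ]; then` leaves `$(pwd)` unquoted, so a build directory containing a space breaks the test; `if [ -f "$(pwd)/sb_pubkey.der" ]; then` matches the quoting used on the `echo` lines. The `-chmod 0444 /sb_pubkey.der` line uses an absolute ISO path while its `-map` line and the script's lines use relative ones; picking one form avoids a reader wondering whether they name the same file. The enclosing block that emits these xorriso arguments begins before the hunk.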