From 21e04f766c6e34b3dc5322b6ede51670a0b66d9c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 11 Jan 2024 08:56:41 +0100 Subject: [PATCH 01/85] Update release template (#2137) Update release.md Signed-off-by: Mauro Morales --- .github/ISSUE_TEMPLATE/release.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/release.md b/.github/ISSUE_TEMPLATE/release.md index e63755f1d..ed63ad1c4 100644 --- a/.github/ISSUE_TEMPLATE/release.md +++ b/.github/ISSUE_TEMPLATE/release.md @@ -29,11 +29,14 @@ assignees: mudler - [ ] Fedora flavor install, and manual upgrade works - [ ] Any flavor interactive install - [ ] Any flavor recovery reset + - [ ] Any flavor k3s - [ ] ARM images (openSUSE, alpine) boots and manual upgrade works - [ ] ARM images passive and recovery booting - [ ] ARM images reset works - [ ] ARM images /oem exists - [ ] **Stage 3 - Release** - - [ ] Tag the release on master. + - [ ] Tag the release on master + - [ ] Update the release with any known issues - [ ] **Stage 4 - Announcement** + - [ ] Merge docs updates for kairos and k3s version updates - [ ] Blog post announcement From 643ad4313f56f05d6a3d99b5b15671018eb0ec70 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Fri, 12 Jan 2024 12:12:21 +0200 Subject: [PATCH 02/85] Make sure test doesn't break when master matches the latest release (#2141) * Make sure test doesn't break when master matches the latest release Signed-off-by: Dimitris Karakasilis * Point to existing artifacts for 2.5.0 release 
Signed-off-by: Dimitris Karakasilis * Bump download-artifact action to hopefully fix the error: ``` Preparing to download the following artifacts: - kairos-alpine-3.19.iso.zip (ID: 1164540479, Size: 1053840217) Redirecting to blob download url: https://productionresultssa4.blob.core.windows.net/actions-results/e30c4747-a895-4fc2-a9ad-5c3c721fbe5c/workflow-job-run-54b5a70f-2f08-532f-96ed-a371e24f143d/artifacts/kairos-alpine-3.19.iso.zip.zip Starting download of artifact to: /runner/_work/kairos/kairos (node:1192) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `node --trace-deprecation ...` to show where the warning was created) Error: Unable to download artifact(s): Unable to download and extract artifact: Artifact download failed after 5 retries. ``` Signed-off-by: Dimitris Karakasilis --------- Signed-off-by: Dimitris Karakasilis --- .github/workflows/image-pr.yaml | 2 +- .github/workflows/reusable-encryption-test.yaml | 2 +- .github/workflows/reusable-install-test.yaml | 2 +- .github/workflows/reusable-provider-tests.yaml | 2 +- .github/workflows/reusable-qemu-acceptance-test.yaml | 2 +- .github/workflows/reusable-qemu-bundles-test.yaml | 2 +- .github/workflows/reusable-qemu-reset-test.yaml | 2 +- .github/workflows/reusable-upgrade-with-cli-test.yaml | 2 +- .github/workflows/reusable-zfs-test.yaml | 2 +- Earthfile | 2 +- tests/provider_upgrade_test.go | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml index 98b432abf..e233fa1c0 100644 --- a/.github/workflows/image-pr.yaml +++ b/.github/workflows/image-pr.yaml 
@@ -153,7 +153,7 @@ jobs: flavor: ubuntu flavor_release: "23.10" family: "ubuntu" - release_matcher: "23.04" # introduced so tests can be green while we wait for the kairos release with the latest flavor release + release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release needs: - core diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml index a770ce39a..8b3460b60 100644 --- a/.github/workflows/reusable-encryption-test.yaml +++ b/.github/workflows/reusable-encryption-test.yaml @@ -80,7 +80,7 @@ jobs: LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index 6182a7587..01d3ec223 100644 --- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Install Go diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml index e941b3151..144ee61d8 100644 --- a/.github/workflows/reusable-provider-tests.yaml +++ b/.github/workflows/reusable-provider-tests.yaml @@ -55,7 +55,7 @@ jobs: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip - name: Run tests 
diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml index a44b4cdd6..98f3df75f 100644 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ b/.github/workflows/reusable-qemu-acceptance-test.yaml @@ -59,7 +59,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml index 5ea57a02a..9d025e640 100644 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ b/.github/workflows/reusable-qemu-bundles-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml index 01caf7583..013539551 100644 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ b/.github/workflows/reusable-qemu-reset-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml index 474a4360c..4704c7791 100644 --- a/.github/workflows/reusable-upgrade-with-cli-test.yaml +++ b/.github/workflows/reusable-upgrade-with-cli-test.yaml 
@@ -61,7 +61,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml index be6e9af38..0c49f9d67 100644 --- a/.github/workflows/reusable-zfs-test.yaml +++ b/.github/workflows/reusable-zfs-test.yaml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v4 - name: Download ISO id: iso - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.1 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/Earthfile b/Earthfile index 94a886ec5..8021ecc43 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.48.2 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.5.7" +ARG KAIROS_FRAMEWORK_VERSION="v2.6.0" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name diff --git a/tests/provider_upgrade_test.go b/tests/provider_upgrade_test.go index 5f5a3b1ed..8e69cc5dc 100644 --- a/tests/provider_upgrade_test.go +++ b/tests/provider_upgrade_test.go @@ -24,7 +24,7 @@ var _ = Describe("provider upgrade test", Label("provider", "provider-upgrade"), Context("kairos-agent upgrade list-releases", func() { It("returns at least one option to upgrade to", func() { - resultStr, _ := vm.Sudo(`kairos-agent upgrade list-releases | tail -1`) + resultStr, _ := vm.Sudo(`kairos-agent upgrade list-releases --all | tail -1`) Expect(resultStr).To(ContainSubstring("quay.io/kairos")) }) 
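Review bot: The error returned by `vm.Sudo` on the changed `list-releases --all` line is still discarded, so a non-zero exit (for example an agent build that does not accept `--all`) only surfaces as the less specific `ContainSubstring` failure on the next line. Capture it and assert on it first: change `resultStr, _ :=` to `resultStr, err :=` and add `Expect(err).ToNot(HaveOccurred(), resultStr)` before the existing expectation. Note that the `| tail -1` pipe hides the exit status of `kairos-agent` itself unless the remote shell runs with `pipefail`, so dropping the pipe and asserting on the full output would be the more reliable form. The `It` block is complete in the hunk, but its enclosing `Context` and `Describe` start outside it.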
From 2e87283c8378d1b66a6f4e33fdd09b561831d139 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 12 Jan 2024 13:55:01 +0100 Subject: [PATCH 03/85] :wrenchIcon: Adapt uki test (#2145) --- .github/workflows/uki.yaml | 6 +++++- tests/uki_test.go | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 0d98b9ccf..952482f9d 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml @@ -50,7 +50,10 @@ jobs: --MODEL=generic \ --VARIANT=core \ --BASE_IMAGE=fedora:38 - - name: Run tests + - name: Create datasource iso 🔧 + run: | + earthly +datasource-iso --CLOUD_CONFIG=tests/assets/autoinstall.yaml + - name: Run tests 🔧 env: USE_QEMU: true KVM: true @@ -60,6 +63,7 @@ jobs: EMULATE_TPM: true run: | export ISO=$(ls $PWD/build/kairos-${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}-core-amd64-generic-*.uki.iso) + export DATASOURCE=${PWD}/build/datasource.iso cp tests/go.* . go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/ - uses: actions/upload-artifact@v4 diff --git a/tests/uki_test.go b/tests/uki_test.go index 1f9c66eca..5b89aa3cd 100644 --- a/tests/uki_test.go +++ b/tests/uki_test.go @@ -20,6 +20,9 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() { }) BeforeEach(func() { + if os.Getenv("DATASOURCE") == "" { + Fail("DATASOURCE must be set and it should be the absolute path to a datasource iso") + } _, vm = startVM() vm.EventuallyConnects(300) }) @@ -48,7 +51,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() { Expect(out).ToNot(ContainSubstring("/dev/disk/by-label/COS_PERSISTENT")) }) By("installing kairos", func() { - out, err := vm.Sudo(`kairos-agent --debug uki install --device /dev/vda`) + out, err := vm.Sudo(`kairos-agent --debug install`) fmt.Println(string(out)) Expect(err).ToNot(HaveOccurred(), out) Expect(out).Should(ContainSubstring("Running after-install hook")) 
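Review bot: The new `BeforeEach` guard in uki_test.go only checks that `DATASOURCE` is non-empty, while its failure message promises an absolute path to a datasource ISO; a relative or unreadable path passes the guard and presumably fails later when the VM is started, with a less direct message. Validating the path up front (absolute, and `os.Stat` succeeds) makes the misconfiguration fail where it is introduced; `filepath.IsAbs` needs the `path/filepath` import if the file does not already have it. Since the value does not change between specs, a `BeforeAll` would also avoid repeating the check for every `It` under this `Ordered` container, though that is a matter of taste. The `Describe` callback enclosing this `BeforeEach` starts outside the hunk.
```go
	BeforeEach(func() {
		ds := os.Getenv("DATASOURCE")
		if ds == "" {
			Fail("DATASOURCE must be set and it should be the absolute path to a datasource iso")
		}
		if !filepath.IsAbs(ds) {
			Fail("DATASOURCE must be an absolute path, got: " + ds)
		}
		if _, err := os.Stat(ds); err != nil {
			Fail("DATASOURCE is not a readable datasource iso: " + err.Error())
		}
		// … unchanged: startVM and EventuallyConnects …
```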
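Review bot: The install step in the second uki_test.go hunk drops `uki install --device /dev/vda` for a plain `kairos-agent --debug install`, so the target device is no longer visible in the test; presumably it now comes from the cloud config baked into the datasource ISO (`tests/assets/autoinstall.yaml` in the uki.yaml hunk), but nothing in the test says so. A one-line comment above the call would save the next reader a trip to the workflow: `// device and install options come from the datasource iso (tests/assets/autoinstall.yaml); see the DATASOURCE check in BeforeEach`. The `By("installing kairos", …)` block continues outside the hunk.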
From dd5ea87dd143db7314af792ee93edfc63489df7b Mon Sep 17 00:00:00 2001 From: Itxaka Date: Tue, 16 Jan 2024 14:27:01 +0100 Subject: [PATCH 04/85] :sparkles: Enable secureboot for all flavors (minus alpine) (#2140) --- .github/workflows/image-pr.yaml | 10 ++++++ .github/workflows/image.yaml | 27 +++++++++++++++++ .github/workflows/reusable-install-test.yaml | 10 ++++-- Earthfile | 32 +++++++++++++++----- images/Dockerfile.debian | 1 + images/Dockerfile.kairos-debian | 1 + images/Dockerfile.kairos-opensuse | 1 + images/Dockerfile.kairos-ubuntu | 1 + images/Dockerfile.opensuse | 1 + images/Dockerfile.ubuntu | 1 + tests/install_test.go | 5 +++ tests/tests_suite_test.go | 13 ++++++++ 12 files changed, 93 insertions(+), 10 deletions(-) diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml index e233fa1c0..c9f9681b9 100644 --- a/.github/workflows/image-pr.yaml +++ b/.github/workflows/image-pr.yaml @@ -48,6 +48,16 @@ jobs: with: flavor: ubuntu flavor_release: "23.10" + secureboot: false + needs: + - core + + install-secureboot: + uses: ./.github/workflows/reusable-install-test.yaml + with: + flavor: ubuntu + flavor_release: "23.10" + secureboot: true needs: - core diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 0780c5984..2b0f7c80a 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml 
@@ -94,6 +94,33 @@ jobs: include: - flavor: opensuse flavorRelease: leap-15.5 + secureboot: false + install-secureboot: + uses: ./.github/workflows/reusable-install-test.yaml + with: + flavor: ${{ matrix.flavor }} + flavor_release: ${{ matrix.flavorRelease }} + secureboot: true + needs: + - core + strategy: + fail-fast: true + matrix: + include: + - flavor: "opensuse" + flavorRelease: "leap-15.5" + - flavor: "opensuse" + flavorRelease: "tumbleweed" + - flavor: "debian" + flavorRelease: "bookworm" + - flavor: "ubuntu" + flavorRelease: "20.04" + - flavor: "ubuntu" + flavorRelease: "22.04" + - flavor: "ubuntu" + flavorRelease: "23.10" + - flavor: "fedora" + flavorRelease: "38" zfs: uses: ./.github/workflows/reusable-zfs-test.yaml with: diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index 01d3ec223..6a229669f 100644 --- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -9,6 +9,9 @@ on: flavor_release: required: true type: string + secureboot: + required: false + type: boolean jobs: test: @@ -55,14 +58,17 @@ jobs: CREATE_VM: true FLAVOR: ${{ inputs.flavor }} run: | + if [ "${{ inputs.secureboot }}" = "true" ]; then + export FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd + fi ls *.iso export ISO=$PWD/$(ls *.iso) echo "ISO is: $ISO" cp tests/go.* . - go run github.com/onsi/ginkgo/v2/ginkgo --label-filter "install-test" --fail-fast -r ./tests + go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "install-test" --fail-fast -r ./tests - uses: actions/upload-artifact@v4 if: failure() with: - name: ${{ inputs.flavor }}-vbox.logs.zip + name: ${{ inputs.flavor }}.logs.zip path: tests/**/logs/* if-no-files-found: warn diff --git a/Earthfile b/Earthfile index 8021ecc43..e37c8d576 100644 --- a/Earthfile +++ b/Earthfile 
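Review bot: The new `install-secureboot` job in image.yaml runs its seven-flavor matrix with `fail-fast: true`, so the first flavor that fails to boot under Secure Boot cancels the rest and the run no longer shows which other flavors are affected; for a check whose purpose is per-flavor coverage, `fail-fast: false` gives the complete picture at the cost of runner minutes. The matrix also repeats the flavor list of the job above it by hand, so the two can drift silently, and the commit subject's "minus alpine" is not explained anywhere in the file; a comment such as `# alpine is intentionally absent from the secureboot matrix` would carry that decision. The `secureboot: false` added to the previous job's `leap-15.5` include entry only has an effect if that job's `with:` forwards `matrix.secureboot`, which is outside the hunk.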
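Review bot: The new `secureboot` input in reusable-install-test.yaml is declared `required: false` without a `default`, so callers that omit it depend on the runtime's implicit value for an unset boolean input, and the shell comparison in the second hunk (`"${{ inputs.secureboot }}" = "true"`) compares against whatever that expands to. Adding `default: false` under the input makes the contract explicit and leaves the existing callers that do not pass it unchanged. The `on.workflow_call.inputs` mapping starts outside the hunk.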
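Review bot: The upload step's artifact name becomes `${{ inputs.flavor }}.logs.zip`, and image-pr.yaml in this same commit calls this workflow twice with `flavor: ubuntu` (`install` and `install-secureboot`); `actions/upload-artifact@v4` rejects a second upload under an existing name, so when both jobs fail the second log upload errors out. Including the release and the mode in the name avoids the clash: `name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}${{ inputs.secureboot && '-secureboot' || '' }}.logs.zip`. The `FIRMWARE` export also assumes `/usr/share/OVMF/OVMF_CODE.fd` exists on the runner and is a Secure Boot-capable build; nothing checks that, so a missing file surfaces as a VM start failure rather than a clear message, and a `test -f` before the export is cheap. The step that owns this `run:` script starts outside the hunk.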
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.48.2 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.6.0" +ARG KAIROS_FRAMEWORK_VERSION="v2.6.3" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.10.2 +ARG OSBUILDER_VERSION=v0.11.1 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang @@ -207,12 +207,20 @@ luet: kairos-dockerfile: ARG --required FAMILY COPY ./images . - RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${FAMILY}") \ - <(sed -n '/# WARNING:/!p' Dockerfile.$FAMILY) \ - <(echo) \ - <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \ - > ./Dockerfile - SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${FAMILY} + IF [ "$FAMILY" == "all" ] + ARG FAMILY_LIST="alpine debian opensuse rhel ubuntu" + ELSE + ARG FAMILY_LIST=$FAMILY + END + FOR F IN $FAMILY_LIST + RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${F}") \ + <(sed -n '/# WARNING:/!p' Dockerfile.$F) \ + <(echo) \ + <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \ + > ./Dockerfile + SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${F} + END + extract-framework-profile: ARG FRAMEWORK_VERSION 
@@ -286,6 +294,14 @@ base-image: ARG _CIMG=$(cat ./IMAGE) COPY +git-version/GIT_VERSION VERSION + ARG KAIROS_AGENT_DEV_BRANCH + + IF [ "$KAIROS_AGENT_DEV_BRANCH" != "" ] + RUN rm -rf /usr/bin/kairos-agent + COPY github.com/kairos-io/kairos-agent:$KAIROS_AGENT_DEV_BRANCH+build-kairos-agent/kairos-agent /usr/bin/kairos-agent + END + + RUN --no-cache kairos-agent version SAVE IMAGE $_CIMG SAVE ARTIFACT /IMAGE AS LOCAL build/IMAGE diff --git a/images/Dockerfile.debian b/images/Dockerfile.debian index 0d54c3016..4459551ce 100644 --- a/images/Dockerfile.debian +++ b/images/Dockerfile.debian @@ -97,6 +97,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ python3-pynvim \ rsync \ shared-mime-info \ + shim-signed \ snapd \ squashfs-tools \ sudo \ diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian index 62e394fe1..e8171ba9f 100644 --- a/images/Dockerfile.kairos-debian +++ b/images/Dockerfile.kairos-debian @@ -96,6 +96,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ python3-pynvim \ rsync \ shared-mime-info \ + shim-signed \ snapd \ squashfs-tools \ sudo \ diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse index aa941699a..06c89caaa 100644 --- a/images/Dockerfile.kairos-opensuse +++ b/images/Dockerfile.kairos-opensuse @@ -71,6 +71,7 @@ RUN zypper in --force-resolution -y \ procps \ rng-tools \ rsync \ + shim \ squashfs \ strace \ sudo \ diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 71f2e1c46..006f3b776 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu @@ -79,6 +79,7 @@ RUN apt-get update \ openssh-server \ parted \ rsync \ + shim-signed \ snapd \ snmpd \ squashfs-tools \ diff --git a/images/Dockerfile.opensuse b/images/Dockerfile.opensuse index af4ae913e..9799c5967 100644 --- a/images/Dockerfile.opensuse +++ b/images/Dockerfile.opensuse 
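Review bot: With `KAIROS_AGENT_DEV_BRANCH` set, the base-image target replaces `/usr/bin/kairos-agent` with a binary built from an arbitrary branch of a remote repository, yet the image is still saved under the unchanged `$_CIMG` name, so a development build is indistinguishable by name from one that ships the framework's agent. At minimum the `ARG` line deserves a comment, `# dev only: never set for release builds, the image name does not reflect it`, and recording the branch in a `LABEL` on the image would leave evidence beyond the `kairos-agent version` line in the build log. `rm -rf` on a single file can be `rm -f`. The `base-image` target starts outside the hunk.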
@@ -72,6 +72,7 @@ RUN zypper in --force-resolution -y \ procps \ rng-tools \ rsync \ + shim \ squashfs \ strace \ sudo \ diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 6e0cc52cb..3c0d3ea30 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -80,6 +80,7 @@ RUN apt-get update \ openssh-server \ parted \ rsync \ + shim-signed \ snapd \ snmpd \ squashfs-tools \ diff --git a/tests/install_test.go b/tests/install_test.go index ca5b28e3c..ee84093dd 100644 --- a/tests/install_test.go +++ b/tests/install_test.go @@ -69,6 +69,9 @@ var _ = Describe("kairos install test", Label("install-test"), func() { Context("install", func() { It("cloud-config syntax mixed with extended syntax", func() { + + expectSecureBootEnabled(vm) + _ = testInstall(`#cloud-config install: bind_mounts: @@ -94,6 +97,8 @@ bundles: - container://quay.io/mocaccino/extra:edgevpn-utils-0.15.0 `, vm) + expectSecureBootEnabled(vm) + Eventually(func() string { out, _ := vm.Sudo("cat /etc/foo") return out diff --git a/tests/tests_suite_test.go b/tests/tests_suite_test.go index ef79d4a04..33f8c3519 100644 --- a/tests/tests_suite_test.go +++ b/tests/tests_suite_test.go @@ -304,6 +304,19 @@ func expectRebootedToActive(vm VM) { }) } +func expectSecureBootEnabled(vm VM) { + // Check for secureboot before install, based on firmware env var + // if we set, then the test suite will load the secureboot firmware + secureboot := os.Getenv("FIRMWARE") + + if secureboot != "" { + By("checking that secureboot is enabled", func() { + out, _ := vm.Sudo("dmesg | grep -i secure") + Expect(out).To(ContainSubstring("Secure boot enabled")) + }) + } +} + // return the PID of the swtpm (to be killed later) and the state directory func emulateTPM(stateDir string) { t := path.Join(stateDir, "tpm") From 11567290c34ff0666f41d6add44fd30a005fe12a Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 17 Jan 2024 13:57:15 +0100 Subject: [PATCH 05/85] Add missing `\` on example 
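Review bot: `expectSecureBootEnabled` in tests_suite_test.go infers that Secure Boot must be on from `FIRMWARE` being non-empty, but the same variable is set in uki.yaml to pick the OVMF image for the TPM-emulated UKI run, so a firmware path held in a variable named `secureboot` is misleading and the coupling deserves a sentence in the comment, e.g. `// FIRMWARE is the OVMF image the suite boots with; any non-empty value is taken to mean a Secure Boot-capable firmware`. The check also relies on `dmesg` still holding the boot banner; if `testInstall` in install_test.go reboots the VM before the second call, a wrapped ring buffer fails the assertion for an unrelated reason, and reading the `SecureBoot` EFI variable under `/sys/firmware/efi/efivars/` is a stable alternative. The discarded error on the `dmesg | grep` line is acceptable here because an empty result fails the assertion anyway. The function is complete in the hunk.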
Signed-off-by: Mauro Morales --- examples/byoi/ubuntu-non-hwe/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/byoi/ubuntu-non-hwe/README.md b/examples/byoi/ubuntu-non-hwe/README.md index cccdf0e17..7530f7828 100644 --- a/examples/byoi/ubuntu-non-hwe/README.md +++ b/examples/byoi/ubuntu-non-hwe/README.md @@ -34,7 +34,7 @@ docker build --build-arg="BASE_IMAGE=ubuntu-non-hwe:22.04" \ --build-arg="VARIANT=core" \ --build-arg="MODEL=generic" \ --build-arg="FRAMEWORK_VERSION=v2.5.5" \ - --build-arg="RELEASE=v0.0.1" + --build-arg="RELEASE=v0.0.1" \ -t kairos-ubuntu-non-hwe:22.04 \ -f Dockerfile.kairos-ubuntu . ``` From 1d1c26e9649ded169454ab2a0d3101a5f48929af Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 14:45:39 +0000 Subject: [PATCH 06/85] Update aquasec/trivy Docker tag to v0.48.3 --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index e37c8d576..301503311 100644 --- a/Earthfile +++ b/Earthfile @@ -7,7 +7,7 @@ ARG GITHUB_REPO=kairos-io/kairos # renovate: datasource=docker depName=quay.io/luet/base ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy -ARG TRIVY_VERSION=0.48.2 +ARG TRIVY_VERSION=0.48.3 # renovate: datasource=github-releases depName=kairos-io/kairos-framework ARG KAIROS_FRAMEWORK_VERSION="v2.6.3" ARG COSIGN_SKIP=".*quay.io/kairos/.*" From ce947f3b83110280565730ae199439dba2a2ab5a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 09:34:20 +0100 Subject: [PATCH 07/85] Update tj-actions/changed-files action to v42 (#2153) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/image-arm.yaml | 2 +- .github/workflows/reusable-build-base-image.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 94738c408..057dfcf8b 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v42 with: files_yaml: | nvidia: diff --git a/.github/workflows/reusable-build-base-image.yaml b/.github/workflows/reusable-build-base-image.yaml index 8bf8d3b01..ef0aa5b4f 100644 --- a/.github/workflows/reusable-build-base-image.yaml +++ b/.github/workflows/reusable-build-base-image.yaml @@ -36,7 +36,7 @@ jobs: fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v42 with: files_yaml: | dockerfiles: From 8de95805c16c30279e1c8b9ac8417c0de44c5f9d Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Fri, 19 Jan 2024 14:49:29 +0200 Subject: [PATCH 08/85] Add scp to fedora (#2154) --- images/Dockerfile.kairos-rhel | 1 + images/Dockerfile.rhel | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel index f3c15ad50..cf34e0ec6 100644 --- a/images/Dockerfile.kairos-rhel +++ b/images/Dockerfile.kairos-rhel @@ -60,6 +60,7 @@ RUN dnf install -y \ lvm2 \ nano \ openssh-server \ + openssh-clients \ parted \ polkit \ qemu-guest-agent \ diff --git a/images/Dockerfile.rhel b/images/Dockerfile.rhel index 30a89531b..ff19b5c97 100644 --- a/images/Dockerfile.rhel +++ b/images/Dockerfile.rhel @@ -61,6 +61,7 @@ RUN dnf install -y \ lvm2 \ nano \ openssh-server \ + openssh-clients \ parted \ polkit \ qemu-guest-agent \ @@ -84,4 +85,4 @@ RUN systemctl enable getty@tty3.service RUN systemctl enable systemd-networkd RUN systemctl enable systemd-resolved RUN systemctl disable dnf-makecache.service -RUN systemctl enable sshd \ No newline at end of file +RUN systemctl enable sshd 
From d150de031eb1bfb533bb1ccf291b451e31e5a71c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Mon, 22 Jan 2024 14:40:59 +0100 Subject: [PATCH 09/85] Remove duplicated zfs installation on rhel (#2161) Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-rhel | 3 +-- images/Dockerfile.rhel | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel index cf34e0ec6..2fcaf94f5 100644 --- a/images/Dockerfile.kairos-rhel +++ b/images/Dockerfile.kairos-rhel @@ -72,8 +72,7 @@ RUN dnf install -y \ systemd-networkd \ systemd-resolved \ tar \ - which \ - zfs && dnf clean all + which && dnf clean all FROM common AS all RUN mkdir -p /run/lock diff --git a/images/Dockerfile.rhel b/images/Dockerfile.rhel index ff19b5c97..ce5bdd203 100644 --- a/images/Dockerfile.rhel +++ b/images/Dockerfile.rhel @@ -74,7 +74,7 @@ RUN dnf install -y \ systemd-resolved \ tar \ which \ - zfs && dnf clean all + && dnf clean all FROM common AS all RUN mkdir -p /run/lock From 5944a15d64d6c253fa283d79a97ddd0ec5e929de Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 25 Jan 2024 14:02:36 +0100 Subject: [PATCH 10/85] Add target to transform kairos image into UKI (#2169) * Add target to transform kairos image into UKI Signed-off-by: Mauro Morales * oops that looks messy Signed-off-by: Mauro Morales * rename targets Signed-off-by: Mauro Morales * Adapt pipelines Signed-off-by: Mauro Morales * lint Signed-off-by: Mauro Morales * Use a variable for the enki version Signed-off-by: Mauro Morales --------- Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 31 ++++++++++--- .github/workflows/uki.yaml | 14 +++++- Earthfile | 84 +++++++++++++++++++++------------- 3 files changed, 89 insertions(+), 40 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 845ac1878..e5fe6a0c8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
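Review bot: After this commit `images/Dockerfile.rhel` ends its package list with `which \` followed by a line holding only `&& dnf clean all`, while `images/Dockerfile.kairos-rhel` gets `which && dnf clean all` on one line; both are valid shell, but the `kairos-dockerfile` target in the Earthfile generates `Dockerfile.kairos-<family>` from `Dockerfile.<family>`, so the two files now differ textually and the next regeneration will rewrite the hand-edited one. Keep them identical (the single-line form is the cleaner) or regenerate `Dockerfile.kairos-rhel` instead of editing it by hand. The `RUN dnf install` statement starts outside both hunks.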
@@ -26,6 +26,25 @@ jobs: content="${content//$'\r'/'%0D'}" # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" + get-uki-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - run: | + sudo apt update && sudo apt install -y jq + - id: set-matrix + run: | + content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core" and .flavor == "fedora"))'` + # the following lines are only required for multi line json + content="${content//'%'/'%25'}" + content="${content//$'\n'/'%0A'}" + content="${content//$'\r'/'%0D'}" + # end of optional handling for multi line json + echo "::set-output name=matrix::{\"include\": $content }" # The matrix for standard (provider) images get-standard-matrix: @@ -182,6 +201,11 @@ jobs: category: ${{ matrix.flavor }} build-core-uki: runs-on: ubuntu-latest + needs: + - build-core + - get-uki-matrix + strategy: + matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }} steps: - uses: actions/checkout@v4 with: @@ -195,12 +219,7 @@ jobs: run: | # Do fedora as its the smaller uki possible earthly +uki-iso \ - --FAMILY=rhel \ - --FLAVOR=fedora \ - --FLAVOR_RELEASE=38 \ - --VARIANT=core \ - --MODEL=generic \ - --BASE_IMAGE=fedora:38 + --BASE_IMAGE=quay.io/kairos/fedora:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }} - name: Release uses: softprops/action-gh-release@v1 diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 952482f9d..74d76a043 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml 
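Review bot: The new `get-uki-matrix` job copies the `::set-output` form together with the `%`/newline escaping that only exists to make it work, but `set-output` is deprecated in favour of `$GITHUB_OUTPUT`, and with `jq -c` the whole step collapses to one line: `echo "matrix={\"include\": $(jq -c 'map(select(.arch == "amd64" and .variant == "core" and .flavor == "fedora"))' .github/flavors.json)}" >> "$GITHUB_OUTPUT"`. The same applies to the existing `get-*-matrix` jobs this one was copied from, which are outside the hunk. `jq` ships on `ubuntu-latest`, so the `apt install -y jq` step is likely redundant, though harmless. In the `build-core-uki` hunk on this line the fedora image is consumed by tag (`…-${{ github.ref_name }}`) rather than by the digest `build-core` pushed, which is worth a comment if tag mutability is accepted there.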
@@ -41,15 +41,25 @@ jobs: with: repository: quay.io/kairos/packages packages: utils/earthly - - name: Build uki ISO 🔧 + - name: Build base image 🔧 run: | # known flavors to work with uki+encryption: fedora >= 38, ubuntu >= 23.10, anything with systemd 253 - earthly +uki-iso \ + earthly +base-image \ --FLAVOR=fedora \ --FLAVOR_RELEASE=38 \ --FAMILY=rhel \ --MODEL=generic \ --VARIANT=core \ --BASE_IMAGE=fedora:38 + - name: Push image to ttl.sh + env: + TEMP_IMAGE: ttl.sh/fedora-38-${{ github.head_ref || github.ref }}:24h + run: | + docker tag $(cat build/IMAGE) $TEMP_IMAGE + docker push $TEMP_IMAGE + - name: Build uki ISO 🔧 + run: | + earthly +uki-iso \ + --BASE_IMAGE=ttl.sh/fedora-38-${{ github.head_ref || github.ref }}:24h - name: Create datasource iso 🔧 run: | earthly +datasource-iso --CLOUD_CONFIG=tests/assets/autoinstall.yaml diff --git a/Earthfile b/Earthfile index 301503311..bf38ce80e 100644 --- a/Earthfile +++ b/Earthfile @@ -32,6 +32,8 @@ ARG HADOLINT_VERSION=2.12.0-alpine ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 +# renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker +ARG ENKI_VERSION=v0.0.8 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos 
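Review bot: The new push step in uki.yaml builds the ttl.sh image name from `github.head_ref || github.ref`, and the following step expands that same expression directly inside a `run:` script (`--BASE_IMAGE=ttl.sh/fedora-38-${{ github.head_ref || github.ref }}:24h`); branch names are chosen by whoever opens the pull request, so they should reach the shell only through an environment variable, and they need normalising anyway (uppercase letters, the `refs/heads/` prefix of `github.ref`) to form a valid repository name. Separately, ttl.sh is an anonymous registry, so between the push and the pull in the next step the tag can be replaced by anyone; the `+uki-iso` build should consume the digest recorded at push time rather than the tag. The rewrite below does both, passing the digest reference through a step output, on the assumption that Earthly's `FROM $BASE_IMAGE` accepts an `@sha256:` reference, which the page does not show.
```yaml
      - name: Push image to ttl.sh
        id: push
        env:
          # branch names are user supplied: keep them out of the script body and normalise them
          REF: ${{ github.head_ref || github.ref_name }}
        run: |
          repo="ttl.sh/fedora-38-$(printf '%s' "$REF" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9._-' '-')"
          docker tag "$(cat build/IMAGE)" "$repo:24h"
          docker push "$repo:24h"
          # ttl.sh is anonymous and tags are mutable; pin the next step to what was actually pushed
          echo "image=$(docker inspect --format '{{index .RepoDigests 0}}' "$repo:24h")" >> "$GITHUB_OUTPUT"
      - name: Build uki ISO 🔧
        env:
          BASE_IMAGE: ${{ steps.push.outputs.image }}
        run: |
          earthly +uki-iso --BASE_IMAGE="$BASE_IMAGE"
      # … unchanged: datasource iso and test steps …
```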
@@ -317,12 +319,32 @@ image-rootfs: ## UKI Stuff Start +enki-image: + FROM quay.io/kairos/enki:${ENKI_VERSION} + SAVE ARTIFACT /enki enki + +uki-iso: + ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki + FROM $BASE_IMAGE + ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') + + FROM +uki-dev-tools-image + + COPY +enki-image/enki /usr/bin/enki + COPY ./tests/keys /keys + RUN echo $BASE_IMAGE > /IMAGE + + RUN --no-cache enki build-uki $(cat /IMAGE) /tmp/kairos.uki.iso /keys + SAVE ARTIFACT /tmp/kairos.uki.iso kairos.uki.iso AS LOCAL build/$ISO_NAME.uki.iso + +# WARNING the following targets are just for development purposes, use them at your own risk # Base image for uki operations so we only run the install once -uki-tools-image: +uki-dev-tools-image: FROM fedora:39 # objcopy from binutils and systemd-stub from systemd - RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl systemd-ukify + RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl systemd-ukify dosfstools xorriso + SAVE IMAGE uki-tools # HOW TO: Generate the keys # Platform key @@ -349,7 +371,7 @@ uki-tools-image: # cmdline # os-release # uname -uki-base: +uki-dev-base: WORKDIR build # Build kernel,uname, etc artifacts FROM +base-image --BUILD_INITRD=false @@ -371,15 +393,15 @@ uki-base: SAVE ARTIFACT /etc/os-release Osrelease # Now build, measure and sign the uki image -uki-build: - FROM +uki-tools-image +uki-dev-build: + FROM +uki-dev-tools-image WORKDIR /build COPY tests/keys/* . - COPY +uki-base/initrd . - COPY +uki-base/Kernel . - COPY +uki-base/Cmdline . - COPY +uki-base/Uname . - COPY +uki-base/Osrelease . + COPY +uki-dev-base/initrd . + COPY +uki-dev-base/Kernel . + COPY +uki-dev-base/Cmdline . + COPY +uki-dev-base/Uname . + COPY +uki-dev-base/Osrelease . COPY +git-version/GIT_VERSION ./ ARG KAIROS_VERSION=$(cat GIT_VERSION) 
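Review bot: The new `uki-iso` target copies `./tests/keys` into the builder and passes that directory to `enki build-uki` as the signing key set, and the release.yaml hunk in this same commit runs `earthly +uki-iso` from `build-core-uki`, so the published UKI ISO is signed with keys that live in the repository. Keys anyone can read give the signature no authenticity value, so the release artifact should either be signed with keys supplied from outside the repository or carry a test-signed marker in its name. Making the directory a parameter keeps the test path as is while letting release supply its own: `ARG KEYS_DIR=./tests/keys` with `COPY $KEYS_DIR /keys` (if Earthly expands the ARG there) and a comment on the ARG that the default is the development key set. `FROM +uki-dev-tools-image` also ties this target to one the `# WARNING` comment right below marks as development-only, which deserves a sentence in the target's header comment.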
@@ -409,29 +431,29 @@ uki-build: # Base target to set the directory structure for the image artifacts # as we need to create several dirs and copy files into them # Then we generate the image from scratch to not ring anything else -uki-image-artifacts: - FROM +uki-tools-image +uki-dev-image-artifacts: + FROM +uki-dev-tools-image COPY +git-version/GIT_VERSION ./ ARG KAIROS_VERSION=$(cat GIT_VERSION) - COPY +uki-build/systemd-bootx64.signed.efi /output/efi/EFI/BOOT/BOOTX64.EFI - COPY +uki-build/uki.signed.efi /output/efi/EFI/kairos/${KAIROS_VERSION}.efi - COPY +uki-build/${KAIROS_VERSION}.conf /output/efi/loader/entries/${KAIROS_VERSION}.conf - COPY +uki-build/loader.conf /output/efi/loader/loader.conf - COPY +uki-build/PK.der /output/efi/loader/keys/kairos/PK.der - COPY +uki-build/KEK.der /output/efi/loader/keys/kairos/KEK.der - COPY +uki-build/DB.der /output/efi/loader/keys/kairos/DB.der + COPY +uki-dev-build/systemd-bootx64.signed.efi /output/efi/EFI/BOOT/BOOTX64.EFI + COPY +uki-dev-build/uki.signed.efi /output/efi/EFI/kairos/${KAIROS_VERSION}.efi + COPY +uki-dev-build/${KAIROS_VERSION}.conf /output/efi/loader/entries/${KAIROS_VERSION}.conf + COPY +uki-dev-build/loader.conf /output/efi/loader/loader.conf + COPY +uki-dev-build/PK.der /output/efi/loader/keys/kairos/PK.der + COPY +uki-dev-build/KEK.der /output/efi/loader/keys/kairos/KEK.der + COPY +uki-dev-build/DB.der /output/efi/loader/keys/kairos/DB.der SAVE ARTIFACT /output/efi efi # This is the final artifact, only the files on it -uki-image: +uki-dev-image: COPY +base-image/IMAGE . ARG _CIMG=$(cat ./IMAGE) FROM scratch - COPY +uki-image-artifacts/efi / + COPY +uki-dev-image-artifacts/efi / SAVE IMAGE --push $_CIMG.uki -uki-iso: +uki-dev-iso: # +base-image will be called again by +uki but will be cached. # We just use it here to take a shortcut to the artifact name FROM +base-image 
@@ -444,17 +466,18 @@ uki-iso: ARG OSBUILDER_IMAGE FROM $OSBUILDER_IMAGE WORKDIR /build - COPY +uki-build/systemd-bootx64.signed.efi . - COPY +uki-build/uki.signed.efi . - COPY +uki-build/${KAIROS_VERSION}.conf . - COPY +uki-build/loader.conf . - COPY +uki-build/PK.der . - COPY +uki-build/KEK.der . - COPY +uki-build/DB.der . + COPY +uki-dev-build/systemd-bootx64.signed.efi . + COPY +uki-dev-build/uki.signed.efi . + COPY +uki-dev-build/${KAIROS_VERSION}.conf . + COPY +uki-dev-build/loader.conf . + COPY +uki-dev-build/PK.der . + COPY +uki-dev-build/KEK.der . + COPY +uki-dev-build/DB.der . RUN mkdir -p /tmp/efi RUN ls -ltra /build # get the size of the artifacts ARG SIZE=$(du -sm /build | cut -f1) + RUN ls -ltra /build # Create just the size we need + 50MB just in case? RUN dd if=/dev/zero of=/tmp/efi/efiboot.img bs=1M count=$((SIZE + 50)) RUN mkfs.msdos -F 32 /tmp/efi/efiboot.img @@ -475,11 +498,8 @@ uki-iso: RUN mcopy -i /tmp/efi/efiboot.img systemd-bootx64.signed.efi ::EFI/BOOT/BOOTX64.EFI RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o $ISO_NAME.iso /tmp/efi SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.uki.iso - # Uki stuff End - - ### ### Artifacts targets (ISO, netboot, ARM) ### From c6929b484cb00c082a0ba83bc4a275d0cab06fbb Mon Sep 17 00:00:00 2001 
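Review bot: The added `RUN ls -ltra /build` directly after `ARG SIZE=$(du -sm /build | cut -f1)` repeats the listing issued two lines earlier and cannot affect the artifact, so it reads as a debugging leftover; drop it, or if the intent is to log what `du` measured, keep only one of the two. The rest of this hunk is the `uki-build` → `uki-dev-build` rename of the `COPY` sources. `uki-dev-iso`'s body continues past the end of the hunk.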
From: Itxaka Date: Thu, 25 Jan 2024 14:31:15 +0100 Subject: [PATCH 11/85] [uki] Provide proper artifacts for auto-key-enrollment (#2172) --- .github/workflows/uki.yaml | 1 + Earthfile | 20 ++++++++++--- tests/assets/efivars.empty.fd | Bin 0 -> 131072 bytes tests/keys/DB.auth | Bin 0 -> 2037 bytes tests/keys/DB.esl | Bin 0 -> 825 bytes tests/keys/KEK.auth | Bin 0 -> 2036 bytes tests/keys/KEK.esl | Bin 0 -> 827 bytes tests/keys/PK.auth | Bin 0 -> 2034 bytes tests/keys/PK.esl | Bin 0 -> 825 bytes tests/keys/README.md | 51 +++++++++++++++++++++++++++++++++- tests/tests_suite_test.go | 16 ++++++++--- 11 files changed, 79 insertions(+), 9 deletions(-) create mode 100644 tests/assets/efivars.empty.fd create mode 100644 tests/keys/DB.auth create mode 100644 tests/keys/DB.esl create mode 100644 tests/keys/KEK.auth create mode 100644 tests/keys/KEK.esl create mode 100644 tests/keys/PK.auth create mode 100644 tests/keys/PK.esl diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 74d76a043..0c3668689 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml @@ -71,6 +71,7 @@ jobs: CPUS: 2 FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd EMULATE_TPM: true + UKI_TEST: true run: | export ISO=$(ls $PWD/build/kairos-${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}-core-amd64-generic-*.uki.iso) export DATASOURCE=${PWD}/build/datasource.iso diff --git a/Earthfile b/Earthfile index bf38ce80e..87ef2c124 100644 --- a/Earthfile +++ b/Earthfile 
@@ -421,8 +421,11 @@ uki-dev-build:
 RUN printf 'title Kairos %s\nefi /EFI/kairos/%s.efi\nversion %s' ${KAIROS_VERSION} ${KAIROS_VERSION} ${KAIROS_VERSION} > ${KAIROS_VERSION}.conf
 RUN printf 'default @saved\ntimeout 5\nconsole-mode max\neditor no\n' > loader.conf
 SAVE ARTIFACT PK.der PK.der
+ SAVE ARTIFACT PK.auth PK.auth
 SAVE ARTIFACT KEK.der KEK.der
+ SAVE ARTIFACT KEK.auth KEK.auth
 SAVE ARTIFACT DB.der DB.der
+ SAVE ARTIFACT DB.auth DB.auth
 SAVE ARTIFACT systemd-bootx64.signed.efi systemd-bootx64.signed.efi
 SAVE ARTIFACT uki.signed.efi uki.signed.efi
 SAVE ARTIFACT ${KAIROS_VERSION}.conf ${KAIROS_VERSION}.conf
@@ -441,8 +444,11 @@ uki-dev-image-artifacts:
 COPY +uki-dev-build/${KAIROS_VERSION}.conf /output/efi/loader/entries/${KAIROS_VERSION}.conf
 COPY +uki-dev-build/loader.conf /output/efi/loader/loader.conf
 COPY +uki-dev-build/PK.der /output/efi/loader/keys/kairos/PK.der
+ COPY +uki-dev-build/PK.der /output/efi/loader/keys/kairos/PK.auth
 COPY +uki-dev-build/KEK.der /output/efi/loader/keys/kairos/KEK.der
+ COPY +uki-dev-build/KEK.der /output/efi/loader/keys/kairos/KEK.auth
 COPY +uki-dev-build/DB.der /output/efi/loader/keys/kairos/DB.der
+ COPY +uki-dev-build/DB.der /output/efi/loader/keys/kairos/DB.auth
 SAVE ARTIFACT /output/efi efi
 # This is the final artifact, only the files on it
@@ -471,8 +477,11 @@ uki-dev-iso:
 COPY +uki-dev-build/${KAIROS_VERSION}.conf .
 COPY +uki-dev-build/loader.conf .
 COPY +uki-dev-build/PK.der .
+ COPY +uki-dev-build/PK.auth .
 COPY +uki-dev-build/KEK.der .
+ COPY +uki-dev-build/KEK.auth .
 COPY +uki-dev-build/DB.der .
+ COPY +uki-dev-build/DB.auth .
 RUN mkdir -p /tmp/efi
 RUN ls -ltra /build
 # get the size of the artifacts
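Review bot: In the `uki-dev-image-artifacts` hunk the three new lines copy the DER certificate to the `.auth` destination, e.g. `COPY +uki-dev-build/PK.der /output/efi/loader/keys/kairos/PK.auth`, so the container image never receives the signed signature lists that `uki-dev-build` now saves (`SAVE ARTIFACT PK.auth PK.auth` and friends in the first hunk); the sources should be `PK.auth`, `KEK.auth` and `DB.auth`, exactly as the `uki-dev-iso` hunk below does. The same hunk also keeps the keys under `loader/keys/kairos/` while the ISO built in the next hunk on this page moves them to `loader/keys/auto/`; systemd-boot looks for enrollable sets under `loader/keys/<name>/`, so the container image and the ISO will present different key sets to the boot loader, which looks unintended. A one-line comment above the copies, `# .auth = signed signature lists consumed by systemd-boot enrollment; .der = for manual enrollment via the firmware UI`, would make the two formats' roles clear.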
@@ -488,10 +497,13 @@ uki-dev-iso:
 RUN mmd -i /tmp/efi/efiboot.img ::loader
 RUN mmd -i /tmp/efi/efiboot.img ::loader/entries
 RUN mmd -i /tmp/efi/efiboot.img ::loader/keys
- RUN mmd -i /tmp/efi/efiboot.img ::loader/keys/kairos
- RUN mcopy -i /tmp/efi/efiboot.img PK.der ::loader/keys/kairos/PK.der
- RUN mcopy -i /tmp/efi/efiboot.img KEK.der ::loader/keys/kairos/KEK.der
- RUN mcopy -i /tmp/efi/efiboot.img DB.der ::loader/keys/kairos/DB.der
+ RUN mmd -i /tmp/efi/efiboot.img ::loader/keys/auto
+ RUN mcopy -i /tmp/efi/efiboot.img PK.der ::loader/keys/auto/PK.der
+ RUN mcopy -i /tmp/efi/efiboot.img PK.auth ::loader/keys/auto/PK.auth
+ RUN mcopy -i /tmp/efi/efiboot.img KEK.der ::loader/keys/auto/KEK.der
+ RUN mcopy -i /tmp/efi/efiboot.img KEK.auth ::loader/keys/auto/KEK.auth
+ RUN mcopy -i /tmp/efi/efiboot.img DB.der ::loader/keys/auto/DB.der
+ RUN mcopy -i /tmp/efi/efiboot.img DB.auth ::loader/keys/auto/DB.auth
 RUN mcopy -i /tmp/efi/efiboot.img ${KAIROS_VERSION}.conf ::loader/entries/${KAIROS_VERSION}.conf
 RUN mcopy -i /tmp/efi/efiboot.img loader.conf ::loader/loader.conf
 RUN mcopy -i /tmp/efi/efiboot.img uki.signed.efi ::EFI/kairos/${KAIROS_VERSION}.efi
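Review bot: The keys now land in `loader/keys/auto`, but systemd-boot only enrolls a key set without user interaction when `loader.conf` carries `secure-boot-enroll if-safe` (or `force`); the `loader.conf` written by `uki-dev-build` earlier on this page (`default @saved`, `timeout 5`, `console-mode max`, `editor no`) has no such line, and under the default (`manual`) the set is only offered as a boot-menu entry. If the `UKI_TEST` run relies on unattended enrollment, confirm which behaviour the test actually sees and, if needed, add the option to the `printf` that writes `loader.conf`. A comment on the `mmd … ::loader/keys/auto` line, `# "auto" is the key set systemd-boot may enroll by itself; governed by secure-boot-enroll in loader.conf`, would document that dependency. The `.der` copies placed alongside are not read by the enrollment path, which consumes the `.auth` files, so keep them only if something else on the ESP needs them.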
diff --git a/tests/assets/efivars.empty.fd b/tests/assets/efivars.empty.fd new file mode 100644 index 0000000000000000000000000000000000000000..6bab68620351568925e62e076ed91dc625d6b824 GIT binary patch literal 131072 zcmeI*3tWs@9|!PfW{RRDQiMt_Ma6WZLZzEhQAsYzZYm;@iYyizl8t34*G+P5bBVOO zv9Y;tu93@TQSN13w_Uq=m)>*cl4;B|Pm1jO{vMy{nQ5MRo^!tEod5Hj^PCC8)LfRD zJg-_cJ<03ag+>FL1`hFI7_MN0Puv3Bt6nQH?o7K%@(Zp3{cTJ7L%7T^t;n2}yv{j& zUQeyTN8?uHmN3ky*TVNQhdD4j@rH8N+T`~f@=$v;J>NKLt@Fm{sZU0`B&9hs)0h}0 zmYKp#X1vMIP$rD-p^EO)h(4=jX+hpoB9F*>hl;OHEB45_`khrLjgXlkWFOIFpP|fH z(H2#L{dKNoU-T_q@}Oxfy&JRq(WjA~Yk6LV{km!N3n2T8Bzv1e_UcKVe@0R~n3+zu zCj0HjG$qe!TU5xKG@Y7`QNMAuiZs89V>T8{i0EMcZm$8R&T> z!_PI<<;mek~)HIrYwo2%r=r~$r+jb?LC{i*S4goTFpHhFy>^tw-%Zi!7?B=Hf(ZKtbxp}#2YozI!~>U4*c&q zY?-23^6$w?gQv8*jyL$8|95sMh&AkD8a)HOb4=qlY)rF|RRY3OBzZ?1(`0TX>ysbw zcZg{Uu@Tec6CtL_w-LWnhnPmsp6?#hc!KLyMQ32P*J+mG^h>U*cP@@;GPjcaL?b*$ zOjC%Cm?obHF-^XW_?y+)BJrBdrnF6v88} z$tOZwlW!w_rw(zg3HeOD;#!l29arlu&V%HdCQ`77KN$#wM&VR2lOxs~K68sRzOnnHBMHTgt{Yw~Tx@38C} z(s>DS~rEqau)2-jqG_KGmP;g^W-Ft!e;&*ogYZ2M9R-k07< zIOaWtcW=cvK$&^e%IaFWT z*2veJ7p=%s`&#zNXN3P4MwL_zQ&JKWNJ&JIe`JniQ!S?8VD9YS{Lk#)^wih{KzlA|6^Qd^SM<@WWJ<>!g-gptYqcSpB!^CnG-pM%sq`I+px_W zEf;#*T-wWr%(@IFdm1O0Av&4yBCjHu@np-eNW#X-tr^*xmY(#!CHFO+Wf_R)v6ju< zr?mS;bN7Rn`xGx3vp6$=q$`@#&}j0H&SiBIq?@LbU45bRZS`cN(V6TmlC&6H^udmPR=xxdmK93m6WUWQS?Q>5zK3#M`E8RDj@C7 zI!_!WxoP1D#_f46T9f^g<%saqqQc?unrSgZ2OcgxRC!Tzof@;;$l=h$I8LMAyL zn)CJ9Je6a^1sB~s;YBygJ_zkE(Q~78Jr#cE?M=^(Y~tv9b#)r~HXnJ)u7AU3-=c4d ziT14{+PC8V0!{M?@{mqapl!@=#be*_H9Xv7feIZaIALxL?nj z`Bu1Q-B+FY@ff_73AXJiQAQr#)3r@~%BfD{9v`+pu6T|l9k-%mk{2Rf0-N8-9I{Ba zxBsKfpU$%;W5w2tm0;x1oIJNA&#f6cSIEwXLq=q?vgpVey)34S@OriS>n*}xzV(wH z%a}Ym-J82|cZ#m};_mKw#m$OzD|aoUQn*YP(edcWqJii+J(}e4+2yrgosa*( zm`C!Sl|^sF(c|$Y(qbwjEk6EC)$3MP0m5^%A`?1xOV88k8T-=)_1fl~_)Xzo-yfTK z*_n(JP9Wo@kz|b1gM6D@aFxJeIHnuQOa1&A(f$?3a9Xyq#yDkj|xGbukf+e=EL6LhH)l zTJ|k$KUN|aZHe~dO=3a}6GHOsLSn;o@{0c5jknthqa>?^usQG2_Cb3Xb<4Lh>-vyU 
z%f5yArt|D+eF%`qw+}OdM2_hs4jYg&h&Q==<;>WT^O5XxRCn@e>FB|5dCj{r!pKS9 zma}kpYVGB`RnM3stB)s+mv6@$9*Nn?Bu=sG=h6C9KpyhSOz29_-PAQshHLNl?y62t zysQ>S>8)f{Wmeb0v@X+gt2`I^?oC+`i7L+DHALs8#ZGJQYlnk}yY1Y<|+uI*?Yf44GFC3U>N!u$EO zj7QXR3}G4Ak}YT%m{wou(VjN_i%8LAP5(lY0hyr@PF_zETsg{{bufRc(ro(;9fs@* zEA6GD1zN+~tynk>?PldG&L z(@wQb&65=Uj4kPCoX&1{)vo_4*Ufp?3R{d1n2I1vA+b(x>`{+V$UXL zgDZUXCaOIW+!Ov%=Wv=UGkh)cR{WMtc*B%W6QZZY7`Qm`^>oxNEcvz;*57)tJ*+=1rBb2J!|qGsH94u^Sayk@4|PdnBBS}=Ns#>7v5 zUv=d3uP5*({;3kKx^?rO3*~FpUmH_axoF`Zuh$t}_08#}DPCFJyK2(}< za;w_DIJ=jt$4ba?a*mp^6VnbBuE zRxZ80$7M#BS8<2?e={Xge_CNWFaIaI{xjQ-Kf`qEXjYjN?zcMgl7(9Lal?gnUuDiLtHXOow!GY7 zdD?bu-RzXD{jP-n?1ffcK`6aNgc1IESwqlWvkFpu@zZd z9_ayY9?JLScO>E+TPSHOXS(@F>0cxdpfGMBUZdl=(QxX~A*FUN=<&?dE*1sZ_Wj zze4X^=h$dN zL&vBa+0kB=R`+M=1ug5(Pi}7uXNxdWERziK)6Vi9pIAi~ z=EU~yonzu}eLTKo*LOS8_hzlUIC93rjn}Ww+56&bh@WO+n>Ah5YOEV$KSFDE=N8w@ zkFI}gq*4C#z@1qM$M&TuXASDL+vk39`HK~6QVzy0pEfD_%8J83`0Flw@yTtwjgF~t zyoXu?^~&e>P>V2m9AKWC{A1|y%Kg1o3^xo;D4KS6$%FK0r;Gvm{WhwmpXXou;pV3Q zeA3bU#>s);FjaT=}_}V2eQ`+GK@1)V8_x_oe^r2pzDwLyW^IoBUH-)(%+{ zf9il~#Dqld@V(bJw)@uD`^8CSU&}>t)~Ww=>F28*zS*E}kg8{QeVrv~cgj21gy!kE znC!Bj)Z*|slm1gC&fjEUTy|~h(#xL9^M{?iurXu2dU@xw2W%{!oO)cNwrszv9WE4!Kf{;JEbd2x%(uQvU3_^TZ4A|pNBKb?R0 z^Ph=3?wRfTA^O#bJR>j59cDK!jlbUY$Ti=B$J2^(Mom=fI(XJCIqgq0vrE{F1m{b7 zMw4!TJ~CTh9nO6-woGsv@HC{Q{#?6~qc>Ea<#+Y6kZyf4&V4>ojnBfSM&lzdWu5!T zrxdllZ~uJ$dViP8mc`!TI~_;fayvBi_nV1Ndc~MTovU<-$ZnDH^hr$4`JU6x`ueF4 zOD%5aQq(NMrcK72;@RnUj}P>TS@`g8r=2mTs$c#%`m3YO{FTiNJU_Rr7~@zHZ{XQ# z-lGK>tK1^`w6S0Dk8|FP<0oc#JW@TCaPj`rUB{QXBt2*DxTo_vd^0vY+$Z|Sf2tr{bO4ZfU-5Rdz_+L4yksZ7%w{`E<(NoxGsW#s}NSROpP}?`sgB{fqhb z=oJ>FuF0A)TE-!#clP_q=~A)}Z>;^=ikTWV4lhpL)9Y52r>|oY|M+t1v~fKb=*FvV zy)8@G{3g%cukSEf+T%i1@$E-dt)1L0RNK1_+rKpXrq{E! 
z-;dj-GxgA~R|2>9=ap=WJzvnoEPuwNL|yOn*~7xy9H09*Fd=@8W7lJ+LN=|Ax4)^A z5i+qb-q+30&3##~RGkN0pMN^fvwc!^x5G`&n!sb1`k&v_f*trZP*S{fTW@AjS*XsSkirX-TMrg&V1 z#tY0ze7AY>)DCkJ34)A;+F%}?WW8cB`HJOOD7D3Wv^SNGdSE`9)OVq3z2cyDb-Mgw zbuOXj<&S7Sn$&r@-qW5~8(=;f``Yy(uX8*|{gmz(y^rf*+F@aH?M3h7;GPyi5INNE zo|fV{aSe4(YZpmxUG8Z$735I<4?3<+=dH>6|6AzT1e^Lq&x7du*Zi(|BYiJT>fF;{ z-D6g9h1LV~{UyF3Uh})#4R&QjcJyA#`9q!)(f60^qX~u@S+_Ct{YjvavC#N~zQ1I> z61C_C`koT{{%fdB*`009U<00Izz00bZa0SG_<0uX=z z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV= z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=AB})X_YoVyXMgUo@mv`5 zDy@BrX_jf|Ym&NB4f;Q}Gt5VmP$UEb5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV= z5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_ z009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz z00bZa0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_< i0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*#QCGcNIyC?_% literal 0 HcmV?d00001 
diff --git a/tests/keys/DB.auth b/tests/keys/DB.auth new file mode 100644 index 0000000000000000000000000000000000000000..2103d7a26cb433f0464244a1f576c42ee2e062cd GIT binary patch literal 2037 zcma)+dpy(o8^HJ7MkXw`A-0Ky<~Y7%gu-09x%HcJt3xeh(J6Nh;|N zptLB=2@aDGx22p4JR78HyT=y9C`jt*gT{IW1Y@ER(cp-Jr2a=$@3Zq?iw=N!^~CgoVpZ`a4+YzCX)ZQX)==D#>x|^w$c6lKT}Wn%V}8| zw}VqcP6s|oYi&5ZHE#LXbCY~hZWwGI^&S~RVE_auIs}qIw6NxADL4u)w|jM7dp2kxBa=_ zd)1o(%4F2Hl4nd`VS4yIK@>e3SNUqsS(MSlO8?(XFN-3TAoDIGc31JWgITn$rXT!H zB|u$jpXDo+YuPV%Kv-Mi!whoQaJ$JUYLV(LcZBT@tU^-WBwxkIt3||SQ_C>!)XBIf&&pE ztv**?ybxj8Ad#wMWI?>f*1&GyQa5CjGooJcW2=1Em>#z>T{4Yh7Cm1DwE4@VmG2!b zbm-E^aSBiCxc*|rO**`|D!Q>1Skn0GM`s?4w>pGU?i7*Ci+MyUna{^Ry-zOHuLpGtd zzsZ#UNqa8P81{)`XrYuA9yK+6eQRqOqH}l(Q-~#mun+T}v1HYX6#)F%6GQHigNqxk zHHB8HPyTCsK{wiJ%tyWfq$(>5c_pv{PBYlrA zT)lff^%Tr^NsNjpDXMwI&&uI>%n0J+-hIf{93)rl%+jS?=0^FOKO{XpGYb#zD3M@= znXKy8^)GG@y>~~!@9|^LptpGz(v@nvl7i1%@>`ARv|05s&yY(_?3~m5g_)lGyv8~l zw;tAN`rFwv*br_3jD5$%G(yp*8=`^M5hPL_Gb{S_BzEw18pX;)&muyKhi4Auwj8zd zdxDbkGvsZ|KD8XCS9HixNXkaF2C=ihk}0JuL472#wbpIRfJ#bU8ER`?M#*j-b?j#3 z)x!3q%%CwY=Q6o`6o090s`bKY^k7C@MA#)6uOq>W)!%|re}_y+)S(M`?fwZ51nT}d z%pb?4gMb}b-%HcP4Sdb!T04V->=A!jLvcoO+;^&h3~wmw4?L7m=w}X>t!J= zL9qwA=yC9JDb*hn)7UvN>Hk8Zu;O*1Wo$c1cU0`CNz@XBBsadL*f+v5@YcBwH#9nAsIAdW2itsl3-Y*K+RREXjYQF3?UuoQlM_Uoiz4 z%348<30fy}-C0TQGq>n<50ktw~S;pI~KNasF`Ebv>ioH MSV$E-NWUKU4?6TllmGw# literal 0 HcmV?d00001 
diff --git a/tests/keys/DB.esl b/tests/keys/DB.esl new file mode 100644 index 0000000000000000000000000000000000000000..93467ca695b5b90ad215f29b008b5ca42ea64819 GIT binary patch literal 825 zcmZ1&d0^?2Da*aux2_hA(f&|m$;=l_P_5>EaC+U(T3)EAGY5_SP@| zW~pBfTxC8(Ke6vZU4i{+hnsn?SSpS$<=I?r^-F)#mCveWhxdzTU%HfB{C>Wp;2I_C zo|3$->|f0%y?&+GPZjCyKKVhta`oiiM;lx!RQ{G9w4IZmCtrGDA@hO#R<>0V>1PJC?%@o^Li#`Mh3>k!3Kc_vcM3RIB4HrbfL#GUNP#dT<9`-b17;wF9PGeY1qM4K!TS1E%TWjYdmPbLb=w44F3dadS?*lQzwT#RY2WQ#r$6xR-}O+XkfHj%+ViEsRSw=6 zVvH}W8`+{REIBFd7B<)E!|7KJ1$Q?U`TR6_RxKCXZ)-3`TBCSJheq1m*v&n$FLt(V zI^B~Zx3XQsq3lP-q-}B=ru=2K*X77iT4gF3spa;G$#KEdLpK&af2L@CK~D6~CMMRk zTkM{*zuWL2W6H^l#huTjDzECz<#f=!H|v4jfiIiocih;0)?$~cSX;-Zi9b(Fp4SQh D!?08; literal 0 HcmV?d00001 
diff --git a/tests/keys/KEK.auth b/tests/keys/KEK.auth new file mode 100644 index 0000000000000000000000000000000000000000..b8bf705762893e91ed8d980769272a4e5efb38d6 GIT binary patch literal 2036 zcma)+c{JPk7Qpk%FSOC3S_FdxK}qpTP(iCHvBgrMmfBiNOYyoS3CV7FAo)hY%lqfPI1x zlEj110b$S?1@1@N_*`UMX5t)dAVrKQNf$CC=@Sk0$Rx5mMpXBMO8TgN!3zeIKMgO) z5QG77gdigkBn$wE`y2fC4fqk=QM1T7c z1XJ>`-?Q>#PfUl|4xq0|)_SBk`NU?|oTA!d6Ba{&mq$2Z7qsK#VDt~ev}}($ZNApa zPL~$!U582}2q1t0Cx{Ly2r8~1hLT1}VhsZ+<4>pqJ*$pNITmtVd%YO-5cb2f3Q7i& zzVUej@ec-v0ALp-1c3taY1su`6_j1@lL}NL?r%727vDlI$WX^!dQcMcHYrw^Z#7;< zNY)(K9i4fzd&ty^g#OChxgoiF(soVe-xrE7S0BH6;Zb}XoGJ?K>lW5(i3mxQv&)Ni z4wUMMS@vMTnH1G_u3!Eg*klq@;uq8p(=C)OtWtD1m<6Q6j>-+gmEG6!lR&0N`|$C; zeBo(=m(8_HR`w%z`~tq33zMT2G2ds6k1C8Qr6g7>mr@q^;mVxu-5A?!n8|T*TlV(s z&ZgP@>^_nV=FoE)_d zk9xo7LBgQ9$erh5q^7;qJgo|9m6pd+83*e|chr(5>P#t23l1p^2rmhq*n zD;yVUm%3+`bzXQrWnHnrWvQ_D9@*Wr7OfFAMl9B4ePihq+Hhbc?fWI%P_FuAz>1&90=y|L)A?@SnVoSr6G(%RAHZ!)taiE#YCA zlqX@0VGRC>FswjI2#&I{t}c~&P|qbIwM@XIeS$Wue`J!Rwd+aPPG_j-=uLxr)yW=E zd*|HWrWcYT9)cwPWRl27CfS((4N7|Ye}R%f{gT`NqSD=BH81nY3~BT)_-r>H3NBi` z!^VhCX(afHu&)*AJ2J1b?E=1O2^sbopn#8(Ux+s~_b0MUN=iW)&e!iu%Xyk-^%(uN zp+}F_5>D%Pz*7|u%kru!GX~E@Eai@mU$5Hi@pF_&l*+_siQn}$ag&Tz5gQ}6WiP9X z^Hv*Yqgd@VIYN~*od*u{qrA=Z%v;T&sbL|E7wN5ar{&@|&(0X-QaIt@lBA^~FIIDZ zFk#t+SkHdspSsnclkTeQ!x{>EowSh0FfBQWJ(i2k>x0JXCiDL|t3aISvJAw#rc8UG z`%Lp z`kWp7F}ieM0nXS9ZKHw3B<0NVhZDu29b`$!{w$!wKeTRS5 z6rMo*Y0o*=ceT<(>WXq3W_24oL1lAVHFb=4ZcXa8x@B4u!vW)}Psixp%V9&c?m_!i I?W3mu1C?hymjD0& literal 0 HcmV?d00001 
diff --git a/tests/keys/KEK.esl b/tests/keys/KEK.esl new file mode 100644 index 0000000000000000000000000000000000000000..e083953d2c1e4b64452ddccb56cd6c944649a126 GIT binary patch literal 827 zcmZ1&d0^?2Da*aux2_hA(f&|m&CCD>@<3V;2$YnJja^)XOu{NAtTt$3<~C?z{Jemf ziIIs(M8q@PvB_8e@-nkd^EsP(qYaK6duqVT#;Mij(e|B}k&&B~!9dhd*g%ktIh2K& zhs!%LvnanB>Nb8mn;azAAv!~4CjYEBy9kjQWxiX6hiAW4=YRQr*W>E8Bb(>5uJ_Vk7x3)n z%WsorOx;^Dp){xH+N6WqL!?^2#XquI;4rtG`IU&f+{`s~RbEp2K zaHYhy%cW0xo-ZtNTHz>fvw(Bqd4pTq?=AWrFKc-BxO;|5c>lv#&hvH`=GPR2KHIx% z(()Zz9fywJdUU>~!bFo?q~A7lFSo5 zJMA|oY)IN-AP#$+_{(MiW7~zB1G3GzY?=}_~Xj& z)hUjPWs2=jSsXaEWTyX&rc=9gvNJoF!Z+SoAh}Y*_uFxX%>wP^rgQ(O*aV7YELO0N z<@DB+7w?(>_@#_R${ukS?X`9}dq zh0*)-XaD`YdnBds#NGKDPcGm4SL@taKl}An%qoYSuSWiFKkxigP50AZmD_vD+YPU? zCxrjqB6e9_PU@@k_OE}kRzKC?egj@M&V)7( z##Ck&CPr2U18z1>tu~Lg@4Srcj0>8Wc@3JFISrZ^KQ3TqVq{_xsaTTf=J-BYK)&AU z{^7fv9}cMc7=es{>S5#t8X;mRWFWxC9LmDX!|9!vS(IO_5a4YfC(dhRY+z|*YG`R< zVPp{{&T9Qr(qIQ%1IPa-AdaT0p4d0FDmu&8-CTEEy+_R=_N-p24a4}o- zQlMLa;*NDwTFe(bUmo{aJZ5L0Ler)jhRcg489i{FB3LYmVQv#Ti>}Gzh z;cKoTF+KWB%;@VAbug)z^(`%7x;#_*gYj*T@y^p##j)fhNpB1p4iJ6gsadEIg zpn)tf#AW$d#8^b+Ei)YM?030%_I;4zd^f4%9I-_^4CF!5$}AEFVhz|8@PiZxGcx{X zVKra|Qpmv$j8$N;18q_^*vy||`PjGhfW_j;>I!-5R@DFKX=eNAac8x5uhzx?Hy^$E zFYM%D#3}6>y0drFJ)aK}+tQYa7w)@#Eqb{v^ZjKd=TEZf9;nFakn&wv6Ph7i1f z^VN< z6xirI`e7HAu9Ro7FoQQ<_Wq)k1?Ct3Ck4+qUc)75vFQG5F@?P|>{(w1UvhiibANZA z`Rf}BUlxY%Oxm?8V28}KDVhJ*NqcN@%Wl|mCd6ZN|4)t+oY&6=oX(Mx-`G5X=Sjh? 
z6OO5W9fHoyxwZS^+~%a+-xN#s<*U1Egvit#-(;Qotz!pI^@oYxq{HG*<+=xSnALN=a}m4Ug5k)HwR zA}*#TMn;B}UqAlasdCl$rfv*SMtX**Kr%U!GzNzou6>mAOS9&%u zh&OcZO-Yx_T-g?)E9!36EPQg*J)pSt)eomN#X6i_yJPwebA_<#DtOl#e~xpw-=yFz z)bOTd#Wc5Ub5XlVf1LMJ96eUy`G)gU+ofmk*BHf&@*kd8H%$%f*jDVukhphd+ zybaO(|4TOaRFkvB67E^kHYJzuRk)ZfdMVH?Kyk;qDJ|v;o-dF4EFQBnP@!ql4a4O{ zlZ+m?P7y2?(MUeM#%90Ml_>$tNp>?oSMgiee>?tEPVL1Wd2#Kgw^!$urs=gvHE}Mz z;x#*ZyWU6L8^^*9$j=H`&&15gz_>WrAkaV-7~-;gEMhDo@|GD6clNtnJo`RKalV_> zagNxc9R~6sX=N4(1F;6|3iv?^gc%wCv#=U411aQS2gWKe*nu`F8*JuJv3%^?dcb1w zWOaqSbt~$B^fa@5^tiKHyI1St|C^8A{17LIAiEU}i#0&S`z81aQ zmihj&lJh6obPrVIbV&IwtO?B!JzD=Zx~*x3gX)n}$&02p+1(Rgk(_m*DbP*H&7)s` zuK07NfIrF&mhb*Qk-5h>Bl^e{+w+Uq9%{#W*XDWnU7ensF8#Dr%4=EiznOP#%HC4! z@7ScY%HjFPa;3Q^|JVD>ZYrJ|7V$PN=HzTI-v?1wCtki)RexMhnW<;VrKs3~nAl^1 zGu1d+UZ0r9_fmE3rl*rvWxr_MJAvWU-1%xpqjw~q$zo%6<(htGmAknc>smEA0K1|| A{{R30 literal 0 HcmV?d00001 diff --git a/tests/keys/README.md b/tests/keys/README.md index 440a256a7..c422b803c 100644 --- a/tests/keys/README.md +++ b/tests/keys/README.md 
@@ -5,4 +5,53 @@ You can install this keys on a VM EFI and test secureboot. They are pregenerated so you can iterate building Kairos UKI EFI and use the same signature without generating keys all the time. -They should never be installed anywhere different than a VM. \ No newline at end of file +They should never be installed anywhere different than a VM. + + +Sets of keys: + +*.key - Private key +*.crt - Certificate +*.der - Public certificate in DER format. Can be used to manually add the entries to the EFI database. +*.esl - EFI Signature List. +*.auth - SIGNED EFI Signature List. Can be used by systemd-boot to automatically add the entries to the EFI database. + + +So for a EFI firmware to trust Kairos UKI EFI, you need to add the following entries to the EFI database depending of its state. + +Setup mode (No keys installed, no PK key installed) systemd-boot will auto-add the following keys on the first boot and reset the system to continue booting: + - PK: PK.auth + - KEK: KEK.auth + - DB: DB.auth + +Adding secureboot keys manually to edk2 firmware: +[![Adding secureboot keys manually to edk2 firmware](https://img.youtube.com/vi/ITlxqQkFbwk/0.jpg)](https://www.youtube.com/watch?v=ITlxqQkFbwk "Adding secureboot keys manually to edk2 firmware") + +User mode (PK key installed, other certs already in there) you need to manually add the following keys in the firmware: + - KEK: KEK.der + - DB: DB.der + +Auto secureBoot key enrollment via systemd-boot: +[![Auto secureBoot key enrollment via systemd-boot](https://img.youtube.com/vi/zmxDNQ56P7s/0.jpg)](https://www.youtube.com/watch?v=zmxDNQ56P7s "Auto secureBoot key enrollment via systemd-boot") + +## Generate keys from scratch (key+pem+der+esl) + +```bash +uuid=$(uuidgen -N kairos --namespace @dns --sha1) +for key in PK KEK DB; do + openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.pem" + openssl x509 -outform DER -in "${key}.pem" -out "${key}.der" + sbsiglist --owner "${uuid}" --type x509 
--output "${key}.esl" "${key}.der" +done +``` + + +## Generate auth files for systemd-boot auto-enrollment + +```bash +## Generate the auth files from the esl files by signing them. +attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS +sbvarsign --attr "${attr}" --key PK.key --cert PK.crt --output PK.auth PK PK.esl +sbvarsign --attr "${attr}" --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl +sbvarsign --attr "${attr}" --key KEK.key --cert KEK.crt --output DB.auth DB DB.esl +``` \ No newline at end of file diff --git a/tests/tests_suite_test.go b/tests/tests_suite_test.go index 33f8c3519..3da7b8201 100644 --- a/tests/tests_suite_test.go +++ b/tests/tests_suite_test.go @@ -201,10 +201,18 @@ func startVM() (context.Context, VM) { fmt.Sprintf("file=%s,if=pflash,format=raw,readonly=on", FW), ) - // Set custom vars file for efi config so we boot first from disk then from DVD - m.Args = append(m.Args, "-drive", - fmt.Sprintf("file=%s,if=pflash,format=raw", filepath.Join(getwd, "assets/efivars.fd")), - ) + // Set custom vars file for efi config so we boot first from disk then from DVD with secureboot on + UKI := os.Getenv("UKI_TEST") + if UKI != "" { + // On uki use an empty efivars.fd so we can test the autoenrollment + m.Args = append(m.Args, "-drive", + fmt.Sprintf("file=%s,if=pflash,format=raw", filepath.Join(getwd, "assets/efivars.empty.fd")), + ) + } else { + m.Args = append(m.Args, "-drive", + fmt.Sprintf("file=%s,if=pflash,format=raw", filepath.Join(getwd, "assets/efivars.fd")), + ) + } // Needed to be set for secureboot! m.Args = append(m.Args, "-machine", "q35,smm=on") } From 37d0b01563aeda457685a60d34b00fe61fb2daaf Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 25 Jan 2024 15:50:02 +0100 Subject: [PATCH 12/85] Update enki to v0.0.9 (#2181) Signed-off-by: Mauro Morales --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index 87ef2c124..908f579e0 100644 
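Review bot: `if UKI != ""` treats any value, including `UKI_TEST=false`, as enabling the UKI path; the workflow on this page sets `UKI_TEST: true`, which reaches the process as the string `true`, so parsing it as a boolean is cheap and removes the surprise (`strconv` would need to be in the file's imports, which the hunk does not show). `UKI` as a local name reads like an exported identifier; Go style is `uki`. The two `m.Args = append(...)` branches differ only in the vars file name, so choosing the name first and appending once keeps one copy of the `-drive` line; a sketch of the rewritten lines follows. `startVM` begins before and ends after this hunk.

```go
// … unchanged: readonly OVMF_CODE pflash drive …
// Set custom vars file for efi config so we boot first from disk then from DVD with secureboot on.
// UKI_TEST is parsed as a boolean so that "false" / "0" really disable the UKI path.
uki, _ := strconv.ParseBool(os.Getenv("UKI_TEST"))
vars := "assets/efivars.fd"
if uki {
	// On uki use an empty efivars.fd so we can test the autoenrollment
	vars = "assets/efivars.empty.fd"
}
m.Args = append(m.Args, "-drive",
	fmt.Sprintf("file=%s,if=pflash,format=raw", filepath.Join(getwd, vars)),
)
// … unchanged: -machine q35,smm=on …
```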
--- a/Earthfile +++ b/Earthfile @@ -33,7 +33,7 @@ ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 # renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.8 +ARG ENKI_VERSION=v0.0.9 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos @@ -334,7 +334,7 @@ uki-iso: COPY ./tests/keys /keys RUN echo $BASE_IMAGE > /IMAGE - RUN --no-cache enki build-uki $(cat /IMAGE) /tmp/kairos.uki.iso /keys + RUN --no-cache enki build-uki $(cat /IMAGE) -o /tmp/kairos.uki.iso -k /keys SAVE ARTIFACT /tmp/kairos.uki.iso kairos.uki.iso AS LOCAL build/$ISO_NAME.uki.iso # WARNING the following targets are just for development purposes, use them at your own risk From f9bdec735728c0845d782bc446b8848e0271a4c4 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Thu, 25 Jan 2024 20:38:47 +0200 Subject: [PATCH 13/85] Bump kairos framework (#2184) to get this change: https://github.com/kairos-io/kcrypt-challenger/pull/45 Signed-off-by: Dimitris Karakasilis --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 908f579e0..897341be3 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.48.3 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.6.3" +ARG KAIROS_FRAMEWORK_VERSION="v2.6.4" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From c6bc1e521ceb68a7100f76ab2292f66c00ece4d1 Mon Sep 17 00:00:00 2001 
From: Ettore Di Giacinto Date: Thu, 25 Jan 2024 20:39:02 +0100 Subject: [PATCH 14/85] bump enki (#2185) Co-authored-by: Itxaka --- Earthfile | 2 +- tests/keys/{DB.crt => DB.pem} | 0 tests/keys/{KEK.crt => KEK.pem} | 0 tests/keys/{PK.crt => PK.pem} | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename tests/keys/{DB.crt => DB.pem} (100%) rename tests/keys/{KEK.crt => KEK.pem} (100%) rename tests/keys/{PK.crt => PK.pem} (100%) diff --git a/Earthfile b/Earthfile index 897341be3..2c15515f8 100644 --- a/Earthfile +++ b/Earthfile @@ -33,7 +33,7 @@ ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 # renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.9 +ARG ENKI_VERSION=v0.0.10 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos diff --git a/tests/keys/DB.crt b/tests/keys/DB.pem similarity index 100% rename from tests/keys/DB.crt rename to tests/keys/DB.pem diff --git a/tests/keys/KEK.crt b/tests/keys/KEK.pem similarity index 100% rename from tests/keys/KEK.crt rename to tests/keys/KEK.pem diff --git a/tests/keys/PK.crt b/tests/keys/PK.pem similarity index 100% rename from tests/keys/PK.crt rename to tests/keys/PK.pem From 77902dab0f611761065164c4b5cca94715c44729 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Fri, 26 Jan 2024 09:49:17 +0100 Subject: [PATCH 15/85] bump framework to 2.4.6 to use its cache (#2187) Signed-off-by: Mauro Morales --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 2c15515f8..d1bbd4eff 100644 --- a/Earthfile +++ b/Earthfile 
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.48.3 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.6.4" +ARG KAIROS_FRAMEWORK_VERSION="v2.6.5" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 510574e9eac943c2a597e532bb9bedb35dc7ed01 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Mon, 29 Jan 2024 13:50:48 +0100 Subject: [PATCH 16/85] :robot: Allow passing flags to enki and bump version (#2193) --- Earthfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index d1bbd4eff..9c739b453 100644 --- a/Earthfile +++ b/Earthfile @@ -33,7 +33,7 @@ ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 # renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.10 +ARG ENKI_VERSION=v0.0.11 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos @@ -327,6 +327,7 @@ uki-iso: ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki FROM $BASE_IMAGE ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') + ARG ENKI_FLAGS FROM +uki-dev-tools-image @@ -334,7 +335,7 @@ uki-iso: COPY ./tests/keys /keys RUN echo $BASE_IMAGE > /IMAGE - RUN --no-cache enki build-uki $(cat /IMAGE) -o /tmp/kairos.uki.iso -k /keys + RUN --no-cache enki build-uki $(cat /IMAGE) -o /tmp/kairos.uki.iso -k /keys ${ENKI_FLAGS} SAVE ARTIFACT /tmp/kairos.uki.iso kairos.uki.iso AS LOCAL build/$ISO_NAME.uki.iso # WARNING the following targets are just for development purposes, use them at your own risk From 870f65eedf14ebb5b489029fe20910e8cf19a64f Mon Sep 17 00:00:00 2001 
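Review bot: `${ENKI_FLAGS}` is expanded unquoted on the `enki build-uki` line of the `@@ -334,7 +335,7 @@` hunk, so its value is word-split by the shell; that is what lets several flags through, but it also means a flag value containing a space cannot be handed over as one argument, and an unset `ENKI_FLAGS` silently expands to nothing. The new `ARG ENKI_FLAGS` line in the `@@ -327,6 +327,7 @@` hunk deserves a comment saying so: `# ENKI_FLAGS: optional extra flags for enki build-uki, whitespace-separated (expanded unquoted)`. `uki-iso`'s body spans both hunks and continues outside them.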
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 20:41:41 +0000 Subject: [PATCH 17/85] Update quay.io/kairos/enki Docker tag to v0.0.12 --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 9c739b453..a8a84df74 100644 --- a/Earthfile +++ b/Earthfile @@ -33,7 +33,7 @@ ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 # renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.11 +ARG ENKI_VERSION=v0.0.12 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos From 3421fc8b7a91610caa7f5544ecb4de8d0ccb42fc Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 2 Feb 2024 16:00:50 +0100 Subject: [PATCH 18/85] Bump framework and osbuilder (#2201) --- .../reusable-upgrade-latest-test.yaml | 2 +- Earthfile | 28 +++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/reusable-upgrade-latest-test.yaml b/.github/workflows/reusable-upgrade-latest-test.yaml index 6addf5686..6f7f9b3bd 100644 --- a/.github/workflows/reusable-upgrade-latest-test.yaml +++ b/.github/workflows/reusable-upgrade-latest-test.yaml @@ -18,7 +18,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: kvm env: MATCHER: ${{ inputs.release_matcher || inputs.flavor_release }} steps: diff --git a/Earthfile b/Earthfile index a8a84df74..f74210c8d 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.48.3 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.6.5" +ARG KAIROS_FRAMEWORK_VERSION="v2.7.1" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name 
@@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.11.1 +ARG OSBUILDER_VERSION=v0.12.0 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang @@ -33,7 +33,7 @@ ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 # renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.12 +ARG ENKI_VERSION=v0.0.14 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos @@ -324,19 +324,19 @@ enki-image: SAVE ARTIFACT /enki enki uki-iso: - ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki - FROM $BASE_IMAGE - ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') - ARG ENKI_FLAGS - - FROM +uki-dev-tools-image + ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki + FROM $BASE_IMAGE + ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') + ARG ENKI_FLAGS - COPY +enki-image/enki /usr/bin/enki - COPY ./tests/keys /keys - RUN echo $BASE_IMAGE > /IMAGE + FROM +uki-dev-tools-image - RUN --no-cache enki build-uki $(cat /IMAGE) -o /tmp/kairos.uki.iso -k /keys ${ENKI_FLAGS} - SAVE ARTIFACT /tmp/kairos.uki.iso kairos.uki.iso AS LOCAL build/$ISO_NAME.uki.iso + COPY +enki-image/enki /usr/bin/enki + COPY ./tests/keys /keys + RUN echo $BASE_IMAGE > /IMAGE + WORKDIR /build + RUN --no-cache enki build-uki $(cat /IMAGE) --output-dir /build/ -k /keys --output-type iso ${ENKI_FLAGS} + SAVE ARTIFACT /build/*.iso AS LOCAL build/ # WARNING the following targets are just for development purposes, use them at your own risk 
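Review bot: In the `@@ -324,19 +324,19 @@` hunk `ARG ISO_NAME=$(cat /etc/os-release | …)` is still evaluated in `uki-iso`, but nothing reads it once `SAVE ARTIFACT /tmp/kairos.uki.iso … AS LOCAL build/$ISO_NAME.uki.iso` became `SAVE ARTIFACT /build/*.iso AS LOCAL build/`, so the `FROM $BASE_IMAGE` stage now exists only to compute an unused value; either drop those lines or say why they stay (`# ISO_NAME: no longer used by this target, kept for callers that pass it`). Re-indenting the whole target in the same hunk as the `--output-dir` / `--output-type iso` change buries the behavioural diff under whitespace; a separate whitespace-only commit would have been easier to review. The glob in `SAVE ARTIFACT /build/*.iso` also exports every ISO enki writes, which is fine only as long as it produces exactly one.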
From dafff6865c9eed9e60579d03c9514bec235da5f1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 09:24:11 +0100 Subject: [PATCH 19/85] Update quay.io/kairos/osbuilder-tools Docker tag to v0.15.0 (#2207) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index f74210c8d..05f6d5f88 100644 --- a/Earthfile +++ b/Earthfile @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.12.0 +ARG OSBUILDER_VERSION=v0.15.0 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang From 3b4d9b311b66f50755c26e64e5225f1c1c5e304c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 6 Feb 2024 10:22:24 +0100 Subject: [PATCH 20/85] Add warning to outdated example (#2211) Signed-off-by: Mauro Morales --- examples/byoi/fedora/README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 examples/byoi/fedora/README.md diff --git a/examples/byoi/fedora/README.md b/examples/byoi/fedora/README.md new file mode 100644 index 000000000..a0a72d698 --- /dev/null +++ b/examples/byoi/fedora/README.md @@ -0,0 +1 @@ +Warning, this example is out of date. You can follow the ubuntu-non-hwe example which is quite similar but with fedora as a base. From 40205233b283d6082a769f31d873e1758ad76335 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 6 Feb 2024 17:15:12 +0100 Subject: [PATCH 21/85] :sparkles: Rework pipelines (#2216) * Remove base images Signed-off-by: Mauro Morales * Push core image from master Signed-off-by: Mauro Morales * Also for standard Signed-off-by: Mauro Morales --------- 
Signed-off-by: Mauro Morales --- .github/workflows/image-arm.yaml | 80 +------------ .github/workflows/image.yaml | 32 ----- .github/workflows/release-arm.yaml | 67 +---------- .../workflows/reusable-build-base-image.yaml | 109 ------------------ .github/workflows/reusable-build-flavor.yaml | 11 +- .../workflows/reusable-build-provider.yaml | 19 ++- 6 files changed, 22 insertions(+), 296 deletions(-) delete mode 100644 .github/workflows/reusable-build-base-image.yaml diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 057dfcf8b..9e87c2549 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml 
@@ -70,92 +70,14 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - build-nvidia-base: - runs-on: fast - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v42 - with: - files_yaml: | - nvidia: - - 'images/Dockerfile.nvidia' - - - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: system/kairos-agent - - name: Release space from worker - if: steps.changed-files.outputs.nvidia_any_changed == 'true' - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm || true - sudo apt-get remove -y powershell || true - sudo apt-get remove -y firefox || true - sudo apt-get remove -y monodoc-manual || true - sudo apt-get remove -y msbuild || true - sudo apt-get remove -y microsoft-edge-stable || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf 
'${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - name: Set up Docker Buildx - if: steps.changed-files.outputs.nvidia_any_changed == 'true' - id: buildx - uses: docker/setup-buildx-action@master - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - if: steps.changed-files.outputs.nvidia_any_changed == 'true' - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - name: Login to Quay Registry - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.changed-files.outputs.nvidia_any_changed == 'true' }} - run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - - name: Build 🔧 & Push 🚀 - if: steps.changed-files.outputs.nvidia_any_changed == 'true' - run: | - export IMAGE=$(FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" ID=master kairos-agent versioneer base-container-artifact-name) - docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images - docker push $IMAGE - nvidia-arm-core: - needs: build-nvidia-base uses: ./.github/workflows/reusable-docker-arm-build.yaml secrets: inherit with: flavor: ubuntu flavor_release: "20.04" family: ubuntu - # is there a way to run versioneer here? - base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-master + base_image: ubuntu:20.04 model: nvidia-jetson-agx-orin worker: fast diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 2b0f7c80a..83c83151a 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml 
@@ -12,38 +12,6 @@ concurrency: env: FORCE_COLOR: 1 jobs: - get-base-matrix: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - uses: actions/checkout@v4 - - run: | - git fetch --prune --unshallow - - id: set-matrix - run: | - content=`cat ./.github/flavors.json | jq -r 'map(del(.variant,.worker)) | unique'` - # the following lines are only required for multi line json - content="${content//'%'/'%25'}" - content="${content//$'\n'/'%0A'}" - content="${content//$'\r'/'%0D'}" - # end of optional handling for multi line json - echo "::set-output name=matrix::{\"include\": $content }" - base: - uses: ./.github/workflows/reusable-build-base-image.yaml - secrets: inherit - needs: - - get-base-matrix - strategy: - fail-fast: false - matrix: ${{fromJson(needs.get-base-matrix.outputs.matrix)}} - with: - flavor: ${{ matrix.flavor }} - flavor_release: ${{ matrix.flavorRelease }} - family: ${{ matrix.family }} - model: ${{ matrix.model }} - base_image: ${{ matrix.baseImage }} - arch: ${{ matrix.arch }} get-core-matrix: runs-on: ubuntu-latest diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 0113582eb..79329aadb 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml 
@@ -62,70 +62,6 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - build-nvidia-base: - runs-on: fast - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: system/kairos-agent - - name: Release space from worker - if: steps.changed-files.outputs.nvidia_any_changed == 'true' - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm || true - sudo apt-get remove -y powershell || true - sudo apt-get remove -y firefox || true - sudo apt-get remove -y monodoc-manual || true - sudo apt-get remove -y msbuild || true - sudo apt-get remove -y microsoft-edge-stable || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df 
-h - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@master - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - name: Login to Quay Registry - run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - - name: Build 🔧 & Push 🚀 - run: | - export IMAGE=$(FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" ID=release kairos-agent versioneer base-container-artifact-name) - docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images - docker push $IMAGE - nvidia-arm-core: uses: ./.github/workflows/reusable-docker-arm-build.yaml secrets: inherit @@ -133,8 +69,7 @@ jobs: flavor: ubuntu flavor_release: "20.04" family: ubuntu - # is there a way to run versioneer here? - base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-release + base_image: quay.io/kairos/ubuntu:20.04 model: nvidia-jetson-agx-orin worker: fast diff --git a/.github/workflows/reusable-build-base-image.yaml b/.github/workflows/reusable-build-base-image.yaml deleted file mode 100644 index ef0aa5b4f..000000000 --- a/.github/workflows/reusable-build-base-image.yaml +++ /dev/null 
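Review bot: The `nvidia-arm-core` job now starts from `quay.io/kairos/ubuntu:20.04`, a floating tag with no digest, so a release build is only as reproducible as whatever currently sits behind that tag; the parallel change in image-arm.yaml uses `ubuntu:20.04` from Docker Hub for the same model, so master and release builds of the Jetson image no longer share a base. Pin the reference by digest, `base_image: quay.io/kairos/ubuntu:20.04@sha256:…`, with a renovate comment so bumps stay visible in review, and use the same reference in both workflows. The deleted `build-nvidia-base` job was also the only place `Dockerfile.nvidia` was applied and the metadata-IP iptables block was installed; unless the reusable ARM workflow does both itself (not visible here), the Jetson-specific layers are dropped from the release image by this change.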
@@ -1,109 +0,0 @@ -name: Reusable Build Base Image - -on: - workflow_call: - inputs: - flavor: - required: true - type: string - flavor_release: - required: true - type: string - family: - required: true - type: string - model: - required: true - type: string - base_image: - required: true - type: string - arch: - required: true - type: string - -jobs: - build: - runs-on: ubuntu-latest - permissions: - id-token: write # OIDC support - contents: write - actions: read - security-events: write - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v42 - with: - files_yaml: | - dockerfiles: - - 'images/Dockerfile.${{ inputs.family }}' - - name: Release space from worker - if: steps.changed-files.outputs.dockerfiles_any_changed == 'true' - run: | - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - df -h - echo - sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true - sudo apt-get remove --auto-remove android-sdk-platform-tools || true - sudo apt-get purge --auto-remove android-sdk-platform-tools || true - sudo rm -rf /usr/local/lib/android - sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true - sudo rm -rf /usr/share/dotnet - sudo apt-get remove -y '^mono-.*' || true - sudo apt-get remove -y '^ghc-.*' || true - sudo apt-get remove -y '.*jdk.*|.*jre.*' || true - sudo apt-get remove -y 'php.*' || true - sudo apt-get remove -y hhvm || true - sudo apt-get remove -y powershell || true - sudo apt-get remove -y firefox || true - sudo apt-get remove -y monodoc-manual || true - sudo apt-get remove -y msbuild || true - sudo apt-get remove -y microsoft-edge-stable || true - sudo apt-get remove -y '^google-.*' || true - sudo apt-get remove -y azure-cli || true - sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true - 
sudo apt-get remove -y '^gfortran-.*' || true - sudo apt-get autoremove -y - sudo apt-get clean - echo - echo "Listing top largest packages" - pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) - head -n 30 <<< "${pkgs}" - echo - sudo rm -rfv build || true - df -h - - name: Set up QEMU - uses: docker/setup-qemu-action@master - with: - platforms: all - - name: Set up Docker Buildx - if: steps.changed-files.outputs.dockerfiles_any_changed == 'true' - id: buildx - uses: docker/setup-buildx-action@master - - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - if: steps.changed-files.outputs.dockerfiles_any_changed == 'true' - run: | - sudo iptables -I INPUT -s 169.254.169.254 -j DROP - sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - name: Login to Quay Registry - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.changed-files.outputs.dockerfiles_any_changed == 'true' }} - run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 - with: - repository: quay.io/kairos/packages - packages: system/kairos-agent - - name: Build 🔧 & Push 🚀 - if: steps.changed-files.outputs.dockerfiles_any_changed == 'true' - run: | - export IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release}}" MODEL=${{ inputs.model}} TARGETARCH=${{ inputs.arch }} VARIANT=core REGISTRY_AND_ORG="quay.io/kairos" ID=master kairos-agent versioneer base-container-artifact-name) - - docker build --platform=linux/${{ inputs.arch }} --build-arg="FAMILY=${{ inputs.family }}" --build-arg="FLAVOR=${{ inputs.flavor }}" --build-arg="FLAVOR_RELEASE=${{ inputs.flavor_release }}" --build-arg="MODEL=${{ inputs.model }}" --build-arg="BASE_IMAGE=${{ inputs.base_image }}" -t $IMAGE -f 
./images/Dockerfile.${{ inputs.family }} ./images - docker push $IMAGE diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index 3a89a8480..9ff5a22b8 100644 --- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml @@ -120,13 +120,12 @@ jobs: - name: Build master 🔧 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: | - export BASE_IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release}}" MODEL=${{ inputs.model}} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant }} REGISTRY_AND_ORG="quay.io/kairos" ID=master kairos-agent versioneer base-container-artifact-name) earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=true \ --VARIANT=${{ inputs.variant }} \ --FLAVOR=${{ inputs.flavor }} \ --FLAVOR_RELEASE=${{ inputs.flavor_release }} \ - --BASE_IMAGE=$BASE_IMAGE \ + --BASE_IMAGE=${{ inputs.base_image }} \ --MODEL=${{ inputs.model }} \ --FAMILY=${{ inputs.family }} @@ -157,15 +156,11 @@ jobs: *.spdx.json if-no-files-found: error - name: Push to quay - # do not push to release channels for now - if: ${{ false }} - #if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} env: COSIGN_YES: true run: | - IMAGE=$(cat IMAGE) - VERSION=$(cat VERSION) - IMAGE="${IMAGE/$VERSION/latest}" + IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) docker push $IMAGE image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") spdx=$(ls *.spdx.json) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index a4b8eb1b6..e4125c8f5 100644 
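Review bot: In the re-enabled `Push to quay` step, `image_ref` is taken from `{{index .RepoDigests 0}}`, the first repo digest Docker has recorded for that image id, not necessarily the digest of the `quay.io/kairos` reference just pushed; if the same image is tagged or pushed under another repository in this job, the SBOM attachment, signature and SPDX attestation can land on a different reference than the one consumers pull. Resolve the digest for the exact name instead, for instance `image_ref="$IMAGE@$(docker buildx imagetools inspect "$IMAGE" --format '{{.Manifest.Digest}}')"`. Keyless signing under `COSIGN_YES` also needs `id-token: write` on this job; its `permissions:` block is outside the hunk, so worth confirming. `spdx=$(ls *.spdx.json)` silently breaks `cosign attach sbom --sbom $spdx` if more than one SBOM file is present in the workspace.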
--- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -108,7 +108,6 @@ jobs: - name: Build master 🔧 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: | - export BASE_IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release}}" MODEL=${{ inputs.model}} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant }} REGISTRY_AND_ORG="quay.io/kairos" ID=master kairos-agent versioneer base-container-artifact-name) earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ @@ -116,7 +115,7 @@ jobs: --VARIANT=${{ inputs.variant }} \ --FLAVOR=${{ inputs.flavor }} \ --FLAVOR_RELEASE=${{ inputs.flavor_release }} \ - --BASE_IMAGE=$BASE_IMAGE \ + --BASE_IMAGE=${{ inputs.base_image }} \ --MODEL=${{ inputs.model }} \ --FAMILY=${{ inputs.family }} \ --K3S_VERSION=${K3S_VERSION} 
@@ -131,6 +130,22 @@ jobs: *.sha256 versions.yaml if-no-files-found: error + - name: Login to Quay Registry + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io + - name: Push to quay + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + env: + COSIGN_YES: true + run: | + IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + docker push $IMAGE + image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") + spdx=$(ls *.spdx.json) + cosign attach sbom --sbom $spdx $image_ref + cosign sign $image_ref --attachment sbom + # in-toto attestation + cosign attest --type spdx --predicate $spdx $image_ref - name: Push to testing run: | _IMG=$(cat IMAGE) From 946e377e36610a8c7b8c97c909660b1dbf728094 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 6 Feb 2024 17:32:30 +0100 Subject: [PATCH 22/85] Inherit secrets and re-tag before push Signed-off-by: Mauro Morales --- .github/workflows/image.yaml | 1 + .github/workflows/reusable-build-flavor.yaml | 1 + .github/workflows/reusable-build-provider.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 83c83151a..c3f57f00b 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -252,6 +252,7 @@ jobs: - "leap-15.5" standard: uses: ./.github/workflows/reusable-build-provider.yaml + secrets: inherit with: flavor: ${{ matrix.flavor }} flavor_release: ${{ matrix.flavorRelease }} diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index 9ff5a22b8..2ef48c4c4 100644 
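Review bot: The new `Login to Quay Registry` step expands `${{ secrets.QUAY_PASSWORD }}` and `${{ secrets.QUAY_USERNAME }}` directly into the script text, so the credential becomes part of the generated command line rather than a variable the process reads, and the unquoted `echo` would also word-split or glob-expand a password containing spaces or `*` before it reaches `--password-stdin`. Pass both through `env:` on the step and read them as quoted variables: `run: echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io` (or use `docker/login-action`, which does the same without a shell). The `Push to quay` step that follows invokes `cosign`, and nothing visible in this workflow installs it; the enclosing job continues outside the hunk.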
--- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml @@ -161,6 +161,7 @@ jobs: COSIGN_YES: true run: | IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + docker tag $(cat IMAGE) $IMAGE docker push $IMAGE image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") spdx=$(ls *.spdx.json) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index e4125c8f5..344d7a5c1 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -139,6 +139,7 @@ jobs: COSIGN_YES: true run: | IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + docker tag $(cat IMAGE) $IMAGE docker push $IMAGE image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") spdx=$(ls *.spdx.json) From 91c6660d1a511882d39a33d782c09f9474c5eca4 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 6 Feb 2024 18:45:53 +0100 Subject: [PATCH 23/85] Add cosign to push standard master images Signed-off-by: Mauro Morales --- .github/workflows/reusable-build-provider.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 344d7a5c1..67d662764 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml 
@@ -133,6 +133,8 @@ jobs: - name: Login to Quay Registry if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io + - name: Install Cosign + uses: sigstore/cosign-installer@main - name: Push to quay if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} env: From e9663dd65edf12777b236d0ff75e3a8b065800ce Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:22:12 +0100 Subject: [PATCH 24/85] Update actions/download-artifact action to v4.1.2 (#2213) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/reusable-encryption-test.yaml | 2 +- .github/workflows/reusable-install-test.yaml | 2 +- .github/workflows/reusable-provider-tests.yaml | 2 +- .github/workflows/reusable-qemu-acceptance-test.yaml | 2 +- .github/workflows/reusable-qemu-bundles-test.yaml | 2 +- .github/workflows/reusable-qemu-reset-test.yaml | 2 +- .github/workflows/reusable-upgrade-with-cli-test.yaml | 2 +- .github/workflows/reusable-zfs-test.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml index 8b3460b60..a529d97e8 100644 --- a/.github/workflows/reusable-encryption-test.yaml +++ b/.github/workflows/reusable-encryption-test.yaml @@ -80,7 +80,7 @@ jobs: LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index 6a229669f..0a37053b6 100644 
--- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -22,7 +22,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Install Go diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml index 144ee61d8..a345fa518 100644 --- a/.github/workflows/reusable-provider-tests.yaml +++ b/.github/workflows/reusable-provider-tests.yaml @@ -55,7 +55,7 @@ jobs: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip - name: Run tests diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml index 98f3df75f..0abf77f42 100644 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ b/.github/workflows/reusable-qemu-acceptance-test.yaml @@ -59,7 +59,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml index 9d025e640..7041adac8 100644 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ b/.github/workflows/reusable-qemu-bundles-test.yaml 
@@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml index 013539551..2c1341b4e 100644 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ b/.github/workflows/reusable-qemu-reset-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml index 4704c7791..0cb52d583 100644 --- a/.github/workflows/reusable-upgrade-with-cli-test.yaml +++ b/.github/workflows/reusable-upgrade-with-cli-test.yaml @@ -61,7 +61,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml index 0c49f9d67..3c0a96384 100644 --- a/.github/workflows/reusable-zfs-test.yaml +++ b/.github/workflows/reusable-zfs-test.yaml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v4 - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.1 + uses: actions/download-artifact@v4.1.2 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files From 6b548ad17bd457302eddcc20856661f381c883ca Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:22:55 +0100 Subject: [PATCH 25/85] Update aquasec/trivy Docker tag to v0.49.1 (#2206) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 05f6d5f88..9e79a97ac 100644 --- a/Earthfile +++ b/Earthfile @@ -7,7 +7,7 @@ ARG GITHUB_REPO=kairos-io/kairos # renovate: datasource=docker depName=quay.io/luet/base ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy -ARG TRIVY_VERSION=0.48.3 +ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework ARG KAIROS_FRAMEWORK_VERSION="v2.7.1" ARG COSIGN_SKIP=".*quay.io/kairos/.*" From d410c8840a0e73cbfdbb945103594f7ba765672b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:24:33 +0100 Subject: [PATCH 26/85] Update earthly/earthly Docker tag to v0.8.3 (#2163) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- earthly.ps1 | 2 +- earthly.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/earthly.ps1 b/earthly.ps1 index 2bf2d5810..55010a2a6 100644 --- a/earthly.ps1 +++ b/earthly.ps1 @@ -1 +1 @@ -docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v ${pwd}:/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.7.23 --allow-privileged @args +docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v ${pwd}:/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.3 --allow-privileged @args diff --git a/earthly.sh b/earthly.sh index 83372f155..4b031a842 100755 --- a/earthly.sh +++ b/earthly.sh 
@@ -1,3 +1,3 @@ #!/bin/bash -docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.7.23 --allow-privileged "$@" +docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.3 --allow-privileged "$@" From bd4465e2803dba24e72a66a3ffc325cf21db8823 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:25:06 +0100 Subject: [PATCH 27/85] Update slackapi/slack-github-action action to v1.25.0 (#2190) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/image-arm.yaml | 2 +- .github/workflows/image.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 9e87c2549..8f68e10f6 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml @@ -122,7 +122,7 @@ jobs: run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV - name: notify if failure if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@v1.25.0 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index c3f57f00b..929063b9c 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml 
@@ -351,7 +351,7 @@ jobs: run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV - name: notify if failure if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@v1.25.0 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK From 4b0526376ca005df1f341f912c5066717bfa7d9a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:26:09 +0100 Subject: [PATCH 28/85] Update robinraju/release-downloader action to v1.9 (#2191) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/reusable-provider-upgrade-latest-test.yaml | 2 +- .github/workflows/reusable-upgrade-latest-test.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-provider-upgrade-latest-test.yaml b/.github/workflows/reusable-provider-upgrade-latest-test.yaml index ab24395f4..6ca63486f 100644 --- a/.github/workflows/reusable-provider-upgrade-latest-test.yaml +++ b/.github/workflows/reusable-provider-upgrade-latest-test.yaml @@ -52,7 +52,7 @@ jobs: packages: utils/earthly - uses: actions/checkout@v4 - name: Download artifacts - uses: robinraju/release-downloader@v1.8 + uses: robinraju/release-downloader@v1.9 with: latest: true repository: "kairos-io/kairos" diff --git a/.github/workflows/reusable-upgrade-latest-test.yaml b/.github/workflows/reusable-upgrade-latest-test.yaml index 6f7f9b3bd..bf8f94406 100644 --- a/.github/workflows/reusable-upgrade-latest-test.yaml +++ b/.github/workflows/reusable-upgrade-latest-test.yaml @@ -62,7 +62,7 @@ jobs: - uses: actions/checkout@v4 - run: | git fetch --prune --unshallow - - uses: robinraju/release-downloader@v1.8 + - uses: robinraju/release-downloader@v1.9 with: # A flag to set the download target as latest release # The default value is 'false' 
From c130abd46610dd98ac1a9f420ff148d283e4aa3c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 7 Feb 2024 09:47:57 +0100 Subject: [PATCH 29/85] Keep using cache for nvidia Signed-off-by: Mauro Morales --- .github/workflows/image-arm.yaml | 86 +++++++++++++++++++++++++++++- .github/workflows/release-arm.yaml | 66 ++++++++++++++++++++++- 2 files changed, 150 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 8f68e10f6..b93334027 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml 
@@ -70,14 +70,98 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" + build-nvidia-base: + runs-on: fast + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Check if cache image is available + id: cache + run: | + if docker pull quay.io/kairos/cache:nvidia-base; then + echo "::set-output name=cache_available::true" + else + echo "::set-output name=cache_available::false" + fi + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v42 + with: + files_yaml: | + nvidia: + - 'images/Dockerfile.nvidia' + - name: Install kairos-agent (for versioneer) + uses: Luet-lab/luet-install-action@v1.1 + with: + repository: quay.io/kairos/packages + packages: system/kairos-agent + - name: Release space from worker + if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + run: | + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + df -h + echo + sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true + sudo apt-get remove --auto-remove android-sdk-platform-tools || true + sudo apt-get purge --auto-remove android-sdk-platform-tools || true + sudo rm -rf /usr/local/lib/android + sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true + sudo rm -rf /usr/share/dotnet + sudo apt-get remove -y '^mono-.*' || true + sudo apt-get remove -y '^ghc-.*' || true + sudo apt-get remove -y '.*jdk.*|.*jre.*' || true + sudo apt-get remove -y 'php.*' || true + sudo apt-get remove -y hhvm || true + sudo apt-get remove -y powershell || true + sudo apt-get remove -y firefox || true + sudo apt-get remove -y monodoc-manual || true + sudo apt-get remove -y msbuild || true + sudo apt-get remove -y microsoft-edge-stable || true + sudo apt-get remove -y '^google-.*' || true + sudo apt-get remove -y 
azure-cli || true + sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true + sudo apt-get remove -y '^gfortran-.*' || true + sudo apt-get autoremove -y + sudo apt-get clean + echo + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + sudo rm -rfv build || true + df -h + - name: Set up Docker Buildx + if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + id: buildx + uses: docker/setup-buildx-action@master + - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines + if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + run: | + sudo iptables -I INPUT -s 169.254.169.254 -j DROP + sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP + - name: Login to Quay Registry + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && (!steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true') }} + run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io + - name: Build 🔧 & Push 🚀 + if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + run: | + export IMAGE=quay.io/kairos/cache:nvidia-base + docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images + docker push $IMAGE + nvidia-arm-core: uses: ./.github/workflows/reusable-docker-arm-build.yaml + needs: build-nvidia-base secrets: inherit with: flavor: ubuntu flavor_release: "20.04" family: ubuntu - base_image: ubuntu:20.04 + base_image: quay.io/kairos/cache:nvidia-base model: nvidia-jetson-agx-orin worker: fast 
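Review bot: `uses: docker/setup-buildx-action@master` in the new build-nvidia-base job runs a third-party action from a mutable branch inside a job that also holds `QUAY_PASSWORD`, so any future push to that branch executes here with registry credentials; pin it to a release tag or a full commit SHA (`uses: docker/setup-buildx-action@<commit-sha> # vX.Y`), as the neighbouring `actions/checkout@v4` and `tj-actions/changed-files@v42` at least do with tags. The same unpinned reference is added by the release-arm.yaml hunk. The Login step also splices `${{ secrets.QUAY_PASSWORD }}` and `${{ secrets.QUAY_USERNAME }}` into the shell text; passing them through `env:` and writing `echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io` keeps the values out of the generated script and avoids word-splitting on unusual characters. Lastly, Login is gated on a push to master but Build & Push is not, so a pull request that changes `images/Dockerfile.nvidia` reaches `docker push $IMAGE` unauthenticated and fails the job; the two `if:` conditions should match.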
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
index 79329aadb..799cb330a 100644
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@@ -62,14 +62,78 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" + build-nvidia-base: + runs-on: fast + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Install kairos-agent (for versioneer) + uses: Luet-lab/luet-install-action@v1.1 + with: + repository: quay.io/kairos/packages + packages: system/kairos-agent + - name: Release space from worker + run: | + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + df -h + echo + sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true + sudo apt-get remove --auto-remove android-sdk-platform-tools || true + sudo apt-get purge --auto-remove android-sdk-platform-tools || true + sudo rm -rf /usr/local/lib/android + sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true + sudo rm -rf /usr/share/dotnet + sudo apt-get remove -y '^mono-.*' || true + sudo apt-get remove -y '^ghc-.*' || true + sudo apt-get remove -y '.*jdk.*|.*jre.*' || true + sudo apt-get remove -y 'php.*' || true + sudo apt-get remove -y hhvm || true + sudo apt-get remove -y powershell || true + sudo apt-get remove -y firefox || true + sudo apt-get remove -y monodoc-manual || true + sudo apt-get remove -y msbuild || true + sudo apt-get remove -y microsoft-edge-stable || true + sudo apt-get remove -y '^google-.*' || true + sudo apt-get remove -y azure-cli || true + sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true + sudo apt-get remove -y '^gfortran-.*' || true + sudo apt-get autoremove -y + sudo apt-get clean + echo + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + sudo rm -rfv build || true + df -h + - name: Set up Docker Buildx + id: buildx + uses: 
docker/setup-buildx-action@master + - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines + run: | + sudo iptables -I INPUT -s 169.254.169.254 -j DROP + sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP + - name: Login to Quay Registry + run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io + - name: Build 🔧 & Push 🚀 + run: | + export IMAGE=quay.io/kairos/cache:nvidia-base + docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images + docker push $IMAGE + nvidia-arm-core: uses: ./.github/workflows/reusable-docker-arm-build.yaml + needs: build-nvidia-base secrets: inherit with: flavor: ubuntu flavor_release: "20.04" family: ubuntu - base_image: quay.io/kairos/ubuntu:20.04 + base_image: quay.io/kairos/cache:nvidia-base model: nvidia-jetson-agx-orin worker: fast From 4c545e80588843ca0f9451483778d1335be8c2e4 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 7 Feb 2024 09:58:54 +0100 Subject: [PATCH 30/85] Use GITHUB_OUTPUT Signed-off-by: Mauro Morales --- .github/workflows/image-arm.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index b93334027..35bf2aaba 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml @@ -80,9 +80,9 @@ jobs: id: cache run: | if docker pull quay.io/kairos/cache:nvidia-base; then - echo "::set-output name=cache_available::true" + echo "cache_available=true" >> $GITHUB_OUTPUT else - echo "::set-output name=cache_available::false" + echo "cache_available=false" >> $GITHUB_OUTPUT fi - name: Get changed files id: changed-files 
@@ -97,7 +97,7 @@ jobs: repository: quay.io/kairos/packages packages: system/kairos-agent - name: Release space from worker - if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + if: ${{ steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true' }} run: | echo "Listing top largest packages" pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) @@ -135,16 +135,16 @@ jobs: sudo rm -rfv build || true df -h - name: Set up Docker Buildx - if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + if: ${{ steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true' }} id: buildx uses: docker/setup-buildx-action@master - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines - if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + if: ${{ steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true' }} run: | sudo iptables -I INPUT -s 169.254.169.254 -j DROP sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - name: Login to Quay Registry - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && (!steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true') }} + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && (steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true') }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Build 🔧 & Push 🚀 if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} 
From 2a75abb3f5ba69ccda2fa940008ba4b59d156b7c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 7 Feb 2024 10:10:59 +0100 Subject: [PATCH 31/85] Forgot one of the the ifs :facepalm: Signed-off-by: Mauro Morales --- .github/workflows/image-arm.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 35bf2aaba..2972c770e 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml @@ -147,7 +147,7 @@ jobs: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && (steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true') }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Build 🔧 & Push 🚀 - if: ${{ !steps.cache.outputs.cache_available || steps.changed-files.outputs.nvidia_any_changed == 'true' }} + if: ${{ steps.cache.outputs.cache_available == 'false' || steps.changed-files.outputs.nvidia_any_changed == 'true' }} run: | export IMAGE=quay.io/kairos/cache:nvidia-base docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images From 2853f09f7a13bb702b86dcd0746971dc185df23a Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 8 Feb 2024 16:10:01 +0100 Subject: [PATCH 32/85] Do not push sbom master files to repo (#2234) Signed-off-by: Mauro Morales --- .github/workflows/reusable-build-flavor.yaml | 13 +++++++++---- .github/workflows/reusable-build-provider.yaml | 14 +++++++++----- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index 2ef48c4c4..f4ebbbdfb 100644 --- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml 
@@ -164,11 +164,16 @@ jobs: docker tag $(cat IMAGE) $IMAGE docker push $IMAGE image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") - spdx=$(ls *.spdx.json) - cosign attach sbom --sbom $spdx $image_ref - cosign sign $image_ref --attachment sbom + # TODO: on master we don't want to push all the sbom files since the tag is always the same and we don't go back to clean the old sbom files + # but we should also use this reusable job for releases and then it's important to do it + # For master: + cosign sign $image_ref + # For releases: + # spdx=$(ls *.spdx.json) + # cosign attach sbom --sbom $spdx $image_ref + # cosign sign $image_ref --attachment sbom # in-toto attestation - cosign attest --type spdx --predicate $spdx $image_ref + # cosign attest --type spdx --predicate $spdx $image_ref - name: Push to testing run: | _IMG=$(cat IMAGE) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 67d662764..e295de2a9 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml 
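Review bot: The master/release split is done by commenting the SBOM lines out, so this reusable workflow can no longer attach an SBOM or emit the in-toto attestation for a release until someone edits it again, and the `# For releases:` block will rot unexercised. Gate the commands on the ref instead, e.g. wrap the four commented-out release lines (`spdx=`, `cosign attach sbom`, `cosign sign … --attachment sbom`, `cosign attest`) in `if [ "${{ github.ref_type }}" = "tag" ]; then` … `fi`, so master keeps the plain image signature and tags get the full set from the same code path. While here, quote the reference at the use site: `cosign sign "$image_ref"`. The same pattern is introduced in the reusable-build-provider.yaml hunk.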
@@ -143,12 +143,16 @@ jobs: IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE docker push $IMAGE - image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") - spdx=$(ls *.spdx.json) - cosign attach sbom --sbom $spdx $image_ref - cosign sign $image_ref --attachment sbom + # TODO: on master we don't want to push all the sbom files since the tag is always the same and we don't go back to clean the old sbom files + # but we should also use this reusable job for releases and then it's important to do it + # For master: + cosign sign $image_ref + # For releases: + # spdx=$(ls *.spdx.json) + # cosign attach sbom --sbom $spdx $image_ref + # cosign sign $image_ref --attachment sbom # in-toto attestation - cosign attest --type spdx --predicate $spdx $image_ref + # cosign attest --type spdx --predicate $spdx $image_ref - name: Push to testing run: | _IMG=$(cat IMAGE) From 28b43d9e39e4460b2e19ba5c2600d3edb55463ab Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 8 Feb 2024 17:06:42 +0100 Subject: [PATCH 33/85] :bug: Do not recompress compressed firmware (#2237) --- images/Dockerfile.kairos-ubuntu | 4 ++-- images/Dockerfile.ubuntu | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 006f3b776..f8610555c 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu 
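Review bot: This hunk also removes the `image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")` line, unlike the flavor workflow's hunk, yet the surviving `cosign sign $image_ref` still uses it; on the new side cosign is invoked with no image reference, so the step fails after `docker push $IMAGE` has already run, leaving an unsigned master image on the registry. Restore the assignment above the TODO comment and quote it at the use site, `cosign sign "$image_ref"`. The `run:` block's shell options are outside the hunk, so whether a failing cosign is even fatal here cannot be confirmed from the diff.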
@@ -245,8 +245,8 @@ FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 ############################################################### FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all -# compress firmware -RUN find /usr/lib/firmware -type f -execdir zstd --rm -9 {} \+ +# compress firmware (from 23.10, fw files come compressed) +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 3c0d3ea30..930e99309 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -246,8 +246,8 @@ FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 ############################################################### FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all -# compress firmware -RUN find /usr/lib/firmware -type f -execdir zstd --rm -9 {} \+ +# compress firmware (from 23.10, fw files come compressed) +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ From 9115f8f2377bf302f5e9c3a913a039ef9a6b49b8 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 9 Feb 2024 11:38:02 +0100 Subject: [PATCH 34/85] Test latest fedora-based osbuilder (#2232) --- .github/workflows/uki.yaml | 2 +- Earthfile | 30 ++++++++++++++++-------------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 0c3668689..4517f7a5a 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml 
@@ -73,7 +73,7 @@ jobs: EMULATE_TPM: true UKI_TEST: true run: | - export ISO=$(ls $PWD/build/kairos-${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}-core-amd64-generic-*.uki.iso) + export ISO=$(ls $PWD/build/kairos_*.iso) export DATASOURCE=${PWD}/build/datasource.iso cp tests/go.* . go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/ diff --git a/Earthfile b/Earthfile index 9e79a97ac..fcffc78bc 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="v2.7.1" +ARG KAIROS_FRAMEWORK_VERSION="main" ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.15.0 +ARG OSBUILDER_VERSION=latest ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang @@ -32,8 +32,6 @@ ARG HADOLINT_VERSION=2.12.0-alpine ARG RENOVATE_VERSION=37 # renovate: datasource=docker depName=koalaman/shellcheck-alpine versioning=docker ARG SHELLCHECK_VERSION=v0.9.0 -# renovate: datasource=docker depName=quay.io/kairos/enki versioning=docker -ARG ENKI_VERSION=v0.0.14 ARG IMAGE_REPOSITORY_ORG=quay.io/kairos 
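Review bot: `ARG KAIROS_FRAMEWORK_VERSION="main"` and `ARG OSBUILDER_VERSION=latest` replace two pinned versions with mutable references, so every build now pulls whatever was last pushed under those tags, the result is no longer reproducible from the diff, and the `# renovate:` annotations directly above both lines stop working because there is no version left to bump. If the goal is only to try the new osbuilder, as the subject says, keep the pinned defaults and override on the command line (`earthly +<target> --OSBUILDER_VERSION=<tag>`), or pin the tested tag or digest before merging. Because `uki-iso` in the later hunk now starts `FROM $OSBUILDER_IMAGE`, the UKI signing toolchain floats with this too.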
@@ -297,12 +295,25 @@ base-image: COPY +git-version/GIT_VERSION VERSION ARG KAIROS_AGENT_DEV_BRANCH + ARG IMMUCORE_DEV_BRANCH IF [ "$KAIROS_AGENT_DEV_BRANCH" != "" ] RUN rm -rf /usr/bin/kairos-agent COPY github.com/kairos-io/kairos-agent:$KAIROS_AGENT_DEV_BRANCH+build-kairos-agent/kairos-agent /usr/bin/kairos-agent END + IF [ "$IMMUCORE_DEV_BRANCH" != "" ] + RUN rm -rf /usr/bin/immucore + COPY github.com/kairos-io/immucore:$IMMUCORE_DEV_BRANCH+build-immucore/immucore /usr/bin/immucore + # Rebuild the initrd + RUN if [ -f "/usr/bin/dracut" ]; then \ + kernel=$(ls /lib/modules | head -n1) && \ + dracut -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd; \ + fi + END + + RUN --no-cache kairos-agent version SAVE IMAGE $_CIMG @@ -319,19 +330,13 @@ image-rootfs: ## UKI Stuff Start -enki-image: - FROM quay.io/kairos/enki:${ENKI_VERSION} - SAVE ARTIFACT /enki enki - uki-iso: ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki FROM $BASE_IMAGE ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') ARG ENKI_FLAGS - FROM +uki-dev-tools-image - - COPY +enki-image/enki /usr/bin/enki + FROM $OSBUILDER_IMAGE COPY ./tests/keys /keys RUN echo $BASE_IMAGE > /IMAGE WORKDIR /build @@ -883,7 +888,6 @@ pull-release: pull-build-artifacts: ARG OSBUILDER_IMAGE FROM $OSBUILDER_IMAGE - RUN zypper in -y jq docker COPY +uuidgen/UUIDGEN ./ ARG UUIDGEN=$(cat UUIDGEN) ARG BUNDLE_IMAGE=ttl.sh/$UUIDGEN:24h @@ -896,7 +900,6 @@ pull-build-artifacts: push-build-artifacts: ARG OSBUILDER_IMAGE FROM $OSBUILDER_IMAGE - RUN zypper in -y jq docker COPY +uuidgen/UUIDGEN ./ ARG UUIDGEN=$(cat UUIDGEN) ARG BUNDLE_IMAGE=ttl.sh/$UUIDGEN:24h @@ -916,7 +919,6 @@ push-build-artifacts: prepare-bundles-tests: ARG OSBUILDER_IMAGE FROM $OSBUILDER_IMAGE - RUN zypper in -y jq docker COPY +uuidgen/UUIDGEN ./ ARG UUIDGEN=$(cat UUIDGEN) ARG BUNDLE_IMAGE=ttl.sh/$UUIDGEN:24h 
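Review bot: `kernel=$(ls /lib/modules | head -n1)` in the new IMMUCORE_DEV_BRANCH block silently takes the alphabetically first entry, so if a module tree for a second kernel is ever present the initrd is rebuilt for an arbitrary one and `/boot/initrd` is repointed at it; make the single-kernel assumption explicit and fatal, e.g. `test "$(ls /lib/modules | wc -l)" -eq 1 || exit 1` before the dracut line, or loop over every entry. A one-line comment that images without dracut (the `if [ -f "/usr/bin/dracut" ]` guard) intentionally get the new immucore binary only in the rootfs, with the shipped initrd left unchanged, would also help, since the guard is easy to misread as a silent skip. The base-image target continues outside the hunk.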
From 6ff3f09930511a0adcb13002f0eaa9d3aec7894e Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Fri, 9 Feb 2024 12:43:52 +0100 Subject: [PATCH 35/85] Add missing step to sign standard images Signed-off-by: Mauro Morales --- .github/workflows/reusable-build-provider.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index e295de2a9..28cd63d02 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -143,6 +143,7 @@ jobs: IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE docker push $IMAGE + image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") # TODO: on master we don't want to push all the sbom files since the tag is always the same and we don't go back to clean the old sbom files # but we should also use this reusable job for releases and then it's important to do it # For master: From 862dc2f214b03fb662b74263514e466835eb1c66 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Fri, 9 Feb 2024 13:19:23 +0100 Subject: [PATCH 36/85] Add missing .img prefix Signed-off-by: Mauro Morales --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index fcffc78bc..1f129795f 100644 --- a/Earthfile +++ b/Earthfile @@ -593,7 +593,7 @@ arm-image: ARG IMG_COMPRESSION=xz FROM --platform=linux/arm64 +base-image - ARG IMAGE_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') + ARG IMAGE_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//').img FROM $OSBUILDER_IMAGE ARG --required MODEL 
From 28c2785624fcbfa784f61b26f5c7b10a4a3aef82 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Mon, 12 Feb 2024 10:00:16 +0100 Subject: [PATCH 37/85] Run zst per file (#2238) Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-ubuntu | 3 ++- images/Dockerfile.ubuntu | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index f8610555c..13ee5a934 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu @@ -246,7 +246,8 @@ FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all # compress firmware (from 23.10, fw files come compressed) -RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ +# for some reason \+ is breaking. Using \; instead despite being slower +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 930e99309..2929d24a4 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -247,7 +247,8 @@ FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all # compress firmware (from 23.10, fw files come compressed) -RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ +# for some reason \+ is breaking. Using \; instead despite being slower +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ From 7ded5bb27bdbc97b22a2d99e5acd8662e6645ae0 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 13 Feb 2024 00:02:49 +0100 Subject: [PATCH 38/85] Move versioneer call inside Dockerfile (#2242) * Move versioneer call inside Dockerfile * feedback 
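Review bot: Switching `-execdir zstd --rm -9 {} \+` to `{} \;` changes more than speed: with `\+` a non-zero exit from zstd makes find exit non-zero and the `RUN` fail, whereas with `\;` find ignores the command's status, so a firmware file zstd refuses to handle is now left uncompressed silently and the build proceeds as if it had succeeded. It is worth root-causing the "breaking"; given the `! -name "*.zst"` filter added in the previous commit, a plausible cause is an uncompressed file whose `.zst` sibling already exists, which zstd will not overwrite without `-f` and which fails the whole batch under `\+`. If that is the case, `zstd --rm -9 -f` with the original `\+` keeps both the batching and the error propagation; the same change is made in the Dockerfile.ubuntu hunk.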
Signed-off-by: Mauro Morales --------- Signed-off-by: Mauro Morales --- Earthfile | 8 +------- images/Dockerfile.kairos | 4 ++++ images/Dockerfile.kairos-alpine | 4 ++++ images/Dockerfile.kairos-debian | 4 ++++ images/Dockerfile.kairos-opensuse | 4 ++++ images/Dockerfile.kairos-rhel | 7 ++++++- images/Dockerfile.kairos-ubuntu | 4 ++++ 7 files changed, 27 insertions(+), 8 deletions(-) diff --git a/Earthfile b/Earthfile index 1f129795f..d59c2e71f 100644 --- a/Earthfile +++ b/Earthfile @@ -287,10 +287,6 @@ base-image: -f +kairos-dockerfile/Dockerfile \ ./images - - RUN kairos-agent versioneer container-artifact-name # To see the error if one occurs. - RUN kairos-agent versioneer container-artifact-name > /IMAGE - ARG _CIMG=$(cat ./IMAGE) COPY +git-version/GIT_VERSION VERSION @@ -313,9 +309,7 @@ base-image: fi END - - RUN --no-cache kairos-agent version - + ARG _CIMG=$(cat /IMAGE) SAVE IMAGE $_CIMG SAVE ARTIFACT /IMAGE AS LOCAL build/IMAGE SAVE ARTIFACT VERSION AS LOCAL build/VERSION diff --git a/images/Dockerfile.kairos b/images/Dockerfile.kairos index 0133e4277..ea1e724f0 100644 --- a/images/Dockerfile.kairos +++ b/images/Dockerfile.kairos @@ -73,8 +73,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine index e495d5725..e95d2b223 100644 --- a/images/Dockerfile.kairos-alpine +++ b/images/Dockerfile.kairos-alpine 
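Review bot: `# not duplicated but used to see the error` is hard to parse — the versioneer command is run twice, once so its output lands in the build log and once redirected into `/IMAGE` — and the same pair plus comment is copied into the kairos-alpine, kairos-debian, kairos-opensuse, kairos-rhel and kairos-ubuntu hunks. A single `RUN kairos-agent versioneer container-artifact-name | tee /IMAGE` gives both, but only if the `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` line that currently follows these RUNs is moved above them; otherwise tee's exit status would hide a failing versioneer, which is the opposite of what the comment wants. The existing os-release-variables pair has the same shape and would benefit equally. On the Earthfile side, `ARG _CIMG=$(cat /IMAGE)` now trusts that the Dockerfile wrote `/IMAGE`; a `RUN test -s /IMAGE` before it would turn a missing or empty file into a build failure rather than a `SAVE IMAGE` with an empty name.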
@@ -224,8 +224,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian index e8171ba9f..d64620afd 100644 --- a/images/Dockerfile.kairos-debian +++ b/images/Dockerfile.kairos-debian @@ -226,8 +226,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse index 06c89caaa..674605d23 100644 --- a/images/Dockerfile.kairos-opensuse +++ b/images/Dockerfile.kairos-opensuse 
@@ -233,8 +233,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel index 2fcaf94f5..ea04ce086 100644 --- a/images/Dockerfile.kairos-rhel +++ b/images/Dockerfile.kairos-rhel @@ -72,7 +72,8 @@ RUN dnf install -y \ systemd-networkd \ systemd-resolved \ tar \ - which && dnf clean all + which \ + && dnf clean all FROM common AS all RUN mkdir -p /run/lock @@ -159,8 +160,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 13ee5a934..15162aa36 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu 
@@ -331,8 +331,12 @@ LABEL io.kairos.software-version="${SOFTWARE_VERSION}" LABEL io.kairos.software-version-prefix="${SOFTWARE_VERSION_PREFIX}" LABEL io.kairos.targetarch="${TARGETARCH}" +# not duplicated but used to see the error RUN kairos-agent versioneer os-release-variables RUN kairos-agent versioneer os-release-variables >> /etc/os-release +# not duplicated but used to see the error +RUN kairos-agent versioneer container-artifact-name +RUN kairos-agent versioneer container-artifact-name > /IMAGE SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN luet database get-all-installed --output /etc/kairos/versions.yaml From 6242a5d875820258ca1009e7b61aed7f3d28caf4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 23:03:48 +0000 Subject: [PATCH 39/85] Update module github.com/kairos-io/kairos-sdk to v0.0.24 --- profile-build/go.mod | 2 +- profile-build/go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/profile-build/go.mod b/profile-build/go.mod index ea9e53a35..ab6b69a13 100644 --- a/profile-build/go.mod +++ b/profile-build/go.mod @@ -3,7 +3,7 @@ module main go 1.20 require ( - github.com/kairos-io/kairos-sdk v0.0.23 + github.com/kairos-io/kairos-sdk v0.0.24 github.com/urfave/cli v1.22.14 ) diff --git a/profile-build/go.sum b/profile-build/go.sum index b312fc889..c6cfe5eb1 100644 --- a/profile-build/go.sum +++ b/profile-build/go.sum 
@@ -144,6 +144,8 @@ github.com/kairos-io/kairos-sdk v0.0.21 h1:iF1Wq+j4xTsR4TSNd/xkuOTTQDvf+yPB2E3Is github.com/kairos-io/kairos-sdk v0.0.21/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= github.com/kairos-io/kairos-sdk v0.0.23 h1:2osQaqIPDB0Tj0a0v8NGOPrgQWve3D6r8nHRf7NKe3I= github.com/kairos-io/kairos-sdk v0.0.23/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= +github.com/kairos-io/kairos-sdk v0.0.24 h1:BhOPrn8Hf8SVEX3eQKS+oJi2UFVL4BYNIl6FjYlni9U= +github.com/kairos-io/kairos-sdk v0.0.24/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= From c2b6831e3366d74650f6a432533bdfbc6a8567d3 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 13 Feb 2024 09:08:36 +0100 Subject: [PATCH 40/85] Ubuntu 24.04 arm64 generic (#2241) * Add ubuntu 24.04 amd64 Signed-off-by: Mauro Morales * refactor * Add dhcp client --------- Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-ubuntu | 16 +++++++++++++++- images/Dockerfile.ubuntu | 16 +++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 15162aa36..1ab918e5b 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu @@ -24,6 +24,8 @@ ARG FRAMEWORK_VERSION=main ############################################################### #### Upstream Images #### ############################################################### +FROM ${BASE_IMAGE} AS ubuntu-24.04-upstream + FROM ${BASE_IMAGE} AS ubuntu-23.10-upstream FROM ${BASE_IMAGE} AS ubuntu-20.04-upstream 
@@ -167,6 +169,7 @@ RUN [ -z "$(ls -A /lib/modules/)" ] && apt-get install -y --no-install-recommend linux-image-generic-hwe-22.04 || true RUN apt-get clean && rm -rf /var/lib/apt/lists/* +FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-24.04 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-23.10 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-22.04 FROM amd64-base-ubuntu-20.04 AS amd64-ubuntu-20.04 @@ -201,6 +204,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ linux-modules-extra-raspi \ && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM generic AS amd64-ubuntu-24.04-generic FROM generic AS amd64-ubuntu-23.10-generic FROM generic AS amd64-ubuntu-22.04-generic FROM generic AS amd64-ubuntu-20.04-generic @@ -221,7 +225,8 @@ FROM ubuntu-20.04-upstream AS arm64-ubuntu-20.04-nvidia-jetson-agx-orin ############################################################### #### Common to a Single Flavor #### ############################################################### -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-23.10 +# As soon as 24.04 is released, this can be renamed to ubuntu-24.04 directly and remove all 23.10 references +FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-latest RUN apt-get update \ && apt-get install -y --no-install-recommends \ dbus-user-session \ @@ -230,6 +235,15 @@ RUN apt-get update \ systemd-resolved \ && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM ubuntu-latest AS ubuntu-24.04 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + isc-dhcp-common \ + isc-dhcp-client \ + && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM ubuntu-latest AS ubuntu-23.10 + FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-22.04 RUN apt-get update # If the generic kernel is installed we don't want to install HWE related packages diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 2929d24a4..3ff3b8b01 100644 --- a/images/Dockerfile.ubuntu 
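Review bot: The new `ubuntu-24.04` stage installs `isc-dhcp-common` and `isc-dhcp-client` without saying why 24.04 needs an explicit DHCP client while the sibling `ubuntu-23.10` stage does not; a one-line comment above the RUN, `# <reason 24.04 needs isc-dhcp-client but 23.10 does not>`, would stop the next reader from removing it as a slim-down. The same stage layout is then repeated verbatim in images/Dockerfile.ubuntu in the hunks that follow, and the later bootloader-split and gettext commits in this series repeat the pattern, so every change now has to be made twice and the two files can silently drift. The `# As soon as 24.04 is released ...` comment would also be a good place to record that `amd64-ubuntu-24.04` is deliberately an alias of `amd64-base-ubuntu-22.04`, which otherwise reads like a mistake.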
+++ b/images/Dockerfile.ubuntu @@ -25,6 +25,8 @@ ARG FRAMEWORK_VERSION=main ############################################################### #### Upstream Images #### ############################################################### +FROM ${BASE_IMAGE} AS ubuntu-24.04-upstream + FROM ${BASE_IMAGE} AS ubuntu-23.10-upstream FROM ${BASE_IMAGE} AS ubuntu-20.04-upstream @@ -168,6 +170,7 @@ RUN [ -z "$(ls -A /lib/modules/)" ] && apt-get install -y --no-install-recommend linux-image-generic-hwe-22.04 || true RUN apt-get clean && rm -rf /var/lib/apt/lists/* +FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-24.04 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-23.10 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-22.04 FROM amd64-base-ubuntu-20.04 AS amd64-ubuntu-20.04 @@ -202,6 +205,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ linux-modules-extra-raspi \ && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM generic AS amd64-ubuntu-24.04-generic FROM generic AS amd64-ubuntu-23.10-generic FROM generic AS amd64-ubuntu-22.04-generic FROM generic AS amd64-ubuntu-20.04-generic @@ -222,7 +226,8 @@ FROM ubuntu-20.04-upstream AS arm64-ubuntu-20.04-nvidia-jetson-agx-orin ############################################################### #### Common to a Single Flavor #### ############################################################### -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-23.10 +# As soon as 24.04 is released, this can be renamed to ubuntu-24.04 directly and remove all 23.10 references +FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-latest RUN apt-get update \ && apt-get install -y --no-install-recommends \ dbus-user-session \ 
@@ -231,6 +236,15 @@ RUN apt-get update \ systemd-resolved \ && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM ubuntu-latest AS ubuntu-24.04 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + isc-dhcp-common \ + isc-dhcp-client \ + && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM ubuntu-latest AS ubuntu-23.10 + FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-22.04 RUN apt-get update # If the generic kernel is installed we don't want to install HWE related packages From 9d570344ff151157e4a60d147e1a8fde51a66f37 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 14 Feb 2024 15:06:58 +0100 Subject: [PATCH 41/85] append k3s version to master builds (#2248) Fixes #2225 Signed-off-by: Mauro Morales --- .github/workflows/reusable-build-provider.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 28cd63d02..da1aa07b8 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -140,7 +140,8 @@ jobs: env: COSIGN_YES: true run: | - IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"') + IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*} kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE docker push $IMAGE image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE") 
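Review bot: In the reusable-build-provider.yaml hunk, `K3S_VERSION=$(sudo luet ... | jq ... | tr -d '"')` silently yields an empty or literal `null` version when luet or jq fails, because the step has no `pipefail` and only the status of `tr` is observed, so the image would be pushed as `master-k3sv` without any error. Adding `set -o pipefail` at the top of the `run: |` block and a guard such as `[ -n "$K3S_VERSION" ] && [ "$K3S_VERSION" != "null" ] || { echo "could not determine k3s version"; exit 1; }` makes the failure visible before `docker push`. `jq -r` would also replace the `tr -d '"'` step, and note that `unique | last` orders versions as strings, so if the framework profile ever lists versions whose numeric order differs from their string order the wrong one would be picked; a semver-aware sort is safer if more than one k3s version can be present.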
From 7170dc2d5511cf3c61b32b7bb1958484a03bff0f Mon Sep 17 00:00:00 2001
From: Mauro Morales
Date: Wed, 14 Feb 2024 21:20:22 +0100
Subject: [PATCH 42/85] add missing suffix for master standard builds
---
.github/workflows/reusable-build-provider.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml
index da1aa07b8..008711cbf 100644
--- a/.github/workflows/reusable-build-provider.yaml
+++ b/.github/workflows/reusable-build-provider.yaml
@@ -141,7 +141,7 @@ jobs:
 COSIGN_YES: true
 run: |
 K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"')
- IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*} kairos-agent versioneer container-artifact-name)
+ IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1 kairos-agent versioneer container-artifact-name)
 docker tag $(cat IMAGE) $IMAGE
 docker push $IMAGE
 image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
From ac77fd8efdaa75bae8140316b42152b8db3320ce Mon Sep 17 00:00:00 2001
From: Dimitris Karakasilis
Date: Mon, 19 Feb 2024 13:20:13 +0200
Subject: [PATCH 43/85] Remove unused Earthly targets (#2264)
Fixes #2253
Signed-off-by: Dimitris Karakasilis
---
Earthfile | 45 ---------------------------------------------
1 file changed, 45 deletions(-)
diff --git a/Earthfile b/Earthfile
index d59c2e71f..fedde980e 100644
--- a/Earthfile
+++ b/Earthfile
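Review bot: `RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1` strips whatever follows `+` in the luet package version and then hard-codes `-k3s1`, so a package versioned with a different build suffix (for example `+k3s2`, inferred from the `%%+*` expansion) would be tagged as k3s1. Deriving the suffix from the actual version, `RELEASE=master-k3sv${K3S_VERSION//+/-}`, keeps the tag honest without a second hard-coded constant. The step's enclosing `run: |` block continues outside the hunk.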
@@ -1019,48 +1019,3 @@ luet-versions: FROM +base-image SAVE ARTIFACT /framework/etc/kairos/versions.yaml versions.yaml AS LOCAL build/versions.yaml - -# Installs the needed bits for "standard" images (the provider ones) -PROVIDER_INSTALL: - COMMAND - - ARG PROVIDER_KAIROS_BRANCH - - COPY +luet/luet /usr/bin/luet - - IF [ "$PROVIDER_KAIROS_BRANCH" = "" ] # Install with luet (released versions of the binary) - # We don't specify a version. To bump, just change what the latest version - # in the repository is. - RUN luet install -y system/provider-kairos - RUN luet database get-all-installed --output /etc/kairos/versions.yaml - ELSE # Install from a branch - COPY github.com/kairos-io/provider-kairos:$PROVIDER_KAIROS_BRANCH+build-kairos-agent-provider/agent-provider-kairos /system/providers/agent-provider-kairos - RUN ln -s /system/providers/agent-provider-kairos /usr/bin/kairos - END - -# Installs k3s (for "standard" images) -INSTALL_K3S: - COMMAND - - ARG FLAVOR - - IF [ "$K3S_VERSION" = "" ] - RUN echo "$K3S_VERSION must be set" && exit 1 - END - - IF [ "$K3S_VERSION" = "latest" ] # Install latest using the upstream installer - ENV INSTALL_K3S_BIN_DIR="/usr/bin" - RUN curl -sfL https://get.k3s.io > installer.sh \ - && INSTALL_K3S_SELINUX_WARN=true INSTALL_K3S_SKIP_START="true" INSTALL_K3S_SKIP_ENABLE="true" INSTALL_K3S_SKIP_SELINUX_RPM="true" bash installer.sh \ - && INSTALL_K3S_SELINUX_WARN=true INSTALL_K3S_SKIP_START="true" INSTALL_K3S_SKIP_ENABLE="true" INSTALL_K3S_SKIP_SELINUX_RPM="true" bash installer.sh agent \ - && rm -rf installer.sh - ELSE - IF [[ "$FLAVOR" =~ ^alpine* ]] - ARG _LUET_K3S=$(echo k8s/k3s-openrc@${K3S_VERSION}) - ELSE - ARG _LUET_K3S=$(echo k8s/k3s-systemd@${K3S_VERSION}) - END - END - - RUN luet install -y ${_LUET_K3S} utils/edgevpn utils/k9s utils/nerdctl container/kubectl utils/kube-vip - RUN luet database get-all-installed --output /etc/kairos/versions.yaml From b44a283520e25d898188a4391636c61e6c04ac29 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 12:57:27 +0000 Subject: [PATCH 44/85] Update module github.com/kairos-io/kairos-sdk to v0.0.25 --- profile-build/go.mod | 4 ++-- profile-build/go.sum | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/profile-build/go.mod b/profile-build/go.mod index ab6b69a13..443e5b1de 100644 --- a/profile-build/go.mod +++ b/profile-build/go.mod @@ -3,7 +3,7 @@ module main go 1.20 require ( - github.com/kairos-io/kairos-sdk v0.0.24 + github.com/kairos-io/kairos-sdk v0.0.25 github.com/urfave/cli v1.22.14 ) @@ -58,7 +58,7 @@ require ( golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.13.0 // indirect golang.org/x/sync v0.2.0 // indirect - golang.org/x/sys v0.10.0 // indirect + golang.org/x/sys v0.12.0 // indirect golang.org/x/term v0.10.0 // indirect golang.org/x/text v0.11.0 // indirect golang.org/x/tools v0.9.3 // indirect diff --git a/profile-build/go.sum b/profile-build/go.sum index c6cfe5eb1..48ca3e508 100644 --- a/profile-build/go.sum +++ b/profile-build/go.sum @@ -146,6 +146,8 @@ github.com/kairos-io/kairos-sdk v0.0.23 h1:2osQaqIPDB0Tj0a0v8NGOPrgQWve3D6r8nHRf github.com/kairos-io/kairos-sdk v0.0.23/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= github.com/kairos-io/kairos-sdk v0.0.24 h1:BhOPrn8Hf8SVEX3eQKS+oJi2UFVL4BYNIl6FjYlni9U= github.com/kairos-io/kairos-sdk v0.0.24/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= +github.com/kairos-io/kairos-sdk v0.0.25 h1:/wQ8lHmmqJgKPaxzLllTgMQNWRje80XKdj8F0XlFXl0= +github.com/kairos-io/kairos-sdk v0.0.25/go.mod h1:btSB2QAds/WSyIyPxnQ3jueMbkkZ75pHUUCj+yHpthQ= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= 
@@ -316,6 +318,8 @@ golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From deb4adea367262e580ef463b96a614788619df7c Mon Sep 17 00:00:00 2001 From: Itxaka Date: Mon, 19 Feb 2024 20:30:47 +0100 Subject: [PATCH 45/85] Set fixed versions for osbuilder/framework Signed-off-by: Itxaka --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index fedde980e..34aab54ed 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION="main" +ARG KAIROS_FRAMEWORK_VERSION=v2.7.3 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=latest +ARG OSBUILDER_VERSION=v0.200.0 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang 
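Review bot: `ARG OSBUILDER_VERSION=v0.200.0` replaces the floating `latest` with a tag, which is an improvement, but a tag is still mutable in the registry, so the build is not yet reproducible or tamper-evident. If the consumer accepts `tag@digest` references, pinning the digest as well, `ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION@sha256:<digest-placeholder>`, closes that gap, and the existing `# renovate: datasource=docker` annotation suggests the digest can be kept current automatically. The same consideration applies to `KAIROS_FRAMEWORK_VERSION=v2.7.3` in the hunk above if that value selects a container image rather than a git tag, which this chunk does not show.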
From cd1f5c8fa96788a8e2f4248cc7f3eb0c9f5fe8eb Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 20 Feb 2024 09:54:47 +0100 Subject: [PATCH 46/85] Have different compression depending on the ubuntu release (#2270) * Have different compression depending on the ubuntu release Signed-off-by: Mauro Morales * Add kairos file Signed-off-by: Mauro Morales --------- Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-ubuntu | 13 ++++++++----- images/Dockerfile.ubuntu | 13 ++++++++----- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 1ab918e5b..2ce947d84 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu @@ -234,6 +234,9 @@ RUN apt-get update \ systemd-hwe-hwdb \ systemd-resolved \ && apt-get clean && rm -rf /var/lib/apt/lists/* +# compress firmware (from 23.10, fw files come compressed) +# for some reason \+ is breaking. Using \; instead despite being slower +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; FROM ubuntu-latest AS ubuntu-24.04 RUN apt-get update \ @@ -244,7 +247,10 @@ RUN apt-get update \ FROM ubuntu-latest AS ubuntu-23.10 -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-22.04 +FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-legacy +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ + +FROM ubuntu-legacy AS ubuntu-22.04 RUN apt-get update # If the generic kernel is installed we don't want to install HWE related packages SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
@@ -252,16 +258,13 @@ RUN apt-cache search linux-image-generic | grep hwe &> /dev/null && apt-get inst systemd-hwe-hwdb RUN apt-get clean && rm -rf /var/lib/apt/lists/* -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 +FROM ubuntu-legacy AS ubuntu-20.04 ############################################################### #### Post-Process Common to All #### ############################################################### FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all -# compress firmware (from 23.10, fw files come compressed) -# for some reason \+ is breaking. Using \; instead despite being slower -RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 3ff3b8b01..32b3af59d 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -235,6 +235,9 @@ RUN apt-get update \ systemd-hwe-hwdb \ systemd-resolved \ && apt-get clean && rm -rf /var/lib/apt/lists/* +# compress firmware (from 23.10, fw files come compressed) +# for some reason \+ is breaking. Using \; instead despite being slower +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; FROM ubuntu-latest AS ubuntu-24.04 RUN apt-get update \ @@ -245,7 +248,10 @@ RUN apt-get update \ FROM ubuntu-latest AS ubuntu-23.10 -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-22.04 +FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-legacy +RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \+ + +FROM ubuntu-legacy AS ubuntu-22.04 RUN apt-get update # If the generic kernel is installed we don't want to install HWE related packages SHELL ["/bin/bash", "-o", "pipefail", "-c"] 
@@ -253,16 +259,13 @@ RUN apt-cache search linux-image-generic | grep hwe &> /dev/null && apt-get inst systemd-hwe-hwdb RUN apt-get clean && rm -rf /var/lib/apt/lists/* -FROM ${TARGETARCH}-${FLAVOR}-${FLAVOR_RELEASE}-${MODEL} AS ubuntu-20.04 +FROM ubuntu-legacy AS ubuntu-20.04 ############################################################### #### Post-Process Common to All #### ############################################################### FROM ${FLAVOR}-${FLAVOR_RELEASE} AS all -# compress firmware (from 23.10, fw files come compressed) -# for some reason \+ is breaking. Using \; instead despite being slower -RUN find /usr/lib/firmware -type f ! -name "*.zst" -execdir zstd --rm -9 {} \; # compress modules RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+ From e8f0c5cdfbc0126d996e68f5127fa0f2cfe301e2 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Wed, 21 Feb 2024 20:30:31 +0100 Subject: [PATCH 47/85] Bump osbuilder to v0.200.1 Brings proper systemd-boot artifacts for uki builds Signed-off-by: Itxaka --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 34aab54ed..39c2550a1 100644 --- a/Earthfile +++ b/Earthfile @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.200.0 +ARG OSBUILDER_VERSION=v0.200.1 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang From c2b51070b01036b9d237e17896f713c09c70609f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 22:05:11 +0000 Subject: [PATCH 48/85] Update earthly/earthly Docker tag to v0.8.4 --- earthly.ps1 | 2 +- earthly.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/earthly.ps1 b/earthly.ps1 index 55010a2a6..44ebee4d6 100644 --- a/earthly.ps1 
+++ b/earthly.ps1
@@ -1 +1 @@
-docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v ${pwd}:/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.3 --allow-privileged @args
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v ${pwd}:/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.4 --allow-privileged @args
diff --git a/earthly.sh b/earthly.sh
index 4b031a842..abf4bb5bb 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.3 --allow-privileged "$@"
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.8.4 --allow-privileged "$@"
 
From f8b0b9217bd231660854cef5f1161d00c49a5dbf Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 21 Feb 2024 22:05:15 +0000
Subject: [PATCH 49/85] Update quay.io/kairos/osbuilder-tools Docker tag to v0.200.2
---
Earthfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Earthfile b/Earthfile
index 39c2550a1..b564481ce 100644
--- a/Earthfile
+++ b/Earthfile
@@ -21,7 +21,7 @@ END
 ARG COSIGN_EXPERIMENTAL=0
 ARG CGO_ENABLED=0
 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced
-ARG OSBUILDER_VERSION=v0.200.1
+ARG OSBUILDER_VERSION=v0.200.2
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
 ARG GOLINT_VERSION=1.52.2
 # renovate: datasource=docker depName=golang
From d8e230c4f1f3ffbfa04ca55fada1bae1e7b4cd73 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 01:15:25 +0000 Subject: [PATCH 50/85] Update dependency kairos-io/kairos-framework to v2.7.4 --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index b564481ce..4274cd916 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.3 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.4 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 2f0b09015c2af29dc5b94be103dfaaf4d5307895 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Thu, 22 Feb 2024 20:15:56 +0200 Subject: [PATCH 51/85] Bump framework version to get https://github.com/kairos-io/packages/commit/821de2dded0c2f590b539261002c5d257fb8ea07 Signed-off-by: Dimitris Karakasilis --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 4274cd916..6ed8639eb 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.4 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.5 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 9cc125ad9dd4b257780bd67147b36d3681cc2edf Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Fri, 23 Feb 2024 17:09:02 +0100 Subject: [PATCH 52/85] Slim down Ubuntu (#2284) * Base down from 1.34G to 1.08G Signed-off-by: Mauro Morales * Remove zfs, not heavy but problematic with nohang 
Signed-off-by: Mauro Morales * Add --no-install-suggests * From 1.08G to 992Mb Signed-off-by: Mauro Morales * Without dracut, the standard image goes down to 1.87G and can be booted Signed-off-by: Mauro Morales * Add BOOTLOADER arg Signed-off-by: Mauro Morales * feedback Signed-off-by: Mauro Morales * Refactor a bit Signed-off-by: Mauro Morales * refactor for ubuntu 20.04 Signed-off-by: Mauro Morales --------- Signed-off-by: Mauro Morales --- .gitignore | 1 + Earthfile | 2 + images/Dockerfile.kairos | 2 +- images/Dockerfile.ubuntu | 100 ++++++++++++++++++++++++++++++--------- 4 files changed, 81 insertions(+), 24 deletions(-) diff --git a/.gitignore b/.gitignore index 6c32f4e72..3ac5e31f4 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,7 @@ pr-message node_modules/ +.tmp-earthly-out/ # editor and IDE paraphernalia .idea .envrc diff --git a/Earthfile b/Earthfile index 6ed8639eb..9f1fd08fd 100644 --- a/Earthfile +++ b/Earthfile @@ -246,6 +246,7 @@ base-image: ARG --required MODEL ARG --required BASE_IMAGE # BASE_IMAGE is the image to apply the strategy (aka FLAVOR) on. E.g. ubuntu:20.04 ARG FRAMEWORK_VERSION + ARG BOOTLOADER=grub # TODO for the framework image. Do we call the last stable version available or master? ARG K3S_VERSION # As it comes from luet package @@ -284,6 +285,7 @@ base-image: --build-arg SOFTWARE_LUET_VERSION=$_SOFTWARE_LUET_VERSION \ --build-arg SOFTWARE_VERSION_PREFIX=$SOFTWARE_VERSION_PREFIX \ --build-arg FRAMEWORK_VERSION=$_FRAMEWORK_VERSION \ + --build-arg BOOTLOADER=$BOOTLOADER \ -f +kairos-dockerfile/Dockerfile \ ./images diff --git a/images/Dockerfile.kairos b/images/Dockerfile.kairos index ea1e724f0..a645e9bd2 100644 --- a/images/Dockerfile.kairos +++ b/images/Dockerfile.kairos 
@@ -7,7 +7,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 32b3af59d..685030031 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -21,6 +21,7 @@ ARG BASE_IMAGE ARG VARIANT ARG VERSION ARG FRAMEWORK_VERSION=main +ARG BOOTLOADER=grub ############################################################### #### Upstream Images #### @@ -50,42 +51,32 @@ RUN apt-get update \ conntrack \ console-data \ cloud-guest-utils \ - coreutils \ cryptsetup \ curl \ debianutils \ dosfstools \ - dracut \ - dracut-network \ e2fsprogs \ fdisk \ file \ gawk \ gdisk \ - grub2-common \ haveged \ iproute2 \ iptables \ iputils-ping \ jq \ - kbd \ krb5-locales \ less \ - lldpd \ lvm2 \ nano \ nbd-client \ - neovim \ nohang \ open-iscsi \ open-vm-tools \ openssh-server \ parted \ rsync \ - shim-signed \ snapd \ - snmpd \ - squashfs-tools \ sudo \ systemd \ systemd-timesyncd \ 
@@ -96,41 +87,97 @@ RUN apt-get update \ tpm2-* \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* +# This target is aimed at UKI images and avoids to install GRUB and any other unnecesary packages +# to the image because there are limitations on the total size +FROM common AS systemd-boot + +# This target is aimed at non-UKI images where size is not a concern +FROM common AS grub +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + coreutils \ + dracut \ + dracut-network \ + grub2-common \ + kbd \ + lldpd \ + neovim \ + # this brings grub as a dependency + shim-signed \ + snmpd \ + squashfs-tools \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM systemd-boot AS systemd-boot-amd64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + shared-mime-info \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM systemd-boot AS systemd-boot-arm64 + +FROM systemd-boot-amd64 AS systemd-boot-amd64-24.04 +FROM systemd-boot-amd64 AS systemd-boot-amd64-23.10 +FROM systemd-boot-arm64 AS systemd-boot-arm64-24.04 +FROM systemd-boot-arm64 AS systemd-boot-arm64-23.10 + +FROM grub AS grub-amd64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + grub2 \ + grub-efi-amd64-bin \ + grub-efi-amd64-signed \ + grub-pc-bin \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM grub AS grub-arm64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + grub-efi-arm64 \ + grub-efi-arm64-bin \ + grub-efi-arm64-signed \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM grub-amd64 AS grub-amd64-current +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + dracut-live \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM 
grub-amd64 AS grub-amd64-legacy + +FROM grub-amd64-current AS grub-amd64-24.04 +FROM grub-amd64-current AS grub-amd64-23.10 +FROM grub-amd64-current AS grub-amd64-22.04 +FROM grub-amd64-legacy AS grub-amd64-20.04 +FROM grub-arm64 AS grub-arm64-23.10 +FROM grub-arm64 AS grub-arm64-22.04 +FROM grub-arm64 AS grub-arm64-20.04 + ############################################################### #### Common to a Single Architecture #### ############################################################### -FROM common AS amd64 +FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS amd64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ dmsetup \ efibootmgr \ - grub2 \ - grub-efi-amd64-bin \ - grub-efi-amd64-signed \ - grub-pc-bin \ isc-dhcp-common \ mdadm \ ncurses-term \ networkd-dispatcher \ nfs-common \ - os-prober \ packagekit-tools \ publicsuffix \ - shared-mime-info \ thermald \ xdg-user-dirs \ xxd \ zerofree \ - zfsutils-linux \ && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM common AS arm64 +FROM ${BOOTLOADER}-${TARGETARCH} AS arm64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ - grub-efi-arm64 \ - grub-efi-arm64-bin \ - grub-efi-arm64-signed \ keyutils \ && apt-get clean && rm -rf /var/lib/apt/lists/* @@ -147,7 +194,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ FROM ${TARGETARCH} AS base-ubuntu-22.04 RUN apt-get update && apt-get install -y --no-install-recommends \ - dracut-live \ firmware-sof-signed \ fuse3 \ pigz \ 
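Review bot: The arm64 stage selects `FROM ${BOOTLOADER}-${TARGETARCH} AS arm64` while amd64 selects `FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS amd64`, so the per-release arm64 aliases this hunk defines (`systemd-boot-arm64-24.04`, `systemd-boot-arm64-23.10`, `grub-arm64-23.10/22.04/20.04`) are never referenced, and there is no `grub-arm64-24.04` to match the systemd-boot one. Either make the two architectures symmetric, `FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS arm64` plus `FROM grub-arm64 AS grub-arm64-24.04`, or drop the unused aliases so the selection logic is the same on both paths; which one is right depends on whether an arm64 24.04 build exists, which this chunk does not show. Two other silent consequences are worth confirming in the commit message: `shared-mime-info` now lands only in `systemd-boot-amd64`, so grub-based amd64 images lose it, and `os-prober` is removed from amd64 altogether. The `&& apt-get remove -y unattended-upgrades` repeated in every new stage is a no-op after `common` already removed it and could be trimmed.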
@@ -173,7 +219,15 @@ RUN apt-get clean && rm -rf /var/lib/apt/lists/* FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-24.04 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-23.10 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-22.04 +RUN apt-get update && apt-get install -y --no-install-recommends \ + # zfsutils-linux cannot be installed on 23+ because of a bug with nohang + zfsutils-linux \ + && apt-get clean && rm -rf /var/lib/apt/lists/* FROM amd64-base-ubuntu-20.04 AS amd64-ubuntu-20.04 +RUN apt-get update && apt-get install -y --no-install-recommends \ + # zfsutils-linux cannot be installed on 23+ because of a bug with nohang + zfsutils-linux \ + && apt-get clean && rm -rf /var/lib/apt/lists/* FROM base-ubuntu-22.04 AS arm64-ubuntu-23.10 FROM base-ubuntu-22.04 AS arm64-ubuntu-22.04 From ee6f2b1880742f12fd0ad8bc8e67f3c9a69d0683 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 10:08:59 +0100 Subject: [PATCH 53/85] Add gettext to ubuntu Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-alpine | 2 +- images/Dockerfile.kairos-debian | 2 +- images/Dockerfile.kairos-opensuse | 2 +- images/Dockerfile.kairos-rhel | 2 +- images/Dockerfile.kairos-ubuntu | 103 +++++++++++++++++++++++------- images/Dockerfile.ubuntu | 1 + 6 files changed, 84 insertions(+), 28 deletions(-) diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine index e95d2b223..f944e76af 100644 --- a/images/Dockerfile.kairos-alpine +++ b/images/Dockerfile.kairos-alpine @@ -158,7 +158,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* 
diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian index d64620afd..174dee446 100644 --- a/images/Dockerfile.kairos-debian +++ b/images/Dockerfile.kairos-debian @@ -160,7 +160,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse index 674605d23..243143687 100644 --- a/images/Dockerfile.kairos-opensuse +++ b/images/Dockerfile.kairos-opensuse @@ -167,7 +167,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel index ea04ce086..2b45386e8 100644 --- a/images/Dockerfile.kairos-rhel +++ b/images/Dockerfile.kairos-rhel @@ -94,7 +94,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index 2ce947d84..b4bd7c6b1 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu 
@@ -20,6 +20,7 @@ ARG BASE_IMAGE ARG VARIANT ARG VERSION ARG FRAMEWORK_VERSION=main +ARG BOOTLOADER=grub ############################################################### #### Upstream Images #### @@ -49,42 +50,33 @@ RUN apt-get update \ conntrack \ console-data \ cloud-guest-utils \ - coreutils \ cryptsetup \ curl \ debianutils \ dosfstools \ - dracut \ - dracut-network \ e2fsprogs \ fdisk \ file \ gawk \ gdisk \ - grub2-common \ + gettext \ haveged \ iproute2 \ iptables \ iputils-ping \ jq \ - kbd \ krb5-locales \ less \ - lldpd \ lvm2 \ nano \ nbd-client \ - neovim \ nohang \ open-iscsi \ open-vm-tools \ openssh-server \ parted \ rsync \ - shim-signed \ snapd \ - snmpd \ - squashfs-tools \ sudo \ systemd \ systemd-timesyncd \ 
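Review bot: `ARG BOOTLOADER=grub` is introduced without saying which values it accepts, yet it is later spliced into stage names (`FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE}`), so a typo such as `systemdboot` only surfaces as a missing-stage error deep in the build. Add a comment above it: `# BOOTLOADER selects the package set: "grub" (default; GRUB, shim, dracut) or "systemd-boot" (UKI; minimal, no GRUB). Must match a <BOOTLOADER>-<arch>[-<release>] stage below.` The second hunk moves `dracut`, `grub2-common`, `shim-signed`, `squashfs-tools` and others out of `common`, so anything that assumed those were in the base now relies on `grub` being the default; that is worth stating in the same comment.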
@@ -95,41 +87,97 @@ RUN apt-get update \ tpm2-* \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* +# This target is aimed at UKI images and avoids to install GRUB and any other unnecesary packages +# to the image because there are limitations on the total size +FROM common AS systemd-boot + +# This target is aimed at non-UKI images where size is not a concern +FROM common AS grub +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + coreutils \ + dracut \ + dracut-network \ + grub2-common \ + kbd \ + lldpd \ + neovim \ + # this brings grub as a dependency + shim-signed \ + snmpd \ + squashfs-tools \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM systemd-boot AS systemd-boot-amd64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + shared-mime-info \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* +FROM systemd-boot AS systemd-boot-arm64 + +FROM systemd-boot-amd64 AS systemd-boot-amd64-24.04 +FROM systemd-boot-amd64 AS systemd-boot-amd64-23.10 +FROM systemd-boot-arm64 AS systemd-boot-arm64-24.04 +FROM systemd-boot-arm64 AS systemd-boot-arm64-23.10 + +FROM grub AS grub-amd64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + grub2 \ + grub-efi-amd64-bin \ + grub-efi-amd64-signed \ + grub-pc-bin \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM grub AS grub-arm64 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + grub-efi-arm64 \ + grub-efi-arm64-bin \ + grub-efi-arm64-signed \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM grub-amd64 AS grub-amd64-current +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + dracut-live \ + && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* + +FROM 
grub-amd64 AS grub-amd64-legacy + +FROM grub-amd64-current AS grub-amd64-24.04 +FROM grub-amd64-current AS grub-amd64-23.10 +FROM grub-amd64-current AS grub-amd64-22.04 +FROM grub-amd64-legacy AS grub-amd64-20.04 +FROM grub-arm64 AS grub-arm64-23.10 +FROM grub-arm64 AS grub-arm64-22.04 +FROM grub-arm64 AS grub-arm64-20.04 + ############################################################### #### Common to a Single Architecture #### ############################################################### -FROM common AS amd64 +FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS amd64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ dmsetup \ efibootmgr \ - grub2 \ - grub-efi-amd64-bin \ - grub-efi-amd64-signed \ - grub-pc-bin \ isc-dhcp-common \ mdadm \ ncurses-term \ networkd-dispatcher \ nfs-common \ - os-prober \ packagekit-tools \ publicsuffix \ - shared-mime-info \ thermald \ xdg-user-dirs \ xxd \ zerofree \ - zfsutils-linux \ && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM common AS arm64 +FROM ${BOOTLOADER}-${TARGETARCH} AS arm64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ - grub-efi-arm64 \ - grub-efi-arm64-bin \ - grub-efi-arm64-signed \ keyutils \ && apt-get clean && rm -rf /var/lib/apt/lists/* @@ -146,7 +194,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ FROM ${TARGETARCH} AS base-ubuntu-22.04 RUN apt-get update && apt-get install -y --no-install-recommends \ - dracut-live \ firmware-sof-signed \ fuse3 \ pigz \ 
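Review bot: The amd64 stage selects `${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE}` but the arm64 stage selects `${BOOTLOADER}-${TARGETARCH}` with no release suffix, so the `grub-arm64-23.10`/`-22.04`/`-20.04` and `systemd-boot-arm64-24.04`/`-23.10` stages defined just above are never referenced, while on amd64 any combination without a matching stage (for instance `systemd-boot` with 22.04 or 20.04) presumably fails only with the generic stage-not-found error. Either give the arm64 FROM the same `-${FLAVOR_RELEASE}` suffix so the per-release stages are used, or delete the unreachable ones, and add a comment above the section naming the supported (bootloader, arch, release) matrix. `grub-amd64-legacy` differs from `grub-amd64-current` only by `dracut-live`; a one-line comment on the legacy stage saying 20.04 lacks that package would explain the split. I am assuming `FLAVOR_RELEASE` is declared as a build ARG before the first FROM — its declaration is outside this hunk.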
@@ -172,7 +219,15 @@ RUN apt-get clean && rm -rf /var/lib/apt/lists/* FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-24.04 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-23.10 FROM amd64-base-ubuntu-22.04 AS amd64-ubuntu-22.04 +RUN apt-get update && apt-get install -y --no-install-recommends \ + # zfsutils-linux cannot be installed on 23+ because of a bug with nohang + zfsutils-linux \ + && apt-get clean && rm -rf /var/lib/apt/lists/* FROM amd64-base-ubuntu-20.04 AS amd64-ubuntu-20.04 +RUN apt-get update && apt-get install -y --no-install-recommends \ + # zfsutils-linux cannot be installed on 23+ because of a bug with nohang + zfsutils-linux \ + && apt-get clean && rm -rf /var/lib/apt/lists/* FROM base-ubuntu-22.04 AS arm64-ubuntu-23.10 FROM base-ubuntu-22.04 AS arm64-ubuntu-22.04 @@ -282,7 +337,7 @@ FROM all AS base-kairos RUN ORIG=/usr/sbin/grub-install; DEST=/usr/sbin/grub2-install; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true RUN ORIG=/usr/bin/grub-editenv; DEST=/usr/sbin/grub2-editenv; [ -e $ORIG ] && [ ! -e $DEST ] && ln -s $ORIG $DEST || true -# Originally done in Earthly +# here we add 100Mb aprox COPY --from=framework / / RUN rm -rf /etc/ssh/ssh_host_* diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index 685030031..c65eae92d 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu @@ -60,6 +60,7 @@ RUN apt-get update \ file \ gawk \ gdisk \ + gettext \ haveged \ iproute2 \ iptables \ From 3974ce99baa2ab75a15b011b675d0b663a6c8b65 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 10:16:40 +0100 Subject: [PATCH 54/85] Bump framework to use compressed binaries (#2289) Signed-off-by: Mauro Morales --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 9f1fd08fd..0b98f2ad2 100644 --- a/Earthfile +++ b/Earthfile 
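Review bot: Together with the earlier hunk in this patch that drops `zfsutils-linux` from the shared `amd64` stage, this re-adds it only on `amd64-ubuntu-22.04` and `amd64-ubuntu-20.04`, so amd64 23.10 and 24.04 images lose ZFS userland in a commit titled "Add gettext to ubuntu" and nothing in the message says so. Call it out in the commit message and put a comment on the untouched 23.10/24.04 FROM lines, e.g. `# no zfsutils-linux: cannot be installed on 23.10+ because of a bug with nohang`, so the gap is visible where someone would look for it. If ZFS support is meant to return once the nohang issue is resolved, a tracking reference in that comment would keep it from being forgotten.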
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.5 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.6 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From c891fda8bdb94df5317ec7c0965df1a28159205a Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 11:12:59 +0100 Subject: [PATCH 55/85] Handle different openrc and systemd k3s packages --- .github/workflows/image-arm.yaml | 17 +++++++++++++--- .github/workflows/release-arm.yaml | 20 +++++++++++++++---- .github/workflows/release.yaml | 16 +++++++++++++-- .../workflows/reusable-build-provider.yaml | 9 ++++++--- 4 files changed, 50 insertions(+), 12 deletions(-) diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 2972c770e..fcb6d0de8 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml 
@@ -60,9 +60,20 @@ jobs: sudo mv luet /usr/bin/luet # Construct an array like this from the found versions: earthly --platform=linux/arm64 +extract-framework-profile - sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json - # Create a combination of flavors and k3s versions. - content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.arch == "arm64" and .variant == "standard" and .model != "generic"))' .github/flavors.json k3s_versions.json) + # fetch "k3s-openrc" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json + # fetch alpine flavors + jq 'map(select(.arch == "arm64" and .variant == "standard" and .model != "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json + # fetch "k3s-systemd" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json + # fetch non-alpine flavors + jq 'map(select(.arch == "arm64" and .variant == "standard" and .model != "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json + # merge the two combinations + content=$(jq -s 'add' combinations_openrc.json combinations_systemd.json) # the following lines are only required for multi line json content="${content//'%'/'%25'}" content="${content//$'\n'/'%0A'}" diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 799cb330a..6451cda25 100644 --- a/.github/workflows/release-arm.yaml 
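Review bot: `sudo luet --config framework-profile.yaml search -o json k8s/k3s` is run twice with the same query and only the jq filter differs; capture it once into `k3s.json` and derive `k3s_openrc.json` and `k3s_systemd.json` from that file, which also removes any chance of the two lists coming from different repository states. If the profile has no package named `k3s-openrc` or `k3s-systemd`, the corresponding list is `[]`, `combinations` then produces nothing, and the merged matrix silently shrinks; a guard such as `test "$(jq length combinations_openrc.json)" -gt 0` would fail the job instead. The same twelve lines are pasted into image-arm, release-arm and release with only the arch string changing; a checked-in script taking the arch as an argument would keep them identical — the release.yaml copy already differs in its flavor filter.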
+++ b/.github/workflows/release-arm.yaml @@ -52,9 +52,20 @@ jobs: sudo mv luet /usr/bin/luet # Construct an array like this from the found versions: earthly --platform=linux/arm64 +extract-framework-profile - sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json - # Create a combination of flavors and k3s versions. - content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.variant == "standard" and .arch == "arm64" and .model != "generic" ))' .github/flavors.json k3s_versions.json) + # fetch "k3s-openrc" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json + # fetch alpine flavors + jq 'map(select(.arch == "arm64" and .variant == "standard" and .model != "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json + # fetch "k3s-systemd" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json + # fetch non-alpine flavors + jq 'map(select(.arch == "arm64" and .variant == "standard" and .model != "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json + # merge the two combinations + content=$(jq -s 'add' combinations_openrc.json combinations_systemd.json) # the following lines are only required for multi line json content="${content//'%'/'%25'}" content="${content//$'\n'/'%0A'}" 
@@ -430,7 +441,8 @@ jobs:
 run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
 - name: Build iso 🔧
 run: |
- K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"')
+ INIT=[[ "{{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd"
+ K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
 earthly -P +all-arm-generic \
 --FLAVOR=${{ matrix.flavor }} \
 --FLAVOR_RELEASE=${{ matrix.flavor_release }} \
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e5fe6a0c8..f35b3f5aa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
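Review bot: `unique | last` returns the lexicographically greatest version string, not the newest release, so a two-digit minor sorts before a one-digit one (`"1.9"` > `"1.28"`) and the older package would be chosen; hedged because I cannot see the version format luet emits, but for `MAJOR.MINOR.PATCH+k3sN` strings a numeric sort such as `sort_by(split("+")[0] | split(".") | map(tonumber)) | last` is safe. The `INIT=[[ ... ]]` assignment as written here is completed by the two follow-up commits in this series, so I am not re-raising it. `${{ matrix.flavor }}` is expanded directly into the shell script; the value comes from the repository's flavors.json so injection risk is low, but binding it through `env:` and reading `"$FLAVOR"` is the form GitHub recommends for `run:` steps.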
@@ -69,8 +69,20 @@ jobs: sudo mv luet /usr/bin/luet # Construct an array like this from the found versions: earthly --platform=linux/amd64 +extract-framework-profile - sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique' > k3s_versions.json - content=$(jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}] | map(select(.arch == "amd64" and .variant == "standard"))' .github/flavors.json k3s_versions.json) + # fetch "k3s-openrc" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json + # fetch alpine flavors + jq 'map(select(.arch == "amd64" and .variant == "standard" and .model != "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json + # fetch "k3s-systemd" versions + sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json + # fetch non-alpine flavors + jq 'map(select(.arch == "amd64" and .variant == "standard" and .model != "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json + # generate combinations + jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json + # merge the two combinations + content=$(jq -s 'add' combinations_openrc.json combinations_systemd.json) # the following lines are only required for multi line json content="${content//'%'/'%25'}" content="${content//$'\n'/'%0A'}" diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 008711cbf..59d88c420 100644 --- a/.github/workflows/reusable-build-provider.yaml 
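Review bot: The new amd64 filters add `.model != "generic"`, which the replaced line did not have (`select(.arch == "amd64" and .variant == "standard")`); this looks copied from the arm64 workflows, where non-generic models are board images, but on amd64 the generic model is presumably the primary one, so this would drop it from the release matrix and may leave the matrix empty. Unless the exclusion is intended, the two `jq 'map(select(...))'` lines should read `.arch == "amd64" and .variant == "standard" and .flavor == "alpine"` and the same with `.flavor != "alpine"`. A check that the merged `content` is a non-empty array before it is written to the step output would have caught this.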
+++ b/.github/workflows/reusable-build-provider.yaml @@ -87,7 +87,8 @@ jobs: if: ${{ github.event_name == 'pull_request' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"') + INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=false \ --VARIANT=${{ inputs.variant }} \ @@ -109,7 +110,8 @@ jobs: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"') + INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=true \ --VARIANT=${{ inputs.variant }} \ 
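Review bot: The `INIT`/`K3S_VERSION` derivation is now duplicated verbatim in the pull_request step and the push-to-master step (and once more further down), each preceded by its own `earthly +extract-framework-profile`; computing it once in an unconditional step that appends `K3S_VERSION=...` to `$GITHUB_ENV` would leave a single copy to fix when the selection logic changes, as the two follow-up commits in this series illustrate. The `INIT=[[ ... ]]` form here is corrected later in the series, so I am not re-raising it. `${{ inputs.flavor }}` is interpolated straight into the script; inputs of a reusable workflow are supplied by the calling workflow, so passing it via `env:` and reading `"$FLAVOR"` keeps the script safe regardless of the caller.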
@@ -140,7 +142,8 @@ jobs: env: COSIGN_YES: true run: | - K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(.version) | unique | last' | tr -d '"') + INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1 kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE docker push $IMAGE From a832a68f9343c2e36a3438cb06b0a884479fed4b Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 11:31:33 +0100 Subject: [PATCH 56/85] Missing dollar sign :facepalm: Signed-off-by: Mauro Morales --- .github/workflows/release-arm.yaml | 2 +- .github/workflows/reusable-build-provider.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 6451cda25..def2f1076 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -441,7 +441,7 @@ jobs: run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Build iso 🔧 run: | - INIT=[[ "{{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=[[ "${{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly -P +all-arm-generic \ --FLAVOR=${{ matrix.flavor }} \ 
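Review bot: `RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1` on the unchanged line after the new `K3S_VERSION` strips everything from the first `+` and then appends a fixed `-k3s1`, so a package versioned `X.Y.Z+k3s2` would be published under a `-k3s1` tag; if the k3s revision can vary, derive the suffix from the string (`-${K3S_VERSION##*+}`) instead of hardcoding it. Hedged: I cannot see which versions the framework profile actually contains. Unlike the two earlier steps, this one runs `luet search` without a preceding `+extract-framework-profile` in the hunk; I assume the profile file is still present from an earlier step.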
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 59d88c420..a7c2c45f0 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -87,7 +87,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=false \ @@ -110,7 +110,7 @@ jobs: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=true \ 
@@ -142,7 +142,7 @@ jobs: env: COSIGN_YES: true run: | - INIT=[[ "{{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1 kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE From 87a1f2ff70f47d72a3f4ab0328bc3e34f1ebfb61 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 12:09:54 +0100 Subject: [PATCH 57/85] Missing command substition Signed-off-by: Mauro Morales --- .github/workflows/release-arm.yaml | 2 +- .github/workflows/reusable-build-provider.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index def2f1076..932a301fe 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -441,7 +441,7 @@ jobs: run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Build iso 🔧 run: | - INIT=[[ "${{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=$([[ "${{ matrix.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly -P +all-arm-generic \ --FLAVOR=${{ matrix.flavor }} \ 
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index a7c2c45f0..21d58b1a4 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -87,7 +87,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=false \ @@ -110,7 +110,7 @@ jobs: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: | earthly --platform=linux/${{ inputs.arch }} +extract-framework-profile - INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=true \ 
@@ -142,7 +142,7 @@ jobs: env: COSIGN_YES: true run: | - INIT=[[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd" + INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master-k3sv${K3S_VERSION%%+*}-k3s1 kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) $IMAGE From 22555e03b7d79ae48873e6083e29f4069306fac1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 14:46:22 +0100 Subject: [PATCH 58/85] Update quay.io/kairos/osbuilder-tools Docker tag to v0.200.4 (#2280) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 0b98f2ad2..a6e89edf7 100644 --- a/Earthfile +++ b/Earthfile @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.200.2 +ARG OSBUILDER_VERSION=v0.200.4 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang From 90d565bf35d16958662b1ea36123a38108834cbc Mon Sep 17 00:00:00 2001 
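Review bot: The corrected `INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")` now appears three times in this workflow and once in release-arm.yaml; the alpine-to-openrc mapping is a property of the flavor, so it belongs either in flavors.json as an `init` field carried through the matrix or in one shared step, not in each script. Inside `$( )` the `[[ ]] && A || B` idiom is acceptable here because `echo` cannot fail, but once the flavor is bound via `env:` a `case "$FLAVOR" in alpine) INIT=openrc ;; *) INIT=systemd ;; esac` reads more directly and does not interpolate a workflow expression inside shell quotes.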
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 15:23:53 +0100 Subject: [PATCH 59/85] Update actions/download-artifact action to v4.1.3 (#2288) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/reusable-encryption-test.yaml | 2 +- .github/workflows/reusable-install-test.yaml | 2 +- .github/workflows/reusable-provider-tests.yaml | 2 +- .github/workflows/reusable-qemu-acceptance-test.yaml | 2 +- .github/workflows/reusable-qemu-bundles-test.yaml | 2 +- .github/workflows/reusable-qemu-reset-test.yaml | 2 +- .github/workflows/reusable-upgrade-with-cli-test.yaml | 2 +- .github/workflows/reusable-zfs-test.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml index a529d97e8..7235b2588 100644 --- a/.github/workflows/reusable-encryption-test.yaml +++ b/.github/workflows/reusable-encryption-test.yaml @@ -80,7 +80,7 @@ jobs: LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index 0a37053b6..eda35a4d1 100644 --- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -22,7 +22,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Install Go 
diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml index a345fa518..7551bea85 100644 --- a/.github/workflows/reusable-provider-tests.yaml +++ b/.github/workflows/reusable-provider-tests.yaml @@ -55,7 +55,7 @@ jobs: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip - name: Run tests diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml index 0abf77f42..dd5146737 100644 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ b/.github/workflows/reusable-qemu-acceptance-test.yaml @@ -59,7 +59,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml index 7041adac8..54dce8613 100644 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ b/.github/workflows/reusable-qemu-bundles-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml index 2c1341b4e..a081c6a05 100644 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ b/.github/workflows/reusable-qemu-reset-test.yaml 
@@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml index 0cb52d583..700912b6b 100644 --- a/.github/workflows/reusable-upgrade-with-cli-test.yaml +++ b/.github/workflows/reusable-upgrade-with-cli-test.yaml @@ -61,7 +61,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml index 3c0a96384..5c3d0a9bb 100644 --- a/.github/workflows/reusable-zfs-test.yaml +++ b/.github/workflows/reusable-zfs-test.yaml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v4 - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.2 + uses: actions/download-artifact@v4.1.3 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files From 8b5f930c2db0f9f139433f1a46292dd04555513c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 17:07:02 +0100 Subject: [PATCH 60/85] Publish uki base image (#2290) * Publish uki base image Signed-off-by: Mauro Morales * add a dash to split the suffix Signed-off-by: Mauro Morales * Revert "add a dash to split the suffix" This reverts commit 96c1facd12d4f5929847443e0fd365096ec967cb. * Revert "Publish uki base image" This reverts commit b6f339f63c125802b19c62cf3ebb62bd9bb13368. * only want base-image not ci target Signed-off-by: Mauro Morales * add release Signed-off-by: Mauro Morales * trigger happy 
Signed-off-by: Mauro Morales --------- Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 96 ++++++++++++++++++++++++++++--- .github/workflows/uki.yaml | 101 +++++++++++++++++++++++++++++++++ 2 files changed, 190 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f35b3f5aa..652b6e2e2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -38,7 +38,7 @@ jobs: sudo apt update && sudo apt install -y jq - id: set-matrix run: | - content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core" and .flavor == "fedora"))'` + content=`cat ./.github/flavors.json | jq -r 'map(select(.arch == "amd64" and .variant == "core" and (.flavor == "fedora" or (.flavor == "ubuntu" and .flavorRelease == "23.10"))))'` # the following lines are only required for multi line json content="${content//'%'/'%25'}" content="${content//$'\n'/'%0A'}" 
@@ -214,25 +214,107 @@ jobs: build-core-uki: runs-on: ubuntu-latest needs: - - build-core - get-uki-matrix strategy: matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }} steps: + - name: Release space from worker + run: | + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + df -h + echo + sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true + sudo apt-get remove --auto-remove android-sdk-platform-tools || true + sudo apt-get purge --auto-remove android-sdk-platform-tools || true + sudo rm -rf /usr/local/lib/android + sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true + sudo rm -rf /usr/share/dotnet + sudo apt-get remove -y '^mono-.*' || true + sudo apt-get remove -y '^ghc-.*' || true + sudo apt-get remove -y '.*jdk.*|.*jre.*' || true + sudo apt-get remove -y 'php.*' || true + sudo apt-get remove -y hhvm || true + sudo apt-get remove -y powershell || true + sudo apt-get remove -y firefox || true + sudo apt-get remove -y monodoc-manual || true + sudo apt-get remove -y msbuild || true + sudo apt-get remove -y microsoft-edge-stable || true + sudo apt-get remove -y '^google-.*' || true + sudo apt-get remove -y azure-cli || true + sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true + sudo apt-get remove -y '^gfortran-.*' || true + sudo apt-get autoremove -y + sudo apt-get clean + echo + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + sudo rm -rfv build || true + df -h - uses: actions/checkout@v4 + - run: | + git fetch --prune --unshallow + - name: Release space from worker + run: | + sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android + sudo rm -rf /usr/share/dotnet # will release about 20GB if you 
don't need .NET + - name: Set up QEMU + uses: docker/setup-qemu-action@master with: - fetch-depth: 0 + platforms: all + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@master + - name: Install Cosign + uses: sigstore/cosign-installer@main + - name: Login to Quay Registry + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Install earthly uses: Luet-lab/luet-install-action@v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly - - name: Build uki image 🔧 + - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines + run: | + sudo iptables -I INPUT -s 169.254.169.254 -j DROP + sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP + - name: Build 🔧 + run: | + earthly --platform=linux/amd64 +base-image \ + --VARIANT=${{ matrix.variant }} \ + --FLAVOR=${{ matrix.flavor }} \ + --FLAVOR_RELEASE="${{ matrix.flavorRelease }}" \ + --BASE_IMAGE=${{ matrix.baseImage }} \ + --MODEL=${{ matrix.model }} \ + --FAMILY=${{ matrix.family }} \ + --BOOTLOADER=systemd-boot + sudo mv build/* . 
+ sudo rm -rf build + - name: Install kairos-agent (for versioneer) + uses: Luet-lab/luet-install-action@v1.1 + with: + repository: quay.io/kairos/packages + packages: system/kairos-agent + - name: Push to quay + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + env: + COSIGN_YES: true + run: | + SUFFIX="-uki" + IMAGE=$(cat IMAGE) + docker tag $(cat IMAGE) "$IMAGE$SUFFIX" + docker push "$IMAGE$SUFFIX" + image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") + cosign sign $image_ref + - name: Build UKI ISO run: | - # Do fedora as its the smaller uki possible earthly +uki-iso \ - --BASE_IMAGE=quay.io/kairos/fedora:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }} - + --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki - name: Release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 4517f7a5a..9d1fd9307 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml 
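Review bot: The new build-core-uki steps pull `docker/setup-qemu-action@master`, `docker/setup-buildx-action@master` and `sigstore/cosign-installer@main`, so a job that signs and publishes release images runs whatever those branches contain at run time; the same refs appear in the `core` job this commit adds to uki.yaml. Pin each one to a release tag or a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-sha>  # <release tag>`. The Quay login also expands `${{ secrets.QUAY_PASSWORD }}` directly into the shell line; passing it through `env:` and reading `"$QUAY_PASSWORD"` keeps the secret out of the rendered script. Keyless `cosign sign` appears to need `id-token: write`, which this job does not declare in this hunk (a later commit in the series adds a `permissions` block).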
@@ -11,6 +11,107 @@ concurrency: env: FORCE_COLOR: 1 jobs: + core: + runs-on: ubuntu-latest + permissions: + id-token: write # OIDC support + contents: write + actions: read + security-events: write + steps: + - name: Release space from worker + run: | + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + df -h + echo + sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true + sudo apt-get remove --auto-remove android-sdk-platform-tools || true + sudo apt-get purge --auto-remove android-sdk-platform-tools || true + sudo rm -rf /usr/local/lib/android + sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true + sudo rm -rf /usr/share/dotnet + sudo apt-get remove -y '^mono-.*' || true + sudo apt-get remove -y '^ghc-.*' || true + sudo apt-get remove -y '.*jdk.*|.*jre.*' || true + sudo apt-get remove -y 'php.*' || true + sudo apt-get remove -y hhvm || true + sudo apt-get remove -y powershell || true + sudo apt-get remove -y firefox || true + sudo apt-get remove -y monodoc-manual || true + sudo apt-get remove -y msbuild || true + sudo apt-get remove -y microsoft-edge-stable || true + sudo apt-get remove -y '^google-.*' || true + sudo apt-get remove -y azure-cli || true + sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true + sudo apt-get remove -y '^gfortran-.*' || true + sudo apt-get autoremove -y + sudo apt-get clean + echo + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + sudo rm -rfv build || true + df -h + - uses: actions/checkout@v4 + - run: | + git fetch --prune --unshallow + - name: Release space from worker + run: | + sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android + sudo rm -rf /usr/share/dotnet # will 
release about 20GB if you don't need .NET + - name: Set up QEMU + uses: docker/setup-qemu-action@master + with: + platforms: all + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@master + - name: Install Cosign + uses: sigstore/cosign-installer@main + - name: Login to Quay Registry + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io + - name: Install earthly + uses: Luet-lab/luet-install-action@v1.1 + with: + repository: quay.io/kairos/packages + packages: utils/earthly + - name: Block all traffic to metadata ip # For cloud runners, the metadata ip can interact with our test machines + run: | + sudo iptables -I INPUT -s 169.254.169.254 -j DROP + sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP + - name: Build 🔧 + run: | + earthly --platform=linux/amd64 +base-image \ + --VARIANT=core \ + --FLAVOR=ubuntu \ + --FLAVOR_RELEASE="23.10" \ + --BASE_IMAGE=ubuntu:23.10 \ + --MODEL=generic \ + --FAMILY=ubuntu \ + --BOOTLOADER=systemd-boot + sudo mv build/* . 
+ sudo rm -rf build + - name: Install kairos-agent (for versioneer) + uses: Luet-lab/luet-install-action@v1.1 + with: + repository: quay.io/kairos/packages + packages: system/kairos-agent + - name: Push to quay + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + env: + COSIGN_YES: true + run: | + SUFFIX=$([["${{ inputs.bootloader }}" == "systemd-boot" ]] && echo "-uki" || echo "") + IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + docker tag $(cat IMAGE) "$IMAGE$SUFFIX" + docker push "$IMAGE$SUFFIX" + image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") + cosign sign $image_ref test-uki: runs-on: kvm env: From 15e5ad479a0c5abd20e0d9cdef09666b81ae03ec Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 17:11:21 +0100 Subject: [PATCH 61/85] yamllint Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 2 +- .github/workflows/uki.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 652b6e2e2..c79970233 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -311,7 +311,7 @@ jobs: docker push "$IMAGE$SUFFIX" image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") cosign sign $image_ref - - name: Build UKI ISO + - name: Build UKI ISO run: | earthly +uki-iso \ --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 9d1fd9307..247cd3b4a 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml 
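Review bot: The `permissions` block on the new `core` job grants `contents: write` and `security-events: write`, but none of the job's visible steps uses them — the steps check out, build with earthly, push to Quay and run keyless `cosign sign`, which needs `id-token: write` plus `contents: read` for checkout. Dropping the two write scopes keeps `GITHUB_TOKEN` at least privilege: `id-token: write`, `contents: read`, `actions: read`. The same block is added to build-core-uki in release.yaml later in this series, where `contents: write` is justified by its `Release` step but `security-events: write` still looks unused.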
@@ -18,7 +18,7 @@ jobs: contents: write actions: read security-events: write - steps: + steps: - name: Release space from worker run: | echo "Listing top largest packages" From 74dda13b64aa58e1646bf4f1369d61f15b62a976 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 17:22:58 +0100 Subject: [PATCH 62/85] suffix does not need to be calculated in uki workflow Signed-off-by: Mauro Morales --- .github/workflows/uki.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index 247cd3b4a..a671571e4 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml @@ -106,7 +106,7 @@ jobs: env: COSIGN_YES: true run: | - SUFFIX=$([["${{ inputs.bootloader }}" == "systemd-boot" ]] && echo "-uki" || echo "") + SUFFIX="-uki" IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) "$IMAGE$SUFFIX" docker push "$IMAGE$SUFFIX" From ca6fe5d1709786290c0d9605e25e3313c3483c5c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 27 Feb 2024 20:11:07 +0100 Subject: [PATCH 63/85] use hardcoded values for uki master Signed-off-by: Mauro Morales --- .github/workflows/uki.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/uki.yaml b/.github/workflows/uki.yaml index a671571e4..db5318b40 100644 --- a/.github/workflows/uki.yaml +++ b/.github/workflows/uki.yaml 
@@ -107,7 +107,7 @@ jobs: COSIGN_YES: true run: | SUFFIX="-uki" - IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=${{ inputs.model }} TARGETARCH=${{ inputs.arch }} VARIANT=${{ inputs.variant}} REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) + IMAGE=$(FLAVOR=ubuntu FLAVOR_RELEASE="23.10" MODEL=generic TARGETARCH=amd64 VARIANT=core REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name) docker tag $(cat IMAGE) "$IMAGE$SUFFIX" docker push "$IMAGE$SUFFIX" image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") From 7ac8863cc9124190cc769ac091e4870b78cabaa1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 14:15:43 +0100 Subject: [PATCH 64/85] Update dependency kairos-io/kairos-framework to v2.7.7 (#2294) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index a6e89edf7..83fe46d9d 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.6 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.7 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 1deabe30b7b3f0c3f99ce5d754d0cfcd3856e8b3 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 29 Feb 2024 14:29:17 +0100 Subject: [PATCH 65/85] Update Earthfile Signed-off-by: Itxaka --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 83fe46d9d..0600e6940 100644 --- a/Earthfile +++ b/Earthfile 
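Review bot: The hardcoded `FLAVOR=ubuntu FLAVOR_RELEASE="23.10" MODEL=generic TARGETARCH=amd64 VARIANT=core` in the versioneer call duplicates the values the job's `Build 🔧` step passes to earthly (`--FLAVOR=ubuntu --FLAVOR_RELEASE="23.10" --MODEL=generic ...`), so changing one place silently yields a mismatched image name in the other; that Build step lies outside this hunk. Hoisting them into a job-level `env:` (e.g. `FLAVOR: ubuntu`, `FLAVOR_RELEASE: "23.10"`) and referencing `$FLAVOR` in both steps keeps the pushed name and the build inputs in sync. A one-line comment above `IMAGE=$(...)` stating why the pushed name comes from versioneer rather than from the `cat IMAGE` build output used on the next line would also help the next reader.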
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.7 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.8 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 0329ce98988ced2e86deabb9e909dba01ece8074 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 29 Feb 2024 20:31:31 +0100 Subject: [PATCH 66/85] Add dracut-live to Ubuntu arm64 22+ (#2296) Signed-off-by: Mauro Morales --- images/Dockerfile.kairos-ubuntu | 25 +++++++++++++++---------- images/Dockerfile.ubuntu | 25 +++++++++++++++---------- 2 files changed, 30 insertions(+), 20 deletions(-) diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu index b4bd7c6b1..16d2eb862 100644 --- a/images/Dockerfile.kairos-ubuntu +++ b/images/Dockerfile.kairos-ubuntu 
@@ -137,21 +137,26 @@ RUN apt-get update \ grub-efi-arm64-signed \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM grub-amd64 AS grub-amd64-current +FROM grub-${TARGETARCH} AS grub-current RUN apt-get update \ && apt-get install -y --no-install-recommends \ dracut-live \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM grub-amd64 AS grub-amd64-legacy +FROM grub-${TARGETARCH} AS grub-legacy -FROM grub-amd64-current AS grub-amd64-24.04 -FROM grub-amd64-current AS grub-amd64-23.10 -FROM grub-amd64-current AS grub-amd64-22.04 -FROM grub-amd64-legacy AS grub-amd64-20.04 -FROM grub-arm64 AS grub-arm64-23.10 -FROM grub-arm64 AS grub-arm64-22.04 -FROM grub-arm64 AS grub-arm64-20.04 +FROM grub-current AS grub-amd64-current +FROM grub-current AS grub-arm64-current +FROM grub-legacy AS grub-amd64-legacy +FROM grub-legacy AS grub-arm64-legacy + +FROM grub-current AS grub-amd64-24.04 +FROM grub-current AS grub-amd64-23.10 +FROM grub-current AS grub-amd64-22.04 +FROM grub-legacy AS grub-amd64-20.04 +FROM grub-current AS grub-arm64-23.10 +FROM grub-current AS grub-arm64-22.04 +FROM grub-legacy AS grub-arm64-20.04 ############################################################### #### Common to a Single Architecture #### @@ -175,7 +180,7 @@ RUN apt-get update \ zerofree \ && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM ${BOOTLOADER}-${TARGETARCH} AS arm64 +FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS arm64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ keyutils \ diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu index c65eae92d..ef2ddb324 100644 --- a/images/Dockerfile.ubuntu +++ b/images/Dockerfile.ubuntu 
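Review bot: The rewritten alias list defines `grub-amd64-24.04` but no `grub-arm64-24.04`, so if 24.04 is ever built for arm64 the new `FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS arm64` in the second hunk cannot resolve; the same gap is in the matching hunks of images/Dockerfile.ubuntu. Adding `FROM grub-current AS grub-arm64-24.04` next to the other arm64 aliases closes it. The release-suffixed `FROM` also assumes every `${BOOTLOADER}` value has `-<arch>-<release>` stages; if the systemd-boot stages elsewhere in the file are not named that way, an arm64 systemd-boot build would fail to resolve — worth confirming. A short comment above the alias block noting that `grub-current` vs `grub-legacy` decides whether `dracut-live` is installed would make the per-release mapping easier to follow.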
@@ -138,21 +138,26 @@ RUN apt-get update \ grub-efi-arm64-signed \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM grub-amd64 AS grub-amd64-current +FROM grub-${TARGETARCH} AS grub-current RUN apt-get update \ && apt-get install -y --no-install-recommends \ dracut-live \ && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM grub-amd64 AS grub-amd64-legacy +FROM grub-${TARGETARCH} AS grub-legacy -FROM grub-amd64-current AS grub-amd64-24.04 -FROM grub-amd64-current AS grub-amd64-23.10 -FROM grub-amd64-current AS grub-amd64-22.04 -FROM grub-amd64-legacy AS grub-amd64-20.04 -FROM grub-arm64 AS grub-arm64-23.10 -FROM grub-arm64 AS grub-arm64-22.04 -FROM grub-arm64 AS grub-arm64-20.04 +FROM grub-current AS grub-amd64-current +FROM grub-current AS grub-arm64-current +FROM grub-legacy AS grub-amd64-legacy +FROM grub-legacy AS grub-arm64-legacy + +FROM grub-current AS grub-amd64-24.04 +FROM grub-current AS grub-amd64-23.10 +FROM grub-current AS grub-amd64-22.04 +FROM grub-legacy AS grub-amd64-20.04 +FROM grub-current AS grub-arm64-23.10 +FROM grub-current AS grub-arm64-22.04 +FROM grub-legacy AS grub-arm64-20.04 ############################################################### #### Common to a Single Architecture #### @@ -176,7 +181,7 @@ RUN apt-get update \ zerofree \ && apt-get clean && rm -rf /var/lib/apt/lists/* -FROM ${BOOTLOADER}-${TARGETARCH} AS arm64 +FROM ${BOOTLOADER}-${TARGETARCH}-${FLAVOR_RELEASE} AS arm64 RUN apt-get update \ && apt-get install -y --no-install-recommends \ keyutils \ From a7819bdf91458c06efd459d525b65f78727a220f Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 12:17:26 +0100 Subject: [PATCH 67/85] Update module github.com/kairos-io/kairos-sdk to v0.0.26 (#2298) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- profile-build/go.mod | 2 +- profile-build/go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/profile-build/go.mod b/profile-build/go.mod index 443e5b1de..f070f01af 100644 --- a/profile-build/go.mod +++ b/profile-build/go.mod @@ -3,7 +3,7 @@ module main go 1.20 require ( - github.com/kairos-io/kairos-sdk v0.0.25 + github.com/kairos-io/kairos-sdk v0.0.26 github.com/urfave/cli v1.22.14 ) diff --git a/profile-build/go.sum b/profile-build/go.sum index 48ca3e508..558510a3b 100644 --- a/profile-build/go.sum +++ b/profile-build/go.sum @@ -148,6 +148,8 @@ github.com/kairos-io/kairos-sdk v0.0.24 h1:BhOPrn8Hf8SVEX3eQKS+oJi2UFVL4BYNIl6Fj github.com/kairos-io/kairos-sdk v0.0.24/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE= github.com/kairos-io/kairos-sdk v0.0.25 h1:/wQ8lHmmqJgKPaxzLllTgMQNWRje80XKdj8F0XlFXl0= github.com/kairos-io/kairos-sdk v0.0.25/go.mod h1:btSB2QAds/WSyIyPxnQ3jueMbkkZ75pHUUCj+yHpthQ= +github.com/kairos-io/kairos-sdk v0.0.26 h1:whaKHSspkugnn25xVSEJnnG9bu/7jBjxRx5D6QXY1Uw= +github.com/kairos-io/kairos-sdk v0.0.26/go.mod h1:btSB2QAds/WSyIyPxnQ3jueMbkkZ75pHUUCj+yHpthQ= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= From 548754b27418bbbb9dcbbd772aa9f2b388c53bbd Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 13:44:32 +0100 Subject: [PATCH 68/85] Update dependency kairos-io/kairos-framework to v2.7.9 (#2299) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 0600e6940..90cee4321 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.8 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.9 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From d97b9d0fe7f4464e663221675496187e51e6a536 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 1 Mar 2024 14:45:06 +0100 Subject: [PATCH 69/85] Bump framework Signed-off-by: Itxaka --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 90cee4321..9b0623afa 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.9 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.10 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 551c018ddee4f3a782c597048464f76541108d25 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 1 Mar 2024 19:10:30 +0100 Subject: [PATCH 70/85] Fix uki test (#2302) --- tests/tests_suite_test.go | 4 ++++ tests/uki_test.go | 29 +++++++++++++++++------------ 2 files changed, 21 insertions(+), 12 deletions(-) 
diff --git a/tests/tests_suite_test.go b/tests/tests_suite_test.go index 3da7b8201..6856502b7 100644 --- a/tests/tests_suite_test.go +++ b/tests/tests_suite_test.go @@ -77,6 +77,9 @@ func gatherLogs(vm VM) { vm.Sudo("blkid > /run/blkid") vm.Sudo("dmesg > /run/dmesg.log") + // zip all files under /var/log/kairos + vm.Sudo("tar -czf /run/kairos-agent-logs.tar.gz /var/log/kairos") + vm.GatherAllLogs( []string{ "edgevpn@kairos", @@ -105,6 +108,7 @@ func gatherLogs(vm VM) { "/run/immucore/initramfs_stage.log", "/run/immucore/rootfs_stage.log", "/tmp/ovmf_debug.log", + "/run/kairos-agent-logs.tar.gz", }) } diff --git a/tests/uki_test.go b/tests/uki_test.go index 5b89aa3cd..60a304f86 100644 --- a/tests/uki_test.go +++ b/tests/uki_test.go @@ -1,9 +1,9 @@ package mos_test import ( - "fmt" "os" "strings" + "time" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
@@ -51,16 +51,22 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() { Expect(out).ToNot(ContainSubstring("/dev/disk/by-label/COS_PERSISTENT")) }) By("installing kairos", func() { - out, err := vm.Sudo(`kairos-agent --debug install`) - fmt.Println(string(out)) - Expect(err).ToNot(HaveOccurred(), out) - Expect(out).Should(ContainSubstring("Running after-install hook")) - Expect(out).Should(ContainSubstring("Encrypting COS_OEM")) - Expect(out).Should(ContainSubstring("Encrypting COS_PERSISTENT")) - Expect(out).Should(ContainSubstring("Done encrypting COS_OEM")) - Expect(out).Should(ContainSubstring("Done encrypting COS_PERSISTENT")) - Expect(out).Should(ContainSubstring("New TPM2 token enrolled as key slot 1.")) + // Install has already started, so we can use Eventually here to track the logs + Eventually(func() string { + out, err := vm.Sudo("cat /var/log/kairos/agent*.log") + Expect(err).ToNot(HaveOccurred()) + return out + }, 5*time.Minute).Should(And( + ContainSubstring("Running after-install hook"), + ContainSubstring("Encrypting COS_OEM"), + ContainSubstring("Encrypting COS_PERSISTENT"), + ContainSubstring("Done encrypting COS_OEM"), + ContainSubstring("Done encrypting COS_PERSISTENT"), + ContainSubstring("Done executing stage 'kairos-uki-install.after.after'"), + ContainSubstring("Unmounting disk partitions"), + )) vm.Sudo("sync") + time.Sleep(10 * time.Second) }) By("Ejecting Cdrom", func() { @@ -139,8 +145,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() { By("checking corresponding state", func() { out, err := vm.Sudo("kairos-agent state") Expect(err).ToNot(HaveOccurred()) - // TODO: make agent report uki_mode or something? - Expect(out).To(ContainSubstring("boot: unknown")) + Expect(out).To(ContainSubstring("boot: active_boot")) currentVersion, err := vm.Sudo(getVersionCmd) Expect(err).ToNot(HaveOccurred(), currentVersion) From e4ac2768ab157b730432e97fdedea03f8453d323 Mon Sep 17 00:00:00 2001 
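Review bot: Inside the new `Eventually` closure, `Expect(err).ToNot(HaveOccurred())` aborts the test on the first failed `cat /var/log/kairos/agent*.log` instead of letting `Eventually` retry — if the glob does not match yet because the agent has not created its log file, the poll fails immediately rather than waiting out the 5-minute window. Returning an empty string on error, `if err != nil { return "" }`, lets the matcher keep polling until the expected lines appear. The trailing `time.Sleep(10 * time.Second)` after `sync` is an arbitrary delay; a comment saying what it waits for, or an `Eventually` on that condition, would make the intent clear.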
From: Mauro Morales Date: Mon, 4 Mar 2024 10:55:48 +0100 Subject: [PATCH 71/85] Always push UKI image on release workflow Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c79970233..2c46a215f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -272,7 +272,6 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main - name: Login to Quay Registry - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Install earthly uses: Luet-lab/luet-install-action@v1.1 @@ -301,7 +300,6 @@ jobs: repository: quay.io/kairos/packages packages: system/kairos-agent - name: Push to quay - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} env: COSIGN_YES: true run: | From b5c7d76e5fc19e31946eccb1289459d32de8a35c Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Mon, 4 Mar 2024 14:17:40 +0100 Subject: [PATCH 72/85] Add permissions to build-core-uki release workflow Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2c46a215f..fc5360b31 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -213,6 +213,11 @@ jobs: category: ${{ matrix.flavor }} build-core-uki: runs-on: ubuntu-latest + permissions: + id-token: write # OIDC support + contents: write + actions: read + security-events: write needs: - get-uki-matrix strategy: From f4a28f78546dab15ff8c09aabe05428ea28bb9bb Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Mon, 4 Mar 2024 16:35:16 +0100 Subject: [PATCH 73/85] Fix filtering for standard release combinations 
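Review bot: Removing the `github.event_name == 'push' && github.ref == 'refs/heads/master'` guards from the Quay login and push steps means every run of release.yaml now logs in, pushes and signs the `-uki` image regardless of the triggering ref; the workflow's `on:` block is not in this diff, so whether it can run for pull requests or arbitrary branches cannot be checked here. If it can, images built from untagged refs would be published and cosign-signed, and on forks the missing `QUAY_PASSWORD` would fail the login step. A condition such as `if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/master'`, mirroring the `Release` step's own `startsWith(github.ref, 'refs/tags/')` guard, would keep the publish path limited to release refs.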
Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fc5360b31..932a56d45 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -72,13 +72,13 @@ jobs: # fetch "k3s-openrc" versions sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-openrc")) | map(.version) | unique' > k3s_openrc.json # fetch alpine flavors - jq 'map(select(.arch == "amd64" and .variant == "standard" and .model != "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json + jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor == "alpine"))' .github/flavors.json > flavors_openrc.json # generate combinations jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_openrc.json k3s_openrc.json > combinations_openrc.json # fetch "k3s-systemd" versions sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq '.packages | map(select(.name == "k3s-systemd")) | map(.version) | unique' > k3s_systemd.json # fetch non-alpine flavors - jq 'map(select(.arch == "amd64" and .variant == "standard" and .model != "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json + jq 'map(select(.arch == "amd64" and .variant == "standard" and .model == "generic" and .flavor != "alpine"))' .github/flavors.json > flavors_systemd.json # generate combinations jq -s '. | [combinations | .[0] + {"k3s_version": .[1]}]' flavors_systemd.json k3s_systemd.json > combinations_systemd.json # merge the two combinations From d605c641a5e69f0d92a508d25e4b2f0aeb279728 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 16:37:59 +0100 Subject: [PATCH 74/85] Update actions/download-artifact action to v4.1.4 (#2303) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/reusable-encryption-test.yaml | 2 +- .github/workflows/reusable-install-test.yaml | 2 +- .github/workflows/reusable-provider-tests.yaml | 2 +- .github/workflows/reusable-qemu-acceptance-test.yaml | 2 +- .github/workflows/reusable-qemu-bundles-test.yaml | 2 +- .github/workflows/reusable-qemu-reset-test.yaml | 2 +- .github/workflows/reusable-upgrade-with-cli-test.yaml | 2 +- .github/workflows/reusable-zfs-test.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml index 7235b2588..f5321e03d 100644 --- a/.github/workflows/reusable-encryption-test.yaml +++ b/.github/workflows/reusable-encryption-test.yaml @@ -80,7 +80,7 @@ jobs: LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index eda35a4d1..cccc43146 100644 --- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -22,7 +22,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Install Go 
diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml index 7551bea85..e5a2befbd 100644 --- a/.github/workflows/reusable-provider-tests.yaml +++ b/.github/workflows/reusable-provider-tests.yaml @@ -55,7 +55,7 @@ jobs: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip - name: Run tests diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml index dd5146737..396b6cab0 100644 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ b/.github/workflows/reusable-qemu-acceptance-test.yaml @@ -59,7 +59,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml index 54dce8613..01d058ef6 100644 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ b/.github/workflows/reusable-qemu-bundles-test.yaml @@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml index a081c6a05..db3870c43 100644 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ b/.github/workflows/reusable-qemu-reset-test.yaml 
@@ -19,7 +19,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml index 700912b6b..bff52cdc2 100644 --- a/.github/workflows/reusable-upgrade-with-cli-test.yaml +++ b/.github/workflows/reusable-upgrade-with-cli-test.yaml @@ -61,7 +61,7 @@ jobs: git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml index 5c3d0a9bb..067b2ada1 100644 --- a/.github/workflows/reusable-zfs-test.yaml +++ b/.github/workflows/reusable-zfs-test.yaml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v4 - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.3 + uses: actions/download-artifact@v4.1.4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files From 45b5bcda6b50a7e01bd4ed27809a75721d71475e Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Mon, 4 Mar 2024 17:52:41 +0100 Subject: [PATCH 75/85] Bump nodejs on action-gh-release > Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: softprops/action-gh-release@v1. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/. --- .github/workflows/release-arm.yaml | 6 +++--- .github/workflows/release.yaml | 6 +++--- .github/workflows/reusable-docker-arm-build.yaml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 932a301fe..9d9c7ec91 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -265,7 +265,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -393,7 +393,7 @@ jobs: sudo -E docker push "$IMAGE" sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -458,7 +458,7 @@ jobs: run: | docker push $(cat release/IMAGE) - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 932a56d45..b193a833c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -200,7 +200,7 @@ jobs: cd .. rm release/IMAGE release/versions.yaml - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -319,7 +319,7 @@ jobs: earthly +uki-iso \ --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -387,7 +387,7 @@ jobs: cd .. sudo rm -rf release/VERSION release/IMAGE release/versions.yaml - name: Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') with: files: | 
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml index 83e5e4006..0443404bf 100644 --- a/.github/workflows/reusable-docker-arm-build.yaml +++ b/.github/workflows/reusable-docker-arm-build.yaml @@ -153,7 +153,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release if: startsWith(github.ref, 'refs/tags/v') - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@975c1b2 with: files: | build/*scan-reports.tar.gz From 73d877ce627fe6025ab223c2b33c4c9c2e05fbc2 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 5 Mar 2024 12:43:04 +0100 Subject: [PATCH 76/85] Remove VERSION file from release artifacts to avoid race conditions Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b193a833c..5c8ad723b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -198,7 +198,7 @@ jobs: sudo tar cvf "$(unknown)-scan-reports.tar.gz" *.json mv *.tar.gz ../release/ cd .. - rm release/IMAGE release/versions.yaml + rm release/IMAGE release/VERSION release/versions.yaml - name: Release uses: softprops/action-gh-release@975c1b2 if: startsWith(github.ref, 'refs/tags/') From 116c2906b3ccf7515f4d78a62d7758292c9eff6e Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 5 Mar 2024 15:10:16 +0100 Subject: [PATCH 77/85] Reference action-gh-release with full sha Signed-off-by: Mauro Morales --- .github/workflows/release-arm.yaml | 6 +++--- .github/workflows/release.yaml | 6 +++--- .github/workflows/reusable-docker-arm-build.yaml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 9d9c7ec91..05c370c38 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml 
@@ -265,7 +265,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -393,7 +393,7 @@ jobs: sudo -E docker push "$IMAGE" sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -458,7 +458,7 @@ jobs: run: | docker push $(cat release/IMAGE) - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5c8ad723b..bd4f535a2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -200,7 +200,7 @@ jobs: cd .. rm release/IMAGE release/VERSION release/versions.yaml - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -319,7 +319,7 @@ jobs: earthly +uki-iso \ --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -387,7 +387,7 @@ jobs: cd .. sudo rm -rf release/VERSION release/IMAGE release/versions.yaml - name: Release - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a if: startsWith(github.ref, 'refs/tags/') with: files: | 
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml index 0443404bf..3b87b2318 100644 --- a/.github/workflows/reusable-docker-arm-build.yaml +++ b/.github/workflows/reusable-docker-arm-build.yaml @@ -153,7 +153,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release if: startsWith(github.ref, 'refs/tags/v') - uses: softprops/action-gh-release@975c1b2 + uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a with: files: | build/*scan-reports.tar.gz From d046b56db1fd5532ce7ea328c455bde782d88836 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Tue, 5 Mar 2024 21:33:14 +0100 Subject: [PATCH 78/85] Add Ubuntu standard build on master (#2306) Signed-off-by: Mauro Morales --- .github/workflows/image.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 929063b9c..95534c6e7 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -273,6 +273,10 @@ jobs: flavorRelease: "3.19" family: alpine baseImage: alpine:3.19 + - flavor: ubuntu + flavorRelease: "23.10" + family: ubuntu + baseImage: ubuntu:23.10 various: uses: ./.github/workflows/reusable-provider-tests.yaml with: From d3f82b6662f422cea03e2ca991c9f8f41240e418 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Wed, 6 Mar 2024 11:24:46 +0100 Subject: [PATCH 79/85] Make extra space on standard release jobs Signed-off-by: Mauro Morales --- .github/workflows/release.yaml | 37 ++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bd4f535a2..ff04539bb 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
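Review bot: The full-SHA pin on `uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a` carries no version comment, so a reader (and Renovate, which manages the other action versions in this series) cannot tell which release the digest corresponds to without looking it up; the commit message only says it is a Node 20 build. I would append the tag the SHA was taken from as a trailing comment, `uses: softprops/action-gh-release@975c1b265e11dd76618af1c374e7981f9a6ff44a # <tag the SHA was resolved from>`, which is also the form Renovate's github-actions manager uses to keep digest-pinned actions updated. The same release workflows still appear to reference mutable refs elsewhere — `sigstore/cosign-installer@main` shows up as context in release.yaml in a later hunk of this series — so pinning the publishing action by SHA while the signing-tool installer floats on `main` leaves the release job's supply-chain posture uneven; pinning those to a SHA in the same way would close that gap.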
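Review bot: The new matrix entry builds on `baseImage: ubuntu:23.10`, an interim (non-LTS) Ubuntu release which, if I recall its lifecycle correctly, stops receiving security updates roughly nine months after release — images published from master on this base will stop getting upstream patches soon after. If 23.10 is needed for a specific feature I would record that next to the entry, e.g. `# 23.10 is non-LTS (short support window): move to the next LTS when it ships`, so it is not kept in the matrix by inertia; a later commit in this series already moves the ZFS job back to 22.04, which suggests the LTS base is the safer default here.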
@@ -345,8 +345,41 @@ jobs: uses: sigstore/cosign-installer@main - name: Release space from worker run: | - sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android - sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + df -h + echo + sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true + sudo apt-get remove --auto-remove android-sdk-platform-tools || true + sudo apt-get purge --auto-remove android-sdk-platform-tools || true + sudo rm -rf /usr/local/lib/android + sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true + sudo rm -rf /usr/share/dotnet + sudo apt-get remove -y '^mono-.*' || true + sudo apt-get remove -y '^ghc-.*' || true + sudo apt-get remove -y '.*jdk.*|.*jre.*' || true + sudo apt-get remove -y 'php.*' || true + sudo apt-get remove -y hhvm || true + sudo apt-get remove -y powershell || true + sudo apt-get remove -y firefox || true + sudo apt-get remove -y monodoc-manual || true + sudo apt-get remove -y msbuild || true + sudo apt-get remove -y microsoft-edge-stable || true + sudo apt-get remove -y '^google-.*' || true + sudo apt-get remove -y azure-cli || true + sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true + sudo apt-get remove -y '^gfortran-.*' || true + sudo apt-get autoremove -y + sudo apt-get clean + echo + echo "Listing top largest packages" + pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr) + head -n 30 <<< "${pkgs}" + echo + sudo rm -rfv build || true + df -h - name: Install earthly uses: Luet-lab/luet-install-action@v1.1 with: From d27e4e6452e52c620b90b4b5a3588f764158b28a Mon Sep 17 00:00:00 2001 
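Review bot: Every `apt-get remove` in the new "Release space from worker" step is suffixed with `|| true`, and the step ends with `df -h` rather than a check, so if the patterns stop matching on a future runner image (they are regexes against package names, and unanchored ones such as `'.*jdk.*|.*jre.*'` and `'php.*'` match any name containing that substring) the job silently frees nothing and fails later, out of disk, with a far less obvious error. I would finish the step with an explicit assertion on free space, e.g. `avail=$(df --output=avail -BG / | tail -1 | tr -dc 0-9)` followed by `[ "$avail" -ge 40 ] || { echo "only ${avail}G free after cleanup"; exit 1; }` (threshold to taste), and anchor the patterns (`'^php.*'` rather than `'php.*'`) so they cannot take out unrelated packages. The block is now about 35 lines of shell that, judging by the two-line version it replaces, is probably needed in the other release jobs as well (I cannot see them from this hunk); moving it to a script under `.github/` or a composite action would keep the package list in one place.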
From: Itxaka Date: Wed, 6 Mar 2024 16:42:31 +0100 Subject: [PATCH 80/85] :robot: Do not double pull the BASE_IMAGE on uki iso (#2310) As we now dont need the IMAGE var to extract the iso, there is no point in having to pull the full BASE_IMAGE just to extrac the name.\ This should speed up the uki iso generation Signed-off-by: Itxaka --- Earthfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Earthfile b/Earthfile index 9b0623afa..bb904dfe0 100644 --- a/Earthfile +++ b/Earthfile @@ -328,15 +328,11 @@ image-rootfs: ## UKI Stuff Start uki-iso: ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki - FROM $BASE_IMAGE - ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') ARG ENKI_FLAGS - FROM $OSBUILDER_IMAGE COPY ./tests/keys /keys - RUN echo $BASE_IMAGE > /IMAGE WORKDIR /build - RUN --no-cache enki build-uki $(cat /IMAGE) --output-dir /build/ -k /keys --output-type iso ${ENKI_FLAGS} + RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type iso ${ENKI_FLAGS} SAVE ARTIFACT /build/*.iso AS LOCAL build/ # WARNING the following targets are just for development purposes, use them at your own risk From 00ed17c4d597be5157990b2a3ec328d314e851fa Mon Sep 17 00:00:00 2001 From: Itxaka Date: Wed, 6 Mar 2024 17:30:31 +0100 Subject: [PATCH 81/85] Actualizar Earthfile --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index bb904dfe0..7c27931db 100644 --- a/Earthfile +++ b/Earthfile 
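Review bot: `$BASE_IMAGE` is passed to `enki build-uki` unquoted on the new RUN line, and since the `FROM $BASE_IMAGE` that previously made Earthly resolve the reference up front is gone, a malformed or empty value now only surfaces when enki tries to pull inside the osbuilder container; I would write `RUN --no-cache enki build-uki "$BASE_IMAGE" --output-dir /build/ -k /keys --output-type iso ${ENKI_FLAGS}` (leaving `${ENKI_FLAGS}` unquoted, as it is evidently meant to word-split) so a value containing whitespace fails loudly instead of becoming extra arguments. Whether enki verifies the image it now pulls itself is not visible here, and the earlier `FROM` went through Earthly's own pull path, so if any verification happened there this change drops it — worth confirming before relying on this target for anything beyond tests. The signing keys come from `COPY ./tests/keys /keys`, which by path are presumably the repository's committed test keys; a comment above the RUN line such as `# /keys are the test keys from tests/keys — ISOs from this target are NOT signed with release keys` would make that visible to whoever next reaches for this target.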
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.10 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.11 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From cffcfcd1614b2d40db4bf3c9b30c8fcc0c59a9de Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:07:44 +0100 Subject: [PATCH 82/85] Update dependency kairos-io/kairos-framework to v2.7.12 (#2313) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 7c27931db..b0d8cf0b8 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.11 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.12 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From cd9921629931929bd9635a35019eb9f4b51f8b19 Mon Sep 17 00:00:00 2001 From: Mauro Morales Date: Thu, 7 Mar 2024 15:13:28 +0100 Subject: [PATCH 83/85] Use Ubuntu 22 LTS for ZFS test (#2314) * Use Ubuntu 22 LTS for ZFS test This is because zfs is not being installed on 23+ since it clashes with nohang Signed-off-by: Mauro Morales * also in pr workflow Signed-off-by: Mauro Morales * Of course then we need to build it Signed-off-by: Mauro Morales * needs :facepalm: Signed-off-by: Mauro Morales --------- 
Signed-off-by: Mauro Morales --- .github/workflows/image-pr.yaml | 15 +++++++++++++-- .github/workflows/image.yaml | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml index c9f9681b9..377b5208f 100644 --- a/.github/workflows/image-pr.yaml +++ b/.github/workflows/image-pr.yaml @@ -21,6 +21,17 @@ jobs: variant: core arch: amd64 + core-ubuntu-lts: + uses: ./.github/workflows/reusable-build-flavor.yaml + with: + flavor: ubuntu + flavor_release: "22.04" + family: ubuntu + base_image: ubuntu:22.04 + model: generic + variant: core + arch: amd64 + core-alpine: uses: ./.github/workflows/reusable-build-flavor.yaml with: @@ -73,9 +84,9 @@ jobs: uses: ./.github/workflows/reusable-zfs-test.yaml with: flavor: ubuntu - flavor_release: "23.10" + flavor_release: "22.04" needs: - - core + - core-ubuntu-lts acceptance: uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 95534c6e7..0790c6a67 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -101,7 +101,7 @@ jobs: matrix: include: - flavor: "ubuntu" - flavorRelease: "23.10" + flavorRelease: "22.04" acceptance: uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml with: From 473800032484252b482b946a89dc34a9727d177e Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 7 Mar 2024 16:16:13 +0100 Subject: [PATCH 84/85] Bump framework Signed-off-by: Itxaka --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index b0d8cf0b8..f35208071 100644 --- a/Earthfile +++ b/Earthfile 
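Review bot: The reason for moving the ZFS test to `flavor_release: "22.04"` lives only in the commit message ("zfs is not being installed on 23+ since it clashes with nohang"), so the next person tidying the matrix is likely to bump it back to match the other Ubuntu jobs and rediscover the breakage. I would put the rationale in the workflow next to both changed `22.04` values, e.g. `# ZFS stays on 22.04 LTS: zfs does not install on Ubuntu 23.x (conflicts with nohang), see #2314`. The new `core-ubuntu-lts` job in image-pr.yaml duplicates `core` except for the release fields; if the two are expected to stay in lockstep, a comment pointing at each other, or a single job with a matrix over `flavor_release`, would make that explicit.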
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.49.1 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.7.12 +ARG KAIROS_FRAMEWORK_VERSION=v2.7.14 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name From 3547cf861f05cd5ea3961ed8e050df3b34d570dd Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 7 Mar 2024 21:23:18 +0100 Subject: [PATCH 85/85] Bump osbuilder for enki Signed-off-by: Itxaka --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index f35208071..58e5ed51f 100644 --- a/Earthfile +++ b/Earthfile @@ -21,7 +21,7 @@ END ARG COSIGN_EXPERIMENTAL=0 ARG CGO_ENABLED=0 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced -ARG OSBUILDER_VERSION=v0.200.4 +ARG OSBUILDER_VERSION=v0.200.5 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG GOLINT_VERSION=1.52.2 # renovate: datasource=docker depName=golang