From 20cb1889ba38557d8dd8ca279dfdbdeb6f39992c Mon Sep 17 00:00:00 2001 From: Tyler Gillson Date: Thu, 4 Jul 2024 14:38:56 -0600 Subject: [PATCH 01/41] chore: disable CIS hardening by default; sort distros (#224) Signed-off-by: Tyler Gillson --- Earthfile | 74 +++++++++++++++++++++++++++---------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/Earthfile b/Earthfile index 3e29606..0d1457c 100644 --- a/Earthfile +++ b/Earthfile @@ -36,7 +36,7 @@ ARG CLUSTERCONFIG ARG EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml ARG ARCH ARG DISABLE_SELINUX=true -ARG CIS_HARDENING=true +ARG CIS_HARDENING=false ARG UBUNTU_PRO_KEY ARG FIPS_ENABLED=false 
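Review bot: `ARG CIS_HARDENING=false` changes what a build with no explicit value produces, and the line has no comment saying so. Any pipeline that relied on the old default now gets an image without the CIS hardening step (presumably applied further down the Earthfile, outside this hunk) and gets no build-time signal about it. I would add a comment above the ARG such as `# CIS hardening is opt-in since #224; pass --CIS_HARDENING=true to build a hardened image`. It is also worth confirming that release pipelines set the value explicitly rather than inheriting the default.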
@@ -136,61 +136,61 @@ build-provider-images: IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.27.2 BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 BUILD +$TARGET --K8S_VERSION=1.26.8 + BUILD +$TARGET --K8S_VERSION=1.26.10 + BUILD +$TARGET --K8S_VERSION=1.26.12 + BUILD +$TARGET --K8S_VERSION=1.26.15 + BUILD +$TARGET --K8S_VERSION=1.27.2 BUILD +$TARGET --K8S_VERSION=1.27.5 BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.29.0 BUILD +$TARGET --K8S_VERSION=1.27.9 - BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.26.15 + BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.29.0 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.27.2 BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.27.9 BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.28.5 + BUILD +$TARGET --K8S_VERSION=1.26.14 BUILD +$TARGET --K8S_VERSION=1.26.15 + BUILD +$TARGET 
--K8S_VERSION=1.27.2 + BUILD +$TARGET --K8S_VERSION=1.27.5 + BUILD +$TARGET --K8S_VERSION=1.27.7 + BUILD +$TARGET --K8S_VERSION=1.27.9 + BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.13 + BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.5 + BUILD +$TARGET --K8S_VERSION=1.28.7 BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.29.4 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.27.2 BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 BUILD +$TARGET --K8S_VERSION=1.26.8 + BUILD +$TARGET --K8S_VERSION=1.26.10 + BUILD +$TARGET --K8S_VERSION=1.26.14 + BUILD +$TARGET --K8S_VERSION=1.27.2 BUILD +$TARGET --K8S_VERSION=1.27.5 BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.7 + BUILD +$TARGET --K8S_VERSION=1.29.2 END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" 
@@ -202,23 +202,23 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.24.13 BUILD +provider-image --K8S_VERSION=1.25.9 BUILD +provider-image --K8S_VERSION=1.26.4 - BUILD +provider-image --K8S_VERSION=1.27.2 - BUILD +provider-image --K8S_VERSION=1.29.0 - BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.26.12 - BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.26.15 + BUILD +provider-image --K8S_VERSION=1.27.2 + BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.14 + BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.10 + BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 - BUILD +provider-image --K8S_VERSION=1.25.2 BUILD +provider-image --K8S_VERSION=1.25.0 + BUILD +provider-image --K8S_VERSION=1.25.2 BUILD +provider-image --K8S_VERSION=1.26.4 + BUILD +provider-image --K8S_VERSION=1.26.12 BUILD +provider-image --K8S_VERSION=1.26.14 BUILD +provider-image --K8S_VERSION=1.27.2 - BUILD +provider-image --K8S_VERSION=1.26.12 BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 BUILD +provider-image --K8S_VERSION=1.28.5 @@ -229,9 +229,9 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.2 BUILD +provider-image --K8S_VERSION=1.26.4 - BUILD +provider-image --K8S_VERSION=1.27.2 BUILD +provider-image --K8S_VERSION=1.26.12 BUILD +provider-image --K8S_VERSION=1.26.14 + BUILD +provider-image --K8S_VERSION=1.27.2 BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 BUILD +provider-image --K8S_VERSION=1.28.5 From 04965cb99fa6abffbb7fbc475158928d4f05acb0 Mon Sep 17 00:00:00 2001 
From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com> Date: Thu, 11 Jul 2024 14:57:36 +0530 Subject: [PATCH 02/41] PE-4679 Update new k8s versions (#226) --- Earthfile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Earthfile b/Earthfile index 0d1457c..0e7f947 100644 --- a/Earthfile +++ b/Earthfile @@ -148,10 +148,13 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.7 BUILD +$TARGET --K8S_VERSION=1.27.9 BUILD +$TARGET --K8S_VERSION=1.27.11 + BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.0 + BUILD +$TARGET --K8S_VERSION=1.29.6 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -169,12 +172,15 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.9 BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.13 + BUILD +$TARGET --K8S_VERSION=1.27.14 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.7 BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.28.10 BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.29.4 + BUILD +$TARGET --K8S_VERSION=1.29.5 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -188,9 +194,12 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.5 BUILD +$TARGET --K8S_VERSION=1.27.7 BUILD +$TARGET --K8S_VERSION=1.27.11 + BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.7 + BUILD +$TARGET --K8S_VERSION=1.28.10 BUILD +$TARGET --K8S_VERSION=1.29.2 + BUILD +$TARGET --K8S_VERSION=1.29.6 END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" 
@@ -207,10 +216,13 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.2 BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.14 + BUILD +provider-image --K8S_VERSION=1.27.15 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.10 + BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 + BUILD +provider-image --K8S_VERSION=1.29.6 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 @@ -221,10 +233,13 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.2 BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 + BUILD +provider-image --K8S_VERSION=1.27.14 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.7 + BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.3 + BUILD +provider-image --K8S_VERSION=1.29.6 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.2 @@ -234,10 +249,13 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.2 BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 + BUILD +provider-image --K8S_VERSION=1.27.15 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.7 + BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.2 + BUILD +provider-image --K8S_VERSION=1.29.6 END ELSE BUILD +provider-image --K8S_VERSION="$K8S_VERSION" From 3dfeb58a0754ae3913936ee7ad44fd66acc42d28 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Mon, 15 Jul 2024 14:47:51 +0530 Subject: [PATCH 03/41] update luet and pe versions (#228) --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Earthfile b/Earthfile index 0e7f947..98efd5d 100644 --- a/Earthfile +++ b/Earthfile @@ -11,8 +11,8 @@ ARG ETCD_REPO=https://github.com/etcd-io FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. -ARG PE_VERSION=v4.4.1 -ARG SPECTRO_LUET_VERSION=v1.3.1 +ARG PE_VERSION=v4.4.4 +ARG SPECTRO_LUET_VERSION=v1.3.2 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 4ca5a03a4c956aa00bb69dc5bdacde32e135ef67 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Mon, 15 Jul 2024 15:31:25 -0700 Subject: [PATCH 04/41] fix: BYOS pack info doesn't get printed while building all images (#229) Signed-off-by: Nianyu Shen --- earthly.sh | 70 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 39 insertions(+), 31 deletions(-) diff --git a/earthly.sh b/earthly.sh index 125f25f..fcec591 100755 --- a/earthly.sh +++ b/earthly.sh 
@@ -24,6 +24,38 @@ function build_without_proxy() { docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" } +function print_os_pack() { + # Print the output for use in Palette Profile. + echo -e '##########################################################################################################' + echo -e '\nPASTE THE CONTENT BELOW INTO YOUR CLUSTER PROFILE IN PALETTE REPLACING ALL THE CONTENTS IN THE PROFILE\n' + echo -e '##########################################################################################################' + echo -e '\n' + echo -e 'pack:' + echo -e ' content:' + echo -e ' images:' + echo -e ' - image: "{{.spectro.pack.edge-native-byoi.options.system.uri}}"' + echo -e ' # Below config is default value, please uncomment if you want to modify default values' + echo -e ' #drain:' + echo -e ' #cordon: true' + echo -e ' #timeout: 60 # The length of time to wait before giving up, zero means infinite' + echo -e ' #gracePeriod: 60 # Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used' + echo -e ' #ignoreDaemonSets: true' + echo -e ' #deleteLocalData: true # Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained)' + echo -e ' #force: true # Continue even if there are pods that do not declare a controller' + echo -e ' #disableEviction: false # Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution' + echo -e ' #skipWaitForDeleteTimeout: 60 # If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.' 
+ echo -e 'options:' + echo -e ' system.uri: "{{ .spectro.pack.edge-native-byoi.options.system.registry }}/{{ .spectro.pack.edge-native-byoi.options.system.repo }}:{{ .spectro.pack.edge-native-byoi.options.system.k8sDistribution }}-{{ .spectro.system.kubernetes.version }}-{{ .spectro.pack.edge-native-byoi.options.system.peVersion }}-{{ .spectro.pack.edge-native-byoi.options.system.customTag }}"' + echo -e '\n' + echo -e " system.registry: $IMAGE_REGISTRY" + echo -e " system.repo: $IMAGE_REPO" + echo -e " system.k8sDistribution: $K8S_DISTRIBUTION" + echo -e " system.osName: $OS_DISTRIBUTION" + echo -e " system.peVersion: $PE_VERSION" + echo -e " system.customTag: $CUSTOM_TAG" + echo -e " system.osVersion: $OS_VERSION" +} + global_config="{disable_analytics: true}" PE_VERSION=$(git describe --abbrev=0 --tags) SPECTRO_PUB_REPO=gcr.io/spectro-images-public 
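Review bot: The last seven lines of `print_os_pack` interpolate `$IMAGE_REGISTRY`, `$IMAGE_REPO`, `$CUSTOM_TAG` and the other variables into `echo -e`, which interprets backslash escapes in their values. A value containing `\n` or `\t` therefore alters the YAML the user is told to paste into the cluster profile. The body was moved unchanged from the old `if` block, but since it is now a function I would print the static part with a quoted-delimiter here-doc and the dynamic lines with `printf 'system.registry: %s\n' "$IMAGE_REGISTRY"`, keeping the existing indentation. The variables are assigned outside this hunk, so the origin of their values cannot be checked from here.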
@@ -65,34 +97,10 @@ if [[ "$1" == "+uki-genkey" ]]; then ./keys.sh secure-boot/ fi -if [[ "$1" == "+build-provider-images" ]] || [[ "$1" == "+build-provider-images-fips" ]] ; then - # Print the output for use in Palette Profile. - echo -e '##########################################################################################################' - echo -e '\nPASTE THE CONTENT BELOW INTO YOUR CLUSTER PROFILE IN PALETTE REPLACING ALL THE CONTENTS IN THE PROFILE\n' - echo -e '##########################################################################################################' - echo -e '\n' - echo -e 'pack:' - echo -e ' content:' - echo -e ' images:' - echo -e ' - image: "{{.spectro.pack.edge-native-byoi.options.system.uri}}"' - echo -e ' # Below config is default value, please uncomment if you want to modify default values' - echo -e ' #drain:' - echo -e ' #cordon: true' - echo -e ' #timeout: 60 # The length of time to wait before giving up, zero means infinite' - echo -e ' #gracePeriod: 60 # Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used' - echo -e ' #ignoreDaemonSets: true' - echo -e ' #deleteLocalData: true # Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained)' - echo -e ' #force: true # Continue even if there are pods that do not declare a controller' - echo -e ' #disableEviction: false # Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution' - echo -e ' #skipWaitForDeleteTimeout: 60 # If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.' 
- echo -e 'options:' - echo -e ' system.uri: "{{ .spectro.pack.edge-native-byoi.options.system.registry }}/{{ .spectro.pack.edge-native-byoi.options.system.repo }}:{{ .spectro.pack.edge-native-byoi.options.system.k8sDistribution }}-{{ .spectro.system.kubernetes.version }}-{{ .spectro.pack.edge-native-byoi.options.system.peVersion }}-{{ .spectro.pack.edge-native-byoi.options.system.customTag }}"' - echo -e '\n' - echo -e " system.registry: $IMAGE_REGISTRY" - echo -e " system.repo: $IMAGE_REPO" - echo -e " system.k8sDistribution: $K8S_DISTRIBUTION" - echo -e " system.osName: $OS_DISTRIBUTION" - echo -e " system.peVersion: $PE_VERSION" - echo -e " system.customTag: $CUSTOM_TAG" - echo -e " system.osVersion: $OS_VERSION" -fi +# if $1 is in oen of the following values, print the output for use in Palette Profile. +targets=("+build-provider-images" "+build-provider-images-fips" "+build-all-images") +for arg in "${targets[@]}"; do + if [[ "$1" == "$arg" ]]; then + print_os_pack + fi +done From 79125f41aa699a64b08116a79e6a65594ae32e09 Mon Sep 17 00:00:00 2001 From: Chinmay Gabel Date: Thu, 18 Jul 2024 11:43:49 -0700 Subject: [PATCH 05/41] PE-4699: CanvOS Earthfile target to validate user-data (#230) --- Earthfile | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index 98efd5d..bfb2899 100644 --- a/Earthfile +++ b/Earthfile @@ -98,9 +98,11 @@ END IF [ "$FIPS_ENABLED" = "true" ] ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-fips-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-fips-linux-$ARCH:$PE_VERSION + ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips:${PE_VERSION} ELSE ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-linux-$ARCH:$PE_VERSION + ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli:${PE_VERSION} END IF [ "$CUSTOM_TAG" != "" ] 
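Review bot: The new loop walks the `targets` array only to call `print_os_pack` at most once; a `case` says the same thing without the array: `case "$1" in +build-provider-images|+build-provider-images-fips|+build-all-images) print_os_pack ;; esac`. The comment above the loop has a typo (`oen` for `one`). `$1` is read unguarded, which is fine as written but would abort the script if `set -u` were ever enabled and no argument were given; `"${1:-}"` avoids that.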
@@ -358,7 +360,7 @@ build-uki-iso: FROM --platform=linux/${ARCH} $OSBUILDER_IMAGE ENV ISO_NAME=${ISO_NAME} COPY overlay/files-iso/ /overlay/ - COPY --if-exists user-data /overlay/config.yaml + COPY --if-exists +validate-user-data/user-data /overlay/config.yaml COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar COPY --platform=linux/${ARCH} +luet/luet /overlay/luet @@ -411,11 +413,24 @@ iso: END SAVE ARTIFACT /build/* AS LOCAL ./build/ +validate-user-data: + FROM --platform=linux/${TARGETARCH} $CLI_IMAGE + COPY --if-exists user-data /user-data + + RUN chmod +x /usr/local/bin/palette-edge-cli; + RUN if [ -f /user-data ]; then \ + /usr/local/bin/palette-edge-cli validate -f /user-data; \ + else \ + echo "user-data file does not exist."; \ + fi + SAVE ARTIFACT --if-exists /user-data + + build-iso: FROM --platform=linux/${ARCH} $OSBUILDER_IMAGE ENV ISO_NAME=${ISO_NAME} COPY overlay/files-iso/ /overlay/ - COPY --if-exists user-data /overlay/files-iso/config.yaml + COPY --if-exists +validate-user-data/user-data /overlay/files-iso/config.yaml COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/ COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml RUN if [ -n "$(ls /overlay/opt/spectrocloud/content/*.zst 2>/dev/null)" ]; then \ From 1663a3f1331cb53c44aa5e1ed65a963775c0c674 Mon Sep 17 00:00:00 2001 From: Chinmay Gabel Date: Tue, 23 Jul 2024 08:58:48 -0700 Subject: [PATCH 06/41] add arch in cli image (#234) --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index bfb2899..c309aed 100644 --- a/Earthfile +++ b/Earthfile 
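Review bot: `validate-user-data` has no comment describing its contract, and its `else` branch only echoes `user-data file does not exist.` and succeeds. A mistyped or misplaced file therefore yields an ISO with no embedded config and a single log line as the only trace. I would add a comment above the target such as `# Validates ./user-data with palette-edge-cli; a validation error fails the build, a missing file is skipped`, and reword the echo as a warning that the ISO will carry no user-data. The target runs on `linux/${TARGETARCH}` while its consumers `build-iso` and `build-uki-iso` use `linux/${ARCH}`; if that is deliberate, a short comment saying so would help, and the stray `;` after `RUN chmod +x /usr/local/bin/palette-edge-cli` can be dropped.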
@@ -98,11 +98,11 @@ END IF [ "$FIPS_ENABLED" = "true" ] ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-fips-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-fips-linux-$ARCH:$PE_VERSION - ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips:${PE_VERSION} + ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips-${TARGETARCH}:${PE_VERSION} ELSE ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-linux-$ARCH:$PE_VERSION - ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli:${PE_VERSION} + ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-${TARGETARCH}:${PE_VERSION} END IF [ "$CUSTOM_TAG" != "" ] From 4578a0c982be21d9329ac4e6633d8ae95fd80487 Mon Sep 17 00:00:00 2001 From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com> Date: Wed, 24 Jul 2024 16:55:29 +0530 Subject: [PATCH 07/41] PE-4760 Remove k3s 1.28.10 from canvos (#235) --- Earthfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Earthfile b/Earthfile index c309aed..12cbf3f 100644 --- a/Earthfile +++ b/Earthfile @@ -199,7 +199,6 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.28.10 BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.29.6 END From 769bfeec955c4ee62d3be51cd77e6ab3aaf3aca9 Mon Sep 17 00:00:00 2001 
From: Arun Sharma Date: Sat, 27 Jul 2024 00:44:06 +0530 Subject: [PATCH 08/41] PE-4076: Rsyslog and logrotate changes (#225) * rsyslog logrotate installation * config update * conf changes * log duplicate issue fix and file permission and ownership fix * rsyslog conf in providers and adm group not in opensuse fix * group change --- Earthfile | 8 +++++--- overlay/files/etc/logrotate.d/stylus.conf | 12 ++++++++++++ overlay/files/etc/rsyslog.d/49-stylus.conf | 19 +++++++++++++++++++ slem/Dockerfile | 2 ++ 4 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 overlay/files/etc/logrotate.d/stylus.conf create mode 100644 overlay/files/etc/rsyslog.d/49-stylus.conf diff --git a/Earthfile b/Earthfile index 12cbf3f..e9e25af 100644 --- a/Earthfile +++ b/Earthfile @@ -290,6 +290,7 @@ uki-provider-image: RUN apt-get update && apt-get install -y rsync WORKDIR / + COPY overlay/files/etc/ /etc/ COPY +luet/luet /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot @@ -589,6 +590,7 @@ provider-image: ARG BASE_K8S_VERSION=$K8S_VERSION-$K8S_DISTRIBUTION_TAG END + COPY overlay/files/etc/ /etc/ COPY --platform=linux/${ARCH} +kairos-provider-image/ / COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml @@ -725,7 +727,7 @@ base-image: END RUN apt-get update && \ - apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool -y + apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y IF [ "$UPDATE_KERNEL" = "false" ] RUN if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION" ; fi && \ 
@@ -785,7 +787,7 @@ base-image: END IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] - RUN zypper install -y apparmor-parser apparmor-profiles + RUN zypper install -y apparmor-parser apparmor-profiles rsyslog logrotate RUN zypper cc && \ zypper clean RUN if [ ! -e /usr/bin/apparmor_parser ]; then cp /sbin/apparmor_parser /usr/bin/apparmor_parser; fi @@ -804,7 +806,7 @@ base-image: RUN --no-cache luet repo update IF [ "$OS_DISTRIBUTION" = "rhel" ] - RUN yum install -y openssl + RUN yum install -y openssl rsyslog logrotate END IF [ "$OS_DISTRIBUTION" = "sles" ] diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf new file mode 100644 index 0000000..e45df6a --- /dev/null +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -0,0 +1,12 @@ +/var/log/stylus-audit.log { + yearly + rotate 2 + missingok + notifempty + compress + delaycompress + dateext + dateformat -%m-%Y + size 100M + create 600 root root +} \ No newline at end of file diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf new file mode 100644 index 0000000..a540b6b --- /dev/null +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -0,0 +1,19 @@ +# Running rsyslog as root. +# TODO: should this be done or change acceptance criteria to about audit log file permissions accordingly +$PrivDropToUser root +# default config has $Umask 0022 set. That breaks any config related to masks and modes. +$Umask 0000 + +# Mesage format as per rfc5424. +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" + +# route messages with facility local7 and severity notice to /var/log/stylus-audit.log +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice') then{ + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) & stop +} 
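Review bot: In `overlay/files/etc/logrotate.d/stylus.conf`, `size 100M` comes after `yearly`, and logrotate treats `size` as mutually exclusive with the time interval (the later option wins), so this audit log rotates on size alone. With `rotate 2`, retained history is capped at the live file plus two rotated ones, and older audit records are discarded without notice. If the audit trail has a retention requirement, state it in a comment and set `rotate` to match, or use `maxsize 100M` so the interval still applies. The file also ends without a trailing newline.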
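Review bot: `$PrivDropToUser root` and `$Umask 0000` in `49-stylus.conf` are global legacy directives, not scoped to the `stylus-audit.log` action, so this drop-in changes privilege and file-creation behaviour for the whole rsyslog daemon. On a distribution whose stock config drops to an unprivileged user, the daemon would now keep running as root, and with the umask cleared every other output's permissions depend only on its own `FileCreateMode`/`DirCreateMode`. The file's own TODO already questions this; until it is resolved I would at least extend the comment, e.g. `# NOTE: global settings, affect every rsyslog output, not only stylus-audit.log`. The alternative is to keep the privilege drop and have the action create the file for the rsyslog user with `FileCreateMode="0600"`. `Mesage` in the template comment should read `Message`.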
diff --git a/slem/Dockerfile b/slem/Dockerfile index 1b2d47f..d252a92 100644 --- a/slem/Dockerfile +++ b/slem/Dockerfile @@ -22,6 +22,8 @@ RUN zypper in --force-resolution -y --no-allow-vendor-change \ fail2ban \ lldpd \ nethogs \ + rsyslog \ + logrotate \ && zypper cc # NOTE: removed dhcp-client RUN mkdir -p /run/lock From b3c240730660a1c562aa1a05d412e05e6e5ecf90 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Tue, 30 Jul 2024 09:27:45 +0530 Subject: [PATCH 09/41] update fips base images (#236) --- rhel-fips/Dockerfile | 2 +- ubuntu-fips/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel-fips/Dockerfile b/rhel-fips/Dockerfile index 9f1b87f..2fbe02b 100644 --- a/rhel-fips/Dockerfile +++ b/rhel-fips/Dockerfile @@ -83,7 +83,7 @@ RUN mkdir -p /run/lock && \ # Copy the os-release file to identify the OS COPY --from=osbuilder /workspace/os-release /etc/os-release -COPY --from=quay.io/kairos/framework:v2.7.41-fips / / +COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / / RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml diff --git a/ubuntu-fips/Dockerfile b/ubuntu-fips/Dockerfile index caaa4b5..beb0558 100644 --- a/ubuntu-fips/Dockerfile +++ b/ubuntu-fips/Dockerfile @@ -1,6 +1,6 @@ # Kairos framework packages for ubuntu fips -FROM quay.io/kairos/framework:v2.7.41-fips as kairos-fips +FROM gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro as kairos-fips # Base ubuntu image (focal) FROM ubuntu:focal as base From cd2b974d0673496be97e9559fbf4f9576bb47477 Mon Sep 17 00:00:00 2001 From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com> Date: Mon, 5 Aug 2024 22:02:16 +0530 Subject: [PATCH 10/41] PE-4749 Update Earthfile with latest k8s versions for 4.4.b (#241) --- Earthfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Earthfile b/Earthfile index e9e25af..54da531 100644 --- a/Earthfile 
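Review bot: `COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / /` in `rhel-fips/Dockerfile` overlays the whole root filesystem of a FIPS image from a tag, and a tag can be re-pushed. The same reference is used in the `FROM ... as kairos-fips` line of `ubuntu-fips/Dockerfile`. Pinning both by digest, `...framework:v2.7.41-fips-spectro@sha256:<digest>`, makes the build reproducible and makes a changed upstream image show up as a diff in review. The commit message does not say how the `-spectro` rebuild differs from the `quay.io/kairos` image it replaces; a one-line comment above each reference would help anyone auditing the FIPS chain later.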
+++ b/Earthfile @@ -151,12 +151,15 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.9 BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.15 + BUILD +$TARGET --K8S_VERSION=1.27.16 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.28.12 BUILD +$TARGET --K8S_VERSION=1.29.0 BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.29.7 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -175,14 +178,17 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.13 BUILD +$TARGET --K8S_VERSION=1.27.14 + BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.7 BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.10 + BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.29.4 BUILD +$TARGET --K8S_VERSION=1.29.5 + BUILD +$TARGET --K8S_VERSION=1.29.6 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -218,12 +224,15 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.14 BUILD +provider-image --K8S_VERSION=1.27.15 + BUILD +provider-image --K8S_VERSION=1.27.16 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.28.11 + BUILD +provider-image --K8S_VERSION=1.28.12 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.29.7 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 
@@ -235,11 +244,14 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 BUILD +provider-image --K8S_VERSION=1.27.14 + BUILD +provider-image --K8S_VERSION=1.27.15 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.7 BUILD +provider-image --K8S_VERSION=1.28.10 + BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.3 + BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 From 61ad9fd18e144801b26ed3413a4c3f8357b9156a Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Mon, 5 Aug 2024 23:16:36 +0530 Subject: [PATCH 11/41] logrotate issue fix (#242) --- Earthfile | 15 +++++++++++++-- overlay/files/etc/logrotate.d/stylus.conf | 9 +++++++-- overlay/files/etc/rsyslog.d/49-stylus.conf | 6 +++--- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/Earthfile b/Earthfile index 54da531..f1f22b1 100644 --- a/Earthfile +++ b/Earthfile @@ -302,7 +302,10 @@ uki-provider-image: RUN apt-get update && apt-get install -y rsync WORKDIR / - COPY overlay/files/etc/ /etc/ + COPY --if-exists overlay/files/etc/ /etc/ + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END COPY +luet/luet /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot @@ -602,7 +605,11 @@ provider-image: ARG BASE_K8S_VERSION=$K8S_VERSION-$K8S_DISTRIBUTION_TAG END - COPY overlay/files/etc/ /etc/ + COPY --if-exists overlay/files/etc/ /etc/ + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END + COPY --platform=linux/${ARCH} +kairos-provider-image/ / COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml 
@@ -852,6 +859,10 @@ iso-image: RUN rm -f /usr/bin/luet END COPY overlay/files/ / + + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli RUN touch /etc/machine-id \ diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf index e45df6a..5ccdab0 100644 --- a/overlay/files/etc/logrotate.d/stylus.conf +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -4,9 +4,14 @@ missingok notifempty compress - delaycompress dateext - dateformat -%m-%Y + dateformat -%d-%m-%Y size 100M create 600 root root + # to avoid 'writable by group or others' error + su root root + # reload or restart to point file handle to new log file + postrotate + systemctl try-reload-or-restart rsyslog 2>&1 || true + endscript } \ No newline at end of file diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf index a540b6b..dfaafe8 100644 --- a/overlay/files/etc/rsyslog.d/49-stylus.conf +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -1,6 +1,6 @@ -# Running rsyslog as root. -# TODO: should this be done or change acceptance criteria to about audit log file permissions accordingly +# Running rsyslog as root. $PrivDropToUser root +$PrivDropToGroup root # default config has $Umask 0022 set. That breaks any config related to masks and modes. $Umask 0000 @@ -8,7 +8,7 @@ $Umask 0000 $template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" # route messages with facility local7 and severity notice to /var/log/stylus-audit.log -if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice') then{ +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then{ action( type="omfile" file="/var/log/stylus-audit.log" From f5dd8d61a48eaddfa1a7662bde646c028a107bb3 Mon Sep 17 00:00:00 2001 
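Review bot: In logrotate.d/stylus.conf the `postrotate` script ends in `2>&1 || true`, so a failed `systemctl try-reload-or-restart rsyslog` is reported to logrotate as success, and because this hunk also removes `delaycompress`, the just-rotated file is compressed in the same run while rsyslog may still hold it open; audit events written to that handle can be lost without any error. Letting the script return the real status (`systemctl try-reload-or-restart rsyslog` with no `|| true`) makes logrotate record the failure, and keeping `delaycompress` leaves the previous file intact for one cycle. Separately, the logrotate man page asks that `dateformat` produce lexically sortable names because `rotate` relies on that order to choose which files to delete; `-%d-%m-%Y` sorts by day first, so `dateformat -%Y-%m-%d` is safer if the block sets `rotate` (its first lines are outside the hunk).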
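Review bot: In rsyslog.d/49-stylus.conf, `$PrivDropToUser root` and the added `$PrivDropToGroup root` are global legacy directives, so this drop-in keeps the whole rsyslog daemon running as root rather than only the audit-file action, and the hunk deletes the TODO that was the only record of that being an open question. With `$Umask 0000` in the context lines, the umask no longer acts as a floor and every output file depends on its own `FileCreateMode`. I would keep a marker in place of the removed line, e.g. `# TODO: this keeps all of rsyslog running as root; confirm it is required for the root-owned 0600 audit file`.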
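Review bot: The new `$syslogtag contains 'stylus-audit'` condition in rsyslog.d/49-stylus.conf is a substring match on a field the sending process chooses, so any message whose tag merely includes that text is also written to `/var/log/stylus-audit.log`. An exact match on the program name, `$programname == 'stylus-audit'`, narrows the filter to the intended tag. The value is still supplied by the sender, so consumers of the audit file should not treat the tag as proof of origin. The `action(...)` block continues outside the hunk.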
From: Piyush Kumar Date: Tue, 6 Aug 2024 09:49:22 +0530 Subject: [PATCH 12/41] PE:4813: use alpine from gcr.io instead of docker.io (#244) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index f1f22b1..907ee8c 100644 --- a/Earthfile +++ b/Earthfile @@ -336,7 +336,7 @@ kairos-agent: SAVE ARTIFACT /usr/bin/kairos-agent /kairos-agent install-k8s: - FROM --platform=linux/${ARCH} alpine:3.19 + FROM --platform=linux/${ARCH} $ALPINE_IMG COPY +luet/luet /usr/bin/luet IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] From 4913fad15b12babe567c0dc43de43e4e7805a122 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Tue, 6 Aug 2024 11:23:45 +0530 Subject: [PATCH 13/41] bump alpine img to 3.20.2 (#245) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 907ee8c..4782915 100644 --- a/Earthfile +++ b/Earthfile @@ -3,7 +3,7 @@ ARG TARGETOS ARG TARGETARCH # Default image repositories used in the builds. -ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.16.2 +ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.20.2 ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public From 8c9a8a4934e713a3c427bbcd00c2e4b4c88b21c2 Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Tue, 6 Aug 2024 18:40:03 +0530 Subject: [PATCH 14/41] Readme update (#243) --- README.md | 53 ++++++++++++++++++++++ overlay/files/etc/logrotate.d/stylus.conf | 1 + overlay/files/etc/rsyslog.d/49-stylus.conf | 4 +- 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f856648..4664dbc 100644 --- a/README.md +++ b/README.md 
@@ -346,3 +346,56 @@ EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml ```shell earthly --push +build-all-images ``` + + +### Audit Logs User Customisation + +#### Configuration +rsyslog config file: `overlay/files/etc/rsyslog.d/49-stylus.conf` copied to `/etc/rsyslog.d/49-stylus.conf` +logrotate config file: `overlay/files/etc/logrotate.d/stylus.conf` copied to `/etc/logrotate.d/stylus.conf` + +#### Send stylus audit events to user file +Users can log stylus audit events to additional files, in addition to `/var/log/stylus-audit.log`. To log stylus audit events to custom files, create a configuration file in the `overlay/files/etc/rsyslog.d` directory named `.conf` (must be before `49-stylus.conf` lexicographically). + +Example: `48-audit.conf` + +Users can use the following configuration as a base for their filtering logic. replace `` with the desired file name +``` +$PrivDropToUser root +$PrivDropToGroup root +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then { + action( + type="omfile" + file="" + ) +} +``` + +#### Send user application audit events to stylus audit file +To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`: + +`` : user application name or tag +``` +$PrivDropToUser root +$PrivDropToGroup root +$Umask 0000 +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '') then { + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) +} +``` + +To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. 
This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind` + +Example syslog entry +``` +<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"} +``` + +Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI. \ No newline at end of file diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf index 5ccdab0..8553c0d 100644 --- a/overlay/files/etc/logrotate.d/stylus.conf +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -6,6 +6,7 @@ compress dateext dateformat -%d-%m-%Y + extension .log size 100M create 600 root root # to avoid 'writable by group or others' error diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf index dfaafe8..fc71256 100644 --- a/overlay/files/etc/rsyslog.d/49-stylus.conf +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -12,8 +12,8 @@ if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $s action( type="omfile" file="/var/log/stylus-audit.log" - FileCreateMode="0600" - fileowner="root" + FileCreateMode="0600" + fileowner="root" template="ForwardFormat" ) & stop } From 89de00fc4a55aeadcc100e15202da1e97d34e898 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Wed, 7 Aug 2024 10:51:10 +0530 Subject: [PATCH 15/41] bump luet-repo to 1.3.3 (#246) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 4782915..4ddbbad 100644 --- a/Earthfile +++ b/Earthfile 
@@ -12,7 +12,7 @@ FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.4 -ARG SPECTRO_LUET_VERSION=v1.3.2 +ARG SPECTRO_LUET_VERSION=v1.3.3 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From a8d166f6a3734a8db04f02a260ac889850836917 Mon Sep 17 00:00:00 2001 From: Vadim Zharov Date: Wed, 7 Aug 2024 13:34:03 -0500 Subject: [PATCH 16/41] RHEL 9 Dockerfile + RHEL8/9 Dockerfiles to build with RH Satellite (#221) * RHEL 9 Dockerfile + RHEL8/9 Dockerfiles to build with RH Satellite * Mistypo fixed --------- Co-authored-by: Vadim Zharov --- rhel-core-images/Dockerfile.rhel8.sat | 100 ++++++++++++++++++ rhel-core-images/Dockerfile.rhel9 | 96 +++++++++++++++++ rhel-core-images/Dockerfile.rhel9.sat | 99 +++++++++++++++++ rhel-core-images/README.md | 81 ++++++++++++++ .../rhel9/system/oem/33_tmp_mount.yaml | 10 ++ 5 files changed, 386 insertions(+) create mode 100644 rhel-core-images/Dockerfile.rhel8.sat create mode 100644 rhel-core-images/Dockerfile.rhel9 create mode 100644 rhel-core-images/Dockerfile.rhel9.sat create mode 100644 rhel-core-images/README.md create mode 100644 rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml diff --git a/rhel-core-images/Dockerfile.rhel8.sat b/rhel-core-images/Dockerfile.rhel8.sat new file mode 100644 index 0000000..243075e --- /dev/null +++ b/rhel-core-images/Dockerfile.rhel8.sat 
@@ -0,0 +1,100 @@ +ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-init:8.7-10 +ARG KAIROS_FRAMEWORK_IMAGE=quay.io/kairos/framework:v2.7.41 + +FROM $KAIROS_FRAMEWORK_IMAGE as kairosframework + +FROM $BASE_IMAGE + +ARG KAIROS_FRAMEWORK_IMAGE +ARG ORGNAME +ARG KEYNAME +ARG SATHOSTNAME + +RUN dnf config-manager --disable ubi-8-appstream-rpms ubi-8-baseos-rpms ubi-8-codeready-builder-rpms +RUN rm /etc/rhsm-host +RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm +RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME} + +RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + curl \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel8/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=quay.io/kairos/framework:v2.7.41 / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
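Review bot: In Dockerfile.rhel8.sat, `RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm` installs the package that establishes trust in the Satellite server over plain HTTP with no integrity check, so whatever answers on that hostname during the build decides which CA the image trusts. Shipping the RPM or the CA certificate in the build context, or checking the download against a known digest before `rpm -Uvh`, closes that gap. The activation key is also passed as `ARG KEYNAME` and expanded in a `RUN` line, which leaves it readable in the image history; a BuildKit secret mount (`RUN --mount=type=secret,id=<secret-id> ...`) avoids that. The tail of this file is missing from the page, so I cannot tell whether the build unregisters the host afterwards.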
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel8. +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel9 . +``` + +**In case of any errors during package installation steps - these errors might be caused by previous build attempts. Execute `docker build` command again by providing argument `--no-cache` to build the image from scratch** + +## Build the image using Red Hat Satellite and mirrored repositories + +This scenario is for the environment where Red Hat Satellite must be used and access to public Red Hat repositories is not possible. For this case use Dockerfiles `Dockerfile.rhel9.sat` and `Dockerfile.rhel8.sat` - these files are modified to use Red Hat Satellite Activation key to register host and install all required packages. + +### Prerequisites + +1. Mirror base RHEL UBI image (`registry.access.redhat.com/ubi9-init:9.4-6`) to the internal Container registry. Provide image path for the build process by using argument `BASE_IMAGE`. + +2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.7.41`) to the internal Container registry. 
Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`. + +3. Have the following repostiories synced and available on Red Hat Satellite: + +For RHEL9: +* rhel-9-for-x86_64-appstream-rpms +* rhel-9-for-x86_64-baseos-rpms +* EPEL9 (upstream URL https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/) + +For RHEL8: +* rhel-8-for-x86_64-appstream-rpms +* rhel-8-for-x86_64-baseos-rpms +* EPEL8 (upstream URL https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/) + + +4. Create Activation Key in RH Satellite and add corresponding repositories listed above. Make these repositories enabled by default (set `Override Enabled` for these repositories in the Activation Key configuration). Provide Activation Key for the build process by using argument `KEYNAME`. + +### Build the image + +After all prerequisites completed, ensure all required build arguments are in place: + +BASE_IMAGE - path to RHEL8/9 UBI image, for example `redhat.spectrocloud.dev/ubi9-init:9.4-6` + +KAIROS_FRAMEWORK_IMAGE - path to Kairos framework image, for example `quay.spectrocloud.dev/kairos/framework:v2.7.33` + +SATHOSTNAME - Red Hat Satellite hostname, for example `katello.spectrocloud.dev` + +ORGNAME - Organization name in Red Hat Satellite, for example `test-org` + +KEYNAME - Name of the Activation key with repositories attached, for example `rhel9-canvos-key` + +To build RHEL 8 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel8.sat . +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel9.sat . 
+``` + +For example, to build RHEL9 image: +``` +docker build -t localhost/palette-rhel9:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi9-init:9.4-6 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel9-canvos-key -f Dockerfile.rhel9.sat . +``` + +For example, to build RHEL8 image: +``` +docker build -t localhost/palette-rhel8:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi8/ubi-init:8.7-10 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel8-canvos-key -f Dockerfile.rhel8.sat . +``` + + + diff --git a/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml new file mode 100644 index 0000000..09a5f98 --- /dev/null +++ b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml @@ -0,0 +1,10 @@ +name: " tmp layout setup" +stages: + initramfs.after: + - name: mount tmp + commands: + - systemctl enable tmp.mount + fs.before: + - name: start tmp + commands: + - systemctl start tmp.mount From 17ca6ddc9a0d4a6aeaa84546a8a455ef89696eb7 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Thu, 8 Aug 2024 11:53:09 +0530 Subject: [PATCH 17/41] added LUET_PROJECT args for dev builds (#247) --- Earthfile | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/Earthfile b/Earthfile index 4ddbbad..34378fb 100644 --- a/Earthfile +++ b/Earthfile @@ -8,6 +8,7 @@ ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public ARG ETCD_REPO=https://github.com/etcd-io +ARG LUET_PROJECT=luet-repo FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. 
@@ -352,12 +353,12 @@ install-k8s: WORKDIR /output IF [ "$ARCH" = "arm64" ] - ARG LUET_REPO=luet-repo-arm + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - ARG LUET_REPO=luet-repo + ARG LUET_REPO=$LUET_PROJECT END RUN mkdir -p /etc/luet/repos.conf.d && \ - luet repo add spectro --type docker --url gcr.io/spectro-dev-public/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \ + luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \ luet repo update IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] @@ -712,15 +713,15 @@ base-image: END IF [ "$ARCH" = "arm64" ] - RUN mkdir -p /etc/luet/repos.conf.d && \ - SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo-arm/$SPECTRO_LUET_VERSION --priority 1 -y && \ - luet repo update + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - RUN mkdir -p /etc/luet/repos.conf.d && \ - SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo/$SPECTRO_LUET_VERSION --priority 1 -y && \ - luet repo update + ARG LUET_REPO=$LUET_PROJECT END + RUN mkdir -p /etc/luet/repos.conf.d && \ + SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \ + luet repo update + IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] ARG BASE_K8S_VERSION=$K8S_VERSION ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] @@ -813,9 +814,9 @@ base-image: END IF [ "$ARCH" = "arm64" ] - ARG LUET_REPO=luet-repo-arm + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - ARG LUET_REPO=luet-repo + ARG LUET_REPO=$LUET_PROJECT END RUN --no-cache mkdir -p /etc/luet/repos.conf.d && \ SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y 
From 561f3a370bd63711978369ff784777f24a6dc76d Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Fri, 9 Aug 2024 03:30:32 +0530 Subject: [PATCH 18/41] PE-4832: changing size to maxsize (#248) --- overlay/files/etc/logrotate.d/stylus.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf index 8553c0d..744ef7a 100644 --- a/overlay/files/etc/logrotate.d/stylus.conf +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -7,7 +7,7 @@ dateext dateformat -%d-%m-%Y extension .log - size 100M + maxsize 100M create 600 root root # to avoid 'writable by group or others' error su root root From fecb80259913a1a7bf4cbac6cf7a31e66606d880 Mon Sep 17 00:00:00 2001 From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com> Date: Fri, 9 Aug 2024 18:10:44 +0530 Subject: [PATCH 19/41] PE-4841 Add k3s 1.28.11 version (#249) --- Earthfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Earthfile b/Earthfile index 34378fb..8139862 100644 --- a/Earthfile +++ b/Earthfile @@ -206,6 +206,7 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.7 + BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.29.6 END From 295b1c817e68870ee42d78b7102145e98fca9bf2 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 11 Aug 2024 18:52:48 -0700 Subject: [PATCH 20/41] PE-4842 use etcdctl and luet from spectro third party image (#250) * use etcdctl and luet from spectro third party image Signed-off-by: Nianyu Shen * use fips ubuntu systemd image Signed-off-by: Nianyu Shen * use fips systemd image Signed-off-by: Nianyu Shen * use BASE_ALPINE Signed-off-by: Nianyu Shen --------- Signed-off-by: Nianyu Shen --- Earthfile | 59 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 17 deletions(-) 
diff --git a/Earthfile b/Earthfile index 8139862..1c3ea17 100644 --- a/Earthfile +++ b/Earthfile @@ -72,6 +72,7 @@ ARG EFI_IMG_SIZE=2200 # internal variables ARG GOLANG_VERSION=1.22 ARG DEBUG=false +ARG BUILDER_3RDPARTY_VERSION=4.5 IF [ "$OS_DISTRIBUTION" = "ubuntu" ] && [ "$BASE_IMAGE" = "" ] IF [ "$OS_VERSION" == 22 ] || [ "$OS_VERSION" == 20 ] @@ -97,10 +98,12 @@ IF [[ "$BASE_IMAGE" =~ "nvidia-jetson-agx-orin" ]] END IF [ "$FIPS_ENABLED" = "true" ] + ARG BIN_TYPE=vertex ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-fips-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-fips-linux-$ARCH:$PE_VERSION ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips-${TARGETARCH}:${PE_VERSION} ELSE + ARG BIN_TYPE=palette ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-linux-$ARCH:$PE_VERSION ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-${TARGETARCH}:${PE_VERSION} @@ -280,16 +283,10 @@ BASE_ALPINE: COMMAND IF [ ! -z $PROXY_CERT_PATH ] COPY sc.crt /etc/ssl/certs - RUN update-ca-certificates + RUN update-ca-certificates END RUN apk add curl -download-etcdctl: - DO +BASE_ALPINE - RUN curl --retry 5 -Ls $ETCD_REPO/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${TARGETARCH}.tar.gz | tar -xvzf - --strip-components=1 etcd-${ETCD_VERSION}-linux-${TARGETARCH}/etcdctl && \ - chmod +x etcdctl - SAVE ARTIFACT etcdctl - iso-image-rootfs: FROM --platform=linux/${ARCH} +iso-image SAVE ARTIFACT --keep-own /. rootfs @@ -308,7 +305,7 @@ uki-provider-image: IF [ -f /etc/logrotate.d/stylus.conf ] RUN chmod 644 /etc/logrotate.d/stylus.conf END - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot COPY --platform=linux/${ARCH} +install-k8s/ /k8s 
@@ -316,30 +313,26 @@ uki-provider-image: SAVE IMAGE --push $IMAGE_PATH trust-boot-unpack: - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY --platform=linux/${ARCH} +build-provider-trustedboot-image/ /image RUN FILE="file:/$(find /image -type f -name "*.tar" | head -n 1)" && \ luet util unpack $FILE /trusted-boot SAVE ARTIFACT /trusted-boot/* stylus-image-pack: - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY --platform=linux/${ARCH} +stylus-package-image/ /stylus RUN cd stylus && tar -czf ../stylus.tar * RUN luet util pack $STYLUS_BASE stylus.tar stylus-image.tar SAVE ARTIFACT stylus-image.tar AS LOCAL ./build/ -luet: - FROM --platform=linux/${ARCH} quay.io/luet/base:latest - SAVE ARTIFACT /usr/bin/luet /luet - kairos-agent: FROM --platform=linux/${ARCH} $BASE_IMAGE SAVE ARTIFACT /usr/bin/kairos-agent /kairos-agent install-k8s: FROM --platform=linux/${ARCH} $ALPINE_IMG - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] ARG BASE_K8S_VERSION=$K8S_VERSION @@ -631,7 +624,7 @@ provider-image: RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli - COPY (+download-etcdctl/etcdctl) /usr/bin/ + COPY (+third-party/etcdctl --binary=etcdctl) /usr/bin/ RUN touch /etc/machine-id \ && chmod 444 /etc/machine-id @@ -957,7 +950,12 @@ iso-efi-size-check: SAVE ARTIFACT efi-size-check.iso AS LOCAL ./build/ ubuntu-systemd: - FROM $SPECTRO_PUB_REPO/ubuntu-systemd:22.04 + IF [ "$FIPS_ENABLED" = "true" ] + ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd-fips:20.04 + ELSE + ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd:22.04 + END + FROM $SYSTEMD_IMAGE OS_RELEASE: COMMAND 
@@ -976,3 +974,30 @@ OS_RELEASE: # update OS-release file # RUN sed -i -n '/KAIROS_/!p' /etc/os-release RUN envsubst >>/etc/os-release Date: Mon, 12 Aug 2024 09:06:59 +0530 Subject: [PATCH 21/41] Update BUILDER_3RDPARTY_VERSION to 4.4 (#251) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 1c3ea17..817fe86 100644 --- a/Earthfile +++ b/Earthfile @@ -72,7 +72,7 @@ ARG EFI_IMG_SIZE=2200 # internal variables ARG GOLANG_VERSION=1.22 ARG DEBUG=false -ARG BUILDER_3RDPARTY_VERSION=4.5 +ARG BUILDER_3RDPARTY_VERSION=4.4 IF [ "$OS_DISTRIBUTION" = "ubuntu" ] && [ "$BASE_IMAGE" = "" ] IF [ "$OS_VERSION" == 22 ] || [ "$OS_VERSION" == 20 ] From e105dc1ea066d6142555b7912405c19e4a5f9a2b Mon Sep 17 00:00:00 2001 From: Santhosh Date: Wed, 14 Aug 2024 00:07:19 +0530 Subject: [PATCH 22/41] Update luet-repo-version (#253) --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index 817fe86..876de88 100644 --- a/Earthfile +++ b/Earthfile @@ -12,8 +12,8 @@ ARG LUET_PROJECT=luet-repo FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. -ARG PE_VERSION=v4.4.4 -ARG SPECTRO_LUET_VERSION=v1.3.3 +ARG PE_VERSION=v4.4.7 +ARG SPECTRO_LUET_VERSION=v1.3.4-alpha1 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 5f365a0dfe34925be03b35674778d6e00d3e18df Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Tue, 13 Aug 2024 21:58:05 -0700 Subject: [PATCH 23/41] fix luet copy in build-uki-iso (#254) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 876de88..b8d28fb 100644 --- a/Earthfile +++ b/Earthfile 
@@ -372,7 +372,7 @@ build-uki-iso: COPY overlay/files-iso/ /overlay/ COPY --if-exists +validate-user-data/user-data /overlay/config.yaml COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar - COPY --platform=linux/${ARCH} +luet/luet /overlay/luet + COPY --platform=linux/${ARCH} (+third-party/luet --binary=luet) /overlay/luet COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/ COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml From d2be48f382f2e76d34191df426f9eb47fbab60bc Mon Sep 17 00:00:00 2001 From: Santhosh Date: Fri, 16 Aug 2024 23:52:51 +0530 Subject: [PATCH 24/41] Update PE_VERSION to v4.4.8 (#256) * Update PE_VERSION to 4.4.8 * Update luet-repo version to v1.3.4 --- Earthfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index b8d28fb..cd349df 100644 --- a/Earthfile +++ b/Earthfile @@ -12,8 +12,8 @@ ARG LUET_PROJECT=luet-repo FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. -ARG PE_VERSION=v4.4.7 -ARG SPECTRO_LUET_VERSION=v1.3.4-alpha1 +ARG PE_VERSION=v4.4.8 +ARG SPECTRO_LUET_VERSION=v1.3.4 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From d54f9b543fd36d726360191efaaa2174f4c593d4 Mon Sep 17 00:00:00 2001 From: Kevin Reeuwijk Date: Mon, 19 Aug 2024 12:14:33 +0200 Subject: [PATCH 25/41] Adjust net.ipv4.conf.all.rp_filter for CNI compatibility (#257) Sets net.ipv4.conf.all.rp_filter=0 during CIS hardening to ensure CNIs don't break when `sysctl -p` is run at any point later on (such as Stylus Agent upgrades) --- cis-harden/harden.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh index 2e44318..bb04965 100755 --- a/cis-harden/harden.sh +++ b/cis-harden/harden.sh 
@@ -174,8 +174,11 @@ harden_sysctl() { update_config_files 'net.ipv4.icmp_echo_ignore_broadcasts' 'net.ipv4.icmp_echo_ignore_broadcasts=1' ${config_file} update_config_files 'net.ipv4.icmp_ignore_bogus_error_responses' 'net.ipv4.icmp_ignore_bogus_error_responses=1' ${config_file} - update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=1' ${config_file} - update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file} + + # CIS hardening requires "net.ipv4.conf.all.rp_filter=1" but this is incompatible with CNIs, hence we set this to 0 instead + update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=0' ${config_file} + + update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file} update_config_files 'net.ipv4.tcp_syncookies' 'net.ipv4.tcp_syncookies=1' ${config_file} update_config_files 'kernel.randomize_va_space' 'kernel.randomize_va_space=2' ${config_file} update_config_files 'fs.suid_dumpable' 'fs.suid_dumpable=0' ${config_file} @@ -930,4 +933,4 @@ cleanup_cache mv /etc/os-release.bak /etc/os-release -exit 0 \ No newline at end of file +exit 0 From ef3c2c618273896f4112d516df9f2ae690d5e538 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Tue, 20 Aug 2024 22:48:12 -0700 Subject: [PATCH 26/41] use spectro alpine instead of offical one (#259) --- Earthfile | 2 +- earthly.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Earthfile b/Earthfile index cd349df..caa3355 100644 --- a/Earthfile +++ b/Earthfile @@ -3,8 +3,8 @@ ARG TARGETOS ARG TARGETARCH # Default image repositories used in the builds. -ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.20.2 ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public +ARG ALPINE_IMG=$SPECTRO_PUB_REPO/alpine:3.20.2 ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public ARG ETCD_REPO=https://github.com/etcd-io 
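Review bot: In harden_sysctl the new comment explains why `net.ipv4.conf.all.rp_filter` becomes 0, but the following line still writes `net.ipv4.conf.default.rp_filter=1`. The kernel applies the higher of the `all` and per-interface values, so interfaces created after boot, CNI ones included, would presumably still get strict filtering. It is worth confirming on a node with the target CNI that a later `sysctl -p` leaves pod traffic working. The image now deliberately deviates from the CIS reverse-path-filtering setting, so I would extend the comment to record that and the compensating control, e.g. `# Deviation from CIS: rp_filter=0 on "all"; source validation relies on <compensating control>`. harden_sysctl's body starts and ends outside the hunk.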
diff --git a/earthly.sh b/earthly.sh index fcec591..ea0c323 100755 --- a/earthly.sh +++ b/earthly.sh @@ -61,7 +61,7 @@ PE_VERSION=$(git describe --abbrev=0 --tags) SPECTRO_PUB_REPO=gcr.io/spectro-images-public EARTHLY_VERSION=v0.8.5 source .arg - +ALPINE_IMG=$SPECTRO_PUB_REPO/alpine:3.20.2 ### Verify Depencies # Check if Docker is installed if command -v docker >/dev/null 2>&1; then @@ -70,7 +70,7 @@ else echo "Docker not found. Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker." fi # Check if the current user has permission to run privileged containers -if ! docker run --rm --privileged alpine sh -c 'echo "Privileged container test"' &>/dev/null; then +if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then echo "Privileged containers are not allowed for the current user." exit 1 fi @@ -91,7 +91,7 @@ if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = " docker stop earthly-buildkitd fi docker rmi $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null -docker rmi alpine:latest +docker rmi $ALPINE_IMG if [[ "$1" == "+uki-genkey" ]]; then ./keys.sh secure-boot/ From b9fb3337c78be9706bbc4aaad2d3abda7f3878c6 Mon Sep 17 00:00:00 2001 From: Kevin Reeuwijk Date: Wed, 28 Aug 2024 15:04:39 +0200 Subject: [PATCH 27/41] Postgresql fixes (#260) * Adjust PERL5LIB path so `psql` works interactively * Adjust `/lib/systemd/system/postgresql@.service` so postgresql waits for the network to be online, in order to prevent situations where it doesn't bind to the IP address on the NIC. --- Earthfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index caa3355..dfa3869 100644 --- a/Earthfile +++ b/Earthfile 
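Review bot: The privileged-container probe in the `@@ -70,7` hunk now runs `$ALPINE_IMG` unquoted and by mutable tag with all output sent to `/dev/null`, so a failed pull is reported as "Privileged containers are not allowed for the current user." Because `ALPINE_IMG` is derived from `SPECTRO_PUB_REPO` after `source .arg`, the image that receives `--privileged` is whatever that registry serves under the tag. Pinning it by digest (`ALPINE_IMG=$SPECTRO_PUB_REPO/alpine@sha256:<digest>`) and quoting it (`"$ALPINE_IMG"`) would make the probe reproducible. I would also pull first, `docker pull "$ALPINE_IMG" || { echo "cannot pull $ALPINE_IMG" >&2; exit 1; }`, so the two failures get different messages. The `docker rmi $ALPINE_IMG` line in the `@@ -91,7` hunk has the same unquoted expansion.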
@@ -649,7 +649,10 @@ provider-image: curl -L https://github.com/k3s-io/kine/releases/download/v${KINE_VERSION}/kine-amd64 | install -m 755 /dev/stdin /opt/spectrocloud/bin/kine # Ensure psql works ootb for the postgres user - RUN su postgres -c 'echo "export PERL5LIB=/usr/share/perl/5.34:/usr/share/perl5:/usr/lib/x86_64-linux-gnu/perl/5.34" > ~/.bash_profile' + RUN su postgres -c 'echo "export PERL5LIB=/usr/share/perl/5.34:/etc/perl:/usr/lib/x86_64-linux-gnu/perl5/5.34:/usr/share/perl5:/usr/lib/x86_64-linux-gnu/perl/5.34:/usr/lib/x86_64-linux-gnu/perl-base" > ~/.bash_profile' + + # Ensure psql waits for the network to be online + RUN sed -i 's/After=network.target/After=network-online.target/' /lib/systemd/system/postgresql@.service END SAVE IMAGE --push $IMAGE_PATH From f8eec860358ac29f40f6e50058b1c59f886e9905 Mon Sep 17 00:00:00 2001 From: Kevin Reeuwijk Date: Wed, 28 Aug 2024 23:05:46 +0200 Subject: [PATCH 28/41] Disable postgresql by default (#261) To ensure Stylus only starts at after reconfiguring it first --- Earthfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Earthfile b/Earthfile index dfa3869..7e73aa3 100644 --- a/Earthfile +++ b/Earthfile @@ -653,6 +653,9 @@ provider-image: # Ensure psql waits for the network to be online RUN sed -i 's/After=network.target/After=network-online.target/' /lib/systemd/system/postgresql@.service + + # Disable psql by default, Stylus will enable it when it needs it + RUN systemctl disable postgresql END SAVE IMAGE --push $IMAGE_PATH From b142f59092427fd00c9f0a6cffd3870738d7b512 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Sat, 31 Aug 2024 20:03:10 +0530 Subject: [PATCH 29/41] PAC-1983 new version of k8s 44c (#262) --- Earthfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Earthfile b/Earthfile index 7e73aa3..0e54bd2 100644 --- a/Earthfile +++ b/Earthfile 
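Review bot: The `sed` that turns `After=network.target` into `After=network-online.target` only orders the unit. systemd does not pull `network-online.target` into the boot transaction unless something also declares `Wants=network-online.target`, so postgresql can still start before the address is configured. The edit is also made in the packaged unit under `/lib/systemd/system`, which a package upgrade would presumably overwrite, and `sed` exits 0 when the pattern is absent. A drop-in at `/etc/systemd/system/postgresql@.service.d/network-online.conf` holding `[Unit]`, `After=network-online.target` and `Wants=network-online.target` avoids both problems. The `provider-image` target starts and ends outside the hunk.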
@@ -212,6 +212,9 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.28.13 + BUILD +$TARGET --K8S_VERSION=1.29.8 + BUILD +$TARGET --K8S_VERSION=1.30.4 END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" @@ -238,6 +241,9 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 BUILD +provider-image --K8S_VERSION=1.29.7 + BUILD +provider-image --K8S_VERSION=1.28.13 + BUILD +provider-image --K8S_VERSION=1.29.8 + BUILD +provider-image --K8S_VERSION=1.30.4 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 @@ -258,6 +264,9 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.3 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.28.12 + BUILD +provider-image --K8S_VERSION=1.29.7 + BUILD +provider-image --K8S_VERSION=1.30.3 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.2 @@ -274,6 +283,9 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.2 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.28.13 + BUILD +provider-image --K8S_VERSION=1.29.8 + BUILD +provider-image --K8S_VERSION=1.30.4 END ELSE BUILD +provider-image --K8S_VERSION="$K8S_VERSION" From 7477bc5127a9c95aa07c365f44acbf21972212e3 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Sat, 31 Aug 2024 20:04:32 +0530 Subject: [PATCH 30/41] Revert "PAC-1983 new version of k8s 44c (#262)" (#263) This reverts commit b142f59092427fd00c9f0a6cffd3870738d7b512. --- Earthfile | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/Earthfile b/Earthfile index 0e54bd2..7e73aa3 100644 --- a/Earthfile +++ b/Earthfile 
@@ -212,9 +212,6 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.29.6 - BUILD +$TARGET --K8S_VERSION=1.28.13 - BUILD +$TARGET --K8S_VERSION=1.29.8 - BUILD +$TARGET --K8S_VERSION=1.30.4 END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" @@ -241,9 +238,6 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 BUILD +provider-image --K8S_VERSION=1.29.7 - BUILD +provider-image --K8S_VERSION=1.28.13 - BUILD +provider-image --K8S_VERSION=1.29.8 - BUILD +provider-image --K8S_VERSION=1.30.4 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 @@ -264,9 +258,6 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.3 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 - BUILD +provider-image --K8S_VERSION=1.28.12 - BUILD +provider-image --K8S_VERSION=1.29.7 - BUILD +provider-image --K8S_VERSION=1.30.3 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.2 @@ -283,9 +274,6 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.2 BUILD +provider-image --K8S_VERSION=1.29.6 - BUILD +provider-image --K8S_VERSION=1.28.13 - BUILD +provider-image --K8S_VERSION=1.29.8 - BUILD +provider-image --K8S_VERSION=1.30.4 END ELSE BUILD +provider-image --K8S_VERSION="$K8S_VERSION" From 5e7f3e333cd3725ce652833563982476ff42a2c2 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Sat, 31 Aug 2024 22:47:18 +0530 Subject: [PATCH 31/41] Update luet release version (#264) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 7e73aa3..131381d 100644 --- a/Earthfile +++ b/Earthfile 
@@ -13,7 +13,7 @@ FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 -ARG SPECTRO_LUET_VERSION=v1.3.4 +ARG SPECTRO_LUET_VERSION=v1.3.5-alpha1 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 636c039a2eb6b17f5800efe89dfefa4e24dd478e Mon Sep 17 00:00:00 2001 From: Medhakulam <30567613+Medhakulam@users.noreply.github.com> Date: Tue, 3 Sep 2024 19:39:31 +0530 Subject: [PATCH 32/41] PE-4944 add rc-44c k8s versions (#267) --- Earthfile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Earthfile b/Earthfile index 131381d..1197776 100644 --- a/Earthfile +++ b/Earthfile @@ -161,9 +161,12 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.28.12 + BUILD +$TARGET --K8S_VERSION=1.28.13 BUILD +$TARGET --K8S_VERSION=1.29.0 BUILD +$TARGET --K8S_VERSION=1.29.6 BUILD +$TARGET --K8S_VERSION=1.29.7 + BUILD +$TARGET --K8S_VERSION=1.29.8 + BUILD +$TARGET --K8S_VERSION=1.30.4 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -189,10 +192,13 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.10 BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.28.12 BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.29.4 BUILD +$TARGET --K8S_VERSION=1.29.5 BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.29.7 + BUILD +$TARGET --K8S_VERSION=1.30.3 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 
@@ -210,8 +216,11 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.7 BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.28.13 BUILD +$TARGET --K8S_VERSION=1.29.2 BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.29.8 + BUILD +$TARGET --K8S_VERSION=1.30.4 END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" @@ -234,10 +243,13 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.28.12 + BUILD +provider-image --K8S_VERSION=1.28.13 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 BUILD +provider-image --K8S_VERSION=1.29.7 + BUILD +provider-image --K8S_VERSION=1.29.8 + BUILD +provider-image --K8S_VERSION=1.30.4 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 @@ -254,10 +266,13 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.28.7 BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.28.11 + BUILD +provider-image --K8S_VERSION=1.28.12 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.3 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.29.7 + BUILD +provider-image --K8S_VERSION=1.30.4 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.2 @@ -274,6 +289,9 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.2 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.28.13 + BUILD +provider-image --K8S_VERSION=1.29.8 + BUILD +provider-image --K8S_VERSION=1.30.4 END ELSE BUILD +provider-image --K8S_VERSION="$K8S_VERSION" 
From 30e1bb7ddc7d4f3f86c84262fec2d1c449631b4b Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Tue, 3 Sep 2024 11:10:03 -0700 Subject: [PATCH 33/41] PE-4942 define k8s version json (#266) * define k8s version json Signed-off-by: Nianyu Shen * add K8S_DISTRIBUTION check Signed-off-by: Nianyu Shen * fix merge Signed-off-by: Nianyu Shen --------- Signed-off-by: Nianyu Shen --- Earthfile | 188 ++++++++--------------------------------------- k8s_version.json | 106 ++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 157 deletions(-) create mode 100644 k8s_version.json diff --git a/Earthfile b/Earthfile index 1197776..0703804 100644 --- a/Earthfile +++ b/Earthfile @@ -4,12 +4,13 @@ ARG TARGETARCH # Default image repositories used in the builds. ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public -ARG ALPINE_IMG=$SPECTRO_PUB_REPO/alpine:3.20.2 ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public ARG ETCD_REPO=https://github.com/etcd-io ARG LUET_PROJECT=luet-repo -FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 +ARG ALPINE_TAG=3.20 +ARG ALPINE_IMG=$SPECTRO_PUB_REPO/canvos/alpine:$ALPINE_TAG +FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 @@ -118,6 +119,16 @@ END ARG IMAGE_PATH=$IMAGE_REGISTRY/$IMAGE_REPO:$K8S_DISTRIBUTION-$K8S_VERSION-$IMAGE_TAG ARG CMDLINE="stylus.registration" +alpine-all: + BUILD --platform=linux/amd64 --platform=linux/arm64 +alpine + +alpine: + FROM alpine:$ALPINE_TAG + RUN apk add --no-cache bash curl jq ca-certificates upx + RUN update-ca-certificates + + SAVE IMAGE --push gcr.io/spectro-dev-public/canvos/alpine:$ALPINE_TAG + build-all-images: IF $FIPS_ENABLED BUILD +build-provider-images-fips 
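Review bot: The new `alpine` target produces the base for every later `FROM $ALPINE_IMG` from `alpine:$ALPINE_TAG`, a floating minor tag, and installs unpinned packages, so the root image of the whole build can change without any change in this repository. Pinning the upstream by digest, `FROM alpine:$ALPINE_TAG@sha256:<digest>`, would make a rebuilt base reviewable. The target also pushes to `gcr.io/spectro-dev-public/canvos/alpine` while `ALPINE_IMG` reads `$SPECTRO_PUB_REPO/canvos/alpine`. If promotion between the two registries happens outside this file, a comment above `SAVE IMAGE --push` should say so, e.g. `# promoted to $SPECTRO_PUB_REPO by <process>`.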
@@ -133,170 +144,33 @@ build-all-images: END build-provider-images: + FROM $ALPINE_IMG + + IF [ !-n "$K8S_DISTRIBUTION"] + RUN echo "K8S_DISTRIBUTION is not set. Please set K8S_DISTRIBUTION to kubeadm, kubeadm-fips, k3s, or rke2." && exit 1 + END + IF [ "$IS_UKI" = "true" ] ARG TARGET=uki-provider-image ELSE ARG TARGET=provider-image END - IF [ "$K8S_VERSION" = "" ] - IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] - BUILD +$TARGET --K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.26.15 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.27.9 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.15 - BUILD +$TARGET --K8S_VERSION=1.27.16 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.5 - BUILD +$TARGET --K8S_VERSION=1.28.9 - BUILD +$TARGET --K8S_VERSION=1.28.11 - BUILD +$TARGET --K8S_VERSION=1.28.12 - BUILD +$TARGET --K8S_VERSION=1.28.13 - BUILD +$TARGET --K8S_VERSION=1.29.0 - BUILD +$TARGET --K8S_VERSION=1.29.6 - BUILD +$TARGET --K8S_VERSION=1.29.7 - BUILD +$TARGET --K8S_VERSION=1.29.8 - BUILD +$TARGET --K8S_VERSION=1.30.4 - ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] - BUILD +$TARGET --K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.26.15 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD 
+$TARGET --K8S_VERSION=1.27.9 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.13 - BUILD +$TARGET --K8S_VERSION=1.27.14 - BUILD +$TARGET --K8S_VERSION=1.27.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.5 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.28.9 - BUILD +$TARGET --K8S_VERSION=1.28.10 - BUILD +$TARGET --K8S_VERSION=1.28.11 - BUILD +$TARGET --K8S_VERSION=1.28.12 - BUILD +$TARGET --K8S_VERSION=1.29.3 - BUILD +$TARGET --K8S_VERSION=1.29.4 - BUILD +$TARGET --K8S_VERSION=1.29.5 - BUILD +$TARGET --K8S_VERSION=1.29.6 - BUILD +$TARGET --K8S_VERSION=1.29.7 - BUILD +$TARGET --K8S_VERSION=1.30.3 - ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] - BUILD +$TARGET --K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.28.11 - BUILD +$TARGET --K8S_VERSION=1.28.13 - BUILD +$TARGET --K8S_VERSION=1.29.2 - BUILD +$TARGET --K8S_VERSION=1.29.6 - BUILD +$TARGET --K8S_VERSION=1.29.8 - BUILD +$TARGET --K8S_VERSION=1.30.4 - END - ELSE - BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" - END -build-provider-images-fips: IF [ "$K8S_VERSION" = "" ] - IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] - BUILD +provider-image --K8S_VERSION=1.24.13 - BUILD +provider-image --K8S_VERSION=1.25.9 - BUILD +provider-image --K8S_VERSION=1.26.4 - BUILD +provider-image --K8S_VERSION=1.26.12 - BUILD +provider-image --K8S_VERSION=1.26.15 - BUILD +provider-image --K8S_VERSION=1.27.2 - BUILD +provider-image 
--K8S_VERSION=1.27.9 - BUILD +provider-image --K8S_VERSION=1.27.14 - BUILD +provider-image --K8S_VERSION=1.27.15 - BUILD +provider-image --K8S_VERSION=1.27.16 - BUILD +provider-image --K8S_VERSION=1.28.5 - BUILD +provider-image --K8S_VERSION=1.28.10 - BUILD +provider-image --K8S_VERSION=1.28.11 - BUILD +provider-image --K8S_VERSION=1.28.12 - BUILD +provider-image --K8S_VERSION=1.28.13 - BUILD +provider-image --K8S_VERSION=1.29.0 - BUILD +provider-image --K8S_VERSION=1.29.5 - BUILD +provider-image --K8S_VERSION=1.29.6 - BUILD +provider-image --K8S_VERSION=1.29.7 - BUILD +provider-image --K8S_VERSION=1.29.8 - BUILD +provider-image --K8S_VERSION=1.30.4 - ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] - BUILD +provider-image --K8S_VERSION=1.24.6 - BUILD +provider-image --K8S_VERSION=1.25.0 - BUILD +provider-image --K8S_VERSION=1.25.2 - BUILD +provider-image --K8S_VERSION=1.26.4 - BUILD +provider-image --K8S_VERSION=1.26.12 - BUILD +provider-image --K8S_VERSION=1.26.14 - BUILD +provider-image --K8S_VERSION=1.27.2 - BUILD +provider-image --K8S_VERSION=1.27.9 - BUILD +provider-image --K8S_VERSION=1.27.11 - BUILD +provider-image --K8S_VERSION=1.27.14 - BUILD +provider-image --K8S_VERSION=1.27.15 - BUILD +provider-image --K8S_VERSION=1.28.5 - BUILD +provider-image --K8S_VERSION=1.28.7 - BUILD +provider-image --K8S_VERSION=1.28.10 - BUILD +provider-image --K8S_VERSION=1.28.11 - BUILD +provider-image --K8S_VERSION=1.28.12 - BUILD +provider-image --K8S_VERSION=1.29.0 - BUILD +provider-image --K8S_VERSION=1.29.3 - BUILD +provider-image --K8S_VERSION=1.29.5 - BUILD +provider-image --K8S_VERSION=1.29.6 - BUILD +provider-image --K8S_VERSION=1.29.7 - BUILD +provider-image --K8S_VERSION=1.30.4 - ELSE - BUILD +provider-image --K8S_VERSION=1.24.6 - BUILD +provider-image --K8S_VERSION=1.25.2 - BUILD +provider-image --K8S_VERSION=1.26.4 - BUILD +provider-image --K8S_VERSION=1.26.12 - BUILD +provider-image --K8S_VERSION=1.26.14 - BUILD +provider-image --K8S_VERSION=1.27.2 - BUILD 
+provider-image --K8S_VERSION=1.27.9 - BUILD +provider-image --K8S_VERSION=1.27.11 - BUILD +provider-image --K8S_VERSION=1.27.15 - BUILD +provider-image --K8S_VERSION=1.28.5 - BUILD +provider-image --K8S_VERSION=1.28.7 - BUILD +provider-image --K8S_VERSION=1.28.11 - BUILD +provider-image --K8S_VERSION=1.29.0 - BUILD +provider-image --K8S_VERSION=1.29.2 - BUILD +provider-image --K8S_VERSION=1.29.6 - BUILD +provider-image --K8S_VERSION=1.28.13 - BUILD +provider-image --K8S_VERSION=1.29.8 - BUILD +provider-image --K8S_VERSION=1.30.4 + WORKDIR /workdir + COPY k8s_version.json k8s_version.json + ENV K8S_DISTRIBUTION=$K8S_DISTRIBUTION + RUN jq -r ".$K8S_DISTRIBUTION[]" k8s_version.json > k8s_version.txt + FOR version IN $(cat k8s_version.txt) + BUILD +$TARGET --K8S_VERSION=$version END ELSE - BUILD +provider-image --K8S_VERSION="$K8S_VERSION" + BUILD +$TARGET --K8S_VERSION=$K8S_VERSION END +build-provider-images-fips: + BUILD +build-provider-images + BASE_ALPINE: COMMAND IF [ ! -z $PROXY_CERT_PATH ] @@ -534,6 +408,7 @@ uki-genkey: END download-sbctl: + FROM $ALPINE_IMG DO +BASE_ALPINE RUN curl -Ls https://github.com/Foxboron/sbctl/releases/download/0.13/sbctl-0.13-linux-amd64.tar.gz | tar -xvzf - && mv sbctl/sbctl /usr/bin/sbctl SAVE ARTIFACT /usr/bin/sbctl @@ -1008,9 +883,8 @@ download-third-party: SAVE ARTIFACT /binaries/${binary}/latest/$BIN_TYPE/$TARGETARCH/${binary}.version ${binary}.version third-party: - DO +BASE_ALPINE + FROM $ALPINE_IMG ARG binary - RUN apk add upx WORKDIR /WORKDIR COPY (+download-third-party/${binary} --binary=${binary}) /WORKDIR/${binary} diff --git a/k8s_version.json b/k8s_version.json new file mode 100644 index 0000000..9893ea3 --- /dev/null +++ b/k8s_version.json 
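Review bot: The guard `IF [ !-n "$K8S_DISTRIBUTION"]` at the top of `build-provider-images` works only by accident. With an empty variable the words collapse to `[ !-n ]`, a one-argument test that is true; with a value set, `[` fails for lack of a separate closing `]`, which presumably reads as false but prints an error on every build. It should be `IF [ -z "$K8S_DISTRIBUTION" ]`. Separately, `build-provider-images-fips` now only forwards to `build-provider-images`, so the FIPS `rke2` and fallback version lists removed in this hunk have no counterpart in `k8s_version.json`; worth confirming that is intended.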
@@ -0,0 +1,106 @@ +{ + "k3s": [ + "1.24.6", + "1.25.2", + "1.26.4", + "1.26.12", + "1.26.14", + "1.27.2", + "1.27.9", + "1.27.11", + "1.27.15", + "1.28.5", + "1.28.7", + "1.28.11", + "1.28.13", + "1.29.0", + "1.29.2", + "1.29.6", + "1.29.8", + "1.30.4" + ], + "kubeadm": [ + "1.24.6", + "1.25.2", + "1.25.13", + "1.25.15", + "1.26.4", + "1.26.8", + "1.26.10", + "1.26.12", + "1.26.15", + "1.27.2", + "1.27.5", + "1.27.7", + "1.27.9", + "1.27.11", + "1.27.15", + "1.27.16", + "1.28.2", + "1.28.5", + "1.28.9", + "1.28.11", + "1.28.12", + "1.28.13", + "1.29.0", + "1.29.6", + "1.29.7", + "1.29.8", + "1.30.4" + ], + "rke2": [ + "1.24.6", + "1.25.2", + "1.25.13", + "1.26.4", + "1.26.8", + "1.26.10", + "1.26.12", + "1.26.14", + "1.26.15", + "1.27.2", + "1.27.5", + "1.27.7", + "1.27.9", + "1.27.11", + "1.27.13", + "1.27.14", + "1.27.15", + "1.28.2", + "1.28.5", + "1.28.7", + "1.28.9", + "1.28.10", + "1.28.11", + "1.28.12", + "1.29.3", + "1.29.4", + "1.29.5", + "1.29.6", + "1.29.7", + "1.30.3" + ], + "kubeadm-fips": [ + "1.24.13", + "1.25.9", + "1.26.4", + "1.26.12", + "1.26.15", + "1.27.2", + "1.27.9", + "1.27.14", + "1.27.15", + "1.27.16", + "1.28.5", + "1.28.10", + "1.28.11", + "1.28.12", + "1.28.13", + "1.29.0", + "1.29.5", + "1.29.6", + "1.29.7", + "1.29.8", + "1.30.4" + ] +} From 81a3b8d3581fa4337f019201ca3952651c87dc78 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Wed, 4 Sep 2024 16:33:57 +0530 Subject: [PATCH 34/41] Update luet-repo version (#268) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 0703804..a815d0b 100644 --- a/Earthfile +++ b/Earthfile @@ -14,7 +14,7 @@ FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 -ARG SPECTRO_LUET_VERSION=v1.3.5-alpha1 +ARG SPECTRO_LUET_VERSION=v1.3.5-alpha2 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 42617694413315a3050ef2c8af0ed4ad844d5a27 Mon Sep 17 00:00:00 2001 
From: Santhosh Date: Thu, 5 Sep 2024 14:26:50 +0530 Subject: [PATCH 35/41] Update luet version (#269) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index a815d0b..5967f7a 100644 --- a/Earthfile +++ b/Earthfile @@ -14,7 +14,7 @@ FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 -ARG SPECTRO_LUET_VERSION=v1.3.5-alpha2 +ARG SPECTRO_LUET_VERSION=v1.3.5 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 5fff96c1208f3aac055b8bcb073111f4071a9728 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Thu, 5 Sep 2024 12:25:52 -0700 Subject: [PATCH 36/41] fix kubeadm-fips (#270) Signed-off-by: Nianyu Shen --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 5967f7a..ba3dd78 100644 --- a/Earthfile +++ b/Earthfile @@ -160,7 +160,7 @@ build-provider-images: WORKDIR /workdir COPY k8s_version.json k8s_version.json ENV K8S_DISTRIBUTION=$K8S_DISTRIBUTION - RUN jq -r ".$K8S_DISTRIBUTION[]" k8s_version.json > k8s_version.txt + RUN jq -r --arg key "$K8S_DISTRIBUTION" 'if .[$key] then .[$key][] else empty end' k8s_version.json > k8s_version.txt FOR version IN $(cat k8s_version.txt) BUILD +$TARGET --K8S_VERSION=$version END From 23b80331a92aeb8461a299412ec6443fca4e2f86 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Thu, 5 Sep 2024 14:46:41 -0700 Subject: [PATCH 37/41] add os version json (#271) Signed-off-by: Nianyu Shen --- os_version.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 os_version.json diff --git a/os_version.json b/os_version.json new file mode 100644 index 0000000..ffd3abf --- /dev/null +++ b/os_version.json @@ -0,0 +1,4 @@ +{ + "ubuntu": ["22.04", "20.04"], + "opensuse-leap": ["15.5"] +} From 4f39ce5facc1d3e43e15cd0a001d6a9dcf700448 Mon Sep 17 00:00:00 2001 
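Review bot: With the new filter, a `K8S_DISTRIBUTION` that has no key in `k8s_version.json` yields `empty`, so `k8s_version.txt` is empty, the `FOR` loop runs zero times and the target succeeds without building anything. A typo in the distribution name would then look like a successful build with no images pushed. I would make the lookup fail instead, e.g. `jq -r --arg key "$K8S_DISTRIBUTION" '.[$key] // error("no versions for " + $key) | .[]' k8s_version.json`. The `build-provider-images` target starts and ends outside the hunk.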
From: Nianyu Shen Date: Thu, 5 Sep 2024 22:58:43 -0700 Subject: [PATCH 38/41] use ubuntu image instead of ubuntu-systemd (#272) --- Earthfile | 14 +++++++------- earthly.sh | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Earthfile b/Earthfile index ba3dd78..fed7d50 100644 --- a/Earthfile +++ b/Earthfile @@ -189,7 +189,7 @@ uki-iso: SAVE ARTIFACT /build/* AS LOCAL ./build/ uki-provider-image: - FROM --platform=linux/${ARCH} +ubuntu-systemd + FROM --platform=linux/${ARCH} +ubuntu RUN apt-get update && apt-get install -y rsync WORKDIR / @@ -414,7 +414,7 @@ download-sbctl: SAVE ARTIFACT /usr/bin/sbctl uki-byok: - FROM +ubuntu-systemd + FROM +ubuntu RUN apt-get update && apt-get install -y efitools curl COPY +download-sbctl/sbctl /usr/bin/sbctl @@ -826,7 +826,7 @@ build-efi-size-check: SAVE ARTIFACT target/x86_64-unknown-uefi/debug/efi-size-check.efi iso-efi-size-check: - FROM +ubuntu-systemd + FROM +ubuntu RUN apt-get update RUN apt-get install -y mtools xorriso @@ -848,13 +848,13 @@ iso-efi-size-check: SAVE ARTIFACT efi-size-check.iso AS LOCAL ./build/ -ubuntu-systemd: +ubuntu: IF [ "$FIPS_ENABLED" = "true" ] - ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd-fips:20.04 + ARG UBUNTU_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-fips:22.04 ELSE - ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd:22.04 + ARG UBUNTU_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu:22.04 END - FROM $SYSTEMD_IMAGE + FROM $UBUNTU_IMAGE OS_RELEASE: COMMAND diff --git a/earthly.sh b/earthly.sh index ea0c323..a9ff8a2 100755 --- a/earthly.sh +++ b/earthly.sh @@ -61,7 +61,7 @@ PE_VERSION=$(git describe --abbrev=0 --tags) SPECTRO_PUB_REPO=gcr.io/spectro-images-public EARTHLY_VERSION=v0.8.5 source .arg -ALPINE_IMG=$SPECTRO_PUB_REPO/alpine:3.20.2 +ALPINE_IMG=$SPECTRO_PUB_REPO/canvos/alpine:3.20 ### Verify Depencies # Check if Docker is installed if command -v docker >/dev/null 2>&1; then From 16832b75746e5f929e85b697062a42c51e14d0bc Mon Sep 17 00:00:00 2001 
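Review bot: In the renamed `ubuntu` target the FIPS branch changes more than the name: it moves from `ubuntu-systemd-fips:20.04` to `ubuntu-fips:22.04`, a release bump the commit title does not mention. `uki-provider-image`, `uki-byok` and `iso-efi-size-check` all build from this target, so with `FIPS_ENABLED=true` they now get a different OS release and, presumably, a different set of FIPS packages. A comment on the `UBUNTU_IMAGE` ARG stating which release the FIPS image is expected to track would make the intent checkable, e.g. `# FIPS base tracks the 22.04 image; confirm module validation status before bumping`.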
From: Santhosh Date: Sat, 7 Sep 2024 00:57:38 +0530 Subject: [PATCH 39/41] Update luet repo version (#273) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index fed7d50..c5ff469 100644 --- a/Earthfile +++ b/Earthfile @@ -14,7 +14,7 @@ FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 -ARG SPECTRO_LUET_VERSION=v1.3.5 +ARG SPECTRO_LUET_VERSION=v1.3.6 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 92f348ba6d21ef0025677d299dc0d1798d708e85 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Wed, 11 Sep 2024 22:58:32 +0530 Subject: [PATCH 40/41] Update luet-repo version (#274) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index c5ff469..36465bf 100644 --- a/Earthfile +++ b/Earthfile @@ -14,7 +14,7 @@ FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.8 -ARG SPECTRO_LUET_VERSION=v1.3.6 +ARG SPECTRO_LUET_VERSION=v1.3.7 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From 9ed2b036aabf8e55cdd5299eb23ed9d2a2cceb89 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Fri, 13 Sep 2024 11:50:35 +0530 Subject: [PATCH 41/41] Update Earthfile - PE_VERSION to 4.4.12 (#275) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 36465bf..675f633 100644 --- a/Earthfile +++ b/Earthfile @@ -13,7 +13,7 @@ ARG ALPINE_IMG=$SPECTRO_PUB_REPO/canvos/alpine:$ALPINE_TAG FROM $ALPINE_IMG # Spectro Cloud and Kairos tags. -ARG PE_VERSION=v4.4.8 +ARG PE_VERSION=v4.4.12 ARG SPECTRO_LUET_VERSION=v1.3.7 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1