diff --git a/Earthfile b/Earthfile index f011db7..90f01e6 100644 --- a/Earthfile +++ b/Earthfile @@ -3,16 +3,17 @@ ARG TARGETOS ARG TARGETARCH # Default image repositories used in the builds. -ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.16.2 +ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.20.2 ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public ARG ETCD_REPO=https://github.com/etcd-io +ARG LUET_PROJECT=luet-repo FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. -ARG PE_VERSION=v4.4.4 -ARG SPECTRO_LUET_VERSION=v1.3.2 +ARG PE_VERSION=v4.4.7 +ARG SPECTRO_LUET_VERSION=v1.3.4-alpha1 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 @@ -22,6 +23,7 @@ ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION ARG K3S_PROVIDER_VERSION=v4.4.2 ARG KUBEADM_PROVIDER_VERSION=v4.4.1 ARG RKE2_PROVIDER_VERSION=v4.4.1 +ARG NODEADM_PROVIDER_VERSION=latest # Variables used in the builds. Update for ADVANCED use cases only. Modify in .arg file or via CLI arguments. ARG OS_DISTRIBUTION @@ -71,6 +73,7 @@ ARG EFI_IMG_SIZE=2200 # internal variables ARG GOLANG_VERSION=1.22 ARG DEBUG=false +ARG BUILDER_3RDPARTY_VERSION=4.4 IF [ "$OS_DISTRIBUTION" = "ubuntu" ] && [ "$BASE_IMAGE" = "" ] IF [ "$OS_VERSION" == 22 ] || [ "$OS_VERSION" == 20 ] 
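Review bot: `ARG NODEADM_PROVIDER_VERSION=latest` in the @@ -22,6 hunk is the only provider version in this block that floats, so two builds of the same commit can yield different nodeadm provider images and a shipped tag cannot be traced back to a release; pin it the way `K3S_PROVIDER_VERSION`/`RKE2_PROVIDER_VERSION` are pinned (`ARG NODEADM_PROVIDER_VERSION=<pinned tag>`). In the same spirit, `SPECTRO_LUET_VERSION=v1.3.4-alpha1` moves the luet repository default onto a pre-release; if that is intended for this branch, a comment next to it saying so would stop it being "corrected" later. `BUILDER_3RDPARTY_VERSION=4.4` in the @@ -71,6 hunk is not read by any line shown here, presumably by the `+third-party` target elsewhere in the file; a one-line comment naming its consumer would help the next reader.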
@@ -120,10 +123,12 @@ IF [[ "$BASE_IMAGE" =~ "nvidia-jetson-agx-orin" ]] END IF [ "$FIPS_ENABLED" = "true" ] + ARG BIN_TYPE=vertex ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-fips-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-fips-linux-$ARCH:$PE_VERSION ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips-${TARGETARCH}:${PE_VERSION} ELSE + ARG BIN_TYPE=palette ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-linux-$ARCH:$PE_VERSION ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-linux-$ARCH:$PE_VERSION ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-${TARGETARCH}:${PE_VERSION} 
@@ -160,72 +165,81 @@ build-provider-images: END IF [ "$K8S_VERSION" = "" ] IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] - BUILD +$TARGET --K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.26.15 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.27.9 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.5 - BUILD +$TARGET --K8S_VERSION=1.28.9 - BUILD +$TARGET --K8S_VERSION=1.28.11 - BUILD +$TARGET --K8S_VERSION=1.29.0 - BUILD +$TARGET --K8S_VERSION=1.29.6 - ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] - BUILD +$TARGET --K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.12 - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.26.15 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.27.9 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.13 - BUILD +$TARGET --K8S_VERSION=1.27.14 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.5 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.28.9 - BUILD +$TARGET --K8S_VERSION=1.28.10 - BUILD +$TARGET --K8S_VERSION=1.29.3 - BUILD +$TARGET --K8S_VERSION=1.29.4 - BUILD +$TARGET --K8S_VERSION=1.29.5 - ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] - BUILD +$TARGET 
--K8S_VERSION=1.24.6 - BUILD +$TARGET --K8S_VERSION=1.25.2 - BUILD +$TARGET --K8S_VERSION=1.25.13 - BUILD +$TARGET --K8S_VERSION=1.25.15 - BUILD +$TARGET --K8S_VERSION=1.26.4 - BUILD +$TARGET --K8S_VERSION=1.26.8 - BUILD +$TARGET --K8S_VERSION=1.26.10 - BUILD +$TARGET --K8S_VERSION=1.26.14 - BUILD +$TARGET --K8S_VERSION=1.27.2 - BUILD +$TARGET --K8S_VERSION=1.27.5 - BUILD +$TARGET --K8S_VERSION=1.27.7 - BUILD +$TARGET --K8S_VERSION=1.27.11 - BUILD +$TARGET --K8S_VERSION=1.27.15 - BUILD +$TARGET --K8S_VERSION=1.28.2 - BUILD +$TARGET --K8S_VERSION=1.28.7 - BUILD +$TARGET --K8S_VERSION=1.29.2 - BUILD +$TARGET --K8S_VERSION=1.29.6 - END + BUILD +$TARGET --K8S_VERSION=1.24.6 + BUILD +$TARGET --K8S_VERSION=1.25.2 + BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 + BUILD +$TARGET --K8S_VERSION=1.26.8 + BUILD +$TARGET --K8S_VERSION=1.26.10 + BUILD +$TARGET --K8S_VERSION=1.26.12 + BUILD +$TARGET --K8S_VERSION=1.26.15 + BUILD +$TARGET --K8S_VERSION=1.27.2 + BUILD +$TARGET --K8S_VERSION=1.27.5 + BUILD +$TARGET --K8S_VERSION=1.27.7 + BUILD +$TARGET --K8S_VERSION=1.27.9 + BUILD +$TARGET --K8S_VERSION=1.27.11 + BUILD +$TARGET --K8S_VERSION=1.27.15 + BUILD +$TARGET --K8S_VERSION=1.27.16 + BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.5 + BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.28.12 + BUILD +$TARGET --K8S_VERSION=1.29.0 + BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.29.7 + ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] + BUILD +$TARGET --K8S_VERSION=1.24.6 + BUILD +$TARGET --K8S_VERSION=1.25.2 + BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 + BUILD +$TARGET --K8S_VERSION=1.26.8 + BUILD +$TARGET --K8S_VERSION=1.26.10 + BUILD +$TARGET --K8S_VERSION=1.26.12 + BUILD +$TARGET --K8S_VERSION=1.26.14 + BUILD +$TARGET --K8S_VERSION=1.26.15 + BUILD 
+$TARGET --K8S_VERSION=1.27.2 + BUILD +$TARGET --K8S_VERSION=1.27.5 + BUILD +$TARGET --K8S_VERSION=1.27.7 + BUILD +$TARGET --K8S_VERSION=1.27.9 + BUILD +$TARGET --K8S_VERSION=1.27.11 + BUILD +$TARGET --K8S_VERSION=1.27.13 + BUILD +$TARGET --K8S_VERSION=1.27.14 + BUILD +$TARGET --K8S_VERSION=1.27.15 + BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.5 + BUILD +$TARGET --K8S_VERSION=1.28.7 + BUILD +$TARGET --K8S_VERSION=1.28.9 + BUILD +$TARGET --K8S_VERSION=1.28.10 + BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.29.3 + BUILD +$TARGET --K8S_VERSION=1.29.4 + BUILD +$TARGET --K8S_VERSION=1.29.5 + BUILD +$TARGET --K8S_VERSION=1.29.6 + ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] + BUILD +$TARGET --K8S_VERSION=1.24.6 + BUILD +$TARGET --K8S_VERSION=1.25.2 + BUILD +$TARGET --K8S_VERSION=1.25.13 + BUILD +$TARGET --K8S_VERSION=1.25.15 + BUILD +$TARGET --K8S_VERSION=1.26.4 + BUILD +$TARGET --K8S_VERSION=1.26.8 + BUILD +$TARGET --K8S_VERSION=1.26.10 + BUILD +$TARGET --K8S_VERSION=1.26.14 + BUILD +$TARGET --K8S_VERSION=1.27.2 + BUILD +$TARGET --K8S_VERSION=1.27.5 + BUILD +$TARGET --K8S_VERSION=1.27.7 + BUILD +$TARGET --K8S_VERSION=1.27.11 + BUILD +$TARGET --K8S_VERSION=1.27.15 + BUILD +$TARGET --K8S_VERSION=1.28.2 + BUILD +$TARGET --K8S_VERSION=1.28.7 + BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.29.2 + BUILD +$TARGET --K8S_VERSION=1.29.6 + ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ] + BUILD +$TARGET + END ELSE BUILD +$TARGET --K8S_VERSION="$K8S_VERSION" END 
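Review bot: The nodeadm branch added at the end of this hunk (`ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ] BUILD +$TARGET`) invokes the target with no `--K8S_VERSION`, unlike every other branch; if the target reads `$K8S_VERSION` it will see the empty default, so a comment such as `# nodeadm provider images are not built per Kubernetes release` would make the intent explicit. The hunk also re-indents roughly seventy unchanged `BUILD` lines, which buries the real additions (1.27.16, 1.28.12, 1.29.7 for kubeadm; 1.27.15, 1.28.11, 1.29.6 for rke2; 1.28.11 for k3s); a whitespace-only commit followed by the additions would have been far easier to audit against a release list. The `build-provider-images` target starts before this hunk.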
@@ -242,12 +256,15 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.14 BUILD +provider-image --K8S_VERSION=1.27.15 + BUILD +provider-image --K8S_VERSION=1.27.16 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.28.11 + BUILD +provider-image --K8S_VERSION=1.28.12 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.29.7 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 @@ -259,11 +276,14 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 BUILD +provider-image --K8S_VERSION=1.27.14 + BUILD +provider-image --K8S_VERSION=1.27.15 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.7 BUILD +provider-image --K8S_VERSION=1.28.10 + BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.3 + BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 @@ -290,16 +310,10 @@ BASE_ALPINE: COMMAND IF [ ! -z $PROXY_CERT_PATH ] COPY sc.crt /etc/ssl/certs - RUN update-ca-certificates + RUN update-ca-certificates END RUN apk add curl -download-etcdctl: - DO +BASE_ALPINE - RUN curl --retry 5 -Ls $ETCD_REPO/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${TARGETARCH}.tar.gz | tar -xvzf - --strip-components=1 etcd-${ETCD_VERSION}-linux-${TARGETARCH}/etcdctl && \ - chmod +x etcdctl - SAVE ARTIFACT etcdctl - iso-image-rootfs: FROM --platform=linux/${ARCH} +iso-image SAVE ARTIFACT --keep-own /. rootfs 
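Review bot: The `+third-party/etcdctl --binary=etcdctl` target that now supplies `/usr/bin/etcdctl` is not defined in any hunk shown here, and the `download-etcdctl` it replaces (removed in the @@ -290,16 hunk) fetched the binary with an unverified `curl … | tar` pipe; if the new target still downloads from `$ETCD_REPO`, it should pin the release and verify a checksum before the binary is saved as an artifact, since it lands in `provider-image` as root-owned `/usr/bin/etcdctl`. If `ETCD_REPO` and `ETCD_VERSION` are no longer read anywhere after this change, the `ARG ETCD_REPO` at the top of the file becomes dead and should go in the same commit. The `BASE_ALPINE` command itself is unchanged apart from indentation.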
@@ -314,7 +328,11 @@ uki-provider-image: RUN apt-get update && apt-get install -y rsync WORKDIR / - COPY +luet/luet /usr/bin/luet + COPY --if-exists overlay/files/etc/ /etc/ + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot COPY --platform=linux/${ARCH} +install-k8s/ /k8s @@ -322,37 +340,33 @@ uki-provider-image: SAVE IMAGE --push $IMAGE_PATH trust-boot-unpack: - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY --platform=linux/${ARCH} +build-provider-trustedboot-image/ /image RUN FILE="file:/$(find /image -type f -name "*.tar" | head -n 1)" && \ luet util unpack $FILE /trusted-boot SAVE ARTIFACT /trusted-boot/* stylus-image-pack: - COPY +luet/luet /usr/bin/luet + COPY (+third-party/luet --binary=luet) /usr/bin/luet COPY --platform=linux/${ARCH} +stylus-package-image/ /stylus RUN cd stylus && tar -czf ../stylus.tar * RUN luet util pack $STYLUS_BASE stylus.tar stylus-image.tar SAVE ARTIFACT stylus-image.tar AS LOCAL ./build/ -luet: - FROM --platform=linux/${ARCH} quay.io/luet/base:latest - SAVE ARTIFACT /usr/bin/luet /luet - kairos-agent: FROM --platform=linux/${ARCH} $BASE_IMAGE SAVE ARTIFACT /usr/bin/kairos-agent /kairos-agent install-k8s: - FROM --platform=linux/${ARCH} alpine:3.19 - COPY +luet/luet /usr/bin/luet + FROM --platform=linux/${ARCH} $ALPINE_IMG + COPY (+third-party/luet --binary=luet) /usr/bin/luet WORKDIR /output IF [ "$ARCH" = "arm64" ] - ARG LUET_REPO=luet-repo-arm + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - ARG LUET_REPO=luet-repo + ARG LUET_REPO=$LUET_PROJECT END RUN mkdir -p /etc/luet/repos.conf.d && \ luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \ 
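Review bot: The `IF [ -f /etc/logrotate.d/stylus.conf ] RUN chmod 644 …` fix-up in `uki-provider-image` is duplicated verbatim in `iso-image` (the @@ -847,6 hunk), and neither copy says why the mode matters; the reason is stated only in the logrotate file itself ("writable by group or others" error), so either hoist both into a `COMMAND` or add `# logrotate refuses configs that are group/world-writable` above each. The `-f` guard also means the chmod is silently skipped if the overlay layout changes, so failing loudly may be preferable for an audit-log config. The `uki-provider-image` target starts before this hunk.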
@@ -361,15 +375,13 @@ install-k8s: IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] RUN luet install -y container-runtime/containerd --system-target /output END - + IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] + RUN luet install -y container-runtime/containerd-fips --system-target /output + END IF [ "$K8S_DISTRIBUTION" = "kubeadm-edge-standard" ] RUN luet install -y container-runtime/containerd-edge-standard --system-target /output END - IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] - RUN luet install -y container-runtime/containerd-fips --system-target /output - END - RUN luet install -y k8s/$K8S_DISTRIBUTION@$BASE_K8S_VERSION --system-target /output && luet cleanup RUN rm -rf /output/var/cache/* SAVE ARTIFACT /output/* @@ -390,7 +402,7 @@ build-uki-iso: # COPY --if-exists +validate-user-data/user-data /overlay/config.yaml COPY --if-exists user-data /overlay/config.yaml COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar - COPY --platform=linux/${ARCH} +luet/luet /overlay/luet + COPY --platform=linux/${ARCH} (+third-party/luet --binary=luet) /overlay/luet COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/ COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml @@ -401,7 +413,7 @@ build-uki-iso: rm -f /overlay/opt/spectrocloud/content/*.zst; \ fi - #check if clusterconfig is passed in + # check if clusterconfig is passed in IF [ "$CLUSTERCONFIG" != "" ] COPY --if-exists "$CLUSTERCONFIG" /overlay/opt/spectrocloud/clusterconfig/spc.tgz END @@ -468,7 +480,7 @@ build-iso: done; \ rm -f /overlay/opt/spectrocloud/content/*.zst; \ fi - #check if clusterconfig is passed in + # check if clusterconfig is passed in IF [ "$CLUSTERCONFIG" != "" ] COPY --if-exists "$CLUSTERCONFIG" /overlay/opt/spectrocloud/clusterconfig/spc.tgz END 
@@ -628,7 +640,7 @@ provider-image: RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli - COPY (+download-etcdctl/etcdctl) /usr/bin/ + COPY (+third-party/etcdctl --binary=etcdctl) /usr/bin/ RUN touch /etc/machine-id \ && chmod 444 /etc/machine-id @@ -700,15 +712,15 @@ base-image: END IF [ "$ARCH" = "arm64" ] - RUN mkdir -p /etc/luet/repos.conf.d && \ - SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo-arm/$SPECTRO_LUET_VERSION --priority 1 -y && \ - luet repo update + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - RUN mkdir -p /etc/luet/repos.conf.d && \ - SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo/$SPECTRO_LUET_VERSION --priority 1 -y && \ - luet repo update + ARG LUET_REPO=$LUET_PROJECT END + RUN mkdir -p /etc/luet/repos.conf.d && \ + SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \ + luet repo update + IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] ARG BASE_K8S_VERSION=$K8S_VERSION ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] @@ -734,7 +746,7 @@ base-image: END RUN apt-get update && \ - apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool -y + apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y IF [ "$UPDATE_KERNEL" = "false" ] RUN if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION" ; fi && \ 
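Review bot: The consolidated `RUN mkdir -p /etc/luet/repos.conf.d && … luet repo add … && luet repo update` added in the @@ -700,15 hunk is a plain cached `RUN`, while later in the same target (the @@ -794,16 hunk) the identical commands run as `RUN --no-cache`; with `SPECTRO_LUET_VERSION` now defaulting to a pre-release tag, a cached `luet repo update` can leave this path on stale repository metadata while the other path always refreshes. Make the two agree, e.g. `RUN --no-cache mkdir -p /etc/luet/repos.conf.d && \` here as well, or add a comment stating why caching is acceptable on this path. The `base-image` target begins before this hunk.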
@@ -794,16 +806,16 @@ base-image: END IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] - RUN zypper install -y apparmor-parser apparmor-profiles + RUN zypper install -y apparmor-parser apparmor-profiles rsyslog logrotate RUN zypper cc && \ zypper clean RUN if [ ! -e /usr/bin/apparmor_parser ]; then cp /sbin/apparmor_parser /usr/bin/apparmor_parser; fi END IF [ "$ARCH" = "arm64" ] - ARG LUET_REPO=luet-repo-arm + ARG LUET_REPO=$LUET_PROJECT-arm ELSE IF [ "$ARCH" = "amd64" ] - ARG LUET_REPO=luet-repo + ARG LUET_REPO=$LUET_PROJECT END RUN --no-cache mkdir -p /etc/luet/repos.conf.d && \ SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y @@ -813,7 +825,7 @@ base-image: RUN --no-cache luet repo update IF [ "$OS_DISTRIBUTION" = "rhel" ] - RUN yum install -y openssl + RUN yum install -y openssl rsyslog logrotate END IF [ "$OS_DISTRIBUTION" = "sles" ] @@ -847,6 +859,10 @@ iso-image: RUN rm -f /usr/bin/luet END COPY overlay/files/ / + + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli RUN touch /etc/machine-id \ @@ -939,7 +955,12 @@ iso-efi-size-check: SAVE ARTIFACT efi-size-check.iso AS LOCAL ./build/ ubuntu-systemd: - FROM $SPECTRO_PUB_REPO/ubuntu-systemd:22.04 + IF [ "$FIPS_ENABLED" = "true" ] + ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd-fips:20.04 + ELSE + ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd:22.04 + END + FROM $SYSTEMD_IMAGE OS_RELEASE: COMMAND 
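Review bot: `ubuntu-systemd` now selects `third-party/ubuntu-systemd-fips:20.04` when `FIPS_ENABLED=true` but `third-party/ubuntu-systemd:22.04` otherwise, and nothing in the hunk says why the FIPS image is a release behind; a comment such as `# FIPS-certified packages are only available for 20.04` (if that is the reason) would stop someone aligning the two and silently losing the FIPS build. Both are mutable tags; for images whose whole rootfs becomes the product, pin by digest (`ubuntu-systemd-fips:20.04@sha256:<digest>`) so the FIPS claim is reproducible. The `IF [ -f /etc/logrotate.d/stylus.conf ] RUN chmod 644` block added to `iso-image` in the @@ -847,6 hunk duplicates the one in `uki-provider-image`.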
@@ -958,3 +979,30 @@ OS_RELEASE: # update OS-release file # RUN sed -i -n '/KAIROS_/!p' /etc/os-release RUN envsubst >>/etc/os-release .conf` (must be before `49-stylus.conf` lexicographically). + +Example: `48-audit.conf` + +Users can use the following configuration as a base for their filtering logic. replace `` with the desired file name +``` +$PrivDropToUser root +$PrivDropToGroup root +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then { + action( + type="omfile" + file="" + ) +} +``` + +#### Send user application audit events to stylus audit file +To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`: + +`` : user application name or tag +``` +$PrivDropToUser root +$PrivDropToGroup root +$Umask 0000 +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '') then { + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) +} +``` + +To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. 
This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind` + +Example syslog entry +``` +<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"} +``` + +Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI. \ No newline at end of file diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf new file mode 100644 index 0000000..744ef7a --- /dev/null +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -0,0 +1,18 @@ +/var/log/stylus-audit.log { + yearly + rotate 2 + missingok + notifempty + compress + dateext + dateformat -%d-%m-%Y + extension .log + maxsize 100M + create 600 root root + # to avoid 'writable by group or others' error + su root root + # reload or restart to point file handle to new log file + postrotate + systemctl try-reload-or-restart rsyslog 2>&1 || true + endscript +} \ No newline at end of file diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf new file mode 100644 index 0000000..fc71256 --- /dev/null +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf 
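Review bot: In `postrotate`, `systemctl try-reload-or-restart rsyslog 2>&1 || true` swallows a failed reload, and `2>&1` with no stdout target looks like a truncated `>/dev/null 2>&1`; because `create` is used rather than `copytruncate`, rsyslog keeps its descriptor on the renamed file until it is reloaded, so after a failed reload new audit events keep flowing into the file that `compress` is about to replace and are effectively lost without any error surfacing. For an audit trail that is the wrong failure mode: drop `|| true` so logrotate reports the failure (or at least record it with `logger`), and consider `delaycompress` so the previous file stays intact until the following rotation. `create 600 root root` and `su root root` match the `FileCreateMode="0600"`/`fileowner="root"` in the rsyslog action, which is consistent.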
@@ -0,0 +1,19 @@ +# Running rsyslog as root. +$PrivDropToUser root +$PrivDropToGroup root +# default config has $Umask 0022 set. That breaks any config related to masks and modes. +$Umask 0000 + +# Mesage format as per rfc5424. +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" + +# route messages with facility local7 and severity notice to /var/log/stylus-audit.log +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then{ + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) & stop +} diff --git a/rhel-core-images/Dockerfile.rhel8.sat b/rhel-core-images/Dockerfile.rhel8.sat new file mode 100644 index 0000000..243075e --- /dev/null +++ b/rhel-core-images/Dockerfile.rhel8.sat 
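Review bot: `$PrivDropToUser root`, `$PrivDropToGroup root` and `$Umask 0000` are global rsyslog directives, not settings scoped to the rule below them, so this drop-in keeps the whole daemon running as root and zeroes the umask for every file created by every other config in `rsyslog.d`, including any that rely on the default umask instead of an explicit `FileCreateMode`. POSIX applies the umask as `mode & ~umask`, so the default `0022` cannot change a `FileCreateMode="0600"` file, which makes the stated reason ("breaks any config related to masks and modes") hard to follow; if a concrete mode really was clipped, the comment should name it (`# default $Umask 0022 clips <mode> on <file>`), otherwise the override should go. Keeping root privileges should likewise be justified in the comment, since the distribution default of dropping to an unprivileged user exists to limit what a compromised rsyslog can write. Minor: "Mesage" in the template comment.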
@@ -0,0 +1,100 @@ +ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-init:8.7-10 +ARG KAIROS_FRAMEWORK_IMAGE=quay.io/kairos/framework:v2.7.41 + +FROM $KAIROS_FRAMEWORK_IMAGE as kairosframework + +FROM $BASE_IMAGE + +ARG KAIROS_FRAMEWORK_IMAGE +ARG ORGNAME +ARG KEYNAME +ARG SATHOSTNAME + +RUN dnf config-manager --disable ubi-8-appstream-rpms ubi-8-baseos-rpms ubi-8-codeready-builder-rpms +RUN rm /etc/rhsm-host +RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm +RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME} + +RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + curl \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel8/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=quay.io/kairos/framework:v2.7.41 / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
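Review bot: `RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME}` in `Dockerfile.rhel8.sat` runs in its own layer with no matching `unregister`, so the consumer identity and entitlement certificates it writes under `/etc/pki/` are committed into the image, and because `KEYNAME` is a build `ARG` the activation key is recoverable from `docker history`. The preceding `RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm` installs a package that adds a CA to the system trust store, fetched over plain HTTP with no signature or checksum check, so whatever answers for `SATHOSTNAME` on the build network decides which CA every later `dnf` call trusts. Register, install and unregister should happen in one `RUN` (with the key supplied as a BuildKit secret instead of an ARG, where the builder supports it), and the katello rpm should be shipped in the build context or verified against a known digest (`rpm -K` or `sha256sum -c`) before `rpm -Uvh`; the same applies to `Dockerfile.rhel9.sat`, whose registration lines are garbled in this view. The tail of this file is fused with the next one here, so the end of the hunk could not be checked.
```dockerfile
# Register, install and unregister in ONE layer so that neither the activation
# key nor the consumer/entitlement certificates persist in any image layer.
# Build with: docker build --secret id=activation_key,src=<path-to-key-file> ...
RUN --mount=type=secret,id=activation_key \
    subscription-manager register --org="${ORGNAME}" \
        --activationkey="$(cat /run/secrets/activation_key)" && \
    uuidgen > /etc/machine-id && dnf install -y \
    # ... unchanged: package list ...
    rsync jq && dnf clean all && \
    subscription-manager unregister && subscription-manager clean
```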
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel8. +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel9 . +``` + +**In case of any errors during package installation steps - these errors might be caused by previous build attempts. Execute `docker build` command again by providing argument `--no-cache` to build the image from scratch** + +## Build the image using Red Hat Satellite and mirrored repositories + +This scenario is for the environment where Red Hat Satellite must be used and access to public Red Hat repositories is not possible. For this case use Dockerfiles `Dockerfile.rhel9.sat` and `Dockerfile.rhel8.sat` - these files are modified to use Red Hat Satellite Activation key to register host and install all required packages. + +### Prerequisites + +1. Mirror base RHEL UBI image (`registry.access.redhat.com/ubi9-init:9.4-6`) to the internal Container registry. Provide image path for the build process by using argument `BASE_IMAGE`. + +2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.7.41`) to the internal Container registry. 
Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`. + +3. Have the following repostiories synced and available on Red Hat Satellite: + +For RHEL9: +* rhel-9-for-x86_64-appstream-rpms +* rhel-9-for-x86_64-baseos-rpms +* EPEL9 (upstream URL https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/) + +For RHEL8: +* rhel-8-for-x86_64-appstream-rpms +* rhel-8-for-x86_64-baseos-rpms +* EPEL8 (upstream URL https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/) + + +4. Create Activation Key in RH Satellite and add corresponding repositories listed above. Make these repositories enabled by default (set `Override Enabled` for these repositories in the Activation Key configuration). Provide Activation Key for the build process by using argument `KEYNAME`. + +### Build the image + +After all prerequisites completed, ensure all required build arguments are in place: + +BASE_IMAGE - path to RHEL8/9 UBI image, for example `redhat.spectrocloud.dev/ubi9-init:9.4-6` + +KAIROS_FRAMEWORK_IMAGE - path to Kairos framework image, for example `quay.spectrocloud.dev/kairos/framework:v2.7.33` + +SATHOSTNAME - Red Hat Satellite hostname, for example `katello.spectrocloud.dev` + +ORGNAME - Organization name in Red Hat Satellite, for example `test-org` + +KEYNAME - Name of the Activation key with repositories attached, for example `rhel9-canvos-key` + +To build RHEL 8 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel8.sat . +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel9.sat . 
+``` + +For example, to build RHEL9 image: +``` +docker build -t localhost/palette-rhel9:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi9-init:9.4-6 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel9-canvos-key -f Dockerfile.rhel9.sat . +``` + +For example, to build RHEL8 image: +``` +docker build -t localhost/palette-rhel8:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi8/ubi-init:8.7-10 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel8-canvos-key -f Dockerfile.rhel8.sat . +``` + + + diff --git a/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml new file mode 100644 index 0000000..09a5f98 --- /dev/null +++ b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml @@ -0,0 +1,10 @@ +name: " tmp layout setup" +stages: + initramfs.after: + - name: mount tmp + commands: + - systemctl enable tmp.mount + fs.before: + - name: start tmp + commands: + - systemctl start tmp.mount diff --git a/rhel-fips/Dockerfile b/rhel-fips/Dockerfile index 9f1b87f..2fbe02b 100644 --- a/rhel-fips/Dockerfile +++ b/rhel-fips/Dockerfile @@ -83,7 +83,7 @@ RUN mkdir -p /run/lock && \ # Copy the os-release file to identify the OS COPY --from=osbuilder /workspace/os-release /etc/os-release -COPY --from=quay.io/kairos/framework:v2.7.41-fips / / +COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / / RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml diff --git a/slem/Dockerfile b/slem/Dockerfile index 1b2d47f..d252a92 100644 --- a/slem/Dockerfile +++ b/slem/Dockerfile 
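Review bot: `COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / /` in `rhel-fips/Dockerfile` overlays the entire root filesystem with the contents of an image selected by a mutable tag, as root; a re-push of that tag changes arbitrary files in every FIPS image built afterwards and the build gives no signal. Pin it with a digest (`…:v2.7.41-fips-spectro@sha256:<digest>`), and do the same for `FROM gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro as kairos-fips` in `ubuntu-fips/Dockerfile` (the last hunk), which has the same exposure. The `33_tmp_mount.yaml` added above has a leading space in `name: " tmp layout setup"`, which looks accidental.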
@@ -22,6 +22,8 @@ RUN zypper in --force-resolution -y --no-allow-vendor-change \ fail2ban \ lldpd \ nethogs \ + rsyslog \ + logrotate \ && zypper cc # NOTE: removed dhcp-client RUN mkdir -p /run/lock diff --git a/test/test-two-node.sh b/test/test-two-node.sh index c84607e..a84ef34 100755 --- a/test/test-two-node.sh +++ b/test/test-two-node.sh @@ -472,7 +472,7 @@ function build_canvos() { --TWO_NODE=true \ --TWO_NODE_BACKEND=${TWO_NODE_BACKEND} \ --CUSTOM_TAG=${STYLUS_HASH} \ - --PE_VERSION=v${PE_VERSION} + --PE_VERSION=v${PE_VERSION} docker push ${OCI_REGISTRY}/ubuntu:k3s-${K3S_VERSION}-v${PE_VERSION}-${STYLUS_HASH} } diff --git a/ubuntu-fips/Dockerfile b/ubuntu-fips/Dockerfile index caaa4b5..beb0558 100644 --- a/ubuntu-fips/Dockerfile +++ b/ubuntu-fips/Dockerfile @@ -1,6 +1,6 @@ # Kairos framework packages for ubuntu fips -FROM quay.io/kairos/framework:v2.7.41-fips as kairos-fips +FROM gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro as kairos-fips # Base ubuntu image (focal) FROM ubuntu:focal as base