From 769bfeec955c4ee62d3be51cd77e6ab3aaf3aca9 Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Sat, 27 Jul 2024 00:44:06 +0530 Subject: [PATCH 01/17] PE-4076: Rsyslog and logrotate changes (#225) * rsyslog logrotate installation * config update * conf changes * log duplicate issue fix and file permission and ownership fix * rsyslog conf in providers and adm group not in opensuse fix * group change --- Earthfile | 8 +++++--- overlay/files/etc/logrotate.d/stylus.conf | 12 ++++++++++++ overlay/files/etc/rsyslog.d/49-stylus.conf | 19 +++++++++++++++++++ slem/Dockerfile | 2 ++ 4 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 overlay/files/etc/logrotate.d/stylus.conf create mode 100644 overlay/files/etc/rsyslog.d/49-stylus.conf diff --git a/Earthfile b/Earthfile index 12cbf3f..e9e25af 100644 --- a/Earthfile +++ b/Earthfile @@ -290,6 +290,7 @@ uki-provider-image: RUN apt-get update && apt-get install -y rsync WORKDIR / + COPY overlay/files/etc/ /etc/ COPY +luet/luet /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot @@ -589,6 +590,7 @@ provider-image: ARG BASE_K8S_VERSION=$K8S_VERSION-$K8S_DISTRIBUTION_TAG END + COPY overlay/files/etc/ /etc/ COPY --platform=linux/${ARCH} +kairos-provider-image/ / COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml @@ -725,7 +727,7 @@ base-image: END RUN apt-get update && \ - apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool -y + apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y IF [ "$UPDATE_KERNEL" = "false" ] RUN if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION" ; fi && \ 
@@ -785,7 +787,7 @@ base-image: END IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] - RUN zypper install -y apparmor-parser apparmor-profiles + RUN zypper install -y apparmor-parser apparmor-profiles rsyslog logrotate RUN zypper cc && \ zypper clean RUN if [ ! -e /usr/bin/apparmor_parser ]; then cp /sbin/apparmor_parser /usr/bin/apparmor_parser; fi @@ -804,7 +806,7 @@ base-image: RUN --no-cache luet repo update IF [ "$OS_DISTRIBUTION" = "rhel" ] - RUN yum install -y openssl + RUN yum install -y openssl rsyslog logrotate END IF [ "$OS_DISTRIBUTION" = "sles" ] diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf new file mode 100644 index 0000000..e45df6a --- /dev/null +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -0,0 +1,12 @@ +/var/log/stylus-audit.log { + yearly + rotate 2 + missingok + notifempty + compress + delaycompress + dateext + dateformat -%m-%Y + size 100M + create 600 root root +} \ No newline at end of file diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf new file mode 100644 index 0000000..a540b6b --- /dev/null +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -0,0 +1,19 @@ +# Running rsyslog as root. +# TODO: should this be done or change acceptance criteria to about audit log file permissions accordingly +$PrivDropToUser root +# default config has $Umask 0022 set. That breaks any config related to masks and modes. +$Umask 0000 + +# Mesage format as per rfc5424. +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" + +# route messages with facility local7 and severity notice to /var/log/stylus-audit.log +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice') then{ + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) & stop +} 
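Review bot: `dateformat -%m-%Y` together with `dateext` and `size 100M` means a second size-triggered rotation in the same month targets a rotated name that already exists; logrotate reports the destination as existing and skips the rotation, so from then on the audit log grows past 100M unchecked. Patch 04's `-%d-%m-%Y` and patch 11's `maxsize` shrink the window to a day but do not close it; a per-run unique and sortable suffix such as `dateformat -%Y%m%d-%H%M%S` does. Note also that `size` is documented as mutually exclusive with the interval keywords, so `yearly` has no effect until patch 11 replaces `size` with `maxsize`.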
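Review bot: `$Umask 0000` is process-wide and unnecessary for the 0600 file this snippet creates: a umask only clears permission bits, so `FileCreateMode="0600"` comes out identical under the default 0022, and the comment's claim that 0022 "breaks any config related to masks and modes" only holds for modes wider than 0644. Leaving the umask at 0000 means any other rsyslog rule or module on these images that asks for a permissive mode (0666 files, 0777 directories) now gets exactly that, so I would drop the line, or keep `$Umask 0022`, and reword the comment. `$PrivDropToUser root` likewise applies to the whole daemon and every other rule it loads, not just this one; a comment stating that rsyslog intentionally keeps root on these images so the audit file can be root-owned 0600 would make that trade-off explicit to the next maintainer.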
diff --git a/slem/Dockerfile b/slem/Dockerfile index 1b2d47f..d252a92 100644 --- a/slem/Dockerfile +++ b/slem/Dockerfile @@ -22,6 +22,8 @@ RUN zypper in --force-resolution -y --no-allow-vendor-change \ fail2ban \ lldpd \ nethogs \ + rsyslog \ + logrotate \ && zypper cc # NOTE: removed dhcp-client RUN mkdir -p /run/lock From b3c240730660a1c562aa1a05d412e05e6e5ecf90 Mon Sep 17 00:00:00 2001 From: Santhosh Date: Tue, 30 Jul 2024 09:27:45 +0530 Subject: [PATCH 02/17] update fips base images (#236) --- rhel-fips/Dockerfile | 2 +- ubuntu-fips/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel-fips/Dockerfile b/rhel-fips/Dockerfile index 9f1b87f..2fbe02b 100644 --- a/rhel-fips/Dockerfile +++ b/rhel-fips/Dockerfile @@ -83,7 +83,7 @@ RUN mkdir -p /run/lock && \ # Copy the os-release file to identify the OS COPY --from=osbuilder /workspace/os-release /etc/os-release -COPY --from=quay.io/kairos/framework:v2.7.41-fips / / +COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / / RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml diff --git a/ubuntu-fips/Dockerfile b/ubuntu-fips/Dockerfile index caaa4b5..beb0558 100644 --- a/ubuntu-fips/Dockerfile +++ b/ubuntu-fips/Dockerfile @@ -1,6 +1,6 @@ # Kairos framework packages for ubuntu fips -FROM quay.io/kairos/framework:v2.7.41-fips as kairos-fips +FROM gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro as kairos-fips # Base ubuntu image (focal) FROM ubuntu:focal as base From cd2b974d0673496be97e9559fbf4f9576bb47477 Mon Sep 17 00:00:00 2001 From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com> Date: Mon, 5 Aug 2024 22:02:16 +0530 Subject: [PATCH 03/17] PE-4749 Update Earthfile with latest k8s versions for 4.4.b (#241) --- Earthfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Earthfile b/Earthfile index e9e25af..54da531 100644 --- a/Earthfile 
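Review bot: The new `COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro / /` still references a mutable tag, so the FIPS framework layer copied into the image can change underneath the build with no change to this file; the `FROM` line in the `ubuntu-fips/Dockerfile` hunk has the same property. For a FIPS image the digest is the thing to pin, e.g. `COPY --from=gcr.io/spectro-images-public/kairos/framework:v2.7.41-fips-spectro@sha256:<DIGEST-FROM-REGISTRY> / /`, so that a registry move like this one is reviewable as a one-time content check rather than a standing trust in the tag.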
+++ b/Earthfile @@ -151,12 +151,15 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.9 BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.15 + BUILD +$TARGET --K8S_VERSION=1.27.16 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.11 + BUILD +$TARGET --K8S_VERSION=1.28.12 BUILD +$TARGET --K8S_VERSION=1.29.0 BUILD +$TARGET --K8S_VERSION=1.29.6 + BUILD +$TARGET --K8S_VERSION=1.29.7 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -175,14 +178,17 @@ build-provider-images: BUILD +$TARGET --K8S_VERSION=1.27.11 BUILD +$TARGET --K8S_VERSION=1.27.13 BUILD +$TARGET --K8S_VERSION=1.27.14 + BUILD +$TARGET --K8S_VERSION=1.27.15 BUILD +$TARGET --K8S_VERSION=1.28.2 BUILD +$TARGET --K8S_VERSION=1.28.5 BUILD +$TARGET --K8S_VERSION=1.28.7 BUILD +$TARGET --K8S_VERSION=1.28.9 BUILD +$TARGET --K8S_VERSION=1.28.10 + BUILD +$TARGET --K8S_VERSION=1.28.11 BUILD +$TARGET --K8S_VERSION=1.29.3 BUILD +$TARGET --K8S_VERSION=1.29.4 BUILD +$TARGET --K8S_VERSION=1.29.5 + BUILD +$TARGET --K8S_VERSION=1.29.6 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ] BUILD +$TARGET --K8S_VERSION=1.24.6 BUILD +$TARGET --K8S_VERSION=1.25.2 @@ -218,12 +224,15 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.14 BUILD +provider-image --K8S_VERSION=1.27.15 + BUILD +provider-image --K8S_VERSION=1.27.16 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.10 BUILD +provider-image --K8S_VERSION=1.28.11 + BUILD +provider-image --K8S_VERSION=1.28.12 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 + BUILD +provider-image --K8S_VERSION=1.29.7 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] BUILD +provider-image --K8S_VERSION=1.24.6 BUILD +provider-image --K8S_VERSION=1.25.0 
@@ -235,11 +244,14 @@ build-provider-images-fips: BUILD +provider-image --K8S_VERSION=1.27.9 BUILD +provider-image --K8S_VERSION=1.27.11 BUILD +provider-image --K8S_VERSION=1.27.14 + BUILD +provider-image --K8S_VERSION=1.27.15 BUILD +provider-image --K8S_VERSION=1.28.5 BUILD +provider-image --K8S_VERSION=1.28.7 BUILD +provider-image --K8S_VERSION=1.28.10 + BUILD +provider-image --K8S_VERSION=1.28.11 BUILD +provider-image --K8S_VERSION=1.29.0 BUILD +provider-image --K8S_VERSION=1.29.3 + BUILD +provider-image --K8S_VERSION=1.29.5 BUILD +provider-image --K8S_VERSION=1.29.6 ELSE BUILD +provider-image --K8S_VERSION=1.24.6 From 61ad9fd18e144801b26ed3413a4c3f8357b9156a Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Mon, 5 Aug 2024 23:16:36 +0530 Subject: [PATCH 04/17] logrotate issue fix (#242) --- Earthfile | 15 +++++++++++++-- overlay/files/etc/logrotate.d/stylus.conf | 9 +++++++-- overlay/files/etc/rsyslog.d/49-stylus.conf | 6 +++--- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/Earthfile b/Earthfile index 54da531..f1f22b1 100644 --- a/Earthfile +++ b/Earthfile @@ -302,7 +302,10 @@ uki-provider-image: RUN apt-get update && apt-get install -y rsync WORKDIR / - COPY overlay/files/etc/ /etc/ + COPY --if-exists overlay/files/etc/ /etc/ + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END COPY +luet/luet /usr/bin/luet COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot @@ -602,7 +605,11 @@ provider-image: ARG BASE_K8S_VERSION=$K8S_VERSION-$K8S_DISTRIBUTION_TAG END - COPY overlay/files/etc/ /etc/ + COPY --if-exists overlay/files/etc/ /etc/ + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END + COPY --platform=linux/${ARCH} +kairos-provider-image/ / COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml 
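Review bot: The `chmod 644` after `COPY --if-exists overlay/files/etc/ /etc/` normalises only the logrotate file, while `/etc/rsyslog.d/49-stylus.conf` copied in the same step keeps whatever mode the build checkout had; since that drop-in configures a daemon this series runs as root, a group- or world-writable copy is worth normalising too, with its own `IF [ -f /etc/rsyslog.d/49-stylus.conf ]` guard and the same `RUN chmod 644 /etc/rsyslog.d/49-stylus.conf`. The identical block is repeated in the provider-image hunk on this line and in the iso-image hunk below; one guarded `chmod` covering both files in each place keeps the three copies from drifting. `--if-exists` also means a missing overlay produces an image with no audit routing or rotation and no build failure, which may be intended for targets without the overlay but deserves a one-line comment saying so.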
@@ -852,6 +859,10 @@ iso-image: RUN rm -f /usr/bin/luet END COPY overlay/files/ / + + IF [ -f /etc/logrotate.d/stylus.conf ] + RUN chmod 644 /etc/logrotate.d/stylus.conf + END RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli RUN touch /etc/machine-id \ diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf index e45df6a..5ccdab0 100644 --- a/overlay/files/etc/logrotate.d/stylus.conf +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -4,9 +4,14 @@ missingok notifempty compress - delaycompress dateext - dateformat -%m-%Y + dateformat -%d-%m-%Y size 100M create 600 root root + # to avoid 'writable by group or others' error + su root root + # reload or restart to point file handle to new log file + postrotate + systemctl try-reload-or-restart rsyslog 2>&1 || true + endscript } \ No newline at end of file diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf index a540b6b..dfaafe8 100644 --- a/overlay/files/etc/rsyslog.d/49-stylus.conf +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -1,6 +1,6 @@ -# Running rsyslog as root. -# TODO: should this be done or change acceptance criteria to about audit log file permissions accordingly +# Running rsyslog as root. $PrivDropToUser root +$PrivDropToGroup root # default config has $Umask 0022 set. That breaks any config related to masks and modes. $Umask 0000 @@ -8,7 +8,7 @@ $Umask 0000 $template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" # route messages with facility local7 and severity notice to /var/log/stylus-audit.log -if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice') then{ +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then{ action( type="omfile" file="/var/log/stylus-audit.log" From f5dd8d61a48eaddfa1a7662bde646c028a107bb3 Mon Sep 17 00:00:00 2001 
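Review bot: `systemctl try-reload-or-restart rsyslog 2>&1 || true` in `postrotate` hides the one failure that matters here: if rsyslog is not signalled after the rename it keeps writing to the rotated file and the new `/var/log/stylus-audit.log` stays empty until the next rotation, and `|| true` with the merged streams leaves no trace of that in logrotate's output. Dropping `|| true` lets logrotate report the script's status while still processing the other configs; if it is there for images without systemd, a comment saying so plus a visible fallback, e.g. `systemctl try-reload-or-restart rsyslog || logger -t logrotate "rsyslog reload failed for stylus-audit.log"`, keeps the failure observable. The `2>&1` on its own only merges stderr into stdout and does not suppress anything, so it can go either way.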
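Review bot: `$syslogtag contains 'stylus-audit'` is a substring test, so a tag such as `stylus-auditor` or anything embedding that string is also routed into the root-only audit file and, via the `stop` outside this hunk, withheld from the other logs; `startswith` or an equality test on `$programname` is the narrower match if the intent is the stylus-audit program. Facility, severity and tag are all chosen by the sender, so this filter establishes routing, not provenance; if the audit file is meant to be trusted as such, imuxsock's trusted properties (`SysSock.Annotate="on"` with `SysSock.ParseTrusted="on"`, then `$!uid`/`$!exe` in the condition) are what rsyslog offers to tie entries to a local process, and that limitation is worth a comment above the `if`. The `if` block's closing lines lie outside the hunk.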
From: Piyush Kumar Date: Tue, 6 Aug 2024 09:49:22 +0530 Subject: [PATCH 05/17] PE:4813: use alpine from gcr.io instead of docker.io (#244) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index f1f22b1..907ee8c 100644 --- a/Earthfile +++ b/Earthfile @@ -336,7 +336,7 @@ kairos-agent: SAVE ARTIFACT /usr/bin/kairos-agent /kairos-agent install-k8s: - FROM --platform=linux/${ARCH} alpine:3.19 + FROM --platform=linux/${ARCH} $ALPINE_IMG COPY +luet/luet /usr/bin/luet IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ] From 4913fad15b12babe567c0dc43de43e4e7805a122 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Tue, 6 Aug 2024 11:23:45 +0530 Subject: [PATCH 06/17] bump alpine img to 3.20.2 (#245) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 907ee8c..4782915 100644 --- a/Earthfile +++ b/Earthfile @@ -3,7 +3,7 @@ ARG TARGETOS ARG TARGETARCH # Default image repositories used in the builds. -ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.16.2 +ARG ALPINE_IMG=gcr.io/spectro-images-public/alpine:3.20.2 ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public From 8c9a8a4934e713a3c427bbcd00c2e4b4c88b21c2 Mon Sep 17 00:00:00 2001 From: Arun Sharma Date: Tue, 6 Aug 2024 18:40:03 +0530 Subject: [PATCH 07/17] Readme update (#243) --- README.md | 53 ++++++++++++++++++++++ overlay/files/etc/logrotate.d/stylus.conf | 1 + overlay/files/etc/rsyslog.d/49-stylus.conf | 4 +- 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f856648..4664dbc 100644 --- a/README.md +++ b/README.md 
@@ -346,3 +346,56 @@ EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml ```shell earthly --push +build-all-images ``` + + +### Audit Logs User Customisation + +#### Configuration +rsyslog config file: `overlay/files/etc/rsyslog.d/49-stylus.conf` copied to `/etc/rsyslog.d/49-stylus.conf` +logrotate config file: `overlay/files/etc/logrotate.d/stylus.conf` copied to `/etc/logrotate.d/stylus.conf` + +#### Send stylus audit events to user file +Users can log stylus audit events to additional files, in addition to `/var/log/stylus-audit.log`. To log stylus audit events to custom files, create a configuration file in the `overlay/files/etc/rsyslog.d` directory named `.conf` (must be before `49-stylus.conf` lexicographically). + +Example: `48-audit.conf` + +Users can use the following configuration as a base for their filtering logic. replace `` with the desired file name +``` +$PrivDropToUser root +$PrivDropToGroup root +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then { + action( + type="omfile" + file="" + ) +} +``` + +#### Send user application audit events to stylus audit file +To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`: + +`` : user application name or tag +``` +$PrivDropToUser root +$PrivDropToGroup root +$Umask 0000 +$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" +if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '') then { + action( + type="omfile" + file="/var/log/stylus-audit.log" + FileCreateMode="0600" + fileowner="root" + template="ForwardFormat" + ) +} +``` + +To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. 
This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind` + +Example syslog entry +``` +<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"} +``` + +Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI. \ No newline at end of file diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf index 5ccdab0..8553c0d 100644 --- a/overlay/files/etc/logrotate.d/stylus.conf +++ b/overlay/files/etc/logrotate.d/stylus.conf @@ -6,6 +6,7 @@ compress dateext dateformat -%d-%m-%Y + extension .log size 100M create 600 root root # to avoid 'writable by group or others' error diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf index dfaafe8..fc71256 100644 --- a/overlay/files/etc/rsyslog.d/49-stylus.conf +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf @@ -12,8 +12,8 @@ if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $s action( type="omfile" file="/var/log/stylus-audit.log" - FileCreateMode="0600" - fileowner="root" + FileCreateMode="0600" + fileowner="root" template="ForwardFormat" ) & stop } From 89de00fc4a55aeadcc100e15202da1e97d34e898 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Wed, 7 Aug 2024 10:51:10 +0530 Subject: [PATCH 08/17] bump luet-repo to 1.3.3 (#246) --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 4782915..4ddbbad 100644 --- a/Earthfile +++ b/Earthfile 
@@ -12,7 +12,7 @@ FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. ARG PE_VERSION=v4.4.4 -ARG SPECTRO_LUET_VERSION=v1.3.2 +ARG SPECTRO_LUET_VERSION=v1.3.3 ARG KAIROS_VERSION=v3.0.14 ARG K3S_FLAVOR_TAG=k3s1 ARG RKE2_FLAVOR_TAG=rke2r1 From a8d166f6a3734a8db04f02a260ac889850836917 Mon Sep 17 00:00:00 2001 From: Vadim Zharov Date: Wed, 7 Aug 2024 13:34:03 -0500 Subject: [PATCH 09/17] RHEL 9 Dockerfile + RHEL8/9 Dockerfiles to build with RH Satellite (#221) * RHEL 9 Dockerfile + RHEL8/9 Dockerfiles to build with RH Satellite * Mistypo fixed --------- Co-authored-by: Vadim Zharov --- rhel-core-images/Dockerfile.rhel8.sat | 100 ++++++++++++++++++ rhel-core-images/Dockerfile.rhel9 | 96 +++++++++++++++++ rhel-core-images/Dockerfile.rhel9.sat | 99 +++++++++++++++++ rhel-core-images/README.md | 81 ++++++++++++++ .../rhel9/system/oem/33_tmp_mount.yaml | 10 ++ 5 files changed, 386 insertions(+) create mode 100644 rhel-core-images/Dockerfile.rhel8.sat create mode 100644 rhel-core-images/Dockerfile.rhel9 create mode 100644 rhel-core-images/Dockerfile.rhel9.sat create mode 100644 rhel-core-images/README.md create mode 100644 rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml diff --git a/rhel-core-images/Dockerfile.rhel8.sat b/rhel-core-images/Dockerfile.rhel8.sat new file mode 100644 index 0000000..243075e --- /dev/null +++ b/rhel-core-images/Dockerfile.rhel8.sat 
@@ -0,0 +1,100 @@ +ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-init:8.7-10 +ARG KAIROS_FRAMEWORK_IMAGE=quay.io/kairos/framework:v2.7.41 + +FROM $KAIROS_FRAMEWORK_IMAGE as kairosframework + +FROM $BASE_IMAGE + +ARG KAIROS_FRAMEWORK_IMAGE +ARG ORGNAME +ARG KEYNAME +ARG SATHOSTNAME + +RUN dnf config-manager --disable ubi-8-appstream-rpms ubi-8-baseos-rpms ubi-8-codeready-builder-rpms +RUN rm /etc/rhsm-host +RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm +RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME} + +RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + curl \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel8/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + + +COPY --from=quay.io/kairos/framework:v2.7.41 / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
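Review bot: `RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm` installs the Satellite CA bundle into the image's trust store from a plain-HTTP URL with no checksum or signature check, so whatever answers for that hostname on the build network decides which CA the following registration and every later `dnf` download trust. If HTTPS is not possible before the CA is installed, pin the package instead, e.g. `curl -fsSLo /tmp/katello-ca.rpm http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm && echo "<SHA256-OF-RPM-PLACEHOLDER>  /tmp/katello-ca.rpm" | sha256sum -c - && rpm -Uvh /tmp/katello-ca.rpm`. The subsequent `subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME}` also leaves the consumer identity under `/etc/pki/consumer` in the shipped layers and, because the values come from build ARGs, exposes them in the image history; a final `RUN subscription-manager unregister` plus cleanup of that directory, and a BuildKit secret mount for the key if it is treated as a credential, would keep the registration out of the artifact. The `Dockerfile.rhel9.sat` section presumably repeats this pattern, but its boundary is lost in this rendering so I cannot confirm it from the page.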
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release > /etc/dnf/dnf.conf +# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6 +RUN uuidgen > /etc/machine-id && dnf install -y \ + squashfs-tools \ + dracut-live \ + livecd-tools \ + dracut-squash \ + dracut-network \ + efibootmgr \ + dhclient \ + audit \ + sudo \ + systemd \ + systemd-networkd \ + systemd-timesyncd \ + systemd-resolved \ + parted \ + dracut \ + e2fsprogs \ + dosfstools \ + coreutils-single \ + device-mapper \ + grub2 \ + which \ + nano \ + gawk \ + haveged \ + polkit \ + ncurses \ + tar \ + kbd \ + lvm2 \ + zstd \ + openssh-server \ + openssh-clients \ + shim-x64 \ + grub2-pc \ + grub2-efi-x64 \ + grub2-efi-x64-modules \ + open-vm-tools \ + iscsi-initiator-utils \ + iptables ethtool socat iproute-tc conntrack \ + kernel kernel-modules kernel-modules-extra \ + rsync jq && dnf clean all + +COPY --from=kairosframework / / + +RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml +RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml + +RUN mkdir -p /run/lock +RUN touch /usr/libexec/.keep + + +# Configure the box. 
The ubi image masks services for containers, we unmask them +RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask +RUN systemctl enable getty@tty1.service +RUN systemctl enable getty@tty2.service +RUN systemctl enable getty@tty3.service +RUN systemctl enable systemd-networkd +RUN systemctl enable systemd-resolved +RUN systemctl enable sshd +RUN systemctl disable selinux-autorelabel-mark.service +#RUN systemctl enable tmp.mount + +COPY overlay/rhel9/ / + +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ + ln -sf "${kernel#/boot/}" /boot/vmlinuz +RUN kernel=$(ls /lib/modules | head -n1) && \ + dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ + ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" +RUN rm -rf /boot/initramfs-* + +RUN envsubst >>/etc/os-release /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel8. +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg USERNAME= --build-arg PASSWORD='' -f Dockerfile.rhel9 . +``` + +**In case of any errors during package installation steps - these errors might be caused by previous build attempts. Execute `docker build` command again by providing argument `--no-cache` to build the image from scratch** + +## Build the image using Red Hat Satellite and mirrored repositories + +This scenario is for the environment where Red Hat Satellite must be used and access to public Red Hat repositories is not possible. For this case use Dockerfiles `Dockerfile.rhel9.sat` and `Dockerfile.rhel8.sat` - these files are modified to use Red Hat Satellite Activation key to register host and install all required packages. + +### Prerequisites + +1. Mirror base RHEL UBI image (`registry.access.redhat.com/ubi9-init:9.4-6`) to the internal Container registry. Provide image path for the build process by using argument `BASE_IMAGE`. + +2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.7.41`) to the internal Container registry. 
Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`. + +3. Have the following repostiories synced and available on Red Hat Satellite: + +For RHEL9: +* rhel-9-for-x86_64-appstream-rpms +* rhel-9-for-x86_64-baseos-rpms +* EPEL9 (upstream URL https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/) + +For RHEL8: +* rhel-8-for-x86_64-appstream-rpms +* rhel-8-for-x86_64-baseos-rpms +* EPEL8 (upstream URL https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/) + + +4. Create Activation Key in RH Satellite and add corresponding repositories listed above. Make these repositories enabled by default (set `Override Enabled` for these repositories in the Activation Key configuration). Provide Activation Key for the build process by using argument `KEYNAME`. + +### Build the image + +After all prerequisites completed, ensure all required build arguments are in place: + +BASE_IMAGE - path to RHEL8/9 UBI image, for example `redhat.spectrocloud.dev/ubi9-init:9.4-6` + +KAIROS_FRAMEWORK_IMAGE - path to Kairos framework image, for example `quay.spectrocloud.dev/kairos/framework:v2.7.33` + +SATHOSTNAME - Red Hat Satellite hostname, for example `katello.spectrocloud.dev` + +ORGNAME - Organization name in Red Hat Satellite, for example `test-org` + +KEYNAME - Name of the Activation key with repositories attached, for example `rhel9-canvos-key` + +To build RHEL 8 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel8.sat . +``` + +To build RHEL 9 Kairos Image, execute: +``` +docker build -t /: --build-arg BASE_IMAGE= --build-arg KAIROS_FRAMEWORK_IMAGE='' --build-arg SATHOSTNAME= --build-arg ORGNAME= --build-arg KEYNAME= -f Dockerfile.rhel9.sat . 
+``` + +For example, to build RHEL9 image: +``` +docker build -t localhost/palette-rhel9:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi9-init:9.4-6 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel9-canvos-key -f Dockerfile.rhel9.sat . +``` + +For example, to build RHEL8 image: +``` +docker build -t localhost/palette-rhel8:latest --build-arg BASE_IMAGE=redhat.spectrocloud.dev/ubi8/ubi-init:8.7-10 --build-arg KAIROS_FRAMEWORK_IMAGE=quay.spectrocloud.dev/kairos/framework:v2.7.33 --build-arg SATHOSTNAME=katello.spectrocloud.dev --build-arg ORGNAME=test-org --build-arg KEYNAME=rhel8-canvos-key -f Dockerfile.rhel8.sat . +``` + + + diff --git a/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml new file mode 100644 index 0000000..09a5f98 --- /dev/null +++ b/rhel-core-images/overlay/rhel9/system/oem/33_tmp_mount.yaml @@ -0,0 +1,10 @@ +name: " tmp layout setup" +stages: + initramfs.after: + - name: mount tmp + commands: + - systemctl enable tmp.mount + fs.before: + - name: start tmp + commands: + - systemctl start tmp.mount From 17ca6ddc9a0d4a6aeaa84546a8a455ef89696eb7 Mon Sep 17 00:00:00 2001 From: Piyush Kumar Date: Thu, 8 Aug 2024 11:53:09 +0530 Subject: [PATCH 10/17] added LUET_PROJECT args for dev builds (#247) --- Earthfile | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/Earthfile b/Earthfile index 4ddbbad..34378fb 100644 --- a/Earthfile +++ b/Earthfile @@ -8,6 +8,7 @@ ARG SPECTRO_PUB_REPO=gcr.io/spectro-images-public ARG SPECTRO_LUET_REPO=gcr.io/spectro-dev-public ARG KAIROS_BASE_IMAGE_URL=gcr.io/spectro-images-public ARG ETCD_REPO=https://github.com/etcd-io +ARG LUET_PROJECT=luet-repo FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0 # Spectro Cloud and Kairos tags. 
@@ -352,12 +353,12 @@ install-k8s:
 WORKDIR /output
 IF [ "$ARCH" = "arm64" ]
- ARG LUET_REPO=luet-repo-arm
+ ARG LUET_REPO=$LUET_PROJECT-arm
 ELSE IF [ "$ARCH" = "amd64" ]
- ARG LUET_REPO=luet-repo
+ ARG LUET_REPO=$LUET_PROJECT
 END
 RUN mkdir -p /etc/luet/repos.conf.d && \
- luet repo add spectro --type docker --url gcr.io/spectro-dev-public/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \
+ luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \
 luet repo update
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ]
@@ -712,15 +713,15 @@ base-image:
 END
 IF [ "$ARCH" = "arm64" ]
- RUN mkdir -p /etc/luet/repos.conf.d && \
- SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo-arm/$SPECTRO_LUET_VERSION --priority 1 -y && \
- luet repo update
+ ARG LUET_REPO=$LUET_PROJECT-arm
 ELSE IF [ "$ARCH" = "amd64" ]
- RUN mkdir -p /etc/luet/repos.conf.d && \
- SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url gcr.io/spectro-dev-public/luet-repo/$SPECTRO_LUET_VERSION --priority 1 -y && \
- luet repo update
+ ARG LUET_REPO=$LUET_PROJECT
 END
+ RUN mkdir -p /etc/luet/repos.conf.d && \
+ SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y && \
+ luet repo update
+
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
 ARG BASE_K8S_VERSION=$K8S_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ]
@@ -813,9 +814,9 @@ base-image:
 END
 IF [ "$ARCH" = "arm64" ]
- ARG LUET_REPO=luet-repo-arm
+ ARG LUET_REPO=$LUET_PROJECT-arm
 ELSE IF [ "$ARCH" = "amd64" ]
- ARG LUET_REPO=luet-repo
+ ARG LUET_REPO=$LUET_PROJECT
 END
 RUN --no-cache mkdir -p /etc/luet/repos.conf.d && \
 SPECTRO_LUET_VERSION=$SPECTRO_LUET_VERSION luet repo add spectro --type docker --url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION --priority 1 -y
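Review bot: `--url $SPECTRO_LUET_REPO/$LUET_REPO/$SPECTRO_LUET_VERSION` in the `install-k8s` hunk now assembles the package source for every Kubernetes component entirely from build args, so a stray `--LUET_PROJECT` or `--SPECTRO_LUET_REPO` on a release build silently swaps the repository, and nothing in the Earthfile records that this override is meant for dev builds only (the commit title is the only place that says so). Put that intent next to the new ARG in the `@@ -8,6 +8,7` hunk, e.g. `# LUET_PROJECT names the luet repository (luet-repo for releases); override only for dev builds`. The same three-arg URL is repeated in the two `base-image` hunks on this line, and `base-image` now declares `ARG LUET_REPO` in both the `@@ -712` and `@@ -813` hunks — if Earthly treats the second declaration as a no-op it is redundant, and if not the later value wins, so one of the two pairs should probably be dropped.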
From 561f3a370bd63711978369ff784777f24a6dc76d Mon Sep 17 00:00:00 2001
From: Arun Sharma
Date: Fri, 9 Aug 2024 03:30:32 +0530
Subject: [PATCH 11/17] PE-4832: changing size to maxsize (#248)

---
 overlay/files/etc/logrotate.d/stylus.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/overlay/files/etc/logrotate.d/stylus.conf b/overlay/files/etc/logrotate.d/stylus.conf
index 8553c0d..744ef7a 100644
--- a/overlay/files/etc/logrotate.d/stylus.conf
+++ b/overlay/files/etc/logrotate.d/stylus.conf
@@ -7,7 +7,7 @@
 dateext
 dateformat -%d-%m-%Y
 extension .log
- size 100M
+ maxsize 100M
 create 600 root root
 # to avoid 'writable by group or others' error
 su root root
From fecb80259913a1a7bf4cbac6cf7a31e66606d880 Mon Sep 17 00:00:00 2001
From: Roshani Rathi <42164609+roshanirathi@users.noreply.github.com>
Date: Fri, 9 Aug 2024 18:10:44 +0530
Subject: [PATCH 12/17] PE-4841 Add k3s 1.28.11 version (#249)

---
 Earthfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Earthfile b/Earthfile
index 34378fb..8139862 100644
--- a/Earthfile
+++ b/Earthfile
@@ -206,6 +206,7 @@ build-provider-images:
 BUILD +$TARGET --K8S_VERSION=1.27.15
 BUILD +$TARGET --K8S_VERSION=1.28.2
 BUILD +$TARGET --K8S_VERSION=1.28.7
+ BUILD +$TARGET --K8S_VERSION=1.28.11
 BUILD +$TARGET --K8S_VERSION=1.29.2
 BUILD +$TARGET --K8S_VERSION=1.29.6
 END
From 295b1c817e68870ee42d78b7102145e98fca9bf2 Mon Sep 17 00:00:00 2001
From: Nianyu Shen
Date: Sun, 11 Aug 2024 18:52:48 -0700
Subject: [PATCH 13/17] PE-4842 use etcdctl and luet from spectro third party image (#250)

* use etcdctl and luet from spectro third party image

Signed-off-by: Nianyu Shen

* use fips ubuntu systemd image

Signed-off-by: Nianyu Shen

* use fips systemd image

Signed-off-by: Nianyu Shen

* use BASE_ALPINE

Signed-off-by: Nianyu Shen

---------

Signed-off-by: Nianyu Shen
---
 Earthfile | 59 +++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 17 deletions(-)
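Review bot: With `maxsize 100M` the audit log can now legitimately rotate more than once per day, but the context lines keep `dateformat -%d-%m-%Y`, which names rotated files by day only; logrotate does not overwrite an existing rotated file ("destination ... already exists, skipping rotation"), so a second rotation on the same day is skipped and `/var/log/stylus-audit.log` keeps growing past the cap until the date changes. Use a format with finer granularity, e.g. `dateformat -%Y%m%d-%s` (`%s` is accepted by logrotate 3.8.x and later — verify against the versions shipped by the distributions built in `base-image`), or drop `dateext` and use numbered rotations. `rotate 2` together with `maxsize` also bounds the retained audit trail to roughly three files of 100M; if that is the intended retention, a comment saying so would stop the next reader from "fixing" it.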
diff --git a/Earthfile b/Earthfile
index 8139862..1c3ea17 100644
--- a/Earthfile
+++ b/Earthfile
@@ -72,6 +72,7 @@ ARG EFI_IMG_SIZE=2200
 # internal variables
 ARG GOLANG_VERSION=1.22
 ARG DEBUG=false
+ARG BUILDER_3RDPARTY_VERSION=4.5
 IF [ "$OS_DISTRIBUTION" = "ubuntu" ] && [ "$BASE_IMAGE" = "" ]
 IF [ "$OS_VERSION" == 22 ] || [ "$OS_VERSION" == 20 ]
@@ -97,10 +98,12 @@ IF [[ "$BASE_IMAGE" =~ "nvidia-jetson-agx-orin" ]]
 END
 IF [ "$FIPS_ENABLED" = "true" ]
+ ARG BIN_TYPE=vertex
 ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-fips-linux-$ARCH:$PE_VERSION
 ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-fips-linux-$ARCH:$PE_VERSION
 ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-fips-${TARGETARCH}:${PE_VERSION}
 ELSE
+ ARG BIN_TYPE=palette
 ARG STYLUS_BASE=$SPECTRO_PUB_REPO/stylus-framework-linux-$ARCH:$PE_VERSION
 ARG STYLUS_PACKAGE_BASE=$SPECTRO_PUB_REPO/stylus-linux-$ARCH:$PE_VERSION
 ARG CLI_IMAGE=$SPECTRO_PUB_REPO/palette-edge-cli-${TARGETARCH}:${PE_VERSION}
@@ -280,16 +283,10 @@ BASE_ALPINE:
 COMMAND
 IF [ ! -z $PROXY_CERT_PATH ]
 COPY sc.crt /etc/ssl/certs
- RUN update-ca-certificates
+ RUN update-ca-certificates
 END
 RUN apk add curl
-download-etcdctl:
- DO +BASE_ALPINE
- RUN curl --retry 5 -Ls $ETCD_REPO/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${TARGETARCH}.tar.gz | tar -xvzf - --strip-components=1 etcd-${ETCD_VERSION}-linux-${TARGETARCH}/etcdctl && \
- chmod +x etcdctl
- SAVE ARTIFACT etcdctl
-
 iso-image-rootfs:
 FROM --platform=linux/${ARCH} +iso-image
 SAVE ARTIFACT --keep-own /. rootfs
@@ -308,7 +305,7 @@ uki-provider-image:
 IF [ -f /etc/logrotate.d/stylus.conf ]
 RUN chmod 644 /etc/logrotate.d/stylus.conf
 END
- COPY +luet/luet /usr/bin/luet
+ COPY (+third-party/luet --binary=luet) /usr/bin/luet
 COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent
 COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot
 COPY --platform=linux/${ARCH} +install-k8s/ /k8s
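Review bot: `ARG BIN_TYPE=vertex` / `ARG BIN_TYPE=palette` in the `@@ -97` hunk are added without a comment and no hunk visible here reads them; the consumer is presumably the new `third-party` target appended at the end of the file, which is cut off in this view. Since the split follows `FIPS_ENABLED`, a comment on the first one would save the next reader a search, e.g. `# BIN_TYPE selects the FIPS (vertex) or non-FIPS (palette) build of the third-party binaries`. Removing `download-etcdctl` — a `curl -Ls` from GitHub piped straight into `tar` with no checksum — in favour of `+third-party/etcdctl` is a clear supply-chain improvement; `BUILDER_3RDPARTY_VERSION=4.5` is still a mutable tag, so it would be worth noting next to it whether the third-party image is pinned by digest or verified downstream.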
@@ -316,30 +313,26 @@ uki-provider-image:
 SAVE IMAGE --push $IMAGE_PATH
 trust-boot-unpack:
- COPY +luet/luet /usr/bin/luet
+ COPY (+third-party/luet --binary=luet) /usr/bin/luet
 COPY --platform=linux/${ARCH} +build-provider-trustedboot-image/ /image
 RUN FILE="file:/$(find /image -type f -name "*.tar" | head -n 1)" && \
 luet util unpack $FILE /trusted-boot
 SAVE ARTIFACT /trusted-boot/*
 stylus-image-pack:
- COPY +luet/luet /usr/bin/luet
+ COPY (+third-party/luet --binary=luet) /usr/bin/luet
 COPY --platform=linux/${ARCH} +stylus-package-image/ /stylus
 RUN cd stylus && tar -czf ../stylus.tar *
 RUN luet util pack $STYLUS_BASE stylus.tar stylus-image.tar
 SAVE ARTIFACT stylus-image.tar AS LOCAL ./build/
-luet:
- FROM --platform=linux/${ARCH} quay.io/luet/base:latest
- SAVE ARTIFACT /usr/bin/luet /luet
-
 kairos-agent:
 FROM --platform=linux/${ARCH} $BASE_IMAGE
 SAVE ARTIFACT /usr/bin/kairos-agent /kairos-agent
 install-k8s:
 FROM --platform=linux/${ARCH} $ALPINE_IMG
- COPY +luet/luet /usr/bin/luet
+ COPY (+third-party/luet --binary=luet) /usr/bin/luet
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ] || [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
 ARG BASE_K8S_VERSION=$K8S_VERSION
@@ -631,7 +624,7 @@ provider-image:
 RUN rm -f /etc/ssh/ssh_host_* /etc/ssh/moduli
- COPY (+download-etcdctl/etcdctl) /usr/bin/
+ COPY (+third-party/etcdctl --binary=etcdctl) /usr/bin/
 RUN touch /etc/machine-id \
 && chmod 444 /etc/machine-id
@@ -957,7 +950,12 @@ iso-efi-size-check:
 SAVE ARTIFACT efi-size-check.iso AS LOCAL ./build/
 ubuntu-systemd:
- FROM $SPECTRO_PUB_REPO/ubuntu-systemd:22.04
+ IF [ "$FIPS_ENABLED" = "true" ]
+ ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd-fips:20.04
+ ELSE
+ ARG SYSTEMD_IMAGE=$SPECTRO_PUB_REPO/third-party/ubuntu-systemd:22.04
+ END
+ FROM $SYSTEMD_IMAGE
 OS_RELEASE:
 COMMAND
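Review bot: The `ubuntu-systemd` hunk pins the FIPS variant to `ubuntu-systemd-fips:20.04` while the non-FIPS path stays on `22.04`, so a FIPS build now runs on a different Ubuntu release with a different patch lifetime (20.04 leaves standard support in April 2025), and nothing in the hunk says why. Record the reason above the `IF`, e.g. `# FIPS builds use 20.04 because <REASON>; revisit before 20.04 standard support ends (2025-04)`, with `<REASON>` filled in by the author. Both `SYSTEMD_IMAGE` values are mutable tags; if the systemd layer is meant to be reproducible, a digest pin in the same ARG (`...:22.04@sha256:<DIGEST>`) is the usual fix. The `trust-boot-unpack`, `stylus-image-pack` and `install-k8s` hunks on this line all replace the `quay.io/luet/base:latest` pull with `+third-party/luet`, which removes an unpinned upstream dependency from the build.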
@@ -976,3 +974,30 @@ OS_RELEASE:
 # update OS-release file
 # RUN sed -i -n '/KAIROS_/!p' /etc/os-release
 RUN envsubst >>/etc/os-release
Date: Mon, 12 Aug 2024 09:06:59 +0530
Subject: [PATCH 14/17] Update BUILDER_3RDPARTY_VERSION to 4.4 (#251)

---
 Earthfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Earthfile b/Earthfile
index 1c3ea17..817fe86 100644
--- a/Earthfile
+++ b/Earthfile
@@ -72,7 +72,7 @@ ARG EFI_IMG_SIZE=2200
 # internal variables
 ARG GOLANG_VERSION=1.22
 ARG DEBUG=false
-ARG BUILDER_3RDPARTY_VERSION=4.5
+ARG BUILDER_3RDPARTY_VERSION=4.4
 IF [ "$OS_DISTRIBUTION" = "ubuntu" ] && [ "$BASE_IMAGE" = "" ]
 IF [ "$OS_VERSION" == 22 ] || [ "$OS_VERSION" == 20 ]
From e105dc1ea066d6142555b7912405c19e4a5f9a2b Mon Sep 17 00:00:00 2001
From: Santhosh
Date: Wed, 14 Aug 2024 00:07:19 +0530
Subject: [PATCH 15/17] Update luet-repo-version (#253)

---
 Earthfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Earthfile b/Earthfile
index 817fe86..876de88 100644
--- a/Earthfile
+++ b/Earthfile
@@ -12,8 +12,8 @@ ARG LUET_PROJECT=luet-repo
 FROM $SPECTRO_PUB_REPO/canvos/alpine-cert:v1.0.0
 # Spectro Cloud and Kairos tags.
-ARG PE_VERSION=v4.4.4
-ARG SPECTRO_LUET_VERSION=v1.3.3
+ARG PE_VERSION=v4.4.7
+ARG SPECTRO_LUET_VERSION=v1.3.4-alpha1
 ARG KAIROS_VERSION=v3.0.14
 ARG K3S_FLAVOR_TAG=k3s1
 ARG RKE2_FLAVOR_TAG=rke2r1
From 5f365a0dfe34925be03b35674778d6e00d3e18df Mon Sep 17 00:00:00 2001
From: Nianyu Shen
Date: Tue, 13 Aug 2024 21:58:05 -0700
Subject: [PATCH 16/17] fix luet copy in build-uki-iso (#254)

---
 Earthfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Earthfile b/Earthfile
index 876de88..b8d28fb 100644
--- a/Earthfile
+++ b/Earthfile
@@ -372,7 +372,7 @@ build-uki-iso:
 COPY overlay/files-iso/ /overlay/
 COPY --if-exists +validate-user-data/user-data /overlay/config.yaml
 COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar
- COPY --platform=linux/${ARCH} +luet/luet /overlay/luet
+ COPY --platform=linux/${ARCH} (+third-party/luet --binary=luet) /overlay/luet
 COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/
 COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml
From 7881963ae9946af20cdff3b7cd42c036c63c824f Mon Sep 17 00:00:00 2001
From: Tyler Gillson
Date: Mon, 19 Aug 2024 08:53:44 -0600
Subject: [PATCH 17/17] feat: support nodeadm provider for EKS hybrid [WIP]

Signed-off-by: Tyler Gillson
---
 Earthfile | 168 ++++++++++++++++++++++-------------
 test/test-two-node.sh | 2 +-
 2 files changed, 90 insertions(+), 80 deletions(-)

diff --git a/Earthfile b/Earthfile
index b8d28fb..06b263e 100644
--- a/Earthfile
+++ b/Earthfile
@@ -23,6 +23,7 @@ ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
 ARG K3S_PROVIDER_VERSION=v4.4.2
 ARG KUBEADM_PROVIDER_VERSION=v4.4.1
 ARG RKE2_PROVIDER_VERSION=v4.4.1
+ARG NODEADM_PROVIDER_VERSION=latest
 # Variables used in the builds. Update for ADVANCED use cases only. Modify in .arg file or via CLI arguments.
 ARG OS_DISTRIBUTION
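Review bot: `ARG NODEADM_PROVIDER_VERSION=latest` is the only provider version in this block that is a floating tag — `K3S_PROVIDER_VERSION`, `KUBEADM_PROVIDER_VERSION` and `RKE2_PROVIDER_VERSION` are all pinned — and the `kairos-provider-image` hunk later in this patch resolves it against `tylergillson/provider-nodeadm`, a personal registry namespace, with the `$SPECTRO_PUB_REPO/kairos-io/provider-nodeadm` path left commented out. The nodeadm provider image is therefore neither version-pinned nor sourced from the project's registry, so two builds of the same commit can pull different code. Given the `[WIP]` marker this is presumably temporary; mark it in the file so it cannot be merged unnoticed, e.g. `# TODO: pin NODEADM_PROVIDER_VERSION and switch to $SPECTRO_PUB_REPO/kairos-io/provider-nodeadm before release`.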
@@ -140,79 +141,81 @@ build-provider-images:
 END
 IF [ "$K8S_VERSION" = "" ]
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ]
- BUILD +$TARGET --K8S_VERSION=1.24.6
- BUILD +$TARGET --K8S_VERSION=1.25.2
- BUILD +$TARGET --K8S_VERSION=1.25.13
- BUILD +$TARGET --K8S_VERSION=1.25.15
- BUILD +$TARGET --K8S_VERSION=1.26.4
- BUILD +$TARGET --K8S_VERSION=1.26.8
- BUILD +$TARGET --K8S_VERSION=1.26.10
- BUILD +$TARGET --K8S_VERSION=1.26.12
- BUILD +$TARGET --K8S_VERSION=1.26.15
- BUILD +$TARGET --K8S_VERSION=1.27.2
- BUILD +$TARGET --K8S_VERSION=1.27.5
- BUILD +$TARGET --K8S_VERSION=1.27.7
- BUILD +$TARGET --K8S_VERSION=1.27.9
- BUILD +$TARGET --K8S_VERSION=1.27.11
- BUILD +$TARGET --K8S_VERSION=1.27.15
- BUILD +$TARGET --K8S_VERSION=1.27.16
- BUILD +$TARGET --K8S_VERSION=1.28.2
- BUILD +$TARGET --K8S_VERSION=1.28.5
- BUILD +$TARGET --K8S_VERSION=1.28.9
- BUILD +$TARGET --K8S_VERSION=1.28.11
- BUILD +$TARGET --K8S_VERSION=1.28.12
- BUILD +$TARGET --K8S_VERSION=1.29.0
- BUILD +$TARGET --K8S_VERSION=1.29.6
- BUILD +$TARGET --K8S_VERSION=1.29.7
- ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ]
- BUILD +$TARGET --K8S_VERSION=1.24.6
- BUILD +$TARGET --K8S_VERSION=1.25.2
- BUILD +$TARGET --K8S_VERSION=1.25.13
- BUILD +$TARGET --K8S_VERSION=1.25.15
- BUILD +$TARGET --K8S_VERSION=1.26.4
- BUILD +$TARGET --K8S_VERSION=1.26.8
- BUILD +$TARGET --K8S_VERSION=1.26.10
- BUILD +$TARGET --K8S_VERSION=1.26.12
- BUILD +$TARGET --K8S_VERSION=1.26.14
- BUILD +$TARGET --K8S_VERSION=1.26.15
- BUILD +$TARGET --K8S_VERSION=1.27.2
- BUILD +$TARGET --K8S_VERSION=1.27.5
- BUILD +$TARGET --K8S_VERSION=1.27.7
- BUILD +$TARGET --K8S_VERSION=1.27.9
- BUILD +$TARGET --K8S_VERSION=1.27.11
- BUILD +$TARGET --K8S_VERSION=1.27.13
- BUILD +$TARGET --K8S_VERSION=1.27.14
- BUILD +$TARGET --K8S_VERSION=1.27.15
- BUILD +$TARGET --K8S_VERSION=1.28.2
- BUILD +$TARGET --K8S_VERSION=1.28.5
- BUILD +$TARGET --K8S_VERSION=1.28.7
- BUILD +$TARGET --K8S_VERSION=1.28.9
- BUILD +$TARGET --K8S_VERSION=1.28.10
- BUILD +$TARGET --K8S_VERSION=1.28.11
- BUILD +$TARGET --K8S_VERSION=1.29.3
- BUILD +$TARGET --K8S_VERSION=1.29.4
- BUILD +$TARGET --K8S_VERSION=1.29.5
- BUILD +$TARGET --K8S_VERSION=1.29.6
- ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ]
- BUILD +$TARGET --K8S_VERSION=1.24.6
- BUILD +$TARGET --K8S_VERSION=1.25.2
- BUILD +$TARGET --K8S_VERSION=1.25.13
- BUILD +$TARGET --K8S_VERSION=1.25.15
- BUILD +$TARGET --K8S_VERSION=1.26.4
- BUILD +$TARGET --K8S_VERSION=1.26.8
- BUILD +$TARGET --K8S_VERSION=1.26.10
- BUILD +$TARGET --K8S_VERSION=1.26.14
- BUILD +$TARGET --K8S_VERSION=1.27.2
- BUILD +$TARGET --K8S_VERSION=1.27.5
- BUILD +$TARGET --K8S_VERSION=1.27.7
- BUILD +$TARGET --K8S_VERSION=1.27.11
- BUILD +$TARGET --K8S_VERSION=1.27.15
- BUILD +$TARGET --K8S_VERSION=1.28.2
- BUILD +$TARGET --K8S_VERSION=1.28.7
- BUILD +$TARGET --K8S_VERSION=1.28.11
- BUILD +$TARGET --K8S_VERSION=1.29.2
- BUILD +$TARGET --K8S_VERSION=1.29.6
- END
+ BUILD +$TARGET --K8S_VERSION=1.24.6
+ BUILD +$TARGET --K8S_VERSION=1.25.2
+ BUILD +$TARGET --K8S_VERSION=1.25.13
+ BUILD +$TARGET --K8S_VERSION=1.25.15
+ BUILD +$TARGET --K8S_VERSION=1.26.4
+ BUILD +$TARGET --K8S_VERSION=1.26.8
+ BUILD +$TARGET --K8S_VERSION=1.26.10
+ BUILD +$TARGET --K8S_VERSION=1.26.12
+ BUILD +$TARGET --K8S_VERSION=1.26.15
+ BUILD +$TARGET --K8S_VERSION=1.27.2
+ BUILD +$TARGET --K8S_VERSION=1.27.5
+ BUILD +$TARGET --K8S_VERSION=1.27.7
+ BUILD +$TARGET --K8S_VERSION=1.27.9
+ BUILD +$TARGET --K8S_VERSION=1.27.11
+ BUILD +$TARGET --K8S_VERSION=1.27.15
+ BUILD +$TARGET --K8S_VERSION=1.27.16
+ BUILD +$TARGET --K8S_VERSION=1.28.2
+ BUILD +$TARGET --K8S_VERSION=1.28.5
+ BUILD +$TARGET --K8S_VERSION=1.28.9
+ BUILD +$TARGET --K8S_VERSION=1.28.11
+ BUILD +$TARGET --K8S_VERSION=1.28.12
+ BUILD +$TARGET --K8S_VERSION=1.29.0
+ BUILD +$TARGET --K8S_VERSION=1.29.6
+ BUILD +$TARGET --K8S_VERSION=1.29.7
+ ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ]
+ BUILD +$TARGET --K8S_VERSION=1.24.6
+ BUILD +$TARGET --K8S_VERSION=1.25.2
+ BUILD +$TARGET --K8S_VERSION=1.25.13
+ BUILD +$TARGET --K8S_VERSION=1.25.15
+ BUILD +$TARGET --K8S_VERSION=1.26.4
+ BUILD +$TARGET --K8S_VERSION=1.26.8
+ BUILD +$TARGET --K8S_VERSION=1.26.10
+ BUILD +$TARGET --K8S_VERSION=1.26.12
+ BUILD +$TARGET --K8S_VERSION=1.26.14
+ BUILD +$TARGET --K8S_VERSION=1.26.15
+ BUILD +$TARGET --K8S_VERSION=1.27.2
+ BUILD +$TARGET --K8S_VERSION=1.27.5
+ BUILD +$TARGET --K8S_VERSION=1.27.7
+ BUILD +$TARGET --K8S_VERSION=1.27.9
+ BUILD +$TARGET --K8S_VERSION=1.27.11
+ BUILD +$TARGET --K8S_VERSION=1.27.13
+ BUILD +$TARGET --K8S_VERSION=1.27.14
+ BUILD +$TARGET --K8S_VERSION=1.27.15
+ BUILD +$TARGET --K8S_VERSION=1.28.2
+ BUILD +$TARGET --K8S_VERSION=1.28.5
+ BUILD +$TARGET --K8S_VERSION=1.28.7
+ BUILD +$TARGET --K8S_VERSION=1.28.9
+ BUILD +$TARGET --K8S_VERSION=1.28.10
+ BUILD +$TARGET --K8S_VERSION=1.28.11
+ BUILD +$TARGET --K8S_VERSION=1.29.3
+ BUILD +$TARGET --K8S_VERSION=1.29.4
+ BUILD +$TARGET --K8S_VERSION=1.29.5
+ BUILD +$TARGET --K8S_VERSION=1.29.6
+ ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ]
+ BUILD +$TARGET --K8S_VERSION=1.24.6
+ BUILD +$TARGET --K8S_VERSION=1.25.2
+ BUILD +$TARGET --K8S_VERSION=1.25.13
+ BUILD +$TARGET --K8S_VERSION=1.25.15
+ BUILD +$TARGET --K8S_VERSION=1.26.4
+ BUILD +$TARGET --K8S_VERSION=1.26.8
+ BUILD +$TARGET --K8S_VERSION=1.26.10
+ BUILD +$TARGET --K8S_VERSION=1.26.14
+ BUILD +$TARGET --K8S_VERSION=1.27.2
+ BUILD +$TARGET --K8S_VERSION=1.27.5
+ BUILD +$TARGET --K8S_VERSION=1.27.7
+ BUILD +$TARGET --K8S_VERSION=1.27.11
+ BUILD +$TARGET --K8S_VERSION=1.27.15
+ BUILD +$TARGET --K8S_VERSION=1.28.2
+ BUILD +$TARGET --K8S_VERSION=1.28.7
+ BUILD +$TARGET --K8S_VERSION=1.28.11
+ BUILD +$TARGET --K8S_VERSION=1.29.2
+ BUILD +$TARGET --K8S_VERSION=1.29.6
+ ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ]
+ BUILD +$TARGET
+ END
 ELSE
 BUILD +$TARGET --K8S_VERSION="$K8S_VERSION"
 END
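Review bot: The new `ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ]` branch runs `BUILD +$TARGET` with no `--K8S_VERSION`, and the `provider-image` hunk later in this patch derives `BASE_K8S_VERSION` from `K8S_VERSION` only for the existing distributions, so any image name or tag in the target that interpolates `$K8S_VERSION` will contain an empty string for nodeadm — worth checking in the target body, which lies outside this hunk. Nearly all of the 81 new-side lines are whitespace-only re-indentation of the three version lists; moving that into its own commit (or reviewing with `git diff -w`) would leave the three functional lines visible. A comment on the branch such as `# nodeadm has no per-version provider image; K8S_VERSION is intentionally not passed` would record why this case differs, if that is indeed the reason.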
@@ -357,12 +360,14 @@ install-k8s:
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ]
 RUN luet install -y container-runtime/containerd --system-target /output
+ ELSE IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
+ RUN luet install -y container-runtime/containerd-fips --system-target /output
 END
- IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
- RUN luet install -y container-runtime/containerd-fips --system-target /output
+ IF [ "$K8S_DISTRIBUTION" != "nodeadm" ]
+ RUN luet install -y k8s/$K8S_DISTRIBUTION@$BASE_K8S_VERSION --system-target /output && luet cleanup
 END
- RUN luet install -y k8s/$K8S_DISTRIBUTION@$BASE_K8S_VERSION --system-target /output && luet cleanup
+
 RUN rm -rf /output/var/cache/*
 SAVE ARTIFACT /output/*
@@ -383,7 +388,7 @@ build-uki-iso:
 rm -f /overlay/opt/spectrocloud/content/*.zst; \
 fi
- #check if clusterconfig is passed in
+ # check if clusterconfig is passed in
 IF [ "$CLUSTERCONFIG" != "" ]
 COPY --if-exists "$CLUSTERCONFIG" /overlay/opt/spectrocloud/clusterconfig/spc.tgz
 END
@@ -449,7 +454,7 @@ build-iso:
 done; \
 rm -f /overlay/opt/spectrocloud/content/*.zst; \
 fi
- #check if clusterconfig is passed in
+ # check if clusterconfig is passed in
 IF [ "$CLUSTERCONFIG" != "" ]
 COPY --if-exists "$CLUSTERCONFIG" /overlay/opt/spectrocloud/clusterconfig/spc.tgz
 END
@@ -598,6 +603,8 @@ provider-image:
 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ]
 ARG K8S_DISTRIBUTION_TAG=$RKE2_FLAVOR_TAG
 ARG BASE_K8S_VERSION=$K8S_VERSION-$K8S_DISTRIBUTION_TAG
+ ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ] && [ "$OS_DISTRIBUTION" = "ubuntu" ]
+ RUN apt install -y dnsutils strongswan
 END
 COPY --if-exists overlay/files/etc/ /etc/
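Review bot: `RUN apt install -y dnsutils strongswan` in the `provider-image` hunk uses `apt` instead of `apt-get`, runs without a preceding index refresh (unless an earlier step in the target already did one, the package lists may be absent or stale, which either fails the step or installs whatever version the cached index names), and pulls recommended packages in, unlike the `apt-get update && apt-get install --no-install-recommends ... -y` form used elsewhere in this file. Align it: `RUN apt-get update && apt-get install --no-install-recommends -y dnsutils strongswan`. strongswan adds a full IPsec stack to every Ubuntu nodeadm provider image; a comment naming what EKS hybrid needs it for would make that added surface a deliberate choice rather than an unexplained dependency. In the `install-k8s` hunk the new `IF [ "$K8S_DISTRIBUTION" != "nodeadm" ]` guard is fine, but a short comment on it (`# nodeadm installs Kubernetes itself; nothing to stage here`, if that is the reason) would help, since the unconditional `RUN rm -rf /output/var/cache/*` below then runs on an empty tree.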
@@ -686,7 +693,10 @@ kairos-provider-image:
 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] && $FIPS_ENABLED
 ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/kairos-io/provider-rke2-fips:$RKE2_PROVIDER_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ]
- ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/kairos-io/provider-rke2:$RKE2_PROVIDER_VERSION
+ ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/kairos-io/provider-rke2:$RKE2_PROVIDER_VERSION
+ ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ]
+ # ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/kairos-io/provider-nodeadm:$NODEADM_PROVIDER_VERSION
+ ARG PROVIDER_BASE=tylergillson/provider-nodeadm:$NODEADM_PROVIDER_VERSION
 END
 FROM --platform=linux/${ARCH} $PROVIDER_BASE
 SAVE ARTIFACT ./*
diff --git a/test/test-two-node.sh b/test/test-two-node.sh
index c84607e..a84ef34 100755
--- a/test/test-two-node.sh
+++ b/test/test-two-node.sh
@@ -472,7 +472,7 @@ function build_canvos() {
 --TWO_NODE=true \
 --TWO_NODE_BACKEND=${TWO_NODE_BACKEND} \
 --CUSTOM_TAG=${STYLUS_HASH} \
- --PE_VERSION=v${PE_VERSION}
+ --PE_VERSION=v${PE_VERSION}
 docker push ${OCI_REGISTRY}/ubuntu:k3s-${K3S_VERSION}-v${PE_VERSION}-${STYLUS_HASH}
 }
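Review bot: The nodeadm branch has no FIPS counterpart: with `FIPS_ENABLED=true` and `K8S_DISTRIBUTION=nodeadm` the chain falls through to the same `provider-nodeadm:$NODEADM_PROVIDER_VERSION` image as the non-FIPS case, whereas the rke2 path just above selects a `-fips` image, so a FIPS build silently ships a non-FIPS provider. Either add an explicit branch ahead of it that stops the build, `ELSE IF [ "$K8S_DISTRIBUTION" = "nodeadm" ] && $FIPS_ENABLED` followed by `RUN echo "nodeadm has no FIPS provider image" >&2 && exit 1`, or document the gap in a comment on the branch. The commented-out `# ARG PROVIDER_BASE=...` line reads as dead code; if it is the intended final value, say so with a `TODO` rather than leaving an unexplained alternative.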