feat: support EKS hybrid nodes via edge standard flow

README.md

@@ -346,3 +346,56 @@ EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+
+### Audit Logs User Customisation
+
+#### Configuration
+rsyslog config file: `overlay/files/etc/rsyslog.d/49-stylus.conf` copied to `/etc/rsyslog.d/49-stylus.conf`  
+logrotate config file: `overlay/files/etc/logrotate.d/stylus.conf` copied to `/etc/logrotate.d/stylus.conf`
+
+#### Send stylus audit events to user file
+Users can log stylus audit events to additional files, in addition to `/var/log/stylus-audit.log`. To log stylus audit events to custom files, create a configuration file in the `overlay/files/etc/rsyslog.d` directory named `<filename>.conf` (must be before `49-stylus.conf` lexicographically).
+
+Example: `48-audit.conf`
+
+Users can use the following configuration as a base for their filtering logic. replace `<log file name>` with the desired file name
+```
+$PrivDropToUser root
+$PrivDropToGroup root
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then {
+    action(
+        type="omfile" 
+        file="<log file name>" 
+    )
+}
+```
+
+#### Send user application audit events to stylus audit file
+To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`:
+
+`<user app name>` : user application name or tag
+```
+$PrivDropToUser root
+$PrivDropToGroup root
+$Umask 0000
+$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '<user app name>') then {
+    action(
+        type="omfile" 
+        file="/var/log/stylus-audit.log" 
+        FileCreateMode="0600"
+        fileowner="root"
+        template="ForwardFormat"
+    )
+}
+```
+
+To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind`
+
+Example syslog entry
+```
+<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"}
+```
+
+Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI.

overlay/files/etc/logrotate.d/stylus.conf

@@ -0,0 +1,18 @@
+/var/log/stylus-audit.log {
+    yearly
+    rotate 2
+    missingok
+    notifempty
+    compress
+    dateext
+    dateformat -%d-%m-%Y
+    extension .log
+    maxsize 100M
+    create 600 root root
+    # to avoid 'writable by group or others' error
+    su root root
+    # reload or restart to point file handle to new log file
+    postrotate
+        systemctl try-reload-or-restart rsyslog 2>&1 || true
+    endscript
+}

overlay/files/etc/rsyslog.d/49-stylus.conf

@@ -0,0 +1,19 @@
+# Running rsyslog as root.
+$PrivDropToUser root
+$PrivDropToGroup root
+# default config has $Umask 0022 set. That breaks any config related to masks and modes.
+$Umask 0000
+
+# Mesage format as per rfc5424.
+$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"
+
+# route messages with facility local7 and severity notice to /var/log/stylus-audit.log
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then{
+    action(
+        type="omfile" 
+        file="/var/log/stylus-audit.log" 
+        FileCreateMode="0600"
+        fileowner="root"
+        template="ForwardFormat"
+	) & stop
+}

rhel-core-images/Dockerfile.rhel8.sat

@@ -0,0 +1,100 @@
+ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-init:8.7-10
+ARG KAIROS_FRAMEWORK_IMAGE=quay.io/kairos/framework:v2.7.41
+
+FROM $KAIROS_FRAMEWORK_IMAGE as kairosframework
+
+FROM $BASE_IMAGE 
+
+ARG KAIROS_FRAMEWORK_IMAGE
+ARG ORGNAME
+ARG KEYNAME
+ARG SATHOSTNAME
+
+RUN dnf config-manager --disable ubi-8-appstream-rpms ubi-8-baseos-rpms ubi-8-codeready-builder-rpms
+RUN rm /etc/rhsm-host
+RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm
+RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME}
+
+RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
+# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6
+RUN uuidgen > /etc/machine-id && dnf install -y \
+    squashfs-tools \ 
+    dracut-live \
+    livecd-tools \
+    dracut-squash \
+    dracut-network \
+    efibootmgr \
+    dhclient \
+    audit \
+    sudo \
+    systemd \
+    systemd-networkd \
+    systemd-timesyncd \
+    parted \
+    dracut \
+    e2fsprogs \
+    dosfstools \
+    coreutils-single \
+    device-mapper \
+    grub2 \
+    which \
+    curl \
+    nano \
+    gawk \
+    haveged \
+    polkit \
+    ncurses \
+    tar \
+    kbd \
+    lvm2 \
+    zstd \
+    openssh-server \
+    openssh-clients \
+    shim-x64 \
+    grub2-pc \
+    grub2-efi-x64 \
+    grub2-efi-x64-modules \
+    open-vm-tools \
+    iscsi-initiator-utils \
+    iptables ethtool socat iproute-tc conntrack \
+    kernel kernel-modules kernel-modules-extra \
+    rsync jq && dnf clean all
+
+
+COPY --from=kairosframework / /
+
+RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml
+
+RUN mkdir -p /run/lock
+RUN touch /usr/libexec/.keep
+
+
+# Configure the box. The ubi image masks services for containers, we unmask them 
+RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable systemd-networkd
+RUN systemctl enable systemd-resolved
+RUN systemctl enable sshd
+RUN systemctl disable selinux-autorelabel-mark.service 
+#RUN systemctl enable tmp.mount
+
+COPY overlay/rhel8/ /
+
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+            ln -sf "${kernel#/boot/}" /boot/vmlinuz
+RUN kernel=$(ls /lib/modules | head -n1) && \
+            dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
+            ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+RUN envsubst >>/etc/os-release </usr/lib/os-release.tmpl
+RUN mkdir -p /etc/luet/repos.conf.d
+## Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K  && rm /etc/machine-id
+
+
+RUN subscription-manager unregister

rhel-core-images/Dockerfile.rhel9

@@ -0,0 +1,96 @@
+ARG BASE_IMAGE=registry.access.redhat.com/ubi9-init:9.4-6
+
+FROM $BASE_IMAGE 
+ARG USERNAME
+ARG PASSWORD
+
+RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y
+# Subscription manager in redhat does not run directly in containers unless you run on a redhat host, hence we remove the rhsm-host, login to the redhat subscription and add the repos
+RUN rm /etc/rhsm-host && subscription-manager register --username ${USERNAME} --password ${PASSWORD} \
+  && yum repolist \
+  && subscription-manager attach --auto \
+  && subscription-manager repos --enable rhel-9-for-x86_64-appstream-rpms \
+  && yum repolist
+RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
+# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6
+RUN uuidgen > /etc/machine-id && dnf install -y \
+    squashfs-tools \ 
+    dracut-live \
+    livecd-tools \
+    dracut-squash \
+    dracut-network \
+    efibootmgr \
+    dhclient \
+    audit \
+    sudo \
+    systemd \
+    systemd-networkd \
+    systemd-timesyncd \
+    systemd-resolved \    
+    parted \
+    dracut \
+    e2fsprogs \
+    dosfstools \
+    coreutils-single \
+    device-mapper \
+    grub2 \
+    which \
+    nano \
+    gawk \
+    haveged \
+    polkit \
+    ncurses \
+    tar \
+    kbd \
+    lvm2 \
+    zstd \
+    openssh-server \
+    openssh-clients \
+    shim-x64 \
+    grub2-pc \
+    grub2-efi-x64 \
+    grub2-efi-x64-modules \
+    open-vm-tools \
+    iscsi-initiator-utils \
+    iptables ethtool socat iproute-tc conntrack \
+    kernel kernel-modules kernel-modules-extra \
+    rsync jq && dnf clean all
+
+
+COPY --from=quay.io/kairos/framework:v2.7.41 / /
+
+RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml
+
+RUN mkdir -p /run/lock
+RUN touch /usr/libexec/.keep
+
+
+# Configure the box. The ubi image masks services for containers, we unmask them 
+RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable systemd-networkd
+RUN systemctl enable systemd-resolved
+RUN systemctl enable sshd
+RUN systemctl disable selinux-autorelabel-mark.service 
+#RUN systemctl enable tmp.mount
+
+COPY overlay/rhel9/ /
+
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+            ln -sf "${kernel#/boot/}" /boot/vmlinuz
+RUN kernel=$(ls /lib/modules | head -n1) && \
+            dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
+            ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+RUN envsubst >>/etc/os-release </usr/lib/os-release.tmpl
+RUN mkdir -p /etc/luet/repos.conf.d
+## Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K  && rm /etc/machine-id
+
+
+RUN subscription-manager unregister

rhel-core-images/Dockerfile.rhel9.sat

@@ -0,0 +1,99 @@
+ARG BASE_IMAGE=registry.access.redhat.com/ubi9-init:9.4-6
+ARG KAIROS_FRAMEWORK_IMAGE=quay.io/kairos/framework:v2.7.41
+
+FROM $KAIROS_FRAMEWORK_IMAGE as kairosframework
+
+FROM $BASE_IMAGE 
+
+ARG KAIROS_FRAMEWORK_IMAGE
+ARG ORGNAME
+ARG KEYNAME
+ARG SATHOSTNAME
+
+RUN dnf config-manager --disable ubi-9-appstream-rpms ubi-9-baseos-rpms ubi-9-codeready-builder
+RUN rm /etc/rhsm-host
+RUN rpm -Uvh http://${SATHOSTNAME}/pub/katello-ca-consumer-latest.noarch.rpm
+RUN subscription-manager register --org=${ORGNAME} --activationkey=${KEYNAME}
+
+RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
+# Generate machine-id because https://bugzilla.redhat.com/show_bug.cgi?id=1737355#c6
+RUN uuidgen > /etc/machine-id && dnf install -y \
+    squashfs-tools \ 
+    dracut-live \
+    livecd-tools \
+    dracut-squash \
+    dracut-network \
+    efibootmgr \
+    dhclient \
+    audit \
+    sudo \
+    systemd \
+    systemd-networkd \
+    systemd-timesyncd \
+    systemd-resolved \    
+    parted \
+    dracut \
+    e2fsprogs \
+    dosfstools \
+    coreutils-single \
+    device-mapper \
+    grub2 \
+    which \
+    nano \
+    gawk \
+    haveged \
+    polkit \
+    ncurses \
+    tar \
+    kbd \
+    lvm2 \
+    zstd \
+    openssh-server \
+    openssh-clients \
+    shim-x64 \
+    grub2-pc \
+    grub2-efi-x64 \
+    grub2-efi-x64-modules \
+    open-vm-tools \
+    iscsi-initiator-utils \
+    iptables ethtool socat iproute-tc conntrack \
+    kernel kernel-modules kernel-modules-extra \
+    rsync jq && dnf clean all
+
+COPY --from=kairosframework / /
+
+RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml
+
+RUN mkdir -p /run/lock
+RUN touch /usr/libexec/.keep
+
+
+# Configure the box. The ubi image masks services for containers, we unmask them 
+RUN systemctl list-unit-files |grep masked |cut -f 1 -d " " | xargs systemctl unmask
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable [email protected]
+RUN systemctl enable systemd-networkd
+RUN systemctl enable systemd-resolved
+RUN systemctl enable sshd
+RUN systemctl disable selinux-autorelabel-mark.service 
+#RUN systemctl enable tmp.mount
+
+COPY overlay/rhel9/ /
+
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+            ln -sf "${kernel#/boot/}" /boot/vmlinuz
+RUN kernel=$(ls /lib/modules | head -n1) && \
+            dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
+            ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+RUN envsubst >>/etc/os-release </usr/lib/os-release.tmpl
+RUN mkdir -p /etc/luet/repos.conf.d
+## Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K  && rm /etc/machine-id
+
+
+RUN subscription-manager unregister