[experiment] [Fedora 37] Install systemd-resolved in dracut to enable DNS

.github/actions/constellation_create/action.yml

@@ -69,13 +69,13 @@ runs:
             (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" |
             (.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" |
             (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" |
-            (.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [11,12]" \
+            (.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [15]" \
           constellation-conf.yaml
         yq eval -i \
           "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" |
             (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" |
             (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" |
-            (.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [11,12] |
+            (.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [15] |
             (.provider | select(. | has(\"gcp\")).gcp.serviceAccountKeyPath) = \"serviceAccountKey.json\"" \
           constellation-conf.yaml
 

.github/actions/os_build_variables/action.yml

@@ -78,6 +78,9 @@ outputs:
   azureImageDefinition:
     description: "Azure image definition"
     value: ${{ steps.azure.outputs.imageDefinition }}
+  azureImageOffer:
+    description: "Azure image offer"
+    value: ${{ steps.azure.outputs.imageOffer }}
   azureImageVersion:
     description: "Azure image version"
     value: ${{ steps.azure.outputs.imageVersion }}
@@ -134,9 +137,9 @@ runs:
         echo "region=eu-central-1" >> $GITHUB_OUTPUT
         echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
         echo "bucket=constellation-images" >> $GITHUB_OUTPUT
-        echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_OUTPUT
-        echo "amiOutput=${basePath}/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_OUTPUT
+        echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~37/efivars.bin" >> $GITHUB_OUTPUT
+        echo "imagePath=${basePath}/mkosi.output.aws/fedora~37/image.raw" >> $GITHUB_OUTPUT
+        echo "amiOutput=${basePath}/mkosi.output.aws/fedora~37/ami.json" >> $GITHUB_OUTPUT
         echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
         if [ "${imageType}" = release ]
         then
@@ -170,8 +173,8 @@ runs:
         echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
         echo "sku=constellation" >> $GITHUB_OUTPUT
         echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
-        echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_OUTPUT
+        echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~37/image.raw" >> $GITHUB_OUTPUT
+        echo "imagePath=${basePath}/mkosi.output.azure/fedora~37/image.vhd" >> $GITHUB_OUTPUT
         # TODO: set default security type to "ConfidentialVM" once replication is possible
         securityType=${{ inputs.uploadVariant }}
         if [ -z "${securityType}" ]; then
@@ -223,8 +226,8 @@ runs:
         echo "project=constellation-images" >> $GITHUB_OUTPUT
         echo "bucket=constellation-images" >> $GITHUB_OUTPUT
         echo "region=europe-west3" >> $GITHUB_OUTPUT
-        echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_OUTPUT
-        echo "imagePath=${basePath}/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_OUTPUT
+        echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~37/image.raw" >> $GITHUB_OUTPUT
+        echo "imagePath=${basePath}/mkosi.output.gcp/fedora~37/image.tar.gz" >> $GITHUB_OUTPUT
         if [ "${imageType}" = release ]
         then
           echo "imageName=constellation-${imageVersion//./-}" >> $GITHUB_OUTPUT

.github/workflows/build-os-image.yml

@@ -194,14 +194,14 @@ jobs:
           echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
           echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
           echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
-        working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
+        working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
         continue-on-error: true
 
       - name: Upload raw OS image as artifact
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
         with:
           name: image-${{ matrix.csp }}
-          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
+          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw
         if: always()
         continue-on-error: true
 
@@ -210,13 +210,13 @@ jobs:
         with:
           name: parts-${{ matrix.csp }}
           path: |
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz
         if: always()
         continue-on-error: true
 
@@ -225,8 +225,8 @@ jobs:
         with:
           name: manifest-${{ matrix.csp }}
           path: |
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
-            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog
+            ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest
         if: always()
         continue-on-error: true
 
@@ -253,7 +253,7 @@ jobs:
         uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
         with:
           name: image-${{ matrix.csp }}
-          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
+          path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37
 
       - name: Configure input variables
         id: vars

image/Makefile

@@ -13,9 +13,9 @@ certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
 
 all: $(csps)
 
-$(csps): %: mkosi.output.%/fedora~36/image.raw
+$(csps): %: mkosi.output.%/fedora~37/image.raw
 
-mkosi.output.%/fedora~36/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
+mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
 	mkosi --config mkosi.files/mkosi.$*.conf build
 	secure-boot/signed-shim.sh $@
 	@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \

image/README.md

@@ -75,7 +75,7 @@ After that, you can build the image with:
 sudo make -j $(nproc)
 ```
 
-Raw images will be placed in `mkosi.output.<CSP>/fedora~36/image.raw`.
+Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.
 
 ## Prepare Secure Boot
 
@@ -87,7 +87,7 @@ For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. Th
 <summary>libvirt / QEMU / KVM</summary>
 
 ```sh
-secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~36/image.raw
+secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~37/image.raw
 ```
 
 </details>
@@ -109,8 +109,8 @@ export AZURE_REGION=northeurope
 export AZURE_REPLICATION_REGIONS=
 export AZURE_DISK_NAME=constellation-$(date +%s)
 export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
-export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
-export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
+export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
+export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
 export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs
 export BLOBS_DIR=${PWD}/blobs
 upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
@@ -155,10 +155,10 @@ export PKI=${PWD}/pki
 export AWS_REGION=eu-central-1
 export AWS_REPLICATION_REGIONS="us-east-2"
 export AWS_BUCKET=constellation-images
-export AWS_EFIVARS_PATH=${PWD}/mkosi.output.aws/fedora~36/efivars.bin
-export AWS_IMAGE_PATH=${PWD}/mkosi.output.aws/fedora~36/image.raw
+export AWS_EFIVARS_PATH=${PWD}/mkosi.output.aws/fedora~37/efivars.bin
+export AWS_IMAGE_PATH=${PWD}/mkosi.output.aws/fedora~37/image.raw
 export AWS_IMAGE_FILENAME=image-$(date +%s).raw
-export AWS_AMI_OUTPUT=${PWD}/mkosi.output.aws/fedora~36/ami.txt
+export AWS_AMI_OUTPUT=${PWD}/mkosi.output.aws/fedora~37/ami.txt
 secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
 upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
 ```
@@ -184,9 +184,9 @@ export PKI=${PWD}/pki
 export GCP_PROJECT=constellation-images
 export GCP_REGION=europe-west3
 export GCP_BUCKET=constellation-images
-export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.raw
+export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.raw
 export GCP_IMAGE_FILENAME=$(date +%s).tar.gz
-export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.tar.gz
+export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~37/image.tar.gz
 upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
 upload/upload_gcp.sh
 ```
@@ -215,8 +215,8 @@ export AZURE_IMAGE_OFFER=constellation
 export AZURE_SKU=constellation
 export AZURE_PUBLISHER=edgelesssys
 export AZURE_DISK_NAME=constellation-$(date +%s)
-export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
-export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
+export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.raw
+export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~37/image.vhd
 upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
 upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
 ```

image/mkosi.conf.d/mkosi.conf

@@ -1,6 +1,6 @@
 [Distribution]
 Distribution=fedora
-Release=36
+Release=37
 
 [Output]
 Format=gpt_squashfs

image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf

@@ -1,4 +1,5 @@
 # enable networking in initrd (initramfs) with dracut and systemd-networkd
 install_items+=" /usr/lib/systemd/network/20-wired.network "
 install_items+=" /usr/lib/systemd/network/21-azure.network "
-add_dracutmodules+=" systemd-networkd "
+# see https://github.com/dracutdevs/dracut/tree/master/modules.d for a list of modules
+add_dracutmodules+=" systemd-networkd systemd-resolved "

image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh

@@ -4,7 +4,8 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 depends() {
-    echo systemd
+    # expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
+    echo systemd-network-management
 }
 
 install_and_enable_unit() {
@@ -16,6 +17,11 @@ install_and_enable_unit() {
         "${systemdsystemconfdir}/${target}.wants/${unit}"
 }
 
+install_path() {
+    local dir="$1"; shift
+    mkdir -p "${initdir}/${dir}"
+}
+
 install() {
     inst_multiple \
         bash
@@ -59,4 +65,9 @@ install() {
         "/usr/sbin/aws-nvme-disk"
     install_and_enable_unit "aws-nvme-disk.service" \
         "basic.target"
+
+    # TLS / CA store in initramfs
+    install_path /etc/pki/tls/certs/
+    inst_simple /etc/pki/tls/certs/ca-bundle.crt \
+        /etc/pki/tls/certs/ca-bundle.crt
 }

image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Prepare encrypted state disk
 Before=initrd-fs.target
-After=network-online.target configure-constel-csp.service
+After=network-online.target nss-lookup.target configure-constel-csp.service
 Wants=network-online.target
 Requires=initrd-root-fs.target
 FailureAction=reboot-immediate