Bump examples to use new kairos init and improve them a bit (#3227)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/build-examples.yaml

@@ -0,0 +1,27 @@
+name: Build Examples
+
+on:
+  push:
+    paths:
+      - 'examples/builds/**'
+
+jobs:
+  build:
+    name: ${{ matrix.example-dir }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        example-dir:
+          - "fedora-fips"
+          - "rockylinux-fips"
+          - "ubuntu-non-hwe"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Build Dockerfile
+        uses: docker/build-push-action@v6
+        with:
+          file: examples/builds/${{ matrix.example-dir }}/Dockerfile
+          context: examples/builds/${{ matrix.example-dir }}

examples/builds/fedora-fips/Dockerfile

@@ -0,0 +1,16 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM fedora:40
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --fips --version "${VERSION}"
+
+# Copy the custom dracut config file which enables fips
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac

examples/byoi/fedora-fips/README.md → examples/builds/fedora-fips/README.md

@@ -19,7 +19,6 @@ install:
 ```
 
 Notes:
-- Most of the Dockerfile configuration are: packages being installed by fedora, and the framework files coming from Kairos containing FIPS-enabled packages
 - The LiveCD is not running in fips mode
 - You must add `selinux=0`. SELinux is not supported yet and must be explicitly disabled
 

examples/builds/fedora-fips/build.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+# Build the container image
+docker build -t fedora-40-fips .
+
+# Build ISO from that container
+docker run --rm -ti \
+-v "$PWD"/build:/tmp/auroraboot \
+-v /var/run/docker.sock:/var/run/docker.sock \
+quay.io/kairos/auroraboot:v0.5.0 \
+--set container_image=docker://fedora-40-fips \
+--set "disable_http_server=true" \
+--set "disable_netboot=true" \
+--set "state_dir=/tmp/auroraboot"

examples/builds/fedora-fips/run.sh

@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso

examples/builds/rockylinux-fips/Dockerfile

@@ -0,0 +1,15 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM rockylinux:9
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --fips --version "${VERSION}"
+# Copy the custom dracut config file
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac

examples/byoi/rockylinux-fips/README.md → examples/builds/rockylinux-fips/README.md

@@ -19,7 +19,6 @@ install:
 ```
 
 Notes:
-- Most of the Dockerfile configuration are: packages being installed by fedora, and the framework files coming from Kairos containing FIPS-enabled packages
 - The LiveCD is not running in fips mode
 - You must add `selinux=0`. SELinux is not supported yet and must be explicitly disabled
 

examples/builds/rockylinux-fips/build.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+# Build the container image
+docker build -t rocky-9-fips .
+
+# Build ISO from that container
+docker run --rm -ti \
+-v "$PWD"/build:/tmp/auroraboot \
+-v /var/run/docker.sock:/var/run/docker.sock \
+quay.io/kairos/auroraboot:v0.5.0 \
+--set container_image=docker://rocky-9-fips \
+--set "disable_http_server=true" \
+--set "disable_netboot=true" \
+--set "state_dir=/tmp/auroraboot"

examples/builds/rockylinux-fips/run.sh

@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso

examples/builds/ubuntu-fips/Dockerfile

@@ -0,0 +1,27 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM ubuntu:20.04
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --fips --version "${VERSION}"
+# Remove default kernel that Kairos-init installs
+RUN apt-get remove -y linux-base linux-image-generic-hwe-20.04 && apt-get autoremove -y
+## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
+## I've just added "linux-image-fips" in the package list
+RUN --mount=type=secret,id=pro-attach-config \
+    apt-get update \
+    && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
+    && pro attach --attach-config /run/secrets/pro-attach-config \
+    && apt-get upgrade -y \
+    && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
+    && pro detach --assume-yes
+
+# Copy the custom dracut config file which enables fipsn
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac

examples/byoi/ubuntu-fips/README.md → examples/builds/ubuntu-fips/README.md

@@ -21,8 +21,8 @@ install:
 
 Notes:
 - The dracut patch is needed as Ubuntu has an older version of systemd
-- Most of the Dockerfile configuration are: packages being installed by Ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages
 - The LiveCD is not running in fips mode
+- Ubuntu FIPS support is only available for 16.04 LTS, 18.04 LTS, or 20.04 LTS
 
 ## Verify FIPS is enabled
 

examples/builds/ubuntu-fips/build.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+# Build the container image
+docker build --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips .
+
+# Build ISO from that container
+docker run --rm -ti \
+-v "$PWD"/build:/tmp/auroraboot \
+-v /var/run/docker.sock:/var/run/docker.sock \
+quay.io/kairos/auroraboot:v0.5.0 \
+--set container_image=docker://ubuntu-focal-fips \
+--set "disable_http_server=true" \
+--set "disable_netboot=true" \
+--set "state_dir=/tmp/auroraboot"

examples/byoi/ubuntu-fips/pro-attach-config.yaml → examples/builds/ubuntu-fips/pro-attach-config.yaml

@@ -1,3 +1,3 @@
 token: YOUR_TOKEN_HERE
 enable_services:
-  - fips
+  - fips-updates

examples/builds/ubuntu-fips/run.sh

@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso

examples/builds/ubuntu-non-hwe/Dockerfile

@@ -0,0 +1,13 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM ubuntu:22.04 AS base-kairos
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --version "${VERSION}"
+# Remove default kernel that Kairos-init installs
+RUN apt-get remove -y linux-base linux-image-generic-hwe-22.04 && apt-get autoremove -y
+# Install generic linux image instead
+RUN apt-get install -y --no-install-recommends linux-image-generic
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init

examples/builds/ubuntu-non-hwe/README.md

@@ -0,0 +1,33 @@
+# Ubuntu non-HWE image
+
+Our Ubuntu based images, will use HWE kernels. If you need to use a non-HWE one, you can build an image of your own with the kernel of your choice, and then use it as your `BASE_IMAGE`. Here's an example:
+
+We are going to assume that you start the process at the root of the Kairos repo and that the non-HWE image is the one in the Dockerfile within the same directory as this README.md file.
+
+Let's start by building the base image.
+
+```
+$ cd examples/byoi/ubuntu-non-hwe
+$ docker build -t ubuntu-non-hwe:22.04 .
+[+] Building 58.7s (13/13) FINISHED                                                      docker:default
+ => [internal] load build definition from Dockerfile                                               0.0s
+ => => transferring dockerfile: 577B                                                               0.0s
+ => [internal] load metadata for docker.io/library/ubuntu:22.04                                    0.4s
+ => [internal] load metadata for quay.io/kairos/kairos-init:v0.2.6                                 0.5s
+ => [internal] load .dockerignore                                                                  0.0s
+ => => transferring context: 2B                                                                    0.0s
+ => [kairos-init 1/1] FROM quay.io/kairos/kairos-init:v0.2.6@sha256:35f581dbc480385b21f7a22317fc5  0.0s
+ => [base-kairos 1/7] FROM docker.io/library/ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5c  0.0s
+ => CACHED [base-kairos 2/7] COPY --from=kairos-init /kairos-init /kairos-init                     0.0s
+ => CACHED [base-kairos 3/7] RUN /kairos-init -l debug -s install --version "v0.0.1"               0.0s
+ => [base-kairos 4/7] RUN apt-get remove -y linux-base linux-image-generic-hwe-22.04 && apt-get a  2.3s
+ => [base-kairos 5/7] RUN apt-get install -y --no-install-recommends linux-image-generic          18.4s
+ => [base-kairos 6/7] RUN /kairos-init -l debug -s init --version "v0.0.1"                        34.1s 
+ => [base-kairos 7/7] RUN rm /kairos-init                                                          0.2s 
+ => exporting to image                                                                             3.3s 
+ => => exporting layers                                                                            3.3s 
+ => => writing image sha256:eea47e62c3238b7f51301ce7ab99bbe43036b401d288dd27b7f1eb6f4193a5fa       0.0s 
+ => => naming to docker.io/library/ubuntu-non-hwe:22.04   
+```
+
+You should now be able to use your container image `ubuntu-non-hwe:22.04` as base artifact to generate ISOs or raw images.Have a look at osbuilder-tools or AuroraBoot in the kairos documentation for how to build those.