From cb4bb56b93f49b11417eac172359f6b727a56c26 Mon Sep 17 00:00:00 2001 
From: Itxaka Date: Fri, 28 Feb 2025 15:45:16 +0100 Subject: [PATCH] Bump examples to use new kairos init and improve them a bit (#3227) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-examples.yaml | 27 ++++ examples/builds/fedora-fips/Dockerfile | 16 ++ .../{byoi => builds}/fedora-fips/README.md | 1 - examples/builds/fedora-fips/build.sh | 16 ++ .../{byoi => builds}/fedora-fips/dracut.conf | 0 examples/builds/fedora-fips/run.sh | 9 ++ examples/builds/rockylinux-fips/Dockerfile | 15 ++ .../rockylinux-fips/README.md | 1 - examples/builds/rockylinux-fips/build.sh | 16 ++ .../rockylinux-fips/dracut.conf | 0 examples/builds/rockylinux-fips/run.sh | 9 ++ examples/builds/ubuntu-fips/Dockerfile | 27 ++++ .../{byoi => builds}/ubuntu-fips/README.md | 2 +- examples/builds/ubuntu-fips/build.sh | 16 ++ .../{byoi => builds}/ubuntu-fips/dracut.conf | 0 .../ubuntu-fips/pro-attach-config.yaml | 2 +- examples/builds/ubuntu-fips/run.sh | 9 ++ examples/builds/ubuntu-non-hwe/Dockerfile | 13 ++ examples/builds/ubuntu-non-hwe/README.md | 33 ++++ examples/byoi/fedora-fips/Dockerfile | 103 ------------ examples/byoi/fedora-fips/build.sh | 14 -- examples/byoi/fedora-fips/run.sh | 3 - examples/byoi/fedora/Dockerfile | 91 ----------- examples/byoi/fedora/README.md | 1 - examples/byoi/fedora/build.sh | 15 -- examples/byoi/rockylinux-fips/Dockerfile | 106 ------------- examples/byoi/rockylinux-fips/build.sh | 14 -- examples/byoi/rockylinux-fips/run.sh | 3 - examples/byoi/ubuntu-fips/Dockerfile | 149 ------------------ examples/byoi/ubuntu-fips/build.sh | 2 - examples/byoi/ubuntu-fips/run.sh | 3 - examples/byoi/ubuntu-non-hwe/Dockerfile | 4 - examples/byoi/ubuntu-non-hwe/README.md | 44 ------ 33 files changed, 208 insertions(+), 556 deletions(-) create mode 100644 .github/workflows/build-examples.yaml create mode 100644 examples/builds/fedora-fips/Dockerfile rename examples/{byoi => builds}/fedora-fips/README.md (84%) create mode 
100755 examples/builds/fedora-fips/build.sh rename examples/{byoi => builds}/fedora-fips/dracut.conf (100%) create mode 100755 examples/builds/fedora-fips/run.sh create mode 100644 examples/builds/rockylinux-fips/Dockerfile rename examples/{byoi => builds}/rockylinux-fips/README.md (84%) create mode 100755 examples/builds/rockylinux-fips/build.sh rename examples/{byoi => builds}/rockylinux-fips/dracut.conf (100%) create mode 100755 examples/builds/rockylinux-fips/run.sh create mode 100644 examples/builds/ubuntu-fips/Dockerfile rename examples/{byoi => builds}/ubuntu-fips/README.md (84%) create mode 100755 examples/builds/ubuntu-fips/build.sh rename examples/{byoi => builds}/ubuntu-fips/dracut.conf (100%) rename examples/{byoi => builds}/ubuntu-fips/pro-attach-config.yaml (70%) create mode 100755 examples/builds/ubuntu-fips/run.sh create mode 100644 examples/builds/ubuntu-non-hwe/Dockerfile create mode 100644 examples/builds/ubuntu-non-hwe/README.md delete mode 100644 examples/byoi/fedora-fips/Dockerfile delete mode 100644 examples/byoi/fedora-fips/build.sh delete mode 100644 examples/byoi/fedora-fips/run.sh delete mode 100644 examples/byoi/fedora/Dockerfile delete mode 100644 examples/byoi/fedora/README.md delete mode 100644 examples/byoi/fedora/build.sh delete mode 100644 examples/byoi/rockylinux-fips/Dockerfile delete mode 100644 examples/byoi/rockylinux-fips/build.sh delete mode 100644 examples/byoi/rockylinux-fips/run.sh delete mode 100644 examples/byoi/ubuntu-fips/Dockerfile delete mode 100644 examples/byoi/ubuntu-fips/build.sh delete mode 100644 examples/byoi/ubuntu-fips/run.sh delete mode 100644 examples/byoi/ubuntu-non-hwe/Dockerfile delete mode 100644 examples/byoi/ubuntu-non-hwe/README.md diff --git a/.github/workflows/build-examples.yaml b/.github/workflows/build-examples.yaml new file mode 100644 index 000000000..067260f6b --- /dev/null +++ b/.github/workflows/build-examples.yaml 
@@ -0,0 +1,27 @@
+name: Build Examples
+
+on:
+ push:
+ paths:
+ - 'examples/builds/**'
+
+jobs:
+ build:
+ name: ${{ matrix.example-dir }}
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ example-dir:
+ - "fedora-fips"
+ - "rockylinux-fips"
+ - "ubuntu-non-hwe"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Build Dockerfile
+ uses: docker/build-push-action@v6
+ with:
+ file: examples/builds/${{ matrix.example-dir }}/Dockerfile
+ context: examples/builds/${{ matrix.example-dir }}
diff --git a/examples/builds/fedora-fips/Dockerfile b/examples/builds/fedora-fips/Dockerfile
new file mode 100644
index 000000000..00b26deda
--- /dev/null
+++ b/examples/builds/fedora-fips/Dockerfile
@@ -0,0 +1,16 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM fedora:40
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --fips --version "${VERSION}"
+
+# Copy the custom dracut config file which enables fips
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac
\ No newline at end of file
diff --git a/examples/byoi/fedora-fips/README.md b/examples/builds/fedora-fips/README.md
similarity index 84%
rename from examples/byoi/fedora-fips/README.md
rename to examples/builds/fedora-fips/README.md
index 92ecdc9d3..ebac15a19 100644
--- a/examples/byoi/fedora-fips/README.md
+++ b/examples/builds/fedora-fips/README.md
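Review bot: The three `uses:` lines pin actions to mutable major tags (`actions/checkout@v2`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v6`), so what this workflow executes floats with whatever those tags point to at build time; pin each to a full commit SHA with the version in a trailing comment, and move checkout and setup-buildx to current majors, since v2/v1 are several majors behind the build-push-action the same job already uses. The job also declares no `permissions:` block and so inherits the repository default token scope for a step that only needs to read the checkout; add `permissions: contents: read` at the top level. `ubuntu-fips` is absent from the matrix, presumably because it needs the Pro attach secret; a one-line comment next to the matrix saying so would make the omission read as deliberate rather than forgotten.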
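Review bot: The last `RUN` pipes `ls /boot/vmlinuz-*` into `head -n1` under the image's default `/bin/sh -c`, so a failing `ls` (no kernel installed) is masked by `head`, the step succeeds with an empty `kernel`, and the HMAC line silently becomes `ln -sf ..hmac /boot/.vmlinuz.hmac`; the Dockerfile this replaces set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the same pipeline and that line was dropped here. Restore the `SHELL` line ahead of the pipeline, or avoid the pipe entirely with a glob that fails when nothing matches: `RUN set -- /boot/vmlinuz-*; test -f "$1" && ln -sf ".${1#/boot/}.hmac" /boot/.vmlinuz.hmac`. `FROM fedora:40` is tag-only; for an image whose purpose is a FIPS-validated crypto stack, pinning the base by digest makes the build reproducible and auditable.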
@@ -19,7 +19,6 @@ install: ``` Notes: -- Most of the Dockerfile configuration are: packages being installed by fedora, and the framework files coming from Kairos containing FIPS-enabled packages - The LiveCD is not running in fips mode - You must add `selinux=0`. SELinux is not supported yet and must be explicitly disabled diff --git a/examples/builds/fedora-fips/build.sh b/examples/builds/fedora-fips/build.sh new file mode 100755 index 000000000..ea48c110f --- /dev/null +++ b/examples/builds/fedora-fips/build.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -ex + +# Build the container image +docker build -t fedora-40-fips . + +# Build ISO from that container +docker run --rm -ti \ +-v "$PWD"/build:/tmp/auroraboot \ +-v /var/run/docker.sock:/var/run/docker.sock \ +quay.io/kairos/auroraboot:v0.5.0 \ +--set container_image=docker://fedora-40-fips \ +--set "disable_http_server=true" \ +--set "disable_netboot=true" \ +--set "state_dir=/tmp/auroraboot" \ No newline at end of file diff --git a/examples/byoi/fedora-fips/dracut.conf b/examples/builds/fedora-fips/dracut.conf similarity index 100% rename from examples/byoi/fedora-fips/dracut.conf rename to examples/builds/fedora-fips/dracut.conf diff --git a/examples/builds/fedora-fips/run.sh b/examples/builds/fedora-fips/run.sh new file mode 100755 index 000000000..bf1761682 --- /dev/null +++ b/examples/builds/fedora-fips/run.sh @@ -0,0 +1,9 @@ +qemu-img create -f qcow2 disk.img 40g + +qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \ +-serial mon:stdio -rtc base=utc,clock=rt \ +-chardev socket,path=qga.sock,server,nowait,id=qga0 \ +-device virtio-serial \ +-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \ +-drive if=virtio,media=disk,file=disk.img \ +-drive if=ide,media=cdrom,file=build/kairos.iso diff --git a/examples/builds/rockylinux-fips/Dockerfile b/examples/builds/rockylinux-fips/Dockerfile new file mode 100644 index 000000000..fe91a5b4c --- /dev/null 
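Review bot: `docker run --rm -ti` allocates a TTY and attaches stdin, so the ISO step aborts with "the input device is not a TTY" as soon as this script runs from CI or a pipe; drop `-ti` (nothing here needs interactive input) or guard it with `[ -t 0 ] && tty_flags=-ti`. The bind of `/var/run/docker.sock` hands the auroraboot container full control of the host Docker daemon, presumably so it can read the locally built `fedora-40-fips` image; a comment such as `# auroraboot reads the local image through the host docker socket — this is root-equivalent on the host` tells readers not to copy the line into a shared runner blindly.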
+++ b/examples/builds/rockylinux-fips/Dockerfile @@ -0,0 +1,15 @@ +FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init + +FROM rockylinux:9 +ARG VERSION=v0.0.1 + +COPY --from=kairos-init /kairos-init /kairos-init +RUN /kairos-init -l debug -s install --fips --version "${VERSION}" +# Copy the custom dracut config file +COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf + +RUN /kairos-init -l debug -s init --version "${VERSION}" +RUN rm /kairos-init + +# Symlink kernel HMAC +RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac diff --git a/examples/byoi/rockylinux-fips/README.md b/examples/builds/rockylinux-fips/README.md similarity index 84% rename from examples/byoi/rockylinux-fips/README.md rename to examples/builds/rockylinux-fips/README.md index 6f2bcb92a..bd5f9bc7b 100644 --- a/examples/byoi/rockylinux-fips/README.md +++ b/examples/builds/rockylinux-fips/README.md @@ -19,7 +19,6 @@ install: ``` Notes: -- Most of the Dockerfile configuration are: packages being installed by fedora, and the framework files coming from Kairos containing FIPS-enabled packages - The LiveCD is not running in fips mode - You must add `selinux=0`. SELinux is not supported yet and must be explicitly disabled diff --git a/examples/builds/rockylinux-fips/build.sh b/examples/builds/rockylinux-fips/build.sh new file mode 100755 index 000000000..1c06d2992 --- /dev/null +++ b/examples/builds/rockylinux-fips/build.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -ex + +# Build the container image +docker build -t rocky-9-fips . + +# Build ISO from that container +docker run --rm -ti \ +-v "$PWD"/build:/tmp/auroraboot \ +-v /var/run/docker.sock:/var/run/docker.sock \ +quay.io/kairos/auroraboot:v0.5.0 \ +--set container_image=docker://rocky-9-fips \ +--set "disable_http_server=true" \ +--set "disable_netboot=true" \ +--set "state_dir=/tmp/auroraboot" 
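Review bot: The HMAC step `ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac` creates the symlink whether or not the `.vmlinuz-<ver>.hmac` file it points at exists, so an image whose kernel package shipped without an HMAC (or under a different filename) builds cleanly and the problem presumably only surfaces when the FIPS integrity check runs at boot. Verify the target at build time so the failure shows up in CI instead: `RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && test -f "/boot/.${kernel#/boot/}.hmac" && ln -sf ".${kernel#/boot/}.hmac" /boot/.vmlinuz.hmac`. The same line appears in the fedora and ubuntu examples and wants the same guard. `--fips` is passed to `install` but not to `init`; if that is intended, a one-line comment saying why would stop the next reader from "fixing" it.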
diff --git a/examples/byoi/rockylinux-fips/dracut.conf b/examples/builds/rockylinux-fips/dracut.conf
similarity index 100%
rename from examples/byoi/rockylinux-fips/dracut.conf
rename to examples/builds/rockylinux-fips/dracut.conf
diff --git a/examples/builds/rockylinux-fips/run.sh b/examples/builds/rockylinux-fips/run.sh
new file mode 100755
index 000000000..bf1761682
--- /dev/null
+++ b/examples/builds/rockylinux-fips/run.sh
@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso
diff --git a/examples/builds/ubuntu-fips/Dockerfile b/examples/builds/ubuntu-fips/Dockerfile
new file mode 100644
index 000000000..ccdc72c1a
--- /dev/null
+++ b/examples/builds/ubuntu-fips/Dockerfile
@@ -0,0 +1,27 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM ubuntu:20.04
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --fips --version "${VERSION}"
+# Remove default kernel that Kairos-init installs
+RUN apt-get remove -y linux-base linux-image-generic-hwe-20.04 && apt-get autoremove -y
+## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
+## I've just added "linux-image-fips" in the package list
+RUN --mount=type=secret,id=pro-attach-config \
+ apt-get update \
+ && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
+ && pro attach --attach-config /run/secrets/pro-attach-config \
+ && apt-get upgrade -y \
+ && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
+ && pro detach --assume-yes
+
+# Copy the custom dracut config file which enables fipsn
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac
\ No newline at end of file
diff --git a/examples/byoi/ubuntu-fips/README.md b/examples/builds/ubuntu-fips/README.md
similarity index 84%
rename from examples/byoi/ubuntu-fips/README.md
rename to examples/builds/ubuntu-fips/README.md
index 24c93e9f6..e2452de0b 100644
--- a/examples/byoi/ubuntu-fips/README.md
+++ b/examples/builds/ubuntu-fips/README.md
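Review bot: The `pro attach … && pro detach` chain leaves `ubuntu-advantage-tools` installed and the apt lists fetched while attached in the committed layer, whereas the Dockerfile it replaces (`examples/byoi/ubuntu-fips`) purged the tool and removed `/var/lib/apt/lists/*` in the same `RUN`; presumably the tool is unneeded once detached, and the lists may still carry Pro repository metadata into the image. Consider ending the chain with `&& apt-get purge --auto-remove -y ubuntu-advantage-tools && rm -rf /var/lib/apt/lists/*`, and adding a build-time assertion that nothing survives under `/var/lib/ubuntu-advantage/private/` (where the Pro client appears to keep attach state — confirm against the client docs) so a token can never end up in a pushed layer. `apt-get upgrade -y` inside the chain also makes the image non-reproducible between builds; if the intent is only to pull FIPS variants of already-installed packages, a comment should say so. Minor: `# Copy the custom dracut config file which enables fipsn` has a stray `n`.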
@@ -21,8 +21,8 @@ install: Notes: - The dracut patch is needed as Ubuntu has an older version of systemd -- Most of the Dockerfile configuration are: packages being installed by Ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages - The LiveCD is not running in fips mode +- Ubuntu FIPS support is only available for 16.04 LTS, 18.04 LTS, or 20.04 LTS ## Verify FIPS is enabled diff --git a/examples/builds/ubuntu-fips/build.sh b/examples/builds/ubuntu-fips/build.sh new file mode 100755 index 000000000..a6fb6c8e4 --- /dev/null +++ b/examples/builds/ubuntu-fips/build.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -ex + +# Build the container image +docker build --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips . + +# Build ISO from that container +docker run --rm -ti \ +-v "$PWD"/build:/tmp/auroraboot \ +-v /var/run/docker.sock:/var/run/docker.sock \ +quay.io/kairos/auroraboot:v0.5.0 \ +--set container_image=docker://ubuntu-focal-fips \ +--set "disable_http_server=true" \ +--set "disable_netboot=true" \ +--set "state_dir=/tmp/auroraboot" diff --git a/examples/byoi/ubuntu-fips/dracut.conf b/examples/builds/ubuntu-fips/dracut.conf similarity index 100% rename from examples/byoi/ubuntu-fips/dracut.conf rename to examples/builds/ubuntu-fips/dracut.conf diff --git a/examples/byoi/ubuntu-fips/pro-attach-config.yaml b/examples/builds/ubuntu-fips/pro-attach-config.yaml similarity index 70% rename from examples/byoi/ubuntu-fips/pro-attach-config.yaml rename to examples/builds/ubuntu-fips/pro-attach-config.yaml index 0acb5bf50..a25c49ddc 100644 --- a/examples/byoi/ubuntu-fips/pro-attach-config.yaml +++ b/examples/builds/ubuntu-fips/pro-attach-config.yaml @@ -1,3 +1,3 @@ token: YOUR_TOKEN_HERE enable_services: - - fips + - fips-updates diff --git a/examples/builds/ubuntu-fips/run.sh b/examples/builds/ubuntu-fips/run.sh new file mode 100755 index 000000000..bf1761682 --- /dev/null +++ b/examples/builds/ubuntu-fips/run.sh 
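Review bot: `--secret id=pro-attach-config,src=pro-attach-config.yaml` correctly keeps the token out of image layers, but the file it reads sits next to the Dockerfile inside both the repository and the build context, so a user who replaces `YOUR_TOKEN_HERE` is one `git add .` away from committing a live Ubuntu Pro token and also ships it to the builder as context. Add `pro-attach-config.yaml` to a `.gitignore` and `.dockerignore` in this directory, or read it from outside the tree (`src="${PRO_ATTACH_CONFIG:-$HOME/.config/pro-attach-config.yaml}"`), and state the expectation in the README. As in the other build scripts, the `/var/run/docker.sock` bind gives the auroraboot container root-equivalent control of the host daemon and deserves a one-line comment saying why it is needed.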
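Review bot: Switching `enable_services` from `fips` to `fips-updates` changes the compliance posture of the resulting image, not just its package set: as Canonical describes the two streams, `fips-updates` tracks the certified modules plus security fixes that have not yet been re-certified, so an image built from it is FIPS-compatible rather than strictly running validated binaries. That is a sensible default for most users, but it should be stated both here and in the README next to the verification steps; an inline comment such as `# fips-updates: includes security fixes not yet re-certified; use fips for strict validated-module compliance` is enough in this file. The `YOUR_TOKEN_HERE` placeholder lives in a tracked file, so the filled-in copy must never be committed; the README should say where to keep it.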
@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso
diff --git a/examples/builds/ubuntu-non-hwe/Dockerfile b/examples/builds/ubuntu-non-hwe/Dockerfile
new file mode 100644
index 000000000..cbc475bcb
--- /dev/null
+++ b/examples/builds/ubuntu-non-hwe/Dockerfile
@@ -0,0 +1,13 @@
+FROM quay.io/kairos/kairos-init:v0.2.6 AS kairos-init
+
+FROM ubuntu:22.04 AS base-kairos
+ARG VERSION=v0.0.1
+
+COPY --from=kairos-init /kairos-init /kairos-init
+RUN /kairos-init -l debug -s install --version "${VERSION}"
+# Remove default kernel that Kairos-init installs
+RUN apt-get remove -y linux-base linux-image-generic-hwe-22.04 && apt-get autoremove -y
+# Install generic linux image instead
+RUN apt-get install -y --no-install-recommends linux-image-generic
+RUN /kairos-init -l debug -s init --version "${VERSION}"
+RUN rm /kairos-init
diff --git a/examples/builds/ubuntu-non-hwe/README.md b/examples/builds/ubuntu-non-hwe/README.md
new file mode 100644
index 000000000..397d9e645
--- /dev/null
+++ b/examples/builds/ubuntu-non-hwe/README.md
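Review bot: `RUN apt-get install -y --no-install-recommends linux-image-generic` runs in its own layer with no `apt-get update`, so it depends on whatever package lists the preceding `kairos-init … install` step happened to leave behind; if that step clears `/var/lib/apt/lists/` (common in image tooling, but not visible here) the install fails, and if it does not, the kernel version resolved is whatever those cached lists say rather than the current one. Fold update, install and cleanup into one layer: `RUN apt-get update && apt-get install -y --no-install-recommends linux-image-generic && rm -rf /var/lib/apt/lists/*`. The `apt-get remove` on the previous line could join the same `RUN` so a half-applied kernel swap can never be cached as a layer on its own, and `FROM ubuntu:22.04` is tag-only and would benefit from a digest pin for reproducibility.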
@@ -0,0 +1,33 @@ +# Ubuntu non-HWE image + +Our Ubuntu based images, will use HWE kernels. If you need to use a non-HWE one, you can build an image of your own with the kernel of your choice, and then use it as your `BASE_IMAGE`. Here's an example: + +We are going to assume that you start the process at the root of the Kairos repo and that the non-HWE image is the one in the Dockerfile within the same directory as this README.md file. + +Let's start by building the base image. + +``` +$ cd examples/byoi/ubuntu-non-hwe +$ docker build -t ubuntu-non-hwe:22.04 . +[+] Building 58.7s (13/13) FINISHED docker:default + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 577B 0.0s + => [internal] load metadata for docker.io/library/ubuntu:22.04 0.4s + => [internal] load metadata for quay.io/kairos/kairos-init:v0.2.6 0.5s + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [kairos-init 1/1] FROM quay.io/kairos/kairos-init:v0.2.6@sha256:35f581dbc480385b21f7a22317fc5 0.0s + => [base-kairos 1/7] FROM docker.io/library/ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5c 0.0s + => CACHED [base-kairos 2/7] COPY --from=kairos-init /kairos-init /kairos-init 0.0s + => CACHED [base-kairos 3/7] RUN /kairos-init -l debug -s install --version "v0.0.1" 0.0s + => [base-kairos 4/7] RUN apt-get remove -y linux-base linux-image-generic-hwe-22.04 && apt-get a 2.3s + => [base-kairos 5/7] RUN apt-get install -y --no-install-recommends linux-image-generic 18.4s + => [base-kairos 6/7] RUN /kairos-init -l debug -s init --version "v0.0.1" 34.1s + => [base-kairos 7/7] RUN rm /kairos-init 0.2s + => exporting to image 3.3s + => => exporting layers 3.3s + => => writing image sha256:eea47e62c3238b7f51301ce7ab99bbe43036b401d288dd27b7f1eb6f4193a5fa 0.0s + => => naming to docker.io/library/ubuntu-non-hwe:22.04 +``` + +You should now be able to use your container image `ubuntu-non-hwe:22.04` as base artifact to generate ISOs or raw 
images.Have a look at osbuilder-tools or AuroraBoot in the kairos documentation for how to build those. \ No newline at end of file diff --git a/examples/byoi/fedora-fips/Dockerfile b/examples/byoi/fedora-fips/Dockerfile deleted file mode 100644 index db32e3b6d..000000000 --- a/examples/byoi/fedora-fips/Dockerfile +++ /dev/null 
@@ -1,103 +0,0 @@ -ARG BASE_IMAGE=fedora:36 - -FROM $BASE_IMAGE AS base -ARG TARGETARCH -RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf - -RUN dnf install -y \ - audit \ - coreutils \ - cloud-utils-growpart \ - curl \ - device-mapper \ - dosfstools \ - dhcp-client \ - dracut \ - dracut-live \ - dracut-network \ - dracut-squash \ - e2fsprogs \ - efibootmgr \ - gawk \ - gdisk \ - grub2 \ - grub2-efi-x64 \ - grub2-efi-x64-modules \ - grub2-pc \ - haveged \ - kernel \ - kernel-modules \ - kernel-modules-extra \ - livecd-tools \ - lvm2 \ - nano \ - openssh-server \ - parted \ - polkit \ - qemu-guest-agent \ - rsync \ - shim-x64 \ - squashfs-tools \ - sudo \ - systemd \ - systemd-networkd \ - systemd-resolved \ - tar \ - which \ - && dnf clean all - -RUN mkdir -p /run/lock -RUN touch /usr/libexec/.keep -RUN systemctl enable getty@tty1.service -RUN systemctl enable getty@tty2.service -RUN systemctl enable getty@tty3.service -RUN systemctl enable systemd-networkd -RUN systemctl enable systemd-resolved -RUN systemctl disable dnf-makecache.service -RUN systemctl disable dnf-makecache.timer -RUN systemctl enable sshd - - -COPY --from=quay.io/kairos/framework:latest-fips / / - -# This is the version of your image -ENV RELEASE=v9.9.9 -# This is the version of the upstream image -ENV FLAVOR_RELEASE=36 -# This is the remote repository where you push your images to. It will be used for upgrades and such to search for latest releases -ENV REGISTRY_AND_ORG="quay.io/YOUR_ORG/fedora-fips" -# This is the model for which the os was built, i.e. rpi4, rpi3 or generic for x86/arm64 -ENV MODEL="generic" -# This is the variant of the image, i.e. fips, core, standard -ENV VARIANT="fips" -# Flavor being used, i.e. fedora, ubuntu, alpine -ENV FLAVOR="fedora" -# Family being used, i.e. debian, rhel, arch, suse -ENV FAMILY="rhel" -# This is the architecture of the image, i.e. x86_64, arm64. 
Gets autofilled by docker -ENV TARGETARCH=$TARGETARCH - -# Create the kairos-release file to identify the OS -RUN kairos-agent --debug versioneer os-release-variables > /etc/kairos-release - -# Copy the custom dracut config file -COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf - -# Empty the /etc/machine-id file -RUN printf "" > /etc/machine-id || true - -## Generate initrd -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ - ln -sf "${kernel#/boot/}" /boot/vmlinuz -RUN kernel=$(ls /lib/modules | head -n1) && \ - dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ - ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" - -# Symlink kernel HMAC -RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac - -# Cleanup -RUN rm -rf /boot/initramfs-* -RUN rm /var/lib/dbus/machine-id || true -RUN rm /etc/hostname || true diff --git a/examples/byoi/fedora-fips/build.sh b/examples/byoi/fedora-fips/build.sh deleted file mode 100644 index addb57bcf..000000000 --- a/examples/byoi/fedora-fips/build.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -set -ex - -# Build the container image -docker build -t test-byoi-fips . - -docker run -v "$PWD"/build:/tmp/auroraboot \ - -v /var/run/docker.sock:/var/run/docker.sock \ - --rm -ti quay.io/kairos/auroraboot \ - --set container_image=docker://test-byoi-fips \ - --set "disable_http_server=true" \ - --set "disable_netboot=true" \ - --set "state_dir=/tmp/auroraboot" diff --git a/examples/byoi/fedora-fips/run.sh b/examples/byoi/fedora-fips/run.sh deleted file mode 100644 index cc5152470..000000000 --- a/examples/byoi/fedora-fips/run.sh +++ /dev/null 
@@ -1,3 +0,0 @@ -qemu-img create -f qcow2 disk.img 40g - -qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso diff --git a/examples/byoi/fedora/Dockerfile b/examples/byoi/fedora/Dockerfile deleted file mode 100644 index ec72c4cff..000000000 --- a/examples/byoi/fedora/Dockerfile +++ /dev/null 
@@ -1,91 +0,0 @@ -ARG BASE_IMAGE=fedora:36 - -FROM $BASE_IMAGE -ARG TARGETARCH -RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf - -RUN dnf install -y \ - audit \ - coreutils \ - curl \ - cloud-utils-growpart \ - device-mapper \ - dosfstools \ - dracut \ - dracut-live \ - dracut-network \ - dracut-squash \ - dhcp-client \ - e2fsprogs \ - efibootmgr \ - gawk \ - gdisk \ - grub2 \ - grub2-efi-x64 \ - grub2-efi-x64-modules \ - grub2-pc \ - haveged \ - kernel \ - kernel-modules \ - kernel-modules-extra \ - livecd-tools \ - nano \ - NetworkManager \ - openssh-server \ - parted \ - polkit \ - rsync \ - shim-x64 \ - squashfs-tools \ - sudo \ - systemd \ - systemd-networkd \ - systemd-resolved \ - tar \ - which \ - && dnf clean all - -RUN mkdir -p /run/lock -RUN touch /usr/libexec/.keep - -COPY --from=quay.io/kairos/framework:latest / / -# This is the version of your image -ENV RELEASE=v9.9.9 -# This is the version of the upstream image -ENV FLAVOR_RELEASE=focal -# This is the remote repository where you push your images to. It will be used for upgrades and such to search for latest releases -ENV REGISTRY_AND_ORG="quay.io/YOUR_ORG/ubuntu-fips" -# This is the model for which the os was built, i.e. rpi4, rpi3 or generic for x86/arm64 -ENV MODEL="generic" -# This is the variant of the image, i.e. fips, core, standard -ENV VARIANT="fips" -# Flavor being used, i.e. fedora, ubuntu, alpine -ENV FLAVOR="ubuntu" -# Family being used, i.e. debian, rhel, arch, suse -ENV FAMILY="debian" -# This is the architecture of the image, i.e. x86_64, arm64. 
Gets autofilled by docker -ENV TARGETARCH=$TARGETARCH - -# Create the kairos-release file to identify the OS -RUN kairos-agent --debug versioneer os-release-variables > /etc/kairos-release -# Empty the /etc/machine-id file -RUN printf "" > /etc/machine-id || true - -# Activate Kairos services -RUN systemctl enable cos-setup-reconcile.timer && \ - systemctl enable cos-setup-fs.service && \ - systemctl enable cos-setup-boot.service && \ - systemctl enable cos-setup-network.service - -## Generate initrd -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ - ln -sf "${kernel#/boot/}" /boot/vmlinuz -RUN kernel=$(ls /lib/modules | head -n1) && \ - dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ - ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" - -# Cleanup -RUN rm -rf /boot/initramfs-* -RUN rm /var/lib/dbus/machine-id || true -RUN rm /etc/hostname || true \ No newline at end of file diff --git a/examples/byoi/fedora/README.md b/examples/byoi/fedora/README.md deleted file mode 100644 index a0a72d698..000000000 --- a/examples/byoi/fedora/README.md +++ /dev/null @@ -1 +0,0 @@ -Warning, this example is out of date. You can follow the ubuntu-non-hwe example which is quite similar but with fedora as a base. diff --git a/examples/byoi/fedora/build.sh b/examples/byoi/fedora/build.sh deleted file mode 100644 index d51f8493a..000000000 --- a/examples/byoi/fedora/build.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -set -ex - -# Build the container image -docker build -t test-byoi . - -# Create an ISO -docker run -v "$PWD"/build:/tmp/auroraboot \ - -v /var/run/docker.sock:/var/run/docker.sock \ - --rm -ti quay.io/kairos/auroraboot:v0.2.2 \ - --set container_image=docker://test-byoi \ - --set "disable_http_server=true" \ - --set "disable_netboot=true" \ - --set "state_dir=/tmp/auroraboot" \ No newline at end of file 
diff --git a/examples/byoi/rockylinux-fips/Dockerfile b/examples/byoi/rockylinux-fips/Dockerfile deleted file mode 100644 index c181f7369..000000000 --- a/examples/byoi/rockylinux-fips/Dockerfile +++ /dev/null 
@@ -1,106 +0,0 @@ -ARG BASE_IMAGE=rockylinux:9 - -FROM $BASE_IMAGE AS base -ARG TARGETARCH -RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf - -RUN dnf install -y epel-release && dnf clean all -RUN dnf update -y -RUN dnf makecache -RUN dnf install -y \ - audit \ - cloud-utils-growpart \ - device-mapper \ - dosfstools \ - dracut \ - dracut-live \ - dracut-network \ - dracut-squash \ - dhcp-client \ - e2fsprogs \ - efibootmgr \ - epel-release \ - gawk \ - grub2 \ - grub2-efi-x64 \ - grub2-efi-x64-modules \ - grub2-pc \ - gdisk \ - kernel \ - kernel-modules \ - kernel-modules-extra \ - livecd-tools \ - lvm2 \ - nano \ - openssh-server \ - parted \ - polkit \ - qemu-guest-agent \ - rsync \ - shim-x64 \ - squashfs-tools \ - sudo \ - systemd \ - systemd-networkd \ - systemd-resolved \ - systemd-timesyncd \ - tar \ - which \ - https://zfsonlinux.org/epel/zfs-release-2-2.el9.noarch.rpm \ - && dnf clean all - -RUN mkdir -p /run/lock -RUN touch /usr/libexec/.keep -RUN systemctl enable getty@tty1.service -RUN systemctl enable getty@tty2.service -RUN systemctl enable getty@tty3.service -RUN systemctl enable systemd-networkd -RUN systemctl enable systemd-resolved -RUN systemctl disable dnf-makecache.service -RUN systemctl enable sshd - -COPY --from=quay.io/kairos/framework:latest-fips / / - -# This is the version of your image -ENV RELEASE=v9.9.9 -# This is the version of the upstream image -ENV FLAVOR_RELEASE=9 -# This is the remote repository where you push your images to. It will be used for upgrades and such to search for latest releases -ENV REGISTRY_AND_ORG="quay.io/YOUR_ORG/rockylinux-fips" -# This is the model for which the os was built, i.e. rpi4, rpi3 or generic for x86/arm64 -ENV MODEL="generic" -# This is the variant of the image, i.e. fips, core, standard -ENV VARIANT="fips" -# Flavor being used, i.e. fedora, ubuntu, alpine -ENV FLAVOR="rockylinux" -# Family being used, i.e. 
debian, rhel, arch, suse -ENV FAMILY="rhel" -# This is the architecture of the image, i.e. x86_64, arm64. Gets autofilled by docker -ENV TARGETARCH=$TARGETARCH - -# Create the kairos-release file to identify the OS -RUN kairos-agent --debug versioneer os-release-variables > /etc/kairos-release - -# Copy the custom dracut config file -COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf - -# Empty the /etc/machine-id file -RUN printf "" > /etc/machine-id || true - - -## Generate initrd -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ - ln -sf "${kernel#/boot/}" /boot/vmlinuz -RUN kernel=$(ls /lib/modules | head -n1) && \ - dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ - ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" - -# Symlink kernel HMAC -RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac - -# Cleanup -RUN rm -rf /boot/initramfs-* -RUN rm /var/lib/dbus/machine-id || true -RUN rm /etc/hostname || true - diff --git a/examples/byoi/rockylinux-fips/build.sh b/examples/byoi/rockylinux-fips/build.sh deleted file mode 100644 index addb57bcf..000000000 --- a/examples/byoi/rockylinux-fips/build.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -set -ex - -# Build the container image -docker build -t test-byoi-fips . - -docker run -v "$PWD"/build:/tmp/auroraboot \ - -v /var/run/docker.sock:/var/run/docker.sock \ - --rm -ti quay.io/kairos/auroraboot \ - --set container_image=docker://test-byoi-fips \ - --set "disable_http_server=true" \ - --set "disable_netboot=true" \ - --set "state_dir=/tmp/auroraboot" diff --git a/examples/byoi/rockylinux-fips/run.sh b/examples/byoi/rockylinux-fips/run.sh deleted file mode 100644 index cc5152470..000000000 --- a/examples/byoi/rockylinux-fips/run.sh +++ /dev/null 
@@ -1,3 +0,0 @@ -qemu-img create -f qcow2 disk.img 40g - -qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile deleted file mode 100644 index 7f8239017..000000000 --- a/examples/byoi/ubuntu-fips/Dockerfile +++ /dev/null 
@@ -1,149 +0,0 @@
-# Build the custom ubuntu image
-FROM ubuntu:24.04 AS base
-ARG TARGETARCH
-# Don't get asked while running apt commands
-ENV DEBIAN_FRONTEND=noninteractive
-
-## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
-## I've just added "linux-image-fips" in the package list
-RUN --mount=type=secret,id=pro-attach-config \
- apt-get update \
- && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
- && pro attach --attach-config /run/secrets/pro-attach-config \
- && apt-get upgrade -y \
- && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
- && pro detach --assume-yes
-
-
-## Kairos setup
-## From documentation: https://kairos.io/docs/reference/build-from-scratch/
-RUN mkdir -p /run/lock
-RUN mkdir -p /usr/libexec
-RUN touch /usr/libexec/.keep
-
-## Kairos required packages
-## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts
-RUN apt-get install -y --no-install-recommends \
- conntrack \
- console-data \
- coreutils \
- cryptsetup \
- curl \
- debianutils \
- dmsetup \
- dosfstools \
- dracut \
- dracut-network \
- e2fsprogs \
- efibootmgr \
- file \
- fuse \
- gawk \
- gdisk \
- grub2 \
- grub2-common \
- grub-efi-amd64-bin \
- grub-efi-amd64-signed \
- grub-pc-bin \
- haveged \
- iproute2 \
- iptables \
- isc-dhcp-common \
- jq \
- kbd \
- krb5-locales \
- lldpd \
- lvm2 \
- mdadm \
- nano \
- nbd-client \
- ncurses-term \
- neovim \
- networkd-dispatcher \
- nfs-common \
- open-iscsi \
- openssh-server \
- open-vm-tools \
- os-prober \
- packagekit-tools \
- parted \
- patch \
- policykit-1 \
- publicsuffix \
- qemu-guest-agent \
- rsync \
- shared-mime-info \
- snapd \
- snmpd \
- squashfs-tools \
- sudo \
- systemd \
- systemd-timesyncd \
- thermald \
- ubuntu-advantage-tools \
- xdg-user-dirs \
- xxd \
- xz-utils \
- zerofree \
- zfsutils-linux \
- zstd \
- && apt-get remove -y unattended-upgrades && apt-get clean \
- && apt-get purge --auto-remove -y ubuntu-advantage-tools \
- && rm -rf /var/lib/apt/lists/*
-
-# Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list
-COPY --from=quay.io/kairos/framework:latest-fips / /
-
-# This is the version of your image
-ENV RELEASE=v9.9.9
-# This is the version of the upstream image
-ENV FLAVOR_RELEASE=24.04
-# This is the remote repository where you push your images to. It will be used for upgrades and such to search for latest releases
-ENV REGISTRY_AND_ORG="quay.io/YOUR_ORG/ubuntu-fips"
-# This is the model for which the os was built, i.e. rpi4, rpi3 or generic for x86/arm64
-ENV MODEL="generic"
-# This is the variant of the image, i.e. fips, core, standard
-ENV VARIANT="fips"
-# Flavor being used, i.e. fedora, ubuntu, alpine
-ENV FLAVOR="ubuntu"
-# Family being used, i.e. debian, rhel, arch, suse
-ENV FAMILY="debian"
-# This is the architecture of the image, i.e. x86_64, arm64. Gets autofilled by docker
-ENV TARGETARCH=$TARGETARCH
-
-# Create the kairos-release file to identify the OS
-RUN kairos-agent --debug versioneer os-release-variables > /etc/kairos-release
-# Empty the /etc/machine-id file
-RUN printf "" > /etc/machine-id || true
-
-## Configuration
-
-COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
-# CLEANUP
-# Installing dracut and fips creates this default packages and symlinks and we dont want that
-# We want to fully rebuild and link our initrd
-RUN rm -Rf /boot/vmlinuz.old # symlink
-RUN rm -Rf /boot/vmlinuz.img.old # symlink
-RUN rm -Rf /boot/vmlinuz.img # symlink
-RUN rm -Rf /boot/initrd.img.old # symlink to wrong initrd (no immucore, no kairos-agent)
-RUN rm -Rf /boot/initrd.img # symlink to wrong initrd (no immucore, no kairos-agent)
-RUN rm -Rf /boot/initrd.img-* # wrong initrd (no immucore, no kairos-agent)
-## Generate initrd
-RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
- ln -sf "${kernel#/boot/}" /boot/vmlinuz
-RUN kernel=$(ls /lib/modules | head -n1) && \
- dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
- ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
-RUN rm -rf /boot/initramfs-*
-
-# Fixup sudo perms
-RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
-
-# Symlink kernel HMAC
-RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac
-
-# Cleanup
-RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname
-RUN rm -rf /boot/initramfs-*
-RUN rm /var/lib/dbus/machine-id || true
-RUN rm /etc/hostname || true
\ No newline at end of file
diff --git a/examples/byoi/ubuntu-fips/build.sh b/examples/byoi/ubuntu-fips/build.sh
deleted file mode 100644
index 47051fd1b..000000000
--- a/examples/byoi/ubuntu-fips/build.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips
-docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm -ti quay.io/kairos/auroraboot --set container_image=docker://ubuntu-focal-fips --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
diff --git a/examples/byoi/ubuntu-fips/run.sh b/examples/byoi/ubuntu-fips/run.sh
deleted file mode 100644
index cc5152470..000000000
--- a/examples/byoi/ubuntu-fips/run.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-qemu-img create -f qcow2 disk.img 40g
-
-qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso
diff --git a/examples/byoi/ubuntu-non-hwe/Dockerfile b/examples/byoi/ubuntu-non-hwe/Dockerfile
deleted file mode 100644
index 6118d3147..000000000
--- a/examples/byoi/ubuntu-non-hwe/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM ubuntu:22.04
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- linux-image-generic
diff --git a/examples/byoi/ubuntu-non-hwe/README.md b/examples/byoi/ubuntu-non-hwe/README.md
deleted file mode 100644
index 1b70cfc76..000000000
--- a/examples/byoi/ubuntu-non-hwe/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Ubuntu non-HWE image
-
-Our Ubuntu based images, will use HWE kernels. If you need to use a non-HWE one, you can build an image of your own with the kernel of your choice, and then use it as your `BASE_IMAGE`. Here's an example:
-
-We are going to assume that you start the process at the root of the Kairos repo and that the non-HWE image is the one in the Dockerfile within the same directory as this README.md file.
-
-Let's start by building the base image.
-
-```
-$ cd examples/byoi/ubuntu-non-hwe
-$ docker build -t ubuntu-non-hwe:22.04 .
-[+] Building 42.8s (6/6) FINISHED docker:default
- => [internal] load build definition from Dockerfile 0.0s
- => => transferring dockerfile: 156B 0.0s
- => [internal] load .dockerignore 0.0s
- => => transferring context: 2B 0.0s
- => [internal] load metadata for docker.io/library/ubuntu:22.04 0.0s
- => CACHED [1/2] FROM docker.io/library/ubuntu:22.04 0.0s
- => [2/2] RUN apt-get update && apt-get install -y --no-install-recommends linux-image-generic 37.9s
- => exporting to image 4.9s
- => => exporting layers 4.9s
- => => writing image sha256:e68595542681417870bf3f0a2e51eafa898c3e43ee5c895f7c82d5f4e25df8db 0.0s
- => => naming to docker.io/library/ubuntu-non-hwe:22.04 0.0s
-```
-
-Now, let's go to the images directory and build an Ubuntu Kairos image, based on `ubuntu-non-hwe:22.04`
-
-```
-cd ../../../images/
-docker build --build-arg="BASE_IMAGE=ubuntu-non-hwe:22.04" \
- --build-arg="FAMILY=ubuntu" \
- --build-arg="FLAVOR=ubuntu" \
- --build-arg="FLAVOR_RELEASE=22.04" \
- --build-arg="VARIANT=core" \
- --build-arg="MODEL=generic" \
- --build-arg="FRAMEWORK_VERSION=v2.5.5" \
- --build-arg="RELEASE=v0.0.1" \
- -t kairos-ubuntu-non-hwe:22.04 \
- -f Dockerfile.kairos-ubuntu .
-```
-
-The `Dockerfile.kairos-ubuntu` Dockerfile will install all kairos dependencies if they are missing. When it comes to the kernel it will only install one if there's no existing kernel on your base image, then it will proceed to install the karios agent and do the rest of the process to convert the base image into a kairos image.
-
-You should now be able to use your container image `kairos-ubuntu-non-hwe:22.04`. If you need an iso or other type of artifact, have a look at osbuilder-tools or AuroraBoot in the kairos documentation.
\ No newline at end of file