diff --git a/.cirrus.yml b/.cirrus.yml index f82764bc..dba912fc 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -3,7 +3,7 @@ # Main collection of env. vars to set for all tasks and scripts. env: # Name of the ultimate destination branch for this CI run, PR or post-merge. - DEST_BRANCH: "master" + DEST_BRANCH: "main" # Shell used to execute all script commands CIRRUS_SHELL: "/bin/bash" # No need to go crazy, but grab enough to cover most PRs @@ -12,11 +12,6 @@ env: PACKER_VERSION: &PACKER_VERSION "1.7.0" # Unique suffix label to use for all images produced by _this_ run (build) IMG_SFX: "${CIRRUS_BUILD_ID}" - # Google Application Credentials (JSON) with access to create - # Note: Actual authZ specified by service-account roles. - # Ref: https://cloud.google.com/compute/docs/access/service-accounts?&_ga=2.102552833.-1670000616.1540407237#accesscopesiam - GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9] - gcp_credentials: ENCRYPTED[823fdbc2fee3c27fa054ba1e9cfca084829b5e71572f1703a28e0746b1a924ee5860193f931adce197d40bf89e7027fe] @@ -60,6 +55,10 @@ image_builder_task: memory: "2G" docker_arguments: PACKER_VERSION: *PACKER_VERSION + env: + # Google Application Credentials (JSON) with access to create VM images + GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9] + script: "ci/make_image_builder.sh" manifest_artifacts: path: image_builder/manifest.json @@ -160,6 +159,8 @@ base_images_task: - <<: *base_image env: PACKER_BUILDS: "ubuntu" + env: + GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9] script: "ci/make_base_images.sh" manifest_artifacts: path: base_images/manifest.json 
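Review bot: The ENCRYPTED GAC_JSON value added to the image_builder_task env is pasted verbatim again into base_images_task and cache_images_task, so a key rotation means editing three copies and any drift between them only surfaces as a task-scoped auth failure. The file already anchors PACKER_VERSION with `&PACKER_VERSION`; define the secret the same way once, `GAC_JSON: &GAC_JSON ENCRYPTED[<same blob as above>]`, and reference it as `GAC_JSON: *GAC_JSON` in the other two task env blocks. Scoping the credential to the three image-building tasks instead of the global env is fine as is; this is only about keeping a single copy.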
@@ -194,6 +195,8 @@ cache_images_task: - <<: *cache_image env: PACKER_BUILDS: "ubuntu" + env: + GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9] script: "ci/make_cache_images.sh" manifest_artifacts: path: cache_images/manifest.json diff --git a/Makefile b/Makefile index 32ffdce6..f3dc3b57 100644 --- a/Makefile +++ b/Makefile @@ -93,6 +93,7 @@ ci_debug: $(_TEMPDIR)/ci_debug.tar ## Build and enter container for local develo # Takes 4 arguments: export filepath, FQIN, context dir, package cache key define podman_build podman build -t $(2) \ + --security-opt seccomp=unconfined \ -v $(_TEMPDIR)/.cache/$(4):/var/cache/dnf:Z \ -v $(_TEMPDIR)/.cache/$(4):/var/cache/apt:Z \ --build-arg PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \ @@ -221,6 +222,7 @@ ubuntu_podman: ## Build Ubuntu podman development container $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(wildcard cache_images/*.sh) $(_TEMPDIR)/.cache/% podman build -t $*_podman:$(call err_if_empty,IMG_SFX) \ + --security-opt seccomp=unconfined \ --build-arg=BASE_NAME=$(subst prior-,,$*) \ --build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \ --build-arg=PACKER_BUILD_NAME=$(subst _podman,,$*) \ @@ -234,6 +236,7 @@ $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_i skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.tar ## Build Skopeo development and CI container $(_TEMPDIR)/skopeo_cidev.tar: podman/fedora_release $(wildcard skopeo_base/*) $(_TEMPDIR)/.cache/fedora podman build -t skopeo_cidev:$(call err_if_empty,IMG_SFX) \ + --security-opt seccomp=unconfined \ --build-arg=BASE_TAG=$(_fedora_podman_release) \ -v $(_TEMPDIR)/.cache/fedora:/var/cache/dnf:Z \ skopeo_cidev diff --git a/base_images/cloud-init/fedora/cloud.cfg.d/40_defuser.cfg b/base_images/cloud-init/fedora/cloud.cfg.d/40_defuser.cfg new file mode 120000 index 00000000..48792ed5 --- /dev/null 
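Review bot: `--security-opt seccomp=unconfined` in the podman_build define disables podman's default syscall filter for every container image build, and the identical line is added to the `$(_TEMPDIR)/%_podman.tar` and `$(_TEMPDIR)/skopeo_cidev.tar` recipes in the next two hunks, with no comment in any of them saying which build step needs it. State the reason once and hoist the repeated flag so it can be narrowed or dropped from one place later, e.g. `# seccomp=unconfined: <reason> — see <tracking ref>` followed by `_podman_build_opts := --security-opt seccomp=unconfined` and `$(_podman_build_opts)` in the three recipes. If a single syscall is what the default profile blocks, a custom profile passed as `--security-opt seccomp=<profile path>` keeps the rest of the filter in place.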
+++ b/base_images/cloud-init/fedora/cloud.cfg.d/40_defuser.cfg @@ -0,0 +1 @@ +../../ubuntu/cloud.cfg.d/40_defuser.cfg \ No newline at end of file diff --git a/base_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg b/base_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg new file mode 120000 index 00000000..7e56fc2f --- /dev/null +++ b/base_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg @@ -0,0 +1 @@ +../../ubuntu/cloud.cfg.d/40_enable_root.cfg \ No newline at end of file diff --git a/cache_images/cloud-init/fedora/cloud.cfg.d/50_custom_disk_setup.cfg b/base_images/cloud-init/fedora/cloud.cfg.d/50_custom_disk_setup.cfg similarity index 100% rename from cache_images/cloud-init/fedora/cloud.cfg.d/50_custom_disk_setup.cfg rename to base_images/cloud-init/fedora/cloud.cfg.d/50_custom_disk_setup.cfg diff --git a/base_images/cloud-init/ubuntu/cloud.cfg.d/40_defuser.cfg b/base_images/cloud-init/ubuntu/cloud.cfg.d/40_defuser.cfg new file mode 100644 index 00000000..12733bb1 --- /dev/null +++ b/base_images/cloud-init/ubuntu/cloud.cfg.d/40_defuser.cfg @@ -0,0 +1,2 @@ +# Avoid adding any users to the system by default. GCP OSLogin will do it at runtime. +users: {} diff --git a/cache_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg b/base_images/cloud-init/ubuntu/cloud.cfg.d/40_enable_root.cfg similarity index 100% rename from cache_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg rename to base_images/cloud-init/ubuntu/cloud.cfg.d/40_enable_root.cfg diff --git a/base_images/fedora_base-setup.sh b/base_images/fedora_base-setup.sh index a3900261..f30a23d3 100644 --- a/base_images/fedora_base-setup.sh +++ b/base_images/fedora_base-setup.sh 
@@ -38,12 +38,9 @@ fi install_automation_tooling -# There is a race that can happen on boot between the GCE services configuring -# the VM, and cloud-init trying to do similar activities. Use a customized -# unit file to make sure cloud-init starts after the google-compute-* services. -cp -v $SCRIPT_DIRPATH/fedora-cloud-init.service /etc/systemd/system/ - if ! ((CONTAINER)); then + custom_cloud_init + # ref: https://cloud.google.com/compute/docs/startupscript # The mechanism used by Cirrus-CI to execute tasks on the system is through an # "agent" process launched as a GCP startup-script (from the metadata service). @@ -54,7 +51,7 @@ if ! ((CONTAINER)); then METADATA_SERVICE_CTX=unconfined_u:unconfined_r:unconfined_t:s0 METADATA_SERVICE_PATH=systemd/system/google-startup-scripts.service sed -r -e \ - "s/Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \ + "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \ /lib/$METADATA_SERVICE_PATH > /etc/$METADATA_SERVICE_PATH fi diff --git a/base_images/gce.yml b/base_images/gce.yml index 345dd1d8..b6b9fa90 100644 --- a/base_images/gce.yml +++ b/base_images/gce.yml @@ -21,10 +21,9 @@ variables: # Empty value means it must be passed in on command-line # to build from - just as the sources below are the base-images to # start from building VM images. - # Upstream source for Ubuntu image duplication (prevents expiration) - # Look these up in the console by searching images for - # "Created by: Canonical" - UBUNTU_BASE_IMAGE: 'ubuntu-2104-hirsute-v20210511a' + # Upstream source for Ubuntu image to duplicate (prevents expiration). + # Use the most recent image based on this family name. + UBUNTU_BASE_FAMILY: 'ubuntu-2104' # Latest Fedora release download URL FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2" 
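Review bot: The removed comment documented a boot-time race between the google-compute-* services and cloud-init that the dropped fedora-cloud-init.service copy worked around, but the `custom_cloud_init` call replacing it carries no note on how that ordering is guaranteed now. If the cloud.cfg.d files installed by custom_cloud_init or a newer cloud-init make the unit override unnecessary, say so above the call, e.g. `# Ordering against the google-compute-* services is handled by <mechanism>; the fedora-cloud-init.service override is no longer needed`; otherwise the race is reintroduced silently. The enclosing `if ! ((CONTAINER))` block continues past the hunk.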
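Review bot: Replacing the pinned `UBUNTU_BASE_IMAGE` name with `UBUNTU_BASE_FAMILY: 'ubuntu-2104'` resolves the source image at build time, so two builds from the same commit can start from different upstream images, and the `src` label written in the next hunk (`src: '{{user `UBUNTU_BASE_FAMILY`}}'`) no longer identifies which one was used. Keep the family for convenience but record the concrete image that was resolved, for instance in the build log or in the manifest.json the tasks already publish, so a regression or an upstream advisory can be traced to the exact base. A comment beside the variable stating the trade-off, e.g. `# NOTE: the family resolves to its newest image at build time; the exact image used is recorded in <where>`, would make this explicit.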
@@ -86,13 +85,12 @@ builders: iso_url: '{{user `PRIOR_FEDORA_IMAGE_URL`}}' iso_checksum: 'file:{{user `PRIOR_FEDORA_CSUM_URL`}}' - - &imgcopy - name: 'ubuntu' + - name: 'ubuntu' type: 'googlecompute' # Prefix IMG_SFX with "b" so this is never confused with a cache_image name image_name: 'ubuntu-b{{user `IMG_SFX`}}' image_family: '{{build_name}}-base' - source_image: '{{user `UBUNTU_BASE_IMAGE`}}' + source_image_family: '{{user `UBUNTU_BASE_FAMILY`}}' source_image_project_id: 'ubuntu-os-cloud' project_id: '{{user `GCP_PROJECT_ID`}}' # Can't use env. var for this, googlecompute-import only supports filepath @@ -102,9 +100,11 @@ builders: # Identify the instance labels: sfx: '{{user `IMG_SFX`}}' - src: '{{user `UBUNTU_BASE_IMAGE`}}' + src: '{{user `UBUNTU_BASE_FAMILY`}}' # Gotcha: https://www.packer.io/docs/builders/googlecompute#gotchas ssh_username: 'packer' + temporary_key_pair_type: ed25519 + ssh_clear_authorized_keys: true provisioners: # Ubuntu images come bundled with GCE integrations provisioned - type: 'shell' diff --git a/base_images/ubuntu_base-setup.sh b/base_images/ubuntu_base-setup.sh index 90ebd0b5..c1d6eaae 100644 --- a/base_images/ubuntu_base-setup.sh +++ b/base_images/ubuntu_base-setup.sh @@ -28,7 +28,14 @@ PKGS=( \ ) $SUDO apt-get -qq -y update -$SUDO apt-get -qq -y upgrade apt dpkg + +# At the time of this commit, upgrading past the stock +# cloud-init (21.3-1-g6803368d-0ubuntu1~21.04.3) causes +# failure of login w/ new ssh key after reset + reboot. +if ! ((CONTAINER)); then + $SUDO apt-mark hold cloud-init +fi + $SUDO apt-get -qq -y upgrade $SUDO apt-get -qq -y install "${PKGS[@]}" @@ -38,4 +45,8 @@ $SUDO DEBCONF_DB_OVERRIDE='File{'$SCRIPT_DIRPATH/no_dash.dat'}' \ install_automation_tooling +if ! ((CONTAINER)); then + custom_cloud_init +fi + finalize diff --git a/cache_images/cloud-init/ubuntu/cloud.cfg.d/40_enable_root.cfg b/cache_images/cloud-init/ubuntu/cloud.cfg.d/40_enable_root.cfg deleted file mode 100644 index 672d1907..00000000 
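Review bot: `$SUDO apt-mark hold cloud-init` is persistent package state, so unless something later unholds it the hold ships inside the produced VM image and cloud-init is excluded from `apt-get upgrade` there as well, including any fixes it would otherwise receive. The comment gives the symptom but not the exit condition; add it with a tracking reference, e.g. `# TODO(<tracking ref>): drop the hold once a cloud-init newer than 21.3-1-g6803368d-0ubuntu1~21.04.3 logs in correctly after reset + reboot`, and consider releasing the hold in finalize if it is only needed while the image is being built.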
--- a/cache_images/cloud-init/ubuntu/cloud.cfg.d/40_enable_root.cfg +++ /dev/null @@ -1 +0,0 @@ -disable_root: 0 diff --git a/cache_images/fedora_packaging.sh b/cache_images/fedora_packaging.sh index 08b72a60..a7cb4c7b 100644 --- a/cache_images/fedora_packaging.sh +++ b/cache_images/fedora_packaging.sh @@ -174,9 +174,6 @@ fi # Download these package files, but don't install them; Any tests # wishing to, may install them using their native tools at runtime. DOWNLOAD_PACKAGES=(\ - "cri-o-$(get_kubernetes_version)*" - cri-tools - "kubernetes-$(get_kubernetes_version)*" oci-umount parallel podman-docker @@ -187,10 +184,8 @@ DOWNLOAD_PACKAGES=(\ echo "Installing general build/test dependencies" bigto $SUDO dnf install -y $EXARG "${INSTALL_PACKAGES[@]}" -if [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then +if ((CONTAINER==0)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then echo "Downloading packages for optional installation at runtime, as needed." - # Required for cri-o - ooe.sh $SUDO dnf -y module enable cri-o:$(get_kubernetes_version) $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR" cd "$PACKAGE_DOWNLOAD_DIR" lilto ooe.sh $SUDO dnf install -y 'dnf-command(download)' diff --git a/cache_images/fedora_setup.sh b/cache_images/fedora_setup.sh index 033a7113..bf2cb5f5 100644 --- a/cache_images/fedora_setup.sh +++ b/cache_images/fedora_setup.sh @@ -9,8 +9,10 @@ SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}") SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH") REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../") -# Run as quickly as possible after boot -/bin/bash $REPO_DIRPATH/systemd_banish.sh +if ! ((CONTAINER)); then + # Run as quickly as possible after boot + /bin/bash $REPO_DIRPATH/systemd_banish.sh +fi # shellcheck source=./lib.sh source "$REPO_DIRPATH/lib.sh" 
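Review bot: The new guard `if ((CONTAINER==0)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]` spells the container check differently from the `if ! ((CONTAINER))` form used in fedora_setup.sh, the base_images setup scripts and lib.sh elsewhere in this same diff, and the same new spelling appears in cache_images/ubuntu_packaging.sh. Use the established form in both places, `if ! ((CONTAINER)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then`, so anyone auditing the CONTAINER guards finds all of them with one search.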
@@ -26,8 +28,6 @@ if ! ((CONTAINER)); then ooe.sh $SUDO setsebool -P container_manage_cgroup true fi -custom_cloud_init - # shellcheck disable=SC2154 if ! ((CONTAINER)) && [[ "$PACKER_BUILD_NAME" =~ prior ]]; then warn "Disabling CgroupsV2 kernel command-line option for systemd" diff --git a/cache_images/gce.yml b/cache_images/gce.yml index abe201d8..d0e2891c 100644 --- a/cache_images/gce.yml +++ b/cache_images/gce.yml @@ -38,6 +38,7 @@ builders: ssh_username: packer # arbitrary, packer will create & setup w/ temp. keypair ssh_pty: 'true' temporary_key_pair_type: ed25519 + ssh_clear_authorized_keys: true # Permit running nested VM's to support specialized testing image_licenses: ["projects/vm-options/global/licenses/enable-vmx"] diff --git a/cache_images/podman_tooling.sh b/cache_images/podman_tooling.sh index da1a95e1..e1a9ba39 100644 --- a/cache_images/podman_tooling.sh +++ b/cache_images/podman_tooling.sh @@ -5,7 +5,7 @@ # not be used for any other purpose or from any other context. echo "Installing runtime tooling" -export GOPATH +export GOPATH="${GOPATH:/var/tmp/go}" export GOSRC=/var/tmp/go/src/github.com/containers/podman export GOCACHE="${GOCACHE:-/root/.cache/go-build}" lilto git clone --quiet https://github.com/containers/podman.git "$GOSRC" @@ -21,6 +21,7 @@ if [[ "$OS_RELEASE_ID" == "ubuntu" ]]; then lilto $SUDO make install.libseccomp.sudo fi -# Make pristine for other runtime usage/expectations -$SUDO rm -rf "$GOSRC" +# Make pristine for other runtime usage/expectations also save a bit +# of space in the images. +$SUDO rm -rf "$GOPATH/src" "$GOCACHE" $SUDO chown -R root.root /var/tmp/go diff --git a/cache_images/ubuntu_packaging.sh b/cache_images/ubuntu_packaging.sh index 8bd61eb0..60b88818 100644 --- a/cache_images/ubuntu_packaging.sh +++ b/cache_images/ubuntu_packaging.sh 
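Review bot: `export GOPATH="${GOPATH:/var/tmp/go}"` is a substring expansion, not a default: without the `-`, bash treats `/var/tmp/go` as an arithmetic offset, which fails with an operand-expected error instead of ever yielding the path, so GOPATH does not receive the intended default. It should read `export GOPATH="${GOPATH:-/var/tmp/go}"`, matching the `${GOCACHE:-...}` line directly below it. This matters for the second hunk, where `$SUDO rm -rf "$GOPATH/src" "$GOCACHE"` would become `rm -rf /src` if GOPATH were empty; a guard such as `: "${GOPATH:?GOPATH must be set}"` right before that rm is cheap insurance.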
@@ -164,16 +164,22 @@ DOWNLOAD_PACKAGES=(\ docker-ce docker-ce-cli ) + curl --fail --silent --location \ --url https://download.docker.com/linux/ubuntu/gpg | \ gpg --dearmor | \ $SUDO tee /etc/apt/trusted.gpg.d/docker_com.gpg &> /dev/null echo "deb https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ ooe.sh $SUDO tee /etc/apt/sources.list.d/docker.list &> /dev/null -lilto $SUDO apt-get -q -y update -echo "Downloading packages for optional installation at runtime." -$SUDO ln -s /var/cache/apt/archives "$PACKAGE_DOWNLOAD_DIR" -bigto $SUDO apt-get -q -y install --download-only "${DOWNLOAD_PACKAGES[@]}" + +if ((CONTAINER==0)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then + $SUDO apt-get clean # no reason to keep previous downloads around + # Needed to install .deb files + resolve dependencies + lilto $SUDO apt-get -q -y update + echo "Downloading packages for optional installation at runtime." + $SUDO ln -s /var/cache/apt/archives "$PACKAGE_DOWNLOAD_DIR" + bigto $SUDO apt-get -q -y install --download-only "${DOWNLOAD_PACKAGES[@]}" +fi echo "Configuring Go environment" # There are multiple (otherwise conflicting) versions of golang available diff --git a/cache_images/ubuntu_setup.sh b/cache_images/ubuntu_setup.sh index 3014c774..35780773 100644 --- a/cache_images/ubuntu_setup.sh +++ b/cache_images/ubuntu_setup.sh @@ -32,8 +32,6 @@ if ! ((CONTAINER)); then ooe.sh $SUDO update-grub fi -custom_cloud_init - nm_ignore_cni finalize diff --git a/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh b/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh index 1247e882..22dbf0bc 100755 --- a/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh +++ b/get_ci_vm/bad_repo_test/hack/get_ci_vm.sh @@ -52,9 +52,6 @@ cleanup() { set +e wait - # set GCLOUD_DEBUG to leave tmpdir behind for postmortem - test -z "$GCLOUD_DEBUG" && rm -rf $TMPDIR - # Not always called from an exit handler, but should always exit when called exit $RET } 
@@ -116,7 +113,6 @@ parse_args(){ show_usage "No image-name specified." fi - ENVS="$ENVS SPECIALMODE=\"$SPECIALMODE\"" SETUP_CMD="env $ENVS $GOSRC/contrib/cirrus/setup.sh" VMNAME="${VMNAME:-${USER}-${IMAGE_NAME}}" CREATE_CMD="$PGCLOUD compute instances create --zone=$ZONE --image-project=libpod-218412 --image=${IMAGE_NAME} --custom-cpu=$CPUS --custom-memory=$MEMORY --boot-disk-size=$DISK --labels=in-use-by=$USER $VMNAME" diff --git a/lib.sh b/lib.sh index 8cb9327f..be99c2cb 100644 --- a/lib.sh +++ b/lib.sh @@ -67,13 +67,16 @@ install_automation_tooling() { custom_cloud_init() { #shellcheck disable=SC2154 - CUSTOM_CLOUD_CONFIG_DEFAULTS="$SCRIPT_DIRPATH/cloud-init/$OS_RELEASE_ID/cloud.cfg.d" - if [[ -n "$SCRIPT_DIRPATH" ]] && [[ -d "$CUSTOM_CLOUD_CONFIG_DEFAULTS" ]] + CUSTOM_CLOUD_CONFIG_DEFAULTS="$REPO_DIRPATH/base_images/cloud-init/$OS_RELEASE_ID/cloud.cfg.d" + if [[ -d "$CUSTOM_CLOUD_CONFIG_DEFAULTS" ]] then echo "Installing custom cloud-init defaults" - $SUDO cp -v "$CUSTOM_CLOUD_CONFIG_DEFAULTS"/* /etc/cloud/cloud.cfg.d/ + $SUDO cp -v --dereference \ + "$CUSTOM_CLOUD_CONFIG_DEFAULTS"/* \ + /etc/cloud/cloud.cfg.d/ else echo "Could not find any files in $CUSTOM_CLOUD_CONFIG_DEFAULTS" + exit 1 fi } @@ -95,20 +98,6 @@ set_gac_filepath(){ unset GAC_JSON; } -get_kubernetes_version() { - local KUBERNETES_VERSION - case "$OS_REL_VER" in - fedora-32) - KUBERNETES_VERSION="1.15" ;; - fedora-33) - KUBERNETES_VERSION="1.18" ;; - fedora-34) - KUBERNETES_VERSION="1.20" ;; - *) die "Unknown/Unsupported \$OS_REL_VER '$OS_REL_VER'" - esac - echo "$KUBERNETES_VERSION" -} - # Warning: DO NOT USE the following functions willy-nilly! # They are only intended to be called by other setup scripts, as the very # last step during the build process. They're purpose is to "reset" the 
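Review bot: The new `exit 1` sits inside a function of a sourced library, so a missing directory now terminates the sourcing script from within a helper rather than through the file's own error path; the `get_kubernetes_version` removed in the next hunk shows the established idiom is `die`. The message is also misleading now that the only check is `-d` on the directory, so replace the `echo` + `exit 1` pair with `die "Custom cloud-init defaults directory not found: $CUSTOM_CLOUD_CONFIG_DEFAULTS"`. Since the fedora directory now holds symlinks into ../../ubuntu, a short comment on the `--dereference` flag saying it copies the link targets rather than the links would save the next reader a detour.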
@@ -158,6 +147,10 @@ common_finalize() { cd / clean_automatic_users $SUDO cloud-init clean --logs + if ! ((CONTAINER)); then + # Prevent periodically activated services interfering with testing + /bin/bash $(dirname ${BASH_SOURCE[0]})/systemd_banish.sh + fi $SUDO rm -rf /var/lib/cloud/instanc* $SUDO rm -rf /root/.ssh/* $SUDO rm -rf /etc/ssh/*key* @@ -166,6 +159,7 @@ common_finalize() { echo -n "" | $SUDO tee /etc/machine-id $SUDO sync if ! ((CONTAINER)); then + # This helps when google goes to compress the image $SUDO fstrim -av fi } @@ -173,6 +167,11 @@ common_finalize() { # Called during VM Image setup, not intended for general use. rh_finalize() { set +e # Don't fail at the very end + if ((CONTAINER)); then # try to save a little space + msg "Cleaning up packaging metadata and cache" + $SUDO dnf clean all + $SUDO rm -rf /var/cache/dnf + fi set -x # Packaging cache is preserved across builds of container images $SUDO rm -f /etc/udev/rules.d/*-persistent-*.rules @@ -183,6 +182,11 @@ rh_finalize() { # Called during VM Image setup, not intended for general use. ubuntu_finalize() { set +e # Don't fail at the very end + if ((CONTAINER)); then # try to save a little space + msg "Cleaning up packaging metadata and cache" + $SUDO apt-get clean + $SUDO rm -rf /var/cache/apt + fi set -x # Packaging cache is preserved across builds of container images common_finalize diff --git a/skopeo_cidev/setup.sh b/skopeo_cidev/setup.sh index 8a64b99b..df8f4c37 100644 --- a/skopeo_cidev/setup.sh +++ b/skopeo_cidev/setup.sh @@ -61,7 +61,7 @@ cd "$REG_GOSRC" git clone --depth 1 -b "$OSO_TAG" "$OSO_REPO" "$OSO_GOSRC" cd "$OSO_GOSRC" -# Edit out a "go < 1.5" check which works incorrectly with go ≥ 1.10. +# Edit out a "go < 1.5" check which works incorrectly with go >= 1.10. sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' ./hack/common.sh # Fix a bug in 'options' line processing of resolv.conf when an option is 
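Review bot: The new `/bin/bash $(dirname ${BASH_SOURCE[0]})/systemd_banish.sh` in common_finalize leaves both the command substitution and `${BASH_SOURCE[0]}` unquoted, so a path with whitespace would be word-split; write it as `/bin/bash "$(dirname "${BASH_SOURCE[0]}")/systemd_banish.sh"`, or use `$REPO_DIRPATH/systemd_banish.sh` as custom_cloud_init above now does, if that variable is guaranteed to be set here. cache_images/fedora_setup.sh in this same diff also runs systemd_banish.sh early for VMs, so on Fedora it now runs twice; if the second run is intended as a final sweep, a word in the comment saying so would stop someone removing one of them. common_finalize starts before and ends after this hunk.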
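Review bot: `$SUDO rm -rf /var/cache/dnf` in the new `((CONTAINER))` branch of rh_finalize contradicts the context line right below it, `# Packaging cache is preserved across builds of container images`, and the Makefile hunks in this diff bind-mount `$(_TEMPDIR)/.cache/<name>` onto /var/cache/dnf and /var/cache/apt for `podman build`. If finalize runs inside that build, the rm empties the host-side cache through the mount (saving nothing in the image) and then fails on the mount point itself, which the `set +e` a few lines up hides; `rm -rf /var/cache/apt` in ubuntu_finalize in the next hunk has the same problem. Skip the mounted case explicitly, e.g. `mountpoint -q /var/cache/dnf || $SUDO rm -rf /var/cache/dnf`, and adjust the comment to say what is and is not preserved. rh_finalize continues past the hunk.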
diff --git a/systemd_banish.sh b/systemd_banish.sh index 26b51bb5..14678844 100644 --- a/systemd_banish.sh +++ b/systemd_banish.sh @@ -11,7 +11,7 @@ SUDO="" [[ "$UID" -eq 0 ]] || \ SUDO="sudo" -EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download" +EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean update-notifier-download mlocate-updatedb" if [[ "$1" == "--list" ]] then