crameleon/Factory
SHA256
1
0
Fork 0
forked from suse-edge/Factory
Code Pull Requests Activity

Compare commits

base: crameleon:main
Branches Tags
crameleon:main crameleon:py311 crameleon:3.5 crameleon:3.4 crameleon:3.3 crameleon:3.2 crameleon:kubectl-1.32.4 crameleon:devel suse-edge:3.5 suse-edge:main suse-edge:3.4 suse-edge:3.3 suse-edge:3.2 suse-edge:devel
..
compare: crameleon:3.3
Branches Tags
crameleon:py311 crameleon:3.5 crameleon:main crameleon:3.4 crameleon:3.3 crameleon:3.2 crameleon:kubectl-1.32.4 crameleon:devel suse-edge:3.5 suse-edge:main suse-edge:3.4 suse-edge:3.3 suse-edge:3.2 suse-edge:devel

60 Commits
main ... 3.3

Author SHA256 Message Date
e-minguez
103b1f90f8 fix: Try to prevent OBS net hiccups 
(cherry picked from commit 8852fdad20)
 2025-12-18 11:57:30 +01:00
Eduardo Minguez
2e96827011 Merge pull request 'fix: Bump kiwi-builder container image version' (#338) from eminguez/suse-edge-factory:iptables-kiwi-3.3-fix into 3.3 
Reviewed-on: suse-edge/Factory#338
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
 2025-12-18 11:54:22 +01:00
e-minguez
96fe79c6cc fix: Bump kiwi-builder container image version 2025-12-17 15:39:03 +01:00
Eduardo Minguez
ce254ac125 Merge pull request 'fix: Bring back iptables' (#335) from eminguez/suse-edge-factory:iptables-kiwi-3.3 into 3.3 
Reviewed-on: suse-edge/Factory#335
Reviewed-by: Rhys Oxenham <roxenham@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-12-17 11:50:53 +01:00
e-minguez
3a1f005049 fix: Bring back iptables 
https://src.suse.de/products/SL-Micro/pulls/299
(cherry picked from commit f3c03cbd039092ffb32993599b026cf610fcac37d3d68342b5cdd83881ed6dd1)
 2025-12-17 10:37:16 +01:00
Nicolas Belouin
45343089f7 Merge pull request 'Backport LACP fix to 3.3' (#290) from nbelouin/Factory:IPA_Driver_33 into 3.3 
Reviewed-on: suse-edge/Factory#290
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-10-30 09:34:21 +01:00
Nicolas Belouin
3aae51cfae Bump metal3-chart version 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
 2025-10-29 14:08:27 +01:00
Nicolas Belouin
75cc915112 fix(ironic-ipa-downloader-image): Remove duplicate file in image 
Remove the initramfs and kernel being copied twice in the image

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
 2025-10-29 14:08:27 +01:00
Nicolas Belouin
ad45235c74 Remove kernel modules filter 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 28f7c4b074)
 2025-10-29 14:08:27 +01:00
Nicolas Belouin
947493ce38 Update versions for metal3-chart 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 5cbf832b02)
 2025-10-29 14:08:27 +01:00
Nicolas Belouin
6e914e78fd Fix upgrade issue 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 7cf1b8ea26)
 2025-10-29 14:08:27 +01:00
Nicolas Belouin
9c481c528a Bump mariadb chart 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 83b44c9bc7)
 2025-10-29 14:08:27 +01:00
Denislav Prodanov
b784e686ce Merge pull request '[3.3.3] - bump release manifest versions' (#283) from dprodanov/Factory:3.3.3 into 3.3 
Reviewed-on: suse-edge/Factory#283
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-10-10 12:38:22 +02:00
dprodanov4
c82b927ab8 [3.3.3] - bump release manifest versions 2025-10-10 12:53:20 +03:00
Denislav Prodanov
c79a6c5dcc Merge pull request 'created 3.3.3 RM' (#265) from dprodanov/Factory:3.3.3 into 3.3 
Reviewed-on: suse-edge/Factory#265
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-09-11 09:49:08 +02:00
Denislav Prodanov
04e92de18a created 3.3.3 RM 2025-09-11 10:19:33 +03:00
Denislav Prodanov
1d8d3b3924 Merge pull request 'changed the entry point for pre-commit to call the script from the venv' (#249) from backport-pre-commit-fix into 3.3 
Reviewed-on: suse-edge/Factory#249
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-08-29 11:38:33 +02:00
Denislav Prodanov
019c3da9db changed the entry point for pre-commit to call the script from the venv 2025-08-29 10:54:43 +02:00
Denislav Prodanov
6029137fb3 Merge pull request '[3.3.2] - fixed neuvector version' (#242) from dprodanov/Factory:3.3.2-fix into 3.3 
Reviewed-on: suse-edge/Factory#242
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
 2025-08-20 12:03:04 +02:00
Denislav Prodanov
51b4330cab [3.3.2] - fixed neuvector version 2025-08-20 12:25:17 +03:00
Denislav Prodanov
8596d9328b Update release-manifest-image/release_manifest.yaml 2025-08-05 14:45:43 +02:00
Denislav Prodanov
7649db04b8 Merge pull request 'create release manifest for 3.3.2' (#227) from dprodanov/Factory:3.3.2 into 3.3 
Reviewed-on: suse-edge/Factory#227
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
 2025-08-05 10:47:51 +02:00
Denislav Prodanov
47ad45bfab create release manifest for 3.3.2 2025-08-05 10:15:01 +03:00
Nicolas Belouin
4fdcb0ecb7 Merge pull request '[3.3] Add pre-commit to update release manifest' (#219) from nbelouin/Factory:backport-precommit-3.3 into 3.3 
Reviewed-on: suse-edge/Factory#219
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-07-31 08:36:19 +02:00
Nicolas Belouin
7723e20aa0 Add pre-commit to update release manifest 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit c3f1be5640)
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
 2025-07-31 08:35:01 +02:00
Steven Hardy
4434e36b70 release-manifest: Update rancher-turtles versions 
(cherry picked from commit d45c9764a4)
 2025-07-29 18:15:47 +03:00
Steven Hardy
2f235ceb1a rancher-turtles-airgap-resources: Update to 0.21.0 
Updates to align with rancher-turtles chart

This also overides the RKE2 provider version to 0.18.0 so we can consume
recent fixes, in particular rancher/cluster-api-provider-rke2#684

(cherry picked from commit efd8bf1075)
 2025-07-29 18:14:53 +03:00
Steven Hardy
8816f3b054 rancher-turtles: Update 0.21.0 
Also update CAPI operator and CAPM3 versions

This also overides the RKE2 provider version to 0.18.0 so we can consume
recent fixes, in particular rancher/cluster-api-provider-rke2#684

(cherry picked from commit 892400cea7)
 2025-07-29 18:14:41 +03:00
Denislav Prodanov
453f3564aa Merge pull request 'kiwi-builder-image: Remove failure if package version mismatch' (#190) from backport/kiwi-builder-image into 3.3 
Reviewed-on: suse-edge/Factory#190
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-06-10 16:44:33 +02:00
Denislav Prodanov
421b511d19 kiwi-builder-image: Remove failure if package version mismatch 
Remove the automatic failure if repo package and base image are
mismatched.
This is needed to prevent automation from failing when updated base
image doesn't exists.

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
 2025-06-10 16:35:45 +02:00
Denislav Prodanov
1f1e6eae55 Merge pull request 'Fix issues with config and meta when releasing' (#191) from backport/config-issues into 3.3 
Reviewed-on: suse-edge/Factory#191
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-06-10 16:24:03 +02:00
Denislav Prodanov
d32507597f Fix issues with config and meta when releasing 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
 2025-06-10 16:22:51 +02:00
Denislav Prodanov
eaa7dad6f6 Merge pull request '[3.3.1] - bump turtles airgap version to align with the other turtle chart version' (#189) from backport/turtles-airgap into 3.3 
Reviewed-on: suse-edge/Factory#189
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-06-10 13:24:34 +02:00
Denislav Prodanov
9b502acd83 [3.3.1] - bump turtles airgap version to align with the other turtle chart version 2025-06-10 13:19:21 +02:00
Denislav Prodanov
49894ba16d Merge pull request 'bump uc and turtles version as a follow up of the kubectl image bump' (#186) from bump-charts into 3.3 
Reviewed-on: suse-edge/Factory#186
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-06-10 12:30:40 +02:00
Denislav Prodanov
43d5ffa2bd Merge pull request 'create new kubectl image' (#187) from kubectl-bump into 3.3 
Reviewed-on: suse-edge/Factory#187
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-06-10 12:30:02 +02:00
Denislav Prodanov
13b4cd50e2 create new kubectl image 2025-06-10 11:37:24 +02:00
Denislav Prodanov
93f5662ace bump uc and turtles version as a follow up of the kubectl image bump 2025-06-10 11:22:05 +02:00
Denislav Prodanov
a7284b5d35 Merge pull request 'release-manifest: fix version' (#182) from dprodanov/Factory:release-manifest-version into 3.3 
Reviewed-on: suse-edge/Factory#182
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-06-10 10:18:55 +02:00
Denislav Prodanov
312688449c release-manifest: fix version 2025-06-10 11:02:47 +03:00
dbw7
cfc89b579d EIB updates for 1.2.1 2025-06-09 13:57:45 -04:00
Steven Hardy
a089bf30e4 release-manifest: update rancher-turtles version 
(cherry picked from commit f92f3600e6)
 2025-06-06 14:28:29 +01:00
Steven Hardy
6dc2406148 rancher-turtles-airgap-resources: Updates for 0.20.0 
To align with https://github.com/suse-edge/charts/pull/221

(cherry picked from commit e379d5df4e)
 2025-06-06 14:28:13 +01:00
Steven Hardy
1928a4cc98 rancher-turtles-chart: Updates for 0.20.0 
To align with https://github.com/suse-edge/charts/pull/221

(cherry picked from commit 346d6137fe)
 2025-06-06 14:27:52 +01:00
Steven Hardy
5c48860dcd release-manifest: 3.3.1 version bumps 
Updates to consume the latest patch releases from Rancher, RKE2/k3s
and Neuvector

(cherry picked from commit 9dc5ba4c52)
 2025-06-06 13:42:07 +01:00
Nicolas Belouin
2f6c9b294c Merge pull request '[3.3] Metal3: fix BMO restart issues and NMC fix' (#170) from nbelouin/Factory:backport-metal3-fixes into 3.3 
Reviewed-on: suse-edge/Factory#170
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
 2025-06-06 14:20:37 +02:00
Nicolas Belouin
cfad38ccb4 Fix metal3 chart issues 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit ec7da715f4)
 2025-06-05 08:41:35 +02:00
Nicolas Belouin
1872e09bdf metal3-chart: fixup remove forgotten file 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 1ad6c99257)
 2025-06-05 08:41:35 +02:00
Steven Hardy
d15eb56f43 Bump EIB tag to 1.2.0.1 
Follow up to #166 which bumped NMC and the related IPA downloader image,
we also need to bump EIB since it also consumes the updated NMC version

(cherry picked from commit 12e91c2102)
 2025-06-05 08:41:35 +02:00
Nicolas Belouin
c97db6d3a3 Bump ipa ramdisk version for nm-config fix 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit bdaa422813)
 2025-06-03 15:07:22 +02:00
Nicolas Belouin
fbdab3228e Bump nm-configurator to 0.3.3 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit c25bf622bc)
 2025-06-03 15:07:22 +02:00
Nicolas Belouin
e6f27f3ecc Add annotations to force rollout of pods on config change 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit 629e96dded)
 2025-06-03 15:07:22 +02:00
Nicolas Belouin
4fab8da5d5 Add bmo inotify hook 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit c190a1c800)
 2025-06-03 15:07:22 +02:00
Denislav Prodanov
1583758ffa Merge pull request 'fix typo in network-operator' (#163) from dprodanov-patch-1 into 3.3 
Reviewed-on: suse-edge/Factory#163
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
 2025-05-20 15:38:41 +02:00
Denislav Prodanov
9cf01c4934 fix typo in network-operator 2025-05-20 15:37:57 +02:00
Denislav Prodanov
5c9ab033b3 Merge pull request 'release-manifest-image: Update NeuVector Extension to 2.1.3' (#161) from dprodanov-patch-1 into 3.3 
Reviewed-on: suse-edge/Factory#161
Reviewed-by: Jiří Tomášek <jtomasek@noreply.src.opensuse.org>
 2025-05-20 10:04:00 +02:00
Denislav Prodanov
8138909378 release-manifest-image: Update NeuVector Extension to 2.1.3 
Chart: https://github.com/rancher/ui-plugin-charts/blob/main/charts/neuvector-ui-ext/2.1.3/Chart.yaml
Release: https://github.com/neuvector/manager-ext/releases/tag/neuvector-ui-ext-2.1.3
 2025-05-20 09:56:13 +02:00
Nicolas Belouin
e55661d20b Merge pull request '[3.3.0] Fix rancher turtles airgap chart prefix' (#159) from nbelouin/Factory:fix_airgap_prefix_3.3 into 3.3 
Reviewed-on: suse-edge/Factory#159
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
 2025-05-16 14:06:54 +02:00
Nicolas Belouin
7ba1026bf5 Fix rancher turtles airgap chart prefix 
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
(cherry picked from commit c37782e077)
 2025-05-16 13:14:44 +02:00
Denislav Prodanov
5b6a86f405 Update .obs/common.py 2025-05-16 10:41:06 +02:00
365 changed files with 41759 additions and 9619 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -1,4 +1,3 @@
*/.osc
*/__pycache__
.venv/
.idea/
.venv/

173
.gitmodules vendored
View File

@@ -1,170 +1,15 @@
[submodule "obs-service-set_version"]
path = obs-service-set_version
url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
[submodule "cri-tools"]
path = cri-tools
url = https://src.opensuse.org/pool/cri-tools.git
[submodule "fakeroot"]
path = fakeroot
url = https://src.opensuse.org/pool/fakeroot.git
[submodule "crudini"]
path = crudini
url = https://src.opensuse.org/pool/crudini.git
[submodule "cni-plugins"]
path = cni-plugins
url = https://src.opensuse.org/pool/cni-plugins
[submodule "python-kubernetes"]
path = python-kubernetes
url = https://src.opensuse.org/pool/python-kubernetes
branch = leap-16.0
[submodule "python-durationpy"]
path = python-durationpy
url = https://src.opensuse.org/pool/python-durationpy
branch = leap-16.0
[submodule "python-recommonmark"]
path = python-recommonmark
url = https://src.opensuse.org/pool/python-recommonmark
branch = leap-16.0
[submodule "python-iniparse"]
path = python-iniparse
url = https://src.opensuse.org/pool/python-iniparse
branch = leap-16.0
[submodule "python-commonmark"]
path = python-commonmark
url = https://src.opensuse.org/pool/python-commonmark
branch = leap-16.0
[submodule "cni"]
path = cni
url = https://src.opensuse.org/pool/cni
[submodule "python-tenacity"]
path = python-tenacity
url = https://src.opensuse.org/pool/python-tenacity
[submodule "python-pint"]
path = python-pint
url = https://src.opensuse.org/pool/python-pint
branch = leap-16.0
[submodule "python-flexcache"]
path = python-flexcache
url = https://src.opensuse.org/pool/python-flexcache
branch = leap-16.0
[submodule "python-flexparser"]
path = python-flexparser
url = https://src.opensuse.org/pool/python-flexparser
branch = leap-16.0
[submodule "python-uncertainties"]
path = python-uncertainties
url = https://src.opensuse.org/pool/python-uncertainties
branch = leap-16.0
[submodule "python-dogpile.cache"]
path = python-dogpile.cache
url = https://src.opensuse.org/pool/python-dogpile.cache
branch = leap-16.0
[submodule "python-pytest-mpl"]
path = python-pytest-mpl
url = https://src.opensuse.org/pool/python-pytest-mpl
branch = leap-16.0
[submodule "python-zeroconf"]
path = python-zeroconf
url = https://src.opensuse.org/pool/python-zeroconf
branch = leap-16.0
[submodule "python-ifaddr"]
path = python-ifaddr
url = https://src.opensuse.org/pool/python-ifaddr
branch = leap-16.0
[submodule "python-yappi"]
path = python-yappi
url = https://src.opensuse.org/pool/python-yappi
[submodule "python-routes"]
path = python-routes
url = https://src.opensuse.org/pool/python-routes
branch = leap-16.0
[submodule "python-repoze.lru"]
path = python-repoze.lru
url = https://src.opensuse.org/pool/python-repoze.lru
branch = leap-16.0
[submodule "ipxe"]
path = ipxe
url = https://src.opensuse.org/pool/ipxe
branch = leap-16.0
[submodule "python-setproctitle"]
path = python-setproctitle
url = https://src.opensuse.org/pool/python-setproctitle
branch = leap-16.0
[submodule "python-requests-kerberos"]
path = python-requests-kerberos
url = https://src.opensuse.org/pool/python-requests-kerberos
branch = leap-16.0
[submodule "python-pecan"]
path = python-pecan
url = https://src.opensuse.org/pool/python-pecan
branch = leap-16.0
[submodule "python-pycdlib"]
path = python-pycdlib
url = https://src.opensuse.org/pool/python-pycdlib
[submodule "python-cliff"]
path = python-cliff
url = https://src.opensuse.org/pool/python-cliff
[submodule "python-autopage"]
path = python-autopage
url = https://src.opensuse.org/pool/python-autopage
[submodule "python-cmd2"]
path = python-cmd2
url = https://src.opensuse.org/pool/python-cmd2
branch = leap-16.0
[submodule "uwsgi"]
path = uwsgi
url = https://src.opensuse.org/pool/uwsgi
branch = leap-16.0
[submodule "python-requestsexceptions"]
path = python-requestsexceptions
url = https://src.opensuse.org/pool/python-requestsexceptions
[submodule "python-python-memcached"]
path = python-python-memcached
url = https://src.opensuse.org/pool/python-python-memcached
[submodule "python-kombu"]
path = python-kombu
url = https://src.opensuse.org/pool/python-kombu
[submodule "python-amqp"]
path = python-amqp
url = https://src.opensuse.org/pool/python-amqp
branch = leap-16.0
[submodule "python-statsd"]
path = python-statsd
url = https://src.opensuse.org/pool/python-statsd
[submodule "python-warlock"]
path = python-warlock
url = https://src.opensuse.org/pool/python-warlock
[submodule "python-case"]
path = python-case
url = https://src.opensuse.org/pool/python-case
branch = leap-16.0
[submodule "python-vine"]
path = python-vine
url = https://src.opensuse.org/pool/python-vine
branch = leap-16.0
[submodule "python-Pyro5"]
path = python-Pyro5
url = https://src.opensuse.org/pool/python-Pyro5
branch = leap-16.0
[submodule "python-pre-commit"]
path = python-pre-commit
url = https://src.opensuse.org/pool/python-pre-commit
[submodule "python-serpent"]
path = python-serpent
url = https://src.opensuse.org/pool/python-serpent
branch = leap-16.0
[submodule "python-google-cloud-monitoring"]
path = python-google-cloud-monitoring
url = https://src.opensuse.org/pool/python-google-cloud-monitoring
[submodule "python-google-cloud-pubsub"]
path = python-google-cloud-pubsub
url = https://src.opensuse.org/pool/python-google-cloud-pubsub
[submodule "python-cfgv"]
path = python-cfgv
url = https://src.opensuse.org/pool/python-cfgv
[submodule "python-identify"]
path = python-identify
url = https://src.opensuse.org/pool/python-identify
[submodule "python-pandas"]
path = python-pandas
url = https://src.opensuse.org/pool/python-pandas
[submodule "python-grpc-google-iam-v1"]
path = python-grpc-google-iam-v1
url = https://src.opensuse.org/pool/python-grpc-google-iam-v1
[submodule "python-editdistance"]
path = python-editdistance
url = https://src.opensuse.org/pool/python-editdistance
[submodule "autoconf"]
path = autoconf
url = https://src.opensuse.org/SLFO-pool/autoconf.git

4
.obs/common.py
View File

@@ -1,3 +1,3 @@
PROJECT = "isv:SUSE:Edge:Factory"
PROJECT = "isv:SUSE:Edge:3.3"
REPOSITORY = "https://src.opensuse.org/suse-edge/Factory"
BRANCH = "main"
BRANCH = "3.3"

40
.obs/wait_obs.py
View File

@@ -6,7 +6,6 @@ import sys
from collections import Counter
def get_buildstatus(project: str) -> ET.Element:
for _ in range(5):
try:
@@ -18,17 +17,8 @@ def get_buildstatus(project: str) -> ET.Element:
continue
print("Failed to get buildstatus from OBS")
def do_wait(project: str, commit: str) -> ET.Element:
def do_wait(project:str, commit:str) -> ET.Element:
last_state = None
waiting_states = (
"blocked",
"scheduled",
"dispatching",
"building",
"signing",
"finished",
)
while True:
time.sleep(5)
status = get_buildstatus(project)
@@ -43,25 +33,17 @@ def do_wait(project: str, commit: str) -> ET.Element:
else:
last_state = status.get("state")
scminfo = {e.text for e in status.findall(".//scminfo")}
scminfo = { e.text for e in status.findall(".//scminfo") }
if len(scminfo) != 1 or scminfo.pop() != commit:
print("Waiting for OBS to sync with SCM")
continue
if not all(
[
e.get("state") == "published" # Only consider if all packages are published
and e.get("dirty") is None # Exclude states needing recalculation
and e.get("code") not in waiting_states # Exclude transient/waiting states
for e in status.findall("./result")
] + [ e.get("code") not in waiting_states for e in status.findall("./status") ]
):
if not all([ e.get('state') == "published" and e.get('dirty') is None for e in status.findall("./result")]):
print("Waiting for OBS to finish building")
continue
return status
def print_results(status: ET.Element) -> bool:
results = {}
failed = []
@@ -69,15 +51,15 @@ def print_results(status: ET.Element) -> bool:
repo = results.get(e.get("repository"), {})
repo[e.get("arch")] = e
results[e.get("repository")] = repo
for repo in results.keys():
print(f"{repo}:")
depth = 1
depth=1
for arch in results[repo].keys():
counts = Counter()
if repo != "charts":
print(f"\t{arch}:")
depth = 2
depth=2
for package in results[repo][arch].findall("./status"):
if package.get("code") in ["excluded", "disabled"]:
continue
@@ -88,9 +70,9 @@ def print_results(status: ET.Element) -> bool:
else:
failed.append(f"{package.get('package')} ({arch})")
counts[package.get("code")] += 1
for code, count in counts.items():
print("\t" * depth, f"{code}: {count}")
for (code, count) in counts.items():
print("\t"*depth, f"{code}: {count}")
failed.sort()
if failed:
print("\nPackages failing: ")
@@ -98,7 +80,6 @@ def print_results(status: ET.Element) -> bool:
print("\t", fail)
return len(failed)
def main():
project = os.environ.get("OBS_PROJECT")
sha = os.environ.get("GIT_SHA")
@@ -106,6 +87,5 @@ def main():
status = do_wait(project, sha)
sys.exit(print_results(status))
if __name__ == "__main__":
main()

119
_config
View File

@@ -1,11 +1,7 @@
Prefer: -libqpid-proton10 -python313-urllib3_1
Prefer: -cargo1.58 -cargo1.57 cargo1.89
Prefer: chrony-pool-suse
Prefer: -postgresql17-devel-mini
BuildFlags: excludebuild:python-pandas:test-py313
Prefer: -libqpid-proton10 -python311-urllib3_1
Macros:
%__python3 /usr/bin/python3.11
%registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
:Macros
@@ -49,42 +45,66 @@ Macros:
:Macros
%endif
# Missing deps for testsuite
BuildFlags: excludebuild:autoconf:el
BuildFlags: excludebuild:autoconf:testsuite
# Only build manifest embedding images here
%if "%_repository" == "test_manifest_images"
BuildFlags: onlybuild:edge-image-builder-image
BuildFlags: onlybuild:release-manifest-image
%else
# Only a subset of stack is arm64 ready exclude what is not ready
# Exclude the images selected by the following section
# as the standard repository is a dependency
%ifarch aarch64
# Akri
BuildFlags: excludebuild:akri
BuildFlags: excludebuild:akri-agent-image
BuildFlags: excludebuild:akri-controller-image
BuildFlags: excludebuild:akri-debug-echo-discovery-handler-image
BuildFlags: excludebuild:akri-onvif-discovery-handler-image
BuildFlags: excludebuild:akri-opcua-discovery-handler-image
BuildFlags: excludebuild:akri-udev-discovery-handler-image
BuildFlags: excludebuild:akri-webhook-configuration-image
BuildFlags: excludebuild:cri-tools
# FRR
BuildFlags: excludebuild:frr-image
BuildFlags: excludebuild:frr-k8s
BuildFlags: excludebuild:frr-k8s-image
# Upgrade controller
BuildFlags: excludebuild:upgrade-controller
BuildFlags: excludebuild:upgrade-controller-image
BuildFlags: excludebuild:baremetal-operator-image
BuildFlags: excludebuild:endpoint-copier-operator-image
BuildFlags: excludebuild:ironic-image
BuildFlags: excludebuild:ironic-ipa-downloader-image
BuildFlags: excludebuild:kubectl-image
BuildFlags: excludebuild:kube-rbac-proxy-image
BuildFlags: excludebuild:metallb-controller-image
BuildFlags: excludebuild:metallb-speaker-image
%endif
%else
# Only a subset of stack is arm64 ready
%ifarch aarch64
BuildFlags: onlybuild:autoconf
BuildFlags: onlybuild:baremetal-operator
BuildFlags: onlybuild:baremetal-operator-image
BuildFlags: onlybuild:ca-certificates-suse
BuildFlags: onlybuild:container-build-checks
BuildFlags: onlybuild:crudini
BuildFlags: onlybuild:edge-build-checks
BuildFlags: onlybuild:edge-image-builder
BuildFlags: onlybuild:edge-image-builder-image
BuildFlags: onlybuild:endpoint-copier-operator
BuildFlags: onlybuild:endpoint-copier-operator-image
BuildFlags: onlybuild:fakeroot
BuildFlags: onlybuild:hauler
BuildFlags: onlybuild:ipcalc
BuildFlags: onlybuild:ironic-image
BuildFlags: onlybuild:ironic-ipa-downloader-image
BuildFlags: onlybuild:ironic-ipa-ramdisk
BuildFlags: onlybuild:kubectl
BuildFlags: onlybuild:kubectl-image
BuildFlags: onlybuild:kube-rbac-proxy
BuildFlags: onlybuild:kube-rbac-proxy-image
BuildFlags: onlybuild:metallb
BuildFlags: onlybuild:metallb-controller-image
BuildFlags: onlybuild:metallb-speaker-image
BuildFlags: onlybuild:nm-configurator
BuildFlags: onlybuild:shim-noarch
%endif
%endif
%if "%_repository" == "images" || "%_repository" == "test_manifest_images"
Prefer: container:sles15-image
Type: docker
Repotype: none
Patterntype: none
BuildEngine: podman
Prefer: SLES-release
BuildFlags: dockerarg:SLE_VERSION=16.0
Prefer: sles-release
BuildFlags: dockerarg:SLE_VERSION=15.6
# Publish multi-arch container images only once all archs have been built
PublishFlags: archsync
@@ -99,6 +119,41 @@ BuildFlags: onlybuild:release-manifest-image
%endif
%if "%_repository" == "images_16.0"
Prefer: container:sles15-image
Type: docker
BuildEngine: podman
Repotype: none
Patterntype: none
BuildFlags: dockerarg:SLE_VERSION=16.0
BuildFlags: onlybuild:kiwi-builder-image
Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
# Publish multi-arch container images only once all archs have been built
PublishFlags: archsync
# Exclude the images selected by the aarch64 section
%ifarch aarch64
BuildFlags: excludebuild:baremetal-operator-image
BuildFlags: excludebuild:edge-image-builder-image
BuildFlags: excludebuild:endpoint-copier-operator-image
BuildFlags: excludebuild:ironic-image
BuildFlags: excludebuild:ironic-ipa-downloader-image
BuildFlags: excludebuild:kubectl-image
BuildFlags: excludebuild:kube-rbac-proxy-image
BuildFlags: excludebuild:metallb-controller-image
BuildFlags: excludebuild:metallb-speaker-image
%endif
%else
%if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
BuildFlags: excludebuild:kiwi-builder-image
%endif
%endif
%if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
Type: helm
Repotype: helm
@@ -115,16 +170,12 @@ BuildFlags: onlybuild:release-manifest-image
# ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
ExportFilter: ^grub2-.*-efi-.*\.noarch\.rpm$ aarch64 x86_64
%endif
%if "%_repository" != "standard"
BuildFlags: excludebuild:grub-aggregate
%endif
# Enable reproducible builds
# https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
Macros:
%source_date_epoch_from_changelog N
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible

18
_meta
View File

@@ -34,15 +34,20 @@
<arch>x86_64</arch>
</repository>
{%- endif %}
{%- for repository in ["images", "test_manifest_images"] %}
{%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
<repository name="{{ repository }}">
{%- if release_project is defined and repository != "test_manifest_images" %}
<releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
{%- endif %}
<path project="SUSE:Registry" repository="standard"/>
<path project="{{ ironic_base }}:Factory" repository="16.0"/>
<path project="SUSE:CA" repository="openSUSE_Tumbleweed"/>
<path project="{{ project }}" repository="standard"/>
{%- if repository == "images_16.0" %}
<path project="SUSE:CA" repository="16.0"/>
<path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
<path project="SUSE:SLFO:Main:Build" repository="standard"/>
{%- else %}
<path project="SUSE:CA" repository="SLE_15_SP6"/>
<path project="{{ project }}" repository="standard"/>
{%- endif %}
<arch>x86_64</arch>
<arch>aarch64</arch>
</repository>
@@ -51,9 +56,8 @@
{%- if release_project is defined and not for_release %}
<releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
{%- endif %}
<path project="{{ ironic_base }}:Factory" repository="16.0"/>
<path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
<path project="SUSE:SLFO:1.2" repository="standard"/>
<path project="{{ ironic_base }}:2024.2" repository="15.6"/>
<path project="SUSE:SLE-15-SP6:Update" repository="standard"/>
<arch>x86_64</arch>
<arch>aarch64</arch>
</repository>

9
akri-dashboard-extension-chart/Chart.yaml
View File

@@ -1,5 +1,6 @@
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2-%RELEASE%
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1
#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1-%RELEASE%
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +13,10 @@ annotations:
catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
catalog.cattle.io/kube-version: '>= v1.26.0-0'
apiVersion: v2
appVersion: 1.3.2
appVersion: 303.0.2+up1.3.1
description: 'SUSE Edge: Akri extension for Rancher Dashboard'
name: akri-dashboard-extension
type: application
version: "%%CHART_MAJOR%%.0.4+up1.3.2"
version: "%%CHART_MAJOR%%.0.2+up1.3.1"
icon: >-
https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg

2
akri-dashboard-extension-chart/templates/cr.yaml
View File

@@ -8,7 +8,7 @@ spec:
plugin:
name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.3.2
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/303.0.2+up1.3.1
noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}

1
autoconf Submodule

Submodule autoconf added at 0154270569

7
baremetal-operator-image/Dockerfile
View File

@@ -1,12 +1,13 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator python3-watchdog procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers

9
baremetal-operator-image/bmo-run
View File

@@ -3,11 +3,10 @@ export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPD
export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}
if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
watchmedo shell-command \
--patterns="$(basename "${IRONIC_CACERT_FILE}")" \
--ignore-directories \
--command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -TERM baremetal-opera; fi' \
"$(dirname "${IRONIC_CACERT_FILE}")" &
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
kill $(pgrep baremetal-opera)
done &
fi
exec /usr/bin/baremetal-operator $@

2
baremetal-operator/_service
View File

@@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/metal3-io/baremetal-operator</param>
<param name="scm">git</param>
<param name="revision">v0.11.2</param>
<param name="revision">v0.9.1</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>

5
baremetal-operator/baremetal-operator.spec
View File

@@ -17,15 +17,14 @@
Name: baremetal-operator
Version: 0.11.2
Version: 0.9.1
Release: 0
Summary: Implements a Kubernetes API for managing bare metal hosts
License: Apache-2.0
URL: https://github.com/metal3-io/baremetal-operator
Source: baremetal-operator-%{version}.tar
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.24
BuildRequires: golang(API) = 1.23
ExcludeArch: s390
ExcludeArch: %{ix86}

8
cdi-chart/Chart.yaml
View File

@@ -1,9 +1,9 @@
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE%
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0
#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0-%RELEASE%
apiVersion: v2
appVersion: 1.62.0
appVersion: 1.61.0
description: A Helm chart for Containerized Data Importer (CDI)
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
name: cdi
type: application
version: "%%CHART_MAJOR%%.0.1+up0.6.0"
version: "%%CHART_MAJOR%%.0.0+up0.5.0"

12
cdi-chart/crds/cdi.yaml
View File

@@ -109,9 +109,9 @@ spec:
description: CDIConfig at CDI level
properties:
dataVolumeTTLSeconds:
description: |-
DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
Deprecated: Removed in v1.62.
description: DataVolumeTTLSeconds is the time in seconds after
DataVolume completion it can be garbage collected. Disabled
by default.
format: int32
type: integer
featureGates:
@@ -2641,9 +2641,9 @@ spec:
description: CDIConfig at CDI level
properties:
dataVolumeTTLSeconds:
description: |-
DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
Deprecated: Removed in v1.62.
description: DataVolumeTTLSeconds is the time in seconds after
DataVolume completion it can be garbage collected. Disabled
by default.
format: int32
type: integer
featureGates:

2
cdi-chart/templates/cdi-operator.yaml
View File

@@ -599,8 +599,6 @@ spec:
strategy: {}
template:
metadata:
annotations:
openshift.io/required-scc: restricted-v2
labels:
cdi.kubevirt.io: cdi-operator
name: cdi-operator

6
cdi-chart/templates/cdi.yaml
View File

@@ -18,8 +18,4 @@ spec:
{{- with .Values.cdi.workload }}
workload:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.cdi.customizeComponents }}
customizeComponents:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

19
cdi-chart/values.yaml
View File

@@ -1,12 +1,12 @@
deployment:
version: 1.62.0-150700.9.3.1
operatorImage: registry.suse.com/suse/sles/15.7/cdi-operator
controllerImage: registry.suse.com/suse/sles/15.7/cdi-controller
importerImage: registry.suse.com/suse/sles/15.7/cdi-importer
clonerImage: registry.suse.com/suse/sles/15.7/cdi-cloner
apiserverImage: registry.suse.com/suse/sles/15.7/cdi-apiserver
uploadserverImage: registry.suse.com/suse/sles/15.7/cdi-uploadserver
uploadproxyImage: registry.suse.com/suse/sles/15.7/cdi-uploadproxy
version: 1.61.0-150600.3.12.1
operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator
controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller
importerImage: registry.suse.com/suse/sles/15.6/cdi-importer
clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner
apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver
uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver
uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy
pullPolicy: IfNotPresent
affinity:
podAffinity:
@@ -30,7 +30,6 @@ cdi:
featureGates:
- HonorWaitForFirstConsumer
imagePullPolicy: "IfNotPresent"
customizeComponents: {}
infra:
nodeSelector:
kubernetes.io/os: linux
@@ -42,7 +41,7 @@ cdi:
nodeSelector:
kubernetes.io/os: linux
hookImage: registry.rancher.com/rancher/kubectl:v1.33.1
hookImage: registry.rancher.com/rancher/kubectl:v1.30.10
hookRestartPolicy: OnFailure
hookSecurityContext:
seccompProfile:

1
cni

Submodule cni deleted from a18c16d6bd

1
cni-plugins

Submodule cni-plugins deleted from b6dd6951d9

2
cri-tools

Submodule cri-tools updated: 6b5145f3d4...fc6852f89d

2
crudini

Submodule crudini updated: a0919c82ee...c24bedd13b

14
edge-image-builder-image/Dockerfile
View File

@@ -1,5 +1,6 @@
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.2
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.2-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-base:$SLE_VERSION
MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -7,18 +8,18 @@ MAINTAINER SUSE LLC (https://www.suse.com/)
COPY artifacts.yaml artifacts.yaml
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins pigz zstd cpio && zypper -n clean && rm -rf /var/log/*
RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins; zypper -n clean; rm -rf /var/log/*
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.edge-image-builder
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image"
LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="1.3.2"
LABEL org.opencontainers.image.version="1.2.1"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.3.2-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +33,8 @@ LABEL com.suse.release-stage="released"
# and also expects the boot kernel to be a portable executable (PE), not ELF.
RUN mkdir -p /usr/share/edk2/aarch64 && \
cp /usr/share/qemu/aavmf-aarch64-code.bin /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw && \
cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw
cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw && \
mv /boot/vmlinux* /boot/backup-vmlinux
ENTRYPOINT ["/usr/bin/eib"]

8
edge-image-builder-image/artifacts.yaml
View File

@@ -1,19 +1,15 @@
metallb:
chart: metallb
repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
version: "%%CHART_MAJOR%%.0.1+up0.15.2"
version: "%%CHART_MAJOR%%.0.0+up0.14.9"
endpoint-copier-operator:
chart: endpoint-copier-operator
repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
version: "%%CHART_MAJOR%%.0.1+up0.3.0"
version: "%%CHART_MAJOR%%.0.0+up0.2.1"
kubernetes:
k3s:
selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch
selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch
selinuxRepositoryPriority: 1
releaseURL: https://github.com/k3s-io/k3s/releases/download/
rke2:
selinuxPackage: rke2-selinux
selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch
selinuxRepositoryPriority: 1
releaseURL: https://github.com/rancher/rke2/releases/download/

8
edge-image-builder/_service
View File

@@ -3,17 +3,13 @@
<param name="url">https://github.com/suse-edge/edge-image-builder.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="revision">v1.3.2</param>
<param name="revision">v1.2.1</param>
<!-- Uncomment and set this For Pre-Release Version -->
<!-- <param name="version">1.3.2~rc0</param> -->
<!-- End Here -->
<!-- <param name="version">1.2.0~rc1</param> -->
<!-- Uncomment and this for regular version -->
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param>
<param name="versionrewrite-replacement">\1.\2.\3</param>
<!-- End Here -->
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar">

4
edge-image-builder/edge-image-builder.spec
View File

@@ -17,7 +17,7 @@
Name: edge-image-builder
Version: 1.3.2
Version: 1.2.1
Release: 0
Summary: Edge Image Builder
License: Apache-2.0
@@ -52,7 +52,7 @@ Requires: ca-certificates-suse
Tool for creating and configuring a set of images to automate the deployment of Edge environments
%prep
%autosetup -a1 -n edge-image-builder-%{version} -p1
%autosetup -a1 -n edge-image-builder-%{version}
%build
tar -xf %{SOURCE1}

8
endpoint-copier-operator-chart/Chart.yaml
View File

@@ -1,8 +1,8 @@
#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0
#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0-%RELEASE%
#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.0_up0.2.1
#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.0_up0.2.1-%RELEASE%
apiVersion: v2
appVersion: v0.3.0
appVersion: v0.2.0
description: A Helm chart for Kubernetes
name: endpoint-copier-operator
type: application
version: "%%CHART_MAJOR%%.0.1+up0.3.0"
version: "%%CHART_MAJOR%%.0.0+up0.2.1"

15
endpoint-copier-operator-chart/templates/deployment.yaml
View File

@@ -20,23 +20,8 @@ spec:
labels:
{{- include "endpoint-copier-operator.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- command:
- /manager

4
endpoint-copier-operator-chart/templates/rbac/role.yaml
View File

@@ -7,9 +7,9 @@ metadata:
name: {{ include "endpoint-copier-operator.fullname" . }}
rules:
- apiGroups:
- "discovery.k8s.io"
- ""
resources:
- endpointslices
- endpoints
verbs:
- create
- delete

12
endpoint-copier-operator-chart/values.yaml
View File

@@ -8,7 +8,7 @@ image:
repository: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.3.0"
tag: "0.2.0"
nameOverride: "endpoint-copier-operator"
fullnameOverride: "endpoint-copier-operator"
@@ -29,8 +29,6 @@ podSecurityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: "system-cluster-critical"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -39,11 +37,11 @@ securityContext:
resources:
limits:
cpu: 100m
memory: 64Mi
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 32Mi
cpu: 10m
memory: 64Mi
autoscaling:
enabled: false

1
endpoint-copier-operator-image/Dockerfile
View File

@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

2
endpoint-copier-operator/_service
View File

@@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/suse-edge/endpoint-copier-operator</param>
<param name="scm">git</param>
<param name="revision">v0.3.0</param>
<param name="revision">v0.2.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>

6
endpoint-copier-operator/endpoint-copier-operator.spec
View File

@@ -17,14 +17,14 @@
Name: endpoint-copier-operator
Version: 0.3.0
Release: 0.3.0
Version: 0.2.0
Release: 0.2.0
Summary: Implements a Kubernetes API for copying endpoint resources
License: Apache-2.0
URL: https://github.com/suse-edge/endpoint-copier-operator
Source: endpoint-copier-operator-%{version}.tar
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.24
BuildRequires: golang(API) = 1.20
ExcludeArch: s390
ExcludeArch: %{ix86}

1
fakeroot Submodule

Submodule fakeroot added at a93afedfbd

9
frr-image/Dockerfile
View File

@@ -1,6 +1,7 @@
# SPDX-License-Identifier: MIT
#!BuildTag: %%IMG_PREFIX%%frr:10.2.1
#!BuildTag: %%IMG_PREFIX%%frr:10.2.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%frr:8.5.6
#!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -14,11 +15,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="FRR Container Image"
LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="10.2.1"
LABEL org.opencontainers.image.version="8.5.6"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:10.2.1-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.5.6-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"

1
frr-k8s-image/Dockerfile
View File

@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

4
frr-k8s/_service
View File

@@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/metallb/frr-k8s</param>
<param name="scm">git</param>
<param name="revision">v0.0.20</param>
<param name="revision">v0.0.16</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>
</services>

8
frr-k8s/frr-k8s.spec
View File

@@ -17,14 +17,14 @@
Name: frr-k8s
Version: 0.0.20
Release: 0.0.20
Version: 0.0.16
Release: 0.0.16
Summary: A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
License: Apache-2.0
URL: https://github.com/metallb/frr-k8s
Source: frr-k8s-%{version}.tar
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.24
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
@@ -63,4 +63,4 @@ install -D -m0755 frr-k8s %{buildroot}/frr-k8s
/frr-metrics
/frr-k8s
%changelog
%changelog

7
grub-aggregate/_aggregate
View File

@@ -1,7 +0,0 @@
<aggregatelist>
<aggregate project="SUSE:SLFO:1.2" >
<binary>grub2-x86_64-efi</binary>
<binary>grub2-arm64-efi</binary>
<repository target="standard" source="standard" />
</aggregate>
</aggregatelist>

2
hauler/_service
View File

@@ -4,7 +4,7 @@
<param name="versionformat">@PARENT_TAG@</param>
<param name="scm">git</param>
<param name="exclude">.get</param>
<param name="revision">v1.2.5</param>
<param name="revision">v1.2.1</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
</service>

2
hauler/hauler.spec
View File

@@ -18,7 +18,7 @@
%define project github.com/hauler-dev/hauler
Name: hauler
Version: 1.2.5
Version: 1.2.1
Release: 0
Summary: Airgap Swiss Army Knife
License: Apache-2.0

33
ib-sriov-cni-image/Dockerfile
View File

@@ -1,33 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%
#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%-%RELEASE%
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends ib-sriov-cni gawk which; \
zypper -n clean; \
rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.ib-sriov-cni
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE ib-sriov-cni Container Image"
LABEL org.opencontainers.image.description="ib-sriov-cni based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%ib-sriov-cni_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ib-sriov-cni:%%ib-sriov-cni_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
ENTRYPOINT ["/entrypoint.sh"]

19
ib-sriov-cni-image/_service
View File

@@ -1,19 +0,0 @@
<services>
<service name="kiwi_metainfo_helper" mode="buildtime"/>
<service name="docker_label_helper" mode="buildtime"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%ib-sriov-cni_version%%</param>
<param name="package">ib-sriov-cni</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
</service>
</services>

25
ib-sriov-cni/_service
View File

@@ -1,25 +0,0 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/k8snetworkplumbingwg/ib-sriov-cni</param>
<param name="scm">git</param>
<param name="revision">v1.3.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">antonio.alarcon@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">ib-sriov-cni.obsinfo</param>
</service>
<service name="go_modules" />
<service mode="buildtime" name="set_version" />
<service name="replace_using_env" mode="buildtime">
<param name="file">ib-sriov-cni.spec</param>
<param name="var">SOURCE_COMMIT</param>
<param name="eval">SOURCE_COMMIT=$(grep commit ib-sriov-cni.obsinfo | cut -d" " -f2)</param>
</service>
</services>

64
ib-sriov-cni/ib-sriov-cni.spec
View File

@@ -1,64 +0,0 @@
#
# spec file for package ib-sriov-cni
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: ib-sriov-cni
Version: 0
Release: 0
Summary: Implements a Kubernetes CNI plugin operator for Infiniband SRIOV VFs
License: Apache-2.0
URL: https://github.com/k8snetworkplumbingwg/ib-sriov-cni
Source: %{name}-%{version}.tar
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.24
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
Network Interface Cards (NICs) with SR-IOV capabilities are managed through physical functions (PFs) and virtual functions (VFs).
A PF is used by the host and usually represents a single NIC port. VF configurations are applied through the PF.
The SR-IOV CNI allows each VF to be treated as a separate network interface, assigned to a container, and configured with its own
MAC, VLAN, IP and more.
Infiniband SR-IOV CNI plugin works with Infiniband SR-IOV device plugin for VF allocation in Kubernetes. A CNI metaplugin such as Multus
gets the allocated VF's deviceID(PCI address) and is responsible for invoking the Infiniband SR-IOV CNI plugin with that deviceID.
%prep
%autosetup -a1 -n %{name}-%{version} -p1
%build
# CGO is disabled by default in upstream Makefile:
%define cgoenabled "0"
# go build constrain (aka tag) "no_openssl" is set by default in upstream Makefile
%define gotags "no_openssl"
%define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)
%define buildcommit %%SOURCE_COMMIT%%
%define buildldflags "-X main.version=%{version} -X main.commit=%{buildcommit}% -X main.date=%{buildtime}%"
CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -tags %{gotags} -ldflags %{buildldflags} -o ib-sriov cmd/ib-sriov-cni/main.go
%install
install -D -m0755 ib-sriov %{buildroot}%{_bindir}/ib-sriov
install -D -m0755 images/entrypoint.sh %{buildroot}/entrypoint.sh
%files
%license LICENSE
%doc README.md
%{_bindir}/ib-sriov
/entrypoint.sh
%changelog

1
ipxe

Submodule ipxe deleted from afcb631479

79
ironic-image/Dockerfile
View File

@@ -1,6 +1,7 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.1
#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -17,19 +18,13 @@ RUN /bin/prepare-efi.sh
COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends \
python3-devel python3 python3-pip \
python313-sushy \
python3-watchdog python313-ironicclient \
git curl sles-release tar gzip vim gawk \
dnsmasq dosfstools apache2 ipcalc ipmitool iproute2 \
bind-utils procps qemu-tools sqlite3 util-linux xorriso \
tftp ipxe-bootimgs crudini \
openstack-ironic
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends syslinux ; \
zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
fi
# DATABASE
@@ -37,9 +32,7 @@ RUN mkdir -p /installroot/var/lib/ironic && \
/installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
zypper --installroot /installroot --non-interactive remove sqlite3
# build actual image
FROM micro AS final
MAINTAINER SUSE LLC (https://www.suse.com/)
# Define labels according to https://en.opensuse.org/Building_derived_containers
LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image"
@@ -47,8 +40,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.version="32.0.0.1"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:32.0.0.1-%RELEASE%"
LABEL org.opencontainers.image.version="26.1.2.4"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -59,8 +52,8 @@ LABEL com.suse.release-stage="released"
COPY --from=base /installroot /
RUN set -euo pipefail; ln -s /usr/bin/python3.13 /usr/local/bin/python3; \
ln -s /usr/bin/pydoc3.13 /usr/local/bin/pydoc
RUN set -euo pipefail; ln -s /usr/bin/python3.11 /usr/local/bin/python3; \
ln -s /usr/bin/pydoc3.11 /usr/local/bin/pydoc
ENV GRUB_DIR=/tftpboot/boot/grub
@@ -69,44 +62,46 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
COPY mkisofs_wrapper /usr/bin/mkisofs
RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
RUN mkdir -p /tftpboot
RUN mkdir -p $GRUB_DIR
COPY scripts/ /bin/
COPY configure-nonroot.sh /bin/
RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/ironic-probe.sh /bin/rundatabase-upgrade /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/runonline-data-migrations /bin/configure-nonroot.sh
RUN mv /bin/ironic-probe.sh /bin/ironic-readiness
RUN cp /bin/ironic-readiness /bin/ironic-liveness
COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
/templates/
# No need to support the Legacy BIOS boot
#RUN cp /usr/share/syslinux/pxelinux.0 /tftpboot
#RUN cp /usr/share/syslinux/chain.c32 /tftpboot/
# IRONIC #
RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \
cp /usr/share/ipxe/snp-x86_64.efi /tftpboot/snponly.efi ;\
cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ]; then\
cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snponly.efi;\
#!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "aarch64" ]; then\
cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
fi
COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img
COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img
COPY --from=base /tmp/uefi_esp_*.img /templates/
COPY ironic.conf.j2 /etc/ironic/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
COPY network-data-schema-empty.json /etc/ironic/
COPY ironic-config/ironic.conf.j2 ironic-config/network-data-schema-empty.json /etc/ironic/
# DNSMASQ
COPY dnsmasq.conf.j2 /etc/
# Custom httpd config, removes all but the bare minimum needed modules
COPY httpd.conf.j2 /etc/httpd/conf/
COPY httpd-modules.conf /etc/httpd/conf.modules.d/
COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
# Workaround
# Removing the 010-ironic.conf file that comes with the package
RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
# Custom httpd config, removes all but the bare minimum needed modules
COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2
COPY ironic-config/apache2-ipxe.conf.j2 /templates/httpd-ipxe.conf.j2
# configure non-root user and set relevant permissions
RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh
RUN configure-nonroot.sh && \
rm -f /bin/configure-nonroot.sh

35
ironic-image/apache2-ipxe.conf.j2 Normal file
View File

@@ -0,0 +1,35 @@
Listen {{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IPXE_CERT_FILE }}
SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
<Directory "/shared/html">
Order Allow,Deny
Allow from all
</Directory>
<Directory "/shared/html/(redfish|ilo|images)/">
Order Deny,Allow
Deny from all
</Directory>
</VirtualHost>
<Location ~ "^/grub.*/">
SSLRequireSSL
</Location>
<Location ~ "^/pxelinux.cfg/">
SSLRequireSSL
</Location>
<Location ~ "^/.*\.conf/">
SSLRequireSSL
</Location>
<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
SSLRequireSSL
</Location>

27
ironic-image/apache2-vmedia.conf.j2 Normal file
View File

@@ -0,0 +1,27 @@
Listen {{ env.VMEDIA_TLS_PORT }}
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
<Directory "/shared">
AllowOverride None
Require all granted
</Directory>
<Directory "/shared/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<Location ~ "^/(redfish|ilo)/">
SSLRequireSSL
</Location>

59
ironic-image/auth-common.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
configure_client_basic_auth()
{
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${dest}" < "${auth_config_file}"
fi
}
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}
configure_ironic_auth()
{
local config=/etc/ironic/ironic.conf
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}

119
ironic-image/configure-ironic.sh Normal file
View File

@@ -0,0 +1,119 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
fi
# TODO(dtantsur): remove the explicit default once we get
# https://review.opendev.org/761185 in the repositories
NUMPROC="$(grep -c "^processor" /proc/cpuinfo)"
if [[ "$NUMPROC" -lt 4 ]]; then
NUMPROC=4
fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
# Whether cleaning disks before and after deployment
export IRONIC_AUTOMATED_CLEAN=${IRONIC_AUTOMATED_CLEAN:-true}
# Wheter to enable the sensor data collection
export SEND_SENSOR_DATA=${SEND_SENSOR_DATA:-false}
# Set of collectors that should be used with IPA inspection
export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
wait_for_interface_or_ip
# Hostname to use for the current conductor instance.
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
else
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
fi
fi
IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent-${DEPLOY_ARCHITECTURE}"
if [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
export IRONIC_DEFAULT_KERNEL="${IMAGE_CACHE_PREFIX}.kernel"
export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs"
fi
if [[ -f /etc/ironic/ironic.conf ]]; then
# Make a copy of the original supposed empty configuration file
cp /etc/ironic/ironic.conf /etc/ironic/ironic.conf_orig
fi
# oslo.config also supports Config Opts From Environment, log them to stdout
echo 'Options set from Environment variables'
env | grep "^OS_" || true
mkdir -p /shared/html
mkdir -p /shared/ironic_prometheus_exporter
configure_json_rpc_auth
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
configure_client_basic_auth ironic-rpc
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
export PROBE_CURL_ARGS
export PROBE_URL
PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness

57
ironic-image/configure-nonroot.sh Executable file → Normal file
View File

@@ -1,70 +1,53 @@
#!/usr/bin/bash
# This script changes permissions to allow Ironic container to run as non-root
# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
# and ironic-log-watch via BMO's ironic k8s manifest, it has
# to be configured to work with multiple different users and groups, while they
# share files via bind mounts (/shared, /certs/*), which can only get one
# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
# which we provide via "setcap", and "allowPrivilegeEscalation: true" in
# manifest.
set -eux
# user and group are from ironic rpms (uid 997, gid 994)
NONROOT_UID=10475
NONROOT_GID=10475
IRONIC_USER="ironic-suse"
IRONIC_GROUP="ironic-suse"
USER="ironic-suse"
groupadd -r -g ${NONROOT_GID} ${IRONIC_GROUP}
groupadd -r -g ${NONROOT_GID} ${USER}
useradd -r -g ${NONROOT_GID} \
-u ${NONROOT_UID} \
-d /var/lib/ironic \
-s /sbin/nologin \
${IRONIC_USER}
${USER}
# most containers mount /shared but dnsmasq can live without it
mkdir -p /shared
mkdir -p /data
mkdir -p /conf
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /data
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /conf
# create ironic's http_root directory
mkdir -p /shared/html
chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
# we'll bind mount shared ca and ironic certificate dirs here
# that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
chown "${NONROOT_UID}":"${NONROOT_GID}" /certs{,/ca}
chmod 2775 /certs{,/ca}
# apache2 permission changes
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/apache2
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
# ironic and httpd related changes
mkdir -p /etc/httpd/conf.d
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
#chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.modules.d/*
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic
chmod 2775 /var/lib/ironic
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
chmod 664 /var/lib/ironic/ironic.sqlite
# dnsmasq, and the capabilities required to run it as non-root user
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/dnsmasq.conf
#handled at chart level
#setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
chmod 2775 /var/lib/dnsmasq
touch /var/lib/dnsmasq/dnsmasq.leases
chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
# ca-certificates permission changes
touch /var/lib/ca-certificates/ca-bundle.pem.new
chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ca-certificates/
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
chmod -R +w /var/lib/ca-certificates/
# probes that are created before start
touch /bin/ironic-{readi,live}ness
chown root:"${IRONIC_GROUP}" /bin/ironic-{readi,live}ness
chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
chmod 775 /bin/ironic-{readi,live}ness

89
ironic-image/dnsmasq.conf.j2 Normal file
View File

@@ -0,0 +1,89 @@
interface={{ env.PROVISIONING_INTERFACE }}
bind-dynamic
enable-tftp
tftp-root=/shared/tftpboot
log-queries
# Configure listening for DNS (0 disables DNS)
port={{ env.DNS_PORT }}
{%- if env.DHCP_RANGE | length %}
log-dhcp
dhcp-range={{ env.DHCP_RANGE }}
# It can be used when setting DNS or GW variables.
{%- if env["GATEWAY_IP"] is undefined %}
# Disable default router(s)
dhcp-option=3
{% else %}
dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
{% endif %}
{%- if env["DNS_IP"] is undefined %}
# Disable DNS over provisioning network
dhcp-option=6
{% else %}
dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
{% endif %}
{%- if env.IPV == "4" or env.IPV is undefined %}
# IPv4 Configuration:
dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading
{%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
# iPXE with BIOS
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
{% else %}
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
{% endif %}
# Note: Need to test EFI booting
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
{%- if env.IPXE_TLS_SETUP == "true" %}
dhcp-boot=tag:efi,tag:ipxe,snponly.efi
{% endif %}
dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
dhcp-boot=/undionly.kpxe,{{ env.IRONIC_IP }}
{% endif %}
{% if env.IPV == "6" %}
# IPv6 Configuration:
enable-ra
ra-param={{ env.PROVISIONING_INTERFACE }},0,0
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE
dhcp-option=tag:pxe6,option6:bootfile-url,tftp://{{ env.IRONIC_URL_HOST }}/snponly.efi
dhcp-option=tag:ipxe6,option6:bootfile-url,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
# It can be used when setting DNS or GW variables.
{%- if env["GATEWAY_IP"] is undefined %}
# Disable default router(s)
dhcp-option=3
{% else %}
dhcp-option=3,{{ env["GATEWAY_IP"] }}
{% endif %}
{%- if env["DNS_IP"] is undefined %}
# Disable DNS over provisioning network
dhcp-option=6
{% else %}
dhcp-option=6,{{ env["DNS_IP"] }}
{% endif %}
{% endif %}
{% endif %}
{%- if env.DHCP_IGNORE | length %}
dhcp-ignore={{ env.DHCP_IGNORE }}
{% endif %}
{%- if env.DHCP_HOSTS | length %}
{%- for item in env.DHCP_HOSTS.split(";") %}
dhcp-host={{ item }}
{%- endfor %}
{% endif %}

38
ironic-image/ironic-config/httpd-ironic-api.conf.j2 → ironic-image/httpd-ironic-api.conf.j2
View File

@@ -12,36 +12,12 @@
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
Listen {{ env.IRONIC_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
{% if env.ENABLE_IPV4 %}
Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
{% endif %}
{% endif %}
DocumentRoot "/shared/html"
<Directory "/shared/html">
Require all denied
</Directory>
<Directory "/shared/html/images">
Require all granted
</Directory>
# Exclude /images from proxying
ProxyPass "/images" !
ProxyPassReverse "/images" !
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -65,12 +41,11 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
{% endif %}
<Location />
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
AuthName "Restricted area"
AuthUserFile {{ env.HTPASSWD_FILE }}
AuthUserFile "/etc/ironic/htpasswd"
Require valid-user
{% endif %}
</Location>
@@ -82,9 +57,4 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
<Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
Require all granted
</Location>
<Location ~ "^/images(/.*)?$">
Require all granted
</Location>
</VirtualHost>

4
ironic-image/ironic-config/httpd-modules.conf → ironic-image/httpd-modules.conf
View File

@@ -8,6 +8,8 @@ LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
LoadModule env_module /usr/lib64/apache2/mod_env.so
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
LoadModule proxy_ajp_module /usr/lib64/apache2/mod_proxy_ajp.so
LoadModule proxy_balancer_module /usr/lib64/apache2/mod_proxy_balancer.so
LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
LoadModule slotmem_shm_module /usr/lib64/apache2/mod_slotmem_shm.so
LoadModule headers_module /usr/lib64/apache2/mod_headers.so
@@ -15,4 +17,4 @@ LoadModule authn_core_module /usr/lib64/apache2/mod_authn_core.so
LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so
LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so
LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so
#LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so
LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so

47
ironic-image/ironic-config/httpd.conf.j2 → ironic-image/httpd.conf.j2
View File

@@ -1,16 +1,10 @@
ServerRoot {{ env.HTTPD_DIR }}
ServerRoot "/etc/httpd"
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.HTTP_PORT }}
Listen [::]:{{ env.HTTP_PORT }}
Listen {{ env.HTTP_PORT }}
{% else %}
{% if env.ENABLE_IPV4 %}
Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
{% endif %}
{% endif %}
Include /etc/httpd/conf.modules.d/*.conf
Include conf.modules.d/*.conf
User ironic-suse
Group ironic-suse
@@ -22,43 +16,18 @@ Group ironic-suse
DocumentRoot "/shared/html"
<Directory "/shared/html">
{%- if env.IPXE_TLS_SETUP | lower == "true" %}
Options Indexes FollowSymLinks
Require all denied
{%- else %}
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
{%- endif %}
</Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
{%- if env.IRONIC_VMEDIA_TLS_SETUP | lower == "true" %}
Require all denied
{%- else %}
Require all granted
{%- endif %}
</Directory>
{%- set serve_img = env.HTTPD_SERVE_NODE_IMAGES | lower %}
{%- set image_tls = env.IRONIC_TLS_SETUP | lower %}
{%- if env.HTTPD_SERVE_NODE_IMAGES | lower == "true" %}
<Directory "/shared/html/images">
Options Indexes FollowSymLinks
AllowOverride None
{%- if serve_img == "true" and image_tls != "true" %}
Require all granted
{%- else %}
Require all denied
{%- endif %}
<FilesMatch "^ironic.*">
{%- if env.IPXE_TLS_SETUP | lower == "true" %}
Require all denied
{%- else %}
Require all granted
{%- endif %}
</FilesMatch>
</Directory>
{% endif %}
<IfModule dir_module>
DirectoryIndex index.html
@@ -95,7 +64,7 @@ AddDefaultCharset UTF-8
MIMEMagicFile conf/magic
</IfModule>
PidFile {{ env.IRONIC_TMP_DATA_DIR }}/httpd.pid
PidFile /var/tmp/httpd.pid
# EnableSendfile directive could speed up deployments but it could also cause
# issues depending on the underlying file system, to learn more:

57
ironic-image/inspector-apache.conf.j2 Normal file
View File

@@ -0,0 +1,57 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
{% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
{% endif %}
{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/inspector.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/inspector.sock|http://127.0.0.1/"
{% else %}
ProxyPass "/" "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
{% endif %}
SetEnv APACHE_RUN_USER ironic-suse
SetEnv APACHE_RUN_GROUP ironic-suse
ErrorLog /dev/stdout
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine On
SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
{% if "INSPECTOR_HTPASSWD" in env and env.INSPECTOR_HTPASSWD | length %}
<Location / >
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/etc/ironic-inspector/htpasswd"
Require valid-user
</Location>
<Location ~ "^/(v1/?)?$" >
Require all granted
</Location>
<Location /v1/continue >
Require all granted
</Location>
{% endif %}
</VirtualHost>

10
ironic-image/inspector.ipxe.j2 Normal file
View File

@@ -0,0 +1,10 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot

0
ironic-image/ironic-config/ipxe_config.template → ironic-image/ipxe_config.template
View File

107
ironic-image/ironic-common.sh Normal file
View File

@@ -0,0 +1,107 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_IP="${IRONIC_IP:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface="provisioning"
if [[ -n "${PROVISIONING_IP}" ]]; then
if ip -br addr show | grep -qi " ${PROVISIONING_IP}/"; then
interface="$(ip -br addr show | grep -i " ${PROVISIONING_IP}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
fi
fi
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -qi "$mac"; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become available on an interface, otherwise we look at $PROVISIONING_INTERFACE for an IP
if [[ -n "$PROVISIONING_IP" ]]; then
# Convert the address using ipcalc which strips out the subnet. For IPv6 addresses, this will give the short-form address
IRONIC_IP="$(ipcalc "${PROVISIONING_IP}" | grep "^Address:" | awk '{print $2}')"
export IRONIC_IP
until grep -F " ${IRONIC_IP}/" <(ip -br addr show); do
echo "Waiting for ${IRONIC_IP} to be configured on an interface"
sleep 1
done
else
until [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured"
IRONIC_IP="$(ip -br add show scope global up dev "${PROVISIONING_INTERFACE}" | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
export IRONIC_IP
sleep 1
done
fi
# If the IP contains a colon, then it's an IPv6 address, and the HTTP
# host needs surrounding with brackets
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IPV=6
export IRONIC_URL_HOST="[$IRONIC_IP]"
else
export IPV=4
export IRONIC_URL_HOST="$IRONIC_IP"
fi
}
render_j2_config()
{
ls $1 # DEBUG
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
ls $2 # DEBUG
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB:-true}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just create
# the schema in one go if not already created, instead of going through an upgrade
DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}

27
ironic-image/ironic-config/apache2-ipxe.conf.j2
View File

@@ -1,27 +0,0 @@
Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
Listen [::]:{{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IPXE_CERT_FILE }}
SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
DocumentRoot "/shared/html"
<Directory "/shared/html">
Options Indexes FollowSymLinks
Require all granted
</Directory>
<Directory ~ "/shared/html/(redfish|ilo|images)/">
Require all denied
</Directory>
<Location ~ "^/.*">
SSLRequireSSL
</Location>
</VirtualHost>

39
ironic-image/ironic-config/apache2-vmedia.conf.j2
View File

@@ -1,39 +0,0 @@
Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
Listen [::]:{{ env.VMEDIA_TLS_PORT }}
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
{% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
{% endif %}
{% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
SSLHonorCipherOrder on
{% endif %}
<Directory ~ "/shared/html">
Require all denied
</Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
Require all granted
</Directory>
<Location ~ "^/.*">
SSLRequireSSL
</Location>
</VirtualHost>

74
ironic-image/ironic-config/dnsmasq.conf.j2
View File

@@ -1,74 +0,0 @@
interface={{ env.PROVISIONING_INTERFACE }}
bind-dynamic
enable-tftp
tftp-root=/shared/tftpboot
log-queries
dhcp-leasefile=/data/dnsmasq/dnsmasq.leases
# Configure listening for DNS (0 disables DNS)
port={{ env.DNS_PORT }}
{%- if env.DHCP_RANGE | length %}
log-dhcp
dhcp-range={{ env.DHCP_RANGE }}
{% endif %}
{%- if env["DNS_IP"] is undefined %}
# Disable DNS over provisioning network
dhcp-option=6
{% else %}
dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
{% endif %}
{# Network boot options for IPv4 and IPv6 #}
{%- if env.IPV == "4" or env.IPV is undefined %}
# IPv4 Configuration:
dhcp-match=ipxe,175
{# Set the router or disable it. Setting router is IPv4 specific, in v6 there #}
{# are router advertisements that do the same thing. #}
{%- if env["GATEWAY_IP"] is undefined %}
# Disable default router(s)
dhcp-option=3
{% else %}
dhcp-option=option:router,{{ env["GATEWAY_IP"] }}
{% endif %}
# Note: Need to test EFI booting
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# Client is (i)PXE booting on EFI machine
dhcp-boot=tag:efi,/snponly.efi,{{ env.IRONIC_IP }}
# Client is running (i)PXE on BIOS machine
dhcp-boot=tag:!efi,/undionly.kpxe,{{ env.IRONIC_IP }}
{%- if env.IPXE_TLS_SETUP != "true" %}
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
{% endif %}
{% endif %}
{% if env.IPV == "6" %}
# IPv6 Configuration:
enable-ra
ra-param={{ env.PROVISIONING_INTERFACE }},0,0
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE
# Client is (i)PXE booting on EFI machine
dhcp-option=tag:efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/snponly.efi
# Client is running (i)PXE on BIOS machine
dhcp-option=tag:!efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/undionly.kpxe
{%- if env.IPXE_TLS_SETUP != "true" %}
dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
{% endif %}
{% endif %}
{%- if env.DHCP_IGNORE | length %}
dhcp-ignore={{ env.DHCP_IGNORE }}
{% endif %}
{%- if env.DHCP_HOSTS | length %}
{%- for item in env.DHCP_HOSTS.split(";") %}
dhcp-host={{ item }}
{%- endfor %}
{% endif %}

10
ironic-image/ironic-config/inspector.ipxe.j2
View File

@@ -1,10 +0,0 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot

68
ironic-image/ironic-inspector.conf.j2 Normal file
View File

@@ -0,0 +1,68 @@
[DEFAULT]
auth_strategy = noauth
debug = true
transport_url = fake://
use_stderr = true
{% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %}
{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
listen_unix_socket = /shared/inspector.sock
# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
# another container, we need to make it world-writeable.
listen_unix_socket_mode = 0666
{% else %}
listen_port = {{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}
listen_address = 127.0.0.1
{% endif %}
{% elif env.LISTEN_ALL_INTERFACES | lower == "true" %}
listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
listen_address = ::
{% else %}
listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
listen_address = {{ env.IRONIC_IP }}
{% endif %}
host = {{ env.IRONIC_IP }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
use_ssl = true
{% endif %}
[database]
connection = sqlite:////var/lib/ironic-inspector/ironic-inspector.db
{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
[discovery]
enroll_node_driver = ipmi
{% endif %}
[ironic]
auth_type = none
endpoint_override = {{ env.IRONIC_BASE_URL }}
{% if env.IRONIC_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_CACERT_FILE }}
insecure = {{ env.IRONIC_INSECURE }}
{% endif %}
[processing]
add_ports = all
always_store_ramdisk_logs = true
keep_ports = present
{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
node_not_found_hook = enroll
{% endif %}
permit_active_introspection = true
power_off = false
processing_hooks = $default_processing_hooks,lldp_basic
ramdisk_logs_dir = /shared/log/ironic-inspector/ramdisk
store_data = database
[pxe_filter]
driver = noop
[service_catalog]
auth_type = none
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
[ssl]
cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }}
key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }}
{% endif %}

9
ironic-image/ironic-probe.j2 Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
set -eu -o pipefail
curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
# to make sure the conductor is ready. This requires having access to secrets
# since these endpoints are authenticated.

109
ironic-image/ironic-config/ironic.conf.j2 → ironic-image/ironic.conf.j2
View File

@@ -4,19 +4,19 @@ debug = true
default_deploy_interface = direct
default_inspect_interface = agent
default_network_interface = noop
enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc
enabled_boot_interfaces = ipxe,pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,redfish-https
enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
enabled_firmware_interfaces = no-firmware,fake,redfish
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management
enabled_inspect_interfaces = agent,irmc,fake,redfish
enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,noop
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_network_interfaces = noop
enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish
enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,fake
enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
@@ -25,13 +25,7 @@ rpc_transport = none
use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
{% if env.ENABLE_IPV4 %}
my_ip = {{ env.IRONIC_IP }}
{% endif %}
{% if env.ENABLE_IPV6 %}
my_ipv6 = {{ env.IRONIC_IPV6 }}
{% endif %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
# If a path to a certificate is defined, use that first for webserver
@@ -47,10 +41,6 @@ isolinux_bin = /usr/share/syslinux/isolinux.bin
# the ESP provided in [conductor]bootloader.
grub_config_path = EFI/BOOT/grub.cfg
# NOTE(hroyrh): updating the default temp directory to fix device cross links
# errors when hard linking
tempdir = /shared/tmp
[agent]
deploy_logs_collect = always
deploy_logs_local_path = /shared/log/ironic/deploy
@@ -59,7 +49,6 @@ deploy_logs_local_path = /shared/log/ironic/deploy
# retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30
certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
[api]
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
@@ -74,7 +63,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %}
host_ip = {{ env.IRONIC_HOST_IP }}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
port = {{ env.IRONIC_LISTEN_PORT }}
{% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true
@@ -89,40 +78,33 @@ network_data_schema = /etc/ironic/network-data-schema-empty.json
automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
# NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
deploy_callback_timeout = 4800
bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# NOTE(TheJulia): Do not lower this value below 120 seconds.
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
# Provide for a timeout longer than 60 seconds for certain vendor's hardware
power_state_change_timeout = 120
{% if env.DEPLOY_KERNEL_URL is defined %}
deploy_kernel = {{ env.DEPLOY_KERNEL_URL }}
{% if env.IRONIC_DEFAULT_KERNEL is defined %}
deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }}
{% endif %}
{% if env.DEPLOY_KERNEL_BY_ARCH is defined %}
deploy_kernel_by_arch = {{ env.DEPLOY_KERNEL_BY_ARCH }}
{% if env.IRONIC_DEFAULT_RAMDISK is defined %}
deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
{% endif %}
{% if env.DEPLOY_RAMDISK_URL is defined %}
deploy_ramdisk = {{ env.DEPLOY_RAMDISK_URL }}
{% endif %}
{% if env.DEPLOY_RAMDISK_BY_ARCH is defined %}
deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
{% endif %}
{% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
disable_deep_image_inspection = True
{% endif %}
# Allowed path for file:// links: ipa-downloader uses /shared/html/images,
# while the bootloader configuration above refers to /templates.
file_url_allowed_paths = /shared/html/images,/templates
[database]
{% if env.IRONIC_USE_MARIADB | lower == "true" %}
connection = {{ env.MARIADB_CONNECTION }}
{% else %}
connection = {{ env.LOCAL_DB_URI }}
{% if env.IRONIC_USE_MARIADB | lower == "false" %}
connection = sqlite:////var/lib/ironic/ironic.sqlite
# Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time.
sqlite_synchronous = False
{% else %}
connection = {{ env.MARIADB_CONNECTION }}
{% endif %}
[deploy]
@@ -130,16 +112,15 @@ default_boot_option = local
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
http_url = {{ env.IRONIC_BOOT_BASE_URL }}
fast_track = {{ env.IRONIC_FAST_TRACK }}
iso_master_path = /shared/html/master_iso_images
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %}
{% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.VMEDIA_TLS_PORT %}
external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }}
{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
{% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
@@ -194,9 +175,8 @@ cipher_suite_versions = 3,17
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = http_basic
http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
host_ip = {{ env.IRONIC_HOST_IP }}
port = {{ env.IRONIC_JSON_RPC_PORT }}
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -207,26 +187,11 @@ insecure = {{ env.IRONIC_INSECURE }}
[nova]
send_power_notifications = false
# Sections (oslo_messaging_notifications, sensor_data, metrics) required for sensor data collection using ironic-prometheus-exporter (IPE):
{% if env.SEND_SENSOR_DATA | lower == "true" %}
[oslo_messaging_notifications]
driver = prometheus_exporter
location = /shared/ironic_prometheus_exporter
transport_url = fake://
[sensor_data]
send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# NOTE(TheJulia): Do not lower this value below 120 seconds.
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
interval = 160
# Additional sensor_data options can be configured via OS_ environment variables:
# https://docs.openstack.org/ironic/latest/configuration/config.html#sensor-data
[metrics]
backend = collector
{% endif %}
[pxe]
# NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -244,22 +209,19 @@ enable_netboot_fallback = true
# Enable the fallback path to in-band inspection
ipxe_fallback_script = inspector.ipxe
{% if env.IPXE_TLS_SETUP | lower == "true" %}
ipxe_config_template = /templates/ipxe_config.template
ipxe_config_template = /tmp/ipxe_config.template
{% endif %}
[redfish]
use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
{% if env.BMC_TLS_ENABLED == "true" %}
# idrac uses the same options as the redfish driver
verify_ca = {{ env.BMC_CACERT_FILE }}
{% endif %}
[ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
use_web_server_for_images = true
[irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
{% if env.BMC_TLS_ENABLED == "true" %}
verify_ca = {{ env.BMC_CACERT_FILE }}
{% endif %}
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}
@@ -269,8 +231,3 @@ endpoint_override = {{ env.IRONIC_BASE_URL }}
cert_file = {{ env.IRONIC_CERT_FILE }}
key_file = {{ env.IRONIC_KEY_FILE }}
{% endif %}
[oci]
{% if env.IRONIC_OCI_AUTH_CONFIG is defined %}
authentication_config = {{ env.IRONIC_OCI_AUTH_CONFIG }}
{% endif %}

0
ironic-image/ironic-config/network-data-schema-empty.json → ironic-image/network-data-schema-empty.json
View File

2
ironic-image/prepare-efi.sh
View File

@@ -9,7 +9,7 @@ declare -A efi_arch=(
for arch in "${!efi_arch[@]}"; do
DEST=/tmp/uefi_esp_${arch}.img
DEST=/tmp/esp-${arch}.img
dd bs=1024 count=6400 if=/dev/zero of=$DEST
mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST

17
ironic-image/scripts/rundnsmasq → ironic-image/rundnsmasq Executable file → Normal file
View File

@@ -7,16 +7,13 @@ set -eux
# shellcheck disable=SC1091
. /bin/tls-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
export DNS_PORT=${DNS_PORT:-0}
wait_for_interface_or_ip
if [[ "${DNS_IP:-}" == "provisioning" ]]; then
if [[ "${IPV}" == "4" ]]; then
export DNS_IP="${IRONIC_IP}"
else
export DNS_IP="[${IRONIC_IP}]"
fi
export DNS_IP="$IRONIC_URL_HOST"
fi
mkdir -p /shared/tftpboot
@@ -35,12 +32,12 @@ fi
# Template and write dnsmasq.conf
# we template via /tmp as sed otherwise creates temp files in /etc directory
# where we can't write
python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/templates/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' </etc/dnsmasq.conf.j2 >/tmp/dnsmasq.conf
for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
sed -i -e "/^interface=.*/ a\except-interface=${iface}" /tmp/dnsmasq.conf
done
cat "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf" > "${DNSMASQ_CONF_DIR}/dnsmasq.conf"
rm "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
cat /tmp/dnsmasq.conf > /etc/dnsmasq.conf
rm /tmp/dnsmasq.conf
exec /usr/sbin/dnsmasq -d -q -C "${DNSMASQ_CONF_DIR}/dnsmasq.conf"
exec /usr/sbin/dnsmasq -d -q -C /etc/dnsmasq.conf

41
ironic-image/scripts/runhttpd → ironic-image/runhttpd Executable file → Normal file
View File

@@ -5,6 +5,7 @@
. /bin/ironic-common.sh
. /bin/auth-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
@@ -27,28 +28,25 @@ wait_for_interface_or_ip
mkdir -p /shared/html
chmod 0777 /shared/html
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}/v1/continue_inspection"
IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}"
INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
fi
export INSPECTOR_EXTRA_ARGS
# Copy files to shared mount
render_j2_config /templates/inspector.ipxe.j2 /shared/html/inspector.ipxe
# cp -r /etc/httpd/* "${HTTPD_DIR}"
if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
fi
render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
cp /tmp/uefi_esp*.img /shared/html/
# Render the core httpd config
render_j2_config "/etc/httpd/conf/httpd.conf.j2" \
"${HTTPD_CONF_DIR}/httpd.conf"
render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config "/templates/httpd-ironic-api.conf.j2" \
"${HTTPD_CONF_DIR_D}/ironic.conf"
render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
fi
else
export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
@@ -58,24 +56,33 @@ write_htpasswd_files
# Render httpd TLS configuration for /shared/html/<redifsh;ilo>
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
render_j2_config "/templates/httpd-vmedia.conf.j2" \
"${HTTPD_CONF_DIR_D}/vmedia.conf"
render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
fi
# Render httpd TLS configuration for /shared/html
if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
mkdir -p /shared/html/custom-ipxe
chmod 0777 /shared/html/custom-ipxe
render_j2_config "/templates/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/html/custom-ipxe"
fi
# Set up inotify to kill the container (restart) whenever cert files for ironic api change
configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" httpd "${IRONIC_CERT_FILE}"
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
fi
# Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/<redifsh;ilo> path change
configure_restart_on_certificate_update "${IRONIC_VMEDIA_TLS_SETUP}" httpd "${IRONIC_VMEDIA_CERT_FILE}"
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
fi
exec /usr/sbin/httpd -DFOREGROUND -f "${HTTPD_CONF_DIR}/httpd.conf"
exec /usr/sbin/httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf

23
ironic-image/runironic Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/bash
# This setting must go before configure-ironic since it has different defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
run_ironic_dbsync
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
configure_ironic_auth
exec /usr/bin/ironic

13
ironic-image/runironic-api Normal file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/bash
export IRONIC_DEPLOYMENT="API"
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
export IRONIC_REVERSE_PROXY_SETUP=false
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
# shellcheck disable=SC1091
. /bin/runhttpd

20
ironic-image/runironic-conductor Normal file
View File

@@ -0,0 +1,20 @@
#!/usr/bin/bash
export IRONIC_DEPLOYMENT="Conductor"
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
run_ironic_dbsync
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
exec /usr/bin/ironic-conductor

12
ironic-image/runironic-exporter Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/bash
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
export IRONIC_CONFIG="/etc/ironic/ironic.conf"
exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
ironic_prometheus_exporter.app.wsgi:application

62
ironic-image/runironic-inspector Normal file
View File

@@ -0,0 +1,62 @@
#!/usr/bin/bash
set -euxo pipefail
CONFIG=/etc/ironic-inspector/ironic-inspector.conf
export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
exit 1
fi
wait_for_interface_or_ip
IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]] && [[ "${IRONIC_INSPECTOR_PRIVATE_PORT}" != "unix" ]]; then
IRONIC_INSPECTOR_PORT=$IRONIC_INSPECTOR_PRIVATE_PORT
fi
else
export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi
export IRONIC_INSPECTOR_BASE_URL="${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_PORT}"
export IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"
build_j2_config()
{
local CONFIG_FILE="$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
}
# Merge with the original configuration file from the package.
build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
configure_inspector_auth
configure_client_basic_auth ironic "${CONFIG}"
ironic-inspector-dbsync --config-file "${CONFIG}" upgrade
if [[ "$INSPECTOR_REVERSE_PROXY_SETUP" == "false" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
# shellcheck disable=SC2086
exec /usr/bin/ironic-inspector

19
ironic-image/runlogwatch.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIR="/shared/log/ironic/deploy"
# The ironic container creates the directory, wait for
# it to exist before running inotifywait or it can fail causing
# a spurious restart
while [ ! -d "${LOG_DIR}" ]; do
echo "Waiting for ${LOG_DIR}"
sleep 5
done
inotifywait -m "${LOG_DIR}" -e close_write |
while read -r path _action file; do
echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
rm -f "${path}/${file}"
done

101
ironic-image/scripts/auth-common.sh
View File

@@ -1,101 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# CUSTOM_CONFIG_DIR is also managed in the ironic-common.sh, in order to
# keep auth-common and ironic-common separate (to stay consistent with the
# architecture) part of the ironic-common logic had to be duplicated
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export IRONIC_RPC_HTPASSWD_FILE="${IRONIC_HTPASSWD_FILE}-rpc"
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
if [[ -f "/auth/ironic-rpc/htpasswd" ]]; then
IRONIC_RPC_HTPASSWD=$(</auth/ironic-rpc/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_RPC_HTPASSWD=${IRONIC_RPC_HTPASSWD:-${IRONIC_HTPASSWD}}
if [[ -n "${MARIADB_PASSWORD:-}" ]]; then
echo "WARNING: passing MARIADB_PASSWORD is deprecated, mount a secret under /auth/mariadb instead"
elif [[ -f /auth/mariadb/password ]]; then
MARIADB_PASSWORD=$(</auth/mariadb/password)
fi
if [[ -z "${MARIADB_USER:-}" ]] && [[ -f /auth/mariadb/username ]]; then
MARIADB_USER=$(</auth/mariadb/username)
fi
IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
if [[ -z "${IRONIC_OCI_AUTH_CONFIG:-}" ]] && [[ -f "/auth/oci.json" ]]; then
export IRONIC_OCI_AUTH_CONFIG="/auth/oci.json"
fi
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then
return
fi
local auth_config_file="/auth/ironic-rpc/auth-config"
local username_file="/auth/ironic-rpc/username"
local password_file="/auth/ironic-rpc/password"
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
crudini --set "${IRONIC_CONFIG}" json_rpc username "$(<${username_file})"
set +x
crudini --set "${IRONIC_CONFIG}" json_rpc password "$(<${password_file})"
set -x
elif [[ -f "${auth_config_file}" ]]; then
echo "WARNING: using auth-config is deprecated, mount a secret directly"
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${IRONIC_CONFIG}" < "${auth_config_file}"
else
echo "FATAL: no client-side credentials provided for JSON RPC"
echo "HINT: mount a secret with username and password fields under /auth/ironic-rpc"
exit 1
fi
if [[ -z "${IRONIC_RPC_HTPASSWD}" ]]; then
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
htpasswd -c -i -B "${IRONIC_RPC_HTPASSWD_FILE}" "$(<${username_file})" <"${password_file}"
else
echo "FATAL: enabling JSON RPC requires authentication"
echo "HINT: mount a secret with either username and password or htpasswd under /auth/ironic-rpc"
exit 1
fi
else
printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > "${IRONIC_RPC_HTPASSWD_FILE}"
fi
}
configure_ironic_auth()
{
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${IRONIC_CONFIG}" DEFAULT auth_strategy http_basic
crudini --set "${IRONIC_CONFIG}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}

153
ironic-image/scripts/configure-ironic.sh
View File

@@ -1,153 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
export VMEDIA_TLS_PORT="${VMEDIA_TLS_PORT:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
if [[ "${IRONIC_USE_MARIADB}" == true ]]; then
if [[ -z "${MARIADB_PASSWORD:-}" ]]; then
echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb"
exit 1
fi
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
fi
# zero makes it do cpu number detection on Ironic side
export NUMWORKERS=${NUMWORKERS:-0}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
# Whether cleaning disks before and after deployment
export IRONIC_AUTOMATED_CLEAN=${IRONIC_AUTOMATED_CLEAN:-true}
# Wheter to enable the sensor data collection
export SEND_SENSOR_DATA=${SEND_SENSOR_DATA:-false}
# Set of collectors that should be used with IPA inspection
export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
wait_for_interface_or_ip
if [[ "$(echo "$LISTEN_ALL_INTERFACES" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
export IRONIC_HOST_IP="::"
elif [[ -n "${ENABLE_IPV6}" ]]; then
export IRONIC_HOST_IP="$IRONIC_IPV6"
else
export IRONIC_HOST_IP="$IRONIC_IP"
fi
if [[ "${VMEDIA_TLS_PORT}" ]]; then
export IRONIC_HTTPS_VMEDIA_URL="https://${IRONIC_URL_HOST}:${VMEDIA_TLS_PORT}"
fi
# Hostname to use for the current conductor instance.
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
else
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
fi
fi
IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent"
if [[ -z "${DEPLOY_KERNEL_URL:-}" ]] && [[ -z "${DEPLOY_RAMDISK_URL:-}" ]] && \
[[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
export DEPLOY_KERNEL_URL="file://${IMAGE_CACHE_PREFIX}.kernel"
export DEPLOY_RAMDISK_URL="file://${IMAGE_CACHE_PREFIX}.initramfs"
fi
declare -A detected_arch
for var_arch in "${!DEPLOY_KERNEL_URL_@}"; do
IPA_ARCH="${var_arch#DEPLOY_KERNEL_URL}"
detected_arch["${IPA_ARCH,,}"]=1
done
for file_arch in "${IMAGE_CACHE_PREFIX}"_*.kernel; do
if [[ -f "${file_arch}" ]]; then
IPA_ARCH="$(basename "${file_arch#"${IMAGE_CACHE_PREFIX}"_}" .kernel)"
detected_arch["${IPA_ARCH}"]=1
fi
done
DEPLOY_KERNEL_BY_ARCH=""
DEPLOY_RAMDISK_BY_ARCH=""
for IPA_ARCH in "${!detected_arch[@]}"; do
kernel_var="DEPLOY_KERNEL_URL_${IPA_ARCH^^}"
ramdisk_var="DEPLOY_RAMDISK_URL_${IPA_ARCH^^}"
if [[ -z "${!kernel_var:-}" ]] && [[ -z "${!ramdisk_var:-}" ]] && \
[[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs" ]]; then
export "${kernel_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel"
export "${ramdisk_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs"
fi
DEPLOY_KERNEL_BY_ARCH+="${!kernel_var:+${IPA_ARCH}:${!kernel_var},}"
DEPLOY_RAMDISK_BY_ARCH+="${!ramdisk_var:+${IPA_ARCH}:${!ramdisk_var},}"
done
if [[ -n "${DEPLOY_KERNEL_BY_ARCH}" ]] && [[ -n "${DEPLOY_RAMDISK_BY_ARCH}" ]]; then
export DEPLOY_KERNEL_BY_ARCH="${DEPLOY_KERNEL_BY_ARCH%?}"
export DEPLOY_RAMDISK_BY_ARCH="${DEPLOY_RAMDISK_BY_ARCH%?}"
fi
if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then
# Make a copy of the original supposed empty configuration file
cp "${IRONIC_CONF_DIR}/ironic.conf" "${IRONIC_CONF_DIR}/ironic.conf.orig"
fi
BOOTLOADER_BY_ARCH=""
for bootloader in /templates/uefi_esp_*.img; do
BOOTLOADER_ARCH="$(basename "${bootloader#/templates/uefi_esp_}" .img)"
BOOTLOADER_BY_ARCH+="${BOOTLOADER_ARCH}:file://${bootloader},"
done
export BOOTLOADER_BY_ARCH="${BOOTLOADER_BY_ARCH%?}"
# oslo.config also supports Config Opts From Environment, log them to stdout
echo 'Options set from Environment variables'
env | grep "^OS_" || true
mkdir -p /shared/html
mkdir -p /shared/tmp
mkdir -p /shared/ironic_prometheus_exporter
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config "/etc/ironic/ironic.conf.j2" \
"${IRONIC_CONF_DIR}/ironic.conf"
configure_json_rpc_auth
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-}"
if [[ -n "$IRONIC_IPV6" ]]; then
export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}"
fi
if [[ -n "$IRONIC_IP" ]]; then
export NO_PROXY="${NO_PROXY},${IRONIC_IP}"
fi

300
ironic-image/scripts/ironic-common.sh
View File

@@ -1,300 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
# e.g. dnsmasq configuration
export IRONIC_IP="${IRONIC_IP:-}"
IRONIC_IPV6="${IRONIC_IPV6:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IRONIC_URL_HOSTNAME="${IRONIC_URL_HOSTNAME:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
CUSTOM_DATA_DIR="${CUSTOM_DATA_DIR:-/data}"
export DNSMASQ_CONF_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export DNSMASQ_DATA_DIR="${CUSTOM_DATA_DIR}/dnsmasq"
export DNSMASQ_TEMP_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export HTTPD_DIR="${CUSTOM_CONFIG_DIR}/httpd"
export HTTPD_CONF_DIR="${HTTPD_DIR}/conf"
export HTTPD_CONF_DIR_D="${HTTPD_DIR}/conf.d"
export IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
export IRONIC_DB_DIR="${CUSTOM_DATA_DIR}/db"
export IRONIC_GEN_CERT_DIR="${CUSTOM_DATA_DIR}/auto_gen_certs"
export IRONIC_TMP_DATA_DIR="${CUSTOM_DATA_DIR}/tmp"
export PROBE_CONF_DIR="${CUSTOM_CONFIG_DIR}/probes"
export HTTP_PORT=${HTTP_PORT:-80}
# NOTE(elfosardo): the default port for json_rpc in ironic is 8089, but
# we need to use a different port to avoid conflicts with other services
export IRONIC_JSON_RPC_PORT=${IRONIC_JSON_RPC_PORT:-6189}
mkdir -p "${IRONIC_CONF_DIR}" "${PROBE_CONF_DIR}" "${HTTPD_CONF_DIR}" \
"${HTTPD_CONF_DIR_D}" "${DNSMASQ_CONF_DIR}" "${DNSMASQ_TEMP_DIR}" \
"${IRONIC_DB_DIR}" "${IRONIC_GEN_CERT_DIR}" "${DNSMASQ_DATA_DIR}" \
"${IRONIC_TMP_DATA_DIR}"
export HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export LOCAL_DB_URI="sqlite:///${IRONIC_DB_DIR}/ironic.sqlite"
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
get_ip_of_hostname()
{
if [[ "$#" -ne 2 ]]; then
echo "${FUNCNAME}: two parameters required, $# provided" >&2
return 1
fi
case $2 in
4)
QUERY="a";;
6)
QUERY="aaaa";;
*)
echo "${FUNCNAME}: the second parameter should be [a|aaaa] for A and AAAA records"
return 1;;
esac
local HOSTNAME=$1
echo $(nslookup -type=${QUERY} "${HOSTNAME}" | tail -n2 | grep -w "Address:" | cut -d " " -f2)
}
get_interface_of_ip()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IP_ADDR=$1
# Convert the address using ipcalc which strips out the subnet.
# For IPv6 addresses, this will give the short-form address
IP_ADDR="$(ipcalc "${IP_ADDR}" | grep "^Address:" | awk '{print $2}')"
echo $(ip ${IP_VERS} -br addr show scope global | grep -i " ${IP_ADDR}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')
}
get_ip_of_interface()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IFACE=$1
echo $(ip ${IP_VERS} -br addr show scope global up dev ${IFACE} | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)
}
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface=""
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -i "$mac" &>/dev/null; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become
# available on an interface, otherwise we look at $PROVISIONING_INTERFACE
# for an IP
if [[ -n "${PROVISIONING_IP}" ]]; then
local IFACE_OF_IP=""
until [[ -n "$IFACE_OF_IP" ]]; do
echo "Waiting for ${PROVISIONING_IP} to be configured on an interface..."
IFACE_OF_IP="$(get_interface_of_ip "${PROVISIONING_IP}")"
sleep 1
done
echo "Found $PROVISIONING_IP on interface \"${IFACE_OF_IP}\"!"
export PROVISIONING_INTERFACE="$IFACE_OF_IP"
# If the IP contains a colon, then it's an IPv6 address
if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$PROVISIONING_IP"
export IRONIC_IP=""
else
export IRONIC_IP="$PROVISIONING_IP"
fi
elif [[ -n "${IRONIC_IP}" ]]; then
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$IRONIC_IP"
export IRONIC_IP=""
fi
elif [[ -n "${PROVISIONING_INTERFACE}" ]]; then
until [[ -n "$IRONIC_IPV6" ]] || [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured..."
IRONIC_IPV6="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 6)"
sleep 1
IRONIC_IP="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 4)"
sleep 1
done
if [[ -n "$IRONIC_IPV6" ]]; then
echo "Found $IRONIC_IPV6 on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IPV6
fi
if [[ -n "$IRONIC_IP" ]]; then
echo "Found $IRONIC_IP on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IP
fi
elif [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
local IPV6_IFACE=""
local IPV4_IFACE=""
# we should get at least one IP address
until [[ -n "$IPV6_IFACE" ]] || [[ -n "$IPV4_IFACE" ]]; do
local IPV6_RECORD=""
local IPV4_RECORD=""
IPV6_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 6)"
IPV4_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 4)"
# We couldn't get any IP
if [[ -z "$IPV4_RECORD" ]] && [[ -z "$IPV6_RECORD" ]]; then
echo "${FUNCNAME}: no valid IP found for hostname ${IRONIC_URL_HOSTNAME}" >&2
return 1
fi
echo "Waiting for ${IPV6_RECORD} to be configured on an interface"
IPV6_IFACE="$(get_interface_of_ip "${IPV6_RECORD}" 6)"
sleep 1
echo "Waiting for ${IPV4_RECORD} to be configured on an interface"
IPV4_IFACE="$(get_interface_of_ip "${IPV4_RECORD}" 4)"
sleep 1
done
# Add some debugging output
if [[ -n "$IPV6_IFACE" ]]; then
echo "Found $IPV6_RECORD on interface \"${IPV6_IFACE}\"!"
export IRONIC_IPV6="$IPV6_RECORD"
fi
if [[ -n "$IPV4_IFACE" ]]; then
echo "Found $IPV4_RECORD on interface \"${IPV4_IFACE}\"!"
export IRONIC_IP="$IPV4_RECORD"
fi
# Make sure both IPs are asigned to the same interface
if [[ -n "$IPV6_IFACE" ]] && [[ -n "$IPV4_IFACE" ]] && [[ "$IPV6_IFACE" != "$IPV4_IFACE" ]]; then
echo "Warning, the IPv4 and IPv6 addresses from \"${HOSTNAME}\" are assigned to different " \
"interfaces (\"${IPV6_IFACE}\" and \"${IPV4_IFACE}\")" >&2
fi
else
echo "Cannot determine an interface or an IP for binding and creating URLs"
return 1
fi
# Define the URLs based on the what we have found,
# prioritize IPv6 for IRONIC_URL_HOST
if [[ -n "$IRONIC_IP" ]]; then
export ENABLE_IPV4=yes
export IRONIC_URL_HOST="$IRONIC_IP"
fi
if [[ -n "$IRONIC_IPV6" ]]; then
export ENABLE_IPV6=yes
export IRONIC_URL_HOST="[${IRONIC_IPV6}]" # The HTTP host needs surrounding with brackets
fi
# Once determined if we have IPv4 and/or IPv6, override the hostname if provided
if [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
IRONIC_URL_HOST=$IRONIC_URL_HOSTNAME
fi
# Avoid having to construct full URL multiple times while allowing
# the override of IRONIC_HTTP_URL for environments in which IRONIC_IP
# is unreachable from hosts being provisioned.
export IRONIC_HTTP_URL="${IRONIC_HTTP_URL:-http://${IRONIC_URL_HOST}:${HTTP_PORT}}"
export IRONIC_TFTP_URL="${IRONIC_TFTP_URL:-tftp://${IRONIC_URL_HOST}}"
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
}
render_j2_config()
{
python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just
# create the schema in one go if not already created, instead of going
# through an upgrade
cp "/var/lib/ironic/ironic.sqlite" "${IRONIC_DB_DIR}/ironic.sqlite"
DB_VERSION="$(ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}

23
ironic-image/scripts/ironic-probe.sh
View File

@@ -1,23 +0,0 @@
#!/bin/bash
set -eu -o pipefail
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
# shellcheck disable=SC2086
curl -sSf ${PROBE_CURL_ARGS} "${PROBE_URL}"

10
ironic-image/scripts/rundatabase-upgrade
View File

@@ -1,10 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# NOTE(dtantsur): no retries here: this script is supposed to be run as a Job
# that is retried on failure.
exec ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade

27
ironic-image/scripts/runironic
View File

@@ -1,27 +0,0 @@
#!/usr/bin/bash
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
# Allows skipping dbsync if it's done by an external job
if [[ "${IRONIC_SKIP_DBSYNC:-false}" != true ]]; then
run_ironic_dbsync
fi
configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" ironic "${IRONIC_CERT_FILE}"
configure_ironic_auth
if [[ -d "${BMC_CACERTS_PATH}" ]]; then
# shellcheck disable=SC2034
watchmedo shell-command \
--patterns="*" \
--ignore-directories \
--command='cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"' \
"${BMC_CACERTS_PATH}" &
fi
exec /usr/bin/ironic --config-dir "${IRONIC_CONF_DIR}"

20
ironic-image/scripts/runironic-exporter
View File

@@ -1,20 +0,0 @@
#!/usr/bin/bash
# Set dummy provisioning IP to avoid interface detection issues (not needed to run IPE to service `/metrics`)
export PROVISIONING_IP="127.0.0.1"
# Set to true since running this script implies sensor data metrics are needed
# ironic-prometheus-exporter (IPE) needs to read from oslo_messaging_notifications.location (i.e content under /shared) where Ironic writes to
export SEND_SENSOR_DATA=true
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
export IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
ironic_prometheus_exporter.app.wsgi:application

32
ironic-image/scripts/runlogwatch.sh
View File

@@ -1,32 +0,0 @@
#!/usr/bin/bash
# Ramdisk logs path
export LOG_DIR="/shared/log/ironic/deploy"
mkdir -p "${LOG_DIR}"
# Function to process log files
process_log_file() {
local FILEPATH="$1"
# shellcheck disable=SC2155
local FILENAME=$(basename "${FILEPATH}")
echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
tar -tzf "${FILEPATH}" | while read -r entry; do
echo "${FILENAME}: **** Entry: ${entry} ****"
tar -xOzf "${FILEPATH}" "${entry}" | sed -e "s/^/${FILENAME}: /"
echo
done
rm -f "${FILEPATH}"
}
# Export the function so watchmedo can use it
export -f process_log_file
# Use watchmedo to monitor for file close events
# shellcheck disable=SC2016
watchmedo shell-command \
--patterns="*" \
--ignore-directories \
--command='if [[ "${watch_event_type}" == "closed" ]]; then process_log_file "${watch_src_path}"; fi' \
"${LOG_DIR}"

10
ironic-image/scripts/runonline-data-migrations
View File

@@ -1,10 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# NOTE(dtantsur): no retries here: this script is supposed to be run as a Job
# that is retried on failure.
exec ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" online_data_migrations

48
ironic-image/scripts/tls-common.sh → ironic-image/tls-common.sh
View File

@@ -1,14 +1,13 @@
#!/bin/bash
export IRONIC_CERT_FILE=/certs/ironic/tls.crt
export IRONIC_KEY_FILE=/certs/ironic/tls.key
export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
# Node image storage is using the same cert and port as the API
export IRONIC_CERT_FILE=/certs/ironic/tls.crt
export IRONIC_KEY_FILE=/certs/ironic/tls.key
export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
@@ -17,15 +16,15 @@ export IPXE_KEY_FILE=/certs/ipxe/tls.key
export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
# By default every cert has to be signed with Ironic's
# CA otherwise node image and IPA verification would fail
export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
export BMC_CACERTS_PATH=/certs/ca/bmc
export BMC_CACERT_FILE=/conf/bmc-tls.pem
export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
mkdir -p /certs/ironic
mkdir -p /certs/ca/ironic
mkdir -p /certs/ipxe
mkdir -p /certs/vmedia
if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
exit 1
@@ -70,7 +69,6 @@ if [[ -f "$IRONIC_CERT_FILE" ]] || [[ -f "$IRONIC_CACERT_FILE" ]]; then
export IRONIC_TLS_SETUP="true"
export IRONIC_SCHEME="https"
if [[ ! -f "$IRONIC_CACERT_FILE" ]]; then
mkdir -p "$(dirname "${IRONIC_CACERT_FILE}")"
copy_atomic "$IRONIC_CERT_FILE" "$IRONIC_CACERT_FILE"
fi
else
@@ -97,33 +95,3 @@ if [[ -f "$MARIADB_CACERT_FILE" ]]; then
else
export MARIADB_TLS_ENABLED="false"
fi
configure_restart_on_certificate_update()
{
local enabled="$1"
local service="$2"
local cert_file="$3"
local signal="TERM"
if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
if [[ "${service}" == httpd ]]; then
# shellcheck disable=SC2034
signal="WINCH"
fi
# Use watchmedo to monitor certificate file deletion
# shellcheck disable=SC2016
watchmedo shell-command \
--patterns="$(basename "${cert_file}")" \
--ignore-directories \
--command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -'"${signal}"' '"${service}"'; fi' \
"$(dirname "${cert_file}")" &
fi
}
if [ -d "${BMC_CACERTS_PATH}" ]; then
export BMC_TLS_ENABLED="true"
cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"
else
export BMC_TLS_ENABLED="false"
fi

11
ironic-ipa-downloader-image/Dockerfile
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,6 +9,8 @@ COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
RUN cp /usr/bin/getopt /installroot/
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -16,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.10"
LABEL org.opencontainers.image.version="3.0.8"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -30,6 +32,7 @@ LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN cp /getopt /usr/bin/
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user
COPY configure-nonroot.sh /bin/

11
ironic-ipa-downloader-image/Dockerfile.aarch64
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE%
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,6 +9,8 @@ COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
RUN cp /usr/bin/getopt /installroot/
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -16,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.10"
LABEL org.opencontainers.image.version="3.0.8"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -30,6 +32,7 @@ LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN cp /getopt /usr/bin/
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user
COPY configure-nonroot.sh /bin/

11
ironic-ipa-downloader-image/Dockerfile.x86_64
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE%
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,6 +9,8 @@ COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 tar gawk curl xz zstd shadow cpio findutils
RUN cp /usr/bin/getopt /installroot/
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -16,11 +18,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="3.0.10"
LABEL org.opencontainers.image.version="3.0.8"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -30,6 +32,7 @@ LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
RUN cp /getopt /usr/bin/
RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
# configure non-root user
COPY configure-nonroot.sh /bin/

15
ironic-ipa-downloader-image/get-resource.sh
View File

@@ -29,12 +29,13 @@ if [ -z "${IPA_BASEURI}" ]; then
# SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
mkdir -p /shared/html/images
if [ -f ${IMAGES_BASE_PATH}/initrd-x86_64.zst ]; then
cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent_x86_64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent_x86_64.kernel
cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
fi
# Use arm64 as destination for iPXE compatibility
if [ -f ${IMAGES_BASE_PATH}/initrd-aarch64.zst ]; then
cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent_aarch64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent_aarch64.kernel
cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
fi
cp /tmp/images.sha256 /shared/images.sha256
@@ -86,8 +87,8 @@ else
chmod 755 "$TMPDIR"
mv "$TMPDIR" "$FILENAME-$ETAG"
ln -sf "$FILENAME-$ETAG/$FFILENAME.headers" "$FFILENAME.headers"
ln -sf "$FILENAME-$ETAG/$FILENAME.initramfs" "${FILENAME}_${ARCH,,}.initramfs"
ln -sf "$FILENAME-$ETAG/$FILENAME.kernel" "${FILENAME}_${ARCH,,}.kernel"
ln -sf "$FILENAME-$ETAG/$FILENAME.initramfs" "$FILENAME-${ARCH,,}.initramfs"
ln -sf "$FILENAME-$ETAG/$FILENAME.kernel" "$FILENAME-${ARCH,,}.kernel"
IMAGE_CHANGED=1
else
@@ -99,7 +100,7 @@ if [ "${CERTS_CHANGED:-0}" = "1" ] || [ "${IMAGE_CHANGED:-0}" = "1" ]; then
mkdir -p /tmp/ca/tmp-initrd && cd /tmp/ca/tmp-initrd
mkdir -p etc/ironic-python-agent.d/ca-certs
cp /tmp/ironic-certificates/* etc/ironic-python-agent.d/ca-certs/
for initramfs in /shared/html/images/ironic-python-agent_*.initramfs; do
for initramfs in /shared/html/images/ironic-python-agent-*.initramfs; do
find . | cpio -o -H newc --reproducible | zstd -c >> "${initramfs}"
done
cp /tmp/certificates.sha256 /shared/certificates.sha256

5
ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
View File

@@ -76,7 +76,6 @@
<package name="grub2-i386-pc" arch="x86_64"/>
<package name="grub2-x86_64-efi" arch="x86_64"/>
<package name="grub2"/>
<package name="gettext-runtime"/>
<package name="iproute2"/>
<package name="iputils"/>
<package name="kernel-default"/>
@@ -88,7 +87,6 @@
<package name="timezone"/>
<package name="which"/>
<!-- ironic-python-agent specific -->
<package name="chrony"/>
<package name="dmidecode"/>
<package name="efibootmgr"/>
<package name="gptfdisk"/>
@@ -97,14 +95,15 @@
<package name="ipmitool"/>
<package name="iputils"/>
<package name="kbd"/>
<package name="krb5"/>
<package name="lshw"/>
<package name="lvm2"/>
<package name="net-tools"/>
<package name="ntp"/>
<package name="open-iscsi"/>
<package name="openstack-ironic-python-agent"/>
<package name="parted"/>
<package name="psmisc"/>
<package name="python311-proliantutils"/>
<package name="qemu-tools"/>
<package name="timezone"/>
<package name="which"/>

16
ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
View File

@@ -19,7 +19,7 @@
Name: ironic-ipa-ramdisk
Version: 3.0.8
Version: 3.0.7
Release: 0
Summary: Kernel and ramdisk image for OpenStack Ironic
License: SUSE-EULA
@@ -29,12 +29,12 @@ Source0: config.sh
Source10: ironic-ipa-ramdisk.kiwi
Source20: root
#!BuildIgnore: systemd-mini
BuildRequires: systemd
BuildRequires: -post-build-checks
BuildRequires: bash
BuildRequires: kiwi
BuildRequires: kiwi-tools
BuildRequires: zypper
BuildArch: noarch
BuildRequires: checkmedia
BuildRequires: acl
@@ -55,6 +55,7 @@ BuildRequires: grub2-x86_64-efi
%ifarch aarch64
BuildRequires: grub2-arm64-efi
%endif
BuildRequires: haveged
BuildRequires: hdparm
BuildRequires: hwinfo
BuildRequires: ipmitool
@@ -64,7 +65,7 @@ BuildRequires: kernel-default
BuildRequires: kernel-firmware-all
BuildRequires: lvm2
BuildRequires: net-tools
BuildRequires: chrony
BuildRequires: ntp
BuildRequires: open-iscsi
BuildRequires: openssh
BuildRequires: openstack-ironic-python-agent
@@ -76,6 +77,7 @@ BuildRequires: pkgconfig
BuildRequires: Mesa-gallium
BuildRequires: plymouth
BuildRequires: plymouth-scripts
BuildRequires: python311-proliantutils
BuildRequires: psmisc
BuildRequires: qemu-tools
BuildRequires: sg3_utils
@@ -103,9 +105,6 @@ BuildRequires: lshw
BuildRequires: kbd
BuildRequires: dmidecode
BuildRequires: efibootmgr
BuildRequires: glibc-locale
BuildRequires: krb5
BuildRequires: gettext-runtime
%ifarch x86_64
BuildRequires: syslinux
%endif
@@ -114,9 +113,10 @@ BuildRequires: syslinux
Kernel and ramdisk image for use with Metal3
%package %{_arch}
BuildArch: noarch
Summary: Kernel and ramdisk image for Metal3
Group: System/Management
Provides: openstack-ironic-python-agent = %{version}
Obsoletes: openstack-ironic-python-agent < %{version}
%description %{_arch}
Kernel and ramdisk image for use with Metal3

10
kiwi-builder-image/Dockerfile
View File

@@ -1,8 +1,8 @@
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.1
# Base image version, should match the tag above
ARG KIWIVERSION="10.2.29"
ARG KIWIVERSION="10.2.12"
FROM registry.suse.com/bci/kiwi:${KIWIVERSION}
ARG KIWIVERSION
@@ -15,7 +15,7 @@ LABEL org.opencontainers.image.version="${KIWIVERSION}"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kiwi-builder:${KIWIVERSION}.0-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kiwi-builder:${KIWIVERSION}.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,6 +33,4 @@ RUN mkdir -p /micro-sdk/defs
ADD SL-Micro.kiwi /micro-sdk/defs
ADD SL-Micro.kiwi.4096 /micro-sdk/defs
ADD config.sh /micro-sdk/defs
ADD disk.sh /micro-sdk/defs
ADD editbootinstall_rpi.sh /micro-sdk/defs
ADD editbootinstall_pine64.sh /micro-sdk/defs

28
kiwi-builder-image/README.build.md
View File

@@ -1,28 +0,0 @@
The following files are coming from _upstream_ https://build.opensuse.org/package/show/SUSE:SLFO:Products:SL-Micro:6.2/SL-Micro :
* SL-Micro.kiwi
* disk.sh
* config.sh
* editbootinstall_pine64.sh
* editbootinstall_rpi.sh
Those can be downloaded as:
```
curl -LO https://src.suse.de/products/SL-Micro/raw/branch/6.2/SL-Micro/SL-Micro.kiwi
```
The SL-Micro.kiwi file needs to be modified to append a few packages on the bootstrap stanza to be able to generate images with no SSL errors:
```
<packages type="bootstrap">
<package name="filesystem"/>
+ <package name="coreutils"/>
+ <package name="ca-certificates"/>
+ <package name="ca-certificates-mozilla"/>
</packages>
```
The SL-Micro.kiwi.4096 file needs to be modified to modify the `target_blocksize="4096"` where appropiate.
All the other files are used verbatim.

308
kiwi-builder-image/SL-Micro.kiwi
View File

@@ -30,13 +30,16 @@
<profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
<profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -57,15 +60,6 @@
<profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
<requires profile="bootloader"/>
</profile>
@@ -95,15 +89,6 @@
</profile>
<profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<!-- Images (flavor + platform) -->
<profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -169,10 +154,18 @@
<requires profile="full"/>
<requires profile="aarch64"/>
</profile>
<profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi"/>
</profile>
<profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64"/>
</profile>
<profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="rpi"/>
</profile>
<profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
<requires profile="container-host"/>
<requires profile="x86-rt"/>
@@ -186,6 +179,10 @@
<requires profile="container-host"/>
<requires profile="aarch64-rt"/>
</profile>
<profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-rt-rpi"/>
</profile>
<profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-rt-self_install"/>
@@ -280,42 +277,10 @@
<requires profile="ppc64le-4096ss-self_install"/>
<requires profile="self_install"/>
</profile>
<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb-self_install"/>
</profile>
<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb-self_install"/>
</profile>
<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb"/>
</profile>
<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb"/>
</profile>
<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb-encrypted"/>
</profile>
<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb-encrypted"/>
</profile>
<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi-self_install"/>
</profile>
<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi"/>
</profile>
</profiles>
<preferences profiles="x86-encrypted,x86-rt-encrypted">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -326,8 +291,7 @@
initrd_system="dracut"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -359,7 +323,7 @@
</type>
</preferences>
<preferences profiles="x86,x86-rt">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -370,8 +334,7 @@
initrd_system="dracut"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -396,7 +359,7 @@
</preferences>
<preferences profiles="x86-self_install,x86-rt-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -411,8 +374,7 @@
installboot="install"
install_continue_on_timeout="false"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -435,8 +397,9 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
<version>6.2</version>
<preferences profiles="rpi,aarch64-rt-rpi">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -451,96 +414,11 @@
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
disk_start_sector="8192"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
<volume name="usr/local"/>
<volume name="var" copy_on_write="false"/>
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
<version>6.2</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<type
image="oem"
initrd_system="dracut"
installiso="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
disk_start_sector="8192"
luks_version="luks2"
luks="1234"
luks_randomize="false"
luks_pbkdf="pbkdf2"
>
<luksformat>
<option name="--cipher" value="aes-xts-plain64"/>
</luksformat>
<bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
<volume name="usr/local"/>
<volume name="var" copy_on_write="false"/>
</systemdisk>
</type>
</preferences>
<preferences profiles="rpi">
<version>6.2</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<type
image="oem"
initrd_system="dracut"
installiso="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
efipartsize="128"
editbootinstall="editbootinstall_rpi.sh"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
@@ -560,8 +438,9 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
<version>6.2</version>
<preferences profiles="aarch64,aarch64-rt">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -571,20 +450,19 @@
image="oem"
initrd_system="dracut"
installiso="true"
installpxe="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
efipartsize="128"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="true"
disk_start_sector="8192"
btrfs_quota_groups="false"
disk_start_sector="4096"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
@@ -600,8 +478,8 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="rpi-self_install">
<version>6.2</version>
<preferences profiles="aarch64-self_install,aarch64-rt-self_install">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -616,14 +494,13 @@
installboot="install"
install_continue_on_timeout="false"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
efipartsize="128"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
editbootinstall="editbootinstall_rpi.sh"
btrfs_quota_groups="true"
disk_start_sector="4096"
>
@@ -643,7 +520,7 @@
</preferences>
<preferences profiles="s390-kvm">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -681,7 +558,7 @@
<preferences profiles="s390-dasd">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -719,7 +596,7 @@
<preferences profiles="s390-fba">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -754,7 +631,7 @@
</preferences>
<preferences profiles="s390-fcp">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -793,7 +670,7 @@
</preferences>
<preferences profiles="x86-vmware">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -804,7 +681,6 @@
filesystem="btrfs"
format="vmdk"
firmware="uefi"
efipartsize="512"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -825,11 +701,11 @@
<volume name="var" copy_on_write="false"/>
</systemdisk>
<size unit="G">24</size>
<machine memory="1024" HWversion="17" guestOS="suse-64"/>
<machine memory="1024" HWversion="10" guestOS="suse-64"/>
</type>
</preferences>
<preferences profiles="x86-qcow">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -840,8 +716,7 @@
format="qcow2"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -865,9 +740,9 @@
<size unit="G">32</size>
</type>
</preferences>
<preferences profiles="aarch64-qcow">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -878,8 +753,8 @@
format="qcow2"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
efipartsize="128"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -890,7 +765,7 @@
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
@@ -902,7 +777,7 @@
</preferences>
<preferences profiles="ppc64le-512ss">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -913,7 +788,7 @@
image="oem"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -925,7 +800,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -935,7 +810,7 @@
</type>
</preferences>
<preferences profiles="ppc64le-4096ss">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -949,7 +824,7 @@
target_blocksize="4096"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -961,7 +836,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -972,7 +847,7 @@
</preferences>
<preferences profiles="ppc64le-512ss-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -985,7 +860,7 @@
installpxe="true"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -1002,7 +877,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -1012,7 +887,7 @@
</type>
</preferences>
<preferences profiles="ppc64le-4096ss-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -1028,7 +903,7 @@
target_blocksize="4096"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -1045,7 +920,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -1061,17 +936,20 @@
</repository>
<packages type="image" profiles="full">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="salt_minion"/>
<package name="patterns-base-salt_minion"/>
<namedCollection name="kvm_host"/>
<package name="patterns-micro-kvm_host"/>
<package name="patterns-base-kvm_host"/>
<package name="lzop"/>
<namedCollection name="container_runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<namedCollection name="cockpit"/>
<package name="patterns-cockpit"/>
<package name="patterns-base-cockpit"/>
<namedCollection name="selinux"/>
<package name="patterns-base-selinux"/>
<package name="policycoreutils-python-utils"/>
<package name="suseconnect-ng"/>
<package name="SL-Micro-release"/>
<package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1081,7 +959,7 @@
<package name="libpwquality-tools"/>
</packages>
<packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
<packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
<!-- full disk encryption stuff -->
<package name="device-mapper"/>
<package name="cryptsetup"/>
@@ -1094,12 +972,13 @@
</packages>
<packages type="image" profiles="container-host">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="container_runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<namedCollection name="selinux"/>
<package name="patterns-base-selinux"/>
<package name="policycoreutils-python-utils"/>
<package name="suseconnect-ng"/>
<package name="SL-Micro-release"/>
<package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1123,16 +1002,16 @@
<package name="jeos-firstboot"/>
</packages>
<packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
<packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
<package name="cloud-init"/>
<package name="cloud-init-config-suse"/>
</packages>
<packages type="image">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="hardware"/>
<package name="patterns-micro-hardware"/>
<package name="patterns-base-hardware"/>
<package name="grub2"/>
<package name="glibc-locale-base"/>
<package name="ca-certificates"/>
@@ -1151,7 +1030,7 @@
<package name="NetworkManager"/>
<package name="NetworkManager-branding-SLE"/>
<package name="ModemManager"/>
<!-- FIXME does not build without control file which is obsolete
<!-- FIXME does not build without control file which is obsolete
<package name="live-add-yast-repos"/> -->
<package name="parted"/> <!-- seems missing to deploy the image -->
<package name="iptables"/> <!-- needed by RKE2 -->
@@ -1171,18 +1050,14 @@
<package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
</packages>
<!-- rpi kernel-default-base does not provide all necessary drivers -->
<packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<package name="kernel-default"/>
<package name="kernel-firmware-all"/>
</packages>
<packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
<package name="kernel-64kb"/>
<package name="kernel-firmware-all"/>
</packages>
<packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
<packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
<package name="kernel-rt"/>
<package name="kernel-firmware-all"/>
<!-- FIXME intentionally removed from ALP code stream
<!-- FIXME intentionally removed from ALP code stream
<package name="cpuset"/> -->
</packages>
<packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1194,18 +1069,17 @@
<packages type="image" profiles="s390-fcp">
<package name="multipath-tools"/>
</packages>
<!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
<packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<package name="dracut-kiwi-oem-repart"/>
<package name="dracut-kiwi-oem-dump"/>
</packages>
<packages type="image" profiles="rpi,rpi-self_install">
<packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
<package name="raspberrypi-firmware" arch="aarch64"/>
<package name="raspberrypi-firmware-config" arch="aarch64"/>
<package name="raspberrypi-firmware-dt" arch="aarch64"/>
<package name="u-boot-rpiarm64" arch="aarch64"/>
</packages>
<packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
<packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
<package name="dracut-kiwi-oem-repart"/>
<package name="bcm43xx-firmware"/>
<package name="wireless-regdb"/>
@@ -1213,7 +1087,6 @@
<package name="wpa_supplicant"/>
<package name="grub2-arm64-efi"/>
</packages>
<!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
<packages type="bootstrap">
<package name="filesystem"/>
<package name="coreutils"/>
@@ -1230,15 +1103,14 @@
<packages type="image" profiles="x86-qcow,aarch64-qcow">
<package name="qemu-guest-agent"/>
</packages>
<!-- jsc#PED-8599 -->
<packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
<packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
<package name="usbguard"/>
</packages>
<!-- jsc#PED-8788 -->
<packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
<packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
<package name="stalld"/>
</packages>
</image>

324
kiwi-builder-image/SL-Micro.kiwi.4096
View File

@@ -30,13 +30,16 @@
<profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
<profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -57,15 +60,6 @@
<profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
<requires profile="bootloader"/>
</profile>
@@ -95,15 +89,6 @@
</profile>
<profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
<requires profile="bootloader"/>
</profile>
<!-- Images (flavor + platform) -->
<profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -169,10 +154,18 @@
<requires profile="full"/>
<requires profile="aarch64"/>
</profile>
<profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi"/>
</profile>
<profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64"/>
</profile>
<profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="rpi"/>
</profile>
<profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
<requires profile="container-host"/>
<requires profile="x86-rt"/>
@@ -186,6 +179,10 @@
<requires profile="container-host"/>
<requires profile="aarch64-rt"/>
</profile>
<profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-rt-rpi"/>
</profile>
<profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-rt-self_install"/>
@@ -280,55 +277,21 @@
<requires profile="ppc64le-4096ss-self_install"/>
<requires profile="self_install"/>
</profile>
<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb-self_install"/>
</profile>
<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb-self_install"/>
</profile>
<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb"/>
</profile>
<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb"/>
</profile>
<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="full"/>
<requires profile="aarch64-64kb-encrypted"/>
</profile>
<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
<requires profile="container-host"/>
<requires profile="aarch64-64kb-encrypted"/>
</profile>
<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi-self_install"/>
</profile>
<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
<requires profile="full"/>
<requires profile="rpi"/>
</profile>
</profiles>
<preferences profiles="x86-encrypted,x86-rt-encrypted">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -338,8 +301,9 @@
luks_version="luks2"
luks="1234"
luks_randomize="false"
luks_pbkdf="pbkdf2"
luks_pbkdf="pbkdf2"
target_blocksize="4096"
efipartsize="200"
>
<luksformat>
<option name="--cipher" value="aes-xts-plain64"/>
@@ -361,20 +325,18 @@
</type>
</preferences>
<preferences profiles="x86,x86-rt">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -382,6 +344,7 @@
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="true"
target_blocksize="4096"
efipartsize="200"
>
<bootloader name="grub2" console="gfxterm" timeout="3"/>
<systemdisk>
@@ -400,13 +363,12 @@
</preferences>
<preferences profiles="x86-self_install,x86-rt-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
@@ -416,8 +378,7 @@
installboot="install"
install_continue_on_timeout="false"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -425,6 +386,7 @@
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="true"
target_blocksize="4096"
efipartsize="200"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
@@ -441,97 +403,9 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
<version>6.2</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
installiso="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
disk_start_sector="8192"
target_blocksize="4096"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
<volume name="usr/local"/>
<volume name="var" copy_on_write="false"/>
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
<version>6.2</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
installiso="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
disk_start_sector="8192"
luks_version="luks2"
luks="1234"
luks_randomize="false"
luks_pbkdf="pbkdf2"
target_blocksize="4096"
>
<luksformat>
<option name="--cipher" value="aes-xts-plain64"/>
</luksformat>
<bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
<volume name="usr/local"/>
<volume name="var" copy_on_write="false"/>
</systemdisk>
</type>
</preferences>
<preferences profiles="rpi">
<version>6.2</version>
<preferences profiles="rpi,aarch64-rt-rpi">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -546,11 +420,11 @@
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
efipartsize="128"
editbootinstall="editbootinstall_rpi.sh"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="false"
@@ -570,33 +444,31 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
<version>6.2</version>
<preferences profiles="aarch64,aarch64-rt">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
<rpm-excludedocs>true</rpm-excludedocs>
<locale>en_US</locale>
<!-- NOTE: Added 4096 support here -->
<type
image="oem"
initrd_system="dracut"
installiso="true"
installpxe="true"
filesystem="btrfs"
installboot="install"
install_continue_on_timeout="false"
fsmountoptions="noatime"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
efipartsize="128"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="true"
disk_start_sector="8192"
target_blocksize="4096"
btrfs_quota_groups="false"
disk_start_sector="4096"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
@@ -612,8 +484,8 @@
</systemdisk>
</type>
</preferences>
<preferences profiles="rpi-self_install">
<version>6.2</version>
<preferences profiles="aarch64-self_install,aarch64-rt-self_install">
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -628,14 +500,13 @@
installboot="install"
install_continue_on_timeout="false"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
efipartsize="128"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
editbootinstall="editbootinstall_rpi.sh"
btrfs_quota_groups="true"
disk_start_sector="4096"
>
@@ -655,7 +526,7 @@
</preferences>
<preferences profiles="s390-kvm">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -693,7 +564,7 @@
<preferences profiles="s390-dasd">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -731,7 +602,7 @@
<preferences profiles="s390-fba">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -766,7 +637,7 @@
</preferences>
<preferences profiles="s390-fcp">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -805,7 +676,7 @@
</preferences>
<preferences profiles="x86-vmware">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -816,7 +687,6 @@
filesystem="btrfs"
format="vmdk"
firmware="uefi"
efipartsize="512"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -837,11 +707,11 @@
<volume name="var" copy_on_write="false"/>
</systemdisk>
<size unit="G">24</size>
<machine memory="1024" HWversion="17" guestOS="suse-64"/>
<machine memory="1024" HWversion="10" guestOS="suse-64"/>
</type>
</preferences>
<preferences profiles="x86-qcow">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -852,14 +722,15 @@
format="qcow2"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
btrfs_root_is_snapshot="true"
btrfs_root_is_readonly_snapshot="true"
btrfs_quota_groups="true"
target_blocksize="4096"
efipartsize="200"
>
<bootloader name="grub2" console="gfxterm" timeout="3" />
<systemdisk>
@@ -877,9 +748,9 @@
<size unit="G">32</size>
</type>
</preferences>
<preferences profiles="aarch64-qcow">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -890,8 +761,8 @@
format="qcow2"
filesystem="btrfs"
firmware="uefi"
efipartsize="512"
kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
efipartsize="128"
kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -902,7 +773,7 @@
<systemdisk>
<volume name="home"/>
<volume name="root"/>
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
<volume name="boot/writable"/>
@@ -914,7 +785,7 @@
</preferences>
<preferences profiles="ppc64le-512ss">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -925,7 +796,7 @@
image="oem"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -937,7 +808,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -947,7 +818,7 @@
</type>
</preferences>
<preferences profiles="ppc64le-4096ss">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -961,7 +832,7 @@
target_blocksize="4096"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -973,7 +844,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -984,7 +855,7 @@
</preferences>
<preferences profiles="ppc64le-512ss-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -997,7 +868,7 @@
installpxe="true"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -1014,7 +885,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -1024,7 +895,7 @@
</type>
</preferences>
<preferences profiles="ppc64le-4096ss-self_install">
<version>6.2</version>
<version>6.1</version>
<packagemanager>zypper</packagemanager>
<bootsplash-theme>SLE</bootsplash-theme>
<bootloader-theme>SLE</bootloader-theme>
@@ -1040,7 +911,7 @@
target_blocksize="4096"
filesystem="btrfs"
firmware="ofw"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
bootpartition="false"
bootkernel="custom"
devicepersistency="by-uuid"
@@ -1057,7 +928,7 @@
<volume name="home"/>
<volume name="root"/>
<!-- on tmpfs jsc#SMO-2 <volume name="tmp"/> -->
<volume name="opt"/>
<volume name="opt"/>
<volume name="srv"/>
<volume name="boot/grub2/powerpc-ieee1275"/>
<volume name="boot/writable"/>
@@ -1073,17 +944,20 @@
</repository>
<packages type="image" profiles="full">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="salt_minion"/>
<package name="patterns-base-salt_minion"/>
<namedCollection name="kvm_host"/>
<package name="patterns-micro-kvm_host"/>
<package name="patterns-base-kvm_host"/>
<package name="lzop"/>
<namedCollection name="container_runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<namedCollection name="cockpit"/>
<package name="patterns-cockpit"/>
<package name="patterns-base-cockpit"/>
<namedCollection name="selinux"/>
<package name="patterns-base-selinux"/>
<package name="policycoreutils-python-utils"/>
<package name="suseconnect-ng"/>
<package name="SL-Micro-release"/>
<package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1093,7 +967,7 @@
<package name="libpwquality-tools"/>
</packages>
<packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
<packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
<!-- full disk encryption stuff -->
<package name="device-mapper"/>
<package name="cryptsetup"/>
@@ -1106,12 +980,13 @@
</packages>
<packages type="image" profiles="container-host">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="container_runtime_podman"/>
<package name="patterns-container-runtime_podman"/>
<namedCollection name="selinux"/>
<package name="patterns-base-selinux"/>
<package name="policycoreutils-python-utils"/>
<package name="suseconnect-ng"/>
<package name="SL-Micro-release"/>
<package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1135,16 +1010,16 @@
<package name="jeos-firstboot"/>
</packages>
<packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
<packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
<package name="cloud-init"/>
<package name="cloud-init-config-suse"/>
</packages>
<packages type="image">
<namedCollection name="transactional_base"/>
<package name="patterns-base-transactional_base"/>
<namedCollection name="base_transactional"/>
<package name="patterns-base-transactional"/>
<namedCollection name="hardware"/>
<package name="patterns-micro-hardware"/>
<package name="patterns-base-hardware"/>
<package name="grub2"/>
<package name="glibc-locale-base"/>
<package name="ca-certificates"/>
@@ -1163,7 +1038,7 @@
<package name="NetworkManager"/>
<package name="NetworkManager-branding-SLE"/>
<package name="ModemManager"/>
<!-- FIXME does not build without control file which is obsolete
<!-- FIXME does not build without control file which is obsolete
<package name="live-add-yast-repos"/> -->
<package name="parted"/> <!-- seems missing to deploy the image -->
<package name="iptables"/> <!-- needed by RKE2 -->
@@ -1183,18 +1058,14 @@
<package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
</packages>
<!-- rpi kernel-default-base does not provide all necessary drivers -->
<packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<package name="kernel-default"/>
<package name="kernel-firmware-all"/>
</packages>
<packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
<package name="kernel-64kb"/>
<package name="kernel-firmware-all"/>
</packages>
<packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
<packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
<package name="kernel-rt"/>
<package name="kernel-firmware-all"/>
<!-- FIXME intentionally removed from ALP code stream
<!-- FIXME intentionally removed from ALP code stream
<package name="cpuset"/> -->
</packages>
<packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1206,18 +1077,17 @@
<packages type="image" profiles="s390-fcp">
<package name="multipath-tools"/>
</packages>
<!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
<packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
<package name="dracut-kiwi-oem-repart"/>
<package name="dracut-kiwi-oem-dump"/>
</packages>
<packages type="image" profiles="rpi,rpi-self_install">
<packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
<package name="raspberrypi-firmware" arch="aarch64"/>
<package name="raspberrypi-firmware-config" arch="aarch64"/>
<package name="raspberrypi-firmware-dt" arch="aarch64"/>
<package name="u-boot-rpiarm64" arch="aarch64"/>
</packages>
<packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
<packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
<package name="dracut-kiwi-oem-repart"/>
<package name="bcm43xx-firmware"/>
<package name="wireless-regdb"/>
@@ -1225,7 +1095,6 @@
<package name="wpa_supplicant"/>
<package name="grub2-arm64-efi"/>
</packages>
<!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
<packages type="bootstrap">
<package name="filesystem"/>
<package name="coreutils"/>
@@ -1242,15 +1111,14 @@
<packages type="image" profiles="x86-qcow,aarch64-qcow">
<package name="qemu-guest-agent"/>
</packages>
<!-- jsc#PED-8599 -->
<packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
<packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
<package name="usbguard"/>
</packages>
<!-- jsc#PED-8788 -->
<packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
<packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
<package name="stalld"/>
</packages>
</image>

31
kiwi-builder-image/build-image.sh
View File

@@ -28,7 +28,7 @@ LARGEBLOCK=false
usage(){
cat <<-EOF
=====================================
SUSE Linux Micro 6.2 Kiwi SDK Builder
SUSE Linux Micro 6.1 Kiwi SDK Builder
=====================================
Usage: ${0} [-p <profile>] [-b]
@@ -36,12 +36,13 @@ usage(){
Profile Options (-p):
* Default: RAW Disk Image with default packages (incl. Podman & KVM)
* Default-SelfInstall: SelfInstall ISO with default packages
* Default-RPi: RAW Disk Image for Raspberry Pi (aarch64 only with MBR)
* Base: RAW Disk Image with reduced package set (no KVM)
* Base-SelfInstall: SelfInstall ISO with reduced packages
* Base-RT: RAW Disk Image with reduced packages and kernel-rt
* Base-RT-SelfInstall: SelfInstall ISO with reduced packages and kernel-rt
* RaspberryPi: RAW Disk Image for Raspberry Pi with default packages (aarch64 only with MBR)
* RaspberryPi-SelfInstall: SelfInstall ISO for Raspberry Pi with default packages (aarch64 only with MBR)
* Base-RT-RPi: RAW Disk image for Raspberry Pi with kernel-rt (aarch64 only with MBR)
* Base-RPi: RAW Disk Image for Raspberry Pi with reduced packages (aarch64 only with MBR)
4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
@@ -82,34 +83,14 @@ if $LARGEBLOCK; then
mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
fi
# Create temporary directory that supports seclabel
dir=$(mktemp -d)
mkdir -p /tmp/output/tmp-dir
mount -t tmpfs $dir /tmp/output/tmp-dir
# Build the image
kiwi-ng --temp-dir /tmp/output/tmp-dir --debug --profile $PROFILE \
system build --description /micro-sdk/defs --target-dir /tmp/output \
--ignore-repos-used-for-build $REPOS
kiwi-ng --debug --profile $PROFILE system build \
--description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
# Print output
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
# The -n flag is being used to avoid the \n at the end of the line
echo -n "INFO: Generating sha256 checksum file... " && {
# This returns the iso or raw image from the kiwi.result.json file, preferring iso
FILE_PATH=$(python3 -c 'import json, sys; data = json.load(sys.stdin); iso = data.get("installation_image", {}).get("filename"); raw = data.get("disk_image", {}).get("filename"); print(iso if iso else raw)' < /tmp/output/kiwi.result.json)
# Generate the checksum if the file path was successfully extracted
if [ -n "$FILE_PATH" ]; then
# The sed trims the full path to just the filename (e.g., "sum filename")
sha256sum "$FILE_PATH" | sed -E 's/\s+.*\/([^/]+)$/ \1/' > "$FILE_PATH.sha256" && echo "done"
else
# Or fail if it is not there
echo "ERROR: Neither ISO nor RAW file path found in JSON."
fi
# Catch-all just in case something fails inside the block
} || echo "ERROR: Command failed during processing."
else
echo -e "\n\nERROR: Failed to build the image, please see above logs."
fi

1
kiwi-builder-image/config.sh
View File

@@ -188,6 +188,7 @@ cat >/etc/fstab.script <<"EOF"
#!/bin/sh
set -eux
/usr/sbin/setup-fstab-for-overlayfs
# If /var is on a different partition than /...
if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
# ... set options for autoexpanding /var

24
kiwi-builder-image/disk.sh
View File

@@ -1,24 +0,0 @@
#!/bin/bash
# Copyright (c) 2025 SUSE LLC
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
set -euxo pipefail
/usr/libexec/setup-etc-subvol

Some files were not shown because too many files have changed in this diff Show More