tools/debian-mirror-tools/config/debian/common/base-bullseye.yaml

425 lines
15 KiB
YAML

---
name: starlingx
machine: intel-x86-64
image_type:
- iso
- ostree-repo
debootstrap-mirror: deb-merge-all
package_feeds: []
package_type: external-debian
wic:
OSTREE_WKS_BOOT_SIZE: ''
OSTREE_WKS_EFI_SIZE: --size=32M
OSTREE_WKS_ROOT_SIZE: ''
OSTREE_WKS_FLUX_SIZE: ''
OSTREE_FLUX_PART: fluxdata
gpg:
gpg_path: /tmp/.lat_gnupg_root
ostree:
gpgid: Wind-River-Linux-Sample
gpgkey: $OECORE_NATIVE_SYSROOT/usr/share/genimage/rpm_keys/RPM-GPG-PRIVKEY-Wind-River-Linux-Sample
gpg_password: windriver
grub:
BOOT_GPG_NAME: SecureBootCore
BOOT_GPG_PASSPHRASE: SecureCore
BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys
BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore
BOOT_SINGED_SHIM: $IMAGE_ROOTFS/usr/lib/shim/bootx64.efi
BOOT_SINGED_SHIMTOOL: $IMAGE_ROOTFS/usr/lib/shim/mmx64.efi
BOOT_SINGED_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grubx64.efi
BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
BOOT_GRUB_CFG: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grub.cfg
BOOT_NOSIG_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/bootx64-nosig.efi
EFI_SECURE_BOOT: disable
packages: []
external-packages: []
include-default-packages: '0'
rootfs-pre-scripts:
- |
# The StarlingX customize pacakges includes:
# - ostree 2019.1
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF
set -e
# Speed up apt/dpkg used for running build-image
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/unsafe-io
apt update
apt install -y --no-install-recommends linux-image-stx-amd64 linux-rt-image-stx-amd64 grub-common
apt install -y --allow-downgrades --allow-unauthenticated --no-install-recommends ostree ostree-boot libostree-1-1 ostree-upgrade-mgr
apt install --no-install-recommends -y ifupdown
apt install -y bc vim uuid-runtime iputils-ping
# Move dpkg database to /usr so it's accessible after the OS /var is
# mounted, but make a symlink so it works without modifications to
# dpkg or apt
mv /var/lib/dpkg /usr/share/dpkg/database
ln -sr /usr/share/dpkg/database /var/lib/dpkg
SCRIPT_ENDOF
rootfs-post-scripts:
- |-
# Set bash as default shell
ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh
- |-
# Allow root ssh login
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
- |-
# FIXME: OSTree will not set up a link to scratch automagically. Need to
# relocate scratch to a more ostree friendly locale
mkdir $IMAGE_ROOTFS/var/rootdirs/scratch
ln -snf --relative $IMAGE_ROOTFS/var/rootdirs/scratch $IMAGE_ROOTFS/scratch
- |-
# Make /opt/branding to writable (To make end-user enable to place their branding archive)
mkdir $IMAGE_ROOTFS/var/branding
mkdir -p $IMAGE_ROOTFS/var/rootdirs/opt
ln -snf --relative $IMAGE_ROOTFS/var/branding $IMAGE_ROOTFS/var/rootdirs/opt/branding
- |-
cat /dev/null > $IMAGE_ROOTFS/etc/resolv.conf
- |-
cat /dev/null > $IMAGE_ROOTFS/etc/apt/sources.list
- |-
# Only used for running build-image
rm -f etc/dpkg/dpkg.cfg.d/unsafe-io
- |-
# There is ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi from parent linux installed
# For secure boot feature, it should be replaced with the right one
if [ "$EFI_SECURE_BOOT" = enable ]; then
install -m 0644 ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi
fi
environments:
- NO_RECOMMENDATIONS="1"
- DEBIAN_FRONTEND=noninteractive
- KERNEL_PARAMS=crashkernel=2048M apparmor=0 security=apparmor
ostree:
ostree_use_ab: '0'
ostree_osname: debian
ostree_skip_boot_diff: '2'
ostree_remote_url: ''
ostree_install_device: '/dev/sda'
OSTREE_GRUB_USER: root
OSTREE_GRUB_PW_FILE: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/ostree_grub_pw
OSTREE_FDISK_BLM: 2506
OSTREE_FDISK_BSZ: 512
OSTREE_FDISK_RSZ: 20480
OSTREE_FDISK_VSZ: 20480
OSTREE_FDISK_FSZ: 32
OSTREE_CONSOLE: console=ttyS0,115200
debootstrap-key: ''
apt-keys:
- /opt/LAT/pubkey.rsa
iso-grub-entry: |
submenu 'UEFI Debian Controller Install' --unrestricted --id=standard {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
initrd @INITRD@
}
}
submenu 'UEFI Debian All-in-one Install' --unrestricted --id=aio {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
initrd @INITRD@
}
}
submenu 'UEFI Debian All-in-one (lowlatency) Install' --unrestricted --id=aio-lowlat {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 1200
linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime console=tty1
initrd @INITRD@
}
}
iso-syslinux-entry: |
menu start
ontimeout 1
menu begin
menu title Debian Controller Install
menu default
label 1
menu label Serial Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
label 2
menu label Graphical Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
menu end
menu begin
menu title Debian All-in-one Install
label 3
menu label Serial Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
label 4
menu label Graphical Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
menu end
menu begin
menu title Debian All-in-one (lowlatency) Install
label 5
menu label Serial Console
kernel /bzImage-rt
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64
label 6
menu label Graphical Console
kernel /bzImage-rt
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 console=tty1
menu end
iso-post-script: |
cd ${ISO_DIR}
# 0. Prepare
# According to `multiple-kernels' in lat yaml, install std
# or rt kernel to ISO
for k in ${OSTREE_MULTIPLE_KERNELS}; do
if [ "${k%%-rt-amd64}" != "${k}" ]; then
cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-rt
if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-rt.sig
fi
else
cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-std
if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-std.sig
fi
fi
done
# 1. Kickstart
mkdir -p kickstart
# 1.1 Kickstart example for PXE
cat << ENDOF > kickstart/pxe-ks.cfg
lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0
ENDOF
# 1.2 Kickstart example for ISO
cat << ENDOF > kickstart/iso-ks.cfg
lat-disk --install-device=/dev/sda
ENDOF
# 1.3 Kickstart from image rootfs (provided by package platform-kickstarts)
if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg ]; then
cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg kickstart/
fi
if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg ]; then
cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg kickstart/
fi
if [ -d $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos ]; then
cp -r $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos kickstart/
fi
# 2. PXE
mkdir -p pxeboot/pxelinux.cfg
# 2.1 Kernel and initramfs
install -m 644 bzImage* pxeboot
install -m 644 initrd* pxeboot
# 2.2 Bootloader
# 2.2.1 Legacy BIOS PXE
cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/
cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default
for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do
cp isolinux/$f pxeboot/
done
# 2.2.2 EFI PXE
cp -a EFI pxeboot
if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
cp ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
fi
# 2.3 Edit grub.cfg and pxelinux.cfg/default
# 2.3.1 Drop to install from local ostree repo
sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.2 Install from remote ostree repo
sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.3 Configure kickstart url
BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg"
# 2.3.4 Verbose installation
#BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
# 2.3.5 Update boot params
sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.6 Add `Boot from hard drive' entry to grub.cfg
cat <<ENDOF>> pxeboot/EFI/BOOT/grub.cfg
export skip_check_cfg
menuentry 'UEFI Boot from hard drive' {
search --set=root --label otaefi
configfile /efi/boot/grub.cfg
}
ENDOF
# 2.4 Tweak PXE if EFI secure boot enabled
if [ "$EFI_SECURE_BOOT" = enable ]; then
# On some host, PXE make bootx64.efi search grubx64.efi
# from tftp/ dir other than tftp/EFI/BOOT/
install -m 0644 EFI/BOOT/grubx64.efi pxeboot/
# Resign grub.cfg
rm pxeboot/EFI/BOOT/grub.cfg.sig
echo 'SecureCore' | gpg --pinentry-mode loopback \
--batch \
--homedir /tmp/.lat_gnupg_root \
-u SecureBootCore \
--detach-sign \
--passphrase-fd 0 \
pxeboot/EFI/BOOT/grub.cfg
fi
# 2.5 copy pxeboot config template files to pxeboot/pxelinux.cfg
mkdir -p pxeboot/pxelinux.cfg.files
cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxe-* pxeboot/pxelinux.cfg.files/
cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxe-* pxeboot/pxelinux.cfg.files/
# 2.6 upgrades directory and upgrade meta files
RELEASE_VER=$(cat ${IMAGE_ROOTFS}/etc/build.info | grep SW_VERSION | cut -f2 -d'=' | tr -d '"')
mkdir -p upgrades
cp ${IMAGE_ROOTFS}/etc/pxeboot-update-${RELEASE_VER}.sh upgrades/
cp ${IMAGE_ROOTFS}/usr/sbin/deploy-precheck upgrades/
cp ${IMAGE_ROOTFS}/usr/sbin/upgrade_utils.py upgrades/
cp ${IMAGE_ROOTFS}/opt/upgrades/import.sh upgrades/
cp ${IMAGE_ROOTFS}/opt/upgrades/metadata.xml upgrades/
cp ${IMAGE_ROOTFS}/usr/sbin/usm_load_import upgrades/
sed -i "s/xxxSW_VERSIONxxx/${RELEASE_VER}/g" upgrades/metadata.xml
mkdir -p patches
cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml upgrades/
cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml patches/
echo -n "VERSION=${RELEASE_VER}" > upgrades/version
mkdir -p upgrades/software-deploy
# Copy all software-deploy scripts to upgrades/software-deploy in ISO
cp ${IMAGE_ROOTFS}/usr/sbin/software-deploy/* upgrades/software-deploy/
# 3. ISO
# 3.1 Edit grub.cfg and isolinux.cfg
# 3.1.1 Configure local kickstart url and LVM root and fluxdata device
BOOT_PARAMS="ks=file:///kickstart/kickstart.cfg"
BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_root=/dev/mapper/cgts--vg-root--lv"
BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_var=/dev/mapper/cgts--vg-var--lv"
# 3.1.2 Verbose installation
#BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
# 3.1.3 Update boot params
sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \
EFI/BOOT/grub.cfg \
isolinux/isolinux.cfg
# According to `default-kernel' in lat yaml, set which
# bootloader menu entry to boot
sed -i "s/^DEFAULT .*//g" \
isolinux/isolinux.cfg
if [ "${OSTREE_DEFAULT_KERNEL%%-rt-amd64}" != "${OSTREE_DEFAULT_KERNEL}" ]; then
# Boot rt kernel by default
sed -i "s/ set default=.*/ set default=2/g" \
EFI/BOOT/grub.cfg
else
# Boot std kernel by default
sed -i "s/ set default=.*/ set default=0/g" \
EFI/BOOT/grub.cfg
fi
# 3.2 Resign grub.cfg if EFI secure boot enabled
if [ "$EFI_SECURE_BOOT" = enable ]; then
rm EFI/BOOT/grub.cfg.sig
echo 'SecureCore' | gpg --pinentry-mode loopback \
--batch \
--homedir /tmp/.lat_gnupg_root \
-u SecureBootCore \
--detach-sign \
--passphrase-fd 0 \
EFI/BOOT/grub.cfg
fi
# Update the grub.cfg in efi.img according to above setting.
# Don't update grub.cfg.sig because the grub.cfg signature checking
# has been omitted.
mdel -i efi.img ::/EFI/BOOT/grub.cfg
mcopy -i efi.img EFI/BOOT/grub.cfg ::/EFI/BOOT/
# Put the controller-0 pxeboot install grub menu samples and
# setup script into a new the ISO's pxeboot/samples directory.
install -v -d -m 0755 pxeboot/samples
install -m 0555 ${IMAGE_ROOTFS}/usr/sbin/pxeboot_setup.sh pxeboot/samples
echo "See pxeboot_setup.sh --help for usage details" > pxeboot/samples/README
install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxeboot.cfg.debian pxeboot/samples
install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxeboot.cfg.debian pxeboot/samples
# Added CERTS into efi.img
if [ "$EFI_SECURE_BOOT" = enable ]; then
mmd -i efi.img ::/CERTS
mcopy -i efi.img -s /localdisk/CERTS/* ::/CERTS/
mkdir images
ln -snf ../efi.img images/efiboot.img
fi
# Generate package list file in the iso root
echo "Verifying package list for ${IMAGE_NAME}"
if [ -f "/localdisk/workdir/${IMAGE_NAME}/packages.yaml" ]; then
echo "Copying ISO package list"
cp /localdisk/workdir/${IMAGE_NAME}/packages.yaml sw_package_list.yaml
fi
initramfs-sign-script: |
echo "End of initramfs-sign-script!"
multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64
default-kernel: vmlinuz-*[!t]-amd64
system:
- contains:
- /localdisk/deploy/lat-initramfs.yaml