---
# Image definition for the StarlingX Debian build. Script comments further
# down refer to this file as the "lat yaml", so the consumer is presumably the
# LAT image tool - confirm against the build that loads it.
name: starlingx
machine: intel-x86-64
# Artifacts requested from the build: an ISO and an ostree repository.
image_type:
- iso
- ostree-repo
debootstrap-mirror: deb-merge-all
# Empty list: no package feeds are declared in this file.
package_feeds: []
package_type: external-debian
# Partition sizing options. Three of the four size values are empty strings;
# presumably that leaves the tool's defaults in effect - confirm.
wic:
  OSTREE_WKS_BOOT_SIZE: ''
  OSTREE_WKS_EFI_SIZE: --size=32M
  OSTREE_WKS_ROOT_SIZE: ''
  OSTREE_WKS_FLUX_SIZE: ''
  OSTREE_FLUX_PART: fluxdata
# Signing configuration for the ostree repo and the boot chain.
# NOTE(review): key names, key paths and both passphrases are stored here in
# plaintext, so anyone who can read this file (or the repository holding it)
# can sign with these keys. For a production build, supply the keys and
# passphrases from a secret store or build-time environment instead.
gpg:
  # GnuPG home directory. iso-post-script passes this same path to
  # `gpg --homedir`.
  # NOTE(review): it lives under /tmp. Whatever creates it (not shown here)
  # should make it mode 0700 and owned by the build user, because it holds
  # private signing keys.
  gpg_path: /tmp/.lat_gnupg_root
  ostree:
    # NOTE(review): the key id and the key file name both say "Sample", and the
    # private key is read from the tool's native sysroot. That looks like a
    # demo key distributed with the tooling - confirm. A signature made with a
    # private key that others can obtain does not prove where a commit came
    # from; replace it before shipping images.
    gpgid: Wind-River-Linux-Sample
    gpgkey: $OECORE_NATIVE_SYSROOT/usr/share/genimage/rpm_keys/RPM-GPG-PRIVKEY-Wind-River-Linux-Sample
    gpg_password: windriver
  grub:
    # NOTE(review): iso-post-script repeats this key name and passphrase as
    # literals in its `gpg --detach-sign` calls, so changing them here alone
    # does not change what the script uses.
    BOOT_GPG_NAME: SecureBootCore
    BOOT_GPG_PASSPHRASE: SecureCore
    BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys
    BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore
    # "SINGED" (sic) is part of the key names below; presumably the consumer
    # looks them up under exactly this spelling, so do not correct it here.
    BOOT_SINGED_SHIM: $IMAGE_ROOTFS/usr/lib/shim/bootx64.efi
    BOOT_SINGED_SHIMTOOL: $IMAGE_ROOTFS/usr/lib/shim/mmx64.efi
    BOOT_SINGED_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grubx64.efi
    BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
    BOOT_GRUB_CFG: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grub.cfg
    BOOT_NOSIG_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/bootx64-nosig.efi
    # The hook scripts in this file test "$EFI_SECURE_BOOT" = enable
    # (presumably this value, exported to them). With `disable`, their
    # secure-boot branches, including the grub.cfg re-signing, are skipped.
    EFI_SECURE_BOOT: disable
# No packages are listed in this file; both lists are explicitly empty.
packages: []
external-packages: []
# Quoted, so the value is the string '0' rather than an integer.
include-default-packages: '0'
# Shell snippets for the rootfs-pre-scripts hook. The single entry chroots
# into $IMAGE_ROOTFS and, inside it, enables dpkg force-unsafe-io, installs the
# std and rt kernel images, grub-common, the ostree packages and a few
# utilities with apt, then moves the dpkg database under /usr and leaves a
# relative symlink at /var/lib/dpkg.
#
# NOTE(review): the ostree install line passes --allow-unauthenticated (and
# --allow-downgrades). apt then installs those packages even when they cannot
# be authenticated, so a substituted or tampered package in the feed would be
# installed without complaint and end up in every image. Prefer signing the
# feed that carries them and trusting its key (the `apt-keys` entry in this
# file looks like the mechanism for that - confirm), then drop the flag.
#
# NOTE(review): the heredoc delimiter SCRIPT_ENDOF is unquoted, so the outer
# shell expands any variable or command substitution in the body before the
# chrooted bash reads it. The current body contains none; keep that in mind
# when adding lines.
#
# NOTE(review): the unsafe-io file written here is meant to be temporary; the
# rootfs-post-scripts entry commented "Only used for running build-image" is
# the one that removes it.
rootfs-pre-scripts:
- |
  # The StarlingX customize pacakges includes:
  # - ostree 2019.1
  export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF
  set -e
  # Speed up apt/dpkg used for running build-image
  echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/unsafe-io
  apt update
  apt install -y --no-install-recommends linux-image-stx-amd64 linux-rt-image-stx-amd64 grub-common
  apt install -y --allow-downgrades --allow-unauthenticated --no-install-recommends ostree ostree-boot libostree-1-1 ostree-upgrade-mgr
  apt install --no-install-recommends -y ifupdown
  apt install -y bc vim uuid-runtime iputils-ping
  # Move dpkg database to /usr so it's accessible after the OS /var is
  # mounted, but make a symlink so it works without modifications to
  # dpkg or apt
  mv /var/lib/dpkg /usr/share/dpkg/database
  ln -sr /usr/share/dpkg/database /var/lib/dpkg
  SCRIPT_ENDOF
# Shell snippets for the rootfs-post-scripts hook. Each list entry is a
# separate script; all but one address the image through $IMAGE_ROOTFS.
rootfs-post-scripts:
# Point /bin/sh at bash inside the image.
- |-
  # Set bash as default shell
  ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh
# NOTE(review): this rewrites sshd_config so that every image built from this
# file accepts direct root logins over SSH. Whether password authentication is
# also allowed is not visible here. If root access is only needed during
# bring-up, restrict it afterwards (for example key-only login or disabling it
# in a later configuration step).
- |-
  # Allow root ssh login
  export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
# Create /var/rootdirs/scratch and make /scratch a relative symlink to it.
# mkdir is called without -p, so it reports an error if the directory exists.
- |-
  # FIXME: OSTree will not set up a link to scratch automagically. Need to
  # relocate scratch to a more ostree friendly locale
  mkdir $IMAGE_ROOTFS/var/rootdirs/scratch
  ln -snf --relative $IMAGE_ROOTFS/var/rootdirs/scratch $IMAGE_ROOTFS/scratch
# Back the branding directory with /var/branding through a relative symlink
# placed under /var/rootdirs/opt.
- |-
  # Make /opt/branding to writable (To make end-user enable to place their branding archive)
  mkdir $IMAGE_ROOTFS/var/branding
  mkdir -p $IMAGE_ROOTFS/var/rootdirs/opt
  ln -snf --relative $IMAGE_ROOTFS/var/branding $IMAGE_ROOTFS/var/rootdirs/opt/branding
# Truncate resolv.conf in the image, so no resolver settings are shipped.
- |-
  cat /dev/null > $IMAGE_ROOTFS/etc/resolv.conf
# Truncate the apt sources list in the image, so no package sources are
# shipped.
- |-
  cat /dev/null > $IMAGE_ROOTFS/etc/apt/sources.list
# NOTE(review): unlike every other entry, this path is relative and has no
# $IMAGE_ROOTFS prefix. It only removes the file written by rootfs-pre-scripts
# if the hook runs with the rootfs as its working directory - confirm.
# Otherwise force-unsafe-io stays enabled for dpkg in the shipped image.
- |-
  # Only used for running build-image
  rm -f etc/dpkg/dpkg.cfg.d/unsafe-io
# With secure boot enabled, overwrite the PXE copy of grubx64.efi with the one
# from the image's EFI/BOOT directory.
- |-
  # There is ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi from parent linux installed
  # For secure boot feature, it should be replaced with the right one
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    install -m 0644 ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi
  fi
# NAME=value entries; presumably exported to the build and hook scripts -
# confirm.
# NOTE(review): KERNEL_PARAMS carries `apparmor=0`, which turns AppArmor off at
# boot even though `security=apparmor` selects it as the LSM. If these
# parameters reach the installed system's kernel command line, it runs without
# AppArmor confinement; confirm that is intended and covered by other
# controls.
environments:
- NO_RECOMMENDATIONS="1"
- DEBIAN_FRONTEND=noninteractive
- KERNEL_PARAMS=crashkernel=2048M apparmor=0 security=apparmor
# OSTree and installer settings. The quoted values are strings, the
# OSTREE_FDISK_* values are plain integers.
ostree:
  ostree_use_ab: '0'
  ostree_osname: debian
  ostree_skip_boot_diff: '2'
  # Empty here; iso-post-script writes the PXE install URL into the boot
  # configs itself.
  ostree_remote_url: ''
  ostree_install_device: '/dev/sda'
  # NOTE(review): the GRUB user is root and its password comes from a file in
  # the tool's native sysroot, next to the boot keys. If that file is the
  # stock one shipped with the tooling, every image shares a known GRUB
  # credential - confirm and replace it for production images.
  OSTREE_GRUB_USER: root
  OSTREE_GRUB_PW_FILE: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/ostree_grub_pw
  OSTREE_FDISK_BLM: 2506
  OSTREE_FDISK_BSZ: 512
  OSTREE_FDISK_RSZ: 20480
  OSTREE_FDISK_VSZ: 20480
  OSTREE_FDISK_FSZ: 32
  OSTREE_CONSOLE: console=ttyS0,115200
# NOTE(review): empty key. Whether the debootstrap stage then skips
# verification of the mirror's signature cannot be told from this file -
# confirm.
debootstrap-key: ''
# Public key(s) handed to apt; the path is absolute on the build host.
apt-keys:
- /opt/LAT/pubkey.rsa
# GRUB menu text for the ISO: three submenus (controller, all-in-one,
# all-in-one low latency), each with a serial and a graphical console entry.
# The std entries boot /bzImage-std, the low-latency ones /bzImage-rt.
# %BOOT_PARAMS% and @INITRD@ look like placeholders filled in by the tool -
# confirm.
# NOTE(review): every submenu and menuentry is marked --unrestricted, which in
# GRUB means the entry can be booted without authenticating even when a GRUB
# superuser is configured. That is normal for installer media, but it also
# means the GRUB password does not gate starting an install from this ISO.
iso-grub-entry: |
  submenu 'UEFI Debian Controller Install' --unrestricted --id=standard {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
      initrd @INITRD@
    }
  }

  submenu 'UEFI Debian All-in-one Install' --unrestricted --id=aio {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
      initrd @INITRD@
    }
  }

  submenu 'UEFI Debian All-in-one (lowlatency) Install' --unrestricted --id=aio-lowlat {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime console=tty1
      initrd @INITRD@
    }
  }

# Syslinux menu text for legacy BIOS boot, mirroring the GRUB menu: three
# menus with labels 1-6, the controller menu marked as default. The
# low-latency entries here do not carry the efi=runtime argument that the GRUB
# entries have.
# %BOOT_PARAMS% and @INITRD@ look like placeholders filled in by the tool -
# confirm. iso-post-script copies isolinux/isolinux.cfg to
# pxeboot/pxelinux.cfg/default, so if this text ends up in isolinux.cfg it is
# reused for BIOS PXE boot as well.
iso-syslinux-entry: |
  menu start
  ontimeout 1

  menu begin
    menu title Debian Controller Install
    menu default

    label 1
      menu label Serial Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64

    label 2
      menu label Graphical Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
  menu end

  menu begin
    menu title Debian All-in-one Install

    label 3
      menu label Serial Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64

    label 4
      menu label Graphical Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
  menu end

  menu begin
    menu title Debian All-in-one (lowlatency) Install

    label 5
      menu label Serial Console
      kernel /bzImage-rt
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64

    label 6
      menu label Graphical Console
      kernel /bzImage-rt
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 console=tty1
  menu end

# Shell script for the iso-post-script hook. It changes into ${ISO_DIR} and
# then: (0) copies the std/rt kernels and any .sig files, (1) writes kickstart
# examples and copies the packaged ones, (2) builds the pxeboot/ tree and the
# upgrades/ and patches/ directories, (3) edits the ISO boot configs and, with
# secure boot enabled, re-signs grub.cfg, and finally adds samples,
# certificates and the package list.
#
# NOTE(review), using the section numbers from the script's own comments:
# - Whole script: no `set -e` is visible, so a failing cp or sed does not stop
#   the script unless the caller enables it - confirm how the tool runs it.
# - 1.3: `[ -e .../rel-*/... ]` is only well formed while the glob matches at
#   most one path; with two release directories `[` receives extra arguments
#   and errors out, and the copy is skipped.
# - 2.3.2 / 2.3.3: PXE installs fetch the ostree repo and the kickstart over
#   plain http from pxecontroller:8080. Nothing here protects that content in
#   transit; it relies on the provisioning network being trusted and on
#   whatever signature checks the installer applies (not visible here).
# - 2.4 / 3.2: the signing passphrase, key name and GnuPG home are repeated as
#   literals instead of coming from BOOT_GPG_PASSPHRASE, BOOT_GPG_NAME and
#   gpg_path under `gpg:`. Rotating those values there alone leaves these
#   commands on the old ones. `rm` is called without -f, so it reports an
#   error when no grub.cfg.sig exists.
# - After 3.2: grub.cfg inside efi.img is replaced but, as the script's own
#   comment says, its signature is not refreshed. Confirm that this copy is
#   really outside the verified boot path when secure boot is enabled.
# - CERTS: taken from /localdisk/CERTS on the build host; what that directory
#   holds is not visible here, so make sure it contains public material only.
iso-post-script: |
  cd ${ISO_DIR}

  # 0. Prepare
  # According to `multiple-kernels' in lat yaml, install std
  # or rt kernel to ISO
  for k in ${OSTREE_MULTIPLE_KERNELS}; do
    if [ "${k%%-rt-amd64}" != "${k}" ]; then
      cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-rt
      if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
        cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-rt.sig
      fi
    else
      cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-std
      if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
        cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-std.sig
      fi
    fi
  done

  # 1. Kickstart
  mkdir -p kickstart
  # 1.1 Kickstart example for PXE
  cat << ENDOF > kickstart/pxe-ks.cfg
  lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0
  ENDOF

  # 1.2 Kickstart example for ISO
  cat << ENDOF > kickstart/iso-ks.cfg
  lat-disk --install-device=/dev/sda
  ENDOF

  # 1.3 Kickstart from image rootfs (provided by package platform-kickstarts)
  if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg ]; then
    cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg kickstart/
  fi

  if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg ]; then
    cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg kickstart/
  fi

  if [ -d $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos ]; then
    cp -r $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos kickstart/
  fi

  # 2. PXE
  mkdir -p pxeboot/pxelinux.cfg

  # 2.1 Kernel and initramfs
  install -m 644 bzImage* pxeboot
  install -m 644 initrd* pxeboot

  # 2.2 Bootloader
  # 2.2.1 Legacy BIOS PXE
  cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/
  cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default
  for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do
    cp isolinux/$f pxeboot/
  done

  # 2.2.2 EFI PXE
  cp -a EFI pxeboot
  if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
    cp ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
  fi

  # 2.3 Edit grub.cfg and pxelinux.cfg/default
  # 2.3.1 Drop to install from local ostree repo
  sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default

  # 2.3.2 Install from remote ostree repo
  sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default

  # 2.3.3 Configure kickstart url
  BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg"

  # 2.3.4 Verbose installation
  #BOOT_PARAMS="${BOOT_PARAMS} instsh=2"

  # 2.3.5 Update boot params
  sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default

  # 2.3.6 Add `Boot from hard drive' entry to grub.cfg
  cat <<ENDOF>> pxeboot/EFI/BOOT/grub.cfg

  export skip_check_cfg
  menuentry 'UEFI Boot from hard drive' {
      search --set=root --label otaefi
      configfile /efi/boot/grub.cfg
  }
  ENDOF

  # 2.4 Tweak PXE if EFI secure boot enabled
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    # On some host, PXE make bootx64.efi search grubx64.efi
    # from tftp/ dir other than tftp/EFI/BOOT/
    install -m 0644 EFI/BOOT/grubx64.efi pxeboot/

    # Resign grub.cfg
    rm pxeboot/EFI/BOOT/grub.cfg.sig
    echo 'SecureCore' | gpg --pinentry-mode loopback \
        --batch \
        --homedir /tmp/.lat_gnupg_root \
        -u SecureBootCore \
        --detach-sign \
        --passphrase-fd 0 \
        pxeboot/EFI/BOOT/grub.cfg
  fi

  # 2.5 copy pxeboot config template files to pxeboot/pxelinux.cfg
  mkdir -p pxeboot/pxelinux.cfg.files
  cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxe-* pxeboot/pxelinux.cfg.files/
  cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxe-* pxeboot/pxelinux.cfg.files/

  # 2.6 upgrades directory and upgrade meta files
  RELEASE_VER=$(cat ${IMAGE_ROOTFS}/etc/build.info | grep SW_VERSION | cut -f2 -d'=' | tr -d '"')
  mkdir -p upgrades
  cp ${IMAGE_ROOTFS}/etc/pxeboot-update-${RELEASE_VER}.sh upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/deploy-precheck upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/upgrade_utils.py upgrades/
  cp ${IMAGE_ROOTFS}/opt/upgrades/import.sh upgrades/
  cp ${IMAGE_ROOTFS}/opt/upgrades/metadata.xml upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/usm_load_import upgrades/
  sed -i "s/xxxSW_VERSIONxxx/${RELEASE_VER}/g" upgrades/metadata.xml
  mkdir -p patches
  cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml upgrades/
  cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml patches/
  echo -n "VERSION=${RELEASE_VER}" > upgrades/version
  mkdir -p upgrades/software-deploy
  # Copy all software-deploy scripts to upgrades/software-deploy in ISO
  cp ${IMAGE_ROOTFS}/usr/sbin/software-deploy/* upgrades/software-deploy/

  # 3. ISO
  # 3.1 Edit grub.cfg and isolinux.cfg
  # 3.1.1 Configure local kickstart url and LVM root and fluxdata device
  BOOT_PARAMS="ks=file:///kickstart/kickstart.cfg"
  BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_root=/dev/mapper/cgts--vg-root--lv"
  BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_var=/dev/mapper/cgts--vg-var--lv"

  # 3.1.2 Verbose installation
  #BOOT_PARAMS="${BOOT_PARAMS} instsh=2"

  # 3.1.3 Update boot params
  sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \
    EFI/BOOT/grub.cfg \
    isolinux/isolinux.cfg

  # According to `default-kernel' in lat yaml, set which
  # bootloader menu entry to boot
  sed -i "s/^DEFAULT .*//g" \
    isolinux/isolinux.cfg

  if [ "${OSTREE_DEFAULT_KERNEL%%-rt-amd64}" != "${OSTREE_DEFAULT_KERNEL}" ]; then
    # Boot rt kernel by default
    sed -i "s/ set default=.*/ set default=2/g" \
      EFI/BOOT/grub.cfg
  else
    # Boot std kernel by default
    sed -i "s/ set default=.*/ set default=0/g" \
      EFI/BOOT/grub.cfg
  fi

  # 3.2 Resign grub.cfg if EFI secure boot enabled
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    rm EFI/BOOT/grub.cfg.sig
    echo 'SecureCore' | gpg --pinentry-mode loopback \
        --batch \
        --homedir /tmp/.lat_gnupg_root \
        -u SecureBootCore \
        --detach-sign \
        --passphrase-fd 0 \
        EFI/BOOT/grub.cfg
  fi

  # Update the grub.cfg in efi.img according to above setting.
  # Don't update grub.cfg.sig because the grub.cfg signature checking
  # has been omitted.
  mdel -i efi.img ::/EFI/BOOT/grub.cfg
  mcopy -i efi.img EFI/BOOT/grub.cfg ::/EFI/BOOT/

  # Put the controller-0 pxeboot install grub menu samples and
  # setup script into a new the ISO's pxeboot/samples directory.
  install -v -d -m 0755 pxeboot/samples
  install -m 0555 ${IMAGE_ROOTFS}/usr/sbin/pxeboot_setup.sh pxeboot/samples
  echo "See pxeboot_setup.sh --help for usage details" > pxeboot/samples/README
  install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxeboot.cfg.debian pxeboot/samples
  install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxeboot.cfg.debian pxeboot/samples

  # Added CERTS into efi.img
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    mmd -i efi.img ::/CERTS
    mcopy -i efi.img -s /localdisk/CERTS/* ::/CERTS/
    mkdir images
    ln -snf ../efi.img images/efiboot.img
  fi

  # Generate package list file in the iso root
  echo "Verifying package list for ${IMAGE_NAME}"
  if [ -f "/localdisk/workdir/${IMAGE_NAME}/packages.yaml" ]; then
    echo "Copying ISO package list"
    cp /localdisk/workdir/${IMAGE_NAME}/packages.yaml sw_package_list.yaml
  fi

# NOTE(review): this hook only prints a message; it performs no signing.
# Whether the initramfs is signed by some other step is not visible in this
# file - confirm before relying on initramfs verification at boot.
initramfs-sign-script: |
  echo "End of initramfs-sign-script!"

# Shell glob patterns for kernel image names. `vmlinuz-*[!t]-amd64` excludes
# names whose character before "-amd64" is "t", which keeps the "-rt-amd64"
# kernel out of the std pattern. iso-post-script reads
# ${OSTREE_MULTIPLE_KERNELS} and ${OSTREE_DEFAULT_KERNEL}, presumably derived
# from these two keys - confirm.
multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64
default-kernel: vmlinuz-*[!t]-amd64
# References another definition file by absolute path on the build host.
system:
- contains:
  - /localdisk/deploy/lat-initramfs.yaml