starlingx/tools
Code Issues Proposed changes
46647df7db
tools/debian-mirror-tools/config/debian/common/base-bullseye.yaml

411 lines
14 KiB
YAML
Raw Blame History

---
name: starlingx
machine: intel-x86-64
image_type:
- iso
- ostree-repo
debootstrap-mirror: http://deb.debian.org/debian
package_feeds: []
package_type: external-debian
wic:
OSTREE_WKS_BOOT_SIZE: ''
OSTREE_WKS_EFI_SIZE: --size=32M
OSTREE_WKS_ROOT_SIZE: ''
OSTREE_WKS_FLUX_SIZE: ''
OSTREE_FLUX_PART: fluxdata
gpg:
gpg_path: /tmp/.lat_gnupg_root
ostree:
gpgid: Wind-River-Linux-Sample
gpgkey: $OECORE_NATIVE_SYSROOT/usr/share/genimage/rpm_keys/RPM-GPG-PRIVKEY-Wind-River-Linux-Sample
gpg_password: windriver
grub:
BOOT_GPG_NAME: SecureBootCore
BOOT_GPG_PASSPHRASE: SecureCore
BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys
BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore
BOOT_SINGED_SHIM: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64.efi
BOOT_SINGED_SHIMTOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/mmx64.efi
BOOT_SINGED_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grubx64.efi
BOOT_EFITOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/LockDown.efi
BOOT_GRUB_CFG: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grub.cfg
BOOT_NOSIG_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi
EFI_SECURE_BOOT: enable
packages: []
external-packages: []
include-default-packages: '0'
rootfs-pre-scripts:
- |
# The StarlingX customize pacakges includes:
# - ostree 2019.1
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF
set -e
# Speed up apt/dpkg used for running build-image
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/unsafe-io
apt update
apt install -y --no-install-recommends linux-image-5.10.0-6-amd64-unsigned linux-rt-image-5.10.0-6-rt-amd64-unsigned grub-common
apt install -y --allow-downgrades --allow-unauthenticated --no-install-recommends ostree ostree-boot libostree-1-1 ostree-upgrade-mgr
apt install --no-install-recommends -y ifupdown
apt install -y bc vim uuid-runtime iputils-ping
SCRIPT_ENDOF
- |
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF
groupadd nobody
SCRIPT_ENDOF
- |-
# FIXME: openstack-dashboard will not install without this due to
# FileNotFoundError: [Errno 2] No such file or directory: '/etc/platform/platform.conf'
# dpkg: error processing package openstack-dashboard (--configure):
mkdir -p -m 0775 $IMAGE_ROOTFS/etc/platform
cat << SCRIPT_ENDOF > $IMAGE_ROOTFS/etc/platform/platform.conf
SCRIPT_ENDOF
rootfs-post-scripts:
- |-
# Remove user admin whether it exists or not
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS deluser admin || true
- |-
# Set password 'root' to root"
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS usermod -p '$6$hEv/K.fPeg/$ezIWhJPrMG3WtdEwqQRdyBwdYmPZkqW2PONFAcDd6TqWliYc9dHAwW4MFTlLanVH3/clE0/34FheDMpbAqZVG.' root;
- |-
# Set bash as default shell
ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh
- |-
# Allow root ssh login
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
- |-
# Setup the sysadmin user and force the user to change the password
# on first login.
# Lock the root account
export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
chroot $IMAGE_ROOTFS useradd sysadmin -m --shell /bin/bash -G sudo --password 4SuW8cnXFyxsk
chroot $IMAGE_ROOTFS chage -d 0 sysadmin
# chroot $IMAGE_ROOTFS passwd -l root
- |-
# FIXME: OSTree will not set up a link to scratch automagically. Need to
# relocate scratch to a more ostree friendly locale
mkdir $IMAGE_ROOTFS/var/rootdirs/scratch
ln -snf --relative $IMAGE_ROOTFS/var/rootdirs/scratch $IMAGE_ROOTFS/scratch
- |-
cat /dev/null > $IMAGE_ROOTFS/etc/resolv.conf
- |-
# Work around to fix the failing systemd-sysusers.service job at boot
chroot $IMAGE_ROOTFS /usr/sbin/grpconv
- |-
# Only used for running build-image
rm -f etc/dpkg/dpkg.cfg.d/unsafe-io
environments:
- NO_RECOMMENDATIONS="1"
- DEBIAN_FRONTEND=noninteractive
- KERNEL_PARAMS=crashkernel=2048M apparmor=0 security=apparmor
ostree:
ostree_use_ab: '0'
ostree_osname: debian
ostree_skip_boot_diff: '2'
ostree_remote_url: ''
ostree_install_device: '/dev/sda'
OSTREE_GRUB_USER: root
OSTREE_GRUB_PW_FILE: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/ostree_grub_pw
OSTREE_FDISK_BLM: 2506
OSTREE_FDISK_BSZ: 512
OSTREE_FDISK_RSZ: 20480
OSTREE_FDISK_VSZ: 20480
OSTREE_FDISK_FSZ: 32
OSTREE_CONSOLE: console=ttyS0,115200
debootstrap-key: ''
apt-keys:
- /opt/LAT/pubkey.rsa
iso-grub-entry: |
submenu 'UEFI Debian Controller Install' --unrestricted --id=standard {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
initrd @INITRD@
}
}
submenu 'UEFI Debian All-in-one Install' --unrestricted --id=aio {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
initrd @INITRD@
}
}
submenu 'UEFI Debian All-in-one (lowlatency) Install' --unrestricted --id=aio-lowlat {
menuentry 'Serial Console' --unrestricted --id=serial {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime
initrd @INITRD@
}
menuentry 'Graphical Console' --unrestricted --id=graphical {
set fallback=1
efi-watchdog enable 0 180
linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime console=tty1
initrd @INITRD@
}
}
iso-syslinux-entry: |
menu start
ontimeout LABEL
menu begin
menu title Debian Controller Install
label 1
menu label Serial Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
label 2
menu label Graphical Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
menu end
menu begin
menu title Debian All-in-one Install
menu DEFAULT-STD
label 3
menu label Serial Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
label 4
menu label Graphical Console
kernel /bzImage-std
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
menu end
menu begin
menu title Debian All-in-one (lowlatency) Install
menu DEFAULT-RT
label 5
menu label Serial Console
kernel /bzImage-rt
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64
label 6
menu label Graphical Console
kernel /bzImage-rt
ipappend 2
append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 console=tty1
menu end
iso-post-script: |
cd ${ISO_DIR}
# 0. Prepare
# According to `multiple-kernels' in lat yaml, install std
# or rt kernel to ISO
for k in ${OSTREE_MULTIPLE_KERNELS}; do
if [ "${k%%-rt-amd64}" != "${k}" ]; then
cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-rt
if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-rt.sig
fi
else
cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-std
if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-std.sig
fi
fi
done
# 1. Kickstart
mkdir -p kickstart
# 1.1 Kickstart example for PXE
cat << ENDOF > kickstart/pxe-ks.cfg
lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0
ENDOF
# 1.2 Kickstart example for ISO
cat << ENDOF > kickstart/iso-ks.cfg
lat-disk --install-device=/dev/sda
ENDOF
# 1.3 Kickstart from image rootfs (provided by package platform-kickstarts)
if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart.cfg ]; then
cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart.cfg kickstart/
fi
if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/miniboot.cfg ]; then
cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/miniboot.cfg kickstart/
fi
# 2. PXE
mkdir -p pxeboot/pxelinux.cfg
# 2.1 Kernel and initramfs
install -m 644 bzImage* pxeboot
install -m 644 initrd* pxeboot
# 2.2 Bootloader
# 2.2.1 Legacy BIOS PXE
cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/
cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default
for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do
cp isolinux/$f pxeboot/
done
# 2.2.2 EFI PXE
cp -a EFI pxeboot
if [ -e $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
cp $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
fi
# 2.3 Edit grub.cfg and pxelinux.cfg/default
# 2.3.1 Drop to install from local ostree repo
sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.2 Install from remote ostree repo
sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.3 Configure kickstart url
BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg"
# 2.3.4 Verbose installation
#BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
# 2.3.5 Update boot params
sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \
pxeboot/EFI/BOOT/grub.cfg \
pxeboot/pxelinux.cfg/default
# 2.3.6 Add `Boot from hard drive' entry to grub.cfg
cat <<ENDOF>> pxeboot/EFI/BOOT/grub.cfg
export skip_check_cfg
menuentry 'UEFI Boot from hard drive' {
search --set=root --label otaefi
configfile /efi/boot/grub.cfg
}
ENDOF
# 2.4 Tweak PXE if EFI secure boot enabled
if [ "$EFI_SECURE_BOOT" = enable ]; then
# On some host, PXE make bootx64.efi search grubx64.efi
# from tftp/ dir other than tftp/EFI/BOOT/
install -m 0644 EFI/BOOT/grubx64.efi pxeboot/
# Resign grub.cfg
rm pxeboot/EFI/BOOT/grub.cfg.sig
echo 'SecureCore' | gpg --pinentry-mode loopback \
--batch \
--homedir /tmp/.lat_gnupg_root \
-u SecureBootCore \
--detach-sign \
--passphrase-fd 0 \
pxeboot/EFI/BOOT/grub.cfg
fi
# 2.5 copy pxeboot config template files to pxeboot/pxelinux.cfg
mkdir -p pxeboot/pxelinux.cfg.files
cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxe-* pxeboot/pxelinux.cfg.files/
cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxe-* pxeboot/pxelinux.cfg.files/
# 2.6 upgrades directory and upgrade meta files
RELEASE_VER=$(cat ${IMAGE_ROOTFS}/etc/build.info | grep SW_VERSION | cut -f2 -d'=' | tr -d '"')
mkdir -p upgrades
cp ${IMAGE_ROOTFS}/usr/sbin/pxeboot-update-${RELEASE_VER}.sh upgrades/
cp ${IMAGE_ROOTFS}/opt/upgrades/import.sh upgrades/
cp ${IMAGE_ROOTFS}/opt/upgrades/metadata.xml upgrades/
sed -i "s/xxxSW_VERSIONxxx/${RELEASE_VER}/g" upgrades/metadata.xml
echo -n "VERSION=${RELEASE_VER}" > upgrades/version
# 3. ISO
# 3.1 Edit grub.cfg and isolinux.cfg
# 3.1.1 Configure local kickstart url
BOOT_PARAMS="ks=file:///kickstart/kickstart.cfg"
# 3.1.2 Verbose installation
#BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
# 3.1.3 Update boot params
sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \
EFI/BOOT/grub.cfg \
isolinux/isolinux.cfg
# According to `default-kernel' in lat yaml, set which
# bootloader menu entry to boot
sed -i "s/^DEFAULT .*//g" \
isolinux/isolinux.cfg
if [ "${OSTREE_DEFAULT_KERNEL%%-rt-amd64}" != "${OSTREE_DEFAULT_KERNEL}" ]; then
# Boot rt kernel by default
sed -i "s/ set default=.*/ set default=2/g" \
EFI/BOOT/grub.cfg
sed -i "s/menu DEFAULT-STD//g" \
isolinux/isolinux.cfg
sed -i "s/menu DEFAULT-RT/menu default/g" \
isolinux/isolinux.cfg
sed -i "s/ontimeout LABEL/ontimeout 5/g" \
isolinux/isolinux.cfg
else
# Boot std kernel by default
sed -i "s/ set default=.*/ set default=1/g" \
EFI/BOOT/grub.cfg
sed -i "s/menu DEFAULT-STD/menu default/g" \
isolinux/isolinux.cfg
sed -i "s/menu DEFAULT-RT//g" \
isolinux/isolinux.cfg
sed -i "s/ontimeout LABEL/ontimeout 3/g" \
isolinux/isolinux.cfg
fi
# 3.2 Resign grub.cfg if EFI secure boot enabled
if [ "$EFI_SECURE_BOOT" = enable ]; then
rm EFI/BOOT/grub.cfg.sig
echo 'SecureCore' | gpg --pinentry-mode loopback \
--batch \
--homedir /tmp/.lat_gnupg_root \
-u SecureBootCore \
--detach-sign \
--passphrase-fd 0 \
EFI/BOOT/grub.cfg
fi
# Put the controller-0 pxeboot install grub menu samples and
# setup script into a new the ISO's pxeboot/samples directory.
install -v -d -m 0755 pxeboot/samples
install -m 0555 ${IMAGE_ROOTFS}/usr/sbin/pxeboot_setup.sh pxeboot/samples
echo "See pxeboot_setup.sh --help for usage details" > pxeboot/samples/README
install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxeboot.cfg.debian pxeboot/samples
install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxeboot.cfg.debian pxeboot/samples
multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64
default-kernel: vmlinuz-*[!t]-amd64
system:
- contains:
- /localdisk/deploy/lat-initramfs.yaml
View Git Blame Copy Permalink