Commit Graph

98 Commits

Author SHA1 Message Date
James Le Cuirot
e50fe0a7e4
sys-firmware/edk2-aarch64: Drop in favour of edk2-bin
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2024-11-12 12:01:58 +00:00
James Le Cuirot
d1ba9b19fb
Switch from raw (.fd) EDK2 firmware images to QCOW2, plus 4MB on amd64
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.

Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2024-11-12 11:59:40 +00:00
Mathieu Tortuyaux
c80760c999
Merge pull request #1783 from flatcar/kai/proxmox-support
OEM: Provide Proxmox images
2024-11-12 12:52:31 +01:00
Mathieu Tortuyaux
6e674b26d3
oem: provide proxmox images
Co-authored-by: Kai Lüke <pothos@users.noreply.github.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-11-12 12:51:36 +01:00
James Le Cuirot
fb3c9cff98
sys-boot/grub: Apply Red Hat's large patch set (and drop Gentoo's)
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.

We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2024-11-07 14:26:04 +00:00
Stephan Fudeus
e4c8caa0ad coreos-modules: Enable kernel-module for mpi3mr 2024-10-02 18:08:46 +02:00
Jeremi Piotrowski
7b8f43756c changelog: Add entry for kernel lockdown changes
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2024-09-17 11:01:06 +02:00
Thilo Fromm
32c40fa1cb
oem-azure: add hyperv daemons (#2309)
* oem-azure: add hyperv daemons

This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.

The daemons, though userspace programs, are built from the kernel sources
as they are included in the Linux kernel.

As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.

Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-09-12 16:37:25 +02:00
Krzesimir Nowak
f3f51ed2d8 changelog: Add an entry 2024-09-05 15:07:23 +02:00
Krzesimir Nowak
a4ace4e43a changelog: Add an entry 2024-09-02 14:05:56 +02:00
Krzesimir Nowak
559464c489 changelog: Add an entry 2024-08-09 14:12:27 +02:00
Mathieu Tortuyaux
fd2c1a809d
Merge pull request #2141 from flatcar/tormath1/hetzner
coreos-base/afterburn: pull Hetzner patches
2024-07-30 16:09:33 +02:00
Mickaël Salaün
b2be807349
sys-kernel/coreos-modules: Enable Landlock
Landlock is a feature to create security sandboxes thanks to 3 dedicated
system calls.  They are designed to be safe to use by any process,
which can only drop its privileges, similarly to seccomp.

The new Landlock LSM is built in the kernel (CONFIG_SECURITY_LANDLOCK=y)
but it is not enough to make it usable by default.  As a stackable LSM,
it is required to enable it at boot time with the CONFIG_LSM list.  See
https://docs.kernel.org/userspace-api/landlock.html#kernel-support

As for other stackable LSMs, prepending Landlock to the default LSM list
enables users to potentially get more protection by default by letting
programs sandbox themselves.

As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-07-29 15:10:55 +02:00
Mathieu Tortuyaux
696f0168fd
changelog: add entries
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-07-23 12:01:30 +02:00
James Le Cuirot
1d7d53fad9
Upgrade to Catalyst 4
Catalyst 4 has totally changed the way repositories are handled. It only
works when the name of the directory containing the repository matches
the configured name of that repository. This was not the case for us,
with the coreos repository residing in the coreos-overlay directory. We
wanted to move and rename our repositories anyway, but this is a big
change, so we'll do that separately. For now, this just renames coreos to
coreos-overlay.

Catalyst 4 also ingests the main repository snapshot as a squashfs
rather than a tarball. It features a utility to generate such a
snapshot, but it doesn't fit Flatcar well, particularly because it
expects each ebuild repository to reside at the top level of its own git
repository. It was very easy to call tar2sqfs manually though.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2024-07-15 14:27:59 +01:00
Adrian Vladu
6fbfa5c034 grub_install: add changelog for the file removals
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2024-06-21 11:10:20 +03:00
Mathieu Tortuyaux
101ef8c4f3
changelog: add entry
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-06-19 15:38:03 +02:00
Mathieu Tortuyaux
5f151a08bc
Merge pull request #1979 from JeWe37/python-sysext
sysext: Add python sysext
2024-06-10 14:26:52 +02:00
Alejandro Ripoll
68cf358c8f OpenStack: Changed metadata hostname source order
Change `flatcar-openstack-hostname.service` to use afterburn `openstack` provider implemented on coreos/afterburn#462 instead of `openstack-metadata`.
BootEngine PR: flatcar/bootengine#96
2024-06-03 14:18:19 +02:00
Jendrik Weise
64c9ed5820 sysext: Add python sysext
Minimal sysext containing dev-lang/python and dev-python/pip.
Enabled ensurepip for python and added required packages from Gentoo.
2024-05-29 19:18:18 +02:00
Krzesimir Nowak
f1636fc6de changelog: Add an entry 2024-05-23 11:19:30 +02:00
Jendrik Weise
cd849d6849 sysext: Add podman sysext
Enabled user session dbus in base image to support podman rootless mode.
Extension images can now be created from multiple packages by separating
them with a comma. The podman sysext includes app-containers/podman and
net-misc/passt.
It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf.
Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.
2024-05-03 22:59:36 +09:00
Adrian Vladu
6efe345d89 image: add kubevirt image build
As Ignition supports KubeVirt, add a custom oem for it and also the
required parts to be able to build an image in .qcow2 format that
is already using internal .qcow2 gzip compression.

Fixes: https://github.com/flatcar/Flatcar/issues/1358

Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2024-04-30 09:19:16 +03:00
Mathieu Tortuyaux
0a7819a5f0
changelog: add entry
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-04-26 09:47:29 +02:00
Jeremi Piotrowski
7a1a004700 changelog: Add entry for azure-nvme-utils 2024-04-24 16:03:31 +00:00
Krzesimir Nowak
413c66fbe3 changelog: Add entries 2024-04-22 16:47:47 +02:00
Julian Tölle
08ba85c6a3 changelog: add entry for hetzner images 2024-04-16 17:08:04 +02:00
Adrian Vladu
ab2cb0fff3 ci-automation/vms: provide Hyper-V images with .zip compression
On Windows, the .bz2 compression format is not supported by native
tooling and external tools like 7zip need to be installed.

Switching to .zip compression, there will be no need for the extra step
of having external tools.

See: https://github.com/flatcar/Flatcar/issues/1009

Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2024-04-11 15:43:07 +03:00
Kai Lueke
f57a928b4a coreos-base/common-oem-files: Enable flatcar.autologin for OpenStack
So far the console in OpenStack (or Brightbox which shares the image)
was not really usable until one issued a reboot to add the autologin in
the GRUB menu.
Add it by default so that one doesn't need this reboot trick.
2024-04-11 16:48:31 +09:00
Kai Lueke
834d32efa8 build_library/grub.cfg: Enable TPM module by default
For binding a secret to the OS we need TPM PCRs that measure the kernel
and boot configuration (UEFI). Used for:
https://github.com/flatcar/flatcar-website/pull/317
2024-04-09 22:17:18 +09:00
Kai Lueke
de4eb8f755 Set up symlinks for same image artifacts to remove qemu/qemu_uefi_secure
The qemu and qemu_uefi_secure images have the same contents as the
qemu_uefi image which wastes space on the release server. A similar
case is the PXE vmlinuz which is the same as the regular one, too.

Set up symlinks for same images, and also detect this when compressing
to set up symlinks there as well. To reduce complexity, the qemu and
qemu_uefi_secure images are not supported anymore and the Jenkins or
GitHub CI will skip over them if specified. Users that build their own
images need to adapt, though.
2024-04-09 15:09:29 +02:00
Adrian Vladu
7d4917d67c image_to_vm: add support for hyper-v vhdx format
Add support for Gen 2 Hyper-V VMs.

The `./image_to_vm` tool now has a new supported format: `hyperv_vhdx`,
which produces .vhdx dynamic disks.

How to use:

```bash
 ./image_to_vm.sh --from ../build/images/amd64-usr/developer-latest/ --format hyperv_vhdx
```

See: https://github.com/flatcar/Flatcar/issues/1009

Uses PR: https://github.com/flatcar/bootengine/pull/92

Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2024-04-09 10:52:06 +03:00
Kai Lueke
7379db37e8 vm_image_util.sh: Bump default VM memory to 2 GB
While Flatcar itself runs fine with 1 GB, many workloads do not and
having to debug this is time consuming when one forgets to bump the VM
memory, e.g., in the Qemu script.
Default to 2 GB as known-good setting for things like Kubernetes or
setting up LUKS devices.
2024-04-04 12:55:37 +09:00
Kai Lueke
6d01140927 app-emulation/actool,acbuild: Remove actool and acbuild
Both actool and acbuild upstream are deprecated and probably not in
use anymore.
Remove actool from the image and acbuild from the SDK.
2024-04-03 16:18:56 +09:00
Jeremi Piotrowski
dd9e0303c4
Merge pull request #1792 from flatcar/jepio/clock
NTP/PTP by default on Azure/AWS/GCP
2024-03-28 12:14:27 +01:00
Jeremi Piotrowski
d93f0807b0 changelog: Add entry for PTP/NTP changes
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2024-03-28 12:13:48 +01:00
Kai Lueke
44086829b0 sys-kernel/bootengine: Install libcryptsetup-token-systemd-tpm2 plugin
This pulls in https://github.com/flatcar/bootengine/pull/93
to support systemd-cryptenroll for the rootfs with TPMs.
2024-03-28 16:55:19 +09:00
Henrik Schmidt
1bd8373430 Changelog: sys-kernel/coreos-modules: Enable CONFIG_IGC=y 2024-03-26 00:45:51 +09:00
Jeremi Piotrowski
7b937f2ddb
Merge pull request #1770 from flatcar/jepio/amd-pstate
sys-kernel/coreos-modules: Enable CONFIG_X86_AMD_PSTATE=y
2024-03-19 16:38:54 +01:00
Jeremi Piotrowski
8417eda473 changelog: Add entry for X86_AMD_PSTATE
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2024-03-19 16:38:19 +01:00
Jeremi Piotrowski
b790241057
Merge pull request #1771 from flatcar/multipathd-disable-rt
sys-fs/multipath-tools: Disable realtime scheduling for multipathd
2024-03-19 15:41:07 +01:00
Jeremi Piotrowski
71ffac206b changelog: Add entry for multipath realtime change
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2024-03-19 14:37:04 +00:00
Simon Campion
2a5917deb9 changelog: add entry for disk encryption 2024-03-14 12:09:16 +01:00
Kai Lüke
e5867917ec
Merge pull request #1742 from flatcar/jepio/zfs-sysext
Build ZFS sysext with each release
2024-03-13 23:24:30 +01:00
Jeremi Piotrowski
3aa9cd21ac changelog: Add entry for zfs sysext
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2024-03-13 23:23:44 +01:00
Adrian Vladu
89cca15171
Merge pull request #1734 from flatcar/ader1990/decrease_initrd_size_v1
initrd_size_decrease: remove mlxsw_spectrum/mlxsw_core kernel modules
2024-03-12 19:36:29 +02:00
Adrian Vladu
3da9f859be initrd_size_decrease: remove mlxsw_spectrum/mlxsw_core kernel modules
This commit is part of the effort to decrease the initrd size:
Partially-Fixes: https://github.com/flatcar/Flatcar/issues/1381

Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
2024-03-12 16:51:35 +00:00
Mathieu Tortuyaux
fab18fdb42
changelog: add entry
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-03-05 13:51:07 +01:00
Sayan Chowdhury
0fc380cf21 sys-boot/shim: Add the changelog for shim upgrade, and secureboot
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2024-02-26 15:46:12 +01:00
Mathieu Tortuyaux
ea3d0cf1c4
changelog: add entry
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2024-02-23 14:33:29 +01:00