The final part of the script differed only in the name of the qemu binary
to execute and in the network device driver (virtio-net-pci on amd64 vs
virtio-net-device on arm64). virtio-net-pci seems to be working also
on arm64, so simplify the code to avoid repetition.
There's no need to differentiate between amd64 and arm64 boards here
any more. This also adds the bootindex=1 option to the -device flag, so we
can pass more secondary disks without affecting the boot order.
This version writes fewer temporary files and tries cpio multiple times
for concatenated archives again.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
I couldn't take it anymore! The launcher script could not handle paths
outside the script's own directory, and it was driving me crazy. Now
only the default values are relative to the script's directory. Given
paths are relative to the current directory and absolute paths work as
you would expect.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
On Linux >= 6.10, the first rootfs is an extra ghost rootfs of 336K,
that has a corrupted CPIO.
To overcome this issue, do not fail on `cpio --extract`.
Setting a profile in a newly created sysroot when building native
toolchains broke after an eselect update. Apparently eselect gets the
path to the coreos-overlay repository and then prefixes it with
ROOT. Since ROOT was set to /build/<arch>-usr, the resulting path was
wrong. Fix this by telling eselect where to find our make.profile
symlink in the new sysroot by setting PORTAGE_CONFIGROOT to
/build/<arch>-usr and where to find our profiles by setting ROOT (and
SYSROOT, because it must match ROOT) to /.
This change removes the legacy_boot flag from the EFI system partition.
We already have a BIOS boot partition which should offer compatibility with
legacy BIOS systems.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
Mentions of virtual/rust in some scripts were replaced with
dev-lang/rust-bin. These were usually about skipping the update/build
of the package, and these already contained dev-lang/rust, so added
the -bin variant for completeness.
docs: Add entrance to the changelog about the fix
Update changelog/changes/2025-01-15-qemu-startup-script-comma-fix.md
Co-authored-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>
I know I recently deduplicated the code between extract_update and
generate_update, but now that generate_update will sometimes be
called at a later time, I've realised that it is compressing and
uploading the partition twice.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We would normally remove these for an official build so that the signed
versions can be uploaded later. However, we are not doing that signing
until we pass the shim review.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Apparently `local -x FOO` does not locally export an already existing
variable, but rather does some whole weird lot of nothing - it shadows
an existing variable with a new unset one, but it won't export it
until it gets assigned.
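
The behaviour described in the commit message above, as an added bash example that is not part of the original commit. The values of FOO and the function names are made up, and bash's default settings (no `localvar_inherit`) are assumed.

```shell
#!/usr/bin/env bash
# Added illustration: FOO's values and the function names are made up.

unset FOO
FOO="outer"          # global shell variable, not exported

# What a child process sees as FOO ("<absent>" if not in its environment).
child_view() { sh -c 'printf %s "${FOO-<absent>}"'; }

# `local -x FOO` alone: the new local shadows the global and starts unset,
# so neither the function body nor a child process sees "outer".
shadowed() {
  local -x FOO
  printf '%s|%s' "${FOO-<unset>}" "$(child_view)"
}

# Assigning in the same statement: "$FOO" is expanded before the local
# exists, so the local starts with the outer value and is exported.
exported() {
  local -x FOO="$FOO"
  printf '%s|%s' "$FOO" "$(child_view)"
}

shadowed; echo
exported; echo
```

The export stays local to the function: once `exported` returns, the global FOO is still not in the environment of child processes.
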
We previously did the AKV signing in the image job but temporarily
nobbled that code path while we completed the shim review.
Now the AKV signing has been split out into a separate job that will
only be invoked once changes to the jenkins-os repo have been merged.
The only thing we now need to nobble here is copying the signed shim. In
the meantime, we copy the unsigned shim instead. Revert this commit once
the shim review is complete.
We only want to do the signing in Azure, not the whole image job. This
new job downloads the unsigned image, signs it, and replaces it.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The --extract_update option used to do exactly that, just extract the
USR-A partition for updates and no more. Now it does the same thing as
--generate_update, except it names the file flatcar_test_update.gz
rather than flatcar_production_update.gz. --generate_update is never
actually used because official update payloads are manually generated
with the generate_payload script later on.
Resolve this confusion by deduplicating the common code between them.
Any update payload produced during this stage of the build is only
useful for testing, so change --generate_update to always create
flatcar_test_update.gz. --generate_update now implies --extract_update
and both are enabled by default.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We were supposed to collect allowed users and allowed groups into
separate arrays. Due to the copy-paste mistake, we overwrote allowed
users array with allowed groups while leaving the array for allowed
groups empty, so we ended up passing only allowed groups instead of
both.
Most of this hinges on the --upload option being passed, and it never is
any more. Much of it also uses Google Buckets, which we no longer use,
save for some GCE-specific bits.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Giving the --best or -9 option results in a heavier decompression cost
with no gain on such small files.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Secure Boot prevents you from loading additional modules so remove them
to save space. These modules could be useful for debugging with Secure
Boot disabled, but manually copying the modules with debug symbols is
even more useful and not that difficult.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We don't want to be blocked from doing releases in the meantime. Revert
this commit when ready.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
These are only needed when you are going to ship DB updates to existing
systems, which we are not going to do. Our EFI variables are only for
testing. End users are expected to use EFI variables provided by their
hosts or hardware vendors. We presumably provided these before because
some PK and KEK do need to be provided, but we can now use the
Microsoft and Red Hat ones provided via Gentoo's edk2 package.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Rather than starting with a blank image, reuse the image that already
has the Microsoft certificates and the latest DBX revocation list
applied. Gentoo also applies the Red Hat certificates, which we don't
need, but this is okay.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.
Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
virt-fw-vars handles X.509 conversion and QCOW2 conversion transparently
and can update all the variables in a single invocation.
Bonus: Asking it to list the variables doesn't cause a segfault due to
the feature not really being implemented. :D
The 00000000-0000-0000-0000-000000000000 owner GUID is what flash-var
used to set, as we didn't specify the -g argument. We don't need to set
a meaningful value as this file is only for testing.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
They were previously in /usr/share/docker/contrib which means they were
deleted at build time and not shipped into Docker sysext.
New ebuild version of Docker now provides those two files as symlinks to
/usr/share/docker/contrib from /usr/bin.
We can't really remove symlinks using find as docker-runc,
docker-containerd, etc. are broken symlinks too during the build phase.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
The build_docker_aci script only supported docker 12.x, which we haven't
had for ages, so it's a clear sign of a script being obsolete.
Removing it results in some other scripts in build_library being
unused, so drop them too.
The docker and containerd copy files from the repository, which are owned by
the sdk user. This ownership leaks into the final image, which means the first
created user could edit systemd files. This is bad.
Modify the cp invocation to copy files without preserving ownership. The
sysext-mangle script is called by build_sysext, which is executed using sudo.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
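
One way to copy without preserving ownership and to check a staged tree for leaked build-user ownership, as an added example that is not the project's own code. GNU cp and find are assumed; the helper names, the cp flags chosen and the paths are hypothetical, since the commit message does not show the actual invocation.

```shell
#!/usr/bin/env bash
# Added illustration: helper names and paths are hypothetical; GNU cp assumed.

# Copy a tree, keeping modes and timestamps but dropping owner/group, so the
# result belongs to whoever runs cp (root when the build step runs via sudo).
stage_copy() {
  cp -R --preserve=mode,timestamps --no-preserve=ownership "$1" "$2"
}

# Print every entry under DIR that is not owned by UID (default 0), sorted.
foreign_owned() {
  local dir=$1 uid=${2:-0}
  find "$dir" ! -user "$uid" -print | sort
}

# Gate for a build script: fail if anything in the staged tree has an
# unexpected owner, and report the offending paths on stderr.
audit_tree() {
  local leaked
  leaked=$(foreign_owned "$1" "${2:-0}")
  [ -z "$leaked" ] && return 0
  printf 'unexpected owner:\n%s\n' "$leaked" >&2
  return 1
}
```

Running `audit_tree <staged-root>` as the last step before packing the image turns a leaked build-user uid on systemd units into a build failure instead of a shipped permission problem.
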