cmd-osbuild

#!/usr/bin/env bash
set -euo pipefail

dn=$(dirname "$0")
# shellcheck source=src/cmdlib.sh
. "${dn}"/cmdlib.sh

# A list of supported platforms and the filename suffix of the main
# artifact that platform produces.
declare -A SUPPORTED_PLATFORMS=(
    ['aliyun']='qcow2'
    ['applehv']='raw'
    ['aws']='vmdk'
    ['azure']='vhd'
    ['azurestack']='vhd'
    ['digitalocean']='qcow2'
    ['exoscale']='qcow2'
    ['gcp']='tar.gz'
    ['hetzner']='raw'
    ['hyperv']='vhdx'
    ['ibmcloud']='qcow2'
    ['metal4k']='raw'
    ['metal']='raw'
    ['nutanix']='qcow2'
    ['openstack']='qcow2'
    ['qemu']='qcow2'
    ['qemu-secex']='qcow2'
    ['vultr']='raw'
    ['live']='iso'
)

print_help() {
    cat 1>&2 <<EOF
Usage: coreos-assembler osbuild --help
       coreos-assembler osbuild --supported-platforms
       coreos-assembler osbuild [--build ID] qemu metal metal4k...

  Build artifacts for the given platforms using OSBuild.
EOF
}


# Parse the passed config JSON and extract a mandatory value
getconfig() {
    k=$1
    config=$2
    jq -re .\""$k"\" < "${config}"
}
# Return a configuration value, or default if not set
getconfig_def() {
    k=$1
    shift
    default=$1
    config=$2
    jq -re .\""$k"\"//\""${default}"\" < "${config}"
}

# Store information about the artifact into meta.json and also
# "finalize" it, copying it into the builddir.
postprocess_artifact() {
    local artifact_name=$1
    local local_filepath=$2
    local target_filename=$3
    local skip_compress=$4
    if [[ ! "${skip_compress}" =~ ^(True|False)$ ]]; then
        fatal "Must specify 'True' or 'False' for skip_compress. Provided: '${skip_compress}'"
    fi
    cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "
import sys, json
j = json.load(sys.stdin)
j['images']['${artifact_name}'] = {
    'path': '${target_filename}',
    'sha256': '$(sha256sum_str < "${local_filepath}")',
    'size': $(stat -c '%s' "${local_filepath}")
}
# backwards conditional here because of a invalid (for this code) CI check
# https://github.com/coreos/coreos-assembler/pull/3930#issuecomment-2473714222
if False:
    pass
elif ${skip_compress}:
    j['images']['${artifact_name}']['skip-compression'] = True
json.dump(j, sys.stdout, indent=4)
" > meta.json.new
    cosa meta --workdir "${workdir}" --build "${build}" --artifact-json meta.json.new
    /usr/lib/coreos-assembler/finalize-artifact "${local_filepath}" "${builddir}/${target_filename}"
    echo "Successfully generated: ${target_filename}"
}

# For qemu-secex we need to do a few extra things like spin up a
# VM to run genprotimg and save off the pubkey for Ignition.
postprocess_qemu_secex() {
    if [ ! -f "${genprotimgvm}" ]; then
        echo "No genprotimgvm provided"
        genprotimgvm="${workdir}/tmp/fake-secure-vm.qcow2"
        if [ -f "${genprotimgvm}" ]; then
            echo "Found locally generated ${genprotimgvm}, skipping generation"
        else
            if [ ! -f "${hostkey}" ]; then
                fatal "No hostkey and no genprotimgvm provided"
            fi
            echo "Injecting user-provided hostkey into config"
            ignition_cfg=$(mktemp -p "${tmp_builddir}")
            butane_cfg=$(mktemp -p "${tmp_builddir}")
            hostkey_name=$(basename "${hostkey}")
            hostkey_path=$(dirname "${hostkey}")
            cp /usr/lib/coreos-assembler/secex-genprotimgvm-scripts/genprotimg.bu "${butane_cfg}"
            sed -i 's/HOSTKEY-FILE/'"${hostkey_name}"'/g' "${butane_cfg}"
            butane -p -d "${hostkey_path}" "${butane_cfg}" -o "${ignition_cfg}"

            cp "/srv/builds/latest/${basearch}/${name}-${build}-qemu.${basearch}.${suffix}" "${genprotimgvm}"
            chmod +w "${genprotimgvm}"
            genvm_args=("-drive" "if=none,id=hda,format=qcow2,file=${genprotimgvm},auto-read-only=off,cache=unsafe" \
                        "-device" "virtio-blk,drive=hda,bootindex=1")
            kola qemuexec -i "${ignition_cfg}" -- "${genvm_args[@]}"
        fi
    fi

    # Basic qemu args:
    qemu_args=(); blk_size="512"
    [[ $platform == metal4k ]] && blk_size="4096"
    qemu_args+=("-drive" "if=none,id=target,format=qcow2,file=${imgpath},cache=unsafe" \
        "-device" "virtio-blk,serial=target,drive=target,physical_block_size=${blk_size},logical_block_size=${blk_size}")

    # SecureVM (holding Universal Key for all IBM Z Mainframes) requires scripts to execute genprotimg
    se_script_dir="/usr/lib/coreos-assembler/secex-genprotimgvm-scripts"
    genprotimg_img="${PWD}/secex-genprotimg.img"
    genprotimg_dir=$(mktemp -p "${tmp_builddir}" -d)
    cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${genprotimg_dir}"
    # Extra kargs with dm-verity hashes
    secex_kargs="ignition.firstboot"
    secex_kargs+=" rootfs.roothash=$(<"${outdir}/${platform}/rootfs_hash")"
    secex_kargs+=" bootfs.roothash=$(<"${outdir}/${platform}/bootfs_hash")"
    echo "${secex_kargs}" > "${genprotimg_dir}/parmfile"
    virt-make-fs --format=raw --type=ext4 "${genprotimg_dir}" "${genprotimg_img}"
    rm -rf "${genprotimg_dir}"
    qemu_args+=("-drive" "if=none,id=genprotimg,format=raw,file=${genprotimg_img}" \
                "-device" "virtio-blk,serial=genprotimg,drive=genprotimg")

    # GPG keys used for protecting Ignition config
    tmp_gpg_home=$(mktemp -p "${tmp_builddir}" -d)
    ignition_pubkey=$(mktemp -p "${tmp_builddir}")
    ignition_prikey=$(mktemp -p "${tmp_builddir}")
    gpg --homedir "${tmp_gpg_home}" --batch --passphrase '' --yes --quick-gen-key "Secure Execution (secex) ${build}" rsa4096 encr none
    gpg --homedir "${tmp_gpg_home}" --armor --export secex > "${ignition_pubkey}"
    gpg --homedir "${tmp_gpg_home}" --armor --export-secret-key secex > "${ignition_prikey}"
    exec 9<"${ignition_prikey}"
    rm -rf "${tmp_gpg_home}" "${ignition_prikey}"
    qemu_args+=("-add-fd" "fd=9,set=3" "-drive" "if=none,id=gpgkey,format=raw,file=/dev/fdset/3,readonly=on" \
        "-device" "virtio-blk,serial=gpgkey,drive=gpgkey")

    /usr/lib/coreos-assembler/secex-genprotimgvm-scripts/runvm.sh \
        --genprotimgvm "${genprotimgvm}" -- "${qemu_args[@]}"
    rm -f "${genprotimg_img}"
    exec 9>&-

    # Now store the generated ${ignition_pubkey} in the builddir and meta.json
    gpg_key_filename="${name}-${build}-ignition-secex-key.gpg.pub"
    postprocess_artifact "ignition-gpg-key" "${ignition_pubkey}" "${gpg_key_filename}" 'True'
}

# Here we generate the input JSON we pass to runvm_osbuild for all of our image builds
generate_runvm_osbuild_config() {
    runvm_osbuild_config_json="${workdir}/tmp/runvm-osbuild-config-${build}.json"
    echo "${runvm_osbuild_config_json}" # Let the caller know where the config will be
    if [ -f "${runvm_osbuild_config_json}" ]; then
       return # only need to generate this once per build
    fi
    rm -f "${workdir}"/tmp/runvm-osbuild-config-*.json # clean up any previous configs

    # reread these values from the build itself rather than rely on the ones loaded
    # by prepare_build since the config might've changed since then
    ostree_commit=$(meta_key ostree-commit)
    ostree_ref=$(meta_key ref)
    if [ "${ostree_ref}" = "None" ]; then
        ostree_ref=""
    fi

    ostree_repo=${tmprepo}
    # Ensure that we have the cached unpacked commit
    import_ostree_commit_for_build "${build}"
    # Note this overwrote the bits generated in prepare_build
    # for image_json.  In the future we expect to split prepare_build
    # into prepare_ostree_build and prepare_diskimage_build; the
    # latter path would only run this.
    image_json=${workdir}/tmp/image.json

    # Grab a few values from $image_json
    deploy_via_container=$(getconfig_def "deploy-via-container" "" "${image_json}")
    extra_kargs="$(python3 -c 'import sys, json; args = json.load(sys.stdin)["extra-kargs"]; print(" ".join(args))' < "${image_json}")"

    # OStree container ociarchive file path
    ostree_container="${builddir}/$(meta_key images.ostree.path)"
    # If no container_imgref was set let's just set it to some professional
    # looking default. The name of the ociarchive file should suffice.
    container_imgref_default="ostree-image-signed:oci-archive:/$(basename "${ostree_container}")"
    container_imgref=$(getconfig_def "container_imgref" "${container_imgref_default}" "${image_json}")

    echo "Estimating disk size..." >&2
    # The additional 35% here is obviously a hack, but we can't easily completely fill the filesystem,
    # and doing so has apparently negative performance implications.
    ostree_size_json="$(/usr/lib/coreos-assembler/estimate-commit-disk-size --repo "$ostree_repo" "$ostree_commit" --add-percent 35)"
    rootfs_size_mb="$(jq '."estimate-mb".final' <<< "${ostree_size_json}")"
    # The minimum size of a disk image we'll need will be the rootfs_size
    # estimate plus the size of the non-root partitions. We'll use this
    # size for the metal images, but for the IaaS/virt image we'll use
    # the size set in the configs since some of them have minimum sizes that
    # the platforms require and we want a "default" disk size that has some
    # free space.
    nonroot_partition_sizes=513
    # On s390x there is one more build - Secure Execution case, which has
    # different image layout. We add the sizes of the se and verity
    # partitions so that they don't "eat into" the 35% buffer (though note
    # this is all blown away on first boot anyway). For 's390x.mpp.yaml'
    # simplicity all s390x images have same size (of secex image).
    if [[ $basearch == "s390x" ]]; then
        nonroot_partition_sizes=$((nonroot_partition_sizes + 200 + 128 + 256 + 1))
    fi
    metal_image_size_mb="$(( rootfs_size_mb + nonroot_partition_sizes ))"
    cloud_image_size_mb="$(jq -r ".size*1024" < "${image_json}")"
    echo "Disk sizes: metal: ${metal_image_size_mb}M (estimated), cloud: ${cloud_image_size_mb}M" >&2

    # Generate the JSON describing the disk we want to build
    yaml2json /dev/stdin "${runvm_osbuild_config_json}" <<EOF
artifact-name-prefix: "${name}-${build}"
container-imgref: "${container_imgref}"
deploy-via-container: "${deploy_via_container}"
osname: "${name}"
ostree-container: "${ostree_container}"
ostree-ref: "${ref}"
extra-kargs-string: "${extra_kargs}"
ostree-repo: "${ostree_repo}"
metal-image-size: "${metal_image_size_mb}"
cloud-image-size: "${cloud_image_size_mb}"
# Note: this is only used in the secex case; there, the rootfs is
# not the last partition on the disk so we need to explicitly size it
rootfs-size: "${rootfs_size_mb}"
EOF
}


main() {
    # Set Some Defaults
    genprotimgvm=/data.secex/genprotimgvm.qcow2
    hostkey=/srv/secex-hostkey
    build=
    force=

    # This script is used for creating several artifacts. For example,
    # `cmd-buildextend-qemu` is a symlink to `cmd-buildextend-metal`.
    case "$(basename "$0")" in
        "cmd-osbuild") platforms=();;
        "cmd-buildextend-metal") platforms=(metal);;
        "cmd-buildextend-metal4k") platforms=(metal4k);;
        "cmd-buildextend-qemu") platforms=(qemu);;
        "cmd-buildextend-qemu-secex") platforms=(qemu-secex);;
        "cmd-buildextend-secex") platforms=(qemu-secex);;
        "cmd-buildextend-live") platforms=(live);;
        *) fatal "called as unexpected name $0";;
    esac

    options=$(getopt --options h --longoptions help,force,build:,genprotimgvm:,supported-platforms -- "$@") || {
        print_help
        exit 1
    }
    eval set -- "$options"
    while true; do
        case "$1" in
            -h | --help)
                print_help
                exit 0
                ;;
            --force)
                force=1
                ;;
            --build)
                build=$2
                shift
                ;;
            --genprotimgvm)
                genprotimgvm="$2"
                shift
                ;;
            --hostkey)
                hostkey="$2"
                shift
                ;;
            --platforms)
                shift # The arg is next in position args
                # Split the comma separated string of platforms into an array
                IFS=, read -ra platforms <<<"$1"
                ;;
            --supported-platforms)
                # Just print the platforms we support and exit
                echo "${!SUPPORTED_PLATFORMS[*]}"
                exit 0
                ;;
            --)
                shift
                break
                ;;
            -*)
                fatal "$0: unrecognized option: $1"
                ;;
            *)
                break
                ;;
        esac
        shift
    done

    # If we didn't come in via one of the buildextend symlinks then
    # pick up the platforms from positional args.
    if [ ${#platforms[@]} == "0" ]; then
        if [ $# -eq 0 ]; then
            print_help
            fatal "Too few arguments arguments passed to cosa osbuild"
        fi
        # The platforms are in the remaining positional arguments
        read -ra platforms <<<"$@"
    fi

    case "$basearch" in
        "x86_64"|"aarch64"|"s390x"|"ppc64le") ;;
        *) fatal "$basearch is not supported for this command" ;;
    esac

    # shellcheck disable=SC2031
    export LIBGUESTFS_BACKEND=direct
    export IMAGE_TYPE="${platforms[0]}"
    prepare_build

    if [ -z "${build}" ]; then
        build=$(get_latest_build)
        if [ -z "${build}" ]; then
            fatal "No build found."
        fi
    fi

    builddir=$(get_build_dir "$build")
    if [ ! -d "${builddir}" ]; then
        fatal "Build dir ${builddir} does not exist."
    fi

    # add building sempahore
    build_semaphore="${builddir}/.${platforms[0]}.building"
    if [ -e "${build_semaphore}" ]; then
        fatal "${build_semaphore} found: another process is running a build for ${platforms[0]}"
    fi
    touch "${build_semaphore}"
    trap 'rm -f ${build_semaphore}' EXIT

    # reread these values from the build itself rather than rely on the ones loaded
    # by prepare_build since the config might've changed since then
    name=$(meta_key name)

    for platform in "${platforms[@]}"; do
        if [ -z "${SUPPORTED_PLATFORMS[$platform]:-}" ]; then
            fatal "unknown platform provided: ${platform}"
        fi
    done

    tobuild=()
    for platform in "${platforms[@]}"; do
        # check if the image already exists in the meta.json
        meta_img=$(meta_key "images.${platform}.path")
        if [ -z "${force}" ] && [ "${meta_img}" != "None" ]; then
                echo "${platform} image already exists: $meta_img"
                echo "Removing ${platform} from list of platforms to build"
        else
            tobuild+=("${platform}")
            echo "Will build $platform"
        fi
    done
    if [ ${#tobuild[@]} == "0" ]; then
        echo "All requested platforms have already been built"
        exit 0
    fi
    platforms=("${tobuild[@]}")

    # Run OSBuild now to build the platforms that were requested.
    runvm_osbuild_config_json="$(generate_runvm_osbuild_config)"
    outdir=$(mktemp -p "${tmp_builddir}" -d)
    runvm_with_cache -- /usr/lib/coreos-assembler/runvm-osbuild                                         \
                --config "${runvm_osbuild_config_json}"                                                 \
                --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
                --outdir "${outdir}"                                                                    \
                --platforms "$(IFS=,; echo "${platforms[*]}")"

    for platform in "${platforms[@]}"; do
        # Set the filename of the artifact and the local image path
        # where from the OSBuild out directory where it resides.
        suffix="${SUPPORTED_PLATFORMS[$platform]}"
        imgname=${name}-${build}-${platform}.${basearch}.${suffix}
        imgpath="${outdir}/${platform}/${imgname}"

        # Perform postprocessing
        case "$platform" in
            gcp|nutanix)
                # Update the meta.json and builddir with the generated artifact.
                # Skip Compression on these platforms as they are either already
                # compressed or the artifact itself has internal compression enabled.
                postprocess_artifact "${platform}" "${imgpath}" "${imgname}" 'True'
                ;;
            live)
                # For live we have more artifacts
                artifact_types=("iso.${basearch}.${suffix}" "kernel.${basearch}" "rootfs.${basearch}.img" "initramfs.${basearch}.img")
                artifact_prefixes=("-iso" "-kernel" "-rootfs" "-initramfs")
                for i in "${!artifact_types[@]}"; do
                    artifact_type="${artifact_types[$i]}"
                    artifact_prefix="${artifact_prefixes[$i]}"
                    artifact_name="${name}-${build}-${platform}-${artifact_type}"
                    imgpath="${outdir}/${platform}/${artifact_name}"
                    postprocess_artifact "${platform}${artifact_prefix}" "${imgpath}" "${artifact_name}" 'True'
                done
                ;;
            qemu-secex)
                # Massage the generated artifact through an extra VM for secex. This
                # will also create an Ignition pubkey and store it in the meta.json
                # and builddir.
                postprocess_qemu_secex
                # Also need to update the meta.json and builddir with the main artifact.
                postprocess_artifact "${platform}" "${imgpath}" "${imgname}" 'False'
                ;;
            *)
                # Update the meta.json and builddir with the generated artifact.
                postprocess_artifact "${platform}" "${imgpath}" "${imgname}" 'False'
                ;;
        esac
    done

    # clean up the tmpbuild
    rm -rf "${tmp_builddir}"
}

main "$@"