Add scripts to create iso using bootc-image-builder

openshift · Jan 7, 2025 · 9c4895a · 9c4895a
1 parent b1a54e7
commit 9c4895a
Show file tree

Hide file tree

Showing 3 changed files with 253 additions and 0 deletions.
diff --git a/scripts/image-mode/build.sh b/scripts/image-mode/build.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+set -exo pipefail
+
+ROOTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../" && pwd )"
+SCRIPTDIR=${ROOTDIR}/scripts/image-mode
+IMGNAME=microshift
+USHIFT_VERSION=4.17
+BUILD_ARCH=$(uname -m)
+OSVERSION=$(awk -F: '{print $5}' /etc/system-release-cpe)
+LVM_SYSROOT_SIZE_MIN=10240
+LVM_SYSROOT_SIZE=${LVM_SYSROOT_SIZE_MIN}
+OCP_PULL_SECRET_FILE=
+AUTHORIZED_KEYS_FILE=
+AUTHORIZED_KEYS=
+USE_MIRROR_REPO=
+
+# shellcheck disable=SC2034
+STARTTIME="$(date +%s)"
+BUILDDIR=${ROOTDIR}/_output/image-mode
+
+usage() {
+    local error_message="$1"
+
+    if [ -n "${error_message}" ]; then
+        echo "ERROR: ${error_message}"
+        echo
+    fi
+
+    echo "Usage: $(basename "$0") <-pull_secret_file path_to_file> [OPTION]..."
+    echo ""
+    echo "  -pull_secret_file path_to_file"
+    echo "          Path to a file containing the OpenShift pull secret, which can be"
+    echo "          obtained from https://console.redhat.com/openshift/downloads#tool-pull-secret"
+    echo ""
+    echo "Optional arguments:"
+    echo "  -lvm_sysroot_size num_in_MB"
+    echo "          Size of the system root LVM partition. The remaining"
+    echo "          disk space will be allocated for data (default: ${LVM_SYSROOT_SIZE})"
+    echo "  -authorized_keys_file path_to_file"
+    echo "          Path to an SSH authorized_keys file to allow SSH access"
+    echo "          into the default 'redhat' account"
+    echo "  -use-mirror-repo <mirror_repo>"
+    echo "          Use mirror repo to get release candidate and engineering preview rpms"
+    echo "          like (https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp-dev-preview/latest-4.18/el9/os/)"
+    echo "  -ushift-version <microshift-version>"
+    echo "          Version of microshift for image generation (default: ${USHIFT_VERSION}"
+    exit 1
+}
+
+title() {
+    echo -e "\E[34m\n# $1\E[00m"
+}
+
+# Parse the command line
+while [ $# -gt 0 ] ; do
+    case $1 in
+    -pull_secret_file)
+        shift
+        OCP_PULL_SECRET_FILE="$1"
+        [ -z "${OCP_PULL_SECRET_FILE}" ] && usage "Pull secret file not specified"
+        [ ! -s "${OCP_PULL_SECRET_FILE}" ] && usage "Empty or missing pull secret file"
+        shift
+        ;;
+    -lvm_sysroot_size)
+        shift
+        LVM_SYSROOT_SIZE="$1"
+        [ -z "${LVM_SYSROOT_SIZE}" ] && usage "System root LVM partition size not specified"
+        [ "${LVM_SYSROOT_SIZE}" -lt ${LVM_SYSROOT_SIZE_MIN} ] && usage "System root LVM partition size cannot be smaller than ${LVM_SYSROOT_SIZE_MIN}MB"
+        shift
+        ;;
+    -authorized_keys_file)
+        shift
+        AUTHORIZED_KEYS_FILE="$1"
+        [ -z "${AUTHORIZED_KEYS_FILE}" ] && usage "Authorized keys file not specified"
+        shift
+        ;;
+    -use-mirror-repo)
+        shift
+        USE_MIRROR_REPO="$1"
+        [ -z "${USE_MIRROR_REPO}" ] && usage "Mirror repo not specified"
+        shift
+        ;;
+    -ushift-version)
+        shift
+        USHIFT_VERSION="$1"
+        [ -z "${USHIFT_VERSION}" ] && usage "MicroShift version not specified"
+        shift
+        ;;
+    *)
+        usage
+        ;;
+    esac
+done
+
+if [ ! -r "${OCP_PULL_SECRET_FILE}" ] ; then
+    echo "ERROR: pull_secret_file file does not exist or not readable: ${OCP_PULL_SECRET_FILE}"
+    exit 1
+fi
+if [ -n "${AUTHORIZED_KEYS_FILE}" ]; then
+    if [ ! -e "${AUTHORIZED_KEYS_FILE}" ]; then
+        echo "ERROR: authorized_keys_file does not exist: ${AUTHORIZED_KEYS_FILE}"
+        exit 1
+    else
+        AUTHORIZED_KEYS=$(cat "${AUTHORIZED_KEYS_FILE}")
+    fi
+fi
+
+mkdir -p "${BUILDDIR}"
+
+title "Preparing kickstart config"
+# Create a kickstart file from a template, compacting pull secret contents if necessary
+cat < "${SCRIPTDIR}/config/config.toml.template" \
+    | sed "s;REPLACE_LVM_SYSROOT_SIZE;${LVM_SYSROOT_SIZE};g" \
+    | sed "s;REPLACE_OCP_PULL_SECRET_CONTENTS;$(cat < "${OCP_PULL_SECRET_FILE}" | jq -c);g" \
+    | sed "s^REPLACE_REDHAT_AUTHORIZED_KEYS_CONTENTS^${AUTHORIZED_KEYS}^g" \
+    > config.toml
+
+title "Building bootc image for microshift"
+sudo podman build --authfile ${OCP_PULL_SECRET_FILE} -t ${IMGNAME}:${USHIFT_VERSION}  \
+  --build-arg USHIFT_VER=${USHIFT_VERSION} \
+  --env MIRROR_REPO=${USE_MIRROR_REPO} \
+  -f "${SCRIPTDIR}/config/Containerfile.bootc-rhel9"
+
+title "Creating ISO image"
+sudo podman run --authfile ${OCP_PULL_SECRET_FILE} --rm -it \
+    --privileged \
+    --security-opt label=type:unconfined_t \
+    -v /var/lib/containers/storage:/var/lib/containers/storage \
+    -v "${SCRIPTDIR}"/config.toml:/config.toml \
+    -v "${BUILDDIR}":/output \
+    registry.redhat.io/rhel9/bootc-image-builder:latest \
+    --local \
+    --type iso \
+    --config /config.toml \
+    ${IMAGE_NAME}:${IMAGE_VERSION}
+
diff --git a/scripts/image-mode/config/Containerfile.bootc-rhel9 b/scripts/image-mode/config/Containerfile.bootc-rhel9
@@ -0,0 +1,27 @@
+FROM registry.redhat.io/rhel9/rhel-bootc:9.4
+
+ARG USHIFT_VER=4.17
+RUN if [ -z "${MIRROR_REPO}" ]; then \
+      dnf config-manager --set-enabled "rhocp-${USHIFT_VER}-for-rhel-9-$(uname -m)-rpms" \
+          --set-enabled "fast-datapath-for-rhel-9-$(uname -m)-rpms"; \
+    else \
+      # This is required to update the gpgcheck for repoID
+      repoID=$(echo "${MIRROR_REPO#*://}" | tr '/:' '_'); \
+      dnf config-manager --add-repo "${MIRROR_REPO}" \
+          --set-enabled "fast-datapath-for-rhel-9-$(uname -m)-rpms"; \
+      dnf config-manager --save --setopt="${repoID}".gpgcheck=0; \
+    fi
+RUN dnf install -y firewalld microshift microshift-release-info && \
+    systemctl enable microshift && \
+    dnf clean all
+
+# Mandatory firewall configuration
+RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
+    firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
+    firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48
+# Application-specific firewall configuration
+RUN firewall-offline-cmd --zone=public --add-port=80/tcp && \
+    firewall-offline-cmd --zone=public --add-port=443/tcp && \
+    firewall-offline-cmd --zone=public --add-port=30000-32767/tcp && \
+    firewall-offline-cmd --zone=public --add-port=30000-32767/udp
diff --git a/scripts/image-mode/config/config.toml.template b/scripts/image-mode/config/config.toml.template
@@ -0,0 +1,90 @@
+[customizations.installer.kickstart]
+contents = """
+lang en_US.UTF-8
+keyboard us
+timezone UTC
+text
+reboot
+
+# Configure network to use DHCP and activate on boot
+network --bootproto=dhcp --device=link --activate --onboot=on
+
+# Partition disk with a 1MB BIOS boot, 200M EFI, 800M boot XFS partition and
+# an LVM volume containing a 10GB+ system root. The remainder of the volume
+# will be used by the CSI driver for storing data
+#
+# For example, a 20GB disk would be partitioned in the following way:
+#
+# NAME          MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
+# sda             8:0    0  20G  0 disk
+# ├─sda1          8:1    0   1M  0 part
+# ├─sda2          8:2    0 200M  0 part /boot/efi
+# ├─sda3          8:3    0 800M  0 part /boot
+# └─sda4          8:4    0  19G  0 part
+#  └─rhel-root  253:0    0  10G  0 lvm  /sysroot
+#
+zerombr
+clearpart --all --disklabel gpt
+part biosboot --fstype=biosboot --size=1
+part /boot/efi --fstype=efi --size=200
+part /boot --fstype=xfs --asprimary --size=800
+# Uncomment this line to add a SWAP partition of the recommended size
+#part swap --fstype=swap --recommended
+part pv.01 --grow
+volgroup rhel pv.01
+logvol / --vgname=rhel --fstype=xfs --size=REPLACE_LVM_SYSROOT_SIZE --name=root
+
+# Lock root user account
+rootpw --lock
+
+# Configure ostree
+ostreesetup --nogpg --osname=rhel --remote=edge --url=file:///run/install/repo/ostree/repo --ref=rhel/REPLACE_OSVERSION/REPLACE_BUILD_ARCH/edge
+
+%post --log=/var/log/anaconda/post-install.log --erroronfail
+
+# Update the ostree server URL
+ostree remote delete edge
+ostree remote add --no-gpg-verify edge REPLACE_OSTREE_SERVER_URL
+
+# The pull secret is mandatory for MicroShift builds on top of OpenShift, but not OKD
+# The /etc/crio/crio.conf.d/microshift.conf references the /etc/crio/openshift-pull-secret file
+cat > /etc/crio/openshift-pull-secret <<EOF
+REPLACE_OCP_PULL_SECRET_CONTENTS
+EOF
+chmod 600 /etc/crio/openshift-pull-secret
+
+# Create a default redhat user, allowing it to run sudo commands without password
+useradd -m -d /home/redhat -p redhat redhat
+echo -e 'redhat\tALL=(ALL)\tNOPASSWD: ALL' > /etc/sudoers.d/microshift
+
+# Add authorized ssh keys
+mkdir -m 700 /home/redhat/.ssh
+cat > /home/redhat/.ssh/authorized_keys <<EOF
+REPLACE_REDHAT_AUTHORIZED_KEYS_CONTENTS
+EOF
+chmod 600 /home/redhat/.ssh/authorized_keys
+
+# Make sure redhat user directory contents ownership is correct
+chown -R redhat:redhat /home/redhat/
+
+# Configure the firewall (rules reload is not necessary here)
+firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16
+firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
+
+# Make the KUBECONFIG from MicroShift directly available for the root user
+echo -e 'export KUBECONFIG=/var/lib/microshift/resources/kubeadmin/kubeconfig' >> /root/.profile
+
+# Configure systemd journal service to persist logs between boots and limit their size to 1G
+sudo mkdir -p /etc/systemd/journald.conf.d
+cat > /etc/systemd/journald.conf.d/microshift.conf <<EOF
+[Journal]
+Storage=persistent
+SystemMaxUse=1G
+RuntimeMaxUse=1G
+EOF
+
+# Update certificate trust storage in case new certificates were
+# installed at /etc/pki/ca-trust/source/anchors directory
+update-ca-trust
+%end
+"""