Add scripts to create iso using bootc-image-builder
1 parent
b1a54e7
commit c9b2352
Showing
3 changed files
with
254 additions
and
0 deletions.
@@ -0,0 +1,136 @@ | ||
#!/bin/bash | ||
set -exo pipefail | ||
|
||
ROOTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../" && pwd )" | ||
SCRIPTDIR=${ROOTDIR}/scripts/image-mode | ||
IMGNAME=microshift | ||
USHIFT_VERSION=4.17 | ||
BUILD_ARCH=$(uname -m) | ||
OSVERSION=$(awk -F: '{print $5}' /etc/system-release-cpe) | ||
LVM_SYSROOT_SIZE_MIN=10240 | ||
LVM_SYSROOT_SIZE=${LVM_SYSROOT_SIZE_MIN} | ||
OCP_PULL_SECRET_FILE= | ||
AUTHORIZED_KEYS_FILE= | ||
AUTHORIZED_KEYS= | ||
USE_MIRROR_REPO= | ||
|
||
# shellcheck disable=SC2034 | ||
STARTTIME="$(date +%s)" | ||
BUILDDIR=${ROOTDIR}/_output/image-mode | ||
|
||
usage() { | ||
local error_message="$1" | ||
|
||
if [ -n "${error_message}" ]; then | ||
echo "ERROR: ${error_message}" | ||
echo | ||
fi | ||
|
||
echo "Usage: $(basename "$0") <-pull_secret_file path_to_file> [OPTION]..." | ||
echo "" | ||
echo " -pull_secret_file path_to_file" | ||
echo " Path to a file containing the OpenShift pull secret, which can be" | ||
echo " obtained from https://console.redhat.com/openshift/downloads#tool-pull-secret" | ||
echo "" | ||
echo "Optional arguments:" | ||
echo " -lvm_sysroot_size num_in_MB" | ||
echo " Size of the system root LVM partition. The remaining" | ||
echo " disk space will be allocated for data (default: ${LVM_SYSROOT_SIZE})" | ||
echo " -authorized_keys_file path_to_file" | ||
echo " Path to an SSH authorized_keys file to allow SSH access" | ||
echo " into the default 'redhat' account" | ||
echo " -use-mirror-repo <mirror_repo>" | ||
echo " Use mirror repo to get release candidate and engineering preview rpms" | ||
echo " like (https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp-dev-preview/latest-4.18/el9/os/)" | ||
echo " -ushift-version <microshift-version>" | ||
echo " Version of microshift for image generation (default: ${USHIFT_VERSION}" | ||
exit 1 | ||
} | ||
|
||
title() { | ||
echo -e "\E[34m\n# $1\E[00m" | ||
} | ||
|
||
# Parse the command line | ||
while [ $# -gt 0 ] ; do | ||
case $1 in | ||
-pull_secret_file) | ||
shift | ||
OCP_PULL_SECRET_FILE="$1" | ||
[ -z "${OCP_PULL_SECRET_FILE}" ] && usage "Pull secret file not specified" | ||
[ ! -s "${OCP_PULL_SECRET_FILE}" ] && usage "Empty or missing pull secret file" | ||
shift | ||
;; | ||
-lvm_sysroot_size) | ||
shift | ||
LVM_SYSROOT_SIZE="$1" | ||
[ -z "${LVM_SYSROOT_SIZE}" ] && usage "System root LVM partition size not specified" | ||
[ "${LVM_SYSROOT_SIZE}" -lt ${LVM_SYSROOT_SIZE_MIN} ] && usage "System root LVM partition size cannot be smaller than ${LVM_SYSROOT_SIZE_MIN}MB" | ||
shift | ||
;; | ||
-authorized_keys_file) | ||
shift | ||
AUTHORIZED_KEYS_FILE="$1" | ||
[ -z "${AUTHORIZED_KEYS_FILE}" ] && usage "Authorized keys file not specified" | ||
shift | ||
;; | ||
-use-mirror-repo) | ||
shift | ||
USE_MIRROR_REPO="$1" | ||
[ -z "${USE_MIRROR_REPO}" ] && usage "Mirror repo not specified" | ||
shift | ||
;; | ||
-ushift-version) | ||
shift | ||
USHIFT_VERSION="$1" | ||
[ -z "${USHIFT_VERSION}" ] && usage "MicroShift version not specified" | ||
shift | ||
;; | ||
*) | ||
usage | ||
;; | ||
esac | ||
done | ||
|
||
if [ ! -r "${OCP_PULL_SECRET_FILE}" ] ; then | ||
echo "ERROR: pull_secret_file file does not exist or not readable: ${OCP_PULL_SECRET_FILE}" | ||
exit 1 | ||
fi | ||
if [ -n "${AUTHORIZED_KEYS_FILE}" ]; then | ||
if [ ! -e "${AUTHORIZED_KEYS_FILE}" ]; then | ||
echo "ERROR: authorized_keys_file does not exist: ${AUTHORIZED_KEYS_FILE}" | ||
exit 1 | ||
else | ||
AUTHORIZED_KEYS=$(cat "${AUTHORIZED_KEYS_FILE}") | ||
fi | ||
fi | ||
|
||
mkdir -p "${BUILDDIR}" | ||
|
||
title "Preparing kickstart config" | ||
# Create a kickstart file from a template, compacting pull secret contents if necessary | ||
cat < "${SCRIPTDIR}/config/config.toml.template" \ | ||
| sed "s;REPLACE_LVM_SYSROOT_SIZE;${LVM_SYSROOT_SIZE};g" \ | ||
| sed "s;REPLACE_OCP_PULL_SECRET_CONTENTS;$(cat < "${OCP_PULL_SECRET_FILE}" | jq -c);g" \ | ||
| sed "s^REPLACE_REDHAT_AUTHORIZED_KEYS_CONTENTS^${AUTHORIZED_KEYS}^g" \ | ||
> config.toml | ||
|
||
title "Building bootc image for microshift" | ||
sudo podman build --authfile ${OCP_PULL_SECRET_FILE} -t ${IMGNAME}:${USHIFT_VERSION} \ | ||
--build-arg USHIFT_VER=${USHIFT_VERSION} \ | ||
--env MIRROR_REPO=${USE_MIRROR_REPO} \ | ||
-f "${SCRIPTDIR}/config/Containerfile.bootc-rhel9" | ||
|
||
title "Creating ISO image" | ||
sudo podman run --authfile ${OCP_PULL_SECRET_FILE} --rm -it \ | ||
--privileged \ | ||
--security-opt label=type:unconfined_t \ | ||
-v /var/lib/containers/storage:/var/lib/containers/storage \ | ||
-v "${SCRIPTDIR}"/config.toml:/config.toml \ | ||
-v "${BUILDDIR}":/output \ | ||
registry.redhat.io/rhel9/bootc-image-builder:latest \ | ||
--local \ | ||
--type iso \ | ||
--config /config.toml \ | ||
${IMAGE_NAME}:${IMAGE_VERSION} | ||
|
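Review bot: `${IMAGE_NAME}:${IMAGE_VERSION}` on the last line of the `podman run` is never defined — the script sets `IMGNAME` and `USHIFT_VERSION` — so under `set -exo pipefail` (no `-u`) bootc-image-builder receives the literal image ref `:`; use `"${IMGNAME}:${USHIFT_VERSION}"`, and consider adding `-u` so this class of typo fails at the first use. Two more issues in the same section: `set -x` echoes every expanded command to stderr, so the sed invocation embedding `$(cat < "${OCP_PULL_SECRET_FILE}" | jq -c)` writes the full pull secret into the build log (and into the argv visible to other users while sed runs), and `config.toml`, which carries that secret and is created with the default umask, is written to the current working directory while the run step mounts `${SCRIPTDIR}/config.toml`, which only lines up when the script is invoked from `scripts/image-mode`. Rendering into `${BUILDDIR}` with mode 0600 and wrapping the secret-bearing pipeline in `set +x`/`set -x` fixes both, as sketched below; the `--authfile` and image-tag expansions in the build and run commands should also be quoted. A multi-line `authorized_keys` file would likely break the third sed expression (a raw newline in the replacement), which deserves either handling or a note in the usage text.
```shell
# … unchanged: option parsing, validation, mkdir -p "${BUILDDIR}" …

title "Preparing kickstart config"
# Render into the build dir (not the CWD) with mode 0600, and keep the expanded
# pull secret out of the xtrace output while it sits in sed's argv.
CONFIG_TOML="${BUILDDIR}/config.toml"
set +x
( umask 077 && sed -e "s;REPLACE_LVM_SYSROOT_SIZE;${LVM_SYSROOT_SIZE};g" \
                  -e "s;REPLACE_OCP_PULL_SECRET_CONTENTS;$(jq -c < "${OCP_PULL_SECRET_FILE}");g" \
                  -e "s^REPLACE_REDHAT_AUTHORIZED_KEYS_CONTENTS^${AUTHORIZED_KEYS}^g" \
                  "${SCRIPTDIR}/config/config.toml.template" > "${CONFIG_TOML}" )
set -x

# … unchanged: title / podman build (quote "${OCP_PULL_SECRET_FILE}" and "${IMGNAME}:${USHIFT_VERSION}" there too) …

title "Creating ISO image"
sudo podman run --authfile "${OCP_PULL_SECRET_FILE}" --rm -it --privileged \
  --security-opt label=type:unconfined_t \
  -v /var/lib/containers/storage:/var/lib/containers/storage \
  -v "${CONFIG_TOML}":/config.toml -v "${BUILDDIR}":/output \
  registry.redhat.io/rhel9/bootc-image-builder:latest \
  --local --type iso --config /config.toml "${IMGNAME}:${USHIFT_VERSION}"
```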
@@ -0,0 +1,28 @@ | ||
FROM registry.redhat.io/rhel9/rhel-bootc:9.4 | ||
|
||
ARG USHIFT_VER=4.17 | ||
RUN if [ -z "${MIRROR_REPO}" ]; then \ | ||
dnf config-manager --set-enabled "rhocp-${USHIFT_VER}-for-rhel-9-$(uname -m)-rpms" \ | ||
--set-enabled "fast-datapath-for-rhel-9-$(uname -m)-rpms"; \ | ||
else \ | ||
# This is required to update the gpgcheck for repoID | ||
repoID=$(echo "${MIRROR_REPO#*://}" | tr '/:' '_'); \ | ||
dnf config-manager --add-repo "${MIRROR_REPO}" \ | ||
--add-repo "https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/dependencies/rpms/${USHIFT_VER}-el9-beta" \ | ||
--set-enabled "fast-datapath-for-rhel-9-$(uname -m)-rpms"; \ | ||
dnf config-manager --save --setopt="${repoID}".gpgcheck=0 --setopt=*-el9-beta.gpgcheck=0; \ | ||
fi | ||
RUN dnf install -y firewalld microshift microshift-release-info && \ | ||
systemctl enable microshift && \ | ||
dnf clean all | ||
|
||
# Mandatory firewall configuration | ||
RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \ | ||
firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \ | ||
firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \ | ||
firewall-offline-cmd --zone=trusted --add-source=fd01::/48 | ||
# Application-specific firewall configuration | ||
RUN firewall-offline-cmd --zone=public --add-port=80/tcp && \ | ||
firewall-offline-cmd --zone=public --add-port=443/tcp && \ | ||
firewall-offline-cmd --zone=public --add-port=30000-32767/tcp && \ | ||
firewall-offline-cmd --zone=public --add-port=30000-32767/udp |
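Review bot: `dnf config-manager --save --setopt="${repoID}".gpgcheck=0 --setopt=*-el9-beta.gpgcheck=0` in the mirror branch persists gpgcheck=0 into the image's repo configuration, so it is not only this build that installs unverified packages — every later `dnf` run on the deployed image keeps trusting unsigned content from those repos. If the mirror really publishes no signing key, scope the bypass to the build: drop `--save`, or remove the repo files added here right after the `dnf install` (the `.repo` file name dnf derives from the URL — verify), and record the decision in a comment such as `# gpgcheck disabled for the dev-preview mirror during the build only; repo files are removed below so the deployed image does not inherit it`. `MIRROR_REPO` is read at the `if` but never declared with `ARG` or `ENV` in this file; the caller passes it via `podman build --env`, which appears to work with buildah but is invisible to a reader here, so an `ARG MIRROR_REPO=` next to `ARG USHIFT_VER` (and switching the caller to `--build-arg`, or a comment explaining the `--env` choice) would document the contract. The comment `# This is required to update the gpgcheck for repoID` would be clearer as `# dnf names an added repo after its URL; derive the same id so gpgcheck can be set on it`.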
@@ -0,0 +1,90 @@ | ||
[customizations.installer.kickstart] | ||
contents = """ | ||
lang en_US.UTF-8 | ||
keyboard us | ||
timezone UTC | ||
text | ||
reboot | ||
|
||
# Configure network to use DHCP and activate on boot | ||
network --bootproto=dhcp --device=link --activate --onboot=on | ||
|
||
# Partition disk with a 1MB BIOS boot, 200M EFI, 800M boot XFS partition and | ||
# an LVM volume containing a 10GB+ system root. The remainder of the volume | ||
# will be used by the CSI driver for storing data | ||
# | ||
# For example, a 20GB disk would be partitioned in the following way: | ||
# | ||
# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | ||
# sda 8:0 0 20G 0 disk | ||
# ├─sda1 8:1 0 1M 0 part | ||
# ├─sda2 8:2 0 200M 0 part /boot/efi | ||
# ├─sda3 8:3 0 800M 0 part /boot | ||
# └─sda4 8:4 0 19G 0 part | ||
# └─rhel-root 253:0 0 10G 0 lvm /sysroot | ||
# | ||
zerombr | ||
clearpart --all --disklabel gpt | ||
part biosboot --fstype=biosboot --size=1 | ||
part /boot/efi --fstype=efi --size=200 | ||
part /boot --fstype=xfs --asprimary --size=800 | ||
# Uncomment this line to add a SWAP partition of the recommended size | ||
#part swap --fstype=swap --recommended | ||
part pv.01 --grow | ||
volgroup rhel pv.01 | ||
logvol / --vgname=rhel --fstype=xfs --size=REPLACE_LVM_SYSROOT_SIZE --name=root | ||
|
||
# Lock root user account | ||
rootpw --lock | ||
|
||
# Configure ostree | ||
ostreesetup --nogpg --osname=rhel --remote=edge --url=file:///run/install/repo/ostree/repo --ref=rhel/REPLACE_OSVERSION/REPLACE_BUILD_ARCH/edge | ||
|
||
%post --log=/var/log/anaconda/post-install.log --erroronfail | ||
|
||
# Update the ostree server URL | ||
ostree remote delete edge | ||
ostree remote add --no-gpg-verify edge REPLACE_OSTREE_SERVER_URL | ||
|
||
# The pull secret is mandatory for MicroShift builds on top of OpenShift, but not OKD | ||
# The /etc/crio/crio.conf.d/microshift.conf references the /etc/crio/openshift-pull-secret file | ||
cat > /etc/crio/openshift-pull-secret <<EOF | ||
REPLACE_OCP_PULL_SECRET_CONTENTS | ||
EOF | ||
chmod 600 /etc/crio/openshift-pull-secret | ||
|
||
# Create a default redhat user, allowing it to run sudo commands without password | ||
useradd -m -d /home/redhat -p redhat redhat | ||
echo -e 'redhat\tALL=(ALL)\tNOPASSWD: ALL' > /etc/sudoers.d/microshift | ||
|
||
# Add authorized ssh keys | ||
mkdir -m 700 /home/redhat/.ssh | ||
cat > /home/redhat/.ssh/authorized_keys <<EOF | ||
REPLACE_REDHAT_AUTHORIZED_KEYS_CONTENTS | ||
EOF | ||
chmod 600 /home/redhat/.ssh/authorized_keys | ||
|
||
# Make sure redhat user directory contents ownership is correct | ||
chown -R redhat:redhat /home/redhat/ | ||
|
||
# Configure the firewall (rules reload is not necessary here) | ||
firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 | ||
firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 | ||
|
||
# Make the KUBECONFIG from MicroShift directly available for the root user | ||
echo -e 'export KUBECONFIG=/var/lib/microshift/resources/kubeadmin/kubeconfig' >> /root/.profile | ||
|
||
# Configure systemd journal service to persist logs between boots and limit their size to 1G | ||
sudo mkdir -p /etc/systemd/journald.conf.d | ||
cat > /etc/systemd/journald.conf.d/microshift.conf <<EOF | ||
[Journal] | ||
Storage=persistent | ||
SystemMaxUse=1G | ||
RuntimeMaxUse=1G | ||
EOF | ||
|
||
# Update certificate trust storage in case new certificates were | ||
# installed at /etc/pki/ca-trust/source/anchors directory | ||
update-ca-trust | ||
%end | ||
""" |