[UKI] Measure #2028
[UKI] Measure #2028
Conversation
Earthfile
Outdated
| @@ -456,7 +456,7 @@ uki-tools-image: | |||
| # This is for easy testing SecureBoot locally for development purposes | |||
| # Installing this keys in other place than a VM for testing SecureBoot is irresponsible | |||
| uki: | |||
| FROM ubuntu | |||
| FROM +uki-tools-image | |||
There was a problem hiding this comment.
I think this is the only mention of uki-tools-image target, should we get rid of the target?
There was a problem hiding this comment.
For now, but other targets will probably reuse it, the one that creates the upgrade artifacts probably
This used to be consumed by at least 3 targets, not sure what have I done to screw that up
build_uki.sh
Outdated
| @@ -0,0 +1,144 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
i miss where this file is being consumed
There was a problem hiding this comment.
Currently a manual process to generate the images as I'm still working on it, order, retouches and also needs an extra path to generate the artifacts
Earthfile
Outdated
| ARG KAIROS_VERSION=$(cat VERSION) | ||
| FROM scratch | ||
| COPY +uki-image-artifacts/efi / | ||
| SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/${FAMILY}:${KAIROS_VERSION}-uki |
There was a problem hiding this comment.
yup as discussed you should be able to compose the new name with naming.sh
ARG OS_NAME=kairos-${VARIANT}-${FLAVOR}-${FLAVOR_RELEASE}
RUN KAIROS_VERSION=$(cat ./VERSION) \
OS_VERSION=$(cat ./VERSION) \
OS_LABEL=$(cat ./VERSION) \
OS_LABEL=$(naming.sh container_artifact_label) \
OS_REPO=$(naming.sh container_artifact_repo) \
ARTIFACT=$(naming.sh bootable_artifact_name) \
envsubst >>/etc/os-release </usr/lib/os-release.tmpl
RUN KAIROS_VERSION=$(cat ./VERSION) naming.sh container_artifact_name > /IMAGE
ARG _CIMG=$(cat ./IMAGE)
There was a problem hiding this comment.
we used to have a command for this, but since for a little while it was done in the dockerfile, I removed it, maybe I should bring it back, but we can do that after this PR
There was a problem hiding this comment.
We will soon replace the naming.sh script with versioneer (though the standalone cli or kairos-agent). If you find naming.sh needing any changes, let's coordinate first.
There was a problem hiding this comment.
yes indeed, we could have the uki as part of the name maybe in the versioneer? no idea where, if as the model or something (so generic and uki) ?
- dont save unsigned artifact as its not used - use the same base image for uki target instead of 2 different ones - save local artifacts on uki-artifacts target Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Also add agent dev branch to uki build script Add also init stanza to uki cmdline Signed-off-by: Itxaka <itxaka@kairos.io>
Also add the version to config and efi files Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
tests/keys/private.pem
Outdated
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
There was a problem hiding this comment.
Are we signing with a publicly available private key? We are not pushing the uki artifact when we release right?
There was a problem hiding this comment.
We currently are not pushing anything anywhere.
This is for testing mainly and done with public private keys and certs, all of them used in the uki test pipeline.
Final releases would need a specific workflow to sign and measure them with our private keys.
But that is like a whole other conversation on how to sign them, where, who has the key, how we cycle them, etc..
Not willing to open that discussion right now as it's a big one 🤣
There was a problem hiding this comment.
Sure, I'm just making sure I got this right.
Move to ubuntu 23.04 to test TPM encryption on uki Use immmucore from master brnahc until we have a new release Expand uki tests to check that we are encrypting partitions Signed-off-by: Itxaka <itxaka@kairos.io>
Itsd known to work with the encryption as it has a high enough systemd version Adds cracklib-dicts as those are used when validating the luks password Uses agent from main branch as that one has support for uki and newer kcrypt libs Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
|
tested and it seems to work on fedora >=38 and ubuntu >= 23.10 |
so its compatible with fedora 38 and 39 Signed-off-by: Itxaka <itxaka@kairos.io>
They are already in the kairos folder, so only the version is needed in the file name. Same thing with conf file, we keep the name and thats it Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
|
cancelled everything but the uki job |
| @@ -367,79 +348,158 @@ uki-tools-image: | |||
| # NOTE: NEVER EVER EVER use this keys for signing anything that its going outside your computer | |||
| # This is for easy testing SecureBoot locally for development purposes | |||
| # Installing this keys in other place than a VM for testing SecureBoot is irresponsible | |||
| uki: | |||
There was a problem hiding this comment.
I'm also making some changes on this. We may get some conflicts: https://github.com/kairos-io/kairos/pull/2081/files#diff-2705f6016a64189abd14041e2f3e8dbb829553295d9088e4eb42eccb5e61bf47R367
New versions are now in the latest framework so we should be able to use those directly Signed-off-by: Itxaka <itxaka@kairos.io>
|
This should be finished. A big change here is that we are moving to use the "main" framework image. That ok for you @mauromorales @jimmykarily @mudler ? I could also cut a new version once @jimmykarily has merged the versioneer stuff, but currently the main framework version has a kairos-agent RC version, so it feels bad to cut a release with RC versions. |
Oh I forgot we now need to build a new framework image in order to get a new kairos-agent tested. My changes on the kairos-agent should be done. I tagged another rc this morning but it's still building the arm package: https://github.com/kairos-io/packages/actions/runs/7260525990/job/19779962604 If you can to tag kairos-agent as stable and release a framework image with that, I'm fine with it. It will help me test my PR too. |
Earthfile
Outdated
| @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0 | |||
| # renovate: datasource=docker depName=aquasec/trivy | |||
| ARG TRIVY_VERSION=0.47.0 | |||
| # renovate: datasource=github-releases depName=kairos-io/kairos-framework | |||
| ARG KAIROS_FRAMEWORK_VERSION="v2.4.4" | |||
| ARG KAIROS_FRAMEWORK_VERSION="main" | |||
There was a problem hiding this comment.
I don't think we override this in release pipelines. This means we will be releasing from "main" images. Is it needed only because of the kairos-agent rc? Let's cut a stable one then.
For me it's ok to move to main but in that case I don't see the value of producing versions for the framework images. I think relying on main can be tricky because what do we release against? It means that either we always have a moving target or that master tests nightly while release build a version. What I mean is that if we consider these issues not to cause many problems then it's a go for me. But for a different component that moves faster I would say it's better not to. |
|
what maybe makes sense is having releases using tagged framework images, while main can just consume main (so can be used for development) |
Signed-off-by: Itxaka <itxaka.garcia@spectrocloud.com>
|
bumped to use latest framework released version. |
We changed the messages and exit values if the kcrypt failed so we need to adapt the tests Signed-off-by: Itxaka <itxaka@kairos.io>
Part of #1152