diff --git a/oracle-linux-image-tools/README.md b/oracle-linux-image-tools/README.md index 8aa51d7..7f57514 100755 --- a/oracle-linux-image-tools/README.md +++ b/oracle-linux-image-tools/README.md @@ -11,7 +11,9 @@ The tool currently supports: - Distributions: - Oracle Linux 7 update 9 -- Slim (x86_64) - - Oracle Linux 8 update 5 -- Slim (x86_64 and aarch64) + - Oracle Linux 8 update 6 -- Slim (x86_64 and aarch64) + __Note__: for aarch64, only Generic and OCI clouds are supported + - Oracle Linux 9 update 0 -- Slim (x86_64 and aarch64) __Note__: for aarch64, only Generic and OCI clouds are supported - Clouds: - Microsoft Azure cloud @@ -87,12 +89,13 @@ The build script requires a Linux environment and has been tested on Oracle Linu Instead of providing an Oracle Linux distribution ISO you can use a _boot_ ISO image. In that case, you will have to provide an URL to an installation tree and optionally additional yum repositories required by the installation. -Example for an Oracle Linux 8 Update 5 using the UEK boot ISO: +Example for an Oracle Linux 9 using the UEK boot ISO: ```Shell -ISO_URL="https://yum.oracle.com/ISOS/OracleLinux/OL8/u5/x86_64/x86_64-boot-uek.iso" -REPO_URL="https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64" -REPO[AppStream]="https://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64" +ISO_URL="https://yum.oracle.com/ISOS/OracleLinux/OL9/u0/x86_64/OracleLinux-R9-U0-x86_64-boot-uek.iso" +REPO_URL="https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64" +REPO[AppStream]="https://yum.oracle.com/repo/OracleLinux/OL9/appstream/x86_64" +REPO[ol9_UEKR7]="https://yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64" ``` ### Customizing builds 
@@ -211,7 +214,8 @@ The builder will process the directories in the following order: - cloud_distr::cleanup - cloud::cleanup - distr::cleanup -1. Image cleanup: the generated image is mounted on the host and the `image-scripts` scripts are run: + - distr::seal[^1] +1. Image cleanup: the generated image is mounted on the host and the `image-scripts` scripts are run[^1]: - custom::cleanup - cloud_distr::cleanup - cloud::cleanup @@ -222,6 +226,11 @@ The builder will process the directories in the following order: - cloud_distr::image_package - cloud::image_package +[^1]: `provision` `seal` vs. `image-scripts` `cleanup`. +These functions have the same purpose: _seal_ the image before packaging. +The difference is that the former runs in the VM while the latter runs on the host. +Sealing on the host might be more efficient, but when it is not possible to mount the image disk on the host, in-VM sealing can be used. When no `image-scripts` `cleanup` are defined, no attempt will be made to mount the filesystem on the host. + ## Feedback Please provide feedback of any kind via GitHub issues on this repository. diff --git a/oracle-linux-image-tools/bin/build-image.sh b/oracle-linux-image-tools/bin/build-image.sh index 08c8fdb..3c32205 100755 --- a/oracle-linux-image-tools/bin/build-image.sh +++ b/oracle-linux-image-tools/bin/build-image.sh @@ -3,7 +3,7 @@ # # Create minimal Oracle Linux images # -# Copyright (c) 2019-2022 Oracle and/or its affiliates. +# Copyright (c) 2019, 2022 Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at # https://oss.oracle.com/licenses/upl. # @@ -545,7 +545,7 @@ image_cleanup() { cd "${WORKSPACE}/${VM_NAME}" if common::is_vbox ; then tar -xf "${VM_NAME}.ova" - rm "${VM_NAME}.ova" + mv "${VM_NAME}.ova" System.ova mv -f "${VM_NAME}"-disk*.vmdk System.vmdk vbox-img convert \ --srcfilename System.vmdk \ 
@@ -555,68 +555,76 @@ image_cleanup() {
 rm -f System.vmdk
 fi
- echo_message "Loopback mount image"
- # Loopback mount the image
- # We will have the following subdirectories:
- # - 1: /boot
- # - 2: root filesystem (/)
- # In case of a btrfs filesystem, / will be in root subvolume
- # Should /boot be part of the btrfs volume we then have:
- # - 1: btrfs volume with boot and root subvolumes
- rm -rf "${mnt}"
- mkdir "${mnt}"
- sudo "${MOUNT_IMAGE}" System.img "${mnt}"
- if [[ $(stat -f -c "%T" "${mnt}/1") = "btrfs" ]]; then
- # Both / and /boot are on BTRFS
- boot_fs="${mnt}/1/boot"
- root_fs="${mnt}/1/root"
- else
- boot_fs="${mnt}/1"
- if [[ $(stat -f -c "%T" "${mnt}/2") = "btrfs" ]]; then
- root_fs="${mnt}/2/root"
+ # Run cleanup scripts
+ if [[ "$(type -t custom::image_cleanup)" = 'function' ||
+ "$(type -t cloud_distr::image_cleanup)" = 'function' ||
+ "$(type -t cloud::image_cleanup)" = 'function' ||
+ "$(type -t distr::image_cleanup)" = 'function' ]]; then
+ # Only mount the image if we have an image_cleanup function defined
+ echo_message "Loopback mount image"
+ # Loopback mount the image
+ # We will have the following subdirectories:
+ # - 1: /boot
+ # - 2: root filesystem (/)
+ # In case of a btrfs filesystem, / will be in root subvolume
+ # Should /boot be part of the btrfs volume we then have:
+ # - 1: btrfs volume with boot and root subvolumes
+ rm -rf "${mnt}"
+ mkdir "${mnt}"
+ sudo "${MOUNT_IMAGE}" System.img "${mnt}"
+ if [[ $(stat -f -c "%T" "${mnt}/1") = "btrfs" ]]; then
+ # Both / and /boot are on BTRFS
+ boot_fs="${mnt}/1/boot"
+ root_fs="${mnt}/1/root"
 else
- root_fs="${mnt}/2"
+ boot_fs="${mnt}/1"
+ if [[ $(stat -f -c "%T" "${mnt}/2") = "btrfs" ]]; then
+ root_fs="${mnt}/2/root"
+ else
+ root_fs="${mnt}/2"
+ fi
+ fi
+
+ # Basic check to see if we have the "right" partitions mounted
+ if [[ ! -d "${root_fs}/etc" || ! -d "${boot_fs}/grub2" ]]; then
+ sudo "${MOUNT_IMAGE}" -u System.img
+ rm -rf "${mnt}"
+ error "Loopback mount failed"
+ fi
+
+ # Run cleanup scripts
+ if [[ "$(type -t custom::image_cleanup)" = 'function' ]]; then
+ echo_message "Run custom cleanup"
+ custom::image_cleanup "${root_fs}" "${boot_fs}"
+ fi
+ if [[ "$(type -t cloud_distr::image_cleanup)" = 'function' ]]; then
+ echo_message "Run cloud distribution cleanup"
+ cloud_distr::image_cleanup "${root_fs}" "${boot_fs}"
+ fi
+ if [[ "$(type -t cloud::image_cleanup)" = 'function' ]]; then
+ echo_message "Run cloud cleanup"
+ cloud::image_cleanup "${root_fs}" "${boot_fs}"
+ fi
+ if [[ "$(type -t distr::image_cleanup)" = 'function' ]]; then
+ echo_message "Run distribution cleanup"
+ distr::image_cleanup "${root_fs}" "${boot_fs}"
 fi
- fi
- # Basic check to see if we have the "right" partitions mounted
- if [[ ! -d "${root_fs}/etc" || ! -d "${boot_fs}/grub2" ]]; then
+ # Ensure we are still in the image directory
+ cd "${WORKSPACE}/${VM_NAME}"
+ # unmount and trim image
+ echo_message "Unmount and trim image"
+ sudo -- bash -c '
+ sync; sync; sync;
+ fstrim "'"${boot_fs}"'";
+ fstrim "'"${root_fs}"'";
+ '
 sudo "${MOUNT_IMAGE}" -u System.img
 rm -rf "${mnt}"
- error "Loopback mount failed"
- fi
- # Run cleanup scripts
- if [[ "$(type -t custom::image_cleanup)" = 'function' ]]; then
- echo_message "Run custom cleanup"
- custom::image_cleanup "${root_fs}" "${boot_fs}"
- fi
- if [[ "$(type -t cloud_distr::image_cleanup)" = 'function' ]]; then
- echo_message "Run cloud distribution cleanup"
- cloud_distr::image_cleanup "${root_fs}" "${boot_fs}"
+ cp --sparse=always System.img System.img.sparse
+ mv -f System.img.sparse System.img
 fi
- if [[ "$(type -t cloud::image_cleanup)" = 'function' ]]; then
- echo_message "Run cloud cleanup"
- cloud::image_cleanup "${root_fs}" "${boot_fs}"
- fi
- if [[ "$(type -t distr::image_cleanup)" = 'function' ]]; then
- echo_message "Run distribution cleanup"
- distr::image_cleanup "${root_fs}" "${boot_fs}"
- fi
-
- # Ensure we are still in the image directory
- cd "${WORKSPACE}/${VM_NAME}"
- # unmount and trim image
- echo_message "Unmount and trim image"
- sudo -- bash -c '
- sync; sync; sync;
- fstrim "'"${boot_fs}"'";
- fstrim "'"${root_fs}"'";
- '
- sudo "${MOUNT_IMAGE}" -u System.img
- cp --sparse=always System.img System.img.sparse
- mv -f System.img.sparse System.img
- rm -rf "${mnt}"
 echo_message "Package image"
 if [[ "$(type -t custom::image_package)" = 'function' ]]; then
@@ -631,6 +639,7 @@ image_cleanup() {
 if common::is_vbox ; then
 rm "${WORKSPACE}/${VM_NAME}/${VM_NAME}.ovf"
+ rm "${WORKSPACE}/${VM_NAME}/System.ova"
 fi
 }
diff --git a/oracle-linux-image-tools/bin/provision.sh b/oracle-linux-image-tools/bin/provision.sh
index 8700975..dc5bd6b 100755
--- a/oracle-linux-image-tools/bin/provision.sh
+++ b/oracle-linux-image-tools/bin/provision.sh
@@ -3,11 +3,14 @@
 #
 # Packer main provisioning script
 #
-# Copyright (c) 2019,2020 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl.
 #
-# Description: provision image by calling child provisioners
+# Description:
+# - provision image by calling child provisioners
+# - Seal image by calling distribution seal function (final cleanup
+# cleanup before packaging)
 #
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 #
@@ -57,7 +60,9 @@ echo_error() {
 load_env() {
 local dir
- source "${ENV_FILE}"
+ if [[ -r "${ENV_FILE}" ]]; then
+ source "${ENV_FILE}"
+ fi
 if [[ -n "${PROXY_URL}" ]]; then
 export http_proxy="${PROXY_URL}"
@@ -79,9 +84,9 @@ load_env() {
 }
 #######################################
-# Main
+# provision
 #######################################
-main () {
+provision () {
 echo_header "Load environment"
 load_env
 if [[ "$(type -t distr::provision)" = 'function' ]]; then
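Review bot: The unmount that closes the cleanup branch, `sudo "${MOUNT_IMAGE}" -u System.img`, is not checked before `rm -rf "${mnt}"` runs, so a failed unmount turns the recursive delete loose on the still-mounted guest filesystem (mostly permission errors for the unprivileged build user, but it removes what it can and hides the real failure); make it `sudo "${MOUNT_IMAGE}" -u System.img || error "Failed to unmount System.img"`. The trim step builds a root shell command by splicing `${boot_fs}` and `${root_fs}` into a `bash -c` string; `sudo sync && sudo fstrim -- "${boot_fs}" && sudo fstrim -- "${root_fs}"` does the same work with no quoting to get wrong. Both lines predate this change but are re-indented here, so they are part of the new side. image_cleanup starts before this hunk and the packaging code continues after it.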
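Review bot: `load_env` now continues silently when `${ENV_FILE}` is missing or unreadable, where the unconditional `source` used to fail the run; provisioning would then proceed on whatever defaults the distribution scripts carry, with no trace in the log. Add an `else` branch that records it, `else echo_message "No environment file at ${ENV_FILE}, using built-in defaults"`, or, if the guard exists only for the new seal action, check `-r` there and keep `provision` strict. load_env continues past the end of this hunk.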
@@ -118,4 +123,38 @@ main () {
 fi
 }
+#######################################
+# seal
+#######################################
+seal () {
+ echo_header "Load environment"
+ load_env
+ if [[ "$(type -t distr::seal)" = 'function' ]]; then
+ echo_header "Seal VM image"
+ distr::seal
+ else
+ echo_message "No seal function defined"
+ fi
+}
+
+#######################################
+# Main
+#######################################
+main () {
+ if [[ -z ${OLIT_ACTION} ]]; then
+ echo_error "OLIT_ACTION undefined"
+ fi
+ case "${OLIT_ACTION}" in
+ provision)
+ provision
+ ;;
+ seal)
+ seal
+ ;;
+ *)
+ echo_error "Unexpected action: ${OLIT_ACTION}"
+ ;;
+ esac
+}
+
 main "$@"
diff --git a/oracle-linux-image-tools/cloud/azure/image-scripts.sh b/oracle-linux-image-tools/cloud/azure/image-scripts.sh
index acfa26c..0bc44f0 100755
--- a/oracle-linux-image-tools/cloud/azure/image-scripts.sh
+++ b/oracle-linux-image-tools/cloud/azure/image-scripts.sh
@@ -2,7 +2,7 @@
 #
 # Cleanup and package image for Azure
 #
-# Copyright (c) 2019-2022 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
@@ -25,9 +25,9 @@
 # Returns:
 # None
 #######################################
-cloud::image_cleanup() {
-:
-}
+# cloud::image_cleanup() {
+# :
+# }
 #######################################
 # Image packaging
diff --git a/oracle-linux-image-tools/cloud/none/image-scripts.sh b/oracle-linux-image-tools/cloud/none/image-scripts.sh
index 2bd8fdd..b78efd2 100755
--- a/oracle-linux-image-tools/cloud/none/image-scripts.sh
+++ b/oracle-linux-image-tools/cloud/none/image-scripts.sh
@@ -2,7 +2,7 @@
 #
 # Cleanup and package image for the "None" image
 #
-# Copyright (c) 2019-2022 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
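Review bot: In `main`, an empty `OLIT_ACTION` is reported by `echo_error` and then, unless `echo_error` terminates the script (its definition is outside this hunk), falls into the `*)` arm and is reported a second time as `Unexpected action: `. Either make the first check terminal, `echo_error "OLIT_ACTION undefined"; exit 1`, or drop it and let the `*)` arm handle the empty value with a single message. A one-line comment above `main` stating that the caller (presumably the packer provisioner) must export `OLIT_ACTION` as `provision` or `seal` would also help, since nothing in this file sets it.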
@@ -25,9 +25,9 @@
 # Returns:
 # None
 #######################################
-cloud::image_cleanup() {
-:
-}
+# cloud::image_cleanup() {
+# :
+# }
 #######################################
 # Image packaging:
diff --git a/oracle-linux-image-tools/cloud/oci/image-scripts.sh b/oracle-linux-image-tools/cloud/oci/image-scripts.sh
index c62060c..cc55173 100755
--- a/oracle-linux-image-tools/cloud/oci/image-scripts.sh
+++ b/oracle-linux-image-tools/cloud/oci/image-scripts.sh
@@ -2,7 +2,7 @@
 #
 # Cleanup and package image for OCI
 #
-# Copyright (c) 2020-2022 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
@@ -25,9 +25,9 @@
 # Returns:
 # None
 #######################################
-cloud::image_cleanup() {
-:
-}
+# cloud::image_cleanup() {
+# :
+# }
 #######################################
 # Image packaging - creates a PVM and PVHVM OVA
diff --git a/oracle-linux-image-tools/cloud/olvm/image-scripts.sh b/oracle-linux-image-tools/cloud/olvm/image-scripts.sh
index 9025880..fa4a146 100755
--- a/oracle-linux-image-tools/cloud/olvm/image-scripts.sh
+++ b/oracle-linux-image-tools/cloud/olvm/image-scripts.sh
@@ -2,7 +2,7 @@
 #
 # Cleanup and package image for OLVM
 #
-# Copyright (c) 2020-2022 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
@@ -40,9 +40,9 @@ cloud::validate() {
 # Returns:
 # None
 #######################################
-cloud::image_cleanup() {
-:
-}
+# cloud::image_cleanup() {
+# :
+# }
 #######################################
 # Image packaging - creates an OVA
diff --git a/oracle-linux-image-tools/cloud/olvm/mk-envelope.py b/oracle-linux-image-tools/cloud/olvm/mk-envelope.py
index 5d9724a..89234dc 100755
--- a/oracle-linux-image-tools/cloud/olvm/mk-envelope.py
+++ b/oracle-linux-image-tools/cloud/olvm/mk-envelope.py @@ -3,7 +3,7 @@ """ Generate OLVM compatible OVF file. -Copyright (c) 2020-2022 Oracle and/or its affiliates. +Copyright (c) 2020, 2022 Oracle and/or its affiliates. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl @@ -26,6 +26,7 @@ 'OL6': 5002, 'OL7': 5003, 'OL8': 5006, + 'OL9': 5006, # Use OL8 ID for now, to support older OLVM versions } diff --git a/oracle-linux-image-tools/cloud/ovm/image-scripts.sh b/oracle-linux-image-tools/cloud/ovm/image-scripts.sh index adf7610..7e11e79 100755 --- a/oracle-linux-image-tools/cloud/ovm/image-scripts.sh +++ b/oracle-linux-image-tools/cloud/ovm/image-scripts.sh @@ -2,7 +2,7 @@ # # Cleanup and package image for OVM # -# Copyright (c) 2019-2022 Oracle and/or its affiliates. +# Copyright (c) 2019, 2022 Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at # https://oss.oracle.com/licenses/upl # @@ -39,9 +39,9 @@ cloud::validate() { # Returns: # None ####################################### -cloud::image_cleanup() { - : -} +# cloud::image_cleanup() { +# : +# } ####################################### # Image packaging - creates a PVM and PVHVM OVA diff --git a/oracle-linux-image-tools/cloud/vagrant-libvirt/image-scripts.sh b/oracle-linux-image-tools/cloud/vagrant-libvirt/image-scripts.sh index 10296ce..e5ae90e 100755 --- a/oracle-linux-image-tools/cloud/vagrant-libvirt/image-scripts.sh +++ b/oracle-linux-image-tools/cloud/vagrant-libvirt/image-scripts.sh @@ -2,7 +2,7 @@ # # Cleanup and package image for the "vagrant-libvirt" image # -# Copyright (c) 2020-2022 Oracle and/or its affiliates. +# Copyright (c) 2020, 2022 Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at # https://oss.oracle.com/licenses/upl # 
@@ -41,9 +41,9 @@ cloud::validate() { # Returns: # None ####################################### -cloud::image_cleanup() { - : -} +# cloud::image_cleanup() { +# : +# } ####################################### # Image packaging: generate box using vagrant tool diff --git a/oracle-linux-image-tools/cloud/vagrant-virtualbox/files/vagrant-common.sh b/oracle-linux-image-tools/cloud/vagrant-virtualbox/files/vagrant-common.sh index e727499..9d4312c 100755 --- a/oracle-linux-image-tools/cloud/vagrant-virtualbox/files/vagrant-common.sh +++ b/oracle-linux-image-tools/cloud/vagrant-virtualbox/files/vagrant-common.sh @@ -2,7 +2,7 @@ # # Common scripts for vagrant provisioners # -# Copyright (c) 2020 Oracle and/or its affiliates. +# Copyright (c) 2020, 2022 Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at # https://oss.oracle.com/licenses/upl # @@ -30,12 +30,19 @@ vagrant::config() sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers # sshd: disable password authentication and DNS checks - ex -s /etc/ssh/sshd_config < /etc/ssh/sshd_config.d/90-vagrant.conf <<-EOF + PasswordAuthentication no + UseDNS no + EOF + else + ex -s /etc/ssh/sshd_config <<-EOF + :%substitute/^#\?\(PasswordAuthentication\) .*$/\1 no/ + :%substitute/^#\?\(UseDNS\) .*$/\1 no/ + :update + :quit + EOF + fi cat >>/etc/sysconfig/sshd < /var/log/wtmp - : > /var/log/lastlog + : > /var/log/wtmp + : > /var/log/lastlog rm -f /var/log/audit/audit.log rm -f /var/log/tuned/tuned.log rm -rf /root/.gemrc /root/.gem diff --git a/oracle-linux-image-tools/distr/ol8-aarch64/ol8-aarch64-ks.cfg b/oracle-linux-image-tools/distr/ol8-aarch64/ol8-aarch64-ks.cfg index a3cdf31..0e8a022 100644 --- a/oracle-linux-image-tools/distr/ol8-aarch64/ol8-aarch64-ks.cfg +++ b/oracle-linux-image-tools/distr/ol8-aarch64/ol8-aarch64-ks.cfg 
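Review bot: Writing `PasswordAuthentication no` into `/etc/ssh/sshd_config.d/90-vagrant.conf` only disables password logins if nothing earlier sets the keyword, because sshd keeps the first value it reads: the main `sshd_config` must reach its `Include /etc/ssh/sshd_config.d/*.conf` before any `PasswordAuthentication` line, and a lower-numbered drop-in (for example one written by cloud-init when `ssh_pwauth` is on) sorts first and wins. Testing for the directory alone does not establish that, so verify the effective configuration after the write, in both branches: `sshd -T 2>/dev/null | grep -qi '^passwordauthentication no' || error "PasswordAuthentication is still enabled"`. The text of this hunk is partly garbled in this copy (the redirect and heredoc of the drop-in branch are missing), so the exact lines may differ from what is shown here.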
@@ -199,13 +199,21 @@ dnf upgrade -y oraclelinux-release-el8
 # Install latest kernel, that way it will be available at first boot and
 # allow proper cleanup
 KERNEL=uek
+UEK_RELEASE=7
 echo "Kernel update (${KERNEL^^})"
 echo "Running kernel: $(uname -r)"
 echo "Kernel(s) installed:"
 rpm -qa | grep '^kernel' | sort
-kernel="kernel-uek"
+echo "UEK release selected: ${UEK_RELEASE}"
+if [[ ${UEK_RELEASE} == 6 ]]; then
+ kernel="kernel-uek"
+ dnf_options="--disablerepo ol8_UEKR\*"
+else
+ kernel="kernel-uek-core"
+ dnf_options="--disablerepo ol8_UEKR\* --enablerepo ol8_UEKR${UEK_RELEASE}"
+fi
 # Set default kernel
 sed -i -e 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL='"${kernel}"'/' /etc/sysconfig/kernel
diff --git a/oracle-linux-image-tools/distr/ol8-aarch64/provision.sh b/oracle-linux-image-tools/distr/ol8-aarch64/provision.sh
index c829871..c4bc8b9 100644
--- a/oracle-linux-image-tools/distr/ol8-aarch64/provision.sh
+++ b/oracle-linux-image-tools/distr/ol8-aarch64/provision.sh
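Review bot: `dnf_options="--disablerepo ol8_UEKR\* ..."` keeps the backslash, because `\*` is not an escape sequence inside double quotes, so when the variable is later expanded unquoted dnf receives the literal pattern `ol8_UEKR\*` rather than the `ol8_UEKR*` glob that the unquoted `dnf config-manager --disable ol8_UEKR\*` in provision.sh gets; as far as I can tell nothing matches that and the other UEK repositories stay enabled, so the kernel pick depends on which repos happen to be on by default. Use an array so the glob reaches dnf intact and is never subject to word splitting, `dnf_options=(--disablerepo 'ol8_UEKR*' --enablerepo "ol8_UEKR${UEK_RELEASE}")` with `"${dnf_options[@]}"` at the use site, which lies outside this hunk. The same construction appears in the ol8-slim kickstart in this change.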
@@ -62,32 +62,46 @@ distr::ks_log() {
 distr::kernel_config() {
 local current_kernel kernel kernels old_kernel
+ # Ensure swap is properly formatted (UEK6/7 change)
+ if [[ ${SETUP_SWAP,,} == "yes" ]]; then
+ swapon -a || swapon -a --fixpgsz
+ fi
+
 # shellcheck disable=SC2153
 echo_message "Configure kernel: ${KERNEL^^}"
 echo_message "Running kernel: $(uname -r)"
- # Available virtio modules depends on kernel build...
- local virtio modules
- modules=$(find "/lib/modules/$(uname -r)" -name "virtio*.ko*" -printf '%f\n')
- while read -r module; do
- virtio="${virtio} ${module%.ko*}"
- done <<<"${modules}"
-
- cat > /etc/dracut.conf.d/01-dracut-vm.conf <<-EOF
- add_drivers+=" ${virtio} "
- EOF
+ # Note: there is no need to force drivers in intrd as dracut-config-generic
+ # is installed
 # Remove old kernels
- kernel="kernel-uek"
+ dnf config-manager --disable ol8_UEKR\* || :
+ if [[ ${UEK_RELEASE} != 6 ]]; then
+ # UEK R6 doesn't have its own repo
+ dnf config-manager --enable "ol8_UEKR${UEK_RELEASE}"
+ fi
 current_kernel=$(uname -r)
- kernels=$(rpm -q ${kernel} --qf "%{VERSION}-%{RELEASE}.%{ARCH} ")
- for old_kernel in $kernels; do
- if [[ ${old_kernel} != "${current_kernel}" ]]; then
- distr::remove_rpms "${kernel}-${old_kernel}"
+ for kernel in "kernel-uek" "kernel-uek-core"; do
+ if kernels=$(rpm -q ${kernel} --qf "%{VERSION}-%{RELEASE}.%{ARCH} "); then
+ for old_kernel in $kernels; do
+ if [[ ${old_kernel} != "${current_kernel}" ]]; then
+ distr::remove_rpms "${kernel}-${old_kernel}"
+ fi
+ done
 fi
 done
+ if [[ ${UEK_RELEASE} != 6 ]]; then
+ if [[ ${KERNEL_MODULES,,} == "no" ]]; then
+ echo_message "Removing kernel modules"
+ distr::remove_rpms kernel-uek-modules
+ else
+ echo_message "Ensure kernel modules are installed"
+ dnf install -y kernel-uek
+ fi
+ fi
+
 # Regenerate initrd
 ${DRACUT_CMD} -f "/boot/initramfs-${current_kernel}.img" "${current_kernel}"
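Review bot: This hunk drops the `01-dracut-vm.conf` that forced the virtio drivers into the initramfs and relies on `dracut-config-generic` instead, but the change only adds that package to the ol8-slim kickstart; the ol8-aarch64 kickstart hunk in this diff touches kernel selection only. Unless the package is already in the aarch64 `%packages` list (not visible here), the `${DRACUT_CMD} -f` regeneration at the end of this hunk produces a host-only initramfs and the image may not boot under a hypervisor, so guard it: `rpm -q dracut-config-generic >/dev/null || error "dracut-config-generic is required for a generic initramfs"` before the regeneration. `intrd` in the new comment should read `initrd`. distr::kernel_config continues after this hunk.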
@@ -97,6 +111,7 @@ distr::kernel_config() {
 echo_message "Linux firmware: ${LINUX_FIRMWARE^^}"
 if [[ "${LINUX_FIRMWARE,,}" = "no" ]]; then
+ echo_message "Removing linux firmware"
 distr::remove_rpms linux-firmware
 fi
 }
diff --git a/oracle-linux-image-tools/distr/ol8-slim/env.properties b/oracle-linux-image-tools/distr/ol8-slim/env.properties
index 8e14fba..b0b6a98 100644
--- a/oracle-linux-image-tools/distr/ol8-slim/env.properties
+++ b/oracle-linux-image-tools/distr/ol8-slim/env.properties
@@ -21,6 +21,9 @@ BOOT_COMMAND=( '${CONSOLE} inst.text inst.ks=${KS_CONFIG} setup_swap=${
 # Kernel: uek, rhck
 KERNEL="uek"
+# UEK release: 6, 7
+UEK_RELEASE=6
+
 # Keep rescue kernel: yes, no
 # Keeping rescue kernel will increase the image size and is most propbalbly
 # not very useful in cloud environment.
@@ -38,10 +41,17 @@ AUTHSELECT=""
 # Update: yes, security, no
 UPDATE_TO_LATEST="yes"
+# Keep kernel-modules packages: yes, no
+# In UEK7 kernel is split into core/modules. Core should suffice for all cloud
+# images
+KERNEL_MODULES="no"
+
 # Keep linux-firmware package? yes, no
 # Linux firmware is not needed on VM instances.
-# Note that kernel packages have an install dependency on linux-firmware; if
+# On UEK6 kernel packages have an install dependency on linux-firmware; if
 # removed it will be re-installed when a new kernel is installed.
+# On UEK7 dependency is on kernel-modules; removing firmware will also
+# remove it
 LINUX_FIRMWARE="yes"
 # Exclude documentation (man pages, info files, doc files)? yes, no, minimal
diff --git a/oracle-linux-image-tools/distr/ol8-slim/image-scripts.sh b/oracle-linux-image-tools/distr/ol8-slim/image-scripts.sh
index 67b8b33..6946942 100755
--- a/oracle-linux-image-tools/distr/ol8-slim/image-scripts.sh
+++ b/oracle-linux-image-tools/distr/ol8-slim/image-scripts.sh
@@ -2,13 +2,14 @@
 #
 # image scripts for OL8
 #
-# Copyright (c) 2020,2022 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
 # Description: this module provides the following function:
 # distr::validate: basic parameter validation
 # distr::kickstart: hook for kickstart file updates
+# distr::packer_conf: hook for packer configuration file updates
 # distr::image_cleanup: distribution specific actions to cleanup the image
 # All functions are optional
 #
@@ -27,10 +28,12 @@
 distr::validate() {
 [[ "${ROOT_FS,,}" =~ ^(xfs)|(btrfs)|(lvm)$ ]] || error "ROOT_FS must be xfs, btrfs or lvm"
 [[ "${ROOT_FS,,}" = "btrfs" ]] && echo_message "Note that for btrfs root filesystem you need to use an UEK boot ISO"
+ [[ "${UEK_RELEASE}" =~ ^[67]$ ]] || error "UEK_RELEASE must be 6 or 7"
 [[ "${RESCUE_KERNEL,,}" =~ ^(yes)|(no)$ ]] || error "RESCUE_KERNEL must be yes or no"
+ [[ "${KERNEL_MODULES,,}" =~ ^(yes)|(no)$ ]] || error "KERNEL_MODULES must be yes or no"
 [[ "${LINUX_FIRMWARE,,}" =~ ^(yes)|(no)$ ]] || error "LINUX_FIRMWARE must be yes or no"
 [[ "${EXCLUDE_DOCS,,}" =~ ^(yes)|(no)|(minimal)$ ]] || error "EXCLUDE_DOCS must be yes, no or minimal"
- readonly ROOT_FS RESCUE_KERNEL LINUX_FIRMWARE EXCLUDE_DOCS
+ readonly ROOT_FS UEK_RELEASE RESCUE_KERNEL KERNEL_MODULES LINUX_FIRMWARE EXCLUDE_DOCS
 }
 #######################################
@@ -67,6 +70,7 @@ logvol / --fstype=\"xfs\" --vgname=vg_main --size=4096 --name=lv_root --gr
 # Pass kernel and rescue kernel selections
 sed -i -e 's!^KERNEL=.*$!KERNEL='"${KERNEL}"'!' "${ks_file}"
+ sed -i -e 's!^UEK_RELEASE=.*$!UEK_RELEASE='"${UEK_RELEASE}"'!' "${ks_file}"
 sed -i -e 's!^RESCUE_KERNEL=.*$!RESCUE_KERNEL='"${RESCUE_KERNEL}"'!' "${ks_file}"
 # Override authselect if needed
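Review bot: The new `KERNEL_MODULES` check copies the `^(yes)|(no)$` pattern of its neighbours, which is two alternatives — `^(yes)` or `(no)$` — so values such as `yesterday` or `casino` pass; write `^(yes|no)$` (the `RESCUE_KERNEL` and `LINUX_FIRMWARE` lines carry the same defect, and `RESCUE_KERNEL` is then substituted verbatim into the kickstart). The validator should also reject the combination the env.properties comment in this same change calls out: on UEK7 `LINUX_FIRMWARE=no` removes `kernel-uek-modules`, so `KERNEL_MODULES=yes` together with `LINUX_FIRMWARE=no` is silently undone later in provisioning; one line covers it, `[[ ${UEK_RELEASE} == 7 && ${KERNEL_MODULES,,} == "yes" && ${LINUX_FIRMWARE,,} == "no" ]] && error "KERNEL_MODULES=yes requires LINUX_FIRMWARE=yes on UEK7"`.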
@@ -81,6 +85,23 @@ logvol / --fstype=\"xfs\" --vgname=vg_main --size=4096 --name=lv_root --gr
 fi
 }
+#######################################
+# Packer configuration
+# Globals:
+# BUILD_INFO
+# Arguments:
+# Packer configuration file
+# Returns:
+# None
+#######################################
+distr::packer_conf() {
+ if [[ -n "${BUILD_INFO}" ]]; then
+ cat >>"$1" <<-EOF
+ build_info = "${BUILD_INFO}"
+ EOF
+ fi
+}
+
 #######################################
 # Cleanup actions run directly on the image
 # Globals:
@@ -91,27 +112,6 @@ logvol / --fstype=\"xfs\" --vgname=vg_main --size=4096 --name=lv_root --gr
 # Returns:
 # None
 #######################################
-distr::image_cleanup() {
- local root_fs="$1"
- local boot_fs="$2"
-
- # Ensure we don't blindly cleanup local host!
- [[ -z ${root_fs} ]] && error "Undefined root filesystem"
- [[ -z ${boot_fs} ]] && error "Undefined boot filesystem"
-
- if [[ -n ${BUILD_INFO} && -d "${root_fs}${BUILD_INFO}" ]]; then
- find "${root_fs}${BUILD_INFO}" -type f -exec cp {} "${WORKSPACE}/${VM_NAME}/" \;
- fi
-
- sudo chroot "${root_fs}" /bin/bash <<-EOF
- : > /var/log/wtmp
- : > /var/log/lastlog
- rm -f /var/log/audit/audit.log
- rm -f /var/log/tuned/tuned.log
- rm -rf /root/.gemrc /root/.gem
- rm -rf /var/spool/root /var/spool/mail/root
- rm -rf /var/lib/NetworkManager
- rm -rf /var/tmp/*
- [[ -n "${BUILD_INFO}" ]] && rm -rf "${BUILD_INFO}"
- EOF
-}
+# distr::image_cleanup_no() {
+# :
+# }
diff --git a/oracle-linux-image-tools/distr/ol8-slim/ol8-ks.cfg b/oracle-linux-image-tools/distr/ol8-slim/ol8-ks.cfg
index 6e1809f..2bcb1c0 100644
--- a/oracle-linux-image-tools/distr/ol8-slim/ol8-ks.cfg
+++ b/oracle-linux-image-tools/distr/ol8-slim/ol8-ks.cfg
@@ -98,6 +98,9 @@ part / --fstype="xfs" --ondisk=sda --size=4096 --label=root --grow
 # hwdata blacklists several modules, a.o. the fb (frame buffer) ones
 hwdata
+
+# Create a generic image
+dracut-config-generic
 %end
 %post --interpreter /bin/bash --log=/root/ks-post.log
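Review bot: Deleting `distr::image_cleanup` also deletes the only code in this file that copied `${root_fs}${BUILD_INFO}` out to `${WORKSPACE}/${VM_NAME}/`, while the new in-VM `distr::seal` removes `${BUILD_INFO}` before shutdown; the package lists and kernel.txt therefore survive only if the packer template now downloads that directory between the provision and seal steps, which the `build_info` variable emitted by `distr::packer_conf` presumably enables but this diff does not show. Please confirm that download exists, otherwise the build record disappears silently. `distr::packer_conf` splices `${BUILD_INFO}` into the template unescaped; as a readonly path from env.properties that is acceptable, but a comment saying so, `# BUILD_INFO is a fixed path from env.properties, not user input, so no HCL escaping is needed`, would keep the pattern from being copied for user-controlled values.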
@@ -165,6 +168,7 @@ dnf upgrade -y oraclelinux-release-el8
 # Install latest kernel, that way it will be available at first boot and
 # allow proper cleanup
 KERNEL=uek
+UEK_RELEASE=7
 echo "Kernel update (${KERNEL^^})"
 echo "Running kernel: $(uname -r)"
@@ -174,8 +178,12 @@ rpm -qa | grep '^kernel' | sort
 kernel="kernel"
 dnf_options=""
 if [[ "${KERNEL,,}" = "uek" ]]; then
- dnf_options="${dnf_options} --enablerepo ol8_UEKR6"
- kernel="kernel-uek"
+ dnf_options="--disablerepo ol8_UEKR\* --enablerepo ol8_UEKR${UEK_RELEASE}"
+ if [[ ${UEK_RELEASE} == 6 ]]; then
+ kernel="kernel-uek"
+ else
+ kernel="kernel-uek-core"
+ fi
 fi
 # Set default kernel
diff --git a/oracle-linux-image-tools/distr/ol8-slim/provision.sh b/oracle-linux-image-tools/distr/ol8-slim/provision.sh
index 9e4d5ad..4a422fb 100644
--- a/oracle-linux-image-tools/distr/ol8-slim/provision.sh
+++ b/oracle-linux-image-tools/distr/ol8-slim/provision.sh
@@ -2,14 +2,15 @@
 #
 # Packer provisioning script for OL8
 #
-# Copyright (c) 2019,2022 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2022 Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # https://oss.oracle.com/licenses/upl
 #
-# Description: provision an OL8 image. This module provides 2 functions,
+# Description: provision an OL8 image. This module provides 3 functions,
 # both are optional.
 # distr::provision: provision the instance
 # distr::cleanup: instance cleanup before shutdown
+# distr::seal: final instance sealing
 #
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 #
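Review bot: `dnf_options="--disablerepo ol8_UEKR\* --enablerepo ol8_UEKR${UEK_RELEASE}"` stores a literal backslash (`\*` is not an escape inside double quotes), so the unquoted expansion at the use site hands dnf `ol8_UEKR\*` instead of the `ol8_UEKR*` glob; as far as I can tell that disables nothing, and the kernel selected then depends on which UEK repositories are enabled by default rather than on `UEK_RELEASE`. An array keeps the glob intact and avoids word splitting: change the context line to `dnf_options=()` and this one to `dnf_options=(--disablerepo 'ol8_UEKR*' --enablerepo "ol8_UEKR${UEK_RELEASE}")`, expanded as `"${dnf_options[@]}"` where it is consumed, outside this hunk.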
@@ -65,43 +66,42 @@ distr::kernel_config() {
 # shellcheck disable=SC2153
 echo_message "Configure kernel: ${KERNEL^^}"
 echo_message "Running kernel: $(uname -r)"
- # Add virtual drivers for xen,virtualbox and hyperv into the initrd using
- # dracut configuration files so that they get installed into the initrd
- # during fresh kernel installs.
- # This makes it is easy to move VM images between these virtual environments
-
- # Available virtio modules depends on kernel build...
- local virtio modules
- modules=$(find "/lib/modules/$(uname -r)" -name "virtio*.ko*" -printf '%f\n')
- while read -r module; do
- virtio="${virtio} ${module%.ko*}"
- done <<<"${modules}"
-
- cat > /etc/dracut.conf.d/01-dracut-vm.conf <<-EOF
- add_drivers+=" xen_netfront xen_blkfront "
- add_drivers+=" ${virtio} "
- add_drivers+=" hyperv_keyboard hv_netvsc hid_hyperv hv_utils hv_storvsc hyperv_fb "
- add_drivers+=" ahci libahci "
- EOF
+
+ # Note: there is no need to force drivers in intrd as dracut-config-generic
+ # is installed
 # Configure repos and remove old kernels
 if [[ "${KERNEL,,}" = "uek" ]]; then
- kernel="kernel-uek"
- dnf config-manager --set-enabled ol8_UEKR6
+ dnf config-manager --disable ol8_UEKR\* || :
+ dnf config-manager --enable "ol8_UEKR${UEK_RELEASE}"
+ kernel_list=( "kernel-uek" "kernel-uek-core" )
 distr::remove_rpms kernel
 else
- kernel="kernel"
- distr::remove_rpms kernel-uek
+ kernel_list=( "kernel" )
+ distr::remove_rpms kernel-uek kernel-uek-core
 fi
 current_kernel=$(uname -r)
- kernels=$(rpm -q ${kernel} --qf "%{VERSION}-%{RELEASE}.%{ARCH} ")
- for old_kernel in $kernels; do
- if [[ ${old_kernel} != "${current_kernel}" ]]; then
- distr::remove_rpms "${kernel}-${old_kernel}"
+ for kernel in "${kernel_list[@]}"; do
+ if kernels=$(rpm -q "${kernel}" --qf "%{VERSION}-%{RELEASE}.%{ARCH} "); then
+ for old_kernel in $kernels; do
+ if [[ ${old_kernel} != "${current_kernel}" ]]; then
+ distr::remove_rpms "${kernel}-${old_kernel}"
+ fi
+ done
 fi
 done
+ if [[ ${KERNEL,,} = "uek" && ${UEK_RELEASE} != 6 ]]; then
+ if [[ ${KERNEL_MODULES,,} == "no" ]]; then
+ echo_message "Removing kernel modules"
+ distr::remove_rpms kernel-uek-modules
+ else
+ echo_message "Ensure kernel modules are installed"
+ dnf install -y kernel-uek
+ fi
+ fi
+
 # Workaround for orabug 32816428
 if [[ "${KERNEL,,}" = "uek" && -f "/etc/ld.so.conf.d/kernel-${current_kernel}.conf" ]]; then
 cat > "/etc/ld.so.conf.d/kernel-${current_kernel}.conf" <<-EOF
@@ -118,6 +118,7 @@ distr::kernel_config() {
 echo_message "Linux firmware: ${LINUX_FIRMWARE^^}"
 if [[ "${LINUX_FIRMWARE,,}" = "no" ]]; then
+ echo_message "Removing linux firmware"
 distr::remove_rpms linux-firmware
 fi
 }
@@ -347,7 +348,6 @@ distr::cleanup() {
 rm -rf /var/log/sa/*
 rm -rf /var/log/acpid /var/log/boot.log /var/log/cron /var/log/dmesg.* /var/log/ovm*
 rm -rf /poweroff
- rm -rf /tmp/*
 rm -f /etc/ssh/ssh_host_*
 rm -rf /root/*
 rm -f /etc/udev/rules.d/70-persistent-net.rules
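Review bot: `kernel_list` is a new variable that is not covered by the function's `local` declaration (that line sits before this hunk), so it leaks into the global scope of the provisioning shell; add `local -a kernel_list` ahead of the `if`. The KERNEL_MODULES branch installs `kernel-uek` when modules are wanted, but the `LINUX_FIRMWARE=no` removal that follows later in this function drags `kernel-uek-modules` back out on UEK7 according to the env.properties comment in this change, so a `# NOTE: LINUX_FIRMWARE=no removes kernel-uek-modules again on UEK7` next to the `dnf install` would spare the next reader a surprise. `intrd` in the new comment should be `initrd`. distr::kernel_config continues past the end of this hunk.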
@@ -365,11 +365,37 @@ distr::cleanup() {
 rpm -qa --qf "%{name}.%{arch}\n" | sort -u > "${BUILD_INFO}/pkglist.txt"
 rpm -qa --qf '"%{NAME}","%{EPOCHNUM}","%{VERSION}","%{RELEASE}","%{ARCH}"\n' | sort > "${BUILD_INFO}/pkglist.csv"
 uname -r > "${BUILD_INFO}/kernel.txt"
+}
+
+#######################################
+# Final seal of the image
+# Globals:
+# BUILD_INFO
+# Returns:
+# None
+#######################################
+distr::seal() {
+ echo_message "File cleanup"
+ : > /var/log/wtmp
+ : > /var/log/lastlog
+ rm -f /var/log/audit/audit.log
+ rm -f /var/log/tuned/tuned.log
+ rm -rf /root/.gemrc /root/.gem
+ rm -rf /var/spool/root /var/spool/mail/root
+ rm -rf /var/lib/NetworkManager
+ [[ -n "${BUILD_INFO}" ]] && rm -rf "${BUILD_INFO}"
+ rm -rf /var/tmp/* /tmp/*
 echo_message "Relabel SELinux"
 genhomedircon
 fixfiles -f -F relabel
 restorecon -R / || true
- history -c
- swapoff -a
+
+ echo_message "Trim filesystem"
+ sync; sync; sync
+ for fs in /boot /; do
+ echo_message " ${fs}"
+ dd if=/dev/zero of="${fs}"/EMPTY bs=1M >/dev/null 2>&1 || :
+ rm -f "${fs}"/EMPTY
+ done
 }
diff --git a/oracle-linux-image-tools/distr/ol9-aarch64/env.properties b/oracle-linux-image-tools/distr/ol9-aarch64/env.properties
new file mode 100644
index 0000000..3a7a99a
--- /dev/null
+++ b/oracle-linux-image-tools/distr/ol9-aarch64/env.properties
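Review bot: `swapoff -a` is removed from `distr::cleanup` here and not carried into `distr::seal`, so with `SETUP_SWAP=yes` the swap area is still active when the image is captured and whatever the build paged out — possibly including secrets the provisioners held in memory — ships in the swap partition of every instance built from it. Put `swapoff -a` at the top of `distr::seal`, and since the zero-fill loop only covers `/boot` and `/`, scrub the swap device as well and re-run `mkswap` with the existing UUID so `/etc/fstab` still resolves; that is a few lines, sketched below. Dropping `history -c` is harmless for a non-interactive session, but `rm -rf /root/*` in the cleanup does not match dotfiles, so `rm -f /root/.bash_history` in the seal is cheap insurance.

```shell
distr::seal() {
  echo_message "File cleanup"
  # … unchanged: log, spool and temp file removal …

  # Swap is still active here; scrub it so paged-out build memory does not
  # ship in the image. NOTE(review): assumes swap partitions, not swap files.
  echo_message "Scrub swap"
  swapoff -a
  for dev in $(blkid -t TYPE=swap -o device); do
    uuid=$(blkid -s UUID -o value "${dev}")
    dd if=/dev/zero of="${dev}" bs=1M >/dev/null 2>&1 || :
    mkswap -U "${uuid}" "${dev}"   # keep the UUID so /etc/fstab still resolves
  done

  # … unchanged: SELinux relabel and filesystem trim …
}
```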
@@ -0,0 +1,65 @@
+# Default parameter for the distribution.
+# Do NOT change anything in this file, customisation must be done in separate
+# env file.
+
+# Distribution name
+DISTR_NAME="OL9U0_aarch64"
+
+# Distribution release
+readonly ORACLE_RELEASE=9
+
+# Setup swap?
+SETUP_SWAP="yes"
+
+# Root filesystem: xfs, lvm or btrfs
+ROOT_FS="xfs"
+
+# Label of the ISO image
+ISO_LABEL="OL-9-0-0-BaseOS-aarch64"
+
+# Boot command
+# Variables MUST be escaped as they are evaluated at build time.
+BOOT_COMMAND=(
+ 'c'
+ 'linux /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=${ISO_LABEL} ro '
+ 'inst.text inst.notmux inst.ks=${KS_CONFIG} setup_swap=${SETUP_SWAP} '
+ 'biosdevname=0 net.ifnames=0'
+ 'initrd /images/pxeboot/initrd.img'
+ 'boot'
+)
+
+# Kernel: must be UEK!
+readonly KERNEL="uek"
+
+# Keep rescue kernel: yes, no
+# Keeping rescue kernel will increase the image size and is most propbalbly
+# not very useful in cloud environment.
+# Note that if you enable rescue kernel and due the way BLS config works, you
+# will have a second rescue kernel the first time kernel is upgrade as the
+# machine-id differs between image build and deployed VM.
+RESCUE_KERNEL="no"
+
+# Authselect: default is set to "minimal" which should cover most use cases.
+# If an alternative auth profile is needed it can be specified with the
+# AUTHSELECT parameter, e.g.:
+# AUTHSELECT="select sssd"
+AUTHSELECT=""
+
+# Update: yes, security, no
+UPDATE_TO_LATEST="yes"
+
+# Keep kernel-modules packages: yes, no
+# Core kernel should suffice for all cloud images
+KERNEL_MODULES="no"
+
+# Exclude documentation (man pages, info files, doc files)? yes, no, minimal
+# When "yes" is selected, dnf wil be configured to exclude all documentation
+# ("tsflags=nodocs" parameter).
+# If you plan to re-distribute the image, you might need to keep the
+# "/usr/share/doc" directory which contains the packages licence terms.
+# The "minimal" option will remove man pages and info files, but will keep the
+# "/usr/share/doc" directory.
+EXCLUDE_DOCS="no"
+
+# Directory used to save build information
+readonly BUILD_INFO="/.build-info"
diff --git a/oracle-linux-image-tools/distr/ol9-aarch64/image-scripts.sh b/oracle-linux-image-tools/distr/ol9-aarch64/image-scripts.sh
new file mode 100755
index 0000000..9cf2926
--- /dev/null
+++ b/oracle-linux-image-tools/distr/ol9-aarch64/image-scripts.sh
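Review bot: The comments carry several typos — `propbalbly` → `probably` and `upgrade` → `upgraded` in the RESCUE_KERNEL block, `wil` → `will` in the EXCLUDE_DOCS block; the same text is repeated in the new oracle-linux-image-tools/distr/ol9-slim/env.properties. `readonly KERNEL="uek"` also deserves a word for users: the header sends customisation to a separate env file, yet if that file is sourced after this one any attempt to set KERNEL there will fail with a read-only variable error, which is presumably the intended guard on aarch64. Suggested comment: `# Kernel: must be UEK! KERNEL is read-only here and cannot be overridden in a custom env file.`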
@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+#
+# image scripts for OL9 - aarch64
+#
+# Copyright (c) 2022 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# https://oss.oracle.com/licenses/upl
+#
+# Description: this module provides the following function:
+# distr::validate: basic parameter validation
+# distr::kickstart: hook for kickstart file updates
+# distr::packer_conf: hook for packer configuration file updates
+# distr::image_cleanup: distribution specific actions to cleanup the image
+# All functions are optional
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+
+#######################################
+# Validate distribution parameters
+# Globals:
+# ISO_LABEL RESCUE_LERNEL ROOT_FS
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::validate() {
+ [[ "${ROOT_FS,,}" =~ ^(xfs)|(btrfs)|(lvm)$ ]] || error "ROOT_FS must be xfs, btrfs or lvm"
+ [[ "${ROOT_FS,,}" = "btrfs" ]] && echo_message "Note that for btrfs root filesystem you need to use an UEK boot ISO"
+ [[ "${RESCUE_KERNEL,,}" =~ ^(yes)|(no)$ ]] || error "RESCUE_KERNEL must be yes or no"
+ [[ -n ${ISO_LABEL} ]] || error "ISO_LABEL must be provided"
+ [[ "${KERNEL_MODULES,,}" =~ ^(yes)|(no)$ ]] || error "KERNEL_MODULES must be yes or no"
+ [[ "${EXCLUDE_DOCS,,}" =~ ^(yes)|(no)|(minimal)$ ]] || error "EXCLUDE_DOCS must be yes, no or minimal"
+ readonly ROOT_FS RESCUE_KERNEL ISO_LABEL KERNEL_MODULES EXCLUDE_DOCS
+}
+
+#######################################
+# Kickcstart fixup
+# Globals:
+# RESCUE_KERNEL ROOT_FS
+# Arguments:
+# kickstart file name
+# Returns:
+# None
+#######################################
+distr::kickstart() {
+ local ks_file="$1"
+
+ local btrfs="\
+part btrfs.01 --fstype=\"btrfs\" --ondisk=sda --size=4096 --grow\n\
+btrfs none --label=btrfs_vol --data=single btrfs.01\n\
+btrfs / --subvol --name=root LABEL=btrfs_vol\n\
+btrfs /boot --subvol --name=boot LABEL=btrfs_vol\n\
+btrfs /home --subvol --name=home LABEL=btrfs_vol\
+"
+ local lvm="\
+part pv.01 --ondisk=sda --size=4096 --grow\n\
+volgroup vg_main pv.01\n\
+logvol swap --fstype=\"swap\" --vgname=vg_main --size=4096 --name=lv_swap\n\
+logvol / --fstype=\"xfs\" --vgname=vg_main --size=4096 --name=lv_root --grow\
+"
+
+ # Kickstart file is populated for xfs
+ if [[ "${ROOT_FS,,}" = "btrfs" ]]; then
+ sed -i -e '/^part \/boot /d' -e 's!^part / .*$!'"${btrfs}"'!' "${ks_file}"
+ elif [[ "${ROOT_FS,,}" = "lvm" ]]; then
+ sed -i -e '/^part swap/d' -e 's!^part / .*$!'"${lvm}"'!' "${ks_file}"
+ fi
+
+ # Pass kernel and rescue kernel selections
+ sed -i -e 's!^KERNEL=.*$!KERNEL='"${KERNEL}"'!' "${ks_file}"
+ sed -i -e 's!^RESCUE_KERNEL=.*$!RESCUE_KERNEL='"${RESCUE_KERNEL}"'!' "${ks_file}"
+
+ # Override authselect if needed
+ if [[ -n ${AUTHSELECT} ]]; then
+ sed -i -e 's!^authselect .*$!authselect '"${AUTHSELECT}"'!' "${ks_file}"
+ fi
+
+ # Docs
+ sed -i -e 's!^EXCLUDE_DOCS=.*$!EXCLUDE_DOCS='"${EXCLUDE_DOCS}"'!' "${ks_file}"
+ if [[ "${EXCLUDE_DOCS,,}" = "yes" ]]; then
+ sed -i -e 's!^%packages!%packages --excludedocs!' "${ks_file}"
+ fi
+}
+
+#######################################
+# Packer configuration
+# Globals:
+# BUILD_INFO
+# Arguments:
+# Packer configuration file
+# Returns:
+# None
+#######################################
+distr::packer_conf() {
+ if [[ -c /dev/kvm ]]; then
+ cat >>"$1" <<-EOF
+ accel = "kvm"
+ EOF
+ fi
+ if [[ -n "${BUILD_INFO}" ]]; then
+ cat >>"$1" <<-EOF
+ build_info = "${BUILD_INFO}"
+ EOF
+ fi
+}
+
+#######################################
+# Cleanup actions run directly on the image
+# Globals:
+# WORKSPACE VM_NAME BUILD_INFO
+# Arguments:
+# root filesystem directory
+# boot filesystem directory
+# Returns:
+# None
+#######################################
+# distr::image_cleanup() {
+# :
+# }
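Review bot: The `=~` patterns in distr::validate are mis-anchored: in `^(xfs)|(btrfs)|(lvm)$` the alternation binds looser than the anchors, so `^` applies only to `xfs` and `$` only to `lvm`, and constructed values such as `xfs2` or `mybtrfs` pass validation; the same holds for `^(yes)|(no)$` and `^(yes)|(no)|(minimal)$`. Use `^(xfs|btrfs|lvm)$`, `^(yes|no)$` and `^(yes|no|minimal)$`. The identical patterns are in distr::validate of the new oracle-linux-image-tools/distr/ol9-slim/image-scripts.sh. The `Globals:` line of that header reads `RESCUE_LERNEL` (should be `RESCUE_KERNEL`) and omits KERNEL_MODULES and EXCLUDE_DOCS, which the function also reads. In distr::kickstart, `${AUTHSELECT}` is spliced unescaped into a sed replacement, so a value containing `!`, `&` or `\` would change the expression; if that is acceptable for a build-time setting, a comment saying so on the `# Override authselect if needed` line would save the next reader the question.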
diff --git a/oracle-linux-image-tools/distr/ol9-aarch64/ol9-aarch64-ks.cfg b/oracle-linux-image-tools/distr/ol9-aarch64/ol9-aarch64-ks.cfg
new file mode 100644
index 0000000..0b834ec
--- /dev/null
+++ b/oracle-linux-image-tools/distr/ol9-aarch64/ol9-aarch64-ks.cfg
@@ -0,0 +1,217 @@ +# OL9 aarch64 kickstart file +# System authorization information +authselect select minimal with-faillock with-silent-lastlog with-pamaccess + +# Command line install +cmdline +text + +# Run the Setup Agent on first boot +eula --agreed +firstboot --disable + +# Only use the "system disk" +ignoredisk --only-use=sda + +# Keyboard layouts +keyboard --vckeymap=us --xlayouts='us' + +# System language +lang en_US.UTF-8 + +# reboot at the end +reboot + +# System timezone +timezone UTC --utc + +# Network information +network --bootproto=dhcp --device=eth0 --onboot=yes --ipv6=auto --hostname=localhost.localdomain + +# URL to an installation tree on a remote server + +# Additional yum repositories that may be used as sources for package installation. + +# Root password -- will be overridden by the builder +rootpw --lock + +# System services +services --disabled="kdump,rhsmcertd" --enabled="firewalld,sshd,rsyslog,chronyd" +selinux --enforcing +firewall --service=ssh + +# System bootloader configuration +bootloader --append="no_timer_check net.ifnames=0 biosdevname=0 crashkernel=auto" --location=mbr --timeout=1 --boot-drive=sda + +# Partition clearing information +zerombr +clearpart --all --initlabel --drives=sda + +# Disk partitioning information +part /boot/efi --fstype="efi" --ondisk=sda --size=512 +part /boot --fstype="xfs" --ondisk=sda --size=1024 --label=/boot +part swap --fstype="swap" --ondisk=sda --size=4096 --label=swap +part / --fstype="xfs" --ondisk=sda --size=4096 --label=root --grow + +# '--nocore' adds @core to the exclusion list, which generates issues when it +# is added in the package list... 
+%packages +# Removed from the "Mandatory" Core group packages: +-audit +-dnf-plugin-spacewalk +-iproute-tc +-irqbalance +-parted +-rhn-client-tools +-rhn-setup +-rhnlib +-rhnsd +-rng-tools +-sssd-common +-sssd-kcm + +# Removed from the "Default" Core group packages: +-NetworkManager-team +-NetworkManager-tui +-iwl100-firmware +-iwl1000-firmware +-iwl105-firmware +-iwl135-firmware +-iwl2000-firmware +-iwl2030-firmware +-iwl3160-firmware +-iwl3945-firmware +-iwl4965-firmware +-iwl5000-firmware +-iwl5150-firmware +-iwl6000g2a-firmware +-iwl6050-firmware +-iwl7260-firmware +-lshw +-lsscsi +-microcode_ctl +-prefixdevname +-sg3_utils +-sg3_utils-libs + +# hwdata blacklists several modules, a.o. the fb (frame buffer) ones +hwdata + +# Create a generic image +dracut-config-generic +cloud-utils-growpart + +# Guest agent is missing when build in emulated tcg mode +qemu-guest-agent + +# Ironing out differences between full dvd and boot iso +elfutils-debuginfod-client +-flashrom +freetype +-gawk-all-langpacks +-glibc-all-langpacks +glibc-langpack-en +-glibc-gconv-extra +graphite2 +grub2-tools-extra +harfbuzz +-libcap-ng-python3 +libpng +openssl-pkcs11 +python-unversioned-command.noarch +rpm-plugin-systemd-inhibit +rsyslog-logrotate +zstd +%end + +# dracut-shutdown services can take a bit longer than the default 90 seconds +# If it doesn't finish, the system won't be able to reboot after install... 
+%pre --interpreter /bin/bash +mkdir -p /run/systemd/system/dracut-shutdown.service.d +cat > /run/systemd/system/dracut-shutdown.service.d/override.conf <<-EOF +[Service] +TimeoutStopSec=900 +EOF +systemctl daemon-reload +%end + +%post --interpreter /bin/bash --log=/root/ks-post.log + +# ToDo: this might not be necessary +echo "Network fixes" +cat > /etc/sysconfig/network << EOF +NETWORKING=yes +NOZEROCONF=yes +EOF + +# generic localhost names +cat > /etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF + +# make sure firstboot doesn't start +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +echo "Kernel configuration" +# Remove the big rescue image if present +RESCUE_KERNEL=no +if [[ "${RESCUE_KERNEL,,}" = "no" ]]; then + dnf remove -y dracut-config-rescue + rm -f /boot/{initramfs,vmlinuz}-0-rescue-$(cat /etc/machine-id)* + rm -f /boot/loader/entries/$(cat /etc/machine-id)-0-rescue.conf +fi + +# Allow password login +cat > /etc/ssh/sshd_config.d/01-permitrootlogin.conf << EOF +# Allow root to log in using ssh. Remove this file to opt-out. +PermitRootLogin yes +EOF + +EXCLUDE_DOCS="no" +echo "Exclude documentation: ${EXCLUDE_DOCS^^}" +if [[ "${EXCLUDE_DOCS,,}" = "yes" ]]; then + echo "tsflags=nodocs" >> /etc/dnf/dnf.conf +fi + +# Get latest release file +dnf upgrade -y oraclelinux-release-el9 + +# Install latest kernel, that way it will be available at first boot and +# allow proper cleanup +KERNEL=uek +echo "Kernel update (${KERNEL^^})" + +echo "Running kernel: $(uname -r)" +echo "Kernel(s) installed:" +rpm -qa | grep '^kernel' | sort + +dnf_options="--enablerepo ol9_UEKR7" +kernel="kernel-uek-core" + +# Set default kernel +sed -i -e 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL='"${kernel}"'/' /etc/sysconfig/kernel + +if rpm --quiet -q "${kernel}"; then + echo "Kernel ${kernel} already installed" + dnf check-update ${dnf_options} ${kernel} + if [[ $? 
== "100" ]]; then + # Get latest version + dnf update -y ${dnf_options} ${kernel} + else + # No update available; ensure it is the default boot kernel + version=$(rpm -q "${kernel}") + grubby --set-default="/boot/vmlinuz${version#${kernel}}" + fi +else + dnf install -y ${dnf_options} ${kernel} +fi + +# Ensure we have the correct boot options +grub2-mkconfig -o /boot/grub2/grub.cfg + +%end + +%addon com_redhat_kdump --disable +%end diff --git a/oracle-linux-image-tools/distr/ol9-aarch64/provision.sh b/oracle-linux-image-tools/distr/ol9-aarch64/provision.sh new file mode 100644 index 0000000..65233f9 --- /dev/null +++ b/oracle-linux-image-tools/distr/ol9-aarch64/provision.sh 
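Review bot: `%post --interpreter /bin/bash --log=/root/ks-post.log` has no `--erroronfail`, so a failed `dnf upgrade` or `dnf install` of the kernel does not stop the installation, although the new ol9-aarch64/provision.sh states in its distr::kernel_config header that the selected kernel is "Asserted in the kickstart file"; suggest `%post --interpreter /bin/bash --log=/root/ks-post.log --erroronfail`. The same applies to the `%post` of the new oracle-linux-image-tools/distr/ol9-slim/ol9-ks.cfg. The `PermitRootLogin yes` drop-in written here relies on distr::cleanup in provision.sh to remove it before the image is sealed, and that coupling is not stated in this file; a comment such as `# Build-time only: removed by distr::cleanup in provision.sh before sealing` above the `cat > /etc/ssh/sshd_config.d/01-permitrootlogin.conf` line would make the dependency visible.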
@@ -0,0 +1,351 @@ +#!/usr/bin/env bash +# +# Packer provisioning script for OL9 - aarch64 +# +# Copyright (c) 2022 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at +# https://oss.oracle.com/licenses/upl +# +# Description: provision an OL9 image. This module provides 3 functions, +# both are optional. +# distr::provision: provision the instance +# distr::cleanup: instance cleanup before shutdown +# distr::seal: final instance sealing +# +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. +# + +# Constants +readonly DRACUT_CMD="dracut --no-early-microcode --force" + +####################################### +# Invoke dnf to remove packages +# Globals: +# None +# Arguments: +# List of packages to be removed +# Returns: +# None +####################################### +distr::remove_rpms() { + # clean_requirements_on_remove is default with dnf + dnf -C -y remove "$@" +} + +####################################### +# Print kickstart log +# Globals: +# Arguments: +# None +# Returns: +# None +####################################### +distr::ks_log() { + if [[ -f "/root/ks-post.log" ]]; then + echo_message "Kickstart post log - Start" + cat /root/ks-post.log + rm /root/ks-post.log + echo_message "Kickstart post log - End" + fi +} + +####################################### +# Kernel configuration +# Assume that we already run the latest selected kernel +# (Asserted in the kickstart file) +# Globals: +# DRACUT_CMD, KERNEL, UPDATE_TO_LATEST +# Arguments: +# None +# Returns: +# None +####################################### +distr::kernel_config() { + local current_kernel kernel kernels old_kernel + + # shellcheck disable=SC2153 + echo_message "Configure kernel: ${KERNEL^^}" + echo_message "Running kernel: $(uname -r)" + + # Note: there is no need to force drivers in intrd as dracut-config-generic + # is installed + + # Configure repos and remove old kernels + kernel="kernel-uek" + dnf config-manager --set-enabled ol9_UEKR7 
+ + current_kernel=$(uname -r) + kernels=$(rpm -q "${kernel}-core" --qf "%{VERSION}-%{RELEASE}.%{ARCH} ") + for old_kernel in $kernels; do + if [[ ${old_kernel} != "${current_kernel}" ]]; then + distr::remove_rpms "${kernel}-core-${old_kernel}" + fi + done + + # Clean dnf cache which contains odd dependencies and prevents removal + # of kernel modules + rm -rf /var/cache/dnf/* + rm -rf /var/lib/dnf/* + if [[ ${KERNEL_MODULES,,} == "no" ]]; then + echo_message "Removing kernel modules and linux firmware" + distr::remove_rpms "${kernel}-modules" linux-firmware + else + echo_message "Ensure kernel modules are installed" + dnf install -y ${kernel} linux-firmware + fi + + # Regenerate initrd + ${DRACUT_CMD} -f "/boot/initramfs-${current_kernel}.img" "${current_kernel}" + + # Ensure grub is properly setup + grub2-mkconfig -o /etc/grub2-efi.cfg + grubby --set-default="/boot/vmlinuz-${current_kernel}" +} + +####################################### +# Common configuration +# Globals: +# UPDATE_TO_LATEST, BUILD_INFO +# Arguments: +# None +# Returns: +# None +####################################### +distr::common_cfg() { + local service + + # Directory to save build information + mkdir -p "${BUILD_INFO}" + + # Run dnf update if flag is set to yes in image build page + echo_message "Update image: ${UPDATE_TO_LATEST^^}" + if [[ "${UPDATE_TO_LATEST,,}" = "yes" ]]; then + dnf update -y + elif [[ "${UPDATE_TO_LATEST,,}" = "security" ]]; then + dnf update --security -y + fi + + # SSSD profile needs clients + if authselect current -r | grep -q '^sssd'; then + echo_message "Installing SSSD client" + dnf install -y sssd-client + fi + + # If you want to remove rsyslog and just use journald, remove this! 
+ echo_message "Disabling persistent journal" + rm -rf /var/log/journal/ + + # setup systemd to boot to the right runlevel + echo_message "Setting default runlevel to multiuser text mode" + rm -f /etc/systemd/system/default.target + ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + + echo_message "Disable services" + # NetworkManager.service + for service in \ + kdump.service \ + ntpd.service \ + ntpdate.service \ + plymouth-quit-wait.service \ + plymouth-start.service \ + rhnsd.service \ + sendmail.service \ + sntp.service \ + syslog.target + do + # Most of these aren't enabled, errors are expected... + echo_message " ${service}" + systemctl disable ${service} 2>&1 || true + done + + echo_message "Set rp_filter to loose mode" + echo "net.ipv4.conf.default.rp_filter = 2" >> /etc/sysctl.conf + + echo_message "Set SELinux to ${SELINUX^^}" + sed -i -e "s/^SELINUX[ ]*=.*/SELINUX=${SELINUX,,}/" /etc/selinux/config + if [[ ${SELINUX,,} != "enforcing" ]]; then + # Relax SELinux for the provisioning as well + setenforce Permissive + fi + + echo_message "Clear network persistent data" + rm -f /etc/udev/rules.d/70-persistent-net.rules + + echo_message "Configure dnf" + # bypass update kernel-uek-headers + echo "exclude=kernel-uek-headers" >> /etc/dnf/dnf.conf + # fix "Metadata file does not match checksum" for public-yum + # https://forums.oracle.com/thread/2550364 + echo "http_caching=none" >> /etc/dnf/dnf.conf + + echo_message "Remove unneeded RPMs" + distr::remove_rpms \ + iwl7265-firmware \ + mozjs17 \ + polkit \ + polkit-pkla-compat \ + microcode_ctl +} + +####################################### +# Provisioning +# Globals: +# Arguments: +# None +# Returns: +# None +####################################### +distr::provision() { + distr::ks_log + distr::kernel_config + distr::common_cfg +} + +####################################### +# Cleanup +# Globals: +# BUILD_INFO +# Arguments: +# None +# Returns: +# None 
+####################################### +distr::cleanup() { + echo_message "Stoppping services" + systemctl stop rsyslog || true + systemctl stop auditd || true + + echo_message "Dnf cleanup" + dnf -q repolist > "${BUILD_INFO}/repolist.txt" + : > /etc/dnf/vars/ociregion + rm -rf /var/cache/dnf/* + rm -rf /var/lib/dnf/* + find /etc/ -name "./*.uln-*" -exec rm -rf {} \; + + # Cleanup and regenerate /etc/machine-id + echo_message "Reset machine id" + : > /etc/machine-id + if ! grep -q setup-machine-id /usr/lib/systemd/system/systemd-firstboot.service; then + sed -i -e "/^ExecStart=/s/$/ --setup-machine-id/" /usr/lib/systemd/system/systemd-firstboot.service + fi + rm -f /var/lib/systemd/random-seed + + echo_message "Cleanup all log files" + rm -f /var/log/anaconda.* /var/log/oraclevm-template.log + rm -f /tmp/ks* + rm -f /root/install.log /root/install.log.syslog /root/anaconda-ks.cfg + : > /etc/resolv.conf + /bin/rm -f /etc/resolv.conf.* + /bin/rm -f /var/lib/dhclient/* + [ -e /var/log/acpid ] && : > /var/log/acpid + [ -e /var/log/messages ] && : > /var/log/messages + [ -e /var/log/btmp ] && : > /var/log/btmp + [ -e /var/log/grubby ] && : > /var/log/grubby + [ -e /var/log/secure ] && : > /var/log/secure + [ -e /var/log/wtmp ] && : > /var/log/wtmp + [ -e /var/log/boot.log ] && : > /var/log/boot.log + [ -e /var/log/dracut.log ] && : > /var/log/dracut.log + [ -e /var/log/tuned/tuned.log ] && : > /var/log/tuned/tuned.log + [ -e /var/log/maillog ] && : > /var/log/maillog + [ -e /var/log/lastlog ] && : > /var/log/lastlog + [ -e /var/log/dnf.log ] && : > /var/log/dnf.log + [ -e /var/log/dnf.librepo.log ] && : > /var/log/dnf.librepo.log + [ -e /var/log/dnf.rpm.log ] && : > /var/log/dnf.rpm.log + [ -e /var/log/ovm-template-config.log ] && rm -f /var/log/ovm-template-config.log + /bin/rm -f /var/log/audit/audit.log* + [ -e /var/log/audit/audit.log ] && : > /var/log/audit/audit.log + + # Lock root user + if [[ "${LOCK_ROOT,,}" = "yes" ]]; then + passwd -d root + passwd -l root 
+ fi + rm -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf + + # cleanup ssh config files + if [ -z "${SSH_KEY_FILE}" ]; then + [ -d /root/.ssh ] && /bin/rm -fr /root/.ssh + else + find /root/.ssh -type f -not -name authorized_keys -delete + fi + + # Rebuild rpmdb to save some space + rpm --rebuilddb + + # Remove man and info pages + echo_message "Exclude documentation: ${EXCLUDE_DOCS^^}" + if [[ "${EXCLUDE_DOCS,,}" = "minimal" ]]; then + rm -rf /usr/share/{man,info} + fi + + # cleanup vnc cache files + if [ -d /root/.vnc ]; then + /bin/rm -f /root/.vnc/*.log + /bin/rm -f /root/.vnc/passwd + fi + + rm -rf /var/log/cups/error_log + rm -rf /var/log/setroubleshoot/setroubleshootd.log + rm -rf /var/log/spooler + # cleanup bash history + [ -e /root/.bash_history ] && : > /root/.bash_history + rm -f /root/.viminfo + rm -rf /.autorelabel + rm -rf /var/log/mail/statistics + rm -rf /var/log/sa/* + rm -rf /var/log/acpid /var/log/boot.log /var/log/cron /var/log/dmesg.* /var/log/ovm* + rm -rf /poweroff + rm -f /etc/ssh/ssh_host_* + rm -rf /root/* + rm -f /etc/udev/rules.d/70-persistent-net.rules + rm -f /etc/udev/rules.d/70-persistent-cd.rules + + find /var/log -type f | while read -r f; do echo -ne '' > "$f"; done; + find /etc/ -name "*.old" -exec rm -f {} \; + rm -f /etc/sysconfig/network-scripts/ifcfg-enp* + rm -rf /lost+found/* + rm -rf /root/.vbox_version + export HISTSIZE=0 + rm -f /var/log/ovm-template-config.log + + echo_message "Save list of installed packages" + rpm -qa --qf "%{name}.%{arch}\n" | sort -u > "${BUILD_INFO}/pkglist.txt" + rpm -qa --qf '"%{NAME}","%{EPOCHNUM}","%{VERSION}","%{RELEASE}","%{ARCH}"\n' | sort > "${BUILD_INFO}/pkglist.csv" + uname -r > "${BUILD_INFO}/kernel.txt" + + history -c + swapoff -a +} + +####################################### +# Final seal of the image +# Globals: +# BUILD_INFO +# Returns: +# None +####################################### +distr::seal() { + echo_message "File cleanup" + : > /var/log/wtmp + : > /var/log/lastlog + rm 
-f /var/log/audit/audit.log + rm -f /var/log/tuned/tuned.log + rm -rf /root/.gemrc /root/.gem + rm -rf /var/spool/root /var/spool/mail/root + rm -rf /var/lib/NetworkManager + [[ -n "${BUILD_INFO}" ]] && rm -rf "${BUILD_INFO}" + rm -rf /var/tmp/* /tmp/* + + echo_message "Relabel SELinux" + genhomedircon + fixfiles -f -F relabel + restorecon -R / || true + + echo_message "Trim filesystem" + sync; sync; sync + for fs in /boot /; do + echo_message " ${fs}" + dd if=/dev/zero of="${fs}"/EMPTY bs=1M >/dev/null 2>&1 || : + rm -f "${fs}"/EMPTY + done +} diff --git a/oracle-linux-image-tools/distr/ol9-slim/env.properties b/oracle-linux-image-tools/distr/ol9-slim/env.properties new file mode 100644 index 0000000..ecfd4cb --- /dev/null +++ b/oracle-linux-image-tools/distr/ol9-slim/env.properties 
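Review bot: `find /etc/ -name "./*.uln-*" -exec rm -rf {} \;` in distr::cleanup is a no-op: `-name` is matched against the basename only and a pattern containing `/` can never match, so no `*.uln-*` file is ever removed; use `find /etc/ -name "*.uln-*" -exec rm -rf {} +`. The file header says the module "provides 3 functions, both are optional" — "all are optional". The distr::kernel_config header lists `UPDATE_TO_LATEST` under Globals, but the body reads `KERNEL_MODULES` and never UPDATE_TO_LATEST; the header should name what the function actually uses. In the log-truncation loop, `echo -ne '' > "$f"` is better written as `: > "$f"`, the form the rest of the function already uses.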
@@ -0,0 +1,55 @@
+# Default parameter for the distribution.
+# Do NOT change anything in this file, customisation must be done in separate
+# env file.
+
+# Distribution name
+DISTR_NAME="OL9U0_x86_64"
+
+# Distribution release
+readonly ORACLE_RELEASE=9
+
+# Setup swap?
+SETUP_SWAP="yes"
+
+# Root filesystem: xfs, lvm or btrfs
+ROOT_FS="xfs"
+
+# Boot command
+# Variables MUST be escaped as they are evaluated at build time.
+BOOT_COMMAND=( '${CONSOLE} inst.text inst.ks=${KS_CONFIG} setup_swap=${SETUP_SWAP} ' )
+
+# Kernel: uek, rhck
+KERNEL="uek"
+
+# Keep rescue kernel: yes, no
+# Keeping rescue kernel will increase the image size and is most propbalbly
+# not very useful in cloud environment.
+# Note that if you enable rescue kernel and due the way BLS config works, you
+# will have a second rescue kernel the first time kernel is upgrade as the
+# machine-id differs between image build and deployed VM.
+RESCUE_KERNEL="no"
+
+# Authselect: default is set to "minimal" which should cover most use cases.
+# If an alternative auth profile is needed it can be specified with the
+# AUTHSELECT parameter, e.g.:
+# AUTHSELECT="select sssd"
+AUTHSELECT=""
+
+# Update: yes, security, no
+UPDATE_TO_LATEST="yes"
+
+# Keep kernel-modules packages: yes, no
+# Core kernel should suffice for all cloud images
+KERNEL_MODULES="no"
+
+# Exclude documentation (man pages, info files, doc files)? yes, no, minimal
+# When "yes" is selected, dnf wil be configured to exclude all documentation
+# ("tsflags=nodocs" parameter).
+# If you plan to re-distribute the image, you might need to keep the
+# "/usr/share/doc" directory which contains the packages licence terms.
+# The "minimal" option will remove man pages and info files, but will keep the
+# "/usr/share/doc" directory.
+EXCLUDE_DOCS="no"
+
+# Directory used to save build information
+readonly BUILD_INFO="/.build-info"
diff --git a/oracle-linux-image-tools/distr/ol9-slim/image-scripts.sh b/oracle-linux-image-tools/distr/ol9-slim/image-scripts.sh
new file mode 100755
index 0000000..c72944b
--- /dev/null
+++ b/oracle-linux-image-tools/distr/ol9-slim/image-scripts.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+#
+# image scripts for OL9
+#
+# Copyright (c) 2022 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# https://oss.oracle.com/licenses/upl
+#
+# Description: this module provides the following function:
+# distr::validate: basic parameter validation
+# distr::kickstart: hook for kickstart file updates
+# distr::packer_conf: hook for packer configuration file updates
+# distr::image_cleanup: distribution specific actions to cleanup the image
+# All functions are optional
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+
+#######################################
+# Validate distribution parameters
+# Globals:
+# RESCUE_LERNEL ROOT_FS
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::validate() {
+ [[ "${ROOT_FS,,}" =~ ^(xfs)|(btrfs)|(lvm)$ ]] || error "ROOT_FS must be xfs, btrfs or lvm"
+ [[ "${ROOT_FS,,}" = "btrfs" ]] && echo_message "Note that for btrfs root filesystem you need to use an UEK boot ISO"
+ [[ "${RESCUE_KERNEL,,}" =~ ^(yes)|(no)$ ]] || error "RESCUE_KERNEL must be yes or no"
+ [[ "${KERNEL_MODULES,,}" =~ ^(yes)|(no)$ ]] || error "KERNEL_MODULES must be yes or no"
+ [[ "${EXCLUDE_DOCS,,}" =~ ^(yes)|(no)|(minimal)$ ]] || error "EXCLUDE_DOCS must be yes, no or minimal"
+ readonly ROOT_FS RESCUE_KERNEL KERNEL_MODULES EXCLUDE_DOCS
+}
+
+#######################################
+# Kickcstart fixup
+# Globals:
+# RESCUE_KERNEL ROOT_FS
+# Arguments:
+# kickstart file name
+# Returns:
+# None
+#######################################
+distr::kickstart() {
+ local ks_file="$1"
+
+ local btrfs="\
+part btrfs.01 --fstype=\"btrfs\" --ondisk=sda --size=4096 --grow\n\
+btrfs none --label=btrfs_vol --data=single btrfs.01\n\
+btrfs / --subvol --name=root LABEL=btrfs_vol\n\
+btrfs /home --subvol --name=home LABEL=btrfs_vol\
+"
+ local lvm="\
+part pv.01 --ondisk=sda --size=4096 --grow\n\
+volgroup vg_main pv.01\n\
+logvol swap --fstype=\"swap\" --vgname=vg_main --size=4096 --name=lv_swap\n\
+logvol / --fstype=\"xfs\" --vgname=vg_main --size=4096 --name=lv_root --grow\
+"
+
+ # Kickstart file is populated for xfs
+ if [[ "${ROOT_FS,,}" = "btrfs" ]]; then
+ sed -i -e 's!^part / .*$!'"${btrfs}"'!' "${ks_file}"
+ elif [[ "${ROOT_FS,,}" = "lvm" ]]; then
+ sed -i -e '/^part swap/d' -e 's!^part / .*$!'"${lvm}"'!' "${ks_file}"
+ fi
+
+ # Pass kernel and rescue kernel selections
+ sed -i -e 's!^KERNEL=.*$!KERNEL='"${KERNEL}"'!' "${ks_file}"
+ sed -i -e 's!^RESCUE_KERNEL=.*$!RESCUE_KERNEL='"${RESCUE_KERNEL}"'!' "${ks_file}"
+
+ # Override authselect if needed
+ if [[ -n ${AUTHSELECT} ]]; then
+ sed -i -e 's!^authselect .*$!authselect '"${AUTHSELECT}"'!' "${ks_file}"
+ fi
+
+ # Docs
+ sed -i -e 's!^EXCLUDE_DOCS=.*$!EXCLUDE_DOCS='"${EXCLUDE_DOCS}"'!' "${ks_file}"
+ if [[ "${EXCLUDE_DOCS,,}" = "yes" ]]; then
+ sed -i -e 's!^%packages!%packages --excludedocs!' "${ks_file}"
+ fi
+}
+
+#######################################
+# Packer configuration
+# Globals:
+# BUILD_INFO
+# Arguments:
+# Packer configuration file
+# Returns:
+# None
+#######################################
+distr::packer_conf() {
+ if [[ -n "${BUILD_INFO}" ]]; then
+ cat >>"$1" <<-EOF
+ build_info = "${BUILD_INFO}"
+ EOF
+ fi
+}
+
+#######################################
+# Cleanup actions run directly on the image
+# Globals:
+# WORKSPACE VM_NAME BUILD_INFO
+# Arguments:
+# root filesystem directory
+# boot filesystem directory
+# Returns:
+# None
+#######################################
+# distr::image_cleanup() {
+# :
+# }
diff --git a/oracle-linux-image-tools/distr/ol9-slim/ol9-ks.cfg b/oracle-linux-image-tools/distr/ol9-slim/ol9-ks.cfg
new file mode 100644
index 0000000..3d05bbb
--- /dev/null
+++ b/oracle-linux-image-tools/distr/ol9-slim/ol9-ks.cfg
@@ -0,0 +1,214 @@ +# OL9 kickstart file +# System authorization information +authselect select minimal with-faillock with-silent-lastlog with-pamaccess + +# Command line install +cmdline +text + +# Run the Setup Agent on first boot +eula --agreed +firstboot --disable + +# Only use the "system disk" +ignoredisk --only-use=sda + +# Keyboard layouts +keyboard --vckeymap=us --xlayouts='us' + +# System language +lang en_US.UTF-8 + +# reboot at the end +reboot + +# System timezone +timezone UTC --utc + +# Network information +network --bootproto=dhcp --device=eth0 --onboot=yes --ipv6=auto --hostname=localhost.localdomain + +# URL to an installation tree on a remote server + +# Additional yum repositories that may be used as sources for package installation. + +# Root password -- will be overridden by the builder +rootpw --lock + +# System services +services --disabled="kdump,rhsmcertd" --enabled="firewalld,sshd,rsyslog,chronyd" +selinux --enforcing +firewall --service=ssh + +# System bootloader configuration +bootloader --append="console=tty0 no_timer_check net.ifnames=0 biosdevname=0 crashkernel=auto" --location=mbr --timeout=1 --boot-drive=sda + +# Partition clearing information +zerombr +clearpart --all --initlabel + +# Disk partitioning information +part /boot --fstype="xfs" --ondisk=sda --size=1024 --label=/boot +part swap --fstype="swap" --ondisk=sda --size=4096 --label=swap +part / --fstype="xfs" --ondisk=sda --size=4096 --label=root --grow + +# '--nocore' adds @core to the exclusion list, which generates issues when it +# is added in the package list... 
+%packages +# Removed from the "Mandatory" Core group packages: +-audit +-dnf-plugin-spacewalk +-iproute-tc +-irqbalance +-parted +-rhn-client-tools +-rhn-setup +-rhnlib +-rhnsd +-rng-tools +-sssd-common +-sssd-kcm + +# Removed from the "Default" Core group packages: +-NetworkManager-team +-NetworkManager-tui +-iwl100-firmware +-iwl1000-firmware +-iwl105-firmware +-iwl135-firmware +-iwl2000-firmware +-iwl2030-firmware +-iwl3160-firmware +-iwl3945-firmware +-iwl4965-firmware +-iwl5000-firmware +-iwl5150-firmware +-iwl6000g2a-firmware +-iwl6050-firmware +-iwl7260-firmware +-lshw +-lsscsi +-microcode_ctl +-prefixdevname +-sg3_utils +-sg3_utils-libs + +# hwdata blacklists several modules, a.o. the fb (frame buffer) ones +hwdata + +# Create a generic image +dracut-config-generic + +# Ironing out differences between full dvd and boot iso +elfutils-debuginfod-client +freetype +-gawk-all-langpacks +-glibc-all-langpacks +glibc-langpack-en +-glibc-gconv-extra +graphite2 +grub2-tools-efi +grub2-tools-extra +harfbuzz +-libcap-ng-python3 +libpng +-libxcrypt-compat +openssl-pkcs11 +python-unversioned-command.noarch +rpm-plugin-systemd-inhibit +rsyslog-logrotate +zstd +%end + +%post --interpreter /bin/bash --log=/root/ks-post.log + +# ToDo: this might not be necessary +echo "Network fixes" +cat > /etc/sysconfig/network << EOF +NETWORKING=yes +NOZEROCONF=yes +EOF + +# generic localhost names +cat > /etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF + +# make sure firstboot doesn't start +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +echo "Kernel configuration" +# Remove the big rescue image if present +RESCUE_KERNEL=no +if [[ "${RESCUE_KERNEL,,}" = "no" ]]; then + dnf remove -y dracut-config-rescue + rm -f /boot/{initramfs,vmlinuz}-0-rescue-$(cat /etc/machine-id)* + rm -f /boot/loader/entries/$(cat /etc/machine-id)-0-rescue.conf +fi + +# Ensure we 
don't reboot with the serial console enabled +sed -i \ + -e 's/ console=ttyS0//' \ + -e 's/^GRUB_TERMINAL.*/GRUB_TERMINAL_OUTPUT="console"'/ \ + -e '/^GRUB_SERIAL_COMMAND/d' \ + /etc/default/grub +grub2-mkconfig -o /boot/grub2/grub.cfg + +# Allow password login +cat > /etc/ssh/sshd_config.d/01-permitrootlogin.conf << EOF +# Allow root to log in using ssh. Remove this file to opt-out. +PermitRootLogin yes +EOF + +EXCLUDE_DOCS="no" +echo "Exclude documentation: ${EXCLUDE_DOCS^^}" +if [[ "${EXCLUDE_DOCS,,}" = "yes" ]]; then + echo "tsflags=nodocs" >> /etc/dnf/dnf.conf +fi + +# Get latest release file (Needed for UEK) +dnf upgrade -y oraclelinux-release-el9 + +# Install latest kernel, that way it will be available at first boot and +# allow proper cleanup +KERNEL=uek +echo "Kernel update (${KERNEL^^})" + +echo "Running kernel: $(uname -r)" +echo "Kernel(s) installed:" +rpm -qa | grep '^kernel' | sort + +kernel="kernel-core" +dnf_options="" +if [[ "${KERNEL,,}" = "uek" ]]; then + dnf_options="${dnf_options} --enablerepo ol9_UEKR7" + kernel="kernel-uek-core" +fi + +# Set default kernel +sed -i -e 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL='"${kernel}"'/' /etc/sysconfig/kernel + +if rpm --quiet -q "${kernel}"; then + echo "Kernel ${kernel} already installed" + dnf check-update ${dnf_options} ${kernel} + if [[ $? == "100" ]]; then + # Get latest version + dnf update -y ${dnf_options} ${kernel} + else + # No update available; ensure it is the default boot kernel + version=$(rpm -q "${kernel}") + grubby --set-default="/boot/vmlinuz${version#${kernel}}" + fi +else + dnf install -y ${dnf_options} ${kernel} +fi + +# Ensure we have the correct boot options +grub2-mkconfig -o /boot/grub2/grub.cfg + +%end + +%addon com_redhat_kdump --disable +%end diff --git a/oracle-linux-image-tools/distr/ol9-slim/provision.sh b/oracle-linux-image-tools/distr/ol9-slim/provision.sh new file mode 100644 index 0000000..20077ee --- /dev/null +++ b/oracle-linux-image-tools/distr/ol9-slim/provision.sh 
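Review bot: `grub2-mkconfig -o /boot/grub2/grub.cfg` appears to run twice in this `%post`: once right after the `sed` on /etc/default/grub and again as the final "Ensure we have the correct boot options" step after the kernel install. Both calls regenerate the same file from the same, already edited /etc/default/grub, so the first one looks redundant; either drop it or add a one-line comment explaining why an intermediate grub.cfg is needed before the kernel update.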
@@ -0,0 +1,363 @@
+#!/usr/bin/env bash
+#
+# Packer provisioning script for OL9
+#
+# Copyright (c) 2022 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# https://oss.oracle.com/licenses/upl
+#
+# Description: provision an OL9 image. This module provides 3 functions,
+# both are optional.
+# distr::provision: provision the instance
+# distr::cleanup: instance cleanup before shutdown
+# distr::seal: final instance sealing
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+
+# Constants
+readonly DRACUT_CMD="dracut --no-early-microcode --force"
+
+#######################################
+# Invoke dnf to remove packages
+# Globals:
+# None
+# Arguments:
+# List of packages to be removed
+# Returns:
+# None
+#######################################
+distr::remove_rpms() {
+ # clean_requirements_on_remove is default with dnf
+ dnf -C -y remove "$@"
+}
+
+#######################################
+# Print kickstart log
+# Globals:
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::ks_log() {
+ if [[ -f "/root/ks-post.log" ]]; then
+ echo_message "Kickstart post log - Start"
+ cat /root/ks-post.log
+ rm /root/ks-post.log
+ echo_message "Kickstart post log - End"
+ fi
+}
+
+#######################################
+# Kernel configuration
+# Assume that we already run the latest selected kernel
+# (Asserted in the kickstart file)
+# Globals:
+# DRACUT_CMD, KERNEL, UPDATE_TO_LATEST
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::kernel_config() {
+ local current_kernel kernel kernels old_kernel
+
+ # shellcheck disable=SC2153
+ echo_message "Configure kernel: ${KERNEL^^}"
+ echo_message "Running kernel: $(uname -r)"
+
+ # Note: there is no need to force drivers in intrd as dracut-config-generic
+ # is installed
+
+ # Configure repos and remove old kernels
+ if [[ "${KERNEL,,}" = "uek" ]]; then
+ kernel="kernel-uek"
+ dnf config-manager --set-enabled ol9_UEKR7
+ distr::remove_rpms kernel kernel-core
+ else
+ kernel="kernel"
+ distr::remove_rpms kernel-uek kernel-uek-core
+ fi
+
+ current_kernel=$(uname -r)
+ kernels=$(rpm -q "${kernel}-core" --qf "%{VERSION}-%{RELEASE}.%{ARCH} ")
+ for old_kernel in $kernels; do
+ if [[ ${old_kernel} != "${current_kernel}" ]]; then
+ distr::remove_rpms "${kernel}-core-${old_kernel}"
+ fi
+ done
+
+ # Clean dnf cache which contains odd dependencies and prevents removal
+ # of kernel modules
+ rm -rf /var/cache/dnf/*
+ rm -rf /var/lib/dnf/*
+ if [[ ${KERNEL_MODULES,,} == "no" ]]; then
+ echo_message "Removing kernel modules and linux firmware"
+ distr::remove_rpms "${kernel}-modules" linux-firmware
+ else
+ echo_message "Ensure kernel modules are installed"
+ dnf install -y ${kernel} linux-firmware
+ fi
+
+ # Regenerate initrd
+ ${DRACUT_CMD} -f "/boot/initramfs-${current_kernel}.img" "${current_kernel}"
+
+ # Ensure grub is properly setup
+ grub2-mkconfig -o /boot/grub2/grub.cfg
+ grubby --set-default="/boot/vmlinuz-${current_kernel}"
+}
+
+#######################################
+# Common configuration
+# Globals:
+# UPDATE_TO_LATEST, BUILD_INFO
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::common_cfg() {
+ local service tty
+
+ # Directory to save build information
+ mkdir -p "${BUILD_INFO}"
+
+ # Run dnf update if flag is set to yes in image build page
+ echo_message "Update image: ${UPDATE_TO_LATEST^^}"
+ if [[ "${UPDATE_TO_LATEST,,}" = "yes" ]]; then
+ dnf update -y
+ elif [[ "${UPDATE_TO_LATEST,,}" = "security" ]]; then
+ dnf update --security -y
+ fi
+
+ # SSSD profile needs clients
+ if authselect current -r | grep -q '^sssd'; then
+ echo_message "Installing SSSD client"
+ dnf install -y sssd-client
+ fi
+
+ # If you want to remove rsyslog and just use journald, remove this!
+ echo_message "Disabling persistent journal"
+ rm -rf /var/log/journal/
+
+ # setup systemd to boot to the right runlevel
+ echo_message "Setting default runlevel to multiuser text mode"
+ rm -f /etc/systemd/system/default.target
+ ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+
+ echo_message "Disable services"
+ # NetworkManager.service
+ for service in \
+ kdump.service \
+ ntpd.service \
+ ntpdate.service \
+ plymouth-quit-wait.service \
+ plymouth-start.service \
+ rhnsd.service \
+ sendmail.service \
+ sntp.service \
+ syslog.target
+ do
+ # Most of these aren't enabled, errors are expected...
+ echo_message " ${service}"
+ systemctl disable ${service} 2>&1 || true
+ done
+
+ echo_message "Set rp_filter to loose mode"
+ echo "net.ipv4.conf.default.rp_filter = 2" >> /etc/sysctl.conf
+
+ echo_message "Set SELinux to ${SELINUX^^}"
+ sed -i -e "s/^SELINUX[ ]*=.*/SELINUX=${SELINUX,,}/" /etc/selinux/config
+ if [[ ${SELINUX,,} != "enforcing" ]]; then
+ # Relax SELinux for the provisioning as well
+ setenforce Permissive
+ fi
+
+ echo_message "Clear network persistent data"
+ rm -f /etc/udev/rules.d/70-persistent-net.rules
+
+ echo_message "Configure dnf"
+ # bypass update kernel-uek-headers
+ echo "exclude=kernel-uek-headers" >> /etc/dnf/dnf.conf
+ # fix "Metadata file does not match checksum" for public-yum
+ # https://forums.oracle.com/thread/2550364
+ echo "http_caching=none" >> /etc/dnf/dnf.conf
+
+ echo_message "Enable login on serial console ports"
+ for tty in "hvc0" "ttyS0" "ttyS0"
+ do
+ grep -q "${tty}" /etc/securetty || echo "${tty}" >>/etc/securetty
+ done
+
+ echo_message "Remove unneeded RPMs"
+ distr::remove_rpms \
+ iwl7265-firmware \
+ mozjs17 \
+ polkit \
+ polkit-pkla-compat \
+ microcode_ctl
+}
+
+#######################################
+# Provisioning
+# Globals:
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::provision() {
+ distr::ks_log
+ distr::kernel_config
+ distr::common_cfg
+}
+
+#######################################
+# Cleanup
+# Globals:
+# BUILD_INFO
+# Arguments:
+# None
+# Returns:
+# None
+#######################################
+distr::cleanup() {
+ echo_message "Stoppping services"
+ systemctl stop rsyslog || true
+ systemctl stop auditd || true
+
+ echo_message "Dnf cleanup"
+ dnf -q repolist > "${BUILD_INFO}/repolist.txt"
+ : > /etc/dnf/vars/ociregion
+ rm -rf /var/cache/dnf/*
+ rm -rf /var/lib/dnf/*
+ find /etc/ -name "./*.uln-*" -exec rm -rf {} \;
+
+ # Cleanup and regenerate /etc/machine-id
+ echo_message "Reset machine id"
+ : > /etc/machine-id
+ if ! grep -q setup-machine-id /usr/lib/systemd/system/systemd-firstboot.service; then
+ sed -i -e "/^ExecStart=/s/$/ --setup-machine-id/" /usr/lib/systemd/system/systemd-firstboot.service
+ fi
+ rm -f /var/lib/systemd/random-seed
+
+ echo_message "Cleanup all log files"
+ rm -f /var/log/anaconda.* /var/log/oraclevm-template.log
+ rm -f /tmp/ks*
+ rm -f /root/install.log /root/install.log.syslog /root/anaconda-ks.cfg
+ : > /etc/resolv.conf
+ /bin/rm -f /etc/resolv.conf.*
+ /bin/rm -f /var/lib/dhclient/*
+ [ -e /var/log/acpid ] && : > /var/log/acpid
+ [ -e /var/log/messages ] && : > /var/log/messages
+ [ -e /var/log/btmp ] && : > /var/log/btmp
+ [ -e /var/log/grubby ] && : > /var/log/grubby
+ [ -e /var/log/secure ] && : > /var/log/secure
+ [ -e /var/log/wtmp ] && : > /var/log/wtmp
+ [ -e /var/log/boot.log ] && : > /var/log/boot.log
+ [ -e /var/log/dracut.log ] && : > /var/log/dracut.log
+ [ -e /var/log/tuned/tuned.log ] && : > /var/log/tuned/tuned.log
+ [ -e /var/log/maillog ] && : > /var/log/maillog
+ [ -e /var/log/lastlog ] && : > /var/log/lastlog
+ [ -e /var/log/dnf.log ] && : > /var/log/dnf.log
+ [ -e /var/log/dnf.librepo.log ] && : > /var/log/dnf.librepo.log
+ [ -e /var/log/dnf.rpm.log ] && : > /var/log/dnf.rpm.log
+ [ -e /var/log/ovm-template-config.log ] && rm -f /var/log/ovm-template-config.log
+ /bin/rm -f /var/log/audit/audit.log*
+ [ -e /var/log/audit/audit.log ] && : > /var/log/audit/audit.log
+
+ # Lock root user
+ if [[ "${LOCK_ROOT,,}" = "yes" ]]; then
+ passwd -d root
+ passwd -l root
+ fi
+ rm -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf
+
+ # cleanup ssh config files
+ if [ -z "${SSH_KEY_FILE}" ]; then
+ [ -d /root/.ssh ] && /bin/rm -fr /root/.ssh
+ else
+ find /root/.ssh -type f -not -name authorized_keys -delete
+ fi
+
+ # Rebuild rpmdb to save some space
+ rpm --rebuilddb
+
+ # Remove man and info pages
+ echo_message "Exclude documentation: ${EXCLUDE_DOCS^^}"
+ if [[ "${EXCLUDE_DOCS,,}" = "minimal" ]]; then
+ rm -rf /usr/share/{man,info}
+ fi
+
+ # cleanup vnc cache files
+ if [ -d /root/.vnc ]; then
+ /bin/rm -f /root/.vnc/*.log
+ /bin/rm -f /root/.vnc/passwd
+ fi
+
+ rm -rf /var/log/cups/error_log
+ rm -rf /var/log/setroubleshoot/setroubleshootd.log
+ rm -rf /var/log/spooler
+ # cleanup bash history
+ [ -e /root/.bash_history ] && : > /root/.bash_history
+ rm -f /root/.viminfo
+ rm -rf /.autorelabel
+ rm -rf /var/log/mail/statistics
+ rm -rf /var/log/sa/*
+ rm -rf /var/log/acpid /var/log/boot.log /var/log/cron /var/log/dmesg.* /var/log/ovm*
+ rm -rf /poweroff
+ rm -f /etc/ssh/ssh_host_*
+ rm -rf /root/*
+ rm -f /etc/udev/rules.d/70-persistent-net.rules
+ rm -f /etc/udev/rules.d/70-persistent-cd.rules
+
+ find /var/log -type f | while read -r f; do echo -ne '' > "$f"; done;
+ find /etc/ -name "*.old" -exec rm -f {} \;
+ rm -f /etc/sysconfig/network-scripts/ifcfg-enp*
+ rm -rf /lost+found/*
+ rm -rf /root/.vbox_version
+ export HISTSIZE=0
+ rm -f /var/log/ovm-template-config.log
+
+ echo_message "Save list of installed packages"
+ rpm -qa --qf "%{name}.%{arch}\n" | sort -u > "${BUILD_INFO}/pkglist.txt"
+ rpm -qa --qf '"%{NAME}","%{EPOCHNUM}","%{VERSION}","%{RELEASE}","%{ARCH}"\n' | sort > "${BUILD_INFO}/pkglist.csv"
+ uname -r > "${BUILD_INFO}/kernel.txt"
+
+ history -c
+ swapoff -a
+}
+
+#######################################
+# Final seal of the image
+# Globals:
+# BUILD_INFO
+# Returns: +# None +####################################### +distr::seal() { + echo_message "File cleanup" + : > /var/log/wtmp + : > /var/log/lastlog + rm -f /var/log/audit/audit.log + rm -f /var/log/tuned/tuned.log + rm -rf /root/.gemrc /root/.gem + rm -rf /var/spool/root /var/spool/mail/root + rm -rf /var/lib/NetworkManager + [[ -n "${BUILD_INFO}" ]] && rm -rf "${BUILD_INFO}" + rm -rf /var/tmp/* /tmp/* + + echo_message "Relabel SELinux" + genhomedircon + fixfiles -f -F relabel + restorecon -R / || true + + echo_message "Trim filesystem" + sync; sync; sync + for fs in /boot /; do + echo_message " ${fs}" + dd if=/dev/zero of="${fs}"/EMPTY bs=1M >/dev/null 2>&1 || : + rm -f "${fs}"/EMPTY + done +} diff --git a/oracle-linux-image-tools/env.properties b/oracle-linux-image-tools/env.properties index 4022493..8f46e86 100644 --- a/oracle-linux-image-tools/env.properties +++ b/oracle-linux-image-tools/env.properties @@ -111,9 +111,10 @@ CLOUD="none" # - an URL to an installation tree on a remote server # - optionally an associative array of additional yum repositories that may # be used as sources for package installation. -# Example for an OL8 install: -# REPO_URL="https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64" -# REPO[AppStream]="https://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64" +# Example for an OL9 install: +# REPO_URL="https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64" +# REPO[AppStream]="https://yum.oracle.com/repo/OracleLinux/OL9/appstream/x86_64" +# REPO[ol9_UEKR7]="https://yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64" # OVM Image version (Default: 1.0) # IMAGE_VERSION= diff --git a/oracle-linux-image-tools/packer-template/build.pkr.hcl b/oracle-linux-image-tools/packer-template/build.pkr.hcl index 839284e..2f91720 100644 --- a/oracle-linux-image-tools/packer-template/build.pkr.hcl +++ b/oracle-linux-image-tools/packer-template/build.pkr.hcl 
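Review bot: `find /etc/ -name "./*.uln-*" -exec rm -rf {} \;` in distr::cleanup can never match, because `-name` is tested against the basename only and a basename cannot contain the `./` prefix (GNU find warns that such a pattern "will evaluate to false all the time"), so the ULN leftovers it is meant to purge ship in the image; it should read `find /etc/ -name "*.uln-*" -exec rm -rf {} +`. In the same function `passwd -l root` only disables password authentication, `authorized_keys` is deliberately kept when SSH_KEY_FILE is set, and the `01-permitrootlogin.conf` drop-in is removed unconditionally, so whether root password login remains possible when LOCK_ROOT is not `yes` depends on the base `sshd_config` in the image, which is not visible here; a comment stating the intended access model would help, e.g. `# Root access after sealing: key-based via authorized_keys; password login is only disabled when LOCK_ROOT=yes, otherwise it depends on the base sshd_config`. Separately, `for tty in "hvc0" "ttyS0" "ttyS0"` in distr::common_cfg lists ttyS0 twice, which looks like a typo for a second serial port and is silently absorbed by the `grep -q` guard.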
@@ -11,5 +11,20 @@ build { } provisioner "shell" { script = var.provision_script + environment_vars = [ + "OLIT_ACTION=provision", + ] + } + provisioner "file" { + only = local.get_build_info + direction = "download" + source = "${var.build_info}/*" + destination = "${local.output_directory}/" + } + provisioner "shell" { + script = var.provision_script + environment_vars = [ + "OLIT_ACTION=seal", + ] } } diff --git a/oracle-linux-image-tools/packer-template/qemu-x86-64.pkr.hcl b/oracle-linux-image-tools/packer-template/qemu-x86-64.pkr.hcl index 2a1bc69..eae63c6 100644 --- a/oracle-linux-image-tools/packer-template/qemu-x86-64.pkr.hcl +++ b/oracle-linux-image-tools/packer-template/qemu-x86-64.pkr.hcl @@ -23,5 +23,10 @@ source "qemu" "x86-64" { boot_command = var.boot_command shutdown_command = var.shutdown_command qemu_binary = var.qemu_binary - qemuargs = var.qemu_args + qemuargs = concat( + var.qemu_args, + [ + ["-cpu", "host"] + ] + ) } diff --git a/oracle-linux-image-tools/packer-template/variables.pkr.hcl b/oracle-linux-image-tools/packer-template/variables.pkr.hcl index e2b9778..448961c 100644 --- a/oracle-linux-image-tools/packer-template/variables.pkr.hcl +++ b/oracle-linux-image-tools/packer-template/variables.pkr.hcl @@ -108,8 +108,15 @@ variable "qemu_args" { default = [] } +variable "build_info" { + description = "Guest directory with build information" + type = string + default = "" +} + # Locals locals { output_directory = "${var.workspace}/${var.vm_name}" http_directory = var.workspace + get_build_info = var.build_info == "" ? [ "none" ] : [] } diff --git a/oracle-linux-image-tools/packer-template/virtualbox-x86-64.pkr.hcl b/oracle-linux-image-tools/packer-template/virtualbox-x86-64.pkr.hcl index e502a7b..3fab07b 100644 --- a/oracle-linux-image-tools/packer-template/virtualbox-x86-64.pkr.hcl +++ b/oracle-linux-image-tools/packer-template/virtualbox-x86-64.pkr.hcl 
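Review bot: The `["-cpu", "host"]` appended in the `concat` is only accepted by QEMU when a hardware accelerator such as KVM is in use, so the qemu source now hard-requires KVM without the template or `variables.pkr.hcl` saying so, and because it is concatenated after `var.qemu_args` a `-cpu` passed by the caller there is presumably overridden by the later one. A comment at the `concat` would make both effects visible, e.g. `# -cpu host needs KVM (fails under TCG); appended last so it wins over any -cpu in var.qemu_args`.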
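Review bot: `get_build_info = var.build_info == "" ? [ "none" ] : []` reads like a boolean but is the source-name list fed to the file provisioner's `only`, and its values are the inverse of what the name suggests: the empty list imposes no restriction, so the download runs for every source, while the sentinel `"none"` names no real source and therefore skips it (as far as Packer's `only` semantics go). A one-line comment would spare the next reader a trip to the Packer docs, e.g. `# "only" filter for the build-info download: [] = run for all sources, ["none"] = matches no source, i.e. skip when build_info is unset`.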
@@ -28,6 +28,7 @@ source "virtualbox-iso" "x86-64" { ["modifyvm", "{{.Name}}", "--x2apic", var.x2apic], ["modifyvm", "{{.Name}}", "--memory", var.memory], ["modifyvm", "{{.Name}}", "--cpus", var.cpus], + ["modifyvm", "{{.Name}}", "--nictype1", "virtio"], ] ) vboxmanage_post = [