Move OEM sysext build from vms phase to build_image

build_image

@@ -60,10 +60,12 @@ different forms.  This scripts can be used to build the following:
 prod - Production image for CoreOS. This image is for booting (default if no argument is given).
 prodtar - Production container tar ball (implies prod). This can e.g. be used to run the Flatcar production image as a container (run machinectl import-tar or docker import).
 container - Developer image with single filesystem, bootable by nspawn.
+sysext - Build extra sysexts (podman, python, zfs, etc.).
+oem_sysext - Build OEM sysexts for all supported platforms.
 
 Examples:
 
-build_image --board=<board> [prod] [prodtar] [container] - builds developer and production images/tars.
+build_image --board=<board> [prod] [prodtar] [container] [sysext] [oem_sysext] - builds developer and production images/tars.
 ...
 "
 show_help_if_requested "$@"
@@ -81,7 +83,7 @@ DEFINE_string version "" \
 # Parse command line.
 FLAGS "$@" || exit 1
 
-eval set -- "${FLAGS_ARGV:-prod}"
+eval set -- "${FLAGS_ARGV:-prod oem_sysext}"
 
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'switch_to_strict_mode' is specified before now.
@@ -103,17 +105,20 @@ fi
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/vm_image_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 
 PROD_IMAGE=0
 PROD_TAR=0
 CONTAINER=0
 SYSEXT=0
+OEM_SYSEXT=0
 for arg in "$@"; do
   case "${arg}" in
     prod) PROD_IMAGE=1 ;;
     prodtar) PROD_IMAGE=1 PROD_TAR=1 ;;
     container) CONTAINER=1 ;;
     sysext) SYSEXT=1 ;;
+    oem_sysext) OEM_SYSEXT=1 ;;
     *)    die_notrace "Unknown image type ${arg}" ;;
   esac
 done
@@ -187,6 +192,9 @@ fi
 if [[ "${SYSEXT}" -eq 1 ]]; then
   create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
 fi
+if [[ "${OEM_SYSEXT}" -eq 1 ]]; then
+  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
+fi
 
 if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
   zip_update_tools

build_library/oem_sysexts.sh

@@ -0,0 +1,39 @@
+# OEM sysexts table mapping OEM IDs to their packages and USE flags.
+# Format: "name|metapackage|useflag|arches"
+#
+# VM types that use each OEM sysext:
+#   oem-akamai       -> akamai
+#   oem-ami          -> ami, ami_vmdk
+#   oem-azure        -> azure
+#   oem-digitalocean -> digitalocean
+#   oem-gce          -> gce
+#   oem-hetzner      -> hetzner
+#   oem-hyperv       -> hyperv, hyperv_vhdx
+#   oem-kubevirt     -> kubevirt
+#   oem-nutanix      -> nutanix
+#   oem-openstack    -> openstack, openstack_mini
+#   oem-packet       -> packet
+#   oem-proxmoxve    -> proxmoxve
+#   oem-qemu         -> qemu_uefi
+#   oem-scaleway     -> scaleway
+#   oem-stackit      -> stackit
+#   oem-vmware       -> vmware, vmware_ova, vmware_raw
+
+OEM_SYSEXTS=(
+  "oem-akamai|coreos-base/oem-akamai|akamai|amd64,arm64"
+  "oem-ami|coreos-base/oem-ami|ami|amd64,arm64"
+  "oem-azure|coreos-base/oem-azure|azure|amd64,arm64"
+  "oem-digitalocean|coreos-base/oem-digitalocean|digitalocean|amd64"
+  "oem-gce|coreos-base/oem-gce|gce|amd64"
+  "oem-hetzner|coreos-base/oem-hetzner|hetzner|amd64,arm64"
+  "oem-hyperv|coreos-base/oem-hyperv|hyperv|amd64"
+  "oem-kubevirt|coreos-base/oem-kubevirt|kubevirt|amd64,arm64"
+  "oem-nutanix|coreos-base/oem-nutanix|nutanix|amd64"
+  "oem-openstack|coreos-base/oem-openstack|openstack|amd64,arm64"
+  "oem-packet|coreos-base/oem-packet|packet|amd64,arm64"
+  "oem-proxmoxve|coreos-base/oem-proxmoxve|proxmoxve|amd64,arm64"
+  "oem-qemu|coreos-base/oem-qemu|qemu|amd64,arm64"
+  "oem-scaleway|coreos-base/oem-scaleway|scaleway|amd64,arm64"
+  "oem-stackit|coreos-base/oem-stackit|stackit|amd64,arm64"
+  "oem-vmware|coreos-base/oem-vmware|vmware|amd64"
+)

build_library/prod_image_util.sh

@@ -170,6 +170,10 @@ EOF
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/
 
+  # Inject ephemeral sysext signing certificate
+  sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
+  sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
+
   # Finish image will move files from /etc to /usr/share/flatcar/etc.
   # Note that image filesystem contents generated by finish_image will not
   # include sysext contents (only the sysext squashfs files themselves).
@@ -269,6 +273,67 @@ create_prod_sysexts() {
   done
 }
 
+create_oem_sysexts() {
+  local image_name="$1"
+  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
+  local overlay_path
+  overlay_path=$(portageq get_repo_path / coreos-overlay)
+
+  for sysext in "${OEM_SYSEXTS[@]}"; do
+    local name metapkg useflags arches
+    IFS="|" read -r name metapkg useflags arches <<< "$sysext"
+
+    if [[ "${name}" != oem-* ]]; then
+      die "OEM sysext name must start with 'oem-', got '${name}'"
+    fi
+
+    local arch_array=(${arches//,/ })
+
+    if [[ -n "$arches" ]]; then
+      local should_skip=1
+      for arch in "${arch_array[@]}"; do
+        if [[ $arch == "$ARCH" ]]; then
+          should_skip=0
+        fi
+      done
+      if [[ $should_skip -eq 1 ]]; then
+        continue
+      fi
+    fi
+
+    # Check for manglefs script in the package's files directory
+    local mangle_script="${overlay_path}/${metapkg}/files/manglefs.sh"
+    if [[ ! -x "${mangle_script}" ]]; then
+      mangle_script=
+    fi
+
+    sudo rm -f "${BUILD_DIR}/${name}.raw" \
+        "${BUILD_DIR}/flatcar_test_update-${name}.gz" \
+        "${BUILD_DIR}/${name}_"*
+
+    info "Building OEM sysext ${name} with USE=${useflags}"
+    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
+    # important - it sets the name of a rootfs directory, which is
+    # used to determine the package target in
+    # coreos/base/profile.bashrc
+    #
+    # OEM sysexts use no compression here since they will be stored
+    # in a compressed OEM partition.
+    USE="${useflags}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
+        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
+        --image_builddir="${BUILD_DIR}" \
+        --metapkgs="${metapkg}" \
+        --install_root_basename="${name}-oem-sysext-rootfs" \
+        --compression=none \
+        ${mangle_script:+--manglefs_script="${mangle_script}"} \
+        "${name}"
+    delta_generator \
+      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
+      -new_image "${BUILD_DIR}/${name}.raw" \
+      -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz"
+  done
+}
+
 sbsign_prod_image() {
   local image_name="$1"
   local disk_layout="$2"

build_library/sysext_prod_builder

@@ -63,11 +63,15 @@ create_prod_sysext() {
   # The --install_root_basename="${name}-base-sysext-rootfs" flag is
   # important - it sets the name of a rootfs directory, which is used
   # to determine the package target in coreos/base/profile.bashrc
-  sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+  #
+  # Built-in sysexts are stored in the compressed /usr partition, so we
+  # disable compression to avoid double-compression.
+  sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
             --board="${BOARD}" \
             --image_builddir="${workdir}/sysext-build" \
             --squashfs_base="${base_sysext}" \
             --generate_pkginfo \
+            --compression=none \
             --install_root_basename="${name}-base-sysext-rootfs" \
             "${build_sysext_opts[@]}" \
             "${name}" "${grp_pkg[@]}"
@@ -99,6 +103,14 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 
 function cleanup() {
+  IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
+  # skip the rootfs
+  mounted_sysexts=("${mounted_sysexts[@]:1}")
+
+  for sysext in "${mounted_sysexts[@]}"; do
+    sudo systemd-dissect --umount --rmdir "$sysext"
+  done
+
   sudo umount "${sysext_mountdir}"/* || true
   rm -rf "${sysext_workdir}" || true
 }
@@ -116,6 +128,7 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
+mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
   # format is "<name>:<group>/<package>"
   name="${sysext%|*}"
@@ -129,12 +142,21 @@ for sysext in ${sysexts_list//,/ }; do
                      "${grp_pkg}" \
                      "${prev_pkginfo}"
 
-  mkdir -p "${sysext_mountdir}/${name}" \
-           "${sysext_mountdir}/${name}_pkginfo"
-  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
-                                    "${sysext_mountdir}/${name}"
-  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
-                                    "${sysext_mountdir}/${name}_pkginfo"
+  sudo systemd-dissect \
+    --read-only \
+    --mount \
+    --mkdir \
+    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+    "${sysext_output_dir}/${name}.raw" \
+    "${sysext_mountdir}/${name}"
+
+  sudo systemd-dissect \
+    --read-only \
+    --mount \
+    --mkdir \
+    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+    "${sysext_output_dir}/${name}_pkginfo.raw" \
+    "${sysext_mountdir}/${name}_pkginfo"
 
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"

build_library/vm_image_util.sh

@@ -568,67 +568,33 @@ install_oem_package() {
     sudo rm -rf "${oem_tmp}"
 }
 
-# Write the OEM sysext file into the OEM partition.
+# Install the prebuilt OEM sysext file into the OEM partition.
+# The sysext should have been built by 'build_image oem_sysext'.
 install_oem_sysext() {
     local oem_sysext=$(_get_vm_opt OEM_SYSEXT)
 
     if [[ -z "${oem_sysext}" ]]; then
         return 0
     fi
 
-    local built_sysext_dir="${FLAGS_to}/${oem_sysext}-sysext"
-    local built_sysext_filename="${oem_sysext}.raw"
-    local built_sysext_path="${built_sysext_dir}/${built_sysext_filename}"
+    local prebuilt_sysext_filename="${oem_sysext}.raw"
+    local prebuilt_sysext_path="${FLAGS_from}/${prebuilt_sysext_filename}"
     local version="${FLATCAR_VERSION}"
-    local metapkg="coreos-base/${oem_sysext}"
-    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
-    # important - it sets the name of a rootfs directory, which is
-    # used to determine the package target in
-    # coreos/base/profile.bashrc
-    local build_sysext_flags=(
-        --board="${BOARD}"
-        --squashfs_base="${VM_SRC_SYSEXT_IMG}"
-        --image_builddir="${built_sysext_dir}"
-        --metapkgs="${metapkg}"
-        --install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs"
-    )
-    local overlay_path mangle_fs
-    overlay_path=$(portageq get_repo_path / coreos-overlay)
-    mangle_fs="${overlay_path}/${metapkg}/files/manglefs.sh"
-    if [[ -x "${mangle_fs}" ]]; then
-        build_sysext_flags+=(
-            --manglefs_script="${mangle_fs}"
-        )
-    fi
 
-    mkdir -p "${built_sysext_dir}"
-    sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
+    if [[ ! -f "${prebuilt_sysext_path}" ]]; then
+        die "Prebuilt OEM sysext not found at ${prebuilt_sysext_path}. Run 'build_image oem_sysext' first."
+    fi
 
     local installed_sysext_oem_dir='/oem/sysext'
     local installed_sysext_file_prefix="${oem_sysext}-${version}"
     local installed_sysext_filename="${installed_sysext_file_prefix}.raw"
     local installed_sysext_abspath="${installed_sysext_oem_dir}/${installed_sysext_filename}"
-    info "Installing ${oem_sysext} sysext"
+
+    info "Installing ${oem_sysext} sysext from prebuilt image"
     sudo install -Dpm 0644 \
-         "${built_sysext_path}" \
+         "${prebuilt_sysext_path}" \
          "${VM_TMP_ROOT}${installed_sysext_abspath}" ||
         die "Could not install ${oem_sysext} sysext"
-    # Move sysext image and reports to a destination directory to
-    # upload them, thus making them available as separate artifacts to
-    # download.
-    local upload_dir to_move
-    upload_dir="$(_dst_dir)"
-    for to_move in "${built_sysext_dir}/${oem_sysext}"*; do
-        mv "${to_move}" "${upload_dir}/${to_move##*/}"
-    done
-    # Generate dev-key-signed update payload for testing
-    delta_generator \
-      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
-      -new_image "${upload_dir}/${built_sysext_filename}" \
-      -out_file "${upload_dir}/flatcar_test_update-${oem_sysext}.gz"
-    # Remove sysext_dir if building sysext and installing it
-    # succeeded.
-    rm -rf "${built_sysext_dir}"
 
     # Mark the installed sysext as active.
     sudo touch "${VM_TMP_ROOT}${installed_sysext_oem_dir}/active-${oem_sysext}"