Page MenuHomeFreeBSD
Differential D34746

add minimal OCI-compliant image builder
ClosedPublic
Actions

Authored by dch on Apr 2 2022, 9:38 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 20, 4:02 AM
Unknown Object (File)
Sat, Nov 16, 12:38 PM
Unknown Object (File)
Thu, Nov 14, 6:33 AM
Unknown Object (File)
Sun, Nov 3, 4:22 AM
Unknown Object (File)
Tue, Oct 29, 2:22 PM
Unknown Object (File)
Sun, Oct 27, 10:38 AM
Unknown Object (File)
Sat, Oct 26, 1:44 PM
Unknown Object (File)
Wed, Oct 23, 4:48 PM
View All Files
Subscribers
imp
lwhsu
thj

Details

Reviewers
emaste
gjb
Commits
rGf8bbe032b286: release/oci: add Oracle Cloud image builder
rG0af49f00b309: release/oci: add Oracle Cloud image builder
Summary

First cut of an OCI release target for A1-Flex, the Ampere KVM-based VM
implementation in Oracle Cloud Infrastructure, based on 13.1-RELEASE.

  • โœ… built with 13.1-RELEASE & this diff
  • โœ… "works on my machine" (A1.Flex VM only)
  • โœ… automated deployment steps to usable cloud-init image
  • ๐Ÿ’” documented & automated Makefile.oci for re@ deployment
  • โœ… cloudinit runs at startup
  • โœ… cloudinit runs custom scripts (if provided)
  • โœ… ssh-keys fetched via cloud-init
  • โœ… ssh works with keys only (to a freebsd@ user)
  • โœ… freebsd@ user can sudo to root
  • โœ… root user disabled over ssh & console
  • โœ… uses OCI ntp server
  • ๐Ÿ’” linuxisms - cloudinit puts files into /var/lib & /run

I could do with some advice on what re@ needs to put this
into production. Any prior art for other clown providers?

Not planned in this release:

  • zfs flavour
  • support A1.BM (Altra bare metal instances)
Test Plan

Build & test via:

cd /usr/src \
    && sudo chflags -R noschg /usr/obj/*/*/arm64.aarch64/release/ \
    ;  sudo rm -rf /usr/obj/*/*/arm64.aarch64/release /tmp/FreeBSD-* /tmp/freebsd-arm64-schema.json \
    ;  make -j32 buildworld  TARGET_ARCH=aarch64 TARGET=arm64 -s \
    && make -j32 buildkernel TARGET_ARCH=aarch64 TARGET=arm64 KERNCONF=GENERIC -s \
    && cd ./release \
    && sudo make -j32 clean \
    && sudo make -DNOPORTS -DNOSRC \
      KERNCONF=GENERIC TARGET_ARCH=aarch64 TARGET=arm64 \
      WITH_CLOUDWARE=yes \
      CLOUDWARE=OCI -s cloudware-release \
    && upload-to-oci

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 45920
Build 42808: arc lint + arc unit

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
dch added a comment.Apr 5 2022, 2:50 PM

add base64, minor tweaks

Harbormaster completed remote builds in B45006: Diff 104625.Apr 5 2022, 2:50 PM
dch edited the summary of this revision. (Show Details)Apr 5 2022, 8:12 PM
dch updated this revision to Diff 104638.Apr 5 2022, 8:40 PM
  • enable working cloudinit
  • drop personal ssh keys
  • leave pkg list untrimmed until further cloudinit testing is done
Harbormaster completed remote builds in B45011: Diff 104638.Apr 5 2022, 8:40 PM
dch edited the summary of this revision. (Show Details)Apr 5 2022, 8:43 PM
gjb added a comment.Apr 5 2022, 8:53 PM

It is entirely too late for this to be added for 13.1.

Let's wait until 13.1 is done, so I can properly allocate the time to test.

dch edited the summary of this revision. (Show Details)Apr 5 2022, 9:14 PM
dch marked 2 inline comments as done.
In D34746#788403, @gjb wrote:

It is entirely too late for this to be added for 13.1.

Let's wait until 13.1 is done, so I can properly allocate the time to test.

Absolutely! I'm still working on docs & testing myself.

gjb added a comment.Apr 5 2022, 9:29 PM
In D34746#788407, @dch wrote:
In D34746#788403, @gjb wrote:

It is entirely too late for this to be added for 13.1.

Let's wait until 13.1 is done, so I can properly allocate the time to test.

Absolutely! I'm still working on docs & testing myself.

Awesome. Thank you!

dch updated this revision to Diff 104758.Apr 7 2022, 11:28 PM
  • trim packages
  • still needs a few TODOs to be pruned
  • can we exclude ifconfig_DEFAULT=SYNCDHCP if cloudinit is enabled?
Harbormaster completed remote builds in B45073: Diff 104758.Apr 7 2022, 11:28 PM
dch updated this revision to Diff 105542.Apr 28 2022, 10:42 PM

tested more cloud-init functionality, LGTM

Harbormaster completed remote builds in B45423: Diff 105542.Apr 28 2022, 10:42 PM
dch updated this revision to Diff 105689.EditedMay 4 2022, 8:52 PM
  • update for 13.1-RELEASE & 14.0-CURRENT
  • update cloudinit test results
Harbormaster completed remote builds in B45471: Diff 105689.May 4 2022, 8:52 PM
dch edited the summary of this revision. (Show Details)May 4 2022, 8:54 PM
dch edited the test plan for this revision. (Show Details)
thj added a subscriber: thj.May 13 2022, 9:44 AM
emaste added a comment.May 13 2022, 2:15 PM

See also Oracle image guidelines at https://docs.oracle.com/en/cloud/marketplace/partner-portal/ocmpd/how-to-publish-an-oci-image-listing.pdf

emaste added inline comments.May 13 2022, 2:19 PM
release/Makefile.vm
39

Should we follow naming of other image types, ${OSRELEASE}.${OCI_FORMAT} or ${OSRELEASE}.oci.${OCI_FORMAT}

gjb added inline comments.May 17 2022, 7:59 PM
release/Makefile.vm
39

I think this does follow at least some of the naming schemes.

Notably, EC2_DISK=${OSRELEASE}.${EC2_FORMAT}, however GCE_DISK=disk.${GCE_FORMAT}.

I forget exactly why there was divergence there, to be honest.

185

I have not had a chance to take a very close look, but until these can be uncommented, I consider these two lines to be blockers.

There is a similar change in the pipeline to add back support for Azure, however one of the Azure provisioning scripts changes the hostname to 'localhost.localdomain', which I will not allow to be committed until that is resolved. Orthogonal, sure, but the point being, commented, not-yet-ready functionality is a no-go as far as I am concerned.

While these lines are commented, so should the 'OCI' addition to CLOUDWARE on line 22.

emaste added inline comments.May 20 2022, 7:13 PM
release/Makefile.vm
39

Huh, it looks like despite this we actually create oci.qcow2

185

I think it is reasonable to add oci.conf now, even if we don't have Makefile.oci yet. (I would not commit it commented out, but just omit it entirely.)

It is possible to use this infrastructure to build images for OCI even if the support for uploading them isn't available yet (it could be done via the OCI web interface in any case).

emaste added a comment.May 31 2022, 12:33 AM
sudo make -DNOPORTS -DNOSRC \
        KERNCONF=GENERIC \
        WITH_CLOUDWARE=yes CLOUDWARE=OCI \
        -s cloudware-release \

this needs some TARGET and TARGET_ARCH?

emaste added a comment.May 31 2022, 12:40 AM

And my attempt failed with:

===>  Installing for perl5-5.32.1_1
===>  Checking if perl5 is already installed
===>   Registering installation for perl5-5.32.1_1 as automatic
pkg-static: cannot load keyword from /usr/ports/Keywords/postexec.ucl: No such file or directory
pkg-static: unknown keyword postexec: @postexec
pkg-static: cannot load keyword from /usr/ports/Keywords/postexec.ucl: No such file or directory
pkg-static: unknown keyword postexec: @postexec
*** Error code 1
emaste added inline comments.May 31 2022, 6:18 PM
release/tools/oci.conf
76

OCI wants PermitRootLogin no (S14 in their requirements)

80

OCI also suggests UsePAM no but we might want to leave PAM enabled; it provides account and session processing for all auth types.

emaste added a comment.May 31 2022, 6:27 PM

pkg-static: cannot load keyword from /usr/ports/Keywords/postexec.ucl: No such file or directory

Solved by having a ports tree available.

emaste added inline comments.May 31 2022, 7:47 PM
release/tools/oci.conf
83

Perhaps pw -R ${DESTDIR} usermod root -w no

But that said, the cloud-init config currently installs the provided ssh key in /root/.ssh/authorized_keys.

emaste added a comment.Jun 2 2022, 4:42 PM
+       # S14 Root user login must be disabled.
+       pw -R ${DESTDIR} usermod root -w no
+       cat <<-EOF >> ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_oci.cfg
+    disable_root: true
+EOF
+
release/tools/oci.conf
83

Perhaps:

       # S14 Root user login must be disabled.
       pw -R ${DESTDIR} usermod root -w no
       cat <<-EOF >> ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_oci.cfg
    disable_root: true
EOF
emaste added a comment.Jun 2 2022, 8:37 PM

I built a freebsd/arm64 13.1 image for OCI using this oci.conf with the pw command and 98_oci.cfg file in the inline comment.

dch marked 9 inline comments as done.Jun 2 2022, 8:40 PM
dch added inline comments.
release/Makefile.vm
39

hah I remember. GCE needs GNU tar/zip and also the image file had to be named disk.raw. Can't find the official docs but https://khushbu-parakh.medium.com/create-instances-in-google-cloud-with-private-image-328409916744 is what we need.

185

removed; I do have an upload script here that works, but it is missing the additional OCI Marketplace plumbing that Ed is still working through.

gjb: I'm happy to finish this, but I don't know what re@ needs wrt docs, usage - how you store the secrets for uploads etc, whether this runs in some CI or other build env?. Makefile.ec2 seems like a reasonable example to start from, once we have the Marketplace stuff working.

release/tools/oci.conf
83

I think we're ok here with the cloud-init line only.

dch updated this revision to Diff 106582.Jun 2 2022, 8:42 PM
dch edited the summary of this revision. (Show Details)
dch edited the test plan for this revision. (Show Details)

incorporate gjb@ & emaste@ feedback

Harbormaster completed remote builds in B45823: Diff 106582.Jun 2 2022, 8:42 PM
dch updated this revision to Diff 106584.Jun 2 2022, 9:53 PM
  • oci: stop heredoc from doing expansion
Harbormaster completed remote builds in B45824: Diff 106584.Jun 2 2022, 9:53 PM
dch added a comment.Jun 2 2022, 9:59 PM

NB - still waiting on testing, and for build of devel/oci-cli to appear on backported quarterly branch before we can proceed.

dch edited the summary of this revision. (Show Details)Jun 2 2022, 10:01 PM
dch updated this revision to Diff 106585.Jun 2 2022, 10:33 PM
fix ntp.conf path
Harbormaster completed remote builds in B45825: Diff 106585.Jun 2 2022, 10:33 PM
dch updated this revision to Diff 106586.Jun 2 2022, 11:11 PM
fix egregious late-night-dev ntp.conf path
Harbormaster completed remote builds in B45826: Diff 106586.Jun 2 2022, 11:11 PM
dch added a comment.Jun 2 2022, 11:12 PM

looks like root without password from serial console works. we should fix this to comply.

emaste added a comment.Jun 3 2022, 2:01 AM
In D34746#802372, @dch wrote:

looks like root without password from serial console works. we should fix this to comply.

I built with pw -R ${DESTDIR} usermod root -w no as in the above comment, which disables root passwd login.

dch added a comment.Jun 3 2022, 6:44 AM
In D34746#802381, @emaste wrote:
In D34746#802372, @dch wrote:

looks like root without password from serial console works. we should fix this to comply.

I built with pw -R ${DESTDIR} usermod root -w no as in the above comment, which disables root passwd login.

added.

dch edited the summary of this revision. (Show Details)Jun 3 2022, 9:27 AM
dch edited the test plan for this revision. (Show Details)
dch updated this revision to Diff 106614.Jun 3 2022, 7:23 PM
dch edited the test plan for this revision. (Show Details)

final check testing in OCI VM

  • rc.conf & loader.conf ok
  • sshd_config settings ok
  • firstboot scripts run
  • cloudinit works
  • root via console is blocked
  • root via ssh is blocked
  • freebsd user is created, gets ssh keys, and sudo
  • ntp uses OCI servers
Harbormaster completed remote builds in B45835: Diff 106614.Jun 3 2022, 7:23 PM
emaste accepted this revision.Jun 3 2022, 8:27 PM
This revision is now accepted and ready to land.Jun 3 2022, 8:27 PM
emaste added inline comments.Jun 7 2022, 4:54 PM
release/tools/oci.conf
8

should be in alpha order?

dch added inline comments.Jun 8 2022, 8:53 AM
release/tools/oci.conf
8

This is the placeholder for devel/oci-cli (the command line tool, that depends on py-oci as well) which I backported to quarterly last week. It's not yet gotten through the build pipeline:

pkg: No packages available to install matching 'devel/oci-cli' have been found in the repositories

dch updated this revision to Diff 106794.Jun 9 2022, 5:54 PM

update since devel/oci-cli is in quarterly packages now

This revision now requires review to proceed.Jun 9 2022, 5:54 PM
Harbormaster completed remote builds in B45919: Diff 106794.Jun 9 2022, 5:54 PM
emaste accepted this revision.Jun 9 2022, 6:00 PM
This revision is now accepted and ready to land.Jun 9 2022, 6:00 PM
dch updated this revision to Diff 106796.Jun 9 2022, 6:33 PM

prune egregious TODO

This revision now requires review to proceed.Jun 9 2022, 6:33 PM
Harbormaster completed remote builds in B45920: Diff 106796.Jun 9 2022, 6:33 PM
lwhsu added a subscriber: lwhsu.Jun 14 2022, 3:18 PM
dch marked an inline comment as done.Jul 31 2022, 11:10 AM

do we need anything further to commit this yet?

dch edited the summary of this revision. (Show Details)Jul 31 2022, 11:10 AM
gjb added a comment.Aug 1 2022, 7:44 PM
In D34746#817400, @dch wrote:

do we need anything further to commit this yet?

Sorry for taking so long getting back to reviewing this. Please give me another day or two, as I had made some notes regarding this addition, but my notebooks recently rotated, so I need to find where I put them. Apologies.

emaste added a comment.Nov 22 2022, 7:16 PM

@gjb can we get this approved? (This is what was used to generate the 13.1 image available in Oracle Cloud.)

gjb added a comment.Nov 22 2022, 7:28 PM
In D34746#851841, @emaste wrote:

@gjb can we get this approved? (This is what was used to generate the 13.1 image available in Oracle Cloud.)

I thought we were waiting on API keys/credentials. Am I wrong in this regard?

In any case, provided OCI is not enabled by default in the CLOUDWARE list, approved.

release/Makefile.vm
22

See comment below, but please do not enable this by default yet.

gjb accepted this revision.Nov 22 2022, 7:28 PM
This revision is now accepted and ready to land.Nov 22 2022, 7:28 PM
gjb added inline comments.Nov 22 2022, 7:32 PM
release/Makefile.vm
22

To be more clear, do not enable this by default yet as I will need to add logic to thermite.sh to do the upload to OCI (with which, I will also need to have API keys/credentials for RE use).

gjb added a comment.Nov 22 2022, 7:55 PM
In D34746#851847, @gjb wrote:
In D34746#851841, @emaste wrote:

@gjb can we get this approved? (This is what was used to generate the 13.1 image available in Oracle Cloud.)

I thought we were waiting on API keys/credentials. Am I wrong in this regard?

In any case, provided OCI is not enabled by default in the CLOUDWARE list, approved.

Apologies. Ed reminded me that upload operations are separete than building images, so you can keep the OCI image listed in the CLOUDWARE list.

Closed by commit rG0af49f00b309: release/oci: add Oracle Cloud image builder (authored by dch). ยท Explain WhyNov 27 2022, 11:14 AM
This revision was automatically updated to reflect the committed changes.
dch added a commit: rG0af49f00b309: release/oci: add Oracle Cloud image builder.
emaste added a commit: rGf8bbe032b286: release/oci: add Oracle Cloud image builder.Apr 11 2023, 1:50 PM

Revision Contents
Changeset List

PathSize
release/
4 lines
2 lines
tools/
94 lines

Diff 106796

View Options

release/Makefile.vm

Loading...
View Options

release/release.conf.sample

Loading...
View Options

release/tools/oci.conf

Loading...