--- name: starlingx machine: intel-x86-64 image_type: - iso - ostree-repo debootstrap-mirror: deb-merge-all package_feeds: [] package_type: external-debian wic: OSTREE_WKS_BOOT_SIZE: '' OSTREE_WKS_EFI_SIZE: --size=32M OSTREE_WKS_ROOT_SIZE: '' OSTREE_WKS_FLUX_SIZE: '' OSTREE_FLUX_PART: fluxdata gpg: gpg_path: /tmp/.lat_gnupg_root ostree: gpgid: Wind-River-Linux-Sample gpgkey: $OECORE_NATIVE_SYSROOT/usr/share/genimage/rpm_keys/RPM-GPG-PRIVKEY-Wind-River-Linux-Sample gpg_password: windriver grub: BOOT_GPG_NAME: SecureBootCore BOOT_GPG_PASSPHRASE: SecureCore BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore BOOT_SINGED_SHIM: $IMAGE_ROOTFS/usr/lib/shim/bootx64.efi BOOT_SINGED_SHIMTOOL: $IMAGE_ROOTFS/usr/lib/shim/mmx64.efi BOOT_SINGED_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grubx64.efi BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi BOOT_GRUB_CFG: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grub.cfg BOOT_NOSIG_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/bootx64-nosig.efi EFI_SECURE_BOOT: disable packages: [] external-packages: [] include-default-packages: '0' rootfs-pre-scripts: - | # The StarlingX customize pacakges includes: # - ostree 2019.1 export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF set -e # Speed up apt/dpkg used for running build-image echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/unsafe-io apt update apt install -y --no-install-recommends linux-image-stx-amd64 linux-rt-image-stx-amd64 grub-common apt install -y --allow-downgrades --allow-unauthenticated --no-install-recommends ostree ostree-boot libostree-1-1 ostree-upgrade-mgr apt install --no-install-recommends -y ifupdown apt install -y bc vim uuid-runtime iputils-ping # Move dpkg database to /usr so it's accessible after the OS /var is # mounted, but make a symlink so it works without modifications to # dpkg or apt mv /var/lib/dpkg /usr/share/dpkg/database ln -sr /usr/share/dpkg/database /var/lib/dpkg SCRIPT_ENDOF rootfs-post-scripts: - |- # Set bash as default shell ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh - |- # Allow root ssh login export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin chroot $IMAGE_ROOTFS sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config - |- # FIXME: OSTree will not set up a link to scratch automagically. Need to # relocate scratch to a more ostree friendly locale mkdir $IMAGE_ROOTFS/var/rootdirs/scratch ln -snf --relative $IMAGE_ROOTFS/var/rootdirs/scratch $IMAGE_ROOTFS/scratch - |- # Make /opt/branding to writable (To make end-user enable to place their branding archive) mkdir $IMAGE_ROOTFS/var/branding mkdir -p $IMAGE_ROOTFS/var/rootdirs/opt ln -snf --relative $IMAGE_ROOTFS/var/branding $IMAGE_ROOTFS/var/rootdirs/opt/branding - |- cat /dev/null > $IMAGE_ROOTFS/etc/resolv.conf - |- cat /dev/null > $IMAGE_ROOTFS/etc/apt/sources.list - |- # Only used for running build-image rm -f etc/dpkg/dpkg.cfg.d/unsafe-io - |- # There is ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi from parent linux installed # For secure boot feature, it should be replaced with the right one if [ "$EFI_SECURE_BOOT" = enable ]; then install -m 0644 ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi fi environments: - NO_RECOMMENDATIONS="1" - DEBIAN_FRONTEND=noninteractive - KERNEL_PARAMS=crashkernel=2048M apparmor=0 security=apparmor ostree: ostree_use_ab: '0' ostree_osname: debian ostree_skip_boot_diff: '2' ostree_remote_url: '' ostree_install_device: '/dev/sda' OSTREE_GRUB_USER: root OSTREE_GRUB_PW_FILE: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/ostree_grub_pw OSTREE_FDISK_BLM: 2506 OSTREE_FDISK_BSZ: 512 OSTREE_FDISK_RSZ: 20480 OSTREE_FDISK_VSZ: 20480 OSTREE_FDISK_FSZ: 32 OSTREE_CONSOLE: console=ttyS0,115200 debootstrap-key: '' apt-keys: - /opt/LAT/pubkey.rsa iso-grub-entry: | submenu 'UEFI Debian Controller Install' --unrestricted --id=standard { menuentry 'Serial Console' --unrestricted --id=serial { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 initrd @INITRD@ } menuentry 'Graphical Console' --unrestricted --id=graphical { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1 initrd @INITRD@ } } submenu 'UEFI Debian All-in-one Install' --unrestricted --id=aio { menuentry 'Serial Console' --unrestricted --id=serial { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 initrd @INITRD@ } menuentry 'Graphical Console' --unrestricted --id=graphical { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1 initrd @INITRD@ } } submenu 'UEFI Debian All-in-one (lowlatency) Install' --unrestricted --id=aio-lowlat { menuentry 'Serial Console' --unrestricted --id=serial { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime initrd @INITRD@ } menuentry 'Graphical Console' --unrestricted --id=graphical { set fallback=1 efi-watchdog enable 0 1200 linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime console=tty1 initrd @INITRD@ } } iso-syslinux-entry: | menu start ontimeout 1 menu begin menu title Debian Controller Install menu default label 1 menu label Serial Console kernel /bzImage-std ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 label 2 menu label Graphical Console kernel /bzImage-std ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1 menu end menu begin menu title Debian All-in-one Install label 3 menu label Serial Console kernel /bzImage-std ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 label 4 menu label Graphical Console kernel /bzImage-std ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1 menu end menu begin menu title Debian All-in-one (lowlatency) Install label 5 menu label Serial Console kernel /bzImage-rt ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 label 6 menu label Graphical Console kernel /bzImage-rt ipappend 2 append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 console=tty1 menu end iso-post-script: | cd ${ISO_DIR} # 0. Prepare # According to `multiple-kernels' in lat yaml, install std # or rt kernel to ISO for k in ${OSTREE_MULTIPLE_KERNELS}; do if [ "${k%%-rt-amd64}" != "${k}" ]; then cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-rt if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-rt.sig fi else cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-std if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-std.sig fi fi done # 1. Kickstart mkdir -p kickstart # 1.1 Kickstart example for PXE cat << ENDOF > kickstart/pxe-ks.cfg lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0 ENDOF # 1.2 Kickstart example for ISO cat << ENDOF > kickstart/iso-ks.cfg lat-disk --install-device=/dev/sda ENDOF # 1.3 Kickstart from image rootfs (provided by package platform-kickstarts) if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg ]; then cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg kickstart/ fi if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg ]; then cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg kickstart/ fi if [ -d $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos ]; then cp -r $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos kickstart/ fi # 2. PXE mkdir -p pxeboot/pxelinux.cfg # 2.1 Kernel and initramfs install -m 644 bzImage* pxeboot install -m 644 initrd* pxeboot # 2.2 Bootloader # 2.2.1 Legacy BIOS PXE cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/ cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do cp isolinux/$f pxeboot/ done # 2.2.2 EFI PXE cp -a EFI pxeboot if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then cp ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/ fi # 2.3 Edit grub.cfg and pxelinux.cfg/default # 2.3.1 Drop to install from local ostree repo sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \ pxeboot/EFI/BOOT/grub.cfg \ pxeboot/pxelinux.cfg/default # 2.3.2 Install from remote ostree repo sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \ pxeboot/EFI/BOOT/grub.cfg \ pxeboot/pxelinux.cfg/default # 2.3.3 Configure kickstart url BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg" # 2.3.4 Verbose installation #BOOT_PARAMS="${BOOT_PARAMS} instsh=2" # 2.3.5 Update boot params sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \ pxeboot/EFI/BOOT/grub.cfg \ pxeboot/pxelinux.cfg/default # 2.3.6 Add `Boot from hard drive' entry to grub.cfg cat <> pxeboot/EFI/BOOT/grub.cfg export skip_check_cfg menuentry 'UEFI Boot from hard drive' { search --set=root --label otaefi configfile /efi/boot/grub.cfg } ENDOF # 2.4 Tweak PXE if EFI secure boot enabled if [ "$EFI_SECURE_BOOT" = enable ]; then # On some host, PXE make bootx64.efi search grubx64.efi # from tftp/ dir other than tftp/EFI/BOOT/ install -m 0644 EFI/BOOT/grubx64.efi pxeboot/ # Resign grub.cfg rm pxeboot/EFI/BOOT/grub.cfg.sig echo 'SecureCore' | gpg --pinentry-mode loopback \ --batch \ --homedir /tmp/.lat_gnupg_root \ -u SecureBootCore \ --detach-sign \ --passphrase-fd 0 \ pxeboot/EFI/BOOT/grub.cfg fi # 2.5 copy pxeboot config template files to pxeboot/pxelinux.cfg mkdir -p pxeboot/pxelinux.cfg.files cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxe-* pxeboot/pxelinux.cfg.files/ cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxe-* pxeboot/pxelinux.cfg.files/ # 2.6 upgrades directory and upgrade meta files RELEASE_VER=$(cat ${IMAGE_ROOTFS}/etc/build.info | grep SW_VERSION | cut -f2 -d'=' | tr -d '"') mkdir -p upgrades cp ${IMAGE_ROOTFS}/etc/pxeboot-update-${RELEASE_VER}.sh upgrades/ cp ${IMAGE_ROOTFS}/usr/sbin/deploy-precheck upgrades/ cp ${IMAGE_ROOTFS}/usr/sbin/upgrade_utils.py upgrades/ cp ${IMAGE_ROOTFS}/opt/upgrades/import.sh upgrades/ cp ${IMAGE_ROOTFS}/opt/upgrades/metadata.xml upgrades/ sed -i "s/xxxSW_VERSIONxxx/${RELEASE_VER}/g" upgrades/metadata.xml mkdir -p patches cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml upgrades/ cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml patches/ echo -n "VERSION=${RELEASE_VER}" > upgrades/version # 3. ISO # 3.1 Edit grub.cfg and isolinux.cfg # 3.1.1 Configure local kickstart url and LVM root and fluxdata device BOOT_PARAMS="ks=file:///kickstart/kickstart.cfg" BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_root=/dev/mapper/cgts--vg-root--lv" BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_var=/dev/mapper/cgts--vg-var--lv" # 3.1.2 Verbose installation #BOOT_PARAMS="${BOOT_PARAMS} instsh=2" # 3.1.3 Update boot params sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \ EFI/BOOT/grub.cfg \ isolinux/isolinux.cfg # According to `default-kernel' in lat yaml, set which # bootloader menu entry to boot sed -i "s/^DEFAULT .*//g" \ isolinux/isolinux.cfg if [ "${OSTREE_DEFAULT_KERNEL%%-rt-amd64}" != "${OSTREE_DEFAULT_KERNEL}" ]; then # Boot rt kernel by default sed -i "s/ set default=.*/ set default=2/g" \ EFI/BOOT/grub.cfg else # Boot std kernel by default sed -i "s/ set default=.*/ set default=0/g" \ EFI/BOOT/grub.cfg fi # 3.2 Resign grub.cfg if EFI secure boot enabled if [ "$EFI_SECURE_BOOT" = enable ]; then rm EFI/BOOT/grub.cfg.sig echo 'SecureCore' | gpg --pinentry-mode loopback \ --batch \ --homedir /tmp/.lat_gnupg_root \ -u SecureBootCore \ --detach-sign \ --passphrase-fd 0 \ EFI/BOOT/grub.cfg fi # Update the grub.cfg in efi.img according to above setting. # Don't update grub.cfg.sig because the grub.cfg signature checking # has been omitted. mdel -i efi.img ::/EFI/BOOT/grub.cfg mcopy -i efi.img EFI/BOOT/grub.cfg ::/EFI/BOOT/ # Put the controller-0 pxeboot install grub menu samples and # setup script into a new the ISO's pxeboot/samples directory. install -v -d -m 0755 pxeboot/samples install -m 0555 ${IMAGE_ROOTFS}/usr/sbin/pxeboot_setup.sh pxeboot/samples echo "See pxeboot_setup.sh --help for usage details" > pxeboot/samples/README install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxeboot.cfg.debian pxeboot/samples install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxeboot.cfg.debian pxeboot/samples # Added CERTS into efi.img if [ "$EFI_SECURE_BOOT" = enable ]; then mmd -i efi.img ::/CERTS mcopy -i efi.img -s /localdisk/CERTS/* ::/CERTS/ mkdir images ln -snf ../efi.img images/efiboot.img fi # Generate package list file in the iso root echo "Verifying package list for ${IMAGE_NAME}" if [ -f "/localdisk/workdir/${IMAGE_NAME}/packages.yaml" ]; then echo "Copying ISO package list" cp /localdisk/workdir/${IMAGE_NAME}/packages.yaml sw_package_list.yaml fi initramfs-sign-script: | echo "End of initramfs-sign-script!" multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64 default-kernel: vmlinuz-*[!t]-amd64 system: - contains: - /localdisk/deploy/lat-initramfs.yaml