ERL-352: switch to using Keg to manage image descriptions

.github/workflows/debian-packages.yaml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
 ---
 name: "Debian Packages"
 on:

.github/workflows/nemos-images.yaml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
 ---
 name: nemos-images
 on:

Makefile

@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+SERIES = \
+	lunar \
+	mantic
+
+CONFIGURATIONS = \
+	minimal \
+	reference
+
+PLATFORMS = \
+	qemu-amd64 \
+	qemu-arm64 \
+	s32g274ardb2
+
+TARGETS = \
+	$(foreach platform,$(PLATFORMS), \
+		$(addsuffix -$(platform), \
+			$(foreach series,$(SERIES), \
+				$(addsuffix -$(series), \
+					$(addprefix nemos-images-,$(CONFIGURATIONS)) \
+				) \
+			) \
+		) \
+	)
+
+.PHONY: all
+all: $(TARGETS)
+
+.PHONY: $(TARGETS)
+$(TARGETS):
+	@CONFIG="$$(echo $(@) | cut -f 3 -d-)"; \
+	SERIES="$$(echo $(@) | cut -f 4 -d-)"; \
+	PLATFORM="$$(echo $(@) | cut -f 5- -d-)"; \
+		echo "Generating $${SERIES}/$${CONFIG}/$${PLATFORM}"; \
+		keg -v --disable-multibuild -f -r . -d \
+			"nemos-images-$${CONFIG}-$${SERIES}/$${PLATFORM}" \
+			"$${SERIES}/$${CONFIG}/$${PLATFORM}"; \
+		mv nemos-images-$${CONFIG}-$${SERIES}/$${PLATFORM}/config.kiwi \
+			nemos-images-$${CONFIG}-$${SERIES}/$${PLATFORM}/appliance.kiwi

data/base/common.yaml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+packages:
+  _namespace_common_pkgs:
+    package:
+      - "linux-s32-eb"
+      - "usrmerge"
+      - "netbase"
+      - "locales"
+      - "busybox-static"
+      - "systemd"
+      - "dbus"
+      - "dracut"
+      - "dracut-network"
+      - "kiwi-dracut-overlay"

data/base/common/admin.yaml

@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    admin-user:
+      - path: /etc/polkit-1/localauthority/10-vendor.d/admin-org.freedesktop.login1.pkla
+        append: False
+        content: |-
+          [Admin - Power off the system]
+          Identity=unix-user:admin
+          Action=org.freedesktop.login1.power-off
+          ResultAny=yes
+
+          [Admin - Reboot the system]
+          Identity=unix-user:admin
+          Action=org.freedesktop.login1.reboot
+          ResultAny=yes
+
+          [Admin - Halt the system]
+          Identity=unix-user:admin
+          Action=org.freedesktop.login1.halt
+          ResultAny=yes
+      - path: /etc/sudoers
+        append: False
+        content: |-
+          Defaults always_set_home
+          Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+          Defaults env_reset
+          Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+          Defaults !insults
+          Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          Defaults targetpw   # ask for the password of the target user i.e. root
+          ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+          root ALL=(ALL) ALL
+          admin ALL=(ALL) NOPASSWD: ALL

data/base/common/dracut.yaml

@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    dracut-common:
+      - path: /etc/dracut.conf.d/50-common.conf
+        append: False
+        content: |-
+          force_drivers+=" squashfs nls_iso8859-1 binfmt_misc overlay "
+          add_dracutmodules+=" bash "

data/base/common/scripts.yaml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  scripts:
+    common:
+      - "cleanup"
+      - "busybox"
+      - "osinfo"

data/base/common/snapd.yaml

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  scripts:
+    snapd:
+      - "snapd"

data/base/common/sysctl.yaml

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    sysctl:
+      - path: /etc/sysctl.d/50-kernel-kptr-restrict.conf
+        append: False
+        content: kernel.kptr_restrict=1
+      - path: /etc/sysctl.d/50-randomize-va-space.conf
+        append: False
+        content: kernel.randomize_va_space=2
+      - path: /etc/sysctl.d/50-vm-overcommit.conf
+        append: False
+        content: vm.overcommit_memory=2
+      - path: /etc/sysctl.d/50-yama-ptrace-scope.conf
+        append: False
+        content: kernel.yama.ptrace_scope=1

data/base/common/watchdog.yaml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    watchdog:
+      - path: /etc/systemd/system.conf.d/watchdog.conf
+        append: False
+        content: |-
+          [Manager]
+          WatchdogDevice=/dev/watchdog0
+          RuntimeWatchdogSec=10

data/base/efi/amd64/grub.yaml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+packages:
+  _namespace_grub_efi_pkgs:
+    package:
+      - "grub-efi-amd64-signed"
+      - "grub-pc"

data/base/efi/arm64/grub.yaml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+packages:
+  _namespace_grub_efi_pkgs:
+    package:
+      - "grub-efi-arm64-signed"
+      - "grub-pc"

data/base/efi/disable-selinux.yaml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+# ERL-72: This is a temporary workaround to disable SELinux until it's properly
+#         implemented.
+
+config:
+  files:
+    disable-selinux:
+      - path: /etc/default/grub.d/50-disable-selinux.cfg
+        append: False
+        content: GRUB_CMDLINE_LINUX_DEFAULT="\${GRUB_CMDLINE_LINUX_DEFAULT} selinux=0"

data/base/efi/dracut.yaml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    dracut-efi-pstore:
+      - path: /etc/dracut.conf.d/51-efi-pstore.conf
+        append: False
+        content: force_drivers+=" efi-pstore "

data/base/efi/fix-kiwi-efi.yaml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    disable-selinux:
+      - path: /etc/grub.d/01_fix_linuxefi
+        append: False
+        content: |-
+          #!/bin/sh
+
+          # Override Kiwi's template which tries to boot with the linuxefi command,
+          # which doesn't exist in GRUB 2.12
+
+          echo "set linux=linux"
+          echo "set initrd=initrd"

data/base/minimal/packages.yaml

@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+packages:
+  _namespace_minimal_pkgs:
+    package:
+      - "openssh-client"
+      - "openssh-server"
+      - "usrmerge"
+      - "netbase"
+      - "netplan.io"
+      - "sudo"
+      - "cron"
+      - "zstd"
+      - "networkd-dispatcher"

data/base/minimal/systemd-journald.yaml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    systemd-journald:
+      - path: /etc/systemd/journald.conf
+        append: False
+        content: |-
+          [Journal]
+          Storage=volatile
+          ForwardToSyslog=no

data/base/qemu/dracut.yaml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    dracut-virtio:
+      - path: /etc/dracut.conf.d/50-virtio.conf
+        append: False
+        content: force_drivers+=" virtio virtio_net virtio_blk virtio_scsi virtio_rng virtio_dma_buf virtio_pci "

data/base/qemu/serial.yaml

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    serial:
+      - path: /etc/systemd/system/[email protected]/override.conf
+        append: False
+        content: |-
+          [Service]
+          ExecStart=
+          ExecStart=-/usr/sbin/agetty --autologin root --noclear --keep-baud 115200,38400,9600 ttyAMA0 $TERM
+      - path: /etc/systemd/system/[email protected]/override.conf
+        append: False
+        content: |-
+          [Service]
+          ExecStart=
+          ExecStart=-/usr/sbin/agetty --autologin root --noclear --keep-baud 115200,38400,9600 hvc0 $TERM

data/base/reference/dracut.yaml

@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    dracut-reference:
+      - path: /etc/dracut.conf.d/50-luks.conf
+        append: False
+        content: install_items+=" /etc/cryptsetup-keys.d/luks.key "
+      - path: /etc/dracut.conf.d/50-kiwi-root.conf
+        append: False
+        content: |-
+          add_dracutmodules+=" kiwi-overlay kiwi-verity crypt "
+          force_drivers+=" overlay "

data/base/reference/insecure-luks.yaml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    insecure-luks:
+      - path: /etc/cryptsetup-keys.d/luks.key
+        append: False
+        content: insecure

data/base/reference/oci-containers.yaml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+config:
+  files:
+    oci-containers:
+      - path: /var/lib/containers/storage/TODO
+        append: False
+        content: TODO
+      - path: /var/lib/containers/loaded/TODO
+        append: False
+        content: TODO

data/base/reference/packages.yaml

@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+---
+packages:
+  _namespace_reference_pkgs:
+    package:
+      - "usrmerge"
+      - "netbase"
+      - "netplan.io"
+      - "sudo"
+      - "cron"
+      - "xz-utils"
+      - "zstd"
+      - "tuptime"
+      - "polkitd"
+      - "busybox-static"
+      - "cryptsetup"
+      - "kiwi-dracut-verity"
+      - "dbus"
+      - "systemd-resolved"
+      - "systemd-coredump"
+      - "xfsprogs"
+      - "parted"
+      - "auditd"
+      - "tpm2-tools"
+      - "mokutil"
+      - "sbsigntool"
+      - "openssh-client"
+      - "openssh-server"
+      - "net-tools"
+      - "bridge-utils"
+      - "ethtool"
+      - "openssl"
+      - "linuxptp"
+      - "udhcpd"
+      - "udhcpc"
+      - "iptables"
+      - "iotop"
+      - "kdump-tools"
+      - "strace"
+      - "systemtap"