From aa765e9bd0b51135133cb59141286d2cdf80e0f9 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Wed, 4 Sep 2024 12:54:32 +0200 Subject: [PATCH 1/9] Add sysext command It will turn the last layer of a given container into a signed sysext ready to use The idea is, to have a dockerfile and in the last step add the files you want to turn into a sysext, and then call this command to transform them into one Signed-off-by: Itxaka --- cmd/sysext.go | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++ go.mod | 5 +- go.sum | 6 +++ 3 files changed, 148 insertions(+), 2 deletions(-) create mode 100644 cmd/sysext.go diff --git a/cmd/sysext.go b/cmd/sysext.go new file mode 100644 index 0000000..e4eb39b --- /dev/null +++ b/cmd/sysext.go 
@@ -0,0 +1,139 @@
+package cmd
+
+import (
+ "fmt"
+ "github.com/gofrs/uuid"
+ "github.com/kairos-io/enki/pkg/config"
+ "github.com/kairos-io/kairos-sdk/sysext"
+ "github.com/kairos-io/kairos-sdk/utils"
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "regexp"
+ "strings"
+)
+
+func NewSysextCmd() *cobra.Command {
+ c := &cobra.Command{
+ Use: "sysext NAME CONTAINER",
+ Short: "Generate a sysextension from the last layer of the given CONTAINER",
+ Args: cobra.ExactArgs(2),
+ PreRunE: func(cmd *cobra.Command, args []string) error {
+ arch := viper.GetString("arch")
+ if arch != "amd64" && arch != "arm64" {
+ return fmt.Errorf("unsupported architecture: %s", arch)
+ }
+ return nil
+ },
+ RunE: func(cobraCmd *cobra.Command, args []string) error {
+ // Set this after parsing of the flags, so it fails on parsing and prints usage properly
+ cobraCmd.SilenceUsage = true
+ // we log the errors with our nice logger so stop cobra from logging them, just let it return the exit codes
+ cobraCmd.SilenceErrors = true
+
+ cfg, err := config.ReadConfigBuild(viper.GetString("config-dir"), cobraCmd.Flags())
+ if err != nil {
+ return err
+ }
+
+ name := args[0]
+ _, err = os.Stat(fmt.Sprintf("%s.sysext.raw", name))
+ if err == nil {
+ _ = os.Remove(fmt.Sprintf("%s.sysext.raw", name))
+ }
+ cfg.Logger.Logger.Info().Msg("🚀 Start sysext creation")
+
+ dir, _ := os.MkdirTemp("", "")
+ defer func(path string) {
+ err := os.RemoveAll(path)
+ if err != nil {
+ cfg.Logger.Logger.Error().Str("dir", dir).Err(err).Msg("⛔ removing dir")
+ }
+ }(dir)
+ cfg.Logger.Logger.Debug().Str("dir", dir).Msg("creating directory")
+ // Get the image struct
+ cfg.Logger.Logger.Info().Msg("💿 Getting image info")
+
+ platform := fmt.Sprintf("linux/%s", viper.Get("arch"))
+ image, err := utils.GetImage(args[1], platform, nil, nil)
+ if err != nil {
+ cfg.Logger.Logger.Error().Str("image", args[1]).Err(err).Msg("⛔ getting image")
+ return err
+ }
+ // Only for sysext, confext not supported yet
+ AllowList := regexp.MustCompile(`^usr|^/usr`)
+ // extract the files into the temp dir
+ cfg.Logger.Logger.Info().Msg("📤 Extracting archives from image layer")
+ err = sysext.ExtractFilesFromLastLayer(image, dir, cfg.Logger, AllowList)
+ if err != nil {
+ cfg.Logger.Logger.Error().Str("image", args[1]).Err(err).Msg("⛔ extracting layer")
+ }
+
+ // Now create the file that tells systemd that this is a sysext!
+ err = os.MkdirAll(filepath.Join(dir, "/usr/lib/extension-release.d/"), os.ModeDir|os.ModePerm)
+ if err != nil {
+ cfg.Logger.Logger.Error().Str("dir", filepath.Join(dir, "/usr/lib/extension-release.d/")).Err(err).Msg("⛔ creating dir")
+ }
+
+ extensionData := "ID=_any\nARCHITECTURE=x86-64"
+
+ if viper.Get("arch") == "arm64" {
+ extensionData = "ID=_any\nARCHITECTURE=arm64"
+ }
+
+ // If the extension ships any service files, we want this so systemd is reloaded and the service available immediately
+ if viper.GetBool("service-reload") {
+ extensionData = fmt.Sprintf("%s\nEXTENSION_RELOAD_MANAGER=1", extensionData)
+ }
+ err = os.WriteFile(filepath.Join(dir, "/usr/lib/extension-release.d/", fmt.Sprintf("extension-release.%s", name)), []byte(extensionData), os.ModePerm)
+ if err != nil {
+ cfg.Logger.Logger.Error().Str("file", fmt.Sprintf("extension-release.%s", name)).Err(err).Msg("⛔ creating releasefile")
+ }
+
+ cfg.Logger.Logger.Info().Msg("📦 Packing sysext into raw image")
+ // Call systemd-repart to create the sysext based off the files
+ command := exec.Command(
+ "systemd-repart",
+ "--make-ddi=sysext",
+ "--image-policy=root=verity+signed+absent:usr=verity+signed+absent",
+ fmt.Sprintf("--architecture=%s", viper.Get("arch")),
+ // Having a fixed predictable seed makes the Image UUID be always the same if the inputs are the same,
+ // so its a reproducible image. So getting the same files and same cert/key should produce a reproducible image always
+ // Another layer to verify images, even if its a manual check, we make it easier
+ fmt.Sprintf("--seed=%s", uuid.NewV5(uuid.NamespaceDNS, "kairos-sysext")),
+ fmt.Sprintf("--copy-source=%s", dir),
+ fmt.Sprintf("%s.sysext.raw", name), // output sysext image
+ fmt.Sprintf("--private-key=%s", viper.Get("private-key")),
+ fmt.Sprintf("--certificate=%s", viper.Get("certificate")),
+ )
+ out, err := command.CombinedOutput()
+ cfg.Logger.Logger.Debug().Str("output", string(out)).Msg("building sysext")
+ if err != nil {
+ cfg.Logger.Logger.Error().Err(err).Str("command", strings.Join(command.Args, " ")).Msg("⛔ building sysext")
+ return err
+ }
+
+ cfg.Logger.Logger.Info().Str("output", fmt.Sprintf("%s.sysext.raw", name)).Msg("🎉 Done sysext creation")
+ return nil
+ },
+ }
+ c.Flags().String("private-key", "", "Private key to sign the sysext with")
+ c.Flags().String("certificate", "", "Certificate to sign the sysext with")
+ c.Flags().Bool("service-reload", false, "Make systemctl reload the service when loading the sysext. This is useful for sysext that provide systemd service files.")
+ c.Flags().String("arch", "amd64", "Arch to get the image from and build the sysext for. Accepts amd64 and arm64 values.")
+ _ = c.MarkFlagRequired("private-key")
+ _ = c.MarkFlagRequired("certificate")
+
+ err := viper.BindPFlags(c.Flags())
+ if err != nil {
+ return nil
+ }
+
+ return c
+}
+
+func init() {
+ rootCmd.AddCommand(NewSysextCmd())
+}
diff --git a/go.mod b/go.mod
index b3fca7b..138fd2e 100644
--- a/go.mod
+++ b/go.mod
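Review bot: `dir, _ := os.MkdirTemp("", "")` drops the error, and because every later path is built as `filepath.Join(dir, "/usr/lib/extension-release.d/")`, a failed MkdirTemp leaves `dir == ""` so the command would create `/usr/lib/extension-release.d/` and write the release file on the host, then run systemd-repart with an empty `--copy-source=`; the extraction, MkdirAll and WriteFile errors right after are logged but not returned, so a partially populated tree is still packed and signed with the supplied key. Each of those should return, and `name` (args[0]) should be rejected when it contains a path separator, since it is spliced unvalidated into `%s.sysext.raw` and `extension-release.%s` (systemd also expects those two names to agree): `if strings.ContainsAny(name, "/\\") { return fmt.Errorf("invalid sysext name %q", name) }`. `os.ModePerm` (0777) on the release directory and file is wider than the conventional 0755/0644 and those mode bits are presumably carried into the signed image by `--copy-source`. Whether sysext.ExtractFilesFromLastLayer rejects `..` components that still satisfy the `^usr` allowlist is not visible here and worth confirming before this signs arbitrary layers. The rewritten lines below keep the existing logger calls and only add the early returns and tighter modes.
```go
// … unchanged: flag silencing, config load, stale output removal …
dir, err := os.MkdirTemp("", "")
if err != nil {
	return fmt.Errorf("creating temp dir: %w", err)
}
// … unchanged: deferred cleanup, image fetch, AllowList …
if err = sysext.ExtractFilesFromLastLayer(image, dir, cfg.Logger, AllowList); err != nil {
	cfg.Logger.Logger.Error().Str("image", args[1]).Err(err).Msg("⛔ extracting layer")
	return err
}
// extension-release.NAME under usr/lib/extension-release.d/ is what marks the tree as a sysext
releaseDir := filepath.Join(dir, "usr", "lib", "extension-release.d")
if err = os.MkdirAll(releaseDir, 0o755); err != nil {
	cfg.Logger.Logger.Error().Str("dir", releaseDir).Err(err).Msg("⛔ creating dir")
	return err
}
// … unchanged: extensionData assembly …
releaseFile := filepath.Join(releaseDir, "extension-release."+name)
if err = os.WriteFile(releaseFile, []byte(extensionData), 0o644); err != nil {
	cfg.Logger.Logger.Error().Str("file", releaseFile).Err(err).Msg("⛔ creating releasefile")
	return err
}
// … unchanged: systemd-repart invocation …
```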
@@ -6,11 +6,12 @@ require (
 github.com/containerd/containerd v1.7.21
 github.com/foxboron/go-uefi v0.0.0-20240805124652-e2076f0e58ca
 github.com/foxboron/sbctl v0.0.0-20240526163235-64e649b31c8e
+ github.com/gofrs/uuid v4.4.0+incompatible
 github.com/google/go-containerregistry v0.20.2
 github.com/google/uuid v1.6.0
 github.com/kairos-io/go-ukify v0.2.2
 github.com/kairos-io/kairos-agent/v2 v2.13.4
- github.com/kairos-io/kairos-sdk v0.4.1
+ github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6
 github.com/klauspost/compress v1.17.9
 github.com/mitchellh/mapstructure v1.5.0
 github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
@@ -60,7 +61,7 @@ require (
 github.com/distribution/reference v0.6.0 // indirect
 github.com/docker/cli v27.1.1+incompatible // indirect
 github.com/docker/distribution v2.8.2+incompatible // indirect
- github.com/docker/docker v27.1.2+incompatible // indirect
+ github.com/docker/docker v27.2.0+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/docker/go-connections v0.4.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
diff --git a/go.sum b/go.sum
index 99dbb34..3aa6c31 100644
--- a/go.sum
+++ b/go.sum
@@ -303,6 +303,8 @@ github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+Lnq github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4= +github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= @@ -419,6 +421,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA= +github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
@@ -693,6 +697,8 @@ github.com/kairos-io/kairos-sdk v0.3.2 h1:xPs6RKjVdMpv6N//iwkjeJHdieliWRCIJ5bNAJ github.com/kairos-io/kairos-sdk v0.3.2/go.mod h1:EznuHrE6zGyUsVr1xYj7qYUFWCVKAjXLyKjDUzffME8= github.com/kairos-io/kairos-sdk v0.4.1 h1:WF+X30URojMxV7AlzVj0uejvPWG4zq1WNga0swAX4dY= github.com/kairos-io/kairos-sdk v0.4.1/go.mod h1:lgQAYkh0aWIZg4/CQcC+OPQp95ONs2PzkMIcAq8w6OY= +github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6 h1:auCG/aP/esvKCq1aeeoyqieTMbRO7WHKs4fY05WWXc0= +github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= From ffbc707e9e94f26e4d106a4f5306eb8ae869a5d1 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 5 Sep 2024 10:12:46 +0200 Subject: [PATCH 2/9] Bump to latest sdk with some sysext fixes Signed-off-by: Itxaka --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 07ecaa8..44be26f 100644 --- a/go.mod +++ b/go.mod @@ -10,8 +10,8 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/google/uuid v1.6.0 github.com/kairos-io/go-ukify v0.2.2 - github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6 github.com/kairos-io/kairos-agent/v2 v2.13.5 + github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a github.com/klauspost/compress v1.17.9 github.com/mitchellh/mapstructure v1.5.0 github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82 diff --git a/go.sum b/go.sum index 8198eb5..ff0b996 100644 --- a/go.sum +++ b/go.sum 
@@ -667,6 +667,8 @@ github.com/kairos-io/kairos-sdk v0.4.1 h1:WF+X30URojMxV7AlzVj0uejvPWG4zq1WNga0sw
 github.com/kairos-io/kairos-sdk v0.4.1/go.mod h1:lgQAYkh0aWIZg4/CQcC+OPQp95ONs2PzkMIcAq8w6OY=
 github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6 h1:auCG/aP/esvKCq1aeeoyqieTMbRO7WHKs4fY05WWXc0=
 github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE=
+github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a h1:zBGCh/ZPeOHdcbZdATg+LPCypdwx+3WzfD4a1TVwCYs=
+github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE=
 github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk=
 github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
From 2c0d0914161bfbbbe3ab6dedc372fc64dce824f8 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 5 Sep 2024 10:13:07 +0200
Subject: [PATCH 3/9] Improve regex for sysext

Signed-off-by: Itxaka
---
 cmd/sysext.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/sysext.go b/cmd/sysext.go
index e4eb39b..95d1e02 100644
--- a/cmd/sysext.go
+++ b/cmd/sysext.go
@@ -63,7 +63,7 @@ func NewSysextCmd() *cobra.Command {
 return err
 }
 // Only for sysext, confext not supported yet
- AllowList := regexp.MustCompile(`^usr|^/usr`)
+ AllowList := regexp.MustCompile(`^usr/|^/usr/`)
 // extract the files into the temp dir
 cfg.Logger.Logger.Info().Msg("📤 Extracting archives from image layer")
 err = sysext.ExtractFilesFromLastLayer(image, dir, cfg.Logger, AllowList)
From 71ecf4512d63de7fd9f621c21074be75311af0ed Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 5 Sep 2024 10:26:52 +0200
Subject: [PATCH 4/9] Fix regex for sysext
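Review bot: `^usr/|^/usr/` no longer matches an entry named exactly `usr` or `/usr` (no trailing slash), so if the extractor feeds directory entries through the allowlist the top-level directory itself is dropped; whether it does is not visible here. The two alternatives can also be folded into one pattern, `^/?usr/`, which reads more clearly than the duplicated prefix. NewSysextCmd starts and ends outside the hunk.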
Signed-off-by: Itxaka
---
 cmd/sysext.go | 2 +-
 go.mod | 2 +-
 go.sum | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmd/sysext.go b/cmd/sysext.go
index 95d1e02..7cbb568 100644
--- a/cmd/sysext.go
+++ b/cmd/sysext.go
@@ -63,7 +63,7 @@ func NewSysextCmd() *cobra.Command {
 return err
 }
 // Only for sysext, confext not supported yet
- AllowList := regexp.MustCompile(`^usr/|^/usr/`)
+ AllowList := regexp.MustCompile(`^usr/*|^/usr/*`)
 // extract the files into the temp dir
 cfg.Logger.Logger.Info().Msg("📤 Extracting archives from image layer")
 err = sysext.ExtractFilesFromLastLayer(image, dir, cfg.Logger, AllowList)
diff --git a/go.mod b/go.mod
index 44be26f..88f895e 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/google/uuid v1.6.0
 github.com/kairos-io/go-ukify v0.2.2
 github.com/kairos-io/kairos-agent/v2 v2.13.5
- github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a
+ github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c
 github.com/klauspost/compress v1.17.9
 github.com/mitchellh/mapstructure v1.5.0
 github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82
diff --git a/go.sum b/go.sum
index ff0b996..78bb32f 100644
--- a/go.sum
+++ b/go.sum
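Review bot: `^usr/*|^/usr/*` also matches `usrbin`, `usrlocal/...` and any other top-level name that merely starts with `usr`, because `/*` is zero-or-more slashes, so unrelated files from the layer can be pulled into the signed image. Anchor the component boundary instead, `^/?usr(/|$)`, which matches `usr`, `/usr` and everything beneath them and nothing else. The pattern still admits `usr/../etc/...`; whether sysext.ExtractFilesFromLastLayer normalises paths before writing under `dir` is not visible here. NewSysextCmd starts and ends outside the hunk.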
@@ -669,6 +669,8 @@ github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6 h1:auCG/aP/ github.com/kairos-io/kairos-sdk v0.4.2-0.20240903105642-a509f9388eb6/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a h1:zBGCh/ZPeOHdcbZdATg+LPCypdwx+3WzfD4a1TVwCYs= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= +github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c h1:jJ1KRqVEHN8QodFaA4maYlbygDwCdvSGbROFDDMk4lo= +github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= From 3d4b41c2fcbe92360d7cd3d027dfca6b14be8f0a Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 6 Sep 2024 13:46:19 +0200 Subject: [PATCH 5/9] Bump sdk Signed-off-by: Itxaka --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 88f895e..8c8834b 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/google/uuid v1.6.0 github.com/kairos-io/go-ukify v0.2.2 github.com/kairos-io/kairos-agent/v2 v2.13.5 - github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c + github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d github.com/klauspost/compress v1.17.9 github.com/mitchellh/mapstructure v1.5.0 github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82 diff --git a/go.sum b/go.sum index 78bb32f..3315b23 100644 --- a/go.sum +++ b/go.sum 
@@ -671,6 +671,8 @@ github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a h1:zBGCh/ZP github.com/kairos-io/kairos-sdk v0.4.3-0.20240905081210-705fa3ebfa2a/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c h1:jJ1KRqVEHN8QodFaA4maYlbygDwCdvSGbROFDDMk4lo= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= +github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d h1:l2YccCeCefd9AnhO8JxgoqWiI/9aqo/knIV+zsBF/ms= +github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= From e41e6153257f629704ac25037b9834b4c38c4f11 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Fri, 6 Sep 2024 15:56:50 +0200 Subject: [PATCH 6/9] Fix arch Signed-off-by: Itxaka --- cmd/sysext.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cmd/sysext.go b/cmd/sysext.go index 7cbb568..fe6961c 100644 --- a/cmd/sysext.go +++ b/cmd/sysext.go 
@@ -77,12 +77,14 @@ func NewSysextCmd() *cobra.Command {
 cfg.Logger.Logger.Error().Str("dir", filepath.Join(dir, "/usr/lib/extension-release.d/")).Err(err).Msg("⛔ creating dir")
 }
 
- extensionData := "ID=_any\nARCHITECTURE=x86-64"
+ arch := "x86-64"
 
 if viper.Get("arch") == "arm64" {
- extensionData = "ID=_any\nARCHITECTURE=arm64"
+ arch = "arm64"
 }
 
+ extensionData := fmt.Sprintf("ID=_any\nARCHITECTURE=%s", arch)
+
 // If the extension ships any service files, we want this so systemd is reloaded and the service available immediately
 if viper.GetBool("service-reload") {
 extensionData = fmt.Sprintf("%s\nEXTENSION_RELOAD_MANAGER=1", extensionData)
@@ -98,7 +100,7 @@ func NewSysextCmd() *cobra.Command {
 "systemd-repart",
 "--make-ddi=sysext",
 "--image-policy=root=verity+signed+absent:usr=verity+signed+absent",
- fmt.Sprintf("--architecture=%s", viper.Get("arch")),
+ fmt.Sprintf("--architecture=%s", arch),
 // Having a fixed predictable seed makes the Image UUID be always the same if the inputs are the same,
 // so its a reproducible image. So getting the same files and same cert/key should produce a reproducible image always
 // Another layer to verify images, even if its a manual check, we make it easier
From 00da5cd2c0bc7c8cf5df5d87fcd272dea07b4075 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Tue, 10 Sep 2024 10:07:14 +0200
Subject: [PATCH 7/9] Pin sdk to release version

Signed-off-by: Itxaka
---
 go.mod | 4 ++--
 go.sum | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 8c8834b..34c6927 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/kairos-io/enki
 
-go 1.22.5
+go 1.23.1
 
 require (
 github.com/containerd/containerd v1.7.21
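Review bot: `viper.Get("arch") == "arm64"` compares an `any` against a string literal while PreRunE reads the same flag as `viper.GetString("arch")`; using the typed getter here keeps the two consistent, and a `switch` makes the amd64→x86-64 mapping explicit instead of a fall-through default: `switch viper.GetString("arch") { case "arm64": arch = "arm64" default: arch = "x86-64" }`. A short comment that `arch` holds the systemd architecture identifier rather than the OCI value passed to `--platform` would save the next reader a lookup, e.g. `// arch is the systemd ARCHITECTURE= / --architecture name (x86-64, arm64), not the OCI platform name`. NewSysextCmd starts and ends outside the hunk.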
@@ -11,7 +11,7 @@ require ( github.com/google/uuid v1.6.0 github.com/kairos-io/go-ukify v0.2.2 github.com/kairos-io/kairos-agent/v2 v2.13.5 - github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d + github.com/kairos-io/kairos-sdk v0.4.3 github.com/klauspost/compress v1.17.9 github.com/mitchellh/mapstructure v1.5.0 github.com/mudler/go-processmanager v0.0.0-20240820160718-8b802d3ecf82 diff --git a/go.sum b/go.sum index 3315b23..06a546d 100644 --- a/go.sum +++ b/go.sum @@ -673,6 +673,8 @@ github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c h1:jJ1KRqVE github.com/kairos-io/kairos-sdk v0.4.3-0.20240905082603-42cf473c006c/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d h1:l2YccCeCefd9AnhO8JxgoqWiI/9aqo/knIV+zsBF/ms= github.com/kairos-io/kairos-sdk v0.4.3-0.20240905131825-2d092e9edd4d/go.mod h1:0ltpn7BODc+ztbee+2y/GfJMW125H1OFqHxSNqgWObE= +github.com/kairos-io/kairos-sdk v0.4.3 h1:gIC/PsWjv9/Z+6RIHRG9IS5MB9gACw1ZjPAi7VydSSo= +github.com/kairos-io/kairos-sdk v0.4.3/go.mod h1:bxUPzirl8vNtqB48FJ2835QKio3d3PrHbkAejkibV8I= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= From b5f9fbcc774fcab8e1d2d516ae36da4ac63602ea Mon Sep 17 00:00:00 2001 From: Itxaka Date: Tue, 10 Sep 2024 10:07:52 +0200 Subject: [PATCH 8/9] Pin gosec Signed-off-by: Itxaka --- .github/workflows/secscan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/secscan.yaml b/.github/workflows/secscan.yaml index 2d51bb8..ee32db1 100644 --- a/.github/workflows/secscan.yaml +++ b/.github/workflows/secscan.yaml 
@@ -19,7 +19,7 @@ jobs: - name: Checkout Source uses: actions/checkout@v4 - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@v2.21.0 with: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-no-fail -fmt sarif -out results.sarif ./...' From 089dc0dc3b9029e39c4bdc10c75fdfe0939aa400 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Tue, 10 Sep 2024 10:11:12 +0200 Subject: [PATCH 9/9] Track 1.23 instead of 1.23.X Signed-off-by: Itxaka --- Dockerfile | 2 +- Earthfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a291b15..9fb200d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ ARG LUET_VERSION=0.35.5 -ARG GO_VERSION=1.23.0-alpine +ARG GO_VERSION=1.23-alpine FROM quay.io/luet/base:$LUET_VERSION AS luet FROM golang:$GO_VERSION AS builder diff --git a/Earthfile b/Earthfile index afeab04..8f1364c 100644 --- a/Earthfile +++ b/Earthfile @@ -1,7 +1,7 @@ VERSION 0.7 # renovate: datasource=docker depName=golang versioning=docker -ARG --global GO_VERSION=1.23.0-bookworm +ARG --global GO_VERSION=1.23-bookworm # renovate: datasource=github-releases depName=kairos-io/kairos ARG IMAGE_VERSION=v3.1.2 ARG --global BASE_IMAGE=quay.io/kairos/ubuntu:24.04-core-amd64-generic-${IMAGE_VERSION}-uki
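Review bot: `uses: securego/gosec@v2.21.0` pins a git tag, and tags are mutable, so anyone who can push to that repository can change what the scanner executes with your checkout in scope; pin the full commit SHA and keep the tag as a comment, `uses: securego/gosec@<full-commit-sha> # v2.21.0`, which Dependabot/Renovate still track. The same applies to `actions/checkout@v4` on the context line above. The rest of the job definition is outside the hunk.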