From 6152629fc92902ca701614ad9ab9df631f3dd4b2 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Mon, 17 Nov 2025 13:41:22 +0200 Subject: [PATCH 01/13] local: verity: pick latest EFI file you need to make sure /boot/efi/EFI/redhat/BOOTX64.CSV points to the right one --- scripts/verity/verity.sh | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/scripts/verity/verity.sh b/scripts/verity/verity.sh index fc088e48..f3c61ec3 100755 --- a/scripts/verity/verity.sh +++ b/scripts/verity/verity.sh @@ -225,15 +225,28 @@ function create_uki_addon() mount /dev/$EFI_PN mnt esp_mounted=1 efi_files=($UKI_FOLDER/*.efi) - if [[ ${#efi_files[@]} -eq 1 && -f "${efi_files[0]}" ]]; then - UKI_NAME=${efi_files[0]} - echo "Found UKI $UKI_NAME" - mkdir -p "$UKI_NAME.extra.d" - else - echo "Error: Either no .efi file or multiple .efi files found." - echo "Cannot create the UKI addon." + + # Check if any EFI files exist + if [[ ${#efi_files[@]} -eq 0 || ! -f "${efi_files[0]}" ]]; then + echo "Error: No .efi files found in $UKI_FOLDER" exit 1 fi + + # If multiple files, pick the most recent one + if [[ ${#efi_files[@]} -gt 1 ]]; then + echo "Found ${#efi_files[@]} EFI files: ${efi_files[@]}" + echo "" + echo "Current EFI fallback value (/boot/efi/EFI/redhat/BOOTX64.CSV):" + cat mnt/EFI/redhat/BOOTX64.CSV + echo "" + echo "Selecting the most recently modified UKI..." + UKI_NAME=$(ls -t "${efi_files[@]}" | head -1) + else + UKI_NAME=${efi_files[0]} + fi + + echo "Using UKI: $UKI_NAME" + mkdir -p "$UKI_NAME.extra.d" cd $UKI_NAME.extra.d rm -f $ADDON_NAME @@ -295,4 +308,4 @@ fi qemu-nbd --disconnect $NBD_DEVICE nbd_mounted=0 rm -rf mnt -cd $here \ No newline at end of file +cd $here From f37720f186142394fc94bd2d09cec2332f045355 Mon Sep 17 00:00:00 2001 
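Review bot: In the multiple-files branch `UKI_NAME=$(ls -t "${efi_files[@]}" | head -1)` picks the .efi with the newest mtime, which is not necessarily the one BOOTX64.CSV names; the hunk prints the CSV but never consults it, so on a mismatch the verity addon is attached to a UKI that shim may not boot. The CSV is written as UCS-2 elsewhere in this series (`iconv -f ASCII -t UCS-2` in rhel10-dm-root.ks), so `cat mnt/EFI/redhat/BOOTX64.CSV` also prints NUL-interleaved text; decoding it with `iconv -f UCS-2 -t ASCII mnt/EFI/redhat/BOOTX64.CSV` and selecting the `.efi` in `$UKI_FOLDER` whose name it contains, exiting 1 when none matches, would make the choice deterministic and tied to the boot entry. create_uki_addon starts before this hunk.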
From: Snir Schreiber Date: Wed, 17 Dec 2025 15:29:31 +0200 Subject: [PATCH 02/13] konflux: verity: pick latest EFI file you need to make sure /boot/efi/EFI/redhat/BOOTX64.CSV points to the right one --- .tekton/build-dm-verity-image-debug.yaml | 26 ++++++++++++++----- .../0.1/build-dm-verity-image.yaml | 26 ++++++++++++++----- 2 files changed, 38 insertions(+), 14 deletions(-) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index d336ebf8..7698842c 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml @@ -321,15 +321,27 @@ spec: ADDON_NAME=verity.addon.efi mount /dev/$EFI_PN $temp_mount efi_files=($UKI_FOLDER/*.efi) - if [[ ${#efi_files[@]} -eq 1 && -f "${efi_files[0]}" ]]; then - UKI_NAME=${efi_files[0]} - echo "Found UKI $UKI_NAME" - mkdir -p "$UKI_NAME.extra.d" - else - echo "Error: Either no .efi file or multiple .efi files found." - echo "Cannot create the UKI addon." + # Check if any EFI files exist + if [[ ${#efi_files[@]} -eq 0 || ! -f "${efi_files[0]}" ]]; then + echo "Error: No .efi files found in $UKI_FOLDER" exit 1 fi + + # If multiple files, pick the most recent one + if [[ ${#efi_files[@]} -gt 1 ]]; then + echo "Found ${#efi_files[@]} EFI files: ${efi_files[@]}" + echo "" + echo "Current EFI fallback value (/boot/efi/EFI/redhat/BOOTX64.CSV):" + cat mnt/EFI/redhat/BOOTX64.CSV + echo "" + echo "Selecting the most recently modified UKI..." + UKI_NAME=$(ls -t "${efi_files[@]}" | head -1) + else + UKI_NAME=${efi_files[0]} + fi + + echo "Using UKI: $UKI_NAME" + mkdir -p "$UKI_NAME.extra.d" cd $UKI_NAME.extra.d rm -f $ADDON_NAME diff --git a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml index a6afb93d..01539896 100644 --- a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml +++ b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml 
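Review bot: `cat mnt/EFI/redhat/BOOTX64.CSV` in the multiple-files branch uses the mount point of the local verity.sh, but this step mounts the ESP with `mount /dev/$EFI_PN $temp_mount` two lines above, so the path does not exist here; it should be `cat "$temp_mount/EFI/redhat/BOOTX64.CSV"` (and `iconv -f UCS-2 -t ASCII` rather than `cat`, since the file is UCS-2). Whether this aborts the build or only prints an error depends on the step's shell options, which are outside the hunk. The identical line is added to task/build-dm-verity-image/0.1/build-dm-verity-image.yaml in the hunk on the next line.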
@@ -321,15 +321,27 @@ spec: ADDON_NAME=verity.addon.efi mount /dev/$EFI_PN $temp_mount efi_files=($UKI_FOLDER/*.efi) - if [[ ${#efi_files[@]} -eq 1 && -f "${efi_files[0]}" ]]; then - UKI_NAME=${efi_files[0]} - echo "Found UKI $UKI_NAME" - mkdir -p "$UKI_NAME.extra.d" - else - echo "Error: Either no .efi file or multiple .efi files found." - echo "Cannot create the UKI addon." + # Check if any EFI files exist + if [[ ${#efi_files[@]} -eq 0 || ! -f "${efi_files[0]}" ]]; then + echo "Error: No .efi files found in $UKI_FOLDER" exit 1 fi + + # If multiple files, pick the most recent one + if [[ ${#efi_files[@]} -gt 1 ]]; then + echo "Found ${#efi_files[@]} EFI files: ${efi_files[@]}" + echo "" + echo "Current EFI fallback value (/boot/efi/EFI/redhat/BOOTX64.CSV):" + cat mnt/EFI/redhat/BOOTX64.CSV + echo "" + echo "Selecting the most recently modified UKI..." + UKI_NAME=$(ls -t "${efi_files[@]}" | head -1) + else + UKI_NAME=${efi_files[0]} + fi + + echo "Using UKI: $UKI_NAME" + mkdir -p "$UKI_NAME.extra.d" cd $UKI_NAME.extra.d rm -f $ADDON_NAME From 2cd11999aee2c9d365b62ae79dd8325a52b19cc4 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Mon, 17 Nov 2025 13:43:05 +0200 Subject: [PATCH 03/13] helpers: make sure grub is removed correctly if grub2-tools-extra is missing it the command will fail --- helpers/rhel10-dm-root.ks | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/rhel10-dm-root.ks b/helpers/rhel10-dm-root.ks index 4106b30d..5d7000d3 100644 --- a/helpers/rhel10-dm-root.ks +++ b/helpers/rhel10-dm-root.ks 
@@ -105,7 +105,7 @@ touch /etc/kernel/install.d/50-dracut.install printf "shimx64.efi,redhat,\\\EFI\\\Linux\\\\"`cat /etc/machine-id`"-"`rpm -q --queryformat %{VERSION}-%{RELEASE} kernel-uki-virt`".x86_64.efi ,UKI bootentry\n" | iconv -f ASCII -t UCS-2 > /boot/efi/EFI/redhat/BOOTX64.CSV # remove 'standard' grub -rpm -e grub2-efi-x64 grub2-common grub2-tools grub2-tools-minimal grubby os-prober +rpm -e grub2-efi-x64 grub2-common grub2-tools grub2-tools-minimal grubby os-prober grub2-tools-extra # lock shim to the installed version yum versionlock add shim-x64 From 2a55cfdd6edaed44fb98b822d00cb352878c0bf1 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Wed, 17 Dec 2025 16:09:43 +0200 Subject: [PATCH 04/13] konflux: bump kernel version of the image --- .tekton/build-dm-verity-image-debug.yaml | 18 ++++++++++++++++++ .../0.1/build-dm-verity-image.yaml | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index 7698842c..d697c11f 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml @@ -24,6 +24,10 @@ spec: type: string description: The checksum to use for downloading the RHEL image default: edce2dd6f8e1d1b2ff0b204f89b0659bc9e320d175beb7caad60712957a19608 + - name: KERNEL_VERSION + type: string + description: The kernel version we update the stock one comes with the mentioned ISO + default: 6.12.0-124.21.1.el10_1 - default: redhat-api-secret description: Name of secret which contains the offline token for the Red Hat API name: REDHAT_OFFLINE_TOKEN_SECRET @@ -42,6 +46,8 @@ spec: value: $(params.OUTPUT_IMAGE) - name: ACTIVATION_KEY value: $(params.ACTIVATION_KEY) + - name: KERNEL_VERSION + value: $(params.KERNEL_VERSION) - name: BUILDAH_IMAGE value: 'registry.access.redhat.com/ubi9/buildah:9.5-1739778322' - name: SBOM_TYPE 
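Review bot: The description of the new KERNEL_VERSION parameter in the @@ -24 hunk, `The kernel version we update the stock one comes with the mentioned ISO`, reads as two sentences run together and does not say which value is expected. `The kernel version to install in the image, replacing the stock kernel shipped with the ISO` says the same thing plainly. The same string is added to task/build-dm-verity-image/0.1/build-dm-verity-image.yaml in the hunk on the next line.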
@@ -174,6 +180,8 @@ spec: time sudo podman exec -t --latest virt-install --virt-type qemu --cpu host-model --os-variant rhel10.0 --arch x86_64 --boot uefi --name disk --memory 8192 --location /workspace/rhel.iso --disk path=$DISK,format=qcow2,bus=scsi,size=7 --initrd-inject=/workspace/source/helpers/rhel10-dm-root.ks --nographics --extra-args 'console=ttyS0 inst.ks=file:/rhel10-dm-root.ks' --transient + time sudo podman exec -t --latest virt-customize --run /workspace/scripts/script-disk-mods.sh -a $DISK # disk modifications + time sudo podman exec -t --latest /workspace/scripts/script-podvm-maker.sh time sudo podman exec -t --latest virt-customize --root-password password:1234 -a $DISK # This is debug variant, setting root password @@ -196,6 +204,16 @@ spec: REMOTESSHEOF + cat >>scripts/script-disk-mods.sh < /boot/efi/EFI/redhat/BOOTX64.CSV + + REMOTESSHEOF + cat >>scripts/script-podvm-maker.sh <<'REMOTESSHEOF' #!/bin/bash set -ex diff --git a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml index 01539896..e5ec2816 100644 --- a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml +++ b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml @@ -24,6 +24,10 @@ spec: type: string description: The checksum to use for downloading the RHEL image default: edce2dd6f8e1d1b2ff0b204f89b0659bc9e320d175beb7caad60712957a19608 + - name: KERNEL_VERSION + type: string + description: The kernel version we update the stock one comes with the mentioned ISO + default: 6.12.0-124.21.1.el10_1 - default: redhat-api-secret description: Name of secret which contains the offline token for the Red Hat API name: REDHAT_OFFLINE_TOKEN_SECRET @@ -42,6 +46,8 @@ spec: value: $(params.OUTPUT_IMAGE) - name: ACTIVATION_KEY value: $(params.ACTIVATION_KEY) + - name: KERNEL_VERSION + value: $(params.KERNEL_VERSION) - name: BUILDAH_IMAGE value: 'registry.access.redhat.com/ubi9/buildah:9.5-1739778322' - name: SBOM_TYPE 
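Review bot: The here-doc that writes scripts/script-disk-mods.sh in the @@ -196 hunk appears to use an unquoted delimiter (its body is not legible in this rendering), unlike the `<<'REMOTESSHEOF'` used for script-podvm-maker.sh right after it. If the body carries the backtick `cat /etc/machine-id` and `rpm -q … kernel-uki-virt` substitutions of the local scripts/coco/podvm/script-disk-mods.sh, an unquoted delimiter runs them in the Tekton step container when the file is written, so the image's BOOTX64.CSV would name the build container's machine-id instead of the guest's. If only `$KERNEL_VERSION` needs to be expanded at write time, escape the backticks and `$` in the body, or substitute the version into a quoted here-doc with a separate line. The same applies to the @@ -194 hunk of task/build-dm-verity-image/0.1/build-dm-verity-image.yaml on the next line.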
@@ -174,6 +180,8 @@ spec: time sudo podman exec -t --latest virt-install --virt-type qemu --cpu host-model --os-variant rhel10.0 --arch x86_64 --boot uefi --name disk --memory 8192 --location /workspace/rhel.iso --disk path=$DISK,format=qcow2,bus=scsi,size=7 --initrd-inject=/workspace/source/helpers/rhel10-dm-root.ks --nographics --extra-args 'console=ttyS0 inst.ks=file:/rhel10-dm-root.ks' --transient + time sudo podman exec -t --latest virt-customize --run /workspace/scripts/script-disk-mods.sh -a $DISK # disk modifications + time sudo podman exec -t --latest /workspace/scripts/script-podvm-maker.sh # debug varient is being created at this point @@ -194,6 +202,17 @@ spec: "$BUILDAH_IMAGE" \ /script-push.sh $DISK $MEASUREMENTS + REMOTESSHEOF + + cat >>scripts/script-disk-mods.sh < /boot/efi/EFI/redhat/BOOTX64.CSV + + REMOTESSHEOF cat >>scripts/script-podvm-maker.sh <<'REMOTESSHEOF' From c6b502dccfc13bf8372f0abd0c9e041800cb69eb Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Wed, 17 Dec 2025 16:17:17 +0200 Subject: [PATCH 05/13] debug: fix: don't append newline to image digest result This causes the release pipeline to be unable to figure out which digest the sbom blob url is associated with. --- .tekton/build-dm-verity-image-debug.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index d697c11f..13f9ef84 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml 
@@ -431,7 +431,7 @@ spec: # Finally, record all that in our results echo -n "$OUTPUT_IMAGE" | tee /tekton-results/IMAGE_URL - echo $MANIFEST_DIGEST | tee /tekton-results/IMAGE_DIGEST + echo -n $MANIFEST_DIGEST | tee /tekton-results/IMAGE_DIGEST # Saving also these two output in one unique variable. This task is using a matrix reference. # Unfortunately it seems that in Tekton, when using a matrix, each task run is executed in isolation, # and result values can't be dynamically constructed or reused across matrix combinations. From 1993a87892e4b0ce4257000688e1d0e1e09211ed Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Thu, 18 Dec 2025 10:51:55 +0200 Subject: [PATCH 06/13] konflux: allow explicit registertion using subscription-manager for the disk modifications script --- .tekton/build-dm-verity-image-debug.yaml | 10 +++++++++- .../0.1/build-dm-verity-image.yaml | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index 13f9ef84..fe717ae9 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml @@ -168,6 +168,7 @@ spec: -v ${BUILD_DIR}:/workspace \ -v $(pwd)/output:/output \ -v /lib/modules:/lib/modules:ro,Z \ + -v $BUILD_DIR/activation-key/:/activation-key/:Z \ --user 0 \ --security-opt=apparmor=unconfined \ --security-opt=seccomp=unconfined \ 
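Review bot: `echo -n $MANIFEST_DIGEST` leaves the digest unquoted, so an empty or whitespace-containing value changes what reaches the result file; `printf '%s' "$MANIFEST_DIGEST" | tee /tekton-results/IMAGE_DIGEST` pins the exact bytes and avoids echo's option handling. The IMAGE_URL line above it has the same shape and could be written the same way.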
@@ -180,7 +181,14 @@ spec: time sudo podman exec -t --latest virt-install --virt-type qemu --cpu host-model --os-variant rhel10.0 --arch x86_64 --boot uefi --name disk --memory 8192 --location /workspace/rhel.iso --disk path=$DISK,format=qcow2,bus=scsi,size=7 --initrd-inject=/workspace/source/helpers/rhel10-dm-root.ks --nographics --extra-args 'console=ttyS0 inst.ks=file:/rhel10-dm-root.ks' --transient - time sudo podman exec -t --latest virt-customize --run /workspace/scripts/script-disk-mods.sh -a $DISK # disk modifications + # disk modifications in registered system + time sudo podman exec -t --latest virt-customize \ + --copy-in /activation-key:/tmp/ \ + --run-command "subscription-manager register --org \$(cat /tmp/activation-key/org) --activationkey \$(cat /tmp/activation-key/activationkey)" \ + --run /workspace/scripts/script-disk-mods.sh \ + --run-command "subscription-manager unregister" \ + --run-command "rm -rf /tmp/activation-key" \ + -a $DISK time sudo podman exec -t --latest /workspace/scripts/script-podvm-maker.sh diff --git a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml index e5ec2816..aa18f570 100644 --- a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml +++ b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml @@ -168,6 +168,7 @@ spec: -v ${BUILD_DIR}:/workspace \ -v $(pwd)/output:/output \ -v /lib/modules:/lib/modules:ro,Z \ + -v $BUILD_DIR/activation-key/:/activation-key/:Z \ --user 0 \ --security-opt=apparmor=unconfined \ --security-opt=seccomp=unconfined \ 
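Review bot: In the @@ -180 hunk the `subscription-manager unregister` and `rm -rf /tmp/activation-key` operations only run if every earlier virt-customize operation succeeds; virt-customize aborts at the first failing `--run`/`--run-command`, so a failure in script-disk-mods.sh leaves the org id and activation key under /tmp of the disk image and the image registered. Moving register, the script and the cleanup into one guest-side wrapper with `trap 'subscription-manager unregister; rm -rf /tmp/activation-key' EXIT`, or running the cleanup as a second `virt-customize --run-command … -a $DISK` that executes regardless of the first one's status, closes that window. Whether the step discards the disk when virt-customize fails is not visible here. The same sequence is added to task/build-dm-verity-image/0.1/build-dm-verity-image.yaml in the hunk on the next line.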
@@ -180,7 +181,14 @@ spec: time sudo podman exec -t --latest virt-install --virt-type qemu --cpu host-model --os-variant rhel10.0 --arch x86_64 --boot uefi --name disk --memory 8192 --location /workspace/rhel.iso --disk path=$DISK,format=qcow2,bus=scsi,size=7 --initrd-inject=/workspace/source/helpers/rhel10-dm-root.ks --nographics --extra-args 'console=ttyS0 inst.ks=file:/rhel10-dm-root.ks' --transient - time sudo podman exec -t --latest virt-customize --run /workspace/scripts/script-disk-mods.sh -a $DISK # disk modifications + # disk modifications in registered system + time sudo podman exec -t --latest virt-customize \ + --copy-in /activation-key:/tmp/ \ + --run-command "subscription-manager register --org \$(cat /tmp/activation-key/org) --activationkey \$(cat /tmp/activation-key/activationkey)" \ + --run /workspace/scripts/script-disk-mods.sh \ + --run-command "subscription-manager unregister" \ + --run-command "rm -rf /tmp/activation-key" \ + -a $DISK time sudo podman exec -t --latest /workspace/scripts/script-podvm-maker.sh From a643973843380dd5be129f6f71f6f1bff52a44a2 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Mon, 22 Dec 2025 09:42:13 +0200 Subject: [PATCH 07/13] konflux: bump base iso to RHEL 10.1 The rhel-10.1-x86_64-dvd.iso image sha256sum: 5925e05c32d8324a72e146a29293d60707571817769de73df63eab8dbd6d3196 (stock kernel: 6.12.0-124.8.1.el10_1) --- .tekton/build-dm-verity-image-debug.yaml | 2 +- task/build-dm-verity-image/0.1/build-dm-verity-image.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index fe717ae9..4877f2b4 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml 
@@ -23,7 +23,7 @@ spec: - name: RHEL_IMAGE_CHECKSUM type: string description: The checksum to use for downloading the RHEL image - default: edce2dd6f8e1d1b2ff0b204f89b0659bc9e320d175beb7caad60712957a19608 + default: 5925e05c32d8324a72e146a29293d60707571817769de73df63eab8dbd6d3196 - name: KERNEL_VERSION type: string description: The kernel version we update the stock one comes with the mentioned ISO diff --git a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml index aa18f570..1e0231eb 100644 --- a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml +++ b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml @@ -23,7 +23,7 @@ spec: - name: RHEL_IMAGE_CHECKSUM type: string description: The checksum to use for downloading the RHEL image - default: edce2dd6f8e1d1b2ff0b204f89b0659bc9e320d175beb7caad60712957a19608 + default: 5925e05c32d8324a72e146a29293d60707571817769de73df63eab8dbd6d3196 - name: KERNEL_VERSION type: string description: The kernel version we update the stock one comes with the mentioned ISO From a2f3a6031e6259c50d7ad320df4d9a0bb172c671 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Wed, 24 Dec 2025 12:59:32 +0200 Subject: [PATCH 08/13] konflux: adapt to the new Selinux equivalency rules of RHEL 10.1 --- .tekton/build-dm-verity-image-debug.yaml | 2 +- task/build-dm-verity-image/0.1/build-dm-verity-image.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/build-dm-verity-image-debug.yaml b/.tekton/build-dm-verity-image-debug.yaml index 4877f2b4..c2dda6b0 100644 --- a/.tekton/build-dm-verity-image-debug.yaml +++ b/.tekton/build-dm-verity-image-debug.yaml 
@@ -253,7 +253,7 @@ spec: dnf remove -y cloud-init WALinuxAgent # fixes a failure of the podns@netns service - semanage fcontext -a -t bin_t /usr/sbin/ip && restorecon -v /usr/sbin/ip + semanage fcontext -a -t bin_t /usr/bin/ip && restorecon -v /usr/sbin/ip # this will allow /run/issue and /run/issue.d to take precedence mv /etc/issue.d /usr/lib/issue.d || true diff --git a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml index 1e0231eb..5ee5462c 100644 --- a/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml +++ b/task/build-dm-verity-image/0.1/build-dm-verity-image.yaml @@ -254,7 +254,7 @@ spec: dnf remove -y cloud-init WALinuxAgent # fixes a failure of the podns@netns service - semanage fcontext -a -t bin_t /usr/sbin/ip && restorecon -v /usr/sbin/ip + semanage fcontext -a -t bin_t /usr/bin/ip && restorecon -v /usr/sbin/ip # this will allow /run/issue and /run/issue.d to take precedence mv /etc/issue.d /usr/lib/issue.d || true From 757e656a80249276612f923e6b4248cfbb6f201e Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Sun, 2 Nov 2025 14:59:42 +0200 Subject: [PATCH 09/13] local: allow explicit registertion using subscription-manager by exporting ORG_ID & ACTIVATION_KEY for example run --- Dockerfile | 7 ++----- example_run.sh | 16 ++++++++++------ scripts/coco/coco-components.sh | 8 +++++++- scripts/coco/podvm/podvm_maker.sh | 7 ++++++- 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2b4d71bf..29df4a53 100644 --- a/Dockerfile +++ b/Dockerfile 
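Review bot: In both hunks the fcontext rule now targets /usr/bin/ip while `restorecon -v /usr/sbin/ip` still names the old path; this presumably works only through the /usr/sbin equivalence the commit title mentions, and reads as a leftover. Using one path, `semanage fcontext -a -t bin_t /usr/bin/ip && restorecon -v /usr/bin/ip`, keeps the rule and the relabel consistent. The same pair is changed in scripts/coco/podvm/podvm_maker.sh in PATCH 11.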
@@ -1,15 +1,12 @@ FROM registry.access.redhat.com/ubi9/ubi:latest -ARG ORG_ID -ARG ACTIVATION_KEY - # This registering RHEL when building on an unsubscribed system # If you are running a UBI container on a registered and subscribed RHEL host, # the main RHEL Server repository is enabled inside the standard UBI container. # Provide the associated ARG variables to register. -RUN if [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]]; then \ +RUN --mount=type=secret,id=org_id --mount=type=secret,id=activation_key if [[ -f /run/secrets/org_id && -f /run/secrets/activation_key ]]; then \ rm -f /etc/rhsm-host && rm -f /etc/pki/entitlement-host; \ - subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}; \ + subscription-manager register --org=$(cat /run/secrets/org_id) --activationkey=$(cat /run/secrets/activation_key); \ fi RUN dnf -y update diff --git a/example_run.sh b/example_run.sh index 7291a8b6..ee052501 100755 --- a/example_run.sh +++ b/example_run.sh 
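Review bot: The `RUN --mount=type=secret` line keeps the org id and activation key out of the layer, but the registration it performs leaves the consumer identity certificate and key that `subscription-manager register` creates in that layer, so the built image carries a live registration unless a later layer (outside this hunk) runs `subscription-manager unregister` and `subscription-manager clean`. Doing the unregister in the final RUN of the file, after the dnf steps, keeps the identity out of the image as well. The `if [[ … ]]` relies on the image's /bin/sh being bash, which holds for ubi9 but is worth a comment.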
@@ -7,23 +7,26 @@ IMAGE_PRIVATE_KEY=$3 [[ -f $QCOW2 ]] || \ { printf "One or more required files are missing:\n\tQCOW2=$QCOW2\n "; exit 1; } -[[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && subscription=" --build-arg ORG_ID=${ORG_ID} --build-arg ACTIVATION_KEY=${ACTIVATION_KEY} " +[[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && echo "Subscription credentials has been found" && SM_SECRET_BUILD_CMD=" --secret=id=activation_key,env=ACTIVATION_KEY --secret=id=org_id,env=ORG_ID " + +sudo -E podman build -t coco-podvm \ + ${SM_SECRET_BUILD_CMD} \ + -f Dockerfile . || printf "\n\n!!! Faild to build coco-podvm, will used cached image if exist !!!\n" if [[ -n "${IMAGE_CERTIFICATE_PEM}" && -n "${IMAGE_PRIVATE_KEY}" ]]; then CERT_OPTIONS="-v $IMAGE_CERTIFICATE_PEM:/public.pem:ro,Z -v $IMAGE_PRIVATE_KEY:/private.key:ro,Z" fi -sudo podman build -t coco-podvm \ - ${subscription} \ - -f Dockerfile . - [[ -n "$ROOT_PASSWORD" ]] && run_extras+=" -e ROOT_PASSWORD=$ROOT_PASSWORD " -sudo podman run --rm \ +[[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && sudo -E podman secret create activation_key --env ACTIVATION_KEY && sudo -E podman secret create org_id --env ORG_ID && \ + SM_SECRET_RUN_CMD="--secret activation_key,type=env,target=ACTIVATION_KEY --secret org_id,type=env,target=ORG_ID " +sudo -E podman run --rm \ --privileged \ -v $QCOW2:/disk.qcow2 \ $CERT_OPTIONS \ -v /lib/modules:/lib/modules:ro,Z \ + ${SM_SECRET_RUN_CMD} \ --user 0 \ --security-opt=apparmor=unconfined \ --security-opt=seccomp=unconfined \ @@ -32,3 +35,4 @@ sudo podman run --rm \ $run_extras \ localhost/coco-podvm +[[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && sudo podman secret rm activation_key org_id diff --git a/scripts/coco/coco-components.sh b/scripts/coco/coco-components.sh index 755cdeab..da6c7bdc 100755 --- a/scripts/coco/coco-components.sh +++ b/scripts/coco/coco-components.sh 
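Review bot: The two podman secrets are removed only by the final `[[ … ]] && sudo podman secret rm activation_key org_id`, so if `podman run` fails or the script is interrupted the activation key stays in root's podman secret store; installing `trap 'sudo podman secret rm activation_key org_id >/dev/null 2>&1' EXIT` right after the creation line makes the cleanup unconditional. A stale secret from such a run also makes the next `podman secret create` fail, and because creation and `SM_SECRET_RUN_CMD=` are chained with `&&`, the container then silently runs unregistered. The message in the `||` branch has typos: `Faild` and `will used cached image if exist` should read `Failed` and `will use the cached image if it exists`.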
@@ -79,11 +79,17 @@ ls $ARTIFACTS_FOLDER echo "" EXTRA_ARGS="" +SM_REGISTER="" [[ -n "$ROOT_PASSWORD" ]] && EXTRA_ARGS=" --root-password password:${ROOT_PASSWORD} " -virt-customize \ +[[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && SM_REGISTER=(--run-command "subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}") || SM_REGISTER=() + +virt-customize --memsize 8192 \ + "${SM_REGISTER[@]}" \ --copy-in $ARTIFACTS_FOLDER/podvm-binaries.tar.gz:/tmp/ \ --copy-in $ARTIFACTS_FOLDER/pause-bundle.tar.gz:/tmp/ \ --copy-in $ARTIFACTS_FOLDER/luks-config.tar.gz:/tmp/ \ --run $ARTIFACTS_FOLDER/podvm_maker.sh \ ${EXTRA_ARGS} \ -a $INPUT_IMAGE + +[[ ${#SM_REGISTER[@]} -gt 0 ]] && virt-customize --memsize 8192 --run-command "subscription-manager unregister" -a $INPUT_IMAGE || true diff --git a/scripts/coco/podvm/podvm_maker.sh b/scripts/coco/podvm/podvm_maker.sh index 426fd5fd..c99ee065 100755 --- a/scripts/coco/podvm/podvm_maker.sh +++ b/scripts/coco/podvm/podvm_maker.sh @@ -1,6 +1,11 @@ #! /bin/bash -dnf config-manager --add-repo=https://mirror.stream.centos.org/10-stream/AppStream/x86_64/os/ && dnf install -y --nogpgcheck afterburn e2fsprogs && dnf clean all && dnf config-manager --set-disabled "*centos*" +if subscription-manager identity &>/dev/null; then + dnf install -y afterburn e2fsprogs && dnf clean all +else + dnf config-manager --add-repo=https://mirror.stream.centos.org/10-stream/AppStream/x86_64/os/ && dnf install -y --nogpgcheck afterburn e2fsprogs && dnf clean all && dnf config-manager --set-disabled "*centos*" +fi + cat < /etc/systemd/system/afterburn-checkin.service [Unit] ConditionKernelCommandLine= From c716ba29879304c8b0eedb17e901ef8c21e21141 Mon Sep 17 00:00:00 2001 
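Review bot: `SM_REGISTER=(--run-command "subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}")` places the activation key in virt-customize's argv on the host, where it is readable by any local user through the process table for the length of the run and may show up in virt-customize's own trace output. The .tekton variant in this series copies the credentials in as files and reads them inside the guest; the same `--copy-in` approach, or a `--run` wrapper that reads the key from a file, keeps it out of argv. `SM_REGISTER=""` followed by an array assignment, and the `[[ … ]] && SM_REGISTER=(…) || SM_REGISTER=()` form, would read more clearly as `SM_REGISTER=()` plus a plain `if`.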
From: Snir Schreiber Date: Tue, 30 Dec 2025 11:37:56 +0200 Subject: [PATCH 10/13] local: bump kernel version of the image (and ISO in use) KERNEL_VERSION 6.12.0-124.21.1.el10_1 To be used with RHEL 10.1 ISO: rhel-10.1-x86_64-dvd.iso image sha256sum: 5925e05c32d8324a72e146a29293d60707571817769de73df63eab8dbd6d3196 (stock kernel: 6.12.0-124.8.1.el10_1) --- example_run.sh | 2 +- scripts/coco/coco-components.sh | 1 + scripts/coco/podvm/script-disk-mods.sh | 8 ++++++++ 3 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 scripts/coco/podvm/script-disk-mods.sh diff --git a/example_run.sh b/example_run.sh index ee052501..c76735d5 100755 --- a/example_run.sh +++ b/example_run.sh @@ -1,6 +1,6 @@ #! /bin/bash -QCOW2=${1:-${QCOW2:-~/.local/share/libvirt/images/rhel10.0-created-ks.qcow2}} +QCOW2=${1:-${QCOW2:-~/.local/share/libvirt/images/rhel10.1-created-ks.qcow2}} IMAGE_CERTIFICATE_PEM=$2 IMAGE_PRIVATE_KEY=$3 diff --git a/scripts/coco/coco-components.sh b/scripts/coco/coco-components.sh index da6c7bdc..3d7aaf9e 100755 --- a/scripts/coco/coco-components.sh +++ b/scripts/coco/coco-components.sh @@ -85,6 +85,7 @@ SM_REGISTER="" virt-customize --memsize 8192 \ "${SM_REGISTER[@]}" \ + --run $ARTIFACTS_FOLDER/script-disk-mods.sh \ --copy-in $ARTIFACTS_FOLDER/podvm-binaries.tar.gz:/tmp/ \ --copy-in $ARTIFACTS_FOLDER/pause-bundle.tar.gz:/tmp/ \ --copy-in $ARTIFACTS_FOLDER/luks-config.tar.gz:/tmp/ \ diff --git a/scripts/coco/podvm/script-disk-mods.sh b/scripts/coco/podvm/script-disk-mods.sh new file mode 100644 index 00000000..c8bfd0af --- /dev/null +++ b/scripts/coco/podvm/script-disk-mods.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +set -ex + +export KERNEL_VERSION=6.12.0-124.21.1.el10_1 + +dnf install -y kernel-{uki-virt,modules,modules-extra}-${KERNEL_VERSION} +# Update shim fallback CSV to ensure Azure VM boots latest UKI (needed only when kernel is updated) +printf "shimx64.efi,redhat,\\\EFI\\\Linux\\\\"`cat /etc/machine-id`"-"`rpm -q --queryformat %{VERSION}-%{RELEASE}\\\n kernel-uki-virt | tail -1`".x86_64.efi ,UKI bootentry\n" | iconv -f ASCII -t UCS-2 > /boot/efi/EFI/redhat/BOOTX64.CSV From 04422c9da18950ab94d86cd4346ec1942b98879d Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Tue, 30 Dec 2025 11:41:44 +0200 Subject: [PATCH 11/13] local: adapt to the new Selinux equivalency rules of RHEL 10.1 --- scripts/coco/podvm/podvm_maker.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/coco/podvm/podvm_maker.sh b/scripts/coco/podvm/podvm_maker.sh index c99ee065..604f7ff7 100755 --- a/scripts/coco/podvm/podvm_maker.sh +++ b/scripts/coco/podvm/podvm_maker.sh @@ -24,8 +24,8 @@ tar -xzvf /tmp/luks-config.tar.gz -C / dnf remove -y cloud-init WALinuxAgent -# fixes a failure of the podns@netns service #TODO: still needed? -semanage fcontext -a -t bin_t /usr/sbin/ip && restorecon -v /usr/sbin/ip +# fixes a failure of the podns@netns service +semanage fcontext -a -t bin_t /usr/bin/ip && restorecon -v /usr/sbin/ip systemctl enable /etc/systemd/system/luks-scratch.service From 3cabc07c7efb10824d8e06c18992643e88d4a1c7 Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Wed, 3 Dec 2025 12:27:05 +0200 Subject: [PATCH 12/13] local: update default payload to 1.11.1 --- scripts/coco/coco-components.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/coco/coco-components.sh b/scripts/coco/coco-components.sh index 3d7aaf9e..160d864b 100755 --- a/scripts/coco/coco-components.sh +++ b/scripts/coco/coco-components.sh 
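Review bot: The CSV update rederives the kernel version with `rpm -q --queryformat … kernel-uki-virt | tail -1`, which relies on rpm's listing order rather than version order, even though the version just installed is already in `KERNEL_VERSION` two lines above. Replacing the `"-"` plus backtick `rpm -q … | tail -1` segment with `"-${KERNEL_VERSION}.x86_64.efi ,UKI bootentry\n"` makes the fallback entry match what dnf installed by construction and drops the nested backticks. The same query pattern appears in scripts/coco/podvm/podvm_nvidia_maker.sh in PATCH 13.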
@@ -5,9 +5,9 @@ INPUT_IMAGE=$1 SCRIPT_FOLDER=${SCRIPT_FOLDER:-$(dirname $0)} SCRIPT_FOLDER=$(realpath $SCRIPT_FOLDER) -PODVM_BINARY_DEF=quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-payload:osc-podvm-payload-on-push-rmvjh-build-image-index +PODVM_BINARY_DEF=quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-payload@sha256:b14cce805fe56da2fd4bb584b786be5f6b92eda87482dd7399ef84793f202684 PODVM_BINARY_LOCATION_DEF=/podvm-binaries.tar.gz -PAUSE_BUNDLE_DEF=quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-payload:osc-podvm-payload-on-push-rmvjh-build-image-index +PAUSE_BUNDLE_DEF=quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-payload@sha256:b14cce805fe56da2fd4bb584b786be5f6b92eda87482dd7399ef84793f202684 PAUSE_BUNDLE_LOCATION_DEF=/pause-bundle.tar.gz function local_help() From 3d8dafba5557e5689a79412e46bf23d48499c11c Mon Sep 17 00:00:00 2001 From: Snir Schreiber Date: Tue, 4 Nov 2025 11:53:19 +0200 Subject: [PATCH 13/13] local: nvidia driver installtion option by passing NVIDIA=true and subscription keys to be used with rhel-10.1-x86_64-dvd.iso image sha256sum: 5925e05c32d8324a72e146a29293d60707571817769de73df63eab8dbd6d3196 using the stock kernel (KERNEL_VERSION=6.12.0-124.21.1.el10_1) --- example_run.sh | 1 + scripts/coco/coco-components.sh | 1 + scripts/coco/podvm/podvm_nvidia_maker.sh | 59 ++++++++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100755 scripts/coco/podvm/podvm_nvidia_maker.sh diff --git a/example_run.sh b/example_run.sh index c76735d5..75a8bb15 100755 --- a/example_run.sh +++ b/example_run.sh 
@@ -18,6 +18,7 @@ if [[ -n "${IMAGE_CERTIFICATE_PEM}" && -n "${IMAGE_PRIVATE_KEY}" ]]; then fi [[ -n "$ROOT_PASSWORD" ]] && run_extras+=" -e ROOT_PASSWORD=$ROOT_PASSWORD " +[[ -n "$NVIDIA" ]] && run_extras+=" --env NVIDIA=${NVIDIA} " [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && sudo -E podman secret create activation_key --env ACTIVATION_KEY && sudo -E podman secret create org_id --env ORG_ID && \ SM_SECRET_RUN_CMD="--secret activation_key,type=env,target=ACTIVATION_KEY --secret org_id,type=env,target=ORG_ID " diff --git a/scripts/coco/coco-components.sh b/scripts/coco/coco-components.sh index 160d864b..acdaba9f 100755 --- a/scripts/coco/coco-components.sh +++ b/scripts/coco/coco-components.sh @@ -82,6 +82,7 @@ EXTRA_ARGS="" SM_REGISTER="" [[ -n "$ROOT_PASSWORD" ]] && EXTRA_ARGS=" --root-password password:${ROOT_PASSWORD} " [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]] && SM_REGISTER=(--run-command "subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY}") || SM_REGISTER=() +[[ -n "$NVIDIA" ]] && EXTRA_ARGS+=" --run $ARTIFACTS_FOLDER/podvm_nvidia_maker.sh " virt-customize --memsize 8192 \ "${SM_REGISTER[@]}" \ diff --git a/scripts/coco/podvm/podvm_nvidia_maker.sh b/scripts/coco/podvm/podvm_nvidia_maker.sh new file mode 100755 index 00000000..a335a97c --- /dev/null +++ b/scripts/coco/podvm/podvm_nvidia_maker.sh 
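Review bot: `[[ -n "$NVIDIA" ]] && EXTRA_ARGS+=" --run $ARTIFACTS_FOLDER/podvm_nvidia_maker.sh "` in the coco-components.sh hunk appends the NVIDIA script regardless of `SM_REGISTER`, while that script states it assumes a registered system and runs under `set -euo pipefail`, so without ORG_ID and ACTIVATION_KEY the virt-customize run aborts part-way through. Failing early with `[[ -n "$NVIDIA" && ${#SM_REGISTER[@]} -eq 0 ]] && { echo "NVIDIA=true requires ORG_ID and ACTIVATION_KEY" >&2; exit 1; }` gives a clear error before any image is touched.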
@@ -0,0 +1,59 @@ +#! /bin/bash +set -euo pipefail + +# this script assumes system is already registered with subscription-manager + +# Nvidia driver and configuration + +subscription-manager repos --enable=rhel-10-for-x86_64-supplementary-rpms +subscription-manager repos --enable=rhel-10-for-x86_64-extensions-rpms + +# update UKI +# make sure driver and kernel match +KERNEL_VERSION=`rpm -q --queryformat %{VERSION}-%{RELEASE}\\\n kernel-uki-virt | tail -1` +NVIDIA_DRIVER_VERSION=580.95.05 + +dnf install -y kernel-{uki-virt,modules,modules-extra}-${KERNEL_VERSION} +# Update shim fallback CSV to ensure Azure VM boots latest UKI (needed only when kernel is updated) +#printf "shimx64.efi,redhat,\\\EFI\\\Linux\\\\"`cat /etc/machine-id`"-"`rpm -q --queryformat %{VERSION}-%{RELEASE}\\\n kernel-uki-virt | tail -1`".x86_64.efi ,UKI bootentry\n" | iconv -f ASCII -t UCS-2 > /boot/efi/EFI/redhat/BOOTX64.CSV +dnf install -y nvidia-driver-${NVIDIA_DRIVER_VERSION} \ + nvidia-driver-cuda-${NVIDIA_DRIVER_VERSION} \ + nvidia-driver-libs-${NVIDIA_DRIVER_VERSION} \ + nvidia-persistenced-${NVIDIA_DRIVER_VERSION} \ + kmod-nvidia-open-${NVIDIA_DRIVER_VERSION}-${KERNEL_VERSION%.el*} +dnf config-manager --add-repo=https://nvidia.github.io/libnvidia-container/stable/rpm/nvidia-container-toolkit.repo +dnf install --repo nvidia-container-toolkit -y nvidia-container-toolkit +dnf clean all + +echo -e "blacklist nouveau\nblacklist nova_core" > /etc/modprobe.d/blacklist_nv_alt.conf +sed -i 's/^#no-cgroups = false/no-cgroups = true/' /etc/nvidia-container-runtime/config.toml + +cat << EOF > /usr/local/bin/generate-nvidia-cdi.sh +#!/bin/bash + +#load drivers +nvidia-ctk -d system create-device-nodes --control-devices --load-kernel-modules + +nvidia-persistenced +# set confidential compute to ready state +nvidia-smi conf-compute -srs 1 +# Generate NVIDIA CDI configuration +nvidia-ctk cdi generate --output=/var/run/cdi/nvidia.yaml > /var/log/nvidia-cdi-gen.log 2>&1 +EOF +chmod 755 
/usr/local/bin/generate-nvidia-cdi.sh + +cat < /etc/systemd/system/nvidia-cdi.service +[Unit] +Description=Generate NVIDIA CDI Configuration +Before=kata-agent.service + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/generate-nvidia-cdi.sh +RemainAfterExit=true + +[Install] +WantedBy=multi-user.target +EOF +chmod 644 /etc/systemd/system/nvidia-cdi.service +ln -s /etc/systemd/system/nvidia-cdi.service /etc/systemd/system/multi-user.target.wants/nvidia-cdi.service
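Review bot: `KERNEL_VERSION` is taken from `rpm -q … kernel-uki-virt | tail -1`, which depends on rpm's listing order rather than version order, and the following `dnf install -y kernel-{uki-virt,modules,modules-extra}-${KERNEL_VERSION}` then requests the version already found installed, so the `# update UKI` comment above it is misleading and the commented-out `#printf … BOOTX64.CSV` line is dead. If the intent is only to pin `kmod-nvidia-open` to the installed UKI, `KERNEL_VERSION=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' kernel-uki-virt | sort -V | tail -1)` states that, and the reinstall and dead line can go. Enabling the unit via `ln -s … multi-user.target.wants/…` also differs from the `systemctl enable` used for luks-scratch.service in podvm_maker.sh; `systemctl enable nvidia-cdi.service` would be consistent. The here-doc writing the service file is not legible in this rendering, so its delimiter and body were not reviewed.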