Add support for importing generic cloud images

***DEPENDS ON:***
containers#178

Downstream CI needs dictate early testing on new Fedora releases at the
Beta stage or earlier.  Unfortunately at the time of this commit, the
Fedora cloud-sig does not provide ready-made beta images in AWS EC2.

Add a new image-build stage called `import_images`, that takes care of
bringing the generic images into AWS.  Update the `base_images` stage
such that it will locate and use the imported images.  Unify all the
build-stage wrapper scripts into a single/common `ci/make.sh` wrapper.

Finally, make a few semi-related comment/readability improvements in
various places.

Signed-off-by: Chris Evich <[email protected]>

.cirrus.yml

@@ -32,6 +32,7 @@ validate_task:
         - "make clean"
         - "make help"
         - "make image_builder/gce.json"
+        - "make import_images/cloud.json"
         - "make base_images/cloud.json"
         - "make cache_images/cloud.json"
 
@@ -49,7 +50,7 @@ image_builder_task:
     auto_cancellation: $CI != "true"
     stateful: true
     timeout_in: 40m
-    container:
+    container: &image_builder_container
         dockerfile: "image_builder/Containerfile"
         cpu: 2
         memory: "2G"
@@ -60,8 +61,7 @@ image_builder_task:
       # Google Application Credentials (JSON) with access to create VM images
       GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
       AWS_SHARED_CREDENTIALS_FILE: notused
-
-    script: "ci/make_image_builder.sh"
+    script: "ci/make.sh image_builder"
     manifest_artifacts:
         path: image_builder/manifest.json
         type: application/json
@@ -133,14 +133,43 @@ tooling_images_task:
         fingerprint_key: "tooling-cache-version-1"
 
 
+import_images_task:
+    name: "Build VM import-images"
+    alias: "import_images"
+    only_if: *is_pr
+    skip: *ci_docs_tooling
+    depends_on:
+        - container_images
+        - image_builder
+    # Packer needs time to clean up partially created VM images
+    auto_cancellation: $CI != "true"
+    stateful: true
+    timeout_in: 30m
+    container: *image_builder_container
+    matrix:
+        - &import_image
+          name: "${PACKER_BUILDS} Import Image"
+          env:
+            PACKER_BUILDS: "fedora-aws"
+        - <<: *import_image
+          env:
+            PACKER_BUILDS: "fedora-aws-arm64"
+    env:
+      AWS_INI: &awsini ENCRYPTED[4cd69097cd29a9899e51acf3bbacceeb83cb5c907d272ca1e2a8ccd515b03f2368a0680870c0d120fc32bc578bb0a930]
+      GAC_JSON: &gacjson ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
+    script: "ci/make.sh import_images"
+    manifest_artifacts: &manifest_artifacts
+        path: import_images/manifest.json
+        type: application/json
+
+
 base_images_task:
     name: "Build VM Base-images"
     alias: "base_images"
     only_if: *is_pr
     skip: *ci_docs_tooling
     depends_on:
-        - container_images
-        - image_builder
+        - import_images
     # Packer needs time to clean up partially created VM images
     auto_cancellation: $CI != "true"
     stateful: true
@@ -170,12 +199,10 @@ base_images_task:
           env:
             PACKER_BUILDS: "ubuntu"
     env:
-      GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
-      AWS_INI: ENCRYPTED[4cd69097cd29a9899e51acf3bbacceeb83cb5c907d272ca1e2a8ccd515b03f2368a0680870c0d120fc32bc578bb0a930]
-    script: "ci/make_base_images.sh"
-    manifest_artifacts:
-        path: base_images/manifest.json
-        type: application/json
+      GAC_JSON: *gacjson
+      AWS_INI: *awsini
+    script: "ci/make.sh base_images"
+    manifest_artifacts: *manifest_artifacts
 
 
 cache_images_task:
@@ -228,10 +255,8 @@ cache_images_task:
     env:
       GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
       AWS_INI: ENCRYPTED[4cd69097cd29a9899e51acf3bbacceeb83cb5c907d272ca1e2a8ccd515b03f2368a0680870c0d120fc32bc578bb0a930]
-    script: "ci/make_cache_images.sh"
-    manifest_artifacts:
-        path: cache_images/manifest.json
-        type: application/json
+    script: "ci/make.sh cache_images"
+    manifest_artifacts: *manifest_artifacts
 
 
 # Test metadata addition to images (built or not) to ensure container functions
@@ -459,6 +484,7 @@ success_task:
         - image_builder
         - container_images
         - tooling_images
+        - import_images
         - base_images
         - cache_images
         - test_imgts

Makefile

@@ -85,8 +85,8 @@ export PACKER_CACHE_DIR = $(call err_if_empty,_TEMPDIR)
 override _fedora_release = $(call get_image_info,fedora.release)
 override _fedora_image_url = $(call get_image_info,fedora.image_url)
 override _fedora_csum_url = $(call get_image_info,fedora.csum_url)
-override _fedora_ami = $(call get_image_info,fedora.ami)
-override _fedora_arm64_ami = $(call get_image_info,fedora.arm64_ami)
+override _fedora_arm64_image_url = $(call get_image_info,fedora.arm64_image_url)
+override _fedora_arm64_csum_url = $(call get_image_info,fedora.arm64_csum_url)
 override _prior_fedora_release = $(call get_image_info,prior_fedora.release)
 override _prior_fedora_image_url = $(call get_image_info,prior_fedora.image_url)
 override _prior_fedora_csum_url = $(call get_image_info,prior_fedora.csum_url)
@@ -189,8 +189,8 @@ define packer_build
 		FEDORA_RELEASE="$(call err_if_empty,_fedora_release)" \
 		FEDORA_IMAGE_URL="$(call err_if_empty,_fedora_image_url)" \
 		FEDORA_CSUM_URL="$(call err_if_empty,_fedora_csum_url)" \
-		FEDORA_AMI="$(call err_if_empty,_fedora_ami)" \
-		FEDORA_ARM64_AMI="$(call err_if_empty,_fedora_arm64_ami)" \
+		FEDORA_ARM64_IMAGE_URL="$(call err_if_empty,_fedora_arm64_image_url)" \
+		FEDORA_ARM64_CSUM_URL="$(call err_if_empty,_fedora_arm64_csum_url)" \
 		PRIOR_FEDORA_RELEASE="$(call err_if_empty,_prior_fedora_release)" \
 		PRIOR_FEDORA_IMAGE_URL="$(call err_if_empty,_prior_fedora_image_url)" \
 		PRIOR_FEDORA_CSUM_URL="$(call err_if_empty,_prior_fedora_csum_url)" \
@@ -233,15 +233,21 @@ image_builder_debug: $(_TEMPDIR)/image_builder_debug.tar ## Build and enter cont
 $(_TEMPDIR)/image_builder_debug.tar: $(_TEMPDIR)/.cache/centos $(wildcard image_builder/*)
 	$(call podman_build,$@,image_builder_debug,image_builder,centos)
 
+.PHONY: import_images
+import_images: import_images/manifest.json ## Import generic Fedora cloud images into AWS EC2.
+
+import_images/manifest.json: import_images/cloud.json
+	$(call packer_build,import_images/cloud.json,$(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE))
+
 .PHONY: base_images
 # This needs to run in a virt/nested-virt capable environment
-base_images: base_images/manifest.json ## Create, prepare, and import base-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).
+base_images: base_images/manifest.json ## Create, prepare, and import base-level images into GCE.
 
 base_images/manifest.json: image_info.json base_images/cloud.json $(wildcard base_images/*.sh) cidata $(_TEMPDIR)/cidata.ssh $(PACKER_INSTALL_DIR)/packer
 	$(call packer_build,base_images/cloud.json)
 
 .PHONY: cache_images
-cache_images: cache_images/manifest.json ## Create, prepare, and import top-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).
+cache_images: cache_images/manifest.json ## Create, prepare, and import top-level images into GCE.
 cache_images/manifest.json: image_info.json cache_images/cloud.json $(wildcard cache_images/*.sh) $(PACKER_INSTALL_DIR)/packer
 	$(call packer_build,cache_images/cloud.json)
 
@@ -333,5 +339,5 @@ clean: ## Remove all generated files referenced in this Makefile
 	-rm -rf $(_TEMPDIR)
 	-rm -f image_info.json
 	-rm -f image_builder/*.json
-	-rm -f base_images/{*.json,cidata*,*-data}
+	-rm -f *_images/{*.json,cidata*,*-data}
 	-rm -f ci_debug.tar

base_images/cloud.yml

@@ -21,8 +21,6 @@ variables:  # Empty value means it must be passed in on command-line
     FEDORA_RELEASE: "{{env `FEDORA_RELEASE`}}"
     FEDORA_IMAGE_URL: "{{env `FEDORA_IMAGE_URL`}}"
     FEDORA_CSUM_URL: "{{env `FEDORA_CSUM_URL`}}"
-    FEDORA_AMI: "{{env `FEDORA_AMI`}}"
-    FEDORA_ARM64_AMI: "{{env `FEDORA_ARM64_AMI`}}"
 
     PRIOR_FEDORA_RELEASE: "{{env `PRIOR_FEDORA_RELEASE`}}"
     PRIOR_FEDORA_IMAGE_URL: "{{env `PRIOR_FEDORA_IMAGE_URL`}}"
@@ -108,8 +106,24 @@ builders:
     - &fedora-aws
       name: 'fedora-aws'
       type: 'amazon-ebs'
-      source_ami: '{{user `FEDORA_AMI`}}'
       instance_type: 'm5zn.metal'
+      source_ami_filter:  # Will fail if >1 or no AMI found
+        owners:
+            # Docs are wrong, specifying the Account ID required to make AMIs private.
+            # The Account ID is hard-coded here out of expediency, since passing in
+            # more packer args from the command-line (in Makefile) is non-trivial.
+            - &accountid '449134212816'
+        # It's necessary to 'search' for the base-image by these criteria.  If
+        # more than one image is found, Packer will fail the build (and display
+        # the conflicting AMI IDs).
+        filters: &ami_filters
+            architecture: 'x86_64'
+            image-type: 'machine'
+            is-public: 'false'
+            name: '{{build_name}}-i{{user `IMG_SFX`}}'
+            root-device-type: 'ebs'
+            state: 'available'
+            virtualization-type: 'hvm'
       # In case of packer problem or ungraceful exit, don't wait for shutdown.
       # This doesn't always work properly, sometimes leaving EC2 instances in
       # a 'stopped' instead of terminated state :(
@@ -120,7 +134,7 @@ builders:
       # Required for network access, must be the 'default' group used by Cirrus-CI
       security_group_id: "sg-042c75677872ef81c"
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image
-      ami_name: 'fedora-aws-b{{user `IMG_SFX`}}'
+      ami_name: &ami_name '{{build_name}}-b{{user `IMG_SFX`}}'
       ami_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
       ebs_optimized: true
       launch_block_device_mappings:
@@ -133,19 +147,17 @@ builders:
       tags: &awstags
         <<: *imgcpylabels
         # EC2 expects "Name" to be capitalized
-        Name: 'fedora-aws-b{{user `IMG_SFX`}}'
-        src: '{{user `FEDORA_AMI`}}'
+        Name: *ami_name
+        src: '{{.SourceAMI}}'
         automation: 'true'
         release: 'fedora-{{user `FEDORA_RELEASE`}}'
       run_tags: *awstags
       run_volume_tags: *awstags
       snapshot_tags: *awstags
-      # Docs are wrong, specifying the Account ID required to make AMIs private.
       # This is necessary for security - The CI service accounts are not permitted
-      # to use AMI's from any other account, including public ones.  The Account
-      # ID is hard-coded here out of expediency, since passing in more packer args
-      # from the command-line (in Makefile) is non-trivial.
-      ami_users: ["449134212816"]
+      # to use AMI's from any other account, including public ones.
+      ami_users:
+        - *accountid
       ssh_username: 'fedora'
       ssh_clear_authorized_keys: true
       # N/B: Required Packer >= 1.8.0
@@ -154,12 +166,15 @@ builders:
 
     - <<: *fedora-aws
       name: 'fedora-aws-arm64'
-      source_ami: '{{user `FEDORA_ARM64_AMI`}}'
+      source_ami_filter:
+        owners:
+            - *accountid
+        filters:
+            <<: *ami_filters
+            architecture: 'arm64'
       instance_type: 't4g.medium'  # arm64 type
-      ami_name: 'fedora-aws-arm64-b{{user `IMG_SFX`}}'  # must be unique
       tags: &awsarm64tags
         <<: *awstags
-        src: '{{user `FEDORA_ARM64_AMI`}}'
         arch: 'arm64'
       run_tags: *awsarm64tags
       run_volume_tags: *awsarm64tags
@@ -213,6 +228,7 @@ post-processors:
         only: ['prior-fedora']
         image_name: "prior-fedora-b{{user `IMG_SFX`}}"
         image_family: '{{build_name}}-base'
+        image_description: '{{user `PRIOR_FEDORA_IMAGE_URL`}}'
         image_labels:
           <<: *imgcpylabels
           src: 'fedoraproject'

ci/make_base_images.sh → ci/make.sh

@@ -1,9 +1,12 @@
 #!/bin/bash
 
+set -eo pipefail
+
 # This script is intended to be used by Cirrus-CI, from the VM
-# built by the 'image_builder' makefile target in this repo.  Use
-# of this script in any other context/environment is unlikely to
-# function as intended.
+# built by the 'image_builder' Makefile target in this repo.
+# It's purpose is simply to verify & configure the runtime
+# environment from data provided by CI, and call the make
+# with the first argument passed to this script.
 
 SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
@@ -17,17 +20,25 @@ if [[ -z "$CI" ]] || [[ "$CI" != "true" ]] || [[ "$CIRRUS_CI" != "$CI" ]]; then
     die "Unexpected \$CI=$CI and/or \$CIRRUS_CI=$CIRRUS_CI"
 elif [[ -z "$IMG_SFX" ]] || [[ -z "$PACKER_BUILDS" ]]; then
     die "Required non-empty values for \$IMG_SFX=$IMG_SFX and \$PACKER_BUILDS=$PACKER_BUILDS"
+elif [[ -z "$1" ]]; then
+    die "Build stage name is required as the first argument"
 fi
 
 if skip_on_pr_label; then
     exit 0  # skip build
 fi
 
-set_gac_filepath
-set_aws_filepath
+# In case we're running under -x, don't expose secret values
+if [[ "${#GAC_JSON}" -gt 0 ]]; then
+    set_gac_filepath
+fi
+
+if [[ "${#AWS_INI}" -gt 0 ]]; then
+    set_aws_filepath
+fi
 
-set -exo pipefail
+set -x
 cd "$REPO_DIRPATH"
 export IMG_SFX=$IMG_SFX
 export PACKER_BUILDS=$PACKER_BUILDS
-make base_images
+make ${1}

image_info.yml

@@ -2,19 +2,17 @@
 
 # Latest Fedora release (qcow and CHECKSUM) download URLs
 fedora:
-    release: "36"
-    image_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
-    csum_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
-    # AWS base image in 'US East (N. Virginia)' region
-    # from https://alt.fedoraproject.org/cloud
-    ami: "ami-08b7bda26f4071b80"
-    arm64_ami: "ami-01925eb0821988986"
+    release: "37"
+    image_url: "https://dl.fedoraproject.org/pub/fedora/linux/development/37/Cloud/x86_64/images/Fedora-Cloud-Base-37-20220825.n.0.x86_64.qcow2"
+    csum_url: "https://dl.fedoraproject.org/pub/fedora/linux/development/37/Cloud/x86_64/images/Fedora-Cloud-37-x86_64-20220825.n.0-CHECKSUM"
+    arm64_image_url: "https://dl.fedoraproject.org/pub/fedora/linux/development/37/Cloud/aarch64/images/Fedora-Cloud-Base-37-20220825.n.0.aarch64.qcow2"
+    arm64_csum_url: "https://dl.fedoraproject.org/pub/fedora/linux/development/37/Cloud/aarch64/images/Fedora-Cloud-37-aarch64-20220825.n.0-CHECKSUM"
 
 # Prior Fedora release (qcow and CHECKSUM) download URLs
 prior_fedora:
-    release: "35"
-    image_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-Base-35-1.2.x86_64.qcow2"
-    csum_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-35-1.2-x86_64-CHECKSUM"
+    release: "36"
+    image_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
+    csum_url: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
 
 # Upstream GCP image family name for Ubuntu image.
 ubuntu: