FIXME: A Better set of commits

containers · May 13, 2022 · af89840 · af89840
1 parent ae5289e
commit af89840
Show file tree

Hide file tree

Showing 13 changed files with 154 additions and 19 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -9,7 +9,7 @@ env:
     # No need to go crazy, but grab enough to cover most PRs
     CIRRUS_CLONE_DEPTH: 50
     # Version of packer to use when building images
-    PACKER_VERSION: &PACKER_VERSION "1.7.0"
+    PACKER_VERSION: &PACKER_VERSION "1.8.0"
     # Unique suffix label to use for all images produced by _this_ run (build)
     IMG_SFX: "${CIRRUS_BUILD_ID}"
 
@@ -154,6 +154,9 @@ base_images_task:
           name: "${PACKER_BUILDS} Base Image"
           env:
             PACKER_BUILDS: "fedora"
+        - <<: *base_image
+          env:
+            PACKER_BUILDS: "fedora-aws"
         - <<: *base_image
           env:
             PACKER_BUILDS: "prior-fedora"

diff --git a/Makefile b/Makefile
@@ -20,6 +20,10 @@ if_ci_else = $(if $(findstring true,$(CI)),$(1),$(2))
 # VM images, and storage objects.
 export GAC_FILEPATH
 
+# Ditto for AWS credentials (INI file) with access to create VMs and images.
+# ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where
+export AWS_SHARED_CREDENTIALS_FILE
+
 PACKER_LOG ?=
 # Uncomment the following to enable additional logging from packer.
 #override PACKER_LOG := 1
@@ -82,11 +86,13 @@ ci_debug: $(_TEMPDIR)/ci_debug.tar ## Build and enter container for local develo
 	/usr/bin/podman run -it --rm \
 		--security-opt label=disable \
 		-v $(_MKFILE_DIR):$(_MKFILE_DIR) -w $(_MKFILE_DIR) \
-		-v $(_TEMPDIR):$(_TEMPDIR):Z \
-		-v $(call err_if_empty,GAC_FILEPATH):$(GAC_FILEPATH):Z \
+		-v $(_TEMPDIR):$(_TEMPDIR) \
+		-v $(call err_if_empty,GAC_FILEPATH):$(GAC_FILEPATH) \
+		-v $(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE):$(AWS_SHARED_CREDENTIALS_FILE) \
 		-e PACKER_INSTALL_DIR=/usr/local/bin \
 		-e PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \
-		-e GAC_FILEPATH=$(call err_if_empty,GAC_FILEPATH) \
+		-e GAC_FILEPATH=$(GAC_FILEPATH) \
+		-e AWS_SHARED_CREDENTIALS_FILE=$(AWS_SHARED_CREDENTIALS_FILE) \
 		-e TEMPDIR=$(_TEMPDIR) \
 		docker-archive:$<
 
@@ -102,7 +108,7 @@ define podman_build
 	podman save --quiet -o $(1) $(2)
 endef
 
-$(_TEMPDIR)/ci_debug.tar: $(_TEMPDIR)/.cache/fedora ci/Containerfile ci/install_packages.txt ci/install_packages.sh lib.sh
+$(_TEMPDIR)/ci_debug.tar: $(_TEMPDIR)/.cache/fedora $(wildcard ci/*)
 	$(call podman_build,$@,ci_debug,ci,fedora)
 
 $(_TEMPDIR):
@@ -152,11 +158,12 @@ cidata: $(_TEMPDIR)/user-data $(_TEMPDIR)/meta-data
 
 define packer_build
 	env PACKER_CACHE_DIR="$(_TEMPDIR)" \
+		AWS_SHARED_CREDENTIALS_FILE="$(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE)" \
+		GAC_FILEPATH="$(call err_if_empty,GAC_FILEPATH)" \
 		CHECKPOINT_DISABLE=1 \
 			$(PACKER_INSTALL_DIR)/packer build \
 			-force \
 			-var TEMPDIR="$(_TEMPDIR)" \
-			-var GAC_FILEPATH="$(call err_if_empty,GAC_FILEPATH)" \
 			$(if $(PACKER_BUILDS),-only=$(PACKER_BUILDS)) \
 			$(if $(IMG_SFX),-var IMG_SFX=$(IMG_SFX)) \
 			$(if $(DEBUG_NESTED_VM),-var TTYDEV=$(shell tty),-var TTYDEV=/dev/null) \
@@ -177,24 +184,27 @@ image_builder/manifest.json: image_builder/gce.json image_builder/setup.sh lib.s
 image_builder_debug: $(_TEMPDIR)/image_builder_debug.tar ## Build and enter container for local development/debugging of targets requiring packer + virtualization
 	/usr/bin/podman run -it --rm \
 		--security-opt label=disable -v $$HOME:$$HOME -w $(_MKFILE_DIR) \
-		-v $(_TEMPDIR):$(_TEMPDIR):Z \
-		-v $(call err_if_empty,GAC_FILEPATH):$(GAC_FILEPATH):Z \
+		-v $(_TEMPDIR):$(_TEMPDIR) \
+		-v $(call err_if_empty,GAC_FILEPATH):$(GAC_FILEPATH) \
+		-v $(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE):$(AWS_SHARED_CREDENTIALS_FILE) \
 		-v /dev/kvm:/dev/kvm \
 		-e PACKER_INSTALL_DIR=/usr/local/bin \
 		-e PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \
 		-e IMG_SFX=$(call err_if_empty,IMG_SFX) \
-		-e GAC_FILEPATH=$(call err_if_empty,GAC_FILEPATH) \
+		-e GAC_FILEPATH=$(GAC_FILEPATH) \
+		-e AWS_SHARED_CREDENTIALS_FILE=$(AWS_SHARED_CREDENTIALS_FILE) \
 		docker-archive:$<
 
-$(_TEMPDIR)/image_builder_debug.tar: $(_TEMPDIR)/.cache/centos image_builder/Containerfile image_builder/install_packages.txt ci/install_packages.sh lib.sh
+$(_TEMPDIR)/image_builder_debug.tar: $(_TEMPDIR)/.cache/centos $(wildcard image_builder/*)
 	$(call podman_build,$@,image_builder_debug,image_builder,centos)
 
 .PHONY: base_images
 # This needs to run in a virt/nested-virt capable environment
 base_images: base_images/manifest.json ## Create, prepare, and import base-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).
 
-base_images/manifest.json: base_images/gce.json base_images/fedora_base-setup.sh cidata $(_TEMPDIR)/cidata.ssh $(PACKER_INSTALL_DIR)/packer
-	$(call packer_build,$<)
+base_images/manifest.json: base_images/gce.json base_images/aws.json base_images/fedora_base-setup.sh cidata $(_TEMPDIR)/cidata.ssh $(PACKER_INSTALL_DIR)/packer
+	$(call packer_build,base_images/gce.json)
+	$(call packer_build,base_images/aws.json)
 
 .PHONY: cache_images
 cache_images: cache_images/manifest.json ## Create, prepare, and import top-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).

diff --git a/base_images/aws.yml b/base_images/aws.yml
@@ -0,0 +1,83 @@
+---
+
+# All AMI's by default have an expiration date, after which they are
+# automatically deleted.  Since CI images may be in place and needed
+# for an extended period of time, a copy of the vendor image needs
+# to be produced such that we may dictate it's deprecation date and
+# lifecycle.  This is also a handy point at which to install some
+# fundimental tooling (like the common automation library).
+
+variables:  # Empty value means it must be passed in on command-line
+    # Naming suffix for images to prevent clashes (default to timestamp)
+    # N/B: There are length/character limitations in GCE for image names
+    IMG_SFX:
+
+    # Required for access to ssh key
+    TEMPDIR:
+
+    # BIG-FAT-WARNING:  When updating the base AMI below,
+    # ensure the distro version numbers contained in the `podman/*_release`
+    # files exactly match.  These represent the container base-image tags
+    # to build from - just as the sources below are the base-images to
+    # start from building VM images.
+
+    # Upstream base image in 'US East (N. Virginia)' region
+    # from https://alt.fedoraproject.org/cloud
+    FEDORA_BASE_AMI: "ami-08b7bda26f4071b80"
+
+builders:
+    # ref: https://www.packer.io/plugins/builders/amazon/ebs
+    - name: 'fedora-aws'
+      type: 'amazon-ebs'
+      source_ami: '{{user `FEDORA_BASE_AMI`}}'
+      instance_type: 'm5zn.metal'
+      force_deregister: true
+      force_delete_snapshot: true
+      security_group_id: "sg-042c75677872ef81c"
+      # Prefix IMG_SFX with "b" so this is never confused with a cache_image
+      ami_name: '{{build_name}}-b{{user `IMG_SFX`}}'
+      ami_description: 'Built in https://cirrus-ci.com/build/{{user `IMG_SFX`}}'
+      tags: &tags
+        name: '{{build_name}}-b{{user `IMG_SFX`}}'
+        sfx: '{{user `IMG_SFX`}}'
+        src: '{{user `FEDORA_BASE_AMI`}}'
+        automation: 'true'
+      run_tags: *tags
+      run_volume_tags: *tags
+      snapshot_tags: *tags
+      ami_groups: "all"
+      launch_block_device_mappings:
+        - device_name: '/dev/sda1'
+          volume_size: 20
+          volume_type: 'gp2'
+          delete_on_termination: true
+      # In case of packer problem or ungraceful exit, don't wait for shutdown.
+      shutdown_behavior: 'terminate'
+      ssh_username: 'fedora'
+      ssh_clear_authorized_keys: true
+      # N/B: Required Packer >= 1.8.0
+      # https://github.com/hashicorp/packer/issues/10074#issuecomment-1070469367
+      temporary_key_pair_type: 'ed25519'
+
+provisioners:
+    - type: 'shell'
+      inline:
+        - 'set -e'
+        - 'mkdir -p /tmp/automation_images'
+
+    - type: 'file'
+      source: '{{ pwd }}/'
+      destination: '/tmp/automation_images/'
+
+    - type: 'shell'
+      inline:
+        - 'set -e'
+        - '/bin/bash /tmp/automation_images/base_images/fedora_base-setup.sh'
+
+post-processors:
+    # Must be double-nested to guarantee execution order
+    - - type: 'manifest'
+        output: 'base_images/manifest.json'  # Collected by Cirrus-CI
+        strip_path: true
+        custom_data:
+            IMG_SFX: '{{ user `IMG_SFX` }}'
diff --git a/base_images/fedora_base-setup.sh b/base_images/fedora_base-setup.sh
@@ -28,6 +28,9 @@ if ((CONTAINER)); then
         XSELINUX="--exclude=selinux*"
     fi
 else
+    # FIXME: if $PACKER_BUILD_NAME name contains 'aws' then install/update
+    # https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html
+    # otherwise install the google goodies.
     PKGS+=(google-compute-engine-oslogin)
     if ((OS_RELEASE_VER<35)); then
         PKGS+=(google-compute-engine-tools)

diff --git a/base_images/gce.yml b/base_images/gce.yml
@@ -6,7 +6,7 @@ variables:  # Empty value means it must be passed in on command-line
     # Pre-existing google storage bucket w/ very short lifecycle enabled
     XFERBUCKET: "packer-import"
     # Required path to service account credentials file
-    GAC_FILEPATH:
+    GAC_FILEPATH: "{{env `GAC_FILEPATH`}}"
     # Required for presenting output from qemu builders
     TTYDEV:
     # Required for 'make clean' support and not clobbering a memory-backed /tmp

diff --git a/cache_images/gce.yml b/cache_images/gce.yml
@@ -4,7 +4,7 @@ variables:
     # GCE Project ID where images will be produced
     GCP_PROJECT_ID: "libpod-218412"
     # Required path to service account credentials file
-    GAC_FILEPATH:
+    GAC_FILEPATH: "{{env `GAC_FILEPATH`}}"
     # For produced images
     IMG_SFX: '{{ timestamp }}'
 

diff --git a/image_builder/install_packages.sh b/image_builder/install_packages.sh
@@ -35,4 +35,11 @@ if (("${CONTAINER:-0}")); then
     dnf autoremove -y
 fi
 
+cd /tmp
+curl --location --fail -O \
+        "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+unzip awscli-exe-linux-x86_64.zip
+./aws/install
+rm -rf /tmp/aws*
+
 install_automation_tooling
diff --git a/image_builder/install_packages.txt b/image_builder/install_packages.txt
@@ -1,12 +1,14 @@
-buildah
 bash-completion
+buildah
 curl
 findutils
 gawk
 genisoimage
 git
 google-cloud-sdk
+groff-base
 jq
+less
 libvirt
 libvirt-admin
 libvirt-client

diff --git a/imgobsolete/Containerfile b/imgobsolete/Containerfile
@@ -3,7 +3,8 @@ FROM imgts:latest
 COPY /imgobsolete/entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod 755 /usr/local/bin/entrypoint.sh
 
-# These are only needed by imgts
+# These are only needed by imgts, but AWSINI is required
 ENV IMGNAMES="" \
     BUILDID="" \
-    REPOREF=""
+    REPOREF="" \
+    AWSINI="__unknown__"
diff --git a/imgobsolete/entrypoint.sh b/imgobsolete/entrypoint.sh
@@ -11,7 +11,7 @@ set -e
 # shellcheck source=imgts/lib_entrypoint.sh
 source /usr/local/bin/lib_entrypoint.sh
 
-req_env_var GCPJSON GCPNAME GCPPROJECT
+req_env_var GCPJSON GCPNAME GCPPROJECT AWSINI
 
 gcloud_init
 

diff --git a/imgts/Containerfile b/imgts/Containerfile
@@ -5,7 +5,16 @@ COPY /imgts/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo
 RUN dnf -y --setopt=keepcache=true update && \
     dnf -y --setopt=keepcache=true install epel-release python3 && \
     dnf -y --setopt=keepcache=true --exclude=google-cloud-sdk-366.0.0-1 \
-        install google-cloud-sdk
+        install google-cloud-sdk && \
+    dnf -y --setopt=keepcache=true install curl glibc groff-base less unzip
+
+# https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+RUN cd /tmp && \
+    curl --location --fail -O \
+        "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
+    unzip awscli-exe-linux-x86_64.zip && \
+    ./aws/install && \
+    rm -rf /tmp/aws*
 
 # These all represent required variables which must be set by caller
 ENV GCPJSON="__unknown__" \

diff --git a/imgts/entrypoint.sh b/imgts/entrypoint.sh
@@ -4,6 +4,9 @@
 # entrypoint. It's purpose is to operate on a list of VM Images, adding
 # metadata to each.  It must be executed alongside any repository's
 # automation, which produces or uses GCP VM Images.
+#
+# N/B: Timestamp updating is not required for AWS EC2 images as they
+# have a 'LastLaunchedTime' attribute which is updated automatically.
 
 set -e
 

diff --git a/imgts/lib_entrypoint.sh b/imgts/lib_entrypoint.sh
@@ -9,6 +9,8 @@ SENTINEL="__unknown__"  # default set in dockerfile
 # Disable all input prompts
 # https://cloud.google.com/sdk/docs/scripting-gcloud
 GCLOUD="gcloud --quiet"
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-options.html#cli-configure-options-list
+AWS="aws --cli-connect-timeout 30 --cli-read-timeout 30 --no-cli-auto-prompt --no-cli-pager --no-paginate"
 
 die() {
     EXIT=$1
@@ -50,11 +52,23 @@ gcloud_init() {
         # shellcheck disable=SC2154
         echo "$GCPJSON" > $TMPF
     fi
+    unset GCPJSON
     # Required variable must be set by caller
     # shellcheck disable=SC2154
     $GCLOUD auth activate-service-account --project="$GCPPROJECT" --key-file="$TMPF" || \
         die 5 "Authentication error, please verify \$GCPJSON contents"
     rm -f $TMPF &> /dev/null || true  # ignore any read-only error
+    trap - EXIT
+}
+
+aws_init() {
+    req_env_var AWSINI
+    set +xe
+    mkdir $HOME/.aws
+    # shellcheck disable=SC2154
+    echo "$AWSINI" > $HOME/.aws/config
+    unset AWSINI
+    ln -s $HOME/.aws/config $HOME/.aws/credentials
 }
 
 # Obsolete and Prune search-loops runs in a sub-process,