From 4f9197d50261fac2e21f69dbe13769f7cbcf5504 Mon Sep 17 00:00:00 2001
From: Jan Schintag
Date: Tue, 24 Jan 2023 11:27:48 +0100
Subject: [PATCH] Add files and services to initialize secex-data volume

Add a script to initialize secex-data volume during installation. This is achieved by having the tarball stored on a second disk. Also run a podman container that mounts the volume to keep it from being pruned. See: https://github.com/containers/podman/issues/17051

Signed-off-by: Jan Schintag
---
 .../coreos-s390x-rhcos-builder.bu | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)

diff --git a/multi-arch-builders/coreos-s390x-rhcos-builder.bu b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
index 0fb0fb861..c863a7a95 100644
--- a/multi-arch-builders/coreos-s390x-rhcos-builder.bu
+++ b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
@@ -3,6 +3,7 @@
 # - Merge in the builder-common.ign Ignition file
 # - Allow the builder user to log in with the associated ssh key
 # - Set a hostname
+# - Create and initialize the secex-data volume
 #
 variant: fcos
 version: 1.4.0
@@ -14,3 +15,89 @@ kernel_arguments:
 should_exist:
 # enables Secure Execution Host
 - prot_virt=1
+systemd:
+ units:
+ - name: secex-data-volume.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Create secex-data volume
+ [Service]
+ Type=oneshot
+ ExecStart=/home/core/create-secex-data.sh
+ [Install]
+ WantedBy=multi-user.target
+storage:
+ directories:
+ - path: /home/builder/.config/systemd/user/default.target.wants
+ user:
+ name: builder
+ group:
+ name: builder
+ files:
+ - path: /home/core/create-secex-data.sh
+ mode: 0744
+ user:
+ name: core
+ group:
+ name: core
+ contents:
+ inline: |
+ #!/bin/bash
+
+ set -e
+
+ DISK_PART="/dev/disk/by-partuuid/80442b5f-01"
+ DISK_FCP="0.0.a800"
+ DISK_WWWN="0x5005076810154e60"
+ DISK_LUN="0x0000000000000000"
+ MNTP="/mnt/secex-data"
+ TARBALL="secex.tar"
+
+ if ! $(whoami | grep -q "root"); then
+ echo "This script must be run as root"
+ exit 1
+ fi
+
+ if ! $(lszdev | grep -q "${DISK_LUN}"); then
+ echo "Adding LUN to system"
+ echo "${DISK_LUN}" > /sys/bus/ccw/drivers/zfcp/${DISK_FCP}/${DISK_WWWN}/unit_add
+ fi
+
+ if ! $(mountpoint -q "${MNTP}"); then
+ echo "Mounting disk"
+ mkdir -p "${MNTP}"
+ mount "${DISK_PART}" "${MNTP}"
+ fi
+
+ echo "Copying tarball from disk to builder"
+ cp "${MNTP}/${TARBALL}" "/var/home/builder/${TARBALL}"
+ chown builder:builder "/var/home/builder/${TARBALL}"
+
+ if ! $(sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume list" | grep -q secex-data); then
+ echo "Creating volume secex-data"
+ sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume create --label=persistent secex-data"
+ fi
+
+ echo "Importing tarball into volume"
+ sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume import secex-data /var/home/builder/${TARBALL}"
+ - path: /home/builder/.config/systemd/user/secex-data-keepalive.service
+ mode: 0644
+ user:
+ name: builder
+ group:
+ name: builder
+ contents:
+ inline: |
+ [Unit]
+ Description=Run keepalive container for secex-data volume. See: https://github.com/containers/podman/issues/17051
+ [Service]
+ Type=oneshot
+ ExecStart=podman run -d --replace --name secex-data-keepalive -v secex-data:/data.secex:ro registry.fedoraproject.org/fedora:36 sleep infinity
+ links:
+ - path: /home/builder/.config/systemd/user/default.target.wants/secex-data-keepalive.service
+ target: /home/builder/.config/systemd/user/secex-data-keepalive.service
+ user:
+ name: builder
+ group:
+ name: builder
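Review bot: secex-data-volume.service has no guard against re-running, so create-secex-data.sh re-copies the tarball and runs `podman volume import` on every boot rather than once at installation as the commit message describes, overwriting whatever the volume holds at that point; a stamp file checked from the unit, e.g. `ConditionPathExists=!<STAMP_FILE>` under [Unit] with the script touching that file as its last step, would make it genuinely one-shot. The `if ! $(cmd)` form used for the whoami, lszdev, mountpoint and podman checks only works because bash returns the status of the last command substitution when the expansion is empty; write `if ! whoami | grep -q root; then` (or better `if [ "$(id -u)" -ne 0 ]; then`, which also avoids matching any user name containing "root") and the same shape for the other three. The builder user's keepalive unit is not ordered after the system service, so if the user session starts first, `podman run -v secex-data:/data.secex:ro` presumably creates an empty volume without the `persistent` label that the script's `grep -q secex-data` check then treats as already existing. Pinning `registry.fedoraproject.org/fedora:36` by digest would keep the keepalive image from changing underneath the builder.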