From ad65ca85636cc4b5ea563c02221a5681d3049e16 Mon Sep 17 00:00:00 2001
From: Jan Schintag
Date: Wed, 28 Sep 2022 13:30:33 +0200
Subject: [PATCH 1/2] s390x: Add builder config for RHCOS

Add the builder config for the s390x RHCOS builder.

Signed-off-by: Jan Schintag
---
 multi-arch-builders/builder-common.bu | 1 +
 multi-arch-builders/coreos-s390x-rhcos-builder.bu | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 multi-arch-builders/coreos-s390x-rhcos-builder.bu

diff --git a/multi-arch-builders/builder-common.bu b/multi-arch-builders/builder-common.bu
index b2c062e38..0a1db0c76 100644
--- a/multi-arch-builders/builder-common.bu
+++ b/multi-arch-builders/builder-common.bu
@@ -20,6 +20,7 @@ passwd:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1IXvPWcfgEVhRCwZe5WZNemqsEL8zGUfKdoCA5ZSR557Oi/TnL/3v+oLvH1o2iKo69D/7nkSjP+PuHkjEBtyG7riIpTmsRsRNwJcMXS+wl3iWw855Bl97S1D9krY3D1szF0CI9E57EgDwccmAHixQMrFrzG3OBttzawhI2y74QdcGeJtIa/kENIziInM/sPwPL9M6eKeQjuMyb6ZyvkgaQlr7PJrHqs3Y0j6RFa/ns2ViOSZYIj0VxNy+hiTbCWnbE6qpzJJysB3YinwStmotrPk33XgBpDdEunhrEywk7eAc1ZoFvmVtYR/CcDktpAz9VhjQEz43nE6pZc0fjjGb jlebon@lux
 - ssh-rsa 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 kevins-yubikey@scrye.com
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgBv89yZuWD1AfOi+3CGI7FWawpwYQVrxLCjfxPnP7KjEGGAHGsorce5XGNu1W57ND8HrdLyQf4SLfHAwVyRvRfIf8NzakUuxR4khHCpxE+F8ByTyg23Y17DkfBM/RCXcdMU1vvDkfCdsVMOY8KKhLL412560KfxQhQBKsCmssMZQ4Ii5b18cJfbwk+JnNC0fRiV/h2qrOsRQ7XvJynHHxMfqfih3BLnVo83FSf3G7T9LwpS7BQK4BsO14ahztMXxkU7j+ZdRd3+gUK3L9E0Y/fdtrMXgnG6OphkFEGTY7hlpV9Ppr7t5mDDl6LPMDWpWaZ0xz61IqKbrjXVPv63xF ravanelli@renatas-air.br.ibm.com
+ - ssh-rsa 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 jan.schintag@de.ibm.com
 kernel_arguments:
 should_exist:
 - mitigations=off
diff --git a/multi-arch-builders/coreos-s390x-rhcos-builder.bu b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
new file mode 100644
index 000000000..ddf3d16ee
--- /dev/null
+++ b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
@@ -0,0 +1,15 @@
+# This butane config will do the following:
+#
+# - Merge in the coreos-s390x-builder.ign Ignition file
+# - Enable the Secure Execution Host
+#
+variant: fcos
+version: 1.4.0
+ignition:
+ config:
+ merge:
+ - local: coreos-s390x-builder.ign
+kernel_arguments:
+ should_exist:
+ # enables Secure Execution Host
+ - prot_virt=1
From 07254254389f2e53a3dfd40c7bcf20920fcbff9f Mon Sep 17 00:00:00 2001
From: Jan Schintag
Date: Tue, 24 Jan 2023 11:27:48 +0100
Subject: [PATCH 2/2] Add files and services to initialize secex-data volume

Add a script to initialize secex-data volume during installation. This is achieved by having the tarball stored on a second disk. Also run a podman container that mounts the volume to keep it from being pruned. See: https://github.com/containers/podman/issues/17051

Signed-off-by: Jan Schintag
---
 .../coreos-s390x-rhcos-builder.bu | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/multi-arch-builders/coreos-s390x-rhcos-builder.bu b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
index ddf3d16ee..ddbc112de 100644
--- a/multi-arch-builders/coreos-s390x-rhcos-builder.bu
+++ b/multi-arch-builders/coreos-s390x-rhcos-builder.bu
@@ -2,6 +2,8 @@
 #
 # - Merge in the coreos-s390x-builder.ign Ignition file
 # - Enable the Secure Execution Host
+# - Create and initialize the secex-data volume
+# - Run keepalive container for secex-data volume. See: https://github.com/containers/podman/issues/17051
 #
 variant: fcos
 version: 1.4.0
@@ -13,3 +15,89 @@ kernel_arguments:
 should_exist:
 # enables Secure Execution Host
 - prot_virt=1
+systemd:
+ units:
+ - name: secex-data-volume.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Create secex-data volume
+ [Service]
+ Type=oneshot
+ ExecStart=/home/core/create-secex-data.sh
+ [Install]
+ WantedBy=multi-user.target
+storage:
+ directories:
+ - path: /home/builder/.config/systemd/user/default.target.wants
+ user:
+ name: builder
+ group:
+ name: builder
+ files:
+ - path: /home/core/create-secex-data.sh
+ mode: 0744
+ user:
+ name: core
+ group:
+ name: core
+ contents:
+ inline: |
+ #!/bin/bash
+
+ set -e
+
+ DISK_PART="/dev/disk/by-partuuid/80442b5f-01"
+ DISK_FCP="0.0.a800"
+ DISK_WWWN="0x5005076810154e60"
+ DISK_LUN="0x0000000000000000"
+ MNTP="/mnt/secex-data"
+ TARBALL="secex.tar"
+
+ if ! $(whoami | grep -q "root"); then
+ echo "This script must be run as root"
+ exit 1
+ fi
+
+ if ! $(lszdev | grep -q "${DISK_LUN}"); then
+ echo "Adding LUN to system"
+ echo "${DISK_LUN}" > /sys/bus/ccw/drivers/zfcp/${DISK_FCP}/${DISK_WWWN}/unit_add
+ fi
+
+ if ! $(mountpoint -q "${MNTP}"); then
+ echo "Mounting disk"
+ mkdir -p "${MNTP}"
+ mount "${DISK_PART}" "${MNTP}"
+ fi
+
+ echo "Copying tarball from disk to builder"
+ cp "${MNTP}/${TARBALL}" "/var/home/builder/${TARBALL}"
+ chown builder:builder "/var/home/builder/${TARBALL}"
+
+ if ! 
$(sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume list" | grep -q secex-data); then
+ echo "Creating volume secex-data"
+ sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume create --label=persistent secex-data"
+ fi
+
+ echo "Importing tarball into volume"
+ sudo -u builder -H /bin/bash -c "cd /var/home/builder; podman volume import secex-data /var/home/builder/${TARBALL}"
+ - path: /home/builder/.config/systemd/user/secex-data-keepalive.service
+ mode: 0644
+ user:
+ name: builder
+ group:
+ name: builder
+ contents:
+ inline: |
+ [Unit]
+ Description=Run keepalive container for secex-data volume. See: https://github.com/containers/podman/issues/17051
+ [Service]
+ Type=oneshot
+ ExecStart=podman run -d --replace --name secex-data-keepalive -v secex-data:/data.secex:ro registry.fedoraproject.org/fedora:36 sleep infinity
+ links:
+ - path: /home/builder/.config/systemd/user/default.target.wants/secex-data-keepalive.service
+ target: /home/builder/.config/systemd/user/secex-data-keepalive.service
+ user:
+ name: builder
+ group:
+ name: builder
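Review bot: The script at `/home/core/create-secex-data.sh` is installed with `user: core` / `group: core` and `mode: 0744`, yet `secex-data-volume.service` executes it as root on every boot, so anything able to write as the core user can change what root runs; install it root-owned instead (`name: root` under both `user:` and `group:`, or a path under `/usr/local/bin`) with `mode: 0744` or `0755` and point `ExecStart` at it. The three guards of the form `if ! $(whoami | grep -q "root"); then` rely on bash's rule that a command consisting only of a substitution takes that substitution's exit status, and would run grep's output as a command if `-q` were ever dropped; the plain forms are `if [ "$(id -u)" -ne 0 ]; then`, `if ! lszdev | grep -q "${DISK_LUN}"; then` and `if ! mountpoint -q "${MNTP}"; then` (likewise for the `podman volume list` check later in the same script). Two smaller points: the copy of `secex.tar` left in `/var/home/builder` after `podman volume import` is presumably Secure Execution data and could be removed once imported, and the keepalive image `registry.fedoraproject.org/fedora:36` is pulled by a mutable tag rather than a digest.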