examples/nofsverity: add example without fsverity

Signed-off-by: Sanne Raymaekers <[email protected]>

Author: croissanne

examples/nofsverity/Containerfile.arch

@@ -0,0 +1,35 @@
+FROM archlinux AS base
+COPY extra /
+RUN <<EOF
+    set -eux
+
+    touch /etc/machine-id
+    mkdir -p boot/EFI/Linux
+
+    pacman -Syu --noconfirm
+    pacman -Sy --noconfirm \
+        composefs \
+        dosfstools \
+        linux \
+        openssh \
+        strace \
+        skopeo
+
+    systemctl enable systemd-networkd systemd-resolved sshd
+    passwd -d root
+    mkdir /sysroot
+EOF
+COPY cfsctl /usr/bin
+
+FROM base AS kernel
+ARG COMPOSEFS_FSVERITY
+RUN <<EOF
+    set -eux
+    # systemd-boot-unsigned: ditto
+    echo "root=/dev/vda2 console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline
+    pacman -Sy --noconfirm systemd-ukify
+    mkinitcpio -p linux
+EOF
+
+FROM base AS bootable
+COPY --from=kernel /boot /boot

examples/nofsverity/build

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -eux
+
+os="${1:-fedora}"
+cd "${0%/*}"
+
+FIX_VERITY=1 ../common/check-config
+
+case "${os}" in
+    arch)
+        containerfile='Containerfile.arch'
+        features='--features=pre-6.15'
+        ;;
+    *)
+        echo "*** unknown variant ${os}"
+        false
+        ;;
+esac
+
+# https://github.com/containers/buildah/issues/5656
+PODMAN_BUILD="podman build --no-cache"
+
+cargo build --release "${features}"
+
+cp ../../target/release/cfsctl .
+cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37composefs/
+CFSCTL='./cfsctl --repo tmp/sysroot/composefs'
+
+rm -rf tmp
+mkdir -p tmp/sysroot/composefs
+
+${PODMAN_BUILD} \
+    --iidfile=tmp/base.iid \
+    --target=base \
+    -f "${containerfile}" \
+    .
+
+BASE_ID="$(sed s/sha256:// tmp/base.iid)"
+${CFSCTL} oci pull containers-storage:"${BASE_ID}"
+BASE_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${BASE_ID}")"
+
+${PODMAN_BUILD} \
+    --iidfile=tmp/final.iid \
+    --build-context=base="container-image://${BASE_ID}" \
+    --build-arg=COMPOSEFS_FSVERITY="?${BASE_IMAGE_FSVERITY}" \
+    --label=containers.composefs.fsverity="${BASE_IMAGE_FSVERITY}" \
+    -f "${containerfile}" \
+    .
+
+FINAL_ID="$(sed s/sha256:// tmp/final.iid)"
+${CFSCTL} oci pull containers-storage:"${FINAL_ID}"
+${CFSCTL} oci prepare-boot "${FINAL_ID}" --bootdir tmp/efi
+
+../common/install-systemd-boot
+../common/make-image -sr "${os}-nofsverity-efi.qcow2"

examples/nofsverity/extra/etc/dracut.conf.d/no-xattr.conf

@@ -0,0 +1 @@
+export DRACUT_NO_XATTR=1

examples/nofsverity/extra/etc/mkinitcpio.conf

@@ -0,0 +1,3 @@
+MODULES=(overlay erofs)
+BINARIES=(strace)
+HOOKS=(base udev composefs autodetect microcode modconf kms keyboard keymap block filesystems)

examples/nofsverity/extra/etc/mkinitcpio.d/linux.preset

@@ -0,0 +1,10 @@
+ALL_kver="/boot/vmlinuz-linux"
+
+MODULES=(ext4 overlay erofs)
+BINARIES=(fsck.ext4 strace)
+HOOKS=(base udev composefs autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/arch-linux.efi"
+default_options="--splash=/usr/share/systemd/bootctl/splash-arch.bmp"

examples/nofsverity/extra/etc/resolv.conf

@@ -0,0 +1 @@
+../run/systemd/resolve/stub-resolv.conf

examples/nofsverity/extra/root/.ssh/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUOtNJdBEXyKxBB898rdT54ULjMGuO6v4jLXmRsdRhR5Id/lKNc9hsdioPWUePgYlqML2iSV72vKQoVhkyYkpcsjr3zvBny9+5xej3+TBLoEMAm2hmllKPmxYJDU8jQJ7wJuRrOVOnk0iSNF+FcY/yaQ0owSF02Nphx47j2KWc0IjGGlt4fl0fmHJuZBA2afN/4IYIIsEWZziDewVtaEjWV3InMRLllfdqGMllhFR+ed2hQz9PN2QcapmEvUR4UCy/mJXrke5htyFyHi8ECfyMMyYeHwbWLFQIve4CWix9qtksvKjcetnxT+WWrutdr3c9cfIj/c0v/Zg/c4zETxtp cockpit-test

examples/nofsverity/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -0,0 +1,6 @@
+# we want to make sure the virtio disk drivers get included
+hostonly=no
+
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "

examples/nofsverity/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service

@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/composefs-setup-root
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

examples/nofsverity/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/composefs-setup-root" /bin/composefs-setup-root
+    inst \
+        "${moddir}/composefs-setup-root.service" \
+        "${systemdsystemunitdir}/composefs-setup-root.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'composefs-setup-root.service'
+}

examples/nofsverity/extra/usr/lib/initcpio/hooks/composefs

@@ -0,0 +1,12 @@
+#!/usr/bin/ash
+
+run_latehook() {
+    local composefs
+
+    composefs="$(getarg composefs)"
+    if [ -z "$composefs" ]; then
+        return 0
+    fi
+
+    /usr/bin/composefs-setup-root --sysroot /new_root
+}

examples/nofsverity/extra/usr/lib/initcpio/install/composefs

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+build() {
+    add_binary "/usr/lib/dracut/modules.d/37composefs/composefs-setup-root" "/usr/bin/composefs-setup-root"
+    add_runscript
+}

examples/nofsverity/extra/usr/lib/kernel/install.conf.d/37composefs.conf

@@ -0,0 +1,2 @@
+layout = uki
+uki_generator = ukify

examples/nofsverity/extra/usr/lib/systemd/network/37-wired.network

@@ -0,0 +1,9 @@
+[Match]
+Type=ether
+
+[Link]
+RequiredForOnline=routable
+
+[Network]
+DHCP=yes
+

examples/nofsverity/extra/usr/lib/systemd/system/systemd-growfs-root.service.d/37-composefs.conf

@@ -0,0 +1,6 @@
+# Make sure we grow the right root filesystem
+
+[Service]
+ExecStart=
+ExecStart=/usr/lib/systemd/systemd-growfs /sysroot
+