engineering: migrate image build definitions from test-images to trident#644
Open
bfjelds wants to merge 15 commits into
Conversation
Copy image definitions that trident pipelines need but were only in the test-images repo:
- trident-testimage/
- trident-container-testimage/
- trident-container-installer/
- trident-verity-testimage/ (used by verity, usrverity, container variants)
- trident-installer/base/baseimg.yaml (standard installer)
- trident-installer/base/baseimg-split.yaml (split installer)
- trident-installer supporting files (services, config placeholders)

Rename trident-installer/base/post-install.sh to post-install-direct-streaming.sh for the direct-streaming variant, and use the standard post-install.sh from test-images for the regular installer images.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Update builder/sign.py with newer signing code from test-images:
- Detect efikeygen --kernel flag support via --help probe
- Handle pesign --certficate typo in older versions
- Stage PE and verity artifacts through temp dirs with sudo cp for root-owned artifact handling
- Improve sign_verity_hash with temp staging and logging

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add image definitions previously only in test-images repo:
- trident-installer (standard, split, arm64)
- trident-container-installer
- trident-testimage (+ arm64)
- trident-verity-testimage
- trident-usrverity-testimage
- trident-container-verity-testimage
- trident-container-usrverity-testimage
- trident-container-testimage

Organize entries by category (installers, test images, direct streaming, AZL installer, VM test images).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
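The two tool probes mentioned in the sign.py commit above (efikeygen --kernel support and the pesign --certficate typo) come down to feature-detecting a binary from its --help output before building the command line. The following is an added example, not trident's builder/sign.py: the help-text samples are constructed, the option lists are abbreviated, and the efikeygen/pesign option names used in the command builders are assumed from those tools' documented interfaces; verify them against the versions you ship.

```python
"""Feature-detect efikeygen and pesign from their --help output.

Added example, not trident's builder/sign.py. The help-text samples are
constructed for this example and the option lists are abbreviated; check
them against your installed versions.
"""
import re
import shutil
import subprocess


def tool_help(tool: str) -> str:
    """Run `<tool> --help` and return stdout+stderr, or "" if the tool is not installed.

    Some tools print usage to stderr and exit non-zero on --help, so the
    exit status is deliberately not checked.
    """
    if shutil.which(tool) is None:
        return ""
    proc = subprocess.run([tool, "--help"], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def _has_long_option(help_text: str, option: str) -> bool:
    # Match the option as a whole token so --kernel does not match --kernel-foo.
    return re.search(rf"(?<![\w-]){re.escape(option)}(?![\w-])", help_text) is not None


def efikeygen_supports_kernel(help_text: str) -> bool:
    """True when efikeygen advertises --kernel (kernel-signing certificate type)."""
    return _has_long_option(help_text, "--kernel")


def pesign_certificate_flag(help_text: str) -> str:
    """Return the certificate option spelling this pesign build actually parses."""
    if _has_long_option(help_text, "--certficate"):
        return "--certficate"  # old pesign releases carried this typo
    return "--certificate"


def efikeygen_args(help_text: str, dbdir: str, nickname: str, common_name: str) -> list:
    """Build an efikeygen command line, adding --kernel only when supported.

    --dbdir/--nickname/--common-name/--self-sign are assumed efikeygen options.
    """
    args = ["efikeygen", "--dbdir", dbdir, "--nickname", nickname,
            "--common-name", common_name, "--self-sign"]
    if efikeygen_supports_kernel(help_text):
        args.append("--kernel")
    return args


def pesign_args(help_text: str, dbdir: str, nickname: str, unsigned: str, signed: str) -> list:
    """Build a pesign signing command line using the detected certificate flag.

    --certdir/--sign/--in/--out are assumed pesign options.
    """
    return ["pesign", "--certdir", dbdir, pesign_certificate_flag(help_text), nickname,
            "--sign", "--in", unsigned, "--out", signed]


# Constructed help-text samples (not real tool output).
NEW_EFIKEYGEN_HELP = """Usage: efikeygen [OPTION...]
  -d, --dbdir=DIR            Directory for the NSS database
  -k, --kernel               Generate a kernel-signing certificate
  -n, --nickname=NAME        Certificate nickname
"""
OLD_EFIKEYGEN_HELP = """Usage: efikeygen [OPTION...]
  -d, --dbdir=DIR            Directory for the NSS database
  -n, --nickname=NAME        Certificate nickname
"""
OLD_PESIGN_HELP = """Usage: pesign [OPTION...]
  -c, --certficate=NICKNAME  Certificate to use
  -s, --sign                 Sign the input
"""
NEW_PESIGN_HELP = """Usage: pesign [OPTION...]
  -c, --certificate=NICKNAME Certificate to use
  -s, --sign                 Sign the input
"""

if __name__ == "__main__":
    # Probe the real tools if present; fall back to the constructed samples.
    ek = tool_help("efikeygen") or NEW_EFIKEYGEN_HELP
    ps = tool_help("pesign") or OLD_PESIGN_HELP
    print(efikeygen_args(ek, "/tmp/db", "trident-signing", "Trident Test CA"))
    print(pesign_args(ps, "/tmp/db", "trident-signing", "in.efi", "out.efi"))
```

Probing the help text once and caching the result keeps the decision out of the per-artifact signing loop, and refusing to match `--kernel` as a prefix avoids false positives if a later version adds a longer option with the same stem.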
Replace the call to build-image.yml@test-images with the local build-image-template.yml. This runs testimages.py from trident's own tests/images/ instead of checking out the test-images repo. Also add nss-tools and pesign to the native dependency install for SecureBoot signing support, and remove the migration TODO comment since this completes that work. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove repository: test-images resource blocks from 11 pipeline files. Image builds now use local definitions and build templates instead of checking out the test-images repo. Also update the disabled mshvch-dom0 stage template with a comment noting it needs updating if re-enabled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The container-installer image runs trident via a container service, not from local RPMs. Setting requires_trident=False prevents the builder from requiring bin/RPMS which won't be populated for container-runtime images (the pipeline stage skips RPM download for runtimeEnv=container). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The old sign_boot_artifacts used items_to_sign list with regex matching against inject-files.yaml, which fails with newer Image Customizer output format. Replace with the test-images approach that iterates injectFiles entries directly, reading type/source/unsignedSource from each entry. Supports both MIC v1.1+ (type field) and older versions (filename-based type detection via get_artifact_type_from_name). Remove unused get_artifact_path function and items_to_sign parameter. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
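The commit above replaces regex matching over inject-files.yaml with a direct walk of the injectFiles entries, using the explicit type field where Image Customizer emits one and falling back to the file name otherwise. The following is an added example of that approach, not trident's builder/sign.py: the field names type, source and unsignedSource are taken from the commit message, but the overall entry layout, the type values "pe" and "verity-hash", the filename heuristics in get_artifact_type_from_name, and the sample spec are all assumptions constructed for this illustration.

```python
"""Plan signing work directly from Image Customizer's inject-files entries.

Added example, not trident's builder/sign.py. The entry layout, the type
values and the filename heuristics are assumptions; SAMPLE_INJECT_FILES is
constructed, not real Image Customizer output.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

KNOWN_TYPES = ("pe", "verity-hash")


@dataclass(frozen=True)
class SigningTask:
    kind: str                # one of KNOWN_TYPES
    unsigned: PurePosixPath  # input produced by Image Customizer (unsignedSource)
    signed: PurePosixPath    # where the signed artifact must be written (source)


def get_artifact_type_from_name(name: str) -> str:
    """Filename fallback for entries that carry no `type` (pre-v1.1 output).

    Assumed heuristics: PE binaries (UKIs, shim, systemd-boot) end in .efi;
    verity root-hash signatures have 'verity' or 'roothash' in their path.
    Anything else is refused rather than guessed, so an unexpected artifact
    fails the build instead of silently going unsigned.
    """
    lower = name.lower()
    if lower.endswith(".efi"):
        return "pe"
    if "roothash" in lower or "verity" in lower:
        return "verity-hash"
    raise ValueError(f"cannot infer artifact type from file name: {name!r}")


def needs_signing(entry: dict) -> bool:
    """Entries without unsignedSource are injected as-is; there is nothing to sign."""
    return "unsignedSource" in entry


def classify_entry(entry: dict) -> SigningTask:
    """Prefer the explicit type field (MIC v1.1+); otherwise infer from the name."""
    kind = entry.get("type") or get_artifact_type_from_name(entry["source"])
    if kind not in KNOWN_TYPES:
        raise ValueError(f"unsupported artifact type {kind!r} for {entry['source']!r}")
    return SigningTask(kind=kind,
                       unsigned=PurePosixPath(entry["unsignedSource"]),
                       signed=PurePosixPath(entry["source"]))


def plan_signing(spec: dict) -> list[SigningTask]:
    """Return one task per injectFiles entry that has an unsigned input."""
    return [classify_entry(e) for e in spec.get("injectFiles", []) if needs_signing(e)]


# Constructed sample mirroring the assumed shape of inject-files.yaml.
SAMPLE_INJECT_FILES = {
    "injectFiles": [
        {   # MIC v1.1+ style: explicit type field
            "type": "pe",
            "source": "ukis/vmlinuz-example.signed.efi",
            "unsignedSource": "ukis/vmlinuz-example.efi",
            "destination": "/EFI/Linux/vmlinuz-example.efi",
        },
        {   # older style: no type, inferred from the path
            "source": "verity/root.hash.sig",
            "unsignedSource": "verity/root.hash",
            "destination": "/verity/root.hash.sig",
        },
        {   # plain file, injected as-is
            "source": "loader/loader.conf",
            "destination": "/loader/loader.conf",
        },
    ]
}

if __name__ == "__main__":
    for task in plan_signing(SAMPLE_INJECT_FILES):
        print(f"{task.kind:12} {task.unsigned} -> {task.signed}")
```

The important property is that the fallback raises on anything it cannot classify: a signing step that quietly skips an artifact it does not recognise produces an image that boots with an unsigned component, which is exactly the condition Secure Boot signing exists to prevent.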
The signed_path.parent dir (e.g. ukis/) is created by Image Customizer and owned by root. The mkdir+chmod in sign_boot_artifacts fails with PermissionError. Remove it — sign_pe_artifact and sign_verity_hash already handle permissions via sudo cp through temp dirs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The verity test images install openssh-server but don't enable the sshd service. Pipeline e2e tests require SSH access to the deployed VMs.

Add sshd to the enabled services list in:
- base/baseimg.yaml (root-verity host)
- base/baseimg-container.yaml (root-verity container)
- usr/host.yaml (usr-verity host)

usr/container.yaml already had sshd enabled.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

bfjelds (Member, Author):
/azp run [GITHUB]-trident-pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
Image Customizer's --rpm-source may not search subdirectories. The old test-images pipeline staged RPMs directly in base/trident/ (flat). Our template was creating bin/RPMS/x86_64/ and placing RPMs there, so IC couldn't find them in the top-level scan. Use find + mv to flatten all RPMs into bin/RPMS/ regardless of artifact directory structure. Also fix duplicate sshd entry in baseimg-container.yaml. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
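The commit above flattens the RPM tree with find + mv so that a top-level-only scan by --rpm-source sees every package. The following is an added example, not trident's pipeline template: it performs the same flattening in Python and adds a check the shell one-liner lacks, namely that two RPMs with the same file name but different contents are reported rather than silently overwritten. The directory layout and package names in the demo are constructed.

```python
"""Flatten an RPM artifact tree so a non-recursive --rpm-source scan sees every package.

Added example, not trident's pipeline template. The demo tree and package
names are constructed.
"""
from __future__ import annotations

import filecmp
import shutil
import tempfile
from pathlib import Path


def flatten_rpms(root: Path) -> list[str]:
    """Move every *.rpm below `root` into `root` itself; return the names moved.

    Identical duplicates (same name, same bytes) are dropped; a same-name file
    with different bytes raises instead of clobbering whichever was moved first.
    Emptied subdirectories are removed so the tree ends up flat.
    """
    root = Path(root)
    moved: list[str] = []
    # Materialise the listing before moving anything so the walk is stable.
    for rpm in sorted(root.rglob("*.rpm")):
        if rpm.parent == root:
            continue
        target = root / rpm.name
        if target.exists():
            if filecmp.cmp(rpm, target, shallow=False):
                rpm.unlink()  # identical duplicate, nothing lost
                continue
            raise FileExistsError(f"name collision with different contents: {rpm} vs {target}")
        shutil.move(str(rpm), str(target))
        moved.append(rpm.name)
    # Prune now-empty directories, deepest first.
    for d in sorted((p for p in root.rglob("*") if p.is_dir()), reverse=True):
        if not any(d.iterdir()):
            d.rmdir()
    return moved


def demo() -> list[str]:
    """Build a constructed bin/RPMS tree with arch subdirs, flatten it, list the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin" / "RPMS"
        (root / "x86_64").mkdir(parents=True)
        (root / "noarch").mkdir()
        (root / "x86_64" / "example-a-1.0-1.x86_64.rpm").write_bytes(b"pkg-a")
        (root / "noarch" / "example-b-1.0-1.noarch.rpm").write_bytes(b"pkg-b")
        (root / "example-c-1.0-1.x86_64.rpm").write_bytes(b"pkg-c")      # already flat
        (root / "noarch" / "example-c-1.0-1.x86_64.rpm").write_bytes(b"pkg-c")  # identical dup
        flatten_rpms(root)
        return sorted(p.name for p in root.iterdir())


if __name__ == "__main__":
    print(demo())
```

Calling flatten_rpms on the staged artifact directory before invoking the image build gives the same layout the old test-images pipeline had (all RPMs directly in one directory), independent of how the artifact producer nested them.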
bfjelds (Member, Author):
/azp run [GITHUB]-trident-pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
Force-pushed from 8a86655 to d6211af
Merge the test-images improvements (ln -s -T, audit dir, override mechanism) with the original direct-streaming conditional into a single post-install.sh.
- Standard installer path: sets up config symlink + override
- Direct-streaming path: strips ConditionPathExists + sets up rcp-agent

Removes the separate post-install-direct-streaming.sh that was created during the initial copy.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Force-pushed from d6211af to 145951a

bfjelds (Member, Author):
/azp run [GITHUB]-trident-pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
Files copied from test-images on Windows lost their Unix execute bits (100755 -> 100644). This caused etc-mount.sh to be non-executable, which made etc-mount.service fail at boot on root-verity images. Fix execute permissions on all .sh scripts that were copied from test-images. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bfjelds (Member, Author):
/azp run [GITHUB]-trident-pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
Restore the original mshvch-dom0 test image build stage from main, undoing the disabled-pending-migration placeholder. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix build commands: use testimages.py instead of old make targets
- Fix RPM paths: bin/RPMS/ via make bin/trident-rpms.tar.gz (not base/trident/*.rpm)
- Fix output paths: artifacts/<name>.cosi (not build/<name>/partition files)
- Note which images do/don't require Trident RPMs
- Remove stale test-images ADO build badge

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

bfjelds (Member, Author):
/azp run [GITHUB]-trident-pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
Copilot (Contributor):

Pull request overview

Copilot reviewed 58 out of 58 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (4)

tests/images/trident-verity-testimage/base/etc-mount.sh:1 - The overlay paths used by `etc-mount.sh` (`/var/lib/trident-overlay/etc-rw/...`) do not match the paths configured in `base/etc.mount` (`/var/lib/trident-overlay/etc/...`). With the current `etc-mount.service` requiring `etc.mount`, this mismatch can lead to inconsistent overlay state or mount failures. Align the upper/work dirs between the unit and the script, or remove one of the two mounting mechanisms to avoid double-mounting `/etc`.

tests/images/trident-verity-testimage/base/create-web-dir.sh:1 - This script is installed and executed as part of `postCustomization` but does not include a shebang or strict-mode settings. Add a `#!/bin/bash` shebang and basic safety flags (e.g., exit-on-error) to ensure consistent execution across environments.

tests/images/trident-verity-testimage/usr/host.yaml:1 - `efibootmgr` is listed twice in the package install list. Dropping the duplicate avoids confusion and keeps the manifest easier to audit.
Summary
Migrates all trident image build definitions from the test-images repo into the trident repo, so trident pipelines no longer depend on test-images.
Changes
Image definitions copied from test-images:
Build system updates:
Pipeline changes:
- `build-image-template.yml` instead of `test-images`
- `repository: test-images` removed from all 11 pipeline files

Companion PR
test-images cleanup: removes trident image definitions that moved here.
Testing
https://dev.azure.com/mariner-org/ECF/_build/results?buildId=1117244&view=results