Diffstat (limited to 'release/tools')
-rw-r--r--release/tools/arm.subr86
-rw-r--r--release/tools/azure.conf15
-rw-r--r--release/tools/basic-ci.conf5
-rw-r--r--release/tools/basic-cloudinit.conf40
-rw-r--r--release/tools/ec2-base.conf39
-rw-r--r--release/tools/ec2-builder.conf57
-rw-r--r--release/tools/ec2-cloud-init.conf32
-rw-r--r--release/tools/ec2-small.conf44
-rw-r--r--release/tools/ec2.conf187
-rw-r--r--release/tools/gce.conf21
-rw-r--r--release/tools/mkami.sh65
-rw-r--r--release/tools/oci-image-dynamic.conf11
-rw-r--r--release/tools/oci-image-runtime.conf23
-rw-r--r--release/tools/oci-image-static.conf46
-rw-r--r--release/tools/openstack.conf3
-rw-r--r--release/tools/oracle.conf94
-rw-r--r--release/tools/rc.amibuilder74
-rw-r--r--release/tools/vagrant-virtualbox.conf2
-rw-r--r--release/tools/vagrant-vmware.conf2
-rw-r--r--release/tools/vagrant.conf8
-rw-r--r--release/tools/vmimage.subr165
21 files changed, 814 insertions, 205 deletions
diff --git a/release/tools/arm.subr b/release/tools/arm.subr
index 89b52077e836..5c5ebd29681d 100644
--- a/release/tools/arm.subr
+++ b/release/tools/arm.subr
@@ -1,7 +1,6 @@
#!/bin/sh
#-
# Copyright (c) 2015-2017 The FreeBSD Foundation
-# All rights reserved.
#
# Portions of this software were developed by Glen Barber
# under sponsorship from the FreeBSD Foundation.
@@ -29,7 +28,6 @@
#
# Common subroutines used to build arm, arm64, or RISC-V SD card images.
#
-# $FreeBSD$
#
cleanup() {
@@ -37,7 +35,7 @@ cleanup() {
umount_loop ${DESTDIR}/dev 2>/dev/null
fi
umount_loop ${DESTDIR}
- if [ ! -z "${mddev}" ]; then
+ if [ -n "${mddev}" ]; then
mdconfig -d -u ${mddev}
fi
@@ -63,24 +61,31 @@ umount_loop() {
}
arm_create_disk() {
+ if [ $(sysctl -n kern.geom.part.mbr.enforce_chs) != 0 ]; then
+ return 1
+ fi
+
# Create the target raw file and temporary work directory.
chroot ${CHROOTDIR} gpart create -s ${PART_SCHEME} ${mddev}
+
+ arm_create_partitions
+
if [ "${PART_SCHEME}" = "GPT" ]; then
chroot ${CHROOTDIR} gpart add -t efi -l efi -a 512k -s ${FAT_SIZE} ${mddev}
- chroot ${CHROOTDIR} newfs_msdos -L efi -F ${FAT_TYPE} /dev/${mddev}p1
chroot ${CHROOTDIR} gpart add -t freebsd-ufs -l rootfs -a 64k ${mddev}
- chroot ${CHROOTDIR} newfs -U -L rootfs /dev/${mddev}p2
fi
if [ "${PART_SCHEME}" = "MBR" ]; then
chroot ${CHROOTDIR} gpart add -t '!12' -a 512k -s ${FAT_SIZE} ${mddev}
chroot ${CHROOTDIR} gpart set -a active -i 1 ${mddev}
- chroot ${CHROOTDIR} newfs_msdos -L msdosboot -F ${FAT_TYPE} /dev/${mddev}s1
chroot ${CHROOTDIR} gpart add -t freebsd ${mddev}
- chroot ${CHROOTDIR} gpart create -s bsd ${mddev}s2
- chroot ${CHROOTDIR} gpart add -t freebsd-ufs -a 64k /dev/${mddev}s2
- chroot ${CHROOTDIR} newfs -U -L rootfs /dev/${mddev}s2a
+ chroot ${CHROOTDIR} gpart create -s bsd ${mddev}${BSDLABEL_SUFFIX}
+ chroot ${CHROOTDIR} gpart add -t freebsd-ufs -a 64k -b 64k ${mddev}${BSDLABEL_SUFFIX}
fi
+ # Create the EFI and UFS filesystems
+ chroot ${CHROOTDIR} newfs_msdos -L efi -F ${FAT_TYPE} /dev/${mddev}${EFIPART_SUFFIX}
+ chroot ${CHROOTDIR} newfs -U -L rootfs /dev/${mddev}${ROOTFSPART_SUFFIX}
+
return 0
}
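Review bot: The new `enforce_chs` guard at the top of arm_create_disk uses an unquoted `$(sysctl -n kern.geom.part.mbr.enforce_chs)`; if sysctl prints nothing (for instance an OID the host kernel does not have) the test degenerates to `[ != 0 ]`, a syntax error, and in the ordinary case the function returns 1 with no explanation, so the build fails somewhere later with an unrelated error. `if [ "$(sysctl -n kern.geom.part.mbr.enforce_chs)" != 0 ]; then` together with `echo "kern.geom.part.mbr.enforce_chs must be 0 to build SD card images" >&2` before the `return 1` makes the failure diagnosable. A short comment saying the sysctl is deliberately read on the host (the chroot shares the kernel, so the value is the same) would also save a reader from wondering why it is not wrapped in `chroot ${CHROOTDIR}` like the gpart calls.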
@@ -169,12 +174,7 @@ arm_setup_minimal_loader() {
}
arm_install_base() {
- if [ "${PART_SCHEME}" = "GPT" ]; then
- chroot ${CHROOTDIR} mount /dev/${mddev}p2 ${DESTDIR}
- fi
- if [ "${PART_SCHEME}" = "MBR" ]; then
- chroot ${CHROOTDIR} mount /dev/${mddev}s2a ${DESTDIR}
- fi
+ chroot ${CHROOTDIR} mount /dev/${mddev}${ROOTFSPART_SUFFIX} ${DESTDIR}
_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
@@ -185,7 +185,8 @@ arm_install_base() {
DESTDIR=${DESTDIR} KERNCONF=${KERNEL} \
${CONF_FILES} installworld installkernel distribution
chroot ${CHROOTDIR} mkdir -p ${DESTDIR}/boot/efi
- chroot ${CHROOTDIR} mkdir -p ${DESTDIR}/boot/msdos
+ # Compatibility symlink to /boot/msdos for 13.1 and earlier
+ chroot ${CHROOTDIR} ln -s efi ${DESTDIR}/boot/msdos
arm_create_user
arm_setup_usb_otg
@@ -196,31 +197,26 @@ arm_install_base() {
echo '# Custom /etc/fstab for FreeBSD embedded images' \
> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- if [ "${PART_SCHEME}" = "GPT" ]; then
- echo "/dev/ufs/rootfs / ufs rw 1 1" \
- >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- echo "/dev/msdosfs/EFI /boot/efi msdosfs rw,noatime 0 0" \
- >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- fi
- if [ "${PART_SCHEME}" = "MBR" ]; then
- echo "/dev/ufs/rootfs / ufs rw 1 1" \
- >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- echo "/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0" \
- >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- fi
+ echo "/dev/ufs/rootfs / ufs rw 1 1" \
+ >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
+ echo "/dev/msdosfs/EFI /boot/efi msdosfs rw,noatime 0 0" \
+ >> ${CHROOTDIR}/${DESTDIR}/etc/fstab
echo "tmpfs /tmp tmpfs rw,mode=1777 0 0" \
>> ${CHROOTDIR}/${DESTDIR}/etc/fstab
local hostname
hostname="$(echo ${KERNEL} | tr '[:upper:]' '[:lower:]')"
echo "hostname=\"${hostname}\"" > ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
- echo 'ifconfig_DEFAULT="DHCP"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
+ echo 'ifconfig_DEFAULT="DHCP inet6 accept_rtadv"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sshd_enable="YES"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_enable="NONE"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_outbound_enable="NO"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_msp_queue_enable="NO"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'growfs_enable="YES"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
+ if [ -n "${CONFIG_POWERD_ENABLE}" ]; then
+ echo 'powerd_enable="YES"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
+ fi
sync
umount_loop ${CHROOTDIR}/${DESTDIR}
@@ -232,23 +228,12 @@ arm_install_boot() {
FATMOUNT="${DESTDIR%${KERNEL}}/fat"
UFSMOUNT="${DESTDIR%${KERNEL}}/ufs"
chroot ${CHROOTDIR} mkdir -p "${FATMOUNT}" "${UFSMOUNT}"
- if [ "${PART_SCHEME}" = "GPT" ]; then
- dospart="/dev/${mddev}p1"
- ufspart="/dev/${mddev}p2"
- fi
- if [ "${PART_SCHEME}" = "MBR" ]; then
- dospart="/dev/${mddev}s1"
- ufspart="/dev/${mddev}s2a"
- fi
+ dospart="/dev/${mddev}${EFIPART_SUFFIX}"
+ ufspart="/dev/${mddev}${ROOTFSPART_SUFFIX}"
chroot ${CHROOTDIR} mount_msdosfs ${dospart} ${FATMOUNT}
chroot ${CHROOTDIR} mount ${ufspart} ${UFSMOUNT}
- if [ "${EMBEDDED_TARGET}" = "arm" ]; then
- chroot ${CHROOTDIR} cp -p ${UFSMOUNT}/boot/ubldr.bin \
- ${FATMOUNT}/ubldr.bin
- fi
-
BOOTFILES="$(chroot ${CHROOTDIR} \
env TARGET=${EMBEDDED_TARGET} TARGET_ARCH=${EMBEDDED_TARGET_ARCH} \
WITH_UNIFIED_OBJDIR=yes \
@@ -278,3 +263,20 @@ arm_install_uboot() {
arm_do_quirk() {
# Override in the ${EMBEDDED_TARGET}/${BOARDNAME}.conf file.
}
+
+arm_create_partitions() {
+ # Override in the ${EMBEDDED_TARGET}/${BOARDNAME}.conf file.
+
+ # Set defaults for EFIPART_SUFFIX, ROOTFSPART_SUFFIX, and
+ # BSDLABEL_SUFFIX (MBR only), needed elsewhere.
+
+ if [ "${PART_SCHEME}" = "GPT" ]; then
+ export EFIPART_SUFFIX=p1
+ export ROOTFSPART_SUFFIX=p2
+ fi
+ if [ "${PART_SCHEME}" = "MBR" ]; then
+ export EFIPART_SUFFIX=s1
+ export BSDLABEL_SUFFIX=s2
+ export ROOTFSPART_SUFFIX=s2a
+ fi
+}
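Review bot: Because board .conf files are told to override `arm_create_partitions` wholesale, an override that does not export `EFIPART_SUFFIX`/`ROOTFSPART_SUFFIX` (and `BSDLABEL_SUFFIX` for MBR) leaves them empty, and `/dev/${mddev}${ROOTFSPART_SUFFIX}` in arm_create_disk, arm_install_base and arm_install_boot (the earlier hunks of this file) then names the bare md device, so newfs and mount would operate on the whole disk rather than a partition. Setting the defaults before the call in arm_create_disk instead of inside the overridable function, or checking `[ -n "${EFIPART_SUFFIX}" ] && [ -n "${ROOTFSPART_SUFFIX}" ] || return 1` directly after `arm_create_partitions`, closes that gap. The function comment should also state that an override must export all three suffixes, since the defaults are not inherited.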
diff --git a/release/tools/azure.conf b/release/tools/azure.conf
index a9126ed8c389..519ab13fe432 100644
--- a/release/tools/azure.conf
+++ b/release/tools/azure.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
# Convention of Linux type VM on Azure is 30G
@@ -16,21 +15,23 @@ export VM_RC_LIST="ntpd sshd waagent firstboot_freebsd_update firstboot_pkgs"
# See ResourceDisk.EnableSwap and ResourceDisk.SwapSizeMB in waagent.conf
export NOSWAP=YES
-# https://docs.microsoft.com/en-us/azure/marketplace/azure-vm-create-certification-faq#vm-images-must-have-1mb-free-space
+# https://learn.microsoft.com/en-us/partner-center/marketplace/azure-vm-certification-faq#vm-images-must-have-1-mb-of-free-space
export VM_BOOTPARTSOFFSET=1M
vm_extra_pre_umount() {
+ mount -t devfs devfs ${DESTDIR}/dev
+
# The firstboot_pkgs rc.d script will download the repository
# catalogue and install or update pkg when the instance first
# launches, so these files would just be replaced anyway; removing
# them from the image allows it to boot faster.
- mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg delete -f -y pkg
- umount ${DESTDIR}/dev
- rm ${DESTDIR}/var/db/pkg/repo-*.sqlite
+ rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD
- yes | chroot ${DESTDIR} ${EMULATOR} /usr/local/sbin/waagent -deprovision
+ chroot ${DESTDIR} ${EMULATOR} pw usermod root -h -
+
+ umount ${DESTDIR}/dev
cat << EOF >> ${DESTDIR}/etc/rc.conf
ifconfig_hn0="SYNCDHCP"
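Review bot: `rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD` is unquoted and unguarded, and runs while devfs is mounted under `${DESTDIR}`; with DESTDIR unset or empty it would remove the build host's own repo database. `rm -r "${DESTDIR:?}/var/db/pkg/repos/FreeBSD"` aborts instead, and the same line appears in `ec2_common` in the ec2.conf hunk. Separately, the removed `waagent -deprovision` cleared more than the root password (to my knowledge also SSH host keys, DHCP leases and cached provisioning data), whereas the replacement `pw usermod root -h -` only disables root's password; it is worth confirming that none of that state exists in the image at this point, or that the new vm_emulation_cleanup path (outside this view) handles it, and recording that in a comment above the `pw` line.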
@@ -52,7 +53,5 @@ EOF
touch ${DESTDIR}/firstboot
- rm -f ${DESTDIR}/etc/resolv.conf
-
return 0
}
diff --git a/release/tools/basic-ci.conf b/release/tools/basic-ci.conf
index 9dc05c57d0f4..12c9abb15fb1 100644
--- a/release/tools/basic-ci.conf
+++ b/release/tools/basic-ci.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
# Should be enough for base image, image can be resized in needed
@@ -22,6 +21,8 @@ beastie_disable="YES"
loader_logo="none"
console="comconsole,vidconsole"
EOF
+ metalog_add_data ./boot/loader.conf
+
cat <<EOF >> ${DESTDIR}/etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
@@ -29,7 +30,7 @@ PermitEmptyPasswords yes
UsePAM no
EOF
- touch ${DESTDIR}/firstboot
+ touch_firstboot
return 0
}
diff --git a/release/tools/basic-cloudinit.conf b/release/tools/basic-cloudinit.conf
new file mode 100644
index 000000000000..7088c0a5f72a
--- /dev/null
+++ b/release/tools/basic-cloudinit.conf
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Should be enough for base image, image can be resized in needed
+export VMSIZE=5g
+
+# 1M config drive should be enough in most cases
+export CONFIG_DRIVE=YES
+export CONFIG_DRIVE_SIZE=1M
+
+# Packages to install into the image we're creating.
+# * firstboot-freebsd-update, to install security updates at first boot.
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} firstboot-freebsd-update"
+
+# Set to a list of third-party software to enable in rc.conf(5).
+export VM_RC_LIST="${VM_RC_LIST} firstboot_freebsd_update growfs sshd nuageinit"
+
+vm_extra_pre_umount() {
+ cat << EOF >> ${DESTDIR}/etc/rc.conf
+dumpdev="AUTO"
+ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
+# RSA host keys are obsolete and also very slow to generate
+sshd_rsa_enable="NO"
+EOF
+
+ cat << EOF >> ${DESTDIR}/boot/loader.conf
+autoboot_delay="-1"
+beastie_disable="YES"
+loader_logo="none"
+console="comconsole,vidconsole"
+EOF
+
+ cat << EOF >> ${DESTDIR}/etc/ssh/sshd_config
+PasswordAuthentication yes
+UsePAM no
+EOF
+
+ touch ${DESTDIR}/firstboot
+
+ return 0
+}
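Review bot: This new file ends with a raw `touch ${DESTDIR}/firstboot` and appends to `boot/loader.conf` without registering it, whereas basic-ci.conf in this same commit switches to `touch_firstboot` and adds `metalog_add_data ./boot/loader.conf` after its loader.conf heredoc; the two should agree, presumably `metalog_add_data ./boot/loader.conf` after the second heredoc here and `touch_firstboot` in place of the touch (both helpers are defined outside this view, likely vmimage.subr). Separately, `PasswordAuthentication yes` with `UsePAM no` in sshd_config weakens an image that cloud-init otherwise provisions with keys; a comment stating why it is required for this variant, or dropping the two lines, would help the next reader.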
diff --git a/release/tools/ec2-base.conf b/release/tools/ec2-base.conf
new file mode 100644
index 000000000000..3ed20474a4e8
--- /dev/null
+++ b/release/tools/ec2-base.conf
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+. ${WORLDDIR}/release/tools/ec2.conf
+
+# Packages to install into the image we're creating. In addition to packages
+# present on all EC2 AMIs, we install:
+# * amazon-ssm-agent (not enabled by default, but some users need to use
+# it on systems not connected to the internet),
+# * ec2-scripts, which provides a range of EC2ification startup scripts,
+# * firstboot-freebsd-update, to install security updates at first boot,
+# * firstboot-pkgs, to install packages at first boot, and
+# * isc-dhcp44-client, used for IPv6 network setup.
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} amazon-ssm-agent ec2-scripts \
+ firstboot-freebsd-update firstboot-pkgs isc-dhcp44-client"
+
+# Services to enable in rc.conf(5).
+export VM_RC_LIST="${VM_RC_LIST} ec2_configinit ec2_ephemeral_swap \
+ ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs \
+ growfs sshd"
+
+vm_extra_pre_umount() {
+ # The AWS CLI tools are generally useful, and small enough that they
+ # will download quickly; but users will often override this setting
+ # via EC2 user-data.
+ echo 'firstboot_pkgs_list="devel/py-awscli"' >> ${DESTDIR}/etc/rc.conf
+
+ # Any EC2 ephemeral disks seen when the system first boots will
+ # be "new" disks; there is no "previous boot" when they might have
+ # been seen and used already.
+ touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+
+ # Configuration common to all EC2 AMIs
+ ec2_common
+
+ # Standard FreeBSD network configuration
+ ec2_base_networking
+
+ return 0
+}
diff --git a/release/tools/ec2-builder.conf b/release/tools/ec2-builder.conf
new file mode 100644
index 000000000000..7927fc13a74d
--- /dev/null
+++ b/release/tools/ec2-builder.conf
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+. ${WORLDDIR}/release/tools/ec2.conf
+
+# Build with a 7.9 GB partition; this is enough for our stripped-down
+# base system plus the compressed ec2-base image.
+export VMSIZE=8000m
+
+# Flags to installworld/kernel: We don't want debug symbols (kernel or
+# userland), 32-bit libraries, tests, or the debugger.
+export INSTALLOPTS="WITHOUT_DEBUG_FILES=YES WITHOUT_KERNEL_SYMBOLS=YES \
+ WITHOUT_LIB32=YES WITHOUT_TESTS=YES WITHOUT_LLDB=YES"
+
+# Packages to install into the image we're creating. In addition to packages
+# present on all EC2 AMIs, we install:
+# * ec2-scripts, which provides a range of EC2ification startup scripts,
+# * isc-dhcp44-client, used for IPv6 network setup, and
+# * py-awscli, to make it easier for users to create AMIs.
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ec2-scripts \
+ isc-dhcp44-client devel/py-awscli"
+
+# Services to enable in rc.conf(5).
+export VM_RC_LIST="${VM_RC_LIST} ec2_configinit ec2_ephemeral_swap \
+ ec2_fetchkey ec2_loghostkey sshd"
+
+vm_extra_pre_umount() {
+ # Any EC2 ephemeral disks seen when the system first boots will
+ # be "new" disks; there is no "previous boot" when they might have
+ # been seen and used already.
+ touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+
+ # Configuration common to all EC2 AMIs
+ ec2_common
+
+ # Standard FreeBSD network configuration
+ ec2_base_networking
+
+ # Grab a copy of the ec2-base disk image, and compress it
+ zstd < ${EC2BASEIMG} > ${DESTDIR}/image.zst
+
+ # Disable fortune so we don't have extra noise at login
+ chmod a-x ${DESTDIR}/usr/bin/fortune
+
+ # Install the AMI-building script
+ install -m 755 ${WORLDDIR}/release/tools/mkami.sh ${DESTDIR}/bin/mkami
+
+ # Install an /etc/rc which juggles disks around for us
+ install -m 755 ${WORLDDIR}/release/tools/rc.amibuilder ${DESTDIR}/etc
+
+ # We want to mount from the UFS disk and juggle disks first
+ cat >> ${DESTDIR}/boot/loader.conf <<-EOF
+ vfs.root.mountfrom="ufs:/dev/gpt/rootfs"
+ init_script="/etc/rc.amibuilder"
+ EOF
+
+ return 0
+}
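Review bot: `zstd < ${EC2BASEIMG} > ${DESTDIR}/image.zst` assumes EC2BASEIMG is set; with it empty the redirection fails with an unhelpful shell error and, if the calling shell is not running with -e, the builder image is still produced without the payload it exists to carry. A guard `: "${EC2BASEIMG:?path to the ec2-base disk image is required}"` at the top of vm_extra_pre_umount fails early with a clear message. The loader.conf heredoc uses `<<-EOF`, which strips leading tabs only, so the file must keep tab indentation for `vfs.root.mountfrom` and `init_script` to land at column 0.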
diff --git a/release/tools/ec2-cloud-init.conf b/release/tools/ec2-cloud-init.conf
new file mode 100644
index 000000000000..048202e252f6
--- /dev/null
+++ b/release/tools/ec2-cloud-init.conf
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+. ${WORLDDIR}/release/tools/ec2.conf
+
+# Packages to install into the image we're creating. In addition to packages
+# present on all EC2 AMIs, we install amazon-ssm-agent and cloud-init.
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} amazon-ssm-agent net/cloud-init"
+
+# Services to enable in rc.conf(5).
+export VM_RC_LIST="${VM_RC_LIST} cloudinit sshd"
+
+vm_extra_pre_umount() {
+ # Configuration common to all EC2 AMIs
+ ec2_common
+
+ # Configure cloud-init
+ cat <<-'EOF' > ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_ec2.cfg
+ disable_root: true
+ system_info:
+ distro: freebsd
+ default_user:
+ name: ec2-user
+ lock_passwd: True
+ groups: [wheel]
+ shell: /bin/sh
+ homedir: /home/ec2-user
+ doas:
+ - permit nopass ec2-user
+ EOF
+
+ return 0
+}
diff --git a/release/tools/ec2-small.conf b/release/tools/ec2-small.conf
new file mode 100644
index 000000000000..858836717f5a
--- /dev/null
+++ b/release/tools/ec2-small.conf
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+. ${WORLDDIR}/release/tools/ec2.conf
+
+# Build with a 4.9 GB partition; the growfs rc.d script will expand
+# the partition to fill the root disk after the EC2 instance is launched.
+# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
+# image since VMSIZE is the size of the filesystem partition, not the disk
+# which it resides within. (This overrides the default in ec2.conf.)
+export VMSIZE=5000m
+
+# Flags to installworld/kernel: We don't want debug symbols (kernel or
+# userland), 32-bit libraries, tests, or the debugger.
+export INSTALLOPTS="WITHOUT_DEBUG_FILES=YES WITHOUT_KERNEL_SYMBOLS=YES \
+ WITHOUT_LIB32=YES WITHOUT_TESTS=YES WITHOUT_LLDB=YES"
+
+# Packages to install into the image we're creating. In addition to packages
+# present on all EC2 AMIs, we install:
+# * ec2-scripts, which provides a range of EC2ification startup scripts,
+# * firstboot-freebsd-update, to install security updates at first boot,
+# * firstboot-pkgs, to install packages at first boot, and
+# * isc-dhcp44-client, used for IPv6 network setup.
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ec2-scripts \
+ firstboot-freebsd-update firstboot-pkgs isc-dhcp44-client"
+
+# Services to enable in rc.conf(5).
+export VM_RC_LIST="${VM_RC_LIST} ec2_configinit ec2_ephemeral_swap \
+ ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs \
+ growfs sshd"
+
+vm_extra_pre_umount() {
+ # Any EC2 ephemeral disks seen when the system first boots will
+ # be "new" disks; there is no "previous boot" when they might have
+ # been seen and used already.
+ touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+
+ # Configuration common to all EC2 AMIs
+ ec2_common
+
+ # Standard FreeBSD network configuration
+ ec2_base_networking
+
+ return 0
+}
diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf
index f0665646088b..ef7a603efea9 100644
--- a/release/tools/ec2.conf
+++ b/release/tools/ec2.conf
@@ -1,101 +1,49 @@
#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# Packages to install into the image we're creating. This is a deliberately
-# minimalist set, providing only the packages necessary to bootstrap further
-# package installation as specified via EC2 user-data.
-export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ec2-scripts \
- firstboot-freebsd-update firstboot-pkgs isc-dhcp44-client \
- ebsnvme-id"
-
-# Include the amazon-ssm-agent package in amd64 images, since some users want
-# to be able to use it on systems which are not connected to the Internet.
-# (It is not enabled by default, however.) This package does not exist for
-# aarch64, so we have to be selective about when we install it.
-if [ "${TARGET_ARCH}" = "amd64" ]; then
- export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} amazon-ssm-agent"
-fi
-# Set to a list of third-party software to enable in rc.conf(5).
-export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd dev_aws_disk"
+# Package which should be installed onto all EC2 AMIs:
+# * ebsnvme-id, which is very minimal and provides important EBS-specific
+# functionality,
+export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ebsnvme-id"
+
+# Services which should be enabled by default in rc.conf(5).
+export VM_RC_LIST="dev_aws_disk ntpd"
-# Build with a 4.9 GB UFS partition; the growfs rc.d script will expand
+# Build with a 7.9 GB partition; the growfs rc.d script will expand
# the partition to fill the root disk after the EC2 instance is launched.
# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
-# image since VMSIZE is the size of the UFS partition, not the disk which
-# it resides within.
-export VMSIZE=5000m
-
-# No swap space; the ec2_ephemeralswap rc.d script will allocate swap
-# space on EC2 ephemeral disks. (If they exist -- the T2 low-cost instances
-# and the C4 compute-optimized instances don't have ephemeral disks. But
-# it would be silly to bloat the image and increase costs for every instance
-# just for those two families, especially since instances ranging in size
-# from 1 GB of RAM to 60 GB of RAM would need different sizes of swap space
-# anyway.)
+# image since VMSIZE is the size of the filesystem partition, not the disk
+# which it resides within.
+export VMSIZE=8000m
+
+# No swap space; it doesn't make sense to provision any as part of the disk
+# image when we could be launching onto a system with anywhere between 0.5
+# and 4096 GB of RAM.
export NOSWAP=YES
-vm_extra_pre_umount() {
- # The firstboot_pkgs rc.d script will download the repository
- # catalogue and install or update pkg when the instance first
- # launches, so these files would just be replaced anyway; removing
- # them from the image allows it to boot faster.
+ec2_common() {
+ # Delete the pkg package and the repo database; they will likely be
+ # long out of date before the EC2 instance is launched.
mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg delete -f -y pkg
umount ${DESTDIR}/dev
- rm ${DESTDIR}/var/db/pkg/repo-*.sqlite
-
- # The size of the EC2 root disk can be configured at instance launch
- # time; expand our filesystem to fill the disk.
- echo 'growfs_enable="YES"' >> ${DESTDIR}/etc/rc.conf
-
- # EC2 instances use DHCP to get their network configuration. IPv6
- # requires accept_rtadv.
- echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf
-
- # Unless the system has been configured via EC2 user-data, the user
- # will need to SSH in to do anything.
- echo 'sshd_enable="YES"' >> ${DESTDIR}/etc/rc.conf
-
- # The AWS CLI tools are generally useful, and small enough that they
- # will download quickly; but users will often override this setting
- # via EC2 user-data.
- echo 'firstboot_pkgs_list="awscli"' >> ${DESTDIR}/etc/rc.conf
-
- # Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
- echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
- echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf
- echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf
+ rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD
# Turn off IPv6 Duplicate Address Detection; the EC2 networking
# configuration makes it unnecessary.
echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf
- # Provide a script which rtsold can use to launch DHCPv6
- mkdir -p ${DESTDIR}/usr/local/libexec
- cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF'
-#!/bin/sh
-
-/usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
-EOF
- chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M
-
- # The EC2 console is output-only, so while printing a backtrace can
- # be useful, there's no point dropping into a debugger or waiting
- # for a keypress.
- echo 'debug.trace_on_panic=1' >> ${DESTDIR}/boot/loader.conf
- echo 'debug.debugger_on_panic=0' >> ${DESTDIR}/boot/loader.conf
- echo 'kern.panic_reboot_wait_time=0' >> ${DESTDIR}/boot/loader.conf
-
- # The console is not interactive, so we might as well boot quickly.
+ # Booting quickly is more important than giving users a chance to
+ # access the boot loader via the serial port.
echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf
- # Tell gptboot not to wait 3 seconds for a keypress which won't
- # arrive either.
+ # The EFI RNG on Graviton 2 is particularly slow if we ask for the
+ # default 2048 bytes of entropy; ask for 64 bytes instead.
+ echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf
+
+ # Tell gptboot not to wait 3 seconds for a keypress which will
+ # never arrive.
printf -- "-n\n" > ${DESTDIR}/boot.config
# The emulated keyboard attached to EC2 instances is inaccessible to
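Review bot: The new `ec2_common` drops the `debug.trace_on_panic=1`, `debug.debugger_on_panic=0` and `kern.panic_reboot_wait_time=0` loader.conf lines with no replacement on the new side of this file; unless vmimage.subr (not in view) now sets them for every image, a panicking EC2 instance will again wait on a console nobody can type at. If they did move, a one-line `# Panic behaviour is configured in vmimage.subr` at the top of ec2_common would make that intentional rather than accidental. The lowered `entropy_efi_seed_size="64"` looks fine for seeding, but the comment could note that 64 bytes (512 bits) is still well above what a 256-bit generator needs, so nobody reads it as a security tradeoff.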
@@ -105,15 +53,32 @@ EOF
echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
+ # There is no floppy drive on EC2 instances so disable the driver.
+ echo 'hint.fd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
+ echo 'hint.fdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
+
+ # There is no parallel port on EC2 instances so disable driver.
+ echo 'hint.ppc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
+
# EC2 has two consoles: An emulated serial port ("system log"),
# which has been present since 2006; and a VGA console ("instance
# screenshot") which was introduced in 2016.
echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf
- # Some older EC2 hardware used a version of Xen with a bug in its
- # emulated serial port. It is not clear if EC2 still has any such
- # nodes, but apply the workaround just in case.
- echo 'hw.broken_txfifo="1"' >> ${DESTDIR}/boot/loader.conf
+ # Graviton 1 through Graviton 4 have a bug in their ACPI where they
+ # mark the PL061's pins as needing to be configured in PullUp mode
+ # (in fact the PL061 has no pullup/pulldown resistors). Graviton 1
+ # through Graviton 3 have non-functional PCI _EJ0 and need a value
+ # written to the PCI power status register in order to eject a
+ # device. EC2 instances with PCI (not PCIe) buses need a short
+ # delay before rescanning upon device detach.
+ echo 'debug.acpi.quirks="56"' >> ${DESTDIR}/boot/loader.conf
+
+ # The default behaviour of re-routing INTx interrupts causes a
+ # resource leak on INTRng (aka on Graviton systems). Repeated
+ # hotplug/unplug on PCI (not PCIe) Graviton systems ends up with
+ # a kernel panic unless we disable this.
+ echo 'hw.pci.intx_reroute=0' >> ${DESTDIR}/boot/loader.conf
# Load the kernel module for the Amazon "Elastic Network Adapter"
echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf
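Review bot: `debug.acpi.quirks="56"` is a bit mask written as a decimal literal; the comment above it explains the three hardware problems but not which flag each bit is, so a reader cannot check the value against the kernel's quirk definitions or extend it when a future Graviton needs a fourth bit. Spelling it out in the comment, presumably along the lines of `# 56 = 8 | 16 | 32 (<quirk flag names>)`, ties each bit to the sentence describing it.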
@@ -122,17 +87,23 @@ EOF
# historical "nvd" driver.
echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf
- # Disable ChallengeResponseAuthentication according to EC2
- # requirements.
+ # Reduce the timeout for PCIe Eject ("hotunplug") requests. PCIe
+ # mandates a 5 second timeout to allow someone to cancel the eject
+ # by pressing the "Attention button" a second time, but in the EC2
+ # environment this delay serves no purpose.
+ echo 'hw.pci.pcie_hp_detach_timeout="0"' >> ${DESTDIR}/boot/loader.conf
+
+ # Disable KbdInteractiveAuthentication according to EC2 requirements.
sed -i '' -e \
- 's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
+ 's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
${DESTDIR}/etc/ssh/sshd_config
- # Use FreeBSD Update and Portsnap mirrors hosted in AWS
+ # RSA host keys are obsolete and also very slow to generate
+ echo 'sshd_rsa_enable="NO"' >> ${DESTDIR}/etc/rc.conf
+
+ # Use FreeBSD Update mirrors hosted in AWS
sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \
${DESTDIR}/etc/freebsd-update.conf
- sed -i '' -e 's/portsnap.FreeBSD.org/aws.portsnap.FreeBSD.org/' \
- ${DESTDIR}/etc/portsnap.conf
# Use the NTP service provided by Amazon
sed -i '' -e 's/^pool/#pool/' \
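Review bot: The `KbdInteractiveAuthentication` hardening is a `sed` substitution anchored on the exact commented default `#KbdInteractiveAuthentication yes`; if the shipped sshd_config phrases that line differently the sed matches nothing, exits 0, and the image ships with the default still in force, which is precisely the silent failure the EC2 requirement is meant to rule out. gce.conf in this same commit simply appends `KbdInteractiveAuthentication no` through its heredoc; doing the same here, or adding `grep -q '^KbdInteractiveAuthentication no' ${DESTDIR}/etc/ssh/sshd_config || return 1` after the sed, makes the outcome verifiable. The `aws.update.FreeBSD.org` sed has the same shape but only affects mirror selection, so it matters less.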
@@ -156,19 +127,35 @@ echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/"
EOF
chmod 755 ${DESTDIR}/etc/autofs/special_efs
- # The first time the AMI boots, the installed "first boot" scripts
- # should be allowed to run:
- # * ec2_configinit (download and process EC2 user-data)
- # * ec2_fetchkey (arrange for SSH using the EC2-provided public key)
- # * growfs (expand the filesystem to fill the provided disk)
- # * firstboot_freebsd_update (install critical updates)
- # * firstboot_pkgs (install packages)
+ # The first time the AMI boots, run "first boot" scripts.
touch ${DESTDIR}/firstboot
- if ! [ -z "${QEMUSTATIC}" ]; then
- rm -f ${DESTDIR}/${EMULATOR}
- fi
- rm -f ${DESTDIR}/etc/resolv.conf
+ return 0
+}
+
+ec2_base_networking () {
+ # EC2 instances use DHCP to get their network configuration. IPv6
+ # requires accept_rtadv.
+ echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf
+
+ # The EC2 DHCP server can be trusted to know whether an IP address is
+ # assigned to us; we don't need to ARP to check if anyone else is using
+ # the address before we start using it.
+ echo 'dhclient_arpwait="NO"' >> ${DESTDIR}/etc/rc.conf
+
+ # Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
+ echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
+ echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf
+ echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf
+
+ # Provide a script which rtsold can use to launch DHCPv6
+ mkdir -p ${DESTDIR}/usr/local/libexec
+ cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF'
+#!/bin/sh
+
+/usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
+EOF
+ chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M
return 0
}
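Review bot: `ec2_base_networking ()` is declared with a space before the parentheses while `ec2_common()` above and every other function in these files use none; `ec2_base_networking() {` keeps the style uniform. The function also has no header comment, unlike ec2_common; a line such as `# Standard FreeBSD network setup (DHCP, no ARP wait, DHCPv6 via rtsold) for variants that do not hand networking to cloud-init` would tell a variant author when to call it, given that ec2-cloud-init.conf in this commit calls ec2_common alone.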
diff --git a/release/tools/gce.conf b/release/tools/gce.conf
index 745477f0bc8e..fc72b381a02d 100644
--- a/release/tools/gce.conf
+++ b/release/tools/gce.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
# The default of 3GB is too small for GCE, so override the size here.
@@ -8,8 +7,8 @@ export VMSIZE=20g
# Set to a list of packages to install.
export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} firstboot-freebsd-update \
- firstboot-pkgs \ google-cloud-sdk panicmail sudo \
- sysutils/py-google-compute-engine lang/python lang/python2 \
+ firstboot-pkgs google-cloud-sdk panicmail sudo \
+ sysutils/py-google-compute-engine lang/python \
lang/python3"
# Set to a list of third-party software to enable in rc.conf(5).
@@ -70,7 +69,7 @@ EOF
EOF
cat << EOF >> ${DESTDIR}/etc/ssh/sshd_config
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
X11Forwarding no
AcceptEnv LANG
AllowAgentForwarding no
@@ -84,9 +83,7 @@ EOF
cat << EOF >> ${DESTDIR}/etc/sysctl.conf
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
-net.inet.tcp.blackhole=2
-net.inet.udp.blackhole=1
-kern.ipc.somaxconn=1024
+kern.ipc.soacceptqueue=1024
debug.trace_on_panic=1
debug.debugger_on_panic=0
EOF
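Review bot: Dropping `net.inet.tcp.blackhole=2` and `net.inet.udp.blackhole=1` changes the image's network hardening — closed TCP and UDP ports answer with RST/ICMP unreachable again — and the hunk gives no reason, while the neighbouring `kern.ipc.somaxconn` → `kern.ipc.soacceptqueue` change is a plain rename. If the removal is deliberate (for instance because the blackhole behaviour interfered with something on GCE), a comment above the heredoc saying so stops the next reader from restoring the lines; otherwise they should stay.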
@@ -121,7 +118,15 @@ EOF
touch ${DESTDIR}/firstboot
- rm -f ${DESTDIR}/etc/resolv.conf
+ return 0
+}
+# Do everything except deleting resolv.conf since we construct our own
+# Googlized resolv.conf file in vm_extra_install_base.
+vm_emulation_cleanup() {
+ if [ -n "${QEMUSTATIC}" ]; then
+ rm -f ${DESTDIR}/${EMULATOR}
+ fi
+ umount_loop ${DESTDIR}/dev
return 0
}
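Review bot: The new `vm_emulation_cleanup` override is introduced by its comment directly after the closing `}` of vm_extra_pre_umount with no blank line, so the two functions run together visually; a blank line before `# Do everything except ...` matches the rest of the file. The comment refers to a default defined outside this view (presumably vmimage.subr); naming it, e.g. `# Override of vm_emulation_cleanup from vmimage.subr: ...`, tells readers where "everything" is defined, since this copy only removes the emulator binary and unmounts devfs.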
diff --git a/release/tools/mkami.sh b/release/tools/mkami.sh
new file mode 100644
index 000000000000..cfbbcd3bc8a9
--- /dev/null
+++ b/release/tools/mkami.sh
@@ -0,0 +1,65 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2015 Colin Percival
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# mkami.sh: Create an AMI from the currently running EC2 instance.
+#
+
+export PATH=$PATH:/usr/local/bin
+
+NAME=$1
+if [ -z "$NAME" ]; then
+ echo "usage: mkami <AMI name> [<AMI description>]"
+ exit 1
+fi
+DESC=$2
+if ! [ -z "$DESC" ]; then
+ DESCOPT="--description '$DESC'"
+fi
+
+# Get the instance ID and region from the EC2 Instance Metadata Service:
+# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
+TMPFILE=`mktemp`
+fetch -qo $TMPFILE http://169.254.169.254/latest/dynamic/instance-identity/document
+INST=`awk -F \" '/"instanceId"/ { print $4 }' $TMPFILE`
+REGION=`awk -F \" '/"region"/ { print $4 }' $TMPFILE`
+rm $TMPFILE
+CMD="aws --region $REGION ec2 create-image --instance-id $INST --output text --no-reboot --name '$NAME' $DESCOPT"
+
+# Unmount the new system image
+if mount -p | grep -q '/mnt.*ufs'; then
+ echo -n "Unmounting new system image..."
+ sync
+ umount /mnt
+ sync
+ sleep 5
+ sync
+ echo " done."
+elif mount -p | grep -q '/mnt.*zfs'; then
+ echo -n "Unmounting new system image..."
+ sync
+ zfs umount -a
+ zfs umount zroot/ROOT/default
+ sync
+ sleep 5
+ sync
+ echo " done."
+fi
+
+if eval "$CMD" --dry-run 2>&1 |
+ grep -qE 'UnauthorizedOperation|Unable to locate credentials'; then
+ echo "This EC2 instance does not have permission to create AMIs."
+ echo "Launch an AMI-builder instance with an appropriate IAM Role,"
+ echo "create an AMI from this instance via the AWS Console, or run"
+ echo "the following command from a system with the necessary keys:"
+ echo
+ echo "$CMD"
+ exit
+fi
+
+echo -n "Creating AMI..."
+AMINAME=`eval "$CMD"`
+echo " done."
+echo "AMI created in $REGION: $AMINAME"
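Review bot: The AMI name and description are spliced into a string command (`DESCOPT="--description '$DESC'"`, then `CMD=...`) and executed with `eval "$CMD"` twice, so a name or description containing a single quote breaks the quoting and the remainder runs as shell; `$INST` and `$REGION` get the same treatment if the metadata document is not what the awk expects. Building the command as positional parameters removes the eval entirely, as sketched below, and `printf '%s ' "$@"` still prints a copyable form in the no-permission branch. Separately, the metadata fetch is IMDSv1 only; on instances configured with HttpTokens=required it fails, and under `sh -e` the script aborts at `fetch` with no message, whereas a token request (`X-aws-ec2-metadata-token-ttl-seconds`, then `X-aws-ec2-metadata-token` on the document fetch) works in both modes. The permission-check branch also finishes with a bare `exit`, i.e. status 0 although no AMI was created; `exit 1` lets a calling script notice.
```sh
# … unchanged: NAME/DESC argument checks and metadata fetch (DESC=$2 must stay above this) …
# Build the command as positional parameters: no eval, so quotes in
# NAME or DESC reach aws(1) verbatim instead of being re-parsed.
set -- aws --region "$REGION" ec2 create-image --instance-id "$INST" \
    --output text --no-reboot --name "$NAME"
if [ -n "$DESC" ]; then
	set -- "$@" --description "$DESC"
fi
# … unchanged: unmounting of the new system image …
if "$@" --dry-run 2>&1 |
    grep -qE 'UnauthorizedOperation|Unable to locate credentials'; then
	# … unchanged: explanatory messages …
	printf '%s ' "$@"; echo
	exit 1
fi
echo -n "Creating AMI..."
AMINAME=$("$@")
```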
diff --git a/release/tools/oci-image-dynamic.conf b/release/tools/oci-image-dynamic.conf
new file mode 100644
index 000000000000..61cb90187764
--- /dev/null
+++ b/release/tools/oci-image-dynamic.conf
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+# Build Open Container Initiative (OCI) container image suitable as a base for
+# dynamic-linked workloads. This adds libraries from the FreeBSD-clibs and
+# FreeBSD-openssl-lib packages.
+
+OCI_BASE_IMAGE=static
+
+oci_image_build() {
+ install_packages ${abi} ${workdir} FreeBSD-clibs FreeBSD-openssl-lib
+}
diff --git a/release/tools/oci-image-runtime.conf b/release/tools/oci-image-runtime.conf
new file mode 100644
index 000000000000..93aad1e39250
--- /dev/null
+++ b/release/tools/oci-image-runtime.conf
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+# Build Open Container Initiative (OCI) container image suitable as a base for
+# shell-based workloads. This adds FreeBSD-runtime, FreeBSD-pkg-bootstrap and a
+# handful of others packages to create a small image which can be easily
+# extended by installing packages.
+
+OCI_BASE_IMAGE=dynamic
+
+oci_image_build() {
+ set_cmd ${workdir} /bin/sh
+ install_packages ${abi} ${workdir} \
+ FreeBSD-runtime \
+ FreeBSD-certctl \
+ FreeBSD-kerberos-lib \
+ FreeBSD-libarchive \
+ FreeBSD-libexecinfo \
+ FreeBSD-libucl \
+ FreeBSD-fetch \
+ FreeBSD-rc \
+ FreeBSD-pkg-bootstrap \
+ FreeBSD-mtree
+}
diff --git a/release/tools/oci-image-static.conf b/release/tools/oci-image-static.conf
new file mode 100644
index 000000000000..753a03af653b
--- /dev/null
+++ b/release/tools/oci-image-static.conf
@@ -0,0 +1,46 @@
+#! /bin/sh
+
+# Build Open Container Initiative (OCI) container image suitable as a base for
+# static-linked workloads. This contains mtree directories, SSL certificates and
+# a few other config files.
+
+OCI_BASE_IMAGE=
+
+oci_image_build() {
+ local srcdir=${curdir}/..
+ local m=${workdir}/rootfs
+ mtree -deU -p $m/ -f ${srcdir}/etc/mtree/BSD.root.dist > /dev/null
+ mtree -deU -p $m/var -f ${srcdir}/etc/mtree/BSD.var.dist > /dev/null
+ mtree -deU -p $m/usr -f ${srcdir}/etc/mtree/BSD.usr.dist > /dev/null
+ mtree -deU -p $m/usr/include -f ${srcdir}/etc/mtree/BSD.include.dist > /dev/null
+ mtree -deU -p $m/usr/lib -f ${srcdir}/etc/mtree/BSD.debug.dist > /dev/null
+ install_packages ${abi} ${workdir} FreeBSD-caroot FreeBSD-zoneinfo
+ cp ${srcdir}/etc/master.passwd $m/etc
+ pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
+ cp ${srcdir}/etc/group $m/etc || return $?
+ # termcap.small is generated so we get it from OBJDIR - make sets our
+ # working directory to OBJDIR/release
+ cp ../etc/termcap/termcap.small $m/etc/termcap.small || return $?
+ cp ../etc/termcap/termcap.small $m/usr/share/misc/termcap || return $?
+ env DESTDIR=$m /usr/sbin/certctl rehash
+ # Generate a suitable repo config for pkgbase
+ case ${branch} in
+ CURRENT|STABLE|BETA*)
+ repo=base_latest
+ ;;
+ *)
+ repo=base_release_${minor}
+ ;;
+ esac
+ mkdir -p $m/usr/local/etc/pkg/repos
+ cat > $m/usr/local/etc/pkg/repos/base.conf <<EOF
+FreeBSD-base: {
+ url: "https://pkg.FreeBSD.org/\${ABI}/${repo}",
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
+EOF
+
+}
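Review bot: Error handling in oci_image_build is inconsistent: the five `mtree` invocations, the `cp` of master.passwd, `install_packages`, `mkdir -p` and `certctl rehash` run unchecked, while the neighbouring `cp` and `pwd_mkdb` lines use `|| return $?`, so a missing mtree spec or a failed certificate rehash is silently ignored and the image is produced without the expected directory layout or trust store. Appending `|| return $?` to those lines keeps the function's failure semantics uniform. `repo` is assigned without `local`, unlike `srcdir` and `m`, so it leaks into the sourcing shell; adding it to the `local` declaration keeps it function-scoped.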
diff --git a/release/tools/openstack.conf b/release/tools/openstack.conf
index ff156333cb17..05d2d13bbb39 100644
--- a/release/tools/openstack.conf
+++ b/release/tools/openstack.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
# Set to a list of packages to install.
@@ -36,8 +35,6 @@ vm_extra_pre_umount() {
echo 'ALL ALL=(ALL) NOPASSWD:ALL' >> \
${DESTDIR}/usr/local/etc/sudoers.d/cloud-init
- rm -f ${DESTDIR}/etc/resolv.conf
-
# The console is not interactive, so we might as well boot quickly.
echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf
diff --git a/release/tools/oracle.conf b/release/tools/oracle.conf
new file mode 100644
index 000000000000..8a4206c05623
--- /dev/null
+++ b/release/tools/oracle.conf
@@ -0,0 +1,94 @@
+#!/bin/sh
+# Set to a list of packages to install.
+export VM_EXTRA_PACKAGES="
+ comms/py-pyserial
+ converters/base64
+ devel/oci-cli
+ devel/py-babel
+ devel/py-iso8601
+ devel/py-pbr
+ devel/py-six
+ ftp/curl
+ lang/python
+ lang/python3
+ net/cloud-init
+ net/py-eventlet
+ net/py-netaddr
+ net/py-netifaces
+ net/py-oauth
+ net/rsync
+ panicmail
+ security/ca_root_nss
+ security/sudo@default
+ sysutils/firstboot-freebsd-update
+ sysutils/firstboot-pkgs
+ sysutils/panicmail
+ textproc/jq
+ "
+
+# Should be enough for base image, image can be resized in needed
+export VMSIZE=8g
+
+# Set to a list of third-party software to enable in rc.conf(5).
+export VM_RC_LIST="
+ cloudinit
+ firstboot_pkgs
+ firstboot_freebsd_update
+ growfs
+ ntpd
+ ntpd_sync_on_start
+ sshd
+ zfs"
+
+vm_extra_pre_umount() {
+ cat <<-'EOF' >> ${DESTDIR}/etc/rc.conf
+ dumpdev=AUTO
+ sendmail_enable=NONE
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/boot/loader.conf
+ autoboot_delay="5"
+ beastie_disable="YES"
+ boot_serial="YES"
+ loader_logo="none"
+ cryptodev_load="YES"
+ opensolaris_load="YES"
+ xz_load="YES"
+ zfs_load="YES"
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/etc/ssh/sshd_config
+ # S11 Configure the SSH service to prevent password-based login
+ PermitRootLogin prohibit-password
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ PermitEmptyPasswords no
+ UseDNS no
+EOF
+
+ # S14 Root user login must be disabled on serial-over-ssh console
+ pw -R ${DESTDIR} usermod root -w no
+ # Oracle requirements override the default FreeBSD cloud-init settings
+ cat <<-'EOF' >> ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_oracle.cfg
+ disable_root: true
+ system_info:
+ distro: freebsd
+ default_user:
+ name: freebsd
+ lock_passwd: True
+ gecos: "Oracle Cloud Default User"
+ groups: [wheel]
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/sh
+ network:
+ renderers: ['freebsd']
+EOF
+
+ # Use Oracle Cloud Infrastructure NTP server
+ sed -i '' -E -e 's/^pool.*iburst/server 169.254.169.254 iburst/' \
+ ${DESTDIR}/etc/ntp.conf
+
+ touch ${DESTDIR}/firstboot
+
+ return 0
+}
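Review bot: `panicmail` is listed twice in VM_EXTRA_PACKAGES, once bare and once as `sysutils/panicmail`; vm_extra_install_packages runs a separate `pkg install` per entry, so the bare form is at best a redundant extra pkg run and should be dropped. The sshd_config hardening block is appended with `>>`, and sshd applies the first occurrence of each keyword, so `PermitRootLogin prohibit-password` and `PasswordAuthentication no` only take effect if the installed sshd_config does not already set those keywords uncommented above them; a comment such as `# appended: sshd uses first-match, so these keywords must not be set earlier in the file` would record that assumption. vm_extra_pre_umount also touches `${DESTDIR}/firstboot` directly, while the same commit adds `touch_firstboot` in vmimage.subr that additionally registers the file in METALOG for NO_ROOT builds; calling that helper instead keeps the two in step.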
diff --git a/release/tools/rc.amibuilder b/release/tools/rc.amibuilder
new file mode 100644
index 000000000000..b25e8facb597
--- /dev/null
+++ b/release/tools/rc.amibuilder
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# Copyright (c) 2025 Colin Percival
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# rc.amibuilder: Juggle disks to reroot into a memory disk and install a clean
+# copy of FreeBSD onto the root disk.
+#
+
+# Do nothing if init(8) is in the middle of rerooting
+if ps -p 1 -o command | grep -q reroot; then
+ exit 0
+fi
+
+# Figure out which partition we boot from
+BOOTPART=$(sysctl -n kern.geom.conftxt |
+ grep -E 'PART|gpt/rootfs' |
+ grep -B 1 gpt/rootfs |
+ awk '{ print $3 }' |
+ head -1)
+BOOTDISK=${BOOTPART%%p*}
+BOOTPARTNUM=${BOOTPART##*p}
+
+# First pass: Copy ourselves into a memory disk and reroot into it
+if ! [ -c /dev/md0 ]; then
+ # Create a memory disk of appropriate size and copy the disk
+ echo "Copying FreeBSD into memory disk..."
+ DISKBYTES=$(diskinfo ${BOOTDISK} | awk '{print $3}')
+ mdconfig -a -t swap -s ${DISKBYTES}b -u 0
+ dd if=/dev/${BOOTDISK} of=/dev/md0 bs=1M
+
+ # Reboot into the memory disk we just created
+ echo "Rebooting into memory disk..."
+ kenv vfs.root.mountfrom="ufs:/dev/md0p${BOOTPARTNUM}"
+ reboot -r
+
+ # Lose a race against init
+ sleep 10
+ exit 1
+fi
+
+# Second pass: Extract a clean copy of FreeBSD onto the physical disk
+echo "Installing base FreeBSD image..."
+sysctl kern.geom.debugflags=16
+zstdcat < /image.zst | dd bs=1M of=/dev/${BOOTDISK}
+
+# Mount the clean image
+if gpart show ${BOOTDISK} | grep -q freebsd-ufs; then
+ mount /dev/${BOOTPART} /mnt
+else
+ zpool import -aNR /mnt
+ zfs mount zroot/ROOT/default
+ zfs mount -a
+fi
+
+# Provide instructions for when the user logs in
+mount -w /
+cat >/etc/motd.template <<EOF
+Welcome to the FreeBSD AMI builder!
+
+FreeBSD `uname -r` is now installed onto the disk /dev/${BOOTDISK},
+and mounted at /mnt. Make any further changes you wish, then run
+
+# mkami <AMI name> [<AMI description>]
+
+to create the AMI. Don't forget to shut down this instance when
+you're done!
+
+EOF
+mount -o ro /
+
+# After we exit, the boot proceeds with init spawning /etc/rc normally
+exit 0
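Review bot: Neither `dd` is checked: the script runs under plain `#!/bin/sh` with no `set -e`, so a short or failed copy of the boot disk into md0 still proceeds to `reboot -r` into an incomplete memory disk, and a failed `zstdcat | dd` still mounts the partially written image and advertises it in motd. Append `|| exit 1` to both copies, e.g. `dd if=/dev/${BOOTDISK} of=/dev/md0 bs=1M || exit 1` and `zstdcat < /image.zst | dd bs=1M of=/dev/${BOOTDISK} || exit 1` (the pipeline status is that of `dd`, so a zstdcat failure would need its own check). `BOOTPART` is also derived from a five-stage pipeline with no fallback; if it comes out empty, `BOOTDISK` is empty and the `dd` target degenerates to `/dev/`, so a `[ -n "${BOOTPART}" ] || exit 1` guard after the derivation is cheap insurance.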
diff --git a/release/tools/vagrant-virtualbox.conf b/release/tools/vagrant-virtualbox.conf
index c29d5716bac2..9e0e430bbc88 100644
--- a/release/tools/vagrant-virtualbox.conf
+++ b/release/tools/vagrant-virtualbox.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
. ${WORLDDIR}/release/tools/vagrant.conf
@@ -15,5 +14,4 @@ vm_extra_pre_umount () {
# Setup the Vagrant common items
vagrant_common
- rm -f ${DESTDIR}/etc/resolv.conf
}
diff --git a/release/tools/vagrant-vmware.conf b/release/tools/vagrant-vmware.conf
index 4e0f02c0e76c..fff929829222 100644
--- a/release/tools/vagrant-vmware.conf
+++ b/release/tools/vagrant-vmware.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
. ${WORLDDIR}/release/tools/vagrant.conf
@@ -19,5 +18,4 @@ vm_extra_pre_umount () {
# Setup the Vagrant common items
vagrant_common
- rm -f ${DESTDIR}/etc/resolv.conf
}
diff --git a/release/tools/vagrant.conf b/release/tools/vagrant.conf
index ebf69338b7d7..c212af7d012e 100644
--- a/release/tools/vagrant.conf
+++ b/release/tools/vagrant.conf
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
# The default of 3GB is too small for Vagrant, so override the size here.
@@ -21,7 +20,7 @@ vagrant_common () {
# them from the image allows it to boot faster.
env ASSUME_ALWAYS_YES=yes pkg -c ${DESTDIR} clean -y -a
env ASSUME_ALWAYS_YES=yes pkg -c ${DESTDIR} delete -f -y pkg
- rm ${DESTDIR}/var/db/pkg/repo-*.sqlite
+ rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD
# Vagrant instances use DHCP to get their network configuration.
echo 'ifconfig_DEFAULT="SYNCDHCP"' >> ${DESTDIR}/etc/rc.conf
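Review bot: `rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD` has no `-f`, so the call prints a diagnostic and fails if the directory is absent (for instance when nothing was ever fetched from that repository), making the cleanup non-idempotent. `rm -rf -- ${DESTDIR}/var/db/pkg/repos/FreeBSD` removes the directory when present and is silent otherwise. vagrant_common begins and ends outside this hunk.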
@@ -51,12 +50,13 @@ vagrant_common () {
usermod root -h 0
# Configure sudo to allow the vagrant user
- echo 'vagrant ALL=(ALL) NOPASSWD: ALL' >> ${DESTDIR}/usr/local/etc/sudoers
+ echo 'vagrant ALL=(ALL:ALL) NOPASSWD: ALL' >> ${DESTDIR}/usr/local/etc/sudoers
- # Configure the vagrant ssh key
+ # Configure the vagrant ssh keys
mkdir ${DESTDIR}/home/vagrant/.ssh
chmod 700 ${DESTDIR}/home/vagrant/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" > ${DESTDIR}/home/vagrant/.ssh/authorized_keys
+ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1YdxBpNlzxDqfJyw/QKow1F+wvG9hXGoqiysfJOn5Y vagrant insecure public key" >> ${DESTDIR}/home/vagrant/.ssh/authorized_keys
chown -R 1001 ${DESTDIR}/home/vagrant/.ssh
chmod 600 ${DESTDIR}/home/vagrant/.ssh/authorized_keys
diff --git a/release/tools/vmimage.subr b/release/tools/vmimage.subr
index 0d9202431822..ce0ea03c096c 100644
--- a/release/tools/vmimage.subr
+++ b/release/tools/vmimage.subr
@@ -1,6 +1,5 @@
#!/bin/sh
#
-# $FreeBSD$
#
#
# Common functions for virtual machine image build scripts.
@@ -38,9 +37,14 @@ cleanup() {
return 0
}
+metalog_add_data() {
+ if [ -n "${NO_ROOT}" ]; then
+ echo "$1 type=file uname=root gname=wheel mode=0644" >> \
+ ${DESTDIR}/METALOG
+ fi
+}
+
vm_create_base() {
- # Creates the UFS root filesystem for the virtual machine disk,
- # written to the formatted disk image with mkimg(1).
mkdir -p ${DESTDIR}
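Review bot: metalog_add_data carries no comment describing when it must be called, and its contract (only meaningful under NO_ROOT, always records root:wheel 0644, takes a path relative to DESTDIR with a leading `./`) is not obvious from the four lines of body. Suggested header: `# Register a file created outside installworld in ${DESTDIR}/METALOG (NO_ROOT builds only). $1 is the path relative to DESTDIR, e.g. ./etc/fstab; the entry is recorded as root:wheel mode 0644.` Quoting the argument, `echo "$1 type=file ..."` already does, but `${DESTDIR}/METALOG` is unquoted like the rest of the file.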
@@ -49,39 +53,64 @@ vm_create_base() {
vm_copy_base() {
# Defunct
+ return 0
}
vm_install_base() {
# Installs the FreeBSD userland/kernel to the virtual machine disk.
cd ${WORLDDIR} && \
- make DESTDIR=${DESTDIR} \
+ make DESTDIR=${DESTDIR} ${INSTALLOPTS} \
installworld installkernel distribution || \
err "\n\nCannot install the base system to ${DESTDIR}."
- # Bootstrap etcupdate(8) and mergemaster(8) databases.
+ # Bootstrap etcupdate(8) database.
mkdir -p ${DESTDIR}/var/db/etcupdate
etcupdate extract -B \
-M "TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH}" \
- -s ${WORLDDIR} -d ${DESTDIR}/var/db/etcupdate
- sh ${WORLDDIR}/release/scripts/mm-mtree.sh -m ${WORLDDIR} \
- -F "TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH}" \
- -D ${DESTDIR}
+ -s ${WORLDDIR} -d ${DESTDIR}/var/db/etcupdate \
+ -L /dev/stdout ${NO_ROOT:+-N}
+ if [ -n "${NO_ROOT}" ]; then
+ # Reroot etcupdate's internal METALOG to the whole tree
+ sed -n 's,^\.,./var/db/etcupdate/current,p' \
+ ${DESTDIR}/var/db/etcupdate/current/METALOG | \
+ env -i LC_COLLATE=C sort >> ${DESTDIR}/METALOG
+ rm ${DESTDIR}/var/db/etcupdate/current/METALOG
+ fi
echo '# Custom /etc/fstab for FreeBSD VM images' \
> ${DESTDIR}/etc/fstab
- echo "/dev/${ROOTLABEL}/rootfs / ufs rw 1 1" \
- >> ${DESTDIR}/etc/fstab
+ if [ "${VMFS}" != zfs ]; then
+ echo "/dev/${ROOTLABEL}/rootfs / ${VMFS} rw 1 1" \
+ >> ${DESTDIR}/etc/fstab
+ fi
if [ -z "${NOSWAP}" ]; then
echo '/dev/gpt/swapfs none swap sw 0 0' \
>> ${DESTDIR}/etc/fstab
fi
+ metalog_add_data ./etc/fstab
local hostname
hostname="$(echo $(uname -o) | tr '[:upper:]' '[:lower:]')"
echo "hostname=\"${hostname}\"" >> ${DESTDIR}/etc/rc.conf
+ metalog_add_data ./etc/rc.conf
+ if [ "${VMFS}" = zfs ]; then
+ echo "zfs_enable=\"YES\"" >> ${DESTDIR}/etc/rc.conf
+ echo "zpool_reguid=\"zroot\"" >> ${DESTDIR}/etc/rc.conf
+ echo "zpool_upgrade=\"zroot\"" >> ${DESTDIR}/etc/rc.conf
+ echo "kern.geom.label.disk_ident.enable=0" >> ${DESTDIR}/boot/loader.conf
+ echo "zfs_load=YES" >> ${DESTDIR}/boot/loader.conf
+ metalog_add_data ./boot/loader.conf
+ fi
- if ! [ -z "${QEMUSTATIC}" ]; then
+ return 0
+}
+
+vm_emulation_setup() {
+ if [ -n "${WITHOUT_QEMU}" ]; then
+ return 0
+ fi
+ if [ -n "${QEMUSTATIC}" ]; then
export EMULATOR=/qemu
cp ${QEMUSTATIC} ${DESTDIR}/${EMULATOR}
fi
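Review bot: `metalog_add_data ./boot/loader.conf` is called only inside the `VMFS = zfs` branch, yet other files in this same commit append to `${DESTDIR}/boot/loader.conf` unconditionally (openstack.conf, oracle.conf), and vm_extra_pre_umount overrides create new files such as oracle.conf's `98_oracle.cfg` without any METALOG entry. If loader.conf and those files are not already listed by installworld's METALOG, a NO_ROOT build of a non-zfs image presumably omits them from the makefs output — I cannot confirm that from this hunk, so it is worth verifying and, if so, moving the loader.conf registration out of the zfs branch. vm_install_base starts in the previous hunk, and vm_emulation_setup continues past the end of this one.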
@@ -90,8 +119,6 @@ vm_install_base() {
mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} /usr/bin/newaliases
chroot ${DESTDIR} ${EMULATOR} /bin/sh /etc/rc.d/ldconfig forcestart
- umount_loop ${DESTDIR}/dev
-
cp /etc/resolv.conf ${DESTDIR}/etc/resolv.conf
return 0
@@ -106,7 +133,7 @@ vm_extra_install_base() {
}
vm_extra_enable_services() {
- if [ ! -z "${VM_RC_LIST}" ]; then
+ if [ -n "${VM_RC_LIST}" ]; then
for _rcvar in ${VM_RC_LIST}; do
echo ${_rcvar}_enable="YES" >> ${DESTDIR}/etc/rc.conf
done
@@ -124,18 +151,19 @@ vm_extra_enable_services() {
}
vm_extra_install_packages() {
+ if [ -n "${WITHOUT_QEMU}" ]; then
+ return 0
+ fi
+
if [ -z "${VM_EXTRA_PACKAGES}" ]; then
return 0
fi
- mkdir -p ${DESTDIR}/dev
- mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg bootstrap -y
for p in ${VM_EXTRA_PACKAGES}; do
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg install -y ${p}
done
- umount_loop ${DESTDIR}/dev
return 0
}
@@ -150,13 +178,20 @@ vm_extra_install_ports() {
vm_extra_pre_umount() {
# Prototype. When overridden, performs additional tasks within the
# virtual machine environment prior to unmounting the filesystem.
- # Note: When overriding this function, removing resolv.conf in the
- # disk image must be included.
+
+ return 0
+}
+
+vm_emulation_cleanup() {
+ if [ -n "${WITHOUT_QEMU}" ]; then
+ return 0
+ fi
if ! [ -z "${QEMUSTATIC}" ]; then
rm -f ${DESTDIR}/${EMULATOR}
fi
rm -f ${DESTDIR}/etc/resolv.conf
+ umount_loop ${DESTDIR}/dev
return 0
}
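Review bot: `if ! [ -z "${QEMUSTATIC}" ]` in vm_emulation_cleanup keeps the double-negative form that this same commit rewrites to `[ -n ... ]` in vm_emulation_setup and vm_extra_enable_services; `if [ -n "${QEMUSTATIC}" ]; then` matches the new style. The function also lacks the one-line purpose comment its neighbour vm_extra_pre_umount carries; suggested: `# Undo vm_emulation_setup: remove the static qemu binary and the host resolv.conf copied into the image, then unmount devfs.` Because `umount_loop ${DESTDIR}/dev` now runs only here rather than at the end of each step, an error between setup and cleanup leaves devfs mounted under ${DESTDIR} unless the file's cleanup() handler (outside this hunk) takes care of it.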
@@ -169,6 +204,41 @@ vm_extra_pkg_rmcache() {
return 0
}
+buildfs() {
+ local md tmppool
+
+ case "${VMFS}" in
+ ufs)
+ cd ${DESTDIR} && makefs ${MAKEFSARGS} -o label=rootfs -o version=2 -o softupdates=1 \
+ ${VMBASE} .${NO_ROOT:+/METALOG}
+ ;;
+ zfs)
+ cd ${DESTDIR} && makefs -t zfs ${MAKEFSARGS} \
+ -o poolname=zroot -o bootfs=zroot/ROOT/default -o rootpath=/ \
+ -o fs=zroot\;mountpoint=none \
+ -o fs=zroot/ROOT\;mountpoint=none \
+ -o fs=zroot/ROOT/default\;mountpoint=/\;canmount=noauto \
+ -o fs=zroot/home\;mountpoint=/home \
+ -o fs=zroot/tmp\;mountpoint=/tmp\;exec=on\;setuid=off \
+ -o fs=zroot/usr\;mountpoint=/usr\;canmount=off \
+ -o fs=zroot/usr/ports\;setuid=off \
+ -o fs=zroot/usr/src \
+ -o fs=zroot/usr/obj \
+ -o fs=zroot/var\;mountpoint=/var\;canmount=off \
+ -o fs=zroot/var/audit\;setuid=off\;exec=off \
+ -o fs=zroot/var/crash\;setuid=off\;exec=off \
+ -o fs=zroot/var/log\;setuid=off\;exec=off \
+ -o fs=zroot/var/mail\;atime=on \
+ -o fs=zroot/var/tmp\;setuid=off \
+ ${VMBASE} .${NO_ROOT:+/METALOG}
+ ;;
+ *)
+ echo "Unexpected VMFS value '${VMFS}'"
+ exit 1
+ ;;
+ esac
+}
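Review bot: `cd ${DESTDIR} && makefs ...` in buildfs runs in the caller's shell, so after the call vm_create_disk continues with ${DESTDIR} as its working directory; the `makefs` invocation it replaces passed ${DESTDIR} as an argument without changing directory, so a relative `VMIMAGE` or any other relative path used afterwards now resolves differently. Running each arm in a subshell, `(cd ${DESTDIR} && makefs ... )`, keeps the cwd unchanged while the makefs status still becomes the function's return value. The `*)` arm calls `exit 1` while the parallel VMFS check in vm_create_disk uses `return 1`; since vm_create_disk validates VMFS before calling buildfs this arm is effectively unreachable, but `return 1` would match the rest of the file.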
+
umount_loop() {
DIR=$1
i=0
@@ -188,8 +258,7 @@ umount_loop() {
}
vm_create_disk() {
- echo "Creating image... Please wait."
- echo
+ local BOOTFILES BOOTPARTSOFFSET FSPARTTYPE X86GPTBOOTFILE
if [ -z "${NOSWAP}" ]; then
SWAPOPT="-p freebsd-swap/swapfs::${SWAPSIZE}"
@@ -199,34 +268,56 @@ vm_create_disk() {
BOOTPARTSOFFSET=":${VM_BOOTPARTSOFFSET}"
fi
+ if [ -n "${CONFIG_DRIVE}" ]; then
+ CONFIG_DRIVE="-p freebsd/config-drive::${CONFIG_DRIVE_SIZE}"
+ fi
+
+ case "${VMFS}" in
+ ufs)
+ FSPARTTYPE=freebsd-ufs
+ X86GPTBOOTFILE=i386/gptboot/gptboot
+ ;;
+ zfs)
+ FSPARTTYPE=freebsd-zfs
+ X86GPTBOOTFILE=i386/gptzfsboot/gptzfsboot
+ ;;
+ *)
+ echo "Unexpected VMFS value '${VMFS}'"
+ return 1
+ ;;
+ esac
+
+ echo "Creating image... Please wait."
+ echo
BOOTFILES="$(env TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH} \
WITH_UNIFIED_OBJDIR=yes \
make -C ${WORLDDIR}/stand -V .OBJDIR)"
BOOTFILES="$(realpath ${BOOTFILES})"
+ MAKEFSARGS="-s ${VMSIZE} -D"
case "${TARGET}:${TARGET_ARCH}" in
amd64:amd64 | i386:i386)
ESP=yes
BOOTPARTS="-b ${BOOTFILES}/i386/pmbr/pmbr \
- -p freebsd-boot/bootfs:=${BOOTFILES}/i386/gptboot/gptboot${BOOTPARTSOFFSET}"
- ROOTFSPART="-p freebsd-ufs/rootfs:=${VMBASE}"
- MAKEFSARGS="-B little"
+ -p freebsd-boot/bootfs:=${BOOTFILES}/${X86GPTBOOTFILE}${BOOTPARTSOFFSET}"
+ ROOTFSPART="-p ${FSPARTTYPE}/rootfs:=${VMBASE}"
+ MAKEFSARGS="$MAKEFSARGS -B little"
;;
- arm64:aarch64 | riscv:riscv64*)
+ arm:armv7 | arm64:aarch64 | riscv:riscv64*)
ESP=yes
BOOTPARTS=
- ROOTFSPART="-p freebsd-ufs/rootfs:=${VMBASE}"
- MAKEFSARGS="-B little"
+ ROOTFSPART="-p ${FSPARTTYPE}/rootfs:=${VMBASE}"
+ MAKEFSARGS="$MAKEFSARGS -B little"
;;
powerpc:powerpc*)
ESP=no
BOOTPARTS="-p prepboot:=${BOOTFILES}/powerpc/boot1.chrp/boot1.elf -a 1"
ROOTFSPART="-p freebsd:=${VMBASE}"
if [ ${TARGET_ARCH} = powerpc64le ]; then
- MAKEFSARGS="-B little"
+ MAKEFSARGS="$MAKEFSARGS -B little"
else
- MAKEFSARGS="-B big"
+ MAKEFSARGS="$MAKEFSARGS -B big"
fi
;;
*)
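Review bot: `CONFIG_DRIVE` is overwritten with the mkimg partition argument (`-p freebsd/config-drive::${CONFIG_DRIVE_SIZE}`), so the variable that callers set as a feature flag no longer holds its original value after vm_create_disk runs, and `CONFIG_DRIVE_SIZE` is not checked, so an unset size yields `freebsd/config-drive::` and a confusing mkimg error. Use a separate variable for the option (e.g. `CONFIGDRIVEOPT`, added to the `local` list at the top of the function) and guard the size with `: "${CONFIG_DRIVE_SIZE:?CONFIG_DRIVE requires CONFIG_DRIVE_SIZE}"`. vm_create_disk begins in an earlier hunk and continues beyond this one.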
@@ -239,25 +330,27 @@ vm_create_disk() {
# Create an ESP
espfilename=$(mktemp /tmp/efiboot.XXXXXX)
make_esp_file ${espfilename} ${fat32min} ${BOOTFILES}/efi/loader_lua/loader_lua.efi
- BOOTPARTS="${BOOTPARTS} -p efi/efiesp:=${espfilename}"
+ BOOTPARTS="${BOOTPARTS} -p efi/efiboot0:=${espfilename}"
# Add this to fstab
mkdir -p ${DESTDIR}/boot/efi
- echo "/dev/${ROOTLABEL}/efiesp /boot/efi msdosfs rw 2 2" \
+ echo "/dev/${ROOTLABEL}/efiboot0 /boot/efi msdosfs rw 2 2" \
>> ${DESTDIR}/etc/fstab
fi
echo "Building filesystem... Please wait."
- makefs ${MAKEFSARGS} -o label=rootfs -o version=2 -o softupdates=1 \
- -s ${VMSIZE} ${VMBASE} ${DESTDIR}
+ buildfs
echo "Building final disk image... Please wait."
mkimg -s ${PARTSCHEME} -f ${VMFORMAT} \
${BOOTPARTS} \
${SWAPOPT} \
+ ${CONFIG_DRIVE} \
${ROOTFSPART} \
-o ${VMIMAGE}
+ echo "Disk image ${VMIMAGE} created."
+
if [ ${ESP} = "yes" ]; then
rm ${espfilename}
fi
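Review bot: The status of `buildfs` is not checked, so if makefs fails the function goes on to run mkimg over a missing or partial ${VMBASE} and reports the image as created. `buildfs || err "Cannot build the root filesystem for ${VMIMAGE}."` stops at the first failure using the same `err` helper vm_install_base relies on. The ESP label change from `efiesp` to `efiboot0` also changes the device path written into fstab, which anything outside this file that referenced `/dev/${ROOTLABEL}/efiesp` would need to follow; vm_create_disk continues past this hunk.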
@@ -270,3 +363,7 @@ vm_extra_create_disk() {
return 0
}
+touch_firstboot() {
+ touch ${DESTDIR}/firstboot
+ metalog_add_data ./firstboot
+}