Diffstat (limited to 'release/tools')
-rw-r--r--release/tools/arm.subr21
-rw-r--r--release/tools/azure.conf8
-rw-r--r--release/tools/ec2.conf20
-rw-r--r--release/tools/gce.conf4
-rw-r--r--release/tools/oci.conf99
-rw-r--r--release/tools/vmimage.subr92
6 files changed, 205 insertions, 39 deletions
diff --git a/release/tools/arm.subr b/release/tools/arm.subr
index 89b52077e836..a5d101c0c4fd 100644
--- a/release/tools/arm.subr
+++ b/release/tools/arm.subr
@@ -1,7 +1,6 @@
#!/bin/sh
#-
# Copyright (c) 2015-2017 The FreeBSD Foundation
-# All rights reserved.
#
# Portions of this software were developed by Glen Barber
# under sponsorship from the FreeBSD Foundation.
@@ -63,6 +62,10 @@ umount_loop() {
}
arm_create_disk() {
+ if [ $(sysctl -n kern.geom.part.mbr.enforce_chs) != 0 ]; then
+ return 1
+ fi
+
# Create the target raw file and temporary work directory.
chroot ${CHROOTDIR} gpart create -s ${PART_SCHEME} ${mddev}
if [ "${PART_SCHEME}" = "GPT" ]; then
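Review bot: The new guard at the top of arm_create_disk leaves `$(sysctl -n kern.geom.part.mbr.enforce_chs)` unquoted and returns 1 without saying why. If sysctl prints nothing (for example, the OID is absent on the build host), `[ != 0 ]` is a test syntax error, so the `if` is false and disk creation proceeds as though the check had passed. Quoting makes the check fail closed, and a message on stderr explains the abort: `if [ "$(sysctl -n kern.geom.part.mbr.enforce_chs)" != 0 ]; then echo "kern.geom.part.mbr.enforce_chs must be 0" >&2; return 1; fi`. The function body continues past the end of the hunk.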
@@ -74,10 +77,10 @@ arm_create_disk() {
if [ "${PART_SCHEME}" = "MBR" ]; then
chroot ${CHROOTDIR} gpart add -t '!12' -a 512k -s ${FAT_SIZE} ${mddev}
chroot ${CHROOTDIR} gpart set -a active -i 1 ${mddev}
- chroot ${CHROOTDIR} newfs_msdos -L msdosboot -F ${FAT_TYPE} /dev/${mddev}s1
+ chroot ${CHROOTDIR} newfs_msdos -L efi -F ${FAT_TYPE} /dev/${mddev}s1
chroot ${CHROOTDIR} gpart add -t freebsd ${mddev}
chroot ${CHROOTDIR} gpart create -s bsd ${mddev}s2
- chroot ${CHROOTDIR} gpart add -t freebsd-ufs -a 64k /dev/${mddev}s2
+ chroot ${CHROOTDIR} gpart add -t freebsd-ufs -a 64k -b 64k ${mddev}s2
chroot ${CHROOTDIR} newfs -U -L rootfs /dev/${mddev}s2a
fi
@@ -185,7 +188,8 @@ arm_install_base() {
DESTDIR=${DESTDIR} KERNCONF=${KERNEL} \
${CONF_FILES} installworld installkernel distribution
chroot ${CHROOTDIR} mkdir -p ${DESTDIR}/boot/efi
- chroot ${CHROOTDIR} mkdir -p ${DESTDIR}/boot/msdos
+ # Compatibility symlink to /boot/msdos for 13.1 and earlier
+ chroot ${CHROOTDIR} ln -s efi ${DESTDIR}/boot/msdos
arm_create_user
arm_setup_usb_otg
@@ -205,7 +209,7 @@ arm_install_base() {
if [ "${PART_SCHEME}" = "MBR" ]; then
echo "/dev/ufs/rootfs / ufs rw 1 1" \
>> ${CHROOTDIR}/${DESTDIR}/etc/fstab
- echo "/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0" \
+ echo "/dev/msdosfs/EFI /boot/efi msdosfs rw,noatime 0 0" \
>> ${CHROOTDIR}/${DESTDIR}/etc/fstab
fi
echo "tmpfs /tmp tmpfs rw,mode=1777 0 0" \
@@ -214,7 +218,7 @@ arm_install_base() {
local hostname
hostname="$(echo ${KERNEL} | tr '[:upper:]' '[:lower:]')"
echo "hostname=\"${hostname}\"" > ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
- echo 'ifconfig_DEFAULT="DHCP"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
+ echo 'ifconfig_DEFAULT="DHCP inet6 accept_rtadv"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sshd_enable="YES"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_enable="NONE"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> ${CHROOTDIR}/${DESTDIR}/etc/rc.conf
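Review bot: The new `ifconfig_DEFAULT` value accepts router advertisements on every interface while `sshd_enable="YES"` is written on the next line, and nothing in the file records that combination. Images built from this will autoconfigure an IPv6 address on any network that advertises a prefix, so sshd becomes reachable over IPv6 as well as IPv4. A comment above the line would help whoever deploys these images, e.g. `# IPv6 SLAAC is enabled on every interface; packet filters must cover inet6 as well as inet.` arm_install_base starts and ends outside this hunk.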
@@ -244,11 +248,6 @@ arm_install_boot() {
chroot ${CHROOTDIR} mount_msdosfs ${dospart} ${FATMOUNT}
chroot ${CHROOTDIR} mount ${ufspart} ${UFSMOUNT}
- if [ "${EMBEDDED_TARGET}" = "arm" ]; then
- chroot ${CHROOTDIR} cp -p ${UFSMOUNT}/boot/ubldr.bin \
- ${FATMOUNT}/ubldr.bin
- fi
-
BOOTFILES="$(chroot ${CHROOTDIR} \
env TARGET=${EMBEDDED_TARGET} TARGET_ARCH=${EMBEDDED_TARGET_ARCH} \
WITH_UNIFIED_OBJDIR=yes \
diff --git a/release/tools/azure.conf b/release/tools/azure.conf
index a9126ed8c389..dd43260201aa 100644
--- a/release/tools/azure.conf
+++ b/release/tools/azure.conf
@@ -20,17 +20,19 @@ export NOSWAP=YES
export VM_BOOTPARTSOFFSET=1M
vm_extra_pre_umount() {
+ mount -t devfs devfs ${DESTDIR}/dev
+
# The firstboot_pkgs rc.d script will download the repository
# catalogue and install or update pkg when the instance first
# launches, so these files would just be replaced anyway; removing
# them from the image allows it to boot faster.
- mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg delete -f -y pkg
- umount ${DESTDIR}/dev
rm ${DESTDIR}/var/db/pkg/repo-*.sqlite
- yes | chroot ${DESTDIR} ${EMULATOR} /usr/local/sbin/waagent -deprovision
+ chroot ${DESTDIR} ${EMULATOR} pw usermod root -h -
+
+ umount ${DESTDIR}/dev
cat << EOF >> ${DESTDIR}/etc/rc.conf
ifconfig_hn0="SYNCDHCP"
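Review bot: Dropping `waagent -deprovision` from vm_extra_pre_umount leaves `pw usermod root -h -` as the only cleanup step, and that covers the root password alone. Depending on waagent.conf, deprovisioning can also clear SSH host keys and other per-machine state, so it is worth confirming that nothing of that kind exists in ${DESTDIR} at this point and recording it, e.g. `# Only the root password needs locking here; no host keys exist yet (verify).` Separately, devfs now stays mounted across `pkg delete`, `rm` and `pw`. Whether a failure in one of them skips the `umount` depends on error handling that is outside the hunk. The function continues past the last line shown.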
diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf
index f0665646088b..eb14337f5703 100644
--- a/release/tools/ec2.conf
+++ b/release/tools/ec2.conf
@@ -19,13 +19,13 @@ if [ "${TARGET_ARCH}" = "amd64" ]; then
fi
# Set to a list of third-party software to enable in rc.conf(5).
-export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd dev_aws_disk"
+export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd dev_aws_disk ec2_ephemeral_swap"
-# Build with a 4.9 GB UFS partition; the growfs rc.d script will expand
+# Build with a 4.9 GB partition; the growfs rc.d script will expand
# the partition to fill the root disk after the EC2 instance is launched.
# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
-# image since VMSIZE is the size of the UFS partition, not the disk which
-# it resides within.
+# image since VMSIZE is the size of the filesystem partition, not the disk
+# which it resides within.
export VMSIZE=5000m
# No swap space; the ec2_ephemeralswap rc.d script will allocate swap
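Review bot: `VM_RC_LIST` now enables `ec2_ephemeral_swap`, but the context comment on the last line of this hunk still calls the script `ec2_ephemeralswap`. One of the two spellings is presumably stale, and if the wrong one is in the list the entry would likely enable nothing and swap would silently stay unconfigured. After checking which name the package installs, align the comment with the list, e.g. `# No swap space; the ec2_ephemeral_swap rc.d script will allocate swap`.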
@@ -63,7 +63,7 @@ vm_extra_pre_umount() {
# The AWS CLI tools are generally useful, and small enough that they
# will download quickly; but users will often override this setting
# via EC2 user-data.
- echo 'firstboot_pkgs_list="awscli"' >> ${DESTDIR}/etc/rc.conf
+ echo 'firstboot_pkgs_list="devel/py-awscli"' >> ${DESTDIR}/etc/rc.conf
# Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
@@ -122,10 +122,9 @@ EOF
# historical "nvd" driver.
echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf
- # Disable ChallengeResponseAuthentication according to EC2
- # requirements.
+ # Disable KbdInteractiveAuthentication according to EC2 requirements.
sed -i '' -e \
- 's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
+ 's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
${DESTDIR}/etc/ssh/sshd_config
# Use FreeBSD Update and Portsnap mirrors hosted in AWS
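Review bot: The `sed` in this hunk changes sshd_config only if the file contains the exact line `#KbdInteractiveAuthentication yes`. When the stock file differs, the command still succeeds, edits nothing, and keyboard-interactive authentication keeps its default. gce.conf and oci.conf in this same commit append the directive instead of rewriting a comment. Either do the same here or fail the build when the setting is missing, e.g. `grep -q '^KbdInteractiveAuthentication no' ${DESTDIR}/etc/ssh/sshd_config || return 1` after the sed. The enclosing function starts and ends outside the hunk.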
@@ -165,6 +164,11 @@ EOF
# * firstboot_pkgs (install packages)
touch ${DESTDIR}/firstboot
+ # Any EC2 ephemeral disks seen when the system first boots will
+ # be "new" disks; there is no "previous boot" when they might have
+ # been seen and used already.
+ touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+
if ! [ -z "${QEMUSTATIC}" ]; then
rm -f ${DESTDIR}/${EMULATOR}
fi
diff --git a/release/tools/gce.conf b/release/tools/gce.conf
index 745477f0bc8e..1acd789a88e6 100644
--- a/release/tools/gce.conf
+++ b/release/tools/gce.conf
@@ -70,7 +70,7 @@ EOF
EOF
cat << EOF >> ${DESTDIR}/etc/ssh/sshd_config
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
X11Forwarding no
AcceptEnv LANG
AllowAgentForwarding no
@@ -86,7 +86,7 @@ net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
-kern.ipc.somaxconn=1024
+kern.ipc.soacceptqueue=1024
debug.trace_on_panic=1
debug.debugger_on_panic=0
EOF
diff --git a/release/tools/oci.conf b/release/tools/oci.conf
new file mode 100644
index 000000000000..47231d65d79b
--- /dev/null
+++ b/release/tools/oci.conf
@@ -0,0 +1,99 @@
+#!/bin/sh
+# Set to a list of packages to install.
+export VM_EXTRA_PACKAGES="
+ comms/py-pyserial
+ converters/base64
+ devel/oci-cli
+ devel/py-babel
+ devel/py-iso8601
+ devel/py-pbr
+ devel/py-six
+ ftp/curl
+ lang/python
+ lang/python3
+ net/cloud-init
+ net/py-eventlet
+ net/py-netaddr
+ net/py-netifaces
+ net/py-oauth
+ net/rsync
+ panicmail
+ security/ca_root_nss
+ security/sudo
+ sysutils/firstboot-freebsd-update
+ sysutils/firstboot-pkgs
+ sysutils/panicmail
+ textproc/jq
+ "
+
+# Should be enough for base image, image can be resized in needed
+export VMSIZE=5g
+
+# Set to a list of third-party software to enable in rc.conf(5).
+export VM_RC_LIST="
+ cloudinit
+ firstboot_pkgs
+ firstboot_freebsd_update
+ growfs
+ ntpd
+ ntpd_sync_on_start
+ sshd
+ zfs"
+
+vm_extra_pre_umount() {
+ cat <<-'EOF' >> ${DESTDIR}/etc/rc.conf
+ dumpdev=AUTO
+ sendmail_enable=NONE
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/boot/loader.conf
+ autoboot_delay="5"
+ beastie_disable="YES"
+ boot_serial="YES"
+ loader_logo="none"
+ cryptodev_load="YES"
+ opensolaris_load="YES"
+ xz_load="YES"
+ zfs_load="YES"
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/etc/ssh/sshd_config
+ # S11 Configure the SSH service to prevent password-based login
+ PermitRootLogin prohibit-password
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ PermitEmptyPasswords no
+ UseDNS no
+EOF
+
+ # S14 Root user login must be disabled on serial-over-ssh console
+ pw -R ${DESTDIR} usermod root -w no
+ # OCI requirements override the default FreeBSD cloud-init settings
+ cat <<-'EOF' >> ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_oci.cfg
+ disable_root: true
+ system_info:
+ distro: freebsd
+ default_user:
+ name: freebsd
+ lock_passwd: True
+ gecos: "OCI Default User"
+ groups: [wheel]
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/sh
+ network:
+ renderers: ['freebsd']
+EOF
+
+ # Use Oracle Cloud Infrastructure NTP server
+ sed -i '' -E -e 's/^pool.*iburst/server 169.254.169.254 iburst/' \
+ ${DESTDIR}/etc/ntp.conf
+
+ touch ${DESTDIR}/firstboot
+
+ if ! [ -z "${QEMUSTATIC}" ]; then
+ rm -f ${DESTDIR}/${EMULATOR}
+ fi
+ rm -f ${DESTDIR}/etc/resolv.conf
+
+ return 0
+}
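Review bot: The sshd_config heredoc in vm_extra_pre_umount appends its settings to the stock file, and sshd uses the first value it reads for each keyword. `PasswordAuthentication no` and the lines around it therefore take effect only while the shipped file leaves those keywords commented out. A comment stating that dependency, or a build-time check that each keyword appears uncommented exactly once, would keep the S11 requirement from regressing silently. The 98_oci.cfg block gives the default `freebsd` user `NOPASSWD:ALL`, which makes possession of the instance SSH key equivalent to root, so a one-line comment saying this is intended would help. Smaller points: `panicmail` is listed twice in VM_EXTRA_PACKAGES, once without its `sysutils/` category, and `<<-` strips leading tabs only, so the YAML nesting has to be written with spaces (indentation is not visible on this page).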
diff --git a/release/tools/vmimage.subr b/release/tools/vmimage.subr
index 0d9202431822..7245dbdca33e 100644
--- a/release/tools/vmimage.subr
+++ b/release/tools/vmimage.subr
@@ -39,8 +39,6 @@ cleanup() {
}
vm_create_base() {
- # Creates the UFS root filesystem for the virtual machine disk,
- # written to the formatted disk image with mkimg(1).
mkdir -p ${DESTDIR}
@@ -70,8 +68,10 @@ vm_install_base() {
echo '# Custom /etc/fstab for FreeBSD VM images' \
> ${DESTDIR}/etc/fstab
- echo "/dev/${ROOTLABEL}/rootfs / ufs rw 1 1" \
- >> ${DESTDIR}/etc/fstab
+ if [ "${VMFS}" != zfs ]; then
+ echo "/dev/${ROOTLABEL}/rootfs / ${VMFS} rw 1 1" \
+ >> ${DESTDIR}/etc/fstab
+ fi
if [ -z "${NOSWAP}" ]; then
echo '/dev/gpt/swapfs none swap sw 0 0' \
>> ${DESTDIR}/etc/fstab
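Review bot: vm_install_base now interpolates `${VMFS}` into the fstab line without validating it, and the two `[ "${VMFS}" = zfs ]` blocks added further down in the same function test it just as unchecked. If VMFS is unset or misspelled, the `!= zfs` test is true and the image gets a root entry with an empty or bogus filesystem type. The value is rejected only later, in buildfs and vm_create_disk. Unless a default is assigned somewhere outside this diff, validate once at the top of the function, e.g. `case "${VMFS}" in ufs|zfs) ;; *) echo "Unexpected VMFS value '${VMFS}'" >&2; return 1 ;; esac`.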
@@ -80,6 +80,11 @@ vm_install_base() {
local hostname
hostname="$(echo $(uname -o) | tr '[:upper:]' '[:lower:]')"
echo "hostname=\"${hostname}\"" >> ${DESTDIR}/etc/rc.conf
+ if [ "${VMFS}" = zfs ]; then
+ echo "zfs_enable=\"YES\"" >> ${DESTDIR}/etc/rc.conf
+ echo "zpool_reguid=\"zroot\"" >> ${DESTDIR}/etc/rc.conf
+ echo "zpool_upgrade=\"zroot\"" >> ${DESTDIR}/etc/rc.conf
+ fi
if ! [ -z "${QEMUSTATIC}" ]; then
export EMULATOR=/qemu
@@ -94,6 +99,11 @@ vm_install_base() {
cp /etc/resolv.conf ${DESTDIR}/etc/resolv.conf
+ if [ "${VMFS}" = zfs ]; then
+ echo "kern.geom.label.disk_ident.enable=0" >> ${DESTDIR}/boot/loader.conf
+ echo "zfs_load=YES" >> ${DESTDIR}/boot/loader.conf
+ fi
+
return 0
}
@@ -169,6 +179,40 @@ vm_extra_pkg_rmcache() {
return 0
}
+buildfs() {
+ local md tmppool
+
+ case "${VMFS}" in
+ ufs)
+ makefs ${MAKEFSARGS} -o label=rootfs -o version=2 -o softupdates=1 \
+ ${VMBASE} ${DESTDIR}
+ ;;
+ zfs)
+ makefs -t zfs ${MAKEFSARGS} \
+ -o poolname=zroot -o bootfs=zroot/ROOT/default -o rootpath=/ \
+ -o fs=zroot\;mountpoint=none \
+ -o fs=zroot/ROOT\;mountpoint=none \
+ -o fs=zroot/ROOT/default\;mountpoint=/ \
+ -o fs=zroot/home\;mountpoint=/home \
+ -o fs=zroot/tmp\;mountpoint=/tmp\;exec=on\;setuid=off \
+ -o fs=zroot/usr\;mountpoint=/usr\;canmount=off \
+ -o fs=zroot/usr/ports\;setuid=off \
+ -o fs=zroot/usr/src \
+ -o fs=zroot/usr/obj \
+ -o fs=zroot/var\;mountpoint=/var\;canmount=off \
+ -o fs=zroot/var/audit\;setuid=off\;exec=off \
+ -o fs=zroot/var/log\;setuid=off\;exec=off \
+ -o fs=zroot/var/mail\;atime=on \
+ -o fs=zroot/var/tmp\;setuid=off \
+ ${VMBASE} ${DESTDIR}
+ ;;
+ *)
+ echo "Unexpected VMFS value '${VMFS}'"
+ exit 1
+ ;;
+ esac
+}
+
umount_loop() {
DIR=$1
i=0
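Review bot: buildfs handles failure differently from the code around it. Its `*)` arm calls `exit 1` where vm_create_disk uses `return 1` for the same condition, the message goes to stdout, and `local md tmppool` declares two variables that are never used. The call site added later in vm_create_disk is a bare `buildfs`, so unless the script runs under `set -e` (not visible here) a failed makefs is followed by mkimg and the new "Disk image ... created." message. Suggested lines: `echo "Unexpected VMFS value '${VMFS}'" >&2` and `return 1` in the default arm, and `buildfs || return 1` at the call site.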
@@ -188,8 +232,7 @@ umount_loop() {
}
vm_create_disk() {
- echo "Creating image... Please wait."
- echo
+ local BOOTFILES BOOTPARTSOFFSET FSPARTTYPE X86GPTBOOTFILE
if [ -z "${NOSWAP}" ]; then
SWAPOPT="-p freebsd-swap/swapfs::${SWAPSIZE}"
@@ -199,34 +242,52 @@ vm_create_disk() {
BOOTPARTSOFFSET=":${VM_BOOTPARTSOFFSET}"
fi
+ case "${VMFS}" in
+ ufs)
+ FSPARTTYPE=freebsd-ufs
+ X86GPTBOOTFILE=i386/gptboot/gptboot
+ ;;
+ zfs)
+ FSPARTTYPE=freebsd-zfs
+ X86GPTBOOTFILE=i386/gptzfsboot/gptzfsboot
+ ;;
+ *)
+ echo "Unexpected VMFS value '${VMFS}'"
+ return 1
+ ;;
+ esac
+
+ echo "Creating image... Please wait."
+ echo
BOOTFILES="$(env TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH} \
WITH_UNIFIED_OBJDIR=yes \
make -C ${WORLDDIR}/stand -V .OBJDIR)"
BOOTFILES="$(realpath ${BOOTFILES})"
+ MAKEFSARGS="-s ${VMSIZE}"
case "${TARGET}:${TARGET_ARCH}" in
amd64:amd64 | i386:i386)
ESP=yes
BOOTPARTS="-b ${BOOTFILES}/i386/pmbr/pmbr \
- -p freebsd-boot/bootfs:=${BOOTFILES}/i386/gptboot/gptboot${BOOTPARTSOFFSET}"
- ROOTFSPART="-p freebsd-ufs/rootfs:=${VMBASE}"
- MAKEFSARGS="-B little"
+ -p freebsd-boot/bootfs:=${BOOTFILES}/${X86GPTBOOTFILE}${BOOTPARTSOFFSET}"
+ ROOTFSPART="-p ${FSPARTTYPE}/rootfs:=${VMBASE}"
+ MAKEFSARGS="$MAKEFSARGS -B little"
;;
arm64:aarch64 | riscv:riscv64*)
ESP=yes
BOOTPARTS=
- ROOTFSPART="-p freebsd-ufs/rootfs:=${VMBASE}"
- MAKEFSARGS="-B little"
+ ROOTFSPART="-p ${FSPARTTYPE}/rootfs:=${VMBASE}"
+ MAKEFSARGS="$MAKEFSARGS -B little"
;;
powerpc:powerpc*)
ESP=no
BOOTPARTS="-p prepboot:=${BOOTFILES}/powerpc/boot1.chrp/boot1.elf -a 1"
ROOTFSPART="-p freebsd:=${VMBASE}"
if [ ${TARGET_ARCH} = powerpc64le ]; then
- MAKEFSARGS="-B little"
+ MAKEFSARGS="$MAKEFSARGS -B little"
else
- MAKEFSARGS="-B big"
+ MAKEFSARGS="$MAKEFSARGS -B big"
fi
;;
*)
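Review bot: The `powerpc:powerpc*` arm was not converted to `${FSPARTTYPE}` and still emits `-p freebsd:=${VMBASE}`, so with VMFS=zfs the ZFS image from buildfs would land in a `freebsd` partition behind boot1.elf. Whether that combination can boot is not something this hunk shows. If it is unsupported, reject it in that arm with `[ "${VMFS}" = ufs ] || { echo "VMFS=${VMFS} is not supported on powerpc" >&2; return 1; }`. The added lines also write `$MAKEFSARGS` where the rest of the file uses the `${MAKEFSARGS}` form. The case statement continues beyond the hunk.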
@@ -248,8 +309,7 @@ vm_create_disk() {
fi
echo "Building filesystem... Please wait."
- makefs ${MAKEFSARGS} -o label=rootfs -o version=2 -o softupdates=1 \
- -s ${VMSIZE} ${VMBASE} ${DESTDIR}
+ buildfs
echo "Building final disk image... Please wait."
mkimg -s ${PARTSCHEME} -f ${VMFORMAT} \
@@ -258,6 +318,8 @@ vm_create_disk() {
${ROOTFSPART} \
-o ${VMIMAGE}
+ echo "Disk image ${VMIMAGE} created."
+
if [ ${ESP} = "yes" ]; then
rm ${espfilename}
fi