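# Publishes ironcore OS images for one Garden Linux release:
#   1. builds systemd's ukify + the x86-64 EFI stub from source,
#   2. pulls kernel / initrd / root.squashfs per variant and architecture
#      from ghcr.io/gardenlinux/gardenlinux by digest,
#   3. builds the image once to learn the squashfs layer digest, bakes that
#      digest into a UKI cmdline, rebuilds with the UKI and pushes to GHCR.
#
# Required secret:
#   GHCR_TOKEN - token with write access to ghcr.io/ironcore-dev/os-images
#                (and read access to ironcore-dev/ironcore-image if that repo
#                is private).
name: Publish GardenLinux New OCI Image with UKI

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Specify the GardenLinux version (e.g., 1877.0)"
        required: true

# Least privilege for the automatic token: nothing here writes to this
# repository; registry pushes use the dedicated GHCR_TOKEN secret.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      VERSION: ${{ github.event.inputs.version }}
      # NOTE(review): a job-level env var is visible to every step, including
      # third-party actions (setup-oras). If no later tool reads GITHUB_TOKEN
      # (the push step may rely on `docker login` credentials instead), move
      # this to step-level `env:` on the login and clone steps only — confirm.
      GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
    steps:
      - name: Checkout
        # TODO(review): pin third-party actions to a full commit SHA rather
        # than a moving major tag (supply-chain hardening).
        uses: actions/checkout@v4
        with:
          # Nothing below uses the checkout; do not leave the default token
          # behind in .git/config.
          persist-credentials: false

      - name: Validate version input
        shell: bash
        run: |
          set -euo pipefail
          # VERSION is interpolated into registry references and image tags;
          # reject anything outside a conservative tag/reference charset so a
          # stray "@", ":", "/" or whitespace cannot change what gets fetched
          # or pushed.
          if [[ ! "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then
            printf 'invalid version %q (expected something like 1877.0)\n' "$VERSION" >&2
            exit 1
          fi

      - name: Install Dependencies and Build ukify + stub
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update -qq
          sudo apt-get install -y \
            jq curl git make meson ninja-build gperf \
            python3-pip python3-pyelftools \
            libssl-dev liblz4-dev libzstd-dev libacl1-dev \
            libblkid-dev libkmod-dev libmount-dev libpam0g-dev \
            libcryptsetup-dev libaudit-dev libmicrohttpd-dev \
            libcap-dev pkg-config uuid-dev \
            libefivar-dev gnu-efi
          # TODO(review): pin pefile (pefile==X.Y.Z) for a reproducible toolchain.
          sudo pip3 install pefile
          # v256 is a git tag, and tags can be moved; comparing `git rev-parse HEAD`
          # against an expected commit would make this build reproducible.
          git clone --depth=1 --branch v256 https://github.com/systemd/systemd.git
          cd systemd
          meson setup build
          ninja -C build
          sudo cp build/ukify /usr/local/bin/ukify
          sudo mkdir -p /usr/lib/systemd/boot/efi
          # A native build on this x86-64 runner only produces the x64 stub.
          sudo cp build/src/boot/efi/linuxx64.efi.stub /usr/lib/systemd/boot/efi/

      - name: Setup ORAS
        # TODO(review): pin to a full commit SHA.
        uses: oras-project/setup-oras@v1

      - name: Authenticate with GHCR
        shell: bash
        run: |
          set -euo pipefail
          # Password via stdin keeps the token out of argv / process listings.
          printf '%s\n' "$GITHUB_TOKEN" | oras login ghcr.io -u github --password-stdin
          printf '%s\n' "$GITHUB_TOKEN" | docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin

      - name: Clone Ironcore Image Repo
        shell: bash
        run: |
          set -euo pipefail
          # Send the token as a one-shot Authorization header instead of
          # embedding it in the clone URL: a URL-embedded token is persisted
          # in .git/config of the clone and surfaces in `git remote -v` and
          # git error output.
          auth_header="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)"
          # TODO(review): pin to a tag or commit; the default branch is a moving
          # target for the tool that assembles and pushes the images.
          git -c "http.https://github.com/.extraheader=${auth_header}" \
            clone https://github.com/ironcore-dev/ironcore-image.git

      - name: Build and Push OCI Images (Vanilla/Gardener/CAPI)
        shell: bash
        run: |
          set -euo pipefail
          cd ironcore-image
          make build

          # The upstream index depends only on VERSION: fetch it once instead
          # of once per variant and architecture.
          # NOTE(review): this resolves a mutable tag and nothing here checks a
          # signature or attestation on the upstream artifacts; if Garden Linux
          # publishes cosign signatures, verifying them here would pin the
          # provenance of everything that follows — confirm.
          oras manifest fetch "ghcr.io/gardenlinux/gardenlinux:${VERSION}" | jq . > index.json

          # Prints the single manifest digest in index.json matching an
          # architecture and cname prefix. Fails (non-zero) when there is no
          # match or more than one, so an empty/ambiguous digest can never be
          # spliced into a registry reference.
          manifest_digest() {
            local arch=$1 prefix=$2 digest
            digest=$(jq -r --arg arch "$arch" --arg prefix "$prefix" \
              '.manifests[] | select(.platform.architecture == $arch and ((.annotations.cname? // "") | tostring | startswith($prefix))) | .digest' index.json)
            if [[ -z "$digest" ]]; then
              printf 'no manifest for arch=%s cname prefix=%s in version %s\n' "$arch" "$prefix" "$VERSION" >&2
              return 1
            fi
            if [[ "$digest" == *$'\n'* ]]; then
              printf 'ambiguous manifests for arch=%s cname prefix=%s:\n%s\n' "$arch" "$prefix" "$digest" >&2
              return 1
            fi
            printf '%s\n' "$digest"
          }

          for VARIANT in vanilla gardener capi; do
            echo "Starting build for variant: $VARIANT"
            case "$VARIANT" in
              vanilla)
                IMAGE_TAG="$VERSION"
                CNAME_PREFIX="metal_pxe"
                ;;
              gardener)
                IMAGE_TAG="${VERSION}-gardener"
                CNAME_PREFIX="metal-gardener_pxe"
                ;;
              capi)
                IMAGE_TAG="${VERSION}-capi"
                CNAME_PREFIX="metal-capi"
                ;;
            esac
            mkdir -p ../binaries/amd64 ../binaries/arm64
            for ARCH in amd64 arm64; do
              echo "Fetching layer for $VARIANT $ARCH"
              DIGEST=$(manifest_digest "$ARCH" "$CNAME_PREFIX")
              echo "Found digest: $DIGEST"
              oras manifest fetch "ghcr.io/gardenlinux/gardenlinux@${DIGEST}" > "manifest-${ARCH}.json"
              for BIN in initrd vmlinuz root.squashfs; do
                DIGEST_BIN=$(jq -r --arg bin "$BIN" '.layers[] | select(.annotations."org.opencontainers.image.title" == $bin).digest' "manifest-${ARCH}.json")
                if [[ -z "$DIGEST_BIN" || "$DIGEST_BIN" == *$'\n'* ]]; then
                  printf 'expected exactly one "%s" layer in the %s %s manifest\n' "$BIN" "$VARIANT" "$ARCH" >&2
                  exit 1
                fi
                # Fetched by digest; ORAS is expected to verify the blob
                # content against it on download — confirm for the pinned
                # setup-oras version.
                oras blob fetch "ghcr.io/gardenlinux/gardenlinux@${DIGEST_BIN}" -o "../binaries/${ARCH}/${BIN}"
              done
            done

            echo "First build (without UKI)"
            ./bin/ironcore-image build \
              --tag "ghcr.io/ironcore-dev/os-images/gardenlinux:${IMAGE_TAG}" \
              --config arch=amd64,squashfs=../binaries/amd64/root.squashfs,initramfs=../binaries/amd64/initrd,kernel=../binaries/amd64/vmlinuz \
              --config arch=arm64,squashfs=../binaries/arm64/root.squashfs,initramfs=../binaries/arm64/initrd,kernel=../binaries/arm64/vmlinuz

            echo "Inspecting squashfs digest for cmdline"
            for ARCH in amd64 arm64; do
              REF_TAG="${VERSION}-${ARCH}"
              if [[ "$VARIANT" != "vanilla" ]]; then
                REF_TAG="${VERSION}-${VARIANT}-${ARCH}"
              fi
              DIGEST=$(./bin/ironcore-image inspect "ghcr.io/ironcore-dev/os-images/gardenlinux:${REF_TAG}" \
                | jq -r '.manifest.layers[] | select(.mediaType == "application/vnd.ironcore.image.squashfs").digest')
              if [[ -z "$DIGEST" || "$DIGEST" == *$'\n'* ]]; then
                printf 'expected exactly one squashfs layer in %s\n' "$REF_TAG" >&2
                exit 1
              fi
              # The squashfs layer digest is baked into the cmdline so the
              # booted node presumably requests exactly the root image built
              # here (layerDigest=...).
              # NOTE(review): ignition and image URLs are plain http to an
              # in-cluster service. The image request carries a digest; the
              # ignition payload has no integrity check visible here — confirm
              # that is acceptable for this boot path.
              CMDLINE="initrd=initrd gl.ovl=/:tmpfs gl.live=1 ip=any console=ttyS0,115200 console=tty0 earlyprintk=ttyS0,115200 consoleblank=0 ignition.firstboot=1 ignition.config.url=http://boot-operator-service.boot-operator-system.svc.cluster.local:8083/ignition ignition.config.url.append.uuid=true ignition.platform.id=metal gl.url=http://boot-operator-service.boot-operator-system.svc.cluster.local:8083/image?imageName=ghcr.io/ironcore-dev/os-images/gardenlinux&version=${VERSION}&layerDigest=${DIGEST}"
              echo "Building UKI for $ARCH with squashfs digest $DIGEST"
              # TODO(review): only linuxx64.efi.stub is built above, and it is
              # used for the arm64 UKI as well. An aarch64 UKI needs the
              # matching linuxaa64.efi.stub (cross-built or fetched); as is,
              # the arm64 UKI looks unlikely to boot — confirm and fix.
              ukify build \
                --linux "../binaries/${ARCH}/vmlinuz" \
                --initrd "../binaries/${ARCH}/initrd" \
                --stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
                --cmdline "$CMDLINE" \
                --output "../binaries/${ARCH}/uki.img"
            done

            echo "Final image build with UKI for $VARIANT"
            ./bin/ironcore-image build \
              --tag "ghcr.io/ironcore-dev/os-images/gardenlinux:${IMAGE_TAG}" \
              --config arch=amd64,squashfs=../binaries/amd64/root.squashfs,initramfs=../binaries/amd64/initrd,kernel=../binaries/amd64/vmlinuz,uki=../binaries/amd64/uki.img \
              --config arch=arm64,squashfs=../binaries/arm64/root.squashfs,initramfs=../binaries/arm64/initrd,kernel=../binaries/arm64/vmlinuz,uki=../binaries/arm64/uki.img
            echo "Pushing final image with UKI: $IMAGE_TAG"
            ./bin/ironcore-image push "ghcr.io/ironcore-dev/os-images/gardenlinux:${IMAGE_TAG}" --push-sub-manifests
            echo "Finished $VARIANT"
          done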