From 0af49f00b3096a5809f992d87b416cc0f70435ea Mon Sep 17 00:00:00 2001 From: Dave Cottlehuber Date: Sun, 27 Nov 2022 11:12:02 +0000 Subject: [PATCH] release/oci: add Oracle Cloud image builder Provides an OCI (Oracle Cloud Infrastructure) release target for Oracle's KVM-based VM implementation. Tested using 13.1-RELEASE, primarily on Ampere CPU on A1.Flex VM shapes, but also works on amd64 shapes. - supports cloud-init and custom scripts - provides a freebsd@ sudo-enabled user - root user disabled over ssh & console Approved by: gjb Reviewed by: emaste MFS after: 1 week Sponsored by: The FreeBSD Foundation Sponsored by: SkunkWerks, GmbH Technical assistance from: Oracle Differential Revision: https://reviews.freebsd.org/D34746
---
 release/Makefile.vm | 4 ++
 release/release.conf.sample | 2 +-
 release/tools/oci.conf | 94 +++++++++++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 release/tools/oci.conf
diff --git a/release/Makefile.vm b/release/Makefile.vm
index 2ab5b4e373e3..81f46a23b2ac 100644
--- a/release/Makefile.vm
+++ b/release/Makefile.vm
@@ -20,6 +20,7 @@ RAW_DESC= Unformatted raw disk image
 CLOUDWARE?= BASIC-CI \
 EC2 \
 GCE \
+ OCI \
 VAGRANT-VIRTUALBOX \
 VAGRANT-VMWARE
 AZURE_FORMAT= vhdf
@@ -34,6 +35,9 @@ EC2_DISK= ${OSRELEASE}.${EC2_FORMAT}
 GCE_FORMAT= raw
 GCE_DESC= Google Compute Engine image
 GCE_DISK= disk.${GCE_FORMAT}
+OCI_FORMAT= qcow2
+OCI_DESC= Oracle Cloud Infrastructure image
+OCI_DISK= ${OSRELEASE}.${OCI_FORMAT}
 OPENSTACK_FORMAT=qcow2
 OPENSTACK_DESC= OpenStack platform image
 OPENSTACK_DISK= ${OSRELEASE}.${OPENSTACK_FORMAT}
diff --git a/release/release.conf.sample b/release/release.conf.sample
index bd7be15b0227..40f8457e8f89 100644
--- a/release/release.conf.sample
+++ b/release/release.conf.sample
@@ -113,4 +113,4 @@ PORTBRANCH="main"
 ## If WITH_CLOUDWARE is set to a non-empty value, this is a list of providers
 ## to create disk images.
-#CLOUDWARE="EC2 GCE VAGRANT-VIRTUALBOX VAGRANT-VMWARE"
+#CLOUDWARE="EC2 GCE OCI VAGRANT-VIRTUALBOX VAGRANT-VMWARE"
diff --git a/release/tools/oci.conf b/release/tools/oci.conf
new file mode 100644
index 000000000000..7260cd24defd
--- /dev/null
+++ b/release/tools/oci.conf
@@ -0,0 +1,94 @@
+#!/bin/sh
+# Set to a list of packages to install.
+export VM_EXTRA_PACKAGES="
+ comms/py-pyserial
+ converters/base64
+ devel/oci-cli
+ devel/py-babel
+ devel/py-iso8601
+ devel/py-pbr
+ devel/py-six
+ ftp/curl
+ lang/python
+ lang/python3
+ net/cloud-init
+ net/py-eventlet
+ net/py-netaddr
+ net/py-netifaces
+ net/py-oauth
+ net/rsync
+ panicmail
+ security/ca_root_nss
+ security/sudo
+ sysutils/firstboot-freebsd-update
+ sysutils/firstboot-pkgs
+ sysutils/panicmail
+ textproc/jq
+ "
+
+# Should be enough for base image, image can be resized in needed
+export VMSIZE=5g
+
+# Set to a list of third-party software to enable in rc.conf(5).
+export VM_RC_LIST="
+ cloudinit
+ firstboot_pkgs
+ firstboot_freebsd_update
+ growfs
+ ntpd
+ ntpd_sync_on_start
+ sshd
+ zfs"
+
+vm_extra_pre_umount() {
+ cat <<-'EOF' >> ${DESTDIR}/etc/rc.conf
+ dumpdev=AUTO
+ sendmail_enable=NONE
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/boot/loader.conf
+ autoboot_delay="5"
+ beastie_disable="YES"
+ boot_serial="YES"
+ loader_logo="none"
+ cryptodev_load="YES"
+ opensolaris_load="YES"
+ xz_load="YES"
+ zfs_load="YES"
+EOF
+
+ cat <<-'EOF' >> ${DESTDIR}/etc/ssh/sshd_config
+ # S11 Configure the SSH service to prevent password-based login
+ PermitRootLogin prohibit-password
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ PermitEmptyPasswords no
+ UseDNS no
+EOF
+
+ # S14 Root user login must be disabled on serial-over-ssh console
+ pw -R ${DESTDIR} usermod root -w no
+ # OCI requirements override the default FreeBSD cloud-init settings
+ cat <<-'EOF' >> ${DESTDIR}/usr/local/etc/cloud/cloud.cfg.d/98_oci.cfg
+ disable_root: true
+ system_info:
+ distro: freebsd
+ default_user:
+ name: freebsd
+ lock_passwd: True
+ gecos: "OCI Default User"
+ groups: [wheel]
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/sh
+ network:
+ renderers: ['freebsd']
+EOF
+
+ # Use Oracle Cloud Infrastructure NTP server
+ sed -i '' -E -e 's/^pool.*iburst/server 169.254.169.254 iburst/' \
+ ${DESTDIR}/etc/ntp.conf
+
+ touch ${DESTDIR}/firstboot
+
+ return 0
+}
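Review bot: `vm_extra_pre_umount` builds every target path from an unquoted `${DESTDIR}` and never checks that it is set, so an empty value would send the appends to `/etc/rc.conf`, `/boot/loader.conf` and `/etc/ssh/sshd_config`, the in-place `sed` on `/etc/ntp.conf` and `pw usermod root -w no` to the build host instead of the image; a guard as the function's first line, `: "${DESTDIR:?DESTDIR must name the image root}"`, is cheap insurance even though the caller normally sets it (the sibling cloud confs presumably share the pattern, in which case the guard belongs in the caller). The sshd_config block is appended, and sshd honours the first value it sees for each keyword, so these lines only take effect while the base sshd_config leaves `PermitRootLogin`, `PasswordAuthentication`, `KbdInteractiveAuthentication`, `PermitEmptyPasswords` and `UseDNS` commented out; that assumption deserves a comment above the heredoc, e.g. `# sshd uses the first value per keyword: these only apply while the stock sshd_config leaves them unset`. Likewise `sed 's/^pool.*iburst/…/'` rewrites every `pool … iburst` line, which would yield duplicate `server` entries if the shipped ntp.conf carries more than one (not visible here). Minor: `panicmail` and `sysutils/panicmail` in VM_EXTRA_PACKAGES name the same port, and the VMSIZE comment should read "resized if needed".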