Initial cleanups for #156

.github/workflows/examples.yml

@@ -56,7 +56,6 @@ jobs:
           python3-libvirt \
           qemu-system \
           systemd-boot-efi
-        sudo apt-get build-dep systemd e2fsprogs
 
     - name: Get a newer podman for heredoc support (from plucky)
       run: |
@@ -66,10 +65,20 @@ jobs:
 
     - uses: actions/checkout@v4
 
-    - name: Install patched tools
+    - name: Check cache for patched tools
+      uses: actions/cache@v3
+      with:
+        path: ~/bin
+        key: patched-tools-bin-${{ hashFiles('examples/common/install-patched-tools') }}
+
+    - name: Ensure patched tools are installed
       run: |
-        mkdir ~/bin
-        examples/common/install-patched-tools ~/bin
+        set -eux
+        if [ ! -x "$HOME/bin/mkfs.ext4" ]; then
+          sudo apt-get build-dep systemd e2fsprogs
+          mkdir ~/bin
+          examples/common/install-patched-tools ~/bin
+        fi
 
     - name: Run example tests
       run: |

examples/bls/Containerfile

@@ -1,5 +1,4 @@
 FROM fedora:42
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
@@ -12,9 +11,16 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
         strace \
         util-linux \
         systemd
+EOF
 
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+COPY test-thing.workarounds/fedora-42 /
+RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
+    kernel-install add-all
     systemctl enable systemd-networkd
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin

examples/bls/Containerfile.arch

@@ -1,11 +1,8 @@
 FROM archlinux AS base
-COPY extra /
-RUN <<EOF
+RUN --mount=type=cache,target=/var/cache/pacman/pkg \
+    --mount=type=cache,target=/var/lib/pacman/sync <<EOF
     set -eux
 
-    touch /etc/machine-id
-    echo 'root=/dev/vda2' > /etc/kernel/cmdline
-
     pacman -Syu --noconfirm
     pacman -Sy --noconfirm \
         btrfs-progs \
@@ -16,11 +13,19 @@ RUN <<EOF
         openssh \
         skopeo \
         strace
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
 
-    kernel-install add "$(ls /usr/lib/modules)" /usr/lib/modules/"$(ls /usr/lib/modules)"/vmlinuz
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
+    touch /etc/machine-id
+    echo 'root=/dev/vda2' > /etc/kernel/cmdline
+
+    kernel-install add-all
 
     systemctl enable systemd-networkd systemd-resolved sshd
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin

examples/bls/Containerfile.rawhide

@@ -1,5 +1,4 @@
 FROM fedora:rawhide
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
@@ -12,9 +11,15 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
         strace \
         systemd \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
 
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
     systemctl enable systemd-networkd
     passwd -d root
+    kernel-install add-all
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin

examples/bls/Containerfile.rhel9

@@ -1,13 +1,7 @@
 # FROM docker.io/redhat/ubi9  missing: dosfstools, kernel
 FROM quay.io/centos/centos:9
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/dnf <<EOF
     set -eux
-    mkdir -p /etc/kernel
-    touch /etc/kernel/cmdline
-
-    echo layout=bls | tee /etc/kernel/install.conf
-
     dnf --setopt keepcache=1 install --allowerasing -y \
         NetworkManager \
         composefs \
@@ -19,9 +13,22 @@ RUN --mount=type=cache,target=/var/cache/dnf <<EOF
         strace \
         systemd \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+COPY test-thing.workarounds/rhel9 /
+RUN <<EOF
+    set -eux
+    mkdir -p /etc/kernel
+    touch /etc/kernel/cmdline
+
+    echo layout=bls | tee /etc/kernel/install.conf
+    kernel-install add $(ls /usr/lib/modules) /usr/lib/modules/*/vmlinuz
 
     systemctl enable tmp.mount
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin

examples/bls/Containerfile.ubuntu

@@ -1,13 +1,14 @@
 FROM ubuntu:devel
-COPY extra /
-RUN <<EOF
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt/archives <<EOF
     set -eux
 
-    touch /etc/machine-id
-    touch /etc/fstab
+    mkdir -p /etc/dracut.conf.d
+    echo export DRACUT_NO_XATTR=1 > /etc/dracut.conf.d/no-xattr.conf
 
-    apt update
-    DEBIAN_FRONTEND=noninteractive apt install -y \
+    rm /etc/apt/apt.conf.d/docker-clean
+    apt-get update
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
         btrfs-progs \
         dosfstools \
         dracut \
@@ -22,17 +23,27 @@ RUN <<EOF
         strace \
         systemd \
         udev
-    apt clean
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+COPY test-thing.workarounds/debian /
+RUN <<EOF
+    set -eux
+
+    touch /etc/machine-id
+    touch /etc/fstab
 
     dracut \
      -a "systemd-initrd composefs bash" \
      -d "erofs overlay" \
      -I "/usr/lib/systemd/systemd-sysroot-fstab-check" \
      --kver $(ls /usr/lib/modules)   --force
-    kernel-install add $(cd /usr/lib/modules && echo *) /boot/vmlinuz-$(cd /usr/lib/modules && echo *)
+    kernel-install add $(ls /usr/lib/modules) /boot/vmlinuz-*
 
     systemctl enable systemd-networkd systemd-resolved
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin

examples/bls/build

@@ -44,6 +44,7 @@ cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37co
 CFSCTL='./cfsctl --repo tmp/sysroot/composefs'
 
 rm -rf tmp
+rm -rf tmp/efi tmp/sysroot/composefs/images
 mkdir -p tmp/sysroot/composefs
 
 podman build \

examples/bls/test-thing.workarounds/README.md

@@ -0,0 +1,18 @@
+# Guest support workarounds
+
+These are extra files that you can add to virtual machine guests to enable
+support for missing features required by `test.thing`:
+
+ - [debian/](debian/): enables ephemeral ssh key support
+ - [fedora-42/](fedora-42/): enables ephemeral ssh key support ([this is
+   supported without a workaround in Fedora 43 and
+   later](https://src.fedoraproject.org/rpms/openssh/pull-request/101))
+ - [rhel9/](rhel9/): enables sshd vsock listener (with ephemeral ssh key
+   support) and sends the expected `sd_notify` message when the guest reaches
+   `multi-user.target`
+
+`test.thing` can also work with guests lacking support for ephemeral ssh keys
+by including a fixed ssh key in the image, or by using the
+`ssh.authorized_keys.root` credential (since systemd 252), but this requires
+modifying root's home directory at runtime and only works if another ssh key
+isn't already present, so it isn't enabled by default.

examples/bls/test-thing.workarounds/debian/etc/default/ssh

@@ -0,0 +1,2 @@
+# Debian
+SSHD_OPTS=-o "AuthorizedKeysFile /run/credentials/@system/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"

examples/bls/test-thing.workarounds/fedora-42/etc/sysconfig/sshd

@@ -0,0 +1,3 @@
+# Needed for Fedora 42
+# https://src.fedoraproject.org/rpms/openssh/pull-request/101
+OPTIONS=-o "AuthorizedKeysFile /run/credentials/@system/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"

examples/bls/test-thing.workarounds/rhel9/etc/notify-multiuser.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+
+"""Notify that the system has reached multi-user.target."""
+
+import os
+import socket
+from pathlib import Path
+
+credentials = Path(os.environ["CREDENTIALS_DIRECTORY"])
+notify_socket = (credentials / "vmm.notify_socket").read_text()
+af, cid, port = notify_socket.split(":")
+assert af == "vsock"
+sock = socket.socket(socket.AF_VSOCK, socket.SOCK_SEQPACKET)
+sock.connect((int(cid), int(port)))
+sock.sendmsg([b"X_SYSTEMD_UNIT_ACTIVE=multi-user.target\n"])

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/multi-user.target.wants/notify-multiuser.service

@@ -0,0 +1 @@
+../notify-multiuser.service

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/notify-multiuser.service

@@ -0,0 +1,9 @@
+[Unit]
+After=multi-user.target
+Wants=multi-user.target
+
+[Service]
+LoadCredential=vmm.notify_socket
+ExecStart=/etc/notify-multiuser.py
+Type=exec
+RemainAfterExit=yes

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/sockets.target.wants/sshd-vsock.socket

@@ -0,0 +1 @@
+../sshd-vsock.socket

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/sshd-vsock.socket

@@ -0,0 +1,7 @@
+[Unit]
+Wants=ssh-access.target
+Before=ssh-access.target
+
+[Socket]
+ListenStream=vsock::22
+Accept=yes

examples/bls/test-thing.workarounds/rhel9/etc/systemd/system/sshd-vsock@.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshd-keygen.target
+After=sshd-keygen.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/sshd
+ExecStart=-/usr/sbin/sshd -i $OPTIONS -o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"
+StandardInput=socket
+LoadCredential=ssh.ephemeral-authorized_keys-all

examples/bls/test-thing.workarounds/systemd-ssh-proxy

@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+"""Polyfill for systemd-ssh-proxy on systems that don't have it."""
+
+import argparse
+import socket
+import sys
+
+parser = argparse.ArgumentParser(description="systemd-ssh-proxy polyfill")
+parser.add_argument("addr", type=lambda value: int(value.removeprefix("vsock/")))
+parser.add_argument("port", type=int)
+args = parser.parse_args()
+
+stdout = socket.socket(fileno=sys.stdout.fileno())
+
+vsock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
+vsock.connect((args.addr, args.port))
+socket.send_fds(stdout, [b"\0"], [vsock.fileno()])
+vsock.close()

examples/common/install-systemd-boot

@@ -3,7 +3,7 @@
 set -eux
 
 mkdir -p tmp/efi/loader
-echo 'timeout 3' > tmp/efi/loader/loader.conf
+echo 'timeout 1' > tmp/efi/loader/loader.conf
 mkdir -p tmp/efi/EFI/BOOT tmp/efi/EFI/systemd
 cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/systemd
 cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/BOOT/BOOTX64.EFI

examples/uki/Containerfile

@@ -5,51 +5,64 @@
 #    files of the final image, but not the kernel
 #
 #  - further stages, ultimately resulting in the final container image.  In
-#    this image, the kernel must be present in a whiteout-obscured directory
-#    /composefs-meta/boot/ and otherwise no other changes may be made vs. the
-#    base image.  This is best-accomplished with a multi-stage build.
+#    this image, the kernel must be present in /boot and otherwise no other
+#    changes may be made vs. the base image.  This is best-accomplished with a
+#    multi-stage build.
 #
 #  - during the build stages following 'base', the `COMPOSEFS_FSVERITY` build
 #    arg will be set to the fsverity digest of the container image.  This should
 #    be baked into the UKI.
 
 FROM fedora:42 AS base
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
-    # we should install kernel-modules here, but can't
-    # because it'll pull in the entire kernel with it
-    # it seems to work fine for now....
+    mkdir -p /etc/dracut.conf.d
+    echo export DRACUT_NO_XATTR=1 > /etc/dracut.conf.d/no-xattr.conf
+
     dnf --setopt keepcache=1 install --allowerasing -y \
+        btrfs-progs \
         composefs \
         dosfstools \
+        kernel \
         openssh-server \
         policycoreutils-python-utils \
         selinux-policy-targeted \
         skopeo \
         strace \
         systemd \
+        systemd-boot-unsigned \
+        systemd-ukify \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+COPY test-thing.fedora-42 /
+RUN <<EOF
+    set -eux
 
     systemctl enable systemd-networkd
-    semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
+
+    checkmodule -M -m -o /etc/composefs_workarounds.mod /etc/composefs_workarounds.te
+    semodule_package -o /etc/composefs_workarounds.pp -m /etc/composefs_workarounds.mod
+    semodule -i /etc/composefs_workarounds.pp
+
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin
 
 FROM base AS kernel
 ARG COMPOSEFS_FSVERITY
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
+
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline
 
-    # systemd-boot-unsigned: ditto
-    # btrfs-progs: dracut wants to include this in the initramfs
-    # ukify: dracut doesn't want to take our cmdline args?
-    dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify
+    kernel-install add-all
 EOF
 
 FROM base AS bootable