0630b3cb69
RHEL-9 base images are whole-disk images with the /boot/efi partition correctly set up for EFI Secure Boot. This doesn't work with extract-image because it only mounts the root partition, leaving /boot/efi empty even though grub2-efi & shim packages are "installed". This change mounts discovered partitions to mnt/boot, mnt/boot/efi so all content can be extracted from the image. Partition detection is done by reading block device attributes and matching on Boot Loader Specification[1] UIDs or labels as observed in supported base images. [1] https://systemd.io/BOOT_LOADER_SPECIFICATION/ Change-Id: I8487002a18ae6ca98609ab68d92ae9173a2b864f
189 lines
7.2 KiB
Bash
Executable File
189 lines
7.2 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Intended to be called from the root.d cloud-image script as follows:
|
|
# $TMP_HOOKS_PATH/bin/extract-image $BASE_IMAGE_FILE $BASE_IMAGE_TAR $IMAGE_LOCATION $CACHED_IMAGE
|
|
|
|
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
BASE_IMAGE_FILE=$1
|
|
BASE_IMAGE_TAR=$2
|
|
IMAGE_LOCATION=$3
|
|
CACHED_IMAGE=$4
|
|
|
|
CACHED_TAR=$DIB_IMAGE_CACHE/$BASE_IMAGE_TAR
|
|
DIB_LOCAL_IMAGE=${DIB_LOCAL_IMAGE:-""}
|
|
TAR_LOCK=$CACHED_TAR.lock
|
|
|
|
# GPT GUIDs of interest.
|
|
# See https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
|
|
# also https://systemd.io/BOOT_LOADER_SPECIFICATION/
|
|
GUID_EFI="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
|
|
GUID_LINUX_BOOT="bc13c2ff-59e6-4262-a352-b275fd6f7172"
|
|
|
|
function extract_image() {
|
|
if [ -n "$DIB_OFFLINE" -a -f "$CACHED_TAR" ] ; then
|
|
echo "Not checking freshness of cached $CACHED_TAR."
|
|
else
|
|
if [ -z "$DIB_LOCAL_IMAGE" ]; then
|
|
echo "Fetching Base Image"
|
|
|
|
# There seems to be some bad Fedora mirrors returning http 404's for the cloud image.
|
|
# If the image fails to download due to a 404 we retry once.
|
|
set +e
|
|
$TMP_HOOKS_PATH/bin/cache-url $IMAGE_LOCATION $CACHED_IMAGE
|
|
RV=$?
|
|
set -e
|
|
|
|
if [ "$RV" == "44" ] ; then
|
|
$TMP_HOOKS_PATH/bin/cache-url $IMAGE_LOCATION $CACHED_IMAGE
|
|
elif [ "$RV" != "0" ] ; then
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f $CACHED_TAR -o \
|
|
$CACHED_IMAGE -nt $CACHED_TAR ] ; then
|
|
echo "Repacking base image as tarball."
|
|
|
|
WORKING=$(mktemp --tmpdir=${TMP_DIR:-/tmp} -d)
|
|
EACTION="rm -r $WORKING"
|
|
trap "$EACTION" EXIT
|
|
echo "Working in $WORKING"
|
|
|
|
RAW_FILE=$(mktemp --tmpdir=$WORKING XXXXXX.raw)
|
|
|
|
if [ "${CACHED_IMAGE: -3}" == ".xz" ] ; then
|
|
QCOW2_FILE=$(mktemp --tmpdir=$WORKING XXXXXX.qcow2)
|
|
# This leaves the old image in place so cache-url wont get it again
|
|
unxz --stdout $CACHED_IMAGE > $QCOW2_FILE
|
|
CACHED_IMAGE=$QCOW2_FILE
|
|
fi
|
|
|
|
qemu-img convert -f qcow2 -O raw $CACHED_IMAGE $RAW_FILE
|
|
|
|
# kpartx fails if no /dev/loop* exists, "losetup -f" prints first unused
|
|
# loop device and creates it if it doesn't exist
|
|
LOOPDEV_BASE=$(basename $(sudo losetup -f))
|
|
|
|
# add partition mappings
|
|
sudo kpartx -av $RAW_FILE
|
|
|
|
# If running inside Docker, make our nodes manually, because udev will not be working.
|
|
if [ -f /.dockerenv ]; then
|
|
sudo dmsetup --noudevsync mknodes
|
|
fi
|
|
if ! timeout 5 sh -c "while ! ls /dev/mapper/${LOOPDEV_BASE}p* ; do sleep 1; done"; then
|
|
echo "Error: Could not find any ${LOOPDEV_BASE} devices"
|
|
exit 1
|
|
fi
|
|
EACTION="sudo kpartx -d $RAW_FILE ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
|
|
ROOT_LOOPDEV=""
|
|
BOOT_LOOPDEV=""
|
|
EFI_LOOPDEV=""
|
|
|
|
LOOPDEVS=$(ls /dev/mapper/${LOOPDEV_BASE}p* | sort -r)
|
|
|
|
for LOOPDEV in ${LOOPDEVS}; do
|
|
lsblk --all --nodeps -P --output-all $LOOPDEV
|
|
fstype=$(lsblk --all --nodeps --noheadings --output FSTYPE $LOOPDEV)
|
|
label=$(lsblk --all --nodeps --noheadings --output LABEL $LOOPDEV)
|
|
part_type_name=$(lsblk --all --nodeps --noheadings --output PARTTYPENAME $LOOPDEV || echo "")
|
|
part_type=$(lsblk --all --nodeps --noheadings --output PARTTYPE $LOOPDEV)
|
|
|
|
if [ -z "${fstype}" ]; then
|
|
# Ignore block device with no filesystem type
|
|
continue
|
|
fi
|
|
|
|
# look for EFI partition to mount at /boot/efi either by GUID or
|
|
# label convention
|
|
if [ -z "$EFI_LOOPDEV" ]; then
|
|
if [[ ${part_type} == ${GUID_EFI} || ${part_type_name} == "EFI System" ]]; then
|
|
EFI_LOOPDEV=$LOOPDEV
|
|
continue
|
|
fi
|
|
fi
|
|
|
|
# look for EFI partition to mount at /boot/efi either by GUID or
|
|
# label convention.
|
|
if [ -z "$BOOT_LOOPDEV" ]; then
|
|
if [[ ${part_type} == ${GUID_LINUX_BOOT} || ${label} == "boot" ]]; then
|
|
BOOT_LOOPDEV=$LOOPDEV
|
|
continue
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$ROOT_LOOPDEV" ]; then
|
|
ROOT_LOOPDEV=$LOOPDEV
|
|
continue
|
|
fi
|
|
done
|
|
|
|
mkdir $WORKING/mnt
|
|
if [ "xfs" = "$(sudo blkid -o value -s TYPE $ROOT_LOOPDEV)" ]; then
|
|
# mount xfs with nouuid, just in case that uuid is already mounted
|
|
# use ro to avoid/workaround xfs uuid issues on older
|
|
# kernels with newer rhel images which seem to set
|
|
# flags to generate unique uuid's:
|
|
# xfs superblock has incompatible features (0x4)
|
|
# we don't need to worry about this, we just want the data
|
|
MOUNTOPTS="-o nouuid,ro"
|
|
else
|
|
MOUNTOPTS=""
|
|
fi
|
|
|
|
sudo mount $MOUNTOPTS $ROOT_LOOPDEV $WORKING/mnt
|
|
EACTION="sudo umount -f $WORKING/mnt ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
|
|
if [ ! -z "$BOOT_LOOPDEV" ]; then
|
|
# mount to /boot
|
|
sudo mount $BOOT_LOOPDEV $WORKING/mnt/boot
|
|
EACTION="sudo umount -f $BOOT_LOOPDEV ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
fi
|
|
if [ ! -z "$EFI_LOOPDEV" ]; then
|
|
# mount to /boot/efi
|
|
sudo mount $EFI_LOOPDEV $WORKING/mnt/boot/efi
|
|
EACTION="sudo umount -f $EFI_LOOPDEV ; $EACTION"
|
|
trap "$EACTION" EXIT
|
|
fi
|
|
|
|
# find out if chroot tar has full xattr support
|
|
if [ 0 == `sudo chroot $WORKING/mnt bin/tar --help | grep -c xattrs-exclude` ]; then
|
|
TAROPTS="--no-xattrs"
|
|
else
|
|
TAROPTS="--xattrs --xattrs-include=* --xattrs-exclude=security.selinux"
|
|
fi
|
|
# Chroot in so that we get the correct uid/gid
|
|
sudo chroot $WORKING/mnt bin/tar $TAROPTS -cz . > $WORKING/tmp.tar
|
|
mv $WORKING/tmp.tar $CACHED_TAR
|
|
else
|
|
echo "Using cached tar from $CACHED_TAR"
|
|
fi
|
|
fi
|
|
|
|
# Extract the base image (use --numeric-owner to avoid UID/GID mismatch between
|
|
# image tarball and host OS e.g. when building Fedora image on an openSUSE host)
|
|
# Include all xattrs except selinux because the selinux ones cause issues in our
|
|
# chroot environment, and we restore all of those at the end of the build anyway.
|
|
echo "Extracting base root image from $CACHED_TAR"
|
|
sudo tar -C $TARGET_ROOT --numeric-owner --xattrs --xattrs-include='*' --xattrs-exclude='security.selinux' -xzf $CACHED_TAR
|
|
}
|
|
|
|
(
|
|
echo "Getting $TAR_LOCK: $(date)"
|
|
# Wait up to 20 minutes for another process to download
|
|
if ! flock -w 1200 9 ; then
|
|
echo "Did not get $TAR_LOCK: $(date)"
|
|
exit 1
|
|
fi
|
|
extract_image
|
|
) 9> $TAR_LOCK
|