Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for arbitrary kickstart file injection into ISOs (HMS-3879) #631

Merged
merged 19 commits into from
May 16, 2024

Conversation

achilleas-k
Copy link
Member

@achilleas-k achilleas-k commented Apr 24, 2024

Adds a new blueprint customization [installer.kickstart.contents] that will allow users to inject their own kickstart file into an ISO build.

This PR also includes a partial implementation of a recommendation I made in a previous PR: #614 (comment)

A new internal customization struct called kickstart.Options holds all kickstart options that we can set in pipelines and is attached to Anaconda pipelines and image kinds that support them. This is similar to other internal options structs like users.User, users.Group, fsnode.File, etc.
There's a bit more we can do with this (for example a ks.GetPath() method that returns the default when it's not set, even with ks == nil, instead of checking all the time) but I wanted to get this PR open and merged to get this into bootc-image-builder.

Note that our initial idea was to make any other kickstart option illegal when this option is used. Leaving it wide open can cause all sorts of issues for users who don't know what we're adding to the kickstart when they append their own, but from what I understand, it should be safe in the general case where they add some %post bits or enable options we don't support.

I'm fine with restricting it if others disagree.

@achilleas-k
Copy link
Member Author

This will need to be rebased once #632 is merged.

@bcl bcl self-requested a review April 25, 2024 18:54
Copy link
Member

@thozza thozza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work. Overall this looks good, but one commit needs cleanup.

bd6234b contains a syntax error, which is then fixed by d639950.

pkg/manifest/anaconda_installer_iso_tree_test.go Outdated Show resolved Hide resolved
thozza
thozza previously approved these changes Apr 26, 2024
Copy link
Member

@thozza thozza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not do a super deep review (too many distractions) but I read through and it looks very nice. I especially like that the kickstart options are now all consolidated, very nice work!

@bcl
Copy link
Contributor

bcl commented Apr 26, 2024

I wonder if we should run ksvalidator on the user blob at some point, either here or in osbuild? As long as you have a newer version of pykickstart installed it can validate other supported versions by passing it --version RHEL9 for example.

@supakeen
Copy link
Member

I wonder if we should run ksvalidator on the user blob at some point, either here or in osbuild? As long as you have a newer version of pykickstart installed it can validate other supported versions by passing it --version RHEL9 for example.

That would be a good idea yes; we currently only do so in testcases.

@achilleas-k
Copy link
Member Author

I wonder if we should run ksvalidator on the user blob at some point, either here or in osbuild?

Could be a good idea, yeah. Though, it gets tricky with cross-distro builds doesn't it? If you're building a RHEL N image on RHEL N+1, you'd want to run it through the validator for RHEL N, not the newer one. So it should probably happen in the buildroot in osbuild I guess?

@bcl
Copy link
Contributor

bcl commented Apr 29, 2024

As long as it knows the release name that pykickstart recoginizes (RHEL9, RHEL10, etc.) and is running on the same or newer release it will work. No need to try and work this into this PR though, it can come later.

@achilleas-k achilleas-k force-pushed the user-kickstarts branch 3 times, most recently from c0578d6 to b4a7ad7 Compare May 7, 2024 10:03
@achilleas-k
Copy link
Member Author

After discussing with @ondrejbudai and @mvo5, we decided that user kickstarts combined with any other kickstart customization would not be supported and produce errors. So now, if a user adds a kickstart file/contents, we only add the install line for the payload and then have the user's kickstart file include ours.

For that last part, it would be nicer if our kickstart had an %include to the user's, but that requires osbuild stage changes so we'll do it later.

@achilleas-k
Copy link
Member Author

achilleas-k commented May 7, 2024

The test config file, test/configs/interactive-iso-userkickstart.json, creates the following in the root of the ISO:

› head -n-0 *.ks
==> osbuild-base.ks <==
liveimg --url file:///run/install/repo/liveimg.tar.gz

==> osbuild.ks <==
%include /run/install/repo/osbuild-base.ks
%post

echo "=== Custom user kickstart ==="

echo -e "%sudo\tALL=(ALL)\tNOPASSWD: ALL" > "/etc/sudoers.d/%sudo"
chmod 0440 /etc/sudoers.d/%sudo
echo -e "%wheel\tALL=(ALL)\tNOPASSWD: ALL" > "/etc/sudoers.d/%wheel"
chmod 0440 /etc/sudoers.d/%wheel
restorecon -rvF /etc/sudoers.d
%end

Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I really like the new kickstart.Options struct, this makes a lot of things cleaner. I added some ideas inline, I hope they are useful. But no blockers, so could be followups of course.

pkg/distro/fedora/images.go Outdated Show resolved Hide resolved
pkg/distro/fedora/imagetype.go Outdated Show resolved Hide resolved
pkg/distro/fedora/imagetype.go Show resolved Hide resolved
pkg/distro/rhel/images.go Outdated Show resolved Hide resolved
pkg/distro/rhel/images.go Outdated Show resolved Hide resolved
pkg/distro/rhel/rhel10/options.go Outdated Show resolved Hide resolved
pkg/distro/rhel/rhel8/options.go Outdated Show resolved Hide resolved
pkg/distro/rhel/rhel9/options.go Outdated Show resolved Hide resolved
pkg/manifest/anaconda_installer_iso_tree.go Show resolved Hide resolved
pkg/manifest/anaconda_installer_iso_tree.go Outdated Show resolved Hide resolved
Do not allow or add any kickstart options to the bootc container
installer ISO when a user kickstart is included.
The only line that we add is the ostree container installation line in
its own kickstart.  The user kickstart file is then added separately and
it %includes our own.
Do not allow or add any kickstart options to the tar payload installer
(image-installer) or the ostree installer (edge/iot-installer).
The only line that we add is the installation line in its own kickstart.
The user kickstart file is then added separately and it %includes our
own.
1. Kickstart tests now check if the pipeline serialization panic()s when
   unsupported options are combined.
2. When "extra" kickstart content is defined (user kickstart file), the
   pre-defined hardcoded kickstart bits aren't added to the checksum
   calculation.
Unattended + kickstart.contents is no longer allowed, so set unattended
to false.
achilleas-k and others added 3 commits May 14, 2024 02:07
Initialise kickstart customizations for an image with the common options
from the blueprint customizations.  The kickstart options are
initialised with Users, Groups, the Unattended and SudoNopasswd
installer options, and the custom kickstart content.  Other options
(Language, Keyboard, Timezone, and payload options) must be set
separately, since they aren't based solely on the blueprint
customizations and interact with other configs, like image config or the
ostree payload options.

Co-authored-by: Michael Vogt <[email protected]>
Validate kickstart options in a Validate() function so unify option
compatibility handling.  The function is called from the kickstart.New()
initialiser, but we also call it before stage creation to make sure
everything is valid right before stage creation.

Co-authored-by: Michael Vogt <[email protected]>
@achilleas-k achilleas-k requested a review from mvo5 May 14, 2024 17:14
@noelmiller
Copy link

One major issue I see for this is the User Module is disabled in Anaconda, meaning if I don't specify a user in the kickstart, I cannot create a user in Anaconda:
image

Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some quick drive by comments but I like it and nothing blocks it, really just optimizing :)

pkg/customizations/kickstart/kickstart.go Show resolved Hide resolved
pkg/customizations/kickstart/kickstart.go Show resolved Hide resolved
pkg/distro/fedora/imagetype.go Show resolved Hide resolved
@achilleas-k
Copy link
Member Author

achilleas-k commented May 16, 2024

@mvo5 @noelmiller I created issues with your comments to look into later (#691, #692). The PR is already long enough and does the basics. We can polish the code in separate PRs (for Michael's comments). We need to have a discussion about the mechanics of Anaconda Kickstart modules (for Noel's comments) and I think that might block this for too long and make the PR even harder to review.

I propose we merge this as is unless there are other blockers.

mvo5
mvo5 previously approved these changes May 16, 2024
Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! This looks great, I had ideas in the previous comment but they should not be blockers, could be a followup as well (or ignored if I missed something there of course :)

pkg/manifest/anaconda_installer_iso_tree.go Show resolved Hide resolved
Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still looking good! Sorry, I accidentally pushed to this branch but fixed it right away.

@mvo5 mvo5 added this pull request to the merge queue May 16, 2024
Merged via the queue into osbuild:main with commit d56a4e6 May 16, 2024
29 of 33 checks passed
@achilleas-k achilleas-k deleted the user-kickstarts branch May 16, 2024 18:16
@ochosi ochosi changed the title Add support for arbitrary kickstart file injection into ISOs Add support for arbitrary kickstart file injection into ISOs (HMS-3879) May 16, 2024
mvo5 added a commit to mvo5/bootc-image-builder that referenced this pull request May 27, 2024
Update to accomodate for the changes in the API that got introduced
in osbuild/images#631 (ideally that PR would
have been split into a part that changes the API and one that adds
the new feature. This would have made it slightly easier to see
the API changes in isolation).
mvo5 added a commit to mvo5/bootc-image-builder that referenced this pull request May 27, 2024
Update to accomodate for the changes in the API that got introduced
in osbuild/images#631 (ideally that PR would
have been split into a part that changes the API and one that adds
the new feature. This would have made it slightly easier to see
the API changes in isolation).
ondrejbudai added a commit to ondrejbudai/osbuild-deploy-container that referenced this pull request Jun 21, 2024
I also had to adjust our use of AnacondaContainerInstaller because
it was changed in osbuild/images#631.
github-merge-queue bot pushed a commit to osbuild/bootc-image-builder that referenced this pull request Jun 25, 2024
I also had to adjust our use of AnacondaContainerInstaller because
it was changed in osbuild/images#631.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants