From e59b2b7b559b33d1561860b06129e82ba72338ae Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Fri, 29 Jul 2022 21:56:09 -0700 Subject: [PATCH] Update Flatcar Linux examples and use Ignition * Discontinue using Matchbox's Container Linux Config features * Flatcar Linux OS now supports Ignition v2.13+ which means it can accept Ignition v3.x spec's, like Fedora CoreOS. Matchbox supports this by serving Ignition documents directly * Users of the poseidon/matchbox Terraform provider can pass a `matchbox_profile` `raw_ignition` contents with the desired Ignition v3.3 spec * Users of the poseidon/ct Terraform provider can write Butane Config YAML, perform templating, and render an Ignition document using either the fcos or the flatcar variant --- docs/deployment.md | 4 +-- docs/getting-started-docker.md | 2 +- examples/README.md | 35 +++++++++--------- examples/groups/flatcar-install/flatcar.json | 3 +- examples/groups/flatcar-install/install.json | 7 +--- examples/ignition/flatcar-install.ign | 36 +++++++++++++++++++ examples/ignition/flatcar-install.yaml | 22 +++++------- examples/ignition/flatcar.ign | 15 ++++++++ examples/ignition/flatcar.yaml | 9 ++--- examples/profiles/flatcar-install.json | 8 ++--- examples/profiles/flatcar.json | 8 ++--- .../fedora-coreos-install/profiles.tf | 8 ++--- .../fedora-coreos-install/provider.tf | 2 +- .../{clc => butane}/flatcar-install.yaml | 15 ++++---- .../{clc => butane}/flatcar.yaml | 4 ++- examples/terraform/flatcar-install/groups.tf | 16 ++------- .../terraform/flatcar-install/profiles.tf | 28 +++++++++++---- .../terraform/flatcar-install/provider.tf | 6 +++- scripts/README.md | 2 +- 19 files changed, 137 insertions(+), 93 deletions(-) create mode 100644 examples/ignition/flatcar-install.ign create mode 100644 examples/ignition/flatcar.ign rename examples/terraform/flatcar-install/{clc => butane}/flatcar-install.yaml (64%) rename examples/terraform/flatcar-install/{clc => butane}/flatcar.yaml (50%) diff --git a/docs/deployment.md b/docs/deployment.md index 040fb78b..03ae1455 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -248,7 +248,7 @@ Download a recent Fedora CoreOS or Flatcar Linux release. ``` $ ./scripts/get-fedora-coreos stable 36.20220618.3.1 . -$ ./scripts/get-flatcar stable 2605.6.0 . +$ ./scripts/get-flatcar stable 3227.2.0 . ``` Move the images to `/var/lib/matchbox/assets`, @@ -260,7 +260,7 @@ Move the images to `/var/lib/matchbox/assets`, ├── fedora-coreos-36.20220618.3.1-live-rootfs.x86_64.img /var/lib/matchbox/assets/flatcar/ -└── 2605.6.0 +└── 3227.2.0 ├── Flatcar_Image_Signing_Key.asc ├── flatcar_production_image.bin.bz2 ├── flatcar_production_image.bin.bz2.sig diff --git a/docs/getting-started-docker.md b/docs/getting-started-docker.md index 296ba7b7..6271fd85 100644 --- a/docs/getting-started-docker.md +++ b/docs/getting-started-docker.md @@ -30,7 +30,7 @@ Download Fedora CoreOS or Flatcar Linux image assets to `examples/assets`. ```sh $ ./scripts/get-fedora-coreos stable 36.20220618.3.1 ./examples/assets -$ ./scripts/get-flatcar stable 2605.6.0 ./examples/assets +$ ./scripts/get-flatcar stable 3227.2.0 ./examples/assets ``` For development convenience, add `/etc/hosts` entries for nodes so they may be referenced by name. diff --git a/examples/README.md b/examples/README.md index ad357f89..74ecea79 100644 --- a/examples/README.md +++ b/examples/README.md @@ -26,36 +26,37 @@ These examples mount raw Matchbox objects into a Matchbox server's `/var/lib/mat | flatcar | Flatcar Linux live PXE | RAM | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) | | flatcar-install | Flatcar Linux install | Disk | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) | -### Customization +### SSH Access -For Fedora CoreOS, add an SSH authorized key to Fedora CoreOS Config (`ignition/fedora-coreos.yaml`) and regenerate the Ignition Config. +For Fedora CoreOS, add an SSH authorized key to the Butane Config (`ignition/fedora-coreos.yaml`) and regenerate the Ignition Config. ```yaml variant: fcos -version: 1.1.0 +version: 1.4.0 passwd: users: - name: core ssh_authorized_keys: - - ssh-rsa pub-key-goes-here + - ssh-ed25519 SET_PUBKEY_HERE ``` ``` podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < fedora-coreos.yaml > fedora-coreos.ign ``` -For Flatcar Linux, add a Matchbox variable to a Group (`groups/flatcar-install/flatcar.json`) to set the SSH authorized key (or directly update the Container Linux Config). +For Flatcar Linux, add an SSH authorized key to the Butane config (`ignition/flatcar.yaml` or `ignition/flatcar-install.yaml`) and regenerate the Ignition Config. -```json -{ - "id": "stage-1", - "name": "Flatcar Linux", - "profile": "flatcar", - "selector": { - "os": "installed" - }, - "metadata": { - "ssh_authorized_keys": ["ssh-rsa pub-key-goes-here"] - } -} +```yaml +variant: flatcar +version: 1.0.0 +passwd: + users: + - name: core + ssh_authorized_keys: + - ssh-ed25519 SET_PUBKEY_HERE +``` + +``` +podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar.yaml > flatcar.ign +podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar-install.yaml > flatcar-install.ign ``` diff --git a/examples/groups/flatcar-install/flatcar.json b/examples/groups/flatcar-install/flatcar.json index 43355284..1ac1d5b0 100644 --- a/examples/groups/flatcar-install/flatcar.json +++ b/examples/groups/flatcar-install/flatcar.json @@ -5,6 +5,5 @@ "selector": { "os": "installed" }, - "metadata": { - } + "metadata": {} } diff --git a/examples/groups/flatcar-install/install.json b/examples/groups/flatcar-install/install.json index a6dba384..a43d530d 100644 --- a/examples/groups/flatcar-install/install.json +++ b/examples/groups/flatcar-install/install.json @@ -2,10 +2,5 @@ "id": "stage-0", "name": "Flatcar Linux install", "profile": "flatcar-install", - "metadata": { - "os_channel": "stable", - "os_version": "2605.6.0", - "ignition_endpoint": "http://matchbox.example.com:8080/ignition", - "baseurl": "http://matchbox.example.com:8080/assets/flatcar" - } + "metadata": {} } diff --git a/examples/ignition/flatcar-install.ign b/examples/ignition/flatcar-install.ign new file mode 100644 index 00000000..e35d18e4 --- /dev/null +++ b/examples/ignition/flatcar-install.ign @@ -0,0 +1,36 @@ +{ + "ignition": { + "version": "3.3.0" + }, + "passwd": { + "users": [ + { + "name": "core", + "sshAuthorizedKeys": [ + "ssh-ed25519 SET_PUBKEY_HERE" + ] + } + ] + }, + "storage": { + "files": [ + { + "path": "/opt/installer", + "contents": { + "compression": "gzip", + "source": "data:;base64,H4sIAAAAAAAC/4SOsU4DMRBEe3/FEmrbx1EQRUIU/AMVzdrecEZrb+TdnC5/T3GhoaF8mhnNe3yIqfaYUBfwtLl8HQzeD7Jxg6cJvD9jZTgsZpdTjA0tL0m2QBu2C1PI0k7H6TjF+tWrVelvoq+1qyEzlQN4gd8kfKt0d2a0jMPfO/DpAHyBWGiNa8Gd30ENE9NOH/A8zy9hDtPOCf61QVUyjfezfVb/mFwLrVgaKJkxOb2pUcvGMCiJmPsJAAD//1GtasgbAQAA" + }, + "mode": 320 + } + ] + }, + "systemd": { + "units": [ + { + "contents": "[Unit]\nRequires=network-online.target\nAfter=network-online.target\n[Service]\nType=simple\nExecStart=/opt/installer\n[Install]\nWantedBy=multi-user.target\n", + "enabled": true, + "name": "installer.service" + } + ] + } +} diff --git a/examples/ignition/flatcar-install.yaml b/examples/ignition/flatcar-install.yaml index 855e6f2f..1e3f8f5a 100644 --- a/examples/ignition/flatcar-install.yaml +++ b/examples/ignition/flatcar-install.yaml @@ -1,8 +1,10 @@ --- +variant: flatcar +version: 1.0.0 systemd: units: - name: installer.service - enable: true + enabled: true contents: | [Unit] Requires=network-online.target @@ -15,28 +17,22 @@ systemd: storage: files: - path: /opt/installer - filesystem: root mode: 0500 contents: inline: | #!/bin/bash -ex - curl --retry 10 --fail "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json + curl --retry 10 --fail "http://matchbox.example.com:8080/ignition?os=installed" -o ignition.json flatcar-install \ - -d /dev/sda \ - -C {{.os_channel}} \ - -V {{.os_version}} \ - {{- if index . "baseurl"}}-b {{.baseurl}} \{{end}} + -d /dev/vda \ + -C stable \ + -V 3227.2.0 \ + -b http://matchbox.example.com:8080/assets/flatcar \ -i ignition.json udevadm settle systemctl reboot -{{ if index . "ssh_authorized_keys" }} passwd: users: - name: core ssh_authorized_keys: - {{ range $element := .ssh_authorized_keys }} - - {{$element}} - {{end}} -{{end}} - + - ssh-ed25519 SET_PUBKEY_HERE diff --git a/examples/ignition/flatcar.ign b/examples/ignition/flatcar.ign new file mode 100644 index 00000000..393a4ef4 --- /dev/null +++ b/examples/ignition/flatcar.ign @@ -0,0 +1,15 @@ +{ + "ignition": { + "version": "3.3.0" + }, + "passwd": { + "users": [ + { + "name": "core", + "sshAuthorizedKeys": [ + "ssh-ed25519 SET_PUBKEY_HERE" + ] + } + ] + } +} diff --git a/examples/ignition/flatcar.yaml b/examples/ignition/flatcar.yaml index e0c3edad..cd203412 100644 --- a/examples/ignition/flatcar.yaml +++ b/examples/ignition/flatcar.yaml @@ -1,10 +1,7 @@ ---- -{{ if index . "ssh_authorized_keys" }} +variant: flatcar +version: 1.0.0 passwd: users: - name: core ssh_authorized_keys: - {{ range $element := .ssh_authorized_keys }} - - {{$element}} - {{end}} -{{end}} + - ssh-ed25519 SET_PUBKEY_HERE diff --git a/examples/profiles/flatcar-install.json b/examples/profiles/flatcar-install.json index f82f78a9..37f95365 100644 --- a/examples/profiles/flatcar-install.json +++ b/examples/profiles/flatcar-install.json @@ -2,18 +2,16 @@ "id": "flatcar-install", "name": "Flatcar Linux install to disk", "boot": { - "kernel": "/assets/flatcar/2605.6.0/flatcar_production_pxe.vmlinuz", + "kernel": "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz", "initrd": [ - "/assets/flatcar/2605.6.0/flatcar_production_pxe_image.cpio.gz" + "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz" ], "args": [ "initrd=flatcar_production_pxe_image.cpio.gz", "flatcar.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}", "flatcar.first_boot=yes", - "console=tty0", - "console=ttyS0", "flatcar.autologin" ] }, - "ignition_id": "flatcar-install.yaml" + "ignition_id": "flatcar-install.ign" } diff --git a/examples/profiles/flatcar.json b/examples/profiles/flatcar.json index 4f84c216..84f7602c 100644 --- a/examples/profiles/flatcar.json +++ b/examples/profiles/flatcar.json @@ -2,18 +2,16 @@ "id": "flatcar", "name": "Flatcar Linux", "boot": { - "kernel": "/assets/flatcar/2605.6.0/flatcar_production_pxe.vmlinuz", + "kernel": "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz", "initrd": [ - "/assets/flatcar/2605.6.0/flatcar_production_pxe_image.cpio.gz" + "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz" ], "args": [ "initrd=flatcar_production_pxe_image.cpio.gz", "flatcar.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}", "flatcar.first_boot=yes", - "console=tty0", - "console=ttyS0", "flatcar.autologin" ] }, - "ignition_id": "flatcar.yaml" + "ignition_id": "flatcar.ign" } diff --git a/examples/terraform/fedora-coreos-install/profiles.tf b/examples/terraform/fedora-coreos-install/profiles.tf index 55a49c8c..2dced270 100644 --- a/examples/terraform/fedora-coreos-install/profiles.tf +++ b/examples/terraform/fedora-coreos-install/profiles.tf @@ -1,15 +1,15 @@ // Fedora CoreOS profile resource "matchbox_profile" "fedora-coreos-install" { name = "worker" - kernel = "https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-kernel-x86_64" + kernel = "/assets/fedora-coreos/fedora-coreos-${var.os_version}-live-kernel-x86_64" initrd = [ - "--name main https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img" + "--name main /assets/fedora-coreos/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img" ] args = [ "initrd=main", - "coreos.live.rootfs_url=https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img", - "coreos.inst.install_dev=/dev/sda", + "coreos.live.rootfs_url=${var.matchbox_http_endpoint}/assets/fedora-coreos/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img", + "coreos.inst.install_dev=/dev/vda", "coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}", ] diff --git a/examples/terraform/fedora-coreos-install/provider.tf b/examples/terraform/fedora-coreos-install/provider.tf index 39db99f4..67a73066 100644 --- a/examples/terraform/fedora-coreos-install/provider.tf +++ b/examples/terraform/fedora-coreos-install/provider.tf @@ -10,7 +10,7 @@ terraform { required_providers { ct = { source = "poseidon/ct" - version = "0.10.0" + version = "0.11.0" } matchbox = { source = "poseidon/matchbox" diff --git a/examples/terraform/flatcar-install/clc/flatcar-install.yaml b/examples/terraform/flatcar-install/butane/flatcar-install.yaml similarity index 64% rename from examples/terraform/flatcar-install/clc/flatcar-install.yaml rename to examples/terraform/flatcar-install/butane/flatcar-install.yaml index 5bb44ef7..71485241 100644 --- a/examples/terraform/flatcar-install/clc/flatcar-install.yaml +++ b/examples/terraform/flatcar-install/butane/flatcar-install.yaml @@ -1,8 +1,10 @@ --- +variant: flatcar +version: 1.0.0 systemd: units: - name: installer.service - enable: true + enabled: true contents: | [Unit] Requires=network-online.target @@ -15,17 +17,14 @@ systemd: storage: files: - path: /opt/installer - filesystem: root mode: 0500 contents: inline: | #!/bin/bash -ex - curl --retry 10 "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json + curl --retry 10 "${matchbox_http_endpoint}/ignition?os=installed" -o ignition.json flatcar-install \ - -d /dev/sda \ - -C stable \ - -V current \ - {{- if index . "baseurl"}}-b {{.baseurl}} \{{end}} + -d /dev/vda \ + -b ${matchbox_http_endpoint}/assets/flatcar \ -i ignition.json udevadm settle systemctl reboot @@ -33,4 +32,4 @@ passwd: users: - name: core ssh_authorized_keys: - - {{.ssh_authorized_key}} + - ${ssh_authorized_key} diff --git a/examples/terraform/flatcar-install/clc/flatcar.yaml b/examples/terraform/flatcar-install/butane/flatcar.yaml similarity index 50% rename from examples/terraform/flatcar-install/clc/flatcar.yaml rename to examples/terraform/flatcar-install/butane/flatcar.yaml index 9473100e..9c16cb70 100644 --- a/examples/terraform/flatcar-install/clc/flatcar.yaml +++ b/examples/terraform/flatcar-install/butane/flatcar.yaml @@ -1,6 +1,8 @@ --- +variant: flatcar +version: 1.0.0 passwd: users: - name: core ssh_authorized_keys: - - {{.ssh_authorized_key}} + - ${ssh_authorized_key} diff --git a/examples/terraform/flatcar-install/groups.tf b/examples/terraform/flatcar-install/groups.tf index b4bb2300..8115ca84 100644 --- a/examples/terraform/flatcar-install/groups.tf +++ b/examples/terraform/flatcar-install/groups.tf @@ -2,24 +2,14 @@ resource "matchbox_group" "default" { name = "default" profile = matchbox_profile.flatcar-install.name - - # no selector means all machines can be matched - metadata = { - ignition_endpoint = "${var.matchbox_http_endpoint}/ignition" - ssh_authorized_key = var.ssh_authorized_key - } } -// Match machines which have CoreOS Container Linux installed -resource "matchbox_group" "node1" { - name = "node1" +// Match install stage Flatcar Linux machines +resource "matchbox_group" "stage-1" { + name = "worker" profile = matchbox_profile.worker.name selector = { os = "installed" } - - metadata = { - ssh_authorized_key = var.ssh_authorized_key - } } diff --git a/examples/terraform/flatcar-install/profiles.tf b/examples/terraform/flatcar-install/profiles.tf index 6c4451af..163ce336 100644 --- a/examples/terraform/flatcar-install/profiles.tf +++ b/examples/terraform/flatcar-install/profiles.tf @@ -1,24 +1,38 @@ // Create a flatcar-install profile resource "matchbox_profile" "flatcar-install" { name = "flatcar-install" - kernel = "http://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_pxe.vmlinuz" + kernel = "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz" initrd = [ - "http://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_pxe_image.cpio.gz", + "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz", ] args = [ "initrd=flatcar_production_pxe_image.cpio.gz", "flatcar.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}", "flatcar.first_boot=yes", - "console=tty0", - "console=ttyS0", ] - container_linux_config = file("./clc/flatcar-install.yaml") + raw_ignition = data.ct_config.install.rendered } +data "ct_config" "install" { + content = templatefile("butane/flatcar-install.yaml", { + matchbox_http_endpoint = var.matchbox_http_endpoint + ssh_authorized_key = var.ssh_authorized_key + }) + strict = true +} + + // Profile to set an SSH authorized key on first boot from disk resource "matchbox_profile" "worker" { - name = "worker" - container_linux_config = file("./clc/flatcar.yaml") + name = "worker" + raw_ignition = data.ct_config.worker.rendered +} + +data "ct_config" "worker" { + content = templatefile("butane/flatcar.yaml", { + ssh_authorized_key = var.ssh_authorized_key + }) + strict = true } diff --git a/examples/terraform/flatcar-install/provider.tf b/examples/terraform/flatcar-install/provider.tf index ee7e9a33..67a73066 100644 --- a/examples/terraform/flatcar-install/provider.tf +++ b/examples/terraform/flatcar-install/provider.tf @@ -8,9 +8,13 @@ provider "matchbox" { terraform { required_providers { + ct = { + source = "poseidon/ct" + version = "0.11.0" + } matchbox = { source = "poseidon/matchbox" - version = "0.4.1" + version = "0.5.0" } } } diff --git a/scripts/README.md b/scripts/README.md index 94dde018..8892471a 100644 --- a/scripts/README.md +++ b/scripts/README.md @@ -31,7 +31,7 @@ This will create: ``` examples/assets/flatcar/ -└── 2605.6.0 +└── 3227.2.0 ├── Flatcar_Image_Signing_Key.asc ├── flatcar_production_image.bin.bz2 ├── flatcar_production_image.bin.bz2.sig