Date:      Tue, 30 Sep 2025 15:23:33 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 43a765bdedda - stable/15 - release: Prepare EC2 cloudware images to be buildable as non-root
Message-ID:  <202509301523.58UFNXr2045551@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=43a765bdeddaf53bfc3bf624aa52625251edcc4f

commit 43a765bdeddaf53bfc3bf624aa52625251edcc4f
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-09-16 16:53:35 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-09-30 09:43:07 +0000

    release: Prepare EC2 cloudware images to be buildable as non-root
    
    - Avoid chrooting to uninstall pkg, as it will not be installed in the
      first place when in non-root mode.
    - Add metalog entries.
    
    Reviewed by:    cperciva
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D52452
    
    (cherry picked from commit 8027de008d9f3c5cd5509d586f14846abd0f3db2)
---
 release/tools/ec2-base.conf       |  1 +
 release/tools/ec2-builder.conf    |  5 +++++
 release/tools/ec2-cloud-init.conf |  1 +
 release/tools/ec2-small.conf      |  1 +
 release/tools/ec2.conf            | 31 ++++++++++++++++++++-----------
 5 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/release/tools/ec2-base.conf b/release/tools/ec2-base.conf
index 3ed20474a4e8..b6354db3d9d1 100644
--- a/release/tools/ec2-base.conf
+++ b/release/tools/ec2-base.conf
@@ -28,6 +28,7 @@ vm_extra_pre_umount() {
 	# be "new" disks; there is no "previous boot" when they might have
 	# been seen and used already.
 	touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+	metalog_add_data ./var/db/ec2_ephemeral_diskseen
 
 	# Configuration common to all EC2 AMIs
 	ec2_common
diff --git a/release/tools/ec2-builder.conf b/release/tools/ec2-builder.conf
index 7927fc13a74d..993dffc565eb 100644
--- a/release/tools/ec2-builder.conf
+++ b/release/tools/ec2-builder.conf
@@ -28,6 +28,7 @@ vm_extra_pre_umount() {
 	# be "new" disks; there is no "previous boot" when they might have
 	# been seen and used already.
 	touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+	metalog_add_data ./var/db/ec2_ephemeral_diskseen
 
 	# Configuration common to all EC2 AMIs
 	ec2_common
@@ -37,21 +38,25 @@ vm_extra_pre_umount() {
 
 	# Grab a copy of the ec2-base disk image, and compress it
 	zstd < ${EC2BASEIMG} > ${DESTDIR}/image.zst
+	metalog_add_data ./image.zst
 
 	# Disable fortune so we don't have extra noise at login
 	chmod a-x ${DESTDIR}/usr/bin/fortune
 
 	# Install the AMI-building script
 	install -m 755 ${WORLDDIR}/release/tools/mkami.sh ${DESTDIR}/bin/mkami
+	metalog_add_data ./bin/mkami 0755
 
 	# Install an /etc/rc which juggles disks around for us
 	install -m 755 ${WORLDDIR}/release/tools/rc.amibuilder ${DESTDIR}/etc
+	metalog_add_data ./etc/rc.amibuilder 0755
 
 	# We want to mount from the UFS disk and juggle disks first
 	cat >> ${DESTDIR}/boot/loader.conf <<-EOF
 		vfs.root.mountfrom="ufs:/dev/gpt/rootfs"
 		init_script="/etc/rc.amibuilder"
 	EOF
+	metalog_add_data ./boot/loader.conf
 
 	return 0
 }
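Review bot: The `chmod a-x ${DESTDIR}/usr/bin/fortune` step in this hunk is the one change to the staged tree that gets no metalog entry. If the non-root image takes file modes from the metalog rather than from the staging directory (which the explicit `0755` arguments on the neighbouring lines suggest), fortune would presumably keep its installed mode and the login noise this step is meant to suppress would come back. Consider recording the new mode right after the chmod, e.g. `metalog_add_data ./usr/bin/fortune <mode-without-exec-bits>`, or adding a comment explaining why no entry is needed. vm_extra_pre_umount begins before this hunk.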
diff --git a/release/tools/ec2-cloud-init.conf b/release/tools/ec2-cloud-init.conf
index 048202e252f6..2a15ae5c57d8 100644
--- a/release/tools/ec2-cloud-init.conf
+++ b/release/tools/ec2-cloud-init.conf
@@ -27,6 +27,7 @@ vm_extra_pre_umount() {
 		    doas:
 		    - permit nopass ec2-user
 	EOF
+	metalog_add_data ./usr/local/etc/cloud/cloud.cfg.d/98_ec2.cfg
 
 	return 0
 }
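Review bot: The entry for `98_ec2.cfg` leaves the mode to whatever `metalog_add_data` defaults to, even though the visible tail of the file carries a `permit nopass ec2-user` doas rule. For a file that grants passwordless privilege I would pin the intended mode explicitly, as this commit already does for the installed scripts: `metalog_add_data ./usr/local/etc/cloud/cloud.cfg.d/98_ec2.cfg 0644`. The function starts outside the hunk, so it is not visible whether the `cloud.cfg.d` directory is created here; if it is, it probably needs its own entry as well.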
diff --git a/release/tools/ec2-small.conf b/release/tools/ec2-small.conf
index 858836717f5a..e2a348d6ba8f 100644
--- a/release/tools/ec2-small.conf
+++ b/release/tools/ec2-small.conf
@@ -33,6 +33,7 @@ vm_extra_pre_umount() {
 	# be "new" disks; there is no "previous boot" when they might have
 	# been seen and used already.
 	touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen
+	metalog_add_data ./var/db/ec2_ephemeral_diskseen
 
 	# Configuration common to all EC2 AMIs
 	ec2_common
diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf
index 31f40962b19d..aecaabfcd277 100644
--- a/release/tools/ec2.conf
+++ b/release/tools/ec2.conf
@@ -22,17 +22,27 @@ export NOSWAP=YES
 
 ec2_common() {
 	# Delete the pkg package and the repo database; they will likely be
-	# long out of date before the EC2 instance is launched.
-	mount -t devfs devfs ${DESTDIR}/dev
-	chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
-		/usr/sbin/pkg delete -f -y pkg
-	umount ${DESTDIR}/dev
-	rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports
-	rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods
+	# long out of date before the EC2 instance is launched.  In
+	# unprivileged builds this is unnecessary as pkg will not be
+	# installed to begin with.
+	if [ -z "${NO_ROOT}" ]; then
+		mount -t devfs devfs ${DESTDIR}/dev
+		chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
+			/usr/sbin/pkg delete -f -y pkg
+		umount ${DESTDIR}/dev
+		rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports
+		rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods
+	fi
 
 	# Turn off IPv6 Duplicate Address Detection; the EC2 networking
 	# configuration makes it unnecessary.
 	echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf
+	metalog_add_data ./etc/sysctl.conf
+
+	# Tell gptboot not to wait 3 seconds for a keypress which will
+	# never arrive.
+	printf -- "-n\n" > ${DESTDIR}/boot.config
+	metalog_add_data ./boot.config
 
 	# Booting quickly is more important than giving users a chance to
 	# access the boot loader via the serial port.
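Review bot: The new `if [ -z "${NO_ROOT}" ]` guard skips the pkg cleanup on the assumption stated in the comment, but nothing verifies that assumption. If a non-root build ever stages pkg or its repository catalogues, they would ship in the AMI stale, which is what the comment says this block exists to prevent. A cheap check in an else branch would surface that instead of passing silently: `elif [ -d ${DESTDIR}/var/db/pkg/repos ]; then echo "ec2_common: pkg repo catalogues present in NO_ROOT build" >&2; return 1`. ec2_common continues past the end of this hunk.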
@@ -43,10 +53,6 @@ ec2_common() {
 	# default 2048 bytes of entropy; ask for 64 bytes instead.
 	echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf
 
-	# Tell gptboot not to wait 3 seconds for a keypress which will
-	# never arrive.
-	printf -- "-n\n" > ${DESTDIR}/boot.config
-
 	# The emulated keyboard attached to EC2 instances is inaccessible to
 	# users, and there is no mouse attached at all; disable to keyboard
 	# and the keyboard controller (to which the mouse would attach, if
@@ -93,6 +99,7 @@ ec2_common() {
 	# by pressing the "Attention button" a second time, but in the EC2
 	# environment this delay serves no purpose.
 	echo 'hw.pci.pcie_hp_detach_timeout="0"' >> ${DESTDIR}/boot/loader.conf
+	metalog_add_data ./boot/loader.conf
 
 	# Disable KbdInteractiveAuthentication according to EC2 requirements.
 	sed -i '' -e \
@@ -127,6 +134,7 @@ REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availabilit
 echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/"
 EOF
 	chmod 755 ${DESTDIR}/etc/autofs/special_efs
+	metalog_add_data ./etc/autofs/special_efs 0755
 
 	# The first time the AMI boots, run "first boot" scripts.
 	touch ${DESTDIR}/firstboot
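Review bot: The `touch ${DESTDIR}/firstboot` on the last line of this hunk creates a new file in the image root, yet no `metalog_add_data ./firstboot` is visible, unlike the `ec2_ephemeral_diskseen` marker the other conf files now register. If the non-root image is populated from the metalog, the marker could be missing and the "first boot" scripts the comment refers to would not run on the AMI's initial boot. The function continues outside the hunk, so the entry may be added there or by shared code; if not, add `metalog_add_data ./firstboot` directly after the touch.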
@@ -157,6 +165,7 @@ ec2_base_networking () {
 /usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
 EOF
 	chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M
+	metalog_add_data ./usr/local/libexec/rtsold-M 0755
 
 	return 0
 }


