Date: Tue, 30 Sep 2025 15:23:33 GMT
Message-Id: <202509301523.58UFNXr2045551@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 43a765bdedda - stable/15 - release: Prepare EC2 cloudware images to be buildable as non-root
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 43a765bdeddaf53bfc3bf624aa52625251edcc4f
Auto-Submitted: auto-generated

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=43a765bdeddaf53bfc3bf624aa52625251edcc4f

commit 43a765bdeddaf53bfc3bf624aa52625251edcc4f
Author:     Mark Johnston
AuthorDate: 2025-09-16 16:53:35 +0000
Commit:     Mark Johnston
CommitDate: 2025-09-30 09:43:07 +0000

    release: Prepare EC2 cloudware images to be buildable as non-root

    - Avoid chrooting to uninstall pkg, as it will not be installed in the first place when in non-root mode.
    - Add metalog entries.

    Reviewed by:    cperciva
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D52452

    (cherry picked from commit 8027de008d9f3c5cd5509d586f14846abd0f3db2)
---
 release/tools/ec2-base.conf       |  1 +
 release/tools/ec2-builder.conf    |  5 +++++
 release/tools/ec2-cloud-init.conf |  1 +
 release/tools/ec2-small.conf      |  1 +
 release/tools/ec2.conf            | 31 ++++++++++++++++++++-----------
 5 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/release/tools/ec2-base.conf b/release/tools/ec2-base.conf index 3ed20474a4e8..b6354db3d9d1 100644 --- a/release/tools/ec2-base.conf +++ b/release/tools/ec2-base.conf 
@@ -28,6 +28,7 @@ vm_extra_pre_umount() { # be "new" disks; there is no "previous boot" when they might have # been seen and used already. touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen + metalog_add_data ./var/db/ec2_ephemeral_diskseen # Configuration common to all EC2 AMIs ec2_common diff --git a/release/tools/ec2-builder.conf b/release/tools/ec2-builder.conf index 7927fc13a74d..993dffc565eb 100644 --- a/release/tools/ec2-builder.conf +++ b/release/tools/ec2-builder.conf @@ -28,6 +28,7 @@ vm_extra_pre_umount() { # be "new" disks; there is no "previous boot" when they might have # been seen and used already. touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen + metalog_add_data ./var/db/ec2_ephemeral_diskseen # Configuration common to all EC2 AMIs ec2_common @@ -37,21 +38,25 @@ vm_extra_pre_umount() { # Grab a copy of the ec2-base disk image, and compress it zstd < ${EC2BASEIMG} > ${DESTDIR}/image.zst + metalog_add_data ./image.zst # Disable fortune so we don't have extra noise at login chmod a-x ${DESTDIR}/usr/bin/fortune # Install the AMI-building script install -m 755 ${WORLDDIR}/release/tools/mkami.sh ${DESTDIR}/bin/mkami + metalog_add_data ./bin/mkami 0755 # Install an /etc/rc which juggles disks around for us install -m 755 ${WORLDDIR}/release/tools/rc.amibuilder ${DESTDIR}/etc + metalog_add_data ./etc/rc.amibuilder 0755 # We want to mount from the UFS disk and juggle disks first cat >> ${DESTDIR}/boot/loader.conf <<-EOF vfs.root.mountfrom="ufs:/dev/gpt/rootfs" init_script="/etc/rc.amibuilder" EOF + metalog_add_data ./boot/loader.conf return 0 } diff --git a/release/tools/ec2-cloud-init.conf b/release/tools/ec2-cloud-init.conf index 048202e252f6..2a15ae5c57d8 100644 --- a/release/tools/ec2-cloud-init.conf +++ b/release/tools/ec2-cloud-init.conf @@ -27,6 +27,7 @@ vm_extra_pre_umount() { doas: - permit nopass ec2-user EOF + metalog_add_data ./usr/local/etc/cloud/cloud.cfg.d/98_ec2.cfg return 0 } 
diff --git a/release/tools/ec2-small.conf b/release/tools/ec2-small.conf index 858836717f5a..e2a348d6ba8f 100644 --- a/release/tools/ec2-small.conf +++ b/release/tools/ec2-small.conf @@ -33,6 +33,7 @@ vm_extra_pre_umount() { # be "new" disks; there is no "previous boot" when they might have # been seen and used already. touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen + metalog_add_data ./var/db/ec2_ephemeral_diskseen # Configuration common to all EC2 AMIs ec2_common diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf index 31f40962b19d..aecaabfcd277 100644 --- a/release/tools/ec2.conf +++ b/release/tools/ec2.conf @@ -22,17 +22,27 @@ export NOSWAP=YES ec2_common() { # Delete the pkg package and the repo database; they will likely be - # long out of date before the EC2 instance is launched. - mount -t devfs devfs ${DESTDIR}/dev - chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \ - /usr/sbin/pkg delete -f -y pkg - umount ${DESTDIR}/dev - rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports - rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods + # long out of date before the EC2 instance is launched. In + # unprivileged builds this is unnecessary as pkg will not be + # installed to begin with. + if [ -z "${NO_ROOT}" ]; then + mount -t devfs devfs ${DESTDIR}/dev + chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \ + /usr/sbin/pkg delete -f -y pkg + umount ${DESTDIR}/dev + rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports + rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods + fi # Turn off IPv6 Duplicate Address Detection; the EC2 networking # configuration makes it unnecessary. echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf + metalog_add_data ./etc/sysctl.conf + + # Tell gptboot not to wait 3 seconds for a keypress which will + # never arrive. + printf -- "-n\n" > ${DESTDIR}/boot.config + metalog_add_data ./boot.config # Booting quickly is more important than giving users a chance to # access the boot loader via the serial port. 
@@ -43,10 +53,6 @@ ec2_common() { # default 2048 bytes of entropy; ask for 64 bytes instead. echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf - # Tell gptboot not to wait 3 seconds for a keypress which will - # never arrive. - printf -- "-n\n" > ${DESTDIR}/boot.config - # The emulated keyboard attached to EC2 instances is inaccessible to # users, and there is no mouse attached at all; disable to keyboard # and the keyboard controller (to which the mouse would attach, if @@ -93,6 +99,7 @@ ec2_common() { # by pressing the "Attention button" a second time, but in the EC2 # environment this delay serves no purpose. echo 'hw.pci.pcie_hp_detach_timeout="0"' >> ${DESTDIR}/boot/loader.conf + metalog_add_data ./boot/loader.conf # Disable KbdInteractiveAuthentication according to EC2 requirements. sed -i '' -e \ @@ -127,6 +134,7 @@ REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availabilit echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/" EOF chmod 755 ${DESTDIR}/etc/autofs/special_efs + metalog_add_data ./etc/autofs/special_efs 0755 # The first time the AMI boots, run "first boot" scripts. touch ${DESTDIR}/firstboot @@ -157,6 +165,7 @@ ec2_base_networking () { /usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1 EOF chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M + metalog_add_data ./usr/local/libexec/rtsold-M 0755 return 0 }
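Review bot: In release/tools/ec2-builder.conf, the hunk at @@ -37,21 +38,25 @@ leaves `chmod a-x ${DESTDIR}/usr/bin/fortune` without a matching metalog update, while the two `install -m 755` lines beside it each get a `metalog_add_data ... 0755` entry. If the non-root image takes file modes from the metalog rather than from the staging tree, the mode change on fortune would not reach the image. Either record the new mode for ./usr/bin/fortune or extend the comment to say why it is deliberately left out.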
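Review bot: In release/tools/ec2.conf, the first hunk of ec2_common adds `metalog_add_data ./etc/sysctl.conf` after an append (`>>`) to a file that already exists, so the path is presumably in the metalog already. The same applies to ./boot/loader.conf, which is registered at the end of ec2_common and again at the end of vm_extra_pre_umount in ec2-builder.conf, where ec2_common runs first. Please confirm that metalog_add_data handles a path that is already recorded, and that an entry added without a mode argument does not change the mode or ownership of the installed file; a one-line comment at the first such call would document the assumption.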
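Review bot: In release/tools/ec2.conf, the hunk at @@ -127,6 +134,7 @@ registers ./etc/autofs/special_efs, but its trailing context creates a new file with `touch ${DESTDIR}/firstboot` and no metalog entry for it is visible anywhere in this patch. ./var/db/ec2_ephemeral_diskseen is created the same way and does get an entry in ec2-base.conf, ec2-builder.conf and ec2-small.conf. If ./firstboot is not covered outside the visible context, add `metalog_add_data ./firstboot` so that images built without root still carry the file that triggers the first-boot scripts.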