metropolis/node/BUILD.bazel - monogon - Gitiles

 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("//metropolis/node/build:def.bzl", "erofs_image", "verity_image")
 load("//metropolis/node/build:efi.bzl", "efi_unified_kernel_image")
 load("//metropolis/node/build/fwprune:def.bzl", "fsspec_linux_firmware")
 load("//metropolis/node/build/mkucode:def.bzl", "cpio_ucode")
 load("@rules_pkg//:pkg.bzl", "pkg_zip")

 go_library(
     name = "node",
     srcs = [
         "ids.go",
         "ports.go",
     ],
     importpath = "source.monogon.dev/metropolis/node",
     visibility = ["//metropolis:__subpackages__"],
 )

 # debug_build checks if we're building in debug mode and enables various debug features for the image.
 config_setting(
     name = "debug_build",
     values = {
         "compilation_mode": "dbg",
     },
 )

 fsspec_linux_firmware(
     name = "firmware",
     firmware_files = ["@linux-firmware//:all_files"],
     kernel = "//third_party/linux",
     metadata = "@linux-firmware//:metadata",
 )

 cpio_ucode(
     name = "ucode",
     ucode = {
         "@linux-firmware//:amd_ucode": "AuthenticAMD",
         "@intel_ucode//:fam6h": "GenuineIntel",
     },
     visibility = ["//metropolis:__subpackages__"],
 )

 erofs_image(
     name = "rootfs",
     files = {
         "//metropolis/node/core": "/core",

         # CA Certificate bundle & os-release & resolv.conf
         # These should not be explicitly used by Metropolis code and are only here for compatibility with
         # paths hardcoded by standard libraries (like Go's).
         "@cacerts//file": "/etc/ssl/cert.pem",
         "//metropolis/node/core/network/dns:resolv.conf": "/etc/resolv.conf",
         ":os-release-info": "/etc/os-release",

         # Hyperkube
         "//metropolis/node/kubernetes/hyperkube": "/kubernetes/bin/kube",

         # CoreDNS
         "@com_github_coredns_coredns//:coredns": "/kubernetes/bin/coredns",

         # runsc/gVisor
         "@dev_gvisor_gvisor//runsc": "/containerd/bin/runsc",
         "@dev_gvisor_gvisor//shim": "/containerd/bin/containerd-shim-runsc-v1",

         # runc (runtime in files_cc because of cgo)
         "@com_github_containerd_containerd//cmd/containerd-shim-runc-v2": "/containerd/bin/containerd-shim-runc-v2",

         # Containerd
         "@com_github_containerd_containerd//cmd/containerd": "/containerd/bin/containerd",

         # Containerd config files
         "//metropolis/node/kubernetes/containerd:runsc.toml": "/containerd/conf/runsc.toml",
         "//metropolis/node/kubernetes/containerd:config.toml": "/containerd/conf/config.toml",
         "//metropolis/node/kubernetes/containerd:cnispec.gojson": "/containerd/conf/cnispec.gojson",

         # Containerd preseed bundles
         "//metropolis/test/e2e/preseedtest:preseedtest_image.tar": "/containerd/preseed/k8s.io/preseedtest.tar",
         "//metropolis/vm/smoketest:smoketest_container.tar": "/containerd/preseed/k8s.io/smoketest.tar",

         # CNI Plugins
         "@com_github_containernetworking_plugins//plugins/main/loopback": "/containerd/bin/cni/loopback",
         "@com_github_containernetworking_plugins//plugins/main/ptp": "/containerd/bin/cni/ptp",
         "@com_github_containernetworking_plugins//plugins/ipam/host-local": "/containerd/bin/cni/host-local",

         # Delve
         "@com_github_go_delve_delve//cmd/dlv:dlv": "/dlv",
     },
     files_cc = {
         "//metropolis/node/core/minit": "/init",
         # runc runtime, with cgo
         "@com_github_opencontainers_runc//:runc": "/containerd/bin/runc",
         "@xfsprogs//:mkfs": "/bin/mkfs.xfs",
         "@chrony//:chrony": "/time/chrony",
     },
     fsspecs = [
         ":erofs-layout.fsspec",
         "//metropolis/node/build:earlydev.fsspec",
         ":firmware",
     ],
     symlinks = {
         "/ephemeral/machine-id": "/etc/machine-id",
         "/ephemeral/hosts": "/etc/hosts",
     },
 )

 verity_image(
     name = "verity_rootfs",
     source = ":rootfs",
 )

 efi_unified_kernel_image(
     name = "kernel_efi",
     cmdline = "console=ttyS0,115200 console=tty0 quiet rootfstype=erofs init=/init",
     initrd = [":ucode"],
     kernel = "//third_party/linux",
     os_release = ":os-release-info",
     verity = ":verity_rootfs",
 )

 # An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
 # to the actual bundle format.
 # TODO(lorenz): Replace this
 pkg_zip(
     name = "bundle",
     srcs = [
         ":kernel_efi",
         ":verity_rootfs",
     ],
     visibility = ["//visibility:public"],
 )

 genrule(
     name = "image",
     srcs = [
         ":kernel_efi",
         ":verity_rootfs",
     ],
     outs = [
         "node.img",
     ],
     cmd = """
     $(location //metropolis/node/build/mkimage) \
         -efi $(location :kernel_efi) \
         -system $(location :verity_rootfs) \
         -out $@
     """,
     tools = [
         "//metropolis/node/build/mkimage",
     ],
     visibility = [
         "//metropolis/test/e2e:__subpackages__",
         "//metropolis/test/launch:__subpackages__",
     ],
 )

 # Create a tar.gz of the image, suitable for importing to GCP as a custom image.
 # (see https://cloud.google.com/compute/docs/import/import-existing-image#create_image_file)
 #
 # We can't use Bazel's "pkg_tar" rule because it insists on adding a "./" prefix to the
 # file name inside the archive, which is not compatible with GCP's importer.
 genrule(
     name = "image_gcp",
     srcs = [
         ":image",
     ],
     outs = [
         "node.tar.gz",
     ],
     cmd = """
     # make it reproducible and fast (it doesn't compress well anyway)
     export GZIP="--no-name --fast"

     ln -rs $< $(@D)/disk.raw  # GCP insists it be called "disk.raw"

     cd $(@D)
     tar --format=oldgnu --mtime='1970-01-01' -Sczhf node.tar.gz disk.raw
     """,
 )

 genrule(
     name = "swtpm_data",
     outs = [
         "tpm/tpm2-00.permall",
         "tpm/signkey.pem",
         "tpm/issuercert.pem",
     ],
     cmd = """
     mkdir -p tpm/ca

     cat <<EOF > tpm/swtpm.conf
 create_certs_tool= /usr/share/swtpm/swtpm-localca
 create_certs_tool_config = tpm/swtpm-localca.conf
 create_certs_tool_options = /etc/swtpm-localca.options
 EOF

     cat <<EOF > tpm/swtpm-localca.conf
 statedir = tpm/ca
 signingkey = tpm/ca/signkey.pem
 issuercert = tpm/ca/issuercert.pem
 certserial = tpm/ca/certserial
 EOF

     swtpm_setup \
         --tpmstate tpm \
         --create-ek-cert \
         --create-platform-cert \
         --allow-signing \
         --tpm2 \
         --display \
         --pcr-banks sha1,sha256,sha384,sha512 \
         --config tpm/swtpm.conf

     cp tpm/tpm2-00.permall $(location tpm/tpm2-00.permall)
     cp tpm/ca/issuercert.pem $(location tpm/issuercert.pem)
     cp tpm/ca/signkey.pem $(location tpm/signkey.pem)
     """,
     visibility = [
         "//metropolis/test/e2e:__subpackages__",
         "//metropolis/test/launch:__subpackages__",
     ],
 )

 load("//metropolis/node/build/genosrelease:defs.bzl", "os_release")

 os_release(
     name = "os-release-info",
     os_id = "metropolis-node",
     os_name = "Metropolis Node",
     stamp_var = "STABLE_METROPOLIS_version",
 )
	load("@io_bazel_rules_go//go:def.bzl", "go_library")
	load("//metropolis/node/build:def.bzl", "erofs_image", "verity_image")
	load("//metropolis/node/build:efi.bzl", "efi_unified_kernel_image")
	load("//metropolis/node/build/fwprune:def.bzl", "fsspec_linux_firmware")
	load("//metropolis/node/build/mkucode:def.bzl", "cpio_ucode")
	load("@rules_pkg//:pkg.bzl", "pkg_zip")

	go_library(
	name = "node",
	srcs = [
	"ids.go",
	"ports.go",
	],
	importpath = "source.monogon.dev/metropolis/node",
	visibility = ["//metropolis:__subpackages__"],
	)

	# debug_build checks if we're building in debug mode and enables various debug features for the image.
	config_setting(
	name = "debug_build",
	values = {
	"compilation_mode": "dbg",
	},
	)

	fsspec_linux_firmware(
	name = "firmware",
	firmware_files = ["@linux-firmware//:all_files"],
	kernel = "//third_party/linux",
	metadata = "@linux-firmware//:metadata",
	)

	cpio_ucode(
	name = "ucode",
	ucode = {
	"@linux-firmware//:amd_ucode": "AuthenticAMD",
	"@intel_ucode//:fam6h": "GenuineIntel",
	},
	visibility = ["//metropolis:__subpackages__"],
	)

	erofs_image(
	name = "rootfs",
	files = {
	"//metropolis/node/core": "/core",

	# CA Certificate bundle & os-release & resolv.conf
	# These should not be explicitly used by Metropolis code and are only here for compatibility with
	# paths hardcoded by standard libraries (like Go's).
	"@cacerts//file": "/etc/ssl/cert.pem",
	"//metropolis/node/core/network/dns:resolv.conf": "/etc/resolv.conf",
	":os-release-info": "/etc/os-release",

	# Hyperkube
	"//metropolis/node/kubernetes/hyperkube": "/kubernetes/bin/kube",

	# CoreDNS
	"@com_github_coredns_coredns//:coredns": "/kubernetes/bin/coredns",

	# runsc/gVisor
	"@dev_gvisor_gvisor//runsc": "/containerd/bin/runsc",
	"@dev_gvisor_gvisor//shim": "/containerd/bin/containerd-shim-runsc-v1",

	# runc (runtime in files_cc because of cgo)
	"@com_github_containerd_containerd//cmd/containerd-shim-runc-v2": "/containerd/bin/containerd-shim-runc-v2",

	# Containerd
	"@com_github_containerd_containerd//cmd/containerd": "/containerd/bin/containerd",

	# Containerd config files
	"//metropolis/node/kubernetes/containerd:runsc.toml": "/containerd/conf/runsc.toml",
	"//metropolis/node/kubernetes/containerd:config.toml": "/containerd/conf/config.toml",
	"//metropolis/node/kubernetes/containerd:cnispec.gojson": "/containerd/conf/cnispec.gojson",

	# Containerd preseed bundles
	"//metropolis/test/e2e/preseedtest:preseedtest_image.tar": "/containerd/preseed/k8s.io/preseedtest.tar",
	"//metropolis/vm/smoketest:smoketest_container.tar": "/containerd/preseed/k8s.io/smoketest.tar",

	# CNI Plugins
	"@com_github_containernetworking_plugins//plugins/main/loopback": "/containerd/bin/cni/loopback",
	"@com_github_containernetworking_plugins//plugins/main/ptp": "/containerd/bin/cni/ptp",
	"@com_github_containernetworking_plugins//plugins/ipam/host-local": "/containerd/bin/cni/host-local",

	# Delve
	"@com_github_go_delve_delve//cmd/dlv:dlv": "/dlv",
	},
	files_cc = {
	"//metropolis/node/core/minit": "/init",
	# runc runtime, with cgo
	"@com_github_opencontainers_runc//:runc": "/containerd/bin/runc",
	"@xfsprogs//:mkfs": "/bin/mkfs.xfs",
	"@chrony//:chrony": "/time/chrony",
	},
	fsspecs = [
	":erofs-layout.fsspec",
	"//metropolis/node/build:earlydev.fsspec",
	":firmware",
	],
	symlinks = {
	"/ephemeral/machine-id": "/etc/machine-id",
	"/ephemeral/hosts": "/etc/hosts",
	},
	)

	verity_image(
	name = "verity_rootfs",
	source = ":rootfs",
	)

	efi_unified_kernel_image(
	name = "kernel_efi",
	cmdline = "console=ttyS0,115200 console=tty0 quiet rootfstype=erofs init=/init",
	initrd = [":ucode"],
	kernel = "//third_party/linux",
	os_release = ":os-release-info",
	verity = ":verity_rootfs",
	)

	# An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
	# to the actual bundle format.
	# TODO(lorenz): Replace this
	pkg_zip(
	name = "bundle",
	srcs = [
	":kernel_efi",
	":verity_rootfs",
	],
	visibility = ["//visibility:public"],
	)

	genrule(
	name = "image",
	srcs = [
	":kernel_efi",
	":verity_rootfs",
	],
	outs = [
	"node.img",
	],
	cmd = """
	$(location //metropolis/node/build/mkimage) \
	-efi $(location :kernel_efi) \
	-system $(location :verity_rootfs) \
	-out $@
	""",
	tools = [
	"//metropolis/node/build/mkimage",
	],
	visibility = [
	"//metropolis/test/e2e:__subpackages__",
	"//metropolis/test/launch:__subpackages__",
	],
	)

	# Create a tar.gz of the image, suitable for importing to GCP as a custom image.
	# (see https://cloud.google.com/compute/docs/import/import-existing-image#create_image_file)
	#
	# We can't use Bazel's "pkg_tar" rule because it insists on adding a "./" prefix to the
	# file name inside the archive, which is not compatible with GCP's importer.
	genrule(
	name = "image_gcp",
	srcs = [
	":image",
	],
	outs = [
	"node.tar.gz",
	],
	cmd = """
	# make it reproducible and fast (it doesn't compress well anyway)
	export GZIP="--no-name --fast"

	ln -rs $< $(@D)/disk.raw # GCP insists it be called "disk.raw"

	cd $(@D)
	tar --format=oldgnu --mtime='1970-01-01' -Sczhf node.tar.gz disk.raw
	""",
	)

	genrule(
	name = "swtpm_data",
	outs = [
	"tpm/tpm2-00.permall",
	"tpm/signkey.pem",
	"tpm/issuercert.pem",
	],
	cmd = """
	mkdir -p tpm/ca

	cat <<EOF > tpm/swtpm.conf
	create_certs_tool= /usr/share/swtpm/swtpm-localca
	create_certs_tool_config = tpm/swtpm-localca.conf
	create_certs_tool_options = /etc/swtpm-localca.options
	EOF

	cat <<EOF > tpm/swtpm-localca.conf
	statedir = tpm/ca
	signingkey = tpm/ca/signkey.pem
	issuercert = tpm/ca/issuercert.pem
	certserial = tpm/ca/certserial
	EOF

	swtpm_setup \
	--tpmstate tpm \
	--create-ek-cert \
	--create-platform-cert \
	--allow-signing \
	--tpm2 \
	--display \
	--pcr-banks sha1,sha256,sha384,sha512 \
	--config tpm/swtpm.conf

	cp tpm/tpm2-00.permall $(location tpm/tpm2-00.permall)
	cp tpm/ca/issuercert.pem $(location tpm/issuercert.pem)
	cp tpm/ca/signkey.pem $(location tpm/signkey.pem)
	""",
	visibility = [
	"//metropolis/test/e2e:__subpackages__",
	"//metropolis/test/launch:__subpackages__",
	],
	)

	load("//metropolis/node/build/genosrelease:defs.bzl", "os_release")

	os_release(
	name = "os-release-info",
	os_id = "metropolis-node",
	os_name = "Metropolis Node",
	stamp_var = "STABLE_METROPOLIS_version",
	)