metropolis/node/BUILD.bazel

load("@io_bazel_rules_go//go:def.bzl", "go_library")
load("//metropolis/node/build:def.bzl", "erofs_image", "verity_image")
load("//metropolis/node/build:efi.bzl", "efi_unified_kernel_image")
load("//metropolis/node/build/fwprune:def.bzl", "fsspec_linux_firmware")
load("//metropolis/node/build/mkucode:def.bzl", "cpio_ucode")
load("@rules_pkg//:pkg.bzl", "pkg_zip")

go_library(
    name = "node",
    srcs = [
        "ids.go",
        "net_ips.go",
        "net_protocols.go",
        "ports.go",
    ],
    importpath = "source.monogon.dev/metropolis/node",
    visibility = [
        "//metropolis:__subpackages__",
        "@io_k8s_kubernetes//pkg/registry:__subpackages__",
    ],
    deps = ["@com_github_vishvananda_netlink//:netlink"],
)

# debug_build checks if we're building in debug mode and enables various debug features for the image.
config_setting(
    name = "debug_build",
    values = {
        "compilation_mode": "dbg",
    },
)

fsspec_linux_firmware(
    name = "firmware",
    firmware_files = ["@linux-firmware//:all_files"],
    kernel = "//third_party/linux",
    metadata = "@linux-firmware//:metadata",
)

cpio_ucode(
    name = "ucode",
    ucode = {
        "@linux-firmware//:amd_ucode": "AuthenticAMD",
        "@intel_ucode//:fam6h": "GenuineIntel",
    },
    visibility = ["//metropolis:__subpackages__"],
)

erofs_image(
    name = "rootfs",
    files = {
        "//metropolis/node/core": "/core",

        # CA Certificate bundle & os-release & resolv.conf
        # These should not be explicitly used by Metropolis code and are only here for compatibility with
        # paths hardcoded by standard libraries (like Go's).
        "@cacerts//file": "/etc/ssl/cert.pem",
        "//metropolis/node/core/network/dns:resolv.conf": "/etc/resolv.conf",
        ":os-release-info": "/etc/os-release",

        # Metrics exporters
        "@com_github_prometheus_node_exporter//:node_exporter": "/metrics/bin/node_exporter",

        # Hyperkube
        "//metropolis/node/kubernetes/hyperkube": "/kubernetes/bin/kube",

        # CoreDNS
        "@com_github_coredns_coredns//:coredns": "/kubernetes/bin/coredns",

        # runsc/gVisor
        "@dev_gvisor_gvisor//runsc": "/containerd/bin/runsc",
        "@dev_gvisor_gvisor//shim": "/containerd/bin/containerd-shim-runsc-v1",

        # runc (runtime in files_cc because of cgo)
        "@com_github_containerd_containerd//cmd/containerd-shim-runc-v2": "/containerd/bin/containerd-shim-runc-v2",

        # Containerd
        "@com_github_containerd_containerd//cmd/containerd": "/containerd/bin/containerd",

        # Containerd config files
        "//metropolis/node/kubernetes/containerd:runsc.toml": "/containerd/conf/runsc.toml",
        "//metropolis/node/kubernetes/containerd:config.toml": "/containerd/conf/config.toml",
        "//metropolis/node/kubernetes/containerd:cnispec.gojson": "/containerd/conf/cnispec.gojson",

        # Containerd preseed bundles
        "//metropolis/test/e2e/preseedtest:preseedtest_image.tar": "/containerd/preseed/k8s.io/preseedtest.tar",
        "//metropolis/test/e2e/selftest:selftest_image.tar": "/containerd/preseed/k8s.io/selftest.tar",
        "//metropolis/vm/smoketest:smoketest_container.tar": "/containerd/preseed/k8s.io/smoketest.tar",

        # CNI Plugins
        "@com_github_containernetworking_plugins//plugins/main/loopback": "/containerd/bin/cni/loopback",
        "@com_github_containernetworking_plugins//plugins/main/ptp": "/containerd/bin/cni/ptp",
        "@com_github_containernetworking_plugins//plugins/ipam/host-local": "/containerd/bin/cni/host-local",

        # Delve
        "@com_github_go_delve_delve//cmd/dlv:dlv": "/dlv",
    },
    files_cc = {
        "//metropolis/node/core/minit": "/init",
        # runc runtime, with cgo
        "@com_github_opencontainers_runc//:runc": "/containerd/bin/runc",
        "@xfsprogs//:mkfs": "/bin/mkfs.xfs",
        "@chrony//:chrony": "/time/chrony",
    },
    fsspecs = [
        ":erofs-layout.fsspec",
        "//metropolis/node/build:earlydev.fsspec",
        ":firmware",
    ],
    symlinks = {
        "/ephemeral/machine-id": "/etc/machine-id",
        "/ephemeral/hosts": "/etc/hosts",
    },
)

verity_image(
    name = "verity_rootfs",
    source = ":rootfs",
)

efi_unified_kernel_image(
    name = "kernel_efi",
    cmdline = "console=ttyS0,115200 console=ttyS1,115200 console=tty0 quiet rootfstype=erofs init=/init",
    initrd = [":ucode"],
    kernel = "//third_party/linux",
    os_release = ":os-release-info",
    verity = ":verity_rootfs",
)

# An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
# to the actual bundle format.
# TODO(lorenz): Replace this
pkg_zip(
    name = "bundle",
    srcs = [
        ":kernel_efi",
        ":verity_rootfs",
    ],
    visibility = ["//visibility:public"],
)

genrule(
    name = "image",
    srcs = [
        ":kernel_efi",
        ":verity_rootfs",
    ],
    outs = [
        "node.img",
    ],
    cmd = """
    $(location //metropolis/node/build/mkimage) \
        -efi $(location :kernel_efi) \
        -system $(location :verity_rootfs) \
        -out $@
    """,
    tools = [
        "//metropolis/node/build/mkimage",
    ],
    visibility = [
        "//metropolis/cli/metroctl/test:__subpackages__",
        "//metropolis/test/e2e:__subpackages__",
        "//metropolis/test/launch:__subpackages__",
    ],
)

# Create a tar.gz of the image, suitable for importing to GCP as a custom image.
# (see https://cloud.google.com/compute/docs/import/import-existing-image#create_image_file)
#
# We can't use Bazel's "pkg_tar" rule because it insists on adding a "./" prefix to the
# file name inside the archive, which is not compatible with GCP's importer.
genrule(
    name = "image_gcp",
    srcs = [
        ":image",
    ],
    outs = [
        "node.tar.gz",
    ],
    cmd = """
    # make it reproducible and fast (it doesn't compress well anyway)
    export GZIP="--no-name --fast"

    ln -rs $< $(@D)/disk.raw  # GCP insists it be called "disk.raw"

    cd $(@D)
    tar --format=oldgnu --mtime='1970-01-01' -Sczhf node.tar.gz disk.raw
    """,
)

genrule(
    name = "swtpm_data",
    outs = [
        "tpm/tpm2-00.permall",
        "tpm/signkey.pem",
        "tpm/issuercert.pem",
    ],
    cmd = """
    mkdir -p tpm/ca

    cat <<EOF > tpm/swtpm.conf
create_certs_tool= /usr/share/swtpm/swtpm-localca
create_certs_tool_config = tpm/swtpm-localca.conf
create_certs_tool_options = /etc/swtpm-localca.options
EOF

    cat <<EOF > tpm/swtpm-localca.conf
statedir = tpm/ca
signingkey = tpm/ca/signkey.pem
issuercert = tpm/ca/issuercert.pem
certserial = tpm/ca/certserial
EOF

    swtpm_setup \
        --tpmstate tpm \
        --create-ek-cert \
        --create-platform-cert \
        --allow-signing \
        --tpm2 \
        --display \
        --pcr-banks sha1,sha256,sha384,sha512 \
        --config tpm/swtpm.conf

    cp tpm/tpm2-00.permall $(location tpm/tpm2-00.permall)
    cp tpm/ca/issuercert.pem $(location tpm/issuercert.pem)
    cp tpm/ca/signkey.pem $(location tpm/signkey.pem)
    """,
    visibility = [
        "//metropolis/cli/metroctl/test:__subpackages__",
        "//metropolis/test/e2e:__subpackages__",
        "//metropolis/test/launch:__subpackages__",
    ],
)

load("//metropolis/node/build/genosrelease:defs.bzl", "os_release")

os_release(
    name = "os-release-info",
    os_id = "metropolis-node",
    os_name = "Metropolis Node",
    stamp_var = "STABLE_METROPOLIS_version",
)