Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 0508c6df9ab35ebbf0f0367ba1f7ed74bdfb20c8 / . / metropolis / node / BUILD.bazel
blob: 7ff504fe5128f0d9ce6a0fcfba27be8e08b85154 [file] [log] [blame]
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]1load("@io_bazel_rules_go//go:def.bzl", "go_library")
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]2load("//metropolis/node/build:def.bzl", "erofs_image", "verity_image")
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]3load("//metropolis/node/build:efi.bzl", "efi_unified_kernel_image")
Lorenz Brun17c4c8b2022-02-01 12:59:47 +0100[diff] [blame]4load("//metropolis/node/build/fwprune:def.bzl", "fsspec_linux_firmware")
Lorenz Brun80deba52022-02-24 17:07:13 +0100[diff] [blame]5load("//metropolis/node/build/mkucode:def.bzl", "cpio_ucode")
Lorenz Brunf758ce42021-11-09 03:40:43 +0100[diff] [blame]6load("@rules_pkg//:pkg.bzl", "pkg_zip")
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]7
8go_library(
Lorenz Brund13c1c62022-03-30 19:58:58 +0200[diff] [blame]9 name = "node",
Lorenz Brune306d782021-09-01 13:01:06 +0200[diff] [blame]10 srcs = [
11 "ids.go",
Serge Bazanski93d593b2023-03-28 16:43:47 +0200[diff] [blame]12 "net_protocols.go",
Lorenz Brune306d782021-09-01 13:01:06 +0200[diff] [blame]13 "ports.go",
14 ],
Serge Bazanski31370b02021-01-07 16:31:14 +0100[diff] [blame]15 importpath = "source.monogon.dev/metropolis/node",
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]16 visibility = ["//metropolis:__subpackages__"],
Serge Bazanski93d593b2023-03-28 16:43:47 +0200[diff] [blame]17 deps = ["@com_github_vishvananda_netlink//:netlink"],
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]18)
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]19
Lorenz Brun313816f2020-12-22 16:52:26 +0100[diff] [blame]20# debug_build checks if we're building in debug mode and enables various debug features for the image.
Lorenz Brun70f65b22020-07-08 17:02:47 +0200[diff] [blame]21config_setting(
22 name = "debug_build",
23 values = {
24 "compilation_mode": "dbg",
25 },
26)
27
Lorenz Brun17c4c8b2022-02-01 12:59:47 +0100[diff] [blame]28fsspec_linux_firmware(
29 name = "firmware",
30 firmware_files = ["@linux-firmware//:all_files"],
31 kernel = "//third_party/linux",
Lorenz Brund3ce0ac2022-03-03 12:51:21 +0100[diff] [blame]32 metadata = "@linux-firmware//:metadata",
Lorenz Brun17c4c8b2022-02-01 12:59:47 +0100[diff] [blame]33)
34
Lorenz Brun80deba52022-02-24 17:07:13 +0100[diff] [blame]35cpio_ucode(
36 name = "ucode",
37 ucode = {
38 "@linux-firmware//:amd_ucode": "AuthenticAMD",
39 "@intel_ucode//:fam6h": "GenuineIntel",
40 },
41 visibility = ["//metropolis:__subpackages__"],
42)
43
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]44erofs_image(
45 name = "rootfs",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]46 files = {
Serge Bazanskieac8f732021-10-05 23:30:37 +0200[diff] [blame]47 "//metropolis/node/core": "/core",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]48
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]49 # CA Certificate bundle & os-release & resolv.conf
50 # These should not be explicitly used by Metropolis code and are only here for compatibility with
51 # paths hardcoded by standard libraries (like Go's).
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]52 "@cacerts//file": "/etc/ssl/cert.pem",
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]53 "//metropolis/node/core/network/dns:resolv.conf": "/etc/resolv.conf",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]54 ":os-release-info": "/etc/os-release",
55
56 # Hyperkube
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]57 "//metropolis/node/kubernetes/hyperkube": "/kubernetes/bin/kube",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]58
Lorenz Brun339582b2020-07-29 18:13:35 +0200[diff] [blame]59 # CoreDNS
60 "@com_github_coredns_coredns//:coredns": "/kubernetes/bin/coredns",
61
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]62 # runsc/gVisor
Lorenz Brund13c1c62022-03-30 19:58:58 +0200[diff] [blame]63 "@dev_gvisor_gvisor//runsc": "/containerd/bin/runsc",
64 "@dev_gvisor_gvisor//shim": "/containerd/bin/containerd-shim-runsc-v1",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]65
Lorenz Brun5e4fc2d2020-09-22 18:35:15 +0200[diff] [blame]66 # runc (runtime in files_cc because of cgo)
67 "@com_github_containerd_containerd//cmd/containerd-shim-runc-v2": "/containerd/bin/containerd-shim-runc-v2",
68
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]69 # Containerd
70 "@com_github_containerd_containerd//cmd/containerd": "/containerd/bin/containerd",
71
72 # Containerd config files
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]73 "//metropolis/node/kubernetes/containerd:runsc.toml": "/containerd/conf/runsc.toml",
74 "//metropolis/node/kubernetes/containerd:config.toml": "/containerd/conf/config.toml",
75 "//metropolis/node/kubernetes/containerd:cnispec.gojson": "/containerd/conf/cnispec.gojson",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]76
Lorenz Brun8b0431a2020-07-13 16:56:36 +0200[diff] [blame]77 # Containerd preseed bundles
Lorenz Brund13c1c62022-03-30 19:58:58 +0200[diff] [blame]78 "//metropolis/test/e2e/preseedtest:preseedtest_image.tar": "/containerd/preseed/k8s.io/preseedtest.tar",
Serge Bazanski9104e382023-04-04 20:08:21 +0200[diff] [blame]79 "//metropolis/test/e2e/selftest:selftest_image.tar": "/containerd/preseed/k8s.io/selftest.tar",
Lorenz Brun30167f52021-03-17 17:49:01 +0100[diff] [blame]80 "//metropolis/vm/smoketest:smoketest_container.tar": "/containerd/preseed/k8s.io/smoketest.tar",
Lorenz Brun8b0431a2020-07-13 16:56:36 +0200[diff] [blame]81
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]82 # CNI Plugins
83 "@com_github_containernetworking_plugins//plugins/main/loopback": "/containerd/bin/cni/loopback",
84 "@com_github_containernetworking_plugins//plugins/main/ptp": "/containerd/bin/cni/ptp",
85 "@com_github_containernetworking_plugins//plugins/ipam/host-local": "/containerd/bin/cni/host-local",
Serge Bazanskic3ae7582020-06-08 17:15:26 +0200[diff] [blame]86
Lorenz Brun70f65b22020-07-08 17:02:47 +0200[diff] [blame]87 # Delve
88 "@com_github_go_delve_delve//cmd/dlv:dlv": "/dlv",
Serge Bazanski140bddc2020-06-05 21:01:19 +0200[diff] [blame]89 },
Lorenz Brun5e4fc2d2020-09-22 18:35:15 +0200[diff] [blame]90 files_cc = {
Serge Bazanskieac8f732021-10-05 23:30:37 +0200[diff] [blame]91 "//metropolis/node/core/minit": "/init",
Lorenz Brun5e4fc2d2020-09-22 18:35:15 +0200[diff] [blame]92 # runc runtime, with cgo
93 "@com_github_opencontainers_runc//:runc": "/containerd/bin/runc",
Lorenz Brunddd6caf2021-03-04 17:16:04 +0100[diff] [blame]94 "@xfsprogs//:mkfs": "/bin/mkfs.xfs",
Lorenz Brune306d782021-09-01 13:01:06 +0200[diff] [blame]95 "@chrony//:chrony": "/time/chrony",
Lorenz Brun5e4fc2d2020-09-22 18:35:15 +0200[diff] [blame]96 },
Serge Bazanskia3938142022-04-04 17:04:47 +0200[diff] [blame]97 fsspecs = [
98 ":erofs-layout.fsspec",
99 "//metropolis/node/build:earlydev.fsspec",
100 ":firmware",
101 ],
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]102 symlinks = {
103 "/ephemeral/machine-id": "/etc/machine-id",
104 "/ephemeral/hosts": "/etc/hosts",
105 },
Serge Bazanski731d00a2020-02-03 19:08:07 +0100[diff] [blame]106)
107
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]108verity_image(
109 name = "verity_rootfs",
110 source = ":rootfs",
111)
112
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]113efi_unified_kernel_image(
114 name = "kernel_efi",
Lorenz Brunf0b22ff2023-05-02 16:04:20 +0200[diff] [blame]115 cmdline = "console=ttyS0,115200 console=ttyS1,115200 console=tty0 quiet rootfstype=erofs init=/init",
Lorenz Brunb6c0aa92022-02-24 17:53:40 +0100[diff] [blame]116 initrd = [":ucode"],
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]117 kernel = "//third_party/linux",
118 os_release = ":os-release-info",
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]119 verity = ":verity_rootfs",
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]120)
121
Lorenz Brunf758ce42021-11-09 03:40:43 +0100[diff] [blame]122# An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
123# to the actual bundle format.
124# TODO(lorenz): Replace this
125pkg_zip(
Lorenz Brund13c1c62022-03-30 19:58:58 +0200[diff] [blame]126 name = "bundle",
Lorenz Brunf758ce42021-11-09 03:40:43 +0100[diff] [blame]127 srcs = [
128 ":kernel_efi",
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]129 ":verity_rootfs",
Lorenz Brunf758ce42021-11-09 03:40:43 +0100[diff] [blame]130 ],
Lorenz Brunf8ede092021-11-08 20:50:57 +0100[diff] [blame]131 visibility = ["//visibility:public"],
Lorenz Brunf758ce42021-11-09 03:40:43 +0100[diff] [blame]132)
133
Serge Bazanski731d00a2020-02-03 19:08:07 +0100[diff] [blame]134genrule(
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]135 name = "image",
136 srcs = [
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]137 ":kernel_efi",
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]138 ":verity_rootfs",
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]139 ],
140 outs = [
Serge Bazanski662b5b32020-12-21 13:49:00 +0100[diff] [blame]141 "node.img",
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]142 ],
143 cmd = """
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]144 $(location //metropolis/node/build/mkimage) \
Lorenz Brun2f9f3872021-09-29 19:48:08 +0200[diff] [blame]145 -efi $(location :kernel_efi) \
Mateusz Zalega8c2c7712022-01-25 19:42:21 +0100[diff] [blame]146 -system $(location :verity_rootfs) \
Leopold Schabel65493072019-11-06 13:40:44 +0000[diff] [blame]147 -out $@
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]148 """,
Lorenz Brun0bcaaee2019-11-06 12:42:39 +0100[diff] [blame]149 tools = [
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]150 "//metropolis/node/build/mkimage",
Lorenz Brun0bcaaee2019-11-06 12:42:39 +0100[diff] [blame]151 ],
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]152 visibility = [
Mateusz Zalegafed8fe52022-07-14 16:19:35 +0200[diff] [blame]153 "//metropolis/cli/metroctl/test:__subpackages__",
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]154 "//metropolis/test/e2e:__subpackages__",
Serge Bazanskif12bedf2021-01-15 16:58:50 +0100[diff] [blame]155 "//metropolis/test/launch:__subpackages__",
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]156 ],
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]157)
158
Leopold Schabel957c5b12021-12-04 01:34:40 +0100[diff] [blame]159# Create a tar.gz of the image, suitable for importing to GCP as a custom image.
160# (see https://cloud.google.com/compute/docs/import/import-existing-image#create_image_file)
161#
162# We can't use Bazel's "pkg_tar" rule because it insists on adding a "./" prefix to the
163# file name inside the archive, which is not compatible with GCP's importer.
164genrule(
165 name = "image_gcp",
166 srcs = [
167 ":image",
168 ],
169 outs = [
170 "node.tar.gz",
171 ],
172 cmd = """
173 # make it reproducible and fast (it doesn't compress well anyway)
174 export GZIP="--no-name --fast"
175
176 ln -rs $< $(@D)/disk.raw # GCP insists it be called "disk.raw"
177
178 cd $(@D)
179 tar --format=oldgnu --mtime='1970-01-01' -Sczhf node.tar.gz disk.raw
180 """,
181)
182
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]183genrule(
184 name = "swtpm_data",
185 outs = [
186 "tpm/tpm2-00.permall",
187 "tpm/signkey.pem",
188 "tpm/issuercert.pem",
189 ],
190 cmd = """
191 mkdir -p tpm/ca
192
193 cat <<EOF > tpm/swtpm.conf
194create_certs_tool= /usr/share/swtpm/swtpm-localca
195create_certs_tool_config = tpm/swtpm-localca.conf
196create_certs_tool_options = /etc/swtpm-localca.options
197EOF
198
199 cat <<EOF > tpm/swtpm-localca.conf
200statedir = tpm/ca
201signingkey = tpm/ca/signkey.pem
202issuercert = tpm/ca/issuercert.pem
203certserial = tpm/ca/certserial
204EOF
205
206 swtpm_setup \
207 --tpmstate tpm \
208 --create-ek-cert \
209 --create-platform-cert \
210 --allow-signing \
211 --tpm2 \
212 --display \
213 --pcr-banks sha1,sha256,sha384,sha512 \
214 --config tpm/swtpm.conf
215
216 cp tpm/tpm2-00.permall $(location tpm/tpm2-00.permall)
217 cp tpm/ca/issuercert.pem $(location tpm/issuercert.pem)
218 cp tpm/ca/signkey.pem $(location tpm/signkey.pem)
219 """,
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]220 visibility = [
Mateusz Zalegafed8fe52022-07-14 16:19:35 +0200[diff] [blame]221 "//metropolis/cli/metroctl/test:__subpackages__",
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]222 "//metropolis/test/e2e:__subpackages__",
Serge Bazanskif12bedf2021-01-15 16:58:50 +0100[diff] [blame]223 "//metropolis/test/launch:__subpackages__",
Serge Bazanski0be9be82021-01-07 15:23:44 +0100[diff] [blame]224 ],
Hendrik Hofstadt0d7c91e2019-10-23 21:44:47 +0200[diff] [blame]225)
Lorenz Brun878f5f92020-05-12 16:15:39 +0200[diff] [blame]226
Serge Bazanski77cb6c52020-12-19 00:09:22 +0100[diff] [blame]227load("//metropolis/node/build/genosrelease:defs.bzl", "os_release")
Lorenz Brun878f5f92020-05-12 16:15:39 +0200[diff] [blame]228
229os_release(
230 name = "os-release-info",
Serge Bazanski662b5b32020-12-21 13:49:00 +0100[diff] [blame]231 os_id = "metropolis-node",
232 os_name = "Metropolis Node",
233 stamp_var = "STABLE_METROPOLIS_version",
Lorenz Brun878f5f92020-05-12 16:15:39 +0200[diff] [blame]234)