1
// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
17
"github.com/google/go-containerregistry/pkg/name"
18
v1 "github.com/google/go-containerregistry/pkg/v1"
19
"github.com/google/go-containerregistry/pkg/v1/empty"
20
"github.com/google/go-containerregistry/pkg/v1/mutate"
21
"github.com/google/go-containerregistry/pkg/v1/tarball"
22
"github.com/google/go-containerregistry/pkg/v1/types"
23
"github.com/siderolabs/go-pointer"
24
"github.com/siderolabs/go-procfs/procfs"
27
"github.com/siderolabs/talos/cmd/installer/pkg/install"
28
"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/bootloader/options"
29
"github.com/siderolabs/talos/internal/pkg/secureboot/database"
30
"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
31
"github.com/siderolabs/talos/pkg/imager/filemap"
32
"github.com/siderolabs/talos/pkg/imager/iso"
33
"github.com/siderolabs/talos/pkg/imager/ova"
34
"github.com/siderolabs/talos/pkg/imager/profile"
35
"github.com/siderolabs/talos/pkg/imager/qemuimg"
36
"github.com/siderolabs/talos/pkg/imager/utils"
37
"github.com/siderolabs/talos/pkg/machinery/constants"
38
"github.com/siderolabs/talos/pkg/machinery/imager/quirks"
39
"github.com/siderolabs/talos/pkg/reporter"
42
func (i *Imager) outInitramfs(path string, report *reporter.Reporter) error {
43
printf := progressPrintf(report, reporter.Update{Message: "copying initramfs...", Status: reporter.StatusRunning})
45
if err := utils.CopyFiles(printf, utils.SourceDestination(i.initramfsPath, path)); err != nil {
49
report.Report(reporter.Update{Message: "initramfs output ready", Status: reporter.StatusSucceeded})
54
func (i *Imager) outKernel(path string, report *reporter.Reporter) error {
55
printf := progressPrintf(report, reporter.Update{Message: "copying kernel...", Status: reporter.StatusRunning})
57
if err := utils.CopyFiles(printf, utils.SourceDestination(i.prof.Input.Kernel.Path, path)); err != nil {
61
report.Report(reporter.Update{Message: "kernel output ready", Status: reporter.StatusSucceeded})
66
func (i *Imager) outUKI(path string, report *reporter.Reporter) error {
67
printf := progressPrintf(report, reporter.Update{Message: "copying kernel...", Status: reporter.StatusRunning})
69
if err := utils.CopyFiles(printf, utils.SourceDestination(i.ukiPath, path)); err != nil {
73
report.Report(reporter.Update{Message: "UKI output ready", Status: reporter.StatusSucceeded})
78
func (i *Imager) outCmdline(path string) error {
79
return os.WriteFile(path, []byte(i.cmdline), 0o644)
83
func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Reporter) error {
84
printf := progressPrintf(report, reporter.Update{Message: "building ISO...", Status: reporter.StatusRunning})
86
scratchSpace := filepath.Join(i.tempDir, "iso")
90
if i.prof.SecureBootEnabled() {
91
isoOptions := pointer.SafeDeref(i.prof.Output.ISOOptions)
93
var signer pesign.CertificateSigner
95
signer, err = i.prof.Input.SecureBoot.SecureBootSigner.GetSigner(ctx)
97
return fmt.Errorf("failed to get SecureBoot signer: %w", err)
100
derCrtPath := filepath.Join(i.tempDir, "uki.der")
102
if err = os.WriteFile(derCrtPath, signer.Certificate().Raw, 0o600); err != nil {
103
return fmt.Errorf("failed to write uki.der: %w", err)
106
options := iso.UEFIOptions{
108
SDBootPath: i.sdBootPath,
110
SDBootSecureBootEnrollKeys: isoOptions.SDBootEnrollKeys.String(),
112
UKISigningCertDerPath: derCrtPath,
114
PlatformKeyPath: i.prof.Input.SecureBoot.PlatformKeyPath,
115
KeyExchangeKeyPath: i.prof.Input.SecureBoot.KeyExchangeKeyPath,
116
SignatureKeyPath: i.prof.Input.SecureBoot.SignatureKeyPath,
119
Version: i.prof.Version,
121
ScratchDir: scratchSpace,
125
if i.prof.Input.SecureBoot.PlatformKeyPath == "" {
126
report.Report(reporter.Update{Message: "generating SecureBoot database...", Status: reporter.StatusRunning})
128
// generate the database automatically from provided values
129
enrolledPEM := pem.EncodeToMemory(&pem.Block{
131
Bytes: signer.Certificate().Raw,
134
var entries []database.Entry
136
entries, err = database.Generate(enrolledPEM, signer)
138
return fmt.Errorf("failed to generate database: %w", err)
141
for _, entry := range entries {
142
entryPath := filepath.Join(i.tempDir, entry.Name)
144
if err = os.WriteFile(entryPath, entry.Contents, 0o600); err != nil {
149
case constants.PlatformKeyAsset:
150
options.PlatformKeyPath = entryPath
151
case constants.KeyExchangeKeyAsset:
152
options.KeyExchangeKeyPath = entryPath
153
case constants.SignatureKeyAsset:
154
options.SignatureKeyPath = entryPath
156
return fmt.Errorf("unknown database entry: %s", entry.Name)
160
options.PlatformKeyPath = i.prof.Input.SecureBoot.PlatformKeyPath
161
options.KeyExchangeKeyPath = i.prof.Input.SecureBoot.KeyExchangeKeyPath
162
options.SignatureKeyPath = i.prof.Input.SecureBoot.SignatureKeyPath
165
err = iso.CreateUEFI(printf, options)
167
err = iso.CreateGRUB(printf, iso.GRUBOptions{
168
KernelPath: i.prof.Input.Kernel.Path,
169
InitramfsPath: i.initramfsPath,
171
Version: i.prof.Version,
173
ScratchDir: scratchSpace,
182
report.Report(reporter.Update{Message: "ISO ready", Status: reporter.StatusSucceeded})
187
func (i *Imager) outImage(ctx context.Context, path string, report *reporter.Reporter) error {
188
printf := progressPrintf(report, reporter.Update{Message: "creating disk image...", Status: reporter.StatusRunning})
190
if err := i.buildImage(ctx, path, printf); err != nil {
194
switch i.prof.Output.ImageOptions.DiskFormat {
195
case profile.DiskFormatRaw:
197
case profile.DiskFormatQCOW2:
198
if err := qemuimg.Convert("raw", "qcow2", i.prof.Output.ImageOptions.DiskFormatOptions, path, printf); err != nil {
201
case profile.DiskFormatVPC:
202
if err := qemuimg.Convert("raw", "vpc", i.prof.Output.ImageOptions.DiskFormatOptions, path, printf); err != nil {
205
case profile.DiskFormatOVA:
206
scratchPath := filepath.Join(i.tempDir, "ova")
208
if err := ova.CreateOVAFromRAW(path, i.prof.Arch, scratchPath, i.prof.Output.ImageOptions.DiskSize, printf); err != nil {
211
case profile.DiskFormatUnknown:
214
return fmt.Errorf("unsupported disk format: %s", i.prof.Output.ImageOptions.DiskFormat)
217
report.Report(reporter.Update{Message: "disk image ready", Status: reporter.StatusSucceeded})
222
func (i *Imager) buildImage(ctx context.Context, path string, printf func(string, ...any)) error {
223
if err := utils.CreateRawDisk(printf, path, i.prof.Output.ImageOptions.DiskSize); err != nil {
227
printf("attaching loopback device")
234
if loDevice, err = utils.Loattach(path); err != nil {
239
printf("detaching loopback device")
241
if e := utils.Lodetach(loDevice); e != nil {
246
cmdline := procfs.NewCmdline(i.cmdline)
248
scratchSpace := filepath.Join(i.tempDir, "image")
250
opts := &install.Options{
252
Platform: i.prof.Platform,
255
MetaValues: install.FromMeta(i.prof.Customization.MetaContents),
257
ImageSecureboot: i.prof.SecureBootEnabled(),
258
Version: i.prof.Version,
259
BootAssets: options.BootAssets{
260
KernelPath: i.prof.Input.Kernel.Path,
261
InitramfsPath: i.initramfsPath,
263
SDBootPath: i.sdBootPath,
264
DTBPath: i.prof.Input.DTB.Path,
265
UBootPath: i.prof.Input.UBoot.Path,
266
RPiFirmwarePath: i.prof.Input.RPiFirmware.Path,
268
MountPrefix: scratchSpace,
272
if i.overlayInstaller != nil {
273
opts.OverlayInstaller = i.overlayInstaller
274
opts.ExtraOptions = i.prof.Overlay.ExtraOptions
275
opts.OverlayExtractedDir = i.tempDir
278
if opts.Board == "" {
279
opts.Board = constants.BoardNone
282
installer, err := install.NewInstaller(ctx, cmdline, install.ModeImage, opts)
284
return fmt.Errorf("failed to create installer: %w", err)
287
if err := installer.Install(ctx, install.ModeImage); err != nil {
288
return fmt.Errorf("failed to install: %w", err)
294
//nolint:gocyclo,cyclop
295
func (i *Imager) outInstaller(ctx context.Context, path string, report *reporter.Reporter) error {
296
printf := progressPrintf(report, reporter.Update{Message: "building installer...", Status: reporter.StatusRunning})
298
baseInstallerImg, err := i.prof.Input.BaseInstaller.Pull(ctx, i.prof.Arch, printf)
303
baseLayers, err := baseInstallerImg.Layers()
305
return fmt.Errorf("failed to get layers: %w", err)
308
configFile, err := baseInstallerImg.ConfigFile()
310
return fmt.Errorf("failed to get config file: %w", err)
313
config := *configFile.Config.DeepCopy()
315
printf("creating empty image")
317
newInstallerImg := mutate.MediaType(empty.Image, types.OCIManifestSchema1)
318
newInstallerImg = mutate.ConfigMediaType(newInstallerImg, types.OCIConfigJSON)
320
newInstallerImg, err = mutate.Config(newInstallerImg, config)
322
return fmt.Errorf("failed to set config: %w", err)
325
newInstallerImg, err = mutate.CreatedAt(newInstallerImg, v1.Time{Time: time.Now()})
327
return fmt.Errorf("failed to set created at: %w", err)
330
// Talos v1.5+ optimizes the install layers to be easily replaceable with new artifacts
331
// other Talos versions will have an overhead of artifacts being stored twice
332
if len(baseLayers) == 2 {
333
// optimized for installer image for artifacts replacements
334
baseLayers = baseLayers[:1]
337
newInstallerImg, err = mutate.AppendLayers(newInstallerImg, baseLayers...)
339
return fmt.Errorf("failed to append layers: %w", err)
342
var artifacts []filemap.File
344
printf("generating artifacts layer")
346
if i.prof.SecureBootEnabled() {
347
artifacts = append(artifacts,
349
ImagePath: strings.TrimLeft(fmt.Sprintf(constants.UKIAssetPath, i.prof.Arch), "/"),
350
SourcePath: i.ukiPath,
353
ImagePath: strings.TrimLeft(fmt.Sprintf(constants.SDBootAssetPath, i.prof.Arch), "/"),
354
SourcePath: i.sdBootPath,
358
artifacts = append(artifacts,
360
ImagePath: strings.TrimLeft(fmt.Sprintf(constants.KernelAssetPath, i.prof.Arch), "/"),
361
SourcePath: i.prof.Input.Kernel.Path,
364
ImagePath: strings.TrimLeft(fmt.Sprintf(constants.InitramfsAssetPath, i.prof.Arch), "/"),
365
SourcePath: i.initramfsPath,
370
if !quirks.New(i.prof.Version).SupportsOverlay() {
371
for _, extraArtifact := range []struct {
376
sourcePath: i.prof.Input.DTB.Path,
377
imagePath: strings.TrimLeft(fmt.Sprintf(constants.DTBAssetPath, i.prof.Arch), "/"),
380
sourcePath: i.prof.Input.UBoot.Path,
381
imagePath: strings.TrimLeft(fmt.Sprintf(constants.UBootAssetPath, i.prof.Arch), "/"),
384
sourcePath: i.prof.Input.RPiFirmware.Path,
385
imagePath: strings.TrimLeft(fmt.Sprintf(constants.RPiFirmwareAssetPath, i.prof.Arch), "/"),
388
if extraArtifact.sourcePath == "" {
392
var extraFiles []filemap.File
394
extraFiles, err = filemap.Walk(extraArtifact.sourcePath, extraArtifact.imagePath)
396
return fmt.Errorf("failed to walk extra artifact %s: %w", extraArtifact.sourcePath, err)
399
artifacts = append(artifacts, extraFiles...)
403
artifactsLayer, err := filemap.Layer(artifacts)
405
return fmt.Errorf("failed to create artifacts layer: %w", err)
408
newInstallerImg, err = mutate.AppendLayers(newInstallerImg, artifactsLayer)
410
return fmt.Errorf("failed to append artifacts layer: %w", err)
413
if i.overlayInstaller != nil {
414
tempOverlayPath := filepath.Join(i.tempDir, "overlay-installer", constants.ImagerOverlayBasePath)
416
if err := os.MkdirAll(tempOverlayPath, 0o755); err != nil {
417
return fmt.Errorf("failed to create overlay directory: %w", err)
420
if err := i.prof.Input.OverlayInstaller.Extract(
424
progressPrintf(report, reporter.Update{Message: "pulling overlay for installer...", Status: reporter.StatusRunning}),
429
extraOpts, internalErr := yaml.Marshal(i.prof.Overlay.ExtraOptions)
430
if internalErr != nil {
431
return fmt.Errorf("failed to marshal extra options: %w", internalErr)
434
if internalErr = os.WriteFile(filepath.Join(i.tempDir, constants.ImagerOverlayExtraOptionsPath), extraOpts, 0o644); internalErr != nil {
435
return fmt.Errorf("failed to write extra options yaml: %w", internalErr)
438
printf("generating overlay installer layer")
440
var overlayArtifacts []filemap.File
442
for _, extraArtifact := range []struct {
448
sourcePath: filepath.Join(i.tempDir, "overlay-installer", constants.ImagerOverlayArtifactsPath),
449
imagePath: strings.TrimLeft(constants.ImagerOverlayArtifactsPath, "/"),
452
sourcePath: filepath.Join(i.tempDir, "overlay-installer", constants.ImagerOverlayInstallersPath, i.prof.Overlay.Name),
453
imagePath: strings.TrimLeft(constants.ImagerOverlayInstallerDefaultPath, "/"),
457
sourcePath: filepath.Join(i.tempDir, constants.ImagerOverlayExtraOptionsPath),
458
imagePath: strings.TrimLeft(constants.ImagerOverlayExtraOptionsPath, "/"),
461
var extraFiles []filemap.File
463
extraFiles, err = filemap.Walk(extraArtifact.sourcePath, extraArtifact.imagePath)
465
return fmt.Errorf("failed to walk extra artifact %s: %w", extraArtifact.sourcePath, err)
468
for i := range extraFiles {
469
extraFiles[i].ImageMode = int64(extraArtifact.mode)
472
overlayArtifacts = append(overlayArtifacts, extraFiles...)
475
overlayArtifactsLayer, internalErr := filemap.Layer(overlayArtifacts)
476
if internalErr != nil {
477
return fmt.Errorf("failed to create overlay artifacts layer: %w", internalErr)
480
newInstallerImg, internalErr = mutate.AppendLayers(newInstallerImg, overlayArtifactsLayer)
481
if internalErr != nil {
482
return fmt.Errorf("failed to append overlay artifacts layer: %w", internalErr)
486
ref, err := name.ParseReference(i.prof.Input.BaseInstaller.ImageRef)
488
return fmt.Errorf("failed to parse image reference: %w", err)
491
printf("writing image tarball")
493
if err := tarball.WriteToFile(path, ref, newInstallerImg); err != nil {
494
return fmt.Errorf("failed to write image tarball: %w", err)
497
report.Report(reporter.Update{Message: "installer container image ready", Status: reporter.StatusSucceeded})