refactor: adds GCP support, refactors machine, kernel and image configuration #20
Conversation
ffbbbf5 to f506b32
LGTM! Not approving before we test current images
You can check how we achieved this in the meta-custom-podman layer.
#DISTRO_FEATURES:class-native = "${CVM_DISTRO_FEATURES_NATIVE} tpm2" | ||
#DISTRO_FEATURES:class-nativesdk = "${CVM_DISTRO_FEATURES_NATIVE} tpm2" |
Instead of commenting them out, we can remove them, right?
# enable mdev/busybox for init | ||
#POKY_INIT_MANAGER:cvm = "mdev-busybox" | ||
DISTRO_EXTRA_RDEPENDS = "date-sync ca-certificates" | ||
DISTRO_EXTRA_RDEPENDS:append = '${@bb.utils.contains_any("IMAGE_FEATURES", [ "debug-tweaks" ], " dropbear", "",d)}' |
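Review bot: dropbear is keyed on debug-tweaks, so an SSH daemon only ever lands in an image that also gets the passwordless-root tweaks. That is a sane default for a confidential VM image, but if SSH on a non-debug image is ever wanted, do not widen this expression; use the stock IMAGE_FEATURES entry `ssh-server-dropbear` (it installs dropbear through its own packagegroup), so the choice is made per image and stays independent of debug-tweaks. Also delete the commented-out `#POKY_INIT_MANAGER:cvm = "mdev-busybox"` line rather than leaving it as dead config.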
Maybe we should consider making the dropbear (ssh access) not tightly coupled with debug-tweaks in the image features in case we want to have ssh access to the machine but not necessarily building it with debug tweaks.
Do you know by chance what debug-tweaks adds to the image when adding it to IMAGE_FEATURES?
I mean besides giving root access without a password? It probably sets the image in a debugging state and adds some debugging info and symbols to the image, which in practice would have "some" impact on the performance.
Instead of copying these files and the recipe of the linux-yocto-tiny version 6.10, can't we just use them from the meta-openembedded-core they are coming from instead?
https://git.openembedded.org/openembedded-core/commit/?id=0b47b5900df9b808a7fe47b8c5054164b579ec00
I mean, we could add the layer and use that recipe directly, right?
Yes, the best way would be to upgrade to poky 5.1, which includes this 6.10 kernel recipe.
Upgrading to 5.1 means we're leaving the LTS branch, so this is something we should consider and discuss.
IMO we have so many dependencies that track upstream closely (i.e. reth usually depends on the latest Rust) that we can't afford to stay put on the Yocto LTS. But it will mean more integration work moving Yocto versions from time to time.
8f2d291 to 7038f70
# doesnt work, no idea why | ||
# IMAGE_FSTYPES:append:core-image-minimal = " wic.vhd" |
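Review bot: the reason the commented-out line did not work is the override name: `core-image-minimal` is not an override, so `IMAGE_FSTYPES:append:core-image-minimal` never applies. Recipe-name overrides are spelled `pn-<recipe>`, the same form this PR already uses in `KERNEL_FEATURES:append:pn-linux-yocto-rt`. Replace the comment with `IMAGE_FSTYPES:append:pn-core-image-minimal = " wic.vhd"` (a wic type additionally needs a WKS_FILE the image can find) and drop the "no idea why" comment once that builds.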
Didn't we have that working before as part of the cvm-image-azure custom image?
KERNEL_FEATURES:append:pn-linux-yocto-rt = " cfg/virtio.scc cfg/paravirt_kvm.scc" | ||
# doesnt work, no idea why | ||
# IMAGE_FSTYPES:append:core-image-minimal = " wic.qcow2" |
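Review bot: same override problem as the wic.vhd line: `IMAGE_FSTYPES:append:core-image-minimal` needs the `pn-` prefix (`IMAGE_FSTYPES:append:pn-core-image-minimal = " wic.qcow2"`), which is exactly the form used a few lines up for linux-yocto-rt. Separately, `cfg/virtio.scc cfg/paravirt_kvm.scc` is appended for the rt kernel only; if the qemu image boots linux-yocto-tiny, as the thread says the images do, that kernel gets no virtio support from this line.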
same here as the comment above 🤔
KMACHINE:sev-snp ?= "common-pc-64" | ||
COMPATIBLE_MACHINE:sev-snp = "sev-snp" | ||
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:" | ||
# adding one config to the SRC_URI will add all others in this folder as well |
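Review bot: the comment on FILESEXTRAPATHS is misleading. Prepending a directory to FILESEXTRAPATHS only widens the search path; nothing from that directory is fetched unless it is named in SRC_URI. What does pull in neighbours is the .scc file itself: the `kconf`/`include` lines inside an .scc reference other .cfg and .scc fragments relative to its own directory. Reword the comment to say that, so a reader does not expect every fragment under linux-yocto/ to be applied automatically.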
what do you mean by this?
COMPATIBLE_MACHINE:sev-snp = "sev-snp" | ||
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:" | ||
# adding one config to the SRC_URI will add all others in this folder as well | ||
SRC_URI += "file://tdx-guest.scc" |
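Review bot: `SRC_URI += "file://tdx-guest.scc"` is unconditional, so yes, the sev-snp build gets the TDX guest fragment too (the `COMPATIBLE_MACHINE:sev-snp` line above makes that build real). For linux-yocto kernels an .scc listed in SRC_URI is applied by kernel-yocto.bbclass without also appearing in KERNEL_FEATURES, so this one line alone enables TDX config on every machine the recipe builds for. Scope it with a machine override, e.g. `SRC_URI:append:tdx = " file://tdx-guest.scc"` with `tdx` added to MACHINEOVERRIDES in tdx-guest.inc, or with a bb.utils.contains() test on MACHINE_FEATURES.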
Does this add tdx-guest.scc also for the sev-snp target if you build for that too?
python tinyinitrd () { | ||
} |
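Review bot: an empty `python tinyinitrd () { }` either overrides and silences a function of the same name from the base recipe, in which case a comment should say what it disabled and why, or it is unused and should be deleted. An empty body with no comment reads as an accident either way.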
Is this piece needed?
KERNEL_FEATURES:append:pn-linux-yocto-tiny = " tdx-guest.scc" | ||
KERNEL_FEATURES:append:pn-linux-yocto = " tdx-guest.scc" | ||
KERNEL_FEATURES:append:pn-linux-yocto-rt = " tdx-guest.scc" |
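Review bot: three unconditional per-recipe appends put tdx-guest.scc into every kernel flavour for every machine, sev-snp included. The same fragment is already applied through the `SRC_URI += "file://tdx-guest.scc"` line elsewhere in this PR, so these are redundant with it; if KERNEL_FEATURES is the intended mechanism, keep only one of the two and key it on the machine rather than the recipe name (`KERNEL_FEATURES:append:tdx = " tdx-guest.scc"`, with `tdx` in MACHINEOVERRIDES), which also removes the need to touch kernels no image uses.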
Aren't we only using linux-yocto-tiny? Why do we need to adjust the other ones too if we don't necessarily use them in any other image?
This PR adds support for creating GCP VM images.
The previous setup defined 2 machines (tdx and sev-snp) plus one image (cvm-image-azure). Over time a lot of things have been added, such that many features had been added without a feature flag, even though they're not needed, or behind the wrong feature flag.
This refactor aims to resolve most of these issues by creating a clear machine, kernel and image configuration.
Machines created:
[ "tdx-gcp", "tdx-qemu", "tdx-azure", "sev-snp-azure" ]
The machine configurations are simple and lean heavily on common include files, i.e. tdx-guest.inc.
The cvm-image-azure was removed and replaced by .bbappending the default "core-image-minimal" and "core-image-tiny-initramfs".
Most of the kernel configuration was moved into the specific machine or distro configuration, creating a lean kernel config.
Debug tweaks are now again enabled by adding "debug-tweaks" to the EXTRA_IMAGE_FEATURES env var. This will automatically pick up the dropbear dependency.
This refactor will break stuff in other layers depending on this layer. As a next step, the goal is to refactor these layers as well and make them more conformant with yocto design principles as well.
What I haven't achieved is hiding recipe-based kernel configuration behind recipes, i.e. disk-encryption.scc should only be added to the kernel if disk-encryption is added as part of the image.
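As an added illustration (not code from this PR or from the layer it changes), the config fragments below show one way to get the gating the description asks for at the end. The kernel recipe never sees IMAGE_FEATURES, so the switch is made a machine feature instead: a machine include publishes an override and a feature, a machine conf opts into disk encryption, the kernel bbappend keys its fragments on those, and SSH becomes an image feature independent of debug-tweaks. The machine names, tdx-guest.inc, tdx-guest.scc and disk-encryption.scc come from the PR; the file paths, the tdx override, the tdx-guest and disk-encryption machine features, the cvm-gcp.wks file and the availability of a cryptsetup recipe in the build are assumptions for the example.

```bitbake
# conf/machine/include/tdx-guest.inc (assumed path; shared by tdx-gcp, tdx-qemu, tdx-azure)
# Publish an override so recipes can write ":append:tdx", and a feature so
# inline python can test for it with bb.utils.contains().
MACHINEOVERRIDES =. "tdx:"
MACHINE_FEATURES:append = " tdx-guest"

# conf/machine/tdx-gcp.conf (assumed path)
require conf/machine/include/tdx-guest.inc
# Opt this machine into disk encryption; kernel and image config follow from it.
MACHINE_FEATURES:append = " disk-encryption"
# Recipe-name overrides need the pn- prefix; ":append:core-image-minimal" never matches.
IMAGE_FSTYPES:append:pn-core-image-minimal = " wic.gz"
WKS_FILE = "cvm-gcp.wks"   # assumed to exist in the layer's wic/ directory

# recipes-kernel/linux/linux-yocto-tiny_%.bbappend (assumed path)
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:"
# FILESEXTRAPATHS only extends the search path; each fragment still has to be
# named in SRC_URI. For linux-yocto kernels an .scc in SRC_URI is applied by
# kernel-yocto.bbclass, so it does not need to be repeated in KERNEL_FEATURES.
SRC_URI:append:tdx = " file://tdx-guest.scc"
SRC_URI:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'disk-encryption', 'file://disk-encryption.scc', '', d)}"

# recipes-core/images/core-image-minimal.bbappend (assumed path)
# The user-space side of the encrypted root is keyed on the same machine
# feature as the kernel fragment, so the two cannot drift apart.
IMAGE_INSTALL:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'disk-encryption', 'cryptsetup', '', d)}"

# conf/local.conf: SSH is a stock image feature, chosen separately from
# debug-tweaks, so the distro no longer needs a dropbear clause in
# DISTRO_EXTRA_RDEPENDS. Pick one of the two lines.
EXTRA_IMAGE_FEATURES ?= "ssh-server-dropbear"                 # SSH, root still password-locked
#EXTRA_IMAGE_FEATURES ?= "debug-tweaks ssh-server-dropbear"   # SSH plus passwordless root, debug only
```

With this layout a sev-snp machine never includes tdx-guest.scc because it never sets the tdx override, and an attested production image is built with neither line in local.conf, so no SSH daemon and no root tweaks end up in the measured root filesystem.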