🐧 Add Ubuntu flavors for RPi (#1170)

* added initial Dockerfile for ubuntu-arm-rpi flavor

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* added Dockerfiles for the other ubuntu arm rpi flavors

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* added overlay files for ubuntu-arm-rpi

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* propagate new flavor ubuntu-arm-rpi through repo

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* propagate ubuntu-20-lts-arm-rpi and ubuntu-22-lts-arm-rpi through the repo

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* ubuntu-20-lts-arm-rpi: use the correct firmware package

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* use dracut-network-legacy-compat for all ubuntu lts flavors

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* one package per line for rpi ubuntu dockerfiles

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* some cosmetic changes on the rpi dockefiles

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* removed unnecessary network interface files from dockerfile

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* hadolint: ignore apt pinned version and missing no-install-recommend for now

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* added explicit systemd-timesyncd to rpi dockerfiles

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* removed more unneeded apt-get clean from dockerfiles

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* minor name corrections and removing commented out stuff

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>

* Change sizes for rpi ubuntu images

Signed-off-by: Mauro Morales <[email protected]>

* Lint

Signed-off-by: Mauro Morales <[email protected]>

* This was fixed on #821

Signed-off-by: Mauro Morales <[email protected]>

* Keep use of cos instead of kairos in bootargs.cfg

Signed-off-by: Mauro Morales <[email protected]>

* Add ports to RPi Docker images

Signed-off-by: Mauro Morales <[email protected]>

* Force platform arm64 on all-arm target

Signed-off-by: Mauro Morales <[email protected]>

* Use model to generate the generic ubuntu arm image

Signed-off-by: Mauro Morales <[email protected]>

* lint and apply changes to other ubuntu versions

Signed-off-by: Mauro Morales <[email protected]>

* force platform and model for all-arm

fix issues with ubuntu 20 lts arm rpi

remove unnecessary dockerfile

Signed-off-by: Mauro Morales <[email protected]>

* Add missing reference in dockerfiles

Signed-off-by: Mauro Morales <[email protected]>

* Increment trivy timeout

Signed-off-by: Mauro Morales <[email protected]>

* Update packages for 20.04

Signed-off-by: Mauro Morales <[email protected]>

* Remove dl3015

Signed-off-by: Mauro Morales <[email protected]>

* Fix issue with ubuntu arm rpi overlay files

Signed-off-by: Mauro Morales <[email protected]>

* Refactor overlay files for rpi

Signed-off-by: Mauro Morales <[email protected]>

* Part of last commit

Signed-off-by: Mauro Morales <[email protected]>

* Pass model to framework

Signed-off-by: Mauro Morales <[email protected]>

* No need to have a different persistency config for the rpi

Signed-off-by: Mauro Morales <[email protected]>

* Disable rpi-eeprom-update

Signed-off-by: Mauro Morales <[email protected]>

* review feedback

Signed-off-by: Mauro Morales <[email protected]>

---------

Signed-off-by: Martin Schuessler <[email protected]>
Signed-off-by: Mauro Morales <[email protected]>
Co-authored-by: Martin Schuessler <[email protected]>

.github/flavors-arm.json

@@ -10,5 +10,17 @@
     {
         "flavor": "alpine-arm-rpi",
         "model": "rpi64"
+    },
+    {
+        "flavor": "ubuntu-arm-rpi",
+        "model": "rpi64"
+    },
+    {
+        "flavor": "ubuntu-20-lts-arm-rpi",
+        "model": "rpi64"
+    },
+    {
+        "flavor": "ubuntu-22-lts-arm-rpi",
+        "model": "rpi64"
     }
-]
+]

Earthfile

@@ -36,24 +36,30 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos
 
 
 all:
+  ARG SECURITY_SCANS=true
   BUILD +image
-  BUILD +image-sbom
-  BUILD +trivy-scan
-  BUILD +grype-scan
+  IF [ "$SECURITY_SCANS" = "true" ]
+      BUILD +image-sbom
+      BUILD +trivy-scan
+      BUILD +grype-scan
+  END
   BUILD +iso
   BUILD +netboot
   BUILD +ipxe-iso
 
 all-arm:
-  BUILD --platform=linux/arm64 +image
-  BUILD +image-sbom
-  BUILD +trivy-scan
-  BUILD +grype-scan
-  BUILD +arm-image
+  ARG SECURITY_SCANS=true
+  BUILD --platform=linux/arm64 +image --MODEL=rpi64
+  IF [ "$SECURITY_SCANS" = "true" ]
+      BUILD --platform=linux/arm64 +image-sbom --MODEL=rpi64
+      BUILD --platform=linux/arm64 +trivy-scan --MODEL=rpi64
+      BUILD --platform=linux/arm64 +grype-scan --MODEL=rpi64
+  END
+  BUILD +arm-image --MODEL=rpi64
 
 all-arm-generic:
-  BUILD --platform=linux/arm64 +image
-  BUILD --platform=linux/arm64 +iso
+  BUILD --platform=linux/arm64 +image --MODEL=generic
+  BUILD --platform=linux/arm64 +iso --MODEL=generic
 
 go-deps-test:
     ARG GO_VERSION
@@ -187,27 +193,29 @@ framework-luet:
 framework:
     FROM alpine
     ARG FLAVOR
+    ARG MODEL
     # This ARG does nothing?
     ARG VERSION
     COPY +framework-luet/framework-luet /framework
 
     # Copy overlay files
     # TODO: Make this also a package?
     COPY overlay/files /framework
-    # Copy flavor-specific overlay files
-    IF [ "$FLAVOR" = "alpine-opensuse-leap" ] || [ "$FLAVOR" = "alpine-ubuntu" ]
-        COPY overlay/files-alpine/ /framework
+
+    # Copy common overlay files for Raspberry Pi
+    IF [ "$MODEL" = "rpi64" ]
+        COPY overlay/files-rpi/ /framework
     END
-
-    IF [ "$FLAVOR" = "alpine-arm-rpi" ]
+
+    # Copy flavor-specific overlay files
+    IF [[ "$FLAVOR" =~ ^alpine* ]]
         COPY overlay/files-alpine/ /framework
-        COPY overlay/files-opensuse-arm-rpi/ /framework
-    ELSE IF [ "$FLAVOR" = "opensuse-leap-arm-rpi" ] || [ "$FLAVOR" = "opensuse-tumbleweed-arm-rpi" ]
-        COPY overlay/files-opensuse-arm-rpi/ /framework
     ELSE IF [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "rockylinux" ]
         COPY overlay/files-fedora/ /framework
     ELSE IF [ "$FLAVOR" = "debian" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu-22-lts" ]
         COPY overlay/files-ubuntu/ /framework
+    ELSE IF [[ "$FLAVOR" =~ ^ubuntu-arm* ]]
+        COPY overlay/files-ubuntu-arm-rpi/ /framework
     END
 
     SAVE ARTIFACT --keep-own /framework/ framework
@@ -227,11 +235,12 @@ framework-image:
     SAVE IMAGE --push $IMAGE_REPOSITORY_ORG/framework:${VERSION}_${FLAVOR}
 
 base-image:
+    ARG MODEL
     ARG FLAVOR
     ARG VARIANT
     IF [ "$BASE_IMAGE" = "" ]
         # Source the flavor-provided docker file
-        FROM DOCKERFILE -f images/Dockerfile.$FLAVOR .
+        FROM DOCKERFILE --build-arg MODEL=$MODEL -f images/Dockerfile.$FLAVOR .
     ELSE 
         FROM $BASE_IMAGE
     END
@@ -248,7 +257,7 @@ base-image:
     END
 
     # Includes overlay/files
-    COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION) /
+    COPY (+framework/framework --FLAVOR=$FLAVOR --VERSION=$OS_VERSION --MODEL=$MODEL) /
 
     RUN rm -rf /etc/machine-id && touch /etc/machine-id && chmod 444 /etc/machine-id
 
@@ -304,7 +313,7 @@ base-image:
 
     # END
 
-    IF [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-22-lts" ]
+    IF [[ "$FLAVOR" =~ ^ubuntu* ]]
         # compress firmware
         RUN find /usr/lib/firmware -type f -execdir zstd --rm -9 {} \+
         # compress modules
@@ -356,6 +365,7 @@ image:
     FROM +base-image
     ARG FLAVOR
     ARG VARIANT
+    ARG MODEL
     ARG KAIROS_VERSION
     IF [ "$KAIROS_VERSION" = "" ]
         COPY +version/VERSION ./
@@ -367,6 +377,7 @@ image:
         ARG OS_VERSION=${KAIROS_VERSION}
     END
     ARG OS_ID
+    # should we add the model to the resulting iso?
     ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
     ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
     ARG OS_LABEL=latest
@@ -437,21 +448,33 @@ netboot:
 
 arm-image:
   ARG OSBUILDER_IMAGE
+  ARG COMPRESS_IMG=true
   FROM $OSBUILDER_IMAGE
   ARG MODEL=rpi64
   ARG IMAGE_NAME=${FLAVOR}.img
   WORKDIR /build
-  ENV STATE_SIZE="6200"
-  ENV RECOVERY_SIZE="4200"
+  # These sizes are in MB
   ENV SIZE="15200"
-  ENV DEFAULT_ACTIVE_SIZE="2000"
+  IF [[ "$FLAVOR" =~ ^ubuntu* ]]
+    ENV STATE_SIZE="6900"
+    ENV RECOVERY_SIZE="4600"
+    ENV DEFAULT_ACTIVE_SIZE="2300"
+  ELSE
+    ENV STATE_SIZE="6200"
+    ENV RECOVERY_SIZE="4200"
+    ENV DEFAULT_ACTIVE_SIZE="2000"
+  END
   COPY --platform=linux/arm64 +image-rootfs/rootfs /build/image
   # With docker is required for loop devices
   WITH DOCKER --allow-privileged
     RUN /build-arm-image.sh --use-lvm --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
   END
-  RUN xz -v /build/$IMAGE_NAME
-  SAVE ARTIFACT /build/$IMAGE_NAME.xz img AS LOCAL build/$IMAGE_NAME.xz
+  IF [ "$COMPRESS_IMG" = "true" ]
+      RUN xz -v /build/$IMAGE_NAME
+      SAVE ARTIFACT /build/$IMAGE_NAME.xz img AS LOCAL build/$IMAGE_NAME.xz
+  ELSE
+      SAVE ARTIFACT /build/$IMAGE_NAME img AS LOCAL build/$IMAGE_NAME
+  END
   SAVE ARTIFACT /build/$IMAGE_NAME.sha256 img-sha256 AS LOCAL build/$IMAGE_NAME.sha256
 
 ipxe-iso:
@@ -512,9 +535,9 @@ trivy-scan:
     ARG FLAVOR
     ARG VARIANT
     WORKDIR /build
-    RUN /trivy filesystem --skip-dirs /tmp --format sarif -o report.sarif --no-progress /
-    RUN /trivy filesystem --skip-dirs /tmp --format template --template "@/contrib/html.tpl" -o report.html --no-progress /
-    RUN /trivy filesystem --skip-dirs /tmp -f json -o results.json --no-progress /
+    RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format sarif -o report.sarif --no-progress /
+    RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format template --template "@/contrib/html.tpl" -o report.html --no-progress /
+    RUN /trivy filesystem --skip-dirs /tmp --timeout 30m -f json -o results.json --no-progress /
     SAVE ARTIFACT /build/report.sarif report.sartif AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-trivy.sarif
     SAVE ARTIFACT /build/report.html report.html AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-trivy.html
     SAVE ARTIFACT /build/results.json results.json AS LOCAL build/${VARIANT}-${FLAVOR}-${VERSION}-trivy.json

docs/content/en/docs/Reference/image_matrix.md

@@ -31,7 +31,7 @@ Base images are tagged with specific upstream versions (e.g. Ubuntu 20 LTS is pi
 | **Fedora based**                         | [core][c-fedora], [standard][k-fedora]                             |                                                                                                                                                            |
 | **openSUSE Leap based**                  | [core][c-opensuse-leap], [standard][k-opensuse-leap]               | [core][c-opensuse-leap-arm-rpi], [core-img][c-opensuse-leap-arm-rpi-img], [standard][k-opensuse-leap-arm-rpi], [standard-img][k-opensuse-leap-arm-rpi-img] |
 | **openSUSE Tumbleweed based**            | [core][c-opensuse-tumbleweed], [standard][k-opensuse-tumbleweed]   | [core][c-opensuse-tumbleweed-arm-rpi], [standard][k-opensuse-tumbleweed-arm-rpi]                                                                           |
-| **Ubuntu based (rolling)** **            | [core][c-ubuntu], [standard][k-ubuntu]                             |                                                                                                                                                            |
+| **Ubuntu based (rolling)** **            | [core][c-ubuntu], [standard][k-ubuntu]                             | [core][c-ubuntu-rpi], [standard][k-ubuntu-rpi]                                                                                                             |
 | **Ubuntu based (22 LTS)** **             | [core][c-ubuntu-22-lts], [standard][k-ubuntu-22-lts]               |                                                                                                                                                            |
 | **Ubuntu based (20 LTS)** **             | [core][c-ubuntu-20-lts], [standard][k-ubuntu-20-lts]               |                                                                                                                                                            |
 | **Rocky Linux based**                    | [core][c-rockylinux], [standard][k-rockylinux]                     |                                                                                                                                                            |
@@ -52,6 +52,7 @@ Base images are tagged with specific upstream versions (e.g. Ubuntu 20 LTS is pi
 [c-ubuntu]: https://quay.io/repository/kairos/core-ubuntu
 [c-ubuntu-22-lts]: https://quay.io/repository/kairos/core-ubuntu-22-lts
 [c-ubuntu-20-lts]: https://quay.io/repository/kairos/core-ubuntu-20-lts
+[c-ubuntu-rpi]: https://quay.io/repository/kairos/core-ubuntu-arm-rpi
 [c-rockylinux]: https://quay.io/repository/kairos/core-rockylinux
 
 [k-alpine-opensuse-leap]: https://quay.io/repository/kairos/kairos-alpine-opensuse-leap
@@ -69,9 +70,9 @@ Base images are tagged with specific upstream versions (e.g. Ubuntu 20 LTS is pi
 [k-ubuntu]: https://quay.io/repository/kairos/kairos-ubuntu
 [k-ubuntu-22-lts]: https://quay.io/repository/kairos/kairos-ubuntu-22-lts
 [k-ubuntu-20-lts]: https://quay.io/repository/kairos/kairos-ubuntu-20-lts
+[k-ubuntu-rpi]: https://quay.io/repository/kairos/kairos-ubuntu-arm-rpi
 [k-rockylinux]: https://quay.io/repository/kairos/kairos-rockylinux
 
-
 {{% alert title="Note" color="info" %}}
 
 ** The `ubuntu` flavor tracks the latest available Ubuntu release (at the time of writing 22.10). The LTS flavors, on the other hand, track the latest LTS available on DockerHub. For example, ubuntu-22-lts uses 22.04 as the base image.

framework-profile.yaml

@@ -15,6 +15,15 @@ flavors:
   ubuntu:
     - systemd-base
     - dracut-network-legacy
+  ubuntu-arm-rpi:
+    - systemd-base
+    - dracut-network-legacy
+  ubuntu-20-lts-arm-rpi:
+    - systemd-base
+    - dracut-network-legacy-compat
+  ubuntu-22-lts-arm-rpi:
+    - systemd-base
+    - dracut-network-legacy-compat
   ubuntu-22-lts:
     - systemd-base
     - dracut-network-legacy-compat

images/Dockerfile.ubuntu-20-lts-arm-rpi

@@ -0,0 +1,79 @@
+ARG BASE_IMAGE=ubuntu:20.04
+ARG MODEL=generic
+
+FROM $BASE_IMAGE as base
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository ppa:oibaf/test \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+FROM base AS generic
+RUN apt-get update && apt-get install -y linux-base \
+    linux-image-generic-hwe-22.04 \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+FROM base AS rpi64
+# Normally we install also linux-modules-extra-raspi but this is not available for 20.04, not sure what's the impact to
+# remove it.
+RUN apt-get update && apt-get install -y linux-firmware-raspi2 \
+    linux-raspi \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+FROM ${MODEL} AS all
+
+FROM all
+RUN apt-get update && apt-get install -y \
+    conntrack \
+    console-data \
+    coreutils \
+    curl \
+    debianutils \
+    dosfstools \
+    dracut \
+    dracut-network \
+    e2fsprogs \
+    gawk \
+    gdisk \
+    grub-efi-arm64-bin \
+    grub2-common \
+    haveged \
+    iproute2 \
+    iptables \
+    jq \
+    linux-firmware-raspi2 \
+    linux-raspi \
+    lldpd \
+    nano \
+    neovim \
+    open-vm-tools \
+    openssh-server \
+    parted \
+    policykit-1 \
+    rpi-eeprom \
+    rsync \
+    snapd \
+    snmpd \
+    squashfs-tools \
+    sudo \
+    systemd \
+    systemd-timesyncd \
+    tar \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+RUN ln -s /usr/sbin/grub-install /usr/sbin/grub2-install
+RUN ln -s /usr/bin/grub-editenv /usr/bin/grub2-editenv
+RUN systemctl enable systemd-networkd
+RUN systemctl enable ssh
+RUN systemctl disable rpi-eeprom-update
+
+# Enable tmp
+RUN cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/
+RUN systemctl enable tmp.mount
+
+# Fixup sudo perms
+RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
+
+
+# Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname