diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml index d85d38077f8..17413397153 100644 --- a/.pipelines/.vsts-vhd-builder-release.yaml +++ b/.pipelines/.vsts-vhd-builder-release.yaml @@ -1174,7 +1174,7 @@ stages: echo '##vso[task.setvariable variable=IMG_SKU]20_04-lts-cvm' echo '##vso[task.setvariable variable=IMG_VERSION]latest' echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2' - echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5' + echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DC16ads_v5' echo '##vso[task.setvariable variable=FEATURE_FLAGS]None' echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd' echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64' diff --git a/.pipelines/templates/.builder-release-template.yaml b/.pipelines/templates/.builder-release-template.yaml index 1ef02928e46..cc50c528a9c 100644 --- a/.pipelines/templates/.builder-release-template.yaml +++ b/.pipelines/templates/.builder-release-template.yaml @@ -111,6 +111,12 @@ steps: echo "##vso[task.setvariable variable=SKU_NAME]$SKU_NAME" echo "Set SKU_NAME to $SKU_NAME" displayName: Set SKU Name + + - bash: make -f packer.mk az-login && make -f packer.mk init-packer + displayName: Initialize Variables + env: + UA_TOKEN: $(ua-token) + - bash: make -f packer.mk run-packer displayName: Build VHD retryCountOnTaskFailure: 3 diff --git a/packer.mk b/packer.mk index 88199c325c7..b7d2dbbaad9 100755 --- a/packer.mk +++ b/packer.mk 
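Review bot: The `env: UA_TOKEN: $(ua-token)` mapping on the new Initialize Variables step hands the secret to both `az-login` and `init-packer`, yet nothing visible in this commit shows init-variables.sh consuming it — the only consumer shown is the packer template, which reads `UA_TOKEN` at build time in the Build VHD step. Unless init-variables.sh needs the token, drop the `env:` block from this step so the secret is present only in the step that uses it. Splitting `init-packer` out of `run-packer` is what lets the `##vso[task.setvariable variable=PACKER_BUILD_LOCATION;]` emitted by init-variables.sh reach the build step, so a YAML comment above the new step stating that dependency would stop a later cleanup from merging them back, e.g. `# init-packer must be its own step: it re-exports PACKER_BUILD_LOCATION via task.setvariable, which only takes effect in later steps`. The steps list continues outside the hunk.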
@@ -29,8 +29,13 @@ else
 $(error HYPERV_GENERATION was invalid ${HYPERV_GENERATION})
 endif
 ifeq (${OS_SKU},Ubuntu)
- @echo "Using packer template file: vhd-image-builder-base.json"
+ifeq (${IMG_SKU},20_04-lts-cvm)
+ @echo "Using packer template file vhd-image-builder-cvm.json"
+ @packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-cvm.json
+else
+ @echo "Using packer template file vhd-image-builder-base.json"
 @packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-base.json
+endif
 else ifeq (${OS_SKU},CBLMariner)
 @echo "Using packer template file vhd-image-builder-mariner.json"
 @packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-mariner.json
@@ -80,7 +85,7 @@ init-packer:
 @./vhdbuilder/packer/init-variables.sh
 
 run-packer: az-login
- @packer init ./vhdbuilder/packer/linux-packer-plugin.pkr.hcl && packer version && ($(MAKE) -f packer.mk init-packer | tee packer-output) && ($(MAKE) -f packer.mk build-packer | tee -a packer-output)
+ @packer init ./vhdbuilder/packer/linux-packer-plugin.pkr.hcl && packer version && ($(MAKE) -f packer.mk build-packer | tee -a packer-output)
 
 run-packer-windows: az-login
 @packer init ./vhdbuilder/packer/packer-plugin.pkr.hcl && packer version && ($(MAKE) -f packer.mk init-packer | tee packer-output) && ($(MAKE) -f packer.mk build-packer-windows | tee -a packer-output)
diff --git a/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh b/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
index b08dd2d90fc..e3924a30fe8 100755
--- a/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
+++ b/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
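Review bot: The new inner `ifeq` duplicates the echo/`packer build` pair per template, and the SKU literal `20_04-lts-cvm` is now compared in three different forms across the commit (Make `ifeq` on raw `${IMG_SKU}` here, quoted lowercased `${IMG_SKU,,}` in convert-sig-to-classic-storage-account-blob.sh and init-variables.sh, bare unquoted `${IMG_SKU}` in run-test.sh and vhd-scanning.sh), so a casing or whitespace difference in the pipeline variable could select the CVM template here but not the CVM VM options elsewhere. Choosing the template path once, outside the recipe, keeps the Ubuntu branch to a single build line and `$(strip …)` tolerates stray whitespace from the pipeline variable. The recipe this sits in (presumably `build-packer`) starts outside the hunk.
```make
# File-level, next to the other variables: pick the Ubuntu template once.
PACKER_TEMPLATE := $(if $(filter 20_04-lts-cvm,$(strip ${IMG_SKU})),vhdbuilder/packer/vhd-image-builder-cvm.json,vhdbuilder/packer/vhd-image-builder-base.json)

# … unchanged: HYPERV_GENERATION validation …
ifeq (${OS_SKU},Ubuntu)
	@echo "Using packer template file $(notdir $(PACKER_TEMPLATE))"
	@packer build -var-file=vhdbuilder/packer/settings.json $(PACKER_TEMPLATE)
else ifeq (${OS_SKU},CBLMariner)
# … unchanged: mariner branch …
```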
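Review bot: `run-packer` now opens its log with `tee -a packer-output`, but the `tee packer-output` that truncated the file went away together with the `init-packer` call, so nothing in this target creates the file and a reused agent workspace would append this build's output to a stale one; as `build-packer` is now the first writer here, use `tee packer-output`. `run-packer-windows` still invokes `init-packer` inline, so if the builder-release template (which now runs `init-packer` as its own step) also drives Windows builds, init-variables.sh runs twice there — worth confirming. Callers of `run-packer` now depend on a prior `make -f packer.mk init-packer`; a comment on the target, e.g. `# caller must run init-packer in an earlier step: its task.setvariable output is only visible to later steps`, would record that contract.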
@@ -67,6 +67,21 @@ if [[ ${OS_TYPE} == "Linux" && ${ENABLE_TRUSTED_LAUNCH} == "True" ]]; then
 } \
 } \
 }"
+elif [ "${OS_TYPE}" == "Linux" ] && [ "${IMG_SKU,,}" == "20_04-lts-cvm" ]; then
+ az resource create --id $disk_resource_id --is-full-object --location $LOCATION --properties "{\"location\": \"$LOCATION\", \
+ \"properties\": { \
+ \"osType\": \"$OS_TYPE\", \
+ \"securityProfile\": { \
+ \"securityType\": \"ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey\" \
+ }, \
+ \"creationData\": { \
+ \"createOption\": \"FromImage\", \
+ \"galleryImageReference\": { \
+ \"id\": \"${sig_resource_id}\" \
+ } \
+ } \
+ } \
+ }"
 else
 az resource create --id $disk_resource_id --is-full-object --location $LOCATION --properties "{\"location\": \"$LOCATION\", \
 \"properties\": { \
diff --git a/vhdbuilder/packer/init-variables.sh b/vhdbuilder/packer/init-variables.sh
index fb08106cf56..673d37f300c 100755
--- a/vhdbuilder/packer/init-variables.sh
+++ b/vhdbuilder/packer/init-variables.sh
@@ -71,6 +71,13 @@ if [ "$MODE" == "linuxVhdMode" ] && [ -z "${PACKER_BUILD_LOCATION}" ]; then
 exit 1
 fi
 
+if [ "${IMG_SKU,,}" == "20_04-lts-cvm" ] && [ -n "${CVM_PACKER_BUILD_LOCATION}" ]; then
+ PACKER_BUILD_LOCATION="${CVM_PACKER_BUILD_LOCATION}"
+ # Must persist new value of PACKER_BUILD_LOCATION for future pipeline steps, bash variable assignment is only scoped to this script
+ echo "##vso[task.setvariable variable=PACKER_BUILD_LOCATION;]${CVM_PACKER_BUILD_LOCATION}"
+ echo "CVM: PACKER_BUILD_LOCATION is set to ${PACKER_BUILD_LOCATION}"
+fi
+
 # Currently only used for linux builds. This determines the environment in which the build is running (either prod or test).
 # Used to construct the name of the resource group in which the 1ES pool the build is running on lives in, which also happens.
 # to be the resource group in which the packer VNET lives in.
@@ -111,6 +118,7 @@ if [ -z "${VNET_NAME}" ]; then
 fi
 fi
 
+
 if [ -z "${SUBNET_NAME}" ]; then
 SUBNET_NAME="packer"
 fi
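Review bot: The new `elif` switches to `[ ] && [ ]` while the `if` it extends uses `[[ … && … ]]`, and it leaves `$disk_resource_id` and `$LOCATION` unquoted on the `az resource create` line just as the sibling branches do; for consistency and word-splitting safety, `elif [[ "${OS_TYPE}" == "Linux" && "${IMG_SKU,,}" == "20_04-lts-cvm" ]]; then` and `--id "$disk_resource_id" --location "$LOCATION"`. The branch pins `securityType` to `ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey`, which is the disk-side counterpart of the `security_encryption_type`/`confidential_vm_image_encryption_type` values the new packer template captures the image with; a comment naming that coupling, e.g. `# must match the VMGuestStateOnly / PMK encryption the CVM packer template captures with`, would help whoever later adds a customer-managed-key variant. The if/elif/else chain starts and ends outside the hunk.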
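Review bot: The CVM override of `PACKER_BUILD_LOCATION` runs after the check named in the hunk header, which exits when `PACKER_BUILD_LOCATION` is empty in linuxVhdMode, so a CVM build configured only with `CVM_PACKER_BUILD_LOCATION` fails before the override is reached; move this block above that check, or let the check accept `CVM_PACKER_BUILD_LOCATION` for the CVM SKU. Anything earlier in the script that already consumed `PACKER_BUILD_LOCATION` would also have seen the pre-override value — not visible in the hunk, worth checking. The inline comment explains the `task.setvariable` echo well; extending it with why the override is scoped to this SKU, e.g. `# CVM-capable regions differ from the default build region, so only the CVM SKU is redirected`, would complete the picture.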
@@ -167,6 +175,8 @@ if [[ "${MODE}" == "linuxVhdMode" ]]; then
 elif [[ "${IMG_OFFER,,}" == "azure-linux-3" ]]; then
 # for Azure Linux 3.0, only use AzureLinux prefix
 SIG_IMAGE_NAME="AzureLinux${SIG_IMAGE_NAME}"
+ elif [[ "${IMG_SKU,,}" == "20_04-lts-cvm" ]]; then
+ SIG_IMAGE_NAME+="Specialized"
 fi
 echo "No input for SIG_IMAGE_NAME was provided, defaulting to: ${SIG_IMAGE_NAME}"
 else
@@ -259,7 +269,7 @@ if [[ "$MODE" == "linuxVhdMode" || "$MODE" == "windowsVhdMode" ]]; then
 if [[ ${ARCHITECTURE,,} == "arm64" ]]; then
 TARGET_COMMAND_STRING+="--architecture Arm64"
 elif [[ ${IMG_SKU} == "20_04-lts-cvm" ]]; then
- TARGET_COMMAND_STRING+="--features SecurityType=ConfidentialVMSupported"
+ TARGET_COMMAND_STRING+="--os-state Specialized --features SecurityType=ConfidentialVM"
 fi
 
 az sig image-definition create \
diff --git a/vhdbuilder/packer/pre-install-dependencies.sh b/vhdbuilder/packer/pre-install-dependencies.sh
index ea5e9f64e52..3981f203c16 100644
--- a/vhdbuilder/packer/pre-install-dependencies.sh
+++ b/vhdbuilder/packer/pre-install-dependencies.sh
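Review bot: The `Specialized` suffix is appended only on the default-name path (the `else` branch that takes a caller-supplied `SIG_IMAGE_NAME` lies outside the hunk), while hunk @@ -259 now creates every CVM image definition with `--os-state Specialized --features SecurityType=ConfidentialVM`; a caller that passes an explicit `SIG_IMAGE_NAME` previously used with the generalized `ConfidentialVMSupported` definition would therefore target an existing definition whose os-state and security feature no longer match, so that path needs the same suffix or a guard if re-running `az sig image-definition create` against existing names is expected. The new `elif` compares quoted lowercased `${IMG_SKU,,}` whereas the `elif` kept in @@ -259 compares bare `${IMG_SKU}`; aligning both on the lowercased form keeps the two CVM checks in this file from diverging. A comment on the new branch, e.g. `# CVM images are captured Specialized; suffix the name so the definition cannot collide with the generalized one`, would record why the suffix exists.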
@@ -92,32 +92,14 @@ else
 set -x
 fi
 
- # Run apt get update to refresh repo list
- # Run apt dist get upgrade to install packages/kernels
-
- # CVM breaks on kernel image updates due to nullboot package post-install.
- # it relies on boot measurements from real tpm hardware.
- # building on a real CVM would solve this, but packer doesn't support it.
- # we could make upstream changes but that takes time, and we are broken now.
- # so we just hold the kernel image packages for now on CVM.
- # this still allows us base image and package updates on a weekly cadence.
- if [[ "$IMG_SKU" != "20_04-lts-cvm" ]]; then
- # Canonical snapshot is only implemented for 20.04 LTS, 22.04 LTS and 23.10 and above
- # For 20.04, the only SKUs we support are FIPS, and it reaches out to ESM to get the packages, ESM does not have canonical snapshot support
- # Therefore keeping this to 22.04 only for now
- if [[ -n "${VHD_BUILD_TIMESTAMP}" && "${OS_VERSION}" == "22.04" ]]; then
- sed -i "s#http://azure.archive.ubuntu.com/ubuntu/#https://snapshot.ubuntu.com/ubuntu/${VHD_BUILD_TIMESTAMP}#g" /etc/apt/sources.list
- fi
- apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT
- apt_get_dist_upgrade || exit $ERR_APT_DIST_UPGRADE_TIMEOUT
+ if [[ -n "${VHD_BUILD_TIMESTAMP}" && "${OS_VERSION}" == "22.04" ]]; then
+ sed -i "s#http://azure.archive.ubuntu.com/ubuntu/#https://snapshot.ubuntu.com/ubuntu/${VHD_BUILD_TIMESTAMP}#g" /etc/apt/sources.list
 fi
 
- if [[ "$IMG_SKU" == "20_04-lts-cvm" ]]; then
- # Can not currently update kernel in CVM builds due to nullboot post-installation failure when no TPM is present on the VM
- # But we can at least update/install the below packages
- apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT
- apt-get -y install libpython3.8 python3.8-minimal libpython3.8-minimal libpython3.8-stdlib python3.8 libglib2.0-0 libglib2.0-data libglib2.0-bin python3-urllib3 libpython2.7-stdlib libpython2.7-stdlib python2.7-minimal libpython2.7-minimal nano libarchive13
- fi
+ # Run apt get update to refresh repo list
+ # Run apt dist get upgrade to install packages/kernels
+ apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT
+ apt_get_dist_upgrade || exit $ERR_APT_DIST_UPGRADE_TIMEOUT
 
 if [[ "${ENABLE_FIPS,,}" == "true" ]]; then
 # This is FIPS Install for Ubuntu, it purges non FIPS Kernel and attaches UA FIPS Updates
diff --git a/vhdbuilder/packer/test/run-test.sh b/vhdbuilder/packer/test/run-test.sh
index 60e23adc21f..c88e176c2de 100755
--- a/vhdbuilder/packer/test/run-test.sh
+++ b/vhdbuilder/packer/test/run-test.sh
@@ -27,7 +27,7 @@ if [ "${OS_TYPE,,}" == "linux" ]; then
 echo "PACKER_BUILD_LOCATION must be set for linux builds"
 exit 1
 fi
- AZURE_LOCATION=$PACKER_BUILD_LOCATION
+ AZURE_LOCATION=${PACKER_BUILD_LOCATION}
 fi
 
 if [ "${OS_TYPE,,}" == "linux" ]; then
@@ -75,6 +75,10 @@ if [ "${OS_TYPE}" == "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" == "True" ]; then
 TARGET_COMMAND_STRING+="--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true"
 fi
 
+if [ "${OS_TYPE}" == "Linux" ] && [ ${IMG_SKU} == "20_04-lts-cvm" ]; then
+ TARGET_COMMAND_STRING="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
+fi
+
 if [ "${OS_TYPE,,}" == "linux" ]; then
 # in linux mode, explicitly create the NIC referencing the existing packer subnet to be attached to the testing VM so we avoid creating ephemeral vnets
 PACKER_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/packer"
diff --git a/vhdbuilder/packer/vhd-image-builder-cvm.json b/vhdbuilder/packer/vhd-image-builder-cvm.json
new file mode 100644
index 00000000000..5934fe0e768
--- /dev/null
+++ b/vhdbuilder/packer/vhd-image-builder-cvm.json
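Review bot: The removed block documented why CVM builds held the kernel packages (nullboot post-install needs TPM measurements and the builder was not a real CVM); the replacement routes CVM through `apt_get_dist_upgrade` with no comment recording what changed to make that safe — presumably the build VM is now itself a ConfidentialVM with vTPM, as the new packer template's `security_type`/`vtpm_enabled` suggest, but a reader of this script alone cannot tell. Add a comment above `apt_get_update`, e.g. `# CVM builds now run on a ConfidentialVM builder with a vTPM, so nullboot post-install succeeds and the kernel is upgraded like every other SKU`. The snapshot `sed` also lost its rationale for the `"${OS_VERSION}" == "22.04"` restriction (Canonical snapshot support and the 20.04 ESM/FIPS case); keep that explanation next to the condition. The enclosing `else` block starts outside the hunk.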
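Review bot: `${IMG_SKU}` is unquoted in `[ ${IMG_SKU} == "20_04-lts-cvm" ]`, so when `IMG_SKU` is unset the test degrades to `[ == "20_04-lts-cvm" ]`, which prints "unary operator expected" and evaluates false by accident rather than by design; the same line is added to vhd-scanning.sh in hunk @@ -63. Quote and lowercase it as the rest of this commit does: `if [ "${OS_TYPE}" == "Linux" ] && [ "${IMG_SKU,,}" == "20_04-lts-cvm" ]; then`. `TARGET_COMMAND_STRING=` also assigns rather than appends, discarding anything accumulated earlier (the Trusted Launch block directly above uses `+=`), and the test VM size `Standard_DC8ads_v5` is hardcoded while the build side takes `AZURE_VM_SIZE` from the pipeline; if the overwrite is intentional, a comment such as `# CVM replaces, not extends, the VM options: the SKU needs its own size, security type and specialized flag` keeps a future reader from "fixing" it back to `+=`.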
@@ -0,0 +1,691 @@ +{ + "variables": { + "subscription_id": "{{env `AZURE_SUBSCRIPTION_ID`}}", + "location": "{{env `PACKER_BUILD_LOCATION`}}", + "vm_size": "{{env `AZURE_VM_SIZE`}}", + "build_definition_name": "{{env `BUILD_DEFINITION_NAME`}}", + "build_number": "{{env `BUILD_NUMBER`}}", + "build_id": "{{env `BUILD_ID`}}", + "commit": "{{env `GIT_VERSION`}}", + "feature_flags": "{{env `FEATURE_FLAGS`}}", + "image_version": "{{env `IMAGE_VERSION`}}", + "os_version": "{{env `OS_VERSION`}}", + "sku_name": "{{env `SKU_NAME`}}", + "hyperv_generation": "{{env `HYPERV_GENERATION`}}", + "sig_gallery_name": "{{env `SIG_GALLERY_NAME`}}", + "sig_image_name": "{{env `SIG_IMAGE_NAME`}}", + "sig_image_version": "{{env `SIG_IMAGE_VERSION`}}", + "container_runtime": "{{env `CONTAINER_RUNTIME`}}", + "teleportd_plugin_download_url": "{{env `TELEPORTD_PLUGIN_DOWNLOAD_URL`}}", + "captured_sig_version": "{{env `${CAPTURED_SIG_VERSION`}}", + "enable_fips": "{{env `ENABLE_FIPS`}}", + "img_publisher": "{{env `IMG_PUBLISHER`}}", + "img_offer": "{{env `IMG_OFFER`}}", + "img_sku": "{{env `IMG_SKU`}}", + "img_version": "{{env `IMG_VERSION`}}", + "sgx_install": "{{env `SGX_INSTALL`}}", + "vnet_resource_group_name": "{{env `VNET_RESOURCE_GROUP_NAME`}}", + "vnet_name": "{{env `VNET_NAME`}}", + "subnet_name": "{{env `SUBNET_NAME`}}", + "private_packages_url": "{{env `PRIVATE_PACKAGES_URL`}}", + "branch": "{{env `BRANCH`}}", + "ua_token": "{{env `UA_TOKEN`}}", + "vhd_build_timestamp": "{{user `VHD_BUILD_TIMESTAMP`}}" + }, + "builders": [ + { + "type": "azure-arm", + "subscription_id": "{{user `subscription_id`}}", + "virtual_network_resource_group_name": "{{user `vnet_resource_group_name`}}", + "virtual_network_name": "{{user `vnet_name`}}", + "virtual_network_subnet_name": "{{user `subnet_name`}}", + "ssh_read_write_timeout": "5m", + "os_type": "Linux", + "os_disk_size_gb": 30, + "image_publisher": "{{user `img_publisher`}}", + "image_offer": "{{user `img_offer`}}", + "image_sku": "{{user 
`img_sku`}}", + "image_version": "{{user `img_version`}}", + "azure_tags": { + "buildDefinitionName": "{{user `build_definition_name`}}", + "buildNumber": "{{user `build_number`}}", + "buildId": "{{user `build_id`}}", + "SkipLinuxAzSecPack": "true", + "os": "Linux", + "now": "{{user `create_time`}}", + "createdBy": "aks-vhd-pipeline", + "image_sku": "{{user `img_sku`}}", + "branch": "{{user `branch`}}" + }, + "location": "{{user `location`}}", + "vm_size": "{{user `vm_size`}}", + "polling_duration_timeout": "1h", + "managed_image_storage_account_type": "Premium_LRS", + "secure_boot_enabled": true, + "vtpm_enabled": true, + "security_type": "ConfidentialVM", + "security_encryption_type": "VMGuestStateOnly", + "shared_image_gallery_destination": { + "specialized": true, + "confidential_vm_image_encryption_type": "EncryptedVMGuestStateOnlyWithPmk", + "resource_group": "{{user `resource_group_name`}}", + "gallery_name": "{{user `sig_gallery_name`}}", + "image_name": "{{user `sig_image_name`}}", + "image_version": "{{user `captured_sig_version`}}", + "replication_regions": [ + "{{user `location`}}" + ] + }, + "user_assigned_managed_identities": "{{user `msi_resource_strings`}}" + } + ], + "provisioners": [ + { + "type": "shell", + "inline": [ + "sudo mkdir -p /opt/azure/containers", + "sudo chown -R $USER /opt/azure/containers" + ] + }, + { + "type": "shell", + "inline": [ + "sudo mkdir -p /opt/scripts", + "sudo chown -R $USER /opt/scripts", + "sudo mkdir -p /opt/certs", + "sudo chown -R $USER /opt/certs" + ] + }, + { + "type": "file", + "source": "vhdbuilder/lister/bin/lister", + "destination": "/home/packer/lister" + }, + { + "type": "file", + "source": "aks-node-controller/bin/aks-node-controller-linux-amd64", + "destination": "/home/packer/aks-node-controller" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-node-controller.service", + "destination": "/home/packer/aks-node-controller.service" + }, + { + "type": "file", + "source": 
"vhdbuilder/packer/prefetch.sh", + "destination": "/home/packer/prefetch.sh" + }, + { + "type": "file", + "source": "vhdbuilder/packer/cleanup-vhd.sh", + "destination": "/home/packer/cleanup-vhd.sh" + }, + { + "type": "file", + "source": "vhdbuilder/packer/packer_source.sh", + "destination": "/home/packer/packer_source.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_install.sh", + "destination": "/home/packer/provision_installs.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ubuntu/cse_install_ubuntu.sh", + "destination": "/home/packer/provision_installs_distro.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_helpers.sh", + "destination": "/home/packer/provision_source.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_benchmark_functions.sh", + "destination": "/home/packer/provision_source_benchmarks.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ubuntu/cse_helpers_ubuntu.sh", + "destination": "/home/packer/provision_source_distro.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_config.sh", + "destination": "/home/packer/provision_configs.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_main.sh", + "destination": "/home/packer/provision.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_start.sh", + "destination": "/home/packer/provision_start.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/containerd_exec_start.conf", + "destination": "/home/packer/containerd_exec_start.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/kubelet.service", + "destination": "/home/packer/kubelet.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/reconcile-private-hosts.sh", + "destination": "/home/packer/reconcile-private-hosts.sh" + }, + { + "type": 
"file", + "source": "parts/linux/cloud-init/artifacts/block_wireserver.sh", + "destination": "/home/packer/block_wireserver.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ensure_imds_restriction.sh", + "destination": "/home/packer/ensure_imds_restriction.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_redact_cloud_config.py", + "destination": "/home/packer/cse_redact_cloud_config.py" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cse_send_logs.py", + "destination": "/home/packer/cse_send_logs.py" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/init-aks-custom-cloud.sh", + "destination": "/home/packer/init-aks-custom-cloud.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/reconcile-private-hosts.service", + "destination": "/home/packer/reconcile-private-hosts.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/mig-partition.service", + "destination": "/home/packer/mig-partition.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/bind-mount.sh", + "destination": "/home/packer/bind-mount.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/bind-mount.service", + "destination": "/home/packer/bind-mount.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/enable-dhcpv6.sh", + "destination": "/home/packer/enable-dhcpv6.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/dhcpv6.service", + "destination": "/home/packer/dhcpv6.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sync-container-logs.sh", + "destination": "/home/packer/sync-container-logs.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sync-container-logs.service", + "destination": "/home/packer/sync-container-logs.service" + }, + { + "type": "file", + "source": 
"parts/linux/cloud-init/artifacts/crictl.yaml", + "destination": "/home/packer/crictl.yaml" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ensure-no-dup.sh", + "destination": "/home/packer/ensure-no-dup.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ensure-no-dup.service", + "destination": "/home/packer/ensure-no-dup.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/teleportd.service", + "destination": "/home/packer/teleportd.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/setup-custom-search-domains.sh", + "destination": "/home/packer/setup-custom-search-domains.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ubuntu/ubuntu-snapshot-update.sh", + "destination": "/home/packer/ubuntu-snapshot-update.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ubuntu/snapshot-update.service", + "destination": "/home/packer/snapshot-update.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ubuntu/snapshot-update.timer", + "destination": "/home/packer/snapshot-update.timer" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cis.sh", + "destination": "/home/packer/cis.sh" + }, + { + "type": "file", + "source": "vhdbuilder/scripts/linux/tool_installs.sh", + "destination": "/home/packer/tool_installs.sh" + }, + { + "type": "file", + "source": "vhdbuilder/scripts/linux/ubuntu/tool_installs_ubuntu.sh", + "destination": "/home/packer/tool_installs_distro.sh" + }, + { + "type": "file", + "source": "vhdbuilder/packer/asc-baseline-1.1.0-268.amd64.deb", + "destination": "/home/packer/asc-baseline.deb" + }, + { + "type": "file", + "source": "vhdbuilder/packer/pre-install-dependencies.sh", + "destination": "/home/packer/pre-install-dependencies.sh" + }, + { + "type": "file", + "source": "vhdbuilder/packer/install-dependencies.sh", + "destination": 
"/home/packer/install-dependencies.sh" + }, + { + "type": "file", + "source": "vhdbuilder/packer/post-install-dependencies.sh", + "destination": "/home/packer/post-install-dependencies.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/components.json", + "destination": "/home/packer/components.json" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/manifest.json", + "destination": "/home/packer/manifest.json" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sysctl-d-60-CIS.conf", + "destination": "/home/packer/sysctl-d-60-CIS.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sshd_config", + "destination": "/home/packer/sshd_config" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sshd_config_1604", + "destination": "/home/packer/sshd_config_1604" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sshd_config_1804_fips", + "destination": "/home/packer/sshd_config_1804_fips" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/sshd_config_2204_fips", + "destination": "/home/packer/sshd_config_2204_fips" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/rsyslog-d-60-CIS.conf", + "destination": "/home/packer/rsyslog-d-60-CIS.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/logrotate-d-rsyslog-CIS.conf", + "destination": "/home/packer/logrotate-d-rsyslog-CIS.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/etc-issue", + "destination": "/home/packer/etc-issue" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/etc-issue.net", + "destination": "/home/packer/etc-issue.net" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/modprobe-CIS.conf", + "destination": "/home/packer/modprobe-CIS.conf" + }, + { + "type": "file", + "source": 
"parts/linux/cloud-init/artifacts/pwquality-CIS.conf", + "destination": "/home/packer/pwquality-CIS.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-su", + "destination": "/home/packer/pam-d-su" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-common-auth", + "destination": "/home/packer/pam-d-common-auth" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-common-auth-2204", + "destination": "/home/packer/pam-d-common-auth-2204" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-common-password", + "destination": "/home/packer/pam-d-common-password" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh", + "destination": "/home/packer/profile-d-cis.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/disk_queue.service", + "destination": "/home/packer/disk_queue.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-memory-telemetry.sh", + "destination": "/home/packer/cgroup-memory-telemetry.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-memory-telemetry.service", + "destination": "/home/packer/cgroup-memory-telemetry.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-memory-telemetry.timer", + "destination": "/home/packer/cgroup-memory-telemetry.timer" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-pressure-telemetry.sh", + "destination": "/home/packer/cgroup-pressure-telemetry.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-pressure-telemetry.service", + "destination": "/home/packer/cgroup-pressure-telemetry.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/cgroup-pressure-telemetry.timer", + "destination": "/home/packer/cgroup-pressure-telemetry.timer" + }, + { + "type": 
"file", + "source": "parts/linux/cloud-init/artifacts/update_certs.service", + "destination": "/home/packer/update_certs.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/update_certs.path", + "destination": "/home/packer/update_certs.path" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/update_certs.sh", + "destination": "/home/packer/update_certs.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ci-syslog-watcher.path", + "destination": "/home/packer/ci-syslog-watcher.path" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ci-syslog-watcher.service", + "destination": "/home/packer/ci-syslog-watcher.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ci-syslog-watcher.sh", + "destination": "/home/packer/ci-syslog-watcher.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-log-collector.sh", + "destination": "/home/packer/aks-log-collector.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-log-collector-send.py", + "destination": "/home/packer/aks-log-collector-send.py" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-log-collector.service", + "destination": "/home/packer/aks-log-collector.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-log-collector.slice", + "destination": "/home/packer/aks-log-collector.slice" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-log-collector.timer", + "destination": "/home/packer/aks-log-collector.timer" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-check-network.sh", + "destination": "/home/packer/aks-check-network.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-check-network.service", + "destination": "/home/packer/aks-check-network.service" + }, + { + "type": "file", + "source": 
"parts/linux/cloud-init/artifacts/aks-logrotate.sh", + "destination": "/home/packer/logrotate.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-logrotate.service", + "destination": "/home/packer/logrotate.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-logrotate.timer", + "destination": "/home/packer/logrotate.timer" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-logrotate-override.conf", + "destination": "/home/packer/override.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/aks-rsyslog", + "destination": "/home/packer/rsyslog" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ipv6_nftables", + "destination": "/home/packer/ipv6_nftables" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ipv6_nftables.service", + "destination": "/home/packer/ipv6_nftables.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/ipv6_nftables.sh", + "destination": "/home/packer/ipv6_nftables.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/apt-preferences", + "destination": "/home/packer/apt-preferences" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/kms.service", + "destination": "/home/packer/kms.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/mig-partition.sh", + "destination": "/home/packer/mig-partition.sh" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/docker_clear_mount_propagation_flags.conf", + "destination": "/home/packer/docker_clear_mount_propagation_flags.conf" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/nvidia-modprobe.service", + "destination": "/home/packer/nvidia-modprobe.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/nvidia-docker-daemon.json", + "destination": 
"/home/packer/nvidia-docker-daemon.json" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/nvidia-device-plugin.service", + "destination": "/home/packer/nvidia-device-plugin.service" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-common-auth", + "destination": "/home/packer/pam-d-common-auth" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-common-password", + "destination": "/home/packer/pam-d-common-password" + }, + { + "type": "file", + "source": "parts/linux/cloud-init/artifacts/pam-d-su", + "destination": "/home/packer/pam-d-su" + }, + { + "type": "file", + "source": "vhdbuilder/notice.txt", + "destination": "/home/packer/NOTICE.txt" + }, + { + "type": "shell", + "inline": [ + "sudo FEATURE_FLAGS={{user `feature_flags`}} BUILD_NUMBER={{user `build_number`}} BUILD_ID={{user `build_id`}} COMMIT={{user `commit`}} HYPERV_GENERATION={{user `hyperv_generation`}} CONTAINER_RUNTIME={{user `container_runtime`}} TELEPORTD_PLUGIN_DOWNLOAD_URL={{user `teleportd_plugin_download_url`}} ENABLE_FIPS={{user `enable_fips`}} SGX_INSTALL={{user `sgx_install`}} IMG_SKU={{user `img_sku`}} UA_TOKEN={{user `ua_token`}} VHD_BUILD_TIMESTAMP={{user `vhd_build_timestamp`}} /bin/bash -ux /home/packer/pre-install-dependencies.sh" + ] + }, + { + "type": "shell", + "inline": "sudo reboot", + "expect_disconnect": true, + "skip_clean": true, + "pause_after": "60s" + }, + { + "type": "shell", + "inline": [ + "sudo FEATURE_FLAGS={{user `feature_flags`}} BUILD_NUMBER={{user `build_number`}} BUILD_ID={{user `build_id`}} COMMIT={{user `commit`}} HYPERV_GENERATION={{user `hyperv_generation`}} CONTAINER_RUNTIME={{user `container_runtime`}} TELEPORTD_PLUGIN_DOWNLOAD_URL={{user `teleportd_plugin_download_url`}} ENABLE_FIPS={{user `enable_fips`}} SGX_INSTALL={{user `sgx_install`}} IMG_SKU={{user `img_sku`}} PRIVATE_PACKAGES_URL={{user `private_packages_url`}} VHD_BUILD_TIMESTAMP={{user `vhd_build_timestamp`}} /bin/bash 
-ux /home/packer/install-dependencies.sh" + ] + }, + { + "type": "file", + "direction": "download", + "source": "/var/log/bcc_installation.log", + "destination": "bcc-tools-installation.log" + }, + { + "type": "shell", + "inline": "sudo reboot", + "expect_disconnect": true, + "skip_clean": true, + "pause_after": "60s" + }, + { + "type": "shell", + "inline": [ + "sudo FEATURE_FLAGS={{user `feature_flags`}} BUILD_NUMBER={{user `build_number`}} BUILD_ID={{user `build_id`}} COMMIT={{user `commit`}} HYPERV_GENERATION={{user `hyperv_generation`}} CONTAINER_RUNTIME={{user `container_runtime`}} TELEPORTD_PLUGIN_DOWNLOAD_URL={{user `teleportd_plugin_download_url`}} ENABLE_FIPS={{user `enable_fips`}} SGX_INSTALL={{user `sgx_install`}} IMG_SKU={{user `img_sku`}} /bin/bash -ux /home/packer/post-install-dependencies.sh" + ] + }, + { + "type": "file", + "source": "vhdbuilder/packer/list-images.sh", + "destination": "/home/packer/list-images.sh" + }, + { + "type": "shell", + "inline": [ + "sudo SKU_NAME={{user `sku_name`}} IMAGE_VERSION={{user `image_version`}} CONTAINER_RUNTIME={{user `container_runtime`}} /bin/bash -ux /home/packer/list-images.sh" + ] + }, + { + "type": "file", + "direction": "download", + "source": "/opt/azure/containers/image-bom.json", + "destination": "image-bom.json" + }, + { + "type": "file", + "direction": "download", + "source": "/opt/azure/vhd-install.complete", + "destination": "release-notes.txt" + }, + { + "type": "file", + "direction": "download", + "source": "/opt/azure/vhd-build-performance-data.json", + "destination": "vhd-build-performance-data.json" + }, + { + "type": "shell", + "inline": [ + "sudo rm /opt/azure/vhd-build-performance-data.json" + ] + }, + { + "type": "shell", + "inline": [ + "sudo /bin/bash -eux /home/packer/cis.sh", + "sudo /bin/bash -eux /opt/azure/containers/cleanup-vhd.sh", + "sudo /usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync || exit 125" + ] + } + ] +} \ No newline at end of file 
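Review bot: `"captured_sig_version": "{{env `${CAPTURED_SIG_VERSION`}}"` looks up an environment variable literally named `${CAPTURED_SIG_VERSION` (the `${` sits inside the backticks), so it resolves to an empty string and `shared_image_gallery_destination.image_version` is published blank unless the azure-arm plugin rejects it first; it should read `"captured_sig_version": "{{env `CAPTURED_SIG_VERSION`}}"`. If this file was copied from vhd-image-builder-base.json the same typo may exist there — not visible in this diff. `resource_group_name`, `msi_resource_strings` and `create_time` are referenced as `user` variables without being declared under `variables`, so the template depends on `settings.json` supplying them; JSON cannot carry a comment, so documenting that contract next to the `-var-file=vhdbuilder/packer/settings.json` line in packer.mk would help.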
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index 36a6d2e0988..739fc64420e 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
@@ -63,6 +63,10 @@ if [[ "${OS_TYPE}" == "Linux" && "${ENABLE_TRUSTED_LAUNCH}" == "True" ]]; then
 VM_OPTIONS+=" --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true"
 fi
 
+if [ "${OS_TYPE}" == "Linux" ] && [ ${IMG_SKU} == "20_04-lts-cvm" ]; then
+ VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
+fi
+
 SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning$(date +%s)${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
 if [ -z "$SCANNING_NIC_ID" ]; then
 echo "unable to create new NIC for scanning VM"