Install extensions via Containerfile for OCL

umohnani8 · umohnani8 · commit 58a3428c97f2 · 2024-11-19T09:25:28.000-05:00
Add logic to the Containerfile used to build the new
OS image to be able to install extensions when using OCL.
Extensions are installed via rpm-ostree and commited to
the container image.

Signed-off-by: Urvashi &lt;umohnani@redhat.com&gt;
diff --git a/pkg/controller/build/buildrequest/assets/Containerfile.on-cluster-build-template b/pkg/controller/build/buildrequest/assets/Containerfile.on-cluster-build-template
@@ -10,16 +10,6 @@ COPY ./machineconfig/machineconfig.json.gz /tmp/machineconfig.json.gz
 RUN mkdir -p /etc/machine-config-daemon && \
 	cat /tmp/machineconfig.json.gz | base64 -d | gunzip - > /etc/machine-config-daemon/currentconfig
 
-{{if .ExtensionsImage}}
-# Pull our extensions image. Not sure yet what / how this should be wired up
-# though. Ideally, I'd like to use some Buildah tricks to have the extensions
-# directory mounted into the container at build-time so that I don't have to
-# copy the RPMs into the container, configure the repo, and do the
-# installation. Alternatively, I'd have to start a pod with an HTTP server.
-FROM {{.ExtensionsImage}} AS extensions
-{{end}}
-
-
 FROM {{.BaseOSImage}} AS configs
 # Copy the extracted MachineConfig into the expected place in the image.
 COPY --from=extract /etc/machine-config-daemon/currentconfig /etc/machine-config-daemon/currentconfig
@@ -28,6 +18,25 @@ COPY --from=extract /etc/machine-config-daemon/currentconfig /etc/machine-config
 # since it should be set by the container runtime / builder.
 RUN container="oci" exec -a ignition-apply /usr/lib/dracut/modules.d/30ignition/ignition --ignore-unsupported <(cat /etc/machine-config-daemon/currentconfig | jq '.spec.config') && \
 	ostree container commit
+{{if and .ExtensionsImage .Extensions}}
+COPY --from={{.ExtensionsImage}} / /run/mco-extensions/os-extensions-content
+# Add the extensions repo to /etc/yum.repos.d/coreos-extensions.repo
+RUN cat <<EOF > /etc/yum.repos.d/coreos-extensions.repo
+[coreos-extensions]
+enabled=1
+metadata_expire=1m
+baseurl=/run/mco-extensions/os-extensions-content/usr/share/rpm-ostree/extensions/
+gpgcheck=0
+skip_if_unavailable=False
+EOF
+# Set file permissions
+RUN chmod 644 /etc/yum.repos.d/coreos-extensions.repo
+# Install the extensions via rpm-ostree
+RUN extensions="{{- range $index, $item := .Extensions }}{{- if $index }} {{ end }}{{$item}}{{- end }}" && \
+    echo "Installing packages: $extensions" && \
+    rpm-ostree install $extensions && \
+    ostree container commit
+{{end}}
 
 LABEL machineconfig={{.MachineOSBuild.Spec.DesiredConfig.Name}}
 LABEL machineconfigpool={{.MachineOSConfig.Spec.MachineConfigPool.Name}}
diff --git a/pkg/controller/build/buildrequest/buildrequest.go b/pkg/controller/build/buildrequest/buildrequest.go
@@ -211,13 +211,15 @@ func (br buildRequestImpl) renderContainerfile() (string, error) {
 		ReleaseVersion    string
 		BaseOSImage       string
 		ExtensionsImage   string
+		Extensions        []string
 	}{
 		MachineOSBuild:    br.opts.MachineOSBuild,
 		MachineOSConfig:   br.opts.MachineOSConfig,
 		UserContainerfile: br.userContainerfile,
 		ReleaseVersion:    br.opts.getReleaseVersion(),
 		BaseOSImage:       br.opts.getBaseOSImagePullspec(),
 		ExtensionsImage:   br.opts.getExtensionsImagePullspec(),
+		Extensions:        br.opts.getExtensions(),
 	}
 
 	if err := tmpl.Execute(out, items); err != nil {
diff --git a/pkg/controller/build/buildrequest/buildrequest_test.go b/pkg/controller/build/buildrequest/buildrequest_test.go
@@ -40,21 +40,26 @@ func TestBuildRequest(t *testing.T) {
 		unexpectedContainerfileContents []string
 	}{
 		{
-			name:     "With extensions image",
-			optsFunc: getBuildRequestOpts,
+			name: "With extensions image and extensions",
+			optsFunc: func() BuildRequestOpts {
+				opts := getBuildRequestOpts()
+				opts.MachineConfig.Spec.Extensions = []string{"usbguard"}
+				return opts
+			},
 			expectedContainerfileContents: append(expectedContents(), []string{
-				fmt.Sprintf("FROM %s AS extensions", osImageURLConfig.BaseOSExtensionsContainerImage),
+				fmt.Sprintf("COPY --from=%s", osImageURLConfig.BaseOSExtensionsContainerImage),
 			}...),
 		},
 		{
-			name: "Missing extensions image",
+			name: "Missing extensions image and extensions",
 			optsFunc: func() BuildRequestOpts {
 				opts := getBuildRequestOpts()
 				opts.OSImageURLConfig.BaseOSExtensionsContainerImage = ""
+				opts.MachineConfig.Spec.Extensions = []string{"usbguard"}
 				return opts
 			},
 			unexpectedContainerfileContents: []string{
-				fmt.Sprintf("FROM %s AS extensions", osImageURLConfig.BaseOSContainerImage),
+				fmt.Sprintf("COPY --from=%s", osImageURLConfig.BaseOSContainerImage),
 			},
 		},
 		{
@@ -98,12 +103,13 @@ func TestBuildRequest(t *testing.T) {
 				opts.MachineOSConfig.Spec.BuildInputs.BaseOSImagePullspec = "base-os-image-from-machineosconfig"
 				opts.MachineOSConfig.Spec.BuildInputs.BaseOSExtensionsImagePullspec = "base-ext-image-from-machineosconfig"
 				opts.MachineOSConfig.Spec.BuildInputs.ReleaseVersion = "release-version-from-machineosconfig"
+				opts.MachineConfig.Spec.Extensions = []string{"usbguard"}
 				return opts
 			},
 			expectedContainerfileContents: []string{
 				"FROM base-os-image-from-machineosconfig AS extract",
 				"FROM base-os-image-from-machineosconfig AS configs",
-				"FROM base-ext-image-from-machineosconfig AS extensions",
+				"COPY --from=base-ext-image-from-machineosconfig",
 				"LABEL releaseversion=release-version-from-machineosconfig",
 			},
 			unexpectedContainerfileContents: expectedContents(),
diff --git a/pkg/controller/build/buildrequest/buildrequestopts.go b/pkg/controller/build/buildrequest/buildrequestopts.go
@@ -68,6 +68,14 @@ func (b BuildRequestOpts) getReleaseVersion() string {
 	return b.OSImageURLConfig.ReleaseVersion
 }
 
+// Gets the extensions from the MachineConfig if available.
+func (b BuildRequestOpts) getExtensions() []string {
+	if len(b.MachineConfig.Spec.Extensions) > 0 {
+		return b.MachineConfig.Spec.Extensions
+	}
+	return []string{}
+}
+
 // Gets all of the image build request opts from the Kube API server.
 func newBuildRequestOptsFromAPI(ctx context.Context, kubeclient clientset.Interface, mcfgclient mcfgclientset.Interface, mosb *mcfgv1alpha1.MachineOSBuild, mosc *mcfgv1alpha1.MachineOSConfig) (*BuildRequestOpts, error) {
 	og := optsGetter{
diff --git a/test/e2e-techpreview/onclusterlayering_test.go b/test/e2e-techpreview/onclusterlayering_test.go
@@ -1053,3 +1053,76 @@ func TestSSHKeyAndPasswordForOSBuilder(t *testing.T) {
 		t.Logf("Deleted MachineConfig %s", testConfig.Name)
 	})
 }
+
+func TestExtensionsForOSBuilder(t *testing.T) {
+	t.Helper()
+
+	cs := framework.NewClientSet("")
+
+	// label random node from pool, get the node
+	unlabelFunc := helpers.LabelRandomNodeFromPool(t, cs, "worker", "node-role.kubernetes.io/layered")
+
+	// prepare for on cluster build test
+	prepareForOnClusterLayeringTest(t, cs, onClusterLayeringTestOpts{
+		poolName:             layeredMCPName,
+		customDockerfiles:    map[string]string{},
+		useEtcPkiEntitlement: true,
+	})
+
+	testConfig := &mcfgv1.MachineConfig{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "99-extensions",
+			Labels: helpers.MCLabelForRole(layeredMCPName),
+		},
+		Spec: mcfgv1.MachineConfigSpec{
+			Config: runtime.RawExtension{
+				Raw: helpers.MarshalOrDie(ctrlcommon.NewIgnConfig()),
+			},
+			Extensions: []string{"usbguard", "kerberos"},
+		},
+	}
+
+	helpers.SetMetadataOnObject(t, testConfig)
+
+	// Create the MachineConfig and wait for the configuration to be applied
+	_, err := cs.MachineConfigs().Create(context.TODO(), testConfig, metav1.CreateOptions{})
+	require.Nil(t, err, "failed to create MC")
+	t.Logf("Created MC %s", testConfig.Name)
+
+	// wait for rendered config to finish creating
+	renderedConfig, err := helpers.WaitForRenderedConfig(t, cs, layeredMCPName, testConfig.Name)
+	require.Nil(t, err)
+	t.Logf("Finished rendering config %s", renderedConfig)
+
+	// wait for mcp to complete updating
+	err = helpers.WaitForPoolComplete(t, cs, layeredMCPName, renderedConfig)
+	require.Nil(t, err)
+	t.Logf("Pool %s completed updating", layeredMCPName)
+
+	// Validate the extensions are installed
+	osNode := helpers.GetSingleNodeByRole(t, cs, layeredMCPName) // Re-fetch node with updated configurations
+
+	foundPkg := helpers.ExecCmdOnNode(t, cs, osNode, "rpm", "-q", "usbguard")
+	if strings.Contains(foundPkg, "package usbguard is not installed") {
+		t.Fatalf("usbguard extensions not found, got %s", foundPkg)
+	}
+	t.Logf("usbguard extension installed, got %s", foundPkg)
+
+	foundPkg = helpers.ExecCmdOnNode(t, cs, osNode, "rpm", "-q", "kerberos")
+	if strings.Contains(foundPkg, "package kerberos is not installed") {
+		t.Fatalf("kerberos extensions not found, got %s", foundPkg)
+	}
+	t.Logf("kerberos extension installed, got %s", foundPkg)
+
+	t.Logf("Node %s has both usbguard and kerberos extensions installed", osNode.Name)
+
+	// Clean-up: Delete the applied MachineConfig and ensure configurations are rolled back
+
+	t.Cleanup(func() {
+		unlabelFunc()
+		if err := cs.MachineConfigs().Delete(context.TODO(), testConfig.Name, metav1.DeleteOptions{}); err != nil {
+			t.Error(err)
+		}
+		t.Logf("Deleted MachineConfig %s", testConfig.Name)
+	})
+}
