Enable 2.0 Mariner images

Author: Camelron

.pipelines/.vsts-vhd-builder-release.yaml

@@ -49,6 +49,10 @@ parameters:
   displayName: Build MarinerV1 Gen2
   type: boolean
   default: true
+- name: buildMarinerV2gen2
+  displayName: Build MarinerV2 Gen2
+  type: boolean
+  default: true
 - name: build1804fipscontainerd
   displayName: Build 1804 FIPS containerd
   type: boolean
@@ -325,6 +329,29 @@ stages:
         - template: ./templates/.builder-release-template.yaml
           parameters:
             artifactName: marinerv1-gen2
+  - stage: build_vhd_marinerv2_gen2
+    dependsOn: []
+    condition: eq('${{ parameters.buildMarinerV2gen2 }}', true)
+    jobs:
+    - job: build
+      timeoutInMinutes: 180
+      steps:
+        - bash: |
+            echo '##vso[task.setvariable variable=DRY_RUN]${{parameters.dryrun}}'
+            echo '##vso[task.setvariable variable=OS_SKU]CBLMariner'
+            echo '##vso[task.setvariable variable=OS_VERSION]V2'
+            echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+            echo '##vso[task.setvariable variable=IMG_OFFER]cbl-mariner'
+            echo '##vso[task.setvariable variable=IMG_SKU]cbl-mariner-2-gen2'
+            echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+            echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2'
+            echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+            echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd'
+            echo '##vso[task.setvariable variable=ENABLE_FIPS]false'
+          displayName: Setup Build Variables
+        - template: ./templates/.builder-release-template.yaml
+          parameters:
+            artifactName: marinerv2-gen2
   - stage: build_vhd_1804_fips_containerd
     dependsOn: []
     condition: eq('${{ parameters.build1804fipscontainerd }}', true)

packer.mk

@@ -29,6 +29,7 @@ else
 endif
 endif
 else ifeq (${OS_SKU},CBLMariner)
+ifeq (${OS_VERSION},V1)
 ifeq (${MODE},gen2Mode)
 	@echo "${MODE}: Building with Hyper-v generation 2 VM and save to Classic Storage Account"
 	@packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-mariner-gen2.json
@@ -38,6 +39,18 @@ else
 	@echo "${MODE}: Building with Hyper-v generation 1 VM and save to Classic Storage Account"
 	@packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-mariner.json
 endif
+else ifeq (${OS_VERSION},V2)
+ifeq (${MODE},gen2Mode)
+	@echo "${MODE}: Building with Hyper-v generation 2 VM"
+	@packer build -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-mariner2-gen2.json
+else ifeq (${MODE},sigMode)
+	$(error sigMode not supported yet)
+else
+	$(error MarinerV2 gen1 VMs are not supported yet)
+endif
+else
+	$(error OS_VERSION was invalid ${OS_VERSION})
+endif
 else
 	$(error OS_SKU was invalid ${OS_SKU})
 endif

parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh

@@ -14,6 +14,15 @@ installDeps() {
         exit $ERR_APT_INSTALL_TIMEOUT
       fi
     done
+
+    # install additional apparmor deps for 2.0
+    if [[ $OS_VERSION == "2.0" ]]; then
+      for dnf_package in apparmor-parser libapparmor; do
+        if ! dnf_install 30 1 600 $dnf_package; then
+          exit $ERR_APT_INSTALL_TIMEOUT
+        fi
+      done
+    fi
 }
 
 downloadGPUDrivers() {

pkg/templates/templates_generated.go

@@ -160,8 +160,8 @@ else
 	echo "Skipping SIG check for $MODE"
 fi
 
-# Image import from storage account. Required to build CBLMariner images.
-if [[ "$OS_SKU" == "CBLMariner" ]]; then
+# Image import from storage account. Required to build CBLMariner V1 images.
+if [[ "$OS_SKU" == "CBLMariner" && "$OS_VERSION" == "V1" ]]; then
 	if [[ $HYPERV_GENERATION == "V2" ]]; then
 		IMPORT_IMAGE_URL=${IMPORT_IMAGE_URL_GEN2}
 	elif [[ $HYPERV_GENERATION == "V1" ]]; then

vhdbuilder/packer/init-variables.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
+OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
 UBUNTU_OS_NAME="UBUNTU"
 MARINER_OS_NAME="MARINER"
 THIS_DIR="$(cd "$(dirname ${BASH_SOURCE[0]})" && pwd)"
@@ -114,7 +115,11 @@ if [[ $OS == $MARINER_OS_NAME ]]; then
     disableSystemdResolvedCache
     disableSystemdIptables
     forceEnableIpForward
-    networkdWorkaround
+    if [[ $OS_VERSION == "2.0" ]]; then 
+      setMarinerNetworkdConfig
+    else
+      networkdWorkaround
+    fi
     enableDNFAutomatic
     fixCBLMarinerPermissions
     overrideNetworkConfig || exit 1

vhdbuilder/packer/install-dependencies.sh

@@ -0,0 +1,6 @@
+#cloud-config to reenable sha1 temporarily for packer
+runcmd:
+  - echo -e "HostkeyAlgorithms +ssh-rsa \nPubkeyAcceptedAlgorithms +ssh-rsa" | sudo tee -a /etc/ssh/sshd_config
+  - sudo systemctl restart sshd
+  - sudo sed -i "/HostkeyAlgorithms +ssh-rsa/d" /etc/ssh/sshd_config
+  - sudo sed -i "/PubkeyAcceptedAlgorithms +ssh-rsa/d" /etc/ssh/sshd_config