osbuilder: Add support for openSUSE rootfs image

Add support for building a rootfs image based on openSUSE Leap.

Fixes: #33

Signed-off-by: Marco Vedovati <mvedovati@suse.com>

README.md

@@ -120,8 +120,8 @@ For further details, see [the tests documentation](tests/README.md).
 
 ## Platform-Distro Compatibility Matrix
 
-| | Alpine | CentOS | ClearLinux | EulerOS | Fedora | 
+|           |Alpine            |CentOS            |ClearLinux        |Debian/Ubuntu     |EulerOS           |Fedora            |openSUSE          |
-  |--|--|--|--|--|--|
+|--         |--                |--                |--                |--                |--                |--                |--                |
-  | **ARM64** | :heavy_check_mark: | :heavy_check_mark: |  | :heavy_check_mark: | :heavy_check_mark: | 
+|**ARM64**  |:heavy_check_mark:|:heavy_check_mark:|                  |                  |:heavy_check_mark:|:heavy_check_mark:|                  |
-  | **PPC64le** | :heavy_check_mark: | :heavy_check_mark: |  |  | :heavy_check_mark: | 
+|**PPC64le**|:heavy_check_mark:|:heavy_check_mark:|                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-  | **x86_64** | :heavy_check_mark: |:heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+|**x86_64** |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|

rootfs-builder/rootfs.sh

@@ -84,17 +84,29 @@ check_function_exist()
 	[ "$(type -t ${function_name})" == "function" ] || die "${function_name} function was not defined"
 }
 
-distro_needs_admin_caps()
+docker_extra_args()
 {
-		if [ "$1" = "ubuntu" ]
+	local args=""
-		then
+
-			echo "true"
+	case "$1" in
-		elif [ "$1" = "debian" ]
+	 ubuntu | debian)
-		then
+		# Requred to chroot
-			echo "true"
+		args+=" --cap-add SYS_CHROOT"
-		else
+		# debootstrap needs to create device nodes to properly function
-			echo "false"
+		args+=" --cap-add MKNOD"
-		fi
+		;&
+	suse)
+		# Required to mount inside a container
+		args+=" --cap-add SYS_ADMIN"
+		# When AppArmor is enabled, mounting inside a container is blocked with docker-default profile.
+		# See https://github.com/moby/moby/issues/16429
+		args+=" --security-opt apparmor:unconfined"
+		;;
+	*)
+		;;
+	esac
+
+	echo "$args"
 }
 
 generate_dockerfile()
@@ -239,17 +251,7 @@ if [ -n "${USE_DOCKER}" ] ; then
 	docker_run_args+=" --rm"
 	docker_run_args+=" --runtime runc"
 
-	admin_caps=$(distro_needs_admin_caps "$distro")
+	docker_run_args+=" $(docker_extra_args $distro)"
-	if [ "$admin_caps" = "true" ]; then
-		# Required by debootstrap to mount inside a container
-		docker_run_args+=" --cap-add SYS_ADMIN"
-		# Requred to chroot
-		docker_run_args+=" --cap-add SYS_CHROOT"
-		# debootstrap needs to create device nodes to properly function
-		docker_run_args+=" --cap-add MKNOD"
-		# See https://github.com/moby/moby/issues/16429
-		docker_run_args+=" --security-opt apparmor:unconfined"
-	fi
 
 	#Make sure we use a compatible runtime to build rootfs
 	# In case Clear Containers Runtime is installed we dont want to hit issue:

rootfs-builder/suse/Dockerfile.in

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2018 SUSE LLC
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#suse: docker image to be used to create a rootfs
+#@OS_VERSION@: Docker image version to build this dockerfile
+from opensuse/leap
+
+# This dockerfile needs to provide all the componets need to build a rootfs
+# Install any package need to create a rootfs (package manager, extra tools)
+
+COPY install-packages.sh config.sh /
+# RUN commands
+RUN chmod +x /install-packages.sh; /install-packages.sh
+
+# This will install the proper golang to build Kata components
+@INSTALL_GO@

rootfs-builder/suse/config.sh

@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2018 SUSE LLC
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# May also be "Tumbleweed"
+OS_DISTRO="Leap"
+
+# Leave this empty for distro "Tumbleweed"
+OS_VERSION=${OS_VERSION:-15.0}
+
+OS_IDENTIFIER="$OS_DISTRO${OS_VERSION:+:$OS_VERSION}"
+
+# Extra packages to install in the rootfs
+PACKAGES="systemd iptables libudev1"
+
+#  http or https
+REPO_TRANSPORT="https"
+
+# Can specify an alternative domain
+REPO_DOMAIN="download.opensuse.org"
+
+# NOTE: you probably dont need to edit things below this
+#
+###############################################################################
+
+SUSE_URL_BASE="${REPO_TRANSPORT}://${REPO_DOMAIN}"
+SUSE_PATH_OSS="/distribution/${OS_DISTRO,,}/$OS_VERSION/repo/oss"
+SUSE_PATH_UPDATE="/update/${OS_DISTRO,,}/$OS_VERSION/oss"
+
+case "$(uname -m)" in
+	x86_64)
+		REPO_URL_PORT=""
+		;;
+	ppc|ppc64le)
+		REPO_URL_PORT="/ports/ppc"
+		;;
+	*)
+		REPO_URL_PORT="/ports/$arch"
+		;;
+esac
+SUSE_FULLURL_OSS="${SUSE_URL_BASE}${REPO_URL_PORT}${SUSE_PATH_OSS}"
+SUSE_FULLURL_UPDATE="${SUSE_URL_BASE}${SUSE_PATH_UPDATE}"
+
+if [ -z "${REPO_URL:-}" ]; then
+	REPO_URL="$SUSE_FULLURL_OSS"
+fi

rootfs-builder/suse/config.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- 
+ Copyright (c) 2018 SUSE LLC
+ 
+ SPDX-License-Identifier: Apache-2.0
+-->
+<image schemaversion="6.8" name="openSUSE-rootfs-for-Kata-vm">
+    <description type="system">
+        <author>SUSE</author>
+        <contact>mvedovati@suse.com</contact>
+        <specification>openSUSE rootfs for Kata Containers guest vm</specification>
+    </description>
+    <preferences>
+        <version>1.0.0</version>
+        <packagemanager>zypper</packagemanager>
+        <locale>en_US</locale>
+        <keytable>us</keytable>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <type image="vmx" filesystem="ext4" />
+    </preferences>
+    <repository type="rpm-md">
+        <!-- NOTE: the following is a placeholder, specify the actual path with kiwi option set-repo=... -->
+        <source path="obs://"/>
+    </repository>
+    <packages type="image">
+        <package name=""/>
+    </packages>
+    <packages type="delete">
+        <package name="zypper"/>
+        <package name="rpm"/>
+    </packages>
+    <packages type="bootstrap" patternType="onlyRequired">
+        <package name="udev"/>
+        <package name="filesystem"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+        <package name="openSUSE-release"/>
+    </packages>
+
+</image>

rootfs-builder/suse/install-packages.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2018 SUSE LLC
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+source config.sh
+
+removeRepos=(repo-non-oss repo-update-non-oss repo-oss repo-update)
+
+for r in ${removeRepos[@]}; do
+	zypper --non-interactive removerepo $r
+done
+
+zypper --non-interactive addrepo ${SUSE_FULLURL_OSS} osbuilder-oss
+zypper --non-interactive addrepo ${SUSE_FULLURL_UPDATE} osbuilder-update
+
+
+# Workaround for zypper slowdowns observed when running inside
+# a container: see https://github.com/openSUSE/zypper/pull/209
+# The fix is upstream but it will take a while before landing
+# in Leap
+ulimit -n 1024
+zypper --non-interactive refresh
+zypper --non-interactive install --no-recommends --force-resolution curl git gcc make python3-kiwi tar
+zypper --non-interactive clean --all
+

rootfs-builder/suse/rootfs_lib.sh

@@ -0,0 +1,76 @@
+#
+# Copyright (c) 2018 SUSE LLC
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# - Arguments
+# rootfs_dir=$1
+#
+# - Optional environment variables
+#
+# EXTRA_PKGS: Variable to add extra PKGS provided by the user
+#
+# BIN_AGENT: Name of the Kata-Agent binary
+#
+# REPO_URL: URL to distribution repository ( should be configured in
+#           config.sh file)
+#
+# Any other configuration variable for a specific distro must be added
+# and documented on its own config.sh
+#
+# - Expected result
+#
+# rootfs_dir populated with rootfs pkgs
+# It must provide a binary in /sbin/init
+#
+# Note: For some distros, the build_rootfs() function provided in scripts/lib.sh
+#       will suffice. If a new distro is introduced with a special requirement,
+#       then, a rootfs_builder/<distro>/rootfs_lib.sh file should be created
+#       using this template.
+
+build_rootfs() {
+	# Mandatory
+	local ROOTFS_DIR=$1
+
+	#Name of the Kata-Agent binary
+	local BIN_AGENT=${BIN_AGENT}
+
+	# In case of support EXTRA packages, use it to allow
+	# users add more packages to the base rootfs
+	local EXTRA_PKGS=${EXTRA_PKGS:-}
+
+	#PATH where files this script is placed
+	#Use it to refer to files in the same directory
+	#Exmaple: ${CONFIG_DIR}/foo
+	local CONFIG_DIR=${CONFIG_DIR}
+
+	# Populate ROOTFS_DIR
+	# Must provide /sbin/init and /bin/${BIN_AGENT}
+	if [ -e "$ROOTFS_DIR" ] && ! [ -z "$(ls -A $ROOTFS_DIR)" ]; then
+		echo "ERROR: $ROOTFS_DIR is not empty"
+		exit 1
+	fi
+
+	local addPackages=""
+	for p in $PACKAGES $EXTRA_PKGS; do
+		addPackages+=" --add-package=$p"
+	done
+
+	# set-repo format: <source,type,alias,priority,imageinclude,package_gpgcheck>
+	# man kiwi::system::build for details
+	local setRepo=" --set-repo $REPO_URL,rpm-md,$OS_IDENTIFIER,99,false,false"
+
+	# Workaround for zypper slowdowns observed when running inside
+	# a container: see https://github.com/openSUSE/zypper/pull/209
+	# The fix is upstream but it will take a while before landing
+	# in Leap
+	ulimit -n 1024
+	kiwi system prepare \
+		--description $CONFIG_DIR \
+		--allow-existing-root \
+		--root $ROOTFS_DIR \
+		$addPackages \
+		$setRepo
+	install -d $ROOTFS_DIR/lib/systemd
+	ln -s /usr/lib/systemd/systemd $ROOTFS_DIR/lib/systemd/systemd
+}

tests/test_config.sh

@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-distrosSystemd=(fedora centos ubuntu debian)
+distrosSystemd=(fedora centos ubuntu debian suse)
 distrosAgent=(alpine)
 
 if [ $MACHINE_TYPE != "ppc64le" ]; then