Add Image Customizer configuration for linuxguard, baremetal, hyperv-guest, qemu-guest, marketplace-gen1, and marketplace-gen2 images (microsoft#13251)

Co-authored-by: Dallas Delaney <dadelan@microsoft.com>

Author: vinceaperri

toolkit/imageconfigs/baremetal-amd64.yaml

@@ -0,0 +1,66 @@
+storage:
+  bootType: efi
+
+  disks:
+  - partitionTableType: gpt
+    maxSize: 1024M
+    partitions:
+    - id: esp
+      type: esp
+      size: 8M
+
+    - id: rootfs
+      type: root
+      size: grow
+
+  filesystems:
+  - deviceId: esp
+    type: fat32
+    mountPoint:
+      path: /boot/efi
+      options: umask=0077
+
+  - deviceId: rootfs
+    type: ext4
+    mountPoint:
+      path: /
+
+os:
+  bootloader:
+    resetType: hard-reset
+
+  hostname: azure-linux
+
+  kernelCommandLine:
+    extraCommandLine:
+    - console=tty0
+    - console=ttyS0
+    - rd.info
+    - log_buf_len=1M
+
+  selinux:
+    mode: enforcing
+
+  packages:
+    remove:
+    - dracut-hostonly
+
+    installLists:
+    - packagelists/baremetal-packages.yaml
+    - packagelists/base-image-packages.yaml
+    - packagelists/cloud-init-packages.yaml
+    - packagelists/selinux.yaml
+
+scripts:
+  finalizeCustomization:
+  - path: scripts/cleanup.sh
+  - path: scripts/set_os_release_variant_entries.sh
+    arguments:
+    - --variant-id
+    - baremetal
+    - --variant
+    - Bare Metal Image
+
+output:
+  image:
+    format: vhdx

toolkit/imageconfigs/baremetal-arm64.yaml

@@ -0,0 +1,66 @@
+storage:
+  bootType: efi
+
+  disks:
+  - partitionTableType: gpt
+    maxSize: 1024M
+    partitions:
+    - id: esp
+      type: esp
+      size: 8M
+
+    - id: rootfs
+      type: root
+      size: grow
+
+  filesystems:
+  - deviceId: esp
+    type: fat32
+    mountPoint:
+      path: /boot/efi
+      options: umask=0077
+
+  - deviceId: rootfs
+    type: ext4
+    mountPoint:
+      path: /
+
+os:
+  bootloader:
+    resetType: hard-reset
+
+  hostname: azure-linux
+
+  kernelCommandLine:
+    extraCommandLine:
+    - console=tty0
+    - console=ttyS0
+    - rd.info
+    - log_buf_len=1M
+
+  selinux:
+    mode: enforcing
+
+  packages:
+    remove:
+    - dracut-hostonly
+
+    installLists:
+    - packagelists/baremetal-packages.yaml
+    - packagelists/base-image-packages.yaml
+    - packagelists/cloud-init-packages.yaml
+    - packagelists/selinux.yaml
+
+scripts:
+  finalizeCustomization:
+  - path: scripts/cleanup.sh
+  - path: scripts/set_os_release_variant_entries.sh
+    arguments:
+    - --variant-id
+    - baremetal
+    - --variant
+    - Bare Metal Image
+
+output:
+  image:
+    format: vhdx

toolkit/imageconfigs/files/linuxguard/99-dhcp-eth0.network

@@ -0,0 +1,6 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+IPv6AcceptRA=no

toolkit/imageconfigs/files/linuxguard/no-password-prompt-on-sudo

@@ -0,0 +1,2 @@
+# Do not prompt for password on sudo
+azuresu ALL=(ALL) NOPASSWD:ALL

toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage

@@ -0,0 +1,23 @@
+boolean -D
+login -D
+interface -D
+user -D
+port -D
+node -D
+fcontext -D
+module -D
+ibendport -D
+ibpkey -D
+permissive -D
+boolean -m -1 cloudinit_manage_non_security
+boolean -m -1 container_mounton_non_security
+boolean -m -1 init_mounton_non_security
+login -m -s ci_unconfined_u -r 's0' root
+login -m -s ci_unconfined_u -r 's0' __default__
+fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*'
+fcontext -a -f d -t root_t -r 's0' '/overlays'
+fcontext -a -f d -t lost_found_t -r 's0' '/overlays/lost\+found'
+fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk'
+fcontext -a -f f -t dockerd_exec_t -r 's0' '/usr/bin/tardev-snapshotter'
+fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script'
+fcontext -a -e / /rw

toolkit/imageconfigs/files/linuxguard/sshd-keygen.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Generate sshd host keys
+ConditionPathExists=|!/rw/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/rw/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/rw/etc/ssh/ssh_host_ed25519_key
+Before=sshd.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/ssh-keygen -A -f /rw
+
+[Install]
+WantedBy=multi-user.target

toolkit/imageconfigs/files/linuxguard/verity-signature/10-mountbootpartition.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" mountbootpartition "

toolkit/imageconfigs/files/linuxguard/verity-signature/90mountbootpartition/module-setup.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# called by dracut
+check() {
+    return 255
+}
+
+# called by dracut
+depends() {
+    return 0
+}
+
+# called by dracut
+installkernel() {
+    return 0
+}
+
+# called by dracut
+install() {
+    # install utilities
+    inst_multiple lsblk umount
+    # generate udev rule - i.e. schedule things post udev settlement
+    inst_hook pre-udev 30 "$moddir/mountbootpartition-genrules.sh"
+    # script to run post udev to mout
+    inst_script "$moddir/mountbootpartition.sh" "/sbin/mountbootpartition"
+    # script runs early on when systemd is initialized...
+    if dracut_module_included "systemd-initrd"; then
+        inst_script "$moddir/mountbootpartition-generator.sh" "$systemdutildir"/system-generators/dracut-mountbootpartition-generator
+    fi
+    dracut_need_initqueue
+}

toolkit/imageconfigs/files/linuxguard/verity-signature/90mountbootpartition/mountbootpartition-generator.sh

@@ -0,0 +1,79 @@
+#!/bin/sh
+
+set -x
+set -e
+
+echo "Running mountbootpartition-generator.sh" > /dev/kmsg
+
+# type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+function updateVeritySetupUnit () {
+    systemdDropInDir=/etc/systemd/system
+    verityDropInDir=$systemdDropInDir/systemd-veritysetup@root.service.d
+
+    mkdir -p $verityDropInDir
+    verityConfiguration=$verityDropInDir/verity-azl-extension.conf
+
+    cat <<EOF > $verityConfiguration
+[Unit]
+After=bootmountmonitor.service
+Requires=bootmountmonitor.service
+EOF
+
+    chmod 644 $verityConfiguration
+    chown root:root $verityConfiguration
+}
+
+# -----------------------------------------------------------------------------
+function createBootPartitionMonitorScript () {
+    local bootPartitionMonitorCmd=$1
+    local semaphorefile=$2
+
+    cat <<EOF > $bootPartitionMonitorCmd
+#!/bin/sh
+while [ ! -e "$semaphorefile" ]; do
+    echo "Waiting for $semaphorefile to exist..."
+    sleep 1
+done    
+EOF
+    chmod +x $bootPartitionMonitorCmd
+}
+
+# -----------------------------------------------------------------------------
+function createBootPartitionMonitorUnit() {
+    local bootPartitionMonitorCmd=$1
+
+    bootMountMonitorName="bootmountmonitor.service"
+    systemdDropInDir=/etc/systemd/system
+    bootMountMonitorDir=$systemdDropInDir
+    bootMountMonitorUnitFile=$bootMountMonitorDir/$bootMountMonitorName
+
+    cat <<EOF > $bootMountMonitorUnitFile
+[Unit]
+Description=bootpartitionmounter
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=$bootPartitionMonitorCmd
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+}
+
+# -----------------------------------------------------------------------------
+
+updateVeritySetupUnit
+
+systemdScriptsDir=/usr/local/bin
+bootPartitionMonitorCmd=$systemdScriptsDir/boot-partition-monitor.sh
+semaphorefile=/run/boot-parition-mount-complete.sem
+
+mkdir -p $systemdScriptsDir
+
+createBootPartitionMonitorScript $bootPartitionMonitorCmd $semaphorefile
+createBootPartitionMonitorUnit $bootPartitionMonitorCmd
+
+echo "mountbootpartition-generator.sh completed successfully." > /dev/kmsg

toolkit/imageconfigs/files/linuxguard/verity-signature/90mountbootpartition/mountbootpartition-genrules.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "Running mountbootpartition-genrules.sh" > /dev/kmsg
+
+# this gets called after all devices have settled.
+/sbin/initqueue --finished --onetime --unique /sbin/mountbootpartition > /dev/kmsg