Support loading and testing random ISO images without the need for
build/manifest.json. If the file is detected - tests are run. If file is
not found - those tests are skipped.
VyOS is based on Debian
* VyOS 1.3 -> Debian Buster (VyOS equuleus)
* VyOS 1.4 -> Debian Bookworm (VyOS sagitta)
* VyOS 1.5 -> Debian Bookworm (and then trixie) (VyOS circinus)
* VyOS rolling -> Debian Bookworm (and then trixie) (VyOS t.b.d.)
When running
vyos@vyos:~$ lsb_release -a
Distributor ID: VyOS
Description: VyOS 1.5-rolling-202501031241 (current)
Release: 1.5-rolling-202501031241
Codename: bookworm
The codename in use is the Debian base distribution. This should be changed to
the VyOS release name.
Commit 085df7615a ("Testsuite: T861: always use 2 VCPUs") also altered the base
MAC address used by QEMU to a locally administered one. Something that looked
"right" in the beginning turned out to break the smoketest platform.
The reason is the locally administered bit is evaluated in [1] and if set and
not on the exclusion list (as it was a Realtek base MAC address before), the
interface in question is not considered persistent and thus not added to the
configuration file upon system startup.
1: 825743b6bc/src/helpers/vyos-interface-rescan.py (L73-L74)
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
In the past the CLI based smoketest was always executed under an else branch in
the testcase if-statement. Instead of using negative logic move all testcases
to positive logic adding an empty "catch all" else path.
When moving to UEFI and secure-boot it's better to just reboot the system
for Machine Owner Key installation, then powercycling the machine.
This commit will use `reboot now` over `poweroff` after base system installation
and boot into installed image for smoketest handling.
Simply boot a live qemu version from the latest ISO build
(10:18) cpo lnx01:~/vyos-build [current] # sudo make qemu-live
if [ ! -f build/live-image-amd64.hybrid.iso ]; then
echo "Could not find build/live-image-amd64.hybrid.iso"
exit 1
fi
scripts/check-qemu-install --qemu-cmd build/live-image-amd64.hybrid.iso
INFO - Creating Disk image testinstall-20231119-101823-4483.img
SeaBIOS (version 1.16.2-debian-1.16.2-1)
Machine UUID f48b60b2-e6ad-49ef-9d09-4245d0585e52
Booting from DVD/CD...
ISOLINUX 6.04 20200816 ETCD Copyright (C) 1994-2015 H. Peter Anvin et al
