Currently there are 1 major and 2 minor problems that prevent using stages directly in machinectl.

1. https://bugs.gentoo.org/787194
https://github.com/systemd/systemd/issues/16605
since our stages are pixz compressed and it adds an index - it confuses machinectl, because internally it passes --ignore-zeros

it's almost fixed.
https://github.com/dol-sen/pyDeComp/commit/e60dffe2043a1b963e9ba6325e32795d3aa6993c landed and we have it in 3.0-r2

I'm testing on ppc64le right now.

2. machinectl pull-tar expects a *.sha256 file that contains a checksum, that can be used to verify the image.
some code needs to be added to catalyst to create those files.
probably base/genbase.py, it already handles other digests.

doc: https://www.freedesktop.org/software/systemd/man/machinectl.html#pull-tar%20URL%20[NAME]

3. signing above sha256 files. they are expected to be ascii-armoured by infra.
that code is in https://gitweb.gentoo.org/infra/mastermirror-scripts.git/tree/sign-autobuilds.sh
and it already contains logic for inline signing, so should be easy to plug.

4. machinectl also looks for .nspawn file matching image name, this file is optional but can be used to provide some initial configuration, like maybe bind-mounting distfiles from host.
doc: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=7457cd3b1a5f3ed4a566bbf23e36c939af06967c

commit 7457cd3b1a5f3ed4a566bbf23e36c939af06967c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-11-05 02:14:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-11-25 02:43:21 +0000

    catalyst: generate .sha256 file if any digest is enabled

    checksum format is simple one, identical to one sha256sum from coreutils produces, lines starting with # are ignored.

    example:[1]
    # SHA256 HASH
    xxxx.....  stage3-....tar.xz

    systemd upstream calls it suse-style .sha256 files.[0]

    infra already supports inline signing of files.

    Bug: https://bugs.gentoo.org/821568
    [0] https://github.com/systemd/systemd/blob/aedec452b9e5dd197881f2164fb205dfe8bfdcec/src/import/pull-common.c#L236
    [1] https://mirrors.edge.kernel.org/opensuse/distribution/leap/15.0/iso/openSUSE-Leap-15.0-DVD-x86_64.iso.sha256

    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 catalyst/base/genbase.py  | 3 +++
 doc/catalyst-config.5.txt | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
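The sha256sum-style .sha256 sidecar described in the commit message above, as an added example that is not catalyst's or systemd's code: a parser that skips '#' comment lines, accepts text-mode and binary-mode entries, and verifies a constructed stand-in image against the listed digest. The file name and image bytes are constructed for the example.

```python
import hashlib
import hmac
import re

# One entry per line: 64 hex digits, a space, then ' ' (text mode) or '*'
# (binary mode), then the file name, exactly as coreutils sha256sum writes it.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256_file(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; '#' comments and blank lines are ignored."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in entries and entries[name] != digest:
            raise ValueError(f"line {lineno}: conflicting digest for {name!r}")
        entries[name] = digest
    return entries


def verify_image(image: bytes, name: str, sha256_text: str) -> bool:
    """True only if the sidecar lists `name` and its digest matches `image`."""
    expected = parse_sha256_file(sha256_text).get(name)
    if expected is None:
        return False  # an unlisted image is unverified, not trusted
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in for the stage tarball and its sidecar.
IMAGE_NAME = "stage3-example.tar.xz"  # hypothetical file name
IMAGE_BYTES = b"constructed stand-in for a stage3 tarball\n"
SHA256_TEXT = (
    "# SHA256 HASH\n"
    "\n"
    f"{hashlib.sha256(IMAGE_BYTES).hexdigest()}  {IMAGE_NAME}\n"
)

if __name__ == "__main__":
    print("valid image:   ", verify_image(IMAGE_BYTES, IMAGE_NAME, SHA256_TEXT))
    print("tampered image:", verify_image(IMAGE_BYTES + b"x", IMAGE_NAME, SHA256_TEXT))
```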
> Currently there are 1 major and 2 minor problems that prevent using stages
> directly in machinectl.
>
> 1. https://bugs.gentoo.org/787194
> https://github.com/systemd/systemd/issues/16605
> since our stages are pixz compressed and it adds an index - it confuses
> machinectl, because internally it passes --ignore-zeros
>
> it's almost fixed.
> https://github.com/dol-sen/pyDeComp/commit/e60dffe2043a1b963e9ba6325e32795d3aa6993c
> landed and we have it in 3.0-r2
>
> I'm testing on ppc64le right now.

This is stable now, so 1 should be done.

> 2. machinectl pull-tar expects a *.sha256 file that contains a checksum,
> that can be used to verify the image.
> some code needs to be added to catalyst to create those files.
> probably base/genbase.py, it already handles other digests.
>
> doc:
> https://www.freedesktop.org/software/systemd/man/machinectl.html#pull-tar%20URL%20[NAME]

This is done as per comment #1.

> 3. signing above sha256 files. they are expected to be ascii-armoured by
> infra.
> that code is in
> https://gitweb.gentoo.org/infra/mastermirror-scripts.git/tree/sign-autobuilds.sh
> and it already contains logic for inline signing, so should be easy to
> plug.
>
> 4. machinectl also looks for .nspawn file matching image name, this file is
> optional but can be used to provide some initial configuration, like maybe
> bind-mounting distfiles from host.
> doc: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html

Still needs to be done. Should be easy enough though.
All done, at least for the hosts running git-master catalyst. The rest will eventually follow.
I'm going to reopen this as it seems this has not made it into a catalyst release, and thus machinectl cannot be used in this way yet for Gentoo.
(In reply to John Helmert III from comment #4)
> I'm going to reopen this as it seems this has not made it into a catalyst
> release, and thus machinectl cannot be used in this way yet for Gentoo.

In catalyst-3.0.22