icybear/cloudbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
iceBear67
2026-06-03 16:04:41 +08:00
commit ecc027a685
11 changed files with 1081 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
.gitignore vendored Normal file
View File

@@ -0,0 +1,26 @@
# Build artifacts
*.qcow2
*.raw
*.img
# Extracted kernel / initramfs
*-vmlinuz
*-initramfs
*-boot/
# Downloaded tool
alpine-make-vm-image
# Generated GPG keys (secrets)
overlay/root/gpg-key.asc
overlay/root/gpg-pubkey.asc
# Build marker
.gpg-done
# Editor / OS
.DS_Store
*.swp
*.swo
*~
.reasonix/**

142
Makefile Normal file
View File

@@ -0,0 +1,142 @@
# Alpine VM Image Builder
# ------------------------
# Builds a bootable Alpine Linux disk image for Cloud Hypervisor direct boot.
#
# Usage:
# make build — generate GPG key + build qcow2 image
# make build-raw — build raw image (for Cloud Hypervisor direct boot)
# make extract-kernel — extract kernel + initramfs from image
# make clean — remove build artifacts
#
# Configurable variables (override on command line):
# IMAGE_SIZE Size of the disk image (default: 4G)
# ALPINE_BRANCH Alpine release branch (default: latest-stable)
# KERNEL_FLAVOR Kernel variant (default: virt)
# ALPINE_MIRROR APK mirror (default: http://dl-cdn.alpinelinux.org/alpine)
SHELL := /bin/sh
# --- configurable ----------------------------------------------------
IMAGE_NAME ?= alpine-vm
IMAGE_SIZE ?= 4G
IMAGE_FORMAT ?= qcow2
ALPINE_BRANCH ?= latest-stable
KERNEL_FLAVOR ?= virt
ALPINE_MIRROR ?= http://dl-cdn.alpinelinux.org/alpine
INITFS_FEATURES ?= kms scsi virtio
IMAGE_FILE = $(IMAGE_NAME).$(IMAGE_FORMAT)
SCRIPT_DIR = $(dir $(realpath $(lastword $(MAKEFILE_LIST))))
OVERLAY_DIR = $(SCRIPT_DIR)/overlay
CONFIGURE_SH = $(SCRIPT_DIR)/configure.sh
GEN_GPG_SH = $(SCRIPT_DIR)/gen-gpg-key.sh
# alpine-make-vm-image — download if not found
MAKE_VM_IMAGE = $(SCRIPT_DIR)/alpine-make-vm-image
MAKE_VM_IMAGE_URL = https://raw.githubusercontent.com/alpinelinux/alpine-make-vm-image/v0.13.4/alpine-make-vm-image
# --- helper ----------------------------------------------------------
$(MAKE_VM_IMAGE):
@echo ">>> Downloading alpine-make-vm-image ..."
wget -q -O $@ $(MAKE_VM_IMAGE_URL)
chmod +x $@
# --- GPG key ---------------------------------------------------------
.gpg-done: $(GEN_GPG_SH)
@echo ">>> Generating GPG key ..."
cd $(SCRIPT_DIR) && $(GEN_GPG_SH)
@touch $@
# --- build -----------------------------------------------------------
build: .gpg-done $(MAKE_VM_IMAGE)
@echo ">>> Building $(IMAGE_FILE) ..."
@test -f $(OVERLAY_DIR)/root/gpg-key.asc || { \
echo "ERROR: GPG key not found. Run 'make gpg-key' first." >&2; \
exit 1; \
}
$(MAKE_VM_IMAGE) \
--branch $(ALPINE_BRANCH) \
--image-format $(IMAGE_FORMAT) \
--image-size $(IMAGE_SIZE) \
--kernel-flavor $(KERNEL_FLAVOR) \
--mirror-uri $(ALPINE_MIRROR) \
--initfs-features '$(INITFS_FEATURES)' \
--serial-console \
--fs-skel-dir $(OVERLAY_DIR) \
--fs-skel-chown root:root \
--script-chroot \
--packages "python3 py3-yaml py3-pydantic git curl gnupg docker docker-cli-buildx docker-cli-compose" \
$(IMAGE_FILE) \
$(CONFIGURE_SH)
@echo ">>> Image built: $(IMAGE_FILE)"
@ls -lh $(IMAGE_FILE)
# Raw image (best for Cloud Hypervisor)
build-raw:
$(MAKE) build IMAGE_FORMAT=raw
# Build without GPG key (for testing / CI without GPG)
build-no-gpg: $(MAKE_VM_IMAGE)
@echo ">>> Building $(IMAGE_FILE) without GPG key ..."
$(MAKE_VM_IMAGE) \
--branch $(ALPINE_BRANCH) \
--image-format $(IMAGE_FORMAT) \
--image-size $(IMAGE_SIZE) \
--kernel-flavor $(KERNEL_FLAVOR) \
--mirror-uri $(ALPINE_MIRROR) \
--initfs-features '$(INITFS_FEATURES)' \
--serial-console \
--fs-skel-dir $(OVERLAY_DIR) \
--fs-skel-chown root:root \
--script-chroot \
--packages "python3 py3-yaml py3-pydantic git curl gnupg docker docker-cli-buildx docker-cli-compose" \
$(IMAGE_FILE) \
$(CONFIGURE_SH)
@echo ">>> Image built: $(IMAGE_FILE)"
@ls -lh $(IMAGE_FILE)
# --- kernel extraction -----------------------------------------------
extract-kernel: $(IMAGE_FILE)
@echo ">>> Extracting kernel and initramfs from $(IMAGE_FILE) ..."
@which guestmount >/dev/null 2>&1 || { \
echo "ERROR: guestmount (libguestfs) required. Install: apk add libguestfs" >&2; \
exit 1; \
}
@mkdir -p $(IMAGE_NAME)-boot
guestmount -a $(IMAGE_FILE) -m /dev/sda --ro $(IMAGE_NAME)-boot
cp $(IMAGE_NAME)-boot/boot/vmlinuz-$(KERNEL_FLAVOR) $(IMAGE_NAME)-vmlinuz
cp $(IMAGE_NAME)-boot/boot/initramfs-$(KERNEL_FLAVOR) $(IMAGE_NAME)-initramfs
guestunmount $(IMAGE_NAME)-boot
rmdir $(IMAGE_NAME)-boot
@echo ">>> Kernel : $(IMAGE_NAME)-vmlinuz"
@echo ">>> Initrd : $(IMAGE_NAME)-initramfs"
# --- utilities -------------------------------------------------------
gpg-key: .gpg-done
@echo ">>> GPG key ready"
gpg-fingerprint:
@gpg --batch --fingerprint "builder@localhost" || echo "GPG key not found in host keyring"
# --- cleanup ---------------------------------------------------------
clean:
rm -f $(IMAGE_FILE)
rm -f $(IMAGE_NAME).raw
rm -f $(IMAGE_NAME)-vmlinuz $(IMAGE_NAME)-initramfs
rm -f .gpg-done
rm -f $(MAKE_VM_IMAGE)
rm -rf $(IMAGE_NAME)-boot
@echo ">>> Cleaned (GPG key in overlay/ preserved — use 'make clean-all' to remove)"
clean-all: clean
rm -f $(OVERLAY_DIR)/root/gpg-key.asc
rm -f $(OVERLAY_DIR)/root/gpg-pubkey.asc
@echo ">>> All artifacts cleaned"
.PHONY: build build-raw build-no-gpg extract-kernel gpg-key gpg-fingerprint clean clean-all

749
alpine-make-vm-image Executable file
View File

@@ -0,0 +1,749 @@
#!/bin/sh
# vim: set ts=4 sw=4:
# SPDX-FileCopyrightText: © 2017 Jakub Jirutka <jakub@jirutka.cz>
# SPDX-License-Identifier: MIT
#---help---
# Usage: alpine-make-vm-image [options] [--] <image> [<script> [<script-opts...>]]
#
# This script creates a bootable Alpine Linux disk image for virtual machines.
# If running on Alpine system (detected by file /etc/alpine-release), then it
# also installs needed packages on the host system. On other systems you must
# install them yourself: qemu-img, qemu-nbd, rsync, sfdisk, dosfstools (for UEFI
# mode) and mkfs utility for the chosen ROOTFS. If $APK is not available on the
# host system, then static apk-tools specified by $APK_TOOLS_URI is downloaded
# and used.
#
# Note that in BIOS mode, it does not create any partitions by default (it's
# really not needed), filesystem is created directly on the image. If you must
# use some platform that foolishly requires partitions in images, use
# --partition.
#
# Arguments:
# <image> Path of block device or disk image file to use or create
# if it does not exist.
#
# <script> Path of script to execute after installing base system in
# the mounted image and before umounting it.
#
# <script-opts> Arguments to pass to the script.
#
# Options and Environment Variables:
# -a --arch ARCH Target CPU architecture. If it doesn't match the host's
# architecture, you must register an interpreter (emulator)
# for the target architecture in binfmt, e.g. qemu userspace
# emulator. Options: x86_64, aarch64 (Alpine v3.19+ / edge).
#
# -B --boot-mode BOOT_MODE Either "BIOS" (default on x86/x86_64) or "UEFI" (default
# on others). "BIOS" is supported only on x86/x86_64.
#
# -b --branch ALPINE_BRANCH Alpine branch to install; used only when
# --repositories-file is not specified. Default is
# latest-stable.
#
# -S --fs-skel-dir FS_SKEL_DIR Path of directory which content to recursively copy
# (using rsync) into / in the image.
#
# --fs-skel-chown FS_SKEL_CHOWN Force all files from FS_SKEL_DIR to be owned by the
# specified USER:GROUP.
#
# -P --partition (PARTITION) Create GUID Partition Table (GPT) with a single partition.
# GPT is always created if --boot-mode is UEFI.
#
# -f --image-format IMAGE_FORMAT Format of the disk image (see qemu-img --help). Not
# applicable if the target image is a block device.
#
# -s --image-size IMAGE_SIZE Size of the disk image to create in bytes or with suffix
# (e.g. 1G, 1024M). Default is 2G. Not applicable if the
# target image is a block device.
#
# -i --initfs-features INITFS_FEATURES List of additional mkinitfs features (basically modules)
# to be included in initramfs (see mkinitfs -L). "base" and
# $ROOTFS is always included, don't specify them here.
# Default is "kms scsi virtio".
#
# -k --kernel-flavor KERNEL_FLAVOR The kernel flavour to install; virt (default), lts
# (Alpine >=3.11), or vanilla (Alpine <3.11).
#
# --keys-dir KEYS_DIR Path of directory with Alpine keys to copy into the image.
# Default is /etc/apk/keys if --arch matches the host arch.
# If does not exist, keys for aarch64 and x86_64 embedded in
# this script will be used.
#
# -m --mirror-uri ALPINE_MIRROR URI of the Aports mirror to fetch packages; used only
# when --repositories-file is not specified. Default is
# http://dl-cdn.alpinelinux.org/alpine.
#
# -C --no-cleanup (CLEANUP) Don't umount and disconnect image when done.
#
# -p --packages PACKAGES Additional packages to install into the image.
#
# -r --repositories-file REPOS_FILE Path of the repositories file to copy into the rootfs.
# If not provided, Alpine's main and community repositories
# on --mirror-uri will be used.
#
# --rootfs ROOTFS Filesystem to create on the image. Default is ext4.
#
# -c --script-chroot (SCRIPT_CHROOT) Bind <script>'s directory at /mnt inside image and chroot
# into the image before executing <script>.
#
# -t --serial-console (SERIAL_CONSOLE) Add configuration for a serial console on ttyS0.
#
# -h --help Show this help message and exit.
#
# -V --version Print version and exit.
#
# APK APK command to use. Default is "apk".
#
# APK_OPTS Options to pass into apk on each execution.
# Default is "--no-progress".
#
# APK_TOOLS_URI URL of apk-tools binary to download if $APK is not found
# on the host system. Default is apk.static from
# https://gitlab.alpinelinux.org/alpine/apk-tools/-/packages.
#
# APK_TOOLS_SHA256 SHA-256 checksum of $APK_TOOLS_URI.
#
# Each option can be also provided by environment variable. If both option and
# variable is specified and the option accepts only one argument, then the
# option takes precedence.
#
# https://github.com/alpinelinux/alpine-make-vm-image
#---help---
set -eu
# Some distros (e.g. Arch Linux) does not have /bin or /sbin in PATH.
PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"
readonly PROGNAME='alpine-make-vm-image'
readonly VERSION='0.13.4'
readonly VIRTUAL_PKG=".make-$PROGNAME"
# An opaque string used to detect changes in resolv.conf.
readonly RESOLVCONF_MARK="### created by $PROGNAME ###"
# Alpine APK keys for verification of packages for x86_64 and aarch64.
readonly ALPINE_KEYS='
4a6a0840:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1yHJxQgsHQREclQu4Ohe\nqxTxd1tHcNnvnQTu/UrTky8wWvgXT+jpveroeWWnzmsYlDI93eLI2ORakxb3gA2O\nQ0Ry4ws8vhaxLQGC74uQR5+/yYrLuTKydFzuPaS1dK19qJPXB8GMdmFOijnXX4SA\njixuHLe1WW7kZVtjL7nufvpXkWBGjsfrvskdNA/5MfxAeBbqPgaq0QMEfxMAn6/R\nL5kNepi/Vr4S39Xvf2DzWkTLEK8pcnjNkt9/aafhWqFVW7m3HCAII6h/qlQNQKSo\nGuH34Q8GsFG30izUENV9avY7hSLq7nggsvknlNBZtFUcmGoQrtx3FmyYsIC8/R+B\nywIDAQAB
5261cecb:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlzMkl7b5PBdfMzGdCT0\ncGloRr5xGgVmsdq5EtJvFkFAiN8Ac9MCFy/vAFmS8/7ZaGOXoCDWbYVLTLOO2qtX\nyHRl+7fJVh2N6qrDDFPmdgCi8NaE+3rITWXGrrQ1spJ0B6HIzTDNEjRKnD4xyg4j\ng01FMcJTU6E+V2JBY45CKN9dWr1JDM/nei/Pf0byBJlMp/mSSfjodykmz4Oe13xB\nCa1WTwgFykKYthoLGYrmo+LKIGpMoeEbY1kuUe04UiDe47l6Oggwnl+8XD1MeRWY\nsWgj8sF4dTcSfCMavK4zHRFFQbGp/YFJ/Ww6U9lA3Vq0wyEI6MCMQnoSMFwrbgZw\nwwIDAQAB
6165ee59:MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAutQkua2CAig4VFSJ7v54\nALyu/J1WB3oni7qwCZD3veURw7HxpNAj9hR+S5N/pNeZgubQvJWyaPuQDm7PTs1+\ntFGiYNfAsiibX6Rv0wci3M+z2XEVAeR9Vzg6v4qoofDyoTbovn2LztaNEjTkB+oK\ntlvpNhg1zhou0jDVYFniEXvzjckxswHVb8cT0OMTKHALyLPrPOJzVtM9C1ew2Nnc\n3848xLiApMu3NBk0JqfcS3Bo5Y2b1FRVBvdt+2gFoKZix1MnZdAEZ8xQzL/a0YS5\nHd0wj5+EEKHfOd3A75uPa/WQmA+o0cBFfrzm69QDcSJSwGpzWrD1ScH3AK8nWvoj\nv7e9gukK/9yl1b4fQQ00vttwJPSgm9EnfPHLAtgXkRloI27H6/PuLoNvSAMQwuCD\nhQRlyGLPBETKkHeodfLoULjhDi1K2gKJTMhtbnUcAA7nEphkMhPWkBpgFdrH+5z4\nLxy+3ek0cqcI7K68EtrffU8jtUj9LFTUC8dERaIBs7NgQ/LfDbDfGh9g6qVj1hZl\nk9aaIPTm/xsi8v3u+0qaq7KzIBc9s59JOoA8TlpOaYdVgSQhHHLBaahOuAigH+VI\nisbC9vmqsThF2QdDtQt37keuqoda2E6sL7PUvIyVXDRfwX7uMDjlzTxHTymvq2Ck\nhtBqojBnThmjJQFgZXocHG8CAwEAAQ==
58199dcc:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3v8/ye/V/t5xf4JiXLXa\nhWFRozsnmn3hobON20GdmkrzKzO/eUqPOKTpg2GtvBhK30fu5oY5uN2ORiv2Y2ht\neLiZ9HVz3XP8Fm9frha60B7KNu66FO5P2o3i+E+DWTPqqPcCG6t4Znk2BypILcit\nwiPKTsgbBQR2qo/cO01eLLdt6oOzAaF94NH0656kvRewdo6HG4urbO46tCAizvCR\nCA7KGFMyad8WdKkTjxh8YLDLoOCtoZmXmQAiwfRe9pKXRH/XXGop8SYptLqyVVQ+\ntegOD9wRs2tOlgcLx4F/uMzHN7uoho6okBPiifRX+Pf38Vx+ozXh056tjmdZkCaV\naQIDAQAB
616ae350:MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyduVzi1mWm+lYo2Tqt/0\nXkCIWrDNP1QBMVPrE0/ZlU2bCGSoo2Z9FHQKz/mTyMRlhNqTfhJ5qU3U9XlyGOPJ\npiM+b91g26pnpXJ2Q2kOypSgOMOPA4cQ42PkHBEqhuzssfj9t7x47ppS94bboh46\nxLSDRff/NAbtwTpvhStV3URYkxFG++cKGGa5MPXBrxIp+iZf9GnuxVdST5PGiVGP\nODL/b69sPJQNbJHVquqUTOh5Ry8uuD2WZuXfKf7/C0jC/ie9m2+0CttNu9tMciGM\nEyKG1/Xhk5iIWO43m4SrrT2WkFlcZ1z2JSf9Pjm4C2+HovYpihwwdM/OdP8Xmsnr\nDzVB4YvQiW+IHBjStHVuyiZWc+JsgEPJzisNY0Wyc/kNyNtqVKpX6dRhMLanLmy+\nf53cCSI05KPQAcGj6tdL+D60uKDkt+FsDa0BTAobZ31OsFVid0vCXtsbplNhW1IF\nHwsGXBTVcfXg44RLyL8Lk/2dQxDHNHzAUslJXzPxaHBLmt++2COa2EI1iWlvtznk\nOk9WP8SOAIj+xdqoiHcC4j72BOVVgiITIJNHrbppZCq6qPR+fgXmXa+sDcGh30m6\n9Wpbr28kLMSHiENCWTdsFij+NQTd5S47H7XTROHnalYDuF1RpS+DpQidT5tUimaT\nJZDr++FjKrnnijbyNF8b98UCAwEAAQ==
'
readonly HOST_ARCH="$(uname -m)"
# SHA256 checksum of $APK_TOOLS_URI for each architecture.
case "$HOST_ARCH" in
aarch64) : ${APK_TOOLS_SHA256:="e471d35aa221d031abe9b6288aede12a8e9f1a398954e5a2e1d1bce1727b4ef4"};;
x86_64) : ${APK_TOOLS_SHA256:="34bb1a96f0258982377a289392d4ea9f3f4b767a4bb5806b1b87179b79ad8a1c"};;
esac
: ${APK_TOOLS_URI:="https://gitlab.alpinelinux.org/api/v4/projects/5/packages/generic/v2.14.10/$HOST_ARCH/apk.static"}
: ${APK:="apk"}
: ${APK_OPTS:="--no-progress"}
# For compatibility with systems that does not have "realpath" command.
if ! command -v realpath >/dev/null; then
alias realpath='readlink -f'
fi
die() {
printf '\033[1;31mERROR:\033[0m %s\n' "$@" >&2 # bold red
exit 1
}
einfo() {
printf '\n\033[1;36m> %s\033[0m\n' "$@" >&2 # bold cyan
}
# Prints help and exists with the specified status.
help() {
sed -En '/^#---help---/,/^#---help---/p' "$0" | sed -E 's/^# ?//; 1d;$d;'
exit ${1:-0}
}
# Cleans the host system. This function is executed before exiting the script.
cleanup() {
set +eu
trap '' EXIT HUP INT TERM # unset trap to avoid loop
cd /
if [ -d "$temp_dir" ]; then
rm -Rf "$temp_dir"
fi
if [ "$mount_dir" ]; then
umount_recursively "$mount_dir" \
|| die "Failed to unmount $mount_dir; unmount it and disconnect $disk_dev manually"
rm -Rf "$mount_dir"
fi
if [ "$disk_dev" ] && ! [ -b "$IMAGE_FILE" ]; then
qemu-nbd --disconnect "$disk_dev" \
|| die "Failed to disconnect $disk_dev; disconnect it manually"
fi
if [ "$INSTALL_HOST_PKGS" = yes ]; then
_apk del $VIRTUAL_PKG
fi
}
_apk() {
"$APK" $APK_OPTS "$@"
}
# Attaches the specified image as a NBD block device and prints its path.
attach_image() {
local image="$1"
local format="${2:-}"
local disk_dev
disk_dev=$(get_available_nbd) || {
modprobe nbd max_part=16
sleep 1
disk_dev=$(get_available_nbd)
} || die 'No available nbd device found!'
qemu-nbd --connect="$disk_dev" --cache=writeback \
${format:+--format=$format} "$image" || return 1
sleep 1 # see #45
echo "$disk_dev"
}
# Prints UUID of filesystem on the specified block device.
blk_uuid() {
local dev="$1"
blkid "$dev" | sed -En 's/.*\bUUID="([^"]+)".*/\1/p'
}
# Creates GPT parition table on the device $1 for boot mode $2 (BIOS or UEFI).
create_gpt() {
local dev="$1"
local mode="$2"
case "$mode" in
BIOS) printf '%s\n' \
'label: gpt' \
'name=system,type=L,bootable,attrs=LegacyBIOSBootable' \
| sfdisk "$dev" ;;
UEFI) printf '%s\n' \
'label: gpt' \
'name=efi,type=U,size=128M,bootable' \
'name=system,type=L' \
| sfdisk "$dev" ;;
*) die "Invalid mode: $mode" ;;
esac
}
# Writes Alpine APK keys embedded in this script into directory $1.
dump_alpine_keys() {
local dest_dir="$1"
local content id line
mkdir -p "$dest_dir"
for line in $ALPINE_KEYS; do
id=${line%%:*}
content=${line#*:}
printf -- "-----BEGIN PUBLIC KEY-----\n$content\n-----END PUBLIC KEY-----\n" \
> "$dest_dir/alpine-devel@lists.alpinelinux.org-$id.rsa.pub"
done
}
# Prints path of available nbdX device, or returns 1 if not any.
get_available_nbd() {
local dev; for dev in $(find /dev -maxdepth 2 -name 'nbd[0-9]*'); do
if [ "$(blockdev --getsize64 "$dev")" -eq 0 ]; then
echo "$dev"; return 0
fi
done
return 1
}
# Prints name of the package needed for creating the specified filesystem.
fs_progs_pkg() {
local fs="$1" # filesystem name
case "$fs" in
ext4) echo 'e2fsprogs';;
btrfs) echo 'btrfs-progs';;
xfs) echo 'xfsprogs';;
esac
}
# Tests if the specified command exists on the system.
has_cmd() {
command -v "$1" >/dev/null
}
# Binds the directory $1 at the mountpoint $2 and sets propagation to private.
mount_bind() {
mkdir -p "$2"
mount --bind "$1" "$2"
mount --make-private "$2"
}
# Prepares chroot at the specified path.
prepare_chroot() {
local dest="$1"
mkdir -p "$dest"/proc
mount -t proc none "$dest"/proc
mount_bind /dev "$dest"/dev
mount_bind /sys "$dest"/sys
install -D -m 644 /etc/resolv.conf "$dest"/etc/resolv.conf
echo "$RESOLVCONF_MARK" >> "$dest"/etc/resolv.conf
}
# Adds specified services to the runlevel. Current working directory must be
# root of the image.
rc_add() {
local runlevel="$1"; shift # runlevel name
local services="$*" # names of services
local svc; for svc in $services; do
mkdir -p etc/runlevels/$runlevel
ln -s /etc/init.d/$svc etc/runlevels/$runlevel/$svc
echo " * service $svc added to runlevel $runlevel"
done
}
# Ensures that the specified device node exists.
settle_dev_node() {
local dev="$1"
[ -e "$dev" ] && return 0
sleep 1 # give hotplug handler some time to kick in
[ -e "$dev" ] && return 0
if has_cmd udevadm; then
udevadm settle --exit-if-exists="$dev"
elif has_cmd mdev; then
mdev -s
fi
[ -e "$dev" ] && return 0
return 1
}
# Installs and configures extlinux.
setup_extlinux() {
local mnt="$1" # path of directory where is root device currently mounted
local root_dev="$2" # root device
local modules="$3" # modules which should be loaded before pivot_root
local kernel_flavor="$4" # name of default kernel to boot
local serial_port="$5" # serial port number for serial console
local default_kernel="$kernel_flavor"
local kernel_opts=''
[ -z "$serial_port" ] || kernel_opts="console=$serial_port"
if [ "$kernel_flavor" = 'virt' ]; then
_apk search --root . --exact --quiet linux-lts | grep -q . \
&& default_kernel='lts' \
|| default_kernel='vanilla'
fi
sed -Ei \
-e "s|^[# ]*(root)=.*|\1=$root_dev|" \
-e "s|^[# ]*(default_kernel_opts)=.*|\1=\"$kernel_opts\"|" \
-e "s|^[# ]*(modules)=.*|\1=\"$modules\"|" \
-e "s|^[# ]*(default)=.*|\1=$default_kernel|" \
-e "s|^[# ]*(serial_port)=.*|\1=$serial_port|" \
"$mnt"/etc/update-extlinux.conf
chroot "$mnt" extlinux --install /boot
chroot "$mnt" update-extlinux --warn-only 2>&1 \
| { grep -Fv 'extlinux: cannot open device /dev' ||:; } >&2
}
# Configures mkinitfs.
setup_mkinitfs() {
local mnt="$1" # path of directory where is root device currently mounted
local features="$2" # list of mkinitfs features
features=$(printf '%s\n' $features | sort | uniq | xargs)
sed -Ei "s|^[# ]*(features)=.*|\1=\"$features\"|" \
"$mnt"/etc/mkinitfs/mkinitfs.conf
}
# Unmounts all filesystem under the specified directory tree.
umount_recursively() {
local mount_point="$1"
test -n "$mount_point" || return 1
cat /proc/mounts \
| cut -d ' ' -f 2 \
| grep "^$mount_point" \
| sort -r \
| xargs -r -n 1 umount
}
# Downloads the specified file using wget and checks checksum.
wgets() (
local url="$1"
local sha256="$2"
local dest="${3:-.}"
cd "$dest" \
&& wget -T 10 --no-verbose "$url" \
&& echo "$sha256 ${url##*/}" | sha256sum -c
)
#============================= M a i n ==============================#
opts=$(getopt -n $PROGNAME -o a:b:B:cCf:hi:k:m:p:Pr:s:S:tV \
-l arch:,boot-mode:,branch:,fs-skel-chown:,fs-skel-dir:,image-format:,image-size:,initfs-features:,kernel-flavor:,keys-dir:,mirror-uri:,no-cleanup,packages:,partition,repositories-file:,rootfs:,script-chroot,serial-console,help,version \
-- "$@") || help 1 >&2
eval set -- "$opts"
while [ $# -gt 0 ]; do
n=2
case "$1" in
-a | --arch) ARCH="$2";;
-B | --boot-mode) BOOT_MODE="$2";;
-b | --branch) ALPINE_BRANCH="$2";;
-S | --fs-skel-dir) FS_SKEL_DIR="$(realpath "$2")";;
--fs-skel-chown) FS_SKEL_CHOWN="$2";;
-f | --image-format) IMAGE_FORMAT="$2";;
-s | --image-size) IMAGE_SIZE="$2";;
-i | --initfs-features) INITFS_FEATURES="${INITFS_FEATURES:-} $2";;
-k | --kernel-flavor) KERNEL_FLAVOR="$2";;
--keys-dir) KEYS_DIR="$(realpath "$2")";;
-m | --mirror-uri) ALPINE_MIRROR="$2";;
-C | --no-cleanup) CLEANUP='no'; n=1;;
-p | --packages) PACKAGES="${PACKAGES:-} $2";;
-P | --partition) PARTITION='yes'; n=1;;
-r | --repositories-file) REPOS_FILE="$(realpath "$2")";;
--rootfs) ROOTFS="$2";;
-t | --serial-console) SERIAL_CONSOLE='yes'; n=1;;
-c | --script-chroot) SCRIPT_CHROOT='yes'; n=1;;
-h | --help) help 0;;
-V | --version) echo "$PROGNAME $VERSION"; exit 0;;
--) shift; break;;
esac
shift $n
done
: ${ALPINE_BRANCH:="latest-stable"}
: ${ALPINE_MIRROR:="http://dl-cdn.alpinelinux.org/alpine"}
: ${ARCH:=}
: ${CLEANUP:="yes"}
: ${FS_SKEL_CHOWN:=}
: ${FS_SKEL_DIR:=}
: ${IMAGE_FORMAT:=}
: ${IMAGE_SIZE:="2G"}
# kms includes virtio-gpu drivers used for graphical output. This is needed
# for aarch64 where '-vga std' is not supported, but useful even for x86_64.
: ${INITFS_FEATURES:="kms scsi virtio"}
: ${KERNEL_FLAVOR:="virt"}
: ${PACKAGES:=}
: ${PARTITION:="no"}
: ${REPOS_FILE:=}
: ${ROOTFS:="ext4"}
: ${SCRIPT_CHROOT:="no"}
: ${SERIAL_CONSOLE:="no"}
case "$ALPINE_BRANCH" in
[0-9]*) ALPINE_BRANCH="v$ALPINE_BRANCH";;
esac
if [ -z "$ARCH" ] || [ "$HOST_ARCH" = "$ARCH" ]; then
: ${KEYS_DIR:="/etc/apk/keys"}
else
: ${KEYS_DIR:=}
fi
case "${ARCH:-"$HOST_ARCH"}" in
x86*) : ${BOOT_MODE:="BIOS"};;
*) : ${BOOT_MODE:="UEFI"}
[ "$BOOT_MODE" = 'BIOS' ] && die 'BIOS boot mode is supported only on x86/x86_64';;
esac
case "$BOOT_MODE" in
BIOS | UEFI) ;;
*) die "Invalid boot-mode: $BOOT_MODE";;
esac
if [ -f /etc/alpine-release ]; then
: ${INSTALL_HOST_PKGS:="yes"}
else
: ${INSTALL_HOST_PKGS:="no"}
fi
SERIAL_PORT=
[ "$SERIAL_CONSOLE" = 'no' ] || SERIAL_PORT='ttyS0'
[ $# -ne 0 ] || help 1 >&2
IMAGE_FILE="$1"; shift
SCRIPT=
[ $# -eq 0 ] || { SCRIPT=$(realpath "$1"); shift; }
if [ "$CLEANUP" != 'no' ]; then
trap 'cleanup; exit 0' EXIT
trap 'cleanup; exit 130' HUP INT TERM
fi
#-----------------------------------------------------------------------
if [ "$INSTALL_HOST_PKGS" = yes ]; then
einfo 'Installing needed packages on host system'
# We need load btrfs module to avoid the error message:
# 'failed to open /dev/btrfs-control'
if ! grep -q -w "$ROOTFS" /proc/filesystems; then
modprobe $ROOTFS
fi
[ "$BOOT_MODE" = 'UEFI' ] && vfatpkg='dosfstools' || vfatpkg=
_apk add -t $VIRTUAL_PKG qemu-img $(fs_progs_pkg "$ROOTFS") $vfatpkg rsync sfdisk
fi
#-----------------------------------------------------------------------
temp_dir=''
if ! command -v "$APK" >/dev/null; then
einfo "$APK not found, downloading static apk-tools"
temp_dir="$(mktemp -d /tmp/$PROGNAME.XXXXXX)"
wgets "$APK_TOOLS_URI" "$APK_TOOLS_SHA256" "$temp_dir"
APK="$temp_dir/apk.static"
chmod +x "$APK"
fi
#-----------------------------------------------------------------------
if [ ! -f "$IMAGE_FILE" ] && [ ! -b "$IMAGE_FILE" ]; then
einfo "Creating $IMAGE_FORMAT image of size $IMAGE_SIZE"
qemu-img create ${IMAGE_FORMAT:+-f $IMAGE_FORMAT} "$IMAGE_FILE" "$IMAGE_SIZE"
fi
#-----------------------------------------------------------------------
if [ -b "$IMAGE_FILE" ]; then
echo "Provided target $IMAGE_FILE is a block device" >&2
disk_dev="$IMAGE_FILE"
else
einfo "Attaching image $IMAGE_FILE as a NBD device"
disk_dev=$(attach_image "$IMAGE_FILE" "$IMAGE_FORMAT")
fi
#-----------------------------------------------------------------------
if [ "$PARTITION" = yes ] || [ "$BOOT_MODE" = 'UEFI' ]; then
einfo 'Creating GPT partition table'
create_gpt "$disk_dev" "$BOOT_MODE"
if [ "$BOOT_MODE" = 'BIOS' ]; then
root_dev="${disk_dev}p1"
else
esp_dev="${disk_dev}p1"
root_dev="${disk_dev}p2"
fi
# This is needed when running in a container.
settle_dev_node "$root_dev" || die "system didn't create $root_dev node"
else
root_dev="$disk_dev"
fi
#-----------------------------------------------------------------------
einfo 'Creating filesystem(s)'
if [ "$BOOT_MODE" = 'UEFI' ]; then
mkfs.fat -F32 -n EFI "$esp_dev"
fi
# syslinux 6.0.3 cannot boot from ext4 w/ 64bit feature enabled.
# -E nodiscard / -K - do not attempt to discard blocks at mkfs time (it's
# useless for NBD image and prints confusing error).
[ "$ROOTFS" = ext4 ] && mkfs_args='-O ^64bit -E nodiscard' || mkfs_args='-K'
mkfs.$ROOTFS -L root $mkfs_args "$root_dev"
root_uuid=$(blk_uuid "$root_dev")
mount_dir=$(mktemp -d /tmp/$PROGNAME.XXXXXX)
#-----------------------------------------------------------------------
einfo "Mounting image at $mount_dir"
mount "$root_dev" "$mount_dir"
if [ "$BOOT_MODE" = 'UEFI' ]; then
install -d -m 000 "$mount_dir"/boot
mount -t vfat "$esp_dev" "$mount_dir"/boot
fi
#-----------------------------------------------------------------------
einfo 'Installing base system'
cd "$mount_dir"
mkdir -p etc/apk/keys
if [ "$REPOS_FILE" ]; then
install -m 644 "$REPOS_FILE" etc/apk/repositories
else
cat > etc/apk/repositories <<-EOF
$ALPINE_MIRROR/$ALPINE_BRANCH/main
$ALPINE_MIRROR/$ALPINE_BRANCH/community
EOF
fi
if [ -d "$KEYS_DIR" ]; then
cp "$KEYS_DIR"/* etc/apk/keys/
else
dump_alpine_keys etc/apk/keys/
fi
# Use APK cache if available.
if [ -L /etc/apk/cache ]; then
ln -s "$(realpath /etc/apk/cache)" etc/apk/cache
fi
_apk add --root . ${ARCH:+--arch "$ARCH"} --update-cache --initdb alpine-base
fsprogs_pkgs=
# btrfs doesn't use fsck, so we don't have to install btrfs-progs.
[ "$ROOTFS" != 'btrfs' ] && fsprogs_pkgs="$(fs_progs_pkg "$ROOTFS")"
[ "$BOOT_MODE" = 'UEFI' ] && fsprogs_pkgs="$fsprogs_pkgs dosfstools"
[ "$fsprogs_pkgs" ] && _apk add --root . $fsprogs_pkgs
prepare_chroot .
#-----------------------------------------------------------------------
einfo "Installing kernel linux-$KERNEL_FLAVOR"
if [ "$KERNEL_FLAVOR" = 'virt' ]; then
_apk add --root . linux-$KERNEL_FLAVOR
else
# Avoid installing *all* linux-firmware-* packages (see #21).
_apk add --root . linux-$KERNEL_FLAVOR linux-firmware-none
fi
#-----------------------------------------------------------------------
einfo "Installing and configuring mkinitfs"
_apk add --root . mkinitfs
setup_mkinitfs . "base $ROOTFS $INITFS_FEATURES"
#-----------------------------------------------------------------------
if [ "$BOOT_MODE" = 'BIOS' ]; then
einfo 'Setting up extlinux bootloader'
_apk add --root . --no-scripts syslinux
setup_extlinux . "UUID=$root_uuid" "$ROOTFS" "$KERNEL_FLAVOR" "$SERIAL_PORT"
if [ "$PARTITION" = yes ]; then
dd bs=440 count=1 conv=notrunc if=usr/share/syslinux/gptmbr.bin of="$disk_dev"
sync
fi
fi
#-----------------------------------------------------------------------
einfo 'Configuring system'
cat > etc/fstab <<-EOF
# <fs> <mountpoint> <type> <opts> <dump/pass>
UUID=$root_uuid / $ROOTFS relatime 0 1
EOF
if [ "$BOOT_MODE" = 'UEFI' ]; then
echo "LABEL=EFI /boot vfat\
rw,relatime,fmask=0133,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2" \
>> etc/fstab
# This script is interpreted by UEFI.
# NOTE: When console=$SERIAL_PORT is added here, no messages are printed to
# console on QEMU after switch_root. 'console=tty0' must be explicitly set
# for aarch64 (it's the default on x86_64).
echo "vmlinuz-$KERNEL_FLAVOR" \
"initrd=initramfs-$KERNEL_FLAVOR" \
"root=UUID=$root_uuid" \
"rootfstype=$ROOTFS" \
"modules=$(echo $INITFS_FEATURES | tr ' ' ',')" \
'console=tty0' \
> boot/startup.nsh
fi
# We just prepare this config, but don't start the networking service.
cat > etc/network/interfaces <<-EOF
auto eth0
iface eth0 inet dhcp
post-up /etc/network/if-post-up.d/*
post-down /etc/network/if-post-down.d/*
EOF
mkdir -p etc/network/if-post-up.d
mkdir -p etc/network/if-post-down.d
if [ "$SERIAL_PORT" ]; then
echo "$SERIAL_PORT" >> etc/securetty
sed -Ei "s|^[# ]*($SERIAL_PORT:.*)|\1|" etc/inittab
fi
#-----------------------------------------------------------------------
einfo 'Enabling base system services'
rc_add sysinit devfs dmesg mdev hwdrivers
[ -e etc/init.d/cgroups ] && rc_add sysinit cgroups ||: # since v3.8
rc_add boot modules hwclock swap hostname sysctl bootmisc syslog
# urandom was renamed to seedrng in v3.17
[ -e etc/init.d/seedrng ] && rc_add boot seedrng || rc_add boot urandom
rc_add shutdown killprocs savecache mount-ro
#-----------------------------------------------------------------------
if [ "$PACKAGES" ]; then
einfo 'Installing additional packages'
_apk add --root . $PACKAGES
fi
#-----------------------------------------------------------------------
if [ -L /etc/apk/cache ]; then
rm etc/apk/cache >/dev/null 2>&1
fi
#-----------------------------------------------------------------------
if [ "$FS_SKEL_DIR" ]; then
einfo "Copying content of $FS_SKEL_DIR into image"
[ "$FS_SKEL_CHOWN" ] \
&& rsync_opts="--chown $FS_SKEL_CHOWN" \
|| rsync_opts='--numeric-ids'
rsync --archive --info=NAME2 --whole-file $rsync_opts "$FS_SKEL_DIR"/ . >&2
# rsync may modify perms of the rootfs dir itself, so make sure it's correct.
install -d -m 0755 -o root -g root .
fi
#-----------------------------------------------------------------------
if [ "$SCRIPT" ]; then
script_name="${SCRIPT##*/}"
if [ "$SCRIPT_CHROOT" = 'no' ]; then
einfo "Executing script: $script_name $*"
"$SCRIPT" "$@" || die 'Script failed'
else
einfo "Executing script in chroot: $script_name $*"
mount_bind "${SCRIPT%/*}" mnt/
chroot . /bin/sh -c "cd /mnt && ./$script_name \"\$@\"" -- "$@" \
|| die 'Script failed'
fi
fi
#-----------------------------------------------------------------------
if grep -qw "$RESOLVCONF_MARK" etc/resolv.conf 2>/dev/null; then
cat > etc/resolv.conf <<-EOF
# Default nameservers, replace them with your own.
nameserver 1.1.1.1
nameserver 2606:4700:4700::1111
EOF
fi
rm -Rf var/cache/apk/* ||:
einfo 'Completed'
cd - >/dev/null
ls -lh "$IMAGE_FILE"

69
configure.sh Executable file
View File

@@ -0,0 +1,69 @@
#!/bin/sh
# configure.sh — runs inside chroot after base install and overlay copy.
# Invoked via alpine-make-vm-image --script-chroot.
set -eu
_step_counter=0
step() {
_step_counter=$(( _step_counter + 1 ))
printf '\n\033[1;36m%d) %s\033[0m\n' $_step_counter "$@" >&2
}
uname -a
# -------------------------------------------------------------------
step 'Set timezone to UTC'
setup-timezone -z UTC
# -------------------------------------------------------------------
step 'Set up networking'
# The interfaces file was placed by --fs-skel-dir; link init.d scripts.
ln -sf networking /etc/init.d/net.lo
ln -sf networking /etc/init.d/net.eth0
# -------------------------------------------------------------------
step 'Adjust rc.conf'
sed -Ei \
-e 's/^[# ](rc_depend_strict)=.*/\1=NO/' \
-e 's/^[# ](rc_logger)=.*/\1=YES/' \
-e 's/^[# ](unicode)=.*/\1=YES/' \
/etc/rc.conf
# -------------------------------------------------------------------
step 'Enable base services'
rc-update add net.lo boot
rc-update add net.eth0 default
rc-update add acpid default
# -------------------------------------------------------------------
step 'Enable Docker'
rc-update add docker default
# -------------------------------------------------------------------
step 'Create docker data directory on /data'
mkdir -p /data/docker
# -------------------------------------------------------------------
step 'Import GPG key for root'
GPG_KEY_FILE="/root/gpg-key.asc"
if [ -f "$GPG_KEY_FILE" ]; then
echo "Found GPG key file: $GPG_KEY_FILE"
gpg --batch --import "$GPG_KEY_FILE"
# Mark the imported key as ultimately trusted (non-interactive)
fingerprint=$(gpg --batch --with-colons --fingerprint \
| grep '^fpr:' | head -1 | cut -d: -f10)
if [ -n "$fingerprint" ]; then
echo "$fingerprint:6:" | gpg --batch --import-ownertrust
echo " * GPG key trusted: $fingerprint"
fi
rm -f "$GPG_KEY_FILE"
else
echo "WARNING: GPG key file not found at $GPG_KEY_FILE — skipping import" >&2
fi
# -------------------------------------------------------------------
step 'Clean up APK cache'
rm -rf /var/cache/apk/* || true
echo ''
echo '=== Configure script completed ==='

63
gen-gpg-key.sh Executable file
View File

@@ -0,0 +1,63 @@
#!/bin/sh
# gen-gpg-key.sh — Generate a passwordless GPG key and export to overlay/.
# Run this BEFORE alpine-make-vm-image on the build host.
set -eu
OVERLAY_DIR="$(dirname "$0")/overlay"
KEY_FILE="$OVERLAY_DIR/root/gpg-key.asc"
KEY_NAME="VM Builder"
KEY_EMAIL="builder@localhost"
if ! command -v gpg >/dev/null 2>&1; then
echo "ERROR: gpg (gnupg) is required on the build host" >&2
exit 1
fi
# Ensure the target directory exists
mkdir -p "$(dirname "$KEY_FILE")"
# Only generate if the key file doesn't already exist
if [ -f "$KEY_FILE" ]; then
echo "GPG key already exists: $KEY_FILE"
echo "Remove it first if you want to regenerate."
exit 0
fi
echo "=== Generating passwordless RSA 4096 GPG key ==="
# Create a batch specification for unattended key generation.
# %no-protection means no passphrase.
BATCH_FILE="$(mktemp /tmp/gpg-batch.XXXXXX)"
cat > "$BATCH_FILE" <<'GPGBATCH'
%echo Generating RSA 4096 key...
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: VM Builder
Name-Email: builder@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
GPGBATCH
gpg --batch --yes --pinentry-mode loopback --generate-key "$BATCH_FILE"
rm -f "$BATCH_FILE"
echo ""
echo "=== Exporting secret key to $KEY_FILE ==="
gpg --batch --yes --pinentry-mode loopback --export-secret-keys --armor "$KEY_EMAIL" > "$KEY_FILE"
# Also export just the public key for reference
gpg --batch --yes --pinentry-mode loopback --export --armor "$KEY_EMAIL" > "$OVERLAY_DIR/root/gpg-pubkey.asc"
echo ""
echo "=== GPG key generated ==="
echo "Public key : $OVERLAY_DIR/root/gpg-pubkey.asc"
echo "Secret key : $KEY_FILE"
echo ""
# Print fingerprint
gpg --batch --fingerprint "$KEY_EMAIL" || true

2
overlay/data/PLACEHOLDER Normal file
View File

@@ -0,0 +1,2 @@
# This directory is the virtiofs mount point for host-shared data.
# Do not store critical data here before the virtiofs share is mounted.

9
overlay/etc/docker/daemon.json Normal file
View File

@@ -0,0 +1,9 @@
{
"data-root": "/data/docker",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"storage-driver": "overlay2"
}

5
overlay/etc/fstab Normal file
View File

@@ -0,0 +1,5 @@
# /etc/fstab: static file system information
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/root / ext4 rw,noatime 0 1
data /data virtiofs rw,noatime,_netdev 0 0

5
overlay/etc/network/interfaces Normal file
View File

@@ -0,0 +1,5 @@
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp

9
packages Normal file
View File

@@ -0,0 +1,9 @@
python3
py3-yaml
py3-pydantic
git
curl
gnupg
docker
docker-cli-buildx
docker-cli-compose

2
repositories Normal file
View File

@@ -0,0 +1,2 @@
https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community