🐧 Enable boot assesment for UKI

This adds the missing package on ubuntu and enables boot assesment services for UKI Signed-off-by: Itxaka <itxaka@kairos.io>
kairos-io · Nov 22, 2024 · b1e25dc · b1e25dc
1 parent ab7b23f
commit b1e25dc
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 11 deletions.
diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel
@@ -79,6 +79,7 @@ RUN dnf install -y \
     && dnf clean all
 
 FROM common AS systemd-boot
+RUN systemctl enable systemd-bless-boot
 
 FROM ${BOOTLOADER} AS all
 RUN dnf install -y \

diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu
@@ -105,21 +105,26 @@ RUN rm -rf /tmp/nohang.deb
 
 # This target is aimed at UKI images and avoids to install GRUB and any other unnecesary packages
 # to the image because there are limitations on the total size
+# systemd-boot is neccesary as it brings the /usr/lib/systemd/systemd-bless-boot for boot assesment
 FROM common AS systemd-boot
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update && apt-get install -y --no-install-recommends \
   iucode-tool \
   kmod \
   linux-base \
+  systemd-boot \
   && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
 # for UKI, install the linux-modules pkg if no modules are found
 RUN [ -z "$(ls -A /lib/modules/)" ] && apt-get update && apt-get install -y --no-install-recommends \
   "$(apt-cache search linux-modules | grep -oP 'linux-modules-\d+.\d+.\d+-\d+-generic' | sort -V | tail -1)" \
-  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
+  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* || true
 # for UKI, install the linux-image pkg if no kernel is found
 RUN [ -z "$(ls -A /boot/vmlinuz*)" ] && apt-get update && apt-get install -y --no-install-recommends \
   "$(apt-cache search linux-image | grep -oP 'linux-image-\d+.\d+.\d+-\d+-generic' | sort -V | tail -1)" \
-  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
+  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* || true
+# Enable systemd-bless-boot for boot assesment
+RUN systemctl enable systemd-bless-boot
+
 
 # This target is aimed at non-UKI images where size is not a concern
 FROM common AS grub
@@ -141,17 +146,14 @@ RUN apt-get update \
 
 FROM systemd-boot AS systemd-boot-amd64
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-    shared-mime-info \
-    && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y --no-install-recommends shared-mime-info \
+  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
 RUN [ -z "$(ls -A /lib/firmware/amd/)" ] && apt-get update && apt-get install -y --no-install-recommends \
-  && apt-get install -y --no-install-recommends \
-    amd64-microcode \
-    && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y --no-install-recommends amd64-microcode \
+  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* || true
 RUN [ -z "$(ls -A /lib/firmware/intel-ucode/)" ] && apt-get update && apt-get install -y --no-install-recommends \
-  && apt-get install -y --no-install-recommends \
-    intel-microcode \
-    && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y --no-install-recommends intel-microcode \
+  && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* || true
 
 FROM systemd-boot AS systemd-boot-arm64
 

diff --git a/images/Dockerfile.rhel b/images/Dockerfile.rhel
@@ -80,6 +80,7 @@ RUN dnf install -y \
     && dnf clean all
 
 FROM common AS systemd-boot
+RUN systemctl enable systemd-bless-boot
 
 FROM ${BOOTLOADER} AS all
 RUN dnf install -y \

diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu
@@ -106,12 +106,14 @@ RUN rm -rf /tmp/nohang.deb
 
 # This target is aimed at UKI images and avoids to install GRUB and any other unnecesary packages
 # to the image because there are limitations on the total size
+# systemd-boot is neccesary as it brings the /usr/lib/systemd/systemd-bless-boot for boot assesment
 FROM common AS systemd-boot
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update && apt-get install -y --no-install-recommends \
   iucode-tool \
   kmod \
   linux-base \
+  systemd-boot \
   && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
 # for UKI, install the linux-modules pkg if no modules are found
 RUN [ -z "$(ls -A /lib/modules/)" ] && apt-get update && apt-get install -y --no-install-recommends \
@@ -121,6 +123,9 @@ RUN [ -z "$(ls -A /lib/modules/)" ] && apt-get update && apt-get install -y --no
 RUN [ -z "$(ls -A /boot/vmlinuz*)" ] && apt-get update && apt-get install -y --no-install-recommends \
   "$(apt-cache search linux-image | grep -oP 'linux-image-\d+.\d+.\d+-\d+-generic' | sort -V | tail -1)" \
   && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/* || true
+# Enable systemd-bless-boot for boot assesment
+RUN systemctl enable systemd-bless-boot
+
 
 # This target is aimed at non-UKI images where size is not a concern
 FROM common AS grub