docs: Guide to add new mkosi images for new OS support in sev-certify…#235
docs: Guide to add new mkosi images for new OS support in sev-certify…#235LakshmiSaiHarika wants to merge 1 commit intoAMDEPYC:mainfrom
Conversation
… project Signed-off-by: Harika Nittala <lnittala@amd.com>
| ## System Set Up | ||
| Install mkosi-v25.3 on the system to match mkosi version present in sev-certify GH project: | ||
|
|
||
| - **Option 1:** Install mkosi version 25.3 directly on the supported operating systems using package manager |
There was a problem hiding this comment.
What do we do when we move to a new version of mkosi? Will we update the docs or something else?
There was a problem hiding this comment.
Also - add a period (.) after the word "manager".
There was a problem hiding this comment.
What do we do when we move to a new version of mkosi?
As per the current build-and-release.yaml workflow, we are installing the mkosi package in the Ubuntu Plucky version.
As per mkosi packaging status, mkosi version 25.3 is available in ubuntu plucky (Ubuntu 25.10)
Will we update the docs or something else?
Sure, I can update the docs in future if there is any update in mkosi version.
There was a problem hiding this comment.
Would prefer not having to update manually, can we just rely on asking the user to check that link for the latest ubuntu version?
benland72
left a comment
benland72
left a comment
There was a problem hiding this comment.
Overall looks good, but needs a little fine tuning.
| ## System Set Up | ||
| Install mkosi-v25.3 on the system to match mkosi version present in sev-certify GH project: | ||
|
|
||
| - **Option 1:** Install mkosi version 25.3 directly on the supported operating systems using package manager |
There was a problem hiding this comment.
Also - add a period (.) after the word "manager".
| ``` | ||
| Check if mkosi version 25.3 is installed correctly: | ||
| ``` | ||
| mkosi --version |
There was a problem hiding this comment.
You should show what the expected output is from the at command so that users can validate that it matches what they see.
| ``` | ||
| mkosi --version | ||
| ``` | ||
| Ensure QEMU and OVMF guest firmwares are installed to test the launch of built mkosi images on the system. |
There was a problem hiding this comment.
Are there instructions some place for how the user can validate this?
There was a problem hiding this comment.
Sure, I can add additional lines to validate this
| ### Configure and Build new Host Image | ||
| The new host image for the sev-certify can be built using the following steps: | ||
|
|
||
| 1. **Create a mkosi config for the new host image:** New mkosi configuration to make new host image should be created under `sev-certify/images/host-<new-os-name>-<new-os-release>` folder: |
There was a problem hiding this comment.
I'd reword New mkosi configuration to make new host image as The mkosi configuration for creating the new host image....
Is it a configuration file? You don't specify a filename in the example
There was a problem hiding this comment.
Sure, I will update this with the filename.
| ``` | ||
| [Include] | ||
| # Include required modules in the host image | ||
| Include=../../modules/host |
There was a problem hiding this comment.
In the preview all of the configuration details show as underlined. Not sure if that's just a preview issue with the markdown or some other formatting issue?
There was a problem hiding this comment.
https://github.com/LakshmiSaiHarika/snpcert/blob/mkosi-doc-add-new-images/docs/how-to-add-mkosi-images.md
I think it's just a preview issue - you can see the normal version in Harika's branch above
| # Add required host os packages | ||
| Packages= <add-host-os-packages> | ||
| ``` | ||
| 2. **Build new host image using mkosi:** New guest image can be built in the system from sev-certify root directory using mkosi tool as follows: |
There was a problem hiding this comment.
The heading here is to build a new host image, but the sub-heading refers to building a new guest image. Is that on purpose?
There was a problem hiding this comment.
Thank you so much for catching this point, it is a typo here.
Sure, I will update
| Packages= <add-guest-os-packages> | ||
| ``` | ||
|
|
||
| 2. **Build new host image using mkosi:** New guest image can be built from sev-certify root directory in the system using mkosi tool as follows: |
| EOF | ||
| ``` | ||
|
|
||
| Launch the built host/guest image using QEMU on the QEMU enabled KVM hypervisor host: |
| @@ -0,0 +1,128 @@ | |||
| # Create, test and publish new guest/host images | |||
|
|
|||
| Users can create and publish new host or guest images in sev-certify with mkosi tool in the following steps: | |||
There was a problem hiding this comment.
Would it make sense to mention that this is for new OS support, as in the PR title?
| ``` | ||
| 2. **Build new host image using mkosi:** New guest image can be built in the system from sev-certify root directory using mkosi tool as follows: | ||
| ``` | ||
| mkosi --image-id=host-<new-distro>-<new-release> \ |
There was a problem hiding this comment.
not sure if other people have run into this often, but on ubuntu there are permission errors out of the box related to apparmor, documented here: systemd/mkosi#3265. Can run sysctl systemwide or make an exception for mkosi. I believe in the build scripts it uses sudo, so may be worth linking to that issue here briefly.
|
|
||
| guest_image="$1" | ||
|
|
||
| ovmf_path="${2:-/usr/share/edk2/ovmf/OVMF_CODE.fd}" |
There was a problem hiding this comment.
I would mention somewhere the other common ovmf path - /usr/share/ovmf/OVMF.amdsev.fd
There was a problem hiding this comment.
/usr/share/ovmf/OVMF.amdsev.fd OVMF path requires the use of additional QEMU parameters with SEV.
Are we just testing builthost/guest-mkosi-images using simple guest launch?
There was a problem hiding this comment.
ah I see, I didn't realize that was the case, that's probably my other issue. My install didn't come with that version, will try to find it.
There was a problem hiding this comment.
Ok on ubuntu it appears to be at: /usr/share/ovmf/OVMF.fd
| -nographic \ | ||
| -m 2G \ | ||
| -bios "${ovmf_path}" \ | ||
| -kernel "${guest_image}" |
There was a problem hiding this comment.
this qemu command fails to find the image for me on my ubuntu dev server:
BdsDxe: failed to load Boot0001 "Grub Bootloader" from Fv(7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1)/FvFile(B5AE312C-BC8A-43B1-9C62-EBB826DD5D07): Not Found
BdsDxe: No bootable option was found.
If I add all the sev parameters it starts working for guest images for me.
There was a problem hiding this comment.
host images appears to fail with some resources issue - tried giving it 16G memory but still got the same error. Not sure if this is some issue with my configuration or ubuntu.
There was a problem hiding this comment.
as mentioned earlier, this was b/c I was using the sev-enabled firmware. But even with the non-sev firmware, host image is still not booting for me: ../src/boot/linux.c:153@linux_exec: Error starting kernel image: Out of resources - is this testing method only valid for guest images?
There was a problem hiding this comment.
Ok, on my dev box, the host image took a little longer boot time compared to the guest image, but later comes up with a login page.
3 participants
This PR adds documentation on how to create, test and publish new guest/host images to add new OS support in this sev-certify project.