authorunitexe <unitexe70@gmail.com>2026-02-23 08:25:47 -0600
committerunitexe <unitexe70@gmail.com>2026-03-02 22:51:24 -0600
commit0c027f613039db54bc87fb6de63c0ffe253cabf2 (patch)
treed636b1e73bf82f0f25528c0d1c9887bd31b5506b /meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen
parent69509e438d1417d25d646ff1a3ba88e27e4ed282 (diff)
Introduce meta-unit-virtualization
The primary motivation is removing the observability containers from the BeagleBone Black image because of its RAM limitations. Images can now include the observability containers by adding `observability` to `IMAGE_FEATURES`.
Diffstat (limited to 'meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen')
-rw-r--r--meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service19
-rw-r--r--meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh70
2 files changed, 89 insertions, 0 deletions
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service
new file mode 100644
index 0000000..e5f2cab
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Generate registry TLS keys for device
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.crt
+ConditionPathExists=!/home/svc/.config/containers/distribution/certs/domain.key
+ConditionPathExists=!/usr/local/share/ca-certificates/registry.crt
+ConditionPathExists=!/etc/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.config/containers/certs.d/localhost:5000/ca.crt
+ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal
+After=time-sync.target
+Wants=time-sync.target systemd-time-wait-sync.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/regkeygen.sh
+Environment="TARGET_USR=svc"
+Environment="DISTRIBUTION_REGISTRY_URL=localhost:5000"
+
+[Install]
+WantedBy=multi-user.target
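Review bot: The six negated ConditionPathExists lines are ANDed, so the unit is skipped as soon as any one of those files exists, including a stale domain.key or ca.crt left behind by a run that failed partway; since regkeygen.sh already removes every one of those artifacts before regenerating, gating on the signal file alone, `ConditionPathExists=!/home/svc/.local/share/distribution/certs-ready-signal`, would make recovery after a partial run automatic. The same gating means the certificate, issued with `-days 365` by the script, is never regenerated after it expires unless someone deletes the signal file by hand; a comment on the unit stating that, or a timer that clears the signal before expiry, would help the next maintainer. The hard-coded `/home/svc` in the conditions also duplicates `TARGET_USR=svc` from the Environment line, so a change to one must be mirrored in the other.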
diff --git a/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
new file mode 100644
index 0000000..f1286dd
--- /dev/null
+++ b/meta-unit-virtualization/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+XDG_LOCAL_HOME="/home/$TARGET_USR/.local"
+XDG_CONFIG_HOME="/home/$TARGET_USR/.config"
+
+set -e
+
+echo "Cleaning up any previous artifacts..."
+
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+rm -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+rm -f /usr/local/share/ca-certificates/registry.crt
+rm -f "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+rm -f "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+
+echo "Creating necessary system directories..."
+
+mkdir -p "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/"
+mkdir -p /usr/local/share/ca-certificates
+
+echo "Creating necessary user directories..."
+
+mkdir -p "$XDG_CONFIG_HOME/containers/distribution/certs"
+mkdir -p "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+mkdir -p "$XDG_LOCAL_HOME/share/distribution"
+
+echo "Generating TLS certificate and key for local registry..."
+
+openssl req -x509 -newkey ec \
+ -pkeyopt ec_paramgen_curve:P-256 \
+ -keyout "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key" \
+ -out "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" \
+ -days 365 \
+ -nodes \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=R&D/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
+
+echo "Setting permissions on generated artifacts..."
+
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+chmod 640 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
+
+echo "Adding CA to system trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" /usr/local/share/ca-certificates/registry.crt
+update-ca-certificates
+
+echo "Adding CA to containers trust store..."
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "/etc/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
+echo "Adding CA to user containers trust store..."
+
+chown -R $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d"
+chmod 755 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL"
+
+cp -f "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chown $TARGET_USR:$TARGET_USR "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+chmod 644 "$XDG_CONFIG_HOME/containers/certs.d/$DISTRIBUTION_REGISTRY_URL/ca.crt"
+
+echo "Creating signal file..."
+
+chown -R $TARGET_USR:$TARGET_USR "$XDG_LOCAL_HOME/share/distribution"
+touch "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+chmod 644 "$XDG_LOCAL_HOME/share/distribution/certs-ready-signal"
+
+echo "Registry TLS configuration created and ready for use"
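Review bot: The `cp ... /usr/local/share/ca-certificates/registry.crt` followed by `update-ca-certificates` installs the registry's own self-signed server certificate into the system-wide trust store, while the matching private key is handed to the unprivileged TARGET_USR account by the `chown`/`chmod 640` on domain.key; whoever holds that key can then sign certificates that every TLS client on the host trusts (as far as I recall, OpenSSL 3's `req -x509` adds basicConstraints CA:TRUE by default, so this is likely not hypothetical). The containers-scoped copies under `/etc/containers/certs.d` and the user's `certs.d` already give the registry clients what they need, so consider dropping the system store install or using a separate root-only CA key. The script also has no guard for TARGET_USR or DISTRIBUTION_REGISTRY_URL being unset, in which case the rm/mkdir/chown lines operate on `/home//.config` and `/etc/containers/certs.d//`; add `: "${TARGET_USR:?}"` and `: "${DISTRIBUTION_REGISTRY_URL:?}"` before `set -e`. The key is written by openssl under the default umask and only tightened by the later `chmod 640`, so `umask 077` before the openssl call closes that window; quoting `"$TARGET_USR:$TARGET_USR"` in the chown calls would satisfy shellcheck as well.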