Skip to content

Add PAYG early boot support #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Oct 15, 2025
Merged

Add PAYG early boot support #160

merged 11 commits into from
Oct 15, 2025

Conversation

ssssam
Copy link
Contributor

@ssssam ssssam commented Oct 10, 2025
edited
Loading

This depends on and includes #159.

In this PR:

  • Add -o payg project option, to disable PAYG elements by default
  • Add elements to build PAYG components (including private ones)
  • Add signing/payg/signed-uki-snakeoil.bst (this probably isn't very useful)
  • Mention PAYG images in the documentation.
  • Modify eos_sb_signer element plugin to allow selecting the cert to sign with
  • Figure out how to deal with the PAYG UKI install path depending on kernel version. (Probably we just move it into place later).
  • Add signing/payg/signed-uki-endless.bst element
  • Merge https://github.com/endlessm/eos-payg-nonfree/pull/131 and update its element
  • Push systemd rebase to official repo and update the its element
  • Update CI to enable -o payg true setting

Still to do:

@ssssam ssssam mentioned this pull request Oct 13, 2025
Open
@ssssam ssssam mentioned this pull request Oct 13, 2025
Closed
@ssssam ssssam force-pushed the sam/payg-uki branch 5 times, most recently from a6a3f2c to 134f959 Compare October 14, 2025 16:12
starnight and others added 4 commits October 14, 2025 18:11
@starnight @ssssam
Introduce black.bst
192d1bf 
eos-payg-nonfree's build depends on python module black.
@ssssam
project: Add payg option
c1cc543 
The PAYG components include private code so we need to gate this behind
a flag.
@ssssam
payg: Add elements for PAYG system components
29b4bf7 
Some of the Endless PAYG support is private, so this is gated
behind a project option that is off by default (`-o payg`) to
ensure eos-build-meta is still buildable by contributors outside of
Endless.

Changes based on:
<https://github.com/endlessm/eos-ostree-builder/blob/master/hooks/os/85-dracut-payg-image.chroot>

Part of #11
@ssssam
plugins/eos_sb_signer: Allow selecting certificate
7bd8c20 
This is needed for PAYG which uses a special cert.
@ssssam ssssam marked this pull request as ready for review October 14, 2025 17:11
@ssssam ssssam changed the title WIP: Add PAYG early boot support Add PAYG early boot support Oct 14, 2025
dsd
dsd approved these changes Oct 15, 2025
View reviewed changes
Copy link
Member

@dsd dsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume the build failure will be checked. Looks good to me from a brief look!

starnight
starnight reviewed Oct 15, 2025
View reviewed changes
elements/eos/deps.bst Outdated
- payg == true:
depends:
(>):
- eos/payg/deps.bst
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 46 has already included eos/payg/deps.bst. Is it duplicated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes! good spot

ssssam added 7 commits October 15, 2025 11:38
@ssssam
payg: Add UKI signing and installing elements
f3df5d2
@ssssam
Add compat symlink for update-ca-certificates program.
e6d2064
@ssssam
doc: Include PAYG variant in docs and testing.
446352b
@ssssam
Use systemd v256 with Endless patches
fedf9ec 
At least one patch to systemd-boot is essential for PAYG
support. (Which enables reading the `loaders/` folder via
a symlink in a text file -- necessary as OSTree requires
some sort of symlink support to deploy the boot config,
even on the ESP which is a FAT filesystem).

See: #161
@ssssam
ci: Build the PAYG components
78cf951 
This involves a new token so the runner can clone private repos.
@ssssam
Enable verbose logging in BuildStream
b7151a4 
So we can see error messages
@ssssam
Use --retry-failed in all builds
29616c6 
This helps if e.g. you suspect there's a build failure due to a
bug in a particular BuildStream plugin, you update requirements.txt
and want to force a rebuild instead of using a cached build.
@ssssam ssssam merged commit 1896c12 into main Oct 15, 2025
1 check passed
@ssssam ssssam deleted the sam/payg-uki branch October 15, 2025 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@starnight starnight starnight left review comments

@dsd dsd dsd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ssssam @dsd @starnight