README.md

# Iconograph

Iconograph ("icon") is a system for building and deploying Ubuntu system images.
It allows you to distribute your software intended to run on real hardware or
inside a container as a single unit with its system dependencies, and to roll
forward and backward in a secure, repeatable, staged manner.

Images utilize a tmpfs overlay filesystem, so by default filesystem changes
are discarded on reboot or upgrade.

## Setup

```bash
sudo apt-get install --assume-yes git grub-pc xorriso squashfs-tools openssl python3-openssl debootstrap
git clone https://github.com/robot-tools/iconograph.git
cd iconograph
```

## Image creation

### Overview

Icon creates images by merging the kernel and boot system of a desktop live CD
with a server/custom filesystem. You'll need to download the desktop live CD
ISO for the version that you're building. You can get them [here](http://mirror.pnl.gov/releases/).

### Serving

Images are fetched via HTTP. You should write images to a directory accessible
via HTTP. Install apache2 if need be.

### Simple image build

build_image.py will call debootstrap, which will fetch packages from Ubuntu
servers. You may want to
[set up caching](https://medium.com/where-the-flamingcow-roams/apt-caching-for-debootstrap-bac499deebd5#.dvevbcc9z)
to make this process fast on subsequent runs.

```bash
# Must run as sudo to mount/umount images, tmpfs, and overlayfs
sudo server/build_image.py --image-dir=/output/path --release=trusty --source-iso=path/to/ubuntu-14.04.4-desktop-amd64.iso
```

## Modules

Modules are scripts that run after the chroot has been created. They can install
packages, do configuration, etc. Icon has several stock modules, but you can
also create your own using them as examples. You can pass multiple --module
flags to build_image.py as long as the modules are compatible with each other.

Stock modules:

### iconograph.py

Install icon inside the image. This allows the image to auto-update over HTTP.
Use the build_image.py flag:

```bash
--module="server/modules/iconograph.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem"
```

Optional flags:

`--max-images` sets the number of recent images to keep. Older images are
deleted. Defaults to 5. 0 means unlimited.

### persistent.py

Mount a /persistent partition from a filesystem with LABEL=PERSISTENT. Allows
data to persist across reboots, when it would normally be wiped by tmpfs.
Use the build_image.py flag:

```bash
--module="server/modules/persistent.py"
```

### autoimage.py

Build an image that will partition, mkfs, and install an image from a different
URL onto a target system. Used to create install USB drives, PXE boot, etc.
Use the build_image.py flag:

```bash
--module="server/modules/autoimage.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem --device=/dev/sdx --persistent-percent=50"
```

`--device` specifies the device to partition and install to on the target
system.

`--persistent-percent`, if non-zero, specifies the percent of the target
device to allocate to a LABEL=PERSISTENT filesystem. If the inner image uses
persistent.py, this filesystem will be automatically mounted.

## Module API

Modules are passed the following long-style arguments:

`--chroot-path` specifies the absolute path to the root of the debootstrap
chroot that will become the root filesystem of the inner image.

## Manifests

Clients download a manifest file to determine available images and to verify
authenticity and integrity of the image. You'll need to generate one on the
server after each new image is built.

Manifest files are signed using OpenSSL. You should run your own CA to do this;
do NOT use a public CA cert. You can find instructions for setting up a CA
[here](https://medium.com/where-the-flamingcow-roams/elliptic-curve-certificate-authority-bbdb9c3855f7#.7v40ox70s).

To build a manifest, run:

```bash
server/publish_manifest.py --cert=/path/to/signing/cert.pem --key=/path/to/signing/key.pem --image-dir=/image/path
```

Optional flags:

`--default-rollout` specifies the percentage rollout for new images; it
defaults to zero. The units are
[basis points](https://en.wikipedia.org/wiki/Basis_point); 10000 means 100%.

`--max-images` sets the number of recent images to keep. Older images are
deleted. Defaults to 0, meaning unlimited.

`--other-cert` specifies a chain certificate, such as your intermediate cert.
It may be specified more than once.

To push a rollout to more targets, edit /image/path/manifest.json.unsigned,
and change rollout_\u2031 (u2031 is ‱, the symbol for basis point). Save,
then re-run publish_manifest.py to generate the signed version.

## Imaging

You can write created images to flash drives for installation on other systems,
or manually write them to a drive. To do so:

```bash
# Needs sudo to partition and mkfs devices
sudo imager/image.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem --device=/dev/sdx --persistent-percent=50
```
Start of a doc 2016-04-01 13:48:58 -07:00			`# Iconograph`

Typos 2016-04-01 21:07:23 -07:00			`Iconograph ("icon") is a system for building and deploying Ubuntu system images.`
Start of a doc 2016-04-01 13:48:58 -07:00			`It allows you to distribute your software intended to run on real hardware or`
			`inside a container as a single unit with its system dependencies, and to roll`
More docs 2016-04-01 20:46:20 -07:00			`forward and backward in a secure, repeatable, staged manner.`
Start of a doc 2016-04-01 13:48:58 -07:00
Typos 2016-04-01 21:07:23 -07:00			`Images utilize a tmpfs overlay filesystem, so by default filesystem changes`
			`are discarded on reboot or upgrade.`
Docs 2016-04-01 21:03:57 -07:00
Start of a doc 2016-04-01 13:48:58 -07:00			`## Setup`

			```bash
			`sudo apt-get install --assume-yes git grub-pc xorriso squashfs-tools openssl python3-openssl debootstrap`
			`git clone https://github.com/robot-tools/iconograph.git`
			`cd iconograph`
			```
More docs 2016-04-01 20:46:20 -07:00
			`## Image creation`

			`### Overview`

			`Icon creates images by merging the kernel and boot system of a desktop live CD`
			`with a server/custom filesystem. You'll need to download the desktop live CD`
Docs 2016-04-01 21:03:57 -07:00			`ISO for the version that you're building. You can get them [here](http://mirror.pnl.gov/releases/).`
More docs 2016-04-01 20:46:20 -07:00
			`### Serving`

			`Images are fetched via HTTP. You should write images to a directory accessible`
Docs 2016-04-01 21:03:57 -07:00			`via HTTP. Install apache2 if need be.`
More docs 2016-04-01 20:46:20 -07:00
			`### Simple image build`

Add caching link. 2016-04-02 10:54:46 -07:00			`build_image.py will call debootstrap, which will fetch packages from Ubuntu`
			`servers. You may want to`
			`[set up caching](https://medium.com/where-the-flamingcow-roams/apt-caching-for-debootstrap-bac499deebd5#.dvevbcc9z)`
			`to make this process fast on subsequent runs.`

More docs 2016-04-01 20:46:20 -07:00			```bash
			`# Must run as sudo to mount/umount images, tmpfs, and overlayfs`
			`sudo server/build_image.py --image-dir=/output/path --release=trusty --source-iso=path/to/ubuntu-14.04.4-desktop-amd64.iso`
			```
Docs 2016-04-01 21:03:57 -07:00
Style 2016-04-02 13:32:27 -07:00			`## Modules`
Docs 2016-04-01 21:03:57 -07:00
Typos 2016-04-01 21:07:23 -07:00			`Modules are scripts that run after the chroot has been created. They can install`
			`packages, do configuration, etc. Icon has several stock modules, but you can`
Docs 2016-04-01 21:03:57 -07:00			`also create your own using them as examples. You can pass multiple --module`
			`flags to build_image.py as long as the modules are compatible with each other.`

Typos 2016-04-01 21:07:23 -07:00			`Stock modules:`

Style 2016-04-02 13:32:27 -07:00			`### iconograph.py`
Docs 2016-04-01 21:03:57 -07:00
			`Install icon inside the image. This allows the image to auto-update over HTTP.`
			`Use the build_image.py flag:`

			```bash
			`--module="server/modules/iconograph.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem"`
			```

Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`Optional flags:`

			`--max-images` sets the number of recent images to keep. Older images are
			`deleted. Defaults to 5. 0 means unlimited.`

Style 2016-04-02 13:32:27 -07:00			`### persistent.py`
Docs 2016-04-01 21:03:57 -07:00
			`Mount a /persistent partition from a filesystem with LABEL=PERSISTENT. Allows`
			`data to persist across reboots, when it would normally be wiped by tmpfs.`
			`Use the build_image.py flag:`

			```bash
			`--module="server/modules/persistent.py"`
			```

Style 2016-04-02 13:32:27 -07:00			`### autoimage.py`
Docs 2016-04-01 21:03:57 -07:00
			`Build an image that will partition, mkfs, and install an image from a different`
			`URL onto a target system. Used to create install USB drives, PXE boot, etc.`
			`Use the build_image.py flag:`

			```bash
			`--module="server/modules/autoimage.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem --device=/dev/sdx --persistent-percent=50"`
			```

			`--device` specifies the device to partition and install to on the target
			`system.`

			`--persistent-percent`, if non-zero, specifies the percent of the target
			`device to allocate to a LABEL=PERSISTENT filesystem. If the inner image uses`
			`persistent.py, this filesystem will be automatically mounted.`
More docs 2016-04-01 21:13:50 -07:00
Module API 2016-04-02 13:34:02 -07:00			`## Module API`

			`Modules are passed the following long-style arguments:`

			`--chroot-path` specifies the absolute path to the root of the debootstrap
			`chroot that will become the root filesystem of the inner image.`

Style 2016-04-02 13:31:45 -07:00			`## Manifests`
More docs 2016-04-01 21:13:50 -07:00
			`Clients download a manifest file to determine available images and to verify`
			`authenticity and integrity of the image. You'll need to generate one on the`
			`server after each new image is built.`

			`Manifest files are signed using OpenSSL. You should run your own CA to do this;`
			`do NOT use a public CA cert. You can find instructions for setting up a CA`
			`[here](https://medium.com/where-the-flamingcow-roams/elliptic-curve-certificate-authority-bbdb9c3855f7#.7v40ox70s).`

			`To build a manifest, run:`

			```bash
			`server/publish_manifest.py --cert=/path/to/signing/cert.pem --key=/path/to/signing/key.pem --image-dir=/image/path`
			```

			`Optional flags:`

			`--default-rollout` specifies the percentage rollout for new images; it
			`defaults to zero. The units are`
			`[basis points](https://en.wikipedia.org/wiki/Basis_point); 10000 means 100%.`

Document --max-images server-side 2016-04-02 13:16:06 -07:00			`--max-images` sets the number of recent images to keep. Older images are
Client-side image lifetime management. 2016-04-02 13:22:24 -07:00			`deleted. Defaults to 0, meaning unlimited.`
Document --max-images server-side 2016-04-02 13:16:06 -07:00
			`--other-cert` specifies a chain certificate, such as your intermediate cert.
			`It may be specified more than once.`

Explain rollout procedure 2016-04-01 21:17:25 -07:00			`To push a rollout to more targets, edit /image/path/manifest.json.unsigned,`
			`and change rollout_\u2031 (u2031 is ‱, the symbol for basis point). Save,`
			`then re-run publish_manifest.py to generate the signed version.`

Style 2016-04-02 13:31:45 -07:00			`## Imaging`
More docs 2016-04-01 21:13:50 -07:00
			`You can write created images to flash drives for installation on other systems,`
			`or manually write them to a drive. To do so:`

			```bash
sudo explanation 2016-04-01 21:21:12 -07:00			`# Needs sudo to partition and mkfs devices`
			`sudo imager/image.py --base-url=http://yourhost/ --ca-cert=/path/to/signing/cert.pem --device=/dev/sdx --persistent-percent=50`
More docs 2016-04-01 21:13:50 -07:00			```