libvirt-executor improvements

A bunch of improvements to the libvirt-executor, with the major one being that the image is now built in the arch-boxes projects (arch-boxes!200 (merged)), instead of on each runner.

Please see the commit messages for more details.

---

Deployed on runner1.archlinux.org and secure-runner1.archlinux.org.

roles/gitlab_runner/files/libvirt-executor-update-base-image

 #!/bin/bash
-set -o nounset -o errexit
+set -o nounset -o errexit -o pipefail
 readonly libvirt_pool="images"
 readonly arch_boxes_signing_key=/usr/local/lib/libvirt-executor/arch-boxes.asc
 readonly arch_boxes_fingerprint=1B9A16984A4E8CB448712D2AE0B78BF4326C6F8F
 
-loopdev=""
-
 cleanup() {
-  set +o errexit
-
-  if mountpoint -q mnt; then
-    umount -R mnt
-  fi
-  if [[ -n ${loopdev} ]]; then
-    losetup -d "${loopdev}"
-  fi
   rm -r "${tmpdir}"
 }
 
@@ -22,44 +12,27 @@ tmpdir="$(mktemp --directory --tmpdir="/var/tmp")"
 trap cleanup EXIT
 
 cd "${tmpdir}"
-curl -sSf --remote-name-all https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-basic.qcow2{,.sig}
-sq cert import "${arch_boxes_signing_key}"
-sq pki link add --all "${arch_boxes_fingerprint}"
-sq verify --signer-cert "${arch_boxes_fingerprint}" --detached Arch-Linux-x86_64-basic.qcow2.sig Arch-Linux-x86_64-basic.qcow2
-
-image=Arch-Linux-x86_64-basic.img
-qemu-img convert -f qcow2 -O raw Arch-Linux-x86_64-basic.qcow2 Arch-Linux-x86_64-basic.img
-
-loopdev="$(losetup --find --partscan --show "${image}")"
-mount --mkdir "${loopdev}p3" mnt
-mount --mkdir --bind -o ro /etc/pacman.d/gnupg mnt/etc/pacman.d/gnupg
 
-arch-chroot mnt systemctl disable systemd-time-wait-sync
-arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
-arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
-sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
-arch-chroot mnt userdel -r arch
-sed 's/^\(GRUB_CMDLINE_LINUX=".*\)"$/\1 lockdown=confidentiality"/' -i mnt/etc/default/grub
-arch-chroot mnt /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg
-# We want to use the transient hostname
-# https://github.com/systemd/systemd/pull/30814
-rm -f mnt/etc/machine-id mnt/etc/hostname
+# FIXME: libvirt-executor-image -> master and build -> build:secure
+version="$(curl -sSfL 'https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/libvirt-executor-image/raw/build.env?job=build' | awk -F= '$1=="BUILD_VERSION" {print $2}')"
+image_name="Arch-Linux-x86_64-libvirt-executor-${version}.qcow2"
 
-cp -a mnt/boot/{initramfs-linux-fallback.img,initramfs-linux.img}
+if cmp --quiet <(echo "${image_name}") /usr/local/lib/libvirt-executor/backing-vol-name; then
+  echo "Nothing to do"
+  exit
+fi
 
-umount mnt/etc/pacman.d/gnupg
-rmdir mnt/etc/pacman.d/gnupg
-umount mnt
-losetup -d "${loopdev}"
-loopdev=""
+curl -sSfL --remote-name-all https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/libvirt-executor-image/raw/output/${image_name}?job=build
+#curl -sSfL --remote-name-all https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/raw/output/Arch-Linux-x86_64-libvirt-executor-20241027.274098.qcow2{,.sig}?job=build:secure
+#sq cert import "${arch_boxes_signing_key}"
+#sq pki link add --all "${arch_boxes_fingerprint}"
+#sq verify --signer-cert "${arch_boxes_fingerprint}" --detached "${image_name}.sig" "${image_name}"
 
-qemu-img convert -f raw -O qcow2 Arch-Linux-x86_64-basic.img Arch-Linux-x86_64-basic.qcow2
-printf -v vol_name 'runner-base-%(%s)T.qcow2'
-virsh vol-create-as "${libvirt_pool}" "${vol_name}" 0 --format qcow2
-virsh vol-upload "${vol_name}" Arch-Linux-x86_64-basic.qcow2 "${libvirt_pool}"
+virsh vol-create-as "${libvirt_pool}" "${image_name}" 0 --format qcow2
+virsh vol-upload "${image_name}" "${image_name}" "${libvirt_pool}"
 
-echo "${vol_name}" > /usr/local/lib/libvirt-executor/backing-vol-name.tmp
+echo "${image_name}" > /usr/local/lib/libvirt-executor/backing-vol-name.tmp
 mv /usr/local/lib/libvirt-executor/backing-vol-name{.tmp,}
 
 # Keep one week of base images
-virsh vol-list "${libvirt_pool}" | awk '$1~"runner-base-[0-9]*\\.qcow2" {print $1}' | sort -n -t - -k3,3 | head -n -7 | xargs -I{} --no-run-if-empty virsh vol-delete {} "${libvirt_pool}"
+virsh vol-list "${libvirt_pool}" | awk '$1~"Arch-Linux-x86_64-libvirt-executor-[0-9]*\\.[0-9]*\\.qcow2" {print $1}' | sort -n -t - -k6,6 | head -n -7 | xargs -I{} --no-run-if-empty virsh vol-delete {} "${libvirt_pool}"