metal-stack · majst01 · Mar 3, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
@@ -1,28 +1,31 @@
 package cmd
 
 import (
+	"context"
 	"encoding/base64"
 	"fmt"
 	"os"
-	"os/exec"
 	"path"
 	"path/filepath"
-	"strings"
-	"syscall"
 	"time"
 
+	apiv2 "github.com/metal-stack/api/go/metalstack/api/v2"
 	"github.com/metal-stack/metal-hammer/cmd/utils"
-	"github.com/metal-stack/metal-hammer/pkg/api"
+	"github.com/metal-stack/metal-lib/pkg/pointer"
+
+	installerv1 "github.com/metal-stack/os-installer/api/v1"
+	"github.com/metal-stack/os-installer/pkg/installer"
 
 	"github.com/metal-stack/metal-go/api/models"
 	img "github.com/metal-stack/metal-hammer/cmd/image"
 	"github.com/metal-stack/metal-hammer/cmd/storage"
+	"github.com/metal-stack/metal-hammer/pkg/chroot"
 	"github.com/metal-stack/metal-hammer/pkg/kernel"
 	"gopkg.in/yaml.v3"
 )
 
 // Install a given image to the disk by using genuinetools/img
-func (h *hammer) Install(machine *models.V1MachineResponse) (*api.Bootinfo, error) {
+func (h *hammer) Install(machine *models.V1MachineResponse) (*installerv1.Bootinfo, error) {
 	s := storage.New(h.log, h.chrootPrefix, *h.filesystemLayout)
 	err := s.Run()
 	if err != nil {
@@ -58,14 +61,14 @@ func (h *hammer) Install(machine *models.V1MachineResponse) (*api.Bootinfo, erro
 	return info, nil
 }
 
-// install will execute /install.sh in the pulled docker image which was extracted onto disk
+// install will execute Install from os-installer in the chroot where the os-image was extracted
 // to finish installation e.g. install mbr, grub, write network and filesystem config
-func (h *hammer) install(prefix string, machine *models.V1MachineResponse, rootUUID string) (*api.Bootinfo, error) {
+func (h *hammer) install(prefix string, machine *models.V1MachineResponse, rootUUID string) (*installerv1.Bootinfo, error) {
 	h.log.Info("install", "image", machine.Allocation.Image.URL)
 
-	err := h.writeInstallerConfig(machine, rootUUID)
+	lldpdConfig, machineDetails, machineAllocation, err := h.convertConfigs(machine, rootUUID)
 	if err != nil {
-		return nil, fmt.Errorf("writing configuration install.yaml failed %w", err)
+		return nil, fmt.Errorf("error converting configuration: %w", err)
 	}
 
 	err = h.writeUserData(machine)
@@ -78,47 +81,35 @@ func (h *hammer) install(prefix string, machine *models.V1MachineResponse, rootU
 		return nil, err
 	}
 
-	installBinary := "/install.sh"
-	if fileExists(path.Join(prefix, "install-go")) {
-		installBinary = "/install-go"
-	}
-
-	h.log.Info("running install", "binary", installBinary, "prefix", prefix)
-	err = os.Chdir(prefix)
-	if err != nil {
-		return nil, fmt.Errorf("unable to chdir to: %s error %w", prefix, err)
-	}
-	cmd := exec.Command(installBinary)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	// these syscalls are required to execute the command in a chroot env.
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Credential: &syscall.Credential{
-			Uid:    uint32(0),
-			Gid:    uint32(0),
-			Groups: []uint32{0},
-		},
-		Chroot: prefix,
-	}
-	if err := cmd.Run(); err != nil {
-		return nil, fmt.Errorf("running %q in chroot failed %w", installBinary, err)
-	}
+	// Write configuration to /etc/metal and execute the installer in chroot
+	if err := chroot.RunInChroot(h.log, prefix, func() error {
+		h.log.Debug("write configs in chroot")
+		err = h.writeConfigs(lldpdConfig, machineDetails, machineAllocation)
+		if err != nil {
+			return fmt.Errorf("error writing configuration: %w", err)
+		}
 
-	err = os.Chdir("/")
-	if err != nil {
-		return nil, fmt.Errorf("unable to chdir to: / error %w", err)
+		h.log.Debug("start install in chroot", "details", machineDetails, "allocation", machineAllocation)
+		i := installer.New(h.log, machineDetails, machineAllocation)
+		err = i.Install(context.TODO())
+		if err != nil {
+			h.log.Error("error during install", "error", err)
+			return fmt.Errorf("error during install: %w", err)
+		}
+		return nil
+	}); err != nil {
+		return nil, fmt.Errorf("unable to run the installer %w", err)
 	}
-	h.log.Info("finish running", "binary", installBinary)
 
-	err = os.Remove(path.Join(prefix, installBinary))
-	if err != nil {
-		h.log.Warn("unable to remove, ignoring", "binary", installBinary, "error", err)
-	}
+	h.log.Info("finish running the installer")
 
 	info, err := kernel.ReadBootinfo(path.Join(prefix, "etc", "metal", "boot-info.yaml"))
 	if err != nil {
 		return info, fmt.Errorf("unable to read boot-info.yaml %w", err)
 	}
 
+	h.log.Info("bootinfo", "info", info)
+
 	err = h.EnsureBootOrder(info.BootloaderID)
 	if err != nil {
 		return info, fmt.Errorf("unable to ensure boot order %w", err)
@@ -192,21 +183,40 @@ func (h *hammer) writeUserData(machine *models.V1MachineResponse) error {
 	return nil
 }
 
-func (h *hammer) writeInstallerConfig(machine *models.V1MachineResponse, rootUUiD string) error {
+func (h *hammer) writeConfigs(lldpconfig *installerv1.LLDPDConfig, details *installerv1.MachineDetails, allocation *apiv2.MachineAllocation) error {
 	h.log.Info("write installation configuration")
-	configdir := path.Join(h.chrootPrefix, "etc", "metal")
+	configdir := path.Join("etc", "metal")
 	err := os.MkdirAll(configdir, 0755)
 	if err != nil {
 		return fmt.Errorf("mkdir of %s target os failed %w", configdir, err)
 	}
-	destination := path.Join(configdir, "install.yaml")
 
+	i := installer.New(h.log, details, allocation)
+
+	err = i.PersistConfigurations()
+	if err != nil {
+		return fmt.Errorf("unable to persist configuration: %w", err)
+	}
+
+	yamlContent, err := yaml.Marshal(lldpconfig)
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(installerv1.LLDPDConfigPath, yamlContent, os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("unable to write lldpd config %w", err)
+	}
+
+	return nil
+}
+
+func (h *hammer) convertConfigs(machine *models.V1MachineResponse, rootUUiD string) (*installerv1.LLDPDConfig, *installerv1.MachineDetails, *apiv2.MachineAllocation, error) {
 	alloc := machine.Allocation
 
-	sshPubkeys := strings.Join(alloc.SSHPubKeys, "\n")
 	cmdline, err := kernel.ParseCmdline()
 	if err != nil {
-		return fmt.Errorf("unable to get kernel cmdline map %w", err)
+		return nil, nil, nil, fmt.Errorf("unable to get kernel cmdline map %w", err)
 	}
 
 	console, ok := cmdline["console"]
@@ -219,32 +229,167 @@ func (h *hammer) writeInstallerConfig(machine *models.V1MachineResponse, rootUUi
 		raidEnabled = true
 	}
 
-	y := &api.InstallerConfig{
-		Hostname:      *alloc.Hostname,
-		SSHPublicKey:  sshPubkeys,
-		Networks:      alloc.Networks,
-		MachineUUID:   h.spec.MachineUUID,
-		Password:      h.spec.ConsolePassword,
-		Console:       console,
-		Timestamp:     time.Now().Format(time.RFC3339),
-		Nics:          h.onlyNicsWithNeighbors(machine.Hardware.Nics),
-		VPN:           alloc.Vpn,
-		Role:          *alloc.Role,
-		RaidEnabled:   raidEnabled,
-		RootUUID:      rootUUiD,
-		FirewallRules: alloc.FirewallRules,
-		DNSServers:    alloc.DNSServers,
-		NTPServers:    alloc.NtpServers,
-	}
-
-	yamlContent, err := yaml.Marshal(y)
-	if err != nil {
-		return err
+	lldpdConfig := &installerv1.LLDPDConfig{
+		MachineUUID: h.spec.MachineUUID,
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	machineDetails := &installerv1.MachineDetails{
+		ID:          h.spec.MachineUUID,
+		Password:    h.spec.ConsolePassword,
+		Console:     console,
+		RaidEnabled: raidEnabled,
+		RootUUID:    rootUUiD,
+		Nics:        h.onlyNicsWithNeighbors(machine.Hardware.Nics),
+	}
+
+	h.log.Info("generated apiv2 machinedetails", "details", machineDetails)
+
+	var vpn *apiv2.MachineVPN
+	if alloc.Vpn != nil {
+		vpn = &apiv2.MachineVPN{
+			ControlPlaneAddress: pointer.SafeDeref(alloc.Vpn.Address),
+			AuthKey:             pointer.SafeDeref(alloc.Vpn.AuthKey),
+			Connected:           pointer.SafeDeref(alloc.Vpn.Connected),
+		}
+	}
+
+	allocationType := apiv2.MachineAllocationType_MACHINE_ALLOCATION_TYPE_MACHINE
+	if alloc.Role != nil && *alloc.Role == "firewall" {
+		allocationType = apiv2.MachineAllocationType_MACHINE_ALLOCATION_TYPE_FIREWALL
+	}
+
+	var dnsservers []*apiv2.DNSServer
+	for _, dns := range alloc.DNSServers {
+		dnsservers = append(dnsservers, &apiv2.DNSServer{
+			Ip: pointer.SafeDeref(dns.IP),
+		})
+	}
+	var ntpservers []*apiv2.NTPServer
+	for _, ntp := range alloc.NtpServers {
+		ntpservers = append(ntpservers, &apiv2.NTPServer{
+			Address: pointer.SafeDeref(ntp.Address),
+		})
+	}
+
+	var firewallRules *apiv2.FirewallRules
+	if alloc.FirewallRules != nil {
+		var egressrules []*apiv2.FirewallEgressRule
+
+		for _, egress := range alloc.FirewallRules.Egress {
+			var proto apiv2.IPProtocol
+			if egress.Protocol == "tcp" {
+				proto = apiv2.IPProtocol_IP_PROTOCOL_TCP
+			}
+			if egress.Protocol == "udp" {
+				proto = apiv2.IPProtocol_IP_PROTOCOL_UDP
+			}
+			var ports []uint32
+			for _, port := range egress.Ports {
+				ports = append(ports, uint32(port))
+			}
+
+			egressrules = append(egressrules, &apiv2.FirewallEgressRule{
+				Comment:  egress.Comment,
+				Protocol: proto,
+				Ports:    ports,
+				To:       egress.To,
+			})
+		}
+
+		var ingressrules []*apiv2.FirewallIngressRule
+		for _, ingress := range alloc.FirewallRules.Ingress {
+			var proto apiv2.IPProtocol
+			if ingress.Protocol == "tcp" {
+				proto = apiv2.IPProtocol_IP_PROTOCOL_TCP
+			}
+			if ingress.Protocol == "udp" {
+				proto = apiv2.IPProtocol_IP_PROTOCOL_UDP
+			}
+			var ports []uint32
+			for _, port := range ingress.Ports {
+				ports = append(ports, uint32(port))
+			}
+
+			ingressrules = append(ingressrules, &apiv2.FirewallIngressRule{
+				Comment:  ingress.Comment,
+				Protocol: proto,
+				Ports:    ports,
+				To:       ingress.To,
+				From:     ingress.From,
+			})
+		}
+
+		firewallRules = &apiv2.FirewallRules{
+			Egress:  egressrules,
+			Ingress: ingressrules,
+		}
 	}
 
-	return os.WriteFile(destination, yamlContent, 0600)
+	var networks []*apiv2.MachineNetwork
+	for _, nw := range alloc.Networks {
+
+		natType := apiv2.NATType_NAT_TYPE_NONE
+		if nw.Nat != nil && *nw.Nat {
+			natType = apiv2.NATType_NAT_TYPE_IPV4_MASQUERADE
+		}
+
+		var networkType apiv2.NetworkType
+		switch pointer.SafeDeref(nw.Networktypev2) {
+		case "external":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_EXTERNAL
+		case "underlay":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_UNDERLAY
+		case "super":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_SUPER
+		case "super-namespaced":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_SUPER_NAMESPACED
+		case "child":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_CHILD
+		case "child-shared":
+			networkType = apiv2.NetworkType_NETWORK_TYPE_CHILD_SHARED
+		}
+
+		networks = append(networks, &apiv2.MachineNetwork{
+			Network:             pointer.SafeDeref(nw.Networkid),
+			Prefixes:            nw.Prefixes,
+			DestinationPrefixes: nw.Destinationprefixes,
+			Ips:                 nw.Ips,
+			Vrf:                 uint64(pointer.SafeDeref(nw.Vrf)),
+			Asn:                 uint32(pointer.SafeDeref(nw.Asn)),
+			Project:             nw.Projectid,
+			NatType:             natType,
+			NetworkType:         networkType,
+		})
+	}
+
+	machineAllocation := &apiv2.MachineAllocation{
+		Uuid:        pointer.SafeDeref(alloc.Allocationuuid),
+		Name:        pointer.SafeDeref(alloc.Name),
+		Description: alloc.Description,
+		CreatedBy:   pointer.SafeDeref(alloc.Creator),
+		Project:     pointer.SafeDeref(alloc.Project),
+		Image: &apiv2.Image{
+			Id:  pointer.SafeDeref(alloc.Image.ID),
+			Url: alloc.Image.URL,
+		},
+		Hostname:       pointer.SafeDeref(alloc.Hostname),
+		SshPublicKeys:  alloc.SSHPubKeys,
+		Userdata:       alloc.UserData,
+		AllocationType: allocationType,
+		FirewallRules:  firewallRules,
+		Networks:       networks,
+		DnsServers:     dnsservers,
+		NtpServers:     ntpservers,
+		Vpn:            vpn,
+	}
+
+	h.log.Info("generated apiv2 allocation", "allocation", machineAllocation)
+
+	return lldpdConfig, machineDetails, machineAllocation, nil
 }
-func (h *hammer) onlyNicsWithNeighbors(nics []*models.V1MachineNic) []*models.V1MachineNic {
+
+func (h *hammer) onlyNicsWithNeighbors(nics []*models.V1MachineNic) []*apiv2.MachineNic {
 	noNeighbors := func(neighbors []*models.V1MachineNic) bool {
 		if len(neighbors) == 0 {
 			return true
@@ -257,22 +402,22 @@ func (h *hammer) onlyNicsWithNeighbors(nics []*models.V1MachineNic) []*models.V1
 		return false
 	}
 
-	result := []*models.V1MachineNic{}
+	result := []*apiv2.MachineNic{}
 	for i := range nics {
 		nic := nics[i]
 		if noNeighbors(nic.Neighbors) {
 			continue
 		}
-		result = append(result, nic)
+		n := &apiv2.MachineNic{
+			Mac:        pointer.SafeDeref(nic.Mac),
+			Name:       pointer.SafeDeref(nic.Name),
+			Identifier: pointer.SafeDeref(nic.Identifier),
+			Neighbors: []*apiv2.MachineNic{
+				{Mac: pointer.SafeDeref(nic.Neighbors[0].Mac), Name: pointer.SafeDeref(nic.Neighbors[0].Name)},
+			},
+		}
+		result = append(result, n)
 	}
 	h.log.Info("onlyNicWithNeighbors add", "result", result)
 	return result
 }
-
-func fileExists(filename string) bool {
-	info, err := os.Stat(filename)
-	if os.IsNotExist(err) {
-		return false
-	}
-	return !info.IsDir()
-}