[qa][ops] Light-weight guest image for UEFI boot and secure boot
Hi, I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot. I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one. Thank you, Takashi -- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one.
OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ I suspect that these images don't know how to auto configure themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in? In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
Thank you, Takashi
-- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one. OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ I suspect that these images don't know how to auto configure themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in? cirros can be used fo rbasi boot testing but it does not have any tools
On 17/11/2025 18:26, Clark Boylan wrote: pre installed to enable access the uefi nvram or to do attestation ectra. it will just allow basic boot testing. most modern cloud image should work if you need more then that.
In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
Thank you, Takashi
-- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
On 11/18/25 3:33 AM, Sean Mooney wrote:
On 17/11/2025 18:26, Clark Boylan wrote:
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one. OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ I suspect that these images don't know how to auto configure themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in? cirros can be used fo rbasi boot testing but it does not have any tools pre installed to enable access the uefi nvram or to do attestation ectra. it will just allow basic boot testing. most modern cloud image should work if you need more then that.
Specifically talking about UEFI boot/secure boot use case ideally we want some tools like efivar which can be used to read/write EFI variables. But as minimum I think just supporting ssh (using the existing keypair injection mechanism using metadata) would be enough as it allows us to check the presence of EFI partition to confirm that the instance is actually booted by UEFI. I've not examined the path to use a console log but that might be the last option. I was also
In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
Thank you, Takashi
-- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
On 18/11/2025 03:21, Takashi Kajinami wrote:
On 11/18/25 3:33 AM, Sean Mooney wrote:
On 17/11/2025 18:26, Clark Boylan wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one. OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ I suspect that these images don't know how to auto configure
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote: themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in? cirros can be used fo rbasi boot testing but it does not have any tools pre installed to enable access the uefi nvram or to do attestation ectra. it will just allow basic boot testing. most modern cloud image should work if you need more then that.
Specifically talking about UEFI boot/secure boot use case ideally we want some tools like efivar which can be used to read/write EFI variables. But as minimum I think just supporting ssh (using the existing keypair injection mechanism using metadata) would be enough as it allows us to check the presence of EFI partition to confirm that the instance is actually booted by UEFI.
so secure boot and uefi boot are two seperatre feature that are enabeld independly in openstack but your right i just tested cirros again and 0.6.3 indeed does not fully boot in uefi mode https://paste.opendev.org/show/bvRgq2kmZ6DYP79Ft3ew/ i actully do recall hitting this before when we were doing the image inspecrot work 2 years ago. it boots enouch for nova /qemu to consider it booted but it wont actully load into the os. the tinycore 16.3 iso is 20 mb http://tinycorelinux.net/16.x/x86/release/Core-current.iso has the same issue with droping to a efi promt the generic alpine cloud image https://dl-cdn.alpinelinux.org/alpine/v3.22/releases/cloud/generic_alpine-3.... 128MB or the slightly large cloud-init version https://dl-cdn.alpinelinux.org/alpine/v3.22/releases/cloud/generic_alpine-3.... 192mb both work https://termbin.com/s0am i have not had time to revive my alpine diskimag builder serise bu ti was exploring that as an evenutal replacement for cirros in the future. it a large image then i woudl like but still relitively small and importantly works with or lower ram flavors. so for now i woudl recommend trying https://dl-cdn.alpinelinux.org/alpine/v3.22/releases/cloud/generic_alpine-3....
I've not examined the path to use a console log but that might be the last option.
I was also
In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
Thank you, Takashi
-- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
Hi, I’m pretty sure CirrOS GitHub [1] mentions UEFI should work. What’s the actual problem here? [1]: https://github.com/cirros-dev/cirros Michał Nasiadka mnasiadka@gmail.com W dniu pon., 17 lis 2025 o 19:27 Clark Boylan <cboylan@sapwetik.org> napisał(a):
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one.
OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ I suspect that these images don't know how to auto configure themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in?
In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
Thank you, Takashi
-- Takashi Kajinami irc: tkajinam github: https://github.com/kajinamit launchpad: https://launchpad.net/~kajinamit
On 11/18/25 3:37 AM, Michał Nasiadka wrote:
Hi,
I’m pretty sure CirrOS GitHub [1] mentions UEFI should work. What’s the actual problem here?
[1]: https://github.com/cirros-dev/cirros <https://github.com/cirros-dev/cirros>
Hmm. as far as I was trying to enable UEFI test in gate (which uses cirros 0.6.3) I see cirros fails to boot when UEFI is selected. https://review.opendev.org/c/openstack/tempest/+/966029 The following error appears in console log so I suspect there is still some problems with cirros for UEFI boot. ``` EFI stub: ERROR: efi_relocate_kernel() failed! EFI stub: ERROR: efi_main() failed! ``` I'll double check it, though I don't think cirros may support secure boot so we need a different guest for it at least.
Michał Nasiadka mnasiadka@gmail.com <mailto:mnasiadka@gmail.com>
W dniu pon., 17 lis 2025 o 19:27 Clark Boylan <cboylan@sapwetik.org <mailto:cboylan@sapwetik.org>> napisał(a):
On Mon, Nov 17, 2025, at 9:15 AM, Takashi Kajinami wrote: > Hi, > > > I've been trying to implement a few tempest tests to verify > functionality > of UEFI boot and secure boot, and I noticed that cirros, which is used > as a primary > guest image for tests, do not support UEFI boot. > > I'm wondering if anyone can share a good light-weight guest image used > in their > own tests of these features ? I guess that ubuntu guest image might be > a primary > choice (given the fact that ubuntu is the default operating system for > tests) but > I'm wondering if we have more light-weight one.
OpenWrt has x86_64 (U)EFI images here https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/ <https://downloads.openwrt.org/releases/24.10.4/targets/x86/64/> I suspect that these images don't know how to auto configure themselves using metadata service or config drive though. Depending on what you need to check for functionality this may not be a problem. Perhaps console logs will work and can be checked for functionality rather than ssh'ing in?
In general I think this may be the main issue. The super minimal images that exist out there likely don't have something like Cloud Init or Glean installed in them. Its possible we could modify these images to keep them small and add that support (maybe by porting the system cirros uses). Outside of cirros I suspect that many pre-built lightweight images lack this functionality as it drags in a lot of dependencies if done in the easy way.
> > Thank you, > Takashi > > -- > Takashi Kajinami > irc: tkajinam > github: https://github.com/kajinamit <https://github.com/kajinamit> > launchpad: https://launchpad.net/~kajinamit <https://launchpad.net/~kajinamit>
On Tue, Nov 18, 2025 at 4:16 AM Takashi Kajinami <kajinamit@oss.nttdata.com> wrote:
Hi,
I've been trying to implement a few tempest tests to verify functionality of UEFI boot and secure boot, and I noticed that cirros, which is used as a primary guest image for tests, do not support UEFI boot.
I'm wondering if anyone can share a good light-weight guest image used in their own tests of these features ? I guess that ubuntu guest image might be a primary choice (given the fact that ubuntu is the default operating system for tests) but I'm wondering if we have more light-weight one.
I don't think it's what you're asking for, but just in case... Kerbside has a lightweight UEFI test image to help verify console latency. It does this by running a UEFI binary instead of booting into an operating system at all. It would be relatively easy to therefore detect that UEFI is working by inspecting the instance's SPICE console. It however does not do secure boot. Cheers, Michael
participants (5)
-
Clark Boylan
-
Michael Still
-
Michał Nasiadka
-
Sean Mooney
-
Takashi Kajinami