@underpostnet/underpost 2.95.8 → 2.96.0

package/packer/images/Rocky9Amd64/rocky9.pkr.hcl

@@ -0,0 +1,160 @@
+packer {
+  required_version = ">= 1.11.0"
+  required_plugins {
+    qemu = {
+      version = ">= 1.1.0, < 1.1.2"
+      source  = "github.com/hashicorp/qemu"
+    }
+  }
+}
+
+variable "filename" {
+  type        = string
+  default     = "rocky9.tar.gz"
+  description = "The filename of the tarball to produce"
+}
+
+variable ks_proxy {
+  type    = string
+  default = "${env("KS_PROXY")}"
+}
+
+variable ks_mirror {
+  type    = string
+  default = "${env("KS_MIRROR")}"
+}
+
+variable "timeout" {
+  type        = string
+  default     = "1h"
+  description = "Timeout for building the image"
+}
+
+variable "architecture" {
+  type        = string
+  default     = "amd64"
+  description = "The architecture to build the image for (amd64 or arm64)"
+}
+
+variable "host_is_arm" {
+  type        = bool
+  default     = false
+  description = "The host architecture is aarch64"
+}
+
+variable "ovmf_suffix" {
+  type        = string
+  default     = ""
+  description = "Suffix for OVMF CODE and VARS files. Newer systems such as Noble use _4M."
+}
+
+variable "headless" {
+  type        = bool
+  default     = true
+  description = "Run packer in headless mode"
+}
+
+locals {
+  iso_arch_map = {
+    "amd64"   = "x86_64"
+    "x86_64"  = "x86_64"
+    "arm64"   = "aarch64"
+    "aarch64" = "aarch64"
+  }
+  iso_arch = lookup(local.iso_arch_map, var.architecture, "x86_64")
+
+  qemu_arch = {
+    "amd64"   = "x86_64"
+    "x86_64"  = "x86_64"
+    "arm64"   = "aarch64"
+    "aarch64" = "aarch64"
+  }
+  uefi_imp = {
+    "amd64"   = "OVMF"
+    "x86_64"  = "OVMF"
+    "arm64"   = "AAVMF"
+    "aarch64" = "AAVMF"
+  }
+  uefi_sfx = {
+    "amd64"   = "${var.ovmf_suffix}"
+    "x86_64"  = "${var.ovmf_suffix}"
+    "arm64"   = ""
+    "aarch64" = ""
+  }
+  qemu_machine = {
+    "amd64"   = "accel=kvm"
+    "x86_64"  = "accel=kvm"
+    "arm64"   = var.host_is_arm ? "virt,accel=kvm" : "virt"
+    "aarch64" = var.host_is_arm ? "virt,accel=kvm" : "virt"
+  }
+  qemu_cpu = {
+    "amd64"   = "host"
+    "x86_64"  = "host"
+    "arm64"   = var.host_is_arm ? "host" : "max"
+    "aarch64" = var.host_is_arm ? "host" : "max"
+  }
+
+  ks_proxy           = var.ks_proxy != "" ? "--proxy=${var.ks_proxy}" : ""
+  ks_os_repos        = var.ks_mirror != "" ? "--url=${var.ks_mirror}/BaseOS/${local.iso_arch}/os" : "--mirrorlist='http://mirrors.rockylinux.org/mirrorlist?arch=${local.iso_arch}&repo=BaseOS-9'"
+  ks_appstream_repos = var.ks_mirror != "" ? "--baseurl=${var.ks_mirror}/AppStream/${local.iso_arch}/os" : "--mirrorlist='https://mirrors.rockylinux.org/mirrorlist?release=9&arch=${local.iso_arch}&repo=AppStream-9'"
+  ks_extras_repos    = var.ks_mirror != "" ? "--baseurl=${var.ks_mirror}/extras/${local.iso_arch}/os" : "--mirrorlist='https://mirrors.rockylinux.org/mirrorlist?arch=${local.iso_arch}&repo=extras-9'"
+}
+
+source "qemu" "rocky9" {
+  boot_command     = ["<up><wait>", "e", "<down><down><down><left>", " console=ttyS0 inst.cmdline inst.text inst.ks=http://{{.HTTPIP}}:{{.HTTPPort}}/rocky9.ks <f10>"]
+  boot_wait        = "5s"
+  communicator     = "none"
+  disk_size        = "45G"
+  format           = "qcow2"
+  headless         = var.headless
+  iso_checksum     = "file:http://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/CHECKSUM"
+  iso_url          = "http://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  iso_target_path  = "packer_cache/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  memory           = 2048
+  cores            = 4
+  qemu_binary      = "qemu-system-${lookup(local.qemu_arch, var.architecture, "")}"
+  qemuargs = [
+    ["-serial", "stdio"],
+    ["-boot", "strict=off"],
+    ["-device", "qemu-xhci"],
+    ["-device", "usb-kbd"],
+    ["-device", "virtio-net-pci,netdev=net0"],
+    ["-netdev", "user,id=net0"],
+    ["-device", "virtio-blk-pci,drive=drive0,bootindex=0"],
+    ["-device", "virtio-blk-pci,drive=cdrom0,bootindex=1"],
+    ["-machine", "${lookup(local.qemu_machine, var.architecture, "")}"],
+    ["-cpu", "${lookup(local.qemu_cpu, var.architecture, "")}"],
+    ["-device", "virtio-gpu-pci"],
+    ["-global", "driver=cfi.pflash01,property=secure,value=off"],
+    ["-drive", "if=pflash,format=raw,unit=0,id=ovmf_code,readonly=on,file=/usr/share/${lookup(local.uefi_imp, var.architecture, "")}/${lookup(local.uefi_imp, var.architecture, "")}_CODE${lookup(local.uefi_sfx, var.architecture, "")}.fd"],
+    ["-drive", "if=pflash,format=raw,unit=1,id=ovmf_vars,file=${local.iso_arch}_VARS.fd"],
+    ["-drive", "file=output-rocky9/packer-rocky9,if=none,id=drive0,cache=writeback,discard=ignore,format=qcow2"],
+    ["-drive", "file=packer_cache/Rocky-9-latest-${local.iso_arch}-boot.iso,if=none,id=cdrom0,media=cdrom"]
+  ]
+  shutdown_timeout = var.timeout
+  http_content = {
+    "/rocky9.ks" = templatefile("${path.root}/http/rocky9.ks.pkrtpl.hcl",
+      {
+        KS_PROXY           = local.ks_proxy,
+        KS_OS_REPOS        = local.ks_os_repos,
+        KS_APPSTREAM_REPOS = local.ks_appstream_repos,
+        KS_EXTRAS_REPOS    = local.ks_extras_repos
+      }
+    )
+  }
+}
+
+build {
+  sources = ["source.qemu.rocky9"]
+
+  post-processor "shell-local" {
+    inline = [
+      "SOURCE=${source.name}",
+      "OUTPUT=${var.filename}",
+      "source ../../scripts/fuse-nbd",
+      "source ../../scripts/fuse-tar-root",
+      "rm -rf output-${source.name}",
+    ]
+    inline_shebang = "/bin/bash -e"
+  }
+}

package/packer/scripts/fuse-nbd

@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vi: ts=4 expandtab
+#
+# Script to mount a qcow2 image using NBD (Network Block Device)
+# This is part of the MAAS image build process
+
+OUTPUT_DIR="output-${SOURCE}"
+OUTPUT_QCOW2="${OUTPUT_DIR}/packer-${SOURCE}"
+
+if [ ! -f "${OUTPUT_QCOW2}" ]; then
+    echo "ERROR: ${OUTPUT_QCOW2} not found"
+    exit 1
+fi
+
+# Load NBD kernel module if not already loaded
+if ! lsmod | grep -q nbd; then
+    modprobe nbd
+fi
+
+# Find an available NBD device
+for i in {0..15}; do
+    if [ ! -e "/sys/class/block/nbd${i}/pid" ]; then
+        NBD_DEV="/dev/nbd${i}"
+        break
+    fi
+done
+
+if [ -z "${NBD_DEV}" ]; then
+    echo "ERROR: No available NBD devices found"
+    exit 1
+fi
+
+# Connect the QCOW2 image to the NBD device
+qemu-nbd -c "${NBD_DEV}" -f qcow2 -r "${OUTPUT_QCOW2}"
+
+# Wait for the device to be ready
+sleep 2
+udevadm settle
+
+# Find the root partition (usually the largest partition)
+ROOT_PART=""
+MAX_SIZE=0
+
+for part in "${NBD_DEV}"p*; do
+    if [ -b "${part}" ]; then
+        SIZE=$(blockdev --getsize64 "${part}" 2>/dev/null || echo 0)
+        if [ "${SIZE}" -gt "${MAX_SIZE}" ]; then
+            MAX_SIZE=${SIZE}
+            ROOT_PART="${part}"
+        fi
+    fi
+done
+
+if [ -z "${ROOT_PART}" ]; then
+    # If no partitions found, try the whole device
+    ROOT_PART="${NBD_DEV}"
+fi
+
+echo "Using NBD device: ${NBD_DEV}"
+echo "Root partition: ${ROOT_PART}"
+
+# Export variables for use in subsequent scripts
+export NBD_DEV
+export ROOT_PART

package/packer/scripts/fuse-tar-root

@@ -0,0 +1,63 @@
+#!/bin/bash -e
+# vi: ts=4 expandtab
+#
+# Script to extract root filesystem from NBD device to tarball for MAAS
+# This is part of the MAAS image build process
+
+if [ -z "${NBD_DEV}" ]; then
+    echo "ERROR: NBD_DEV not set. Run fuse-nbd first."
+    exit 1
+fi
+
+if [ -z "${ROOT_PART}" ]; then
+    echo "ERROR: ROOT_PART not set. Run fuse-nbd first."
+    exit 1
+fi
+
+if [ -z "${OUTPUT}" ]; then
+    echo "ERROR: OUTPUT not set."
+    exit 1
+fi
+
+# Create temporary mount point
+MOUNT_POINT=$(mktemp -d /tmp/packer-maas-mount.XXXXXX)
+
+cleanup() {
+    echo "Cleaning up..."
+    if mountpoint -q "${MOUNT_POINT}"; then
+        umount "${MOUNT_POINT}" || true
+    fi
+    if [ -n "${NBD_DEV}" ] && [ -b "${NBD_DEV}" ]; then
+        qemu-nbd -d "${NBD_DEV}" || true
+    fi
+    if [ -d "${MOUNT_POINT}" ]; then
+        rmdir "${MOUNT_POINT}" || true
+    fi
+}
+
+trap cleanup EXIT
+
+# Mount the root partition
+echo "Mounting ${ROOT_PART} to ${MOUNT_POINT}..."
+mount -o ro "${ROOT_PART}" "${MOUNT_POINT}"
+
+# Create tarball from the mounted filesystem
+echo "Creating tarball ${OUTPUT}..."
+tar -czf "${OUTPUT}" -C "${MOUNT_POINT}" \
+    --exclude='./dev/*' \
+    --exclude='./proc/*' \
+    --exclude='./sys/*' \
+    --exclude='./tmp/*' \
+    --exclude='./run/*' \
+    --exclude='./mnt/*' \
+    --exclude='./media/*' \
+    --exclude='./lost+found' \
+    --exclude='./boot/efi/*' \
+    --numeric-owner \
+    .
+
+echo "Tarball created successfully: ${OUTPUT}"
+echo "Size: $(du -h "${OUTPUT}" | cut -f1)"
+
+# Cleanup will be called by trap
+exit 0

package/scripts/maas-setup.sh

@@ -99,7 +99,18 @@ echo "Configuring DHCP for fabric-1 (untagged VLAN)..."
 SUBNET_CIDR="192.168.1.0/24"
 SUBNET_ID=$(maas "$MAAS_ADMIN_USERNAME" subnets read | jq -r '.[] | select(.cidr == "'"$SUBNET_CIDR"'") | .id')
 FABRIC_ID=$(maas "$MAAS_ADMIN_USERNAME" fabrics read | jq -r '.[] | select(.name == "fabric-1") | .id')
-RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '.[] | select(.ip_addresses[] == "'"$IP_ADDRESS"'") | .system_id')
+RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '[.[] | select(.ip_addresses[] == "'"$IP_ADDRESS"'") | .system_id] | .[0]')
+
+if [ -z "$RACK_CONTROLLER_ID" ] || [ "$RACK_CONTROLLER_ID" == "null" ]; then
+    echo "Warning: Could not find Rack Controller by IP $IP_ADDRESS. Attempting to use the first available Rack Controller..."
+    RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '.[0].system_id')
+fi
+
+if [ -z "$RACK_CONTROLLER_ID" ] || [ "$RACK_CONTROLLER_ID" == "null" ]; then
+    echo "Error: Could not find any Rack Controller."
+    exit 1
+fi
+
 START_IP="192.168.1.191"
 END_IP="192.168.1.254"
 
@@ -110,7 +121,7 @@ fi
 
 # Create a Dynamic IP Range for enlistment, commissioning, and deployment
 echo "Creating dynamic IP range from $START_IP to $END_IP..."
-maas "$MAAS_ADMIN_USERNAME" ipranges create type=dynamic start_ip="$START_IP" end_ip="$END_IP"
+maas "$MAAS_ADMIN_USERNAME" ipranges create type=dynamic start_ip="$START_IP" end_ip="$END_IP" || echo "Dynamic IP range likely already exists or conflicts. Proceeding..."
 
 # Enable DHCP on the untagged VLAN (VLAN tag 0)
 echo "Enabling DHCP on VLAN 0 for fabric-1 (ID: $FABRIC_ID)..."

package/scripts/maas-upload-boot-resource.sh

@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# Script to upload boot resources to MAAS using the REST API with OAuth
+# Usage: ./maas-upload-boot-resource.sh <profile> <name> <title> <architecture> <base_image> <filetype> <file_path>
+
+set -euo pipefail
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 <profile> <name> <title> <architecture> <base_image> <filetype> <file_path>"
+    echo ""
+    echo "Example:"
+    echo "  $0 maas custom/rocky9 'Rocky 9 Custom' amd64/generic rhel/9 tgz rocky9.tar.gz"
+    exit 1
+fi
+
+PROFILE="$1"
+NAME="$2"
+TITLE="$3"
+ARCHITECTURE="$4"
+BASE_IMAGE="$5"
+FILETYPE="$6"
+FILE_PATH="$7"
+
+# Verify file exists
+if [ ! -f "$FILE_PATH" ]; then
+    echo "Error: File not found: $FILE_PATH"
+    exit 1
+fi
+
+# Verify jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is required for this script but not installed."
+    exit 1
+fi
+
+# Get MAAS API URL and credentials from profile
+MAAS_INFO=$(maas list | grep "^${PROFILE}" || true)
+if [ -z "$MAAS_INFO" ]; then
+    echo "Error: MAAS profile '${PROFILE}' not found"
+    echo "Available profiles:"
+    maas list
+    exit 1
+fi
+
+API_URL=$(echo "$MAAS_INFO" | awk '{print $2}')
+API_KEY=$(echo "$MAAS_INFO" | awk '{print $3}')
+
+# Parse OAuth credentials
+CONSUMER_KEY=$(echo "$API_KEY" | cut -d: -f1)
+TOKEN_KEY=$(echo "$API_KEY" | cut -d: -f2)
+TOKEN_SECRET=$(echo "$API_KEY" | cut -d: -f3)
+
+# Calculate file hash and size
+echo "Calculating SHA256 checksum..."
+SHA256=$(sha256sum "$FILE_PATH" | awk '{print $1}')
+SIZE=$(stat -c%s "$FILE_PATH")
+
+echo "File: $FILE_PATH"
+echo "Size: $SIZE bytes ($(numfmt --to=iec-i --suffix=B $SIZE))"
+echo "SHA256: $SHA256"
+echo ""
+
+# Endpoint for boot resources
+ENDPOINT="${API_URL}boot-resources/"
+
+# Generate OAuth timestamp and nonce
+TIMESTAMP=$(date +%s)
+NONCE=$(openssl rand -hex 16)
+
+# OAuth parameters
+OAUTH_VERSION="1.0"
+OAUTH_SIGNATURE_METHOD="PLAINTEXT"
+OAUTH_SIGNATURE="&${TOKEN_SECRET}"
+
+echo "Initiating upload to MAAS..."
+echo "API URL: $ENDPOINT"
+echo "Name: $NAME"
+echo "Title: $TITLE"
+echo "Architecture: $ARCHITECTURE"
+echo "Base Image: $BASE_IMAGE"
+echo "Filetype: $FILETYPE"
+echo ""
+
+# 1. Initiate Upload (POST metadata)
+# We do NOT send the content here, just the metadata to create the resource and get the upload URI.
+RESPONSE=$(curl -s -X POST "${ENDPOINT}" \
+    -H "Authorization: OAuth oauth_version=\"${OAUTH_VERSION}\", oauth_signature_method=\"${OAUTH_SIGNATURE_METHOD}\", oauth_consumer_key=\"${CONSUMER_KEY}\", oauth_token=\"${TOKEN_KEY}\", oauth_signature=\"${OAUTH_SIGNATURE}\", oauth_timestamp=\"${TIMESTAMP}\", oauth_nonce=\"${NONCE}\"" \
+    -F "name=${NAME}" \
+    -F "title=${TITLE}" \
+    -F "architecture=${ARCHITECTURE}" \
+    -F "base_image=${BASE_IMAGE}" \
+    -F "filetype=${FILETYPE}" \
+    -F "sha256=${SHA256}" \
+    -F "size=${SIZE}")
+CURL_RET=$?
+
+if [ $CURL_RET -ne 0 ]; then
+    echo "Error: curl failed with exit code $CURL_RET"
+    exit 1
+fi
+
+# Validate JSON before parsing
+if ! echo "$RESPONSE" | jq . >/dev/null 2>&1; then
+    echo "Error: MAAS returned invalid JSON."
+    echo "Raw response:"
+    echo "$RESPONSE"
+    exit 1
+fi
+
+# Extract Upload URI
+UPLOAD_URI=$(echo "$RESPONSE" | jq -r '.sets | to_entries | sort_by(.key) | reverse | .[0].value.files | to_entries | .[0].value.upload_uri // empty')
+
+if [ -z "$UPLOAD_URI" ]; then
+    echo "✗ Failed to get upload URI from MAAS response."
+    echo "Response:"
+    echo "$RESPONSE" | jq . 2>/dev/null || echo "$RESPONSE"
+    exit 1
+fi
+
+echo "Upload URI obtained: $UPLOAD_URI"
+
+# Construct the full upload URL
+if [[ "$UPLOAD_URI" == http* ]]; then
+    FULL_UPLOAD_URL="$UPLOAD_URI"
+else
+    # Extract scheme and authority from API_URL
+    # e.g. http://192.168.1.5:5240/MAAS/api/2.0/ -> http://192.168.1.5:5240
+    MAAS_ROOT=$(echo "$API_URL" | sed -E 's|^(https?://[^/]+).*|\1|')
+
+    # Ensure UPLOAD_URI starts with /
+    [[ "$UPLOAD_URI" != /* ]] && UPLOAD_URI="/$UPLOAD_URI"
+
+    FULL_UPLOAD_URL="${MAAS_ROOT}${UPLOAD_URI}"
+fi
+
+echo "Full Upload URL: $FULL_UPLOAD_URL"
+
+# 2. Split file into chunks
+CHUNK_SIZE=$((4 * 1024 * 1024)) # 4MB
+TMP_DIR=$(mktemp -d)
+echo "Splitting file into 4MB chunks in $TMP_DIR..."
+split -b ${CHUNK_SIZE} "${FILE_PATH}" "${TMP_DIR}/chunk_"
+
+# 3. Upload chunks
+echo "Starting chunked upload..."
+CHUNK_COUNT=$(ls "${TMP_DIR}"/chunk_* | wc -l)
+CURRENT_CHUNK=0
+
+for chunk in "${TMP_DIR}"/chunk_*; do
+    CURRENT_CHUNK=$((CURRENT_CHUNK + 1))
+    CHUNK_SIZE_BYTES=$(stat -c%s "$chunk")
+
+    # Progress indicator
+    echo -ne "Uploading chunk $CURRENT_CHUNK of $CHUNK_COUNT ($CHUNK_SIZE_BYTES bytes)...\r"
+
+    # Generate new nonce/timestamp for each request
+    TIMESTAMP=$(date +%s)
+    NONCE=$(openssl rand -hex 16)
+
+    # Upload chunk
+    CHUNK_RESPONSE=$(curl -s -X PUT "${FULL_UPLOAD_URL}" \
+        -H "Content-Type: application/octet-stream" \
+        -H "Content-Length: ${CHUNK_SIZE_BYTES}" \
+        -H "Authorization: OAuth oauth_version=\"${OAUTH_VERSION}\", oauth_signature_method=\"${OAUTH_SIGNATURE_METHOD}\", oauth_consumer_key=\"${CONSUMER_KEY}\", oauth_token=\"${TOKEN_KEY}\", oauth_signature=\"${OAUTH_SIGNATURE}\", oauth_timestamp=\"${TIMESTAMP}\", oauth_nonce=\"${NONCE}\"" \
+        --data-binary @"${chunk}" \
+        -w "%{http_code}")
+
+    HTTP_CODE="${CHUNK_RESPONSE: -3}"
+
+    if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
+        echo ""
+        echo "✗ Chunk upload failed with status: $HTTP_CODE"
+        echo "Response: ${CHUNK_RESPONSE::-3}"
+        rm -r "${TMP_DIR}"
+        exit 1
+    fi
+
+    rm "$chunk"
+done
+
+echo ""
+echo "✓ Upload complete!"
+rm -r "${TMP_DIR}"
+exit 0

package/scripts/packer-init-vars-file.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Script to Initialize VARS files for Packer builds
+# Usage: sudo ./scripts/packer-setup.sh
+
+set -euo pipefail
+
+# Packer needs writable VARS files for UEFI boot
+PACKER_DIR="$(dirname "$0")/../packer/images"
+
+# Find all packer image directories and create VARS files
+for image_dir in "$PACKER_DIR"/*; do
+    if [ -d "$image_dir" ]; then
+        image_name=$(basename "$image_dir")
+        echo "Checking UEFI VARS files for $image_name..."
+
+        # Create x86_64 VARS file if it doesn't exist
+        if [ -f /usr/share/edk2/ovmf/OVMF_VARS.fd ] && [ ! -f "$image_dir/x86_64_VARS.fd" ]; then
+            cp /usr/share/edk2/ovmf/OVMF_VARS.fd "$image_dir/x86_64_VARS.fd"
+            echo "Created $image_dir/x86_64_VARS.fd"
+        fi
+
+        # Create aarch64 VARS file if it doesn't exist
+        if [ -f /usr/share/edk2/aarch64/AAVMF_VARS.fd ] && [ ! -f "$image_dir/aarch64_VARS.fd" ]; then
+            cp /usr/share/edk2/aarch64/AAVMF_VARS.fd "$image_dir/aarch64_VARS.fd"
+            echo "Created $image_dir/aarch64_VARS.fd"
+        fi
+    fi
+done
+
+echo "Packer and QEMU setup complete!"

package/scripts/packer-setup.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Script to install Packer and libvirt/qemu tooling on Rocky Linux.
+# Usage: sudo ./scripts/packer-setup.sh
+
+set -euo pipefail
+
+
+# 1) Replace/add the correct HashiCorp repo for RHEL/Rocky
+sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
+
+# Refresh dnf metadata
+sudo dnf clean all
+sudo dnf makecache --refresh
+
+# 2) Try to install packer from the repo
+sudo dnf install -y packer || echo "packer install from repo failed, try manual install (see below)"
+
+# 3) Install libvirt/qemu tooling then start the service
+sudo dnf install -y libvirt libvirt-daemon qemu-kvm qemu-img virt-install bridge-utils
+sudo systemctl enable --now libvirtd
+sudo systemctl status libvirtd --no-pager
+
+# 3a) Install NBD and filesystem tools required for MAAS image creation
+sudo dnf install -y libnbd nbdkit e2fsprogs kmod-kvdo kmod
+
+# 4) Install UEFI firmware for x86_64 and ARM64
+sudo dnf install -y edk2-ovmf edk2-aarch64
+
+# 5) Create symlinks for qemu-system-* binaries (Rocky/RHEL uses qemu-kvm instead)
+# Packer expects standard qemu-system-* names, but RHEL-based distros use qemu-kvm
+if [ -f /usr/libexec/qemu-kvm ] && [ ! -f /usr/bin/qemu-system-x86_64 ]; then
+    echo "Creating symlink: /usr/bin/qemu-system-x86_64 -> /usr/libexec/qemu-kvm"
+    sudo ln -sf /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64
+fi
+
+if [ -f /usr/libexec/qemu-kvm ] && [ ! -f /usr/bin/qemu-system-aarch64 ]; then
+    echo "Creating symlink: /usr/bin/qemu-system-aarch64 -> /usr/libexec/qemu-kvm"
+    sudo ln -sf /usr/libexec/qemu-kvm /usr/bin/qemu-system-aarch64
+fi
+
+# 6) Create symlinks for OVMF/AAVMF firmware files in expected locations
+# Rocky/RHEL stores OVMF in /usr/share/edk2/ovmf, but Packer expects /usr/share/OVMF
+if [ -f /usr/share/edk2/ovmf/OVMF_CODE.fd ] && [ ! -f /usr/share/OVMF/OVMF_CODE.fd ]; then
+    echo "Creating symlink: /usr/share/OVMF/OVMF_CODE.fd -> /usr/share/edk2/ovmf/OVMF_CODE.fd"
+    sudo ln -sf /usr/share/edk2/ovmf/OVMF_CODE.fd /usr/share/OVMF/OVMF_CODE.fd
+fi
+
+# Create AAVMF symlinks for ARM64 support
+if [ -d /usr/share/edk2/aarch64 ] && [ ! -d /usr/share/AAVMF ]; then
+    echo "Creating symlink: /usr/share/AAVMF -> /usr/share/edk2/aarch64"
+    sudo ln -sf /usr/share/edk2/aarch64 /usr/share/AAVMF
+fi