@underpostnet/underpost 2.95.8 → 2.96.1

package/packer/scripts/fuse-nbd

@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vi: ts=4 expandtab
+#
+# Script to mount a qcow2 image using NBD (Network Block Device)
+# This is part of the MAAS image build process
+
+OUTPUT_DIR="output-${SOURCE}"
+OUTPUT_QCOW2="${OUTPUT_DIR}/packer-${SOURCE}"
+
+if [ ! -f "${OUTPUT_QCOW2}" ]; then
+    echo "ERROR: ${OUTPUT_QCOW2} not found"
+    exit 1
+fi
+
+# Load NBD kernel module if not already loaded
+if ! lsmod | grep -q nbd; then
+    modprobe nbd
+fi
+
+# Find an available NBD device
+for i in {0..15}; do
+    if [ ! -e "/sys/class/block/nbd${i}/pid" ]; then
+        NBD_DEV="/dev/nbd${i}"
+        break
+    fi
+done
+
+if [ -z "${NBD_DEV}" ]; then
+    echo "ERROR: No available NBD devices found"
+    exit 1
+fi
+
+# Connect the QCOW2 image to the NBD device
+qemu-nbd -c "${NBD_DEV}" -f qcow2 -r "${OUTPUT_QCOW2}"
+
+# Wait for the device to be ready
+sleep 2
+udevadm settle
+
+# Find the root partition (usually the largest partition)
+ROOT_PART=""
+MAX_SIZE=0
+
+for part in "${NBD_DEV}"p*; do
+    if [ -b "${part}" ]; then
+        SIZE=$(blockdev --getsize64 "${part}" 2>/dev/null || echo 0)
+        if [ "${SIZE}" -gt "${MAX_SIZE}" ]; then
+            MAX_SIZE=${SIZE}
+            ROOT_PART="${part}"
+        fi
+    fi
+done
+
+if [ -z "${ROOT_PART}" ]; then
+    # If no partitions found, try the whole device
+    ROOT_PART="${NBD_DEV}"
+fi
+
+echo "Using NBD device: ${NBD_DEV}"
+echo "Root partition: ${ROOT_PART}"
+
+# Export variables for use in subsequent scripts
+export NBD_DEV
+export ROOT_PART

package/packer/scripts/fuse-tar-root

@@ -0,0 +1,63 @@
+#!/bin/bash -e
+# vi: ts=4 expandtab
+#
+# Script to extract root filesystem from NBD device to tarball for MAAS
+# This is part of the MAAS image build process
+
+if [ -z "${NBD_DEV}" ]; then
+    echo "ERROR: NBD_DEV not set. Run fuse-nbd first."
+    exit 1
+fi
+
+if [ -z "${ROOT_PART}" ]; then
+    echo "ERROR: ROOT_PART not set. Run fuse-nbd first."
+    exit 1
+fi
+
+if [ -z "${OUTPUT}" ]; then
+    echo "ERROR: OUTPUT not set."
+    exit 1
+fi
+
+# Create temporary mount point
+MOUNT_POINT=$(mktemp -d /tmp/packer-maas-mount.XXXXXX)
+
+cleanup() {
+    echo "Cleaning up..."
+    if mountpoint -q "${MOUNT_POINT}"; then
+        umount "${MOUNT_POINT}" || true
+    fi
+    if [ -n "${NBD_DEV}" ] && [ -b "${NBD_DEV}" ]; then
+        qemu-nbd -d "${NBD_DEV}" || true
+    fi
+    if [ -d "${MOUNT_POINT}" ]; then
+        rmdir "${MOUNT_POINT}" || true
+    fi
+}
+
+trap cleanup EXIT
+
+# Mount the root partition
+echo "Mounting ${ROOT_PART} to ${MOUNT_POINT}..."
+mount -o ro "${ROOT_PART}" "${MOUNT_POINT}"
+
+# Create tarball from the mounted filesystem
+echo "Creating tarball ${OUTPUT}..."
+tar -czf "${OUTPUT}" -C "${MOUNT_POINT}" \
+    --exclude='./dev/*' \
+    --exclude='./proc/*' \
+    --exclude='./sys/*' \
+    --exclude='./tmp/*' \
+    --exclude='./run/*' \
+    --exclude='./mnt/*' \
+    --exclude='./media/*' \
+    --exclude='./lost+found' \
+    --exclude='./boot/efi/*' \
+    --numeric-owner \
+    .
+
+echo "Tarball created successfully: ${OUTPUT}"
+echo "Size: $(du -h "${OUTPUT}" | cut -f1)"
+
+# Cleanup will be called by trap
+exit 0

package/scripts/maas-setup.sh

@@ -99,7 +99,18 @@ echo "Configuring DHCP for fabric-1 (untagged VLAN)..."
 SUBNET_CIDR="192.168.1.0/24"
 SUBNET_ID=$(maas "$MAAS_ADMIN_USERNAME" subnets read | jq -r '.[] | select(.cidr == "'"$SUBNET_CIDR"'") | .id')
 FABRIC_ID=$(maas "$MAAS_ADMIN_USERNAME" fabrics read | jq -r '.[] | select(.name == "fabric-1") | .id')
-RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '.[] | select(.ip_addresses[] == "'"$IP_ADDRESS"'") | .system_id')
+RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '[.[] | select(.ip_addresses[] == "'"$IP_ADDRESS"'") | .system_id] | .[0]')
+
+if [ -z "$RACK_CONTROLLER_ID" ] || [ "$RACK_CONTROLLER_ID" == "null" ]; then
+    echo "Warning: Could not find Rack Controller by IP $IP_ADDRESS. Attempting to use the first available Rack Controller..."
+    RACK_CONTROLLER_ID=$(maas "$MAAS_ADMIN_USERNAME" rack-controllers read | jq -r '.[0].system_id')
+fi
+
+if [ -z "$RACK_CONTROLLER_ID" ] || [ "$RACK_CONTROLLER_ID" == "null" ]; then
+    echo "Error: Could not find any Rack Controller."
+    exit 1
+fi
+
 START_IP="192.168.1.191"
 END_IP="192.168.1.254"
 
@@ -110,7 +121,7 @@ fi
 
 # Create a Dynamic IP Range for enlistment, commissioning, and deployment
 echo "Creating dynamic IP range from $START_IP to $END_IP..."
-maas "$MAAS_ADMIN_USERNAME" ipranges create type=dynamic start_ip="$START_IP" end_ip="$END_IP"
+maas "$MAAS_ADMIN_USERNAME" ipranges create type=dynamic start_ip="$START_IP" end_ip="$END_IP" || echo "Dynamic IP range likely already exists or conflicts. Proceeding..."
 
 # Enable DHCP on the untagged VLAN (VLAN tag 0)
 echo "Enabling DHCP on VLAN 0 for fabric-1 (ID: $FABRIC_ID)..."

package/scripts/maas-upload-boot-resource.sh

@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# Script to upload boot resources to MAAS using the REST API with OAuth
+# Usage: ./maas-upload-boot-resource.sh <profile> <name> <title> <architecture> <base_image> <filetype> <file_path>
+
+set -euo pipefail
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 <profile> <name> <title> <architecture> <base_image> <filetype> <file_path>"
+    echo ""
+    echo "Example:"
+    echo "  $0 maas custom/rocky9 'Rocky 9 Custom' amd64/generic rhel/9 tgz rocky9.tar.gz"
+    exit 1
+fi
+
+PROFILE="$1"
+NAME="$2"
+TITLE="$3"
+ARCHITECTURE="$4"
+BASE_IMAGE="$5"
+FILETYPE="$6"
+FILE_PATH="$7"
+
+# Verify file exists
+if [ ! -f "$FILE_PATH" ]; then
+    echo "Error: File not found: $FILE_PATH"
+    exit 1
+fi
+
+# Verify jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is required for this script but not installed."
+    exit 1
+fi
+
+# Get MAAS API URL and credentials from profile
+MAAS_INFO=$(maas list | grep "^${PROFILE}" || true)
+if [ -z "$MAAS_INFO" ]; then
+    echo "Error: MAAS profile '${PROFILE}' not found"
+    echo "Available profiles:"
+    maas list
+    exit 1
+fi
+
+API_URL=$(echo "$MAAS_INFO" | awk '{print $2}')
+API_KEY=$(echo "$MAAS_INFO" | awk '{print $3}')
+
+# Parse OAuth credentials
+CONSUMER_KEY=$(echo "$API_KEY" | cut -d: -f1)
+TOKEN_KEY=$(echo "$API_KEY" | cut -d: -f2)
+TOKEN_SECRET=$(echo "$API_KEY" | cut -d: -f3)
+
+# Calculate file hash and size
+echo "Calculating SHA256 checksum..."
+SHA256=$(sha256sum "$FILE_PATH" | awk '{print $1}')
+SIZE=$(stat -c%s "$FILE_PATH")
+
+echo "File: $FILE_PATH"
+echo "Size: $SIZE bytes ($(numfmt --to=iec-i --suffix=B $SIZE))"
+echo "SHA256: $SHA256"
+echo ""
+
+# Endpoint for boot resources
+ENDPOINT="${API_URL}boot-resources/"
+
+# Generate OAuth timestamp and nonce
+TIMESTAMP=$(date +%s)
+NONCE=$(openssl rand -hex 16)
+
+# OAuth parameters
+OAUTH_VERSION="1.0"
+OAUTH_SIGNATURE_METHOD="PLAINTEXT"
+OAUTH_SIGNATURE="&${TOKEN_SECRET}"
+
+echo "Initiating upload to MAAS..."
+echo "API URL: $ENDPOINT"
+echo "Name: $NAME"
+echo "Title: $TITLE"
+echo "Architecture: $ARCHITECTURE"
+echo "Base Image: $BASE_IMAGE"
+echo "Filetype: $FILETYPE"
+echo ""
+
+# 1. Initiate Upload (POST metadata)
+# We do NOT send the content here, just the metadata to create the resource and get the upload URI.
+RESPONSE=$(curl -s -X POST "${ENDPOINT}" \
+    -H "Authorization: OAuth oauth_version=\"${OAUTH_VERSION}\", oauth_signature_method=\"${OAUTH_SIGNATURE_METHOD}\", oauth_consumer_key=\"${CONSUMER_KEY}\", oauth_token=\"${TOKEN_KEY}\", oauth_signature=\"${OAUTH_SIGNATURE}\", oauth_timestamp=\"${TIMESTAMP}\", oauth_nonce=\"${NONCE}\"" \
+    -F "name=${NAME}" \
+    -F "title=${TITLE}" \
+    -F "architecture=${ARCHITECTURE}" \
+    -F "base_image=${BASE_IMAGE}" \
+    -F "filetype=${FILETYPE}" \
+    -F "sha256=${SHA256}" \
+    -F "size=${SIZE}")
+CURL_RET=$?
+
+if [ $CURL_RET -ne 0 ]; then
+    echo "Error: curl failed with exit code $CURL_RET"
+    exit 1
+fi
+
+# Validate JSON before parsing
+if ! echo "$RESPONSE" | jq . >/dev/null 2>&1; then
+    echo "Error: MAAS returned invalid JSON."
+    echo "Raw response:"
+    echo "$RESPONSE"
+    exit 1
+fi
+
+# Extract Upload URI
+UPLOAD_URI=$(echo "$RESPONSE" | jq -r '.sets | to_entries | sort_by(.key) | reverse | .[0].value.files | to_entries | .[0].value.upload_uri // empty')
+
+if [ -z "$UPLOAD_URI" ]; then
+    echo "✗ Failed to get upload URI from MAAS response."
+    echo "Response:"
+    echo "$RESPONSE" | jq . 2>/dev/null || echo "$RESPONSE"
+    exit 1
+fi
+
+echo "Upload URI obtained: $UPLOAD_URI"
+
+# Construct the full upload URL
+if [[ "$UPLOAD_URI" == http* ]]; then
+    FULL_UPLOAD_URL="$UPLOAD_URI"
+else
+    # Extract scheme and authority from API_URL
+    # e.g. http://192.168.1.5:5240/MAAS/api/2.0/ -> http://192.168.1.5:5240
+    MAAS_ROOT=$(echo "$API_URL" | sed -E 's|^(https?://[^/]+).*|\1|')
+
+    # Ensure UPLOAD_URI starts with /
+    [[ "$UPLOAD_URI" != /* ]] && UPLOAD_URI="/$UPLOAD_URI"
+
+    FULL_UPLOAD_URL="${MAAS_ROOT}${UPLOAD_URI}"
+fi
+
+echo "Full Upload URL: $FULL_UPLOAD_URL"
+
+# 2. Split file into chunks
+CHUNK_SIZE=$((4 * 1024 * 1024)) # 4MB
+TMP_DIR=$(mktemp -d)
+echo "Splitting file into 4MB chunks in $TMP_DIR..."
+split -b ${CHUNK_SIZE} "${FILE_PATH}" "${TMP_DIR}/chunk_"
+
+# 3. Upload chunks
+echo "Starting chunked upload..."
+CHUNK_COUNT=$(ls "${TMP_DIR}"/chunk_* | wc -l)
+CURRENT_CHUNK=0
+
+for chunk in "${TMP_DIR}"/chunk_*; do
+    CURRENT_CHUNK=$((CURRENT_CHUNK + 1))
+    CHUNK_SIZE_BYTES=$(stat -c%s "$chunk")
+
+    # Progress indicator
+    echo -ne "Uploading chunk $CURRENT_CHUNK of $CHUNK_COUNT ($CHUNK_SIZE_BYTES bytes)...\r"
+
+    # Generate new nonce/timestamp for each request
+    TIMESTAMP=$(date +%s)
+    NONCE=$(openssl rand -hex 16)
+
+    # Upload chunk
+    CHUNK_RESPONSE=$(curl -s -X PUT "${FULL_UPLOAD_URL}" \
+        -H "Content-Type: application/octet-stream" \
+        -H "Content-Length: ${CHUNK_SIZE_BYTES}" \
+        -H "Authorization: OAuth oauth_version=\"${OAUTH_VERSION}\", oauth_signature_method=\"${OAUTH_SIGNATURE_METHOD}\", oauth_consumer_key=\"${CONSUMER_KEY}\", oauth_token=\"${TOKEN_KEY}\", oauth_signature=\"${OAUTH_SIGNATURE}\", oauth_timestamp=\"${TIMESTAMP}\", oauth_nonce=\"${NONCE}\"" \
+        --data-binary @"${chunk}" \
+        -w "%{http_code}")
+
+    HTTP_CODE="${CHUNK_RESPONSE: -3}"
+
+    if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
+        echo ""
+        echo "✗ Chunk upload failed with status: $HTTP_CODE"
+        echo "Response: ${CHUNK_RESPONSE::-3}"
+        rm -r "${TMP_DIR}"
+        exit 1
+    fi
+
+    rm "$chunk"
+done
+
+echo ""
+echo "✓ Upload complete!"
+rm -r "${TMP_DIR}"
+exit 0

package/scripts/packer-init-vars-file.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Script to Initialize VARS files for Packer builds
+# Usage: sudo ./scripts/packer-setup.sh
+
+set -euo pipefail
+
+# Packer needs writable VARS files for UEFI boot
+PACKER_DIR="$(dirname "$0")/../packer/images"
+
+# Find all packer image directories and create VARS files
+for image_dir in "$PACKER_DIR"/*; do
+    if [ -d "$image_dir" ]; then
+        image_name=$(basename "$image_dir")
+        echo "Checking UEFI VARS files for $image_name..."
+
+        # Create x86_64 VARS file if it doesn't exist
+        if [ ! -f "$image_dir/x86_64_VARS.fd" ]; then
+            for src in /usr/share/edk2/ovmf/OVMF_VARS.fd /usr/share/OVMF/OVMF_VARS.fd; do
+                if [ -f "$src" ]; then
+                    cp "$src" "$image_dir/x86_64_VARS.fd"
+                    echo "Created $image_dir/x86_64_VARS.fd from $src"
+                    break
+                fi
+            done
+        fi
+
+        # Create aarch64 VARS file if it doesn't exist
+        if [ ! -f "$image_dir/aarch64_VARS.fd" ]; then
+            for src in /usr/share/AAVMF/AAVMF_VARS.fd /usr/share/edk2/aarch64/AAVMF_VARS.fd /usr/share/edk2/aarch64/QEMU_VARS.fd; do
+                if [ -f "$src" ]; then
+                    cp "$src" "$image_dir/aarch64_VARS.fd"
+                    echo "Created $image_dir/aarch64_VARS.fd from $src"
+                    break
+                fi
+            done
+        fi
+    fi
+done
+
+echo "Packer and QEMU setup complete!"

package/scripts/packer-setup.sh

@@ -0,0 +1,289 @@
+#!/usr/bin/env bash
+# packer-setup.sh
+# RHEL/CentOS/Rocky helper to prepare a host for building both amd64 and aarch64 Packer images.
+# Installs packer (repo fallback), libvirt/qemu tooling, NBD/filesystem tools, UEFI firmware for x86_64 and aarch64,
+# registers qemu-user binfmt for cross-chroot use and compiles qemu-system-aarch64 when repo packages are missing.
+# Usage: sudo ./packer-setup.sh
+
+set -euo pipefail
+
+print(){ printf "[setup] %s\n" "$*"; }
+err(){ printf "[setup] ERROR: %s\n" "$*" >&2; }
+
+if [[ $(id -u) -ne 0 ]]; then
+  err "This script requires root. Run with sudo."; exit 3
+fi
+
+# Detect host arch
+HOST_RAW_ARCH=$(uname -m)
+case "$HOST_RAW_ARCH" in
+  x86_64) HOST_ARCH=amd64;;
+  aarch64) HOST_ARCH=arm64;;
+  *) HOST_ARCH="$HOST_RAW_ARCH";;
+esac
+print "Host architecture: $HOST_RAW_ARCH -> normalized: $HOST_ARCH"
+
+# Ensure RHEL-family
+if [[ -f /etc/os-release ]]; then
+  . /etc/os-release
+  ID_LC=${ID,,}
+  ID_LIKE=${ID_LIKE,,}
+else
+  ID_LC=unknown; ID_LIKE=unknown
+fi
+if [[ $ID_LC != "rocky" && $ID_LC != "rhel" && $ID_LC != "centos" && $ID_LIKE != *"rhel"* ]]; then
+  err "This script targets RHEL/CentOS/Rocky family. Detected: $ID_LC (like: $ID_LIKE). Exiting."; exit 4
+fi
+print "Distro detected: $PRETTY_NAME"
+
+# Enable helpful repos and install helpers
+print "Installing dnf-plugins-core and enabling CRB/PowerTools (if available)"
+set +e
+dnf install -y dnf-plugins-core >/dev/null 2>&1 || true
+dnf config-manager --set-enabled crb >/dev/null 2>&1 || true
+dnf config-manager --set-enabled powertools >/dev/null 2>&1 || true
+# EPEL
+if ! rpm -q epel-release >/dev/null 2>&1; then
+  print "Installing epel-release"
+  dnf install -y epel-release || true
+fi
+set -e
+
+# 1) Try to install packer from distro repos, otherwise add HashiCorp repo and install
+print "Attempting to install packer from distro repos"
+if dnf install -y packer >/dev/null 2>&1; then
+  print "Packer installed from distro repo"
+else
+  print "packer not available in distro repos or install failed. Adding HashiCorp repo and retrying."
+  # HashiCorp RPM repo for RHEL/CentOS/Rocky family (works for EL8/EL9)
+  if ! rpm -q hashicorp >/dev/null 2>&1; then
+    cat >/etc/yum.repos.d/hashicorp.repo <<'EOF'
+[hashicorp]
+name=HashiCorp Stable - $basearch
+baseurl=https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.releases.hashicorp.com/gpg
+EOF
+  fi
+  if dnf makecache >/dev/null 2>&1 && dnf install -y packer >/dev/null 2>&1; then
+    print "Packer installed from HashiCorp repo"
+  else
+    err "Packer install from repo failed. You can install packer manually from HashiCorp releases if needed.";
+  fi
+fi
+
+# 2) Install libvirt, qemu tooling and enable libvirtd
+print "Installing libvirt, qemu and related tooling (best-effort)"
+LIBVIRT_PKGS=(libvirt libvirt-daemon qemu-kvm qemu-img virt-install bridge-utils)
+# attempt to include qemu-system-aarch64 and qemu-system-x86_64 if available
+LIBVIRT_PKGS+=(qemu-system-aarch64 qemu-system-x86_64 qemu-system-arm)
+
+# Some packages may not exist exactly with those names; install best-effort
+for pkg in "${LIBVIRT_PKGS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "Package $pkg not available via dnf (skipping)"
+done
+
+print "Enabling and starting libvirtd"
+systemctl enable --now libvirtd || err "Failed to enable/start libvirtd"
+systemctl status libvirtd --no-pager || true
+
+# 3) Install NBD and filesystem tools required for MAAS image creation
+print "Installing NBD and filesystem tooling: libnbd, nbdkit, e2fsprogs, kmod packages (best-effort)"
+NBDS=(libnbd nbdkit e2fsprogs kmod-kvdo kmod)
+for pkg in "${NBDS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "Package $pkg not available via dnf (skipping)"
+done
+
+# 4) Install UEFI firmware for x86_64 and ARM64
+print "Installing edk2 / OVMF UEFI firmware packages (x86_64 and aarch64)"
+UEFI_PKGS=(edk2-ovmf edk2-aarch64 edk2-ovmf-aarch64)
+for pkg in "${UEFI_PKGS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "UEFI package $pkg not available (skipping)"
+done
+
+# 5) Ensure qemu-user-static for chroot/debootstrap cross-execution and register binfmt via podman
+print "Installing qemu-user-static and registering binfmt handlers via podman"
+if ! rpm -q qemu-user-static >/dev/null 2>&1; then
+  dnf install -y qemu-user-static >/dev/null 2>&1 || print "qemu-user-static not in repos (will extract from container)"
+fi
+
+if command -v podman >/dev/null 2>&1; then
+  # Register binfmt handlers
+  podman run --rm --privileged multiarch/qemu-user-static --reset -p yes || print "podman run for qemu-user-static failed (skip)"
+
+  # Extract static binaries to /usr/bin if not already present from RPM
+  if ! command -v qemu-aarch64-static >/dev/null 2>&1; then
+    print "Extracting qemu static binaries from multiarch/qemu-user-static container"
+    CONTAINER_ID=$(podman create multiarch/qemu-user-static:latest)
+
+    # Extract the binaries we need
+    for arch in aarch64 arm armeb; do
+      if podman cp "$CONTAINER_ID:/usr/bin/qemu-${arch}-static" "/usr/bin/qemu-${arch}-static" 2>/dev/null; then
+        chmod +x "/usr/bin/qemu-${arch}-static"
+        print "Installed qemu-${arch}-static to /usr/bin/"
+      fi
+    done
+
+    podman rm "$CONTAINER_ID" >/dev/null 2>&1 || true
+  fi
+else
+  print "podman not available. Install podman to register binfmt for container/chroot convenience."
+fi
+
+# 6) Check qemu-system-aarch64 availability and 'virt' machine support; offer compile if missing
+check_qemu_system_aarch64(){
+  # Explicitly check /usr/local/bin first (where compiled QEMU installs)
+  if [ -x /usr/local/bin/qemu-system-aarch64 ]; then
+    QBIN=/usr/local/bin/qemu-system-aarch64
+  elif command -v qemu-system-aarch64 >/dev/null 2>&1; then
+    QBIN=$(command -v qemu-system-aarch64)
+  else
+    return 1
+  fi
+
+  print "qemu-system-aarch64 found at $QBIN"
+  if ! $QBIN -machine help 2>/dev/null | grep -q '\bvirt\b'; then
+    err "qemu-system-aarch64 present but 'virt' not listed -> may be missing aarch64 softmmu"
+    return 2
+  fi
+
+  # Check for user networking (slirp) support.
+  # We specify -machine virt to avoid "No machine specified" errors on some QEMU versions.
+  if ! $QBIN -machine virt -netdev help 2>&1 | grep -q '\buser\b'; then
+    err "qemu-system-aarch64 present but 'user' network backend not listed -> missing libslirp support"
+    return 3
+  fi
+
+  print "qemu-system-aarch64 supports 'virt' and 'user' network -> good for full-system ARM emulation"
+  return 0
+}
+
+if check_qemu_system_aarch64; then
+  print "qemu-system-aarch64 is ready"
+else
+  rc=$?
+  if [[ $rc -eq 1 ]]; then
+    print "qemu-system-aarch64 not found in installed packages"
+  else
+    print "qemu-system-aarch64 present but incomplete"
+  fi
+
+  # Try install from repo explicitly
+  print "Attempting to install qemu-system-aarch64 via dnf (best-effort)"
+  if dnf install -y qemu-system-aarch64 >/dev/null 2>&1; then
+    print "Installed qemu-system-aarch64 from repo"
+  else
+    print "qemu-system-aarch64 not available in enabled repos."
+  fi
+
+  if check_qemu_system_aarch64; then
+    print "qemu-system-aarch64 now available after package install"
+  else
+    print "Compiling QEMU with aarch64-softmmu target. Installing build deps..."
+    dnf groupinstall -y 'Development Tools' || true
+    dnf install -y git libaio-devel libgcrypt-devel libfdt-devel glib2-devel zlib-devel pixman-devel libseccomp-devel libusb1-devel openssl-devel bison flex python3 python3-pip ninja-build || true
+
+    # Enforce libslirp-devel for user networking
+    if ! dnf install -y libslirp-devel; then
+        err "Failed to install libslirp-devel. User networking will not work."
+        exit 1
+    fi
+
+    # Install required Python packages for QEMU build
+    print "Installing Python dependencies for QEMU build"
+    python3 -m pip install --upgrade pip || true
+    python3 -m pip install tomli meson || true
+
+    TMPDIR=$(mktemp -d)
+    print "Cloning QEMU source to $TMPDIR/qemu"
+    # Use a stable release tag (v9.0.0) to ensure consistency
+    git clone --depth 1 --branch v9.0.0 https://gitlab.com/qemu-project/qemu.git "$TMPDIR/qemu"
+    cd "$TMPDIR/qemu"
+
+    print "Configuring QEMU build"
+    if ./configure --target-list=aarch64-softmmu --enable-virtfs --enable-slirp; then
+      print "Configure successful, building QEMU..."
+      if make -j"$(nproc)"; then
+        print "Build successful, installing..."
+        make install || err "QEMU install failed"
+        # Update PATH to include /usr/local/bin where QEMU was installed
+        export PATH="/usr/local/bin:$PATH"
+        hash -r || true
+      else
+        err "QEMU build (make) failed"
+      fi
+    else
+      err "QEMU configure failed. Check dependencies."
+    fi
+
+    if check_qemu_system_aarch64; then
+      print "Successfully compiled and installed qemu-system-aarch64"
+    else
+      err "Compiled QEMU but qemu-system-aarch64 still missing or lacks 'virt'. Check logs in $TMPDIR/qemu"
+    fi
+
+    cd /
+    rm -rf "$TMPDIR" || true
+    print "Removed build directory $TMPDIR"
+  fi
+fi
+
+# 7) Summary and verification commands for the user
+print "\n=== Summary / Quick verification commands ==="
+if command -v packer >/dev/null 2>&1; then print "packer: $(command -v packer)"; else print "packer: NOT INSTALLED"; fi
+# Check /usr/local/bin explicitly for compiled qemu
+if [ -x /usr/local/bin/qemu-system-aarch64 ]; then
+  print "qemu-system-aarch64: /usr/local/bin/qemu-system-aarch64"
+elif command -v qemu-system-aarch64 >/dev/null 2>&1; then
+  print "qemu-system-aarch64: $(command -v qemu-system-aarch64)"
+else
+  print "qemu-system-aarch64: NOT INSTALLED"
+fi
+if command -v qemu-aarch64-static >/dev/null 2>&1; then print "qemu-aarch64-static: $(command -v qemu-aarch64-static)"; else print "qemu-aarch64-static: NOT INSTALLED"; fi
+print "libvirtd status:"
+systemctl status libvirtd --no-pager || true
+
+cat <<'EOF'
+
+=== Example Packer qemu builder snippets ===
+
+# aarch64 on x86_64 host (use qemu-system-aarch64 with TCG):
+{
+  "type": "qemu",
+  "qemu_binary": "/usr/local/bin/qemu-system-aarch64",
+  "accelerator": "tcg",
+  "format": "raw",
+  "disk_size": "8192",
+  "headless": true,
+  "qemuargs": [
+    ["-machine", "virt,highmem=on"],
+    ["-cpu", "cortex-a57"],
+    ["-bios", "/usr/share/edk2-aarch64/QEMU_EFI.fd"],
+    ["-device", "virtio-net-device,netdev=net0"],
+    ["-netdev", "user,id=net0,hostfwd=tcp::2222-:22"]
+  ]
+}
+
+# x86_64 on arm64 host (use kvm when available):
+{
+  "type": "qemu",
+  "qemu_binary": "/usr/bin/qemu-system-x86_64",
+  "accelerator": "kvm",
+  "format": "raw",
+  "disk_size": "8192",
+  "headless": true,
+  "qemuargs": [
+    ["-machine", "pc,q35"],
+    ["-cpu", "host"],
+    ["-bios", "/usr/share/ovmf/OVMF_CODE.fd"],
+    ["-device", "virtio-net-pci,netdev=net0"],
+    ["-netdev", "user,id=net0,hostfwd=tcp::2223-:22"]
+  ]
+}
+
+EOF
+
+print "Done. If any package failed to install due to repo availability, consider enabling CRB/powertools, adding a trusted COPR or rebuild repo for qemu, or compiling QEMU locally as the script offered."
+
+exit 0