underpost 2.96.0 → 2.96.1

package/README.md

@@ -18,7 +18,7 @@
 
 <!-- badges -->
 
-[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.96.0)](https://socket.dev/npm/package/underpost/overview/2.96.0) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
+[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.96.1)](https://socket.dev/npm/package/underpost/overview/2.96.1) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
 
 <!-- end-badges -->
 
@@ -66,7 +66,7 @@ Run dev client server
 npm run dev
 ```
 <!-- -->
-## underpost ci/cd cli v2.96.0
+## underpost ci/cd cli v2.96.1
 
 ### Usage: `underpost [options] [command]`
   ```

package/baremetal/packer-workflows.json

@@ -9,5 +9,16 @@
       "filetype": "tgz",
       "content": "rocky9.tar.gz"
     }
+  },
+  "Rocky9Arm64": {
+    "dir": "packer/images/Rocky9Arm64",
+    "maas": {
+      "name": "custom/rocky9-arm64",
+      "title": "Rocky 9 Arm64 Custom",
+      "architecture": "arm64/generic",
+      "base_image": "rhel/9",
+      "filetype": "tgz",
+      "content": "rocky9.tar.gz"
+    }
   }
 }

package/cli.md

@@ -1,4 +1,4 @@
-## underpost ci/cd cli v2.96.0
+## underpost ci/cd cli v2.96.1
 
 ### Usage: `underpost [options] [command]`
   ```
@@ -909,6 +909,7 @@ Options:
   --packer-workflow-id <workflow-id>            Specifies the workflow ID for Packer MAAS image operations.
   --packer-maas-image-build                     Builds a MAAS image using Packer for the workflow specified by --packer-workflow-id.
   --packer-maas-image-upload                    Uploads an existing MAAS image artifact without rebuilding for the workflow specified by --packer-workflow-id.
+  --packer-maas-image-cached                    Continue last build without removing artifacts (used with --packer-maas-image-build).
   --commission                                  Init workflow for commissioning a physical machine.
   --nfs-build                                   Builds an NFS root filesystem for a workflow id config architecture using QEMU emulation.
   --nfs-mount                                   Mounts the NFS root filesystem for a workflow id config architecture.

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: localhost/rockylinux9-underpost:v2.96.0
+          image: localhost/rockylinux9-underpost:v2.96.1
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -100,7 +100,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: localhost/rockylinux9-underpost:v2.96.0
+          image: localhost/rockylinux9-underpost:v2.96.1
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: localhost/rockylinux9-underpost:v2.96.0
+          image: localhost/rockylinux9-underpost:v2.96.1
 
           command:
             - /bin/sh
@@ -103,7 +103,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: localhost/rockylinux9-underpost:v2.96.0
+          image: localhost/rockylinux9-underpost:v2.96.1
 
           command:
             - /bin/sh

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "2.96.0",
+    "version": "2.96.1",
     "description": "pwa api rest template",
     "scripts": {
         "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",

package/packer/images/Rocky9Amd64/rocky9.pkr.hcl

@@ -107,8 +107,12 @@ source "qemu" "rocky9" {
   disk_size        = "45G"
   format           = "qcow2"
   headless         = var.headless
-  iso_checksum     = "file:http://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/CHECKSUM"
-  iso_url          = "http://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  iso_checksum     = "file:https://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/CHECKSUM"
+  iso_urls         = [
+    "https://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso",
+    "https://dl.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso",
+    "https://mirrors.edge.kernel.org/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  ]
   iso_target_path  = "packer_cache/Rocky-9-latest-${local.iso_arch}-boot.iso"
   memory           = 2048
   cores            = 4

package/packer/images/Rocky9Arm64/Makefile

@@ -0,0 +1,69 @@
+#!/usr/bin/make -f
+
+include ../../scripts/check.mk
+
+PACKER ?= packer
+PACKER_LOG ?= 0
+TIMEOUT ?= 1h
+ARCH ?= arm64
+
+# Detect if running on ARM host
+ifeq ($(shell uname -m),aarch64)
+    HOST_IS_ARM = true
+else
+    HOST_IS_ARM = false
+endif
+
+ifeq ($(wildcard /usr/share/OVMF/OVMF_CODE.fd),)
+	OVMF_SFX ?= _4M
+else
+	OVMF_SFX ?=
+endif
+
+export PACKER_LOG
+
+# Fallback
+ifeq ($(strip $(ARCH)),amd64)
+	ARCH = x86_64
+endif
+ifeq ($(strip $(ARCH)),arm64)
+	ARCH = aarch64
+endif
+
+.PHONY: all clean
+
+all: rocky9.tar.gz
+
+$(eval $(call check_packages_deps))
+
+lint:
+	packer validate .
+	packer fmt -check -diff .
+
+format:
+	packer fmt .
+
+OVMF_VARS.fd:
+ifeq ($(strip $(ARCH)),aarch64)
+	cp -v /usr/share/AAVMF/AAVMF_VARS.fd ${ARCH}_VARS.fd
+else
+	cp -v /usr/share/OVMF/OVMF_VARS${OVMF_SFX}.fd ${ARCH}_VARS.fd
+endif
+
+SIZE_VARS.fd:
+ifeq ($(strip $(ARCH)),aarch64)
+	truncate -s 64m ${ARCH}_VARS.fd
+else
+	truncate -s 2m ${ARCH}_VARS.fd
+endif
+
+rocky9.tar.gz: check-deps clean OVMF_VARS.fd SIZE_VARS.fd
+	${PACKER} init rocky9.pkr.hcl && ${PACKER} build \
+		-var architecture=${ARCH} \
+		-var host_is_arm=${HOST_IS_ARM} \
+		-var timeout=${TIMEOUT} \
+		-var ovmf_suffix=${OVMF_SFX} \
+		rocky9.pkr.hcl
+
+clean:
+	${RM} -rf *.fd output-rocky9 rocky9.tar.gz

package/packer/images/Rocky9Arm64/README.md

@@ -0,0 +1,122 @@
+# Rocky 9 Packer template for MAAS
+
+## Introduction
+
+The Packer template in this directory creates a Rocky 9 AMD64/ARM64 image for use with MAAS.
+
+## Prerequisites to create the image
+
+* A machine running Ubuntu 22.04+ with the ability to run KVM virtual machines.
+* qemu-utils, libnbd-bin, nbdkit and fuse2fs
+* qemu-system
+* qemu-system-modules-spice (If building on Ubuntu 24.04 LTS "Noble")
+* ovmf
+* cloud-image-utils
+* parted
+* [Packer.](https://www.packer.io/intro/getting-started/install.html), v1.11.0 or newer
+
+## Requirements to deploy the image
+
+* [MAAS](https://maas.io) 3.3 or later, as that version introduces support for Rocky
+* [Curtin](https://launchpad.net/curtin) 22.1. If you have a MAAS with an earlier Curtin version, you can [patch](https://code.launchpad.net/~xnox/curtin/+git/curtin/+merge/415604) distro.py to deploy Rocky.
+
+## Customizing the image
+
+You can customize the deployment image by modifying http/rocky.ks. See the [RHEL kickstart documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#part-or-partition_kickstart-commands-for-handling-storage) for more information.
+
+## Building the image using a proxy
+
+The Packer template downloads the Rocky ISO image from the Internet. You can tell Packer to use a proxy by setting the HTTP_PROXY environment variable to point to your proxy server. You can also redefine rocky_iso_url to a local file. If you want to skip the base image integrity check, set iso_checksum_type to none and remove iso_checksum.
+
+To use a proxy during the installation define the `KS_PROXY` variable in the environment, as bellow:
+
+```shell
+export KS_PROXY="\"${HTTP_PROXY}\""
+```
+
+# Building the image using a kickstart mirror
+
+To tell Packer to use a specific mirror set the `KS_MIRROR` environment variable
+poiniting to the mirror URL.
+
+```shell
+export KS_MIRROR="https://dl.rockylinux.org/pub/rocky/9"
+```
+
+## Building an image
+
+You can build the image using the Makefile:
+
+```shell
+make
+```
+
+You can also manually run packer. Set your current working directory to packer-maas/rocky9, where this file resides, and generate an image with:
+
+```shell
+packer init
+PACKER_LOG=1 packer build .
+```
+
+The installation runs in a non-interactive mode.
+
+Note: rocky9.pkr.hcl runs Packer in headless mode, with the serial port output from qemu redirected to stdio to give feedback on image creation process. If you wish to see more, change the value of `headless` to `false` in rocky9.pkr.hcl, remove `[ "-serial", "stdio" ]` from `qemuargs` section and select `View`, then `serial0` in the qemu window that appears during build. This lets you watch progress of the image build script. Press `ctrl-b 2` to switch to shell to explore more, and `ctrl-b 1` to go back to log view.
+
+### Makefile Parameters
+
+#### ARCH
+
+Defaults to x86_64 to build AMD64 compatible images. In order to build ARM64 images, use ARCH=aarch64
+
+#### TIMEOUT
+
+The timeout to apply when building the image. The default value is set to 1h.
+
+## Uploading an image to MAAS
+
+```shell
+maas $PROFILE boot-resources create name='custom/rocky9' \
+    title='Rocky 9 Custom' architecture='amd64/generic' \
+    base_image='rhel/9' filetype='tgz' \
+    content@=rocky9.tar.gz
+```
+
+For ARM64, use:
+
+```shell
+maas $PROFILE boot-resources create name='custom/rocky9' \
+    title='Rocky 9 Custom' architecture='arm64/generic' \
+    base_image='rhel/9' filetype='tgz' \
+    content@=rocky9.tar.gz
+```
+
+Please note that, currently due to lack of support in curtin, deploying ARM64 images needs a preseed file. This is due to [LP# 2090874](https://bugs.launchpad.net/curtin/+bug/2090874) and currently is in the process of getting fixed.
+
+```
+#cloud-config
+debconf_selections:
+ maas: |
+  {{for line in str(curtin_preseed).splitlines()}}
+  {{line}}
+  {{endfor}}
+
+extract_commands:
+  grub_install: curtin in-target -- cp -v /boot/efi/EFI/rocky/shimaa64.efi /boot/efi/EFI/rocky/shimx64.efi
+
+late_commands:
+  maas: [wget, '--no-proxy', '{{node_disable_pxe_url}}', '--post-data', '{{node_disable_pxe_data}}', '-O', '/dev/null']
+  bootloader_01: ["curtin", "in-target", "--", "cp", "-v", "/boot/efi/EFI/rocky/shimaa64.efi", "/boot/efi/EFI/BOOT/bootaa64.efi"]
+  bootloader_02: ["curtin", "in-target", "--", "cp", "-v", "/boot/efi/EFI/rocky/grubaa64.efi", "/boot/efi/EFI/BOOT/"]
+```
+
+This file needs to be saved on Region Controllers under /var/snap/maas/current/preseeds/curtin_userdata_custom_arm64_generic_rocky9 or /etc/maas/preseeds/curtin_userdata_custom_arm64_generic_rocky9. The last portion of this file must match the image name uploaded in MAAS.
+
+## Default username
+
+MAAS uses cloud-init to create ```cloud-user``` account using the ssh keys configured for the MAAS admin user (e.g. imported from Launchpad). Log in to the machine:
+
+```shell
+ssh -i ~/.ssh/<your_identity_file> cloud-user@<machine-ip-address>
+```
+
+Next to that, the kickstart script creates an account with both username and password set to  ```rocky```. Note that the default sshd configuration in Rocky 9 disallows password-based authentication when logging in via ssh, so trying `ssh rocky@<machine-ip-address>` will fail. Password-based authentication can be enabled by having `PasswordAuthentication yes` in /etc/ssh/sshd_config after logging in with ```cloud-user```. Perhaps there is a way to make that change using kickstart script, but it is not obvious as ```anaconda```, the installer, makes its own changes to sshd_config file during installation. If you know how to do this, a PR is welcome.

package/packer/images/Rocky9Arm64/http/rocky9.ks.pkrtpl.hcl

@@ -0,0 +1,114 @@
+url ${KS_OS_REPOS} ${KS_PROXY}
+repo --name="AppStream" ${KS_APPSTREAM_REPOS} ${KS_PROXY}
+repo --name="Extras" ${KS_EXTRAS_REPOS} ${KS_PROXY}
+
+eula --agreed
+
+# Turn off after installation
+poweroff
+
+# Do not start the Inital Setup app
+firstboot --disable
+
+# System language, keyboard and timezone
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+# Set the first NIC to acquire IPv4 address via DHCP
+network --device eth0 --bootproto=dhcp
+# Enable firewal, let SSH through
+firewall --enabled --service=ssh
+# Enable SELinux with default enforcing policy
+selinux --enforcing
+
+# Do not set up XX Window System
+skipx
+
+# Initial disk setup
+# Use the first paravirtualized disk
+ignoredisk --only-use=vda
+# No need for bootloader
+bootloader --disabled
+# Wipe invalid partition tables
+zerombr
+# Erase all partitions and assign default labels
+clearpart --all --initlabel
+# Initialize the primary root partition with ext4 filesystem
+part / --size=1 --grow --asprimary --fstype=ext4
+
+# Set root password
+rootpw --plaintext password
+
+# Add a user named packer
+user --groups=wheel --name=rocky --password=rocky --plaintext --gecos="rocky"
+
+%post --erroronfail
+# workaround anaconda requirements and clear root password
+passwd -d root
+passwd -l root
+
+# Clean up install config not applicable to deployed environments.
+for f in resolv.conf fstab; do
+    rm -f /etc/$f
+    touch /etc/$f
+    chown root:root /etc/$f
+    chmod 644 /etc/$f
+done
+
+rm -f /etc/sysconfig/network-scripts/ifcfg-[^lo]*
+
+# Kickstart copies install boot options. Serial is turned on for logging with
+# Packer which disables console output. Disable it so console output is shown
+# during deployments
+sed -i 's/^GRUB_TERMINAL=.*/GRUB_TERMINAL_OUTPUT="console"/g' /etc/default/grub
+sed -i '/GRUB_SERIAL_COMMAND="serial"/d' /etc/default/grub
+sed -ri 's/(GRUB_CMDLINE_LINUX=".*)\s+console=ttyAMA0(.*")/\1\2/' /etc/default/grub
+sed -i 's/GRUB_ENABLE_BLSCFG=.*/GRUB_ENABLE_BLSCFG=false/g' /etc/default/grub
+
+dnf clean all
+
+# Passwordless sudo for the user 'rocky'
+echo "rocky ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/rocky
+chmod 440 /etc/sudoers.d/rocky
+
+#---- Optional - Install your SSH key ----
+# mkdir -m0700 /home/rocky/.ssh/
+#
+# cat <<EOF >/home/rocky/.ssh/authorized_keys
+# ssh-rsa <your_public_key_here> you@your.domain
+# EOF
+#
+### set permissions
+# chmod 0600 /home/rocky/.ssh/authorized_keys
+#
+#### fix up selinux context
+# restorecon -R /home/rocky/.ssh/
+
+%end
+
+%packages  --ignoremissing
+@core
+bash-completion
+cloud-init
+cloud-utils-growpart
+rsync
+tar
+patch
+yum-utils
+grub2-pc
+grub2-efi-*
+shim-*
+grub2-efi-*-modules
+efibootmgr
+dosfstools
+lvm2
+mdadm
+device-mapper-multipath
+iscsi-initiator-utils
+-plymouth
+# Remove ALSA firmware
+-a*-firmware
+# Remove Intel wireless firmware
+-i*-firmware
+%end

package/packer/images/Rocky9Arm64/rocky9.pkr.hcl

@@ -0,0 +1,171 @@
+packer {
+  required_version = ">= 1.11.0"
+  required_plugins {
+    qemu = {
+      version = ">= 1.1.0, < 1.1.2"
+      source  = "github.com/hashicorp/qemu"
+    }
+  }
+}
+
+variable "filename" {
+  type        = string
+  default     = "rocky9.tar.gz"
+  description = "The filename of the tarball to produce"
+}
+
+variable ks_proxy {
+  type    = string
+  default = "${env("KS_PROXY")}"
+}
+
+variable ks_mirror {
+  type    = string
+  default = "${env("KS_MIRROR")}"
+}
+
+variable "timeout" {
+  type        = string
+  default     = "1h"
+  description = "Timeout for building the image"
+}
+
+variable "architecture" {
+  type        = string
+  default     = "arm64"
+  description = "The architecture to build the image for (amd64 or arm64)"
+}
+
+variable "host_is_arm" {
+  type        = bool
+  default     = false
+  description = "The host architecture is aarch64"
+}
+
+variable "ovmf_suffix" {
+  type        = string
+  default     = ""
+  description = "Suffix for OVMF CODE and VARS files. Newer systems such as Noble use _4M."
+}
+
+variable "headless" {
+  type        = bool
+  default     = true
+  description = "Run packer in headless mode"
+}
+
+locals {
+  iso_arch_map = {
+    "amd64"   = "x86_64"
+    "x86_64"  = "x86_64"
+    "arm64"   = "aarch64"
+    "aarch64" = "aarch64"
+  }
+  iso_arch = lookup(local.iso_arch_map, var.architecture, "aarch64")
+
+  iso_checksum_map = {
+    "amd64"   = "sha256:3b5c87b2f9e62fdf0235d424d64c677906096965aad8a580e0e98fcb9f97f267"
+    "x86_64"  = "sha256:3b5c87b2f9e62fdf0235d424d64c677906096965aad8a580e0e98fcb9f97f267"
+    "arm64"   = "sha256:a9ba9ff1187300cecccfaea021eeac04b6408b1180071fb22ee73249f075485e"
+    "aarch64" = "sha256:a9ba9ff1187300cecccfaea021eeac04b6408b1180071fb22ee73249f075485e"
+  }
+
+  qemu_arch = {
+    "amd64"   = "x86_64"
+    "x86_64"  = "x86_64"
+    "arm64"   = "aarch64"
+    "aarch64" = "aarch64"
+  }
+  uefi_imp = {
+    "amd64"   = "OVMF"
+    "x86_64"  = "OVMF"
+    "arm64"   = "AAVMF"
+    "aarch64" = "AAVMF"
+  }
+  uefi_sfx = {
+    "amd64"   = "${var.ovmf_suffix}"
+    "x86_64"  = "${var.ovmf_suffix}"
+    "arm64"   = ""
+    "aarch64" = ""
+  }
+  qemu_machine = {
+    "amd64"   = "accel=kvm"
+    "x86_64"  = "accel=kvm"
+    "arm64"   = var.host_is_arm ? "virt,accel=kvm" : "virt"
+    "aarch64" = var.host_is_arm ? "virt,accel=kvm" : "virt"
+  }
+  qemu_cpu = {
+    "amd64"   = "host"
+    "x86_64"  = "host"
+    "arm64"   = var.host_is_arm ? "host" : "max"
+    "aarch64" = var.host_is_arm ? "host" : "max"
+  }
+
+  ks_proxy           = var.ks_proxy != "" ? "--proxy=${var.ks_proxy}" : ""
+  ks_os_repos        = var.ks_mirror != "" ? "--url=${var.ks_mirror}/BaseOS/${local.iso_arch}/os" : "--mirrorlist='http://mirrors.rockylinux.org/mirrorlist?arch=${local.iso_arch}&repo=BaseOS-9'"
+  ks_appstream_repos = var.ks_mirror != "" ? "--baseurl=${var.ks_mirror}/AppStream/${local.iso_arch}/os" : "--mirrorlist='https://mirrors.rockylinux.org/mirrorlist?release=9&arch=${local.iso_arch}&repo=AppStream-9'"
+  ks_extras_repos    = var.ks_mirror != "" ? "--baseurl=${var.ks_mirror}/extras/${local.iso_arch}/os" : "--mirrorlist='https://mirrors.rockylinux.org/mirrorlist?arch=${local.iso_arch}&repo=extras-9'"
+}
+
+source "qemu" "rocky9" {
+  boot_command     = ["<up><wait>", "e", "<down><down><down><left>", " console=ttyAMA0 inst.cmdline inst.text inst.ks=http://{{.HTTPIP}}:{{.HTTPPort}}/rocky9.ks <f10>"]
+  boot_wait        = "5s"
+  communicator     = "none"
+  disk_size        = "45G"
+  format           = "qcow2"
+  headless         = var.headless
+  iso_checksum     = lookup(local.iso_checksum_map, var.architecture, "file:https://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/CHECKSUM")
+  iso_urls         = [
+    "https://download.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso",
+    "https://dl.rockylinux.org/pub/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso",
+    "https://mirrors.edge.kernel.org/rocky/9/isos/${local.iso_arch}/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  ]
+  iso_target_path  = "packer_cache/Rocky-9-latest-${local.iso_arch}-boot.iso"
+  memory           = 2048
+  cores            = 4
+  qemu_binary      = "qemu-system-${lookup(local.qemu_arch, var.architecture, "")}"
+  qemuargs = [
+    ["-serial", "stdio"],
+    ["-boot", "strict=off"],
+    ["-device", "qemu-xhci"],
+    ["-device", "usb-kbd"],
+    ["-device", "virtio-net-pci,netdev=net0"],
+    ["-netdev", "user,id=net0"],
+    ["-device", "virtio-blk-pci,drive=drive0,bootindex=0"],
+    ["-device", "virtio-blk-pci,drive=cdrom0,bootindex=1"],
+    ["-machine", "${lookup(local.qemu_machine, var.architecture, "")}"],
+    ["-cpu", "${lookup(local.qemu_cpu, var.architecture, "")}"],
+    ["-device", "virtio-gpu-pci"],
+    ["-global", "driver=cfi.pflash01,property=secure,value=off"],
+    ["-drive", "if=pflash,format=raw,unit=0,id=ovmf_code,readonly=on,file=/usr/share/${lookup(local.uefi_imp, var.architecture, "")}/${lookup(local.uefi_imp, var.architecture, "")}_CODE${lookup(local.uefi_sfx, var.architecture, "")}.fd"],
+    ["-drive", "if=pflash,format=raw,unit=1,id=ovmf_vars,file=${local.iso_arch}_VARS.fd"],
+    ["-drive", "file=output-rocky9/packer-rocky9,if=none,id=drive0,cache=writeback,discard=ignore,format=qcow2"],
+    ["-drive", "file=packer_cache/Rocky-9-latest-${local.iso_arch}-boot.iso,if=none,id=cdrom0,media=cdrom"]
+  ]
+  shutdown_timeout = var.timeout
+  http_content = {
+    "/rocky9.ks" = templatefile("${path.root}/http/rocky9.ks.pkrtpl.hcl",
+      {
+        KS_PROXY           = local.ks_proxy,
+        KS_OS_REPOS        = local.ks_os_repos,
+        KS_APPSTREAM_REPOS = local.ks_appstream_repos,
+        KS_EXTRAS_REPOS    = local.ks_extras_repos
+      }
+    )
+  }
+}
+
+build {
+  sources = ["source.qemu.rocky9"]
+
+  post-processor "shell-local" {
+    inline = [
+      "SOURCE=${source.name}",
+      "OUTPUT=${var.filename}",
+      "source ../../scripts/fuse-nbd",
+      "source ../../scripts/fuse-tar-root",
+      "rm -rf output-${source.name}",
+    ]
+    inline_shebang = "/bin/bash -e"
+  }
+}

package/scripts/packer-init-vars-file.sh

@@ -14,15 +14,25 @@ for image_dir in "$PACKER_DIR"/*; do
         echo "Checking UEFI VARS files for $image_name..."
 
         # Create x86_64 VARS file if it doesn't exist
-        if [ -f /usr/share/edk2/ovmf/OVMF_VARS.fd ] && [ ! -f "$image_dir/x86_64_VARS.fd" ]; then
-            cp /usr/share/edk2/ovmf/OVMF_VARS.fd "$image_dir/x86_64_VARS.fd"
-            echo "Created $image_dir/x86_64_VARS.fd"
+        if [ ! -f "$image_dir/x86_64_VARS.fd" ]; then
+            for src in /usr/share/edk2/ovmf/OVMF_VARS.fd /usr/share/OVMF/OVMF_VARS.fd; do
+                if [ -f "$src" ]; then
+                    cp "$src" "$image_dir/x86_64_VARS.fd"
+                    echo "Created $image_dir/x86_64_VARS.fd from $src"
+                    break
+                fi
+            done
         fi
 
         # Create aarch64 VARS file if it doesn't exist
-        if [ -f /usr/share/edk2/aarch64/AAVMF_VARS.fd ] && [ ! -f "$image_dir/aarch64_VARS.fd" ]; then
-            cp /usr/share/edk2/aarch64/AAVMF_VARS.fd "$image_dir/aarch64_VARS.fd"
-            echo "Created $image_dir/aarch64_VARS.fd"
+        if [ ! -f "$image_dir/aarch64_VARS.fd" ]; then
+            for src in /usr/share/AAVMF/AAVMF_VARS.fd /usr/share/edk2/aarch64/AAVMF_VARS.fd /usr/share/edk2/aarch64/QEMU_VARS.fd; do
+                if [ -f "$src" ]; then
+                    cp "$src" "$image_dir/aarch64_VARS.fd"
+                    echo "Created $image_dir/aarch64_VARS.fd from $src"
+                    break
+                fi
+            done
         fi
     fi
 done

package/scripts/packer-setup.sh

@@ -1,52 +1,289 @@
 #!/usr/bin/env bash
-# Script to install Packer and libvirt/qemu tooling on Rocky Linux.
-# Usage: sudo ./scripts/packer-setup.sh
+# packer-setup.sh
+# RHEL/CentOS/Rocky helper to prepare a host for building both amd64 and aarch64 Packer images.
+# Installs packer (repo fallback), libvirt/qemu tooling, NBD/filesystem tools, UEFI firmware for x86_64 and aarch64,
+# registers qemu-user binfmt for cross-chroot use and compiles qemu-system-aarch64 when repo packages are missing.
+# Usage: sudo ./packer-setup.sh
 
 set -euo pipefail
 
+print(){ printf "[setup] %s\n" "$*"; }
+err(){ printf "[setup] ERROR: %s\n" "$*" >&2; }
 
-# 1) Replace/add the correct HashiCorp repo for RHEL/Rocky
-sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
+if [[ $(id -u) -ne 0 ]]; then
+  err "This script requires root. Run with sudo."; exit 3
+fi
+
+# Detect host arch
+HOST_RAW_ARCH=$(uname -m)
+case "$HOST_RAW_ARCH" in
+  x86_64) HOST_ARCH=amd64;;
+  aarch64) HOST_ARCH=arm64;;
+  *) HOST_ARCH="$HOST_RAW_ARCH";;
+esac
+print "Host architecture: $HOST_RAW_ARCH -> normalized: $HOST_ARCH"
+
+# Ensure RHEL-family
+if [[ -f /etc/os-release ]]; then
+  . /etc/os-release
+  ID_LC=${ID,,}
+  ID_LIKE=${ID_LIKE,,}
+else
+  ID_LC=unknown; ID_LIKE=unknown
+fi
+if [[ $ID_LC != "rocky" && $ID_LC != "rhel" && $ID_LC != "centos" && $ID_LIKE != *"rhel"* ]]; then
+  err "This script targets RHEL/CentOS/Rocky family. Detected: $ID_LC (like: $ID_LIKE). Exiting."; exit 4
+fi
+print "Distro detected: $PRETTY_NAME"
+
+# Enable helpful repos and install helpers
+print "Installing dnf-plugins-core and enabling CRB/PowerTools (if available)"
+set +e
+dnf install -y dnf-plugins-core >/dev/null 2>&1 || true
+dnf config-manager --set-enabled crb >/dev/null 2>&1 || true
+dnf config-manager --set-enabled powertools >/dev/null 2>&1 || true
+# EPEL
+if ! rpm -q epel-release >/dev/null 2>&1; then
+  print "Installing epel-release"
+  dnf install -y epel-release || true
+fi
+set -e
+
+# 1) Try to install packer from distro repos, otherwise add HashiCorp repo and install
+print "Attempting to install packer from distro repos"
+if dnf install -y packer >/dev/null 2>&1; then
+  print "Packer installed from distro repo"
+else
+  print "packer not available in distro repos or install failed. Adding HashiCorp repo and retrying."
+  # HashiCorp RPM repo for RHEL/CentOS/Rocky family (works for EL8/EL9)
+  if ! rpm -q hashicorp >/dev/null 2>&1; then
+    cat >/etc/yum.repos.d/hashicorp.repo <<'EOF'
+[hashicorp]
+name=HashiCorp Stable - $basearch
+baseurl=https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.releases.hashicorp.com/gpg
+EOF
+  fi
+  if dnf makecache >/dev/null 2>&1 && dnf install -y packer >/dev/null 2>&1; then
+    print "Packer installed from HashiCorp repo"
+  else
+    err "Packer install from repo failed. You can install packer manually from HashiCorp releases if needed.";
+  fi
+fi
 
-# Refresh dnf metadata
-sudo dnf clean all
-sudo dnf makecache --refresh
+# 2) Install libvirt, qemu tooling and enable libvirtd
+print "Installing libvirt, qemu and related tooling (best-effort)"
+LIBVIRT_PKGS=(libvirt libvirt-daemon qemu-kvm qemu-img virt-install bridge-utils)
+# attempt to include qemu-system-aarch64 and qemu-system-x86_64 if available
+LIBVIRT_PKGS+=(qemu-system-aarch64 qemu-system-x86_64 qemu-system-arm)
 
-# 2) Try to install packer from the repo
-sudo dnf install -y packer || echo "packer install from repo failed, try manual install (see below)"
+# Some packages may not exist exactly with those names; install best-effort
+for pkg in "${LIBVIRT_PKGS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "Package $pkg not available via dnf (skipping)"
+done
 
-# 3) Install libvirt/qemu tooling then start the service
-sudo dnf install -y libvirt libvirt-daemon qemu-kvm qemu-img virt-install bridge-utils
-sudo systemctl enable --now libvirtd
-sudo systemctl status libvirtd --no-pager
+print "Enabling and starting libvirtd"
+systemctl enable --now libvirtd || err "Failed to enable/start libvirtd"
+systemctl status libvirtd --no-pager || true
 
-# 3a) Install NBD and filesystem tools required for MAAS image creation
-sudo dnf install -y libnbd nbdkit e2fsprogs kmod-kvdo kmod
+# 3) Install NBD and filesystem tools required for MAAS image creation
+print "Installing NBD and filesystem tooling: libnbd, nbdkit, e2fsprogs, kmod packages (best-effort)"
+NBDS=(libnbd nbdkit e2fsprogs kmod-kvdo kmod)
+for pkg in "${NBDS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "Package $pkg not available via dnf (skipping)"
+done
 
 # 4) Install UEFI firmware for x86_64 and ARM64
-sudo dnf install -y edk2-ovmf edk2-aarch64
+print "Installing edk2 / OVMF UEFI firmware packages (x86_64 and aarch64)"
+UEFI_PKGS=(edk2-ovmf edk2-aarch64 edk2-ovmf-aarch64)
+for pkg in "${UEFI_PKGS[@]}"; do
+  dnf install -y "$pkg" >/dev/null 2>&1 || print "UEFI package $pkg not available (skipping)"
+done
 
-# 5) Create symlinks for qemu-system-* binaries (Rocky/RHEL uses qemu-kvm instead)
-# Packer expects standard qemu-system-* names, but RHEL-based distros use qemu-kvm
-if [ -f /usr/libexec/qemu-kvm ] && [ ! -f /usr/bin/qemu-system-x86_64 ]; then
-    echo "Creating symlink: /usr/bin/qemu-system-x86_64 -> /usr/libexec/qemu-kvm"
-    sudo ln -sf /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64
+# 5) Ensure qemu-user-static for chroot/debootstrap cross-execution and register binfmt via podman
+print "Installing qemu-user-static and registering binfmt handlers via podman"
+if ! rpm -q qemu-user-static >/dev/null 2>&1; then
+  dnf install -y qemu-user-static >/dev/null 2>&1 || print "qemu-user-static not in repos (will extract from container)"
 fi
 
-if [ -f /usr/libexec/qemu-kvm ] && [ ! -f /usr/bin/qemu-system-aarch64 ]; then
-    echo "Creating symlink: /usr/bin/qemu-system-aarch64 -> /usr/libexec/qemu-kvm"
-    sudo ln -sf /usr/libexec/qemu-kvm /usr/bin/qemu-system-aarch64
+if command -v podman >/dev/null 2>&1; then
+  # Register binfmt handlers
+  podman run --rm --privileged multiarch/qemu-user-static --reset -p yes || print "podman run for qemu-user-static failed (skip)"
+
+  # Extract static binaries to /usr/bin if not already present from RPM
+  if ! command -v qemu-aarch64-static >/dev/null 2>&1; then
+    print "Extracting qemu static binaries from multiarch/qemu-user-static container"
+    CONTAINER_ID=$(podman create multiarch/qemu-user-static:latest)
+
+    # Extract the binaries we need
+    for arch in aarch64 arm armeb; do
+      if podman cp "$CONTAINER_ID:/usr/bin/qemu-${arch}-static" "/usr/bin/qemu-${arch}-static" 2>/dev/null; then
+        chmod +x "/usr/bin/qemu-${arch}-static"
+        print "Installed qemu-${arch}-static to /usr/bin/"
+      fi
+    done
+
+    podman rm "$CONTAINER_ID" >/dev/null 2>&1 || true
+  fi
+else
+  print "podman not available. Install podman to register binfmt for container/chroot convenience."
 fi
 
-# 6) Create symlinks for OVMF/AAVMF firmware files in expected locations
-# Rocky/RHEL stores OVMF in /usr/share/edk2/ovmf, but Packer expects /usr/share/OVMF
-if [ -f /usr/share/edk2/ovmf/OVMF_CODE.fd ] && [ ! -f /usr/share/OVMF/OVMF_CODE.fd ]; then
-    echo "Creating symlink: /usr/share/OVMF/OVMF_CODE.fd -> /usr/share/edk2/ovmf/OVMF_CODE.fd"
-    sudo ln -sf /usr/share/edk2/ovmf/OVMF_CODE.fd /usr/share/OVMF/OVMF_CODE.fd
+# 6) Check qemu-system-aarch64 availability and 'virt' machine support; offer compile if missing
+check_qemu_system_aarch64(){
+  # Explicitly check /usr/local/bin first (where compiled QEMU installs)
+  if [ -x /usr/local/bin/qemu-system-aarch64 ]; then
+    QBIN=/usr/local/bin/qemu-system-aarch64
+  elif command -v qemu-system-aarch64 >/dev/null 2>&1; then
+    QBIN=$(command -v qemu-system-aarch64)
+  else
+    return 1
+  fi
+
+  print "qemu-system-aarch64 found at $QBIN"
+  if ! $QBIN -machine help 2>/dev/null | grep -q '\bvirt\b'; then
+    err "qemu-system-aarch64 present but 'virt' not listed -> may be missing aarch64 softmmu"
+    return 2
+  fi
+
+  # Check for user networking (slirp) support.
+  # We specify -machine virt to avoid "No machine specified" errors on some QEMU versions.
+  if ! $QBIN -machine virt -netdev help 2>&1 | grep -q '\buser\b'; then
+    err "qemu-system-aarch64 present but 'user' network backend not listed -> missing libslirp support"
+    return 3
+  fi
+
+  print "qemu-system-aarch64 supports 'virt' and 'user' network -> good for full-system ARM emulation"
+  return 0
+}
+
+if check_qemu_system_aarch64; then
+  print "qemu-system-aarch64 is ready"
+else
+  rc=$?
+  if [[ $rc -eq 1 ]]; then
+    print "qemu-system-aarch64 not found in installed packages"
+  else
+    print "qemu-system-aarch64 present but incomplete"
+  fi
+
+  # Try install from repo explicitly
+  print "Attempting to install qemu-system-aarch64 via dnf (best-effort)"
+  if dnf install -y qemu-system-aarch64 >/dev/null 2>&1; then
+    print "Installed qemu-system-aarch64 from repo"
+  else
+    print "qemu-system-aarch64 not available in enabled repos."
+  fi
+
+  if check_qemu_system_aarch64; then
+    print "qemu-system-aarch64 now available after package install"
+  else
+    print "Compiling QEMU with aarch64-softmmu target. Installing build deps..."
+    dnf groupinstall -y 'Development Tools' || true
+    dnf install -y git libaio-devel libgcrypt-devel libfdt-devel glib2-devel zlib-devel pixman-devel libseccomp-devel libusb1-devel openssl-devel bison flex python3 python3-pip ninja-build || true
+
+    # Enforce libslirp-devel for user networking
+    if ! dnf install -y libslirp-devel; then
+        err "Failed to install libslirp-devel. User networking will not work."
+        exit 1
+    fi
+
+    # Install required Python packages for QEMU build
+    print "Installing Python dependencies for QEMU build"
+    python3 -m pip install --upgrade pip || true
+    python3 -m pip install tomli meson || true
+
+    TMPDIR=$(mktemp -d)
+    print "Cloning QEMU source to $TMPDIR/qemu"
+    # Use a stable release tag (v9.0.0) to ensure consistency
+    git clone --depth 1 --branch v9.0.0 https://gitlab.com/qemu-project/qemu.git "$TMPDIR/qemu"
+    cd "$TMPDIR/qemu"
+
+    print "Configuring QEMU build"
+    if ./configure --target-list=aarch64-softmmu --enable-virtfs --enable-slirp; then
+      print "Configure successful, building QEMU..."
+      if make -j"$(nproc)"; then
+        print "Build successful, installing..."
+        make install || err "QEMU install failed"
+        # Update PATH to include /usr/local/bin where QEMU was installed
+        export PATH="/usr/local/bin:$PATH"
+        hash -r || true
+      else
+        err "QEMU build (make) failed"
+      fi
+    else
+      err "QEMU configure failed. Check dependencies."
+    fi
+
+    if check_qemu_system_aarch64; then
+      print "Successfully compiled and installed qemu-system-aarch64"
+    else
+      err "Compiled QEMU but qemu-system-aarch64 still missing or lacks 'virt'. Check logs in $TMPDIR/qemu"
+    fi
+
+    cd /
+    rm -rf "$TMPDIR" || true
+    print "Removed build directory $TMPDIR"
+  fi
 fi
 
-# Create AAVMF symlinks for ARM64 support
-if [ -d /usr/share/edk2/aarch64 ] && [ ! -d /usr/share/AAVMF ]; then
-    echo "Creating symlink: /usr/share/AAVMF -> /usr/share/edk2/aarch64"
-    sudo ln -sf /usr/share/edk2/aarch64 /usr/share/AAVMF
+# 7) Summary and verification commands for the user
+print "\n=== Summary / Quick verification commands ==="
+if command -v packer >/dev/null 2>&1; then print "packer: $(command -v packer)"; else print "packer: NOT INSTALLED"; fi
+# Check /usr/local/bin explicitly for compiled qemu
+if [ -x /usr/local/bin/qemu-system-aarch64 ]; then
+  print "qemu-system-aarch64: /usr/local/bin/qemu-system-aarch64"
+elif command -v qemu-system-aarch64 >/dev/null 2>&1; then
+  print "qemu-system-aarch64: $(command -v qemu-system-aarch64)"
+else
+  print "qemu-system-aarch64: NOT INSTALLED"
 fi
+if command -v qemu-aarch64-static >/dev/null 2>&1; then print "qemu-aarch64-static: $(command -v qemu-aarch64-static)"; else print "qemu-aarch64-static: NOT INSTALLED"; fi
+print "libvirtd status:"
+systemctl status libvirtd --no-pager || true
+
+cat <<'EOF'
+
+=== Example Packer qemu builder snippets ===
+
+# aarch64 on x86_64 host (use qemu-system-aarch64 with TCG):
+{
+  "type": "qemu",
+  "qemu_binary": "/usr/local/bin/qemu-system-aarch64",
+  "accelerator": "tcg",
+  "format": "raw",
+  "disk_size": "8192",
+  "headless": true,
+  "qemuargs": [
+    ["-machine", "virt,highmem=on"],
+    ["-cpu", "cortex-a57"],
+    ["-bios", "/usr/share/edk2-aarch64/QEMU_EFI.fd"],
+    ["-device", "virtio-net-device,netdev=net0"],
+    ["-netdev", "user,id=net0,hostfwd=tcp::2222-:22"]
+  ]
+}
+
+# x86_64 on arm64 host (use kvm when available):
+{
+  "type": "qemu",
+  "qemu_binary": "/usr/bin/qemu-system-x86_64",
+  "accelerator": "kvm",
+  "format": "raw",
+  "disk_size": "8192",
+  "headless": true,
+  "qemuargs": [
+    ["-machine", "pc,q35"],
+    ["-cpu", "host"],
+    ["-bios", "/usr/share/ovmf/OVMF_CODE.fd"],
+    ["-device", "virtio-net-pci,netdev=net0"],
+    ["-netdev", "user,id=net0,hostfwd=tcp::2223-:22"]
+  ]
+}
+
+EOF
+
+print "Done. If any package failed to install due to repo availability, consider enabling CRB/powertools, adding a trusted COPR or rebuild repo for qemu, or compiling QEMU locally as the script offered."
+
+exit 0

package/src/cli/baremetal.js

@@ -87,6 +87,7 @@ class UnderpostBaremetal {
         packerWorkflowId: '',
         packerMaasImageBuild: false,
         packerMaasImageUpload: false,
+        packerMaasImageCached: false,
         cloudInitUpdate: false,
         commission: false,
         nfsBuild: false,
@@ -141,8 +142,9 @@ class UnderpostBaremetal {
       }
 
       if (options.packerMaasImageTemplate) {
+        workflowId = options.packerWorkflowId;
         if (!workflowId) {
-          throw new Error('workflow-id is required when using --packer-maas-image-template');
+          throw new Error('--packer-workflow-id is required when using --packer-maas-image-template');
         }
 
         const templatePath = options.packerMaasImageTemplate;
@@ -187,7 +189,7 @@ class UnderpostBaremetal {
           logger.info(`1. Review and customize the Packer template files in: ${targetDir}`);
           logger.info(`2. Review the workflow configuration in engine/baremetal/packer-workflows.json`);
           logger.info(
-            `3. Build the image with: underpost baremetal ${workflowId} --packer-maas-image-build ${workflowId}`,
+            `3. Build the image with: underpost baremetal --packer-workflow-id ${workflowId} --packer-maas-image-build`,
           );
         } catch (error) {
           throw new Error(`Failed to extract template: ${error.message}`);
@@ -217,10 +219,26 @@ class UnderpostBaremetal {
             throw new Error('Packer is not installed. Please install Packer to proceed.');
           }
 
+          // Check for QEMU support if building for a different architecture (validator bots case)
+          UnderpostBaremetal.API.checkQemuCrossArchSupport(workflow);
+
           logger.info(`Building Packer image for ${workflowId} in ${packerDir}...`);
-          const artifacts = ['output-rocky9', 'packer_cache', 'x86_64_VARS.fd', 'rocky9.tar.gz'];
-          shellExec(`cd packer/images/${workflowId}
+
+          // Only remove artifacts if not using cached mode
+          if (!options.packerMaasImageCached) {
+            const artifacts = [
+              'output-rocky9',
+              'packer_cache',
+              'x86_64_VARS.fd',
+              'aarch64_VARS.fd',
+              workflow.maas.content,
+            ];
+            shellExec(`cd packer/images/${workflowId}
 rm -rf ${artifacts.join(' ')}`);
+            logger.info('Removed previous build artifacts');
+          } else {
+            logger.info('Cached mode: Keeping existing artifacts for incremental build');
+          }
           shellExec(`chmod +x ${underpostRoot}/scripts/packer-init-vars-file.sh`);
           shellExec(`${underpostRoot}/scripts/packer-init-vars-file.sh`);
 
@@ -229,10 +247,17 @@ rm -rf ${artifacts.join(' ')}`);
             throw new Error('Packer init failed');
           }
 
-          const build = spawnSync('packer', ['build', '.'], {
+          const isArm = process.arch === 'arm64';
+          // Add /usr/local/bin to PATH so Packer can find compiled QEMU binaries
+          const packerEnv = {
+            ...process.env,
+            PACKER_LOG: '1',
+            PATH: `/usr/local/bin:${process.env.PATH || '/usr/bin:/bin'}`,
+          };
+          const build = spawnSync('packer', ['build', '-var', `host_is_arm=${isArm}`, '.'], {
             stdio: 'inherit',
             cwd: packerDir,
-            env: { ...process.env, PACKER_LOG: '1' },
+            env: packerEnv,
           });
 
           if (build.status !== 0) {
@@ -244,7 +269,7 @@ rm -rf ${artifacts.join(' ')}`);
           if (!fs.existsSync(tarballPath)) {
             throw new Error(
               `Build artifact not found: ${tarballPath}\n` +
-                `Please build first with: --packer-maas-image-build ${workflowId}`,
+                `Please build first with: --packer-workflow-id ${workflowId} --packer-maas-image-build`,
             );
           }
           const stats = fs.statSync(tarballPath);
@@ -1388,6 +1413,80 @@ udp-port = 32766
       logger.info('NFS server restarted.');
     },
 
+    /**
+     * @method checkQemuCrossArchSupport
+     * @description Checks for QEMU support when building for a different architecture.
+     * This is essential for validator bots that need to build images for architectures
+     * different from the host system (e.g., building arm64 on x86_64 or vice versa).
+     * @param {object} workflow - The workflow configuration object.
+     * @param {object} workflow.maas - The MAAS configuration.
+     * @param {string} workflow.maas.architecture - Target architecture (e.g., 'arm64/generic', 'amd64/generic').
+     * @memberof UnderpostBaremetal
+     * @throws {Error} If QEMU is not installed or doesn't support required machine types.
+     * @returns {void}
+     */
+    checkQemuCrossArchSupport(workflow) {
+      // Check for QEMU support if building for a different architecture (validator bots case)
+      if (workflow.maas.architecture.startsWith('arm64') && process.arch !== 'arm64') {
+        // Building arm64/aarch64 on x86_64 host
+        // Check both /usr/local/bin (compiled) and system paths
+        let qemuAarch64Path = null;
+
+        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64', { silent: true }).code === 0) {
+          qemuAarch64Path = '/usr/local/bin/qemu-system-aarch64';
+        } else if (shellExec('which qemu-system-aarch64', { silent: true }).code === 0) {
+          qemuAarch64Path = shellExec('which qemu-system-aarch64', { silent: true }).stdout.trim();
+        }
+
+        if (!qemuAarch64Path) {
+          throw new Error(
+            'qemu-system-aarch64 is not installed. Please install it to build ARM64 images on x86_64 hosts.\n' +
+              'Run: node bin baremetal --dev --install-packer',
+          );
+        }
+
+        logger.info(`Found qemu-system-aarch64 at: ${qemuAarch64Path}`);
+
+        // Verify that the installed qemu supports the 'virt' machine type (required for arm64)
+        const machineHelp = shellExec(`${qemuAarch64Path} -machine help`, { silent: true }).stdout;
+        if (!machineHelp.includes('virt')) {
+          throw new Error(
+            'The installed qemu-system-aarch64 does not support the "virt" machine type.\n' +
+              'This usually happens if qemu-system-aarch64 is a symlink to qemu-kvm on x86_64.\n' +
+              'Run: node bin baremetal --dev --install-packer',
+          );
+        }
+      } else if (workflow.maas.architecture.startsWith('amd64') && process.arch !== 'x64') {
+        // Building amd64/x86_64 on aarch64 host
+        // Check both /usr/local/bin (compiled) and system paths
+        let qemuX86Path = null;
+
+        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64', { silent: true }).code === 0) {
+          qemuX86Path = '/usr/local/bin/qemu-system-x86_64';
+        } else if (shellExec('which qemu-system-x86_64', { silent: true }).code === 0) {
+          qemuX86Path = shellExec('which qemu-system-x86_64', { silent: true }).stdout.trim();
+        }
+
+        if (!qemuX86Path) {
+          throw new Error(
+            'qemu-system-x86_64 is not installed. Please install it to build x86_64 images on aarch64 hosts.\n' +
+              'Run: node bin baremetal --dev --install-packer',
+          );
+        }
+
+        logger.info(`Found qemu-system-x86_64 at: ${qemuX86Path}`);
+
+        // Verify that the installed qemu supports the 'pc' or 'q35' machine type (required for x86_64)
+        const machineHelp = shellExec(`${qemuX86Path} -machine help`, { silent: true }).stdout;
+        if (!machineHelp.includes('pc') && !machineHelp.includes('q35')) {
+          throw new Error(
+            'The installed qemu-system-x86_64 does not support the "pc" or "q35" machine type.\n' +
+              'Run: node bin baremetal --dev --install-packer',
+          );
+        }
+      }
+    },
+
     /**
      * @method bootConfFactory
      * @description Generates the boot configuration file for specific workflows,

package/src/cli/index.js

@@ -625,6 +625,10 @@ program
     '--packer-maas-image-upload',
     'Uploads an existing MAAS image artifact without rebuilding for the workflow specified by --packer-workflow-id.',
   )
+  .option(
+    '--packer-maas-image-cached',
+    'Continue last build without removing artifacts (used with --packer-maas-image-build).',
+  )
   .option('--commission', 'Init workflow for commissioning a physical machine.')
   .option('--nfs-build', 'Builds an NFS root filesystem for a workflow id config architecture using QEMU emulation.')
   .option('--nfs-mount', 'Mounts the NFS root filesystem for a workflow id config architecture.')

package/src/index.js

@@ -36,7 +36,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v2.96.0';
+  static version = 'v2.96.1';
   /**
    * Repository cli API
    * @static
@@ -193,6 +193,7 @@ export {
   UnderpostRootEnv,
   UnderpostFileStorage,
   UnderpostImage,
+  UnderpostStatic,
   UnderpostLxd,
   UnderpostMonitor,
   UnderpostRepository,

package/manifests/mariadb/config.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: mariadb-config
-data:
-  my.cnf: | # bind-address=0.0.0.0
-    [mysqld]
-    default_storage_engine=InnoDB
-    innodb_file_per_table=1
-    max_connections=1000

package/manifests/mariadb/secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mariadb-secret
-type: Opaque
-data:
-  password:
-  username: