all: switch vmx-enabled Debian over to Bullseye

I basically just did a find-and-replace, and we'll see if it works?

I've updated and built the new disk images so this should be ready to
deploy.

For golang/go#56414.

Change-Id: Iaac41d6f7a1244c3682e624f7a4ee4fa7477dfa1
Reviewed-on: https://go-review.googlesource.com/c/build/+/445617
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: heschi

dashboard/builders.go

@@ -281,9 +281,9 @@ var Hosts = map[string]*HostConfig{
 		SSHUsername:    "root",
 	},
 	"host-linux-amd64-androidemu": {
-		Notes:          "Debian Buster w/ Android SDK + emulator (use nested virt)",
+		Notes:          "Debian Bullseye w/ Android SDK + emulator (use nested virt)",
 		ContainerImage: "android-amd64-emu:bff27c0c9263",
-		KonletVMImage:  "android-amd64-emu",
+		KonletVMImage:  "android-amd64-emu-bullseye",
 		NestedVirt:     true,
 		SSHUsername:    "root",
 	},
@@ -292,6 +292,12 @@ var Hosts = map[string]*HostConfig{
 		ContainerImage: "linux-x86-bullseye:latest",
 		SSHUsername:    "root",
 	},
+	"host-linux-amd64-bullseye-vmx": {
+		Notes:          "Debian Bullseye w/ Nested Virtualization (VMX CPU bit) enabled",
+		ContainerImage: "linux-x86-bullseye:latest",
+		NestedVirt:     true,
+		SSHUsername:    "root",
+	},
 	"host-linux-amd64-buster": {
 		Notes:          "Debian Buster",
 		ContainerImage: "linux-x86-buster:latest",
@@ -339,12 +345,6 @@ var Hosts = map[string]*HostConfig{
 		ContainerImage: "linux-x86-stretch:latest",
 		SSHUsername:    "root",
 	},
-	"host-linux-amd64-stretch-vmx": {
-		Notes:          "Debian Stretch w/ Nested Virtualization (VMX CPU bit) enabled, for testing",
-		ContainerImage: "linux-x86-stretch:latest",
-		NestedVirt:     true,
-		SSHUsername:    "root",
-	},
 	"host-linux-amd64-wsl": {
 		Notes:     "Windows 10 WSL2 Ubuntu",
 		Owners:    []*gophers.Person{gh("mengzhuo")},
@@ -1332,7 +1332,7 @@ func (c *HostConfig) ContainerVMImage() string {
 		return c.KonletVMImage
 	}
 	if c.NestedVirt {
-		return "debian-stretch-vmx"
+		return "debian-bullseye-vmx"
 	}
 	if c.isEC2 && c.ContainerImage != "" {
 		return fmt.Sprintf("gcr.io/%s/%s", buildenv.Production.ProjectName, c.ContainerImage)
@@ -1532,7 +1532,7 @@ func init() {
 	})
 	addBuilder(BuildConfig{
 		Name:       "linux-amd64-vmx",
-		HostType:   "host-linux-amd64-stretch-vmx",
+		HostType:   "host-linux-amd64-bullseye-vmx",
 		buildsRepo: disabledBuilder,
 	})
 	addBuilder(BuildConfig{

env/android-amd64-emu/create-vm.sh

@@ -7,18 +7,19 @@ set -e
 set -x
 
 ZONE=us-central1-f
-TARGET_IMAGE=android-amd64-emu
+DEBIAN=bullseye
+TARGET_IMAGE=android-amd64-emu-$DEBIAN
 
 TMP_DISK=dev-android-amd64-emu-tmpdisk
 TMP_IMG=dev-android-amd64-emu-image
 TMP_VM=dev-android-amd64-emu
 
-# Create disk, forking debian-vmx-stretch
+# Create disk, forking our vmx-enabled image
 gcloud compute disks delete $TMP_DISK --zone=$ZONE --quiet || true
 gcloud compute disks create $TMP_DISK \
        --zone=$ZONE \
        --size=40GB \
-       --image=debian-stretch-vmx
+       --image=debian-$DEBIAN-vmx
 
 gcloud compute images delete $TMP_IMG --quiet || true
 gcloud compute images create \
@@ -35,20 +36,18 @@ gcloud compute instances create \
        $TMP_VM \
        --zone=$ZONE \
        --image=$TMP_IMG \
-       --min-cpu-platform "Intel Haswell"
+       --min-cpu-platform "Intel Haswell" \
+       --network default-vpc \
+       --no-service-account --no-scopes
 
-INTERNAL_IP=$(gcloud --format="value(networkInterfaces[0].networkIP)" compute instances list --filter="name=('$TMP_VM')")
 echo "Waiting for SSH port to be available..."
-while ! nc -w 2 -z $INTERNAL_IP 22; do
+while ! gcloud compute ssh $TMP_VM --zone=$ZONE --tunnel-through-iap -- echo hi; do
     sleep 1
 done
 
-VER=$(docker images "--format={{.ID}}" golang/android-amd64-emu:latest)
-CONTAINER=gcr.io/symbolic-datum-552/android-amd64-emu:$VER
-
 echo "SSH is up. Pulling docker container $CONTAINER on VM..."
 
-gcloud compute ssh $TMP_VM --zone=$ZONE --internal-ip -- sudo docker pull $CONTAINER
+gcloud compute ssh $TMP_VM --zone=$ZONE --tunnel-through-iap -- sudo docker pull gcr.io/symbolic-datum-552/android-amd64-emu:latest
 
 echo "Done pulling; shutting down"
 

env/linux-x86-vmx/README.md

@@ -1,6 +1,6 @@
 # linux-x86-vmx
 
 These scripts create a GCE VM image that acts like Container-Optimized
-Linux but uses a Debian 9 (Stretch) kernel + userspace instead. We do
-this because Debian 9 includes CONFIG_KVM for nested virtualization,
+Linux but uses a Debian 11 (Bullseye) kernel + userspace instead. We do
+this because Debian 11 includes CONFIG_KVM for nested virtualization,
 whereas that's not compiled in for Container-Optimized Linux.

env/linux-x86-vmx/create.sh

@@ -3,16 +3,16 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-# This creates the debian-stretch-vmx buildlet VM that's
-# like the Container-Optimized OS but using Debian Stretch
+# This creates the debian-bullseye-vmx buildlet VM that's
+# like the Container-Optimized OS but using Debian Bullseye
 # instead of the Chromium OS, and with nested virtualization
 # enabled.
 
 set -e
 set -x
 
 ZONE=us-central1-f
-TARGET_IMAGE=debian-stretch-vmx
+TARGET_IMAGE=debian-bullseye-vmx
 
 TMP_DISK=dev-debian-vmx-tmpdisk
 TMP_IMG=dev-debian-vmx-image
@@ -24,7 +24,7 @@ gcloud compute disks create $TMP_DISK \
        --zone=$ZONE \
        --size=40GB \
        --image-project=debian-cloud \
-       --image-family debian-9
+       --image-family debian-11
 
 # Create image based on that disk, with the nested virtualization
 # opt-in flag ("license").
@@ -44,25 +44,23 @@ gcloud compute instances create \
        $TMP_VM \
        --zone=$ZONE \
        --image=$TMP_IMG \
-       --min-cpu-platform "Intel Haswell"
-
-INTERNAL_IP=$(gcloud --format="value(networkInterfaces[0].networkIP)" compute instances list --filter="name=('$TMP_VM')")
-EXTERNAL_IP=$(gcloud --format="value(networkInterfaces[0].accessConfigs[0].natIP)" compute instances list --filter="name=('$TMP_VM')")
-echo "external IP: $EXTERNAL_IP, internal IP: $INTERNAL_IP"
+       --min-cpu-platform "Intel Haswell" \
+       --network default-vpc \
+       --no-service-account --no-scopes
 
 echo "Waiting for SSH port to be available..."
-while ! nc -w 2 -z $INTERNAL_IP 22; do
+while ! gcloud compute ssh $TMP_VM --zone=$ZONE --tunnel-through-iap -- echo hi; do
     sleep 1
 done
 
 echo "SSH is up. Copying prep-vm.sh script to VM..."
 
 # gcloud compute scp lacks an --internal-ip flag, even though gcloud
 # compute ssh has it. Annoying. Workaround:
-gcloud compute scp --dry-run --zone=$ZONE prep-vm.sh bradfitz@$TMP_VM: | perl -npe "s/$EXTERNAL_IP/$INTERNAL_IP/" | sh
+gcloud compute scp --zone=$ZONE --tunnel-through-iap prep-vm.sh $TMP_VM:
 
 # And prep the machine.
-gcloud compute ssh $TMP_VM --zone=$ZONE --internal-ip -- sudo bash ./prep-vm.sh
+gcloud compute ssh $TMP_VM --zone=$ZONE --tunnel-through-iap -- sudo bash ./prep-vm.sh
 
 echo "Done prepping machine; shutting down"
 

env/linux-x86-vmx/prep-vm.sh

@@ -29,7 +29,7 @@ systemctl start konlet-startup
 
 # Pre-pull some common images/layers to speed up future boots:
 gcloud auth configure-docker --quiet
-docker pull gcr.io/symbolic-datum-552/linux-x86-stretch:latest
+docker pull gcr.io/symbolic-datum-552/linux-x86-bullseye:latest
 docker pull gcr.io/gce-containers/konlet:v.0.9-latest
 
 apt-get dist-upgrade --yes