@binujp binujp commented Jan 28, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

We have to make sure systemd-networkd is managing all interfaces. Add a package to deliver the override.

Brought in logic to build a vm-image with the current package selection. This is based on Nan Liu's changes which accomplished the same.

Change Log

  • Change
  • Change
  • Change

Does this affect the toolchain?

YES/NO

Associated issues

  • #xxxx

Links to CVEs

Test Methodology

  • Pipeline build id: xxxx

@binujp binujp requested review from Copilot and reubeno and removed request for Copilot January 28, 2026 07:04

Copilot AI left a comment

Pull request overview

This PR adds systemd-networkd configuration for managing all network interfaces and introduces VM image build capability using QEMU. The changes enable building both container and VM images from the Azure Linux base packages.

Changes:

  • Added azurelinux-overrides package to deliver systemd-networkd configuration files
  • Extended demo-build.sh script to support VM image building with QEMU
  • Updated vm-base.kiwi configuration to include the new override package and user setup

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| base/comps/azurelinux-overrides/azurelinux-overrides.spec | New RPM spec file for systemd network override package |
| base/comps/azurelinux-overrides/azurelinux-overrides.comp.toml | Component definition for the azurelinux-overrides package |
| base/comps/azurelinux-overrides/50-default.network | Systemd-networkd configuration to manage all interfaces with DHCP |
| scripts/demo-build.sh | Extended build script with VM image support, SELinux checks, and QEMU launch capability |
| base/images/vm-base/vm-base.kiwi | Updated VM image configuration with azurelinux-overrides package, user accounts, and adjusted disk size |

@@ -0,0 +1,6 @@
# We want sytemd to manage all interfaces

Copilot AI Jan 28, 2026

Typo in comment: 'sytemd' should be 'systemd'.

Suggested change
# We want sytemd to manage all interfaces
# We want systemd to manage all interfaces

fi
done

if [ $(getenforce) != "Permissive" ] ; then
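
Review bot: The test `[ $(getenforce) != "Permissive" ]` on the last line of this hunk is true for every mode other than Permissive, so a host where getenforce prints Disabled takes the same branch as one that is Enforcing. If the branch is meant for an enforcing host only, compare against "Enforcing" instead, and quote the substitution so that an empty result does not turn the test into a syntax error.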

Copilot AI Jan 28, 2026

The command substitution is not quoted, which could cause issues if getenforce returns unexpected output or is not found. This should be quoted to handle whitespace and prevent word splitting. Consider using: if [ "$(getenforce)" != "Permissive" ]

Suggested change
if [ $(getenforce) != "Permissive" ] ; then
if [ "$(getenforce)" != "Permissive" ] ; then

fi
done

if [ $(getenforce) != "Permissive" ] ; then

Copilot AI Jan 28, 2026

The getenforce command is used but is not checked as a prerequisite. If SELinux tools are not installed, this will fail with an unclear error. Consider adding 'getenforce' to the prerequisite check list at lines 16-21, or handling its absence gracefully.

<users>
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
<user name="azureuser" password="$6$LTUZg7I3kpIkQhkr$4P2pvOdWEocGfUZP17AVtKpKDPIKsvmYoRSBFwaf5rfoS2/QEVj5HMvU0vPvNJ/5GfvBDpVibT5I8s4OBS8j3/" home="/home/azureuser" groups="root,wheel" />
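
Review bot: The `azureuser` line commits a `$6$` (SHA-512 crypt) password hash to the repository, and the same line places that account in both the `root` and `wheel` groups. Every image built from this file shares the credential, and the hash stays in the repository history even if a later commit removes it, so treat the password as exposed and do not reuse it. Supply the credential at build time or first boot instead (for example an SSH public key through cloud-init), and drop `root` from `groups` unless it is required.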

Copilot AI Jan 28, 2026

Hardcoded password hash for the 'azureuser' account poses a security risk. Anyone with access to this code can use this password to login. Consider using a placeholder like 'INSERT-PASSWORD-HERE' (as used for root), or generating a unique password during image build, or relying on cloud-init to set up user credentials.

Suggested change
<user name="azureuser" password="$6$LTUZg7I3kpIkQhkr$4P2pvOdWEocGfUZP17AVtKpKDPIKsvmYoRSBFwaf5rfoS2/QEVj5HMvU0vPvNJ/5GfvBDpVibT5I8s4OBS8j3/" home="/home/azureuser" groups="root,wheel" />
<user name="azureuser" password="INSERT-PASSWORD-HERE" home="/home/azureuser" groups="root,wheel" />

<package name="systemd-resolved" />
<package name="systemd-resolved" />
<package name="systemd" />
<package name="azurelinux-overrides" />

Copilot AI Jan 28, 2026

Inconsistent indentation: this line uses tabs while surrounding lines use spaces. This creates inconsistent formatting in the XML file.

Comment on lines +68 to +81
--kiwi-file vm-base.kiwi \
system build \
--description ./base/images/vm-base \
--target-dir "$TARGET_DIR" \
--add-repo="file:///$PWD/base/out,rpm-md,azl,1"

# boot QEMU VM, C-a x to quit. VM port 22 is forwarded to host:2222
echo "Launching azl4 VM, type 'C-a x' to quit."
echo "To login as azureuser: ssh -p 2222 azureuser@localhost"
sudo qemu-system-x86_64 -enable-kvm -m 2048 -cpu host \
-bios /usr/share/edk2/ovmf/OVMF.stateless.fd \
-drive file="$TARGET_DIR/azl4-vm-base.x86_64-0.1.vhdx",format=vhdx \
-netdev user,id=net0,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=net0 \
-nographic -serial mon:stdio
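
Review bot: `hostfwd=tcp::2222-:22` on the `-netdev` line leaves the host address empty, so QEMU listens on every host interface and the guest's SSH port is reachable from the network, not only from localhost as the echo line above it implies. Bind it explicitly with `hostfwd=tcp:127.0.0.1:2222-:22`. The `sudo` in front of `qemu-system-x86_64` also runs the emulator as root; a user with access to /dev/kvm and to the image file can launch it unprivileged.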

Copilot AI Jan 28, 2026

Inconsistent indentation: these lines use tabs while surrounding lines use spaces. This creates inconsistent formatting in the shell script.

@@ -89,6 +89,7 @@
<package name="systemd-resolved" />
<package name="systemd-resolved" />

Copilot AI Jan 28, 2026

The package 'systemd-resolved' is listed twice (lines 89 and 90). This is redundant and should be removed.

Suggested change
<package name="systemd-resolved" />

<!--
<users>
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />

Copilot AI Jan 28, 2026

The root password is set to the placeholder 'INSERT-PASSWORD-HERE', which means the root account will not be accessible with a password. Ensure this is intentional and that there is an alternative method for root access (e.g., via sudo or cloud-init SSH keys).

Suggested change
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
<user name="root" password="!" groups="root" />

Comment on lines +40 to +49
azldev comp build azurelinux-rpm-config; createrepo_c ./base/out

# Build azurelinux-release and azurelinux-repos to provide repo files and release info.
# They require the rpm-config package to be built first.
azldev comp build azurelinux-release --local-repo ./base/out && createrepo_c ./base/out
azldev comp build azurelinux-repos --local-repo ./base/out && createrepo_c ./base/out
azldev comp build azurelinux-release --local-repo ./base/out; createrepo_c ./base/out
azldev comp build azurelinux-repos --local-repo ./base/out; createrepo_c ./base/out
azldev comp build azurelinux-overrides --local-repo ./base/out; createrepo_c ./base/out

# Build rpm to ensure the azl-specific vendor tag is configured.
azldev comp build rpm --local-repo ./base/out && createrepo_c ./base/out
# Build a base container image using these private RPMs and upstream Fedora packages.
sudo kiwi --loglevel 10 \
--kiwi-file container-base.kiwi \
system build \
--description ./base/images/container-base \
--target-dir ./base/out/images \
--add-repo="file:///$PWD/base/out,rpm-md,azl,1"

# Run a command in the container to verify.
xzcat ./base/out/images/azl4-container-base.x86_64-0.1.docker.tar.xz | docker load
docker run -it --rm microsoft/azurelinux/base/core:4.0 cat /etc/os-release
azldev comp build rpm --local-repo ./base/out; createrepo_c ./base/out
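
Review bot: Replacing `&&` with `;` on the `azldev comp build ...; createrepo_c ./base/out` lines changes what happens after a failed build in a way that depends on the script's shell options, and the hunk does not say which behaviour is intended. Under `set -e`, a failing command on the left of `&&` does not abort the script (an AND list is exempt from errexit), while the same command followed by `;` does; without `set -e`, the `;` form runs `createrepo_c` and carries on after a failed build. Put the two commands on separate lines or add a comment stating why the operator changed.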

Copilot AI Jan 28, 2026

Changed from '&&' to ';' operator between commands. With the script's 'set -e' at line 2, this change means that if 'azldev comp build' fails, the script will still exit (due to -e), but the behavior is less explicit than using '&&'. If the intent is to run createrepo_c regardless of build failure, this conflicts with 'set -e'. Consider using '&&' for explicit error propagation or handling failures explicitly.

# Build the VM image using KIWI
sudo kiwi --loglevel 10 \
--kiwi-file vm-base.kiwi \
system build \

Copilot AI Jan 28, 2026

Extra space in 'system build ' (double space between 'build' and the line continuation). This is a minor formatting inconsistency.

Suggested change
system build \
system build \

@@ -0,0 +1,28 @@
Summary: Azure Linux systemd network overrides
Member

If this is really specific to network config, can we please change the name to match? Something like azurelinux-config-network or some variant thereof?

You could do something like:

/base/comps/azurelinux-config/
    * azurelinux-config-network.spec
    * azurelinux-config-somethingelse.spec

Alternatively, if you want to have them in one spec, we could at least start with multiple sub-packages.

The main thinking here is that general overrides packages can quickly become dumping grounds.

Summary: Azure Linux systemd network overrides
Name: azurelinux-overrides
Version: 4.0
Release: 0.1
Member

Should include the dist tag; and might as well start at 1 like most specs.

%config(noreplace) /etc/systemd/network/50-default.network

%changelog
* Wed Jan 21 2026 Binu Philip <bphilip@microsoft.com> - 4.0-0.1
Member

Reminder for us to talk about auto-changelog and auto-release later.

<!--
<users>
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
Member

Absolutely no checked in passwords.


# Build azurelinux-rpm-config to generate system macros, etc.
azldev comp build azurelinux-rpm-config && createrepo_c ./base/out
azldev comp build azurelinux-rpm-config; createrepo_c ./base/out
Member

The && was there intentionally; why remove it? Ditto for below.
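
The two review comments on `&&` versus `;` both depend on how `set -e` treats an AND list. The following is an added demonstration, not part of the PR or of either reviewer's comment; `false` stands in for a failing `azldev comp build`, `echo indexed` for `createrepo_c`, and the helper name `under_set_e` is made up for this example.

```sh
#!/bin/sh
# Constructed stand-ins (not from the PR): `false` plays a failing
# `azldev comp build`, `echo indexed` plays `createrepo_c ./base/out`,
# and `echo next-step` is whatever the script does afterwards.

# Run a snippet in a child shell with errexit on and report
# "rc=<exit status> out=<stdout flattened to one line>".
under_set_e() {
    rc=0
    out=$(sh -c "set -e; $1" 2>/dev/null) || rc=$?
    # Unquoted $out on purpose: joins multi-line output with spaces.
    echo "rc=$rc out=$(echo $out)"
}

# 1. AND list: the failing left-hand side is exempt from errexit, so the
#    index step is skipped but the script keeps going and exits 0.
and_list() { under_set_e 'false && echo indexed; echo next-step'; }

# 2. Semicolon: the failing build is a plain command, so errexit stops
#    the script there and nothing after it runs.
semicolon() { under_set_e 'false; echo indexed; echo next-step'; }

# 3. Semicolon with errexit switched off again (set +e): the repo index
#    is regenerated after a failed build and the script carries on.
semicolon_no_errexit() {
    under_set_e 'set +e; false; echo indexed; echo next-step'
}

# 4. Explicit handling: stops on a failed build whatever the options are.
explicit() {
    under_set_e 'if ! false; then echo build-failed >&2; exit 1; fi; echo indexed'
}

for name in and_list semicolon semicolon_no_errexit explicit; do
    printf '%-22s %s\n' "$name" "$($name)"
done
```

Case 1 is the one that is easy to miss: with `set -e` in effect, the `&&` form lets the script continue after a failed build with a stale repository index, while the `;` form stops.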

# boot QEMU VM, C-a x to quit. VM port 22 is forwarded to host:2222
echo "Launching azl4 VM, type 'C-a x' to quit."
echo "To login as azureuser: ssh -p 2222 azureuser@localhost"
sudo qemu-system-x86_64 -enable-kvm -m 2048 -cpu host \
Member

Booting sounds like it should be a separate script or at least an option. Ultimately a script's not awesome, but you're right -- it gets things to move forward.
