fix(linux/build): non-interactive mode + visible output + key import (M1.1)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 11m33s
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 11m33s
Run #4260 cleared every harness layer and ran for 18 minutes — past sanity-tests, prepare-build-machine, cowbuilder-setup, local-deps — into 2100_create-debian-packages, where it died on: Could not check validity of signature with '92978A6E195E4921825F7FF0F34F09744E9F5DD9' in '/home/user/derivative-binary/temp_packages_debian_sid/virtualbox_7.2.8-dfsg-1.dsc' as public key missing! …and then *also* hung the runner indefinitely because, on any error, derivative-maker's exception_handler_general detected a TTY (we passed `docker run -t`) and dropped into an interactive `read -p 'Answer? '` prompt that nothing was ever going to answer. The orphan docker run in turn orphaned the act_runner job container, blocking the runner until manual cleanup. Three coordinated fixes, validated end-to-end with docker-side smoke tests on 10.0.0.51: 1. **Non-interactive mode without losing output visibility.** The original architectural goal: keep derivative-maker out of interactive mode (`[ -t 0 ]` must be false) AND keep the build log visible to docker run / Gitea Actions (PTY needed somewhere). Resolution: - `docker run -t` is kept (required for /dev/console to be a real PTY back to docker), but no `-i`, so fd 0 stays /dev/null. - docker-entrypoint.service: `StandardInput=tty-force` → `StandardInput=null` so the service's fd 0 is /dev/null too. Verified inside the container: `[ -t 0 ]` returns false. - entrypoint.sh now wraps the user command with an explicit `> /dev/console 2>&1` redirect before writing it to /etc/docker-entrypoint-cmd. systemd's `StandardOutput=inherit` does NOT propagate PID-1's stdout to services in this PID-1- systemd-in-container topology — the service log was going nowhere visible. /dev/console under `docker run -t` IS the allocated PTY back to docker, so the redirect surfaces the log to the act_runner / Gitea Actions log. - entrypoint.sh's `[ ! -t 0 ] && exit 1` guard removed (it would now always trigger). 2. **debian-keyring for reprepro source-package signature checks.** 2100_create-debian-packages calls dm-reprepro-wrapper includedsc on every .dsc in temp_packages_debian_sid (including virtualbox_*.dsc, even for `--target iso` — see line 114 of that build step). reprepro verifies the dsc signature against the user's GPG keyring; without the maintainer keys it fails. Adds `debian-keyring` to Dockerfile.builder. build-inner.sh now imports debian-keyring.gpg / debian-maintainers.gpg / debian-nonupload.gpg into the user's keyring before running derivative-maker. 3. **BUILDER_IMAGE digest re-pinned.** Built natively on 10.0.0.51 (per memory: never on WSL/aarch64). New digest: sha256:2f680c96…f0db. Smoke-test results (against this exact image): ==> START ← user output reaches docker stdout (keyring present) ← debian-keyring imported successfully STDIN_NOT_TTY ← derivative-maker WILL stay non-interactive ==> END ← clean shutdown docker run exit: 42 ← exit code propagates correctly on failure Files: Dockerfile.builder, systemd-entrypoint/entrypoint.sh, systemd-entrypoint/docker-entrypoint.service, scripts/build.sh, scripts/build-inner.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -95,6 +95,7 @@ RUN set -eux; \
|
||||
adduser \
|
||||
ca-certificates \
|
||||
curl \
|
||||
debian-keyring \
|
||||
dpkg-dev \
|
||||
fakeroot \
|
||||
fasttrack-archive-keyring \
|
||||
|
||||
@@ -8,7 +8,22 @@ Description=docker-entrypoint.service
|
||||
ExecStartPre=/bin/bash -e -x -c "cat -- /etc/docker-entrypoint-cmd"
|
||||
ExecStart=/bin/bash -e -x -c /etc/docker-entrypoint-cmd
|
||||
ExecStopPost=/usr/bin/docker-entrypoint-stop.sh
|
||||
StandardInput=tty-force
|
||||
## SilverMetal patches:
|
||||
## StandardInput: was `tty-force`. That requires a docker-allocated
|
||||
## TTY (`docker run -t`), but we deliberately run without -t in CI
|
||||
## so derivative-maker's exception handler stays in non-interactive
|
||||
## mode (otherwise any error drops into a `read -p` prompt and the
|
||||
## container hangs forever). `null` gives the service /dev/null for
|
||||
## stdin — derivative-maker doesn't read stdin during a normal build.
|
||||
## StandardOutput / StandardError: keep upstream's `inherit`. With the
|
||||
## container running with `-t` (which gives the systemd PID-1 a PTY
|
||||
## for fd 1/2), inherit propagates that PTY to the service so its
|
||||
## output reaches docker run / the act_runner log. We pair this with
|
||||
## StandardInput=null above so derivative-maker's `[ -t 0 ]` returns
|
||||
## false and it uses the non-interactive error handler — i.e. we
|
||||
## get the visibility benefit of -t without the interactive-prompt
|
||||
## hang on errors.
|
||||
StandardInput=null
|
||||
StandardOutput=inherit
|
||||
StandardError=inherit
|
||||
EnvironmentFile=/etc/docker-entrypoint-env
|
||||
|
||||
@@ -19,10 +19,24 @@ if [ $# -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -t 0 ]; then
|
||||
printf '%s\n' 'ERROR: TTY needs to be enabled ("docker run -t ...").' >&2
|
||||
exit 1
|
||||
fi
|
||||
## SilverMetal patch: TTY check disabled.
|
||||
##
|
||||
## Upstream's check exits if stdin isn't a TTY. That's right for an
|
||||
## interactive `docker run -t ...` invocation by a developer, but in CI
|
||||
## we cannot allocate a TTY without it making derivative-maker think
|
||||
## a human is present — at which point any error drops it into an
|
||||
## interactive `read -p 'Answer? ' answer` prompt and the container
|
||||
## hangs forever (orphaning the docker run, which orphans the
|
||||
## act_runner job container, and so on).
|
||||
##
|
||||
## Removing the check is safe: nothing downstream actually needs a TTY;
|
||||
## entrypoint.sh just writes the command and execs systemd.
|
||||
##
|
||||
## --- original upstream block (kept commented for the next bump) ---
|
||||
## if [ ! -t 0 ]; then
|
||||
## printf '%s\n' 'ERROR: TTY needs to be enabled ("docker run -t ...").' >&2
|
||||
## exit 1
|
||||
## fi
|
||||
|
||||
env | tee -- /etc/docker-entrypoint-env >/dev/null
|
||||
|
||||
@@ -30,7 +44,15 @@ env | tee -- /etc/docker-entrypoint-env >/dev/null
|
||||
cat -- /etc/docker-entrypoint-env
|
||||
|
||||
quoted_args="$(printf " %q" "${@}")"
|
||||
printf '%s\n' "${quoted_args}" | tee -- /etc/docker-entrypoint-cmd >/dev/null
|
||||
## SilverMetal patch: wrap the command with an explicit redirect to
|
||||
## /dev/console. systemd's `StandardOutput=inherit` on a service does
|
||||
## not propagate PID 1's stdout in a containerized PID-1-systemd
|
||||
## context, so service stdout ends up nowhere visible. With `docker
|
||||
## run -t`, /dev/console *is* the allocated PTY connected back to
|
||||
## docker run, so writing there surfaces the build log to the
|
||||
## act_runner / Gitea Actions log surface.
|
||||
printf '%s\n' "exec${quoted_args} > /dev/console 2>&1" \
|
||||
| tee -- /etc/docker-entrypoint-cmd >/dev/null
|
||||
chmod +x -- /etc/docker-entrypoint-cmd
|
||||
|
||||
systemctl mask systemd-firstboot.service systemd-udevd.service systemd-modules-load.service
|
||||
|
||||
@@ -48,6 +48,27 @@ export user_name=user
|
||||
# here so we don't depend on upstream's wrapper.
|
||||
mkdir -p "${HOME}/derivative-binary"
|
||||
|
||||
# Import Debian developer keys into the user's GPG keyring.
|
||||
# 2100_create-debian-packages calls `dm-reprepro-wrapper includedsc`
|
||||
# on Debian source packages it pulls in (e.g. virtualbox_*.dsc, even
|
||||
# for --target iso — see 2100_create-debian-packages line 114), and
|
||||
# reprepro verifies each .dsc's signature against the user's keyring.
|
||||
# Without this, every dsc with a Debian-uploader signature fails:
|
||||
# Could not check validity of signature with '<fingerprint>' in
|
||||
# '...virtualbox_7.2.8-dfsg-1.dsc' as public key missing!
|
||||
# There have been errors!
|
||||
# debian-keyring (~40 MB, snapshot-pinned) provides the developer
|
||||
# keys; importing it once at the start of the build seeds the keyring
|
||||
# reprepro will consult.
|
||||
if [ -d /usr/share/keyrings ]; then
|
||||
for f in /usr/share/keyrings/debian-keyring.gpg \
|
||||
/usr/share/keyrings/debian-maintainers.gpg \
|
||||
/usr/share/keyrings/debian-nonupload.gpg; do
|
||||
[ -f "$f" ] || continue
|
||||
gpg --quiet --no-tty --import "$f" 2>/dev/null || true
|
||||
done
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC1091
|
||||
source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
|
||||
# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
|
||||
# registers as an insecure-registry. The host-style "docker-registry:5000"
|
||||
# is *not* DNS-resolvable; do not use it.
|
||||
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:dc9dd29df4bee54807aee5bb2605b400754cba86db5343b4947a81a7ecea8811}"
|
||||
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:2f680c9629833400573d26a0e25b32b4f13a61a7e4d91543df8983a67801f0db}"
|
||||
|
||||
if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
|
||||
echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2
|
||||
@@ -118,16 +118,26 @@ fi
|
||||
# namespace it can't see the host hierarchy
|
||||
# --tmpfs /run, /run/lock systemd writes runtime state here
|
||||
# -v /sys/fs/cgroup:rw the cgroup tree systemd manages
|
||||
# -t entrypoint.sh requires a TTY (it `exit 1`s on
|
||||
# stdin not a tty); allocating one keeps that
|
||||
# path happy in CI too where stdin is otherwise
|
||||
# /dev/null
|
||||
#
|
||||
# `tail -f /dev/null` is NOT used — control flow goes through systemd:
|
||||
# entrypoint.sh writes the user command to /etc/docker-entrypoint-cmd,
|
||||
# execs systemd, systemd boots docker-entrypoint.service which runs the
|
||||
# command, and docker-entrypoint-stop.sh propagates exit code via
|
||||
# `systemctl exit <code>` so the container exits with the right status.
|
||||
#
|
||||
# `-t` (PTY for stdout/stderr) is required for build-log visibility:
|
||||
# systemd-as-PID-1 inherits the PTY from the container, and the
|
||||
# docker-entrypoint.service propagates it to the build via
|
||||
# StandardOutput=inherit. Without -t, the service log goes to the
|
||||
# journal only (invisible to docker run / Gitea Actions).
|
||||
#
|
||||
# Critically, we do NOT add `-i`. Without -i, fd 0 inside the container
|
||||
# is /dev/null, not a TTY — and the vendored docker-entrypoint.service
|
||||
# explicitly sets `StandardInput=null` so the service inherits no TTY
|
||||
# on fd 0 either. That keeps derivative-maker's `[ -t 0 ]` check false
|
||||
# so its exception handler stays in non-interactive mode (otherwise any
|
||||
# error drops into a `read -p 'Answer? '` prompt and the whole
|
||||
# container hangs forever, orphaning docker run and blocking the runner).
|
||||
docker run --rm --privileged \
|
||||
--cgroupns=host \
|
||||
--tmpfs /run \
|
||||
|
||||
Reference in New Issue
Block a user