SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7058fb775c1f608e1caafa28b5d509efb598ae75
SilverMetal/linux/build
History
SysAdmin 7058fb775c
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 2m20s
Details
fix(linux/build): add systemctl no-op shim for the build container (M1.1) 
Run #4257 cleared sanity-tests entirely (sq-git verification of every
submodule signature: ; tag/uncommitted relaxation: ) and reached
1200_prepare-build-machine, where it died:

    + sudo systemctl daemon-reload
    sudo: systemctl: command not found
    ERROR detected in script!: ././build-steps.d/1200_prepare-build-machine

derivative-maker assumes systemd is PID 1 on the build host. Upstream's
own container (linux/build/derivative-maker/docker/) runs
systemd-as-init via an entrypoint that masks irrelevant units and
declares its own. We don't want that surgery for M1.1 — it pulls in
cgroup mounts, --cgroupns=host, and a much bigger debugging surface.

Shim approach instead: install /usr/local/bin/systemctl that logs the
attempt to stderr and exits 0. /usr/local/bin precedes /usr/bin in
both default $PATH and sudo's secure_path, so it satisfies any
systemctl call regardless of whether the real binary later gets pulled
in by a package install. Standard pattern for systemd-aware Debian
build scripts in transient containers.

Risk if it doesn't suffice: the shim makes daemon-reload / restart /
mask calls succeed, but doesn't actually run any service. If a later
build step depends on (say) approx actually being up to serve cached
debs, we'll see the next failure and decide whether to escalate to
real systemd-in-container or skip the relevant build step.

Changes:
- Dockerfile.builder: add the shim with a brief log line to stderr;
  comment block documents the trade-off.
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:70f160ab…5460
  (built natively on 10.0.0.51, shim verified working with
  `docker run … systemctl daemon-reload` returning 0).

Verified: shim emits "systemctl-shim: daemon-reload" to stderr and
exits 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 11:45:13 +01:00
..
config
fix(linux/build): bump builder base bookworm → trixie (M1.1)
2026-05-07 11:25:40 +01:00
derivative-maker @ 51358698cd
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
docker
fix(linux/build): add systemctl no-op shim for the build container (M1.1)
2026-05-07 11:45:13 +01:00
runner
feat(linux/build): silvermetal-builder Gitea Actions runner deployment
2026-04-26 11:59:44 +01:00
scripts
fix(linux/build): add systemctl no-op shim for the build container (M1.1)
2026-05-07 11:45:13 +01:00
.gitignore
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
derivative-maker.PIN.md
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
README.md
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00

README.md

SilverMetal Linux — reproducible ISO build pipeline

Milestone: Phase 1 / M1.1 — Kicksecure fork builds reproducibly. Exit criterion: two clean builds of the same commit produce a byte-identical SHA256.

This directory holds everything that turns a SilverMetal commit into a SilverMetal Linux ISO. M1.1 ships only the base (un-hardened) Kicksecure derivative. Hardening overlay, kernel swap, AppArmor profiles, etc. land in M1.2+ and must not be added here in the M1.1 PR.

Layout

linux/build/
├── README.md                    (this file)
├── derivative-maker/            git submodule -> Kicksecure/derivative-maker
├── config/
│   ├── silvermetal-base.conf    derivative selection + branding
│   ├── snapshot-pin.env         pinned snapshot.debian.org timestamp
│   └── source-date-epoch.env    optional SOURCE_DATE_EPOCH override
├── docker/
│   └── Dockerfile.builder       pinned debian:bookworm-slim builder image
└── scripts/
    ├── build.sh                 wrapper: container run -> derivative-maker
    ├── verify-reproducibility.sh build twice, compare SHA256
    └── diagnose-divergence.sh   diffoscope on mismatch

How reproducibility is achieved

The same levers any deterministic Debian build relies on, stacked together:

Lever Where it lives
Pinned snapshot.debian.org mirror config/snapshot-pin.env
SOURCE_DATE_EPOCH from commit time scripts/build.sh (auto)
Pinned builder image (by digest) docker/Dockerfile.builder + BUILDER_IMAGE
Deterministic mksquashfs flags MKSQUASHFS_OPTIONS in base conf
Pinned upstream toolchain derivative-maker/ submodule
LC_ALL=C.UTF-8, TZ=UTC scripts/build.sh

diffoscope is the diagnostic tool used by diagnose-divergence.sh; the gate itself is plain sha256sum.

Reproduce a release locally

Procedure mirrors docs/trust-model.md § Reproducible builds.

Prerequisites: a Linux host (or WSL2) with Docker, ~30 GB free disk, ~8 GB RAM.

# 1. Clone the repo at the release tag.
git clone --recurse-submodules https://git.silverlabs.uk/SilverLABS/SilverMetal.git
cd SilverMetal
git checkout v1.1.0   # whichever release you want to verify

# 2. Build twice and compare. ~60-90 minutes per build.
linux/build/scripts/verify-reproducibility.sh

# 3. Compare against the published release.
sha256sum -c <(curl -fsSL https://git.silverlabs.uk/SilverLABS/SilverMetal/releases/download/v1.1.0/SHA256SUMS)

Mismatch with the published artefact = supply-chain anomaly. Report channel: security@silverlabs.uk.

Build once (no reproducibility check)

linux/build/scripts/build.sh
# Output lands in linux/build/output/<short-sha>/

The wrapper requires BUILDER_IMAGE to be pinned by digest. Local dev that hasn't built and pushed an image yet should override:

BUILDER_IMAGE=docker-registry:5000/silvermetal-builder@sha256:<digest> \
    linux/build/scripts/build.sh

Gitea Actions

The CI workflow (.gitea/workflows/build-iso-linux.yaml) is the authority for "did this commit build reproducibly?". It:

  1. Checks out the commit with submodules.
  2. Runs build.sh twice in ${GITHUB_WORKSPACE}/build-{a,b}.
  3. Fails the run if the two ISO SHA256s differ, and uploads a diffoscope report as an artefact.
  4. On a tag push, attaches the verified ISO + SHA256SUMS + BUILD_INFO to a Gitea release.

Self-hosted runner setup

The workflow runs on runs-on: silvermetal-builder, a self-hosted, privileged-capable Gitea Actions runner. Create it before merging the workflow:

  1. Provision a Debian 12 VM on the cluster with ≥ 8 vCPU, ≥ 16 GB RAM, ≥ 100 GB disk.
  2. Install Docker (apt install docker.io); ensure the runner user can run docker run --privileged.
  3. Register act_runner against git.silverlabs.uk with label silvermetal-builder.
  4. Pre-pull the builder image so the first reproducibility run isn't a cold start: docker pull docker-registry:5000/silvermetal-builder:latest
  5. Cache the apt snapshot in a Docker volume to avoid throttling: docker volume create silvermetal-apt-cache

The runner host name must not leak into ISO content. LC_ALL=C.UTF-8 and a constant TZ in the wrapper guard against that, but spot-check with diagnose-divergence.sh.

Bumping pinned inputs

Each of these is a deliberate, reviewed action — never automate:

  • derivative-maker submodule — bump in its own PR, with a verification log showing two clean builds match.
  • snapshot-pin.env — same procedure.
  • Builder image (Dockerfile.builder digest) — rebuild, push, update BUILDER_IMAGE in build.sh, run reproducibility check, commit all four together.

What this milestone is not

  • No hardening overlay (M1.2)
  • No SilverBrowser/SilverVPN/SilverSync/SilverChat integration (M1.61.9)
  • No installer branding (M1.5)
  • No update server (M1.10)
  • No SBOM publication (M1.11)
  • No signing ceremony / MOK / Secure Boot wiring (separate milestone)

If a change to this directory expands its scope into one of those, push back — the M1.1 gate is intentionally narrow.

Reference in New Issue View Git Blame Copy Permalink