SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9c406598e21f7fa8fdf75bf6be105f1f977f6bbc
SilverMetal/linux/build/docker/Dockerfile.builder
SysAdmin 38ac4f8a96
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 15m34s
Details
fix(linux/build): systemd-in-container build host (M1.1) 
Run #4258 cleared the systemctl shim only to die two seconds later on
the *next* expectation derivative-maker has of a real systemd host:
its sources.list points at http://127.0.0.1:9977/debian (the approx
package-cache socket-activated by systemd) and apt-get update could
not reach the daemon because nothing was actually started by the
no-op shim:

    Err:1 http://127.0.0.1:9977/debian trixie InRelease
      Could not connect to 127.0.0.1:9977 (127.0.0.1).
      - connect (111: Connection refused)

Whack-a-mole'ing each service derivative-maker tries to start (approx
today, then journald, then systemd-logind, then who-knows-what
tomorrow) is going to keep failing for a while — derivative-maker is
fundamentally designed for a real systemd-managed Debian host. The
container pattern upstream itself ships
(linux/build/derivative-maker/docker/) runs systemd as PID 1 inside
the container; this commit adopts that approach.

Architecture:

  - PID 1 in the build container is now systemd. Upstream's vendored
    entrypoint.sh records the user-supplied command into
    /etc/docker-entrypoint-cmd, captures env into
    /etc/docker-entrypoint-env, masks irrelevant units, and execs
    systemd. systemd boots, docker-entrypoint.service runs the
    command, docker-entrypoint-stop.sh propagates the exit code via
    `systemctl exit <code>` so the container exits with the right
    status.

  - The four entrypoint files (entrypoint.sh,
    docker-entrypoint.service / .target, docker-entrypoint-stop.sh)
    are vendored at linux/build/docker/systemd-entrypoint/ rather
    than COPY'd from the submodule path — Docker build context can
    only reach below itself, and bumping is tracked in that dir's
    README.

  - Container runtime now requires --cgroupns=host, --tmpfs /run,
    --tmpfs /run/lock, and -v /sys/fs/cgroup:/sys/fs/cgroup:rw so
    systemd can manage cgroups properly. -t allocates a TTY,
    satisfying entrypoint.sh's `[ ! -t 0 ] && exit 1` check in CI
    where stdin is otherwise /dev/null.

  - User renamed builder → user (uid 1000, passwordless sudo) to
    match upstream's USER=user / HOME=/home/user convention. chown
    in build.sh now uses uid 1000:1000 so it's name-agnostic.

  - Image package list grew to match upstream's
    derivative-maker-docker-setup (sq stack + dbus + approx + the
    rest) plus our ISO toolchain (live-build / debootstrap / xorriso
    / squashfs-tools / etc.). Snapshot.debian.org pinning is
    preserved (same APT_SNAPSHOT_URL, two-phase install pattern).

Verified:

  Smoke test on 10.0.0.51 — `docker run --rm --privileged
  --cgroupns=host --tmpfs /run --tmpfs /run/lock -v /sys/fs/cgroup:...:rw
  -t <image> /bin/bash -c 'echo OK'` — booted systemd, ran the
  command via docker-entrypoint.service, captured the output, shut
  down filesystems and exited cleanly.

build.sh BUILDER_IMAGE pin → sha256:dc9dd29d…8811. Image rebuilt
natively on 10.0.0.51, pushed to docker-registry.silverlabs.uk.

The systemctl shim is removed by virtue of the Dockerfile rewrite —
real systemd makes it unnecessary. The previous "iter6 / iter7"
intermediate digests stay in the registry until we GC; the live one
is m1.1-iter8-systemd.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 12:06:47 +01:00

138 lines
5.8 KiB
Ruby
Raw Blame History

# SilverMetal Linux — reproducible-build runner image (systemd-in-container).
#
# This image is the "build host" for the ISO. derivative-maker's build
# steps assume a real systemd-managed Debian host — they call
# `systemctl restart approx-...`, `systemctl daemon-reload`, etc. and
# expect the services they configure to actually run. The clean way to
# satisfy that without a per-service whack-a-mole is to follow upstream's
# own container pattern: systemd as PID 1 inside the container, with an
# entrypoint that records the user-supplied command, masks irrelevant
# units, and execs systemd. systemd then runs `docker-entrypoint.service`
# which executes the recorded command, propagating its exit code back to
# `docker run`.
#
# The vendored systemd entrypoint files live in
# linux/build/docker/systemd-entrypoint/ and are pinned 1:1 to upstream's
# pattern (see that directory's README for the bump procedure).
#
# Pinning by digest is the only thing keeping host-toolchain drift out
# of the reproducibility gate, so do NOT replace the FROM line with a
# tag-only reference.
#
# Build & push (run on 10.0.0.51 — never on the WSL/aarch64 dev box):
# docker build \
# -f linux/build/docker/Dockerfile.builder \
# -t docker-registry.silverlabs.uk/silvermetal-builder:<commit> \
# -t docker-registry.silverlabs.uk/silvermetal-builder:latest \
# linux/build/docker
# docker push docker-registry.silverlabs.uk/silvermetal-builder:<commit>
#
# To bump the base image: replace the digest, rebuild, push, update
# BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
# check, commit all the changes together.
# debian:trixie-slim — pinned by digest.
# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on 10.0.0.51.
FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
ENV DEBIAN_FRONTEND=noninteractive \
LC_ALL=C.UTF-8 \
LANG=C.UTF-8 \
SOURCE_DATE_EPOCH=0 \
USER=user \
HOME=/home/user \
container=docker
# Pinned package versions. These come from the same snapshot.debian.org
# timestamp as the ISO build, so a Dockerfile rebuild against that
# snapshot produces the same toolchain bit-for-bit.
ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
# Two-phase install:
# 1. Use the base image's default mirror to seed ca-certificates so
# HTTPS to snapshot.debian.org works. (slim images don't ship
# CA bundles by default.)
# 2. Pin sources.list to the snapshot and install the actual toolchain.
# Phase 1 touches deb.debian.org without a pin; that's fine because
# nothing it installs ends up in the final ISO — only the toolchain
# installed in phase 2 does, and that is fully snapshot-pinned.
#
# Package set explanation:
# - systemd / systemd-sysv / dbus / dbus-user-session
# systemd-in-container runtime; PID 1 of the build container
# - sq sqv sqop sequoia-git sequoia-chameleon-gnupg gpg-agent
# upstream's commit-signature verification stack (sq-git etc.)
# - approx
# package proxy started by 1200_prepare-build-machine; with
# systemd as PID 1, the .socket / @.service units actually fire
# - dpkg-dev fakeroot fasttrack-archive-keyring safe-rm adduser sudo
# ca-certificates git time curl lsb-release
# baseline tools derivative-maker assumes are present
# - debootstrap diffoscope-minimal dosfstools isolinux live-build
# mtools reprepro rsync squashfs-tools syslinux-common xorriso
# SilverMetal ISO toolchain (live-build chain + diff for the
# reproducibility gate)
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates; \
rm -f /etc/apt/sources.list.d/*; \
printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
apt-get -o Acquire::Check-Valid-Until=false update; \
apt-get install -y --no-install-recommends \
systemd \
systemd-sysv \
dbus \
dbus-user-session \
sq \
sqv \
sqop \
sequoia-git \
sequoia-chameleon-gnupg \
gpg-agent \
approx \
adduser \
ca-certificates \
curl \
dpkg-dev \
fakeroot \
fasttrack-archive-keyring \
git \
gnupg \
lsb-release \
safe-rm \
sudo \
time \
debootstrap \
diffoscope-minimal \
dosfstools \
isolinux \
live-build \
mtools \
reprepro \
rsync \
squashfs-tools \
syslinux-common \
xorriso; \
apt-get clean; \
rm -rf /var/lib/apt/lists/*
# Non-root build user with passwordless sudo.
# Naming matches upstream's docker setup (USER=user, HOME=/home/user)
# so derivative-maker's docker-aware checks line up.
RUN adduser --quiet --disabled-password --home "${HOME}" --gecos "${USER},,,," "${USER}" \
&& printf '%s\n' "${USER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/passwordless_sudo \
&& chmod 440 /etc/sudoers.d/passwordless_sudo
# systemd-in-container entrypoint — vendored from upstream's
# derivative-maker/docker/. See systemd-entrypoint/README.md.
COPY systemd-entrypoint/entrypoint.sh /usr/local/bin/entrypoint.sh
COPY systemd-entrypoint/docker-entrypoint.service /etc/systemd/system/docker-entrypoint.service
COPY systemd-entrypoint/docker-entrypoint.target /etc/systemd/system/docker-entrypoint.target
COPY systemd-entrypoint/docker-entrypoint-stop.sh /usr/bin/docker-entrypoint-stop.sh
RUN chmod +x /usr/local/bin/entrypoint.sh /usr/bin/docker-entrypoint-stop.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/bin/bash"]
Reference in New Issue View Git Blame Copy Permalink