SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b0f1ab30f4ae85149e73a66c949b13828d38a68c
SilverMetal/linux/build/scripts/build-inner.sh
SysAdmin b0f1ab30f4
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Successful in 1s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 17m24s
Details
fix(linux/build): symlink /home/user/derivative-maker to checkout (M1.1 iter23) 
Run #4270's Build A made it 2:40 deep — past sanity-tests, prepare-
build-machine, local-deps, into 2100_create-debian-packages — then
died on:

    + /workspace/.../genmkfile/usr/bin/genmkfile reprepro-remove
    running: dm-reprepro-wrapper remove local age-api
    + /usr/bin/dm-reprepro-wrapper: line 28:
        /home/user/derivative-maker/help-steps/pre: No such file or directory

Earlier `dm-reprepro-wrapper includedsc/includedeb` calls succeeded
because 2100_create-debian-packages invokes them by absolute path
(`$source_code_folder_dist/packages/.../developer-meta-files/usr/bin/
dm-reprepro-wrapper`) — the in-repo copy resolves help-steps/pre
relative to its own location.

`genmkfile reprepro-remove` calls `dm-reprepro-wrapper` via PATH
instead, so the system copy at /usr/bin/dm-reprepro-wrapper wins. That
copy was installed by 1500_local-deps `apt install`-ing the in-repo
developer-meta-files.deb into the silvermetal-builder image at runtime.
The .deb's intended layout assumes the matching derivative-maker
checkout lives at /home/user/derivative-maker — the upstream-blessed
path. Ours is at /workspace/SilverLABS/SilverMetal/linux/build/
derivative-maker, so the relative source() at line 28 walks off into
nowhere.

Bridge the gap with a symlink at the start of build-inner.sh:

    ln -sfn "${REPO_ROOT}/linux/build/derivative-maker" \
            /home/user/derivative-maker

That keeps our self-referential CI bind-mount topology (we still cd
into REPO_ROOT/.../derivative-maker, derivative-maker still computes
paths relative to itself), but also makes the system copy of
dm-reprepro-wrapper find help-steps/pre and friends.

Both reprepro wrappers (in-repo and system-installed) now resolve to
the same files via the symlink, so the silvermetal-reprepro-wrap.sh
PATH precedence shadow at /usr/local/bin/reprepro keeps applying to
both code paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 18:11:58 +01:00

126 lines
6.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# SilverMetal Linux — inner build step.
#
# Runs *inside* the silvermetal-builder container, as the unprivileged
# `user` (uid 1000). build.sh's docker-run cmd chowns the workspace and
# sudoes here. The container's PID 1 is systemd (upstream's
# systemd-in-container pattern), so any `systemctl` calls derivative-
# maker makes — to start approx, daemon-reload, etc. — actually do
# what they're supposed to. derivative-maker uses sudo internally for
# its privileged ops.
#
# Why this is its own file:
# The previous incarnation lived as a heredoc inside build.sh's docker
# run command. Once we needed to drop privileges from root to user,
# the nested-heredoc / nested-quoting situation became unreadable; a
# plain script with normal quoting is far easier to maintain.
#
# Required env vars (set by build.sh and forwarded into the container):
# REPO_ROOT — absolute path to the SilverMetal repo root
# BUILD_DIR — where to drop the resulting *.iso and manifests
# SOURCE_DATE_EPOCH — reproducibility timestamp (forwarded to live-build)
# SNAPSHOT_TIMESTAMP — apt snapshot pin (forwarded to live-build)
set -euo pipefail
: "${REPO_ROOT:?REPO_ROOT must be set}"
: "${BUILD_DIR:?BUILD_DIR must be set}"
# Explicit user_name pin.
# derivative-maker/help-steps/variables (lines 80-93) computes user_name
# from $SUDO_USER as its first non-empty fallback. We enter this script
# via `sudo --preserve-env -u user --` from root, which makes sudo set
# SUDO_USER=root (the *calling* user). Variables.sh then picks
# user_name="root" and computes HOMEVAR=/home/root — which doesn't exist
# (root's home is /root). The first thing that breaks under that path
# is the aptgetopt config tee in 1100_sanity-tests:
# tee: /home/root/derivative-binary/30_derivative-maker.conf:
# No such file or directory
# Setting user_name explicitly satisfies the first-priority check in
# variables.sh and short-circuits the SUDO_USER fallback.
export user_name=user
# Create the binary output directory derivative-maker writes into.
# variables.sh sets binary_build_folder_dist=$HOMEVAR/derivative-binary
# (= /home/user/derivative-binary), and 1100_sanity-tests / later steps
# expect it to exist. Upstream's docker-start does the equivalent
# `mkdir --parents -- "${HOME}/derivative-binary"`; we replicate that
# here so we don't depend on upstream's wrapper.
mkdir -p "${HOME}/derivative-binary"
# Import Debian developer keys into the user's GPG keyring.
# 2100_create-debian-packages calls `dm-reprepro-wrapper includedsc`
# on Debian source packages it pulls in (e.g. virtualbox_*.dsc, even
# for --target iso — see 2100_create-debian-packages line 114), and
# reprepro verifies each .dsc's signature against the user's keyring.
# Without this, every dsc with a Debian-uploader signature fails:
# Could not check validity of signature with '<fingerprint>' in
# '...virtualbox_7.2.8-dfsg-1.dsc' as public key missing!
# There have been errors!
# debian-keyring (~40 MB, snapshot-pinned) provides the developer
# keys; importing it once at the start of the build seeds the keyring
# reprepro will consult.
if [ -d /usr/share/keyrings ]; then
for f in /usr/share/keyrings/debian-keyring.gpg \
/usr/share/keyrings/debian-maintainers.gpg \
/usr/share/keyrings/debian-nonupload.gpg; do
[ -f "$f" ] || continue
gpg --quiet --no-tty --import "$f" 2>/dev/null || true
done
fi
# Bridge the upstream-blessed checkout path.
# 1500_local-deps installs the in-repo `developer-meta-files.deb` system-
# wide. That deb ships /usr/bin/dm-reprepro-wrapper, which begins with
# source "${0%/*}/../../help-steps/pre"
# resolved against the install location (/usr/bin) and a user_name-relative
# layout that lands at /home/user/derivative-maker/help-steps/pre.
# When 2100_create-debian-packages calls `dm-reprepro-wrapper` via PATH
# (e.g. through `genmkfile reprepro-remove`), the system copy wins over
# the in-repo one, and the source fails:
# /usr/bin/dm-reprepro-wrapper: line 28:
# /home/user/derivative-maker/help-steps/pre: No such file or directory
# Make /home/user/derivative-maker resolve to our actual checkout so both
# the in-repo and system-installed wrappers find the same support files.
ln -sfn "${REPO_ROOT}/linux/build/derivative-maker" /home/user/derivative-maker
# shellcheck disable=SC1091
source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
cd "${REPO_ROOT}/linux/build/derivative-maker"
# CLI grammar comes from derivative-maker/help-steps/parse-cmd. The
# valid options are a closed set; passing anything else (including
# --build, --dist, or --config) trips the "unknown option" guard at
# parse-cmd line 725. Spelling matters too: upstream uses --flavor
# (American), not --flavour. --freedom is mandatory for amd64/i386.
# Dist is implicit from --flavor (kicksecure-cli => trixie), and
# the silvermetal-base.conf is sourced into the env above rather than
# passed as a flag because derivative-maker has no --config option.
#
# --allow-untagged true / --allow-uncommitted true: the pinned upstream
# tag (18.1.7.4-developers-only — name says it all) deliberately ships
# with some submodules at intermediate / merge commits. sq-git still
# verifies every signature in the chain — these flags only relax the
# additional "must be at a release tag" check. Appropriate for a
# downstream consumer pinned to a developer tag.
./derivative-maker \
--flavor "${DERIVATIVE_FLAVOUR}" \
--target "${DERIVATIVE_BUILD_TARGET}" \
--arch "${DERIVATIVE_TARGET_ARCH}" \
--freedom "${DERIVATIVE_FREEDOM}" \
--allow-untagged true \
--allow-uncommitted true
# derivative-maker writes its outputs into ${HOME}/derivative-binary
# (per help-steps/variables: binary_build_folder_dist=$HOMEVAR/derivative-binary),
# *not* into the source tree. Collect from there into BUILD_DIR.
# Exact upstream output paths can shift between tags — keep this tolerant.
find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.iso" -print0 \
| xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/"
# Manifest of file metadata that lives inside the ISO. Useful when
# diagnosing reproducibility regressions without re-extracting.
find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.manifest" -print0 \
| xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" 2>/dev/null || true
Reference in New Issue View Git Blame Copy Permalink