SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd215cba547111da40c9ff8f519172bb1ca29126
SilverMetal/linux/build/docker/Dockerfile.builder
SysAdmin e260fe1c81
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Failing after 2s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Has been skipped
Details
ci(linux/build): self-host the builder image build + iter16 reprepro wrap (M1.1) 
Two coupled changes that unblock the M1.1 iter loop. Both belong in CI;
iter1-15 was wrong to require human-in-the-loop steps to make progress.

1. **CI now builds Dockerfile.builder.**

   `.gitea/workflows/build-iso-linux.yaml` grows a `builder-image` job
   that runs ahead of `build-and-verify`. It rebuilds the silvermetal-
   builder image from `linux/build/docker/Dockerfile.builder`, pushes it
   to `docker-registry.silverlabs.uk/silvermetal-builder:m1.1-<sha>` (and
   `:latest`), reads the resulting digest off `docker inspect`, and
   feeds it forward as a job output. `build-and-verify` consumes that
   digest as the `BUILDER_IMAGE` env override that `build.sh` already
   honours (and validates is digest-form on line ~37).

   That kills the old workflow where every Dockerfile.builder change
   required a human to `docker build` + `docker push` on 10.0.0.51 by
   hand and then bump the digest in `build.sh` in lockstep. The crash
   that triggered this (exit 126 mid-iter16 build run) was a symptom of
   that off-CI step still existing.

   Both jobs run on the existing `silvermetal-builder` runner; the host
   docker daemon is shared via DooD and is already authenticated to
   `docker-registry.silverlabs.uk` (linux/build/runner/docker-compose.yml
   mounts `/root/.docker:/root/.docker:ro`), so no extra login step.

   The hardcoded `BUILDER_IMAGE` digest in `build.sh` stays as the
   local-developer / offline-rebuild fallback. Comments updated in
   `build.sh`, `Dockerfile.builder`, and `linux/build/README.md` to
   match the new flow.

2. **reprepro wrapper for the benign "No priority for X" case.**

   Pinned derivative-maker's `2100_create-debian-packages` (with
   --target iso) re-imports source packages from snapshot.debian.org
   into a local apt repo via `reprepro --basedir … includedsc local
   <foo>.dsc`. The local repo's `conf/distributions` ships no
   `DscOverride` entries, so any source package whose `.dsc` lacks an
   explicit Priority field trips:

       No priority for 'X', skipping.
       There have been errors!

   …and reprepro exits 255. dm-reprepro-wrapper bubbles that up,
   2100_create-debian-packages aborts. The current offender is
   `virtualbox_*.dsc` (key import is now fine — debian-keyring landed in
   commit 4aa59ba — but the priority field gap remains). VirtualBox is
   not in SilverMetal's `--target iso` set, so the sane behaviour is
   "log it, continue".

   New `linux/build/docker/silvermetal-reprepro-wrap.sh` shadows
   `/usr/bin/reprepro` at `/usr/local/bin/reprepro` (PATH precedence).
   It runs the real reprepro, captures merged stdout+stderr, and:
   - if rc != 0 AND every non-blank output line matches one of the
     known-benign patterns ("No priority for 'X', skipping." plus the
     trailing "There have been errors!"), emits the output, logs one
     line of explanation to stderr, and exits 0;
   - otherwise emits the output and propagates rc unchanged.

   Any *other* reprepro error path stays fatal — only the specific
   "No priority for X" pattern is neutralised. `dm-reprepro-wrapper`
   resolves `reprepro` via `\$PATH` so it picks up the wrapper
   transparently.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:30:08 +01:00

144 lines
6.2 KiB
Ruby
Raw Blame History

# SilverMetal Linux — reproducible-build runner image (systemd-in-container).
#
# This image is the "build host" for the ISO. derivative-maker's build
# steps assume a real systemd-managed Debian host — they call
# `systemctl restart approx-...`, `systemctl daemon-reload`, etc. and
# expect the services they configure to actually run. The clean way to
# satisfy that without a per-service whack-a-mole is to follow upstream's
# own container pattern: systemd as PID 1 inside the container, with an
# entrypoint that records the user-supplied command, masks irrelevant
# units, and execs systemd. systemd then runs `docker-entrypoint.service`
# which executes the recorded command, propagating its exit code back to
# `docker run`.
#
# The vendored systemd entrypoint files live in
# linux/build/docker/systemd-entrypoint/ and are pinned 1:1 to upstream's
# pattern (see that directory's README for the bump procedure).
#
# Pinning by digest is the only thing keeping host-toolchain drift out
# of the reproducibility gate, so do NOT replace the FROM line with a
# tag-only reference.
#
# Build & push: handled by .gitea/workflows/build-iso-linux.yaml
# (`builder-image` job). Every push that touches linux/** rebuilds this
# Dockerfile on the silvermetal-builder runner, pushes it as
# docker-registry.silverlabs.uk/silvermetal-builder:m1.1-<sha> + :latest,
# and feeds the resulting digest into the build-and-verify job via the
# BUILDER_IMAGE env override that build.sh supports. Do NOT build it
# locally during normal iter cycles — let CI do it. The pin in
# build.sh#BUILDER_IMAGE is only the local-developer / offline-rebuild
# fallback.
# debian:trixie-slim — pinned by digest.
# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on 10.0.0.51.
FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
ENV DEBIAN_FRONTEND=noninteractive \
LC_ALL=C.UTF-8 \
LANG=C.UTF-8 \
SOURCE_DATE_EPOCH=0 \
USER=user \
HOME=/home/user \
container=docker
# Pinned package versions. These come from the same snapshot.debian.org
# timestamp as the ISO build, so a Dockerfile rebuild against that
# snapshot produces the same toolchain bit-for-bit.
ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
# Two-phase install:
# 1. Use the base image's default mirror to seed ca-certificates so
# HTTPS to snapshot.debian.org works. (slim images don't ship
# CA bundles by default.)
# 2. Pin sources.list to the snapshot and install the actual toolchain.
# Phase 1 touches deb.debian.org without a pin; that's fine because
# nothing it installs ends up in the final ISO — only the toolchain
# installed in phase 2 does, and that is fully snapshot-pinned.
#
# Package set explanation:
# - systemd / systemd-sysv / dbus / dbus-user-session
# systemd-in-container runtime; PID 1 of the build container
# - sq sqv sqop sequoia-git sequoia-chameleon-gnupg gpg-agent
# upstream's commit-signature verification stack (sq-git etc.)
# - approx
# package proxy started by 1200_prepare-build-machine; with
# systemd as PID 1, the .socket / @.service units actually fire
# - dpkg-dev fakeroot fasttrack-archive-keyring safe-rm adduser sudo
# ca-certificates git time curl lsb-release
# baseline tools derivative-maker assumes are present
# - debootstrap diffoscope-minimal dosfstools isolinux live-build
# mtools reprepro rsync squashfs-tools syslinux-common xorriso
# SilverMetal ISO toolchain (live-build chain + diff for the
# reproducibility gate)
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates; \
rm -f /etc/apt/sources.list.d/*; \
printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
apt-get -o Acquire::Check-Valid-Until=false update; \
apt-get install -y --no-install-recommends \
systemd \
systemd-sysv \
dbus \
dbus-user-session \
sq \
sqv \
sqop \
sequoia-git \
sequoia-chameleon-gnupg \
gpg-agent \
approx \
adduser \
ca-certificates \
curl \
debian-keyring \
dpkg-dev \
fakeroot \
fasttrack-archive-keyring \
git \
gnupg \
lsb-release \
safe-rm \
sudo \
time \
debootstrap \
diffoscope-minimal \
dosfstools \
isolinux \
live-build \
mtools \
reprepro \
rsync \
squashfs-tools \
syslinux-common \
xorriso; \
apt-get clean; \
rm -rf /var/lib/apt/lists/*
# Non-root build user with passwordless sudo.
# Naming matches upstream's docker setup (USER=user, HOME=/home/user)
# so derivative-maker's docker-aware checks line up.
RUN adduser --quiet --disabled-password --home "${HOME}" --gecos "${USER},,,," "${USER}" \
&& printf '%s\n' "${USER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/passwordless_sudo \
&& chmod 440 /etc/sudoers.d/passwordless_sudo
# systemd-in-container entrypoint — vendored from upstream's
# derivative-maker/docker/. See systemd-entrypoint/README.md.
COPY systemd-entrypoint/entrypoint.sh /usr/local/bin/entrypoint.sh
COPY systemd-entrypoint/docker-entrypoint.service /etc/systemd/system/docker-entrypoint.service
COPY systemd-entrypoint/docker-entrypoint.target /etc/systemd/system/docker-entrypoint.target
COPY systemd-entrypoint/docker-entrypoint-stop.sh /usr/bin/docker-entrypoint-stop.sh
RUN chmod +x /usr/local/bin/entrypoint.sh /usr/bin/docker-entrypoint-stop.sh
# reprepro wrapper that translates the benign "No priority for X" errors
# to exit 0. /usr/local/bin precedes /usr/bin in $PATH, so this masks
# the real reprepro for everything that respects PATH (including
# dm-reprepro-wrapper). See the script header for the full rationale.
COPY silvermetal-reprepro-wrap.sh /usr/local/bin/reprepro
RUN chmod +x /usr/local/bin/reprepro
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/bin/bash"]
Reference in New Issue View Git Blame Copy Permalink