SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ced77e305ffac03056d270c68643b7f1ff8c2c84
SilverMetal/linux/build/scripts/build.sh
SysAdmin e260fe1c81
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Failing after 2s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Has been skipped
Details
ci(linux/build): self-host the builder image build + iter16 reprepro wrap (M1.1) 
Two coupled changes that unblock the M1.1 iter loop. Both belong in CI;
iter1-15 was wrong to require human-in-the-loop steps to make progress.

1. **CI now builds Dockerfile.builder.**

   `.gitea/workflows/build-iso-linux.yaml` grows a `builder-image` job
   that runs ahead of `build-and-verify`. It rebuilds the silvermetal-
   builder image from `linux/build/docker/Dockerfile.builder`, pushes it
   to `docker-registry.silverlabs.uk/silvermetal-builder:m1.1-<sha>` (and
   `:latest`), reads the resulting digest off `docker inspect`, and
   feeds it forward as a job output. `build-and-verify` consumes that
   digest as the `BUILDER_IMAGE` env override that `build.sh` already
   honours (and validates is digest-form on line ~37).

   That kills the old workflow where every Dockerfile.builder change
   required a human to `docker build` + `docker push` on 10.0.0.51 by
   hand and then bump the digest in `build.sh` in lockstep. The crash
   that triggered this (exit 126 mid-iter16 build run) was a symptom of
   that off-CI step still existing.

   Both jobs run on the existing `silvermetal-builder` runner; the host
   docker daemon is shared via DooD and is already authenticated to
   `docker-registry.silverlabs.uk` (linux/build/runner/docker-compose.yml
   mounts `/root/.docker:/root/.docker:ro`), so no extra login step.

   The hardcoded `BUILDER_IMAGE` digest in `build.sh` stays as the
   local-developer / offline-rebuild fallback. Comments updated in
   `build.sh`, `Dockerfile.builder`, and `linux/build/README.md` to
   match the new flow.

2. **reprepro wrapper for the benign "No priority for X" case.**

   Pinned derivative-maker's `2100_create-debian-packages` (with
   --target iso) re-imports source packages from snapshot.debian.org
   into a local apt repo via `reprepro --basedir … includedsc local
   <foo>.dsc`. The local repo's `conf/distributions` ships no
   `DscOverride` entries, so any source package whose `.dsc` lacks an
   explicit Priority field trips:

       No priority for 'X', skipping.
       There have been errors!

   …and reprepro exits 255. dm-reprepro-wrapper bubbles that up,
   2100_create-debian-packages aborts. The current offender is
   `virtualbox_*.dsc` (key import is now fine — debian-keyring landed in
   commit 4aa59ba — but the priority field gap remains). VirtualBox is
   not in SilverMetal's `--target iso` set, so the sane behaviour is
   "log it, continue".

   New `linux/build/docker/silvermetal-reprepro-wrap.sh` shadows
   `/usr/bin/reprepro` at `/usr/local/bin/reprepro` (PATH precedence).
   It runs the real reprepro, captures merged stdout+stderr, and:
   - if rc != 0 AND every non-blank output line matches one of the
     known-benign patterns ("No priority for 'X', skipping." plus the
     trailing "There have been errors!"), emits the output, logs one
     line of explanation to stderr, and exits 0;
   - otherwise emits the output and propagates rc unchanged.

   Any *other* reprepro error path stays fatal — only the specific
   "No priority for X" pattern is neutralised. `dm-reprepro-wrapper`
   resolves `reprepro` via `\$PATH` so it picks up the wrapper
   transparently.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:30:08 +01:00

203 lines
8.9 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# SilverMetal Linux — ISO build wrapper.
#
# Runs the Kicksecure derivative-maker inside the pinned builder container
# with the reproducibility levers locked down. This script is the single
# entry point for both local developer builds and CI — there is no separate
# CI-only path. If you need to debug, run *this*, not lb directly.
#
# Usage:
# linux/build/scripts/build.sh # writes to linux/build/output/<commit>
# BUILD_DIR=/tmp/build-a linux/build/scripts/build.sh # override output root
#
# Exit codes:
# 0 ISO produced and SHA256SUMS written
# 1 argument / environment error
# 2 derivative-maker submodule missing
# 3 build failed
# 4 post-build hash/manifest step failed
set -euo pipefail
# --- Locate repo root -------------------------------------------------------
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd -- "${SCRIPT_DIR}/../../.." && pwd)"
cd "${REPO_ROOT}"
# --- Pinned builder image ---------------------------------------------------
# In CI this is always overridden by the BUILDER_IMAGE env var that the
# `builder-image` job in .gitea/workflows/build-iso-linux.yaml passes in
# (the digest of the silvermetal-builder image it just built and pushed).
# The hardcoded default below is the local-developer / offline-rebuild
# fallback; bump it after any meaningful Dockerfile.builder change merges
# so `linux/build/scripts/build.sh` works without CI for the same commit.
# The digest form is required either way; refusing the tag-only form is
# what stops a silent host drift.
#
# docker-registry.silverlabs.uk is the canonical hostname both inside and
# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
# registers as an insecure-registry. The host-style "docker-registry:5000"
# is *not* DNS-resolvable; do not use it.
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:2f680c9629833400573d26a0e25b32b4f13a61a7e4d91543df8983a67801f0db}"
if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2
exit 1
fi
# --- Sanity: submodule present ---------------------------------------------
if [[ ! -f "linux/build/derivative-maker/.git" && ! -d "linux/build/derivative-maker/.git" ]]; then
echo "build.sh: linux/build/derivative-maker submodule is not initialised." >&2
echo " Run: git submodule update --init --recursive" >&2
exit 2
fi
# --- Compute SOURCE_DATE_EPOCH ---------------------------------------------
# Order of preference:
# 1. Explicit env var passed in (CI may set it for cross-runner consistency)
# 2. config/source-date-epoch.env override (offline rebuilds)
# 3. git commit timestamp of HEAD (default)
# shellcheck disable=SC1091
source linux/build/config/source-date-epoch.env || true
if [[ -z "${SOURCE_DATE_EPOCH:-}" ]]; then
if [[ -n "${SOURCE_DATE_EPOCH_OVERRIDE:-}" ]]; then
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH_OVERRIDE}"
echo "build.sh: using SOURCE_DATE_EPOCH override = ${SOURCE_DATE_EPOCH}"
else
SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
fi
fi
export SOURCE_DATE_EPOCH
# --- Pinned snapshot timestamp ---------------------------------------------
# shellcheck disable=SC1091
source linux/build/config/snapshot-pin.env
export SNAPSHOT_TIMESTAMP
# --- Resolve commit & output dir -------------------------------------------
COMMIT_SHA="$(git rev-parse --short=12 HEAD)"
BUILD_DIR="${BUILD_DIR:-${REPO_ROOT}/linux/build/output/${COMMIT_SHA}}"
mkdir -p "${BUILD_DIR}"
echo "build.sh: commit=${COMMIT_SHA} epoch=${SOURCE_DATE_EPOCH} snapshot=${SNAPSHOT_TIMESTAMP}"
echo "build.sh: output -> ${BUILD_DIR}"
# --- Mount strategy: local vs CI -------------------------------------------
# Locally we bind-mount the repo into the build container at the *same*
# path (self-referential), so internal references work transparently and
# the inner script doesn't need to care which host it's on.
#
# In CI we can't do that. build.sh runs inside a Gitea Actions job
# container which talks to the *host's* docker daemon via /var/run/docker.sock.
# Bind-mounting REPO_ROOT (= /workspace/<owner>/<repo>) would resolve
# against the host filesystem where that path doesn't exist; docker
# silently creates an empty dir on the host and mounts that, leaving the
# build container with an empty /work and a confusing "No such file or
# directory" error on the first config source.
#
# The standard fix for that DooD topology is --volumes-from of the parent
# job container, which inherits its /workspace mount intact. That keeps
# paths identical inside and outside, so the inner heredoc below is the
# same in both environments.
if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
BIND_ARGS=(--volumes-from "$(hostname)")
else
BIND_ARGS=(-v "${REPO_ROOT}:${REPO_ROOT}:rw")
# If BUILD_DIR lives outside REPO_ROOT (uncommon, but the env-var
# override allows it), mount it explicitly too.
if [[ "${BUILD_DIR}" != "${REPO_ROOT}/"* && "${BUILD_DIR}" != "${REPO_ROOT}" ]]; then
BIND_ARGS+=(-v "${BUILD_DIR}:${BUILD_DIR}:rw")
fi
fi
# --- Run the build inside the container ------------------------------------
# This is a systemd-in-container build host. Upstream Kicksecure's
# derivative-maker assumes a real systemd-managed Debian — its build steps
# call `systemctl restart approx-derivative-maker.socket`,
# `systemctl daemon-reload`, etc. and depend on those services *actually*
# running. Without systemd as PID 1 we'd be playing whack-a-mole with
# every service derivative-maker starts.
#
# Required runtime flags for systemd-in-container:
# --privileged live-build needs loop devices + chroot mounts
# --cgroupns=host systemd needs to manage cgroups; with its own
# namespace it can't see the host hierarchy
# --tmpfs /run, /run/lock systemd writes runtime state here
# -v /sys/fs/cgroup:rw the cgroup tree systemd manages
#
# `tail -f /dev/null` is NOT used — control flow goes through systemd:
# entrypoint.sh writes the user command to /etc/docker-entrypoint-cmd,
# execs systemd, systemd boots docker-entrypoint.service which runs the
# command, and docker-entrypoint-stop.sh propagates exit code via
# `systemctl exit <code>` so the container exits with the right status.
#
# `-t` (PTY for stdout/stderr) is required for build-log visibility:
# systemd-as-PID-1 inherits the PTY from the container, and the
# docker-entrypoint.service propagates it to the build via
# StandardOutput=inherit. Without -t, the service log goes to the
# journal only (invisible to docker run / Gitea Actions).
#
# Critically, we do NOT add `-i`. Without -i, fd 0 inside the container
# is /dev/null, not a TTY — and the vendored docker-entrypoint.service
# explicitly sets `StandardInput=null` so the service inherits no TTY
# on fd 0 either. That keeps derivative-maker's `[ -t 0 ]` check false
# so its exception handler stays in non-interactive mode (otherwise any
# error drops into a `read -p 'Answer? '` prompt and the whole
# container hangs forever, orphaning docker run and blocking the runner).
docker run --rm --privileged \
--cgroupns=host \
--tmpfs /run \
--tmpfs /run/lock \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
--network=host \
-t \
"${BIND_ARGS[@]}" \
-e SOURCE_DATE_EPOCH \
-e SNAPSHOT_TIMESTAMP \
-e LC_ALL=C.UTF-8 \
-e LANG=C.UTF-8 \
-e TZ=UTC \
-e REPO_ROOT="${REPO_ROOT}" \
-e BUILD_DIR="${BUILD_DIR}" \
"${BUILDER_IMAGE}" \
bash -c '
# docker-entrypoint.service runs this as root via systemd, with
# the env vars captured by entrypoint.sh into
# /etc/docker-entrypoint-env. We hand workspace ownership to the
# unprivileged user (uid 1000), then sudo into it for the
# derivative-maker invocation. derivative-maker uses sudo
# internally for the bits that need root.
set -e
chown -R 1000:1000 "${REPO_ROOT}" "${BUILD_DIR}"
exec sudo --non-interactive --preserve-env -u user -- \
"${REPO_ROOT}/linux/build/scripts/build-inner.sh"
' \
|| { echo "build.sh: derivative-maker failed"; exit 3; }
# --- Hash artefacts ---------------------------------------------------------
# Run hashing on the host (not in the container) so a busted container image
# can't tamper with the digests we publish.
shopt -s nullglob
ISO_FILES=("${BUILD_DIR}"/*.iso)
shopt -u nullglob
if (( ${#ISO_FILES[@]} == 0 )); then
echo "build.sh: no ISO produced in ${BUILD_DIR}" >&2
exit 4
fi
(
cd "${BUILD_DIR}"
sha256sum -- *.iso > SHA256SUMS
cp -- "${REPO_ROOT}/linux/build/config/snapshot-pin.env" snapshot-pin.env
{
echo "commit=${COMMIT_SHA}"
echo "source_date_epoch=${SOURCE_DATE_EPOCH}"
echo "snapshot_timestamp=${SNAPSHOT_TIMESTAMP}"
echo "builder_image=${BUILDER_IMAGE}"
echo "host_uname=$(uname -srm)"
} > BUILD_INFO
)
echo "build.sh: SHA256SUMS:"
cat "${BUILD_DIR}/SHA256SUMS"
Reference in New Issue View Git Blame Copy Permalink