diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..a9fa5bbc
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-02T15:47:10Z by kres 32170a7-dirty.
+
+*
+!CHANGELOG.md
+!README.md
+!pkg.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bac74a67..c5811f54 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,8 +1,12 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2023-11-03T11:00:40Z by kres latest.
+
 name: default
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
-on:
+"on":
   push:
     branches:
       - main
@@ -15,46 +19,49 @@ on: - release-* jobs: default: - if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) permissions: + actions: read + contents: write packages: write + pull-requests: read runs-on: - self-hosted - pkgs + if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) outputs: labels: ${{ steps.workflow-run-info.outputs.pullRequestLabels }} services: buildkitd: - image: moby/buildkit:buildx-stable-1 + image: moby/buildkit:v0.12.2 + options: --privileged ports: - 1234:1234 - options: --privileged volumes: - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml steps: - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Unshallow run: | git fetch --prune --unshallow - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: - driver: remote - endpoint: tcp://localhost:1234 append: | - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234 platforms: linux/arm64 - - name: build + driver: remote + endpoint: tcp://localhost:1234 + - name: Build run: | make - - name: build nonfree + - name: Build nonfree run: | make nonfree - name: Login to registry if: github.event_name != 'pull_request' - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io @@ -62,8 +69,16 @@ jobs: - name: Push to registry if: github.event_name != 'pull_request' run: | - make PUSH=true + make PUSH=true + - name: Push nonfree + if: github.event_name != 'pull_request' + run: | make nonfree PUSH=true + - name: Retrieve workflow info + id: workflow-run-info + uses: potiuk/get-workflow-origin@v1_5 + with: + token: ${{ secrets.GITHUB_TOKEN }} - name: release-notes if: startsWith(github.ref, 'refs/tags/') run: | 
@@ -74,8 +89,36 @@ jobs: with: body_path: _out/RELEASE_NOTES.md draft: "true" - - name: Retrieve workflow info - id: workflow-run-info - uses: potiuk/get-workflow-origin@v1_5 + reproducibility: + runs-on: + - self-hosted + - pkgs + if: contains(needs.default.outputs.labels, 'integration/reproducibility') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.12.2 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 with: - token: ${{ secrets.GITHUB_TOKEN }} + append: | + - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234 + platforms: linux/arm64 + driver: remote + endpoint: tcp://localhost:1234 + - name: reproducibility-test + run: | + make reproducibility-test diff --git a/.github/workflows/slack-notify.yaml b/.github/workflows/slack-notify.yaml index 34074c25..46abd21f 100644 --- a/.github/workflows/slack-notify.yaml +++ b/.github/workflows/slack-notify.yaml @@ -1,12 +1,13 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2023-11-01T12:40:50Z by kres f0cdabb-dirty. +# Generated on 2023-11-03T11:00:40Z by kres latest. name: slack-notify "on": workflow_run: workflows: - default + - weekly types: - completed jobs: diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml new file mode 100644 index 00000000..15ce0a59 --- /dev/null +++ b/.github/workflows/weekly.yaml 
@@ -0,0 +1,42 @@ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2023-11-03T11:00:40Z by kres latest. + +name: weekly +concurrency: + group: ${{ github.head_ref || github.run_id }} + cancel-in-progress: true +"on": + schedule: + - cron: 30 1 * * 1 +jobs: + reproducibility: + runs-on: + - self-hosted + - pkgs + services: + buildkitd: + image: moby/buildkit:v0.12.2 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + append: | + - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234 + platforms: linux/arm64 + driver: remote + endpoint: tcp://localhost:1234 + - name: reproducibility-test + run: | + make reproducibility-test diff --git a/.gitignore b/.gitignore index 01b6a2d5..734b7cba 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ -_out/ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2023-11-02T15:50:53Z by kres latest. + +_out internal/extensions/image-digests diff --git a/.kres.yaml b/.kres.yaml new file mode 100644 index 00000000..040b35f3 --- /dev/null +++ b/.kres.yaml 
@@ -0,0 +1,114 @@ +--- +kind: pkgfile.Build +spec: + targets: + - amdgpu-firmware + - amd-ucode + - binfmt-misc + - bnx2-bnx2x + - btrfs + - chelsio-drivers + - chelsio-firmware + - drbd + - fuse3 + - gasket-driver + - gvisor + - hello-world-service + - i915-ucode + - intel-ice-firmware + - intel-ucode + - iscsi-tools + - nut-client + - nvidia-container-toolkit + - nvidia-fabricmanager + - nvidia-open-gpu-kernel-modules + - qemu-guest-agent + - stargz-snapshotter + - tailscale + - thunderbolt + - usb-modem-drivers + - util-linux-tools + - xe-guest-utilities + - zfs + additionalTargets: + nonfree: + - nonfree-kmod-nvidia + reproducibleTargetName: reproducibility + extraBuildArgs: + - TAG + - PKGS + useBldrPkgTagResolver: true +--- +kind: common.Build +spec: + ignoredPaths: + - "internal/extensions/image-digests" +--- +kind: auto.CustomSteps +spec: + steps: + - name: extensions + toplevel: true + - name: extensions-metadata + toplevel: true + - name: internal/extensions/image-digests + toplevel: true + - name: sign-images + toplevel: true +--- +kind: custom.Step +name: extensions +spec: + makefile: + enabled: true + phony: true + variables: + - name: EXTENSIONS_IMAGE_REF + defaultValue: $(REGISTRY_AND_USERNAME)/extensions:$(TAG) + - name: PKGS + defaultValue: v1.6.0-alpha.0-26-g5f84302 + depends: + - internal/extensions/image-digests + script: + - | + @$(MAKE) docker-$@ TARGET_ARGS="--tag=$(EXTENSIONS_IMAGE_REF) --push=$(PUSH)" +--- +kind: custom.Step +name: extensions-metadata +spec: + makefile: + enabled: true + phony: true + depends: + - $(ARTIFACTS)/bldr + script: + - | + @rm -f _out/extensions-metadata + @$(foreach target,$(TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) >> _out/extensions-metadata;) + @$(foreach target,$(NONFREE_TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 
2>/dev/null) >> _out/extensions-metadata;) +--- +kind: custom.Step +name: internal/extensions/image-digests +spec: + makefile: + enabled: true + phony: true + depends: + - extensions-metadata + script: + - | + @cat _out/extensions-metadata | xargs -I{} sh -c 'echo {}@$$(crane digest {})' > internal/extensions/image-digests +--- +kind: custom.Step +name: sign-images +spec: + makefile: + enabled: true + phony: true + script: + - | + @for image in $(shell crane export $(EXTENSIONS_IMAGE_REF) | tar x --to-stdout image-digests) $(EXTENSIONS_IMAGE_REF)@$$(crane digest $(EXTENSIONS_IMAGE_REF)); do \ + echo '==>' $$image; \ + cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \ + cosign sign --yes $$image; \ + done diff --git a/Makefile b/Makefile index 1dcf062a..2e07297f 100644 --- a/Makefile +++ b/Makefile 
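Review bot: In the `internal/extensions/image-digests` step, `xargs -I{} sh -c 'echo {}@$$(crane digest {})'` exits 0 even when `crane digest` fails, so a registry error writes a digest-less entry of the form `ref@` into `internal/extensions/image-digests` and the later `sign-images` step consumes it; the ref is also spliced into the `sh -c` command string instead of being passed as an argument. Letting a failed lookup abort the step and passing the ref positionally avoids both: `@xargs -I{} sh -c 'd=$$(crane digest "$$1") && echo "$$1@$$d"' _ {} < _out/extensions-metadata > internal/extensions/image-digests` (xargs exits 123 when any invocation fails, which fails the make target). The `$$` escaping follows the existing make-template lines in this step. The generated Makefile in this commit carries the same recipe and would pick the change up on the next rekres.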
@@ -1,132 +1,196 @@ -REGISTRY ?= ghcr.io -USERNAME ?= siderolabs -SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty) -TAG ?= $(shell git describe --tag --always --dirty) -BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD) -REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME) -# inital commit time -# git rev-list --max-parents=0 HEAD -# git log a46b3f24d158614d582da5e6e7e34b596d10cb8e --pretty=%ct -SOURCE_DATE_EPOCH ?= "1642703752" -ARTIFACTS ?= _out/ -OPERATING_SYSTEM := $(shell uname -s | tr "[:upper:]" "[:lower:]") +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2023-11-03T11:00:40Z by kres latest. + +# common variables + +SHA := $(shell git describe --match=none --always --abbrev=8 --dirty) +TAG := $(shell git describe --tag --always --dirty) +ABBREV_TAG := $(shell git describe --tags >/dev/null 2>/dev/null && git describe --tag --always --match v[0-9]\* --abbrev=0 || echo 'undefined') +BRANCH := $(shell git rev-parse --abbrev-ref HEAD) +ARTIFACTS := _out +OPERATING_SYSTEM := $(shell uname -s | tr '[:upper:]' '[:lower:]') GOARCH := $(shell uname -m | tr '[:upper:]' '[:lower:]') -EXTENSIONS_IMAGE_REF := $(REGISTRY)/$(USERNAME)/extensions:$(TAG) ifeq ($(GOARCH),x86_64) -GOARCH := amd64 + GOARCH := amd64 endif +REGISTRY ?= ghcr.io +USERNAME ?= siderolabs +REGISTRY_AND_USERNAME ?= $(REGISTRY)/$(USERNAME) +KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest +CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest + +# source date epoch of first commit + +INITIAL_COMMIT_SHA := $(shell git rev-list --max-parents=0 HEAD) +SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct) -# keep in sync with Pkgfile -BLDR_RELEASE ?= v0.2.2 -PKGS ?= v1.6.0-alpha.0-23-g2e892fd +# sync bldr image with pkgfile + +BLDR_RELEASE := v0.2.3 +BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE) +BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src + +# docker 
build settings BUILD := docker buildx build PLATFORM ?= linux/amd64,linux/arm64 PROGRESS ?= auto PUSH ?= false -COMMON_ARGS := --file=Pkgfile +CI_ARGS ?= +COMMON_ARGS = --file=Pkgfile COMMON_ARGS += --provenance=false COMMON_ARGS += --progress=$(PROGRESS) COMMON_ARGS += --platform=$(PLATFORM) -COMMON_ARGS += --build-arg=http_proxy=$(http_proxy) -COMMON_ARGS += --build-arg=https_proxy=$(https_proxy) COMMON_ARGS += --build-arg=SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) -COMMON_ARGS += --build-arg=TAG=$(TAG) -COMMON_ARGS += --build-arg=PKGS=$(PKGS) - -, := , -empty := -space = $(empty) $(empty) - -TARGETS = \ - amdgpu-firmware \ - amd-ucode \ - binfmt-misc \ - bnx2-bnx2x \ - btrfs \ - chelsio-drivers \ - chelsio-firmware \ - drbd \ - fuse3 \ - gasket-driver \ - gvisor \ - hello-world-service \ - i915-ucode \ - intel-ice-firmware \ - intel-ucode \ - iscsi-tools \ - nut-client \ - nvidia-container-toolkit \ - nvidia-fabricmanager \ - nvidia-open-gpu-kernel-modules \ - qemu-guest-agent \ - stargz-snapshotter \ - tailscale \ - thunderbolt \ - usb-modem-drivers \ - util-linux-tools \ - xe-guest-utilities \ - zfs - -# Temporarily disabled, as mellanox-ofed fails to build with Linux 6.1 -# mellanox-ofed \ - -NONFREE_TARGETS = \ - nonfree-kmod-nvidia \ - -all: $(TARGETS) ## Builds all known pkgs. - -.PHONY: nonfree -nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs. +COMMON_ARGS += --build-arg=TAG="$(TAG)" +COMMON_ARGS += --build-arg=PKGS="$(PKGS)" -.PHONY: extensions -extensions: internal/extensions/image-digests ## Builds a list of generated extension images as an image. - @$(MAKE) docker-$@ \ - TARGET_ARGS="--tag=$(EXTENSIONS_IMAGE_REF) --push=$(PUSH)" +# targets defines all the available targets -.PHONY: help -help: ## This help menu. 
- @grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' +TARGETS = amdgpu-firmware +TARGETS += amd-ucode +TARGETS += binfmt-misc +TARGETS += bnx2-bnx2x +TARGETS += btrfs +TARGETS += chelsio-drivers +TARGETS += chelsio-firmware +TARGETS += drbd +TARGETS += fuse3 +TARGETS += gasket-driver +TARGETS += gvisor +TARGETS += hello-world-service +TARGETS += i915-ucode +TARGETS += intel-ice-firmware +TARGETS += intel-ucode +TARGETS += iscsi-tools +TARGETS += nut-client +TARGETS += nvidia-container-toolkit +TARGETS += nvidia-fabricmanager +TARGETS += nvidia-open-gpu-kernel-modules +TARGETS += qemu-guest-agent +TARGETS += stargz-snapshotter +TARGETS += tailscale +TARGETS += thunderbolt +TARGETS += usb-modem-drivers +TARGETS += util-linux-tools +TARGETS += xe-guest-utilities +TARGETS += zfs +NONFREE_TARGETS = nonfree-kmod-nvidia -local-%: ## Builds the specified target defined in the Dockerfile using the local output type. The build result will be output to the specified local destination. - @$(MAKE) target-$* TARGET_ARGS="--output=type=local,dest=$(DEST) $(TARGET_ARGS)" - @PLATFORM=$(PLATFORM) \ +# extra variables + +EXTENSIONS_IMAGE_REF ?= $(REGISTRY_AND_USERNAME)/extensions:$(TAG) +PKGS ?= v1.6.0-alpha.0-26-g5f84302 + +# help menu + +export define HELP_MENU_HEADER +# Getting Started + +To build this project, you must have the following installed: + +- git +- make +- docker (19.03 or higher) + +## Creating a Builder Instance + +The build process makes use of experimental Docker features (buildx). +To enable experimental features, add 'experimental: "true"' to '/etc/docker/daemon.json' on +Linux or enable experimental features in Docker GUI for Windows or Mac. + +To create a builder instance, run: + + docker buildx create --name local --use + + +If you already have a compatible builder instance, you may use that instead. 
+ +## Artifacts -target-%: ## Builds the specified target defined in the Dockerfile. The build result will only remain in the build cache. - @$(BUILD) \ - --target=$* \ - $(COMMON_ARGS) \ - $(TARGET_ARGS) . +All artifacts will be output to ./$(ARTIFACTS). Images will be tagged with the +registry "$(REGISTRY)", username "$(USERNAME)", and a dynamic tag (e.g. $(IMAGE):$(TAG)). +The registry and username can be overridden by exporting REGISTRY, and USERNAME +respectively. -docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker. +endef + +all: $(TARGETS) ## Builds all targets defined. + +.PHONY: clean +clean: ## Cleans up all artifacts. + @rm -rf $(ARTIFACTS) + +$(ARTIFACTS): ## Creates artifacts directory. + @mkdir -p $(ARTIFACTS) + +target-%: ## Builds the specified target defined in the Pkgfile. The build result will only remain in the build cache. + @$(BUILD) --target=$* $(COMMON_ARGS) $(TARGET_ARGS) $(CI_ARGS) . + +local-%: ## Builds the specified target defined in the Pkgfile using the local output type. The build result will be output to the specified local destination. + @$(MAKE) target-$* TARGET_ARGS="--output=type=local,dest=$(DEST) $(TARGET_ARGS)" + +docker-%: ## Builds the specified target defined in the Pkgfile using the docker output type. The build result will be loaded into Docker. @$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)" +reproducibility-test: ## Builds the reproducibility test target + @$(MAKE) reproducibility-test-local-reproducibility + +reproducibility-test-local-%: ## Builds the specified target defined in the Pkgfile using the local output type with and without cahce. 
The build result will be output to the specified local destination + @rm -rf $(ARTIFACTS)/build-a $(ARTIFACTS)/build-b + @$(MAKE) local-$* DEST=$(ARTIFACTS)/build-a + @$(MAKE) local-$* DEST=$(ARTIFACTS)/build-b TARGET_ARGS="--no-cache" + @touch -ch -t $$(date -d @$(SOURCE_DATE_EPOCH) +%Y%m%d0000) $(ARTIFACTS)/build-a $(ARTIFACTS)/build-b + @diffoscope $(ARTIFACTS)/build-a $(ARTIFACTS)/build-b + @rm -rf $(ARTIFACTS)/build-a $(ARTIFACTS)/build-b + +nonfree: $(NONFREE_TARGETS) ## Builds all nonfree targets defined. + .PHONY: $(TARGETS) $(NONFREE_TARGETS) $(TARGETS) $(NONFREE_TARGETS): $(ARTIFACTS)/bldr - @$(MAKE) docker-$@ \ - TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(shell $(ARTIFACTS)/bldr eval --target $@ --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) --push=$(PUSH)" + @$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(shell $(ARTIFACTS)/bldr eval --target $@ --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) --push=$(PUSH)" + +$(ARTIFACTS)/bldr: $(ARTIFACTS) ## Downloads bldr binary. + @curl -sSL https://github.com/siderolabs/bldr/releases/download/$(BLDR_RELEASE)/bldr-$(OPERATING_SYSTEM)-$(GOARCH) -o $(ARTIFACTS)/bldr + @chmod +x $(ARTIFACTS)/bldr + +.PHONY: deps.png +deps.png: ## Generates a dependency graph of the Pkgfile. 
+ @$(BLDR) graph | dot -Tpng -o deps.png +.PHONY: extensions +extensions: internal/extensions/image-digests + @$(MAKE) docker-$@ TARGET_ARGS="--tag=$(EXTENSIONS_IMAGE_REF) --push=$(PUSH)" + +.PHONY: extensions-metadata extensions-metadata: $(ARTIFACTS)/bldr @rm -f _out/extensions-metadata @$(foreach target,$(TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) >> _out/extensions-metadata;) @$(foreach target,$(NONFREE_TARGETS),echo $(REGISTRY)/$(USERNAME)/$(target):$(shell $(ARTIFACTS)/bldr eval --target $(target) --build-arg TAG=$(TAG) '{{.VERSION}}' 2>/dev/null) >> _out/extensions-metadata;) .PHONY: internal/extensions/image-digests -internal/extensions/image-digests: extensions-metadata ## Stores a list of all images built by this Makefile with digests. +internal/extensions/image-digests: extensions-metadata @cat _out/extensions-metadata | xargs -I{} sh -c 'echo {}@$$(crane digest {})' > internal/extensions/image-digests .PHONY: sign-images -sign-images: ## Run cosign to sign all images built by this Makefile. +sign-images: @for image in $(shell crane export $(EXTENSIONS_IMAGE_REF) | tar x --to-stdout image-digests) $(EXTENSIONS_IMAGE_REF)@$$(crane digest $(EXTENSIONS_IMAGE_REF)); do \ - echo '==>' $$image; \ - cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \ - cosign sign --yes $$image; \ + echo '==>' $$image; \ + cosign verify $$image --certificate-identity-regexp '@siderolabs\.com$$' --certificate-oidc-issuer https://accounts.google.com || \ + cosign sign --yes $$image; \ done -.PHONY: deps.png -deps.png: $(ARTIFACTS)/bldr - $(ARTIFACTS)/bldr graph | dot -Tpng > deps.png +.PHONY: rekres +rekres: + @docker pull $(KRES_IMAGE) + @docker run --rm --net=host --user $(shell id -u):$(shell id -g) -v $(PWD):/src -w /src -e GITHUB_TOKEN $(KRES_IMAGE) + +.PHONY: help +help: ## This help menu. 
+ @echo "$$HELP_MENU_HEADER" + @grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' .PHONY: release-notes release-notes: @@ -134,10 +198,6 @@ release-notes: @ARTIFACTS=$(ARTIFACTS) ./hack/release.sh $@ $(ARTIFACTS)/RELEASE_NOTES.md $(TAG) .PHONY: conformance -conformance: ## Performs policy checks against the commit and source code. - docker run --rm -it -v $(PWD):/src -w /src ghcr.io/siderolabs/conform:latest enforce - -$(ARTIFACTS)/bldr: - @mkdir -p $(ARTIFACTS) - @curl -L https://github.com/siderolabs/bldr/releases/download/$(BLDR_RELEASE)/bldr-$(OPERATING_SYSTEM)-$(GOARCH) -o $(ARTIFACTS)/bldr - @chmod +x $(ARTIFACTS)/bldr +conformance: + @docker pull $(CONFORMANCE_IMAGE) + @docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce diff --git a/Pkgfile b/Pkgfile index 9b0d5058..14505ec2 100644 --- a/Pkgfile +++ b/Pkgfile @@ -1,10 +1,10 @@ -# syntax = ghcr.io/siderolabs/bldr:v0.2.2 +# syntax = ghcr.io/siderolabs/bldr:v0.2.3 format: v1alpha2 vars: PKGS_PREFIX: ghcr.io/siderolabs - LINUX_FIRMWARE_VERSION: "20230919" # update this when updating PKGS_VERSION in Makefile + LINUX_FIRMWARE_VERSION: "20231030" # update this when updating PKGS_VERSION in Makefile DRBD_DRIVER_VERSION: 9.2.5 # update this when updating PKGS_VERSION in Makefile ZFS_DRIVER_VERSION: 2.1.13 # update this when updating PKGS_VERSION in Makefile UTIL_LINUX_VERSION: 2.39.2 # update this when updating PKGS_VERSION in Makefile diff --git a/deps.png b/deps.png index 76556b20..de691ed3 100644 Binary files a/deps.png and b/deps.png differ diff --git a/hack/release.sh b/hack/release.sh index 18d4fa6f..cc4d9c5d 100755 --- a/hack/release.sh +++ b/hack/release.sh @@ -1,4 +1,8 @@ -#!/usr/bin/env bash +#!/bin/bash + +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2023-11-02T15:47:10Z by kres 32170a7-dirty. set -e @@ -59,3 +63,4 @@ EOF exit 1 fi + 
diff --git a/hack/release.toml b/hack/release.toml index 375c8871..bcdd9aea 100644 --- a/hack/release.toml +++ b/hack/release.toml @@ -64,7 +64,7 @@ stargz-snapshotter extension is now supported as Talos System Extension. * QEMU agent: v8.1.1 * Tailscale: 1.50.0 * Xen Guest Utilities: 8.3.1 -* Linux Firmware: 20230919 +* Linux Firmware: 20231030 * gasket driver: 09385d4 """ diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/pkg.yaml index ef5db600..2e1b90f2 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/pkg.yaml @@ -33,6 +33,7 @@ steps: sha256: 4beebedd045468e8174895f5d4a563f7880cf7a10f062d996719c061fcdaa0db sha512: a16f163cb8689f4b6279bed1a5965ee4c56f413918cae6acf272ca5adf7dd929818d977dd6657ce496abeb842b56e03bfd83bda828a7b953625b2999ac174b93 env: + SOURCE_DATE_EPOCH: {{ .BUILD_ARG_SOURCE_DATE_EPOCH }} REVISION: {{ .LIBNVIDIA_CONTAINER_REF }} WITH_NVCGO: yes WITH_LIBELF: yes diff --git a/reproducibility/pkg.yaml b/reproducibility/pkg.yaml new file mode 100644 index 00000000..d1b598df --- /dev/null +++ b/reproducibility/pkg.yaml 
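Review bot: The new `SOURCE_DATE_EPOCH` env entry has no comment saying why this stage now needs it, and it sits between unrelated build switches. Suggest `# fixed build timestamp passed from the Makefile (--build-arg SOURCE_DATE_EPOCH); this stage is part of the reproducibility test` above it. As with `REVISION` on the next line the value is rendered unquoted, so if the build arg were ever absent the line would render as an empty value and the variable would be silently empty rather than the build failing; presumably bldr always supplies it, which is worth confirming.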
@@ -0,0 +1,63 @@ +name: reproducibility +variant: scratch +dependencies: + # amdgpu-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs + # - stage: amdgpu-firmware + # amd-ucode can be ignored from reproducibility test since it's linux-firmware copied from pkgs + # - stage: amd-ucode + # binfmt-misc can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: binfmt-misc + # bnx2-bnx2x can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: bnx2-bnx2x + # btrfs can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: btrfs + # chelsio-drivers can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: chelsio-drivers + # chelsio-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs + # - stage: chelsio-firmware + # drbd can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: drbd + + - stage: fuse3 + + # gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: gasket-driver + + - stage: gvisor + - stage: hello-world-service + + # i915-ucode can be ignored from reproducibility test since it's linux-firmware copied from pkgs + # - stage: i915-ucode + # intel-ice-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs + # - stage: intel-ice-firmware + # intel-ucode can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens) + # - stage: intel-ucode + + - stage: iscsi-tools + - stage: nut-client + - stage: nvidia-container-toolkit + + # nvidia-fabricmanager can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens) + # - stage: nvidia-fabricmanager + # nvidia-open-gpu-kernel-modules can be ignored from reproducibility 
test since it's kernel modules copied from pkgs + # - stage: nvidia-open-gpu-kernel-modules + + - stage: qemu-guest-agent + - stage: stargz-snapshotter + - stage: tailscale + + # thunderbolt can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: thunderbolt + # usb-modem-drivers can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: usb-modem-drivers + + - stage: util-linux-tools + - stage: xe-guest-utilities + - stage: zfs + + # nonfree-kmod-nvidia can be ignored from reproducibility test since it's kernel modules copied from pkgs + # - stage: nonfree-kmod-nvidia +finalize: + # here we're only copying /rootfs since we don't want the manifest.yaml files + - from: /rootfs + to: / diff --git a/storage/iscsi-tools/open-iscsi/pkg.yaml b/storage/iscsi-tools/open-iscsi/pkg.yaml index ef62ba06..fa320767 100644 --- a/storage/iscsi-tools/open-iscsi/pkg.yaml +++ b/storage/iscsi-tools/open-iscsi/pkg.yaml @@ -14,11 +14,14 @@ steps: destination: open-iscsi.tar.gz sha256: 60e2a1e3058a8af7f702e86a5a0511b05b8754d29d3d2df4e0e301399b5cf70a sha512: 25c28da5918b775ca54d3e55591eca0b4f7b5be33d803cad28fce1e9b2334b43cee1423a4e1819497b322e0f420dcd8d74226f442ca432233d1753565b11a5bb + env: + SOURCE_DATE_EPOCH: {{ .BUILD_ARG_SOURCE_DATE_EPOCH }} prepare: - | mkdir -p /usr/bin \ && ln -sf /toolchain/bin/env /usr/bin/env \ - && ln -sf /toolchain/bin/install /usr/bin/install + && ln -sf /toolchain/bin/install /usr/bin/install \ + && ln -s /toolchain/bin/python3 /toolchain/bin/python tar -xzf open-iscsi.tar.gz --strip-components=1 
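Review bot: The exclusion list duplicates the `targets` and `additionalTargets` lists in `.kres.yaml` by hand, so a target added there later is silently absent from the reproducibility test instead of being a recorded decision, and nothing in this file states that obligation. Suggest a header comment directly under `dependencies:`: `# Keep in sync with spec.targets / additionalTargets in .kres.yaml: every target must appear here, either as a stage or as a commented-out entry with the reason it is excluded.` The per-target reasons already given are clear and worth keeping as they are.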
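Review bot: The new `ln -s /toolchain/bin/python3 /toolchain/bin/python` differs from the two `ln -sf` links before it in the same `&&` chain, so if `/toolchain/bin/python` already exists the prepare step fails on that link instead of overwriting it. Use `&& ln -sf /toolchain/bin/python3 /toolchain/bin/python` to match its neighbours. A short comment naming the consumer would also help, e.g. `# meson/ninja need a plain "python" binary`; I am inferring that from the meson build added further down in this file, so confirm it.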
@@ -33,23 +36,27 @@ steps: patch -p1 < /pkg/patches/add-missing-headers.patch patch -p1 < /pkg/patches/dont-use-lib64.patch patch -p1 < /pkg/patches/remove-werror.patch + + pip3 install ninja build: - | export PKG_CONFIG_PATH=/usr/lib/pkgconfig - # musl doesn't have glob_onlydir but by spec it's also not guaranteed to return only dirs anyway + mkdir -p output + LDFLAGS="$LDFLAGS -L/usr/local/lib" \ - make \ - prefix=/usr/local \ - exec_prefix=/usr/local \ - localstatedir=/var \ - sysconfdir=/usr/local/etc \ - mandir=/usr/local/share/man \ - OPTFLAGS="$CFLAGS -I/usr/local/include -DNO_SYSTEMD -DGLOB_ONLYDIR=0" + meson setup \ + -Db_lto=true \ + -Dno_systemd=true \ + -Drulesdir="/usr/local/etc/udev/rules.d" \ + -Dc_args="$CFLAGS -I/usr/local/include -DNO_SYSTEMD -DGLOB_ONLYDIR=0" \ + output + + ninja -C output install: - | - mkdir -p /usr/local/etc - make prefix=/usr/local exec_prefix=/usr/local/ etcdir=/usr/local/etc DESTDIR=/rootfs install + mkdir -p /rootfs/usr/local/etc + DESTDIR=/rootfs ninja -C output install # cleanup rm -rf /rootfs/usr/local/share
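Review bot: `pip3 install ninja` fetches an unpinned package from PyPI during the build: no version and no hash is checked, so the build tool can differ between two runs of the same source, which also undermines the reproducibility test this commit adds (iscsi-tools is one of its stages). Pin and verify it with a hashed requirements file kept next to the patches, e.g. `pip3 install --require-hashes -r /pkg/requirements.txt` where that file contains `ninja==<PINNED_VERSION> --hash=sha256:<PINNED_SHA256>` (placeholders to fill in), or use a ninja shipped by the toolchain/pkgs image if one exists. Separately, the comment explaining `-DGLOB_ONLYDIR=0` (musl lacks `glob_onlydir`, and the spec does not guarantee directory-only results anyway) was dropped while the define is kept in `-Dc_args`; restore it above the `meson setup` line.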