Recently we changed the region from DA (Dallas) to DC (Washington),
because there are more ARM64 servers available. Reflect this change in
the new pipeline too.
Some packages are currently missing from the /usr/share/SLSA directory
compared to flatcar_production_image_packages.txt. For torcx packages,
extract the reports from the torcx bundle when adding it to the rootfs.
For initramfs packages, as a substitute we enumerate build dependencies
of coreos-kernel (image_packages_implicit()). At this time these are
bootengine and intel-microcode.
Prod images need libstdc++.so and other libraries produced by
sys-devel/gcc build, but because we don't want all of gcc in the image,
the binpkg is manually unpacked instead of installed with emerge. Make
sure to preserve SLSA metadata when unpacking as well.
Catalyst runs builds with copies of the portage/coreos overlays in a
chroot, which prevents us from accessing the git metadata necessary to
create provenance information. Copy some files over into the
root_overlay used by the toolchains catalyst build so that provenance
can be correctly captured.
install_cross_libs installs TOOLCHAIN_PKGS deps into /usr/$BOARD_CHOST,
so that TOOLCHAIN_PKGS binpkgs can be built. We also need binpkgs for
the TOOLCHAIN_PKGS deps so that we can install them into /build/$BOARD
later together with TOOLCHAIN_PKGS. This is where the flow is currently
broken. Due to a change in semantics, --emptyroot tries to rebuild host
packages as well, and dropping it leaves --onlydeps which results in no
binpkgs being built because they are already installed.
We can resolve this by reusing the dependency list generated by
install_cross_libs, and explicitly building those binpkgs. It is worth
remarking that this flow of building the toolchain binpkgs through
setup_board is not in use in Flatcar, because we normally build
toolchains with catalyst. We are interested in reviving it because we
want to build everything with SLSA provenance information.
`./setup_board --nousepkg --nogetbinpkg` currently fails with a
circular dependency due to pulling in the whole systemd-cryptsetup-udev
dependency chain. This is due to several issues:
* `emerge --root=$ROOT --emptytree` considers ROOT=/ to also be empty,
so it pulls in all host packages. This must've not always been the case.
So we need to pipe the dependency package list through `egrep $ROOT`
to filter only those that would get installed into the desired ROOT
* if SYSROOT=/ and not SYSROOT=ROOT, then virtual/os-headers is missing
from $ROOT package list
* the final filter expression previously looked like this:
(=sys-devel/gcc|sys-devel/binutils-0.9) which also matches
sys-devel/gcc-config and sys-devel/binutils-config, which are
necessary dependencies. Rework the match expression to not filter
those out.
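The ROOT filtering and the over-matching filter described above, as an added example that is not code from the Flatcar scripts. The sample lines, function names and both patterns are assumptions for illustration, since the message quotes the original expression only approximately.

```shell
#!/bin/sh
# Added illustration. Constructed, simplified `emerge --pretend` style lines;
# package versions and the /build/arm64-usr ROOT are sample values.
sample_deps() {
cat <<'EOF'
[ebuild  N     ] sys-apps/systemd-252.11 to /
[ebuild  N     ] sys-devel/gcc-11.3.0 to /build/arm64-usr/
[ebuild  N     ] sys-devel/gcc-config-2.5 to /build/arm64-usr/
[ebuild  N     ] sys-devel/binutils-2.39 to /build/arm64-usr/
[ebuild  N     ] sys-devel/binutils-config-5.4.1 to /build/arm64-usr/
[ebuild  N     ] sys-kernel/linux-headers-5.15 to /build/arm64-usr/
EOF
}

# Keep only packages destined for the given ROOT and reduce each line to
# category/package-version (the message does this step with `egrep $ROOT`).
deps_for_root() {
    root="${1%/}/"
    sample_deps | grep -F " to ${root}" |
        sed -E 's/^\[[^]]*\] +([^ ]+).*/\1/'
}

# Loose filter (assumed shape of the old expression): an unanchored name
# match also removes gcc-config and binutils-config.
loose_filter() {
    grep -Ev 'sys-devel/(gcc|binutils)'
}

# Stricter filter (one possible rework): require the version to start right
# after the package name, so only the gcc and binutils packages are dropped.
strict_filter() {
    grep -Ev '^sys-devel/(gcc|binutils)-[0-9]'
}

echo "loose:";  deps_for_root /build/arm64-usr | loose_filter
echo "strict:"; deps_for_root /build/arm64-usr | strict_filter
```
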
This made no difference back when lib was a symlink to lib64, but now that they are separate,
libs belong in /usr/lib64. This mostly doesn't show up because ldconfig configures the ld.so cache
to include both locations, but when updating from an older release ld.so.cache is out of date.
Unfortunately ld.so.cache does not get updated until after multipathd, which causes
multipathd to dump core. This may also affect other packages that need access to
libgcc early.
See also: https://github.com/flatcar-linux/Flatcar/issues/809
`c3.large.arm64` instances of Equinix Metal are available in either the
`DA` or `DC` metro. However, recently arm64 CI builds started to fail
due to too few servers available in the DA metro. As the DC metro has
more servers available, let's change metro to DC.
How to check how many servers are available in a specific metro:
```
# Ask whether 34 c3.large.arm64 servers are available in the DC metro.
# The JSON body is single-quoted, so it needs no line-continuation backslashes.
curl -X POST \
  -H "Content-Type: application/json" -H "X-Auth-Token: ..." \
  https://api.equinix.com/metal/v1/capacity/metros \
  -d '{"servers": [ {
        "metro": "dc",
        "plan": "c3.large.arm64",
        "quantity": 34
      } ] }'

# Same check for 17 servers in the DA metro.
curl -X POST \
  -H "Content-Type: application/json" -H "X-Auth-Token: ..." \
  https://api.equinix.com/metal/v1/capacity/metros \
  -d '{"servers": [ {
        "metro": "da",
        "plan": "c3.large.arm64",
        "quantity": 17
      } ] }'
```
When the specified remote contains a same-named branch as origin,
the checkout fails with "fatal: 'X' matched multiple (Y) remote
tracking branches".
Add the remote name as prefix to make the reference unambiguous.
When the build system runs the packages jobs for both architectures in
parallel and has to create a new tag, tagging fails due to the race in
the tagging.
Move the git tagging to its own script that is run from a new top-level
job that starts the packages jobs for both architectures.
Since v0.51.0 syft supports parsing the gentoo package
database. This is a first go at integrating that into our image build
process. This doesn't yet include packages inside torcx packages, or the
kernel, or initramfs-only packages.
While we moved the arm64 tests to lxc containers, amd64 stayed on VMs
which were not easy to scale up.
Now the GitHub Action runner is running on lxc containers and we can
spawn more VMs in parallel because it has no memory limit.
There is some cruft left after grub hashes generation. After the
contents are zipped into archive, they don't need to be around any
more.
Try to remove the rootfs directory after unmounting the
image. disk_util can recreate it again if there is a need for it.
Remove the build directory used for generating ACI images - it's not
needed after successful installation.
The image comparison was done against the old release in the channel
we release to instead of the previous release with the same major
version. This means when a channel transition happens we see a large
diff instead of the diff against the previous release. While not bad
for finding problems, this is normally not needed. However, we want
to have two changelogs generated, one against the old release in the
channel we release to and one against the previous release with the same
major version when a transition happens. There was no changelog
printing yet, and this is added now.
* arm64 tests now run in LXD containers instead of VMs
* parallelism increased for arm64
* some setup steps are skipped on arm64
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>