Recently we changed the region from DA (Dallas) to DC (Washington),
because there are more ARM64 servers available. Reflect this change in
the new pipeline too.
Some packages are currently missing from the /usr/share/SLSA directory
compared to flatcar_production_image_packages.txt. For torcx packages,
extract the reports from the torcx bundle when adding it to the rootfs.
For initramfs packages, as a substitute we enumerate build dependencies
of coreos-kernel (image_packages_implicit()). At this time these are
bootengine and intel-microcode.
Prod images need libstdc++.so and other libraries produced by
sys-devel/gcc build, but because we don't want all of gcc in the image,
the binpkg is manually unpacked instead of installed with emerge. Make
sure to preserve SLSA metadata when unpacking as well.
Catalyst runs builds with copies of the portage/coreos overlays in a
chroot, which prevents us from accessing the git metadata necessary to
create provenance information. Copy some files over into the
root_overlay used by the toolchains catalyst build so that provenance
can be correctly captured.
install_cross_libs installs TOOLCHAIN_PKGS deps into /usr/$BOARD_CHOST,
so that TOOLCHAIN_PKGS binpkgs can be built. We also need binpkgs for
the TOOLCHAIN_PKGS deps so that we can install them into /build/$BOARD
later together with TOOLCHAIN_PKGS. This is where the flow is currently
broken. Due to a change in semantics, --emptyroot tries to rebuild host
packages as well, and dropping it leaves --onlydeps which results in no
binpkgs being built because they are already installed.
We can resolve this by reusing the dependency list generated by
install_cross_libs, and explicitly building those binpkgs. It is worth
remarking that this flow of building the toolchain binpkgs through
setup_board is not in use in Flatcar, because we normally build
toolchains with catalyst. We are interested in reviving it because we
want to build everything with SLSA provenance information.
`./setup_board --nousepkg --nogetbinpkg` currently fails with a
circular dependency due to pulling in the whole systemd-cryptsetup-udev
dependency chain. This is due to several issues:
* `emerge --root=$ROOT --emptytree` considers ROOT=/ to also be empty,
so it pulls in all host packages. This must've not always been the case.
So we need to pipe the dependency package list through `egrep $ROOT`
to filter only those that would get installed into the desired ROOT
* if SYSROOT=/ and not SYSROOT=ROOT, then virtual/os-headers is missing
from $ROOT package list
* the final filter expression previously looked like this:
(=sys-devel/gcc|sys-devel/binutils-0.9) which also matches
sys-devel/gcc-config and sys-devel/binutils-config, which are
necessary dependencies. Rework the match expression to not filter
those out.
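As an added illustration (not the project's setup_board code), a small shell filter that applies the fixes described in this commit message to a constructed `emerge --pretend` listing: keep only the packages that would be installed into `$ROOT` (emerge marks those with a trailing `to $ROOT`), then drop sys-devel/gcc and sys-devel/binutils themselves without also dropping gcc-config and binutils-config. The sample lines, the ROOT path and the exact rework of the match expression are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Flatcar's own script. ROOT and the emerge lines below are
# constructed samples that mimic `emerge --root=$ROOT --pretend` output.
ROOT="/build/arm64-usr"

# Constructed sample: host packages (ROOT=/) carry no " to $ROOT" suffix.
SAMPLE='[ebuild  N     ] sys-devel/gcc-config-2.5 to /build/arm64-usr/
[ebuild  N     ] sys-devel/gcc-11.3.0 to /build/arm64-usr/
[ebuild  N     ] sys-devel/binutils-config-5.4 to /build/arm64-usr/
[ebuild  N     ] sys-devel/binutils-2.38 to /build/arm64-usr/
[ebuild  N     ] virtual/os-headers-0-r2 to /build/arm64-usr/
[ebuild   R    ] sys-apps/portage-3.0.30
[ebuild  N     ] sys-libs/glibc-2.35-r1 to /build/arm64-usr/'

# filter_deps: reads emerge --pretend lines on stdin and prints one
# "=category/package-version" atom per package that goes into $ROOT,
# excluding only gcc and binutils proper. The trailing "-[0-9]" in the
# exclusion is what keeps sys-devel/gcc-config and binutils-config.
filter_deps() {
    grep -F " to ${ROOT}" |
    sed -e 's/^\[ebuild[^]]*\] //' -e "s| to ${ROOT}.*||" -e 's/^/=/' |
    grep -E -v '^=sys-devel/(gcc|binutils)-[0-9]'
}

# Stand-alone run: prints the four atoms that should be built as binpkgs.
printf '%s\n' "$SAMPLE" | filter_deps
```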
This made no difference back when lib was a symlink to lib64, but now that they are separate,
libs belong in /usr/lib64. This mostly doesn't show up because ldconfig configures the ld.so cache
to include both locations, but when updating from an older release ld.so.cache is out of date.
Unfortunately ld.so.cache does not get updated until after multipathd, which causes
multipathd to dump core. This may also affect other packages that need access to
libgcc early.
See also: https://github.com/flatcar-linux/Flatcar/issues/809
`c3.large.arm64` instances of Equinix Metal are available in metro
either `DA` or `DC`. However, recently arm64 CI builds started to fail
due to too few servers available in the DA metro. As the DC metro has
more servers available, let's change metro to DC.
How to check how many servers are available in a specific metro:
```
# The JSON body is single-quoted, so it may span several lines as-is;
# a backslash inside single quotes would be passed literally and break the JSON.
curl -X POST \
-H "Content-Type: application/json" -H "X-Auth-Token: ..." \
https://api.equinix.com/metal/v1/capacity/metros \
-d '{"servers": [ {
"metro": "dc",
"plan": "c3.large.arm64",
"quantity": 34
} ] }'
curl -X POST \
-H "Content-Type: application/json" -H "X-Auth-Token: ..." \
https://api.equinix.com/metal/v1/capacity/metros \
-d '{"servers": [ {
"metro": "da",
"plan": "c3.large.arm64",
"quantity": 17
} ] }'
```
When the specified remote contains a same-named branch as origin,
the checkout fails with "fatal: 'X' matched multiple (Y) remote
tracking branches".
Add the remote name as prefix to make the reference unambiguous.
When the build system runs the packages jobs for both architectures in
parallel and has to create a new tag, tagging fails due to the race in
the tagging.
Move the git tagging to its own script that is run from a new top-level
job that starts the packages jobs for both architectures.
Since v0.51.0 syft supports parsing the gentoo package
database. This is a first go at integrating that into our image build
process. This doesn't yet include packages inside torcx packages, or the
kernel, or initramfs-only packages.
While we moved the arm64 tests to lxc containers, amd64 stayed on VMs
which were not easy to scale up.
Now the GitHub Action runner is running on lxc containers and we can
spawn more VMs in parallel because it has no memory limit.