build_sysext uses a base squashfs (basically a full snapshot of the
Flatcar OS image) to build custom sysexts on top. Before building it
ensures the base image actualy matches the OS version in the repository
root.
The version string includes a BUILD_ID which might be auto-generated (by
including common.sh) if it is not present in the version file - e.g.
when the version is an official release (tag). This build ID
auto-generation causes issues with the version check when image build
and sysext build scripts run independently - each will generate its own
build ID, and this will cause build_sysext's version check to fail.
build_sysext will now use the build id from the base squashfs when it is
not set in the source tree's version.txt to work around that issue. This
is a more general solution than 361eda220b
(which this patch reverts) as it directly addresses the issue in
build_sysext instead of working around it in sysext_prod_builder.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
This change fixes a version mismatch of FLATCAR_BUILD_ID when performing
a dev build of an existing release tag. The build ID is part of the
version string of dev builds, separated by a "+" from the main version.
If common.sh detects a dev build (COREOS_OFFICIAL != 1) and
FLATCAR_BUILD_ID is empty, common.sh will generate a new ID based on a
timestamp.
For official releases, FLATCAR_BUILD_ID is not set in version.txt. A dev
build of a release tag would make common.sh generate a new ID each time
it is sourced by different processes. build_image sources common.sh
first, and writes the resulting version string the OS image's
os-release file. build_sysext runs later and also sources common.sh,
leading its version check to fail as its own VERSION now differs from
the version of the OS image it's supposed to generate sysexts for.
This change reads BUILD_ID from the OS image rootfs in
sysext_prod_builder and exports FLATCAR_BUILD_ID accordingly before
calling build_sysext. Hence FLATCAR_BUILD_ID is not empty, so common.sh
in build_sysext will not re-generate it.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Recently we had some problems with read-only filesystems, that pop up
in different places. It may be easier to catch if the debugging info
is printed in an error case instead of just one specific location.
We see occasional failures due to a read-only filesystem on GitHub
Action runners:
mkdir: cannot create directory ‘/home/sdk/trunk/src/scripts/artifacts/amd64-usr/developer-3790.0.0+nightly-20231116-2100-5-g49eb1a4c07-a1/rootfs/usr/share/flatcar/sysext’: Read-only file system
Add commands for a debug output.
This change removes Flatcar specific builds of docker[-cli], containerd,
runc, and cri-tools and instead switches to upstream Gentoo ebuilds
added to portage-stable.
The change updates docker to 24.0.6.
NOTE that there currently is no upstream ebuild for containerd-1.7.7, so
this change adds that ebuild based on the upstream containerd-1.7.6
ebuild.
Flatcar customisations like systemd units etc. are now applied in the
manglefs script of the respective sysexts, based on file system trees in
coreos-overlay/coreos/sysext/(containerd|docker).
The build_sysext script has been extended by an option to strip all
binaries in a sysext; the option is active by default. This takes care
of removing debug symbols from docker and containerd - which are not
removed by the default Gentoo build. The overall size of both containerd
and docker sysext is reduced by ~50%.
Lastly, the sysext command line syntax of build_image has been extended
to allow specifying multiple packages for a sysext. This was necessary
because docker-cli and docker do not have any runtime relationships and
therefore must both be specified for installation to correctly mirror
Flatcar's own docker packaging.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
This change refactors base OS sysext builds to use a separate build
script `build_library/sysext_prod_builder`, which is called from
`build_library/prod_image_util.sh` when `build_image` runs.
This allows for better separation of cleanup traps: prod image sysext
builds need its own trap / cleanup function for temporary build
directories and loopback mounts.
Prod sysext builds properly generate lincense and SBOM information, and
provide detailed file listings and disk space usage stats.
- SBOM / licenses JSON now include all packages of the
final image, i.e. a combined list of base image and all base OS
sysexts.
- Packages lists, files list and detailed files list include the sysext
squashfs files for the base image, and separate sections with files /
packages lists for each sysext.
- Disk usage contains both final disk image usage as well as usage of
each individual sysext squashfs.
