chore: build with new toolchain

Move modules, firmware and libraries to accommodate usrmerged rootfs

Only use network where needed via new bldr, pre-download Go dependencies in prepare step, improve Go cache

Bump xen-guest-agent to make it build with current Alpine Rust

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>

.kres.yaml

@@ -66,7 +66,7 @@ spec:
       - name: EXTENSIONS_IMAGE_REF
         defaultValue: $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
       - name: PKGS
-        defaultValue: v1.10.0-alpha.0-34-g5763e3e
+        defaultValue: v1.10.0-alpha.0-35-g85f8901
       - name: PKGS_PREFIX
         defaultValue: ghcr.io/siderolabs
   useBldrPkgTagResolver: true

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-01-31T12:02:15Z by kres 987bf4d.
+# Generated on 2025-02-07T11:47:31Z by kres 3bb2b12.
 
 # common variables
 
@@ -25,7 +25,7 @@ SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct)
 
 # sync bldr image with pkgfile
 
-BLDR_RELEASE := v0.3.2
+BLDR_RELEASE := v0.4.1
 BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE)
 BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src
 
@@ -48,7 +48,7 @@ COMMON_ARGS += --build-arg=PKGS_PREFIX="$(PKGS_PREFIX)"
 # extra variables
 
 EXTENSIONS_IMAGE_REF ?= $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
-PKGS ?= v1.10.0-alpha.0-34-g5763e3e
+PKGS ?= v1.10.0-alpha.0-35-g85f8901
 PKGS_PREFIX ?= ghcr.io/siderolabs
 
 # targets defines all the available targets

Pkgfile

@@ -1,4 +1,4 @@
-# syntax = ghcr.io/siderolabs/bldr:v0.3.2
+# syntax = ghcr.io/siderolabs/bldr:v0.4.0-1-g76a2c8f
 
 format: v1alpha2
 

README.md

@@ -209,9 +209,10 @@ The following restrictions are applied to the contents of the `rootfs` of the sy
 Any paths in the `rootfs` should be contained within the following hierarchies:
 
 - `/etc/cri/conf.d/`
-- `/lib/firmware/`
+- `/usr/lib/firmware/`
-- `/lib/modules/`
+- `/usr/lib/modules/`
-- `/lib64/ld-linux-x86-64.so.2`
+- `/usr/lib/ld-linux-x86-64.so.2`
+- `/usr/bin/ldconfig` (used by NVIDIA Container Toolkit)
 - `/usr/lib/udev/rules.d/`
 - `/usr/local/`
 - `/usr/share/glvnd/`

container-runtime/crun/pkg.yaml

@@ -1,6 +1,6 @@
 name: crun
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

container-runtime/ecr-credential-provider/pkg.yaml

@@ -1,6 +1,6 @@
 name: ecr-credential-provider
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -10,10 +10,11 @@ steps:
         sha256: 0bd75a18faab15dae7a603e1d6b57691953f1b6427f6eaa4c14e9fbfc1a75348
         sha512: e85b0c4a79f6c087147a5868520693f7cb98a471d5497dcda27a6e341e719868f5308ccf8d9781e601ff1b52f332a0447033a096c929e768553e937e154db25e
     env:
-      GOPATH: /go
+      GOPATH: /tmp/go
     cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -21,10 +22,12 @@ steps:
         mkdir -p ${GOPATH}/src/k8s.io/cloud-provider-aws
 
         tar -xzf cloud-provider-aws.tar.gz --strip-components=1 -C ${GOPATH}/src/k8s.io/cloud-provider-aws
+      - |
+        cd ${GOPATH}/src/k8s.io/cloud-provider-aws
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-
         go build \
           -C ${GOPATH}/src/k8s.io/cloud-provider-aws \
           -o ./dist/ecr-credential-provider \

container-runtime/gvisor-debug/pkg.yaml

@@ -1,6 +1,6 @@
 name: gvisor-debug
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

container-runtime/gvisor/pkg.yaml

@@ -1,6 +1,6 @@
 name: gvisor
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -12,10 +12,11 @@ steps:
         sha256: 63419d6c5744f17f8f8229919ed2399e5e8d567735379b22f34acba2cfc8ab34
         sha512: 567f72bbf701176e394ca5ad6ba1be8432e56d8f48344dc9561dba668536ca3132c7f9b8a19485b9518d35783b32426318def14e7ca9cc7c682ab26f1db9e293
     env:
-      GOPATH: /go
+      GOPATH: /tmp/go
     cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -23,9 +24,12 @@ steps:
         mkdir -p ${GOPATH}/src/github.com/google/gvisor
 
         tar -xzf gvisor.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/google/gvisor
+      - |
+        cd ${GOPATH}/src/github.com/google/gvisor
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
         cd ${GOPATH}/src/github.com/google/gvisor
 
         mkdir ./bin

container-runtime/kata-containers/pkg.yaml

@@ -1,6 +1,6 @@
 name: kata-containers
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -21,10 +21,11 @@ steps:
         sha256: 6567498577888f29d186d14629e7e987e8afc49ab988c72e0bc80918fe99295a
         sha512: 54b989b1db27e56266d1e40b18d3c4f353a3f876dad358afecbba7fb7e1238da1f0856c73f627cbb24e36176f784e2a809bb1b7a990ad21644b06e7b43d64a68
     env:
-      GOPATH: /go
+      GOPATH: /tmp/go
     cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -34,9 +35,12 @@ steps:
       - |
         mkdir -p ${GOPATH}/src/github.com/kata-containers
         tar -xzf kata-containers.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/kata-containers
+      - |
+        cd ${GOPATH}/src/github.com/kata-containers/src/runtime
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
         cd ${GOPATH}/src/github.com/kata-containers
         PREFIX=/usr/local make -C src/runtime SKIP_GO_VERSION_CHECK=y containerd-shim-v2
     install:

container-runtime/spin/pkg.yaml

@@ -1,6 +1,6 @@
 name: spin
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

container-runtime/stargz-snapshotter/pkg.yaml

@@ -1,6 +1,6 @@
 name: stargz-snapshotter
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -10,10 +10,11 @@ steps:
         sha256: 576f59d4375ac2cab24310d28e3ac98148c05dc6714649e1ec27e8d4fa8a9679
         sha512: 3a8226e29305f55e9244017cd3063e9ba9b8b4a79a404000677e0e99a84d1337b12a37f6d1b5539c9579f54b1c118fb0ce373eb402296a18d8e55474d549986a
     env:
-      GOPATH: /go
+      GOPATH: /tmp/go
     cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -21,9 +22,12 @@ steps:
         mkdir -p ${GOPATH}/src/github.com/containerd/stargz-snapshotter
 
         tar -xzf stargz-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/containerd/stargz-snapshotter
+      - |
+        cd ${GOPATH}/src/github.com/containerd/stargz-snapshotter/cmd
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
         cd ${GOPATH}/src/github.com/containerd/stargz-snapshotter
 
         make containerd-stargz-grpc

container-runtime/wasmedge/pkg.yaml

@@ -1,6 +1,6 @@
 name: wasmedge
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

drivers/chelsio/pkg.yaml

@@ -1,6 +1,6 @@
 name: chelsio-drivers
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drivers/gasket/pkg.yaml

@@ -1,6 +1,6 @@
 name: gasket-driver
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,9 +12,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules
+        mkdir -p /rootfs/usr/lib/modules
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
   - test:
       - |
         mkdir -p /extensions-validator-rootfs

drivers/mei/pkg.yaml

@@ -1,6 +1,6 @@
 name: mei
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -15,14 +15,14 @@ steps:
   # {{ if eq .ARCH "x86_64" }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drivers/mellanox-ofed/pkg.yaml

@@ -1,6 +1,6 @@
 name: mellanox-ofed
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
  # The pkgs version for a particular release of Talos as defined in
@@ -12,9 +12,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules
+        mkdir -p /rootfs/usr/lib/modules
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
   - test:
       - |
         mkdir -p /extensions-validator-rootfs

drivers/thunderbolt/pkg.yaml

@@ -1,6 +1,6 @@
 name: thunderbolt
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drivers/uinput/pkg.yaml

@@ -1,6 +1,6 @@
 name: uinput
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drivers/usb-modem/pkg.yaml

@@ -1,6 +1,6 @@
 name: usb-modem-drivers
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules-{{ .ARCH }}.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules-{{ .ARCH }}.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drivers/v4l-uvc/pkg.yaml

@@ -1,6 +1,6 @@
 name: v4l-uvc-drivers
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drm/amdgpu/pkg.yaml

@@ -1,6 +1,6 @@
 name: amdgpu
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -16,16 +16,16 @@ steps:
   # {{ if eq .ARCH "x86_64" }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/amdgpu /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/amdgpu /rootfs/usr/lib/firmware
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

drm/i915/pkg.yaml

@@ -1,6 +1,6 @@
 name: i915
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -16,16 +16,16 @@ steps:
   # {{ if eq .ARCH "x86_64" }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/i915 /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/i915 /rootfs/usr/lib/firmware
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

dvb/cx23885/pkg.yaml

@@ -1,6 +1,6 @@
 name: dvb-cx23885
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: v4l-uvc-drivers
@@ -23,24 +23,24 @@ steps:
         tar xf dvb-firmware.tar.gz
     install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
       - |
         mkdir -p /rootfs/usr/local/lib/modprobe.d
         cp /pkg/files/dvb.conf /rootfs/usr/local/lib/modprobe.d/dvb-cx23885.conf
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/dvb-demod-si2168-02.fw /rootfs/lib/firmware
+        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/dvb-demod-si2168-02.fw /rootfs/usr/lib/firmware
-        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/dvb-demod-si2168-b40-01.fw /rootfs/lib/firmware
+        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/dvb-demod-si2168-b40-01.fw /rootfs/usr/lib/firmware
-        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/v4l-cx23885-avcore-01.fw /rootfs/lib/firmware
+        cp dvb-firmware-{{ .LINUX_DVB_FIRMWARE }}/firmware/v4l-cx23885-avcore-01.fw /rootfs/usr/lib/firmware
     test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

examples/hello-world-service/pkg.yaml

@@ -1,21 +1,19 @@
 name: hello-world-service
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
   - env:
-      GOPATH: /go
+      GOPATH: /tmp/go
     cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-
         cd /pkg/src
         CGO_ENABLED=0 go build -o ./hello-world .
     install:

firmware/amd-ucode/pkg.yaml

@@ -1,6 +1,6 @@
 name: amd-ucode
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,8 +10,8 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/amd-ucode /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/amd-ucode /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/bnx2-bnx2x/pkg.yaml

@@ -1,6 +1,6 @@
 name: bnx2-bnx2x
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,9 +10,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/bnx2 /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/bnx2 /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/bnx2x /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/bnx2x /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/chelsio/pkg.yaml

@@ -1,6 +1,6 @@
 name: chelsio-firmware
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,9 +10,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/cxgb3 /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/cxgb3 /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/cxgb4 /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/cxgb4 /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/intel-ice-firmware/pkg.yaml

@@ -1,6 +1,6 @@
 name: intel-ice-firmware
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,8 +10,8 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware/intel/ice/ddp
+        mkdir -p /rootfs/usr/lib/firmware/intel/ice/ddp
-        cp /lib/firmware/intel/ice/ddp/ice-*.pkg /rootfs/lib/firmware/intel/ice/ddp/ice.pkg
+        cp /usr/lib/firmware/intel/ice/ddp/ice-*.pkg /rootfs/usr/lib/firmware/intel/ice/ddp/ice.pkg
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/intel-ucode/pkg.yaml

@@ -1,6 +1,6 @@
 name: intel-ucode
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -16,8 +16,8 @@ steps:
         tar -xzf intel-ucode.tar.gz --strip-components=1
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p intel-ucode /rootfs/lib/firmware
+        cp -R -p intel-ucode /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/qlogic-firmware/pkg.yaml

@@ -1,6 +1,6 @@
 name: qlogic-firmware
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,8 +10,8 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/qed /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/qed /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

firmware/realtek-firmware/pkg.yaml

@@ -1,6 +1,6 @@
 name: realtek-firmware
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/linux-firmware:{{ .BUILD_ARG_PKGS }}"
@@ -10,11 +10,11 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs/lib/firmware
+        mkdir -p /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/rtl_bt /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/rtl_bt /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/rtl_nic /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/rtl_nic /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/rtlwifi /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/rtlwifi /rootfs/usr/lib/firmware
-        cp -R -p /lib/firmware/rtw88 /rootfs/lib/firmware
+        cp -R -p /usr/lib/firmware/rtw88 /rootfs/usr/lib/firmware
     test:
       - |
         mkdir -p /extensions-validator-rootfs

guest-agents/metal-agent/pkg.yaml

@@ -1,5 +1,6 @@
 name: metal-agent
 variant: scratch
+shell: /bin/bash
 dependencies:
   - stage: base
 

guest-agents/qemu-guest-agent/glib/pkg.yaml

@@ -1,6 +1,6 @@
 name: glib
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -11,17 +11,15 @@ steps:
         destination: glib.tar.xz
         sha256: 8428d672c8485636d940f03ce8dcdc174f9b3892ac8b2eea76dd281af6a6e937
         sha512: 1686ef719122d2b3e8bcc569ba1e125cde51fbe645811e1eb7ddd49e300ff834eed712bb619bba13629f23ad5f801fdc2d37e3103b5150ad3cb7ff9d1168d902
+  - network: default
     prepare:
       - |
         tar -xf glib.tar.xz --strip-components=1
         rm glib.tar.xz
       - |
         mkdir -p /usr/bin
-
-        ln -s /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/python3 /toolchain/bin/python
-
         pip3 install ninja packaging
+  - network: none
     build:
       - |
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig

guest-agents/qemu-guest-agent/pcre2/pkg.yaml

@@ -1,6 +1,6 @@
 name: pcre2
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

guest-agents/qemu-guest-agent/pkg.yaml

@@ -1,6 +1,6 @@
 name: qemu-guest-agent
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -12,6 +12,7 @@ steps:
         destination: qemu.tar.xz
         sha256: f859f0bc65e1f533d040bbe8c92bcfecee5af2c921a6687c652fb44d089bd894
         sha512: f92548623e4e31400c823a2d78417a8a4ecfccb07f3ee4883e2f2ad33054539d2a37d076dbc64df42c6c86c08fa7c2c975cd6e823aa14d5f20cef83348006813
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -21,9 +22,6 @@ steps:
       - |
         mkdir -p /usr/bin
 
-        ln -s /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/python3 /toolchain/bin/python
-
         pip3 install ninja
 
         extra_args=( )
@@ -47,6 +45,7 @@ steps:
           --enable-guest-agent \
           --enable-stack-protector \
           "${extra_args[@]}"
+  - network: none
     build:
       - |
         make -j $(nproc) qemu-ga

guest-agents/vars.yaml

@@ -5,7 +5,7 @@ GLIB_VERSION: 2.83.2
 # renovate: datasource=github-releases extractVersion=^pcre2-(?<version>.*)$ depName=PCRE2Project/pcre2
 PCRE2_VERSION: 10.42
 # renovate: datasource=git-tags depName=https://gitlab.com/xen-project/xen-guest-agent.git
-XEN_GUEST_AGENT_VERSION: 0.4.0
+XEN_GUEST_AGENT_VERSION: 5c274e651c29f92fc0c418fda486373b0f34f0da
 # renovate: datasource=github-releases depName=siderolabs/talos-vmtoolsd
 TALOS_VMTOOLSD_VERSION: v0.6.1
 # renovate: datasource=github-releases depName=siderolabs/talos-metal-agent

guest-agents/vmtoolsd-guest-agent/pkg.yaml

@@ -1,5 +1,6 @@
 name: vmtoolsd-guest-agent
 variant: scratch
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: {{ .BUILD_ARG_PKGS_PREFIX }}/talos-vmtoolsd:{{ .TALOS_VMTOOLSD_VERSION }}

guest-agents/xen-guest-agent/pkg.yaml

@@ -17,14 +17,18 @@ steps:
       RUSTFLAGS: '-C target-feature=+crt-static'
   - sources:
       - url: https://gitlab.com/xen-project/xen-guest-agent/-/archive/{{ .XEN_GUEST_AGENT_VERSION }}/xen-guest-agent-{{ .XEN_GUEST_AGENT_VERSION }}.tar.gz
-        sha256: 492ba2022b4155b38443ddf34a5bdbb0d72966d0936aab8545b4a135fa69c990
+        sha256: c52f4781739e500e98a3298c9e44fe9bcbe1892c22aa6bb031d1a847123deaaa
-        sha512: 527611f1d0c4fec81ac44434304f426bb9ebe75ceeaac84a417397ec845da6a225514d6ff8b9dc03b5c27d4fa3b59a47fd1a64276fbf6b492664244796ef483c
+        sha512: 49bf15d7257f7fcb5ac919ca57e8c16bb6f8199684adef034bd1e7683dd9fb23a5604667fb75e27eadd02a2f9b130339409873b5720d7d3f5e4153feb5fa98ba
         destination: xe-guest-agent.tar.gz
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
       - |
         tar -xzvf xe-guest-agent.tar.gz --strip-components=1
+      - |
+        cargo fetch --target {{ .ARCH }}-alpine-linux-musl
+  - network: none
     build:
       - cargo build --release -F static --target {{ .ARCH }}-alpine-linux-musl
     install:

guest-agents/xen-guest-agent/vars.yaml

@@ -1 +1,3 @@
-VERSION: "{{ .XEN_GUEST_AGENT_VERSION }}"
+# VERSION: "{{ .XEN_GUEST_AGENT_VERSION }}"
+# FIXME: Replace once a building tag is available
+VERSION: "0.4.0-g5c274e6"

internal/base/pkg.yaml

@@ -1,10 +1,10 @@
 name: base
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/base:{{ .BUILD_ARG_PKGS }}"
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/ca-certificates:{{ .BUILD_ARG_PKGS }}"
-  - image: ghcr.io/siderolabs/extensions-validator:617ea3f
+  - image: ghcr.io/siderolabs/extensions-validator:7d4395d
 finalize:
   - from: /
     to: /

misc/binfmt-misc/pkg.yaml

@@ -1,6 +1,6 @@
 name: binfmt-misc
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

misc/glibc/pkg.yaml

@@ -52,9 +52,9 @@ steps:
 
         cp /pkg/ld.so.conf /rootfs/usr/local/glibc/etc/ld.so.conf
 
-        mkdir -p /rootfs/lib64 /rootfs/sbin
+        mkdir -p /rootfs/usr/lib /rootfs/usr/bin
-        ln -s /usr/local/glibc/usr/lib/ld-linux-x86-64.so.2 /rootfs/lib64/ld-linux-x86-64.so.2
+        ln -s /usr/local/glibc/usr/lib/ld-linux-x86-64.so.2 /rootfs/usr/lib/ld-linux-x86-64.so.2
-        ln -s /usr/local/glibc/usr/sbin/ldconfig /rootfs/sbin/ldconfig
+        ln -s /usr/local/glibc/usr/sbin/ldconfig /rootfs/usr/bin/ldconfig
 
         # cleanup
         rm -rf /rootfs/usr/local/glibc/include

network/lldpd/pkg.yaml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: MPL-2.0
 name: lldpd
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
     - stage: base
 steps:
@@ -29,8 +29,6 @@ steps:
         mkdir -p /usr/local/include/sys
         cp sys-queue.h /usr/local/include/sys/queue.h
       - |
-        ln -sf /toolchain/bin/env /usr/bin/env
-
         export CFLAGS="${CFLAGS} -I/usr/local/include"
 
         ./configure \

network/tailscale/pkg.yaml

@@ -1,30 +1,32 @@
 name: tailscale
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
   - env:
-      GOPATH: /go
+      GOPATH: /tmp/go
   - cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
     sources:
       - url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz
         destination: tailscale.tar.gz
         sha256: dbc25cc241bb233f183475f003d5508af7b45add1ca548b35a6a6fea91fb91af
         sha512: 1286971554f15c601ee36050cbe361170de2ea4955fc8dde01a4a231f966a1049b9d85d2854637077c1900d4e67ef15352250e412f9e13b2d1cb6b34b2dce05a
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
-
       - |
         mkdir tailscale dist
         tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale
+      - |
+        cd tailscale
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-
         go build \
           -C tailscale \
           -o ../dist \

nvidia-gpu/nonfree/kmod-nvidia/lts/pkg.yaml

@@ -1,6 +1,6 @@
 name: nonfree-kmod-nvidia-lts
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -12,12 +12,12 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules \
+        mkdir -p /rootfs/usr/lib/modules \
           /rootfs/usr/local/lib/modprobe.d
 
         cp /pkg/files/nvidia.conf /rootfs/usr/local/lib/modprobe.d/nvidia.conf
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
     test:
       - |
         mkdir -p /extensions-validator-rootfs

nvidia-gpu/nonfree/kmod-nvidia/production/pkg.yaml

@@ -1,6 +1,6 @@
 name: nonfree-kmod-nvidia-production
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -12,12 +12,12 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules \
+        mkdir -p /rootfs/usr/lib/modules \
           /rootfs/usr/local/lib/modprobe.d
 
         cp /pkg/files/nvidia.conf /rootfs/usr/local/lib/modprobe.d/nvidia.conf
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
     test:
       - |
         mkdir -p /extensions-validator-rootfs

nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-container-toolkit-lts
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: nvidia-container-cli-lts
@@ -19,7 +19,6 @@ steps:
     install:
       - |
         mkdir -p /rootfs/usr/local/etc/containers
-
         cp /pkg/nvidia-persistenced.yaml /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml
     test:
       - |

nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/lts/pkg.yaml

@@ -46,12 +46,15 @@ steps:
       - |
         mkdir libnvidia-container
         tar -xzf  libnvidia-container.tar.gz --strip-components=1 -C libnvidia-container
+  # FIXME: make downloads nvidia-modprobe
+  - network: default
     build:
       - |
         cd libnvidia-container
 
         # LDLIBS=-L/usr/local/glibc/lib is set so that libnvidia-container-cli libs which are hardcoded as -llibname and not using pkg-config
         CPPFLAGS="-I/usr/local/glibc/include/tirpc" LDLIBS="-L/usr/local/glibc/lib -ltirpc -lelf -lseccomp" LDFLAGS='-Wl,--rpath=\$$ORIGIN/../glibc/\$$LIB' make
+  - network: none
     install:
       - |
         mkdir -p /rootfs

nvidia-gpu/nvidia-container-toolkit/nvidia-container-cli/production/pkg.yaml

@@ -46,12 +46,15 @@ steps:
       - |
         mkdir libnvidia-container
         tar -xzf  libnvidia-container.tar.gz --strip-components=1 -C libnvidia-container
+  # FIXME: make downloads nvidia-modprobe
+  - network: default
     build:
       - |
         cd libnvidia-container
 
         # LDLIBS=-L/usr/local/glibc/lib is set so that libnvidia-container-cli libs which are hardcoded as -llibname and not using pkg-config
         CPPFLAGS="-I/usr/local/glibc/include/tirpc" LDLIBS="-L/usr/local/glibc/lib -ltirpc -lelf -lseccomp" LDFLAGS='-Wl,--rpath=\$$ORIGIN/../glibc/\$$LIB' make
+  - network: none
     install:
       - |
         mkdir -p /rootfs

nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime-wrapper/pkg.yaml

@@ -1,18 +1,23 @@
 name: nvidia-container-runtime-wrapper
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
+  - env:
+      GOPATH: /tmp/go
   - cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        cp -r /pkg/* .
+      - |
+        go mod download
+  - network: none
     build:
     - |
-      export PATH=${PATH}:${TOOLCHAIN}/go/bin
-
-      cp -r /pkg/* .
-
       CGO_ENABLED=0 go build -o nvidia-container-runtime-wrapper main.go
     install:
     - |

nvidia-gpu/nvidia-container-toolkit/nvidia-persistenced-wrapper/pkg.yaml

@@ -1,18 +1,23 @@
 name: nvidia-persistenced-wrapper
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
+  - env:
+      GOPATH: /tmp/go
   - cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        cp -r /pkg/* .
+      - |
+        go mod download
+  - network: none
     build:
     - |
-      export PATH=${PATH}:${TOOLCHAIN}/go/bin
-
-      cp -r /pkg/* .
-
       CGO_ENABLED=0 go build -o nvidia-persistenced-wrapper main.go
     install:
     - |

nvidia-gpu/nvidia-container-toolkit/nvidia-pkgs/lts/pkg.yaml

@@ -66,7 +66,7 @@ steps:
           --no-kernel-module-source \
           --no-check-for-alternate-installs \
           --override-file-type-destination=NVIDIA_MODPROBE:/rootfs/usr/local/bin \
-          --override-file-type-destination=FIRMWARE:/rootfs/lib/firmware/nvidia/{{ .NVIDIA_DRIVER_LTS_VERSION }} \
+          --override-file-type-destination=FIRMWARE:/rootfs/usr/lib/firmware/nvidia/{{ .NVIDIA_DRIVER_LTS_VERSION }} \
           --no-systemd \
           # {{ if eq .ARCH "x86_64" }}--no-install-compat32-libs{{ end }}
 

nvidia-gpu/nvidia-container-toolkit/nvidia-pkgs/production/pkg.yaml

@@ -65,7 +65,7 @@ steps:
           --no-kernel-module-source \
           --no-check-for-alternate-installs \
           --override-file-type-destination=NVIDIA_MODPROBE:/rootfs/usr/local/bin \
-          --override-file-type-destination=FIRMWARE:/rootfs/lib/firmware/nvidia/{{ .NVIDIA_DRIVER_PRODUCTION_VERSION }} \
+          --override-file-type-destination=FIRMWARE:/rootfs/usr/lib/firmware/nvidia/{{ .NVIDIA_DRIVER_PRODUCTION_VERSION }} \
           --no-systemd
 
         # copy vulkan/OpenGL json files

nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-container-toolkit-production
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: nvidia-container-cli-production

nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-fabricmanager-lts
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 steps:

nvidia-gpu/nvidia-fabricmanager/production/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-fabricmanager-production
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 steps:

nvidia-gpu/nvidia-modules/lts/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-open-gpu-kernel-modules-lts
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -12,12 +12,12 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules \
+        mkdir -p /rootfs/usr/lib/modules \
           /rootfs/usr/local/lib/modprobe.d
 
         cp /pkg/files/nvidia.conf /rootfs/usr/local/lib/modprobe.d/nvidia.conf
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
     test:
       - |
         mkdir -p /extensions-validator-rootfs

nvidia-gpu/nvidia-modules/production/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvidia-open-gpu-kernel-modules-production
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -12,12 +12,12 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules \
+        mkdir -p /rootfs/usr/lib/modules \
           /rootfs/usr/local/lib/modprobe.d
 
         cp /pkg/files/nvidia.conf /rootfs/usr/local/lib/modprobe.d/nvidia.conf
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
     test:
       - |
         mkdir -p /extensions-validator-rootfs

power/nut-client/pkg.yaml

@@ -1,6 +1,6 @@
 name: nut-client
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -21,12 +21,6 @@ steps:
         patch -p1 < /pkg/patches/replace_system.patch
       - |
         mkdir -p /usr/bin
-        ln -sf /toolchain/bin/env /usr/bin/env
-
-        # Create symlinks for files used when building.
-        ln -s /toolchain/bin/pkg-config /usr/bin/pkg-config
-        ln -s /toolchain/bin/file /usr/bin/file
-
         autoreconf -if
 
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig

storage/btrfs/pkg.yaml

@@ -1,6 +1,6 @@
 name: btrfs
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   # The pkgs version for a particular release of Talos as defined in
@@ -12,16 +12,16 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        export KERNELRELEASE=$(find /lib/modules -type d -name "*-talos" -exec basename {} \+)
+        export KERNELRELEASE=$(find /usr/lib/modules -type d -name "*-talos" -exec basename {} \+)
 
         mkdir -p /rootfs
 
-        xargs -a /pkg/files/modules.txt -I {} install -D /lib/modules/${KERNELRELEASE}/{} /rootfs/lib/modules/${KERNELRELEASE}/{}
+        xargs -a /pkg/files/modules.txt -I {} install -D /usr/lib/modules/${KERNELRELEASE}/{} /rootfs/usr/lib/modules/${KERNELRELEASE}/{}
-        depmod -b /rootfs ${KERNELRELEASE}
+        depmod -b /rootfs/usr ${KERNELRELEASE}
   - test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs

storage/drbd/pkg.yaml

@@ -1,6 +1,6 @@
 name: drbd
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
  - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -12,9 +12,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules
+        mkdir -p /rootfs/usr/lib/modules
 
-        cp -R /lib/modules/* /rootfs/lib/modules
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
     test:
       - |
         mkdir -p /extensions-validator-rootfs

storage/fuse3/pkg.yaml

@@ -1,6 +1,6 @@
 name: fuse3
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -10,6 +10,7 @@ steps:
         destination: fuse.tar.gz
         sha256: f797055d9296b275e981f5f62d4e32e089614fc253d1ef2985851025b8a0ce87
         sha512: 3e8889863cd67dada67271f095f694dc9e5aaf2561fd1e2285aee95b5a54e692bb195ab8fce57fc2bdf08d0ea17b6d56ca4967b4e4371d639d6133907b2370d3
+  - network: default
     prepare:
       - |
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
@@ -17,8 +18,6 @@ steps:
         tar -xzf fuse.tar.gz --strip-components=1
 
         mkdir -p /usr/bin
-        ln -s /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/python3 /toolchain/bin/python
         pip3 install ninja
 
         mkdir -p /rootfs/usr/local/etc
@@ -28,6 +27,7 @@ steps:
         mkdir _build
         meson setup _build
         meson configure -D useroot=false -D initscriptdir='' _build
+  - network: none
     build:
       - |
         ninja -C _build

storage/iscsi-tools/open-iscsi/pkg.yaml

@@ -1,6 +1,6 @@
 name: open-iscsi
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/kmod:{{ .BUILD_ARG_PKGS }}"
@@ -14,22 +14,11 @@ steps:
         sha512: 18b92d3e9a85d8de66734d95e9ca74a8acc5167a98830134c18ad5e226b29a00d358f952edfab67b643c454ec63c0a382c7ab7e7e76970f7574b46cea0d5c82d
     env:
       SOURCE_DATE_EPOCH: {{ .BUILD_ARG_SOURCE_DATE_EPOCH }}
+  - network: default
     prepare:
       - |
-        mkdir -p /usr/bin \
-            && ln -sf /toolchain/bin/env /usr/bin/env \
-            && ln -sf /toolchain/bin/install /usr/bin/install \
-            && ln -s /toolchain/bin/python3 /toolchain/bin/python
-
         tar -xzf open-iscsi.tar.gz --strip-components=1
 
-        # Create symlinks for binaries required by libtoolize.
-        ln -s /toolchain/bin/sed /usr/bin/sed
-
-        # Create symlinks for files used when building.
-        ln -s /toolchain/bin/pkg-config /usr/bin/pkg-config
-        ln -s /toolchain/bin/file /usr/bin/file
-
         patch -p1 < /pkg/patches/login-scan-manual.patch
         patch -p1 < /pkg/patches/musl-fixes.patch
         patch -p1 < /pkg/patches/add-missing-headers.patch
@@ -37,6 +26,7 @@ steps:
         patch -p1 < /pkg/patches/remove-werror.patch
 
         pip3 install ninja
+  - network: none
     build:
       - |
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig

storage/iscsi-tools/pkg.yaml

@@ -1,6 +1,6 @@
 name: iscsi-tools
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   # `base` dependency is used for doing cleanups
   # not copied to rootfs

storage/mdadm/pkg.yaml

@@ -1,6 +1,6 @@
 name: mdadm
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/systemd-udevd:{{ .BUILD_ARG_PKGS }}"

storage/zfs/pkg.yaml

@@ -1,6 +1,6 @@
 name: zfs
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 # The pkgs version for a particular release of Talos as defined in
@@ -16,8 +16,8 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
   - install:
       - |
-        mkdir -p /rootfs/lib/modules
+        mkdir -p /rootfs/usr/lib/modules
-        cp -R /lib/modules/* /rootfs/lib/modules/
+        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules/
       - |
         mkdir -p /rootfs/usr/local/etc/containers
         cp /pkg/zfs-service.yaml /rootfs/usr/local/etc/containers/

storage/zfs/zfs-service/pkg.yaml

@@ -1,16 +1,23 @@
 name: zfs-service
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
+  - env:
+      GOPATH: /tmp/go
   - cachePaths:
       - /.cache/go-build
-      - /go/pkg
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        cp -r /pkg/* .
+      - |
+        go mod download
+  - network: none
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-        cp -r /pkg/* .
         CGO_ENABLED=0 go build -ldflags "-s -w" -trimpath -o zfs-service main.go
     install:
       - |

storage/zfs/zfs-tools/libtirpc/pkg.yaml

@@ -1,7 +1,7 @@
 
 name: libtirpc-zfs
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

storage/zfs/zfs-tools/pkg.yaml

@@ -1,6 +1,6 @@
 name: zfs-tools
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: libtirpc-zfs

storage/zfs/zfs-tools/zlib/pkg.yaml

@@ -1,6 +1,6 @@
 name: zlib-zfs
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

tools/nvme-cli/libnvme/pkg.yaml

@@ -1,6 +1,6 @@
 name: libnvme
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -11,13 +11,12 @@ steps:
         destination: libnvme.tar.gz
         sha256: 6d5d8ba2cc4c94a61a994c9f7f25b3b26ef973fb5c0daa37729890903f37a1f1
         sha512: 8720f2907a3d13af44fb3deec883cd6eb247d5861c4459b5fe0e67ff9ecfb565462a5faf39d43e08b5284f3e8ca8e72d41b333984beaa45d3287b1a258f3e59d
+  - network: default
     prepare:
       - |
         tar xf libnvme.tar.gz --strip-components=1
 
         mkdir -p /usr/bin
-        ln -s /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/python3 /toolchain/bin/python
         pip3 install ninja
 
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig
@@ -27,6 +26,7 @@ steps:
           -Djson-c=enabled \
           -Dpython=disabled \
           .build
+  - network: none
     build:
       - |
         meson compile -C .build

tools/nvme-cli/pkg.yaml

@@ -1,6 +1,6 @@
 name: nvme-cli
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/openssl:{{ .BUILD_ARG_PKGS }}"
@@ -16,6 +16,7 @@ steps:
         destination: nvme-cli.tar.gz
         sha256: 5e4dc73dbb488c6b1e6ad1c78d0c62b624076fcb0c052bd9039674a1dbd6517b
         sha512: 33de20ad990a3b87fef46fa486832edde41907223aa6b8a47606e605b360745fd7e2054226bf93a59b2a09c6bc04d0b684e4b3bb27c3fc0e6110c64a558cadc0
+  - network: default
     prepare:
       - |
         tar xf nvme-cli.tar.gz --strip-components=1
@@ -23,8 +24,6 @@ steps:
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/local/lib/pkgconfig
 
         mkdir -p /usr/bin
-        ln -s /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/python3 /toolchain/bin/python
         pip3 install ninja
 
         export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/local/lib/pkgconfig
@@ -39,6 +38,7 @@ steps:
           .build
       - |
         sed -i 's#$VERSION#{{ .NVME_CLI_VERSION }}#' /pkg/manifest.yaml
+  - network: none
     build:
       - |
         meson compile -C .build

tools/util-linux/pkg.yaml

@@ -1,6 +1,6 @@
 name: util-linux-tools
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps: