From 8146546c08735ac84a864a9be4d2b5a86d5ccd53 Mon Sep 17 00:00:00 2001 
From: Kevin Wang Date: Fri, 20 Mar 2026 01:02:33 +0000 Subject: [PATCH 1/5] build: consolidate reproducible builder scripts into build/shared/ Move pin-packages.sh, config-qemu.sh, and common build functions into a single build/shared/ directory, eliminating divergent copies across gateway, kms, and verifier builders. Key changes: - Create build/shared/build-lib.sh with shared functions (ensure_buildkit, docker_build, extract_packages, sync_shared_scripts, check_clean_tree) - Fix pin-packages.sh: use printf instead of echo for correct newline handling, proper quoting, use HTTP for snapshot.debian.org (APT does its own GPG verification) - Unify snapshot date to 20260317T000000Z across all services - Rewrite all build-image.sh scripts to source shared build-lib.sh - Add DSTACK_SRC_URL ARG to gateway Dockerfile (was hardcoded) - Fix kms GIT_REV handling to use Dockerfile ARG instead of host file - Rename kms-pinned-packages.txt to builder-pinned-packages.txt for consistency across services - Regenerate all pinned-packages.txt files with unified snapshot date - Fix verifier's corrupt builder-pinned-packages.txt (was 435 lines of '=') --- .gitignore | 3 +- build/shared/build-lib.sh | 92 ++ .../builder => build}/shared/config-qemu.sh | 0 build/shared/pin-packages.sh | 36 + gateway/dstack-app/builder/Dockerfile | 3 +- gateway/dstack-app/builder/build-image.sh | 68 +- gateway/dstack-app/builder/shared/.gitignore | 3 + .../shared/builder-pinned-packages.txt | 906 +++++++++--------- .../dstack-app/builder/shared/pin-packages.sh | 21 - .../builder/shared/pinned-packages.txt | 38 +- kms/dstack-app/builder/Dockerfile | 5 +- kms/dstack-app/builder/build-image.sh | 72 +- kms/dstack-app/builder/shared/.gitignore | 3 + .../shared/builder-pinned-packages.txt | 477 +++++++++ .../builder/shared/kms-pinned-packages.txt | 435 --------- kms/dstack-app/builder/shared/pin-packages.sh | 21 - .../builder/shared/qemu-pinned-packages.txt | 58 +- verifier/builder/build-image.sh | 67 +- 
verifier/builder/shared/.gitignore | 3 + .../shared/builder-pinned-packages.txt | 870 ++++++++--------- verifier/builder/shared/config-qemu.sh | 28 - verifier/builder/shared/pin-packages.sh | 21 - verifier/builder/shared/pinned-packages.txt | 6 +- .../builder/shared/qemu-pinned-packages.txt | 34 +- 24 files changed, 1649 insertions(+), 1621 deletions(-) create mode 100755 build/shared/build-lib.sh rename {kms/dstack-app/builder => build}/shared/config-qemu.sh (100%) create mode 100755 build/shared/pin-packages.sh create mode 100644 gateway/dstack-app/builder/shared/.gitignore delete mode 100755 gateway/dstack-app/builder/shared/pin-packages.sh create mode 100644 kms/dstack-app/builder/shared/.gitignore create mode 100644 kms/dstack-app/builder/shared/builder-pinned-packages.txt delete mode 100644 kms/dstack-app/builder/shared/kms-pinned-packages.txt delete mode 100755 kms/dstack-app/builder/shared/pin-packages.sh create mode 100644 verifier/builder/shared/.gitignore delete mode 100755 verifier/builder/shared/config-qemu.sh delete mode 100755 verifier/builder/shared/pin-packages.sh
diff --git a/.gitignore b/.gitignore
index 8c0d716f7..321130a72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
 /target
 /certs
 /build-config.sh
-/build
+/build/*
+!/build/shared/
 generated/
 node_modules/
 /.cargo
diff --git a/build/shared/build-lib.sh b/build/shared/build-lib.sh
new file mode 100755
index 000000000..48ec84daa
--- /dev/null
+++ b/build/shared/build-lib.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: © 2025 Phala Network
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Shared build library for reproducible Docker image builds.
+#
+# Expected variables (set by the sourcing script):
+# REPO_ROOT - absolute path to the git repo root
+# CONTEXT_DIR - Docker build context directory
+# DOCKERFILE - path to the Dockerfile
+# GIT_REV - git revision to build
+# DSTACK_SRC_URL - git URL for dstack source
+
+set -euo pipefail
+
+BUILDKIT_VERSION="v0.20.2"
+BUILDKIT_BUILDER="buildkit_20"
+
+ensure_buildkit() {
+ if ! docker buildx inspect "$BUILDKIT_BUILDER" &>/dev/null; then
+ docker buildx create --use --driver-opt "image=moby/buildkit:$BUILDKIT_VERSION" --name "$BUILDKIT_BUILDER"
+ fi
+}
+
+extract_packages() {
+ local image_name=$1
+ local pkg_list_file=${2:-}
+ if [ -z "$pkg_list_file" ]; then
+ return
+ fi
+ docker run --rm --entrypoint bash "$image_name" \
+ -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" \
+ >"$pkg_list_file"
+}
+
+docker_build() {
+ local image_name=$1
+ local target=${2:-}
+ local pkg_list_file=${3:-}
+
+ local commit_timestamp
+ commit_timestamp=$(git -C "$REPO_ROOT" show -s --format=%ct "$GIT_REV")
+
+ local args=(
+ --builder "$BUILDKIT_BUILDER"
+ --progress=plain
+ --output "type=docker,name=$image_name,rewrite-timestamp=true"
+ --build-arg "SOURCE_DATE_EPOCH=$commit_timestamp"
+ --build-arg "DSTACK_REV=$GIT_REV"
+ --build-arg "DSTACK_SRC_URL=$DSTACK_SRC_URL"
+ )
+
+ if [ -n "${NO_CACHE:-}" ]; then
+ args+=(--no-cache)
+ fi
+
+ if [ -n "$target" ]; then
+ args+=(--target "$target")
+ fi
+
+ docker buildx build "${args[@]}" \
+ --file "$DOCKERFILE" \
+ "$CONTEXT_DIR"
+
+ extract_packages "$image_name" "$pkg_list_file"
+}
+
+# Copy shared build scripts into the local shared directory used by Dockerfile COPY.
+sync_shared_scripts() {
+ local dest_dir=$1
+ local need_qemu=${2:-false}
+
+ cp "$REPO_ROOT/build/shared/pin-packages.sh" "$dest_dir/pin-packages.sh"
+ if [ "$need_qemu" = "true" ]; then
+ cp "$REPO_ROOT/build/shared/config-qemu.sh" "$dest_dir/config-qemu.sh"
+ fi
+}
+
+# Verify that pinned-packages files haven't changed (idempotency check).
+check_clean_tree() {
+ local check_path=$1
+ local rel_path
+ rel_path=$(realpath --relative-to="$REPO_ROOT" "$check_path")
+ local git_status
+ git_status=$(git -C "$REPO_ROOT" status --porcelain -- "$rel_path")
+ if [ -n "$git_status" ]; then
+ echo "The working tree has updates in $rel_path. Commit or stash before re-running." >&2
+ exit 1
+ fi
+}
diff --git a/kms/dstack-app/builder/shared/config-qemu.sh b/build/shared/config-qemu.sh
similarity index 100%
rename from kms/dstack-app/builder/shared/config-qemu.sh
rename to build/shared/config-qemu.sh
diff --git a/build/shared/pin-packages.sh b/build/shared/pin-packages.sh
new file mode 100755
index 000000000..bb5bc6e27
--- /dev/null
+++ b/build/shared/pin-packages.sh
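Review bot: In build/shared/build-lib.sh, `ensure_buildkit` only tests whether a builder named `buildkit_20` exists, so a pre-existing builder of that name backed by a different BuildKit image is reused without complaint, and the image it does create is selected by the mutable tag `moby/buildkit:v0.20.2` rather than by digest. For a build that is meant to be reproducible, pin the image as `image=moby/buildkit:$BUILDKIT_VERSION@sha256:<digest of the audited image>` and compare the BuildKit version reported by `docker buildx inspect` with `$BUILDKIT_VERSION` before reusing an existing builder. `--use` also switches the caller's default buildx builder as a side effect; `docker_build` already passes `--builder` explicitly, so the flag looks unnecessary. The header comment should also say that sourcing this file enables errexit, nounset and pipefail in the calling shell, e.g. `# NOTE: sourcing this file runs 'set -euo pipefail' in the caller`.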
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: © 2025 Phala Network
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Pin APT packages to exact versions from a frozen Debian snapshot.
+# Usage: pin-packages.sh
+#
+# This script:
+# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources)
+# 2. Reads package=version pairs from the given file and creates APT pin preferences
+# with priority 1001 to force exact versions
+
+set -e
+
+PKG_LIST=$1
+SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z}
+
+if [ -z "$PKG_LIST" ]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list
+echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list
+echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until
+
+mkdir -p /etc/apt/preferences.d
+while IFS= read -r line; do
+ pkg=$(echo "$line" | cut -d= -f1)
+ ver=$(echo "$line" | cut -d= -f2)
+ if [ -n "$pkg" ] && [ -n "$ver" ]; then
+ printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages
+ fi
+done < "$PKG_LIST"
diff --git a/gateway/dstack-app/builder/Dockerfile b/gateway/dstack-app/builder/Dockerfile
index 3f0076429..ea7103091 100644
--- a/gateway/dstack-app/builder/Dockerfile
+++ b/gateway/dstack-app/builder/Dockerfile
@@ -5,6 +5,7 @@
 FROM rust:1.92.0@sha256:48851a839d6a67370c9dbe0e709bedc138e3e404b161c5233aedcf2b717366e4 AS gateway-builder
 COPY ./shared /build
 ARG DSTACK_REV
+ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git
 WORKDIR /build
 RUN ./pin-packages.sh ./builder-pinned-packages.txt
 RUN apt-get update && \
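Review bot: build/shared/pin-packages.sh hard-codes the `bookworm` suite and rewrites only `/etc/apt/sources.list`, yet the builder-pinned-packages.txt regenerated in this same commit lists `+deb13` versions (for example `base-files=13.8+deb13u2`), which a bookworm snapshot cannot supply. That suggests the builder image is a newer Debian release and that APT still resolves packages from sources this script does not touch (presumably a file under `/etc/apt/sources.list.d/` shipped by the base image; not visible here), in which case `SNAPSHOT_DATE` would not actually freeze the package set. As far as I can tell, a `Pin: version` entry for a version missing from the index is simply ignored, so nothing fails when this happens. Deriving the suite from the image and leaving the snapshot as the only source, as sketched below, would make the pinning effective on either release.

```shell
# … unchanged: shebang, header comment, PKG_LIST / SNAPSHOT_DATE handling …
. /etc/os-release
SUITE=${VERSION_CODENAME:?cannot determine Debian suite}
SNAPSHOT_URL="http://snapshot.debian.org/archive"

# Leave the snapshot as the only APT source.
rm -f /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources
printf 'deb [check-valid-until=no] %s/debian/%s %s main\n' \
  "$SNAPSHOT_URL" "$SNAPSHOT_DATE" "$SUITE" > /etc/apt/sources.list
printf 'deb [check-valid-until=no] %s/debian-security/%s %s-security main\n' \
  "$SNAPSHOT_URL" "$SNAPSHOT_DATE" "$SUITE" >> /etc/apt/sources.list
# … unchanged: apt.conf.d entry and the pin-preferences loop …
```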
@@ -17,7 +18,7 @@ RUN apt-get update && \
 libprotobuf-dev \
 clang \
 libclang-dev
-RUN git clone https://github.com/Dstack-TEE/dstack.git && \
+RUN git clone ${DSTACK_SRC_URL} && \
 cd dstack && \
 git checkout ${DSTACK_REV}
 RUN rustup target add x86_64-unknown-linux-musl
diff --git a/gateway/dstack-app/builder/build-image.sh b/gateway/dstack-app/builder/build-image.sh
index 9c7a56c65..8f3d70594 100755
--- a/gateway/dstack-app/builder/build-image.sh
+++ b/gateway/dstack-app/builder/build-image.sh
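Review bot: In the gateway Dockerfile, `git clone ${DSTACK_SRC_URL}` still relies on the checkout directory being named `dstack`, so now that the URL is a build argument, a mirror or fork whose path ends in anything else makes the following `cd dstack` fail; both expansions are also unquoted. Name the target directory and quote the arguments: `RUN git clone "${DSTACK_SRC_URL}" dstack && \` and `git checkout "${DSTACK_REV}"`. The `ARG DSTACK_SRC_URL=...` line added in the first hunk has no comment; something like `# Where the source is fetched from; the content built is selected by DSTACK_REV` would tell a reviewer that the revision, not the URL, is what identifies the input.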
@@ -4,62 +4,34 @@ # # SPDX-License-Identifier: Apache-2.0 -set -e +set -euo pipefail -#NO_CACHE=--no-cache +SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel) +CONTEXT_DIR="$SCRIPT_DIR" +SHARED_DIR="$SCRIPT_DIR/shared" +DOCKERFILE="$SCRIPT_DIR/Dockerfile" -extract-packages() { - local name=$1 - local pkg_list_file=$2 - if [ -z "$pkg_list_file" ]; then - return - fi - docker run --rm --entrypoint bash $name -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > "$pkg_list_file" -} +source "$REPO_ROOT/build/shared/build-lib.sh" -# Function to build Docker image and optionally extract package list -docker-build() { - local name=$1 - local target=$2 - local pkg_list_file=$3 - # Get the commit timestamp for SOURCE_DATE_EPOCH - local commit_timestamp=$(git show -s --format=%ct $GIT_REV) - local build_args="--build-arg SOURCE_DATE_EPOCH=$commit_timestamp --build-arg DSTACK_REV=$GIT_REV" - - local args="--builder buildkit_20 $NO_CACHE $build_args" - - # Add target if specified - if [ -n "$target" ]; then - args="$args --target $target" - fi - - # Build the image - docker buildx build $args --output type=docker,name=$name,rewrite-timestamp=true --progress=plain . - extract-packages $name $pkg_list_file -} - -NAME=$1 +NAME=${1:-} if [ -z "$NAME" ]; then - echo "Usage: $0 [:]" + echo "Usage: $0 [:]" >&2 exit 1 fi -# Check if buildkit_20 already exists before creating it -if ! 
docker buildx inspect buildkit_20 &>/dev/null; then - docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20 -fi - -touch shared/builder-pinned-packages.txt -touch shared/pinned-packages.txt +NO_CACHE=${NO_CACHE:-} GIT_REV=${GIT_REV:-HEAD} -GIT_REV=$(git rev-parse $GIT_REV) +GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") +DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} -docker-build "$NAME" "" "shared/pinned-packages.txt" -docker-build "gateway-builder-temp" "gateway-builder" "shared/builder-pinned-packages.txt" +ensure_buildkit +sync_shared_scripts "$SHARED_DIR" -git_status=$(git status --porcelain -- shared/) -if [ -n "$git_status" ]; then - echo "The working tree is not clean, please commit or stash your changes before re-running the build" - exit 1 -fi +touch "$SHARED_DIR/builder-pinned-packages.txt" +touch "$SHARED_DIR/pinned-packages.txt" + +docker_build "$NAME" "" "$SHARED_DIR/pinned-packages.txt" +docker_build "gateway-builder-temp" "gateway-builder" "$SHARED_DIR/builder-pinned-packages.txt" +check_clean_tree "$SHARED_DIR" diff --git a/gateway/dstack-app/builder/shared/.gitignore b/gateway/dstack-app/builder/shared/.gitignore new file mode 100644 index 000000000..eaf106ff1 --- /dev/null +++ b/gateway/dstack-app/builder/shared/.gitignore @@ -0,0 +1,3 @@ +# Copied from build/shared/ at build time by build-image.sh +pin-packages.sh +config-qemu.sh diff --git a/gateway/dstack-app/builder/shared/builder-pinned-packages.txt b/gateway/dstack-app/builder/shared/builder-pinned-packages.txt index 63c13b124..e390e80bc 100644 --- a/gateway/dstack-app/builder/shared/builder-pinned-packages.txt +++ b/gateway/dstack-app/builder/shared/builder-pinned-packages.txt 
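Review bot: In gateway/dstack-app/builder/build-image.sh, `sync_shared_scripts "$SHARED_DIR"` copies pin-packages.sh from the working tree into the Docker context, while the source that gets compiled is cloned at `GIT_REV`, so an uncommitted edit under build/shared/ changes the image without changing the revision it is built from. The copies are git-ignored by the new shared/.gitignore, so the closing `check_clean_tree "$SHARED_DIR"` cannot notice this. Before `sync_shared_scripts`, refuse to build when the scripts differ from the revision, e.g. `git -C "$REPO_ROOT" diff --quiet "$GIT_REV" -- build/shared || { echo "build/shared differs from $GIT_REV" >&2; exit 1; }`. It would also help to print the resolved `GIT_REV` and `DSTACK_SRC_URL` to stderr so the build log records which inputs were used.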
@@ -1,435 +1,477 @@ -adduser=3.134 -apt=2.6.1 -autoconf=2.71-3 -automake=1:1.16.5-1.3 -autotools-dev=20220109.1 -base-files=12.4+deb12u10 -base-passwd=3.6.1 -bash=5.2.15-2+b7 -binutils-common:amd64=2.40-2 -binutils-x86-64-linux-gnu=2.40-2 -binutils=2.40-2 -bsdutils=1:2.38.1-5+deb12u3 -build-essential=12.9 -bzip2=1.0.8-5+b1 -ca-certificates=20230311 -clang-14=1:14.0.6-12 -clang=1:14.0-55.7~deb12u1 -comerr-dev:amd64=2.1-1.47.0-2 -coreutils=9.1-1 -cpp-12=12.2.0-14+deb12u1 -cpp=4:12.2.0-3 -curl=7.88.1-10+deb12u12 -dash=0.5.12-2 -debconf=1.5.82 -debian-archive-keyring=2023.3+deb12u1 -debianutils=5.7-0.5~deb12u1 -default-libmysqlclient-dev:amd64=1.1.0 -diffutils=1:3.8-4 -dirmngr=2.2.40-1.1 -dpkg-dev=1.21.22 -dpkg=1.21.22 -e2fsprogs=1.47.0-2 -file=1:5.44-3 -findutils=4.9.0-4 -fontconfig-config=2.14.1-4 -fontconfig=2.14.1-4 -fonts-dejavu-core=2.37-6 -g++-12=12.2.0-14+deb12u1 -g++=4:12.2.0-3 -gcc-12-base:amd64=12.2.0-14+deb12u1 -gcc-12=12.2.0-14+deb12u1 -gcc=4:12.2.0-3 -gir1.2-freedesktop:amd64=1.74.0-3 -gir1.2-gdkpixbuf-2.0:amd64=2.42.10+dfsg-1+deb12u1 -gir1.2-glib-2.0:amd64=1.74.0-3 -gir1.2-rsvg-2.0:amd64=2.54.7+dfsg-1~deb12u1 -git-man=1:2.39.5-0+deb12u2 -git=1:2.39.5-0+deb12u2 -gnupg-l10n=2.2.40-1.1 -gnupg-utils=2.2.40-1.1 -gnupg=2.2.40-1.1 -gpg-agent=2.2.40-1.1 -gpg-wks-client=2.2.40-1.1 -gpg-wks-server=2.2.40-1.1 -gpg=2.2.40-1.1 -gpgconf=2.2.40-1.1 -gpgsm=2.2.40-1.1 -gpgv=2.2.40-1.1 -grep=3.8-5 -gzip=1.12-1 -hicolor-icon-theme=0.17-2 -hostname=3.23+nmu1 -icu-devtools=72.1-3 -imagemagick-6-common=8:6.9.11.60+dfsg-1.6+deb12u2 -imagemagick-6.q16=8:6.9.11.60+dfsg-1.6+deb12u2 -imagemagick=8:6.9.11.60+dfsg-1.6+deb12u2 -init-system-helpers=1.65.2 -krb5-multidev:amd64=1.20.1-2+deb12u2 -libacl1:amd64=2.3.1-3 -libaom3:amd64=3.6.0-1+deb12u1 -libapr1:amd64=1.7.2-3+deb12u1 -libaprutil1:amd64=1.6.3-1 -libapt-pkg6.0:amd64=2.6.1 -libasan8:amd64=12.2.0-14+deb12u1 -libassuan0:amd64=2.5.5-5 -libatomic1:amd64=12.2.0-14+deb12u1 -libattr1:amd64=1:2.5.1-4 -libaudit-common=1:3.0.9-1 
-libaudit1:amd64=1:3.0.9-1 -libbinutils:amd64=2.40-2 -libblkid-dev:amd64=2.38.1-5+deb12u3 -libblkid1:amd64=2.38.1-5+deb12u3 -libbrotli-dev:amd64=1.0.9-2+b6 -libbrotli1:amd64=1.0.9-2+b6 -libbsd0:amd64=0.11.7-2 -libbz2-1.0:amd64=1.0.8-5+b1 -libbz2-dev:amd64=1.0.8-5+b1 -libc-bin=2.36-9+deb12u10 -libc-dev-bin=2.36-9+deb12u10 -libc6-dev:amd64=2.36-9+deb12u10 -libc6:amd64=2.36-9+deb12u10 -libcairo-gobject2:amd64=1.16.0-7 -libcairo-script-interpreter2:amd64=1.16.0-7 -libcairo2-dev:amd64=1.16.0-7 -libcairo2:amd64=1.16.0-7 -libcap-ng0:amd64=0.8.3-1+b3 -libcap2:amd64=1:2.66-4 -libcbor0.8:amd64=0.8.0-2+b1 -libcc1-0:amd64=12.2.0-14+deb12u1 -libclang-14-dev=1:14.0.6-12 -libclang-common-14-dev=1:14.0.6-12 -libclang-cpp14=1:14.0.6-12 -libclang-dev=1:14.0-55.7~deb12u1 -libclang1-14=1:14.0.6-12 -libcom-err2:amd64=1.47.0-2 -libcrypt-dev:amd64=1:4.4.33-2 -libcrypt1:amd64=1:4.4.33-2 -libctf-nobfd0:amd64=2.40-2 -libctf0:amd64=2.40-2 -libcurl3-gnutls:amd64=7.88.1-10+deb12u12 -libcurl4-openssl-dev:amd64=7.88.1-10+deb12u12 -libcurl4:amd64=7.88.1-10+deb12u12 -libdatrie1:amd64=0.2.13-2+b1 -libdav1d6:amd64=1.0.0-2+deb12u1 -libdb-dev:amd64=5.3.2 -libdb5.3-dev=5.3.28+dfsg2-1 -libdb5.3:amd64=5.3.28+dfsg2-1 -libde265-0:amd64=1.0.11-1+deb12u2 -libdebconfclient0:amd64=0.270 -libdeflate-dev:amd64=1.14-1 -libdeflate0:amd64=1.14-1 -libdjvulibre-dev:amd64=3.5.28-2+b1 -libdjvulibre-text=3.5.28-2 -libdjvulibre21:amd64=3.5.28-2+b1 -libdpkg-perl=1.21.22 -libedit2:amd64=3.1-20221030-2 -libelf1:amd64=0.188-2.1 -liberror-perl=0.17029-2 -libevent-2.1-7:amd64=2.1.12-stable-8 -libevent-core-2.1-7:amd64=2.1.12-stable-8 -libevent-dev=2.1.12-stable-8 -libevent-extra-2.1-7:amd64=2.1.12-stable-8 -libevent-openssl-2.1-7:amd64=2.1.12-stable-8 -libevent-pthreads-2.1-7:amd64=2.1.12-stable-8 -libexif-dev:amd64=0.6.24-1+b1 -libexif12:amd64=0.6.24-1+b1 -libexpat1-dev:amd64=2.5.0-1+deb12u1 -libexpat1:amd64=2.5.0-1+deb12u1 -libext2fs2:amd64=1.47.0-2 -libffi-dev:amd64=3.4.4-1 -libffi8:amd64=3.4.4-1 
-libfftw3-double3:amd64=3.3.10-1 -libfido2-1:amd64=1.12.0-2+b1 -libfontconfig-dev:amd64=2.14.1-4 -libfontconfig1:amd64=2.14.1-4 -libfreetype-dev:amd64=2.12.1+dfsg-5+deb12u4 -libfreetype6-dev:amd64=2.12.1+dfsg-5+deb12u4 -libfreetype6:amd64=2.12.1+dfsg-5+deb12u4 -libfribidi0:amd64=1.0.8-2.1 -libgc1:amd64=1:8.2.2-3 -libgcc-12-dev:amd64=12.2.0-14+deb12u1 -libgcc-s1:amd64=12.2.0-14+deb12u1 -libgcrypt20:amd64=1.10.1-3 -libgdbm-compat4:amd64=1.23-3 -libgdbm-dev:amd64=1.23-3 -libgdbm6:amd64=1.23-3 -libgdk-pixbuf-2.0-0:amd64=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf-2.0-dev:amd64=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf2.0-bin=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf2.0-common=2.42.10+dfsg-1+deb12u1 -libgirepository-1.0-1:amd64=1.74.0-3 -libglib2.0-0:amd64=2.74.6-2+deb12u5 -libglib2.0-bin=2.74.6-2+deb12u5 -libglib2.0-data=2.74.6-2+deb12u5 -libglib2.0-dev-bin=2.74.6-2+deb12u5 -libglib2.0-dev:amd64=2.74.6-2+deb12u5 -libgmp-dev:amd64=2:6.2.1+dfsg1-1.1 -libgmp10:amd64=2:6.2.1+dfsg1-1.1 -libgmpxx4ldbl:amd64=2:6.2.1+dfsg1-1.1 -libgnutls30:amd64=3.7.9-2+deb12u4 -libgomp1:amd64=12.2.0-14+deb12u1 -libgpg-error0:amd64=1.46-1 -libgprofng0:amd64=2.40-2 -libgraphite2-3:amd64=1.3.14-1 -libgssapi-krb5-2:amd64=1.20.1-2+deb12u2 -libgssrpc4:amd64=1.20.1-2+deb12u2 -libharfbuzz0b:amd64=6.0.0+dfsg-3 -libheif1:amd64=1.15.1-1+deb12u1 -libhogweed6:amd64=3.8.1-2 -libice-dev:amd64=2:1.0.10-1 -libice6:amd64=2:1.0.10-1 -libicu-dev:amd64=72.1-3 -libicu72:amd64=72.1-3 -libidn2-0:amd64=2.3.3-1+b1 -libimath-3-1-29:amd64=3.1.6-1 -libimath-dev:amd64=3.1.6-1 -libisl23:amd64=0.25-1.1 -libitm1:amd64=12.2.0-14+deb12u1 -libjansson4:amd64=2.14-2 -libjbig-dev:amd64=2.1-6.1 -libjbig0:amd64=2.1-6.1 -libjpeg-dev:amd64=1:2.1.5-2 -libjpeg62-turbo-dev:amd64=1:2.1.5-2 -libjpeg62-turbo:amd64=1:2.1.5-2 -libk5crypto3:amd64=1.20.1-2+deb12u2 -libkadm5clnt-mit12:amd64=1.20.1-2+deb12u2 -libkadm5srv-mit12:amd64=1.20.1-2+deb12u2 -libkdb5-10:amd64=1.20.1-2+deb12u2 -libkeyutils1:amd64=1.6.3-2 -libkrb5-3:amd64=1.20.1-2+deb12u2 
-libkrb5-dev:amd64=1.20.1-2+deb12u2 -libkrb5support0:amd64=1.20.1-2+deb12u2 -libksba8:amd64=1.6.3-2 -liblcms2-2:amd64=2.14-2 -liblcms2-dev:amd64=2.14-2 -libldap-2.5-0:amd64=2.5.13+dfsg-5 -liblerc-dev:amd64=4.0.0+ds-2 -liblerc4:amd64=4.0.0+ds-2 -libllvm14:amd64=1:14.0.6-12 -liblqr-1-0-dev:amd64=0.4.2-2.1 -liblqr-1-0:amd64=0.4.2-2.1 -liblsan0:amd64=12.2.0-14+deb12u1 -libltdl-dev:amd64=2.4.7-7~deb12u1 -libltdl7:amd64=2.4.7-7~deb12u1 -liblz4-1:amd64=1.9.4-1 -liblzma-dev:amd64=5.4.1-1 -liblzma5:amd64=5.4.1-1 -liblzo2-2:amd64=2.10-2 -libmagic-mgc=1:5.44-3 -libmagic1:amd64=1:5.44-3 -libmagickcore-6-arch-config:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-6-extra:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-dev=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-dev=8:6.9.11.60+dfsg-1.6+deb12u2 -libmariadb-dev-compat=1:10.11.11-0+deb12u1 -libmariadb-dev=1:10.11.11-0+deb12u1 -libmariadb3:amd64=1:10.11.11-0+deb12u1 -libmaxminddb-dev:amd64=1.7.1-1 -libmaxminddb0:amd64=1.7.1-1 -libmd0:amd64=1.0.4-2 -libmount-dev:amd64=2.38.1-5+deb12u3 -libmount1:amd64=2.38.1-5+deb12u3 -libmpc3:amd64=1.3.1-1 -libmpfr6:amd64=4.2.0-1 -libncurses-dev:amd64=6.4-4 -libncurses5-dev:amd64=6.4-4 -libncurses6:amd64=6.4-4 -libncursesw5-dev:amd64=6.4-4 -libncursesw6:amd64=6.4-4 -libnettle8:amd64=3.8.1-2 -libnghttp2-14:amd64=1.52.0-1+deb12u2 -libnpth0:amd64=1.6-3 -libnsl-dev:amd64=1.3.0-2 -libnsl2:amd64=1.3.0-2 -libnuma1:amd64=2.0.16-1 -libobjc-12-dev:amd64=12.2.0-14+deb12u1 -libobjc4:amd64=12.2.0-14+deb12u1 -libopenexr-3-1-30:amd64=3.1.5-5 -libopenexr-dev=3.1.5-5 -libopenjp2-7-dev:amd64=2.5.0-2+deb12u1 -libopenjp2-7:amd64=2.5.0-2+deb12u1 
-libp11-kit0:amd64=0.24.1-2 -libpam-modules-bin=1.5.2-6+deb12u1 -libpam-modules:amd64=1.5.2-6+deb12u1 -libpam-runtime=1.5.2-6+deb12u1 -libpam0g:amd64=1.5.2-6+deb12u1 -libpango-1.0-0:amd64=1.50.12+ds-1 -libpangocairo-1.0-0:amd64=1.50.12+ds-1 -libpangoft2-1.0-0:amd64=1.50.12+ds-1 -libpcre2-16-0:amd64=10.42-1 -libpcre2-32-0:amd64=10.42-1 -libpcre2-8-0:amd64=10.42-1 -libpcre2-dev:amd64=10.42-1 -libpcre2-posix3:amd64=10.42-1 -libperl5.36:amd64=5.36.0-7+deb12u2 -libpixman-1-0:amd64=0.42.2-1 -libpixman-1-dev:amd64=0.42.2-1 -libpkgconf3:amd64=1.8.1-1 -libpng-dev:amd64=1.6.39-2 -libpng16-16:amd64=1.6.39-2 -libpq-dev=15.12-0+deb12u2 -libpq5:amd64=15.12-0+deb12u2 -libproc2-0:amd64=2:4.0.2-3 -libprotobuf-dev:amd64=3.21.12-3 -libprotobuf-lite32:amd64=3.21.12-3 -libprotobuf32:amd64=3.21.12-3 -libprotoc32:amd64=3.21.12-3 -libpsl5:amd64=0.21.2-1 -libpthread-stubs0-dev:amd64=0.4-1 -libpython3-stdlib:amd64=3.11.2-1+b1 -libpython3.11-minimal:amd64=3.11.2-6+deb12u5 -libpython3.11-stdlib:amd64=3.11.2-6+deb12u5 -libquadmath0:amd64=12.2.0-14+deb12u1 -libreadline-dev:amd64=8.2-1.3 -libreadline8:amd64=8.2-1.3 -librsvg2-2:amd64=2.54.7+dfsg-1~deb12u1 -librsvg2-common:amd64=2.54.7+dfsg-1~deb12u1 -librsvg2-dev:amd64=2.54.7+dfsg-1~deb12u1 -librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 -libsasl2-2:amd64=2.1.28+dfsg-10 -libsasl2-modules-db:amd64=2.1.28+dfsg-10 -libseccomp2:amd64=2.5.4-1+deb12u1 -libselinux1-dev:amd64=3.4-1+b6 -libselinux1:amd64=3.4-1+b6 -libsemanage-common=3.4-1 -libsemanage2:amd64=3.4-1+b5 -libsepol-dev:amd64=3.4-2.1 -libsepol2:amd64=3.4-2.1 -libserf-1-1:amd64=1.3.9-11 -libsm-dev:amd64=2:1.2.3-1 -libsm6:amd64=2:1.2.3-1 -libsmartcols1:amd64=2.38.1-5+deb12u3 -libsqlite3-0:amd64=3.40.1-2+deb12u1 -libsqlite3-dev:amd64=3.40.1-2+deb12u1 -libss2:amd64=1.47.0-2 -libssh2-1:amd64=1.10.0-3+b1 -libssl-dev:amd64=3.0.16-1~deb12u1 -libssl3:amd64=3.0.16-1~deb12u1 -libstdc++-12-dev:amd64=12.2.0-14+deb12u1 -libstdc++6:amd64=12.2.0-14+deb12u1 -libsvn1:amd64=1.14.2-4+deb12u1 
-libsystemd0:amd64=252.36-1~deb12u1 -libtasn1-6:amd64=4.19.0-2+deb12u1 -libthai-data=0.1.29-1 -libthai0:amd64=0.1.29-1 -libtiff-dev:amd64=4.5.0-6+deb12u2 -libtiff6:amd64=4.5.0-6+deb12u2 -libtiffxx6:amd64=4.5.0-6+deb12u2 -libtinfo6:amd64=6.4-4 -libtirpc-common=1.3.3+ds-1 -libtirpc-dev:amd64=1.3.3+ds-1 -libtirpc3:amd64=1.3.3+ds-1 -libtool=2.4.7-7~deb12u1 -libtsan2:amd64=12.2.0-14+deb12u1 -libubsan1:amd64=12.2.0-14+deb12u1 -libudev1:amd64=252.36-1~deb12u1 -libunistring2:amd64=1.0-2 -libutf8proc2:amd64=2.8.0-1 -libuuid1:amd64=2.38.1-5+deb12u3 -libwebp-dev:amd64=1.2.4-0.2+deb12u1 -libwebp7:amd64=1.2.4-0.2+deb12u1 -libwebpdemux2:amd64=1.2.4-0.2+deb12u1 -libwebpmux3:amd64=1.2.4-0.2+deb12u1 -libwmf-0.2-7:amd64=0.2.12-5.1 -libwmf-dev=0.2.12-5.1 -libwmflite-0.2-7:amd64=0.2.12-5.1 -libx11-6:amd64=2:1.8.4-2+deb12u2 -libx11-data=2:1.8.4-2+deb12u2 -libx11-dev:amd64=2:1.8.4-2+deb12u2 -libx265-199:amd64=3.5-2+b1 -libxau-dev:amd64=1:1.0.9-1 -libxau6:amd64=1:1.0.9-1 -libxcb-render0-dev:amd64=1.15-1 -libxcb-render0:amd64=1.15-1 -libxcb-shm0-dev:amd64=1.15-1 -libxcb-shm0:amd64=1.15-1 -libxcb1-dev:amd64=1.15-1 -libxcb1:amd64=1.15-1 -libxdmcp-dev:amd64=1:1.1.2-3 -libxdmcp6:amd64=1:1.1.2-3 -libxext-dev:amd64=2:1.3.4-1+b1 -libxext6:amd64=2:1.3.4-1+b1 -libxml2-dev:amd64=2.9.14+dfsg-1.3~deb12u1 -libxml2:amd64=2.9.14+dfsg-1.3~deb12u1 -libxrender-dev:amd64=1:0.9.10-1.1 -libxrender1:amd64=1:0.9.10-1.1 -libxslt1-dev:amd64=1.1.35-1+deb12u1 -libxslt1.1:amd64=1.1.35-1+deb12u1 -libxt-dev:amd64=1:1.2.1-1.1 -libxt6:amd64=1:1.2.1-1.1 -libxxhash0:amd64=0.8.1-1 -libyaml-0-2:amd64=0.2.5-1 -libyaml-dev:amd64=0.2.5-1 -libz3-4:amd64=4.8.12-3.1 -libzstd-dev:amd64=1.5.4+dfsg2-5 -libzstd1:amd64=1.5.4+dfsg2-5 -linux-libc-dev:amd64=6.1.135-1 -llvm-14-linker-tools=1:14.0.6-12 -login=1:4.13+dfsg1-1+b1 -logsave=1.47.0-2 -m4=1.4.19-3 -make=4.3-4.1 -mariadb-common=1:10.11.11-0+deb12u1 -mawk=1.3.4.20200120-3.1 -media-types=10.0.0 -mercurial-common=6.3.2-1+deb12u1 -mercurial=6.3.2-1+deb12u1 -mount=2.38.1-5+deb12u3 
-musl-dev:amd64=1.2.3-1 -musl-tools=1.2.3-1 -musl:amd64=1.2.3-1 -mysql-common=5.8+1.1.0 -ncurses-base=6.4-4 -ncurses-bin=6.4-4 -netbase=6.4 -openssh-client=1:9.2p1-2+deb12u5 -openssl=3.0.16-1~deb12u1 -passwd=1:4.13+dfsg1-1+b1 -patch=2.7.6-7 -perl-base=5.36.0-7+deb12u2 -perl-modules-5.36=5.36.0-7+deb12u2 -perl=5.36.0-7+deb12u2 -pinentry-curses=1.2.1-1 -pkg-config:amd64=1.8.1-1 -pkgconf-bin=1.8.1-1 -pkgconf:amd64=1.8.1-1 -procps=2:4.0.2-3 -protobuf-compiler=3.21.12-3 -python3-distutils=3.11.2-3 -python3-lib2to3=3.11.2-3 -python3-minimal=3.11.2-1+b1 -python3.11-minimal=3.11.2-6+deb12u5 -python3.11=3.11.2-6+deb12u5 -python3=3.11.2-1+b1 -readline-common=8.2-1.3 +adduser=3.152 +apt=3.0.3 +autoconf=2.72-3.1 +automake=1:1.17-4 +autotools-dev=20240727.1 +base-files=13.8+deb13u2 +base-passwd=3.6.7 +bash=5.2.37-2+b5 +binutils-common:amd64=2.44-3 +binutils-x86-64-linux-gnu=2.44-3 +binutils=2.44-3 +bsdutils=1:2.41-5 +build-essential=12.12 +bzip2=1.0.8-6 +ca-certificates=20250419 +clang-19=1:19.1.7-3+b1 +clang=1:19.0-63 +comerr-dev:amd64=2.1-1.47.2-3+b3 +coreutils=9.7-3 +cpp-14-x86-64-linux-gnu=14.2.0-19 +cpp-14=14.2.0-19 +cpp-x86-64-linux-gnu=4:14.2.0-1 +cpp=4:14.2.0-1 +curl=8.14.1-2+deb13u2 +dash=0.5.12-12 +debconf=1.5.91 +debian-archive-keyring=2025.1 +debianutils=5.23.2 +default-libmysqlclient-dev:amd64=1.1.1 +diffutils=1:3.10-4 +dirmngr=2.4.7-21+b3 +dpkg-dev=1.22.21 +dpkg=1.22.21 +file=1:5.46-5 +findutils=4.10.0-3 +fontconfig-config=2.15.0-2.3 +fontconfig=2.15.0-2.3 +fonts-dejavu-core=2.37-8 +fonts-dejavu-mono=2.37-8 +g++-14-x86-64-linux-gnu=14.2.0-19 +g++-14=14.2.0-19 +g++-x86-64-linux-gnu=4:14.2.0-1 +g++=4:14.2.0-1 +gcc-14-base:amd64=14.2.0-19 +gcc-14-x86-64-linux-gnu=14.2.0-19 +gcc-14=14.2.0-19 +gcc-x86-64-linux-gnu=4:14.2.0-1 +gcc=4:14.2.0-1 +gir1.2-freedesktop-dev:amd64=1.84.0-1 +gir1.2-freedesktop:amd64=1.84.0-1 +gir1.2-gdkpixbuf-2.0:amd64=2.42.12+dfsg-4 +gir1.2-glib-2.0-dev:amd64=2.84.4-3~deb13u1 +gir1.2-glib-2.0:amd64=2.84.4-3~deb13u1 
+gir1.2-harfbuzz-0.0:amd64=10.2.0-1+b1 +gir1.2-pango-1.0:amd64=1.56.3-1 +gir1.2-rsvg-2.0:amd64=2.60.0+dfsg-1 +girepository-tools:amd64=2.84.4-3~deb13u1 +git-man=1:2.47.3-0+deb13u1 +git=1:2.47.3-0+deb13u1 +gnupg-l10n=2.4.7-21 +gnupg=2.4.7-21 +gpg-agent=2.4.7-21+b3 +gpg=2.4.7-21+b3 +gpgconf=2.4.7-21+b3 +gpgsm=2.4.7-21+b3 +grep=3.11-4 +gzip=1.13-1 +hicolor-icon-theme=0.18-2 +hostname=3.25 +icu-devtools=76.1-4 +imagemagick-7-common=8:7.1.1.43+dfsg1-1+deb13u3 +imagemagick-7.q16=8:7.1.1.43+dfsg1-1+deb13u3 +imagemagick=8:7.1.1.43+dfsg1-1+deb13u3 +init-system-helpers=1.69~deb13u1 +krb5-multidev:amd64=1.21.3-5 +libacl1:amd64=2.3.2-2+b1 +libapr1t64:amd64=1.7.5-1 +libaprutil1t64:amd64=1.6.3-3+b1 +libapt-pkg7.0:amd64=3.0.3 +libasan8:amd64=14.2.0-19 +libassuan9:amd64=3.0.2-2 +libatomic1:amd64=14.2.0-19 +libattr1:amd64=1:2.5.2-3 +libaudit-common=1:4.0.2-2 +libaudit1:amd64=1:4.0.2-2+b2 +libbinutils:amd64=2.44-3 +libblkid-dev:amd64=2.41-5 +libblkid1:amd64=2.41-5 +libbrotli-dev:amd64=1.1.0-2+b7 +libbrotli1:amd64=1.1.0-2+b7 +libbsd0:amd64=0.12.2-2 +libbz2-1.0:amd64=1.0.8-6 +libbz2-dev:amd64=1.0.8-6 +libc-bin=2.41-12 +libc-dev-bin=2.41-12 +libc6-dev:amd64=2.41-12 +libc6:amd64=2.41-12 +libcairo-gobject2:amd64=1.18.4-1+b1 +libcairo-script-interpreter2:amd64=1.18.4-1+b1 +libcairo2-dev:amd64=1.18.4-1+b1 +libcairo2:amd64=1.18.4-1+b1 +libcap-ng0:amd64=0.8.5-4+b1 +libcap2:amd64=1:2.75-10+b1 +libcbor0.10:amd64=0.10.2-2 +libcc1-0:amd64=14.2.0-19 +libclang-19-dev=1:19.1.7-3+b1 +libclang-common-19-dev:amd64=1:19.1.7-3+b1 +libclang-cpp19=1:19.1.7-3+b1 +libclang-dev=1:19.0-63 +libclang1-19=1:19.1.7-3+b1 +libcom-err2:amd64=1.47.2-3+b3 +libcrypt-dev:amd64=1:4.4.38-1 +libcrypt1:amd64=1:4.4.38-1 +libctf-nobfd0:amd64=2.44-3 +libctf0:amd64=2.44-3 +libcurl3t64-gnutls:amd64=8.14.1-2+deb13u2 +libcurl4-openssl-dev:amd64=8.14.1-2+deb13u2 +libcurl4t64:amd64=8.14.1-2+deb13u2 +libdatrie-dev:amd64=0.2.13-3+b1 +libdatrie1:amd64=0.2.13-3+b1 +libdav1d-dev:amd64=1.5.1-1 +libdav1d7:amd64=1.5.1-1 
+libdb-dev:amd64=5.3.4 +libdb5.3-dev=5.3.28+dfsg2-9 +libdb5.3t64:amd64=5.3.28+dfsg2-9 +libde265-0:amd64=1.0.15-1+b3 +libdebconfclient0:amd64=0.280 +libdeflate-dev:amd64=1.23-2 +libdeflate0:amd64=1.23-2 +libdjvulibre-dev:amd64=3.5.28-2.2 +libdjvulibre-text=3.5.28-2.2 +libdjvulibre21:amd64=3.5.28-2.2 +libdpkg-perl=1.22.21 +libedit2:amd64=3.1-20250104-1 +libelf1t64:amd64=0.192-4 +liberror-perl=0.17030-1 +libevent-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-core-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-dev=2.1.12-stable-10+b1 +libevent-extra-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-openssl-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-pthreads-2.1-7t64:amd64=2.1.12-stable-10+b1 +libexif-dev:amd64=0.6.25-1 +libexif12:amd64=0.6.25-1 +libexpat1-dev:amd64=2.7.1-2 +libexpat1:amd64=2.7.1-2 +libffi-dev:amd64=3.4.8-2 +libffi8:amd64=3.4.8-2 +libfftw3-bin=3.3.10-2+b1 +libfftw3-dev:amd64=3.3.10-2+b1 +libfftw3-double3:amd64=3.3.10-2+b1 +libfftw3-long3:amd64=3.3.10-2+b1 +libfftw3-quad3:amd64=3.3.10-2+b1 +libfftw3-single3:amd64=3.3.10-2+b1 +libfido2-1:amd64=1.15.0-1+b1 +libfontconfig-dev:amd64=2.15.0-2.3 +libfontconfig1:amd64=2.15.0-2.3 +libfreetype-dev:amd64=2.13.3+dfsg-1 +libfreetype6:amd64=2.13.3+dfsg-1 +libfribidi-dev:amd64=1.0.16-1 +libfribidi0:amd64=1.0.16-1 +libgc1:amd64=1:8.2.8-1 +libgcc-14-dev:amd64=14.2.0-19 +libgcc-s1:amd64=14.2.0-19 +libgcrypt20:amd64=1.11.0-7 +libgdbm-compat4t64:amd64=1.24-2 +libgdbm-dev:amd64=1.24-2 +libgdbm6t64:amd64=1.24-2 +libgdk-pixbuf-2.0-0:amd64=2.42.12+dfsg-4 +libgdk-pixbuf-2.0-dev:amd64=2.42.12+dfsg-4 +libgdk-pixbuf2.0-bin=2.42.12+dfsg-4 +libgdk-pixbuf2.0-common=2.42.12+dfsg-4 +libgio-2.0-dev-bin=2.84.4-3~deb13u1 +libgio-2.0-dev:amd64=2.84.4-3~deb13u1 +libgirepository-2.0-0:amd64=2.84.4-3~deb13u1 +libglib2.0-0t64:amd64=2.84.4-3~deb13u1 +libglib2.0-bin=2.84.4-3~deb13u1 +libglib2.0-data=2.84.4-3~deb13u1 +libglib2.0-dev-bin=2.84.4-3~deb13u1 +libglib2.0-dev:amd64=2.84.4-3~deb13u1 +libgmp-dev:amd64=2:6.3.0+dfsg-3 
+libgmp10:amd64=2:6.3.0+dfsg-3 +libgmpxx4ldbl:amd64=2:6.3.0+dfsg-3 +libgnutls-dane0t64:amd64=3.8.9-3 +libgnutls-openssl27t64:amd64=3.8.9-3 +libgnutls28-dev:amd64=3.8.9-3 +libgnutls30t64:amd64=3.8.9-3 +libgomp1:amd64=14.2.0-19 +libgpg-error0:amd64=1.51-4 +libgprofng0:amd64=2.44-3 +libgraphite2-3:amd64=1.3.14-2+b1 +libgraphite2-dev:amd64=1.3.14-2+b1 +libgssapi-krb5-2:amd64=1.21.3-5 +libgssrpc4t64:amd64=1.21.3-5 +libharfbuzz-cairo0:amd64=10.2.0-1+b1 +libharfbuzz-dev:amd64=10.2.0-1+b1 +libharfbuzz-gobject0:amd64=10.2.0-1+b1 +libharfbuzz-icu0:amd64=10.2.0-1+b1 +libharfbuzz-subset0:amd64=10.2.0-1+b1 +libharfbuzz0b:amd64=10.2.0-1+b1 +libheif-plugin-dav1d:amd64=1.19.8-1 +libheif-plugin-libde265:amd64=1.19.8-1 +libheif1:amd64=1.19.8-1 +libhogweed6t64:amd64=3.10.1-1 +libhwasan0:amd64=14.2.0-19 +libice-dev:amd64=2:1.1.1-1 +libice6:amd64=2:1.1.1-1 +libicu-dev:amd64=76.1-4 +libicu76:amd64=76.1-4 +libidn2-0:amd64=2.3.8-2 +libidn2-dev:amd64=2.3.8-2 +libimath-3-1-29t64:amd64=3.1.12-1+b3 +libimath-dev:amd64=3.1.12-1+b3 +libisl23:amd64=0.27-1 +libitm1:amd64=14.2.0-19 +libjansson4:amd64=2.14-2+b3 +libjbig-dev:amd64=2.1-6.1+b2 +libjbig0:amd64=2.1-6.1+b2 +libjpeg-dev:amd64=1:2.1.5-4 +libjpeg62-turbo-dev:amd64=1:2.1.5-4 +libjpeg62-turbo:amd64=1:2.1.5-4 +libk5crypto3:amd64=1.21.3-5 +libkadm5clnt-mit12:amd64=1.21.3-5 +libkadm5srv-mit12:amd64=1.21.3-5 +libkdb5-10t64:amd64=1.21.3-5 +libkeyutils1:amd64=1.6.3-6 +libkrb5-3:amd64=1.21.3-5 +libkrb5-dev:amd64=1.21.3-5 +libkrb5support0:amd64=1.21.3-5 +libksba8:amd64=1.6.7-2+b1 +liblastlog2-2:amd64=2.41-5 +liblcms2-2:amd64=2.16-2 +liblcms2-dev:amd64=2.16-2 +libldap-dev:amd64=2.6.10+dfsg-1 +libldap2:amd64=2.6.10+dfsg-1 +liblerc-dev:amd64=4.0.0+ds-5 +liblerc4:amd64=4.0.0+ds-5 +libllvm19:amd64=1:19.1.7-3+b1 +liblqr-1-0-dev:amd64=0.4.2-2.1+b2 +liblqr-1-0:amd64=0.4.2-2.1+b2 +liblsan0:amd64=14.2.0-19 +libltdl-dev:amd64=2.5.4-4 +libltdl7:amd64=2.5.4-4 +liblz4-1:amd64=1.10.0-4 +liblzma-dev:amd64=5.8.1-1 +liblzma5:amd64=5.8.1-1 +liblzo2-2:amd64=2.10-3+b1 
+libmagic-mgc=1:5.46-5 +libmagic1t64:amd64=1:5.46-5 +libmagickcore-7-arch-config:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7-headers=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-10-extra:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-10:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-dev:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-dev=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7-headers=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7.q16-10:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7.q16-dev:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-dev=8:7.1.1.43+dfsg1-1+deb13u3 +libmariadb-dev-compat=1:11.8.3-0+deb13u1 +libmariadb-dev=1:11.8.3-0+deb13u1 +libmariadb3:amd64=1:11.8.3-0+deb13u1 +libmaxminddb-dev:amd64=1.12.2-1 +libmaxminddb0:amd64=1.12.2-1 +libmd0:amd64=1.1.0-2+b1 +libmount-dev:amd64=2.41-5 +libmount1:amd64=2.41-5 +libmpc3:amd64=1.3.1-1+b3 +libmpfr6:amd64=4.2.2-1 +libncurses-dev:amd64=6.5+20250216-2 +libncurses6:amd64=6.5+20250216-2 +libncursesw6:amd64=6.5+20250216-2 +libnettle8t64:amd64=3.10.1-1 +libnghttp2-14:amd64=1.64.0-1.1 +libnghttp2-dev:amd64=1.64.0-1.1 +libnghttp3-9:amd64=1.8.0-1 +libnghttp3-dev:amd64=1.8.0-1 +libngtcp2-16:amd64=1.11.0-1 +libngtcp2-crypto-gnutls8:amd64=1.11.0-1 +libnpth0t64:amd64=1.8-3 +libobjc-14-dev:amd64=14.2.0-19 +libobjc4:amd64=14.2.0-19 +libopenexr-3-1-30:amd64=3.1.13-2 +libopenexr-dev=3.1.13-2 +libopenjp2-7-dev:amd64=2.5.3-2.1~deb13u1 +libopenjp2-7:amd64=2.5.3-2.1~deb13u1 +libp11-kit-dev:amd64=0.25.5-3 +libp11-kit0:amd64=0.25.5-3 +libpam-modules-bin=1.7.0-5 +libpam-modules:amd64=1.7.0-5 +libpam-runtime=1.7.0-5 +libpam0g:amd64=1.7.0-5 +libpango-1.0-0:amd64=1.56.3-1 +libpango1.0-dev:amd64=1.56.3-1 +libpangocairo-1.0-0:amd64=1.56.3-1 +libpangoft2-1.0-0:amd64=1.56.3-1 +libpangoxft-1.0-0:amd64=1.56.3-1 +libpcre2-16-0:amd64=10.46-1~deb13u1 +libpcre2-32-0:amd64=10.46-1~deb13u1 +libpcre2-8-0:amd64=10.46-1~deb13u1 +libpcre2-dev:amd64=10.46-1~deb13u1 +libpcre2-posix3:amd64=10.46-1~deb13u1 
+libperl5.40:amd64=5.40.1-6 +libpixman-1-0:amd64=0.44.0-3 +libpixman-1-dev:amd64=0.44.0-3 +libpkgconf3:amd64=1.8.1-4 +libpng-dev:amd64=1.6.48-1 +libpng16-16t64:amd64=1.6.48-1 +libpq-dev=17.6-0+deb13u1 +libpq5:amd64=17.6-0+deb13u1 +libproc2-0:amd64=2:4.0.4-9 +libprotobuf-dev:amd64=3.21.12-11 +libprotobuf-lite32t64:amd64=3.21.12-11 +libprotobuf32t64:amd64=3.21.12-11 +libprotoc32t64:amd64=3.21.12-11 +libpsl-dev:amd64=0.21.2-1.1+b1 +libpsl5t64:amd64=0.21.2-1.1+b1 +libpython3-stdlib:amd64=3.13.5-1 +libpython3.13-minimal:amd64=3.13.5-2 +libpython3.13-stdlib:amd64=3.13.5-2 +libquadmath0:amd64=14.2.0-19 +libraw23t64:amd64=0.21.4-2 +libreadline-dev:amd64=8.2-6 +libreadline8t64:amd64=8.2-6 +librsvg2-2:amd64=2.60.0+dfsg-1 +librsvg2-common:amd64=2.60.0+dfsg-1 +librsvg2-dev:amd64=2.60.0+dfsg-1 +librtmp-dev:amd64=2.4+20151223.gitfa8646d.1-2+b5 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b5 +libsasl2-2:amd64=2.1.28+dfsg1-9 +libsasl2-modules-db:amd64=2.1.28+dfsg1-9 +libseccomp2:amd64=2.6.0-2 +libselinux1-dev:amd64=3.8.1-1 +libselinux1:amd64=3.8.1-1 +libsemanage-common=3.8.1-1 +libsemanage2:amd64=3.8.1-1 +libsepol-dev:amd64=3.8.1-1 +libsepol2:amd64=3.8.1-1 +libserf-1-1:amd64=1.3.10-3+b1 +libsframe1:amd64=2.44-3 +libsharpyuv-dev:amd64=1.5.0-0.1 +libsharpyuv0:amd64=1.5.0-0.1 +libsm-dev:amd64=2:1.2.6-1 +libsm6:amd64=2:1.2.6-1 +libsmartcols1:amd64=2.41-5 +libsqlite3-0:amd64=3.46.1-7 +libsqlite3-dev:amd64=3.46.1-7 +libssh2-1-dev:amd64=1.11.1-1 +libssh2-1t64:amd64=1.11.1-1 +libssl-dev:amd64=3.5.5-1~deb13u1 +libssl3t64:amd64=3.5.5-1~deb13u1 +libstdc++-14-dev:amd64=14.2.0-19 +libstdc++6:amd64=14.2.0-19 +libsvn1:amd64=1.14.5-3 +libsysprof-capture-4-dev:amd64=48.0-2 +libsystemd0:amd64=257.9-1~deb13u1 +libtasn1-6-dev:amd64=4.20.0-2 +libtasn1-6:amd64=4.20.0-2 +libtext-charwidth-perl:amd64=0.04-11+b4 +libtext-wrapi18n-perl=0.06-10 +libthai-data=0.1.29-2 +libthai-dev:amd64=0.1.29-2+b1 +libthai0:amd64=0.1.29-2+b1 +libtiff-dev:amd64=4.7.0-3+deb13u1 +libtiff6:amd64=4.7.0-3+deb13u1 
+libtiffxx6:amd64=4.7.0-3+deb13u1 +libtinfo6:amd64=6.5+20250216-2 +libtool=2.5.4-4 +libtsan2:amd64=14.2.0-19 +libubsan1:amd64=14.2.0-19 +libudev1:amd64=257.9-1~deb13u1 +libunbound8:amd64=1.22.0-2+deb13u1 +libunistring5:amd64=1.3-2 +libutf8proc3:amd64=2.9.0-1+b2 +libuuid1:amd64=2.41-5 +libwebp-dev:amd64=1.5.0-0.1 +libwebp7:amd64=1.5.0-0.1 +libwebpdecoder3:amd64=1.5.0-0.1 +libwebpdemux2:amd64=1.5.0-0.1 +libwebpmux3:amd64=1.5.0-0.1 +libwmf-0.2-7:amd64=0.2.13-1.1+b3 +libwmf-dev=0.2.13-1.1+b3 +libwmflite-0.2-7:amd64=0.2.13-1.1+b3 +libx11-6:amd64=2:1.8.12-1 +libx11-data=2:1.8.12-1 +libx11-dev:amd64=2:1.8.12-1 +libxau-dev:amd64=1:1.0.11-1 +libxau6:amd64=1:1.0.11-1 +libxcb-render0-dev:amd64=1.17.0-2+b1 +libxcb-render0:amd64=1.17.0-2+b1 +libxcb-shm0-dev:amd64=1.17.0-2+b1 +libxcb-shm0:amd64=1.17.0-2+b1 +libxcb1-dev:amd64=1.17.0-2+b1 +libxcb1:amd64=1.17.0-2+b1 +libxdmcp-dev:amd64=1:1.1.5-1 +libxdmcp6:amd64=1:1.1.5-1 +libxext-dev:amd64=2:1.3.4-1+b3 +libxext6:amd64=2:1.3.4-1+b3 +libxft-dev:amd64=2.3.6-1+b4 +libxft2:amd64=2.3.6-1+b4 +libxml2-dev:amd64=2.12.7+dfsg+really2.9.14-2.1+deb13u2 +libxml2:amd64=2.12.7+dfsg+really2.9.14-2.1+deb13u2 +libxrender-dev:amd64=1:0.9.12-1 +libxrender1:amd64=1:0.9.12-1 +libxslt1-dev:amd64=1.1.35-1.2+deb13u2 +libxslt1.1:amd64=1.1.35-1.2+deb13u2 +libxt-dev:amd64=1:1.2.1-1.2+b2 +libxt6t64:amd64=1:1.2.1-1.2+b2 +libxxhash0:amd64=0.8.3-2 +libyaml-0-2:amd64=0.2.5-2 +libyaml-dev:amd64=0.2.5-2 +libz3-4:amd64=4.13.3-1 +libzstd-dev:amd64=1.5.7+dfsg-1 +libzstd1:amd64=1.5.7+dfsg-1 +linux-libc-dev=6.12.57-1 +llvm-19-linker-tools=1:19.1.7-3+b1 +login.defs=1:4.17.4-2 +login=1:4.16.0-2+really2.41-5 +m4=1.4.19-8 +make=4.4.1-2 +mariadb-common=1:11.8.3-0+deb13u1 +mawk=1.3.4.20250131-1 +media-types=13.0.0 +mercurial-common=7.0.1-2 +mercurial=7.0.1-2 +mount=2.41-5 +musl-dev:amd64=1.2.5-3 +musl-tools=1.2.5-3 +musl:amd64=1.2.5-3 +mysql-common=5.8+1.1.1 +native-architecture=0.2.6 +ncurses-base=6.5+20250216-2 +ncurses-bin=6.5+20250216-2 +netbase=6.5 
+nettle-dev:amd64=3.10.1-1 +openssh-client=1:10.0p1-7 +openssl-provider-legacy=3.5.5-1~deb13u1 +openssl=3.5.5-1~deb13u1 +pango1.0-tools=1.56.3-1 +passwd=1:4.17.4-2 +patch=2.8-2 +perl-base=5.40.1-6 +perl-modules-5.40=5.40.1-6 +perl=5.40.1-6 +pinentry-curses=1.3.1-2 +pkgconf-bin=1.8.1-4 +pkgconf:amd64=1.8.1-4 +procps=2:4.0.4-9 +protobuf-compiler=3.21.12-11 +python3-minimal=3.13.5-1 +python3-packaging=25.0-1 +python3.13-minimal=3.13.5-2 +python3.13=3.13.5-2 +python3=3.13.5-1 +readline-common=8.2-6 rpcsvc-proto=1.4.3-1 -sed=4.9-1 -sensible-utils=0.0.17+nmu1 -shared-mime-info=2.2-1 -sq=0.27.0-2+b1 -subversion=1.14.2-4+deb12u1 -sysvinit-utils=3.06-4 -tar=1.34+dfsg-1.2+deb12u1 -tzdata=2025b-0+deb12u1 -ucf=3.0043+nmu1+deb12u1 -unzip=6.0-28 -usr-is-merged=37~deb12u1 -util-linux-extra=2.38.1-5+deb12u3 -util-linux=2.38.1-5+deb12u3 -uuid-dev:amd64=2.38.1-5+deb12u3 -wget=1.21.3-1+deb12u1 -x11-common=1:7.7+23 -x11proto-core-dev=2022.1-1 -x11proto-dev=2022.1-1 +sed=4.9-2 +sensible-utils=0.0.25 +shared-mime-info=2.4-5+b2 +sq=1.3.1-2+b1 +sqv=1.3.0-3 +subversion=1.14.5-3 +sysvinit-utils=3.14-4 +tar=1.35+dfsg-3.1 +tzdata=2025b-4+deb13u1 +ucf=3.0052 +unzip=6.0-29 +util-linux=2.41-5 +uuid-dev:amd64=2.41-5 +wget=1.25.0-2 +x11-common=1:7.7+24+deb13u1 +x11proto-dev=2024.1-1 xorg-sgml-doctools=1:1.11-1.1 xtrans-dev=1.4.0-1 -xz-utils=5.4.1-1 -zlib1g-dev:amd64=1:1.2.13.dfsg-1 -zlib1g:amd64=1:1.2.13.dfsg-1 +xz-utils=5.8.1-1 +zlib1g-dev:amd64=1:1.3.dfsg+really1.3.1-1+b1 +zlib1g:amd64=1:1.3.dfsg+really1.3.1-1+b1 diff --git a/gateway/dstack-app/builder/shared/pin-packages.sh b/gateway/dstack-app/builder/shared/pin-packages.sh deleted file mode 100755 index 3c750b1bb..000000000 --- a/gateway/dstack-app/builder/shared/pin-packages.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -set -e -PKG_LIST=$1 - -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250626T204007Z bookworm main' > /etc/apt/sources.list -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250626T204007Z bookworm-security main' >> /etc/apt/sources.list -echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until - -mkdir -p /etc/apt/preferences.d -cat $PKG_LIST | while read line; do - pkg=$(echo $line | cut -d= -f1); - ver=$(echo $line | cut -d= -f2); - if [ ! -z "$pkg" ] && [ ! -z "$ver" ]; then - echo "Package: $pkg\nPin: version $ver\nPin-Priority: 1001\n" >> /etc/apt/preferences.d/pinned-packages; - fi; -done \ No newline at end of file diff --git a/gateway/dstack-app/builder/shared/pinned-packages.txt b/gateway/dstack-app/builder/shared/pinned-packages.txt index 316147ce7..f45296ccd 100644 --- a/gateway/dstack-app/builder/shared/pinned-packages.txt +++ b/gateway/dstack-app/builder/shared/pinned-packages.txt @@ -4,6 +4,7 @@ base-files=12.4+deb12u11 base-passwd=3.6.1 bash=5.2.15-2+b8 bsdutils=1:2.38.1-5+deb12u3 +ca-certificates=20230311+deb12u1 coreutils=9.1-1 dash=0.5.12-2 debconf=1.5.82 
@@ -14,38 +15,38 @@ dpkg=1.21.22 e2fsprogs=1.47.0-2 findutils=4.9.0-4 gcc-12-base:amd64=12.2.0-14+deb12u1 -git-man=1:2.39.5-0+deb12u2 -git=1:2.39.5-0+deb12u2 +git-man=1:2.39.5-0+deb12u3 +git=1:2.39.5-0+deb12u3 gpgv=2.2.40-1.1 grep=3.8-5 gzip=1.12-1 hostname=3.23+nmu1 init-system-helpers=1.65.2 iproute2=6.1.0-3 -jq=1.6-2.1 +jq=1.6-2.1+deb12u1 libacl1:amd64=2.3.1-3 libapt-pkg6.0:amd64=2.6.1 libattr1:amd64=1:2.5.1-4 libaudit-common=1:3.0.9-1 libaudit1:amd64=1:3.0.9-1 libblkid1:amd64=2.38.1-5+deb12u3 -libbpf1:amd64=1:1.1.0-1 +libbpf1:amd64=1:1.1.2-0+deb12u1 libbrotli1:amd64=1.0.9-2+b6 libbsd0:amd64=0.11.7-2 libbz2-1.0:amd64=1.0.8-5+b1 libc-bin=2.36-9+deb12u10 libc6:amd64=2.36-9+deb12u10 libcap-ng0:amd64=0.8.3-1+b3 -libcap2-bin=1:2.66-4+deb12u1 -libcap2:amd64=1:2.66-4+deb12u1 +libcap2-bin=1:2.66-4+deb12u2+b2 +libcap2:amd64=1:2.66-4+deb12u2+b2 libcom-err2:amd64=1.47.0-2 libcrypt1:amd64=1:4.4.33-2 -libcurl3-gnutls:amd64=7.88.1-10+deb12u12 +libcurl3-gnutls:amd64=7.88.1-10+deb12u14 libdb5.3:amd64=5.3.28+dfsg2-1 libdebconfclient0:amd64=0.270 libelf1:amd64=0.188-2.1 liberror-perl=0.17029-2 -libexpat1:amd64=2.5.0-1+deb12u1 +libexpat1:amd64=2.5.0-1+deb12u2 libext2fs2:amd64=1.47.0-2 libffi8:amd64=3.4.4-1 libgcc-s1:amd64=12.2.0-14+deb12u1 @@ -55,14 +56,14 @@ libgdbm6:amd64=1.23-3 libgmp10:amd64=2:6.2.1+dfsg1-1.1 libgnutls30:amd64=3.7.9-2+deb12u4 libgpg-error0:amd64=1.46-1 -libgssapi-krb5-2:amd64=1.20.1-2+deb12u3 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u4 libhogweed6:amd64=3.8.1-2 libidn2-0:amd64=2.3.3-1+b1 -libjq1:amd64=1.6-2.1 -libk5crypto3:amd64=1.20.1-2+deb12u3 +libjq1:amd64=1.6-2.1+deb12u1 +libk5crypto3:amd64=1.20.1-2+deb12u4 libkeyutils1:amd64=1.6.3-2 -libkrb5-3:amd64=1.20.1-2+deb12u3 -libkrb5support0:amd64=1.20.1-2+deb12u3 +libkrb5-3:amd64=1.20.1-2+deb12u4 +libkrb5support0:amd64=1.20.1-2+deb12u4 libldap-2.5-0:amd64=2.5.13+dfsg-5 liblz4-1:amd64=1.9.4-1 liblzma5:amd64=5.4.1-1 
@@ -78,7 +79,7 @@ libpam-modules:amd64=1.5.2-6+deb12u1 libpam-runtime=1.5.2-6+deb12u1 libpam0g:amd64=1.5.2-6+deb12u1 libpcre2-8-0:amd64=10.42-1 -libperl5.36:amd64=5.36.0-7+deb12u2 +libperl5.36:amd64=5.36.0-7+deb12u3 libpsl5:amd64=0.21.2-1 librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 libsasl2-2:amd64=2.1.28+dfsg-10 @@ -91,7 +92,7 @@ libsepol2:amd64=3.4-2.1 libsmartcols1:amd64=2.38.1-5+deb12u3 libss2:amd64=1.47.0-2 libssh2-1:amd64=1.10.0-3+b1 -libssl3:amd64=3.0.16-1~deb12u1 +libssl3:amd64=3.0.18-1~deb12u2 libstdc++6:amd64=12.2.0-14+deb12u1 libsystemd0:amd64=252.38-1~deb12u1 libtasn1-6:amd64=4.19.0-2+deb12u1 @@ -110,10 +111,11 @@ mawk=1.3.4.20200120-3.1 mount=2.38.1-5+deb12u3 ncurses-base=6.4-4 ncurses-bin=6.4-4 +openssl=3.0.18-1~deb12u2 passwd=1:4.13+dfsg1-1+deb12u1 -perl-base=5.36.0-7+deb12u2 -perl-modules-5.36=5.36.0-7+deb12u2 -perl=5.36.0-7+deb12u2 +perl-base=5.36.0-7+deb12u3 +perl-modules-5.36=5.36.0-7+deb12u3 +perl=5.36.0-7+deb12u3 sed=4.9-1 sysvinit-utils=3.06-4 tar=1.34+dfsg-1.2+deb12u1 diff --git a/kms/dstack-app/builder/Dockerfile b/kms/dstack-app/builder/Dockerfile index d62015359..8a1243bbd 100644 --- a/kms/dstack-app/builder/Dockerfile +++ b/kms/dstack-app/builder/Dockerfile @@ -7,7 +7,7 @@ COPY ./shared /build ARG DSTACK_REV ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git WORKDIR /build -RUN ./pin-packages.sh ./kms-pinned-packages.txt +RUN ./pin-packages.sh ./builder-pinned-packages.txt RUN apt-get update && \ apt-get install -y --no-install-recommends \ git \ @@ -23,6 +23,7 @@ RUN git clone ${DSTACK_SRC_URL} && \ git checkout ${DSTACK_REV} RUN rustup target add x86_64-unknown-linux-musl RUN cd dstack && cargo build --release -p dstack-kms --target x86_64-unknown-linux-musl +RUN echo "${DSTACK_REV}" > /build/.GIT_REV FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe COPY ./shared /build 
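Review bot: The added `RUN echo "${DSTACK_REV}" > /build/.GIT_REV` in the `@@ -23,6 +23,7 @@` hunk records the build argument as it was passed, not the commit that `git checkout ${DSTACK_REV}` actually left in the tree. `ARG DSTACK_REV` has no default, so a build started without it would most likely stay on the cloned default branch (git accepts a checkout with no argument) and ship an empty `/etc/.GIT_REV`. A branch or tag name would likewise be recorded verbatim instead of a commit id. The last hunk (`@@ -58,5 +59,5 @@`) copies this file into the final image as its revision marker, so derive it from the checkout instead: `RUN git -C dstack rev-parse HEAD > /build/.GIT_REV`, and consider a `RUN test -n "${DSTACK_REV}"` guard before the clone. The kms-builder stage begins above this hunk, so the clone step is only partly visible here.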
@@ -58,5 +59,5 @@ RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch dstack install -m 644 pc-bios/linuxboot_dma.bin /usr/local/share/qemu/ && \ cd .. && rm -rf qemu-tdx COPY --from=kms-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-kms /usr/local/bin/dstack-kms -COPY .GIT_REV /etc/.GIT_REV +COPY --from=kms-builder /build/.GIT_REV /etc/ CMD ["dstack-kms"] diff --git a/kms/dstack-app/builder/build-image.sh b/kms/dstack-app/builder/build-image.sh index 7290cd204..7dbedf647 100755 --- a/kms/dstack-app/builder/build-image.sh +++ b/kms/dstack-app/builder/build-image.sh 
@@ -4,66 +4,34 @@ # # SPDX-License-Identifier: Apache-2.0 -set -e +set -euo pipefail -NO_CACHE=--no-cache +SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel) +CONTEXT_DIR="$SCRIPT_DIR" +SHARED_DIR="$SCRIPT_DIR/shared" +DOCKERFILE="$SCRIPT_DIR/Dockerfile" -extract-packages() { - local name=$1 - local pkg_list_file=$2 - if [ -z "$pkg_list_file" ]; then - return - fi - docker run --rm --entrypoint bash $name -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > "$pkg_list_file" -} +source "$REPO_ROOT/build/shared/build-lib.sh" -# Function to build Docker image and optionally extract package list -docker-build() { - local name=$1 - local target=$2 - local pkg_list_file=$3 - # Get the commit timestamp for SOURCE_DATE_EPOCH - local commit_timestamp=$(git show -s --format=%ct $GIT_REV) - local build_args="--build-arg SOURCE_DATE_EPOCH=$commit_timestamp --build-arg DSTACK_REV=$GIT_REV" - - local args="--builder buildkit_20 $NO_CACHE $build_args" - - # Add target if specified - if [ -n "$target" ]; then - args="$args --target $target" - fi - - # Build the image - docker buildx build $args --output type=docker,name=$name,rewrite-timestamp=true --progress=plain . - extract-packages $name $pkg_list_file -} - -NAME=$1 +NAME=${1:-} if [ -z "$NAME" ]; then - echo "Usage: $0 [:]" + echo "Usage: $0 [:]" >&2 exit 1 fi -# Check if buildkit_20 already exists before creating it -if ! 
docker buildx inspect buildkit_20 &>/dev/null; then - docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20 -fi - -touch shared/kms-pinned-packages.txt -touch shared/qemu-pinned-packages.txt +NO_CACHE=${NO_CACHE:-} GIT_REV=${GIT_REV:-HEAD} -GIT_REV=$(git rev-parse $GIT_REV) -echo $GIT_REV > .GIT_REV +GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") +DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} -# First build the qemu-builder stage and extract package list -docker-build "$NAME" "" "shared/qemu-pinned-packages.txt" -# Then build the kms-builder stage and extract package list -docker-build "kms-builder-temp" "kms-builder" "shared/kms-pinned-packages.txt" +ensure_buildkit +sync_shared_scripts "$SHARED_DIR" true -git_status=$(git status --porcelain -- shared/) -if [ -n "$git_status" ]; then - echo "The working tree is not clean, please commit or stash your changes before re-running the build" - exit 1 -fi +touch "$SHARED_DIR/builder-pinned-packages.txt" +touch "$SHARED_DIR/qemu-pinned-packages.txt" + +docker_build "$NAME" "" "$SHARED_DIR/qemu-pinned-packages.txt" +docker_build "kms-builder-temp" "kms-builder" "$SHARED_DIR/builder-pinned-packages.txt" -rm .GIT_REV +check_clean_tree "$SHARED_DIR" diff --git a/kms/dstack-app/builder/shared/.gitignore b/kms/dstack-app/builder/shared/.gitignore new file mode 100644 index 000000000..eaf106ff1 --- /dev/null +++ b/kms/dstack-app/builder/shared/.gitignore @@ -0,0 +1,3 @@ +# Copied from build/shared/ at build time by build-image.sh +pin-packages.sh +config-qemu.sh diff --git a/kms/dstack-app/builder/shared/builder-pinned-packages.txt b/kms/dstack-app/builder/shared/builder-pinned-packages.txt new file mode 100644 index 000000000..e390e80bc --- /dev/null +++ b/kms/dstack-app/builder/shared/builder-pinned-packages.txt 
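Review bot: `NO_CACHE=${NO_CACHE:-}` flips the default from the removed hard-coded `NO_CACHE=--no-cache` to a cached build. A plain run may then reuse layers from an earlier build, and the package lists that `check_clean_tree "$SHARED_DIR"` compares afterwards would come from those layers rather than from a fresh install. This assumes `docker_build` in build/shared/build-lib.sh still passes `$NO_CACHE` to `docker buildx build` as the removed `docker-build` function did; that file is not part of this hunk. For a script whose purpose is to reproduce the image, keep the uncached build as the default and make caching the opt-in: `NO_CACHE=${NO_CACHE---no-cache}`, so that only an explicitly empty `NO_CACHE=` enables the cache. A comment above it such as `# Set NO_CACHE= to reuse BuildKit layers; the default rebuilds from scratch` would document the knob.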
@@ -0,0 +1,477 @@ +adduser=3.152 +apt=3.0.3 +autoconf=2.72-3.1 +automake=1:1.17-4 +autotools-dev=20240727.1 +base-files=13.8+deb13u2 +base-passwd=3.6.7 +bash=5.2.37-2+b5 +binutils-common:amd64=2.44-3 +binutils-x86-64-linux-gnu=2.44-3 +binutils=2.44-3 +bsdutils=1:2.41-5 +build-essential=12.12 +bzip2=1.0.8-6 +ca-certificates=20250419 +clang-19=1:19.1.7-3+b1 +clang=1:19.0-63 +comerr-dev:amd64=2.1-1.47.2-3+b3 +coreutils=9.7-3 +cpp-14-x86-64-linux-gnu=14.2.0-19 +cpp-14=14.2.0-19 +cpp-x86-64-linux-gnu=4:14.2.0-1 +cpp=4:14.2.0-1 +curl=8.14.1-2+deb13u2 +dash=0.5.12-12 +debconf=1.5.91 +debian-archive-keyring=2025.1 +debianutils=5.23.2 +default-libmysqlclient-dev:amd64=1.1.1 +diffutils=1:3.10-4 +dirmngr=2.4.7-21+b3 +dpkg-dev=1.22.21 +dpkg=1.22.21 +file=1:5.46-5 +findutils=4.10.0-3 +fontconfig-config=2.15.0-2.3 +fontconfig=2.15.0-2.3 +fonts-dejavu-core=2.37-8 +fonts-dejavu-mono=2.37-8 +g++-14-x86-64-linux-gnu=14.2.0-19 +g++-14=14.2.0-19 +g++-x86-64-linux-gnu=4:14.2.0-1 +g++=4:14.2.0-1 +gcc-14-base:amd64=14.2.0-19 +gcc-14-x86-64-linux-gnu=14.2.0-19 +gcc-14=14.2.0-19 +gcc-x86-64-linux-gnu=4:14.2.0-1 +gcc=4:14.2.0-1 +gir1.2-freedesktop-dev:amd64=1.84.0-1 +gir1.2-freedesktop:amd64=1.84.0-1 +gir1.2-gdkpixbuf-2.0:amd64=2.42.12+dfsg-4 +gir1.2-glib-2.0-dev:amd64=2.84.4-3~deb13u1 +gir1.2-glib-2.0:amd64=2.84.4-3~deb13u1 +gir1.2-harfbuzz-0.0:amd64=10.2.0-1+b1 +gir1.2-pango-1.0:amd64=1.56.3-1 +gir1.2-rsvg-2.0:amd64=2.60.0+dfsg-1 +girepository-tools:amd64=2.84.4-3~deb13u1 +git-man=1:2.47.3-0+deb13u1 +git=1:2.47.3-0+deb13u1 +gnupg-l10n=2.4.7-21 +gnupg=2.4.7-21 +gpg-agent=2.4.7-21+b3 +gpg=2.4.7-21+b3 +gpgconf=2.4.7-21+b3 +gpgsm=2.4.7-21+b3 +grep=3.11-4 +gzip=1.13-1 +hicolor-icon-theme=0.18-2 +hostname=3.25 +icu-devtools=76.1-4 +imagemagick-7-common=8:7.1.1.43+dfsg1-1+deb13u3 +imagemagick-7.q16=8:7.1.1.43+dfsg1-1+deb13u3 +imagemagick=8:7.1.1.43+dfsg1-1+deb13u3 +init-system-helpers=1.69~deb13u1 +krb5-multidev:amd64=1.21.3-5 +libacl1:amd64=2.3.2-2+b1 +libapr1t64:amd64=1.7.5-1 
+libaprutil1t64:amd64=1.6.3-3+b1 +libapt-pkg7.0:amd64=3.0.3 +libasan8:amd64=14.2.0-19 +libassuan9:amd64=3.0.2-2 +libatomic1:amd64=14.2.0-19 +libattr1:amd64=1:2.5.2-3 +libaudit-common=1:4.0.2-2 +libaudit1:amd64=1:4.0.2-2+b2 +libbinutils:amd64=2.44-3 +libblkid-dev:amd64=2.41-5 +libblkid1:amd64=2.41-5 +libbrotli-dev:amd64=1.1.0-2+b7 +libbrotli1:amd64=1.1.0-2+b7 +libbsd0:amd64=0.12.2-2 +libbz2-1.0:amd64=1.0.8-6 +libbz2-dev:amd64=1.0.8-6 +libc-bin=2.41-12 +libc-dev-bin=2.41-12 +libc6-dev:amd64=2.41-12 +libc6:amd64=2.41-12 +libcairo-gobject2:amd64=1.18.4-1+b1 +libcairo-script-interpreter2:amd64=1.18.4-1+b1 +libcairo2-dev:amd64=1.18.4-1+b1 +libcairo2:amd64=1.18.4-1+b1 +libcap-ng0:amd64=0.8.5-4+b1 +libcap2:amd64=1:2.75-10+b1 +libcbor0.10:amd64=0.10.2-2 +libcc1-0:amd64=14.2.0-19 +libclang-19-dev=1:19.1.7-3+b1 +libclang-common-19-dev:amd64=1:19.1.7-3+b1 +libclang-cpp19=1:19.1.7-3+b1 +libclang-dev=1:19.0-63 +libclang1-19=1:19.1.7-3+b1 +libcom-err2:amd64=1.47.2-3+b3 +libcrypt-dev:amd64=1:4.4.38-1 +libcrypt1:amd64=1:4.4.38-1 +libctf-nobfd0:amd64=2.44-3 +libctf0:amd64=2.44-3 +libcurl3t64-gnutls:amd64=8.14.1-2+deb13u2 +libcurl4-openssl-dev:amd64=8.14.1-2+deb13u2 +libcurl4t64:amd64=8.14.1-2+deb13u2 +libdatrie-dev:amd64=0.2.13-3+b1 +libdatrie1:amd64=0.2.13-3+b1 +libdav1d-dev:amd64=1.5.1-1 +libdav1d7:amd64=1.5.1-1 +libdb-dev:amd64=5.3.4 +libdb5.3-dev=5.3.28+dfsg2-9 +libdb5.3t64:amd64=5.3.28+dfsg2-9 +libde265-0:amd64=1.0.15-1+b3 +libdebconfclient0:amd64=0.280 +libdeflate-dev:amd64=1.23-2 +libdeflate0:amd64=1.23-2 +libdjvulibre-dev:amd64=3.5.28-2.2 +libdjvulibre-text=3.5.28-2.2 +libdjvulibre21:amd64=3.5.28-2.2 +libdpkg-perl=1.22.21 +libedit2:amd64=3.1-20250104-1 +libelf1t64:amd64=0.192-4 +liberror-perl=0.17030-1 +libevent-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-core-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-dev=2.1.12-stable-10+b1 +libevent-extra-2.1-7t64:amd64=2.1.12-stable-10+b1 +libevent-openssl-2.1-7t64:amd64=2.1.12-stable-10+b1 
+libevent-pthreads-2.1-7t64:amd64=2.1.12-stable-10+b1 +libexif-dev:amd64=0.6.25-1 +libexif12:amd64=0.6.25-1 +libexpat1-dev:amd64=2.7.1-2 +libexpat1:amd64=2.7.1-2 +libffi-dev:amd64=3.4.8-2 +libffi8:amd64=3.4.8-2 +libfftw3-bin=3.3.10-2+b1 +libfftw3-dev:amd64=3.3.10-2+b1 +libfftw3-double3:amd64=3.3.10-2+b1 +libfftw3-long3:amd64=3.3.10-2+b1 +libfftw3-quad3:amd64=3.3.10-2+b1 +libfftw3-single3:amd64=3.3.10-2+b1 +libfido2-1:amd64=1.15.0-1+b1 +libfontconfig-dev:amd64=2.15.0-2.3 +libfontconfig1:amd64=2.15.0-2.3 +libfreetype-dev:amd64=2.13.3+dfsg-1 +libfreetype6:amd64=2.13.3+dfsg-1 +libfribidi-dev:amd64=1.0.16-1 +libfribidi0:amd64=1.0.16-1 +libgc1:amd64=1:8.2.8-1 +libgcc-14-dev:amd64=14.2.0-19 +libgcc-s1:amd64=14.2.0-19 +libgcrypt20:amd64=1.11.0-7 +libgdbm-compat4t64:amd64=1.24-2 +libgdbm-dev:amd64=1.24-2 +libgdbm6t64:amd64=1.24-2 +libgdk-pixbuf-2.0-0:amd64=2.42.12+dfsg-4 +libgdk-pixbuf-2.0-dev:amd64=2.42.12+dfsg-4 +libgdk-pixbuf2.0-bin=2.42.12+dfsg-4 +libgdk-pixbuf2.0-common=2.42.12+dfsg-4 +libgio-2.0-dev-bin=2.84.4-3~deb13u1 +libgio-2.0-dev:amd64=2.84.4-3~deb13u1 +libgirepository-2.0-0:amd64=2.84.4-3~deb13u1 +libglib2.0-0t64:amd64=2.84.4-3~deb13u1 +libglib2.0-bin=2.84.4-3~deb13u1 +libglib2.0-data=2.84.4-3~deb13u1 +libglib2.0-dev-bin=2.84.4-3~deb13u1 +libglib2.0-dev:amd64=2.84.4-3~deb13u1 +libgmp-dev:amd64=2:6.3.0+dfsg-3 +libgmp10:amd64=2:6.3.0+dfsg-3 +libgmpxx4ldbl:amd64=2:6.3.0+dfsg-3 +libgnutls-dane0t64:amd64=3.8.9-3 +libgnutls-openssl27t64:amd64=3.8.9-3 +libgnutls28-dev:amd64=3.8.9-3 +libgnutls30t64:amd64=3.8.9-3 +libgomp1:amd64=14.2.0-19 +libgpg-error0:amd64=1.51-4 +libgprofng0:amd64=2.44-3 +libgraphite2-3:amd64=1.3.14-2+b1 +libgraphite2-dev:amd64=1.3.14-2+b1 +libgssapi-krb5-2:amd64=1.21.3-5 +libgssrpc4t64:amd64=1.21.3-5 +libharfbuzz-cairo0:amd64=10.2.0-1+b1 +libharfbuzz-dev:amd64=10.2.0-1+b1 +libharfbuzz-gobject0:amd64=10.2.0-1+b1 +libharfbuzz-icu0:amd64=10.2.0-1+b1 +libharfbuzz-subset0:amd64=10.2.0-1+b1 +libharfbuzz0b:amd64=10.2.0-1+b1 
+libheif-plugin-dav1d:amd64=1.19.8-1 +libheif-plugin-libde265:amd64=1.19.8-1 +libheif1:amd64=1.19.8-1 +libhogweed6t64:amd64=3.10.1-1 +libhwasan0:amd64=14.2.0-19 +libice-dev:amd64=2:1.1.1-1 +libice6:amd64=2:1.1.1-1 +libicu-dev:amd64=76.1-4 +libicu76:amd64=76.1-4 +libidn2-0:amd64=2.3.8-2 +libidn2-dev:amd64=2.3.8-2 +libimath-3-1-29t64:amd64=3.1.12-1+b3 +libimath-dev:amd64=3.1.12-1+b3 +libisl23:amd64=0.27-1 +libitm1:amd64=14.2.0-19 +libjansson4:amd64=2.14-2+b3 +libjbig-dev:amd64=2.1-6.1+b2 +libjbig0:amd64=2.1-6.1+b2 +libjpeg-dev:amd64=1:2.1.5-4 +libjpeg62-turbo-dev:amd64=1:2.1.5-4 +libjpeg62-turbo:amd64=1:2.1.5-4 +libk5crypto3:amd64=1.21.3-5 +libkadm5clnt-mit12:amd64=1.21.3-5 +libkadm5srv-mit12:amd64=1.21.3-5 +libkdb5-10t64:amd64=1.21.3-5 +libkeyutils1:amd64=1.6.3-6 +libkrb5-3:amd64=1.21.3-5 +libkrb5-dev:amd64=1.21.3-5 +libkrb5support0:amd64=1.21.3-5 +libksba8:amd64=1.6.7-2+b1 +liblastlog2-2:amd64=2.41-5 +liblcms2-2:amd64=2.16-2 +liblcms2-dev:amd64=2.16-2 +libldap-dev:amd64=2.6.10+dfsg-1 +libldap2:amd64=2.6.10+dfsg-1 +liblerc-dev:amd64=4.0.0+ds-5 +liblerc4:amd64=4.0.0+ds-5 +libllvm19:amd64=1:19.1.7-3+b1 +liblqr-1-0-dev:amd64=0.4.2-2.1+b2 +liblqr-1-0:amd64=0.4.2-2.1+b2 +liblsan0:amd64=14.2.0-19 +libltdl-dev:amd64=2.5.4-4 +libltdl7:amd64=2.5.4-4 +liblz4-1:amd64=1.10.0-4 +liblzma-dev:amd64=5.8.1-1 +liblzma5:amd64=5.8.1-1 +liblzo2-2:amd64=2.10-3+b1 +libmagic-mgc=1:5.46-5 +libmagic1t64:amd64=1:5.46-5 +libmagickcore-7-arch-config:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7-headers=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-10-extra:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-10:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-7.q16-dev:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickcore-dev=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7-headers=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7.q16-10:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-7.q16-dev:amd64=8:7.1.1.43+dfsg1-1+deb13u3 +libmagickwand-dev=8:7.1.1.43+dfsg1-1+deb13u3 
+libmariadb-dev-compat=1:11.8.3-0+deb13u1 +libmariadb-dev=1:11.8.3-0+deb13u1 +libmariadb3:amd64=1:11.8.3-0+deb13u1 +libmaxminddb-dev:amd64=1.12.2-1 +libmaxminddb0:amd64=1.12.2-1 +libmd0:amd64=1.1.0-2+b1 +libmount-dev:amd64=2.41-5 +libmount1:amd64=2.41-5 +libmpc3:amd64=1.3.1-1+b3 +libmpfr6:amd64=4.2.2-1 +libncurses-dev:amd64=6.5+20250216-2 +libncurses6:amd64=6.5+20250216-2 +libncursesw6:amd64=6.5+20250216-2 +libnettle8t64:amd64=3.10.1-1 +libnghttp2-14:amd64=1.64.0-1.1 +libnghttp2-dev:amd64=1.64.0-1.1 +libnghttp3-9:amd64=1.8.0-1 +libnghttp3-dev:amd64=1.8.0-1 +libngtcp2-16:amd64=1.11.0-1 +libngtcp2-crypto-gnutls8:amd64=1.11.0-1 +libnpth0t64:amd64=1.8-3 +libobjc-14-dev:amd64=14.2.0-19 +libobjc4:amd64=14.2.0-19 +libopenexr-3-1-30:amd64=3.1.13-2 +libopenexr-dev=3.1.13-2 +libopenjp2-7-dev:amd64=2.5.3-2.1~deb13u1 +libopenjp2-7:amd64=2.5.3-2.1~deb13u1 +libp11-kit-dev:amd64=0.25.5-3 +libp11-kit0:amd64=0.25.5-3 +libpam-modules-bin=1.7.0-5 +libpam-modules:amd64=1.7.0-5 +libpam-runtime=1.7.0-5 +libpam0g:amd64=1.7.0-5 +libpango-1.0-0:amd64=1.56.3-1 +libpango1.0-dev:amd64=1.56.3-1 +libpangocairo-1.0-0:amd64=1.56.3-1 +libpangoft2-1.0-0:amd64=1.56.3-1 +libpangoxft-1.0-0:amd64=1.56.3-1 +libpcre2-16-0:amd64=10.46-1~deb13u1 +libpcre2-32-0:amd64=10.46-1~deb13u1 +libpcre2-8-0:amd64=10.46-1~deb13u1 +libpcre2-dev:amd64=10.46-1~deb13u1 +libpcre2-posix3:amd64=10.46-1~deb13u1 +libperl5.40:amd64=5.40.1-6 +libpixman-1-0:amd64=0.44.0-3 +libpixman-1-dev:amd64=0.44.0-3 +libpkgconf3:amd64=1.8.1-4 +libpng-dev:amd64=1.6.48-1 +libpng16-16t64:amd64=1.6.48-1 +libpq-dev=17.6-0+deb13u1 +libpq5:amd64=17.6-0+deb13u1 +libproc2-0:amd64=2:4.0.4-9 +libprotobuf-dev:amd64=3.21.12-11 +libprotobuf-lite32t64:amd64=3.21.12-11 +libprotobuf32t64:amd64=3.21.12-11 +libprotoc32t64:amd64=3.21.12-11 +libpsl-dev:amd64=0.21.2-1.1+b1 +libpsl5t64:amd64=0.21.2-1.1+b1 +libpython3-stdlib:amd64=3.13.5-1 +libpython3.13-minimal:amd64=3.13.5-2 +libpython3.13-stdlib:amd64=3.13.5-2 +libquadmath0:amd64=14.2.0-19 
+libraw23t64:amd64=0.21.4-2 +libreadline-dev:amd64=8.2-6 +libreadline8t64:amd64=8.2-6 +librsvg2-2:amd64=2.60.0+dfsg-1 +librsvg2-common:amd64=2.60.0+dfsg-1 +librsvg2-dev:amd64=2.60.0+dfsg-1 +librtmp-dev:amd64=2.4+20151223.gitfa8646d.1-2+b5 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b5 +libsasl2-2:amd64=2.1.28+dfsg1-9 +libsasl2-modules-db:amd64=2.1.28+dfsg1-9 +libseccomp2:amd64=2.6.0-2 +libselinux1-dev:amd64=3.8.1-1 +libselinux1:amd64=3.8.1-1 +libsemanage-common=3.8.1-1 +libsemanage2:amd64=3.8.1-1 +libsepol-dev:amd64=3.8.1-1 +libsepol2:amd64=3.8.1-1 +libserf-1-1:amd64=1.3.10-3+b1 +libsframe1:amd64=2.44-3 +libsharpyuv-dev:amd64=1.5.0-0.1 +libsharpyuv0:amd64=1.5.0-0.1 +libsm-dev:amd64=2:1.2.6-1 +libsm6:amd64=2:1.2.6-1 +libsmartcols1:amd64=2.41-5 +libsqlite3-0:amd64=3.46.1-7 +libsqlite3-dev:amd64=3.46.1-7 +libssh2-1-dev:amd64=1.11.1-1 +libssh2-1t64:amd64=1.11.1-1 +libssl-dev:amd64=3.5.5-1~deb13u1 +libssl3t64:amd64=3.5.5-1~deb13u1 +libstdc++-14-dev:amd64=14.2.0-19 +libstdc++6:amd64=14.2.0-19 +libsvn1:amd64=1.14.5-3 +libsysprof-capture-4-dev:amd64=48.0-2 +libsystemd0:amd64=257.9-1~deb13u1 +libtasn1-6-dev:amd64=4.20.0-2 +libtasn1-6:amd64=4.20.0-2 +libtext-charwidth-perl:amd64=0.04-11+b4 +libtext-wrapi18n-perl=0.06-10 +libthai-data=0.1.29-2 +libthai-dev:amd64=0.1.29-2+b1 +libthai0:amd64=0.1.29-2+b1 +libtiff-dev:amd64=4.7.0-3+deb13u1 +libtiff6:amd64=4.7.0-3+deb13u1 +libtiffxx6:amd64=4.7.0-3+deb13u1 +libtinfo6:amd64=6.5+20250216-2 +libtool=2.5.4-4 +libtsan2:amd64=14.2.0-19 +libubsan1:amd64=14.2.0-19 +libudev1:amd64=257.9-1~deb13u1 +libunbound8:amd64=1.22.0-2+deb13u1 +libunistring5:amd64=1.3-2 +libutf8proc3:amd64=2.9.0-1+b2 +libuuid1:amd64=2.41-5 +libwebp-dev:amd64=1.5.0-0.1 +libwebp7:amd64=1.5.0-0.1 +libwebpdecoder3:amd64=1.5.0-0.1 +libwebpdemux2:amd64=1.5.0-0.1 +libwebpmux3:amd64=1.5.0-0.1 +libwmf-0.2-7:amd64=0.2.13-1.1+b3 +libwmf-dev=0.2.13-1.1+b3 +libwmflite-0.2-7:amd64=0.2.13-1.1+b3 +libx11-6:amd64=2:1.8.12-1 +libx11-data=2:1.8.12-1 +libx11-dev:amd64=2:1.8.12-1 
+libxau-dev:amd64=1:1.0.11-1 +libxau6:amd64=1:1.0.11-1 +libxcb-render0-dev:amd64=1.17.0-2+b1 +libxcb-render0:amd64=1.17.0-2+b1 +libxcb-shm0-dev:amd64=1.17.0-2+b1 +libxcb-shm0:amd64=1.17.0-2+b1 +libxcb1-dev:amd64=1.17.0-2+b1 +libxcb1:amd64=1.17.0-2+b1 +libxdmcp-dev:amd64=1:1.1.5-1 +libxdmcp6:amd64=1:1.1.5-1 +libxext-dev:amd64=2:1.3.4-1+b3 +libxext6:amd64=2:1.3.4-1+b3 +libxft-dev:amd64=2.3.6-1+b4 +libxft2:amd64=2.3.6-1+b4 +libxml2-dev:amd64=2.12.7+dfsg+really2.9.14-2.1+deb13u2 +libxml2:amd64=2.12.7+dfsg+really2.9.14-2.1+deb13u2 +libxrender-dev:amd64=1:0.9.12-1 +libxrender1:amd64=1:0.9.12-1 +libxslt1-dev:amd64=1.1.35-1.2+deb13u2 +libxslt1.1:amd64=1.1.35-1.2+deb13u2 +libxt-dev:amd64=1:1.2.1-1.2+b2 +libxt6t64:amd64=1:1.2.1-1.2+b2 +libxxhash0:amd64=0.8.3-2 +libyaml-0-2:amd64=0.2.5-2 +libyaml-dev:amd64=0.2.5-2 +libz3-4:amd64=4.13.3-1 +libzstd-dev:amd64=1.5.7+dfsg-1 +libzstd1:amd64=1.5.7+dfsg-1 +linux-libc-dev=6.12.57-1 +llvm-19-linker-tools=1:19.1.7-3+b1 +login.defs=1:4.17.4-2 +login=1:4.16.0-2+really2.41-5 +m4=1.4.19-8 +make=4.4.1-2 +mariadb-common=1:11.8.3-0+deb13u1 +mawk=1.3.4.20250131-1 +media-types=13.0.0 +mercurial-common=7.0.1-2 +mercurial=7.0.1-2 +mount=2.41-5 +musl-dev:amd64=1.2.5-3 +musl-tools=1.2.5-3 +musl:amd64=1.2.5-3 +mysql-common=5.8+1.1.1 +native-architecture=0.2.6 +ncurses-base=6.5+20250216-2 +ncurses-bin=6.5+20250216-2 +netbase=6.5 +nettle-dev:amd64=3.10.1-1 +openssh-client=1:10.0p1-7 +openssl-provider-legacy=3.5.5-1~deb13u1 +openssl=3.5.5-1~deb13u1 +pango1.0-tools=1.56.3-1 +passwd=1:4.17.4-2 +patch=2.8-2 +perl-base=5.40.1-6 +perl-modules-5.40=5.40.1-6 +perl=5.40.1-6 +pinentry-curses=1.3.1-2 +pkgconf-bin=1.8.1-4 +pkgconf:amd64=1.8.1-4 +procps=2:4.0.4-9 +protobuf-compiler=3.21.12-11 +python3-minimal=3.13.5-1 +python3-packaging=25.0-1 +python3.13-minimal=3.13.5-2 +python3.13=3.13.5-2 +python3=3.13.5-1 +readline-common=8.2-6 +rpcsvc-proto=1.4.3-1 +sed=4.9-2 +sensible-utils=0.0.25 +shared-mime-info=2.4-5+b2 +sq=1.3.1-2+b1 +sqv=1.3.0-3 +subversion=1.14.5-3 
+sysvinit-utils=3.14-4 +tar=1.35+dfsg-3.1 +tzdata=2025b-4+deb13u1 +ucf=3.0052 +unzip=6.0-29 +util-linux=2.41-5 +uuid-dev:amd64=2.41-5 +wget=1.25.0-2 +x11-common=1:7.7+24+deb13u1 +x11proto-dev=2024.1-1 +xorg-sgml-doctools=1:1.11-1.1 +xtrans-dev=1.4.0-1 +xz-utils=5.8.1-1 +zlib1g-dev:amd64=1:1.3.dfsg+really1.3.1-1+b1 +zlib1g:amd64=1:1.3.dfsg+really1.3.1-1+b1 diff --git a/kms/dstack-app/builder/shared/kms-pinned-packages.txt b/kms/dstack-app/builder/shared/kms-pinned-packages.txt deleted file mode 100644 index 63c13b124..000000000 --- a/kms/dstack-app/builder/shared/kms-pinned-packages.txt +++ /dev/null 
@@ -1,435 +0,0 @@ -adduser=3.134 -apt=2.6.1 -autoconf=2.71-3 -automake=1:1.16.5-1.3 -autotools-dev=20220109.1 -base-files=12.4+deb12u10 -base-passwd=3.6.1 -bash=5.2.15-2+b7 -binutils-common:amd64=2.40-2 -binutils-x86-64-linux-gnu=2.40-2 -binutils=2.40-2 -bsdutils=1:2.38.1-5+deb12u3 -build-essential=12.9 -bzip2=1.0.8-5+b1 -ca-certificates=20230311 -clang-14=1:14.0.6-12 -clang=1:14.0-55.7~deb12u1 -comerr-dev:amd64=2.1-1.47.0-2 -coreutils=9.1-1 -cpp-12=12.2.0-14+deb12u1 -cpp=4:12.2.0-3 -curl=7.88.1-10+deb12u12 -dash=0.5.12-2 -debconf=1.5.82 -debian-archive-keyring=2023.3+deb12u1 -debianutils=5.7-0.5~deb12u1 -default-libmysqlclient-dev:amd64=1.1.0 -diffutils=1:3.8-4 -dirmngr=2.2.40-1.1 -dpkg-dev=1.21.22 -dpkg=1.21.22 -e2fsprogs=1.47.0-2 -file=1:5.44-3 -findutils=4.9.0-4 -fontconfig-config=2.14.1-4 -fontconfig=2.14.1-4 -fonts-dejavu-core=2.37-6 -g++-12=12.2.0-14+deb12u1 -g++=4:12.2.0-3 -gcc-12-base:amd64=12.2.0-14+deb12u1 -gcc-12=12.2.0-14+deb12u1 -gcc=4:12.2.0-3 -gir1.2-freedesktop:amd64=1.74.0-3 -gir1.2-gdkpixbuf-2.0:amd64=2.42.10+dfsg-1+deb12u1 -gir1.2-glib-2.0:amd64=1.74.0-3 -gir1.2-rsvg-2.0:amd64=2.54.7+dfsg-1~deb12u1 -git-man=1:2.39.5-0+deb12u2 -git=1:2.39.5-0+deb12u2 -gnupg-l10n=2.2.40-1.1 -gnupg-utils=2.2.40-1.1 -gnupg=2.2.40-1.1 -gpg-agent=2.2.40-1.1 -gpg-wks-client=2.2.40-1.1 -gpg-wks-server=2.2.40-1.1 -gpg=2.2.40-1.1 -gpgconf=2.2.40-1.1 -gpgsm=2.2.40-1.1 -gpgv=2.2.40-1.1 -grep=3.8-5 -gzip=1.12-1 -hicolor-icon-theme=0.17-2 -hostname=3.23+nmu1 -icu-devtools=72.1-3 -imagemagick-6-common=8:6.9.11.60+dfsg-1.6+deb12u2 -imagemagick-6.q16=8:6.9.11.60+dfsg-1.6+deb12u2 -imagemagick=8:6.9.11.60+dfsg-1.6+deb12u2 -init-system-helpers=1.65.2 -krb5-multidev:amd64=1.20.1-2+deb12u2 -libacl1:amd64=2.3.1-3 -libaom3:amd64=3.6.0-1+deb12u1 -libapr1:amd64=1.7.2-3+deb12u1 -libaprutil1:amd64=1.6.3-1 -libapt-pkg6.0:amd64=2.6.1 -libasan8:amd64=12.2.0-14+deb12u1 -libassuan0:amd64=2.5.5-5 -libatomic1:amd64=12.2.0-14+deb12u1 -libattr1:amd64=1:2.5.1-4 -libaudit-common=1:3.0.9-1 
-libaudit1:amd64=1:3.0.9-1 -libbinutils:amd64=2.40-2 -libblkid-dev:amd64=2.38.1-5+deb12u3 -libblkid1:amd64=2.38.1-5+deb12u3 -libbrotli-dev:amd64=1.0.9-2+b6 -libbrotli1:amd64=1.0.9-2+b6 -libbsd0:amd64=0.11.7-2 -libbz2-1.0:amd64=1.0.8-5+b1 -libbz2-dev:amd64=1.0.8-5+b1 -libc-bin=2.36-9+deb12u10 -libc-dev-bin=2.36-9+deb12u10 -libc6-dev:amd64=2.36-9+deb12u10 -libc6:amd64=2.36-9+deb12u10 -libcairo-gobject2:amd64=1.16.0-7 -libcairo-script-interpreter2:amd64=1.16.0-7 -libcairo2-dev:amd64=1.16.0-7 -libcairo2:amd64=1.16.0-7 -libcap-ng0:amd64=0.8.3-1+b3 -libcap2:amd64=1:2.66-4 -libcbor0.8:amd64=0.8.0-2+b1 -libcc1-0:amd64=12.2.0-14+deb12u1 -libclang-14-dev=1:14.0.6-12 -libclang-common-14-dev=1:14.0.6-12 -libclang-cpp14=1:14.0.6-12 -libclang-dev=1:14.0-55.7~deb12u1 -libclang1-14=1:14.0.6-12 -libcom-err2:amd64=1.47.0-2 -libcrypt-dev:amd64=1:4.4.33-2 -libcrypt1:amd64=1:4.4.33-2 -libctf-nobfd0:amd64=2.40-2 -libctf0:amd64=2.40-2 -libcurl3-gnutls:amd64=7.88.1-10+deb12u12 -libcurl4-openssl-dev:amd64=7.88.1-10+deb12u12 -libcurl4:amd64=7.88.1-10+deb12u12 -libdatrie1:amd64=0.2.13-2+b1 -libdav1d6:amd64=1.0.0-2+deb12u1 -libdb-dev:amd64=5.3.2 -libdb5.3-dev=5.3.28+dfsg2-1 -libdb5.3:amd64=5.3.28+dfsg2-1 -libde265-0:amd64=1.0.11-1+deb12u2 -libdebconfclient0:amd64=0.270 -libdeflate-dev:amd64=1.14-1 -libdeflate0:amd64=1.14-1 -libdjvulibre-dev:amd64=3.5.28-2+b1 -libdjvulibre-text=3.5.28-2 -libdjvulibre21:amd64=3.5.28-2+b1 -libdpkg-perl=1.21.22 -libedit2:amd64=3.1-20221030-2 -libelf1:amd64=0.188-2.1 -liberror-perl=0.17029-2 -libevent-2.1-7:amd64=2.1.12-stable-8 -libevent-core-2.1-7:amd64=2.1.12-stable-8 -libevent-dev=2.1.12-stable-8 -libevent-extra-2.1-7:amd64=2.1.12-stable-8 -libevent-openssl-2.1-7:amd64=2.1.12-stable-8 -libevent-pthreads-2.1-7:amd64=2.1.12-stable-8 -libexif-dev:amd64=0.6.24-1+b1 -libexif12:amd64=0.6.24-1+b1 -libexpat1-dev:amd64=2.5.0-1+deb12u1 -libexpat1:amd64=2.5.0-1+deb12u1 -libext2fs2:amd64=1.47.0-2 -libffi-dev:amd64=3.4.4-1 -libffi8:amd64=3.4.4-1 
-libfftw3-double3:amd64=3.3.10-1 -libfido2-1:amd64=1.12.0-2+b1 -libfontconfig-dev:amd64=2.14.1-4 -libfontconfig1:amd64=2.14.1-4 -libfreetype-dev:amd64=2.12.1+dfsg-5+deb12u4 -libfreetype6-dev:amd64=2.12.1+dfsg-5+deb12u4 -libfreetype6:amd64=2.12.1+dfsg-5+deb12u4 -libfribidi0:amd64=1.0.8-2.1 -libgc1:amd64=1:8.2.2-3 -libgcc-12-dev:amd64=12.2.0-14+deb12u1 -libgcc-s1:amd64=12.2.0-14+deb12u1 -libgcrypt20:amd64=1.10.1-3 -libgdbm-compat4:amd64=1.23-3 -libgdbm-dev:amd64=1.23-3 -libgdbm6:amd64=1.23-3 -libgdk-pixbuf-2.0-0:amd64=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf-2.0-dev:amd64=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf2.0-bin=2.42.10+dfsg-1+deb12u1 -libgdk-pixbuf2.0-common=2.42.10+dfsg-1+deb12u1 -libgirepository-1.0-1:amd64=1.74.0-3 -libglib2.0-0:amd64=2.74.6-2+deb12u5 -libglib2.0-bin=2.74.6-2+deb12u5 -libglib2.0-data=2.74.6-2+deb12u5 -libglib2.0-dev-bin=2.74.6-2+deb12u5 -libglib2.0-dev:amd64=2.74.6-2+deb12u5 -libgmp-dev:amd64=2:6.2.1+dfsg1-1.1 -libgmp10:amd64=2:6.2.1+dfsg1-1.1 -libgmpxx4ldbl:amd64=2:6.2.1+dfsg1-1.1 -libgnutls30:amd64=3.7.9-2+deb12u4 -libgomp1:amd64=12.2.0-14+deb12u1 -libgpg-error0:amd64=1.46-1 -libgprofng0:amd64=2.40-2 -libgraphite2-3:amd64=1.3.14-1 -libgssapi-krb5-2:amd64=1.20.1-2+deb12u2 -libgssrpc4:amd64=1.20.1-2+deb12u2 -libharfbuzz0b:amd64=6.0.0+dfsg-3 -libheif1:amd64=1.15.1-1+deb12u1 -libhogweed6:amd64=3.8.1-2 -libice-dev:amd64=2:1.0.10-1 -libice6:amd64=2:1.0.10-1 -libicu-dev:amd64=72.1-3 -libicu72:amd64=72.1-3 -libidn2-0:amd64=2.3.3-1+b1 -libimath-3-1-29:amd64=3.1.6-1 -libimath-dev:amd64=3.1.6-1 -libisl23:amd64=0.25-1.1 -libitm1:amd64=12.2.0-14+deb12u1 -libjansson4:amd64=2.14-2 -libjbig-dev:amd64=2.1-6.1 -libjbig0:amd64=2.1-6.1 -libjpeg-dev:amd64=1:2.1.5-2 -libjpeg62-turbo-dev:amd64=1:2.1.5-2 -libjpeg62-turbo:amd64=1:2.1.5-2 -libk5crypto3:amd64=1.20.1-2+deb12u2 -libkadm5clnt-mit12:amd64=1.20.1-2+deb12u2 -libkadm5srv-mit12:amd64=1.20.1-2+deb12u2 -libkdb5-10:amd64=1.20.1-2+deb12u2 -libkeyutils1:amd64=1.6.3-2 -libkrb5-3:amd64=1.20.1-2+deb12u2 
-libkrb5-dev:amd64=1.20.1-2+deb12u2 -libkrb5support0:amd64=1.20.1-2+deb12u2 -libksba8:amd64=1.6.3-2 -liblcms2-2:amd64=2.14-2 -liblcms2-dev:amd64=2.14-2 -libldap-2.5-0:amd64=2.5.13+dfsg-5 -liblerc-dev:amd64=4.0.0+ds-2 -liblerc4:amd64=4.0.0+ds-2 -libllvm14:amd64=1:14.0.6-12 -liblqr-1-0-dev:amd64=0.4.2-2.1 -liblqr-1-0:amd64=0.4.2-2.1 -liblsan0:amd64=12.2.0-14+deb12u1 -libltdl-dev:amd64=2.4.7-7~deb12u1 -libltdl7:amd64=2.4.7-7~deb12u1 -liblz4-1:amd64=1.9.4-1 -liblzma-dev:amd64=5.4.1-1 -liblzma5:amd64=5.4.1-1 -liblzo2-2:amd64=2.10-2 -libmagic-mgc=1:5.44-3 -libmagic1:amd64=1:5.44-3 -libmagickcore-6-arch-config:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-6-extra:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickcore-dev=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 -libmagickwand-dev=8:6.9.11.60+dfsg-1.6+deb12u2 -libmariadb-dev-compat=1:10.11.11-0+deb12u1 -libmariadb-dev=1:10.11.11-0+deb12u1 -libmariadb3:amd64=1:10.11.11-0+deb12u1 -libmaxminddb-dev:amd64=1.7.1-1 -libmaxminddb0:amd64=1.7.1-1 -libmd0:amd64=1.0.4-2 -libmount-dev:amd64=2.38.1-5+deb12u3 -libmount1:amd64=2.38.1-5+deb12u3 -libmpc3:amd64=1.3.1-1 -libmpfr6:amd64=4.2.0-1 -libncurses-dev:amd64=6.4-4 -libncurses5-dev:amd64=6.4-4 -libncurses6:amd64=6.4-4 -libncursesw5-dev:amd64=6.4-4 -libncursesw6:amd64=6.4-4 -libnettle8:amd64=3.8.1-2 -libnghttp2-14:amd64=1.52.0-1+deb12u2 -libnpth0:amd64=1.6-3 -libnsl-dev:amd64=1.3.0-2 -libnsl2:amd64=1.3.0-2 -libnuma1:amd64=2.0.16-1 -libobjc-12-dev:amd64=12.2.0-14+deb12u1 -libobjc4:amd64=12.2.0-14+deb12u1 -libopenexr-3-1-30:amd64=3.1.5-5 -libopenexr-dev=3.1.5-5 -libopenjp2-7-dev:amd64=2.5.0-2+deb12u1 -libopenjp2-7:amd64=2.5.0-2+deb12u1 
-libp11-kit0:amd64=0.24.1-2 -libpam-modules-bin=1.5.2-6+deb12u1 -libpam-modules:amd64=1.5.2-6+deb12u1 -libpam-runtime=1.5.2-6+deb12u1 -libpam0g:amd64=1.5.2-6+deb12u1 -libpango-1.0-0:amd64=1.50.12+ds-1 -libpangocairo-1.0-0:amd64=1.50.12+ds-1 -libpangoft2-1.0-0:amd64=1.50.12+ds-1 -libpcre2-16-0:amd64=10.42-1 -libpcre2-32-0:amd64=10.42-1 -libpcre2-8-0:amd64=10.42-1 -libpcre2-dev:amd64=10.42-1 -libpcre2-posix3:amd64=10.42-1 -libperl5.36:amd64=5.36.0-7+deb12u2 -libpixman-1-0:amd64=0.42.2-1 -libpixman-1-dev:amd64=0.42.2-1 -libpkgconf3:amd64=1.8.1-1 -libpng-dev:amd64=1.6.39-2 -libpng16-16:amd64=1.6.39-2 -libpq-dev=15.12-0+deb12u2 -libpq5:amd64=15.12-0+deb12u2 -libproc2-0:amd64=2:4.0.2-3 -libprotobuf-dev:amd64=3.21.12-3 -libprotobuf-lite32:amd64=3.21.12-3 -libprotobuf32:amd64=3.21.12-3 -libprotoc32:amd64=3.21.12-3 -libpsl5:amd64=0.21.2-1 -libpthread-stubs0-dev:amd64=0.4-1 -libpython3-stdlib:amd64=3.11.2-1+b1 -libpython3.11-minimal:amd64=3.11.2-6+deb12u5 -libpython3.11-stdlib:amd64=3.11.2-6+deb12u5 -libquadmath0:amd64=12.2.0-14+deb12u1 -libreadline-dev:amd64=8.2-1.3 -libreadline8:amd64=8.2-1.3 -librsvg2-2:amd64=2.54.7+dfsg-1~deb12u1 -librsvg2-common:amd64=2.54.7+dfsg-1~deb12u1 -librsvg2-dev:amd64=2.54.7+dfsg-1~deb12u1 -librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 -libsasl2-2:amd64=2.1.28+dfsg-10 -libsasl2-modules-db:amd64=2.1.28+dfsg-10 -libseccomp2:amd64=2.5.4-1+deb12u1 -libselinux1-dev:amd64=3.4-1+b6 -libselinux1:amd64=3.4-1+b6 -libsemanage-common=3.4-1 -libsemanage2:amd64=3.4-1+b5 -libsepol-dev:amd64=3.4-2.1 -libsepol2:amd64=3.4-2.1 -libserf-1-1:amd64=1.3.9-11 -libsm-dev:amd64=2:1.2.3-1 -libsm6:amd64=2:1.2.3-1 -libsmartcols1:amd64=2.38.1-5+deb12u3 -libsqlite3-0:amd64=3.40.1-2+deb12u1 -libsqlite3-dev:amd64=3.40.1-2+deb12u1 -libss2:amd64=1.47.0-2 -libssh2-1:amd64=1.10.0-3+b1 -libssl-dev:amd64=3.0.16-1~deb12u1 -libssl3:amd64=3.0.16-1~deb12u1 -libstdc++-12-dev:amd64=12.2.0-14+deb12u1 -libstdc++6:amd64=12.2.0-14+deb12u1 -libsvn1:amd64=1.14.2-4+deb12u1 
-libsystemd0:amd64=252.36-1~deb12u1 -libtasn1-6:amd64=4.19.0-2+deb12u1 -libthai-data=0.1.29-1 -libthai0:amd64=0.1.29-1 -libtiff-dev:amd64=4.5.0-6+deb12u2 -libtiff6:amd64=4.5.0-6+deb12u2 -libtiffxx6:amd64=4.5.0-6+deb12u2 -libtinfo6:amd64=6.4-4 -libtirpc-common=1.3.3+ds-1 -libtirpc-dev:amd64=1.3.3+ds-1 -libtirpc3:amd64=1.3.3+ds-1 -libtool=2.4.7-7~deb12u1 -libtsan2:amd64=12.2.0-14+deb12u1 -libubsan1:amd64=12.2.0-14+deb12u1 -libudev1:amd64=252.36-1~deb12u1 -libunistring2:amd64=1.0-2 -libutf8proc2:amd64=2.8.0-1 -libuuid1:amd64=2.38.1-5+deb12u3 -libwebp-dev:amd64=1.2.4-0.2+deb12u1 -libwebp7:amd64=1.2.4-0.2+deb12u1 -libwebpdemux2:amd64=1.2.4-0.2+deb12u1 -libwebpmux3:amd64=1.2.4-0.2+deb12u1 -libwmf-0.2-7:amd64=0.2.12-5.1 -libwmf-dev=0.2.12-5.1 -libwmflite-0.2-7:amd64=0.2.12-5.1 -libx11-6:amd64=2:1.8.4-2+deb12u2 -libx11-data=2:1.8.4-2+deb12u2 -libx11-dev:amd64=2:1.8.4-2+deb12u2 -libx265-199:amd64=3.5-2+b1 -libxau-dev:amd64=1:1.0.9-1 -libxau6:amd64=1:1.0.9-1 -libxcb-render0-dev:amd64=1.15-1 -libxcb-render0:amd64=1.15-1 -libxcb-shm0-dev:amd64=1.15-1 -libxcb-shm0:amd64=1.15-1 -libxcb1-dev:amd64=1.15-1 -libxcb1:amd64=1.15-1 -libxdmcp-dev:amd64=1:1.1.2-3 -libxdmcp6:amd64=1:1.1.2-3 -libxext-dev:amd64=2:1.3.4-1+b1 -libxext6:amd64=2:1.3.4-1+b1 -libxml2-dev:amd64=2.9.14+dfsg-1.3~deb12u1 -libxml2:amd64=2.9.14+dfsg-1.3~deb12u1 -libxrender-dev:amd64=1:0.9.10-1.1 -libxrender1:amd64=1:0.9.10-1.1 -libxslt1-dev:amd64=1.1.35-1+deb12u1 -libxslt1.1:amd64=1.1.35-1+deb12u1 -libxt-dev:amd64=1:1.2.1-1.1 -libxt6:amd64=1:1.2.1-1.1 -libxxhash0:amd64=0.8.1-1 -libyaml-0-2:amd64=0.2.5-1 -libyaml-dev:amd64=0.2.5-1 -libz3-4:amd64=4.8.12-3.1 -libzstd-dev:amd64=1.5.4+dfsg2-5 -libzstd1:amd64=1.5.4+dfsg2-5 -linux-libc-dev:amd64=6.1.135-1 -llvm-14-linker-tools=1:14.0.6-12 -login=1:4.13+dfsg1-1+b1 -logsave=1.47.0-2 -m4=1.4.19-3 -make=4.3-4.1 -mariadb-common=1:10.11.11-0+deb12u1 -mawk=1.3.4.20200120-3.1 -media-types=10.0.0 -mercurial-common=6.3.2-1+deb12u1 -mercurial=6.3.2-1+deb12u1 -mount=2.38.1-5+deb12u3 
-musl-dev:amd64=1.2.3-1 -musl-tools=1.2.3-1 -musl:amd64=1.2.3-1 -mysql-common=5.8+1.1.0 -ncurses-base=6.4-4 -ncurses-bin=6.4-4 -netbase=6.4 -openssh-client=1:9.2p1-2+deb12u5 -openssl=3.0.16-1~deb12u1 -passwd=1:4.13+dfsg1-1+b1 -patch=2.7.6-7 -perl-base=5.36.0-7+deb12u2 -perl-modules-5.36=5.36.0-7+deb12u2 -perl=5.36.0-7+deb12u2 -pinentry-curses=1.2.1-1 -pkg-config:amd64=1.8.1-1 -pkgconf-bin=1.8.1-1 -pkgconf:amd64=1.8.1-1 -procps=2:4.0.2-3 -protobuf-compiler=3.21.12-3 -python3-distutils=3.11.2-3 -python3-lib2to3=3.11.2-3 -python3-minimal=3.11.2-1+b1 -python3.11-minimal=3.11.2-6+deb12u5 -python3.11=3.11.2-6+deb12u5 -python3=3.11.2-1+b1 -readline-common=8.2-1.3 -rpcsvc-proto=1.4.3-1 -sed=4.9-1 -sensible-utils=0.0.17+nmu1 -shared-mime-info=2.2-1 -sq=0.27.0-2+b1 -subversion=1.14.2-4+deb12u1 -sysvinit-utils=3.06-4 -tar=1.34+dfsg-1.2+deb12u1 -tzdata=2025b-0+deb12u1 -ucf=3.0043+nmu1+deb12u1 -unzip=6.0-28 -usr-is-merged=37~deb12u1 -util-linux-extra=2.38.1-5+deb12u3 -util-linux=2.38.1-5+deb12u3 -uuid-dev:amd64=2.38.1-5+deb12u3 -wget=1.21.3-1+deb12u1 -x11-common=1:7.7+23 -x11proto-core-dev=2022.1-1 -x11proto-dev=2022.1-1 -xorg-sgml-doctools=1:1.11-1.1 -xtrans-dev=1.4.0-1 -xz-utils=5.4.1-1 -zlib1g-dev:amd64=1:1.2.13.dfsg-1 -zlib1g:amd64=1:1.2.13.dfsg-1 diff --git a/kms/dstack-app/builder/shared/pin-packages.sh b/kms/dstack-app/builder/shared/pin-packages.sh deleted file mode 100755 index 3c750b1bb..000000000 --- a/kms/dstack-app/builder/shared/pin-packages.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -set -e -PKG_LIST=$1 - -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250626T204007Z bookworm main' > /etc/apt/sources.list -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250626T204007Z bookworm-security main' >> /etc/apt/sources.list -echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until - -mkdir -p /etc/apt/preferences.d -cat $PKG_LIST | while read line; do - pkg=$(echo $line | cut -d= -f1); - ver=$(echo $line | cut -d= -f2); - if [ ! -z "$pkg" ] && [ ! -z "$ver" ]; then - echo "Package: $pkg\nPin: version $ver\nPin-Priority: 1001\n" >> /etc/apt/preferences.d/pinned-packages; - fi; -done \ No newline at end of file diff --git a/kms/dstack-app/builder/shared/qemu-pinned-packages.txt b/kms/dstack-app/builder/shared/qemu-pinned-packages.txt index 67a293d78..8cb00cf86 100644 --- a/kms/dstack-app/builder/shared/qemu-pinned-packages.txt +++ b/kms/dstack-app/builder/shared/qemu-pinned-packages.txt @@ -32,8 +32,8 @@ g++=4:12.2.0-3 gcc-12-base:amd64=12.2.0-14+deb12u1 gcc-12=12.2.0-14+deb12u1 gcc=4:12.2.0-3 -git-man=1:2.39.5-0+deb12u2 -git=1:2.39.5-0+deb12u2 +git-man=1:2.39.5-0+deb12u3 +git=1:2.39.5-0+deb12u3 gpgv=2.2.40-1.1 grep=3.8-5 gzip=1.12-1 @@ -51,10 +51,10 @@ libblkid-dev:amd64=2.38.1-5+deb12u3 libblkid1:amd64=2.38.1-5+deb12u3 libbrotli1:amd64=1.0.9-2+b6 libbz2-1.0:amd64=1.0.8-5+b1 -libc-bin=2.36-9+deb12u10 -libc-dev-bin=2.36-9+deb12u10 -libc6-dev:amd64=2.36-9+deb12u10 -libc6:amd64=2.36-9+deb12u10 +libc-bin=2.36-9+deb12u13 +libc-dev-bin=2.36-9+deb12u13 +libc6-dev:amd64=2.36-9+deb12u13 +libc6:amd64=2.36-9+deb12u13 libcap-ng0:amd64=0.8.3-1+b3 libcap2:amd64=1:2.66-4+deb12u1 libcc1-0:amd64=12.2.0-14+deb12u1 
@@ -63,13 +63,13 @@ libcrypt-dev:amd64=1:4.4.33-2 libcrypt1:amd64=1:4.4.33-2 libctf-nobfd0:amd64=2.40-2 libctf0:amd64=2.40-2 -libcurl3-gnutls:amd64=7.88.1-10+deb12u12 +libcurl3-gnutls:amd64=7.88.1-10+deb12u14 libdb5.3:amd64=5.3.28+dfsg2-1 libdebconfclient0:amd64=0.270 libdpkg-perl=1.21.22 libelf1:amd64=0.188-2.1 liberror-perl=0.17029-2 -libexpat1:amd64=2.5.0-1+deb12u1 +libexpat1:amd64=2.5.0-1+deb12u2 libext2fs2:amd64=1.47.0-2 libffi-dev:amd64=3.4.4-1 libffi8:amd64=3.4.4-1 @@ -78,17 +78,17 @@ libgcc-s1:amd64=12.2.0-14+deb12u1 libgcrypt20:amd64=1.10.1-3 libgdbm-compat4:amd64=1.23-3 libgdbm6:amd64=1.23-3 -libglib2.0-0:amd64=2.74.6-2+deb12u6 -libglib2.0-bin=2.74.6-2+deb12u6 -libglib2.0-data=2.74.6-2+deb12u6 -libglib2.0-dev-bin=2.74.6-2+deb12u6 -libglib2.0-dev:amd64=2.74.6-2+deb12u6 +libglib2.0-0:amd64=2.74.6-2+deb12u8 +libglib2.0-bin=2.74.6-2+deb12u8 +libglib2.0-data=2.74.6-2+deb12u8 +libglib2.0-dev-bin=2.74.6-2+deb12u8 +libglib2.0-dev:amd64=2.74.6-2+deb12u8 libgmp10:amd64=2:6.2.1+dfsg1-1.1 libgnutls30:amd64=3.7.9-2+deb12u4 libgomp1:amd64=12.2.0-14+deb12u1 libgpg-error0:amd64=1.46-1 libgprofng0:amd64=2.40-2 -libgssapi-krb5-2:amd64=1.20.1-2+deb12u3 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u4 libhogweed6:amd64=3.8.1-2 libidn2-0:amd64=2.3.3-1+b1 libisl23:amd64=0.25-1.1 @@ -98,10 +98,10 @@ libjs-jquery=3.6.1+dfsg+~3.5.14-1 libjs-sphinxdoc=5.3.0-4 libjs-underscore=1.13.4~dfsg+~1.11.4-3 libjson-perl=4.10000-1 -libk5crypto3:amd64=1.20.1-2+deb12u3 +libk5crypto3:amd64=1.20.1-2+deb12u4 libkeyutils1:amd64=1.6.3-2 -libkrb5-3:amd64=1.20.1-2+deb12u3 -libkrb5support0:amd64=1.20.1-2+deb12u3 +libkrb5-3:amd64=1.20.1-2+deb12u4 +libkrb5support0:amd64=1.20.1-2+deb12u4 libldap-2.5-0:amd64=2.5.13+dfsg-5 liblsan0:amd64=12.2.0-14+deb12u1 liblz4-1:amd64=1.9.4-1 
@@ -126,7 +126,7 @@ libpcre2-32-0:amd64=10.42-1 libpcre2-8-0:amd64=10.42-1 libpcre2-dev:amd64=10.42-1 libpcre2-posix3:amd64=10.42-1 -libperl5.36:amd64=5.36.0-7+deb12u2 +libperl5.36:amd64=5.36.0-7+deb12u3 libpkgconf3:amd64=1.8.1-1 libpsl5:amd64=0.21.2-1 libpython3-stdlib:amd64=3.11.2-1+b1 @@ -147,10 +147,10 @@ libsepol2:amd64=3.4-2.1 libslirp-dev:amd64=4.7.0-1 libslirp0:amd64=4.7.0-1 libsmartcols1:amd64=2.38.1-5+deb12u3 -libsqlite3-0:amd64=3.40.1-2+deb12u1 +libsqlite3-0:amd64=3.40.1-2+deb12u2 libss2:amd64=1.47.0-2 libssh2-1:amd64=1.10.0-3+b1 -libssl3:amd64=3.0.16-1~deb12u1 +libssl3:amd64=3.0.18-1~deb12u2 libstdc++-12-dev:amd64=12.2.0-14+deb12u1 libstdc++6:amd64=12.2.0-14+deb12u1 libsystemd0:amd64=252.38-1~deb12u1 @@ -166,7 +166,7 @@ libunistring2:amd64=1.0-2 libuuid1:amd64=2.38.1-5+deb12u3 libxxhash0:amd64=0.8.1-1 libzstd1:amd64=1.5.4+dfsg2-5 -linux-libc-dev:amd64=6.1.140-1 +linux-libc-dev:amd64=6.1.164-1 login=1:4.13+dfsg1-1+deb12u1 logsave=1.47.0-2 m4=1.4.19-3 @@ -177,12 +177,12 @@ mount=2.38.1-5+deb12u3 ncurses-base=6.4-4 ncurses-bin=6.4-4 ninja-build=1.11.1-2~deb12u1 -openssl=3.0.16-1~deb12u1 +openssl=3.0.18-1~deb12u2 passwd=1:4.13+dfsg1-1+deb12u1 patch=2.7.6-7 -perl-base=5.36.0-7+deb12u2 -perl-modules-5.36=5.36.0-7+deb12u2 -perl=5.36.0-7+deb12u2 +perl-base=5.36.0-7+deb12u3 +perl-modules-5.36=5.36.0-7+deb12u3 +perl=5.36.0-7+deb12u3 pkg-config:amd64=1.8.1-1 pkgconf-bin=1.8.1-1 pkgconf:amd64=1.8.1-1 
@@ -196,23 +196,23 @@ python3-distutils=3.11.2-3 python3-docutils=0.19+dfsg-6 python3-idna=3.3-1+deb12u1 python3-imagesize=1.4.1-1 -python3-jinja2=3.1.2-1+deb12u2 +python3-jinja2=3.1.2-1+deb12u3 python3-lib2to3=3.11.2-3 python3-markupsafe=2.1.2-1+b1 python3-minimal=3.11.2-1+b1 python3-packaging=23.0-1 python3-pip=23.0.1+dfsg-1 -python3-pkg-resources=66.1.1-1+deb12u1 +python3-pkg-resources=66.1.1-1+deb12u2 python3-pygments=2.14.0+dfsg-1 python3-requests=2.28.1+dfsg-1 python3-roman=3.3-3 -python3-setuptools=66.1.1-1+deb12u1 +python3-setuptools=66.1.1-1+deb12u2 python3-six=1.16.0-4 python3-snowballstemmer=2.2.0-2 python3-sphinx-rtd-theme=1.2.0+dfsg-1 python3-sphinx=5.3.0-4 python3-tz=2022.7.1-4 -python3-urllib3=1.26.12-1+deb12u1 +python3-urllib3=1.26.12-1+deb12u3 python3-wheel=0.38.4-2 python3.11-minimal=3.11.2-6+deb12u6 python3.11=3.11.2-6+deb12u6 diff --git a/verifier/builder/build-image.sh b/verifier/builder/build-image.sh index 75bcca791..2e09ea1c5 100755 --- a/verifier/builder/build-image.sh +++ b/verifier/builder/build-image.sh 
@@ -7,81 +7,34 @@ set -euo pipefail SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) -CONTEXT_DIR=$(dirname "$SCRIPT_DIR") REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel) +CONTEXT_DIR=$(dirname "$SCRIPT_DIR") SHARED_DIR="$SCRIPT_DIR/shared" -SHARED_GIT_PATH=$(realpath --relative-to="$REPO_ROOT" "$SHARED_DIR") DOCKERFILE="$SCRIPT_DIR/Dockerfile" -NO_CACHE=${NO_CACHE:-} +source "$REPO_ROOT/build/shared/build-lib.sh" + NAME=${1:-} if [ -z "$NAME" ]; then echo "Usage: $0 [:]" >&2 exit 1 fi -extract_packages() { - local image_name=$1 - local pkg_list_file=$2 - if [ -z "$pkg_list_file" ]; then - return - fi - docker run --rm --entrypoint bash "$image_name" \ - -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" \ - >"$pkg_list_file" -} - -docker_build() { - local image_name=$1 - local target=$2 - local pkg_list_file=$3 - - local commit_timestamp - commit_timestamp=$(git -C "$REPO_ROOT" show -s --format=%ct "$GIT_REV") - - local args=( - --builder buildkit_20 - --progress=plain - --output type=docker,name="$image_name",rewrite-timestamp=true - --build-arg SOURCE_DATE_EPOCH="$commit_timestamp" - --build-arg DSTACK_REV="$GIT_REV" - --build-arg DSTACK_SRC_URL="$DSTACK_SRC_URL" - ) - - if [ -n "$NO_CACHE" ]; then - args+=(--no-cache) - fi - - if [ -n "$target" ]; then - args+=(--target "$target") - fi - - docker buildx build "${args[@]}" \ - --file "$DOCKERFILE" \ - "$CONTEXT_DIR" - - extract_packages "$image_name" "$pkg_list_file" -} +NO_CACHE=${NO_CACHE:-} +GIT_REV=${GIT_REV:-HEAD} +GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") +DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} -if ! 
docker buildx inspect buildkit_20 &>/dev/null; then - docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20 -fi +ensure_buildkit +sync_shared_scripts "$SHARED_DIR" true mkdir -p "$SHARED_DIR" touch "$SHARED_DIR/builder-pinned-packages.txt" touch "$SHARED_DIR/qemu-pinned-packages.txt" touch "$SHARED_DIR/pinned-packages.txt" -GIT_REV=${GIT_REV:-HEAD} -GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") -DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} - docker_build "$NAME" "" "$SHARED_DIR/pinned-packages.txt" docker_build "verifier-builder-temp" "verifier-builder" "$SHARED_DIR/builder-pinned-packages.txt" docker_build "verifier-acpi-builder-temp" "acpi-builder" "$SHARED_DIR/qemu-pinned-packages.txt" -git_status=$(git -C "$REPO_ROOT" status --porcelain -- "$SHARED_GIT_PATH") -if [ -n "$git_status" ]; then - echo "The working tree has updates in $SHARED_GIT_PATH. Commit or stash before re-running." >&2 - exit 1 -fi +check_clean_tree "$SHARED_DIR" diff --git a/verifier/builder/shared/.gitignore b/verifier/builder/shared/.gitignore new file mode 100644 index 000000000..eaf106ff1 --- /dev/null +++ b/verifier/builder/shared/.gitignore @@ -0,0 +1,3 @@ +# Copied from build/shared/ at build time by build-image.sh +pin-packages.sh +config-qemu.sh diff --git a/verifier/builder/shared/builder-pinned-packages.txt b/verifier/builder/shared/builder-pinned-packages.txt index b755865bd..75a2bc37d 100644 --- a/verifier/builder/shared/builder-pinned-packages.txt +++ b/verifier/builder/shared/builder-pinned-packages.txt 
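Review bot: In verifier/builder/build-image.sh, `GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV")` resolves an environment-supplied revision without `--verify`, so a value beginning with `-` is read as a rev-parse option and an annotated tag resolves to the tag object rather than a commit. The result is presumably still handed to the image build as `DSTACK_REV` by the shared `docker_build`, as the removed local copy did, so for a reproducible build I would pin it to exactly one commit with `GIT_REV=$(git -C "$REPO_ROOT" rev-parse --verify "${GIT_REV}^{commit}")`. The helpers called here (`ensure_buildkit`, `sync_shared_scripts`, `docker_build`, `check_clean_tree`) live in build/shared/build-lib.sh, outside this hunk, and appear to read `GIT_REV`, `DSTACK_SRC_URL`, `NO_CACHE`, `DOCKERFILE` and `CONTEXT_DIR` as globals. A comment above the `source` line such as `# build-lib.sh reads: REPO_ROOT CONTEXT_DIR DOCKERFILE NO_CACHE GIT_REV DSTACK_SRC_URL` would make that contract visible once confirmed against the library. The script's opening lines are outside the hunk.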
@@ -1,435 +1,435 @@ -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= +adduser=3.134 +apt=2.6.1 +autoconf=2.71-3 +automake=1:1.16.5-1.3 +autotools-dev=20220109.1 +base-files=12.4+deb12u13 +base-passwd=3.6.1 +bash=5.2.15-2+b10 +binutils-common:amd64=2.40-2 +binutils-x86-64-linux-gnu=2.40-2 +binutils=2.40-2 +bsdutils=1:2.38.1-5+deb12u3 +build-essential=12.9 +bzip2=1.0.8-5+b1 +ca-certificates=20230311+deb12u1 +clang-14=1:14.0.6-12 +clang=1:14.0-55.7~deb12u1 +comerr-dev:amd64=2.1-1.47.0-2+b2 +coreutils=9.1-1 +cpp-12=12.2.0-14+deb12u1 +cpp=4:12.2.0-3 +curl=7.88.1-10+deb12u14 +dash=0.5.12-2 +debconf=1.5.82 +debian-archive-keyring=2023.3+deb12u2 +debianutils=5.7-0.5~deb12u1 +default-libmysqlclient-dev:amd64=1.1.0 +diffutils=1:3.8-4 
+dirmngr=2.2.40-1.1+deb12u2 +dpkg-dev=1.21.22 +dpkg=1.21.22 +e2fsprogs=1.47.0-2+b2 +file=1:5.44-3 +findutils=4.9.0-4 +fontconfig-config=2.14.1-4 +fontconfig=2.14.1-4 +fonts-dejavu-core=2.37-6 +g++-12=12.2.0-14+deb12u1 +g++=4:12.2.0-3 +gcc-12-base:amd64=12.2.0-14+deb12u1 +gcc-12=12.2.0-14+deb12u1 +gcc=4:12.2.0-3 +gir1.2-freedesktop:amd64=1.74.0-3 +gir1.2-gdkpixbuf-2.0:amd64=2.42.10+dfsg-1+deb12u3 +gir1.2-glib-2.0:amd64=1.74.0-3 +gir1.2-rsvg-2.0:amd64=2.54.7+dfsg-1~deb12u1 +git-man=1:2.39.5-0+deb12u3 +git=1:2.39.5-0+deb12u3 +gnupg-l10n=2.2.40-1.1+deb12u2 +gnupg-utils=2.2.40-1.1+deb12u2 +gnupg=2.2.40-1.1+deb12u2 +gpg-agent=2.2.40-1.1+deb12u2 +gpg-wks-client=2.2.40-1.1+deb12u2 +gpg-wks-server=2.2.40-1.1+deb12u2 +gpg=2.2.40-1.1+deb12u2 +gpgconf=2.2.40-1.1+deb12u2 +gpgsm=2.2.40-1.1+deb12u2 +gpgv=2.2.40-1.1+deb12u2 +grep=3.8-5 +gzip=1.12-1 +hicolor-icon-theme=0.17-2 +hostname=3.23+nmu1 +icu-devtools=72.1-3+deb12u1 +imagemagick-6-common=8:6.9.11.60+dfsg-1.6+deb12u5 +imagemagick-6.q16=8:6.9.11.60+dfsg-1.6+deb12u5 +imagemagick=8:6.9.11.60+dfsg-1.6+deb12u5 +init-system-helpers=1.65.2+deb12u1 +krb5-multidev:amd64=1.20.1-2+deb12u4 +libacl1:amd64=2.3.1-3 +libaom3:amd64=3.6.0-1+deb12u2 +libapr1:amd64=1.7.2-3+deb12u1 +libaprutil1:amd64=1.6.3-1 +libapt-pkg6.0:amd64=2.6.1 +libasan8:amd64=12.2.0-14+deb12u1 +libassuan0:amd64=2.5.5-5 +libatomic1:amd64=12.2.0-14+deb12u1 +libattr1:amd64=1:2.5.1-4 +libaudit-common=1:3.0.9-1 +libaudit1:amd64=1:3.0.9-1 +libbinutils:amd64=2.40-2 +libblkid-dev:amd64=2.38.1-5+deb12u3 +libblkid1:amd64=2.38.1-5+deb12u3 +libbrotli-dev:amd64=1.0.9-2+b6 +libbrotli1:amd64=1.0.9-2+b6 +libbsd0:amd64=0.11.7-2 +libbz2-1.0:amd64=1.0.8-5+b1 +libbz2-dev:amd64=1.0.8-5+b1 +libc-bin=2.36-9+deb12u13 +libc-dev-bin=2.36-9+deb12u13 +libc6-dev:amd64=2.36-9+deb12u13 +libc6:amd64=2.36-9+deb12u13 +libcairo-gobject2:amd64=1.16.0-7 +libcairo-script-interpreter2:amd64=1.16.0-7 +libcairo2-dev:amd64=1.16.0-7 +libcairo2:amd64=1.16.0-7 +libcap-ng0:amd64=0.8.3-1+b3 
+libcap2:amd64=1:2.66-4+deb12u2+b2 +libcbor0.8:amd64=0.8.0-2+b1 +libcc1-0:amd64=12.2.0-14+deb12u1 +libclang-14-dev=1:14.0.6-12 +libclang-common-14-dev=1:14.0.6-12 +libclang-cpp14=1:14.0.6-12 +libclang-dev=1:14.0-55.7~deb12u1 +libclang1-14=1:14.0.6-12 +libcom-err2:amd64=1.47.0-2+b2 +libcrypt-dev:amd64=1:4.4.33-2 +libcrypt1:amd64=1:4.4.33-2 +libctf-nobfd0:amd64=2.40-2 +libctf0:amd64=2.40-2 +libcurl3-gnutls:amd64=7.88.1-10+deb12u14 +libcurl4-openssl-dev:amd64=7.88.1-10+deb12u14 +libcurl4:amd64=7.88.1-10+deb12u14 +libdatrie1:amd64=0.2.13-2+b1 +libdav1d6:amd64=1.0.0-2+deb12u1 +libdb-dev:amd64=5.3.2 +libdb5.3-dev=5.3.28+dfsg2-1 +libdb5.3:amd64=5.3.28+dfsg2-1 +libde265-0:amd64=1.0.11-1+deb12u2 +libdebconfclient0:amd64=0.270 +libdeflate-dev:amd64=1.14-1 +libdeflate0:amd64=1.14-1 +libdjvulibre-dev:amd64=3.5.28-2.2~deb12u1 +libdjvulibre-text=3.5.28-2.2~deb12u1 +libdjvulibre21:amd64=3.5.28-2.2~deb12u1 +libdpkg-perl=1.21.22 +libedit2:amd64=3.1-20221030-2 +libelf1:amd64=0.188-2.1 +liberror-perl=0.17029-2 +libevent-2.1-7:amd64=2.1.12-stable-8 +libevent-core-2.1-7:amd64=2.1.12-stable-8 +libevent-dev=2.1.12-stable-8 +libevent-extra-2.1-7:amd64=2.1.12-stable-8 +libevent-openssl-2.1-7:amd64=2.1.12-stable-8 +libevent-pthreads-2.1-7:amd64=2.1.12-stable-8 +libexif-dev:amd64=0.6.24-1+b1 +libexif12:amd64=0.6.24-1+b1 +libexpat1-dev:amd64=2.5.0-1+deb12u2 +libexpat1:amd64=2.5.0-1+deb12u2 +libext2fs2:amd64=1.47.0-2+b2 +libffi-dev:amd64=3.4.4-1 +libffi8:amd64=3.4.4-1 +libfftw3-double3:amd64=3.3.10-1 +libfido2-1:amd64=1.12.0-2+b1 +libfontconfig-dev:amd64=2.14.1-4 +libfontconfig1:amd64=2.14.1-4 +libfreetype-dev:amd64=2.12.1+dfsg-5+deb12u4 +libfreetype6-dev:amd64=2.12.1+dfsg-5+deb12u4 +libfreetype6:amd64=2.12.1+dfsg-5+deb12u4 +libfribidi0:amd64=1.0.8-2.1 +libgc1:amd64=1:8.2.2-3 +libgcc-12-dev:amd64=12.2.0-14+deb12u1 +libgcc-s1:amd64=12.2.0-14+deb12u1 +libgcrypt20:amd64=1.10.1-3 +libgdbm-compat4:amd64=1.23-3 +libgdbm-dev:amd64=1.23-3 +libgdbm6:amd64=1.23-3 
+libgdk-pixbuf-2.0-0:amd64=2.42.10+dfsg-1+deb12u3 +libgdk-pixbuf-2.0-dev:amd64=2.42.10+dfsg-1+deb12u3 +libgdk-pixbuf2.0-bin=2.42.10+dfsg-1+deb12u3 +libgdk-pixbuf2.0-common=2.42.10+dfsg-1+deb12u3 +libgirepository-1.0-1:amd64=1.74.0-3 +libglib2.0-0:amd64=2.74.6-2+deb12u8 +libglib2.0-bin=2.74.6-2+deb12u8 +libglib2.0-data=2.74.6-2+deb12u8 +libglib2.0-dev-bin=2.74.6-2+deb12u8 +libglib2.0-dev:amd64=2.74.6-2+deb12u8 +libgmp-dev:amd64=2:6.2.1+dfsg1-1.1 +libgmp10:amd64=2:6.2.1+dfsg1-1.1 +libgmpxx4ldbl:amd64=2:6.2.1+dfsg1-1.1 +libgnutls30:amd64=3.7.9-2+deb12u5 +libgomp1:amd64=12.2.0-14+deb12u1 +libgpg-error0:amd64=1.46-1 +libgprofng0:amd64=2.40-2 +libgraphite2-3:amd64=1.3.14-1 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u4 +libgssrpc4:amd64=1.20.1-2+deb12u4 +libharfbuzz0b:amd64=6.0.0+dfsg-3 +libheif1:amd64=1.15.1-1+deb12u1 +libhogweed6:amd64=3.8.1-2 +libice-dev:amd64=2:1.0.10-1 +libice6:amd64=2:1.0.10-1 +libicu-dev:amd64=72.1-3+deb12u1 +libicu72:amd64=72.1-3+deb12u1 +libidn2-0:amd64=2.3.3-1+b1 +libimath-3-1-29:amd64=3.1.6-1 +libimath-dev:amd64=3.1.6-1 +libisl23:amd64=0.25-1.1 +libitm1:amd64=12.2.0-14+deb12u1 +libjansson4:amd64=2.14-2 +libjbig-dev:amd64=2.1-6.1 +libjbig0:amd64=2.1-6.1 +libjpeg-dev:amd64=1:2.1.5-2 +libjpeg62-turbo-dev:amd64=1:2.1.5-2 +libjpeg62-turbo:amd64=1:2.1.5-2 +libk5crypto3:amd64=1.20.1-2+deb12u4 +libkadm5clnt-mit12:amd64=1.20.1-2+deb12u4 +libkadm5srv-mit12:amd64=1.20.1-2+deb12u4 +libkdb5-10:amd64=1.20.1-2+deb12u4 +libkeyutils1:amd64=1.6.3-2 +libkrb5-3:amd64=1.20.1-2+deb12u4 +libkrb5-dev:amd64=1.20.1-2+deb12u4 +libkrb5support0:amd64=1.20.1-2+deb12u4 +libksba8:amd64=1.6.3-2 +liblcms2-2:amd64=2.14-2 +liblcms2-dev:amd64=2.14-2 +libldap-2.5-0:amd64=2.5.13+dfsg-5 +liblerc-dev:amd64=4.0.0+ds-2 +liblerc4:amd64=4.0.0+ds-2 +libllvm14:amd64=1:14.0.6-12 +liblqr-1-0-dev:amd64=0.4.2-2.1 +liblqr-1-0:amd64=0.4.2-2.1 +liblsan0:amd64=12.2.0-14+deb12u1 +libltdl-dev:amd64=2.4.7-7~deb12u1 +libltdl7:amd64=2.4.7-7~deb12u1 +liblz4-1:amd64=1.9.4-1 +liblzma-dev:amd64=5.4.1-1 
+liblzma5:amd64=5.4.1-1 +liblzo2-2:amd64=2.10-2 +libmagic-mgc=1:5.44-3 +libmagic1:amd64=1:5.44-3 +libmagickcore-6-arch-config:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickcore-6-headers=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickcore-6.q16-6-extra:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickcore-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickcore-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickcore-dev=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickwand-6-headers=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickwand-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickwand-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u5 +libmagickwand-dev=8:6.9.11.60+dfsg-1.6+deb12u5 +libmariadb-dev-compat=1:10.11.14-0+deb12u2 +libmariadb-dev=1:10.11.14-0+deb12u2 +libmariadb3:amd64=1:10.11.14-0+deb12u2 +libmaxminddb-dev:amd64=1.7.1-1 +libmaxminddb0:amd64=1.7.1-1 +libmd0:amd64=1.0.4-2 +libmount-dev:amd64=2.38.1-5+deb12u3 +libmount1:amd64=2.38.1-5+deb12u3 +libmpc3:amd64=1.3.1-1 +libmpfr6:amd64=4.2.0-1 +libncurses-dev:amd64=6.4-4 +libncurses5-dev:amd64=6.4-4 +libncurses6:amd64=6.4-4 +libncursesw5-dev:amd64=6.4-4 +libncursesw6:amd64=6.4-4 +libnettle8:amd64=3.8.1-2 +libnghttp2-14:amd64=1.52.0-1+deb12u2 +libnpth0:amd64=1.6-3 +libnsl-dev:amd64=1.3.0-2 +libnsl2:amd64=1.3.0-2 +libnuma1:amd64=2.0.16-1 +libobjc-12-dev:amd64=12.2.0-14+deb12u1 +libobjc4:amd64=12.2.0-14+deb12u1 +libopenexr-3-1-30:amd64=3.1.5-5 +libopenexr-dev=3.1.5-5 +libopenjp2-7-dev:amd64=2.5.0-2+deb12u2 +libopenjp2-7:amd64=2.5.0-2+deb12u2 +libp11-kit0:amd64=0.24.1-2 +libpam-modules-bin=1.5.2-6+deb12u2 +libpam-modules:amd64=1.5.2-6+deb12u2 +libpam-runtime=1.5.2-6+deb12u2 +libpam0g:amd64=1.5.2-6+deb12u2 +libpango-1.0-0:amd64=1.50.12+ds-1 +libpangocairo-1.0-0:amd64=1.50.12+ds-1 +libpangoft2-1.0-0:amd64=1.50.12+ds-1 +libpcre2-16-0:amd64=10.42-1 +libpcre2-32-0:amd64=10.42-1 +libpcre2-8-0:amd64=10.42-1 +libpcre2-dev:amd64=10.42-1 +libpcre2-posix3:amd64=10.42-1 +libperl5.36:amd64=5.36.0-7+deb12u3 +libpixman-1-0:amd64=0.42.2-1 
+libpixman-1-dev:amd64=0.42.2-1 +libpkgconf3:amd64=1.8.1-1 +libpng-dev:amd64=1.6.39-2+deb12u1 +libpng16-16:amd64=1.6.39-2+deb12u1 +libpq-dev=15.15-0+deb12u1 +libpq5:amd64=15.15-0+deb12u1 +libproc2-0:amd64=2:4.0.2-3 +libprotobuf-dev:amd64=3.21.12-3 +libprotobuf-lite32:amd64=3.21.12-3 +libprotobuf32:amd64=3.21.12-3 +libprotoc32:amd64=3.21.12-3 +libpsl5:amd64=0.21.2-1 +libpthread-stubs0-dev:amd64=0.4-1 +libpython3-stdlib:amd64=3.11.2-1+b1 +libpython3.11-minimal:amd64=3.11.2-6+deb12u6 +libpython3.11-stdlib:amd64=3.11.2-6+deb12u6 +libquadmath0:amd64=12.2.0-14+deb12u1 +libreadline-dev:amd64=8.2-1.3 +libreadline8:amd64=8.2-1.3 +librsvg2-2:amd64=2.54.7+dfsg-1~deb12u1 +librsvg2-common:amd64=2.54.7+dfsg-1~deb12u1 +librsvg2-dev:amd64=2.54.7+dfsg-1~deb12u1 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 +libsasl2-2:amd64=2.1.28+dfsg-10 +libsasl2-modules-db:amd64=2.1.28+dfsg-10 +libseccomp2:amd64=2.5.4-1+deb12u1 +libselinux1-dev:amd64=3.4-1+b6 +libselinux1:amd64=3.4-1+b6 +libsemanage-common=3.4-1 +libsemanage2:amd64=3.4-1+b5 +libsepol-dev:amd64=3.4-2.1 +libsepol2:amd64=3.4-2.1 +libserf-1-1:amd64=1.3.9-11 +libsm-dev:amd64=2:1.2.3-1 +libsm6:amd64=2:1.2.3-1 +libsmartcols1:amd64=2.38.1-5+deb12u3 +libsqlite3-0:amd64=3.40.1-2+deb12u2 +libsqlite3-dev:amd64=3.40.1-2+deb12u2 +libss2:amd64=1.47.0-2+b2 +libssh2-1:amd64=1.10.0-3+b1 +libssl-dev:amd64=3.0.18-1~deb12u2 +libssl3:amd64=3.0.18-1~deb12u2 +libstdc++-12-dev:amd64=12.2.0-14+deb12u1 +libstdc++6:amd64=12.2.0-14+deb12u1 +libsvn1:amd64=1.14.2-4+deb12u1 +libsystemd0:amd64=252.39-1~deb12u1 +libtasn1-6:amd64=4.19.0-2+deb12u1 +libthai-data=0.1.29-1 +libthai0:amd64=0.1.29-1 +libtiff-dev:amd64=4.5.0-6+deb12u3 +libtiff6:amd64=4.5.0-6+deb12u3 +libtiffxx6:amd64=4.5.0-6+deb12u3 +libtinfo6:amd64=6.4-4 +libtirpc-common=1.3.3+ds-1 +libtirpc-dev:amd64=1.3.3+ds-1 +libtirpc3:amd64=1.3.3+ds-1 +libtool=2.4.7-7~deb12u1 +libtsan2:amd64=12.2.0-14+deb12u1 +libubsan1:amd64=12.2.0-14+deb12u1 +libudev1:amd64=252.39-1~deb12u1 +libunistring2:amd64=1.0-2 
+libutf8proc2:amd64=2.8.0-1 +libuuid1:amd64=2.38.1-5+deb12u3 +libwebp-dev:amd64=1.2.4-0.2+deb12u1 +libwebp7:amd64=1.2.4-0.2+deb12u1 +libwebpdemux2:amd64=1.2.4-0.2+deb12u1 +libwebpmux3:amd64=1.2.4-0.2+deb12u1 +libwmf-0.2-7:amd64=0.2.12-5.1 +libwmf-dev=0.2.12-5.1 +libwmflite-0.2-7:amd64=0.2.12-5.1 +libx11-6:amd64=2:1.8.4-2+deb12u2 +libx11-data=2:1.8.4-2+deb12u2 +libx11-dev:amd64=2:1.8.4-2+deb12u2 +libx265-199:amd64=3.5-2+b1 +libxau-dev:amd64=1:1.0.9-1 +libxau6:amd64=1:1.0.9-1 +libxcb-render0-dev:amd64=1.15-1 +libxcb-render0:amd64=1.15-1 +libxcb-shm0-dev:amd64=1.15-1 +libxcb-shm0:amd64=1.15-1 +libxcb1-dev:amd64=1.15-1 +libxcb1:amd64=1.15-1 +libxdmcp-dev:amd64=1:1.1.2-3 +libxdmcp6:amd64=1:1.1.2-3 +libxext-dev:amd64=2:1.3.4-1+b1 +libxext6:amd64=2:1.3.4-1+b1 +libxml2-dev:amd64=2.9.14+dfsg-1.3~deb12u5 +libxml2:amd64=2.9.14+dfsg-1.3~deb12u5 +libxrender-dev:amd64=1:0.9.10-1.1 +libxrender1:amd64=1:0.9.10-1.1 +libxslt1-dev:amd64=1.1.35-1+deb12u3 +libxslt1.1:amd64=1.1.35-1+deb12u3 +libxt-dev:amd64=1:1.2.1-1.1 +libxt6:amd64=1:1.2.1-1.1 +libxxhash0:amd64=0.8.1-1 +libyaml-0-2:amd64=0.2.5-1 +libyaml-dev:amd64=0.2.5-1 +libz3-4:amd64=4.8.12-3.1 +libzstd-dev:amd64=1.5.4+dfsg2-5 +libzstd1:amd64=1.5.4+dfsg2-5 +linux-libc-dev:amd64=6.1.159-1 +llvm-14-linker-tools=1:14.0.6-12 +login=1:4.13+dfsg1-1+deb12u2 +logsave=1.47.0-2+b2 +m4=1.4.19-3 +make=4.3-4.1 +mariadb-common=1:10.11.14-0+deb12u2 +mawk=1.3.4.20200120-3.1 +media-types=10.0.0 +mercurial-common=6.3.2-1+deb12u1 +mercurial=6.3.2-1+deb12u1 +mount=2.38.1-5+deb12u3 +musl-dev:amd64=1.2.3-1 +musl-tools=1.2.3-1 +musl:amd64=1.2.3-1 +mysql-common=5.8+1.1.0 +ncurses-base=6.4-4 +ncurses-bin=6.4-4 +netbase=6.4 +openssh-client=1:9.2p1-2+deb12u7 +openssl=3.0.18-1~deb12u2 +passwd=1:4.13+dfsg1-1+deb12u2 +patch=2.7.6-7 +perl-base=5.36.0-7+deb12u3 +perl-modules-5.36=5.36.0-7+deb12u3 +perl=5.36.0-7+deb12u3 +pinentry-curses=1.2.1-1 +pkg-config:amd64=1.8.1-1 +pkgconf-bin=1.8.1-1 +pkgconf:amd64=1.8.1-1 +procps=2:4.0.2-3 +protobuf-compiler=3.21.12-3 
+python3-distutils=3.11.2-3 +python3-lib2to3=3.11.2-3 +python3-minimal=3.11.2-1+b1 +python3.11-minimal=3.11.2-6+deb12u6 +python3.11=3.11.2-6+deb12u6 +python3=3.11.2-1+b1 +readline-common=8.2-1.3 +rpcsvc-proto=1.4.3-1 +sed=4.9-1 +sensible-utils=0.0.17+nmu1 +shared-mime-info=2.2-1 +sq=0.27.0-2+b1 +subversion=1.14.2-4+deb12u1 +sysvinit-utils=3.06-4 +tar=1.34+dfsg-1.2+deb12u1 +tzdata=2025b-0+deb12u2 +ucf=3.0043+nmu1+deb12u1 +unzip=6.0-28 +usr-is-merged=37~deb12u1 +util-linux-extra=2.38.1-5+deb12u3 +util-linux=2.38.1-5+deb12u3 +uuid-dev:amd64=2.38.1-5+deb12u3 +wget=1.21.3-1+deb12u1 +x11-common=1:7.7+23 +x11proto-core-dev=2022.1-1 +x11proto-dev=2022.1-1 +xorg-sgml-doctools=1:1.11-1.1 +xtrans-dev=1.4.0-1 +xz-utils=5.4.1-1 +zlib1g-dev:amd64=1:1.2.13.dfsg-1 +zlib1g:amd64=1:1.2.13.dfsg-1 diff --git a/verifier/builder/shared/config-qemu.sh b/verifier/builder/shared/config-qemu.sh deleted file mode 100755 index 94174a585..000000000 --- a/verifier/builder/shared/config-qemu.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -BUILD_DIR="$1" -PREFIX="$2" -if [ -z "$BUILD_DIR" ]; then - echo "Usage: $0 " - exit 1 -fi - -mkdir -p "$BUILD_DIR" -cd "$BUILD_DIR" - -export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) -export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" -export LDFLAGS="-Wl,--build-id=none" - -../configure \ - --prefix="$PREFIX" \ - --target-list=x86_64-softmmu \ - --disable-werror - -echo "" -echo "Build configured for reproducibility in $BUILD_DIR" -echo "To build, run: cd $BUILD_DIR && make" diff --git a/verifier/builder/shared/pin-packages.sh b/verifier/builder/shared/pin-packages.sh deleted file mode 100755 index aacef3138..000000000 --- a/verifier/builder/shared/pin-packages.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -set -e -PKG_LIST=$1 - -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20260317T000000Z bookworm main' > /etc/apt/sources.list -echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20260317T000000Z bookworm-security main' >> /etc/apt/sources.list -echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until - -mkdir -p /etc/apt/preferences.d -while IFS= read -r line; do - pkg=$(echo "$line" | cut -d= -f1) - ver=$(echo "$line" | cut -d= -f2) - if [ -n "$pkg" ] && [ -n "$ver" ]; then - printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages - fi -done < "$PKG_LIST" diff --git a/verifier/builder/shared/pinned-packages.txt b/verifier/builder/shared/pinned-packages.txt index 409c097cf..286103f56 100644 --- a/verifier/builder/shared/pinned-packages.txt +++ b/verifier/builder/shared/pinned-packages.txt @@ -42,7 +42,7 @@ libext2fs2:amd64=1.47.0-2 libffi8:amd64=3.4.4-1 libgcc-s1:amd64=12.2.0-14+deb12u1 libgcrypt20:amd64=1.10.1-3 -libglib2.0-0:amd64=2.74.6-2+deb12u7 +libglib2.0-0:amd64=2.74.6-2+deb12u8 libgmp10:amd64=2:6.2.1+dfsg1-1.1 libgnutls30:amd64=3.7.9-2+deb12u4 libgpg-error0:amd64=1.46-1 @@ -79,7 +79,7 @@ libslirp0:amd64=4.7.0-1 libsmartcols1:amd64=2.38.1-5+deb12u3 libss2:amd64=1.47.0-2 libssh2-1:amd64=1.10.0-3+b1 -libssl3:amd64=3.0.17-1~deb12u2 +libssl3:amd64=3.0.18-1~deb12u2 libstdc++6:amd64=12.2.0-14+deb12u1 libsystemd0:amd64=252.38-1~deb12u1 libtasn1-6:amd64=4.19.0-2+deb12u1 @@ -95,7 +95,7 @@ mawk=1.3.4.20200120-3.1 mount=2.38.1-5+deb12u3 ncurses-base=6.4-4 ncurses-bin=6.4-4 -openssl=3.0.17-1~deb12u2 +openssl=3.0.18-1~deb12u2 passwd=1:4.13+dfsg1-1+deb12u1 perl-base=5.36.0-7+deb12u2 sed=4.9-1 
diff --git a/verifier/builder/shared/qemu-pinned-packages.txt b/verifier/builder/shared/qemu-pinned-packages.txt index 1ae0d6b93..8cb00cf86 100644 --- a/verifier/builder/shared/qemu-pinned-packages.txt +++ b/verifier/builder/shared/qemu-pinned-packages.txt @@ -32,8 +32,8 @@ g++=4:12.2.0-3 gcc-12-base:amd64=12.2.0-14+deb12u1 gcc-12=12.2.0-14+deb12u1 gcc=4:12.2.0-3 -git-man=1:2.39.5-0+deb12u2 -git=1:2.39.5-0+deb12u2 +git-man=1:2.39.5-0+deb12u3 +git=1:2.39.5-0+deb12u3 gpgv=2.2.40-1.1 grep=3.8-5 gzip=1.12-1 @@ -51,7 +51,7 @@ libblkid-dev:amd64=2.38.1-5+deb12u3 libblkid1:amd64=2.38.1-5+deb12u3 libbrotli1:amd64=1.0.9-2+b6 libbz2-1.0:amd64=1.0.8-5+b1 -libc-bin=2.36-9+deb12u10 +libc-bin=2.36-9+deb12u13 libc-dev-bin=2.36-9+deb12u13 libc6-dev:amd64=2.36-9+deb12u13 libc6:amd64=2.36-9+deb12u13 @@ -69,7 +69,7 @@ libdebconfclient0:amd64=0.270 libdpkg-perl=1.21.22 libelf1:amd64=0.188-2.1 liberror-perl=0.17029-2 -libexpat1:amd64=2.5.0-1+deb12u1 +libexpat1:amd64=2.5.0-1+deb12u2 libext2fs2:amd64=1.47.0-2 libffi-dev:amd64=3.4.4-1 libffi8:amd64=3.4.4-1 @@ -78,11 +78,11 @@ libgcc-s1:amd64=12.2.0-14+deb12u1 libgcrypt20:amd64=1.10.1-3 libgdbm-compat4:amd64=1.23-3 libgdbm6:amd64=1.23-3 -libglib2.0-0:amd64=2.74.6-2+deb12u7 -libglib2.0-bin=2.74.6-2+deb12u7 -libglib2.0-data=2.74.6-2+deb12u7 -libglib2.0-dev-bin=2.74.6-2+deb12u7 -libglib2.0-dev:amd64=2.74.6-2+deb12u7 +libglib2.0-0:amd64=2.74.6-2+deb12u8 +libglib2.0-bin=2.74.6-2+deb12u8 +libglib2.0-data=2.74.6-2+deb12u8 +libglib2.0-dev-bin=2.74.6-2+deb12u8 +libglib2.0-dev:amd64=2.74.6-2+deb12u8 libgmp10:amd64=2:6.2.1+dfsg1-1.1 libgnutls30:amd64=3.7.9-2+deb12u4 libgomp1:amd64=12.2.0-14+deb12u1 @@ -126,7 +126,7 @@ libpcre2-32-0:amd64=10.42-1 libpcre2-8-0:amd64=10.42-1 libpcre2-dev:amd64=10.42-1 libpcre2-posix3:amd64=10.42-1 -libperl5.36:amd64=5.36.0-7+deb12u2 +libperl5.36:amd64=5.36.0-7+deb12u3 libpkgconf3:amd64=1.8.1-1 libpsl5:amd64=0.21.2-1 libpython3-stdlib:amd64=3.11.2-1+b1 
@@ -150,7 +150,7 @@ libsmartcols1:amd64=2.38.1-5+deb12u3 libsqlite3-0:amd64=3.40.1-2+deb12u2 libss2:amd64=1.47.0-2 libssh2-1:amd64=1.10.0-3+b1 -libssl3:amd64=3.0.17-1~deb12u2 +libssl3:amd64=3.0.18-1~deb12u2 libstdc++-12-dev:amd64=12.2.0-14+deb12u1 libstdc++6:amd64=12.2.0-14+deb12u1 libsystemd0:amd64=252.38-1~deb12u1 @@ -166,7 +166,7 @@ libunistring2:amd64=1.0-2 libuuid1:amd64=2.38.1-5+deb12u3 libxxhash0:amd64=0.8.1-1 libzstd1:amd64=1.5.4+dfsg2-5 -linux-libc-dev:amd64=6.1.148-1 +linux-libc-dev:amd64=6.1.164-1 login=1:4.13+dfsg1-1+deb12u1 logsave=1.47.0-2 m4=1.4.19-3 @@ -177,12 +177,12 @@ mount=2.38.1-5+deb12u3 ncurses-base=6.4-4 ncurses-bin=6.4-4 ninja-build=1.11.1-2~deb12u1 -openssl=3.0.17-1~deb12u2 +openssl=3.0.18-1~deb12u2 passwd=1:4.13+dfsg1-1+deb12u1 patch=2.7.6-7 -perl-base=5.36.0-7+deb12u2 -perl-modules-5.36=5.36.0-7+deb12u2 -perl=5.36.0-7+deb12u2 +perl-base=5.36.0-7+deb12u3 +perl-modules-5.36=5.36.0-7+deb12u3 +perl=5.36.0-7+deb12u3 pkg-config:amd64=1.8.1-1 pkgconf-bin=1.8.1-1 pkgconf:amd64=1.8.1-1 @@ -212,7 +212,7 @@ python3-snowballstemmer=2.2.0-2 python3-sphinx-rtd-theme=1.2.0+dfsg-1 python3-sphinx=5.3.0-4 python3-tz=2022.7.1-4 -python3-urllib3=1.26.12-1+deb12u1 +python3-urllib3=1.26.12-1+deb12u3 python3-wheel=0.38.4-2 python3.11-minimal=3.11.2-6+deb12u6 python3.11=3.11.2-6+deb12u6 From 53d7e949a938b99281c64c078044857a78f06161 Mon Sep 17 00:00:00 2001 
From: Kevin Wang Date: Fri, 20 Mar 2026 01:27:17 +0000 Subject: [PATCH 2/5] fix(ci): copy shared build scripts before docker build The CI workflows use docker/build-push-action directly (not build-image.sh), so shared scripts must be copied into each service's shared/ directory before building. Also update REUSE.toml for the renamed kms pinned-packages file, and remove the obsolete .GIT_REV file creation from kms workflows (now handled via Dockerfile ARG). --- .github/workflows/docker-build-check.yml | 14 ++++++++++++-- .github/workflows/gateway-release.yml | 3 +++ .github/workflows/kms-release.yml | 6 ++++-- .github/workflows/verifier-release.yml | 5 +++++ REUSE.toml | 2 +- 5 files changed, 25 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-build-check.yml b/.github/workflows/docker-build-check.yml index 623f6f829..aeaf386a2 100644 --- a/.github/workflows/docker-build-check.yml +++ b/.github/workflows/docker-build-check.yml @@ -19,8 +19,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Write GIT_REV - run: git rev-parse HEAD > kms/dstack-app/builder/.GIT_REV + - name: Copy shared build scripts + run: | + cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/ + cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/ - name: Build KMS Docker image uses: docker/build-push-action@v5 @@ -47,6 +49,9 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Copy shared build scripts + run: cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/ + - name: Build Gateway Docker image uses: docker/build-push-action@v5 with: @@ -65,6 +70,11 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Copy shared build scripts + run: | + cp build/shared/pin-packages.sh verifier/builder/shared/ + cp build/shared/config-qemu.sh verifier/builder/shared/ + - name: Build Verifier Docker image uses: docker/build-push-action@v5 with: 
diff --git a/.github/workflows/gateway-release.yml b/.github/workflows/gateway-release.yml index e983b89a0..43bc01da8 100644 --- a/.github/workflows/gateway-release.yml +++ b/.github/workflows/gateway-release.yml @@ -38,6 +38,9 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Copy shared build scripts + run: cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/ + - name: Get Git commit timestamps run: | echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV diff --git a/.github/workflows/kms-release.yml b/.github/workflows/kms-release.yml index b53843720..8982f4170 100644 --- a/.github/workflows/kms-release.yml +++ b/.github/workflows/kms-release.yml @@ -38,8 +38,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Write GIT_REV - run: git rev-parse HEAD > kms/dstack-app/builder/.GIT_REV + - name: Copy shared build scripts + run: | + cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/ + cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/ - name: Get Git commit timestamps run: | diff --git a/.github/workflows/verifier-release.yml b/.github/workflows/verifier-release.yml index a7a4d28dc..bb22a08c0 100644 --- a/.github/workflows/verifier-release.yml +++ b/.github/workflows/verifier-release.yml @@ -37,6 +37,11 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Copy shared build scripts + run: | + cp build/shared/pin-packages.sh verifier/builder/shared/ + cp build/shared/config-qemu.sh verifier/builder/shared/ + - name: Get Git commit timestamps run: | echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV diff --git a/REUSE.toml b/REUSE.toml index ef5b08ec1..3441a4112 100644 --- a/REUSE.toml +++ b/REUSE.toml 
@@ -32,7 +32,7 @@ path = [ "sdk/simulator/*.json", "sdk/go/go.sum", "sdk/go/ratls/go.sum", - "kms/dstack-app/builder/shared/kms-pinned-packages.txt", + "kms/dstack-app/builder/shared/builder-pinned-packages.txt", "kms/dstack-app/builder/shared/qemu-pinned-packages.txt", "gateway/dstack-app/builder/shared/builder-pinned-packages.txt", "gateway/dstack-app/builder/shared/pinned-packages.txt", From 74a1b1834467b4abc1ab8665f4bff280805ab1cb Mon Sep 17 00:00:00 2001 
From: Kevin Wang Date: Fri, 20 Mar 2026 02:12:21 +0000 Subject: [PATCH 3/5] fix: track shared scripts in git and add CI sync check Instead of gitignoring the per-service copies and copying them at build time, track them in git so `docker build` works standalone without build-image.sh. - Remove .gitignore files, track pin-packages.sh and config-qemu.sh in each service's shared/ directory - build-image.sh now verifies copies match build/shared/ (not copies) - CI: add check-shared-scripts job that fails if copies are out of sync - CI: remove manual copy steps (no longer needed) - CI: remove obsolete .GIT_REV file creation from kms workflows - CI: add DSTACK_SRC_URL build-arg to gateway workflows --- .github/workflows/docker-build-check.yml | 50 ++++++++++++++----- .github/workflows/gateway-release.yml | 3 -- .github/workflows/kms-release.yml | 5 -- .github/workflows/verifier-release.yml | 5 -- build/shared/build-lib.sh | 21 ++++++-- gateway/dstack-app/builder/build-image.sh | 2 +- gateway/dstack-app/builder/shared/.gitignore | 3 -- .../dstack-app/builder/shared/pin-packages.sh | 36 +++++++++++++ kms/dstack-app/builder/build-image.sh | 2 +- kms/dstack-app/builder/shared/.gitignore | 3 -- kms/dstack-app/builder/shared/config-qemu.sh | 28 +++++++++++ kms/dstack-app/builder/shared/pin-packages.sh | 36 +++++++++++++ verifier/builder/build-image.sh | 2 +- verifier/builder/shared/.gitignore | 3 -- verifier/builder/shared/config-qemu.sh | 28 +++++++++++ verifier/builder/shared/pin-packages.sh | 36 +++++++++++++ 16 files changed, 221 insertions(+), 42 deletions(-) delete mode 100644 gateway/dstack-app/builder/shared/.gitignore create mode 100755 gateway/dstack-app/builder/shared/pin-packages.sh delete mode 100644 kms/dstack-app/builder/shared/.gitignore create mode 100755 kms/dstack-app/builder/shared/config-qemu.sh create mode 100755 kms/dstack-app/builder/shared/pin-packages.sh delete mode 100644 verifier/builder/shared/.gitignore create mode 100755 
verifier/builder/shared/config-qemu.sh create mode 100755 verifier/builder/shared/pin-packages.sh diff --git a/.github/workflows/docker-build-check.yml b/.github/workflows/docker-build-check.yml index aeaf386a2..8dcdb1c6f 100644 --- a/.github/workflows/docker-build-check.yml +++ b/.github/workflows/docker-build-check.yml 
@@ -11,19 +11,47 @@ on: branches: [ master, next, dev-* ] jobs: + check-shared-scripts: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Verify shared build scripts are in sync + run: | + failed=false + for dir in gateway/dstack-app/builder/shared kms/dstack-app/builder/shared verifier/builder/shared; do + if ! diff -q build/shared/pin-packages.sh "$dir/pin-packages.sh" >/dev/null 2>&1; then + echo "ERROR: $dir/pin-packages.sh is out of sync with build/shared/pin-packages.sh" + failed=true + fi + done + for dir in kms/dstack-app/builder/shared verifier/builder/shared; do + if ! diff -q build/shared/config-qemu.sh "$dir/config-qemu.sh" >/dev/null 2>&1; then + echo "ERROR: $dir/config-qemu.sh is out of sync with build/shared/config-qemu.sh" + failed=true + fi + done + if [ "$failed" = "true" ]; then + echo "" + echo "Run the following to fix:" + echo " cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/" + echo " cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/" + echo " cp build/shared/pin-packages.sh verifier/builder/shared/" + echo " cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/" + echo " cp build/shared/config-qemu.sh verifier/builder/shared/" + exit 1 + fi + echo "All shared build scripts are in sync." + kms: runs-on: ubuntu-latest + needs: check-shared-scripts steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: | - cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/ - cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/ - - name: Build KMS Docker image uses: docker/build-push-action@v5 with: 
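Review bot: The new `check-shared-scripts` job gates only this workflow: the kms, gateway and verifier jobs here get `needs: check-shared-scripts`, while the gateway-release.yml, kms-release.yml and verifier-release.yml hunks of this patch only delete the copy step, so as far as the diff shows a release build uses whatever per-service copy of pin-packages.sh or config-qemu.sh is committed, with no sync check. Those scripts choose the APT source and the pins for images that are meant to be reproducible, so the same comparison should run before the release builds as well, ideally from one script under build/shared/ that this job and `check_shared_scripts` in build-lib.sh both call instead of two hand-maintained directory lists. In the loops, `>/dev/null 2>&1` also hides whether a copy differs or is missing; `cmp -s` plus a separate `[ -f "$dir/pin-packages.sh" ]` test would report the real cause. The kms job's steps continue outside the hunk.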
@@ -43,15 +71,13 @@ jobs: gateway: runs-on: ubuntu-latest + needs: check-shared-scripts steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/ - - name: Build Gateway Docker image uses: docker/build-push-action@v5 with: @@ -61,20 +87,17 @@ jobs: provenance: false build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} + DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} verifier: runs-on: ubuntu-latest + needs: check-shared-scripts steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: | - cp build/shared/pin-packages.sh verifier/builder/shared/ - cp build/shared/config-qemu.sh verifier/builder/shared/ - - name: Build Verifier Docker image uses: docker/build-push-action@v5 with: @@ -85,3 +108,4 @@ jobs: provenance: false build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} + DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} diff --git a/.github/workflows/gateway-release.yml b/.github/workflows/gateway-release.yml index 43bc01da8..e983b89a0 100644 --- a/.github/workflows/gateway-release.yml +++ b/.github/workflows/gateway-release.yml @@ -38,9 +38,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/ - - name: Get Git commit timestamps run: | echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV diff --git a/.github/workflows/kms-release.yml b/.github/workflows/kms-release.yml index 8982f4170..41959f715 100644 --- a/.github/workflows/kms-release.yml +++ b/.github/workflows/kms-release.yml 
@@ -38,11 +38,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: | - cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/ - cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/ - - name: Get Git commit timestamps run: | echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV diff --git a/.github/workflows/verifier-release.yml b/.github/workflows/verifier-release.yml index bb22a08c0..a7a4d28dc 100644 --- a/.github/workflows/verifier-release.yml +++ b/.github/workflows/verifier-release.yml @@ -37,11 +37,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Copy shared build scripts - run: | - cp build/shared/pin-packages.sh verifier/builder/shared/ - cp build/shared/config-qemu.sh verifier/builder/shared/ - - name: Get Git commit timestamps run: | echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV diff --git a/build/shared/build-lib.sh b/build/shared/build-lib.sh index 48ec84daa..cb89a1940 100755 --- a/build/shared/build-lib.sh +++ b/build/shared/build-lib.sh 
@@ -67,14 +67,27 @@ docker_build() { extract_packages "$image_name" "$pkg_list_file" } -# Copy shared build scripts into the local shared directory used by Dockerfile COPY. -sync_shared_scripts() { +# Verify that local copies of shared scripts match the canonical versions in build/shared/. +check_shared_scripts() { local dest_dir=$1 local need_qemu=${2:-false} + local canonical="$REPO_ROOT/build/shared" + local failed=false - cp "$REPO_ROOT/build/shared/pin-packages.sh" "$dest_dir/pin-packages.sh" + if ! diff -q "$canonical/pin-packages.sh" "$dest_dir/pin-packages.sh" &>/dev/null; then + echo "ERROR: $dest_dir/pin-packages.sh is out of sync with build/shared/pin-packages.sh" >&2 + echo " Run: cp build/shared/pin-packages.sh $dest_dir/" >&2 + failed=true + fi if [ "$need_qemu" = "true" ]; then - cp "$REPO_ROOT/build/shared/config-qemu.sh" "$dest_dir/config-qemu.sh" + if ! diff -q "$canonical/config-qemu.sh" "$dest_dir/config-qemu.sh" &>/dev/null; then + echo "ERROR: $dest_dir/config-qemu.sh is out of sync with build/shared/config-qemu.sh" >&2 + echo " Run: cp build/shared/config-qemu.sh $dest_dir/" >&2 + failed=true + fi + fi + if [ "$failed" = "true" ]; then + exit 1 fi } diff --git a/gateway/dstack-app/builder/build-image.sh b/gateway/dstack-app/builder/build-image.sh index 8f3d70594..1c9dc78d6 100755 --- a/gateway/dstack-app/builder/build-image.sh +++ b/gateway/dstack-app/builder/build-image.sh @@ -26,7 +26,7 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -sync_shared_scripts "$SHARED_DIR" +check_shared_scripts "$SHARED_DIR" touch "$SHARED_DIR/builder-pinned-packages.txt" touch "$SHARED_DIR/pinned-packages.txt" diff --git a/gateway/dstack-app/builder/shared/.gitignore b/gateway/dstack-app/builder/shared/.gitignore deleted file mode 100644 index eaf106ff1..000000000 --- a/gateway/dstack-app/builder/shared/.gitignore +++ /dev/null 
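Review bot: `check_shared_scripts` treats every non-zero status from `diff -q` as "out of sync" and discards its stderr with `&>/dev/null`, so a missing copy, or an empty `REPO_ROOT` that makes `$canonical` resolve to `/build/shared`, produces the same message and a `cp` hint that cannot work. I would test `[ -d "$canonical" ]` first and compare with `cmp -s -- "$canonical/pin-packages.sh" "$dest_dir/pin-packages.sh"`. The function also ends the calling shell with `exit 1`; since build-lib.sh is sourced, `return 1` with `check_shared_scripts "$SHARED_DIR" || exit 1` at the call sites leaves that decision to the caller. The header comment should also name the arguments (`$1` destination directory, `$2` set to `true` when config-qemu.sh is required) and say that the function reads `REPO_ROOT`.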
@@ -1,3 +0,0 @@ -# Copied from build/shared/ at build time by build-image.sh -pin-packages.sh -config-qemu.sh diff --git a/gateway/dstack-app/builder/shared/pin-packages.sh b/gateway/dstack-app/builder/shared/pin-packages.sh new file mode 100755 index 000000000..bb5bc6e27 --- /dev/null +++ b/gateway/dstack-app/builder/shared/pin-packages.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +# Pin APT packages to exact versions from a frozen Debian snapshot. +# Usage: pin-packages.sh +# +# This script: +# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources) +# 2. Reads package=version pairs from the given file and creates APT pin preferences +# with priority 1001 to force exact versions + +set -e + +PKG_LIST=$1 +SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z} + +if [ -z "$PKG_LIST" ]; then + echo "Usage: $0 " >&2 + exit 1 +fi + +echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list +echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list +echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until + +mkdir -p /etc/apt/preferences.d +while IFS= read -r line; do + pkg=$(echo "$line" | cut -d= -f1) + ver=$(echo "$line" | cut -d= -f2) + if [ -n "$pkg" ] && [ -n "$ver" ]; then + printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages + fi +done < "$PKG_LIST" diff --git a/kms/dstack-app/builder/build-image.sh b/kms/dstack-app/builder/build-image.sh index 7dbedf647..146699be2 100755 --- a/kms/dstack-app/builder/build-image.sh +++ b/kms/dstack-app/builder/build-image.sh 
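Review bot: In the added pin-packages.sh (the same file is added again under kms/dstack-app/builder/shared/ and verifier/builder/shared/ later in this patch), the two `deb` lines fetch over `http://` while validity checking is switched off in both sources.list and apt.conf.d, so the only integrity control left is APT's signature check against the keyring already in the base image, and an older but validly signed index would be accepted. As far as I know, a pin at priority 1001 selects a version but does not fail the install when that version is missing from the index, so a substituted index would only be noticed if a later step compares the installed set with the list. I would keep `https://` where the base image ships CA certificates, and reject an unexpected `SNAPSHOT_DATE` before it is written into sources.list, e.g. `case "$SNAPSHOT_DATE" in *[!0-9TZ]*) echo "invalid SNAPSHOT_DATE" >&2; exit 1;; esac`. The pin file is opened with `>>`, so a second run in the same layer duplicates every stanza; truncating it once before the loop avoids that.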
@@ -26,7 +26,7 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -sync_shared_scripts "$SHARED_DIR" true +check_shared_scripts "$SHARED_DIR" true touch "$SHARED_DIR/builder-pinned-packages.txt" touch "$SHARED_DIR/qemu-pinned-packages.txt" diff --git a/kms/dstack-app/builder/shared/.gitignore b/kms/dstack-app/builder/shared/.gitignore deleted file mode 100644 index eaf106ff1..000000000 --- a/kms/dstack-app/builder/shared/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -# Copied from build/shared/ at build time by build-image.sh -pin-packages.sh -config-qemu.sh diff --git a/kms/dstack-app/builder/shared/config-qemu.sh b/kms/dstack-app/builder/shared/config-qemu.sh new file mode 100755 index 000000000..94174a585 --- /dev/null +++ b/kms/dstack-app/builder/shared/config-qemu.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +BUILD_DIR="$1" +PREFIX="$2" +if [ -z "$BUILD_DIR" ]; then + echo "Usage: $0 " + exit 1 +fi + +mkdir -p "$BUILD_DIR" +cd "$BUILD_DIR" + +export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) +export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" +export LDFLAGS="-Wl,--build-id=none" + +../configure \ + --prefix="$PREFIX" \ + --target-list=x86_64-softmmu \ + --disable-werror + +echo "" +echo "Build configured for reproducibility in $BUILD_DIR" +echo "To build, run: cd $BUILD_DIR && make" diff --git a/kms/dstack-app/builder/shared/pin-packages.sh b/kms/dstack-app/builder/shared/pin-packages.sh new file mode 100755 index 000000000..bb5bc6e27 --- /dev/null +++ b/kms/dstack-app/builder/shared/pin-packages.sh 
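Review bot: The added config-qemu.sh (added again unchanged under verifier/builder/shared/ later in this patch) has no `set -e`, and `export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct)` hides a failing git behind the exit status of `export`, so configure would run with an empty `SOURCE_DATE_EPOCH` while the script still prints that the build is configured for reproducibility. Assign first and fail on error: `SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) || exit 1` followed by `export SOURCE_DATE_EPOCH`. Only `BUILD_DIR` is checked, so a missing second argument reaches configure as `--prefix=""`; `cd "$BUILD_DIR" || exit 1` and a `[ -z "$PREFIX" ]` test close the other two gaps. The usage line as shown prints no argument names and goes to stdout rather than stderr.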
@@ -0,0 +1,36 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +# Pin APT packages to exact versions from a frozen Debian snapshot. +# Usage: pin-packages.sh +# +# This script: +# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources) +# 2. Reads package=version pairs from the given file and creates APT pin preferences +# with priority 1001 to force exact versions + +set -e + +PKG_LIST=$1 +SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z} + +if [ -z "$PKG_LIST" ]; then + echo "Usage: $0 " >&2 + exit 1 +fi + +echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list +echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list +echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until + +mkdir -p /etc/apt/preferences.d +while IFS= read -r line; do + pkg=$(echo "$line" | cut -d= -f1) + ver=$(echo "$line" | cut -d= -f2) + if [ -n "$pkg" ] && [ -n "$ver" ]; then + printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages + fi +done < "$PKG_LIST" diff --git a/verifier/builder/build-image.sh b/verifier/builder/build-image.sh index 2e09ea1c5..ef43d8736 100755 --- a/verifier/builder/build-image.sh +++ b/verifier/builder/build-image.sh @@ -26,7 +26,7 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -sync_shared_scripts "$SHARED_DIR" true +check_shared_scripts "$SHARED_DIR" true mkdir -p "$SHARED_DIR" touch "$SHARED_DIR/builder-pinned-packages.txt" diff --git a/verifier/builder/shared/.gitignore b/verifier/builder/shared/.gitignore deleted file mode 100644 index eaf106ff1..000000000 --- a/verifier/builder/shared/.gitignore +++ /dev/null 
@@ -1,3 +0,0 @@ -# Copied from build/shared/ at build time by build-image.sh -pin-packages.sh -config-qemu.sh diff --git a/verifier/builder/shared/config-qemu.sh b/verifier/builder/shared/config-qemu.sh new file mode 100755 index 000000000..94174a585 --- /dev/null +++ b/verifier/builder/shared/config-qemu.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +BUILD_DIR="$1" +PREFIX="$2" +if [ -z "$BUILD_DIR" ]; then + echo "Usage: $0 " + exit 1 +fi + +mkdir -p "$BUILD_DIR" +cd "$BUILD_DIR" + +export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) +export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" +export LDFLAGS="-Wl,--build-id=none" + +../configure \ + --prefix="$PREFIX" \ + --target-list=x86_64-softmmu \ + --disable-werror + +echo "" +echo "Build configured for reproducibility in $BUILD_DIR" +echo "To build, run: cd $BUILD_DIR && make" diff --git a/verifier/builder/shared/pin-packages.sh b/verifier/builder/shared/pin-packages.sh new file mode 100755 index 000000000..bb5bc6e27 --- /dev/null +++ b/verifier/builder/shared/pin-packages.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: © 2025 Phala Network
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Pin APT packages to exact versions from a frozen Debian snapshot.
+# Usage: pin-packages.sh
+#
+# This script:
+# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources)
+# 2. Reads package=version pairs from the given file and creates APT pin preferences
+# with priority 1001 to force exact versions
+
+set -e
+
+PKG_LIST=$1
+SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z}
+
+if [ -z "$PKG_LIST" ]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list
+echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list
+echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until
+
+mkdir -p /etc/apt/preferences.d
+while IFS= read -r line; do
+ pkg=$(echo "$line" | cut -d= -f1)
+ ver=$(echo "$line" | cut -d= -f2)
+ if [ -n "$pkg" ] && [ -n "$ver" ]; then
+ printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages
+ fi
+done < "$PKG_LIST"
From dd642025e42952a03cd2b95dac473591d8a710ab Mon Sep 17 00:00:00 2001
From: Kevin Wang Date: Fri, 20 Mar 2026 02:22:17 +0000 Subject: [PATCH 4/5] ci: add pinned-packages drift detection after docker builds After each Docker image build, extract installed packages with dpkg -l and diff against the committed pinned-packages.txt files. Fails CI if Dockerfile changes cause package drift without regenerating the pinned lists. This catches the scenario where someone modifies a Dockerfile (e.g., adds a new apt package or updates the base image) but forgets to run build-image.sh to regenerate pinned-packages.txt. --- .github/workflows/docker-build-check.yml | 110 ++++++++++++++++++++--- build/shared/verify-pinned-packages.sh | 38 ++++++++ 2 files changed, 135 insertions(+), 13 deletions(-) create mode 100755 build/shared/verify-pinned-packages.sh diff --git a/.github/workflows/docker-build-check.yml b/.github/workflows/docker-build-check.yml index 8dcdb1c6f..0b5513990 100644 --- a/.github/workflows/docker-build-check.yml +++ b/.github/workflows/docker-build-check.yml @@ -43,7 +43,7 @@ jobs: fi echo "All shared build scripts are in sync." - kms: + gateway: runs-on: ubuntu-latest needs: check-shared-scripts steps: 
@@ -52,24 +52,40 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build KMS Docker image + - name: Build Gateway Docker image uses: docker/build-push-action@v5 with: - context: kms/dstack-app/builder + context: gateway/dstack-app/builder push: false - platforms: linux/amd64 + load: true + tags: dstack-gateway-check:latest provenance: false build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} - - name: Build KMS contracts + - name: Verify pinned packages run: | - cd kms/auth-eth - npm ci - npx hardhat compile + build/shared/verify-pinned-packages.sh dstack-gateway-check:latest \ + gateway/dstack-app/builder/shared/pinned-packages.txt - gateway: + - name: Build gateway-builder target + run: | + docker buildx build \ + --load \ + --target gateway-builder \ + --tag gateway-builder-check:latest \ + --provenance=false \ + --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ + --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ + gateway/dstack-app/builder + + - name: Verify builder pinned packages + run: | + build/shared/verify-pinned-packages.sh gateway-builder-check:latest \ + gateway/dstack-app/builder/shared/builder-pinned-packages.txt + + kms: runs-on: ubuntu-latest needs: check-shared-scripts steps: 
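Review bot: The new `Build gateway-builder target` step expands `${{ github.event.pull_request.head.sha || github.sha }}` and `${{ github.server_url }}/${{ github.repository }}` directly inside the `run:` script, so the values are pasted into the shell text before bash parses it. These values are constrained (a commit SHA and an owner/repo path), so this is hygiene rather than a known injection. Passing them through the step environment keeps the script text constant: add `env:` with `DSTACK_REV: ${{ github.event.pull_request.head.sha || github.sha }}` and use `--build-arg "DSTACK_REV=$DSTACK_REV"`, and likewise for `DSTACK_SRC_URL`. The `kms-builder`, `verifier-builder` and `acpi-builder` steps in the following hunks repeat the same pattern.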
@@ -78,17 +94,45 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build Gateway Docker image + - name: Build KMS Docker image uses: docker/build-push-action@v5 with: - context: gateway/dstack-app/builder + context: kms/dstack-app/builder push: false - platforms: linux/amd64 + load: true + tags: dstack-kms-check:latest provenance: false build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} + - name: Verify pinned packages (qemu stage) + run: | + build/shared/verify-pinned-packages.sh dstack-kms-check:latest \ + kms/dstack-app/builder/shared/qemu-pinned-packages.txt + + - name: Build kms-builder target + run: | + docker buildx build \ + --load \ + --target kms-builder \ + --tag kms-builder-check:latest \ + --provenance=false \ + --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ + --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ + kms/dstack-app/builder + + - name: Verify builder pinned packages + run: | + build/shared/verify-pinned-packages.sh kms-builder-check:latest \ + kms/dstack-app/builder/shared/builder-pinned-packages.txt + + - name: Build KMS contracts + run: | + cd kms/auth-eth + npm ci + npx hardhat compile + verifier: runs-on: ubuntu-latest needs: check-shared-scripts 
@@ -104,8 +148,48 @@ jobs: context: verifier file: verifier/builder/Dockerfile push: false - platforms: linux/amd64 + load: true + tags: dstack-verifier-check:latest provenance: false build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} + + - name: Verify pinned packages (runtime) + run: | + build/shared/verify-pinned-packages.sh dstack-verifier-check:latest \ + verifier/builder/shared/pinned-packages.txt + + - name: Build verifier-builder target + run: | + docker buildx build \ + --load \ + --target verifier-builder \ + --tag verifier-builder-check:latest \ + --provenance=false \ + --file verifier/builder/Dockerfile \ + --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ + --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ + verifier + + - name: Verify builder pinned packages + run: | + build/shared/verify-pinned-packages.sh verifier-builder-check:latest \ + verifier/builder/shared/builder-pinned-packages.txt + + - name: Build acpi-builder target + run: | + docker buildx build \ + --load \ + --target acpi-builder \ + --tag verifier-acpi-check:latest \ + --provenance=false \ + --file verifier/builder/Dockerfile \ + --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ + --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ + verifier + + - name: Verify qemu pinned packages + run: | + build/shared/verify-pinned-packages.sh verifier-acpi-check:latest \ + verifier/builder/shared/qemu-pinned-packages.txt diff --git a/build/shared/verify-pinned-packages.sh b/build/shared/verify-pinned-packages.sh new file mode 100755 index 000000000..69d03e0bb --- /dev/null +++ b/build/shared/verify-pinned-packages.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: © 2025 Phala Network
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Verify that installed packages in a Docker image match the committed
+# pinned-packages file. Detects when Dockerfile changes cause package
+# drift without regenerating the pinned-packages list.
+#
+# Usage: verify-pinned-packages.sh
+
+set -euo pipefail
+
+IMAGE=$1
+PKG_FILE=$2
+
+if [ -z "$IMAGE" ] || [ -z "$PKG_FILE" ]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+ACTUAL=$(docker run --rm --entrypoint bash "$IMAGE" \
+ -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort")
+
+EXPECTED=$(sort "$PKG_FILE")
+
+if [ "$ACTUAL" = "$EXPECTED" ]; then
+ echo "OK: packages in $IMAGE match $PKG_FILE"
+ exit 0
+fi
+
+echo "ERROR: packages in $IMAGE differ from $PKG_FILE" >&2
+echo "" >&2
+diff --unified <(echo "$EXPECTED") <(echo "$ACTUAL") >&2 || true
+echo "" >&2
+echo "Regenerate pinned packages by running the service's build-image.sh" >&2
+exit 1
From 0886f9835e83d232647d69f5adc28824131d4946 Mon Sep 17 00:00:00 2001
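Review bot: With `set -euo pipefail` in effect, `IMAGE=$1` and `PKG_FILE=$2` abort with an unbound-variable error when an argument is missing, so the usage branch below them is never reached in that case. Use `IMAGE=${1:-}` and `PKG_FILE=${2:-}` so the `-z` test does the reporting. Separately, `ACTUAL` is sorted inside the container and `EXPECTED` on the host. If the two locales collate differently, the comparison reports drift that is not there; `LC_ALL=C sort` on both sides would avoid that.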
From: Kevin Wang Date: Fri, 20 Mar 2026 02:34:34 +0000 Subject: [PATCH 5/5] refactor: use BuildKit --build-context to eliminate script copies Instead of copying pin-packages.sh and config-qemu.sh into each service's shared/ directory, use BuildKit's named build contexts (--build-context build-shared=build/shared) so Dockerfiles can directly COPY --from=build-shared. This means: - Scripts exist only in build/shared/ (single source of truth) - No copies to track, no sync checks needed - docker build works standalone with: --build-context build-shared=build/shared - build-image.sh passes it automatically via build-lib.sh - Each service's shared/ dir contains only pinned-packages data files --- .github/workflows/docker-build-check.yml | 45 +++++-------------- .github/workflows/gateway-release.yml | 2 + .github/workflows/kms-release.yml | 2 + .github/workflows/verifier-release.yml | 2 + build/shared/build-lib.sh | 26 +---------- gateway/dstack-app/builder/Dockerfile | 6 ++- gateway/dstack-app/builder/build-image.sh | 1 - .../dstack-app/builder/shared/pin-packages.sh | 36 --------------- kms/dstack-app/builder/Dockerfile | 6 ++- kms/dstack-app/builder/build-image.sh | 1 - kms/dstack-app/builder/shared/config-qemu.sh | 28 ------------ kms/dstack-app/builder/shared/pin-packages.sh | 36 --------------- verifier/builder/Dockerfile | 11 +++-- verifier/builder/build-image.sh | 1 - verifier/builder/shared/config-qemu.sh | 28 ------------ verifier/builder/shared/pin-packages.sh | 36 --------------- 16 files changed, 33 insertions(+), 234 deletions(-) delete mode 100755 gateway/dstack-app/builder/shared/pin-packages.sh delete mode 100755 kms/dstack-app/builder/shared/config-qemu.sh delete mode 100755 kms/dstack-app/builder/shared/pin-packages.sh delete mode 100755 verifier/builder/shared/config-qemu.sh delete mode 100755 verifier/builder/shared/pin-packages.sh 
diff --git a/.github/workflows/docker-build-check.yml b/.github/workflows/docker-build-check.yml index 0b5513990..0bd5cc189 100644 --- a/.github/workflows/docker-build-check.yml +++ b/.github/workflows/docker-build-check.yml @@ -11,41 +11,8 @@ on: branches: [ master, next, dev-* ] jobs: - check-shared-scripts: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Verify shared build scripts are in sync - run: | - failed=false - for dir in gateway/dstack-app/builder/shared kms/dstack-app/builder/shared verifier/builder/shared; do - if ! diff -q build/shared/pin-packages.sh "$dir/pin-packages.sh" >/dev/null 2>&1; then - echo "ERROR: $dir/pin-packages.sh is out of sync with build/shared/pin-packages.sh" - failed=true - fi - done - for dir in kms/dstack-app/builder/shared verifier/builder/shared; do - if ! diff -q build/shared/config-qemu.sh "$dir/config-qemu.sh" >/dev/null 2>&1; then - echo "ERROR: $dir/config-qemu.sh is out of sync with build/shared/config-qemu.sh" - failed=true - fi - done - if [ "$failed" = "true" ]; then - echo "" - echo "Run the following to fix:" - echo " cp build/shared/pin-packages.sh gateway/dstack-app/builder/shared/" - echo " cp build/shared/pin-packages.sh kms/dstack-app/builder/shared/" - echo " cp build/shared/pin-packages.sh verifier/builder/shared/" - echo " cp build/shared/config-qemu.sh kms/dstack-app/builder/shared/" - echo " cp build/shared/config-qemu.sh verifier/builder/shared/" - exit 1 - fi - echo "All shared build scripts are in sync." - gateway: runs-on: ubuntu-latest - needs: check-shared-scripts steps: - uses: actions/checkout@v4 @@ -60,6 +27,8 @@ jobs: load: true tags: dstack-gateway-check:latest provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} 
@@ -76,6 +45,7 @@ jobs: --target gateway-builder \ --tag gateway-builder-check:latest \ --provenance=false \ + --build-context build-shared=build/shared \ --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ gateway/dstack-app/builder @@ -87,7 +57,6 @@ jobs: kms: runs-on: ubuntu-latest - needs: check-shared-scripts steps: - uses: actions/checkout@v4 @@ -102,6 +71,8 @@ jobs: load: true tags: dstack-kms-check:latest provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} @@ -118,6 +89,7 @@ jobs: --target kms-builder \ --tag kms-builder-check:latest \ --provenance=false \ + --build-context build-shared=build/shared \ --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ kms/dstack-app/builder @@ -135,7 +107,6 @@ jobs: verifier: runs-on: ubuntu-latest - needs: check-shared-scripts steps: - uses: actions/checkout@v4 @@ -151,6 +122,8 @@ jobs: load: true tags: dstack-verifier-check:latest provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} @@ -168,6 +141,7 @@ jobs: --tag verifier-builder-check:latest \ --provenance=false \ --file verifier/builder/Dockerfile \ + --build-context build-shared=build/shared \ --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ verifier 
@@ -185,6 +159,7 @@ jobs: --tag verifier-acpi-check:latest \ --provenance=false \ --file verifier/builder/Dockerfile \ + --build-context build-shared=build/shared \ --build-arg "DSTACK_REV=${{ github.event.pull_request.head.sha || github.sha }}" \ --build-arg "DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}" \ verifier diff --git a/.github/workflows/gateway-release.yml b/.github/workflows/gateway-release.yml index e983b89a0..3f531aa1e 100644 --- a/.github/workflows/gateway-release.yml +++ b/.github/workflows/gateway-release.yml @@ -54,6 +54,8 @@ jobs: tags: ${{ vars.DOCKERHUB_ORG }}/dstack-gateway:${{ env.VERSION }} platforms: linux/amd64 provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ env.GIT_REV }} SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }} diff --git a/.github/workflows/kms-release.yml b/.github/workflows/kms-release.yml index 41959f715..0cbb86418 100644 --- a/.github/workflows/kms-release.yml +++ b/.github/workflows/kms-release.yml @@ -54,6 +54,8 @@ jobs: tags: ${{ vars.DOCKERHUB_ORG }}/dstack-kms:${{ env.VERSION }} platforms: linux/amd64 provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ env.GIT_REV }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }} diff --git a/.github/workflows/verifier-release.yml b/.github/workflows/verifier-release.yml index a7a4d28dc..98d752ff0 100644 --- a/.github/workflows/verifier-release.yml +++ b/.github/workflows/verifier-release.yml @@ -54,6 +54,8 @@ jobs: tags: ${{ vars.DOCKERHUB_ORG }}/dstack-verifier:${{ env.VERSION }} platforms: linux/amd64 provenance: false + build-contexts: | + build-shared=build/shared build-args: | DSTACK_REV=${{ env.GIT_REV }} DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}.git diff --git a/build/shared/build-lib.sh b/build/shared/build-lib.sh index cb89a1940..0f4565031 100755 --- a/build/shared/build-lib.sh +++ b/build/shared/build-lib.sh 
@@ -17,6 +17,7 @@ set -euo pipefail BUILDKIT_VERSION="v0.20.2" BUILDKIT_BUILDER="buildkit_20" +BUILD_SHARED_DIR="$REPO_ROOT/build/shared" ensure_buildkit() { if ! docker buildx inspect "$BUILDKIT_BUILDER" &>/dev/null; then @@ -47,6 +48,7 @@ docker_build() { --builder "$BUILDKIT_BUILDER" --progress=plain --output "type=docker,name=$image_name,rewrite-timestamp=true" + --build-context "build-shared=$BUILD_SHARED_DIR" --build-arg "SOURCE_DATE_EPOCH=$commit_timestamp" --build-arg "DSTACK_REV=$GIT_REV" --build-arg "DSTACK_SRC_URL=$DSTACK_SRC_URL" @@ -67,30 +69,6 @@ docker_build() { extract_packages "$image_name" "$pkg_list_file" } -# Verify that local copies of shared scripts match the canonical versions in build/shared/. -check_shared_scripts() { - local dest_dir=$1 - local need_qemu=${2:-false} - local canonical="$REPO_ROOT/build/shared" - local failed=false - - if ! diff -q "$canonical/pin-packages.sh" "$dest_dir/pin-packages.sh" &>/dev/null; then - echo "ERROR: $dest_dir/pin-packages.sh is out of sync with build/shared/pin-packages.sh" >&2 - echo " Run: cp build/shared/pin-packages.sh $dest_dir/" >&2 - failed=true - fi - if [ "$need_qemu" = "true" ]; then - if ! diff -q "$canonical/config-qemu.sh" "$dest_dir/config-qemu.sh" &>/dev/null; then - echo "ERROR: $dest_dir/config-qemu.sh is out of sync with build/shared/config-qemu.sh" >&2 - echo " Run: cp build/shared/config-qemu.sh $dest_dir/" >&2 - failed=true - fi - fi - if [ "$failed" = "true" ]; then - exit 1 - fi -} - # Verify that pinned-packages files haven't changed (idempotency check). check_clean_tree() { local check_path=$1 diff --git a/gateway/dstack-app/builder/Dockerfile b/gateway/dstack-app/builder/Dockerfile index ea7103091..7889c1f3b 100644 --- a/gateway/dstack-app/builder/Dockerfile +++ b/gateway/dstack-app/builder/Dockerfile 
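Review bot: `BUILD_SHARED_DIR="$REPO_ROOT/build/shared"` is evaluated when build-lib.sh is sourced, whereas the removed `check_shared_scripts` read `REPO_ROOT` only when called, so the library now depends on the caller assigning `REPO_ROOT` before the `source` line. The callers' source order is not visible in this patch; if any of them sets it afterwards, `set -u` stops the build with a bare unbound-variable message. `BUILD_SHARED_DIR="${REPO_ROOT:?set REPO_ROOT before sourcing build-lib.sh}/build/shared"` makes the requirement explicit. This directory also supplies pin-packages.sh to every image build through `--build-context`, so a one-line comment saying it must point inside the checked-out tree would help.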
@@ -3,7 +3,8 @@ # SPDX-License-Identifier: Apache-2.0 FROM rust:1.92.0@sha256:48851a839d6a67370c9dbe0e709bedc138e3e404b161c5233aedcf2b717366e4 AS gateway-builder -COPY ./shared /build +COPY --from=build-shared pin-packages.sh /build/ +COPY ./shared/*-pinned-packages.txt /build/ ARG DSTACK_REV ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git WORKDIR /build @@ -26,7 +27,8 @@ RUN cd dstack && cargo build --release -p dstack-gateway --target x86_64-unknown RUN echo "${DSTACK_REV}" > /build/.GIT_REV FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe -COPY ./shared /build +COPY --from=build-shared pin-packages.sh /build/ +COPY ./shared/pinned-packages.txt /build/ WORKDIR /build RUN ./pin-packages.sh ./pinned-packages.txt && \ apt-get update && \ diff --git a/gateway/dstack-app/builder/build-image.sh b/gateway/dstack-app/builder/build-image.sh index 1c9dc78d6..685e2019f 100755 --- a/gateway/dstack-app/builder/build-image.sh +++ b/gateway/dstack-app/builder/build-image.sh @@ -26,7 +26,6 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -check_shared_scripts "$SHARED_DIR" touch "$SHARED_DIR/builder-pinned-packages.txt" touch "$SHARED_DIR/pinned-packages.txt" diff --git a/gateway/dstack-app/builder/shared/pin-packages.sh b/gateway/dstack-app/builder/shared/pin-packages.sh deleted file mode 100755 index bb5bc6e27..000000000 --- a/gateway/dstack-app/builder/shared/pin-packages.sh +++ /dev/null 
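Review bot: `COPY --from=build-shared pin-packages.sh /build/` names a context that exists only when the caller passes `--build-context build-shared=...`, and nothing in the Dockerfile says so. A plain `docker build` of this directory finds no stage of that name and will try to resolve `build-shared` some other way (as an image reference, I believe) before failing, so where the pinning script comes from depends on how the build is invoked. I would add a comment above the first `FROM`: `# Build with: --build-context build-shared=<repo>/build/shared (see build/shared/build-lib.sh)`. The kms and verifier Dockerfiles changed later in this patch need the same comment.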
@@ -1,36 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -# Pin APT packages to exact versions from a frozen Debian snapshot. -# Usage: pin-packages.sh -# -# This script: -# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources) -# 2. Reads package=version pairs from the given file and creates APT pin preferences -# with priority 1001 to force exact versions - -set -e - -PKG_LIST=$1 -SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z} - -if [ -z "$PKG_LIST" ]; then - echo "Usage: $0 " >&2 - exit 1 -fi - -echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list -echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list -echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until - -mkdir -p /etc/apt/preferences.d -while IFS= read -r line; do - pkg=$(echo "$line" | cut -d= -f1) - ver=$(echo "$line" | cut -d= -f2) - if [ -n "$pkg" ] && [ -n "$ver" ]; then - printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages - fi -done < "$PKG_LIST" diff --git a/kms/dstack-app/builder/Dockerfile b/kms/dstack-app/builder/Dockerfile index 8a1243bbd..da88aef39 100644 --- a/kms/dstack-app/builder/Dockerfile +++ b/kms/dstack-app/builder/Dockerfile @@ -3,7 +3,8 @@ # SPDX-License-Identifier: Apache-2.0 FROM rust:1.92.0@sha256:48851a839d6a67370c9dbe0e709bedc138e3e404b161c5233aedcf2b717366e4 AS kms-builder -COPY ./shared /build +COPY --from=build-shared pin-packages.sh /build/ +COPY ./shared/*-pinned-packages.txt /build/ ARG DSTACK_REV ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git WORKDIR /build 
@@ -26,7 +27,8 @@ RUN cd dstack && cargo build --release -p dstack-kms --target x86_64-unknown-lin RUN echo "${DSTACK_REV}" > /build/.GIT_REV FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe -COPY ./shared /build +COPY --from=build-shared pin-packages.sh config-qemu.sh /build/ +COPY ./shared/qemu-pinned-packages.txt /build/ WORKDIR /build ARG QEMU_REV=dbcec07c0854bf873d346a09e87e4c993ccf2633 RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \ diff --git a/kms/dstack-app/builder/build-image.sh b/kms/dstack-app/builder/build-image.sh index 146699be2..73be520e9 100755 --- a/kms/dstack-app/builder/build-image.sh +++ b/kms/dstack-app/builder/build-image.sh @@ -26,7 +26,6 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -check_shared_scripts "$SHARED_DIR" true touch "$SHARED_DIR/builder-pinned-packages.txt" touch "$SHARED_DIR/qemu-pinned-packages.txt" diff --git a/kms/dstack-app/builder/shared/config-qemu.sh b/kms/dstack-app/builder/shared/config-qemu.sh deleted file mode 100755 index 94174a585..000000000 --- a/kms/dstack-app/builder/shared/config-qemu.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -BUILD_DIR="$1" -PREFIX="$2" -if [ -z "$BUILD_DIR" ]; then - echo "Usage: $0 " - exit 1 -fi - -mkdir -p "$BUILD_DIR" -cd "$BUILD_DIR" - -export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) -export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" -export LDFLAGS="-Wl,--build-id=none" - -../configure \ - --prefix="$PREFIX" \ - --target-list=x86_64-softmmu \ - --disable-werror - -echo "" -echo "Build configured for reproducibility in $BUILD_DIR" -echo "To build, run: cd $BUILD_DIR && make" 
diff --git a/kms/dstack-app/builder/shared/pin-packages.sh b/kms/dstack-app/builder/shared/pin-packages.sh deleted file mode 100755 index bb5bc6e27..000000000 --- a/kms/dstack-app/builder/shared/pin-packages.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -# Pin APT packages to exact versions from a frozen Debian snapshot. -# Usage: pin-packages.sh -# -# This script: -# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources) -# 2. Reads package=version pairs from the given file and creates APT pin preferences -# with priority 1001 to force exact versions - -set -e - -PKG_LIST=$1 -SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z} - -if [ -z "$PKG_LIST" ]; then - echo "Usage: $0 " >&2 - exit 1 -fi - -echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list -echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list -echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until - -mkdir -p /etc/apt/preferences.d -while IFS= read -r line; do - pkg=$(echo "$line" | cut -d= -f1) - ver=$(echo "$line" | cut -d= -f2) - if [ -n "$pkg" ] && [ -n "$ver" ]; then - printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages - fi -done < "$PKG_LIST" diff --git a/verifier/builder/Dockerfile b/verifier/builder/Dockerfile index 85226d7bb..b58c8cdcb 100644 --- a/verifier/builder/Dockerfile +++ b/verifier/builder/Dockerfile 
@@ -3,11 +3,12 @@ # SPDX-License-Identifier: Apache-2.0 FROM rust:1.92.0-bookworm@sha256:e90e846de4124376164ddfbaab4b0774c7bdeef5e738866295e5a90a34a307a2 AS verifier-builder -COPY builder/shared /build/shared +COPY --from=build-shared pin-packages.sh /build/ +COPY builder/shared/*-pinned-packages.txt /build/ ARG DSTACK_REV ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git WORKDIR /build -RUN ./shared/pin-packages.sh ./shared/builder-pinned-packages.txt +RUN ./pin-packages.sh ./builder-pinned-packages.txt RUN apt-get update && \ apt-get install -y --no-install-recommends \ git \ @@ -30,7 +31,8 @@ RUN cd dstack && cargo build --release -p dstack-verifier --target x86_64-unknow RUN echo "${DSTACK_REV}" > /build/.GIT_REV FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe AS acpi-builder -COPY builder/shared /build +COPY --from=build-shared pin-packages.sh config-qemu.sh /build/ +COPY builder/shared/qemu-pinned-packages.txt /build/ WORKDIR /build ARG QEMU_REV=dbcec07c0854bf873d346a09e87e4c993ccf2633 RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \ @@ -64,7 +66,8 @@ RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch dstack cd .. && rm -rf qemu-tdx FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe -COPY builder/shared /build +COPY --from=build-shared pin-packages.sh /build/ +COPY builder/shared/pinned-packages.txt /build/ WORKDIR /build RUN ./pin-packages.sh ./pinned-packages.txt && \ apt-get update && \ diff --git a/verifier/builder/build-image.sh b/verifier/builder/build-image.sh index ef43d8736..002a26e17 100755 --- a/verifier/builder/build-image.sh +++ b/verifier/builder/build-image.sh 
@@ -26,7 +26,6 @@ GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} ensure_buildkit -check_shared_scripts "$SHARED_DIR" true mkdir -p "$SHARED_DIR" touch "$SHARED_DIR/builder-pinned-packages.txt" diff --git a/verifier/builder/shared/config-qemu.sh b/verifier/builder/shared/config-qemu.sh deleted file mode 100755 index 94174a585..000000000 --- a/verifier/builder/shared/config-qemu.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -BUILD_DIR="$1" -PREFIX="$2" -if [ -z "$BUILD_DIR" ]; then - echo "Usage: $0 " - exit 1 -fi - -mkdir -p "$BUILD_DIR" -cd "$BUILD_DIR" - -export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) -export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" -export LDFLAGS="-Wl,--build-id=none" - -../configure \ - --prefix="$PREFIX" \ - --target-list=x86_64-softmmu \ - --disable-werror - -echo "" -echo "Build configured for reproducibility in $BUILD_DIR" -echo "To build, run: cd $BUILD_DIR && make" diff --git a/verifier/builder/shared/pin-packages.sh b/verifier/builder/shared/pin-packages.sh deleted file mode 100755 index bb5bc6e27..000000000 --- a/verifier/builder/shared/pin-packages.sh +++ /dev/null 
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-# SPDX-FileCopyrightText: © 2025 Phala Network
-#
-# SPDX-License-Identifier: Apache-2.0
-
-# Pin APT packages to exact versions from a frozen Debian snapshot.
-# Usage: pin-packages.sh
-#
-# This script:
-# 1. Points APT at a frozen snapshot.debian.org mirror (reproducible package sources)
-# 2. Reads package=version pairs from the given file and creates APT pin preferences
-# with priority 1001 to force exact versions
-
-set -e
-
-PKG_LIST=$1
-SNAPSHOT_DATE=${SNAPSHOT_DATE:-20260317T000000Z}
-
-if [ -z "$PKG_LIST" ]; then
- echo "Usage: $0 " >&2
- exit 1
-fi
-
-echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE} bookworm main" > /etc/apt/sources.list
-echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${SNAPSHOT_DATE} bookworm-security main" >> /etc/apt/sources.list
-echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until
-
-mkdir -p /etc/apt/preferences.d
-while IFS= read -r line; do
- pkg=$(echo "$line" | cut -d= -f1)
- ver=$(echo "$line" | cut -d= -f2)
- if [ -n "$pkg" ] && [ -n "$ver" ]; then
- printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages
- fi
-done < "$PKG_LIST"