Determine exact SBOM for building a single JDK linux library using strace #2813
Comments
Hi, I've been working on this and followed https://github.com/adoptium/temurin-build/blob/master/docker/dockerfile-generator.sh for building. I've seen the following output from my terminal, but there are no images output in the /termurin-build/workspace/target. May I ask if the above docker guide should produce such a result? Thanks!
hi @JeromeJu - Andrew added this wiki page https://github.com/adoptium/temurin-build/wiki/Building-OpenJDK-using-temurin-build-scripts-within-the-adopt-build-docker-container to give guidance.
hi @JeromeJu the dockerfile-generator.sh script is used to produce docker images on dockerhub, not for building openjdk. As Shelley pointed you to, I wrote the above wiki guide.
@JeromeJu i've just tried using strace in a docker container and it does seem to work, eg:
Thanks for the wiki and the pointers @andrew-m-leonard! Finally got through the longest local build in my life :) Following on the steps, I'd like to check my understanding regarding Thanks!
To be clear, the above statement is not correct - those dockerfiles are for producing a build environment suitable for building OpenJDK - you can see that from the prerequisites that it puts in :-)
Yeah that's correct as you've confirmed. I think it's possible to work around it but I don't have the process to hand. I've only ever used it running on a native machine. If you can create a VM and set it up with the playbooks that would allow the use of
running it on my local machine: RHEL8 amd64
Excellent. So we need to categorize all those as to what "pkg" or component they are part of? That would need defining in an sbom build dependency...
I am thinking of doing a test in the docker image (889fd9bd7658 docker.io/adoptopenjdk/alpine3_build_image:latest) as well (so we are certain both my local machine and container can run the same command), e.g.
image docker.io/adoptopenjdk/centos6_build_image does not work with jdk18 using docker.io/adoptopenjdk/alpine3_build_image.
or
so the packages we need are
a full build on my local RHEL generates 59637 strace files.
what if some tools are not installed by rpm?
Looks like the only one in that last which is unaccounted for is
3 strace files marked with ruamel.yaml. one example strace.txt
In a new container with both strace run on "configure" and "make" commands:
packages from both result files
files not found by "apk" from both result files:
We could add to the generate SBOM script on Linux a function to generate the SBOM "build tools" for this set:
See: #3104 (comment)
strace dpkg scripting: #3104 (comment)
The above scripting provides the necessary detail. #3104 (comment)
A reproducible build investigation task to determine what the complete input bill of materials is for building just a single native library.
For this task I suggest using a base library, eg. libnet.so, and determine the complete source, tooling input to re-build just that library.
The task would involve something along the lines of:
bash configure --with-source-date=version
make images
touch src/java.base/share/native/libnet/*
follow instructions here: Prototype "Reproducible Build" using current available Adopt jenkins job & infra framework and "build info" #2594 (comment)
Determine packagelist.txt and filesnotinpackage.txt
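An added example (not code from this issue or from the temurin-build project) of the last step in the task above: it parses strace output for files that were successfully opened or executed and splits them into the packagelist.txt and filesnotinpackage.txt sets. The sample trace lines, the package names and the helper names are constructed; `rpm -qf` is assumed as the owner lookup, and `apk info --who-owns` or `dpkg -S` would take its place on Alpine or Debian.

```python
import re
import subprocess

# Constructed per-process trace lines in strace's "syscall(args) = ret" form.
SAMPLE_STRACE = '''\
execve("/usr/bin/gcc", ["gcc", "-c", "net_util.c"], 0x7ffd /* 30 vars */) = 0
openat(AT_FDCWD, "/usr/local/include/stdio.h", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_NOCTTY) = 4
open("/usr/include/stdio.h", O_RDONLY) = 5
openat(AT_FDCWD, "/opt/bootjdk/bin/javac", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "src/java.base/share/native/libnet/net_util.c", O_RDONLY) = 3
'''
# Constructed stand-in for the package database, so the example runs offline.
SAMPLE_OWNERS = {"/usr/bin/gcc": "gcc-8.5.0-1.el8.x86_64",
                 "/usr/include/stdio.h": "glibc-headers-2.28-1.el8.x86_64"}

SYSCALL = re.compile(
    r'\b(?:execve|openat|open)\((?:\w+, )?"((?:[^"\\]|\\.)*)".*\)\s+=\s+(-?\d+)')

def accessed_files(strace_text):
    """Absolute paths that were opened or executed successfully (ret >= 0)."""
    paths = set()
    for line in strace_text.splitlines():
        m = SYSCALL.search(line)
        # Failed lookups (e.g. ENOENT on an include search path) are not inputs.
        # Relative paths depend on the traced process's cwd and are skipped here.
        if m and int(m.group(2)) >= 0 and m.group(1).startswith("/"):
            paths.add(m.group(1))
    return sorted(paths)

def rpm_owner(path):
    """Owning package(s) from `rpm -qf`, or None when no package owns the file."""
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def classify(paths, owner=rpm_owner):
    """Split paths into (sorted package names, files owned by no package)."""
    packages, unowned = set(), []
    for path in paths:
        pkg = owner(path)
        if pkg:
            packages.update(pkg.splitlines())
        else:
            unowned.append(path)
    return sorted(packages), unowned

if __name__ == "__main__":
    pkgs, unowned = classify(accessed_files(SAMPLE_STRACE), SAMPLE_OWNERS.get)
    print("packagelist.txt:", pkgs)
    print("filesnotinpackage.txt:", unowned)
```

Files that end up in the second set, such as a boot JDK unpacked from a tarball, have no package record and need their own version or checksum entry in the SBOM.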