wip: l2 images #42
wip: l2 images #42
Conversation
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
e58ab4b to
447a823
Compare
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
d26faee to
145218b
Compare
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
0e37839 to
e85b24d
Compare
0x416e746f6e
force-pushed
the
trunk/l2
branch
7 times, most recently
from
1127cde to
dbaeecc
Compare
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
dbaeecc to
427002a
Compare
Prior to this commit, env_wrapper's 'setup_lima' command would only work for Linux because it uses the 'nproc' and 'free' shell commands, which do not exist on Mac. Now, the script detects the platform and uses the appropriate shell commands
…mands fix: fix setup_lima when run on a mac
| cd "$build_dir" | ||
| cp "$config_file" .config | ||
| export KBUILD_BUILD_TIMESTAMP="$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%s)})" | ||
| export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$(git log -1 --pretty=%ct))" |
There was a problem hiding this comment.
We should probably just hard code it to zero
There was a problem hiding this comment.
I believe pinning the timestamps to the commit one is a standard practice
| mkosi-chroot --chdir "/build/kernel-${KERNEL_VERSION}" make -j "$(nproc 2>/dev/null || echo 2)" bzImage ARCH=x86_64 CONFIG_EFI_STUB=y | ||
|
|
||
| echo "# kernel config:" | ||
| mkosi-chroot --chdir "/build/kernel-${KERNEL_VERSION}" cat .config |
There was a problem hiding this comment.
this snippet was necessary to understand what's going on with non-reproducible builds of the kernel under ubuntu kernel config.
can be removed now, I guess.
There was a problem hiding this comment.
What's the purpose of this?
There was a problem hiding this comment.
to make sure that /etc/sysconfig directory is always present (vault-agent renders some of the secrets into the envs of the systemd services)
There was a problem hiding this comment.
We don't need this in buildernet/l2 stuff at the moment, AFAIU, defer question to @0x416e746f6e
There was a problem hiding this comment.
They both have their own persistent mounting specifics
There was a problem hiding this comment.
it's not in use in l2
| @@ -0,0 +1,14 @@ | |||
| rust: | |||
There was a problem hiding this comment.
When we just grab rust from debian backports this wont be necessary. I'll take care of it.
There was a problem hiding this comment.
we would still need a way to pin rust version somehow per image type (backports or not).
|
|
||
| BuildPackages=golang | ||
| libssl-dev | ||
| rustup |
There was a problem hiding this comment.
Switch to backports rust, I'll take care of this
There was a problem hiding this comment.
yes, just pls make it possible to use different versions of rust on different image kinds.
| # | ||
| # rendered by vault-agent/gomplate | ||
| # | ||
| [[- range ( ( gcp.Meta "attributes/ssh-keys" ) | strings.Split "\n" ) ]] |
There was a problem hiding this comment.
Isn't allowing ppl to SSH in a security risk?
There was a problem hiding this comment.
it is.
however this line makes sure that the keys are rendered only on the image built with dev profile. so, we are ok on prod images.
and on dev images, well we already allow anyone with console access in + use predefined root password. I don't think that (secret and non public) ssh keys added by vault-agent are making it any worse security-wise here.
|
|
||
| # Limit root filesystem size to 4GB | ||
|
|
||
| mkosi-chroot sed -i '1a mount -o remount,size=4G /' /init |
There was a problem hiding this comment.
I feel like this should be an L2 or op_rbuilder postinst thing, not a GCP postinst thing
There was a problem hiding this comment.
since some images may have filesystems larger than 4GB
(move snippets around to the right places)
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
62da9c3 to
e7954c7
Compare
(cherry picked from commit ea20da4)
0x416e746f6e
force-pushed
the
trunk/l2
branch
from
ea20da4 to
cf2f4b2
Compare
L2 nondeterminism fixes
4 participants
implement scripts for l2 workloads building