New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Autobuild support #10
Conversation
I realise I haven't updated the main README yet, but I'd like to get some initial feedback on this first. |
After some thinking, I'm not really convinced that this is a good idea, because:
|
Hey @attilaolah, I've been thinking about this (but haven't had time to act much). My thoughts are:
Let me know if you have any other thoughts. Feel free to move this discussion to gentoo-containers@lists.gentoo.org if you feel it's appropriate. |
I hear you. I can add my own All other points should already be doable with the current branch. I'll mention this on the mailing list or the IRC channel some time tonight. |
ADD stage3-amd64-hardened.tar.xz / | ||
|
||
# Setup the (virtually) current runlevel | ||
RUN echo "default" > /run/openrc/softlevel |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought the recent stage3 tarballs come with systemd (and no openrc).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, the default RC system is–and probably will be for some time–openrc.
Why would we have a tarred version of buxybox rather than a statically linked version? What's missing from the busybox base image to require us to build our own? We can validate the build process by creating a checksum that shouldn't change between builds. Thus, a person can validate this source gives me the given binary (all they could do anyway). |
The busybox base image is not statically linked, it is dynamically linked. Moreover, the base directory layout in the busybox base image has the
This makes it impossible to unpack the tarball, without "swapping" the directories first. But with only a dynamically linked busybox in This, in short, is why we need a statically built busybox to start with. Also, our busybox does not have the |
Aah. You mean, why don't we just build a statically linked
Let me make those changes & rebase this branch. |
OK, this still needs a rebase, but there is no intermediate busybox image any more. However, there are still a few quirks:
|
commit 8406999 Author: Attila Oláh <attilaolah@gmail.com> Date: Wed Jan 21 19:41:48 2015 +0100 rm unused udhcpd.conf commit 3d56f22 Author: Attila Oláh <attilaolah@gmail.com> Date: Wed Jan 21 19:25:32 2015 +0100 rm unused busybox dir commit 11f24b2 Author: Attila Oláh <attilaolah@gmail.com> Date: Wed Jan 21 19:25:06 2015 +0100 modify amd64 and amd64-hardened to include the busybox binary commit ecefbcf Author: Attila Oláh <attilaolah@gmail.com> Date: Wed Jan 21 18:51:43 2015 +0100 add a busybox binary commit 9c33d1f Author: Attila Oláh <attilaolah@gmail.com> Date: Mon Jan 19 00:28:26 2015 +0100 fix a typo in the build script commit 52a1e98 Author: Attila Oláh <attilaolah@gmail.com> Date: Mon Jan 19 00:07:32 2015 +0100 add autobuild script for amd64-hardened based on amd64 commit e57e92c Author: Attila Oláh <attilaolah@gmail.com> Date: Mon Jan 19 00:03:58 2015 +0100 add autobuild script for amd64
Sounds good. Let's put your changes into |
Submodule sounds good. Build script will be a bit tricky ( I'm a bit busy right now with the @gophergala going on, but I'll move around the files on Monday. Thanks so much for the feedback, hoping to get this working soon! |
No rush, get to it when you can. Why do we need to use crossdev to build busybox? |
Because we need one that is statically linked against something other than GNU libc. I used uClibc, but musl would probably also work. I don't know how to do that without crossdev. |
We can use official latest binary (statically linked) from http://www.busybox.net/downloads/binaries/latest/ |
Actually, we could. Let me update this PR. |
Those binaries look really outdated to me; 2013...
|
That's not a problem as long as they work. We only need them to unpack the stage3 tarball, which would contain a newer busybox anyway, which we can use to replace this old one. |
+1 @attilaolah |
Ah, that makes sense. 👍
|
OK my first tests have shown that the "official" binaries work. We should just stick to them for the initial unpacking stage then. I'll update this PR. Unfortunately however, it seems we will still need to "vendor" those binaries here in the repo to have the autobuilds working. If I do this in the Dockerfile:
…I don't get the right file permissions, the binary will not be executable. And we have no If I do this:
…it still won't work because recent Docker versions will not unpack archives coming from remote locations. Bummer. I'll follow @alunduil's suggestions and put the binary under something like I'll also drop the hardened changes from this PR to make things simpler so we can finally move forward with this. |
@attilaolah I have managed to overcome this. I will do another PR. It might be easier to look at. |
Thanks @ChaosEngine — let's see what you have 😄 |
@attilaolah, can you see how this work merges with @ChaosEngine's work and update this pull request appropriately? Thanks. |
I've changed the way the images are build, so this is not required anymore. |
This adds autobuild support for
amd64
andamd64-hardened
. To achieve this, the images are no longer based ondraft
, they are based on a simple busybox build now,gentoo/busybox
. That image still needs to be built manually. See the new README file for details.Note that the Busybox is built for
amd64
(~amd64
to be precise), so the naming might have to change if we plan on supporting docker images on other architectures.Also note that currently the stage tarballs are not verified against their signature — we are basically trusting the mirror, which might not be suitable for all.