[eve-kernel-arm64-v5.10.192-nvidia-jp5] Backport #228 #229#232
Conversation
Replace the single release-download-only linuxkit path with a two-mode
acquisition mechanism:
1. LINUXKIT_GIT_URL + LINUXKIT_GIT_REF (commit hash) — clone the repo
at the pinned commit and build the binary. The short SHA is used as
the versioned binary name (/tmp/linuxkit-<sha12>) so make skips the
clone+build if the binary already exists.
2. LINUXKIT_GIT_URL unset (default) — download the upstream release
binary, same as before.
Both LINUXKIT_GIT_URL and LINUXKIT_GIT_REF default to empty so existing
CI behaviour is unchanged until the pin commit is added on top.
Drop the manual buildkit builder management: remove BUILD_KIT_VERSION,
BUILD_KIT_BUILDER, and the ensure-builder target entirely. Current
linuxkit creates and manages the builder container automatically when
needed, so pre-creating it is no longer required. Remove the
--builder= flag from docker buildx build and the | ensure-builder
order-only prerequisite from kernel-build-%.
Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Set LINUXKIT_GIT_URL and LINUXKIT_GIT_REF to build linuxkit from a pinned upstream commit rather than downloading a release binary. Pinned to the same commit used by the EVE repo (mk/linuxkit.mk): https://github.com/linuxkit/linuxkit @ 3bf33c3a11fc Update by running: git ls-remote https://github.com/linuxkit/linuxkit master Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Switch kernel-build-% from docker buildx build to linuxkit pkg build. linuxkit pkg build manages its own moby/buildkit builder container automatically, avoiding the docker-driver limitation that prevented --sbom=true from working after ensure-builder was removed. The OCI tarball intermediate file is also eliminated — linuxkit pkg build writes directly to the linuxkit content-addressable cache, from which the existing push-image-% target already reads. Add build.yml with org/image descriptor required by linuxkit pkg build. Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
- actions/checkout: v3 -> v6.0.2 (de0fac2e4500dabe0009e67214ff5f5447ce83dd) - docker/login-action: v3 -> v4.0.0 (b45d80f862d83dbcd57f89517bcf500b2ab88fb2) Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
- Replace nuclear 'docker system prune -af' and 'docker volume prune -af' with targeted removal of only the image we just built - Add clean-gcc/clean-clang Makefile targets that remove specific image from both linuxkit cache and docker - Add BuildKit cache pruning with configurable quota via BUILDKIT_KEEP_STORAGE_MB env var (defaults to 32000 MB) to prevent unbounded disk growth - Print BuildKit disk usage before pruning for diagnostics - Use buildctl inside linuxkit-builder container for cache management - Add pr-build.yml for PR builds (on: pull_request) - Restructure publish.yml for push-only trigger - Remove unnecessary Docker Hub login from PR builds Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
There was a problem hiding this comment.
Pull request overview
Backports build-tooling and CI improvements from other eve-kernel branches into the eve-kernel-arm64-v5.10.192-nvidia-jp5 branch, primarily switching kernel builds to linuxkit pkg build and updating GitHub Actions workflows to preserve BuildKit cache across runs.
Changes:
- Update
Makefile.eveto acquirelinuxkitvia pinned-commit build or release download, and build kernels withlinuxkit pkg buildinstead ofdocker buildx build. - Add
build.ymlrequired bylinuxkit pkg build. - Split CI into
pr-build.yml(PR build-only) andpublish.yml(push build+push), with targeted cleanup and BuildKit cache pruning.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Makefile.eve | Switches kernel build to linuxkit pkg build, adds linuxkit acquisition logic, and introduces targeted clean targets. |
| build.yml | Adds linuxkit build metadata required for linuxkit pkg build. |
| .github/workflows/publish.yml | Push-only workflow to build, push, and perform targeted cleanup/pruning on runner-xl. |
| .github/workflows/pr-build.yml | PR workflow to build (no push/login) and perform targeted cleanup/pruning on runner-xl. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # (reproducible, no network call at parse time). | ||
| # Update the hash by running: git ls-remote https://github.com/linuxkit/linuxkit master | ||
| # Leave LINUXKIT_GIT_URL unset (default) to use the release binary. | ||
| LINUXKIT_GIT_URL ?= https://github.com/linuxkit/linuxkit |
There was a problem hiding this comment.
The comment says leaving LINUXKIT_GIT_URL unset (default) uses the release binary, but LINUXKIT_GIT_URL ?= https://github.com/linuxkit/linuxkit makes the default non-empty and forces the pinned-commit build path. Either update the comment to reflect the actual default, or change the default so the release-download path is truly the default.
| LINUXKIT_GIT_URL ?= https://github.com/linuxkit/linuxkit | |
| LINUXKIT_GIT_URL ?= |
| @tmp=$$(mktemp -d) && \ | ||
| git clone --filter=blob:none $(LINUXKIT_GIT_URL) $$tmp && \ | ||
| git -C $$tmp checkout $(LINUXKIT_GIT_REF) && \ | ||
| $(MAKE) -C $$tmp local-build LOCAL_TARGET=$(abspath $@) && \ | ||
| rm -rf $$tmp |
There was a problem hiding this comment.
The temp dir created for building linuxkit is only removed if all commands succeed (because it’s chained with &&). If clone/build fails, the directory will be left behind in /tmp. Consider using a shell trap (or otherwise ensuring cleanup on error) so failed builds don’t leak temp directories on runners.
| @tmp=$$(mktemp -d) && \ | |
| git clone --filter=blob:none $(LINUXKIT_GIT_URL) $$tmp && \ | |
| git -C $$tmp checkout $(LINUXKIT_GIT_REF) && \ | |
| $(MAKE) -C $$tmp local-build LOCAL_TARGET=$(abspath $@) && \ | |
| rm -rf $$tmp | |
| @tmp=$$(mktemp -d); \ | |
| trap 'rm -rf "$$tmp"' EXIT INT TERM HUP; \ | |
| git clone --filter=blob:none $(LINUXKIT_GIT_URL) $$tmp && \ | |
| git -C $$tmp checkout $(LINUXKIT_GIT_REF) && \ | |
| $(MAKE) -C $$tmp local-build LOCAL_TARGET=$(abspath $@) |
| KERNEL_BUILD_ARGS_FILE := $(shell mktemp -u)-kernel-build-args | ||
|
|
||
| kernel-build-%: Makefile.eve linuxkit | ensure-builder | ||
| kernel-build-%: Makefile.eve $(LK) | ||
| @echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*" | ||
| docker buildx build \ | ||
| --builder=$(BUILD_KIT_BUILDER) \ | ||
| --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \ | ||
| --build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \ | ||
| --build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \ | ||
| --platform $(PLATFORM) -t $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$* \ | ||
| --sbom=true --output=type=oci,dest=$(KERNEL_OCI_FILE) -f Dockerfile.$* . | ||
| $(LK) cache import $(KERNEL_OCI_FILE) | ||
| rm -f $(KERNEL_OCI_FILE) | ||
| @printf 'SOURCE_DATE_EPOCH=%s\nKBUILD_BUILD_TIMESTAMP=%s\nLOCALVERSION=%s\n' \ | ||
| '$(SOURCE_DATE_EPOCH)' '$(KBUILD_BUILD_TIMESTAMP)' \ | ||
| '$(VERSION)$(DIRTY)' \ | ||
| > $(KERNEL_BUILD_ARGS_FILE) |
There was a problem hiding this comment.
KERNEL_BUILD_ARGS_FILE := $(shell mktemp -u)... is evaluated at Makefile parse time and uses mktemp -u (TOCTOU risk). It also reuses the same path for all kernel-build-% targets in a single make invocation, which can race under make -j (e.g., gcc+clang). Generate the file path inside the recipe using mktemp (without -u) and ensure it’s cleaned up via a trap so it’s removed even on failure.
| .PHONY: clean | ||
| clean: | ||
| echo "Cleaning" | ||
| $(LK) cache clean |
There was a problem hiding this comment.
clean calls $(LK) cache clean but does not depend on $(LK) (or guard for it). Running make clean before linuxkit is built/downloaded will fail with “/tmp/linuxkit-…: No such file”. Consider making clean depend on linuxkit/$(LK) or gracefully skipping when the binary is missing.
| $(LK) cache clean | |
| @if [ -x "$(LK)" ]; then \ | |
| $(LK) cache clean; \ | |
| fi |
| echo "=== BuildKit disk usage before prune ===" | ||
| docker exec linuxkit-builder buildctl du | tail -n 2 | ||
| echo "=== Reclaiming ===" | ||
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" | tail -n 1 |
There was a problem hiding this comment.
buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" passes a bare number with no unit. buildctl’s --keep-storage is size-based; without a unit it may be interpreted as bytes, which would prune almost everything and defeat the goal of preserving ccache. Consider appending a unit (e.g., MB/GB) or renaming the variable to reflect the expected unit.
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" | tail -n 1 | |
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}MB" | tail -n 1 |
| echo "=== BuildKit disk usage before prune ===" | ||
| docker exec linuxkit-builder buildctl du | tail -n 2 | ||
| echo "=== Reclaiming ===" | ||
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" | tail -n 1 |
There was a problem hiding this comment.
buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" passes a bare number with no unit. buildctl’s --keep-storage is size-based; without a unit it may be interpreted as bytes, which would prune almost everything and defeat the goal of preserving ccache. Consider appending a unit (e.g., MB/GB) or renaming the variable to reflect the expected unit.
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}" | tail -n 1 | |
| docker exec linuxkit-builder buildctl prune --keep-storage "${BUILDKIT_KEEP_STORAGE_MB:-32000}MB" | tail -n 1 |
rene
merged commit be4828d
into
lf-edge:eve-kernel-arm64-v5.10.192-nvidia-jp5
Summary
Backport of two PRs from
eve-kernel-amd64-v6.12.49-generictoeve-kernel-arm64-v5.10.192-nvidia-jp5:linuxkit pkg buildCherry-picked from the jp6 backport (PR #231) since both nvidia branches share the same build structure.
Key adaptations for nvidia-jp5
kernel-gcc)publish.ymlinto two workflows:pr-build.yml—on: pull_request, build-only (no Docker Hub login/push), targeted cleanuppublish.yml—on: push, build + push + targeted cleanuprunner-xl, Linuxrunner labelsChanges
From PR #228
go installlinuxkit acquisition with flexible two-mode mechanism (build from pinned commit or download release binary)3bf33c3a11fc)kernel-build-%fromdocker buildx buildtolinuxkit pkg build; addbuild.ymlensure-builder,BUILD_KIT_VERSION)From PR #229
actions/checkoutto v6.0.2 anddocker/login-actionto v4.0.0 (commit SHAs)clean-gcc/clean-clangMakefile targets for targeted image removalBUILDKIT_KEEP_STORAGE_MBquota🤖 Generated with Claude Code