To ease the development of Wolfi OS, you can use the Wolfi sdk image that already includes both apko and melange.
On Linux and Mac it is also possible to install both the above tools directly into your system.
If you choose not to install the tooling onto your local machine, you can start a container based development environment using
make dev-containerWhat it does is start the ghcr.io/wolfi-dev/sdk image and mount the current working directory into it.
Wolfi packages are built using melange. If you want to learn how packages are built, you can see all the details in the ci-build workflow and in the Makefile.
Start by cloning this repository and create a build configuration YAML file named <your-new-package-name>.yaml in its root directory. If you have any patch files that are needed to build this package, create a folder at the root of the repository with the same name as the package and put the patches there.
Once you're done writing the new package configuration file, you can test it by building the new package.
To build an individual package, you can use a make command like this:
make package/<your-new-package-name>
For example, if your package name is "foo", run make package/foo.
This will build the package by invoking melange in a particular way. This invocation is defined in the Makefile, if you're interested to see how this is wired up. Also, you can run Melange directly without using make if you understand what you're doing.
Note: The buildsystem has a cache of source files that may help reduce the time your build takes. Feel free to see if this cache helps you by adding USE_CACHE=yes to the command above. If you encounter issues with this approach, the best advice is to remove the USE_CACHE=no from your command and carry on with your builds.
When the build finishes, your package(s) should be found in the generated ./packages directory.
While you're here, you can scan the package you just built for vulnerabilities, using wolfictl's scan command:
wolfictl scan ./packages/some-architecture/your-package-name-and-version.apkCheck for anything unexpected, or for any CVEs you can patch.
-
When bumping version of a package, you will need to update the version, epoch & shasum (sha256 or sha512) in package YAML file. The version and epoch also need to be bumped in Makefile.
-
epochneeds to be bump when package version remains the same but something else changes.epochneeds to be reset to 0 when it's a new version of the package. -
melangeCLI has a commandbumpto make it easier. More details are available here.
-
melange has a few built-in pipelines. You can see their source code in the melange repository.
-
You don't need to add
environment.contents.repositoriesandenvironment.contents.keyring. Those are added automatically in theci-build.yamlscript during CI. -
For patching CVEs, you can follow the documentation here.
-
If you don't want to build all the packages locally, you can install
gsutiland use it to sync the prebuilt packages fromgs://wolfi-production-registry-destination/os/bucket:
gsutil -m rsync -r gs://wolfi-production-registry-destination/os/ ./packages-
If you dont want to install
gsutillocally, you can use this imagegcr.io/google.com/cloudsdktool/google-cloud-cli:slimwhich is the official SDK image from GCP and already includegsutilin there. -
When deciding how to add
update:configuration see the update docs -
When you're ready to submit a PR for a new package or to update a package, make sure your YAML file(s) are formatted correctly, so that they'll pass CI. We use yam for YAML formatting. You should be able to run the
yamcommand from the root of this repo to get all files formatted correctly. -
When running a lot of melange builds using
dockeras a runner (default on Mac) you may want to increase the Docker VM CPU, Memory and especially storage resources, else Docker can easily run out of disk space.