feat: make pkgs build bootstrapped

Build pkgs using only [Stageˣ]-derived tools image, without relying on Alpine Fixes: siderolabs/toolchain#129 Fixes: #1151 - feat: update bldr - fix: remove /toolchain prefix - feat: build what is possible using network: none - feat: usrmerge and unified /usr/lib - chore: use StageX bash instead of Alpine bash - fix: make iptables build - chore: move kernel modules under /usr/lib/modules - refactor: remove git requirement - test: check nvidia nonfree drivers' signatures Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Feb 6, 2025 · 18df4d7 · 18df4d7
1 parent 5763e3e
commit 18df4d7
Show file tree

Hide file tree

Showing 56 changed files with 267 additions and 284 deletions.
diff --git a/.kres.yaml b/.kres.yaml
@@ -84,7 +84,7 @@ spec:
         for platform in $(shell echo $(PLATFORM) | tr "," " "); do \
           arch=`basename $$platform` ; \
           $(MAKE) docker-kernel-prepare PLATFORM=$$platform BUILDKIT_MULTI_PLATFORM=0 TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
-          docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+          docker run --rm -it --entrypoint=/bin/bash -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
         done
 ---
 kind: common.Renovate

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-01-20T16:24:34Z by kres 3b3f992.
+# Generated on 2025-02-03T20:51:08Z by kres 987bf4d.
 
 # common variables
 
@@ -25,7 +25,7 @@ SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct)
 
 # sync bldr image with pkgfile
 
-BLDR_RELEASE := v0.3.2
+BLDR_RELEASE := v0.4.0-1-g76a2c8f
 BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE)
 BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src
 
@@ -189,7 +189,7 @@ kernel-%:
 	for platform in $(shell echo $(PLATFORM) | tr "," " "); do \
 	  arch=`basename $$platform` ; \
 	  $(MAKE) docker-kernel-prepare PLATFORM=$$platform BUILDKIT_MULTI_PLATFORM=0 TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
-	  docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+	  docker run --rm -it --entrypoint=/bin/bash -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
 	done
 
 .PHONY: rekres

diff --git a/Pkgfile b/Pkgfile
@@ -1,9 +1,9 @@
-# syntax = ghcr.io/siderolabs/bldr:v0.3.2
+# syntax = ghcr.io/siderolabs/bldr:v0.4.0-1-g76a2c8f
 
 format: v1alpha2
 
 vars:
-  TOOLS_IMAGE: ghcr.io/siderolabs/tools:v1.10.0-alpha.0-7-g7200845
+  TOOLS_IMAGE: ghcr.io/siderolabs/tools:v1.10.0-alpha.0-10-g9db33dd
 
   # renovate: datasource=github-releases depName=containernetworking/plugins
   cni_version: v1.6.2
@@ -72,6 +72,11 @@ vars:
   ipxe_sha256: 6ba8c70598666c8393c424c774329303ed198c3dc6e294fac14ff3c34368b0e4
   ipxe_sha512: 576c8abd7ad8ff738f935d40bc93eb3a25aff1053f1853af1d75d33b40573b4cf6f96bc19e6084b78a5454ca0b708abfc06e69c8c5a2d0efd57e9b5ad182b92c
 
+  # renovate: datasource=git-refs versioning=git depName=https://github.com/a13xp0p0v/kernel-hardening-checker.git
+  kspp_ref: 0c00f3fa766496d221ae3b79ce3f6730468f3641
+  kspp_sha256: b3c25019d75355fff63f129e5df86090dc7b0d295565fff2eeb414f7f6e4c263
+  kspp_sha512: 996f8baad6d58583b23fe7b8d2cabe73d65b85fcc81ef2aa1d42a4a106e5adf9891876579d6a7ca76cb67f6241b2f980310c19785ef94af40e2eda1f372a3933
+
   # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
   linux_version: 6.12.11
   linux_sha256: 475172fdbd87a153f123a57952672e773bdb6daf5b58a417d1a5e419fcfeec49

diff --git a/apparmor/pkg.yaml b/apparmor/pkg.yaml
@@ -1,6 +1,6 @@
 name: apparmor
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: util-linux
@@ -16,17 +16,13 @@ steps:
 
         patch -p1 < /pkg/patches/basename.patch
 
-        mkdir -p /usr/bin \
-            && ln -sf /toolchain/bin/env /usr/bin/env
-        ln -s /toolchain/bin/echo /toolchain/bin/which
-        ln -s /toolchain/include/linux /usr/include/linux
-
         cd libraries/libapparmor
         ./autogen.sh
 
         ./configure \
           --disable-dependency-tracking \
-          --disable-man-pages
+          --disable-man-pages \
+          --prefix=/usr
     build:
       - |
         cd libraries/libapparmor
@@ -37,7 +33,7 @@ steps:
     install:
       - |
         cd parser
-        DISTRO=unknown make install-arch DESTDIR=/rootfs
+        DISTRO=unknown make install-arch DESTDIR=/rootfs SBINDIR=/rootfs/usr/sbin
 finalize:
   - from: /rootfs
     to: /
diff --git a/base/pkg.yaml b/base/pkg.yaml
@@ -1,22 +1,9 @@
 name: base
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - image: "{{ .TOOLS_IMAGE }}"
   - stage: musl
-steps:
-  - prepare:
-      - |
-        cp -R /toolchain/lib/gcc /lib
-        cp -R /toolchain/lib/libgcc* /lib
-        cp -R /toolchain/lib/libstdc* /lib
-        cp -R /toolchain/lib/libz* /lib
-
-        mkdir /bin
-        find /toolchain/bin -type f -executable -printf "%f\n" | xargs -I {} ln -s /toolchain/bin/{} /bin/{}
-        ln -sv /toolchain/bin/bash /bin/sh
-
-        adjust.sh
 finalize:
   - from: /
     to: /
diff --git a/ca-certificates/pkg.yaml b/ca-certificates/pkg.yaml
@@ -1,4 +1,8 @@
 name: ca-certificates
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
 steps:
 - sources:
   - url: https://curl.se/ca/cacert-2024-12-31.pem

diff --git a/cni/pkg.yaml b/cni/pkg.yaml
@@ -1,6 +1,6 @@
 name: cni
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -9,22 +9,17 @@ steps:
         destination: cni-plugins.tar.gz
         sha256: "{{ .cni_sha256 }}"
         sha512: "{{ .cni_sha512 }}"
-    env:
-      GOPATH: /go
     prepare:
       - |
-        mkdir -p ${GOPATH}/src/
-        tar -xzf cni-plugins.tar.gz --strip-components=1 -C ${GOPATH}/src/
+        tar -xzf cni-plugins.tar.gz --strip-components=1
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-        cd ${GOPATH}/src/
-        CGO_ENABLED=0 GOFLAGS="-ldflags=-s" /toolchain/bin/bash ./build_linux.sh
+        CGO_ENABLED=0 GOFLAGS="-ldflags=-s" bash ./build_linux.sh
     install:
       - |
         mkdir -p /rootfs/opt/cni/bin
 
-        mv ${GOPATH}/src/bin/* /rootfs/opt/cni/bin
+        mv bin/* /rootfs/opt/cni/bin
 finalize:
   - from: /rootfs
     to: /
diff --git a/containerd/pkg.yaml b/containerd/pkg.yaml
@@ -1,6 +1,6 @@
 name: containerd
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: libseccomp
@@ -13,8 +13,7 @@ steps:
         sha512: "{{ .containerd_sha512 }}"
     env:
       PKG_CONFIG_PATH: /usr/lib/pkgconfig
-      CC: /toolchain/bin/gcc
-      PATH: /toolchain/go/bin:/toolchain/bin:{{ .PATH }}
+      CC: gcc
       BUILDTAGS: 'seccomp no_aufs no_btrfs no_devmapper no_dynamic_plugins no_systemd no_zfs'
     prepare:
       - |
@@ -26,10 +25,10 @@ steps:
         make VERSION={{ .containerd_version }} REVISION={{ .containerd_ref }}
     install:
       - |
-        mkdir -p /rootfs/bin
-        make install PREFIX=/ DESTDIR=/rootfs
+        mkdir -p /rootfs/usr/bin
+        make install PREFIX=/usr DESTDIR=/rootfs
 
-        rm /rootfs/bin/{containerd-stress,ctr}
+        rm /rootfs/usr/bin/{containerd-stress,ctr}
 finalize:
   - from: /rootfs
     to: /
diff --git a/cryptsetup/pkg.yaml b/cryptsetup/pkg.yaml
@@ -1,6 +1,6 @@
 name: cryptsetup
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: systemd-udevd # dependency for libdevmapper

diff --git a/deps.png b/deps.png
diff --git a/dosfstools/pkg.yaml b/dosfstools/pkg.yaml
@@ -1,6 +1,6 @@
 name: dosfstools
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:

diff --git a/drbd/pkg.yaml b/drbd/pkg.yaml
@@ -1,6 +1,6 @@
 name: drbd-pkg
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: kernel-build
 steps:
@@ -14,21 +14,22 @@ steps:
     prepare:
       - |
         tar -xzf drbd.tar.gz --strip-components=1
+  - network: default
     build:
       - |
         make -j $(nproc) -C drbd KERNEL_SOURCES=/src MODVERSIONS=detect KDIR=/src
     install:
       - |
-        mkdir -p /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.order /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.builtin /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.builtin.modinfo /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
+        mkdir -p /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.order /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.builtin /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.builtin.modinfo /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
 
-        make -C /src M=$(pwd)/drbd/build-current modules_install DESTDIR=/rootfs INSTALL_MOD_PATH=/rootfs INSTALL_MOD_DIR=extras INSTALL_MOD_STRIP=1 CONFIG_MODULE_SIG_ALL=y
+        make -C /src M=$(pwd)/drbd/build-current modules_install DESTDIR=/rootfs INSTALL_MOD_PATH=/rootfs/usr INSTALL_MOD_DIR=extras INSTALL_MOD_STRIP=1 CONFIG_MODULE_SIG_ALL=y
     test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
 finalize:
   - from: /rootfs
     to: /
diff --git a/e2fsprogs/pkg.yaml b/e2fsprogs/pkg.yaml
@@ -1,6 +1,6 @@
 name: e2fsprogs
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: util-linux
@@ -38,10 +38,10 @@ steps:
 
         rm -rf /rootfs-temp/usr/{bin,etc,include,share}
 
-        mkdir -p /rootfs/{sbin,usr/lib}
+        mkdir -p /rootfs/usr/{sbin,lib}
 
         cp -r /rootfs-temp/usr/lib /rootfs/usr
-        cp -r /rootfs-temp/usr/sbin/{e2fsck,fsck.*,mke2fs,mkfs.*,resize2fs,tune2fs} /rootfs/sbin
+        cp -r /rootfs-temp/usr/sbin/{e2fsck,fsck.*,mke2fs,mkfs.*,resize2fs,tune2fs} /rootfs/usr/sbin
 finalize:
   - from: /rootfs
     to: /
diff --git a/fhs/pkg.yaml b/fhs/pkg.yaml
@@ -1,14 +1,26 @@
 name: fhs
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
 steps:
 - install:
   - |
     PREFIX=/rootfs
-    mkdir -pv ${PREFIX}/{dev,lib,proc,sys,bin,sbin,etc,opt,run}
+    mkdir -pv ${PREFIX}/{dev,proc,sys,etc,opt,run}
+    mkdir -pv ${PREFIX}/run/lock
     mkdir -pv ${PREFIX}/usr/{bin,sbin,lib,var,include,src}
-    mkdir -pv ${PREFIX}/usr/local/{bin,sbin,lib,include}
-    mkdir -pv ${PREFIX}/var/{log,run,mail,spool}
+    mkdir -pv ${PREFIX}/var/{log,mail,spool}
     install -dv -m 0750 ${PREFIX}/root
     install -dv -m 1777 ${PREFIX}/tmp ${PREFIX}/var/tmp
+    cd ${PREFIX}
+    ln -sT usr/lib lib64
+    ln -sT usr/lib lib
+    ln -sT usr/bin bin
+    ln -sT usr/sbin sbin
+    ln -sT lib usr/lib64
+    ln -sT ../run var/run
+    ln -sT ../run/lock var/lock
 finalize:
 - from: /rootfs
   to: /
diff --git a/flannel-cni/pkg.yaml b/flannel-cni/pkg.yaml
@@ -1,6 +1,6 @@
 name: flannel-cni
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
 steps:
@@ -9,20 +9,12 @@ steps:
         destination: flannel-cni.tar.gz
         sha256: "{{ .flannel_cni_sha256 }}"
         sha512: "{{ .flannel_cni_sha512 }}"
-    env:
-      GOPATH: /go
     prepare:
       - |
-        mkdir -p ${GOPATH}/src/
-        tar -xzf flannel-cni.tar.gz --strip-components=1 -C ${GOPATH}/src/
-
-        mkdir -p /etc/ssl/certs/
-        ln -s /toolchain/etc/ssl/certs/ca-certificates /etc/ssl/certs/ca-certificates
+        tar -xzf flannel-cni.tar.gz --strip-components=1
+  - network: default
     build:
       - |
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
-        cd ${GOPATH}/src/
-
         export GOARCH=$(go env GOARCH)
         export VERSION={{ .flannel_cni_version }}
         export TAG=${VERSION}
@@ -36,15 +28,14 @@ steps:
         sed -i '/BUILD_DATE=/c BUILD_DATE="1"' scripts/version.sh
         sed -i '/COMMIT=/c COMMIT={{ .flannel_cni_ref }}' scripts/version.sh
 
-        EXTRA_LDFLAGS=-s /toolchain/bin/bash scripts/build_flannel.sh
+        EXTRA_LDFLAGS=-s bash scripts/build_flannel.sh
     install:
       - |
         mkdir -p /rootfs/opt/cni/bin
 
-        export PATH=${PATH}:${TOOLCHAIN}/go/bin
         export GOARCH=$(go env GOARCH)
 
-        mv ${GOPATH}/src/dist/flannel-${GOARCH} /rootfs/opt/cni/bin/flannel
+        mv dist/flannel-${GOARCH} /rootfs/opt/cni/bin/flannel
 finalize:
   - from: /rootfs
     to: /
diff --git a/gasket-driver/pkg.yaml b/gasket-driver/pkg.yaml
@@ -1,6 +1,6 @@
 name: gasket-driver-pkg
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: kernel-build
 steps:
@@ -25,16 +25,16 @@ steps:
 
     install:
       - |
-        mkdir -p /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.order /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.builtin /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
-        cp /src/modules.builtin.modinfo /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
+        mkdir -p /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.order /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.builtin /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
+        cp /src/modules.builtin.modinfo /rootfs/usr/lib/modules/$(cat /src/include/config/kernel.release)/
 
-        make -C /src M=$(pwd)/src modules_install INSTALL_MOD_PATH=/rootfs INSTALL_MOD_DIR=extras INSTALL_MOD_STRIP=1
+        make -C /src M=$(pwd)/src modules_install INSTALL_MOD_PATH=/rootfs/usr INSTALL_MOD_DIR=extras INSTALL_MOD_STRIP=1
     test:
       - |
         # https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
-        find /rootfs/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
+        find /rootfs/usr/lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+
 finalize:
   - from: /rootfs
     to: /
diff --git a/grub/pkg.yaml b/grub/pkg.yaml
@@ -1,6 +1,6 @@
 name: grub
 variant: scratch
-shell: /toolchain/bin/bash
+shell: /bin/bash
 dependencies:
   - stage: base
   - stage: util-linux
@@ -20,7 +20,7 @@ steps:
 
         patch -p1 < /pkg/patches/efi-fat-serial-number.patch
 
-        PYTHON=python3 /toolchain/bin/bash ./autogen.sh
+        PYTHON=python3 bash ./autogen.sh
 
         touch ./grub-core/extra_deps.lst
     build: