start of generic image build and rechunking
detiber committed Dec 16, 2024
1 parent 763954a commit 1245c1b
Showing 5 changed files with 241 additions and 9 deletions.
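--- a/just/build.just
+++ b/just/build.just
@@ -0,0 +1,189 @@
+import 'cosign.just'
+import 'common.just'
+
+repo_organization := "detiber"
+rechunker_image := "ghcr.io/hhd-dev/rechunk:v1.0.1"
+
+# Get Fedora Version of an image
+_fedora_version base_image tag:
+#!/usr/bin/bash
+set -eou pipefail
+if [[ ! -f /tmp/manifest.json ]]; then
+if [[ "{{ tag }}" =~ stable ]]; then
+# CoreOS does not uses cosign
+skopeo inspect --retry-times 3 docker://quay.io/fedora/fedora-coreos:stable > /tmp/manifest.json
+else
+skopeo inspect --retry-times 3 docker://"{{ base_image }}:{{ tag }}" > /tmp/manifest.json
+fi
+fi
+fedora_version=$(jq -r '.Labels["ostree.linux"]' < /tmp/manifest.json | grep -oP 'fc\K[0-9]+')
+echo "${fedora_version}"
+
+# Build Image
+_build image tag base_image args: _disk-use (_header "Build Image") (verify-image base_image + ":" + `just _fedora_version '{{ base_image }}' '{{ tag }}'`) && (_footer "Build Image") _disk-use
+# Build Image
+podman build \
+--tag "{{ image }}:{{ tag }}" \
+{{ args }} \
+.
+
+# Rechunk Image
+_rechunk image tag base_image rechunk-dir: (_ensure-directory rechunk-dir) _disk-use (_header "Rechunk") && (_footer "Rechunk") _disk-use
+#!/usr/bin/bash
+set -eoux pipefail
+
+# Check if image is already built
+ID=$(podman images --filter reference=localhost/"{{ image }}":"{{ tag }}" --format "'{{ '{{.ID}}' }}'")
+if [[ -z "$ID" ]]; then
+just _build "{{ image }}" "{{ tag }}" "{{ base_image }}" ""
+fi
+
+# Load into Rootful Podman
+ID=$(just sudoif podman images --filter reference=localhost/"{{ image }}":"{{ tag }}" --format "'{{ '{{.ID}}' }}'")
+if [[ -z "$ID" ]]; then
+COPYTMP=$(mktemp -p "{{ rechunk-dir }}" -d -t podman_scp.XXXXXXXXXX)
+just sudoif TMPDIR="${COPYTMP}" podman image scp ${UID}@localhost::localhost/"{{ image }}":"{{ tag }}" root@localhost::localhost/"{{ image }}":"{{ tag }}"
+rm -rf "${COPYTMP}"
+fi
+
+# Prep Container
+CREF=$(just sudoif podman create localhost/"{{ image }}":"{{ tag }}" bash)
+OLD_IMAGE=$(just sudoif podman inspect $CREF | jq -r '.[].Image')
+OUT_NAME="{{ image }}_build"
+MOUNT=$(just sudoif podman mount "${CREF}")
+
+# Fedora Version
+fedora_version=$(just sudoif podman inspect $CREF | jq -r '.[].Config.Labels["ostree.linux"]' | grep -oP 'fc\K[0-9]+')
+
+# Label Version
+if [[ "{{ tag }}" =~ stable ]]; then
+VERSION="${fedora_version}.$(date +%Y%m%d)"
+else
+VERSION="{{ tag }}-${fedora_version}.$(date +%Y%m%d)"
+fi
+
+# # TODO: Cleanup Space during Github Action
+
+# Run Rechunker's Prune
+just sudoif podman run --rm \
+--pull=newer \
+--security-opt label=disable \
+--volume "$MOUNT":/var/tree \
+--env TREE=/var/tree \
+--user 0:0 \
+"{{ rechunker_image }}" \
+/sources/rechunk/1_prune.sh
+
+# Run Rechunker's Create
+just sudoif podman run --rm \
+--security-opt label=disable \
+--volume "$MOUNT":/var/tree \
+--volume "cache_ostree:/var/ostree" \
+--env TREE=/var/tree \
+--env REPO=/var/ostree/repo \
+--env RESET_TIMESTAMP=1 \
+--user 0:0 \
+"{{ rechunker_image }}" \
+/sources/rechunk/2_create.sh
+
+# Cleanup Temp Container Reference
+just sudoif podman unmount "$CREF"
+just sudoif podman rm "$CREF"
+just sudoif podman rmi "$OLD_IMAGE"
+
+SHA="dedbeef"
+if [[ -z "$(git status -s)" ]]; then
+SHA=$(git rev-parse HEAD)
+fi
+# Run Rechunker
+just sudoif podman run --rm \
+--pull=newer \
+--security-opt label=disable \
+--volume "{{ rechunk-dir }}:/workspace" \
+--volume "{{ root-dir }}:/var/git" \
+--volume cache_ostree:/var/ostree \
+--env REPO=/var/ostree/repo \
+--env PREV_REF=ghcr.io/detiber/"{{ image }}":"{{ tag }}" \
+--env OUT_NAME="$OUT_NAME" \
+--env LABELS="org.opencontainers.image.title={{ image }}$'\n''io.artifacthub.package.readme-url=https://raw.githubusercontent.com/detiber/beardy-os/refs/heads/main/README.md'$'\n''io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4'$'\n'" \
+--env "DESCRIPTION='The preferred bluefin-based OS of bearded developers'" \
+--env "VERSION=${VERSION}" \
+--env VERSION_FN=/workspace/version.txt \
+--env OUT_REF="oci:$OUT_NAME" \
+--env GIT_DIR="/var/git" \
+--env REVISION="$SHA" \
+--user 0:0 \
+"{{ rechunker_image }}" \
+/sources/rechunk/3_chunk.sh
+
+# Fix Permissions of OCI
+if [[ "${UID}" -gt "0" ]]; then
+just sudoif chown "${UID}:${GROUPS}" -R "{{ rechunk-dir }}"
+elif [[ -n "${SUDO_UID:-}" ]]; then
+chown "${SUDO_UID}":"${SUDO_GID}" -R "{{ rechunk-dir }}"
+fi
+
+# Remove cache_ostree
+just sudoif podman volume rm cache_ostree
+
+# Show OCI Labels
+just sudoif skopeo inspect oci:"{{ rechunk-dir }}"/"${OUT_NAME}" | jq -r '.Labels'
+
+# Load OCI into Podman Store
+_load-rechunk image tag rechunk-dir: _disk-use (_header "Load Rechunk") && (_footer "Load Rechunk") _disk-use
+#!/usr/bin/bash
+set -eou pipefail
+
+# Load Image
+OUT_NAME="{{ image }}_build"
+IMAGE=$(podman pull oci:"{{ rechunk-dir }}"/"${OUT_NAME}")
+podman tag ${IMAGE} localhost/"{{ image }}":{{ tag }}
+
+# Cleanup
+just sudoif "rm -rf ${OUT_NAME}*"
+just sudoif "rm -f previous.manifest.json"
+
+# Secureboot Check
+[group('Utility')]
+_secureboot image tag: _disk-use (_header "Secureboot") && (_footer "Secureboot") _disk-use
+#!/usr/bin/bash
+set -eoux pipefail
+
+# Get the vmlinuz to check
+kernel_release=$(podman inspect "{{ image }}":"{{ tag }}" | jq -r '.[].Config.Labels["ostree.linux"]')
+TMP=$(podman create "{{ image }}":"{{ tag }}" bash)
+podman cp "$TMP":/usr/lib/modules/"${kernel_release}"/vmlinuz /tmp/vmlinuz
+podman rm "$TMP"
+
+# Get the Public Certificates
+curl --retry 3 -Lo /tmp/kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+curl --retry 3 -Lo /tmp/akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+openssl x509 -in /tmp/kernel-sign.der -out /tmp/kernel-sign.crt
+openssl x509 -in /tmp/akmods.der -out /tmp/akmods.crt
+
+# Make sure we have sbverify
+CMD="$(command -v sbverify)"
+if [[ -z "${CMD:-}" ]]; then
+temp_name="sbverify-${RANDOM}"
+podman run -dt \
+--entrypoint /bin/sh \
+--volume /tmp/vmlinuz:/tmp/vmlinuz:z \
+--volume /tmp/kernel-sign.crt:/tmp/kernel-sign.crt:z \
+--volume /tmp/akmods.crt:/tmp/akmods.crt:z \
+--name ${temp_name} \
+alpine:edge
+podman exec ${temp_name} apk add sbsigntool
+CMD="podman exec ${temp_name} /usr/bin/sbverify"
+fi
+
+# Confirm that Signatures Are Good
+$CMD --list /tmp/vmlinuz
+returncode=0
+if ! $CMD --cert /tmp/kernel-sign.crt /tmp/vmlinuz || ! $CMD --cert /tmp/akmods.crt /tmp/vmlinuz; then
+echo "Secureboot Signature Failed...."
+returncode=1
+fi
+if [[ -n "${temp_name:-}" ]]; then
+podman rm -f "${temp_name}"
+fi
+exit "$returncode"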
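Review bot: `_fedora_version` reuses `/tmp/manifest.json` whenever the file already exists, so a stale manifest left by an earlier run against a different `base_image`/`tag` (or one written by another account on a shared host, since the path is fixed and world-accessible) decides which tag `verify-image` is asked to cosign-verify in `_build`; inspect into `manifest=$(mktemp)` unconditionally, or key the cache on the image and tag. In `_secureboot`, `CMD="$(command -v sbverify)"` runs under `set -e`, so a host without sbverify aborts the recipe before the alpine fallback below it is ever reached — `CMD="$(command -v sbverify || true)"` keeps the fallback reachable. In `_rechunk` nothing unmounts or removes `$CREF`, nor drops the `cache_ostree` volume, when any step after `podman mount` fails, so a failed run leaves a mounted rootful container behind; a `trap` on EXIT that runs the unmount/rm steps would close that. `_load-rechunk` deletes `${OUT_NAME}*` relative to the working directory while the OCI layout was written under `{{ rechunk-dir }}`, so the cleanup misses it; point it at `"{{ rechunk-dir }}/${OUT_NAME}"`. The `LABELS=` value sits inside one double-quoted string, where `$'\n'` is not ANSI-C quoting and stays literal, so the three labels reach the rechunker as a single line unless the rechunker itself interprets that sequence — worth confirming against its label parsing.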
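--- a/just/common.just
+++ b/just/common.just
@@ -40,3 +40,21 @@ generate-default-tag tag="latest" ghcr="0":
 fi
 
 echo "${DEFAULT_TAG}"
+
+_disk-use: (_header "Disk Use") && (_footer "Disk Use")
+just sudoif du -hs /var/tmp /tmp
+find {{ build-dir }} -type d -exec du -hs {} \; | sort -h
+podman system df
+just sudoif podman system df
+
+_header title:
+@echo ""
+@echo '============================================'
+@echo "Start: {{ title }}"
+@echo '============================================'
+
+_footer title:
+@echo '============================================'
+@echo "End: {{ title }}"
+@echo '============================================'
+@echo ""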
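Review bot: `find {{ build-dir }} -type d -exec du -hs {} \; | sort -h` in `_disk-use` expands the directory unquoted, and because `_disk-use` is a dependency of the build and rechunk recipes it runs before `build-dir` exists on a fresh checkout; the pipe into `sort -h` hides find's status in a plain recipe line, so the recipe just prints an error there. Quote the path and guard it, `if [ -d "{{ build-dir }}" ]; then find "{{ build-dir }}" -type d -exec du -hs {} \; | sort -h; fi`. `build-dir` itself is defined outside this hunk.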
18 changes: 9 additions & 9 deletions just/cosign.just
@@ -1,6 +1,12 @@
# Verify Container with Cosign
import 'common.just'

# Verify Container with Cosign TODO: remove after replacing use in bluefin justfile
[group('Utility')]
verify-container container="" registry="ghcr.io/ublue-os" key="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub": && (verify-image registry + "/" + container key)

# Verify Container Image with Cosign
[group('Utility')]
verify-container container="" registry="ghcr.io/ublue-os" key="":
verify-image image="ghcr.io/ublue-os/base-main" key="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub":
#!/usr/bin/bash
set -eoux pipefail

Expand All @@ -19,14 +25,8 @@ verify-container container="" registry="ghcr.io/ublue-os" key="":
fi
fi

# Public Key for Container Verification
key={{ key }}
if [[ -z "${key:-}" ]]; then
key="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub"
fi

# Verify Container using cosign public key
if ! cosign verify --key "${key}" "{{ registry }}"/"{{ container }}" >/dev/null; then
if ! cosign verify --key "{{ key }}" "{{ image }}" >/dev/null; then
echo "NOTICE: Verification failed. Please ensure your public key is correct."
exit 1
fi
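Review bot: `verify-image`'s default `key="https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub"` means cosign fetches the trust anchor from a mutable branch at every run, so what a build is verified against is whatever that URL serves at that moment rather than a key this repository pins; committing the public key into the repo and defaulting `key` to that path (or checking the fetched key's digest before use) would make the check reproducible. With `verify-container`'s `container=""` default, a call with no argument now forwards `ghcr.io/ublue-os/` to `verify-image`, which cosign rejects rather than verifies — fail-closed, but a non-empty default or an explicit empty check would give a clearer error. The part of the recipe body between the two hunks is not shown.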
1 change: 1 addition & 0 deletions justfile
@@ -1,5 +1,6 @@
mod bootc 'variants/bootc/justfile'
mod bluefin 'variants/bluefin/justfile'
mod ublue 'variants/ublue/justfile'

import 'just/common.just'

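--- a/variants/ublue/justfile
+++ b/variants/ublue/justfile
@@ -0,0 +1,24 @@
+import '../../just/common.just'
+import '../../just/build.just'
+
+ublue-build-dir := join(build-dir, 'output', 'variants', 'ublue')
+ublue-cache-dir := join(build-dir, 'cache', 'ublue')
+rechunk-dir := join(ublue-cache-dir, 'rechunk')
+
+# Build Image
+[group('Image')]
+build image="beardy-ublue" tag="latest" base_image="ghcr.io/ublue-os/base-main" args="": && (_build image tag base_image args)
+
+# Rechunk Image
+[group('Utility')]
+rechunk image="beardy-ublue" tag="latest" base_image="ghcr.io/ublue-os/base-main": && (_rechunk image tag base_image rechunk-dir)
+
+# Load OCI into Podman Store
+[group('Utility')]
+load-rechunk image="beardy-ublue" tag="latest": && (_load-rechunk image tag rechunk-dir)
+
+# Secureboot Check
+[group('Utility')]
+secureboot image="beardy-ublue" tag="latest": && (_secureboot image tag)
+
+try: build rechunk load-rechunk secureboot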
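Review bot: The defaults `image="beardy-ublue"`, `tag="latest"` and `base_image="ghcr.io/ublue-os/base-main"` are repeated across `build`, `rechunk`, `load-rechunk` and `secureboot`; just accepts an expression as a parameter default, so variables such as `default-image := "beardy-ublue"` declared next to `rechunk-dir` and used as `image=default-image` would keep the four recipes from drifting apart. `try` is the only recipe here without a doc comment; a line like `# Build, rechunk, load and secureboot-check the default image` above it gives it a description in `just --list` like the others. `ublue-build-dir` is declared but not referenced in this file — presumably for later use, worth a comment if so.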
