From 78b77b761c636f65b6c3fc80b1a7c82bb34a4755 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:10:58 +0200
Subject: [PATCH 1/7] app-containers/docker-buildx: Add from Gentoo

It's from Gentoo commit 78a80d67558ed5ae0f14ba8ecb8bee5d9aadd329.
---
 .../app-containers/docker-buildx/Manifest | 3 +
 .../docker-buildx-0.10.4-r1.ebuild | 61 ++++++++++++++++++
 .../docker-buildx/docker-buildx-0.11.2.ebuild | 61 ++++++++++++++++++
 .../docker-buildx/docker-buildx-0.14.0.ebuild | 62 +++++++++++++++++++
 .../docker-buildx/docker-buildx-9999.ebuild | 62 +++++++++++++++++++
 .../app-containers/docker-buildx/metadata.xml | 23 +++++++
 6 files changed, 272 insertions(+)
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/Manifest
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.10.4-r1.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.11.2.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.14.0.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-9999.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/metadata.xml

diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/Manifest
new file mode 100644
index 00000000000..c9a6377e58d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/Manifest
@@ -0,0 +1,3 @@
+DIST docker-buildx-0.10.4.tar.gz 9184825 BLAKE2B f0e71c0f6dda5f02da4cf0b0514f67f5d339ba10359afc69aae25abf907447fd22fe3d92427299bc67aeaa6a84e748a8a5cbd86151b2baba2dd01f25cc04a793 SHA512 f82b89b8dd4e45524c8d353c4d7588f47b1c7b7ecf759fd9605247c1c7aa0ca152c3ecdec0e0b62b5eef05e6b65d2ca1f5ccab6d75819b92fc92ff62b44105b7
+DIST docker-buildx-0.11.2.tar.gz 10342565 BLAKE2B 1e034e9a07f36b46096f8f035869adc93b63af46cd9886f5ed4bc0939ce2f76b7f029a11ee536a34be23952e5c85251d757cec9ff05df172e3a26ea82a1bf0b1 SHA512 6f3718edf1e86c4422e1419580e4c38cf378a59555067be2aa6fac3e7f8878afe39d777765ace274cd9c47630f39cbacfacfdc4ecadd6ff46d5ee37d8f9bc75c
+DIST docker-buildx-0.14.0.tar.gz 11120356 BLAKE2B 01fec6b29665088a4778cb6a926f071c1beacb22d7a50593d55afff1225d0e74d083a82eaab4ae96ffee8a6f653ce048fd81b3410e7113bc29da210d77042b64 SHA512 bc09f29096cfd08c60efd8fca7976a1db896f0ed08d33dfc64dfca2c6487a1dc1722b3fe80b6a175ebebeacf8b460bcc214806d0c7a637f17ed5d09793d8c9d8
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.10.4-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.10.4-r1.ebuild
new file mode 100644
index 00000000000..982bd439623
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.10.4-r1.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module
+
+MY_PN="buildx"
+DESCRIPTION="Docker CLI plugin for extended build capabilities with BuildKit"
+HOMEPAGE="https://github.com/docker/buildx"
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/docker/buildx.git"
+else
+ SRC_URI="https://github.com/docker/buildx/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+ S="${WORKDIR}/${MY_PN}-${PV}"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+# This gives us the ability to neatly `-skip` tests.
+# not required once ::gentoo is all > 1.20
+RESTRICT="!test? ( test )"
+IUSE="test"
+
+BDEPEND="
+ test? ( >=dev-lang/go-1.20 )
+"
+RDEPEND="app-containers/docker-cli"
+
+src_compile() {
+ local _buildx_r='github.com/docker/buildx'
+ local version=${PV}
+ if [[ ${PV} == 9999 ]]; then
+ version="$(git rev-parse --short HEAD)"
+ fi
+ ego build -o docker-buildx \
+ -ldflags "-linkmode=external
+ -X $_buildx_r/version.Version=${version}
+ -X $_buildx_r/version.Revision=$(date -u +%FT%T%z)
+ -X $_buildx_r/version.Package=$_buildx_r" \
+ ./cmd/buildx
+}
+
+src_test() {
+ # TestGit can't work in a source tarball; TestReadTargets fails seemingly due to parallelism.
+ if [[ ${PV} == 9999 ]]; then
+ ego test ./... -skip "TestReadTargets"
+ else
+ ego test ./... -skip "TestGit|TestReadTargets"
+ fi
+}
+
+src_install() {
+ exeinto /usr/libexec/docker/cli-plugins
+ doexe docker-buildx
+
+ dodoc README.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.11.2.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.11.2.ebuild
new file mode 100644
index 00000000000..8cecb6eed7a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.11.2.ebuild
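Review bot: `-X $_buildx_r/version.Revision=$(date -u +%FT%T%z)` in src_compile stamps the build-time clock into a field that appears intended for a source revision, so two builds of the same tarball yield different binaries and `docker buildx version` reports a date where a commit is expected; since Version already carries ${PV}, dropping the Revision flag, or setting it only in the 9999 branch where `version` is already derived from `git rev-parse`, keeps the build reproducible. The same line is repeated in the 0.11.2, 0.14.0 and 9999 ebuilds in the following hunks. Only this 0.10.4-r1 ebuild carries stable keywords (`KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"`) while the three newer ebuilds are ~arch throughout, so unless the Flatcar profile or an accept_keywords entry unmasks them, board-packages would presumably resolve to the oldest version; worth confirming which version the image actually gets. These files are imported verbatim from Gentoo, so any of these changes should be carried as a Flatcar-specific revision or sent upstream rather than edited silently.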
@@ -0,0 +1,61 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module
+
+MY_PN="buildx"
+DESCRIPTION="Docker CLI plugin for extended build capabilities with BuildKit"
+HOMEPAGE="https://github.com/docker/buildx"
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/docker/buildx.git"
+else
+ SRC_URI="https://github.com/docker/buildx/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+ S="${WORKDIR}/${MY_PN}-${PV}"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+# This gives us the ability to neatly `-skip` tests.
+# not required once ::gentoo is all > 1.20
+RESTRICT="!test? ( test )"
+IUSE="test"
+
+BDEPEND="
+ test? ( >=dev-lang/go-1.20 )
+"
+RDEPEND="app-containers/docker-cli"
+
+src_compile() {
+ local _buildx_r='github.com/docker/buildx'
+ local version=${PV}
+ if [[ ${PV} == 9999 ]]; then
+ version="$(git rev-parse --short HEAD)"
+ fi
+ ego build -o docker-buildx \
+ -ldflags "-linkmode=external
+ -X $_buildx_r/version.Version=${version}
+ -X $_buildx_r/version.Revision=$(date -u +%FT%T%z)
+ -X $_buildx_r/version.Package=$_buildx_r" \
+ ./cmd/buildx
+}
+
+src_test() {
+ # TestGit can't work in a source tarball; TestReadTargets fails seemingly due to parallelism.
+ if [[ ${PV} == 9999 ]]; then
+ ego test ./... -skip "TestReadTargets|TestIntegration"
+ else
+ ego test ./... -skip "TestGit|TestReadTargets|TestIntegration"
+ fi
+}
+
+src_install() {
+ exeinto /usr/libexec/docker/cli-plugins
+ doexe docker-buildx
+
+ dodoc README.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.14.0.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.14.0.ebuild
new file mode 100644
index 00000000000..d36ee06a545
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-0.14.0.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module
+
+MY_PN="buildx"
+DESCRIPTION="Docker CLI plugin for extended build capabilities with BuildKit"
+HOMEPAGE="https://github.com/docker/buildx"
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/docker/buildx.git"
+else
+ SRC_URI="https://github.com/docker/buildx/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+ S="${WORKDIR}/${MY_PN}-${PV}"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+IUSE="test"
+
+# This gives us the ability to neatly `-skip` tests.
+# not required once ::gentoo is all > 1.20
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+ test? ( >=dev-lang/go-1.20 )
+"
+RDEPEND="app-containers/docker-cli"
+
+src_compile() {
+ local _buildx_r='github.com/docker/buildx'
+ local version=${PV}
+ if [[ ${PV} == 9999 ]]; then
+ version="$(git rev-parse --short HEAD)"
+ fi
+ ego build -o docker-buildx \
+ -ldflags "-linkmode=external
+ -X $_buildx_r/version.Version=${version}
+ -X $_buildx_r/version.Revision=$(date -u +%FT%T%z)
+ -X $_buildx_r/version.Package=$_buildx_r" \
+ ./cmd/buildx
+}
+
+src_test() {
+ # TestGit can't work in a source tarball; TestReadTargets fails seemingly due to parallelism.
+ if [[ ${PV} == 9999 ]]; then
+ ego test ./... -skip "TestReadTargets|TestIntegration"
+ else
+ ego test ./... -skip "TestGit|TestReadTargets|TestIntegration"
+ fi
+}
+
+src_install() {
+ exeinto /usr/libexec/docker/cli-plugins
+ doexe docker-buildx
+
+ dodoc README.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-9999.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-9999.ebuild
new file mode 100644
index 00000000000..d36ee06a545
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/docker-buildx-9999.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module
+
+MY_PN="buildx"
+DESCRIPTION="Docker CLI plugin for extended build capabilities with BuildKit"
+HOMEPAGE="https://github.com/docker/buildx"
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/docker/buildx.git"
+else
+ SRC_URI="https://github.com/docker/buildx/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+ S="${WORKDIR}/${MY_PN}-${PV}"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+IUSE="test"
+
+# This gives us the ability to neatly `-skip` tests.
+# not required once ::gentoo is all > 1.20
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+ test? ( >=dev-lang/go-1.20 )
+"
+RDEPEND="app-containers/docker-cli"
+
+src_compile() {
+ local _buildx_r='github.com/docker/buildx'
+ local version=${PV}
+ if [[ ${PV} == 9999 ]]; then
+ version="$(git rev-parse --short HEAD)"
+ fi
+ ego build -o docker-buildx \
+ -ldflags "-linkmode=external
+ -X $_buildx_r/version.Version=${version}
+ -X $_buildx_r/version.Revision=$(date -u +%FT%T%z)
+ -X $_buildx_r/version.Package=$_buildx_r" \
+ ./cmd/buildx
+}
+
+src_test() {
+ # TestGit can't work in a source tarball; TestReadTargets fails seemingly due to parallelism.
+ if [[ ${PV} == 9999 ]]; then
+ ego test ./... -skip "TestReadTargets|TestIntegration"
+ else
+ ego test ./... -skip "TestGit|TestReadTargets|TestIntegration"
+ fi
+}
+
+src_install() {
+ exeinto /usr/libexec/docker/cli-plugins
+ doexe docker-buildx
+
+ dodoc README.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/metadata.xml
new file mode 100644
index 00000000000..14dd56055ea
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-buildx/metadata.xml
@@ -0,0 +1,23 @@ + + + + nic@boet.cc + Nic Boet + + + proxy-maint@gentoo.org + Proxy Maintainers + + + containers@gentoo.org + Containers + + + docker/buildx + + + buildx is a Docker CLI plugin for extended build capabilities with BuildKit. + BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. + +
From 4f62b200f9b42619256e8f43cb7d554d09baec04 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:11:49 +0200
Subject: [PATCH 2/7] .github: Add app-containers/docker-buildx to automation

---
 .github/workflows/portage-stable-packages-list | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index dbbe4d69dae..da6523ace2e 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -108,6 +108,7 @@ app-containers/containers-storage
 app-containers/cri-tools
 app-containers/crun
 app-containers/docker
+app-containers/docker-buildx
 app-containers/docker-cli
 app-containers/netavark
 app-containers/podman
From 0d5f31a4eb2756ff5bd790ae9901dcde0070c937 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:06:59 +0200
Subject: [PATCH 3/7] overlay coreos-devel/board-packages: Add app-containers/docker-buildx

---
 ...packages-0.0.1-r14.ebuild => board-packages-0.0.1-r15.ebuild} | 0
 .../coreos-devel/board-packages/board-packages-0.0.1.ebuild | 1 +
 2 files changed, 1 insertion(+)
 rename sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/{board-packages-0.0.1-r14.ebuild => board-packages-0.0.1-r15.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r14.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r15.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r14.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r15.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index 00b13c433ed..9b1d2690726 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -29,6 +29,7 @@ RDEPEND="
 app-containers/containerd
 app-containers/docker
 app-containers/docker-cli
+ app-containers/docker-buildx
 app-emulation/amazon-ssm-agent
 app-emulation/wa-linux-agent
 coreos-base/coreos
From babc0e6e3323efc2d8a0e1795c3cf48ad4f36e72 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:08:06 +0200
Subject: [PATCH 4/7] build_docker_aci, build_library: Remove obsolete scripts

The build_docker_aci script only supported docker 12.x, which we don't have since ages, so it's a clear sign of a script being obsolete. Removing it results in some other scripts in build_library being unused, so drop them too.
---
 build_docker_aci | 110 ---------------------------
 build_library/ebuild_aci_manifest.in | 14 ----
 build_library/ebuild_aci_util.sh | 97 -----------------------
 3 files changed, 221 deletions(-)
 delete mode 100755 build_docker_aci
 delete mode 100644 build_library/ebuild_aci_manifest.in
 delete mode 100644 build_library/ebuild_aci_util.sh
diff --git a/build_docker_aci b/build_docker_aci
deleted file mode 100755
index 4613f57ffed..00000000000
--- a/build_docker_aci
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2016 The CoreOS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# This is a wrapper around the ebuild_aci_util.sh functions to set up the
-# necessary environment, similar to the build_image script.
-
-SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
-. "${SCRIPT_ROOT}/common.sh" || exit 1
-
-# Script must run inside the chroot
-assert_inside_chroot
-
-assert_not_root_user
-
-# Developer-visible flags.
-DEFINE_string board "${DEFAULT_BOARD}" \
- "The board to build an image for."
-DEFINE_string build_dir "" \
- "Directory in which to place image result directories (named by version)"
-DEFINE_boolean getbinpkg "${FLAGS_FALSE}" \
- "Download binary packages from remote repository."
-DEFINE_string getbinpkgver "" \
- "Use binary packages from a specific version."
-
-FLAGS_HELP="USAGE: build_docker_aci [flags] [docker version] [aci version number].
-This script is used to build a CoreOS docker-skim ACI.
-
-The docker version should identify an existent ebuild (i.e.
-app-containers/docker-\$version).
-
-The aci version number is an atomically incrementing number that will be
-appended to the aci version (to create e.g. :v1.12.6_coreos.0).
-
-Examples:
-
-build_docker_aci --board=amd64-usr --build_dir= 1.12.6 0
-...
-"
-show_help_if_requested "$@"
-
-# The following options are advanced options, only available to those willing
-# to read the source code. They are not shown in help output, since they are
-# not needed for the typical developer workflow.
-DEFINE_integer build_attempt 1 \
- "The build attempt for this image build."
-DEFINE_string group "docker-aci" \
- "The update group (not used for actual updates here)"
-DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
- "Directory in which to place image result directories (named by version)"
-DEFINE_string version "" \
- "Sets the docker version to build."
-DEFINE_integer aci_version "" \
- "Sets the aci version tag identifier."
-
-# Parse command line.
-FLAGS "$@" || exit 1
-[ -z "${FLAGS_ARGV}" ] && echo 'No version given' && exit 0
-eval set -- "${FLAGS_ARGV}"
-
-version="${1:?Docker version}"
-aci_version="${2:?Docker version}"
-
-
-# Only now can we die on error. shflags functions leak non-zero error codes,
-# so will die prematurely if 'switch_to_strict_mode' is specified before now.
-switch_to_strict_mode
-
-# If downloading packages is enabled ensure the board is configured properly.
-if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
- "${SRC_ROOT}/scripts/setup_board" --board="${FLAGS_board}" \
- --getbinpkgver="${FLAGS_getbinpkgver}" --regen_configs_only
-fi
-
-# N.B. Ordering matters for some of the libraries below, because
-# some of the files contain initialization used by later files.
-. "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/build_image_util.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/prod_image_util.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
-. "${BUILD_LIBRARY_DIR}/ebuild_aci_util.sh" || exit 1
-
-BUILD_DIR=${FLAGS_build_dir:-$BUILD_DIR}
-
-case "${version}" in
- 1.12.[0-9]*)
- packaged_files=(
- "/usr/bin/docker"
- "/usr/bin/dockerd"
- "/usr/bin/docker-containerd"
- "/usr/bin/docker-containerd-shim"
- "/usr/bin/docker-proxy"
- "/usr/bin/docker-runc"
- "/usr/lib/flatcar/dockerd"
- )
- ebuild_aci_create "users.developer.core-os.net/skim/docker" \
- "coreos_docker-${BOARD}-${version}_coreos.${aci_version}" \
- "app-containers/docker" \
- "${version}" \
- "${aci_version}" \
- "${packaged_files[@]}"
- ;;
- *)
- 1>&2 echo "Unrecognized version; please enter a supported version"
- exit 1
- ;;
-esac
diff --git a/build_library/ebuild_aci_manifest.in b/build_library/ebuild_aci_manifest.in
deleted file mode 100644
index 17365203a10..00000000000
--- a/build_library/ebuild_aci_manifest.in
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "acKind": "ImageManifest",
- "acVersion": "0.8.6",
- "name": "@ACI_NAME@",
- "labels": [
- {"name": "arch", "value": "@ACI_ARCH@"},
- {"name": "os", "value": "linux"},
- {"name": "version", "value": "@ACI_VERSION@"}
- ],
- "app": {
- "user": "0",
- "group": "0"
- }
-}
diff --git a/build_library/ebuild_aci_util.sh b/build_library/ebuild_aci_util.sh
deleted file mode 100644
index b25449bc197..00000000000
--- a/build_library/ebuild_aci_util.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-# Copyright (c) 2016 The CoreOS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Expects BOARD, BUILD_DIR, BUILD_LIBRARY_DIR, and FLATCAR_VERSION in env.
-
-# Copied from create_prod_image()
-create_ebuild_aci_image() {
- local image_name="$1"
- local disk_layout="$2"
- local update_group="$3"
- local pkg="$4"
-
- info "Building ACI staging image ${image_name}"
- local root_fs_dir="${BUILD_DIR}/rootfs"
- local image_contents="${image_name%.bin}_contents.txt"
- local image_packages="${image_name%.bin}_packages.txt"
- local image_licenses="${image_name%.bin}_licenses.json"
-
- start_image \
- "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
-
- # Install minimal GCC (libs only) and then everything else
- extract_prod_gcc "${root_fs_dir}"
-
- emerge_to_image_unchecked "${root_fs_dir}" "${pkg}"
- run_ldconfig "${root_fs_dir}"
- write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}"
- write_licenses "${root_fs_dir}" "${BUILD_DIR}/${image_licenses}"
- insert_licenses "${BUILD_DIR}/${image_licenses}" "${root_fs_dir}"
-
- cleanup_mounts "${root_fs_dir}"
- trap - EXIT
-}
-
-ebuild_aci_write_manifest() {
- local manifest="${1?No output path was specified}"
- local name="${2?No ACI name was specified}"
- local version="${3?No ACI version was specified}"
- local appc_arch=
-
- case "${BOARD}" in
- amd64-usr) appc_arch=amd64 ;;
- arm64-usr) appc_arch=aarch64 ;;
- *) die_notrace "Cannot map \"${BOARD}\" to an appc arch" ;;
- esac
-
- sudo cp "${BUILD_LIBRARY_DIR}/ebuild_aci_manifest.in" "${manifest}"
- sudo sed "${manifest}" -i \
- -e "s,@ACI_NAME@,${name}," \
- -e "s,@ACI_VERSION@,${version}," \
- -e "s,@ACI_ARCH@,${appc_arch},"
-}
-
-ebuild_aci_create() {
- local aciroot="${BUILD_DIR}"
- local aci_name="${1?No aci name was specified}"; shift
- local output_image="${1?No output file specified}"; shift
- local pkg="${1?No package given}"; shift
- local version="${1?No package version given}"; shift
- local extra_version="${1?No extra version number given}"; shift
- local pkg_files=( "${@}" )
-
- local staging_image="flatcar_pkg_staging_aci_stage.bin"
-
- local ebuild_atom="=${pkg}-${version}"
-
- local ebuild=$(equery-"${BOARD}" w "${ebuild_atom}" 2>/dev/null)
- [ -n "${ebuild}" ] || die_notrace "No ebuild exists for ebuild \"${pkg}\""
-
- # Build a staging image for this ebuild.
- create_ebuild_aci_image "${staging_image}" container stable "${ebuild_atom}"
-
- # Remount the staging image to brutalize the rootfs for broken services.
- "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=container \
- mount "${BUILD_DIR}/${staging_image}" "${aciroot}/rootfs"
- trap "cleanup_mounts '${aciroot}/rootfs' && delete_prompt" EXIT
-
- # Substitute variables into the manifest to produce the final version.
- ebuild_aci_write_manifest \
- "${aciroot}/manifest" \
- "${aci_name}" \
- "${version}_flatcar.${extra_version}"
-
- local pkg_files_in_rootfs=( "${pkg_files[@]/#/rootfs}" )
-
- # Write a tar ACI file containing the manifest and desired parts of the mounted rootfs
- sudo tar -C "${aciroot}" -hczf "${BUILD_DIR}/${output_image}.aci" \
- manifest ${pkg_files_in_rootfs[@]}
-
- # Unmount the staging image, and delete it to save space.
- cleanup_mounts "${aciroot}/rootfs"
- trap - EXIT
- rm -f "${BUILD_DIR}/${staging_image}"
-
- echo "Created aci for ${pkg}-${version}: ${BUILD_DIR}/${output_image}.aci"
-}
From 9a3e26bf9bee7341ee758ef9d54b8d94d01b0d13 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:10:28 +0200
Subject: [PATCH 5/7] build_image,ci-automation: Add app-containers/docker-buildx to docker-flatcar sysext

---
 build_image | 2 +-
 ci-automation/base_sysexts.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build_image b/build_image
index e916d0df1b6..fb68cf36235 100755
--- a/build_image
+++ b/build_image
@@ -33,7 +33,7 @@ DEFINE_string base_pkg "coreos-base/coreos" \
 "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
 "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
+DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx" \
 "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
 "Directory in which to place image result directories (named by version)"
diff --git a/ci-automation/base_sysexts.sh b/ci-automation/base_sysexts.sh
index e73af856faf..8d8c685bbe1 100644
--- a/ci-automation/base_sysexts.sh
+++ b/ci-automation/base_sysexts.sh
@@ -7,5 +7,5 @@ fi
 ciabs_base_sysexts=(
 'containerd-flatcar:app-containers/containerd'
- 'docker-flatcar:app-containers/docker&app-containers/docker-cli'
+ 'docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx'
 )
From a4ace4e43aa843cdcda958869bc2f4389f1cd42c Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 5 Aug 2024 17:22:21 +0200
Subject: [PATCH 6/7] changelog: Add an entry

---
 changelog/changes/2024-08-05-buildx.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/changes/2024-08-05-buildx.md

diff --git a/changelog/changes/2024-08-05-buildx.md b/changelog/changes/2024-08-05-buildx.md
new file mode 100644
index 00000000000..53dfa0d63f4
--- /dev/null
+++ b/changelog/changes/2024-08-05-buildx.md
@@ -0,0 +1 @@
+- The `docker build` command will now use buildx as its backend as the old one became deprecated and a loud "DEPRECATED" information is printed every time it's used.
From 6d308428bd1afccb37e7dad761b6c90b118a4a90 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 6 Aug 2024 12:15:05 +0200
Subject: [PATCH 7/7] coreos/user-patches: Update a patch for sec-policy packages

---
 .../0001-Flatcar-modifications.patch | 31 +++++++++++++------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch
index e1d7cac08a6..3368bab3766 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch
@@ -1,4 +1,4 @@
-From f646fccd3b737a79ae0e0d0de049166e531fb48b Mon Sep 17 00:00:00 2001
+From 07cf1b05c8b3b9460b4afc2998a9f170881faa16 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak
 Date: Mon, 4 Dec 2023 12:17:25 +0100
 Subject: [PATCH] Flatcar modifications
@@ -8,13 +8,13 @@ Subject: [PATCH] Flatcar modifications
 policy/modules/kernel/corenetwork.if.in | 26 ++++
 policy/modules/kernel/corenetwork.te.in | 12 +-
 policy/modules/kernel/files.if | 45 +++++++
- policy/modules/kernel/kernel.te | 84 +++++++++++++
+ policy/modules/kernel/kernel.te | 84 ++++++++++++
 policy/modules/services/container.fc | 6 +
- policy/modules/services/container.te | 159 +++++++++++++++++++++++-
+ policy/modules/services/container.te | 170 +++++++++++++++++++++++-
 policy/modules/system/init.te | 8 ++
 policy/modules/system/locallogin.te | 9 +-
 policy/modules/system/logging.te | 9 ++
- 10 files changed, 375 insertions(+), 3 deletions(-)
+ 10 files changed, 386 insertions(+), 3 deletions(-)
 
 diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
 index 3c43a1d84..429c67220 100644
@@ -115,10 +115,10 @@ index 53bf7849c..9edac05e8 100644
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)
 diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
-index e0337d044..ffd6a25bf 100644
+index b9c451321..104dc1e3e 100644
 --- a/refpolicy/policy/modules/kernel/files.if
 +++ b/refpolicy/policy/modules/kernel/files.if
-@@ -8004,3 +8004,48 @@ interface(`files_relabel_all_pidfiles',`
+@@ -8023,3 +8023,48 @@ interface(`files_relabel_all_pidfiles',`
 relabel_files_pattern($1, pidfile, pidfile)
 relabel_lnk_files_pattern($1, pidfile, pidfile)
 ')
@@ -280,7 +280,7 @@ index f98e68ba0..045b1b5b2 100644
 /run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
 /run/crun(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
 diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
-index 096d6c23d..4bbab3c69 100644
+index 095308a13..7cd6e45e4 100644
 --- a/refpolicy/policy/modules/services/container.te
 +++ b/refpolicy/policy/modules/services/container.te
 @@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false)
@@ -345,7 +345,7 @@ index 096d6c23d..4bbab3c69 100644 ## ##

-@@ -1191,3 +1237,114 @@ optional_policy(`
+@@ -1192,3 +1238,125 @@ optional_policy(`
 unconfined_domain_noaudit(spc_user_t)
 domain_ptrace_all_domains(spc_user_t)
 ')
@@ -460,11 +460,22 @@ index 096d6c23d..4bbab3c69 100644
 +# avc: denied { map_create } for pid=[0-9]* comm="cilium-operator" scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=bpf permissive=0
 +#
 +allow container_t self:bpf { map_create };
++
++#
++# FLATCAR:
++#
++# These ones happen in docker.base, docker.network and docker.userns.
++# Basically tests that build some docker images. And these started
++# breaking after moving to buildx as a backend of docker build.
++#
++# avc: denied { read } for pid=[0-9]* comm="echo, sleep, whatever" path="/lib64/libc.so.6" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
++#
++allow container_t tmp_t:file { read };
 diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
-index 8f3772dcb..435f62db6 100644
+index 03d0de8ed..16b75d04d 100644
 --- a/refpolicy/policy/modules/system/init.te
 +++ b/refpolicy/policy/modules/system/init.te
-@@ -1674,3 +1674,11 @@ optional_policy(`
+@@ -1678,3 +1678,11 @@ optional_policy(`
 userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
 userdom_dontaudit_write_user_tmp_files(systemprocess)
 ')
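Review bot: `allow container_t tmp_t:file { read };` added in the `@@ -460,11 +460,22` hunk grants every confined container read access to every tmp_t file on the host, far wider than the single denial quoted above it, where the denied path is `/lib64/libc.so.6` on `dev="vda9"` carrying the `tmp_t` label — presumably a rootfs that buildx unpacked under a /tmp-like directory. That denial reads as a labeling problem rather than a missing permission: the build's scratch rootfs should be labeled as container content (container_file_t or a dedicated type, via a file context entry or a labeled mount) so the container can read it without host temp files coming into reach. If the blanket rule has to stay as a stopgap, I would extend the comment above it with `# TODO: tmp_t covers all host temp files; relabel buildx's scratch rootfs instead and drop this rule` so the widening is tracked rather than absorbed. The enclosing policy file continues past this hunk; the earlier hunks in this section only refresh index lines and line counts.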