tools: Fix tag for eve-mkimage-iso-efi

[rene]

Commit ee15f4d introduced changes to fetch the eve-mkimage-iso-efi container for the right target architecture, the fix was needed to generate ISO images for arm64. However, the ARCH prefix was missing for the linuxkit pkg tag resolution. This commit adds the ARCH prefix just as it's done in the tools/parse-pkgs.sh script.

PS: I just figured out this error now because I was changing the pkg/mkimage-iso-efi and it turns out the tag was missing.

[deitch]

Why do we need the -${ARCH}? The images are all indexes, so it should resolve properly. If the lack of ${ARCH} is breaking something, shouldn't we fix that?

[rene]

Why do we need the -${ARCH}? The images are all indexes, so it should resolve properly. If the lack of ${ARCH} is breaking something, shouldn't we fix that?

AFAIK we use that with packages that must be loaded to docker, for instance, pkg/mkconf is one of them, if I build this package: make pkg/mkconf it will load to docker both images:

Loaded image: lfedge/eve-mkconf:d602916021a67af33b8f8c43108059741724e1ef-arm64
Loaded image: lfedge/eve-mkconf:d602916021a67af33b8f8c43108059741724e1ef-amd64

here I just did the same thing done in tools/parse-pkgs.sh to get the final tag....

[deitch]

here I just did the same thing done in tools/parse-pkgs.sh to get the final tag

Yeah, that probably is wrong, too, but it is not your problem; it long predates this. If make pkg/mkconf loads into docker, it should be able to do it generically and determine the arch. I will look at it shortly.

But this shouldn't hold you up. I will look at what is breaking here.

[deitch]

I took another look at how this is used, I don't understand what doesn't work.

1. We run MKIMAGE_TAG="$(linuxkit pkg show-tag "$EVE/pkg/mkimage-iso-efi")". That returns, e.g. lfedge/eve-mkimage-iso-efi:abcd1234
2. Last line, we run cat $INSTALLER_TAR | docker run -i --platform "linux/${ARCH}" --rm -e DEBUG="$DEBUG" -e VOLUME_LABEL=EVEISO -v "$ISO:/output.iso" "$MKIMAGE_TAG" $3

That line has an explicit --platform linux/${ARCH}, so it should find lfedge/eve-mkimage-iso-efi:abcd1234, see that it is an index, and load explicitly the desired platform.

What is not working that this is needed?

[rene]

I took another look at how this is used, I don't understand what doesn't work.

1. We run `MKIMAGE_TAG="$(linuxkit pkg show-tag "$EVE/pkg/mkimage-iso-efi")"`. That returns, e.g. `lfedge/eve-mkimage-iso-efi:abcd1234`

2. Last line, we run `cat $INSTALLER_TAR | docker run -i --platform "linux/${ARCH}" --rm -e DEBUG="$DEBUG" -e VOLUME_LABEL=EVEISO -v "$ISO:/output.iso" "$MKIMAGE_TAG" $3`

That line has an explicit --platform linux/${ARCH}, so it should find lfedge/eve-mkimage-iso-efi:abcd1234, see that it is an index, and load explicitly the desired platform.

What is not working that this is needed?

Because lfedge/eve-mkimage-iso-efi:abcd1234 it's not exported to docker, it exports as lfedge/eve-mkimage-iso-efi:abcd1234-amd64 and lfedge/eve-mkimage-iso-efi:abcd1234-arm64 instead....

[deitch]

Because lfedge/eve-mkimage-iso-efi:abcd1234 it's not exported to docker, it exports as lfedge/eve-mkimage-iso-efi:abcd1234-amd64 and lfedge/eve-mkimage-iso-efi:abcd1234-arm64 instead

Why would it do that? Do you mind linking where it does?

[rene]

Because lfedge/eve-mkimage-iso-efi:abcd1234 it's not exported to docker, it exports as lfedge/eve-mkimage-iso-efi:abcd1234-amd64 and lfedge/eve-mkimage-iso-efi:abcd1234-arm64 instead

Why would it do that? Do you mind linking where it does?

I think this is linuxkit behavior, isn't? I don't see if this is explicitly set... FWIW, just ran manually the following:

build-tools/bin/linuxkit pkg build --docker --platforms linux/amd64 --build-yml build.yml pkg/mkimage-iso-efi/

Output:

Building "lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b"
checking for docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b in local cache...
docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b amd64 not found in local cache, trying to pull
docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b not found, will build: could not find image or index for docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b
building docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b for arches: amd64
Building for arch amd64 as docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64
No image pulled for arch amd64, continuing with build
using existing container linuxkit-builder
building for platform linux/amd64
[+] Building 3.5s (14/14) FINISHED                                                                                   
 => [internal] load remote build context                                                                        0.1s
 => copy /context /                                                                                             0.1s
 => resolve image config for docker.io/docker/buildkit-syft-scanner:stable-1                                    1.0s
 => [internal] load metadata for docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f           0.5s
 => CACHED docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                                       0.2s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                                  0.2s
 => [build 1/5] FROM docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f@sha256:911fd63beaf13  0.0s
 => => resolve docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f@sha256:911fd63beaf13cd6093  0.0s
 => CACHED [build 2/5] RUN eve-alpine-deploy.sh                                                                 0.0s
 => CACHED [build 3/5] RUN echo "mtools_skip_check=1" >> /out/etc/mtools.conf                                   0.0s
 => CACHED [build 4/5] RUN if ! grep -q -w /sbin/nlplug-findfs  /out/etc/mkinitfs/features.d/base.files; then   0.0s
 => CACHED [build 5/5] RUN echo /bin/grep >> /out/etc/mkinitfs/features.d/base.files                            0.0s
 => CACHED [stage-1 1/3] COPY --from=build /out /                                                               0.0s
 => [stage-1 2/3] COPY . /                                                                                      0.1s
 => [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1                         0.9s
 => exporting to oci image format                                                                               0.4s 
 => => exporting layers                                                                                         0.1s
 => => exporting manifest sha256:6c3f268f50dabdf58bc1af3eff0f3ca39ae51cda2720c4453105cdafb1c797b0               0.0s
 => => exporting config sha256:491c5b9937e945ec605c186ba0d9c5942cfe9a50c8928b6a1e8b333428aa0542                 0.0s
 => => exporting attestation manifest sha256:daf32d774d020e1eaa3866685c9624d5c4ebc49af01597ad03d2710ff01b00c9   0.1s
 => => exporting manifest list sha256:b212566bcc06dc3f061421e2359508f3baf0839bac20bfb8796d9d047e37c453          0.0s
 => => sending tarball                                                                                          0.1s
5d50a4332148: Loading layer [==================================================>]  5.919kB/5.919kB
Loaded image: lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64
Tagging docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64 as docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b
Build complete, not pushing, all done.

Exported container is <HASH>-amd64 (forget about the dirty, I'm working on this pkg):

Loaded image: lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64
Tagging docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64 as docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b

Edit:
Notice that here we have tagged:

Tagging docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-amd64 as docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b

However, if I build for arm64:

build-tools/bin/linuxkit pkg build --docker --platforms linux/arm64 --build-yml build.yml pkg/mkimage-iso-efi/

Output:

Building "lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b"
checking for docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b in local cache...
docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b arm64 not found in local cache, trying to pull
docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b not found, will build: error retrieving image docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b for platform linux/arm64 from cache: <nil>
building docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b for arches: arm64
Building for arch arm64 as docker.io/lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-arm64
No image pulled for arch arm64, continuing with build
using existing container linuxkit-builder
building for platform linux/arm64
[+] Building 3.3s (14/14) FINISHED                                                                                   
 => CACHED [internal] load remote build context                                                                 0.1s
 => CACHED copy /context /                                                                                      0.0s
 => resolve image config for docker.io/docker/buildkit-syft-scanner:stable-1                                    0.9s
 => [internal] load metadata for docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f           0.4s
 => CACHED docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                                       0.2s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                                  0.2s
 => [build 1/5] FROM docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f@sha256:911fd63beaf13  0.0s
 => => resolve docker.io/lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f@sha256:911fd63beaf13cd6093  0.0s
 => CACHED [build 2/5] RUN eve-alpine-deploy.sh                                                                 0.0s
 => CACHED [build 3/5] RUN echo "mtools_skip_check=1" >> /out/etc/mtools.conf                                   0.0s
 => CACHED [build 4/5] RUN if ! grep -q -w /sbin/nlplug-findfs  /out/etc/mkinitfs/features.d/base.files; then   0.0s
 => CACHED [build 5/5] RUN echo /bin/grep >> /out/etc/mkinitfs/features.d/base.files                            0.0s
 => CACHED [stage-1 1/3] COPY --from=build /out /                                                               0.0s
 => [stage-1 2/3] COPY . /                                                                                      0.1s
 => [linux/arm64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1                         1.0s
 => exporting to oci image format                                                                               0.5s 
 => => exporting layers                                                                                         0.2s
 => => exporting manifest sha256:161c82157f646dc3d84e3297d7776ca9806b4fdec165747198d8279c86a40d06               0.0s
 => => exporting config sha256:3758a6145743017a0d0d384725a69777b293f1c47f8397693f02b92e4580367c                 0.0s
 => => exporting attestation manifest sha256:12acc8006e0720465edbb826664ecf782ce81290e4021356c6e63800109b79df   0.1s
 => => exporting manifest list sha256:d213fcbe1f953b7780ab05123ea186d9dfe318da5f354cebd9906074e640ad53          0.0s
 => => sending tarball                                                                                          0.1s
5d50a4332148: Loading layer [==================================================>]  5.919kB/5.919kB
Loaded image: lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-arm64
Build complete, not pushing, all done.

We do have the following image exported:

Loaded image: lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b-arm64

But no TAG to lfedge/eve-mkimage-iso-efi:050091842bc99e306410fcdd366a7da7cde16986-dirty-906f47b and that's why it works for amd64 and not for arm64....

[deitch]

Yeah, I see that. That is because of how docker stores (or stored, this is a bit changed) images. It doesn't actually store the index and the images for all architectures; when you do docker pull x, and x is an index, it actually resolves that index to the specific architecture, and pulls that, but then tags it locally. So in the hub, x -> {x for amd64, x for arm64, x for riscv64, etc.}. When you do docker pull x, it replaces it locally as x -> for amd64.

If you want to have the images for different architectures locally, you have to give them different tags. Hence, lkt pkg build --docker adds the arch to the tag, or docker would override anything else. So to keep both x for arm64 and x for amd64, lkt pkg build --docker tags x-amd64 and x-arm64, and then adds x to point to x for amd64, since 90% of the time, when you try to do docker run x, you mean "docker run x for my platform".

[deitch]

Having understood that, let's say I am running lfedge/eve-mkimage on my platform. I ran make pkg/mkimage, it built it and it loaded it up into my amd64 host as mkimage-amd64 and as mkimage (pointing to mkimage-amd64).

Why is that not enough that I need this PR? If I want to run mkimage, that will work, since it is tagged to amd64; if I want to run the arm64 version, why would I? Why run arm64 mkimage on my amd64 host?

[rene]

Having understood that, let's say I am running lfedge/eve-mkimage on my platform. I ran make pkg/mkimage, it built it and it loaded it up into my amd64 host as mkimage-amd64 and as mkimage (pointing to mkimage-amd64).

Why is that not enough that I need this PR? If I want to run mkimage, that will work, since it is tagged to amd64; if I want to run the arm64 version, why would I? Why run arm64 mkimage on my amd64 host?

Thanks, I think it's clear now. To your question: I do run these containers for arm64 a lot of my x86 host to develop and test arm64 stuff. For instance, for the mkimage-iso-efi I was using to generate ISO for arm64 (and test my fix on arm64), at the end of the day any user that wants to generate arm64 images (installer, rootfs, etc) on a x86 host will eventually need to run an arm64 container on x86....

[deitch]

For instance, for the mkimage-iso-efi I was using to generate ISO for arm64 (and test my fix on arm64), at the end of the day any user that wants to generate arm64 images (installer, rootfs, etc) on a x86 host will eventually need to run an arm64 container on x86

That seems strange to me. Why should you have to run mkimage-iso-efi as an arm64 container to generate arm64 ISOs? You should be able to run mkimage-iso-efi on your local architecture to generate any other architecture you want. If not, that is a bug in mkimage-iso-efi that we should fix.

When I build images with upstream linuxkit - which works not too differently, it builds a tar stream of the target contents, then passes that tar stream through a container that generates the final output - it does it all natively, but can target any architecture. The first part is no big deal, since it is just copying contents from various OCI images into a tar stream. But the second part is fairly easy too.

Did I understand you correctly? The reason you are running mkimage-iso-efi platform arm64 on your local x86 is solely because you want to generate arm64 output images?

[rene]

For instance, for the mkimage-iso-efi I was using to generate ISO for arm64 (and test my fix on arm64), at the end of the day any user that wants to generate arm64 images (installer, rootfs, etc) on a x86 host will eventually need to run an arm64 container on x86

That seems strange to me. Why should you have to run mkimage-iso-efi as an arm64 container to generate arm64 ISOs? You should be able to run mkimage-iso-efi on your local architecture to generate any other architecture you want. If not, that is a bug in mkimage-iso-efi that we should fix.

When I build images with upstream linuxkit - which works not too differently, it builds a tar stream of the target contents, then passes that tar stream through a container that generates the final output - it does it all natively, but can target any architecture. The first part is no big deal, since it is just copying contents from various OCI images into a tar stream. But the second part is fairly easy too.

Did I understand you correctly? The reason you are running mkimage-iso-efi platform arm64 on your local x86 is solely because you want to generate arm64 output images?

@deitch , I think I've got lost on this discussion 😆

Did I understand you correctly? The reason you are running mkimage-iso-efi platform arm64 on your local x86 is solely because you want to generate arm64 output images?

Yes, the reason is explained here: #4592

IIRC my original fix was exactly add the -{ARCH} and you complained 😆

TBH I don't understand why it worked before (without the -{ARCH}), I mean, the fix is correct (using --platform), but we still need the -{ARCH} because of the TAG. Perhaps I tested only x86 after the fix or I tested on my arm64 host, so in anycase, it's clear that we need -{ARCH} exactly to be able to run arm64 container on a x86 host....

[deitch]

Yes, the reason is explained here: #4592

Oh, now I see! I had forgotten about that one.

I mean, the fix is correct (using --platform), but we still need the -{ARCH} because of the TAG.

I don't know either. If these were pushed to a registry, or if run on docker with full multi-architecture support, all of this would go away. But as far as I know, it remains experimental.

IIRC my original fix was exactly add the -{ARCH} and you complained 😆

This really does bother me. The entire contents of make-efi is 101 lines, almost a third is comments, and the vast majority of the rest is basic copy stuff. What in there would not work to cross-build?

Can you give me a simple replication, how it gets used to build an arm64 ISO on x86_64 or vice-versa? This bothers me, and it is causing you issues. I want to see where the problem is and either fix it, or comment on it why it won't work.

What is the most basic input I can run, e.g. after I already have an installer.tar or similar and call that container to do it?

[rene]

Yes, the reason is explained here: #4592

Oh, now I see! I had forgotten about that one.

I mean, the fix is correct (using --platform), but we still need the -{ARCH} because of the TAG.

I don't know either. If these were pushed to a registry, or if run on docker with full multi-architecture support, all of this would go away. But as far as I know, it remains experimental.

IIRC my original fix was exactly add the -{ARCH} and you complained 😆

This really does bother me. The entire contents of make-efi is 101 lines, almost a third is comments, and the vast majority of the rest is basic copy stuff. What in there would not work to cross-build?

Can you give me a simple replication, how it gets used to build an arm64 ISO on x86_64 or vice-versa? This bothers me, and it is causing you issues. I want to see where the problem is and either fix it, or comment on it why it won't work.

What is the most basic input I can run, e.g. after I already have an installer.tar or similar and call that container to do it?

Sure, I think the easiest way to test is run the following on a x86 host:

make ZARCH=arm64 installer-iso
make ZARCH=arm64 run-installer-iso

It is going to fail on the first command....

Edit:
Ok, now I think I understood exactly what is going on.... I forgot to mention, you need to change the pkg/mkimage-iso-efi so you won't get the container from dockerhub....

I think this is actually the issue here.... we do have multi-platform container published to dockerhub, but when building it locally we do not export multi-architecture single container, instead, we export using <HASH>-<ARCH> form, and we only create the tag <HASH> for the local (host) container...

My first fix is correct, since I didn't change the pkg/mkimage-iso-efi back them, it just fetched from dockerhub the multi-architecture container and it used (correctly) the arm64 version.... but now I'm changing the pkg/mkimage-iso-efi and then it's not published yet... and we don't have a single multi-architecture container published locally....

So now comes the question, what is the best way to address that?

[deitch]

Ah, I missed your comment.

The makeiso.sh does the following:

cat $INSTALLER_TAR | docker run -i --platform "linux/${ARCH}" --rm -e DEBUG="$DEBUG" -e VOLUME_LABEL=EVEISO -v "$ISO:/output.iso" "$MKIMAGE_TAG" $3

That --platform is just wrong. It should run the local architecture, whatever it is. Whether I am running arm64 or amd64 or riscv64 or s390x (maybe exaggerating a bit), the scripts just convert and copy input and output files. Whatever the tar contains, that is what the output will be.

So run it for amd64 on arm64, it works; same for arm64 on amd64, etc.

cat $INSTALLER_TAR | docker run -i --rm -e DEBUG="$DEBUG" -e VOLUME_LABEL=EVEISO -v "$ISO:/output.iso" "$MKIMAGE_TAG" $3

I cannot tell you why that --platform is there in the first place. the mkimage-iso-efi just works without even knowing the target platform.

Ok, now I think I understood exactly what is going on.... I forgot to mention, you need to change the pkg/mkimage-iso-efi so you won't get the container from dockerhub....

Ah so that is the case. OK, I will try that. But I already can see: as long as the basic tag, i.e. mkimage-iso-efi:abcd123 (no extension) loaded in docker is the one for the current architecture, it will just work.

We don't actually need multi-architecture anywhere. We need that when you call mkimage-iso-efi:abcd123 that it always resolves to the local architecture, whether because that is what is loaded, or because that is what comes from published on the hub.

[deitch]

now I'm changing the pkg/mkimage-iso-efi and then it's not published yet... and we don't have a single multi-architecture container published locally

So do you run make pkg/mkimage-iso-efi before running make ZARCH=arm64 installer-iso?

I tried that, ran it, it worked. Almost. I had to edit makeiso.sh to remove the --platform from the last line.

[deitch]

Since @rene didn't comment here but did explain to me in private channels, I will include his comment here for posterity. This is his discovery, credit where it is due.

True, mkimage-iso-efi is platform-agnostic for almost anything. However, if initrd.img is missing from the tar stream, mkimage-iso-efi creates it here.

if [ ! -e boot/initrd.img ]; then
   # all of the things we need to make a simple initrd
   mkdir -p /tmp/initrd
   (cd /tmp/initrd
   mkdir -p bin lib sbin etc proc sys newroot
   cp /initrd.sh init
   cp /bin/busybox bin/
   cp /lib/ld-musl* lib/
   /bin/busybox --install -s /tmp/initrd/bin
   find . | cpio -H newc -o | gzip > /tmp/initrd.img)
   mv /tmp/initrd.img boot/initrd.img
fi

It copies things from its running platform, specifically /lib/ld-musl* and bin/busybox, to the target initrd.img, and those are of the local platform.

The busybox --install doesn't matter, as it just creates links. The ld-musl* libs and /bin/busybox are the issues.

[deitch]

There are a few ways to fix this:

• include lib-musl* and busybox for all target platforms inside mkimage-iso-efi for all platforms, and copy over what is needed. This is not as hard as it sounds, as you can install any packages for any platforms on alpine.
• Do what we do now, i.e. docker run --platform linux/${ARCH} but with the specific extension.

As clean as the first one is, the real problem is not running --platform linux/${ARCH}; the real problem is that we have mkimage-iso-efi:ver-amd64 and mkimage-iso-efi:ver-arm64 on local docker as separate images, and that is because docker does not support multi-arch indexes locally yet, which is the real "original sin".

I think we should do both. Let's get this fix in - given the messy constraints, @rene has the right answer, and did from the beginning - but let's fix mkimage-iso-efi to be multi-arch friendly from the get-go. I will approach that shortly.

[deitch]

I managed to fix mkimage-iso-efi so it can run on any arch (well, any we support, like arm64 and amd64) and build for any other such arch. Instead of docker run --platform linux/arm64 mkimage-iso-efi, you can just do docker run -e ARCH=arm64 mkimage-iso-efi. That should ease things up.

This one still can do in, although once #4665 is in, we have the option to simplify makeiso.sh.