feat: use kernel-cache images and fedora for builds (#214)

ublue-os · Jul 11, 2024 · 0c3223e · 0c3223e
1 parent d0e7b95
commit 0c3223e
Show file tree

Hide file tree

Showing 28 changed files with 149 additions and 253 deletions.
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -31,7 +31,6 @@ jobs:
           - main
           - asus
           - fsync
-          - fsync-lts
           - surface
           - coreos-stable
           - coreos-testing
@@ -44,8 +43,9 @@ jobs:
             kernel_flavor: fsync
           - fedora_version: 39
             kernel_flavor: asus
-          - fedora_version: 40
-            kernel_flavor: fsync-lts # kernel-ba packages are not being built for F40 yet.
+          - fedora_version: 39
+            kernel_flavor: coreos-testing
+
     steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
@@ -59,11 +59,56 @@ jobs:
           else
               echo "IMAGE_NAME=${{ env.IMAGE_BASE_NAME }}-${{ matrix.cfile_suffix }}" >> $GITHUB_ENV
           fi
-          export SOURCE_IMAGE=base
-          export SOURCE_ORG=fedora-ostree-desktops
-          echo "SOURCE_IMAGE=${SOURCE_IMAGE}" >> $GITHUB_ENV
-          echo "SOURCE_ORG=${SOURCE_ORG}" >> $GITHUB_ENV
-          echo "FQ_SOURCE_IMAGE=quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}:${{ matrix.fedora_version }}" >> $GITHUB_ENV
+          export BUILDER_IMAGE=quay.io/fedora/fedora
+          echo "BUILDER_IMAGE=${BUILDER_IMAGE}" >> $GITHUB_ENV
+          echo "FQ_BUILDER_IMAGE=${BUILDER_IMAGE}:${{ matrix.fedora_version }}" >> $GITHUB_ENV
+          export KERNEL_IMAGE=${{ matrix.kernel_flavor }}-kernel
+          echo "KERNEL_IMAGE=${KERNEL_IMAGE}" >> $GITHUB_ENV
+          echo "FQ_KERNEL_IMAGE=${{ env.IMAGE_REGISTRY }}/${KERNEL_IMAGE}:${{ matrix.fedora_version }}" >> $GITHUB_ENV
+
+      - name: AppArmor Disable
+        run: |
+          set -x
+          systemctl status apparmor
+          sudo systemctl stop apparmor
+          systemctl status apparmor || true
+
+      - name: Pull build images
+        uses: Wandalen/[email protected]
+        with:
+          attempt_limit: 3
+          attempt_delay: 15000
+          command: |
+            # pull the base image used for FROM in containerfile so
+            # we can retry on that unfortunately common failure case
+            podman pull ${{ env.FQ_BUILDER_IMAGE }}
+            podman pull ${{ env.FQ_KERNEL_IMAGE }}
+
+      - name: Get current version
+        shell: bash
+        run: |
+          set -eo pipefail
+
+          #skopeo inspect containers-storage:${{ env.FQ_KERNEL_IMAGE }} > kernel.json
+          # We SHOULD be able to use container-storage to inspect already pulled image here
+          # BUT... ubuntu-24.04 builders prevent with this error:
+          #     Error during unshare(...): Operation not permitted
+          # I intend to investigate/fix later, but need to move forward
+          skopeo inspect docker://${{ env.FQ_KERNEL_IMAGE }} > kernel.json
+
+          linux=$(jq -r '.["Labels"]["ostree.linux"]' kernel.json)
+          if [ -z "$linux" ] || [ "null" = "$linux" ]; then
+            echo "inspected linux version must not be empty or null"
+            exit 1
+          fi
+          echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
+
+          img_version=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' kernel.json)
+          if [ -z "$img_version" ] || [ "null" = "$img_version" ]; then
+            echo "inspected image version must not be empty or null"
+            exit 1
+          fi
+          echo "KERNEL_IMAGE_VERSION=$img_version" >> $GITHUB_ENV
 
       - name: Generate tags
         id: generate-tags
@@ -101,94 +146,6 @@ jobs:
 
           echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
 
-      - name: Retrieve akmods signing key
-        run: |
-          mkdir -p certs
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "Using test signing key"
-          else
-              echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
-          fi
-          # DEBUG: get character count of key
-          wc -c certs/private_key.priv
-
-      - name: Pull build image
-        uses: Wandalen/[email protected]
-        with:
-          attempt_limit: 3
-          attempt_delay: 15000
-          command: |
-            # pull the base image used for FROM in containerfile so
-            # we can retry on that unfortunately common failure case
-            podman pull ${{ env.FQ_SOURCE_IMAGE }}
-
-      - name: Get current version
-        run: |
-          set -eo pipefail
-
-          # skopeo must always run to inspect image labels for build version
-          skopeo inspect docker://${{ env.FQ_SOURCE_IMAGE }} > inspect.json
-          ver=$(jq -r '.Labels["org.opencontainers.image.version"]' inspect.json)
-          if [ -z "$ver" ] || [ "null" = "$ver" ]; then
-            echo "inspected image version must not be empty or null"
-            exit 1
-          fi
-
-          if [ "main" == "${{ matrix.kernel_flavor }}" ]; then
-            # main kernel_flavor: use ostree.linux to determine kernel version
-            linux=$(jq -r '.Labels["ostree.linux"]' inspect.json)
-          else
-            # other kernel_flavor: start container use dnf to find kernel version
-            container_name="fq-$(uuidgen)"
-            podman run --entrypoint /bin/bash --name "$container_name" -dt "${{ env.FQ_SOURCE_IMAGE }}"
-            podman exec $container_name rpm-ostree install dnf dnf-plugins-core
-
-            # Fetch kernel version
-            dnf="podman exec $container_name dnf"
-            case "${{ matrix.kernel_flavor }}" in
-              "asus")
-                $dnf copr enable -y lukenukem/asus-kernel
-                linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:lukenukem:asus-kernel --whatprovides kernel | tail -n1 | sed 's/.*://')
-                ;;
-              "fsync")
-                $dnf copr enable -y sentry/kernel-fsync
-                linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:sentry:kernel-fsync --whatprovides kernel | tail -n1 | sed 's/.*://')
-                ;;
-              "fsync-lts")
-                $dnf copr enable -y sentry/kernel-ba
-                linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:sentry:kernel-ba --whatprovides kernel | tail -n1 | sed 's/.*://')
-                ;;
-              "main")
-                linux=$($dnf repoquery --whatprovides kernel | tail -n1 | sed 's/.*://')
-                ;;
-              "surface")
-                $dnf config-manager --add-repo=https://pkg.surfacelinux.com/fedora/linux-surface.repo
-                linux=$($dnf repoquery --repoid linux-surface --whatprovides kernel-surface | tail -n1 | sed 's/.*://')
-                ;;
-              "coreos-stable"|"coreos-testing")
-                coreos_stream=$(echo "${{ matrix.kernel_flavor }}" | cut -f2 -d-)
-                coreos_kernel_release=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:${coreos_stream} | jq -r '.Labels["ostree.linux"] | split(".x86_64")[0]')
-                coreos_fedora_version=$(echo $coreos_kernel_release | grep -oP 'fc\K[0-9]+')
-                if [[ "${{ matrix.fedora_version }}" == "$coreos_fedora_version" ]]; then
-                    linux="${coreos_kernel_release}"
-                elif [[ "$(( "${coreos_fedora_version}" - 1 ))" == ${{ matrix.fedora_version }} ]]; then
-                    major_minor_patch=$(echo "$coreos_kernel_release" | cut -d '-' -f 1)
-                    linux="${major_minor_patch}-200.fc$(($coreos_fedora_version - 1))"
-                fi
-                ;;
-              *)
-                echo "unexpected kernel_flavor '${{ matrix.kernel_flavor }}' for dnf repoquery"
-                ;;
-            esac
-          fi
-
-          if [ -z "$linux" ] || [ "null" = "$linux" ]; then
-            echo "inspected image linux version must not be empty or null"
-            exit 1
-          fi
-          echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV
-          echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
-
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
@@ -199,11 +156,22 @@ jobs:
           labels: |
             org.opencontainers.image.title=${{ env.IMAGE_BASE_NAME }}
             org.opencontainers.image.description=A caching layer for pre-built akmod RPMs
-            org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }}
+            org.opencontainers.image.version=${{ env.KERNEL_IMAGE_VERSION }}
             ostree.linux=${{ env.KERNEL_VERSION }}
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
 
+      - name: Retrieve akmods signing key
+        run: |
+          mkdir -p certs
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+              echo "Using test signing key"
+          else
+              echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
+          fi
+          # DEBUG: get character count of key
+          wc -c certs/private_key.priv
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image
@@ -215,10 +183,9 @@ jobs:
           tags: |
             ${{ steps.generate-tags.outputs.alias_tags }}
           build-args: |
-            SOURCE_IMAGE=${{ env.SOURCE_IMAGE }}
-            SOURCE_ORG=${{ env.SOURCE_ORG }}
+            BUILDER_IMAGE=${{ env.BUILDER_IMAGE }}
+            KERNEL_ORG=${{ github.repository_owner }}
             KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
-            KERNEL_VERSION=${{ env.KERNEL_VERSION }}
             FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }}
             RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
           labels: ${{ steps.meta.outputs.labels }}

diff --git a/Containerfile.common b/Containerfile.common
@@ -2,21 +2,26 @@
 ### Containerfile.common - used to build ONLY NON-nvidia kmods
 ###
 
-#Build from base, simpley because it's the smallest image
-ARG SOURCE_IMAGE="${SOURCE_IMAGE:-base}"
-ARG SOURCE_ORG="${SOURCE_ORG:-fedora-ostree-desktops}"
-ARG BASE_IMAGE="quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
+ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}"
+ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}"
+ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}"
+ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}"
+ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}"
+FROM ${KERNEL_BASE} AS kernel_cache
+FROM ${BUILDER_BASE} AS builder
 
-FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
-ARG KERNEL_FLAVOR="{KERNEL_FLAVOR:-main}"
-ARG KERNEL_VERSION=""
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
 
 COPY build*.sh /tmp
 COPY certs /tmp/certs
 
+# cached kernel rpms
+COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache
+
 # files for akmods
 COPY ublue-os-akmods-addons.spec /tmp/ublue-os-akmods-addons/ublue-os-akmods-addons.spec
 ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \

diff --git a/Containerfile.extra b/Containerfile.extra
@@ -2,21 +2,26 @@
 ### Containerfile.extra - used to build extra kmods
 ###
 
-#Build from base, simpley because it's the smallest image
-ARG SOURCE_IMAGE="${SOURCE_IMAGE:-base}"
-ARG SOURCE_ORG="${SOURCE_ORG:-fedora-ostree-desktops}"
-ARG BASE_IMAGE="quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
+ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}"
+ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}"
+ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}"
+ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}"
+ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}"
+FROM ${KERNEL_BASE} AS kernel_cache
+FROM ${BUILDER_BASE} AS builder
 
-FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
-ARG KERNEL_FLAVOR="{KERNEL_FLAVOR:-main}"
-ARG KERNEL_VERSION=""
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
 
 COPY build*.sh /tmp
 COPY certs /tmp/certs
 
+# cached kernel rpms
+COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache
+
 # files for akmods
 COPY ublue-os-akmods-addons.spec /tmp/ublue-os-akmods-addons/ublue-os-akmods-addons.spec
 ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \

diff --git a/Containerfile.nvidia b/Containerfile.nvidia
@@ -2,21 +2,26 @@
 ### Containerfile.nvidia - used to build ONLY NVIDIA kmods
 ###
 
-#Build from base, simply because it's the smallest image
-ARG SOURCE_IMAGE="${SOURCE_IMAGE:-base}"
-ARG SOURCE_ORG="${SOURCE_ORG:-fedora-ostree-desktops}"
-ARG BASE_IMAGE="quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
+ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}"
+ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}"
+ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}"
+ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}"
+ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}"
+FROM ${KERNEL_BASE} AS kernel_cache
+FROM ${BUILDER_BASE} AS builder
 
-FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
-ARG KERNEL_FLAVOR="{KERNEL_FLAVOR:-main}"
-ARG KERNEL_VERSION=""
+ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
 
 COPY build*.sh /tmp
 COPY certs /tmp/certs
 
+# cached kernel rpms
+COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache
+
 # files for nvidia
 COPY ublue-os-nvidia-addons.spec /tmp/ublue-os-nvidia-addons/ublue-os-nvidia-addons.spec
 COPY files/etc/sway/environment /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/environment

diff --git a/build-kmod-VirtualBox.sh b/build-kmod-VirtualBox.sh
@@ -8,7 +8,7 @@ RELEASE="$(rpm -E '%fedora')"
 
 
 ### BUILD VirtualBox (succeed or fail-fast with debug output)
-rpm-ostree install \
+dnf install -y \
     akmod-VirtualBox-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod VirtualBox
 modinfo /usr/lib/modules/${KERNEL}/extra/VirtualBox/{vboxdrv,vboxnetadp,vboxnetflt}.ko.xz > /dev/null \

diff --git a/build-kmod-ayaneo-platform.sh b/build-kmod-ayaneo-platform.sh
@@ -8,7 +8,7 @@ RELEASE="$(rpm -E '%fedora')"
 
 cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo /etc/yum.repos.d/
 
-rpm-ostree install \
+dnf install -y \
     akmod-ayaneo-platform-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod ayaneo-platform
 modinfo /usr/lib/modules/${KERNEL}/extra/ayaneo-platform/ayaneo-platform.ko.xz > /dev/null \

diff --git a/build-kmod-ayn-platform.sh b/build-kmod-ayn-platform.sh
@@ -8,7 +8,7 @@ RELEASE="$(rpm -E '%fedora')"
 
 cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo /etc/yum.repos.d/
 
-rpm-ostree install \
+dnf install -y \
     akmod-ayn-platform-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod ayn-platform
 modinfo /usr/lib/modules/${KERNEL}/extra/ayn-platform/ayn-platform.ko.xz > /dev/null \

diff --git a/build-kmod-bmi260.sh b/build-kmod-bmi260.sh
@@ -8,7 +8,7 @@ RELEASE="$(rpm -E '%fedora')"
 
 cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo /etc/yum.repos.d/
 
-rpm-ostree install \
+dnf install -y \
     akmod-bmi260-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod bmi260
 modinfo /usr/lib/modules/${KERNEL}/extra/bmi260/bmi260_{core,i2c}.ko.xz > /dev/null \

diff --git a/build-kmod-evdi.sh b/build-kmod-evdi.sh
@@ -11,7 +11,7 @@ cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.rep
 
 ### BUILD evdi (succeed or fail-fast with debug output)
 export CFLAGS="-fno-pie -no-pie"
-rpm-ostree install \
+dnf install -y \
     akmod-evdi-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod evdi
 modinfo /usr/lib/modules/${KERNEL}/extra/evdi/evdi.ko.xz > /dev/null \

diff --git a/build-kmod-facetimehd.sh b/build-kmod-facetimehd.sh
@@ -16,7 +16,7 @@ curl -LsSf -o /etc/yum.repos.d/_copr_mulderje-facetimehd-kmod.repo \
     "https://copr.fedorainfracloud.org/coprs/mulderje/facetimehd-kmod/repo/fedora-${COPR_RELEASE}/mulderje-facetimehd-kmod-fedora-${COPR_RELEASE}.repo"
 
 ### BUILD facetimehd (succeed or fail-fast with debug output)
-rpm-ostree install \
+dnf install -y \
     akmod-facetimehd-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod facetimehd
 modinfo "/usr/lib/modules/${KERNEL}/extra/facetimehd/facetimehd.ko.xz" > /dev/null \

diff --git a/build-kmod-framework-laptop.sh b/build-kmod-framework-laptop.sh
@@ -9,7 +9,7 @@ RELEASE="$(rpm -E '%fedora')"
 cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo /etc/yum.repos.d/
 
 ### BUILD framework-laptop (succeed or fail-fast with debug output)
-rpm-ostree install \
+dnf install -y \
     akmod-framework-laptop-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod framework-laptop
 modinfo /usr/lib/modules/${KERNEL}/extra/framework-laptop/framework_laptop.ko.xz > /dev/null \

diff --git a/build-kmod-gcadapter_oc.sh b/build-kmod-gcadapter_oc.sh
@@ -8,7 +8,7 @@ RELEASE="$(rpm -E '%fedora')"
 
 cp /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo /etc/yum.repos.d/
 
-rpm-ostree install \
+dnf install -y \
     akmod-gcadapter_oc-*.fc${RELEASE}.${ARCH}
 akmods --force --kernels "${KERNEL}" --kmod gcadapter_oc
 modinfo /usr/lib/modules/${KERNEL}/extra/gcadapter_oc/gcadapter_oc.ko.xz > /dev/null \

diff --git a/build-kmod-kvmfr.sh b/build-kmod-kvmfr.sh
@@ -15,7 +15,7 @@ fi
 curl -LsSf -o /etc/yum.repos.d/_copr_hikariknight-looking-glass-kvmfr.repo "https://copr.fedorainfracloud.org/coprs/hikariknight/looking-glass-kvmfr/repo/fedora-${COPR_RELEASE}/hikariknight-looking-glass-kvmfr-fedora-${COPR_RELEASE}.repo"
 
 ### BUILD kvmfr (succeed or fail-fast with debug output)
-rpm-ostree install \
+dnf install -y \
     "akmod-kvmfr-*.fc${RELEASE}.${ARCH}"
 akmods --force --kernels "${KERNEL}" --kmod kvmfr
 modinfo "/usr/lib/modules/${KERNEL}/extra/kvmfr/kvmfr.ko.xz" > /dev/null \