Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

image: mkosi from nixpkgs #2360

Merged
merged 24 commits into from
Sep 27, 2023
Merged

image: mkosi from nixpkgs #2360

merged 24 commits into from
Sep 27, 2023

Conversation

malt3
Copy link
Contributor

@malt3 malt3 commented Sep 25, 2023
edited
Loading

Context

This is a large step towards reproducible OS image builds. With this change, mkosi and all required tools are installed with nix.
In a follow up step, we will pin all RPMs required to build a Fedora image.

Proposed change(s)

  • use rules_nixpkgs
  • provide toolchains from nixpkgs (allows running bazel build directly on NixOS)
  • mkosi ruleset
  • refactor image build for new mkosi version
  • reimplement measurement precalculation

How to review

Since this PR is quite large, it is probably a good idea to not have everyone review it in full.
Instead, review a part that you are the expert of and comment what you reviewed.
Also, please test if you can build an image on your (Linux) workstation.

How to test

  • When creating a cluster, you can use the following debug image created by the pipeline: ref/feat-image-nix-mkosi-toolchain/stream/debug/v2.12.0-pre.0.20230926093438-08d3e02d2353
  • On NixOS, add common --config=nix to .bazeloverwriterc and build images (see image/README.md)
  • On non-NixOS
    • notice how image build fails without nix installed
    • notice how the rest still works as expected (go binaries)
    • install nix using the determinate systems installer
    • add common --config=nix to .bazeloverwriterc
    • run bazel clean --expunge and build images (see image/README.md)

Checklist

@netlify
Copy link

netlify bot commented Sep 25, 2023
edited
Loading

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 0820989
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/65143de62f018b000881c2c9

@malt3 malt3 force-pushed the feat/image/nix-mkosi-toolchain branch from e9ad93b to 00b73e2 Compare September 25, 2023 17:25
@malt3 malt3 added the no changelog Change won't be listed in release changelog label Sep 25, 2023
@malt3 malt3 added this to the v2.12.0 milestone Sep 25, 2023
@malt3 malt3 marked this pull request as ready for review September 25, 2023 17:35
katexochen
katexochen reviewed Sep 25, 2023
View reviewed changes
dev-docs/workflows/build-develop-deploy.md Show resolved Hide resolved
flake.nix

devShells.default = import ./nix/shells/default.nix { pkgs = pkgsUnstable; };

formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a formatter/linter/instantiate workflow to the CI (not in this PR, but soon).

msanft
msanft reviewed Sep 26, 2023
View reviewed changes
Copy link
Contributor

@msanft msanft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image builds complete successfully on NixOS after a cache clean, nice work!🤟

malt3 and others added 17 commits September 26, 2023 11:34
@malt3 malt3 force-pushed the feat/image/nix-mkosi-toolchain branch from 9284498 to 08d3e02 Compare September 26, 2023 09:34
daniel-weisse
daniel-weisse approved these changes Sep 26, 2023
View reviewed changes
Copy link
Member

@daniel-weisse daniel-weisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image build worked for me on Fedora 37

3u13r
3u13r approved these changes Sep 26, 2023
View reviewed changes
Copy link
Member

@3u13r 3u13r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nit. Works on Ubuntu 22.04. Did not really review the bazel code as it is too complex for me.

image/measured-boot/extract/extract.go Outdated Show resolved Hide resolved
elchead
elchead approved these changes Sep 27, 2023
View reviewed changes
Copy link
Contributor

@elchead elchead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't build the image (on Mac) and have only overlooked the Terraform changes. Should we document the change to disabled secure boot on GCP?

@malt3
Copy link
Contributor Author

malt3 commented Sep 27, 2023

Should we document the change to disabled secure boot on GCP?

I'll document this and also update the docs with the boot measurement table

@malt3 malt3 force-pushed the feat/image/nix-mkosi-toolchain branch 2 times, most recently from 60f6cd4 to db79823 Compare September 27, 2023 14:18
@malt3 malt3 force-pushed the feat/image/nix-mkosi-toolchain branch from db79823 to 0820989 Compare September 27, 2023 14:36
@github-actions
Copy link
Contributor

Coverage report

Package Old New Trend
bootstrapper/cmd/bootstrapper [no test files] [no test files] 🚧
cli/internal/terraform 71.40% 71.40% ↔️
debugd/cmd/debugd [no test files] [no test files] 🚧
disk-mapper/cmd [no test files] [no test files] 🚧
image/measured-boot/cmd 0.00% [no test files] 🚨
image/measured-boot/extract 0.00% 84.40% 🆕
image/measured-boot/fixtures 0.00% [no test files] 🚨
image/measured-boot/measure 0.00% 76.70% 🆕
image/measured-boot/pesection 0.00% [no test files] 🚨
image/upload/internal/cmd [no test files] [no test files] 🚧
internal/osimage [no test files] [no test files] 🚧
internal/osimage/aws [no test files] [no test files] 🚧
internal/osimage/gcp [no test files] [no test files] 🚧
measurement-reader/cmd [no test files] [no test files] 🚧
upgrade-agent/cmd [no test files] [no test files] 🚧

@malt3 malt3 merged commit 4a66899 into main Sep 27, 2023
9 of 10 checks passed
@malt3 malt3 deleted the feat/image/nix-mkosi-toolchain branch September 27, 2023 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@msanft msanft msanft left review comments

@katexochen katexochen katexochen left review comments

@daniel-weisse daniel-weisse daniel-weisse approved these changes

@elchead elchead elchead approved these changes

@3u13r 3u13r 3u13r approved these changes

@thomasten thomasten Awaiting requested review from thomasten thomasten is a code owner

Assignees
No one assigned
Labels
no changelog Change won't be listed in release changelog
Projects
None yet
Milestone
v2.12.0
Development

Successfully merging this pull request may close these issues.
6 participants
@malt3 @3u13r @elchead @katexochen @msanft @daniel-weisse