feat: use cached kernel (#605)
m2Giles authored Jul 12, 2024
1 parent f99e5cb commit a7af108
Showing 3 changed files with 66 additions and 29 deletions.
56 changes: 35 additions & 21 deletions .github/workflows/reusable-build.yml
Expand Up @@ -3,7 +3,7 @@ on:
workflow_call:
inputs:
fedora_version:
description: 'The Fedora release version: 39, 40, 41 etc'
description: "The Fedora release version: 39, 40, 41 etc"
required: true
type: string
env:
Expand Down Expand Up @@ -141,8 +141,27 @@ jobs:
echo "inspected image version must not be empty or null"
exit 1
fi
linux=$(skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/main-kernel:${{ matrix.fedora_version }} | jq -r '.Labels["ostree.linux"]')
AKMODS_KERNEL_VERSION=$(skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods:main-${{ matrix.fedora_version }} | jq -r '.Labels["ostree.linux"]')
if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then
echo "Kernel Versions do not match between AKMODS and Cached-Kernel."
exit 1
fi
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV
- name: Pull Images
uses: Wandalen/[email protected]
with:
attempt_limit: 3
attempt_delay: 15000
command: |
# pull the base image used for FROM in containerfile so
# we can retry on that unfortunately common failure case
podman pull quay.io/${{ env.SOURCE_ORG }}/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:main-${{ matrix.fedora_version }}
podman pull ghcr.io/ublue-os/main-kernel:${{ env.KERNEL_VERSION }}
# Generate image metadata
- name: Image Metadata
uses: docker/metadata-action@v5
Expand All @@ -154,19 +173,10 @@ jobs:
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }}
org.opencontainers.image.description=A base Universal Blue ${{ matrix.image_name }} image with batteries included
ostree.linux=${{ env.KERNEL_VERSION }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
- name: Pull base image
uses: Wandalen/[email protected]
with:
attempt_limit: 3
attempt_delay: 15000
command: |
# pull the base image used for FROM in containerfile so
# we can retry on that unfortunately common failure case
podman pull quay.io/${{ env.SOURCE_ORG }}/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }}
# Build image using Buildah action
- name: Build Image
id: build_image
Expand All @@ -183,19 +193,23 @@ jobs:
SOURCE_IMAGE=${{ env.SOURCE_IMAGE }}
FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }}
RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
KERNEL_VERSION=${{ env.KERNEL_VERSION }}
labels: ${{ steps.meta.outputs.labels }}
oci: false

- name: Sign kernel
uses: ublue-os/[email protected]
if: github.event_name != 'pull_request'
with:
image: ${{ steps.build_image.outputs.image }}
default-tag: ${{ env.DEFAULT_TAG }}
privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }}
pubkey: /etc/pki/akmods/certs/akmods-ublue.der
tags: ${{ steps.build_image.outputs.tags }}
strip: false
# - name: Secureboot Signature Confirmation
# id: secureboot_confirm
# shell: bash
# run: |
# sudo apt-get update && sudo apt-get install -y sbsigntool curl openssl
# curl -Lo /tmp/kernel-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
# curl -Lo /tmp/akmods-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
# openssl x509 -in /tmp/kernel-signing.der -out /tmp/kernel-signing.crt
# openssl x509 -in /tmp/akmods-signing.der -out /tmp/akmods-signing.crt
# /usr/bin/podman run --rm --entrypoint /bin/bash "${{ steps.build_image.outputs.image }}":"$(echo '${{ steps.build_image.outputs.tags }}' | cut -d ' ' -f 1)" -c "cat /usr/lib/modules/*/vmlinuz" > /tmp/extracted-kernel
# sbverify --list /tmp/extracted-kernel
# sbverify --cert /tmp/kernel-signing.crt /tmp/extracted-kernel || exit 1
# sbverify --cert /tmp/akmods-signing.crt /tmp/extracted-kernel || exit 1

# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
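Review bot: The kernel-version cross-check added to the `run:` block of the second hunk passes trivially when the `ostree.linux` label is missing from either image: `jq -r` prints `null` for both, the two strings compare equal, and `KERNEL_VERSION=null` lands in `$GITHUB_ENV`, so the failure only surfaces later as a pull of `main-kernel:null`. Mirror the `ver` guard that sits just above it: `if [[ -z "$linux" || "$linux" == "null" ]]; then echo "cached kernel version must not be empty or null"; exit 1; fi` before the comparison. The step also inspects `${{ env.IMAGE_REGISTRY }}/main-kernel` while the pull step and the Containerfile use the hard-coded `ghcr.io/ublue-os/main-kernel`, so if those references ever diverge the check validates a different image than the one that ships; using a single reference, or pulling by the inspected digest, would close that gap. With the `Secureboot Signature Confirmation` step left commented out, nothing in this workflow asserts that the vmlinuz taken from the cache carries an expected signature, which seems worth a comment stating why it is disabled if that is intentional. The `run:` block begins above the hunk.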
10 changes: 7 additions & 3 deletions Containerfile
Expand Up @@ -3,15 +3,18 @@ ARG SOURCE_IMAGE="${SOURCE_IMAGE:-silverblue}"
ARG SOURCE_ORG="${SOURCE_ORG:-fedora-ostree-desktops}"
ARG BASE_IMAGE="quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"

FROM ghcr.io/ublue-os/config:latest as config
FROM ghcr.io/ublue-os/akmods:main-${FEDORA_MAJOR_VERSION} as akmods
FROM ghcr.io/ublue-os/config:latest AS config
FROM ghcr.io/ublue-os/akmods:main-${FEDORA_MAJOR_VERSION} AS akmods
FROM ghcr.io/ublue-os/main-kernel:${KERNEL_VERSION} AS kernel

FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}

ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
ARG RPMFUSION_MIRROR=""
ARG RPMFUSION_MIRROR="${:-}"
ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"

COPY github-release-install.sh \
install.sh \
Expand All @@ -22,6 +25,7 @@ COPY github-release-install.sh \

COPY --from=config /rpms /tmp/rpms
COPY --from=akmods /rpms/ublue-os /tmp/rpms
COPY --from=kernel /tmp/rpms /tmp/kernel-rpms
COPY sys_files/usr /usr

RUN mkdir -p /var/lib/alternatives && \
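Review bot: `ARG RPMFUSION_MIRROR="${:-}"` in the first hunk has an empty variable name inside the expansion and, read against the neighbouring `ARG` lines, is presumably meant to be `ARG RPMFUSION_MIRROR="${RPMFUSION_MIRROR:-}"`; as written the builder either rejects the line or passes the literal text through, and either outcome differs from the `""` it appears to replace. The new `kernel` stage is pulled by the mutable `main-kernel:${KERNEL_VERSION}` tag with no digest, so the stage's contents can change under the same version string between builds; if the publisher exposes digests, pinning `@sha256:<digest-from-upstream>` or resolving the digest in the workflow would make the cached kernel reproducible. The default `6.9.7-200.fc40.x86_64` is now declared twice, before and after the `FROM` lines, and has to be kept in sync by hand; a comment on the second declaration such as `# re-declared: ARGs set before FROM are not visible inside a stage` would explain why the duplication exists.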
29 changes: 24 additions & 5 deletions install.sh
@@ -1,24 +1,43 @@
#!/bin/sh
#!/usr/bin/bash

set -ouex pipefail

RELEASE="$(rpm -E %fedora)"
KERNEL_SUFFIX=""
QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(|'"$KERNEL_SUFFIX"'-)(\d+\.\d+\.\d+)' | sed -E 's/kernel-(|'"$KERNEL_SUFFIX"'-)//')"

RPMFUSION_MIRROR_RPMS="https://mirrors.rpmfusion.org"
if [ -n "${RPMFUSION_MIRROR}" ]; then
RPMFUSION_MIRROR_RPMS=${RPMFUSION_MIRROR}
fi

curl -Lo /tmp/rpms/rpmfusion-free-release-${RELEASE}.noarch.rpm ${RPMFUSION_MIRROR_RPMS}/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm
curl -Lo /tmp/rpms/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm ${RPMFUSION_MIRROR_RPMS}/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm
curl -Lo /tmp/rpms/rpmfusion-free-release-"${RELEASE}".noarch.rpm "${RPMFUSION_MIRROR_RPMS}"/free/fedora/rpmfusion-free-release-"${RELEASE}".noarch.rpm
curl -Lo /tmp/rpms/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm "${RPMFUSION_MIRROR_RPMS}"/nonfree/fedora/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm

curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-${RELEASE}/ublue-os-staging-fedora-${RELEASE}.repo
curl -Lo /etc/yum.repos.d/_copr_kylegospo_oversteer.repo https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-${RELEASE}/kylegospo-oversteer-fedora-${RELEASE}.repo
curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${RELEASE}"/ublue-os-staging-fedora-"${RELEASE}".repo
curl -Lo /etc/yum.repos.d/_copr_kylegospo_oversteer.repo https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-"${RELEASE}"/kylegospo-oversteer-fedora-"${RELEASE}".repo

rpm-ostree install \
/tmp/rpms/*.rpm \
fedora-repos-archive

# Handle Kernel Skew with override replace
rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
cd /tmp/kernel-rpms
rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv
cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
cd /
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
--experimental \
/tmp/kernel-rpms/kernel-[0-9]*.rpm \
/tmp/kernel-rpms/kernel-core-*.rpm \
/tmp/kernel-rpms/kernel-modules-*.rpm
fi

if [[ "${FEDORA_MAJOR_VERSION}" -ge 39 ]]; then
# note: this is done before single mirror hack to ensure this persists in image and is not reset
echo "Enable rpmfusion-(non)free-updates-testing with low priority for Fedora ${FEDORA_MAJOR_VERSION}"
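Review bot: The `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz` line in the kernel-skew `if` branch pairs two independent globs, so nothing ties the extracted vmlinuz to the directory it overwrites; if either side expands to more than one entry `cp` either fails or copies into the wrong module directory. Because the branch only runs when `KERNEL_VERSION` equals the installed kernel, the paths can be spelled out: `cp ./lib/modules/"${KERNEL_VERSION}"/vmlinuz /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz` (this assumes the rpm payload is rooted at `./lib/modules` — confirm against the kernel-core package). The in-place copy also leaves the rpmdb describing the original vmlinuz, so `rpm -V kernel-core` on the built image is likely to flag the file; a comment above the `if`, such as `# Same version as the base image: swap only vmlinuz for the signed one from kernel-cache; any other version is installed wholesale via override replace`, would record that this is intended. The `rpm2cpio | cpio -idmv` step unpacks the whole kernel-core payload when only vmlinuz is needed; passing the pattern `'./lib/modules/*/vmlinuz'` to cpio would limit extraction to that file. The script continues past the end of the hunk.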