Demi Marie Obenour <demiobenour@gmail.com> writes:
This step provides versioned release artifacts. Once SHA256SUMS is signed (a detached OpenPGP signature stored alongside it as SHA256SUMS.gpg — the signing itself is not part of this change), the output directory is usable as a systemd-sysupdate source.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 4 ++-- host/rootfs/default.nix | 6 +++--- release/checks/integration/default.nix | 2 +- release/combined/eosimages.nix | 2 +- release/live/Makefile | 14 ++++++++++++++ release/live/default.nix | 5 +---- 6 files changed, 22 insertions(+), 11 deletions(-)
And then on the server we'd only serve one of these at a time, so we'd use the SHA256SUMS file generated by the build?
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 84f1b385198ecfa5905b69e4901e56150ea1b424..35adb3d972c1a30705a5b123c65abf837617eb72 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -91,7 +91,7 @@ clean:
 # supports one output per rule, so we combine the two outputs then
 # define two more rules to separate them again.
 build/rootfs.verity: $(dest)
- $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
+ set -euo pipefail; $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
 | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
 > build/rootfs.verity.roothash.tmp
 cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
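Review bot: `set -euo pipefail` prefixed to this single recipe line protects only this one pipeline; the `cat` line below it and the `head`/`tail` rules later in this file still run under Make's default shell and flags, and since `pipefail` is a bash option the line also presumes `SHELL` is already bash, which this hunk does not show. A file-level `SHELL := bash` and `.SHELLFLAGS := -euo pipefail -c` (ideally with `.DELETE_ON_ERROR:`) gives every recipe the same guarantee and keeps the fix out of the rule body. The guarantee matters here because without it the pipeline's status is awk's, so a failing `$(VERITYSETUP)` would leave an empty roothash .tmp and, if nothing downstream trips on it, an empty `x-spectrum-roothash=` on the kernel command line instead of a build failure. The remaining lines of the `build/rootfs.verity` rule are outside this hunk.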
Correct but unrelated change.
@@ -100,7 +100,7 @@ build/rootfs.verity: $(dest)
 build/rootfs.verity.roothash: build/rootfs.verity
 head -n 1 build/rootfs.verity > $@
 build/rootfs.verity.superblock: build/rootfs.verity
- tail -n +2 build/rootfs.verity > $@
+ { read -r && cat; } < build/rootfs.verity > $@
Why?
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index bc364b930b30e00c55b17b5e4248a303392cf3a0..995b9bfd4c53edf9fa060011c128464518d15d6e 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -8,8 +8,8 @@ import ../../lib/call-package.nix (
 }:
 pkgsStatic.callPackage (
-{ busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils, execline
-, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos
+{ btrfs-progs, busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils
+, execline, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos
 , runCommand, s6, s6-linux-init, s6-rc, socat, spectrum-host-tools
 , stdenvNoCC, util-linux, virtiofsd, writeClosure
 , xdg-desktop-portal-spectrum-host, xorg
@@ -82,7 +82,7 @@ let
 # Packages that should be fully linked into /usr,
 # (not just their bin/* files).
 usrPackages = [
- appvm kernel.modules firmware kmod kmod.lib
+ appvm btrfs-progs firmware kernel.modules kmod kmod.lib
 netvm mesa dejavu_fonts systemd util-linux westonLite
 ];
Unrelated.
diff --git a/release/checks/integration/default.nix b/release/checks/integration/default.nix
index 340fb6e11fed5971caf879d0a8a40baf395a7589..947d9cb8f2a5e1d7e93b6814581d33e342b522fc 100644
--- a/release/checks/integration/default.nix
+++ b/release/checks/integration/default.nix
@@ -86,7 +86,7 @@ stdenv.mkDerivation (finalAttrs: {
 env = {
 QEMU_SYSTEM = "qemu-system-${stdenv.hostPlatform.qemuArch} -nographic";
 EFI_PATH = "${qemu_kvm}/share/qemu/edk2-${stdenv.hostPlatform.qemuArch}-code.fd";
- IMG_PATH = live;
+ IMG_PATH = "${live}/live.img";
 USER_DATA_PATH = userData;
 };
diff --git a/release/combined/eosimages.nix b/release/combined/eosimages.nix
index ba44d9cd82d55d491293ed36cc0402db8ebd3ffe..b168dcf61a74f96fed1d52858c0c3ebfc311873c 100644
--- a/release/combined/eosimages.nix
+++ b/release/combined/eosimages.nix
@@ -7,7 +7,7 @@ import ../../lib/call-package.nix (
 runCommand "eosimages.img" {
 nativeBuildInputs = [ e2fsprogs tar2ext4 ];
 imageName = "Spectrum-0.0-x86_64-generic.0.Live.img";
- image = callSpectrumPackage ../live {};
+ image = "${callSpectrumPackage ../live {}}/live.img";
 __structuredAttrs = true;
 unsafeDiscardReferences = { out = true; };
 dontFixup = true;
diff --git a/release/live/Makefile b/release/live/Makefile
index 3072d869f13efbf5ea196d191881aeab85726d2e..9aa2488a57ba583ff49f0d95af4f91878a0cd5dd 100644
--- a/release/live/Makefile
+++ b/release/live/Makefile
@@ -30,6 +30,20 @@ build/spectrum.efi: build/rootfs.verity.roothash $(DTBS) $(KERNEL) $(INITRAMFS)
 --os-release $$'NAME="Spectrum"\n' \
 --cmdline "ro intel_iommu=on x-spectrum-roothash=$$roothash x-spectrum-version=$$VERSION"
+install: build/rootfs.verity.superblock $(ROOT_FS) build/spectrum.efi $(dest)
+ set -euo pipefail; \
I don't think this needs to hack around the normal Make thing of having one shell per line.
+ $(READ_ROOTHASH); \
+ mkdir -p -- $(DESTDIR) build; \
+ cp -- build/rootfs.verity.superblock $(DESTDIR)/"Spectrum_OS_$$VERSION.verity"; \
+ cp -- $(ROOT_FS) $(DESTDIR)/"Spectrum_OS_$$VERSION.root"; \
+ cp -- build/spectrum.efi $(DESTDIR)/"Spectrum_OS_$$VERSION.efi"; \
+ cp $(dest) $(DESTDIR)/live.img; \
+ cd $(DESTDIR); \
+ sha256sum live.img \
+ "Spectrum_OS_$$VERSION.root" \
+ "Spectrum_OS_$$VERSION.verity" \
+ "Spectrum_OS_$$VERSION.efi" > SHA256SUMS
+
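Review bot: `$(READ_ROOTHASH);` at the top of the install recipe appears unused — nothing after it references `$$roothash`, only `$$VERSION` — so unless READ_ROOTHASH also sets something else this recipe needs, it is a leftover and can be dropped. The live-image copy is the one line without the `--` guard and none of the `$(DESTDIR)` uses are quoted; `cp -- $(dest) "$(DESTDIR)/live.img"` and `cd -- "$(DESTDIR)"` keep the rule consistent once DESTDIR can come from a user rather than `$(out)`. If `install` is not already in a `.PHONY` list elsewhere in this Makefile, a stray file named `install` in the working directory would silently make this target a no-op. Because SHA256SUMS is the file the detached signature will cover, a comment above the rule is worth adding, e.g. `# SHA256SUMS is what gets signed as SHA256SUMS.gpg: generate it after cd so entries carry bare file names, and list every artifact we ship.` The hunk's trailing context lines are not part of the quoted excerpt.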
The project name is just "Spectrum", so drop the "_OS" from the artifact file names. Given that we won't ever want the live image and the individual partition updates at the same time, it probably makes sense to put these into separate builds. Maybe we add host/verity and host/efi to build those, assemble them into an image in release/live, and also add release/update that combines the partition images and the SHA256SUMS file.
diff --git a/release/live/default.nix b/release/live/default.nix
index b5c0c8df31d4c6cb7fdd2337e8169f36655dd1a8..c6dcabd49363e113eb0783ced2a167633a6e19c3 100644
--- a/release/live/default.nix
+++ b/release/live/default.nix
@@ -56,14 +56,11 @@ stdenv.mkDerivation {
 SYSTEMD_BOOT_EFI = "${systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
 EFINAME = "BOOT${toUpper efiArch}.EFI";
 VERSION = import ../../lib/version.nix;
+ DESTDIR = "$(out)";
 } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false {
 DTBS = "${rootfs.kernel}/dtbs";
 };
- buildFlags = [ "dest=$(out)" ];
-
DESTDIR should stay in buildFlags so it's not in the environment for nix-shell.
- dontInstall = true; - enableParallelBuilding = true;
__structuredAttrs = true;
-- 2.51.2