Merge pull request #191 from palainp/podman

allow podman as build system
Pierre Alain 2024-01-30 11:07:33 +01:00 committed by GitHub
commit b318fabd43
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 77 additions and 23 deletions


@ -21,9 +21,9 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v2
- run: ./build-with-docker.sh - run: ./build-with.sh docker
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with-docker.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi' - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
- name: Upload Artifact - name: Upload Artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3

.github/workflows/podman.yml vendored Normal file

@ -0,0 +1,32 @@
name: Main workflow
on:
pull_request:
push:
schedule:
# Prime the caches every Monday
- cron: 0 1 * * MON
jobs:
build:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
runs-on: ${{ matrix.os }}
steps:
- name: Checkout code
uses: actions/checkout@v2
- run: ./build-with.sh podman
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: mirage-firewall.tar.bz2
path: mirage-firewall.tar.bz2
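Review bot: Both actions in this new workflow are referenced by mutable major-version tags, `uses: actions/checkout@v2` (line 43) and `uses: actions/upload-artifact@v3` (line 47); for a job whose purpose is to reproduce a published binary hash, referencing each action by its full commit SHA with a trailing `# vX.Y.Z` comment removes one more moving part from the build. The `# Prime the caches every Monday` comment on the cron trigger describes caching that none of the listed steps performs, so either drop the comment or state what the scheduled run is actually for. If the existing docker workflow also uses `name: Main workflow`, the two runs will be indistinguishable in the Actions list; a distinct `name: Podman build` avoids that.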


@ -6,7 +6,7 @@ tar: build
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
touch _build/mirage-firewall/modules.img touch _build/mirage-firewall/modules.img
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256 sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
fetchmotron: qubes_firewall.xen fetchmotron: qubes_firewall.xen


@ -13,13 +13,13 @@ See the [Deploy](#deploy) section below for installation instructions.
## Build from source ## Build from source
Note: The most reliable way to build is using Docker. Note: The most reliable way to build is using Docker or Podman.
Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
(don't use Debian's version). (don't use Debian's version).
Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal. Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal.
Clone this Git repository and run the `build-with-docker.sh` script (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir): Clone this Git repository and run the `build-with.sh` script with either `docker` or `podman` as argument (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir):
mkdir /home/user/docker mkdir /home/user/docker
sudo ln -s /home/user/docker /var/lib/docker sudo ln -s /home/user/docker /var/lib/docker
@ -28,23 +28,30 @@ Clone this Git repository and run the `build-with-docker.sh` script (Note: The `
sudo systemctl start docker sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall cd qubes-mirage-firewall
sudo ./build-with-docker.sh sudo ./build-with.sh docker
Or
sudo systemctl start podman
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
./build-with.sh podman
This took about 15 minutes on my laptop (it will be much quicker if you run it again). This took about 15 minutes on my laptop (it will be much quicker if you run it again).
The symlink step at the start isn't needed if your build VM is standalone. The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.
It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube. It's not needed with Podman as the containers lives in your home directory by default.
Note: the object files are stored in the `_build` directory to speed up incremental builds. Note: the object files are stored in the `_build` directory to speed up incremental builds.
If you change the dependencies, you will need to delete this directory before rebuilding. If you change the dependencies, you will need to delete this directory before rebuilding.
It's OK to install the Docker package in a template VM if you want it to remain It's OK to install the Docker or Podman package in a template VM if you want it to remain
after a reboot, but the build of the firewall itself should be done in a regular AppVM. after a reboot, but the build of the firewall itself should be done in a regular AppVM.
You can also build without Docker, as for any normal Mirage unikernel; You can also build without that script, as for any normal Mirage unikernel;
see [the Mirage installation instructions](https://mirage.io/wiki/install) for details. see [the Mirage installation instructions](https://mirage.io/wiki/install) for details.
The Docker build fixes the versions of the libraries it uses, ensuring that you will get The build script fixes the versions of the libraries it uses, ensuring that you will get
exactly the same binary that is in the release. If you build without Docker, it will build exactly the same binary that is in the release. If you build without it, it will build
against the latest versions instead (and the hash will therefore probably not match). against the latest versions instead (and the hash will therefore probably not match).
However, it should still work fine. However, it should still work fine.


@ -42,9 +42,9 @@ download-and-unpack-in-DownloadVM4mirage:
check-checksum-in-DownloadVM: check-checksum-in-DownloadVM:
cmd.run: cmd.run:
- names: - names:
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }} - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }} - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
- require: - require:
- download-and-unpack-in-DownloadVM4mirage - download-and-unpack-in-DownloadVM4mirage


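--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@@ -1,9 +0,0 @@
-#!/bin/sh
-set -eu
-echo Building Docker image with dependencies..
-docker build -t qubes-mirage-firewall .
-echo Building Firewall...
-docker run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
-echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
-echo "(hashes should match for released versions)"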

build-with.sh Executable file

@ -0,0 +1,24 @@
#!/bin/sh
set -eu
if [[ $# -ne 1 ]] ; then
echo "Usage: build-with.sh { docker | podman }"
exit 1
fi
builder=$1
case $builder in
docker|podman)
;;
*)
echo "You should use either docker or podman for building"
exit 2
esac
echo Building $builder image with dependencies..
$builder build -t qubes-mirage-firewall .
echo Building Firewall...
$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
echo "(hashes should match for released versions)"
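Review bot: Line 129 uses the bash-only `[[ ... ]]` under a `#!/bin/sh` shebang; where `/bin/sh` is dash (Debian 12, which the README in this commit lists as a supported build host) the test fails with `[[: not found`, the usage check is skipped, and `builder=$1` then aborts under `set -u` with an unhelpful message, so use the POSIX form `if [ "$#" -ne 1 ]; then`. Line 144 passes the backtick form of `pwd` unquoted as the bind-mount source, so a checkout path containing whitespace is split into several arguments; prefer `$builder run --rm -i -v "$(pwd)":/tmp/orb-build:Z qubes-mirage-firewall`. The `case` on lines 134-140 restricts `$builder` to the two literal names before it is used as a command, which is the right check to have; a one-line comment above it, `# only these two known builders may be run as a command`, would make that intent clear to the next editor.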