From ba6629f4ca5cfe99a0bf546eb28be55eb777314c Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Sun, 13 Nov 2022 12:22:59 +0100
Subject: [PATCH] Reproducible build systems: use in GitHub action the build-with-docker.sh

Also upload the artifact to GitHub action, and in addition use the same setup (ubuntu 20.04 image) and build directories as done on builds.robur.coop.

Also use `strip` on the resulting binary to reduce it's size (since the debug section aren't mapped into the running unikernel, there's nothing we get from them -- also they are preserved (as .debug file) and uploaded to https://builds.robur.coop if one needs them).

This entails binary reproducibility between the different systems:
- a developer using ./build-with-docker.sh
- GitHub action (run on every PR)
- builds.robur.coop with the ubuntu-20.04 worker
---
 .github/workflows/main.yml | 23 ++++++-----------------
 Dockerfile | 25 +++++++++++++------------
 Makefile.user | 2 ++
 build-with-docker.sh | 4 ++--
 4 files changed, 23 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 379dce8..d5efec6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,8 +14,6 @@ jobs: matrix: os: - ubuntu-latest - ocaml-compiler: - - 4.14.x runs-on: ${{ matrix.os }}
@@ -23,19 +21,10 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - - name: Use OCaml ${{ matrix.ocaml-compiler }} - uses: ocaml/setup-ocaml@v2 + - run: ./build-with-docker.sh + + - name: Upload Artifact + uses: actions/upload-artifact@v3 with: - ocaml-compiler: ${{ matrix.ocaml-compiler }} - - - run: opam depext solo5 "mirage>4" - - - run: opam install solo5 "mirage>4" - - - run: opam exec -- mirage configure -t xen - - - run: opam exec -- make depend - - - run: opam exec -- dune build - - - run: sha256sum dist/qubes-firewall.xen + name: mirage-firewall.tar.bz2 + path: mirage-firewall.tar.bz2
diff --git a/Dockerfile b/Dockerfile
index 564f56e..c511cdb 100644
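Review bot: The new steps reference `actions/checkout@v2` and `actions/upload-artifact@v3` by mutable major-version tag, so the workflow that is meant to produce an artifact byte-identical to builds.robur.coop runs whatever code those tags point at on a given day; pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) makes the action code one of the reproducible inputs. The `- run: ./build-with-docker.sh` step also, as far as the build-with-docker.sh hunk shows, only echoes the computed SHA2 and the last-known value without comparing them, so a reproducibility regression would still pass CI and only be visible in the log; if CI is meant to gate on it, either a follow-up step that compares the two or the script exiting non-zero on mismatch is needed. Whether `mirage-firewall.tar.bz2` is written to the repository root by `make tar` is not visible in this diff, so the upload `path:` should be checked against what the tar target actually produces.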
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,21 @@
 # Pin the base image to a specific hash for maximum reproducibility.
 # It will probably still work on newer images, though, unless an update
 # changes some compiler optimisations (unlikely).
-# fedora-35-ocaml-4.14
-FROM ocaml/opam@sha256:68b7ce1fd4c992d6f3bfc9b4b0a88ee572ced52427f0547b6e4eb6194415f585
-ENV PATH="${PATH}:/home/opam/.opam/4.14/bin"
+# ubuntu-20.04
+FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
 
-# Since mirage 4.2 we must use opam version 2.1 or later
-RUN sudo ln -sf /usr/bin/opam-2.1 /usr/bin/opam
+RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
+ENV OPAMROOT=/tmp
+ENV OPAMCONFIRMLEVEL=unsafe-yes
 
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
-RUN cd /home/opam/opam-repository && git fetch origin master && git reset --hard 685eb4efcebfa671660e55d76dea017f00fed4d9 && opam update
-
-RUN opam install -y mirage opam-monorepo ocaml-solo5
-RUN mkdir /home/opam/qubes-mirage-firewall
-ADD config.ml /home/opam/qubes-mirage-firewall/config.ml
-WORKDIR /home/opam/qubes-mirage-firewall
-CMD opam exec -- mirage configure -t xen && make depend && make tar
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#685eb4efcebfa671660e55d76dea017f00fed4d9
+RUN opam switch create myswitch 4.14.0
+RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
+RUN mkdir /tmp/orb-build
+ADD config.ml /tmp/orb-build/config.ml
+WORKDIR /tmp/orb-build
+CMD opam exec -- sh -exc 'mirage configure -t xen --allocation-policy=best-fit && make depend && make tar'
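Review bot: The added `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam` line installs the opam binary without verifying it, which makes it the one input to this otherwise pinned image (base image by sha256 digest, opam-repository by commit) that a replaced or tampered release asset could silently change; a checksum step in the same `RUN` closes that gap, e.g. `RUN wget -O /usr/bin/opam <same URL> && echo "<sha256-of-opam-2.1.3-i686-linux>  /usr/bin/opam" | sha256sum -c - && chmod 755 /usr/bin/opam`. The `opam init --disable-sandboxing` line, together with the absence of any `USER` instruction in the hunk, means the `CMD` runs every package's build script unsandboxed as root inside `/tmp/orb-build`, which build-with-docker.sh bind-mounts from the host checkout; a comment such as `# bubblewrap sandboxing does not work inside the container, so opam's build sandbox is disabled` would record why (presumably the reason), and a dedicated build user would bound what a misbehaving build script can write. The `apt update && apt install ...` line would be closer to the usual idiom as `apt-get update && apt-get install ... && rm -rf /var/lib/apt/lists/*` in the same layer, so the package index is not baked into the image.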
diff --git a/Makefile.user b/Makefile.user
index 04d772b..fb04a23 100644
--- a/Makefile.user
+++ b/Makefile.user
@@ -1,6 +1,8 @@
 tar: build
 rm -rf _build/mirage-firewall
 mkdir _build/mirage-firewall
+ cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
+ strip dist/qubes-firewall.xen
 cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
 touch _build/mirage-firewall/modules.img
 cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
diff --git a/build-with-docker.sh b/build-with-docker.sh
index e3ddce7..4dfbb34 100755
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@@ -3,7 +3,7 @@ set -eu
 echo Building Docker image with dependencies..
 docker build -t qubes-mirage-firewall .
 echo Building Firewall...
-docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
+docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
 echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: f499b2379c62917ac32854be63f201e6b90466e645e54dea51e376baccdf26ab"
+echo "SHA2 last known: 3f71a1b672a15d145c7d40405dd75f06a2b148d2cfa106dc136e3da38552de41"
 echo "(hashes should match for released versions)"
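Review bot: The added `cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug` followed by an in-place `strip dist/qubes-firewall.xen` assumes the binary is still unstripped whenever the `tar` target runs; if `make tar` is invoked again while `build` leaves an already-stripped `dist/qubes-firewall.xen` in place (whether the build step re-copies a fresh binary is not visible here), the stripped file is copied over the `.debug` file and the debug information is lost. Stripping to a separate output, e.g. `strip -o dist/qubes-firewall.xen.stripped dist/qubes-firewall.xen` and copying that to `vmlinuz`, keeps the original intact, though build-with-docker.sh hashes `dist/qubes-firewall.xen` and would then need to hash the stripped file to keep its last-known value meaningful. The `tar` recipe appears to continue past the end of the hunk.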
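Review bot: The changed `docker run` line keeps the unquoted backtick `pwd` substitution for the `-v` mount, so a checkout path containing whitespace splits into several arguments and the bind mount of `/tmp/orb-build` fails; `-v "$(pwd)":/tmp/orb-build` is the safe form and matches the `$(sha256sum ...)` style the script already uses two lines below. Since the container writes into that mounted checkout as root, the resulting `dist/` and `_build/` files will presumably be root-owned on the host, which is worth a short comment above the line so users of the script are not surprised.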