Git-Mirrors/qubes-mirage-firewall
1
0
Fork 0
mirror of https://github.com/mirage/qubes-mirage-firewall.git synced 2024-10-01 01:05:39 -04:00
Code Issues Packages Projects Releases Wiki Activity

Reproducible build systems: use in GitHub action the build-with-docker.sh

Browse Source 
Also upload the artifact to GitHub action, and in addition use the same setup
(ubuntu 20.04 image) and build directories as done on builds.robur.coop.

Also use `strip` on the resulting binary to reduce it's size (since the debug
section aren't mapped into the running unikernel, there's nothing we get from
them -- also they are preserved (as .debug file) and uploaded to
https://builds.robur.coop if one needs them).

This entails binary reproducibility between the different systems:
- a developer using ./build-with-docker.sh
- GitHub action (run on every PR)
- builds.robur.coop with the ubuntu-20.04 worker
This commit is contained in:
Hannes Mehnert 2022-11-13 12:22:59 +01:00
parent ee45c7ba3d
commit ba6629f4ca
4 changed files with 23 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.github/workflows/main.yml vendored
View File

@ -14,8 +14,6 @@ jobs:
matrix: matrix:
os: os:
- ubuntu-latest - ubuntu-latest
ocaml-compiler:
- 4.14.x
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
@ -23,19 +21,10 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Use OCaml ${{ matrix.ocaml-compiler }} - run: ./build-with-docker.sh
uses: ocaml/setup-ocaml@v2
- name: Upload Artifact
uses: actions/upload-artifact@v3
with: with:
ocaml-compiler: ${{ matrix.ocaml-compiler }} name: mirage-firewall.tar.bz2
path: mirage-firewall.tar.bz2
- run: opam depext solo5 "mirage>4"
- run: opam install solo5 "mirage>4"
- run: opam exec -- mirage configure -t xen
- run: opam exec -- make depend
- run: opam exec -- dune build
- run: sha256sum dist/qubes-firewall.xen

25
Dockerfile
View File

@ -1,20 +1,21 @@
# Pin the base image to a specific hash for maximum reproducibility. # Pin the base image to a specific hash for maximum reproducibility.
# It will probably still work on newer images, though, unless an update # It will probably still work on newer images, though, unless an update
# changes some compiler optimisations (unlikely). # changes some compiler optimisations (unlikely).
# fedora-35-ocaml-4.14 # ubuntu-20.04
FROM ocaml/opam@sha256:68b7ce1fd4c992d6f3bfc9b4b0a88ee572ced52427f0547b6e4eb6194415f585 FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
ENV PATH="${PATH}:/home/opam/.opam/4.14/bin"
# Since mirage 4.2 we must use opam version 2.1 or later RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
RUN sudo ln -sf /usr/bin/opam-2.1 /usr/bin/opam RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
ENV OPAMROOT=/tmp
ENV OPAMCONFIRMLEVEL=unsafe-yes
# Pin last known-good version for reproducible builds. # Pin last known-good version for reproducible builds.
# Remove this line (and the base image pin above) if you want to test with the # Remove this line (and the base image pin above) if you want to test with the
# latest versions. # latest versions.
RUN cd /home/opam/opam-repository && git fetch origin master && git reset --hard 685eb4efcebfa671660e55d76dea017f00fed4d9 && opam update RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#685eb4efcebfa671660e55d76dea017f00fed4d9
RUN opam switch create myswitch 4.14.0
RUN opam install -y mirage opam-monorepo ocaml-solo5 RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
RUN mkdir /home/opam/qubes-mirage-firewall RUN mkdir /tmp/orb-build
ADD config.ml /home/opam/qubes-mirage-firewall/config.ml ADD config.ml /tmp/orb-build/config.ml
WORKDIR /home/opam/qubes-mirage-firewall WORKDIR /tmp/orb-build
CMD opam exec -- mirage configure -t xen && make depend && make tar CMD opam exec -- sh -exc 'mirage configure -t xen --allocation-policy=best-fit && make depend && make tar'

2
Makefile.user
View File

@ -1,6 +1,8 @@
tar: build tar: build
rm -rf _build/mirage-firewall rm -rf _build/mirage-firewall
mkdir _build/mirage-firewall mkdir _build/mirage-firewall
cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
strip dist/qubes-firewall.xen
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
touch _build/mirage-firewall/modules.img touch _build/mirage-firewall/modules.img
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs cat /dev/null | gzip -n > _build/mirage-firewall/initramfs

4
build-with-docker.sh
View File

@ -3,7 +3,7 @@ set -eu
echo Building Docker image with dependencies.. echo Building Docker image with dependencies..
docker build -t qubes-mirage-firewall . docker build -t qubes-mirage-firewall .
echo Building Firewall... echo Building Firewall...
docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)" echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
echo "SHA2 last known: f499b2379c62917ac32854be63f201e6b90466e645e54dea51e376baccdf26ab" echo "SHA2 last known: 3f71a1b672a15d145c7d40405dd75f06a2b148d2cfa106dc136e3da38552de41"
echo "(hashes should match for released versions)" echo "(hashes should match for released versions)"