Reproducible build systems: use in GitHub action the build-with-docker.sh
Also upload the artifact to GitHub action, and in addition use the same setup (ubuntu 20.04 image) and build directories as done on builds.robur.coop. Also use `strip` on the resulting binary to reduce its size (since the debug sections aren't mapped into the running unikernel, there's nothing we get from them -- also they are preserved (as .debug file) and uploaded to https://builds.robur.coop if one needs them). This entails binary reproducibility between the different systems: - a developer using ./build-with-docker.sh - GitHub action (run on every PR) - builds.robur.coop with the ubuntu-20.04 worker
This commit is contained in:
parent
ee45c7ba3d
commit
ba6629f4ca
23
.github/workflows/main.yml
vendored
23
.github/workflows/main.yml
vendored
@ -14,8 +14,6 @@ jobs:
|
|||||||
matrix:
|
matrix:
|
||||||
os:
|
os:
|
||||||
- ubuntu-latest
|
- ubuntu-latest
|
||||||
ocaml-compiler:
|
|
||||||
- 4.14.x
|
|
||||||
|
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
@ -23,19 +21,10 @@ jobs:
|
|||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Use OCaml ${{ matrix.ocaml-compiler }}
|
- run: ./build-with-docker.sh
|
||||||
uses: ocaml/setup-ocaml@v2
|
|
||||||
|
- name: Upload Artifact
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
with:
|
with:
|
||||||
ocaml-compiler: ${{ matrix.ocaml-compiler }}
|
name: mirage-firewall.tar.bz2
|
||||||
|
path: mirage-firewall.tar.bz2
|
||||||
- run: opam depext solo5 "mirage>4"
|
|
||||||
|
|
||||||
- run: opam install solo5 "mirage>4"
|
|
||||||
|
|
||||||
- run: opam exec -- mirage configure -t xen
|
|
||||||
|
|
||||||
- run: opam exec -- make depend
|
|
||||||
|
|
||||||
- run: opam exec -- dune build
|
|
||||||
|
|
||||||
- run: sha256sum dist/qubes-firewall.xen
|
|
||||||
|
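Review bot: The new `uses: actions/upload-artifact@v3` step (like the retained `actions/checkout@v2`) references a mutable tag, so a commit whose stated goal is reproducibility still leaves the workflow's own dependencies floating; pinning to the full commit SHA with the tag kept as a comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v3`, makes the CI side as fixed as the digest-pinned Docker side. The `matrix:` block now carries a single `os: ubuntu-latest` entry and nothing else, which is vestigial once the build runs inside the pinned container; `runs-on: ubuntu-latest` alone says the same with less indirection. The removed `sha256sum dist/qubes-firewall.xen` step is only partly replaced, since build-with-docker.sh echoes the hash but nothing in the workflow checks it against the expected value. The `jobs:` block these hunks belong to starts before the first hunk.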
25
Dockerfile
25
Dockerfile
@ -1,20 +1,21 @@
|
|||||||
# Pin the base image to a specific hash for maximum reproducibility.
|
# Pin the base image to a specific hash for maximum reproducibility.
|
||||||
# It will probably still work on newer images, though, unless an update
|
# It will probably still work on newer images, though, unless an update
|
||||||
# changes some compiler optimisations (unlikely).
|
# changes some compiler optimisations (unlikely).
|
||||||
# fedora-35-ocaml-4.14
|
# ubuntu-20.04
|
||||||
FROM ocaml/opam@sha256:68b7ce1fd4c992d6f3bfc9b4b0a88ee572ced52427f0547b6e4eb6194415f585
|
FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
|
||||||
ENV PATH="${PATH}:/home/opam/.opam/4.14/bin"
|
|
||||||
|
|
||||||
# Since mirage 4.2 we must use opam version 2.1 or later
|
RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
|
||||||
RUN sudo ln -sf /usr/bin/opam-2.1 /usr/bin/opam
|
RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
|
||||||
|
|
||||||
|
ENV OPAMROOT=/tmp
|
||||||
|
ENV OPAMCONFIRMLEVEL=unsafe-yes
|
||||||
# Pin last known-good version for reproducible builds.
|
# Pin last known-good version for reproducible builds.
|
||||||
# Remove this line (and the base image pin above) if you want to test with the
|
# Remove this line (and the base image pin above) if you want to test with the
|
||||||
# latest versions.
|
# latest versions.
|
||||||
RUN cd /home/opam/opam-repository && git fetch origin master && git reset --hard 685eb4efcebfa671660e55d76dea017f00fed4d9 && opam update
|
RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#685eb4efcebfa671660e55d76dea017f00fed4d9
|
||||||
|
RUN opam switch create myswitch 4.14.0
|
||||||
RUN opam install -y mirage opam-monorepo ocaml-solo5
|
RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
|
||||||
RUN mkdir /home/opam/qubes-mirage-firewall
|
RUN mkdir /tmp/orb-build
|
||||||
ADD config.ml /home/opam/qubes-mirage-firewall/config.ml
|
ADD config.ml /tmp/orb-build/config.ml
|
||||||
WORKDIR /home/opam/qubes-mirage-firewall
|
WORKDIR /tmp/orb-build
|
||||||
CMD opam exec -- mirage configure -t xen && make depend && make tar
|
CMD opam exec -- sh -exc 'mirage configure -t xen --allocation-policy=best-fit && make depend && make tar'
|
||||||
|
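Review bot: The opam binary fetched by the new `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam` line is installed without any integrity check, so while the base image and the opam-repository commit are pinned, the toolchain that is supposed to guarantee a reproducible build is itself trusted on nothing more than the download succeeding. Verify it in the same layer, e.g. `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && echo "<sha256-of-opam-2.1.3-i686-linux-placeholder>  /usr/bin/opam" | sha256sum -c - && chmod 755 /usr/bin/opam`, with the hash taken from the upstream release checksums. The new `apt update && apt install ...` line should use `apt-get` and end with `&& rm -rf /var/lib/apt/lists/*` so the package index is not left in the image layer. Unlike the previous `ocaml/opam` base, plain `ubuntu` runs every `RUN` and the `CMD` as root, so anything the build writes into the bind-mounted `/tmp/orb-build` (the host checkout) ends up root-owned; a `USER` directive, or a `--user` on the `docker run` side, would avoid that.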
@ -1,6 +1,8 @@
|
|||||||
tar: build
|
tar: build
|
||||||
rm -rf _build/mirage-firewall
|
rm -rf _build/mirage-firewall
|
||||||
mkdir _build/mirage-firewall
|
mkdir _build/mirage-firewall
|
||||||
|
cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
|
||||||
|
strip dist/qubes-firewall.xen
|
||||||
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
|
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
|
||||||
touch _build/mirage-firewall/modules.img
|
touch _build/mirage-firewall/modules.img
|
||||||
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
||||||
|
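Review bot: The new `cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug` followed by `strip dist/qubes-firewall.xen` is not safe to run twice: a second `make tar` on an already-stripped `dist/qubes-firewall.xen` overwrites the `.debug` copy with the stripped binary, quietly losing the symbols the commit message says are kept for anyone who needs them. Unless the `build` prerequisite always regenerates `dist/qubes-firewall.xen` (not visible in this hunk), either guard the copy, e.g. `test -f dist/qubes-firewall.xen.debug || cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug`, or write the stripped output elsewhere with `strip -o` and leave the built binary untouched. A one-line comment above these two recipe lines stating that `.debug` is the unstripped original kept for symbolication would also help the next reader.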
@ -3,7 +3,7 @@ set -eu
|
|||||||
echo Building Docker image with dependencies..
|
echo Building Docker image with dependencies..
|
||||||
docker build -t qubes-mirage-firewall .
|
docker build -t qubes-mirage-firewall .
|
||||||
echo Building Firewall...
|
echo Building Firewall...
|
||||||
docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
|
docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
|
||||||
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
||||||
echo "SHA2 last known: f499b2379c62917ac32854be63f201e6b90466e645e54dea51e376baccdf26ab"
|
echo "SHA2 last known: 3f71a1b672a15d145c7d40405dd75f06a2b148d2cfa106dc136e3da38552de41"
|
||||||
echo "(hashes should match for released versions)"
|
echo "(hashes should match for released versions)"
|
||||||
|
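Review bot: The script prints the actual and the last-known SHA-256 but never compares them, so under `set -eu` it exits 0 either way and the GitHub job that now calls it cannot distinguish a reproducible build from a divergent one. Since the known hash applies only to released versions a hard failure would break every PR, but an explicit warning costs nothing: `actual=$(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)` followed by `[ "$actual" = "3f71a1b672a15d145c7d40405dd75f06a2b148d2cfa106dc136e3da38552de41" ] || echo "WARNING: hash does not match last known release build"`. The updated `docker run` line still uses unquoted backticks for `pwd`, which breaks on a checkout path containing spaces; `-v "$(pwd)":/tmp/orb-build` is the portable form. Because the Dockerfile in this commit sets no `USER`, the `dist/` output written through that mount will presumably be root-owned on the host, which is worth a comment here for developers running the script locally.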