Use buildkit's builtin mechanism to generate SBOM
- --sbom=true is not compatible with --load because docker doesn't
  support the full OCI spec. Instead we export a TAR file in OCI format and
  later load it into the linuxkit cache

- since the image is now hosted by linuxkit cache we should use 'cache
  push' command to push it to dockerhub registry

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
rucoder committed Feb 28, 2024
1 parent 9b109b5 commit 16ec9f3
Showing 1 changed file with 21 additions and 8 deletions.
29 changes: 21 additions & 8 deletions Makefile.eve
Expand Up @@ -7,6 +7,12 @@ KERNEL_TAG=v6.1.38
PLATFORM=linux/$(ARCHITECTURE)
BUILD_USER:=$(shell id -un)

IMAGE_REPOSITOR?=lfedge/eve-kernel

LINUXKIT_VERSION=54d9db8650400a9f6af72b176b64c6dcc30cba07
GOBIN=/tmp/linuxkit-$(LINUXKIT_VERSION)
LK=$(GOBIN)/linuxkit

SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct)
BRANCH=eve-kernel-$(ARCHITECTURE)-$(KERNEL_TAG)-$(EVE_FLAVOR)
# make sure we get a date in correct format, otherwise initramfs cpio mtime will be variable
Expand Down Expand Up @@ -41,20 +47,27 @@ help: Makefile
@echo " clean: remove generated files"
@echo

pull-eve-build-tools:
docker pull lfedge/eve-build-tools:main
.PHONY: pull-eve-build-tools
.PHONY: linuxkit
linuxkit: $(LK)
$(LK):
GOBIN=$(GOBIN) go install github.com/linuxkit/linuxkit/src/cmd/linuxkit@$(LINUXKIT_VERSION)

kernel-gcc: DOCKERFILE:=Dockerfile.gcc
kernel-clang: DOCKERFILE:=Dockerfile.clang

kernel-build-%: Makefile.eve
KERNEL_OCI_FILE:=$(shell mktemp -u)-kernel.tar

kernel-build-%: Makefile.eve linuxkit
@echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
docker buildx build \
--build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
--build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
--build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
--platform $(PLATFORM) -t lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$* --load -f Dockerfile.$* .
--platform $(PLATFORM) -t $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$* \
--sbom=true --output=type=oci,dest=$(KERNEL_OCI_FILE) -f Dockerfile.$* .
$(LK) cache import $(KERNEL_OCI_FILE)
rm -f $(KERNEL_OCI_FILE)


# we need these intermediate targets to make .PHONY work for pattern rules
kernel-gcc: kernel-build-gcc
Expand All @@ -67,12 +80,12 @@ push-clang: push-image-clang
.PHONY: kernel-gcc kernel-clang docker-tag-gcc docker-tag-clang push-gcc push-clang

docker-tag-generate-%:
@echo "docker.io/lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$*"
@echo "docker.io/$(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$*"

push-image-%:
$(if $(DIRTY), $(error "Not pushing since the repo is dirty"))
docker push lfedge/eve-kernel:$(BRANCH)-$(VERSION)-$*
$(LK) cache push $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)-$*

.PHONY: clean
clean:
echo "Cleaning"
echo "Cleaning"
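Review bot: The new default `IMAGE_REPOSITOR?=lfedge/eve-kernel` is misspelled, while every use is `$(IMAGE_REPOSITORY)` (the `-t` tag in kernel-build-%, docker-tag-generate-% and the `cache push` in push-image-%), so unless the caller exports IMAGE_REPOSITORY the tag expands to `:eve-kernel-…`, which buildx rejects as an invalid reference; the line should read `IMAGE_REPOSITORY?=lfedge/eve-kernel`. Two other new lines put build state in world-writable /tmp: `GOBIN=/tmp/linuxkit-$(LINUXKIT_VERSION)` makes `$(LK)` a file target that is satisfied by any pre-existing file at that path, so on a shared host another user can plant a binary that is then run with your Docker Hub credentials by `cache push` (the commit pin itself is good, it just never executes once the file exists), and `KERNEL_OCI_FILE:=$(shell mktemp -u)-kernel.tar` only names a file without creating it, leaving a predictable path open between naming and the buildx write, while `:=` fixes one name per make invocation so `kernel-build-gcc` and `kernel-build-clang` clobber each other under `make -j`. I would keep the toolchain under the checkout, e.g. `GOBIN=$(CURDIR)/.cache/linuxkit-$(LINUXKIT_VERSION)`, and create a private directory inside the recipe so the tar is per-target and removed even when buildx fails (today `rm -f` is skipped on error). The kernel-build-% recipe would become:
```make
IMAGE_REPOSITORY?=lfedge/eve-kernel
# keep the pinned linuxkit under the checkout, not in world-writable /tmp
GOBIN=$(CURDIR)/.cache/linuxkit-$(LINUXKIT_VERSION)
# … unchanged: LK, SOURCE_DATE_EPOCH, help, $(LK) rule …
kernel-build-%: Makefile.eve linuxkit
	@echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
	tmpdir=$$(mktemp -d) && trap 'rm -rf "$$tmpdir"' EXIT && \
	docker buildx build \
		--build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
		--build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
		--build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
		--platform $(PLATFORM) -t $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$* \
		--sbom=true --output=type=oci,dest="$$tmpdir/kernel-$*.tar" -f Dockerfile.$* . && \
	$(LK) cache import "$$tmpdir/kernel-$*.tar"
```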
