From b57f17371f835b5c4d93b609cbfeb7b6bea94c80 Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Tue, 27 Feb 2024 15:47:50 +0000
Subject: [PATCH 1/3] Remove SBOM generation by external tools

Signed-off-by: Mikhail Malyshev
(cherry picked from commit f997da2bb1a208c7a377ba9a8ef2cb965276da3b)
Signed-off-by: Mikhail Malyshev
---
 Dockerfile.gcc | 4 ----
 Makefile.eve | 22 ++--------------------
 2 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/Dockerfile.gcc b/Dockerfile.gcc
index 6a7943fe0c711..e2db25cf41520 100644
--- a/Dockerfile.gcc
+++ b/Dockerfile.gcc
@@ -160,10 +160,6 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept
 tar cf - -T - | (cd $dir; tar xf -) && \
 ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
-# copy SBOM files
-RUN cp /kernel-src/kernel-sbom-docker.spdx.json /out/ && \
- cp /kernel-src/kernel-sbom-gh.spdx.json /out/
-
 FROM scratch
 ENTRYPOINT []
 CMD []
diff --git a/Makefile.eve b/Makefile.eve
index ff0cd3eeee5c4..79c32668f1d40 100644
--- a/Makefile.eve
+++ b/Makefile.eve
@@ -45,28 +45,10 @@ pull-eve-build-tools:
 docker pull lfedge/eve-build-tools:main
 .PHONY: pull-eve-build-tools
 
-# do not build sbom target directly, it depends on DOCKERFILE variable set by kernel-gcc or kernel-clang
-SBOM_TARGETS=kernel-sbom-gh.spdx.json kernel-sbom-docker.spdx.json
-sbom: $(SBOM_TARGETS)
-
-kernel-sbom-gh.spdx.json: pull-eve-build-tools
- docker run -v $(PWD):/in lfedge/eve-build-tools:main github-sbom-generator \
- generate --format spdx-json /in/ | jq . > ./kernel-sbom-gh.spdx.json
-
-#if DOCKERFILE is not set, this target will fail
-kernel-sbom-docker.spdx.json: pull-eve-build-tools $(DOCKERFILE)
- @if [ -z "$(DOCKERFILE)" ]; then \
- echo "DOCKERFILE not set. Do not build 'sbom' target directly"; \
- exit 1; \
- fi
- @echo "Generating SBOM for $(DOCKERFILE)"
- docker run -v $(PWD):/in lfedge/eve-build-tools:main dockerfile-add-scanner scan /in/$(DOCKERFILE) \
- --format spdx-json | jq . > ./kernel-sbom-docker.spdx.json
-
 kernel-gcc: DOCKERFILE:=Dockerfile.gcc
 kernel-clang: DOCKERFILE:=Dockerfile.clang
 
-kernel-build-%: sbom Makefile.eve
+kernel-build-%: Makefile.eve
 @echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
 docker buildx build \
 --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
@@ -93,4 +75,4 @@ push-image-%:
 
 .PHONY: clean
 clean:
- rm -f $(SBOM_TARGETS)
+ echo "Cleaning"
\ No newline at end of file

From a318f62674ec4c2823fccdd145fe9741ceccd103 Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Tue, 27 Feb 2024 23:49:51 +0000
Subject: [PATCH 2/3] Use buildkit's builtin mechanism to generate SBOM

- --sbom=true is not compatible with --load because docker doesn't support full OCI spec. Instead we export TAR file in OCI format and later load it linuxkit cache
- since the image is now hosted by linuxkit cache we should use 'cache push' command to push it to dockerhub registry

Signed-off-by: Mikhail Malyshev
(cherry picked from commit 885b542a6cfb612a4a0c05233fba075384b4765b)
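Review bot: The new `clean` recipe is a bare `echo "Cleaning"` that removes nothing, while the `help` target elsewhere in Makefile.eve still advertises `clean: remove generated files`, so the two now disagree. The SBOM files were the only thing this target deleted; either drop the target together with its `.PHONY` entry and help line, or keep it as an explicit no-op with a comment such as `# clean: nothing left to remove now that no SBOM files are written to the working tree` so the next reader does not go looking for what it is supposed to clean.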
Signed-off-by: Mikhail Malyshev
---
 Makefile.eve | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/Makefile.eve b/Makefile.eve
index 79c32668f1d40..fabbaf06393d1 100644
--- a/Makefile.eve
+++ b/Makefile.eve
@@ -7,6 +7,12 @@ KERNEL_TAG=v6.1.38
 PLATFORM=linux/$(ARCHITECTURE)
 BUILD_USER:=$(shell id -un)
 
+IMAGE_REPOSITORY?=lfedge/eve-kernel
+
+LINUXKIT_VERSION=58c36c9eb0c32acf66ae7877d18a9ad24d59d73e
+GOBIN=/tmp/linuxkit-$(LINUXKIT_VERSION)
+LK=$(GOBIN)/linuxkit
+
 SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct)
 BRANCH=eve-kernel-$(ARCHITECTURE)-$(KERNEL_TAG)-$(EVE_FLAVOR)
 # make sure we get a date in correct format, otherwise initramfs cpio mtime will be variable
@@ -41,20 +47,24 @@ help: Makefile
 @echo " clean: remove generated files"
 @echo
 
-pull-eve-build-tools:
- docker pull lfedge/eve-build-tools:main
-.PHONY: pull-eve-build-tools
+.PHONY: linuxkit
+linuxkit: $(LK)
+$(LK):
+ GOBIN=$(GOBIN) go install github.com/linuxkit/linuxkit/src/cmd/linuxkit@$(LINUXKIT_VERSION)
 
-kernel-gcc: DOCKERFILE:=Dockerfile.gcc
-kernel-clang: DOCKERFILE:=Dockerfile.clang
+KERNEL_OCI_FILE:=$(shell mktemp -u)-kernel.tar
 
-kernel-build-%: Makefile.eve
+kernel-build-%: Makefile.eve linuxkit
 @echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
 docker buildx build \
 --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
 --build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
 --build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
- --platform $(PLATFORM) -t lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$* --load -f Dockerfile.$* .
+ --platform $(PLATFORM) -t $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$* \
+ --sbom=true --output=type=oci,dest=$(KERNEL_OCI_FILE) -f Dockerfile.$* .
+ $(LK) cache import $(KERNEL_OCI_FILE)
+ rm -f $(KERNEL_OCI_FILE)
+
 # we need these intermediate targets to make .PHONY work for pattern rules
 kernel-gcc: kernel-build-gcc
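Review bot: `GOBIN=/tmp/linuxkit-$(LINUXKIT_VERSION)` with `LK=$(GOBIN)/linuxkit` places the tool at a fixed, predictable path in a world-writable directory, and the `$(LK):` rule in the next hunk only runs `go install` when that file is absent, so whatever already sits there is executed as-is and later becomes the binary that does `cache push` to the registry. On a shared host or a long-lived runner that is a stale- or planted-binary hazard with no version or ownership check guarding it. Keeping the install under a checkout- or user-owned directory, e.g. `GOBIN=$(CURDIR)/.build/linuxkit-$(LINUXKIT_VERSION)` (with `.build` excluded from the docker build context), removes the shared-/tmp exposure while keeping the version-keyed path. Pinning `LINUXKIT_VERSION` to a full commit hash rather than a branch is the right call.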
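Review bot: `KERNEL_OCI_FILE:=$(shell mktemp -u)-kernel.tar` is expanded once at parse time, so `kernel-build-gcc` and `kernel-build-clang` in the same make invocation write, import and `rm -f` the very same tar, which races under `-j` and can make one target import the other's image; `mktemp -u` also only chooses a name without creating the file, so nothing reserves that path between parse time and the buildx write. The trailing `rm -f $(KERNEL_OCI_FILE)` only runs when `cache import` succeeds, so a failed import leaves the tar behind. A per-target path and a cleanup that runs regardless of the import result fix both: `kernel-build-%: KERNEL_OCI_FILE = $(CURDIR)/.build/$@.tar` as a target-specific variable, `@mkdir -p $(CURDIR)/.build` as the first recipe line, and `$(LK) cache import $(KERNEL_OCI_FILE); rc=$$?; rm -f $(KERNEL_OCI_FILE); exit $$rc` in place of the last two recipe lines (keep `.build` out of the docker build context).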
@@ -67,12 +77,12 @@ push-clang: push-image-clang
 .PHONY: kernel-gcc kernel-clang docker-tag-gcc docker-tag-clang push-gcc push-clang
 
 docker-tag-generate-%:
- @echo "docker.io/lfedge/eve-kernel:$(BRANCH)-$(VERSION)$(DIRTY)-$*"
+ @echo "docker.io/$(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)$(DIRTY)-$*"
 
 push-image-%:
 $(if $(DIRTY), $(error "Not pushing since the repo is dirty"))
- docker push lfedge/eve-kernel:$(BRANCH)-$(VERSION)-$*
+ $(LK) cache push $(IMAGE_REPOSITORY):$(BRANCH)-$(VERSION)-$*
 
 .PHONY: clean
 clean:
- echo "Cleaning"
\ No newline at end of file
+ echo "Cleaning"

From 562092a9eb6b2b016a41738777a01f9fb246803d Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Mon, 4 Mar 2024 13:28:11 +0000
Subject: [PATCH 3/3] Make sure we have correct buildx builder

Our build may depend on buildx features e.g. --sbom so we need to make sure we have a correct builder version. This is not a big problem for local build but a big one for GH runners.

Signed-off-by: Mikhail Malyshev
(cherry picked from commit ae347d3a26ece0dd8463c3aae4b41071505c486b)
Signed-off-by: Mikhail Malyshev
---
 Makefile.eve | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Makefile.eve b/Makefile.eve
index fabbaf06393d1..16f440def4d88 100644
--- a/Makefile.eve
+++ b/Makefile.eve
@@ -13,6 +13,9 @@ LINUXKIT_VERSION=58c36c9eb0c32acf66ae7877d18a9ad24d59d73e
 GOBIN=/tmp/linuxkit-$(LINUXKIT_VERSION)
 LK=$(GOBIN)/linuxkit
 
+BUILD_KIT_VERSION=v0.12.5
+BUILD_KIT_BUILDER=eve-kernel-builder-$(BUILD_KIT_VERSION)
+
 SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct)
 BRANCH=eve-kernel-$(ARCHITECTURE)-$(KERNEL_TAG)-$(EVE_FLAVOR)
 # make sure we get a date in correct format, otherwise initramfs cpio mtime will be variable
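Review bot: `push-image-%` now runs `$(LK) cache push ...` but the rule still has no prerequisite on `linuxkit`, so on a fresh checkout or runner where only `push-gcc`/`push-clang` is invoked, `$(GOBIN)/linuxkit` would not exist and the push fails on a missing binary instead of installing it first; `kernel-build-%` declares that prerequisite and this rule should too: `push-image-%: linuxkit`. Separately, since the point of the series is the `--sbom=true` attestation, it is worth confirming that the image as stored by `cache import` and re-exported by `cache push` still carries the attestation manifest, otherwise the SBOM is silently dropped before it reaches the registry; that cannot be verified from this hunk. The `$(if $(DIRTY), $(error ...))` guard is unchanged and still applies to the new push.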
@@ -47,6 +50,12 @@ help: Makefile
 @echo " clean: remove generated files"
 @echo
 
+.PHONY: ensure-builder
+ensure-builder:
+ docker buildx inspect $(BUILD_KIT_BUILDER) 2>/dev/null || \
+ docker buildx create --name $(BUILD_KIT_BUILDER) \
+ --driver docker-container --bootstrap --driver-opt=image=moby/buildkit:$(BUILD_KIT_VERSION)
+
 .PHONY: linuxkit
 linuxkit: $(LK)
 $(LK):
@@ -54,9 +63,10 @@ $(LK):
 
 KERNEL_OCI_FILE:=$(shell mktemp -u)-kernel.tar
 
-kernel-build-%: Makefile.eve linuxkit
+kernel-build-%: Makefile.eve linuxkit | ensure-builder
 @echo "Building kernel version $(BRANCH):$(VERSION)-$* with compiler $*"
 docker buildx build \
+ --builder=$(BUILD_KIT_BUILDER) \
 --build-arg="SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)" \
 --build-arg="KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP)" \
 --build-arg="LOCALVERSION=$(VERSION)$(DIRTY)" \
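Review bot: `--driver-opt=image=moby/buildkit:$(BUILD_KIT_VERSION)` in `ensure-builder` pins the builder by tag only; the commit message says the goal is a known builder version, but a tag is mutable at the registry, so the builder instantiated on a GH runner is whatever `v0.12.5` resolves to on that day. Pinning by digest as well gives the reproducibility the message asks for: add `BUILD_KIT_DIGEST=sha256:<digest of moby/buildkit:v0.12.5>` next to `BUILD_KIT_VERSION` and use `--driver-opt=image=moby/buildkit:$(BUILD_KIT_VERSION)@$(BUILD_KIT_DIGEST)`. Note also that a successful `docker buildx inspect $(BUILD_KIT_BUILDER)` only proves a builder of that name exists, not that it was created with these options; that is acceptable here only because the name embeds the version, and a comment saying so would help, e.g. `# builder name embeds the version, so an existing builder of that name is assumed to match`.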