mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-23 06:42:27 +00:00
46cad549ef
- include nix tools inside of the docker to be able to call the garbage collector prior to creating docker.
- protect roots from garbage collection (WiP)
  - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
  - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now. That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there

TODO:
- make docker creating nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9) - And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
78 lines, 3.2 KiB, Plaintext
Notes to repro on top of QubesOS debian-12-xfce template based qube

- Clone a debian-12-xfce on top of Q4.2.1 to be specialized
- Deploy QubesOS nix requirements in template: https://dataswamp.org/~solene/2023-05-15-qubes-os-install-nix.html
- Deploy QubesOS requirements for docker: https://gist.github.com/tlaurion/9113983bbdead492735c8438cd14d6cd
- Create a qube based on the cloned template above
- Open qube
- Clone whatever repo is most recent between https://github.com/mmlb/osresearch-heads/tree/wip-nix-for-build or https://github.com/tlaurion/heads/tree/wip-nix-for-build
- git clone Above_repo
- cd /home/user/heads or cd /home/user/osresearch-heads
- git checkout wip-nix-for-build
- git reset --hard

Now, replication traces

#Install nix cleanly:
sudo rm -rf /nix/* || echo "cannot delete /nix" && sh <(curl -L https://nixos.org/nix/install) --no-daemon

#Source nix prior to creating nix cache and jumping in it
. /home/user/.nix-profile/etc/profile.d/nix.sh

#Configure nix for local builds until we have proper docker image instead:
mkdir -p ~/.config/nix
echo 'experimental-features = nix-command flakes' >~/.config/nix/nix.conf

#Build nix developer local env with flakes locks to specified versions and jump into it:
nix --print-build-logs --verbose develop --ignore-environment

#Build a board
make BOARD=nitropad-nv41

In case you need to rebuild from packages + patches + a clean ./install (where libraries and headers are found):
make real.remove_canary_files-extract_patch_rebuild_what_changed

If that doesn't help you, look at the end of the global Helper for more helpers. Iterate.

build docker out of nix develop environment and jump into it:
nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env

From there, rebuild with
make real.remove_canary_files-extract_patch_rebuild_what_changed
make BOARD=nitropad-nv41

Make changes until that part works in both the nix layer on top of the OS and within the docker image.
......

SUCCESSSSS?!?!?!?! CELEBRATION!
Tell @mmlb and @insurgo on matrix channel!!!!

-------

Some raw and incomplete notes on how to push that docker to dockerhub
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.3
docker push tlaurion/heads-dev-env:v0.0.3
(to be continued)

-------------------

#To create the docker image, I was not able to set gcroot dynamically, so here are the manual steps so nix is not wiped by the garbage collector
mkdir -p /nix/var/nix/gcroots/per-user/$(whoami)
ln -sfn $(readlink -f $HOME/.nix-profile) /nix/var/nix/gcroots/per-user/$(whoami)/profile

#And then build derivations and call garbage collection (not yet successful since docker build fails now)
nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env
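Added example (not code from the Heads repo or its author): a guarded wrapper around the manual gcroot steps above, which refuses to run the collector until the `profile` root is confirmed to resolve to a store path that actually contains the nix binary. NIX_STORE_DIR, NIX_GCROOTS_DIR, NIX_PROFILE and NIX_GC_CMD are override variables assumed for this example so the functions can be exercised against a throwaway directory tree.

```bash
#!/usr/bin/env bash
# Register the user profile as a Nix GC root and verify it covers the store
# path holding `nix` before collecting garbage. Paths default to the real
# per-user layout but can be overridden (assumed variables for this example).
set -u

: "${NIX_STORE_DIR:=/nix/store}"
: "${NIX_GCROOTS_DIR:=/nix/var/nix/gcroots/per-user/$(id -un)}"
: "${NIX_PROFILE:=${HOME:-$PWD}/.nix-profile}"
: "${NIX_GC_CMD:=nix-collect-garbage -d}"   # replaced by `true` in tests

# Create an indirect GC root named `profile` pointing at the resolved profile
# generation. Nix treats every symlink under gcroots/ as live, so everything
# reachable from it survives a collection.
register_profile_root() {
    local target
    target=$(readlink -f "$NIX_PROFILE") || return 1
    mkdir -p "$NIX_GCROOTS_DIR" || return 1
    ln -sfn "$target" "$NIX_GCROOTS_DIR/profile"
}

# Return 0 when the registered root resolves to an environment whose bin/nix
# is an executable inside the store, i.e. the collector cannot remove nix.
root_covers_nix_binary() {
    local root resolved nix_bin
    root="$NIX_GCROOTS_DIR/profile"
    [ -L "$root" ] || return 1
    resolved=$(readlink -f "$root") || return 1
    nix_bin=$(readlink -f "$resolved/bin/nix" 2>/dev/null) || return 1
    [ -x "$nix_bin" ] || return 1
    case "$nix_bin" in
        "$NIX_STORE_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only collect garbage once the root exists and is proven to cover nix.
# Exit codes: 1 = root could not be registered, 2 = root does not cover nix.
guarded_gc() {
    register_profile_root || { echo "could not register gc root" >&2; return 1; }
    root_covers_nix_binary || { echo "gc root does not cover nix; refusing to collect" >&2; return 2; }
    $NIX_GC_CMD
}
```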

#Use it
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2 run

#push it
docker login
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.9
docker push tlaurion/heads-dev-env:v0.0.9