heads/NIX_REPRO_NOTES
Thierry Laurion 46cad549ef
WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard
- include nix tools inside of the docker to be able to call the garbage collector prior to creating docker.
- protect roots from garbage collection (WiP)
  - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
  - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there

TODO:
- make docker creation nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 20:51:18 -04:00


Notes to repro on top of QubesOS debian-12-xfce template based qube
- Clone a debian-12-xfce on top of Q4.2.1 to be specialized
- Deploy QubesOS nix requirements in template: https://dataswamp.org/~solene/2023-05-15-qubes-os-install-nix.html
- Deploy QubesOS requirements for docker: https://gist.github.com/tlaurion/9113983bbdead492735c8438cd14d6cd
- Create a qube based on the cloned template above
- Open qube
- Clone whatever repo is most recent between https://github.com/mmlb/osresearch-heads/tree/wip-nix-for-build or https://github.com/tlaurion/heads/tree/wip-nix-for-build
- git clone Above_repo
- cd /home/user/heads or cd /home/user/osresearch-heads
- git checkout wip-nix-for-build
- git reset --hard
Now, replication traces
#Install nix cleanly:
sudo rm -rf /nix/* || echo "cannot delete /nix" && sh <(curl -L https://nixos.org/nix/install) --no-daemon
#Source nix prior to creating the nix cache and jumping into it
. /home/user/.nix-profile/etc/profile.d/nix.sh
#Configure nix for local builds until we have a proper docker image instead:
mkdir -p ~/.config/nix
echo 'experimental-features = nix-command flakes' >~/.config/nix/nix.conf
#Build the nix developer local env, with flake locks pinning the specified versions, and jump into it:
nix --print-build-logs --verbose develop --ignore-environment
#Build a board
make BOARD=nitropad-nv41
In case you need to rebuild from packages + patches + a clean ./install (where libraries and headers are found):
make real.remove_canary_files-extract_patch_rebuild_what_changed
If that doesn't help you, look at the end of the global Helper for more helpers. Iterate.
Build docker out of the nix develop environment and jump into it:
nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env
From there, rebuild with:
make real.remove_canary_files-extract_patch_rebuild_what_changed
make BOARD=nitropad-nv41
Make changes until that part works both in the nix layer on top of the OS and within the docker image.
......
SUCCESSSSS?!?!?!?! CELEBRATION!
Tell @mmlb and @insurgo on matrix channel!!!!
-------
Some raw and incomplete notes on how to push that docker to dockerhub
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.3
docker push tlaurion/heads-dev-env:v0.0.3
(to be continued)
-------------------
#To create the docker image, I was not able to set gcroot dynamically, so here are the manual steps so nix is not wiped per garbage collector
mkdir -p /nix/var/nix/gcroots/per-user/$(whoami)
ln -sfn $(readlink -f $HOME/.nix-profile) /nix/var/nix/gcroots/per-user/$(whoami)/profile
#And then build derivations and call garbage collection (not yet successful since docker build fails now)
nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env
#Use it
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2 run
#push it
docker login
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.9
docker push tlaurion/heads-dev-env:v0.0.9
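The manual gcroot step above (symlink the resolved profile under /nix/var/nix/gcroots/per-user) can be wrapped so it is repeatable and checked before the garbage collector is run. This is an added example, not part of the Heads repo or of the notes above; the profile link, the gcroots base directory and the user name are parameters (assumed layout, matching the commands above) so it can be exercised on a scratch directory as well as on a real /nix.

```shell
#!/bin/sh
# Added example: register a per-user Nix GC root for the user's profile so
# that `nix-collect-garbage` cannot remove the profile's closure (nix itself
# included), then verify the root resolves to the same store path as the profile.

# protect_profile_gcroot PROFILE_LINK GCROOTS_DIR USER
#   e.g. protect_profile_gcroot "$HOME/.nix-profile" /nix/var/nix/gcroots/per-user "$(whoami)"
# Prints the resolved store path the root now points at.
protect_profile_gcroot() {
    profile="$1"
    gcroots="$2"   # assumed base dir, /nix/var/nix/gcroots/per-user on a real system
    user="$3"

    [ -e "$profile" ] || { echo "profile $profile does not exist" >&2; return 1; }
    # Resolve the whole chain (.nix-profile -> profile-N-link -> /nix/store/...)
    target=$(readlink -f "$profile") || return 1
    mkdir -p "$gcroots/$user" || return 1
    # -n: replace an existing link instead of creating inside the directory it targets
    ln -sfn "$target" "$gcroots/$user/profile" || return 1
    echo "$target"
}

# verify_profile_gcroot PROFILE_LINK GCROOTS_DIR USER
#   Succeeds only if the root exists and resolves to the profile's current store path.
verify_profile_gcroot() {
    profile="$1"
    gcroots="$2"
    user="$3"
    root="$gcroots/$user/profile"

    [ -L "$root" ] || { echo "no gcroot at $root" >&2; return 1; }
    want=$(readlink -f "$profile") || return 1
    have=$(readlink -f "$root") || return 1
    if [ "$have" != "$want" ]; then
        echo "gcroot $root points to $have, profile resolves to $want" >&2
        return 1
    fi
}
```

Run the verify function again after every `nix profile` or `nix-env` change: the profile link moves to a new generation, and a stale root would leave the new closure unprotected.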