QubesOS dom0 package build workflow

Signed-off-by: Sergii Dmytruk <[email protected]>

.github/workflows/qubes-dom0-package.yml

@@ -0,0 +1,88 @@
+name: Test build and package QubesOS RPMs
+
+on:
+  on: # this marks the workflow as reuseable
+     workflow_call:
+       inputs:
+         base-commit:
+           description: >
+             First upstream commit to be used as a base for `git format-patch`
+             command.
+           required: true
+           type: string
+         patch-start:
+           description: >
+             --start-number argument for `git format-patch` command.
+           required: true
+           type: number
+         qubes-component:
+           description: >
+             Name of QubesOS component as recognized by its build system.
+           required: true
+           type: string
+         spec-pattern:
+           description: >
+             `sed` pattern used to find insert position for patches in *.spec.in
+             files.
+           required: true
+           type: string
+
+jobs:
+  build-and-package:
+    runs-on: ubuntu-latest
+    name: Compile and package as QubesOS RPM
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 100 # need history for `git format-patch`
+
+      - name: Cache Docker image and dom0 stuff
+        uses: actions/cache@v3
+        id: docker-cache
+        with:
+          path: |
+            /tmp/qubes-fedora-builder.tar
+            /tmp/cache/dom0.tar
+          key: ${{ hashFiles('.github/docker/*') }}-docker-container
+
+      - name: Load Docker image
+        if: steps.docker-cache.outputs.cache-hit == 'true'
+        run: |
+          docker load --input /tmp/qubes-fedora-builder.tar
+
+      - name: Build Fedora image
+        if: steps.docker-cache.outputs.cache-hit != 'true'
+        uses: docker/build-push-action@v4
+        with:
+          tags: qubes-fedora-builder:latest
+          context: ./.github/docker
+
+      - name: Export Docker image
+        if: steps.docker-cache.outputs.cache-hit != 'true'
+        run: |
+          docker save --output /tmp/qubes-fedora-builder.tar \
+                      qubes-fedora-builder:latest
+
+      - name: Prepare dom0 cache storage
+        if: steps.docker-cache.outputs.cache-hit != 'true'
+        run: |
+          mkdir --mode=777 /tmp/cache
+
+      - name: Build and package
+        run: |
+          docker run --privileged \
+                     -v /tmp/cache:/tmp/cache/ \
+                     -v "$GITHUB_WORKSPACE:$GITHUB_WORKSPACE" \
+                     -w "$GITHUB_WORKSPACE" \
+                     -e "COMPONENT=${{ inputs.qubes-component }}" \
+                     -e "PATCH_START=${{ inputs.patch-start }}" \
+                     -e "BASE_COMMIT=${{ inputs.base-commit }}" \
+                     -e "SPEC_PATTERN=${{ inputs.spec-pattern }}" \
+                     qubes-fedora-builder:latest
+
+      - name: Save built packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: qubesos.dom0.fc37-${{ inputs.qubes-component }}-${{ github.sha }}
+          path: '*.rpm'

qubes-dom0-docker/Dockerfile

@@ -0,0 +1,42 @@
+FROM fedora:37
+
+RUN dnf -y install \
+    createrepo \
+    debootstrap \
+    devscripts \
+    dpkg-dev \
+    dialog \
+    dnf-plugins-core \
+    e2fsprogs \
+    git \
+    gnupg \
+    make \
+    perl-open \
+    perl-Digest-MD5 \
+    perl-Digest-SHA \
+    psmisc \
+    python2 \
+    python3-pyyaml \
+    python3-sh \
+    rpm-build \
+    rpm-sign \
+    rpmdevtools \
+    systemd-container \
+    systemd-udev \
+    wget \
+    which
+
+# the build system requires regular user with passwordless sudo access
+RUN groupadd -g 1000 builder && \
+    useradd -ms /bin/bash -u 1000 -g 1000 builder && \
+    usermod -aG wheel builder && \
+    sed -e 's/^%wheel/#%wheel/g' -e 's/^# %wheel/%wheel/g' -i /etc/sudoers
+
+RUN git clone --depth=1 https://github.com/QubesOS/qubes-builder /builder && \
+    chown -R builder:builder /builder
+COPY builder.conf /builder/builder.conf
+RUN su -c 'make -C /builder COMPONENTS=builder-rpm get-sources' - builder
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

qubes-dom0-docker/builder.conf

@@ -0,0 +1,51 @@
+RELEASE := 4.2
+
+SSH_ACCESS  := 0
+GIT_BASEURL := https://github.com
+GIT_PREFIX  := QubesOS/qubes-
+BRANCH      ?= main
+
+# Fetch repositories with depth=1
+GIT_CLONE_FAST ?= 1
+
+BACKEND_VMM = xen
+
+DIST_DOM0 ?= fc37
+DISTS_VM ?=
+
+MGMT_COMPONENTS = \
+    salt \
+    mgmt-salt \
+    mgmt-salt-base \
+    mgmt-salt-base-topd \
+    mgmt-salt-base-config \
+    mgmt-salt-dom0-qvm \
+    mgmt-salt-dom0-virtual-machines \
+    mgmt-salt-dom0-update
+
+COMPONENTS := \
+    builder \
+    builder-rpm \
+
+BRANCH_linux_kernel = stable-6.1
+GIT_URL_linux_kernel_latest = $(GIT_BASEURL)/$(GIT_PREFIX)linux-kernel
+BRANCH_linux_kernel_latest = main
+
+BUILDER_PLUGINS :=
+BUILDER_PLUGINS += builder-rpm
+BUILDER_PLUGINS += mgmt-salt
+
+# Put all the enabled plugins into components to download them. But avoid
+# duplicates
+COMPONENTS += $(filter-out $(COMPONENTS), $(BUILDER_PLUGINS))
+
+DEBUG = 0
+VERBOSE = 0
+NO_SIGN = 1
+
+DIST_DOM0 ?= fc20
+
+export USE_QUBES_REPO_VERSION = $(RELEASE)
+export USE_QUBES_REPO_TESTING = 0
+
+# vim: filetype=make

qubes-dom0-docker/entrypoint.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -xe
+
+fail() {
+    echo "$@"
+    exit 1
+}
+
+# make sure all input environment variables were provided to avoid cryptic
+# failures
+[ -n "$COMPONENT" ] || fail "\$COMPONENT is empty"
+[ -n "$PATCH_START" ] || fail "\$PATCH_START is empty"
+[ -n "$BASE_COMMIT" ] || fail "\$BASE_COMMIT is empty"
+[ -n "$SPEC_PATTERN" ] || fail "\$SPEC_PATTERN is empty"
+
+# prevent errors due to inconsistent ownership
+git config --global --add safe.directory "$PWD"
+
+# load dom0 cache
+if [ -f /tmp/cache/dom0.tar ]; then
+    rm -rf /builder/cache /builder/chroot-dom0-fc37
+    tar -C /builder -xf /tmp/cache/dom0.tar
+fi
+
+# fetch component's sources
+su -c "make -C /builder 'COMPONENTS=$COMPONENT' get-sources" - builder
+
+# create a set of patches on top of component's base and integrate them into
+# sources
+patches=( $(git format-patch --start-number "$PATCH_START" "$BASE_COMMIT") )
+specLines=$'\\\n\\\n# Intel TXT support patches'
+set +x # less noise in build logs
+for patch in "${patches[@]}"; do
+    patchNum=${patch%%-*}
+    specLines=$specLines$'\\\n'"Patch$patchNum: $patch"
+done
+set -x
+chown builder:builder "${patches[@]}"
+mv "${patches[@]}" "/builder/qubes-src/$COMPONENT/"
+sed -i \
+    "${SPEC_PATTERN}a${specLines}" \
+    "/builder/qubes-src/$COMPONENT/${COMPONENT##*-}.spec.in"
+
+# build the component
+su -c "make -C /builder 'COMPONENTS=$COMPONENT' '$COMPONENT'" - builder
+
+# move RPMs out of the container
+rpms=( $(find "/builder/qubes-src/$COMPONENT/pkgs" -name '*.rpm') )
+cp --verbose "${rpms[@]}" .
+
+# store dom0 cache if we didn't load from it
+if [ ! -f /tmp/cache/dom0.tar ]; then
+    umount /builder/chroot-dom0-fc37/proc
+    tar -C /builder -cf /tmp/cache/dom0.tar cache chroot-dom0-fc37
+fi