Move OEM sysext build from vms phase to build_image #3619
The cryptsetup useflag is required for signing sysexts built with systemd-repart. Signed-off-by: Daniel Zatovic <[email protected]>
Generate an ephemeral sysext signing key that is injected into the image's sysext root of trust. All OS-dependent sysexts will be signed by this key and the private key (stored in /tmp) will be discarded on SDK container exit. Signed-off-by: Daniel Zatovic <[email protected]>
We removed the sysext compression because double compression is redundant for sysexts stored in the already compressed BTRFS /usr. However, OS-dependent sysexts that are downloaded on demand were now also uncompressed. This commit brings back the compression via the SYSTEMD_REPART_MKFS_OPTIONS_EROFS option. Signed-off-by: Daniel Zatovic <[email protected]>
Signed-off-by: Daniel Zatovic <[email protected]>
Move OEM sysext building from the vms phase to the image phase. This ensures OEM sysexts are signed with the same ephemeral key as other sysexts, which is generated during image build and discarded afterward.

- Add create_oem_sysexts() to build all OEM sysexts during image build
- Add oem_sysexts.sh with OEM sysext definitions
- Update install_oem_sysext() to use prebuilt sysexts
- Add OEM sysext download to vms.sh for CI builds

Signed-off-by: Daniel Zatovic <[email protected]>
The tests are failing on arm64 azure, but they are also failing for nightly: http://jenkins.infra.kinvolk.io:8080/job/container/job/test/43566/console (The
Update the changelog entry to include information about OEM sysexts being signed and built during the image phase. Signed-off-by: Daniel Zatovic <[email protected]>
Done.
Verification steps to compare build artifacts with latest nightly:

```shell
rclone ls :http: --http-url "https://bincache.flatcar-linux.net/images/amd64/9999.0.1+fix-oem-sysexts/" 2>/dev/null | awk '{print $2}' | sort > /tmp/fix-oem-sysexts.txt
rclone ls :http: --http-url "https://bincache.flatcar-linux.net/images/amd64/4572.0.0+nightly-20260106-2100/" 2>/dev/null | awk '{print $2}' | sort > /tmp/latest-nightly.txt
diff /tmp/fix-oem-sysexts.txt /tmp/latest-nightly.txt
```

I've tried this and the output is the same (1400 files, no diff), so the OEM sysexts are uploaded just fine and seem to be in the right place.
```bash
local sysext name arches arch_array
for sysext in "${OEM_SYSEXTS[@]}"; do
IFS="|" read -r name _ _ arches <<< "$sysext"
# Skip if sysext doesn't support this architecture
if [[ -n "$arches" ]]; then
arch_array=(${arches//,/ })
local should_skip=1
local a
for a in "${arch_array[@]}"; do
[[ "$a" == "$arch" ]] && should_skip=0
done
[[ $should_skip -eq 1 ]] && continue
fi
```
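Review bot: `arch_array=(${arches//,/ })` relies on unquoted word splitting, so the expansion is also subject to pathname globbing, and a stray `*` in an `arches` field would be matched against the current directory. `IFS=, read -ra arch_array <<< "$arches"` splits on the comma directly with no globbing side effect.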
Suggested change:

```diff
-local sysext name arches arch_array
-for sysext in "${OEM_SYSEXTS[@]}"; do
-IFS="|" read -r name _ _ arches <<< "$sysext"
-# Skip if sysext doesn't support this architecture
-if [[ -n "$arches" ]]; then
-arch_array=(${arches//,/ })
-local should_skip=1
-local a
-for a in "${arch_array[@]}"; do
-[[ "$a" == "$arch" ]] && should_skip=0
-done
-[[ $should_skip -eq 1 ]] && continue
-fi
+local sysext name arches
+for sysext in "${OEM_SYSEXTS[@]}"; do
+IFS="|" read -r name _ _ arches <<< "$sysext"
+# Skip if sysext doesn't support this architecture
+[[ ,${arches}, == *,"${arch}",* ]] || continue
```
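Review bot: the suggested one-liner changes what an empty `arches` field means. The original code only filtered when `if [[ -n "$arches" ]]` held, so an entry with no architectures listed was built everywhere; `[[ ,${arches}, == *,"${arch}",* ]] || continue` turns an empty field into `,,`, which matches nothing, so such an entry is now skipped on every architecture. If empty is meant to mean "all", keep the guard: `[[ -z "$arches" || ,${arches}, == *,"${arch}",* ]] || continue`; otherwise document in oem_sysexts.sh that the field is mandatory.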
```bash
done
if [[ $should_skip -eq 1 ]]; then
continue
fi
```
As with vms.sh:

```bash
local sysext_name package_atoms useflags arches
IFS="|" read -r sysext_name package_atoms useflags arches <<< "$sysext"
[[ ,${arches}, == *,"${ARCH}",* ]] || continue
```

```bash
local arch_array=(${arches//,/ })
if [[ -n "$arches" ]]; then
local should_skip=1
for arch in "${arch_array[@]}"; do
if [[ $arch == "$ARCH" ]]; then
should_skip=0
fi
done
if [[ $should_skip -eq 1 ]]; then
continue
fi
fi
```
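Review bot: the loop variable in `for arch in "${arch_array[@]}"` is never declared `local`, so it leaks into the enclosing scope after the loop, and because it differs from `ARCH` only by case it is easy to confuse the two in later edits. Declare it (`local arch`) or reuse the `a` name the other loop in this PR uses.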
Suggested change:

```diff
-local arch_array=(${arches//,/ })
-if [[ -n "$arches" ]]; then
-local should_skip=1
-for arch in "${arch_array[@]}"; do
-if [[ $arch == "$ARCH" ]]; then
-should_skip=0
-fi
-done
-if [[ $should_skip -eq 1 ]]; then
-continue
-fi
-fi
+[[ ,${arches}, == *,"${ARCH}",* ]] || continue
```
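Review bot: whichever meaning an empty `arches` field ends up with, the image-phase filter and this vms.sh filter must agree on it. Here too the `if [[ -n "$arches" ]]` guard disappears with the one-liner; if only one of the two call sites keeps it, an OEM sysext could be built during image build but never downloaded in vms.sh, or vms.sh could request a sysext the image phase never produced.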
Apparently, you can get the list of OEMs for each architecture via get_oem_id_list? It looks a bit weird, but maybe it just works, and then you probably wouldn't need this new file. The helper is in the wrong place, under ci-automation, but maybe it could be moved? It doesn't give you the USE flags, but I'm not even sure those are needed, and the common-oem-files ebuild just assumes the flags match the OEM names anyway.
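The architecture filter debated in the review comments above, as an added example that is not part of the PR: it implements both the loop form from the diff and the `,list,` pattern form the reviewer proposes, then runs them over constructed `name|atoms|use|arches` entries so the one case where they differ (an empty `arches` field) is visible. The OEM names and package atoms are made up; bash 4 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR. Compares the two architecture
# filters discussed in the review over constructed "name|atoms|use|arches"
# entries (the same field layout the diff reads with IFS="|").
set -u

# Loop form from the diff: an empty arches field means "every architecture".
supports_arch_loop() {
    local arches=$1 arch=$2 a
    [[ -n "$arches" ]] || return 0
    local -a arch_array
    IFS=, read -ra arch_array <<< "$arches"   # split on commas, no globbing
    for a in "${arch_array[@]}"; do
        [[ "$a" == "$arch" ]] && return 0
    done
    return 1
}

# Pattern form suggested in review: wrap the list in commas and glob-match.
# An empty field becomes ",", which matches nothing, so the entry is skipped.
supports_arch_glob() {
    local arches=$1 arch=$2
    [[ ,${arches}, == *,"${arch}",* ]]
}

# Prints the names an architecture would build, one per line, using $impl.
filter_sysexts() {
    local impl=$1 arch=$2
    shift 2
    local entry name arches
    for entry in "$@"; do
        IFS="|" read -r name _ _ arches <<< "$entry"
        "$impl" "$arches" "$arch" && printf '%s\n' "$name"
    done
    return 0
}

# Constructed sample entries; the OEM names and package atoms are made up.
SAMPLE_OEMS=(
    "oem-a|app-oem/oem-a|oem-a|amd64,arm64"
    "oem-b|app-oem/oem-b|oem-b|amd64"
    "oem-c|app-oem/oem-c|oem-c|"
)

echo "loop form, arm64:"; filter_sysexts supports_arch_loop arm64 "${SAMPLE_OEMS[@]}"
echo "glob form, arm64:"; filter_sysexts supports_arch_glob arm64 "${SAMPLE_OEMS[@]}"
```

Running it shows oem-c selected by the loop form but dropped by the pattern form on both architectures, which is the behaviour change the guard question in the review is about.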
Signing sysexts with ephemeral keys showed an issue during prod builds due to the ephemeral keys being wiped between image and vms build (reverted in #3567). The OEM sysexts are built on demand during vms build, but the ephemeral keys are no longer on the system. This PR fixes that by prebuilding all OEM sysexts during image build. The VM image build then just pulls the prebuilt OEM sysext.
This PR also re-introduces the sysext signing feature reverted in #3567.
CI job:
http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/7218/