optimizations and updates for CI/CD (#604)

* bump versions and use driver-opts

* use rehosting arc registry

* use insecure for registry mirror

* log in after establishing that it's insecure

* parsing

* newline

* cache mode max

* cache to/from publish

* formatting

* again

* registry updates

* insecure

* drop cache briefly

* use login command

* try again?

* more

* more

* invalid

* try more things?

* cat out daemon.json

* drop

* sleep forever

* fixup

* dockerfile: allow registry setting

* use registry in build-args

* maybe?

* fixup

* use /proxy

* update ca certificats

* did we ever need these?

* adjust

* try?

* try again

* don't restart docker

* setup buildx

* fixup publish and build process

* dockerfile: drop depencies txt files (caching is bad)

* drop ./dependencies

Author: lacraig2

.github/workflows/build.yaml

@@ -37,46 +37,54 @@ jobs:
 
   build_container:
     runs-on: rehosting-arc
-    
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
-    # (required)
     permissions:
       contents: write
       packages: write
     needs: lint
 
     steps:
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: rehosting
-          password: ${{secrets.DOCKERHUB_TOKEN}}
-
-      - name: Install dependencies and label git workspace safe
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install python3-pip git curl jq gzip tmux
-          python3 -m pip install click
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Trust Harbor's self-signed certificate
+        run: |
+          echo "Fetching certificate from ${{ secrets.REHOSTING_ARC_REGISTRY }}"
+          openssl s_client -showcerts -connect ${{ secrets.REHOSTING_ARC_REGISTRY }}:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/harbor.crt > /dev/null
+          sudo update-ca-certificates
       
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            image=moby/buildkit:master
+            network=host
+          buildkitd-config-inline: |
+            [registry."${{ secrets.REHOSTING_ARC_REGISTRY }}"]
+              insecure = true
+              http = true
+      
+      - name: Log in to Rehosting Arc Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.REHOSTING_ARC_REGISTRY }}
+          username: ${{ secrets.REHOSTING_ARC_REGISTRY_USER }}
+          password: ${{ secrets.REHOSTING_ARC_REGISTRY_PASSWORD }}
 
       - name: Build Docker image and push to Docker Hub
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          tags: rehosting/penguin:${{ github.sha }}
+          tags: ${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:${{ github.sha }}
+          build-args: |
+            REGISTRY=${{ secrets.REHOSTING_ARC_REGISTRY }}/proxy
           cache-from: |
-            type=registry,ref=rehosting/penguin:latest,mode=max
-            type=registry,ref=rehosting/penguin:cache-PR-${{github.event.number}},mode=max
-          cache-to: type=registry,ref=rehosting/penguin:cache-PR-${{ github.event.number }}
+            type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache,mode=max
+            type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache-PR-${{github.event.number}},mode=max
+          cache-to: |
+            type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache,mode=max
+            type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache-PR-${{ github.event.number }}
 
   run_tests:
     needs: build_container
@@ -98,18 +106,25 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Log in to Docker Hub
+      - name: Trust Harbor's self-signed certificate
+        run: |
+          echo "Fetching certificate from ${{ secrets.REHOSTING_ARC_REGISTRY }}"
+          openssl s_client -showcerts -connect ${{ secrets.REHOSTING_ARC_REGISTRY }}:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/harbor.crt > /dev/null
+          sudo update-ca-certificates
+      
+      - name: Log in to Rehosting Arc Registry
         uses: docker/login-action@v3
         with:
-          username: rehosting
-          password: ${{secrets.DOCKERHUB_TOKEN}}
+          registry: ${{ secrets.REHOSTING_ARC_REGISTRY }}
+          username: ${{ secrets.REHOSTING_ARC_REGISTRY_USER }}
+          password: ${{ secrets.REHOSTING_ARC_REGISTRY_PASSWORD }}
 
 
       # Locally tag as latest, just for testing
-      - name: Pull the image from Dockerhub
+      - name: Pull the image from Rehosting Arc Registry
         run: |
-              docker pull rehosting/penguin:${{ github.sha }};
-              docker tag rehosting/penguin:${{ github.sha }} rehosting/penguin:latest
+              docker pull ${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:${{ github.sha }};
+              docker tag ${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:${{ github.sha }} rehosting/penguin:latest
       
       - name: Basic test for ${{ matrix.arch }}
         run: timeout 10m python3 $GITHUB_WORKSPACE/tests/unit_tests/basic_target/test.py --arch ${{ matrix.arch }}

.github/workflows/publish.yaml

@@ -24,6 +24,19 @@ jobs:
             with:
               username: rehosting
               password: ${{secrets.DOCKERHUB_TOKEN}}
+          
+          - name: Trust Harbor's self-signed certificate
+            run: |
+              echo "Fetching certificate from ${{ secrets.REHOSTING_ARC_REGISTRY }}"
+              openssl s_client -showcerts -connect ${{ secrets.REHOSTING_ARC_REGISTRY }}:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/harbor.crt > /dev/null
+              sudo update-ca-certificates
+          
+          - name: Log in to Rehosting Arc Registry
+            uses: docker/login-action@v3
+            with:
+              registry: ${{ secrets.REHOSTING_ARC_REGISTRY }}
+              username: ${{ secrets.REHOSTING_ARC_REGISTRY_USER }}
+              password: ${{ secrets.REHOSTING_ARC_REGISTRY_PASSWORD }}
 
           - name: Install dependencies and label git workspace safe
             run: |
@@ -35,26 +48,39 @@ jobs:
             uses: actions/checkout@v4
             with:
               fetch-depth: 0
-
+      
+          - name: Set up Docker Buildx
+            uses: docker/setup-buildx-action@v3
+            with:
+              driver-opts: |
+                image=moby/buildkit:master
+                network=host
+              buildkitd-config-inline: |
+                [registry."${{ secrets.REHOSTING_ARC_REGISTRY }}"]
+                  insecure = true
+                  http = true
+          
           - name: Build Docker image and push to Dockerhub
-            uses: docker/build-push-action@v6.3.0
+            uses: docker/build-push-action@v6.18.0
             with:
               context: .
               push: true
-              cache-from: type=registry,ref=rehosting/penguin:latest
-              cache-to: type=inline
+              cache-from: |
+                type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache,mode=max
+              cache-to: |
+                type=registry,ref=${{secrets.REHOSTING_ARC_REGISTRY}}/library/penguin:cache,mode=max
               tags: rehosting/penguin:${{ github.sha }},rehosting/penguin:${{ steps.version.outputs.v-version }},rehosting/penguin:latest
               build-args: |
                 OVERRIDE_VERSION=${{ steps.version.outputs.v-version }}
           
           - name: Create release
             id: create_release
-            uses: softprops/action-gh-release@v2.0.8
+            uses: softprops/action-gh-release@v2.3.2
             env:
               GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             with:
               tag_name: ${{ steps.version.outputs.v-version }}
-              release_name: Release ${{ steps.version.outputs.v-version }} ${{ github.ref }}
+              name: Release ${{ steps.version.outputs.v-version }} ${{ github.ref }}
               body: |
                 Release ${{ steps.version.outputs.v-version }} @${{ github.ref }}
               draft: false

Dockerfile

@@ -1,5 +1,6 @@
 # versions of the various dependencies.
-ARG BASE_IMAGE="ubuntu:22.04"
+ARG REGISTRY="docker.io"
+ARG BASE_IMAGE="${REGISTRY}/ubuntu:22.04"
 ARG DOWNLOAD_TOKEN="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"
 ARG VPN_VERSION="1.0.24"
 ARG BUSYBOX_VERSION="0.0.15"
@@ -19,7 +20,7 @@ ARG PANDA_VERSION="pandav0.0.37"
 ARG PANDANG_VERSION="0.0.26"
 ARG RIPGREP_VERSION="14.1.1"
 
-FROM rust:1.86 as rust_builder
+FROM ${REGISTRY}/rust:1.86 AS rust_builder
 RUN git clone --depth 1 -q https://github.com/rust-vmm/vhost-device/ /root/vhost-device
 ARG VHOST_DEVICE_VERSION
 ENV PATH="/root/.cargo/bin:$PATH"
@@ -167,7 +168,7 @@ COPY ./src/resources/ltrace_nvram.conf /tmp/ltrace/lib_inject.so.conf
 
 
 #### CROSS BUILDER: Build send_hypercall ###
-FROM ghcr.io/rehosting/embedded-toolchains:latest AS cross_builder
+FROM ${REGISTRY}/rehosting/embedded-toolchains:latest AS cross_builder
 COPY ./guest-utils/native/ /source
 WORKDIR /source
 RUN wget -q https://raw.githubusercontent.com/panda-re/libhc/main/hypercall.h
@@ -303,8 +304,7 @@ RUN if [ ! -z "${OVERRIDE_VERSION}" ]; then \
 FROM $BASE_IMAGE AS fw2tar_dep_builder
 ENV DEBIAN_FRONTEND=noninteractive
 
-COPY ./dependencies/fw2tar.txt /tmp/fw2tar.txt
-RUN apt-get update && apt-get install -y -q git $(cat /tmp/fw2tar.txt)
+RUN apt-get update && apt-get install -y -q git android-sdk-libsparse-utils arj automake build-essential bzip2 cabextract clang cpio cramfsswap curl default-jdk e2fsprogs fakeroot gcc git gzip lhasa libarchive-dev libfontconfig1-dev libacl1-dev libcap-dev liblzma-dev liblzo2-dev liblz4-dev libbz2-dev libssl-dev libmagic1 locales lz4 lziprecover lzop mtd-utils openssh-client p7zip p7zip-full python3 python3-pip qtbase5-dev sleuthkit squashfs-tools srecord tar unar unrar unrar-free unyaffs unzip wget xz-utils zlib1g-dev zstd
 
 ARG DOWNLOAD_TOKEN
 ARG FW2TAR_TAG
@@ -345,7 +345,6 @@ COPY --from=downloader /tmp/pandare-plugins.deb /tmp/
 COPY --from=downloader /tmp/glow.deb /tmp/
 COPY --from=downloader /tmp/gum.deb /tmp/
 COPY --from=downloader /tmp/ripgrep.deb /tmp/
-COPY ./dependencies/* /tmp
 
 # We need pycparser>=2.21 for angr. If we try this later with the other pip commands,
 # we'll fail because we get a distutils distribution of pycparser 2.19 that we can't
@@ -372,8 +371,10 @@ RUN wget https://apt.llvm.org/llvm.sh && \
     chmod +x llvm.sh && \
     ./llvm.sh 20
 
-# Install apt dependencies - largely for binwalk, some for penguin, some for fw2tar
-RUN apt-get update && apt-get install -q -y $(cat /tmp/penguin.txt) $(cat /tmp/fw2tar.txt) && \
+# Install apt dependencies - first line for penguin - second for fw2tar
+RUN apt-get update && apt-get install -q -y \
+    fakeroot genext2fs graphviz graphviz-dev libarchive13 libgcc-s1 liblinear4 liblua5.3-0 libpcap0.8 libpcre3 libssh2-1 libssl3 libstdc++6 libxml2 lua-lpeg nmap python3 python3-lxml python3-venv sudo telnet vim wget zlib1g pigz clang-20 lldb-20 lld-20 \
+    android-sdk-libsparse-utils arj automake build-essential bzip2 cabextract clang cpio cramfsswap curl default-jdk e2fsprogs fakeroot gcc git gzip lhasa libarchive-dev libfontconfig1-dev libacl1-dev libcap-dev liblzma-dev liblzo2-dev liblz4-dev libbz2-dev libssl-dev libmagic1 locales lz4 lziprecover lzop mtd-utils openssh-client p7zip p7zip-full python3 python3-pip qtbase5-dev sleuthkit squashfs-tools srecord tar unar unrar unrar-free unyaffs unzip wget xz-utils zlib1g-dev zstd && \
     apt install -yy -f /tmp/pandare.deb -f /tmp/pandare-plugins.deb \
     -f /tmp/glow.deb -f /tmp/gum.deb -f /tmp/ripgrep.deb && \
     rm -rf /var/lib/apt/lists/* /tmp/*.deb