✨ Move Earthly logic into Dockerfiles (#2008)

* Add framework files

and generate os-release

Signed-off-by: Mauro Morales <[email protected]>

* Install provider and k3s

Plus clean at the end

Signed-off-by: Mauro Morales <[email protected]>

* Fix os-release names

Signed-off-by: Mauro Morales <[email protected]>

* Use no-base-image on Earthly as a first step

Signed-off-by: Mauro Morales <[email protected]>

* Fix KAIROS_VERSION calculation

Signed-off-by: Mauro Morales <[email protected]>

* Move logic for alpine

Signed-off-by: Mauro Morales <[email protected]>

* Move logic for opensuse

Signed-off-by: Mauro Morales <[email protected]>

* Lint

Signed-off-by: Mauro Morales <[email protected]>

* Add debian & rhel

Signed-off-by: Mauro Morales <[email protected]>

* Fix ubuntu arm generic

Signed-off-by: Mauro Morales <[email protected]>

* Framework changes and luet versions

Signed-off-by: Mauro Morales <[email protected]>

* hadolint

Signed-off-by: Mauro Morales <[email protected]>

* yamllint

Signed-off-by: Mauro Morales <[email protected]>

* test building nvidia on pr

Signed-off-by: Mauro Morales <[email protected]>

* fix push

Signed-off-by: Mauro Morales <[email protected]>

* fix path

Signed-off-by: Mauro Morales <[email protected]>

* use quay

Signed-off-by: Mauro Morales <[email protected]>

* login quay

Signed-off-by: Mauro Morales <[email protected]>

* 🤦

Signed-off-by: Mauro Morales <[email protected]>

* define the nvidia jetson strategy in the ubuntu file

Signed-off-by: Mauro Morales <[email protected]>

* Only run build of nvidia if dockerfile changed

Signed-off-by: Mauro Morales <[email protected]>

* same for all other steps

Signed-off-by: Mauro Morales <[email protected]>

* No need to push latest

Signed-off-by: Mauro Morales <[email protected]>

* process nvidia on master and release

Signed-off-by: Mauro Morales <[email protected]>

* remove no-base-image

Signed-off-by: Mauro Morales <[email protected]>

* extract kairos common & remove non-hwe

Signed-off-by: Mauro Morales <[email protected]>

* Remove Dockerfile.kairos-*

Signed-off-by: Mauro Morales <[email protected]>

* hadolint

Signed-off-by: Mauro Morales <[email protected]>

* forgot to remove this section on debian

Signed-off-by: Mauro Morales <[email protected]>

* move non-hwe to examples

Signed-off-by: Mauro Morales <[email protected]>

* feedback

Signed-off-by: Mauro Morales <[email protected]>

* add name generation for base-images

Signed-off-by: Mauro Morales <[email protected]>

* shoot

Signed-off-by: Mauro Morales <[email protected]>

* lint

Signed-off-by: Mauro Morales <[email protected]>

* oops

Signed-off-by: Mauro Morales <[email protected]>

---------

Signed-off-by: Mauro Morales <[email protected]>

.earthlyignore

@@ -1,4 +1,4 @@
-build/*iso
+build/*
 # this is created by the strat_vm_qemu.sh script
-disk.img
+*.img
 *.raw

.github/flavors.json

@@ -338,15 +338,5 @@
         "baseImage": "rockylinux:9",
         "arch": "amd64",
         "worker": "self-hosted"
-    },
-    {
-        "family": "nvidia",
-        "flavor": "ubuntu",
-        "flavorRelease": "20.04",
-        "variant": "core",
-        "model": "nvidia-jetson-agx-orin",
-        "baseImage": "ubuntu:20.04",
-        "arch": "arm64",
-        "worker": "fast"
     }
 ]

.github/workflows/image-arm-pr.yaml

@@ -12,7 +12,7 @@ env:
   FORCE_COLOR: 1
 
 jobs:
-  docker:
+  opensuse:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
     with:
       flavor: opensuse
@@ -21,7 +21,7 @@ jobs:
       base_image: opensuse/leap:15.5
       model: rpi4
       worker: fast
-  docker-alpine:
+  alpine:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
     with:
       flavor: alpine

.github/workflows/image-arm.yaml

@@ -57,6 +57,83 @@ jobs:
           # end of optional handling for multi line json
           echo "::set-output name=matrix::{\"include\": $content }"
 
+  build-nvidia-base:
+    runs-on: fast
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v40
+        with:
+          files_yaml: |
+            nvidia:
+              - 'images/Dockerfile.nvidia'
+      - name: Release space from worker
+        if: steps.changed-files.outputs.nvidia_any_changed == 'true'
+        run: |
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          df -h
+          echo
+          sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
+          sudo apt-get remove --auto-remove android-sdk-platform-tools || true
+          sudo apt-get purge --auto-remove android-sdk-platform-tools || true
+          sudo rm -rf /usr/local/lib/android
+          sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
+          sudo rm -rf /usr/share/dotnet
+          sudo apt-get remove -y '^mono-.*' || true
+          sudo apt-get remove -y '^ghc-.*' || true
+          sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
+          sudo apt-get remove -y 'php.*' || true
+          sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
+          sudo apt-get remove -y '^google-.*' || true
+          sudo apt-get remove -y azure-cli || true
+          sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
+          sudo apt-get remove -y '^gfortran-.*' || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          echo
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          sudo rm -rfv build || true
+          df -h
+      - name: Set up Docker Buildx
+        if: steps.changed-files.outputs.nvidia_any_changed == 'true'
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Block all traffic to metadata ip  # For cloud runners, the metadata ip can interact with our test machines
+        if: steps.changed-files.outputs.nvidia_any_changed == 'true'
+        run: |
+          sudo iptables -I INPUT -s 169.254.169.254 -j DROP
+          sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
+      - name: Login to Quay Registry
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.changed-files.outputs.nvidia_any_changed == 'true' }}
+        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+      - name: Build  🔧 & Push 🚀
+        if: steps.changed-files.outputs.nvidia_any_changed == 'true'
+        run: |
+          export IMAGE=$(FAMILY=ubuntu FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" ./images/naming.sh container_artifact_base_name)
+          docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images
+          docker push $IMAGE
+
+  nvidia-arm-core:
+    needs: build-nvidia-base
+    uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    with:
+      flavor: ubuntu
+      flavor_release: "20.04"
+      family: ubuntu
+      # is there a way to run the naming.sh script here?
+      base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-master
+      model: nvidia-jetson-agx-orin
+      worker: fast
+
   build-arm-core:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
     secrets: inherit

.github/workflows/release-arm.yaml

@@ -49,6 +49,71 @@ jobs:
           # end of optional handling for multi line json
           echo "::set-output name=matrix::{\"include\": $content }"
 
+  build-nvidia-base:
+    runs-on: fast
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Release space from worker
+        if: steps.changed-files.outputs.nvidia_any_changed == 'true'
+        run: |
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          df -h
+          echo
+          sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
+          sudo apt-get remove --auto-remove android-sdk-platform-tools || true
+          sudo apt-get purge --auto-remove android-sdk-platform-tools || true
+          sudo rm -rf /usr/local/lib/android
+          sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
+          sudo rm -rf /usr/share/dotnet
+          sudo apt-get remove -y '^mono-.*' || true
+          sudo apt-get remove -y '^ghc-.*' || true
+          sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
+          sudo apt-get remove -y 'php.*' || true
+          sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
+          sudo apt-get remove -y '^google-.*' || true
+          sudo apt-get remove -y azure-cli || true
+          sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
+          sudo apt-get remove -y '^gfortran-.*' || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          echo
+          echo "Listing top largest packages"
+          pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
+          head -n 30 <<< "${pkgs}"
+          echo
+          sudo rm -rfv build || true
+          df -h
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Block all traffic to metadata ip  # For cloud runners, the metadata ip can interact with our test machines
+        run: |
+          sudo iptables -I INPUT -s 169.254.169.254 -j DROP
+          sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
+      - name: Login to Quay Registry
+        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+      - name: Build  🔧 & Push 🚀
+        run: |
+          export IMAGE=$(FAMILY=ubuntu FLAVOR=ubuntu FLAVOR_RELEASE="20.04" MODEL=nvidia-jetson-agx-orin VARIANT=core TARGETARCH=arm64 REGISTRY_AND_ORG="quay.io/kairos" BRANCH=release ./images/naming.sh container_artifact_base_name)
+          docker build --platform=linux/arm64 -t $IMAGE -f ./images/Dockerfile.nvidia ./images
+          docker push $IMAGE
+
+  nvidia-arm-core:
+    uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    with:
+      flavor: ubuntu
+      flavor_release: "20.04"
+      family: ubuntu
+      # is there a way to run the naming.sh script here?
+      base_image: quay.io/kairos/ubuntu:20.04-core-arm64-nvidia-jetson-agx-orin-release
+      model: nvidia-jetson-agx-orin
+      worker: fast
+
   build-arm-core:
     runs-on: ${{ matrix.worker }}
     needs:

.github/workflows/reusable-build-framework.yaml

@@ -49,5 +49,5 @@ jobs:
           # Push with earthly so it pushes the multi-arch properly
           earthly --push +multi-build-framework-image --SECURITY_PROFILE=${{ inputs.security_profile }} --VERSION=master
           # Fetch the RepoDigests for the mutli-arch image
-          docker pull "$ARTIFACT" 
+          docker pull "$ARTIFACT"
           cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$ARTIFACT")

.github/workflows/reusable-docker-arm-build.yaml

@@ -68,26 +68,34 @@ jobs:
           echo
           sudo rm -rfv build || true
           df -h
+      - name: Block all traffic to metadata ip  # For cloud runners, the metadata ip can interact with our test machines
+        run: |
+          sudo iptables -I INPUT -s 169.254.169.254 -j DROP
+          sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@master
         with:
           platforms: all
-      - name: Login to Quay Registry
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@master
       - name: Install earthly
         uses: Luet-lab/[email protected]
         with:
           repository: quay.io/kairos/packages
           packages: utils/earthly
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Login to Quay Registry
+        if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
       - name: Set compression for PR
         if: ${{ github.event_name == 'pull_request' }}
         run: |
@@ -96,31 +104,66 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         run: |
           echo "IMG_COMPRESSION=xz" >> $GITHUB_ENV
-      - name: Block all traffic to metadata ip  # For cloud runners, the metadata ip can interact with our test machines
-        run: |
-          sudo iptables -I INPUT -s 169.254.169.254 -j DROP
-          sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
       - name: Build  🔧
         run: |
-          earthly --allow-privileged +all-arm \
-              --FAMILY=${{ inputs.family }} \
+          earthly -P +all-arm \
+              --VARIANT=core \
+              --MODEL=${{ inputs.model }} \
               --FLAVOR=${{ inputs.flavor }} \
               --FLAVOR_RELEASE=${{ inputs.flavor_release }} \
+              --FAMILY=${{ inputs.family }} \
               --BASE_IMAGE=${{ inputs.base_image }} \
-              --MODEL=${{ inputs.model }} \
-              --VARIANT=core \
               --IMG_COMPRESSION=${{env.IMG_COMPRESSION}}
       - name: Show img sizes
         run: |
           ls -ltra build
           ls -ltrh build
+      - name: Convert all json files into a reports.tar.gz file
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          export VERSION=$(cat build/VERSION)
+          cd build
+          filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json}
+          sudo tar cvf "${filename}-scan-reports.tar.gz" *.json
       - name: Push  🔧
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          docker push $(cat build/IMAGE)
+      - name: Sign image
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          COSIGN_YES: true
+        run: |
+          export IMAGE=$(cat build/IMAGE)
+          docker push "$IMAGE" # Otherwise .RepoDigests will be empty for some reason
+          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
+      - name: Upload Image
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          curl https://luet.io/install.sh | sudo sh
+          IMAGE=$(cat build/IMAGE | sed 's/$/-img/')
+          sudo tar cvf build.tar build
+          sudo luet util pack $IMAGE build.tar image.tar
+          sudo -E docker load -i image.tar
+          sudo -E docker push "$IMAGE"
+          sudo rm -rf build/IMAGE build/VERSION
+      - name: Release
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            build/*scan-reports.tar.gz
+      - name: Prepare sarif files  🔧
+        if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          export _IMG=$(cat build/IMAGE)
-          export _NEW_IMG=$(echo $_IMG | cut -f1 -d:):latest
-          docker tag $_IMG $_NEW_IMG
-          docker push $_NEW_IMG
+          mkdir sarif
+          sudo mv build/*.sarif sarif/
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          sarif_file: 'sarif'
+          category: ${{ matrix.flavor }}
       - name: Prepare sarif files  🔧
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         run: |
@@ -132,21 +175,8 @@ jobs:
         with:
           sarif_file: 'sarif'
           category: ${{ inputs.flavor }}
-      - name: Sign image
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        run: |
-          # Avoid pushing a new image for every commit (re-use latest)
-          export _IMG=$(cat build/IMAGE)
-          export _LATEST=$(echo $_IMG | cut -f1 -d:):latest
-          docker push $_LATEST
-          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$_LATEST")
-          spdx=$(ls build/*.spdx.json)
-          cosign attach sbom --sbom $spdx $image_ref
-          cosign sign -y $image_ref --attachment sbom
-          # in-toto attestation
-          cosign attest -y --type spdx --predicate $spdx $image_ref
       - name: Upload results
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor != 'ubuntu-20-lts-arm-nvidia-jetson-agx-orin' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }}
         uses: actions/upload-artifact@v3
         with:
           name: ${{ inputs.flavor }}-image

.hadolint.yaml

@@ -17,4 +17,6 @@ override:
     # warning: Use WORKDIR to switch to a directory
     # Reason: Sometimes we don't want to change the workdir
     - DL3003
+    # Do not use --platform= with FROM. https://github.com/hadolint/hadolint/wiki/DL3029  
+    - DL3029
 failure-threshold: warning