feat(talos): allow building custom versions
This commit is contained in:
parent
d726e53f48
commit
75c1210aff
3 changed files with 182 additions and 104 deletions
174
.github/workflows/talos-boot-assets.yaml
vendored
174
.github/workflows/talos-boot-assets.yaml
vendored
|
@ -2,9 +2,14 @@
|
||||||
name: Talos Boot Assets Generation
|
name: Talos Boot Assets Generation
|
||||||
|
|
||||||
on:
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
version:
|
||||||
|
description: Talos version
|
||||||
|
default: latest
|
||||||
|
required: false
|
||||||
schedule:
|
schedule:
|
||||||
- cron: "0 * * * *"
|
- cron: "0 * * * *"
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
concurrency:
|
concurrency:
|
||||||
group: ${{ github.actor }}-build
|
group: ${{ github.actor }}-build
|
||||||
|
@ -21,25 +26,29 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Fetch latest Talos release version
|
- name: Fetch Talos release version
|
||||||
id: talos-release
|
id: talos-release
|
||||||
run: |
|
run: |
|
||||||
|
if [ "${{ inputs.version }}" != "latest" ]; then
|
||||||
|
talos_release_tag="${{ inputs.version }}"
|
||||||
|
else
|
||||||
talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name")
|
talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name")
|
||||||
|
fi
|
||||||
echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT
|
echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
|
- name: Fetch Talos release body
|
||||||
|
id: talos-release-body
|
||||||
|
run: |
|
||||||
|
echo 'talos_release_body<<EOF' >> $GITHUB_OUTPUT
|
||||||
|
curl -sL https://api.github.com/repos/siderolabs/talos/releases/tags/${{ steps.talos-release.outputs.talos_release_tag }} | jq -r ".body" >> $GITHUB_OUTPUT
|
||||||
|
echo EOF >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
- name: Fetch latest Boot Asset release version
|
- name: Fetch latest Boot Asset release version
|
||||||
id: boot-asset-release
|
id: boot-asset-release
|
||||||
run: |
|
run: |
|
||||||
boot_assets_release_tag=$(curl -sL https://api.github.com/repos/buroa/talos-boot-assets/releases/latest | jq -r ".tag_name")
|
boot_assets_release_tag=$(curl -sL https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r ".tag_name")
|
||||||
echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT
|
echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
- name: Fetch latest Talos release body
|
|
||||||
id: talos-release-body
|
|
||||||
run: |
|
|
||||||
echo 'talos_release_body<<EOF' >> $GITHUB_OUTPUT
|
|
||||||
curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".body" >> $GITHUB_OUTPUT
|
|
||||||
echo EOF >> $GITHUB_OUTPUT
|
|
||||||
|
|
||||||
- name: Compare release versions
|
- name: Compare release versions
|
||||||
if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag
|
if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag
|
||||||
id: compare-releases
|
id: compare-releases
|
||||||
|
@ -56,94 +65,45 @@ jobs:
|
||||||
talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }}
|
talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }}
|
||||||
talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }}
|
talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }}
|
||||||
|
|
||||||
sync-talos-fork:
|
build-kernel:
|
||||||
needs: [ check-releases ]
|
needs: [ check-releases ]
|
||||||
name: Sync talos fork with upstream
|
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
|
||||||
|
name: Build kernel image
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
|
||||||
repository: ${{ github.repository }}
|
|
||||||
ref: talos
|
|
||||||
token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Setup git
|
|
||||||
run: |
|
|
||||||
git config --global user.name "${{ github.actor }}"
|
|
||||||
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
|
|
||||||
|
|
||||||
- name: Sync upstream changes
|
|
||||||
run: |
|
|
||||||
git remote add talos https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/talos
|
|
||||||
git pull talos refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }} --rebase
|
|
||||||
git push --set-upstream origin talos --force
|
|
||||||
|
|
||||||
sync-pkgs-fork:
|
|
||||||
needs: [ check-releases ]
|
|
||||||
name: Sync pkgs fork with upstream
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
|
||||||
repository: ${{ github.repository }}
|
|
||||||
ref: pkgs
|
|
||||||
token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Get pkgs release tag
|
- name: Get pkgs release tag
|
||||||
id: pkgs-release
|
id: pkgs-release
|
||||||
run: |
|
run: |
|
||||||
release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}')
|
release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}')
|
||||||
echo "release=$release" >> $GITHUB_OUTPUT
|
echo "release=$release" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
- name: Setup git
|
|
||||||
run: |
|
|
||||||
git config --global user.name "${{ github.actor }}"
|
|
||||||
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
|
|
||||||
|
|
||||||
- name: Sync upstream changes
|
|
||||||
run: |
|
|
||||||
git remote add pkgs https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/pkgs
|
|
||||||
git pull pkgs ${{ steps.pkgs-release.outputs.release }} --rebase
|
|
||||||
git push --set-upstream origin pkgs --force
|
|
||||||
|
|
||||||
build-kernel:
|
|
||||||
needs: [ check-releases, sync-pkgs-fork ]
|
|
||||||
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
|
|
||||||
name: Build kernel image
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
outputs:
|
|
||||||
sha: ${{ steps.hash.outputs.sha_short }}
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
repository: siderolabs/pkgs
|
||||||
|
ref: ${{ steps.pkgs-release.outputs.release }}
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
fetch-depth: 0
|
||||||
|
|
||||||
|
- name: Checkout patches
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ github.repository }}
|
repository: ${{ github.repository }}
|
||||||
ref: pkgs
|
ref: ${{ github.sha }}
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
path: patches
|
||||||
|
sparse-checkout: patches/pkgs
|
||||||
|
sparse-checkout-cone-mode: false
|
||||||
|
|
||||||
- name: Get short commit hash
|
- name: Apply patches
|
||||||
id: hash
|
|
||||||
run: |
|
run: |
|
||||||
sha_short=$(git rev-parse --short HEAD)
|
while IFS= read -r file; do
|
||||||
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
|
echo "==> Adding $file"
|
||||||
|
git apply -v $file
|
||||||
- name: Check if kernel image is already built
|
done < <(find "./patches/patches/pkgs" -type f -name "*.patch" | sort)
|
||||||
id: check
|
|
||||||
run: |
|
|
||||||
token=$(echo "${{ secrets.GITHUB_TOKEN }}" | base64)
|
|
||||||
tags=$(curl -H "Authorization: Bearer $token" https://ghcr.io/v2/${{ github.actor }}/kernel/tags/list)
|
|
||||||
built=$(echo "$tags" | jq -r '.tags | contains(["${{ steps.hash.outputs.sha_short }}"])')
|
|
||||||
echo "built=$built" >> $GITHUB_OUTPUT
|
|
||||||
|
|
||||||
- name: Maximize build space
|
- name: Maximize build space
|
||||||
if: steps.check.outputs.built == 'false'
|
|
||||||
uses: jlumbroso/free-disk-space@main
|
uses: jlumbroso/free-disk-space@main
|
||||||
with:
|
with:
|
||||||
large-packages: true
|
large-packages: true
|
||||||
|
@ -151,15 +111,12 @@ jobs:
|
||||||
swap-storage: true
|
swap-storage: true
|
||||||
|
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
if: steps.check.outputs.built == 'false'
|
|
||||||
uses: docker/setup-qemu-action@v3
|
uses: docker/setup-qemu-action@v3
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
if: steps.check.outputs.built == 'false'
|
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- name: Login to GitHub Container Registry
|
- name: Login to GitHub Container Registry
|
||||||
if: steps.check.outputs.built == 'false'
|
|
||||||
uses: docker/login-action@v3.1.0
|
uses: docker/login-action@v3.1.0
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
|
@ -167,25 +124,44 @@ jobs:
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Build kernel image
|
- name: Build kernel image
|
||||||
if: steps.check.outputs.built == 'false'
|
run: |
|
||||||
env:
|
make kernel \
|
||||||
PLATFORM: linux/amd64
|
PLATFORM=linux/amd64 \
|
||||||
USERNAME: ${{ github.actor }}
|
USERNAME="${{ github.actor }}" \
|
||||||
PUSH: "true"
|
TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \
|
||||||
run: make kernel
|
PUSH="true"
|
||||||
|
|
||||||
build-installer:
|
build-installer:
|
||||||
needs: [ check-releases, sync-talos-fork, build-kernel ]
|
needs: [ check-releases, build-kernel ]
|
||||||
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
|
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
|
||||||
name: Build installer image
|
name: Build installer image
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
repository: siderolabs/talos
|
||||||
|
ref: refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }}
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
fetch-depth: 0
|
||||||
|
|
||||||
|
- name: Checkout patches
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ github.repository }}
|
repository: ${{ github.repository }}
|
||||||
ref: talos
|
ref: ${{ github.sha }}
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
path: patches
|
||||||
|
sparse-checkout: patches/talos
|
||||||
|
sparse-checkout-cone-mode: false
|
||||||
|
|
||||||
|
- name: Apply patches
|
||||||
|
run: |
|
||||||
|
while IFS= read -r file; do
|
||||||
|
echo "==> Adding $file"
|
||||||
|
git apply -v $file
|
||||||
|
done < <(find "./patches/patches/talos" -type f -name "*.patch" | sort)
|
||||||
|
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3
|
uses: docker/setup-qemu-action@v3
|
||||||
|
@ -201,13 +177,13 @@ jobs:
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Build installer image
|
- name: Build installer image
|
||||||
env:
|
run: |
|
||||||
PLATFORM: linux/amd64
|
make installer \
|
||||||
USERNAME: ${{ github.actor }}
|
PLATFORM="linux/amd64" \
|
||||||
TAG: ${{ needs.check-releases.outputs.talosReleaseTag }}
|
USERNAME="${{ github.actor }}" \
|
||||||
PKG_KERNEL: ghcr.io/${{ github.actor }}/kernel:${{ needs.build-kernel.outputs.sha }}
|
TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \
|
||||||
PUSH: "true"
|
PKG_KERNEL="ghcr.io/${{ github.actor }}/kernel:${{ needs.check-releases.outputs.talosReleaseTag }}" \
|
||||||
run: make installer
|
PUSH="true"
|
||||||
|
|
||||||
build-boot-assets:
|
build-boot-assets:
|
||||||
needs: [ check-releases, build-installer ]
|
needs: [ check-releases, build-installer ]
|
||||||
|
@ -219,7 +195,7 @@ jobs:
|
||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
container:
|
container:
|
||||||
image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
|
image: ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
|
||||||
options: --privileged
|
options: --privileged
|
||||||
volumes:
|
volumes:
|
||||||
- /dev:/dev
|
- /dev:/dev
|
||||||
|
|
62
patches/pkgs/0001-feat-add-apple-t2-patches.patch
Normal file
62
patches/pkgs/0001-feat-add-apple-t2-patches.patch
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
From a1c892e579f5191fd09fb377794b8675fb2b79f1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steven Kreitzer <skre@skre.me>
|
||||||
|
Date: Fri, 15 Dec 2023 05:36:52 -0600
|
||||||
|
Subject: [PATCH] feat: add apple t2 patches
|
||||||
|
|
||||||
|
Signed-off-by: Steven Kreitzer <skre@skre.me>
|
||||||
|
---
|
||||||
|
kernel/build/pkg.yaml | 7 +++++++
|
||||||
|
kernel/prepare/pkg.yaml | 12 ++++++++++++
|
||||||
|
2 files changed, 19 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml
|
||||||
|
index 35f0e380f..1a3ccc31c 100644
|
||||||
|
--- a/kernel/build/pkg.yaml
|
||||||
|
+++ b/kernel/build/pkg.yaml
|
||||||
|
@@ -12,6 +12,13 @@ steps:
|
||||||
|
cd /src
|
||||||
|
cp -v /pkg/config-${CARCH} .config
|
||||||
|
cp -v /pkg/certs/* certs/
|
||||||
|
+ - |
|
||||||
|
+ cd /src
|
||||||
|
+ scripts/config --enable CONFIG_APPLE_BCE
|
||||||
|
+ scripts/config --enable CONFIG_HID_APPLE_IBRIDGE
|
||||||
|
+ scripts/config --enable CONFIG_SENSORS_APPLESMC
|
||||||
|
+ scripts/config --enable CONFIG_USB4
|
||||||
|
+ scripts/config --enable CONFIG_USB4_NET
|
||||||
|
build:
|
||||||
|
{{ if .BUILD_ARG_KERNEL_TARGET }}
|
||||||
|
- |
|
||||||
|
diff --git a/kernel/prepare/pkg.yaml b/kernel/prepare/pkg.yaml
|
||||||
|
index 35dba08d1..b369f4976 100644
|
||||||
|
--- a/kernel/prepare/pkg.yaml
|
||||||
|
+++ b/kernel/prepare/pkg.yaml
|
||||||
|
@@ -9,6 +9,10 @@ steps:
|
||||||
|
destination: linux.tar.xz
|
||||||
|
sha256: "{{ .linux_sha256 }}"
|
||||||
|
sha512: "{{ .linux_sha512 }}"
|
||||||
|
+ - url: https://github.com/t2linux/linux-t2-patches/archive/15ed66844da78b46dde88fd361154c95b37d0286.tar.gz
|
||||||
|
+ destination: patches.tar.gz
|
||||||
|
+ sha256: 8d80db3d846eed1e9b30fb29b3004ba440f4cd3509700045cc3e9216382eacbc
|
||||||
|
+ sha512: d7317bda6c056d7c11b642a98e65e6ee8ae635995ff3f58e258f6bfa140a767cf07bc91c2db2a3f6e528fe793f492543ef2d6799dfda95d30852eceac467477b
|
||||||
|
env:
|
||||||
|
ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
|
||||||
|
prepare:
|
||||||
|
@@ -40,6 +44,14 @@ steps:
|
||||||
|
done
|
||||||
|
|
||||||
|
make mrproper
|
||||||
|
+ - |
|
||||||
|
+ mkdir -p /pkg/patches
|
||||||
|
+ tar xf patches.tar.gz --strip-components=1 -C /pkg/patches
|
||||||
|
+ - |
|
||||||
|
+ while IFS= read -r file; do
|
||||||
|
+ echo "==> Adding $file"
|
||||||
|
+ patch -p1 < "$file"
|
||||||
|
+ done < <(find "/pkg/patches/" -type f -name "*.patch" | sort)
|
||||||
|
- |
|
||||||
|
cd /toolchain && git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
|
||||||
|
install:
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
40
patches/talos/0001-fix-large-apple-efi.patch
Normal file
40
patches/talos/0001-fix-large-apple-efi.patch
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
From 60659a28f750cdd0bb71ac73e14fd878c91e0b8a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steven Kreitzer <skre@skre.me>
|
||||||
|
Date: Fri, 15 Dec 2023 05:42:06 -0600
|
||||||
|
Subject: [PATCH] fix: large apple efi
|
||||||
|
|
||||||
|
Signed-off-by: Steven Kreitzer <skre@skre.me>
|
||||||
|
---
|
||||||
|
internal/pkg/partition/constants.go | 2 +-
|
||||||
|
pkg/imager/profile/default.go | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/internal/pkg/partition/constants.go b/internal/pkg/partition/constants.go
|
||||||
|
index 534537181..d18877cd1 100644
|
||||||
|
--- a/internal/pkg/partition/constants.go
|
||||||
|
+++ b/internal/pkg/partition/constants.go
|
||||||
|
@@ -30,7 +30,7 @@ const (
|
||||||
|
const (
|
||||||
|
MiB = 1024 * 1024
|
||||||
|
|
||||||
|
- EFISize = 100 * MiB
|
||||||
|
+ EFISize = 500 * MiB
|
||||||
|
BIOSGrubSize = 1 * MiB
|
||||||
|
BootSize = 1000 * MiB
|
||||||
|
// EFIUKISize is the size of the EFI partition when UKI is enabled.
|
||||||
|
diff --git a/pkg/imager/profile/default.go b/pkg/imager/profile/default.go
|
||||||
|
index 45ab35873..54261f81d 100644
|
||||||
|
--- a/pkg/imager/profile/default.go
|
||||||
|
+++ b/pkg/imager/profile/default.go
|
||||||
|
@@ -14,7 +14,7 @@ const (
|
||||||
|
mib = 1024 * 1024
|
||||||
|
|
||||||
|
// MinRAWDiskSize is the minimum size disk we can create. Used for metal images.
|
||||||
|
- MinRAWDiskSize = 1246 * mib
|
||||||
|
+ MinRAWDiskSize = 1646 * mib
|
||||||
|
|
||||||
|
// DefaultRAWDiskSize is the value we use for any non-metal images by default.
|
||||||
|
DefaultRAWDiskSize = 8192 * mib
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
Loading…
Reference in a new issue