feat(talos): allow building custom versions

This commit is contained in:
Steven Kreitzer 2024-04-05 07:19:41 -05:00
parent d726e53f48
commit 75c1210aff
No known key found for this signature in database
GPG key ID: 76F902141A05C232
3 changed files with 182 additions and 104 deletions


@ -2,9 +2,14 @@
name: Talos Boot Assets Generation name: Talos Boot Assets Generation
on: on:
workflow_dispatch:
inputs:
version:
description: Talos version
default: latest
required: false
schedule: schedule:
- cron: "0 * * * *" - cron: "0 * * * *"
workflow_dispatch:
concurrency: concurrency:
group: ${{ github.actor }}-build group: ${{ github.actor }}-build
@ -21,25 +26,29 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Fetch latest Talos release version - name: Fetch Talos release version
id: talos-release id: talos-release
run: | run: |
if [ "${{ inputs.version }}" != "latest" ]; then
talos_release_tag="${{ inputs.version }}"
else
talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name") talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name")
fi
echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT
- name: Fetch Talos release body
id: talos-release-body
run: |
echo 'talos_release_body<<EOF' >> $GITHUB_OUTPUT
curl -sL https://api.github.com/repos/siderolabs/talos/releases/tags/${{ steps.talos-release.outputs.talos_release_tag }} | jq -r ".body" >> $GITHUB_OUTPUT
echo EOF >> $GITHUB_OUTPUT
- name: Fetch latest Boot Asset release version - name: Fetch latest Boot Asset release version
id: boot-asset-release id: boot-asset-release
run: | run: |
boot_assets_release_tag=$(curl -sL https://api.github.com/repos/buroa/talos-boot-assets/releases/latest | jq -r ".tag_name") boot_assets_release_tag=$(curl -sL https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r ".tag_name")
echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT
- name: Fetch latest Talos release body
id: talos-release-body
run: |
echo 'talos_release_body<<EOF' >> $GITHUB_OUTPUT
curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".body" >> $GITHUB_OUTPUT
echo EOF >> $GITHUB_OUTPUT
- name: Compare release versions - name: Compare release versions
if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag
id: compare-releases id: compare-releases
@ -56,94 +65,45 @@ jobs:
talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }} talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }}
talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }} talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }}
sync-talos-fork: build-kernel:
needs: [ check-releases ] needs: [ check-releases ]
name: Sync talos fork with upstream if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
name: Build kernel image
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}
ref: talos
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Setup git
run: |
git config --global user.name "${{ github.actor }}"
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
- name: Sync upstream changes
run: |
git remote add talos https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/talos
git pull talos refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }} --rebase
git push --set-upstream origin talos --force
sync-pkgs-fork:
needs: [ check-releases ]
name: Sync pkgs fork with upstream
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}
ref: pkgs
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Get pkgs release tag - name: Get pkgs release tag
id: pkgs-release id: pkgs-release
run: | run: |
release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}') release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}')
echo "release=$release" >> $GITHUB_OUTPUT echo "release=$release" >> $GITHUB_OUTPUT
- name: Setup git
run: |
git config --global user.name "${{ github.actor }}"
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
- name: Sync upstream changes
run: |
git remote add pkgs https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/pkgs
git pull pkgs ${{ steps.pkgs-release.outputs.release }} --rebase
git push --set-upstream origin pkgs --force
build-kernel:
needs: [ check-releases, sync-pkgs-fork ]
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
name: Build kernel image
runs-on: ubuntu-latest
outputs:
sha: ${{ steps.hash.outputs.sha_short }}
steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4
with:
repository: siderolabs/pkgs
ref: ${{ steps.pkgs-release.outputs.release }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Checkout patches
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
repository: ${{ github.repository }} repository: ${{ github.repository }}
ref: pkgs ref: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
path: patches
sparse-checkout: patches/pkgs
sparse-checkout-cone-mode: false
- name: Get short commit hash - name: Apply patches
id: hash
run: | run: |
sha_short=$(git rev-parse --short HEAD) while IFS= read -r file; do
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT echo "==> Adding $file"
git apply -v $file
- name: Check if kernel image is already built done < <(find "./patches/patches/pkgs" -type f -name "*.patch" | sort)
id: check
run: |
token=$(echo "${{ secrets.GITHUB_TOKEN }}" | base64)
tags=$(curl -H "Authorization: Bearer $token" https://ghcr.io/v2/${{ github.actor }}/kernel/tags/list)
built=$(echo "$tags" | jq -r '.tags | contains(["${{ steps.hash.outputs.sha_short }}"])')
echo "built=$built" >> $GITHUB_OUTPUT
- name: Maximize build space - name: Maximize build space
if: steps.check.outputs.built == 'false'
uses: jlumbroso/free-disk-space@main uses: jlumbroso/free-disk-space@main
with: with:
large-packages: true large-packages: true
@ -151,15 +111,12 @@ jobs:
swap-storage: true swap-storage: true
- name: Set up QEMU - name: Set up QEMU
if: steps.check.outputs.built == 'false'
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx - name: Set up Docker Buildx
if: steps.check.outputs.built == 'false'
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
if: steps.check.outputs.built == 'false'
uses: docker/login-action@v3.1.0 uses: docker/login-action@v3.1.0
with: with:
registry: ghcr.io registry: ghcr.io
@ -167,25 +124,44 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build kernel image - name: Build kernel image
if: steps.check.outputs.built == 'false' run: |
env: make kernel \
PLATFORM: linux/amd64 PLATFORM=linux/amd64 \
USERNAME: ${{ github.actor }} USERNAME="${{ github.actor }}" \
PUSH: "true" TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \
run: make kernel PUSH="true"
build-installer: build-installer:
needs: [ check-releases, sync-talos-fork, build-kernel ] needs: [ check-releases, build-kernel ]
if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch' if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch'
name: Build installer image name: Build installer image
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4
with:
repository: siderolabs/talos
ref: refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Checkout patches
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
repository: ${{ github.repository }} repository: ${{ github.repository }}
ref: talos ref: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
path: patches
sparse-checkout: patches/talos
sparse-checkout-cone-mode: false
- name: Apply patches
run: |
while IFS= read -r file; do
echo "==> Adding $file"
git apply -v $file
done < <(find "./patches/patches/talos" -type f -name "*.patch" | sort)
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
@ -201,13 +177,13 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build installer image - name: Build installer image
env: run: |
PLATFORM: linux/amd64 make installer \
USERNAME: ${{ github.actor }} PLATFORM="linux/amd64" \
TAG: ${{ needs.check-releases.outputs.talosReleaseTag }} USERNAME="${{ github.actor }}" \
PKG_KERNEL: ghcr.io/${{ github.actor }}/kernel:${{ needs.build-kernel.outputs.sha }} TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \
PUSH: "true" PKG_KERNEL="ghcr.io/${{ github.actor }}/kernel:${{ needs.check-releases.outputs.talosReleaseTag }}" \
run: make installer PUSH="true"
build-boot-assets: build-boot-assets:
needs: [ check-releases, build-installer ] needs: [ check-releases, build-installer ]
@ -219,7 +195,7 @@ jobs:
contents: write contents: write
container: container:
image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }} image: ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}
options: --privileged options: --privileged
volumes: volumes:
- /dev:/dev - /dev:/dev
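Review bot: In the "Fetch Talos release version" step of the second hunk (the `check-releases` job starts above the hunk), `${{ inputs.version }}` is pasted into the shell script, and on the `schedule` trigger the `inputs` context is empty rather than the declared default, so the test becomes `[ "" != "latest" ]` and `talos_release_tag` ends up empty — I believe GitHub does not apply `workflow_dispatch` defaults on other events, which is worth confirming. Reading the input through `env:` with an explicit fallback addresses both points: the value is a variable rather than script text, and scheduled runs resolve the latest release. The resolved tag is then interpolated the same way into the release-body `curl` URL and the `grep <<< '...'` in "Get pkgs release tag", and a tag that does not exist upstream only surfaces later as a failed `actions/checkout` on `refs/tags/...`, so checking that the tag exists right after resolving it would make a mistaken manual input fail fast. Separately, both "Apply patches" steps should quote the loop variable, `git apply -v "$file"`.
```yaml
      - name: Fetch Talos release version
        id: talos-release
        env:
          TALOS_VERSION: ${{ inputs.version || 'latest' }}
        run: |
          if [ "$TALOS_VERSION" != "latest" ]; then
            talos_release_tag="$TALOS_VERSION"
          # … unchanged: latest-release lookup, fi, output write …
```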


@ -0,0 +1,62 @@
From a1c892e579f5191fd09fb377794b8675fb2b79f1 Mon Sep 17 00:00:00 2001
From: Steven Kreitzer <skre@skre.me>
Date: Fri, 15 Dec 2023 05:36:52 -0600
Subject: [PATCH] feat: add apple t2 patches
Signed-off-by: Steven Kreitzer <skre@skre.me>
---
kernel/build/pkg.yaml | 7 +++++++
kernel/prepare/pkg.yaml | 12 ++++++++++++
2 files changed, 19 insertions(+)
diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml
index 35f0e380f..1a3ccc31c 100644
--- a/kernel/build/pkg.yaml
+++ b/kernel/build/pkg.yaml
@@ -12,6 +12,13 @@ steps:
cd /src
cp -v /pkg/config-${CARCH} .config
cp -v /pkg/certs/* certs/
+ - |
+ cd /src
+ scripts/config --enable CONFIG_APPLE_BCE
+ scripts/config --enable CONFIG_HID_APPLE_IBRIDGE
+ scripts/config --enable CONFIG_SENSORS_APPLESMC
+ scripts/config --enable CONFIG_USB4
+ scripts/config --enable CONFIG_USB4_NET
build:
{{ if .BUILD_ARG_KERNEL_TARGET }}
- |
diff --git a/kernel/prepare/pkg.yaml b/kernel/prepare/pkg.yaml
index 35dba08d1..b369f4976 100644
--- a/kernel/prepare/pkg.yaml
+++ b/kernel/prepare/pkg.yaml
@@ -9,6 +9,10 @@ steps:
destination: linux.tar.xz
sha256: "{{ .linux_sha256 }}"
sha512: "{{ .linux_sha512 }}"
+ - url: https://github.com/t2linux/linux-t2-patches/archive/15ed66844da78b46dde88fd361154c95b37d0286.tar.gz
+ destination: patches.tar.gz
+ sha256: 8d80db3d846eed1e9b30fb29b3004ba440f4cd3509700045cc3e9216382eacbc
+ sha512: d7317bda6c056d7c11b642a98e65e6ee8ae635995ff3f58e258f6bfa140a767cf07bc91c2db2a3f6e528fe793f492543ef2d6799dfda95d30852eceac467477b
env:
ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
prepare:
@@ -40,6 +44,14 @@ steps:
done
make mrproper
+ - |
+ mkdir -p /pkg/patches
+ tar xf patches.tar.gz --strip-components=1 -C /pkg/patches
+ - |
+ while IFS= read -r file; do
+ echo "==> Adding $file"
+ patch -p1 < "$file"
+ done < <(find "/pkg/patches/" -type f -name "*.patch" | sort)
- |
cd /toolchain && git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
install:
--
2.44.0


@ -0,0 +1,40 @@
From 60659a28f750cdd0bb71ac73e14fd878c91e0b8a Mon Sep 17 00:00:00 2001
From: Steven Kreitzer <skre@skre.me>
Date: Fri, 15 Dec 2023 05:42:06 -0600
Subject: [PATCH] fix: large apple efi
Signed-off-by: Steven Kreitzer <skre@skre.me>
---
internal/pkg/partition/constants.go | 2 +-
pkg/imager/profile/default.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/pkg/partition/constants.go b/internal/pkg/partition/constants.go
index 534537181..d18877cd1 100644
--- a/internal/pkg/partition/constants.go
+++ b/internal/pkg/partition/constants.go
@@ -30,7 +30,7 @@ const (
const (
MiB = 1024 * 1024
- EFISize = 100 * MiB
+ EFISize = 500 * MiB
BIOSGrubSize = 1 * MiB
BootSize = 1000 * MiB
// EFIUKISize is the size of the EFI partition when UKI is enabled.
diff --git a/pkg/imager/profile/default.go b/pkg/imager/profile/default.go
index 45ab35873..54261f81d 100644
--- a/pkg/imager/profile/default.go
+++ b/pkg/imager/profile/default.go
@@ -14,7 +14,7 @@ const (
mib = 1024 * 1024
// MinRAWDiskSize is the minimum size disk we can create. Used for metal images.
- MinRAWDiskSize = 1246 * mib
+ MinRAWDiskSize = 1646 * mib
// DefaultRAWDiskSize is the value we use for any non-metal images by default.
DefaultRAWDiskSize = 8192 * mib
--
2.44.0