Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion .github/workflows/build-amt-installer.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,11 @@ on:
required: false
default: 'ghcr.io/blockcast/kernel:v1.13.4-amt'
type: string
installer_tag:
description: 'Installer image tag to publish'
required: false
default: 'v1.13.4-amt'
type: string

concurrency:
group: build-amt-installer-${{ github.ref }}
Expand All @@ -66,16 +71,19 @@ jobs:
IN_TALOS: ${{ inputs.talos_version }}
IN_PKGS: ${{ inputs.pkgs_sha }}
IN_KIMG: ${{ inputs.kernel_image }}
IN_INSTALLER_TAG: ${{ inputs.installer_tag }}
run: |
set -euo pipefail
TALOS="${IN_TALOS:-v1.13.4}"
PKGS="${IN_PKGS:-v1.13.0-28-g54ec9fc}"
KIMG="${IN_KIMG:-ghcr.io/blockcast/kernel:v1.13.4-amt}"
INSTALLER_TAG="${IN_INSTALLER_TAG:-${TALOS}-amt}"
case "$TALOS" in v[0-9]*.[0-9]*.[0-9]*) : ;; *) echo "bad talos: $TALOS" >&2; exit 1 ;; esac
case "$INSTALLER_TAG" in v[0-9]*.[0-9]*.[0-9]*-*) : ;; *) echo "bad installer_tag: $INSTALLER_TAG" >&2; exit 1 ;; esac
echo "talos=$TALOS" >> "$GITHUB_OUTPUT"
echo "pkgs=$PKGS" >> "$GITHUB_OUTPUT"
echo "kimg=$KIMG" >> "$GITHUB_OUTPUT"
echo "image_tag=${TALOS}-amt" >> "$GITHUB_OUTPUT"
echo "image_tag=$INSTALLER_TAG" >> "$GITHUB_OUTPUT"

- name: Checkout siderolabs/talos @ tag
uses: actions/checkout@v4
Expand Down
147 changes: 147 additions & 0 deletions .github/workflows/build-ct6-mroute-kernel.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
name: build-ct6-mroute-kernel

on:
workflow_dispatch:
inputs:
image_tag:
description: 'Kernel image tag to publish'
required: false
default: 'v1.13.4-amt-ct6-mroute'
type: string
kver:
description: 'Vanilla kernel.org base version'
required: false
default: '6.18.34'
type: string
push:
branches:
- blockcast-ct6-ipv6-pimsm
paths:
- 'kernel/build/config-amd64'
- 'kernel/build/certs/**'
- 'kernel/build/patches/**'
- 'kernel/build/pkg.yaml'
- 'kernel/prepare/pkg.yaml'
- '.github/workflows/build-ct6-mroute-kernel.yml'

concurrency:
group: build-ct6-mroute-kernel-${{ github.ref }}
cancel-in-progress: false

jobs:
build:
runs-on: chromium-build
timeout-minutes: 350
permissions:
contents: read
packages: write
steps:
- name: Checkout pkgs branch
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Resolve build params
id: p
env:
IN_TAG: ${{ inputs.image_tag }}
IN_KVER: ${{ inputs.kver }}
run: |
set -euo pipefail
IMAGE_TAG="${IN_TAG:-v1.13.4-amt-ct6-mroute}"
KVER="${IN_KVER:-6.18.34}"
case "$IMAGE_TAG" in v[0-9]*.[0-9]*.[0-9]*-*) : ;; *) echo "bad image_tag: $IMAGE_TAG" >&2; exit 1 ;; esac
case "$KVER" in [0-9]*.[0-9]*.[0-9]*) : ;; *) echo "bad kver: $KVER" >&2; exit 1 ;; esac
echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
echo "kver=$KVER" >> "$GITHUB_OUTPUT"

- name: Assert GTM multicast kernel config
env:
KVER: ${{ steps.p.outputs.kver }}
run: |
set -euo pipefail
grep -q "Linux/x86 ${KVER} Kernel Configuration" kernel/build/config-amd64
grep -q '^CONFIG_MPLS_ROUTING=y$' kernel/build/config-amd64
grep -q '^CONFIG_IPV6_PIMSM_V2=y$' kernel/build/config-amd64
grep -q '^CONFIG_IP_MROUTE_MULTIPLE_TABLES=y$' kernel/build/config-amd64
grep -q '^CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y$' kernel/build/config-amd64
grep -q '^# CONFIG_NET_IPGRE_BROADCAST is not set$' kernel/build/config-amd64
echo "ct6 mroute config confirmed for ${KVER}"

- name: Resolve dind socket
run: |
set -euo pipefail
echo "DOCKER_HOST=${DOCKER_HOST:-<unset; default>}"
docker version

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to ghcr
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to registry.blockcast.net cache
uses: docker/login-action@v3
with:
registry: registry.blockcast.net
username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_PASSWORD }}

- name: Install Blockcast module signing key
env:
BLOCKCAST_MODULE_SIGNING_KEY: ${{ secrets.BLOCKCAST_MODULE_SIGNING_KEY }}
run: |
set -euo pipefail
if [ -z "${BLOCKCAST_MODULE_SIGNING_KEY:-}" ]; then
echo "BLOCKCAST_MODULE_SIGNING_KEY secret is required for CONFIG_MODULE_SIG_KEY=certs/blockcast_signing_key.pem" >&2
exit 1
fi

key="kernel/build/certs/blockcast_signing_key.pem"
cert="kernel/build/certs/blockcast-modsign.crt"
tmp="$(mktemp -d)"
trap 'rm -rf "${tmp}"' EXIT

umask 077
printf '%s\n' "${BLOCKCAST_MODULE_SIGNING_KEY}" > "${key}"
if ! grep -q -- '-----BEGIN CERTIFICATE-----' "${key}"; then
printf '\n' >> "${key}"
cat "${cert}" >> "${key}"
fi

openssl pkey -in "${key}" -pubout -out "${tmp}/key.pub" >/dev/null
openssl x509 -in "${cert}" -pubkey -noout > "${tmp}/cert.pub"
cmp -s "${tmp}/key.pub" "${tmp}/cert.pub"
echo "Blockcast module signing key installed for kernel build"

- name: Build + push kernel pkg
env:
IMAGE_TAG: ${{ steps.p.outputs.image_tag }}
run: |
set -euo pipefail
CACHE=registry.blockcast.net/blockcast/amt-kernel-buildcache
# bldr v0.6.0 does not expose a BuildKit secret mount for pkg steps.
# Keep cache import, but do not export layers while the private signing
# key is present in the kernel-build package context.
make kernel \
PUSH=true \
PLATFORM=linux/amd64 \
REGISTRY=ghcr.io \
USERNAME=blockcast \
TAG="${IMAGE_TAG}" \
IMAGE_TAG="${IMAGE_TAG}" \
CI_ARGS="--cache-from=type=registry,ref=${CACHE}"

- name: Scrub Blockcast module signing key
if: always()
run: rm -f kernel/build/certs/blockcast_signing_key.pem

- name: Report published image
env:
IMAGE_TAG: ${{ steps.p.outputs.image_tag }}
run: |
echo "Published: ghcr.io/blockcast/kernel:${IMAGE_TAG}"
6 changes: 2 additions & 4 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,7 @@ jobs:
issues: read
packages: write
pull-requests: read
runs-on:
group: pkgs
runs-on: pkgs
if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/'))
outputs:
labels: ${{ steps.retrieve-pr-labels.outputs.result }}
Expand Down Expand Up @@ -127,8 +126,7 @@ jobs:
body_path: _out/RELEASE_NOTES.md
draft: "true"
reproducibility:
runs-on:
group: pkgs
runs-on: pkgs
if: contains(fromJSON(needs.default.outputs.labels || '[]'), 'integration/reproducibility')
needs:
- default
Expand Down
32 changes: 28 additions & 4 deletions .github/workflows/compose-signed-installer.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,17 +50,41 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compose + push signed installer
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Cross-repo pull: the imager fetches the SIGNED amt-kmod extension
# (Blockcast/linux-amt, private), which this repo's GITHUB_TOKEN cannot
# read (GET .../amt-kmod/manifests: DENIED). Use the org PAT (read:packages
# across repos) for the imager's ghcr auth. The docker login step above
# keeps GITHUB_TOKEN for `docker push` of the output (a pkgs-owned package).
GHCR_USER: ${{ github.actor }}
GHCR_PULL_TOKEN: ${{ secrets.GH_PAT }}
BASE: ${{ inputs.base_installer }}
EXT: ${{ inputs.extension }}
OUT: ${{ inputs.out_tag }}
TALOS: ${{ inputs.talos_version }}
run: |
set -euo pipefail
mkdir -p _out && chmod 0777 _out
# -e GITHUB_TOKEN lets the imager pull the PRIVATE base + extension.
docker run --rm -e GITHUB_TOKEN \
-v /var/run/docker.sock:/var/run/docker.sock \

if [ -z "${GHCR_PULL_TOKEN:-}" ]; then
echo "GH_PAT secret with read:packages access to ghcr.io/blockcast/amt-kmod is required" >&2
exit 1
fi

sock="${DOCKER_HOST#unix://}"
sock="${sock:-/var/run/docker.sock}"
test -S "$sock" || { echo "docker socket not found at '$sock' (DOCKER_HOST=${DOCKER_HOST:-})" >&2; exit 1; }

imager_cfg="$RUNNER_TEMP/imager-docker"
mkdir -p "$imager_cfg"
printf '{"auths":{"ghcr.io":{"auth":"%s"}}}' \
"$(printf '%s:%s' "$GHCR_USER" "$GHCR_PULL_TOKEN" | base64 -w0)" > "$imager_cfg/config.json"

# DOCKER_CONFIG is required because the imager uses go-containerregistry
# internally; the runner's docker login credStore is not visible there.
docker run --rm \
-e DOCKER_CONFIG=/root/.docker \
-v "$sock:/var/run/docker.sock" \
-v "$imager_cfg/config.json:/root/.docker/config.json:ro" \
-v "$PWD/_out:/out" \
"ghcr.io/siderolabs/imager:${TALOS}" installer \
--base-installer-image "$BASE" \
Expand Down
3 changes: 1 addition & 2 deletions .github/workflows/weekly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,7 @@ concurrency:
name: weekly
jobs:
reproducibility:
runs-on:
group: pkgs
runs-on: pkgs
steps:
- name: gather-system-info
id: system-info
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@
# Generated on 2023-11-02T09:50:52Z by kres 3a2980e-dirty.

_out
kernel/build/certs/blockcast_signing_key.pem
6 changes: 3 additions & 3 deletions Pkgfile
Original file line number Diff line number Diff line change
Expand Up @@ -103,9 +103,9 @@ vars:
kspp_sha512: 1befd930ca0e43acb049f3ffac584e9a13c0ef716abba0670eb976e1b6bcee3f833b2b16cb02ac193c33c3fbbeb6ff221394f4265f5b0d4b8e65488a530b0d0a

# renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
linux_version: 6.18.35
linux_sha256: f78602932219125e211c5f5bfd84edcfd4ec5ce88fc944f8248413f665bef236
linux_sha512: 8888a1f908473ea91e943a9c61cff956939709b0ded2d2e5cc26f377d1799ce5ba4d247c522508d13c3769ad90f804a8ef423fa782c10ae8e7ce9e7504bd8871
linux_version: 6.18.34
linux_sha256: 840c8de08267447a3bdd5fdd14496c7b70f1e7157d9feebac78fddfad37f623f
linux_sha512: 3eb8bcdea2c88daa98c032e18dbcc5421b8777725969dd00fe628f984a9f97aedef42c826e7e66ef32a4596bc1ce731f52150fd002ed836567ca8ca8c474c5a2

# renovate: datasource=git-tags extractVersion=^libaio-(?<version>.*)$ depName=https://pagure.io/libaio.git
libaio_version: 0.3.113
Expand Down
31 changes: 31 additions & 0 deletions kernel/build/certs/blockcast-modsign.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIUQq5TYNefYpCAw4bm+NrDNZ28YMkwDQYJKoZIhvcNAQEL
BQAwRTEYMBYGA1UECgwPQmxvY2tjYXN0LCBJbmMuMSkwJwYDVQQDDCBCbG9ja2Nh
c3QgQU1UIE1vZHVsZSBTaWduaW5nIEtleTAeFw0yNjA2MjQwMjU2NTlaFw0zNjA2
MjEwMjU2NTlaMEUxGDAWBgNVBAoMD0Jsb2NrY2FzdCwgSW5jLjEpMCcGA1UEAwwg
QmxvY2tjYXN0IEFNVCBNb2R1bGUgU2lnbmluZyBLZXkwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDJ8d/6s1EXQOOZnHJs8s3NKlqDeyeTJ69t+OcsMjFx
xyuC1CMuaUg9wIeO6AWL2jKWNDE2M28lHNk43lq9brYJqx3zbnI32+hahAUiplfI
AwSE60Z1o7877szP+BrPAehMf51wPGjEBnFECCsAk/qrm4HCddMCbIADK82MCKpv
rVCzqhr6QwlGWUmZl5eyLrSu4wh3RKDxJVeBAKyTOfc8hjnFzb2sH/DvjDAGUzus
JUhtggCnoVshDSDlrRN7FMWqN6Vcmzx7mmyry0VY4nXmP6BGEg9ZGiEG4ZeEbCRQ
29CvV6fS2FvPo6vjxUuoJI7a1vYSpqunJ5l9cFO5g8UUjOxM86eWzgXSugLiI+Yb
hE9952D1bJdVT0Yyis6DaJFrJiFWmv9kqIKmZ82pwOCrgpgP356KfzS+rJv1ikr+
UjUfi/1HijqJS4YMcTrfzIyJsaSRQhynLSsRuMmOJBcdjL6aAN21zsgHA/7JYyHc
VXAxLO2QyGgzWwfvgtpd00SCjZeP4Ge3YhFE3tQUt6f4PrxeM0QiZR4icrkLjoin
sljWOldb4hllJ012sQ5/qtzyUQqKlXZZKj8deb5ISjNahnU68AAAHLfw3YxofWgv
FS0Tr0jDorb9UuOId4dwOeBioiZjm3EGG4P+N32DPcGNirewMzhs3IN5G3HIsy1N
QQIDAQABozwwOjAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU
xfRI1MRtUSbelUA2oqvfgHoUAIUwDQYJKoZIhvcNAQELBQADggIBADbHa31HIO5W
FB9NKT4sA4xKcgbi/MKX4m+2m3Ho1/TRmWmzoT7x1wAsNwo7d/qPFxMTM4d6Tukf
+/0YjbWoi0HqwF7TK0lf+DmxBza1XfYhI+5gq09QwxXyOIcFl3wNv/TqZ8qkLeWb
1Sg5Qo1Icpo1OGyVTW0+ME1i7jjktEtDBnj7yv3XriRvKTK0LHRG6xKctZs5KPT9
oz8ySvAySWuQzSIjaVFfYVL4w/0CbVSxMe0Vb4jGXmUvDqAW/DiQZpfKEUFuEW1v
jBdvvDts5ZYvTBcPJhoLMYHuCQXKiOVnFNknUzHGRp5ovoU4Uzc01wvE6fUBbw2m
j2gkiKqVxRJYkMtNc5CniK+MLTWebaMD6PlMB7GodzTLTCyJ7pbQDhuIUtYVjKOV
thnB/b8IE29dNWk46rud53cqLVdykP2dVVhaOtEpZ7YW9isikkrvBjqb1HnKbgM1
WQ92W2HzKQSOa7W3Gu3FtqK9D+FUEp8qoN/eINE/uBQ31NWnLs1fWcFPxuZnikL0
+uxxJgGeHlif/vnuaWQK8g39qQPjOuHstDlcmNtvle5PiTFZL6P6OXEXpv0WniHf
fNiZvF0KoswwNZLYcqNABZcTElb2MEjplsFwcN57HeFhPKbuIEde6DXRgZilp0Md
932YbN2Zpg/n5uvo2pmphHmJi2fO5lhc
-----END CERTIFICATE-----
Loading
Loading