Add OSTree output and remove signed image

.github/workflows/build-iso.yml → .github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Build ISO Image
+name: Build filesystem and export to OSTree
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  build-iso:
+  build:
     # https://runs-on.com/configuration/job-labels/
     # https://aws.amazon.com/ec2/instance-types/
     runs-on:
@@ -92,10 +92,9 @@ jobs:
                 client-key: $(pwd)/client.key
           EOF
 
-      - name: Generate secure boot keys
+      - name: Generate development-only OSTree signing key (temporary)
         run: |
-          make -C files/boot-keys clean
-          make -C files/boot-keys IMPORT_MODE=snakeoil
+          make ostree-gpg
 
       - name: Enable unprivileged userns
         run: |
@@ -106,7 +105,8 @@ jobs:
         with:
           sccache: s3
       - uses: mozilla-actions/[email protected]
-      - name: Build ISO image
+      - name: Build filesystem and export to OSTree repo
         run: |
           source venv/bin/activate
-          bst build gnome-build-meta.bst:iso/image.bst
+          make files/ostree-config/eos.gpg
+          bst build eos/repo.bst

.gitignore

@@ -8,31 +8,16 @@
 # Never commit project.refs
 project.refs
 
-# Produced by the gnomeos build scripts
+# Produced by the local development helpers
 ostree-gpg/
 ostree-repo/
+files/ostree-config/eos.gpg
 
 **/*.DS_STORE
 logs/
 *.img
 
-# Ignore the default checkout directory
+# Ignore the working directories
 checkout/
-
-files/boot-keys/*.key
-files/boot-keys/*.crt
-files/boot-keys/*.pem
-files/boot-keys/modules/*.crt
-files/boot-keys/extra-db/*.crt
-files/boot-keys/extra-db/*.owner
-files/boot-keys/extra-db-mic/*.crt
-files/boot-keys/extra-db-mic/*.owner
-files/boot-keys/extra-kek/*.crt
-files/boot-keys/extra-kek/*.owner
-files/boot-keys/extra-kek-mic/*.crt
-files/boot-keys/extra-kek-mic/*.owner
-files/boot-keys/import-pubring.gpg
-files/boot-keys/private-key/
-files/boot-keys/VENDOR.der
-current-secure-vm/
-secure-vm-repo/
+ostree-gpg/
+ostree-repo/

Makefile

@@ -0,0 +1,53 @@
+# This Makefile is a convenience tool to generate local-only OSTree signing keys
+# for the Endless OS build output. It's used only for the local development
+# workflow.
+#
+# See the README.md for intended use.
+#
+# These targets are based on the Makefile from Freedesktop SDK 24.08.22:
+# <https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/freedesktop-sdk-24.08.22/Makefile?ref_type=tags>
+
+BST=bst
+
+define OSTREE_GPG_CONFIG
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: Insecure OSTree signing key for local development use only.
+Expire-Date: 0
+%no-protection
+%commit
+%echo finished
+endef
+
+export OSTREE_GPG_CONFIG
+ostree-gpg:
+	rm -rf ostree-gpg.tmp
+	mkdir ostree-gpg.tmp
+	chmod 0700 ostree-gpg.tmp
+	echo "$${OSTREE_GPG_CONFIG}" >ostree-gpg.tmp/key-config
+	gpg --batch --homedir=ostree-gpg.tmp --generate-key ostree-gpg.tmp/key-config
+	gpg --homedir=ostree-gpg.tmp -k --with-colons | sed '/^fpr:/q;d' | cut -d: -f10 >ostree-gpg.tmp/default-id
+	mv ostree-gpg.tmp ostree-gpg
+
+files/ostree-config/eos.gpg: ostree-gpg
+	gpg --homedir=ostree-gpg --export --armor >"$@"
+
+OSTREE_BRANCH=eos-buildstream
+
+update-ostree: ostree-gpg files/ostree-config/eos.gpg
+	env BST="$(BST)" utils/update-repo.sh      \
+	  --gpg-homedir=ostree-gpg                 \
+	  --gpg-sign=$$(cat ostree-gpg/default-id) \
+	  --collection-id=com.endlessm.Os          \
+	  ostree-repo eos/repo.bst                 \
+	  $(OSTREE_BRANCH)
+
+ostree-repo:
+	$(MAKE) update-ostree
+
+ostree-serve: ostree-repo
+	utils/run-local-repo.sh
+
+.PHONY: ostree-repo update-ostree

README.md

@@ -11,29 +11,17 @@ project.
 
 ## Build outputs
 
-Some of the possible build outputs are documented below.
+All versions of Endless OS are deployed using OSTree.
 
-### Endless OS
+This repo contains one toplevel element, `eos/repo.bst` which outputs
+an artifact with an OSTree repo.
 
-To build the Endless OS "secure boot" image locally:
+The output is suitable for use with the existing Endless OS tooling,
+`eos-ostree-builder` and `eos-image-builder`, which respectively produce
+the final update trees and OS images.
 
-1. Generate keys:
-```
-$ make -C files/boot-keys clean
-$ make -C files/boot-keys
-```
-
-2. Build the disk image (first command) or the ISO installer (second command):
-```
-$ bst build gnome-build-meta.bst:gnomeos/image.bst
-$ bst build gnome-build-meta.bst:iso/image.bst
-```
-
-3. Checkout the image or installer:
-```
-$ bst artifact checkout gnome-build-meta.bst:gnomeos/image.bst --directory ./disk
-$ bst artifact checkout gnome-build-meta.bst:iso/image.bst --directory ./iso
-```
+The build and release workflows are implemented using Github Actions,
+in this repo.
 
 ## Maintaining
 
@@ -87,3 +75,35 @@ overriden be updated accordingly.
 
 If an element was overridden to backport some changes and there is nothing more
 to get from the junction, the junctioned element and its files can be removed.
+
+### Local builds
+
+It is possible to build and deploy development-only builds of Endless OS
+manually.
+
+You'll need to set up BuildStream with the necessary plugins and their
+dependencies.
+
+You can then use the Makefile to do the following:
+
+  * Create fake signing keys: `make ostree-gpg`
+  * Create/update a local OSTree repo from the `eos/repo.bst` element: `make ostree-repo`
+  * Serve the repo over HTTP: `make ostree-serve`
+
+On the target device, add an OSTree remote pointing to that machine.
+Here's an example of how to do this on the target device.  The GPG public key
+used this available in file: ``.
+
+    # Replace `server` with address or hostname of the machine serving the repo. 
+    sudo ostree remote add dev http://server:8000
+
+    # Paste in public key from `files/ostree-config/eos.gpg`, then CTRL-D.
+    sudo ostree remote gpg-import dev --stdin
+
+You can now pull and deploy the new tree as follows:
+
+    sudo ostree pull dev eos-buildstream
+    sudo ostree admin deploy eos-buildstream
+
+If the deploy succeeds, you can now reboot the target machine into your
+newly built OS.

elements/core/meta-gnome-core-apps.bst

@@ -19,5 +19,3 @@ depends:
 - gnome-build-meta.bst:core/nautilus.bst
 - gnome-build-meta.bst:core/simple-scan.bst
 - gnome-build-meta.bst:sdk/yelp.bst
-
-- eos/deps.bst

elements/eos/config/bash-config.bst

@@ -0,0 +1,34 @@
+# Based on `components/bash-config.bst` from Freedesktop SDK 24.08.22.
+#
+# Adapted to avoid installing files in `/root`, which is not the correct
+# place on an OSTree system.
+#
+# See also, an upstream issue in FDSDK discussing other ways to configure Bash:
+# <https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/issues/1875>.
+
+kind: manual
+description: |
+  Default user configuration for Bash shell.
+
+depends:
+- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst
+
+variables:
+  strip-binaries: ''
+
+config:
+  install-commands:
+  - install -Dm644 bashrc '%{install-root}%{sysconfdir}/bashrc'
+  - install -Dm644 profile '%{install-root}%{sysconfdir}/profile'
+  - install -Dm644 dot-profile '%{install-root}%{sysconfdir}/skel/.profile'
+  - install -Dm644 dot-bashrc '%{install-root}%{sysconfdir}/skel/.bashrc'
+
+sources:
+- kind: local
+  path: files/bash-config/profile
+- kind: local
+  path: files/bash-config/bashrc
+- kind: local
+  path: files/bash-config/dot-profile
+- kind: local
+  path: files/bash-config/dot-bashrc

elements/eos/config/ostree.bst

@@ -0,0 +1,47 @@
+# Adapted from `vm/config/ostree.bst` from Freedesktop SDK 24.08.22.
+
+kind: manual
+description: |
+  Root filesystem setup and OSTree configuration.
+
+build-depends:
+- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst
+- freedesktop-sdk.bst:components/m4.bst
+
+runtime-depends:
+- freedesktop-sdk.bst:components/systemd.bst
+- freedesktop-sdk.bst:components/ostree.bst
+
+variables:
+  strip-binaries: ''
+
+config:
+  install-commands:
+  - mkdir %{install-root}/boot
+  - mkdir %{install-root}/efi
+  - mkdir %{install-root}/etc
+  - mkdir %{install-root}/mnt
+  - mkdir %{install-root}/run
+  - mkdir %{install-root}/opt
+  - mkdir %{install-root}/sys
+  - mkdir %{install-root}/tmp
+  - mkdir %{install-root}/dev
+  - mkdir %{install-root}/proc
+
+  - mkdir -p "%{install-root}/sysroot"
+  - ln -s sysroot/ostree "%{install-root}/ostree"
+  # Though we use /var/home in /etc/passwd and this symlink should
+  # be useless removing this symlink breaks --filesystem=host on
+  # flatpak.
+  - ln -s var/home "%{install-root}/home"
+  - ln -s var/roothome "%{install-root}/root"
+  - ln -s run/media "%{install-root}/media"
+
+  - install -Dm644 -t "%{install-root}/usr/lib/tmpfiles.d" ostree.conf
+
+  # Public part of the OSTree signing key.
+  - install -Dm644 -t "%{install-root}/etc/pki/ostree" eos.gpg
+
+sources:
+- kind: local
+  path: files/ostree-config

elements/eos/config/sudo.bst

@@ -0,0 +1,19 @@
+kind: manual
+description: |
+  Configuration for `sudo`.
+
+depends:
+- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst
+- freedesktop-sdk.bst:components/sudo.bst
+
+variables:
+  strip-binaries: ''
+
+config:
+  install-commands:
+  - |
+    install -Dm644 -t "%{install-root}%{sysconfdir}/sudoers.d" sudo
+
+sources:
+- kind: local
+  path: files/sudo-config

elements/eos/deps.bst

@@ -1,10 +1,22 @@
 kind: stack
 description: |
-  Endless OS specific elements.
+  Top level stack that defines the contents of Endless OS.
 
-  All additions on top of the base GNOME OS image are listed in this stack.
+  This defines everything in the filesystem tree that is built by
+  BuildStream. Extra content can be injected later by `eos-image-builder`.
+  Endless OS specific elements.
 
 depends:
+# Low level OS elements.
+- eos/config/ostree.bst
+- freedesktop-sdk.bst:components/dracut.bst
+- freedesktop-sdk.bst:vm/boot/efi-ostree.bst
+
+# GNOME OS elements.
+- gnome-build-meta.bst:gnomeos-deps/deps.bst
+- gnome-build-meta.bst:gnomeos/os-release-user.bst
+
+# Endless additions to GNOME OS.
 - eos/eos-media.bst
 - eos/eos-meta.bst
 - eos/eos-theme.bst

elements/eos/filesystem.bst

@@ -0,0 +1,15 @@
+kind: compose
+description: |
+  Apply split-rules to the `eos/deps.bst` artifact.
+
+  The split-rules filter unwanted files from the system, such as development
+  headers and debug symbols.
+
+build-depends:
+- eos/deps.bst
+
+config:
+  exclude:
+  - debug
+  - devel
+  - doc

elements/eos/initial-scripts.bst

@@ -0,0 +1,12 @@
+kind: collect_initial_scripts
+description: |
+  Collects any `initial-script` public data set by elements in `deps.bst`.
+
+  This is written to a well-known location and used when preparing the
+  filesystem, for example with `files/vm/prepare-image.sh`.
+
+build-depends:
+- eos/deps.bst
+
+config:
+  path: /etc/fdsdk/initial_scripts