Build_sysext script to enable sysext builds in the OS image build process #920

Merged
pothos merged 1 commit into flatcar:main from krishjainx:sysext-internship on Jul 4, 2023
@krishjainx
Contributor

krishjainx commented Jun 14, 2023

Build_sysext script to enable sysext builds in the OS image build process

Included a script to enable generating systemd-sysexts. Successfully tested sysext generation (manually; script refinement in progress) with a fresh Flatcar image (e.g., Python and Neofetch system extension). Part of my internship work.

Link to the related issue: Flatcar Issue #1052.

How to use

The current OS images we provide are not OK as a base for Flatcar-specific sysext images: they lack the package metadata and Portage configuration, in order to keep the end-user OS image clean. This script retains this information and allows you to produce systemd-sysexts to extend the system. This script can be used to build a Flatcar sysext image. Recommended to run from the image build folder.

sudo build_sysext --board=amd64-usr command-extras package_1 package_2 package_3 - builds sysext named python-sysext with package_1, package_2 and package_3 within it for amd64 architecture.
sudo build_sysext --board=arm64-usr command-extras package_1 package_2 package_3 - builds sysext named python-sysext with package_1, package_2 and package_3 within it for arm64 architecture.

Testing done

I have built multiple sysext images using the script and have been able to successfully extend a fresh upstream Flatcar image with packages such as Python, Neofetch, etc. I provided a Butane configuration similar to the one below, transpiled it to Ignition, and booted with it. I received a review and advice on how to make the script more robust and meet the demands of the Flatcar team.

variant: flatcar
version: 1.0.0
storage:
  files:
    - path: /etc/extensions/python.raw
      mode: 0644
      contents:
        source: https://0x0.st/HQpJ.raw

Notes:

A problem with installing regular packages is that in many cases the software won't correctly work because only /usr is added. Files on /etc will be missing and the approach in the Azure OEM was that we ship the needed files in the sysext and then set up symlinks before, e.g., a service starts (We could build a confext in the future but this doesn't work now). Also, files in /var will be missing. For some of these files there might be tmpfile directives but they won't get executed on load. Finally, the services that use .wants symlinks to be enabled would currently work because we have deployed a workaround but we plan to drop this because the recommended way is to use Upholds= instead of Wants= (currently through drop-ins for the multi-user target but in systemd 254 it should work to use .upholds symlinks). In summary, we need some postprocessing for some scenarios and call out what won't work for the rest.

"I think this should be addressed to some degree by the --manglefs_script option" - @krnowak

Edit: A great use case for this would be to build a Docker and containerd sysext to replace torcx.
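
The Butane configuration in the description above downloads the sysext image with no integrity check, so whatever the URL serves at boot is what gets merged into /usr. As an added example (not part of the PR or of the Flatcar scripts repository), this helper emits the same configuration with a verification hash taken from the locally built image; butane_sysext_entry, sha512_of and the URL in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: pin the sysext image that Ignition downloads to a SHA-512 digest.
# butane_sysext_entry and sha512_of are hypothetical helper names.

# Print the SHA-512 digest of a file as lowercase hex.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# butane_sysext_entry IMAGE URL
# Emits a Butane config that places the image in /etc/extensions and makes
# Ignition reject the download if it does not match the local image.
butane_sysext_entry() {
    image=$1
    url=$2
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    digest=$(sha512_of "$image") || return 1
    cat <<EOF
variant: flatcar
version: 1.0.0
storage:
  files:
    - path: /etc/extensions/$(basename "$image")
      mode: 0644
      contents:
        source: $url
        verification:
          hash: sha512-$digest
EOF
}

# Usage (placeholder URL):
#   butane_sysext_entry python.raw https://example.com/python.raw > config.bu
```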

@t-lo t-lo requested a review from pothos June 15, 2023 11:53
@pothos
Member

pothos commented Jun 15, 2023

A problem with installing regular packages is that in many cases the software won't correctly work because only /usr is added.
Files on /etc will be missing and the approach in the Azure OEM was that we ship the needed files in the sysext and then set up symlinks before, e.g., a service starts (We could build a confext in the future but this doesn't work now).
Also, files in /var will be missing. For some of these files there might be tmpfile directives but they won't get executed on load.
Finally, the services that use .wants symlinks to be enabled would currently work because we have deployed a workaround but we plan to drop this because the recommended way is to use Upholds= instead of Wants= (currently through drop-ins for the multi-user target but in systemd 254 it should work to use .upholds symlinks).
In summary, we need some postprocessing for some scenarios and call out what won't work for the rest.

Edit: A great use case for this would be to build a Docker and containerd sysext to replace torcx.
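
The failure modes listed in the comment above (files outside /usr, tmpfiles.d entries that are not run on load, units enabled through .wants symlinks) can be checked on the unpacked staging tree before it is packed into an image. This is an added example, not code from the PR or the Flatcar scripts repository; audit_sysext_root and its finding labels are hypothetical names.

```shell
#!/bin/sh
# Added example: audit an unpacked sysext staging tree before it is packed.
# audit_sysext_root and the finding labels are hypothetical names.

# audit_sysext_root DIR
# Prints one finding per line (sorted); prints nothing for a clean tree.
audit_sysext_root() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    (
        cd "$root" || exit 2
        # Only /usr is overlaid (systemd-sysext also handles /opt); any other
        # top-level entry, such as etc or var, is absent on the running host.
        for entry in * .[!.]*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            case $entry in
                usr|opt) ;;
                *) echo "NOT-MERGED /$entry" ;;
            esac
        done
        [ -d usr ] || exit 0
        # tmpfiles.d snippets are shipped but not executed when the sysext loads.
        find usr/lib/tmpfiles.d -type f -name '*.conf' 2>/dev/null |
            sed 's|^|TMPFILES-NOT-RUN /|'
        # .wants symlinks rely on a workaround; Upholds= drop-ins are preferred.
        find usr -type l -path '*.wants/*' | sed 's|^|WANTS-SYMLINK /|'
    ) | sort
}
```

Each NOT-MERGED or TMPFILES-NOT-RUN finding marks something that needs postprocessing, for example through the --manglefs_script option mentioned in this thread.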

@github-actions

github-actions bot commented Jun 15, 2023

Build action triggered: https://github.com/flatcar/scripts/actions/runs/5424483460

@krishjainx krishjainx marked this pull request as ready for review June 19, 2023 22:41
@jepio
Member

jepio commented Jun 21, 2023

@krishjainx
can you paste a log showing the output you see when you execute ./build_sysext (with whatever package you're testing with)?

Please try running the build two times in a row to make sure things don't break when this is done.

@jepio
Member

jepio commented Jun 26, 2023

Could you also make the script executable with chmod?

@krishjainx krishjainx requested review from jepio, pothos and t-lo June 26, 2023 11:00
@t-lo
Member

t-lo commented Jun 29, 2023

The build looks good, tests are successful with a single failure that can be explained.
The devcontainer tests are failing for systemd-nspawn and docker on both archs; the tests break in emerge_gitclone with:

Cloning into '/var/lib/portage/scripts'...
error: pathspec '285cff6c98' did not match any file(s) known to git

Pathspec cannot be found because the upstream scripts repo was cloned by emerge_gitclone but this PR uses a fork.

@krishjainx
Contributor Author

Could you review? @pothos @jepio Thanks!

Member

@pothos pothos left a comment

@krishjainx
Contributor Author

This and squash the commits

@krnowak
Member

krnowak commented Jun 29, 2023

I'd like to make a review before merging this, please.

@krishjainx krishjainx temporarily deployed to development June 29, 2023 12:29 — with GitHub Actions Inactive
@krnowak
Member

krnowak commented Jun 29, 2023

A problem with installing regular packages is that in many cases the software won't correctly work because only /usr is added. Files on /etc will be missing and the approach in the Azure OEM was that we ship the needed files in the sysext and then set up symlinks before, e.g., a service starts (We could build a confext in the future but this doesn't work now). Also, files in /var will be missing. For some of these files there might be tmpfile directives but they won't get executed on load. Finally, the services that use .wants symlinks to be enabled would currently work because we have deployed a workaround but we plan to drop this because the recommended way is to use Upholds= instead of Wants= (currently through drop-ins for the multi-user target but in systemd 254 it should work to use .upholds symlinks). In summary, we need some postprocessing for some scenarios and call out what won't work for the rest.

Edit: A great use case for this would be to build a Docker and containerd sysext to replace torcx.

I think this should be addressed to some degree by the --manglefs_script option.

@krishjainx krishjainx requested review from krnowak and pothos June 29, 2023 15:47
@krishjainx
Contributor Author

Squashed 🐛 s and squashed commits

@krishjainx krishjainx temporarily deployed to development June 29, 2023 19:00 — with GitHub Actions Inactive
@krnowak
Member

krnowak commented Jun 30, 2023

I'm currently trying to use this script to build OEM sysexts, just to see if we can do it. I think I'll want more changes, mostly related to the BUILD_DIR stuff. You can see my branch here: https://github.com/flatcar/scripts/commits/krnowak/test-new-oem-script (ignore the fact that the commits are made by Flatcar Buildbot, apparently I messed up my git config :) ). The changes in the script that I have made are here: 72d2b62

@krishjainx
Contributor Author

krishjainx commented Jun 30, 2023 via email

@krnowak
Member

krnowak commented Jun 30, 2023

Ok cool. Just these changes?

I think I'll let you know on Monday - the build is currently running on our Jenkins instance.

@krishjainx
Contributor Author

krishjainx commented Jun 30, 2023 via email

@krishjainx krishjainx requested a review from krnowak July 3, 2023 09:42
@krishjainx krishjainx requested review from krnowak and pothos July 3, 2023 20:27
Included a script to enable generating systemd-sysexts. Successfully
tested sysext generation with a fresh Flatcar image (e.g., Python and
Neofetch system extension). Part of my internship work.

The current OS images we provide are not OK as a base for Flatcar-specific
sysext images: they lack the package metadata and Portage configuration,
in order to keep the end-user OS image clean. This script retains this
information and allows you to produce systemd-sysexts to extend the
system. This script can be used to build a Flatcar sysext image.
Recommended to run from the image build folder.

Signed-off-by: Krish Jain <kjain7@u.rochester.edu>
5 participants