| Message ID | 288fcc10dbcbdab1c33ebfb95bedf2366ba64122.1729760501.git.javi.merino@cloud.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | automation: Refresh the remaining Debian containers | expand |
On 24/10/2024 11:04 am, Javi Merino wrote: > Rework the container to use heredocs for readability, and use > apt-get --no-install-recommends to keep the size down. > > This reduces the size of the (uncompressed) container from 3.44GB to 1.67GB. !! > > Signed-off-by: Javi Merino <javi.merino@cloud.com> > --- > automation/build/debian/12-x86_64.dockerfile | 68 ++++++++++++++++++++ > automation/build/debian/bookworm.dockerfile | 57 ---------------- > automation/gitlab-ci/build.yaml | 20 +++--- > automation/gitlab-ci/test.yaml | 14 ++-- > automation/scripts/containerize | 2 +- > 5 files changed, 86 insertions(+), 75 deletions(-) > create mode 100644 automation/build/debian/12-x86_64.dockerfile > delete mode 100644 automation/build/debian/bookworm.dockerfile > > diff --git a/automation/build/debian/12-x86_64.dockerfile b/automation/build/debian/12-x86_64.dockerfile > new file mode 100644 > index 000000000000..e0ca8b7e9c91 > --- /dev/null > +++ b/automation/build/debian/12-x86_64.dockerfile > @@ -0,0 +1,68 @@ > +# syntax=docker/dockerfile:1 > +FROM --platform=linux/amd64 debian:bookworm > +LABEL maintainer.name="The Xen Project" \ > + maintainer.email="xen-devel@lists.xenproject.org" This wants to become two LABEL lines. > + > +ENV DEBIAN_FRONTEND=noninteractive > + > +# build depends > +RUN <<EOF > +#!/bin/bash > + set -eu Doesn't this need a `useradd --create-home user` here? [Edit] Oh, no, because of the script change. In which case can you note this in the commit message and says a root container for now, until some other CI scripts can be adjusted. > + > + apt-get update apt-get -y > + DEPS=( > + # Xen > + bison > + build-essential > + checkpolicy > + clang > + flex > + > + # Tools (general) > + ca-certificates Interestingly, we've gained ca-certificates and dropped apt-transport-https. ca-certificates is a side effect of --no-install-recommends, so is fine. I recall there being a specific reason why we needed apt-transport-https, but I can't recall why exactly. Something about the LetsEncrypt Cert used by xenbits IIRC. Anthony - do you remember? > + expect Expect is only for the test phase, so should move later. > + git-core > + libnl-3-dev libnl-3-dev should be down in the #libxl section. It's only for COLO support. > + pkg-config > + wget > + # libxenguest dombuilder > + liblzma-dev > + zlib1g-dev This is also fun. In Ubuntu, I've got: libbz2-dev libzstd-dev liblzo2-dev liblzma-dev zlib1g-dev which I think is all the algorithms we support in libxenguest. Any decompressor which we don't find a suitable devel package gets the hypervisor form instead. > + # To build the documentation > + pandoc I know we had pandoc before, but I'd like to drop it. I'm intending to turn off docs generally, and do them separately in a single job that has *all* the docs build dependencies, not a misc subset that the build system happens not to complain at. I'm on the fence about the Qemu build things. It's off by default now, but the container never previously had meson/ninja so it wouldn't have built either. Perhaps leave them out until someone complains. One thing you did drop which probably wants to stay is golang. We have golang bindings for libxl which (like Ocaml) are built conditionally on finding the toolchain. ~Andrew
On Thu, Oct 24, 2024 at 03:04:10PM +0100, Andrew Cooper wrote: > On 24/10/2024 11:04 am, Javi Merino wrote: > > Rework the container to use heredocs for readability, and use > > apt-get --no-install-recommends to keep the size down. > > > > This reduces the size of the (uncompressed) container from 3.44GB to 1.67GB. > > !! > > > > > Signed-off-by: Javi Merino <javi.merino@cloud.com> > > --- > > automation/build/debian/12-x86_64.dockerfile | 68 ++++++++++++++++++++ > > automation/build/debian/bookworm.dockerfile | 57 ---------------- > > automation/gitlab-ci/build.yaml | 20 +++--- > > automation/gitlab-ci/test.yaml | 14 ++-- > > automation/scripts/containerize | 2 +- > > 5 files changed, 86 insertions(+), 75 deletions(-) > > create mode 100644 automation/build/debian/12-x86_64.dockerfile > > delete mode 100644 automation/build/debian/bookworm.dockerfile > > > > diff --git a/automation/build/debian/12-x86_64.dockerfile b/automation/build/debian/12-x86_64.dockerfile > > new file mode 100644 > > index 000000000000..e0ca8b7e9c91 > > --- /dev/null > > +++ b/automation/build/debian/12-x86_64.dockerfile > > @@ -0,0 +1,68 @@ > > +# syntax=docker/dockerfile:1 > > +FROM --platform=linux/amd64 debian:bookworm > > +LABEL maintainer.name="The Xen Project" \ > > + maintainer.email="xen-devel@lists.xenproject.org" > > This wants to become two LABEL lines. Yes, Anthony pointed it out in another patch. I have fixed all the dockerfiles in these series. > > + > > +ENV DEBIAN_FRONTEND=noninteractive > > + > > +# build depends > > +RUN <<EOF > > +#!/bin/bash > > + set -eu > > Doesn't this need a `useradd --create-home user` here? > > [Edit] Oh, no, because of the script change. In which case can you note > this in the commit message and says a root container for now, until some > other CI scripts can be adjusted. I put it in the cover letter. I'll add it to the commit message as well. > > + > > + apt-get update > > apt-get -y apt-get update refreshes the package lists. -y doesn't do anything here. It is needed for "apt-get install" below but not for apt-get update. It would be needed for "apt-get upgrade", but we don't. > > + DEPS=( > > + # Xen > > + bison > > + build-essential > > + checkpolicy > > + clang > > + flex > > + > > + # Tools (general) > > + ca-certificates > > Interestingly, we've gained ca-certificates and dropped apt-transport-https. ca-certificates is needed for curl, wget or anything that tries to validate tls certificates. It is a Recommends of libcurl, as curl by default validates the ca certificate of https servers. > ca-certificates is a side effect of --no-install-recommends, so is > fine. I recall there being a specific reason why we needed > apt-transport-https, but I can't recall why exactly. Something about > the LetsEncrypt Cert used by xenbits IIRC. I dropped apt-transport-https because it doesn't make sense to have it. apt-transport-https allows apt to access package repositories over https, but we were installing alongside all the other packages. apt is never used again, so giving it the ability to install packages over https is pointless. > Anthony - do you remember? > > > > + expect > > Expect is only for the test phase, so should move later. I put it here because ./configure checks for it. > > + git-core > > + libnl-3-dev > > libnl-3-dev should be down in the #libxl section. It's only for COLO > support. Moved. > > + pkg-config > > + wget > > + # libxenguest dombuilder > > + liblzma-dev > > + zlib1g-dev > > This is also fun. In Ubuntu, I've got: > > libbz2-dev > libzstd-dev > liblzo2-dev > liblzma-dev > zlib1g-dev > > which I think is all the algorithms we support in libxenguest. I did this in the arm64v8 container and forgot to do it here. Fixed now. > Any decompressor which we don't find a suitable devel package gets the > hypervisor form instead. > > > + # To build the documentation > > + pandoc > > I know we had pandoc before, but I'd like to drop it. > > I'm intending to turn off docs generally, and do them separately in a > single job that has *all* the docs build dependencies, not a misc subset > that the build system happens not to complain at. I had the "build the docs as its own job" in my TODO list and was going to drop pandoc from this dockerfile then. I can remove pandoc in this commit if you prefer. > I'm on the fence about the Qemu build things. It's off by default now, > but the container never previously had meson/ninja so it wouldn't have > built either. Perhaps leave them out until someone complains. I thought I had removed them. Is there anything else that needs to go? > One thing you did drop which probably wants to stay is golang. We have > golang bindings for libxl which (like Ocaml) are built conditionally on > finding the toolchain. Gah. Another one that I did in the arm64 container that I forgot to move here. I will add golang-go in the next version of the series. Thanks, Javi
On 24/10/2024 4:10 pm, Javi Merino wrote: > On Thu, Oct 24, 2024 at 03:04:10PM +0100, Andrew Cooper wrote: >> On 24/10/2024 11:04 am, Javi Merino wrote: >>> + >>> + apt-get update >> apt-get -y > apt-get update refreshes the package lists. -y doesn't do anything > here. It is needed for "apt-get install" below but not for > apt-get update. It would be needed for "apt-get upgrade", but > we don't. Hmm ok. We might want to adjust the others to match then. > >>> + DEPS=( >>> + # Xen >>> + bison >>> + build-essential >>> + checkpolicy >>> + clang >>> + flex >>> + >>> + # Tools (general) >>> + ca-certificates >> Interestingly, we've gained ca-certificates and dropped apt-transport-https. > ca-certificates is needed for curl, wget or anything that tries to > validate tls certificates. It is a Recommends of libcurl, as > curl by default validates the ca certificate of https servers. > >> ca-certificates is a side effect of --no-install-recommends, so is >> fine. I recall there being a specific reason why we needed >> apt-transport-https, but I can't recall why exactly. Something about >> the LetsEncrypt Cert used by xenbits IIRC. > I dropped apt-transport-https because it doesn't make sense to have > it. apt-transport-https allows apt to access package repositories over https, > but we were installing alongside all the other packages. apt is never > used again, so giving it the ability to install packages over https is > pointless. That is, as they say, an assumption. fe746c26c0d2 ("automation/gitlab: add https transport support to Debian images") Although, subsequently the use of apt.llvm.org was removed: a6b1e2b80fe2 ("automation: Remove clang-8 from Debian unstable container") 7a2983757216 ("CI: Remove llvm-8 from the Debian Stretch container") So I guess we're back to being ok without it. >>> + expect >> Expect is only for the test phase, so should move later. > I put it here because ./configure checks for it. It does? That's not necessary/expected. >> Any decompressor which we don't find a suitable devel package gets the >> hypervisor form instead. >> >>> + # To build the documentation >>> + pandoc >> I know we had pandoc before, but I'd like to drop it. >> >> I'm intending to turn off docs generally, and do them separately in a >> single job that has *all* the docs build dependencies, not a misc subset >> that the build system happens not to complain at. > I had the "build the docs as its own job" in my TODO list and was > going to drop pandoc from this dockerfile then. I can remove pandoc > in this commit if you prefer. Dropping packages from existing containers is complicated, because the container (name) is shared with prior branches. You have to wait until the oldest version of Xen which still uses the package leaves testing (== leaves security support, == 3y), or we've backported changes to all branches to drop the dependency. The rename here gives us leeway because this change won't clobber any older branches in Xen, but I don't want to set the precedent. > >> I'm on the fence about the Qemu build things. It's off by default now, >> but the container never previously had meson/ninja so it wouldn't have >> built either. Perhaps leave them out until someone complains. > I thought I had removed them. Is there anything else that needs to > go? These containers are both for CI and human use, so "what happens in CI" isn't the only consideration. But, given that Qemu didn't build in the old container anyway, I'm not overly fussed about keeping it working in the new container. So yes, please keep the deps removed. We can always add them back in later. ~Andrew
diff --git a/automation/build/debian/12-x86_64.dockerfile b/automation/build/debian/12-x86_64.dockerfile new file mode 100644 index 000000000000..e0ca8b7e9c91 --- /dev/null +++ b/automation/build/debian/12-x86_64.dockerfile @@ -0,0 +1,68 @@ +# syntax=docker/dockerfile:1 +FROM --platform=linux/amd64 debian:bookworm +LABEL maintainer.name="The Xen Project" \ + maintainer.email="xen-devel@lists.xenproject.org" + +ENV DEBIAN_FRONTEND=noninteractive + +# build depends +RUN <<EOF +#!/bin/bash + set -eu + + apt-get update + DEPS=( + # Xen + bison + build-essential + checkpolicy + clang + flex + + # Tools (general) + ca-certificates + expect + git-core + libnl-3-dev + pkg-config + wget + # libxenguest dombuilder + liblzma-dev + zlib1g-dev + # libacpi + acpica-tools + # libxl + uuid-dev + libyajl-dev + # RomBIOS + bcc + bin86 + # xentop + libncurses5-dev + # Python bindings + python3-dev + python3-setuptools + # Ocaml bindings/oxenstored + ocaml-nox + ocaml-findlib + # To build the documentation + pandoc + + # for test phase, qemu-smoke-* jobs + qemu-system-x86 + + # for qemu-alpine-x86_64-gcc + busybox-static + cpio + + # For *-efi jobs + ovmf + ) + + apt-get -y --no-install-recommends install "${DEPS[@]}" + + rm -rf /var/lib/apt/lists* +EOF + +USER root +WORKDIR /build diff --git a/automation/build/debian/bookworm.dockerfile b/automation/build/debian/bookworm.dockerfile deleted file mode 100644 index 72e01aa58b55..000000000000 --- a/automation/build/debian/bookworm.dockerfile +++ /dev/null @@ -1,57 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM --platform=linux/amd64 debian:bookworm -LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -ENV DEBIAN_FRONTEND=noninteractive -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apt-get update && \ - apt-get --quiet --yes install \ - build-essential \ - zlib1g-dev \ - libncurses5-dev \ - python3-dev \ - python3-setuptools \ - uuid-dev \ - libyajl-dev \ - libaio-dev \ - libglib2.0-dev \ - clang \ - libpixman-1-dev \ - pkg-config \ - flex \ - bison \ - acpica-tools \ - bin86 \ - bcc \ - liblzma-dev \ - libnl-3-dev \ - ocaml-nox \ - libfindlib-ocaml-dev \ - markdown \ - transfig \ - pandoc \ - checkpolicy \ - wget \ - git \ - nasm \ - gnupg \ - apt-transport-https \ - golang \ - # for test phase, qemu-smoke-* jobs - qemu-system-x86 \ - expect \ - # For *-efi jobs - ovmf \ - # for test phase, qemu-alpine-* jobs - cpio \ - busybox-static \ - && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml index 09dd9e6ccbd0..eb2c23619a2c 100644 --- a/automation/gitlab-ci/build.yaml +++ b/automation/gitlab-ci/build.yaml @@ -341,15 +341,15 @@ alpine-3.18-gcc-debug: CONTAINER: alpine:3.18 BUILD_QEMU_XEN: y -debian-bookworm-gcc-debug: +debian-12-x86_64-gcc-debug: extends: .gcc-x86-64-build-debug variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 -debian-bookworm-clang-debug: +debian-12-x86_64-clang-debug: extends: .clang-x86-64-build-debug variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 debian-12-ppc64le-gcc-debug: extends: .gcc-ppc64le-cross-build-debug @@ -553,20 +553,20 @@ debian-12-x86_64-gcc-ibt: EXTRA_FIXED_RANDCONFIG: | CONFIG_XEN_IBT=y -debian-bookworm-clang: +debian-12-x86_64-clang: extends: .clang-x86-64-build variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 -debian-bookworm-gcc: +debian-12-x86_64-gcc: extends: .gcc-x86-64-build variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 -debian-bookworm-gcc-randconfig: +debian-12-x86_64-gcc-randconfig: extends: .gcc-x86-64-build variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 RANDCONFIG: y debian-bookworm-32-clang-debug: diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml index e76a37bef32d..0812ddb42d9b 100644 --- a/automation/gitlab-ci/test.yaml +++ b/automation/gitlab-ci/test.yaml @@ -43,7 +43,7 @@ .qemu-x86-64: extends: .test-jobs-common variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 LOGFILE: qemu-smoke-x86-64.log artifacts: paths: @@ -155,7 +155,7 @@ build-each-commit-gcc: extends: .test-jobs-common variables: - CONTAINER: debian:bookworm + CONTAINER: debian:12-x86_64 XEN_TARGET_ARCH: x86_64 CC: gcc script: @@ -461,35 +461,35 @@ qemu-smoke-x86-64-gcc: script: - ./automation/scripts/qemu-smoke-x86-64.sh pv 2>&1 | tee ${LOGFILE} needs: - - debian-bookworm-gcc-debug + - debian-12-x86_64-gcc-debug qemu-smoke-x86-64-clang: extends: .qemu-smoke-x86-64 script: - ./automation/scripts/qemu-smoke-x86-64.sh pv 2>&1 | tee ${LOGFILE} needs: - - debian-bookworm-clang-debug + - debian-12-x86_64-clang-debug qemu-smoke-x86-64-gcc-pvh: extends: .qemu-smoke-x86-64 script: - ./automation/scripts/qemu-smoke-x86-64.sh pvh 2>&1 | tee ${LOGFILE} needs: - - debian-bookworm-gcc-debug + - debian-12-x86_64-gcc-debug qemu-smoke-x86-64-clang-pvh: extends: .qemu-smoke-x86-64 script: - ./automation/scripts/qemu-smoke-x86-64.sh pvh 2>&1 | tee ${LOGFILE} needs: - - debian-bookworm-clang-debug + - debian-12-x86_64-clang-debug qemu-smoke-x86-64-gcc-efi: extends: .qemu-smoke-x86-64 script: - ./automation/scripts/qemu-smoke-x86-64-efi.sh pv 2>&1 | tee ${LOGFILE} needs: - - debian-bookworm-gcc-debug + - debian-12-x86_64-gcc-debug qemu-smoke-riscv64-gcc: extends: .qemu-riscv64 diff --git a/automation/scripts/containerize b/automation/scripts/containerize index 6ac02c42d124..ea6e1a9b18f4 100755 --- a/automation/scripts/containerize +++ b/automation/scripts/containerize @@ -34,7 +34,7 @@ case "_${CONTAINER}" in _bullseye-riscv64) CONTAINER="${BASE}/debian:11-riscv64" ;; _bookworm-riscv64) CONTAINER="${BASE}/debian:12-riscv64" ;; _bookworm-x86_64-gcc-ibt) CONTAINER="${BASE}/debian:12-x86_64-gcc-ibt" ;; - _bookworm|_) CONTAINER="${BASE}/debian:bookworm" ;; + _bookworm|_bookworm-x86_64|_) CONTAINER="${BASE}/debian:12-x86_64" ;; _bookworm-i386) CONTAINER="${BASE}/debian:bookworm-i386" ;; _bookworm-arm64v8-arm32-gcc) CONTAINER="${BASE}/debian:bookworm-arm64v8-arm32-gcc" ;; _bookworm-arm64v8) CONTAINER="${BASE}/debian:bookworm-arm64v8" ;;
Rework the container to use heredocs for readability, and use apt-get --no-install-recommends to keep the size down. This reduces the size of the (uncompressed) container from 3.44GB to 1.67GB. Signed-off-by: Javi Merino <javi.merino@cloud.com> --- automation/build/debian/12-x86_64.dockerfile | 68 ++++++++++++++++++++ automation/build/debian/bookworm.dockerfile | 57 ---------------- automation/gitlab-ci/build.yaml | 20 +++--- automation/gitlab-ci/test.yaml | 14 ++-- automation/scripts/containerize | 2 +- 5 files changed, 86 insertions(+), 75 deletions(-) create mode 100644 automation/build/debian/12-x86_64.dockerfile delete mode 100644 automation/build/debian/bookworm.dockerfile