)]}' { "log": [ { "commit": "3ea707028e5f140b1a5186a7086c0089a70c8f9c", "tree": "f07f5a23d75445789a1cbb116e8ca30471106ab2", "parents": [ "544440b6c8603ddaa548add84a657c999feeec49" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 16:40:06 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 16:40:06 2019 +0200" }, "message": "Mount Bazel repository_cache, Go mod cache and Go build cache as volumes\n\nThis leaves us with only git_repository rules not being cached,\nthe worst offender being the edk2 recursive submodule clone.\n\nSee: https://github.com/bazelbuild/bazel/issues/5116\n\ngazelle\u0027s repo lookup (running `go list`) is also not cached, even if the\nrepositories themselves are.\n\nWe can eliminate most of the remaining rebuild time by mounting\nthe entire execroot, however, this is currently foiled by a podman bug\n(Bazel needs to execute lots of binaries inside the root):\n\nhttps://github.com/containers/libpod/issues/4318\n\nTest Plan:\nRan `bazel build scripts:launch`, recreated container, ran it again.\n\nBuild times decreased significantly:\n\n INFO: Elapsed time: 279.951s, Critical Path: 119.05s\n INFO: 477 processes: 476 linux-sandbox, 1 local.\n INFO: Build completed successfully, 497 total actions\n\nX-Origin-Diff: phab/D206\nGitOrigin-RevId: 2d17a7eeb5d8b70ad4e26c13a0c6b31c4edfb33f\n" }, { "commit": "2a2081cc8bdb0a04a1c5e4509ce5cb569f3ef110", "tree": "af2403c83ae163f1f512721b1c27643d21ab39b2", "parents": [ "7afd390eadf37eac58d4db8ad3751783c40bdf37" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 13:33:10 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 13:33:10 2019 +0200" }, "message": "Increase robustness of bazel wrapper script and remove repository_cache\n\nThis allows the wrapper script to be called from anywhere.\n\nThe repo cache does not actually work as expected since it does not\ncache most external dependencies we care about, and is not always a\nvalid command line argument, so we would either have to specify it\nin .bazelrc (breaking non-standard dev setups), or specify it manually.\n\nTest Plan: Ran the bazel wrapper from my home directory, got expected output.\n\nX-Origin-Diff: phab/D204\nGitOrigin-RevId: 74d09ba24fd84ba0dd6e1ba282995c452546eb25\n" }, { "commit": "7afd390eadf37eac58d4db8ad3751783c40bdf37", "tree": "73b7533e0ba991eb8f2d98ed58e4350ca4c8e394", "parents": [ "2983d7285fe019f943f1b722f26a0f2e959c5f80" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 12:16:57 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 12:16:57 2019 +0200" }, "message": "Use --privileged in Fedora container\n\nThis enables the namespace-based sandbox in Bazel.\n\nUsing `--privileged` isn\u0027t as dangerous as it looks, when used with podman in rootless mode (i.e. ran as unprivileged user), in which case it uses user namespaces.\n\nWe drop `--net\u003dhost`, which is not actually necessary.\n\nTest Plan:\n scripts/destroy_container.sh\n scripts/create_container.sh\n scripts/run_in_container.sh bazelisk build :swtpm_data\n\n This now fails properly when ran with the container:\n\n swtpm-localca: touch: cannot touch \u0027/var/lib/swtpm-localca/.lock.swtpm-localca\u0027: Read-only file system\n swtpm-localca: Error: Could not create lock file /var/lib/swtpm-localca/.lock.swtpm-localca.\n\nX-Origin-Diff: phab/D202\nGitOrigin-RevId: f51a831e7584cccf21860e9f18b73272a658f055\n" }, { "commit": "2983d7285fe019f943f1b722f26a0f2e959c5f80", "tree": "f6b5056682bef41597d02347dff0d523916d196f", "parents": [ "e28e1b3556feb786c71f161b357fcf6899e44c19" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 12:16:42 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Oct 23 12:16:42 2019 +0200" }, "message": "Improve Bazel Fedora build container handling and cache repository downloads\n\nAdds lifecycle management scripts for the dev container and a \"bazel\" wrapper script, which sets container-only startup options.\n\nReplaces /dev/null bind mounts by SELinux contexts for container breakup prevention, since newer podman versions managed to somehow break the ordering of mounts and mounting on top of a volume gives ENOENT. This requires a placeholder .arcconfig.\n\nOn Fedora, SELinux prevents the container from accessing /dev/kvm, which requires a custom policy (see rWa716c988d69e).\n\nDesign considerations:\n\n- The build cache is on a tmpfs. This avoids fuse-overlayfs overhead. If the container is recreated, we want to drop the build cache - Bazel does not track ambient dependencies, so we do not know if we need to rebuild anything (like after upgrading a compiler).\n\n- The repository cache contains just workspace dependencies and is mounted as a volume.\n\nThe repository caches does not work terribly well yet, we probably need to mount parts ~/.cache/bazel as well. podman always mounts volumes as noexec, so this is not as straight-forward as it looks.\n\nTest Plan:\nRan the commands from the README as my unprivileged workstation user.\nSmalltown was built and launched successfully.\n\nX-Origin-Diff: phab/D198\nGitOrigin-RevId: aff720d2862cdf5d1df67813d842d221d69a84c0\n" }, { "commit": "e28e1b3556feb786c71f161b357fcf6899e44c19", "tree": "4bc2b91b2e276c6e7ee4131ab0c76eec4ec391fa", "parents": [ "5c80acaec733e0b7c43cb0584cdeb7cebc826aa9" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Oct 22 19:20:34 2019 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Oct 22 19:20:34 2019 +0200" }, "message": "Fix Bazel on properly sandboxed execution\n\nTest Plan: Tested by launching VM\n\nX-Origin-Diff: phab/D199\nGitOrigin-RevId: d27f09e62067082ca0d6f40510c851752094b481\n" }, { "commit": "5c80acaec733e0b7c43cb0584cdeb7cebc826aa9", "tree": "f7db6de47e4ef38599da89dd4f1082c65569ca03", "parents": [ "a71b5a4c36d5cae089666eaad57514c64baf6f24" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Oct 22 15:48:58 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Oct 22 15:48:58 2019 +0200" }, "message": "Replace build system with a Bazel-based one\n\nThis pins our external dependencies and introduces a mostly-hermetic build where all dependencies are explicitly declared and rebuilt if needed.\n\nNecessary prerequite for a proper CI workflow. Since Bazel can cache build artifacts, we can remove the hardcoded binary artifacts from the repo.\n\nAs suggested in our discussions, the genrule that builds mkfs.xfs is basically doing the same as the previous build_artifacts.sh script (see source code comments for rationale).\n\nThe main issue at this point is that the `build/linux_kernel:image` target rebuilds the kernel each time any of its inputs (like cmd/init)\nchange. This is very hard to fix without compromising on hermeticity, porting kbuild to Bazel (no thanks) or injecting the initramfs into the\nkernel image in a separate rule (might just work, but the kernel build rule would either have custom code, or a massive set of outputs).\n\nPerhaps we could use a separate initramfs for development? Or deliberately poke holes into Bazel\u0027s sandbox to reuse kernel build?\n\nTest Plan:\nRun this in a fresh container with empty Bazel cache:\n\n bazelisk run scripts:launch\n\n... and watch as Bazel rebuilds the world.\n\nX-Origin-Diff: phab/D197\nGitOrigin-RevId: 21eea0e213a50e1c4ad25b2ac2bb87c53e36ea6d\n" }, { "commit": "67f9d096fb66d9f9298542d98d128a42b9d43695", "tree": "cb548c7e7a63df850302f6bb42a5a6bb3e5d2700", "parents": [ "40ab4b41d338657c67a7fa72a3f76e26f582d98e" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Oct 22 15:41:42 2019 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Oct 22 15:41:42 2019 +0200" }, "message": "Refactor build_artifacts.sh and makefile\n\n- Move everything to .data, .vendor, .artifacts and .bin in order to cleanly separate build input and output.\n- Sprinkle some subshells on build_artifacts.sh to make it fail more gracefully.\n- Fix fetch_third_party.sh check.\n- GOBUILD make helper.\n- Dockerfile with build dependencies.\n\nTest Plan:\nRan `make clean` and build steps described in README.md, it boots:\n\n{P84}\n\nX-Origin-Diff: phab/D195\nGitOrigin-RevId: 4106534c7248931b79e93e2a13153482033cd0d8\n" }, { "commit": "f95909d11f20c01129120274076a44a689eabe3d", "tree": "2ba85463c30b26c0df8b7c278ea5df22da42dfdb", "parents": [ "ae0d90d0f95a1a71801d31d5460d32f8644fc0dd" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Sep 11 19:48:26 2019 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Sep 11 19:48:26 2019 +0200" }, "message": "UEFI EDK II, TPM minting, QEMU launcher and basic DHCP support\n\nTest Plan:\nYou still need a recent version of QEMU and swtpm installed (these are not yet integrated)\nRun `make launch` and have fun with a running Smalltown instance :)\n\nX-Origin-Diff: phab/D159\nGitOrigin-RevId: c7245bfbabebf92507445525bee009a71d19caea\n" } ] }