MT#60283 Update to grml-live version v0.53.2 + Debian/trixie

grml-live had >410 commits since v0.47.7 (which we used so far),
including getting rid of FAI (through our own so called minifai
implementation), supporting mmdebstrap for bootstrapping (and using it
by default nowadays), and usage inside non-privileged containers.

Misc changes:

* No longer run any docker containers with --privileged, now that this
  is handled all internally from within grml-live's build driver

* Upgrade everything to Debian/trixie (given that we also switched our
  trunk/master branch towards trixie also)

* Provide wrapper.sh script to avoid maintaining it also inside
  jenkins-configs' jobs/internal/grml/build_grml_image.sh (which meant
  going through yet another layer and every single change to it required
  a full jenkins-config change). Update README.txt accordingly to
  provide usage examples.

* Set up keyring for custom bootstrapping using our own mirror, using
  grml_build/config/bootstrap-keyring/SIPWISE and
  deploying /usr/share/keyrings/sipwise-archive-keyring.gpg via
  updatebase hook script

* Ship .gitignore files to ignore directories that are relevant for
  the build process, though we also don't need to explicitly create them
  on every single build any longer.

* Update configuration layout for grml-live change as of upstream
  version v0.51.0 (see grml-live.git commit f1dc42a), moving from
  /etc/grml/fai/config into /usr/share/grml-live/config.

* Update configuration layout for grml-live change as of upstream
  version 0.53.0 (see grml-live.git commit 3a4bd41), changing schema
  files/<path>/<CLASS> into files/<CLASS>/<path>,
  class/<CLASS>.var into env/<CLASS> and
  hooks/<hookname>.<CLASS> into hooks/<CLASS>/<hookname>.

* Add memtest86+ + ipxe to SIPWISE class, so they are available for boot
  menu integration (grml-live uses addons from grml_chroot and no longer
  from host system).

grml_build/Dockerfile related changes:

* Adjust ENV usage (fixes `LegacyKeyValueFormat: "ENV key=value" should
  be used instead of legacy "ENV key value" format (line 9)`)

* Add snippet for usage with debian:trixie-slim as base docker image
  (useful for debugging e.g. without access to Sipwise systems)

* Install ca-certificates (needed for access to https://github.com/ with
  debian:trixie-slim)

* Switch from grml-live v0.47.7 to v0.53.2

* Drop deprecated dependencies that are no longer relevant with recent
  grml-live versions (fai-client + fai-server get replaced by our own
  minifai implementation, mksh is no longer relevant for grml-live, and
  isolinux, ipxe, memtest86+ + syslinux are used from the grml_chroot
  instead of from the host system, also see above)

* Instead install mmdebstrap (which is much faster for bootstrapping
  than debootstrap), now being supported and the default, thanks to our
  minifai implementation

* Drop /root/.bash_history, as we switched towards our custom wrapper.sh
  script

t/Dockerfile related changes:

* Mark /code as safe directory for git, to not fail with
  "fatal: detected dubious ownership in repository at '/code'"

* Adjust ENV usage (fixes `LegacyKeyValueFormat: "ENV key=value" should
  be used instead of legacy "ENV key value" format (line 8)`)

Addendum: it's yet unclear why we need the `ulimit -n 1048576`
workaround to fix an apt/apt-mark performance issue. It feels similar to
what has been observed for fakeroot at https://bugs.debian.org/920913.

Credits to Chris Hofstaedtler for review and working on grml-live's
minifai, to support all our needs.

Change-Id: I85111806a550f1aeffcb5263af2455ec8b90cc32

README.txt

@@ -11,3 +11,11 @@ Execute:
 
 This will generate ISO file, providing the custom bootsplash
 with Sipwise specific boot menu entries.
+
+To generate the underlying base ISO, you can use the wrapper script:
+
+  % osversion=auto release=trunk ./wrapper.sh
+
+To not use release-trunk, use something like:
+
+  % osversion=auto release=mr13.3.1 ./wrapper.sh

build_iso.sh

@@ -120,7 +120,7 @@ mkdir -p artifacts
 echo "*** Moving ${SIPWISE_ISO} ${SIPWISE_ISO}.sha1 ${SIPWISE_ISO}.md5 to artifacts/ ***"
 mv "${SIPWISE_ISO}" "${SIPWISE_ISO}.sha1" "${SIPWISE_ISO}.md5" artifacts/
 
-docker run --rm -i --privileged -v "$(pwd)":/code/ docker.mgm.sipwise.com/deployment-iso-bullseye:latest \
+docker run --rm -i -v "$(pwd)":/code/ docker.mgm.sipwise.com/deployment-iso-trixie:latest \
   /code/t/iso-tester /code/artifacts/"${SIPWISE_ISO}" /code/artifacts/memtest.jpg "${MEMTEST_SCREENSHOT}"
 
 popd &>/dev/null

grml_build/Dockerfile

@@ -1,28 +1,26 @@
-# DOCKER_NAME=grml-build-bookworm
-FROM docker.mgm.sipwise.com/sipwise-bookworm:latest
+# DOCKER_NAME=grml-build-trixie
+FROM docker.mgm.sipwise.com/sipwise-trixie:latest
+#FROM --platform=linux/amd64 debian:trixie-slim
 
 # Important! Update this no-op ENV variable when this Dockerfile
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apt-get update` won't be using
 # old cached versions when the Dockerfile is built.
-ENV REFRESHED_AT 2024-06-10
+ENV REFRESHED_AT=2025-06-13
 
 # tools for building and testing
 RUN apt-get update && apt-get install --assume-yes --no-install-recommends \
   bc \
   bzip2 \
+  ca-certificates \
   dosfstools \
-  fai-client \
-  fai-server \
   git \
   grml2usb \
   imagemagick \
-  isolinux \
   isomd5sum \
   jo \
   kmod \
-  memtest86+ \
-  mksh \
+  mmdebstrap \
   moreutils \
   mtools \
   pciutils \
@@ -32,41 +30,13 @@ RUN apt-get update && apt-get install --assume-yes --no-install-recommends \
   socat \
   squashfs-tools \
   sudo \
-  syslinux \
   wget \
   xorriso
 
-RUN echo "SECURE_BOOT=disable ./grml-live -s bookworm -a amd64 -c GRMLBASE,SIPWISE,AMD64 -t /code/grml-live/templates/ -o /grml/ -r grml-sipwise -v 0.42" >/root/.bash_history && \
-  echo "export LIVE_CONF=/code/grml-live/etc/grml/grml-live.conf" >>/root/.bash_history && \
-  echo "export SCRIPTS_DIRECTORY=/code/grml-live/scripts"         >>/root/.bash_history && \
-  echo "export GRML_FAI_CONFIG=/code/grml-live/etc/grml/fai"      >>/root/.bash_history && \
-  echo "cp /deployment-iso/grml_build/package_config/SIPWISE /code/grml-live/etc/grml/fai/config/package_config/SIPWISE" >>/root/.bash_history
-
 # base build tools
 WORKDIR /code/
-RUN git clone -b 'v0.47.7' --single-branch --depth 1 https://github.com/grml/grml-live
-RUN mkdir -p /code/grml-live/templates/boot/addons/ \
-  /code/grml-live/etc/grml/fai/config/files/etc/apt/sources.list.d/sipwise.list/ \
-  /code/grml-live/etc/grml/fai/config/files/etc/apt/trusted.gpg.d/sipwise-keyring.gpg/ \
-  /code/grml-live/etc/grml/fai/config/files/etc/apt/trusted.gpg.d/sipwise-keyring-bootstrap.gpg/ \
-  /code/grml-live/etc/grml/fai/config/files/root/puppet.gpg/ \
-  /code/grml-live/etc/grml/fai/config/scripts/PUPPETLABS/
-
-# addons
-RUN wget https://debian.sipwise.com/debian/pool/main/m/memtest86+/memtest86+_6.00-1_amd64.deb && \
-  dpkg -x memtest86+_6.00-1_amd64.deb /tmp/memtest86 && \
-  cp /tmp/memtest86/boot/memtest86+x64.bin /code/grml-live/templates/boot/addons/memtest86+x64.bin && \
-  cp /tmp/memtest86/boot/memtest86+x64.efi /code/grml-live/templates/boot/addons/memtest86+x64.efi && \
-  rm -rf /tmp/memtest86
-
-RUN wget -O /code/grml-live/templates/boot/addons/netboot.xyz.efi https://boot.netboot.xyz/ipxe/netboot.xyz.efi && \
-  wget -O /code/grml-live/templates/boot/addons/netboot.xyz.lkrn https://boot.netboot.xyz/ipxe/netboot.xyz.lkrn
 
-RUN wget http://ftp.de.debian.org/debian/pool/main/i/ipxe/ipxe_1.0.0+git-20190125.36a4c85-1_all.deb && \
-  dpkg -x ipxe_1.0.0+git-20190125.36a4c85-1_all.deb /tmp/ipxe && \
-  cp /tmp/ipxe/boot/ipxe.efi /code/grml-live/templates/boot/addons/ipxe.efi && \
-  cp /tmp/ipxe/boot/ipxe.lkrn /code/grml-live/templates/boot/addons/ipxe.lkrn && \
-  rm -rf /tmp/ipxe
+RUN git clone -b 'v0.53.2' --single-branch --depth 1 https://github.com/grml/grml-live
 
 WORKDIR /code/grml-live
 
@@ -75,20 +45,9 @@ WORKDIR /code/grml-live
 #
 # docker build --tag="grml-sipwise" -f grml_build/Dockerfile .
 #
-## Build Grml image (assuming current working directory is deployment-iso.git):
-#
-# mkdir -p grml/
-# docker run --rm -i -t --privileged -v $(pwd):/deployment-iso/ -v $(pwd)/grml:/grml/ grml-sipwise
-#
-## inside docker container (also available in shell history):
-#
-# export GRML_FAI_CONFIG=$(pwd)/etc/grml/fai
-# export SCRIPTS_DIRECTORY=$(pwd)/scripts
-# export LIVE_CONF=$(pwd)/etc/grml/grml-live.conf
-# cp /deployment-iso/grml_build/package_config/SIPWISE /code/grml-live/etc/grml/fai/config/package_config/SIPWISE
-# ./grml-live -s bookworm -a amd64 -c GRMLBASE,SIPWISE,AMD64 -t $(pwd)/templates/ -o /grml/ -r grml-sipwise -v 0.42
+## Build Grml image:
 #
-## A successful run results in ISO file in /grml/grml_isos/ (inside container),
-## available via volume folder also outside of docker container ($pwd/grml/grml_isos/).
+# osversion=auto release=trunk ./wrapper.sh
 #
+## A successful run results in an ISO file in grml_build/grml_isos/
 ####################################################################################################

grml_build/config/files/PUPPETLABS/root/.gitignore

@@ -0,0 +1 @@
+*

grml_build/config/files/SIPWISE/etc/apt/sources.list.d/.gitignore

@@ -0,0 +1 @@
+*

grml_build/config/hooks/SIPWISE/updatebase

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -eux
+
+# shellcheck disable=SC2154
+echo "Deploying /usr/share/keyrings/sipwise-archive-keyring.gpg to ${target}/etc/apt/trusted.gpg.d/"
+cp /usr/share/keyrings/sipwise-archive-keyring.gpg "${target}"/etc/apt/trusted.gpg.d/

grml_build/config/package_config/SIPWISE

@@ -30,6 +30,7 @@ imvirt
 iproute2
 iptstate
 iputils-ping
+ipxe
 isc-dhcp-client
 isomd5sum
 iw
@@ -41,6 +42,7 @@ locales
 lsof
 lsscsi
 mawk
+memtest86+
 mmdebstrap
 mount
 mtools

t/Dockerfile

@@ -1,14 +1,16 @@
-# DOCKER_NAME=deployment-iso-bookworm
-FROM docker.mgm.sipwise.com/sipwise-bookworm:latest
+# DOCKER_NAME=deployment-iso-trixie
+FROM docker.mgm.sipwise.com/sipwise-trixie:latest
 
 # Important! Update this no-op ENV variable when this Dockerfile
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apt-get update` won't be using
 # old cached versions when the Dockerfile is built.
-ENV REFRESHED_AT 2023-06-26
+ENV REFRESHED_AT=2025-06-13
 
 RUN apt-get update && apt-get install --assume-yes git make gcc dpkg-dev
 
+RUN git config --global --add safe.directory /code
+
 RUN echo './t/testrunner' >>/root/.bash_history
 
 WORKDIR /code/
@@ -19,13 +21,13 @@ WORKDIR /code/
 # When you want to build the base image from scratch
 # jump to the next section if you don't want to build yourself!:
 #
-# % docker build --tag="deployment-iso-bookworm" -f t/Dockerfile .
-# % docker run --rm -i -t -v $(pwd):/code:rw deployment-iso-bookworm:latest bash
+# % docker build --tag="deployment-iso-trixie" -f t/Dockerfile .
+# % docker run --rm -i -t -v $(pwd):/code:rw deployment-iso-trixie:latest bash
 #
 # Use the existing docker image:
-# % docker pull docker.mgm.sipwise.com/deployment-iso-bookworm
+# % docker pull docker.mgm.sipwise.com/deployment-iso-trixie
 # NOTE: run the following command from root folder of git repository:
-# % docker run --rm -i -t -v $(pwd):/code:rw docker.mgm.sipwise.com/deployment-iso-bookworm:latest bash
+# % docker run --rm -i -t -v $(pwd):/code:rw docker.mgm.sipwise.com/deployment-iso-trixie:latest bash
 #
 # Inside docker (the command is in history, just press UP button):
 #   ./t/testrunner

wrapper.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# sanity checks
+if [ -z "${osversion:-}" ];  then
+  echo "Error: osversion is unset, please set to supported Debian/release (like 'trixie' or 'auto')" >&2
+  exit 1
+fi
+
+if [ -z "${release:-}" ];  then
+  echo "Error: release is unset, please set to supported Sipwise release (like 'mr13.5.1' or 'trunk')" >&2
+  exit 1
+fi
+
+if ! [ -d grml_build ] ; then
+  echo "Error: grml_build doesn't exist, executing outside deployment-iso directory?" >&2
+  exit 1
+fi
+
+# ensure that we're running it manually inside deployment-iso,
+# or we're running it from within Jenkins
+if [ "$(basename "$(pwd)")" = "deployment-iso" ] ; then
+  echo "*** Looks we're running locally inside deployment-iso directory ***"
+elif [ -n "${WORKSPACE:-}" ] && [ "$(basename "$(pwd)")" = "source" ] ; then
+  echo "*** Looks we're running inside Jenkins ***"
+else
+  echo "Error: you need to run this inside the deployment-iso directory or from within Jenkins" >&2
+  exit 1
+fi
+
+# derive Debian release from grml_build/Dockerfile if osversion is set to "auto"
+if [[ "${osversion}" == 'auto' ]]; then
+  osversion="$( sed -rn 's|^FROM docker.mgm.sipwise.com/sipwise-([A-Za-z0-9]+):.+$|\1|p' grml_build/Dockerfile )"
+fi
+
+if [ -z "${WORKSPACE:-}" ] ; then
+  docker_image="grml-sipwise"
+  echo "*** Assuming local build with docker image '${docker_image}' ***"
+else
+  echo "*** Looks like we are running inside Jenkins environment ***"
+  docker_repo=${docker_repo:-docker.mgm.sipwise.com}
+  docker_repo_port=${docker_repo_port:-5000}
+  docker_name="grml-build-${osversion}"
+  docker_tag="${dockertag:-latest}"  # support custom build param via grml-build-iso Jenkins job
+  docker_image="${docker_repo}:${docker_repo_port}/${docker_name}:${docker_tag}"
+  echo "*** Pulling ${docker_image} docker image ***"
+  docker pull "${docker_image}"
+fi
+
+if [ -z "${osversion:-}" ]; then
+  echo "Can not detect osversion, exiting" >&2
+  exit 1
+fi
+
+# misc variables
+fai_config='/code/grml-live/config/'
+outside_fai_config="${PWD}/grml_build/config/"
+debian_bootstrap_url="https://debian.sipwise.com/debian/"
+iso_image_name="grml-sipwise-${osversion}-$(date +%Y%m%d_%H%M%S).iso"
+
+# write apt sources
+source_list_path='etc/apt/sources.list.d/sipwise.list'
+repo_addr="deb https://deb.sipwise.com/autobuild release-trunk-${osversion} main"
+if [[ "${release}" != 'trunk' ]]; then
+  repo_addr="deb https://deb.sipwise.com/spce/${release} ${osversion} main"
+fi
+echo "${repo_addr}" > "${outside_fai_config}files/SIPWISE/${source_list_path}"
+
+# get the puppet public key, so no need to download it in deployment.sh
+puppet_key='puppet.gpg'
+wget -O "${outside_fai_config}/files/PUPPETLABS/root/${puppet_key}" http://apt.puppetlabs.com/DEB-GPG-KEY-puppetlabs
+
+build_command=''
+build_command+=" cp -rv /grml/config/ /code/grml-live/"
+build_command+=" && ulimit -n 1048576"  # workaround to fix apt/apt-mark performance issue
+build_command+=" && GRML_NAME=grml64-small"
+build_command+=" CHROOT_OUTPUT=/root/grml_chroot"
+build_command+=" FAI_DEBOOTSTRAP='${osversion} ${debian_bootstrap_url}'"
+build_command+=" LIVE_CONF=/code/grml-live/etc/grml/grml-live.conf"
+build_command+=" GRML_FAI_CONFIG=${fai_config}"
+build_command+=" ./grml-live"
+build_command+=" -s '${osversion}'"
+build_command+=" -a amd64"
+build_command+=" -i '${iso_image_name}'"
+build_command+=" -c GRMLBASE,SIPWISE,AMD64,PUPPETLABS"
+build_command+=" -t /code/grml-live/templates/"
+build_command+=" -o /grml/"
+build_command+=" -r 'grml-sipwise-${osversion}'"
+build_command+=" -v '${release}'"
+build_command+=" -F"
+build_command+=" && cd /grml/grml_isos/"
+build_command+=" && sha1sum '${iso_image_name}' > '${iso_image_name}.sha1'"
+build_command+=" && md5sum  '${iso_image_name}' > '${iso_image_name}.md5'"
+
+echo "System information:"
+uname -a
+lsb_release -a
+docker --version
+dpkg -l | grep docker
+
+echo "Build command is:"
+echo "${build_command}"
+
+docker run --rm \
+  -v "$(pwd)":/deployment-iso/ \
+  -v "$(pwd)/grml_build/":/grml/ \
+  "${docker_image}" \
+  /bin/bash -c "${build_command}"