Ensure we're building on top of sipwise-trixie docker image, quoting
from jenkins-configs.git:
commit c3abc88488284a52f555223ad4e927d56193d561 (HEAD -> master, origin/master, origin/HEAD)
Author: Michael Prokop <mprokop@sipwise.com>
Date: Fri Jan 30 18:47:17 2026 +0100
MT#62249 Update sipwise-trixie docker image
Otherwise we end up with shipping ngcp-archive-keyring v2016.01.12+0~mr13.4.1.1
instead of the current one, v2016.01.12+0~mr14.0.1.2.
We ended up here after a many-hour debugging session, tackling the SHA-1
key situation for our Debian repository signing key.
When updating our stack, everything was fine, until we faked the date of
our deployment system and ended up with a breaking installation, because
the expected keyring files weren't there.
As it turned out, we're using the sipwise-trixie docker image as a base
for further docker runs, like present in deployment-iso's
grml-build-trixie one, which we use for building our Grml ISO.
Make sure we refresh our docker image, to have the latest
ngcp-archive-keyring package present.
Change-Id: I177c1ef189885c0d9524687d699b200d44626cd7
Lots of changes took place in between v0.54.1 and v0.55.1 upstream[1].
To ensure to follow upstream changes, let's make sure our configuration
avoids relying on features that are going to be dropped in upcoming
versions.
[1] FTR:
% git log --oneline --no-merges v0.54.1..v0.55.1 ^83c27dcf
28272472 (tag: v0.55.1) Update changelog for 0.55.1 release
7e3e30d6 (pull-requests/452) SW: add ncurses-term to GRML_FULL,GRML_SMALL
94f956a1 (pull-requests/451, origin/mika/p9) 9p virtio: do not complain if mount_tag doesn't exist
0b6b8db2 (pull-requests/450, origin/mika/flashrom) SW: drop flashrom package from GRML_FULL
1f7fee83 (tag: v0.55.0) Update changelog for 0.55.0 release
7ebdc43e (pull-requests/449, origin/mika/outputdir) Fix output directory handling if base directory doesn't exist
6c64ec50 (pull-requests/447, origin/mika/squashfs) Fix squashfs exclude usage for grml-live directory
523de64c (pull-requests/446, origin/mika/firmware) SW: add firmware-mediatek to GRMLBASE
00322e7b (pull-requests/445) ZFS remove /proc workaround
04593ba9 (pull-requests/444, origin/mika/xorg, mika/xorg) SW: drop grml-desktop from XORG
7c010147 (pull-requests/443) SW: GRML_FULL: remove mpt-status
64f6ec40 (pull-requests/424) grml.sources snapshot: disable
62a7d5f3 (pull-requests/435, origin/mika/vbox) grml-autoconfig _detect_virtual: prefer Virtualbox over KVM in virt-what
b7c7c20a (pull-requests/146) also mention -I/CHROOT_INSTALL as a possible ssh key injection point
2cd9a141 explain operators how to complete the TOR configuration
661be4de Revert "new SSHGEN class to generate SSH keys at build time"
3cdd9610 new SSHGEN class to generate SSH keys at build time
c4ab37ff add TOR class to the grml-live(8) manual
d1f8ad19 (pull-requests/439, origin/zeha/doc-cleanup) doc: stylize the output directories consistently
ac4dfbb8 doc: specify bookworm as minimum host Debian
91125018 doc: remove squashfs version info
4c85eae5 doc: remove outdated base tarball instructions
345e1b92 (pull-requests/438) doc: simplify "local-files" example with -I option
911a66e9 TOR class to allow remote SSH access over deep networks
af5b4c69 (pull-requests/437, origin/zeha/no-snapshot) build-driver: remove SNAPSHOT
5a79060c (pull-requests/436) restore-config: do not read unused /etc/grml/script-functions
c233f265 (pull-requests/434, origin/mika/bootctl) SW: add systemd-boot-tools to GRML_SMALL + GRML_FULL
acf7575e (pull-requests/433) Stop symlinking /etc/locale.alias
ebe9b2ec (pull-requests/430, origin/zeha/adoc) Rename asciidoc files to *.adoc
cfe71db7 (pull-requests/429, origin/zeha/merge-run-screen) config: import run-screen from grml-scripts
bd281f83 config: getty@tty12: inline run-journalctl
80a4a71f (pull-requests/423) Restrict Docker image pushes to branches from upstream repo
d04e2394 (pull-requests/422) 15-initsetup: Ignore errors as systemd upstream does not support containers
4fe5b0e5 (pull-requests/421) cheatcodes: drop nosyslog option
ae2a3185 cheatcodes: drop noconsolefont option
49421fdd cheatcodes: drop wondershaper option
e5b0e7ef 15-initsetup: un-function-ify
5324bf46 (pull-requests/415) 98-clean-chroot: install xinit files as executable
bda93669 (pull-requests/417) config: drop DEBIAN_BULLSEYE class
18bd18a1 (pull-requests/418) Build Docker images and publish to GitHub Package Registry
f53cf463 grml-desktop: appease shellcheck
5945ee74 cheatcodes: remove mention of release 2010.12 in example
8257f7f1 cheatcodes: drop info about releases older than 10 years
8a0756df 41-memtest: drop support for memtest86+ from bullseye
8a108094 SW: drop grml-desktop
Change-Id: I4ded42b493632bc15226a2b8399f6587adc2f95a
Lots of changes took place in between v0.53.2 and v0.54.1. To ensure to
follow upstream changes, let's make sure our configuration avoids
relying on features that are going to be dropped in upcoming versions.
Relevant changes:
* FAI_DEBOOTSTRAP=... became BOOTSTRAP_MIRROR=... (without the Debian
release name, but just requiring the mirror URL)
* the templates command line option `-t ...` is considered deprecated,
now that boot templates are also class-based configuration files
(via ${GRML_FAI_CONFIG}/config/media-files/$CLASS)
Let's keep our templates as-is, but provide
grml_build/config/media-files/SIPWISE as symlink to our templates
directory
* GRMLBASE and architecture-specific classes are now enabled by
default and no longer should be included in the grml-live invocation,
so drop GRMLBASE + AMD64 class names in wrapper.sh
* The RELEASE class (which cleans up /root and /home/grml) is also
automatically enabled, but since we e.g. ship files like /root/puppet.gpg
we need to disable this new behavior by enabling the new "-R" option
Change-Id: I66dc8c685decac25370234844e33d4be60dea08a
grml-live had >410 commits since v0.47.7 (which we used so far),
including getting rid of FAI (through our own so called minifai
implementation), supporting mmdebstrap for bootstrapping (and using it
by default nowadays), and usage inside non-privileged containers.
Misc changes:
* No longer run any docker containers with --privileged, now that this
is handled all internally from within grml-live's build driver
* Upgrade everything to Debian/trixie (given that we also switched our
trunk/master branch towards trixie also)
* Provide wrapper.sh script to avoid maintaining it also inside
jenkins-configs' jobs/internal/grml/build_grml_image.sh (which meant
going through yet another layer and every single change to it required
a full jenkins-config change). Update README.txt accordingly to
provide usage examples.
* Set up keyring for custom bootstrapping using our own mirror, using
grml_build/config/bootstrap-keyring/SIPWISE and
deploying /usr/share/keyrings/sipwise-archive-keyring.gpg via
updatebase hook script
* Ship .gitignore files to ignore directories that are relevant for
the build process, though we also don't need to explicitly create them
on every single build any longer.
* Update configuration layout for grml-live change as of upstream
version v0.51.0 (see grml-live.git commit f1dc42a), moving from
/etc/grml/fai/config into /usr/share/grml-live/config.
* Update configuration layout for grml-live change as of upstream
version 0.53.0 (see grml-live.git commit 3a4bd41), changing schema
files/<path>/<CLASS> into files/<CLASS>/<path>,
class/<CLASS>.var into env/<CLASS> and
hooks/<hookname>.<CLASS> into hooks/<CLASS>/<hookname>.
* Add memtest86+ + ipxe to SIPWISE class, so they are available for boot
menu integration (grml-live uses addons from grml_chroot and no longer
from host system).
grml_build/Dockerfile related changes:
* Adjust ENV usage (fixes `LegacyKeyValueFormat: "ENV key=value" should
be used instead of legacy "ENV key value" format (line 9)`)
* Add snippet for usage with debian:trixie-slim as base docker image
(useful for debugging e.g. without access to Sipwise systems)
* Install ca-certificates (needed for access to https://github.com/ with
debian:trixie-slim)
* Switch from grml-live v0.47.7 to v0.53.2
* Drop deprecated dependencies that are no longer relevant with recent
grml-live versions (fai-client + fai-server get replaced by our own
minifai implementation, mksh is no longer relevant for grml-live, and
isolinux, ipxe, memtest86+ + syslinux are used from the grml_chroot
instead of from the host system, also see above)
* Instead install mmdebstrap (which is much faster for bootstrapping
than debootstrap), now being supported and the default, thanks to our
minifai implementation
* Drop /root/.bash_history, as we switched towards our custom wrapper.sh
script
t/Dockerfile related changes:
* Mark /code as safe directory for git, to not fail with
"fatal: detected dubious ownership in repository at '/code'"
* Adjust ENV usage (fixes `LegacyKeyValueFormat: "ENV key=value" should
be used instead of legacy "ENV key value" format (line 8)`)
Addendum: it's yet unclear why we need the `ulimit -n 1048576`
workaround to fix an apt/apt-mark performance issue. It feels similar to
what has been observed for fakeroot at https://bugs.debian.org/920913.
Credits to Chris Hofstaedtler for review and working on grml-live's
minifai, to support all our needs.
Change-Id: I85111806a550f1aeffcb5263af2455ec8b90cc32
Quoting from grml-live upstream:
| commit 3edddaef70f137f4f2874cef669c05948a41438c
| Author: Michael Prokop <mika@grml.org>
| Date: Mon Apr 11 18:47:19 2022 +0200
|
| SW: move from ntp/ntpdate to ntpsec/ntpsec-ntpdate in GRML_SMALL + GRML_FULL
|
| Starting with bookworm (current Debian/testing), ntpsec replaces ntp,
| and ntpsec-ntpdate replaces ntpdate. Now both the ntp + ntpdate packages
| are transitional packages. Given that ntpsec/ntpsec-ntpdate are
| available even for oldstable, let's follow this transition now (also see
| https://sources.debian.org/src/ntpsec/1.2.1%2Bdfsg1-6/debian/NEWS/).
| [...]
Now that ntpdate no longer exists in Debian/trixie, we need to switch
from ntpdate to ntpsec-ntpdate in our deployment ISO (the later package
also provides the /usr/sbin/ntpdate binary, so nothing further needs to
be adjusted).
Given that ntpsec-ntpdate exists even since oldoldstable AKA buster, we
can further adjust it in our deployment script for our puppet
deployments (to not break when switching to trixie there).
Change-Id: Ie332023aa2e6b4afedddf5a5077cec1c41ecb75b
Quoting from grml-live upstream:
| commit 61b77ff04fb60e09123a79b5f0ededbb6455add5
| Author: Michael Prokop <mika@grml.org>
| Date: Thu Dec 13 12:08:01 2018 +0100
|
| SW: drop deprecated cpufrequtils (+ drop scripts/GRMLBASE/36-cpufrequtils)
|
| The cpufreq drivers are autoloaded and the powersave/ondemand driver
| is mature enough. The linux-cpupower tools provide the binaries
| as replacement for what cpufrequtils provided so far and we ship
| them (with GRML_FULL) already.
|
| Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877016
|
| Thanks: Michael Biebl for the pointer
| Closes: https://github.com/grml/grml/issues/51
Now that cpufrequtils no longer exists as of Debian/trixie and newer,
drop it accordingly in our deployment ISO.
Change-Id: I4373ef907824a844cdf8adf240fa3cc2f878a1cd
As reported when sending new deployment-iso reviews,
triggered by newer docker image / shellcheck:
| not ok 1 source/templates/scripts/includes/deployment.sh:1543:10: warning: Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a. [SC2206]
| not ok 2 source/templates/scripts/includes/deployment.sh:1903:22: warning: Prefer mapfile or read -a to split command output (or quote to avoid splitting). [SC2207]
| not ok 3 source/templates/scripts/includes/deployment.sh:2275:20: warning: Prefer mapfile or read -a to split command output (or quote to avoid splitting). [SC2207]
| not ok 4 source/templates/scripts/includes/deployment.sh:2486:12: note: Not following: ./etc/profile.d/puppet-agent.sh was not specified as input (see shellcheck -x). [SC1091]
Let's take this as a chance to properly parse ip(8) output via its JSON
output, instead of awk/sed magic.
Change-Id: I723959626fb514ab9e57202b0e5f415b411f5a01
It's better to have this package in grml-sipwise image so any system
with this network card can use all it's power even in deployment stage.
Change-Id: I765efcf446a410a42ef156b2ccc2e6612a33ddd6
Packages like 'firmware-linux', 'firmware-linux-nonfree',
'firmware-misc-nonfree' and further 'firmware-*' got moved from non-free
to the new non-free-firmware component/repository (related to
https://www.debian.org/vote/2022/vote_003).
grml-live v0.43.0 provides supports for this new component, so let's
make sure we have proper support for firmware related packages by
updating to the corresponding grml-live version.
Change-Id: I4704e8be051ab6b5496021f07f42208b34963739
Relevant changes:
* GRMLBASE/39-modprobe: avoid usage of /lib/modprobe.d/50-nfs.conf
* GRMLBASE/39-modprobe: do not expect all files in /etc/modprobe.d to be used
This gives us working netboot images and avoids sysctl errors during bootup,
if nfs-kernel-server should be present on the ISO.
Change-Id: I0012199658c186b69c45ac51bc249ce75b8d81ce
If the date of the running system isn't appropriate enough, then apt
runs might fail with somehint like:
| E: Release file for https://deb/sipwise/com/spce/mr10.5.2/dists/bullseye/InRelease is not valid yet (invalid for another 6h 19min 2s)
So let's try to sync date/time of the system via NTP. Given that chrony
is a small (only 650 kB disk space) and secure replacement for ntp,
let's ship chrony with the Grml deployment ISO (and fall back to ntp
usage in deployment script if chrony shouldn't be available).
Also, if the system is configured to read the RTC time in the local time
zone, this is known as another source of problems, so let's make sure to
use the RTC in UTC.
Change-Id: I747665d1cee3b6f835c62812157d0203bcfa96e2
For deploying Debian/bookworm (see MT#55524), we'd like to have an
updated Grml ISO. With such a Debian/bookworm based live system, we can
still deploy older target systems (like Debian/bullseye).
Relevant changes:
1) Ad jo as new build-dependency, to generate build information in
conf/buildinfo.json (new dependency of grml-live)
2) Always include ca-certificates, as this is required with more recent
mmdebstrap versions (>=0.8.0), when using apt repositories with
https, otherwise bootstrapping Debian fails.
3) Update to latest stable grml-live version v0.42.0, which:
a) added support for "bookworm" as suite name
cff66073a7
b) provides corresponding templates for memtest support:
c01a86b3fc
c) and a workaround for a kmod/initramfs-tools issue with PXE/NFS boot:
ea1e5ea330
4) Update memtest86+ to v6.00-1 as present in Debian/bookworm and
add corresponding UEFI support (based on grml-live's upstream change,
though as we don't support i386, dropped the 32bit related bits)
Change-Id: I327c0e25c28f46e097212ef4329d75fc8d34767c
The dmraid package executes udevadm in its postinst script:
| jenkins@jenkins-slave11:/tmp/grml-live/deployment-iso$ docker run --rm -it -v "$(pwd)":/deployment-iso/ -v "$(pwd)/grml_build/":/grml/ docker.mgm.sipwise.com:5000/grml-build-bullseye:latest /bin/bash
| root@fa6b983da364:/code/grml-live# apt install dmraid
| [...]
| Setting up dmraid (1.0.0.rc16-8+b1) ...
| Failed to write 'change' to '/sys/devices/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0/block/sda/uevent': Read-only file system
| dpkg: error processing package dmraid (--configure):
| installed dmraid package post-installation script subprocess returned error exit status 1
| Processing triggers for libc-bin (2.31-4) ...
| Errors were encountered while processing:
| dmraid
| E: Sub-process /usr/bin/dpkg returned an error code (1)
Also see https://bugs.debian.org/962300.
Installing the dmraid package on bullseye requires execution of docker
containers with privileged mode, which is something we would like to
avoid. dmraid also had its latest Debian upload in 2017, the last
upstream release dates back to 2010 (see
http://people.redhat.com/~heinzm/sw/dmraid/src/) and it has plenty of
bugs. It's furthermore relevant for so called fake RAIDs only, something
we don't support and therefore shouldn't matter for us.
Change-Id: I7ed50d8d732f75c56e94b8bfd97a71613577f3bd
Add options to install bullseye in all places where buster is used, use
it as default when possible, and keep these for the moment.
Switch to bullseye in Dockerfile.
Change-Id: I2f693982ba92a671a6f2254c5a245a1d05231404
grml-live v0.38.0 is the current release, including a change to use 1m
block size for squashfs, which reduces ISO size (see
fada6dea0f),
improvements to EFI, GRUB, documentation and several bug fixes.
Change-Id: I3382bd81a8a41d3672a1a709200740cb7284cbbd
No need to install this package to non-vagrant system.
Do not add this package to Sipwise-grml image - it's too heavy (86M)
and not needed on real systems.
Change-Id: I9ec9ff76d588f4ced30ba199f05bb167eec5288a
Otherwise execution of FAI might fail:
| Calling task_faiend
| /usr/lib/fai/subroutines: line 142: ps: command not found
| [...]
This is supposed to be fixed with FAI 5.9.4, while
version 5.8.4 suffers from this bug, so until >=5.9.4
is available in buster/stable let's fix this via an
explicit dependency.
Change-Id: I99490f263d1b2a1aec65f55feebe429b62628918
We no longer support linux-image-amd64-grml, so there's
no point in sitting at kernel version 4.19.0-1-grml-amd64,
instead switch to the plain Debian kernel.
Change-Id: I00efa274acf9724241762ef43a15ecec61e2a409
grml-live v0.35.3 is the current release, planned to be the
base for the upcoming new Grml stable release and its release candidate.
Change-Id: Ia5916250975b90f8d5f75d6fd1aefa5a9bd17d4c
Instead of having to maintain this ISO in our web server off-band,
we switch to use the packaged version, which makes validation
unnecessary as apt gives us that. And it also gives us a newer
version (currently 6.0.4 with Debian buster 10.3 vs the old 5.2.26).
Change-Id: Id89280bbe7fadeb35d391b5dc46e930935017588
* Addon fixes:
* Provide custom addon template according to our needs, instead of
relying on the default one being present in grml-live.git/templates
* Install memtest86+ as addon for BIOS usage
* Install netboot.xyz.lkrn for BIOS usage and netboot.xyz.efi for EFI usage
* Install ipxe.lkrn for BIOS usage and ipxe.efi for EFI usage
* Stick grml-live version to v0.34.3, instead of relying on some random
git master version
* Stick grml2usb version to v0.17.0, instead of relying on the grml2usb
version available on the host system (being 0.14.14 on Debian/stretch as
present on our current build hosts). For arbitrary addon file names we
need grml2iso (which uses grml2usb underneath) from grml2usb >=0.17.0.
FTR, grml2iso and grml2usb can be executed from within the git repository,
assuming all relevant tools are present
* No longer invoke isohybrid on the resulting ISO, instead rely on
grml2iso behaviour (which also checks for EFI support and enables
according switches as needed)
* Fix usage instructions in t/Dockerfile:
* it's "deployment-iso-buster" and not "lua-ngcp-kamailio-buster"
* refer to working directory instead of "deployment-iso.git",
which very probably isn't named as such on any of our systems,
while the $(pwd) approach works for c/p
* Fix docker build usage in grml_build/Dockerfile (for building we need
to provide a PATH (being current working directory for us)
* Provide testing tools in grml-build-buster docker environment
* Provide new testing script t/iso-tester to compare generated ISO
against pre-defined screenshot (only testing memtest feature using
./t/screenshots/01-memtest.jpg for now)
Change-Id: I67e3f85bbe86bd1b3ee709161504b5250ca5d7fe
In mr7.5+ bootstrap gpg keyring is named sipwise-keyring-bootstrap.gpg
so add appropriate directory.
Change-Id: I633deac1ffb203e7d566e5262e0dff35354aa2e5
This script copies puppet.gpg file to '/root' dir of Grml-sipwise
image in building process.
Create 'scripts/PUPPETLABS' so '10-gpgkey' is copied there in runtime.
Change-Id: I836fa35e3f64f40cb4ee4a298fc18676f7689b54
This package contains Sipwise gpg keys so we don't need to download them
on fly during deployment.sh.
Change-Id: I629c7e43d9f62e033a0e869a307bf5b3b0490ce0
Create directories to place files with repo information and gpg key
during building of grml-sipwise iso.
Change-Id: I9ed158b085ea6caaab6a34ce74b5f66ec0f80ce7
The Secure Boot enabled GRUB from Ubuntu breaks EFI boot on
Dell servers (e.g. on PowerEdge R330). Until we know how
to solve this disable Secure Boot support within our ISOs.
Change-Id: I3cf96ca40b6e66c591b60b73e77ac164fd79f472
Add docker file to build tools' images.
Add package list SIPWISE with all the needed packages for deployment.sh.
Add building dirs to gitignore/dist-clean target of Makefile
Building tools and dockerfile were provided by Michael Prokop <mika@grml.org>
Change-Id: I69239cb7b7b4f07edbdb1bd766cb3f125258f890
Michael Prokop
Sipwise Jenkins Builder
Mykola Malkov
Manuel Montecelo
Guillem Jover
Alexander Lutay