podvm-mkosi: use toolchain from nixpkgs #1523
Conversation
katexochen
force-pushed
the
feat/mkosi-builds-nix
branch
2 times, most recently
from
23a3b64 to
b90d180
Compare
Adding a Nix flake to pin toolchain and dependencies for building OS images with mkosi. Signed-off-by: Paul Meyer <[email protected]>
This commit switches the mkosi image build process to use a Nix environment instead of docker. Signed-off-by: Paul Meyer <[email protected]>
katexochen
force-pushed
the
feat/mkosi-builds-nix
branch
from
b90d180 to
000a81c
Compare
Adding a worklflow to build podvm images with mkosi in the CI. Signed-off-by: Paul Meyer <[email protected]>
katexochen
force-pushed
the
feat/mkosi-builds-nix
branch
from
000a81c to
de8f4af
Compare
There was a problem hiding this comment.
LGTM. built an image and tested it in a peerpod deployment.
I didn't test the GH action code. I'm not entirely sure about the build-space issue on a worker, locally my podvm-mkosi folder consumes 2.5G, and this includes the vhd copy. I'd suspected docker build leftovers, but we should be on a fresh node 🤔
|
I tried the gh workflow using nektos/act and it failed during the build image step. |
|
Another question on the gh-action, is it possible to reuse a pre-built binaries for the podvm "build image" job ? In my local env, re-running the "build image" job results in rebuilding the binaries. And it took roughly 30 min to build the binaries on a VM with 2vcpus and 16GB mem. |
I haven't tried this with act, not sure what caused the error you observed. If you want to test this workflow, you can just trigger it on your fork. Container images are automatically pushed to the registry of the repo the workflow is executed. Here is a successful run on my fork: https://github.com/katexochen/cloud-api-adaptor/actions/runs/6928972339 |
Yes, this definitely can be optimized. Should we just add a input for the image name? Then we can skip the first job if the image is passed as input. As we've already discussed a few times, we should get rid of the binaries container image build step, build binaries in separate and cache them in the mid-term. |
Yeah, this might be helpful.
Would it make sense to split the workflow into two - one for building the binaries and another for the podvm image ? |
Not sure about this, that would place the burden on managing cache invalidation on the developer - which hasn't been working out well with the old image pipeline, where we would only update these images once or twice a release cycle. |
This reduces the build time if you have to rebuild often and know that the binaries haven't changed. Signed-off-by: Paul Meyer <[email protected]>
I see.. |
|
Workflow run with prebuilt binaries image: https://github.com/katexochen/cloud-api-adaptor/actions/runs/7043741095/job/19170078950 |
| jobs: | ||
| build-binaries: | ||
| name: Build binaries | ||
| if : ${{ github.event.inputs.binaries-image == '' }} |
There was a problem hiding this comment.
nice.. thanks for adding this.
If we want to have reproducible OS image build, we need to use the toolchain from nixpkgs. The mkosi version in nixpkgs uses a patched version of systemd (with commits that are upstream, but will only be part of the next release). We also fixed many of the tools mkosi uses to get things reproducible.
I maintain the mkosi package in nixpkgs with a colleague. We have nightly tests running on nixpkgs master + mkosi main to ensure things stay reproducible and working.
The use of Nix in general is discussed in #1516. Nevertheless, as I already have this ready, I wanted to open this at least as a draft. I don't think using Nix must be an all-or-nothing decision. I don't think there is currently a way to get around using it for what it is used in this PR if we want reproducible images.