podvm-mkosi: use toolchain from nixpkgs

.github/workflows/podvm_mkosi.yaml

@@ -0,0 +1,92 @@
+name: Create a Pod VM image with mkosi
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build builder
+        uses: docker/build-push-action@v5
+        with:
+          tags: ghcr.io/${{ github.repository }}/podvm/builder-fedora:${{ github.sha }}
+          file: podvm/Dockerfile.podvm_builder.fedora
+          push: true
+
+      - name: Build binaries
+        uses: docker/build-push-action@v5
+        with:
+          tags: ghcr.io/${{ github.repository }}/podvm/binaries-fedora:${{ github.sha }}
+          file: podvm/Dockerfile.podvm_binaries.fedora
+          push: true
+          build-args:
+            "BUILDER_IMG=ghcr.io/${{ github.repository }}/podvm/builder-fedora:${{ github.sha }}"
+
+  build-image:
+    name: Build image
+    needs: [build-binaries]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v22
+
+      - name: Build nix shell to cache dependencies
+        run: nix build .#devShells.x86_64-linux.podvm-mkosi
+
+      - name: Install crane
+        run: nix profile install nixpkgs#crane
+
+        # This removes the checkout and creates a btrfs volume with maximized
+        # build space.
+      - name: Maximize build space
+        uses: katexochen/maximize-build-space@btrfs
+        with:
+          swap-size-mb: 1024
+          remove-dotnet: "true"
+          remove-android: "true"
+          remove-haskell: "true"
+          remove-codeql: "true"
+          remove-docker-images: "true"
+
+      - name: Second checkout
+        uses: actions/checkout@v3
+
+      - name: Download binaries and unpack into binaries-tree
+        run: |
+          crane export \
+            ghcr.io/${{ github.repository }}/podvm/binaries-fedora:${{ github.sha }} \
+            podvm-binaries.tar
+          mkdir -p podvm-mkosi/resources/binaries-tree
+          tar xf podvm-binaries.tar -C podvm-mkosi/resources/binaries-tree
+          rm podvm-binaries.tar
+
+      - name: Build image
+        working-directory: podvm-mkosi
+        run: make image-debug
+
+      - name: Upload image
+        uses: actions/upload-artifact@v2
+        with:
+          name: podvm-mkosi-${{ github.sha }}
+          path: podvm-mkosi/build/system.raw

flake.nix

@@ -0,0 +1,45 @@
+{
+  description = "Cloud API Adaptor for Confidential Containers";
+
+  inputs = {
+    nixpkgsUnstable = {
+      url = "github:nixos/nixpkgs/nixos-unstable";
+    };
+    flake-utils = {
+      url = "github:numtide/flake-utils";
+    };
+  };
+
+  outputs =
+    { self
+    , nixpkgsUnstable
+    , flake-utils
+    }:
+    flake-utils.lib.eachDefaultSystem
+      (system:
+      let
+        pkgsUnstable = import nixpkgsUnstable { inherit system; };
+      in
+      {
+        devShells = {
+          # Shell for building podvm images with mkosi.
+          podvm-mkosi = pkgsUnstable.mkShell {
+            nativeBuildInputs = with pkgsUnstable; [
+              btrfs-progs
+              cryptsetup
+              dnf5
+              dosfstools
+              mkosi-full
+              mtools
+              rpm
+              squashfsTools
+              util-linux
+              zstd
+              e2fsprogs # remove when switching to squashFS
+            ];
+          };
+        };
+
+        formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
+      });
+}

podvm-mkosi/Makefile

@@ -1,7 +1,12 @@
 AA_KBC ?= offline_fs_kbc
 
+.DEFAULT_GOAL := all
+.PHONY: all
 all: fedora-binaries-builder binaries image
 
+.PHONY: debug
+debug: fedora-binaries-builder binaries image-debug
+
 PHONY: fedora-binaries-builder
 fedora-binaries-builder:
 	@echo "Building fedora-binaries-builder image..."
@@ -20,34 +25,24 @@ binaries:
 		-o type=local,dest="./resources/binaries-tree" \
 		- < ../podvm/Dockerfile.podvm_binaries.fedora
 
-define build-image =
-docker buildx use default
-@echo "Building mkosi-builder..."
-docker buildx build \
-	-t mkosi-builder \
-	--load \
-	--no-cache \
-	.
-rm -rf ./build
-mkdir -p build
-@echo "Building image..."
-docker run \
-	--rm \
-	--privileged \
-	-v $(PWD)/build:/mkosi/build \
-	mkosi-builder \
-	mkosi
-endef
-
 PHONY: image
 image:
 	@echo "Enabling production preset..."
 	rm -rf resources/buildDebugImage
-	$(build-image)
-
+	rm -rf ./build
+	@echo "Building image..."
+	nix develop ..#podvm-mkosi --command "mkosi"
 
 PHONY: image-debug
 image-debug:
 	@echo "Enabling debug preset..."
 	touch resources/buildDebugImage
-	$(build-image)
+	rm -rf ./build
+	@echo "Building image..."
+	nix develop ..#podvm-mkosi --command "mkosi"
+
+PHONY: clean
+clean:
+	rm -rf resources/buildDebugImage
+	rm -rf ./build
+	rm -rf ./resources/binaries-tree

podvm-mkosi/README.md

@@ -2,10 +2,18 @@
 
 [mkosi](https://github.com/systemd/mkosi) builds a bootable OS image from scratch. This way, we have full control over every detail of the image, especially over the image format and boot process. On the long run, we will implement fully, bit-by-bit reproducible images with mkosi, and use measured boot and an immutable root FS to ensure the image integrity through remote attestation.
 
-## Building the image
+## Prerequisites
+
+Currently, mksoi and other related tools are provided through a [Nix](https://nixos.org/) flake. Nix ensures all tools used in the build of the image are itself reproducible and pinned. mkosi requires a very recent systemd version, so using tools installed on the host is usually not possible. Nix needs to be configured to enable `flakes` and `nix command`. It is recommended to install Nix with the `DeterminateSystems nix-installer`, which comes with a configuration that is ready to use.
+
+### Building the image
+
+```sh
+make # this will rebuild the builder, the binaries and the OS image
+```
 
 ```sh
-make
+make image # this will only rebuild the OS image
 ```
 
 ### Upload the image to the desired cloud provider
@@ -31,11 +39,11 @@ Further, the image has access through the serial console enabled, you can access
 of the cloud provider.
 
 ```sh
-# for building the binaries
-make fedora-binaries-builder
-make binaries
-# for building a debug image
-make image-debug
+make debug # this will rebuild the builder, the binaries and the OS image
+```
+
+```sh
+make image-debug # this will only rebuild the OS image
 ```
 
 Notice that building a debug image will overwrite any previous existing debug or production image.