- Mar 24, 2021
-
-
Denis Pynkin authored
The recipe creates the image for rockpro64 board bootable with MMC or EMMC bootable devices.

New variable `sbc` (single-board computer) is introduced for selecting the target device. This variable is needed for proper U-Boot files selection and should have the same name as the U-Boot directory targeting this device under `/usr/lib/u-boot/`:

- firefly-rk3399
- pinebook-pro-rk3399
- puma-rk3399
- rock-pi-4-rk3399
- rock64-rk3328
- rockpro64-rk3399

"rock-pi-4-rk3399" is used as a default target device.

Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
- Mar 08, 2021
-
-
The user account `user` that is created on the SDK already has sudo powers. However this user account is not part of the sudo group.

With the upgrade of blueman from 2.0.8-1co1 to 2.0.8-1+deb10u1co1 this was now causing an error dialog saying that "You might not be able to connect to the Bluetooth network via this machine":

https://github.com/blueman-project/blueman/issues/948

It seems that polkit was disabled and the update which came from debian-security to fix CVE-2020-15238 enabled it:

> Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the
> DhcpClient method of the D-Bus interface to blueman-mechanism is prone
> to an argument injection vulnerability. The impact highly depends on the
> system configuration. If Polkit-1 is disabled and for versions lower
> than 2.0.6, any local user can possibly exploit this. If Polkit-1 is
> enabled for version 2.0.6 and later, a possible attacker needs to be
> allowed to use the `org.blueman.dhcp.client` action. That is limited to
> users in the wheel group in the shipped rules file that do have the
> privileges anyway. On systems with ISC DHCP client (dhclient), attackers
> can pass arguments to `ip link` with the interface name that can e.g. be
> used to bring down an interface or add an arbitrary XDP/BPF program. On
> systems with dhcpcd and without ISC DHCP client, attackers can even run
> arbitrary scripts by passing `-c/path/to/script` as an interface name.
> Patches are included in 2.1.4 and master that change the DhcpClient
> D-Bus method(s) to accept BlueZ network object paths instead of network
> interface names. A backport to 2.0(.8) is also available. As a
> workaround, make sure that Polkit-1-support is enabled and limit
> privileges for the `org.blueman.dhcp.client` action to users that are
> able to run arbitrary commands as root anyway in
> /usr/share/polkit-1/rules.d/blueman.rules.

With polkit now being enabled, this snippet becomes relevant:

```
$ sudo cat /usr/share/polkit-1/rules.d/blueman.rules
// Allow users in sudo or netdev group to use blueman feature requiring root without authentication
polkit.addRule(function(action, subject) {
    if ((action.id == "org.blueman.network.setup" ||
         action.id == "org.blueman.dhcp.client" ||
         action.id == "org.blueman.rfkill.setstate" ||
         action.id == "org.blueman.pppd.pppconnect") &&
        subject.local && subject.active &&
        (subject.isInGroup("sudo") || subject.isInGroup("netdev"))) {
        return polkit.Result.YES;
    }
});
```

Adding the user to the `sudo` group would then make blueman happy again.

Signed-off-by:
Peter Senna Tschudin <peter.senna@collabora.com>
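
The group dependency in the rule quoted in the commit message above can be checked offline. The following is an added example, not part of the commit or of blueman: a small stand-in for polkit's rule engine runs the shipped rule for an account with and without `sudo` group membership. `makeEngine`, `makeSubject` and `evaluate` are hypothetical names, the subjects are constructed, and `null` stands for "no rule handled the action, so its default policy applies".

```javascript
// Added example: minimal stand-in for polkit's rule engine, just enough
// to evaluate the blueman rule from the commit message without polkitd.
function makeEngine() {
  const rules = [];
  const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };
  // The first rule returning a value decides; null means no rule handled
  // the action and its default policy (not modelled here) applies.
  const decide = (action, subject) => {
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    }
    return null;
  };
  return { polkit, decide };
}

// Constructed subject; groups and session flags are sample values.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// The rule as shown in blueman.rules in the commit message.
function loadBluemanRule(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == "org.blueman.network.setup" ||
         action.id == "org.blueman.dhcp.client" ||
         action.id == "org.blueman.rfkill.setstate" ||
         action.id == "org.blueman.pppd.pppconnect") &&
        subject.local && subject.active &&
        (subject.isInGroup("sudo") || subject.isInGroup("netdev"))) {
      return polkit.Result.YES;
    }
  });
}

// Decision for account "user" with the given groups and session state.
function evaluate(groups, actionId, session) {
  const { polkit, decide } = makeEngine();
  loadBluemanRule(polkit);
  return decide({ id: actionId }, makeSubject("user", groups, session));
}

const ACTION = "org.blueman.dhcp.client";
console.log("not in sudo group:", evaluate(["user"], ACTION));
console.log("in sudo group:", evaluate(["user", "sudo"], ACTION));
console.log("sudo, inactive session:", evaluate(["user", "sudo"], ACTION, { active: false }));
```
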
-
- Mar 02, 2021
-
-
Denis Pynkin authored
After cleaning deployment `/boot` directory all files were moved to `/usr/lib/ostree-boot`. Fix the source path in boot script for copying firmware from new location. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
Denis Pynkin authored
Remove empty `/boot/efi` from deployment since it is used only for initial efi setup during image preparation. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
Denis Pynkin authored
Ostree has special handling for populating boot files (kernel/initramfs/dtb) from deployed commit. It may use `/boot` or `/usr/lib/ostree-boot` source directories from deployment to generate bootable configuration for given bootloader. Move all files from deployment `/boot` to `/usr/lib/ostree-boot` to avoid systemd confusion during boot -- `/boot` directory must be empty. Changed `setup-boot` function to pass additional argument with a target directory where to put all bootables. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
- Feb 16, 2021
-
-
Walter Lozano authored
In order to have a standard filesystem in ROOTDIR and be able to scan /usr/share/doc move the build of the BOM file prior to the OSTree commit.
-
- Feb 03, 2021
-
-
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Jan 27, 2021
-
-
Emanuele Aina authored
The sample recipes were not really propagating their custom osname to the included recipes, so they were still effectively using `apertis`. To fix that, propagate the `osname` variable but also add a separate `keyring` variable to ensure that the `apertis-archive-keyring` gets used since we still want to access the Apertis APT repositories. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Jan 21, 2021
-
-
After increasing the available CMA memory on the i.MX6 SABRElite boards and thus making gfx hw acceleration fully functional the Mildenhall compositor has been badly flickering, while the AGL compositor works fine. Since the Mildenhall compositor is on its way out, revert to the previous situation by forcefully disabling acceleration in Mesa when using it. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Jan 10, 2021
-
-
Denis Pynkin authored
Download and unpack the multimedia demo archive after the action `filesystem-deploy` to avoid unpacking to the memory (or temporary storage) and copying files to the target RFS later. With this fix the downloaded multimedia archive would be unpacked to the target root filesystem, saving some resources during image creation. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
Denis Pynkin authored
Governor module is required for correct panfrost initialisation. Without the governor module the panfrost driver fails:

```
[5.242672] panfrost ff9a0000.gpu: devfreq_add_device: Unable to find governor for the device
[5.243710] panfrost ff9a0000.gpu: [drm:panfrost_devfreq_init [panfrost]] *ERROR* Couldn't initialize GPU devfreq
[5.245640] panfrost ff9a0000.gpu: devfreq init failed -22
[5.246150] panfrost ff9a0000.gpu: Fatal error during GPU init
```

Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
Denis Pynkin authored
Module `snd_soc_imx_sgtl5000` should be loaded prior to `snd_soc_fsl_asoc_card` to avoid a weird kernel backtrace. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
- Jan 08, 2021
-
-
Denis Pynkin authored
Documentation should be removed from the image which is being created, not from the build environment. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
- Jan 02, 2021
-
-
Emanuele Aina authored
Commit 0f98e2a4 "gitlab-ci: Try to upload artifacts immediately" was a bit too eager to skip capturing all OSTree bundles when in fact we still need to capture the main update bundles to upload them to hawkBit. Putting the hawkBit upload directly in the job building the bundles would be a better option, but it seems too early since the hawkBit upload has been restored only recently and it may still be flaky, so a dedicated job with `allow_failure: true` still seems appropriate. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 21, 2020
-
-
Emanuele Aina authored
Rather than saving images and bundles as CI/CD artifacts only to redownload them for the final upload to the publishing location, try to upload them directly without capturing them as artifacts.

This should lead to some advantages:

* the pipeline is overall faster since it does not have to retrieve large artifacts in the upload job, which leads to cost savings
* bandwidth usage is reduced as there's no useless transfer of data, avoiding potential egress costs

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Let recipes specify files to be skipped by setting the `upload_exclude` variable if they want to pass anything to the `--exclude` option when invoking `rsync`. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 20, 2020
-
-
Emanuele Aina authored
This does not introduce any functional change, but uses YAML anchors to avoid repeating the same conditions multiple times. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
This does not introduce any functional change, but uses YAML anchors to avoid repeating the same code multiple times. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Emanuele Aina authored
When multiple projects upload to the same folder, conflicts will occur if they all use a `build-env.txt` file. To avoid that, disambiguate the name of the file so each project does not risk overwriting files produced by other projects. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 18, 2020
-
-
As part of the OSS compliance process add BOM file generation for images minimal and target, saving the output to artifacts folder. Also delete files in /usr/share/doc as they were only kept there to be able to build the BOM file. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
Update the overlay for dpkg which excludes docs by adding path-include to install the required files for BOM file creation. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
To avoid installing unneeded files add dpkg overlay for path-exclude in the same way it is done in minimal. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
To avoid installing unneeded files move overlay for dpkg exclusions prior to using apt for installing packages. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
As dpkg exclusions should be used also in target images rename the overlay to make it more general. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
Add a new script generate_bom.py which scans a folder to find FOSSology report and the list of source file names for each package in order to build a BOM file. Signed-off-by:
Walter Lozano <walter.lozano@collabora.com>
-
- Dec 17, 2020
-
-
Martyn Welch authored
The hawkBit upload appears to be more stable now, though we are seeing occasional connection issues. Enable retries to see if a retry works. Signed-off-by:
Martyn Welch <martyn.welch@collabora.com>
-
- Dec 16, 2020
-
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 15, 2020
-
-
Denis Pynkin authored
Produce ostree commit which allows upgrading Apertis v2021+ to current version (v2022dev1 atm). Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
Martyn Welch authored
Curl is switching to GET requests when faced with a 301 redirect. We need to use POST in a number of places, such as when uploading artifacts. Force Curl to try the URL as a POST when we need it. Signed-off-by:
Martyn Welch <martyn.welch@collabora.com>
-
- Dec 10, 2020
-
-
Martyn Welch authored
We have a new instance of hawkbit on hawkbit.apertis.org which is better configured and secured. Switch over to using this version so that we can decommission the one on images.apertis.org. Signed-off-by:
Martyn Welch <martyn.welch@collabora.com>
-
Martyn Welch authored
We are deploying hawkBit behind NginX and redirecting http requests to https. We need the curl commands to follow redirects. Signed-off-by:
Martyn Welch <martyn.welch@collabora.com>
-
- Dec 08, 2020
-
-
Emanuele Aina authored
Drop the `apertis-` prefix from the default output filenames of the sample recipes and ensure that `README` is consistent with that, fixing the `test/test-sample-documentation` test. Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 07, 2020
-
-
Emanuele Aina authored
Commit 943e1ce5ba34 "gitlab-ci: No need to source the build-env explicitly" has been a bit too eager in moving variables from the shell script to the YAML and as a result we ended up generating a broken URL for the sysroot index.

The issue lies in `sysrooturl` as it is defined to use `sysrootname` which in turn uses other variables, but since they are defined at the same level those variables are not expanded when expanding `sysrootname` in `sysrooturl`, yielding a URL like:

    https://images.apertis.org/daily/v2021pre/20201201.1206/armhf/sysroot/sysroot-${osname}-${release}-${architecture}-${PIPELINE_VERSION}.tar.gz

Move back the definition of `sysrooturl` to the shell script so variables are expanded correctly.

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
- Dec 03, 2020
-
-
Starting with version v2020.7 `libostree` upstream provides deltas with [signed metadata](https://github.com/ostreedev/ostree/pull/1985) allowing to validate the creator of the delta file itself, not only the commit inside. The new repository option `core.sign-verify-deltas=true` forces both `libostree` and AUM to accept deltas with signed metadata only. This change affects only systems using `libostree` v2020.7+. Apertis Update Manager must be [updated](pkg/apertis-update-manager!57) to accept deltas with signed metadata. Signed-off-by:
Denis Pynkin <denis.pynkin@collabora.com>
-
- Dec 02, 2020
-
-
Ritesh Raj Sarraf authored
Signed-off-by:
Ritesh Raj Sarraf <rrs@debian.org>
-
- Nov 25, 2020
-
-
Emanuele Aina authored
The `baseurl` variable in the template was misspelt as `base_url` when the template was instantiated, resulting in LAVA jobs failing due to the invalid URLs generated:

    Job error: Unsupported url protocol scheme:

Use `set -u` to ensure the shell loudly complains if we end up again using a variable that has not been explicitly set.

Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-
Frederic Danis authored
By default `jq -r` returns "null" string if the property does not exist. Replacing "null" by empty using the alternative operator allows keeping normal bash behavior, see https://github.com/stedolan/jq/issues/354#issuecomment-43147898 . Signed-off-by:
Frédéric Danis <frederic.danis@collabora.com>
-
Frederic Danis authored
Signed-off-by:
Frédéric Danis <frederic.danis@collabora.com>
-
- Nov 18, 2020
-
-
Emanuele Aina authored
Signed-off-by:
Emanuele Aina <emanuele.aina@collabora.com>
-