Merge branch 'main' into 2.0

Author: jslobodzian

…rceData/base/Dockerfile-Busybox-Template …nerSourceData/busybox/Dockerfile-Busybox.pipelines/containerSourceData/base/Dockerfile-Busybox-Template renamed to .pipelines/containerSourceData/busybox/Dockerfile-Busybox .pipelines/containerSourceData/base/Dockerfile-Busybox-Template renamed to .pipelines/containerSourceData/busybox/Dockerfile-Busybox

@@ -7,31 +7,28 @@ FROM $BASE_IMAGE AS BASE
 
 ARG AZL_VERSION=2.0
 
-ARG RPMS
-ARG LOCAL_REPO_FILE="local.repo"
-ARG LOCAL_REPO_PATH="/localrepo" 
+ARG RPMS_TO_INSTALL
+ARG RPMS_PATH="/dockerStage/RPMS"
+ARG LOCAL_REPO_FILE="/dockerStage/marinerLocalRepo.repo"
+ARG LOCAL_REPO_PATH="/localrepo"
 
-COPY ${RPMS} /WORKDIR/RPMS
-COPY ${LOCAL_REPO_FILE} /WORKDIR/REPO/local.repo
-
-# Create local repo if RPMS are provided
+# Create local repo with the given RPMS.
 # This will allow the user to install packages from the local repo
 # instead of fetching from PMC
-RUN if [ "${RPMS}" ]; then \
+RUN --mount=type=bind,source=./Stage/,target=/dockerStage/ \
     mkdir -p $LOCAL_REPO_PATH; \
     tdnf install -y --releasever=$AZL_VERSION createrepo; \
-    cp -r /WORKDIR/RPMS ${LOCAL_REPO_PATH}; \
-    cp /WORKDIR/REPO/local.repo /etc/yum.repos.d/local.repo; \
-    createrepo --database ${LOCAL_REPO_PATH} --workers 10; \
+    cp -r ${RPMS_PATH} ${LOCAL_REPO_PATH}; \
+    cp ${LOCAL_REPO_FILE} /etc/yum.repos.d/local.repo; \
+    createrepo --compatibility --database ${LOCAL_REPO_PATH} --workers 10; \
     tdnf makecache; \
-    tdnf autoremove -y createrepo; \
-fi
+    tdnf autoremove -y createrepo;
 
-# Install busybox, glibc, and their dependencies into a staging location.
+# Install packages into a staging location.
 # Staging directory is copied into the final scratch image.
 RUN mkdir /staging \
     && tdnf install -y --releasever=$AZL_VERSION --installroot /staging \
-    busybox glibc \
+    ${RPMS_TO_INSTALL} \
     && tdnf clean all \
     && pushd /staging \
     && rm -rf boot media mnt opt run \

.pipelines/containerSourceData/busybox/busybox.pkg

@@ -0,0 +1,3 @@
+busybox
+glibc
+mariner-release

.pipelines/containerSourceData/scripts/BuildBaseContainers.sh

@@ -23,7 +23,6 @@ set -e
 #   │   ├── base
 #   │   │   ├── Dockerfile-Base-Template
 #   │   │   ├── Dockerfile-Base-Nonroot-Template
-#   │   |   ├── Dockerfile-Busybox-Template
 #   │   │   ├── Dockerfile-Distroless-Template
 #   │   │   ├── Dockerfile-Distroless-Nonroot-Template
 #   │   container_tarballs
@@ -165,7 +164,6 @@ function initialization {
     # Image types
     BASE="base"
     DISTROLESS="distroless"
-    BUSYBOX="busybox"
     MARINARA="marinara"
 
     base_tarball_file_name=$(basename "$BASE_TARBALL")      # core-2.0.20230607.tar.gz
@@ -190,7 +188,6 @@ function initialization {
     DISTROLESS_DEBUG_NONROOT_IMAGE_NAME="$ACR_NAME_FULL/distroless/debug:$NONROOT_IMAGE_TAG"
     DISTROLESS_DEBUG_IMAGE_NAME="$ACR_NAME_FULL/distroless/debug:$IMAGE_TAG"
 
-    BUSYBOX_IMAGE_NAME="$ACR_NAME_FULL/busybox:$IMAGE_TAG"
     MARINARA_IMAGE_NAME="$ACR_NAME_FULL/marinara:$IMAGE_TAG"
 
     echo "BASE_IMAGE_NAME                       -> $BASE_IMAGE_NAME"
@@ -201,7 +198,6 @@ function initialization {
     echo "DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME -> $DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME"
     echo "DISTROLESS_DEBUG_IMAGE_NAME           -> $DISTROLESS_DEBUG_IMAGE_NAME"
     echo "DISTROLESS_DEBUG_NONROOT_IMAGE_NAME   -> $DISTROLESS_DEBUG_NONROOT_IMAGE_NAME"
-    echo "BUSYBOX_IMAGE_NAME                    -> $BUSYBOX_IMAGE_NAME"
     echo "MARINARA_IMAGE_NAME                   -> $MARINARA_IMAGE_NAME"
 }
 
@@ -233,7 +229,8 @@ function docker_build {
         --build-arg EULA="$EULA_FILE_NAME" \
         --build-arg BASE_IMAGE="$temp_image" \
         -t "$image_full_name" \
-        --no-cache
+        --no-cache \
+        --progress=plain
 
     docker rmi "$temp_image"
     popd > /dev/null
@@ -261,7 +258,8 @@ function docker_build_custom {
         --build-arg LOCAL_REPO_FILE="$LOCAL_REPO_FILE" \
         -t "$image_full_name" \
         -f "$CONTAINER_SRC_DIR/base/$dockerfile" \
-        --no-cache
+        --no-cache \
+        --progress=plain
 
     popd > /dev/null
 
@@ -323,8 +321,6 @@ function build_images {
     docker_build_custom $DISTROLESS "$DISTROLESS_MINIMAL_NONROOT_IMAGE_NAME" "$DISTROLESS_MINIMAL_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
     docker_build_custom $DISTROLESS "$DISTROLESS_DEBUG_NONROOT_IMAGE_NAME" "$DISTROLESS_DEBUG_IMAGE_NAME" "Dockerfile-Distroless-Nonroot-Template"
 
-    docker_build_custom $BUSYBOX "$BUSYBOX_IMAGE_NAME" "" "Dockerfile-Busybox-Template"
-
     docker_build_marinara
 }
 

.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh

@@ -27,6 +27,7 @@ set -e
 # - s) SBOM tool path.
 # - t) Script to create SBOM for the container image.
 # - u) Create Distroless container (e.g. true, false. If true, the script will also create a distroless container)
+# - v) Version extract command (e.g. 'busybox | head -1 | cut -c 10-15')
 
 # Assuming you are in your current working directory. Below should be the directory structure:
 #   │   rpms.tar.gz
@@ -55,7 +56,7 @@ set -e
 #     -j OUTPUT -k ./rpms.tar.gz -l ~/CBL-Mariner/.pipelines/containerSourceData \
 #     -m "false" -n "false" -p development -q "false" -u "true"
 
-while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" OPTIONS; do
+while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" OPTIONS; do
     case ${OPTIONS} in
     a ) BASE_IMAGE_NAME_FULL=$OPTARG;;
     b ) ACR=$OPTARG;;
@@ -78,6 +79,7 @@ while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" OPTIONS; do
     s ) SBOM_TOOL_PATH=$OPTARG;;
     t ) SBOM_SCRIPT=$OPTARG;;
     u ) DISTROLESS=$OPTARG;;
+    v ) VERSION_EXTRACT_CMD=$OPTARG;;
 
     \? )
         echo "Error - Invalid Option: -$OPTARG" 1>&2
@@ -113,6 +115,7 @@ function print_inputs {
     echo "CONTAINER_SRC_DIR             -> $CONTAINER_SRC_DIR"
     echo "IS_HCI_IMAGE                  -> $IS_HCI_IMAGE"
     echo "USE_RPM_QA_CMD                -> $USE_RPM_QA_CMD"
+    echo "Version Extract Command       -> $VERSION_EXTRACT_CMD"
     echo "REPO_PREFIX                   -> $REPO_PREFIX"
     echo "PUBLISHING_LEVEL              -> $PUBLISHING_LEVEL"
     echo "PUBLISH_TO_ACR                -> $PUBLISH_TO_ACR"
@@ -277,21 +280,26 @@ function set_image_tag {
     local containerId
     local installedPackage
 
-    containerId=$(docker run --entrypoint /bin/bash -dt "$GOLDEN_IMAGE_NAME")
+    containerId=$(docker run --entrypoint /bin/sh -dt "$GOLDEN_IMAGE_NAME")
 
     echo "Container ID                  -> $containerId"
 
-    if [[ $USE_RPM_QA_CMD =~ [Tt]rue ]] ; then
-        echo "Using rpm -qa command to get installed package."
-        installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$COMPONENT")
+    if [[ -n "$VERSION_EXTRACT_CMD" ]]; then
+        echo "Using custom version extract command."
+        COMPONENT_VERSION=$(docker exec "$containerId" sh -c "$VERSION_EXTRACT_CMD")
     else
-        echo "Using tdnf repoquery command to get installed package."
-        # exec as root as the default user for some containers is non-root
-        installedPackage=$(docker exec -u 0 "$containerId" tdnf repoquery --installed "$COMPONENT" | grep ^"$COMPONENT")
+        if [[ $USE_RPM_QA_CMD =~ [Tt]rue ]] ; then
+            echo "Using rpm -qa command to get installed package."
+            installedPackage=$(docker exec "$containerId" rpm -qa | grep ^"$COMPONENT")
+        else
+            echo "Using tdnf repoquery command to get installed package."
+            # exec as root as the default user for some containers is non-root
+            installedPackage=$(docker exec -u 0 "$containerId" tdnf repoquery --installed "$COMPONENT" | grep ^"$COMPONENT")
+        fi
+        echo "Full Installed Package:       -> $installedPackage"
+        COMPONENT_VERSION=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1
     fi
 
-    echo "Full Installed Package:       -> $installedPackage"
-    COMPONENT_VERSION=$(echo "$installedPackage" | awk '{n=split($0,a,"-")};{split(a[n],b,".")}; {print a[n-1]"-"b[1]}') # 16.16.0-1
     echo "Component Version             -> $COMPONENT_VERSION"
     docker rm -f "$containerId"
 

.pipelines/prchecks/PackageBuildPRCheck.yml

@@ -42,8 +42,6 @@ variables:
 extends:
   template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
   parameters:
-    featureFlags:
-      runOnHost: true
     globalSdl:
       credscan:
         suppressionsFile: .config/CredScanSuppressions.json
@@ -57,7 +55,7 @@ extends:
                   isCustom: true
                   name: ${{ configuration.agentPool }}
                 variables:
-                  ob_artifactBaseName: $(toolchainArtifactNameBase)_${{ configuration.name }}
+                  ob_artifactBaseName: $(toolchainArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
                   ob_outputDirectory: $(Build.ArtifactStagingDirectory)
                 steps:
                   - template: .pipelines/templates/RawToolchainDownload.yml@self
@@ -74,13 +72,17 @@ extends:
                   # and make it available to the next stage via an output variable: 'CalculateToolchainPackageRetestList.toolchainPackageRetestList'
                   - template: .pipelines/templates/ToolchainCalculatePackageRetests.yml@self
 
+                  - script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                    name: "ToolchainArtifactName"
+                    displayName: "Set variable for published artifact name"
+
                   # 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
                   #    then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
                   #    that the PR check pipeline does not have.
                   # 2. The value for 'artifact' must equal $(ob_artifactBaseName), as this is the only value OneBranch accepts.
                   - task: PublishPipelineArtifact@1
                     inputs:
-                      artifact: $(toolchainArtifactNameBase)_${{ configuration.name }}
+                      artifact: $(toolchainArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
                       targetPath: $(ob_outputDirectory)
                     condition: always()
                     displayName: "Publish toolchain artifacts"
@@ -94,25 +96,31 @@ extends:
                   isCustom: true
                   name: ${{ configuration.agentPool }}
                 variables:
-                  ob_artifactBaseName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
+                  ob_artifactBaseName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}_$(System.JobAttempt)
                   ob_outputDirectory: $(Build.ArtifactStagingDirectory)
                   testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
+                  toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
                 steps:
                   - template: .pipelines/templates/PackageBuild.yml@self
                     parameters:
-                      customToolchainArtifactName: $(toolchainArtifactNameBase)_${{ configuration.name }}
+                      customToolchainArtifactName: $(toolchainArtifactName)
                       isCheckBuild: true
                       isQuickRebuildPackages: true
+                      isUseCCache: true
                       outputArtifactsFolder: $(ob_outputDirectory)
                       maxCPU: "${{ configuration.maxCPUs }}"
                       pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
                       selfRepoName: self
                       testSuiteName: "[${{ configuration.name }}] Package test"
                       testRerunList: "$(testListFromToolchain)"
 
+                  - script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                    name: "RPMsArtifactName"
+                    displayName: "Set variable for published artifact name"
+
                   - task: PublishPipelineArtifact@1
                     inputs:
-                      artifact: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
+                      artifact: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}_$(System.JobAttempt)
                       targetPath: $(ob_outputDirectory)
                     condition: always()
                     displayName: "Publish packages build artifacts"
@@ -125,7 +133,9 @@ extends:
                   type: linux
                   isCustom: true
                   name: ${{ configuration.agentPool }}
+                variables:
+                  rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
                 steps:
                   - template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
                     parameters:
-                      inputArtifactName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
+                      inputArtifactName: $(rpmsArtifactName)

.pipelines/templates/PackageBuild.yml

@@ -182,6 +182,10 @@ steps:
         delta_fetch_arg="DELTA_FETCH=n"
       fi
 
+      if [[ -n "${{ parameters.maxCascadingRebuilds }}" ]]; then
+        max_cascading_rebuilds_arg="MAX_CASCADING_REBUILDS=${{ parameters.maxCascadingRebuilds }}"
+      fi
+
       if [[ ${{ parameters.isQuickRebuildPackages }} == "true" ]]; then
         quick_rebuild_packages_arg="QUICK_REBUILD_PACKAGES=y"
       elif [[ ${{ parameters.isQuickRebuildPackages }} == "false" ]]; then
@@ -194,27 +198,27 @@ steps:
         run_check_arg="RUN_CHECK=n"
       fi
 
+      if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
+        toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
+      fi
+
       if [[ ${{ parameters.isUseCCache }} == "true" ]]; then
         use_ccache_arg="USE_CCACHE=y"
       elif [[ ${{ parameters.isUseCCache }} == "false" ]]; then
         use_ccache_arg="USE_CCACHE=n"
       fi
 
-      if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
-        toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
-      fi
-
       sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" build-packages -j$(nproc) \
         CONCURRENT_PACKAGE_BUILDS=${{ parameters.concurrentPackageBuilds }} \
         CONFIG_FILE="" \
-        MAX_CASCADING_REBUILDS="${{ parameters.maxCascadingRebuilds }}" \
         MAX_CPU="${{ parameters.maxCPU }}" \
         REBUILD_TOOLS=y \
         REPO_LIST="${{ parameters.extraPackageRepos }}" \
         SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \
         SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \
         TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
         $delta_fetch_arg \
+        $max_cascading_rebuilds_arg \
         $quick_rebuild_packages_arg \
         $run_check_arg \
         $toolchain_archive_arg \

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.148.2
+Version:        5.15.153.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Mar 27 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.153.1-1
+- Auto-upgrade to 5.15.153.1
+
+* Mon Mar 25 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.151.2-1
+- Upgrade to 5.15.151.2
+
+* Wed Mar 13 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.151.1-1
+- Auto-upgrade to 5.15.151.1
+
+* Sat Mar 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.150.1-1
+- Auto-upgrade to 5.15.150.1
+
 * Thu Feb 08 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.148.2-1
 - Auto-upgrade to 5.15.148.2
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.148.2
+Version:        5.15.153.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Mar 27 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.153.1-1
+- Auto-upgrade to 5.15.153.1
+
+* Mon Mar 25 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.151.2-1
+- Upgrade to 5.15.151.2
+
+* Wed Mar 13 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.151.1-1
+- Auto-upgrade to 5.15.151.1
+
+* Sat Mar 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.150.1-1
+- Auto-upgrade to 5.15.150.1
+
 * Thu Feb 08 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.148.2-1
 - Auto-upgrade to 5.15.148.2
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.148.2
-Release:        2%{?dist}
+Version:        5.15.153.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Wed Mar 27 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.153.1-1
+- Auto-upgrade to 5.15.153.1
+
+* Mon Mar 25 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.151.2-1
+- Upgrade to 5.15.151.2
+
+* Wed Mar 13 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.151.1-1
+- Auto-upgrade to 5.15.151.1
+
+* Sat Mar 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.150.1-1
+- Auto-upgrade to 5.15.150.1
+
 * Wed Feb 14 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.148.2-2
 - Bump release to match kernel