
Add NO_TOOLCHAIN_CONTAINER build option for bootstrapping (#13109)

Open Googulator opened this issue 4 months ago • 3 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [ ] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [ ] Ready to merge

Summary

This introduces a new build option, NO_TOOLCHAIN_CONTAINER=y, to enable building the initial toolchain without containerization. This makes it possible to build the toolchain, and by extension, the entire distribution, without relying on prebuilt packages of itself included in the toolchain building container, closing a potential Trusting Trust attack vector, and paving the way for a full source bootstrap of Azure Linux from a minimal binary seed (e.g. the stage0 project's sub-1KiB seeds). The existing containerized workflow is unchanged, and remains the default way to build the toolchain.

Change Log

  • Add new build variable NO_TOOLCHAIN_CONTAINER with default value n
  • Pass NO_TOOLCHAIN_CONTAINER to create_toolchain_in_container.sh (TODO: rename to create_toolchain.sh?)
  • Make the use of the toolchain container optional in create_toolchain_in_container.sh
  • Introduce new script bypass_container.sh to replicate the functionality of the Dockerfile without using a container or any precompiled binaries from a previous Azure Linux build
  • Explicitly use /bin/bash as the interpreter for toolchain_build_temp_tools.sh (TODO: remove sanity check to ensure /bin/sh is Bash?)
  • Access build tools via $LFS/tools during temp toolchain build, do not assume /tools is a symlink

Does this affect the toolchain?

YES (it affects only the toolchain)

Associated issues

  • #13109

Test Methodology

  • Local build (containerized toolchain)
  • Local build (uncontainerized toolchain on Ubuntu 22.04)
  • Local build (uncontainerized toolchain in live-bootstrap bare metal environment)

Googulator, Aug 24 '25 02:08
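The PR description above explains the new option in prose only. As an added illustration that is not code from the azurelinux project or from the PR, the POSIX-shell sketch below shows the dispatch pattern the change log describes: a NO_TOOLCHAIN_CONTAINER variable defaulting to n (the existing containerized build), a host-side path selected by y, an explicit $LFS/tools resolution instead of assuming /tools is a symlink, and a check that a build script names /bin/bash in its shebang rather than relying on /bin/sh being Bash. All function names, the run_toolchain_container.sh command name and the sample script contents are assumptions; the real create_toolchain_in_container.sh and bypass_container.sh are structured differently. One deliberate choice, relevant to the Trusting Trust motivation in the summary, is that an unrecognised option value is rejected instead of silently mapping to the container path, so a typo cannot quietly pull prebuilt packages back into a build that was meant to be a clean bootstrap.

```shell
#!/bin/sh
# Added example, not the azurelinux project's code. Every function name here is
# hypothetical, as is ./run_toolchain_container.sh; the real scripts differ.

# Map the build option onto a build mode. Default is "n" (containerized build,
# as in the PR); "y" selects the bare-host bootstrap. Anything else is an error,
# never a silent fallback to the container.
toolchain_mode() {
    opt="${1:-${NO_TOOLCHAIN_CONTAINER:-n}}"
    case "$opt" in
        y|Y|yes|YES)  echo "host" ;;
        n|N|no|NO|"") echo "container" ;;
        *) echo "error: NO_TOOLCHAIN_CONTAINER must be y or n, got '$opt'" >&2
           return 1 ;;
    esac
}

# Pick the script that builds the temporary toolchain for the chosen mode.
# bypass_container.sh is named in the PR; the container runner name is a placeholder.
toolchain_command() {
    mode=$(toolchain_mode "$1") || return 1
    case "$mode" in
        host)      echo "./bypass_container.sh" ;;
        container) echo "./run_toolchain_container.sh" ;;   # hypothetical name
    esac
}

# Resolve the temporary tools directory from $LFS explicitly instead of
# assuming /tools is a symlink into the LFS tree (trailing slash tolerated).
tools_dir() {
    lfs="${1:-${LFS:-}}"
    [ -n "$lfs" ] || { echo "error: LFS is not set" >&2; return 1; }
    printf '%s/tools\n' "${lfs%/}"
}

# Check that a build script names bash explicitly in its shebang rather than
# relying on /bin/sh being bash (on Debian/Ubuntu hosts /bin/sh is dash).
script_uses_bash() {
    IFS= read -r first_line < "$1" || return 1
    case "$first_line" in
        '#!/bin/bash'|'#!/bin/bash '*|'#!/usr/bin/env bash') return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration on constructed input: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '#!/bin/bash\necho hello\n' > "$tmp"   # constructed sample script
    echo "mode (default): $(toolchain_mode)"
    echo "mode (y):       $(toolchain_mode y)"
    echo "command (y):    $(toolchain_command y)"
    echo "tools dir:      $(tools_dir /mnt/lfs/)"
    script_uses_bash "$tmp" && echo "$tmp: explicit bash shebang"
    rm -f "$tmp"
fi
```

Invoking the file with the single argument demo prints the resolved mode, the selected script and the tools path for a constructed LFS root; without arguments the functions are only defined, so the file can be sourced from another script.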