[qubes-users] QubesOS weekly builds

Hi,
As some of you may know, months(years?) ago, I've setup a pipeline that is automatically PR latest kernels for Qubes OS and more recently, pulseaudio headers too. This is done every week.

At some point, I added the build of ISO including kernel-latest for users who were having issues with latest hardware. I stopped it quickly because we were merging more and more kernel versions thank to the help of automatic PR and Qubes point releases.

Due to recent troubles with kernels 5.4.X and 5.10.X, I've decided to add again to this weekly pipeline, the build of a fresh Qubes R4.1 ISO. I don't build any package or any template. It uses only Qubes OS repositories. The qubes-builder conf is: qubes-release-configs/qubes-os-iso-full-online.conf at master · QubesOS/qubes-release-configs · GitHub and the kickstart can be found here: qubes-installer-qubes-os/iso-full-online.ks at master · QubesOS/qubes-installer-qubes-os · GitHub.

Please note that, contrary to my first attempt, I don't include kernel-latest kernels. It's a standard R4.1 ISO as if Marek would release one. It is built in a dedicated AppVM together with Split GPG. The ISOs are signed by "fepitre-bot" 1C8714D640F30457EC953050656946BA873DDEC1. Some of you already download latest R4.1 devel ISOs in openQA but they are not signed and not necessary built in a safe environment because it's only for CI purposes. That's a solution between CI ISOs and R4.1 alpha release.

That said, the ISO(s) can be found on my self hosted server: Index of /qubes/iso/.

Best regards,
Frédéric

Trying to use the info provided to kick off my own ISO build.
This posted links to does not use the QubesBuilder approach, as it references stuff apparently checked out to ~/qubes-src, rather than ~/qubes-builder/qubes-src.

Is this different approach to building documented? What else should check out to ~/qubes-src? How does this fit into the “Development Workflow”?

Per those docs:

Qubes is split into a bunch of git repos. This are all contained in the qubes-src directory under qubes-builder. Subdirectories there are separate components, stored in separate git repositories.

Just making ~/qubes-src a symbolic link to ~/qubes-builder/qubes-src does not fix things as, despite the claim that this are all contained in ~/qubes-builder/qubes-src, the two new git repos referenced are not contained there.

[user@qubes-build qubes-src] pwd /home/user/qubes-builder/qubes-src [user@qubes-build qubes-src] ls qubes-release-configs
ls: cannot access ‘qubes-release-configs’: No such file or directory
[user@qubes-build qubes-src] ls qubes-installer-qubes-os ls: cannot access 'qubes-installer-qubes-os': No such file or directory [user@qubes-build qubes-src] ls ~/qubes-src
ls: cannot access ‘/home/user/qubes-src’: No such file or directory

It's written "qubes-builder" conf. So use this as builder.conf and that's all: make iso. The kickstart reference provided is the one used by this conf: qubes-release-configs/qubes-os-iso-full-online.conf at master · QubesOS/qubes-release-configs · GitHub. Meaning the installer will use the file in installer-qubes-os sources: qubes-installer-qubes-os/iso-full-online.ks at master · QubesOS/qubes-installer-qubes-os · GitHub

Frédéric

I forgot to mention also that the reference used in builder.conf for INSTALLER_KICKSTART=ZZZ is a path under the build chroot and not to your local qubes-builder. The build chroot has sources from qubes-builder/qubes-src copied to chroot-dom0-fcXX/home/user/qubes-src. The value for the kickstart is then used when build is ran under the chroot. That probably deserves a note in the doc if it's not the case.

Frédéric

Hi Frédéric,

Due to recent troubles with kernels 5.4.X and 5.10.X, I've decided to add
again to this weekly pipeline, the build of a fresh Qubes R4.1 ISO. I don't
build any package or any template. It uses only Qubes OS repositories.

yay, that's very nice and useful! thank you!

Please note that, contrary to my first attempt, I don't include kernel-latest kernels.

So do they have 5.4.x or 5.10.x?

The ISOs are signed by "fepitre-bot" 1C8714D640F30457EC953050656946BA873DDEC1.

nice!

That said, the ISO(s) can be found on my self hosted server: Index of /qubes/iso/.

I'll give them a try in the next days on some new hardware which doesn't
work with the iso from December but should be working now...

I guess you have ran diffoscope on two builds, how is the result? Do you
already have this in CI too? (this is for testing for reproducible builds...)

Hi Holger,

Hi Frédéric,

Due to recent troubles with kernels 5.4.X and 5.10.X, I've decided to add
again to this weekly pipeline, the build of a fresh Qubes R4.1 ISO. I don't
build any package or any template. It uses only Qubes OS repositories.

yay, that's very nice and useful! thank you!

You are welcome.

Please note that, contrary to my first attempt, I don't include kernel-latest kernels.

So do they have 5.4.x or 5.10.x?

R4.1 has switched to 5.10.X as default LTS that's a very good point for new hardware.

The ISOs are signed by "fepitre-bot" 1C8714D640F30457EC953050656946BA873DDEC1.

nice!

That said, the ISO(s) can be found on my self hosted server: Index of /qubes/iso/.

I'll give them a try in the next days on some new hardware which doesn't
work with the iso from December but should be working now...

I guess you have ran diffoscope on two builds, how is the result? Do you
already have this in CI too? (this is for testing for reproducible builds...)

Not yet but I've discussed few days ago with Marek on how to do the build integration in order to reproduce the ISO. I'm finishing few Fedora related reproducible things then I guess I would do this, depending on what Marek has in mind for the schedule.

Additionally, I've added few days ago the automatic openQA trigger for each ISO I build: Qubes OS openQA. It's jobs corresponding to "BUILD20XXYYZZ-4.1" where in the settings, for example this one: Qubes OS openQA: qubesos-4.1-install-iso-x86_64-Build20210327-4.1-install_minimal@64bit test results, it downloads from my hosting repository the built ISO.

Best regards,
Frédéric