diff mbox series

[RFC,v2,19/19] use copy of sbom-chroot for sbom creation

Message ID 20260220171601.3845113-20-felix.moessbauer@siemens.com
State New
Headers show
Series add support to build isar unprivileged | expand

Commit Message

Felix Moessbauer Feb. 20, 2026, 5:16 p.m. UTC 
We previously used the same sbom-chroot for generating the sbom of
different root filesystems. This required to have a live copy of the
sbom-chroot in the deploy dir, on which also was operated on. Further,
this copy was left behind in the deploy dir.

We improve this by just storing a minimized tarball of the sbom-chroot
in the deploy dir and extract that into the workdir of the rootfs.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/sbom.bbclass                     | 29 ++++++++++++++++---
 .../sbom-chroot/sbom-chroot.bb                | 11 ++++++-
 2 files changed, 35 insertions(+), 5 deletions(-)
diff mbox series

Patch

diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index e3d0e702..69c5d1b0 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -23,7 +23,8 @@  SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
 DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
 
 SBOM_DIR = "${DEPLOY_DIR}/sbom"
-SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot.tar.zst"
+SBOM_CHROOT_LOCAL = "${WORKDIR}/sbom-chroot"
 
 # adapted from the isar-cip-core image_uuid.bbclass
 def generate_document_uuid(d, warn_not_repr=True):
@@ -40,14 +41,25 @@  def sbom_doc_uuid(d):
     if not d.getVar("SBOM_DOCUMENT_UUID"):
         d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
 
+prepare_sbom_chroot() {
+    create_chroot_parent_dir ${WORKDIR}
+    run_privileged_heredoc <<'EOF'
+        set -e
+        mkdir -p ${SBOM_CHROOT_LOCAL}
+        tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}
+EOF
+}
+
 generate_sbom() {
-    run_privileged mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+    run_privileged mkdir -p \
+        ${SBOM_CHROOT_LOCAL}/mnt/rootfs \
+        ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir
 
     TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
+        --bind ${SBOM_CHROOT_LOCAL} / \
         --bind ${ROOTFSDIR} /mnt/rootfs \
         --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
         -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
@@ -59,8 +71,17 @@  generate_sbom() {
             --timestamp $TIMESTAMP ${SBOM_DEBSBOM_EXTRA_ARGS}
 }
 
+cleanup_sbom_chroot() {
+    run_privileged rm -rf ${SBOM_CHROOT_LOCAL}
+}
+
 do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
+do_generate_sbom[network] = "${TASK_USE_SUDO}"
 python do_generate_sbom() {
     sbom_doc_uuid(d)
-    bb.build.exec_func("generate_sbom", d)
+    try:
+        bb.build.exec_func("prepare_sbom_chroot", d)
+        bb.build.exec_func("generate_sbom", d)
+    finally:
+        bb.build.exec_func("cleanup_sbom_chroot", d)
 }
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
index bf6d6683..fec1f502 100644
--- a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -27,7 +27,16 @@  ROOTFSDIR = "${WORKDIR}/rootfs"
 ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
 
 do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy[network] = "${TASK_USE_SUDO}"
 do_sbomchroot_deploy() {
-    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+    # deploy with empty var to make it smaller
+    lopts="--one-file-system --exclude=var/*"
+    ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
+
+    run_privileged \
+        tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS} . \
+            | $ZSTD > ${SBOM_CHROOT}
+    # cleanup extracted rootfs
+    run_privileged rm -rf ${ROOTFSDIR}
 }
 addtask do_sbomchroot_deploy before do_build after do_rootfs