diff mbox series

[v3,14/16] use copy of sbom-chroot for sbom creation

Message ID 20260407142310.2327696-15-felix.moessbauer@siemens.com
State New
Headers show
Series add support to build isar unprivileged | expand

Commit Message

Felix Moessbauer April 7, 2026, 2:23 p.m. UTC 
We previously used the same sbom-chroot for generating the sbom of
different root filesystems. This required to have a live copy of the
sbom-chroot in the deploy dir, on which also was operated on. Further,
this copy was left behind in the deploy dir.

We improve this by just storing a minimized tarball of the sbom-chroot
in the deploy dir and extract that into the workdir of the rootfs.

With the new logic in place, we also enable the sbom generation in
unshare mode again.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 .../image-tools-extension.bbclass             | 27 +++++++++++++++---
 meta/classes-recipe/imagetypes_wic.bbclass    |  4 ++-
 meta/classes/sbom.bbclass                     | 28 ++++++++++++++++---
 .../sbom-chroot/sbom-chroot.bb                | 11 +++++++-
 4 files changed, 60 insertions(+), 10 deletions(-)
diff mbox series

Patch

diff --git a/meta/classes-recipe/image-tools-extension.bbclass b/meta/classes-recipe/image-tools-extension.bbclass
index cc046fdb..c75025ca 100644
--- a/meta/classes-recipe/image-tools-extension.bbclass
+++ b/meta/classes-recipe/image-tools-extension.bbclass
@@ -82,7 +82,7 @@  EOAPT
             dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
         ${WORKDIR}/imager.manifest
 
-        ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom', '', d)}
+        ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom $schroot_dir', '', d)}
     fi
 
     schroot -e -c ${session_id}
@@ -91,14 +91,18 @@  EOAPT
     schroot_delete_configs
 }
 
-generate_imager_sbom() {
+generate_imager_sbom_in_chroot() {
+    run_privileged mkdir -p \
+        ${SBOM_CHROOT_LOCAL}/mnt/rootfs \
+        ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir
+
     TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
     sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
-        --bind $schroot_dir /mnt/rootfs \
+        --bind ${SBOM_CHROOT_LOCAL} / \
+        --bind $1 /mnt/rootfs \
         --bind ${WORKDIR} /mnt/deploy-dir \
         -- debsbom -vv generate ${SBOM_DEBSBOM_TYPE_ARGS} \
             --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/imager \
@@ -128,6 +132,7 @@  imager_run_unshare() {
     fi
 
     local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
+    local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
 
     run_privileged_heredoc <<'EOF'
     set -e
@@ -185,5 +190,19 @@  EOF
         chroot ${ROOTFS_IMAGETOOLS} "$@" <&3
 EOF
 
+    if [ -n "${local_bom}" ]; then
+        run_in_chroot ${ROOTFS_IMAGETOOLS} \
+            dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
+            ${WORKDIR}/imager.manifest
+
+        ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom {}'.format(d.getVar('ROOTFS_IMAGETOOLS')), '', d)}
+    fi
+
     run_privileged rm -rf ${ROOTFS_IMAGETOOLS}
 }
+
+generate_imager_sbom() {
+    prepare_sbom_chroot
+    trap 'cleanup_sbom_chroot' EXIT
+    generate_imager_sbom_in_chroot "$1"
+}
diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 3e261622..3c65ed0d 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -205,9 +205,11 @@  EOIMAGER
         | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
 
     if ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'true', 'false', d)} ; then
+        prepare_sbom_chroot
         for bomtype in ${SBOM_TYPES}; do
             merge_wic_sbom $bomtype
         done
+        cleanup_sbom_chroot
     fi
 }
 
@@ -227,7 +229,7 @@  merge_wic_sbom() {
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
+        --bind ${SBOM_CHROOT_LOCAL} / \
         -- debsbom -v merge -t $BOMTYPE \
             --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
             --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index b4fcddaa..2e6d579f 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -23,7 +23,8 @@  SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
 DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
 
 SBOM_DIR = "${DEPLOY_DIR}/sbom"
-SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot.tar.zst"
+SBOM_CHROOT_LOCAL = "${WORKDIR}/sbom-chroot"
 
 # adapted from the isar-cip-core image_uuid.bbclass
 def generate_document_uuid(d, warn_not_repr=True):
@@ -40,14 +41,24 @@  def sbom_doc_uuid(d):
     if not d.getVar("SBOM_DOCUMENT_UUID"):
         d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
 
+prepare_sbom_chroot() {
+    run_privileged_heredoc <<'EOF'
+        set -e
+        mkdir -p ${SBOM_CHROOT_LOCAL}
+        tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}
+EOF
+}
+
 generate_sbom() {
-    run_privileged mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+    run_privileged mkdir -p \
+        ${SBOM_CHROOT_LOCAL}/mnt/rootfs \
+        ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir
 
     TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
+        --bind ${SBOM_CHROOT_LOCAL} / \
         --bind ${ROOTFSDIR} /mnt/rootfs \
         --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
         -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${ROOTFS_PACKAGE_SUFFIX}' \
@@ -59,8 +70,17 @@  generate_sbom() {
             --timestamp $TIMESTAMP ${SBOM_DEBSBOM_EXTRA_ARGS}
 }
 
+cleanup_sbom_chroot() {
+    run_privileged rm -rf ${SBOM_CHROOT_LOCAL}
+}
+
 do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
+do_generate_sbom[network] = "${TASK_USE_SUDO}"
 python do_generate_sbom() {
     sbom_doc_uuid(d)
-    bb.build.exec_func("generate_sbom", d)
+    try:
+        bb.build.exec_func("prepare_sbom_chroot", d)
+        bb.build.exec_func("generate_sbom", d)
+    finally:
+        bb.build.exec_func("cleanup_sbom_chroot", d)
 }
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
index 182432a0..f347327b 100644
--- a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -27,7 +27,16 @@  ROOTFSDIR = "${WORKDIR}/rootfs"
 ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
 
 do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy[network] = "${TASK_USE_SUDO}"
 do_sbomchroot_deploy() {
-    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+    # deploy with empty var to make it smaller
+    lopts="--one-file-system --exclude=var/*"
+    ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
+
+    run_privileged \
+        tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS} . \
+            | $ZSTD > ${SBOM_CHROOT}
+    # cleanup extracted rootfs
+    run_privileged rm -rf ${ROOTFSDIR}
 }
 addtask do_sbomchroot_deploy before do_build after do_rootfs