microsoft / cbl-mariner

Linux OS for Azure 1P services and edge appliances

License: MIT License

Shell 23.99% Python 5.59% Perl 1.29% C 8.65% QML 0.05% CMake 0.04% Makefile 2.81% Dockerfile 0.13% Go 38.60% Roff 4.15% Clean 0.23% Lua 0.55% Ruby 0.46% ASL 0.70% HTML 2.94% Smalltalk 0.88% XSLT 0.03% TeX 3.77% Java 5.15% Standard ML 0.01%

cbl-mariner's Introduction

CBL-Mariner

CBL-Mariner is an internal Linux distribution for Microsoft’s cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and will enhance Microsoft’s ability to stay current on Linux updates. This initiative is part of Microsoft’s increasing investment in a wide range of Linux technologies, such as SONiC and Windows Subsystem for Linux (WSL). CBL-Mariner is being shared publicly as part of Microsoft’s commitment to Open Source and to contribute back to the Linux community. CBL-Mariner does not change our approach or commitment to any existing third-party Linux distribution offerings.

CBL-Mariner has been engineered with the notion that a small common core set of packages can address the universal needs of first party cloud and edge services while allowing individual teams to layer additional packages on top of the common core to produce images for their workloads. This is made possible by a simple build system that enables:

  • Package Generation: This produces the desired set of RPM packages from SPEC files and source files.
  • Image Generation: This produces the desired image artifacts like ISOs or VHDs from a given set of packages.

Whether deployed as a container or a container host, CBL-Mariner consumes limited disk and memory resources. The lightweight characteristics of CBL-Mariner also provide faster boot times and a minimal attack surface. By focusing the features in the core image on just what is needed for our internal cloud customers, there are fewer services to load and fewer attack vectors.

When security vulnerabilities arise, CBL-Mariner supports both a package-based update model and an image-based update model. Leveraging the common RPM Package Manager system, CBL-Mariner makes the latest security patches and fixes available for download with the goal of fast turn-around times.

Getting Started with CBL-Mariner

Build

Instructions for building CBL-Mariner may be found here: Toolkit Documentation.

ISO

You can try CBL-Mariner with the following ISO images:

Before using a downloaded ISO, verify the checksum and signature of the image.

After downloading the ISO, use the quickstart instructions to install and use the image in a Hyper-V VM.

Note: Support for the ISO is community based. Before filing a new bug or feature request, please search the list of GitHub Issues. If you are unable to find a matching issue, please report new bugs by clicking here or create a new feature request by clicking here. For additional information refer to the support.md file.

Getting Help

  • Bugs, feature requests and questions can be filed as GitHub issues.
  • We are starting a public community call for Mariner users to get together and discuss new features, provide feedback, and learn more about how others are using Mariner. In each session, we will feature a new demo. The schedule for the upcoming community calls is:
      • 1/25/24 from 8-9am (PST) Click to join
      • 3/28/24 from 8-9am (PST) Click to join
      • 5/23/24 from 8-9am (PST) Click to join
      • 7/25/24 from 8-9am (PST) Click to join
      • 9/26/24 from 8-9am (PST) Click to join

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Acknowledgments

Any Linux distribution, including CBL-Mariner, benefits from contributions by the open software community. We gratefully acknowledge all contributions made from the broader open source community, in particular:

  1. The Photon OS Project for SPEC files originating from the Photon distribution.

  2. The Fedora Project for SPEC files, particularly with respect to Qt, DNF and content in the SPECS-EXTENDED folder.

  3. GNU and the Free Software Foundation

  4. Linux from Scratch

  5. Openmamba for SPEC files

cbl-mariner's People

Contributors

0xba1a, anphel31, arc9693, camelron, cbl-mariner-bot, chalamalasetty, christopherco, cwize1, dmcilvaney, hbeberman, henryli001, jslobodzian, mandeepsplaha, mateuszmalisz, maxbrodeururbas, mfrw, neha170, nicogbg, niontive, nisamson, oliviacrain, pawelwms, redent0r, rikenm1, rlmenge, rmhsawyer, schmittjoseph, sindhu-karri, sumynwa, suresh-thelkar


cbl-mariner's Issues

httpd start failed

Hi, I found a minor bug. There is no logs directory in /var, only a log directory. This makes the HTTP server unable to start.

sudo yum install httpd
sudo systemctl start httpd

Jul 23 10:17:37 cbl-mariner httpd[630]: (2)No such file or directory: AH02291: Cannot access directory '/var/logs/' for main error log
Jul 23 10:17:37 cbl-mariner httpd[630]: AH00014: Configuration check failed
Jul 23 10:17:37 cbl-mariner systemd[1]: httpd.service: Control process exited, code=exited status=1
Jul 23 10:17:37 cbl-mariner systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 23 10:17:37 cbl-mariner systemd[1]: Failed to start The Apache HTTP Server.

It was enough to create this directory, and it works.

sudo mkdir /var/logs
sudo systemctl start httpd

Failed to build image

Hi, I'm trying to generate a VHDX image of CBL-Mariner.
I'm working on Arch Linux but I checked the required tools are installed.
An error occurs during the building process in chroot, it seems blkid executable is not found (manually checking it's in /sbin) but I don't know if it's the cause or a consequence of the issue.
Here the log.
I have checked in the logs but I have found no other related explanation.
Thank you in advance.

oscap-docker from openscap package doesn't work

I'm trying to use the oscap-docker tool from the openscap package.

The first problem I ran into was that I needed to install openscap-python in order for the oscap-docker tool to work:

Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 23, in <module>
    from oscap_docker_python.oscap_docker_util import OscapScan
ModuleNotFoundError: No module named 'oscap_docker_python'

That suggests openscap-python should be a dependency of openscap (or the oscap-docker tool should be packaged separately with a dependency on openscap-python).

After installing openscap-python, the second problem I ran into was that oscap-docker uses python 2, even though the openscap python code isn't python 2 compatible:

oscap-docker
Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 23, in <module>
    from oscap_docker_python.oscap_docker_util import OscapScan
  File "/usr/lib/python2.7/site-packages/oscap_docker_python/oscap_docker_util.py", line 27, in <module>
    from oscap_docker_python.get_cve_input import getInputCVE
  File "/usr/lib/python2.7/site-packages/oscap_docker_python/get_cve_input.py", line 18, in <module>
    import urllib.parse
ImportError: No module named parse

building.md#build-packages arm64 and amd64 build args is wrong?

Still from the toolkit folder, copy the toolchain archive built in the previous step into the toolkit folder

mv ../build/toolchain/toolchain_built_rpms_all.tar.gz .

Build ALL packages FOR AMD64 this is for ARM64?

sudo make build-packages -j$(nproc) CONFIG_FILE= TOOLCHAIN_ARCHIVE=toolchain_built_rpms_all.tar.gz DOWNLOAD_SRPMS=y REBUILD_TOOLS=y REBUILD_TOOLCHAIN=n REBUILD_PACKAGES=y PACKAGE_IGNORE_LIST="openjdk8 openjdk8_aarch64 shim-unsigned-aarch64"

Build ALL packages FOR ARM64 this is for AMD64 ?

sudo make build-packages -j$(nproc) CONFIG_FILE= TOOLCHAIN_ARCHIVE=toolchain_built_rpms_all.tar.gz DOWNLOAD_SRPMS=y REBUILD_TOOLS=y REBUILD_TOOLCHAIN=n REBUILD_PACKAGES=y PACKAGE_IGNORE_LIST="openjdk8 openjdk8_amd64 shim-unsigned-amd64"

SRPM Hydration Randomly Failing on make toolchain

We're making our own fork of CBL-Mariner but we keep encountering issues where some packages randomly fail hydration, the usual culprits were GSL, Cython, ant-contrib, ant, acl and ALSA packages.

The hydration errors only happen when you're completely building from source.

rpm not found

Adding RPM to worker chroot: filesystem-1.1-7.cm1.x86_64.rpm.
Adding RPM to worker chroot: kernel-headers-5.10.42.1-1.cm1.noarch.rpm.
Adding RPM to worker chroot: glibc-2.28-18.cm1.x86_64.rpm.
Elevated install failed for package glibc-2.28-18.cm1.x86_64.rpm, aborting. Inspect /mnt/c/Users/sylvian/CBL-Mariner/build/logs/worker_chroot.log for more info. Did you hydrate the toolchain?
make: *** [/mnt/c/Users/sylvian/CBL-Mariner/toolkit/scripts/tools.mk:148: /mnt/c/Users/sylvian/CBL-Mariner/build/worker/worker_chroot.tar.gz] Error 1

From the log file:

Adding RPM to worker chroot: filesystem-1.1-7.cm1.x86_64.rpm.
Found full path for package filesystem-1.1-7.cm1.x86_64.rpm in /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache: (/mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/x86_64/filesystem-1.1-7.cm1.x86_64.rpm)
rpm: RPM should not be used directly install RPM packages, use Alien instead!
rpm: However assuming you know what you are doing...
warning: /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/x86_64/filesystem-1.1-7.cm1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 3135ce90: NOKEY
Verifying packages...
Preparing packages...
filesystem-1.1-7.cm1.x86_64
Adding RPM to worker chroot: kernel-headers-5.10.42.1-1.cm1.noarch.rpm.
Found full path for package kernel-headers-5.10.42.1-1.cm1.noarch.rpm in /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache: (/mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/noarch/kernel-headers-5.10.42.1-1.cm1.noarch.rpm)
rpm: RPM should not be used directly install RPM packages, use Alien instead!
rpm: However assuming you know what you are doing...
warning: /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/noarch/kernel-headers-5.10.42.1-1.cm1.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3135ce90: NOKEY
Verifying packages...
Preparing packages...
kernel-headers-5.10.42.1-1.cm1.noarch
Adding RPM to worker chroot: glibc-2.28-18.cm1.x86_64.rpm.
Found full path for package glibc-2.28-18.cm1.x86_64.rpm in /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache: (/mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/x86_64/glibc-2.28-18.cm1.x86_64.rpm)
rpm: RPM should not be used directly install RPM packages, use Alien instead!
rpm: However assuming you know what you are doing...
warning: /mnt/c/Users/sylvian/CBL-Mariner/build/rpm_cache/cache/x86_64/glibc-2.28-18.cm1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 3135ce90: NOKEY
Verifying packages...
Preparing packages...
glibc-2.28-18.cm1.x86_64
error: unpacking of archive failed on file /usr/libexec/getconf/POSIX_V6_LP64_OFF64;60d305a4: cpio: link failed - No such file or directory
error: glibc-2.28-18.cm1.x86_64: install failed
Elevated install failed for package glibc-2.28-18.cm1.x86_64.rpm, aborting. Inspect /mnt/c/Users/sylvian/CBL-Mariner/build/logs/worker_chroot.log for more info. Did you hydrate the toolchain?

not able to clone repository

Hi Team,

I tried cloning the repo, but I am facing the issue below.

remote: Compressing objects: 100% (562/562), done.
fatal: The remote end hung up unexpectedly.77 MiB | 837.00 KiB/s
fatal: early EOF
fatal: index-pack failed

I also tried with a fork and then a clone; still the same issue. Please guide me on how to clone successfully.

Unable to add new package 'libdrm'

I'm trying to extend CBL-Mariner to include libdrm in the installation.

For a baseline, I am using 1.0-stable, and without any modifications to the repository, I am able to successfully build an ISO image, and install/run this OS using the following command sequence :

Get the source code

git clone https://github.com/microsoft/CBL-Mariner.git
cd CBL-Mariner/toolkit

Checkout the desired release branch. The 1.0-stable tag tracks the most recent successful release of the 1.0 branch.

git checkout 1.0-stable

Build the Go tools

sudo make go-tools REBUILD_TOOLS=y

Get the package sources

sudo make input-srpms DOWNLOAD_SRPMS=y

Build an ISO version of ./imageconfigs/core-efi.json entirely from downloaded, pre-built packages

sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n

Now I would like to build a new ISO that allows me to install libdrm, so I've attempted to follow instructions for adding a SPEC file CBL-Mariner/SPECS/libdrm/libdrm.spec. It is unclear to me what additional steps are necessary to build Mariner so that libdrm is supported. I am referencing libdrm packages located at https://dri.freedesktop.org/libdrm/. I have attempted a variety of commands from the documentation in order to build this additional package, but have not been successful.

Any suggestions on how to proceed would be appreciated.

Create an ISO file

Hi, I've followed all steps in prerequisites.md and quickstart.md. I understand the ISO builder is isomaker from CBL-Mariner/toolkit/out/tools directory.

When I execute ./isomaker, I'm getting:

isomaker: error: required flag --build-dir not provided, try --help

Can you explain how to use this command correctly?

INFORMATION: Ubuntu Desktop 18.04 build more reliable than Ubuntu Server 18.04

Not an issue so I'm not really sure what I should do with this, but I thought it would be best sharing with anyone having difficulty building the ISOs.

I have found Ubuntu Desktop 18.04 builds the image much more reliably than Ubuntu Server 18.04. I am not sure why, or if it even is the case, but it seems that way for me.

If anyone is having trouble building the images, and has better luck with Ubuntu Desktop, please let me know so I know I am not the only one. If it seems this way, maybe we could add this to the build documentation?

Tool to update packages

Updating packages in Mariner takes a lot of manual steps, and this isn't really good for the velocity we need to address security vulnerabilities in the tight SLAs we're working with. I'd like a tool that would automate a lot of these things:

  • Bump the package release automatically.
  • Create a new changelog entry (using my name/email from the Git configuration), possibly opening in $EDITOR.
  • Update the manifests for all the subpackages in the spec file.
  • If you're updating a package to the new version, try to guess the URL automatically by changing the old version in the URL to the new version; if it doesn't work, it can ask the actual URL for the new version. Regardless, it should update the *.signatures.json files.
  • If it's a package that's flagged to be part of the toolchain, some additional steps might be involved.
  • It can optionally build the package to see if it works, determining the build-dep packages from the specfile and building them too.
  • Once everything is said and done, it'll create a new Git commit with the changes; the message can include the specfile changelog entry.

I was thinking about this for the CLI interface; for instance, to update a package to a new upstream version:

$ mariner-up bash --new-upstream
Currently packaged version is 4.9.
Source currently lives in https://some/gnu/mirror/bash-4.9.tar.gz

*** New version? 5.0

Trying to fetch version 5.0 from https://some/gnu/mirror/bash-5.0.tar.gz
Fetch successful, using this URL for the new source tarball.

Bumping package release from 29 to 30.
Creating ChangeLog entry:
    Mon Aug 17 2020 Leandro Pereira <[email protected]> 5.0-30
    - Update to upstream version 5.0.

*** Edit with /usr/bin/joe (y/N)? n

Git commit created.

*** Package has not been built; verify it builds and update manifests (Y/n)? Y

Building package. Follow progress in /tmp/asdfasdasdf-bash.log
Package built successfully in 00:03:37.
Updating manifests and amending Git commit.

Some of the questions that are asked could be passed as command-line arguments (e.g. --build-package to avoid asking if you want to build the package).

@microsoft/cbl-mariner-devs: Questions? Comments? Suggestions?

unable to create ISO

Hi Team,

Getting below error:

[root@localhost toolkit]# make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json
cd /media/CBL-Mariner/toolkit/tools/ &&
go test -covermode=atomic -coverprofile=/media/CBL-Mariner/build/tools/internal.test_coverage ./...
go: golang.org/x/[email protected]: Get "https://goproxy.io/golang.org/x/sys/@v/v0.0.0-20200509044756-6aff5f38e54f.mod": x509: certificate signed by unknown authority
make: *** [/media/CBL-Mariner/build/tools/internal.test_coverage] Error 1

I am new to go lang. Please suggest ???

CBL-Mariner from the Microsoft Store (in the future)? Or alternatively, how to install it via wsl + the .iso mentioned on the blog from Juan?

CBL-Mariner on the Microsoft Store?

Hey folks,

I am primarily a Linux user. On my desktop machine I have a customized
slackware variant, but I compile about 99% of software from source.
Anyway.

On my Win10 laptop I run WSL1 still (will eventually switch to WSL2
but you know how it goes ... once things are working fine, and
everything is working quite nicely on WSL1, inertia kicks in), most
of the time ubuntu, but also SUSE Linux.

I'd like to test CBL-Mariner as well. This is less so about "which
unique features does CBL Mariner have"; I am aware that your target
audience is probably other folks, e. g. cloud/business people so
less "hobbyists". But my main rationale for wanting to try CBL-Mariner
is actually the thought that CBL-Mariner may be better "optimised"
for Win10 than Linux distributions per se. Perhaps not in WSL1 but
in WSL2 - no clue. And perhaps not right now, but in the future. So
I want to "anticipate" a little bit in the future.

Anyway. I took a look at the Microsoft Store, and while Ubuntu and
SUSE are available there, CBL-Mariner is not available.

Now there may be several reasons as to why. I assume one reason
may be that you guys haven't everything "fully prepared" as-is,
and CBL-Mariner is still in flux. That's fine.

See also articles such as this:

https://www.zdnet.com/article/say-hi-to-microsofts-own-linux-cbl-mariner/

Which brought me to that blog entry:

https://blog.jreypo.io/2021/07/09/a-look-into-cbl-mariner-microsoft-internal-linux-distribution/

by Juan Manuel Rey. I had a look at the main README.md here, and also
the link to this entry:

https://github.com/microsoft/CBL-Mariner/blob/1.0/toolkit/README.md

But I did not seem to see that blog, so perhaps some information is
not "gathered" in the main README or other documentation parts. But
this is an aside.

So my question is:

  • Would it be possible to add CBL-Mariner, at the least the ".iso"
    variant that Juan talks about, to the Microsoft Store?

Note: I don't mean that you guys have to provide a new .iso here
every week; but something sensible, such as 3-months releases or
even 6-months releases. My use case is really the very same I use
ubuntu on WSL1 too right now. I can adapt my workflow without
having to modify it a lot; all my ruby commandline scripts work
fine (most work fine on plain windows anyway, but cmd.exe is a
bit more annoying to work with, and there are some platform
differences still that require adjustments to my scripts every
now and then).

Of course I do not know whether that conflicts with any other goal
or policies, or whether there are tier use cases that require
financial investments or not, but I am really talking about the
"hobbyist" use case primarily, not the business side. Just like
the blog entry shows with the .iso that is created. (I assume
it may even be possible to just install such an .iso and have
it work similar to how ubuntu or SUSE works, but I also lack
information, which is why I created this issue. Being able to
install from the Microsoft Store directly would be most
convenient, but if this is not possible for any reason, then
perhaps a document that showcases the initial step-by-step
commands for getting CBL-Mariner to work.)

Please feel free to close this issue at any moment in time;
and if this is planned, but not yet working anyway, but may
work in the future, then please feel free to close the issue
as well. Thanks for reading.

Use Clear Linux optimized packages

From what I can gather, it appears that packages are taken either from upstream or Fedora. Clear Linux provides optimized rpm packages which are built with autospec (a tool I think should be the default for rpm generation). The need for using the bundles isn't there and they do have a repo that can be used with dnf directly. So I propose basically repackaging those packages for Mariner using the same optimizations.

[Documentation] WSL support for CBL-Mariner?

Hey guys,

I lately read about CBL-Mariner on reddit. I am using WSL1 (still) on my Win10 laptop;
my main desktop here is on Linux. I am using ubuntu on Win10 but perhaps CBL-Mariner
may be an alternative.

Which brings me to my question: is CBL-Mariner available for installation?

If so, either way, would you guys briefly clarify this on the main README? Perhaps it
may change at a later time, so we could look at the README and then it could have
a sentence like "CBL-Mariner is available via the MS Store" or something like that.
Or that it is presently not available. This mostly just so that people know whether
they could test CBL Mariner rather than, say, Ubuntu instead. Perhaps CBL Mariner
may work better on Windows for instance. (I am still using WSL1 but I suppose
in the long run people will all move to WSL2 so perhaps there are some additional
benefits for CBL Mariner in a WSL2 setup. But I really don't know - it is a genuine
question and mostly focusing on the README.md really)

sos is packaged but is not functional on CBL-Mariner

I'm the lead maintainer for sos which I see is packaged in CBL-Mariner.

However, as sos functions based on what the project calls distribution policies to define how to enable plugins and perform collections, it is not currently functional for CBL-Mariner.

We would be more than happy to help extend support in sos for Mariner, but my question is if this is desired given the internal use case of Mariner versus the nature of sos which is to collect diagnostic information for troubleshooting (almost always with a technical support vendor).

If so we can probably create a new sos policy fairly quickly, and in time for our next upstream release, sos-4.2, which is due to close in mid August.

iptables has undeclared dependency on iana-etc

#741 added an iptables rule to ip4save that contains --dport ssh.

This adds an undeclared dependency on iana-etc. If you create an image with iptables without also installing iana-etc then the iptables systemd service will fail, preventing a successful boot.
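
A check for the failure described in this issue, as an added example that is not part of the original report or of CBL-Mariner's tooling: it lists symbolic port names (such as ssh) used in an iptables-save style rules file and reports those that a services database cannot resolve. The function names, file arguments and sample rules are constructed for illustration; it assumes port names are resolved through /etc/services, the file that iana-etc supplies.

```shell
#!/bin/sh
# Added example, not CBL-Mariner code. Function names are hypothetical.

# symbolic_ports RULES_FILE
# Print, once each, every non-numeric port token given to a port match option.
symbolic_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^--(dports?|sports?|destination-ports?|source-ports?)$/) {
                    # values may be lists (80,https) or ranges (1024:65535)
                    n = split($(i + 1), parts, /[,:]/)
                    for (j = 1; j <= n; j++)
                        if (parts[j] != "" && parts[j] !~ /^[0-9]+$/)
                            print parts[j]
                }
            }
        }
    ' "$1" | sort -u
}

# unresolved_ports RULES_FILE [SERVICES_FILE]
# Print the symbolic ports with no name or alias entry in SERVICES_FILE
# (default /etc/services). A missing services file leaves every name
# unresolved, which is the situation the issue describes.
# Simplification: the protocol column (22/tcp) is not compared.
unresolved_ports() {
    rules=$1
    services=${2:-/etc/services}
    symbolic_ports "$rules" | while IFS= read -r name; do
        if [ ! -r "$services" ] || ! awk -v want="$name" '
                { sub(/#.*/, "") }             # drop trailing comments
                NF >= 2 {
                    if ($1 == want) found = 1  # official service name
                    for (i = 3; i <= NF; i++)  # aliases after port/proto
                        if ($i == want) found = 1
                }
                END { exit !found }
            ' "$services"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo on constructed input: one rule uses a service name, and the services
# file is empty, as on an image built without iana-etc.
demo() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/ip4save" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
    : > "$demo_dir/services"
    echo "symbolic ports in rules:"
    symbolic_ports "$demo_dir/ip4save"
    echo "unresolved with an empty services database:"
    unresolved_ports "$demo_dir/ip4save" "$demo_dir/services"
    rm -rf "$demo_dir"
}
demo
```

Run as an image build check, a non-empty result from unresolved_ports means the rules file should use numeric ports or the image must include the package that provides the services database.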

Make ISO failed with 404 errors

Running the make statement from documentation to make ISO file. Getting the following error

joluedem@UbuntuServer:~/CBL-Mariner/toolkit$ sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json

Downloading toolchain RPM: kernel-headers-5.10.28.1-4.cm1.noarch.rpm

ERROR: Failed to download toolchain package: kernel-headers-5.10.28.1-4.cm1.noarch.rpm.
ERROR: Last 20 lines from log '/home/joluedem/CBL-Mariner/build/logs/toolchain/downloads/kernel-headers-5.10.28.1-4.cm1.noarch.rpm.log':

    Downloading toolchain RPM: kernel-headers-5.10.28.1-4.cm1.noarch.rpm
    --2021-05-06 21:27:08--  https://packages.microsoft.com/cbl-mariner/1.0/prod/base/x86_64/rpms/kernel-headers-5.10.28.1-4.cm1.noarch.rpm
    Resolving packages.microsoft.com (packages.microsoft.com)... 13.93.224.173
    Connecting to packages.microsoft.com (packages.microsoft.com)|13.93.224.173|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2021-05-06 21:27:12 ERROR 404: Not Found.

    --2021-05-06 21:27:12--  https://packages.microsoft.com/cbl-mariner/1.0/prod/update/x86_64/rpms/kernel-headers-5.10.28.1-4.cm1.noarch.rpm
    Resolving packages.microsoft.com (packages.microsoft.com)... 13.93.224.173
    Connecting to packages.microsoft.com (packages.microsoft.com)|13.93.224.173|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2021-05-06 21:27:12 ERROR 404: Not Found.

Toolchain download failed. See above errors for more details.
/home/joluedem/CBL-Mariner/toolkit/scripts/toolchain.mk:200: recipe for target '/home/joluedem/CBL-Mariner/build/rpm_cache/cache/noarch/kernel-headers-5.10.28.1-4.cm1.noarch.rpm' failed
make: *** [/home/joluedem/CBL-Mariner/build/rpm_cache/cache/noarch/kernel-headers-5.10.28.1-4.cm1.noarch.rpm] Error 1

Create link for publicly available ISO Image

I wanted to try playing around with CBL-Mariner on a VM, and it would be a lot easier to set up if there is a link to a publicly available ISO image. If it would be possible to host an ISO image online, it would be great! Thanks for all the awesome work that you do!!

Fails in Build Tools

Hi team,

I am new to CBL-Mariner. I followed the Prerequisites doc to install all the requirements for building. Then I ran the command below to build the tools as the docs mentioned.

sudo make toolchain REBUILD_TOOLS=y REBUILD_TOOLCHAIN=y DOWNLOAD_SRPMS=y

Almost 2 hours later, got the following error

Screenshot 2020-09-18 153732

My dev environment is:

  • Ubuntu 18.04 @ WSL2
  • Docker desktop v2.3.0.5 for Windows
  • commit ID: 83de3e2 @ main branch

Toolchain download failure - 404 errors

While trying to build the ISO, kernel-headers package fails to download. Not sure if there are other RPMs that end in 404 error. This is the first 404 (not found) encountered and the script terminates.

Here's sample output:
---cut---
Downloading toolchain RPM: filesystem-1.1-7.cm1.x86_64.rpm
Downloading toolchain RPM: kernel-headers-5.10.52.1-1.cm1.noarch.rpm

ERROR: Failed to download toolchain package: kernel-headers-5.10.52.1-1.cm1.noarch.rpm.
ERROR: Last 20 lines from log '/home/ubuntu/CBL-Mariner/build/logs/toolchain/downloads/kernel-headers-5.10.52.1-1.cm1.noarch.rpm.log':

    Downloading toolchain RPM: kernel-headers-5.10.52.1-1.cm1.noarch.rpm
    --2021-07-26 22:59:15--  https://packages.microsoft.com/cbl-mariner/1.0/prod/base/x86_64/rpms/kernel-headers-5.10.52.1-1.cm1.noarch.rpm
    Resolving packages.microsoft.com (packages.microsoft.com)... 13.93.152.112
    Connecting to packages.microsoft.com (packages.microsoft.com)|13.93.152.112|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2021-07-26 22:59:15 ERROR 404: Not Found.

    --2021-07-26 22:59:15--  https://packages.microsoft.com/cbl-mariner/1.0/prod/update/x86_64/rpms/kernel-headers-5.10.52.1-1.cm1.noarch.rpm
    Resolving packages.microsoft.com (packages.microsoft.com)... 13.93.152.112
    Connecting to packages.microsoft.com (packages.microsoft.com)|13.93.152.112|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2021-07-26 22:59:15 ERROR 404: Not Found.

package not found

Hi Team,

I got below error while building iso.

Downloading toolchain RPM: kernel-headers-5.10.52.1-1.cm1.noarch.rpm
--2021-07-30 15:55:16-- https://packages.microsoft.com/cbl-mariner/1.0/prod/base/x86_64/rpms/kernel-headers-5.10.52.1-1.cm1.noarch.rpm
Resolving packages.microsoft.com (packages.microsoft.com)... 52.163.211.218
Connecting to packages.microsoft.com (packages.microsoft.com)|52.163.211.218|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-07-30 15:55:17 ERROR 404: Not Found.

I also validated by looking into below path and package is not there.
https://packages.microsoft.com/cbl-mariner/1.0/prod/update/x86_64/rpms/

Regards,
Rajnish Soni

Provide a comparison to Clear Linux

The README seems to suggest similarities to Clear Linux. Can you provide a detailed comparison between CBL-Mariner and Clear Linux? Performance benchmarks are part of it but also about security, update efficiency, etc. I would also suggest switching to autospec made by Clear Linux for rpm generation and utilize their rpms prior to utilizing rpms from Fedora, EPEL, etc.

imager: cleanly shut down services prior to exiting the setup chroot

While debugging #42, it was found that if a package has a %post step or a post-install script which starts a service, this service could hold a reference to the kernel mountpoints. When the tooling exits the setup chroot, it is unable to unmount the kernel mountpoints, and we do not cleanly exit the chroot environment.

This issue is to track the investigation of cleanly shutting down any running services within the setup chroot prior to chroot exit.

[Solved] Toolchain download failed. See above errors for more details

┌──(saha㉿kali)-[~/CBL-Mariner/toolkit]
└─$ sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json
Downloading toolchain RPM: kernel-headers-5.10.52.1-1.cm1.noarch.rpm

ERROR: Failed to download toolchain package: kernel-headers-5.10.52.1-1.cm1.noarch.rpm.
ERROR: Last 20 lines from log '/home/saha/CBL-Mariner/build/logs/toolchain/downloads/kernel-headers-5.10.52.1-1.cm1.noarch.rpm.log':

        Downloading toolchain RPM: kernel-headers-5.10.52.1-1.cm1.noarch.rpm
        --2021-07-28 16:23:47--  https://packages.microsoft.com/cbl-mariner/1.0/prod/base/x86_64/rpms/kernel-headers-5.10.52.1-1.cm1.noarch.rpm
        Resolving packages.microsoft.com (packages.microsoft.com)... 65.52.183.205
        Connecting to packages.microsoft.com (packages.microsoft.com)|65.52.183.205|:443... connected.
        HTTP request sent, awaiting response... 404 Not Found
        2021-07-28 16:23:48 ERROR 404: Not Found.

        --2021-07-28 16:23:48--  https://packages.microsoft.com/cbl-mariner/1.0/prod/update/x86_64/rpms/kernel-headers-5.10.52.1-1.cm1.noarch.rpm
        Resolving packages.microsoft.com (packages.microsoft.com)... 23.99.120.248
        Connecting to packages.microsoft.com (packages.microsoft.com)|23.99.120.248|:443... connected.
        HTTP request sent, awaiting response... 404 Not Found
        2021-07-28 16:23:49 ERROR 404: Not Found.


Toolchain download failed. See above errors for more details.
make: *** [/home/saha/CBL-Mariner/toolkit/scripts/toolchain.mk:199: /home/saha/CBL-Mariner/build/rpm_cache/cache/noarch/kernel-headers-5.10.52.1-1.cm1.noarch.rpm] Error 1

Provide instructions for creating package mirrors

Since CBL-Mariner is a combination of source-built and binary-based, it makes sense that Mariner users would also like to run their own mirrors based on the source here. Documentation should be extended to cover this use case.

Add a GitHub check for documentation formatting

It seems that despite our best efforts our .md files don't follow any single rule when it comes to formatting. It would be ideal to add an automated check for that for each documentation PR. My first suggestion is to follow the rules mentioned here.

Error when creating ISO even after retrying

So I was creating the ISO with the sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json command and it errored out. I retried and I am receiving the same error.

Error -
image

Could anyone please help me diagnose the issue?

BPF Type Format file is missing

Most distributions have /sys/kernel/btf/vmlinux which is where the BPF Type Format information for the kernel is stored.

This is missing in Mariner.

If this is deliberate, we should document it; if not, fixing it would be great.

Mariner porting to arm64 platform

I am trying to port Mariner to an imx8 (aarch64) custom board, but have encountered some problems.

Build environment is as follows:
mariner github tag: 1.0-stable
build machine: x86_64
target platform: imx8 (aarch64) custom board; the bootloader is uboot, which supports UEFI binaries

First, I followed the quick start steps (the following commands) to build Mariner images.

  • sudo make toolchain REBUILD_TOOLS=y REBUILD_TOOLCHAIN=y DOWNLOAD_SRPMS=y

  • sudo make build-packages -j$(nproc) CONFIG_FILE= TOOLCHAIN_ARCHIVE=toolchain_built_rpms_all.tar.gz DOWNLOAD_SRPMS=y REBUILD_TOOLS=y REBUILD_TOOLCHAIN=n REBUILD_PACKAGES=y PACKAGE_IGNORE_LIST="openjdk8 openjdk8_aarch64 shim-unsigned-aarch64"

  • sudo make make-raw-image CONFIG_FILE=./imageconfigs/core-efi.json TOOLCHAIN_ARCHIVE=toolchain_built_rpms_all.tar.gz REBUILD_TOOLCHAIN=n REBUILD_PACKAGES=n REBUILD_TOOLS=y REPO_LIST=

After completing the above steps, I got image files in the "./build/imagegen/core-efi/imager_output/" or "../out/images/full" path.
But I found that the grub64.efi, vmlinux and rootfs files in the image file are in x86 ELF format; these image files can't run on the imx8 platform.
So do I need an aarch64 host machine to build Mariner arm64 images instead of an x86 host? Or is there another way to run Mariner on the imx8 platform?
Could someone give me a suggestion for this problem?
Thanks.

Error Building VHD/VHDX on Ubuntu

tylerjaacks@tylerjaacks-ubuntu:~/CBL-Mariner/toolkit$ sudo make image REBUILD_TOOLS=y REBUILD_PACKAGES=n CONFIG_FILE=./imageconfigs/full.json
[sudo] password for tylerjaacks: 
mkdir -p /home/tylerjaacks/CBL-Mariner/build/imagegen/full/imager_output && \
rm -rf /home/tylerjaacks/CBL-Mariner/build/imagegen/full/imager_output/* && \
/home/tylerjaacks/CBL-Mariner/toolkit/out/tools/imager \
	--build-dir /home/tylerjaacks/CBL-Mariner/build/imagegen/full/workspace \
	--input ./imageconfigs/full.json \
	--base-dir=./imageconfigs/ \
	--log-level=info \
	--log-file=/home/tylerjaacks/CBL-Mariner/build/logs/imggen/imager.log \
	--local-repo /home/tylerjaacks/CBL-Mariner/build/imagegen/full/package_repo \
	--tdnf-worker /home/tylerjaacks/CBL-Mariner/build/worker/worker_chroot.tar.gz \
	--repo-file=/home/tylerjaacks/CBL-Mariner/toolkit/resources/manifests/image/local.repo \
	--assets /home/tylerjaacks/CBL-Mariner/toolkit/resources/assets/ \
	--output-dir /home/tylerjaacks/CBL-Mariner/build/imagegen/full/imager_output && \
touch /home/tylerjaacks/CBL-Mariner/build/make_status/imager_disk_output.flag
INFO[0000] Building system configuration (CBL-Mariner Full) 
INFO[0000] Creating rootfs                              
INFO[0000] Rootfs is including a kernel (kernel)        
INFO[0004] HidepidDisabled is false.                    
WARN[0006] using empty dict to provide pw_dict          
WARN[0007] warning: /installroot/mariner-release-1.0-19.cm1.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 3135ce90: NOKEY 
WARN[0013] using empty dict to provide pw_dict          
WARN[0128] failed to link /usr/lib/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64: /usr/lib/libnssckbi.so exists and it is not a symlink 
WARN[0159] switching pw_dict to cracklib-dicts          
WARN[0159] Running in chroot, ignoring request: start   
WARN[0160] Running in chroot, ignoring request: daemon-reload 
WARN[0160] Running in chroot, ignoring request: start   
WARN[0160] gpg: directory '/root/.gnupg' created        
WARN[0160] gpg: keybox '/root/.gnupg/pubring.kbx' created 
WARN[0160] gpg: /root/.gnupg/trustdb.gpg: trustdb created 
WARN[0160] gpg: key EB3E94ADBE1229CF: public key "Microsoft (Release signing) <[email protected]>" imported 
WARN[0160] gpg: Total number processed: 1               
WARN[0160] gpg:               imported: 1               
WARN[0160] gpg: key 0CD9FED33135CE90: public key "Mariner RPM Release Signing <[email protected]>" imported 
WARN[0160] gpg: Total number processed: 1               
WARN[0160] gpg:               imported: 1               
WARN[0161] initrd generation of kernel 5.10.42.1-3.cm1 will be triggered later 
WARN[0161] initramfs (re)generation triggerin 1 1 2.0-8.cm1 
WARN[0161] initramfs 2.0-8.cm1 posttrans                
INFO[0167] Proceeding to cleanup extra files in chroot /home/tylerjaacks/CBL-Mariner/build/imagegen/full/workspace/setuproot. 
INFO[0167] Cleaning up directory /tmp/additionalfiles   
INFO[0167] Cleaning up directory /tmp/postinstall       
INFO[0167] Cleaning up directory /tmp/sshpubkeys        
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
main.buildSystemConfig(0x0, 0x0, 0x0, 0x0, 0x0, 0xc0000175e0, 0x10, 0xc000090480, 0x4, 0x4, ...)
	/home/tylerjaacks/CBL-Mariner/toolkit/tools/imager/imager.go:225 +0x20b2
main.main()
	/home/tylerjaacks/CBL-Mariner/toolkit/tools/imager/imager.go:72 +0x408
make: *** [/home/tylerjaacks/CBL-Mariner/toolkit/scripts/imggen.mk:118: /home/tylerjaacks/CBL-Mariner/build/make_status/imager_disk_output.flag] Error 2

Container image MAKE errors while building gcc-9.1.0-7.cm1.src.rpm

On running sudo make image CONFIG_FILE=./imageconfigs/core-container.json REBUILD_TOOLS=y SOURCE_URL=https://cblmarinerstorage.blob.core.windows.net/sources/core

I get the following error when building gcc-9.1.0-7.cm1.src.rpm:

INFO[0000] Building (gcc-9.1.0-7.cm1.src.rpm).
INFO[1800] Heartbeat: still building (gcc-9.1.0-7.cm1.src.rpm).
WARN[3344] Failed package build attempt (/root/CBL-Mariner/build/INTERMEDIATE_SRPMS/gcc-9.1.0-7.cm1.src.rpm), error (exit status 1)
ERRO[3344] Failed to build SRPM '/root/CBL-Mariner/build/INTERMEDIATE_SRPMS/gcc-9.1.0-7.cm1.src.rpm'. For details see log file: /root/CBL-Mariner/build/logs/pkggen/rpmbuilding/gcc-9.1.0-7.cm1.src.rpm.log.
PANI[3344] exit status 1
panic: (*logrus.Entry) 0xc0000a2230

goroutine 1 [running]:
github.com/sirupsen/logrus.Entry.log(0xc0000a3880, 0xc00039eae0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /root/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:259 +0x345
github.com/sirupsen/logrus.(*Entry).Log(0xc0000a2000, 0x0, 0xc000453c28, 0x1, 0x1)
        /root/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:287 +0xf0
github.com/sirupsen/logrus.(*Entry).Logln(0xc0000a2000, 0xc000000000, 0xc000453cc0, 0x1, 0x1)
        /root/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:378 +0xd6
github.com/sirupsen/logrus.(*Logger).Logln(0xc0000a3880, 0xc000000000, 0xc000453cc0, 0x1, 0x1)
        /root/go/pkg/mod/github.com/sirupsen/[email protected]/logger.go:240 +0x7e
github.com/sirupsen/logrus.(*Logger).Panicln(...)
        /root/go/pkg/mod/github.com/sirupsen/[email protected]/logger.go:281
microsoft.com/pkggen/internal/logger.PanicOnError(0x677be0, 0xc00040bca0, 0xc000453e00, 0x3, 0x3)
        /root/CBL-Mariner/toolkit/tools/internal/logger/log.go:122 +0xfa
main.main()
        /root/CBL-Mariner/toolkit/tools/pkgworker/pkgworker.go:96 +0x84e

Digging into the build logs I can see:

time="2021-08-01T00:00:10Z" level=debug msg="Processing files: libgcc-atomic-9.1.0-7.cm1.x86_64"
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Provides: /usr/lib/rpm/find-provides"
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(interp): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(rpmlib): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(verify): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(pre): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(post): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(preun): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(postun): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(pretrans): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires(posttrans): "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Requires: /usr/lib/rpm/find-requires"
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Conflicts: "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Obsoletes: "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Recommends: "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Suggests: "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Supplements: "
time="2021-08-01T00:00:10Z" level=debug msg="Finding  Enhances: "
time="2021-08-01T00:00:10Z" level=debug msg="error: File not found: /usr/src/mariner/BUILDROOT/gcc-9.1.0-7.cm1.x86_64/usr/lib/libcc1.*"
time="2021-08-01T00:00:10Z" level=debug msg="    Macro expanded in comment on line 22: %{with_check}"
time="2021-08-01T00:00:10Z" level=debug
time="2021-08-01T00:00:10Z" level=debug msg="    Deprecated external dependency generator is used!"
time="2021-08-01T00:00:10Z" level=debug msg="    Deprecated external dependency generator is used!"
time="2021-08-01T00:00:10Z" level=debug msg="    Deprecated external dependency generator is used!"
time="2021-08-01T00:00:10Z" level=debug msg="    Deprecated external dependency generator is used!"
time="2021-08-01T00:00:10Z" level=debug msg="    File not found: /usr/src/mariner/BUILDROOT/gcc-9.1.0-7.cm1.x86_64/usr/lib/libcc1.*"
time="2021-08-01T00:00:10Z" level=debug msg="Provides: libatomic.so.1()(64bit) libatomic.so.1(LIBATOMIC_1.0)(64bit) libatomic.so.1(LIBATOMIC_1.1)(64bit) libatomic.so.1(LIBATOMIC_1.2)(64bit) libgcc-atomic = 9.1.0-7.cm1 libgcc-atomic(x86-64) = 9.1.0-7.cm1"
time="2021-08-01T00:00:10Z" level=debug msg="Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1"
time="2021-08-01T00:00:10Z" level=debug msg="Requires: libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit)"
time="2021-08-01T00:00:10Z" level=debug msg="Processing files: libgcc-devel-9.1.0-7.cm1.x86_64"
time="2021-08-01T00:00:10Z" level=debug
time="2021-08-01T00:00:10Z" level=debug
time="2021-08-01T00:00:10Z" level=debug msg="RPM build errors:"
time="2021-08-01T00:00:10Z" level=debug msg="Exiting Chroot"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/upstream-cached-rpms)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/sys)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/run)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/proc)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/localrpms)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/dev/pts)"
time="2021-08-01T00:00:10Z" level=debug msg="Unmounting (/root/CBL-Mariner/build/worker/chroot/gcc-9.1.0-7.cm1/dev)"
time="2021-08-01T00:00:16Z" level=warning msg="Failed package build attempt (/root/CBL-Mariner/build/INTERMEDIATE_SRPMS/gcc-9.1.0-7.cm1.src.rpm), error (exit status 1)"
time="2021-08-01T00:00:16Z" level=error msg="Failed to build SRPM '/root/CBL-Mariner/build/INTERMEDIATE_SRPMS/gcc-9.1.0-7.cm1.src.rpm'. For details see log file: /root/CBL-Mariner/build/logs/pkggen/rpmbuilding/gcc-9.1.0-7.cm1.src.rpm.log."
time="2021-08-01T00:00:16Z" level=panic msg="exit status 1"

Auto-provisioning using ISO?

Is there any way to auto-install CBL-Mariner using an ISO and user-data & meta-data files?

I have tried creating a "meta-user-data.iso" file using the attached files (appended .txt extension so GitHub would allow them) with the following command:
genisoimage -output meta-user-data.iso -volid cidata -rock user-data meta-data

The command produced an ISO output but when supplying this with the main ISO, I am just stuck on the usual selection for how to install - Graphical/Terminal/Terminal with speech.

If this is not available currently, it is something which would be extremely useful as there are only a handful of these sorts of distributions available. It would make it much easier to provision these virtual machines using Terraform.

I appreciate what you are doing for the Linux community. This release was a pleasant surprise.

meta-data.txt
user-data.txt

Add option to compile packages with -fno-omit-frame-pointer

Frame pointers are critical for production profiling, which is crucial for running production services.

I propose we have an option in Mariner that supports compiling all packages with this option and providing a flavor of this build to customers.

It would be great if Mariner became the first Linux distribution that had a flavor for frame pointers disabled.

Error building iso image

WARN[0008] tar: Удаляется начальный `/' из имен объектов
WARN[0016] Skipping move. Source and destination are the same file (/home/user/CBL-Mariner/out/images/iso_initrd/iso-initrd.img.tar.gz).
INFO[0016] [1/1] Converted (/home/user/CBL-Mariner/build/imagegen/iso_initrd/imager_output/rootfs) -> (/home/user/CBL-Mariner/out/images/iso_initrd/iso-initrd.img.tar.gz)
make[1]: выход из каталога «/home/user/CBL-Mariner/toolkit»
INFO[0000] Building ISO under '/home/user/CBL-Mariner/build/imagegen/full/workspace'.
WARN[0000] Unexpected: temporary ISO build path '/home/user/CBL-Mariner/build/imagegen/full/workspace' exists. Removing.
INFO[0002] Preparing ISO's bootloaders.
WARN[0002] 3+0 записей получено
WARN[0002] 3+0 записей отправлено
WARN[0002] 3145728 байт (3,1 MB, 3,0 MiB) скопирован, 0,00925706 s, 340 MB/s
INFO[0007] Generating ISO image under '/home/user/CBL-Mariner/out/images/full/full-1.0.20210714.1028.iso'.
WARN[0007] Bad Option '-e' (error -1 BADFLAG).
WARN[0007] Usage: mkisofs [options] [-find] file... [find expression]
WARN[0007]
WARN[0007] Use mkisofs -help
WARN[0007] to get a list all of valid options.
WARN[0007]
WARN[0007] Use mkisofs -find -help
WARN[0007] to get a list of all valid -find options.
WARN[0007]
WARN[0007] Most important Options:
WARN[0007] -posix-H Follow sylinks encountered on command line
WARN[0007] -posix-L Follow all symlinks
WARN[0007] -posix-P Do not follow symlinks (default)
WARN[0007] -o FILE, -output FILE Set output file name
WARN[0007] -R, -rock Generate Rock Ridge directory information
WARN[0007] -r, -rational-rock Generate rationalized Rock Ridge directory info
WARN[0007] -J, -joliet Generate Joliet directory information
WARN[0007] -print-size Print estimated filesystem size and exit
WARN[0007] -UDF Generate UDF file system
WARN[0007] -dvd-audio Generate DVD-Audio compliant UDF file system
WARN[0007] -dvd-video Generate DVD-Video compliant UDF file system
WARN[0007] -dvd-hybrid Generate a hybrid (DVD-Audio/DVD-Video) compliant UDF file system
WARN[0007] -iso-level LEVEL Set ISO9660 level (1..3) or 4 for ISO9660 v 2
WARN[0007] -V ID, -volid ID Set Volume ID
WARN[0007] -graft-points Allow to use graft points for filenames
WARN[0007] -M FILE, -prev-session FILE Set path to previous session to merge
PANI[0007] Command 'mkisofs' failed with error: exit status 255
panic: (*logrus.Entry) 0xc000092d20

CHROOT environment lacking

I bump into
ERRO[0000] env variable CHROOT_DIR not defined
Trying to work around it, the tool complains it does not find a chroot environment and a chroot-pool.lock file.

Update building pre-reqs to use GO from github, not backport PPA

Use slightly modified version of https://github.com/WhitewaterFoundry/pengwin-setup/blob/master/pengwin-setup.d/go.sh instead of ppa:longsleep/golang-backports.

This also removes the need for this line, since proper exports for env vars and $PATH are done in the script:

Fix go 1.13 link

sudo ln -vs /usr/lib/go-1.13/bin/go /usr/bin/go

Providing network config

I noticed that you by default disable the network configuration support in cloud-init.

I tried to use a post-install script to remove the 99-disable-network-config.cfg which did something, but not what I wanted it to do. I can see now in cloud-init logs that it is indeed trying to configure the network now as the meta-data instructs but that doesn't seem to result in the system actually having any configuration under /etc/systemd/network.

From this I'm assuming there is some other mechanism I should be using to provide the network configuration to Mariner? Could you point me in the right direction?

GitHub bot to label issues automatically

Would be nice if we had a GitHub bot to label issues automatically:

  • If CVE-\d+-\d+ is mentioned in the commit message, newly-added changelog entry of a spec file, etc, add a Security label
  • If a file named CVE-\d+-\d+\.patch is added to a spec directory, add a Security label
  • If the PR touches spec files or files in a spec directory, add a Package label
  • If the PR touches files related to tools, add a Tooling label
  • If the PR touches files related to CI, add a CI label

This should help prioritize stuff better.
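A sketch of the labelling rules listed in this request, added here as an illustration and not an existing bot or project code. The directory prefixes (`SPECS/`, `toolkit/`, `.github/`), the input shape and the CVE ids are assumptions or constructed placeholders; the changelog rule deliberately looks only at lines the diff adds, so an old CVE entry shown as context does not mark every later spec edit as Security.

```python
import re

CVE_RE = re.compile(r"CVE-\d+-\d+")
CVE_PATCH_RE = re.compile(r"CVE-\d+-\d+\.patch")
# Assumed repository layout (not stated in the issue); adjust to the real tree.
SPEC_DIRS = ("SPECS/",)
TOOL_DIRS = ("toolkit/",)
CI_DIRS = (".github/",)

def cve_in_added_changelog(patch):
    """True if a CVE id is on a line the diff ADDS below %changelog.
    Context and removed lines are skipped, so old entries never re-trigger."""
    in_changelog = False
    for line in patch.splitlines():
        if line.startswith(("@@", "-", "+++")):
            continue  # hunk header, removed line, or file header
        if line[1:].strip() == "%changelog":
            in_changelog = True
        elif in_changelog and line.startswith("+") and CVE_RE.search(line):
            return True
    return False

def labels_for_pr(commit_messages, files):
    """files: dicts with "path", "status" (added/modified/removed) and an
    optional "patch" holding the unified diff text for that file."""
    labels = set()
    if any(CVE_RE.search(msg) for msg in commit_messages):
        labels.add("Security")
    for f in files:
        path = f["path"]
        in_spec_dir = path.startswith(SPEC_DIRS)
        if in_spec_dir or path.endswith(".spec"):
            labels.add("Package")
        if path.startswith(TOOL_DIRS):
            labels.add("Tooling")
        if path.startswith(CI_DIRS):
            labels.add("CI")
        is_cve_patch = CVE_PATCH_RE.fullmatch(path.rsplit("/", 1)[-1])
        if in_spec_dir and f["status"] == "added" and is_cve_patch:
            labels.add("Security")
        if path.endswith(".spec") and cve_in_added_changelog(f.get("patch", "")):
            labels.add("Security")
    return sorted(labels)

def demo():
    """Constructed pull requests; the CVE ids are placeholders."""
    new_entry = ("@@ -40,3 +40,6 @@\n %changelog\n"
                 "+* Mon Aug 02 2021 Dev <dev@example.invalid> - 1.0-2\n"
                 "+- Add patch for CVE-0000-00000\n+\n"
                 " * Thu Jul 01 2021 Dev <dev@example.invalid> - 1.0-1\n")
    old_entry = ("@@ -40,4 +40,7 @@\n %changelog\n"
                 "+* Mon Aug 02 2021 Dev <dev@example.invalid> - 1.0-3\n"
                 "+- Bump release\n+\n"
                 " * Thu Jul 01 2021 Dev <dev@example.invalid> - 1.0-2\n"
                 " - Add patch for CVE-0000-00000\n")
    spec = {"path": "SPECS/foo/foo.spec", "status": "modified"}
    prs = [
        ([], [dict(spec, patch=new_entry)]),
        ([], [dict(spec, patch=old_entry)]),
        ([], [{"path": "toolkit/tools/imager/imager.go", "status": "modified"},
              {"path": ".github/workflows/lint.yml", "status": "added"}]),
        ([], [{"path": "SPECS/foo/CVE-0000-00001.patch", "status": "added"}]),
    ]
    return [labels_for_pr(msgs, files) for msgs, files in prs]
```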
