rpardini's May'24 fix batch: slim for 2Gb RAM devices (#225)

> - recent userspace additions took the initramfs size near or over the 900mb mark for certain kernels.
> - initramfs (gzipped cpio) is uncompressed by bootloader and mounted on tmpfs by kernel.
> - tmpfs allows only 50% of physical RAM by default, and default can't be changed easily.
> - slim down both the userspace (by stripping / removing some / etc) and the Armbian kernels (by removing modules)
> - with those we're back below 900mb uncompressed again, and the default x86 hook tarball is down from 223 to 180mb compressed.
> - add a check for uncompressed cpio size at 900mb; warn in GHA if it is ever hit again.
> - also includes: fixes for ttyAML consoles, better logging, some dev/debug options used for batch
> 
> note: review is easier if done commit-by-commit; sent a large batch due to same-line changes across them

----

#### build: common: better logging & emit notice/warn/error also to GHA workflow commands

- see https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-a-notice-message
- introduces `notice` level, which is just like `info` but brighter and goes to GHA
- also: curb warning about USE_KERNEL_ID down to info


#### kernel: armbian: fix: use ORAS binary appropriate to the (host) arch; bump ORAS to 1.2.0-rc.1 (from beta.1)

- otherwise can't build those "kernels" on arm64-only & qemu+binfmt-deprived hosts


#### build: introduce `OUTPUT_TARBALL_FILELIST=yes` to include LK's `--format tar` output and its filelist

- useful during development for:
  - debugging esoteric issue with file permissions
  - checking the space usage distribution, so we can slim down where needed


#### kernel: armbian: ensure kernel.tar contains entry for the / (root) directory

- quite esoteric, but it seems LinuxKit uses the kernel.tar's root entry as its own entry
- if that is missing, then the final product rootfs will have root dir with very strange permissions


#### kernel: armbian: don't flood output with tar's verbose option


#### kernel: armbian: remove some heavy kernel modules (so it fits in 2Gb RAM)

- Armbian kernels are meant for general-purpose initrd's, and including all modules is overkill
- this allows to boot on 2Gb RAM machines (tmpfs allows only up to 50% RAM)


#### images: slim down golang binaries, by building without DWARF/debug symbols, stripping prebuilts, and removing unneeded bins

- strip golang binaries (both during build with ldflags and prebuilt ones with 'strip'/binutils)
- don't ship apk caches
- we won't use docker-buildx nor docker-compose bins, which are huge; remove them
- remove stray 'hook-bootkit' binary from source directory (leftover from ?)


#### hook: add handling for ttyAML0/1 (used on Amlogic SoCs)

- complements a68b629
- create /dev devices with 243 major and 0/1 minor
- add to securetty


#### build: introduce check for initramfs size > 900Mb and warn/notice

- those will most likely fail to boot on 2Gb RAM machines
  - initramfs will by default use tmpfs (which defaults to 50% ram), not ramfs

Author: mergify[bot]

bash/common.sh

@@ -1,16 +1,23 @@
 #!/usr/bin/env bash
 
 # logger utility, output ANSI-colored messages to stderr; first argument is level (debug/info/warn/error), all other arguments are the message.
-declare -A log_colors=(["debug"]="0;36" ["info"]="0;32" ["warn"]="0;33" ["error"]="0;31")
-declare -A log_emoji=(["debug"]="🐛" ["info"]="📗" ["warn"]="🚧" ["error"]="🚨")
+declare -A log_colors=(["debug"]="0;36" ["info"]="0;32" ["notice"]="1;32" ["warn"]="1;33" ["error"]="1;31")
+declare -A log_emoji=(["debug"]="🐛" ["info"]="🌿" ["notice"]="🌱" ["warn"]="🚸" ["error"]="🚨")
+declare -A log_gha_levels=(["notice"]="notice" ["warn"]="warning" ["error"]="error")
 function log() {
 	declare level="${1}"
 	shift
 	[[ "${level}" == "debug" && "${DEBUG}" != "yes" ]] && return # Skip debugs unless DEBUG=yes is set in the environment
-	declare color="${log_colors[${level}]}"
+	# If running on GitHub Actions, and level exists in log_gha_levels...
+	if [[ -n "${GITHUB_ACTIONS}" && -n "${log_gha_levels[${level}]}" ]]; then
+		echo "::${log_gha_levels[${level}]} ::${*}" >&2
+	fi
+	# Normal output
+	declare color="\033[${log_colors[${level}]}m"
 	declare emoji="${log_emoji[${level}]}"
+	declare ansi_reset="\033[0m"
 	level=$(printf "%-5s" "${level}") # pad to 5 characters before printing
-	echo -e "${emoji} \033[${color}m${SECONDS}: [${level}] $*\033[0m" >&2
+	echo -e "${emoji} ${ansi_reset}[${color}${level}${ansi_reset}] ${color}${*}${ansi_reset}" >&2
 }
 
 function install_dependencies() {

bash/json-matrix.sh

@@ -73,7 +73,7 @@ function prepare_json_matrix() {
 
 		if [[ "${matrix_type}" == "KERNEL" ]]; then # special case for kernel builds, if USE_KERNEL_ID is set, skip this kernel
 			if [[ -n "${kernel_info[USE_KERNEL_ID]}" ]]; then
-				log warn "Skipping build of kernel '${kernel}' due to it having USE_KERNEL_ID set to '${kernel_info[USE_KERNEL_ID]}'"
+				log info "Skipping build of kernel '${kernel}' due to it having USE_KERNEL_ID set to '${kernel_info[USE_KERNEL_ID]}'"
 				continue
 			fi
 		fi

bash/kernel/kernel_armbian.sh

@@ -45,8 +45,15 @@ function calculate_kernel_version_armbian() {
 
 	declare -g ARMBIAN_KERNEL_DOCKERFILE="kernel/Dockerfile.autogen.armbian.${inventory_id}"
 
-	declare oras_version="1.2.0-beta.1" # @TODO bump this once it's released; yes it's much better than 1.1.x's
-	declare oras_down_url="https://github.com/oras-project/oras/releases/download/v${oras_version}/oras_${oras_version}_linux_amd64.tar.gz"
+	declare oras_version="1.2.0-rc.1" # @TODO bump this once it's released; yes it's much better than 1.1.x's
+	# determine the arch to download from current arch
+	declare oras_arch="unknown"
+	case "$(uname -m)" in
+		"x86_64") oras_arch="amd64" ;;
+		"aarch64") oras_arch="arm64" ;;
+		*) log error "ERROR: ARCH $(uname -m) not supported by ORAS? check https://github.com/oras-project/oras/releases" && exit 1 ;;
+	esac
+	declare oras_down_url="https://github.com/oras-project/oras/releases/download/v${oras_version}/oras_${oras_version}_linux_${oras_arch}.tar.gz"
 
 	# Lets create a Dockerfile that will be used to obtain the artifacts needed, using ORAS binary
 	echo "Creating Dockerfile '${ARMBIAN_KERNEL_DOCKERFILE}'... "
@@ -83,8 +90,16 @@ function calculate_kernel_version_armbian() {
 		# Get the kernel image...
 		RUN cp -v boot/vmlinuz* /armbian/output/kernel
 
-		# Create a tarball with the modules in lib
-		RUN tar -cvf /armbian/output/kernel.tar lib
+		# Create a tarball with the modules in lib.
+		# Important: this tarball needs to have permissions for the root directory included! Otherwise linuxkit rootfs will have the wrong permissions on / (root)
+		WORKDIR /armbian/modules_only
+		RUN mv /armbian/image/lib /armbian/modules_only/
+		RUN echo "Before cleaning: " && du -h -d 10 -x . | sort -h | tail -n 20
+		# Trim the kernel modules to save space; hopefully your required hardware is not included here
+		RUN rm -rfv ./lib/modules/*/kernel/drivers/net/wireless ./lib/modules/*/kernel/sound ./lib/modules/*/kernel/drivers/media
+		RUN rm -rfv ./lib/modules/*/kernel/drivers/infiniband
+		RUN echo "After cleaning: " &&  du -h -d 10 -x . | sort -h | tail -n 20
+		RUN tar -cf /armbian/output/kernel.tar .
 
 		# Create a tarball with the dtbs in usr/lib/linux-image-*
 		RUN { cd usr/lib/linux-image-* || { echo "No DTBS for this arch, empty tar..." && mkdir -p usr/lib/linux-image-no-dtbs && cd usr/lib/linux-image-* ; } ; }  && pwd && du -h -d 1 . && tar -czvf /armbian/output/dtbs.tar.gz . && ls -lah /armbian/output/dtbs.tar.gz

bash/linuxkit.sh

@@ -84,15 +84,31 @@ function linuxkit_build() {
 	declare -a lk_args=(
 		"--docker"
 		"--arch" "${kernel_info['DOCKER_ARCH']}"
-		"--format" "kernel+initrd"
 		"--name" "hook"
 		"--cache" "${lk_cache_dir}"
 		"--dir" "${lk_output_dir}"
 		"hook.${inventory_id}.yaml" # the linuxkit configuration file
 	)
 
+	if [[ "${OUTPUT_TARBALL_FILELIST:-"no"}" == "yes" ]]; then
+		log info "OUTPUT_TARBALL_FILELIST=yes; Building Hook (tar/filelist) with kernel ${inventory_id} using linuxkit: ${lk_args[*]}"
+		"${linuxkit_bin}" build "--format" "tar" "${lk_args[@]}"
+	fi
+
 	log info "Building Hook with kernel ${inventory_id} using linuxkit: ${lk_args[*]}"
-	"${linuxkit_bin}" build "${lk_args[@]}"
+	"${linuxkit_bin}" build "--format" "kernel+initrd" "${lk_args[@]}"
+
+	declare initramfs_path="${lk_output_dir}/hook-initrd.img"
+	# initramfs_path is a gzipped file. obtain the uncompressed byte size, without decompressing it
+	declare -i initramfs_size_bytes=0
+	initramfs_size_bytes=$(gzip -l "${initramfs_path}" | tail -n 1 | awk '{print $2}')
+	log info "Uncompressed initramfs size in bytes: ${initramfs_size_bytes}"
+	# If the size is larger than 900mb, it is unlikely to boot on a 2gb RAM machine. Warn.
+	if [[ "${initramfs_size_bytes}" -gt 943718400 ]]; then
+		log warn "${inventory_id}: Uncompressed initramfs size (${initramfs_size_bytes} bytes) is larger than 900mb; it may not boot on a 2gb RAM machine."
+	else
+		log notice "${inventory_id}: Uncompressed initramfs size (${initramfs_size_bytes} bytes) is smaller than 900mb."
+	fi
 
 	if [[ "${LK_RUN}" == "qemu" ]]; then
 		linuxkit_run_qemu
@@ -137,6 +153,13 @@ function linuxkit_build() {
 	rm -rf "${dtbs_tmp_dir}"
 	rm "${lk_output_dir}/dtbs-${OUTPUT_ID}.tar.gz"
 
+	if [[ "${OUTPUT_TARBALL_FILELIST:-"no"}" == "yes" ]]; then
+		log info "OUTPUT_TARBALL_FILELIST=yes; including tar and filelist in output."
+		mv -v "${lk_output_dir}/hook.tar" "out/hook/hook_rootfs_${OUTPUT_ID}.tar"
+		tar --list -vf "out/hook/hook_rootfs_${OUTPUT_ID}.tar" > "out/hook/hook_rootfs_${OUTPUT_ID}.filelist"
+	fi
+
+	# finally clean up the hook-specific out dir
 	rm -rf "${lk_output_dir}"
 
 	# tar the files into out/hook.tar in such a way that vmlinuz and initramfs are at the root of the tar; pigz it

images/hook-bootkit/Dockerfile

@@ -2,7 +2,7 @@ FROM golang:1.21-alpine as dev
 COPY . /src/
 WORKDIR /src
 RUN go mod download
-RUN CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o /bootkit
+RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /bootkit
 
 FROM alpine
 COPY --from=dev /bootkit .

images/hook-bootkit/hook-bootkit

@@ -18,7 +18,7 @@ RUN mkdir -p $GOPATH/src/github.com/containerd && \
   git checkout $CONTAINERD_COMMIT
 RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make libseccomp-dev
 WORKDIR $GOPATH/src/github.com/containerd/containerd
-RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
+RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-w -s -extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
 
 # install nerdctl
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCHITECTURE=amd64; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCHITECTURE=arm64; else ARCHITECTURE=amd64; fi \

images/hook-containerd/Dockerfile

@@ -1,10 +1,16 @@
 FROM golang:1.20-alpine as dev
 COPY . /src/
 WORKDIR /src
-RUN CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o /hook-docker
+RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /hook-docker
 
 FROM docker:26.1.0-dind
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
-RUN apk update; apk add kexec-tools
+RUN apk update && apk add kexec-tools binutils && rm -rf /var/cache/apk/*
+# Won't use docker-buildx nor docker-compose
+RUN rm -rf /usr/local/libexec/docker/cli-plugins
+# Strip some large binaries
+RUN strip /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-proxy /usr/local/bin/runc
+# Purge binutils package after stripping
+RUN apk del binutils
 COPY --from=dev /hook-docker .
 ENTRYPOINT ["/hook-docker"]

images/hook-docker/Dockerfile

@@ -2,7 +2,7 @@ FROM alpine
 
 USER root:root
 
-RUN apk add --no-cache mdev-conf
+RUN apk add --no-cache mdev-conf && rm -rf /var/cache/apk/*
 
 CMD ["mdev", "-v", "-df"]
 

images/hook-mdev/Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
   git clone https://github.com/opencontainers/runc.git
 WORKDIR $GOPATH/src/github.com/opencontainers/runc
 RUN git checkout $RUNC_COMMIT
-RUN make static BUILDTAGS="seccomp" EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS="-extldflags \\\"-fno-PIC -static\\\""
+RUN make static BUILDTAGS="seccomp" EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS="-s -w -extldflags \\\"-fno-PIC -static\\\""
 RUN cp runc /usr/bin/
 
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/010-onboot