public inbox for isar-users@googlegroups.com
From: "'Felix Moessbauer' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com,
	Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH v1 15/16] use copy of sbom-chroot for sbom creation
Date: Thu, 26 Feb 2026 17:28:42 +0100	[thread overview]
Message-ID: <20260226162843.1642329-18-felix.moessbauer@siemens.com> (raw)
In-Reply-To: <20260226162843.1642329-1-felix.moessbauer@siemens.com>

We previously used the same sbom-chroot for generating the sbom of
different root filesystems. This required having a live copy of the
sbom-chroot in the deploy dir, which was also operated on. Further,
this copy was left behind in the deploy dir.

We improve this by just storing a minimized tarball of the sbom-chroot
in the deploy dir and extracting that into the workdir of the rootfs.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes-recipe/imagetypes_wic.bbclass    |  4 ++-
 meta/classes/sbom.bbclass                     | 28 ++++++++++++++++---
 .../sbom-chroot/sbom-chroot.bb                | 11 +++++++-
 3 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 9f1e3de4..20afc615 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -205,9 +205,11 @@ EOIMAGER
         | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
 
     if ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'true', 'false', d)} ; then
+        prepare_sbom_chroot
         for bomtype in ${SBOM_TYPES}; do
             merge_wic_sbom $bomtype
         done
+        cleanup_sbom_chroot
     fi
 }
 
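Review bot: cleanup_sbom_chroot is skipped when merge_wic_sbom fails. This is a shell task running under set -e, so a failure inside the for loop leaves the privileged extraction in ${SBOM_CHROOT_LOCAL} behind, which is the lingering-copy problem the commit message sets out to fix, only relocated from the deploy dir to WORKDIR. The Python task in sbom.bbclass wraps the same prepare/generate/cleanup sequence in try/finally; here a `trap cleanup_sbom_chroot EXIT` directly after prepare_sbom_chroot, or the same try/finally shape in a Python wrapper, would give the wic path the same guarantee.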
@@ -222,7 +224,7 @@ merge_wic_sbom() {
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
+        --bind ${SBOM_CHROOT_LOCAL} / \
         -- debsbom -v merge -t $BOMTYPE \
             --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
             --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
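Review bot: merge_wic_sbom now depends on its caller having run prepare_sbom_chroot, but nothing checks that ${SBOM_CHROOT_LOCAL} exists before bwrap binds it as /. A missing or half-extracted directory surfaces as an opaque bwrap mount error; a guard such as `[ -d "${SBOM_CHROOT_LOCAL}" ] || bbfatal "sbom-chroot not prepared, call prepare_sbom_chroot first"` at the top of the function fails early with a clear message.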
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index e3d0e702..d45ae54d 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -23,7 +23,8 @@ SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
 DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
 
 SBOM_DIR = "${DEPLOY_DIR}/sbom"
-SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot.tar.zst"
+SBOM_CHROOT_LOCAL = "${WORKDIR}/sbom-chroot"
 
 # adapted from the isar-cip-core image_uuid.bbclass
 def generate_document_uuid(d, warn_not_repr=True):
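Review bot: SBOM_CHROOT keeps its name but changes meaning from a directory to a .tar.zst archive, which is a silent interface change for any layer that bind-mounts or reads ${SBOM_CHROOT} directly. Renaming the archive variable (for example SBOM_CHROOT_TARBALL), or at least a comment above the two assignments stating that SBOM_CHROOT is the deployed archive and SBOM_CHROOT_LOCAL the per-task extraction, would make the split explicit and make stale users of the old directory fail loudly.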
@@ -40,14 +41,24 @@ def sbom_doc_uuid(d):
     if not d.getVar("SBOM_DOCUMENT_UUID"):
         d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
 
+prepare_sbom_chroot() {
+    run_privileged_heredoc <<'EOF'
+        set -e
+        mkdir -p ${SBOM_CHROOT_LOCAL}
+        tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}
+EOF
+}
+
 generate_sbom() {
-    run_privileged mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+    run_privileged mkdir -p \
+        ${SBOM_CHROOT_LOCAL}/mnt/rootfs \
+        ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir
 
     TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
     bwrap \
         --unshare-user \
         --unshare-pid \
-        --bind ${SBOM_CHROOT} / \
+        --bind ${SBOM_CHROOT_LOCAL} / \
         --bind ${ROOTFSDIR} /mnt/rootfs \
         --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
         -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
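Review bot: prepare_sbom_chroot extracts on top of whatever is already in ${SBOM_CHROOT_LOCAL}. `mkdir -p` succeeds on an existing directory, so a tree left over from an aborted run is merged with the fresh extraction rather than replaced, and the chroot that debsbom runs in is no longer exactly the deployed tarball. Either `rm -rf "${SBOM_CHROOT_LOCAL}"` before the mkdir inside the same privileged heredoc, or fail if the directory already exists, so that every SBOM run starts from a known chroot.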
@@ -59,8 +70,17 @@ generate_sbom() {
             --timestamp $TIMESTAMP ${SBOM_DEBSBOM_EXTRA_ARGS}
 }
 
+cleanup_sbom_chroot() {
+    run_privileged rm -rf ${SBOM_CHROOT_LOCAL}
+}
+
 do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
+do_generate_sbom[network] = "${TASK_USE_SUDO}"
 python do_generate_sbom() {
     sbom_doc_uuid(d)
-    bb.build.exec_func("generate_sbom", d)
+    try:
+        bb.build.exec_func("prepare_sbom_chroot", d)
+        bb.build.exec_func("generate_sbom", d)
+    finally:
+        bb.build.exec_func("cleanup_sbom_chroot", d)
 }
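Review bot: the new `do_generate_sbom[network] = "${TASK_USE_SUDO}"` line has no comment explaining why SBOM generation needs the network flag exactly when sudo is in use; the same pairing appears on do_sbomchroot_deploy in this patch, so a one-line comment at either site would spare the next reader the archaeology. The try/finally around prepare_sbom_chroot, generate_sbom and cleanup_sbom_chroot is the right shape; since cleanup_sbom_chroot runs `rm -rf ${SBOM_CHROOT_LOCAL}` under run_privileged, a `[ -n "${SBOM_CHROOT_LOCAL}" ]` guard in that function is cheap insurance against the variable ever being emptied by a misconfigured layer.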
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
index bf6d6683..fec1f502 100644
--- a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -27,7 +27,16 @@ ROOTFSDIR = "${WORKDIR}/rootfs"
 ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
 
 do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy[network] = "${TASK_USE_SUDO}"
 do_sbomchroot_deploy() {
-    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+    # deploy with empty var to make it smaller
+    lopts="--one-file-system --exclude=var/*"
+    ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
+
+    run_privileged \
+        tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS} . \
+            | $ZSTD > ${SBOM_CHROOT}
+    # cleanup extracted rootfs
+    run_privileged rm -rf ${ROOTFSDIR}
 }
 addtask do_sbomchroot_deploy before do_build after do_rootfs
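Review bot: the `tar ... | $ZSTD > ${SBOM_CHROOT}` pipeline has no pipefail, so if tar aborts part way through, the pipeline's status is zstd's, set -e does not fire, and a truncated ${SBOM_CHROOT} is deployed while the task still succeeds; the damage only shows up later in prepare_sbom_chroot of some other recipe. Writing to ${SBOM_CHROOT}.tmp and moving it into place only after checking tar's status (or `set -o pipefail` where the task shell supports it) closes that window, and the `run_privileged rm -rf ${ROOTFSDIR}` should then run only on success. Separately, `--exclude=var/*` travels through the unquoted $lopts and is subject to pathname expansion; in practice it stays literal because no directory named `--exclude=var` exists in the task's cwd, but passing the option directly and quoted on the tar line removes the reliance on that. The `# deploy with empty var to make it smaller` comment could also state that dropping var/* removes the chroot's own dpkg database under var/lib, which is fine only because the chroot is used to run debsbom against a bind-mounted rootfs, not as an image in its own right.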
-- 
2.51.0
