merge trunk/l2 into main (#115)

* chore: move persistent-mount under bob

* chore: tidy up gitignore

* fix: specify the package during rust builds

* feat: implement blanket gcp image build

* fix: measurement output

* feat: use available resources + 2.0 readiness

* feat: add preflight command

* use fixed time in kernel build

* fix: "normalise" yocto kernel

* fix: "normalise" ubuntu kernel config snippet

* feat: allow modular kernel config snippets

* feat: add reproducibility check

* feat: implement base l2 image

* fix: build profile-less base

* feat: implement op-rbuilder image

* fix: fix setup_lima when run on a mac

Prior to this commit, env_wrapper's 'setup_lima' command would only work for Linux
because it uses the 'nproc' and 'free' shell commands, which do not exist on Mac.
Now, the script detects the platform and uses the appropriate shell commands

* chore: use reth 1.9.2 + fixes

* fix cmake under apple silicon

* disable saving gcp measurements to file

* Update GCP measurement tool to latest version

* Switch to official fluent-bit build

* Fix gcp measurement cmdline

* Pin Debian archive

* Update measurement code again

* chore: tidy-up

(move snippets around to the right places)

* chore: drop unused code

* fix: bail out if curl is not installed

* fix: downgrade to 1.8.4 op-reth

* fix: revert away from official fluent-bit build

* Revert "fix: revert away from official fluent-bit build"

This reverts commit cf2f4b2.

(cherry picked from commit 9941146)

* Fix fluent bit

(cherry picked from commit ea20da4)

* Normalize UID and GID entries

* chore: tidy-up

* Update GCP measurement code

* Allow installing packages from debian backports

* Replace L2 rustup with debian backports rustc/cargo

* Cleanups for L2 branch

* Use default mirror uri, not empty file

* Fix issue from testing

* upgrade: use op-rbuilder `0.2.13`

(cherry picked from commit c41df38)

* Use permit for flashblocks number contract

(cherry picked from commit 42ad1bb)

* feat: allow building rproxy with features

* chore: bump rproxy version

* fix: the shutdown scripts

* fix: the shutdown script

* chore: update the doc

* feat: implement l2 simulator builds

* Add flashblocks block time arg

* chore: tidy-up

* chore: tidy up

* fix: add missing package

* fix: use different uid for simulator

* feat: allow using full conf file names

* feat: implement l2 unichain-builder builds

* fix: pull op-rbuilder repo for tdx-quote-provider build

* feat: allow using git sha versions

* fix: enforce exec bit

* fix: use rust 1.91.1 for simulator

* fix: use correct source of data

* feat: create build manifest

* chore: fix typo

* feat: add build duration to the manifest

* chore: bump rproxy version

* fix: enable circuit breaker

* chore: upgrade op-rbuilder

* fix: dont use local

* feat: enable cargo features

* fix: distinguish binaries with different features

* feat: pick RUSTFLAGS from config.toml

* chore: bump op-rbuilder rust version to 1.92.0

* feat: allow feature-less simulator

* feat: rework image ids

* Apply suggestion from @0x416e746f6e

Co-authored-by: Anton <anton@northernforest.nl>

* chore: tidy up

* chore: migrate to signal-boost repo

* chore: enable backrun and statediff ports

* bump rust stable 1.94

* chore: remove post-integration artifacts

* feat: log time to build the image

* feat: add environment pre-warm command

* chore: explain gitignore entries

* chore: add sudo command to the dev image

* feat: pre-add `debian` user to dev image

* fix: make sure to update hostname on boot

* chore: bump max image size to 1Gb

* feat: generate build-manifest

* feat: implement builder images

* feat: implement simulator image

* fix: enable non-root users to login on dev images

* fix: move services under minimal.target

* fix: use local gcp dns

* feat: implement console-less dev images

* chore: disable console

* feat: implement disabling root login on dev images

* chore: disable root-login

* chore: switch to `.chroot` scripts

* chore: remove redundant code

* fix: revert to 500MiB

measured boot scripts are hardcoded at that size

* fix: remove redundant `systemctl enable`

* fix: move set-host script under l2

* review: drop time

* feat: add artifact sizes to build manifest

* review: remove redundant config

* chore: remove redundant `systemctl enable`

* review: resolve internal domains via nic's dns

* chore: extract dev users creation

---------

Co-authored-by: Ilya Lukyanov <ilya@luk.moe>
Co-authored-by: Melvillian <alex.melville@uniswap.org>
Co-authored-by: alexhulbert <alex@alexhulbert.com>
Co-authored-by: avalonche <avalonche@protonmail.com>
Co-authored-by: julio4 <30329843+julio4@users.noreply.github.com>

Author: 6 people

.gitignore

@@ -1,15 +1,23 @@
-build/
+# mkosi/build artifacts
+
+.bypass-lima
+*.qcow2
 build.*/
-mkosi/
+build/
 env.json
-mkosi.packages/
-mkosi.cache/
 mkosi.builddir/
-*.qcow2
-.claudesync/
-.claudeignore
-tmp/
-.temp
+mkosi.cache/
+mkosi.packages/
+mkosi/
 NvVars
+
+# temporary files
+
+.temp
+tmp/
+
+# IDEs/agents/whatnot
+
+.claudeignore
+.claudesync/
 .vscode
-.bypass-lima

Makefile

@@ -35,6 +35,9 @@ all: build
 setup: ## Install dependencies (Linux only)
 	@scripts/setup_deps.sh
 
+preflight:
+	@$(WRAPPER) echo "Ready to build"
+
 # Build module
 build: setup ## Build the specified module
 	$(WRAPPER) mkosi --force --image-id $(IMAGE) --include=images/$(IMAGE).conf

README.md

@@ -104,7 +104,7 @@ sudo usermod -aG kvm $USER
   ```
 
 > [!NOTE]
-> 
+>
 > Depending on your Linux distro, these commands may require changing the
 > supplied OVMF paths or installing your distro's OVMF package.
 

images/l2-op-rbuilder-bproxy.conf

@@ -0,0 +1,14 @@
+[Config]
+Profiles=gcp
+
+[Distribution]
+Snapshot=20260301T083349Z
+
+[Include]
+Include=shared/mkosi.conf
+Include=modules/l2/_common/mkosi.conf
+Include=modules/l2/_gcp/mkosi.conf
+Include=modules/l2/_devtools_users/mkosi.conf
+Include=modules/l2/_devtools_no_console/mkosi.conf
+Include=modules/l2/_devtools_no_root_login/mkosi.conf
+Include=modules/l2/op-rbuilder-bproxy/mkosi.conf

images/l2-op-rbuilder.conf

@@ -0,0 +1,14 @@
+[Config]
+Profiles=gcp
+
+[Distribution]
+Snapshot=20260301T083349Z
+
+[Include]
+Include=shared/mkosi.conf
+Include=modules/l2/_common/mkosi.conf
+Include=modules/l2/_gcp/mkosi.conf
+Include=modules/l2/_devtools_users/mkosi.conf
+Include=modules/l2/_devtools_no_console/mkosi.conf
+Include=modules/l2/_devtools_no_root_login/mkosi.conf
+Include=modules/l2/op-rbuilder/mkosi.conf

images/l2-simulator.conf

@@ -0,0 +1,14 @@
+[Config]
+Profiles=gcp
+
+[Distribution]
+Snapshot=20260301T083349Z
+
+[Include]
+Include=shared/mkosi.conf
+Include=modules/l2/_common/mkosi.conf
+Include=modules/l2/_gcp/mkosi.conf
+Include=modules/l2/_devtools_users/mkosi.conf
+Include=modules/l2/_devtools_no_console/mkosi.conf
+Include=modules/l2/_devtools_no_root_login/mkosi.conf
+Include=modules/l2/simulator/mkosi.conf

mkosi.profiles/devtools/mkosi.conf

@@ -18,6 +18,7 @@ Packages=adjtimex
          screen
          socat
          strace
+         sudo
          tcpdump
          tcpflow
          vim

…tc/systemd/system/serial-console.service …ib/systemd/system/serial-console.servicemkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service renamed to mkosi.profiles/devtools/mkosi.extra/usr/lib/systemd/system/serial-console.service mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service renamed to mkosi.profiles/devtools/mkosi.extra/usr/lib/systemd/system/serial-console.service

@@ -1,6 +1,11 @@
 #!/bin/bash
+
 set -euxo pipefail
 
+# Enable console service
+mkosi-chroot systemctl unmask serial-console.service
+mkosi-chroot systemctl add-wants minimal.target serial-console.service
+
 # Deterministically set root password
 PASSWORD="dqSPjo4p"
 HASH=$(mkosi-chroot openssl passwd -6 -salt salt "$PASSWORD")
@@ -16,6 +21,6 @@ if [ -f "$BUILDROOT/etc/default/dropbear" ]; then
 else
     echo "PermitRootLogin yes" >> "$BUILDROOT/etc/ssh/sshd_config"
     echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config"
-    mkosi-chroot systemctl unmask ssh.service ssh.socket
-    mkosi-chroot systemctl add-wants minimal.target ssh.service
+    mkosi-chroot systemctl unmask ssh.service ssh.socket systemd-user-sessions.service
+    mkosi-chroot systemctl add-wants minimal.target ssh.service systemd-user-sessions.service
 fi

mkosi.profiles/devtools/mkosi.postinst

@@ -0,0 +1 @@
+CONFIG_XFS_FS=y