[PATCH 0/7] ci: container: include musl and LLVM

[PATCH 0/7] ci: container: include musl and LLVM

[Ahmad Fatoum]

We have been using clang out-of-tree for libfuzzer and clang-analyzer.
As preparation for upstream these as well as CI jobs that make use of
them, add them LLVM to the container image.

While at it, add musl-tools as well, so we can start catching musl
breakage in CI before Yocto CI runs into it.

Ahmad Fatoum (7):
  Revert "ci: container: downgrade OpenRISC toolchain from 14.2.0 to
    13.1.0"
  ci: container: download and delete kvx.tgz in the same layer
  ci: container: don't leave labgrid checkout in /tmp
  ci: container: don't install recommended packages
  ci: container: run apt-get clean after installation
  ci: container: add musl-tools
  ci: container: install LLVM/clang

 test/Containerfile | 40 +++++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 13 deletions(-)

-- 
2.39.5

[PATCH 1/7] Revert "ci: container: downgrade OpenRISC toolchain from 14.2.0 to 13.1.0"

[Ahmad Fatoum]

This or1k issue turned out to be caused by the QEMU update[1] that came
with bumping the Debian release of the container image and not the
toolchain update.

We don't have the QEMU fix in the container yet, but we have a
workaround in commit b2a21df3b07b ("openrisc: dts: describe all 4 UARTs").

So let's revert the erroneous toolchain downgrade.

[1]: https://lore.kernel.org/all/20241203111513.402641-2-shorne@gmail.com/

Fixes: 6d4c6b01f4c4 ("ci: container: downgrade OpenRISC toolchain from 14.2.0 to 13.1.0")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Containerfile b/test/Containerfile
index 53a5443e48fe..94b3f618261c 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -61,7 +61,7 @@ RUN korg_crosstool_dl() { wget -nv -O - https://mirrors.edge.kernel.org/pub/tool
     korg_crosstool_dl x86_64 ${GCC_VERSION} arm-linux-gnueabi && \
     korg_crosstool_dl x86_64 ${GCC_VERSION} aarch64-linux     && \
     korg_crosstool_dl x86_64 ${GCC_VERSION} mips-linux        && \
-    korg_crosstool_dl x86_64 13.1.0         or1k-linux        && \
+    korg_crosstool_dl x86_64 ${GCC_VERSION} or1k-linux        && \
     korg_crosstool_dl x86_64 ${GCC_VERSION} powerpc-linux     && \
     korg_crosstool_dl x86_64 ${GCC_VERSION} riscv64-linux
 
-- 
2.39.5

[PATCH 2/7] ci: container: download and delete kvx.tgz in the same layer

[Ahmad Fatoum]

The results of each RUN instruction are saved to layer in the resulting
container. Having a separate RUN instruction to delete temporary files
thus only hides them at runtime, but the files are still there eating
up space.

The common wisdom is thus to combine creation, usage and deletion of
temporary files into a single RUN instruction.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/test/Containerfile b/test/Containerfile
index 94b3f618261c..246f50d5b648 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -65,12 +65,10 @@ RUN korg_crosstool_dl() { wget -nv -O - https://mirrors.edge.kernel.org/pub/tool
     korg_crosstool_dl x86_64 ${GCC_VERSION} powerpc-linux     && \
     korg_crosstool_dl x86_64 ${GCC_VERSION} riscv64-linux
 
-RUN wget -nv -O kvx.tgz https://github.com/kalray/build-scripts/releases/download/v5.0.0/gcc-kalray-kvx-ubuntu-22.04-v5.0.0.tar.gz
-
-RUN echo "d27b3d6e6246f5debffee0bb01e77eb133bd32c658782a68a779cf9fb4c436bc kvx.tgz" | \
-    sha256sum --check --status
-
-RUN tar -C /opt -xzf kvx.tgz && rm kvx.tgz
+RUN tgz_checksum_dl() { set -e; wget -nv -O archive.tgz "$1"; \
+                        echo "$2 archive.tgz" | sha256sum --check --status; tar -C /opt -xzf archive.tgz; rm archive.tgz; } && \
+    tgz_checksum_dl https://github.com/kalray/build-scripts/releases/download/v5.0.0/gcc-kalray-kvx-ubuntu-22.04-v5.0.0.tar.gz \
+                    d27b3d6e6246f5debffee0bb01e77eb133bd32c658782a68a779cf9fb4c436bc
 
 RUN wget -nv "https://github.com/qemu/qemu/blob/v5.2.0/pc-bios/opensbi-riscv32-generic-fw_dynamic.bin?raw=true" -O /usr/share/qemu/opensbi-riscv32-generic-fw_dynamic.bin
 
-- 
2.39.5

[PATCH 3/7] ci: container: don't leave labgrid checkout in /tmp

[Ahmad Fatoum]

The /tmp directory survives into the built container.
As pip can install directly from a remote git repository, let's use that
instead.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/test/Containerfile b/test/Containerfile
index 246f50d5b648..c4b2ba0ea583 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -77,11 +77,9 @@ RUN useradd -m -U barebox
 RUN echo barebox ALL=NOPASSWD: ALL > /etc/sudoers.d/barebox
 
 # install labgrid
-RUN cd /tmp && \
-    git clone --depth 1 -b v24.0 https://github.com/labgrid-project/labgrid && \
-    cd labgrid && \
-    pip3 install --break-system-packages . && \
-    ln -s $(which pytest) /usr/local/bin/labgrid-pytest;
+RUN pip3 install -q --no-cache-dir --break-system-packages \
+    git+https://github.com/labgrid-project/labgrid.git@v24.0 && \
+    ln -s $(which pytest) /usr/local/bin/labgrid-pytest
 
 ENV CROSS_COMPILE_arm=/opt/gcc-${GCC_VERSION}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi-
 ENV CROSS_COMPILE_arm64=/opt/gcc-${GCC_VERSION}-nolibc/aarch64-linux/bin/aarch64-linux-
-- 
2.39.5

[PATCH 4/7] ci: container: don't install recommended packages

[Ahmad Fatoum]

Either we want a package and we reference it explicitly or we don't, in
which case we don't want it taking up space in the container.

This breaks SVG to png image conversion with imagemagick, because it
calls rsvg-convert. Import librsvg2-bin to provide it.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/Containerfile b/test/Containerfile
index c4b2ba0ea583..73b0f1b70802 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -10,7 +10,7 @@ LABEL Description="This image is for building and testing barebox inside a conta
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and install things from apt now
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
 	bison \
 	build-essential \
 	coreutils \
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
 	libgit2-dev \
 	libguestfs-tools \
 	liblz4-tool \
+	librsvg2-bin \
 	libseccomp-dev \
 	libssl-dev \
 	libtool \
-- 
2.39.5

[PATCH 5/7] ci: container: run apt-get clean after installation

[Ahmad Fatoum]

For good measure, let's run an apt-get clean after having installed the
package to hopefully save some space.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/Containerfile b/test/Containerfile
index 73b0f1b70802..02610196f0d9 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -53,6 +53,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 	u-boot-tools \
 	yamllint \
 	yq \
+	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
 ENV GCC_VERSION=14.2.0
-- 
2.39.5

[PATCH 6/7] ci: container: add musl-tools

[Ahmad Fatoum]

The musl-tools package provides a musl-gcc wrapper that can be used to
compile applications statically against musl.

Add it to the BSP, so we can use it from CI in future.
This will enable us to:

  - catch breakage in especially host/target tools when compiled with
    musl as OpenEmbedded does in CI and Alpine/PostmarketOS does
    by default

  - distribute statically linked tools with releases.

Cc: Jules Maselbas <jmaselbas@zdiv.net>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/Containerfile b/test/Containerfile
index 02610196f0d9..e9b044c87ab7 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -31,6 +31,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 	lzma-alone \
 	lzop \
 	mount \
+	musl-tools \
 	openssl \
 	pkg-config \
 	util-linux \
-- 
2.39.5

[PATCH 7/7] ci: container: install LLVM/clang

[Ahmad Fatoum]

This will be used later for clang-analyzer and libfuzzer.
We intentionally use the LLVM project apt repositories for greater
flexibility in the versions we want to use, e.g. LLVM 20 is not yet
available on Debian Bookworm.

kernel.org also hosts more barebones LLVM toolchains, but we are
interested in more than that.

The LLVM layer added to the container sits at 1.04GiB, which is about
200MiB less than what we are using for the GCC toolchains.
It contains support for cross-compiling 47 different targets.

Cc: Jules Maselbas <jmaselbas@zdiv.net>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/test/Containerfile b/test/Containerfile
index e9b044c87ab7..20402c384b6f 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -58,6 +58,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 	&& rm -rf /var/lib/apt/lists/*
 
 ENV GCC_VERSION=14.2.0
+ENV LLVM_VERSION=20
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+	lsb-release software-properties-common gnupg \
+	&& wget https://apt.llvm.org/llvm.sh \
+	&& chmod +x llvm.sh && ./llvm.sh ${LLVM_VERSION} \
+	&& apt-get remove -y lsb-release software-properties-common gnupg \
+	&& apt-get autoremove -y --purge \
+	&& apt-get clean \
+	&& rm -rf llvm.sh /var/lib/apt/lists/*
 
 # Manually install the kernel.org Crosstool based toolchains
 RUN korg_crosstool_dl() { wget -nv -O - https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/${1}/${2}/${1}-gcc-${2}-nolibc-${3}.tar.xz | tar -C /opt -xJ ; } && \
@@ -92,4 +102,9 @@ ENV CROSS_COMPILE_powerpc=/opt/gcc-${GCC_VERSION}-nolibc/powerpc-linux/bin/power
 ENV CROSS_COMPILE_riscv=/opt/gcc-${GCC_VERSION}-nolibc/riscv64-linux/bin/riscv64-linux-
 ENV CROSS_COMPILE_kvx=/opt/gcc-kalray-kvx-v5.0.0/bin/kvx-elf-
 
+ENV CROSS_COMPILE_llvm=-${LLVM_VERSION}
+# Workaround for https://github.com/llvm/llvm-project/issues/112458
+RUN ln -Ts /usr/lib/llvm-${LLVM_VERSION}/lib/clang/${LLVM_VERSION}/lib/linux/ \
+           /usr/lib/llvm-${LLVM_VERSION}/lib/clang/${LLVM_VERSION}/lib/x86_64-pc-linux-gnu
+
 USER barebox:barebox
-- 
2.39.5

Re: [PATCH 0/7] ci: container: include musl and LLVM

[Sascha Hauer]

On Wed, 26 Mar 2025 13:36:12 +0100, Ahmad Fatoum wrote:
> We have been using clang out-of-tree for libfuzzer and clang-analyzer.
> As preparation for upstream these as well as CI jobs that make use of
> them, add them LLVM to the container image.
> 
> While at it, add musl-tools as well, so we can start catching musl
> breakage in CI before Yocto CI runs into it.
> 
> [...]

Applied, thanks!

[1/7] Revert "ci: container: downgrade OpenRISC toolchain from 14.2.0 to 13.1.0"
      https://git.pengutronix.de/cgit/barebox/commit/?id=fc304e4f07c8 (link may not be stable)
[2/7] ci: container: download and delete kvx.tgz in the same layer
      https://git.pengutronix.de/cgit/barebox/commit/?id=69a3750c7b3c (link may not be stable)
[3/7] ci: container: don't leave labgrid checkout in /tmp
      https://git.pengutronix.de/cgit/barebox/commit/?id=864116e7642f (link may not be stable)
[4/7] ci: container: don't install recommended packages
      https://git.pengutronix.de/cgit/barebox/commit/?id=c037cd73fe99 (link may not be stable)
[5/7] ci: container: run apt-get clean after installation
      https://git.pengutronix.de/cgit/barebox/commit/?id=b99360e1c2e2 (link may not be stable)
[6/7] ci: container: add musl-tools
      https://git.pengutronix.de/cgit/barebox/commit/?id=d4122875856f (link may not be stable)
[7/7] ci: container: install LLVM/clang
      https://git.pengutronix.de/cgit/barebox/commit/?id=256014d2c998 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>