From a56d87d4e670c51d3f53490763ff4e6a8312b5d6 Mon Sep 17 00:00:00 2001
From: Leon Anavi
Date: Mon, 14 Apr 2025 16:55:04 +0300
Subject: [PATCH] yocto-builder/Dockerfile: Ubuntu 22.04
Upgrade to Ubuntu 22.04 because it is compatible with the Yocto Project release Walnascar and provides a newer Python version:
- Add --ulimit "nofile=1024:1048576" to yocto-builds.yml.
- Increase vm.max_map_count.
- Add --security-opt apparmor=unconfined to docker cmdline.
- Run docker without the default seccomp profile
This commit is backport from branch master to Scarthgap because Ubuntu 20.04 reached its end of life (EOL) on May 31, 2025. Yocto release Scarthgap also supports Ubuntu 22.04.
This work was sponsored by GOVCERT.LU.
Suggested-by: Martin Steegmanns
Suggested-by: Stu Westerman @stu-spp
Suggested-by: Khem Raj
Signed-off-by: Leon Anavi
---
 .github/workflows/compliance.yml | 4 +++-
 .../docker-images/yocto-builder/Dockerfile | 18 +++++++++++-------
 .github/workflows/yocto-builds.yml | 4 +++-
 .github/workflows/yocto-layer.yml | 3 ++-
 4 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index ec489f0..1207acb 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -23,7 +23,9 @@ jobs:
 id: ${{ github.event.number }}
 - name: Do DCO check
 run: |
- docker run --rm -v "$GITHUB_WORKSPACE:/work:ro" \
+ docker run --rm --security-opt apparmor=unconfined \
+ --security-opt seccomp=unconfined \
+ -v "$GITHUB_WORKSPACE:/work:ro" \
 --env "BASE_REF=$GITHUB_BASE_REF" \
 "dco-check-${{ github.event.number }}"
 - name: Cleanup temporary docker image
diff --git a/.github/workflows/docker-images/yocto-builder/Dockerfile b/.github/workflows/docker-images/yocto-builder/Dockerfile
index 87221b9..728b473 100644
--- a/.github/workflows/docker-images/yocto-builder/Dockerfile
+++ b/.github/workflows/docker-images/yocto-builder/Dockerfile
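Review bot: The DCO check container now runs with both the default seccomp profile and AppArmor disabled, yet nothing in this job calls for it: the hunk mounts the workspace read-only and runs the `dco-check-…` image, which is a git-history check rather than a bitbake build, and the commit message motivates the unconfined options by the Ubuntu 22.04 Yocto builder. Removing the syscall filter from a job that presumably runs on pull-request content widens the kernel surface exposed to that content for no stated benefit. Unless the DCO image actually fails under the default profiles, keep `docker run --rm -v "$GITHUB_WORKSPACE:/work:ro" \` as it was; if it does fail, a comment above the line naming the blocked operation would let the exception be revisited later.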
@@ -2,20 +2,21 @@
 #
 # SPDX-License-Identifier: MIT
-FROM ubuntu:20.04
+FROM ubuntu:22.04
 ARG DEBIAN_FRONTEND="noninteractive"
-RUN apt-get update -qq
+RUN apt-get update -q -y
 RUN apt-get install -y eatmydata
 # Yocto/OE build host dependencies
 # Keep this in sync with
-# https://git.yoctoproject.org/poky/tree/documentation/poky.yaml
+# https://git.yoctoproject.org/poky/tree/documentation/poky.yaml.in
+# https://git.yoctoproject.org/poky/tree/documentation/tools/host_packages_scripts/ubuntu_essential.sh
 RUN eatmydata apt-get install -qq -y \
- gawk wget git diffstat unzip texinfo gcc build-essential chrpath \
- socat cpio python3 python3-pip python3-pexpect xz-utils debianutils \
- iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
- pylint3 xterm python3-subunit mesa-common-dev zstd liblz4-tool
+ build-essential chrpath cpio debianutils diffstat file gawk gcc \
+ git iputils-ping libacl1 liblz4-tool locales python3 python3-git \
+ python3-jinja2 python3-pexpect python3-pip python3-subunit socat \
+ texinfo unzip wget xz-utils zstd
 # en_US.UTF-8 is required by the build system
 RUN eatmydata apt-get install -qq -y locales \
@@ -29,6 +30,9 @@ RUN eatmydata apt-get clean && rm -rf /var/lib/apt/lists/*
 RUN echo "dash dash/sh boolean false" | debconf-set-selections \
 && dpkg-reconfigure dash
+# Fix the resource exhaustion problem on the build infrastructure
+RUN echo 'vm.max_map_count = 4048576' >> /etc/sysctl.conf
+
 # Run under normal user called 'ci'
 RUN useradd --create-home --uid 1000 --shell /usr/bin/bash ci
 USER ci
diff --git a/.github/workflows/yocto-builds.yml b/.github/workflows/yocto-builds.yml
index 408d25e..87b009b 100644
--- a/.github/workflows/yocto-builds.yml
+++ b/.github/workflows/yocto-builds.yml
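Review bot: `RUN apt-get update -q -y` is still a layer of its own ahead of the `apt-get install` steps; `-y` does nothing for `update`, and keeping the index refresh separate lets a cached build install from a stale package list (hadolint DL3009). Folding it into the next instruction, `RUN apt-get update -q && apt-get install -y eatmydata`, fixes that without changing what gets installed. `locales` is also now listed in the new package block and again in the dedicated `apt-get install -qq -y locales` that follows, so one of the two can go. `FROM ubuntu:22.04` keeps a floating tag; pinning a digest would make the Scarthgap builder reproducible, though that is pre-existing style rather than something this hunk introduced.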
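Review bot: The added `RUN echo 'vm.max_map_count = 4048576' >> /etc/sysctl.conf` in the second hunk cannot deliver what its comment promises: nothing visible in the Dockerfile reads `/etc/sysctl.conf`, and `vm.max_map_count` is a host-wide kernel setting that is not namespaced, so a process inside the container cannot raise it and the build will still run with the runner's value. If the limit is genuinely needed, set it on the runner host in the workflow step before `docker run` (for example `sudo sysctl -w vm.max_map_count=4048576`) and drop this line. If the line is kept as a reminder, reword the comment to say so, e.g. `# Reminder only: vm.max_map_count must be raised on the host; this file is not applied inside a container`.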
@@ -66,7 +66,8 @@ jobs:
 if: steps.changed-files-specific.outputs.any_changed == 'true'
 - name: Build the image
 run: |
- docker run --rm \
+ docker run --rm --security-opt apparmor=unconfined \
+ --security-opt seccomp=unconfined \
 -v "$GITHUB_WORKSPACE:/work:ro" \
 -v "$DL_DIR:$DL_DIR:rw" \
 -v "$SSTATE_DIR:$SSTATE_DIR:rw" \
@@ -76,6 +77,7 @@ jobs:
 --env "IMAGE=${{ matrix.image }}" \
 --env "DL_DIR=$DL_DIR" \
 --env "SSTATE_DIR=$SSTATE_DIR" \
+ --ulimit "nofile=1024:1048576" \
 "yocto-builder-${{ github.event.number }}" \
 /entrypoint-build.sh
 if: steps.changed-files-specific.outputs.any_changed == 'true'
diff --git a/.github/workflows/yocto-layer.yml b/.github/workflows/yocto-layer.yml
index fa11815..555241b 100644
--- a/.github/workflows/yocto-layer.yml
+++ b/.github/workflows/yocto-layer.yml
@@ -42,7 +42,8 @@ jobs:
 if: steps.changed-files-specific.outputs.any_changed == 'true'
 - name: Run yocto-check-layer
 run: |
- docker run --rm -v "$GITHUB_WORKSPACE:/work:ro" \
+ docker run --rm --security-opt apparmor=unconfined \
+ -v "$GITHUB_WORKSPACE:/work:ro" \
 --env "BASE_REF=$GITHUB_BASE_REF" \
 "yocto-builder-${{ github.event.number }}" \
 /entrypoint-yocto-check-layer.sh
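Review bot: The builder container now runs without the default seccomp profile and without AppArmor, but neither this hunk nor the commit message records which operation failed under the defaults, so a later maintainer cannot judge whether a narrower exception would do. If the trigger is bitbake's namespace-based network isolation (the usual reason on newer hosts, to be confirmed), a custom profile that adds only the missing syscalls to Docker's default, passed as `--security-opt seccomp=<path-to-profile.json>`, keeps the rest of the filter in place. At minimum add a comment above the option, such as `# seccomp/apparmor unconfined: required by bitbake on the Ubuntu 22.04 builder; see <issue-or-log reference>`, and apply the same reasoning to the identical pair added in compliance.yml.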
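Review bot: This hunk adds only `--security-opt apparmor=unconfined`, whereas the matching `docker run` lines in yocto-builds.yml and compliance.yml also add `--security-opt seccomp=unconfined`, and the commit message lists both options. `/entrypoint-yocto-check-layer.sh` runs in the same `yocto-builder-…` image and presumably drives bitbake as well, so either this job needs the same seccomp exception or the other jobs do not need it either. The three invocations should agree, and if the difference is deliberate a comment next to the option should say why.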