# runtime_sources

Source-of-truth inputs for `make runtime-bundle`.

Current state:

- `build/runtime_sources/` contains the real materialized runtime inputs used to build the packaged bundle.
- The checked-in tracked files under `runtime_sources/linux-x86_64/` are build recipes and lock metadata, not the materialized binaries/images.
- `guest/pyro_guest_agent.py` is the guest agent source artifact that is installed into each built rootfs.
- Real source materialization now writes into `build/runtime_sources/`, not back into the tracked placeholder files.
- The packaged runtime images under `src/pyro_mcp/runtime_bundle/` are stored via Git LFS, so contributor clones need `git lfs install` and an LFS-enabled checkout.

Materialization workflow:

1. `make runtime-fetch-binaries`
2. `make runtime-build-kernel-real`
3. `make runtime-build-rootfs-real`
4. `make runtime-bundle`

Official environment publication workflow:

1. `make runtime-materialize`
2. `OCI_REGISTRY_USERNAME=... OCI_REGISTRY_PASSWORD=... make runtime-publish-official-environments-oci`
3. Alternatively, run the repo workflow at `.github/workflows/publish-environments.yml`

Build requirements for the real path:

- `docker`
- outbound network access to GitHub and Debian snapshot mirrors
- enough disk for a kernel build plus 2G ext4 images per profile

Kernel build note:

- The kernel builder now defaults to conservative parallelism to avoid compiler crashes on memory-constrained hosts.
- If you still need to force a lower setting, use `PYRO_KERNEL_BUILD_JOBS=1 make runtime-build-kernel-real` or `PYRO_KERNEL_BUILD_JOBS=1 make runtime-materialize`.

Current status:

1. Firecracker and Jailer are materialized from pinned official release artifacts.
2. The kernel and rootfs images are built from pinned inputs into `build/runtime_sources/`.
3. The guest agent is installed into each rootfs and used for vsock exec.
4. `runtime.lock.json` now advertises real guest capabilities.

Safety rule:

- The build pipeline should never emit `vm_boot=true`, `guest_exec=true`, or `guest_network=true` while any source artifact is still a shim or placeholder.
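The safety rule above as a pre-bundle gate, added here as an example and not code from the pyro_mcp repository: it refuses to let `vm_boot`, `guest_exec` or `guest_network` be advertised while any artifact is still recorded as a placeholder, and cross-checks each "materialized" claim against the file on disk so a relabelled shim is caught too. The lock layout it reads (`capabilities` and `artifacts` keys, per-artifact `status`, `path` and `sha256`) is an assumption, not the project's real `runtime.lock.json` schema.

```python
# Gate for the safety rule above: no guest capability may be advertised while any
# source artifact is still a shim. Added example, not pyro_mcp code; the lock layout
# ("capabilities"/"artifacts" keys, per-artifact "status", "path", "sha256") is assumed.
import hashlib
import tempfile
from pathlib import Path

CAPABILITY_FLAGS = ("vm_boot", "guest_exec", "guest_network")

def placeholder_artifacts(lock: dict) -> list[str]:
    """Artifacts whose recorded status is anything other than 'materialized'."""
    return sorted(name for name, meta in lock.get("artifacts", {}).items()
                  if meta.get("status") != "materialized")

def advertised_capabilities(lock: dict) -> list[str]:
    """Flags set to exactly True; the string "true" or the integer 1 does not count."""
    return [f for f in CAPABILITY_FLAGS if lock.get("capabilities", {}).get(f) is True]

def check_lock(lock: dict) -> list[str]:
    """Rule violations; an empty list means the lock may be emitted. Fails closed
    when the lock carries no artifact inventory at all."""
    shims = placeholder_artifacts(lock) if lock.get("artifacts") else ["<no artifact inventory>"]
    return [f"{flag}=true advertised while placeholders remain: {', '.join(shims)}"
            for flag in advertised_capabilities(lock)] if shims else []

def verify_on_disk(lock: dict, root: Path) -> list[str]:
    """Cross-check each 'materialized' claim against the file under root."""
    problems = []
    for name, meta in lock.get("artifacts", {}).items():
        if meta.get("status") != "materialized":
            continue
        path = root / meta.get("path", name)
        if not path.is_file() or path.stat().st_size == 0:
            problems.append(f"{name}: missing or empty at {path}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != meta.get("sha256"):
            problems.append(f"{name}: sha256 does not match the lock")
    return problems

SAMPLE_LOCK = {  # constructed: guest_exec advertised while the guest agent is a shim
    "capabilities": {"vm_boot": True, "guest_exec": True, "guest_network": False},
    "artifacts": {
        "firecracker": {"status": "materialized", "path": "firecracker",
                        "sha256": hashlib.sha256(b"fake-binary").hexdigest()},
        "guest_agent": {"status": "placeholder", "path": "guest/pyro_guest_agent.py"}}}

def demo() -> tuple[list[str], list[str]]:
    """Run both checks against SAMPLE_LOCK inside a throwaway build directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "firecracker").write_bytes(b"fake-binary")  # matches the lock digest
        return check_lock(SAMPLE_LOCK), verify_on_disk(SAMPLE_LOCK, Path(tmp))
```

Wire `check_lock` and `verify_on_disk` into the step that writes `runtime.lock.json` and abort the bundle on any non-empty result.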