merge main into trunk/l2 #107
lighthouse 8.0.0 needs it
BoB L1: new tdx-init, LH 8.0.0, fix artifact naming
Switch from Fluent Bit to custom Rust solution
Simplify reproducible lighthouse v8 build process
…g.d, and reverted other buildernet changes
question:
@alexhulbert do you know why is this removed?
functionality isn't affected, see https://www.notion.so/flashbots/Standardized-Mkosi-Networking-Config-3206b4a0d87680479d0be394fe8c84f7?source=copy_link
functionality isn't affected
not entirely:
metadata.google.internal works, yes:
# dig metadata.google.internal
; <<>> DiG 9.20.18-1~deb13u1-Debian <<>> metadata.google.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;metadata.google.internal. IN A
;; ANSWER SECTION:
metadata.google.internal. 3600 IN A 169.254.169.254
;; Query time: 1 msec
;; SERVER: 169.254.169.254#53(169.254.169.254) (UDP)
;; WHEN: Thu Mar 12 10:10:35 UTC 2026
;; MSG SIZE rcvd: 69
but just metadata is broken:
# dig metadata
; <<>> DiG 9.20.11-4-Debian <<>> metadata
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40267
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;metadata. IN A
;; Query time: 3747 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Mar 12 10:15:55 UTC 2026
;; MSG SIZE rcvd: 37
split-horizon DNS is broken b/c of this.
with current config (1.1.1.1 over DoT):
# dig rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net
; <<>> DiG 9.20.11-4-Debian <<>> rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net. IN A
;; AUTHORITY SECTION:
l2b.flashbots.net. 300 IN SOA ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
;; Query time: 46 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Mar 12 10:19:20 UTC 2026
;; MSG SIZE rcvd: 172 ^C
same via GCP's metadata:
# dig rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net @metadata.google.internal
; <<>> DiG 9.20.11-4-Debian <<>> rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net @metadata.google.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24134
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net. IN A
;; ANSWER SECTION:
rpc.builder.opt-uni-testnet-1301.l2b.flashbots.net. 3600 IN A 10.86.0.15
;; Query time: 6 msec
;; SERVER: 169.254.169.254#53(metadata.google.internal) (UDP)
;; WHEN: Thu Mar 12 10:19:47 UTC 2026
;; MSG SIZE rcvd: 95
non split-horizon DNS resolution doesn't work either, b.t.w.
compare this:
# dig prometheus.l2-meva-uni.gcp.internal
; <<>> DiG 9.20.11-4-Debian <<>> prometheus.l2-meva-uni.gcp.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44604
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;prometheus.l2-meva-uni.gcp.internal. IN A
;; AUTHORITY SECTION:
. 7047 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2026031200 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Mar 12 16:14:15 UTC 2026
;; MSG SIZE rcvd: 139
with this:
# dig prometheus.l2-meva-uni.gcp.internal @metadata.google.internal
; <<>> DiG 9.20.11-4-Debian <<>> prometheus.l2-meva-uni.gcp.internal @metadata.google.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;prometheus.l2-meva-uni.gcp.internal. IN A
;; ANSWER SECTION:
prometheus.l2-meva-uni.gcp.internal. 3600 IN A 10.86.0.30
;; Query time: 5 msec
;; SERVER: 169.254.169.254#53(metadata.google.internal) (UDP)
;; WHEN: Thu Mar 12 16:15:02 UTC 2026
;; MSG SIZE rcvd: 80
ahh, i see.
adding Domains=~internal to base/mkosi.extra/etc/systemd/network/10-ethernet.network should fix the issue. and then for your split-horizon, you can add additional domains via a module-specific mkosi.extra/etc/systemd/network/10-ethernet.network.d/extra.conf like so:
[Network]
Domains=~l2b.flashbots.net
question:
@alexhulbert what's the point of this file? (it doesn't seem to be referenced anywhere)
forgot to remove it. hostname stuff shouldn't be in the global GCP profile since buildernet handles hostnames differently (they're set from builderhub there)
| SizeMinBytes=524288000 | ||
| SizeMaxBytes=524288000 |
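Review bot: SizeMinBytes and SizeMaxBytes are set to the same value, 524288000 (500 MiB), which pins the partition to exactly that size and leaves no room to grow; the review question right below asks for 1 GB or a dynamic size. Suggest dropping SizeMaxBytes (or raising both values) so the partition can be sized to its contents, and adding a comment stating what is expected to fit in it.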
question:
can we bump this to 1Gb @alexhulbert? (I had corner cases where I needed that much)
dynamic will do too.
| # Refine trusted sources using cloud hypervisor when available | ||
| server 169.254.169.254 iburst minpoll 4 maxpoll 4 | ||
| server 169.254.169.123 iburst minpoll 4 maxpoll 4 |
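Review bot: the comment above these two lines says "Refine trusted sources", but neither server line carries a trust or prefer option, so they are weighted like any other source; and the addresses are not identified (169.254.169.254 is the GCP metadata server resolved earlier in this thread, 169.254.169.123 is the Amazon Time Sync address). Suggest naming the provider on each line, and noting that on a non-cloud image chrony will keep polling both unreachable link-local addresses every 16 s (minpoll 4 / maxpoll 4), which is the cost of keeping them out of dedicated profiles.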
question:
@alexhulbert these two look like blanket references to NTP services in different clouds. why not have them in dedicated mkosi.profiles?
these two together form the standards for all cloud providers and these lines do nothing on a non-cloud image, so I added them here for simplicity. see https://www.notion.so/flashbots/Standardized-Mkosi-Networking-Config-3206b4a0d87680479d0be394fe8c84f7?source=copy_link for details
| @@ -0,0 +1,3 @@ | |||
| [Resolve] | |||
| DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com | |||
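Review bot: this drop-in sets only a global DNS= pointing at Cloudflare and carries no Domains= routing for the link, so systemd-resolved forwards every name without a matching per-link routing domain to the external resolver; the dig output in this thread shows names under gcp.internal and l2b.flashbots.net answered by 169.254.169.254 but NXDOMAIN from 127.0.0.53. Suggest pairing this file with Domains=~internal on the link (and a per-module drop-in for further routing domains), and documenting in the file that the DHCP-learned link servers stay authoritative for those domains.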
question:
@alexhulbert is it ok to override this in particular images?
e.g. I use split-horizon DNS in some places => for those to work the resolver must be of the relevant cloud, not external.
the new image actually supports that out of the box via DHCP-provided domains, no need to override anything. see https://www.notion.so/flashbots/Standardized-Mkosi-Networking-Config-3206b4a0d87680479d0be394fe8c84f7?source=copy_link for details
it might support DHCP-provided domains, but I am talking about split-horizon DNS (so, not DHCP)
I'm also talking about split horizon DNS. shortcuts like "metadata" or fully qualified names like "metadata.google.internal" correctly resolve using the google hypervisor DNS server, but then regular sites like flashbots.net resolve thru cloudflare over DoT. DHCP doesn't just provide an IP, it also provides a list of LAN addresses with corresponding hostnames that systemd-resolved can add to its list of hosts.
if you're doing something even more complicated, you can always add a drop in file, though.
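The routing described in the two comments above (Domains=~internal on the link, an extra routing domain per module, single-label shortcuts completed from the DHCP search list, everything else to Cloudflare over DoT), as an added illustration that is not code from this PR and not systemd's own algorithm: a simplified Python model of systemd-resolved's per-link routing-domain selection (routing by Domains=~ entries only). The search list c.example-project.internal / google.internal is a constructed value; the server addresses are the ones quoted in the thread.

```python
"""Simplified model of how systemd-resolved picks a DNS server per query.
Added illustration only: not this PR's code, not systemd's exact algorithm."""
from __future__ import annotations
from dataclasses import dataclass, field

GLOBAL_DNS = ["1.1.1.1#cloudflare-dns.com", "1.0.0.1#cloudflare-dns.com"]  # from the [Resolve] drop-in
HYPERVISOR_DNS = ["169.254.169.254"]                   # GCP metadata resolver seen in the thread
GCP_SEARCH = ["c.example-project.internal", "google.internal"]  # constructed DHCP search list

@dataclass
class Link:
    dns: list[str]                                    # per-link servers learned via DHCP
    search: list[str] = field(default_factory=list)   # search domains complete single labels
    routing: list[str] = field(default_factory=list)  # Domains=~suffix entries route to dns

def _suffix_match(fqdn: str, domain: str) -> bool:
    fqdn, domain = fqdn.rstrip(".").lower(), domain.strip(".").lower()
    return fqdn == domain or fqdn.endswith("." + domain)

def pick_servers(fqdn: str, links: list[Link]) -> list[str]:
    """Longest matching routing domain wins; no match falls back to global DNS."""
    best_link, best_len = None, -1
    for link in links:
        for dom in link.routing:
            if _suffix_match(fqdn, dom) and len(dom) > best_len:
                best_link, best_len = link, len(dom)
    return best_link.dns if best_link else GLOBAL_DNS

def plan_queries(name: str, links: list[Link]) -> list[tuple[str, list[str]]]:
    """Candidate (fqdn, servers) pairs in the order resolved would try them."""
    if "." in name.rstrip("."):
        return [(name, pick_servers(name, links))]
    # A single label is not sent to unicast DNS as-is: each search domain is
    # appended and the completed name is routed like any other FQDN.
    return [(f"{name}.{s}", pick_servers(f"{name}.{s}", links))
            for link in links for s in link.search]

# Before: DHCP servers on the link but no routing domains, so every name goes
# to Cloudflare and the internal names in the thread come back NXDOMAIN.
BEFORE = [Link(dns=HYPERVISOR_DNS, search=GCP_SEARCH)]
# After: Domains=~internal in 10-ethernet.network plus the per-module drop-in
# adding Domains=~l2b.flashbots.net for the split-horizon zone.
AFTER = [Link(dns=HYPERVISOR_DNS, search=GCP_SEARCH,
              routing=["internal", "l2b.flashbots.net"])]

def server_for(name: str, links: list[Link]) -> list[str]:
    """Servers the first candidate query is sent to (what dig's SERVER line reflects)."""
    return plan_queries(name, links)[0][1]
```

Running `server_for` for the names from the dig sessions against BEFORE and AFTER reproduces the split: internal and l2b.flashbots.net names move to the hypervisor resolver while flashbots.net itself stays on Cloudflare.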
pls see comment above. neither split-dns nor just plain internal dns is reliably working.
question:
shouldn't this only happen in dev images @alexhulbert?
this file provides access to a timestamp-fixed snapshot of the Debian backports repo. This allows us to install newer versions of packages before they're officially released in debian trixie. It's a no-op to your actual package list unless you add "/trixie-backports" to one of your installed packages in your mkosi.conf
I mean, on prod images that we don't have access to we wouldn't even be able to install any packages, nor are any kinds of automations supposed to do that either.
I think that any debian repos should be present only on dev images, right?
kernel/snippets/ubuntu.config
question:
how was this update produced @alexhulbert?
Fryd's recently finished PR produces an equivalent kernel but in a much simpler and more transparent way. Removing this file is the final step in the standardization/simplification process and should be merged into main this week.
I don't understand. my question was about this present file - namely how was it produced. not about parallel work Fryd has done.
or do you mean to say that this file is here temporarily and will be replaced by Fryd's work?
fix: set default file to latest.efi
Bump lighthouse to 8.1.2
feat: add support to Debian kernel source builds and kernel patches
Reorganize Repo Directory Structure
subj.