Merge branch 'main' of github.com:flashbots/flashbots-images into ilya/podman-init

Author: alexhulbert

DEVELOPMENT.md

@@ -22,10 +22,11 @@ This comprehensive guide covers everything you need to know about developing wit
 ```
 flashboxes/
 ├── base/                   # Core minimal Linux system
-│   ├── base.conf           # Base mkosi configuration
+│   ├── mkosi.conf          # Base mkosi configuration
 │   ├── mkosi.skeleton/     # Base filesystem overlay
 │   └── debloat*.sh         # System cleanup scripts
-├── bob/                    # BoB Searcher sandbox 
+├── bob-common/             # TEE Searcher common image
+├── bob-l1/                 # L1 TEE Searcher sandbox image
 ├── buildernet/             # BuilderNet
 ├── tdx-dummy/              # TDX test environment
 ├── kernel/                 # Kernel configuration
@@ -58,7 +59,7 @@ chmod +x mkosi.build mkosi.postinst
 
 ### Step 2: Create Module Configuration
 
-**`mymodule/mymodule.conf`**:
+**`mymodule/mkosi.conf`**:
 ```ini
 [Build]
 # Environment variables available in scripts
@@ -89,8 +90,8 @@ BuildPackages=build-essential
 **`mymodule.conf`** (in project root):
 ```ini
 [Include]
-Include=base/base.conf
-Include=mymodule/mymodule.conf
+Include=base/mkosi.conf
+Include=mymodule/mkosi.conf
 ```
 
 ### Step 4: Build Your Module
@@ -469,7 +470,7 @@ Reproducible builds are essential for security and trust. Here's how to verify y
 mkosi --force -I mymodule.conf
 cp build/mymodule-image.efi build/first-build.efi
 
-mkosi --force -I mymodule.conf  
+mkosi --force -I mymodule.conf
 cp build/mymodule-image.efi build/second-build.efi
 
 # Compare hashes
@@ -536,7 +537,7 @@ set -e
 # Create system user
 useradd -r -s /bin/false myapp || true
 
-# Set permissions  
+# Set permissions
 chown myapp:myapp /etc/myapp/config.conf
 chmod 600 /etc/myapp/config.conf
 
@@ -547,7 +548,7 @@ systemctl start myapp.service || true
 exit 0
 ```
 
-### Pre-removal Script  
+### Pre-removal Script
 
 **`DEBIAN/prerm`**:
 ```bash
@@ -598,15 +599,15 @@ sudo dpkg -i mypackage-1.0.deb
 ### Package Scripts Execution Order
 
 1. **Installation**: `preinst` → files copied → `postinst`
-2. **Upgrade**: `preinst upgrade` → files copied → `postinst configure` 
+2. **Upgrade**: `preinst upgrade` → files copied → `postinst configure`
 3. **Removal**: `prerm remove` → files removed → `postrm remove`
 4. **Purge**: `prerm remove` → files removed → `postrm purge`
 
 For comprehensive .deb creation, see: [Debian New Maintainers' Guide](https://www.debian.org/doc/manuals/maint-guide/)
 
 ## Building with Podman (Not Recommended)
 For systems without systemd v250+ or where Nix installation isn't feasible, you can use the experimental Podman containerization support. This approach is not recommended due to slower build times and a complex setup process.
-1. Configure the Podman daemon to use a storage driver other than OverlayFS  
+1. Configure the Podman daemon to use a storage driver other than OverlayFS
    - The btrfs driver is fastest, but requires that you have a btrfs filesystem
    - The storage driver can be configuring by editing `/etc/containers/storage.conf`
 2. Build the development container:
@@ -615,7 +616,7 @@ For systems without systemd v250+ or where Nix installation isn't feasible, you
    ```
 3. Create required directories
    ```
-   mkdir mkosi.packages mkosi.cache mkosi.builddir build 
+   mkdir mkosi.packages mkosi.cache mkosi.builddir build
    ```
 4. Run the container with proper mounts and privilages
    ```

README.md

@@ -2,11 +2,18 @@
 
 **Reproducible hardened Linux images for confidential computing and safe MEV**
 
-This repository provides a toolkit for building minimal, hardened Linux images designed for confidential computing environments and MEV (Maximum Extractable Value) applications. Built on mkosi and Nix, it provides reproducible, security-focused Linux distributions with strong network isolation, attestation capabilities, and blockchain infrastructure support.
+This repository provides a toolkit for building minimal, hardened Linux images
+designed for confidential computing environments and MEV (Maximum Extractable
+Value) applications. Built on mkosi and Nix, it provides reproducible,
+security-focused Linux distributions with strong network isolation, attestation
+capabilities, and blockchain infrastructure support.
 
-It contains our [bottom-of-block searcher sandbox](https://collective.flashbots.net/t/searching-in-tdx/3902) infrastructure and will soon contain our [BuilderNet](https://buildernet.org/blog/introducing-buildernet) infrastructure as well, along with any future TDX projects we implement.
+It contains our [bottom-of-block searcher sandbox](https://collective.flashbots.net/t/searching-in-tdx/3902)
+infrastructure and will soon contain our [BuilderNet](https://buildernet.org/blog/introducing-buildernet)
+infrastructure as well, along with any future TDX projects we implement.
 
-For more information about this repository, see [the Flashbots collective post](https://collective.flashbots.net/t/beyond-yocto-exploring-mkosi-for-tdx-images/4739).
+For more information about this repository, see
+[the Flashbots collective post](https://collective.flashbots.net/t/beyond-yocto-exploring-mkosi-for-tdx-images/4739).
 
 ## 🌟 Features
 
@@ -19,57 +26,27 @@ For more information about this repository, see [the Flashbots collective post](
 
 ### Prerequisites
 
-0. Make sure you're running systemd v250 or greater. Alternatively, you can utilize experimental [container support](DEVELOPMENT.md#building-with-podman-not-recommended).
-
-1. **Install Nix** (single user mode is sufficient):
-   ```bash
-   sh <(curl -L https://nixos.org/nix/install) --no-daemon
-   ```
-
-2. **Enable Nix experimental features** in `~/.config/nix/nix.conf`:
-   ```
-   experimental-features = nix-command flakes
-   ```
-
-3. **Install Debian archive keyring** (temporary requirement):
-   ```bash
-   # On Ubuntu/Debian
-   sudo apt install debian-archive-keyring
-   # On other systems, download via package manager or use Docker approach below
-   ```
+In order to build images, you'll need to install [Lima](https://lima-vm.io/) for your operating system. Building images without Lima is possible, but due to inconsistencies between distributions, it is not supported for generating official reproducible images.
 
 ### Building Images
 
-**Using Make (Recommended)**:
 ```bash
 # Build the BOB (searcher sandbox) image
 make build IMAGE=bob
 
-# Build the Buildernet image  
+# Build the Buildernet image
 make build IMAGE=buildernet
 
+# Build the l2 builder image
+make build IMAGE=l2-builder
+
 # Build with development tools
 make build-dev IMAGE=bob
 
 # View all available targets
 make help
 ```
 
-**Manual Build**:
-```bash
-# Enter the development environment
-nix develop -c $SHELL
-
-# Build a specific image
-mkosi --force -I bob.conf
-mkosi --force -I buildernet.conf
-
-# Build with profiles
-mkosi --force -I bob.conf --profile=devtools
-mkosi --force -I bob.conf --profile=azure
-mkosi --force -I bob.conf --profile=azure,devtools
-```
-
 ### Measuring TDX Boot Process
 
 **Export TDX measurements** for the built image:
@@ -116,9 +93,89 @@ This generates measurement files in the `build/` directory for attestation and v
     # ... rest of options same as above
   ```
 
-> Depending on your Linux distro, these commands may require changing the supplied OVMF paths or installing your distro's OVMF package.
+> [!NOTE]
+> 
+> Depending on your Linux distro, these commands may require changing the
+> supplied OVMF paths or installing your distro's OVMF package.
+
+> [!NOTE]
+>
+> Running `systemctl status` generates a report with an `unmerged-bin` taint. That's
+> expected.
+>
+> See [bug report #1085370](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085370)
+> for details.
+
+## Building Without Lima (Unsupported)
+
+### Prerequisites
+
+1. **Install Nix** (single user mode is sufficient):
+
+    ```bash
+    sh <(curl -L https://nixos.org/nix/install) --no-daemon
+    ```
+
+2. **Enable Nix experimental features** in `~/.config/nix/nix.conf`:
+
+    ```conf
+    experimental-features = nix-command flakes
+    ```
+
+3. **Install Debian archive keyring** (temporary requirement):
+
+    ```bash
+    # On Ubuntu/Debian
+    sudo apt install debian-archive-keyring
+    # On other systems, download via package manager or use Docker approach below
+    ```
+
+### Building
+
+```bash
+# Enter the development environment
+nix develop -c $SHELL
+
+# Build a specific image
+mkosi --force -I bob.conf
+mkosi --force -I buildernet.conf
+
+# Build with profiles
+mkosi --force -I bob.conf --profile=devtools
+mkosi --force -I bob.conf --profile=azure
+mkosi --force -I bob.conf --profile=azure,devtools
+```
+
+### Troubleshooting
+
+- If you encounter `mkosi was forbidden to unshare namespaces`, try
+adding an apparmor profile like so:
+
+  ```bash
+    sudo cat <<EOF > /etc/apparmor.d/mkosi
+    abi <abi/4.0>,
+    include <tunables/global>
+
+    /nix/store/*-mkosi-*/bin/mkosi flags=(default_allow) {
+      userns,
+    }
+    EOF
+
+    sudo systemctl reload apparmor
+  ```
+
+- If you encounter `unshare: setgroups failed: Operation not permitted`,
+try to disable apparmor's restriction:
+
+  ```bash
+  sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
+  sudo -c 'echo "kernel.apparmor_restrict_unprivileged_userns=0" >> /etc/sysctl.conf'
+  ```
+
+- If you encounter `bootctl: unrecognized option '--root=/buildroot'`, you'll need to upgrade to a newer version of systemd (at least v250), which is only supported by recent versions of Ubuntu.
 
 ## 📖 Documentation
 
 - [Development Guide](DEVELOPMENT.md) - Comprehensive guide for creating new modules and extending existing ones
-- [BOB Module Guide](bob/readme.md) - Detailed documentation for the MEV searcher environment
+- [BOB Module Guide](bob-common/readme.md) - Detailed documentation for the MEV searcher environment

base/base.conf renamed to base/mkosi.conf

@@ -1,12 +1,11 @@
 #!/bin/bash
 set -euxo pipefail
 
-source scripts/build_rust_package.sh
 source scripts/make_git_package.sh
 
 # Compile searchersh
 mkdir -p "$DESTDIR/usr/bin"
-mkosi-chroot gcc -o "$DESTDIR/usr/bin/searchersh" "$SRCDIR/bob/searchersh.c"
+mkosi-chroot gcc -o "$DESTDIR/usr/bin/searchersh" "$SRCDIR/bob-common/searchersh.c"
 chmod 755 "$DESTDIR/usr/bin/searchersh"
 
 # Compile cryptsetup
@@ -18,32 +17,6 @@ make_git_package \
     ".libs/cryptsetup:/usr/sbin/cryptsetup" \
     ".libs/libcryptsetup.so.12.11.0:/usr/lib/libcryptsetup.so.12"
 
-# Compile lighthouse
-LIGHTHOUSE_BUILD_CMD="
-    # Switch from jemalloc to the system allocator to fix reproducibility issues
-    sed -i 's/malloc_utils = { workspace = true, features = \[\"jemalloc\"\] }/malloc_utils = { workspace = true }/' lighthouse/Cargo.toml
-    sed -i 's/#\[cfg(target_os = \"windows\")\]/#[cfg(not(feature = \"jemalloc\"))]/' lighthouse/src/main.rs
-    sed -i 's/#\[cfg(not(target_os = \"windows\"))\]/#[cfg(feature = \"jemalloc\")]/' lighthouse/src/main.rs
-
-    # Reproducibility flags
-    export RUSTFLAGS='-C target-cpu=generic -C link-arg=-Wl,--build-id=none -C symbol-mangling-version=v0 -L /usr/lib/x86_64-linux-gnu -l z -l zstd -l snappy'
-    export CARGO_PROFILE_RELEASE_LTO='thin'
-    export CARGO_PROFILE_RELEASE_CODEGEN_UNITS='1'
-    export CARGO_PROFILE_RELEASE_PANIC='unwind'
-    export CARGO_PROFILE_RELEASE_STRIP='none'
-    export CARGO_PROFILE_RELEASE_OPT_LEVEL='3'
-    export CARGO_TERM_COLOR='never'
-
-    cargo fetch
-    DESTDIR=$BUILDROOT cargo build --release --frozen --bin lighthouse --no-default-features --features portable
-"
-make_git_package \
-    "lighthouse" \
-    "v7.1.0" \
-    "https://github.com/sigp/lighthouse.git" \
-	"$LIGHTHOUSE_BUILD_CMD" \
-    "target/release/lighthouse:/usr/bin/lighthouse"
-
 # Build fluent-bit
 BUILD_CMD="
     export SOURCE_DATE_EPOCH=0

bob/mkosi.build renamed to bob-common/mkosi.build

@@ -1,11 +1,10 @@
 [Build]
-Environment=LIGHTHOUSE_BINARY KERNEL_CONFIG_SNIPPETS=bob/kernel.config
 WithNetwork=true
 
 [Content]
-ExtraTrees=bob/mkosi.extra
-PostInstallationScripts=bob/mkosi.postinst
-BuildScripts=bob/mkosi.build
+ExtraTrees=bob-common/mkosi.extra
+PostInstallationScripts=bob-common/mkosi.postinst
+BuildScripts=bob-common/mkosi.build
 
 Packages=podman
          runc
@@ -32,12 +31,6 @@ Packages=podman
 BuildPackages=build-essential
               git
               gcc
-              zlib1g-dev
-              libzstd-dev
-              libleveldb-dev
-              libsnappy-dev
-              libpq-dev
-              libssl-dev
               golang
               autoconf
               automake