Add Dockerfile, build.sh wrapper and files

Dockerfile

@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: MIT
+# Author: Nils Freydank <nils.freydank@posteo.de>
+#
+# ===========================================================================
+#   Update the source image.
+# ===========================================================================
+FROM gentoo/stage3:amd64-nomultilib-systemd as bootstrap
+# Migrate to a merged-usr form.
+RUN emerge --quiet-build=y --oneshot merge-usr
+RUN merge-usr
+RUN eselect profile set "default/linux/amd64/17.1/no-multilib/systemd/merged-usr"
+# Replace /etc/portage/make.conf.
+RUN rm --one-file-system /etc/portage/make.conf
+COPY make.conf /etc/portage/make.conf
+RUN chown root:root -R /etc/portage/make.conf
+# Update the compiler
+RUN emerge --oneshot --usepkg sys-devel/gcc:13
+RUN eselect gcc set x86_64-pc-linux-gnu-13 && source /etc/profile
+# Update libtool after the compiler update.
+RUN emerge --oneshot sys-devel/libtool
+# Rebuild the whole world set, probably mostly with binpkgs.
+RUN emerge --emptytree --verbose --usepkg @world
+# Install further toolchains
+RUN emerge --usepkg --noreplace dev-lang/rust dev-lang/go \
+    @rust-rebuild @golang-rebuild
+# Rebuild packages if necessary.
+RUN emerge @preserved-rebuild
+
+# ===========================================================================
+#   Clean up the image.
+# ===========================================================================
+RUN rm --verbose --recursive --preserve-root /var/tmp/
+
+# ===========================================================================
+#   Create the new image
+# ===========================================================================
+FROM scratch
+COPY --from=bootstrap / /
+
+# vim:fileencoding=utf-8:ts=4:syntax=dockerfile:expandtab

build.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+# Author: Nils Freydank <nils.freydank@posteo.de>
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+set -uxa
+
+GPG_SIGNING_KEY="${GPG_SIGNING_KEY:-0x0F1DEAB2D36AD112}"
+
+IMAGE_TAG="gentoo-bootstrap-1:$(date --utc +%Y%m%d_%H%M%S)"
+REPOS="${REPOS:-/var/db/repos}"
+DISTFILES="${DISTFILES:-/var/cache/distfiles-podman-1}"
+BINPKG="${BINPKG:-/var/cache/packages-podman-1}"
+LOGDIR="${LOGDIR:-$(pwd)/logs}"
+DOCKER_FILE="${DOCKER_FILE:-$(pwd)/Dockerfile}"
+
+podman_build_args=(
+    # Limit the memory to be used.
+    --memory=20G
+    --memory-swap=1G
+    --shm-size=2G
+    # Share the gentoo repo, overlays etc.
+    -v "${REPOS}:/var/db/repos:ro"
+    # Share the distfiles, i.e. typically source archives.
+    -v "${DISTFILES}:/var/cache/distfiles:rw,U"
+    # Share the binpkgs r/w cache.
+    -v "${BINPKG}:/var/cache/packages:rw,U"
+    # Keep the logs out of the container.
+    -v "${LOGDIR}:/var/log:rw,U"
+    # Use the given OCI file/Dockerfile.
+    -f "${DOCKER_FILE}"
+    # Tag the generated image.
+    -t "${IMAGE_TAG}"
+    # Label the image.
+    --label="gentoo-nfr-${IMAGE_TAG}"
+    # Sign the image.
+    #--sign-by="${GPG_SIGNING_KEY}"
+    --no-cache
+)
+
+mkdir -p "${REPOS}"
+mkdir -p "${DISTFILES}"
+mkdir -p "${BINPKG}"
+mkdir -p "${LOGDIR}"
+
+podman pull gentoo/stage3:amd64-nomultilib-systemd
+podman build "${podman_build_args[@]}"
+
+# vim:fileencoding=utf-8:ts=4:syntax=bash:expandtab

make.conf/LLVM_TARGETS

@@ -0,0 +1 @@
+LLVM_TARGETS="BPF X86"

make.conf/elogv

@@ -0,0 +1,2 @@
+PORTAGE_ELOG_SYSTEM="save"
+PORTAGE_ELOG_CLASSES="warn error info log qa"

make.conf/flags

@@ -0,0 +1,13 @@
+COMMON_FLAGS="-O3 -pipe -march=x86-64-v3"
+CFLAGS="${COMMON_FLAGS} -D_FORTIFY_SOURCE=3"
+CXXFLAGS="${COMMON_FLAGS} -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS"
+FCFLAGS="${COMMON_FLAGS}"
+FFLAGS="${COMMON_FLAGS}"
+# -Wl,-O1 -Wl,-as-needed are the default flags
+# '-fdiagnostics-color=always': print colourful diagnostic messages, see man ld
+# '__gentoo_check_ldflags__'  : print QA linker flags
+# '-Wl,-z,relro'              : make segments RO after relocation
+# '-Wl,-z,now'                : disable lazy-binding
+LDFLAGS="-Wl,-O2 -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -fdiagnostics-color=always -Wl,--defsym=__gentoo_check_ldflags__=0"
+
+CPU_FLAGS_X86="aes"

make.conf/global_use

@@ -0,0 +1,2 @@
+USE="-cet -filecaps -python -nls -sslv3 -tcpd"
+USE="${USE} caps hardened"

make.conf/portage

@@ -0,0 +1,27 @@
+ACCEPT_KEYWORDS="~amd64"
+EMERGE_DEFAULT_OPTS="--quiet-build --autounmask=n --binpkg-respect-use=y"
+FEATURES="buildpkg clean-logs compress-build-logs noinfo preserve-libs"
+FEATURES="${FEATURES} -ipc-sandbox -network-sandbox -pid-sandbox"
+MAKEOPTS="-j7 -l8"
+#
+BINPKG_FORMAT="gpkg"
+PORTAGE_COMPRESS="xz"
+PORTAGE_COMPRESS_FLAGS="-9 -T6 --memlimit-decompress=1500M"
+BINPKG_COMPRESS="${PORTAGE_COMPRESS}"
+BINPKG_COMPRESS_FLAGS="${PORTAGE_COMPRESS_FLAGS}"
+#BINPKG_GPG_SIGNING_GPG_HOME="/var/lib/portage/home/.gnupg"
+#BINPKG_GPG_SIGNING_KEY="0x1234567890ABCDEF"
+#FEATURES="${FEATURES} binpkg-signing"
+
+# see bug #662982
+P_BASE="/var/cache"
+DISTDIR="${P_BASE}/distfiles"
+PKGDIR="${P_BASE}/packages"
+
+PORT_LOGDIR="/var/log/portage"
+PORT_LOGDIR_CLEAN="find \"${PORT_LOGDIR}\" -type f ! -name \"summary.log*\" -mtime +84 -delete"
+
+# This sets the language of build output to English.
+# Please keep this setting intact when reporting bugs.
+LC_MESSAGES=C
+# EOF