Reduce changes to only GuestOS

ic-os/defs.bzl

@@ -147,15 +147,8 @@ def icos_build(
             "/run",
             "/boot",
             "/var",
-            "/usr/lib/firmware/brcm/brcmfmac43241b4-sdio.Intel Corp.-VALLEYVIEW C0 PLATFORM.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43340-sdio.ASUSTeK COMPUTER INC.-TF103CE.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43362-sdio.ASUSTeK COMPUTER INC.-ME176C.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43455-sdio.MINIX-NEO Z83-4.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43455-sdio.Raspberry Pi Foundation-Raspberry Pi 4 Model B.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac43455-sdio.Raspberry Pi Foundation-Raspberry Pi Compute Module 4.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac4356-pcie.Intel Corporation-CHERRYVIEW D1 PLATFORM.txt.zst",
-            "/usr/lib/firmware/brcm/brcmfmac4356-pcie.Xiaomi Inc-Mipad2.txt.zst",
+            "/usr/lib/firmware/brcm/brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt",
+            "/usr/lib/firmware/brcm/brcmfmac43455-sdio.MINIX-NEO Z83-4.txt",
         ],
         target_compatible_with = [
             "@platforms//os:linux",

ic-os/hostos/context/Dockerfile

@@ -39,7 +39,7 @@ RUN localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 
 # Clear files that may lead to indeterministic build.
 RUN apt-get clean && \
-    find /usr/lib/python3.12 -name "*.pyc" | xargs rm && \
+    find /usr/lib/python3.8 -name "*.pyc" | xargs rm && \
     find /usr/lib/python3 -name "*.pyc" | xargs rm && \
     find /usr/share/python3 -name "*.pyc" | xargs rm && \
     truncate --size 0 /etc/machine-id
@@ -91,7 +91,6 @@ RUN systemctl enable \
     chrony \
     libvirtd \
     nftables \
-    ssh \
     systemd-journal-gatewayd \
     systemd-networkd \
     systemd-networkd-wait-online \
@@ -118,8 +117,14 @@ RUN rm -rf \
         /usr/local/share/qemu/edk2-arm-code.fd \
         /usr/local/share/qemu/edk2-arm-vars.fd
 
+# Add user/group entries specified here: /usr/lib/sysusers.d/systemd.conf E.g., systemd-timesync/coredump
+RUN systemd-sysusers && \
+    # Fix reproducibility issue. Notes in hostos/context/Dockerfile    
+    usermod -p '!!' systemd-timesync && \
+    usermod -p '!!' systemd-coredump
+
 # Set /bin/sh to point to /bin/bash instead of the default /bin/dash
-RUN ln -sf bash /usr/bin/sh
+RUN echo "set dash/sh false" | debconf-communicate && dpkg-reconfigure -fnoninteractive dash
 
 # Group accounts to which parts of the runtime state are assigned such that
 # user accounts can be granted individual access rights.

ic-os/hostos/context/Dockerfile.base

@@ -20,7 +20,7 @@
 # First build stage:
 # - Download 3rd party tools
 #
-FROM ubuntu:24.04 AS download
+FROM ubuntu:20.04 AS download
 
 USER root:root
 
@@ -48,7 +48,7 @@ RUN cd /tmp/ && \
 # Second build stage:
 # - Compile downloaded archives from first build stage
 #
-FROM ubuntu:24.04 AS build
+FROM ubuntu:20.04 AS build
 
 USER root:root
 
@@ -63,8 +63,7 @@ RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommend
     libusb-1.0-0-dev \
     ninja-build \
     pkg-config \
-    python3 \
-    python3-setuptools
+    python3
 
 # Configure and compile QEMU
 COPY --from=download /tmp/qemu-6.2.0.tar.xz /tmp/qemu-6.2.0.tar.xz
@@ -82,7 +81,7 @@ RUN cd /tmp/ && \
 # - Install and cache upstream packages from built-in Ubuntu repositories.
 # - Install compiled packages from the second stage.
 #
-FROM ubuntu:24.04
+FROM ubuntu:20.04
 
 USER root:root
 

ic-os/hostos/context/packages.common

@@ -5,14 +5,13 @@
 # image only.
 
 # Need kernel to boot anything
-linux-image-generic-hwe-24.04
+linux-image-generic-hwe-20.04
 initramfs-tools
 
 # Need systemd for boot process
 systemd
 systemd-sysv
 systemd-journal-remote
-systemd-resolved
 
 # Third-party services we will be running
 chrony
@@ -76,7 +75,7 @@ xxd
 # QEMU required dependencies for version 6.2
 ipxe-qemu
 ipxe-qemu-256k-compat-efi-roms
-libaio1t64
+libaio1
 libatomic1
 libc6
 libfdt1

ic-os/hostos/context/packages.dev

@@ -7,7 +7,7 @@ nano
 # packages requested by networking
 tcpdump
 iperf
-netcat-openbsd
+netcat
 curl
 iputils-ping
 

ic-os/hostos/envs/dev/BUILD.bazel

@@ -7,7 +7,6 @@ load("//ic-os/hostos:defs.bzl", "image_deps")
 #    or //ic-os/defs.bzl for the full list of targets.
 icos_build(
     name = "dev",
-    build_local_base_image = True,
     ic_version = "//bazel:rc_only_version.txt",
     image_deps_func = image_deps,
     upload_prefix = "host-os",

ic-os/hostos/envs/prod/BUILD.bazel

@@ -7,7 +7,6 @@ load("//ic-os/hostos:defs.bzl", "image_deps")
 #    or //ic-os/defs.bzl for the full list of targets.
 icos_build(
     name = "prod",
-    build_local_base_image = True,
     image_deps_func = image_deps,
     upload_prefix = "host-os",
     visibility = ["//rs:ic-os-pkg"],

ic-os/setupos/context/Dockerfile

@@ -39,7 +39,7 @@ RUN localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 
 # Clear files that may lead to indeterministic build.
 RUN apt-get clean && \
-    find /usr/lib/python3.12 -name "*.pyc" | xargs rm && \
+    find /usr/lib/python3.8 -name "*.pyc" | xargs rm && \
     find /usr/lib/python3 -name "*.pyc" | xargs rm && \
     find /usr/share/python3 -name "*.pyc" | xargs rm && \
     truncate --size 0 /etc/machine-id
@@ -76,6 +76,7 @@ RUN systemctl enable \
     systemd-resolved
 
 RUN systemctl disable \
+    systemd-timesyncd \
     ssh
 
 # ------ SETUPOS WORK --------------------------------------------

ic-os/setupos/context/Dockerfile.base

@@ -16,7 +16,7 @@
 # 1. Get your MR approved and merged into master
 # 2. On the next hourly master pipeline, click the "deploy-setup-os-baseimg" job
 # 3. Note the sha256 and update the sha256 reference in the neighboring Dockerfiles.
-FROM ubuntu:24.04
+FROM ubuntu:20.04
 
 USER root:root
 

ic-os/setupos/context/packages.common

@@ -3,20 +3,18 @@
 # operation for the "prod" image.
 
 # Need kernel to boot anything
-linux-image-generic-hwe-24.04
+linux-image-generic-hwe-20.04
 initramfs-tools
 
 # Need systemd for boot process
 systemd
 systemd-sysv
 systemd-journal-remote
-systemd-resolved
 
 # Third-party services we will be running
 chrony
 
 # Required system setup tools
-ssh
 attr
 ca-certificates
 curl

ic-os/setupos/context/packages.dev

@@ -7,7 +7,7 @@ nano
 # packages requested by networking
 tcpdump
 iperf
-netcat-openbsd
+netcat
 curl
 iputils-ping
 

ic-os/setupos/envs/dev/BUILD.bazel

@@ -8,7 +8,6 @@ load("//ic-os/setupos:defs.bzl", "image_deps")
 #    or //ic-os/defs.bzl for the full list of targets.
 icos_build(
     name = "dev",
-    build_local_base_image = True,
     ic_version = "//bazel:rc_only_version.txt",
     image_deps_func = image_deps,
     upgrades = False,

ic-os/setupos/envs/prod/BUILD.bazel

@@ -8,7 +8,6 @@ load("//ic-os/setupos:defs.bzl", "image_deps")
 #    or //ic-os/defs.bzl for the full list of targets.
 icos_build(
     name = "prod",
-    build_local_base_image = True,
     image_deps_func = image_deps,
     upgrades = False,
     upload_prefix = "setup-os",