feat: wip

.devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-  "image": "ghcr.io/dfinity/ic-dev@sha256:0b0e1cf7202f83a29c645a84e984aea8fc2f18c3ff61869b4fd80f30949d7aa0",
+  "image": "ghcr.io/dfinity/ic-dev@sha256:b894f45fd9ed37fcb19c8cbe55cba88ca0b003b1f2350b403829b54a233077f5",
   "remoteUser": "ubuntu",
   "privileged": true,
   "runArgs": [

.github/workflows/api-bn-recovery-test.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on:
       labels: dind-large
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host
         --mount type=tmpfs,target="/home/buildifier/.local/share/containers"

.github/workflows/ci-main.yml

@@ -33,7 +33,7 @@ jobs:
     runs-on: &dind-large-setup
       labels: dind-large
     container: &container-setup
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
          -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 90

.github/workflows/ci-pr-only.yml

@@ -37,7 +37,7 @@ jobs:
     runs-on: &dind-small-setup
       labels: dind-small
     container: &container-setup
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
          -e NODE_NAME --mount type=tmpfs,target="/tmp/containers"
     steps:

.github/workflows/container-api-bn-recovery.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on:
       labels: dind-large
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host
         --mount type=tmpfs,target="/home/buildifier/.local/share/containers"

.github/workflows/container-scan-nightly.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on:
       labels: dind-large
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 60

.github/workflows/pocket-ic-tests-windows.yml

@@ -45,7 +45,7 @@ jobs:
   bazel-build-pocket-ic:
     name: Bazel Build PocketIC
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 90

.github/workflows/rate-limits-backend-release.yml

@@ -32,7 +32,7 @@ jobs:
       labels: dind-large
 
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host -v /var/tmp:/var/tmp -v /ceph-s3-info:/ceph-s3-info --mount type=tmpfs,target="/tmp/containers"
 

.github/workflows/release-testing.yml

@@ -35,7 +35,7 @@ jobs:
       group: dm1
       labels: dind-large
     container: &container-setup
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
          -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 180

.github/workflows/rosetta-release.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on:
       labels: dind-large
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     environment: DockerHub

.github/workflows/salt-sharing-canister-release.yml

@@ -32,7 +32,7 @@ jobs:
       labels: dind-large
 
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host -v /var/tmp:/var/tmp -v /ceph-s3-info:/ceph-s3-info --mount type=tmpfs,target="/tmp/containers"
 

.github/workflows/schedule-daily.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: &dind-large-setup
       labels: dind-large
     container: &container-setup
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 720 # 12 hours

.github/workflows/schedule-rust-bench.yml

@@ -24,7 +24,7 @@ jobs:
       # see linux-x86-64 runner group
       labels: rust-benchmarks
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       # running on bare metal machine using ubuntu user
       options: --user ubuntu --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 720 # 12 hours

.github/workflows/system-tests-benchmarks-nightly.yml

@@ -17,7 +17,7 @@ jobs:
       group: dm1
       labels: dind-large
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host --mount type=tmpfs,target="/tmp/containers"
     timeout-minutes: 480

.github/workflows/update-mainnet-canister-revisions.yaml

@@ -25,7 +25,7 @@ jobs:
       labels: dind-small
     environment: CREATE_PR
     container:
-      image: ghcr.io/dfinity/ic-build@sha256:688586207f0119e428d56b710538a610533f5cb400ca527baabc0b122536ce6e
+      image: ghcr.io/dfinity/ic-build@sha256:b2146fafb387bbb8eb325a6e4c49c76678d001d14016482dd5d9c4c0cb0d8d63
       options: >-
         -e NODE_NAME --privileged --cgroupns host -v /var/tmp:/var/tmp -v /ceph-s3-info:/ceph-s3-info --mount type=tmpfs,target="/tmp/containers"
     env:

BUILD.bazel

@@ -1,6 +1,7 @@
 load("@bazel_skylib//rules:common_settings.bzl", "string_setting")
 load("@gazelle//:def.bzl", "gazelle")
 load("@rules_python//python:pip.bzl", "compile_pip_requirements")
+load("//bazel:defs.bzl", "tool_file")
 load("//ci/src/artifacts:upload.bzl", "upload_artifacts")
 
 package(default_visibility = ["//visibility:public"])
@@ -248,6 +249,34 @@ alias(
     }),
 )
 
+# Single-file, executable handles for the FAT image tools above. The aliases
+# resolve to multi-file configure_make bundles; these expose just the binary so
+# it can be passed around by path (e.g. fed to the system-test driver as a
+# $(rootpath) runtime dep for creating UVM/SetupOS config images).
+# These resolve to @platforms//:incompatible on non-(linux, x86_64) platforms (see
+# the aliases above), so gate the extractors to the same platforms; otherwise the
+# rule would run with an empty bundle and fail. Consumers propagate this and are
+# skipped accordingly off-platform.
+tool_file(
+    name = "mkfs.fat.bin",
+    binary = "mkfs.fat",
+    bundle = "//:mkfs.fat",
+    target_compatible_with = [
+        "@platforms//os:linux",
+        "@platforms//cpu:x86_64",
+    ],
+)
+
+tool_file(
+    name = "mtools.bin",
+    binary = "mtools",
+    bundle = "//:mtools",
+    target_compatible_with = [
+        "@platforms//os:linux",
+        "@platforms//cpu:x86_64",
+    ],
+)
+
 ### e2fsdroid, used to populate ext4 filesystem images (fs_config + SELinux contexts)
 
 alias(

bazel/defs.bzl

@@ -129,6 +129,44 @@ mcopy = rule(
     },
 )
 
+def _tool_file(ctx):
+    """Extracts a single named binary out of a multi-file tool bundle.
+
+    Our `mkfs.fat`/`mtools` targets are `configure_make` bundles (the binary plus
+    e.g. an include dir), so they can't be passed around by a single path (e.g.
+    as a `$(rootpath)` runtime dep). This picks the requested binary out by
+    basename and exposes it as a standalone, executable, single-file target.
+
+    The output keeps the binary's original basename (placed under a per-target
+    directory to avoid colliding with the bundle alias of the same name). This
+    matters for multi-call binaries like `mtools`, which dispatch on argv[0]:
+    it must still be invoked as `mtools -c <subcmd>`.
+    """
+    tool = None
+    for f in ctx.files.bundle:
+        if f.basename == ctx.attr.binary:
+            tool = f
+            break
+    if not tool:
+        fail("could not locate '{}' binary among {} outputs".format(ctx.attr.binary, ctx.attr.bundle.label))
+
+    out = ctx.actions.declare_file("{}/{}".format(ctx.label.name, ctx.attr.binary))
+    ctx.actions.run_shell(
+        command = "cp -p {src} {out} && chmod +x {out}".format(src = tool.path, out = out.path),
+        inputs = [tool],
+        outputs = [out],
+    )
+    return [DefaultInfo(files = depset([out]), runfiles = ctx.runfiles(files = [out]))]
+
+tool_file = rule(
+    implementation = _tool_file,
+    doc = "Exposes a single named binary from a multi-file tool bundle as a standalone executable file.",
+    attrs = {
+        "bundle": attr.label(mandatory = True, allow_files = True),
+        "binary": attr.string(mandatory = True),
+    },
+)
+
 # Binaries needed for testing with canister_sandbox
 _SANDBOX_DATA = [
     "//rs/canister_sandbox",

ci/container/TAG

@@ -1 +1 @@
-85500ab8d8fa12c3fe8dd2930023d65b9184b3f19e3789d22a9b6d282c160556
+f96c20ebb316dcc7dd4e537b40fd2b88a1d2fa43cf2ba80c243076c23ab8e136

ci/container/files/packages.common

@@ -27,7 +27,6 @@ llvm
 # IC-OS
 clang
 cryptsetup-bin
-dosfstools # provides mkfs.vfat
 faketime
 fdisk
 iasl # to build OVMF
@@ -38,7 +37,6 @@ libselinux-dev
 libsystemd-dev
  # Linked in by IC-OS binaries for managing virtual machines programmatically.
 libvirt-dev
-mtools # used for mcopy and mmd
 nasm # to build OVMF
 podman
 rsync

ic-os/dev-tools/bare_metal_deployment/deploy.py

@@ -109,6 +109,10 @@ class Args:
     # Path to the setupos-inject-config tool. Necessary if any inject* args are present
     inject_configuration_tool: Optional[str] = None
 
+    # Path to the Bazel-built mtools binary, used by setupos-inject-config to write the
+    # FAT config partition.
+    mtools_tool: Optional[str] = None
+
     # Time to wait between each remote deployment, in minutes
     wait_time: int = field(default=DEFAULT_SETUPOS_WAIT_TIME_MINS, alias="-t")
 
@@ -160,6 +164,7 @@ def __post_init__(self):
         ), "Both ipv6_prefix and ipv6_gateway flags must be present or none"
         if self.inject_image_ipv6_prefix:
             assert self.inject_configuration_tool, "setupos_inject_config tool required to modify image"
+            assert self.mtools_tool, "mtools tool required to modify image"
         ipv4_args = [
             self.inject_image_ipv4_address,
             self.inject_image_ipv4_gateway,
@@ -706,6 +711,7 @@ def upload_to_file_share(
 
 def inject_config_into_image(
     setupos_inject_config_path: Path,
+    mtools_path: Path,
     working_dir: Path,
     compressed_image_path: Path,
     node_reward_type: str,
@@ -732,6 +738,9 @@ def is_executable(p: Path) -> bool:
 
     assert setupos_inject_config_path.exists() and is_executable(setupos_inject_config_path)
 
+    # Absolute path: setupos-inject-config runs mtools with its own working directory.
+    mtools = os.path.abspath(mtools_path)
+
     invoke.run(f"tar --extract --zstd --file {compressed_image_path} --directory {working_dir}", echo=True)
 
     img_path = Path(f"{working_dir}/disk.img")
@@ -764,6 +773,7 @@ def is_executable(p: Path) -> bool:
     invoke.run(
         f"{setupos_inject_config_path} {image_part} {reward_part} {prefix_part} {gateway_part} {ipv4_part} {enable_trusted_execution_environment_part} {verbose_part} {admin_key_part}",
         echo=True,
+        env={"MTOOLS": mtools},
     )
 
     # Reuse the name of the compressed image path in the working directory
@@ -836,6 +846,7 @@ def main():
             tmpdir = tempfile.mkdtemp()
             modified_image_path = inject_config_into_image(
                 Path(args.inject_configuration_tool),
+                Path(args.mtools_tool),
                 Path(tmpdir),
                 Path(args.upload_img),
                 args.inject_image_node_reward_type,

ic-os/dev-tools/bare_metal_deployment/tools.bzl

@@ -34,6 +34,10 @@ def launch_bare_metal(name, image_zst_file):
             "$(location :" + binary_name + ")",
             "--inject_configuration_tool",
             "$(location //rs/ic_os/dev_test_tools/setupos-image-config:setupos-inject-config)",
+            # Bazel-built mtools (the build container no longer ships system mtools),
+            # used by setupos-inject-config to write the FAT config partition.
+            "--mtools_tool",
+            "$(location //:mtools.bin)",
             "--upload_img",
             "$(location " + image_zst_file + ")",
             "--deterministic_ips_tool",
@@ -51,6 +55,7 @@ def launch_bare_metal(name, image_zst_file):
         data = [
             ":" + binary_name,
             image_zst_file,
+            "//:mtools.bin",
             "//rs/ic_os/dev_test_tools/setupos-image-config:setupos-inject-config",
             "//ic-os/dev-tools/bare_metal_deployment:redfish_scripts",
             "//ic-os/dev-tools/bare_metal_deployment:benchmark_runner.sh",

ic-os/dev-tools/build-setupos-config-image.sh

@@ -6,18 +6,22 @@ CONFIG_DIR="${1}"
 DATA_DIR="${2}"
 OUTPUT_IMAGE="${3}"
 
+# MKFS_VFAT and MTOOLS are the Bazel-built mkfs.fat / mtools binaries, set in the
+# environment by the system_test rule (so the build container doesn't need system
+# dosfstools/mtools). mtools is a multi-call binary, driven as `mtools -c <cmd>`.
+
 TMPDIR=$(mktemp -d)
 
 tar cf "${TMPDIR}/config.tar" -C "${CONFIG_DIR}" .
 tar cf "${TMPDIR}/data.tar" -C "${DATA_DIR}" .
 
 truncate -s 10M "${OUTPUT_IMAGE}"
 
-/usr/sbin/mkfs.vfat "${OUTPUT_IMAGE}"
+"$MKFS_VFAT" "${OUTPUT_IMAGE}"
 
-mlabel -i "${OUTPUT_IMAGE}" ::OVERRIDE
+"$MTOOLS" -c mlabel -i "${OUTPUT_IMAGE}" ::OVERRIDE
 
-mcopy -i "${OUTPUT_IMAGE}" -o "${TMPDIR}/config.tar" ::
-mcopy -i "${OUTPUT_IMAGE}" -o "${TMPDIR}/data.tar" ::
+"$MTOOLS" -c mcopy -i "${OUTPUT_IMAGE}" -o "${TMPDIR}/config.tar" ::
+"$MTOOLS" -c mcopy -i "${OUTPUT_IMAGE}" -o "${TMPDIR}/data.tar" ::
 
 rm -rf "${TMPDIR}"

rs/ic_os/build_tools/partition_tools/BUILD.bazel

@@ -23,6 +23,16 @@ rust_library(
 rust_test(
     name = "partition_tools_test",
     crate = ":partition_tools",
+    # Bazel-built FAT tools used by the tests (instead of system dosfstools/mtools);
+    # fat.rs reads MKFS_VFAT/MTOOLS from the environment.
+    data = [
+        "//:mkfs.fat.bin",
+        "//:mtools.bin",
+    ],
+    env = {
+        "MKFS_VFAT": "$(rootpath //:mkfs.fat.bin)",
+        "MTOOLS": "$(rootpath //:mtools.bin)",
+    },
     proc_macro_deps = [
         # Keep sorted.
         "@crate_index//:indoc",