From 5652e29b5052478ddb3182969984840deecbf4cc Mon Sep 17 00:00:00 2001
From: Konstantin Vasin <126960927+k-v1@users.noreply.github.com>
Date: Sun, 29 Oct 2023 03:16:28 +0300
Subject: [PATCH 1/5] make sonic-build-hooks reproducible
---
src/sonic-build-hooks/Makefile | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/sonic-build-hooks/Makefile b/src/sonic-build-hooks/Makefile
index f20acac0b143..266061b69e98 100644
--- a/src/sonic-build-hooks/Makefile
+++ b/src/sonic-build-hooks/Makefile
@@ -15,24 +15,28 @@ SYMBOL_LINK_PATH = $(BUILD_ROOT_DIR)/usr/sbin SCRIPTS_PATH = $(INSTALL_PATH)/scripts HOOKS_PATH = $(INSTALL_PATH)/hooks DPKGTOOL = $(shell which dpkg-deb) +# To make sonic-build-hooks reproducible +# use time of the last commit that modified files in sonic-build-hooks directory +# as a build time for deb package +BUILD_TIME = $(shell git log -1 --pretty=%ct .) # If the depk-deb not installed, use the docker container to make the debian package ifeq ($(shell which dpkg-deb),) -BUILD_COMMAND=docker run --user $(shell id -u):$(shell id -g) --rm -v $(shell pwd):/build debian:buster bash -c 'cd /build; dpkg-deb --build $(TMP_DIR)/$(SONIC_BUILD_HOOKS) $(SONIC_BUILD_HOOKS_TARGET)' +BUILD_COMMAND=docker run --user $(shell id -u):$(shell id -g) --rm -v $(shell pwd):/build debian:bullseye bash -c 'cd /build; SOURCE_DATE_EPOCH=$(BUILD_TIME) dpkg-deb -Zxz --root-owner-group --build $(TMP_DIR)/$(SONIC_BUILD_HOOKS) $(SONIC_BUILD_HOOKS_TARGET)' else -BUILD_COMMAND=dpkg-deb -Zxz --build $(TMP_DIR)/$(SONIC_BUILD_HOOKS) $(SONIC_BUILD_HOOKS_TARGET) +BUILD_COMMAND=SOURCE_DATE_EPOCH=$(BUILD_TIME) dpkg-deb -Zxz --root-owner-group --build $(TMP_DIR)/$(SONIC_BUILD_HOOKS) $(SONIC_BUILD_HOOKS_TARGET) endif DEPENDS := $(shell find scripts hooks debian -type f) $(SONIC_BUILD_HOOKS_TARGET): $(DEPENDS) @rm -rf $(BUILDINFO_DIR)/$(SONIC_BUILD_HOOKS) $(TMP_DIR) - @mkdir -p $(DEBIAN_DIR) $(SCRIPTS_PATH) $(HOOKS_PATH) $(SYMBOL_LINK_PATH) $(TRUSTED_GPG_PATH) $(BUILDINFO_DIR) - @chmod 0775 $(DEBIAN_DIR) - @cp debian/* $(DEBIAN_DIR)/ - @cp scripts/* $(SCRIPTS_PATH)/ - @cp hooks/* $(HOOKS_PATH)/ + @install -m 755 -d $(DEBIAN_DIR) $(SCRIPTS_PATH) $(HOOKS_PATH) $(SYMBOL_LINK_PATH) $(TRUSTED_GPG_PATH) $(BUILDINFO_DIR) + @install -m 644 debian/* $(DEBIAN_DIR) + @install -m 755 scripts/* $(SCRIPTS_PATH) + @install -m 755 hooks/* $(HOOKS_PATH) @for url in $$(echo $(TRUSTED_GPG_URLS) | sed 's/[,;]/ /g'); do wget -q "$$url" -P "$(TRUSTED_GPG_PATH)/"; done + @find $(TRUSTED_GPG_PATH) -type f 
-exec chmod 644 {} \; @for f in $(SYMBOL_LINKS); do ln -s $(SYMBOL_LINKS_SRC_DIR)/$$f $(SYMBOL_LINK_PATH)/$$f; done @$(BUILD_COMMAND) From 042a9086735fa7f08ce3bdbb1f41e38997792600 Mon Sep 17 00:00:00 2001 From: Konstantin Vasin <126960927+k-v1@users.noreply.github.com> Date: Fri, 20 Oct 2023 20:57:55 +0300 Subject: [PATCH 2/5] enable pigz by default --- Makefile.work | 9 --------- build_debian.sh | 8 +++----- build_image.sh | 4 ++-- rules/config | 4 ---- slave.mk | 4 +--- sonic-slave-bullseye/Dockerfile.j2 | 3 ++- sonic-slave-buster/Dockerfile.j2 | 3 ++- sonic-slave-stretch/Dockerfile.j2 | 3 ++- 8 files changed, 12 insertions(+), 26 deletions(-) diff --git a/Makefile.work b/Makefile.work index 628f770a8200..69b18fb0a26f 100644 --- a/Makefile.work +++ b/Makefile.work @@ -53,9 +53,6 @@ # * ENABLE_BOOTCHART: Enable SONiC bootchart # * Default: n # * Values: y,n -# * GZ_COMPRESS_PROGRAM: Select pigz to reduce build time -# * Default: gzip -# * Values: pigz,gzip # * UNATTENDED: Don't wait for interactive input from terminal, setting this # * value to anything will enable it # * Default: unset @@ -151,10 +148,6 @@ ifeq ($(LEGACY_SONIC_MGMT_DOCKER),) override LEGACY_SONIC_MGMT_DOCKER = y endif -ifneq ($(GZ_COMPRESS_PROGRAM), pigz) -override GZ_COMPRESS_PROGRAM = gzip -endif - ifeq ($(CONFIGURED_ARCH),amd64) SLAVE_BASE_IMAGE = $(SLAVE_DIR) MULTIARCH_QEMU_ENVIRON = n @@ -217,7 +210,6 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \ INCLUDE_FIPS=$(INCLUDE_FIPS) \ DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \ DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \ - GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \ j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile) $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \ 
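Review bot: In src/sonic-build-hooks/Makefile the new `BUILD_TIME` is taken from `git log` with no check that it produced a value, so a build from a tarball or an export without git history hands an empty `SOURCE_DATE_EPOCH` to dpkg-deb and the timestamp is no longer tied to the commit. I would expand it once and fail early: `BUILD_TIME := $(shell git log -1 --pretty=%ct .)` followed by `$(if $(strip $(BUILD_TIME)),,$(error BUILD_TIME is empty, cannot set SOURCE_DATE_EPOCH))`. Two other inputs to the package stay unfixed. The `debian:bullseye` image in the docker fallback is a mutable tag, and the keys fetched from `TRUSTED_GPG_URLS` by the `wget` loop are only mode-normalised by the new `find ... chmod 644`, not compared with a checked-in digest, so a changed or failed download still alters the package contents without an error.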
@@ -573,7 +565,6 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \ SONIC_SLAVE_DOCKER_DRIVER=$(SONIC_SLAVE_DOCKER_DRIVER) \ MIRROR_URLS=$(MIRROR_URLS) \ MIRROR_SECURITY_URLS=$(MIRROR_SECURITY_URLS) \ - GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \ MIRROR_SNAPSHOT=$(MIRROR_SNAPSHOT) \ SONIC_VERSION_CONTROL_COMPONENTS=$(SONIC_VERSION_CONTROL_COMPONENTS) \ ONIE_IMAGE_PART_SIZE=$(ONIE_IMAGE_PART_SIZE) \ diff --git a/build_debian.sh b/build_debian.sh index 055daba9e66b..13aba27e81ae 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -150,9 +150,7 @@ else fi ## docker and mkinitramfs on target system will use pigz/unpigz automatically -if [[ $GZ_COMPRESS_PROGRAM == pigz ]]; then - sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install pigz -fi +sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install pigz ## Install initramfs-tools and linux kernel ## Note: initramfs-tools recommends depending on busybox, and we really want busybox for @@ -866,8 +864,8 @@ if [[ $MULTIARCH_QEMU_ENVIRON == y || $CROSS_BUILD_ENVIRON == y ]]; then fi ## Compress docker files -pushd $FILESYSTEM_ROOT && sudo tar -I $GZ_COMPRESS_PROGRAM -cf $OLDPWD/$FILESYSTEM_DOCKERFS -C ${DOCKERFS_PATH}var/lib/docker .; popd +pushd $FILESYSTEM_ROOT && sudo tar -I pigz -cf $OLDPWD/$FILESYSTEM_DOCKERFS -C ${DOCKERFS_PATH}var/lib/docker .; popd ## Compress together with /boot, /var/lib/docker and $PLATFORM_DIR as an installer payload zip file -pushd $FILESYSTEM_ROOT && sudo tar -I $GZ_COMPRESS_PROGRAM -cf platform.tar.gz -C $PLATFORM_DIR . && sudo zip -n .gz $OLDPWD/$ONIE_INSTALLER_PAYLOAD -r boot/ platform.tar.gz; popd +pushd $FILESYSTEM_ROOT && sudo tar -I pigz -cf platform.tar.gz -C $PLATFORM_DIR . && sudo zip -n .gz $OLDPWD/$ONIE_INSTALLER_PAYLOAD -r boot/ platform.tar.gz; popd sudo zip -g -n .squashfs:.gz $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS $FILESYSTEM_DOCKERFS diff --git a/build_image.sh b/build_image.sh index 0b735f612e0f..81c0e307979e 100755 --- a/build_image.sh +++ b/build_image.sh 
@@ -56,10 +56,10 @@ generate_kvm_image() exit 1 } - $GZ_COMPRESS_PROGRAM $KVM_IMAGE_DISK + pigz $KVM_IMAGE_DISK [ -r $KVM_IMAGE_DISK.gz ] || { - echo "Error : $GZ_COMPRESS_PROGRAM $KVM_IMAGE_DISK failed!" + echo "Error : pigz $KVM_IMAGE_DISK failed!" exit 1 } diff --git a/rules/config b/rules/config index bd77e91c59d9..3dbe2e6c18d0 100644 --- a/rules/config +++ b/rules/config @@ -309,10 +309,6 @@ ENABLE_FIPS ?= n # SONIC_SLAVE_DOCKER_DRIVER - set the sonic slave docker storage driver SONIC_SLAVE_DOCKER_DRIVER ?= vfs -# GZ_COMPRESS_PROGRAM - select pigz (a parallel implementation of gzip) to reduce a build time -# and speed up a decompression of docker images on target system -GZ_COMPRESS_PROGRAM ?= gzip - # SONIC_OS_VERSION - sonic os version SONIC_OS_VERSION ?= 11 diff --git a/slave.mk b/slave.mk index bf4f22463161..1a7cf4eb3a03 100644 --- a/slave.mk +++ b/slave.mk @@ -87,7 +87,6 @@ export DOCKER_BASE_ARCH export CROSS_BUILD_ENVIRON export BLDENV export BUILD_WORKDIR -export GZ_COMPRESS_PROGRAM export MIRROR_SNAPSHOT export SONIC_OS_VERSION @@ -447,7 +446,6 @@ ifeq ($(CONFIGURED_PLATFORM),vs) $(info "BUILD_MULTIASIC_KVM" : "$(BUILD_MULTIASIC_KVM)") endif $(info "CROSS_BUILD_ENVIRON" : "$(CROSS_BUILD_ENVIRON)") -$(info "GZ_COMPRESS_PROGRAM" : "$(GZ_COMPRESS_PROGRAM)") $(info "LEGACY_SONIC_MGMT_DOCKER" : "$(LEGACY_SONIC_MGMT_DOCKER)") $(info ) else 
@@ -537,7 +535,7 @@ define docker-image-save @echo "Tagging docker image $(1)-$(DOCKER_USERNAME):$(DOCKER_USERTAG) as $(1):$(call docker-get-tag,$(1))" $(LOG) docker tag $(1)-$(DOCKER_USERNAME):$(DOCKER_USERTAG) $(1):$(call docker-get-tag,$(1)) $(LOG) @echo "Saving docker image $(1):$(call docker-get-tag,$(1))" $(LOG) - docker save $(1):$(call docker-get-tag,$(1)) | $(GZ_COMPRESS_PROGRAM) -c > $(2) + docker save $(1):$(call docker-get-tag,$(1)) | pigz -c > $(2) if [ x$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD) == x"y" ]; then @echo "Removing docker image $(1):$(call docker-get-tag,$(1))" $(LOG) docker rmi -f $(1):$(call docker-get-tag,$(1)) $(LOG) diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2 index 19e1babc3952..eeae7032a770 100644 --- a/sonic-slave-bullseye/Dockerfile.j2 +++ b/sonic-slave-bullseye/Dockerfile.j2 @@ -87,7 +87,8 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install curl \ wget \ unzip \ - {{ GZ_COMPRESS_PROGRAM }} \ + gzip \ + pigz \ git \ build-essential \ libtool \ diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index bb1ec2c97036..edb6ccd53693 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -90,7 +90,8 @@ RUN apt-get update && apt-get install -y eatmydata && eatmydata apt-get install curl \ wget \ unzip \ - {{ GZ_COMPRESS_PROGRAM }} \ + gzip \ + pigz \ git \ build-essential \ libtool \ diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2 index d63861c6d98f..44f5409493b8 100644 --- a/sonic-slave-stretch/Dockerfile.j2 +++ b/sonic-slave-stretch/Dockerfile.j2 @@ -23,7 +23,8 @@ RUN apt-get update && apt-get install -y \ curl \ wget \ unzip \ - {{ GZ_COMPRESS_PROGRAM }} \ + gzip \ + pigz \ git \ build-essential \ libtool \ From 5f07338abb8408a1dad5b531b1fb1142be6d303d Mon Sep 17 00:00:00 2001 
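Review bot: In `docker-image-save` (slave.mk) the changed line `docker save ... | pigz -c > $(2)` takes its exit status from pigz, so a failed `docker save` still leaves a short but valid-looking archive at `$(2)` unless pipefail is enabled somewhere outside this hunk. Since the line is being touched anyway, I would make the failure explicit, e.g. `set -o pipefail; docker save $(1):$(call docker-get-tag,$(1)) | pigz -c > $(2)`; the recipe already uses the bash-only `==` test, so bash is assumed. The define continues outside the hunk, so I cannot see whether a later step validates the file.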
From: Konstantin Vasin <126960927+k-v1@users.noreply.github.com> Date: Sun, 5 Nov 2023 00:29:06 +0300 Subject: [PATCH 3/5] pass DBGOPT to slave.mk --- Makefile.work | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile.work b/Makefile.work index 69b18fb0a26f..8235157ce40d 100644 --- a/Makefile.work +++ b/Makefile.work @@ -494,6 +494,7 @@ SONIC_SLAVE_USER_BUILD = \ SONIC_BUILD_INSTRUCTION := $(MAKE) \ -f slave.mk \ + DBGOPT='$(DBGOPT)' \ PLATFORM=$(PLATFORM) \ PLATFORM_ARCH=$(PLATFORM_ARCH) \ MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \ From 57f0cefd9dea8642819a7b5ba2263fd58de4bbb5 Mon Sep 17 00:00:00 2001 From: Konstantin Vasin <126960927+k-v1@users.noreply.github.com> Date: Mon, 6 Nov 2023 05:38:31 +0300 Subject: [PATCH 4/5] split rfs refactoring --- .gitignore | 1 + Makefile.cache | 24 +- build_debian.sh | 397 +++--------------- build_rfs.sh | 344 +++++++++++++++ .../host-image/versions-py3-all-armhf | 1 - .../build_templates/sonic_debian_extension.j2 | 81 ---- functions.sh | 8 + slave.mk | 42 +- 8 files changed, 424 insertions(+), 474 deletions(-) create mode 100755 build_rfs.sh delete mode 100644 files/build/versions/host-image/versions-py3-all-armhf diff --git a/.gitignore b/.gitignore index 5797d0cd11ed..3f08f49b773c 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ rules/config.user # Build artifacts fsroot/ +fsroot-*/ fs.* target/ *.deb diff --git a/Makefile.cache b/Makefile.cache index 137cf9c7bb2d..9a8191f2dc56 100644 --- a/Makefile.cache +++ b/Makefile.cache 
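Review bot: The added `DBGOPT='$(DBGOPT)'` in `SONIC_BUILD_INSTRUCTION` (Makefile.work) is the only argument in the visible list wrapped in single quotes, and a value that itself contains a single quote ends the quoting early, so the rest of the value is parsed as further shell words. DBGOPT presumably comes from the make command line or the environment, so in CI it may be filled from a job parameter. I would either document the restriction with a comment such as `# DBGOPT: space-separated list, must not contain quotes` or reject such values before the instruction is assembled. The assignment continues outside the hunk.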
@@ -357,23 +357,13 @@ define SAVE_CACHE $(if $(call CHECK_WCACHE_ENABLED,$(1)), $(call SAVE_INTO_CACHE,$(1),$(2))) endef -RFS_DEP_FILES := $(wildcard \ +RFS_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) $(SONIC_VERSION_CONTROL_COMPONENTS) $(MIRROR_SNAPSHOT) +RFS_DEP_FILES := $(SONIC_COMMON_FILES_LIST) $(SONIC_COMMON_BASE_FILES_LIST) \ + build_rfs.sh functions.sh \ $(addprefix scripts/, build_debian_base_system.sh prepare_debian_image_buildinfo.sh build_mirror_config.sh) \ - $(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(INITRAMFS_TOOLS) $(LINUX_KERNEL)) \ - $(shell git ls-files files/initramfs-tools) \ - $(shell git ls-files files/image_config) \ - $(shell git ls-files files/apparmor) \ + $(wildcard src/sonic-build-hooks/buildinfo/sonic-build-hooks_*_all.deb) \ $(shell git ls-files files/apt) \ - $(shell git ls-files files/sshd) \ - $(shell git ls-files files/dhcp) \ - src/sonic-build-hooks/buildinfo/trusted.gpg.d \ - platform/$(CONFIGURED_PLATFORM)/modules \ - files/docker/docker.service.conf \ - files/build_templates/default_users.json.j2 \ - files/build_scripts/generate_asic_config_checksum.py \ - files/scripts/core_cleanup.py \ - build_debian.sh onie-image.conf) - + $(wildcard files/build/versions/default/* files/build/versions/host-base-image/* files/build/versions/host-image/*) # Set the target path for each target. $(foreach pkg, $(SONIC_MAKE_DEBS) $(SONIC_DPKG_DEBS) $(SONIC_ONLINE_DEBS) $(SONIC_COPY_DEBS), \ 
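Review bot: `RFS_DEP_FILES` in Makefile.cache now relies on `$(wildcard src/sonic-build-hooks/buildinfo/sonic-build-hooks_*_all.deb)`, which is expanded with `:=` when the makefile is read; if that package has not been built yet, the wildcard is empty and the hooks package drops out of the RFS cache key without a warning. The explicit `src/sonic-build-hooks/buildinfo/trusted.gpg.d` entry is removed in the same hunk, so a change to the trusted keys may no longer invalidate a cached root filesystem. Keying on the sources would not depend on build order, for example `$(shell git ls-files src/sonic-build-hooks)` in `RFS_DEP_FILES` and, if it is visible in this makefile, `$(TRUSTED_GPG_URLS)` in `RFS_DEP_FLAGS`. The same question applies to the kernel and initramfs-tools packages that left the list, if build_rfs.sh still installs them; that part of the script is not visible here.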
@@ -403,8 +393,8 @@ $(foreach pkg, $(SONIC_INSTALL_PKGS), \ $(foreach pkg, $(SONIC_RFS_TARGETS), \ $(eval $(pkg)_DST_PATH := $(if $($(pkg)_DST_PATH), $($(pkg)_DST_PATH), $(TARGET_PATH))) \ $(eval $(pkg)_CACHE_MODE := GIT_CONTENT_SHA) \ - $(eval $(pkg)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)) \ - $(eval $(pkg)_DEP_FILES := $(SONIC_COMMON_BASE_FILES_LIST) $(RFS_DEP_FILES)) \ + $(eval $(pkg)_DEP_FLAGS := $(RFS_DEP_FLAGS)) \ + $(eval $(pkg)_DEP_FILES := $(RFS_DEP_FILES)) \ $(eval $(TARGET_PATH)/$(pkg)_TARGET := $(pkg)) ) # define the DEP files(.dep and .smdep) and SHA files (.sha and smsha) for each target diff --git a/build_debian.sh b/build_debian.sh index 13aba27e81ae..e1ef0d05b447 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -1,6 +1,7 @@ -#!/bin/bash +#!/bin/bash -xe ## This script is to automate the preparation for a debian file system, which will be used for ## an ONIE installer image. +## This is the 2nd part. 1st part in build_rfs.sh ## ## USAGE: ## USERNAME=username PASSWORD=password ./build_debian 
@@ -10,39 +11,19 @@ ## PASSWORD ## The password, expected by chpasswd command -## Default user -[ -n "$USERNAME" ] || { - echo "Error: no or empty USERNAME" - exit 1 -} - -## Password for the default user -[ -n "$PASSWORD" ] || { - echo "Error: no or empty PASSWORD" - exit 1 -} - ## Include common functions . functions.sh -## Enable debug output for script -set -x -e - -CONFIGURED_ARCH=$([ -f .arch ] && cat .arch || echo amd64) +[ -n "$USERNAME" ] || die "[ERROR] USERNAME is not set" +[ -n "$PASSWORD" ] || die "[ERROR] PASSWORD is not set" +[ -n "$RFS_SQUASHFS_NAME" ] || die "[ERROR] RFS_SQUASHFS_NAME is not set" -## docker engine version (with platform) -DOCKER_VERSION=5:24.0.2-1~debian.11~$IMAGE_DISTRO -CONTAINERD_IO_VERSION=1.6.21-1 -LINUX_KERNEL_VERSION=5.10.0-23-2 +LINUX_KERNEL_VERSION=$SONIC_LINUX_KERNEL_VERSION ## Working directory to prepare the file system FILESYSTEM_ROOT=./fsroot PLATFORM_DIR=platform -## Hostname for the linux image -HOSTNAME=sonic DEFAULT_USERINFO="Default admin user,,," -BUILD_TOOL_PATH=src/sonic-build-hooks/buildinfo -TRUSTED_GPG_DIR=$BUILD_TOOL_PATH/trusted.gpg.d ## Read ONIE image related config file . ./onie-image.conf 
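Review bot: With `-x` now active from the first line (the shebang changed in the previous hunk) and the later `set -x -e` removed here, the new `[ -n "$PASSWORD" ] || die ...` check runs under xtrace and writes the expanded password into the build log. The `echo "$USERNAME:$PASSWORD" | ... chpasswd` line further down already did that, but this change widens the exposure instead of closing it. I would switch tracing off around both places, e.g. `{ set +x; } 2>/dev/null` before the check and `set -x` after it. Options on the shebang line are also ignored when the script is started as `bash build_debian.sh`, so an explicit `set -xe` after sourcing functions.sh is more robust.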
@@ -63,114 +44,32 @@ if [ "$IMAGE_TYPE" = "aboot" ]; then TARGET_BOOTLOADER="aboot" fi -## Check if not a last stage of RFS build -if [[ $RFS_SPLIT_LAST_STAGE != y ]]; then - -## Prepare the file system directory -if [[ -d $FILESYSTEM_ROOT ]]; then - sudo rm -rf $FILESYSTEM_ROOT || die "Failed to clean chroot directory" -fi -mkdir -p $FILESYSTEM_ROOT -mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR -touch $FILESYSTEM_ROOT/$PLATFORM_DIR/firsttime - -bootloader_packages="" -if [ "$TARGET_BOOTLOADER" != "aboot" ]; then - mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR/grub - bootloader_packages="grub2-common" -fi - ## ensure proc is mounted sudo mount proc /proc -t proc || true -## Build the host debian base system -echo '[INFO] Build host debian base system...' -TARGET_PATH=$TARGET_PATH scripts/build_debian_base_system.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT - -# Prepare buildinfo -sudo SONIC_VERSION_CACHE=${SONIC_VERSION_CACHE} \ - DBGOPT="${DBGOPT}" \ - scripts/prepare_debian_image_buildinfo.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT $http_proxy +## Prepare the file system directory +sudo rm -rf $FILESYSTEM_ROOT || die "Failed to clean chroot directory" +## Extract 1st stage RFS (build_rfs.sh) +sudo unsquashfs -d $FILESYSTEM_ROOT $TARGET_PATH/$RFS_SQUASHFS_NAME +## make / as a mountpoint in chroot env, needed by dockerd +pushd $FILESYSTEM_ROOT +sudo mount --bind . . +popd sudo chown root:root $FILESYSTEM_ROOT -## Config hostname and hosts, otherwise 'sudo ...' will complain 'sudo: unable to resolve host ...' 
-sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '$HOSTNAME' > /etc/hostname" -sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 $HOSTNAME' >> /etc/hosts" -sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 localhost' >> /etc/hosts" - -## Config basic fstab -sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "proc /proc proc defaults 0 0" >> /etc/fstab' -sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "sysfs /sys sysfs defaults 0 0" >> /etc/fstab' +## Update /etc/resolv.conf +sudo cat /etc/resolv.conf | sudo tee $FILESYSTEM_ROOT/etc/resolv.conf ## Setup proxy [ -n "$http_proxy" ] && sudo /bin/bash -c "echo 'Acquire::http::Proxy \"$http_proxy\";' > $FILESYSTEM_ROOT/etc/apt/apt.conf.d/01proxy" -trap_push 'sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true' +## Mount /proc. +trap_push "sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true" sudo LANG=C chroot $FILESYSTEM_ROOT mount proc /proc -t proc -## Note: mounting is necessary to makedev and install linux image -echo '[INFO] Mount all' -## Output all the mounted device for troubleshooting -sudo LANG=C chroot $FILESYSTEM_ROOT mount - -## Install the trusted gpg public keys -[ -d $TRUSTED_GPG_DIR ] && [ ! 
-z "$(ls $TRUSTED_GPG_DIR)" ] && sudo cp $TRUSTED_GPG_DIR/* ${FILESYSTEM_ROOT}/etc/apt/trusted.gpg.d/ - -## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates -scripts/build_mirror_config.sh files/apt $CONFIGURED_ARCH $IMAGE_DISTRO -sudo cp files/apt/sources.list.$CONFIGURED_ARCH $FILESYSTEM_ROOT/etc/apt/sources.list -sudo cp files/apt/apt-retries-count $FILESYSTEM_ROOT/etc/apt/apt.conf.d/ -sudo cp files/apt/apt.conf.d/{81norecommends,apt-{clean,gzip-indexes,no-languages},no-check-valid-until} $FILESYSTEM_ROOT/etc/apt/apt.conf.d/ - -## Note: set lang to prevent locale warnings in your chroot -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y update -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y upgrade - -echo '[INFO] Install and setup eatmydata' -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install eatmydata -sudo LANG=C chroot $FILESYSTEM_ROOT ln -s /usr/bin/eatmydata /usr/local/bin/dpkg -echo 'Dir::Bin::dpkg "/usr/local/bin/dpkg";' | sudo tee $FILESYSTEM_ROOT/etc/apt/apt.conf.d/00image-install-eatmydata > /dev/null -## Note: dpkg hook conflict with eatmydata -sudo LANG=C chroot $FILESYSTEM_ROOT rm /usr/local/sbin/dpkg -f - -echo '[INFO] Install packages for building image' -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install makedev psmisc - -if [[ $CROSS_BUILD_ENVIRON == y ]]; then - sudo LANG=C chroot $FILESYSTEM_ROOT dpkg --add-architecture $CONFIGURED_ARCH -fi - -## Create device files -echo '[INFO] MAKEDEV' -if [[ $CONFIGURED_ARCH == armhf || $CONFIGURED_ARCH == arm64 ]]; then - sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic-arm' -else - sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic' -fi -## docker and mkinitramfs on target system will use pigz/unpigz automatically -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install pigz - -## Install initramfs-tools and linux kernel -## Note: initramfs-tools recommends depending on busybox, and we really want 
busybox for -## 1. commands such as touch -## 2. mount supports squashfs -## However, 'dpkg -i' plus 'apt-get install -f' will ignore the recommended dependency. So -## we install busybox explicitly -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install busybox linux-base -echo '[INFO] Install SONiC linux kernel image' -## Note: duplicate apt-get command to ensure every line return zero -sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/initramfs-tools-core_*.deb || \ - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f -sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/initramfs-tools_*.deb || \ - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f -sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/linux-image-${LINUX_KERNEL_VERSION}-*_${CONFIGURED_ARCH}.deb || \ - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install acl -if [[ $CONFIGURED_ARCH == amd64 ]]; then - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm -fi +sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update ## Sign the Linux kernel # note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features. 
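Review bot: `sudo cat /etc/resolv.conf | sudo tee $FILESYSTEM_ROOT/etc/resolv.conf` copies the build host's resolver configuration into the image root, and nothing in the visible part of build_debian.sh restores or removes it before the filesystem is packed. If no later step does so, the shipped image carries the build network's DNS servers and search domains. I would register the cleanup next to the copy, the same way the /proc unmount is registered with `trap_push`, or add a comment naming the step that resets the file. If the extracted root already has `/etc/resolv.conf` as a symlink, `tee` follows it, so the write may land somewhere other than intended.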
@@ -243,37 +142,12 @@ if [ -f platform/$CONFIGURED_PLATFORM/modules ]; then cat platform/$CONFIGURED_PLATFORM/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null fi -## Add mtd and uboot firmware tools package -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install u-boot-tools libubootenv-tool mtd-utils device-tree-compiler - -## Install docker -echo '[INFO] Install docker' -## Install apparmor utils since they're missing and apparmor is enabled in the kernel -## Otherwise Docker will fail to start -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \ - ca-certificates \ - curl \ - gnupg2 \ - software-properties-common -if [[ $CONFIGURED_ARCH == armhf ]]; then - # update ssl ca certificates for secure pem - sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT c_rehash -fi -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg -sudo LANG=C chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/trusted.gpg.d/ -sudo LANG=C chroot $FILESYSTEM_ROOT add-apt-repository \ - "deb [arch=$CONFIGURED_ARCH] https://download.docker.com/linux/debian $IMAGE_DISTRO stable" -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install docker-ce=${DOCKER_VERSION} docker-ce-cli=${DOCKER_VERSION} containerd.io=${CONTAINERD_IO_VERSION} - -# Uninstall 'python3-gi' installed as part of 'software-properties-common' to remove debian version of 'PyGObject' -# pip version of 'PyGObject' will be installed during installation of 'sonic-host-services' -sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove software-properties-common gnupg2 python3-gi install_kubernetes () { local ver="$1" + sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install gnupg + sudo 
LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove gnupg sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -fsSL \ https://packages.cloud.google.com/apt/doc/apt-key.gpg | \ sudo LANG=C chroot $FILESYSTEM_ROOT apt-key add - @@ -301,9 +175,7 @@ then echo '[INFO] Install kubernetes master' install_kubernetes ${MASTER_KUBERNETES_VERSION} - sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update - sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install hyperv-daemons gnupg xmlstarlet parted netcat - sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove gnupg + sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install hyperv-daemons xmlstarlet parted netcat sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/cri-dockerd.deb -fsSL \ https://github.com/Mirantis/cri-dockerd/releases/download/v${MASTER_CRI_DOCKERD}/cri-dockerd_${MASTER_CRI_DOCKERD}.3-0.debian-${IMAGE_DISTRO}_amd64.deb sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install -f /tmp/cri-dockerd.deb 
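Review bot: In `install_kubernetes` the added `apt-get -y install gnupg` is immediately followed by `apt-get -y remove gnupg`, both before the `curl ... | apt-key add -` pipeline that needed it, so the package is already gone when the key is imported. If apt-key works only because another gpg package is present, the two lines can be dropped; otherwise the removal belongs after the `apt-key add`. Separately, the key is piped straight from the download into the trusted keyring: without pipefail a failed `curl` is not detected here, and the key's fingerprint is never compared with an expected value. The function body continues outside the hunk.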
@@ -327,84 +199,6 @@ echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd sudo LANG=C chroot $FILESYSTEM_ROOT groupadd -f redis sudo LANG=C chroot $FILESYSTEM_ROOT usermod -aG redis $USERNAME -if [[ $CONFIGURED_ARCH == amd64 ]]; then - ## Pre-install hardware drivers - sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install \ - firmware-linux-nonfree -fi - -## Pre-install the fundamental packages -## Note: gdisk is needed for sgdisk in install.sh -## Note: parted is needed for partprobe in install.sh -## Note: ca-certificates is needed for easy_install -## Note: don't install python-apt by pip, older than Debian repo one -## Note: fdisk and gpg are needed by fwutil -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \ - file \ - ifmetric \ - iproute2 \ - bridge-utils \ - isc-dhcp-client \ - sudo \ - vim \ - tcpdump \ - dbus \ - ntpstat \ - openssh-server \ - python3-apt \ - traceroute \ - iputils-ping \ - arping \ - net-tools \ - bsdmainutils \ - ca-certificates \ - i2c-tools \ - efibootmgr \ - usbutils \ - pciutils \ - iptables-persistent \ - ebtables \ - logrotate \ - curl \ - kexec-tools \ - less \ - unzip \ - gdisk \ - sysfsutils \ - squashfs-tools \ - $bootloader_packages \ - screen \ - hping3 \ - tcptraceroute \ - mtr-tiny \ - locales \ - cgroup-tools \ - ipmitool \ - ndisc6 \ - makedumpfile \ - conntrack \ - python3 \ - python3-distutils \ - python3-pip \ - python-is-python3 \ - cron \ - libprotobuf23 \ - libgrpc++1 \ - libgrpc10 \ - haveged \ - fdisk \ - gpg \ - jq \ - auditd \ - linux-perf \ - resolvconf \ - lsof \ - sysstat - -# default rsyslog version is 8.2110.0 which has a bug on log rate limit, -# use backport version -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -t bullseye-backports -y install rsyslog - # Have systemd create the auditd log directory sudo mkdir -p ${FILESYSTEM_ROOT}/etc/systemd/system/auditd.service.d sudo tee 
${FILESYSTEM_ROOT}/etc/systemd/system/auditd.service.d/log-directory.conf >/dev/null <> /etc/in # Copy vmcore-sysctl.conf to add more vmcore dump flags to kernel sudo cp files/image_config/kdump/vmcore-sysctl.conf $FILESYSTEM_ROOT/etc/sysctl.d/ -#Adds a locale to a debian system in non-interactive mode -sudo sed -i '/^#.* en_US.* /s/^#//' $FILESYSTEM_ROOT/etc/locale.gen && \ - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT locale-gen "en_US.UTF-8" -sudo LANG=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT update-locale "LANG=en_US.UTF-8" -sudo LANG=C chroot $FILESYSTEM_ROOT bash -c "find /usr/share/i18n/locales/ ! -name 'en_US' -type f -exec rm -f {} +" - -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \ - picocom \ - systemd \ - systemd-sysv \ - ntp - # Workaround for issue: The udev rule may fail to be executed because the # daemon-reload command is executed in parallel # Github issue: https://github.com/systemd/systemd/issues/24668 @@ -457,19 +233,6 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in sudo patch $FILESYSTEM_ROOT/lib/systemd/system/systemd-udevd.service \ files/image_config/systemd/systemd-udevd/fix-udev-rule-may-fail-if-daemon-reload-command-runs.patch -if [[ $TARGET_BOOTLOADER == grub ]]; then - if [[ $CONFIGURED_ARCH == amd64 ]]; then - GRUB_PKG=grub-pc-bin - elif [[ $CONFIGURED_ARCH == arm64 ]]; then - GRUB_PKG=grub-efi-arm64-bin - fi - - sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get install -d -o dir::cache=/var/cache/apt \ - $GRUB_PKG - - sudo cp $FILESYSTEM_ROOT/var/cache/apt/archives/grub*.deb $FILESYSTEM_ROOT/$PLATFORM_DIR/grub -fi - ## Disable kexec supported reboot which was installed by default sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/kexec 
@@ -510,7 +273,6 @@ sudo augtool -r $FILESYSTEM_ROOT --autosave " rm /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments set /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments/1 -n " - sudo mkdir -p $FILESYSTEM_ROOT/var/core # Config sysctl @@ -533,28 +295,6 @@ done < files/image_config/sysctl/sysctl-net.conf sudo augtool --autosave "$sysctl_net_cmd_string" -r $FILESYSTEM_ROOT -# Upgrade pip via PyPI and uninstall the Debian version -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install --upgrade pip -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y python3-pip - -# For building Python packages -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install 'setuptools==49.6.00' -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install 'wheel==0.35.1' - -# docker Python API package is needed by Ansible docker module as well as some SONiC applications -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install 'docker==6.1.1' - -# Install scapy -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install 'scapy==2.4.4' - -# The option --no-build-isolation can be removed when upgrading PyYAML to 6.0.1 -sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip3 install 'PyYAML==5.4.1' --no-build-isolation - -## Note: keep pip installed for maintainance purpose - -# Install GCC, needed for building/installing some Python packages -sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install gcc - ## Create /var/run/redis folder for docker-database to mount sudo mkdir -p $FILESYSTEM_ROOT/var/run/redis 
@@ -581,11 +321,28 @@ if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/ fi -## Version file part 1 +## Version file sudo mkdir -p $FILESYSTEM_ROOT/etc/sonic if [ -f files/image_config/sonic_release ]; then sudo cp files/image_config/sonic_release $FILESYSTEM_ROOT/etc/sonic/ fi +export build_version="${SONIC_IMAGE_VERSION}" +export debian_version="$(cat $FILESYSTEM_ROOT/etc/debian_version)" +export kernel_version="${kversion}" +export asic_type="${sonic_asic_platform}" +export asic_subtype="${TARGET_MACHINE}" +export commit_id="$(git rev-parse --short HEAD)" +export branch="$(git rev-parse --abbrev-ref HEAD)" +export release="$(if [ -f $FILESYSTEM_ROOT/etc/sonic/sonic_release ]; then cat $FILESYSTEM_ROOT/etc/sonic/sonic_release; fi)" +export build_date="$(date -u)" +export build_number="${BUILD_NUMBER:-0}" +export built_by="$USER@$BUILD_HOSTNAME" +export sonic_os_version="${SONIC_OS_VERSION}" +j2 files/build_templates/sonic_version.yml.j2 | sudo tee $FILESYSTEM_ROOT/etc/sonic/sonic_version.yml + +if [ -f sonic_debian_extension.sh ]; then + ./sonic_debian_extension.sh $FILESYSTEM_ROOT $PLATFORM_DIR $IMAGE_DISTRO +fi # Default users info export password_expire="$( [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]] && echo true || echo false )" 
@@ -607,69 +364,11 @@ if [[ ! -f './asic_config_checksum' ]]; then fi sudo cp ./asic_config_checksum $FILESYSTEM_ROOT/etc/sonic/asic_config_checksum -## Check if not a last stage of RFS build -fi - -if [[ $RFS_SPLIT_FIRST_STAGE == y ]]; then - echo '[INFO] Finished with RFS first stage' - echo '[INFO] Umount all' - - ## Display all process details access /proc - sudo LANG=C chroot $FILESYSTEM_ROOT fuser -vm /proc - ## Kill the processes - sudo LANG=C chroot $FILESYSTEM_ROOT fuser -km /proc || true - ## Wait fuser fully kill the processes - sudo timeout 15s bash -c 'until LANG=C chroot $0 umount /proc; do sleep 1; done' $FILESYSTEM_ROOT || true - - sudo rm -f $TARGET_PATH/$RFS_SQUASHFS_NAME - sudo mksquashfs $FILESYSTEM_ROOT $TARGET_PATH/$RFS_SQUASHFS_NAME -Xcompression-level 1 - - exit 0 -fi - -if [[ $RFS_SPLIT_LAST_STAGE == y ]]; then - echo '[INFO] RFS build: second stage' - - ## ensure proc is mounted - sudo mount proc /proc -t proc || true - - sudo fuser -vm $FILESYSTEM_ROOT || true - sudo rm -rf $FILESYSTEM_ROOT - sudo unsquashfs -d $FILESYSTEM_ROOT $TARGET_PATH/$RFS_SQUASHFS_NAME - - ## make / as a mountpoint in chroot env, needed by dockerd - pushd $FILESYSTEM_ROOT - sudo mount --bind . . 
- popd - - trap_push 'sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true' - sudo LANG=C chroot $FILESYSTEM_ROOT mount proc /proc -t proc -fi - -## Version file part 2 -export build_version="${SONIC_IMAGE_VERSION}" -export debian_version="$(cat $FILESYSTEM_ROOT/etc/debian_version)" -export kernel_version="${kversion}" -export asic_type="${sonic_asic_platform}" -export asic_subtype="${TARGET_MACHINE}" -export commit_id="$(git rev-parse --short HEAD)" -export branch="$(git rev-parse --abbrev-ref HEAD)" -export release="$(if [ -f $FILESYSTEM_ROOT/etc/sonic/sonic_release ]; then cat $FILESYSTEM_ROOT/etc/sonic/sonic_release; fi)" -export build_date="$(date -u)" -export build_number="${BUILD_NUMBER:-0}" -export built_by="$USER@$BUILD_HOSTNAME" -export sonic_os_version="${SONIC_OS_VERSION}" -j2 files/build_templates/sonic_version.yml.j2 | sudo tee $FILESYSTEM_ROOT/etc/sonic/sonic_version.yml - -if [ -f sonic_debian_extension.sh ]; then - ./sonic_debian_extension.sh $FILESYSTEM_ROOT $PLATFORM_DIR $IMAGE_DISTRO -fi - ## Organization specific extensions such as Configuration & Scripts for features like AAA, ZTP... if [ "${enable_organization_extensions}" = "y" ]; then if [ -f files/build_templates/organization_extensions.sh ]; then sudo chmod 755 files/build_templates/organization_extensions.sh - ./files/build_templates/organization_extensions.sh -f $FILESYSTEM_ROOT -h $HOSTNAME + ./files/build_templates/organization_extensions.sh -f $FILESYSTEM_ROOT -h $SONIC_DEFAULT_HOSTNAME fi fi 
@@ -780,8 +479,18 @@ SONIC_VERSION_CACHE=${SONIC_VERSION_CACHE} \
 DBGOPT="${DBGOPT}" \
 scripts/collect_host_image_version_files.sh $CONFIGURED_ARCH $IMAGE_DISTRO $TARGET_PATH $FILESYSTEM_ROOT
-# Remove GCC
-sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc
+# Remove dev packages
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove \
+ build-essential \
+ gcc \
+ libcairo2-dev \
+ libdbus-1-dev \
+ libgirepository1.0-dev \
+ libssl-dev \
+ libsystemd-dev \
+ pkg-config \
+ python3-dev \
+ swig
 # Remove eatmydata
 sudo rm $FILESYSTEM_ROOT/etc/apt/apt.conf.d/00image-install-eatmydata $FILESYSTEM_ROOT/usr/local/bin/dpkg
diff --git a/build_rfs.sh b/build_rfs.sh
new file mode 100755
index 000000000000..0429ab17720e
--- /dev/null
+++ b/build_rfs.sh
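Review bot: The new `apt-get -y remove` list probably leaves most of the toolchain in the image, because `build-essential` is a metapackage, `gcc` depends on the versioned compiler package, and a plain `remove` does not touch packages that were pulled in as dependencies. If the aim is to ship without compilers and headers, pass `--auto-remove` on this command or follow it with `apt-get -y autoremove --purge` in the chroot, after checking that nothing the image needs is only marked auto-installed. I would also extend the comment to `# Remove dev packages (needed only while building the image)` so the intent sits next to the list.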
@@ -0,0 +1,344 @@
+#!/bin/bash -xe
+
+## This script is to automate the preparation for a debian file system,
+## which will be used for an ONIE installer image.
+## This is the 1st part. 2nd part in build_debian.sh
+## WARNING: this part can be cached (DPKG cache)
+
+## Include common functions
+. functions.sh
+
+FILESYSTEM_ROOT=./fsroot-rfs
+PLATFORM_DIR=platform
+
+DOCKER_VERSION=5:24.0.2-1~debian.11~$IMAGE_DISTRO
+CONTAINERD_IO_VERSION=1.6.21-1
+
+## Ensure proc is mounted
+sudo mount proc /proc -t proc || true
+
+## Prepare the file system directory
+sudo rm -rf $FILESYSTEM_ROOT || die "[ERROR] Failed to clean chroot directory"
+
+mkdir -p $FILESYSTEM_ROOT
+mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR
+touch $FILESYSTEM_ROOT/$PLATFORM_DIR/firsttime
+
+bootloader_packages=""
+if [ "$IMAGE_TYPE" = "aboot" ]; then
+ TARGET_BOOTLOADER="aboot"
+fi
+if [ "$TARGET_BOOTLOADER" != "aboot" ]; then
+ mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR/grub
+ bootloader_packages="grub2-common"
+fi
+
+## Build the host debian base system
+echo '[INFO] Build host debian base system...'
+TARGET_PATH=$TARGET_PATH scripts/build_debian_base_system.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT
+
+## Prepare buildinfo
+echo "[INFO] Prepare buildinfo"
+sudo DBGOPT="${DBGOPT}" \
+ scripts/prepare_debian_image_buildinfo.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT
+
+## https://unix.stackexchange.com/questions/593529/can-not-configure-systemd-inside-a-chrooted-environment
+sudo chown root:root $FILESYSTEM_ROOT
+
+## Config hostname and hosts, otherwise 'sudo ...' will complain 'sudo: unable to resolve host ...'
+run_in_chroot $FILESYSTEM_ROOT /bin/bash -c "echo '$SONIC_DEFAULT_HOSTNAME' > /etc/hostname"
+run_in_chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 $SONIC_DEFAULT_HOSTNAME' >> /etc/hosts"
+run_in_chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 localhost' >> /etc/hosts"
+
+## Config basic fstab
+run_in_chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "proc /proc proc defaults 0 0" >> /etc/fstab'
+run_in_chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "sysfs /sys sysfs defaults 0 0" >> /etc/fstab'
+
+## Mount /proc.
+trap_push "sudo chroot $FILESYSTEM_ROOT umount /proc || true"
+run_in_chroot $FILESYSTEM_ROOT mount proc /proc -t proc
+
+## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates
+scripts/build_mirror_config.sh files/apt $CONFIGURED_ARCH $IMAGE_DISTRO
+sudo cp files/apt/sources.list.$CONFIGURED_ARCH $FILESYSTEM_ROOT/etc/apt/sources.list
+sudo cp files/apt/apt-retries-count $FILESYSTEM_ROOT/etc/apt/apt.conf.d/
+sudo cp files/apt/apt.conf.d/{81norecommends,apt-{clean,gzip-indexes,no-languages},no-check-valid-until} $FILESYSTEM_ROOT/etc/apt/apt.conf.d/
+
+## Setup apt proxy
+[ -n "$http_proxy" ] && sudo /bin/bash -c "echo 'Acquire::http::Proxy \"$http_proxy\";' > $FILESYSTEM_ROOT/etc/apt/apt.conf.d/01proxy"
+
+## Upgrade installed deb packages
+run_in_chroot $FILESYSTEM_ROOT apt-get update
+run_in_chroot $FILESYSTEM_ROOT apt-get -y upgrade
+
+## Install eatmydata to speedup deb package installation
+echo '[INFO] Install and setup eatmydata'
+run_in_chroot $FILESYSTEM_ROOT apt-get -y install eatmydata
+run_in_chroot $FILESYSTEM_ROOT ln -s /usr/bin/eatmydata /usr/local/bin/dpkg
+echo 'Dir::Bin::dpkg "/usr/local/bin/dpkg";' | sudo tee $FILESYSTEM_ROOT/etc/apt/apt.conf.d/00image-install-eatmydata > /dev/null
+## Note: dpkg hook conflict with eatmydata
+run_in_chroot $FILESYSTEM_ROOT rm /usr/local/sbin/dpkg -f
+
+echo '[INFO] Install packages for building image'
+run_in_chroot $FILESYSTEM_ROOT apt-get -y install
makedev psmisc
+
+if [[ $CROSS_BUILD_ENVIRON == y ]]; then
+ run_in_chroot $FILESYSTEM_ROOT dpkg --add-architecture $CONFIGURED_ARCH
+fi
+
+## Create device files
+echo '[INFO] MAKEDEV'
+if [[ $CONFIGURED_ARCH == armhf || $CONFIGURED_ARCH == arm64 ]]; then
+ run_in_chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic-arm'
+else
+ run_in_chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic'
+fi
+
+## Install initramfs-tools and linux kernel
+## Note: initramfs-tools recommends depending on busybox, and we really want busybox for
+## 1. commands such as touch
+## 2. mount supports squashfs
+## However, 'dpkg -i' plus 'apt-get install -f' will ignore the recommended dependency. So
+## we install busybox explicitly
+run_in_chroot $FILESYSTEM_ROOT apt-get -y install busybox linux-base pigz
+echo '[INFO] Install SONiC linux kernel image'
+## Note: duplicate apt-get command to ensure every line return zero
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/initramfs-tools-core_*.deb || \
+ run_in_chroot $FILESYSTEM_ROOT apt-get -y install -f
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/initramfs-tools_*.deb || \
+ run_in_chroot $FILESYSTEM_ROOT apt-get -y install -f
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/linux-image-$SONIC_LINUX_KERNEL_VERSION-*_$CONFIGURED_ARCH.deb || \
+ run_in_chroot $FILESYSTEM_ROOT apt-get -y install -f
+
+## Install docker
+echo '[INFO] Install docker'
+## Install apparmor utils since they're missing and apparmor is enabled in the kernel
+## Otherwise Docker will fail to start
+run_in_chroot $FILESYSTEM_ROOT apt-get -y install \
+ apt-transport-https \
+ ca-certificates \
+ curl
+
+if [[ $CONFIGURED_ARCH == armhf ]]; then
+ # update ssl ca certificates for secure pem
+ run_in_chroot $FILESYSTEM_ROOT c_rehash
+fi
+run_in_chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg
+run_in_chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/trusted.gpg.d/
+sudo tee
$FILESYSTEM_ROOT/etc/apt/sources.list.d/docker.list >/dev/null < /dev/null < files/initramfs-tools/union-mount - j2 -f env files/initramfs-tools/arista-convertfs.j2 onie-image.conf > files/initramfs-tools/arista-convertfs RFS_SQUASHFS_NAME=$* \ - USERNAME="$(USERNAME)" \ - PASSWORD="$(PASSWORD)" \ - CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \ - TARGET_MACHINE=$(machine) \ - IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \ TARGET_PATH=$(TARGET_PATH) \ - TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) \ - SONIC_ENABLE_SECUREBOOT_SIGNATURE="$(SONIC_ENABLE_SECUREBOOT_SIGNATURE)" \ - SIGNING_KEY="$(SIGNING_KEY)" \ - SIGNING_CERT="$(SIGNING_CERT)" \ - PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \ DBGOPT='$(DBGOPT)' \ - SONIC_VERSION_CACHE=$(SONIC_VERSION_CACHE) \ + SONIC_DEFAULT_HOSTNAME=$(SONIC_DEFAULT_HOSTNAME) \ + SONIC_LINUX_KERNEL_VERSION=$(SONIC_LINUX_KERNEL_VERSION) \ + IMAGE_TYPE=$($(installer)_IMAGE_TYPE) \ MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \ CROSS_BUILD_ENVIRON=$(CROSS_BUILD_ENVIRON) \ - MASTER_KUBERNETES_VERSION=$(MASTER_KUBERNETES_VERSION) \ - MASTER_CRI_DOCKERD=$(MASTER_CRI_DOCKERD) \ - ./build_debian.sh $(LOG) + ./build_rfs.sh $(LOG) $(call SAVE_CACHE,$*,$@) @@ -1511,9 +1492,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ chmod +x sonic_debian_extension.sh, ) - export RFS_SPLIT_FIRST_STAGE=n - export RFS_SPLIT_LAST_STAGE=y - # Build images for the MACHINE, DEPENDENT_MACHINE defined. $(foreach dep_machine, $($*_MACHINE) $($*_DEPENDENT_MACHINE), \ DEBUG_IMG="$(INSTALL_DEBUG_TOOLS)" \ @@ -1553,6 +1531,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ MASTER_MDM_VERSION=$(MASTER_MDM_VERSION) \ MASTER_MDS_VERSION=$(MASTER_MDS_VERSION) \ MASTER_FLUENTD_VERSION=$(MASTER_FLUENTD_VERSION) \ + SONIC_DEFAULT_HOSTNAME=$(SONIC_DEFAULT_HOSTNAME) \ + SONIC_LINUX_KERNEL_VERSION=$(SONIC_LINUX_KERNEL_VERSION) \ ./build_debian.sh $(LOG) USERNAME="$(USERNAME)" \ 
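Review bot: In the new build_rfs.sh, the Docker repository key is fetched with `curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg` and moved into `/etc/apt/trusted.gpg.d/` with no fingerprint check, and a key in that directory is trusted by apt for every configured source, not only Docker's. The header comment says this stage can be kept in the DPKG cache, so a wrong key fetched once could persist across builds. I would compare the fingerprint with a value pinned in the repository before installing the key, store it under `/etc/apt/keyrings/`, and reference it from `docker.list` with `signed-by=/etc/apt/keyrings/docker.asc`. The body of `docker.list` is not readable on this page, so check whether it already scopes the key, and the sketch below assumes `gpg` is available on the build host.

```shell
run_in_chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg
# Refuse a key whose fingerprint differs from the value pinned in the repository
DOCKER_KEY_FPR="<PINNED_DOCKER_KEY_FINGERPRINT>"
actual_fpr=$(sudo gpg --show-keys --with-colons $FILESYSTEM_ROOT/tmp/docker.asc | awk -F: '/^fpr:/ {print $10; exit}')
[ "$actual_fpr" = "$DOCKER_KEY_FPR" ] || die "[ERROR] Unexpected Docker apt key fingerprint"
# Keep the key out of trusted.gpg.d so it is only trusted where signed-by names it
run_in_chroot $FILESYSTEM_ROOT mkdir -p /etc/apt/keyrings
run_in_chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/keyrings/docker.asc
# … unchanged: writing docker.list (add signed-by=/etc/apt/keyrings/docker.asc to its deb line) …
```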
From ba3949aa5201944bbe523e4e879eb5f3d618302a Mon Sep 17 00:00:00 2001
From: Konstantin Vasin <126960927+k-v1@users.noreply.github.com>
Date: Tue, 14 Nov 2023 15:31:29 +0300
Subject: [PATCH 5/5] allow to disable DPKG cache for RFS using option SONIC_ENABLE_RFS_DPKG_CACHE
---
 Makefile.cache | 7 ++++++-
 Makefile.work | 1 +
 rules/config | 3 +++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/Makefile.cache b/Makefile.cache
index 9a8191f2dc56..b8f9fa2d90ec 100644
--- a/Makefile.cache
+++ b/Makefile.cache
@@ -357,6 +357,11 @@ define SAVE_CACHE
 $(if $(call CHECK_WCACHE_ENABLED,$(1)), $(call SAVE_INTO_CACHE,$(1),$(2)))
 endef
+ifeq ($(SONIC_ENABLE_RFS_DPKG_CACHE),y)
+RFS_CACHE_MODE := GIT_CONTENT_SHA
+else
+RFS_CACHE_MODE := none
+endif
 RFS_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST) $(SONIC_VERSION_CONTROL_COMPONENTS) $(MIRROR_SNAPSHOT)
 RFS_DEP_FILES := $(SONIC_COMMON_FILES_LIST) $(SONIC_COMMON_BASE_FILES_LIST) \
 build_rfs.sh functions.sh \
@@ -392,7 +397,7 @@ $(foreach pkg, $(SONIC_INSTALL_PKGS), \
 $(foreach pkg, $(SONIC_RFS_TARGETS), \
 $(eval $(pkg)_DST_PATH := $(if $($(pkg)_DST_PATH), $($(pkg)_DST_PATH), $(TARGET_PATH))) \
- $(eval $(pkg)_CACHE_MODE := GIT_CONTENT_SHA) \
+ $(eval $(pkg)_CACHE_MODE := $(RFS_CACHE_MODE)) \
 $(eval $(pkg)_DEP_FLAGS := $(RFS_DEP_FLAGS)) \
 $(eval $(pkg)_DEP_FILES := $(RFS_DEP_FILES)) \
 $(eval $(TARGET_PATH)/$(pkg)_TARGET := $(pkg)) )
diff --git a/Makefile.work b/Makefile.work
index 8235157ce40d..e85d0974d04a 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -527,6 +527,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 KERNEL_PROCURE_METHOD=$(KERNEL_PROCURE_METHOD) \
 SONIC_DPKG_CACHE_METHOD=$(SONIC_DPKG_CACHE_METHOD) \
 SONIC_DPKG_CACHE_SOURCE=$(SONIC_DPKG_CACHE_SOURCE) \
+ SONIC_ENABLE_RFS_DPKG_CACHE=$(SONIC_ENABLE_RFS_DPKG_CACHE) \
 HTTP_PROXY=$(http_proxy) \
 HTTPS_PROXY=$(https_proxy) \
 NO_PROXY=$(no_proxy) \
diff --git a/rules/config b/rules/config
index 3dbe2e6c18d0..368bad2ec921 100644
--- a/rules/config
+++ b/rules/config
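Review bot: In the first Makefile.cache hunk, `ifeq ($(SONIC_ENABLE_RFS_DPKG_CACHE),y)` treats every value other than the exact string `y` as disabled, so an unset variable, `yes`, or a `y` followed by whitespace silently selects `RFS_CACHE_MODE := none`. Compare the stripped value instead, `ifeq ($(strip $(SONIC_ENABLE_RFS_DPKG_CACHE)),y)`. A comment above the block would also help, for example `# RFS cache mode: GIT_CONTENT_SHA only when SONIC_ENABLE_RFS_DPKG_CACHE is y; any other value disables the RFS cache`.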
@@ -121,6 +121,9 @@ FRR_USER_GID = 300
 SONIC_DPKG_CACHE_METHOD ?= none
 SONIC_DPKG_CACHE_SOURCE ?= /var/cache/sonic/artifacts
+# Enable DPKG cache for root fs (build_rfs.sh)
+SONIC_ENABLE_RFS_DPKG_CACHE ?= y
+
 # Default VS build memory preparation
 DEFAULT_VS_PREPARE_MEM = yes
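Review bot: The new comment `# Enable DPKG cache for root fs (build_rfs.sh)` does not say what a cache hit skips. build_rfs.sh runs `apt-get update` and `apt-get -y upgrade` to pick up security updates, and the cache key visible in Makefile.cache is built from `RFS_DEP_FLAGS` and `RFS_DEP_FILES`. With caching on and no pinned mirror snapshot, a reused root fs would presumably keep the package versions from the build that filled the cache. I would document that next to the default, for example `# y: reuse a cached root fs while its dep flags/files are unchanged (packages are not re-upgraded on a hit); any other value: always rebuild`, and confirm that `y` is the intended default for release builds.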