diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 31dcaac..043c7ec 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -39,6 +39,8 @@ get_version: stage: rootfs before_script: - pacman -Syu --noconfirm make devtools fakechroot fakeroot + script: + - make $PWD/output/Dockerfile.$GROUP artifacts: paths: - output/* @@ -54,8 +56,6 @@ rootfs: parallel: matrix: - GROUP: [base, base-devel] - script: - - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP rootfs:secure: extends: .rootfs @@ -70,8 +70,6 @@ rootfs:secure: parallel: matrix: - GROUP: [base, base-devel] - script: - - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP .image: stage: image @@ -151,22 +149,26 @@ image:publish:secure: refs: - releases - tags - script: - - pacman -Sy - - pacman -Qqk - - pacman -Syu --noconfirm docker grep - - docker -v - - id -u http - - locale | grep -q UTF-8 + +.test-script: &test-script + - pacman -Sy + - pacman -Qqk + - pacman -Syu --noconfirm docker grep + - docker -v + - id -u http + - locale | grep -q UTF-8 test:base: extends: .test image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG + script: + - *test-script test:base-devel: extends: .test image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG - after_script: + script: + - *test-script - gcc -v - g++ -v - make -v diff --git a/Dockerfile.template b/Dockerfile.template index 1ddf356..550bc3e 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
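Review bot: The new `script: - make $PWD/output/Dockerfile.$GROUP` line drops the explicit `$GROUP.tar.xz` goal without saying where the tarball now comes from; it is only the Makefile change in this same commit (`Dockerfile.$GROUP` now depends on `$GROUP.tar.xz`) that keeps `artifacts: paths: - output/*` collecting both files, and a reader of the CI file alone cannot see that. Suggest a comment on the script line, `# output/$GROUP.tar.xz is built as a prerequisite of the Dockerfile target in the Makefile`. The enclosing template (presumably the `.rootfs` that the later jobs extend) starts before this hunk.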
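Review bot: `.test-script: &test-script` is added as a hidden top-level key without a comment explaining how it is consumed: `- *test-script` inside `script:` expands to a list nested in a list, which GitLab CI is documented to flatten but which a plain YAML reader will not expect. Suggest `# hidden key (leading dot, not a job) holding the shared test commands; GitLab flattens the nested list when it is aliased inside script:` above the anchor. Also note that moving `gcc -v`, `g++ -v` and `make -v` from `after_script:` into `script:` in `test:base-devel` makes those checks fail the job on a non-zero exit, which they did not before; if that is intended it deserves a sentence, since the hunk reads like a pure refactor.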
@@ -20,15 +20,7 @@ RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROO FROM scratch AS root COPY --from=verify /rootfs/ / -# manually run all alpm hooks that can't be run inside the fakechroot -RUN ldconfig && update-ca-trust && locale-gen -RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers ' - -# update /etc/os-release -RUN ln -s /usr/lib/os-release /etc/os-release - -# initialize the archlinux keyring, but discard any private key that may be shipped. -RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*" +RUN ldconfig ENV LANG=en_US.UTF-8 CMD ["/usr/bin/bash"] diff --git a/Makefile b/Makefile index e430121..e827461 100644 --- a/Makefile +++ b/Makefile 
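Review bot: The surviving `RUN ldconfig` is left without any explanation now that the `# manually run all alpm hooks that can't be run inside the fakechroot` comment is removed together with the other hooks, so a reader cannot tell why this one hook still runs at image build time while `update-ca-trust`, `locale-gen`, the sysusers hook and `pacman-key` moved into the Makefile's chroot step. Presumably ldconfig is the one that still cannot run under fakechroot; suggest keeping that reason next to the line, e.g. `# ldconfig is the only alpm hook still run here; the rest now run in the Makefile's fakechroot rootfs step`. If it could be run in the rootfs build as well, the image layer would match the tarball exactly, which is worth stating either way.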
@@ -8,13 +8,22 @@ define rootfs mkdir -vp $(BUILDDIR)/var/lib/pacman/ $(OUTPUTDIR) install -Dm644 /usr/share/devtools/pacman-extra.conf $(BUILDDIR)/etc/pacman.conf cat pacman-conf.d-noextract.conf >> $(BUILDDIR)/etc/pacman.conf + fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \ --noconfirm --dbpath $(BUILDDIR)/var/lib/pacman \ --config $(BUILDDIR)/etc/pacman.conf \ --noscriptlet \ --hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2) + cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/ +fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust + fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen + fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers' + fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"' + + ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release + # remove passwordless login for root (see CVE-2019-5021 for reference) sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow" 
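Review bot: The new chroot commands address files relative to the working directory inside `chroot $(BUILDDIR)` — `ls usr/lib/sysusers.d/*.conf` and `rm -rf etc/pacman.d/gnupg/{...}*` — so the scrub of the material produced by `pacman-key --init` silently becomes a no-op, and the generated private keyring ends up in the published tarball, if the cwd inside the (fakechroot-emulated) chroot is ever not `/`. Prefer absolute paths, `rm -rf /etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*` and `ls /usr/lib/sysusers.d/*.conf`, and consider a final recipe line that fails the build if `$(BUILDDIR)/etc/pacman.d/gnupg/private-keys-v1.d` is non-empty before the tarball is packed. The `update-ca-trust` line also appears to lack the leading tab its neighbours carry, though that may be an artifact of the collapsed diff. The `rootfs` define starts before this hunk and its `endef` is not visible here.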
@@ -42,16 +51,16 @@ $(OUTPUTDIR)/base.tar.xz: $(OUTPUTDIR)/base-devel.tar.xz: $(call rootfs,base-devel,base base-devel) -$(OUTPUTDIR)/Dockerfile.base: +$(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.xz $(call dockerfile,base) -$(OUTPUTDIR)/Dockerfile.base-devel: +$(OUTPUTDIR)/Dockerfile.base-devel: $(OUTPUTDIR)/base-devel.tar.xz $(call dockerfile,base-devel) .PHONY: docker-image-base -image-base: $(OUTPUTDIR)/base.tar.xz $(OUTPUTDIR)/Dockerfile.base +image-base: $(OUTPUTDIR)/Dockerfile.base docker build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR) .PHONY: docker-image-base-devel -image-base-devel: $(OUTPUTDIR)/base-devel.tar.xz $(OUTPUTDIR)/Dockerfile.base-devel +image-base-devel: $(OUTPUTDIR)/Dockerfile.base-devel docker build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
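Review bot: `.PHONY: docker-image-base` and `.PHONY: docker-image-base-devel` declare names that no rule defines; the rules this hunk rewrites are `image-base` and `image-base-devel`, so neither is actually phony and a stray file named `image-base` would make `make image-base` a silent no-op. Change both declarations to `.PHONY: image-base` and `.PHONY: image-base-devel`. The new prerequisite on `$(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.xz` (and the base-devel twin) is undocumented; presumably `$(call dockerfile,...)` derives something from the tarball, and a one-line comment saying so would explain why the image targets no longer list the tarball themselves.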