From d177146b3b09145d71146190cb947b9ee675f7da Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 16:48:54 +0100
Subject: [PATCH 1/6] Move all Dockerfile commands to Makefile

Resolves #45.
---
 Dockerfile.template | 10 ----------
 Makefile | 9 +++++++++
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index 1ddf356..e68d3d8 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -20,15 +20,5 @@ RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROO
 FROM scratch AS root
 COPY --from=verify /rootfs/ /
 
-# manually run all alpm hooks that can't be run inside the fakechroot
-RUN ldconfig && update-ca-trust && locale-gen
-RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
-
-# update /etc/os-release
-RUN ln -s /usr/lib/os-release /etc/os-release
-
-# initialize the archlinux keyring, but discard any private key that may be shipped.
-RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
-
 ENV LANG=en_US.UTF-8
 CMD ["/usr/bin/bash"]
diff --git a/Makefile b/Makefile
index e430121..0d556f3 100644
--- a/Makefile
+++ b/Makefile
@@ -8,11 +8,20 @@ define rootfs
 mkdir -vp $(BUILDDIR)/var/lib/pacman/ $(OUTPUTDIR)
 install -Dm644 /usr/share/devtools/pacman-extra.conf $(BUILDDIR)/etc/pacman.conf
 cat pacman-conf.d-noextract.conf >> $(BUILDDIR)/etc/pacman.conf
+
 fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
 --noconfirm --dbpath $(BUILDDIR)/var/lib/pacman \
 --config $(BUILDDIR)/etc/pacman.conf \
 --noscriptlet \
 --hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2)
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) ldconfig
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers'
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"'
+
+ ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
+
 cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
 
 # remove passwordless login for root (see CVE-2019-5021 for reference)
From 0b616a629affc2fed93ab331139d3bf7898c970b Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 16:50:03 +0100
Subject: [PATCH 2/6] Always build rootfs archives before the Dockerfiles

The Dockerfiles require them for their sha256sum.
---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 0d556f3..06477fc 100644
--- a/Makefile
+++ b/Makefile
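Review bot: The explanatory comments that the Dockerfile hunk drops are not carried over, so the new recipe lines in `define rootfs` give no hint why these hooks are run by hand or why the keyring step ends in an `rm -rf`; please restore them above the corresponding lines, e.g. `# manually run all alpm hooks that can't be run inside the fakechroot` before the `ldconfig` line and `# initialize the archlinux keyring, but discard any private key that may be shipped` before the `pacman-key --init` line. The second comment matters because that `rm -rf` of `private-keys-v1.d/` is the only step keeping the local key material created by `pacman-key --init` out of the published rootfs. Note also that `rm -rf etc/pacman.d/gnupg/...` and `ls usr/lib/sysusers.d/*.conf` use paths relative to the chroot root, so they depend on `chroot` (and fakechroot's emulation of it) leaving the working directory at the new root; a short comment would make that intentional. `define rootfs` starts before this hunk and ends after it.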
@@ -51,16 +51,16 @@ $(OUTPUTDIR)/base.tar.xz:
 $(OUTPUTDIR)/base-devel.tar.xz:
 $(call rootfs,base-devel,base base-devel)
 
-$(OUTPUTDIR)/Dockerfile.base:
+$(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.xz
 $(call dockerfile,base)
 
-$(OUTPUTDIR)/Dockerfile.base-devel:
+$(OUTPUTDIR)/Dockerfile.base-devel: $(OUTPUTDIR)/base-devel.tar.xz
 $(call dockerfile,base-devel)
 
 .PHONY: docker-image-base
-image-base: $(OUTPUTDIR)/base.tar.xz $(OUTPUTDIR)/Dockerfile.base
+image-base: $(OUTPUTDIR)/Dockerfile.base
 docker build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
 
 .PHONY: docker-image-base-devel
-image-base-devel: $(OUTPUTDIR)/base-devel.tar.xz $(OUTPUTDIR)/Dockerfile.base-devel
+image-base-devel: $(OUTPUTDIR)/Dockerfile.base-devel
 docker build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
From a51b77535ab6413906b183993e82fd7f60a124bb Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 17:09:11 +0100
Subject: [PATCH 3/6] Clean GitLabCI make commands

---
 .gitlab-ci.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 31dcaac..d437f6f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -39,6 +39,8 @@ get_version:
 stage: rootfs
 before_script:
 - pacman -Syu --noconfirm make devtools fakechroot fakeroot
+ script:
+ - make $PWD/output/Dockerfile.$GROUP
 artifacts:
 paths:
 - output/*
@@ -54,8 +56,6 @@ rootfs:
 parallel:
 matrix:
 - GROUP: [base, base-devel]
- script:
- - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
 
 rootfs:secure:
 extends: .rootfs
@@ -70,8 +70,6 @@ rootfs:secure:
 parallel:
 matrix:
 - GROUP: [base, base-devel]
- script:
- - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
 
 .image:
 stage: image
From 52c1613c205cb1cd9edae59fe76849591377022a Mon Sep 17 00:00:00 2001
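Review bot: The `.PHONY: docker-image-base` and `.PHONY: docker-image-base-devel` declarations that appear as context in this hunk name targets that do not exist; the rules beneath them are `image-base` and `image-base-devel`, so those remain ordinary file targets and a stray file called `image-base` in the working tree would turn `make image-base` into a silent no-op. Since the hunk already rewrites both rule headers, this is the natural place to correct the declarations to `.PHONY: image-base` and `.PHONY: image-base-devel`. The new chain image → Dockerfile → tar.xz otherwise reads correctly, given the commit message's statement that the Dockerfile embeds the archive's sha256sum.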
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 17:19:16 +0100
Subject: [PATCH 4/6] Don't use after_script to test base-devel

after_script won't affect the job exit code [1], so we can't use it for tests. Instead we are using YAML anchors for script [2].
[1] https://docs.gitlab.com/ee/ci/yaml/#before_script-and-after_script
[2] https://docs.gitlab.com/ee/ci/yaml/#yaml-anchors-for-script
---
 .gitlab-ci.yml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d437f6f..043c7ec 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -149,22 +149,26 @@ image:publish:secure:
 refs:
 - releases
 - tags
- script:
- - pacman -Sy
- - pacman -Qqk
- - pacman -Syu --noconfirm docker grep
- - docker -v
- - id -u http
- - locale | grep -q UTF-8
+
+.test-script: &test-script
+ - pacman -Sy
+ - pacman -Qqk
+ - pacman -Syu --noconfirm docker grep
+ - docker -v
+ - id -u http
+ - locale | grep -q UTF-8
 
 test:base:
 extends: .test
 image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
+ script:
+ - *test-script
 
 test:base-devel:
 extends: .test
 image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
- after_script:
+ script:
+ - *test-script
 - gcc -v
 - g++ -v
 - make -v
From f875ac9565ce0af7e57c2e6976301c5f406ea825 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 17:52:07 +0100
Subject: [PATCH 5/6] Move ldconfig back to Dockerfile since its a noop in fakechroot

strace: execve("/bin/true", ["ldconfig"], 0x563fc29f9fa0 /* 101 vars */) = 0
---
 Dockerfile.template | 2 ++
 Makefile | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index e68d3d8..550bc3e 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -20,5 +20,7 @@ RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROO
 FROM scratch AS root
 COPY --from=verify /rootfs/ /
 
+RUN ldconfig
+
 ENV LANG=en_US.UTF-8
 CMD ["/usr/bin/bash"]
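Review bot: The checks gathered under `&test-script` verify presence only: `pacman -Qqk` reports package files that are missing, not files whose size, permissions or contents differ from what the package shipped, so an image with a tampered or truncated binary would still pass this stage. If the images keep the package mtree data, `pacman -Qqkk` performs that stricter comparison; either way the intent of the list deserves a comment on the anchor, e.g. `# sanity checks shared by every test job; -Qqk only confirms package files exist`. Using `- *test-script` inside `script:` yields a nested list that GitLab flattens, which per the docs cited in the commit message is the supported way to reuse script fragments. The `test:base-devel` job may continue past the end of the hunk.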
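Review bot: The reason `RUN ldconfig` returns to `Dockerfile.template` lives only in the commit message (the strace line shows fakechroot execs `/bin/true` in its place), which readers of the template will never see; add it as a comment above the new line, e.g. `# ldconfig is a no-op under fakechroot, so the ld.so cache must be built here`. Without that comment the line looks like a leftover of the commands the first patch in this series removed from the same spot.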
diff --git a/Makefile b/Makefile
index 06477fc..5c68c65 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,6 @@ define rootfs
 --config $(BUILDDIR)/etc/pacman.conf \
 --noscriptlet \
 --hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2)
- fakechroot -- fakeroot -- chroot $(BUILDDIR) ldconfig
 fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
 fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen
 fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers'
From 17b668efb44a23c3b5605b209434448203320743 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Sat, 7 Nov 2020 21:14:58 +0100
Subject: [PATCH 6/6] Add configuration files before we run locale-gen

---
 Makefile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 5c68c65..e827461 100644
--- a/Makefile
+++ b/Makefile
@@ -14,15 +14,16 @@ define rootfs
 --config $(BUILDDIR)/etc/pacman.conf \
 --noscriptlet \
 --hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2)
- fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
+
+ cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
+
+fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
 fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen
 fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers'
 fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"'
 
 ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
 
- cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
-
 # remove passwordless login for root (see CVE-2019-5021 for reference)
 sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"