diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 97520a6..aaa3642 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,8 @@ stages:
lint:
stage: lint
image: hadolint/hadolint:latest
- script: hadolint --ignore DL3020 Dockerfile.template
+ # DL3007: We use the latest tag for multistage build
+ script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
rootfs:base:
stage: rootfs
@@ -20,10 +21,11 @@ rootfs:base:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
- - make base.tar.xz
+ - make dockerfile-image-base
artifacts:
paths:
- base.tar.xz
+ - Dockerfile.base
expire_in: 10m
reports:
dotenv: build.env
@@ -37,10 +39,11 @@ rootfs:base-devel:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
- - make base-devel.tar.xz
+ - make dockerfile-image-base-devel
artifacts:
paths:
- base-devel.tar.xz
+ - Dockerfile.base-devel
expire_in: 10m
reports:
dotenv: build.env
@@ -54,8 +57,6 @@ docker:base:
- job: "rootfs:base"
before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- - sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
- - unxz base.tar.xz
script:
- /kaniko/executor --whitelist-var-run="false"
@@ -72,8 +73,6 @@ docker:base-devel:
- job: "rootfs:base-devel"
before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- - sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
- - unxz base-devel.tar.xz
script:
- /kaniko/executor --whitelist-var-run="false"
diff --git a/Dockerfile.template b/Dockerfile.template
index ffe6415..45612ef 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
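Review bot: `base.tar.xz.SHA256`, which `make dockerfile-image-base` now writes next to `base.tar.xz` and which `ci/release.py` reads with `Path('base.tar.xz.SHA256').read_text()`, is not added to this job's `artifacts.paths`; only `Dockerfile.base` is. If the release job consumes the `rootfs:base` artifacts (that job is outside this diff), the hash file will be missing on a fresh pipeline and the release script fails with FileNotFoundError. Add `- base.tar.xz.SHA256` beside `- Dockerfile.base`; the `rootfs:base-devel` hunk has the same gap for `base-devel.tar.xz.SHA256`.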
@@ -1,5 +1,13 @@
+FROM archlinux:latest AS verify
+COPY TEMPLATE_ROOTFS_FILE /
+SHELL ["/bin/bash", "-c"]
+RUN ROOTFS="$(curl --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
+ sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
+ mkdir /rootfs && \
+ tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
+
 FROM scratch AS base
-ADD TEMPLATE_LOCATION_HERE /
+COPY --from=verify /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
diff --git a/Makefile b/Makefile
index 1736e13..9ed96df 100644
--- a/Makefile
+++ b/Makefile
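Review bot: The new `verify` stage builds on `FROM archlinux:latest`, so the stage that performs the rootfs hash check is itself unpinned, and the commit silences hadolint's DL3007 in `.gitlab-ci.yml` instead of addressing it; curl, sha256sum and tar all come from whatever `latest` resolves to at build time. Pinning by digest, `FROM archlinux@sha256:<digest-placeholder> AS verify`, and bumping it deliberately would make the verify step reproducible and let the DL3007 ignore go. The `curl` call also lacks `--fail`, so a 4xx/5xx error body is written as the rootfs file; `sha256sum -c` would still reject it, but the failure then reads as a hash mismatch rather than a failed download, so `curl --fail --continue-at - --remote-name ...` gives the clearer signal. Note that `sha256sum -c` verifies the file named in the `TEMPLATE_ROOTFS_HASH` line, which must be the same name `--remote-name` derives from the URL's last path segment; that holds for the Makefile's `file:///base.tar.xz` and, for `ci/release.py`, only if the GitLab upload URL ends in `base-<date>.tar.xz`.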
@@ -49,20 +49,32 @@ rootfs-base-devel: hooks
base.tar.xz: rootfs-base
xz -9 -T0 -f base.tar
+ sha256sum base.tar.xz > base.tar.xz.SHA256
base-devel.tar.xz: rootfs-base-devel
xz -9 -T0 -f base-devel.tar
+ sha256sum base-devel.tar.xz > base-devel.tar.xz.SHA256
+
+.PHONY: dockerfile-image-base
+dockerfile-image-base: base.tar.xz
+ sed -e "s/TEMPLATE_ROOTFS_FILE/base.tar.xz/" \
+ -e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base.tar.xz/" \
+ -e "s/TEMPLATE_ROOTFS_HASH/$$(cat base.tar.xz.SHA256)/" \
+ Dockerfile.template > Dockerfile.base
+
+.PHONY: dockerfile-image-base-devel
+dockerfile-image-base-devel: base-devel.tar.xz
+ sed -e "s/TEMPLATE_ROOTFS_FILE/base-devel.tar.xz/" \
+ -e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base-devel.tar.xz/" \
+ -e "s/TEMPLATE_ROOTFS_HASH/$$(cat base-devel.tar.xz.SHA256)/" \
+ Dockerfile.template > Dockerfile.base-devel
.PHONY: docker-image-base
-docker-image-base: base.tar.xz
- unxz base.tar.xz
- sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
+docker-image-base: dockerfile-image-base
docker build -f Dockerfile.base -t archlinux/archlinux:base .
.PHONY: docker-image-base-devel
-docker-image-base-devel: base-devel.tar.xz
- unxz base-devel.tar.xz
- sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
+docker-image-base-devel: dockerfile-image-base-devel
docker build -f Dockerfile.base-devel -t archlinux/archlinux:base-devel .
.PHONY: docker-push-base
diff --git a/ci/release.py b/ci/release.py
index 5896f20..b4b5fed 100755
--- a/ci/release.py
+++ b/ci/release.py
@@ -11,6 +11,7 @@ Required env vars:
"""
import os
+import re
from pathlib import Path
import gitlab
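Review bot: `dockerfile-image-base` reads `base.tar.xz.SHA256` through `$$(cat base.tar.xz.SHA256)` but only declares `base.tar.xz` as a prerequisite, and the hash file is produced as a side effect of that target's recipe. With a pre-existing `base.tar.xz` (built before this commit, or restored from a cache) make treats the target as up to date, `cat` fails, and the generated Dockerfile carries an empty `TEMPLATE_ROOTFS_HASH`, which only surfaces later as a `sha256sum -c` failure inside the image build. Making the hash file a real target that `dockerfile-image-base` depends on (and dropping the `sha256sum` lines from the two `.tar.xz` recipes) ties the two together; `dockerfile-image-base-devel` needs the same treatment.
```makefile
base.tar.xz.SHA256: base.tar.xz
	sha256sum base.tar.xz > $@

base-devel.tar.xz.SHA256: base-devel.tar.xz
	sha256sum base-devel.tar.xz > $@

.PHONY: dockerfile-image-base
dockerfile-image-base: base.tar.xz base.tar.xz.SHA256
# … unchanged: sed templating recipe for Dockerfile.base …

.PHONY: dockerfile-image-base-devel
dockerfile-image-base-devel: base-devel.tar.xz base-devel.tar.xz.SHA256
# … unchanged: sed templating recipe for Dockerfile.base-devel …
```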
@@ -24,22 +25,36 @@ if __name__ == "__main__":
project = gl.projects.get(project_id)
print("Uploading base.tar.xz")
+ base_filename = f"base-{build_date}.tar.xz"
base_uploaded_url = project.upload(
- f"base-{build_date}.tar.xz", filepath="base.tar.xz"
+ base_filename, filepath="base.tar.xz"
)["url"]
base_template = Path("Dockerfile.template").read_text()
base_full_url = f"{project_url}{base_uploaded_url}"
- base_replaced = base_template.replace("TEMPLATE_LOCATION_HERE", base_full_url)
+ base_replaced = base_template.replace("TEMPLATE_ROOTFS_URL", base_full_url)
+ base_hash = f"{Path('base.tar.xz.SHA256').read_text()[0:64]} {base_filename}"
+ base_replaced = base_replaced.replace(
+ "TEMPLATE_ROOTFS_HASH", base_hash
+ )
+ # Remove the line containing TEMPLATE_ROOTFS_FILE
+ base_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_replaced)
print("Uploading base-devel.tar.xz")
+ base_devel_filename = f"base-devel-{build_date}.tar.xz"
base_devel_uploaded_url = project.upload(
- f"base-devel-{build_date}.tar.xz", filepath="base-devel.tar.xz"
+ base_devel_filename, filepath="base-devel.tar.xz"
)["url"]
base_devel_template = Path("Dockerfile.template").read_text()
base_devel_full_url = f"{project_url}{base_devel_uploaded_url}"
base_devel_replaced = base_devel_template.replace(
- "TEMPLATE_LOCATION_HERE", base_devel_full_url
+ "TEMPLATE_ROOTFS_URL", base_devel_full_url
)
+ base_devel_hash = f"{Path('base-devel.tar.xz.SHA256').read_text()[0:64]} {base_devel_filename}"
+ base_devel_replaced = base_devel_replaced.replace(
+ "TEMPLATE_ROOTFS_HASH", base_devel_hash
+ )
+ # Remove the line containing TEMPLATE_ROOTFS_FILE
+ base_devel_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_devel_replaced)
print("Templating Dockerfiles")
data = {
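Review bot: `Path('base.tar.xz.SHA256').read_text()[0:64]` is spliced into the published Dockerfile without checking that it is a 64-character hex digest; an empty or truncated hash file produces a `TEMPLATE_ROOTFS_HASH` line that only fails later, when someone builds the published Dockerfile. Since `re` is now imported, a guard is one assignment plus one check: `digest = Path('base.tar.xz.SHA256').read_text()[0:64]` and `if not re.fullmatch(r'[0-9a-f]{64}', digest): raise SystemExit('base.tar.xz.SHA256 does not contain a SHA-256 digest')`, with the same for base-devel. The line is also built with a single space before the filename, whereas the Makefile passes `sha256sum`'s own output (two spaces); `f"{digest}  {base_filename}"` keeps both paths in the format `sha256sum -c` emits itself. The base and base-devel stanzas are now three statements longer and still duplicated line for line, so a small helper taking the variant name would halve the hunk; the enclosing `if __name__ == "__main__":` block starts before the hunk and continues after it.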