Merge branch 'verify-rootfs' into 'add-base-devel-tags'

Generate and verify checksum for the rootfs

See merge request archlinux/archlinux-docker!40
Sven-Hendrik Haase 2020-10-13 22:44:52 +00:00
commit 9f60536bd5
4 changed files with 52 additions and 18 deletions


@ -9,7 +9,8 @@ stages:
lint: lint:
stage: lint stage: lint
image: hadolint/hadolint:latest image: hadolint/hadolint:latest
script: hadolint --ignore DL3020 Dockerfile.template # DL3007: We use the latest tag for multistage build
script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
rootfs:base: rootfs:base:
stage: rootfs stage: rootfs
@ -20,10 +21,11 @@ rootfs:base:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env - echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script: script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot - pacman -Syu --noconfirm make devtools fakechroot fakeroot
- make base.tar.xz - make dockerfile-image-base
artifacts: artifacts:
paths: paths:
- base.tar.xz - base.tar.xz
- Dockerfile.base
expire_in: 10m expire_in: 10m
reports: reports:
dotenv: build.env dotenv: build.env
@ -37,10 +39,11 @@ rootfs:base-devel:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env - echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script: script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot - pacman -Syu --noconfirm make devtools fakechroot fakeroot
- make base-devel.tar.xz - make dockerfile-image-base-devel
artifacts: artifacts:
paths: paths:
- base-devel.tar.xz - base-devel.tar.xz
- Dockerfile.base-devel
expire_in: 10m expire_in: 10m
reports: reports:
dotenv: build.env dotenv: build.env
@ -54,8 +57,6 @@ docker:base:
- job: "rootfs:base" - job: "rootfs:base"
before_script: before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
- unxz base.tar.xz
script: script:
- /kaniko/executor - /kaniko/executor
--whitelist-var-run="false" --whitelist-var-run="false"
@ -72,8 +73,6 @@ docker:base-devel:
- job: "rootfs:base-devel" - job: "rootfs:base-devel"
before_script: before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
- unxz base-devel.tar.xz
script: script:
- /kaniko/executor - /kaniko/executor
--whitelist-var-run="false" --whitelist-var-run="false"
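Review bot: The `base.tar.xz.SHA256` file that the new `make dockerfile-image-base` target writes is not in the `rootfs:base` artifact `paths` (only `base.tar.xz` and `Dockerfile.base` are listed), and the same holds for `base-devel.tar.xz.SHA256` in `rootfs:base-devel`. The release script changed in this same commit reads those `.SHA256` files directly, so if it runs in a later job that consumes these artifacts rather than rebuilding the rootfs, it will fail on a missing file; adding `- base.tar.xz.SHA256` and `- base-devel.tar.xz.SHA256` to the respective `paths` lists makes the checksum travel with the tarball. It is also worth stating in the job what the embedded hash actually guards: it is computed by the same job that produced the tarball, so the later `sha256sum -c` in the Dockerfile protects the artifact handoff between jobs, not the build itself, e.g. `# Dockerfile.base embeds the sha256 of base.tar.xz; docker:base verifies it before extracting`. The `# DL3007` comment explains the lint exception but not that the `verify` stage it covers runs the checksum check from an unpinned `archlinux:latest`.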


@ -1,5 +1,13 @@
FROM archlinux:latest AS verify
COPY TEMPLATE_ROOTFS_FILE /
SHELL ["/bin/bash", "-c"]
RUN ROOTFS="$(curl --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
mkdir /rootfs && \
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
FROM scratch AS base FROM scratch AS base
ADD TEMPLATE_LOCATION_HERE / COPY --from=verify /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot # manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen RUN ldconfig && update-ca-trust && locale-gen
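Review bot: The `curl` call on the `RUN` line has no `--fail`, so an HTTP error response for `TEMPLATE_ROOTFS_URL` is written into the output file and only rejected one step later by `sha256sum -c` with a misleading checksum-mismatch message; `RUN ROOTFS="$(curl --fail --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \` fails with the HTTP status instead. The local-build path is non-obvious and deserves a comment: `COPY TEMPLATE_ROOTFS_FILE /` puts the tarball at the same path the `file:///…` URL names, and it is presumably `--continue-at -` that makes curl treat the already-complete file as finished rather than clobbering it, e.g. `# local builds: the archive is already COPY'd to /; --continue-at - makes the fetch a no-op`. The `sha256sum -c` checks integrity against a digest templated in by the same pipeline that produced the archive, not a signature, so a scope comment such as `# integrity only: the hash is generated alongside the tarball, there is no signature check` keeps readers from over-trusting it. Note that the `verify` stage itself is built on an unpinned `archlinux:latest`, so the tools performing the check are less pinned than the artifact they check.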


@ -49,20 +49,32 @@ rootfs-base-devel: hooks
base.tar.xz: rootfs-base base.tar.xz: rootfs-base
xz -9 -T0 -f base.tar xz -9 -T0 -f base.tar
sha256sum base.tar.xz > base.tar.xz.SHA256
base-devel.tar.xz: rootfs-base-devel base-devel.tar.xz: rootfs-base-devel
xz -9 -T0 -f base-devel.tar xz -9 -T0 -f base-devel.tar
sha256sum base-devel.tar.xz > base-devel.tar.xz.SHA256
.PHONY: dockerfile-image-base
dockerfile-image-base: base.tar.xz
sed -e "s/TEMPLATE_ROOTFS_FILE/base.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_HASH/$$(cat base.tar.xz.SHA256)/" \
Dockerfile.template > Dockerfile.base
.PHONY: dockerfile-image-base-devel
dockerfile-image-base-devel: base-devel.tar.xz
sed -e "s/TEMPLATE_ROOTFS_FILE/base-devel.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base-devel.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_HASH/$$(cat base-devel.tar.xz.SHA256)/" \
Dockerfile.template > Dockerfile.base-devel
.PHONY: docker-image-base .PHONY: docker-image-base
docker-image-base: base.tar.xz docker-image-base: dockerfile-image-base
unxz base.tar.xz
sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
docker build -f Dockerfile.base -t archlinux/archlinux:base . docker build -f Dockerfile.base -t archlinux/archlinux:base .
.PHONY: docker-image-base-devel .PHONY: docker-image-base-devel
docker-image-base-devel: base-devel.tar.xz docker-image-base-devel: dockerfile-image-base-devel
unxz base-devel.tar.xz
sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
docker build -f Dockerfile.base-devel -t archlinux/archlinux:base-devel . docker build -f Dockerfile.base-devel -t archlinux/archlinux:base-devel .
.PHONY: docker-push-base .PHONY: docker-push-base
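Review bot: The `$$(cat base.tar.xz.SHA256)` substitution inside the `dockerfile-image-base` sed call cannot fail the recipe: a command substitution's exit status is discarded, so if `base.tar.xz` exists but its `.SHA256` side-file does not (for example a tarball restored from an artifact cache), `TEMPLATE_ROOTFS_HASH` is silently replaced with an empty string and the problem only surfaces when the image build runs `sha256sum -c` on an empty line. The `.SHA256` files are currently written as a side effect of the `base.tar.xz` / `base-devel.tar.xz` rules and are not prerequisites of the targets that read them. Making the checksum a real target and a prerequisite (and dropping the two `sha256sum … > …SHA256` lines from the `.tar.xz` rules) lets make fail early and keeps the dependency explicit; the `.PHONY` lines and the sed bodies are unchanged.
```makefile
# The checksum is a real target so a tarball without its .SHA256 fails make
# instead of templating an empty TEMPLATE_ROOTFS_HASH into the Dockerfile.
%.tar.xz.SHA256: %.tar.xz
	sha256sum $< > $@

.PHONY: dockerfile-image-base
dockerfile-image-base: base.tar.xz base.tar.xz.SHA256
# … unchanged: sed templating of Dockerfile.base …

.PHONY: dockerfile-image-base-devel
dockerfile-image-base-devel: base-devel.tar.xz base-devel.tar.xz.SHA256
# … unchanged: sed templating of Dockerfile.base-devel …
```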


@ -11,6 +11,7 @@ Required env vars:
""" """
import os import os
import re
from pathlib import Path from pathlib import Path
import gitlab import gitlab
@ -24,22 +25,36 @@ if __name__ == "__main__":
project = gl.projects.get(project_id) project = gl.projects.get(project_id)
print("Uploading base.tar.xz") print("Uploading base.tar.xz")
base_filename = f"base-{build_date}.tar.xz"
base_uploaded_url = project.upload( base_uploaded_url = project.upload(
f"base-{build_date}.tar.xz", filepath="base.tar.xz" base_filename, filepath="base.tar.xz"
)["url"] )["url"]
base_template = Path("Dockerfile.template").read_text() base_template = Path("Dockerfile.template").read_text()
base_full_url = f"{project_url}{base_uploaded_url}" base_full_url = f"{project_url}{base_uploaded_url}"
base_replaced = base_template.replace("TEMPLATE_LOCATION_HERE", base_full_url) base_replaced = base_template.replace("TEMPLATE_ROOTFS_URL", base_full_url)
base_hash = f"{Path('base.tar.xz.SHA256').read_text()[0:64]} {base_filename}"
base_replaced = base_replaced.replace(
"TEMPLATE_ROOTFS_HASH", base_hash
)
# Remove the line containing TEMPLATE_ROOTFS_FILE
base_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_replaced)
print("Uploading base-devel.tar.xz") print("Uploading base-devel.tar.xz")
base_devel_filename = f"base-devel-{build_date}.tar.xz"
base_devel_uploaded_url = project.upload( base_devel_uploaded_url = project.upload(
f"base-devel-{build_date}.tar.xz", filepath="base-devel.tar.xz" base_devel_filename, filepath="base-devel.tar.xz"
)["url"] )["url"]
base_devel_template = Path("Dockerfile.template").read_text() base_devel_template = Path("Dockerfile.template").read_text()
base_devel_full_url = f"{project_url}{base_devel_uploaded_url}" base_devel_full_url = f"{project_url}{base_devel_uploaded_url}"
base_devel_replaced = base_devel_template.replace( base_devel_replaced = base_devel_template.replace(
"TEMPLATE_LOCATION_HERE", base_devel_full_url "TEMPLATE_ROOTFS_URL", base_devel_full_url
) )
base_devel_hash = f"{Path('base-devel.tar.xz.SHA256').read_text()[0:64]} {base_devel_filename}"
base_devel_replaced = base_devel_replaced.replace(
"TEMPLATE_ROOTFS_HASH", base_devel_hash
)
# Remove the line containing TEMPLATE_ROOTFS_FILE
base_devel_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_devel_replaced)
print("Templating Dockerfiles") print("Templating Dockerfiles")
data = { data = {
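Review bot: `Path('base.tar.xz.SHA256').read_text()[0:64]` slices the digest out of the file without validating it, so a missing, truncated or otherwise malformed `.SHA256` file produces a bogus `TEMPLATE_ROOTFS_HASH` that is only noticed when the published Dockerfile fails to build; since `re` is now imported, a guard such as `digest = Path('base.tar.xz.SHA256').read_text()[0:64]` followed by `if not re.fullmatch(r"[0-9a-f]{64}", digest): raise SystemExit("malformed base.tar.xz.SHA256")` fails the release step instead (the same applies to the base-devel copy). The templated line uses a single space between digest and file name whereas `sha256sum` itself writes two; GNU `sha256sum -c` appears to accept the single-space form via its BSD-reversed fallback parser, but emitting the canonical form `f"{digest}  {base_filename}"` avoids depending on that. The base and base-devel blocks are now identical apart from the names and could share one helper, which would also keep the validation in a single place. The enclosing `if __name__ == "__main__":` block starts before this hunk.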