refactor(build_image): Build dev and prod images independently

We need some more control over exactly what lands in dev vs prod images
which will require letting them diverge in what is currently the common
base image step. There isn't any real need for the base image in the
first place other than to speed up building both dev and prod images at
the same time but that isn't common enough to worry about.

As part of this cleanup also remove references to CHROMEOS_* variables
and the recovery image that never actually existed in CoreOS.

build_image

@@ -74,7 +74,7 @@ DEFINE_string version "" \
 # Parse command line.
 FLAGS "$@" || exit 1
 
-eval set -- "${FLAGS_ARGV}"
+eval set -- "${FLAGS_ARGV:-dev}"
 
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'switch_to_strict_mode' is specified before now.
@@ -92,14 +92,18 @@ check_gsutil_opts
 . "${BUILD_LIBRARY_DIR}/dev_image_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 
-parse_build_image_args
+PROD_IMAGE=0
+DEV_IMAGE=0
+for arg in "$@"; do
+  case "${arg}" in
+    prod) PROD_IMAGE=1 ;;
+    dev)  DEV_IMAGE=1 ;;
+    *)    die_notrace "Unknown image type ${arg}" ;;
+  esac
+done
 
 BASE_PACKAGE="coreos-base/coreos"
 
-PRISTINE_IMAGE_NAME=${CHROMEOS_BASE_IMAGE_NAME}
-
-DEVKEYSDIR="/usr/share/vboot/devkeys"
-
 eclean-$BOARD -d packages
 
 if [[ ${skip_blacklist_check} -ne 1 ]]; then
@@ -134,31 +138,14 @@ mkdir -p "${BUILD_DIR}"
 
 DISK_LAYOUT="${FLAGS_disk_layout:-base}"
 
-# Create the base image.
-create_base_image "${PRISTINE_IMAGE_NAME}" "${DISK_LAYOUT}" "${FLAGS_group}"
-if should_build_image ${PRISTINE_IMAGE_NAME}; then
-  upload_image "${BUILD_DIR}/${PRISTINE_IMAGE_NAME}"
+if [[ "${DEV_IMAGE}" -eq 1 ]]; then
+  create_base_image ${COREOS_DEVELOPER_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group}
+  install_dev_packages ${COREOS_DEVELOPER_IMAGE_NAME} ${DISK_LAYOUT}
+  upload_image "${BUILD_DIR}/${COREOS_DEVELOPER_IMAGE_NAME}"
 fi
 
-# Running board-specific setup if any exists.
-if type board_setup &>/dev/null; then
-  board_setup "${BUILD_DIR}/${PRISTINE_IMAGE_NAME}"
-fi
-
-# Create a developer image if an image that is based on it is requested.
-if should_build_image ${CHROMEOS_DEVELOPER_IMAGE_NAME}; then
-  if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
-    cp "${BUILD_DIR}/${PRISTINE_IMAGE_NAME}" \
-        "${BUILD_DIR}/${CHROMEOS_DEVELOPER_IMAGE_NAME}"
-  else
-    copy_image ${PRISTINE_IMAGE_NAME} ${CHROMEOS_DEVELOPER_IMAGE_NAME}
-  fi
-  install_dev_packages ${CHROMEOS_DEVELOPER_IMAGE_NAME} ${DISK_LAYOUT}
-  upload_image "${BUILD_DIR}/${CHROMEOS_DEVELOPER_IMAGE_NAME}"
-fi
-
-if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
-  copy_image ${CHROMEOS_BASE_IMAGE_NAME} ${COREOS_PRODUCTION_IMAGE_NAME}
+if [[ "${PROD_IMAGE}" -eq 1 ]]; then
+  create_base_image ${COREOS_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group}
   setup_prod_image ${COREOS_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT}
   upload_image "${BUILD_DIR}/${COREOS_PRODUCTION_IMAGE_NAME}"
   if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
@@ -166,10 +153,6 @@ if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
   fi
 fi
 
-if ! should_build_image ${PRISTINE_IMAGE_NAME}; then
-  rm -f "${BUILD_DIR}/${PRISTINE_IMAGE_NAME}"
-fi
-
 # Write out a version.txt file, this will be used by image_to_vm.sh
 tee "${BUILD_DIR}/version.txt" <<EOF
 COREOS_BUILD=${COREOS_BUILD}
@@ -203,15 +186,12 @@ EOF
 }
 
 # Print out the images we generated.
-if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
+if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   echo "CoreOS Production image created as ${COREOS_PRODUCTION_IMAGE_NAME}"
   print_image_to_vm "prod"
 fi
-if should_build_image ${CHROMEOS_BASE_IMAGE_NAME}; then
-  echo "Non-developer CoreOS image created as ${PRISTINE_IMAGE_NAME}"
-fi
-if should_build_image ${CHROMEOS_DEVELOPER_IMAGE_NAME}; then
-  echo "Developer image created as ${CHROMEOS_DEVELOPER_IMAGE_NAME}"
+if [[ "${DEV_IMAGE}" -eq 1 ]]; then
+  echo "Developer image created as ${COREOS_DEVELOPER_IMAGE_NAME}"
   print_image_to_vm
 fi
 

build_library/build_image_util.sh

@@ -18,7 +18,6 @@ else
 fi
 BUILD_DIR="${FLAGS_output_root}/${BOARD}/${IMAGE_SUBDIR}"
 OUTSIDE_OUTPUT_DIR="../build/images/${BOARD}/${IMAGE_SUBDIR}"
-IMAGES_TO_BUILD=
 
 set_build_symlinks() {
     local build=$(basename ${BUILD_DIR})
@@ -29,70 +28,6 @@ set_build_symlinks() {
     done
 }
 
-# Populates list of IMAGES_TO_BUILD from args passed in.
-# Arguments should be the shortnames of images we want to build.
-get_images_to_build() {
-  local image_to_build
-  for image_to_build in $*; do
-    # Shflags leaves "'"s around ARGV.
-    case ${image_to_build} in
-      \'prod\' )
-        IMAGES_TO_BUILD="${IMAGES_TO_BUILD} ${COREOS_PRODUCTION_IMAGE_NAME}"
-        ;;
-      \'base\' )
-        IMAGES_TO_BUILD="${IMAGES_TO_BUILD} ${CHROMEOS_BASE_IMAGE_NAME}"
-        ;;
-      \'dev\' )
-        IMAGES_TO_BUILD="${IMAGES_TO_BUILD} ${CHROMEOS_DEVELOPER_IMAGE_NAME}"
-        ;;
-      * )
-        die "${image_to_build} is not an image specification."
-        ;;
-    esac
-  done
-
-  # Set default if none specified.
-  if [ -z "${IMAGES_TO_BUILD}" ]; then
-    IMAGES_TO_BUILD=${CHROMEOS_DEVELOPER_IMAGE_NAME}
-  fi
-
-  info "The following images will be built ${IMAGES_TO_BUILD}."
-}
-
-# Look at flags to determine which image types we should build.
-parse_build_image_args() {
-  get_images_to_build ${FLAGS_ARGV}
-}
-
-should_build_image() {
-  # Fast pass back if we should build all incremental images.
-  local image_name
-  local image_to_build
-
-  for image_name in "$@"; do
-    for image_to_build in ${IMAGES_TO_BUILD}; do
-      [ "${image_to_build}" = "${image_name}" ] && return 0
-    done
-  done
-
-  return 1
-}
-
-# Utility function for creating a copy of an image prior to
-# modification from the BUILD_DIR:
-#  $1: source filename
-#  $2: destination filename
-copy_image() {
-  local src="${BUILD_DIR}/$1"
-  local dst="${BUILD_DIR}/$2"
-  if should_build_image $1; then
-    echo "Creating $2 from $1..."
-    cp --sparse=always "${src}" "${dst}" || die "Cannot copy $1 to $2"
-  else
-    mv "${src}" "${dst}" || die "Cannot move $1 to $2"
-  fi
-}
-
 check_blacklist() {
   info "Verifying that the base image does not contain a blacklisted package."
   info "Generating list of packages for ${BASE_PACKAGE}."

common.sh

@@ -404,16 +404,8 @@ DEFAULT_FAST=${FLAGS_FALSE}
 BUILD_DIR=
 
 # Standard filenames
-CHROMEOS_BASE_IMAGE_NAME="coreos_base_image.bin"
-CHROMEOS_DEVELOPER_IMAGE_NAME="coreos_developer_image.bin"
-CHROMEOS_IMAGE_NAME="$CHROMEOS_DEVELOPER_IMAGE_NAME"
-CHROMEOS_RECOVERY_IMAGE_NAME="recovery_image.bin"
-
-COREOS_BASE_IMAGE_NAME=${CHROMEOS_BASE_IMAGE_NAME}
-COREOS_IMAGE_NAME=${CHROMEOS_IMAGE_NAME}
-COREOS_DEVELOPER_IMAGE_NAME=${CHROMEOS_DEVELOPER_IMAGE_NAME}
+COREOS_DEVELOPER_IMAGE_NAME="coreos_developer_image.bin"
 COREOS_PRODUCTION_IMAGE_NAME="coreos_production_image.bin"
-COREOS_RECOVERY_IMAGE_NAME=${CHROMEOS_RECOVERY_IMAGE_NAME}
 
 # -----------------------------------------------------------------------------
 # Functions

image_to_vm.sh

@@ -91,7 +91,7 @@ if [ ${FLAGS_prod_image} -eq ${FLAGS_TRUE} ]; then
   set_vm_paths "${FLAGS_from}" "${FLAGS_to}" "${COREOS_PRODUCTION_IMAGE_NAME}"
 else
   # Use the standard image
-  set_vm_paths "${FLAGS_from}" "${FLAGS_to}" "${CHROMEOS_IMAGE_NAME}"
+  set_vm_paths "${FLAGS_from}" "${FLAGS_to}" "${COREOS_DEVELOPER_IMAGE_NAME}"
 fi
 
 # Make sure things are cleaned up on failure

security_test_image

@@ -1,112 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-CROS_LOG_PREFIX=${0##*/}
-
-SCRIPT_ROOT=$(dirname "$(readlink -f "$0")")
-. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1
-
-# Developer-visible flags.
-DEFINE_string board "${DEFAULT_BOARD}" \
-  "The board to build an image for."
-DEFINE_string image "" \
-  "Source release image to use (${CHROMEOS_RECOVERY_IMAGE_NAME} by default)."
-DEFINE_string baselines "" \
-  "Directory to load security baselines from (default from cros-signing)"
-
-FLAGS_HELP="USAGE: security_test_image [flags]
-This script is used to run security tests on a Chrome OS images.
-
-Note: You probably will need an internal checkout by default for these
-      tests to be useful.  You can provide your own baselines, but you
-      can certainly provide your own set of configs.
-
-Note: These tests will fail on dev images.  They are designed to
-      check recovery images only.
-"
-show_help_if_requested "$@"
-
-# Parse command line.
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Only now can we die on error.  shflags functions leak non-zero error codes,
-# so will die prematurely if 'switch_to_strict_mode' is specified before now.
-switch_to_strict_mode
-
-SIGNER_DIR="${CHROOT_TRUNK_DIR}/cros-signing"
-SIGNING_TOOLS_DIR="${SIGNER_DIR}/signer/signingtools-bin"
-SECURITY_BASELINE_DIR="${SIGNER_DIR}/security_test_baselines"
-VBOOT_DIR="${CHROOT_TRUNK_DIR}/src/platform/vboot_reference/scripts/"\
-"image_signing"
-
-# No security baselines provided.  Use the standard one.
-if [[ -z ${FLAGS_baselines} ]]; then
-  FLAGS_baselines=${SECURITY_BASELINE_DIR}
-  if [[ ! -d ${FLAGS_baselines} ]]; then
-    if [[ ! -d ${SIGNER_DIR} ]]; then
-      warn "Skipping security tests with public manifest"
-      exit 0
-    else
-      die "Could not locate security baselines from" \
-          "${FLAGS_baselines} with private manifest"
-    fi
-  fi
-fi
-info "Loading baselines from ${FLAGS_baselines}"
-
-# No image was provided.  Use the standard latest image.
-if [[ -z ${FLAGS_image} ]]; then
-  DEFAULT_IMAGE_DIR=$("${SCRIPT_ROOT}"/get_latest_image.sh \
-                        --board="${FLAGS_board}")
-  FLAGS_image="${DEFAULT_IMAGE_DIR}/${CHROMEOS_RECOVERY_IMAGE_NAME}"
-fi
-info "Using ${FLAGS_image}"
-
-# The signer uses these binaries, so we should too.
-PATH="${SIGNING_TOOLS_DIR}:${PATH}"
-
-# Run all the security tests.
-failed_count=0
-run_check() {
-  local cmd=(
-    "${VBOOT_DIR}/ensure_$1.sh"
-    "${FLAGS_image}"
-  )
-  if [[ $# -ge 2 ]]; then
-    cmd+=( "${FLAGS_baselines}/ensure_$1.config" )
-  fi
-  info "Running ensure_$1.sh"
-  if ! "${cmd[@]}"; then
-    error "$1: test failed"
-    : $(( ++failed_count ))
-  fi
-}
-
-sec_checks=(
-  no_nonrelease_files
-  sane_lsb-release
-  secure_kernelparams
-)
-for check in "${sec_checks[@]}"; do
-  run_check "${check}" "${check}"
-done
-
-sec_checks=(
-  not_ASAN
-  # This test requires an update key to be inserted
-  # first which the signer itself currently does.
-  #update_verification
-)
-for check in "${sec_checks[@]}"; do
-  run_check "${check}"
-done
-
-if [[ ${failed_count} -gt 0 ]]; then
-  die_notrace "${failed_count} tests failed"
-else
-  info "All tests passed!"
-fi