From 934d9979a681d869f5eabc331beb16ea9fde8b9c Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 20 Jun 2014 17:58:12 -0700
Subject: [PATCH 1/4] updates: Add script for enabling the official update signing key. This script should be called before running build_image when generating official production images. Images built with official key will not accept updates signed with the default development signing key.
---
set_official | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100755 set_official
diff --git a/set_official b/set_official
new file mode 100755
index 0000000000..e7695f5e22
--- /dev/null
+++ b/set_official
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright (c) 2014 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+# Script must run inside the chroot
+restart_in_chroot_if_needed "$@"
+
+assert_not_root_user
+
+DEFINE_string board "${DEFAULT_BOARD}" \
+ "The board to update."
+DEFINE_boolean official ${FLAGS_TRUE} \
+ "Enable (or disable) official key."
+
+# Parse flags
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+switch_to_strict_mode
+
+# set BOARD and BOARD_ROOT
+. "${BUILD_LIBRARY_DIR}/toolchain_util.sh"
+. "${BUILD_LIBRARY_DIR}/board_options.sh"
+
+if [[ ${FLAGS_official} -eq ${FLAGS_TRUE} ]]; then
+ sudo mkdir -p "${BOARD_ROOT}/etc/portage/package.use"
+ sudo_clobber "${BOARD_ROOT}/etc/portage/package.use/official" \
+ <<<"coreos-base/coreos-au-key official"
+else
+ sudo rm -f "${BOARD_ROOT}/etc/portage/package.use/official"
+fi
+
+emerge-${BOARD} -v --quiet-build=y --nospinner coreos-base/coreos-au-key
From eb605751cd9fff43bb99801f35d1ac71ccf48a7b Mon Sep 17 00:00:00 2001
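Review bot: The new set_official script has no header comment saying when it must run or what state it leaves behind, so the constraint described in the commit message exists only in the log. Its effect is stored in `${BOARD_ROOT}/etc/portage/package.use/official` and stays there until the script is run again with the flag disabled, so later builds for the same board presumably keep using the official key setting. I would add, above `SCRIPT_ROOT=`, a comment such as `# Run before build_image for official production images; enables (or, with the flag disabled, removes) the 'official' USE flag on coreos-base/coreos-au-key for this board.` A second comment line noting that images built this way reject updates signed with the development key would carry over the rest of the commit message.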
From: Michael Marineau Date: Fri, 20 Jun 2014 18:45:20 -0700 Subject: [PATCH 2/4] build_image: check that set_official wasn't forgotten in official builds --- build_library/prod_image_util.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 96b1b5b6da..29b03cf8a2 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -42,6 +42,14 @@ create_prod_image() { emerge_to_image "${root_fs_dir}" coreos-base/coreos write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}" + # Assert that if this is supposed to be an official build that the + # official update keys have been used. + if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then + grep -q official \ + "${root_fs_dir}"/var/db/pkg/coreos-base/coreos-au-key-*/USE \ + || die_notrace "coreos-au-key is missing the 'official' use flag" + fi + # clean-ups of things we do not need sudo rm ${root_fs_dir}/etc/csh.env sudo rm -rf ${root_fs_dir}/var/db/pkg From 7231b95af12ab61bf76c7f3c1d9c11def43cdac0 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Mon, 23 Jun 2014 12:07:19 -0700 Subject: [PATCH 3/4] updates: extract usr partition when building images The current generate_update function is now less useful, the important part that we need is just the partition image now. Also by defaulting to extracting the partition the old cors_generate_update which is still in use by devserver can be removed entirely, devserver will just expect the extracted partition image instead. --- build_image | 7 +++++++ build_library/build_image_util.sh | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/build_image b/build_image index 1361315b48..e308099253 100755 --- a/build_image +++ b/build_image 
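Review bot: The assertion added to create_prod_image uses `grep -q official`, which is a substring match, so any USE entry that merely contains that text (a flag named `unofficial`, for instance) would satisfy it. Assuming the USE file is a whitespace-separated list of flag names, a whole-word match is stricter: `grep -qw official \`. The guard also runs only when `COREOS_OFFICIAL` compares numerically equal to 1; inside `[[ ]]` a non-numeric value such as `true` evaluates to 0 under `-eq`, so the check would be skipped silently, which deserves a comment wherever that variable is set. create_prod_image starts and ends outside this hunk.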
@@ -34,6 +34,8 @@ DEFINE_string group "${DEFAULT_GROUP}" \ "The update group." DEFINE_boolean generate_update "${FLAGS_FALSE}" \ "Generate update payload. (prod only)" +DEFINE_boolean extract_update "${FLAGS_TRUE}" \ + "Extract the /usr partition for generating updates." DEFINE_string developer_data "" \ "Insert a custom cloudinit file into the image." @@ -151,6 +153,9 @@ fi if [[ "${DEV_IMAGE}" -eq 1 ]]; then create_dev_image ${COREOS_DEVELOPER_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group} + if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then + extract_update "${COREOS_DEVELOPER_IMAGE_NAME}" "${DISK_LAYOUT}" + fi fi if [[ "${CONTAINER}" -eq 1 ]]; then @@ -161,6 +166,8 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then create_prod_image ${COREOS_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group} if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then generate_update "${COREOS_PRODUCTION_IMAGE_NAME}" ${DISK_LAYOUT} + elif [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then + extract_update "${COREOS_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi fi diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 2a19fa5c11..36ef234eb0 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -54,6 +54,16 @@ delete_prompt() { fi } +extract_update() { + local image_name="$1" + local disk_layout="$2" + local update_path="${BUILD_DIR}/${image_name%_image.bin}_update.bin" + + "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ + extract "${BUILD_DIR}/${image_name}" "USR-A" "${update_path}" + upload_image "${update_path}" +} + generate_update() { local image_name="$1" local disk_layout="$2" From d4c1c0b867af0eeb0af236e2614d1e36d7d146c4 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Mon, 23 Jun 2014 14:41:42 -0700 Subject: [PATCH 4/4] updates: use HTTPS for fetching update payloads --- core_roller_upload | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
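Review bot: In the `PROD_IMAGE` branch of build_image the new `extract_update` call sits in an `elif` behind `generate_update`, so a run with the generate flag set never reaches it even though `extract_update` defaults to true, while the `DEV_IMAGE` branch extracts whenever the flag is set. If generate_update already leaves the extracted partition image behind this is harmless, but that is not visible in the hunk and the flag help does not mention the interaction. I would state it in the help string, e.g. `"Extract the /usr partition for generating updates. (prod: skipped when generate_update is set)"`, or put a short comment on the `elif`.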
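Review bot: In the new extract_update function (build_library/build_image_util.sh) `upload_image` runs unconditionally after the `disk_util ... extract` call, so unless strict mode is active in every caller a failed extraction would still upload whatever is at `update_path`, possibly a stale file from an earlier build. Making the dependency explicit costs one line, using the helper already seen in prod_image_util.sh: `extract "${BUILD_DIR}/${image_name}" "USR-A" "${update_path}" || die_notrace "extracting USR-A from ${image_name} failed"`. The function also has no header comment; I would add `# Extract the USR-A partition of ${BUILD_DIR}/$1 (disk layout $2) to <name>_update.bin and upload it.` The trailing context lines of the hunk are the start of generate_update, which continues outside it.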
diff --git a/core_roller_upload b/core_roller_upload index ddece71ff9..eb04023c97 100755 --- a/core_roller_upload +++ b/core_roller_upload @@ -50,7 +50,7 @@ switch_to_strict_mode FLAGS_storage="${FLAGS_storage%%/}" GS_URL="${FLAGS_storage}/${FLAGS_board}/${FLAGS_version}/update.gz" -HTTP_URL="http://${GS_URL#gs://}" +HTTP_URL="https://commondatastorage.googleapis.com/${GS_URL#gs://}" gsutil cp "${FLAGS_payload}" "${GS_URL}" rollerctl \
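Review bot: The rewritten `HTTP_URL` in core_roller_upload is only correct when the storage flag is a `gs://` location: `${GS_URL#gs://}` leaves any other value untouched, and the result is now appended to the fixed host `commondatastorage.googleapis.com`, so a mistyped storage value would yield an HTTPS URL for an unrelated path instead of an error. A guard before the assignment would make the assumption explicit, e.g. `[[ "${FLAGS_storage}" == gs://* ]] || { echo "storage must be a gs:// URL" >&2; exit 1; }`. The variable is still named `HTTP_URL` although it now always holds an HTTPS URL; a comment such as `# Payloads are fetched over HTTPS only; do not switch back to http://` would help keep the scheme from being reverted. The rollerctl invocation that presumably consumes the value continues outside the hunk.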