Verified Commit 0ecdad06 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Implement secure deployment concept

parent 4da01263
Pipeline #1858 passed with stages
in 21 minutes and 46 seconds
......@@ -25,10 +25,9 @@ shfmt:
before_script:
- pacman -Syu --needed --noconfirm qemu-headless libisoburn
script:
- echo "BUILD_DATE=$(date -I)" > build.env
- . build.env
- ./build-in-qemu.sh
- mv build.env output/
- echo "BUILD_VERSION=$(date +%Y.%m.%d)" > build.env
- export $(< build.env)
- ./build-host.sh
after_script:
- echo "image_size_megabytes{image=\"qcow2\"} $(du -m output/*cloudimg*qcow2)" > metrics.txt
- echo "image_size_megabytes{image=\"libvirt\"} $(du -m output/*libvirt*box)" >> metrics.txt
......@@ -36,38 +35,56 @@ shfmt:
artifacts:
reports:
metrics: metrics.txt
dotenv: build.env
build:
extends: .build
except:
- master
build:release:
build:secure:
extends: .build
tags:
- secure
only:
- master
- schedules
- tags
artifacts:
name: "output"
paths:
- "output/*"
expire_in: 2d
tag_release:
stage: publish
tags:
- secure
only:
refs:
- schedules
variables:
- $SCHEDULED_PUBLISH == "TRUE"
before_script:
- pacman -Syu --needed --noconfirm httpie
script:
- http --ignore-stdin "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
"JOB-TOKEN:$CI_JOB_TOKEN"
"name=v$BUILD_VERSION"
"tag_name=v$BUILD_VERSION"
"ref=$CI_COMMIT_SHA"
publish:
stage: publish
tags:
- secure
only:
- tags
before_script:
- pacman -Syu --needed --noconfirm vagrant
script:
- . output/build.env
- vagrant cloud auth login --token "${VAGRANT_API_TOKEN}"
- vagrant cloud auth login --check
- vagrant cloud box show archlinux/archlinux
- vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
- vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
only:
variables:
- $SCHEDULED_PUBLISH == "TRUE"
resource_group: vm-build
- vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
- vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
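Review bot: `publish` (`only: - tags`, under `tags: - secure`) runs with `VAGRANT_API_TOKEN` for every tag push, not only for the tags `tag_release` creates, so the job's effective protection rests on GitLab settings this file cannot express: `VAGRANT_API_TOKEN` should be a protected and masked variable and the release tag pattern a protected tag, otherwise anyone able to push a tag can publish boxes through the secure runner. `vagrant cloud auth login --token "${VAGRANT_API_TOKEN}"` also places the secret on a command line the runner echoes into the job log, which only masking hides. The `. output/build.env` line is kept in `publish` while `mv build.env output/` is dropped from `.build` in the first hunk; if that line is unchanged, `output/build.env` will be missing from the artifact (or will be whatever the build VM wrote into it), and since `BUILD_VERSION` now reaches `publish` through the `dotenv: build.env` report the line can probably be removed. Whether creating a release through the API with `JOB-TOKEN` in `tag_release` actually starts the tag pipeline that `publish` depends on is not visible here and is worth confirming.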
......@@ -2,11 +2,11 @@
[![CI Status](https://gitlab.archlinux.org/archlinux/arch-boxes/badges/master/pipeline.svg)](https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipelines)
- [Vagrant Cloud](https://app.vagrantup.com/archlinux/boxes/archlinux)
- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:cloud-qemu)
- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:secure)
Arch-boxes provides automated builds of the Arch Linux releases for
different providers and post-processors. Check the providers or post-processor sections if you want to know
which are currently supported.
Arch-boxes provides automated builds of the Arch Linux releases for different providers and
post-processors. Check the providers or post-processor sections if you want to know which are
currently supported.
## Dependencies
You'll need the following dependencies:
......
#!/bin/bash
# build-in qemu.sh runs build.sh in a qemu VM running the latest Arch installer iso
# build-host.sh runs build-inside-vm.sh in a qemu VM running the latest Arch installer iso
#
# nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
# errexit: "Exit immediately if [...] command exits with a non-zero status."
......@@ -117,7 +117,7 @@ function main() {
expect "# "
send "mkfs.ext4 /dev/vda && mkdir /mnt/scratch-disk/ && mount /dev/vda /mnt/scratch-disk && cd /mnt/scratch-disk\n"
expect "# "
send "cp -a /mnt/arch-boxes/{box.ovf,build.sh,http} .\n"
send "cp -a /mnt/arch-boxes/{box.ovf,build-inside-vm.sh,http} .\n"
expect "# "
send "mkdir pkg && mount --bind pkg /var/cache/pacman/pkg\n"
expect "# "
......@@ -131,7 +131,7 @@ function main() {
expect "# "
## Start build and copy output to local disk
send "bash -x ./build.sh\n"
send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"
expect "# " 240 # qemu-img convert can take a long time
send "cp -r --preserve=mode,timestamps output /mnt/arch-boxes/tmp/$(basename "${TMPDIR}")/\n"
expect "# " 60
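Review bot: `send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"` expands `BUILD_VERSION` in a script whose header comments describe `nounset` as enabled, so an unset variable aborts build-host.sh before the VM is reached and the date fallback in build-inside-vm.sh's `main` is never taken from this path; either require it explicitly near the top of `main`, `: "${BUILD_VERSION:?BUILD_VERSION must be set}"`, or pass `${BUILD_VERSION:-}` so the fallback stays reachable. The value is also typed verbatim into a root shell inside the VM, so it should at least be single-quoted, `send "bash -x ./build-inside-vm.sh '${BUILD_VERSION}'\n"`, and the header comment could state that `BUILD_VERSION` is read from the environment. `main` starts and ends outside this hunk.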
......
#!/bin/bash
# build.sh builds the images (cloud image, vagrant boxes)
# build-inside-vm.sh builds the images (cloud image, vagrant boxes)
# nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
# errexit: "Exit immediately if [...] command exits with a non-zero status."
......@@ -209,6 +209,7 @@ EOF
rm Vagrantfile metadata.json packer-virtualbox.vmdk box.ovf
}
# ${1} - Optional build version. If not set, will generate a default based on date.
function main() {
if [ "$(id -u)" -ne 0 ]; then
echo "root is required"
......@@ -223,11 +224,16 @@ function main() {
arch-chroot "${MOUNT}" grub-install --target=i386-pc "${LOOPDEV}"
unmount_image
if [ -z "${BUILD_DATE:-}" ]; then
BUILD_DATE="$(date -I)"
local build_version
if [ -z "${1:-}" ]; then
build_version="$(date +%Y.%m.%d)"
echo "WARNING: BUILD_VERSION wasn't set!"
echo "Falling back to $build_version"
else
build_version="${1}"
fi
create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${BUILD_DATE}.qcow2" cloud_image cloud_image_post
create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${BUILD_DATE}.box" vagrant_qemu vagrant_qemu_post
create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${BUILD_DATE}.box" vagrant_qemu vagrant_virtualbox_post
create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${build_version}.qcow2" cloud_image cloud_image_post
create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${build_version}.box" vagrant_qemu vagrant_qemu_post
create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${build_version}.box" vagrant_qemu vagrant_virtualbox_post
}
main
main "$@"
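Review bot: `main` now takes the version from `${1}` and splices it straight into the output file names (`Arch-Linux-x86_64-cloudimg-${build_version}.qcow2` and the two `.box` names) without checking its shape, and the argument arrives through an interactive shell in build-host.sh rather than from this script's own `date` call; a one-line check after the `fi`, `[[ "${build_version}" =~ ^[0-9]{4}\.[0-9]{2}\.[0-9]{2}$ ]] || { echo "ERROR: unexpected build version '${build_version}'" >&2; exit 1; }`, keeps the artifact names predictable (assuming `date +%Y.%m.%d` is the only intended format). The two `echo` lines in the fallback branch write the warning to stdout; `>&2` would keep it out of anything that parses the build output. The comment above `main` could also say where the caller obtains the value. `main` continues outside the hunk between the visible parts.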