- Feb 15, 2024

Christian Heusel authored
When there was an error, i.e. with the image verification, the loopdev variable was unbound in the cleanup function. We fix this by defining the variable as empty.
Signed-off-by: Christian Heusel <christian@heusel.eu>

Christian Heusel authored
Signed-off-by: Christian Heusel <christian@heusel.eu>

- Jun 04, 2023

Evangelos Foutras authored
arch-boxes!182 creates an EFI system partition, so rootfs is now in p3.

- May 02, 2023

Evangelos Foutras authored
sq verify --signer-cert now expects a fingerprint/key ID.

- Jan 08, 2023

Evangelos Foutras authored
The arch-boxes images now default to Geo mirrors and no longer ship reflector, so we don't have to disable reflector-init or update the mirrorlist.

- Sep 18, 2022

Kristian Klausen authored
The service was enabled in arch-boxes to account for "hardware clock is not in UTC, but instead UTC+X"[1]. In our case the (VM) hardware clock is in UTC and we therefore don't need the slow systemd-time-wait-sync service (+30 seconds).
[1] arch-boxes@e23d3c57

- Sep 12, 2022

nl6720 authored
Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel. See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7
This could prevent a scenario where a malicious kernel module, or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM. It is not very likely, as there needs to be an exploitable vulnerability in the hypervisor. To make it more secure, the host too would need to enable kernel lockdown. In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.

- Jul 30, 2022

Kristian Klausen authored
"Disabling revoked keys in keyring" when running "pacman-key --populate" is very slow (easily +20 seconds); in our case the boot is now ~27 seconds faster (tested on secure-runner1). The pacman master private key is removed to prevent malicious actors from injecting packages; a new key is generated by pacman-init.service on boot.

Kristian Klausen authored
Changes:
- Switch to arch-boxes' base image
- Verify the base image's signature
- Use the new "latest" symlink, instead of parsing the HTML for finding the latest arch-boxes image[1]
- Create the base image by using arch-chroot and friends, instead of creating a full-blown VM
- Create the VMs from domain XML template instead of virt-clone
- Switch mirror to geo.mirror.pkgbuild.com
- Try to follow "filesystem hierarchy" standards for where to place configuration (id_ed25519) and "vendor data" (arch-boxes.asc and domain_template.xml)
- Use a ed25519 key instead of RSA key
- Only start the "update base image" server if network and DNS are up
- Misc fixes and cleanups
[1] !552