Verified Commit fa1ed714 authored by hashworks's avatar hashworks

Merge remote-tracking branch 'origin/no-root-build' into github/fork/TheLinuxNinja/dockerfile-typo

parents eaa38cb4 9bd11c95
name: Github-Actions
on: [push, pull_request]
runs-on: ubuntu-latest
- uses: actions/checkout@v1
- name: make ci-test
run: make rootfs ci-test
......@@ -2,3 +2,4 @@
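Review bot: `uses: actions/checkout@v1` in the workflow's step list is pinned to a mutable major tag, so each run checks out whatever commit that tag resolves to at run time rather than a reviewed revision. Pinning to a full commit SHA, keeping the tag as a comment for readability — `- uses: actions/checkout@<full-commit-sha-placeholder> # v1` — makes the step reproducible and reviewable like any other dependency. Because the workflow also triggers on `pull_request`, the same pin governs builds started from forked branches. The file appears to be new in this commit, so the point applies to the whole workflow rather than one hunk.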
......@@ -2,9 +2,12 @@ FROM scratch
ADD archlinux.tar.xz /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
RUN ldconfig && update-ca-trust && locale-gen
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
# update /etc/os-release
RUN ln -s /usr/lib/os-release /etc/os-release
# initialize the archlinux keyring, but discard any private key that may be shipped.
RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*
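Review bot: The private-key cleanup on the `RUN pacman-key --init && ... rm -rf etc/pacman.d/gnupg/{...}*` line depends on the shell performing brace expansion and on the working directory being `/` (the path is relative), and `rm -rf` reports success even when nothing matched, so if either assumption ever stops holding the keyring's private material silently stays in the image. On this base the default `sh` is presumably bash, so it likely works today, but the same relative-path assumption also appears in `ls usr/lib/sysusers.d/*.conf` on the sysusers line. Spelling the paths out absolutely and asserting the result in the same layer fails the build instead of shipping a key: `rm -rf /etc/pacman.d/gnupg/private-keys-v1.d /etc/pacman.d/gnupg/openpgp-revocs.d /etc/pacman.d/gnupg/pubring.gpg~ /etc/pacman.d/gnupg/gnupg.S.* && test ! -e /etc/pacman.d/gnupg/private-keys-v1.d`.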
......@@ -10,16 +10,27 @@ hooks:
rootfs: hooks
mkdir -vp $(BUILDDIR)/var/lib/pacman/
cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf
cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf
fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
--noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \
--config pacman.conf \
--config rootfs/etc/pacman.conf \
--noscriptlet \
--hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages)
cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
# remove passwordless login for root (see CVE-2019-5021 for reference)
sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
# fakeroot to map the gid/uid of the builder process to root
# fixes #22
fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
rm -rf $(BUILDDIR) alpm-hooks
compress-rootfs: rootfs
archlinux.tar: rootfs
compress-rootfs: archlinux.tar
xz -f archlinux.tar
xz -9e -T0 -f archlinux.tar
docker-image: compress-rootfs
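Review bot: `rm -rf $(BUILDDIR) alpm-hooks`, `cp ... rootfs/* $(BUILDDIR)/` and `mkdir -vp $(BUILDDIR)/var/lib/pacman/` in the `rootfs` recipe have no guard against an empty `BUILDDIR`; the variable is defined above this hunk, but a command-line override such as `make BUILDDIR=` would copy the rootfs onto `/` and create directories under the host's `/var/lib/pacman`. A parse-time check next to the definition, `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR must not be empty))`, closes that before any recipe runs. Separately, the `--dbpath` and `--hookdir` arguments build paths from `$(PWD)`, which is inherited from the environment and can be stale under `make -C`; `$(CURDIR)` is the value Make itself guarantees. The `rootfs` rule's header is visible but its `hooks` prerequisite and the variable definitions are outside this hunk.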
......@@ -28,8 +39,7 @@ docker-image: compress-rootfs
docker-image-test: docker-image
# FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk"
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v"
# Ensure that the image does not include a private key
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key
! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http"
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8"
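Review bot: The private-key check `! docker run ... pacman-key --lsign-key` passes whenever the command exits non-zero for any reason — pacman-key presumably also fails here simply because no key id is supplied, and a daemon or image-pull error would satisfy it as well — so the negated exit status does not actually demonstrate that the private key was removed. An assertion on the file system is unambiguous: `docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "! test -e /etc/pacman.d/gnupg/private-keys-v1.d && ! test -e /etc/pacman.d/gnupg/pubring.gpg~"`. If the new side is the line that carries `# Ensure that the image does not include a private key` after the `docker -v` command, note that Make passes that `#` text to the shell as part of the command; keeping the comment on its own recipe line above the check, as the other variant of the line does, is clearer.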
......@@ -2,3 +2,9 @@ sed
NoExtract = usr/share/help/* !usr/share/help/en*
NoExtract = usr/share/gtk-doc/html/* usr/share/doc/*
NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
NoExtract = !usr/share/*locales/trans*
NoExtract = usr/share/man/* usr/share/info/*
NoExtract = usr/share/vim/vim*/lang/*