Verified Commit fa1ed714 authored by hashworks's avatar hashworks

Merge remote-tracking branch 'origin/no-root-build' into github/fork/TheLinuxNinja/dockerfile-typo

parents eaa38cb4 9bd11c95
name: Github-Actions
on: [push, pull_request]
jobs:
ci-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: make ci-test
run: make rootfs ci-test
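Review bot: `actions/checkout@v1` on the `uses:` line is a mutable tag, so each run fetches whatever that tag points to at the time; pinning it to a full commit SHA, e.g. `uses: actions/checkout@<40-char sha> # v1`, makes the CI build reproducible and removes the tag-retargeting supply-chain vector. Because the workflow triggers on `pull_request` as well as `push`, it also executes fork-supplied Makefile and Dockerfile changes; that is acceptable here only because the file references no secrets, and a one-line comment such as `# no secrets are used here, so running on fork PRs is safe` keeps that invariant visible to whoever next edits it. The `ci-test` target invoked on the `run:` line is not part of the Makefile hunks in this commit, so what it actually checks cannot be reviewed from here.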
...@@ -2,3 +2,4 @@ ...@@ -2,3 +2,4 @@
*.orig *.orig
/.idea /.idea
/archlinux.tar /archlinux.tar
rootfs/etc/pacman.conf
...@@ -2,9 +2,12 @@ FROM scratch ...@@ -2,9 +2,12 @@ FROM scratch
ADD archlinux.tar.xz / ADD archlinux.tar.xz /
# manually run all alpm hooks that can't be run inside the fakechroot # manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen RUN ldconfig && update-ca-trust && locale-gen
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers ' RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
# update /etc/os-release
RUN ln -s /usr/lib/os-release /etc/os-release
# initialize the archlinux keyring, but discard any private key that may be shipped. # initialize the archlinux keyring, but discard any private key that may be shipped.
RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}* RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*
......
...@@ -10,16 +10,27 @@ hooks: ...@@ -10,16 +10,27 @@ hooks:
rootfs: hooks rootfs: hooks
mkdir -vp $(BUILDDIR)/var/lib/pacman/ mkdir -vp $(BUILDDIR)/var/lib/pacman/
cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf
cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf
fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \ fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
--noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \ --noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \
--config pacman.conf \ --config rootfs/etc/pacman.conf \
--noscriptlet \ --noscriptlet \
--hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages) --hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages)
cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/ cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
# remove passwordless login for root (see CVE-2019-5021 for reference)
sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
# fakeroot to map the gid/uid of the builder process to root
# fixes #22
fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
rm -rf $(BUILDDIR) alpm-hooks rm -rf $(BUILDDIR) alpm-hooks
compress-rootfs: rootfs archlinux.tar: rootfs
compress-rootfs: archlinux.tar
xz -f archlinux.tar
xz -9e -T0 -f archlinux.tar xz -9e -T0 -f archlinux.tar
docker-image: compress-rootfs docker-image: compress-rootfs
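Review bot: The `sed -i -e 's/^root::/root:!:/'` line that locks the root account succeeds silently when its pattern does not match, so a shadow file that already differs from the expected `root::` form would ship as-is and the build would still pass; add `grep -q '^root:!:' "$(BUILDDIR)/etc/shadow"` directly after it so the lock is enforced rather than assumed. The comment above the `fakeroot -- tar` line says fakeroot maps the builder's uid/gid to root, but no fakeroot state file is carried over from the earlier `fakechroot -- fakeroot -- pacman` invocation, so presumably every entry in `archlinux.tar` ends up owned by 0:0 regardless of the ownership the packages declared — worth confirming, and if so noting it in the comment (`# note: all files become root:root; per-package ownership from pacman is not preserved`). The `rootfs/etc/pacman.conf` produced by the two new `cp`/`cat` lines is copied into the image by the later `cp --recursive ... rootfs/* $(BUILDDIR)/` line, so the appended `NoExtract` rules also govern packages installed inside a running container, not only the build; a comment at the `cat` line stating that would spare the next maintainer a surprise.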
...@@ -28,8 +39,7 @@ docker-image: compress-rootfs ...@@ -28,8 +39,7 @@ docker-image: compress-rootfs
docker-image-test: docker-image docker-image-test: docker-image
# FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails # FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk"
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key
# Ensure that the image does not include a private key
! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de ! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http"
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8" docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8"
......
...@@ -2,3 +2,9 @@ sed ...@@ -2,3 +2,9 @@ sed
gzip gzip
pacman pacman
systemd systemd
gawk
file
grep
tar
procps-ng
licenses
[options]
NoExtract = usr/share/help/* !usr/share/help/en*
NoExtract = usr/share/gtk-doc/html/* usr/share/doc/*
NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
NoExtract = !usr/share/*locales/trans*
NoExtract = usr/share/man/* usr/share/info/*
NoExtract = usr/share/vim/vim*/lang/*
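Review bot: The new file has no header explaining its scope, and since the Makefile appends it to `rootfs/etc/pacman.conf`, which is copied into the image, these `NoExtract` rules persist in the shipped `/etc/pacman.conf` and apply to every package a user later installs in the container, not just to the image build. A short header such as `# Appended to the image's /etc/pacman.conf: these exclusions also apply to packages installed at container runtime.` would make that explicit. The negated `!...` entries are listed after the patterns they exempt, which is the order required if, as I recall, the last matching `NoExtract` entry wins — worth confirming against pacman.conf(5) and recording in a second comment line so the ordering is not reshuffled later.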