Verified Commit 0ecdad06 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Implement secure deployment concept

parent 4da01263
...@@ -25,10 +25,9 @@ shfmt: ...@@ -25,10 +25,9 @@ shfmt:
before_script: before_script:
- pacman -Syu --needed --noconfirm qemu-headless libisoburn - pacman -Syu --needed --noconfirm qemu-headless libisoburn
script: script:
- echo "BUILD_DATE=$(date -I)" > build.env - echo "BUILD_VERSION=$(date +%Y.%m.%d)" > build.env
- . build.env - export $(< build.env)
- ./build-in-qemu.sh - ./build-host.sh
- mv build.env output/
after_script: after_script:
- echo "image_size_megabytes{image=\"qcow2\"} $(du -m output/*cloudimg*qcow2)" > metrics.txt - echo "image_size_megabytes{image=\"qcow2\"} $(du -m output/*cloudimg*qcow2)" > metrics.txt
- echo "image_size_megabytes{image=\"libvirt\"} $(du -m output/*libvirt*box)" >> metrics.txt - echo "image_size_megabytes{image=\"libvirt\"} $(du -m output/*libvirt*box)" >> metrics.txt
...@@ -36,38 +35,56 @@ shfmt: ...@@ -36,38 +35,56 @@ shfmt:
artifacts: artifacts:
reports: reports:
metrics: metrics.txt metrics: metrics.txt
dotenv: build.env
build: build:
extends: .build extends: .build
except: except:
- master - master
build:release: build:secure:
extends: .build extends: .build
tags: tags:
- secure - secure
only: only:
- master - master
- schedules
- tags
artifacts: artifacts:
name: "output" name: "output"
paths: paths:
- "output/*" - "output/*"
expire_in: 2d expire_in: 2d
tag_release:
stage: publish
tags:
- secure
only:
refs:
- schedules
variables:
- $SCHEDULED_PUBLISH == "TRUE"
before_script:
- pacman -Syu --needed --noconfirm httpie
script:
- http --ignore-stdin "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
"JOB-TOKEN:$CI_JOB_TOKEN"
"name=v$BUILD_VERSION"
"tag_name=v$BUILD_VERSION"
"ref=$CI_COMMIT_SHA"
publish: publish:
stage: publish stage: publish
tags: tags:
- secure - secure
only:
- tags
before_script: before_script:
- pacman -Syu --needed --noconfirm vagrant - pacman -Syu --needed --noconfirm vagrant
script: script:
- . output/build.env
- vagrant cloud auth login --token "${VAGRANT_API_TOKEN}" - vagrant cloud auth login --token "${VAGRANT_API_TOKEN}"
- vagrant cloud auth login --check - vagrant cloud auth login --check
- vagrant cloud box show archlinux/archlinux - vagrant cloud box show archlinux/archlinux
- vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
- vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
only:
variables:
- $SCHEDULED_PUBLISH == "TRUE"
resource_group: vm-build
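Review bot: The release request in tag_release (`http --ignore-stdin "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases" ...`) is run without `--check-status`, and HTTPie by default exits 0 on a 4xx/5xx response, so a rejected request (expired job token, tag already existing) leaves the job green with no release created; add `--check-status` to that command so the pipeline fails visibly. In the .build script, `export $(< build.env)` depends on shell word splitting of the dotenv file, which is fine for the single `BUILD_VERSION=YYYY.MM.DD` line written just above it but silently breaks if a value ever contains whitespace; `set -a; . build.env; set +a` keeps the previous sourcing semantics while still exporting. Whether tag_release and publish are ordered after build:secure and actually receive its `dotenv: build.env` report is not visible in this hunk (no `needs:` or `dependencies:` shown), so that should be confirmed before relying on `$BUILD_VERSION` there.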
...@@ -2,11 +2,11 @@ ...@@ -2,11 +2,11 @@
[![CI Status](https://gitlab.archlinux.org/archlinux/arch-boxes/badges/master/pipeline.svg)](https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipelines) [![CI Status](https://gitlab.archlinux.org/archlinux/arch-boxes/badges/master/pipeline.svg)](https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipelines)
- [Vagrant Cloud](https://app.vagrantup.com/archlinux/boxes/archlinux) - [Vagrant Cloud](https://app.vagrantup.com/archlinux/boxes/archlinux)
- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:cloud-qemu) - [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:secure)
Arch-boxes provides automated builds of the Arch Linux releases for Arch-boxes provides automated builds of the Arch Linux releases for different providers and
different providers and post-processors. Check the providers or post-processor sections if you want to know post-processors. Check the providers or post-processor sections if you want to know which are
which are currently supported. currently supported.
## Dependencies ## Dependencies
You'll need the following dependencies: You'll need the following dependencies:
#!/bin/bash #!/bin/bash
# build-in qemu.sh runs build.sh in a qemu VM running the latest Arch installer iso # build-host.sh runs build-inside-vm.sh in a qemu VM running the latest Arch installer iso
# #
# nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion." # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
# errexit: "Exit immediately if [...] command exits with a non-zero status." # errexit: "Exit immediately if [...] command exits with a non-zero status."
...@@ -117,7 +117,7 @@ function main() { ...@@ -117,7 +117,7 @@ function main() {
expect "# " expect "# "
send "mkfs.ext4 /dev/vda && mkdir /mnt/scratch-disk/ && mount /dev/vda /mnt/scratch-disk && cd /mnt/scratch-disk\n" send "mkfs.ext4 /dev/vda && mkdir /mnt/scratch-disk/ && mount /dev/vda /mnt/scratch-disk && cd /mnt/scratch-disk\n"
expect "# " expect "# "
send "cp -a /mnt/arch-boxes/{box.ovf,build.sh,http} .\n" send "cp -a /mnt/arch-boxes/{box.ovf,build-inside-vm.sh,http} .\n"
expect "# " expect "# "
send "mkdir pkg && mount --bind pkg /var/cache/pacman/pkg\n" send "mkdir pkg && mount --bind pkg /var/cache/pacman/pkg\n"
expect "# " expect "# "
...@@ -131,7 +131,7 @@ function main() { ...@@ -131,7 +131,7 @@ function main() {
expect "# " expect "# "
## Start build and copy output to local disk ## Start build and copy output to local disk
send "bash -x ./build.sh\n" send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"
expect "# " 240 # qemu-img convert can take a long time expect "# " 240 # qemu-img convert can take a long time
send "cp -r --preserve=mode,timestamps output /mnt/arch-boxes/tmp/$(basename "${TMPDIR}")/\n" send "cp -r --preserve=mode,timestamps output /mnt/arch-boxes/tmp/$(basename "${TMPDIR}")/\n"
expect "# " 60 expect "# " 60
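Review bot: In `send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"` the variable is expanded on the host, and the file header describes this script as running with nounset, so an unset BUILD_VERSION aborts build-host.sh with an unbound-variable error before the date fallback in build-inside-vm.sh can ever apply; writing `${BUILD_VERSION:-}` preserves that fallback for local runs. Because the value is spliced verbatim into a command line executed on the VM console, it is also worth rejecting anything that is not the expected version shape before the send, e.g. `[[ -z "${BUILD_VERSION:-}" || "${BUILD_VERSION}" =~ ^[0-9]{4}\.[0-9]{2}\.[0-9]{2}$ ]] || { echo "BUILD_VERSION must look like YYYY.MM.DD" >&2; exit 1; }`. The enclosing main() starts and ends outside this hunk.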
#!/bin/bash #!/bin/bash
# build.sh builds the images (cloud image, vagrant boxes) # build-inside-vm.sh builds the images (cloud image, vagrant boxes)
# nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion." # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
# errexit: "Exit immediately if [...] command exits with a non-zero status." # errexit: "Exit immediately if [...] command exits with a non-zero status."
...@@ -209,6 +209,7 @@ EOF ...@@ -209,6 +209,7 @@ EOF
rm Vagrantfile metadata.json packer-virtualbox.vmdk box.ovf rm Vagrantfile metadata.json packer-virtualbox.vmdk box.ovf
} }
# ${1} - Optional build version. If not set, will generate a default based on date.
function main() { function main() {
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "root is required" echo "root is required"
...@@ -223,11 +224,16 @@ function main() { ...@@ -223,11 +224,16 @@ function main() {
arch-chroot "${MOUNT}" grub-install --target=i386-pc "${LOOPDEV}" arch-chroot "${MOUNT}" grub-install --target=i386-pc "${LOOPDEV}"
unmount_image unmount_image
if [ -z "${BUILD_DATE:-}" ]; then local build_version
BUILD_DATE="$(date -I)" if [ -z "${1:-}" ]; then
build_version="$(date +%Y.%m.%d)"
echo "WARNING: BUILD_VERSION wasn't set!"
echo "Falling back to $build_version"
else
build_version="${1}"
fi fi
create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${BUILD_DATE}.qcow2" cloud_image cloud_image_post create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${build_version}.qcow2" cloud_image cloud_image_post
create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${BUILD_DATE}.box" vagrant_qemu vagrant_qemu_post create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${build_version}.box" vagrant_qemu vagrant_qemu_post
create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${BUILD_DATE}.box" vagrant_qemu vagrant_virtualbox_post create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${build_version}.box" vagrant_qemu vagrant_virtualbox_post
} }
main main "$@"
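Review bot: The positional `${1}` is copied into `build_version` unchecked and then becomes part of the output file names in the three create_image calls (`Arch-Linux-x86_64-cloudimg-${build_version}.qcow2` and the two `.box` names), so a value containing `/` or whitespace produces a path outside the intended output layout rather than a clear error; a format check in the else branch, `[[ "${1}" =~ ^[0-9]{4}\.[0-9]{2}\.[0-9]{2}$ ]] || { echo "invalid build version: ${1}" >&2; exit 1; }`, keeps it to the same YYYY.MM.DD shape the fallback generates. The two `echo "WARNING: ..."`/`echo "Falling back ..."` lines go to stdout; sending them to stderr with `>&2` keeps diagnostics out of any captured output. The header comment at the top of the hunk could also state the accepted format, e.g. `# ${1} - Optional build version (YYYY.MM.DD). Defaults to today's date.`.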