Commit 9b52d567 authored by Kristian Klausen's avatar Kristian Klausen 🎉

Generate and verify checksum for the rootfs

parent d51a887e
......@@ -9,7 +9,8 @@ stages:
lint:
stage: lint
image: hadolint/hadolint:latest
script: hadolint --ignore DL3020 Dockerfile.template
# DL3007: We use the latest tag for multistage build
script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
rootfs:base:
stage: rootfs
......@@ -20,10 +21,11 @@ rootfs:base:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
- make base.tar.xz
- make dockerfile-image-base
artifacts:
paths:
- base.tar.xz
- Dockerfile.base
expire_in: 10m
reports:
dotenv: build.env
......@@ -37,10 +39,11 @@ rootfs:base-devel:
- echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
- make base-devel.tar.xz
- make dockerfile-image-base-devel
artifacts:
paths:
- base-devel.tar.xz
- Dockerfile.base-devel
expire_in: 10m
reports:
dotenv: build.env
......@@ -54,8 +57,6 @@ docker:base:
- job: "rootfs:base"
before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
- unxz base.tar.xz
script:
- /kaniko/executor
--whitelist-var-run="false"
......@@ -72,8 +73,6 @@ docker:base-devel:
- job: "rootfs:base-devel"
before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
- unxz base-devel.tar.xz
script:
- /kaniko/executor
--whitelist-var-run="false"
......
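Review bot: `base.tar.xz.SHA256` is written by `make base.tar.xz` but is not listed under `artifacts.paths` in rootfs:base, and `base-devel.tar.xz.SHA256` is likewise missing from rootfs:base-devel. The release script changed in this same commit reads those files, so if it runs in a later job that consumes these artifacts it will fail on a missing file; add `- base.tar.xz.SHA256` and `- base-devel.tar.xz.SHA256` to the respective paths lists. Shipping the checksum next to the tarball in the artifact also lets any consuming job verify the download rather than trusting the bytes as received. The release job itself is outside these hunks, so whether it depends on these artifacts is inferred, not visible.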
FROM archlinux:latest AS verify
COPY TEMPLATE_ROOTFS_FILE /
SHELL ["/bin/bash", "-c"]
RUN ROOTFS="$(curl --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
mkdir /rootfs && \
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
FROM scratch AS base
ADD TEMPLATE_LOCATION_HERE /
COPY --from=verify /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
......
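Review bot: The curl call in the RUN line has no `--fail`, so an HTTP error response from TEMPLATE_ROOTFS_URL is written out as the archive and the problem only surfaces as a checksum mismatch on the following line, without the HTTP status that would explain it; use `curl --fail --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL`. A comment above the RUN would also make the guarantee explicit for readers, e.g. `# Fetch the rootfs and check it against the checksum recorded by the build; this catches a corrupted or swapped download, not a compromised build.` The hash line that sha256sum -c reads must name the file as curl --remote-name writes it, which is worth stating in the template since the substitution happens elsewhere.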
......@@ -49,20 +49,32 @@ rootfs-base-devel: hooks
base.tar.xz: rootfs-base
xz -9 -T0 -f base.tar
sha256sum base.tar.xz > base.tar.xz.SHA256
base-devel.tar.xz: rootfs-base-devel
xz -9 -T0 -f base-devel.tar
sha256sum base-devel.tar.xz > base-devel.tar.xz.SHA256
.PHONY: dockerfile-image-base
dockerfile-image-base: base.tar.xz
sed -e "s/TEMPLATE_ROOTFS_FILE/base.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_HASH/$$(cat base.tar.xz.SHA256)/" \
Dockerfile.template > Dockerfile.base
.PHONY: dockerfile-image-base-devel
dockerfile-image-base-devel: base-devel.tar.xz
sed -e "s/TEMPLATE_ROOTFS_FILE/base-devel.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base-devel.tar.xz/" \
-e "s/TEMPLATE_ROOTFS_HASH/$$(cat base-devel.tar.xz.SHA256)/" \
Dockerfile.template > Dockerfile.base-devel
.PHONY: docker-image-base
docker-image-base: base.tar.xz
unxz base.tar.xz
sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
docker-image-base: dockerfile-image-base
docker build -f Dockerfile.base -t archlinux/archlinux:base .
.PHONY: docker-image-base-devel
docker-image-base-devel: base-devel.tar.xz
unxz base-devel.tar.xz
sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
docker-image-base-devel: dockerfile-image-base-devel
docker build -f Dockerfile.base-devel -t archlinux/archlinux:base-devel .
.PHONY: docker-push-base
......
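Review bot: `base.tar.xz.SHA256` is produced as a side effect of the `base.tar.xz` recipe rather than as its own target, so `dockerfile-image-base` has no dependency on it; if the checksum file is absent, `$$(cat base.tar.xz.SHA256)` expands to nothing inside the sed, the recipe still exits 0, and Dockerfile.base is generated with an empty TEMPLATE_ROOTFS_HASH that only fails later in the verify stage. Make the checksum its own target and depend on it: `base.tar.xz.SHA256: base.tar.xz`, `sha256sum base.tar.xz > base.tar.xz.SHA256`, and `dockerfile-image-base: base.tar.xz base.tar.xz.SHA256`; the base-devel targets need the same treatment. The recipe lines are shown without their leading tabs on this page, so indentation cannot be checked here.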
......@@ -11,6 +11,7 @@ Required env vars:
"""
import os
import re
from pathlib import Path
import gitlab
......@@ -24,22 +25,36 @@ if __name__ == "__main__":
project = gl.projects.get(project_id)
print("Uploading base.tar.xz")
base_filename = f"base-{build_date}.tar.xz"
base_uploaded_url = project.upload(
f"base-{build_date}.tar.xz", filepath="base.tar.xz"
base_filename, filepath="base.tar.xz"
)["url"]
base_template = Path("Dockerfile.template").read_text()
base_full_url = f"{project_url}{base_uploaded_url}"
base_replaced = base_template.replace("TEMPLATE_LOCATION_HERE", base_full_url)
base_replaced = base_template.replace("TEMPLATE_ROOTFS_URL", base_full_url)
base_hash = f"{Path('base.tar.xz.SHA256').read_text()[0:64]} {base_filename}"
base_replaced = base_replaced.replace(
"TEMPLATE_ROOTFS_HASH", base_hash
)
# Remove the line containing TEMPLATE_ROOTFS_FILE
base_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_replaced)
print("Uploading base-devel.tar.xz")
base_devel_filename = f"base-devel-{build_date}.tar.xz"
base_devel_uploaded_url = project.upload(
f"base-devel-{build_date}.tar.xz", filepath="base-devel.tar.xz"
base_devel_filename, filepath="base-devel.tar.xz"
)["url"]
base_devel_template = Path("Dockerfile.template").read_text()
base_devel_full_url = f"{project_url}{base_devel_uploaded_url}"
base_devel_replaced = base_devel_template.replace(
"TEMPLATE_LOCATION_HERE", base_devel_full_url
"TEMPLATE_ROOTFS_URL", base_devel_full_url
)
base_devel_hash = f"{Path('base-devel.tar.xz.SHA256').read_text()[0:64]} {base_devel_filename}"
base_devel_replaced = base_devel_replaced.replace(
"TEMPLATE_ROOTFS_HASH", base_devel_hash
)
# Remove the line containing TEMPLATE_ROOTFS_FILE
base_devel_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_devel_replaced)
print("Templating Dockerfiles")
data = {
......
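Review bot: The rendering of the verify stage is duplicated for base and base-devel, and each copy relies on `read_text()[0:64]` to pick the digest out of the sha256sum output, which silently yields whatever the first 64 characters are if the file is short or malformed. A small module-level helper (placed above the `if __name__ == "__main__":` block, which starts outside this hunk) removes the duplication, uses `.split()[0]` so an empty or corrupt checksum file raises instead of producing an unverifiable Dockerfile, and documents that the hash line must name the file exactly as curl --remote-name will write it. The regex should also be a raw string, `r".*TEMPLATE_ROOTFS_FILE.*\n"`, to keep the escape intent explicit. That the upload URL returned by GitLab ends in `base_filename` is inferred from the call, not shown here, so the docstring marks it as an assumption.
```python
def render_dockerfile(template, rootfs_url, sha256_file, uploaded_name):
    """Fill in the verify stage of Dockerfile.template for an uploaded rootfs.

    The hash line must name the file as curl --remote-name will save it;
    this assumes the upload URL ends in uploaded_name (confirm against GitLab).
    """
    # First token of sha256sum output; raises on an empty/corrupt file
    digest = Path(sha256_file).read_text().split()[0]
    rendered = template.replace("TEMPLATE_ROOTFS_URL", rootfs_url)
    rendered = rendered.replace("TEMPLATE_ROOTFS_HASH", f"{digest} {uploaded_name}")
    # The local COPY of the tarball is only used for the in-tree build
    return re.sub(r".*TEMPLATE_ROOTFS_FILE.*\n", "", rendered)

# … unchanged: upload of base.tar.xz …
    base_replaced = render_dockerfile(
        Path("Dockerfile.template").read_text(),
        f"{project_url}{base_uploaded_url}",
        "base.tar.xz.SHA256",
        base_filename,
    )
# … unchanged: upload of base-devel.tar.xz …
    base_devel_replaced = render_dockerfile(
        Path("Dockerfile.template").read_text(),
        f"{project_url}{base_devel_uploaded_url}",
        "base-devel.tar.xz.SHA256",
        base_devel_filename,
    )
```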