From 56bd00ea39c8da140fa106893c56103900238d56 Mon Sep 17 00:00:00 2001 From: Lunar Date: Mon, 13 Oct 2014 00:26:22 +0200 Subject: [PATCH 001/137] Copy target image as a sparse file in LXC mode This will save us from writing a lot of zeros on disk. --- libexec/make-clean-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index 68b7b8a..d99bf8e 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm @@ -59,7 +59,7 @@ case $VMSW in qemu-img create -f qcow2 -o backing_file="$BASE.qcow2" "$OUT.qcow2" ;; LXC) - cp -a $BASE $OUT + cp -a --sparse=always $BASE $OUT libexec/config-bootstrap-fixup on-target -u root bash < target-bin/bootstrap-fixup ;; From c4c8348dff35ea0c09b3321a2e8f7fcea8659068 Mon Sep 17 00:00:00 2001 From: Lunar Date: Mon, 13 Oct 2014 00:26:58 +0200 Subject: [PATCH 002/137] Use virtio for disk in KVM instead of emulating real hardware This should improve I/O performance. --- libexec/start-target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/start-target b/libexec/start-target index 95376cc..467ed63 100755 --- a/libexec/start-target +++ b/libexec/start-target @@ -22,7 +22,7 @@ case $VMSW in [ -n "$KVM" ] || KVM=qemu-system-x86_64 ;; esac - $KVM -enable-kvm -m ${VMEM:-2000} -smp ${NPROCS:-2} -drive file=target-$SUFFIX.qcow2,cache=writeback -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.1:$VM_SSH_PORT-:22 -vnc 127.0.0.1:16 > var/target.log 2>&1 & + $KVM -enable-kvm -m ${VMEM:-2000} -smp ${NPROCS:-2} -drive file=target-$SUFFIX.qcow2,cache=writeback,if=virtio -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.1:$VM_SSH_PORT-:22 -vnc 127.0.0.1:16 > var/target.log 2>&1 & echo $! > var/target.pid wait rm var/target.pid From dcf28c8b8638d2e83bb4b9ffd15cdb07ad3de249 Mon Sep 17 00:00:00 2001 
From: Cory Fields Date: Mon, 10 Nov 2014 01:39:28 -0500 Subject: [PATCH 003/137] git: minimize uploaded git files Rather than uploading every checked-out file of a repository and the repository objects themselves, skip the checkout and instruct git to compact before upload. The result is that only a handful of files are transferred, rather than hundreds or thousands for large repositories. The HEAD ref is updated before upload so that a hard reset works as before on the target. The reflog is also disabled in order to avoid uploading useless log files. This change is backwards-compatible, but it will only have an effect on new repositories. --- bin/gbuild | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 0e9ca58..68ad5a9 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -231,12 +231,15 @@ build_desc["remotes"].each do |remote| dir = sanitize(remote["dir"], remote["dir"]) unless File.exist?("inputs/#{dir}") system!("git init inputs/#{dir}") + system!("cd inputs/#{dir} && git config core.logAllRefUpdates false") end - system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") + system!("cd inputs/#{dir} && git fetch -q #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/remotes/tags/* +refs/heads/*:refs/remotes/heads/*") commit = sanitize(remote["commit"], remote["commit"]) commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 - system!("cd inputs/#{dir} && git checkout -q #{commit}") + system!("cd inputs/#{dir} && git update-ref HEAD #{commit}") + system!("cd inputs/#{dir} && git repack -a -d -q") + system!("cd inputs/#{dir} && git pack-refs --all") in_sums << "git:#{commit} #{dir}" end From 66015b9f14387295de4b8850097e510578cac651 Mon Sep 17 00:00:00 2001 
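Review bot: In the `bin/gbuild` hunk of patch 003, the fetch now stores branches under `refs/remotes/heads/*`, but the following `git log --format=%H -1 #{commit}` still looks the name up unqualified. A descriptor that names a branch such as `master` therefore no longer appears to resolve, and the build stops at the `error looking up commit` raise. Tags stored under `refs/remotes/tags/*` would be affected the same way unless git's tag auto-following also writes them to `refs/tags`. If the new ref layout is kept, the lookup needs to try the remapped name as well (for example `refs/remotes/heads/#{commit}`), and the message should say "commit, tag or branch" rather than "tag".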
From: Cory Fields Date: Mon, 10 Nov 2014 01:37:54 -0500 Subject: [PATCH 004/137] cache: define variables for cache paths --- bin/gbuild | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index 0e9ca58..7a38e4b 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -109,6 +109,8 @@ def build_one_configuration(suite, arch, build_desc, reference_datetime) script.puts "umask 002" script.puts "export OUTDIR=$HOME/out" script.puts "GBUILD_BITS=#{bits}" + script.puts "GBUILD_PACKAGE_CACHE=$HOME/cache/#{build_desc["name"]}" + script.puts "GBUILD_COMMON_CACHE=$HOME/cache/common" script.puts "MAKEOPTS=(-j#{@options[:num_procs]})" (ref_date, ref_time) = reference_datetime.split script.puts "REFERENCE_DATETIME='#{reference_datetime}'" From b1e59cf0a1489074b2a5adf8db8b346dacf66c15 Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Tue, 11 Nov 2014 01:20:32 -0500 Subject: [PATCH 005/137] cache: define cache paths and GBUILD_CACHE_ENABLED only if caching is enabled --- bin/gbuild | 7 +++++-- doc/CACHE | 9 ++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index f4858c2..5b3cb8d 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -109,8 +109,11 @@ def build_one_configuration(suite, arch, build_desc, reference_datetime) script.puts "umask 002" script.puts "export OUTDIR=$HOME/out" script.puts "GBUILD_BITS=#{bits}" - script.puts "GBUILD_PACKAGE_CACHE=$HOME/cache/#{build_desc["name"]}" - script.puts "GBUILD_COMMON_CACHE=$HOME/cache/common" + if build_desc["enable_cache"] + script.puts "GBUILD_CACHE_ENABLED=1" + script.puts "GBUILD_PACKAGE_CACHE=$HOME/cache/#{build_desc["name"]}" + script.puts "GBUILD_COMMON_CACHE=$HOME/cache/common" + end script.puts "MAKEOPTS=(-j#{@options[:num_procs]})" (ref_date, ref_time) = reference_datetime.split script.puts "REFERENCE_DATETIME='#{reference_datetime}'" diff --git a/doc/CACHE b/doc/CACHE index ea320fa..9df1b59 100644 --- a/doc/CACHE +++ b/doc/CACHE 
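Review bot: `build_desc["name"]` is interpolated unquoted into the generated build script on the `GBUILD_PACKAGE_CACHE=$HOME/cache/#{build_desc["name"]}` line, and the same line is kept in the `bin/gbuild` hunk of patch 005. The descriptor is input to this tool, so a name containing whitespace or shell metacharacters would change what the script executes or point the cache outside `$HOME/cache`, unless it is validated before `build_one_configuration` is called, which these hunks do not show. The file already has a `sanitize` helper (used for `remote["dir"]` in patch 003); applying it here and quoting the assignment would close this: `script.puts "GBUILD_PACKAGE_CACHE=\"$HOME/cache/#{sanitize(build_desc["name"], "name")}\""`. The function body starts and ends outside the hunk.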
@@ -5,14 +5,17 @@ is enabled in the build descriptor. Common cache: All descriptors share this cache. It can be useful for storing fetched sources, sharing build assets between descriptors, etc. -To add or update files, copy them to ~/cache/common from the build script. Per-descriptor cache Files installed to this cache can only be seen by this descriptor. Use this to store assets created as part of the build process, to avoid having to rebuild them in future builds. -To add or update files, copy them to ~/cache/$NAME from the build script, where -$NAME is the value of the descriptor's "name" key. + +If caching is enabled, GBUILD_CACHE_ENABLED will be set to 1 in the build +script. In addition, GBUILD_PACKAGE_CACHE and GBUILD_COMMON_CACHE will be set +to their respective paths. GBUILD_PACKAGE_CACHE contains the descriptor's +"name" key as a means of separating caches. To add or update the cached files, +copy them to these paths. Before each build, all files and folders in the cache directories will be transferred to the VM. After each successful build, the caches will be From c834f371bbbb31ed5b9ffa7b7da07230c5220c38 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Tue, 25 Nov 2014 11:30:07 -0800 Subject: [PATCH 006/137] Revert "git: minimize uploaded git files" This reverts commit dcf28c8b8638d2e83bb4b9ffd15cdb07ad3de249. due to issue #74 - branches don't work --- bin/gbuild | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 5b3cb8d..6130796 100755 --- a/bin/gbuild +++ b/bin/gbuild 
@@ -236,15 +236,12 @@ build_desc["remotes"].each do |remote| dir = sanitize(remote["dir"], remote["dir"]) unless File.exist?("inputs/#{dir}") system!("git init inputs/#{dir}") - system!("cd inputs/#{dir} && git config core.logAllRefUpdates false") end - system!("cd inputs/#{dir} && git fetch -q #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/remotes/tags/* +refs/heads/*:refs/remotes/heads/*") + system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") commit = sanitize(remote["commit"], remote["commit"]) commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 - system!("cd inputs/#{dir} && git update-ref HEAD #{commit}") - system!("cd inputs/#{dir} && git repack -a -d -q") - system!("cd inputs/#{dir} && git pack-refs --all") + system!("cd inputs/#{dir} && git checkout -q #{commit}") in_sums << "git:#{commit} #{dir}" end From 037d17aff733f1a156ff833cc659ca2c0d2024ac Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Tue, 23 Dec 2014 20:36:56 -0500 Subject: [PATCH 007/137] fix copy-from-target when using lxc to copy a subdir --- libexec/copy-from-target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index f82da66..6f2aaff 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -50,5 +50,5 @@ if [ -z "$USE_LXC" ]; then scp $QUIET_FLAG -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -P $VM_SSH_PORT -r $TUSER@localhost:$1 $2 else config-lxc - sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -cf - "$1" | tar -C "$2" -xkf - + sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xkf - fi 
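Review bot: In the `libexec/copy-from-target` hunk of patch 007, the new LXC command leaves both command substitutions unquoted, so the results of `dirname "$1"` and `basename "$1"` are word-split and glob-expanded by the host shell before they reach `tar`. A path with a space, or a basename starting with `-`, changes the tar command line. Quoting them and ending option parsing keeps the path a single operand: `tar -C "$(dirname "$1")" -cf - -- "$(basename "$1")"`. Because the command is passed through `sudo -i`, which hands it to a login shell, it is worth checking that the path also survives that second parse. The `if` block starts outside the hunk.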
From 7b82201dd7cb8cfa2f9d538983072ce358ed253e Mon Sep 17 00:00:00 2001 From: Devrandom Date: Thu, 15 Jan 2015 11:44:18 -0800 Subject: [PATCH 008/137] allow overwrite in copy-from-target fixes #80 --- libexec/copy-from-target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index 6f2aaff..cdc2944 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -50,5 +50,5 @@ if [ -z "$USE_LXC" ]; then scp $QUIET_FLAG -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -P $VM_SSH_PORT -r $TUSER@localhost:$1 $2 else config-lxc - sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xkf - + sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - fi From b4201676d8e21d0b2e2e80f4889f01b0ed0e1913 Mon Sep 17 00:00:00 2001 From: Dev Random Date: Fri, 13 Mar 2015 12:21:02 -0700 Subject: [PATCH 009/137] fix trusty kernel install --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 161e197..565f3fa 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -74,7 +74,7 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=openssh-server,pciutils,build-essential,git-core,subversion,lxc +addpkg=openssh-server,pciutils,build-essential,git-core,subversion,lxc,linux-image-generic # Remove cron to work around vmbuilder issue when umounting /dev on target removepkg=cron From 7d1e7c5419121ed4e703902cce2c522fcc7097d3 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 23 Mar 2015 19:46:44 -0700 Subject: [PATCH 010/137] trusty fixes, remove legacy grub fixes #84 --- bin/gbuild | 2 +- target-bin/grab-packages.sh | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 6130796..ac04bd9 100755 
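Review bot: In the `libexec/copy-from-target` hunk of patch 008, dropping `-k` means the host-side `tar -C "$2" -xf -` now replaces any existing file under `$2` whose name matches a member of the archive, and that archive is produced inside the build guest. That is the intended fix for repeating a copy, but it makes the destination's contents depend on guest-chosen member names, so callers should pass only a directory dedicated to build output. I would record that next to the command: `# archive comes from the guest: $2 must be a dedicated output directory, existing files are overwritten`.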
--- a/bin/gbuild +++ b/bin/gbuild @@ -96,7 +96,7 @@ def build_one_configuration(suite, arch, build_desc, reference_datetime) info "Installing additional packages (log in var/install.log)" system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1" - info "Grabbing package manifest" + info "Downloading system packages and creating manifest. This may take a while." system! "on-target -u root bash < target-bin/grab-packages.sh > var/base-#{suitearch}.manifest" info "Creating build script (var/build-script)" diff --git a/target-bin/grab-packages.sh b/target-bin/grab-packages.sh index adf8e34..838ebc4 100644 --- a/target-bin/grab-packages.sh +++ b/target-bin/grab-packages.sh @@ -8,5 +8,8 @@ cd /var/cache/apt/archives #apt-get clean +# remove obsolete grub, it causes package dependency issues +apt-get -y purge grub > /dev/null || true + dpkg-query -W -f '${Package}\n' | xargs -n 50 apt-get install --reinstall -y -d > /dev/null sha256sum *.deb | sort --key 2 From 81bf5d70252363a95cb75eea70f8d1d129948013 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 23 Mar 2015 20:47:39 -0700 Subject: [PATCH 011/137] ensure guest upgrade occurs before attempting to get manifest fixes #85 --- .gitignore | 1 + RELEASE_NOTES | 13 +++++++++++++ bin/gbuild | 9 ++++++++- target-bin/grab-packages.sh | 9 +++------ target-bin/upgrade-system.sh | 15 +++++++++++++++ 5 files changed, 40 insertions(+), 7 deletions(-) create mode 100644 target-bin/upgrade-system.sh diff --git a/.gitignore b/.gitignore index 54df527..696aae0 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ inputs base* *.qcow2 sigs +target-bin/bootstrap-fixup diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 514cfdc..7662703 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES 
@@ -1,3 +1,16 @@ +2015-03-23 +---------- + +Now ensuring that `apt-get dist-upgrade` occurs at least once before package manifest +is computed. This is because distributions usually don't store old versions of packages +in the repos, so we can't download the exact package version we have installed if it's +out of date. + +gbuild now has a --upgrade flag that forces an upgrade after the first one. + +Other Notes +=========== + Important: We are planning on switching from using lxc-start to using lxc-execute. lxc-execute requires lxc-init (or init.lxc) to be available on the guest at one of the expected places. You might have to manually install lxc on your base VM image or recreate the image. diff --git a/bin/gbuild b/bin/gbuild index ac04bd9..b7905b1 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -96,7 +96,11 @@ def build_one_configuration(suite, arch, build_desc, reference_datetime) info "Installing additional packages (log in var/install.log)" system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1" - info "Downloading system packages and creating manifest. This may take a while." + if @options[:upgrade] || system("on-target -u root '[ ! -e /var/cache/gitian/initial-upgrade ]'") + info "Upgrading system, may take a while" + system! "on-target -u root bash < target-bin/upgrade-system.sh > var/install.log 2>&1" + end + info "Creating package manifest" system! "on-target -u root bash < target-bin/grab-packages.sh > var/base-#{suitearch}.manifest" info "Creating build script (var/build-script)" @@ -141,6 +145,9 @@ OptionParser.new do |opts| opts.on("-i", "--skip-image", "reuse current target image") do |v| @options[:skip_image] = v end + opts.on("--upgrade", "upgrade guest with latest packages") do |v| + @options[:upgrade] = v + end opts.on("-q", "--quiet", "be quiet") do |v| @options[:quiet] = v end 
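Review bot: The marker test added to `bin/gbuild` in patch 011 fails open. `system("on-target -u root '[ ! -e /var/cache/gitian/initial-upgrade ]'")` is falsy both when the marker exists and when `on-target` itself fails (guest unreachable, connection error), and in the second case the upgrade is skipped and the manifest is computed anyway. Testing for presence and negating in Ruby makes an error run the upgrade instead: `if @options[:upgrade] || !system("on-target -u root '[ -e /var/cache/gitian/initial-upgrade ]'")`. Separately, the upgrade step redirects to `var/install.log`, which overwrites the package-install log written by the line just above; a distinct file such as `var/upgrade.log` would keep both. The function body starts and ends outside the hunk.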
diff --git a/target-bin/grab-packages.sh b/target-bin/grab-packages.sh index 838ebc4..2fef08e 100644 --- a/target-bin/grab-packages.sh +++ b/target-bin/grab-packages.sh @@ -6,10 +6,7 @@ set -e cd /var/cache/apt/archives -#apt-get clean - -# remove obsolete grub, it causes package dependency issues -apt-get -y purge grub > /dev/null || true - -dpkg-query -W -f '${Package}\n' | xargs -n 50 apt-get install --reinstall -y -d > /dev/null +# make sure all packages with installed versions are downloaded +dpkg-query -W -f '${Package}=${Version}\n' | xargs -n 50 apt-get install -q --reinstall -y -d > /tmp/download.log +grep "cannot be downloaded" /tmp/download.log && { echo Could not download some packages, please run gbuild --upgrade 1>&2 ; exit 1 ; } sha256sum *.deb | sort --key 2 diff --git a/target-bin/upgrade-system.sh b/target-bin/upgrade-system.sh new file mode 100644 index 0000000..9384229 --- /dev/null +++ b/target-bin/upgrade-system.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +# Upgrade system + +set -e + +mkdir -p /var/cache/gitian + +# remove obsolete grub, it causes package dependency issues +apt-get -q -y purge grub > /dev/null 2>&1 || true + +# upgrade packages +DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade > /dev/null > /var/cache/gitian/upgrade.log 2>&1 + +touch /var/cache/gitian/initial-upgrade From 04ab7c121842be8c5848b3de5076c8ded7761314 Mon Sep 17 00:00:00 2001 From: Christopher Gurnee Date: Sat, 9 May 2015 22:10:40 -0400 Subject: [PATCH 012/137] prevent upgrade of grub-pc which can fail in lxc fixes #86 --- target-bin/grab-packages.sh | 3 ++- target-bin/upgrade-system.sh | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/target-bin/grab-packages.sh b/target-bin/grab-packages.sh index 2fef08e..c06e3e5 100644 --- a/target-bin/grab-packages.sh +++ b/target-bin/grab-packages.sh 
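Review bot: `target-bin/grab-packages.sh` is run as root in the guest (the `on-target -u root bash` call in `bin/gbuild` feeds it this script) and now writes to the fixed path `/tmp/download.log`, which is in a world-writable directory. If the image is reused after an unprivileged build has run in it (for example with `--skip-image`), a pre-existing file or symlink at that path decides what root truncates and what the `grep` reads. A private temporary file avoids that: `log=$(mktemp)`, redirect the `apt-get` output to `"$log"`, and `grep "cannot be downloaded" "$log"`. The same path is still used by the rewritten line in patch 012.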
@@ -7,6 +7,7 @@ set -e cd /var/cache/apt/archives # make sure all packages with installed versions are downloaded -dpkg-query -W -f '${Package}=${Version}\n' | xargs -n 50 apt-get install -q --reinstall -y -d > /tmp/download.log +# (except for held packages, which may not be available for download) +dpkg-query -W -f '${Status}\t${Package}=${Version}\n' | grep -v ^hold | cut -f2- | xargs -n 50 apt-get install -q --reinstall -y -d > /tmp/download.log grep "cannot be downloaded" /tmp/download.log && { echo Could not download some packages, please run gbuild --upgrade 1>&2 ; exit 1 ; } sha256sum *.deb | sort --key 2 diff --git a/target-bin/upgrade-system.sh b/target-bin/upgrade-system.sh index 9384229..90fa51a 100644 --- a/target-bin/upgrade-system.sh +++ b/target-bin/upgrade-system.sh @@ -9,6 +9,9 @@ mkdir -p /var/cache/gitian # remove obsolete grub, it causes package dependency issues apt-get -q -y purge grub > /dev/null 2>&1 || true +# prevent upgrade of grub-pc, it fails to find a boot drive in lxc containers +echo grub-pc hold | dpkg --set-selections || true + # upgrade packages DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade > /dev/null > /var/cache/gitian/upgrade.log 2>&1 From 2c091595c1bc14ae618e7b364844389b369bb57c Mon Sep 17 00:00:00 2001 From: Michael Ford Date: Wed, 13 May 2015 21:32:36 +0800 Subject: [PATCH 013/137] Ignore .vagrant hidden files --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 696aae0..043c12a 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ base* *.qcow2 sigs target-bin/bootstrap-fixup +.vagrant From af56f89a6acffd363c845a489ec163f0d85d30be Mon Sep 17 00:00:00 2001 
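Review bot: In the `target-bin/grab-packages.sh` hunk of patch 012, filtering with `grep -v ^hold` means held packages are no longer re-downloaded, so `sha256sum *.deb` covers them only if an archive happens to be left in `/var/cache/apt/archives`. The manifest is what lets two builders compare their guest package sets, and a held package that differs between them would presumably go unnoticed. Consider reporting held packages explicitly (to stderr, or as extra manifest lines) so the gap is visible, for instance from `dpkg-query -W -f '${Status}\t${Package}=${Version}\n' | grep ^hold || true`.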
From: Devrandom Date: Sat, 16 May 2015 20:48:18 -0700 Subject: [PATCH 014/137] improved LXC support fixes #86 --- RELEASE_NOTES | 8 +++++ bin/make-base-vm | 56 ++++++++++++++++++++++++----------- etc/lxc.config.in | 1 + libexec/gconfig | 7 ++++- target-bin/bootstrap-fixup.in | 13 ++++++++ target-bin/upgrade-system.sh | 3 -- 6 files changed, 66 insertions(+), 22 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 7662703..0b66d14 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,11 @@ +2015-05-16 +---------- + +LXC support has been revamped: + +* debootstrap is now used directly, so that no kernel or grub packages are installed +* an attempt has been made to eliminate cases where an update of a package can fail because the container is missing a real init/upstart process + 2015-03-23 ---------- diff --git a/bin/make-base-vm b/bin/make-base-vm index 565f3fa..c326451 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -74,7 +74,13 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=openssh-server,pciutils,build-essential,git-core,subversion,lxc,linux-image-generic +addpkg=pciutils,build-essential,git-core,subversion + +if [ $LXC = "1" ]; then + addpkg=$addpkg,lxc +else + addpkg=$addpkg,linux-image-generic,grub-pc,openssh-server +fi # Remove cron to work around vmbuilder issue when umounting /dev on target removepkg=cron 
@@ -99,26 +105,40 @@ if [ $VBOX = "1" ]; then exit 0 fi -if [ -e $OUT.qcow2 ]; then - echo $OUT.qcow2 already exists, please remove it first - exit 1 +if [ $LXC = "1" ]; then + if [ -e $OUT ]; then + echo $OUT already exists, please remove it first + #exit 1 + fi +else + if [ -e $OUT.qcow2 ]; then + echo $OUT.qcow2 already exists, please remove it first + exit 1 + fi fi -libexec/config-bootstrap-fixup -rm -rf $OUT -env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm ubuntu --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup -mv $OUT/*.qcow2 $OUT.qcow2 -rm -rf $OUT - if [ $LXC = "1" ]; then - #sudo debootstrap --include=$addpkg --arch=$ARCH $SUITE $OUT-root $MIRROR - echo Extracting partition for lxc - qemu-img convert $OUT.qcow2 $OUT.raw - loop=`sudo kpartx -av $OUT.raw|sed -n '/loop.p1/{s/.*loop\(.\)p1.*/\1/;p}'` - sudo cp --sparse=always /dev/mapper/loop${loop}p1 $OUT - sudo chown $USER $OUT - sudo kpartx -d /dev/loop$loop - rm -f $OUT.raw + sudo rm -rf $OUT-bootstrap + # Need universe for lxc in lucid + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR + dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 + mkfs.ext4 $OUT-lxc + t=`mktemp -d gitian.XXXXXXXX` + sudo mount $OUT-lxc $t + sudo cp -a $OUT-bootstrap/* $t + sudo umount $t + rmdir $t + + sudo rm -rf $OUT-bootstrap + mv $OUT-lxc $OUT # bootstrap-fixup is done in libexec/make-clean-vm +else + libexec/config-bootstrap-fixup + + rm -rf $OUT + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm ubuntu --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR 
--security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup + mv $OUT/*.qcow2 $OUT.qcow2 + rm -rf $OUT + # bootstrap-fixup is done on first boot fi diff --git a/etc/lxc.config.in b/etc/lxc.config.in index 74a9c82..7ba575d 100644 --- a/etc/lxc.config.in +++ b/etc/lxc.config.in @@ -32,3 +32,4 @@ lxc.network.type = veth lxc.network.flags = up lxc.network.link = GUESTLINK lxc.network.ipv4 = GUESTIP/24 +lxc.utsname = gitian diff --git a/libexec/gconfig b/libexec/gconfig index fa69055..044e6d6 100644 --- a/libexec/gconfig +++ b/libexec/gconfig @@ -1,4 +1,9 @@ VM_SSH_PORT=2223 if [ -z "$LXC_EXECUTE" ]; then - LXC_EXECUTE=lxc-start + ver=`lxc-start --version` + if dpkg --compare-versions $ver ge 1.1.0 ; then + LXC_EXECUTE=lxc-execute + else + LXC_EXECUTE=lxc-start + fi fi diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 1908417..64724ee 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -5,4 +5,17 @@ set -e . /etc/lsb-release echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list +echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list +echo '127.0.1.1 gitian' >> /etc/hosts + +# If LXC +if grep /lxc/gitian /proc/1/cgroup > /dev/null; then + apt-get remove -y rsyslog + dpkg-divert --local --rename --add /sbin/initctl + ln -s /bin/true /sbin/initctl + dpkg-divert --local --rename --add /usr/bin/ischroot + ln -s /bin/true /usr/bin/ischroot + echo lxc hold | dpkg --set-selections || true + echo cgmanager hold | dpkg --set-selections || true +fi 
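Review bot: In the LXC branch added to `bin/make-base-vm` by patch 014, `debootstrap` is invoked without `--keyring`, so whether the Release file signature is checked depends on the host having the Ubuntu archive keyring installed. As far as I know, debootstrap warns and continues unverified when the default keyring file is missing. The resulting image is the trust base for every later build, so I would pin the keyring and fail closed by adding `--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg` to the command (the same command is carried over unchanged in patch 016). Also in this hunk, the `exit 1` after "$OUT already exists" is commented out, so the script continues and `mv $OUT-lxc $OUT` replaces the existing image.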
diff --git a/target-bin/upgrade-system.sh b/target-bin/upgrade-system.sh index 90fa51a..9384229 100644 --- a/target-bin/upgrade-system.sh +++ b/target-bin/upgrade-system.sh @@ -9,9 +9,6 @@ mkdir -p /var/cache/gitian # remove obsolete grub, it causes package dependency issues apt-get -q -y purge grub > /dev/null 2>&1 || true -# prevent upgrade of grub-pc, it fails to find a boot drive in lxc containers -echo grub-pc hold | dpkg --set-selections || true - # upgrade packages DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade > /dev/null > /var/cache/gitian/upgrade.log 2>&1 From f4b72bbec4c2d2c3ced9301c3b1acbf753d50d98 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Sat, 16 May 2015 20:52:55 -0700 Subject: [PATCH 015/137] hold packages for lucid --- target-bin/bootstrap-fixup.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 64724ee..a043074 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -16,6 +16,7 @@ if grep /lxc/gitian /proc/1/cgroup > /dev/null; then ln -s /bin/true /sbin/initctl dpkg-divert --local --rename --add /usr/bin/ischroot ln -s /bin/true /usr/bin/ischroot - echo lxc hold | dpkg --set-selections || true - echo cgmanager hold | dpkg --set-selections || true + for pkg in lxc cgmanager udev plymouth dmsetup upstart; do + echo $pkg hold | dpkg --set-selections || true + done fi From 1ae746f68f0e4409197365f775defd9ae901a96c Mon Sep 17 00:00:00 2001 From: Devrandom Date: Sun, 17 May 2015 10:35:19 -0700 Subject: [PATCH 016/137] LXC cleanup --- bin/make-base-vm | 48 ++++++++++++++++------------------- target-bin/bootstrap-fixup.in | 12 ++++++--- 2 files changed, 31 insertions(+), 29 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index c326451..7fc7818 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
@@ -74,7 +74,7 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=pciutils,build-essential,git-core,subversion +addpkg=pciutils,build-essential,git-core,subversion,language-pack-en if [ $LXC = "1" ]; then addpkg=$addpkg,lxc 
@@ -108,37 +108,33 @@ fi if [ $LXC = "1" ]; then if [ -e $OUT ]; then echo $OUT already exists, please remove it first - #exit 1 + exit 1 fi + sudo rm -rf $OUT-bootstrap + # Need universe for lxc in lucid + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR + dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 + mkfs.ext4 -F $OUT-lxc + t=`mktemp -d gitian.XXXXXXXX` + sudo mount $OUT-lxc $t + sudo cp -a $OUT-bootstrap/* $t + sudo umount $t + rmdir $t + + sudo rm -rf $OUT-bootstrap + mv $OUT-lxc $OUT + # bootstrap-fixup is done in libexec/make-clean-vm else if [ -e $OUT.qcow2 ]; then echo $OUT.qcow2 already exists, please remove it first exit 1 fi -fi - -if [ $LXC = "1" ]; then - sudo rm -rf $OUT-bootstrap - # Need universe for lxc in lucid - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR - dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 - mkfs.ext4 $OUT-lxc - t=`mktemp -d gitian.XXXXXXXX` - sudo mount $OUT-lxc $t - sudo cp -a $OUT-bootstrap/* $t - sudo umount $t - rmdir $t - - sudo rm -rf $OUT-bootstrap - mv $OUT-lxc $OUT - # bootstrap-fixup is done in libexec/make-clean-vm -else - libexec/config-bootstrap-fixup + libexec/config-bootstrap-fixup - rm -rf $OUT - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm ubuntu --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup - mv $OUT/*.qcow2 $OUT.qcow2 - rm -rf $OUT - # bootstrap-fixup is done on first boot + rm -rf $OUT + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm ubuntu --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg 
--removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup + mv $OUT/*.qcow2 $OUT.qcow2 + rm -rf $OUT + # bootstrap-fixup is done on first boot fi diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index a043074..5d77cf2 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -11,12 +11,18 @@ echo '127.0.1.1 gitian' >> /etc/hosts # If LXC if grep /lxc/gitian /proc/1/cgroup > /dev/null; then + adduser --disabled-password --gecos ubuntu --quiet ubuntu || true apt-get remove -y rsyslog dpkg-divert --local --rename --add /sbin/initctl ln -s /bin/true /sbin/initctl dpkg-divert --local --rename --add /usr/bin/ischroot ln -s /bin/true /usr/bin/ischroot - for pkg in lxc cgmanager udev plymouth dmsetup upstart; do - echo $pkg hold | dpkg --set-selections || true - done + # Prevent interaction with init during upgrades + dpkg-divert --local --rename --add /usr/sbin/policy-rc.d + echo 'exit 101' > /usr/sbin/policy-rc.d + chmod +x /usr/sbin/policy-rc.d +## These are superceded by the policy-rc.d fix above +# for pkg in lxc cgmanager udev plymouth dmsetup upstart; do +# echo $pkg hold | dpkg --set-selections || true +# done fi From 1913792091dbbbc3f36ee09dbee2664dfed2bf03 Mon Sep 17 00:00:00 2001 From: Dev Random Date: Thu, 4 Jun 2015 12:37:01 -0700 Subject: [PATCH 017/137] Start using lxc-execute from LXC version 1.0.0 --- libexec/gconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/gconfig b/libexec/gconfig index 044e6d6..9d6e8d1 100644 --- a/libexec/gconfig +++ b/libexec/gconfig @@ -1,7 +1,7 @@ VM_SSH_PORT=2223 if [ -z "$LXC_EXECUTE" ]; then ver=`lxc-start --version` - if dpkg --compare-versions $ver ge 1.1.0 ; then + if dpkg --compare-versions $ver ge 1.0.0 ; then LXC_EXECUTE=lxc-execute else LXC_EXECUTE=lxc-start 
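Review bot: In the `target-bin/bootstrap-fixup.in` hunk of patch 016, the generated `/usr/sbin/policy-rc.d` contains only `exit 101` with no interpreter line. It therefore works only when the caller falls back to running it through a shell; a direct `exec` of the file would fail with ENOEXEC. Writing it as a complete script is more robust: `printf '#!/bin/sh\nexit 101\n' > /usr/sbin/policy-rc.d`. The enclosing `if` block starts outside the hunk.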
From 7219c490cccf332837753690c6e21bfc8041ed0c Mon Sep 17 00:00:00 2001 From: Devrandom Date: Thu, 4 Jun 2015 12:46:20 -0700 Subject: [PATCH 018/137] make bootstrap-fixup idempotent --- target-bin/bootstrap-fixup.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 5d77cf2..54dc75e 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -12,11 +12,11 @@ echo '127.0.1.1 gitian' >> /etc/hosts # If LXC if grep /lxc/gitian /proc/1/cgroup > /dev/null; then adduser --disabled-password --gecos ubuntu --quiet ubuntu || true - apt-get remove -y rsyslog + apt-get remove -y rsyslog || true dpkg-divert --local --rename --add /sbin/initctl - ln -s /bin/true /sbin/initctl + ln -sf /bin/true /sbin/initctl dpkg-divert --local --rename --add /usr/bin/ischroot - ln -s /bin/true /usr/bin/ischroot + ln -sf /bin/true /usr/bin/ischroot # Prevent interaction with init during upgrades dpkg-divert --local --rename --add /usr/sbin/policy-rc.d echo 'exit 101' > /usr/sbin/policy-rc.d From da0276608e43c95c7082bec42a695023bbfeb679 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Mon, 29 Jun 2015 09:02:25 -0400 Subject: [PATCH 019/137] Add ECDSA signing to gsign Relies on a script in the Armory source tree to handle the actual signing. --- bin/gsign | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/bin/gsign b/bin/gsign index 665e8ac..4f729c9 100755 --- a/bin/gsign +++ b/bin/gsign @@ -45,6 +45,14 @@ OptionParser.new do |opts| opts.on("-d DEST", "--destination DEST", "directory to place signature in") do |v| @options[:destination] = v end + + opts.on("-e", "--ecdsa", "enable ecdsa signing instead of gpg") do |v| + @options[:ecdsa] = v + end + + opts.on("-a PATH", "--armory PATH", "path to Armory source tree") do |v| + @options[:armory] = v + end end.parse! base_dir = Pathname.new(__FILE__).expand_path.dirname.parent 
@@ -75,7 +83,9 @@ result['name'] = package_name result['type'] = 'build' result['optionals'] = optionals -signer = @options[:signer] or raise "must supply signer with --signer" +unless @options[:ecdsa] + signer = @options[:signer] or raise "must supply signer with --signer" +end FileUtils.mkdir_p(destination) @@ -85,4 +95,9 @@ assert_path = File.join(release_path, "#{package_name}-build.assert") File.open(assert_path, "w") do |io| io.write result.to_yaml end -system!("gpg --detach-sign -u \"#{signer}\" \"#{assert_path}\"") +if @options[:ecdsa] + ecdsa_path = File.join(@options[:armory], release_scripts, "signassert.py") + system("python #{ecdsa_path} \"#{assert_path}\"") +else + system!("gpg --detach-sign -u \"#{signer}\" \"#{assert_path}\"") +end From ede6af786437ff87e29e9b971bde3950949ec1e1 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Mon, 29 Jun 2015 15:09:31 -0400 Subject: [PATCH 020/137] Switch ECDSA signing to generic --signing_program option This should allow anyone to write any signing program and use it in conjunction with gsign as long as it supports the same options/arguments as gpg does (namely -u for the signer and an argument for the file to sign). --- bin/gsign | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/bin/gsign b/bin/gsign index 4f729c9..42ae8e6 100755 --- a/bin/gsign +++ b/bin/gsign @@ -46,12 +46,8 @@ OptionParser.new do |opts| @options[:destination] = v end - opts.on("-e", "--ecdsa", "enable ecdsa signing instead of gpg") do |v| - @options[:ecdsa] = v - end - - opts.on("-a PATH", "--armory PATH", "path to Armory source tree") do |v| - @options[:armory] = v + opts.on("-p PROG", "--signing_program PROG", "specify signing program to use") do |v| + @options[:program] = v end end.parse! 
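Review bot: In the `--ecdsa` branch added at the end of `bin/gsign` by patch 019, `release_scripts` is not defined anywhere in the lines shown, so `File.join(@options[:armory], release_scripts, "signassert.py")` would presumably raise NameError, and `@options[:armory]` is nil when `-a` is omitted. The branch also calls plain `system(...)` where the gpg branch uses `system!`, so a failed signing run is not reported and gsign exits as if the assertion had been signed. At minimum this should be `system!("python #{ecdsa_path} \"#{assert_path}\"")` together with a check that `--armory` was given. The script's top-level code continues outside these hunks.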
@@ -83,9 +79,8 @@ result['name'] = package_name result['type'] = 'build' result['optionals'] = optionals -unless @options[:ecdsa] - signer = @options[:signer] or raise "must supply signer with --signer" -end +signer = @options[:signer] or raise "must supply signer with --signer" +program = @options[:program] || "gpg --detach-sign" FileUtils.mkdir_p(destination) @@ -95,9 +90,4 @@ assert_path = File.join(release_path, "#{package_name}-build.assert") File.open(assert_path, "w") do |io| io.write result.to_yaml end -if @options[:ecdsa] - ecdsa_path = File.join(@options[:armory], release_scripts, "signassert.py") - system("python #{ecdsa_path} \"#{assert_path}\"") -else - system!("gpg --detach-sign -u \"#{signer}\" \"#{assert_path}\"") -end +system("#{program} -u \"#{signer}\" \"#{assert_path}\"") From db712b254e67ab81d1338e984898f88844dacbd7 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Mon, 29 Jun 2015 15:42:06 -0400 Subject: [PATCH 021/137] Add back accidentally removed ! from gsign --- bin/gsign | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gsign b/bin/gsign index 42ae8e6..a03c810 100755 --- a/bin/gsign +++ b/bin/gsign @@ -90,4 +90,4 @@ assert_path = File.join(release_path, "#{package_name}-build.assert") File.open(assert_path, "w") do |io| io.write result.to_yaml end -system("#{program} -u \"#{signer}\" \"#{assert_path}\"") +system!("#{program} -u \"#{signer}\" \"#{assert_path}\"") From b48730064a54a01d926d60062e9feb303ede2396 Mon Sep 17 00:00:00 2001 From: Miron Date: Tue, 30 Jun 2015 15:17:41 -0700 Subject: [PATCH 022/137] handle no lxc installed --- libexec/gconfig | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libexec/gconfig b/libexec/gconfig index 9d6e8d1..204be94 100644 --- a/libexec/gconfig +++ b/libexec/gconfig 
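Review bot: In bin/gsign, the final `system!("#{program} -u \"#{signer}\" \"#{assert_path}\"")` (as left by PATCH 020 and 021) builds a shell command by string interpolation, so a `"`, backtick or `$(` inside the `--signer` value or the destination path is interpreted by the shell instead of reaching the signing program as data. `program` has to stay shell-split because the default is `gpg --detach-sign`, but the other two can be escaped: `system!("#{program} -u #{Shellwords.escape(signer)} #{Shellwords.escape(assert_path)}")`, with `require 'shellwords'` at the top of the file. Since `--signing_program` now decides what produces the release signature, its help text should say that PROG is executed through the shell.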
@@ -1,9 +1,11 @@ VM_SSH_PORT=2223 -if [ -z "$LXC_EXECUTE" ]; then - ver=`lxc-start --version` - if dpkg --compare-versions $ver ge 1.0.0 ; then - LXC_EXECUTE=lxc-execute - else - LXC_EXECUTE=lxc-start +if [ -n "$USE_LXC" ]; then + if [ -z "$LXC_EXECUTE" ]; then + ver=`lxc-start --version` + if dpkg --compare-versions $ver ge 1.0.0 ; then + LXC_EXECUTE=lxc-execute + else + LXC_EXECUTE=lxc-start + fi fi fi From f8a3307bc866019ef702597e7e800b39252ff560 Mon Sep 17 00:00:00 2001 From: Dev Random Date: Tue, 7 Jul 2015 14:02:35 -0700 Subject: [PATCH 023/137] Debian instructions --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index b43f486..d350420 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,14 @@ This performs a build inside a VM, with deterministic inputs and outputs. If th sudo apt-get install qemu-kvm # for KVM mode sudo apt-get install debootstrap lxc # for LXC mode +### Debian: + +See Ubuntu, and also run the following on Debian Jessie or newer: + + sudo apt-get install ubuntu-archive-keyring + +On Debian Wheezy you run the same command, but you must first add backports to your system, because the package is only available in wheezy-backports. + ### OSX with MacPorts: sudo port install ruby coreutils From ec56a82d4b14872fe27fe10a93a346162318f8f5 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Wed, 29 Jul 2015 13:17:03 -0700 Subject: [PATCH 024/137] full path to mkfs.ext4 --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 7fc7818..4788f62 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
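Review bot: In libexec/gconfig, `ver` is empty when `USE_LXC` is set but `lxc-start` is missing or fails, and the unquoted `dpkg --compare-versions $ver ge 1.0.0` then receives too few arguments, errors out and silently selects `LXC_EXECUTE=lxc-start`. Quoting the operand and checking the probe makes the failure visible: `ver=$(lxc-start --version) || echo "gconfig: lxc-start not found" >&2`, followed by `dpkg --compare-versions "$ver" ge 1.0.0`.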
@@ -114,7 +114,7 @@ if [ $LXC = "1" ]; then # Need universe for lxc in lucid env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 - mkfs.ext4 -F $OUT-lxc + /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` sudo mount $OUT-lxc $t sudo cp -a $OUT-bootstrap/* $t From 9d46e26c2e81ac11918d38efc9b7102d392be56e Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Sat, 1 Aug 2015 17:14:44 +0000 Subject: [PATCH 025/137] gbuild: Allow disabling fetch of modified caches with `--cache-read-only` option --- bin/gbuild | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index 6130796..e1f572d 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -156,6 +156,9 @@ OptionParser.new do |opts| opts.on("-u PAIRS", "--url PAIRS", "comma separated list of DIRECTORY=URL pairs") do |v| @options[:url] = v end + opts.on("--cache-read-only", "only use existing cache files, do not update them") do |v| + @options[:cache_ro] = v + end end.parse! if !ENV["USE_LXC"] and !File.exist?("/dev/kvm") @@ -259,11 +262,13 @@ suites.each do |suite| info "Grabbing results" system! "copy-from-target #{@quiet_flag} out #{build_dir}" + unless @options[:cache_ro] if enable_cache info "Grabbing cache" system! "copy-from-target #{@quiet_flag} cache/#{package_name}/ #{cache_dir}" system! "copy-from-target #{@quiet_flag} cache/common/ #{cache_dir}" end + end base_manifest = File.read("var/base-#{suite}-#{arch}.manifest") base_manifests["#{suite}-#{arch}"] = base_manifest end From 923016ec8d1abb127c92a127a527f71c67d78acf Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 3 Aug 2015 14:21:43 -0700 Subject: [PATCH 026/137] minor cleanup of previous --- bin/gbuild | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 0a48f38..64b3c92 100755 --- a/bin/gbuild +++ b/bin/gbuild 
@@ -163,7 +163,7 @@ OptionParser.new do |opts| opts.on("-u PAIRS", "--url PAIRS", "comma separated list of DIRECTORY=URL pairs") do |v| @options[:url] = v end - opts.on("--cache-read-only", "only use existing cache files, do not update them") do |v| + opts.on("-o", "--cache-read-only", "only use existing cache files, do not update them") do |v| @options[:cache_ro] = v end end.parse! @@ -266,16 +266,14 @@ suites.each do |suite| # Build! build_one_configuration(suite, arch, build_desc, reference_datetime) - info "Grabbing results" + info "Grabbing results from target" system! "copy-from-target #{@quiet_flag} out #{build_dir}" - unless @options[:cache_ro] - if enable_cache - info "Grabbing cache" + if enable_cache && !@options[:cache_ro] + info "Grabbing cache from target" system! "copy-from-target #{@quiet_flag} cache/#{package_name}/ #{cache_dir}" system! "copy-from-target #{@quiet_flag} cache/common/ #{cache_dir}" end - end base_manifest = File.read("var/base-#{suite}-#{arch}.manifest") base_manifests["#{suite}-#{arch}"] = base_manifest end From e3e67df408f451db94a445d90a977d37dbc58b77 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 3 Aug 2015 14:31:36 -0700 Subject: [PATCH 027/137] eliminate uneeded verbosity from apt-get for Ubuntu credit goes to @Michagogo related to #44 --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d350420..0ed79e3 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,13 @@ This performs a build inside a VM, with deterministic inputs and outputs. If th ### Ubuntu: +This pulls in all pre-requisites for KVM building on Ubuntu: + sudo apt-get install git apache2 apt-cacher-ng python-vm-builder ruby qemu-utils - sudo apt-get install qemu-kvm # for KVM mode - sudo apt-get install debootstrap lxc # for LXC mode + +If you'd like to use LXC mode instead, install it as follows: + + sudo apt-get install lxc ### Debian: 
From 21852dffc358572ff0de4935390a0e71768e034e Mon Sep 17 00:00:00 2001 From: Zach Date: Tue, 1 Sep 2015 13:46:44 -0230 Subject: [PATCH 028/137] Updated README.md with OS X Homebrew instructions Added info for OS X homebrew commands alongside the Macports as some people prefer to use Homebrew over MacPorts and it is a pain to switch over from the two. --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 0ed79e3..9eff3ad 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,11 @@ On Debian Wheezy you run the same command, but you must first add backports to y sudo port install ruby coreutils export PATH=$PATH:/opt/local/libexec/gnubin # Needed for sha256sum + +### OSX with Homebrew: + + brew install ruby coreutils + export PATH=$PATH:/opt/local/libexec/gnubin #### VirtualBox: From aac596e34668a531596d8e9893d45418a920b8ee Mon Sep 17 00:00:00 2001 From: Daniel Morante Date: Tue, 15 Sep 2015 00:01:08 -0400 Subject: [PATCH 029/137] Missing wget The build process for [Bitcoin](https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md) was failing with the following error ``` ./bin/gbuild:21:in `system!': failed to run on-target setarch x86_64 bash -x < var/build-script > var/build.log 2>&1 (RuntimeError) from ./bin/gbuild:137:in `build_one_configuration' from ./bin/gbuild:267:in `block (2 levels) in
' from ./bin/gbuild:262:in `each' from ./bin/gbuild:262:in `block in
' from ./bin/gbuild:260:in `each' from ./bin/gbuild:260:in `
' ``` Inside the log file `var/build.log` the entries towards the end show ``` /bin/sh: 1: wget: not found ``` --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 4788f62..8f0a7cc 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -74,7 +74,7 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=pciutils,build-essential,git-core,subversion,language-pack-en +addpkg=pciutils,build-essential,git-core,subversion,language-pack-en,wget if [ $LXC = "1" ]; then addpkg=$addpkg,lxc From dbf04f4ece406f0376cef531ad3ba5478d6af718 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Tue, 6 Oct 2015 19:32:06 -0400 Subject: [PATCH 030/137] Use lsb_release to get codename rather than /etc/lsb-release It seems like a lsb_release program should be available on any distro if the appropriate package is installed. So it seems better to use lsb_release instead of /etc/lsb-release, because Debian doesn't appear to have /etc/lsb-release. --- bin/make-base-vm | 2 +- target-bin/bootstrap-fixup.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 8f0a7cc..f1d3174 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -74,7 +74,7 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=pciutils,build-essential,git-core,subversion,language-pack-en,wget +addpkg=pciutils,build-essential,git-core,subversion,language-pack-en,wget,lsb-release if [ $LXC = "1" ]; then addpkg=$addpkg,lxc diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 54dc75e..80b6978 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in 
@@ -2,7 +2,7 @@ set -e -. /etc/lsb-release +DISTRIB_CODENAME=`lsb_release -cs` echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list From 8b297cbcdf68aaf2f39fb652924d689feb6ffa0b Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Tue, 6 Oct 2015 22:23:02 -0400 Subject: [PATCH 031/137] Initial Debian guest support --- bin/gbuild | 3 ++ bin/make-base-vm | 58 +++++++++++++++++++++++++++-------- libexec/copy-from-target | 2 +- libexec/copy-to-target | 2 +- libexec/on-target | 2 +- target-bin/bootstrap-fixup.in | 13 ++++++-- 6 files changed, 62 insertions(+), 18 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 64b3c92..aa07ad6 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -204,10 +204,13 @@ if enable_cache FileUtils.mkdir_p(File.join(cache_dir, package_name)) end +distro = build_desc["distro"] or raise "must supply distro" suites = build_desc["suites"] or raise "must supply suites" archs = build_desc["architectures"] or raise "must supply architectures" reference_datetime = build_desc["reference_datetime"] or raise "must supply reference_datetime" +ENV['DISTRO'] = distro + desc_sum = `sha256sum #{build_desc_file}` desc_sum = desc_sum.sub(build_desc_file, "#{package_name}-desc.yml") in_sums << desc_sum diff --git a/bin/make-base-vm b/bin/make-base-vm index f1d3174..e886a56 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -1,10 +1,10 @@ #!/bin/sh set -e +DISTRO=ubuntu SUITE=lucid ARCH=amd64 -MIRROR=http://${MIRROR_HOST:-127.0.0.1}:3142/archive.ubuntu.com/ubuntu -SECURITY_MIRROR=http://${MIRROR_HOST:-127.0.0.1}:3142/security.ubuntu.com/ubuntu +MIRROR_BASE=http://${MIRROR_HOST:-127.0.0.1}:3142 LXC=0 VBOX=0 
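Review bot: In the bin/gbuild hunk of PATCH 031, `distro` comes straight from the build descriptor and is exported with `ENV['DISTRO'] = distro` without any validation, while the libexec scripts changed in this same commit use that variable as the guest login name (`TUSER=$DISTRO`). A descriptor is input from whoever wrote it, so the value should be restricted to the supported names before it reaches the environment, for example `raise "unsupported distro #{distro}" unless %w[ubuntu debian].include?(distro)` placed above the `ENV['DISTRO']` line. That also turns a non-string YAML value into a clear error instead of a failure inside `ENV[]=`.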
@@ -13,11 +13,12 @@ usage() { echo "Make a base client." echo cat << EOF - --help display this help and exit - --suite U build suite U instead of lucid - --arch A build architecture A (e.g. i386) instead of amd64 - --lxc use lxc instead of kvm - --vbox use VirtualBox instead of kvm + --help display this help and exit + --distro D build distro D (e.g. debian) instead of ubuntu + --suite U build suite U instead of lucid + --arch A build architecture A (e.g. i386) instead of amd64 + --lxc use lxc instead of kvm + --vbox use VirtualBox instead of kvm The MIRROR_HOST environment variable can be used to change the apt-cacher host. It should be something that both the host and the @@ -34,6 +35,10 @@ if [ $# != 0 ] ; then usage exit 0 ;; + --distro|-d) + DISTRO="$2" + shift 2 + ;; --suite|-s) SUITE="$2" shift 2 @@ -61,6 +66,19 @@ if [ $# != 0 ] ; then done fi +if [ $DISTRO = "debian" -a $LXC = "1" ]; then + echo "There is no support for Debian guests using LXC currently. Please use KVM or another distro for now." + exit 1 +fi + +if [ $DISTRO = "ubuntu" ]; then + MIRROR=$MIRROR_BASE/archive.ubuntu.com/ubuntu + SECURITY_MIRROR=$MIRROR_BASE/security.ubuntu.com/ubuntu +elif [ $DISTRO = "debian" ]; then + MIRROR=$MIRROR_BASE/ftp.debian.org/debian + SECURITY_MIRROR=$MIRROR_BASE/security.debian.org/ +fi + mkdir -p var if [ ! -e var/id_dsa ]; then 
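Review bot: In bin/make-base-vm, the new `if [ $DISTRO = "ubuntu" ] … elif [ $DISTRO = "debian" ]` block has no `else`, so any other `--distro` value leaves `MIRROR` and `SECURITY_MIRROR` unset and the script carries on to key generation and the image build with empty mirror arguments. Add `else echo "Unsupported distro: $DISTRO" >&2; exit 1` before the `fi`, and quote the variable in the tests (`[ "$DISTRO" = "debian" -a "$LXC" = "1" ]`) so an empty value is a clean mismatch rather than a `[` syntax error. The `DISTRIB_NAME` test added to target-bin/bootstrap-fixup.in in this commit has the same shape: an unrecognised name falls through without writing sources.list.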
@@ -74,12 +92,28 @@ if [ $ARCH = "amd64" -a $SUITE = "hardy" ]; then FLAVOUR=server fi -addpkg=pciutils,build-essential,git-core,subversion,language-pack-en,wget,lsb-release +if [ $DISTRO = "debian" -a $ARCH = "amd64" ]; then + FLAVOUR=amd64 +elif [ $DISTRO = "debian" -a $ARCH = "i386" ]; then + FLAVOUR=i686-pae +fi + +LOCALE_PKG=language-pack-en +if [ $DISTRO = "debian" ]; then + LOCALE_PKG=locales +fi + +addpkg=pciutils,build-essential,git-core,subversion,$LOCALE_PKG,wget,lsb-release + +KERNEL_PKG=linux-image-generic +if [ $DISTRO = "debian" ]; then + KERNEL_PKG= +fi if [ $LXC = "1" ]; then addpkg=$addpkg,lxc else - addpkg=$addpkg,linux-image-generic,grub-pc,openssh-server + addpkg=$addpkg,$KERNEL_PKG,grub-pc,openssh-server fi # Remove cron to work around vmbuilder issue when umounting /dev on target @@ -96,8 +130,8 @@ if [ $VBOX = "1" ]; then vagrant ssh "$NAME" -c "sudo mkdir -p /root/.ssh && sudo chmod 700 /root/.ssh" vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /root/.ssh/authorized_keys'" < var/id_dsa.pub - vagrant ssh "$NAME" -c "sudo -u ubuntu mkdir -p /home/ubuntu/.ssh && sudo -u ubuntu chmod 700 /home/ubuntu/.ssh" - vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /home/ubuntu/.ssh/authorized_keys'" < var/id_dsa.pub + vagrant ssh "$NAME" -c "sudo -u $DISTRO mkdir -p /home/$DISTRO/.ssh && sudo -u $DISTRO chmod 700 /home/$DISTRO/.ssh" + vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /home/$DISTRO/.ssh/authorized_keys'" < var/id_dsa.pub VBoxManage snapshot "Gitian-$NAME" take "Gitian-Clean" vagrant suspend "$NAME" 
@@ -132,7 +166,7 @@ else libexec/config-bootstrap-fixup rm -rf $OUT - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm ubuntu --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm $DISTRO --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup mv $OUT/*.qcow2 $OUT.qcow2 rm -rf $OUT # bootstrap-fixup is done on first boot diff --git a/libexec/copy-from-target b/libexec/copy-from-target index cdc2944..990d2f0 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -2,7 +2,7 @@ . gconfig -TUSER=ubuntu +TUSER=$DISTRO QUIET_FLAG= usage() { diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 5ea8705..2ad9f96 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -2,7 +2,7 @@ . gconfig -TUSER=ubuntu +TUSER=$DISTRO QUIET_FLAG= usage() { diff --git a/libexec/on-target b/libexec/on-target index cf05d0a..fdc57c3 100755 --- a/libexec/on-target +++ b/libexec/on-target @@ -2,7 +2,7 @@ . gconfig -TUSER=ubuntu +TUSER=$DISTRO usage() { echo "Usage: ${0##*/} [OPTION]... " diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 80b6978..11f91d9 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in 
@@ -2,11 +2,18 @@ set -e +DISTRIB_NAME=`lsb_release -is` DISTRIB_CODENAME=`lsb_release -cs` -echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list -echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list -echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list +if [ $DISTRIB_NAME = "Ubuntu" ]; then + echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list +elif [ $DISTRIB_NAME = "Debian" ]; then + echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME main" > $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME-updates main" >> $1/etc/apt/sources.list +fi echo '127.0.1.1 gitian' >> /etc/hosts # If LXC From c0c8392d49a0386bef6e5eed3144626ad0049c6d Mon Sep 17 00:00:00 2001 
From: Joseph Bisch Date: Sat, 17 Oct 2015 11:30:14 -0400 Subject: [PATCH 032/137] Purge grub-legacy and bcron-run to work around Debian guest issue --- target-bin/bootstrap-fixup.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 11f91d9..6ffc0d2 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -13,6 +13,10 @@ elif [ $DISTRIB_NAME = "Debian" ]; then echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME main" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME-updates main" >> $1/etc/apt/sources.list + # grub-legacy conflicts grub-pc dependencies + # No grub-legacy on Ubuntu, just on Debian + # Work around bcron-run conflict due to cron being removed + apt-get purge -y grub-legacy bcron-run &> /dev/null fi echo '127.0.1.1 gitian' >> /etc/hosts From 86f31e89c6833b576ec736bfae3f6e91974a8802 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Sat, 17 Oct 2015 19:01:03 -0400 Subject: [PATCH 033/137] Default to ubuntu as distro if not specified This is so that old Gitian descriptors don't break. --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index aa07ad6..483d73a 100755 --- a/bin/gbuild +++ b/bin/gbuild 
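Review bot: In the target-bin/bootstrap-fixup.in hunk of PATCH 032, `apt-get purge -y grub-legacy bcron-run &> /dev/null` relies on the bash-only `&>` redirection. The shebang is outside the hunk; if the script is run by a POSIX `sh` such as dash, the line is parsed as `apt-get … &` followed by an empty redirection, so the purge runs in the background with its output unsilenced and can contend with the next apt or dpkg call for the lock. The portable form is `apt-get purge -y grub-legacy bcron-run > /dev/null 2>&1`. The file runs under `set -e`, so decide whether a failed purge should abort the fix-up or be tolerated with `|| true`, as was done for the rsyslog removal.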
@@ -204,7 +204,7 @@ if enable_cache FileUtils.mkdir_p(File.join(cache_dir, package_name)) end -distro = build_desc["distro"] or raise "must supply distro" +distro = build_desc["distro"] || "ubuntu" suites = build_desc["suites"] or raise "must supply suites" archs = build_desc["architectures"] or raise "must supply architectures" reference_datetime = build_desc["reference_datetime"] or raise "must supply reference_datetime" From 2d51b140d0e41d83d0ee0bbe899bd0be5aad4d0f Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Sat, 17 Oct 2015 19:39:30 -0400 Subject: [PATCH 034/137] Add information about Debian guests to README.md --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 9eff3ad..a1835c9 100644 --- a/README.md +++ b/README.md 
@@ -49,6 +49,22 @@ On Debian Wheezy you run the same command, but you must first add backports to y Install virtualbox from http://www.virtualbox.org, and make sure `VBoxManage` is in your `$PATH`. +## Debian Guests + +Gitian now supports Debian guests in addition to Ubuntu guests. Note that this doesn't mean you can allow the builders to choose to use either Debian or Ubuntu guests. The person creating the Gitian descriptor will need to choose a particular distro and suite for the guest and all builders must use that particular distro and suite, otherwise the software won't reproduce for everyone. + +The official vmbuilder only includes support for Ubuntu guests, so you need to install [Joseph Bisch's fork of vmbuilder](https://github.com/josephbisch/vmbuilder), which adds a Debian plugin. + +To create a Debian guest: + + bin/make-base-vm --distro debian --suite jessie + +There is currently no support for LXC Debian guests. There is just KVM support. LXC support for Debian guests is planned to be added soon. + +Only Debian Jessie guests have been tested with Gitian. Debian Jessie is the current stable release of Debian at this time. If you have success (or trouble) with other versions of Debian, please let us know. + +If you are creating a Gitian descriptor, you can now specify a distro. If no distro is provided, the default is to assume Ubuntu. Since Ubuntu is assumed, older Gitian descriptors that don't specify a distro will still work as they always have. + ## Create the base VM for use in further builds **NOTE:** requires `sudo`, please review the script From fe1abd115324d2e706626ed567d1f234fd300e64 Mon Sep 17 00:00:00 2001 
From: Joseph Bisch Date: Thu, 12 Nov 2015 10:05:58 -0500 Subject: [PATCH 035/137] Fix flavour for i386 arch Wheezy on up has linux-image-686-pae. Squeeze on down has linux-image-686. --- bin/make-base-vm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index e886a56..10f1db0 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -94,8 +94,10 @@ fi if [ $DISTRO = "debian" -a $ARCH = "amd64" ]; then FLAVOUR=amd64 -elif [ $DISTRO = "debian" -a $ARCH = "i386" ]; then - FLAVOUR=i686-pae +elif [ $DISTRO = "debian" -a $ARCH = "i386" -a \($SUITE = "wheezy" -o $SUITE = "jessie" -o $SUITE = "stretch" -o $SUITE = "sid"\) ]; then + FLAVOUR=686-pae +elif [ $DISTRO = "debian" ]; then + FLAVOUR=686 fi LOCALE_PKG=language-pack-en From 4f69707c4df4224506a64b760cbd4fd14eb83c8f Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Thu, 12 Nov 2015 12:42:58 -0500 Subject: [PATCH 036/137] Fix issue with apt in Debian <= Squeeze --- bin/make-base-vm | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 10f1db0..056072a 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
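Review bot: In the bin/make-base-vm hunk of PATCH 035, `\($SUITE = "wheezy"` and `$SUITE = "sid"\)` have no space between the escaped parenthesis and its neighbour, so `[` receives the words `(wheezy` and `sid)` rather than separate `(` and `)` operands. The grouping is therefore lost: wheezy and sid never match and fall through to `FLAVOUR=686`, and the remaining `-o` terms are no longer tied to the `$DISTRO`/`$ARCH` checks. Write the group as `\( "$SUITE" = "wheezy" -o "$SUITE" = "jessie" -o "$SUITE" = "stretch" -o "$SUITE" = "sid" \)`. PATCH 037 rewrites the list for the older suites with the same missing spaces (`\($SUITE = "squeeze"` … `"buzz"\)`), so it needs the same fix.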
@@ -107,15 +107,18 @@ fi addpkg=pciutils,build-essential,git-core,subversion,$LOCALE_PKG,wget,lsb-release -KERNEL_PKG=linux-image-generic -if [ $DISTRO = "debian" ]; then - KERNEL_PKG= +if [ $DISTRO = "ubuntu" ]; then + # Need comma at end to work around an issue with apt for Debian <= Squeeze regarding empty strings + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744940 + # http://anonscm.debian.org/cgit/apt/apt.git/commit/?h=1.0.3&id=d99854cac4065bc7b337815fb2116269d58dab73 + KERNEL_PKG=linux-image-generic, fi if [ $LXC = "1" ]; then addpkg=$addpkg,lxc else - addpkg=$addpkg,$KERNEL_PKG,grub-pc,openssh-server + # Lack of comma after KERNEL_PKG is not a typo + addpkg=$addpkg,${KERNEL_PKG}grub-pc,openssh-server fi # Remove cron to work around vmbuilder issue when umounting /dev on target From 5b7c52b2310e851251cf4222b1527ccb0cc3e791 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Fri, 13 Nov 2015 09:05:46 -0500 Subject: [PATCH 037/137] Swap Debian i386 flavour checks Check for older suites with 686 flavour before checking for 686-pae flavour suites, because the former should never change, but the latter would have to be changed whenever a new suite was released if it wasn't the last if statement. --- bin/make-base-vm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 056072a..ddd2c54 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
@@ -94,10 +94,10 @@ fi if [ $DISTRO = "debian" -a $ARCH = "amd64" ]; then FLAVOUR=amd64 -elif [ $DISTRO = "debian" -a $ARCH = "i386" -a \($SUITE = "wheezy" -o $SUITE = "jessie" -o $SUITE = "stretch" -o $SUITE = "sid"\) ]; then - FLAVOUR=686-pae -elif [ $DISTRO = "debian" ]; then +elif [ $DISTRO = "debian" -a $ARCH = "i386" -a \($SUITE = "squeeze" -o $SUITE = "lenny" -o $SUITE = "etch" -o $SUITE = "sarge" -o $SUITE = "woody" -o $SUITE = "potato" -o $SUITE = "slink" -o $SUITE = "hamm" -o $SUITE = "bo" -o $SUITE = "rex" -o $SUITE = "buzz"\) ]; then FLAVOUR=686 +elif [ $DISTRO = "debian" ]; then + FLAVOUR=686-pae fi LOCALE_PKG=language-pack-en From 1aad9f407975e4b16426ba4243242224fd1a0dbd Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Fri, 13 Nov 2015 09:22:19 -0500 Subject: [PATCH 038/137] Expand on apt issue/workaround and correct affected Debian suites --- bin/make-base-vm | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index ddd2c54..8102951 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
@@ -108,7 +108,15 @@ fi addpkg=pciutils,build-essential,git-core,subversion,$LOCALE_PKG,wget,lsb-release if [ $DISTRO = "ubuntu" ]; then - # Need comma at end to work around an issue with apt for Debian <= Squeeze regarding empty strings + # Need comma at end to work around an issue with apt for Debian <= Wheezy regarding empty strings + # + # If we left the comma down below when adding KERNEL_PKG to addpkg, the fact that KERNEL_PKG is undefined + # if DISTRO is debian would result in two commas in a row (,,), which is interpreted by apt-get as the + # package with the name empty string (""). This triggers a bug with apt versions < 1.0.3. So by adding the + # comma to the end of KERNEL_PKG, we are including that comma if the distro is ubuntu (and therefore we do + # have a kernel package that needs to be installed). If KERNEL_PKG is not set (i.e. we have Debian as the + # distro), then we don't add that extra comma and therefore, we don't end up with two commas in a row. + # # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744940 # http://anonscm.debian.org/cgit/apt/apt.git/commit/?h=1.0.3&id=d99854cac4065bc7b337815fb2116269d58dab73 KERNEL_PKG=linux-image-generic, From 23ccc3d1dd64104c6358718303c1a5b48fa1f6c9 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Fri, 13 Nov 2015 10:04:50 -0500 Subject: [PATCH 039/137] Use grub package instead of grub-pc unless distro is ubuntu According to the Debian wiki, installing the package grub installs the correct version of grub for your suite automatically. This fixes a "you have held broken packages" error when creating the package manifest due to a conflict between grub-pc and grub-legacy (at least with Wheezy). --- bin/make-base-vm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 8102951..b978a8e 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
@@ -122,11 +122,16 @@ if [ $DISTRO = "ubuntu" ]; then KERNEL_PKG=linux-image-generic, fi +GRUB_PKG=grub +if [ $DISTRO = "ubuntu" ]; then + GRUB_PKG=grub-pc +fi + if [ $LXC = "1" ]; then addpkg=$addpkg,lxc else # Lack of comma after KERNEL_PKG is not a typo - addpkg=$addpkg,${KERNEL_PKG}grub-pc,openssh-server + addpkg=$addpkg,${KERNEL_PKG}${GRUB_PKG},openssh-server fi # Remove cron to work around vmbuilder issue when umounting /dev on target From 3edec91085a05ec6f28c98d1aa744c863d48a7be Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Wed, 18 Nov 2015 10:22:38 -0500 Subject: [PATCH 040/137] Set TUSER to ubuntu by default and update README Now, if a user is using something like on-target directly, that user doesn't need to set the DISTRO or TUSER variables if using Ubuntu guests (so the scripts function the same as they did before Debian guest support was added). --- README.md | 6 +++++- libexec/copy-from-target | 2 +- libexec/copy-to-target | 2 +- libexec/on-target | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a1835c9..20103c9 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,10 @@ If you have everything set-up properly, you should be able to: PATH=$PATH:$(pwd)/libexec make-clean-vm --suite lucid --arch i386 + # on-target needs $DISTRO to be set to debian if using a Debian guest + # (when running gbuild, $DISTRO is set based on the descriptor, so this line isn't needed) + DiSTRO=debian + # For LXC: LXC_ARCH=i386 LXC_SUITE=lucid on-target ls -la 
@@ -161,7 +165,7 @@ After you've merged everybody's signatures, verify them: * Log files are captured to the _var_ directory * You can run the utilities in libexec by running `PATH="libexec:$PATH"` * To start the target VM run `start-target 32 lucid-i386` or `start-target 64 lucid-amd64` -* To ssh into the target run `on-target` or `on-target -u root` +* To ssh into the target run `on-target` (after setting $DISTRO to debian if using a Debian guest) or `on-target -u root` * On the target, the _build_ directory contains the code as it is compiled and _install_ contains intermediate libraries * By convention, the script in `.yml` starts with any environment setup you would need to manually compile things on the target diff --git a/libexec/copy-from-target b/libexec/copy-from-target index 990d2f0..68c4fe7 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -2,7 +2,7 @@ . gconfig -TUSER=$DISTRO +TUSER=${DISTRO:-ubuntu} QUIET_FLAG= usage() { diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 2ad9f96..f188148 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -2,7 +2,7 @@ . gconfig -TUSER=$DISTRO +TUSER=${DISTRO:-ubuntu} QUIET_FLAG= usage() { diff --git a/libexec/on-target b/libexec/on-target index fdc57c3..97aa9eb 100755 --- a/libexec/on-target +++ b/libexec/on-target @@ -2,7 +2,7 @@ . gconfig -TUSER=$DISTRO +TUSER=${DISTRO:-ubuntu} usage() { echo "Usage: ${0##*/} [OPTION]... " From cb718681e97218c886f42c76b2fe3542991681f4 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Thu, 19 Nov 2015 13:16:17 +0100 Subject: [PATCH 041/137] Set up IPv4 gateway automatically I need this to get networking inside the LXC container in a Debian 8.2 VM. --- etc/lxc.config.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/lxc.config.in b/etc/lxc.config.in index 7ba575d..8879f43 100644 --- a/etc/lxc.config.in +++ b/etc/lxc.config.in 
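Review bot: In libexec/on-target, copy-to-target and copy-from-target, `TUSER=${DISTRO:-ubuntu}` falls back to ubuntu whenever `DISTRO` is absent from the script's environment, and the README line added in this same commit would leave it absent: it is spelled `DiSTRO=debian` and is not exported. Anyone following the README with a Debian guest would still attempt to log in as ubuntu. The README line should read `export DISTRO=debian`.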
@@ -32,4 +32,6 @@ lxc.network.type = veth lxc.network.flags = up lxc.network.link = GUESTLINK lxc.network.ipv4 = GUESTIP/24 +lxc.network.ipv4.gateway = auto + lxc.utsname = gitian From 7e4b665acbbc2240b2436ae3013d868598fdff5c Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Wed, 2 Dec 2015 13:14:13 +0100 Subject: [PATCH 042/137] Replace deprecated dsa with rsa --- README.md | 4 ++-- bin/make-base-vm | 10 +++++----- libexec/copy-from-target | 2 +- libexec/copy-to-target | 2 +- libexec/on-target | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 20103c9..61d6145 100644 --- a/README.md +++ b/README.md @@ -100,8 +100,8 @@ Command-line `VBoxManage` must be in your `$PATH`. The final setup needed is to create an `ssh` key that will be used to login to the virtual machine: - ssh-keygen -t dsa -f var/id_dsa -N "" - ssh -p 2223 ubuntu@localhost 'mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys' < var/id_dsa.pub + ssh-keygen -t rsa -f var/id_rsa -N "" + ssh -p 2223 ubuntu@localhost 'mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys' < var/id_rsa.pub Then log into the vm and copy the `ssh` keys to root's `authorized_keys` file. diff --git a/bin/make-base-vm b/bin/make-base-vm index b978a8e..5376baa 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -81,8 +81,8 @@ fi mkdir -p var -if [ ! -e var/id_dsa ]; then - ssh-keygen -t dsa -f var/id_dsa -N "" +if [ ! -e var/id_rsa ]; then + ssh-keygen -t rsa -f var/id_rsa -N "" fi OUT=base-$SUITE-$ARCH 
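Review bot: The new `ssh-keygen -t rsa -f var/id_rsa -N ""` line in bin/make-base-vm passes no `-b`, so the key size is whatever the host's ssh-keygen defaults to. Pinning it, e.g. `ssh-keygen -t rsa -b 4096 -f var/id_rsa -N ""`, makes the result independent of the host's OpenSSH version. The `[ ! -e var/id_rsa ]` guard also leaves any existing `var/id_dsa` pair on disk, and images built earlier presumably still list the DSA public key in authorized_keys until they are rebuilt. A comment above the block such as `# passphrase-less key, used only to reach the local build VM; keep var/ private` would record why `-N ""` is acceptable here.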
@@ -147,9 +147,9 @@ if [ $VBOX = "1" ]; then vagrant up "$NAME" vagrant ssh "$NAME" -c "sudo mkdir -p /root/.ssh && sudo chmod 700 /root/.ssh" - vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /root/.ssh/authorized_keys'" < var/id_dsa.pub + vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /root/.ssh/authorized_keys'" < var/id_rsa.pub vagrant ssh "$NAME" -c "sudo -u $DISTRO mkdir -p /home/$DISTRO/.ssh && sudo -u $DISTRO chmod 700 /home/$DISTRO/.ssh" - vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /home/$DISTRO/.ssh/authorized_keys'" < var/id_dsa.pub + vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /home/$DISTRO/.ssh/authorized_keys'" < var/id_rsa.pub VBoxManage snapshot "Gitian-$NAME" take "Gitian-Clean" vagrant suspend "$NAME" @@ -184,7 +184,7 @@ else libexec/config-bootstrap-fixup rm -rf $OUT - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm $DISTRO --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm $DISTRO --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_rsa.pub --ssh-user-key=var/id_rsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup mv $OUT/*.qcow2 $OUT.qcow2 rm -rf $OUT # bootstrap-fixup is done on first boot diff --git a/libexec/copy-from-target b/libexec/copy-from-target index 68c4fe7..cf7c4f7 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target 
@@ -47,7 +47,7 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - scp $QUIET_FLAG -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -P $VM_SSH_PORT -r $TUSER@localhost:$1 $2 + scp $QUIET_FLAG -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -P $VM_SSH_PORT -r $TUSER@localhost:$1 $2 else config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - diff --git a/libexec/copy-to-target b/libexec/copy-to-target index f188148..3b1784b 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -47,7 +47,7 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - scp $QUIET_FLAG -r -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -P $VM_SSH_PORT $1 $TUSER@localhost:$2 + scp $QUIET_FLAG -r -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -P $VM_SSH_PORT $1 $TUSER@localhost:$2 else config-lxc tar -C `dirname "$1"` -cf - `basename "$1"` | sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C "$2" -xf - diff --git a/libexec/on-target b/libexec/on-target index 97aa9eb..78eab62 100755 --- a/libexec/on-target +++ b/libexec/on-target @@ -47,7 +47,7 @@ fi #fi if [ -z "$USE_LXC" ]; then - ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -p $VM_SSH_PORT $TUSER@localhost $* + ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT $TUSER@localhost $* else config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -u $TUSER $ENV -i -- $* From 2f0abd10019ad0045948c991a4026f9f294d3de6 Mon Sep 17 00:00:00 2001 
From: Joseph Bisch Date: Sat, 5 Dec 2015 00:03:31 -0500 Subject: [PATCH 043/137] Add instructions for using gitian-builder with an Arch host --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 20103c9..06f3113 100644 --- a/README.md +++ b/README.md 
@@ -10,6 +10,27 @@ This performs a build inside a VM, with deterministic inputs and outputs. If th ## Prerequisites: +### Arch: + + sudo pacman -S python2-cheetah qemu rsync + sudo pacman -S lxc libvirt bridge-utils # for lxc mode + +From AUR: + +* [apt-cacher-ng](https://aur.archlinux.org/packages/apt-cacher-ng/) (you may have to play with permissions (chown to apt-cacher-ng) on files to get apt-cacher-ng to start) +* [debian-archive-keyring](https://aur.archlinux.org/packages/debian-archive-keyring/) (for making Debian guests) +* [debootstrap](https://aur.archlinux.org/packages/debootstrap/) +* [dpkg](https://aur.archlinux.org/packages/dpkg/) +* [gnupg1](https://aur.archlinux.org/packages/gnupg1/) +* [multipath-tools](https://aur.archlinux.org/packages/multipath-tools/) (for kpartx) +* [ubuntu-keyring](https://aur.archlinux.org/packages/ubuntu-keyring/) (for making Ubuntu guests) + +From Launchpad: + +* [vmbuilder](https://launchpad.net/vmbuilder) + +Also, I had to modify the default /etc/sudoers file to uncomment the `secure_path` line, because vmbuilder isn't found otherwise when the `env -i ... sudo vmbuilder ...` line is executed (because the i flag resets the environment variables including the PATH). + ### Gentoo: layman -a luke-jr # needed for vmbuilder From f9ab5871bd145d7cf5f06bedea0d710936957b37 Mon Sep 17 00:00:00 2001 From: Dev Random Date: Sat, 12 Dec 2015 10:44:14 -0800 Subject: [PATCH 044/137] Update RELEASE_NOTES --- RELEASE_NOTES | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 0b66d14..ed40dec 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,8 @@ +2015-12-12 +---------- + +Since OpenSSH removed support for DSS, Gitian now uses RSA keys instead. Base images should be regenerated. + 2015-05-16 ---------- From dd2ba39d323438b286c52460ab896757b5005e5c Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Sun, 13 Dec 2015 09:41:19 +0000 Subject: [PATCH 045/137] Use rsync instead of scp for file transfers to save time on cache download from VM --- libexec/copy-from-target | 4 ++-- libexec/copy-to-target | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index cf7c4f7..dd4949b 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -3,7 +3,7 @@ . gconfig TUSER=${DISTRO:-ubuntu} -QUIET_FLAG= +QUIET_FLAG="-vP" usage() { echo "Usage: ${0##*/} [OPTION]... " @@ -47,7 +47,7 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - scp $QUIET_FLAG -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -P $VM_SSH_PORT -r $TUSER@localhost:$1 $2 + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:$1" "$2" else config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 3b1784b..f92c93b 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -3,7 +3,7 @@ . gconfig TUSER=${DISTRO:-ubuntu} -QUIET_FLAG= +QUIET_FLAG="-vP" usage() { echo "Usage: ${0##*/} [OPTION]... " 
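Review bot: In the copy-from-target hunk, `rsync -a` recreates symlinks and mode bits exactly as the build target produced them, whereas the replaced `scp -r` followed links and wrote plain files. The source side here is the build VM, so it is worth limiting what it can place on the host, for example `rsync --checksum -rt --safe-links $QUIET_FLAG -e ...` instead of `-a`. Separately, `QUIET_FLAG="-vP"` makes a variable named for quietness default to verbose progress output. A comment such as `# default is verbose with progress; presumably overridden by the quiet option, which is parsed outside this hunk` would avoid the confusion. The same two remarks apply to the matching copy-to-target hunks that follow.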
@@ -47,7 +47,7 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - scp $QUIET_FLAG -r -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -P $VM_SSH_PORT $1 $TUSER@localhost:$2 + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$1" "$TUSER@localhost:$2" else config-lxc tar -C `dirname "$1"` -cf - `basename "$1"` | sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C "$2" -xf - From bf52af13777f02acd58c247f0492ba9466f58fe4 Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Mon, 14 Dec 2015 08:21:23 +0000 Subject: [PATCH 046/137] Bugfix: copy-{to,from}-target: Strip trailing / from sources to avoid triggering special rsync behaviour Without this, the caches end up in the wrong place (one level of directories gets removed) --- libexec/copy-from-target | 3 ++- libexec/copy-to-target | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index dd4949b..08c6ecf 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -47,7 +47,8 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:$1" "$2" + src="${1%/}" # remove trailing / which triggers special rsync behaviour + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:${src}" "$2" else config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - diff --git a/libexec/copy-to-target b/libexec/copy-to-target index f92c93b..6670862 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target 
@@ -47,7 +47,8 @@ if [ $# = 0 ] ; then fi if [ -z "$USE_LXC" ]; then - rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$1" "$TUSER@localhost:$2" + src="${1%/}" # remove trailing / which triggers special rsync behaviour + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "${src}" "$TUSER@localhost:$2" else config-lxc tar -C `dirname "$1"` -cf - `basename "$1"` | sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C "$2" -xf - From fa7840ea26cb82efc47c41e77a4cc94fd9f98e00 Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Sat, 26 Dec 2015 13:28:02 +0100 Subject: [PATCH 047/137] reference_datetime: Default to git author date --- bin/gbuild | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 483d73a..f8793dd 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -35,7 +35,7 @@ def info(str) puts str unless @options[:quiet] end -def build_one_configuration(suite, arch, build_desc, reference_datetime) +def build_one_configuration(suite, arch, build_desc) FileUtils.rm_f("var/build.log") bits = @bitness[arch] or raise "unknown architecture ${arch}" 
@@ -119,16 +119,24 @@ def build_one_configuration(suite, arch, build_desc, reference_datetime) script.puts "GBUILD_COMMON_CACHE=$HOME/cache/common" end script.puts "MAKEOPTS=(-j#{@options[:num_procs]})" - (ref_date, ref_time) = reference_datetime.split - script.puts "REFERENCE_DATETIME='#{reference_datetime}'" - script.puts "REFERENCE_DATE='#{ref_date}'" - script.puts "REFERENCE_TIME='#{ref_time}'" script.puts + author_date = nil build_desc["remotes"].each do |remote| dir = sanitize(remote["dir"], remote["dir"]) + + author_date = `cd inputs/#{dir} && git log --format=@%at -1 | date +"%F %T" -u -f -`.strip + raise "error looking up author date in #{dir}" unless $?.exitstatus == 0 + system! "copy-to-target #{@quiet_flag} inputs/#{dir} build/" script.puts "(cd build/#{dir} && git reset -q --hard && git clean -q -f -d)" end + script.puts + ref_datetime = build_desc["reference_datetime"] || author_date + (ref_date, ref_time) = ref_datetime.split + script.puts "REFERENCE_DATETIME='#{ref_datetime}'" + script.puts "REFERENCE_DATE='#{ref_date}'" + script.puts "REFERENCE_TIME='#{ref_time}'" + script.puts script.puts "cd build" script.puts build_desc["script"] end @@ -207,7 +215,6 @@ end distro = build_desc["distro"] || "ubuntu" suites = build_desc["suites"] or raise "must supply suites" archs = build_desc["architectures"] or raise "must supply architectures" -reference_datetime = build_desc["reference_datetime"] or raise "must supply reference_datetime" ENV['DISTRO'] = distro @@ -267,7 +274,7 @@ suites.each do |suite| arch = sanitize(arch, "architecture") # Build! - build_one_configuration(suite, arch, build_desc, reference_datetime) + build_one_configuration(suite, arch, build_desc) info "Grabbing results from target" system! "copy-from-target #{@quiet_flag} out #{build_dir}" From fa6f0b630128d5256e787589201b230f4d1742ac Mon Sep 17 00:00:00 2001 
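Review bot: The `$?.exitstatus` check after the new `author_date = ...` backtick line sees only the status of `date`, the last command in the pipeline, so a failing `git log` can go unnoticed and may leave `author_date` empty. Doing the conversion in Ruby removes the pipeline: `ts = %x(cd inputs/#{dir} && git log --format=%at -1).strip`, then the existing `raise ... unless $?.exitstatus == 0`, then `author_date = Time.at(Integer(ts)).utc.strftime("%F %T")`. `author_date` is also overwritten on every iteration, so with several remotes the default REFERENCE_DATETIME comes from the last one listed; a comment saying so would help anyone comparing build outputs. The body of `build_one_configuration` starts and ends outside this hunk.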
From: MarcoFalke Date: Wed, 30 Dec 2015 20:24:48 +0100 Subject: [PATCH 048/137] raise "must supply reference_datetime or remotes" --- bin/gbuild | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/gbuild b/bin/gbuild index f8793dd..2de17b2 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -215,6 +215,7 @@ end distro = build_desc["distro"] || "ubuntu" suites = build_desc["suites"] or raise "must supply suites" archs = build_desc["architectures"] or raise "must supply architectures" +build_desc["reference_datetime"] or build_desc["remotes"].size > 0 or raise "must supply `reference_datetime` or `remotes`" ENV['DISTRO'] = distro From 992efcf3a5b4a2eb7112c904d495ecc70cb1b149 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 19 Jan 2016 09:53:26 +0100 Subject: [PATCH 049/137] devtools: replace github-merge with python version This is meant to be a direct translation of the bash script, with the difference that it retrieves the PR title from github, thus creating pull messages like: Merge #12345: Expose transaction temperature over RPC --- contrib/devtools/README.md | 37 +++++ contrib/devtools/github-merge.py | 223 +++++++++++++++++++++++++++++++ 2 files changed, 260 insertions(+) create mode 100644 contrib/devtools/README.md create mode 100755 contrib/devtools/github-merge.py diff --git a/contrib/devtools/README.md b/contrib/devtools/README.md new file mode 100644 index 0000000..c1a13e6 --- /dev/null +++ b/contrib/devtools/README.md 
@@ -0,0 +1,37 @@ +Contents +======== +This directory contains tools for developers working on this repository. + +github-merge.py +=============== + +A small script to automate merging pull-requests securely and sign them with GPG. + +For example: + + ./github-merge.py 3077 + +(in any git repository) will help you merge pull request #3077 for the +bitcoin/bitcoin repository. + +What it does: +* Fetch master and the pull request. +* Locally construct a merge commit. +* Show the diff that merge results in. +* Ask you to verify the resulting source tree (so you can do a make +check or whatever). +* Ask you whether to GPG sign the merge commit. +* Ask you whether to push the result upstream. + +This means that there are no potential race conditions (where a +pullreq gets updated while you're reviewing it, but before you click +merge), and when using GPG signatures, that even a compromised github +couldn't mess with the sources. + +Setup +--------- +Configuring the github-merge tool for the bitcoin repository is done in the following way: + + git config githubmerge.repository bitcoin/bitcoin + git config githubmerge.testcmd "make -j4 check" (adapt to whatever you want to use for testing) + git config --global user.signingkey mykeyid (if you want to GPG sign) diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py new file mode 100755 index 0000000..33d33b7 --- /dev/null +++ b/contrib/devtools/github-merge.py 
@@ -0,0 +1,223 @@ +#!/usr/bin/env python2 +# Copyright (c) 2016 Bitcoin Core Developers +# Distributed under the MIT software license, see the accompanying +# file COPYING or http://www.opensource.org/licenses/mit-license.php. + +# This script will locally construct a merge commit for a pull request on a +# github repository, inspect it, sign it and optionally push it. + +# The following temporary branches are created/overwritten and deleted: +# * pull/$PULL/base (the current master we're merging onto) +# * pull/$PULL/head (the current state of the remote pull request) +# * pull/$PULL/merge (github's merge) +# * pull/$PULL/local-merge (our merge) + +# In case of a clean merge that is accepted by the user, the local branch with +# name $BRANCH is overwritten with the merged result, and optionally pushed. +from __future__ import division,print_function,unicode_literals +import os,sys +from sys import stdin,stdout,stderr +import argparse +import subprocess + +# External tools (can be overridden using environment) +GIT = os.getenv('GIT','git') +BASH = os.getenv('BASH','bash') + +def git_config_get(option, default=None): + ''' + Get named configuration option from git repository. + ''' + try: + return subprocess.check_output([GIT,'config','--get',option]).rstrip() + except subprocess.CalledProcessError as e: + return default + +def retrieve_pr_title(repo,pull): + ''' + Retrieve pull request title from github. + Return None if no title can be found, or an error happens. 
+ ''' + import urllib2,json + try: + req = urllib2.Request("https://api.github.com/repos/"+repo+"/pulls/"+pull) + result = urllib2.urlopen(req) + result = json.load(result) + return result['title'] + except Exception as e: + print('Warning: unable to retrieve pull title from github: %s' % e) + return None + +def ask_prompt(text): + print(text,end=" ",file=stderr) + reply = stdin.readline().rstrip() + print("",file=stderr) + return reply + +def parse_arguments(branch): + epilog = ''' + In addition, you can set the following git configuration variables: + githubmerge.repository (mandatory), + user.signingkey (mandatory), + githubmerge.host (default: git@github.com), + githubmerge.branch (default: master), + githubmerge.testcmd (default: none). + ''' + parser = argparse.ArgumentParser(description='Utility to merge, sign and push github pull requests', + epilog=epilog) + parser.add_argument('pull', metavar='PULL', type=int, nargs=1, + help='Pull request ID to merge') + parser.add_argument('branch', metavar='BRANCH', type=str, nargs='?', + default=branch, help='Branch to merge against (default: '+branch+')') + return parser.parse_args() + +def main(): + # Extract settings from git repo + repo = git_config_get('githubmerge.repository') + host = git_config_get('githubmerge.host','git@github.com') + branch = git_config_get('githubmerge.branch','master') + testcmd = git_config_get('githubmerge.testcmd') + signingkey = git_config_get('user.signingkey') + if repo is None: + print("ERROR: No repository configured. Use this command to set:", file=stderr) + print("git config githubmerge.repository /", file=stderr) + exit(1) + if signingkey is None: + print("ERROR: No GPG signing key set. 
Set one using:",file=stderr) + print("git config --global user.signingkey ",file=stderr) + exit(1) + + host_repo = host+":"+repo # shortcut for push/pull target + + # Extract settings from command line + args = parse_arguments(branch) + pull = str(args.pull[0]) + branch = args.branch + + # Initialize source branches + head_branch = 'pull/'+pull+'/head' + base_branch = 'pull/'+pull+'/base' + merge_branch = 'pull/'+pull+'/merge' + local_merge_branch = 'pull/'+pull+'/local-merge' + + devnull = open(os.devnull,'w') + try: + subprocess.check_call([GIT,'checkout','-q',branch]) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot check out branch %s." % (branch), file=stderr) + exit(3) + try: + subprocess.check_call([GIT,'fetch','-q',host_repo,'+refs/pull/'+pull+'/*:refs/heads/pull/'+pull+'/*']) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot find pull request #%s on %s." % (pull,host_repo), file=stderr) + exit(3) + try: + subprocess.check_call([GIT,'log','-q','-1','refs/heads/'+head_branch], stdout=devnull, stderr=stdout) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot find head of pull request #%s on %s." % (pull,host_repo), file=stderr) + exit(3) + try: + subprocess.check_call([GIT,'log','-q','-1','refs/heads/'+merge_branch], stdout=devnull, stderr=stdout) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot find merge of pull request #%s on %s." % (pull,host_repo), file=stderr) + exit(3) + try: + subprocess.check_call([GIT,'fetch','-q',host_repo,'+refs/heads/'+branch+':refs/heads/'+base_branch]) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot find branch %s on %s." % (branch,host_repo), file=stderr) + exit(3) + subprocess.check_call([GIT,'checkout','-q',base_branch]) + subprocess.call([GIT,'branch','-q','-D',local_merge_branch], stderr=devnull) + subprocess.check_call([GIT,'checkout','-q','-b',local_merge_branch]) + + try: + # Create unsigned merge commit. 
+ title = retrieve_pr_title(repo,pull) + if title: + firstline = 'Merge #%s: %s' % (pull,title) + else: + firstline = 'Merge #%s' % (pull,) + message = firstline + '\n\n' + message += subprocess.check_output([GIT,'log','--no-merges','--topo-order','--pretty=format:%h %s (%an)',base_branch+'..'+head_branch]) + try: + subprocess.check_call([GIT,'merge','-q','--commit','--no-edit','--no-ff','-m',message,head_branch]) + except subprocess.CalledProcessError as e: + print("ERROR: Cannot be merged cleanly.",file=stderr) + subprocess.check_call([GIT,'merge','--abort']) + exit(4) + logmsg = subprocess.check_output([GIT,'log','--pretty=format:%s','-n','1']) + if logmsg.rstrip() != firstline.rstrip(): + print("ERROR: Creating merge failed (already merged?).",file=stderr) + exit(4) + + # Run test command if configured. + if testcmd: + # Go up to the repository's root. + toplevel = subprocess.check_output([GIT,'rev-parse','--show-toplevel']) + os.chdir(toplevel) + if subprocess.call(testcmd,shell=True): + print("ERROR: Running %s failed." % testcmd,file=stderr) + exit(5) + + # Show the created merge. + diff = subprocess.check_output([GIT,'diff',merge_branch+'..'+local_merge_branch]) + subprocess.check_call([GIT,'diff',base_branch+'..'+local_merge_branch]) + if diff: + print("WARNING: merge differs from github!",file=stderr) + reply = ask_prompt("Type 'ignore' to continue.") + if reply.lower() == 'ignore': + print("Difference with github ignored.",file=stderr) + else: + exit(6) + reply = ask_prompt("Press 'd' to accept the diff.") + if reply.lower() == 'd': + print("Diff accepted.",file=stderr) + else: + print("ERROR: Diff rejected.",file=stderr) + exit(6) + else: + # Verify the result manually. 
+ print("Dropping you on a shell so you can try building/testing the merged source.",file=stderr) + print("Run 'git diff HEAD~' to show the changes being merged.",file=stderr) + print("Type 'exit' when done.",file=stderr) + if os.path.isfile('/etc/debian_version'): # Show pull number on Debian default prompt + os.putenv('debian_chroot',pull) + subprocess.call([BASH,'-i']) + reply = ask_prompt("Type 'm' to accept the merge.") + if reply.lower() == 'm': + print("Merge accepted.",file=stderr) + else: + print("ERROR: Merge rejected.",file=stderr) + exit(7) + + # Sign the merge commit. + reply = ask_prompt("Type 's' to sign off on the merge.") + if reply == 's': + try: + subprocess.check_call([GIT,'commit','-q','--gpg-sign','--amend','--no-edit']) + except subprocess.CalledProcessError as e: + print("Error signing, exiting.",file=stderr) + exit(1) + else: + print("Not signing off on merge, exiting.",file=stderr) + exit(1) + + # Put the result in branch. + subprocess.check_call([GIT,'checkout','-q',branch]) + subprocess.check_call([GIT,'reset','-q','--hard',local_merge_branch]) + finally: + # Clean up temporary branches. + subprocess.call([GIT,'checkout','-q',branch]) + subprocess.call([GIT,'branch','-q','-D',head_branch],stderr=devnull) + subprocess.call([GIT,'branch','-q','-D',base_branch],stderr=devnull) + subprocess.call([GIT,'branch','-q','-D',merge_branch],stderr=devnull) + subprocess.call([GIT,'branch','-q','-D',local_merge_branch],stderr=devnull) + + # Push the result. + reply = ask_prompt("Type 'push' to push the result to %s, branch %s." % (host_repo,branch)) + if reply.lower() == 'push': + subprocess.check_call([GIT,'push',host_repo,'refs/heads/'+branch]) + +if __name__ == '__main__': + main() + From 0ae5a180695735c324c05a875b68edb04163cc9d Mon Sep 17 00:00:00 2001 
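Review bot: In `main()`, the configured `githubmerge.testcmd` is run with `subprocess.call(testcmd,shell=True)` on the freshly merged tree before the merge diff is printed and before the `Press 'd' to accept the diff.` prompt. The pull request's code and build scripts therefore execute on the maintainer's machine ahead of review. Moving the `# Show the created merge.` block and its prompts above the `# Run test command if configured.` block would let the maintainer read the diff first. Alternatively, the header comment could state that testcmd is expected to run inside a container or VM. A short comment at the testcmd block, e.g. `# NOTE: this executes code from the pull request`, would make the assumption explicit.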
From: "Wladimir J. van der Laan" Date: Fri, 22 Jan 2016 16:37:21 +0100 Subject: [PATCH 050/137] devtools: show pull and commit information in github-merge Print the number and title of the pull, as well as the commits to be merged. --- contrib/devtools/github-merge.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py index 33d33b7..6854ecb 100755 --- a/contrib/devtools/github-merge.py +++ b/contrib/devtools/github-merge.py @@ -24,6 +24,15 @@ GIT = os.getenv('GIT','git') BASH = os.getenv('BASH','bash') +# OS specific configuration for terminal attributes +ATTR_RESET = '' +ATTR_PR = '' +COMMIT_FORMAT = '%h %s (%an)%d' +if os.name == 'posix': # if posix, assume we can use basic terminal escapes + ATTR_RESET = '\033[0m' + ATTR_PR = '\033[1;36m' + COMMIT_FORMAT = '%C(bold blue)%h%Creset %s %C(cyan)(%an)%Creset%C(green)%d%Creset' + def git_config_get(option, default=None): ''' Get named configuration option from git repository. @@ -150,6 +159,9 @@ def main(): print("ERROR: Creating merge failed (already merged?).",file=stderr) exit(4) + print('%s#%s%s %s' % (ATTR_RESET+ATTR_PR,pull,ATTR_RESET,title)) + subprocess.check_call([GIT,'log','--graph','--topo-order','--pretty=format:'+COMMIT_FORMAT,base_branch+'..'+head_branch]) + print() # Run test command if configured. if testcmd: # Go up to the repository's root. From 7d99dee286d6f28a58d3fd5a67b3b67ce92dd643 Mon Sep 17 00:00:00 2001 From: Andrew C Date: Sat, 23 Jan 2016 10:35:27 -0500 Subject: [PATCH 051/137] [devtools] github-merge get toplevel dir without extra whitespace Fixes a bug in github merge when it runs the tests where the toplevel directory has an extra '\n' appended to the path string. Now it doesn't. --- contrib/devtools/github-merge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py index 6854ecb..f7781cc 100755 
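Review bot: The added `print('%s#%s%s %s' % (ATTR_RESET+ATTR_PR,pull,ATTR_RESET,title))` writes `title` to the terminal exactly as received. `title` is assigned from `retrieve_pr_title` earlier in `main()`, outside this hunk; that function returns None on error and otherwise text taken from the GitHub API response. As written, the line prints a literal `None` when the lookup failed and passes any control characters in the title straight to the terminal. Printing `title or ''` with non-printable characters removed would avoid both. The `os.name == 'posix'` test in the first hunk also enables escapes when output is redirected; checking `stdout.isatty()` as well would keep logs clean.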
--- a/contrib/devtools/github-merge.py +++ b/contrib/devtools/github-merge.py @@ -165,7 +165,7 @@ def main(): # Run test command if configured. if testcmd: # Go up to the repository's root. - toplevel = subprocess.check_output([GIT,'rev-parse','--show-toplevel']) + toplevel = subprocess.check_output([GIT,'rev-parse','--show-toplevel']).strip() os.chdir(toplevel) if subprocess.call(testcmd,shell=True): print("ERROR: Running %s failed." % testcmd,file=stderr) From ee6dee4a2a497ee7cd8762413ae2b8bbcc2e5640 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Wed, 27 Jan 2016 11:39:58 +0100 Subject: [PATCH 052/137] devtools: Fix utf-8 support in messages for github-merge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use 'utf-8' instead of the Python 2 default of 'ascii' to encode/decode commit messages. This can be removed when switching to Python 3, as 'utf-8' is the default there. Necessary for merging #7422 due to the ฿ in ฿tcDrak. --- contrib/devtools/github-merge.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py index f7781cc..c8dcaae 100755 --- a/contrib/devtools/github-merge.py +++ b/contrib/devtools/github-merge.py 
@@ -147,14 +147,14 @@ def main(): else: firstline = 'Merge #%s' % (pull,) message = firstline + '\n\n' - message += subprocess.check_output([GIT,'log','--no-merges','--topo-order','--pretty=format:%h %s (%an)',base_branch+'..'+head_branch]) + message += subprocess.check_output([GIT,'log','--no-merges','--topo-order','--pretty=format:%h %s (%an)',base_branch+'..'+head_branch]).decode('utf-8') try: - subprocess.check_call([GIT,'merge','-q','--commit','--no-edit','--no-ff','-m',message,head_branch]) + subprocess.check_call([GIT,'merge','-q','--commit','--no-edit','--no-ff','-m',message.encode('utf-8'),head_branch]) except subprocess.CalledProcessError as e: print("ERROR: Cannot be merged cleanly.",file=stderr) subprocess.check_call([GIT,'merge','--abort']) exit(4) - logmsg = subprocess.check_output([GIT,'log','--pretty=format:%s','-n','1']) + logmsg = subprocess.check_output([GIT,'log','--pretty=format:%s','-n','1']).decode('utf-8') if logmsg.rstrip() != firstline.rstrip(): print("ERROR: Creating merge failed (already merged?).",file=stderr) exit(4) From 784d87896bf4ade9528bfb5656af5a43955a903b Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Mon, 14 Mar 2016 22:40:02 +0100 Subject: [PATCH 053/137] Adjust readme for gitian-builder --- contrib/devtools/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/devtools/README.md b/contrib/devtools/README.md index c1a13e6..1af476c 100644 --- a/contrib/devtools/README.md +++ b/contrib/devtools/README.md @@ -12,7 +12,7 @@ For example: ./github-merge.py 3077 (in any git repository) will help you merge pull request #3077 for the -bitcoin/bitcoin repository. +devrandom/gitian-builder repository. What it does: * Fetch master and the pull request. 
@@ -30,8 +30,8 @@ couldn't mess with the sources. Setup --------- -Configuring the github-merge tool for the bitcoin repository is done in the following way: +Configuring the github-merge tool for this repository is done in the following way: - git config githubmerge.repository bitcoin/bitcoin + git config githubmerge.repository devrandom/gitian-builder git config githubmerge.testcmd "make -j4 check" (adapt to whatever you want to use for testing) git config --global user.signingkey mykeyid (if you want to GPG sign) From e4b4780c74f878d3a66f8886905b9614b035f432 Mon Sep 17 00:00:00 2001 From: Chris Kleeschulte Date: Tue, 14 Jun 2016 16:04:59 -0400 Subject: [PATCH 054/137] Allow build to use sudo without a password, part deux - apropos to a discussion about merge request #36, added a flag in the descriptor and command line flag. - adding sudo: true in the yml file plus adding a command line flag --allow-sudo will allow script user to elevate permissions with no password. --- bin/gbuild | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index 2de17b2..e305960 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -72,6 +72,10 @@ def build_one_configuration(suite, arch, build_desc) system! "on-target true" + system! "on-target -u root tee -a /etc/sudoers.d/#{ENV['DISTRO'] || 'ubuntu'} > /dev/null << EOF +%#{ENV['DISTRO'] || 'ubuntu'} ALL=(ALL) NOPASSWD: ALL +EOF" if build_desc["sudo"] and @options[:allow_sudo] + info "Preparing build environment" system! "on-target setarch #{@arches[arch]} bash < target-bin/init-build.sh" @@ -150,6 +154,9 @@ end OptionParser.new do |opts| opts.banner = "Usage: build [options] .yml" + opts.on("--allow-sudo", "override SECURITY on the target VM and allow the use of sudo with no password for the default user") do |v| + @options[:allow_sudo] = v + end opts.on("-i", "--skip-image", "reuse current target image") do |v| @options[:skip_image] = v end From 44444eb387df3f604801202c35f040a349b9aa20 Mon Sep 17 00:00:00 2001 
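Review bot: `ENV['DISTRO']` is interpolated unchecked into both the host shell command and the sudoers rule in the `system!` call added to `build_one_configuration`, so a value containing whitespace or shell metacharacters changes what ends up in `/etc/sudoers.d/` on the target. Other values in this script go through `sanitize` before they reach a command line, so I would bind it once, `distro = sanitize(ENV['DISTRO'] || 'ubuntu', 'distro')` (assuming the helper accepts that label), and use `#{distro}` in both places. `tee -a` may also append a duplicate rule when an existing image is reused; plain `tee` keeps the file at a single line. The function body continues outside the hunk.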
From: MarcoFalke Date: Sat, 19 Mar 2016 17:48:25 +0100 Subject: [PATCH 055/137] [gverify] print result with bold formatting --- bin/gverify | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/bin/gverify b/bin/gverify index 5eab37b..5315a91 100755 --- a/bin/gverify +++ b/bin/gverify @@ -5,6 +5,8 @@ require 'yaml' require 'fileutils' require 'pathname' +bold = ["\033[0m", "\033[1m"] + @options = {} def system!(cmd) @@ -33,6 +35,11 @@ OptionParser.new do |opts| opts.on("-v", "--verbose", "be more verbose") do |v| @options[:verbose] = v end + @options[:markup] = true + opts.on("-m", "--[no-]markup", "markup the output using ANSI escape codes") do |m| + @options[:markup] = m + end + opts.on("-r REL", "--release REL", "release name") do |v| @options[:release] = v end @@ -62,6 +69,7 @@ destination = @options[:destination] || File.join(base_dir, "sigs", package_name release = @options[:release] || "current" release = sanitize(release, "release") verbose = @options[:verbose] +bold = ['', ''] unless @options[:markup] release_path = File.join(destination, release) @@ -109,7 +117,8 @@ Dir.foreach(release_path) do |signer_dir| puts line end end - puts "#{signer_dir}: BAD SIGNATURE" + puts "#{bold[1]}#{signer_dir}: BAD SIGNATURE#{bold[0]}" + puts did_fail = true elsif current_manifest and (result['out_manifest'] != current_manifest or result['release'] != release or result['name'] != package_name) out.each_line do |line| @@ -123,7 +132,8 @@ Dir.foreach(release_path) do |signer_dir| puts line end end - puts "#{signer_dir}: MISMATCH" + puts "#{bold[1]}#{signer_dir}: MISMATCH#{bold[0]}" + puts if verbose lines1 = current_manifest.each_line lines2 = result['out_manifest'].each_line @@ -147,7 +157,8 @@ Dir.foreach(release_path) do |signer_dir| puts line end end - puts "#{signer_dir}: OK" + puts "#{bold[1]}#{signer_dir}: OK#{bold[0]}" + puts end if !current_manifest # take first manifest as 'current' to compare against 
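Review bot: `@options[:markup] = true` in the option-parsing hunk enables the escape codes even when stdout is a pipe or a log file, so anything that parses or archives the `OK` / `MISMATCH` / `BAD SIGNATURE` lines receives raw `\033[1m` bytes unless the caller passes `--no-markup`. Defaulting to a terminal check keeps interactive output bold and scripted output plain: `@options[:markup] = $stdout.tty?`. The three `puts "#{bold[1]}…#{bold[0]}"` hunks further down need no change for this.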
From 9cbb3bf61bbbf94cdcebe03b6e3a9c569b741fa0 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Thu, 21 Jul 2016 18:04:15 +0200 Subject: [PATCH 056/137] doc: Remove GCC_ISSUES This file is outdated, the mentioned issue is no longer there for newer gcc versions - for bitcoin we haven't had to specify any special optimization flag overrides for a long time (we compile using -O2). --- doc/GCC_ISSUES | 39 --------------------------------------- 1 file changed, 39 deletions(-) delete mode 100644 doc/GCC_ISSUES diff --git a/doc/GCC_ISSUES b/doc/GCC_ISSUES deleted file mode 100644 index 103a8c9..0000000 --- a/doc/GCC_ISSUES +++ /dev/null @@ -1,39 +0,0 @@ -# The Problem - -gcc sometimes generates slightly different code with the same semantics. - -## Optimizations - -The following optimizer flags reduce non-determinism when compiling wxWidgets: - - -fno-tree-loop-optimize - -fno-trapping-math - -fno-tree-reassoc - -## Left Over - -Even with the above flags, the compiler still generates this difference in one out of 100 builds of wxWidgets: - - monolib_property.o: elf64-elf_x86_64 - - aef7: 00 - aef8: 45 31 f6 xor %r14d,%r14d - aefb: 48 8d 84 24 50 06 00 00 lea 0x650(%rsp),%rax - - af03: c6 44 24 67 00 movb $0x0,0x67(%rsp) - - af08: 48 83 c2 10 add $0x10,%rdx - - af0c: 48 83 c1 10 add $0x10,%rcx - - af10: 48 81 7c 24 08 ff ff ff cmpq $0xffffff,0x8(%rsp) - - af18: 00 - - af19: c6 44 24 47 00 movb $0x0,0x47(%rsp) - - af1e: c7 44 24 24 00 00 00 00 movl $0x0,0x24(%rsp) - + af03: c7 44 24 24 00 00 00 00 movl $0x0,0x24(%rsp) - + af0b: 48 83 c2 10 add $0x10,%rdx - + af0f: 48 83 c1 10 add $0x10,%rcx - + af13: 48 81 7c 24 08 ff ff ff cmpq $0xffffff,0x8(%rsp) - + af1b: 00 - + af1c: c6 44 24 47 00 movb $0x0,0x47(%rsp) - + af21: c6 44 24 67 00 movb $0x0,0x67(%rsp) - af26: 4c 8d bc 24 28 03 00 00 lea 0x328(%rsp),%r15 - af2e: 48 89 44 24 10 mov %rax,0x10(%rsp) - af33: 48 89 54 24 78 mov %rdx,0x78(%rsp) - From 0db6c052004c51a3f163048fe2a207af0854b78e Mon Sep 17 00:00:00 2001 
From: Tigusoft Admin Date: Mon, 5 Sep 2016 11:02:20 +0100 Subject: [PATCH 057/137] Allow custom DEBOOTSTRAP_DIR, to give own template (v3) So you can make local copy of /usr/share/debootstrap/ and e.g. add there missing e.g. "xenial" or other script/template, without mucking around in system directory managed by package manager. --- bin/make-base-vm | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 5376baa..d7d102a 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -25,6 +25,21 @@ usage() { target VM can reach. It may be set to 127.0.0.1, in which case it will be changed to 10.0.2.2 on the guest (or GITIAN_HOST_IP if it is defined) 10.0.2.2 is the host IP as visible from the guest under qemu networking. + + The DEBOOTSTRAP_DIR (but also GITIAN_SUDO_USE_DEBOOTSTRAP_DIR, see below!) + environment variable can be set to select a directory + that will contain data like in "/usr/share/debootstrap/". This allows user to + make a copy of this files to some local dir and modify them locally: + e.g. set env variable "DEBOOTSTRAP_DIR=./mydeboot/", then copy or link + system's version of files there, and modify them there + (e.g. copy your debootstrap-script file "xenial" to "./mydeboot/scripts/"). + + Set env GITIAN_SUDO_USE_DEBOOTSTRAP_DIR="yes" to allow sudo for debootstrap + to use flags like --preserve-env that are required for DEBOOTSTRAP_DIR to work. + It must be equal string "yes". + This is done as separate variable to make it clear that we modify sudo + behaviour here regarding security (though anyway env is cleared with + whitelist so should be perfectly safe). EOF } 
@@ -164,7 +179,13 @@ if [ $LXC = "1" ]; then fi sudo rm -rf $OUT-bootstrap # Need universe for lxc in lucid - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR + + unset preserve_env + if [ "$GITIAN_SUDO_USE_DEBOOTSTRAP_DIR" = "yes" ]; then + echo "sudo will preserve (some) env flags" + preserve_env=yes # if you would want to set false then unset this variable + fi + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 DEBOOTSTRAP_DIR="$DEBOOTSTRAP_DIR" sudo ${preserve_env+--preserve-env} debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` From ddd3aed17276f429847f3113f99f9117a9a970a5 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Thu, 6 Oct 2016 10:23:18 -0400 Subject: [PATCH 058/137] Switch to xenial for default suite It can be confusing to new users for make-base-vm to create a lucid vm by default, so switch to xenial, which is also a LTS release, but isn't EOL yet. Using lucid with gitian-builder is broken anyway, because lucid has been moved to old-releases.ubuntu.com since it is EOL and gitian-builder doesn't support old-releases.ubuntu.com. --- README.md | 12 ++++++------ bin/make-base-vm | 4 ++-- libexec/make-clean-vm | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 1558367..05b435b 100644 --- a/README.md +++ b/README.md 
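Review bot: With `GITIAN_SUDO_USE_DEBOOTSTRAP_DIR=yes`, the `sudo ${preserve_env+--preserve-env} debootstrap` line lets debootstrap take its suite scripts from `$DEBOOTSTRAP_DIR` while running as root, and nothing here checks that the variable is set or names a directory. The usage text added earlier in this commit calls this "perfectly safe" because of the `env -i` whitelist, but the whitelist only limits which variables cross into sudo, not who can edit the files in that directory. I would guard the opt-in with `[ -d "$DEBOOTSTRAP_DIR" ] || { echo "DEBOOTSTRAP_DIR is not a directory" >&2; exit 1; }` and have the help text say that the directory must be writable only by users already trusted with root on the build host. The enclosing `if [ $LXC = "1" ]` block starts and ends outside the hunk.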
@@ -111,12 +111,12 @@ Command-line `VBoxManage` must be in your `$PATH`. `make-base-vm` cannot yet make VirtualBox virtual machines ( _patches welcome_, it should be possible to use `VBoxManage`, boot-from-network Linux images and PXE booting to do it). So you must either get or manually create VirtualBox machines that: -1. Are named `Gitian--` -- e.g. Gitian-lucid-i386 for a 32-bit, Ubuntu 10 machine. +1. Are named `Gitian--` -- e.g. Gitian-xenial-i386 for a 32-bit, Ubuntu 16 machine. 2. Have a booted-up snapshot named `Gitian-Clean` . The build script resets the VM to that snapshot to get reproducible builds. 3. Has the VM's NAT networking setup to forward port `localhost:2223` on the host machine to port `22` of the VM; e.g.: ``` - VBoxManage modifyvm Gitian-lucid-i386 --natpf1 "guestssh,tcp,,2223,,22" + VBoxManage modifyvm Gitian-xenial-i386 --natpf1 "guestssh,tcp,,2223,,22" ``` The final setup needed is to create an `ssh` key that will be used to login to the virtual machine: @@ -140,17 +140,17 @@ Set the `USE_VBOX` environment variable to use `VBOX` instead of `KVM`: If you have everything set-up properly, you should be able to: PATH=$PATH:$(pwd)/libexec - make-clean-vm --suite lucid --arch i386 + make-clean-vm --suite xenial --arch i386 # on-target needs $DISTRO to be set to debian if using a Debian guest # (when running gbuild, $DISTRO is set based on the descriptor, so this line isn't needed) DiSTRO=debian # For LXC: - LXC_ARCH=i386 LXC_SUITE=lucid on-target ls -la + LXC_ARCH=i386 LXC_SUITE=xenial on-target ls -la # For KVM: - start-target 32 lucid-i386 & + start-target 32 xenial-i386 & # wait a few seconds for VM to start on-target ls -la stop-target 
@@ -185,7 +185,7 @@ After you've merged everybody's signatures, verify them: * Log files are captured to the _var_ directory * You can run the utilities in libexec by running `PATH="libexec:$PATH"` -* To start the target VM run `start-target 32 lucid-i386` or `start-target 64 lucid-amd64` +* To start the target VM run `start-target 32 xenial-i386` or `start-target 64 xenial-amd64` * To ssh into the target run `on-target` (after setting $DISTRO to debian if using a Debian guest) or `on-target -u root` * On the target, the _build_ directory contains the code as it is compiled and _install_ contains intermediate libraries * By convention, the script in `.yml` starts with any environment setup you would need to manually compile things on the target diff --git a/bin/make-base-vm b/bin/make-base-vm index d7d102a..0da173b 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -2,7 +2,7 @@ set -e DISTRO=ubuntu -SUITE=lucid +SUITE=xenial ARCH=amd64 MIRROR_BASE=http://${MIRROR_HOST:-127.0.0.1}:3142 LXC=0 @@ -15,7 +15,7 @@ usage() { cat << EOF --help display this help and exit --distro D build distro D (e.g. debian) instead of ubuntu - --suite U build suite U instead of lucid + --suite U build suite U instead of xenial --arch A build architecture A (e.g. i386) instead of amd64 --lxc use lxc instead of kvm --vbox use VirtualBox instead of kvm diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index d99bf8e..5049662 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm @@ -1,7 +1,7 @@ #!/bin/sh set -e -SUITE=lucid +SUITE=xenial ARCH=amd64 VMSW=KVM @@ -17,7 +17,7 @@ usage() { echo cat << EOF --help display this help and exit - --suite U build suite U instead of lucid + --suite U build suite U instead of xenial --arch A build architecture A (e.g. i386) instead of amd64 EOF } From e3c2e8d3dab858055fcd0bbdf87517f3549318fb Mon Sep 17 00:00:00 2001 
From: Joseph Bisch Date: Tue, 26 Jan 2016 10:02:39 -0500 Subject: [PATCH 059/137] Add support for Debian guests using LXC --- bin/make-base-vm | 14 ++++++++------ target-bin/bootstrap-fixup.in | 5 +++-- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 0da173b..f844fc2 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -81,17 +81,14 @@ if [ $# != 0 ] ; then done fi -if [ $DISTRO = "debian" -a $LXC = "1" ]; then - echo "There is no support for Debian guests using LXC currently. Please use KVM or another distro for now." - exit 1 -fi - if [ $DISTRO = "ubuntu" ]; then MIRROR=$MIRROR_BASE/archive.ubuntu.com/ubuntu SECURITY_MIRROR=$MIRROR_BASE/security.ubuntu.com/ubuntu + components=main,universe elif [ $DISTRO = "debian" ]; then MIRROR=$MIRROR_BASE/ftp.debian.org/debian SECURITY_MIRROR=$MIRROR_BASE/security.debian.org/ + components=main,contrib fi mkdir -p var @@ -144,6 +141,9 @@ fi if [ $LXC = "1" ]; then addpkg=$addpkg,lxc + if [ $DISTRO = "debian" ]; then + addpkg=$addpkg,sudo + fi else # Lack of comma after KERNEL_PKG is not a typo addpkg=$addpkg,${KERNEL_PKG}${GRUB_PKG},openssh-server 
@@ -185,7 +185,9 @@ if [ $LXC = "1" ]; then echo "sudo will preserve (some) env flags" preserve_env=yes # if you would want to set false then unset this variable fi - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 DEBOOTSTRAP_DIR="$DEBOOTSTRAP_DIR" sudo ${preserve_env+--preserve-env} debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=main,universe $SUITE $OUT-bootstrap $MIRROR + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 DEBOOTSTRAP_DIR="$DEBOOTSTRAP_DIR" sudo ${preserve_env+--preserve-env} debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=$components $SUITE $OUT-bootstrap $MIRROR + # Fix lxc issue + sudo cp $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 6ffc0d2..222b368 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -16,13 +16,14 @@ elif [ $DISTRIB_NAME = "Debian" ]; then # grub-legacy conflicts grub-pc dependencies # No grub-legacy on Ubuntu, just on Debian # Work around bcron-run conflict due to cron being removed - apt-get purge -y grub-legacy bcron-run &> /dev/null + # Needed for KVM, but apparently errors out for LXC, so the true ignores the error + apt-get purge -y grub-legacy bcron-run &> /dev/null || true fi echo '127.0.1.1 gitian' >> /etc/hosts # If LXC if grep /lxc/gitian /proc/1/cgroup > /dev/null; then - adduser --disabled-password --gecos ubuntu --quiet ubuntu || true + adduser --disabled-password --gecos ${DISTRIB_NAME,,} --quiet ${DISTRIB_NAME,,} || true apt-get remove -y rsyslog || true dpkg-divert --local --rename --add /sbin/initctl ln -sf /bin/true /sbin/initctl From ad0a871e0710501b7baf1b895402fe4566ec4a30 Mon Sep 17 00:00:00 2001 
From: Nicolas Vigier Date: Sun, 7 Feb 2016 13:29:46 +0100 Subject: [PATCH 060/137] make-base-vm: fix init.lxc path --- bin/make-base-vm | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index f844fc2..55b7b31 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -187,7 +187,17 @@ if [ $LXC = "1" ]; then fi env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 DEBOOTSTRAP_DIR="$DEBOOTSTRAP_DIR" sudo ${preserve_env+--preserve-env} debootstrap --arch=$ARCH --include=$addpkg --exclude=$removepkg --components=$components $SUITE $OUT-bootstrap $MIRROR # Fix lxc issue - sudo cp $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + if [ -f $OUT-bootstrap/usr/lib/lxc/lxc-init ] + then + sudo cp $OUT-bootstrap/usr/lib/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + else + if [ $ARCH = "amd64" ] + then + sudo cp $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + else + sudo cp $OUT-bootstrap/usr/lib/i386-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + fi + fi dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` From 73f696920be0eb754bd6bf46b41ab6317f641fd0 Mon Sep 17 00:00:00 2001 
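Review bot: The inner `else` treats every `$ARCH` other than `amd64` as i386, and when none of the three locations holds `lxc-init` the failure shows up only as a `cp` error on the last path tried. Probing the candidate paths in a loop and stopping with an explicit message covers both cases, and quoting `$OUT-bootstrap` keeps the `sudo cp` arguments intact if the output name ever contains spaces. The surrounding LXC block starts and ends outside the hunk.

```shell
  # Fix lxc issue
  for lxc_init in usr/lib/lxc/lxc-init \
                  usr/lib/x86_64-linux-gnu/lxc/lxc-init \
                  usr/lib/i386-linux-gnu/lxc/lxc-init; do
    if [ -f "$OUT-bootstrap/$lxc_init" ]; then
      sudo cp "$OUT-bootstrap/$lxc_init" "$OUT-bootstrap/usr/sbin/init.lxc"
      break
    fi
  done
  if [ ! -f "$OUT-bootstrap/usr/sbin/init.lxc" ]; then
    echo "lxc-init not found under $OUT-bootstrap" >&2
    exit 1
  fi
  # … unchanged: dd / mkfs.ext4 / mktemp …
```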
From: Matt Corallo Date: Mon, 27 Oct 2014 00:07:25 -0700 Subject: [PATCH 061/137] Add script to verify all merge commits are signed --- contrib/README.md | 9 +++++ contrib/verify-commits/gpg.sh | 15 +++++++ contrib/verify-commits/pre-push-hook.sh | 16 ++++++++ contrib/verify-commits/trusted-git-root | 1 + contrib/verify-commits/trusted-keys | 5 +++ contrib/verify-commits/verify-commits.sh | 51 ++++++++++++++++++++++++ 6 files changed, 97 insertions(+) create mode 100644 contrib/README.md create mode 100755 contrib/verify-commits/gpg.sh create mode 100755 contrib/verify-commits/pre-push-hook.sh create mode 100644 contrib/verify-commits/trusted-git-root create mode 100644 contrib/verify-commits/trusted-keys create mode 100755 contrib/verify-commits/verify-commits.sh diff --git a/contrib/README.md b/contrib/README.md new file mode 100644 index 0000000..da1fc06 --- /dev/null +++ b/contrib/README.md @@ -0,0 +1,9 @@ +Repository Tools +--------------------- + +### [Developer tools](/contrib/devtools) ### +Specific tools for developers working on this repository. +Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG. + +### [Verify-Commits](/contrib/verify-commits) ### +Tool to verify that every merge commit was signed by a developer using the above `github-merge.sh` script. diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh new file mode 100755 index 0000000..6b5137e --- /dev/null +++ b/contrib/verify-commits/gpg.sh @@ -0,0 +1,15 @@ +#!/bin/sh +INPUT=$(/dev/null); do + case "$LINE" in "[GNUPG:] VALIDSIG"*) + while read KEY; do + case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac + done < ./contrib/verify-commits/trusted-keys + esac +done +if ! $VALID; then + exit 1 +fi +echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null diff --git a/contrib/verify-commits/pre-push-hook.sh b/contrib/verify-commits/pre-push-hook.sh new file mode 100755 index 0000000..607c0ca --- /dev/null 
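Review bot: gpg.sh reads the key list from `./contrib/verify-commits/trusted-keys`, a path relative to the current directory, while verify-commits.sh in the same commit finds its data through `DIR=$(dirname "$0")`. The keys that decide `VALID` therefore come from whatever tree the process happens to be running in, not from the directory that holds the script being executed. Resolving the file next to the script, `DIR=$(dirname "$0")` followed by `done < "$DIR/trusted-keys"`, makes the two scripts agree. The REVKEYSIG hunk later in this series adds a second read of the same relative path and would need the same change.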
+++ b/contrib/verify-commits/pre-push-hook.sh @@ -0,0 +1,16 @@ +#!/bin/bash +if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then + exit 0 +fi + +while read LINE; do + set -- A $LINE + if [ "$4" != "refs/heads/master" ]; then + continue + fi + if ! ./contrib/verify-commits/verify-commits.sh $3 > /dev/null 2>&1; then + echo "ERROR: A commit is not signed, can't push" + ./contrib/verify-commits/verify-commits.sh + exit 1 + fi +done < /dev/stdin diff --git a/contrib/verify-commits/trusted-git-root b/contrib/verify-commits/trusted-git-root new file mode 100644 index 0000000..eb13f87 --- /dev/null +++ b/contrib/verify-commits/trusted-git-root @@ -0,0 +1 @@ +053038e5ba116cb319fb85f3cb3e062cf1b3df15 diff --git a/contrib/verify-commits/trusted-keys b/contrib/verify-commits/trusted-keys new file mode 100644 index 0000000..658ad03 --- /dev/null +++ b/contrib/verify-commits/trusted-keys @@ -0,0 +1,5 @@ +71A3B16735405025D447E8F274810B012346C9A6 +1F4410F6A89268CE3197A84C57896D2FF8F0B657 +01CDF4627A3B88AAE4A571C87588242FBE38D3A8 +AF8BE07C7049F3A26B239D5325B3083201782B2F +81291FA67D2C379A006A053FEAB5AF94D9E9ABE7 diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh new file mode 100755 index 0000000..5841fa2 --- /dev/null +++ b/contrib/verify-commits/verify-commits.sh 
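Review bot: After a failed check the hook reruns `./contrib/verify-commits/verify-commits.sh` with no argument, so the explanation printed to the maintainer is for `HEAD`, which need not be the commit `$3` that was just rejected. Passing the same ref both times keeps the message and the decision in step: `./contrib/verify-commits/verify-commits.sh "$3"`, with `$3` quoted in the first call as well. The URL test at the top of the script is reworked by the next commit in the series and is not covered here.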
@@ -0,0 +1,51 @@ +#!/bin/sh + +DIR=$(dirname "$0") + +echo "Please verify all commits in the following list are not evil:" +git log "$DIR" + +VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") + +HAVE_FAILED=false +IS_SIGNED () { + if [ $1 = $VERIFIED_ROOT ]; then + return 0; + fi + if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then + return 1; + fi + local PARENTS=$(git show -s --format=format:%P $1) + for PARENT in $PARENTS; do + if IS_SIGNED $PARENT > /dev/null; then + return 0; + fi + done + if ! "$HAVE_FAILED"; then + echo "No parent of $1 was signed with a trusted key!" > /dev/stderr + echo "Parents are:" > /dev/stderr + for PARENT in $PARENTS; do + git show -s $PARENT > /dev/stderr + done + HAVE_FAILED=true + fi + return 1; +} + +if [ x"$1" = "x" ]; then + TEST_COMMIT="HEAD" +else + TEST_COMMIT="$1" +fi + +IS_SIGNED "$TEST_COMMIT" +RES=$? +if [ "$RES" = 1 ]; then + if ! "$HAVE_FAILED"; then + echo "$TEST_COMMIT was not signed with a trusted key!" + fi +else + echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!" +fi + +exit $RES From 3be7a42fe95f79e03c513163d0411c3aa3c9a074 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Thu, 22 Oct 2015 19:50:01 -0700 Subject: [PATCH 062/137] Fix pre-push-hook regexes --- contrib/verify-commits/pre-push-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/verify-commits/pre-push-hook.sh b/contrib/verify-commits/pre-push-hook.sh index 607c0ca..c572228 100755 --- a/contrib/verify-commits/pre-push-hook.sh +++ b/contrib/verify-commits/pre-push-hook.sh @@ -1,5 +1,5 @@ #!/bin/bash -if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then +if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)bitcoin/bitcoin(.git)?$ ]]; then exit 0 fi From e1873f6578968fd1cdf821dc5cbc97b8bc90a3eb Mon Sep 17 00:00:00 2001 
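Review bot: `IS_SIGNED` has no comment stating the rule it enforces, and the rule is not the obvious one: a commit passes when it is `VERIFIED_ROOT`, or when it carries a trusted signature and at least one of its parents passes, so the remaining parents of a merge are never examined. I would state that above the function, e.g. `# Succeeds if $1 is the trusted root, or is signed by a trusted key and has at least one parent for which IS_SIGNED succeeds.` Quoting the operands as `[ "$1" = "$VERIFIED_ROOT" ]` would also turn an empty trusted-git-root file into a plain mismatch instead of a test syntax error.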
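Review bot: The anchored pattern in the changed `[[ "$2" =~ … ]]` line accepts only scp-style and bare-host remotes, so a remote configured as `https://github.com/bitcoin/bitcoin.git` or with an `ssh://` prefix no longer matches, takes the `exit 0` branch and skips the signature check. The dots are also unescaped, so `github.com` and `.git` match any character in those positions. Something like `^((https|ssh)://)?(git@)?(www\.)?github\.com(:|/)bitcoin/bitcoin(\.git)?/?$` covers the common URL forms; the same applies to the line that a later commit in this series retargets to devrandom/gitian-builder.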
From: MarcoFalke Date: Tue, 15 Mar 2016 12:51:48 +0100 Subject: [PATCH 063/137] Adjust verify-commits to gitian-builder --- contrib/README.md | 4 ++-- contrib/verify-commits/pre-push-hook.sh | 2 +- contrib/verify-commits/trusted-git-root | 2 +- contrib/verify-commits/trusted-keys | 6 +----- 4 files changed, 5 insertions(+), 9 deletions(-) diff --git a/contrib/README.md b/contrib/README.md index da1fc06..b313986 100644 --- a/contrib/README.md +++ b/contrib/README.md @@ -3,7 +3,7 @@ Repository Tools ### [Developer tools](/contrib/devtools) ### Specific tools for developers working on this repository. -Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG. +Contains the script `github-merge.py` for merging github pull requests securely and signing them using GPG. ### [Verify-Commits](/contrib/verify-commits) ### -Tool to verify that every merge commit was signed by a developer using the above `github-merge.sh` script. +Tool to verify that every merge commit was signed by a developer using the above `github-merge.py` script. diff --git a/contrib/verify-commits/pre-push-hook.sh b/contrib/verify-commits/pre-push-hook.sh index c572228..56a894f 100755 --- a/contrib/verify-commits/pre-push-hook.sh +++ b/contrib/verify-commits/pre-push-hook.sh @@ -1,5 +1,5 @@ #!/bin/bash -if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)bitcoin/bitcoin(.git)?$ ]]; then +if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)devrandom/gitian-builder(.git)?$ ]]; then exit 0 fi diff --git a/contrib/verify-commits/trusted-git-root b/contrib/verify-commits/trusted-git-root index eb13f87..8048b8f 100644 --- a/contrib/verify-commits/trusted-git-root +++ b/contrib/verify-commits/trusted-git-root @@ -1 +1 @@ -053038e5ba116cb319fb85f3cb3e062cf1b3df15 +bb4f92f6cbde6ee78e39ae35b0934da3b55e154d diff --git a/contrib/verify-commits/trusted-keys b/contrib/verify-commits/trusted-keys index 658ad03..d3e500e 100644 --- a/contrib/verify-commits/trusted-keys 
+++ b/contrib/verify-commits/trusted-keys @@ -1,5 +1 @@ -71A3B16735405025D447E8F274810B012346C9A6 -1F4410F6A89268CE3197A84C57896D2FF8F0B657 -01CDF4627A3B88AAE4A571C87588242FBE38D3A8 -AF8BE07C7049F3A26B239D5325B3083201782B2F -81291FA67D2C379A006A053FEAB5AF94D9E9ABE7 +498FA3769A88C4AD1B187A7428EB4B0FB7AAF6B0 From fe83a6df80960642c9533adcf959a9ac4d878817 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Fri, 23 Oct 2015 02:05:42 -0700 Subject: [PATCH 064/137] Allow to whitelist commits signed with a revoked key (cherry picked from commit 1d94b72019e31066b33947af5709383b8075e43a) --- contrib/verify-commits/allow-revsig-commits | 0 contrib/verify-commits/gpg.sh | 22 +++++++++++++++++++-- contrib/verify-commits/verify-commits.sh | 12 +++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 contrib/verify-commits/allow-revsig-commits diff --git a/contrib/verify-commits/allow-revsig-commits b/contrib/verify-commits/allow-revsig-commits new file mode 100644 index 0000000..e69de29 diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh index 6b5137e..0218b82 100755 --- a/contrib/verify-commits/gpg.sh +++ b/contrib/verify-commits/gpg.sh 
@@ -1,15 +1,33 @@ #!/bin/sh INPUT=$(/dev/null); do - case "$LINE" in "[GNUPG:] VALIDSIG"*) + case "$LINE" in + "[GNUPG:] VALIDSIG "*) while read KEY; do case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac done < ./contrib/verify-commits/trusted-keys + ;; + "[GNUPG:] REVKEYSIG "*) + [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1 + while read KEY; do + case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*) + REVSIG=true + GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} " + ;; + esac + done < ./contrib/verify-commits/trusted-keys + ;; esac done if ! $VALID; then exit 1 fi -echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null +if $VALID && $REVSIG; then + echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null + echo "$GOODREVSIG" +else + echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null +fi diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index 5841fa2..9ba7810 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh @@ -7,11 +7,23 @@ git log "$DIR" VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") +IS_REVSIG_ALLOWED () { + while read LINE; do + [ "$LINE" = "$1" ] && return 0 + done < "${DIR}/allow-revsig-commits" + return 1 +} + HAVE_FAILED=false IS_SIGNED () { if [ $1 = $VERIFIED_ROOT ]; then return 0; fi + if IS_REVSIG_ALLOWED "$1"; then + export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1 + else + export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0 + fi if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then return 1; fi From acb55ddd0115406070c2582649cafeb5b289df7b Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Fri, 20 May 2016 18:29:15 -0700 Subject: [PATCH 065/137] Make verify-commits POSIX-compliant --- contrib/verify-commits/gpg.sh | 10 +++++----- contrib/verify-commits/verify-commits.sh | 15 ++++++--------- 2 files changed, 11 insertions(+), 14 deletions(-) 
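Review bot: In the new `if $VALID && $REVSIG` branch the `2>/dev/null` is attached to `grep`, so gpg's own stderr is no longer discarded on this path the way it is in the `else` branch. Moving the redirect restores that: `echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep …`. The `\|` alternation is a GNU extension to basic regular expressions, and `grep -E '\[GNUPG:\] (NEWSIG|SIG_ID|VALIDSIG)'` is the portable spelling. The `$VALID &&` part is redundant, since the script has already exited when `VALID` is false.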
diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh index 0218b82..375d711 100755 --- a/contrib/verify-commits/gpg.sh +++ b/contrib/verify-commits/gpg.sh @@ -1,8 +1,9 @@ #!/bin/sh -INPUT=$(/dev/null); do case "$LINE" in "[GNUPG:] VALIDSIG "*) @@ -13,10 +14,9 @@ for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do "[GNUPG:] REVKEYSIG "*) [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1 while read KEY; do - case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*) + case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY#????????????????????????} "*) REVSIG=true - GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} " - ;; + GOODREVSIG="[GNUPG:] GOODSIG ${KEY#????????????????????????} " esac done < ./contrib/verify-commits/trusted-keys ;; diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index 9ba7810..c9d2b96 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh @@ -1,4 +1,6 @@ #!/bin/sh +# Not technically POSIX-compliant due to use of "local", but almost every +# shell anyone uses today supports it, so its probably fine DIR=$(dirname "$0") @@ -6,20 +8,14 @@ echo "Please verify all commits in the following list are not evil:" git log "$DIR" VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") - -IS_REVSIG_ALLOWED () { - while read LINE; do - [ "$LINE" = "$1" ] && return 0 - done < "${DIR}/allow-revsig-commits" - return 1 -} +REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits") HAVE_FAILED=false IS_SIGNED () { if [ $1 = $VERIFIED_ROOT ]; then return 0; fi - if IS_REVSIG_ALLOWED "$1"; then + if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1 else export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0 
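Review bot: `[ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]` is a substring and pattern match against the whole allow-list, where the `IS_REVSIG_ALLOWED` loop it replaces compared whole lines. An argument that merely occurs inside a listed hash, an abbreviated id for example, now sets `BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1`, and pattern characters in `$1` are interpreted. A whole-line fixed-string test stays within POSIX and keeps the old strictness: `if printf '%s\n' "$REVSIG_ALLOWED" | grep -qxF -- "$1"; then`. `IS_SIGNED` continues outside this hunk.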
@@ -27,7 +23,8 @@ IS_SIGNED () { if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then return 1; fi - local PARENTS=$(git show -s --format=format:%P $1) + local PARENTS + PARENTS=$(git show -s --format=format:%P $1) for PARENT in $PARENTS; do if IS_SIGNED $PARENT > /dev/null; then return 0; From befe6a53682913c9cef406e948e4d16bd3bdb77d Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Sat, 21 May 2016 01:44:29 -0700 Subject: [PATCH 066/137] Make verify-commits path-independent --- contrib/verify-commits/verify-commits.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index c9d2b96..a859e67 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh @@ -3,6 +3,7 @@ # shell anyone uses today supports it, so its probably fine DIR=$(dirname "$0") +[ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0") echo "Please verify all commits in the following list are not evil:" git log "$DIR" From c2d1d6225e140caec051813b3d5c80d34e7afac6 Mon Sep 17 00:00:00 2001 From: Peter Todd Date: Fri, 18 Mar 2016 06:04:08 -0400 Subject: [PATCH 067/137] Remove pointless warning Any attacker who managed to make an evil commit that changed something in the contrib/verify-commits/ directory could just as easily remove the warning and/or modify it to not display the evil commits; telling the user to check those commits specifically misleads them into checking just those commits rather than the script itself. --- contrib/verify-commits/verify-commits.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index a859e67..5219331 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh 
@@ -5,9 +5,6 @@ DIR=$(dirname "$0") [ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0") -echo "Please verify all commits in the following list are not evil:" -git log "$DIR" - VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits") From 2862e189b057e507f8782cb9f4375005cdd88f27 Mon Sep 17 00:00:00 2001 From: Peter Todd Date: Thu, 9 Jun 2016 13:55:12 -0400 Subject: [PATCH 068/137] Add README for verify-commits --- contrib/verify-commits/README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 contrib/verify-commits/README.md diff --git a/contrib/verify-commits/README.md b/contrib/verify-commits/README.md new file mode 100644 index 0000000..e9e3f65 --- /dev/null +++ b/contrib/verify-commits/README.md @@ -0,0 +1,26 @@ +Tooling for verification of PGP signed commits +---------------------------------------------- + +This is an incomplete work in progress, but currently includes a pre-push hook +script (`pre-push-hook.sh`) for maintainers to ensure that their own commits +are PGP signed (nearly always merge commits), as well as a script to verify +commits against a trusted keys list. + + +Using verify-commits.sh safely +------------------------------ + +Remember that you can't use an untrusted script to verify itself. This means +that checking out code, then running `verify-commits.sh` against `HEAD` is +_not_ safe, because the version of `verify-commits.sh` that you just ran could +be backdoored. Instead, you need to use a trusted version of verify-commits +prior to checkout to make sure you're checking out only code signed by trusted +keys: + + git fetch origin && \ + ./contrib/verify-commits/verify-commits.sh origin/master && \ + git checkout origin/master + +Note that the above isn't a good UI/UX yet, and needs significant improvements +to make it more convenient and reduce the chance of errors; pull-reqs +improving this process would be much appreciated. 
From 31f53d8bb8658bf11b20acd7b4f0f3bf4ce8a263 Mon Sep 17 00:00:00 2001 From: isle2983 Date: Sun, 11 Sep 2016 13:36:22 -0600 Subject: [PATCH 069/137] [copyright] add MIT license headers to .sh scripts where missing Years are set according to 'git log' history --- contrib/verify-commits/gpg.sh | 4 ++++ contrib/verify-commits/pre-push-hook.sh | 4 ++++ contrib/verify-commits/verify-commits.sh | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh index 375d711..09ff237 100755 --- a/contrib/verify-commits/gpg.sh +++ b/contrib/verify-commits/gpg.sh @@ -1,4 +1,8 @@ #!/bin/sh +# Copyright (c) 2014-2016 The Bitcoin Core developers +# Distributed under the MIT software license, see the accompanying +# file COPYING or http://www.opensource.org/licenses/mit-license.php. + INPUT=$(cat /dev/stdin) VALID=false REVSIG=false diff --git a/contrib/verify-commits/pre-push-hook.sh b/contrib/verify-commits/pre-push-hook.sh index 56a894f..5cd449d 100755 --- a/contrib/verify-commits/pre-push-hook.sh +++ b/contrib/verify-commits/pre-push-hook.sh @@ -1,4 +1,8 @@ #!/bin/bash +# Copyright (c) 2014-2015 The Bitcoin Core developers +# Distributed under the MIT software license, see the accompanying +# file COPYING or http://www.opensource.org/licenses/mit-license.php. + if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)devrandom/gitian-builder(.git)?$ ]]; then exit 0 fi diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh index 5219331..cfe4f11 100755 --- a/contrib/verify-commits/verify-commits.sh +++ b/contrib/verify-commits/verify-commits.sh 
@@ -1,4 +1,8 @@ #!/bin/sh +# Copyright (c) 2014-2016 The Bitcoin Core developers +# Distributed under the MIT software license, see the accompanying +# file COPYING or http://www.opensource.org/licenses/mit-license.php. + # Not technically POSIX-compliant due to use of "local", but almost every # shell anyone uses today supports it, so its probably fine From 7d0542cbc487908bab451f5d59535ef8b8093150 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Wed, 23 Mar 2016 11:55:46 +0100 Subject: [PATCH 070/137] devtools: make github-merge.py use py3 This makes github-merge.py the first developer tool to go all Python 3 (for context see #7717). The changes are straightforward as the script already was `from __future__ import division,print_function,unicode_literals`. However urllib2 changed name, and json will only accept unicode data not bytes. This retains py2 compatibility for now: not strictly necessary as it's not used by the build system - but it was easy. --- contrib/devtools/github-merge.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py index c8dcaae..9a62fcc 100755 --- a/contrib/devtools/github-merge.py +++ b/contrib/devtools/github-merge.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python2 +#!/usr/bin/env python3 # Copyright (c) 2016 Bitcoin Core Developers # Distributed under the MIT software license, see the accompanying # file COPYING or http://www.opensource.org/licenses/mit-license.php. @@ -19,6 +19,11 @@ from sys import stdin,stdout,stderr import argparse import subprocess +import json,codecs +try: + from urllib.request import Request,urlopen +except: + from urllib2 import Request,urlopen # External tools (can be overridden using environment) GIT = os.getenv('GIT','git') 
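Review bot: The import fallback added to github-merge.py in the `@@ -19,6 +19,11 @@` hunk uses a bare `except:`, which also catches KeyboardInterrupt, SystemExit and any unrelated error raised while importing urllib.request, and then silently retries with the Python 2 module name. Narrow it to the one failure the fallback exists for: `except ImportError:`.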
@@ -38,7 +43,7 @@ def git_config_get(option, default=None): Get named configuration option from git repository. ''' try: - return subprocess.check_output([GIT,'config','--get',option]).rstrip() + return subprocess.check_output([GIT,'config','--get',option]).rstrip().decode('utf-8') except subprocess.CalledProcessError as e: return default @@ -47,18 +52,19 @@ def retrieve_pr_title(repo,pull): Retrieve pull request title from github. Return None if no title can be found, or an error happens. ''' - import urllib2,json try: - req = urllib2.Request("https://api.github.com/repos/"+repo+"/pulls/"+pull) - result = urllib2.urlopen(req) - result = json.load(result) - return result['title'] + req = Request("https://api.github.com/repos/"+repo+"/pulls/"+pull) + result = urlopen(req) + reader = codecs.getreader('utf-8') + obj = json.load(reader(result)) + return obj['title'] except Exception as e: print('Warning: unable to retrieve pull title from github: %s' % e) return None def ask_prompt(text): print(text,end=" ",file=stderr) + stderr.flush() reply = stdin.readline().rstrip() print("",file=stderr) return reply From e1a57442fd1b8b0a90be6b31f875fd9244b1af0a Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Fri, 1 Apr 2016 14:35:57 +0200 Subject: [PATCH 071/137] devtools: Auto-set branch to merge to in github-merge As we are already using the API to retrieve the pull request title, also retrieve the base branch. This makes sure that pull requests for 0.12 automatically end up in 0.12, and pull requests for master automatically end up in master, and so on. It is still possible to override the branch from the command line or using the `githubmerge.branch` git option. --- contrib/devtools/github-merge.py | 34 +++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 12 deletions(-) 
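Review bot: `urlopen(req)` in retrieve_pr_title is called without a timeout and the response object is never closed, so a stalled connection to api.github.com blocks the merge tool indefinitely instead of reaching the warning path. Pass an explicit timeout, for example `result = urlopen(req, timeout=30)` (the value is illustrative), and close the response once `json.load` has consumed it. The existing `except Exception` already turns a timeout into the 'unable to retrieve' warning, so no other handling is needed.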
diff --git a/contrib/devtools/github-merge.py b/contrib/devtools/github-merge.py index 9a62fcc..f82362f 100755 --- a/contrib/devtools/github-merge.py +++ b/contrib/devtools/github-merge.py @@ -47,9 +47,9 @@ def git_config_get(option, default=None): except subprocess.CalledProcessError as e: return default -def retrieve_pr_title(repo,pull): +def retrieve_pr_info(repo,pull): ''' - Retrieve pull request title from github. + Retrieve pull request information from github. Return None if no title can be found, or an error happens. ''' try: @@ -57,9 +57,9 @@ def retrieve_pr_title(repo,pull): result = urlopen(req) reader = codecs.getreader('utf-8') obj = json.load(reader(result)) - return obj['title'] + return obj except Exception as e: - print('Warning: unable to retrieve pull title from github: %s' % e) + print('Warning: unable to retrieve pull information from github: %s' % e) return None def ask_prompt(text): @@ -69,13 +69,13 @@ def ask_prompt(text): print("",file=stderr) return reply -def parse_arguments(branch): +def parse_arguments(): epilog = ''' In addition, you can set the following git configuration variables: githubmerge.repository (mandatory), user.signingkey (mandatory), githubmerge.host (default: git@github.com), - githubmerge.branch (default: master), + githubmerge.branch (no default), githubmerge.testcmd (default: none). ''' parser = argparse.ArgumentParser(description='Utility to merge, sign and push github pull requests', 
@@ -83,14 +83,14 @@ def parse_arguments(branch): parser.add_argument('pull', metavar='PULL', type=int, nargs=1, help='Pull request ID to merge') parser.add_argument('branch', metavar='BRANCH', type=str, nargs='?', - default=branch, help='Branch to merge against (default: '+branch+')') + default=None, help='Branch to merge against (default: githubmerge.branch setting, or base branch for pull, or \'master\')') return parser.parse_args() def main(): # Extract settings from git repo repo = git_config_get('githubmerge.repository') host = git_config_get('githubmerge.host','git@github.com') - branch = git_config_get('githubmerge.branch','master') + opt_branch = git_config_get('githubmerge.branch',None) testcmd = git_config_get('githubmerge.testcmd') signingkey = git_config_get('user.signingkey') if repo is None: @@ -105,9 +105,20 @@ def main(): host_repo = host+":"+repo # shortcut for push/pull target # Extract settings from command line - args = parse_arguments(branch) + args = parse_arguments() pull = str(args.pull[0]) - branch = args.branch + + # Receive pull information from github + info = retrieve_pr_info(repo,pull) + if info is None: + exit(1) + title = info['title'] + # precedence order for destination branch argument: + # - command line argument + # - githubmerge.branch setting + # - base branch for pull (as retrieved from github) + # - 'master' + branch = args.branch or opt_branch or info['base']['ref'] or 'master' # Initialize source branches head_branch = 'pull/'+pull+'/head' @@ -147,7 +158,6 @@ def main(): try: # Create unsigned merge commit. - title = retrieve_pr_title(repo,pull) if title: firstline = 'Merge #%s: %s' % (pull,title) else: 
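Review bot: In the `@@ -105,9 +105,20 @@` hunk of main(), `info['base']['ref']` from the GitHub API response now selects the branch the signed merge is created on whenever neither the command line nor githubmerge.branch names one, and it is used without any check of its shape or content. A response that lacks `base` or `title` raises KeyError here instead of reaching the `info is None` exit, so the trailing `or 'master'` never applies in that case. Read it defensively with `(info.get('base') or {}).get('ref')` and validate the resulting name with `git check-ref-format --branch` before it is handed to the later git commands. main() begins and ends outside this hunk.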
@@ -165,7 +175,7 @@ def main(): print("ERROR: Creating merge failed (already merged?).",file=stderr) exit(4) - print('%s#%s%s %s' % (ATTR_RESET+ATTR_PR,pull,ATTR_RESET,title)) + print('%s#%s%s %s %sinto %s%s' % (ATTR_RESET+ATTR_PR,pull,ATTR_RESET,title,ATTR_RESET+ATTR_PR,branch,ATTR_RESET)) subprocess.check_call([GIT,'log','--graph','--topo-order','--pretty=format:'+COMMIT_FORMAT,base_branch+'..'+head_branch]) print() # Run test command if configured. From 543e0d506123f6c92614bfcab28cf79735ad0cd3 Mon Sep 17 00:00:00 2001 From: Kevin Gallagher Date: Mon, 10 Oct 2016 19:50:07 -0700 Subject: [PATCH 072/137] Check existence of lxc-init before cp to init.lxc --- bin/make-base-vm | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 55b7b31..a7c182b 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -193,9 +193,15 @@ if [ $LXC = "1" ]; then else if [ $ARCH = "amd64" ] then - sudo cp $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + if [ -f $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init ] + then + sudo cp $OUT-bootstrap/usr/lib/x86_64-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + fi else - sudo cp $OUT-bootstrap/usr/lib/i386-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + if [ -f $OUT-bootstrap/usr/lib/i386-linux-gnu/lxc/lxc-init ] + then + sudo cp $OUT-bootstrap/usr/lib/i386-linux-gnu/lxc/lxc-init $OUT-bootstrap/usr/sbin/init.lxc + fi fi fi dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 From 75502b045d80ded718b55509f06ad078a45fcfae Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Fri, 25 Nov 2016 18:03:04 +0100 Subject: [PATCH 073/137] stop-target: use poweroff instead of halt When running Debian Jessie in KVM, using the halt command shuts down all services but does not stop the qemu process. Using the poweroff command avoids this problem. --- libexec/stop-target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libexec/stop-target b/libexec/stop-target index 6db547d..46714dc 100755 --- a/libexec/stop-target +++ b/libexec/stop-target @@ -11,7 +11,7 @@ case $VMSW in KVM) if [ ! -e var/target.pid ]; then exit; fi - on-target -u root halt + on-target -u root poweroff sleep 5 if [ ! -e var/target.pid ]; then exit; fi From 7f7c5f5ea8eef00e7b39511c6144f51997f3ba55 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Sat, 5 Aug 2017 16:07:54 -0400 Subject: [PATCH 074/137] Detect running in LXC container using new method It seems LXC 2.0 switched to using the systemd container interface specification and one can no longer detect LXC containers using /proc/1/cgroup (but I am leaving the old method, so that people using distros with older versions of LXC can still use Gitian). https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ --- target-bin/bootstrap-fixup.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 222b368..5c04c1f 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -22,7 +22,7 @@ fi echo '127.0.1.1 gitian' >> /etc/hosts # If LXC -if grep /lxc/gitian /proc/1/cgroup > /dev/null; then +if grep /lxc/gitian /proc/1/cgroup > /dev/null || grep container=lxc /proc/1/environ > /dev/null; then adduser --disabled-password --gecos ${DISTRIB_NAME,,} --quiet ${DISTRIB_NAME,,} || true apt-get remove -y rsyslog || true dpkg-divert --local --rename --add /sbin/initctl From c2ff3f9025ab6d5c7bc8bbfbd72f79d40e119401 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Sat, 5 Aug 2017 16:14:41 -0400 Subject: [PATCH 075/137] Add LXC mount entry for shm This change gets rid of a mount failure message output by lxc when running gbuild. --- etc/lxc.config.in | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/lxc.config.in b/etc/lxc.config.in index 8879f43..1a17675 100644 --- a/etc/lxc.config.in 
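Review bot: The added test `grep container=lxc /proc/1/environ` in bootstrap-fixup.in matches a substring of a NUL-separated file, so it is also true for a value such as `container=lxc-libvirt` or for any variable whose name merely ends in `container`. The root-level fix-ups that follow in the same `if` (adduser, removing rsyslog, dpkg-divert) would then run on a target they were not written for. Split the entries and match a whole one: `tr '\0' '\n' < /proc/1/environ | grep -qx 'container=lxc'`. The `if` block continues past the end of the hunk.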
+++ b/etc/lxc.config.in @@ -22,6 +22,7 @@ lxc.cgroup.devices.allow = c 254:0 rwm # mounts points lxc.mount.entry=proc ROOTFS/proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry=sysfs ROOTFS/sys sysfs defaults 0 0 +lxc.mount.entry=shm dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,mode=1777,create=dir 0 0 # Container with network virtualized using a pre-configured bridge named br0 and # veth pair virtual network devices From 542c5c435bb6ef92e1a20ceebfb81519378ba8b7 Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Sat, 12 Aug 2017 10:33:42 -0400 Subject: [PATCH 076/137] Revert "Add LXC mount entry for shm" This reverts commit c2ff3f9025ab6d5c7bc8bbfbd72f79d40e119401. That commit broke the use of gitian on debian jessie. --- etc/lxc.config.in | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/lxc.config.in b/etc/lxc.config.in index 1a17675..8879f43 100644 --- a/etc/lxc.config.in +++ b/etc/lxc.config.in @@ -22,7 +22,6 @@ lxc.cgroup.devices.allow = c 254:0 rwm # mounts points lxc.mount.entry=proc ROOTFS/proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry=sysfs ROOTFS/sys sysfs defaults 0 0 -lxc.mount.entry=shm dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,mode=1777,create=dir 0 0 # Container with network virtualized using a pre-configured bridge named br0 and # veth pair virtual network devices From 91358425201a8ac116ae2d4ef0e54d469797d13a Mon Sep 17 00:00:00 2001 From: Joseph Bisch Date: Thu, 24 Aug 2017 11:45:12 -0400 Subject: [PATCH 077/137] Update vmbuilder references in README Prompted by change of upstream for vmbuilder: https://bugs.launchpad.net/ubuntu/+source/vm-builder/+bug/1260062/comments/15 --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 05b435b..9822d64 100644 --- a/README.md +++ b/README.md 
@@ -25,9 +25,9 @@ From AUR: * [multipath-tools](https://aur.archlinux.org/packages/multipath-tools/) (for kpartx) * [ubuntu-keyring](https://aur.archlinux.org/packages/ubuntu-keyring/) (for making Ubuntu guests) -From Launchpad: +From newroco on GitHub: -* [vmbuilder](https://launchpad.net/vmbuilder) +* [vmbuilder](https://github.com/newroco/vmbuilder) Also, I had to modify the default /etc/sudoers file to uncomment the `secure_path` line, because vmbuilder isn't found otherwise when the `env -i ... sudo vmbuilder ...` line is executed (because the i flag resets the environment variables including the PATH). 
@@ -72,9 +72,7 @@ Install virtualbox from http://www.virtualbox.org, and make sure `VBoxManage` is ## Debian Guests -Gitian now supports Debian guests in addition to Ubuntu guests. Note that this doesn't mean you can allow the builders to choose to use either Debian or Ubuntu guests. The person creating the Gitian descriptor will need to choose a particular distro and suite for the guest and all builders must use that particular distro and suite, otherwise the software won't reproduce for everyone. - -The official vmbuilder only includes support for Ubuntu guests, so you need to install [Joseph Bisch's fork of vmbuilder](https://github.com/josephbisch/vmbuilder), which adds a Debian plugin. +Gitian supports Debian guests in addition to Ubuntu guests. Note that this doesn't mean you can allow the builders to choose to use either Debian or Ubuntu guests. The person creating the Gitian descriptor will need to choose a particular distro and suite for the guest and all builders must use that particular distro and suite, otherwise the software won't reproduce for everyone. To create a Debian guest: @@ -82,7 +80,7 @@ To create a Debian guest: There is currently no support for LXC Debian guests. There is just KVM support. LXC support for Debian guests is planned to be added soon. -Only Debian Jessie guests have been tested with Gitian. Debian Jessie is the current stable release of Debian at this time. If you have success (or trouble) with other versions of Debian, please let us know. +Only Debian Jessie guests have been tested with Gitian. If you have success (or trouble) with other versions of Debian, please let us know. If you are creating a Gitian descriptor, you can now specify a distro. If no distro is provided, the default is to assume Ubuntu. Since Ubuntu is assumed, older Gitian descriptors that don't specify a distro will still work as they always have. 
From 052f3c1ae4ff9ad779bc36c745fe19ba2176c322 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amaury=20S=C3=A9chet?= Date: Sun, 15 Oct 2017 19:39:34 +0200 Subject: [PATCH 078/137] Add support for multiarch --- bin/gbuild | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index e305960..44c8420 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -94,6 +94,13 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] end end + if build_desc["multiarch"] + info "Adding multiarch support (log in var/install.log)" + for a in build_desc["multiarch"] + system! "on-target -u root dpkg --add-architecture #{a} > var/install.log 2>&1" + end + end + info "Updating apt-get repository (log in var/install.log)" system! "on-target -u root apt-get update > var/install.log 2>&1" From 6ed65a2fff1daaccaecd087d5208c0a5800f86ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amaury=20S=C3=A9chet?= Date: Mon, 16 Oct 2017 12:36:44 +0200 Subject: [PATCH 079/137] Add support for update-alternatives --- bin/gbuild | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index e305960..54b7f42 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -100,6 +100,13 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] info "Installing additional packages (log in var/install.log)" system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1" + if build_desc["alternatives"] + info "Set alternatives (log in var/install.log)" + for a in build_desc["alternatives"] + system! "on-target -u root update-alternatives --set #{a["package"]} #{a["path"]} > var/install.log 2>&1" + end + end + if @options[:upgrade] || system("on-target -u root '[ ! -e /var/cache/gitian/initial-upgrade ]'") info "Upgrading system, may take a while" system! "on-target -u root bash < target-bin/upgrade-system.sh > var/install.log 2>&1" From 7338dc5d7701e1d7a20e9c7f03c55d9407abf0e1 Mon Sep 17 00:00:00 2001 
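Review bot: The new multiarch loop in bin/gbuild interpolates each descriptor value unchecked into a command string, `dpkg --add-architecture #{a}`, that the host shell parses before on-target forwards it to root on the target. The alternatives loop added by the next patch on this page does the same with `a["package"]` and `a["path"]`. Other descriptor fields in this file go through `sanitize` or `sanitize_path` before they reach a shell, and these should too, for example `arch = sanitize(a, "multiarch")` ahead of the `system!` call and `sanitize_path(a["path"], "alternatives path")` for the path. Both loops also redirect with `>` inside the loop, so var/install.log keeps only the last iteration's output; `>>` would preserve all of it.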
From: Devrandom Date: Tue, 13 Feb 2018 13:40:42 -0800 Subject: [PATCH 080/137] do not complain about kvm if in VBOX mode --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 65787dd..470410c 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -197,7 +197,7 @@ OptionParser.new do |opts| end end.parse! -if !ENV["USE_LXC"] and !File.exist?("/dev/kvm") +if !ENV["USE_LXC"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") $stderr.puts "\n************* WARNING: kvm not loaded, this will probably not work out\n\n" end From ead388a050307f60cb805fc1488b94cf47b10da6 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Tue, 13 Feb 2018 13:41:31 -0800 Subject: [PATCH 081/137] headless vbox --- libexec/start-target | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/start-target b/libexec/start-target index 467ed63..c8f8261 100755 --- a/libexec/start-target +++ b/libexec/start-target @@ -31,7 +31,7 @@ case $VMSW in true #sudo lxc-start -n gitian -c var/target.log -f lxc.config ;; VBOX) - VBoxManage startvm "Gitian-${2}" # --type headless + VBoxManage startvm "Gitian-${2}" --type headless echo "Gitian-${2}" > var/target.vmname ;; esac From 496f45d17b0441288239ce35938b7940fe71b80a Mon Sep 17 00:00:00 2001 From: Devrandom Date: Tue, 13 Feb 2018 13:51:20 -0800 Subject: [PATCH 082/137] support Debian / virtualbox via Vagrant Cloud --- Vagrantfile | 28 +++++++++++++++++++++++----- bin/make-base-vm | 10 ++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 47f6dc7..49e80ba 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -12,27 +12,45 @@ echo "ok" SCRIPT archs = ["amd64", "i386"] -suites = ["precise", "quantal", "raring", "saucy", "trusty"] +ubuntu_suites = ["precise", "quantal", "raring", "saucy", "trusty", "xenial"] +debian_suites = ["jessie", "stretch"] if ARGV[0] == "up" and ARGV.length == 1 puts "Specify a name of the form 'suite-architecture'" - puts " suites: " + suites.join(', ') + puts " ubuntu suites: " + ubuntu_suites.join(', ') + puts " debian suites (x86_64 only): " + debian_suites.join(', ') puts " architectures: " + archs.join(', ') Process.exit 1 end -Vagrant.configure("2") do |config| +# vagrant 1.9.1 (Ubuntu 17.10) compat +if Vagrant::DEFAULT_SERVER_URL =~ /hashicorp/ + Vagrant::DEFAULT_SERVER_URL.replace('https://vagrantcloud.com') +end +Vagrant.configure("2") do |config| config.vm.provision "shell", inline: $script config.vm.network :forwarded_port, id: "ssh", guest: 22, host: 2223 - suites.each do |suite| + debian_suites.each do |suite| + name = "#{suite}-amd64" + box = "debian/#{suite}64" + + config.vm.define name do |config| + config.vm.box = box + config.vm.provider :virtualbox do |vb| + vb.name = "Gitian-#{name}" + end + end + end + + ubuntu_suites.each do |suite| archs.each do |arch| name = "#{suite}-#{arch}" config.vm.define name do |config| config.vm.box = name - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/#{suite}/current/#{suite}-server-cloudimg-#{arch}-vagrant-disk1.box" + config.vm.box_url = "https://cloud-images.ubuntu.com/#{suite}/current/#{suite}-server-cloudimg-#{arch}-vagrant.box" config.vm.provider :virtualbox do |vb| vb.name = "Gitian-#{name}" end diff --git a/bin/make-base-vm b/bin/make-base-vm index a7c182b..aa419c4 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
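Review bot: The Debian boxes added to the Vagrantfile are referenced by name only, `box = "debian/#{suite}64"`, so every `vagrant up` takes whatever version Vagrant Cloud currently serves. The Ubuntu `box_url` likewise points at a `current/` image with no checksum. For a tool whose results depend on the base image, pin what is downloaded: `config.vm.box_version = "<pinned version>"` for the Debian boxes, and `config.vm.box_download_checksum` together with `config.vm.box_download_checksum_type` for the URL-based Ubuntu boxes. The values are placeholders, since the page does not give them.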
@@ -112,6 +112,7 @@ elif [ $DISTRO = "debian" ]; then FLAVOUR=686-pae fi + LOCALE_PKG=language-pack-en if [ $DISTRO = "debian" ]; then LOCALE_PKG=locales @@ -159,7 +160,16 @@ if [ $VBOX = "1" ]; then exit 1 fi + DISTRO_USER_CREATE=0 + if [ $DISTRO = "debian" ]; then + # we use a vagrant provider + DISTRO_USER_CREATE=1 + fi + vagrant up "$NAME" + if [ $DISTRO_USER_CREATE = "1" ]; then + vagrant ssh "$NAME" -c "sudo useradd -m -s /bin/bash $DISTRO" + fi vagrant ssh "$NAME" -c "sudo mkdir -p /root/.ssh && sudo chmod 700 /root/.ssh" vagrant ssh "$NAME" -c "sudo sh -c 'cat >> /root/.ssh/authorized_keys'" < var/id_rsa.pub From cac395d6e5741624788c8d8364943721c7f6b521 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Wed, 14 Feb 2018 11:59:05 -0800 Subject: [PATCH 083/137] git submodule support --- bin/gbuild | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/gbuild b/bin/gbuild index 470410c..67b2865 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -284,6 +284,7 @@ build_desc["remotes"].each do |remote| commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 system!("cd inputs/#{dir} && git checkout -q #{commit}") + system!("cd inputs/#{dir} && git submodule update --init --recursive --force") in_sums << "git:#{commit} #{dir}" end From 923c711d253b30761df5ef82ea8548690e0c1c14 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Wed, 14 Feb 2018 14:56:50 -0800 Subject: [PATCH 084/137] add CODEOWNERS --- CODEOWNERS | 1 + Vagrantfile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..68438f5 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @devrandom diff --git a/Vagrantfile b/Vagrantfile index 49e80ba..e0397d5 100644 --- a/Vagrantfile +++ b/Vagrantfile 
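Review bot: The added `git submodule update --init --recursive --force` in bin/gbuild runs in `inputs/#{dir}` on the build host, so it fetches from whatever URLs the checked-out `.gitmodules` files name, and as far as this hunk shows only the top-level commit is written to `in_sums`. The submodule commits are fixed by the superproject tree, but the fetch locations are chosen by the repository being built and are contacted from outside the build VM. Make the step conditional on an explicit opt-in in the descriptor (key name to be chosen), and add a comment above the line such as `# submodule URLs come from the fetched repository and are contacted from the host`. The `build_desc["remotes"].each` block begins before this hunk.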
@@ -12,7 +12,7 @@ echo "ok" SCRIPT archs = ["amd64", "i386"] -ubuntu_suites = ["precise", "quantal", "raring", "saucy", "trusty", "xenial"] +ubuntu_suites = ["precise", "quantal", "raring", "saucy", "trusty", "xenial", "bionic"] debian_suites = ["jessie", "stretch"] if ARGV[0] == "up" and ARGV.length == 1 From d0127cceee75a6f66cd7d130526d5fd015caa950 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Wed, 14 Feb 2018 15:03:19 -0800 Subject: [PATCH 085/137] Release notes --- RELEASE_NOTES | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index ed40dec..36024eb 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,12 @@ +2017-02-14 +---------- + +- VirtualBox launches are now headless. You can use the VirtualBox Manager to open the console UI if needed. +- Debian on VirtualBox is supported via Vagrant Cloud images +- Note that Debian on kvm is currently not supported because vmbuilder fails in the grub install stage +- git submodule support - any submodules are cloned and checked out +- Note that lxc-execute in Ubuntu 17.10 has a showstopper bug in stdin handling + 2015-12-12 ---------- From faa2dc2c2cc560bc0219db870490d88404f71370 Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Tue, 1 May 2018 11:33:38 -0400 Subject: [PATCH 086/137] Package git-core has been renamed to git --- Vagrantfile | 2 +- bin/make-base-vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 47f6dc7..fcbfae6 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -5,7 +5,7 @@ set -eu sudo apt-get update -y sudo apt-get upgrade -y -sudo apt-get install -y autoconf2.13 automake build-essential bsdmainutils faketime g++ g++-mingw-w64 git-core libqt4-dev libtool libz-dev mingw-w64 nsis pciutils pkg-config psmisc subversion unzip zip +sudo apt-get install -y autoconf2.13 automake build-essential bsdmainutils faketime g++ g++-mingw-w64 git libqt4-dev libtool libz-dev mingw-w64 nsis pciutils pkg-config psmisc subversion unzip zip echo "ok" diff --git a/bin/make-base-vm b/bin/make-base-vm index a7c182b..7892117 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -117,7 +117,7 @@ if [ $DISTRO = "debian" ]; then LOCALE_PKG=locales fi -addpkg=pciutils,build-essential,git-core,subversion,$LOCALE_PKG,wget,lsb-release +addpkg=pciutils,build-essential,git,subversion,$LOCALE_PKG,wget,lsb-release if [ $DISTRO = "ubuntu" ]; then # Need comma at end to work around an issue with apt for Debian <= Wheezy regarding empty strings From 9231b6d5bf502748561abe6d232664aa35859bc1 Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 29 May 2018 10:02:34 +0200 Subject: [PATCH 087/137] Make verification program configurable for gverify This adds an option `-p` or `--verify-program` to be able to override `gpg` as used by default. This is useful on Ubuntu 16.04 where `gpg` still gpg 1.x, and it is desireable to use `gpg2` instead to be able to verify ECDSA signatures and such. --- bin/gverify | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/bin/gverify b/bin/gverify index 5315a91..e35c063 100755 --- a/bin/gverify +++ b/bin/gverify 
@@ -50,6 +50,10 @@ OptionParser.new do |opts| opts.on("-c SIGNER", "--compare-to SIGNER", "compare other manifests to SIGNER's, if not given pick first") do |v| @options[:compareto] = v end + + opts.on("-p PROG", "--verify-program PROG", "specify verification program to use (default is gpg)") do |v| + @options[:program] = v + end end.parse! base_dir = Pathname.new(__FILE__).expand_path.dirname.parent @@ -71,6 +75,8 @@ release = sanitize(release, "release") verbose = @options[:verbose] bold = ['', ''] unless @options[:markup] +program = @options[:program] || "gpg" + release_path = File.join(destination, release) File.exists?(release_path) or raise "#{release_path} does not exist" @@ -107,8 +113,8 @@ Dir.foreach(release_path) do |signer_dir| end result = YAML.load_file(result_path) - system("gpg --keyserver pgp.mit.edu --recv-keys `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1 | head -n1 | grep \"key ID\" | awk '{ print $15 }'` > /dev/null 2>&1") - out = `gpg --quiet --batch --verify \"#{sig_path}\" \"#{result_path}\" 2>&1` + system("#{program} --keyserver pgp.mit.edu --recv-keys `#{program} --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1 | head -n1 | grep \"key ID\" | awk '{ print $15 }'` > /dev/null 2>&1") + out = `#{program} --quiet --batch --verify \"#{sig_path}\" \"#{result_path}\" 2>&1` if $? != 0 out.each_line do |line| if line =~ /^gpg: Signature made/ From 1ca59fd8fba71743de9893264bb75b2d36d1943b Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Mon, 28 May 2018 21:02:01 -0400 Subject: [PATCH 088/137] Option for make-base-vm to create docker image make-base-vm can be run with --docker to create a dockerfile and docker image for the specified arch and suite. --- bin/make-base-vm | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/bin/make-base-vm b/bin/make-base-vm index b6c5013..d86c709 100755 --- a/bin/make-base-vm 
+++ b/bin/make-base-vm @@ -7,6 +7,7 @@ ARCH=amd64 MIRROR_BASE=http://${MIRROR_HOST:-127.0.0.1}:3142 LXC=0 VBOX=0 +DOCKER=0 usage() { echo "Usage: ${0##*/} [OPTION]..." @@ -19,6 +20,7 @@ usage() { --arch A build architecture A (e.g. i386) instead of amd64 --lxc use lxc instead of kvm --vbox use VirtualBox instead of kvm + --docker use docker instead of kvm The MIRROR_HOST environment variable can be used to change the apt-cacher host. It should be something that both the host and the @@ -70,6 +72,10 @@ if [ $# != 0 ] ; then VBOX=1 shift 1 ;; + --docker) + DOCKER=1 + shift 1 + ;; --*) echo "unrecognized option $1" exit 1 @@ -153,6 +159,32 @@ fi # Remove cron to work around vmbuilder issue when umounting /dev on target removepkg=cron +if [ $DOCKER = "1" ]; then + + addpkg=`echo $addpkg | tr ',' ' '` + + mkdir -p docker + cd docker + + # Generate the dockerfile + cat << EOF > $OUT.Dockerfile +FROM $DISTRO:$SUITE + +ENV DEBIAN_FRONTEND=noninteractive +RUN apt-get update && apt-get --no-install-recommends -y install $addpkg + +RUN useradd -ms /bin/bash -U $DISTRO +USER $DISTRO:$DISTRO +WORKDIR /home/$DISTRO + +CMD ["sleep", "infinity"] +EOF + + docker build --pull -f $OUT.Dockerfile -t $OUT . + + exit 0 +fi + if [ $VBOX = "1" ]; then NAME="$SUITE-$ARCH" if ! vagrant status | grep "$NAME" | grep "not created" > /dev/null; then From 3934150c5a0715212ff8794612c222aae406f28d Mon Sep 17 00:00:00 2001 
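Review bot: The generated Dockerfile in the `--docker` branch starts with `FROM $DISTRO:$SUITE` and never uses `$ARCH`, so `--docker --arch i386` builds from the host-default architecture of that tag; nothing in this hunk selects a 32-bit base. The tag is also mutable and the build runs with `--pull`, so two builders can end up with different base images under the same `$OUT` name. Select the base by architecture (Docker Hub publishes 32-bit variants under an `i386/` prefix, e.g. `FROM i386/$DISTRO:$SUITE` when `$ARCH` is i386; confirm for the suites in use) and allow the base to be pinned by digest. `$OUT` is also expanded unquoted in `cat << EOF > $OUT.Dockerfile` and on the `docker build` line, and should be quoted.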
From: Andrew Chow Date: Mon, 28 May 2018 21:03:01 -0400 Subject: [PATCH 089/137] Have libexec scripts be able to communicate with a docker container start-target creates and starts a docker container from the image created by make-base-vm stop-target stops and removes the docker container from start-target copy-from-target, copy-to-target, and on-target can execute commands and copy files to and from the docker container started by start-target. make-clean-vm does nothing because nothing needs to be done to make a clean docker container. --- libexec/copy-from-target | 4 +++- libexec/copy-to-target | 5 ++++- libexec/make-clean-vm | 5 +++++ libexec/on-target | 4 +++- libexec/start-target | 5 +++++ libexec/stop-target | 6 ++++++ 6 files changed, 26 insertions(+), 3 deletions(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index 08c6ecf..1a00a12 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -46,7 +46,9 @@ if [ $# = 0 ] ; then exit 1 fi -if [ -z "$USE_LXC" ]; then +if [ -n "$USE_DOCKER" ]; then + docker cp gitian-target:"/home/$TUSER/$1" $2 +elif [ -z "$USE_LXC" ]; then src="${1%/}" # remove trailing / which triggers special rsync behaviour rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:${src}" "$2" else diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 6670862..0a39c66 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target 
@@ -46,7 +46,10 @@ if [ $# = 0 ] ; then exit 1 fi -if [ -z "$USE_LXC" ]; then +if [ -n "$USE_DOCKER" ]; then + docker exec -u $TUSER gitian-target mkdir -p "/home/$TUSER/$2" + docker cp "$1" gitian-target:"/home/$TUSER/$2" +elif [ -z "$USE_LXC" ]; then src="${1%/}" # remove trailing / which triggers special rsync behaviour rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "${src}" "$TUSER@localhost:$2" else diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index 5049662..9c5cacd 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm @@ -9,6 +9,8 @@ if [ -n "$USE_LXC" ]; then VMSW=LXC elif [ -n "$USE_VBOX" ]; then VMSW=VBOX +elif [ -n "$USE_DOCKER" ]; then + VMSW=DOCKER fi usage() { @@ -66,4 +68,7 @@ case $VMSW in VBOX) VBoxManage snapshot "Gitian-${SUITE}-${ARCH}" restore "Gitian-Clean" ;; + DOCKER) + true #Docker doesn't need to do anything + ;; esac diff --git a/libexec/on-target b/libexec/on-target index 78eab62..0892e4c 100755 --- a/libexec/on-target +++ b/libexec/on-target @@ -46,7 +46,9 @@ fi # exit 1 #fi -if [ -z "$USE_LXC" ]; then +if [ -n "$USE_DOCKER" ]; then + docker exec -u $TUSER -i gitian-target $* +elif [ -z "$USE_LXC" ]; then ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT $TUSER@localhost $* else config-lxc diff --git a/libexec/start-target b/libexec/start-target index c8f8261..0b20f06 100755 --- a/libexec/start-target +++ b/libexec/start-target @@ -10,6 +10,8 @@ if [ -n "$USE_LXC" ]; then VMSW=LXC elif [ -n "$USE_VBOX" ]; then VMSW=VBOX +elif [ -n "$USE_DOCKER" ]; then + VMSW=DOCKER fi case $VMSW in @@ -34,4 +36,7 @@ case $VMSW in VBoxManage startvm "Gitian-${2}" --type headless echo "Gitian-${2}" > var/target.vmname ;; + DOCKER) + docker run -d --name gitian-target base-$SUFFIX:latest > /dev/null + ;; esac 
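Review bot: In libexec/on-target the new branch `docker exec -u $TUSER -i gitian-target $*` hands the command to the container without a shell, while the ssh branch below it sends the same words to a remote shell, so quoting, redirections and `&&` inside an on-target argument behave differently depending on the backend. The unquoted `$*` is also word-split and glob-expanded on the host before docker sees it. If the intent is to match the ssh behaviour, `docker exec -u "$TUSER" -i gitian-target bash -c "$*"` would do that; if direct exec is intended, `"$@"` preserves the caller's arguments. The same unquoted `$TUSER` appears in the copy-to-target hunk of this commit.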
diff --git a/libexec/stop-target b/libexec/stop-target index 46714dc..8dcc11b 100755 --- a/libexec/stop-target +++ b/libexec/stop-target @@ -5,6 +5,8 @@ if [ -n "$USE_LXC" ]; then VMSW=LXC elif [ -n "$USE_VBOX" ]; then VMSW=VBOX +elif [ -n "$USE_DOCKER" ]; then + VMSW=DOCKER fi case $VMSW in @@ -30,4 +32,8 @@ case $VMSW in VBoxManage controlvm `cat var/target.vmname` savestate rm var/target.vmname ;; + DOCKER) + docker container stop gitian-target > /dev/null + docker container rm gitian-target > /dev/null + ;; esac From 8847ca1127abffa531009c0cb686901193aef482 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Mon, 28 May 2018 21:11:24 -0400 Subject: [PATCH 090/137] update readme for docker --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 9822d64..f07ab5b 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,10 @@ If you'd like to use LXC mode instead, install it as follows: sudo apt-get install lxc +If you'd like to use docker mode instead, install it as follows: + + sudo apt-get install docker-ce + ### Debian: See Ubuntu, and also run the following on Debian Jessie or newer: @@ -101,6 +105,15 @@ Set the `USE_LXC` environment variable to use `LXC` instead of `KVM`: export USE_LXC=1 +### Docker + + bin/make-base-vm --docker + bin/make-base-vm --docker --arch i386 + +Set the `USE_DOCKER` environment variable to use `DOCKER` instead of `KVM`: + + export USE_DOCKER=1 + ### VirtualBox Command-line `VBoxManage` must be in your `$PATH`. From 27d01300d2d312d31f4f1cfbf872db9e891056a1 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Mon, 28 May 2018 21:52:33 -0400 Subject: [PATCH 091/137] update gitignore for docker --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 043c12a..7e0fd10 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,5 @@ base* sigs target-bin/bootstrap-fixup .vagrant +docker +*.Dockerfile 
From 4053f3c88e6d16d174b6983f01d5976958576ab5 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Fri, 1 Jun 2018 13:58:22 -0400 Subject: [PATCH 092/137] Option to specify docker image hash Adds the option to specify a docker image hash to use for the base vm and for descriptors --- bin/gbuild | 8 ++++++++ bin/make-base-vm | 34 ++++++++++++++++++++++++++-------- 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 67b2865..8590d23 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -237,6 +237,14 @@ distro = build_desc["distro"] || "ubuntu" suites = build_desc["suites"] or raise "must supply suites" archs = build_desc["architectures"] or raise "must supply architectures" build_desc["reference_datetime"] or build_desc["remotes"].size > 0 or raise "must supply `reference_datetime` or `remotes`" +docker_image_digests = build_desc["docker_image_digests"] || [] + +# if docker_image_digests are supplied, it must be the same length as suites +if docker_image_digests.size > 0 and suites.size != docker_image_digests.size + raise "`suites` and `docker_image_digests` must both be the same size if both are supplied" +elsif ENV["USE_DOCKER"] and docker_image_digests.size > 0 and suites.size == docker_image_digests.size + suites = docker_image_digests +end ENV['DISTRO'] = distro diff --git a/bin/make-base-vm b/bin/make-base-vm index d86c709..916c11f 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
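Review bot: The entries of `docker_image_digests` in bin/gbuild replace `suites` without any format check, and the companion hunk in bin/make-base-vm pastes `$DOCKER_IMAGE_HASH` straight into `FROM $DISTRO@sha256:…` and into the `OUT=base-…` file name. A sha256 digest is 64 lowercase hex characters, so anything else can be rejected before it reaches a file name or a Dockerfile: `docker_image_digests.each { |d| raise "invalid docker image digest #{d}" unless d.to_s =~ /\A[0-9a-f]{64}\z/ }`. The last clause of the `elsif` (`suites.size == docker_image_digests.size`) is always true once the first branch did not raise and can be dropped. How `suites` is used afterwards is outside this hunk.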
@@ -8,19 +8,21 @@ MIRROR_BASE=http://${MIRROR_HOST:-127.0.0.1}:3142 LXC=0 VBOX=0 DOCKER=0 +DOCKER_IMAGE_HASH="" usage() { echo "Usage: ${0##*/} [OPTION]..." echo "Make a base client." echo cat << EOF - --help display this help and exit - --distro D build distro D (e.g. debian) instead of ubuntu - --suite U build suite U instead of xenial - --arch A build architecture A (e.g. i386) instead of amd64 - --lxc use lxc instead of kvm - --vbox use VirtualBox instead of kvm - --docker use docker instead of kvm + --help display this help and exit + --distro D build distro D (e.g. debian) instead of ubuntu + --suite U build suite U instead of xenial + --arch A build architecture A (e.g. i386) instead of amd64 + --lxc use lxc instead of kvm + --vbox use VirtualBox instead of kvm + --docker use docker instead of kvm + --docker-image-hash D digest of the docker image to build from The MIRROR_HOST environment variable can be used to change the apt-cacher host. It should be something that both the host and the @@ -42,6 +44,11 @@ usage() { This is done as separate variable to make it clear that we modify sudo behaviour here regarding security (though anyway env is cleared with whitelist so should be perfectly safe). + + The --docker-image-hash option can be used to specify the hash of a particular + base image to use. These hashes can be found under the "RepoDigests" field of + "docker image inspect ". They will be reported in the form "sha256:"; + only need the part is needed EOF } @@ -76,6 +83,10 @@ if [ $# != 0 ] ; then DOCKER=1 shift 1 ;; + --docker-image-digest) + DOCKER_IMAGE_HASH="$2" + shift 2 + ;; --*) echo "unrecognized option $1" exit 1 
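Review bot: The usage text in bin/make-base-vm documents `--docker-image-hash D`, but the `case` arm added further down matches `--docker-image-digest`, so the documented spelling falls through to `--*)` and exits with "unrecognized option". Pick one spelling for both; keeping the variable name, the arm would read `--docker-image-hash)`. The new help paragraph also ends in a sentence that does not parse (`only need the part is needed`); the placeholders after `docker image inspect` and `sha256:` may have been lost when this page was rendered, but the wording should read along the lines of `only the hash part after "sha256:" is needed`.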
@@ -166,9 +177,16 @@ if [ $DOCKER = "1" ]; then mkdir -p docker cd docker + if [ -n "$DOCKER_IMAGE_HASH" ]; then + base_image="$DISTRO@sha256:$DOCKER_IMAGE_HASH" + OUT=base-$DOCKER_IMAGE_HASH-$ARCH + else + base_image="$DISTRO:$SUITE" + fi + # Generate the dockerfile cat << EOF > $OUT.Dockerfile -FROM $DISTRO:$SUITE +FROM $base_image ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get --no-install-recommends -y install $addpkg From 5da1adce920da4b49fea7c880334bfcf8aaeae85 Mon Sep 17 00:00:00 2001 From: PenTesting Date: Mon, 18 Jun 2018 00:20:56 +0300 Subject: [PATCH 093/137] Regex hardening to fix CVE-2018-12356. --- contrib/verify-commits/gpg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/verify-commits/gpg.sh b/contrib/verify-commits/gpg.sh index 09ff237..27b9e3f 100755 --- a/contrib/verify-commits/gpg.sh +++ b/contrib/verify-commits/gpg.sh @@ -30,7 +30,7 @@ if ! $VALID; then exit 1 fi if $VALID && $REVSIG; then - echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null + echo "$INPUT" | gpg --trust-model always "$@" | grep "^\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null echo "$GOODREVSIG" else echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null From fa54ada75cd2c8fb8ecf43c965e6e77dbd529168 Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Mon, 25 Jun 2018 08:10:41 -0400 Subject: [PATCH 094/137] gbuild: Avoid printing kvm warning when using docker --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 8590d23..24e4e2a 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -197,7 +197,7 @@ OptionParser.new do |opts| end end.parse! -if !ENV["USE_LXC"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") +if !ENV["USE_LXC"] and !ENV["USE_DOCKER"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") $stderr.puts "\n************* WARNING: kvm not loaded, this will probably not work out\n\n" end 
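Review bot: The `^` added to the grep pattern in contrib/verify-commits/gpg.sh is the whole fix, yet nothing in the script records why it must stay. Without the anchor the filter also passes lines that merely contain `[GNUPG:] VALIDSIG` after other text, so output that is not a genuine status line could be taken for one. I would add a comment above the pipeline such as `# Anchor at line start: only lines that begin with "[GNUPG:] " are gpg status output`. Note also that `2>/dev/null` on this line applies to `grep`, not to `gpg`, unlike the `else` branch; the surrounding `if` starts outside the hunk, so this may be intentional.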
From 76cb7e40cb9d41ce45b10e548f9675dc9e972e05 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Tue, 3 Jul 2018 16:13:49 -0700 Subject: [PATCH 095/137] Set permissions to container uid and group docker cp has a bug where it uses the host machine's uid and group for copied files and directories even though the copied files and directories should use the container's user's uid and group. To fix this, we run chown as root on the copied files and directories to get the correct permissions. --- libexec/copy-to-target | 1 + 1 file changed, 1 insertion(+) diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 0a39c66..f422e3f 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -49,6 +49,7 @@ fi if [ -n "$USE_DOCKER" ]; then docker exec -u $TUSER gitian-target mkdir -p "/home/$TUSER/$2" docker cp "$1" gitian-target:"/home/$TUSER/$2" + docker exec -u root gitian-target chown -R $TUSER:$TUSER "/home/$TUSER/$2" elif [ -z "$USE_LXC" ]; then src="${1%/}" # remove trailing / which triggers special rsync behaviour rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "${src}" "$TUSER@localhost:$2" From 4ba8e2843e7513f5196ab343c4b3587c98b07ffe Mon Sep 17 00:00:00 2001 From: Chun Kuan Lee Date: Sat, 5 May 2018 00:38:51 +0800 Subject: [PATCH 096/137] Add compatibility with lxc 3 --- etc/lxc.3.config.in | 38 ++++++++++++++++++++++++++++++++++++++ libexec/config-lxc | 13 ++++++++++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 etc/lxc.3.config.in diff --git a/etc/lxc.3.config.in b/etc/lxc.3.config.in new file mode 100644 index 0000000..18a8f53 --- /dev/null +++ b/etc/lxc.3.config.in 
@@ -0,0 +1,38 @@ +lxc.tty.max = 4 +lxc.pty.max = 1024 +lxc.rootfs.path = ROOTFS +lxc.arch = ARCH +lxc.cgroup.devices.deny = a +# /dev/null and zero +lxc.cgroup.devices.allow = c 1:3 rwm +lxc.cgroup.devices.allow = c 1:5 rwm +# consoles +lxc.cgroup.devices.allow = c 5:1 rwm +lxc.cgroup.devices.allow = c 5:0 rwm +lxc.cgroup.devices.allow = c 4:0 rwm +lxc.cgroup.devices.allow = c 4:1 rwm +# /dev/{,u}random +lxc.cgroup.devices.allow = c 1:9 rwm +lxc.cgroup.devices.allow = c 1:8 rwm +lxc.cgroup.devices.allow = c 136:* rwm +lxc.cgroup.devices.allow = c 5:2 rwm +# rtc +lxc.cgroup.devices.allow = c 254:0 rwm + +# mounts points +lxc.mount.entry=proc ROOTFS/proc proc nodev,noexec,nosuid 0 0 +lxc.mount.entry=sysfs ROOTFS/sys sysfs defaults 0 0 + +# Container with network virtualized using a pre-configured bridge named br0 and +# veth pair virtual network devices +# On the host, run: ifconfig br0 up 10.0.2.2 +# Alternatively, you can use another IP range for the bridge interface, in this case set +# the environment variables GITIAN_HOST_IP and LXC_GUEST_IP appropriately. +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.link = GUESTLINK +lxc.net.0.ipv4.address = GUESTIP/24 +lxc.net.0.ipv4.gateway = auto + +lxc.uts.name = gitian + diff --git a/libexec/config-lxc b/libexec/config-lxc index ddeabcf..e858fde 100755 --- a/libexec/config-lxc +++ b/libexec/config-lxc @@ -10,4 +10,15 @@ if [ -z "$LXC_BRIDGE" ]; then LXC_BRIDGE=br0 fi -sed "s;ROOTFS;$wd/target-$LXC_SUITE-$LXC_ARCH;;s;ARCH;$LXC_ARCH;g;;s;GUESTIP;$LXC_GUEST_IP;g;s;GUESTLINK;$LXC_BRIDGE;g" < etc/lxc.config.in > var/lxc.config +OLD_IFS=$IFS +IFS=. +VERSION=($(lxc-start --version)) +IFS=$OLD_IFS + +if [ $VERSION -ge 3 ]; then + LXC_CONFIG=etc/lxc.3.config.in +else + LXC_CONFIG=etc/lxc.config.in +fi + +sed "s;ROOTFS;$wd/target-$LXC_SUITE-$LXC_ARCH;;s;ARCH;$LXC_ARCH;g;;s;GUESTIP;$LXC_GUEST_IP;g;s;GUESTLINK;$LXC_BRIDGE;g" < $LXC_CONFIG > var/lxc.config 
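Review bot: The version probe in libexec/config-lxc relies on a bash array (`VERSION=($(lxc-start --version))`) and then tests `[ $VERSION -ge 3 ]` unquoted, so an empty or non-numeric answer from `lxc-start --version` makes `[` print an error and silently selects the old `etc/lxc.config.in`. The script's shebang is outside the hunk; if it is `/bin/sh`, the array syntax will not parse on shells without arrays. A form that needs neither arrays nor the IFS juggling is `LXC_MAJOR=$(lxc-start --version | cut -d. -f1)` followed by `if [ "${LXC_MAJOR:-0}" -ge 3 ] 2>/dev/null; then`.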
From 6c2294d8919e4015383698c2d1cbe97eeacaad44 Mon Sep 17 00:00:00 2001 From: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Date: Tue, 11 Sep 2018 12:04:40 +0300 Subject: [PATCH 097/137] Do not overwrite var/install.log --- bin/gbuild | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 24e4e2a..2a897c4 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -36,6 +36,7 @@ def info(str) end def build_one_configuration(suite, arch, build_desc) + FileUtils.rm_f("var/install.log") FileUtils.rm_f("var/build.log") bits = @bitness[arch] or raise "unknown architecture ${arch}" 
@@ -97,26 +98,26 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] if build_desc["multiarch"] info "Adding multiarch support (log in var/install.log)" for a in build_desc["multiarch"] - system! "on-target -u root dpkg --add-architecture #{a} > var/install.log 2>&1" + system! "on-target -u root dpkg --add-architecture #{a} >> var/install.log 2>&1" end end info "Updating apt-get repository (log in var/install.log)" - system! "on-target -u root apt-get update > var/install.log 2>&1" + system! "on-target -u root apt-get update >> var/install.log 2>&1" info "Installing additional packages (log in var/install.log)" - system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1" + system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} >> var/install.log 2>&1" if build_desc["alternatives"] info "Set alternatives (log in var/install.log)" for a in build_desc["alternatives"] - system! "on-target -u root update-alternatives --set #{a["package"]} #{a["path"]} > var/install.log 2>&1" + system! "on-target -u root update-alternatives --set #{a["package"]} #{a["path"]} >> var/install.log 2>&1" end end if @options[:upgrade] || system("on-target -u root '[ ! -e /var/cache/gitian/initial-upgrade ]'") - info "Upgrading system, may take a while" - system! "on-target -u root bash < target-bin/upgrade-system.sh > var/install.log 2>&1" + info "Upgrading system, may take a while (log in var/install.log)" + system! "on-target -u root bash < target-bin/upgrade-system.sh >> var/install.log 2>&1" end info "Creating package manifest" system! "on-target -u root bash < target-bin/grab-packages.sh > var/base-#{suitearch}.manifest" From 7b1ac8aa764b01ac87ab2e31ab5b0d0c113f77c2 Mon Sep 17 00:00:00 2001 
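Review bot: Every command rewritten in this hunk of bin/gbuild interpolates descriptor values (`#{a}`, `build_desc["packages"].join(" ")`, `a["package"]`, `a["path"]`) into a string that the host shell parses before `on-target` runs, so shell metacharacters in a descriptor field are interpreted on the build host rather than inside the target. The remotes code in this file already passes `dir`, `commit` and `url` through `sanitize`/`sanitize_path`; the same treatment, or `Shellwords.escape` from the standard library, fits here, e.g. `dpkg --add-architecture #{Shellwords.escape(a)}`. Since each of these lines is touched for the `>>` change anyway, this is a cheap place to do it. `build_one_configuration` starts and ends outside the hunk, and the character set `sanitize` accepts is not visible here.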
From: Jonathan Cross Date: Thu, 27 Sep 2018 01:27:16 +0200 Subject: [PATCH 098/137] README: dealing with missing AUR packages and typo --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f07ab5b..e569c61 100644 --- a/README.md +++ b/README.md @@ -18,12 +18,15 @@ This performs a build inside a VM, with deterministic inputs and outputs. If th From AUR: * [apt-cacher-ng](https://aur.archlinux.org/packages/apt-cacher-ng/) (you may have to play with permissions (chown to apt-cacher-ng) on files to get apt-cacher-ng to start) -* [debian-archive-keyring](https://aur.archlinux.org/packages/debian-archive-keyring/) (for making Debian guests) -* [debootstrap](https://aur.archlinux.org/packages/debootstrap/) +* [debootstrap](https://aur.archlinux.org/packages/debootstrap-git/) * [dpkg](https://aur.archlinux.org/packages/dpkg/) * [gnupg1](https://aur.archlinux.org/packages/gnupg1/) * [multipath-tools](https://aur.archlinux.org/packages/multipath-tools/) (for kpartx) -* [ubuntu-keyring](https://aur.archlinux.org/packages/ubuntu-keyring/) (for making Ubuntu guests) + +Non-AUR packages: + +* [debian-archive-keyring](https://packages.debian.org/jessie/debian-archive-keyring) (for making Debian guests) +* [ubuntu-keyring](https://packages.ubuntu.com/search?keywords=ubuntu-keyring) (for making Ubuntu guests) From newroco on GitHub: 
@@ -216,7 +219,7 @@ Right now `lxc-start` is the default, but you can force `lxc-execute` (useful fo export LXC_EXECUTE=lxc-execute -Recent distributions allow lxc-execute / lxc-start to be run by non-priviledged users, so you might be able to rip-out the `sudo` calls in `libexec/*`. +Recent distributions allow lxc-execute / lxc-start to be run by non-privileged users, so you might be able to rip-out the `sudo` calls in `libexec/*`. If you have a runaway `lxc-start` command, just use `kill -9` on it. From 4eda053e8e256f03a9d28c62b969cd16e1d8de3f Mon Sep 17 00:00:00 2001 From: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Date: Tue, 22 Jan 2019 14:17:43 +0200 Subject: [PATCH 099/137] Ignore cache directory and target-* files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 7e0fd10..c33c616 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ target-bin/bootstrap-fixup .vagrant docker *.Dockerfile +cache +target-* From 041772973f31d08c881e19fab99b26545ceadcce Mon Sep 17 00:00:00 2001 From: Putta Khunchalee Date: Fri, 8 Mar 2019 19:08:10 +0700 Subject: [PATCH 100/137] Do not fetch remote when it already there --- bin/gbuild | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 2a897c4..0c48313 100755 --- a/bin/gbuild +++ b/bin/gbuild 
@@ -285,15 +285,15 @@ build_desc["remotes"].each do |remote| remote["url"] = urls[remote["dir"]] end dir = sanitize(remote["dir"], remote["dir"]) + commit = sanitize(remote["commit"], remote["commit"]) unless File.exist?("inputs/#{dir}") - system!("git init inputs/#{dir}") + system!("git init inputs/#{dir}") + system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") + system!("cd inputs/#{dir} && git checkout -q #{commit}") + system!("cd inputs/#{dir} && git submodule update --init --recursive --force") end - system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") - commit = sanitize(remote["commit"], remote["commit"]) commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 - system!("cd inputs/#{dir} && git checkout -q #{commit}") - system!("cd inputs/#{dir} && git submodule update --init --recursive --force") in_sums << "git:#{commit} #{dir}" end From 46229f9a7ea5ec88a2dbe166d18cdadb2f29ae56 Mon Sep 17 00:00:00 2001 From: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Date: Thu, 14 Mar 2019 20:39:39 +0200 Subject: [PATCH 101/137] Fix typo in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e569c61..9f58c17 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,7 @@ If you have everything set-up properly, you should be able to: # on-target needs $DISTRO to be set to debian if using a Debian guest # (when running gbuild, $DISTRO is set based on the descriptor, so this line isn't needed) - DiSTRO=debian + DISTRO=debian # For LXC: LXC_ARCH=i386 LXC_SUITE=xenial on-target ls -la From 25a0feb2a3dfdf2a8bf47704911d73f378665667 Mon Sep 17 00:00:00 2001 
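Review bot: After this change to bin/gbuild an existing `inputs/#{dir}` is neither fetched nor checked out, yet `git log --format=%H -1 #{commit}` still resolves the requested commit and `in_sums << "git:#{commit} #{dir}"` records it. If the working tree was left at a different commit by an earlier build, the sources that `copy-to-target ... inputs/#{dir} build/` sends to the target would not be the ones named in the recorded inputs. Keeping `git checkout -q #{commit}` and `git submodule update --init --recursive --force` after the `git log` lookup, outside the `unless File.exist?` block, keeps the tree and the recorded hash in step while still skipping the network fetch. The `--skip-fetch` hunk in PATCH 110 wraps the same two commands in `if !@options[:skip_fetch]` and has the same gap.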
From: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Date: Sat, 16 Mar 2019 12:24:15 +0200 Subject: [PATCH 102/137] Increase LXC disk size from 10241 MiB to 12 GiB --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 916c11f..18b2df8 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -264,7 +264,7 @@ if [ $LXC = "1" ]; then fi fi fi - dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=10240 + dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=12287 /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` sudo mount $OUT-lxc $t From 175796e79e6f29f38530e687110b0df9a98b8231 Mon Sep 17 00:00:00 2001 From: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Date: Sun, 7 Apr 2019 17:57:33 +0300 Subject: [PATCH 103/137] Do not leave rsyslog configuration files --- target-bin/bootstrap-fixup.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 5c04c1f..3936b4d 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -24,7 +24,7 @@ echo '127.0.1.1 gitian' >> /etc/hosts # If LXC if grep /lxc/gitian /proc/1/cgroup > /dev/null || grep container=lxc /proc/1/environ > /dev/null; then adduser --disabled-password --gecos ${DISTRIB_NAME,,} --quiet ${DISTRIB_NAME,,} || true - apt-get remove -y rsyslog || true + apt-get purge -y rsyslog || true dpkg-divert --local --rename --add /sbin/initctl ln -sf /bin/true /sbin/initctl dpkg-divert --local --rename --add /usr/bin/ischroot From b6f00215fe558446f8233177bffaaa77625858fd Mon Sep 17 00:00:00 2001 From: marpme Date: Mon, 22 Apr 2019 10:43:08 +0200 Subject: [PATCH 104/137] For CI output everything directly to the stdout --- bin/gbuild | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 2a897c4..be28644 100755 --- a/bin/gbuild +++ b/bin/gbuild 
@@ -160,8 +160,13 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] script.puts build_desc["script"] end - info "Running build script (log in var/build.log)" - system! "on-target setarch #{@arches[arch]} bash -x < var/build-script > var/build.log 2>&1" + if ENV["CI"] + info "Running build script" + system! "on-target setarch #{@arches[arch]} bash -x < var/build-script" + else + info "Running build script (log in var/build.log)" + system! "on-target setarch #{@arches[arch]} bash -x < var/build-script > var/build.log 2>&1" + end end ################################ From 2f96ca44f1d639d1e45ed76b9686b31dbb6db4a2 Mon Sep 17 00:00:00 2001 From: marpme Date: Fri, 3 May 2019 14:32:19 +0200 Subject: [PATCH 105/137] Write build stdout/stderr to the build.log and the stdout --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index be28644..7662313 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -162,7 +162,7 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] if ENV["CI"] info "Running build script" - system! "on-target setarch #{@arches[arch]} bash -x < var/build-script" + system! "on-target setarch #{@arches[arch]} bash -x < var/build-script 2>&1 | tee var/build.log" else info "Running build script (log in var/build.log)" system! "on-target setarch #{@arches[arch]} bash -x < var/build-script > var/build.log 2>&1" From 8e12e01dff220283ecfbfc24ed384e78e8bde51d Mon Sep 17 00:00:00 2001 From: marpme Date: Fri, 3 May 2019 14:34:33 +0200 Subject: [PATCH 106/137] Remove duplicated code (info logs) --- bin/gbuild | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 7662313..09daabd 100755 --- a/bin/gbuild +++ b/bin/gbuild 
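Review bot: In the `ENV["CI"]` branch of PATCH 105 the build runs as `... bash -x < var/build-script 2>&1 | tee var/build.log`, and the exit status of that pipeline is `tee`'s, so a failing build script would look successful to `system!` (assuming it raises on a non-zero status; its body is outside this hunk). Ruby's `system` hands the string to `/bin/sh`, where `pipefail` may not exist, so the pipeline needs an explicit bash: `system! "bash -o pipefail -c 'on-target setarch #{@arches[arch]} bash -x < var/build-script 2>&1 | tee var/build.log'"`. PATCH 106 keeps the same line when it merges the two `info` calls.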
@@ -159,12 +159,11 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] script.puts "cd build" script.puts build_desc["script"] end - + + info "Running build script (log in var/build.log)" if ENV["CI"] - info "Running build script" system! "on-target setarch #{@arches[arch]} bash -x < var/build-script 2>&1 | tee var/build.log" else - info "Running build script (log in var/build.log)" system! "on-target setarch #{@arches[arch]} bash -x < var/build-script > var/build.log 2>&1" end end From d36b85d4114cc055ed414cd872b24aabe494c394 Mon Sep 17 00:00:00 2001 From: marpme Date: Fri, 3 May 2019 15:07:58 +0200 Subject: [PATCH 107/137] Remove useless whitespace --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 09daabd..4c35581 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -159,7 +159,7 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] script.puts "cd build" script.puts build_desc["script"] end - + info "Running build script (log in var/build.log)" if ENV["CI"] system! "on-target setarch #{@arches[arch]} bash -x < var/build-script 2>&1 | tee var/build.log" From 4b886a975c3603431cb6eeae4f014f0dfc18fa54 Mon Sep 17 00:00:00 2001 From: Putta Khunchalee Date: Mon, 13 May 2019 16:53:36 +0700 Subject: [PATCH 108/137] Update RELEASE_NOTES --- RELEASE_NOTES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 36024eb..f0838ca 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,8 @@ +2019-05-13 +---------- + +- No longer fetch repository from remote when directory is already exists + 2017-02-14 ---------- From 355cd7e01f330b4b3a60985cf473728de57d32d3 Mon Sep 17 00:00:00 2001 From: Putta Khunchalee Date: Tue, 14 May 2019 11:57:10 +0700 Subject: [PATCH 109/137] Fix incorrect gramma in RELEASE_NOTES --- RELEASE_NOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index f0838ca..fa0a6b2 100644 --- a/RELEASE_NOTES 
+++ b/RELEASE_NOTES @@ -1,7 +1,7 @@ 2019-05-13 ---------- -- No longer fetch repository from remote when directory is already exists +- No longer fetch repository from remote when the directory already exists 2017-02-14 ---------- From c76ac9d903e01212d4b400960944258e19f28593 Mon Sep 17 00:00:00 2001 From: Mitchell Cash Date: Wed, 22 May 2019 11:04:01 +0100 Subject: [PATCH 110/137] Add argument to skip fetching the latest remote source --- RELEASE_NOTES | 5 +++++ bin/gbuild | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index fa0a6b2..10762ed 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,8 @@ +2019-05-23 +---------- + +- Add `--skip-fetch` argument that skips fetching the latest remote source + 2019-05-13 ---------- diff --git a/bin/gbuild b/bin/gbuild index 0c48313..7ad397f 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -196,6 +196,9 @@ OptionParser.new do |opts| opts.on("-o", "--cache-read-only", "only use existing cache files, do not update them") do |v| @options[:cache_ro] = v end + opts.on("--skip-fetch", "skip fetching the latest git objects and refs from the remote source") do |v| + @options[:skip_fetch] = v + end end.parse! if !ENV["USE_LXC"] and !ENV["USE_DOCKER"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") @@ -288,6 +291,8 @@ build_desc["remotes"].each do |remote| commit = sanitize(remote["commit"], remote["commit"]) unless File.exist?("inputs/#{dir}") system!("git init inputs/#{dir}") + end + if !@options[:skip_fetch] system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") system!("cd inputs/#{dir} && git checkout -q #{commit}") system!("cd inputs/#{dir} && git submodule update --init --recursive --force") From 72c51f0bd2adec4eedab4dbd06c9229b9c4eb0e3 Mon Sep 17 00:00:00 2001 
From: Howard Chu Date: Wed, 12 Jun 2019 03:29:28 +0100 Subject: [PATCH 111/137] Use apt-cacher in Docker image The setup scripts install apt-cacher-ng but the docker image didn't use it. --- bin/make-base-vm | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 18b2df8..c808fdb 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -4,7 +4,6 @@ set -e DISTRO=ubuntu SUITE=xenial ARCH=amd64 -MIRROR_BASE=http://${MIRROR_HOST:-127.0.0.1}:3142 LXC=0 VBOX=0 DOCKER=0 @@ -98,6 +97,13 @@ if [ $# != 0 ] ; then done fi +if [ $DOCKER = "1" ]; then + MIRROR_DEFAULT=172.17.0.1 +else + MIRROR_DEFAULT=127.0.0.1 +fi +MIRROR_BASE=http://${MIRROR_HOST:-$MIRROR_DEFAULT}:3142 + if [ $DISTRO = "ubuntu" ]; then MIRROR=$MIRROR_BASE/archive.ubuntu.com/ubuntu SECURITY_MIRROR=$MIRROR_BASE/security.ubuntu.com/ubuntu @@ -189,6 +195,7 @@ if [ $DOCKER = "1" ]; then FROM $base_image ENV DEBIAN_FRONTEND=noninteractive +RUN echo 'Acquire::http { Proxy "$MIRROR_BASE"; };' > /etc/apt/apt.conf.d/50cacher RUN apt-get update && apt-get --no-install-recommends -y install $addpkg RUN useradd -ms /bin/bash -U $DISTRO From fa0f0f4e54028b860d8b3e5428016905d1d4b0ce Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Tue, 25 Jun 2019 18:59:15 -0400 Subject: [PATCH 112/137] copy-from-target: docker: Use tar to create files with the correct owner --- libexec/copy-from-target | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index 1a00a12..e3c1bb7 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target 
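Review bot: `MIRROR_DEFAULT=172.17.0.1` in bin/make-base-vm assumes the Docker daemon's default bridge address, and the `RUN echo 'Acquire::http { Proxy "$MIRROR_BASE"; };' > /etc/apt/apt.conf.d/50cacher` line bakes that address into the image, so every later `apt-get` in the container depends on apt-cacher-ng answering there. On a host whose bridge uses a different subnet the `apt-get update` in the image build would fail with no hint why. I would extend the MIRROR_HOST paragraph of the usage text with a sentence like `With --docker the default is 172.17.0.1 (the docker0 gateway); set MIRROR_HOST if your bridge uses another address.`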
@@ -47,7 +47,8 @@ if [ $# = 0 ] ; then fi if [ -n "$USE_DOCKER" ]; then - docker cp gitian-target:"/home/$TUSER/$1" $2 + # Use tar, so that files are created with the correct owner on the host + docker exec -u $TUSER gitian-target tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - elif [ -z "$USE_LXC" ]; then src="${1%/}" # remove trailing / which triggers special rsync behaviour rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:${src}" "$2" From 3859105bdabd5f9b7bb6634aad96bb52c235d194 Mon Sep 17 00:00:00 2001 From: Alex Peters Date: Thu, 1 Aug 2019 14:19:19 +0200 Subject: [PATCH 113/137] OS agnostic date conversion --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 7ad397f..e280a3c 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -143,7 +143,7 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] build_desc["remotes"].each do |remote| dir = sanitize(remote["dir"], remote["dir"]) - author_date = `cd inputs/#{dir} && git log --format=@%at -1 | date +"%F %T" -u -f -`.strip + author_date = `cd inputs/#{dir} && TZ=UTC git log --date='format-local:%F %T' --format="%ad" -1`.strip raise "error looking up author date in #{dir}" unless $?.exitstatus == 0 system! "copy-to-target #{@quiet_flag} inputs/#{dir} build/" From 155ffe5750200948e891c0d67d8b5070796ade19 Mon Sep 17 00:00:00 2001 From: Riku Date: Sat, 17 Aug 2019 11:25:24 +0200 Subject: [PATCH 114/137] add disk size option Allow to specify a disk / image size when creating the base image in LXC or KVM --- bin/make-base-vm | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index c808fdb..a0967ad 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -4,6 +4,7 @@ set -e DISTRO=ubuntu SUITE=xenial ARCH=amd64 +DISKSIZE=12287 LXC=0 VBOX=0 DOCKER=0 
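Review bot: The new docker branch of libexec/copy-from-target unpacks on the host a tar stream that is produced inside the build container, and its backtick substitutions are unquoted, so a path with spaces splits into several tar arguments. Quoting with `"$(dirname "$1")"` and `"$(basename "$1")"` fixes the splitting. On the receiving side, `tar -C "$2" --no-same-owner --no-same-permissions -xf -` keeps ownership and mode bits chosen inside the container from being applied if the script is ever run as root. Unlike the `docker cp` line it replaces, the source path is no longer prefixed with `/home/$TUSER/`, so it is resolved against the container's working directory; worth confirming that this is intended for `-u root` calls.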
@@ -18,6 +19,7 @@ usage() { --distro D build distro D (e.g. debian) instead of ubuntu --suite U build suite U instead of xenial --arch A build architecture A (e.g. i386) instead of amd64 + --disksize S disk/image size S in MB (default 12287) --lxc use lxc instead of kvm --vbox use VirtualBox instead of kvm --docker use docker instead of kvm @@ -70,6 +72,10 @@ if [ $# != 0 ] ; then ARCH="$2" shift 2 ;; + --disksize) + DISKSIZE="$2" + shift 2 + ;; --lxc) LXC=1 shift 1 @@ -271,7 +277,7 @@ if [ $LXC = "1" ]; then fi fi fi - dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=12287 + dd if=/dev/zero of=$OUT-lxc bs=1M count=1 seek=$DISKSIZE /sbin/mkfs.ext4 -F $OUT-lxc t=`mktemp -d gitian.XXXXXXXX` sudo mount $OUT-lxc $t @@ -290,7 +296,7 @@ else libexec/config-bootstrap-fixup rm -rf $OUT - env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm $DISTRO --rootsize 10240 --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_rsa.pub --ssh-user-key=var/id_rsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup + env -i LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 sudo vmbuilder kvm $DISTRO --rootsize $DISKSIZE --arch=$ARCH --suite=$SUITE --addpkg=$addpkg --removepkg=$removepkg --ssh-key=var/id_rsa.pub --ssh-user-key=var/id_rsa.pub --mirror=$MIRROR --security-mirror=$SECURITY_MIRROR --dest=$OUT --flavour=$FLAVOUR --firstboot=`pwd`/target-bin/bootstrap-fixup mv $OUT/*.qcow2 $OUT.qcow2 rm -rf $OUT # bootstrap-fixup is done on first boot From fafa06d9b5df590123922456aad2e72641214e4a Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Thu, 7 Nov 2019 22:40:33 -0500 Subject: [PATCH 115/137] gbuild: Allow for generic linux64 host --- bin/gbuild | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index e280a3c..18efc84 100755 --- a/bin/gbuild +++ b/bin/gbuild 
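Review bot: `DISKSIZE="$2"` in bin/make-base-vm is taken from the command line unchecked and then used unquoted in `dd ... seek=$DISKSIZE` and in the `sudo vmbuilder ... --rootsize $DISKSIZE` line, so an empty or non-numeric value turns into a confusing dd/vmbuilder error or extra arguments to a command run under sudo. A guard right after option parsing would catch it: `case "$DISKSIZE" in ''|*[!0-9]*) echo "--disksize expects a whole number of MB" >&2; exit 1;; esac`. The shared default also changes the KVM root size from 10240 to 12287, which the commit message does not mention, and the LXC image ends up one MiB larger than the number given because `count=1` is written after the seek.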
@@ -10,11 +10,13 @@ require 'pathname' @bitness = { 'i386' => 32, 'amd64' => 64, + 'linux64' => 64, } @arches = { 'i386' => 'i386', 'amd64' => 'x86_64', + 'linux64' => 'linux64', } def system!(cmd) From 63433e0fe6d5b9cefc9a7f6c21b5432d08cf2c08 Mon Sep 17 00:00:00 2001 From: abitmore Date: Sat, 13 Jun 2020 15:33:26 +0000 Subject: [PATCH 116/137] Update `#!/usr/bin/ruby` to `#!/usr/bin/env ruby` --- bin/gbuild | 2 +- bin/gsign | 2 +- bin/gverify | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index de761af..2a9def4 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -1,4 +1,4 @@ -#!/usr/bin/ruby +#!/usr/bin/env ruby require 'optparse' require 'yaml' diff --git a/bin/gsign b/bin/gsign index a03c810..e79a0db 100755 --- a/bin/gsign +++ b/bin/gsign @@ -1,4 +1,4 @@ -#!/usr/bin/ruby +#!/usr/bin/env ruby require 'optparse' require 'yaml' diff --git a/bin/gverify b/bin/gverify index e35c063..7a7c549 100755 --- a/bin/gverify +++ b/bin/gverify @@ -1,4 +1,4 @@ -#!/usr/bin/ruby +#!/usr/bin/env ruby require 'optparse' require 'yaml' From 357896e2e1c04e01a254854bfa5b0613282b2f6d Mon Sep 17 00:00:00 2001 From: Fabien Date: Mon, 20 Jul 2020 14:52:28 +0200 Subject: [PATCH 117/137] Don't ignore the target-bin/ directory The target-* pattern intent is to ignore the target vm file when using LXC, but it also matches the `target-bin/` directory which is an undesired side-effect. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c33c616..c0d0ba5 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ docker *.Dockerfile cache target-* +!target-bin/ From 23043eb8bf2d1fbd2d312b9d361e896ecc3f001d Mon Sep 17 00:00:00 2001 
From: Fabien Date: Tue, 18 Aug 2020 11:54:04 +0200 Subject: [PATCH 118/137] Allow for adding repositories to sources list and install packages This adds a new section to the descriptor YAML to add an entry to the `sources.list` and install packages from that source. The primary use case is to allow for installing packages from the backport repositories. Example use [from Bitcoin ABC](https://github.com/Bitcoin-ABC/bitcoin-abc/commit/82e154c2796969676ad36e18206321b0dc5091eb): ``` repositories: - "distribution": "buster-backports" "source": "deb http://deb.debian.org/debian/ buster-backports main" packages: - "cmake" ``` --- bin/gbuild | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index 2a9def4..a8b2c0c 100755 --- a/bin/gbuild +++ b/bin/gbuild 
@@ -104,12 +104,28 @@ EOF" if build_desc["sudo"] and @options[:allow_sudo] end end + if build_desc["repositories"] + info "Adding repositories to the sources list (log in var/install.log)" + for r in build_desc["repositories"] + system! "on-target -u root tee -a /etc/apt/sources.list >> var/install.log 2>&1 << EOF +#{r["source"]} +EOF" + end + end + info "Updating apt-get repository (log in var/install.log)" system! "on-target -u root apt-get update >> var/install.log 2>&1" info "Installing additional packages (log in var/install.log)" system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install #{build_desc["packages"].join(" ")} >> var/install.log 2>&1" + if build_desc["repositories"] + for r in build_desc["repositories"] + info "Installing additional packages from repository #{r["distribution"]} (log in var/install.log)" + system! "on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get -t #{r["distribution"]} --no-install-recommends -y install #{r["packages"].join(" ")} >> var/install.log 2>&1" + end + end + if build_desc["alternatives"] info "Set alternatives (log in var/install.log)" for a in build_desc["alternatives"] From e8c0ff5da9ed2eb7b00978d06997383b242b9be2 Mon Sep 17 00:00:00 2001 From: "Jason B. Cox" Date: Thu, 1 Oct 2020 16:52:04 -0700 Subject: [PATCH 119/137] By default, cleanup the target after use --- bin/gbuild | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index a8b2c0c..170a4f1 100755 --- a/bin/gbuild +++ b/bin/gbuild 
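Review bot: `r["source"]`, `r["distribution"]` and `r["packages"]` come straight from the descriptor and are interpolated into command strings that rely on redirections and a heredoc, so they are interpreted by a shell on the host, without passing through the `sanitize` helper this file uses for remotes. The heredoc delimiter is unquoted, so `$(...)` or backticks in `source` are expanded by the host shell before the text reaches `tee`, and a `source` containing a newline followed by `EOF` ends the heredoc early with the remainder run as host commands. Quoting the delimiter (`<< 'EOF'`), rejecting a `source` that contains a newline, and sanitizing the other two values, e.g. `apt-get -t #{sanitize(r["distribution"], "repository distribution")}`, keeps descriptor content confined to the target (assuming `sanitize` rejects shell metacharacters; its body is not visible here). The unchanged `build_desc["packages"].join(" ")` line has the same shape. The enclosing method starts and ends outside this hunk.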
@@ -221,6 +221,9 @@ OptionParser.new do |opts| opts.on("--skip-fetch", "skip fetching the latest git objects and refs from the remote source") do |v| @options[:skip_fetch] = v end + opts.on("--skip-cleanup", "skip cleaning up the target VM. this may be useful for copying additional files from the target after the build") do |v| + @options[:skip_cleanup] = v + end end.parse! if !ENV["USE_LXC"] and !ENV["USE_DOCKER"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") @@ -348,6 +351,11 @@ suites.each do |suite| end end +unless @options[:skip_cleanup] + info "Cleaning up target" + system "stop-target" +end + out_dir = File.join(build_dir, "out") out_sums = {} cache_common_dir = File.join(cache_dir, "common") From 47f615778059f1e0e52cf46cc0aba201d0da7899 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Mon, 23 Nov 2020 18:28:38 +0000 Subject: [PATCH 120/137] fix for spaces in names in bitcoin-core gitian.sigs --- bin/gverify | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gverify b/bin/gverify index 7a7c549..ff0e56c 100755 --- a/bin/gverify +++ b/bin/gverify @@ -19,7 +19,7 @@ def sanitize(str, where) end def sanitize_path(str, where) - raise "unsanitary string in #{where}" if (str =~ /[^@\w\/.:+-]/) + raise "unsanitary string in #{where}" if (str =~ /[^@\w\\ '\/.:+-]/) str end From 6df5db850f9590229a1c2c71ecab4208a16fd05a Mon Sep 17 00:00:00 2001 
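Review bot: The added cleanup calls plain `system "stop-target"` rather than the `system!` helper used elsewhere in this file, so a failed stop is ignored without any message, and because it sits after the `suites.each` loop it is skipped whenever a build step raises. Either case leaves the target running with the build's state in it, and in Docker mode a leftover container may block the next start (inferred; `start-target` is not part of this hunk). If ignoring the failure is deliberate, report it, e.g. `system("stop-target") or $stderr.puts "warning: stop-target failed"`, and consider running the cleanup from an `ensure` so it also happens on error.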
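Review bot: Adding backslash, space and single quote to the allow-list in `sanitize_path` weakens it for any caller that interpolates the result into a shell command string, because those three characters split arguments or change quoting. How gverify uses the return value is not visible in this hunk, so this needs checking at the call sites. Keeping the character class strict and escaping at the point of use, e.g. `Shellwords.escape(path)` (needs `require 'shellwords'`) or the multi-argument form of `system`, would support signer names with spaces without widening the sanitizer.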
From: Carl Dong Date: Thu, 3 Dec 2020 20:30:59 +0000 Subject: [PATCH 121/137] Specifically fetch the requested commit Instead of fetching all tags and all heads, just fetch the requested commit. This accomplishes two things: 1. Avoids overzealous fetching of unrelated objects from the repo 2. Allows building commits which do not belong to any branch in a repository, such as merge commits generated by DrahtBot ([example](https://github.com/bitcoin/bitcoin/commit/4cd306c4d67aac6616196da0ed1ec91d6abd46a4)). Previously this was not possible. --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 170a4f1..7b466c8 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -318,7 +318,7 @@ build_desc["remotes"].each do |remote| system!("git init inputs/#{dir}") end if !@options[:skip_fetch] - system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/*") + system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}") system!("cd inputs/#{dir} && git checkout -q #{commit}") system!("cd inputs/#{dir} && git submodule update --init --recursive --force") end From 8399df9d1b0d76f41755c2e8c9b2838812a37cba Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 7 Dec 2020 12:06:44 -0800 Subject: [PATCH 122/137] Must tag desired commit when fetching Fixes #238 --- bin/gbuild | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 7b466c8..5181833 100755 --- a/bin/gbuild +++ b/bin/gbuild 
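Review bot: Fetching only `#{commit}` updates FETCH_HEAD but creates no local ref, so when `commit` is a tag or branch name the unchanged `git checkout -q #{commit}` on the next line cannot resolve it, or resolves a stale local ref of the same name left by an earlier run. In the second case the tree that gets built need not be the one just fetched. Checking out what was fetched avoids both: `git checkout -q FETCH_HEAD`. The enclosing `remotes.each` block starts and ends outside this hunk.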
@@ -318,8 +318,8 @@ build_desc["remotes"].each do |remote| system!("git init inputs/#{dir}") end if !@options[:skip_fetch] - system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}") - system!("cd inputs/#{dir} && git checkout -q #{commit}") + system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}:refs/tags/tobuild") + system!("cd inputs/#{dir} && git checkout -q tobuild") system!("cd inputs/#{dir} && git submodule update --init --recursive --force") end commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip From 1f325d775340ee0f3f96e62350755ba9e5cde720 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 7 Dec 2020 12:11:29 -0800 Subject: [PATCH 123/137] Force tag update on fetch --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 5181833..596909d 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -318,7 +318,7 @@ build_desc["remotes"].each do |remote| system!("git init inputs/#{dir}") end if !@options[:skip_fetch] - system!("cd inputs/#{dir} && git fetch --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}:refs/tags/tobuild") + system!("cd inputs/#{dir} && git fetch -f --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}:refs/tags/tobuild") system!("cd inputs/#{dir} && git checkout -q tobuild") system!("cd inputs/#{dir} && git submodule update --init --recursive --force") end From 0c0859c9b0ab67fdd36dbaff4a36337320f973b8 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Wed, 9 Dec 2020 06:15:09 -0800 Subject: [PATCH 124/137] Lookup correct tag --- bin/gbuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gbuild b/bin/gbuild index 596909d..3648f10 100755 --- a/bin/gbuild +++ b/bin/gbuild 
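Review bot: The build now checks out `tobuild`, but the context line after the `end` still looks up the hash with `git log --format=%H -1 #{commit}`, so the value written to `in_sums` can come from a different object than the one checked out when a local ref named like `commit` is stale, or the lookup fails when no such ref exists. The recorded hash is what later identifies the input, so it should be taken from the same ref: `git log --format=%H -1 tobuild`. The fetch also has no `-f`, so a second run with a different commit may be refused once `refs/tags/tobuild` exists.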
@@ -322,7 +322,7 @@ build_desc["remotes"].each do |remote| system!("cd inputs/#{dir} && git checkout -q tobuild") system!("cd inputs/#{dir} && git submodule update --init --recursive --force") end - commit = `cd inputs/#{dir} && git log --format=%H -1 #{commit}`.strip + commit = `cd inputs/#{dir} && git log --format=%H -1 tobuild`.strip raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 in_sums << "git:#{commit} #{dir}" end From 52c3602d019c568cc5c3922b9223f049afa693a7 Mon Sep 17 00:00:00 2001 From: abitmore Date: Mon, 25 Jan 2021 12:48:40 +0000 Subject: [PATCH 125/137] Add --fetch-branches and --fetch-tags options and fix --skip-fetch --- bin/gbuild | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index 3648f10..71d8804 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -221,6 +221,12 @@ OptionParser.new do |opts| opts.on("--skip-fetch", "skip fetching the latest git objects and refs from the remote source") do |v| @options[:skip_fetch] = v end + opts.on("--fetch-branches", "fetch branches from the remote source") do |v| + @options[:fetch_branches] = v + end + opts.on("--fetch-tags", "fetch tags from the remote source") do |v| + @options[:fetch_tags] = v + end opts.on("--skip-cleanup", "skip cleaning up the target VM. this may be useful for copying additional files from the target after the build") do |v| @options[:skip_cleanup] = v end 
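Review bot: With `--skip-fetch` nothing updates `tobuild`, yet the changed lookup line now always reads it, so the recorded hash is whatever an earlier run tagged (or the command fails in a fresh checkout) regardless of the requested `commit`. The tag is written only by the fetch inside the `if !@options[:skip_fetch]` block, whose opening line is outside this hunk. Recording the checked-out commit instead, `git log --format=%H -1 HEAD`, would cover both paths, provided the skip-fetch path also checks out the requested commit.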
@@ -318,12 +324,19 @@ build_desc["remotes"].each do |remote| system!("git init inputs/#{dir}") end if !@options[:skip_fetch] - system!("cd inputs/#{dir} && git fetch -f --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}:refs/tags/tobuild") - system!("cd inputs/#{dir} && git checkout -q tobuild") - system!("cd inputs/#{dir} && git submodule update --init --recursive --force") + if @options[:fetch_branches] + system!("cd inputs/#{dir} && git fetch -f --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/heads/*:refs/heads/*") + end + if @options[:fetch_tags] + system!("cd inputs/#{dir} && git fetch -f --update-head-ok #{sanitize_path(remote["url"], remote["url"])} +refs/tags/*:refs/tags/*") + end + system!("cd inputs/#{dir} && git fetch -f --update-head-ok #{sanitize_path(remote["url"], remote["url"])} #{commit}") + system!("cd inputs/#{dir} && git checkout -q FETCH_HEAD") + else + system!("cd inputs/#{dir} && git checkout -q #{commit}") end - commit = `cd inputs/#{dir} && git log --format=%H -1 tobuild`.strip - raise "error looking up commit for tag #{remote["commit"]}" unless $?.exitstatus == 0 + system!("cd inputs/#{dir} && git submodule update --init --recursive --force") + commit = `cd inputs/#{dir} && git log --format=%H -1`.strip in_sums << "git:#{commit} #{dir}" end From f11b251b59391d36a8e47bd1e0f73e5cae6dcabf Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Thu, 8 Jul 2021 19:56:54 -0400 Subject: [PATCH 126/137] Always install sudo If sudo is not installed, --allow-sudo does not work. --- bin/make-base-vm | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index a0967ad..30e4fbf 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
@@ -147,7 +147,7 @@ if [ $DISTRO = "debian" ]; then LOCALE_PKG=locales fi -addpkg=pciutils,build-essential,git,subversion,$LOCALE_PKG,wget,lsb-release +addpkg=pciutils,build-essential,git,subversion,$LOCALE_PKG,wget,lsb-release,sudo if [ $DISTRO = "ubuntu" ]; then # Need comma at end to work around an issue with apt for Debian <= Wheezy regarding empty strings @@ -171,9 +171,6 @@ fi if [ $LXC = "1" ]; then addpkg=$addpkg,lxc - if [ $DISTRO = "debian" ]; then - addpkg=$addpkg,sudo - fi else # Lack of comma after KERNEL_PKG is not a typo addpkg=$addpkg,${KERNEL_PKG}${GRUB_PKG},openssh-server From 6fbe1bfc8a6c683c5bd8ad1aa6e08ba9d37edf59 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Sun, 11 Jul 2021 13:52:33 -0400 Subject: [PATCH 127/137] Pass num_procs and memory options into the build script It is useful to have the number of processors and memory available in the build script --- bin/gbuild | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/gbuild b/bin/gbuild index 3648f10..bf6fcc6 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -156,6 +156,8 @@ EOF" script.puts "GBUILD_COMMON_CACHE=$HOME/cache/common" end script.puts "MAKEOPTS=(-j#{@options[:num_procs]})" + script.puts "NUM_PROCS=#{@options[:num_procs]}" + script.puts "NUM_MEM=#{@options[:memory]}" script.puts author_date = nil build_desc["remotes"].each do |remote| From bfbeea865e8ea9d30e57e9b0783369b0acf9d027 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Sun, 11 Jul 2021 13:56:48 -0400 Subject: [PATCH 128/137] Allow privileged mode in docker Some builds may need docker to be in privileged mode, allow this through an environment variable --- libexec/start-target | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libexec/start-target b/libexec/start-target index 0b20f06..33b59fa 100755 --- a/libexec/start-target +++ b/libexec/start-target 
@@ -37,6 +37,10 @@ case $VMSW in echo "Gitian-${2}" > var/target.vmname ;; DOCKER) - docker run -d --name gitian-target base-$SUFFIX:latest > /dev/null + EXTRA_ARGS="" + if [ -n "$GITIAN_ALLOW_PRIVILEGED" ]; then + EXTRA_ARGS="--privileged" + fi + docker run -d --name gitian-target $EXTRA_ARGS base-$SUFFIX:latest > /dev/null ;; esac From 98f408d3231d6f09bceaaa790a3505781ca5f8d8 Mon Sep 17 00:00:00 2001 From: AbcSxyZ Date: Fri, 17 Sep 2021 13:20:24 +0200 Subject: [PATCH 129/137] Enable use of USE_* variables with 0 or 1 --- bin/gbuild | 6 +++--- libexec/copy-from-target | 10 +++++----- libexec/copy-to-target | 10 +++++----- libexec/gconfig | 2 +- libexec/make-clean-vm | 6 +++--- libexec/on-target | 8 ++++---- libexec/start-target | 6 +++--- libexec/stop-target | 6 +++--- 8 files changed, 27 insertions(+), 27 deletions(-) diff --git a/bin/gbuild b/bin/gbuild index bf6fcc6..1448880 100755 --- a/bin/gbuild +++ b/bin/gbuild @@ -43,7 +43,7 @@ def build_one_configuration(suite, arch, build_desc) bits = @bitness[arch] or raise "unknown architecture ${arch}" - if ENV["USE_LXC"] + if ENV["USE_LXC"] == "1" ENV["LXC_ARCH"] = arch ENV["LXC_SUITE"] = suite end @@ -228,7 +228,7 @@ OptionParser.new do |opts| end end.parse! -if !ENV["USE_LXC"] and !ENV["USE_DOCKER"] and !ENV["USE_VBOX"] and !File.exist?("/dev/kvm") +if ENV["USE_LXC"] != "1" and ENV["USE_DOCKER"] != "1" and ENV["USE_VBOX"] != "1" and !File.exist?("/dev/kvm") $stderr.puts "\n************* WARNING: kvm not loaded, this will probably not work out\n\n" end 
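Review bot: `--privileged` is switched on by any non-empty `GITIAN_ALLOW_PRIVILEGED`, so `GITIAN_ALLOW_PRIVILEGED=0` enables it as well. The container is where descriptor-supplied build scripts run, and a privileged container gets access to host devices and all capabilities, so the opt-in should be explicit: `if [ "$GITIAN_ALLOW_PRIVILEGED" = "1" ]; then`. A comment above the block stating that this removes most of the container's isolation, and that a specific `--cap-add` or `--device` is preferable when a build needs only one capability, would document the trade-off.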
@@ -273,7 +273,7 @@ docker_image_digests = build_desc["docker_image_digests"] || [] # if docker_image_digests are supplied, it must be the same length as suites if docker_image_digests.size > 0 and suites.size != docker_image_digests.size raise "`suites` and `docker_image_digests` must both be the same size if both are supplied" -elsif ENV["USE_DOCKER"] and docker_image_digests.size > 0 and suites.size == docker_image_digests.size +elsif ENV["USE_DOCKER"] == "1" and docker_image_digests.size > 0 and suites.size == docker_image_digests.size suites = docker_image_digests end diff --git a/libexec/copy-from-target b/libexec/copy-from-target index e3c1bb7..f95d79b 100755 --- a/libexec/copy-from-target +++ b/libexec/copy-from-target @@ -46,13 +46,13 @@ if [ $# = 0 ] ; then exit 1 fi -if [ -n "$USE_DOCKER" ]; then +if [ "$USE_DOCKER" -eq 1 ]; then # Use tar, so that files are created with the correct owner on the host docker exec -u $TUSER gitian-target tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - -elif [ -z "$USE_LXC" ]; then - src="${1%/}" # remove trailing / which triggers special rsync behaviour - rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:${src}" "$2" -else +elif [ "$USE_LXC" -eq 1 ]; then config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - +else + src="${1%/}" # remove trailing / which triggers special rsync behaviour + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "$TUSER@localhost:${src}" "$2" fi diff --git a/libexec/copy-to-target b/libexec/copy-to-target index f422e3f..91b3e1a 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target 
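Review bot: `[ "$USE_DOCKER" -eq 1 ]` in copy-from-target is an integer test, so with the variable unset or set to a non-number such as `yes` the test prints an error and evaluates false. The same pattern is added in copy-to-target, gconfig, make-clean-vm, on-target, start-target and stop-target. A string comparison avoids the error: `if [ "$USE_DOCKER" = "1" ]; then`. Setups that enabled a backend with any other non-empty value now silently fall through to the KVM/ssh branch, which is worth a line in the README.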
@@ -46,14 +46,14 @@ if [ $# = 0 ] ; then exit 1 fi -if [ -n "$USE_DOCKER" ]; then +if [ "$USE_DOCKER" -eq 1 ]; then docker exec -u $TUSER gitian-target mkdir -p "/home/$TUSER/$2" docker cp "$1" gitian-target:"/home/$TUSER/$2" docker exec -u root gitian-target chown -R $TUSER:$TUSER "/home/$TUSER/$2" -elif [ -z "$USE_LXC" ]; then - src="${1%/}" # remove trailing / which triggers special rsync behaviour - rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "${src}" "$TUSER@localhost:$2" -else +elif [ "$USE_LXC" -eq 1 ]; then config-lxc tar -C `dirname "$1"` -cf - `basename "$1"` | sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C "$2" -xf - +else + src="${1%/}" # remove trailing / which triggers special rsync behaviour + rsync --checksum -a $QUIET_FLAG -e "ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT" "${src}" "$TUSER@localhost:$2" fi diff --git a/libexec/gconfig b/libexec/gconfig index 204be94..39fe4b8 100644 --- a/libexec/gconfig +++ b/libexec/gconfig @@ -1,5 +1,5 @@ VM_SSH_PORT=2223 -if [ -n "$USE_LXC" ]; then +if [ "$USE_LXC" -eq 1 ]; then if [ -z "$LXC_EXECUTE" ]; then ver=`lxc-start --version` if dpkg --compare-versions $ver ge 1.0.0 ; then diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index 9c5cacd..852ff99 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm @@ -5,11 +5,11 @@ SUITE=xenial ARCH=amd64 VMSW=KVM -if [ -n "$USE_LXC" ]; then +if [ "$USE_LXC" -eq 1 ]; then VMSW=LXC -elif [ -n "$USE_VBOX" ]; then +elif [ "$USE_VBOX" -eq 1 ]; then VMSW=VBOX -elif [ -n "$USE_DOCKER" ]; then +elif [ "$USE_DOCKER" -eq 1 ]; then VMSW=DOCKER fi diff --git a/libexec/on-target b/libexec/on-target index 0892e4c..65154d1 100755 --- a/libexec/on-target +++ b/libexec/on-target 
@@ -46,11 +46,11 @@ fi # exit 1 #fi -if [ -n "$USE_DOCKER" ]; then +if [ "$USE_DOCKER" -eq 1 ]; then docker exec -u $TUSER -i gitian-target $* -elif [ -z "$USE_LXC" ]; then - ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT $TUSER@localhost $* -else +elif [ "$USE_LXC" -eq 1 ]; then config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -u $TUSER $ENV -i -- $* +else + ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_rsa -p $VM_SSH_PORT $TUSER@localhost $* fi diff --git a/libexec/start-target b/libexec/start-target index 33b59fa..924dbcb 100755 --- a/libexec/start-target +++ b/libexec/start-target @@ -6,11 +6,11 @@ ARCH=qemu$1 SUFFIX=$2 VMSW=KVM -if [ -n "$USE_LXC" ]; then +if [ "$USE_LXC" -eq 1 ]; then VMSW=LXC -elif [ -n "$USE_VBOX" ]; then +elif [ "$USE_VBOX" -eq 1 ]; then VMSW=VBOX -elif [ -n "$USE_DOCKER" ]; then +elif [ "$USE_DOCKER" -eq 1 ]; then VMSW=DOCKER fi diff --git a/libexec/stop-target b/libexec/stop-target index 8dcc11b..c1123b8 100755 --- a/libexec/stop-target +++ b/libexec/stop-target @@ -1,11 +1,11 @@ #!/bin/sh VMSW=KVM -if [ -n "$USE_LXC" ]; then +if [ "$USE_LXC" -eq 1 ]; then VMSW=LXC -elif [ -n "$USE_VBOX" ]; then +elif [ "$USE_VBOX" -eq 1 ]; then VMSW=VBOX -elif [ -n "$USE_DOCKER" ]; then +elif [ "$USE_DOCKER" -eq 1 ]; then VMSW=DOCKER fi From 581120b2cacdcf70a344f30d8a4eacf5dfbfdc6f Mon Sep 17 00:00:00 2001 From: AbcSxyZ Date: Fri, 17 Sep 2021 15:04:12 +0200 Subject: [PATCH 130/137] USE_* variables: compare strings instead of integers --- libexec/copy-from-target | 4 ++-- libexec/copy-to-target | 4 ++-- libexec/gconfig | 2 +- libexec/make-clean-vm | 6 +++--- libexec/on-target | 4 ++-- libexec/start-target | 6 +++--- libexec/stop-target | 6 +++--- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/libexec/copy-from-target b/libexec/copy-from-target index f95d79b..02806c3 100755 --- a/libexec/copy-from-target 
+++ b/libexec/copy-from-target @@ -46,10 +46,10 @@ if [ $# = 0 ] ; then exit 1 fi -if [ "$USE_DOCKER" -eq 1 ]; then +if [ "$USE_DOCKER" = "1" ]; then # Use tar, so that files are created with the correct owner on the host docker exec -u $TUSER gitian-target tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - -elif [ "$USE_LXC" -eq 1 ]; then +elif [ "$USE_LXC" = "1" ]; then config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C `dirname "$1"` -cf - `basename "$1"` | tar -C "$2" -xf - else diff --git a/libexec/copy-to-target b/libexec/copy-to-target index 91b3e1a..37d045f 100755 --- a/libexec/copy-to-target +++ b/libexec/copy-to-target @@ -46,11 +46,11 @@ if [ $# = 0 ] ; then exit 1 fi -if [ "$USE_DOCKER" -eq 1 ]; then +if [ "$USE_DOCKER" = "1" ]; then docker exec -u $TUSER gitian-target mkdir -p "/home/$TUSER/$2" docker cp "$1" gitian-target:"/home/$TUSER/$2" docker exec -u root gitian-target chown -R $TUSER:$TUSER "/home/$TUSER/$2" -elif [ "$USE_LXC" -eq 1 ]; then +elif [ "$USE_LXC" = "1" ]; then config-lxc tar -C `dirname "$1"` -cf - `basename "$1"` | sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -i -u $TUSER tar -C "$2" -xf - else diff --git a/libexec/gconfig b/libexec/gconfig index 39fe4b8..a046bf2 100644 --- a/libexec/gconfig +++ b/libexec/gconfig @@ -1,5 +1,5 @@ VM_SSH_PORT=2223 -if [ "$USE_LXC" -eq 1 ]; then +if [ "$USE_LXC" = "1" ]; then if [ -z "$LXC_EXECUTE" ]; then ver=`lxc-start --version` if dpkg --compare-versions $ver ge 1.0.0 ; then diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index 852ff99..8f88a00 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm @@ -5,11 +5,11 @@ SUITE=xenial ARCH=amd64 VMSW=KVM -if [ "$USE_LXC" -eq 1 ]; then +if [ "$USE_LXC" = "1" ]; then VMSW=LXC -elif [ "$USE_VBOX" -eq 1 ]; then +elif [ "$USE_VBOX" = "1" ]; then VMSW=VBOX -elif [ "$USE_DOCKER" -eq 1 ]; then +elif [ "$USE_DOCKER" = "1" ]; then VMSW=DOCKER fi 
diff --git a/libexec/on-target b/libexec/on-target index 65154d1..26c066d 100755 --- a/libexec/on-target +++ b/libexec/on-target @@ -46,9 +46,9 @@ fi # exit 1 #fi -if [ "$USE_DOCKER" -eq 1 ]; then +if [ "$USE_DOCKER" = "1" ]; then docker exec -u $TUSER -i gitian-target $* -elif [ "$USE_LXC" -eq 1 ]; then +elif [ "$USE_LXC" = "1" ]; then config-lxc sudo $LXC_EXECUTE -n gitian -f var/lxc.config -- sudo -u $TUSER $ENV -i -- $* else diff --git a/libexec/start-target b/libexec/start-target index 924dbcb..5e6a502 100755 --- a/libexec/start-target +++ b/libexec/start-target @@ -6,11 +6,11 @@ ARCH=qemu$1 SUFFIX=$2 VMSW=KVM -if [ "$USE_LXC" -eq 1 ]; then +if [ "$USE_LXC" = "1" ]; then VMSW=LXC -elif [ "$USE_VBOX" -eq 1 ]; then +elif [ "$USE_VBOX" = "1" ]; then VMSW=VBOX -elif [ "$USE_DOCKER" -eq 1 ]; then +elif [ "$USE_DOCKER" = "1" ]; then VMSW=DOCKER fi diff --git a/libexec/stop-target b/libexec/stop-target index c1123b8..169c63a 100755 --- a/libexec/stop-target +++ b/libexec/stop-target @@ -1,11 +1,11 @@ #!/bin/sh VMSW=KVM -if [ "$USE_LXC" -eq 1 ]; then +if [ "$USE_LXC" = "1" ]; then VMSW=LXC -elif [ "$USE_VBOX" -eq 1 ]; then +elif [ "$USE_VBOX" = "1" ]; then VMSW=VBOX -elif [ "$USE_DOCKER" -eq 1 ]; then +elif [ "$USE_DOCKER" = "1" ]; then VMSW=DOCKER fi From 0a60ce2cdaa6735cb130038b9ffbbd052ab5f2af Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 22 Nov 2021 10:26:59 +0100 Subject: [PATCH 131/137] Maintenance mode --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 9f58c17..ee0f84d 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,7 @@ +# MAINTENANCE MODE + +Due to the move of Bitcoin Core to [Guix](https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#building), this repository is switching to maintenance mode. Only serious bugs (including security issues) will be considered going forward. + # Gitian Read about the project goals at the [project home page](https://gitian.org/). From f07a0951d7bae8ebf4b6f37c2664bdb05ebbb4cc Mon Sep 17 00:00:00 2001 From: Vitalik-Hakim <73163003+Vitalik-Hakim@users.noreply.github.com> Date: Mon, 7 Feb 2022 23:10:24 +0000 Subject: [PATCH 132/137] Fix Release Packages not found on archive.ubuntu Fix Release Packages not found on archive.ubuntu and change it to old-releases.ubuntu. --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 30e4fbf..86aed16 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm @@ -111,7 +111,7 @@ fi MIRROR_BASE=http://${MIRROR_HOST:-$MIRROR_DEFAULT}:3142 if [ $DISTRO = "ubuntu" ]; then - MIRROR=$MIRROR_BASE/archive.ubuntu.com/ubuntu + MIRROR=$MIRROR_BASE/old-releases.ubuntu.com/ubuntu SECURITY_MIRROR=$MIRROR_BASE/security.ubuntu.com/ubuntu components=main,universe elif [ $DISTRO = "debian" ]; then From e2c4195ffce85a2d2bf32a9c9e5f9750cc7651ee Mon Sep 17 00:00:00 2001 From: Vitalik-Hakim <73163003+Vitalik-Hakim@users.noreply.github.com> Date: Wed, 9 Feb 2022 18:54:36 +0000 Subject: [PATCH 133/137] Fix Release Packages Fix Release Packages not found on archive.ubuntu and change it to old-releases.ubuntu. --- target-bin/bootstrap-fixup.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 3936b4d..ed05e9d 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in 
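Review bot: In bin/make-base-vm `MIRROR` now points at old-releases.ubuntu.com for every Ubuntu suite, while that host is the archive for releases that have reached end of life, so bootstrapping a still-supported suite is likely to fail, and images built from it are by definition past their security-update window. Making the archive path selectable keeps both cases working, e.g. `MIRROR=$MIRROR_BASE/${UBUNTU_MIRROR_PATH:-archive.ubuntu.com/ubuntu}` (variable name is a suggestion). The follow-up change to the sources.list lines in target-bin/bootstrap-fixup.in has the same issue.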
@@ -6,9 +6,9 @@ DISTRIB_NAME=`lsb_release -is` DISTRIB_CODENAME=`lsb_release -cs` if [ $DISTRIB_NAME = "Ubuntu" ]; then - echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/old-releases.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list - echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/old-releases.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list elif [ $DISTRIB_NAME = "Debian" ]; then echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME main" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list From 88c9b37ffc9dbabff6992480be4609dbc9e78706 Mon Sep 17 00:00:00 2001 From: Devrandom Date: Mon, 21 Feb 2022 09:27:45 -0800 Subject: [PATCH 134/137] Revert "Fix Release Packages " This reverts commit e2c4195ffce85a2d2bf32a9c9e5f9750cc7651ee. --- target-bin/bootstrap-fixup.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index ed05e9d..3936b4d 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in 
@@ -6,9 +6,9 @@ DISTRIB_NAME=`lsb_release -is` DISTRIB_CODENAME=`lsb_release -cs` if [ $DISTRIB_NAME = "Ubuntu" ]; then - echo "deb http://HOSTIP:3142/old-releases.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.ubuntu.com/ubuntu $DISTRIB_CODENAME-security main universe" >> $1/etc/apt/sources.list - echo "deb http://HOSTIP:3142/old-releases.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list + echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list elif [ $DISTRIB_NAME = "Debian" ]; then echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME main" > $1/etc/apt/sources.list echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list From 3f472fc484a6802499e796d27b7ace57fc8876ae Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Sat, 26 Feb 2022 19:36:21 +0000 Subject: [PATCH 135/137] make-clean-vm: Specify backing_fmt to qemu-img explicitly Recent versions of qemu require it now --- libexec/make-clean-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/make-clean-vm b/libexec/make-clean-vm index 52d3c87..fe07d89 100755 --- a/libexec/make-clean-vm +++ b/libexec/make-clean-vm 
@@ -53,7 +53,7 @@ OUT=target-$SUITE-$ARCH case $VMSW in KVM) - qemu-img create -f qcow2 -o backing_file="$BASE.qcow2" "$OUT.qcow2" + qemu-img create -f qcow2 -o backing_fmt=qcow2,backing_file="$BASE.qcow2" "$OUT.qcow2" ;; LXC) cp -a $BASE $OUT From 21c5850f8c59a709458325168d6d1bd46ce2cfd8 Mon Sep 17 00:00:00 2001 From: Charlie O'Keefe Date: Fri, 18 Mar 2022 16:29:18 -0600 Subject: [PATCH 136/137] Add Debian 11 Buster security line format described here: https://wiki.debian.org/NewInBullseye --- target-bin/bootstrap-fixup.in | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/target-bin/bootstrap-fixup.in b/target-bin/bootstrap-fixup.in index 3936b4d..3cc4da4 100755 --- a/target-bin/bootstrap-fixup.in +++ b/target-bin/bootstrap-fixup.in @@ -4,6 +4,7 @@ set -e DISTRIB_NAME=`lsb_release -is` DISTRIB_CODENAME=`lsb_release -cs` +DISTRIB_NUMBER=`lsb_release -rs` if [ $DISTRIB_NAME = "Ubuntu" ]; then echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME main universe" > $1/etc/apt/sources.list 
@@ -11,7 +12,15 @@ if [ $DISTRIB_NAME = "Ubuntu" ]; then echo "deb http://HOSTIP:3142/archive.ubuntu.com/ubuntu $DISTRIB_CODENAME-updates main universe" >> $1/etc/apt/sources.list elif [ $DISTRIB_NAME = "Debian" ]; then echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME main" > $1/etc/apt/sources.list - echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list + + # This line format changed with the release of Debian 11 Buster + # https://wiki.debian.org/NewInBullseye + if [ $DISTRIB_NUMBER -ge 11 ]; then + echo "deb http://HOSTIP:3142/security.debian.org/debian-security $DISTRIB_CODENAME-security main" >> $1/etc/apt/sources.list + else + echo "deb http://HOSTIP:3142/security.debian.org/ $DISTRIB_CODENAME/updates main" >> $1/etc/apt/sources.list + fi + echo "deb http://HOSTIP:3142/ftp.debian.org/debian $DISTRIB_CODENAME-updates main" >> $1/etc/apt/sources.list # grub-legacy conflicts grub-pc dependencies # No grub-legacy on Ubuntu, just on Debian From 3b2334b0659d3a1440d3252cfcef456baf801d99 Mon Sep 17 00:00:00 2001 From: Patrick Lodder Date: Mon, 9 May 2022 23:24:39 +0200 Subject: [PATCH 137/137] Revert "Fix Release Packages not found on archive.ubuntu " This reverts commit f07a0951d7bae8ebf4b6f37c2664bdb05ebbb4cc. --- bin/make-base-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/make-base-vm b/bin/make-base-vm index 86aed16..30e4fbf 100755 --- a/bin/make-base-vm +++ b/bin/make-base-vm 
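Review bot: `[ $DISTRIB_NUMBER -ge 11 ]` is an unquoted integer test on the output of `lsb_release -rs`, which is not always a plain integer (point releases such as `9.13`, or values like `testing` or `n/a`); the test then errors and falls into the old-format branch. For a non-numeric release newer than 11 that writes the pre-11 security line, so the image would not get a working security repository. Comparing only the major part and quoting it handles the numeric cases: `if [ "${DISTRIB_NUMBER%%.*}" -ge 11 ] 2>/dev/null; then`. The added comment also names Debian 11 as Buster; Debian 11 is Bullseye, as the linked wiki page name indicates.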
@@ -111,7 +111,7 @@ fi MIRROR_BASE=http://${MIRROR_HOST:-$MIRROR_DEFAULT}:3142 if [ $DISTRO = "ubuntu" ]; then - MIRROR=$MIRROR_BASE/old-releases.ubuntu.com/ubuntu + MIRROR=$MIRROR_BASE/archive.ubuntu.com/ubuntu SECURITY_MIRROR=$MIRROR_BASE/security.ubuntu.com/ubuntu components=main,universe elif [ $DISTRO = "debian" ]; then