Merge "Fix Gentoo hardened support"

2016-02-02 20:49:30 +00:00 · 2016-02-02 20:49:30 +00:00 · 4526cf23ec
commit 4526cf23ec
parent 66184b7b40 01fce7b70c
10 changed files with 90 additions and 6 deletions
--- a/bin/disk-image-create
+++ b/bin/disk-image-create
@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
    fi
 fi

+# xattr support cannot be relied upon with tmpfs builds
+# some kernels supoprt it, some don't
+if [[ -n "${GENTOO_PROFILE}" ]]; then
+    if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
+        echo 'disabling tmpfs for gentoo hardened build'
+        export DIB_NO_TMPFS=1
+    fi
+fi
+
 mk_build_dir
 create_base
 # This variable needs to be propagated into the chroot
--- a/elements/base/pkg-map
+++ b/elements/base/pkg-map
@ -5,6 +5,28 @@
    },
    "suse": {
      "dkms_package": ""
+    },
+    "gentoo": {
+      "ccache_package": "dev-util/ccache",
+      "curl": "net-misc/curl",
+      "dhcp_client": "net-misc/dhcp",
+      "dkms_package": "",
+      "extlinux": "sys-boot/syslinux",
+      "git": "dev-vcs/git",
+      "grub_bios": "sys-boot/grub",
+      "grub-pc": "sys-boot/grub",
+      "ironic-python-agent": "",
+      "iscsi_package": "sys-block/open-iscsi",
+      "isc-dhcp-client": "net-misc/dhcp",
+      "isolinux": "",
+      "ncat": "net-analyzer/netcat",
+      "qemu-utils": "app-emulation/qemu",
+      "python-dev": "",
+      "PyYAML": "dev-python/pyyaml",
+      "syslinux": "sys-boot/syslinux",
+      "syslinux-common": "",
+      "tftp": "net-ftp/tftp-hpa",
+      "tgt": "sys-block/tgt"
    }
  },
  "default": {
--- a/elements/gentoo/bin/install-packages
+++ b/elements/gentoo/bin/install-packages
@ -34,6 +34,12 @@ function show_options {

 function fix_shm {
    if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
+        if [[ -L /dev/shm.orig ]]; then
+            rm /dev/shm.orig
+        fi
+        if [[ -d /dev/shm.orig ]]; then
+            rm -Rf /dev/shm.orig
+        fi
        mv /dev/shm /dev/shm.orig
        mkdir /dev/shm
        mount -t tmpfs none /dev/shm
@ -53,7 +59,7 @@ function unfix_shm {
 function install_gentoo_packages {
    RUN_ONCE_SHM='1'
    fix_shm
-    emerge "$@"
+    emerge $@
    unfix_shm
 }

--- a/elements/gentoo/element-deps
+++ b/elements/gentoo/element-deps
@ -1,2 +1,3 @@
 cache-url
 dib-run-parts
+package-installs
--- a/elements/gentoo/environment.d/00-gentoo-distro-name.bash
+++ b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
@ -0,0 +1,2 @@
+export DISTRO_NAME=gentoo
+export GENTOO_PROFILE=$(eselect profile show | tail -n 1)
--- a/elements/gentoo/environment.d/10-gentoo-distro-name.bash
+++ b/elements/gentoo/environment.d/10-gentoo-distro-name.bash
@ -1 +0,0 @@
-export DISTRO_NAME=gentoo
--- a/elements/gentoo/package-installs.yaml
+++ b/elements/gentoo/package-installs.yaml
@ -0,0 +1 @@
+sys-fs/dosfstools:
--- a/elements/gentoo/post-install.d/99-cleanup
+++ b/elements/gentoo/post-install.d/99-cleanup
@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# make sure system is in a consistant state
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+
+# update config files
+etc-update --automode -5
+
+# clean up portage files
+emerge --verbose=n --depclean
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+
+# clean up files that may have been changed during build
+shopt -s extglob
+rm -Rf /tmp/!(ccache|in_target*|profiledir*)
+shopt -u extglob
+
+rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
+rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
+
+# shrink a bit
+for i in $(find /var/log -type f); do echo > $i; done
+find /usr/share/man/ -mindepth 1  -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# make it so we don't have to reinstall grub
+if [[ -a /usr/sbin/grub2-install ]]; then
+    mkdir -p /tmp/grub
+    touch /tmp/grub/install
+fi
--- a/elements/gentoo/pre-install.d/01-gentoo-install
+++ b/elements/gentoo/pre-install.d/01-gentoo-install
@ -7,3 +7,8 @@ set -eu
 set -o pipefail

 install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
+
+# migrate pt_pax flags to xt_pax
+if [[ -a /usr/sbin/migrate-pax ]]; then
+    /usr/sbin/migrate-pax -m
+fi
--- a/elements/gentoo/root.d/10-gentoo-image
+++ b/elements/gentoo/root.d/10-gentoo-image
@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
 GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
 if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
    FILENAME_BASE='gentoo-stage4'
-    SIGNED_SOURCE_SUFFIX='cloud'
+    SIGNED_SOURCE_SUFFIX='minimal'
 elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
    FILENAME_BASE='gentoo-stage4-nomultilib'
-    SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
    FILENAME_BASE='gentoo-stage4-hardened'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
    FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
 else
    echo 'invalid profile, please select from the following profiles'
    echo 'default/linux/amd64/13.0'