diskimage-builder/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
Sam Yaple c144246cc9
Add keyring if supplied
When building with debootstrap, debootstrap will use the key to check
that everything is properly signed. It will not `apt-key add` the key
into the final environment, however.

Early adding the key after debootstrap before we need to read from the
private repo again prevents unsigned issues. This also maintains the
integrity of the packages in the environment throughout the build.

Change-Id: I5ca75ae4620c9fb26b512cb30f8cd79fa7a0373a
2018-07-02 14:33:35 -04:00

71 lines
2.3 KiB
Bash
Executable File

#!/bin/bash
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
# NOTE(SamYaple): Add the keyring deboostrap used if specified
if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
fi
# We should manage this in a betterer way
sudo bash -c "cat << EOF >$TARGET_ROOT/etc/apt/sources.list
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-updates ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-backports ${DIB_DEBIAN_COMPONENTS//,/ }
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
EOF"
sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
# Need to update to retrieve the signed Release file
$apt_get update
$apt_get clean
$apt_get dist-upgrade -y
to_install=""
# pre-bionic (18.04) brought this in via debootstrap, but init
# dependencies have narrowed in the container world, so now we add it
# explicitly here so it's brought in early.
if [ $DIB_RELEASE != "trusty" ] && [ $DIB_RELEASE != "xenial" ]; then
to_install+="systemd-sysv "
fi
# default required
to_install+="busybox sudo " # dib-lint: safe_sudo
if [ "$DIB_PYTHON_VERSION" == "2" ]; then
to_install+="python "
elif [ "$DIB_PYTHON_VERSION" == "3" ]; then
to_install+="python3 "
else
echo "ERROR: DIB_PYTHON_VERSION is '$DIB_PYTHON_VERSION' but needs to be 2 or 3"
exit 1
fi
$apt_get install -y $to_install