672705831f
As motivation for this; we have had two breakouts of dib in recent memory. One was a failure to unmount through symlinks in the core code (I335316019ef948758392b03e91f9869102a472b9) and the other was removing host keys on the build-system (Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce). For the most part, dib runs unprivileged. Bits of the core code are hopefully well tested (modulo bugs like the first one!). We give free reign inside the chroot (although there is still some potential there for adverse external affects via bind mounts). Where we could be a bit safer (and could have prevented at least the second of these breakouts) is with some better checking that the "sudo" calls *outside* the chroot at least looked sane. This adds a basic check that we're using chroot or image paths when calling sudo in those parts of elements that run *outside* the chroot. Various files are updated to accomodate this check; mostly by just ignoring it for existing code (I have not audited these calls). Nobody is pretending this type of checking makes dib magically safe, or removes the issues with it needing to do things as root during the build. But this can help find egregious errors like the key removal. Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
51 lines
1.7 KiB
Bash
Executable file
51 lines
1.7 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# dib-lint: disable=safe_sudo
|
|
|
|
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
|
|
[ -n "$TARGET_ROOT" ]
|
|
|
|
source $_LIB/img-functions
|
|
|
|
IMAGE_PATH=$(readlink -f $IMAGE_NAME)
|
|
cd $TARGET_ROOT
|
|
|
|
echo "#disabled" > ./tmp/fstab.new
|
|
sudo mv ./tmp/fstab.new ./etc/fstab
|
|
sudo ln -s ./sbin/init ./
|
|
|
|
# Remove python object files, they're not particularly useful for a ramdisk
|
|
sudo find ./usr -name "*.pyc" -or -name "*.pyo" -delete
|
|
|
|
# Note: The pci.ids, which is used by lshw, locate on Ubuntu
|
|
# in /usr/share/misc. Therefore we are removing only the
|
|
# ./usr/share/misc/m* (will remove the magic and magic.mgc files).
|
|
# on RHEL pci.ids is locate on /usr/share/hwdata/pci.ids.
|
|
sudo find . -xdev \
|
|
-path './sys/*' -prune -o \
|
|
-path './tmp/*' -prune -o \
|
|
-path './boot/*' -prune -o \
|
|
-path './root/.cache' -prune -o \
|
|
-path './usr/lib/locale/*' -prune -o \
|
|
-path './usr/share/doc/*' -prune -o \
|
|
-path './usr/share/man/*' -prune -o \
|
|
-path './usr/share/info/*' -prune -o \
|
|
-path './usr/share/licenses/*' -prune -o \
|
|
-path './usr/share/misc/m*' -prune -o \
|
|
-print | sudo cpio -o -H newc | gzip > ${IMAGE_PATH}.initramfs
|
|
|
|
select_boot_kernel_initrd $TARGET_ROOT
|
|
sudo cp $BOOTDIR/$KERNEL ${IMAGE_PATH}.kernel
|
|
|
|
# TODO(lucasagomes): Create a hard link for the .vmlinuz file to keep
|
|
# it backward compatible. Remove it after it has been consistent and
|
|
# documented in both places for at least one full OpenStack release cycle
|
|
echo "WARNING: The kernel extension .vmlinuz has been deprecated. Please rely on the file with the extension .kernel instead."
|
|
sudo rm -f ${IMAGE_PATH}.vmlinuz
|
|
sudo ln ${IMAGE_PATH}.kernel ${IMAGE_PATH}.vmlinuz
|