diskimage-builder/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
Sam Yaple c144246cc9
Add keyring if supplied
When building with debootstrap, debootstrap will use the key to check
that everything is properly signed. It will not `apt-key add` the key
into the final environment, however.

Early adding the key after debootstrap before we need to read from the
private repo again prevents unsigned issues. This also maintains the
integrity of the packages in the environment throughout the build.

Change-Id: I5ca75ae4620c9fb26b512cb30f8cd79fa7a0373a
2018-07-02 14:33:35 -04:00

83 lines
2.5 KiB
Bash
Executable file

#!/bin/bash
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
# Copyright (c) 2016 Andreas Florath (andreas@florath.net)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# dib-lint: disable=safe_sudo
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
# NOTE(SamYaple): Add the keyring deboostrap used if specified
if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
fi
# Writes the apt sources files.
# The description is passed in via line coded elements.
# (The approach using associative arrays for configuration faild,
# because it looks that there is no way to handle defaults in
# this case - and additionally we run with '-u'.)
function apt_sources_write {
local APT_SOURCES_CONF="$1"
sudo mkdir -p $TARGET_ROOT/etc/apt/sources.list.d
echo "${APT_SOURCES_CONF}" \
| while read line; do
local name=$(echo ${line} | cut -d ":" -f 1)
local value=$(echo ${line} | cut -d ":" -f 2-)
echo "$value" | sudo tee $TARGET_ROOT/etc/apt/sources.list.d/${name}.list
done
}
sudo mount -t proc none $TARGET_ROOT/proc
sudo mount -t sysfs none $TARGET_ROOT/sys
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get"
apt_sources_write "${DIB_APT_SOURCES_CONF}"
# Need to update to retrieve the signed Release file
$apt_get update
$apt_get clean
$apt_get dist-upgrade -y
to_install=""
# pre-stretch (9.0) brought this in via debootstrap, but init
# dependencies have narrowed in the container world, so now we add it
# explicitly here so it's brought in early.
to_install+="systemd-sysv "
# default required
to_install+="busybox sudo "
if [ "$DIB_PYTHON_VERSION" == "2" ]; then
to_install+="python "
elif [ "$DIB_PYTHON_VERSION" == "3" ]; then
to_install+="python3 "
else
echo "ERROR: DIB_PYTHON_VERSION is '$DIB_PYTHON_VERSION' but needs to be 2 or 3"
exit 1
fi
$apt_get install -y $to_install