c144246cc9
When building with debootstrap, debootstrap will use the key to check that everything is properly signed. It will not `apt-key add` the key into the final environment, however. Early adding the key after debootstrap before we need to read from the private repo again prevents unsigned issues. This also maintains the integrity of the packages in the environment throughout the build. Change-Id: I5ca75ae4620c9fb26b512cb30f8cd79fa7a0373a
83 lines
2.5 KiB
Bash
Executable file
83 lines
2.5 KiB
Bash
Executable file
#!/bin/bash
|
|
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
|
|
# Copyright (c) 2016 Andreas Florath (andreas@florath.net)
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
#
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# dib-lint: disable=safe_sudo
|
|
|
|
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
# NOTE(SamYaple): Add the keyring deboostrap used if specified
|
|
if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
|
|
cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
|
|
fi
|
|
|
|
# Writes the apt sources files.
|
|
# The description is passed in via line coded elements.
|
|
# (The approach using associative arrays for configuration faild,
|
|
# because it looks that there is no way to handle defaults in
|
|
# this case - and additionally we run with '-u'.)
|
|
function apt_sources_write {
|
|
local APT_SOURCES_CONF="$1"
|
|
|
|
sudo mkdir -p $TARGET_ROOT/etc/apt/sources.list.d
|
|
|
|
echo "${APT_SOURCES_CONF}" \
|
|
| while read line; do
|
|
local name=$(echo ${line} | cut -d ":" -f 1)
|
|
local value=$(echo ${line} | cut -d ":" -f 2-)
|
|
echo "$value" | sudo tee $TARGET_ROOT/etc/apt/sources.list.d/${name}.list
|
|
done
|
|
}
|
|
|
|
sudo mount -t proc none $TARGET_ROOT/proc
|
|
sudo mount -t sysfs none $TARGET_ROOT/sys
|
|
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
|
|
|
|
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get"
|
|
|
|
apt_sources_write "${DIB_APT_SOURCES_CONF}"
|
|
|
|
# Need to update to retrieve the signed Release file
|
|
$apt_get update
|
|
|
|
$apt_get clean
|
|
$apt_get dist-upgrade -y
|
|
|
|
to_install=""
|
|
|
|
# pre-stretch (9.0) brought this in via debootstrap, but init
|
|
# dependencies have narrowed in the container world, so now we add it
|
|
# explicitly here so it's brought in early.
|
|
to_install+="systemd-sysv "
|
|
|
|
# default required
|
|
to_install+="busybox sudo "
|
|
|
|
if [ "$DIB_PYTHON_VERSION" == "2" ]; then
|
|
to_install+="python "
|
|
elif [ "$DIB_PYTHON_VERSION" == "3" ]; then
|
|
to_install+="python3 "
|
|
else
|
|
echo "ERROR: DIB_PYTHON_VERSION is '$DIB_PYTHON_VERSION' but needs to be 2 or 3"
|
|
exit 1
|
|
fi
|
|
|
|
$apt_get install -y $to_install
|