c144246cc9
When building with debootstrap, debootstrap will use the key to check that everything is properly signed. It will not `apt-key add` the key into the final environment, however. Early adding the key after debootstrap before we need to read from the private repo again prevents unsigned issues. This also maintains the integrity of the packages in the environment throughout the build. Change-Id: I5ca75ae4620c9fb26b512cb30f8cd79fa7a0373a
70 lines
2.3 KiB
Bash
Executable file
70 lines
2.3 KiB
Bash
Executable file
#!/bin/bash
|
|
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
#
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
# NOTE(SamYaple): Add the keyring deboostrap used if specified
|
|
if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
|
|
cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
|
|
fi
|
|
|
|
# We should manage this in a betterer way
|
|
sudo bash -c "cat << EOF >$TARGET_ROOT/etc/apt/sources.list
|
|
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE ${DIB_DEBIAN_COMPONENTS//,/ }
|
|
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-updates ${DIB_DEBIAN_COMPONENTS//,/ }
|
|
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-backports ${DIB_DEBIAN_COMPONENTS//,/ }
|
|
deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
|
|
EOF"
|
|
|
|
sudo mount -t proc none $TARGET_ROOT/proc
|
|
sudo mount -t sysfs none $TARGET_ROOT/sys
|
|
trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
|
|
|
|
apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
|
|
|
|
# Need to update to retrieve the signed Release file
|
|
$apt_get update
|
|
|
|
$apt_get clean
|
|
$apt_get dist-upgrade -y
|
|
|
|
to_install=""
|
|
|
|
# pre-bionic (18.04) brought this in via debootstrap, but init
|
|
# dependencies have narrowed in the container world, so now we add it
|
|
# explicitly here so it's brought in early.
|
|
if [ $DIB_RELEASE != "trusty" ] && [ $DIB_RELEASE != "xenial" ]; then
|
|
to_install+="systemd-sysv "
|
|
fi
|
|
|
|
# default required
|
|
to_install+="busybox sudo " # dib-lint: safe_sudo
|
|
|
|
if [ "$DIB_PYTHON_VERSION" == "2" ]; then
|
|
to_install+="python "
|
|
elif [ "$DIB_PYTHON_VERSION" == "3" ]; then
|
|
to_install+="python3 "
|
|
else
|
|
echo "ERROR: DIB_PYTHON_VERSION is '$DIB_PYTHON_VERSION' but needs to be 2 or 3"
|
|
exit 1
|
|
fi
|
|
|
|
$apt_get install -y $to_install
|