diskimage-builder/diskimage_builder/elements/gentoo/root.d/10-gentoo-image
Matthew Thode 9755c4f9a2
update gentoo systemd profile to 17.1 from 17.0
Upstream is now publishing 17.1 profile systemd stages

Also updates the docs that were forgotten in the last patch

Change-Id: I0f2e7976845b1d3c55ffe8869eec0bc04a191252
2019-08-19 15:13:09 -05:00


#!/bin/bash
# Copyright 2016 Matthew Thode
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Turn on command tracing when the DIB debug level asks for it.
[ "${DIB_DEBUG_TRACE:-0}" -gt 0 ] && set -x

# Abort on command failure, on unset variables and on failed pipeline stages.
set -euo pipefail

# Both variables must be set and non-empty; with -e/-u in effect a missing or
# empty value stops the script here.
test -n "${ARCH}"
test -n "${TARGET_ROOT}"

# Accept the 'amd64' spelling as an alias for x86_64.
case "${ARCH}" in
    amd64) ARCH='x86_64' ;;
esac

# Every other architecture is rejected.
if [ "${ARCH}" != 'x86_64' ]; then
    echo "Only x86_64 images are currently available but ARCH is set to ${ARCH}."
    exit 1
fi
# Profiles accepted by this element:
#   default/linux/amd64/17.1
#   default/linux/amd64/17.1/no-multilib
#   default/linux/amd64/17.1/hardened
#   default/linux/amd64/17.1/no-multilib/hardened
#   default/linux/amd64/17.1/systemd
# Each profile selects FILENAME_BASE (stem of the cached file names) and
# SIGNED_SOURCE_SUFFIX (suffix of the upstream "latest-stage4" pointer file).
GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/17.1'}
case "${GENTOO_PROFILE}" in
    'default/linux/amd64/17.1')
        FILENAME_BASE='gentoo-stage4'
        SIGNED_SOURCE_SUFFIX='minimal'
        ;;
    'default/linux/amd64/17.1/no-multilib')
        FILENAME_BASE='gentoo-stage4-nomultilib'
        SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
        ;;
    'default/linux/amd64/17.1/hardened')
        FILENAME_BASE='gentoo-stage4-hardened'
        SIGNED_SOURCE_SUFFIX='hardened+minimal'
        ;;
    'default/linux/amd64/17.1/no-multilib/hardened')
        FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
        SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
        ;;
    'default/linux/amd64/17.1/systemd')
        FILENAME_BASE='gentoo-stage4-systemd'
        SIGNED_SOURCE_SUFFIX='systemd'
        ;;
    *)
        # Unknown profile: list the accepted values and stop.
        printf '%s\n' \
            'invalid profile, please select from the following profiles' \
            'default/linux/amd64/17.1' \
            'default/linux/amd64/17.1/no-multilib' \
            'default/linux/amd64/17.1/hardened' \
            'default/linux/amd64/17.1/no-multilib/hardened' \
            'default/linux/amd64/17.1/systemd'
        exit 1
        ;;
esac
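# Work out what to download and where to cache it. Every value except the two
# cache paths can be overridden from the environment.
#
# NOTE(review): the default URLs are plain HTTP, so neither the pointer file
# nor the downloads are transport-authenticated. Integrity rests on the GPG
# signature and SHA512 comparison done after the download. Those checks show
# that the tarball is a signed release, not that it is the newest one.
# Confirm whether an HTTPS mirror can be used here.

# Pointer file naming the most recent stage4 tarball for the chosen profile.
DIB_CLOUD_SOURCE=${DIB_CLOUD_SOURCE:-"http://distfiles.gentoo.org/releases/amd64/autobuilds/latest-stage4-amd64-${SIGNED_SOURCE_SUFFIX}.txt"}

if [ -z "${BASE_IMAGE_FILE:-}" ]; then
    # The first space-separated field of the pointer file's last line is the
    # tarball path relative to the autobuilds directory.
    LATEST_STAGE4_PATH=$(curl -s -f "${DIB_CLOUD_SOURCE}" | tail -n 1 | cut -d' ' -f 1)
    if [ -z "${LATEST_STAGE4_PATH}" ]; then
        # An empty path would turn the download URL into the bare directory.
        echo "no stage4 path found in ${DIB_CLOUD_SOURCE}"
        exit 1
    fi
    BASE_IMAGE_FILE="http://distfiles.gentoo.org/releases/amd64/autobuilds/${LATEST_STAGE4_PATH}"
fi

# Second and third dot-separated fields of the tarball's file name; used as
# the cached file's extension and to pick the digest line after download.
BASE_IMAGE_FILE_SUFFIX=${BASE_IMAGE_FILE_SUFFIX:-"$(basename "${BASE_IMAGE_FILE}" | cut -d. -f 2,3)"}

# Signed digest list published next to the tarball.
SIGNATURE_FILE="${SIGNATURE_FILE:-${BASE_IMAGE_FILE}.DIGESTS.asc}"

# Local cache locations for the tarball and its signed digest list.
CACHED_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.${BASE_IMAGE_FILE_SUFFIX}"
CACHED_SIGNATURE_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.asc"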
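# Fetch the stage4 tarball and its signed digest list, then check both before
# the tarball is used. DIB_OFFLINE is read with an empty default so that an
# unset variable does not abort the script under `set -u`.
if [ -n "${DIB_OFFLINE:-}" ] && [ -f "${CACHED_FILE}" ]; then
    # NOTE(review): this branch reuses the cached tarball without re-running
    # the signature or checksum checks below. The cache directory is therefore
    # trusted as-is in offline mode. Confirm that this is intended.
    echo "Not checking freshness of cached ${CACHED_FILE}"
else
    echo 'Fetching Base Image'
    "${TMP_HOOKS_PATH}"/bin/cache-url "${SIGNATURE_FILE}" "${CACHED_SIGNATURE_FILE}"
    "${TMP_HOOKS_PATH}"/bin/cache-url "${BASE_IMAGE_FILE}" "${CACHED_FILE}"
    pushd "${DIB_IMAGE_CACHE}"

    # Import the release key shipped with this element into a throwaway
    # keyring. The key can be verified at one of the following places:
    # https://wiki.gentoo.org/wiki/Project:RelEng#Keys
    # https://dev.gentoo.org/~dolsen/releases/keyrings/gentoo-keys-*.tar.xz
    # http://distfiles.gentoo.org/distfiles/gentoo-keys-*.tar.xz
    GPGDIR=$(mktemp -d -t)
    if ! gpg --no-default-keyring --keyring "${GPGDIR}"/gentookeys.gpg --import "${TMP_HOOKS_PATH}"/extra-data.d/gentoo-releng.gpg; then
        rm -rf -- "${GPGDIR:?}"
        echo 'unable to import the release signing key'
        exit 1
    fi

    # Check the signature on the digest list. The command is tested directly
    # because under `set -e` a separate `$?` check after a failed gpgv is never
    # reached, so neither the message nor the cleanup would run.
    if ! gpgv --keyring "${GPGDIR}"/gentookeys.gpg "${CACHED_SIGNATURE_FILE}"; then
        rm -rf -- "${GPGDIR:?}"
        echo 'invalid signature file'
        exit 1
    fi
    rm -rf -- "${GPGDIR:?}"
    echo 'valid key used'

    # NOTE(review): gpgv is given a single file, so the signature is inline and
    # covers only the signed portion of that file. The grep below reads the
    # whole file, including any text outside the signed portion. Consider
    # taking the digest from the verified payload only (recent gpgv can write
    # it out with --output). Confirm tool support on the build hosts.
    CACHED_SHA512SUM=$(grep -A1 -e 'SHA512' "${CACHED_SIGNATURE_FILE}" | grep -e "${BASE_IMAGE_FILE_SUFFIX}$" | cut -d' ' -f 1)
    ACTUAL_SHA512SUM=$(sha512sum "${CACHED_FILE}" | cut -d' ' -f 1)

    # The expected value must be exactly one SHA512 hex digest. An empty or
    # multi-line match is rejected explicitly instead of relying on the string
    # comparison below to fail.
    if ! [[ "${CACHED_SHA512SUM}" =~ ^[0-9a-f]{128}$ ]]; then
        echo "no unique SHA512 digest for ${CACHED_FILE} in ${CACHED_SIGNATURE_FILE}"
        exit 1
    fi
    if [[ "${ACTUAL_SHA512SUM}" != "${CACHED_SHA512SUM}" ]]; then
        echo "invalid checksum on downloaded tarball: ${CACHED_FILE}"
        exit 1
    fi
    echo 'valid checksum'
    popd
fi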
# Unpack the base image into the target root. Ownership is restored by
# numeric UID/GID so that it follows the tarball and does not depend on the
# host's user database; extended attributes are restored as well.
# NOTE(review): extraction runs as root. When the offline branch earlier in
# this script reused the cache, the tarball was not re-verified in this run.
sudo tar \
    --directory="${TARGET_ROOT}" \
    --numeric-owner \
    --xattrs \
    --extract \
    --file="${CACHED_FILE}"