bea81bd234
Adds: 1. grub-efi package mappings 2. efi-64 support 3. default (openrc) arm64 profile 4. systemd arm64 profile Cleans up the keywords and use flags in 02-gentoo-02-flags. Most stuff was stablized. Also cleaned up some formatting for the if statements. Enables less trusted overlays (up to the end user to verify). in 10-gentoo-image I cleaned up some bash lint things as well. using && instead of -a and avoiding $? Change-Id: I3dffe1aab4bbdc4946a9bf2269bf0cde49529a4e
131 lines
5.5 KiB
Bash
Executable File
131 lines
5.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2016 Matthew Thode
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
[ -n "${ARCH}" ]
|
|
[ -n "${TARGET_ROOT}" ]
|
|
|
|
if [ 'amd64' = "${ARCH}" ] ; then
|
|
ARCH='x86_64'
|
|
fi
|
|
|
|
if [[ 'x86_64' != "${ARCH}" ]] && [[ 'arm64' != "${ARCH}" ]]; then
|
|
echo "Only x86_64 or arm64 images are currently available but ARCH is set to ${ARCH}."
|
|
exit 1
|
|
fi
|
|
|
|
# valid gentoo profiles are as follows
|
|
# default/linux/amd64/13.0
|
|
# default/linux/amd64/13.0/no-multilib
|
|
# hardened/linux/amd64
|
|
# hardened/linux/amd64/no-multilib
|
|
# default/linux/arm64/17.0
|
|
# default/linux/arm64/17.0/systemd
|
|
GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/17.1'}
|
|
if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.1" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3'
|
|
SIGNED_SOURCE_SUFFIX=''
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.1/no-multilib" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3-nomultilib'
|
|
SIGNED_SOURCE_SUFFIX='-nomultilib'
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.1/hardened" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3-hardened'
|
|
SIGNED_SOURCE_SUFFIX='-hardened'
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.1/no-multilib/hardened" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3-hardened-nomultilib'
|
|
SIGNED_SOURCE_SUFFIX='-hardened+nomultilib'
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.0/musl/hardened" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3-hardened-musl'
|
|
SIGNED_SOURCE_SUFFIX='-musl-hardened'
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/17.1/systemd" ]]; then
|
|
FILENAME_BASE='amd64_gentoo-stage3-systemd'
|
|
SIGNED_SOURCE_SUFFIX='-systemd'
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/arm64/17.0" ]]; then
|
|
FILENAME_BASE='arm64_gentoo-stage3'
|
|
SIGNED_SOURCE_SUFFIX=''
|
|
elif [[ "${GENTOO_PROFILE}" == "default/linux/arm64/17.0/systemd" ]]; then
|
|
FILENAME_BASE='arm64_gentoo-stage3-systemd'
|
|
SIGNED_SOURCE_SUFFIX='-systemd'
|
|
else
|
|
echo 'invalid profile, please select from the following profiles'
|
|
echo 'default/linux/amd64/17.1'
|
|
echo 'default/linux/amd64/17.1/no-multilib'
|
|
echo 'default/linux/amd64/17.1/hardened'
|
|
echo 'default/linux/amd64/17.1/no-multilib/hardened'
|
|
echo 'default/linux/amd64/17.1/systemd'
|
|
echo 'default/linux/arm64/17.0'
|
|
echo 'default/linux/arm64/17.0/systemd'
|
|
exit 1
|
|
fi
|
|
|
|
if [[ "${GENTOO_PROFILE}" == *'amd64'* ]]; then
|
|
ARCH_PATH='amd64'
|
|
elif [[ "${GENTOO_PROFILE}" == *'arm64'* ]]; then
|
|
ARCH_PATH='arm64'
|
|
fi
|
|
DIB_CLOUD_SOURCE=${DIB_CLOUD_SOURCE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/latest-stage3-${ARCH_PATH}${SIGNED_SOURCE_SUFFIX}.txt"}
|
|
BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/$(curl "${DIB_CLOUD_SOURCE}" -s -f | tail -n 1 | cut -d\ -f 1)"}
|
|
BASE_IMAGE_FILE_SUFFIX=${BASE_IMAGE_FILE_SUFFIX:-"$(basename "${BASE_IMAGE_FILE}" | cut -d. -f 2,3)"}
|
|
SIGNATURE_FILE="${SIGNATURE_FILE:-${BASE_IMAGE_FILE}.DIGESTS.asc}"
|
|
CACHED_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.${BASE_IMAGE_FILE_SUFFIX}"
|
|
CACHED_SIGNATURE_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.asc"
|
|
|
|
if [[ -n "${DIB_OFFLINE}" ]] && [[ -f "${CACHED_FILE}" ]] ; then
|
|
echo "Not checking freshness of cached ${CACHED_FILE}"
|
|
else
|
|
echo 'Fetching Base Image'
|
|
"${TMP_HOOKS_PATH}"/bin/cache-url "${SIGNATURE_FILE}" "${CACHED_SIGNATURE_FILE}"
|
|
"${TMP_HOOKS_PATH}"/bin/cache-url "${BASE_IMAGE_FILE}" "${CACHED_FILE}"
|
|
pushd "${DIB_IMAGE_CACHE}"
|
|
# import the key
|
|
# this key can be verified at one of the following places
|
|
# https://wiki.gentoo.org/wiki/Project:RelEng#Keys
|
|
# https://dev.gentoo.org/~dolsen/releases/keyrings/gentoo-keys-*.tar.xz
|
|
# http://distfiles.gentoo.org/distfiles/gentoo-keys-*.tar.xz
|
|
# check the sig file
|
|
if ! gpgv --keyring "${TMP_HOOKS_PATH}"/extra-data.d/gentoo-releng.gpg "${CACHED_SIGNATURE_FILE}"; then
|
|
echo 'invalid signature file'
|
|
exit 1
|
|
fi
|
|
echo 'valid key used'
|
|
CACHED_SHA512SUM=$(grep -A1 -e 'SHA512' "${CACHED_SIGNATURE_FILE}" | grep -e "${BASE_IMAGE_FILE_SUFFIX}$" | cut -d\ -f 1)
|
|
ACTUAL_SHA512SUM=$(sha512sum "${CACHED_FILE}" | cut -d\ -f 1)
|
|
if [[ "${ACTUAL_SHA512SUM}" != "${CACHED_SHA512SUM}" ]]; then
|
|
echo "invalid checksum on downloaded tarball: ${CACHED_FILE}"
|
|
exit 1
|
|
fi
|
|
echo 'valid checksum'
|
|
popd
|
|
fi
|
|
|
|
# Extract the base image (use --numeric-owner to avoid UID/GID mismatch between
|
|
# image tarball and host OS)
|
|
sudo tar -C "${TARGET_ROOT}" --numeric-owner --xattrs -xf "${CACHED_FILE}"
|
|
|
|
# Put in a dummy /etc/resolv.conf over the temporary one we used
|
|
# to bootstrap. systemd has a bug/feature [1] that it will assume
|
|
# you want systemd-networkd as the network manager and create a
|
|
# broken symlink to /run/... if the base image doesn't have one.
|
|
# This broken link confuses things like dhclient.
|
|
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1197204
|
|
echo -e "# This file intentionally left blank\n" | sudo tee "${TARGET_ROOT}"/etc/resolv.conf
|