-rw-r--r-- | data/live-build-config/includes.chroot/etc/apt/apt.conf.d/01gpgvnoexpkeysig | 1 | ||||
-rwxr-xr-x | data/live-build-config/includes.chroot/usr/libexec/gpgvnoexpkeysig | 51 | ||||
-rw-r--r-- | docker/Dockerfile | 25 | ||||
-rwxr-xr-x | docker/gpgvnoexpkeysig | 51 | ||||
-rw-r--r-- | packages/vyos-build-container/Jenkinsfile | 72 | ||||
-rwxr-xr-x | packages/vyos-build-container/build.sh | 25 | ||||
-rwxr-xr-x | packages/wide-dhcpv6/build-wide.sh | 4 | ||||
-rwxr-xr-x | scripts/build-config | 17 | ||||
-rwxr-xr-x | scripts/check-qemu-install | 25 | ||||
-rw-r--r-- | vars/buildPackage.groovy | 20 | ||||
-rw-r--r-- | vars/isCustomBuild.groovy | 4 |
11 files changed, 290 insertions, 5 deletions
diff --git a/data/live-build-config/includes.chroot/etc/apt/apt.conf.d/01gpgvnoexpkeysig b/data/live-build-config/includes.chroot/etc/apt/apt.conf.d/01gpgvnoexpkeysig
new file mode 100644
index 00000000..8bb07cd2
--- /dev/null
+++ b/data/live-build-config/includes.chroot/etc/apt/apt.conf.d/01gpgvnoexpkeysig
@@ -0,0 +1 @@
+Apt::Key::gpgvcommand "/usr/libexec/gpgvnoexpkeysig";
diff --git a/data/live-build-config/includes.chroot/usr/libexec/gpgvnoexpkeysig b/data/live-build-config/includes.chroot/usr/libexec/gpgvnoexpkeysig
new file mode 100755
index 00000000..f528ee4b
--- /dev/null
+++ b/data/live-build-config/includes.chroot/usr/libexec/gpgvnoexpkeysig
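Review bot: Shipping `Apt::Key::gpgvcommand` under `includes.chroot/etc/apt/apt.conf.d/` applies the EXPKEYSIG-to-GOODSIG wrapper to every apt run in the image chroot and to every configured repository, not only the archive whose key has expired. Whether the file is removed before the image is finalised is not visible in this diff; if it is not, installed systems inherit the relaxed signature check. Prefer passing `-o Apt::Key::gpgvcommand=/usr/libexec/gpgvnoexpkeysig` only to the build-time apt calls that need it, or at least add a leading comment such as `// Build-time workaround: accept signatures made by expired archive keys (ELTS/snapshot); do not ship.`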
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# No copyright is claimed. This code is in the public domain; do with
+# it what you wish.
+#
+# Author: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
+#
+# This is a wrapper around gpgv as invoked by apt. It turns EXPKEYSIG results
+# from gpgv into GOODSIG results. This is necessary for apt to access very old
+# timestamps from snapshot.debian.org for which the GPG key is already expired:
+#
+# Get:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease [242 kB]
+# Err:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease
+# The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# Reading package lists...
+# W: GPG error: http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease: The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# E: The repository 'http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease' is not signed.
+#
+# To use this script, call apt with
+#
+# -o Apt::Key::gpgvcommand=/usr/libexec/mmdebstrap/gpgvnoexpkeysig
+#
+# Scripts doing similar things can be found here:
+#
+# * debuerreotype as /usr/share/debuerreotype/scripts/.gpgv-ignore-expiration.sh
+# * derivative census: salsa.d.o/deriv-team/census/-/blob/master/bin/fakegpgv
+
+set -eu
+
+find_gpgv_status_fd() {
+ while [ "$#" -gt 0 ]; do
+ if [ "$1" = '--status-fd' ]; then
+ echo "$2"
+ return 0
+ fi
+ shift
+ done
+ # default fd is stdout
+ echo 1
+}
+GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
+
+case $GPGSTATUSFD in
+ ''|*[!0-9]*)
+ echo "invalid --status-fd argument" >&2
+ exit 1
+ ;;
+esac
+
+# we need eval because we cannot redirect a variable fd
+eval 'exec gpgv "$@" '"$GPGSTATUSFD"'>&1 | sed "s/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /" >&'"$GPGSTATUSFD"
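Review bot: The final `eval` line ends in a pipeline, so the wrapper exits with `sed`'s status and `gpgv`'s own exit code is discarded; `set -e` does not cover the left side of a pipe. A caller that checks the exit code rather than the status-fd lines would see success even when gpgv failed, which is worth stating in a comment above the `eval`, e.g. `# NOTE: exit status is sed's; verification results are only conveyed via the status fd`. The usage comment also still names `/usr/libexec/mmdebstrap/gpgvnoexpkeysig`, while this commit installs the script at `/usr/libexec/gpgvnoexpkeysig`. The identical copy added as `docker/gpgvnoexpkeysig` has the same two points.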
diff --git a/docker/Dockerfile b/docker/Dockerfile index dfa71ad1..4e51fe0e 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -50,6 +50,10 @@ RUN echo "dash dash/sh boolean false" | debconf-set-selections && \ RUN echo -e 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";' > /etc/apt/apt.conf.d/01norecommends +# Add workaround for APT KEYEXPIRED +COPY gpgvnoexpkeysig /usr/libexec/gpgvnoexpkeysig +RUN echo 'Apt::Key::gpgvcommand "/usr/libexec/gpgvnoexpkeysig";' > /etc/apt/apt.conf.d/01gpgvnoexpkeysig + # We now have Debian Bullseye (11) so cached images require the permit to # change the releaseinfo from stable -> oldstable RUN apt-get update --allow-releaseinfo-change @@ -58,6 +62,19 @@ RUN apt-get update && apt-get install -y \ apt-utils \ locales +# Use the --build-arg ELTS_MIRROR=http://your-elts-mirror argument to specify your ELTS mirror +ARG ELTS_MIRROR="none" +RUN <<EOF +set -e +if [ "$ELTS_MIRROR" != "none" ]; then + apt-get install wget -y + wget --no-check-certificate https://deb.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2022.06.08_all.deb + dpkg -i freexian-archive-keyring_2022.06.08_all.deb + echo "deb $ELTS_MIRROR buster main contrib non-free" > /etc/apt/sources.list.d/elts.list + apt-get full-upgrade -y +fi +EOF + RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen ENV LANG en_US.utf8 @@ -642,6 +659,14 @@ RUN apt-get update && apt-get install -y \ tcpdump \ yajl-tools + +# Extra packages +RUN apt-get update +# For vyos-xe-guest-utilities +RUN apt-get install -y golang +# For vyos-strongswan +RUN apt-get install -y libcurl4-openssl-dev + # # fpm: a command-line program designed to help you build packages (e.g. deb) # diff --git a/docker/gpgvnoexpkeysig b/docker/gpgvnoexpkeysig new file mode 100755 index 00000000..f528ee4b --- /dev/null +++ b/docker/gpgvnoexpkeysig 
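Review bot: In the `ELTS_MIRROR` block the Freexian archive keyring is downloaded with `wget --no-check-certificate` and installed with `dpkg -i` without any digest check, so the key material that later authenticates the ELTS repository is itself unauthenticated. Install `ca-certificates` together with `wget` and drop the flag, and pin the package digest before installing it: `echo "<EXPECTED_SHA256>  freexian-archive-keyring_2022.06.08_all.deb" | sha256sum -c -`. This matters more here because the earlier hunk in this file routes apt through the expired-key wrapper before the first `apt-get update`.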
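Review bot: `RUN apt-get update` is a layer of its own ahead of the two `apt-get install` layers, so a cached update layer can be reused with stale package lists; the file's existing pattern, visible in the hunk context, is `RUN apt-get update && apt-get install -y \`. Suggest folding the three into `RUN apt-get update && apt-get install -y golang libcurl4-openssl-dev`, keeping the two `# For …` comments above it.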
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# No copyright is claimed. This code is in the public domain; do with
+# it what you wish.
+#
+# Author: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
+#
+# This is a wrapper around gpgv as invoked by apt. It turns EXPKEYSIG results
+# from gpgv into GOODSIG results. This is necessary for apt to access very old
+# timestamps from snapshot.debian.org for which the GPG key is already expired:
+#
+# Get:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease [242 kB]
+# Err:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease
+# The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# Reading package lists...
+# W: GPG error: http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease: The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# E: The repository 'http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease' is not signed.
+#
+# To use this script, call apt with
+#
+# -o Apt::Key::gpgvcommand=/usr/libexec/mmdebstrap/gpgvnoexpkeysig
+#
+# Scripts doing similar things can be found here:
+#
+# * debuerreotype as /usr/share/debuerreotype/scripts/.gpgv-ignore-expiration.sh
+# * derivative census: salsa.d.o/deriv-team/census/-/blob/master/bin/fakegpgv
+
+set -eu
+
+find_gpgv_status_fd() {
+ while [ "$#" -gt 0 ]; do
+ if [ "$1" = '--status-fd' ]; then
+ echo "$2"
+ return 0
+ fi
+ shift
+ done
+ # default fd is stdout
+ echo 1
+}
+GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
+
+case $GPGSTATUSFD in
+ ''|*[!0-9]*)
+ echo "invalid --status-fd argument" >&2
+ exit 1
+ ;;
+esac
+
+# we need eval because we cannot redirect a variable fd
+eval 'exec gpgv "$@" '"$GPGSTATUSFD"'>&1 | sed "s/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /" >&'"$GPGSTATUSFD"
diff --git a/packages/vyos-build-container/Jenkinsfile b/packages/vyos-build-container/Jenkinsfile
new file mode 100644
index 00000000..1b554fff
--- /dev/null
+++ b/packages/vyos-build-container/Jenkinsfile
@@ -0,0 +1,72 @@ +// Copyright (C) 2020-2024 VyOS maintainers and contributors +// +// This program is free software; you can redistribute it and/or modify +// in order to easy exprort images built to 'external' world +// it under the terms of the GNU General Public License version 2 or later as +// published by the Free Software Foundation. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. +@NonCPS + +// Using a version specifier library, use 'equuleus' branch. The underscore (_) +// is not a typo! You need this underscore if the line immediately after the +// @Library annotation is not an import statement! +@Library('vyos-build@equuleus')_ + +pipeline { + agent none + parameters { + string(name: 'ELTS_MIRROR', defaultValue: 'http://172.17.17.17:3142/deb.freexian.com/extended-lts', description: 'You can apt install apt-cacher-ng and then replace 172.17.17.17 with your local IP or provide your own ELTS mirror.') + } + options { + disableConcurrentBuilds() + timeout(time: 240, unit: 'MINUTES') + timestamps() + buildDiscarder(logRotator(numToKeepStr: '10')) + } + stages { + stage('Build') { + agent { + label "ec2_amd64" + } + when { + anyOf { + changeset pattern: "**/docker/*", caseSensitive: true + triggeredBy cause: "UserIdCause" + } + } + steps { + script { + // Checkout git repository which hold 'Jenkinsfile' + checkout scm + + // Display Git commit Id used with the Jenkinsfile on the Job 'Build History' pane + def commitId = sh(returnStdout: true, script: 'git rev-parse --short=11 HEAD').trim() + currentBuild.description = 'Git SHA1: ' + commitId + + // Fetch sources and build docker image + dir(getJenkinsfilePath() + 
'vyos-build') { + checkout([$class: 'GitSCM', + doGenerateSubmoduleConfigurations: false, + extensions: [[$class: 'CleanCheckout']], + branches: [[name: env.BRANCH_NAME]], + userRemoteConfigs: [[url: 'https://github.com/dd010101/vyos-build.git']]]) + + sh 'cd ..; ./build.sh' + } + } + } + post { + cleanup { + deleteDir() + } + } + } + } +} diff --git a/packages/vyos-build-container/build.sh b/packages/vyos-build-container/build.sh new file mode 100755 index 00000000..f91a326a --- /dev/null +++ b/packages/vyos-build-container/build.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -e + +cd vyos-build/docker + +echo "Inspecting current image of ${BRANCH_NAME}..." +previousImageId=$(docker images --filter=reference="vyos/vyos-build:${BRANCH_NAME}" --format "{{.ID}}") + +echo "Building docker build container for branch ${BRANCH_NAME}..." +docker build --build-arg "ELTS_MIRROR=${ELTS_MIRROR}" \ + --no-cache -t "vyos/vyos-build:${BRANCH_NAME}" . + +echo "Pushing ${BRANCH_NAME} image to registry ${CUSTOM_DOCKER_REPO}..." +docker tag "vyos/vyos-build:${BRANCH_NAME}" "${CUSTOM_DOCKER_REPO}/vyos/vyos-build:${BRANCH_NAME}" +docker push "${CUSTOM_DOCKER_REPO}/vyos/vyos-build:$BRANCH_NAME" + +echo "Cleaning previous image of ${BRANCH_NAME}..." +if [ "$previousImageId" != "" ]; then + docker rmi --force "$previousImageId" || true +fi + +echo "Cleaning local registry..." +docker exec registry registry garbage-collect /etc/docker/registry/config.yml --delete-untagged=true + +echo "Image ${BRANCH_NAME} was successfully built and pushed to registry ${CUSTOM_DOCKER_REPO}." diff --git a/packages/wide-dhcpv6/build-wide.sh b/packages/wide-dhcpv6/build-wide.sh index 6da4534b..9476c272 100755 --- a/packages/wide-dhcpv6/build-wide.sh +++ b/packages/wide-dhcpv6/build-wide.sh @@ -21,5 +21,9 @@ if [ -d $PATCH_DIR ]; then fi cd ${WIDE_SRC} + +echo "I: Apply workaround for cfparse.y make target" +rm y.tab.h + echo "I: Build Debian Package" dpkg-buildpackage -uc -us -tc -b 
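Review bot: The `ELTS_MIRROR` default is a plain `http://` URL, which leaves package integrity during the container build resting on apt signature verification alone, and docker/Dockerfile in this commit relaxes that check for expired keys. The parameter description should say so, for example by appending `Packages are fetched over HTTP; authenticity depends on the archive signature.` Separately, the fourth line of the licence header (`// in order to easy exprort images built to 'external' world`) is a stray sentence that splits the GPL notice and should be removed.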
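Review bot: In `packages/vyos-build-container/build.sh`, `BRANCH_NAME`, `ELTS_MIRROR` and `CUSTOM_DOCKER_REPO` are used without any check that they are set; with `set -e` alone an unset `CUSTOM_DOCKER_REPO` produces the tag `/vyos/vyos-build:…`, and an empty `ELTS_MIRROR` is passed to a Dockerfile that only tests for the value `none`. Use `set -eu`, or guard explicitly with `: "${BRANCH_NAME:?}" "${ELTS_MIRROR:?}" "${CUSTOM_DOCKER_REPO:?}"`. The `registry garbage-collect` step also runs against the live `registry` container; a comment noting that no other job may push during it would help, since the Jenkinsfile's `disableConcurrentBuilds()` only serialises this job.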
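Review bot: In `packages/wide-dhcpv6/build-wide.sh`, `rm y.tab.h` fails when the file is absent, and whether that aborts the build depends on shell options set outside this hunk; `rm -f y.tab.h` makes the workaround idempotent. The echo says what is done but not why, so a comment such as `# stale generated header shipped in the source tree; force regeneration from cfparse.y` would help — assuming that is the reason, which the hunk does not state.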
diff --git a/scripts/build-config b/scripts/build-config index fa0b3512..8369a684 100755 --- a/scripts/build-config +++ b/scripts/build-config @@ -68,6 +68,7 @@ options = { 'build-by': ('Builder identifier (e.g. jrandomhacker@example.net)', get_default_build_by, None), 'debian-mirror': ('Debian repository mirror for ISO build', lambda: build_defaults['debian_mirror'], None), 'debian-security-mirror': ('Debian security updates mirror', lambda: build_defaults['debian_security_mirror'], None), + 'debian-elts-mirror': ('Debian extended long term eupport (ELTS) mirror', None, None), 'pbuilder-debian-mirror': ('Debian repository mirror for pbuilder env bootstrap', lambda: build_defaults['debian_mirror'], None), 'vyos-mirror': ('VyOS package mirror', lambda: build_defaults["vyos_mirror"], None), 'build-type': ('Build type, release or development', lambda: 'development', lambda x: x in ['release', 'development']), @@ -110,6 +111,22 @@ if (args['debian_mirror'] != build_defaults["debian_mirror"]) and \ (args['pbuilder_debian_mirror'] == build_defaults["debian_mirror"]): args['pbuilder_debian_mirror'] = args['debian_mirror'] +# Handle ELTS mirror workaround +if args['debian_elts_mirror']: + # purge any internal 'local.deb.vyos.io' repository + modified_repositories = [] + for definition in build_defaults["additional_repositories"]: + if "local.deb.vyos.io" in definition: + continue + modified_repositories.append(definition) + + # append custom ELTS repository as replacement + elts_definition = "deb %s buster main contrib non-free" % args['debian_elts_mirror'] + modified_repositories.append(elts_definition) + + # replace 'additional_repositories' with modified version + build_defaults["additional_repositories"] = modified_repositories + # Version can only be set for release builds, # for dev builds it hardly makes any sense if args['build_type'] == 'development': diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install index aaac8250..42aeb71c 100755 
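Review bot: The `debian-elts-mirror` option has no validator (`None` in the third slot), and its value is formatted straight into `"deb %s buster main contrib non-free"`, so stray whitespace or a newline in the argument would yield extra fields or an extra repository entry. A validator in the style of `build-type`, e.g. `lambda x: not any(c.isspace() for c in x)`, would reject that; how validators are invoked lies outside the hunk, so check it tolerates an unset option. The help string also reads `eupport` for `support`, and the comment above the filter loop could state that any definition containing `local.deb.vyos.io` is dropped on purpose.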
--- a/scripts/check-qemu-install +++ b/scripts/check-qemu-install @@ -72,6 +72,7 @@ parser.add_argument('--no-interfaces', help='Execute testsuite without interface action='store_true', default=False) parser.add_argument('--configtest', help='Execute load/commit config tests', action='store_true', default=False) +parser.add_argument('--sandbox', help='Interactive sandbox mode', action='store_true', default=False) args = parser.parse_args() @@ -143,7 +144,7 @@ def get_qemu_cmd(name, enable_kvm, enable_uefi, disk_img, raid=None, iso_img=Non -smp sockets=1,cpus={cpucount},cores=1 \ -cpu host \ {uefi} \ - -m 1G \ + -m 4G \ -vga none \ -nographic \ -machine accel=kvm \ @@ -367,12 +368,32 @@ try: # Start/stop config daemon ################################################# if args.configd: - c.sendline('sudo systemctl start vyos-configd.service &> /dev/null') + c.sendline('sudo systemctl restart vyos-configd.service &> /dev/null') else: c.sendline('sudo systemctl stop vyos-configd.service &> /dev/null') c.expect(op_mode_prompt) ################################################# + # Sandbox mode + ################################################# + + if args.sandbox: + log.info("SANDBOX: now you are in control!") + c.sendline("") + c.logfile = None + c.interact() + if not args.keep: + log.info("SANDBOX: removing disk file: %s" % args.disk) + try: + os.remove(args.disk) + if diskname_raid: + os.remove(diskname_raid) + except Exception: + pass + log.info("SANDBOX: end") + exit(0) + + ################################################# # Basic Configmode/Opmode switch ################################################# log.info('Basic CLI configuration mode test') diff --git a/vars/buildPackage.groovy b/vars/buildPackage.groovy index 611a948c..fe75a054 100644 --- a/vars/buildPackage.groovy +++ b/vars/buildPackage.groovy 
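Review bot: In the sandbox block, `except Exception: pass` hides every clean-up failure, and because both `os.remove` calls share one `try`, a failure on `args.disk` leaves `diskname_raid` behind without a log line. Remove each path separately and log an `OSError` instead of discarding it, as sketched below. `exit(0)` is the interactive `site` helper; `sys.exit(0)` is the dependable form in a script, provided `sys` is imported (imports are outside the hunk). The enclosing `try:` continues past the hunk, so its handlers will still see the `SystemExit`.

```python
        if not args.keep:
            # … unchanged: "SANDBOX: removing disk file" log line …
            for path in (args.disk, diskname_raid):
                if not path:
                    continue
                try:
                    os.remove(path)
                except OSError as e:
                    log.warning("SANDBOX: could not remove %s: %s" % (path, e))
```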
@@ -165,7 +165,7 @@ def call(description=null, pkgList=null, buildCmd=null, changesPattern="**") { } } - files = findFiles(glob: '**/*.deb') + files = findFiles(glob: '**/*.deb', excludes: '**/Makefile.deb') if (files) { echo "Remove deprecated binary package(s) from the repository..." files.each { FILE -> @@ -194,11 +194,25 @@ def call(description=null, pkgList=null, buildCmd=null, changesPattern="**") { def PACKAGE = sh(returnStdout: true, script: "cat ${FILE} | grep Source ").trim().tokenize(' ').last() sh(script: "scp ${SSH_OPTS} ${FILE} ${SSH_REMOTE}:${SSH_DIR}") def FILENAME = FILE.toString().tokenize('/').last() - sh(script: "ssh ${SSH_OPTS} ${SSH_REMOTE} -t \"uncron-add 'reprepro -v -b ${VYOS_REPO_PATH} includedsc ${RELEASE} ${SSH_DIR}/${FILENAME}'\"") + def EXTRA_ARGS = '' + // Add generic Priority if missing + if (sh(returnStatus: true, script: "cat ${FILE} | grep Priority:") != 0) { + EXTRA_ARGS = EXTRA_ARGS + ' -P optional' + } + // Add generic Section if missing + if (sh(returnStatus: true, script: "cat ${FILE} | grep Section:") != 0) { + EXTRA_ARGS = EXTRA_ARGS + ' -S misc' + } + // Ingore .dsc in git format + if (sh(returnStatus: true, script: "cat ${FILE} | grep Format: 3.0 (git)") != 0) { + echo "${FILE}: detected unsupported git format, skipping..." + return + } + sh(script: "ssh ${SSH_OPTS} ${SSH_REMOTE} -t \"uncron-add 'reprepro -v -b ${VYOS_REPO_PATH}${EXTRA_ARGS} includedsc ${RELEASE} ${SSH_DIR}/${FILENAME}'\"") } } - files = findFiles(glob: '**/*.deb') + files = findFiles(glob: '**/*.deb', excludes: '**/Makefile.deb') if (files) { echo "Uploading binary package(s) to the repository ..." files.each { FILE -> diff --git a/vars/isCustomBuild.groovy b/vars/isCustomBuild.groovy index c5e5fab7..b1e6fe76 100644 --- a/vars/isCustomBuild.groovy +++ b/vars/isCustomBuild.groovy 
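Review bot: The `Format: 3.0 (git)` test skips every `.dsc`, not only git-format ones: the pattern is unquoted, so the shell sees bare parentheses and the command fails with a syntax error, and the condition is `!= 0` where a match returns 0. Quote the pattern and invert the test: `if (sh(returnStatus: true, script: "grep -q '^Format: 3.0 (git)' ${FILE}") == 0) {`. The `Priority:` and `Section:` probes would be more precise anchored the same way (`grep -q '^Priority:'`), and the comment should read `Ignore`. The enclosing `files.each` closure starts outside the hunk.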
@@ -22,5 +22,9 @@ def call() { def gitURI = 'git@github.com:vyos/' + getGitRepoName() def httpURI = 'https://github.com/vyos/' + getGitRepoName() + if (env.CUSTOM_BUILD_CHECK_DISABLED) { + return false + } + return !((getGitRepoURL() == gitURI) || (getGitRepoURL() == httpURI)) || isPullRequest() } |
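Review bot: `env.CUSTOM_BUILD_CHECK_DISABLED` is a string, so under Groovy truth any non-empty value — including `false` or `0` — turns the custom-build check off. Compare explicitly, `if (env.CUSTOM_BUILD_CHECK_DISABLED?.toBoolean()) {`, and add a comment naming where the variable is expected to be set. What callers gate on `isCustomBuild()` is not visible here; if it guards upload or publish steps, the override deserves a line in the build log when it takes effect.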