
rootfs.tar.gz: Automate construction from Gentoo's amd64 stage3 #3

Merged (8 commits), Jan 20, 2016

Conversation

wking (Contributor) commented Jan 20, 2016

Cross-posted from mrunalp/ocitools#17.

Details in the commit messages (and docs in the README commit), but
this pulls a statically-linked BusyBox from Gentoo's amd64 stage3 and
uses it to seed the tarball. We can also easily grab other things
from that stage3 if we need them later, but things like libapparmor
(that aren't in Gentoo's stage3) will need a different approach.

Based on [1] and relicenced under the Apache License, Version 2.0.

The 'sudo' for mkdir generates a directory belonging to root.

We check the digest signature and SHA512 hash of the stage3 to ensure
the downloaded file is from Gentoo's release engineering team.  For
the SHA512 check, the first grep removes the Whirlpool hashes to avoid
confusing sha512sum.  The second grep removes the '--' separator added
by the first grep.

The touch avoids attempted rebuilds if the stage3's busybox has an
mtime older than the local dependencies like
downloads/stage3-amd64-current.tar.bz2.

[1]: https://github.com/wking/oci-gentoo-minimal/blob/5f6850f05a4c183434cdb77774b10c9719649d49/Makefile#L22-L25

Signed-off-by: W. Trevor King <[email protected]>
For creating symlinks for all of the BusyBox binary's supported
commands.  We could put these in their usual directories by using
--list-full (which would give entries like sbin/brctl), but I don't
think it's worth keeping multiple bin directories in a
single-filesystem root that's only used for containers.

Signed-off-by: W. Trevor King <[email protected]>
For creating a tarball that can be committed to version control.  Git
just tracks the executable bit (not the file owner etc.), so using a
tarball is easier than restoring that stuff after clones and
checkouts.

Signed-off-by: W. Trevor King <[email protected]>
Generated with:

  $ make rootfs.tar.gz

stage3-amd64-20151203.tar.bz2 had a SHA512 hash of [1], and a valid
signature by [2].

[1]: 180741e224714fc48962f5ed61fa0340e6ce544ba6174d503db960e5eaafc4c3e568bee69490bbe6f632dbf437335652a2988297ae50d532e5c718f6abd911e6
[2]: Gentoo Linux Release Engineering (Automated Weekly Release Key) <[email protected]>
     Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910

Signed-off-by: W. Trevor King <[email protected]>
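The two stage3 checks the commit messages describe (signature on the DIGESTS file, then only the SHA512 lines fed to sha512sum), as an added shell example that is not the PR's Makefile or get-stage3.sh. It pins the release-key fingerprint quoted above instead of relying on the web of trust, which is one way to make an unknown or uncertified signer fatal; the fixture files and the all-zero WHIRLPOOL values are constructed, and gpg is only invoked by the wrapper function.

```shell
#!/bin/sh
# Added example (not the PR's Makefile): the two stage3 checks the PR
# describes, written so each can be run and tested on its own.
set -u

# Gentoo weekly release key fingerprint, taken from the PR text.
GENTOO_RELENG_FPR=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910

# Read "gpg --status-fd 1" output on stdin and succeed only if a VALIDSIG
# line carries the pinned fingerprint.  Pinning the key makes a bad or
# unknown signer fatal instead of just the "not certified" warning.
signed_by_pinned_key() {
    grep -q "^\[GNUPG:\] VALIDSIG $GENTOO_RELENG_FPR "
}

# Wrapper for a real DIGESTS.asc (needs the key imported; not run in tests).
verify_digests_signature() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | signed_by_pinned_key
}

# Keep only the "# SHA512 HASH" headers and the line after each; grep -A1
# inserts "--" between non-adjacent groups, which the second grep drops.
# sha512sum -c skips the '#' lines itself.  Run in the downloads directory.
check_sha512_digests() {
    grep -A1 '^# SHA512 HASH' "$1" | grep -v '^--' | sha512sum -c --quiet
}

# Constructed fixture: tiny stand-ins for the tarball and its CONTENTS list
# plus a DIGESTS file in Gentoo's layout.  The WHIRLPOOL lines are bogus
# 128-hex-digit values that would FAIL if fed to sha512sum unfiltered.
make_fixture() {
    dir=$(mktemp -d)
    printf 'fake stage3 payload\n' > "$dir/stage3-amd64-20151203.tar.bz2"
    printf 'bin/busybox\n' > "$dir/stage3-amd64-20151203.tar.bz2.CONTENTS"
    ( cd "$dir" && for f in stage3-amd64-20151203.tar.bz2 \
                            stage3-amd64-20151203.tar.bz2.CONTENTS; do
        echo '# SHA512 HASH'; sha512sum "$f"
        echo '# WHIRLPOOL HASH'; printf '%0128d  %s\n' 0 "$f"
    done > stage3-amd64-20151203.tar.bz2.DIGESTS )
    echo "$dir"
}

# Exit 0 if the fixture's SHA512 digests verify, non-zero otherwise.
verify_fixture() {
    ( cd "$1" && check_sha512_digests stage3-amd64-20151203.tar.bz2.DIGESTS >/dev/null 2>&1 )
}

# Corrupt the payload after its digest was recorded.
tamper_fixture() {
    printf 'tampered\n' >> "$1/stage3-amd64-20151203.tar.bz2"
}
```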
mrunalp (Contributor) commented Jan 20, 2016

I followed the guide. It probably needs more info to set up the keys ;)

[root@localhost ocitools]# make rootfs.tar.gz
./get-stage3.sh
--2016-01-20 17:00:05--  http://distfiles.gentoo.org/releases/amd64/autobuilds/latest-stage3.txt
Resolving distfiles.gentoo.org (distfiles.gentoo.org)... 64.50.233.100, 64.50.236.52, 140.211.166.134, ...
Connecting to distfiles.gentoo.org (distfiles.gentoo.org)|64.50.233.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 784 [text/plain]
Saving to: ‘STDOUT’

-                                       100%[============================================================================>]     784  --.-KB/s    in 0s

2016-01-20 17:00:06 (48.8 MB/s) - written to stdout [784/784]

touch downloads/stage3-amd64-*.tar.bz2
gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
gpg: Can't check signature: public key not found
Makefile:15: recipe for target 'rootfs/bin/busybox' failed
make: *** [rootfs/bin/busybox] Error 2

wking (Contributor, Author) commented Jan 20, 2016

On Wed, Jan 20, 2016 at 02:02:20PM -0800, Mrunal Patel wrote:

> I followed the guide. It probably needs more info to setup the keys ;)
>
> gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
> gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
> gpg: Can't check signature: public key not found

You need:

$ gpg --search 0x2D182910

and then import the key. Until your web-of-trust reaches out to the
Gentoo Rel-Eng team, verification will give you:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

but that's not fatal (and I'm not sure how you'd make it fatal even if
you wanted it to be). Does that fall under “basic GnuPG usage”, or is
it worth writing up in docs here?

mrunalp (Contributor) commented Jan 20, 2016

@wking I think we should just add to the steps so it is easy for someone to rebuild the rootfs.
I tested it out and the rootfs works with the runtime tests and runc.

We were linking to the [gentoo-signatures] reference before, and they
give this example command there, but Mrunal wanted explicit docs to
make everything as obvious as possible [1].

[1]: opencontainers#3 (comment)

Signed-off-by: W. Trevor King <[email protected]>
wking (Contributor, Author) commented Jan 20, 2016

On Wed, Jan 20, 2016 at 02:25:49PM -0800, Mrunal Patel wrote:

> @wking I think we should just add to the steps so it is easy for
> someone to rebuild the rootfs.

I just pushed a328eef with more docs around this. Let me know if
that is what you were looking for (and feel free to push some fixup
commits where I can get them if it wasn't ;).

mrunalp (Contributor) commented Jan 20, 2016

LGTM

mrunalp pushed a commit that referenced this pull request Jan 20, 2016
rootfs.tar.gz: Automate construction from Gentoo's amd64 stage3
@mrunalp mrunalp merged commit 1cc2055 into opencontainers:master Jan 20, 2016
@wking wking deleted the stage3-rootfs branch March 8, 2016 04:25