starlingx/root
Code Issues Proposed changes

Merge remote-tracking branch 'origin/master' into f/centos75

Browse Source 
Change-Id: I1e44bd44a6771c6df6032d58da7dcbf96f97bad9
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
This commit is contained in:
Dean Troyer 2018-09-14 10:40:32 -05:00
commit 21bcc10955
4 changed files with 167 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

279
build-tools/sign-rpms
View File

@ -23,43 +23,43 @@ export MOCK=/usr/bin/mock
# check input variables # check input variables
function check_vars { function check_vars {
# need access to repo, which should normally be defined as MY_REPO in the env # need access to repo, which should normally be defined as MY_REPO in the env
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO INTERNAL_REPO_ROOT=$MY_REPO
fi fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n" printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n" printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n" printf " Found!\n"
fi fi
fi fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n" printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n" printf " Found!\n"
fi fi
fi fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n" printf " Error -- could not locate cgcs-root repo.\n"
exit 1 exit 1
fi fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT" printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1 exit 1
fi fi
if [ -z "$MY_BUILD_DIR" ] ; then if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR" printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1 exit 1
fi fi
} }
@ -73,119 +73,155 @@ function check_vars {
# This process is using mock because the build servers do not have the same rpm / rpmsign version # This process is using mock because the build servers do not have the same rpm / rpmsign version
# #
function _local_cleanup {
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
}
function __local_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_local_cleanup
exit 1
}
function sign_packages { function sign_packages {
OLD_PWD=$PWD OLD_PWD=$PWD
_MOCK_PKG_DIR=/mnt/Packages _MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv _IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing _KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys _MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk _SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk _MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk _MOCK_MK_DIR=/mnt/mk
# mock confgiuration file # mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg _MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# recreate configuration file # recreate configuration file
rm $_MOCK_CFG rm $_MOCK_CFG
export BUILD_TYPE=std export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG modify-build-cfg $_MOCK_CFG
# and customize # and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
echo "Signing packages in $_PKG_DIR with $NPROCS threads" echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY" echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
printf "Initializing mock environment\n" printf "Initializing mock environment\n"
# invoke make in mock to sign packages. trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
retval=$? # invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
printf "Cleaning mock environment\n" retval=$?
$MOCK -q -r $_MOCK_CFG --scrub=all
if [ $retval -ne 0 ] ; then trap - SIGHUP SIGINT SIGABRT SIGTERM
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD _local_cleanup
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD
} }
function _copy_and_sign { function _copy_and_sign {
# upload rpms to server # upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$? retval=$?
if [ $retval -ne 0 ] ; then if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server." echo "ERROR: failed to copy RPM files to signing server."
return $retval return $retval
fi fi
# get server to sign packages. # get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$? retval=$?
if [ $retval -ne 0 ] ; then if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files." echo "ERROR: failed to sign RPM files."
return $retval return $retval
fi fi
# download results back. This overwrites the original files. # download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$? retval=$?
if [ $retval -ne 0 ] ; then if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server." echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval return $retval
fi fi
return $retval return $retval
} }
function _server_cleanup {
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
}
function __server_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_server_cleanup
exit 1
}
function sign_packages_on_server { function sign_packages_on_server {
retval=0 retval=0
# obtain temporary diretory to upload RPMs on signing server # obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r` _UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
retval=$? retval=$?
if [ $retval -ne 0 ] ; then if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server." echo "failed to obtain upload directory from signing server."
return $retval return $retval
fi fi
# extract base chroot dir and rpm dir within chroot # extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR read base com sub <<< $_UPLOAD_DIR
# this is the upload temp dir, outside of chroot env # this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub _UPLOAD_DIR=$base$sub
_copy_and_sign trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
retval=$?
# cleanup _copy_and_sign
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm retval=$?
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory."
fi
return $retval trap - SIGHUP SIGINT SIGABRT SIGTERM
_server_cleanup
return $retval
} }
@ -196,9 +232,6 @@ function sign_packages_on_server {
# Check args # Check args
HELP=0 HELP=0
SIGNING_SERVER=yow-tiks01
SIGNING_USER=signing
SIGNING_SERVER_SCRIPT=/opt/signing/sign_rpms_18.03.sh
# return value # return value
retval=0 retval=0
@ -206,8 +239,8 @@ retval=0
# read the options # read the options
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"` TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
echo "Invalid parameters - exiting" echo "Invalid parameters - exiting"
exit 1 exit 1
fi fi
eval set -- "$TEMP" eval set -- "$TEMP"
@ -223,21 +256,21 @@ while true ; do
done done
if [ $HELP -eq 1 ]; then if [ $HELP -eq 1 ]; then
usage usage
exit 0 exit 0
fi fi
# package directory must be defined # package directory must be defined
if [ -z "$_PKG_DIR" ]; then if [ -z "$_PKG_DIR" ]; then
echo "Need package directory. Use -d/--pkg-dir option" echo "Need package directory. Use -d/--pkg-dir option"
usage usage
exit 1 exit 1
fi fi
# ... and must exist # ... and must exist
if [ ! -d "$_PKG_DIR" ]; then if [ ! -d "$_PKG_DIR" ]; then
echo "Package directory $_PKG_DIR does not exist" echo "Package directory $_PKG_DIR does not exist"
exit 1 exit 1
fi fi
# Init variables # Init variables

2
build-tools/sign-secure-boot
View File

@ -454,8 +454,6 @@ if [ "x$MY_WORKSPACE" == "x" ]; then
fi fi
ARCH="x86_64" ARCH="x86_64"
SIGNING_SERVER=yow-tiks01
SIGNING_USER=signing
SIGNING_SCRIPT=/opt/signing/sign.sh SIGNING_SCRIPT=/opt/signing/sign.sh
UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r` UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r`
SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt

15
build-tools/sign_iso_formal.sh
View File

@ -16,7 +16,6 @@ ISO_FILE_PATH=$1
ISO_FILE_NAME=$(basename ${ISO_FILE_PATH}) ISO_FILE_NAME=$(basename ${ISO_FILE_PATH})
ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH}) ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH})
ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}" ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}"
SIGNING_SERVER="signing@yow-tiks01"
GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r" GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
REQUEST_SIGN="sudo /opt/signing/sign_iso.sh" REQUEST_SIGN="sudo /opt/signing/sign_iso.sh"
SIGNATURE_FILE="$ISO_FILE_NOEXT.sig" SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
@ -24,7 +23,7 @@ SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
# Make a request for an upload path # Make a request for an upload path
# Output is a path where we can upload stuff, of the form # Output is a path where we can upload stuff, of the form
# "Upload: /tmp/sign_upload.5jR11pS0" # "Upload: /tmp/sign_upload.5jR11pS0"
UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}` UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not get upload path. Do you have permissions on the signing server?" echo "Could not get upload path. Do you have permissions on the signing server?"
exit 1 exit 1
@ -32,7 +31,7 @@ fi
UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2` UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
echo "Uploading file" echo "Uploading file"
scp -q ${ISO_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH} scp -q ${ISO_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not upload ISO" echo "Could not upload ISO"
exit 1 exit 1
@ -41,22 +40,22 @@ echo "File uploaded to signing server -- signing"
# Make the signing request. # Make the signing request.
# Output is path of detached signature # Output is path of detached signature
RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}` RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not perform signing -- output $RESULT" echo "Could not perform signing -- output $RESULT"
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
exit 1 exit 1
fi fi
echo "Signing complete. Downloading detached signature" echo "Signing complete. Downloading detached signature"
scp -q ${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE} scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not download newly signed file" echo "Could not download newly signed file"
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
exit 1 exit 1
fi fi
# Clean up (ISOs are big) # Clean up (ISOs are big)
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME} ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature" echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature"

9
build-tools/sign_patch_formal.sh
View File

@ -13,21 +13,20 @@ fi
PATCH_FILE_PATH=$1 PATCH_FILE_PATH=$1
PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH}) PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH})
SIGNING_SERVER="signing@yow-tiks01"
GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r" GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
REQUEST_SIGN="sudo /opt/signing/sign_patch.sh" REQUEST_SIGN="sudo /opt/signing/sign_patch.sh"
# Make a request for an upload path # Make a request for an upload path
# Output is a path where we can upload stuff, of the form # Output is a path where we can upload stuff, of the form
# "Upload: /tmp/sign_upload.5jR11pS0" # "Upload: /tmp/sign_upload.5jR11pS0"
UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}` UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not get upload path. Do you have permissions on the signing server?" echo "Could not get upload path. Do you have permissions on the signing server?"
exit 1 exit 1
fi fi
UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2` UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
scp -q ${PATCH_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH} scp -q ${PATCH_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could upload patch" echo "Could upload patch"
exit 1 exit 1
@ -36,14 +35,14 @@ echo "File uploaded to signing server"
# Make the signing request. # Make the signing request.
# Output is path of newly signed file # Output is path of newly signed file
RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}` RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not perform signing -- output $RESULT" echo "Could not perform signing -- output $RESULT"
exit 1 exit 1
fi fi
echo "Signing complete. Downloading" echo "Signing complete. Downloading"
scp -q ${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH} scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Could not download newly signed file" echo "Could not download newly signed file"
exit 1 exit 1