Polish up for working version 0.0.2

2024-01-07 21:42:44 +01:00 · 2024-01-07 21:42:44 +01:00 · 502f81ffdc
parent 9b51edbed2
commit 502f81ffdc
16 changed files with 208 additions and 33 deletions
--- a/mkosi.conf
+++ b/mkosi.conf
@ -5,22 +5,15 @@ Architecture=x86-64
 [Config]
 Images=server

-[Output]
-# For Reproducible Builds
-Seed=834dd70f55be43cc9934b20fc0b7f7be
-
 [Validation]
-SecureBoot=true
 # Use RSA 2048 keys for wide UEFI compatibility
 SecureBootKey=signing-keys/rafeOS_secureboot.key
 SecureBootCertificate=signing-keys/rafeOS_secureboot.crt
-SignExpectedPcr=true
 # Use modern EC keys
 VerityKey=signing-keys/rafeOS_verity.key
 VerityCertificate=signing-keys/rafeOS_verity.crt
-Checksum=true

 [Host]
 Incremental=true
 ToolsTree=default
-RuntimeSize=12G
+RuntimeSize=16G
--- a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-systemd.conf
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-systemd.conf
@ -31,7 +31,7 @@ C   /etc/systemd/journal-remote.conf
 C   /etc/systemd/journal-upload.conf
 C   /etc/systemd/journald.conf
 C   /etc/systemd/logind.conf
-C   /etc/systemd/network/networkd.conf
+C   /etc/systemd/networkd.conf
 C   /etc/systemd/oomd.conf
 C   /etc/systemd/pstore.conf
 C   /etc/systemd/resolved.conf
--- a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/systemd-resolved.conf
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/systemd-resolved.conf
@ -1 +1,2 @@
+# Use systemd-resolved as dns backend (auto-detected)
 L+  /etc/resolv.conf - - - /run/systemd/resolve/stub-resolv.conf
--- a/mkosi.images/base/mkosi.postinst.chroot
+++ b/mkosi.images/base/mkosi.postinst.chroot
@ -1,4 +1,6 @@
 #!/bin/bash
+set -eu
+
 ETC_FACTORY_DIR=/usr/share/factory/etc

 # copy additional files provided by package filesystem to factory
@ -36,17 +38,15 @@ cp -af /etc/systemd/journal-remote.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/journal-upload.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/journald.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/logind.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/networkd.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/oomd.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/pstore.conf $ETC_FACTORY_DIR/systemd/
-cp -af /etc/systemd/resovled.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/resolved.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/sleep.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/system.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/timesyncd.conf $ETC_FACTORY_DIR/systemd/
 cp -af /etc/systemd/user.conf $ETC_FACTORY_DIR/systemd/

-install -d -m0755 $ETC_FACTORY_DIR/systemd/network/
-cp -af /etc/systemd/network/networkd.conf $ETC_FACTORY_DIR/systemd/network/
-
 install -d -m0755 $ETC_FACTORY_DIR/udev/
 cp -af /etc/udev/iocost.conf $ETC_FACTORY_DIR/udev/
 cp -af /etc/udev/udev.conf $ETC_FACTORY_DIR/udev/
@ -87,12 +87,12 @@ cp -af /etc/tpm2-tss/fapi-profiles/P_RSA2048SHA256.json $ETC_FACTORY_DIR/tpm2-ts

 # copy files provided by package bash to factory
 cp -af /etc/bash.bash_logout $ETC_FACTORY_DIR/
-cp -af /etc/bash.rc $ETC_FACTORY_DIR/
+cp -af /etc/bash.bashrc $ETC_FACTORY_DIR/

 install -d -m0755 $ETC_FACTORY_DIR/skel/
-cp -af /etc/.bash_logout $ETC_FACTORY_DIR/skel/
-cp -af /etc/.bash_profile $ETC_FACTORY_DIR/skel/
-cp -af /etc/.bashrc $ETC_FACTORY_DIR/skel/
+cp -af /etc/skel/.bash_logout $ETC_FACTORY_DIR/skel/
+cp -af /etc/skel/.bash_profile $ETC_FACTORY_DIR/skel/
+cp -af /etc/skel/.bashrc $ETC_FACTORY_DIR/skel/

 # copy files provided by package kbd to factory
 install -d -m0755 $ETC_FACTORY_DIR/pam.d/
@ -189,7 +189,7 @@ install -d -m0755 $ETC_FACTORY_DIR/fwupd/
 cp -af /etc/fwupd/fwupd.conf $ETC_FACTORY_DIR/fwupd/

 install -d -m0755 $ETC_FACTORY_DIR/fwupd/bios-settings.d/
-cp -af /etc/fwupd/bios-settings.d/README $ETC_FACTORY_DIR/fwupd/bios-settings.d/
+cp -af /etc/fwupd/bios-settings.d/README.md $ETC_FACTORY_DIR/fwupd/bios-settings.d/

 install -d -m0755 $ETC_FACTORY_DIR/fwupd/remotes.d/
 cp -af /etc/fwupd/remotes.d/fwupd-tests.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
@ -207,7 +207,7 @@ cp -af /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTOR
 cp -af /etc/pki/fwupd-metadata/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd-metadata/

 install -d -m0755 $ETC_FACTORY_DIR/pki/fwupd/
-cp -af /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Metadata $ETC_FACTORY_DIR/pki/fwupd/
+cp -af /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware $ETC_FACTORY_DIR/pki/fwupd/
 cp -af /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTORY_DIR/pki/fwupd/
 cp -af /etc/pki/fwupd/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd/

--- a/mkosi.images/initrd/mkosi.conf
+++ b/mkosi.images/initrd/mkosi.conf
@ -81,9 +81,4 @@ RemoveFiles=
 	/usr/share/man/*
 	/usr/share/locale/*
 	/usr/share/info/*
-	/usr/share/gtk-doc/*
-
-[Validation]
-SecureBoot=false
-SignExpectedPcr=false
-Checksum=false
+	/usr/share/gtk-doc/*
--- a/mkosi.images/server/mkosi.conf
+++ b/mkosi.images/server/mkosi.conf
@ -9,7 +9,12 @@ SplitArtifacts=yes
 ManifestFormat=json,changelog
 ImageId=rafeOS
 SectorSize=4096
-CompressOutput=xz
+# For Reproducible Builds
+Seed=834dd70f55be43cc9934b20fc0b7f7be
+
+[Validation]
+SecureBoot=true
+SignExpectedPcr=true

 [Content]
 Bootable=yes
@ -28,10 +33,10 @@ KernelCommandLine=
 	#quiet
 	# prevent access to a shell if boot fails
 	rd.shell=0
-	# prevent access to a shell if the root is corrupt
+	# prevent access to a shell if the /usr is corrupt
 	rd.emergency=reboot
 	# prevents untrusted code from running (the default behavior will just print an error to dmesg)
-	systemd.verity_root_options=panic-on-corruption
+	systemd.verity_usr_options=panic-on-corruption
 	# reboot system 30 seconds after a kernel panic
 	panic=30
 	# enable apparmor (enables kernel lockdown mode, requires signed kernel modules)
--- a/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/40-verity-sig.conf
+++ b/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/40-verity-sig.conf
@ -0,0 +1,15 @@
+[Transfer]
+ProtectVersion=%A
+
+[Source]
+Type=url-file
+Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
+MatchPattern=rafeOS-server_@v_@u.usr-verity-sig.raw.xz
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=rafeOS-server_@v
+MatchPartitionType=usr-verity-sig
+PartitionFlags=0
+ReadOnly=1
--- a/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/50-verity.conf
+++ b/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/50-verity.conf
@ -0,0 +1,15 @@
+[Transfer]
+ProtectVersion=%A
+
+[Source]
+Type=url-file
+Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
+MatchPattern=rafeOS-server_@v_@u.usr-verity.raw.xz
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=rafeOS-server_@v
+MatchPartitionType=usr-verity
+PartitionFlags=0
+ReadOnly=1
--- a/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/60-usr.conf
+++ b/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/60-usr.conf
@ -0,0 +1,15 @@
+[Transfer]
+ProtectVersion=%A
+
+[Source]
+Type=url-file
+Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
+MatchPattern=rafeOS-server_@v_@u.usr.raw.xz
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=rafeOS-server_@v
+MatchPartitionType=usr
+PartitionFlags=0
+ReadOnly=1
--- a/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/70-kernel.conf
+++ b/mkosi.images/server/mkosi.extra/usr/lib/sysupdate.d/70-kernel.conf
@ -0,0 +1,19 @@
+[Transfer]
+ProtectVersion=%A
+
+[Source]
+Type=url-file
+Path=https://code.strobel.one/api/packages/rafeOS/generic/image/server/
+MatchPattern=rafeOS-server_@v.efi
+
+[Target]
+Type=regular-file
+Path=/EFI/Linux
+PathRelativeTo=boot
+MatchPattern=rafeOS-server_@v+@l-@d.efi \
+             rafeOS-server_@v+@l.efi \
+             rafeOS-server_@v.efi
+Mode=0444
+TriesLeft=3
+TriesDone=0
+InstancesMax=2
--- a/mkosi.images/server/mkosi.postinst.chroot
+++ b/mkosi.images/server/mkosi.postinst.chroot
@ -1,6 +1,4 @@
 #!/bin/bash
+set -eu

-echo "VARIANT_ID=server" >> /etc/os-release
-
-# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
-ln -sf /run/systemd/resolve/stub-resolve.conf /etc/resolv.conf
+echo "VARIANT_ID=\"server\"" >> /etc/os-release
--- a/mkosi.images/server/mkosi.repart/10-usr.conf
+++ b/mkosi.images/server/mkosi.repart/10-usr.conf
@ -1,5 +1,6 @@
 [Partition]
 Type=usr
+SplitName=usr
 Label=%M-%W_%A
 SizeMinBytes=3G
 SizeMaxBytes=3G
--- a/mkosi.images/server/mkosi.repart/11-usr-verity.conf
+++ b/mkosi.images/server/mkosi.repart/11-usr-verity.conf
@ -1,5 +1,6 @@
 [Partition]
 Type=usr-verity
+SplitName=usr-verity
 Label=%M-%W_%A
 SizeMinBytes=256M
 SizeMaxBytes=256M
--- a/mkosi.images/server/mkosi.repart/12-usr-verity-sig.conf
+++ b/mkosi.images/server/mkosi.repart/12-usr-verity-sig.conf
@ -1,5 +1,6 @@
 [Partition]
 Type=usr-verity-sig
+SplitName=usr-verity-sig
 Label=%M-%W_%A
 Verity=signature
 VerityMatchKey=usr
--- a/mkosi.images/server/mkosi.version
+++ b/mkosi.images/server/mkosi.version
@ -1 +1 @@
-0.0.1
+0.0.2
--- a/prepare-release-upload.sh
+++ b/prepare-release-upload.sh
@ -0,0 +1,116 @@
+#!/bin/bash
+set -eu
+
+IMAGE_ID="rafeOS"
+IMAGE_VARIANT="server"
+# rafeOS release signing key <rafeos-release@rafe.li>
+GPG_SIGNING_KEY="497B1B17BEE53D5DF0AE833F60775900DDDFAA67"
+
+# Check if script is run as root
+if [ "$(id -u)" -ne 0 ]; then
+    echo "Error: This script must be run as root (use sudo)."
+    exit 1
+fi
+
+# Check if a directory path is provided
+if [ $# -lt 1 ]; then
+    echo "Error: Please provide the path to the directory containing raw disk image files as the first parameter."
+    exit 1
+fi
+
+# Set the output directory and get its absolute path
+output_directory=$(realpath "$1")
+
+# Check if the version string is provided as the second argument
+if [ $# -lt 2 ]; then
+    # Determine the latest semver version from the files in the directory
+    latest_raw_file=$(find "$output_directory" -maxdepth 1 -type f -name "${IMAGE_ID}-${IMAGE_VARIANT}_*.raw" | \
+        grep -E "${IMAGE_ID}-${IMAGE_VARIANT}_([0-9]+\.[0-9]+\.[0-9]+)\.raw" | \
+        sort -V | tail -n 1)
+    
+    if [ -n "$latest_raw_file" ]; then
+        version_string=$(basename "$latest_raw_file" | sed -n "s/${IMAGE_ID}-${IMAGE_VARIANT}_\([0-9]*\.[0-9]*\.[0-9]*\)\.raw/\1/p")
+    else
+        echo "Error: No raw disk image files found in the directory."
+        exit 1
+    fi
+else
+    version_string="$2"
+fi
+
+# Check if the version string is not empty
+if [ -z "$version_string" ]; then
+    echo "Error: Unable to determine the version string."
+    exit 1
+fi
+
+# Run systemd-dissect on the raw disk image file and save the json output
+json_output=$(systemd-dissect "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string.raw" --json=short)
+
+# Extract partition UUIDs for each partition type using jq
+declare -A partition_uuids
+
+partition_types=("usr" "usr-verity" "usr-verity-sig")
+for partition_type in $(echo "${partition_types[@]}" | tr ' ' '\n' | sort); do
+    partition_uuid=$(echo "$json_output" | jq -r '.mounts[] | select(.designator == "'"$partition_type"'") | .partition_uuid')
+    partition_uuids["$partition_type"]=$partition_uuid
+done
+
+## Output the content of the array as a table
+#echo -e "Partition Type\tUUID"
+#for partition_type in $(echo "${!partition_uuids[@]}" | tr ' ' '\n' | sort); do
+#    uuid=${partition_uuids["$partition_type"]}
+#    echo -e "$partition_type\t$uuid"
+#done
+
+echo "Rename and source the files in the output directory..."
+for file in "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".*; do
+    if [[ -f $file ]]; then
+        # Extract the file extension
+        extension="${file##*.}"
+        
+        # Check if the file is one of the raw partitions that needs renaming
+        if [[ $extension == "raw" && $file =~ $version_string\.([^.]+)\.raw$ ]]; then
+            partition_type="${BASH_REMATCH[1]}"
+            
+            # Check if the partition type is in the array
+            if [[ -n "${partition_uuids[$partition_type]}" ]]; then
+                new_filename="${IMAGE_ID}-${IMAGE_VARIANT}_${version_string}_${partition_uuids[$partition_type]}.$partition_type.raw"
+                mv "$file" "$output_directory/$new_filename"
+                echo "Renamed: $file -> $new_filename"
+            else
+                echo "Error: Partition type $partition_type not found in partition_uuids array."
+            fi
+        fi
+    fi
+done
+
+# Create a new directory for the release
+release_directory="$output_directory/release-v$version_string"
+mkdir -p "$release_directory"
+
+# Move all files of the release to the new directory
+mv "$output_directory/${IMAGE_ID}-${IMAGE_VARIANT}_$version_string"* "$release_directory/"
+
+cd "$release_directory/"
+
+echo "Compress files via xz..."
+for file in "${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".raw \
+            "${IMAGE_ID}-${IMAGE_VARIANT}_$version_string"_{*.usr.raw,*.usr-verity.raw,*.usr-verity-sig.raw} \
+            "${IMAGE_ID}-${IMAGE_VARIANT}_$version_string".efi; do
+    if [[ -f "$file" ]]; then
+        xz --verbose --threads=0 "$file"
+        echo "Compressed: $file -> $file.xz"
+    fi
+done
+
+# Delete unneeded files ending in <VERSION>.initrd and <VERSION>.vmlinuz
+rm -f "${IMAGE_ID}-server_$version_string".{initrd,vmlinuz}
+
+echo "Calculate SHA256 checksums for all files in the release directory..."
+sha256sum * > "SHA256SUMS"
+
+echo "Sign the SHA256SUMS file with a detached signature..."
+gpg --default-key "$GPG_SIGNING_KEY" --output "SHA256SUMS.gpg" --detach-sign "SHA256SUMS"
+
+echo "Release for image version $version_string is ready in $release_directory!"
 @ -1 +1 @@
 .0.1
 .0.2