
use apt cacher, minor cleanup

tags/0.1
devrandom 9 years ago
parent
commit
85809700da
4 changed files with 27 additions and 19 deletions
  1. 2
    0
      .gitignore
  2. 10
    7
      README.md
  3. 11
    11
      bin/gbuild
  4. 4
    1
      bin/make-base-vm

+ 2
- 0
.gitignore View File

@@ -6,3 +6,5 @@ build
var
result
inputs
base*
*.qcow2

+ 10
- 7
README.md View File

@@ -8,18 +8,21 @@ This package can do a deterministic build of a package inside a VM.

This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.

Synopsis:
## Synopsis:

* Install prereqs:
Install prereqs:

sudo apt-get install python-vm-builder qemu-kvm
sudo apt-get install python-vm-builder qemu-kvm apt-cacher
sudo service apt-cacher start

* This will create the base VM for use in further builds (requires sudo):
Create the base VM for use in further builds (requires sudo, please review the script):

bin/make-base-vm

* This will build using a YAML description file (can be run as non-root):
Copy any additional build inputs into a directory named _inputs_.

bin/gbuild _package_-desc.yml
Then execute the build using a YAML description file (can be run as non-root):

The resulting report will appear in result/_package_-res.yml
bin/gbuild <package>-desc.yml

The resulting report will appear in result/\<package\>-res.yml

+ 11
- 11
bin/gbuild View File

@@ -84,21 +84,21 @@ info ''

system! "on-target true"

info "Installing additional packages (log in var/install.log)"
system! "on-target -u root apt-get -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1"

info "Grabbing package manifest"
system! "on-target -u root bash < target-bin/grab-packages.sh > var/base.manifest"

info "Preparing build environment"
system! "on-target bash < target-bin/init-build.sh"

build_desc["files"].each do |filename|
filename = sanitize(filename, "files section")
system! "cd inputs ; copy-to-target #(unknown) build/"
in_sums << `cd inputs ; sha256sum #(unknown)`
system! "cd inputs && copy-to-target #(unknown) build/"
in_sums << `cd inputs && sha256sum #(unknown)`
end

info "Installing additional packages (log in var/install.log)"
system! "on-target -u root apt-get -y install #{build_desc["packages"].join(" ")} > var/install.log 2>&1"

info "Grabbing package manifest"
system! "on-target -u root bash < target-bin/grab-packages.sh > var/base.manifest"

info "Creating build script (var/build-script)"

File.open("var/build-script", "w") do |script|
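Review bot: The input checksum appended by the new `in_sums << \`cd inputs && sha256sum #{filename}\`` line is still taken without checking `$?`, so a missing or unreadable input leaves an empty entry in the report that verifiers rely on, while the output loop later in this file raises on exactly that failure. Add `raise "failed to sum #{filename}" unless $? == 0` directly after it, mirroring that check. Separately, the moved `apt-get -y install #{build_desc["packages"].join(" ")}` line, run as root on the target once the inputs are in place, interpolates the descriptor's package list into a shell command without the `sanitize` call the filenames get; passing each name through `sanitize(pkg, "packages section")` would close that gap, assuming `sanitize` (defined outside this hunk) rejects shell metacharacters. The `File.open` block opened on the hunk's last line continues past it.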
@@ -113,7 +113,7 @@ File.open("var/build-script", "w") do |script|
script.puts
build_desc["remotes"].each do |remote|
script.puts "git clone -q #{remote["url"]} build/#{remote["dir"]}"
script.puts "(cd build/#{remote["dir"]} ; git checkout -q #{remote["commit"]})"
script.puts "(cd build/#{remote["dir"]} && git checkout -q #{remote["commit"]})"
end
script.puts "cd build"
script.puts build_desc["script"]
@@ -132,7 +132,7 @@ info "Generating report"
Dir.new(out_dir).each do |file|
next if file.start_with?(".")
file = sanitize(file, out_dir)
out_sums[file] = `cd #{out_dir} ; sha256sum #{file}`
out_sums[file] = `cd #{out_dir} && sha256sum #{file}`
raise "failed to sum #{file}" unless $? == 0
puts out_sums[file] unless @options[:quiet]
end
@@ -155,6 +155,6 @@ File.open(File.join(result_dir, result_file), "w") do |io|
io.write report.to_yaml
end

system!("cd #{result_dir} ; sha256sum #{result_file}") unless @options[:quiet]
system!("cd #{result_dir} && sha256sum #{result_file}") unless @options[:quiet]

info "Done."

+ 4
- 1
bin/make-base-vm View File

@@ -3,9 +3,12 @@ set -e

SUITE=lucid
ARCH=amd64
MIRROR=http://${MIRROR_HOST:-`hostname`}:3142/archive.ubuntu.com/ubuntu

mkdir -p var

if [ ! -e var/id_dsa ]; then
ssh-keygen -t dsa -f var/id_dsa -N ""
fi
sudo vmbuilder kvm ubuntu --arch=$ARCH --suite=$SUITE --addpkg=openssh-server,pciutils,build-essential,git-core,mercurial,subversion --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=http://localhost:3142/ubuntu --dest=base --flavour=virtual --overwrite
sudo vmbuilder kvm ubuntu --arch=$ARCH --suite=$SUITE --addpkg=openssh-server,pciutils,build-essential,git-core,subversion --ssh-key=var/id_dsa.pub --ssh-user-key=var/id_dsa.pub --mirror=$MIRROR --dest=base --flavour=virtual --overwrite
mv base/*.qcow2 base.qcow2
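Review bot: The new `MIRROR` value is expanded unquoted in `--mirror=$MIRROR`, and its host comes from `MIRROR_HOST` or `hostname` without validation, so a value containing whitespace or shell metacharacters is split into extra vmbuilder arguments before `sudo` runs them; quote it as `--mirror="$MIRROR"`. Because the mirror is now plain HTTP through the apt-cacher proxy on port 3142, the only integrity check on the packages that go into the base image is apt/debootstrap's Release-signature verification, so it is worth confirming that vmbuilder is not invoked with that verification disabled, since a tampered cache would otherwise silently change the base VM every deterministic build starts from. `hostname` is evaluated on the host, but if vmbuilder also writes this mirror into the guest's apt sources (as its `--mirror` option presumably does) the guest must be able to resolve and reach that name for the later package installs, which may not hold on a default KVM network; documenting `MIRROR_HOST` in the README would help users hit by that.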
