├── .gitignore
├── MAINTAINERS
├── README.md
├── acbuild.sh
└── build.sh


/.gitignore:
--------------------------------------------------------------------------------
rootfs

--------------------------------------------------------------------------------
/MAINTAINERS:
--------------------------------------------------------------------------------
Sergiusz Urbaniak (@s-urbaniak)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## :warning: End of project :warning:

[![development](https://img.shields.io/badge/development-halted-red.svg)](https://github.com/rkt/rkt/issues/4024)

This project [has ended](https://github.com/rkt/rkt/issues/4024), and **all development/maintenance activities have halted**.

As it is free software, people are free and welcome to fork and develop the codebase on their own.
However, to avoid any confusion, the original repository is archived and we recommend any further fork/development to proceed with an explicit rename and rebranding first.

We encourage all interested parties to mirror any relevant bits as we can't actively guarantee their existence in the future.

---

# rkt-builder

This repository holds scripts and releases for the rkt-in-rkt builder ACI.

## Usage

### Building a new rkt-in-rkt builder ACI

To build the builder ACI image, first update the version variable `IMG_VERSION` in `acbuild.sh`, and execute:

    $ sudo ./acbuild.sh

The rkt project key must be used to sign the generated image. `$RKTSUBKEYID` is the key ID of the rkt Yubikey. Connect the key and run `gpg2 --card-status` to get the ID.

The public key for GPG signing can be found at [CoreOS Application Signing Key](https://coreos.com/security/app-signing-key) and is assumed to be trusted.

    $ gpg2 -u $RKTSUBKEYID'!' --armor --output rkt-builder.aci.asc --detach-sign rkt-builder.aci

Commit any changes to `acbuild.sh`, and push them.

Add a signed tag:

    $ GIT_COMMITTER_NAME="CoreOS Application Signing Key" GIT_COMMITTER_EMAIL="security@coreos.com" git tag -u $RKTSUBKEYID'!' -s v1.2.0 -m "rkt-builder v1.2.0"

Push the tag to GitHub:

    $ git push --tags

### Building rkt-in-rkt

    $ git clone https://github.com/rkt/rkt
    $ cd rkt
    $ sudo rkt run \
        --volume src-dir,kind=host,source="$(pwd)" \
        --volume build-dir,kind=host,source="$(pwd)/release-build" \
        --interactive \
        coreos.com/rkt/builder:1.3.0

## Overview

This repository consists of two scripts:

- `acbuild.sh`: This script builds the rkt-in-rkt builder ACI.
- `build.sh`: This script is added to the rkt-in-rkt builder ACI as `/scripts/build.sh`, and is defined as the entrypoint.

The built rkt-in-rkt ACI declares the following volumes:

- `src-dir`: Points to the directory holding the rkt source code.
- `build-dir`: Points to the output directory where the build artifacts are placed.

--------------------------------------------------------------------------------
/acbuild.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -ex

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

machine="$(uname -m)"

# Map the host architecture to the ACI arch label; x86_64 hosts also get
# the arm64 cross toolchain.
case ${machine} in
    x86_64)
        ACI_ARCH="amd64"
        DEBIAN_SID_DEPS_EXTRA="gcc-aarch64-linux-gnu libc6-dev-arm64-cross"
        ;;
    i386|aarch64|aarch64_be|armv6l|armv7l|armv7b|ppc64|ppc64le|s390x)
        ACI_ARCH="${machine}"
        ;;
    *)
        echo "Unknown machine: ${machine}" 1>&2
        exit 1
        ;;
esac

IMG_NAME="coreos.com/rkt/builder"
VERSION="1.3.0"
OS=linux
DEBIAN_VERSION=buster

FLAGS=${FLAGS:-""}
ACI_FILE=rkt-builder-"${VERSION}"-"${OS}"-"${ACI_ARCH}".aci
BUILDDIR=/opt/build-rkt
SRC_DIR=/opt/rkt
ACI_GOPATH=/go

# Packages installed into the Debian rootfs by debootstrap.
DEBIAN_SID_DEPS_BASE="ca-certificates \
    gcc \
    libc6-dev \
    make \
    automake \
    wget \
    git \
    golang-go \
    cpio \
    squashfs-tools \
    realpath \
    autoconf \
    file \
    xz-utils \
    patch \
    bc \
    locales \
    libacl1-dev \
    libssl-dev \
    libsystemd-dev \
    gnupg \
    ruby \
    ruby-dev \
    rpm \
    python \
    python3 \
    zlib1g-dev \
    pkg-config \
    libglib2.0-dev \
    libpixman-1-dev \
    libcap-dev \
    libfdt-dev \
"

DEBIAN_SID_DEPS="${DEBIAN_SID_DEPS_BASE} ${DEBIAN_SID_DEPS_EXTRA}"

# Exit handler: end the acbuild session and remove the rootfs while
# preserving the script's original exit code.
function acbuildend() {
    export EXIT=$?;
    acbuild --debug end && rm -rf rootfs && exit $EXIT;
}

echo "Generating debian ${DEBIAN_VERSION} tree"

mkdir rootfs
debootstrap --variant=minbase --components=main --include="${DEBIAN_SID_DEPS}" ${DEBIAN_VERSION} rootfs http://httpredir.debian.org/debian/
rm -rf rootfs/var/cache/apt/archives/*

echo "Version: v${VERSION}"
echo "Building ${ACI_FILE}"

acbuild begin ./rootfs
trap acbuildend EXIT

acbuild $FLAGS set-name $IMG_NAME
acbuild $FLAGS label add version $VERSION
acbuild $FLAGS set-user 0
acbuild $FLAGS set-group 0
# Retain mlock in addition to rkt's default seccomp whitelist.
echo '{ "set": ["@rkt/default-whitelist", "mlock"] }' | acbuild isolator add "os/linux/seccomp-retain-set" -
acbuild $FLAGS environment add OS_VERSION ${DEBIAN_VERSION}
acbuild $FLAGS environment add GOPATH $ACI_GOPATH
acbuild $FLAGS environment add BUILDDIR $BUILDDIR
acbuild $FLAGS environment add SRC_DIR $SRC_DIR
acbuild $FLAGS mount add build-dir $BUILDDIR
acbuild $FLAGS mount add src-dir $SRC_DIR
acbuild $FLAGS set-working-dir $SRC_DIR
acbuild $FLAGS copy-to-dir build.sh /scripts
acbuild $FLAGS run /bin/mkdir -- -p $ACI_GOPATH
# actool and fpm are fetched at image build time; no version is pinned here.
acbuild $FLAGS run /bin/sh -- -c "GOPATH=${ACI_GOPATH} go get github.com/appc/spec/actool"
if [[ "${ACI_ARCH}" == "amd64" ]]; then
    acbuild $FLAGS run /usr/bin/gem -- install fpm
fi
acbuild $FLAGS set-exec /bin/bash /scripts/build.sh
acbuild write --overwrite $ACI_FILE

--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -e

# Entrypoint of the builder ACI; acbuild.sh sets the working directory to
# $SRC_DIR, where the src-dir volume is mounted.
./autogen.sh
./configure \
    --enable-tpm=no \
    --with-stage1-default-images-directory=/usr/lib/rkt/stage1-images \
    --with-stage1-default-location=/usr/lib/rkt/stage1-images/stage1-coreos.aci
make manpages
make bash-completion
make -j4

--------------------------------------------------------------------------------
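
The README signs the ACI and the release tag with a subkey (`$RKTSUBKEYID'!'`), so a consumer has to check the primary-key fingerprint that gpg reports, not the signing-key fingerprint. The script below is an added example, not part of the rkt-builder repository; the function names and `PINNED_PRIMARY_FPR` (a placeholder, not a real fingerprint) are assumptions.

```sh
#!/bin/sh
# Added example: check the detached ACI signature and the signed tag
# against a pinned primary key.

# Placeholder, not a real fingerprint: set this to the primary-key fingerprint
# of the CoreOS Application Signing Key, obtained out of band.
PINNED_PRIMARY_FPR="0000000000000000000000000000000000000000"

# Reads `gpg --status-fd` lines on stdin; $1 is the expected primary-key
# fingerprint. Succeeds only when exactly one VALIDSIG is present, its
# primary-key field (10th argument) matches, and gpg reported no bad,
# expired or revoked signature. The README signs with a subkey
# ($RKTSUBKEYID'!'), so the first VALIDSIG argument is the subkey
# fingerprint and must not be compared with the pinned primary key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; if (toupper($12) != toupper(want)) bad = 1 }
        END { exit !(n == 1 && !bad) }
    '
}

# verify_aci <image.aci> <image.aci.asc>
verify_aci() {
    # Status lines go to stdout (fd 1); human-readable output is discarded.
    gpg2 --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_PRIMARY_FPR"
}

# verify_tag <tag>, run inside the clone; --raw prints gpg status on stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 | check_status "$PINNED_PRIMARY_FPR"
}

# Stand-alone use: ./verify.sh rkt-builder.aci rkt-builder.aci.asc
[ "$#" -ne 2 ] || verify_aci "$1" "$2"
```

The public key must already be in the local keyring; the check fails closed when gpg emits no `VALIDSIG` line at all.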