authorJorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>2016-03-24 04:01:55 +0000
committerJorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>2016-03-24 04:01:55 +0000
commitece722e3b7a35118acd9fd00513ffa816bb98043 (patch)
tree0b7ef3397397695bb78777ab2223d6a0cd976358
parentAdd minimal stage4s. (diff)
downloadreleng-ece722e3b7a35118acd9fd00513ffa816bb98043.tar.gz
releng-ece722e3b7a35118acd9fd00513ffa816bb98043.tar.bz2
releng-ece722e3b7a35118acd9fd00513ffa816bb98043.zip
Add hardened stage4 and tools-* from master.
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
-rw-r--r--releases/weekly/specs/amd64/hardened/stage4-minimal.spec73
-rw-r--r--releases/weekly/specs/amd64/hardened/stage4-nomultilib-minimal.spec73
-rw-r--r--tools-hardened/common.sh61
-rwxr-xr-xtools-systemd/clean.sh6
-rw-r--r--tools-systemd/common.sh61
-rwxr-xr-xtools-systemd/run.sh50
-rw-r--r--tools-systemd/stage-all.conf.template7
7 files changed, 331 insertions, 0 deletions
diff --git a/releases/weekly/specs/amd64/hardened/stage4-minimal.spec b/releases/weekly/specs/amd64/hardened/stage4-minimal.spec
new file mode 100644
index 00000000..895a48dd
--- /dev/null
+++ b/releases/weekly/specs/amd64/hardened/stage4-minimal.spec
@@ -0,0 +1,73 @@
+subarch: amd64
+target: stage4
+version_stamp: hardened+minimal-latest
+rel_type: hardened
+profile: hardened/linux/amd64
+snapshot: latest
+source_subpath: hardened/stage3-amd64-hardened-latest
+portage_confdir: @REPO_DIR@/releases/weekly/portage/cloud-stages
+
+stage4/use:
+ bindist
+ bzip2
+ idm
+ ipv6
+ mmx
+ sse
+ sse2
+ urandom
+
+stage4/packages:
+ app-admin/sudo
+ net-misc/dhcp
+ sys-boot/grub
+ sys-apps/dmidecode
+ sys-apps/gptfdisk
+ sys-apps/iproute2
+ sys-apps/lsb-release
+ sys-devel/bc
+ sys-power/acpid
+stage4/fsscript: @REPO_DIR@/releases/weekly/scripts/cloud-prep.sh
+stage4/root_overlay: @REPO_DIR@/releases/weekly/overlays/cloud-overlay
+stage4/rcadd:
+ acpid|default
+ net.lo|default
+ netmount|default
+ sshd|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: @REPO_DIR@/releases/weekly/kconfig/amd64/cloud-amd64-hardened.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules
+
+# all of the cleanup...
+stage4/unmerge:
+ sys-kernel/genkernel
+ sys-kernel/hardened-sources
+
+stage4/empty:
+ /root/.ccache
+ /tmp
+ /usr/portage/distfiles
+ /usr/src
+ /var/cache/edb/dep
+ /var/cache/genkernel
+ /var/cache/portage/distfiles
+ /var/empty
+ /var/run
+ /var/state
+ /var/tmp
+
+stage4/rm:
+ /etc/*-
+ /etc/*.old
+ /etc/ssh/ssh_host_*
+ /root/.*history
+ /root/.lesshst
+ /root/.ssh/known_hosts
+ /root/.viminfo
+ # Remove any generated stuff by genkernel
+ /usr/share/genkernel
+ # This is 3MB of crap for each copy
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
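Review bot: The `stage4/packages` list here diverges from the otherwise identical stage4-nomultilib-minimal.spec in the next hunk without any comment explaining why: this file pulls in `sys-apps/dmidecode`, while the nomultilib spec drops it and adds `net-misc/iputils` instead. If the difference is deliberate, a one-line comment above each entry (`# <reason this package is only in this variant>`) would keep the next copy-sync from "fixing" it; if it is not, the two lists should be aligned. Everything else in the two specs, including the `stage4/rm` cleanup of `/etc/ssh/ssh_host_*`, root shell history and `/root/.ssh/known_hosts` before the image is published, is identical.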
diff --git a/releases/weekly/specs/amd64/hardened/stage4-nomultilib-minimal.spec b/releases/weekly/specs/amd64/hardened/stage4-nomultilib-minimal.spec
new file mode 100644
index 00000000..c083a4e6
--- /dev/null
+++ b/releases/weekly/specs/amd64/hardened/stage4-nomultilib-minimal.spec
@@ -0,0 +1,73 @@
+subarch: amd64
+target: stage4
+version_stamp: hardened+minimal-nomultilib-latest
+rel_type: hardened
+profile: hardened/linux/amd64/no-multilib
+snapshot: latest
+source_subpath: hardened/stage3-amd64-hardened+nomultilib-latest
+portage_confdir: @REPO_DIR@/releases/weekly/portage/cloud-stages
+
+stage4/use:
+ bindist
+ bzip2
+ idm
+ ipv6
+ mmx
+ sse
+ sse2
+ urandom
+
+stage4/packages:
+ app-admin/sudo
+ net-misc/dhcp
+ net-misc/iputils
+ sys-boot/grub
+ sys-apps/gptfdisk
+ sys-apps/iproute2
+ sys-apps/lsb-release
+ sys-devel/bc
+ sys-power/acpid
+stage4/fsscript: @REPO_DIR@/releases/weekly/scripts/cloud-prep.sh
+stage4/root_overlay: @REPO_DIR@/releases/weekly/overlays/cloud-overlay
+stage4/rcadd:
+ acpid|default
+ net.lo|default
+ netmount|default
+ sshd|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: @REPO_DIR@/releases/weekly/kconfig/amd64/cloud-amd64-hardened.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules
+
+# all of the cleanup...
+stage4/unmerge:
+ sys-kernel/genkernel
+ sys-kernel/hardened-sources
+
+stage4/empty:
+ /root/.ccache
+ /tmp
+ /usr/portage/distfiles
+ /usr/src
+ /var/cache/edb/dep
+ /var/cache/genkernel
+ /var/cache/portage/distfiles
+ /var/empty
+ /var/run
+ /var/state
+ /var/tmp
+
+stage4/rm:
+ /etc/*-
+ /etc/*.old
+ /etc/ssh/ssh_host_*
+ /root/.*history
+ /root/.lesshst
+ /root/.ssh/known_hosts
+ /root/.viminfo
+ # Remove any generated stuff by genkernel
+ /usr/share/genkernel
+ # This is 3MB of crap for each copy
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
diff --git a/tools-hardened/common.sh b/tools-hardened/common.sh
new file mode 100644
index 00000000..9a0a03af
--- /dev/null
+++ b/tools-hardened/common.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+source /etc/catalyst/catalyst.conf
+
+mydate=`date +%Y%m%d`
+
+
+undo_grsec() {
+ [[ -d /proc/sys/kernel/grsecurity ]] || return
+ for i in /proc/sys/kernel/grsecurity/chroot_* ; do
+ echo 0 > $i
+ done
+}
+
+
+banner() {
+cat << EOF | tee -a zzz.log > stage$1-$2-systemd.log
+
+************************************************************************
+* stage$1-$2-systemd
+************************************************************************"
+
+EOF
+}
+
+
+do_stages() {
+ local arch=$1
+
+ for s in 1 2 3; do
+ local tgpath="${storedir}/builds/systemd/${arch}"
+ local target="stage${s}-${arch}-systemd-${mydate}.tar.bz2"
+ local tglink="stage${s}-${arch}-systemd.tar.bz2"
+
+ if [[ ! -f "${tgpath}/${tglink}" ]]; then
+ touch stage${s}-${arch}-systemd.log
+ echo "!!! ${tglink} at ${tgpath} doesn't exist" \
+ | tee -a zzz.log \
+ > stage${s}-${arch}-systemd.err
+ return 1
+ fi
+
+ banner ${s} ${arch}
+ catalyst -f stage${s}-${arch}-systemd.conf \
+ | tee -a zzz.log \
+ > stage${s}-${arch}-systemd.log \
+ 2> stage${s}-${arch}-systemd.err
+
+ if [[ -f "${tgpath}/${target}" ]]; then
+ rm -f "${tgpath}/${tglink}"
+ ln -s ${target} "${tgpath}/${tglink}"
+ else
+ echo "!!! ${target} was not generated" \
+ | tee -a zzz.log \
+ >stage${s}-${arch}-systemd.err
+ return 1
+ fi
+ done
+
+ return 0
+}
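Review bot: This file is a byte-for-byte copy of tools-systemd/common.sh (both hunks show blob `9a0a03af`), so `banner` and `do_stages` still hard-code the systemd flavor: `tgpath="${storedir}/builds/systemd/${arch}"`, the `stage${s}-${arch}-systemd.conf` catalyst config and the `-systemd` log, err and tarball names, which from tools-hardened would read the systemd confs and refresh the symlinks in the systemd build tree. Presumably the hardened tree is `builds/hardened` (the spec files use `rel_type: hardened`), so the flavor should become one variable as sketched below. Two smaller defects shared with the tools-systemd copy: the trailing `2> stage${s}-${arch}-systemd.err` on the catalyst pipeline redirects tee's stderr rather than catalyst's, so catalyst's own errors never reach the .err file, and the banner's closing `****...****"` line carries a stray `"` that ends up in the log. The sketch moves the stderr redirect onto catalyst, drops the quote and quotes the file names.
```shell
# Build flavor used for the catalyst conf names, the log/err names and the
# ${storedir}/builds/<flavor> tree; this copy lives in tools-hardened.
readonly flavor=hardened

banner() {
cat << EOF | tee -a zzz.log > "stage$1-$2-${flavor}.log"

************************************************************************
* stage$1-$2-${flavor}
************************************************************************

EOF
}

do_stages() {
  local arch=$1

  for s in 1 2 3; do
    local tgpath="${storedir}/builds/${flavor}/${arch}"
    local target="stage${s}-${arch}-${flavor}-${mydate}.tar.bz2"
    local tglink="stage${s}-${arch}-${flavor}.tar.bz2"
    local log="stage${s}-${arch}-${flavor}.log"
    local err="stage${s}-${arch}-${flavor}.err"

    # … unchanged: missing-source check, now writing to "${log}" / "${err}" …

    banner "${s}" "${arch}"
    # 2> belongs to catalyst; placed after tee it only captured tee's stderr
    catalyst -f "stage${s}-${arch}-${flavor}.conf" 2> "${err}" \
      | tee -a zzz.log > "${log}"

    # … unchanged: symlink refresh and "was not generated" failure path …
  done

  return 0
}
```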
diff --git a/tools-systemd/clean.sh b/tools-systemd/clean.sh
new file mode 100755
index 00000000..916c4eb4
--- /dev/null
+++ b/tools-systemd/clean.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This just removes the temporary conf err and log
+# files generated during a run
+
+rm -f *conf *err *log
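Review bot: `rm -f *conf *err *log` acts on whatever directory the caller happens to be in, so running the script from anywhere other than tools-systemd deletes every file ending in conf, err or log there; it also lacks `--`, so a matching name that starts with `-` would be parsed as an option. Anchoring on the script's own directory and terminating option parsing is enough: `cd -- "$(dirname -- "$0")" || exit 1` followed by `rm -f -- *conf *err *log`. With bash's default globbing an unmatched pattern is passed through literally and `-f` ignores the non-existent name, so no nullglob handling is needed here.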
diff --git a/tools-systemd/common.sh b/tools-systemd/common.sh
new file mode 100644
index 00000000..9a0a03af
--- /dev/null
+++ b/tools-systemd/common.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+source /etc/catalyst/catalyst.conf
+
+mydate=`date +%Y%m%d`
+
+
+undo_grsec() {
+ [[ -d /proc/sys/kernel/grsecurity ]] || return
+ for i in /proc/sys/kernel/grsecurity/chroot_* ; do
+ echo 0 > $i
+ done
+}
+
+
+banner() {
+cat << EOF | tee -a zzz.log > stage$1-$2-systemd.log
+
+************************************************************************
+* stage$1-$2-systemd
+************************************************************************"
+
+EOF
+}
+
+
+do_stages() {
+ local arch=$1
+
+ for s in 1 2 3; do
+ local tgpath="${storedir}/builds/systemd/${arch}"
+ local target="stage${s}-${arch}-systemd-${mydate}.tar.bz2"
+ local tglink="stage${s}-${arch}-systemd.tar.bz2"
+
+ if [[ ! -f "${tgpath}/${tglink}" ]]; then
+ touch stage${s}-${arch}-systemd.log
+ echo "!!! ${tglink} at ${tgpath} doesn't exist" \
+ | tee -a zzz.log \
+ > stage${s}-${arch}-systemd.err
+ return 1
+ fi
+
+ banner ${s} ${arch}
+ catalyst -f stage${s}-${arch}-systemd.conf \
+ | tee -a zzz.log \
+ > stage${s}-${arch}-systemd.log \
+ 2> stage${s}-${arch}-systemd.err
+
+ if [[ -f "${tgpath}/${target}" ]]; then
+ rm -f "${tgpath}/${tglink}"
+ ln -s ${target} "${tgpath}/${tglink}"
+ else
+ echo "!!! ${target} was not generated" \
+ | tee -a zzz.log \
+ >stage${s}-${arch}-systemd.err
+ return 1
+ fi
+ done
+
+ return 0
+}
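Review bot: `undo_grsec` writes 0 to every `/proc/sys/kernel/grsecurity/chroot_*` sysctl on the build host, and nothing in this file or in run.sh ever sets them back, so the host's grsecurity chroot restrictions remain disabled after the build finishes rather than only for the duration of the catalyst run; tools-hardened/common.sh carries the same function. The function at least deserves a header comment stating that it relaxes host-wide kernel hardening for the catalyst chroot and is not reverted, and a companion that records each sysctl's original value before zeroing it and restores it from an EXIT trap in run.sh would close the gap. The write itself should quote its target: `echo 0 > "$i"`.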
diff --git a/tools-systemd/run.sh b/tools-systemd/run.sh
new file mode 100755
index 00000000..064700fb
--- /dev/null
+++ b/tools-systemd/run.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+source common.sh
+
+prepare_confs() {
+ local arch=$1
+
+ for s in 1 2 3; do
+
+ local cstage=stage${s}
+ local p=$(( s - 1 ))
+ [[ $p == 0 ]] && p=3
+ local pstage=stage${p}
+
+ local parch="${arch}"
+ [[ "${arch}" == "i686" ]] && parch="x86"
+
+ cat stage-all.conf.template | \
+ sed -e "s:\(^version_stamp.*$\):\1-${mydate}:" \
+ -e "s:CSTAGE:${cstage}:g" \
+ -e "s:PSTAGE:${pstage}:g" \
+ -e "s:SARCH:${arch}:g" \
+ -e "s:PARCH:${parch}:g" \
+ > stage${s}-${arch}-systemd.conf
+ done
+}
+
+
+main() {
+ >zzz.log
+
+ undo_grsec
+
+ catalyst -s current | tee -a zzz.log >snapshot.log 2>snapshot.err
+
+ for arch in amd64 i686; do
+ prepare_confs ${arch}
+ done
+
+ # The parallelization `( do_stages ... ) &` doesn't work here
+ # if catalyst is using snapcache, bug #519656
+ for arch in amd64 i686; do
+ (
+ do_stages ${arch}
+ [[ $? == 1 ]] && echo "FAILURE at ${arch}" | tee zzz.log
+ ) &
+ done
+}
+
+main $1 &
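Review bot: In `main`, the failure branch `[[ $? == 1 ]] && echo "FAILURE at ${arch}" | tee zzz.log` uses `tee` without `-a`, so the first architecture that fails truncates zzz.log and discards everything the snapshot and stage runs appended to it, which is precisely the log needed to diagnose that failure; it should read `tee -a zzz.log`, matching every other write to zzz.log in this file and in common.sh. The comment above that loop says the `( do_stages ... ) &` fan-out does not work when catalyst uses snapcache (bug #519656), yet the loop still backgrounds each arch and `main $1 &` backgrounds main itself with no `wait` anywhere, so the script returns immediately and its exit status never reflects a failed stage; if fire-and-forget is intended, a comment should say so, otherwise add `wait` after the loop and drop the trailing `&`. `$1` is passed to `main` but never read. The `catalyst -s current` line has the same misplaced `2>` as common.sh: the redirect applies to tee, so catalyst's own errors do not reach snapshot.err.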
diff --git a/tools-systemd/stage-all.conf.template b/tools-systemd/stage-all.conf.template
new file mode 100644
index 00000000..5e4cb39f
--- /dev/null
+++ b/tools-systemd/stage-all.conf.template
@@ -0,0 +1,7 @@
+subarch: SARCH
+target: CSTAGE
+version_stamp: systemd
+rel_type: systemd/SARCH
+profile: default/linux/PARCH/13.0/systemd
+snapshot: current
+source_subpath: systemd/SARCH/PSTAGE-SARCH-systemd