diff --git a/.gitignore b/.gitignore index bf0eb21f7..0c6c86a01 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ # Folders _obj _test +rootfs # Architecture specific extensions/prefixes *.[568vq] diff --git a/Makefile b/Makefile index 4dd93ae55..c7a922737 100644 --- a/Makefile +++ b/Makefile @@ -8,5 +8,30 @@ all: install: cp ocitools /usr/local/bin/ocitools +rootfs.tar.gz: rootfs/bin/echo + tar -czf $@ -C rootfs . + +rootfs/bin/busybox: downloads/stage3-amd64-current.tar.bz2 rootfs-files + gpg --verify $<.DIGESTS.asc + (cd downloads && \ + grep -A1 '^# SHA512 HASH' stage3-amd64-current.tar.bz2.DIGESTS.asc | \ + grep -v '^--' | \ + sha512sum -c) + sudo rm -rf rootfs + sudo mkdir rootfs + sudo tar -xvf downloads/stage3-amd64-current.tar.bz2 -C rootfs \ + --no-recursion --wildcards $$(< rootfs-files) + sudo touch $@ + +rootfs/bin/echo: rootfs/bin/busybox + sudo sh -c 'for COMMAND in $$($< --list); do \ + ln -rs $< "rootfs/bin/$${COMMAND}"; \ + done' + +downloads/stage3-amd64-current.tar.bz2: get-stage3.sh + ./$< + touch downloads/stage3-amd64-*.tar.bz2 + clean: - rm ocitools runtimetest + rm -f ocitools runtimetest downloads/* + sudo rm -rf rootfs diff --git a/README.md b/README.md index 8c77ba330..5a8fb59d2 100644 --- a/README.md +++ b/README.md 
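Review bot: In the Makefile's `rootfs/bin/busybox` recipe, `gpg --verify $<.DIGESTS.asc` succeeds for a good signature from any key in the caller's keyring, and the `grep -A1 '^# SHA512 HASH'` that follows reads the raw `.asc` file, so lines outside the signed region would also reach `sha512sum -c`. Verifying with a dedicated keyring that holds only the Gentoo release key (`gpg --no-default-keyring --keyring <releng-keyring> ...`, pinned by full fingerprint rather than the short ID `2D182910` the README uses) and grepping the payload written by a separate `gpg --output <verified-digests> --decrypt $<.DIGESTS.asc` recipe line would tie the hashes to the signature. `$$(< rootfs-files)` is a bash construct; unless `SHELL` is set to bash outside this hunk, `/bin/sh` may expand it to nothing and `sudo tar` would then unpack the whole stage3 as root, so `$$(cat rootfs-files)` is the safer spelling. The `rootfs/bin/echo` recipe also executes the downloaded `busybox --list` inside `sudo sh -c`; running the listing unprivileged and keeping only `ln` under `sudo` avoids running the fetched binary as root.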
@@ -75,3 +75,41 @@ VALIDATING RUNTIME: runc Runtime runc passed validation ``` + +Building `rootfs.tar.gz` +------------------------ + +The root filesystem tarball is based on [Gentoo][]'s [amd64 +stage3][stage3-amd64] (which we check for a valid GnuPG +signature][gentoo-signatures]), copying a [minimal +subset](rootfs-files) to the root filesytem, and adding symlinks for +all BusyBox commands. To rebuild the tarball based on a newer stage3, +just run: + +``` +$ touch get-stage3.sh +$ make rootfs.tar.gz +``` + +### Getting Gentoo's Release Engineering public key + +If `make rootfs.tar.gz` gives an error like: + +``` +gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc +gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910 +gpg: Can't check signature: public key not found +``` + +you will need to [add the missing public key to your +keystore][gentoo-signatures]. One way to do that is by [asking a +keyserver][recv-keys]: + +``` +$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910 +``` + +[Gentoo]: https://www.gentoo.org/ +[stage3-amd64]: http://distfiles.gentoo.org/releases/amd64/autobuilds/ +[gentoo-signatures]: https://www.gentoo.org/downloads/signatures/ +[recv-keys]: https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html diff --git a/downloads/.gitignore b/downloads/.gitignore new file mode 100644 index 000000000..72e8ffc0d --- /dev/null +++ b/downloads/.gitignore @@ -0,0 +1 @@ +* diff --git a/get-stage3.sh b/get-stage3.sh new file mode 100755 index 000000000..0a0d0acea --- /dev/null +++ b/get-stage3.sh 
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# Download the current Gentoo stage3
+#
+# Copyright (C) 2014-2015 W. Trevor King
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MIRROR="${MIRROR:-http://distfiles.gentoo.org/}"
+BASE_ARCH_URL="${BASE_ARCH_URL:-${MIRROR}releases/amd64/autobuilds/}"
+LATEST=$(wget -O - "${BASE_ARCH_URL}latest-stage3.txt")
+DATE=$(echo "${LATEST}" | sed -n 's|/stage3-amd64-[0-9]*[.]tar[.]bz2.*||p')
+ARCH_URL="${ARCH_URL:-${BASE_ARCH_URL}${DATE}/}"
+STAGE3="${STAGE3:-stage3-amd64-${DATE}.tar.bz2}"
+STAGE3_CONTENTS="${STAGE3_CONTENTS:-${STAGE3}.CONTENTS}"
+STAGE3_DIGESTS="${STAGE3_DIGESTS:-${STAGE3}.DIGESTS.asc}"
+
+die()
+{
+ echo "$1"
+ exit 1
+}
+
+for FILE in "${STAGE3}" "${STAGE3_CONTENTS}" "${STAGE3_DIGESTS}"; do
+ if [ ! -f "downloads/${FILE}" ]; then
+ wget -O "downloads/${FILE}" "${ARCH_URL}${FILE}"
+ if [ "$?" -ne 0 ]; then
+ rm -f "downloads/${FILE}" &&
+ die "failed to download ${ARCH_URL}${FILE}"
+ fi
+ fi
+
+ CURRENT="${FILE/${DATE}/current}"
+ (
+ cd downloads &&
+ rm -f "${CURRENT}" &&
+ ln -s "${FILE}" "${CURRENT}" ||
+ die "failed to link ${CURRENT} -> ${FILE}"
+ )
+done
+
diff --git a/rootfs-files b/rootfs-files
new file mode 100644
index 000000000..319a0f5f1
--- /dev/null
+++ b/rootfs-files
@@ -0,0 +1,3 @@
+./bin/busybox
+./etc/group
+./etc/passwd
diff --git a/rootfs.tar.gz b/rootfs.tar.gz
index ac4e9536e..0f460aee4 100644
Binary files a/rootfs.tar.gz and b/rootfs.tar.gz differ
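Review bot: In get-stage3.sh, `DATE` is parsed from `latest-stage3.txt`, which is fetched over plain `http://` with no check that `wget` succeeded, and is then used unvalidated in the download URL and in the `downloads/` file names. The signature check in the Makefile covers the tarball's content but not which release gets selected, so an empty or unexpected value should stop the script at this point; the fence adds a fetch check and an all-digits test (assuming the directory name is the same date the file-name pattern already requires), and an `https://` default for `MIRROR` is worth considering. Two further defects sit in the loop: `${FILE/${DATE}/current}` is a bash expansion under `#!/bin/sh`, and `die` inside the `( … )` subshell only exits the subshell, so a failed link does not stop the script.

```sh
die()
{
	echo "$1" >&2
	exit 1
}

# … unchanged: MIRROR / BASE_ARCH_URL defaults …
LATEST=$(wget -O - "${BASE_ARCH_URL}latest-stage3.txt") ||
	die "failed to fetch ${BASE_ARCH_URL}latest-stage3.txt"
DATE=$(echo "${LATEST}" | sed -n 's|/stage3-amd64-[0-9]*[.]tar[.]bz2.*||p')
case "${DATE}" in
	''|*[!0-9]*) die "unexpected stage3 date: ${DATE}" ;;
esac
# … unchanged: ARCH_URL / STAGE3* defaults, download part of the loop …
	CURRENT=$(echo "${FILE}" | sed "s/${DATE}/current/")
	(
		cd downloads &&
		rm -f "${CURRENT}" &&
		ln -s "${FILE}" "${CURRENT}"
	) || die "failed to link ${CURRENT} -> ${FILE}"
```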