Merge pull request #205 from palainp/update-saltscript
Update the salt script
commit
9fe27016ab
8
.github/workflows/docker.yml
vendored
8
.github/workflows/docker.yml
vendored
@ -19,14 +19,14 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- run: ./build-with.sh docker
|
||||
|
||||
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||
- run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||
|
||||
- name: Upload Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: mirage-firewall.tar.bz2
|
||||
path: mirage-firewall.tar.bz2
|
||||
name: qubes-firewall.xen
|
||||
path: qubes-firewall.xen
|
||||
|
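Review bot: The new verification step compares the whole `sha256sum` output line (digest plus path) with the raw contents of `qubes-firewall.sha256` inside `[ … = … ]`, so a difference in the whitespace between digest and path, or an extra entry in that file, fails the job even when the digest is correct. `sha256sum` can check a recorded checksum file itself: `- run: sha256sum -c qubes-firewall.sha256` exits non-zero on a mismatch and names the file it checked. The same step appears in `.github/workflows/podman.yml`. The `steps:` list starts above this hunk.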
8
.github/workflows/podman.yml
vendored
8
.github/workflows/podman.yml
vendored
@ -19,14 +19,14 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- run: ./build-with.sh podman
|
||||
|
||||
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||
- run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||
|
||||
- name: Upload Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: mirage-firewall.tar.bz2
|
||||
path: mirage-firewall.tar.bz2
|
||||
name: qubes-firewall.xen
|
||||
path: qubes-firewall.xen
|
||||
|
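Review bot: Both actions in this job are referenced by a mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v3`), and the commit moves checkout forward while leaving the artifact upload on v3. Because this workflow is the reproducibility gate for the firewall image, pinning each action to a full commit SHA with the tag kept as a trailing comment stops the job from changing when a tag is moved, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The upload step is worth moving to the current major version in the same change, as v3 of the artifact actions has been deprecated by GitHub. `.github/workflows/docker.yml` carries the same two `uses:` lines.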
@ -32,4 +32,4 @@ WORKDIR /tmp/orb-build
|
||||
CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
|
||||
opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
|
||||
mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
|
||||
&& make depend && make tar'
|
||||
&& make depend && make unikernel'
|
||||
|
@ -1,13 +1,8 @@
|
||||
tar: build
|
||||
rm -rf _build/mirage-firewall
|
||||
mkdir _build/mirage-firewall
|
||||
unikernel: build
|
||||
cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
|
||||
strip dist/qubes-firewall.xen
|
||||
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
|
||||
touch _build/mirage-firewall/modules.img
|
||||
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
||||
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
|
||||
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
|
||||
cp dist/qubes-firewall.xen .
|
||||
sha256sum qubes-firewall.xen
|
||||
|
||||
fetchmotron: qubes_firewall.xen
|
||||
test-mirage qubes_firewall.xen mirage-fw-test &
|
||||
|
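Review bot: The `unikernel` recipe ends with `sha256sum qubes-firewall.xen`, which prints the digest followed by the path `qubes-firewall.xen`, while the checksum files added in this commit record the path as `dist/qubes-firewall.xen` and the CI step compares the full line. Output copied from a local `make unikernel` into `qubes-firewall.sha256` would therefore not match in CI; printing `sha256sum dist/qubes-firewall.xen` instead keeps the two formats identical. `unikernel` names an action rather than a file the recipe creates, so it would also belong in a `.PHONY` declaration if the Makefile has one outside this hunk.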
@ -10,13 +10,14 @@
|
||||
{% set DownloadVM = "DownloadVmMirage" %}
|
||||
{% set MirageFW = "sys-mirage-fw" %}
|
||||
{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
|
||||
{% set Filename = "mirage-firewall.tar.bz2" %}
|
||||
{% set Kernel = "qubes-firewall.xen" %}
|
||||
{% set Shasum = "qubes-firewall-release.sha256" %}
|
||||
{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
|
||||
|
||||
#download and install the latest version
|
||||
{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %}
|
||||
|
||||
{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %}
|
||||
{% if Release != salt['cmd.shell']("test -e " ~ MirageInstallDir ~ "/version.txt" ~ " || mkdir " ~ MirageInstallDir ~ " ; touch " ~ MirageInstallDir ~ "/version.txt" ~ " ; cat " ~ MirageInstallDir ~ "/version.txt") %}
|
||||
|
||||
create-downloader-VM:
|
||||
qvm.vm:
|
||||
@ -28,13 +29,14 @@ create-downloader-VM:
|
||||
- template: {{ DownloadVMTemplate }}
|
||||
- include-in-backups: false
|
||||
|
||||
{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
|
||||
{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %}
|
||||
{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %}
|
||||
|
||||
download-and-unpack-in-DownloadVM4mirage:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }}
|
||||
- require:
|
||||
- create-downloader-VM
|
||||
|
||||
@ -42,23 +44,22 @@ download-and-unpack-in-DownloadVM4mirage:
|
||||
check-checksum-in-DownloadVM:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }}
|
||||
- require:
|
||||
- download-and-unpack-in-DownloadVM4mirage
|
||||
|
||||
copy-mirage-kernel-to-dom0:
|
||||
cmd.run:
|
||||
- name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
|
||||
- name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} {{ "cat " ~ Kernel }} > {{ MirageInstallDir ~ "/vmlinuz" }}
|
||||
- require:
|
||||
- download-and-unpack-in-DownloadVM4mirage
|
||||
- check-checksum-in-DownloadVM
|
||||
|
||||
create-initramfs:
|
||||
update-version:
|
||||
cmd.run:
|
||||
- names:
|
||||
- gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }}
|
||||
- echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }}
|
||||
- require:
|
||||
- copy-mirage-kernel-to-dom0
|
||||
@ -90,9 +91,9 @@ create-sys-mirage-fw:
|
||||
cleanup-in-DownloadVM:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
|
||||
- qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}"
|
||||
- require:
|
||||
- create-initramfs
|
||||
- update-version
|
||||
|
||||
remove-DownloadVM4mirage:
|
||||
qvm.absent:
|
||||
|
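Review bot: In `check-checksum-in-DownloadVM` the expected digest now comes from `DownloadShasum`, which is fetched from the same release URL as the kernel it is meant to vouch for, so the `diff` only detects a corrupted download and says nothing about a release whose assets were replaced together. The comparison also runs inside `DownloadVM`, and `copy-mirage-kernel-to-dom0` then installs whatever `cat` returns without hashing the bytes that were actually received. I would at least record the limit next to the check, `# NOTE: checksum and kernel share one origin; this detects corruption, not a tampered release`, and prefer an expected digest that arrives through an authenticated channel (for example a signed tag of the repository), compared against the copied `vmlinuz`. Separately, `Release` is derived from DispVM output and interpolated into these command lines, so it should be validated against a strict version pattern before use.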
@ -19,6 +19,7 @@ echo Building $builder image with dependencies..
|
||||
$builder build -t qubes-mirage-firewall .
|
||||
echo Building Firewall...
|
||||
$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
|
||||
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
||||
echo "SHA2 last known: 78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc"
|
||||
echo "(hashes should match for released versions)"
|
||||
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)"
|
||||
echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)"
|
||||
echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)"
|
||||
echo "(hashes should match for head versions)"
|
||||
|
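Review bot: The three new `echo` lines print the build digest next to the recorded ones and leave the comparison to the reader, so a mismatch goes unnoticed unless someone compares 64 hex characters by eye. Adding an explicit check after them makes the result visible: `sha256sum -c qubes-firewall.sha256 || echo "WARNING: build does not match qubes-firewall.sha256"`. If `./dist/qubes-firewall.xen` is missing because the container build failed, the first line still prints an empty digest; whether the script stops earlier depends on error handling outside this hunk.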
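--- a/qubes-firewall-release.sha256
+++ b/qubes-firewall-release.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen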
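--- a/qubes-firewall.sha256
+++ b/qubes-firewall.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen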