From 16a50aad9bc56ab11ea9df5ff22934187ea285e2 Mon Sep 17 00:00:00 2001
From: Pierre Alain
Date: Tue, 26 Dec 2023 11:12:06 +0100
Subject: [PATCH] allow podman as building system
---
 .github/workflows/{main.yml => docker.yml} | 4 +--
 .github/workflows/podman.yml | 32 +++++++++++++++++++
 Makefile.user | 2 +-
 README.md | 25 +++++++++------
 ...ownloadAndInstallMirageFirewallInQubes.sls | 4 +--
 build-with-docker.sh | 9 ------
 build-with.sh | 24 ++++++++++++++
 7 files changed, 77 insertions(+), 23 deletions(-)
 rename .github/workflows/{main.yml => docker.yml} (72%)
 create mode 100644 .github/workflows/podman.yml
 delete mode 100755 build-with-docker.sh
 create mode 100755 build-with.sh
diff --git a/.github/workflows/main.yml b/.github/workflows/docker.yml
similarity index 72%
rename from .github/workflows/main.yml
rename to .github/workflows/docker.yml
index 148d4e3..53b3324 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/docker.yml
@@ -21,9 +21,9 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v2
- - run: ./build-with-docker.sh
+ - run: ./build-with.sh docker
- - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with-docker.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+ - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 - name: Upload Artifact
 uses: actions/upload-artifact@v3
diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml
new file mode 100644
index 0000000..fba19eb
--- /dev/null
+++ b/.github/workflows/podman.yml
@@ -0,0 +1,32 @@
+name: Main workflow
+
+on:
+ pull_request:
+ push:
+ schedule:
+ # Prime the caches every Monday
+ - cron: 0 1 * * MON
+
+jobs:
+ build:
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-latest
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - run: ./build-with.sh podman
+
+ - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: mirage-firewall.tar.bz2
+ path: mirage-firewall.tar.bz2
diff --git a/Makefile.user b/Makefile.user
index c8a1d5d..00890f6 100644
--- a/Makefile.user
+++ b/Makefile.user
@@ -6,7 +6,7 @@ tar: build
 cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
 touch _build/mirage-firewall/modules.img
 cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
- tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall
+ tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
 sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
 fetchmotron: qubes_firewall.xen
diff --git a/README.md b/README.md
index aa9d594..27a7107 100644
--- a/README.md
+++ b/README.md
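Review bot: The new podman.yml workflow declares no `permissions:` block, so its job runs with the repository's default GITHUB_TOKEN scope even though the steps only check out the tree, build, and upload an artifact; adding `permissions:` / `  contents: read` at the top level keeps the token read-only. Both third-party actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/upload-artifact@v3`), so the code that runs with that token can change without a commit to this repository; pinning each `uses:` to a full commit SHA with the tag in a trailing comment makes the action content immutable, and the docker.yml hunk above references the same tags. The file also keeps `name: Main workflow`; if docker.yml carries that name too (not visible in this hunk), the two workflows become indistinguishable in the Actions UI and in branch-protection status checks, so a distinct name such as `name: Podman build` would be clearer.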
@@ -13,13 +13,13 @@ See the [Deploy](#deploy) section below for installation instructions. ## Build from source -Note: The most reliable way to build is using Docker. +Note: The most reliable way to build is using Docker or Podman. Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker (don't use Debian's version). Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal. -Clone this Git repository and run the `build-with-docker.sh` script (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir): +Clone this Git repository and run the `build-with.sh` script with either `docker` or `podman` as argument (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir): mkdir /home/user/docker sudo ln -s /home/user/docker /var/lib/docker 
@@ -28,23 +28,30 @@ Clone this Git repository and run the `build-with-docker.sh` script (Note: The ` sudo systemctl start docker git clone https://github.com/mirage/qubes-mirage-firewall.git cd qubes-mirage-firewall - sudo ./build-with-docker.sh + sudo ./build-with.sh docker + +Or + + sudo systemctl start podman + git clone https://github.com/mirage/qubes-mirage-firewall.git + cd qubes-mirage-firewall + ./build-with.sh podman This took about 15 minutes on my laptop (it will be much quicker if you run it again). -The symlink step at the start isn't needed if your build VM is standalone. -It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube. +The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube. +It's not needed with Podman as the containers lives in your home directory by default. Note: the object files are stored in the `_build` directory to speed up incremental builds. If you change the dependencies, you will need to delete this directory before rebuilding. -It's OK to install the Docker package in a template VM if you want it to remain +It's OK to install the Docker or Podman package in a template VM if you want it to remain after a reboot, but the build of the firewall itself should be done in a regular AppVM. -You can also build without Docker, as for any normal Mirage unikernel; +You can also build without that script, as for any normal Mirage unikernel; see [the Mirage installation instructions](https://mirage.io/wiki/install) for details. -The Docker build fixes the versions of the libraries it uses, ensuring that you will get -exactly the same binary that is in the release. If you build without Docker, it will build +The build script fixes the versions of the libraries it uses, ensuring that you will get +exactly the same binary that is in the release. 
If you build without it, it will build against the latest versions instead (and the hash will therefore probably not match). However, it should still work fine. diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls index 3f932c9..4a6641d 100644 --- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls 
@@ -42,9 +42,9 @@ download-and-unpack-in-DownloadVM4mirage:
 check-checksum-in-DownloadVM:
 cmd.run:
 - names:
- - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
+ - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
 - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
- - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
+ - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
 - require:
 - download-and-unpack-in-DownloadVM4mirage
diff --git a/build-with-docker.sh b/build-with-docker.sh
deleted file mode 100755
index 8daa1b0..0000000
--- a/build-with-docker.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-set -eu
-echo Building Docker image with dependencies..
-docker build -t qubes-mirage-firewall .
-echo Building Firewall...
-docker run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
-echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
-echo "(hashes should match for released versions)"
diff --git a/build-with.sh b/build-with.sh
new file mode 100755
index 0000000..712b012
--- /dev/null
+++ b/build-with.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -eu
+
+if [[ $# -ne 1 ]] ; then
+ echo "Usage: build-with.sh { docker | podman }"
+ exit 1
+fi
+
+builder=$1
+case $builder in
+ docker|podman)
+ ;;
+ *)
+ echo "You should use either docker or podman for building"
+ exit 2
+esac
+
+echo Building $builder image with dependencies..
+$builder build -t qubes-mirage-firewall .
+echo Building Firewall...
+$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
+echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
+echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
+echo "(hashes should match for released versions)"
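Review bot: The argument-count guard at the top of the new build-with.sh uses `[[ ... ]]`, a bash/ksh construct, under a `#!/bin/sh` shebang; where /bin/sh is dash (Debian, Ubuntu, and so the ubuntu-latest runners that call this script) `[[` is an unknown command, the `if` test simply fails rather than aborting, and a missing argument only surfaces later as an unbound-variable error from `set -u` at `builder=$1`. The POSIX form `if [ "$#" -ne 1 ] ; then` behaves the same under every sh. The `case` clause restricts `$builder` to docker or podman before the unquoted `$builder build` / `$builder run` expansions, so those are fine, but the bind mount `-v \`pwd\`:/tmp/orb-build:Z` is still word-split if the checkout path contains whitespace; `-v "$(pwd)":/tmp/orb-build:Z` avoids that.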