mirror of
https://github.com/mirage/qubes-mirage-firewall.git
synced 2024-10-01 01:05:39 -04:00
Merge pull request #191 from palainp/podman
allow podman as building system
This commit is contained in:
commit
b318fabd43
@ -21,9 +21,9 @@ jobs:
|
|||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- run: ./build-with-docker.sh
|
- run: ./build-with.sh docker
|
||||||
|
|
||||||
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with-docker.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||||
|
|
||||||
- name: Upload Artifact
|
- name: Upload Artifact
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@v3
|
32
.github/workflows/podman.yml
vendored
Normal file
32
.github/workflows/podman.yml
vendored
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
name: Main workflow
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
push:
|
||||||
|
schedule:
|
||||||
|
# Prime the caches every Monday
|
||||||
|
- cron: 0 1 * * MON
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
os:
|
||||||
|
- ubuntu-latest
|
||||||
|
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- run: ./build-with.sh podman
|
||||||
|
|
||||||
|
- run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
|
||||||
|
|
||||||
|
- name: Upload Artifact
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
|
with:
|
||||||
|
name: mirage-firewall.tar.bz2
|
||||||
|
path: mirage-firewall.tar.bz2
|
@ -6,7 +6,7 @@ tar: build
|
|||||||
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
|
cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
|
||||||
touch _build/mirage-firewall/modules.img
|
touch _build/mirage-firewall/modules.img
|
||||||
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
||||||
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall
|
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
|
||||||
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
|
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
|
||||||
|
|
||||||
fetchmotron: qubes_firewall.xen
|
fetchmotron: qubes_firewall.xen
|
||||||
|
25
README.md
25
README.md
@ -13,13 +13,13 @@ See the [Deploy](#deploy) section below for installation instructions.
|
|||||||
|
|
||||||
## Build from source
|
## Build from source
|
||||||
|
|
||||||
Note: The most reliable way to build is using Docker.
|
Note: The most reliable way to build is using Docker or Podman.
|
||||||
Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
|
Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
|
||||||
(don't use Debian's version).
|
(don't use Debian's version).
|
||||||
|
|
||||||
Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal.
|
Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal.
|
||||||
|
|
||||||
Clone this Git repository and run the `build-with-docker.sh` script (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir):
|
Clone this Git repository and run the `build-with.sh` script with either `docker` or `podman` as argument (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir):
|
||||||
|
|
||||||
mkdir /home/user/docker
|
mkdir /home/user/docker
|
||||||
sudo ln -s /home/user/docker /var/lib/docker
|
sudo ln -s /home/user/docker /var/lib/docker
|
||||||
@ -28,23 +28,30 @@ Clone this Git repository and run the `build-with-docker.sh` script (Note: The `
|
|||||||
sudo systemctl start docker
|
sudo systemctl start docker
|
||||||
git clone https://github.com/mirage/qubes-mirage-firewall.git
|
git clone https://github.com/mirage/qubes-mirage-firewall.git
|
||||||
cd qubes-mirage-firewall
|
cd qubes-mirage-firewall
|
||||||
sudo ./build-with-docker.sh
|
sudo ./build-with.sh docker
|
||||||
|
|
||||||
|
Or
|
||||||
|
|
||||||
|
sudo systemctl start podman
|
||||||
|
git clone https://github.com/mirage/qubes-mirage-firewall.git
|
||||||
|
cd qubes-mirage-firewall
|
||||||
|
./build-with.sh podman
|
||||||
|
|
||||||
This took about 15 minutes on my laptop (it will be much quicker if you run it again).
|
This took about 15 minutes on my laptop (it will be much quicker if you run it again).
|
||||||
The symlink step at the start isn't needed if your build VM is standalone.
|
The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.
|
||||||
It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.
|
It's not needed with Podman as the containers lives in your home directory by default.
|
||||||
|
|
||||||
Note: the object files are stored in the `_build` directory to speed up incremental builds.
|
Note: the object files are stored in the `_build` directory to speed up incremental builds.
|
||||||
If you change the dependencies, you will need to delete this directory before rebuilding.
|
If you change the dependencies, you will need to delete this directory before rebuilding.
|
||||||
|
|
||||||
It's OK to install the Docker package in a template VM if you want it to remain
|
It's OK to install the Docker or Podman package in a template VM if you want it to remain
|
||||||
after a reboot, but the build of the firewall itself should be done in a regular AppVM.
|
after a reboot, but the build of the firewall itself should be done in a regular AppVM.
|
||||||
|
|
||||||
You can also build without Docker, as for any normal Mirage unikernel;
|
You can also build without that script, as for any normal Mirage unikernel;
|
||||||
see [the Mirage installation instructions](https://mirage.io/wiki/install) for details.
|
see [the Mirage installation instructions](https://mirage.io/wiki/install) for details.
|
||||||
|
|
||||||
The Docker build fixes the versions of the libraries it uses, ensuring that you will get
|
The build script fixes the versions of the libraries it uses, ensuring that you will get
|
||||||
exactly the same binary that is in the release. If you build without Docker, it will build
|
exactly the same binary that is in the release. If you build without it, it will build
|
||||||
against the latest versions instead (and the hash will therefore probably not match).
|
against the latest versions instead (and the hash will therefore probably not match).
|
||||||
However, it should still work fine.
|
However, it should still work fine.
|
||||||
|
|
||||||
|
@ -42,9 +42,9 @@ download-and-unpack-in-DownloadVM4mirage:
|
|||||||
check-checksum-in-DownloadVM:
|
check-checksum-in-DownloadVM:
|
||||||
cmd.run:
|
cmd.run:
|
||||||
- names:
|
- names:
|
||||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
|
||||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
|
||||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
|
||||||
- require:
|
- require:
|
||||||
- download-and-unpack-in-DownloadVM4mirage
|
- download-and-unpack-in-DownloadVM4mirage
|
||||||
|
|
||||||
|
@ -1,9 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
set -eu
|
|
||||||
echo Building Docker image with dependencies..
|
|
||||||
docker build -t qubes-mirage-firewall .
|
|
||||||
echo Building Firewall...
|
|
||||||
docker run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
|
|
||||||
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
|
||||||
echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
|
|
||||||
echo "(hashes should match for released versions)"
|
|
24
build-with.sh
Executable file
24
build-with.sh
Executable file
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
if [[ $# -ne 1 ]] ; then
|
||||||
|
echo "Usage: build-with.sh { docker | podman }"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
builder=$1
|
||||||
|
case $builder in
|
||||||
|
docker|podman)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "You should use either docker or podman for building"
|
||||||
|
exit 2
|
||||||
|
esac
|
||||||
|
|
||||||
|
echo Building $builder image with dependencies..
|
||||||
|
$builder build -t qubes-mirage-firewall .
|
||||||
|
echo Building Firewall...
|
||||||
|
$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
|
||||||
|
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
||||||
|
echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
|
||||||
|
echo "(hashes should match for released versions)"
|
Loading…
Reference in New Issue
Block a user