From de9a6ccc86c525a3dbe290f2f5984e18af7e97d5 Mon Sep 17 00:00:00 2001
From: Pierre Alain
Date: Thu, 17 Oct 2024 07:45:42 +0200
Subject: [PATCH] WIP: update the salt script + releases files
---
 .github/workflows/docker.yml | 2 +-
 .github/workflows/podman.yml | 2 +-
 Dockerfile | 2 +-
 Makefile.user | 11 +++--------
 ...DownloadAndInstallMirageFirewallInQubes.sls | 18 ++++++++++--------
 build-with.sh | 7 ++++---
 qubes-firewall-release.sha256 | 1 +
 qubes-firewall.sha256 | 1 +
 8 files changed, 22 insertions(+), 22 deletions(-)
 create mode 100644 qubes-firewall-release.sha256
 create mode 100644 qubes-firewall.sha256
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 53b3324..fdf17d7 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -23,7 +23,7 @@ jobs:
 - run: ./build-with.sh docker
- - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+ - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 - name: Upload Artifact
 uses: actions/upload-artifact@v3
diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml
index fba19eb..f8f8c3f 100644
--- a/.github/workflows/podman.yml
+++ b/.github/workflows/podman.yml
@@ -23,7 +23,7 @@ jobs:
 - run: ./build-with.sh podman
- - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+ - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 - name: Upload Artifact
 uses: actions/upload-artifact@v3
diff --git a/Dockerfile b/Dockerfile
index 2c2f732..edf9e96 100644
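Review bot: The new comparison `[ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]` word-splits both substitutions, because sha256sum and the checked-in file both emit `<digest> <path>`, so `[` receives five operands, reports "too many arguments", and the step always takes the `exit 42` branch. Compare only the digest field, `if [ "$(sha256sum dist/qubes-firewall.xen | cut -d" " -f1)" = "$(cut -d" " -f1 qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi`, or, if the file keeps sha256sum's own two-space format, let `sha256sum -c qubes-firewall.sha256` do both the comparison and the exit status. The identical line is added in the podman.yml hunk and needs the same change.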
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,4 +32,4 @@ WORKDIR /tmp/orb-build
 CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
 opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
 mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
-&& make depend && make tar'
+&& make depend && make unikernel'
diff --git a/Makefile.user b/Makefile.user
index 00890f6..7188982 100644
--- a/Makefile.user
+++ b/Makefile.user
@@ -1,13 +1,8 @@
-tar: build
rm -rf _build/mirage-firewall
mkdir _build/mirage-firewall
+unikernel: build
 cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
 strip dist/qubes-firewall.xen
- cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
- touch _build/mirage-firewall/modules.img
- cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
- tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
- sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
+ cp dist/qubes-firewall.xen .
+ sha256sum qubes-firewall.xen
 fetchmotron: qubes_firewall.xen
 test-mirage qubes_firewall.xen mirage-fw-test &
diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
index dc83f20..cfb4a0e 100644
--- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
+++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
@@ -10,7 +10,8 @@
 {% set DownloadVM = "DownloadVmMirage" %}
 {% set MirageFW = "sys-mirage-fw" %}
 {% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
-{% set Filename = "mirage-firewall.tar.bz2" %}
+{% set Kernel = "qubes-firewall.xen" %}
+{% set Shasum = "qubes-firewall-release.sha256" %}
 {% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
 #download and install the latest version
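Review bot: `unikernel` never creates a file of that name and, like the `tar` rule it replaces, is not declared phony, so a stray file called `unikernel` in the checkout would make the rule silently up to date; add `.PHONY: unikernel` beside the rule. The last recipe line, `sha256sum qubes-firewall.xen`, only prints to stdout, whereas the CI workflows and build-with.sh in this commit compare against the checked-in `qubes-firewall.sha256`, whose recorded path is `dist/qubes-firewall.xen`; nothing in the build refreshes that file, so it is only as current as its last manual edit. That is the safer design (a recipe that rewrote the reference file would make the CI comparison vacuous), but it should be stated above the rule, e.g. `# qubes-firewall.sha256 is the reference digest, maintained by hand; this rule only prints the digest of the stripped build for comparison`. The Makefile.user hunk ends at the `fetchmotron` recipe, whose remaining lines are outside it.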
@@ -28,13 +29,14 @@ create-downloader-VM:
 - template: {{ DownloadVMTemplate }}
 - include-in-backups: false
-{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
+{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %}
+{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %}
 download-and-unpack-in-DownloadVM4mirage:
 cmd.run:
 - names:
 - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }}
- - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
+ - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }}
 - require:
 - create-downloader-VM
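Review bot: `curl -L -O` without `-f` saves the HTTP error body under the asset name and still exits 0 when the chosen `Release` has no `qubes-firewall.xen` or `qubes-firewall-release.sha256` attached, so a wrong release tag only surfaces later as a checksum mismatch; use `curl -fL -O` on both download lines so the state fails at the download step with the HTTP status. The state id `download-and-unpack-in-DownloadVM4mirage` no longer unpacks anything; if it is renamed, every `- require:` that names it in the later hunks must follow. The `create-downloader-VM` state whose tail opens this hunk begins above it.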
@@ -42,15 +44,15 @@ download-and-unpack-in-DownloadVM4mirage:
 check-checksum-in-DownloadVM:
 cmd.run:
 - names:
- - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
- - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
- - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
+ - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }}
+ - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }}
+ - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }}
 - require:
 - download-and-unpack-in-DownloadVM4mirage
 copy-mirage-kernel-to-dom0:
 cmd.run:
- - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
+ - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat " ~ Kernel > {{ MirageInstallDir ~ "/" ~ Kernel }}
 - require:
 - download-and-unpack-in-DownloadVM4mirage
 - check-checksum-in-DownloadVM
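Review bot: In `copy-mirage-kernel-to-dom0` the new `"cat " ~ Kernel` is outside any `{{ }}`, so Jinja never concatenates it: the dom0 shell hands the literal words `"cat "`, `~` and `Kernel` to qvm-run, and the redirection leaves an empty or truncated file in `{{ MirageInstallDir }}`; write `"cat {{ Kernel }}"` as the removed line did with its literal path. The removed Makefile and Salt lines installed the kernel as `vmlinuz` inside the vm-kernels directory, which is the name Qubes looks for, so unless the `create-sys-mirage-fw`/`create-initramfs` states outside this hunk were changed to match, the redirection target should stay `{{ MirageInstallDir ~ "/vmlinuz" }}` rather than `"/" ~ Kernel`. The digest is now fetched from the same release page as the binary, so `check-checksum-in-DownloadVM` catches a corrupted download but not a substituted release asset and its matching `.sha256`; either a comment stating that scope, or pinning the expected digest beside `Release` in the state, would make the guarantee explicit.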
@@ -90,7 +92,7 @@ create-sys-mirage-fw:
 cleanup-in-DownloadVM:
 cmd.run:
 - names:
- - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
+ - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}"
 - require:
 - create-initramfs
diff --git a/build-with.sh b/build-with.sh
index eba233e..728ab1f 100755
--- a/build-with.sh
+++ b/build-with.sh
@@ -19,6 +19,7 @@ echo Building $builder image with dependencies..
 $builder build -t qubes-mirage-firewall .
 echo Building Firewall...
 $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
-echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc"
-echo "(hashes should match for released versions)"
+echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)"
+echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)"
+echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)"
+echo "(hashes should match for head versions)"
diff --git a/qubes-firewall-release.sha256 b/qubes-firewall-release.sha256
new file mode 100644
index 0000000..b89e36f
--- /dev/null
+++ b/qubes-firewall-release.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen
diff --git a/qubes-firewall.sha256 b/qubes-firewall.sha256
new file mode 100644
index 0000000..b89e36f
--- /dev/null
+++ b/qubes-firewall.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen
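Review bot: The two new echo lines read `qubes-firewall.sha256` and `qubes-firewall-release.sha256`, which this commit adds as the same blob (`b89e36f`), so "current head" and "last release" print the same digest until one file is edited by hand; a comment above them should say which file is the reference for which checkout, e.g. `# qubes-firewall.sha256: digest of the main branch build; qubes-firewall-release.sha256: digest of the tagged release; both updated by hand after a reproducible build`. The closing line "(hashes should match for head versions)" still leaves the reader to eyeball three digests; comparing them in the script, `[ "$build" = "$head" ] || echo "WARNING: build digest differs from qubes-firewall.sha256"`, with the three `$( ... )` values stored in variables first, would make a mismatch visible. `$(cat qubes-firewall.sha256 | cut -d' ' -f1)` reads more simply as `$(cut -d' ' -f1 qubes-firewall.sha256)`.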