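#!/bin/bash
# buildscript.sh — privileged bootstrap for a reproducible build environment.
# It re-executes itself through pkexec, gives the invoking user access to the
# YubiKey, installs the pinned Docker snap plus scanning tools, and then runs
# the build itself as that user inside a machinectl session (further down).
#
# Inputs read in this section:
#   PKEXEC_UID    set by pkexec; identifies the invoking (non-root) user
#   ./.identity   REPO= / PROJECT= lines (only used for the asciinema title)
#   ./.pinned_ver sourced as root from the current directory — keep it trusted
# Usage: ~$ pkexec --keep-cwd ./buildscript.sh
# debug="set -x" # uncomment to enable debugging
$debug

# Re-exec through pkexec when we were not started by it. Plain root/sudo is
# refused because PKEXEC_UID (the user everything below is keyed on) is lost.
run_id=$PKEXEC_UID
if [[ -z "$run_id" ]]; then
  if (( EUID == 0 )); then
    echo && echo "DO NOT run with sudo or su root"
    echo "Instead Use: ~\$ 'pkexec --keep-cwd ./buildscript.sh'" && echo
    exit 1
  fi
  echo && echo "Pkexec is required for installation steps"
  echo "Using: ~\$ 'pkexec --keep-cwd ./buildscript.sh'" && echo
  if command -v asciinema >/dev/null 2>&1; then
    # Record the session. The command line is %q-quoted so that arguments
    # containing spaces survive asciinema's single -c string.
    repo=$(grep -m1 -- 'REPO=' .identity | cut -d'=' -f2)
    project=$(grep -m1 -- 'PROJECT=' .identity | cut -d'=' -f2)
    rel_date=$(date +%m-%d-%Y)
    cmd=$(printf '%q ' pkexec --keep-cwd "$0" "$@")
    exec asciinema rec -t "$repo/$project:$rel_date" -c "$cmd"
  fi
  exec pkexec --keep-cwd "$0" "$@"
fi
# Username of the invoking user; used for ACLs, group membership and paths.
run_as=$(id -un "$run_id")

# --- YubiKey access for the invoking user (runs as root) ----------------------
# scdaemon udev rule: add MODE/GROUP for the user so the session below can use
# the card through gpg-agent / gpg-card. Usernames normally contain no sed
# metacharacters, so $run_as is used directly in the replacement.
rules=/lib/udev/rules.d/60-scdaemon.rules
if ! grep -qF -- "$run_as" "$rules"; then
  sed -i "s/\"1050\", ATTR{idProduct}==\"040.\", /&MODE=\"0660\", GROUP=\"$run_as\", /g" "$rules"
  udevadm control --reload-rules && udevadm trigger
fi

# Block until a YubiKey is enumerated; poll once a second rather than spinning.
until lsusb | grep -q Yubikey; do
  printf "\rPlease insert yubikey...\033[K"
  sleep 1
done
sleep 1 && echo

# Hand the raw HID nodes and the USB device node to the user. Only the first
# 1050:0407 device reported by lsusb is used ("Bus BBB Device DDD: ID ...").
chown -- "$run_as:$run_as" /dev/hidraw*
read -r _ BUS _ DEVICE _ < <(lsusb -d 1050:0407)
DEVICE=${DEVICE%:}
if [[ -z "$BUS" || -z "$DEVICE" ]]; then
  echo "No YubiKey (1050:0407) found by lsusb" >&2
  exit 1
fi
# setfacl is attempted twice before giving up; the node path is passed as an
# argument rather than piped through another shell.
usb_node=/dev/bus/usb/$BUS/$DEVICE
setfacl -m "u:$run_as:rw" "$usb_node" \
  || setfacl -m "u:$run_as:rw" "$usb_node" || exit 1

# --- Shared paths (also expanded into the machinectl session below) -----------
home=/home/$run_as                       # assumes the user's home is /home/<user>
run_dir=/run/user/$run_id
data_dir=$home/.local/share
sysusr_path=$data_dir/systemd/user       # user systemd units
rootless_path=$data_dir/rootless         # rootlesskit state dir + env files
docker_data=$data_dir/docker             # DOCKER_CONFIG/TMPDIR, syft/grype caches
snap_path=snap/docker/current
docker_path=/$snap_path/bin
docker=$docker_path/docker
systemd_service=/etc/systemd/system/snap.docker.dockerd.service
sysusr_service=$sysusr_path/docker.dockerd.service
plugins_path=usr/libexec/docker/cli-plugins
# Provides docker_snap_arm64_ver / docker_snap_amd64_ver (pinned snap revisions).
source .pinned_ver
# Replacement text for the `sed -z` in the session below, which inserts
# Group=/Slice= after [Service] in the copied dockerd unit. The escaping is
# consumed by that later command substitution — keep it byte-for-byte.
sed_ech=$(cat << _EOF__
\\\\[Service\\\\]\\
Group=$run_as\\
Slice=docker.slice\\
_EOF__
)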
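#######################################
# Run a command line on a throw-away pseudo-terminal via script(1) and
# discard everything it prints there.
# Arguments: the command line; all arguments are joined with spaces and
#            re-parsed by a shell, so callers pass pre-quoted text
# Outputs:   nothing (typescript goes to /dev/null, stdout is discarded)
# Returns:   script(1)'s own status; the child's status is not propagated
#            unless script is given -e
#######################################
quiet() {
  local echt="$*"
  script -q -c "$echt" /dev/null > /dev/null
}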
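#######################################
# Remove Docker/containerd/runc runtime state (system and per-user) and the
# user's docker data directory.
# Globals:   run_dir, docker_data (read). Both must be non-empty: an empty
#            value would turn `rm -rf "$var"/*` into a wipe of the root
#            filesystem, so the function aborts the shell instead.
# Arguments: none
# Returns:   0 (missing paths are ignored by -f)
#######################################
clean_most() {
  : "${run_dir:?run_dir must be set}" "${docker_data:?docker_data must be set}"
  rm -r -f -- /home/root/*        # root's temporary home created by this script
  rm -r -f -- /root/snap/docker/
  rm -r -f -- /run/snap.docker/
  rm -r -f -- /run/containerd/
  rm -r -f -- /run/docker*
  rm -r -f -- /run/runc/
  rm -r -f -- /usr/libexec/docker/
  rm -r -f -- /var/lib/snapd/cache/*
  rm -r -f -- "$run_dir"/containerd/
  rm -r -f -- "$run_dir"/docker*
  rm -r -f -- "$run_dir"/runc/
  rm -r -f -- "$docker_data"/*
  rm -r -f -- "$docker_data"/
}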
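#######################################
# Full cleanup: snap data, the user's Docker config, rootless state and user
# systemd units, then everything clean_most removes.
# Globals:   home, data_dir (read). Both must be non-empty, otherwise the
#            rm targets collapse onto top-level paths; the shell aborts.
# Arguments: none
# Returns:   0 (missing paths are ignored by -f)
#######################################
clean_all() {
  : "${home:?home must be set}" "${data_dir:?data_dir must be set}"
  rm -r -f -- /var/snap/docker/
  rm -r -f -- "$home"/snap/docker/
  rm -r -f -- "$home"/.docker/
  rm -r -f -- "$data_dir"/rootless*
  rm -r -f -- "$data_dir"/systemd/
  clean_most
}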
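# --- Phase 2: packages and snaps (runs as root) ------------------------------
# Start from a clean slate so state from a previous (possibly failed) run
# cannot leak into this one.
clean_all

apt-get -qq update && apt-get -qq upgrade -y
apt-get -qq install -y cosign gnupg2 gpg-agent \
  jq pkexec rootlesskit \
  scdaemon slirp4netns snapd \
  systemd-container uidmap

# SBOM and vulnerability scanners used by the scan step in the session below.
snap install syft --classic
snap install grype --classic

# Replace any existing Docker snap with the pinned revision from .pinned_ver.
# `networkctl delete` is allowed to fail when no docker0 bridge exists.
snap remove docker --purge 2>/dev/null || echo "Failed to remove Docker"
quiet networkctl delete docker0

arch=$(uname -m)
case "$arch" in
  aarch64)
    snap install docker --revision="${docker_snap_arm64_ver:?missing in .pinned_ver}" \
      || echo "Failed to install Docker"
    # Only masked on aarch64 in this script.
    quiet systemctl mask snap.docker.nvidia-container-toolkit --runtime --now
    ;;
  x86_64)
    snap install docker --revision="${docker_snap_amd64_ver:?missing in .pinned_ver}" \
      || echo "Failed to install Docker"
    ;;
  *)
    printf 'Unknown Architecture %s\n' "$arch" >&2
    exit 1
    ;;
esac
echo

# The snap's system-wide dockerd must not run: the daemon is started rootless
# from the user's systemd session instead (unit copied and patched below).
snap stop docker
systemctl reset-failed
systemctl stop 'snap.docker.*' --all
quiet systemctl mask snap.docker.dockerd --runtime --now
quiet networkctl delete docker0
systemctl daemon-reload
clean_most

groupadd -f docker
usermod -aG docker "$run_as"

# Root's home is temporarily pointed at /home/root; the sed is anchored to the
# root entry so no other passwd line can match. The teardown at the end of the
# script reverts it. NOTE(review): an abort in between leaves /etc/passwd
# modified.
mkdir -p /home/root
sed -i 's|^\(root:[^:]*:[^:]*:[^:]*:[^:]*\):/root:|\1:/home/root:|' /etc/passwd

# Expose the snap's buildx/compose CLI plugins where the docker CLI looks for
# them. The links must not pre-exist (clean_most removed the directory).
mkdir -p "/$plugins_path"
ln -s "/$snap_path/$plugins_path/docker-buildx" "/$plugins_path/docker-buildx" || exit 1
ln -s "/$snap_path/$plugins_path/docker-compose" "/$plugins_path/docker-compose" || exit 1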
# --- Phase 3: the build itself, as the invoking user --------------------------
# `machinectl shell $run_as@` runs the double-quoted script below as $run_as in
# a fresh login session, starting in the root shell's $PWD (--keep-cwd).
# Quoting rules matter here: the OUTER (root) shell expands everything that is
# not escaped, so $home, $rootless_path, $docker_data, $run_id, $sed_ech,
# $debug and $(echo $PWD) are baked in as literal values, while \$var, \$(...)
# and \" are passed through for the inner bash to evaluate (\$REPO, \$PROJECT,
# \$IDENTITY_FILE, \$SIGNING_KEY and \$USERNAME come from `source .identity`
# inside the session).
#
# What the inner script does, in order:
#   * creates ~/.ssh, restarts the user gpg-agent, sources .identity and
#     .pinned_ver from the build directory, tightens the identity-file modes;
#   * derives SOURCE_DATE_EPOCH: EPOCH unset or "today" -> midnight of today
#     (1 if date fails), EPOCH=0 -> 1, any other value -> evaluated as an
#     arithmetic expression;
#   * `docker login`, links the snap's config.json into $docker_data/.docker,
#     logs syft in to registry-1.docker.io;
#   * writes $rootless_path.sh, which launches dockerd under rootlesskit
#     (slirp4netns, host loopback disabled) with an exported env file;
#   * copies the snap's dockerd unit into the user's systemd dir and patches
#     Group/Slice (from $sed_ech), EnvironmentFile and ExecStart;
#   * defines scan_using_grype: syft attest/scan -> SPDX JSON -> grype; the
#     three summary lines are stripped of control/ANSI sequences and written
#     to readme.md in the Results directory;
#   * starts docker.dockerd --user and fails unless `docker info` reports
#     rootless;
#   * adds a Host entry for \$PROJECT to ~/.ssh/config, loads the SSH identity
#     into ssh-agent, checks the signing key is present on the card;
#   * re-points origin and every submodule at git@\$PROJECT:\$REPO/\$PROJECT.git
#     and computes the release date / sub-version strings from git log;
#   * installs the opposite-arch binfmt handler via a --privileged container,
#     sources `modules`, scans / with grype, then makes a GPG-signed commit
#     and tag and pushes to the `builder` branch; finally cleans up.
#
# NOTE(review): rootless.sh turns env-rootless into shell text
# (`echo echo ... | /bin/bash | /bin/bash`), so environment values are executed
# rather than merely exported — any value containing shell metacharacters
# would be interpreted. The binfmt image is pinned by tag, not digest.
# `.identity`, `.pinned_ver` and `modules` are sourced from the build
# directory as the build user.
machinectl shell $run_as@ /bin/bash -c "
$debug
cd $(echo $PWD)
HOME=$home
mkdir -p $home/.ssh && chmod 0700 $home/.ssh && \
touch $home/.ssh/config && chmod 0644 $home/.ssh/config
ssh_conf=\$(<\$HOME/.ssh/config)
systemctl --user restart gpg-agent.service && wait
export GPG_TTY=\$(tty)
source .identity
source .pinned_ver
chmod 0600 $home/\$IDENTITY_FILE && chmod 0644 $home/\$IDENTITY_FILE.pub
if [[ \"\$EPOCH\" == \"\" ]]; then
EPOCH=\"today\"
fi
source_date_epoch=1
if [[ \"\$EPOCH\" == *today* ]]; then
timestamp=\$(date -d \$(date +%D) +%s);
if [[ \"\$timestamp\" != \"\" ]]; then
echo && echo \"Setting SOURCE_DATE_EPOCH from today's date: \$(date +%D) = @\$timestamp\";
source_date_epoch=\$((timestamp));
else
echo \"Can't get timestamp. Defaulting to 1.\";
source_date_epoch=1;
fi
elif [[ \"\$EPOCH\" != 0 ]]; then
echo && echo \"Using override timestamp \$EPOCH for SOURCE_DATE_EPOCH.\"
source_date_epoch=\$((\$EPOCH))
fi
SOURCE_DATE_EPOCH=\$source_date_epoch
clean_some() {
rm -r -f /home/$run_as/.docker/
rm -r -f /home/$run_as/.local/share/rootless*
rm -r -f /home/$run_as/.local/share/systemd/
}
sys_ctl_common() {
systemctl --user daemon-reload && wait
systemctl --user reset-failed && wait
systemctl --user stop docker* --all && wait
systemctl --user list-units docker* --all && echo
}
echo && read -p 'Press enter to start docker login'
clean_some && docker login && mkdir -p $docker_data/.docker && wait && \
ln -s $home/$snap_path/.docker/config.json $docker_data/.docker/config.json || exit 1
echo && syft login registry-1.docker.io -u \$USERNAME && echo 'Logged in to syft' && echo
mkdir -p $rootless_path/tmp && wait
> $rootless_path.sh && > $rootless_path/env-docker && > $rootless_path/env-rootless && chmod +x $rootless_path.sh && wait
cat >> $rootless_path.sh << __EOF
#!/bin/bash
$debug
mkdir -p $rootless_path/tmp && wait
> $rootless_path/env-docker && > $rootless_path/env-rootless && wait
rootlesskit --copy-up=/etc --copy-up=/run --net=slirp4netns --disable-host-loopback --state-dir $rootless_path/tmp /bin/bash -i -c '
env > $rootless_path/env-docker && grep ROOTLESS $rootless_path/env-docker > $rootless_path/env-rootless && rm -f $rootless_path/env-docker
echo \"docker=$docker
HOME=$home
XDG_CONFIG_HOME=$home
XDG_RUNTIME_DIR=/run/user/$run_id
DOCKER_TMPDIR=$docker_data/tmp
DOCKER_CONFIG=$docker_data/.docker
DOCKER_HOST=unix:///run/user/$run_id/docker.sock
BUILDX_METADATA_PROVENANCE=max
BUILDX_METADATA_WARNINGS=1
BUILDKIT_PROGRESS=plain
SOURCE_DATE_EPOCH=\$source_date_epoch
SYFT_CACHE_DIR=$docker_data/syft
GRYPE_DB_CACHE_DIR=$docker_data/grype
PATH=/usr/sbin:/usr/bin:/snap/bin:$docker_path\" >> $rootless_path/env-rootless
sed \"s/^/export -- /g\" $rootless_path/env-rootless > $rootless_path/env-rootless.exp
\$(echo \"echo echo $\(\<$rootless_path/env-rootless\)\" $(echo $docker)d --rootless \
--userland-proxy-path=$docker_path/docker-proxy --init-path=$docker_path/docker-init \
--feature cdi=false --group docker) | /bin/bash | /bin/bash 2>> $rootless_path/rootless.log'
__EOF
mkdir -p $sysusr_path && wait && \
cp $systemd_service $sysusr_service || exit 1
sed -z -i \"s|\[Service\]\nEnv|$(printf \"%s\\\\n\" $(echo $sed_ech))Env|\" $sysusr_service
sed -i \"s|EnvironmentFile.*|EnvironmentFile=-$rootless_path/env-rootless|\" $sysusr_service
sed -i \"s|ExecStart.*|ExecStart=/bin/bash -c \'$data_dir/rootless.sh\'|\" $sysusr_service
mkdir -p $docker_data/syft && mkdir -p $docker_data/grype
scan_using_grype() { # $1 = Name, $2 = Repo/Name:tag or /Path --select-catalogers debian, $3 = Attest Tag
grype config > $docker_data/.grype.yaml
if [[ \"\$3\" != \"\" ]]; then
read -p 'Press enter to start attestation' && echo
echo 'Starting Syft...'
TMPDIR=$docker_data/syft syft attest --output spdx-json docker.io/\$REPO/\$1:\$3 || \
TMPDIR=$docker_data/syft syft attest --output spdx-json docker.io/\$REPO/\$1:\$3 || exit 1
echo
else
echo 'Starting Syft...'
fi
TMPDIR=$docker_data/syft syft scan \$2 -o spdx-json=\$1.spdx.json || \
TMPDIR=$docker_data/syft syft scan \$2 -o spdx-json=\$1.spdx.json || exit 1
rm -f -r $docker_data/syft/*
echo && echo 'Starting Grype...'
script -q -c \"TMPDIR=$docker_data/grype grype sbom:\$1.spdx.json \
-c $docker_data/.grype.yaml -o json > \$1.grype.json\" \$1.grype.tmp.tmp > \$1.grype.tmp
rm -f -r $docker_data/grype/*
marker() { # $1 = Name, $2 = Order, $3 = Marker/ID
unset \"wright\$2\"
grep \"\$3\" \$1.grype.tmp | tail -n 1 > \$1.grype.status.\$2
tr -d '\000-\037\177' < \$1.grype.status.\$2 | sed '/^$/d' > \$1.grype.status.\$2.tmp
line1=\$(cat \$1.grype.status.\$2)
if [[ \"\$line1\" == *\$3* ]]; then
export \"wright\$2\"=\"\$line1\"
fi
}
marker \$1 1 \"✔ Scanned for vulnerabilities\"
marker \$1 2 \"├── by severity:\"
marker \$1 3 \"└── by status:\"
echo \$wright1 > \$1.grype.status
echo \$wright2 >> \$1.grype.status
echo \$wright3 >> \$1.grype.status
sed -i 's/[^[:print:]]//g' \$1.grype.status
sed -i 's/\[K//g' \$1.grype.status
sed -i 's/\[2A//g' \$1.grype.status
sed -i 's/\[3A//g' \$1.grype.status
rm -f \$1.grype.tmp*
rm -f \$1.grype.status.*
cp \$1.grype.status readme.md
sed -i '1,3s/^/#### /g' readme.md
echo '## ' >> readme.md
echo '\`\`\`' >> readme.md
}
quiet() {
echt=\"\$@\"
script -q -c \"\$echt\" /dev/null > /dev/null
}
sys_ctl_common
systemctl --user start docker.dockerd && sleep 10
systemctl --user status docker.dockerd --all --no-pager -n 150 > $rootless_path/rootless.ctl.log
source $rootless_path/env-rootless.exp
quiet \"\$docker info | grep rootless > $rootless_path/rootless.status\"
if [[ \"\$(grep root $rootless_path/rootless.status)\" != *rootless* ]]; then
echo \"Rootless Docker Failed\" && echo
exit 1
else
echo \"Rootless Docker Started\" && echo
echo \"Rootless Docker Started\" > $rootless_path/rootless.status
fi
if [[ \"\$ssh_conf\" != *\$PROJECT* ]]; then
echo \"
Host \$PROJECT
Hostname github.com
IdentityFile $home/\$IDENTITY_FILE
IdentitiesOnly yes\" >> $home/.ssh/config
fi
eval \"\$(ssh-agent -s)\" && wait
ssh -T git@github.com 2> /dev/null
ssh-add -t 1D -h git@github.com $home/\$IDENTITY_FILE && ssh-add -l
if [[ \"\$(gpg-card list - openpgp)\" == *\$SIGNING_KEY* ]]; then
echo && echo \"Signing key present\" && echo
else
echo && echo \"Signing key \$SIGNING_KEY missing\"
echo \"Check Yubikey and .identity file\" && echo
lsusb && ls -la /dev/hid* && gpg-card list - openpgp
systemctl --user status gpg-agent* --all --no-pager
ls -la $home/.gnupg
exit 1
fi
git remote remove origin && git remote add origin git@\$PROJECT:\$REPO/\$PROJECT.git
git submodule --quiet foreach \"cd .. && git config submodule.\$name.url git@\$PROJECT:\$REPO/\$PROJECT.git\"
git submodule update --init --remote --merge && echo
git submodule --quiet foreach \"git remote remove origin && git remote add origin git@\$PROJECT:\$REPO/\$PROJECT.git\"
unset rel_date date_rel rel_ver sub_ver
rel_date=\$(date -d \"\$(date)\" +\"%m-%d-%Y\")
date_rel=\$(date -d \"\$(date)\" +\"%Y-%m-%d\")
rel_ver=\$(git log --pretty=reference --grep=Successful\\ Build\\ of\\ Release\\ \$date_rel | wc -l)
sub_ver=\$(git submodule --quiet foreach \"git log --pretty=reference --grep=debian-slim:\$rel_date\" | wc -l)
if [[ \"\$rel_ver\" -lt 1 ]]; then
wait
elif [[ \"\$sub_ver\" -ge 1 ]]; then
rel_date=\$(date -d \"\$(date)\" +\"%m-%d-%Y-00\$sub_ver\")
date_rel=\$(date -d \"\$(date)\" +\"%Y-%m-%d-00\$sub_ver\")
echo \"Build Subversion: 00\$sub_ver\" && echo
fi
if [[ \"\$(uname -m)\" == \"aarch64\" ]]; then
\$docker run --privileged --rm tonistiigi/binfmt:qemu-v10.0.4-59 --install amd64
echo
elif [[ \"\$(uname -m)\" == \"x86_64\" ]]; then
\$docker run --privileged --rm tonistiigi/binfmt:qemu-v10.0.4-59 --install arm64
echo
else
echo 'Unknown Architecture '\$(uname -m)
exit 1
fi
source modules
mkdir -p Results && pushd Results
scan_using_grype ubuntu \"/ --select-catalogers debian\"
cat ../*/*.digest > image.digests
cat image.digests >> readme.md && cat readme.md && echo
popd
git status && git add -A && git status && read -p 'Press enter to launch pinentry'
git commit -a -S -m \"Successful Build of Release \$date_rel\" && git push --set-upstream origin builder
git tag -a \$date_rel -s -m \"Tagged Release \$date_rel\" && git push origin \$date_rel
ssh-add -D && eval \"\$(ssh-agent -k)\"
clean_some
sys_ctl_common"
# --- Teardown (runs as root) ---------------------------------------------------
# Undo the host-level changes made above: unmask the snap's units, remove the
# Docker/syft/grype snaps and the docker0 bridge, restore root's passwd entry,
# drop the docker group and wipe all build state.
quiet systemctl unmask snap.docker.dockerd --runtime
quiet systemctl unmask snap.docker.nvidia-container-toolkit --runtime
snap disable docker
if ! snap remove docker --purge; then
  echo "Failed to remove Docker"
fi
quiet networkctl delete docker0
for scanner in grype syft; do
  snap remove "$scanner" --purge
done
sed -i "s|:/home/root:|:/root:|" /etc/passwd
delgroup docker
clean_all
systemctl daemon-reload
exit 0