Étiquetage selinux pour une utilisation non-root

Contournement pour https://github.com/moby/buildkit/issues/905

hooks/containerbuild/debian/install-letsencrypt-ca

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -e
+
+DESTDIR=/usr/local/share/ca-certificates
+UPDATE_CERTS_CMD=update-ca-certificates
+CERTS="$(cat <<EOF
+https://letsencrypt.org/certs/isrgrootx1.pem
+https://letsencrypt.org/certs/isrg-root-x2.pem
+https://letsencrypt.org/certs/lets-encrypt-r3.pem
+https://letsencrypt.org/certs/lets-encrypt-e1.pem
+https://letsencrypt.org/certs/lets-encrypt-r4.pem
+https://letsencrypt.org/certs/lets-encrypt-e2.pem
+EOF
+)"
+
+
+echo "ENV DEBIAN_FRONTEND=noninteractive" >> Dockerfile
+echo "RUN apt-get update && apt-get install --yes --no-install-recommends wget openssl ca-certificates" >> Dockerfile
+
+for cert in $CERTS; do
+    filename=$(basename "$cert")
+    echo "RUN wget -O '$DESTDIR/$filename' $cert" >> Dockerfile
+    echo "RUN openssl x509 -in '$DESTDIR/$filename' -inform PEM -out '$DESTDIR/$filename.crt'" >> Dockerfile
+done
+
+echo "RUN $UPDATE_CERTS_CMD" >> Dockerfile
+echo "ENV DEBIAN_FRONTEND=" >> Dockerfile

hooks/prebuild/eole/create-changelog

@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
-
 cd src
 if [ -f debian/changelog ] || [ ! -d .git ]; then
     tamarin_info "Not a Git repository or Debian changelog already exists !"
@@ -13,11 +12,11 @@ pkg_tags="$(git for-each-ref --format '%(refname)' refs/tags | tac)"
 
 # Set starting commit
 ceiling_commit=$(git describe --match "build/*" --abbrev=0 2>/dev/null)
-if [ -n "ceiling_commit" ]
+if [ -z "$ceiling_commit" ]
 then
   ceiling_commit="HEAD"
 fi
-first_commit=$(git rev-list --max-parents=0 master)
+first_commit=$(git rev-list --max-parents=0 HEAD)
 
 # Get commits log as changelog
 
@@ -55,7 +54,7 @@ function get_short_hash {
 function get_previous_pkg_tag {
   # Return previous pkg/* tag or current tag if no previous pkg/* exists. 
   commit="$1"
-  echo "$(git describe --abbrev=0 --always --match='pkg/*' $commit)"
+  echo "$(git describe --abbrev=0 --match='pkg/*' $commit 2>/dev/null)"
 }
 
 function parse_tag {
@@ -64,10 +63,10 @@ function parse_tag {
   extended_version="${tag##*/}"
   if [ "$flavor" = "pkg" ]
   then
-    exploded_version="$(echo $extended_version | sed "s/\([a-z0-9.]\+\)-\([0-9]\+\)\(-[a-z]\++[0-9]\+\)\?\(-\([0-9]\+\)-\(g[a-z0-9]\+\)\)\?$/version:\1 revision:\2 modification:\3 distance:\5 anchor:\6/")"
+    exploded_version="$(echo $extended_version | sed "s/\([a-z0-9.+]\+\)-\([0-9]\+\)\(-[a-z]\++[0-9]\+\)\?\(-\([0-9]\+\)-\(g[a-z0-9]\+\)\)\?$/version:\1 revision:\2 modification:\3 distance:\5 anchor:\6/")"
   elif [ "$flavor" = "release" ]
   then
-    exploded_version="$(echo $extended_version | sed "s/\([a-z0-9.]\+\)\(-\([0-9]\+\)-\(g[a-z0-9]\+\)\)\?$/version:\1 distance:\3 anchor:\4/")"
+    exploded_version="$(echo $extended_version | sed "s/\([a-z0-9.+]\+\)\(-\([0-9]\+\)-\(g[a-z0-9]\+\)\)\?$/version:\1 distance:\3 anchor:\4/")"
   fi
   echo $exploded_version
 }
@@ -103,6 +102,16 @@ function get_package_version_from_tag {
   echo "$package"
 }
 
+function get_distribution_from_tag {
+  # tag pkg like pkg/<level>/<distrib>/<version>
+  # <distrib> may be composed
+  tag="$1"
+  distribution="${tag#pkg/*/}"
+  distribution="${distribution%/*}"
+  distribution="${distribution/\//-}"
+  echo $distribution
+}
+
 function get_previous_release_tag {
   # Return previous pkg/* tag or current tag if no previous pkg/* exists. 
   commit="$1"
@@ -113,7 +122,7 @@ function on_pkg_tag {
   # Return 1 if current commit is tagged with pkg/* tag.
   commit="$1"
   nearest_old_pkg_tag="$(get_previous_pkg_tag $commit)"
-  if [ "$(get_hash ${commit})" = "$(get_hash ${nearest_old_pkg_tag})" ]
+  if [ -n "${nearest_old_pkg_tag}" ] && [ "$(get_hash ${commit})" = "$(get_hash ${nearest_old_pkg_tag})" ]
   then
     return 0
   else
@@ -159,19 +168,20 @@ function date_from_commit {
 function packager_from_commit {
   # Return Name <mail> id format, suitable for changelog entry signature
   commit="$1"
-  if [ "${commit}" = "HEAD" ]
+  if on_pkg_tag "${commit}"
   then
-    maintainer="$(git log -n1 --format='%cn <%ce>')"
-  else
     maintainer_commit="$(get_previous_pkg_tag $commit)"
     maintainer="$(git tag -l --format='%(creator)' ${maintainer_commit})"
     maintainer="${maintainer%>*}>"
+  else
+    maintainer="$(git log -n1 --format='%cn <%ce>')"
   fi
   maintainer=$(tamarin_db get maintainer "${maintainer}")
   echo "$maintainer"
 }
 
 function next_version {
+  set -x
   commit="$1"
   # upstream version is given by most recent of release or pkg tag
   previous_pkg="$(git describe --long --match='pkg/*' $commit 2>/dev/null)"
@@ -190,10 +200,12 @@ function next_version {
     fi
   elif [ -n "$previous_release" ]
   then
+    distance_from_release=$(get_distance_from_tag "$previous_release" "$commit")
     distance=$distance_from_release
     version="$(get_upstream_version_from_tag $previous_release)-1"
   elif [ -n "$previous_pkg" ]
   then
+    distance_from_pkg=$(get_distance_from_tag "$previous_pkg" "$commit")
     distance=$distance_from_pkg
     version="$(get_upstream_version_from_tag $previous_pkg)-$(expr $(get_package_version_from_tag $previous_pkg) + 1)"
   else
@@ -202,34 +214,34 @@ function next_version {
   fi
   if [ "$package_level" = 'dev' ] || [ "$package_level" = 'staging' ]
   then
-    version="${version}~${package_level}+${distance}~$(get_short_hash $commit)"
+    version="${version}~${package_level}+${distance}"
   fi
   echo $version
+  set +x
 }
 
 function gen_changelog_entry {
   ceiling_commit=$1
   floor_commit="$(next_step "${ceiling_commit}")"
-
   if [ "$(get_hash ${ceiling_commit})" = "$(get_hash ${floor_commit})" ]
   then
     return 1
   fi
-
   if on_pkg_tag $ceiling_commit
   then
+    ceiling_commit="$(get_previous_pkg_tag $ceiling_commit)"
     version="$(get_upstream_version_from_tag $ceiling_commit)-$(get_package_version_from_tag $ceiling_commit)"
+    distribution="$(get_distribution_from_tag $ceiling_commit)"
   else
     tamarin_info "current commit $ceiling_commit"
     version=$(next_version $ceiling_commit)
+    distribution="UNRELEASED"
   fi
-  
   #current_release="$(git describe --abbrev=0 --always --match='release/*' $ceiling_commit)"
   tamarin_info "Création de l’entrée de changelog entre ${ceiling_commit} et ${floor_commit}"
 
   maintainer="$(packager_from_commit ${ceiling_commit})"
   package_date="$(date_from_commit ${ceiling_commit})"
-
   version=${version/_/-}
   changelog_entry="${project_name} (${version}) ${distribution}; urgency=${urgency}"
   echo "$changelog_entry" >> debian/changelog
@@ -248,9 +260,15 @@ function gen_changelog_entry {
 }
 
 function gen_changelog() {
+  limit=10
   while gen_changelog_entry $ceiling_commit
   do
+    limit=`expr $limit - 1`
     echo $changelog_entry
+    if [ "$limit" -le 0 ]
+    then
+      break
+    fi
   done
 }
 

lib/tamarin.py

@@ -12,12 +12,18 @@ def run_profile_hooks(profile, step, **kwargs):
     hook_path = os.path.join(hooks_dir, trimmed_hook_name)
     run([hook_path], **kwargs)
 
+def get_base_dir():
+  return os.path.realpath(os.path.dirname(os.path.abspath(__file__)) + "/..")
+
 def get_hooks_dir():
   return os.path.realpath(os.path.dirname(os.path.abspath(__file__)) + "/../hooks")
 
 def get_lib_dir():
   return os.path.realpath(os.path.dirname(os.path.abspath(__file__)) + "/../lib")
 
+def get_utils_dir():
+  return os.path.realpath(os.path.dirname(os.path.abspath(__file__)) + "/../utils")
+
 def load_profile(profile_name, debug=False):
   profile_filename = profile_name+".conf"
   for profile_file in get_available_profiles():

package

@@ -23,13 +23,16 @@ def create_args_parser():
     parser.add_argument("--cleanup", help="Clear the workspace and remove obsolete Docker images before build", action="store_true", default=False)
     parser.add_argument("--override-docker-args", help="Override all 'docker run' arguments. Use '[IMAGE_TAG]', '[PROFILE]' and '[ARCH]' to insert the corresponding values into your command.", default="")
     parser.add_argument("--prepare-only", help="Only prepare build environment for the given profile", action="store_true", default=False)
+    parser.add_argument("--no-lib-mounts", help="Disable Tamarin library volumes mount", action="store_true", default=False)
 
     return parser
 
 def build_image(build_workspace, base_image, profile_name, profile, debug=False, rebuild=False):
+    shutil.copytree(tamarin.get_base_dir(), os.path.join(build_workspace, '.tamarin'))
 
     with open("{:s}/Dockerfile".format(build_workspace), 'w') as dockerfile:
         dockerfile.write("FROM {:s}\n".format(base_image))
+        dockerfile.write("COPY .tamarin /tamarin\n")
 
     # Configure "containerbuild" hooks environment
     hooks_env = os.environ.copy()
@@ -80,6 +83,8 @@ if __name__ == "__main__":
     pid = os.getpid()
     build_workspace = tamarin.get_workspace_subdir('tmp/build_{:d}'.format(pid))
 
+    shutil.copytree(tamarin.get_utils_dir(), os.path.join(build_workspace, 'utils'))
+
     base_image = args.base if args.base != '' else profile['profile']['default_image']
 
     image_tag = build_image(build_workspace, base_image, args.profile, profile,  debug=args.debug, rebuild=args.rebuild)
@@ -103,13 +108,18 @@ if __name__ == "__main__":
 
         # volumes definition
         docker_args += [
-            "-v", "{:s}:/src:ro".format(project_dir),
-            "-v", "{:s}:/dist".format(output_dir),
-            "-v", "{:s}:/tamarin/hooks:ro".format(tamarin.get_hooks_dir()),
-            "-v", "{:s}:/tamarin/lib:ro".format(tamarin.get_lib_dir()),
-            "-v", "{:s}:/tamarin/profiles:ro".format(tamarin.get_profiles_dir())
+            "-v", "{:s}:/src:z,ro".format(project_dir),
+            "-v", "{:s}:/dist:z".format(output_dir),
         ]
 
+        if not args.no_lib_mounts:
+            docker_args += [
+                "-v", "{:s}:/tamarin/hooks:z,ro".format(tamarin.get_hooks_dir()),
+                "-v", "{:s}:/tamarin/lib:z,ro".format(tamarin.get_lib_dir()),
+                "-v", "{:s}:/tamarin/profiles:z,ro".format(tamarin.get_profiles_dir()),
+                "-v", "{:s}:/tamarin/utils:z,ro".format(tamarin.get_utils_dir())
+            ]
+
         # Use environment proxy if defined
         for proxy_var in ['HTTP_PROXY', 'HTTPS_PROXY', 'http_proxy', 'https_proxy']:
             if proxy_var in os.environ:

profiles/debian.conf

@@ -7,7 +7,8 @@ default_image=debian:stretch
 [containerbuild]
 hooks=
   containerbuild/debian/install-build-essential,
-  containerbuild/debian/install-git
+  containerbuild/debian/install-git,
+  containerbuild/debian/install-letsencrypt-ca
 
 # Configuration de l'étape de pré-construction du paquet
 [prebuild]

profiles/eole-2.7.0.conf

@@ -0,0 +1,30 @@
+# Configuration générale du profil
+[profile]
+# Image Docker par défaut
+default_image=ubuntu:bionic
+
+# Configuration de l'étape de pré-construction du conteneur
+[containerbuild]
+hooks=
+  containerbuild/debian/install-build-essential,
+  containerbuild/debian/install-git,
+
+# Configuration de l'étape de pré-construction du paquet
+[prebuild]
+hooks=
+  prebuild/debian/copy-sources-to-workspace,
+  prebuild/debian/run-project-hooks,
+  prebuild/debian/load-project-db,
+  prebuild/debian/complete-project-db,
+  prebuild/eole/create-changelog,
+  prebuild/debian/install-build-depends
+
+# Configuration de l'étape de construction du paquet
+[build]
+hooks=build/debian/build
+
+# Configuration de l'étape de post-construction du paquet
+[postbuild]
+hooks=
+  postbuild/debian/run-project-hooks,
+  postbuild/debian/export-dist

profiles/eole-2.7.1.conf

@@ -17,7 +17,6 @@ hooks=
   prebuild/debian/load-project-db,
   prebuild/debian/complete-project-db,
   prebuild/eole/create-changelog,
-  prebuild/eole/add-package-version-suffix,
   prebuild/debian/install-build-depends
 
 # Configuration de l'étape de construction du paquet

profiles/eole-2.7.2.conf

@@ -0,0 +1,30 @@
+# Configuration générale du profil
+[profile]
+# Image Docker par défaut
+default_image=ubuntu:bionic
+
+# Configuration de l'étape de pré-construction du conteneur
+[containerbuild]
+hooks=
+  containerbuild/debian/install-build-essential,
+  containerbuild/debian/install-git,
+
+# Configuration de l'étape de pré-construction du paquet
+[prebuild]
+hooks=
+  prebuild/debian/copy-sources-to-workspace,
+  prebuild/debian/run-project-hooks,
+  prebuild/debian/load-project-db,
+  prebuild/debian/complete-project-db,
+  prebuild/eole/create-changelog,
+  prebuild/debian/install-build-depends
+
+# Configuration de l'étape de construction du paquet
+[build]
+hooks=build/debian/build
+
+# Configuration de l'étape de post-construction du paquet
+[postbuild]
+hooks=
+  postbuild/debian/run-project-hooks,
+  postbuild/debian/export-dist

profiles/eole-2.8.1.conf

@@ -0,0 +1,30 @@
+# Configuration générale du profil
+[profile]
+# Image Docker par défaut
+default_image=ubuntu:focal
+
+# Configuration de l'étape de pré-construction du conteneur
+[containerbuild]
+hooks=
+  containerbuild/debian/install-build-essential,
+  containerbuild/debian/install-git,
+
+# Configuration de l'étape de pré-construction du paquet
+[prebuild]
+hooks=
+  prebuild/debian/copy-sources-to-workspace,
+  prebuild/debian/run-project-hooks,
+  prebuild/debian/load-project-db,
+  prebuild/debian/complete-project-db,
+  prebuild/eole/create-changelog,
+  prebuild/debian/install-build-depends
+
+# Configuration de l'étape de construction du paquet
+[build]
+hooks=build/debian/build
+
+# Configuration de l'étape de post-construction du paquet
+[postbuild]
+hooks=
+  postbuild/debian/run-project-hooks,
+  postbuild/debian/export-dist

profiles/eole-2.9.0.conf

@@ -0,0 +1,31 @@
+# Configuration générale du profil
+[profile]
+# Image Docker par défaut
+default_image=ubuntu:jammy
+
+# Configuration de l'étape de pré-construction du conteneur
+[containerbuild]
+hooks=
+  containerbuild/debian/install-build-essential,
+  containerbuild/debian/install-git,
+  containerbuild/eole-2.9.0/configure-additional-repository,
+
+# Configuration de l'étape de pré-construction du paquet
+[prebuild]
+hooks=
+  prebuild/debian/copy-sources-to-workspace,
+  prebuild/debian/run-project-hooks,
+  prebuild/debian/load-project-db,
+  prebuild/debian/complete-project-db,
+  prebuild/eole/create-changelog,
+  prebuild/debian/install-build-depends
+
+# Configuration de l'étape de construction du paquet
+[build]
+hooks=build/debian/build
+
+# Configuration de l'étape de post-construction du paquet
+[postbuild]
+hooks=
+  postbuild/debian/run-project-hooks,
+  postbuild/debian/export-dist

utils/sshForJenkins.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$@"