diff --git a/Dockerfile b/Dockerfile
index 790e671..4569f50 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,10 +4,12 @@
 # ===========================================================================
 # Update the source image.
 # ===========================================================================
-FROM gentoo/stage3:amd64-nomultilib-systemd as bootstrap
-# Migrate to a merged-usr form.
-RUN emerge --quiet-build=y --oneshot merge-usr
-RUN merge-usr
+
+FROM scratch as bootstrap
+# Unpack the stage3 archive (which is downloaded and verifed externally).
+ARG ROOTFS_FILENAME=""
+ADD ${ROOTFS_FILENAME} /
+# Set the profile.
 RUN eselect profile set "default/linux/amd64/17.1/no-multilib/systemd/merged-usr"
 # Replace /etc/portage/make.conf.
 RUN rm --one-file-system /etc/portage/make.conf
diff --git a/build-image.sh b/build-image.sh
index 4f2e489..5524e4c 100755
--- a/build-image.sh
+++ b/build-image.sh
@@ -12,10 +12,15 @@ IMAGE_TAG="${REGISTRY}:${VERSION}"
 REPOS="${REPOS:-/var/db/repos}"
 DISTFILES="${DISTFILES:-/var/cache/distfiles-podman-1}"
+DISTFILES_STAGE3="${DISTFILES_STAGE3:-distfiles}"
 BINPKG="${BINPKG:-/var/cache/packages-podman-1}"
 LOGDIR="${LOGDIR:-$(pwd)/log}"
 DOCKER_FILE="${DOCKER_FILE:-$(pwd)/Dockerfile}"
+ARCH="${ARCH:-amd64}"
+MICROARCH="${MICROARCH:-amd64}"
+OCI_ARCH="${OCI_ARCH:-linux/amd64}"
+
 PODMAN_BUILD_ARGS=(
 # Do not leak the host's /etc/host into the container.
 --no-hosts
@@ -34,11 +39,16 @@ PODMAN_BUILD_ARGS=(
 -v "${LOGDIR}:/var/log:rw,U"
 # Use the given OCI file/Dockerfile.
 -f "${DOCKER_FILE}"
+ # Add details about the architecture.
+ --build-arg ARCH="${ARCH}"
+ --build-arg MICROARCH="${MICROARCH}"
+ --platform "${OCI_ARCH}"
 # Tag the generated image.
 -t "${IMAGE_TAG}"
+ -t "${REGISTRY}:latest"
 # Label the image.
 --label="gentoo-nfr-${IMAGE_TAG}"
- # Sign the image.
+ # sign the image.
 #--sign-by="${GPG_SIGNING_KEY}"
 # Rebuild everything w/o cache.
 --no-cache
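Review bot: `ADD ${ROOTFS_FILENAME} /` makes the entire root filesystem of the `bootstrap` stage whatever the caller passes as the build arg, and ADD also accepts a remote URL, in which case nothing in this Dockerfile checks integrity — the only protection is the GPG verification in build-image.sh, which this file merely alludes to. I would spell out that contract in the comment, e.g. `# ROOTFS_FILENAME must be a local stage3 tarball already GPG-verified by build-image.sh; a URL here would be unpacked unverified.`, and fix `verifed` → `verified` while there. Style: `FROM scratch as bootstrap` → `FROM scratch AS bootstrap` to match the uppercase instructions. The `eselect profile set "default/linux/amd64/..."` context line below still hardcodes amd64 although the build now receives an ARCH build arg (build-image.sh hunk `@@ -12,10 +12,15 @@`); I cannot see whether the Dockerfile declares or uses ARCH elsewhere.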
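Review bot: `ARCH`, `MICROARCH` and `OCI_ARCH` are three independent defaults that can silently disagree — exporting `ARCH=arm64` still builds with `--platform linux/amd64` because `OCI_ARCH` defaults to a literal. Deriving the platform from the architecture keeps them consistent for the architectures where the Gentoo and OCI names coincide: `OCI_ARCH="${OCI_ARCH:-linux/${ARCH}}"`. `MICROARCH` is passed as a build arg but is not used in the visible Dockerfile hunk, so I cannot tell whether it is consumed; a one-line comment on what it selects would help.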
@@ -55,17 +65,43 @@ _mkdir()
 mkdir -p "${@}" || exit_err "Could not create dir ${@}."
 }
+# === Prepare all directories.
 _mkdir "${REPOS}"
 _mkdir "${DISTFILES}"
+_mkdir "${DISTFILES_STAGE3}"
 _mkdir "${BINPKG}"
 _mkdir "${LOGDIR}"
-podman pull gentoo/stage3:amd64-nomultilib-systemd || exit_err "Could not fetch the image."
-podman build "${PODMAN_BUILD_ARGS[@]}" || exit_err "Build failed."
+# === Fetch the stage3 file (and verify it).
+# Note: This uses some nasty string manipulation assuming a certain structure.
+# If upstream changes the format, things will break here, again.
+SERVER="https://ftp-osl.osuosl.org/pub/gentoo/releases/${ARCH}/autobuilds"
+MY_STAGE3="latest-stage3-amd64-nomultilib-systemd-mergedusr.txt"
-# Update the tag 'latest'.
+# Fetch the stage3 archive and its signature.
+curl -sLC- -O --output-dir "${DISTFILES_STAGE3}" "${SERVER}/${MY_STAGE3}" \
+ || exit_err "Could not download the pointer file for the stage3 archive."
+gpg --verify "${DISTFILES_STAGE3}/${MY_STAGE3}" \
+ || exit_err "Could not verify the download pointer file."
+
+LATEST_ARCHIVE="$(grep $(echo ${MY_STAGE3} | sed 's/latest-//;s/.txt//') ${DISTFILES_STAGE3}/${MY_STAGE3} | cut -f1 -d' ')"
+ARCHIVE_FILE_NAME="$(echo ${LATEST_ARCHIVE} | cut -f2 -d'/')"
+
+curl -sLC- -O --output-dir "${DISTFILES_STAGE3}" "${SERVER}/${LATEST_ARCHIVE}" \
+ || exit_err "Could not download the stage3 archive."
+curl -sLC- -O --output-dir "${DISTFILES_STAGE3}" "${SERVER}/${LATEST_ARCHIVE}.asc" \
+ || exit_err "Could not download the stage3 archive signature."
+
+# Verify the signature.
+gpg --verify "${DISTFILES_STAGE3}/${ARCHIVE_FILE_NAME}"{.asc,} \
+ || exit_err "Could not verify the stage3 archive."
+
+# === Remove the old tag 'latest'.
 podman tag rm "${REGISTRY}:latest" # Do not exit_err here. At least on first run # there is no latest tag to delete.
-podman tag "${REGISTRY}:${VERSION}" "${REGISTRY}:latest" || exit_err "Could not tag new image as 'latest'."
+
+# === Build the new image.
+podman build --build-arg=ROOTFS_FILENAME="${DISTFILES_STAGE3}/${ARCHIVE_FILE_NAME}" \
+ "${PODMAN_BUILD_ARGS[@]}" || exit_err "Build failed."
 # vim:fileencoding=utf-8:ts=4:syntax=bash:expandtab
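Review bot: `gpg --verify` on the pointer file and on the archive returns success for a valid signature from any key present in the caller's default keyring, so the two checks do not actually bind the download to Gentoo's release key; verify against a dedicated keyring holding only that key, e.g. `gpg --no-default-keyring --keyring "<path-to-release-keyring>" --verify …` for both calls, or check the VALIDSIG fingerprint reported via `--status-fd`. The `curl -sLC- -O` calls lack `-f`, so an HTTP error page gets saved under the archive's name and the failure only surfaces later as "Could not verify", with `-s` also hiding curl's own message; `curl -fsSL -C - -O --output-dir …` fails at the download step instead. `MY_STAGE3` also hardcodes `amd64-nomultilib-systemd-mergedusr` while `SERVER` is built from `${ARCH}` (introduced together with MICROARCH in the `@@ -12` hunk), so a non-amd64 ARCH would fetch the amd64 pointer from the wrong directory — presumably the pointer name should be derived from those variables as well.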