mirror of
https://github.com/netbootxyz/netboot.xyz.git
synced 2026-01-23 02:34:26 +00:00
Merge pull request #423 from netbootxyz/certs
Fixing signatures and add certs to loaders
This commit is contained in:
commit
d0f97a7a59
11 changed files with 70 additions and 16 deletions
10
.travis.yml
10
.travis.yml
|
|
@ -1,14 +1,10 @@
|
|||
sudo: true
|
||||
|
||||
language: bash
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
env:
|
||||
global:
|
||||
- DEBIAN_FRONTEND="noninteractive"
|
||||
|
||||
jobs:
|
||||
include:
|
||||
- stage: test
|
||||
|
|
@ -23,6 +19,8 @@ jobs:
|
|||
|
||||
- stage: development
|
||||
if: branch = development AND type != pull_request
|
||||
before_install:
|
||||
- ./script/retrieve_certs
|
||||
script:
|
||||
- ./script/build_release dev
|
||||
after_failure:
|
||||
|
|
@ -49,7 +47,7 @@ jobs:
|
|||
- stage: release-candidate
|
||||
if: branch = RC AND type != pull_request
|
||||
before_install:
|
||||
- ./script/pre_install
|
||||
- ./script/retrieve_certs
|
||||
script:
|
||||
- ./script/build_release rc
|
||||
workspaces:
|
||||
|
|
@ -109,6 +107,8 @@ jobs:
|
|||
|
||||
- stage: release
|
||||
if: branch = master AND type != pull_request
|
||||
before_install:
|
||||
- ./script/retrieve_certs
|
||||
script:
|
||||
- ./script/build_release release
|
||||
workspaces:
|
||||
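Review bot: In the release-candidate stage the `before_install` list shows both `- ./script/pre_install` and `- ./script/retrieve_certs` inside a 7→7 hunk, which means one of them is the old line and one the new; the rendering lost which, but it reads as if `pre_install` was swapped for `retrieve_certs` rather than kept alongside it, whereas the development and release stages only gain `retrieve_certs`. If `pre_install` still does something the RC build needs (its contents are not in this diff), the list should carry both entries, `- ./script/pre_install` followed by `- ./script/retrieve_certs`; if the removal is intentional, a short comment on the stage saying why would save the next reader the same question. The `type != pull_request` guards on these stages are what keep `retrieve_certs` from running without its secure variables, so they should stay next to the `before_install` entries.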
|
|
|
|||
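--- /dev/null
+++ b/Dockerfile-build.production
@@ -0,0 +1,32 @@
+FROM ubuntu:bionic as builder
+
+RUN \
+echo "**** install deps ****" && \
+apt-get update && \
+apt-get install -y \
+ansible \
+apache2 \
+build-essential \
+dosfstools \
+genisoimage \
+git \
+liblzma-dev \
+python-minimal \
+python-yaml \
+syslinux
+
+# repo for build
+COPY . /ansible
+
+RUN \
+echo "**** running ansible ****" && \
+cd /ansible && \
+ansible-playbook -i inventory site.yml --extra-vars "@script/netbootxyz-overrides.yml"
+
+# runtime stage
+FROM alpine:3.10
+
+COPY --from=builder /var/www/html/ /mnt/
+COPY docker-build-root/ /
+
+ENTRYPOINT [ "/dumper.sh" ]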
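Review bot: `COPY . /ansible` brings the entire checkout into the builder stage, and with this PR that checkout contains the decrypted signing material: `script/retrieve_certs` extracts `certs.tar` into `certs/` and `netbootxyz-overrides.yml` points `cert_dir` at `/ansible/certs`, so the private code-signing key is written into a layer of the builder image on the build host. The multi-stage split keeps it out of the final `alpine:3.10` image but not out of the local image cache, which is acceptable on a throwaway CI runner but should be stated, e.g. `# build context includes certs/ decrypted by script/retrieve_certs; the signing key lands in this builder layer, never in the runtime stage` above the COPY, with a BuildKit `--mount=type=secret` as the longer-term fix. Smaller points: `cd /ansible && \` is better expressed as `WORKDIR /ansible`, the `apt-get install -y` lacks `--no-install-recommends` and the `rm -rf /var/lib/apt/lists/*` cleanup in the same layer, and the runtime stage has no `USER`, so `/dumper.sh` (not in this diff) runs as root.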
|
|
@ -15,7 +15,7 @@
|
|||
- name: Generate signatures for source files
|
||||
shell: |
|
||||
openssl cms -sign -binary -noattr -in {{ netbootxyz_root }}/{{ item }} \
|
||||
-signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
|
||||
-signer {{ codesign_cert_filename }} -inkey {{ codesign_key_filename }} -certfile {{ cert_file_filename }} -outform DER \
|
||||
-out {{ sigs_dir }}/{{ item }}.sig
|
||||
args:
|
||||
chdir: "{{ cert_dir }}"
|
||||
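Review bot: The `-signer`, `-inkey` and `-certfile` arguments now take bare filenames resolved against `chdir: "{{ cert_dir }}"`, but the companion hunk below (the `- include: generate_signatures.yml` block) appears to drop the `codesign_cert_location`/`codesign_key_location`/`cert_file_location is defined` guards without adding equivalents for the new names, so a playbook run with `generate_signatures: true` and the cert variables unset fails on an undefined variable instead of skipping the include as before. Consider restoring the guards for the new variables, `- codesign_cert_filename is defined`, `- codesign_key_filename is defined`, `- cert_file_filename is defined`, plus one for `cert_dir`, which the `chdir` now depends on. The loop that supplies `{{ item }}` to this task lies outside the hunk.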
|
|
|
|||
|
|
@ -10,9 +10,6 @@
|
|||
- include: generate_signatures.yml
|
||||
when:
|
||||
- generate_signatures | default(false) | bool
|
||||
- codesign_cert_location is defined
|
||||
- codesign_key_location is defined
|
||||
- cert_file_location is defined
|
||||
|
||||
- include: generate_disks.yml
|
||||
with_items:
|
||||
|
|
|
|||
|
|
@ -14,10 +14,10 @@ set memdisk {{ memdisk_location }}
|
|||
set live_endpoint {{ live_endpoint }}
|
||||
|
||||
# signature check enabled?
|
||||
set sigs_enabled {{ sigs_enabled | default(false) | bool }}
|
||||
set sigs_enabled {{ sigs_enabled | default(false) | bool | lower }}
|
||||
|
||||
# image signatures check enabled?
|
||||
set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool }}
|
||||
set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool | lower }}
|
||||
|
||||
# set location of signatures for sources
|
||||
set sigs {{ sigs_location }}
|
||||
|
|
|
|||
|
|
@ -58,9 +58,13 @@ item netinfo ${space} Network card info
|
|||
item about ${space} About netboot.xyz
|
||||
{% if sigs_menu | bool %}
|
||||
item --gap Signature Checks:
|
||||
item sig_check ${space} netboot.xyz [ enabled: ${sigs_enabled} ]
|
||||
{% if sigs_enabled | bool %}
|
||||
item sig_check ${space} {{ site_name }} [ enabled: ${sigs_enabled} ]
|
||||
{% endif %}
|
||||
{% if img_sigs_enabled | bool %}
|
||||
item img_sigs_check ${space} Images [ enabled: ${img_sigs_enabled} ]
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if custom_github_menus | bool %}
|
||||
isset ${github_user} && item --gap Custom Github Menu: ||
|
||||
isset ${github_user} && item custom-github ${space} ${github_user}'s Custom Menu ||
|
||||
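Review bot: With both `item sig_check` and `item img_sigs_check` now wrapped in their own `{% if … | bool %}` blocks, the `item --gap Signature Checks:` heading still renders whenever `sigs_menu` is true, so a build with `sigs_menu: true` and both checks disabled shows an empty section header. Folding the sub-conditions into the outer test avoids that: `{% if sigs_menu | bool and (sigs_enabled | bool or img_sigs_enabled | bool) %}`. The `[ enabled: ${sigs_enabled} ]` suffix on the site item is now only ever shown when the value is true, so it could be dropped or kept purely as confirmation of the runtime variable.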
|
|
|
|||
|
|
@ -5,6 +5,7 @@ TYPE=$1
|
|||
HARD_RELEASE="2.x"
|
||||
HARD_RC="2.x-RC"
|
||||
LIVE_URL="staging.boot.netboot.xyz"
|
||||
DOCKER_FILE="Dockerfile-build.production"
|
||||
|
||||
# Set boot domain
|
||||
if [[ "${TYPE}" == "dev" ]]; then
|
||||
|
|
@ -13,6 +14,7 @@ if [[ "${TYPE}" == "dev" ]]; then
|
|||
elif [[ "${TYPE}" == "pr" ]]; then
|
||||
BOOT_DOMAIN="test.com"
|
||||
BOOT_VERSION="test"
|
||||
DOCKER_FILE="Dockerfile-build"
|
||||
elif [[ "${TYPE}" == "rc" ]]; then
|
||||
BOOT_VERSION=$(cat version.txt)-RC
|
||||
BOOT_DOMAIN="${LIVE_URL}/${BOOT_VERSION}"
|
||||
|
|
@ -28,7 +30,7 @@ sed -i \
|
|||
user_overrides.yml
|
||||
|
||||
# Build release
|
||||
docker build -t localbuild -f Dockerfile-build .
|
||||
docker build -t localbuild -f ${DOCKER_FILE} .
|
||||
docker run --rm -it -v $(pwd):/buildout localbuild
|
||||
|
||||
# Generate folder outputs
|
||||
|
|
@ -51,7 +53,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
|
|||
-e "/^boot_version/c\boot_version: \"${HARD_RELEASE}\"" \
|
||||
-e "/^boot_domain/c\boot_domain: ${LIVE_URL}" \
|
||||
user_overrides.yml
|
||||
docker build -t localbuild -f Dockerfile-build .
|
||||
docker build -t localbuild -f ${DOCKER_FILE} .
|
||||
docker run --rm -it -v $(pwd):/buildout localbuild
|
||||
fi
|
||||
if [[ "${TYPE}" == "rc" ]]; then
|
||||
|
|
@ -59,7 +61,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
|
|||
-e "/^boot_version/c\boot_version: \"${HARD_RC}\"" \
|
||||
-e "/^boot_domain/c\boot_domain: ${LIVE_URL}/rc" \
|
||||
user_overrides.yml
|
||||
docker build -t localbuild -f Dockerfile-build .
|
||||
docker build -t localbuild -f ${DOCKER_FILE} .
|
||||
docker run --rm -it -v $(pwd):/buildout localbuild
|
||||
fi
|
||||
mkdir -p s3out-latest
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
TYPE=$1
|
||||
|
||||
|
|
|
|||
|
|
@ -6,4 +6,13 @@ bootloader_multiple: true
|
|||
bootloader_disks:
|
||||
- "netboot.xyz"
|
||||
- "netboot.xyz-packet"
|
||||
generate_signatures: true
|
||||
generate_signatures: true
|
||||
sigs_dir: "{{ netbootxyz_root }}/sigs"
|
||||
sigs_location: "http://${boot_domain}/sigs/"
|
||||
cert_dir: "/ansible/certs"
|
||||
ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
|
||||
ipxe_ca_url: http://ca.ipxe.org/ca.crt
|
||||
ipxe_ca_filename: ca-ipxe-org.crt
|
||||
codesign_cert_filename: codesign.crt
|
||||
codesign_key_filename: codesign.key
|
||||
cert_file_filename : ca-netboot-xyz.crt
|
||||
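Review bot: `ipxe_ca_url: http://ca.ipxe.org/ca.crt` sources the root certificate that `ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"` compiles into the shipped loaders from a cleartext URL; the task that downloads it is not in this diff, so it is unclear whether a checksum is verified, and without one a tampered download at build time changes which CA every produced binary trusts. Committing the (public) certificate to the repo, or fetching it over HTTPS with a pinned checksum, removes the build-time dependency on the network being honest. `sigs_location` over plain HTTP is fine by comparison, since the CMS signatures it serves are what iPXE verifies. Style: `cert_file_filename : ca-netboot-xyz.crt` has a stray space before the colon; write `cert_file_filename: ca-netboot-xyz.crt` like its neighbours.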
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# Install aws cli
|
||||
sudo pip install awscli tornado
|
||||
|
|
|
|||
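--- /dev/null
+++ b/script/retrieve_certs
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+# retrieve certs
+git clone https://$GIT_USER:$GIT_AUTH@$GIT_URL certs
+cp certs/certs.tar.enc .
+openssl aes-256-cbc -K $encrypted_9ca5918f08ba_key -iv $encrypted_9ca5918f08ba_iv -in certs.tar.enc -out certs.tar -d
+tar xvf certs.tar -C certs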
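Review bot: Embedding `$GIT_USER:$GIT_AUTH` in the clone URL persists the token in `certs/.git/config`, and because `certs/` sits inside the checkout that `Dockerfile-build.production` copies with `COPY . /ansible`, the credential travels into the builder image layer together with the decrypted certificates; git also echoes the remote URL in some failure messages, so a failed clone can print it into the CI log, and log masking only catches verbatim occurrences. At minimum remove the metadata once the archive is out, `rm -rf certs/.git` after the clone, or list `certs/.git` in `.dockerignore`; a credential helper or `GIT_ASKPASS` avoids the URL-embedded secret entirely. The `cp certs/certs.tar.enc .` step is unnecessary, `-in certs/certs.tar.enc` reads it in place, and `tar xf` without `v` keeps the key material's filenames out of the build log.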