Fixing signatures and add certs to loaders

* Shifting after_deploy messages and aws invalidation to proper locations * Add cert checkout to preinstall and setting those on s3 deploys only * Adding production docker file which runs netboot.xyz overrides * Only display sig menus if enabled * Fix var names for signing
2026-01-23 02:34:26 +00:00 · 2019-12-15 08:13:35 +00:00 · 2019-12-15 08:13:35 +00:00 · f628157e43
commit f628157e43
parent 6c03e92881
11 changed files with 70 additions and 16 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,14 +1,10 @@
 sudo: true
-
 language: bash
-
 services:
  - docker
-
 env:
  global:
    - DEBIAN_FRONTEND="noninteractive"
-
 jobs:
  include:
    - stage: test
@ -23,6 +19,8 @@ jobs:

    - stage: development
      if: branch = development AND type != pull_request
+      before_install:
+        - ./script/retrieve_certs
      script:
        - ./script/build_release dev
      after_failure:
@ -49,7 +47,7 @@ jobs:
    - stage: release-candidate
      if: branch = RC AND type != pull_request
      before_install:
-        - ./script/pre_install
+        - ./script/retrieve_certs
      script:
        - ./script/build_release rc
      workspaces:
@ -109,6 +107,8 @@ jobs:

    - stage: release
      if: branch = master AND type != pull_request
+      before_install:
+        - ./script/retrieve_certs
      script:
        - ./script/build_release release
      workspaces:
--- a/Dockerfile-build.production
+++ b/Dockerfile-build.production
@ -0,0 +1,32 @@
+FROM ubuntu:bionic as builder
+
+RUN \
+ echo "**** install deps ****" && \
+ apt-get update && \
+ apt-get install -y \
+	ansible \
+	apache2  \
+	build-essential \
+	dosfstools \
+	genisoimage \
+	git \
+	liblzma-dev \
+	python-minimal \
+	python-yaml \
+	syslinux
+
+# repo for build
+COPY . /ansible
+
+RUN \
+ echo "**** running ansible ****" && \
+ cd /ansible && \
+ ansible-playbook -i inventory site.yml --extra-vars "@script/netbootxyz-overrides.yml"
+
+# runtime stage
+FROM alpine:3.10
+
+COPY --from=builder /var/www/html/ /mnt/
+COPY docker-build-root/ /
+
+ENTRYPOINT [ "/dumper.sh" ]
--- a/roles/netbootxyz/tasks/generate_signatures.yml
+++ b/roles/netbootxyz/tasks/generate_signatures.yml
@ -15,7 +15,7 @@
  - name: Generate signatures for source files
    shell: |
      openssl cms -sign -binary -noattr -in {{ netbootxyz_root }}/{{ item }} \
-      -signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
+      -signer {{ codesign_cert_filename }} -inkey {{ codesign_key_filename }} -certfile {{ cert_file_filename }} -outform DER \
      -out {{ sigs_dir }}/{{ item }}.sig
    args:
      chdir: "{{ cert_dir }}"
--- a/roles/netbootxyz/tasks/main.yml
+++ b/roles/netbootxyz/tasks/main.yml
@ -10,9 +10,6 @@
  - include: generate_signatures.yml
    when:
    - generate_signatures | default(false) | bool
-    - codesign_cert_location is defined
-    - codesign_key_location is defined
-    - cert_file_location is defined

  - include: generate_disks.yml
    with_items:
--- a/roles/netbootxyz/templates/menu/boot.cfg.j2
+++ b/roles/netbootxyz/templates/menu/boot.cfg.j2
@ -14,10 +14,10 @@ set memdisk {{ memdisk_location }}
 set live_endpoint {{ live_endpoint }}

 # signature check enabled?
-set sigs_enabled {{ sigs_enabled | default(false) | bool }}
+set sigs_enabled {{ sigs_enabled | default(false) | bool | lower }}

 # image signatures check enabled?
-set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool }}
+set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool | lower }}

 # set location of signatures for sources
 set sigs {{ sigs_location }}
--- a/roles/netbootxyz/templates/menu/menu.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/menu.ipxe.j2
@ -58,9 +58,13 @@ item netinfo ${space} Network card info
 item about ${space} About netboot.xyz
 {% if sigs_menu | bool %}
 item --gap Signature Checks:
-item sig_check ${space} netboot.xyz [ enabled: ${sigs_enabled} ]
+{% if sigs_enabled | bool %}
+item sig_check ${space} {{ site_name }} [ enabled: ${sigs_enabled} ]
+{% endif %}
+{% if img_sigs_enabled | bool %}
 item img_sigs_check ${space} Images [ enabled: ${img_sigs_enabled} ]
 {% endif %}
+{% endif %}
 {% if custom_github_menus | bool %}
 isset ${github_user} && item --gap Custom Github Menu: ||
 isset ${github_user} && item custom-github ${space} ${github_user}'s Custom Menu ||
--- a/script/build_release
+++ b/script/build_release
@ -5,6 +5,7 @@ TYPE=$1
 HARD_RELEASE="2.x"
 HARD_RC="2.x-RC"
 LIVE_URL="staging.boot.netboot.xyz"
+DOCKER_FILE="Dockerfile-build.production"

 # Set boot domain
 if [[ "${TYPE}" == "dev" ]]; then
@ -13,6 +14,7 @@ if [[ "${TYPE}" == "dev" ]]; then
 elif [[ "${TYPE}" == "pr" ]]; then
  BOOT_DOMAIN="test.com"
  BOOT_VERSION="test"
+  DOCKER_FILE="Dockerfile-build"
 elif [[ "${TYPE}" == "rc" ]]; then
  BOOT_VERSION=$(cat version.txt)-RC
  BOOT_DOMAIN="${LIVE_URL}/${BOOT_VERSION}"
@ -28,7 +30,7 @@ sed -i \
  user_overrides.yml

 # Build release
-docker build -t localbuild -f Dockerfile-build .
+docker build -t localbuild -f ${DOCKER_FILE} .
 docker run --rm -it -v $(pwd):/buildout localbuild

 # Generate folder outputs
@ -51,7 +53,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
      -e "/^boot_version/c\boot_version: \"${HARD_RELEASE}\"" \
      -e "/^boot_domain/c\boot_domain: ${LIVE_URL}" \
      user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
    docker run --rm -it -v $(pwd):/buildout localbuild
  fi
  if [[ "${TYPE}" == "rc" ]]; then
@ -59,7 +61,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
      -e "/^boot_version/c\boot_version: \"${HARD_RC}\"" \
      -e "/^boot_domain/c\boot_domain: ${LIVE_URL}/rc" \
      user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
    docker run --rm -it -v $(pwd):/buildout localbuild
  fi
  mkdir -p s3out-latest
--- a/script/message
+++ b/script/message
@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 TYPE=$1

--- a/script/netbootxyz-overrides.yml
+++ b/script/netbootxyz-overrides.yml
@ -6,4 +6,13 @@ bootloader_multiple: true
 bootloader_disks:
  - "netboot.xyz"
  - "netboot.xyz-packet"
-generate_signatures: true
+generate_signatures: true
+sigs_dir: "{{ netbootxyz_root }}/sigs"
+sigs_location: "http://${boot_domain}/sigs/"
+cert_dir: "/ansible/certs"
+ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
+ipxe_ca_url: http://ca.ipxe.org/ca.crt
+ipxe_ca_filename: ca-ipxe-org.crt
+codesign_cert_filename: codesign.crt
+codesign_key_filename: codesign.key
+cert_file_filename : ca-netboot-xyz.crt
--- a/script/pre_install
+++ b/script/pre_install
@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 # Install aws cli
 sudo pip install awscli tornado
--- a/script/retrieve_certs
+++ b/script/retrieve_certs
@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+# retrieve certs
+git clone https://$GIT_USER:$GIT_AUTH@$GIT_URL certs
+cp certs/certs.tar.enc .
+openssl aes-256-cbc -K $encrypted_9ca5918f08ba_key -iv $encrypted_9ca5918f08ba_iv -in certs.tar.enc -out certs.tar -d
+tar xvf certs.tar -C certs