diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml index bbf381d43..6eb7ad0ce 100644 --- a/.github/workflows/build-and-release.yml +++ b/.github/workflows/build-and-release.yml @@ -54,3 +54,13 @@ jobs: run: | ${IGNITE} checkout installer/image.yml ${SERVER_REPO_PATH}/releases/${VERSION}/ (cd ${SERVER_REPO_PATH}/releases/${VERSION}/; zsyncmake -b 2048 -C -u ${SERVER_REPO_URL}/releases/${VERSION}/rlxos-x86_64-${VERSION}.iso rlxos-x86_64-${VERSION}.iso) + + - name: Update Extensions + run: | + for ext in elements/extensions/*.yml ; do + ELEMENT=${ext#*/} + EXT_ID=${ELEMENT#*/} + EXT_ID=${EXT_ID%.*} + ${IGNITE} build ${ELEMENT} + COMMIT_MESSAGE="UPDATED WITH BASE" OSTREE_BRANCH="x86_64/extension/${EXT_ID}/${VERSION}" ELEMENT_FILE=${ELEMENT} make update-ostree + done \ No newline at end of file diff --git a/TODO.ELEMENTS b/TODO.ELEMENTS index 85a23622e..c0d49f5f6 100644 --- a/TODO.ELEMENTS +++ b/TODO.ELEMENTS @@ -69,8 +69,6 @@ components/gc.yml: check patch components/openjdk.yml: fix update url components/nvidia-settings.yml: check patch components/udisks.yml: check update url -components/make-ca.yml: fix certdata.txt file -components/make-ca.yml: do we need this after ca-certificates components/openjdk-bin.yml: fix update url components/openldap.yml: fix post-script and configurations components/apr-util.yml: fix update url diff --git a/elements/collections/core.yml b/elements/collections/core.yml index 64ceb3fcc..ffe7e7c8c 100644 --- a/elements/collections/core.yml +++ b/elements/collections/core.yml @@ -3,7 +3,7 @@ merge: [version.yml, elements/include/meta.yml] depends: - components/busybox.yml - - components/ca-certificates.yml + - components/make-ca.yml - components/coreutils.yml - components/dbus.yml - components/diffutils.yml diff --git a/elements/components/at-spi2-atk.yml b/elements/components/at-spi2-atk.yml deleted file mode 100644 index 4a84779a9..000000000 --- a/elements/components/at-spi2-atk.yml +++ /dev/null 
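Review bot: The new Update Extensions loop re-derives the branch as `OSTREE_BRANCH="x86_64/extension/${EXT_ID}/${VERSION}"`, duplicating the `ostree-branch: x86_64/extension/%{id}/%{version}` that elements/include/extension.yml defines in this same commit; if either side changes, the two drift apart silently, so either read the branch from the element or leave a comment stating that the two must match. The glob `elements/extensions/*.yml` is iterated without `nullglob`, so an empty directory yields one iteration on the literal pattern and a confusing `${IGNITE} build` failure. The expansions are unquoted; `${IGNITE} build "${ELEMENT}"` and `ELEMENT_FILE="${ELEMENT}"` cost nothing. Whether a failed build stops the step before `make update-ostree` commits to the branch depends on the job's shell options, which are outside the hunk — worth confirming, since a stale tree would otherwise be published.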
@@ -1,10 +0,0 @@ -id: at-spi2-atk -version: 2.38.0 -about: Library that bridges ATK to At-Spi2 D-Bus service - -depends: - - components/at-spi2-core.yml - - components/atk.yml - -sources: - - https://download.gnome.org/sources/at-spi2-atk/%{version:1}/at-spi2-atk-%{version}.tar.xz diff --git a/elements/components/ca-certificates.yml b/elements/components/ca-certificates.yml deleted file mode 100644 index a21143c2a..000000000 --- a/elements/components/ca-certificates.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: ca-certificates -version: 2023-08-22 -about: | - CA Root certificates bundle from Mozilla - -sources: - - https://curl.se/ca/cacert-%{version}.pem - -script: | - install -D -m 644 %{build-root}/cacert-%{version}.pem \ - %{install-root}/%{sysconfdir}/ssl/cert.pem - - install -d %{install-root}/%{sysconfdir}/ssl/certs - ln -s /etc/ssl/cert.pem %{install-root}/%{sysconfdir}/ssl/certs/ca-certificates.crt - ln -s /etc/ssl/cert.pem %{install-root}/%{sysconfdir}/ssl/ca-bundle.crt diff --git a/elements/components/core.yml b/elements/components/core.yml index b03096ede..cdf585ee9 100644 --- a/elements/components/core.yml +++ b/elements/components/core.yml @@ -8,7 +8,7 @@ script: | depends: - components/busybox.yml - - components/ca-certificates.yml + - components/make-ca.yml - components/coreutils.yml - components/dbus.yml - components/diffutils.yml diff --git a/elements/components/curl.yml b/elements/components/curl.yml index f2113998a..973759011 100644 --- a/elements/components/curl.yml +++ b/elements/components/curl.yml @@ -7,8 +7,7 @@ sources: build-type: autotools depends: - components/glibc.yml - - components/ca-certificates.yml configure: >- --enable-threaded-resolver - --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt + --with-ca-path=/etc/ssl/certs --with-openssl diff --git a/elements/components/gnutls.yml b/elements/components/gnutls.yml index 5098a303d..6991c8df7 100644 --- a/elements/components/gnutls.yml +++ b/elements/components/gnutls.yml 
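Review bot: Removing `components/ca-certificates.yml` from curl's `depends` leaves the element with no dependency on any CA-store provider, yet the new `--with-ca-path=/etc/ssl/certs` still needs that directory populated with hashed certificates at run time or every TLS verification fails; add `- components/make-ca.yml` under `depends` (as elements/collections/core.yml now does) so the store is pulled in with curl. Since this commit points mercurial at `%{sysconfdir}/pki/tls/certs/ca-bundle.crt`, passing `--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt` alongside the path would give curl a working default even where the hashed directory has not been generated yet. The `depends` list lies entirely inside the hunk, so nothing else in it provides the store.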
@@ -5,9 +5,7 @@ about: transport layer configure: >- - --disable-guile - --disable-rpath - --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt + --with-default-trust-store-pkcs11="pkcs11:" depends: - components/nettle.yml diff --git a/elements/components/gtk.yml b/elements/components/gtk.yml index 47ea6a483..e3e394277 100644 --- a/elements/components/gtk.yml +++ b/elements/components/gtk.yml @@ -21,7 +21,7 @@ build-depends: - components/gtk-doc.yml depends: - - components/at-spi2-atk.yml + - components/at-spi2-core.yml - components/gdk-pixbuf.yml - components/libepoxy.yml - components/pango.yml diff --git a/elements/components/libcap-ng.yml b/elements/components/libcap-ng.yml index bd9e03f9c..d14ba4020 100644 --- a/elements/components/libcap-ng.yml +++ b/elements/components/libcap-ng.yml @@ -2,6 +2,8 @@ id: libcap-ng version: 0.8.3 about: A library for Linux that makes using posix capabilities easy +build-type: autotools + configure: >- --enable-static=no --without-python diff --git a/elements/components/make-ca.yml b/elements/components/make-ca.yml index d371dba84..d58bd7d3e 100644 --- a/elements/components/make-ca.yml +++ b/elements/components/make-ca.yml 
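Review bot: Dropping `--disable-guile` and `--disable-rpath` is unrelated to moving the trust store to PKCS#11 and changes what gets built — with guile present the bindings are compiled, and rpath entries land in the installed libraries; if that is intended it deserves its own commit or a comment, otherwise keep both flags. The quotes in `--with-default-trust-store-pkcs11="pkcs11:"` are literal characters inside the `>-` scalar: if the build tool runs the configure string through a shell they are stripped, but if it splits the arguments itself GnuTLS receives `"pkcs11:"` quotes included, so `--with-default-trust-store-pkcs11=pkcs11:` is the safer spelling. A PKCS#11 default store also requires the p11-kit trust module at run time; `depends` continues past the hunk, so I cannot see whether p11-kit is listed.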
@@ -1,15 +1,20 @@ id: make-ca -version: "1.7" +version: 1.13 about: MakeCA -release: 0 + depends: - components/p11-kit.yml - components/nss.yml sources: - - https://github.com/djlucas/make-ca/releases/download/v1.7/make-ca-1.7.tar.xz + - https://github.com/lfs-book/make-ca/releases/download/v%{version}/make-ca-%{version}.tar.xz + script: |- - # install -v -D -m 0644 /files/certdata.txt -t %{install-root}%{sysconfdir}/ssl/ - make install LIBEXECDIR=/usr/lib SBINDIR=/usr/bin DESTDIR=%{install-root} + make install LIBEXECDIR=%{libdir}/make-ca SBINDIR=%{bindir} DESTDIR=%{install-root} + + install -vDm 0754 /dev/stdin %{install-root}%{sysconfdir}/cron.weekly/update-pki.sh << "EOF" + #!/bin/bash + %{bindir}/make-ca -g + EOF -# TODO: fix certdata.txt file -# TODO: do we need this after ca-certificates +integration: |- + make-ca -g \ No newline at end of file diff --git a/elements/components/mercurial.yml b/elements/components/mercurial.yml index 9fe4ae83e..a008d4871 100644 --- a/elements/components/mercurial.yml +++ b/elements/components/mercurial.yml @@ -26,5 +26,5 @@ script: |- install -m 755 -d %{install-root}%{sysconfdir}/mercurial cat <<-EOF > %{install-root}%{sysconfdir}/mercurial/hgrc [web] - cacerts = %{sysconfdir}/ssl/certs/ca-certificates.crt + cacerts = %{sysconfdir}/pki/tls/certs/ca-bundle.crt EOF diff --git a/elements/components/mono.yml b/elements/components/mono.yml index d18c12425..eb9283e07 100644 --- a/elements/components/mono.yml +++ b/elements/components/mono.yml @@ -3,7 +3,6 @@ version: 6.12.0.205 about: Free implementation of the .NET platform including runtime and compiler depends: - - components/ca-certificates.yml - components/libgdiplus.yml - components/python.yml - components/zlib.yml diff --git a/elements/components/networkmanager-openvpn.yml b/elements/components/networkmanager-openvpn.yml new file mode 100644 index 000000000..a418d87bf --- /dev/null +++ b/elements/components/networkmanager-openvpn.yml 
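Review bot: `make-ca -g` in `integration` and in the new cron.weekly hook downloads certdata.txt from Mozilla's server at run time, so the image's root of trust is no longer a pinned artifact of the build: a transient network failure, or anything that can interpose on that fetch, now decides which CAs the system trusts, and the build is not reproducible. Prefer shipping certdata.txt as a checksummed `sources` entry and running `make-ca` without `-g` (or `make-ca -r` for an offline rebuild) in `integration`, leaving the network update to the scheduled hook. `version: 1.13` drops the quotes the previous `version: "1.7"` had; YAML reads it as a float, which happens to work for 1.13 but would turn a future 1.10 into 1.1 — `version: "1.13"`. The deleted `components/ca-certificates.yml` installed `/etc/ssl/certs/ca-certificates.crt`, which I do not see this element recreate, so any element still referencing that path points at a file nothing installs; a symlink to the make-ca bundle or a grep across elements would close that gap.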
@@ -0,0 +1,26 @@ +id: networkmanager-openvpn +version: 1.10.2 +about: NetworkManager VPN plugin for OpenVPN + +build-type: autotools + +pre-script: |- + autoreconf -fiv + +variables: + run-autogen: false + seperate-build-dir: false + +depends: + - components/libnma.yml + - components/libsecret.yml + - components/openvpn.yml + - components/networkmanager.yml + +post-script: |- + install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/sysusers.d/%{id}.conf << "EOF" + u nm-openvpn - "NetworkManager OpenVPN" + EOF + +sources: + - https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/archive/%{version}/NetworkManager-openvpn-%{version}.tar.gz \ No newline at end of file diff --git a/elements/components/openvpn.yml b/elements/components/openvpn.yml new file mode 100644 index 000000000..a82a7d7d6 --- /dev/null +++ b/elements/components/openvpn.yml 
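Review bot: `seperate-build-dir: false` under `variables` is misspelled; if the build tool's key is `separate-build-dir`, this setting is silently ignored and the default applies, so please check the spelling against the tool (no other element in this commit shows the key). The sysusers line `u nm-openvpn - "NetworkManager OpenVPN"` presumably creates the account the plugin's helper drops privileges to; a one-line comment above the heredoc saying so would save the next reader a trip to the upstream docs. `autoreconf -fiv` in `pre-script` together with `run-autogen: false` looks like a deliberate replacement for the tarball's autogen step — worth a comment too.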
@@ -0,0 +1,47 @@ +id: openvpn +version: 2.6.8 +about: An easy-to-use, robust and highly configurable VPN (Virtual Private Network) + +build-type: autotools + +pre-script: |- + sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac + patch -Np1 -i /patches/%{id}/0001-unprivileged.patch + + autoreconf --force --install + +configure: >- + --enable-plugins + --enable-systemd + --enable-x509-alt-username + +post-script: |- + install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/sysusers.d/%{id}.conf << "EOF" + u openvpn - "OpenVPN" + EOF + + install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/tmpfiles.d/%{id}.conf << "EOF" + d /etc/openvpn/client 0750 openvpn network - + d /etc/openvpn/server 0750 openvpn network - + d /run/openvpn-client 0750 openvpn network - + d /run/openvpn-server 0750 openvpn network - + EOF + + for FILE in $(find contrib -type f); do + case "$(file --brief --mime-type --no-sandbox "${FILE}")" in + "text/x-shellscript") + install -D -m0755 ${FILE} "%{install-root}/%{datadir}/%{id}/${FILE}" ;; + *) + install -D -m0644 ${FILE} "%{install-root}/%{datadir}/%{id}/${FILE}" ;; + esac + done + +depends: + - components/lz4.yml + - components/lzo.yml + - components/openssl.yml + - components/libnl.yml + - components/libcap-ng.yml + +sources: + - https://github.com/OpenVPN/openvpn/releases/download/v%{version}/openvpn-%{version}.tar.gz \ No newline at end of file diff --git a/elements/components/p11-kit.yml b/elements/components/p11-kit.yml index 0923a39e4..2431d007b 100644 --- a/elements/components/p11-kit.yml +++ b/elements/components/p11-kit.yml 
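Review bot: `for FILE in $(find contrib -type f)` word-splits the file list, so any contrib path containing whitespace is mangled and the `install` destinations are wrong; use `find contrib -type f -print0 | while IFS= read -r -d '' FILE; do` and quote the source operand in both install lines, `install -D -m0755 "${FILE}" …` and `install -D -m0644 "${FILE}" …`. The `sed` on `CONFIGURE_DEFINES` and the `patch -Np1 -i /patches/%{id}/0001-unprivileged.patch` line both lack a why-comment; the sed presumably keeps the build shell's full `set` dump out of the defines embedded in the binary (only exported `env` remains), and the patch makes the systemd units run as `openvpn` — a line each, e.g. `# record env, not set: keep the build environment out of the binary`, would document the intent. The tmpfiles entries here and the `Group=network` lines in the patches/openvpn/0001-unprivileged.patch hunk both reference group `network`, but the sysusers snippet only creates `u openvpn`; unless the base image defines that group, service start fails on `Group=` and tmpfiles cannot resolve the owner, so add `g network` to the snippet or note where the group comes from.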
@@ -1,15 +1,22 @@ id: p11-kit -version: 0.25.0 +version: 0.25.3 about: | Provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules +pre-script: |- + sed '20,$ d' -i trust/trust-extract-compat + cat >> trust/trust-extract-compat << "EOF" + %{libdir}/make-ca/copy-trust-modifications + %{bindir}/make-ca -f -g + EOF + post-script: |- ln -sfv ./pkcs11/p11-kit-trust.so %{install-root}%{libdir}/libnssckbi.so - -build-type: autotools + ln -s %{libdir}/p11-kit/trust-extract-compat %{install-root}%{bindir}/update-ca-trust configure: >- - --with-trust-paths=%{sysconfdir}/pki/anchors + -D trust_paths=%{sysconfdir}/pki/anchors + -D module_path=%{libdir}/pkcs11 depends: - components/libtasn1.yml diff --git a/elements/components/qemu.yml b/elements/components/qemu.yml index 3bc36b944..ec91e9179 100644 --- a/elements/components/qemu.yml +++ b/elements/components/qemu.yml @@ -13,10 +13,11 @@ post-script: |- # chgrp kvm %{install-root}/%{libdir}/qemu-bridge-helper chmod -v 4750 %{install-root}/%{libdir}/qemu-bridge-helper + rmdir %{install-root}/var/run + configure: >- --audio-drv-list=alsa --smbd=/usr/bin/smbd - --target-list=x86_64-softmmu --enable-modules --enable-sdl --enable-gtk diff --git a/elements/components/rustc.yml b/elements/components/rustc.yml index 39fcb25db..eb28e55b5 100644 --- a/elements/components/rustc.yml +++ b/elements/components/rustc.yml @@ -18,7 +18,6 @@ build-depends: - components/cmake.yml - components/gdb.yml - components/ninja.yml - - components/ca-certificates.yml sources: - https://static.rust-lang.org/dist/rustc-%{version}-src.tar.xz diff --git a/elements/components/swupd.yml b/elements/components/swupd.yml index fae4a0db9..2fb759044 100644 --- a/elements/components/swupd.yml +++ b/elements/components/swupd.yml 
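Review bot: `sed '20,$ d' -i trust/trust-extract-compat` deletes everything from line 20 of the upstream script, which only holds for the exact 0.25.3 file; the next version bump will cut at the wrong place without any error, so either anchor the deletion on a pattern or add a comment naming the upstream version and what the first 19 lines contain. The appended body runs `%{bindir}/make-ca -f -g`, so every `update-ca-trust` invocation performs a network download of certdata.txt on top of a forced rebuild; `make-ca -r` rebuilds from the local copy and keeps the update path offline. Those paths belong to make-ca, but p11-kit's `depends` (cut off by the hunk) does not visibly list it — and make-ca depends on p11-kit — so the shipped `update-ca-trust` symlink may resolve to a script whose helpers are absent. Removing `build-type: autotools` while switching to `-D` meson options relies on the tool's default or auto-detection; if the tool has a `build-type: meson`, stating it makes the intent explicit.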
@@ -3,7 +3,7 @@ version: 0.1.0 about: Software Updater Daemon variables: - commit: 35e069d6ee4e2df2f8c31b5a30ff86e1127a6e74 + commit: 226c4c21b652821e073efb267bcce2ff08de6b84 post-script: |- install -v -D -m 0755 -t %{install-root}%{bindir} target/release/%{id} diff --git a/elements/components/wget.yml b/elements/components/wget.yml index 10b7b31b9..1eab5ffc2 100644 --- a/elements/components/wget.yml +++ b/elements/components/wget.yml @@ -10,7 +10,6 @@ sources: depends: - components/glibc.yml - - components/ca-certificates.yml - components/openssl.yml - components/util-linux.yml - components/libidn2.yml diff --git a/elements/extensions/qemu.yml b/elements/extensions/qemu.yml new file mode 100644 index 000000000..8e82df402 --- /dev/null +++ b/elements/extensions/qemu.yml @@ -0,0 +1,8 @@ +id: qemu +about: RLXOS QEMU Virtualization Kit +include: + - components/qemu.yml + - components/libcacard.yml + - components/usbredir.yml + +merge: [elements/include/extension.yml] \ No newline at end of file diff --git a/elements/layers/sdk.yml b/elements/extensions/sdk.yml similarity index 91% rename from elements/layers/sdk.yml rename to elements/extensions/sdk.yml index 50e283a39..99be981b0 100644 --- a/elements/layers/sdk.yml +++ b/elements/extensions/sdk.yml @@ -16,4 +16,4 @@ include: - components/autoconf-archive.yml - components/pkg-config.yml -merge: [elements/include/layer.yml] \ No newline at end of file +merge: [elements/include/extension.yml] \ No newline at end of file diff --git a/elements/include/extension.yml b/elements/include/extension.yml new file mode 100644 index 000000000..e03865436 --- /dev/null +++ b/elements/include/extension.yml 
@@ -0,0 +1,12 @@ +merge: [version.yml, elements/include/ostree.yml] +variables: + force-rebuild: true + include-depends: false + include-root: /sysroot + strip: false + extra-commands: "" + initial-commands: |- + [ -d %{include-root}/%{sysconfdir} ] && mv %{include-root}/%{sysconfdir} %{include-root}/%{prefix}/ + %{extra-commands} + + ostree-branch: x86_64/extension/%{id}/%{version} \ No newline at end of file diff --git a/elements/include/layer.yml b/elements/include/layer.yml deleted file mode 100644 index e42efaf3b..000000000 --- a/elements/include/layer.yml +++ /dev/null @@ -1,19 +0,0 @@ -merge: [version.yml] -variables: - force-rebuild: true - include-depends: false - include-root: /sysroot - strip: false - -build-type: system -build-depends: - - components/squashfs-tools.yml - -post-script: |- - mkdir -p %{include-root}/%{datadir}/factory/ - [[ -d %{include-root}/%{sysconfdir} ]] && mv %{include-root}/%{sysconfdir} %{include-root}/%{datadir}/factory - mv %{include-root}/%{prefix} %{install-root} - - install -vDm 0644 /dev/stdin %{install-root}/share/layers/%{id} << "EOF" - IMAGE_VERSION: %{version} - EOF diff --git a/elements/system/repo.yml b/elements/system/repo.yml index 2c6de4181..c41845b66 100644 --- a/elements/system/repo.yml +++ b/elements/system/repo.yml @@ -128,6 +128,8 @@ include: - components/network-manager-applet.yml - components/system-config-printer.yml + - components/networkmanager-openvpn.yml + - apps/firefox.yml - components/lightdm-gtk-greeter.yml diff --git a/go.mod b/go.mod index f69b81dd1..7d026cbb6 100644 --- a/go.mod +++ b/go.mod @@ -6,5 +6,3 @@ require ( github.com/dustin/go-humanize v1.0.1 gopkg.in/yaml.v2 v2.4.0 ) - -require github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1 diff --git a/go.sum b/go.sum index 87c977f44..0908da987 100644 --- a/go.sum +++ b/go.sum 
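Review bot: `[ -d %{include-root}/%{sysconfdir} ] && mv …` is the last command of `initial-commands` whenever `extra-commands` is empty (its default here), so an extension without an `/etc` ends the script with status 1; depending on how the runner checks the result that fails the build for the wrong reason. An explicit conditional removes the ambiguity: `if [ -d %{include-root}/%{sysconfdir} ]; then mv %{include-root}/%{sysconfdir} %{include-root}/%{prefix}/; fi`. The deleted layer.yml used `[[ … ]]` and moved `/etc` into `%{datadir}/factory`; a one-line comment on why extensions now place it under `%{prefix}` (the ostree `/usr/etc` convention, I assume) would help the next reader. `%{extra-commands}` is substituted verbatim into the shell script — acceptable for trusted element files, but worth a comment noting it is not escaped.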
@@ -1,7 +1,5 @@
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1 h1:lvkd7p4mPPXC1suOm7BaYlMl9mC25h7U6b8RDPe445g=
-github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1/go.mod h1:EwFUbJJY2SbZJFs1j/prHjCNkSEDf7ZQwePk4U7EcTo=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
diff --git a/patches/openvpn/0001-unprivileged.patch b/patches/openvpn/0001-unprivileged.patch
new file mode 100644
index 000000000..aa0e37b65
--- /dev/null
+++ b/patches/openvpn/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index 159fb4dc..2277a7d9 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index 6e8e7d94..b2814e4b 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
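Review bot: `AmbientCapabilities` copies the whole `CapabilityBoundingSet`, so the now-unprivileged `openvpn` user starts with `CAP_SETUID`, `CAP_SETGID`, `CAP_SETPCAP`, `CAP_DAC_OVERRIDE` and `CAP_SYS_CHROOT` already effective — a set that lets the process become root again, which largely defeats the point of `User=openvpn` in both units. OpenVPN itself needs `CAP_NET_ADMIN` and `CAP_NET_RAW` (plus `CAP_NET_BIND_SERVICE` and `CAP_AUDIT_WRITE` for the server unit); `CAP_SETUID`/`CAP_SETGID`/`CAP_SYS_CHROOT` only matter when a config still asks for `user`/`group`/`chroot`, which are redundant once the unit drops privileges. Trim the ambient set to what the shipped configs require and explain each retained capability in the patch header; `CAP_DAC_OVERRIDE` in particular is better replaced by correct ownership of the key and config files, which the tmpfiles entries in elements/components/openvpn.yml (`d /etc/openvpn/client 0750 openvpn network -`) already arrange. The `CapabilityBoundingSet` lines can stay, since they only cap what the process may ever hold.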