diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9a02af8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,49 @@
+# rkt-builder
+
+This repository holds scripts and releases for the rkt-in-rkt builder ACI.
+
+## Usage
+
+### Building a new rkt-in-rkt builder ACI
+
+To build the builder ACI image, first update the version variable `IMG_VERSION` in `acbuild.sh`, and execute:
+
+ $ sudo ./acbuild.sh
+
+The rkt project key must be used to sign the generated image. `$RKTSUBKEYID` is the key ID of the rkt Yubikey. Connect the key and run `gpg2 --card-status` to get the ID.
+
+The public key for GPG signing can be found at [CoreOS Application Signing Key](https://coreos.com/security/app-signing-key) and is assumed as trusted.
+
+ $ gpg2 -u $RKTSUBKEYID'!' --armor --output rkt-builder.aci.asc --detach-sign rkt-builder.aci
+
+Commit any changes to `acbuild.sh`, and push them.
+
+Add a signed tag:
+
+ $ GIT_COMMITTER_NAME="CoreOS Application Signing Key" GIT_COMMITTER_EMAIL="security@coreos.com" git tag -u $RKTSUBKEYID'!' -s v1.0.0 -m "rkt-builder v1.0.0"`
+
+Push the tag to GitHub:
+
+ $ git push --tags
+
+### Building rkt-in-rkt
+
+ $ git clone github.com/coreos/rkt
+ $ cd rkt
+ $ sudo rkt run \
+ --volume src-dir,kind=host,source="$(pwd)" \
+ --volume build-dir,kind=host,source="$(pwd)/release-build" \
+ --interactive \
+ coreos.com/rkt/builder:v1.0.0
+
+## Overview
+
+This repository consists of two scripts:
+
+- `acbuild.sh`: This script builds the rkt-in-rkt builder ACI.
+- `build.sh`: This script is added to the rkt-in-rkt builder ACI as `/scripts/build.sh`, and is defined as the entrypoint.
+
+The built rkt-in-rkt ACI declares the following volumes:
+
+- `src-dir`: Points to the directory holding the rkt source code.
+- `build-dir`: Points to the output directory where the build artifacts are being placed.
diff --git a/acbuild.sh b/acbuild.sh
new file mode 100755
index 0000000..75fb2b0
--- /dev/null
+++ b/acbuild.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -ex
+
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root" 1>&2
+ exit 1
+fi
+
+IMG_NAME="coreos.com/rkt/builder"
+VERSION="1.0.0"
+ARCH=amd64
+OS=linux
+
+FLAGS=${FLAGS:-""}
+ACI_FILE=rkt-builder-"${VERSION}"-"${OS}"-"${ARCH}".aci
+BUILDDIR=/opt/build-rkt
+SRC_DIR=/opt/rkt
+ACI_GOPATH=/go
+
+DEBIAN_SID_DEPS="ca-certificates gcc libc6-dev make automake wget git golang-go cpio squashfs-tools realpath autoconf file xz-utils patch bc locales libacl1-dev libssl-dev libsystemd-dev gnupg"
+
+function acbuildend() {
+ export EXIT=$?;
+ acbuild --debug end && rm -rf rootfs && exit $EXIT;
+}
+
+echo "Generating debian sid tree"
+
+mkdir rootfs
+debootstrap --force-check-gpg --variant=minbase --components=main --include="${DEBIAN_SID_DEPS}" sid rootfs http://httpredir.debian.org/debian/
+rm -rf rootfs/var/cache/apt/archives/*
+
+echo "Version: v${VERSION}"
+echo "Building ${ACI_FILE}"
+
+acbuild begin ./rootfs
+trap acbuildend EXIT
+
+acbuild $FLAGS set-name $IMG_NAME
+acbuild $FLAGS label add version v$VERSION
+acbuild $FLAGS set-user 0
+acbuild $FLAGS set-group 0
+acbuild $FLAGS environment add OS_VERSION sid
+acbuild $FLAGS environment add GOPATH $ACI_GOPATH
+acbuild $FLAGS environment add BUILDDIR $BUILDDIR
+acbuild $FLAGS environment add SRC_DIR $SRC_DIR
+acbuild $FLAGS mount add build-dir $BUILDDIR
+acbuild $FLAGS mount add src-dir $SRC_DIR
+acbuild $FLAGS set-working-dir $SRC_DIR
+acbuild $FLAGS copy-to-dir build.sh /scripts
+acbuild $FLAGS run /bin/mkdir -- -p $ACI_GOPATH
+acbuild $FLAGS run /bin/sh -- -c "GOPATH=${ACI_GOPATH} go get github.com/appc/spec/actool"
+acbuild $FLAGS set-exec /bin/bash /scripts/build.sh
+acbuild write --overwrite $ACI_FILE
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..65db041
--- /dev/null
+++ b/build.sh
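Review bot: The `go get github.com/appc/spec/actool` step near the end of the script fetches whatever the upstream default branch holds at build time, with no pinned revision, and the README has the resulting ACI signed with the project key. The Debian packages are at least signature-checked through `--force-check-gpg`, but this fetch has no equivalent, so the contents of the signed image depend on the state of an external repository on the day of the build. Pinning the revision inside the same `/bin/sh -c` string would make the build reviewable, for example `GOPATH=${ACI_GOPATH} go get -d github.com/appc/spec/actool && git -C ${ACI_GOPATH}/src/github.com/appc/spec checkout <PINNED_COMMIT> && GOPATH=${ACI_GOPATH} go install github.com/appc/spec/actool`. The rolling `sid` suite has a similar effect on reproducibility, so recording the resolved package versions in the build output would help when auditing a release.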
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+./autogen.sh
+./configure \
+ --enable-tpm=no \
+ --with-stage1-default-images-directory=/usr/lib/rkt/stage1-images \
+ --with-stage1-default-location=/usr/lib/rkt/stage1-images/stage1-coreos.aci
+make manpages
+make bash-completion
+make -j4
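Review bot: `--enable-tpm=no` in the `./configure` call switches off TPM support for every binary this builder produces, and nothing in the script records why. A comment above the configure call, such as `# TPM support is disabled because <REASON>; binaries from this builder are built without it`, would keep that trade-off visible to whoever signs and ships the output. Separately, the script never references `$BUILDDIR`, although acbuild.sh mounts the `build-dir` volume there, so it is worth confirming that the artifacts actually land on that volume rather than only in the source tree.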