debian-forge/runners/org.osbuild.rhel81
Tom Gundersen 8ad791be13 runners: drop ca certificate handling
Now that stages no longer access the network, drop CA certificate
setup.

In the future, we may want to restrict all network access to the
container, but that requires more work.

Signed-off-by: Tom Gundersen <teg@jklm.no>
2020-04-15 15:29:52 +02:00


#!/usr/bin/python3.6
import array
import json
import os
import socket
import subprocess
import sys
# copied from remoteloop.py
def load_fds(sock, msglen):
    """Receive one JSON message and the file descriptors sent along with it.

    Reads a single message of at most `msglen` bytes from `sock` using
    `recvmsg()`, with an ancillary buffer sized for 253 descriptors, and
    collects every descriptor carried in an SCM_RIGHTS control message.

    Returns a tuple `(message, fds, addr)`: the payload parsed with
    `json.loads()`, the received descriptors as a list of ints, and the
    sender address reported by `recvmsg()`.
    """
    received = array.array("i")  # descriptors are transferred as C ints
    width = received.itemsize
    payload, ancillary, _flags, sender = sock.recvmsg(msglen, socket.CMSG_LEN(253 * width))
    # NOTE(review): the recvmsg() flags are discarded, so a truncated payload
    # (MSG_TRUNC) or truncated control data (MSG_CTRUNC) is not detected here.
    for level, kind, data in ancillary:
        if level != socket.SOL_SOCKET or kind != socket.SCM_RIGHTS:
            continue
        # Keep only whole integers; a trailing partial one is dropped.
        usable = len(data) - (len(data) % width)
        received.frombytes(data[:usable])
    return json.loads(payload), list(received), sender
def ldconfig():
    """Make sure /etc/ld.so.conf exists, then run `ldconfig`.

    Both commands are run with `check=True`, so a failing command raises
    `subprocess.CalledProcessError`. They are passed as argument lists, so no
    shell is involved.
    """
    steps = (
        # ld.so.conf must exist, or `ldconfig` throws a warning
        ["touch", "/etc/ld.so.conf"],
        ["ldconfig"],
    )
    for argv in steps:
        subprocess.run(argv, check=True)
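def sysusers():
    """Run `systemd-sysusers`; on failure print its output and exit with status 1.

    stdout and stderr of the command are captured together. When the command
    exits non-zero, the captured output is written to this process's stderr
    and the process exits with status 1.
    """
    try:
        subprocess.run(
            ["systemd-sysusers"],
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            check=True,
        )
    except subprocess.CalledProcessError as error:
        # The output was captured as bytes (no encoding was requested), and
        # sys.stderr is a text stream: writing the bytes directly raises
        # TypeError and the diagnostics of the failed run are lost. Decode
        # leniently so undecodable bytes cannot hide the message either.
        captured = error.stdout or b""
        sys.stderr.write(captured.decode("utf-8", errors="replace"))
        sys.exit(1)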
def tmpfiles():
    """Run `systemd-tmpfiles --create`, tolerating a non-zero exit status."""
    # A failure is accepted on purpose: some packages want to create
    # directories owned by users that are not set up with systemd-sysusers.
    argv = ["systemd-tmpfiles", "--create"]
    subprocess.run(argv, check=False)
def nsswitch():
    """Delete /etc/nsswitch.conf if it exists.

    The default name-service behavior is fine, but nss-resolve does not
    necessarily work in a non-booted container, so make sure it is not
    configured. A missing file is not an error.
    """
    conf = "/etc/nsswitch.conf"
    try:
        os.unlink(conf)
    except FileNotFoundError:
        return
def setup_stdio():
    """Replace stdin, stdout and stderr with descriptors handed out by the osbuild API.

    Sends a `setup-stdio` request over the datagram socket at
    /run/osbuild/api/osbuild, reads the reply with `load_fds()`, and
    duplicates the received descriptors over the three standard streams.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as api:
        # NOTE(review): presumably SO_PASSCRED is set so the unbound datagram
        # socket gets an address the API can reply to -- confirm.
        api.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        api.connect("/run/osbuild/api/osbuild")
        request = json.dumps({'method': 'setup-stdio'}).encode('utf-8')
        api.send(request)
        reply, received, _ = load_fds(api, 1024)
        for name in ('stdin', 'stdout', 'stderr'):
            stream = getattr(sys, name)
            # reply[name] is an index into the list of received descriptors.
            # NOTE(review): the index comes from the peer and is used
            # unchecked; a missing key or an out-of-range value raises here.
            handed_over = received[reply[name]]
            os.dup2(handed_over, stream.fileno())
            # The duplicate now backs the stream; release the original.
            os.close(handed_over)
def os_release():
    """Write a RHEL 8.1 /etc/os-release as a regular file.

    /usr/lib/os-release doesn't exist: the `redhat-release` package generates
    `/etc/os-release` directly. To work around this, do the same here.

    https://bugzilla.redhat.com/show_bug.cgi?id=1766754
    """
    path = "/etc/os-release"
    fields = [
        'NAME="Red Hat Enterprise Linux"\n',
        'VERSION="8.1 (Ootpa)"\n',
        'ID="rhel"\n',
        'ID_LIKE="fedora"\n',
        'VERSION_ID="8.1"\n',
        'PLATFORM_ID="platform:el8"\n',
        'PRETTY_NAME="Red Hat Enterprise Linux 8.1 (Ootpa)"\n',
        'ANSI_COLOR="0;31"\n',
        'CPE_NAME="cpe:/o:redhat:enterprise_linux:8.1:GA"\n',
        'HOME_URL="https://www.redhat.com/"\n',
        'BUG_REPORT_URL="https://bugzilla.redhat.com/"\n',
    ]
    # Remove the symlink that systemd-nspawn creates before writing, so the
    # open() below creates a new file at this path. The path is expected to
    # exist; os.remove() raises FileNotFoundError otherwise.
    os.remove(path)
    with open(path, "w") as out:
        out.writelines(fields)
def python_alternatives():
    """Recreate the /etc/alternatives/python3 link.

    /usr/bin/python3 is a symlink to /etc/alternatives/python3, which points
    to /usr/bin/python3.6 by default. Recreate that link in /etc so that
    shebang lines in stages and assemblers work.
    """
    link_dir = "/etc/alternatives"
    os.makedirs(link_dir, exist_ok=True)
    try:
        os.symlink("/usr/bin/python3.6", "/etc/alternatives/python3")
    except FileExistsError:
        # An entry with this name is already there and is left as it is;
        # where it points is not checked.
        return
if __name__ == "__main__":
    # Prepare the environment, one step after another in this fixed order.
    preparation = (
        setup_stdio,
        ldconfig,
        sysusers,
        tmpfiles,
        nsswitch,
        os_release,
        python_alternatives,
    )
    for step in preparation:
        step()

    # Run the command given on the command line (as an argument list, without
    # a shell) and exit with its return code.
    completed = subprocess.run(sys.argv[1:], check=False)
    sys.exit(completed.returncode)