mkarchiso: Add buildmode to export netboot artifacts
archiso/mkarchiso: Implement a buildmode to export artifacts required for netboot with IPXE. When providing the buildmode 'netboot' via profiledef.sh or the `-m` option, all targets necessary to create an ISO medium are built, but the components required for netboot are exported to the output dir. Optionally, it is possible to provide a set of certificates for codsigning using the `-c` option, where the first file is considered as the signer certificate and the second as the key. Add `_export_netboot_artifacts()` to copy build artifacts to the output directory. Add `_sign_netboot_artifacts()` to codesign the netboot artifacts in the work directory. Add `_validate_requirements_buildmode_netboot()` to check for openssl. Add `_build_iso_base()` to implement common function calls between the 'iso' and the 'netboot' buildmodes. Add `_build_buildmode_netboot()` to make use of `_build_iso_base()`, (optionally) `_sign_netboot_artifacts()` and `_export_netboot_artifacts()`. Change `_build_buildmode_iso()` to make use of `_build_iso_base()`. Add `-c` as an option to mkarchiso to read in a list of file names. Unify the output of `_usage()` by using the same definition style for lists of strings provided to options that accept them (e.g. `-c`, `-m`, `-p`). Closes #128
This commit is contained in:
parent
1fed84c795
commit
d54bf635cd
@ -34,6 +34,8 @@ buildmodes=()
|
|||||||
bootmodes=()
|
bootmodes=()
|
||||||
airootfs_image_type=""
|
airootfs_image_type=""
|
||||||
airootfs_image_tool_options=()
|
airootfs_image_tool_options=()
|
||||||
|
cert_list=()
|
||||||
|
sign_netboot_artifacts=""
|
||||||
declare -A file_permissions=()
|
declare -A file_permissions=()
|
||||||
|
|
||||||
|
|
||||||
@ -96,13 +98,17 @@ usage: ${app_name} [options] <profile_dir>
|
|||||||
Default: '${iso_label}'
|
Default: '${iso_label}'
|
||||||
-P <publisher> Set the ISO publisher
|
-P <publisher> Set the ISO publisher
|
||||||
Default: '${iso_publisher}'
|
Default: '${iso_publisher}'
|
||||||
|
-c [cert ..] Provide certificates for codesigning of netboot artifacts
|
||||||
|
Multiple files are provided as quoted, space delimited list.
|
||||||
|
The first file is considered as the signing certificate,
|
||||||
|
the second as the key.
|
||||||
-g <gpg_key> Set the PGP key ID to be used for signing the rootfs image
|
-g <gpg_key> Set the PGP key ID to be used for signing the rootfs image
|
||||||
-h This message
|
-h This message
|
||||||
-m [build modes] Build modes to use (valid modes are: 'bootstrap' and 'iso').
|
-m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
|
||||||
Multiple build modes are provided as quoted, space delimited list.
|
Multiple build modes are provided as quoted, space delimited list.
|
||||||
-o <out_dir> Set the output directory
|
-o <out_dir> Set the output directory
|
||||||
Default: '${out_dir}'
|
Default: '${out_dir}'
|
||||||
-p PACKAGE(S) Package(s) to install.
|
-p [package ..] Package(s) to install.
|
||||||
Multiple packages are provided as quoted, space delimited list.
|
Multiple packages are provided as quoted, space delimited list.
|
||||||
-v Enable verbose output
|
-v Enable verbose output
|
||||||
-w <work_dir> Set the working directory
|
-w <work_dir> Set the working directory
|
||||||
@ -127,6 +133,7 @@ _show_config() {
|
|||||||
_msg_info " Current build mode: ${buildmode}"
|
_msg_info " Current build mode: ${buildmode}"
|
||||||
_msg_info " Build modes: ${buildmodes[*]}"
|
_msg_info " Build modes: ${buildmodes[*]}"
|
||||||
_msg_info " GPG key: ${gpg_key:-None}"
|
_msg_info " GPG key: ${gpg_key:-None}"
|
||||||
|
_msg_info "Code signing certificates: ${cert_list[*]}"
|
||||||
_msg_info " Profile: ${profile}"
|
_msg_info " Profile: ${profile}"
|
||||||
_msg_info "Pacman configuration file: ${pacman_conf}"
|
_msg_info "Pacman configuration file: ${pacman_conf}"
|
||||||
_msg_info " Image file name: ${image_name:-None}"
|
_msg_info " Image file name: ${image_name:-None}"
|
||||||
@ -650,6 +657,34 @@ _prepare_airootfs_image() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# export build artifacts for netboot
|
||||||
|
_export_netboot_artifacts() {
|
||||||
|
_msg_info "Exporting netboot artifacts..."
|
||||||
|
install -d -m 0755 "${out_dir}"
|
||||||
|
cp -a -- "${isofs_dir}/${install_dir}/" "${out_dir}/"
|
||||||
|
_msg_info "Done!"
|
||||||
|
du -h -- "${out_dir}/${install_dir}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# sign build artifacts for netboot
|
||||||
|
_sign_netboot_artifacts() {
|
||||||
|
local _file _dir
|
||||||
|
_msg_info "Signing netboot artifacts..."
|
||||||
|
_dir="${isofs_dir}/${install_dir}/"
|
||||||
|
for _file in "${_dir}/boot/"*ucode.img "${_dir}/boot/${arch}/vmlinuz-"* "${_dir}/boot/${arch}/initramfs-"*.img; do
|
||||||
|
openssl cms \
|
||||||
|
-sign \
|
||||||
|
-binary \
|
||||||
|
-noattr \
|
||||||
|
-in "${_file}" \
|
||||||
|
-signer "${cert_list[0]}" \
|
||||||
|
-inkey "${cert_list[1]}" \
|
||||||
|
-outform DER \
|
||||||
|
-out "${_file}".ipxe.sig
|
||||||
|
done
|
||||||
|
_msg_info "Done!"
|
||||||
|
}
|
||||||
|
|
||||||
_validate_requirements_airootfs_image_type_squashfs() {
|
_validate_requirements_airootfs_image_type_squashfs() {
|
||||||
if ! command -v mksquashfs &> /dev/null; then
|
if ! command -v mksquashfs &> /dev/null; then
|
||||||
(( validation_error=validation_error+1 ))
|
(( validation_error=validation_error+1 ))
|
||||||
@ -703,6 +738,14 @@ _validate_requirements_buildmode_iso() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_validate_requirements_buildmode_netboot() {
|
||||||
|
_validate_requirements_buildmode_all
|
||||||
|
if ! command -v openssl &> /dev/null; then
|
||||||
|
(( validation_error=validation_error+1 ))
|
||||||
|
_msg_error "Validating build mode '${_buildmode}': openssl is not available on this host. Install 'openssl'!" 0
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# SYSLINUX El Torito
|
# SYSLINUX El Torito
|
||||||
_add_xorrisofs_options_bios.syslinux.eltorito() {
|
_add_xorrisofs_options_bios.syslinux.eltorito() {
|
||||||
xorrisofs_options+=(
|
xorrisofs_options+=(
|
||||||
@ -884,9 +927,10 @@ _read_profile() {
|
|||||||
|
|
||||||
# Validate set options
|
# Validate set options
|
||||||
_validate_options() {
|
_validate_options() {
|
||||||
local validation_error=0 bootmode _buildmode
|
local validation_error=0 bootmode _cert _buildmode
|
||||||
local pkg_list_from_file=()
|
local pkg_list_from_file=()
|
||||||
local bootstrap_pkg_list_from_file=()
|
local bootstrap_pkg_list_from_file=()
|
||||||
|
local _override_cert_list=()
|
||||||
|
|
||||||
_msg_info "Validating options..."
|
_msg_info "Validating options..."
|
||||||
# Check if the package list file exists and read packages from it
|
# Check if the package list file exists and read packages from it
|
||||||
@ -917,7 +961,23 @@ _validate_options() {
|
|||||||
_msg_error "Bootstrap packages file '${bootstrap_packages}' does not exist." 0
|
_msg_error "Bootstrap packages file '${bootstrap_packages}' does not exist." 0
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [[ "${sign_netboot_artifacts}" == "y" ]]; then
|
||||||
|
# Check if the certificate files exist
|
||||||
|
for _cert in "${cert_list[@]}"; do
|
||||||
|
if [[ -e "${_cert}" ]]; then
|
||||||
|
_override_cert_list+=("$(realpath -- "${_cert}")")
|
||||||
|
else
|
||||||
|
(( validation_error=validation_error+1 ))
|
||||||
|
_msg_error "File '${_cert}' does not exist." 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
cert_list=("${_override_cert_list[@]}")
|
||||||
|
# Check if there are at least two certificate files
|
||||||
|
if (( "${#cert_list[@]}" < 2 )); then
|
||||||
|
(( validation_error=validation_error+1 ))
|
||||||
|
_msg_error "Two certificates are required for codesigning, but '${cert_list[*]}' is provided." 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
# Check if pacman configuration file exists
|
# Check if pacman configuration file exists
|
||||||
if [[ ! -e "${pacman_conf}" ]]; then
|
if [[ ! -e "${pacman_conf}" ]]; then
|
||||||
(( validation_error=validation_error+1 ))
|
(( validation_error=validation_error+1 ))
|
||||||
@ -1017,6 +1077,10 @@ _set_overrides() {
|
|||||||
install_dir="${app_name}"
|
install_dir="${app_name}"
|
||||||
fi
|
fi
|
||||||
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
|
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
|
||||||
|
if [[ -v override_cert_list ]]; then
|
||||||
|
sign_netboot_artifacts="y"
|
||||||
|
fi
|
||||||
|
[[ ! -v override_cert_list ]] || cert_list+=("${override_cert_list[@]}")
|
||||||
if [[ -v override_quiet ]]; then
|
if [[ -v override_quiet ]]; then
|
||||||
quiet="$override_quiet"
|
quiet="$override_quiet"
|
||||||
elif [[ -z "$quiet" ]]; then
|
elif [[ -z "$quiet" ]]; then
|
||||||
@ -1079,38 +1143,15 @@ _make_pkglist() {
|
|||||||
_msg_info "Done!"
|
_msg_info "Done!"
|
||||||
}
|
}
|
||||||
|
|
||||||
_build_buildmode_bootstrap() {
|
# build the base for an ISO and/or a netboot target
|
||||||
local image_name="${iso_name}-bootstrap-${iso_version}-${arch}.tar.gz"
|
_build_iso_base() {
|
||||||
local run_once_mode="${buildmode}"
|
local run_once_mode="base"
|
||||||
local buildmode_packages="${bootstrap_packages}"
|
|
||||||
local buildmode_pkg_list=()
|
|
||||||
|
|
||||||
# Set the package list to use
|
|
||||||
buildmode_pkg_list=("${bootstrap_pkg_list[@]}")
|
|
||||||
# Set up essential directory paths
|
|
||||||
pacstrap_dir="${work_dir}/${arch}/bootstrap/root.${arch}"
|
|
||||||
[[ -d "${work_dir}" ]] || install -d -- "${work_dir}"
|
|
||||||
install -d -m 0755 -o 0 -g 0 -- "${pacstrap_dir}"
|
|
||||||
|
|
||||||
[[ "${quiet}" == "y" ]] || _show_config
|
|
||||||
_run_once _make_pacman_conf
|
|
||||||
_run_once _make_packages
|
|
||||||
_run_once _make_version
|
|
||||||
_run_once _make_pkglist
|
|
||||||
_run_once _cleanup_pacstrap_dir
|
|
||||||
_run_once _build_bootstrap_image
|
|
||||||
}
|
|
||||||
|
|
||||||
_build_buildmode_iso() {
|
|
||||||
local image_name="${iso_name}-${iso_version}-${arch}.iso"
|
|
||||||
local run_once_mode="${buildmode}"
|
|
||||||
local buildmode_packages="${packages}"
|
local buildmode_packages="${packages}"
|
||||||
local buildmode_pkg_list=()
|
# Set the package list to use
|
||||||
|
local buildmode_pkg_list=("${pkg_list[@]}")
|
||||||
# Set up essential directory paths
|
# Set up essential directory paths
|
||||||
pacstrap_dir="${work_dir}/${arch}/airootfs"
|
pacstrap_dir="${work_dir}/${arch}/airootfs"
|
||||||
isofs_dir="${work_dir}/iso"
|
isofs_dir="${work_dir}/iso"
|
||||||
# Set the package list to use
|
|
||||||
buildmode_pkg_list=("${pkg_list[@]}")
|
|
||||||
|
|
||||||
# Create working directory
|
# Create working directory
|
||||||
[[ -d "${work_dir}" ]] || install -d -- "${work_dir}"
|
[[ -d "${work_dir}" ]] || install -d -- "${work_dir}"
|
||||||
@ -1132,6 +1173,46 @@ _build_buildmode_iso() {
|
|||||||
_make_bootmodes
|
_make_bootmodes
|
||||||
_run_once _cleanup_pacstrap_dir
|
_run_once _cleanup_pacstrap_dir
|
||||||
_run_once _prepare_airootfs_image
|
_run_once _prepare_airootfs_image
|
||||||
|
}
|
||||||
|
|
||||||
|
# Build the bootstrap buildmode
|
||||||
|
_build_buildmode_bootstrap() {
|
||||||
|
local image_name="${iso_name}-bootstrap-${iso_version}-${arch}.tar.gz"
|
||||||
|
local run_once_mode="${buildmode}"
|
||||||
|
local buildmode_packages="${bootstrap_packages}"
|
||||||
|
# Set the package list to use
|
||||||
|
local buildmode_pkg_list=("${bootstrap_pkg_list[@]}")
|
||||||
|
|
||||||
|
# Set up essential directory paths
|
||||||
|
pacstrap_dir="${work_dir}/${arch}/bootstrap/root.${arch}"
|
||||||
|
[[ -d "${work_dir}" ]] || install -d -- "${work_dir}"
|
||||||
|
install -d -m 0755 -o 0 -g 0 -- "${pacstrap_dir}"
|
||||||
|
|
||||||
|
[[ "${quiet}" == "y" ]] || _show_config
|
||||||
|
_run_once _make_pacman_conf
|
||||||
|
_run_once _make_packages
|
||||||
|
_run_once _make_version
|
||||||
|
_run_once _make_pkglist
|
||||||
|
_run_once _cleanup_pacstrap_dir
|
||||||
|
_run_once _build_bootstrap_image
|
||||||
|
}
|
||||||
|
|
||||||
|
# Build the netboot buildmode
|
||||||
|
_build_buildmode_netboot() {
|
||||||
|
local run_once_mode="${buildmode}"
|
||||||
|
|
||||||
|
_run_once _build_iso_base
|
||||||
|
if [[ -v cert_list ]]; then
|
||||||
|
_run_once _sign_netboot_artifacts
|
||||||
|
fi
|
||||||
|
_run_once _export_netboot_artifacts
|
||||||
|
}
|
||||||
|
|
||||||
|
# Build the ISO buildmode
|
||||||
|
_build_buildmode_iso() {
|
||||||
|
local image_name="${iso_name}-${iso_version}-${arch}.iso"
|
||||||
|
local run_once_mode="${buildmode}"
|
||||||
|
_run_once _build_iso_base
|
||||||
_run_once _build_iso_image
|
_run_once _build_iso_image
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1145,7 +1226,7 @@ _build() {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
while getopts 'p:C:L:P:A:D:w:m:o:g:vh?' arg; do
|
while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
|
||||||
case "${arg}" in
|
case "${arg}" in
|
||||||
p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
|
p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
|
||||||
C) override_pacman_conf="${OPTARG}" ;;
|
C) override_pacman_conf="${OPTARG}" ;;
|
||||||
@ -1153,6 +1234,7 @@ while getopts 'p:C:L:P:A:D:w:m:o:g:vh?' arg; do
|
|||||||
P) override_iso_publisher="${OPTARG}" ;;
|
P) override_iso_publisher="${OPTARG}" ;;
|
||||||
A) override_iso_application="${OPTARG}" ;;
|
A) override_iso_application="${OPTARG}" ;;
|
||||||
D) override_install_dir="${OPTARG}" ;;
|
D) override_install_dir="${OPTARG}" ;;
|
||||||
|
c) read -r -a override_cert_list <<< "${OPTARG}" ;;
|
||||||
w) override_work_dir="${OPTARG}" ;;
|
w) override_work_dir="${OPTARG}" ;;
|
||||||
m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
|
m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
|
||||||
o) override_out_dir="${OPTARG}" ;;
|
o) override_out_dir="${OPTARG}" ;;
|
||||||
|
Loading…
Reference in New Issue
Block a user