#!/bin/bash
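# Map the machine name reported by `uname -m` to a Debian-style architecture
# label.
# Outputs: one of arm64, amd64, i386, armhf or unknown on stdout.
function get_arch()
{
    local machine architecture
    machine=$(uname -m)

    # Match whole machine names. A bare "64" substring test would label every
    # other 64-bit machine (riscv64, ppc64le, mips64, ...) as amd64, and the
    # result is later written into image metadata.
    case "$machine" in
        arm64* | aarch64*) architecture="arm64" ;;
        x86_64 | amd64) architecture="amd64" ;;
        i?86) architecture="i386" ;;
        arm*) architecture="armhf" ;;
        *) architecture="unknown" ;;
    esac

    printf '%s\n' "$architecture"
}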
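# Publish an instance as a public image under an alias and retire the image
# that previously held that alias.
# Arguments:
#   $1  - name of the instance to publish
#   $2  - alias for the resulting image
#   $3+ - image properties (key=value) forwarded to `incus publish`
# Returns:
#   0 on success, or the exit status of `incus publish` when publishing failed.
function rotate_image()
{
    local instance_to_publish=$1
    local alias_image=$2
    local finger_print_to_delete
    local instance_status
    local should_restart=0
    local publish_status=0

    # Save the fingerprint to delete the old image later. Declared separately
    # from the assignment so `local` does not hide the pipeline's status; the
    # value is empty when no image holds the alias yet.
    finger_print_to_delete=$(incus image info "$alias_image" | awk '/Fingerprint/ {print $2}')

    # If the container is running, stop it
    instance_status=$(incus info "$instance_to_publish" | awk '/Status/ {print tolower($2)}')
    if [ "$instance_status" = "running" ]
    then
        should_restart=1
        incus stop "$instance_to_publish"
    fi

    # NOTE(security): --public lets any client that can reach this Incus
    # server fetch the image without authenticating. The callers in this file
    # publish images that embed a fixed admin password with strength checks
    # disabled, so the server's API should only be exposed to the CI network.
    # NOTE(review): --reuse may already drop the image previously bound to the
    # alias; the explicit delete below then fails harmlessly - confirm against
    # the Incus version in use.
    incus publish "$instance_to_publish" --alias "$alias_image" --reuse --public "${@:3}" \
        || publish_status=$?

    # Remove the old image only once its replacement exists: deleting it after
    # a failed publish would leave the alias with no image at all.
    if [ "$publish_status" -eq 0 ] && [ -n "$finger_print_to_delete" ]
    then
        incus image delete "$finger_print_to_delete"
    fi

    if [ "$should_restart" = 1 ]
    then
        incus start "$instance_to_publish"
        sleep 5
    fi

    return "$publish_status"
}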
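# Build the ynh-dev and ynh-appci base images for one YunoHost branch, Debian
# release and architecture, starting from the upstream Debian image.
# Arguments:
#   $1 - YunoHost branch (default: stable)
#   $2 - Debian release codename (default: bullseye)
#   $3 - architecture (default: output of `dpkg --print-architecture`)
# Returns:
#   0 when both images were handed to rotate_image, 1 when the build instance
#   could not be created or the YunoHost installer failed.
function rebuild_base_incus()
{
    local YNH_BRANCH=${1:-stable}
    local DIST=${2:-bullseye}
    local ARCH=${3:-$(dpkg --print-architecture)}
    local img_name=$YNH_BRANCH-$DIST-$ARCH
    local host_arch tmp_dir unit
    # Arrays keep every argument intact instead of relying on word splitting
    # of a command string.
    local -a in_incus=(incus exec "$img_name" --)
    # NOTE(security): security.privileged=true runs the container without a
    # user namespace, so root inside it is root on the host; together with
    # nesting this is only reasonable on a dedicated build host.
    local -a launch_opts=(-c security.privileged=true -c security.nesting=true)

    set -x

    # Drop a leftover build instance from a previous run
    incus info "$img_name" >/dev/null && incus delete "$img_name" --force

    host_arch=$(get_arch)
    if [ "$host_arch" = "$ARCH" ]
    then
        incus launch "images:debian/$DIST/$ARCH" "$img_name" "${launch_opts[@]}" \
            || { set +x; return 1; }
    else
        incus image info "$img_name" >/dev/null && incus image delete "$img_name"

        tmp_dir=$(mktemp -d) || { set +x; return 1; }
        # Re-label the foreign-architecture image as the host architecture.
        # The steps run chained in a subshell so that a failed `cd` or export
        # cannot repackage files from the caller's directory, and the caller's
        # working directory is never changed.
        # NOTE(review): assumes the export produces lxd.tar.xz and
        # rootfs.squashfs in the current directory - confirm.
        if ! (
            cd "$tmp_dir" \
                && incus image export "images:debian/$DIST/$ARCH" \
                && tar xJf lxd.tar.xz \
                && sed -i "0,/architecture: $ARCH/s//architecture: $host_arch/" metadata.yaml \
                && tar cJf lxd.tar.xz metadata.yaml templates \
                && incus image import lxd.tar.xz rootfs.squashfs --alias "$img_name"
        )
        then
            rm -rf -- "$tmp_dir"
            set +x
            return 1
        fi
        rm -rf -- "$tmp_dir"

        incus launch "$img_name" "$img_name" "${launch_opts[@]}" \
            || { set +x; return 1; }
    fi

    sleep 5

    local INSTALL_SCRIPT="https://install.yunohost.org/$DIST"

    "${in_incus[@]}" apt install curl -y
    # A policy-rc.d that exits 101 keeps packages from starting services
    # while the installer runs
    "${in_incus[@]}" /bin/bash -c "echo exit 101 > /usr/sbin/policy-rc.d"
    "${in_incus[@]}" /bin/bash -c "chmod +x /usr/sbin/policy-rc.d"
    # NOTE(security): the installer is fetched and executed as root in the
    # container with no checksum or signature check, so every image built
    # here is only as trustworthy as that endpoint. --fail with pipefail
    # keeps an HTTP error page from being fed to bash and surfaces a failed
    # download; a failed install aborts the build rather than being published
    # as the new public base image.
    if ! "${in_incus[@]}" /bin/bash -c "set -o pipefail; curl --fail --silent --show-error $INSTALL_SCRIPT | bash -s -- -a -d $YNH_BRANCH"
    then
        set +x
        return 1
    fi
    "${in_incus[@]}" /bin/bash -c "rm /usr/sbin/policy-rc.d"

    # Turn off background APT activity inside the image.
    # NOTE(security): with these and unattended-upgrades disabled, instances
    # started from the image receive no automatic updates; the image is only
    # as current as its last rebuild.
    for unit in apt-daily.timer apt-daily-upgrade.timer apt-daily.service apt-daily-upgrade.service
    do
        "${in_incus[@]}" systemctl -q disable "$unit" --now
    done
    "${in_incus[@]}" rm -f /etc/cron.daily/apt-compat
    "${in_incus[@]}" cp /bin/true /usr/lib/apt/apt.systemd.daily

    # Disable services that are useless in the vast majority of cases to try to improve perfs
    for unit in rspamd dovecot postsrsd metronome yunohost-api fake-hwclock.service \
        yunoprompt haveged.service metronome.service unattended-upgrades.service
    do
        "${in_incus[@]}" systemctl -q disable "$unit" --now
    done
    for unit in e2scrub_all.timer logrotate.timer phpsessionclean.timer systemd-tmpfiles-clean.timer
    do
        "${in_incus[@]}" systemctl -q disable "$unit"
    done

    "${in_incus[@]}" sed -i 's/worker_processes.*;/worker_processes 4;/g' /etc/nginx/nginx.conf

    "${in_incus[@]}" /bin/bash -c "reboot 0"
    sleep 5

    # Publish ynh-dev image
    local INCUS_BASE="ynh-dev-$DIST-$ARCH-$YNH_BRANCH-base"
    rotate_image "$img_name" "$INCUS_BASE" "os=YunoHost" "ynh-release=$YNH_BRANCH" "stage=ynh-dev" "release=${DIST^}" "architecture=$ARCH" "description=YunoHost $DIST $YNH_BRANCH ynh-dev $ARCH ($(date '+%Y%m%d'))"

    # NOTE(security): fixed, publicly known test credentials. They end up in
    # the published ynh-appci image (and in the `set -x` trace), so that image
    # is for throwaway CI instances only.
    local YUNO_PWD="SomeSuperStrongPassword"
    local DOMAIN="domain.tld"
    local SUBDOMAIN="sub.$DOMAIN"
    local TEST_USER="package_checker"
    local TEST_USER_DISPLAY=${TEST_USER//"_"/""}

    "${in_incus[@]}" yunohost tools postinstall --domain "$DOMAIN" --password "$YUNO_PWD" --username "$TEST_USER" --fullname "$TEST_USER_DISPLAY"

    # Disable password strength check
    "${in_incus[@]}" /bin/bash -c "echo 'admin_strength: -1' >> /etc/yunohost/settings.yml"
    "${in_incus[@]}" /bin/bash -c "echo 'user_strength: -1' >> /etc/yunohost/settings.yml"

    "${in_incus[@]}" yunohost domain add "$SUBDOMAIN"

    "${in_incus[@]}" yunohost --version

    # Publish ynh-appci image
    INCUS_BASE="ynh-appci-$DIST-$ARCH-$YNH_BRANCH-base"
    incus stop "$img_name"
    rotate_image "$img_name" "$INCUS_BASE" "os=YunoHost" "ynh-release=$YNH_BRANCH" "stage=ynh-appci" "release=${DIST^}" "architecture=$ARCH" "description=YunoHost $DIST $YNH_BRANCH ynh-appci $ARCH ($(date '+%Y%m%d'))"
    incus delete "$img_name"

    set +x
}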
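# Rebuild the ynh-appci base image from the existing ynh-dev base image:
# upgrade the system packages, run the YunoHost postinstall with the test
# account, and publish the result.
# Arguments:
#   $1 - YunoHost branch (default: stable)
#   $2 - Debian release codename (default: bullseye)
#   $3 - architecture (default: output of `dpkg --print-architecture`)
# Returns:
#   0 when the image was handed to rotate_image, 1 when the build instance
#   could not be launched. Exits the whole script with status 1 when the
#   instance has no network access.
function update_appci_image()
{
    local YNH_BRANCH=${1:-stable}
    local DIST=${2:-bullseye}
    local ARCH=${3:-$(dpkg --print-architecture)}
    local img_name=$YNH_BRANCH-$DIST-$ARCH
    # Kept local so the alias name does not leak into the caller's scope
    local INCUS_BASE
    # Array keeps every argument intact instead of relying on word splitting
    # of a command string.
    local -a in_incus=(incus exec "$img_name" --)

    set -x

    # NOTE(security): security.privileged=true runs the container without a
    # user namespace, so root inside it is root on the host; only reasonable
    # on a dedicated build host.
    incus launch "ynh-dev-$DIST-$ARCH-$YNH_BRANCH-base" "$img_name" -c security.privileged=true -c security.nesting=true \
        || { set +x; return 1; }

    sleep 3

    # Force a known resolver; this overwrites the instance's resolv.conf and
    # the setting stays in the published image.
    printf '%s\n' "nameserver 8.8.8.8" | "${in_incus[@]}" tee /etc/resolv.conf

    sleep 3

    # Without network access the upgrade below cannot work: stop the script
    "${in_incus[@]}" ping -c3 deb.debian.org || exit 1

    "${in_incus[@]}" apt update
    "${in_incus[@]}" apt dist-upgrade -y

    # NOTE(security): fixed, publicly known test credentials. They end up in
    # the published image (and in the `set -x` trace), so the image is for
    # throwaway CI instances only.
    local YUNO_PWD="SomeSuperStrongPassword"
    local DOMAIN="domain.tld"
    local SUBDOMAIN="sub.$DOMAIN"
    local TEST_USER="package_checker"
    local TEST_USER_DISPLAY=${TEST_USER//"_"/""}

    "${in_incus[@]}" yunohost tools postinstall --domain "$DOMAIN" --password "$YUNO_PWD" --username "$TEST_USER" --fullname "$TEST_USER_DISPLAY"

    # Disable password strength check
    "${in_incus[@]}" /bin/bash -c "echo 'admin_strength: -1' >> /etc/yunohost/settings.yml"
    "${in_incus[@]}" /bin/bash -c "echo 'user_strength: -1' >> /etc/yunohost/settings.yml"

    "${in_incus[@]}" yunohost domain add "$SUBDOMAIN"

    "${in_incus[@]}" yunohost --version

    INCUS_BASE="ynh-appci-$DIST-$ARCH-$YNH_BRANCH-base"
    incus stop "$img_name"
    rotate_image "$img_name" "$INCUS_BASE" "os=YunoHost" "ynh-release=$YNH_BRANCH" "stage=ynh-appci" "release=${DIST^}" "architecture=$ARCH" "description=YunoHost $DIST $YNH_BRANCH ynh-appci $ARCH ($(date '+%Y%m%d'))"
    incus delete "$img_name"

    set +x
}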
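# Derive the ynh-dev and ynh-appci images of one YunoHost branch from the
# images of another branch by switching the YunoHost APT channels and
# running a dist-upgrade.
# Arguments:
#   $1 - target YunoHost branch (default: testing)
#   $2 - Debian release codename (default: bullseye)
#   $3 - architecture (default: output of `dpkg --print-architecture`)
#   $4 - branch of the images to start from (default: stable)
# Returns:
#   0 when both stages were processed, 1 when a build instance could not be
#   launched for at least one stage.
function from_stable_to_another_version()
{
    local YNH_BRANCH=${1:-testing}
    local DIST=${2:-bullseye}
    local ARCH=${3:-$(dpkg --print-architecture)}
    local BASE_IMG=${4:-stable}
    local CUSTOMAPT=/etc/apt/sources.list.d/yunohost.list
    # Local and reset on every call: a global here would carry the channels
    # of a previous call over to a branch that sets none.
    local channels=""
    local stage old_base new_base
    local status=0

    case "$YNH_BRANCH" in
        testing) channels="testing" ;;
        unstable) channels="testing unstable" ;;
    esac

    # NOTE(security): the repository is reached over plain HTTP; package
    # authenticity rests on APT checking signatures against the signed-by
    # keyring, which this function does not install and which therefore has
    # to exist in the source image already (the commented-out command below
    # is presumably how it was obtained - confirm).
    local CUSTOMDEB="deb [signed-by=/usr/share/keyrings/yunohost-archive-keyring.gpg] http://forge.yunohost.org/debian/ $DIST stable $channels"
    #curl --fail --silent https://forge.yunohost.org/yunohost_bullseye.asc | gpg --dearmor > /usr/share/keyrings/yunohost-archive-keyring.gpg

    set -x

    for stage in ynh-dev ynh-appci
    do
        # Both stages start from the $BASE_IMG images. The appci stage used to
        # hard-code "stable", which pointed at an image this script never
        # builds when another base branch was requested.
        old_base="$stage-$DIST-$ARCH-$BASE_IMG-base"
        new_base="$stage-$DIST-$ARCH-$YNH_BRANCH-base"

        # NOTE(security): security.privileged=true runs the container without
        # a user namespace, so root inside it is root on the host.
        if ! incus launch "$old_base" "$new_base" -c security.privileged=true -c security.nesting=true
        then
            # Nothing to upgrade or publish for this stage
            status=1
            continue
        fi
        sleep 5

        # Write the APT source through stdin so the line is never re-parsed
        # by a shell inside the container
        printf '%s\n' "$CUSTOMDEB" | incus exec "$new_base" -- tee "$CUSTOMAPT" >/dev/null
        incus exec "$new_base" -- /bin/bash -c "apt-get update"
        incus exec "$new_base" -- /bin/bash -c "apt-get dist-upgrade -y"

        if [ "$stage" = "ynh-appci" ]
        then
            # Disable password strength check (test images only)
            incus exec "$new_base" -- /bin/bash -c "echo 'admin_strength: -1' >> /etc/yunohost/settings.yml"
            incus exec "$new_base" -- /bin/bash -c "echo 'user_strength: -1' >> /etc/yunohost/settings.yml"
        fi

        incus stop "$new_base"
        rotate_image "$new_base" "$new_base" "os=YunoHost" "ynh-release=$YNH_BRANCH" "stage=$stage" "release=${DIST^}" "architecture=$ARCH" "description=YunoHost $DIST $YNH_BRANCH $stage $ARCH ($(date '+%Y%m%d'))"
        incus delete "$new_base"
    done

    set +x
    return "$status"
}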
# Releases whose images are rebuilt from the "stable" YunoHost branch; the
# testing and unstable images are then derived from that stable base.
for DIST in "bullseye"; do # Add new debian version here
    rebuild_base_incus "stable" "$DIST"

    for YNH_BRANCH in "testing" "unstable"; do
        from_stable_to_another_version "$YNH_BRANCH" "$DIST"
    done
done

# Releases whose images are rebuilt from the "unstable" YunoHost branch; the
# testing images are derived from that unstable base, for the host's own
# dpkg architecture.
for DIST in "bookworm"; do # Add new debian version here
    rebuild_base_incus "unstable" "$DIST"

    for YNH_BRANCH in "testing"; do
        from_stable_to_another_version "$YNH_BRANCH" "$DIST" "$(dpkg --print-architecture)" "unstable"
    done
done