Merge pull request #205 from palainp/update-saltscript

Update the salt script
mirage · Oct 18, 2024 · 9fe2701 · 9fe2701
2 parents 54a964e + 8817893
commit 9fe2701
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 32 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -19,14 +19,14 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - run: ./build-with.sh docker
 
-      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+      - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v3
         with:
-          name: mirage-firewall.tar.bz2
-          path: mirage-firewall.tar.bz2
+          name: qubes-firewall.xen
+          path: qubes-firewall.xen
diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml
@@ -19,14 +19,14 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - run: ./build-with.sh podman
 
-      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+      - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi'
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v3
         with:
-          name: mirage-firewall.tar.bz2
-          path: mirage-firewall.tar.bz2
+          name: qubes-firewall.xen
+          path: qubes-firewall.xen
diff --git a/Dockerfile b/Dockerfile
@@ -32,4 +32,4 @@ WORKDIR /tmp/orb-build
 CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
 opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
 mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
-&& make depend && make tar'
+&& make depend && make unikernel'
diff --git a/Makefile.user b/Makefile.user
@@ -1,13 +1,8 @@
-tar: build
-	rm -rf _build/mirage-firewall
-	mkdir _build/mirage-firewall
+unikernel: build
 	cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug
 	strip dist/qubes-firewall.xen
-	cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz
-	touch _build/mirage-firewall/modules.img
-	cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
-	tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall
-	sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
+	cp dist/qubes-firewall.xen .
+	sha256sum qubes-firewall.xen
 
 fetchmotron: qubes_firewall.xen
 	test-mirage qubes_firewall.xen mirage-fw-test &

diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
@@ -10,13 +10,14 @@
 {% set DownloadVM = "DownloadVmMirage" %}
 {% set MirageFW = "sys-mirage-fw" %}
 {% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
-{% set Filename = "mirage-firewall.tar.bz2" %}
+{% set Kernel = "qubes-firewall.xen" %}
+{% set Shasum = "qubes-firewall-release.sha256" %}
 {% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
 
 #download and install the latest version
 {% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %}
 
-{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %}
+{% if Release != salt['cmd.shell']("test -e " ~ MirageInstallDir ~ "/version.txt" ~ " || mkdir " ~ MirageInstallDir ~ " ; touch " ~ MirageInstallDir ~ "/version.txt" ~ " ; cat " ~ MirageInstallDir ~ "/version.txt") %}
 
 create-downloader-VM:
   qvm.vm:
@@ -28,37 +29,37 @@ create-downloader-VM:
        - template: {{ DownloadVMTemplate }}
        - include-in-backups: false
 
-{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
+{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %}
+{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %}
 
 download-and-unpack-in-DownloadVM4mirage:
   cmd.run: 
     - names:
       - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }}
-      - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }}
     - require: 
       - create-downloader-VM
 
 
 check-checksum-in-DownloadVM:
   cmd.run: 
     - names:
-      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh  | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
-      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
-      - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh  | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }}
     - require: 
       - download-and-unpack-in-DownloadVM4mirage
 
 copy-mirage-kernel-to-dom0:
   cmd.run: 
-    - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
+    - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} {{ "cat " ~ Kernel }} > {{ MirageInstallDir ~ "/vmlinuz" }}
     - require: 
       - download-and-unpack-in-DownloadVM4mirage
       - check-checksum-in-DownloadVM
 
-create-initramfs:
+update-version:
   cmd.run: 
     - names: 
-      - gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }}
       - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }}
     - require: 
       - copy-mirage-kernel-to-dom0
@@ -90,9 +91,9 @@ create-sys-mirage-fw:
 cleanup-in-DownloadVM:
   cmd.run:
    - names:
-      - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
+      - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}"
    - require: 
-     - create-initramfs
+     - update-version 
 
 remove-DownloadVM4mirage:
   qvm.absent:

diff --git a/build-with.sh b/build-with.sh
@@ -19,6 +19,7 @@ echo Building $builder image with dependencies..
 $builder build -t qubes-mirage-firewall .
 echo Building Firewall...
 $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
-echo "SHA2 of build:   $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc"
-echo "(hashes should match for released versions)"
+echo "SHA2 of build:     $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)"
+echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)"
+echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)"
+echo "(hashes should match for head versions)"
diff --git a/qubes-firewall-release.sha256 b/qubes-firewall-release.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc  dist/qubes-firewall.xen
diff --git a/qubes-firewall.sha256 b/qubes-firewall.sha256
@@ -0,0 +1 @@
+78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc  dist/qubes-firewall.xen