From de9a6ccc86c525a3dbe290f2f5984e18af7e97d5 Mon Sep 17 00:00:00 2001 From: Pierre Alain Date: Thu, 17 Oct 2024 07:45:42 +0200 Subject: [PATCH 1/4] WIP: update the salt script + releases files --- .github/workflows/docker.yml | 2 +- .github/workflows/podman.yml | 2 +- Dockerfile | 2 +- Makefile.user | 11 +++-------- ...DownloadAndInstallMirageFirewallInQubes.sls | 18 ++++++++++-------- build-with.sh | 7 ++++--- qubes-firewall-release.sha256 | 1 + qubes-firewall.sha256 | 1 + 8 files changed, 22 insertions(+), 22 deletions(-) create mode 100644 qubes-firewall-release.sha256 create mode 100644 qubes-firewall.sha256 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 53b3324..fdf17d7 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -23,7 +23,7 @@ jobs: - run: ./build-with.sh docker - - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi' + - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi' - name: Upload Artifact uses: actions/upload-artifact@v3 diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml index fba19eb..f8f8c3f 100644 --- a/.github/workflows/podman.yml +++ b/.github/workflows/podman.yml @@ -23,7 +23,7 @@ jobs: - run: ./build-with.sh podman - - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi' + - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi' - name: Upload Artifact uses: actions/upload-artifact@v3 diff --git a/Dockerfile b/Dockerfile index 2c2f732..edf9e96 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -32,4 +32,4 @@ WORKDIR /tmp/orb-build CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\ opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\ mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \ -&& make depend && make tar' +&& make depend && make unikernel' diff --git a/Makefile.user b/Makefile.user index 00890f6..7188982 100644 --- a/Makefile.user +++ b/Makefile.user @@ -1,13 +1,8 @@ -tar: build - rm -rf _build/mirage-firewall - mkdir _build/mirage-firewall +unikernel: build cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug strip dist/qubes-firewall.xen - cp dist/qubes-firewall.xen _build/mirage-firewall/vmlinuz - touch _build/mirage-firewall/modules.img - cat /dev/null | gzip -n > _build/mirage-firewall/initramfs - tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with.sh mirage-firewall - sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256 + cp dist/qubes-firewall.xen . + sha256sum qubes-firewall.xen fetchmotron: qubes_firewall.xen test-mirage qubes_firewall.xen mirage-fw-test & diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls index dc83f20..cfb4a0e 100644 --- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls @@ -10,7 +10,8 @@ {% set DownloadVM = "DownloadVmMirage" %} {% set MirageFW = "sys-mirage-fw" %} {% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %} -{% set Filename = "mirage-firewall.tar.bz2" %} +{% set Kernel = "qubes-firewall.xen" %} +{% set Shasum = "qubes-firewall-release.sha256" %} {% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %} #download and install the latest version 
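Review bot: The `unikernel` recipe ends with `sha256sum qubes-firewall.xen`, which prints the hash against the path `qubes-firewall.xen`, whereas the `qubes-firewall.sha256` file added by this patch records `dist/qubes-firewall.xen` and the CI step compares the whole `sha256sum dist/qubes-firewall.xen` line against that file, so the printed line cannot be pasted into the reference file verbatim; `sha256sum dist/qubes-firewall.xen` as the last recipe line keeps the two in one format. The old `tar` target wrote its checksum file itself while the new target only prints, so refreshing `qubes-firewall.sha256` is now a manual step that deserves a comment above the target, e.g. `# Paste the printed line into qubes-firewall.sha256 (and qubes-firewall-release.sha256 when tagging a release); CI fails when the build no longer matches.` `unikernel` produces no file of that name, so add `.PHONY: unikernel` to keep a stray file from making it look up to date.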
@@ -28,13 +29,14 @@ create-downloader-VM: - template: {{ DownloadVMTemplate }} - include-in-backups: false -{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %} +{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %} +{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %} download-and-unpack-in-DownloadVM4mirage: cmd.run: - names: - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }} - - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }} + - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }} - require: - create-downloader-VM 
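Review bot: Both new `curl -L -O` invocations run without `--fail`, so an HTTP 404 or rate-limit response is saved under the asset name (`qubes-firewall.xen` or `qubes-firewall-release.sha256`) with exit status 0 and the download state reports success; the problem only surfaces in the next state as a bare "Checksums do NOT match". `curl --fail --location --proto '=https' -O …` on both lines makes the download state fail at the source and also refuses a redirect to plain HTTP. The `.sha256` file is fetched from the same release over the same channel as the kernel, so the comparison that follows detects corruption rather than substitution — a header comment stating that, and that no signature is checked, would keep readers from taking the check for authentication. The state id `download-and-unpack-in-DownloadVM4mirage` no longer unpacks anything now that the `tar` line is gone; renaming it is safe only if the two `require` references are updated together.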
@@ -42,15 +44,15 @@ download-and-unpack-in-DownloadVM4mirage: check-checksum-in-DownloadVM: cmd.run: - names: - - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }} - - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }} - - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} - require: - download-and-unpack-in-DownloadVM4mirage copy-mirage-kernel-to-dom0: cmd.run: - - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }} + - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat " ~ Kernel > {{ MirageInstallDir ~ "/" ~ Kernel }} - require: - download-and-unpack-in-DownloadVM4mirage - check-checksum-in-DownloadVM 
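Review bot: The checksum is verified inside `DownloadVM`, the network-facing VM that ran `curl`, and `copy-mirage-kernel-to-dom0` then reads the kernel a second time through `qvm-run --pass-io`, so the bytes that land in `MirageInstallDir` are never checked in dom0 — a truncated transfer, or a VM that passes its own check and serves different bytes through `cat`, is installed silently. Keep the in-VM check as a fast fail, but add a dom0 state that hashes the received file and compares it with the published hash, and point the `require` of whatever state follows the copy at it so `version.txt` is not written on a failed check. The expected hash still arrives through the same VM, so this pins the installed bytes to the published checksum but does not by itself defend against a compromised DownloadVM; pinning the expected hash in this file or verifying a signature would be needed for that. Adjust the destination path in the new state if the installed filename changes.
```yaml
verify-mirage-kernel-in-dom0:
  cmd.run:
    - name: >-
        test "$(sha256sum {{ MirageInstallDir ~ "/" ~ Kernel }} | cut -d' ' -f1)" =
        "$(qvm-run --pass-io --no-gui {{ DownloadVM }} "cut -d' ' -f1 {{ Shasum }}")"
    - require:
      - copy-mirage-kernel-to-dom0
# … unchanged: states that follow the copy (their require should name verify-mirage-kernel-in-dom0) …
```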
@@ -90,7 +92,7 @@ create-sys-mirage-fw: cleanup-in-DownloadVM: cmd.run: - names: - - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}" + - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}" - require: - create-initramfs diff --git a/build-with.sh b/build-with.sh index eba233e..728ab1f 100755 --- a/build-with.sh +++ b/build-with.sh @@ -19,6 +19,7 @@ echo Building $builder image with dependencies.. $builder build -t qubes-mirage-firewall . echo Building Firewall... $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall -echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)" -echo "SHA2 last known: 78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc" -echo "(hashes should match for released versions)" +echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)" +echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)" +echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)" +echo "(hashes should match for head versions)" diff --git a/qubes-firewall-release.sha256 b/qubes-firewall-release.sha256 new file mode 100644 index 0000000..b89e36f --- /dev/null +++ b/qubes-firewall-release.sha256 @@ -0,0 +1 @@ +78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen diff --git a/qubes-firewall.sha256 b/qubes-firewall.sha256 new file mode 100644 index 0000000..b89e36f --- /dev/null +++ b/qubes-firewall.sha256 @@ -0,0 +1 @@ +78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc dist/qubes-firewall.xen From 887f2d524c5c9843487b921cf769ee5c746e01b0 Mon Sep 17 00:00:00 2001 From: Pierre Alain Date: Thu, 17 Oct 2024 08:09:35 +0200 Subject: [PATCH 2/4] fix string comparison in github actions --- .github/workflows/docker.yml | 2 +- .github/workflows/podman.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
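Review bot: The three new `echo` lines only print hashes side by side and the script's exit status stays 0 whichever ones differ, so a local builder has to compare 64-character strings by eye while the CI workflows do their own comparison separately. Since `qubes-firewall.sha256` records the path `dist/qubes-firewall.xen` and the script already addresses the binary as `./dist/qubes-firewall.xen` from the same directory, `sha256sum -c qubes-firewall.sha256 || echo "WARNING: build differs from the checked-in qubes-firewall.sha256"` does the comparison in one line and names the file. The `cat file | cut` pairs can simply be `cut -d' ' -f1 qubes-firewall.sha256`. The closing message "(hashes should match for head versions)" should say which pair is expected to match — presumably the build against the current-head line always, and against the release line only on a tagged checkout.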
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index fdf17d7..4b18223 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -23,7 +23,7 @@ jobs: - run: ./build-with.sh docker - - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi' + - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi' - name: Upload Artifact uses: actions/upload-artifact@v3 diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml index f8f8c3f..6f6b8f5 100644 --- a/.github/workflows/podman.yml +++ b/.github/workflows/podman.yml @@ -23,7 +23,7 @@ jobs: - run: ./build-with.sh podman - - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen) = $(cat qubes-firewall.sha256) ]; then echo "SHA256 MATCHES"; else exit 42; fi' + - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi' - name: Upload Artifact uses: actions/upload-artifact@v3 From e7eb1f2e3b2d5fd707d0893aae0feccf653c6b70 Mon Sep 17 00:00:00 2001 From: Pierre Alain Date: Thu, 17 Oct 2024 08:21:49 +0200 Subject: [PATCH 3/4] fix artifact uploads --- .github/workflows/docker.yml | 4 ++-- .github/workflows/podman.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 4b18223..1f1dcda 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -28,5 +28,5 @@ jobs: - name: Upload Artifact uses: actions/upload-artifact@v3 with: - name: mirage-firewall.tar.bz2 - path: mirage-firewall.tar.bz2 + name: qubes-firewall.xen + path: qubes-firewall.xen diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml index 6f6b8f5..0fdab2a 100644 --- a/.github/workflows/podman.yml +++ b/.github/workflows/podman.yml 
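Review bot: The quoted comparison now matches the entire `sha256sum` line, including the two spaces and the path, against the contents of `qubes-firewall.sha256`, so a reference file saved with a single space or a different path mismatches even when the hash itself is right, and the failure reports nothing beyond `exit 42`. `sha256sum -c --strict qubes-firewall.sha256` compares the hash alone, names the file that failed, and exits non-zero on its own, so the line can become `- run: sha256sum -c --strict qubes-firewall.sha256` (the recorded path `dist/qubes-firewall.xen` resolves from the repository root where `./build-with.sh` is run). The same applies to the identical line in podman.yml.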
@@ -28,5 +28,5 @@ jobs: - name: Upload Artifact uses: actions/upload-artifact@v3 with: - name: mirage-firewall.tar.bz2 - path: mirage-firewall.tar.bz2 + name: qubes-firewall.xen + path: qubes-firewall.xen From 8817893c62eb77aaf6ea567d4851c04e887f1f41 Mon Sep 17 00:00:00 2001 From: Pierre Alain Date: Thu, 17 Oct 2024 13:37:12 +0200 Subject: [PATCH 4/4] update GH action checkout version update salt script --- .github/workflows/docker.yml | 2 +- .github/workflows/podman.yml | 2 +- SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls | 9 ++++----- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 1f1dcda..9a8216d 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - run: ./build-with.sh docker diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml index 0fdab2a..f62e075 100644 --- a/.github/workflows/podman.yml +++ b/.github/workflows/podman.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - run: ./build-with.sh podman diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls index cfb4a0e..f9886b9 100644 --- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls 
@@ -17,7 +17,7 @@ #download and install the latest version {% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %} -{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %} +{% if Release != salt['cmd.shell']("test -e " ~ MirageInstallDir ~ "/version.txt" ~ " || mkdir " ~ MirageInstallDir ~ " ; touch " ~ MirageInstallDir ~ "/version.txt" ~ " ; cat " ~ MirageInstallDir ~ "/version.txt") %} create-downloader-VM: qvm.vm: @@ -52,15 +52,14 @@ check-checksum-in-DownloadVM: copy-mirage-kernel-to-dom0: cmd.run: - - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat " ~ Kernel > {{ MirageInstallDir ~ "/" ~ Kernel }} + - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} {{ "cat " ~ Kernel }} > {{ MirageInstallDir ~ "/vmlinuz" }} - require: - download-and-unpack-in-DownloadVM4mirage - check-checksum-in-DownloadVM -create-initramfs: +update-version: cmd.run: - names: - - gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }} - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }} - require: - copy-mirage-kernel-to-dom0 @@ -94,7 +93,7 @@ cleanup-in-DownloadVM: - names: - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}" - require: - - create-initramfs + - update-version remove-DownloadVM4mirage: qvm.absent:
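Review bot: The new `test -e … || mkdir …` chain uses `mkdir` without `-p`, so when the directory already exists without `version.txt` (e.g. after a manual cleanup) `mkdir` prints an error to dom0's stderr before `touch` recovers; `mkdir -p` makes the line quiet and idempotent, and since `||` guards only the `mkdir`, the `;` separators should stay. Because this runs inside `{% if %}` during Jinja rendering, it creates the directory and an empty `version.txt` in dom0 as a side effect of evaluating the condition, which deserves a one-line comment such as `# render-time side effect: ensures version.txt exists so the comparison below is well-defined`. `Release` (set on the preceding, unchanged line from a curl in a DispVM) is compared here and later interpolated unquoted into a dom0 shell command; validating it against a tag pattern such as `^v?[0-9][0-9A-Za-z._-]*$` before use, and aborting the render otherwise, would keep a broken or hostile redirect target from reaching a dom0 shell.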
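Review bot: The corrected copy line still redirects `qvm-run --pass-io` straight onto `{{ MirageInstallDir }}/vmlinuz`, so a transfer that fails part-way leaves a truncated kernel where the previously good one was until a later run replaces it; writing to a temporary name and renaming keeps the old kernel intact on failure: `… > {{ MirageInstallDir }}/vmlinuz.tmp && mv -f {{ MirageInstallDir }}/vmlinuz.tmp {{ MirageInstallDir }}/vmlinuz`. Dropping `create-initramfs` means the kernel directory now holds only `vmlinuz` and `version.txt`; if the target Qubes release still expects an `initramfs` beside `vmlinuz` in a vm-kernels directory the VM will not start, and the commit does not say which release makes it optional — a comment at the top of the file naming the minimum supported Qubes version and why the empty initramfs was dropped would record that. The hash check earlier in the file runs inside the DownloadVM, so the bytes this state installs are still not verified on the dom0 side.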