arm64

bin/generate-signature

@@ -44,6 +44,8 @@ if [[ "$filename" == "debian"*".tar.gz" ]]; then
     BRANCH="$(sed -En 's|^.*_([0-9]+)\.[0-9]-[1-9].*|\1|p'<<<$filename).x"
 elif [[ "$filename" == "turnkey"*".iso" ]]; then
     BRANCH="$(sed -En 's|^[a-z0-9-]+-([0-9]+)\.[0-9].*|\1|p'<<<$filename ).x"
+elif [[ "$filename" == "turnkey"*".img.xz" ]]; then
+    BRANCH="$(sed -En 's|^[a-z0-9-]+-([0-9]+)\.[0-9].*|\1|p'<<<$filename ).x"
 else
     fatal "Unexpected filename: $filename"
 fi

bt-ec2-arm

@@ -0,0 +1,199 @@
+#!/bin/bash -e
+# Copyright (c) 2011-2021 TurnKey GNU/Linux - http://www.turnkeylinux.org
+# 
+# This file is part of buildtasks.
+# 
+# Buildtasks is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at your
+# option) any later version.
+
+
+fatal() { echo "FATAL [$(basename $0)]: $@" 1>&2; exit 1; }
+warning() { echo "WARNING [$(basename $0)]: $@"; }
+info() { echo "INFO [$(basename $0)]: $@"; }
+
+usage() {
+cat<<EOF
+Syntax: $(basename $0) [ --publish ] appname
+Builds appliance appname (e.g., core) EC2 arm64 EBS-backed HVM AMI
+
+Arguments::
+
+    appname             - e.g., core
+
+Options::
+
+    --name=             - use as name basis (default: turnkey-version)
+    --copy              - if set, image will be copied to all other regions
+                          (ignored if non-stable version, unless --force set)
+    --publish           - if set, image will be made public and log published
+    --marketplace       - if set, image will be shared for marketplace
+                          (ignored if non-stable version, unless --force set)
+    --force             - --copy &/or --marketplace honored, even if non-stable
+                          (otherwise --copy & --marketplace ignored)
+    --secupdates        - install security updates before building image
+    --increment         - install all (apt) updates before building image and
+                          add increment to version number; e.g. 16.2.1
+    --pvmshim           - apply paravirtual shim so snapshot is pvm compat.
+    --pvmregister       - register pvm-virtualized snapshot, too
+
+Environment::
+
+    BT_DEBUG            - turn on debugging
+EOF
+exit 1
+}
+
+ARGS="$*"
+unset ebs_opts force secupdates increment pvmshim appver
+while [ "$1" != "" ]; do
+    case $1 in
+        --help|-h)     usage;;
+        --name=*)      ebs_opts+="$1 ";;
+        --copy)        ebs_opts+="$1 ";;
+        --marketplace) ebs_opts+="$1 ";;
+        --publish)     ebs_opts+="$1 "; publish="yes";;
+        --force)       force="yes";;
+        --secupdates)  secupdates="yes";;
+        --increment)   increment="yes";;
+        --pvmshim)     pvmshim="yes";;
+        --pvmregister) ebs_opts+="$1 ";;
+        *)             if [ -n "$appname" ]; then usage; else appname=$1; fi ;;
+    esac
+    shift
+done
+
+
+[ -n "$appname" ] || usage
+[ -n "$secupdates" ] || warning "--secupdates was not specified"
+if [[ -n "$secupdates" ]] && [[ -n "$increment" ]]; then
+    warning "--increment implies --secupdates"
+    unset secupdates
+fi
+
+[ -n "$BT_DEBUG" ] && set -x
+
+export BT=$(dirname $(readlink -f $0))
+export BT_CONFIG=$BT/config
+. $BT_CONFIG/common.cfg
+. $BT_CONFIG/aws.cfg
+
+if [ "$publish" == "yes" ]; then
+    [ -n "$BT_PUBLISH_IMGS" ] || fatal "BT_PUBLISH_IMGS not set"
+    [ -n "$BT_PUBLISH_META" ] || fatal "BT_PUBLISH_META not set"
+    [ -n "$BT_PUBLISH_PROFILES" ] || fatal "BT_PUBLISH_PROFILES not set"
+else
+    warning "--publish was not specified"
+fi
+
+if [[ ! -f /usr/bin/ec2metadata ]]; then
+    codename=$(lsb_release -sc)
+    case $codename in
+        buster)
+            pkgs="ec2metadata python-boto3";;
+        bullseye|bookworm|trixie)
+            pkgs="tkl-ec2metadata";;
+        *)
+            fatal "Expected codename: $codename";;
+    esac
+    apt-get update -qq
+    apt-get install -y $pkgs
+fi
+
+if [[ ! -e /root/ec2-setup.done ]]; then
+    $BT/bin/ec2-setup
+    touch /root/ec2-setup.done
+fi
+
+# Leverage tkldev-setup to ensure important repos are cloned and at latest
+# commit; also ensures RELEASE & ARCH are set.
+tkldev-setup $appname \
+        || warning "tkldev-setup failed. Attempting to continue anyway."
+
+cd $BT_PRODUCTS/$appname
+
+O=$BT_BUILDS/ec2
+mkdir -p $O
+
+export BT_VERSION=${appversion}-${codename}-${arch}
+name=turnkey-${appname}-${BT_VERSION}
+rootfs=$name.rootfs
+logfile=$name.log
+if [[ -n "$increment" ]]; then
+    new_version="${appversion}.1"
+    new_name=turnkey-${appname}-${new_version}-${codename}-${arch}
+    logfile=$new_name.log
+else
+    new_name=$name
+fi
+
+export LOGFILE_PATH=$O/$logfile
+echo > $LOGFILE_PATH
+
+rootfs=build/root.sandbox
+# TODO FIX
+# deck -D build/root.sandbox || true
+# make clean || true
+# make root.sandbox || true
+
+proxy=/etc/apt/apt.conf.d/00proxy
+info "Checking for proxy ports"
+grep -r '127.0.0.1:3128' /etc/apt/apt.conf.d/ || true
+grep -r '127.0.0.1:8124' /etc/apt/apt.conf.d/ || true
+if netstat -tlnp | grep -q polipo; then
+    cp $rootfs/$proxy $rootfs/_proxy_backup
+    sed -i "s|3128|8124|"  $rootfs/$proxy
+elif [[ -f "$rootfs/_proxy_backup" ]]; then
+    # assume that it's left over backup that didn't make it back
+    mv "$rootfs/_proxy_backup" "$rootfs/$proxy"
+fi
+
+function _cleanup() {
+    umount -l $rootfs/dev || true
+    umount -l $rootfs/sys || true
+    umount -l $rootfs/proc || true
+    mv $rootfs/_proxy_backup $rootfs/$proxy || true
+
+    if [[ -z "$BT_DEBUG" ]] && ! (mount | grep -q $(basename $rootfs)); then
+        rm -rf $rootfs
+    fi
+}
+
+trap _cleanup INT TERM EXIT
+
+mount --bind --make-rslave /proc $rootfs/proc
+mount --bind --make-rslave /sys $rootfs/sys
+mount --bind --make-rslave /dev $rootfs/dev
+
+$BT/bin/purge-pkgs $rootfs
+
+tklpatch-apply $rootfs $BT/patches/headless
+tklpatch-apply $rootfs $BT/patches/cloud
+tklpatch-apply $rootfs $BT/patches/ec2
+[[ "$secupdates" == "yes" ]] && tklpatch-apply $rootfs $BT/patches/secupdates
+[[ "$pvmshim" == "yes" ]] && tklpatch-apply $rootfs $BT/patches/ec2-pvmshim
+
+umount -l $rootfs/dev || true
+umount -l $rootfs/sys || true
+umount -l $rootfs/proc || true
+
+$BT/bin/rootfs-cleanup $rootfs
+$BT/bin/aptconf-tag $rootfs ec2
+$BT/bin/build-tag $rootfs ec2
+
+if [[ -f /usr/bin/python ]]; then
+    $BT/bin/ec2/legacy/ebs.py $ebs_opts $rootfs
+else
+    $BT/bin/ec2/ebs.py $ebs_opts $rootfs
+fi
+
+# $BT/bin/generate-buildenv ec2 $BT_ISOS/$isofile.hash > $O/$new_name.ec2.buildenv
+
+if [ "$publish" == "yes" ]; then
+    export PUBLISH_DEST=${BT_PUBLISH_LOGS}/ec2/
+    $BT/bin/publish-files $LOGFILE_PATH
+
+    export PUBLISH_DEST=${BT_PUBLISH_META}/
+    $BT/bin/publish-files $O/$new_name.ec2.buildenv
+fi

bt-img

@@ -45,10 +45,6 @@ done
 [ -n "$appname" ] || usage
 [ -n "$BT_DEBUG" ] && set -x
 
-REQ_FAB_V=0.8
-REQ_DBOOT_V=1.0.123
-HOST_VER=$(lsb_release -sr | cut -d. -f1)
-
 export BT=$(dirname $(readlink -f $0))
 export BT_CONFIG=$BT/config
 . $BT_CONFIG/common.cfg
@@ -61,124 +57,44 @@ else
     warning "--publish was not specified"
 fi
 
-clone_or_pull() {
-    # If $dir doesn't exist, clone $repo. If it does, update from origin master
-    dir=$1
-    repo=$2
-    [[ -n "$dir" ]] && [[ -n "$repo" ]] \
-        || fatal "One or more empty values passed to function: $FUNCNAME."
-    if [ ! -e $dir ]; then
-        info "Attempting to clone repo $repo to $dir."
-        cd $(dirname $dir)
-        git clone https://github.com/$repo $dir
-        cd $dir
-    else
-        info "Repo $repo found, attempting to update"
-        cd $dir
-        git pull origin master
-    fi
-}
-
-get_version() {
-    pkg=$1
-    pkg_info=$(dpkg -l | grep ^ii | tr -s [[:blank:]] ' ' | cut -d' ' -f2,3 \
-        | grep "^$pkg[ |:]")
-    echo $pkg_info | cut -d' ' -f2
-}
-
-install_pkg() {
-    _pkg=$1
-    _url=$2
-    wget -O /tmp/$_pkg $_url/$_pkg
-    apt install /tmp/$_pkg
-    rm -rf /tmp/$_pkg
-}
-
 # Leverage tkldev-setup to ensure important repos are cloned and at latest
 # commit; also ensures RELEASE & ARCH are set.
 tkldev-setup $appname \
         || warning "tkldev-setup failed. Attempting to continue anyway."
 
-# if v17.x (bullseye) being built on v16.x (buster) get/build right bootstrap
-TKL_VER=$(head -1 $BT_PRODUCTS/$appname/changelog | cut -d' ' -f1)
-MAJ_VER_NO=$(basename $(echo $TKL_VER | tr '-' '/') | cut -d'.' -f1)
-if [[ "$HOST_VER" -eq 10 ]] \
-    && [[ $MAJ_VER_NO -eq 17 ]]; then
-    warning "Buster host detected, attempting to build for Bullseye."
-    RC="rc1"
-    info "Assuming RC build. Nominating $RC."
-    export VERSION_TAG=$RC
-    export CODENAME="bullseye"
-    export RELEASE="debian/$CODENAME"
-    info "Fab v$(get_version fab) detected."
-    if [[ "$(get_version fab)" != "$REQ_FAB_V"* ]]; then
-        warning "Fab v$REQ_FAB_V required, attempting install."
-        fab_pkg=fab_${REQ_FAB_V}_stretch_amd64.deb
-        fab_url=https://github.com/turnkeylinux/fab/releases/download/v${REQ_FAB_V}
-        install_pkg $fab_pkg $fab_url
-    fi
-    export GPGKEY="A8B2EF4287819B03D3516CCA76231C20425E9772"
-    IMAGES="http://mirror.turnkeylinux.org/turnkeylinux/images"
-    BOOTSTRAP_NAME="bootstrap-$CODENAME-$(dpkg --print-architecture)"
-    BOOTSTRAP_PATH="$FAB_PATH/bootstraps/$CODENAME"
-    if [ ! -d $BOOTSTRAP_PATH ]; then
-        info "Attempting to download $BOOTSTRAP_NAME"
-        mkdir -p $(dirname $BOOTSTRAP_PATH)
-        cd $(dirname $BOOTSTRAP_PATH)
-        exit_code=0
-        #wget -nc $IMAGES/bootstrap/$BOOTSTRAP_NAME.tar.gz || exit_code=$?
-        #wget -nc $IMAGES/bootstrap/$BOOTSTRAP_NAME.tar.gz.hash || exit_code=$?
-        exit_code=1 # force rebuild of bootstrap...
-        if [[ "$exit_code" -eq 0 ]]; then
-            info "verifying $BOOTSTRAP_NAME"
-            gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $GPGKEY
-            gpg --verify $BOOTSTRAP_NAME.tar.gz.hash
-
-            info "unpacking $BOOTSTRAP_NAME"
-            mkdir $BOOTSTRAP_PATH
-            tar -zxf $BOOTSTRAP_NAME.tar.gz -C $BOOTSTRAP_PATH
-            cd -
-        else
-            warning "Downloading bootstrap failed."
-            info "Attempting to build bootstrap."
-            info "Debootstrap v$(get_version debootstrap) detected."
-            if [[ "$(get_version debootstrap)" != "$REQ_DBOOT_V"* ]]; then
-                warning "Debootstrap v$REQ_DBOOT_V required, attempting install."
-                dboot_pkg=debootstrap_${REQ_DBOOT_V}_all.deb
-                dboot_url=http://deb.debian.org/debian/pool/main/d/debootstrap/
-                install_pkg $dboot_pkg $dboot_url
-            fi
-            unset PUBLISH
-            BOOTSTRAP_SRC=$(dirname $FAB_PATH)/bootstrap
-            [[ "$publish" != "yes" ]] || PUBLISH="--publish"
-            $BT/bt-bootstrap $PUBLISH --no-clean --force \
-                || fatal "Building bootstrap failed... :("
-            rsync --delete -Hac $BOOTSTRAP_SRC/build/bootstrap/ \
-                $FAB_PATH/bootstraps/$CODENAME/
-            # create symlinks so bin/generate-buildenv completes successfully
-            ln -s $BT_BUILDS/bootstrap/$BOOTSTRAP_NAME.tar.gz \
-                $(dirname $BOOTSTRAP_PATH)/$BOOTSTRAP_NAME.tar.gz
-            ln -s $BT_BUILDS/bootstrap/$BOOTSTRAP_NAME.tar.gz.hash \
-                $(dirname $BOOTSTRAP_PATH)/$BOOTSTRAP_NAME.tar.gz.hash
-        fi
-    fi
-    touch $BOOTSTRAP_PATH/bullseye_on_buster
-fi
-
-info "Preperation done. Building appliance $appname."
 cd $BT_PRODUCTS/$appname
 deck -D build/root.sandbox || true
 make clean || true
-make || true
+make root.sandbox || true
 
-if [ ! -e build/product.img.xz ]; then
+if [ ! -e build/root.sandbox ]; then
     if [ -z "$BT_DEBUG" ]; then
         deck -D build/root.sandbox >/dev/null 2>&1 || true
         make clean >/dev/null 2>&1 || true
     fi
+
     fatal "Build failed..."
 fi
 
+tklpatch-apply build/root.sandbox $BT/patches/rpi
+
+qemu-img create -f raw build/product.img 2G
+parted -s build/product.img mklabel msdos
+parted -s build/product.img -- mkpart primary fat32 4MiB 400MiB
+parted -s build/product.img -- mkpart primary ext2 400MiB 100%
+kpartx -asv build/product.img
+mkfs -t vfat -n RASPIFIRM /dev/mapper/loop0p1
+mkfs -t ext4 -L RASPIROOT /dev/mapper/loop0p2
+mkdir -p build/sdroot
+mount /dev/mapper/loop0p2 build/sdroot
+mkdir -p build/sdroot/boot/firmware
+mount /dev/mapper/loop0p1 build/sdroot/boot/firmware
+cp -ax build/root.sandbox/* build/sdroot
+umount build/sdroot/boot/firmware
+umount build/sdroot
+kpartx -dsv build/product.img
+xz -8 -f build/product.img
+
 mkdir -p $BT_IMGS
 $BT/bin/img-release --force $BT_IMGS
 

patches/rpi/conf

@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+apt -y install raspi-firmware wireless-tools wpasupplicant firmware-brcm80211
+
+systemctl enable rpi-reconfigure-raspi-firmware.service
+
+cp /usr/lib/linux-image-*-arm64/broadcom/bcm*rpi*.dtb /boot/firmware/
+
+sed -i 's/root=/console=ttyS1,115200 root=/' /boot/firmware/cmdline.txt
+sed -i 's#root=/dev/mmcblk0p2#root=LABEL=RASPIROOT#' /boot/firmware/cmdline.txt
+sed -i 's/^#ROOTPART=.*/ROOTPART=LABEL=RASPIROOT/' /etc/default/raspi*-firmware
+
+sed -i 's/cma=64M //' /boot/firmware/cmdline.txt
+

patches/rpi/overlay/etc/fstab

@@ -0,0 +1,4 @@
+# The root file system has fs_passno=1 as per fstab(5) for automatic fsck.
+LABEL=RASPIROOT / ext4 rw 0 1
+# All other file systems have fs_passno=2 as per fstab(5) for automatic fsck.
+LABEL=RASPIFIRM /boot/firmware vfat rw 0 2