keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
7c99809a71
rpm-ostree/ci/build.sh
Colin Walters 90f9fe80e4 scripts: Drop most capabilities 
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0).

Change our bwrap invocations drop truly dangerous capabilities like
`cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the
popularity of Docker, we can be pretty sure that most RPM scripts should have
adapted to this (although a problematic area here is that traditional librpm
doesn't actually error out if scripts fail).

There are two reasons to do this:

 - We want "offline" updates by default; updates shouldn't affect the
   running system.  If we prepare the new root in the background, a
   %post shouldn't restart a service for example.  We already "handle"
   this by making `systemctl` a symlink to `/bin/true`, but this approach
   also shuts off `%post`s that do e.g. `insmod`.
 - Protection against accidental system damage

Closes: #1099
Approved by: jlebon
2017-12-05 02:54:23 +00:00

43 lines
1.6 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/bash
# Install build dependencies, run unit tests and installed tests.
set -xeuo pipefail
dn=$(dirname $0)
. ${dn}/libbuild.sh
# Use the latest ostree by default
id=$(. /etc/os-release && echo $ID)
version_id=$(. /etc/os-release && echo $VERSION_ID)
if [ "$id" == fedora ] && [ "$version_id" == 27 ]; then
echo -e '[fahc]\nmetadata_expire=1m\nbaseurl=https://ci.centos.org/artifacts/sig-atomic/fahc/rdgo/build/\ngpgcheck=0\n' > /etc/yum.repos.d/fahc.repo
# Until we fix https://github.com/rpm-software-management/libdnf/pull/149
sed -i -e 's,metadata_expire=6h,exclude=ostree ostree-devel ostree-libs ostree-grub2\nmetadata_expire=6h,' /etc/yum.repos.d/fedora-updates.repo
elif [ "$id" == centos ]; then
echo -e '[cahc]\nmetdata_expire=1m\nbaseurl=https://ci.centos.org/artifacts/sig-atomic/rdgo/centos-continuous/build\ngpgcheck=0\n' > /etc/yum.repos.d/cahc.repo
fi
pkg_upgrade
pkg_install_builddeps rpm-ostree
# Mostly dependencies for tests
pkg_install ostree{,-devel,-grub2} createrepo_c /usr/bin/jq PyYAML \
libubsan libasan libtsan elfutils fuse sudo python-gobject-base \
selinux-policy-devel selinux-policy-targeted
# For ex-container tests and clang build
pkg_install_if_os fedora parallel clang
if [ -n "${CI_PKGS:-}" ]; then
pkg_install ${CI_PKGS}
fi
# create an unprivileged user for testing
adduser testuser
export LSAN_OPTIONS=verbosity=1:log_threads=1
BWRAP=/usr/bin/bwrap
# we use smoketested now, which uses a git master-ish version of bwrap
#if [ "$id" == centos ]; then
# BWRAP=/usr/lib64/rpm-ostree/bwrap
#fi
build --enable-installed-tests --enable-gtk-doc --with-bubblewrap=$BWRAP
Reference in New Issue View Git Blame Copy Permalink