[lxc-devel] [PATCH v2] lxc-alpine: download a static package manager if its missing
Serge Hallyn
serge.hallyn at ubuntu.com
Wed May 29 20:03:50 UTC 2013
Quoting Natanael Copa (ncopa at alpinelinux.org):
> If the package manager, apk-tools, is missing, then:
> - download a static binary and public keys
> - verify the keys against embedded checksum
> - verify the signature of the static binary against the downloaded keys
> - use the verified static binary
>
> Signed-off-by: Natanael Copa <ncopa at alpinelinux.org>
> Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen at datakunkku.fi>
> ---
> Changes since v1:
> - verify signature of static binary
Hi,
this looks good, but is there a default repository we should
hard-code as the fallback?
>
> templates/lxc-alpine.in | 56 +++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 54 insertions(+), 2 deletions(-)
>
> diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> index 6180afd..cdf2743 100644
> --- a/templates/lxc-alpine.in
> +++ b/templates/lxc-alpine.in
> @@ -1,10 +1,56 @@
> #!/bin/sh
>
> +key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 alpine-devel at lists.alpinelinux.org-4a6a0840.rsa.pub
> +2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab alpine-devel at lists.alpinelinux.org-4d07755e.rsa.pub"
> +
> +get_static_apk () {
> + rootfs="$1"
> + echo "Using static apk from $repository/$apk_arch"
> + wget="wget -q -O - $repository/$apk_arch"
> +
> + # parse APKINDEX to find the current versions
> + static_pkgs=$($wget/APKINDEX.tar.gz | \
> + tar -Oxz APKINDEX | \
> + awk -F: -v pkglist="alpine-keys:apk-tools-static" '
> + BEGIN { split(pkglist,pkg) }
> + $0 != "" { f[$1] = $2 }
> + $0 == "" { for (i in pkg)
> + if (pkg[i] == f["P"])
> + print(f["P"] "-" f["V"] ".apk") }')
> + [ "$static_pkgs" ] || return 1
> +
> + mkdir -p "$rootfs" || return 1
> + for pkg in $static_pkgs; do
> + echo "Downloading $pkg"
> + $wget/$pkg | tar -xz -C "$rootfs"
> + done
> +
> + # clean up .apk meta files
> + rm -f "$rootfs"/.[A-Z]*
> +
> + # verify checksum of the key
> + keyname=$(echo $rootfs/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
> + checksum=$(echo "$key_sha256sums" | grep -w "$keyname")
> + if [ -z "$checksum" ]; then
> + echo "ERROR: checksum is missing for $keyname"
> + return 1
> + fi
> + (cd $rootfs/etc/apk/keys && echo "$checksum" | sha256sum -c -) || return 1
> +
> + # verify the static apk binary signature
> + APK=$rootfs/sbin/apk.static
> + openssl dgst -verify $rootfs/etc/apk/keys/$keyname \
> + -signature "$APK.SIGN.RSA.$keyname" "$APK" || return 1
> +}
> +
> install_alpine() {
> rootfs="$1"
> shift
> mkdir -p "$rootfs"/etc/apk || return 1
> - cp -r ${keys_dir:-/etc/apk/keys} "$rootfs"/etc/apk/
> + : ${keys_dir:=/etc/apk/keys}
> + if ! [ -d "$rootfs"/etc/apk/keys ] && [ -d "$keys_dir" ]; then
> + cp -r "$keys_dir" "$rootfs"/etc/apk/keys
> + fi
> if [ -n "$repository" ]; then
> echo "$repository" > "$rootfs"/etc/apk/repositories
> else
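Review bot: Only the one key named by the binary's `.SIGN.RSA.<keyname>` suffix is checked against `key_sha256sums`, yet the whole `alpine-keys` tarball is already untarred into `$rootfs/etc/apk/keys` at `$wget/$pkg | tar -xz -C "$rootfs"`, fetched over plain `wget` with no transport authentication; since `install_alpine` now skips copying the local `keys_dir` whenever that directory exists, any extra `.pub` file a hostile repository ships presumably becomes a trusted signer for the later `$APK add --root $rootfs`. Every key in that directory should be verified against the embedded list or removed before `get_static_apk` returns (sketch below), and it is worth noting that the unverified archives are also extracted into the rootfs before any check, so a bad repository can plant arbitrary paths there even when the checks then fail. Separately, `openssl dgst -verify` names no digest: if I read apk-tools' naming right, `.SIGN.RSA.` signatures are over a SHA-1 digest, and OpenSSL releases contemporary with this patch default `dgst` to MD5, so a genuine binary would fail to verify — pin it with `openssl dgst -sha1 -verify $rootfs/etc/apk/keys/$keyname \`. `install_alpine` continues past the end of this hunk.
```shell
    # clean up .apk meta files
    rm -f "$rootfs"/.[A-Z]*

    # keep only keys whose sha256 is embedded above; anything else that the
    # downloaded alpine-keys package dropped into etc/apk/keys is untrusted
    # and must not become a signer for the container's apk
    for key in "$rootfs"/etc/apk/keys/*; do
        name=$(basename "$key")
        checksum=$(echo "$key_sha256sums" | grep -Fw -- "$name")
        if [ -z "$checksum" ]; then
            echo "Removing unverified key $name"
            rm -f "$key"
            continue
        fi
        (cd "$rootfs"/etc/apk/keys && echo "$checksum" | sha256sum -c -) || return 1
    done
    keyname=$(echo "$rootfs"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
    [ -f "$rootfs/etc/apk/keys/$keyname" ] || return 1

    # … unchanged: openssl signature verification of apk.static …
```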
> @@ -14,7 +60,7 @@ install_alpine() {
> if [ -n "$apk_arch" ]; then
> opt_arch="--arch $apk_arch"
> fi
> - ${APK:-apk} add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
> + $APK add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
> }
>
> configure_alpine() {
> @@ -167,6 +213,7 @@ optarg_check() {
> }
>
> default_path=@LXCPATH@
> +arch=$(uname -m)
>
> while [ $# -gt 0 ]; do
> opt="$1"
> @@ -243,6 +290,11 @@ case "$arch" in
> *) die "unsupported architecture: $arch";;
> esac
>
> +: ${APK:=apk}
> +if ! which $APK >/dev/null; then
> + get_static_apk "$rootfs" || die "Failed to download a valid static apk"
> +fi
> +
> install_alpine "$rootfs" "$@" || die "Failed to install rootfs for $name"
> configure_alpine "$rootfs" "$name" || die "Failed to configure $name"
> copy_configuration "$path" "$rootfs" "$name"
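Review bot: `which $APK` is not POSIX and is absent on some minimal hosts (busybox- or dash-only systems), so the new check can fail for the wrong reason and trigger a download even when apk is installed; the portable form is `if ! command -v "$APK" >/dev/null 2>&1; then`. Quoting `$APK` also matters here since a caller may pass a path rather than a bare command name. The `rootfs` variable passed to `get_static_apk` is set by option parsing outside this hunk.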
> --
> 1.8.3
>
>