This commit fixes commit "2999f810ff: build,IB: include kmods only in
local builds" which cause the local packages/ folder only to be added
for local builds but no longer for ImageBuilder created by the Buildbot.
The commits intention was to use remote kmods repositories rather than
storing them locally. Accidentally the entire handling of the local
`packages/` was removed.
Re-add the folder and include a README describing what it can be used
for.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Using these config-options to customize the folders used at build-time
makes these folder settings appear in generated archive. This causes the
imagebuilder to be not portable, as it's going to use the build-time folders
on the new systems. Errors look like:
mkdir: cannot create directory '/mnt/build': Permission denied
Makefile:116: recipe for target '_call_image' failed
make[2]: *** [_call_image] Error 1
Makefile:241: recipe for target 'image' failed
make[1]: *** [image] Error 2
The build-time settings of these folders are passed into the archives via
.config file.
The expected behavior is that after unpacking the imagebuilder acts like
these settings have their defaults, using intree folders. So unset the
build-time settings.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Invoke bundle-libraries.sh with any buildroot related directory entries
removed from $PATH to avoid picking up cross versions of utilities like
ldd which will not properly work when used against host executables.
This should fix executable bundling for glibc-target imagebuilders.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When building images with the imagebuilder, the partition signature
never changes. The signature is generated by hashing SOURCE_DATE_EPOCH
and LINUX_VERMAGIC which are undefined. Prepopulate these variables, as
done by the SDK.
Signed-off-by: Matthew Gyurgyik <matthew@gyurgyik.io>
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.
Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.
To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.
This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.
The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are same as in
shipped images (stored at `/etc/opkg/keys/`).
To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.
The new option `ADD_LOCAL_KEY` allows to add the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilders local key.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Without an absolute path to staging_dir/host/bin/sstrip the Makefile
tries to run a host installed version of sstrip, which is likely not
available.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The buildbots generate a kmod archive which should be used instead of a
local copy. This is possible due to the introduction of a kernelversion
specific feed.
This commit adds the ability of using only signed package feeds.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The `libfakeroot` files are currently missing in the ImageBuilder. As
`fakeroot` is always built, copy those files unconditionally.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This speeds up the packing of the imagebuilder a lot:
imagebuilder-T0.tar.xz real 0m25.199s user 2m45.967s sys 0m1.218s
imagebuilder-T1.tar.xz real 2m02.543s user 2m02.418s sys 0m1.653s
imagebuilder-T2.tar.xz real 1m03.684s user 1m59.931s sys 0m0.587s
imagebuilder-T3.tar.xz real 0m48.033s user 2m02.904s sys 0m0.637s
imagebuilder-T4.tar.xz real 0m38.963s user 2m15.521s sys 0m0.783s
imagebuilder-T5.tar.xz real 0m37.994s user 2m21.461s sys 0m0.919s
imagebuilder-T6.tar.xz real 0m39.524s user 2m48.115s sys 0m1.279s
imagebuilder-T7.tar.xz real 0m34.061s user 2m45.097s sys 0m1.174s
imagebuilder-T8.tar.xz real 0m27.286s user 2m55.449s sys 0m1.329s
imagebuilder-T9.tar.xz real 0m25.205s user 2m44.894s sys 0m1.208s
To keep the output reproducible in any case, we enforce a minimum amount
of 2 threads.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[refactored into reusable NPROC var, more verbose commit message]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
