Upstream MR 186 for Debos protect the 'resolv.conf' from
changes caused by systemd-nspawn and debootstrap action.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

systemd-nspawn set own resolv.conf configuration during UEFI bootloader
setup and this configuration became the part of the final image.
Since we are using the Connman for the name management we end with
incorrect default configuration in resolv.conf.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

In light of e21ecdb6 fixing an issue caused by a missing `def` that makes a
variable to be global and thus unwillingly overridden, do a sanity check on the
whole file and add some missing `def`.

Even if their lack currenly seem harmless, it may prevent issues when moving
things around.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 5 years ago and Sjoerd Simons committed 5 years ago

For a long time we had a race in the sysroot index files generation that
sometimes caused one of the links contained there to point to the wrong
architecture, for instance the `armhf` index pointing to `arm64`.

Commit a221b5f4 was an attempt to fix it, but didn't improve the situation.
Hovewer, it gave us some additional output that we could use to reason a bit
more about the issue.

For instance, the v2019 20191122.0 job has this in the logs at
https://jenkins.apertis.org/view/apertis-v2019/job/apertis-v2019/job/images/job/debos-image-build/140/consoleText:

    [Pipeline] echo
    sysroot sysroot/v2019/sysroot-apertis-v2019-armhf
    version=v2019 20191122.0
    url=https://images.apertis.org/daily/v2019/20191122.0/arm64/sysroot/sysroot-apertis-v2019-arm64-20191122.0.tar.gz

The relevant code:
    sysrootname = "sysroot-${osname}-${release}-${architecture}-${env.PIPELINE_VERSION}"
    sysrooturl = "${image_url_prefix}/daily/${release}/${env.PIPELINE_VERSION}/${architecture}/sysroot/${sysrootname}.tar.gz"
    sh(script: """
        cd ${PIPELINE_VERSION}/${architecture}/${type}
        debos ${debosarguments} \
          --show-boot \
          -t architecture:${architecture} \
          -t ospack:ospack_${release}-${architecture}-${type}_${PIPELINE_VERSION} \
          -t sysroot:${sysrootname} \
          ${WORKSPACE}/${osname}-sysroot.yaml; \
        """)

    // Generate sysroot metadata
    def metadata_file = "sysroot/${release}/sysroot-${osname}-${release}-${architecture}"
    def metadata_contents = "version=${release} ${PIPELINE_VERSION}\nurl=${sysrooturl}\n"
    echo "sysroot ${metadata_file}\n${metadata_contents}"
    writeFile file: metadata_file, text: metadata_contents

From the output we can conclude that `metadata_file` is correct, while
`metadata_contents` has the wrong arch, which comes from `sysrooturl`.

Note the lack of `def` before `sysrooturl`. That means that Groovy is creating
a **global** variable. So every time the stage is run, the shared global
variable is overridden: in this case, the stage is run for `armhf` first and
before it reaches the `Generate sysroot metadata` section the `arm64` stage is
run as well, overridding `sysrooturl`.

Adding a `def` there should finally fix this longstanding issue.

See https://phabricator.apertis.org/T6317

 for more details.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

As we now have a working graphics stack for armhf boards (specifically the
Sabrelite reference hardware), enable the target image to be built for
this architecture so that we have a stock image which can be used to test
this.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

The target image includes most of the components of a GL stack, however
it is lacking the hardware backends to enable this to be used. As debian
(and thus Apertis) includes these hardware backends in a single package
include these in the target image to the GL stack to be used.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>

NTP and dnsmasq are used for DUT management and setup during the tests.
Services are disabled by default.
(See APERTIS-6509)

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

The upload is considered successful even if it fails, since the
Apertis hawkBit server is not yet production-ready and may not
respond at all times.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Denis Pynkin authored 5 years ago and Emanuele Aina committed 5 years ago

We use `ext4` and `btrfs` filesystems for ostree-based images
hence need implicitly include utilities for check these FSes.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <rrs@debian.org>

System refuses to install unsigned delta file breaking rollback test.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Frederic Danis authored 5 years ago and Emanuele Aina committed 5 years ago

apt dialy service generates errors in sanity-check lava test for ostree
images.

ostree does not use apt, so apt daily services can be disabled.
see https://lava.collabora.co.uk/scheduler/job/1813569#L2552



Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Emanuele Aina authored 5 years ago and Denis Pynkin committed 5 years ago

Work around issues with the APT downloader corrupting files and
causing "Hash Sum Mismatch" errors.

A typical occurence is like:

    Get:97 https://repositories.apertis.org/apertis v2019pre/target amd64 libsystemd-dev amd64 240-5co3bb1 [317 kB]
    Err:97 https://repositories.apertis.org/apertis

 v2019pre/target amd64 libsystemd-dev amd64 240-5co3bb1
      Hash Sum mismatch
      Hashes of expected file:
       - SHA256:39654a35430ef132537880d67cd906bc958e1282e5e2d267e0d9ea96198c3649
       - SHA1:3d358b67b624162c4737a619de078cb8ae6091f6 [weak]
       - MD5Sum:c9da96eacf456df58bd564ab587a7a22 [weak]
       - Filesize:317116 [weak]
      Hashes of received file:
       - SHA256:caf4eacc492e6e67651c6d4ace49ee2800c3166e8d630cddd35b87c94042f655
       - SHA1:9690ac45a5282cc04fcbfc6fc3d2ac2e4c6fa375 [weak]
       - MD5Sum:33dcb5800d6e0c3c4d86f0e37c3d134e [weak]
       - Filesize:317116 [weak]
      Last modification reported: Tue, 21 May 2019 14:59:26 +0000

The failures rate goes from hard-to-reproduce to reliably-fails.

Downloading the affected files with `wget` or `curl` has not reproduced
the issue, and only `apt` seems affected. The issue has hit jobs on
Jenkins as well as pipelines on GitLab, and from time to time people
have been able to remporarily reproduce it locally in image builder
Docker container.

From the captured network traffic it seems that HTTP pipelining is
involved, disabling its usage in APT so far prevented the issue to come
up in cases where it was reproducible.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Use secret file with base64 encoded ed25519 signature.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Enable signature verification for OTA updates by adding
`sign-verify` key for remote "origin".
After this only commits signed with known key will be used for
update, i.e. public key must be placed into well-known system places
or added into remote config by using keys `verification-key` or
`verification-file`.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Add ed25519 public key to be used for validation.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

The audit log can now be retrieved from the systemd journal and most if not all
the testcases have been switched to do that.

On the ostree images the auditd.service is failing because `/var/log/audit` is
not being created on boot.

	# systemctl status auditd.service
	● auditd.service - Security Auditing Service
	   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
	   Active: failed (Result: exit-code) since Thu 2019-09-05 22:55:59 UTC; 20s ago
	     Docs: man:auditd(8)
		   https://github.com/linux-audit/audit-documentation


	  Process: 335 ExecStart=/sbin/auditd (code=exited, status=6)

	Sep 05 22:55:59 apertis systemd[1]: Starting Security Auditing Service...
	Sep 05 22:55:59 apertis auditd[335]: Could not open dir /var/log/audit (No such file or directory)
	Sep 05 22:55:59 apertis auditd[335]: The audit daemon is exiting.
	Sep 05 22:55:59 apertis systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
	Sep 05 22:55:59 apertis systemd[1]: auditd.service: Failed with result 'exit-code'.
	Sep 05 22:55:59 apertis systemd[1]: Failed to start Security Auditing Service.

Any remaining non-ostree testcase still using `audit.log` can be ported to the
journal as the longer term solution or it can add a dependency on the `auditd`
package in the short term.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Fix indentation and scope in the buildSysroot(), which **may** actually fix the
weird mismatching sysroot index file generation error.

See https://phabricator.apertis.org/T6317

In particular, the issue led to the generation of sysroot index files where the
architecture of the contents didn't match the expected one.

For instance, see the `arm64` job below, pointing to `armhf` artifacts:
https://jenkins.apertis.org/job/apertis-v2019/job/images/job/debos-image-build/55/execution/node/474/log/



My suspect is that since `sysrootname` and `sysrooturl` where generated outside
of the scope of the stage(), they got overridden before the lazy evaluation of
the stage kicked in: in the case above, the `arm64` job probably ran first, but
before its stage() got evaluated the loop moved to `armhf` and updated
``sysrootname` and `sysrooturl`, so that when the `arm64` stage actually got
evaluated it picked up the new `armhf` values.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Denis Pynkin authored 5 years ago and Emanuele Aina committed 5 years ago

On Arm64 the initramfs post-install does not call `zz-u-boot-menu` from
`u-boot-menupackage` if it is installed at the same time as the kernel.
When it is installed before the kernel in separate action it works
well and produces a bootable configuration, so use that as a work around.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Nearly all of them are unharmful being in documentation and tests, except the
one in the image builder container name.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

It got out of sync after branching: to prevent this from happening again, let's
derive the branch name from the release name automatically.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

We must have disabled it during the rebase to get the initial image.
Re-enable it now given that the package is been made available

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Extend the script replacing the GPLv2 forks of `tar` and `coreutils` to
also replace the newly introduced `grep-gplv2`, `diffutils-gplv2` and
`findutils-gplv2`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

For an SDK image, it makes sense to enable all source repositories for
the components that are enabled. This change allows for all packages'
sources  in the :target component to be readily available through the
`apt source` command

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Need to provide the OSTree repository URL via Jenkinsfile for
ostree-based images to configure "origin" for updates from Jenkinsfile.

Fixes: APERTIS-6234

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Luis Araujo <luis.araujo@collabora.co.uk>

Devroot have no systemd and do not need to mount tmpfs.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Denis Pynkin authored 5 years ago and Emanuele Aina committed 5 years ago

Enabled mount of tmpfs since Debian do not use it by default.
This allow to reduse flash wearing and protect rootfs partition
from filling with temporary files.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Denis Pynkin authored 5 years ago and Emanuele Aina committed 5 years ago

Added script which enables tmp.mount unit provided by systemd.
Used this unit since do not want to touch '/etc/fstab' generated by
debos.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Luis Araujo <luis.araujo@collabora.co.uk>

This is useful for internal images which need to retrieve resources protected
by HTTP Basic Auth.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <rrs@debian.org>

The barkway packages were disabled during the initial phase of the rebase and
have been available for quite a while now.

This should fix the power off pop-up icon in mildenhall-compositor not coming
up on the SDK.

Fixes: https://phabricator.apertis.org/T6005



Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Storing the sysroot artifacts with the others will make it easier to prevent
inconsistencies due to image rotations and other factors.

The metadata file pointing to the latest version is kept in the current
location as expected by `ade`, and contains the updated URL pointing to the
actual tarball.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 5 years ago and Frédéric Dalleau committed 5 years ago

Running the devroot and building images for foreign architectures from
the SDK relies on the binfmt support in the kernel to run foreign
binaries via `qemu-user-static`.

However, `qemu-user-static` was being installed before the
`binfmt-support` package, so it was not registering itself as
an interpreter.

Fix it by explicitly listing `binfmt-support` in the packages to
install in the same run as `qemu-user-static` (via `debos`).

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>