Commit 6e2140ee authored by hark

initram from debian

parent 52c6a642
......@@ -8,15 +8,13 @@ set -e
#KERNELCONFIG=/root/kernel_config_4.18.11.txt
#KERNELVERSION=4.18.11
##actual logic
init
get_kernel
if check_if_build
then
exit 0
exit 0
else
exit 10
exit 10
fi
#!/usr/bin/env bash
set -eux
DIR=`mktemp -d`
VERSION="$KERNELVERSION"
KDIR="$KERNELDIR"
#KDIR=/etc/xen/boot/debian
#VERSION="4.19.0-9-cloud-amd64"
cat > $DIR/initramfs.conf <<EOF
MODULES=most
BUSYBOX=auto
KEYMAP=n
COMPRESS=gzip
DEVICE=
NFSROOT=auto
RUNSIZE=10%
EOF
touch $DIR/modules
mkdir $DIR/conf.d
cat > $DIR/conf.d/resume <<EOF
RESUME=none
EOF
apt-get -y install "linux-image-$VERSION"
echo "generating initramfs for the vm"
mkdir -p $KDIR
cp /boot/vmlinuz-"${VERSION}" "$KDIR/vmlinuz-${VERSION}"
mkinitramfs -r /dev/vda -d $DIR -v -o "$KDIR/initrd.img-${VERSION}" "${VERSION}"
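Review bot: The directory created by `mktemp -d` on L23 is never removed, and `$DIR` is expanded unquoted in `cat > $DIR/initramfs.conf`, `touch $DIR/modules`, `mkdir $DIR/conf.d` and `-d $DIR`, so every run leaves its config directory behind and a TMPDIR containing whitespace would split the path. Add `trap 'rm -rf -- "$DIR"' EXIT` directly after the mktemp line, and quote the four `$DIR` uses together with `mkdir -p "$KDIR"`. The root device handed to mkinitramfs on L46 is hard-coded as `/dev/vda` while every other input arrives through the environment; a `ROOTDEV="${ROOTDEV:-/dev/vda}"` line next to `VERSION` and `KDIR` would keep it overridable from the same Puppet `environment` list without changing the default.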
function install_dependencies() {
echo "Installing dependencies..."
sudo apt -qq update
sudo apt -qq install curl git wget bison flex
## Apparently this does not satisfy all package requirements
#sudo apt -qq build-dep linux-image-generic
sudo apt -y -qq install build-essential fakeroot libncurses5-dev libssl-dev ccache libelf-dev dirmngr gcc-6-plugin-dev
gpg --recv 647F28654894E3BD457199BE38DBBDC86092693E
echo "Installing dependencies..."
sudo apt -qq update
sudo apt -qq install curl git wget bison flex
sudo apt -y -qq install build-essential fakeroot libncurses5-dev libssl-dev ccache libelf-dev dirmngr gcc-6-plugin-dev
gpg --recv 647F28654894E3BD457199BE38DBBDC86092693E
gpg --recv F81962A54902300F72ECB83AA1FC1F6AD2D09049
}
function init() {
echo "Initializing..."
#WORKDIR=/root/kernelbuilder
echo "Initializing..."
#WORKDIR=/root/kernelbuilder
#KERNELDIR=/etc/xen/boot
#KERNELCONFIG=/root/kernel_config_4.18.11.txt
#KERNELVERSION=4.18.11
......@@ -26,74 +23,74 @@ function init() {
#kernel_config=$(ls /boot/config-* | grep generic | sort -Vr | head -n 1)
kernel_config=$KERNELCONFIG
kerneldir=$KERNELDIR
config_shasum=`sha1sum $kernel_config | cut -f 1 -d ' '`
echo "config sum is: $config_shasum"
current_dir=$(pwd)
# working_dir=$(mktemp -d)
working_dir=$WORKDIR
kernelname=$KERNELNAME
#kernel_config=$(ls /boot/config-* | grep generic | sort -Vr | head -n 1)
kernel_config=$KERNELCONFIG
kerneldir=$KERNELDIR
config_shasum=`sha1sum $kernel_config | cut -f 1 -d ' '`
echo "config sum is: $config_shasum"
current_dir=$(pwd)
# working_dir=$(mktemp -d)
working_dir=$WORKDIR
kernelname=$KERNELNAME
# mkdir -p $working_dir
cd "${working_dir}" || exit
##install_dependencies
# mkdir -p $working_dir
cd "${working_dir}" || exit
##install_dependencies
}
function get_latest_version() {
stable_releases="https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/"
stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
stable_link="${stable_releases}linux-${stable_version}.tar.xz"
stable_siglink="${stable_releases}linux-${stable_version}.tar.sign"
stable_sigfile="linux-${stable_version}.tar.sign"
stable_file="linux-${stable_version}.tar.xz"
imagename="${stable_version}_$config_shasum.vmlinuz"
stable_releases="https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/"
stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
stable_link="${stable_releases}linux-${stable_version}.tar.xz"
stable_siglink="${stable_releases}linux-${stable_version}.tar.sign"
stable_sigfile="linux-${stable_version}.tar.sign"
stable_file="linux-${stable_version}.tar.xz"
imagename="${stable_version}_$config_shasum.vmlinuz"
}
function get_specific_version() {
stable_releases="https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/"
# stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
stable_releases="https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/"
# stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
stable_version="$1"
stable_link="${stable_releases}linux-${stable_version}.tar.xz"
stable_siglink="${stable_releases}linux-${stable_version}.tar.sign"
stable_sigfile="linux-${stable_version}.tar.sign"
stable_file="linux-${stable_version}.tar.xz"
imagename="${stable_version}_$config_shasum.vmlinuz"
stable_link="${stable_releases}linux-${stable_version}.tar.xz"
stable_siglink="${stable_releases}linux-${stable_version}.tar.sign"
stable_sigfile="linux-${stable_version}.tar.sign"
stable_file="linux-${stable_version}.tar.xz"
imagename="${stable_version}_$config_shasum.vmlinuz"
}
function get_grsec_version() {
grsec_releases="http://ftp.lag/grsec/"
# stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
grsec_releases="http://ftp.lag/grsec/"
# stable_version=$(curl -s "${stable_releases}" | grep -E -o 'linux-([0-9]{1,}\.)+[0-9]{1,}' | sort -Vr | head -n 1 | cut -d '-' -f 2)
stable_version="$1"
stable_link="${grsec_releases}linux-${stable_version}_${stable_version}.orig.tar.gz"
stable_siglink="${grsec_releases}linux-${stable_version}_${stable_version}.orig.tar.gz.gpg"
stable_file="linux-${stable_version}_${stable_version}.orig.tar.gz"
stable_sigfile="linux-${stable_version}_${stable_version}.orig.tar.gz.gpg"
imagename="${stable_version}_$config_shasum.vmlinuz"
imagename="${stable_version}_$config_shasum.vmlinuz"
}
get_kernel() {
if [ "$KERNELVERSION" == "latest" ]
then
echo 'latest'
get_latest_version
echo 'latest'
get_latest_version
TYPE='stable'
elif [[ "$KERNELVERSION" == *"grsec" ]]
then
echo "grsec"
get_grsec_version $KERNELVERSION
echo "grsec"
get_grsec_version "$KERNELVERSION"
TYPE='grsec'
else
echo 'specific'
get_specific_version $KERNELVERSION
echo 'specific'
get_specific_version "$KERNELVERSION"
fi
}
function verify_signature() {
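Review bot: `config_shasum` on L83 is computed with backticks and an unquoted `$kernel_config`, so a config path containing whitespace splits into several arguments and the sum quietly describes the wrong file (or is empty); write it as `config_shasum=$(sha1sum -- "$kernel_config" | cut -f 1 -d ' ')`. The commit fixes the same unquoted pattern elsewhere in this hunk (`get_grsec_version "$KERNELVERSION"`), so this one looks like an oversight rather than intent. Because `imagename` embeds this sum and `check_if_build` decides from it whether a rebuild is needed, a wrong sum also mislabels the produced kernel. The grsec mirror on L132 is fetched over plain `http://`, which is only acceptable because `download_and_unpack` verifies the detached `.gpg` signature before unpacking; a one-line comment there stating that dependency would help the next reader. `verify_signature` begins on the hunk's last line and its body lies outside the hunk.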
......@@ -114,25 +111,25 @@ function verify_signature() {
function download_and_unpack() {
kernel_version="${stable_version}"
kernel_name="linux-${kernel_version}"
#ls -lhtr ${stable_file}
echo "file: ${stable_file}"
if [ ! -f ${stable_file} ]
then
echo "downloading tar"
wget "${stable_link}"
fi
if [ ! -f ${stable_sigfile} ]
then
echo "downloading sig"
wget "${stable_siglink}"
fi
kernel_version="${stable_version}"
kernel_name="linux-${kernel_version}"
#ls -lhtr ${stable_file}
echo "file: ${stable_file}"
if [ ! -f "${stable_file}" ]
then
echo "downloading tar"
wget "${stable_link}"
fi
if [ ! -f "${stable_sigfile}" ]
then
echo "downloading sig"
wget "${stable_siglink}"
fi
echo "checking sig"
if [[ $TYPE == 'grsec' ]]
then
if verify_signature ${stable_sigfile} ${stable_file}
if verify_signature "${stable_sigfile}" "${stable_file}"
then
echo "grsec sig verification good"
else
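Review bot: The download guards on L185 and L190 test only for the file's existence, so a truncated download left by an earlier aborted run (when the caller runs under `set -e`, as check_kernel.sh does, the script stops but the partial file stays) is reused on every later run and fails signature verification each time, with no recovery short of deleting the file by hand. Fetch to a temporary name and rename only on success, e.g. `wget -O "${stable_file}.part" "${stable_link}" && mv -- "${stable_file}.part" "${stable_file}"`, and do the same for the signature file. The quoting added in this hunk is correct; `download_and_unpack` continues past the hunk's last line.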
......@@ -140,54 +137,54 @@ then
exit 23
fi
if [ ! -d ${kernel_name} ]
then
echo "unpacking"
tar -xvf ${stable_file}
fi
if [ ! -d "${kernel_name}" ]
then
echo "unpacking"
tar -xvf "${stable_file}"
fi
else
echo "unxzing"
if unxz ${stable_file}
if unxz "${stable_file}"
then
echo "unxz ok"
else
echo "unxz failed, probably cause was already unxz before"
fi
if verify_signature ${stable_sigfile} ${kernel_name}.tar
if verify_signature "${stable_sigfile}" "${kernel_name}.tar"
then
echo "sig verification good"
else
echo "sig verification failed"
exit 23
fi
if [ ! -d ${kernel_name} ]
then
echo "unpacking"
tar -xvf ${kernel_name}.tar
fi
if [ ! -d "${kernel_name}" ]
then
echo "unpacking"
tar -xvf "${kernel_name}.tar"
fi
fi
#tar xvf "${kernel_name}.tar.xz"
cd "${kernel_name}" || exit
#tar xvf "${kernel_name}.tar.xz"
cd "${kernel_name}" || exit
}
function build_kernel() {
kernel_localversion="-localversion"
cp "${kernel_config}" .config
yes '' | make oldconfig
make -j 4
#FIXME: make clean
cp arch/x86/boot/bzImage $kerneldir/$imagename
cd "${current_dir}" || exit
#FIXME: rm -rf "${working_dir}"
kernel_localversion="-localversion"
cp "${kernel_config}" .config
yes '' | make oldconfig
make -j 4
#FIXME: make clean
cp arch/x86/boot/bzImage "$kerneldir/$imagename"
cd "${current_dir}" || exit
#FIXME: rm -rf "${working_dir}"
}
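Review bot: `kernel_localversion` on L258 is assigned but never read anywhere in `build_kernel`, and `make -j 4` on L261 hard-codes the parallelism; either drop the dead assignment or pass it to the build as `make -j "$(nproc)" LOCALVERSION="$kernel_localversion"`. `yes '' | make oldconfig` on L260 accepts the upstream default for every symbol missing from the shipped config, so a new option can silently enter the image while `imagename` still carries the checksum of the input config; `make olddefconfig` does the same thing explicitly, and a comment saying the defaults are accepted knowingly would make that visible. The `unxz` failure on L219 is treated as "already decompressed"; since the `verify_signature` call on the `.tar` that follows catches a genuinely corrupt file, a short comment there stating that would clarify why the error is tolerated.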
......@@ -215,11 +212,21 @@ ln -s "$kerneldir/$imagename" "$kerneldir/$TYPE.vmlinuz"
function check_if_build() {
if [ -f "$kerneldir/$imagename" ]
then
echo "kernel exists"
return 0
if [ -f "$kerneldir/$kernelname.vmlinuz" ]
then
echo "kernel exists: $kerneldir/$kernelname.vmlinuz ($imagename)"
return 0
else
rm "$kerneldir/$kernelname.vmlinuz.old" && true
mv "$kerneldir/$kernelname.vmlinuz" "$kerneldir/$kernelname.vmlinuz.old" && true
ln -s "$kerneldir/$imagename" "$kerneldir/$kernelname.vmlinuz"
echo "kernel existed, but the links where not in place, made them now"
return 0
fi
else
echo "kernel does not exist"
return 10
echo "kernel does not exist"
return 10
fi
}
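Review bot: `rm ... && true` and `mv ... && true` on L278 and L279 only avoid aborting under `set -e` because a failing command inside an `&&` list is exempt from `-e`; the idiom reads as if `true` were a fallback, which it is not. State the intent directly: `rm -f -- "$kerneldir/$kernelname.vmlinuz.old"` and `mv -- "$kerneldir/$kernelname.vmlinuz" "$kerneldir/$kernelname.vmlinuz.old" 2>/dev/null || true`. `$kernelname` is taken from `KERNELNAME` in `init`, and an empty value turns every path in this branch into `$kerneldir/.vmlinuz`, so a guard such as `: "${kernelname:?KERNELNAME not set}"` at the top of the function would fail early instead of creating a hidden link. The message on L281 has a typo: "where" should be "were".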
......
define buildkernel::kernel (
String $kernel_version = 'latest',
String $kernel_workdir = '/root/kernelbuilder',
String $kernel_kerneldir = '/usr/share/qemu-efi/boot',
String $kernel_version = 'latest',
String $kbuser = $buildkernel::kernelprep::kbuser,
String $kernel_workdir = $buildkernel::kernelprep::kernel_workdir,
String $kernel_kerneldir = $buildkernel::kernelprep::kernel_kerneldir,
String $config_version = 'latest',
String $kernel_name = $title,
String $kernel_type = 'debian',
) {
) {
require buildkernel::kernelprep
require buildkernel::kernelprep
# scripts
if ($kernel_type == 'debian') {
Exec { "generate initram for $name $kernel_version":
command => "/usr/local/bin/generate-debian-initramfs.sh",
user => root,
logoutput => true,
require => [
File['/usr/local/bin/generate-debian-initramfs.sh'],
],
creates => "/etc/xen/boot/debian/initrd.img-${kernel_version}",
environment => ["WORKDIR=${kernel_workdir}",
"KERNELVERSION=${kernel_version}",
"KERNELCONFIG=${kernel_workdir}/config_${kernel_version}.kconf",
"KERNELDIR=${kernel_kerneldir}/debian",
"KERNELNAME=${kernel_name}"],
file { "$kernel_workdir/config_$kernel_version.kconf":
ensure => present,
owner => root,
group => root,
mode => '0700',
source => "puppet:///modules/$module_name/kconfig/${kernel_version}_${config_version}.kconf",
}
timeout => 0,
}
}
Exec { "Check kernel $kernel_version with config $config_version":
command => "/usr/local/bin/check_kernel.sh",
logoutput => true,
require => [
File['/usr/local/bin/build_kernel.sh'],
File['/usr/local/bin/check_kernel.sh'],
File[$kernel_workdir],
File[$kernel_kerneldir],
File["$kernel_workdir/config_$kernel_version.kconf"],
if ($type == 'source'){
file { "$kernel_workdir/config_$kernel_version.kconf":
ensure => present,
owner => root,
group => $kbuser,
mode => '0740',
source => "puppet:///modules/$module_name/kconfig/${kernel_version}_${config_version}.kconf",
}
],
# onlyif => "/usr/local/bin/check_kernel.sh",
environment => ["WORKDIR=${kernel_workdir}",
"KERNELVERSION=${kernel_version}",
"KERNELCONFIG=${kernel_workdir}/config_${kernel_version}.kconf",
"KERNELDIR=${kernel_kerneldir}",
"KERNELNAME=${kernel_name}"],
timeout => 0,
}
Exec { "Check kernel $kernel_version with config $config_version":
command => "/usr/local/bin/check_kernel.sh",
user => $kbuser,
logoutput => true,
require => [
File['/usr/local/bin/build_kernel.sh'],
File['/usr/local/bin/check_kernel.sh'],
File[$kernel_workdir],
File[$kernel_kerneldir],
File["$kernel_workdir/config_$kernel_version.kconf"],
Exec { "Build kernel $kernel_version with config $config_version":
command => "/usr/local/bin/build_kernel.sh",
logoutput => true,
],
# onlyif => "/usr/local/bin/check_kernel.sh",
environment => ["WORKDIR=${kernel_workdir}",
"KERNELVERSION=${kernel_version}",
"KERNELCONFIG=${kernel_workdir}/config_${kernel_version}.kconf",
"KERNELDIR=${kernel_kerneldir}",
"KERNELNAME=${kernel_name}"],
require => [
File['/usr/local/bin/build_kernel.sh'],
File['/usr/local/bin/check_kernel.sh'],
File[$kernel_workdir],
File[$kernel_kerneldir],
File["$kernel_workdir/config_$kernel_version.kconf"],
],
#subscribe => File["$kernel_workdir/config_$kernel_version.kconf"],
#refreshonly => true,
unless => "/usr/local/bin/check_kernel.sh",
timeout => 0,
}
# onlyif => "/usr/local/bin/check_kernel.sh",
environment => ["WORKDIR=${kernel_workdir}",
"KERNELVERSION=${kernel_version}",
"KERNELCONFIG=${kernel_workdir}/config_${kernel_version}.kconf",
"KERNELDIR=${kernel_kerneldir}",
"KERNELNAME=${kernel_name}"],
Exec { "Build kernel $kernel_version with config $config_version":
command => "/usr/local/bin/build_kernel.sh",
logoutput => true,
user => $kbuser,
require => [
File['/usr/local/bin/build_kernel.sh'],
File['/usr/local/bin/check_kernel.sh'],
File[$kernel_workdir],
File[$kernel_kerneldir],
File["$kernel_workdir/config_$kernel_version.kconf"],
],
#subscribe => File["$kernel_workdir/config_$kernel_version.kconf"],
#refreshonly => true,
unless => "/usr/local/bin/check_kernel.sh",
timeout => 0,
}
# onlyif => "/usr/local/bin/check_kernel.sh",
environment => ["WORKDIR=${kernel_workdir}",
"KERNELVERSION=${kernel_version}",
"KERNELCONFIG=${kernel_workdir}/config_${kernel_version}.kconf",
"KERNELDIR=${kernel_kerneldir}",
"KERNELNAME=${kernel_name}"],
timeout => 0,
}
}
}
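Review bot: The condition on L341 tests `$type`, but the parameter introduced on L302 is `$kernel_type`; `$type` is not defined in this scope, so for source builds the config file resource is never declared while both Exec resources still `require => File["$kernel_workdir/config_$kernel_version.kconf"]`, which should fail catalog compilation with a missing dependency. Change it to `if ($kernel_type == 'source') {`. The `creates` on L316 hard-codes `/etc/xen/boot/debian/...` while the script is told `KERNELDIR=${kernel_kerneldir}/debian`; with a non-default `kernel_kerneldir` the initramfs is regenerated on every agent run, so use `creates => "${kernel_kerneldir}/debian/initrd.img-${kernel_version}",`. Declaring the L302 parameter as `Enum['debian', 'source'] $kernel_type = 'debian',` would reject typos the way the `$type` one went unnoticed.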
class buildkernel::kernelprep (
String $kernel_workdir = '/root/kernelbuilder',
String $kernel_kerneldir = '/usr/share/qemu-efi/boot',
String $kernel_workdir = '/var/cache/kernelbuilder',
String $kernel_kerneldir = '/etc/xen/boot',
String $signingkey = '647F28654894E3BD457199BE38DBBDC86092693E',
$signingkeys = [ '647F28654894E3BD457199BE38DBBDC86092693E', 'F81962A54902300F72ECB83AA1FC1F6AD2D09049' ]
$signingkeys = [ '647F28654894E3BD457199BE38DBBDC86092693E', 'F81962A54902300F72ECB83AA1FC1F6AD2D09049' ],
String $kbuser = 'kernelbuilder',
)
{
include git
$packages = [
'build-essential',
'python-pip',
'libncurses5-dev',
'libssl-dev',
'libelf-dev',
'dirmngr',
'curl',
'wget',
'bison',
'flex',
# 'gcc-6-plugin-dev',
'bc',
'gcc-8-plugin-dev',
'gcc-7-plugin-dev'
]
ensure_packages($packages, {ensure => 'installed'})
group { 'kernelbuilder':
}
user { 'kernelbuilder':
gid => 'kernelbuilder',
system => true,
shell => "/usr/sbin/nologin",
managehome => "true",
}
Exec { "/usr/bin/pip3 install git+https://github.com/a13xp0p0v/kconfig-hardened-check":
user => $kbuser,
}
file { '/usr/local/bin/generate-debian-initramfs.sh':
ensure => present,
owner => root,
group => kernelbuilder,
mode => '0750',
source => "puppet:///modules/$module_name/scripts/generate-debian-initramfs.sh",
}
file { '/usr/local/bin/build_kernel.sh':
ensure => present,
owner => root,
group => root,
mode => '0700',
group => kernelbuilder,
mode => '0750',
source => "puppet:///modules/$module_name/scripts/build_kernel.sh",
}
$signingkeys.each |$fp| {
file { "/tmp/$fp.gpg":
file { "$kernel_workdir/$fp.gpg":
ensure => present,
owner => root,
group => root,
mode => '0700',
group => kernelbuilder,
mode => '0740',
source => "puppet:///modules/$module_name/$fp.gpg",
}
Exec { "/usr/bin/gpg --recv $fp":
user => $kbuser,
}
}
Exec { "/usr/bin/gpg --import /tmp/$signingkey.gpg":
Exec { "/usr/bin/gpg --import $kernel_workdir/$signingkey.gpg":
user => $kbuser,
require => [
File["/tmp/$signingkey.gpg"],
File["$kernel_workdir/$signingkey.gpg"],
File['/usr/local/bin/build_kernel.sh'],
File['/usr/local/bin/check_kernel.sh'],
File[$kernel_workdir],
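Review bot: The Exec on L459 installs `kconfig-hardened-check` straight from the GitHub repository's HEAD as `$kbuser`, with no pinned tag or commit and no `unless`/`creates`, so the tool changes underneath the build whenever upstream pushes and the network install reruns on every agent run; pin a revision (`git+https://github.com/a13xp0p0v/kconfig-hardened-check@<TAG_OR_COMMIT>`) and add `unless => '/usr/bin/pip3 show kconfig-hardened-check'` or an equivalent check. The package list on L436 installs `python-pip`, but the command is `/usr/bin/pip3`; on Debian and Ubuntu `python-pip` is the Python 2 tool and pip3 is provided by `python3-pip`. Both fingerprints in `$signingkeys` get a `.gpg` file placed on L480, yet only `$signingkey` is imported on L494; the second key is obtained only via `gpg --recv $fp` from a keyserver (L489), so the locally shipped file is the better trust anchor and the import should iterate over `$signingkeys` as well. `managehome => "true"` on L457 passes a string where the attribute takes a boolean.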
......@@ -47,23 +94,23 @@ class buildkernel::kernelprep (
file { '/usr/local/bin/kernel_functions.sh':
ensure => present,
owner => root,
group => root,
mode => '0700',
group => kernelbuilder,
mode => '0750',
source => "puppet:///modules/$module_name/scripts/kernel_functions.sh",
}
file { '/usr/local/bin/check_kernel.sh':
ensure => present,
owner => root,
group => root,
mode => '0700',
group => kernelbuilder,
mode => '0750',
source => "puppet:///modules/$module_name/scripts/check_kernel.sh",
}
file { '/usr/local/bin/test_kernelscript.sh':
ensure => present,
owner => root,
group => root,
mode => '0700',
group => kernelbuilder,
mode => '0750',