58 plugin directorries not owned by root get root ownership (#61)

Fixed plugin deployment to worker nodes
Added InSpec/Cinc-Auditor CI-tests for worker nodes
Added CI-test for proper file structure and file ownership of deployed plugins

.github/workflows/build_and_run.yaml

@@ -70,11 +70,20 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-      - name: Download build artifacts
+
+      - name: Download build artifact
         uses: actions/download-artifact@v2
+        with:
+          path: debirf/build
+
+      - name: Setup Ruby and InSpec/Cinc-Auditor
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.1
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+          working-directory: server/test
+
       - name: Set up Coinboot requirements
-        shell: bash
-        # run: https://raw.githubusercontent.com/frzb/coinboot/"${GITHUB_REF##*/}"/setup_coinboot_requirements | bash
         run: ./setup_coinboot_requirements
 
       - name: Run Coinboot server and boot workers
@@ -87,10 +96,10 @@ jobs:
           export RELEASE=$PRE_RELEASE_TAG
           ./server/run_coinboot
 
-      - name: Download build artifact
-        uses: actions/download-artifact@v2
-        with:
-          path: debirf/build
+          #- name: Setup tmate session
+          #  uses: mxschmitt/action-tmate@v3
+          #  with:
+          #    limit-access-to-actor: true
 
       - name: Create release on main or develop
         # Release on develop keeps the type pre-release

README.md

@@ -98,7 +98,7 @@ The RootFS (`*initramfs*`) and Kernel (`*vmlinuz*`) you want to use are to be pl
 
 #### Plugins
 
-Coinboot plugins should be placed into the directory `./server/plugins`
+Coinboot plugins should be placed into the directory `./plugins/enabled`
 
 You can create your own plugins (see below) or pick some at: [./plugins](./plugins)
 

coinbootmaker/coinbootmaker

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -Eeo pipefail
 
-# Copyright (C) 2018 - 2021 Gunter Miegel coinboot.io
+# Copyright (C) 2018 - 2022 Gunter Miegel coinboot.io
 #
 # This file is part of Coinboot.
 # This software may be modified and distributed under the terms
@@ -16,22 +16,27 @@ display_help() {
   echo
   echo 'Packaged Coinboot pluings are written to the ./builds directory'
   echo
-  echo 'Usage: coinbootmaker [-i] [-h] [-l] [-p <plugin name> <path to initramfs>]'
+  echo 'Usage: coinbootmaker [-i] [-h] [-l] [-p <plugin build script path>]'
   echo
-  echo '-i              Interactive mode - opens a shell in the build environment'
-  echo '-p <file name>  Plugin to build'
-  echo '-l              List plugins available to build'
-  echo '-h              Display this help'
+  echo '-i                             Interactive mode - opens a shell in the build environment'
+  echo '-p <plugin build script path>  Plugin to build'
+  echo '-l                             List plugins available to build'
+  echo '-h                             Display this help'
   echo
 }
 
 list_plugins() {
+  echo
+  echo 'Available plugin build scripts'
+  echo
   pushd . > /dev/null
   cd src
+  find . -type f  ! -wholename '*\/upstream*' -name "*.yaml" -printf '%P\n'
+  popd  > /dev/null
   echo
-  find * -type f -print
+  echo 'Usage: ./coinbootmaker -p <plugin build script path>'
   echo
-  popd  > /dev/null
+
 }
 
 while getopts "ip:lh" opt; do
@@ -58,33 +63,33 @@ done
 
 shift $((OPTIND -1))
 
-
 WGET='wget --retry-connrefused --waitretry=5 --read-timeout=20 --timeout=15 -t 0'
 CURL='curl --max-time 5 --retry-max-time 20 --retry 999'
 CACHE_DIR=$(readlink -f ./cache)
 GITHUB_REPO=frzb/coinboot
-RELEASE=latest
+RELEASE=${RELEASE:-latest}
 ## initramfs and kernel vmlinuz ##
 # RELEASE is set via an environment variable under ./conf/environment
 # If the value is 'latest' we determine the latest release, else we use the set value.
 
-
-
 if [ $RELEASE = latest ]; then
   RESPONSE=$($CURL --silent "https://api.github.com/repos/${GITHUB_REPO}/tags")
   sleep 5
-  while ! TAG=$(echo $RESPONSE | jq -r '.[0].name'); do
+  while ! TAG=$(echo $RESPONSE | jq -r  '[ .[].name | select(test("^pre.*") | not) ] | sort | last'); do
     echo "Calling the Github API has failed, repeat ..."
     RESPONSE=$($CURL --silent "https://api.github.com/repos/${GITHUB_REPO}/tags")
-      sleep 5
-    done
-  echo "Using latest coinboot-debirf release: $TAG"
+    sleep 5
+  done
+  echo "Coinbootmaker is using the latest (default) Coinboot release: $TAG"
+else
+  TAG=$RELEASE
+  echo "Coinbootmaker is using Coinboot release: $TAG"
 fi
 
 DOWNLOAD_URL=https://github.com/${GITHUB_REPO}/releases/download/${TAG}
 
 if [ -z $KERNEL ]; then
-  KERNEL=5.4.0-58-generic
+  KERNEL=5.11.0-46-generic
 fi
 INITRAMFS=coinboot-initramfs-$KERNEL
 
@@ -93,33 +98,44 @@ $WGET $DOWNLOAD_URL/$INITRAMFS -P $CACHE_DIR
 fi
 
 BASEDIR=$PWD
-#INITRAMFS=$(readlink -f $1)
 LOWER=/tmp/$(basename $INITRAMFS)_extracted_by_coinbootmaker/lower
 UPPER=/tmp/$(basename $INITRAMFS)_extracted_by_coinbootmaker/upper
 WORKING_DIRECTORY=/tmp/$(basename $INITRAMFS)_extracted_by_coinbootmaker/working_dir
 MERGED=/tmp/$(basename $INITRAMFS)_extracted_by_coinbootmaker/merged
 
-while sudo runc list | grep coinbootmaker | grep running; do
+# Initial Cleanup
+
+while sudo runc list | grep coinbootmaker | grep -q running; do
   echo 'Waiting for Coinbootmaker container to be stopped ...'
   sudo runc kill coinbootmaker KILL
   sleep 1
 done
 
-while sudo runc list | grep coinbootmaker | grep stopped; do
+while sudo runc list | grep coinbootmaker | grep -q stopped; do
   echo 'Waiting for Coinbootmaker container to be cleaned up ...'
   sudo runc delete coinbootmaker
   sleep 1
 done
 
-  sudo runc delete coinbootmaker || true
-  sudo ip link delete cbm-host || true
-  sudo ip netns delete coinbootmaker || true
-  if mountpoint $MERGED; then
-    sudo umount $MERGED
-  fi
-  sudo rm -rf $UPPER $LOWER $WORKING_DIRECTORY $MERGED
+while sudo ip link | grep -q cbm-host; do
+  echo 'Waiting for Coinbootmaker network interface to be cleaned up ...'
+  sudo ip link delete cbm-host
   sleep 1
+done
 
+while sudo ip netns | grep -q coinbootmaker; do
+  echo 'Waiting for Coinbootmaker network namespace to be cleaned up ...'
+  sudo ip netns delete coinbootmaker
+  sleep 1
+done
+
+if mountpoint -q $MERGED; then
+  sudo umount $MERGED
+fi
+
+sudo rm -rf $UPPER $LOWER $WORKING_DIRECTORY $MERGED
+
+# End of initial Cleanup
 
 sudo mkdir -p $UPPER $LOWER $WORKING_DIRECTORY $MERGED
 # We create our own TMPFS.
@@ -136,20 +152,20 @@ cd $LOWER/rootfs
 # We have to use 'sudo' for 'cpio' else the ownership of the files in the
 # archive is messed up.
 # We just extract the nested initramfs archive
-zcat $CACHE_DIR/$INITRAMFS | sudo cpio -idvm "rootfs.cgz"
-zcat rootfs.cgz | sudo cpio -idm
+zstd -d $CACHE_DIR/$INITRAMFS -c | sudo cpio -idm --quiet "rootfs.czst"
+zstd -d rootfs.czst -c | sudo cpio -idm --quiet
 
 # The nested initramfs archive can be removed now
-sudo rm -v rootfs.cgz
+sudo rm rootfs.czst
 
 # Adapt nameserver settings.
 # resolv.conf is a symling to the systemd stub resolver which we have to delete beforehand.
 sudo rm etc/resolv.conf
-sudo tee etc/resolv.conf << EOF
+sudo tee etc/resolv.conf << EOF 1> /dev/null
 nameserver 1.1.1.1
 EOF
 
-sudo tee etc/hosts << EOF
+sudo tee etc/hosts << EOF 1> /dev/null
 127.0.1.1 coinbootmaker
 EOF
 
@@ -162,7 +178,7 @@ cd $LOWER
 # So we omit the jq limbo and the dependency to jq.
 # We use the same set of capabilities as Docker by default does.
 #https://github.com/moby/moby/blob/master/oci/defaults.go#L14-L30
-sudo tee ./config.json << EOF
+sudo tee ./config.json << EOF 1> /dev/null
 {
         "ociVersion": "1.0.0",
         "process": {
@@ -439,7 +455,7 @@ sudo runc run -d coinbootmaker
 
 # This commands can only be executed if the container is already running.
 # So let's wait until it is ready.
-while ! sudo runc list | grep coinbootmaker; do
+while ! sudo runc list | grep -q coinbootmaker; do
   echo 'Waiting for Coinbootmaker container...'
   sleep 1
 done
@@ -464,7 +480,7 @@ fi
 
 # Cleanup
 sudo runc kill coinbootmaker KILL
-while ! sudo runc list | grep coinbootmaker | grep stopped; do
+while ! sudo runc list | grep coinbootmaker | grep -q stopped; do
   echo 'Waiting for Coinbootmaker container to be stopped ...'
   sleep 1
 done
@@ -474,7 +490,7 @@ sudo runc delete coinbootmaker
 sudo ip link delete cbm-host
 sudo ip netns delete coinbootmaker
 
-echo "Cleaning up directories"
+echo "Cleaning up temporary working directories ..."
 cd $BASEDIR
-sudo umount -v $MERGED
-sudo rm -rf $UPPER $LOWER $WORKING_DIRECTORY $MERGED
+sudo umount --quiet $MERGED
+sudo rm -rf $BASEDIR/plugin $UPPER $LOWER $WORKING_DIRECTORY $MERGED

debirf/build_and_run_images

@@ -1,6 +1,5 @@
 #!/bin/bash
 set -e -o pipefail
-set -x
 
 # Copyright (C) 2019 Gunter Miegel coinboot.io
 #

debirf/debirf

@@ -380,7 +380,7 @@ else
   # FIXME: Move this stuff to Python.
   curl -s http://$HTTP_SERVER/plugins/ | grep -v -Fe '[' -e ']' | cut -f 4 -d'"' | while read plugin; do
     echo "Downloading and extracting plugin: $plugin"
-    wget  http://$HTTP_SERVER/plugins/$plugin -O - | tar ---no-overwrite -dirPxzvf -
+    wget  http://$HTTP_SERVER/plugins/$plugin -O - | tar --no-overwrite-dir -Pxzvf -
     /usr/local/bin/dpkg_status.py --new /tmp/dpkg_status --old /var/lib/dpkg/status --union > /tmp/status_$plugin
     mv -v /tmp/status_$plugin /var/lib/dpkg/status
     echo '----------------------------'

debirf/scripts/create_plugin.py

@@ -138,6 +138,8 @@ def main(arguments):
 
         print("------------------------------------")
 
+        print("------------------------------------")
+
         print("Created Coinboot Plugin:", archive_name)
 
 

server/docker/coinboot-download-helper

@@ -33,7 +33,7 @@ GITHUB_REPO=frzb/coinboot
 if [ $RELEASE = latest ]; then
   RESPONSE=$($CURL --silent "https://api.github.com/repos/${GITHUB_REPO}/tags")
   sleep 5
-  while ! TAG=$(echo $RESPONSE | jq -r '.[0].name'); do
+  while ! TAG=$(echo $RESPONSE | jq -r '[ .[].name | select(test("^pre.*") | not) ] | sort | last'); do
     echo "Calling the Github API has failed, repeat ..."
     RESPONSE=$($CURL --silent "https://api.github.com/repos/${GITHUB_REPO}/tags")
     sleep 5

server/plugins

@@ -0,0 +1 @@
+../plugins/enabled