
Merge pull request #423 from netbootxyz/certs

Fix signatures and add certs to loaders
Antony Messerli 5 gadi atpakaļ
vecāks
revīzija
d0f97a7a59

+ 5 - 5
.travis.yml

@@ -1,14 +1,10 @@
 sudo: true
-
 language: bash
-
 services:
   - docker
-
 env:
   global:
     - DEBIAN_FRONTEND="noninteractive"
-
 jobs:
   include:
     - stage: test
@@ -23,6 +19,8 @@ jobs:
 
     - stage: development
       if: branch = development AND type != pull_request
+      before_install:
+        - ./script/retrieve_certs
       script:
         - ./script/build_release dev
       after_failure:
@@ -49,7 +47,7 @@ jobs:
     - stage: release-candidate
       if: branch = RC AND type != pull_request
       before_install:
-        - ./script/pre_install
+        - ./script/retrieve_certs
       script:
         - ./script/build_release rc
       workspaces:
@@ -109,6 +107,8 @@ jobs:
 
     - stage: release
       if: branch = master AND type != pull_request
+      before_install:
+        - ./script/retrieve_certs
       script:
         - ./script/build_release release
       workspaces:
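Review bot: In the release-candidate stage the hunk replaces `./script/pre_install` with `./script/retrieve_certs` instead of adding to it, whereas the development and release stages only gain the new script; if the awscli install that pre_install performs was needed by later rc steps, that stage has lost it. The stage bodies continue past the hunk, so the workspaces/deploy steps that would settle this are not visible here. retrieve_certs depends on `GIT_USER`, `GIT_AUTH`, `GIT_URL` and the encrypted key variables, which are not exposed to fork pull-request builds, so the `type != pull_request` guards are what keeps it from failing there; a comment above each new `before_install:` such as `# needs secure env vars; never runs on PR builds` records that dependency.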

+ 32 - 0
Dockerfile-build.production

@@ -0,0 +1,32 @@
+FROM ubuntu:bionic as builder
+
+RUN \
+ echo "**** install deps ****" && \
+ apt-get update && \
+ apt-get install -y \
+	ansible \
+	apache2  \
+	build-essential \
+	dosfstools \
+	genisoimage \
+	git \
+	liblzma-dev \
+	python-minimal \
+	python-yaml \
+	syslinux
+
+# repo for build
+COPY . /ansible
+
+RUN \
+ echo "**** running ansible ****" && \
+ cd /ansible && \
+ ansible-playbook -i inventory site.yml --extra-vars "@script/netbootxyz-overrides.yml"
+
+# runtime stage
+FROM alpine:3.10
+
+COPY --from=builder /var/www/html/ /mnt/
+COPY docker-build-root/ /
+
+ENTRYPOINT [ "/dumper.sh" ]
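Review bot: `COPY . /ansible` pulls the whole checkout into the builder stage, and with this PR that presumably includes the `certs/` directory populated by retrieve_certs (the overrides set `cert_dir` to `/ansible/certs`), so the decrypted code-signing key lands in an image layer. The final alpine stage copies only `/var/www/html/`, but the builder image remains in the daemon's cache on the build host; the build script should prune it after use, or the key should be provided through a build-time secret mount rather than the build context. Separately, the apt RUN would benefit from `apt-get install -y --no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`, and `ubuntu:bionic` / `alpine:3.10` are unpinned tags, so rebuilds are not reproducible.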

+ 1 - 1
roles/netbootxyz/tasks/generate_signatures.yml

@@ -15,7 +15,7 @@
   - name: Generate signatures for source files
     shell: |
       openssl cms -sign -binary -noattr -in {{ netbootxyz_root }}/{{ item }} \
-      -signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
+      -signer {{ codesign_cert_filename }} -inkey {{ codesign_key_filename }} -certfile {{ cert_file_filename }} -outform DER \
       -out {{ sigs_dir }}/{{ item }}.sig
     args:
       chdir: "{{ cert_dir }}"
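Review bot: The `shell:` command interpolates `{{ item }}` and the three renamed filename variables into the command line unquoted, so a value containing whitespace or shell metacharacters breaks the openssl invocation; Ansible's `quote` filter (`{{ item | quote }}`, `{{ codesign_key_filename | quote }}`) is the usual guard. The `is defined` checks for these variables were dropped from main.yml in the same PR, so an inventory that enables `generate_signatures` without them now fails this task with an undefined-variable error instead of skipping it. The task continues past the hunk; its loop is not visible here.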

+ 0 - 3
roles/netbootxyz/tasks/main.yml

@@ -10,9 +10,6 @@
   - include: generate_signatures.yml
     when:
     - generate_signatures | default(false) | bool
-    - codesign_cert_location is defined
-    - codesign_key_location is defined
-    - cert_file_location is defined
 
   - include: generate_disks.yml
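Review bot: Removing the three `is defined` guards means `generate_signatures.yml` is included whenever `generate_signatures` is true, with no check that `codesign_cert_filename`, `codesign_key_filename` and `cert_file_filename` — the renamed variables the included task uses — exist. The overrides file in this PR sets them, but any other inventory enabling `generate_signatures` without them now hits an undefined-variable failure inside the task rather than a skip; either restore the guards under the new names or state the requirement above the include, e.g. `# requires the *_filename vars and cert_dir; see script/netbootxyz-overrides.yml`.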
     with_items:

+ 2 - 2
roles/netbootxyz/templates/menu/boot.cfg.j2

@@ -14,10 +14,10 @@ set memdisk {{ memdisk_location }}
 set live_endpoint {{ live_endpoint }}
 
 # signature check enabled?
-set sigs_enabled {{ sigs_enabled | default(false) | bool }}
+set sigs_enabled {{ sigs_enabled | default(false) | bool | lower }}
 
 # image signatures check enabled?
-set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool }}
+set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool | lower }}
 
 # set location of signatures for sources
 set sigs {{ sigs_location }}

+ 5 - 1
roles/netbootxyz/templates/menu/menu.ipxe.j2

@@ -58,9 +58,13 @@ item netinfo ${space} Network card info
 item about ${space} About netboot.xyz
 {% if sigs_menu | bool %}
 item --gap Signature Checks:
-item sig_check ${space} netboot.xyz [ enabled: ${sigs_enabled} ]
+{% if sigs_enabled | bool %}
+item sig_check ${space} {{ site_name }} [ enabled: ${sigs_enabled} ]
+{% endif %}
+{% if img_sigs_enabled | bool %}
 item img_sigs_check ${space} Images [ enabled: ${img_sigs_enabled} ]
 {% endif %}
+{% endif %}
 {% if custom_github_menus | bool %}
 isset ${github_user} && item --gap Custom Github Menu: ||
 isset ${github_user} && item custom-github ${space} ${github_user}'s Custom Menu ||
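Review bot: With the new nesting, `item --gap Signature Checks:` is still emitted when `sigs_menu` is true but both `sigs_enabled` and `img_sigs_enabled` are false, leaving an empty heading in the menu. Wrapping the gap item in `{% if sigs_enabled | bool or img_sigs_enabled | bool %}` avoids that. Also, because `sig_check` is now only rendered when `sigs_enabled` is true, its `[ enabled: ${sigs_enabled} ]` suffix can only read `enabled: true` unless the iPXE variable is changed at runtime; the same applies to `img_sigs_check`.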

+ 5 - 3
script/build_release

@@ -5,6 +5,7 @@ TYPE=$1
 HARD_RELEASE="2.x"
 HARD_RC="2.x-RC"
 LIVE_URL="staging.boot.netboot.xyz"
+DOCKER_FILE="Dockerfile-build.production"
 
 # Set boot domain
 if [[ "${TYPE}" == "dev" ]]; then
@@ -13,6 +14,7 @@ if [[ "${TYPE}" == "dev" ]]; then
 elif [[ "${TYPE}" == "pr" ]]; then
   BOOT_DOMAIN="test.com"
   BOOT_VERSION="test"
+  DOCKER_FILE="Dockerfile-build"
 elif [[ "${TYPE}" == "rc" ]]; then
   BOOT_VERSION=$(cat version.txt)-RC
   BOOT_DOMAIN="${LIVE_URL}/${BOOT_VERSION}"
@@ -28,7 +30,7 @@ sed -i \
   user_overrides.yml
 
 # Build release
-docker build -t localbuild -f Dockerfile-build .
+docker build -t localbuild -f ${DOCKER_FILE} .
 docker run --rm -it -v $(pwd):/buildout localbuild
 
 # Generate folder outputs
@@ -51,7 +53,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
       -e "/^boot_version/c\boot_version: \"${HARD_RELEASE}\"" \
       -e "/^boot_domain/c\boot_domain: ${LIVE_URL}" \
       user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
     docker run --rm -it -v $(pwd):/buildout localbuild
   fi
   if [[ "${TYPE}" == "rc" ]]; then
@@ -59,7 +61,7 @@ if [[ "${TYPE}" == "release" ]] || [[ "${TYPE}" == "rc" ]]; then
       -e "/^boot_version/c\boot_version: \"${HARD_RC}\"" \
       -e "/^boot_domain/c\boot_domain: ${LIVE_URL}/rc" \
       user_overrides.yml
-    docker build -t localbuild -f Dockerfile-build .
+    docker build -t localbuild -f ${DOCKER_FILE} .
     docker run --rm -it -v $(pwd):/buildout localbuild
   fi
   mkdir -p s3out-latest
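Review bot: The new `-f ${DOCKER_FILE}` expansions at the three `docker build` lines are unquoted while the rest of the script quotes its expansions (`"${TYPE}"`); `docker build -t localbuild -f "${DOCKER_FILE}" .` keeps the style consistent and stays safe if the value ever gains a space. The non-pr types now build with `Dockerfile-build.production`, whose ansible run reads the certificates from `/ansible/certs` (per `cert_dir` in the overrides), so a missing `certs/` directory only surfaces as an ansible failure deep inside the build; a guard before the first build such as `[[ "${TYPE}" == "pr" ]] || [[ -d certs ]] || { echo "certs/ missing"; exit 1; }` fails faster and more clearly.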

+ 1 - 0
script/message

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 TYPE=$1
 

+ 10 - 1
script/netbootxyz-overrides.yml

@@ -6,4 +6,13 @@ bootloader_multiple: true
 bootloader_disks:
   - "netboot.xyz"
   - "netboot.xyz-packet"
-generate_signatures: true
+generate_signatures: true
+sigs_dir: "{{ netbootxyz_root }}/sigs"
+sigs_location: "http://${boot_domain}/sigs/"
+cert_dir: "/ansible/certs"
+ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
+ipxe_ca_url: http://ca.ipxe.org/ca.crt
+ipxe_ca_filename: ca-ipxe-org.crt
+codesign_cert_filename: codesign.crt
+codesign_key_filename: codesign.key
+cert_file_filename : ca-netboot-xyz.crt
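Review bot: `cert_file_filename : ca-netboot-xyz.crt` on the last added line has a space before the colon, unlike every other key in the file; YAML still parses it, but yamllint flags it and it reads as a typo — `cert_file_filename: ca-netboot-xyz.crt`. `ipxe_ca_url` fetches a trust anchor over plain `http://`; whether the role verifies the downloaded CA against a pinned fingerprint is not visible here, so a comment above that key stating how the CA is verified (or an https URL, if ca.ipxe.org serves one) would help the next reader.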

+ 1 - 0
script/pre_install

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 # Install aws cli
 sudo pip install awscli tornado

+ 8 - 0
script/retrieve_certs

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+# retrieve certs
+git clone https://$GIT_USER:$GIT_AUTH@$GIT_URL certs
+cp certs/certs.tar.enc .
+openssl aes-256-cbc -K $encrypted_9ca5918f08ba_key -iv $encrypted_9ca5918f08ba_iv -in certs.tar.enc -out certs.tar -d
+tar xvf certs.tar -C certs
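Review bot: The `git clone` URL embeds `$GIT_USER:$GIT_AUTH`, so the token is written to `certs/.git/config` on disk and may be echoed by git in its error output if the clone fails, which in CI means it can land in the job log. At minimum drop the metadata after cloning with `rm -rf certs/.git`, and quote the expansions: `git clone "https://${GIT_USER}:${GIT_AUTH}@${GIT_URL}" certs`. `tar xvf` also lists every extracted file in the log; `tar xf certs.tar -C certs` is enough. Since this script replaces `pre_install` in the rc stage of .travis.yml, the awscli install from that script no longer runs there — worth confirming it is not needed.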