mirror of
https://github.com/systemd/systemd.git
synced 2024-11-26 19:53:45 +08:00
7aea1c9e80
Now that we have the mkosi.clangd script to run clangd from the mkosi build script, it becomes clear that doing cleanup with mkosi.clean has a big gap in that we always run the mkosi.clean script and thus we also run it when we run the mkosi.clangd script, causing the previously built packages to be removed when we run clangd without producing new ones. In mkosi we're improving the situation by only running clean scripts when we clean up the output directory and disallowing writing to the output directory from build scripts. Let's adapt systemd to these changes by moving the copying of packages to the output directory to the postinst script.
181 lines
6.4 KiB
Bash
Executable File
181 lines
6.4 KiB
Bash
Executable File
#!/bin/bash
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
set -e
|
|
set -o nounset
|
|
|
|
find "$BUILDDIR" \( -name "*.rpm" -o -name "*.deb" -o -name "*.pkg.tar" -o -name systemd.raw \) -exec cp -t "$OUTPUTDIR" {} \;
|
|
|
|
useradd \
|
|
--uid 4711 \
|
|
--user-group \
|
|
--create-home \
|
|
--password "$(openssl passwd -1 testuser)" \
|
|
--shell /bin/bash \
|
|
testuser
|
|
|
|
if command -v authselect >/dev/null; then
|
|
# authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
|
|
# let's use the new name if it exists.
|
|
if [ -d /usr/share/authselect/default/local ]; then
|
|
PROFILE=local
|
|
else
|
|
PROFILE=minimal
|
|
fi
|
|
|
|
authselect select "$PROFILE"
|
|
|
|
if authselect list-features "$PROFILE" | grep -q "with-homed"; then
|
|
authselect enable-feature with-homed
|
|
fi
|
|
fi
|
|
|
|
# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
|
|
# if that's the case.
|
|
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
|
|
rm -f /etc/resolv.conf
|
|
|
|
for f in "$BUILDROOT"/usr/share/*.verity.sig; do
|
|
jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
|
|
done
|
|
|
|
# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
|
|
# systemd-journald.
|
|
rm -rf "$BUILDROOT/var/log/journal"
|
|
|
|
rm -f /etc/nsswitch.conf
|
|
cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
|
|
|
|
# Remove to make TEST-73-LOCALE pass on Ubuntu.
|
|
rm -f /etc/default/keyboard
|
|
|
|
# This is executed inside the chroot so no need to disable any features as the default features will match
|
|
# the kernel's supported features.
|
|
SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
|
|
systemd-repart \
|
|
--empty=create \
|
|
--dry-run=no \
|
|
--size=auto \
|
|
--offline=true \
|
|
--root test/TEST-24-CRYPTSETUP \
|
|
--definitions test/TEST-24-CRYPTSETUP/keydev.repart \
|
|
"$OUTPUTDIR/keydev.raw"
|
|
|
|
can_test_pkcs11() {
|
|
if ! command -v "softhsm2-util" >/dev/null; then
|
|
echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! command -v "pkcs11-tool" >/dev/null; then
|
|
echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! command -v "certtool" >/dev/null; then
|
|
echo "certtool not available, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! systemctl --version | grep -q "+P11KIT"; then
|
|
echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! systemctl --version | grep -q "+OPENSSL"; then
|
|
echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
|
|
echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
|
|
echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
setup_pkcs11_token() {
|
|
echo "Setup PKCS#11 token" >&2
|
|
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
|
|
|
|
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
|
|
mkdir -p /usr/lib/softhsm/tokens/
|
|
cat >$SOFTHSM2_CONF <<EOF
|
|
directories.tokendir = /usr/lib/softhsm/tokens/
|
|
objectstore.backend = file
|
|
slots.removable = false
|
|
slots.mechanisms = ALL
|
|
EOF
|
|
export GNUTLS_PIN="1234"
|
|
export GNUTLS_SO_PIN="12345678"
|
|
softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
|
|
|
|
if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
|
|
echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
|
|
P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
|
|
fi
|
|
|
|
if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
|
|
echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
|
|
P11_MODULE_DIR="/usr/lib/pkcs11"
|
|
fi
|
|
|
|
SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
|
|
if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
|
|
SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
|
|
fi
|
|
|
|
# RSA #####################################################
|
|
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
|
|
|
|
certtool --generate-self-signed \
|
|
--load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
|
|
--load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
|
|
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
|
|
--outder --outfile "/tmp/rsa_test.crt"
|
|
|
|
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
|
|
rm "/tmp/rsa_test.crt"
|
|
|
|
# prime256v1 ##############################################
|
|
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
|
|
|
|
certtool --generate-self-signed \
|
|
--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
|
|
--load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
|
|
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
|
|
--outder --outfile "/tmp/ec_test.crt"
|
|
|
|
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
|
|
rm "/tmp/ec_test.crt"
|
|
|
|
###########################################################
|
|
rm "$SOFTHSM2_CONF"
|
|
unset SOFTHSM2_CONF
|
|
|
|
cat >/etc/softhsm2.conf <<EOF
|
|
directories.tokendir = /usr/lib/softhsm/tokens/
|
|
objectstore.backend = file
|
|
slots.removable = false
|
|
slots.mechanisms = ALL
|
|
log.level = INFO
|
|
EOF
|
|
|
|
mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
|
|
cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
|
|
[Unit]
|
|
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
|
|
StartLimitBurst=10
|
|
|
|
[Service]
|
|
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
|
|
Environment="PIN=$GNUTLS_PIN"
|
|
EOF
|
|
|
|
unset GNUTLS_PIN
|
|
unset GNUTLS_SO_PIN
|
|
}
|
|
|
|
if can_test_pkcs11; then
|
|
setup_pkcs11_token
|
|
fi
|