Create qubes.AppendLog service #2023

Open
rootkovska opened this Issue May 24, 2016 · 1 comment

Projects

None yet

2 participants

@rootkovska
Member

Very useful to e.g. gather build logs in a reliable way, i.e. even if the build VM gets compromised during the build process (e.g due to curl|bash in a Makefile), the log can still be meaningful. Also for many other uses. Related to #830.

@rootkovska rootkovska added this to the Release 4.0 milestone May 24, 2016
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016
@marmarek marmarek Don't enable external logging by default
Require explicit call to scripts/make-with-log.
Later will be plugged in build automation.

QubesOS/qubes-issues#2023
45b96ec
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016
@marmarek marmarek Log only status of selected git repositories
Take a look at COMPONENTS setting. This way single-component build log
is not trashed with a status of all the repositories.

QubesOS/qubes-issues#2023
43b1221
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016
@marmarek marmarek build-log: call post-log-hook for possible logs uploading d7cc141
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016
@marmarek marmarek build-log: call post-log-hook for possible logs uploading f7fa9db
@marmarek marmarek added a commit to marmarek/qubes-builder-debian that referenced this issue Dec 17, 2016
@marmarek marmarek template: log hashes of all downloaded packages before installation
This, connected with append-only build log (QubesOS/qubes-issues#2023)
will allow for meaningful inspection what really got installed during
template build, even if signature verification is buggy, or release
signing key is compromised.

Adding this for debootstrap - after downloading but before installing
packages is somehow complex. Split the operation into two phases - first
download all the packages, then install them. Point at local directory
for the second run to not download packages (or repository metadata)
the second time. That local directory needs to have proper repository
metadata.
f1e2283
@marmarek marmarek added a commit to QubesOS/qubes-builder-debian that referenced this issue Dec 17, 2016
@marmarek marmarek template: log hashes of all downloaded packages before installation
This, connected with append-only build log (QubesOS/qubes-issues#2023)
will allow for meaningful inspection what really got installed during
template build, even if signature verification is buggy, or release
signing key is compromised.

Adding this for debootstrap - after downloading but before installing
packages is somehow complex. Split the operation into two phases - first
download all the packages, then install them. Point at local directory
for the second run to not download packages (or repository metadata)
the second time. That local directory needs to have proper repository
metadata.

(cherry picked from commit f1e2283)
03a2fac
@andrewdavidwong andrewdavidwong added a commit that referenced this issue Dec 17, 2016
@andrewdavidwong andrewdavidwong Track #2023 f0b52fa
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 18, 2016
@marmarek marmarek Do not recurse indefinitely
GIT_REPOS variable may contains qubes-builder itself, as ".".

Fixes 43b1221 "Log only status of selected git repositories"

QubesOS/qubes-issues#2023
910a7db
@marmarek marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 19, 2016
@marmarek marmarek build-log: fix timestamp loging
Default value for keyword argument is calculate at function definition
time, not a call time. So the previous version basically logged script
start time.

QubesOS/qubes-issues#2023
03e412e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment