-
Notifications
You must be signed in to change notification settings - Fork 1
/
.gitlab-ci.yml
154 lines (148 loc) · 6.37 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
variables:
# At the moment we can't build kali-last-release Docker images for arm64,
# as ldconfig segfaults. This is fixed with a newer kernel, but we don't
# control the GitLab CI kernel, and there is no ETA to update it:
# cf. https://gitlab.com/gitlab-com/gl-infra/production/-/issues/5401.
# This is also fixed by a newer glibc/ldconf (2.34), which landed in Kali
# rolling. So for now, let's disable kali-last-release. We can enable it
# again after the next release.
#BASE_IMAGES: "kali-rolling kali-last-release kali-dev"
# NB: Images will appear in this order on the Docker Hub, so keep everything
# sorted per order of importance here, both architectures and images.
BASE_IMAGES: "kali-rolling kali-dev"
EXTRA_IMAGES: "kali-bleeding-edge kali-experimental"
ARCHS: "amd64 arm64 armhf"
stages:
- build-rootfs
- build
- test
- publish
build-rootfs:
stage: build-rootfs
image: debian:testing
artifacts:
paths:
- "*.tar.gz"
- "*.release.version"
before_script:
- |
# Take a look at the surroundings
v() { echo "==== $ $@"; "$@"; }
echo "================================"
v uname -a
v cat /proc/cmdline
v sh -c "cut -d ' ' -f 1 /proc/modules | sort -u"
v ls -l --time-style=+ /dev
v cat /proc/mounts
[ -e /proc/config.gz ] && v zgrep BINFMT_MISC /proc/config.gz
[ -e /boot/config-$(uname -r) ] && v grep BINFMT_MISC /boot/config-$(uname -r)
echo "================================"
- |
# Remount /builds with the dev option if needed.
# Since GitLab migrated to Google Container-Optimized OS & Docker 19.03.15
# in August 2021, /builds is mounted with the option nodev, and it breaks
# debootstrap. References:
# * https://gitlab.com/kalilinux/build-scripts/kali-docker/-/issues/40
# * https://gitlab.com/gitlab-com/gl-infra/production/-/issues/5184
findmnt -no options -T . | grep -qw nodev && mount -vo remount,dev $(stat -c %m .) || true
script:
- |
# Install packages
apt-get update
apt-get install -y arch-test binfmt-support debootstrap qemu-user-static wget
- |
# Install Kali archive keyring
KEYRING_PKG_URL=$(wget -nv -O - \
https://http.kali.org/kali/dists/kali-rolling/main/binary-amd64/Packages.gz \
| gzip -dc | grep ^Filename: | grep kali-archive-keyring | head -n 1 | awk '{print $2}')
KEYRING_PKG_URL="https://http.kali.org/kali/$KEYRING_PKG_URL"
wget -nv "$KEYRING_PKG_URL"
dpkg -i kali-archive-keyring_*_all.deb
rm kali-archive-keyring_*_all.deb
- |
# Test architectures right away
echo "Arch test:"
for arch in $ARCHS; do
echo -n "* $arch: " && /usr/lib/arch-test/$arch
done
- |
# Build all the rootfs
for image in $BASE_IMAGES; do
for arch in $ARCHS; do
echo "============================================================"
echo "Building rootfs $image/$arch"
echo "============================================================"
./build-rootfs.sh "$image" "$arch"
done
done
build-docker-images:
stage: build
image: debian:testing
dependencies:
- build-rootfs
artifacts:
paths:
- "*.conf"
script: |
set -e
apt-get update
apt-get install -y binfmt-support ca-certificates podman qemu-user-static
echo "$CI_JOB_TOKEN" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
for image in $BASE_IMAGES; do
for arch in $ARCHS; do
echo "============================================================"
echo "Building docker image $image/$arch"
echo "============================================================"
./docker-build.sh "$image" "$arch"
done
done
for image in $EXTRA_IMAGES; do
for arch in $ARCHS; do
echo "============================================================"
echo "Building extra docker image $image/$arch"
echo "============================================================"
./docker-build-extra.sh "$image" "$arch"
done
done
test-docker-images:
stage: test
image: debian:testing
dependencies:
- build-docker-images
script: |
set -e
apt-get update
apt-get install -y binfmt-support ca-certificates podman qemu-user-static
# Switch to iptables legacy, as long as GitLab CI doesn't support nftables.
# Cf. https://gitlab.com/gitlab-com/gl-infra/production/-/issues/5184#note_637383773
update-alternatives --set iptables /usr/sbin/iptables-legacy
for image in $BASE_IMAGES $EXTRA_IMAGES; do
for arch in $ARCHS; do
echo "============================================================"
echo "Testing docker image $image/$arch"
echo "============================================================"
./docker-test.sh "$image" "$arch"
done
done
publish-docker-images:
stage: publish
image: debian:testing
dependencies:
- build-docker-images
script: |
set -e
apt-get update
apt-get install -y ca-certificates podman
echo "$CI_JOB_TOKEN" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
if [ -n "$DOCKER_HUB_ACCESS_TOKEN" ]; then
echo "$DOCKER_HUB_ACCESS_TOKEN" | podman login -u "$DOCKER_HUB_USER" --password-stdin docker.io
fi
# Push images in reverse order, so that they appear in order in Docker Hub.
ARCHS=$(printf "%s\n" $ARCHS | tac | paste -s -d " ")
IMAGES=$(printf "%s\n" $BASE_IMAGES $EXTRA_IMAGES | tac | paste -s -d " ")
for image in $IMAGES; do
echo "============================================================"
echo "Publishing docker image $image ($ARCHS)"
echo "============================================================"
./docker-publish.sh "$image" "$ARCHS"
done